built in vpn watch dog? possible script, if not.


weech

New Around Here
hi,
i will be getting an rt-ax88u, in the next day or so. currently, i have a linksys 3200acm with dd-wrt.
on the dd-wrt forums, i got some great help and was provided a script to run at startup that runs a vpn watch dog. if the ping through the vpn tunnel fails, it restarts the openvpn client without rebooting the router.

not having the asus router, yet, and doing a fair amount of searching, i can't determine if the merlin firmware has a built in checkbox for a vpn watch dog. is there one?

if not, will the vpn watchdog script that i have in dd-wrt, work in merlin? one of the dd-wrt gurus there, egc, wrote it and it works great. i can post it (it's not long), if requested.
just from looking at some sample scripts for merlin, the syntax looks quite similar.

thoughts will be appreciated. thanks!
 

RMerlin

Asuswrt-Merlin dev
OpenVPN clients shouldn't need a watchdog, they already send a ping every "x" seconds, and restart if there is no reply.
 

eibgrad

Very Senior Member
I agree the OpenVPN client shouldn't need a watchdog (i.e., need to ping across the tunnel). OpenVPN already provides its own internal "ping", provided either the server or client use the keepalive directive (one or the other usually does).

However, imo a watchdog is still warranted because some OpenVPN providers will use a forced AUTH FAILED condition to either prevent access to a server, or throw connected clients off existing connections. Since it's considered a FATAL error, it kills the OpenVPN process! And the router is none the wiser for it. You tend to see this w/ the lower tier providers like KeepSolid, FastestVPN, etc. Not so much the more reputable ones (ExpressVPN, PIA, etc.). But even then, it's NOT unheard of.

That's why I've written and use a watchdog for all my OpenVPN clients, whether I'm running Merlin, DD-WRT, or FreshTomato. In each case, I provide an option to ping across the tunnel, although personally I've never found it necessary. The keepalive seems to do the job. More importantly, it monitors the process table, looking for any indication the OpenVPN client has stopped running, and if so, restarts it.


BTW, ironically the OpenVPN *server* includes a watchdog that monitors the process table (it runs every two minutes), which in my experience isn't necessary. But it does no harm to have it regardless.

Code:
[email protected]lab-merlin1:/tmp/etc# cat /tmp/etc/openvpn/server1/vpn-watchdog1.sh
#!/bin/sh
if [ -z $(pidof vpnserver1) ]
then
   service restart_vpnserver1
fi
[email protected]:/tmp/etc# cru l
*/2 * * * * /etc/openvpn/server1/vpn-watchdog1.sh #CheckVPNServer1#
 

RMerlin

Asuswrt-Merlin dev
However, imo a watchdog is still warranted because some OpenVPN providers will use a forced AUTH FAILED condition to either prevent access to a server, or throw connected clients off existing connections.
Then those providers need to be called out for having a broken implementation, rather than people figuring out ways to work around it.

BTW, ironically the OpenVPN *server* includes a watchdog that monitors the process table (it runs every two minutes), which in my experience isn't necessary. But it does no harm to have it regardless.
That's because it's far more critical than a client. A remote OpenVPN server that crashes can mean losing access to a remote site with no way of recovery unless someone can physically go on site to fix it.
 

weech

New Around Here
thanks for the script, eibgrad!

rmerlin, thanks for the information on how it should work. i wasn't aware of the inner workings of openvpn and the periodic ping. i have protonvpn, and no idea whether theirs works properly, or not. do either of you know if there is a way to tell?
 

RMerlin

Asuswrt-Merlin dev
thanks for the script, eibgrad!

rmerlin, thanks for the information on how it should work. i wasn't aware of the inner workings of openvpn and the periodic ping. i have protonvpn, and no idea whether theirs works properly, or not. do either of you know if there is a way to tell?
Check the config, there's typically a ping and/or ping-restart parameter.
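
Added example, not part of any post in this thread: a shell function that carries out the config check suggested above and reports the ping and ping-restart values a client ends up with, counting `keepalive` in the config and options the server pushes (logged by the client as PUSH_REPLY). The function name, file names and sample lines are constructed for illustration; pushed values are assumed to override the local config.

```shell
#!/bin/sh
# keepalive_settings CONFIG [LOG]
# Prints: ping=<sec|unset>:<src> ping-restart=<sec|unset>:<src> verdict=<ok|no-restart>
keepalive_settings() {
    cfg=$1
    log=${2:-}
    pushed=
    if [ -n "$log" ] && [ -r "$log" ]; then
        # The client logs pushed options as one comma-separated PUSH_REPLY;
        # take the most recent one and split it into one option per line.
        pushed=$(grep 'PUSH_REPLY,' "$log" | tail -n 1 |
                 sed "s/.*PUSH_REPLY,//; s/'.*//" | tr ',' '\n')
    fi
    { cat "$cfg"; echo; echo '@@pushed@@'; printf '%s\n' "$pushed"; } | awk '
        BEGIN { p = r = "unset"; ps = rs = "none"; src = "config" }
        $1 == "@@pushed@@" { src = "pushed"; next }   # later lines override
        { sub(/^[ \t]*[#;].*/, "") }                  # drop comment lines
        $1 == "keepalive"    { p = $2; r = $3; ps = rs = src }  # ping + ping-restart
        $1 == "ping"         { p = $2; ps = src }
        $1 == "ping-restart" { r = $2; rs = src }
        END {
            # ping-restart absent or 0: OpenVPN will not restart on silence
            v = (r == "unset" || r + 0 == 0) ? "no-restart" : "ok"
            printf "ping=%s:%s ping-restart=%s:%s verdict=%s\n", p, ps, r, rs, v
        }'
}

# Constructed sample input: a client config with keepalive commented out, and
# a log line in which the server pushes ping and ping-restart.
tmp=$(mktemp -d)
printf '%s\n' 'client' 'dev tun' '# keepalive 10 60' \
    'remote vpn.example.net 1194' > "$tmp/client.ovpn"
printf '%s\n' "PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 60'" \
    > "$tmp/client.log"
keepalive_settings "$tmp/client.ovpn"                    # config alone
keepalive_settings "$tmp/client.ovpn" "$tmp/client.log"  # config plus pushed options
rm -rf "$tmp"
```

A `no-restart` verdict from the config alone is not conclusive, since the server may push the values; pass the client log as the second argument to include them.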
 
