Can I use crontab to switch VPN clients on a schedule?

Happy_Yam

New Around Here
Hello! I am enjoying my RT-AC86U with Merlin. I have a question - I use a VPN provider which has many servers, and I have different VPN clients set up in the router for some particular servers. Manually I can turn each one on, or off; or select it to start up when rebooting. And I schedule a reboot every early a.m. and I have one of the VPNs start at reboot.

Is there a way of getting the router to do this automatically using crontab? Like on Monday it reboots to client1, Tuesday to client2, etc. Or am I stuck changing this manually?

(I want to do this b/c I don't want to use the same VPN server with its static IP all the time; I'm concerned it could fingerprint me...)

Thanks much in advance.
 

Zastoff

Very Senior Member
Here is some of the Cron I used when I had a VPN provider.
Can easily be modified for what you need, I guess.
Code:
## OVPN Restart @ 02.05 WeekDays
cru a VpnRestartWD "05 2 * * 1-5 service stop_vpnclient1 && sleep 22m && service start_vpnclient1" #OVPN_Restart#

## OVPN Restart @ 04.05 WeekEnds
cru a VpnRestartWE "05 4 * * 6,0 service stop_vpnclient1 && sleep 32m && service start_vpnclient1" #OVPN_Restart#

#OVPN Up Down
cru a VpnDown "5 2 * * * service stop_vpnclient1" #OVPN_Down#
cru a VpnUp "5 5 * * * service start_vpnclient1" #OVPN_Up#
Had them in /jffs/scripts Services-start

 

Martineau

Part of the Furniture
You could explicitly set the desired VPN client you wish to start after a REBOOT using something like this
Code:
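# date +%w prints the weekday as 0 (Sun) to 6 (Sat); +%u prints 1-7 and never 0
case $(date +%w) in
    0) VPNID=5;;        # Sun
    1) VPNID=1;;        # Mon
    2) VPNID=2;;        # Tue
    3) VPNID=3;;        # Wed
    4) VPNID=4;;        # Thu
    5) VPNID=5;;        # Fri
    6) VPNID=1;;        # Sat
esac

# Select which VPN client is started at boot, then save and reboot
nvram set vpn_clientx_eas=$VPNID
nvram commit

service reboot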
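
Combining the two replies above into a weekday rotation that does not need a reboot, as an added example (not code posted by anyone in this thread): it maps the weekday to a client slot, stops the other slots, then starts the chosen one. The slot range 1-5, the script name vpn-rotate.sh and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: switch the active VPN client by weekday without rebooting.
# Register it from services-start with the cru syntax shown earlier, e.g.
#   cru a VpnRotate "5 4 * * * /jffs/scripts/vpn-rotate.sh run"
# (vpn-rotate.sh is a hypothetical file name; slots 1-5 are assumed configured.)

# Map a weekday number (date +%w: 0=Sun .. 6=Sat) to a VPN client slot.
slot_for_day() {
    case "$1" in
        0) echo 5 ;;    # Sun
        1) echo 1 ;;    # Mon
        2) echo 2 ;;    # Tue
        3) echo 3 ;;    # Wed
        4) echo 4 ;;    # Thu
        5) echo 5 ;;    # Fri
        6) echo 1 ;;    # Sat
        *) return 1 ;;  # anything else is not a weekday number
    esac
}

# Print the service commands that leave only slot $1 running.
plan_rotation() {
    target=$1
    for n in 1 2 3 4 5; do
        [ "$n" = "$target" ] || echo "service stop_vpnclient$n"
    done
    echo "service start_vpnclient$target"
}

# Resolve today's slot (or the weekday passed as $1) and apply the plan.
# With DRY_RUN set, the commands are printed instead of executed.
rotate() {
    day=${1:-$(date +%w)}
    target=$(slot_for_day "$day") || { echo "bad weekday: $day" >&2; return 1; }
    plan_rotation "$target" | while read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi
    done
}

# Only act when called as "vpn-rotate.sh run", so sourcing the file is harmless.
if [ "${1:-}" = "run" ]; then rotate; fi
```

Running it once with DRY_RUN=1 set prints the planned stop/start commands without touching any client.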
 

Viktor Jaep

Very Senior Member
Shameless plug for VPNMON-R2... It can randomly connect to a random slot for you based on a schedule, or regularly scheduled cron job... ;)


I currently have mine set up to randomly pick from over 2000 Nordvpn servers across the US a few times a day. ;)
 

eibgrad

Part of the Furniture
I set my diy setup to reconnect every 30 minutes and pick a new server. Different providers though might get a bit trickier. Shouldn't be too bad though just using a different day indicator in the cron entry.

Users need to be aware that when you force a reconnection of the VPN, this will invalidate existing, long running connections. The client has no idea this has happened, and so you may find that certain apps will hang for a brief period until they realize they've lost that connection and need to reestablish it.

A good example is Google Docs. If you're editing a document when this change in the VPN server occurs, you'll find the document can no longer be edited until such time as the connection is fully reestablished by the client. And I've seen that take as much as 3-4 minutes in the worst cases! It can be incredibly annoying to users who don't know why this is happening. And as the administrator, you may not necessarily appreciate the impact if you happen NOT to be the one dependent on these long running connections.

Of course, the problem becomes worse the more often you change VPN server, and 30 minutes is pretty aggressive imo. I personally limit it to every 4 hours for maximum stealthiness. Even so, it can still be a problem. The ideal would be a single change every night, since it's unlikely there would be such long running connections at that time.

I'm NOT saying you shouldn't change VPN servers from time to time. Just that you have to be cognizant that for certain types of apps, this may become problematic if done too aggressively.
 

Tech Junky

Very Senior Member
@eibgrad I don't seem to have those issues you mentioned and keep several gdocs open in tabs. If you're having an issue a quick solution is enabling offline docs.

I would expect the most noticeable impact to be streaming, but I see no impact there whether video or audio. It's more noticeable with lower priority things.

My reason for being aggressive is quicker downloads avoiding blacklists of VPN IPs. Even this forum maintains a blacklist in which I need to change IPs to be able to access content. For things like banks that are stubborn with their blacklists I punch holes in the routing to force use of non-vpn IP and this allows access and fewer 2FA prompts to deal with or captcha matching.

It all depends on the use case and needs though.
 

eibgrad

Part of the Furniture
I understand what you're saying. My concern is for admins who may naively assume there will be no negative impact to their users.

In the case of streaming, I assume most of it is using UDP and is therefore stateless. Also, such apps are typically buffering large amounts of data, and so even if a connection is interrupted from time to time, it's NOT noticeable to the end user. But something like Google Docs or VOIP may not take so kindly to it (I personally keep my VOIP adapter off the VPN for this very reason).

I'm just trying to make it clear that you can't just assume all is well when you are this aggressive. As long as you've confirmed it does NOT create a negative impact, fine. But as you suggest, it needs to be evaluated on a case by case basis.
 

Tech Junky

Very Senior Member
Points made for and against. The key to most things is trust but verify. One thing that comes to mind since you mention VoIP is gvoice which is either VoIP or sip IIRC. When using it the other day it had some interference on a call but that could be two things for me either latency from the 5G path or added latency from the VPN it was connected to at the time. It didn't make a huge impact but was noticeable when listening for it.

Being a network guy and not an admin means I get to figure these issues out. Personal vs enterprise though comes down to budget and preferences. In the enterprise world it's quite different as everything is private anyway between sites usually through MPLS links or dedicated VPNs for specific traffic. Private lines that have capacity and over provisioned for fail over make a difference in how you manage traffic. Latency sensitive apps don't tend to have issues with multigig paths. Implementing QOS assists but, having a dedicated path helps too.
 

eibgrad

Part of the Furniture
In the case of VOIP, I happen to have an old OOMA VOIP adapter which relies on its own OpenVPN client to establish a persistent connection (something I only discovered accidentally while monitoring the router w/ tcpdump for other purposes). And so having the VOIP adapter connected over my own VPN becomes a real problem should someone be actively using the phone and the server is suddenly changed. It's things like this that are not necessarily obvious. Things can often *appear* to be fine at first blush.
 

Tech Junky

Very Senior Member
True. Interesting though that ooma would be using a VPN for voice traffic as that would typically make it sound worse.
 

monakh

Regular Contributor
This is great! Are the Nord servers in a list fed to your script or are they pulled directly from Nord? This could really help me out!
 

Viktor Jaep

Very Senior Member
They are pulled directly from Nord on-the-fly through their API... I know they change things up fairly frequently on their end, so it's good to get the latest & greatest. ;)
 
