How to disconnect/reconnect from OPEN VPN Client using Batch File

Salt_Lamp

Occasional Visitor
Hey everybody. I've been trying to figure out how to get my computer to disconnect from the OpenVPN client I set up using the scripts provided in the linked guide below. Everything seems to be working just fine, but the last optional step involving creating an additional batch file to disconnect from the VPN without logging into the router or rebooting my computer I'm having a lot of trouble with. I filled out all the appropriate technical information in the batch file based on the guide, but whenever I run it and select local ISP it instead decides to stay on the VPN. I'm not sure what it is I'm doing wrong, so any help would be much appreciated. Like I said earlier, everything else appears to be working just fine. All the devices I want on the VPN are on it and all the others I don't want on it aren't. It's just this last bit that's giving me some issues.

By the way, I'm not very tech savvy (far from it, in fact), so if there's any key information I didn't happen to provide then please let me know and I'll try my best to include it in my next post. Thanks in advance.

https://github.com/RMerl/asuswrt-me...ver-VPN-and-Drop-connections-if-VPN-goes-down
 
Right click it and run as administrator
 
try this, I am using this script to route specific IPs through VPN tunnel

change 192.168.x.x with IP of your chosen device you want to divert through VPN tunnel
change 192.168.y.y with IP address of remote IP range if you want to access it (ping etc.)

this example is for VPN Client 1 (interface tun11), VPN Client 2 uses interface tun12, so beware
add these lines to your OpenVPN Client custom config:
route-nopull
route-up /jffs/scripts/vpn-route-1.sh


Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the OpenVPN configs
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing remote IP range 192.168.y.y/24 via tun11_ip
#ip route add 192.168.y.y/24 via $tun11_ip

# routing table for tun11 with divert rule (192.168.x.x is IP of specific device in your local LAN)
ip route add default via $tun11_ip dev tun11 table 11
ip rule add from 192.168.x.x table 11

# not strictly necessary
ip route flush cache

# force vpn to default to custom dns - in this case OpenDNS
DNS_SERVER="208.67.222.222 208.67.220.220"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -s 192.168.x.x -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -s 192.168.x.x -p tcp --dport 53 -j DNAT --to $ip
done

# vpn kill switch (optional) in case your VPN tunnel goes down, traffic is blocked
#iptables -I FORWARD ! -o tun11 -s 192.168.x.x -j DROP

exit 0

don't forget chmod 755 /jffs/scripts/vpn-route-1.sh to make your script executable
reboot and test
 
Thanks very much for the info, but I'm not sure that's going to help. You see, the only thing I'm having trouble with at the moment is trying to get the batch file responsible for disconnecting from the VPN to actually work. Any time I've tried to run it, regardless of administrative permissions, it refuses to switch back to my local ISP. Now I have no idea if this is even possible; I'm just trying to follow the guide I linked to in my first post. Could it have something to do with DHCP, since that appears to be what I switch to when I select local ISP in the admin command prompt? Once again, any help would be much appreciated.

By the way, my apologies for the title of this thread not accurately describing the problem. It's now been changed to avoid any future confusion.
 
Note- you need putty installed. You may want to put the batch file in the putty folder to make sure the path works but the putty must work obviously.

I use a batch file with the following in it-
mode con: cols=20 lines=20
start putty.exe yourusername@yourrouter.asuscomm.com -P sshportprobably22 -pw yourpassword -m "c:\path\to\file\OPENVPNCLIENT1STOP"

the file OPENVPNCLIENT1STOP has the following in it-
service stop_vpnclient1
 

Thanks for the info. I think I see what you're suggesting, but is there any way at all to disconnect a specific device from the VPN without shutting it down entirely, or is this the best that can be done?

Instead of messing around with batch files should I instead be looking at policy routing within the Merlin interface, or would that be pointless?
 
@Salt_Lamp - just try my script, I know where your problem is

1. your VPN Client is routing everything through VPN tunnel if you have enabled "Redirect Internet Traffic", that is the reason why you can't get back to your ISP!!
route-nopull together with rest of the script will solve your problem, been there

adjust your router like this:
shorten your DHCP Pool, from default 192.168.1.2 - 254 to 192.168.1.10 - 254
assign your computer for example 192.168.1.5 (replace 192.168.x.x with your computer IP 192.168.1.5)

try https://www.dnsleaktest.com/ and confirm your public IP is VPN remote public IP

afterwards assign your computer IP 192.168.1.15 and it should be back on your ISP connection try https://www.dnsleaktest.com/ and confirm your IP is your ISP

then you can adjust .bat file

I can confirm it works, because I am using two OpenVPN clients, jumping with .bat file from one VPN to another VPN and back to ISP - it works perfectly!
 
Hmm, I see. I suppose there's no harm in giving it a shot, but I just have a few more random questions before I get into it, if you don't mind. Firstly, how would I add an additional device to your original script? Also, what does remote IP range mean, is it important? How do I configure that for additional devices? Would enabling the kill switch screw up my ability to switch from the VPN to my local ISP? Lastly, do I add those 2 additional lines before/after I insert the script into my router?

Sorry for all the basic questions. I'm quite the layman, after all. :p
 
@Salt_Lamp - first you have to add vpn-route-1.sh script to your router

be sure JFFS partition is enabled first (Administration)
login to ssh or telnet, and go to /jffs/scripts
type "vi vpn-route-1.sh" and paste my script adjusted to your needs

if you need more hosts, you can add them one by one, or by network range /29 or /28 etc.
replace "ip rule add from 192.168.x.x table 11" with your IPs for example
Code:
ip rule add from 192.168.1.5 table 11
ip rule add from 192.168.1.6 table 11
ip rule add from 192.168.1.7 table 11
ip rule add from 192.168.1.8 table 11
add more lines if necessary, adjust rest of the script

after you do it, make sure script is executable
Code:
chmod 755 /jffs/scripts/vpn-route-1.sh

VPN kill switch won't affect your ability to change from VPN to ISP, it is just for security purposes, in case your VPN goes down, and you don't want your host to expose your ISP public IP address (for example: Netflix and other stuff)

after that add these two lines to your VPN Client config:
Code:
route-nopull
route-up /jffs/scripts/vpn-route-1.sh

reboot and test, first start with one IP, after you get it working (dns leak test) then adjust it to your needs


remote IP is in case you need to access remote IPs behind NAT on VPN Server, for example if network behind VPN server has range 192.168.72.0 /24 (subnet mask 255.255.255.0)
then you can add:
Code:
ip route add 192.168.72.0/24 via $tun11_ip

this way you can use IP of your DNS server on other side of the tunnel :)
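
An added example, not from the thread or from any Asuswrt-Merlin project code: a small shell generator that prints the per-host lines the vpn-route-1.sh script above needs, for any number of LAN hosts or ranges and for either VPN client (1 gives tun11/table 11, 2 gives tun12/table 12). It answers the "how do I add more devices" question and also emits the kill-switch line per host, which the single-host script only shows once. The function name gen_vpn_rules and its arguments are my own; nothing here runs ip or iptables, it only prints the commands for review before they are pasted into the script.

```sh
#!/bin/sh
# Added example: generate the per-host policy-routing lines for
# /jffs/scripts/vpn-route-N.sh. Only prints commands, never runs them.
#   $1 = VPN client number: 1 -> tun11 / table 11, 2 -> tun12 / table 12
#   $2 = space-separated DNS servers to force for the diverted hosts
#   $3 = space-separated LAN hosts or ranges, e.g. "192.168.1.5 192.168.1.8/29"
gen_vpn_rules() {
    client="$1"; dns_servers="$2"; hosts="$3"
    case "$client" in
        1|2) ;;
        *) echo "client must be 1 or 2" >&2; return 1 ;;
    esac
    tun="tun1$client"; table="1$client"
    # reset the client's table and point its default route into the tunnel,
    # exactly as the thread's script does for tun11
    echo "ip route flush table $table"
    echo "tun_ip=\$(ifconfig $tun | grep 'inet addr:' | cut -d: -f2 | awk '{ print \$1}')"
    echo "ip route add default via \$tun_ip dev $tun table $table"
    for h in $hosts; do
        # policy rule: traffic from this host looks up table $table first;
        # if the table has no usable route the lookup falls through to the
        # main table, i.e. the ISP, which is what the kill switch prevents
        echo "ip rule add from $h table $table"
        # pin DNS so a diverted host cannot leak queries to the ISP resolver
        for d in $dns_servers; do
            echo "iptables -t nat -A PREROUTING -s $h -p udp --dport 53 -j DNAT --to $d"
            echo "iptables -t nat -A PREROUTING -s $h -p tcp --dport 53 -j DNAT --to $d"
        done
        # kill switch: one line per host, or that host silently uses the ISP
        # whenever the tunnel is down
        echo "iptables -I FORWARD ! -o $tun -s $h -j DROP"
    done
    echo "ip route flush cache"
}
```

Note that with `iptables -A` the first DNAT rule for a given host and protocol is the one that matches, so a second DNS server in the list is never used as a fallback.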
I still don't understand what remote IP means, unfortunately. Is it necessary for this to work properly? Also, can you run me through how to configure DHCP again? I'm not sure which values it is I'm supposed to change. Do I change starting pool or ending pool, or both?

I also tried to change the local IP address of my router for a bit of extra security, but I had a lot of trouble browsing the internet afterwards. Some sites would load while others wouldn't. Why is that exactly?
 
@Salt_Lamp - change starting of your DHCP pool by moving it a bit
if you have default values (router IP 192.168.1.1) set your DHCP pool (192.168.1.10 - 254)

change your computer IP manually to 192.168.1.5 - when you want to use VPN
change your computer IP to DHCP when you want to use ISP

here is the script:
Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the OpenVPN configs
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing table for tun11 with divert rule (192.168.x.x is IP of specific device in your local LAN)
ip route add default via $tun11_ip dev tun11 table 11
ip rule add from 192.168.1.5 table 11

# not strictly necessary
ip route flush cache

# force vpn to default to custom dns - in this case OpenDNS
DNS_SERVER="208.67.222.222 208.67.220.220"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -s 192.168.1.5 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -s 192.168.1.5 -p tcp --dport 53 -j DNAT --to $ip
done

# vpn kill switch (optional) in case your VPN tunnel goes down, traffic is blocked
iptables -I FORWARD ! -o tun11 -s 192.168.1.5 -j DROP

exit 0

don't forget chmod 755 /jffs/scripts/vpn-route-1.sh to make your script executable
reboot and test

Remote IP range is not important - it is ONLY if you want to access network behind VPN Server
if you are using some VPN Service (Private Internet Access, AirVPN, etc.) then you don't need this.
Which VPN Service are you using, what are their DNS servers IPs?
 
I'm using PIA, at the moment. I'm not really sure what their DNS servers are, actually. How would I go about finding that out?

Also, if I change my router's local IP address does that affect DHCP? How do I resolve my router's IP with DHCP?
 
ask PIA support by mail about DNS servers
yes, changing your router local IP address affects DHCP by using the new range you have assigned; resolve router IP with DHCP - what are you talking about?
stop asking questions and do the test! :)
 


Ok, I guess I'll have to follow up with PIA on that. Are their DNS servers better than OPEN DNS? I've heard that OPEN DNS logs your activity. Is that true?

Anyway, I did the test and added your script, but now my VPN client won't turn on. I put the script in jffs/scripts. I'm not sure what "chmod 775" is. I didn't see the folder anywhere in my router's system files when I logged into it via SSH. Is the problem related to "chmod 775"?
 
Still need some help here guys. I'd like to resolve the rest of this issue ASAP, so any additional guidance would be much appreciated. Thanks.
 
don't forget to run
Code:
chmod 755 /jffs/scripts/vpn-route-1.sh
to make your script executable
reboot and test

How do I run it? I've put the following script into jffs/scripts with the extension .sh
Code:
#!/bin/sh
# /jffs/scripts/vpn-route-1.sh, started by the OpenVPN client through route-up
# 192.168.xx.xx stands for each of the two LAN hosts to divert through the VPN

# clear the VPN client 1 (tun11) table, if it exists
ip route flush table 11
ip route del default table 11

ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# default route for table 11 through the tunnel, then one divert rule per host
ip route add default via $tun11_ip dev tun11 table 11
ip rule add from 192.168.xx.xx table 11
ip rule add from 192.168.xx.xx table 11

ip route flush cache

# force both hosts to OpenDNS (udp and tcp rule for each host)
DNS_SERVER="208.67.222.222 208.67.220.220"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -s 192.168.xx.xx -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -s 192.168.xx.xx -p tcp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -s 192.168.xx.xx -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -s 192.168.xx.xx -p tcp --dport 53 -j DNAT --to $ip
done

# vpn kill switch: one line per diverted host, so neither host leaks to the ISP if tun11 goes down
iptables -I FORWARD ! -o tun11 -s 192.168.xx.xx -j DROP
iptables -I FORWARD ! -o tun11 -s 192.168.xx.xx -j DROP

exit 0
 