Prevent VPN Server from using openvpn-event

Discussion in 'Asuswrt-Merlin' started by soniccool, Apr 16, 2018.

  1. soniccool

    soniccool Occasional Visitor

    Joined:
    Apr 16, 2017
    Messages:
    12
    Hey there,

    I have an openvpn-event file, shown below, that runs when I start my VPN Client.


    But because of this it won't let me start a VPN Server, because I believe it loads this openvpn-event file too. Basically, my VPN Server just loads forever when starting.

    Is there a way I can make the VPN Server not load this file? Or a way I can make the VPN Client still load this script but not as an openvpn-event?



    Code:
    #!/bin/sh
    # This code goes in the WAN UP section.
    # (Asuswrt-Merlin ships BusyBox sh rather than bash; nothing below needs bash.)
    # This code is based on the contributions from this thread:
    # http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
    #
    # And from material in these articles:
    # http://linux-ip.net/html/adv-multi-internet.html
    # http://fedorasolved.org/Members/kanarip/iptables-howto
    #
    # This script configures "selective" VPN routing. Normally, OpenVPN will route ALL traffic out
    # the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
    # traffic to bypass the VPN and use the regular Internet instead.
    #
    # To list the current rules on the router, issue the command:
    # iptables -t mangle -L PREROUTING
    #
    # Flush/reset all the rules to default by issuing the command:
    # iptables -t mangle -F PREROUTING
    #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces.
    # CAVEAT: rp_filter is the kernel's anti-spoofing check. It has to be off for marked
    # traffic to use a different interface than the main table would pick, but the kernel
    # then no longer drops inbound packets with spoofed source addresses.
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
        echo 0 > "$i"
    done
    #
    # Delete table 100 and flush any existing rules if they exist.
    # (The two "del" commands fail harmlessly on first run, so their errors are silenced.)
    # CAVEAT: -F PREROUTING removes every mangle/PREROUTING rule, including any the firmware
    # installed itself, not only the ones added by this script.
    ip route flush table 100
    ip route del default table 100 2>/dev/null
    ip rule del fwmark 1 table 100 2>/dev/null
    ip route flush cache
    iptables -t mangle -F PREROUTING
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    # NOTE: Here I assume the OpenVPN tunnel is named "tun11".
    #
    ip route show table main | grep -Ev '^default' | grep -Ev tun11 \
    | while read -r ROUTE ; do
        # $ROUTE is deliberately unquoted: it is a whole route spec that must split into arguments
        ip route add table 100 $ROUTE
    done
    ip route add default table 100 via "$(nvram get wan_gateway)"
    ip rule add fwmark 1 table 100
    ip route flush cache
    #
    # Define the routing policies for the traffic. The rules are evaluated in the order that they
    # are listed, and a later matching rule overwrites the mark set by an earlier one, so the last
    # match wins. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN.
    #
    # EXAMPLES:
    #
    # All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    # Ports 80 and 443 will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    # All traffic from a particular computer on the LAN will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.224 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.4 -j MARK --set-mark 0
    # All traffic to a specific Internet IP address will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    # All UDP and ICMP traffic will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    # iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
    # All traffic from a specific Internet IP address range USING CIDR NOTATION will use the VPN (mark 0)
    # NOTE: packets entering on br0 carry LAN source addresses, so an Internet range in -s never matches here.
    # iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0
    # All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0
    
    #new
    #iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 32400,32443 -j MARK --set-mark 2
    #iptables -t mangle -A OUTPUT -p udp -m multiport --dport 17827,32400,32443,32410,32412,32413,32414,32469 -j MARK --set-mark 2
    # NOTE: a hostname in -d is resolved once, when the rule is inserted. If plex.tv's addresses
    # change, the rule silently stops matching; the address ranges further down are more robust.
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -d plex.tv -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400,32443 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p udp -m multiport --sport 1194 -j MARK --set-mark 1
    
    #old
    #iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8888 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 8888 -j MARK --set-mark 1
    
    # Bypass Plex IP Ranges https://forums.aws.amazon.com/ann.jspa?annID=1701
    # FROM/SOURCE
    # NOTE: these cannot match on -i br0 (LAN source addresses only); the TO/DESTINATION rules below do the work.
    #iptables -t mangle -A PREROUTING -i br0 -s 184.169.128.0/17 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -s 50.18.0.0/16 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -s 54.241.0.0/16 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -s 184.72.0.0/18 -j MARK --set-mark 1
    #new
    #iptables -t mangle -A PREROUTING -i br0 -s 54.176.0.0/16 -j MARK --set-mark 1
    
    # TO/DESTINATION
    #iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1
    #new
    #iptables -t mangle -A PREROUTING -i br0 -d 54.176.0.0/16 -j MARK --set-mark 1
    
    #Bypass IPChicken
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.68.27.16 -j MARK --set-mark 1
     
  4. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,702
    Location:
    UK
    Use @john9527's openvpn-event script template and you can choose which openvpn-event custom script is used by the individual VPN Server/Client.

    NOTE: I have stated many times that custom scripts based on this are inherently flawed for many technical reasons but will definitely fail especially in configurations where multiple concurrent VPN connections are required.

    For simple source IP/destination IP selective routing, this is easily configured via the GUI, but for your selective port routing requirements I suggest you Use fwmark 0x7000 for WAN Selective Port routing to have your custom script only issue the appropriate iptables fwmark tagging rather than physically cloning route tables and using reserved fwmarks etc.
     
    Last edited: Apr 18, 2018
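What the suggestion above looks like in practice, as an added example that is not from the thread, from john9527's template or from the firmware: a /jffs/scripts/vpnclient1-route-up that only tags traffic with the firmware's WAN fwmark instead of disabling rp_filter, cloning route tables and flushing all of mangle/PREROUTING. It assumes that Asuswrt-Merlin's vpnrouting.sh already installs an ip rule sending packets marked 0x7000/0x7000 to the main (WAN) table, that the LAN bridge is br0 and the Plex host is 192.168.1.4 (both from the first post), that the chain name VPNBYPASS is unused, and that the router's iptables supports the -C (check) option. The bypass ranges are two of the AWS ranges listed in the first post.

```sh
#!/bin/sh
# Added example, not from the thread or the firmware: a vpnclient1-route-up that
# only sets the firmware's WAN fwmark on selected LAN traffic.
#
# Assumptions (not confirmed by the thread):
#  - vpnrouting.sh installs "ip rule ... fwmark 0x7000/0x7000 table main", so a
#    packet carrying the 0x7000 bits is routed via the WAN.
#  - The LAN bridge is br0 and the Plex host is 192.168.1.4 (as in the first post).
#  - The chain name VPNBYPASS is free and iptables supports -C.
# OpenVPN exports script_type (up, route-up, down, ...) to its hooks and the
# openvpn-event dispatcher passes that environment through, so rules are applied
# only on route-up; run by hand without script_type, the file defines functions only.

WAN_MARK="0x7000/0x7000"      # value/mask: set only these bits, leave other mark bits alone
CHAIN="VPNBYPASS"             # private chain: we flush ours, never the firmware's PREROUTING
LAN_IF="br0"
PLEX_HOST="192.168.1.4"
PLEX_TCP_PORTS="32400,32443"
BYPASS_NETS="54.176.0.0/16 54.241.0.0/16"   # two of the AWS ranges from the first post
IPT="${IPT:-iptables}"        # IPT="echo iptables" gives a dry run

ipt() { $IPT "$@"; }

# Print one rule specification per line; no side effects, so it can be inspected or tested.
bypass_rules() {
    # Replies from the Plex server on its listening ports go to remote players that
    # connected over the WAN, so they must leave via the WAN rather than the tunnel.
    printf '%s\n' "-s $PLEX_HOST -p tcp -m multiport --sport $PLEX_TCP_PORTS -j MARK --set-mark $WAN_MARK"
    # Use address ranges rather than "-d plex.tv": iptables resolves a hostname once,
    # at insert time, and the rule silently stops matching when the addresses change.
    for net in $BYPASS_NETS; do
        printf '%s\n' "-d $net -j MARK --set-mark $WAN_MARK"
    done
}

# Sanity check: accept only rules that set the WAN mark with its mask. A bare
# "--set-mark 1" would clobber the mark bits the firmware uses for its own routing.
spec_is_masked() {
    case "$1" in
        *"-j MARK --set-mark $WAN_MARK") return 0 ;;
        *) return 1 ;;
    esac
}

# Create the private chain if missing, empty it, and hook it into PREROUTING exactly once.
reset_chain() {
    ipt -t mangle -N "$CHAIN" 2>/dev/null || true
    ipt -t mangle -F "$CHAIN"
    ipt -t mangle -C PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null \
        || ipt -t mangle -A PREROUTING -i "$LAN_IF" -j "$CHAIN"
}

apply_rules() {
    reset_chain
    bypass_rules | while IFS= read -r spec; do
        if ! spec_is_masked "$spec"; then
            logger -t vpnclient1-route-up "refusing rule without WAN mask: $spec"
            continue
        fi
        # $spec is deliberately unquoted: it must split into iptables arguments
        ipt -t mangle -A "$CHAIN" $spec
    done
}

case "${script_type:-}" in
    route-up) apply_rules ;;   # called by openvpn-event for tun11 once routes are up
    *) : ;;                    # sourced or run by hand: define functions only
esac
```

Run it by hand with `IPT="echo iptables" script_type=route-up sh vpnclient1-route-up` to see the exact iptables commands before letting the dispatcher run it; in that dry run the -C check trivially succeeds, so the one-time PREROUTING hook line is not printed. Because everything lives in its own chain, re-running on every route-up is idempotent and leaves the firmware's own mangle rules untouched.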
  5. soniccool

    soniccool Occasional Visitor

    Joined:
    Apr 16, 2017
    Messages:
    12
    Got it! Awesome, I took a look. Here is what I found.

    Code:
    #!/bin/sh
    # Dispatcher: OpenVPN calls this for every instance and event. It maps the tun
    # device ($1) plus the event type (script_type, exported by OpenVPN) to a
    # per-instance script in /jffs/scripts, e.g. vpnclient1-route-up.
    
    scr_name="$(basename "$0")[$$]"
    
    case "$1" in
        tun11) vpn_name="client1" ;;
        tun12) vpn_name="client2" ;;
        tun13) vpn_name="client3" ;;
        tun14) vpn_name="client4" ;;
        tun15) vpn_name="client5" ;;
        tun21) vpn_name="server1" ;;
        tun22) vpn_name="server2" ;;
        *)     vpn_name="" ;;
    esac
    
    # Call appropriate script based on script_type
    vpn_script_name="vpn$vpn_name-$script_type"
    
    # Check script state/use nvram to save last script run. The previous value is
    # compared with the new name, so the same event for the same instance is not
    # run twice in a row.
    vpn_script_state=$(nvram get vpn_script_state)
    nvram set vpn_script_state="$vpn_script_name"
    if [ "$vpn_script_name" = "$vpn_script_state" ]; then
        echo "VPN script $vpn_script_name already run" | logger -t "$scr_name"
        exit 0
    fi
    
    # [ ] rather than [[ ]]: the latter is a bash extension, not POSIX sh
    if [ -f "/jffs/scripts/$vpn_script_name" ] ; then
        sh "/jffs/scripts/$vpn_script_name" "$@"
    else
        echo "Script not defined for event: $vpn_script_name" | logger -t "$scr_name"
        exit 0
    fi
    
    exit 0
    But I'm not sure what to name the files. Basically I just want tun11 to run the script in my first post, and the server doesn't need to run anything.

    What do I name the files in conjunction with this openvpn-event file?
     
  6. soniccool

    soniccool Occasional Visitor

    Joined:
    Apr 16, 2017
    Messages:
    12
    Also, I'm gonna try out your fwmark suggestion as mentioned, later today.
     
  7. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,702
    Location:
    UK
    For VPN Clients, the openvpn-event script will execute scripts in the form

    vpnclientX-zzzzz where X is the VPN Client instance, and zzzzz is the trigger event.

    As per the OpenVPN man page, there are several trigger points e.g. UP, DOWN etc. so using the openvpn-event script makes it easier to manage the custom scripts for each 'tun1x/tun2x' device.

    e.g. for VPN Client 1 (tun11)

    vpnclient1-up
    vpnclient1-route-up
    vpnclient1-down

    so if script openvpn-event finds an appropriate file it will execute it.

    As you're adding tun11 VPN routing rules, I would create/use the vpnclient1-route-up script.
     
    Last edited: Apr 18, 2018
  8. soniccool

    soniccool Occasional Visitor

    Joined:
    Apr 16, 2017
    Messages:
    12
    So I went ahead and did as so, and it works for my client1. But I can't start the VPN Server. It's just stuck on loading

    "Initializing the settings of OpenVPN server now, please wait a few minutes to let the server to setup completed before VPN clients establish the connection. "

    Am I supposed to have any files for the VPN Server? Or can I leave that blank?
     
  9. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,702
    Location:
    UK
    If you temporarily rename openvpn-event, does the VPN Server still fail? If so, then you will need to provide the portion of the Syslog containing the openvpn server messages from when the VPN Server startup fails.

    Unless you need to customise either of the VPN Servers then no.
     
    Last edited: Apr 18, 2018
  10. soniccool

    soniccool Occasional Visitor

    Joined:
    Apr 16, 2017
    Messages:
    12
    Yes, if I rename it, it does not fail.

    Here is the syslog with the openvpn-event you suggested and my script from above as client1 route-up. This issue has been plaguing me for a year lol.

    First I start the client1 VPN, then I start the VPN Server 1.

    Client1 works, but vpnserver1 fails.

    It won't let me post the syslog here, so here is a pastebin of the syslog.

    https://pastebin.com/RUxSvKZG
     
  11. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,702
    Location:
    UK
    Presumably you have a cron job to ensure VPN Client 1 is always running?
    Code:
    Apr 18 17:57:00 crond[791]: USER admin pid 7127 cmd service start_vpnclient1
    Apr 18 17:57:00 init: VPN_LOG_NOTE: 90: VPN Client 1 already running...
    Anyway the openvpn-event script appears to be executed correctly as expected for tun11
    Code:
    Apr 18 17:57:01 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1587 10.7.7.166 255.255.255.0 init)
    Apr 18 17:57:01 openvpn-event[7189]: Script not defined for event: vpnclient1-up
    yet strangely for tun21 ....
    Code:
    Apr 18 17:57:17 kernel: device tun21 entered promiscuous mode
    Apr 18 17:57:17 ovpn-server1[7449]: Options error: --up script fails with 'updown.sh': Permission denied (errno=13)
    Apr 18 17:57:17 ovpn-server1[7449]: Options error: Please correct this error.
    Apr 18 17:57:17 ovpn-server1[7449]: Use --help for more information.
    Apr 18 17:57:17 init: VPN_LOG_ERROR: 1387: Starting VPN instance failed...
    Can you post the output
    Code:
    ls -lah /etc/openvpn/server1
    
    cd /jffs/scripts
    ./openvpn-event tun21
     
    Last edited: Apr 19, 2018
  12. soniccool

    soniccool Occasional Visitor

    Joined:
    Apr 16, 2017
    Messages:
    12
    Yes, I will set up the cron job once it's all good.

    As for your question, here is the output:


    Doesn't seem like anything is being generated, and it also gives me permission denied when checking tun21
     
  13. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,702
    Location:
    UK
    OK on mine
    Code:
    ls -lah /etc/openvpn/server1
    
    drwx------    2 admin    root         220 Apr 19 18:52 .
    drwx------    8 admin    root         240 Apr 19 18:53 ..
    -rw-------    1 admin    root        1.2K Apr 19 18:52 ca.crt
    -rw-------    1 admin    root         916 Apr 19 18:52 ca.key
    -rw-rw-rw-    1 admin    root        6.0K Apr 19 18:52 client.ovpn
    -rw-------    1 admin    root         983 Apr 19 18:52 config.ovpn
    -rw-------    1 admin    root         432 Apr 19 18:52 dh.pem
    -rw-------    1 admin    root        1.3K Apr 19 18:52 server.crt
    -rw-------    1 admin    root         932 Apr 19 18:52 server.key
    -rw-------    1 admin    root         472 Apr 20 07:44 status
    lrwxrwxrwx    1 admin    root          27 Apr 19 18:52 updown.sh -> /jffs/scripts/openvpn-event
    Code:
    admin@RT-AC68U:/jffs/scripts# ./openvpn-event tun21
    admin@RT-AC68U:/jffs/scripts#
    but in Syslog
    Code:
    RT-AC68U user.warn openvpn-event[5767]: User openvpn-event running
    RT-AC68U user.warn openvpn-event[5767]:      Script not defined for event: vpnserver1-
    
    Hmm, I thought this little bug had been squashed.

    So, as per the RMerlin wiki User Scripts guide, at the bottom of the page it tells you that you must make ALL custom scripts executable.
    i.e. issue the following to fix it:
    Code:
    chmod a+rx /jffs/scripts/openvpn-event
    or follow the wiki instructions to make ALL files in /jffs/scripts executable (not always appropriate in my environment)

    NOTE: Confusingly, for VPN Clients, the firmware explicitly forces the 'text file' openvpn-event to always execute as a valid script (see '/usr/sbin/vpnrouting.sh'), but for the VPN Servers it doesn't, causing you frustration for the past year!
     
    Last edited: Apr 20, 2018
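The condition diagnosed above, together with the hook naming convention from the earlier reply, as an added example that is not from the thread or the firmware: a small sh helper that resolves the updown.sh symlink behind an OpenVPN server instance, reports whether the file it points at is executable, applies the chmod a+rx fix, and shows which /jffs/scripts hook names the openvpn-event dispatcher will look for. The /etc/openvpn/serverN paths are the ones in the listing above; the directory is a parameter so the checks can be pointed at a test tree. The event names up, route-up and down are the ones named earlier in the thread.

```sh
#!/bin/sh
# Added example, not from the thread or the firmware. OpenVPN executes its --up
# script directly, so the file behind /etc/openvpn/serverN/updown.sh needs the
# execute bit; a symlink to a non-executable /jffs/scripts/openvpn-event produces
# the "--up script fails with 'updown.sh': Permission denied (errno=13)" seen in
# the syslog above. Per the post above, the VPN clients do not hit this because
# vpnrouting.sh runs the file as "sh script" instead of executing it.

# hook_target DIR: print the file that DIR/updown.sh ultimately points at.
hook_target() {
    hook="$1/updown.sh"
    if [ -L "$hook" ]; then
        # readlink -f (GNU/BusyBox) follows every level; fall back to one level otherwise
        readlink -f "$hook" 2>/dev/null || readlink "$hook"
    else
        printf '%s\n' "$hook"
    fi
}

# check_hook DIR: 0 if the server hook resolves to an executable file, 1 otherwise.
check_hook() {
    hook="$1/updown.sh"
    if [ ! -e "$hook" ] && [ ! -L "$hook" ]; then
        echo "$hook: missing (server not configured or never started)"
        return 1
    fi
    target=$(hook_target "$1")
    if [ ! -e "$target" ]; then
        echo "$hook -> $target: dangling symlink"
        return 1
    fi
    if [ -x "$target" ]; then
        echo "$hook -> $target: executable, OK"
        return 0
    fi
    echo "$hook -> $target: NOT executable; fix with: chmod a+rx $target"
    return 1
}

# fix_hook DIR: apply the fix the post recommends to the hook's target.
fix_hook() {
    target=$(hook_target "$1")
    [ -e "$target" ] && chmod a+rx "$target"
}

# hook_name DEV EVENT: the per-instance script the openvpn-event dispatcher looks
# for, e.g. hook_name tun21 route-up -> vpnserver1-route-up.
hook_name() {
    case "$1" in
        tun1[1-5]) printf 'vpnclient%s-%s\n' "${1#tun1}" "$2" ;;
        tun2[12])  printf 'vpnserver%s-%s\n' "${1#tun2}" "$2" ;;
        *) return 1 ;;
    esac
}

# list_hooks DEV SCRIPTDIR: show which hook scripts exist for an instance.
# A missing hook is not an error: the dispatcher just logs "Script not defined".
list_hooks() {
    for ev in up route-up down; do
        name=$(hook_name "$1" "$ev") || return 1
        if [ -f "$2/$name" ]; then
            echo "$2/$name: present"
        else
            echo "$2/$name: not defined (event ignored, which is fine)"
        fi
    done
}

case "${1:-}" in
    check) for d in /etc/openvpn/server1 /etc/openvpn/server2; do check_hook "$d"; done ;;
    fix)   for d in /etc/openvpn/server1 /etc/openvpn/server2; do fix_hook "$d"; done ;;
    *)     : ;;   # run without arguments (or sourced): define functions only
esac
```

On the router, `sh hookcheck.sh check` reports both server instances and `sh hookcheck.sh fix` applies the chmod; running it after a firmware upgrade or a restore of /jffs catches the same permission loss before the next server start fails silently in the GUI.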