
[Solved] Dual Wan with 1 OpenVpn Client and ability to choose from which to wan to go out.


So clearly the file's corrupt. :(

Have you manually deleted the first line, saved the file, then manually re-edited it, retyped '#!/bin/sh' as the first line, saved the file, and retried running it manually from the terminal?

If cut'n'paste is beyond you then I'd give up Ha ha! :p

Anyway thanks for trying, enjoy the evening.
I'm OK now. I recreated the file from WinSCP and ran it, but here is the result:

Code:
Mar 21 21:57:05 custom script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)
Mar 21 21:57:05 (openvpnclient1.postconf): 690 Started..... [/etc/openvpn/client1/config.ovpn]
Mar 21 21:57:05 (openvpnclient1.postconf): 690 ***ERROR** VPN Client WAN BIND I/P address not found for virtual interface 'wan0'
Mar 21 21:57:05 openvpn[707]: Options error: --local and --nobind don't make sense when used together
 
Oh, there is something more in the log:
Code:
Mar 21 21:57:09 (openvpnclient1.postconf): 1182 Started..... [/etc/openvpn/client1/config.ovpn]
Mar 21 21:57:09 (openvpnclient1.postconf): 1182 VPN Client will BIND to 192.168.4.1 via interface 'vlan2'
Mar 21 21:57:09 (openvpnclient1.postconf): 1182 Complete.
Mar 21 21:57:09 openvpn[1206]: Options error: --local and --nobind don't make sense when used together

192.168.4.1 is the gateway of the WAN0.

Edit: I also now see that what you say in your script remarks works. I suppose the script is working, it just cannot delete the nobind?

Code:
admin@NETGEAR-7936:/tmp/home/root# ip route show table wan0
192.168.4.1 dev vlan2  proto kernel  scope link
192.168.6.0/24 dev vlan3  proto kernel  scope link  src 192.168.6.22
192.168.5.0/24 dev br0  proto kernel  scope link  src 192.168.5.1
192.168.4.0/24 dev vlan2  proto kernel  scope link  src 192.168.4.22
127.0.0.0/8 dev lo  scope link
default via 192.168.4.1 dev vlan2
admin@NETGEAR-7936:/tmp/home/root# ip route show table wan1
192.168.4.1 dev vlan2  proto kernel  scope link
192.168.6.21 dev vlan3  proto kernel  scope link
192.168.6.0/24 dev vlan3  proto kernel  scope link  src 192.168.6.22
192.168.5.0/24 dev br0  proto kernel  scope link  src 192.168.5.1
192.168.4.0/24 dev vlan2  proto kernel  scope link  src 192.168.4.22
127.0.0.0/8 dev lo  scope link
default via 192.168.6.21 dev vlan3
admin@NETGEAR-7936:/tmp/home/root#
 

So my shonky method works!!! - and will correctly dynamically adjust the BIND address at each VPN Client initialisation. (no need to test 'local wan1'!) Tee hee :cool:

So in the code we have this line..hastily added on recommendation by @john9527
Code:
pc_delete "nobind"                   $CONFIG   # Delete the conflicting 'nobind' option using the new 'helper' function to see if it works!

Now either
Code:
 cat /usr/sbin/helper.sh
doesn't contain the 'pc_delete' function, or I just have to again state that I won't trust these functions.

Can you try replacing that line with
Code:
sed -i "s/^nobind.*$//" $CONFIG

It should deliberately leave a 'hole' in the resulting config...to prove something was originally there but has now been removed!
 
I get this now

Code:
Mar 21 22:49:27 kernel: tun: Universal TUN/TAP device driver, 1.6
Mar 21 22:49:27 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mar 21 22:49:27 custom script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)
Mar 21 22:49:27 (openvpnclient1.postconf): 1196 Started..... [/etc/openvpn/client1/config.ovpn]
Mar 21 22:49:27 (openvpnclient1.postconf): 1196 VPN Client will BIND to 192.168.4.1 via interface 'vlan2'
Mar 21 22:49:27 (openvpnclient1.postconf): 1196 Complete.
Mar 21 22:49:27 openvpn[1221]: OpenVPN 2.3.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct  1 2016
Mar 21 22:49:27 openvpn[1221]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Mar 21 22:49:27 openvpn[1222]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 21 22:49:27 openvpn[1222]: TCP/UDP: Socket bind failed on local address [AF_INET]192.168.4.1:1194: Cannot assign requested address
Mar 21 22:49:27 openvpn[1222]: Exiting due to fatal error
Mar 21 22:49:28 openvpn[1233]: Options error: You must define CA file (--ca) or CA path (--capath)
Mar 21 22:49:28 openvpn[1233]: Use --help for more information.
Mar 21 22:49:28 syslog: VPN_LOG_ERROR: 452: Starting OpenVPN failed...

You know, it gets the gateway address... I think it must get the wan0 IP address, which is 192.168.4.22.

 
It doesn't have delete, but you can replace with a null?

Code:
#!/bin/sh

# Asuswrt-Merlin helper functions
# For use with Postconf scripts (and others)

_quote() {
        echo $1 | sed 's/[]\/()$*.^|[]/\\&/g'
}

# This function looks for a string, and inserts a specified string after it inside a given file
# $1: the line to locate, $2: the line to insert, $3: Config file where to insert
pc_insert() {
        PATTERN=$(_quote "$1")
        CONTENT=$(_quote "$2")
        sed -i "/$PATTERN/a$CONTENT" $3
}



# This function looks for a string, and replace it with a different string inside a given file
# $1: the line to locate, $2: the line to replace with, $3: Config file where to insert
pc_replace() {
        PATTERN=$(_quote "$1")
        CONTENT=$(_quote "$2")
        sed -i "s/$PATTERN/$CONTENT/" $3
}

# This function will append a given string at the end of a given file
# $1 The line to append at the end, $2: Config file where to append
pc_append() {
        echo "$1" >> $2
}
 

Well, that was a waste of my time...:mad:

So dumping the call to 'pc_delete' and doing it the 'old-skool' way with 'sed' fixes the script, but sadly not the concept.

I knew that in a single WAN0 environment, I cannot BIND VPN to the real WAN0 ISP provided address e.g. '88.xxx.xxx.xxx', hence I create the 'br0:VPN' alias to map a spare local LAN address '10.88.8.4', which then allows the BIND.

I wonder if I should create the appropriate alias in a DUAL-WAN environment?....but your 192.168.4.1 is nominally a local LAN subnet address :confused:

OK, I really do appreciate you taking time from your family....this thread makes a refreshing change for me rather than viewing the tedious and obnoxious dross recently on the forums :eek:

I'll think about it overnight.

Again, many thanks.
 
Well that £$!& explains things!! :mad::mad::mad::mad::mad::mad::mad:....so basically @john9527

https://www.snbforums.com/threads/nopool-option-openvpn-server.38149/#post-314469

lied! :eek:

Yet again the old adage "poor documentation is significantly worse than no documentation" holds true, so does "code never matches external documentation - always read the source code if you truly need to see what it actually does"!

Err what router/firmware version do you have?

Sorry didn't answer your question, Yes I could use
Code:
pc_replace "nobind" "" $CONFIG
 
Well, that was a waste of my time...:mad:

So dumping the call to 'pc_delete' and doing it the 'old-skool' way with 'sed' fixes the script, but sadly not the concept.

I knew that in a single WAN0 environment, I cannot VPN to the real WAN0 ISP provided '88.xxx.xxx.xxx' address, hence I create the 'br0:VPN' alias to map a spare local LAN address '10.88.8.4', which then allows the BIND.

I wonder if I should create the appropriate alias in a DUAL-WAN environment?....but your 192.168.4.1 is a local LAN subnet address :confused:

OK, I really do appreciate you taking time from your family....makes a refreshing change for me rather than viewing the tedious and obnoxious dross recently on the forums :eek:

I'll think about it overnight.

Again, many thanks.
I thank you m8... doing this kind of scripting is a pretty good ability that you have.
Maybe you can put the VLAN ID? I saw in the log that vlan2 is wan0 and vlan3 is wan1... just a thought.

 
Netgear R7000 :) and I was on 380.65, but I rolled back to 380.62_1 because the SIP NAT helper has a problem and my VoIP phones weren't connecting to my FreePBX server.


The replace did the trick, and here is what I get... I need to get 192.168.4.22, which is the wan0 IP, but instead I get 192.168.4.1, which is the gateway.

Code:
Mar 21 23:33:01 custom script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)
Mar 21 23:33:01 (openvpnclient1.postconf): 1176 Started..... [/etc/openvpn/client1/config.ovpn]
Mar 21 23:33:01 (openvpnclient1.postconf): 1176 VPN Client will BIND to 192.168.4.1 via interface 'vlan2'
Mar 21 23:33:01 (openvpnclient1.postconf): 1176 Complete.
Mar 21 23:33:01 openvpn[1208]: OpenVPN 2.3.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct  1 2016
Mar 21 23:33:01 openvpn[1208]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Mar 21 23:33:01 openvpn[1209]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 21 23:33:01 openvpn[1209]: TCP/UDP: Socket bind failed on local address [AF_INET]192.168.4.1:1194: Cannot assign requested address
Mar 21 23:33:01 openvpn[1209]: Exiting due to fatal error
Mar 21 23:33:02 openvpn[1222]: Options error: You must define CA file (--ca) or CA path (--capath)
Mar 21 23:33:02 openvpn[1222]: Use --help for more information.

https://github.com/RMerl/asuswrt-merlin/commit/cdefe67922a54a595c9cfd2efa9a259f642937cb
Went in 380.63_beta1

I just checked it on my fork, and it works fine (as do all the other helper functions).
No idea why it doesn't work for you.....maybe something broke in busybox 1.25.1?

It's not your fault m8... I wasn't on the latest version, and sorry for this.
 

Whatever! :D

Yet again the old adage "poor documentation is significantly worse than no documentation" still holds true.
Would it have hurt for you to explicitly state that the 'pc_delete' function was only added/available in firmware > v380.63?

P.S. Clearly during testing, 'pc_delete' does work for me on 380.66_alpha2, but Shock!/Horror! we have a self-confessed 'illegal' Netgear interloper.:eek:
 


M8, apart from the pc_delete problem, which is working with a null replacement and is no biggie, have you found the reason why the $BIND_IP variable in your script gets back the gateway IP and not the wan0 IP?
In my case the config of wan0 is
IP: 192.168.4.22
GW: 192.168.4.1
Your script works fine but gives 192.168.4.1 as the wan0 IP.
 
EDIT:
1st solution, if you know the WAN IP that you want your VPN to go out from.

Create a file in /jffs/scripts named openvpnclient1.postconf.

Put this in the file:
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "nobind" "local xxx.xxx.xxx.xxx" $CONFIG

where xxx.xxx.xxx.xxx is your WAN IP.

Reboot the router; your OpenVPN client1 connects from the specific WAN, and you can see that in syslog.
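
An added example (not part of the original posts, and not Martineau's script) covering the two problems reported above: the bind address resolving to the gateway 192.168.4.1 instead of the interface address 192.168.4.22, and `nobind` being left in the config next to `local`. The function names `wan_bind_ip` and `set_local_bind` are hypothetical, and the sample routing table is the `ip route show table wan0` output posted earlier in the thread.

```sh
#!/bin/sh
# Added example, not Martineau's script; function names are hypothetical.

# Constructed sample: the 'ip route show table wan0' output posted in the thread.
SAMPLE_ROUTES='192.168.4.1 dev vlan2  proto kernel  scope link
192.168.6.0/24 dev vlan3  proto kernel  scope link  src 192.168.6.22
192.168.5.0/24 dev br0  proto kernel  scope link  src 192.168.5.1
192.168.4.0/24 dev vlan2  proto kernel  scope link  src 192.168.4.22
127.0.0.0/8 dev lo  scope link
default via 192.168.4.1 dev vlan2'

# Read routing-table text on stdin and print the router's own address on the
# WAN: take the device of the default route, then the 'src' of that device's
# connected route. The 'via' address is the gateway and cannot be bound.
wan_bind_ip() {
    awk '
        { dev = ""; src = ""
          for (i = 1; i < NF; i++) {
              if ($i == "dev") dev = $(i + 1)
              if ($i == "src") src = $(i + 1)
          }
          if ($1 == "default") wan = dev
          else if (src != "") addr[dev] = src
        }
        END { if (wan != "" && addr[wan] != "") print addr[wan]; else exit 1 }'
}

# Swap 'nobind' for 'local <ip>' in an OpenVPN client config.
# $1: config file (the argument a .postconf script receives), $2: bind address
set_local_bind() {
    # Guard the case of running the script without the config-file argument.
    [ -n "$1" ] && [ -f "$1" ] || { echo "usage: set_local_bind CONFIG IP" >&2; return 2; }
    case "$2" in
        ''|*[!0-9.]*) echo "no usable bind address: '$2'" >&2; return 1 ;;
    esac
    tmp="$1.tmp.$$"
    # --local and --nobind conflict, so drop 'nobind' and any earlier 'local'
    # line (including a pseudo-directive such as 'local wan0') before adding.
    sed -e '/^nobind[[:space:]]*$/d' -e '/^local[[:space:]]/d' "$1" > "$tmp" &&
        echo "local $2" >> "$tmp" && mv "$tmp" "$1"
}

# Demo on the sample table: prints the interface address, not the gateway.
printf '%s\n' "$SAMPLE_ROUTES" | wan_bind_ip
```

On the router, the input to `wan_bind_ip` would be the live output of `ip route show table wan0` rather than the embedded sample.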

Unfortunately this is not working.

When I manually start openvpnclient1.postconf , I get this error:

sed: -i requires an argument
 
Did you provide the configuration file argument when you started it manually?
Code:
./openvpnclient1.postconf   /etc/openvpn/client1/config.ovpn

NOTE: It is actually easier to use the VPN Custom Configuration OpenVPN directive
Code:
local xxx.xxx.xxx.xxx
or
Code:
local ddns_name
However, I use .postconf to accept/recognise a pseudo OpenVPN directive
e.g.
Code:
local wan1
to translate the interface name into the appropriate IP address currently in use by the target WAN.
Code:
(start-vpnclient1): 30980 User Service event script args = [start vpnclient1]
(start-vpnclient1): 30980 User Service event Complete.

custom_script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)
(openvpnclient1.postconf): 31716 v1.02 Started..... [/etc/openvpn/client1/config.ovpn]
(openvpnclient1.postconf): 31716 VPN Client 1 will BIND to 78.xxx.xxx.xxx.xxx via virtual interface 'wan1'

(openvpnclient1.postconf): 31716 NVRAM vpn_client1_custom Updated in the GUI
 
To start with: When I put 'local xxx.xxx.xxx.xxx' in the custom configuration, it doesn't work.

I use merlin 384.13 on AC2900
 
And when I put the argument I get the error

sed: -i requires an argument



Syslog shows:
Aug 10 13:47:29 custom_script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn)


but is missing this part:
(openvpnclient1.postconf): 31716 v1.02 Started..... [/etc/openvpn/client1/config.ovpn]
(openvpnclient1.postconf): 31716 VPN Client 1 will BIND to 78.xxx.xxx.xxx.xxx via virtual interface 'wan1'

(openvpnclient1.postconf): 31716 NVRAM vpn_client1_custom Updated in the GUI
 
@Martineau,

Hi Martineau, your script may be a possible solution for my situation.

I would like to route openvpnclient2 through the existing openvpnclient1 (connection established). Is it possible with your script?

I have tried to bind with the local IP of openvpnclient1 and the public IP of openvpnclient1 to openvpnclient2, but neither works. Both ways errored out.

Is it possible with Asus-merlin for my situation?


Thanks,
Thomas
 
Hi all,

Having a problem with this script.

I needed it because once I enabled DualWAN in load balancing mode while my ASUS was an OpenVPN client to work (completely separate /24) - my ASUS could ping remote clients over VPN but ASUS WiFi clients couldn't. Turn off dual wan and it worked.

Using this script and adding "local wan0" to openvpn config worked. (In fact, ASUS stopped being able to ping from terminal but WiFi clients could)

However, if the secondary WAN goes down or fails to start (which it often does, the well known toggle on/off bug) - openvpn fails to start with unable to find wan0.

I get that I'm stuck on a single WAN even when LB'ed for my OpenVPN connection (hence the forced routing through it) since it's encapsulated...
but it would be nice to have the OpenVPN Client still work even if secondary WAN goes down - without a reconfig.

Even nicer would be if Primary WAN failed it would respin the VPN connection from secondary WAN and continue routing my WiFi Clients - but perhaps that's asking too much

Edit: spelling
 
