Guest Posted ...

My problem is that when the VPN disconnects, I have to reboot the router. How do I fix this problem? And how do I block traffic in DD-WRT when the VPN isn't running?
Staff Posted ...

> My problem is that when the VPN disconnects, I have to reboot the router. How do I fix this problem?

Hello!

The resolv-retry infinite directive in our configuration files should already force openvpn to try a reconnection as soon as the connection with an Air server is lost. However, if the DD-WRT OpenVPN has crashed you need either to reboot or to prepare a script which re-launches OpenVPN.

You might also try to run OpenVPN as a daemon and prepare a startup script to launch it, based on our ca.crt, user.crt, user.key and air.ovpn. A script would look like this (it's assumed that openvpn is in /usr/sbin):

```sh
cd /tmp
# create the tun0 device so it exists before OpenVPN starts
/usr/sbin/openvpn --mktun --dev tun0

# write the OpenVPN profile (quoted heredoc: the content is copied verbatim)
cat > air.ovpn <<'EOF'
# Here just paste your air.ovpn file content...
daemon
# ...but note the addition of the directive daemon
# end of air.ovpn paste
EOF

cat > ca.crt <<'EOF'
-----BEGIN CERTIFICATE-----
…INSERT ca.crt CONTENT HERE…
-----END CERTIFICATE-----
EOF

cat > user.crt <<'EOF'
-----BEGIN CERTIFICATE-----
…INSERT user.crt HERE…
-----END CERTIFICATE-----
EOF

cat > user.key <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
…INSERT user.key HERE…
-----END RSA PRIVATE KEY-----
EOF

# the private key must not be readable by other users
chmod 600 user.key

# give the router time to bring up networking before dialing
sleep 12

# launch OpenVPN through a symlink named airvpn, using the profile written above
ln -s /usr/sbin/openvpn /tmp/airvpn
/tmp/airvpn --config air.ovpn
```

Kind regards
Guest Posted ...

Thank you for your answer. It doesn't run, but it's not a problem. My main issue is how to block traffic when the VPN is not connected. Does anybody have a solution?
Staff Posted ...

> Thank you for your answer. It doesn't run, but it's not a problem. My main issue is how to block traffic when the VPN is not connected. Does anybody have a solution?

Hello!

You might use iptables. See here for a significant example, and adapt it to your DD-WRT router: http://www.linuxforums.org/forum/networking/178976-how-only-allow-openvpn-connections-iptables.html

Keep in mind that:

- Air uses a tun interface;
- change the "lo" interface according to your DD-WRT router;
- the xx.xx.xx.xx IP address reported in the example must be changed to the Air server entry-IP address, not the exit-IP (add as many rules as you wish, one for each entry-IP address, in case you want to switch Air server from the DD-WRT OpenVPN web interface). You will find the entry-IP address of each server in the air.ovpn file generated for that server, on the "remote" line.

Kind regards
Guest Posted ...

Thank you, but I don't understand what I have to do... In my case (with a 95.211.98.154 VPN IP), should I create a custom script in DD-WRT with these command lines?

```
# Generated by iptables-save v1.4.10 on Mon May 23 18:02:08 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 95.211.98.154 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 95.211.98.154 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Mon May 23 18:02:08 2011
```
Staff Posted ...

> Thank you, but I don't understand what I have to do... In my case (with a 95.211.98.154 VPN IP), should I create a custom script in DD-WRT with these command lines?
>
> ```
> # Generated by iptables-save v1.4.10 on Mon May 23 18:02:08 2011
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i tun+ -j ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 95.211.98.154 -j ACCEPT
> -A INPUT -j DROP
> -A OUTPUT -o tun+ -j ACCEPT
> -A OUTPUT -d 95.211.98.154 -j ACCEPT
> -A OUTPUT -j DROP
> COMMIT
> # Completed on Mon May 23 18:02:08 2011
> ```

Hello!

That is neither a script nor command lines, but a configuration (iptables-save format).

With DD-WRT, it might be better to insert the rules as you did before for the connection setup: as a list of iptables commands. Please see https://airvpn.org/ddwrt/ paragraph "DD-WRT Firewall rules". Also, check the "lo" interface: it is very probable that on your DD-WRT you use "br0".

A simple example of rules to block all outgoing packets except those toward the Air server whose entry-IP is 95.211.98.154, assuming a "default" DD-WRT firmware with OpenVPN flavour and tun0 as tun interface:

```sh
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# if destination for outgoing packets (on br0 only!) is NOT 95.211.98.154, drop the packet
iptables -I OUTPUT -o br0 \! --dst 95.211.98.154 -j DROP
```

Insert the above rules as specified in the aforementioned tutorial.

Kind regards
a1frommars Posted ...

> A simple example of rules to block all outgoing packets except those toward the Air server whose entry-IP is 95.211.98.154, assuming a "default" DD-WRT firmware with OpenVPN flavour and tun0 as tun interface:
>
> ```sh
> iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
> iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
> iptables -I INPUT -i tun0 -j REJECT
> iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
> # if destination for outgoing packets (on br0 only!) is NOT 95.211.98.154, drop the packet
> iptables -I OUTPUT -o br0 \! --dst 95.211.98.154 -j DROP
> ```

Hey, is there any way to do this with a country-based configuration? I'm not using a single server; I use nl.vpn.airdns.org.

Kind regards
Khariz Posted ...

Can iptables not resolve nl.vpn.airdns.org? I was reading an entry by someone on an Ubuntu forum a few minutes ago: https://ubuntuforums.org/showthread.php?t=1537138&s=e855fd7706794071ede694d02dbb8ca1&p=9633457#post9633457

Granted, what he is doing with iptables is different from what you are doing, but have you tried plugging nl.vpn.airdns.org into there and seeing if it works?
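The staff rule set above protects a single entry-IP with a negated `--dst` match, which does not generalise: two negated DROP rules for two servers would drop everything. The script below is an added example, not code from the thread or from AirVPN: it reads the "remote" line of one or more air.ovpn profiles (as the staff post suggests), and emits one ACCEPT per entry-IP above a catch-all DROP, so the same rule set covers several servers, or a country name such as nl.vpn.airdns.org. The interface names br0 and tun0 are taken from the staff post and are assumptions; the second server address 198.51.100.7 is a constructed documentation address.

```shell
#!/bin/sh
# Added example (not from the thread): generate a DD-WRT kill-switch rule set
# from the "remote" lines of one or more air.ovpn files, so that the outbound
# exception covers every entry-IP the router may dial.
# br0 (LAN bridge) and tun0 (VPN) follow the staff post; both are assumptions
# and should be checked against "ifconfig" on the router.

LAN_IF="${LAN_IF:-br0}"
TUN_IF="${TUN_IF:-tun0}"

# Print the target of every "remote <host> <port>" line in the given .ovpn
# files, one per line, duplicates removed. An IP is printed as-is; a hostname
# such as nl.vpn.airdns.org is passed through and resolved by iptables once,
# at the moment the rule is inserted.
entry_ips() {
    for f in "$@"; do
        awk '$1 == "remote" && NF >= 2 { print $2 }' "$f"
    done | sort -u
}

# Emit the iptables commands to stdout instead of applying them, so they can
# be reviewed and then pasted into the DD-WRT firewall script.
# Rule order matters: the catch-all DROP is inserted first, then each ACCEPT
# is inserted with -I at the top of the chain, so ACCEPTs are evaluated first.
killswitch_rules() {
    echo "iptables -I FORWARD -i $LAN_IF -o $TUN_IF -j ACCEPT"
    echo "iptables -I FORWARD -i $TUN_IF -o $LAN_IF -j ACCEPT"
    echo "iptables -I INPUT -i $TUN_IF -j REJECT"
    echo "iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE"
    echo "iptables -I OUTPUT -o $LAN_IF -j DROP"
    entry_ips "$@" | while read -r host; do
        echo "iptables -I OUTPUT -o $LAN_IF -d $host -j ACCEPT"
    done
}

# Demo on constructed input: two sample profiles written to a temporary
# directory. 95.211.98.154 is the entry-IP discussed in the thread;
# 198.51.100.7 is a made-up documentation address standing in for a second server.
demo() {
    dir=$(mktemp -d)
    printf 'client\ndev tun\nremote 95.211.98.154 443\n' > "$dir/air1.ovpn"
    printf 'client\nremote 198.51.100.7 443\nremote 95.211.98.154 443\n' > "$dir/air2.ovpn"
    killswitch_rules "$dir"/*.ovpn
    rm -rf "$dir"
}

demo
```

Run it once at boot (the rules use -I, so running it twice duplicates them), and re-run it after changing profiles: a round-robin name is resolved only when the rule is inserted, so addresses added to the pool later are not covered until the rules are regenerated.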