How to auto reconnect VPN in DD-WRT


Guest

My problem is that when the VPN disconnects, I have to reboot the router.

How do I fix this problem? And how do I block traffic in DD-WRT when the VPN isn't running?


My problem is that when the VPN disconnects, I have to reboot the router.

How do I fix this problem?

Hello!

The "resolv-retry infinite" directive in our configuration files should already force OpenVPN to try a reconnection as soon as the connection with an Air server is lost. However, if the DD-WRT OpenVPN has crashed you need either to reboot or to prepare a script which re-launches OpenVPN.

You might also try to run OpenVPN as daemon and prepare a startup script to launch it, based on our ca.crt, user.crt, user.key and air.ovpn.

A script would look like this (it's assumed that openvpn is in /usr/sbin)

#!/bin/sh
cd /tmp

# Create a persistent tun0 so the interface survives an OpenVPN restart
/usr/sbin/openvpn --mktun --dev tun0

# Write air.ovpn (quoted heredoc, so nothing inside is expanded by the shell)
cat > air.ovpn <<'EOF'
# Here just paste your air.ovpn file content...
daemon
# ...but note the addition of the directive daemon
# end of air.ovpn paste
EOF

cat > ca.crt <<'EOF'
-----BEGIN CERTIFICATE-----
…INSERT ca.crt CONTENT HERE…
-----END CERTIFICATE-----
EOF

cat > user.crt <<'EOF'
-----BEGIN CERTIFICATE-----
…INSERT user.crt HERE…
-----END CERTIFICATE-----
EOF

cat > user.key <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
…INSERT user.key HERE…
-----END RSA PRIVATE KEY-----
EOF
chmod 600 user.key          # the private key must not be readable by other users

sleep 12                    # give the WAN link time to come up before connecting
ln -sf /usr/sbin/openvpn /tmp/airvpn   # symlink so the process is listed as "airvpn"
/tmp/airvpn --config air.ovpn

Kind regards
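The reply above says that a crashed OpenVPN needs a script that re-launches it. The following is an added example of such a watchdog, not code from the original post or from AirVPN. It assumes the startup script above has already written /tmp/air.ovpn and the /tmp/airvpn symlink, that the tunnel interface is tun0, and that OpenVPN is started with --writepid so its pid lands in /tmp/airvpn.pid; all of those paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from AirVPN: a cron-driven
# watchdog for DD-WRT that relaunches OpenVPN when its process has died
# ("resolv-retry infinite" only helps while the process is still alive).
# Assumptions: the startup script from the post has written /tmp/air.ovpn and
# the /tmp/airvpn symlink, the tunnel interface is tun0, and OpenVPN is
# started with --writepid so its pid is in /tmp/airvpn.pid.

PIDFILE=${PIDFILE:-/tmp/airvpn.pid}
OVPN=${OVPN:-/tmp/airvpn}        # symlink to /usr/sbin/openvpn from the startup script
CONFIG=${CONFIG:-/tmp/air.ovpn}
TUN=${TUN:-tun0}
LOG=${LOG:-/tmp/vpn_watchdog.log}

# pid_alive PIDFILE: succeeds if PIDFILE holds a numeric pid of a live process
pid_alive() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;    # empty or not a number: treat as dead
    esac
    kill -0 "$pid" 2>/dev/null
}

# tun_up IFACE: succeeds once the tunnel interface exists, i.e. OpenVPN
# has finished its handshake
tun_up() {
    [ -d "/sys/class/net/$1" ]
}

# vpn_state PIDFILE IFACE: prints "ok", "connecting" (process alive, tunnel
# not up yet) or "dead". Only "dead" triggers a restart, so a reconnect that
# resolv-retry is already handling is not killed half-way.
vpn_state() {
    if pid_alive "$1"; then
        if tun_up "$2"; then echo ok; else echo connecting; fi
    else
        echo dead
    fi
}

# restart_vpn: clear any stale instance, then start OpenVPN detached,
# recording its pid for the next watchdog run
restart_vpn() {
    echo "$(date) openvpn not running, restarting" >> "$LOG"
    killall openvpn airvpn 2>/dev/null
    "$OVPN" --config "$CONFIG" --daemon --writepid "$PIDFILE"
}

# Save as /tmp/vpn_watchdog.sh and add to the DD-WRT cron jobs
# (Administration > Management): */2 * * * * root /tmp/vpn_watchdog.sh run
case "${1:-}" in
    run)
        if [ "$(vpn_state "$PIDFILE" "$TUN")" = dead ]; then
            restart_vpn
        fi
        ;;
esac
```

Without the "run" argument the script only defines its functions, so it can be sourced and tested. The three-way state matters: restarting whenever tun0 is absent would kill OpenVPN in the middle of the reconnect that resolv-retry is already performing.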

Guest

Thank you for your answer. It doesn't run, but it's not a problem.

My main issue is how to block traffic when the VPN is not connected. Does anybody have a solution?


Thank you for your answer. It doesn't run, but it's not a problem.

My main issue is how to block traffic when the VPN is not connected. Does anybody have a solution?

Hello!

You might use iptables. See here for a significant example, and adapt it to your DD-WRT router. Keep in mind that:

- Air uses a tun interface;

- change the "lo" interface according to your DD-WRT router;

- the xx.xx.xx.xx IP address reported in the example must be changed to the Air server entry-IP server address, not the exit-IP (add as many rules as you wish for each entry-IP address, in case you want to switch Air server from the DD-WRT OpenVPN web interface). You will find the entry-IP address of each server on the air.ovpn file generated for that server, line "remote".

http://www.linuxforums.org/forum/networking/178976-how-only-allow-openvpn-connections-iptables.html

Kind regards

Guest

Thank you, but I don't understand what I have to do...

In my case (with a 95.211.98.154 VPN IP), should I create a custom script in DD-WRT with these command lines?

# Generated by iptables-save v1.4.10 on Mon May 23 18:02:08 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 95.211.98.154 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 95.211.98.154 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Mon May 23 18:02:08 2011


Thank you, but I don't understand what I have to do...

In my case (with a 95.211.98.154 VPN IP), should I create a custom script in DD-WRT with these command lines?

# Generated by iptables-save v1.4.10 on Mon May 23 18:02:08 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 95.211.98.154 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 95.211.98.154 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Mon May 23 18:02:08 2011

Hello!

That is neither a script nor command lines, but a configuration.

With DD-WRT, it might be better to insert the rules as you did before for the connection setup: as a list of iptables commands. Please see https://airvpn.org/ddwrt/ paragraph "DD-WRT Firewall rules". Also, check the "lo" interface, it is very probable that on your DD-WRT you use "br0".

A simple example of rules to block all outgoing packets except those toward the Air server whose entry-IP is 95.211.98.154 and assuming a "default" DD-WRT firmware with OpenVPN flavour and tun0 as tun interface:

WAN=$(nvram get wan_iface)   # the Internet-facing interface (e.g. vlan2, eth0 or ppp0); br0 is the LAN bridge, so matching "-o br0" in OUTPUT would cut the router off from its own LAN clients instead of from the Internet
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o $WAN -j DROP    # LAN clients' traffic is forwarded, not OUTPUT: keep it off the WAN while the tunnel is down
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -I OUTPUT -o $WAN ! --dst 95.211.98.154 -j DROP  # if destination for the router's own outgoing packets (on the WAN interface only!) is NOT 95.211.98.154, drop the packet

Insert the above rules as specified in the aforementioned tutorial.

Kind regards


A simple example of rules to block all outgoing packets except those toward the Air server whose entry-IP is 95.211.98.154 and assuming a "default" DD-WRT firmware with OpenVPN flavour and tun0 as tun interface:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -I OUTPUT -o br0 \! --dst 95.211.98.154 -j DROP  # if destination for outgoing packets (on br0 only!) is NOT 95.211.98.154, drop the packet

Hey,

is there any way to do this with a country-based configuration? I'm not using a single server; I use nl.vpn.airdns.org.

Kind regards


Can iptables not resolve nl.vpn.airdns.org?

I was reading an entry by someone on an Ubuntu forum a few minutes ago: https://ubuntuforums.org/showthread.php?t=1537138&s=e855fd7706794071ede694d02dbb8ca1&p=9633457#post9633457

Granted, what he is doing with iptables is different from what you are doing, but have you tried plugging nl.vpn.airdns.org into there and seeing if it works?
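On the last two questions (the kill-switch rules from the AirVPN reply, and whether they can be written for a country name such as nl.vpn.airdns.org instead of one entry-IP): iptables does accept a hostname after -d, but it resolves it once, when the rule is inserted, and adds one rule per address returned at that moment; it never re-resolves. The following is an added example, not code from the thread or from AirVPN, of a DD-WRT kill switch that resolves the name itself, installs one ACCEPT per address and can be rerun from cron so the rules track the DNS answer. Interface names (br0 for the LAN, tun0 for the tunnel, the WAN read from nvram), the chain names vpnkill_fwd and vpnkill_out, and the sample addresses in the test are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread or from AirVPN: a DD-WRT
# kill switch that works with a hostname-based "remote" such as
# nl.vpn.airdns.org. iptables matches addresses only; a hostname given to -d
# is resolved once, when the rule is inserted, and never again. So this script
# resolves the name itself, emits one ACCEPT per address, and is meant to be
# rerun (from cron) so the rules follow the DNS answer. The interface names
# (br0 LAN, tun0 tunnel, WAN from nvram) and the chain names vpnkill_fwd /
# vpnkill_out are assumptions for a stock DD-WRT OpenVPN build.

# extract_ipv4: read busybox nslookup output on stdin and print every
# dotted-quad answer that follows the "Name:" line (handles both the old
# "Address 1: x" and the newer "Address: x" layouts; the resolver's own
# address is printed before "Name:" and is therefore skipped)
extract_ipv4() {
    awk '/^Name:/ { answers = 1; next }
         answers && /^Address/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
         }'
}

# resolve_host NAME: IPv4 addresses of NAME, one per line. Needs working DNS,
# so it runs before the OUTPUT drop is (re)installed.
resolve_host() {
    nslookup "$1" 2>/dev/null | extract_ipv4
}

# killswitch_rules WAN TUN LAN IP...: print the iptables commands instead of
# running them, so they can be reviewed first. The rules live in two dedicated
# chains that are flushed on every run, which makes the script safe to rerun
# when the resolved addresses change (repeated "-I" would pile up duplicates).
killswitch_rules() {
    wan=$1; tun=$2; lan=$3; shift 3
    cat <<EOF
iptables -N vpnkill_fwd 2>/dev/null; iptables -F vpnkill_fwd
iptables -N vpnkill_out 2>/dev/null; iptables -F vpnkill_out
iptables -L FORWARD -n | grep -q vpnkill_fwd || iptables -I FORWARD -j vpnkill_fwd
iptables -L OUTPUT -n | grep -q vpnkill_out || iptables -I OUTPUT -j vpnkill_out
iptables -t nat -L POSTROUTING -nv | grep -qw $tun || iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE
# LAN clients: through the tunnel or not at all (their traffic is FORWARDed,
# so OUTPUT rules never see it)
iptables -A vpnkill_fwd -i $lan -o $tun -j ACCEPT
iptables -A vpnkill_fwd -i $tun -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A vpnkill_fwd -i $lan -o $wan -j DROP
# the router itself: through the tunnel, or directly to an entry-IP only
iptables -A vpnkill_out -o $tun -j ACCEPT
EOF
    for ip in "$@"; do
        echo "iptables -A vpnkill_out -o $wan -d $ip -j ACCEPT"
    done
    echo "iptables -A vpnkill_out -o $wan -j DROP"
}

# Usage (DD-WRT firewall script, then rerun from cron so the entry-IPs stay
# current): /tmp/killswitch.sh nl.vpn.airdns.org
# If the name cannot be resolved the existing rules are left in place: the
# switch fails closed rather than open.
if [ -n "${1:-}" ]; then
    ips=$(resolve_host "$1")
    [ -n "$ips" ] || { echo "cannot resolve $1, leaving rules untouched" >&2; exit 1; }
    killswitch_rules "$(nvram get wan_iface)" tun0 br0 $ips | sh
fi
```

One caveat when air.ovpn itself says "remote nl.vpn.airdns.org": OpenVPN has to resolve that name over the WAN before tun0 exists, and the OUTPUT drop above blocks that lookup. Either pin the addresses in air.ovpn as several "remote <ip>" lines (the same list resolve_host prints), or add an explicit udp/53 exception to your upstream resolver, keeping in mind that dnsmasq on the router would then forward LAN clients' DNS queries through that exception while the tunnel is down.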
