REQ: Dual VPN client configurations (2 VPN tunnels)

DD-WRT Forum Index -> Broadcom SoC based Hardware
Brianwuz (DD-WRT User; joined 10 Feb 2010; 104 posts)
Posted: Thu Jan 25, 2018 10:33    Post subject: REQ: Dual VPN client configurations (2 VPN tunnels)
Router Model: Netgear R8000
Firmware Version: DD-WRT v3.0-r34320M kongac (01/03/18)
Kernel Version: Linux 4.4.109-rc1 #482 SMP Wed Jan 3 15:42:11 CET 2018 armv7l

Requesting the addition of a second VPN client configuration page like Tomato has. I have done a lot of searching and tried creating scripts that will bring up 2 tunnels and selectively route IPs through ISP, tun0 and tun1, but without success.

Brian
Brianwuz (DD-WRT User; joined 10 Feb 2010; 104 posts)
Posted: Fri Jan 26, 2018 21:21
eibgrad, thanks for your insight into Tomato's dual VPN setup. I have been working on scripts to create the two tunnels and will report back here with any successes for anyone else interested. Perhaps if we get a good script that is solid and works, providing IP-based routing to the 3 paths (ISP, tun0 and tun1), then eventually it can be added to the GUI.

Brian
slice1900 (DD-WRT User; joined 18 Feb 2013; 99 posts)
Posted: Fri Jan 26, 2018 23:44
I'm guessing this is probably a pretty niche requirement, so it isn't likely to get added in the GUI. But if they were going to do that, just adding the option for a second VPN would be the wrong approach.

You'd want to make it generic similar to stuff like bridges, VAPs etc. are generic and have an "add" button to add as many VPNs as you like.

IMHO it doesn't really make sense to add stuff like this to the GUI that is more of a power user thing, because the power users can figure out how to do it with a script. There are a lot of things that would (hopefully) be higher on their list. Like hey, how about traffic/bandwidth stats per IP/MAC, or a way to dump the traffic of a specific connection to a log file for troubleshooting...
Brianwuz (DD-WRT User; joined 10 Feb 2010; 104 posts)
Posted: Sat Jan 27, 2018 9:00
slice1900 wrote:

IMHO it doesn't really make sense to add stuff like this to the GUI that is more of a power user thing, because the power users can figure out how to do it with a script. There are a lot of things that would (hopefully) be higher on their list. Like hey, how about traffic/bandwidth stats per IP/MAC, or a way to dump the traffic of a specific connection to a log file for troubleshooting...


BrainSlayer's Special Edition that he sells in the store has QoS per IP. Not sure what else extra it has, as I haven't looked at it in a while. I did pay for it, but it never supported the routers I had, so I could never use it.

Brian
maybeonly (DD-WRT Novice; joined 15 Mar 2007; 46 posts)
Posted: Sun Jan 28, 2018 5:41
Two or more tunnels can work fine, if separate routing tables (by 'ip route' commands) and routing rules (by 'ip rule' commands) are available.
In my opinion, as this function is not a common requirement, and it is possible through the command line, it is OK without a GUI.
Of course, network namespaces will work better and we can do more with them. If developers can compile ip netns into the kernel, it will be great.
Brianwuz (DD-WRT User; joined 10 Feb 2010; 104 posts)
Posted: Sun Jan 28, 2018 8:58
Update 1

I copied the files that the GUI creates from /tmp/openvpncl to /jffs/openvpncl. I can disable the GUI and run the scripts, and the tunnel comes up and works. There are routes that are pushed from the server into the client. I need to run openvpn with the option --route-noexec; instead of applying the routes itself, it will hand them to the route-up script, where I can see all that it does and modify it.

Brian
janikeu (DD-WRT Novice; joined 01 Apr 2017; 1 post)
Posted: Sun Jan 28, 2018 14:56
Hi,

Here is a part of my startup script to create a second VPN server (of course you have to customize it for your config), but I think it may help you.

Code:
#OpenVPNsrv2 config
echo `date +'%F %T'` " " "Startup script openvpnsrv2 setup started..." >> /var/log/startup
cd /tmp
# run the second server under its own name so it can be told apart from the GUI instance in ps
ln -s /usr/sbin/openvpn /tmp/openvpnsrv2

#setup router-router interfaces
openvpn --mktun --dev tap3
brctl addif br3 tap3 #add tap3 to the bridge (br3)
#brctl addif br14 tap3 #add tap3 to the bridge (br14)
#brctl addif br15 tap3 #add tap3 to the bridge (br15)
ifconfig tap3 0.0.0.0 promisc up

# Config (regenerated in /tmp on every boot; the certs and scripts under /tmp/openvpn
# must already be in place, and the management port and pid file must differ from
# the first server's so the two instances do not collide)
echo "
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpndsrv2.pid
management 127.0.0.1 12
management-log-cache 100
topology subnet
script-security 2
port 1303
proto udp4
cipher aes-256-cbc
auth sha512
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool-srv2 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server-bridge 192.168.103.1 255.255.255.0 192.168.103.60 192.168.103.64
#server-bridge 192.168.114.1 255.255.255.0 192.168.114.60 192.168.114.64
#server-bridge 192.168.115.1 255.255.255.0 192.168.115.60 192.168.115.64
dev tap3
#push "route 192.168.103.0 255.255.255.0"
" > /tmp/openvpn/openvpn-srv2.conf

#start openvpnsrv2
/tmp/openvpnsrv2 --config /tmp/openvpn/openvpn-srv2.conf --route-up /tmp/openvpn/route-up.sh --route-pre-down /tmp/openvpn/route-down.sh --daemon
sleep 1
echo `date +'%F %T'` " " "Startup script openvpnsrv2 setup ended." >> /var/log/startup
Brianwuz (DD-WRT User; joined 10 Feb 2010; 104 posts)
Posted: Tue Jan 30, 2018 1:13
Janikeu,
I will examine your methods, but I am trying to get a second tun, not a tap, and some of the options in the .conf file are only for tap devices.
Brian
quarkysg (DD-WRT User; joined 03 May 2015; 323 posts)
Posted: Tue Jan 30, 2018 9:00
My DIR-880L running my own dd-wrt build connects to 3 VPN servers with the VPN client scripts that I wrote. The GUI is too cumbersome for me to use effectively and is limited to 1 client, so I wrote my own scripts to start up and connect to all 3 sites' OpenVPN servers. This allows me to manage the remote routers.

So it is perfectly achievable using dd-wrt builds. Your router just needs to have enough juice to run so many processes.
Brianwuz (DD-WRT User; joined 10 Feb 2010; 104 posts)
Posted: Tue Jan 30, 2018 9:48
quarkysg wrote:
My DIR-880L running my own dd-wrt build connects to 3 VPN servers with the VPN client scripts that I wrote. The GUI is too cumbersome for me to use effectively and is limited to 1 client, so I wrote my own scripts to start up and connect to all 3 sites' OpenVPN servers. This allows me to manage the remote routers.

So it is perfectly achievable using dd-wrt builds. Your router just needs to have enough juice to run so many processes.


Any chance you could share these scripts? :)

Brian
ludacrisvp (DD-WRT User; joined 21 Feb 2015; 102 posts)
Posted: Tue Jan 30, 2018 23:26
I too attempted to get a second TUN interface going for a second VPN connection.
As OpenVPN is limited to 1 thread and I have a dual-core router, I was wanting to get 2 running and have some load balancing and some VPN redundancy. I get that one machine won't be able to take advantage of both links for a single connection; however, in some scenarios it could use both pipes, and other machines would be able to use the extra bandwidth.

I was able to get multiple TUNs up / active and connected to the VPN provider at the same time, but I could never get traffic to route properly. Meaning that I could send traffic out both individually, but nothing would come back on one of the links.

_________________
Routers:
WXR-1900DHP - Active (main) - v3.0-r36070M kongac (05/31/18 )
WZR-N600DHP - Wired AP - v3.0-r33679 BS (11/04/17)
WNDR-3400 - retired to its box for several years
ludacrisvp (DD-WRT User; joined 21 Feb 2015; 102 posts)
Posted: Tue Jan 30, 2018 23:38
Note this is pulled from a startup script I have ... some sections removed for this post.
Also, the VPN sections are commented out right now.

Code:

# cat /jffs/startup-script.sh
#!/bin/sh

logger -t custom-script 'Starting script run'
# the stock shortcut-fe (SFE) accelerator bypasses policy-based routing (PBR),
# so it is swapped for a PBR-aware build before any ip rule is added
logger -t custom-script 'Unloading SFE that does not work with PBR'
/sbin/rmmod /lib/modules/4.4.95/shortcut-fe.ko
logger -t custom-script 'Loading PBR enabled custom SFE'
/sbin/insmod /jffs/shortcut-fe-32622+.ko
echo 4 > /sys/fast_classifier/offload_at_pkts

##### Add aliases
echo "alias ll='ls -plah --full-time --color=always'" >> /tmp/root/.profile
echo "alias ls='ls -pa --color=always'" >> /tmp/root/.profile
echo "alias ps='ps lT'" >> /tmp/root/.profile
echo "alias vpn='ps lT|grep vpn|grep -v grep; tail /tmp/mnt/sda1/vpn-tun*'" >> /tmp/root/.profile
echo "alias nano='vi'" >> /tmp/root/.profile


##################
# inactive section
##################
#logger -t custom-script 'Starting OpenVPN tun2'
#mknod /dev/tun2 c 10 200
#mknod /dev/net/tun2 c 10 200
#openvpn --config /jffs/openvpn/vpn2/openvpn-tun2.conf --route-up /jffs/openvpn/vpn2/route-up.sh --route-pre-down /jffs/openvpn/vpn2/route-down.sh --daemon
#sleep 1
#logger -t custom-script 'Starting OpenVPN tun3'
#mknod /dev/tun3 c 10 200
#mknod /dev/net/tun3 c 10 200
#openvpn --config /jffs/openvpn/vpn3/openvpn-tun3.conf --route-up /jffs/openvpn/vpn3/route-up.sh --route-pre-down /jffs/openvpn/vpn3/route-down.sh --daemon
##################
##################

# VPN bypass: hosts listed in the no_vpn_lst nvram variable (space-separated IPs)
# are sent straight to the ISP gateway via routing table 10 instead of following
# the VPN default route that OpenVPN installs in the main table
logger -t custom-script 'Starting OpenVPN Bypass PBR'
NO_VPN_LST=`nvram get no_vpn_lst`
[ -z "$NO_VPN_LST" ] && exit 0
# wan_gateway reads 0.0.0.0 until the WAN is up; poll until it is populated
WAN_GWAY="0.0.0.0"
while [ "$WAN_GWAY" = "0.0.0.0" ]; do
  sleep 1
  WAN_GWAY=`nvram get wan_gateway`
done
ip route add default via "$WAN_GWAY" table 10 2>>/tmp/mnt/sda1/messages
for ipa in $NO_VPN_LST; do
  ip rule add from "$ipa" table 10 2>>/tmp/mnt/sda1/messages
done

ip route flush cache 2>>/tmp/mnt/sda1/messages

logger -t custom-script 'Script completed'
exit 0


Example of tun2.conf. I had been using TCP, but really UDP should be used: if you think about it, encapsulating TCP inside of TCP is a lot of overhead and can create some extreme latency if any of the TCP throttling features come into play. Ultimately, using UDP and having packet loss will still be handled correctly by your TCP packets that are buried in the UDP packets.

You need to set the management ports to different ports else it will fail.
You need to set different PID files too.
The OpenVPN settings shown may not be optimal.

Code:
# cat /jffs/openvpn/vpn2/openvpn-tun2.conf
ca /jffs/openvpn/vpn2/ca.crt
management 127.0.0.1 17
management-log-cache 100
verb 3
mute 20
syslog
writepid /var/run/openvpncl-tun2.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun2
proto tcp4-client
cipher aes-256-cbc
auth sha512
auth-user-pass /jffs/openvpn/vpn2/credentials
remote 102.11.39.41 443
comp-lzo yes
tun-mtu 1500
mtu-disc yes
tls-auth /jffs/openvpn/vpn2/ta.key 1
tls-client
remote-cert-tls server
tun-mtu-extra 32
mssfix 1450
keepalive 5 30
ping-timer-rem
reneg-sec 0
remote-random
sndbuf 524288
rcvbuf 524288
log-append /tmp/mnt/sda1/vpn-tun2.log
dhcp-option DNS 10.10.10.1
dhcp-option DNS 8.8.4.4
dhcp-option DNS 4.2.2.2

quarkysg (DD-WRT User; joined 03 May 2015; 323 posts)
Posted: Wed Jan 31, 2018 14:50
Brianwuz wrote:

Any chance you could share these scripts? :)

Brian


Here you go:

The following shell script accepts parameters and starts the OpenVPN client:

Code:
#!/bin/sh
# Starts one OpenVPN client under its own process name so several can run side by side.
# Usage: <dev> <client name> <client config>  (the device itself is set in the config file)

if [ $# -ne 3 ]
then
  echo "Usage: $0 <dev> <client name> <client config>"
  exit 1
fi

TUN=$1
OVPNCL=$2
OVPNCLDIR=/tmp
OVPNCLCFG=$3

echo ------------------------------------------
echo "[${OVPNCL}] starting up ..."
echo
# symlink the openvpn binary under the client name so each instance is distinguishable in ps
if [ ! -f ${OVPNCLDIR}/${OVPNCL} ]
then
  ln -s /usr/sbin/openvpn ${OVPNCLDIR}/${OVPNCL}
fi

if [ `ps | grep "./${OVPNCL}" | grep -v grep | wc -l` -gt 0 ]
then
  echo "[${OVPNCL}] already running!"
else
  cd ${OVPNCLDIR}

  echo "Starting OpenVPN Client [${OVPNCL}] ..."
  ./${OVPNCL} --cd ${OVPNCLDIR} --config ${OVPNCLCFG} --daemon
  sleep 5
  # the daemon forks immediately, so re-check the process list to see whether it survived startup
  if [ `ps | grep "./${OVPNCL}" | grep -v grep | wc -l` -gt 0 ]
  then
    echo Done.
  else
    echo "Unable to start OpenVPN Client [${OVPNCL}]!"
  fi
fi

echo ------------------------------------------
echo


The following is the OpenVPN config for the client:

Code:
client
dev <tun dev>
mssfix 1400
nobind
proto udp
remote <VPN server> <port>
resolv-retry infinite
persist-key
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
verb 3
status-version 2
status <status file name>
syslog
fast-io
writepid /var/run/<VPN client name>.pid
auth-nocache
#
ca <path to CA cert>
cert <path to client cert>
key <path to client private key>
remote-cert-tls server
verify-x509-name <server cert CN name> name
#
script-security 2
route-delay 5
route-up "<path to route action script> up"
route-pre-down "<path to route action script> pre-down"
#
ping 60
ping-restart 120


Replace the values within <> according to your environment.

Finally, the below is the route action script I used:

Code:
#!/bin/sh
# Route action script: OpenVPN calls it with "up" (--route-up) and "pre-down"
# (--route-pre-down); $dev and $route_vpn_gateway come from OpenVPN's environment.

ACTION=$1
DEV=$dev
VPN_GW=$route_vpn_gateway

case $ACTION in
up)
  # Add firewall rules (delete first so a reconnect does not stack duplicate rules)
  /usr/sbin/iptables -D INPUT -i $DEV -j ACCEPT
  /usr/sbin/iptables -D FORWARD -i $DEV -j ACCEPT
  /usr/sbin/iptables -D FORWARD -o $DEV -j ACCEPT
  /usr/sbin/iptables -I INPUT 2 -i $DEV -j ACCEPT
  /usr/sbin/iptables -I FORWARD 2 -i $DEV -j ACCEPT
  /usr/sbin/iptables -I FORWARD 2 -o $DEV -j ACCEPT
  ;;

pre-down)
  # Remove the rules again before the tunnel device goes away
  /usr/sbin/iptables -D INPUT -i $DEV -j ACCEPT
  /usr/sbin/iptables -D FORWARD -i $DEV -j ACCEPT
  /usr/sbin/iptables -D FORWARD -o $DEV -j ACCEPT
  ;;

esac

exit 0


That should do it, I think, if I didn't miss out anything.

Feel free to customise for your own needs.

HTH.
Brianwuz (DD-WRT User; joined 10 Feb 2010; 104 posts)
Posted: Wed Jan 31, 2018 21:10
quarkysg,
Thank you for your scripts. They only seem to expand on the openvpn.conf, route-up.sh and route-down.sh files that dd-wrt creates in /tmp/openvpncl. They do not address the main issue, which is routing. Since you do not have a --no-pull or --route-noexec, you are accepting routes pushed from the VPN server. This will delete the default gateway and route all traffic through the newly created tun. When you run the script again, does the 2nd pushed route clobber the first and all data go out the 2nd created tunnel, or does the second tunnel not work? It seems that you would need to do a no-pull and create selective routing to use more than one tunnel. All the firewall rules do is allow packets through the tunnel. They do not specify what packets or from what addresses.
I was asking in #openvpn on IRC and was told I could get the pushed routes by setting verb 4 and logging. I am in the process of examining the log now. I believe, for 2 tunnels and ISP routes, that I need to set 3 blocks of IPs and route each block to ISP, TUN0, TUN1. Then I just assign a PC an IP in the right block to use the appropriate path.

Brian
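A worked version of the per-tunnel routing that maybeonly and Brianwuz describe above (a separate table per tunnel via ip route, selection by source block via ip rule, pushed routes captured with --route-noexec), added here as an example and not anything posted in the thread. It assumes a hypothetical tunN-to-table-100+N mapping, a LAN of 192.168.1.0/24, and that OpenVPN runs it as the route-up script with the LAN block to steer as its only argument.

```sh
#!/bin/sh
# Per-tunnel policy routing for a second/third OpenVPN client on DD-WRT (added example).
# Run by OpenVPN as:  --route-noexec --route-up "/jffs/openvpn/vpnN/route-up.sh <lan-block>"
# With --route-noexec the server's pushed routes are NOT installed into the main table;
# OpenVPN exports them as route_network_N / route_netmask_N / route_gateway_N instead.
# They are copied into a table dedicated to this tunnel and one LAN block is steered
# into it, so the main table (and the ISP default route) is left untouched.
# Assumptions (hypothetical, not from the thread): tunN -> table 100+N, LAN is $LAN_NET.

IP=${IP:-ip}                         # set IP=echo to dry-run (the self-test does this)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # whole LAN; local traffic must never enter a tunnel

mask2prefix() {
    # dotted-quad netmask -> prefix length, e.g. 255.255.255.0 -> 24
    n=0
    for o in $(echo "$1" | tr . ' '); do
        case $o in
            255) n=$((n+8));; 254) n=$((n+7));; 252) n=$((n+6));; 248) n=$((n+5));;
            240) n=$((n+4));; 224) n=$((n+3));; 192) n=$((n+2));; 128) n=$((n+1));;
            0) ;; *) return 1;;
        esac
    done
    echo $n
}

table_for_dev() {
    # tunN -> routing table 100+N (ip route / ip rule accept numeric table ids)
    case "$1" in tun[0-9]|tun[0-9][0-9]) echo $((100 + ${1#tun}));; *) return 1;; esac
}

install_tunnel_table() {
    # $1 device, $2 table id, $3 VPN gateway ($route_vpn_gateway), $4 LAN block to steer
    dev=$1; tbl=$2; gw=$3; block=$4
    i=1
    while :; do   # walk the pushed routes exposed by --route-noexec (numbered from 1)
        eval "net=\${route_network_$i}; mask=\${route_netmask_$i}; rgw=\${route_gateway_$i}"
        [ -n "$net" ] || break
        $IP route replace "$net/$(mask2prefix "$mask")" via "${rgw:-$gw}" dev "$dev" table "$tbl"
        i=$((i+1))
    done
    # everything else from the steered block leaves through this tunnel
    $IP route replace default via "$gw" dev "$dev" table "$tbl"
    # rules: LAN-to-LAN stays in main (lower priority number wins); the block uses this table.
    # del-then-add keeps the rules idempotent across reconnects instead of stacking duplicates.
    $IP rule del to "$LAN_NET" lookup main 2>/dev/null
    $IP rule add to "$LAN_NET" lookup main priority 100
    $IP rule del from "$block" table "$tbl" 2>/dev/null
    $IP rule add from "$block" table "$tbl" priority $((1000 + tbl))
    $IP route flush cache
}

# when invoked by OpenVPN, $dev and $route_vpn_gateway are in the environment
if [ -n "$dev" ] && [ -n "$1" ]; then
    install_tunnel_table "$dev" "$(table_for_dev "$dev")" "$route_vpn_gateway" "$1"
fi
```

If hosts in a block can send but replies vanish on one tunnel, one thing to check is the rp_filter sysctl on the tun interfaces: in strict mode (1) it drops packets whose reverse route does not lead back out the interface they arrived on, which is exactly what happens when forward and return paths end up on different tunnels.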
quarkysg (DD-WRT User; joined 03 May 2015; 323 posts)
Posted: Wed Jan 31, 2018 22:03
Brianwuz wrote:
quarkysg,
Thank you for your scripts. They only seem to expand on the openvpn.conf, route-up.sh and route-down.sh files that dd-wrt creates in /tmp/openvpncl. They do not address the main issue, which is routing. Since you do not have a --no-pull or --route-noexec, you are accepting routes pushed from the VPN server. This will delete the default gateway and route all traffic through the newly created tun. When you run the script again, does the 2nd pushed route clobber the first and all data go out the 2nd created tunnel, or does the second tunnel not work? It seems that you would need to do a no-pull and create selective routing to use more than one tunnel. All the firewall rules do is allow packets through the tunnel. They do not specify what packets or from what addresses.
I was asking in #openvpn on IRC and was told I could get the pushed routes by setting verb 4 and logging. I am in the process of examining the log now. I believe, for 2 tunnels and ISP routes, that I need to set 3 blocks of IPs and route each block to ISP, TUN0, TUN1. Then I just assign a PC an IP in the right block to use the appropriate path.

Brian


I basically control all 4 routers at all 4 sites. The 3 sites' VPN servers do not push default routes to clients, so I do not need to worry about specifying routing rules in OpenVPN configs. I handle routing according to my needs using routing scripts, including PBR.

Do refer to the OpenVPN documentation for options you can configure. The latest version of dd-wrt include OpenVPN 2.4 so refer to that version. You’ll also need to understand the configuration that your VPN provider is pushing over so do check with them.

As dd-wrt is basically a Linux server, whatever networking stuff applies to most Linux distros will work for dd-wrt routers, as long as the userland program is available.