Hi all, since upgrading to 23.05 my VPN routing is no longer working. My ovpn config files call the following script to add a new route when they come up:
#!/usr/bin/env sh
table=vpn
if [ "$script_type" == "route-up" ]; then
logger -t network "Adding route for vpn due to VPN tunnel UP"
ip route add default via $route_vpn_gateway dev $dev table $table proto static
elif [ "$script_type" == "route-pre-down" ]; then
logger -t network "Removing route for vpn due to VPN tunnel DOWN"
ip route del default via $route_vpn_gateway dev $dev table $table proto static
fi
However in 23.05 these scripts are no longer getting executed, it appears due to this error:
Sat Nov 4 16:54:08 2023 daemon.warn openvpn(vpn)[8322]: Multiple --route-up scripts defined. The previously configured script is overridden.
Sat Nov 4 16:54:08 2023 daemon.warn openvpn(vpn)[8322]: Multiple --route-pre-down scripts defined. The previously configured script is overridden.
I have no idea where these multiple scripts are coming from, my config hasn't changed, so it must be a breaking change in 23.05.
@egc I saw this, thanks for taking the time to do that.
I'm confused how this change was allowed in, it seems to change some fundamental workings of OpenVPN without any documentation to support it. It invalidates a lot of good how-to guides and existing knowledge on the forum.
I cannot find any information on what is the RIGHT way to do this sort of routing script now.
It is a bug but unfortunately they are not willing to correct it.
I compile my own builds so it is working for me.
But I do not know what else I can do to convince someone to take action now my pull request is not accepted.
I thought I’d finally got to the point that I could use the official builds again now that some changes I was waiting to be merged for qemu finally made it into the build, but that took nearly 2 years!
You want to executed the script at a certain point in the openvpn setup (so on route up) this makes available certain openvpn environment variables which you can use in your scripts
It is not about a workaround that is possible, it is about patching this bug especially as there is already a pull request made for this.
Probably the easiest workaround is to add to the existing /etc/hotplug.d/openvpn/01-user the lines indicated with an >
#!/bin/sh
[ -e "/etc/openvpn.user" ] && {
env -i ACTION="$ACTION" INSTANCE="$INSTANCE" \
/bin/sh \
/etc/openvpn.user \
$*
}
# Wrap user defined scripts on up/down/route-up/route-pre-down/ipchange events
# Script set with up/down/route-up/route-pre-down/ipchange in the openvpn config are also executed with the command=user_xxxx
case "$ACTION" in
up) command=$user_up ;;
down) command=$user_down ;;
> route-up)
> command=$user_route_up
> # Place your route-up script here, use full path
> ;;
> route-pre-down)
> command=$user_route_pre_down
> # Place your route-pre-down script here, use full path
> ;;
ipchange) command=$user_ipchange ;;
*) command= ;;
esac
if [ -n "$command" ]; then
shift
exec /bin/sh -c "$command $*"
fi
I guess it depends on your personal perception of the problem.
Creating a hotplug script is not an issue for me, as I consider hotplug as part of the standard native OpenWrt API for handling various event triggers, which makes OpenVPN related events not much different from events of other services.
In a similar way, using NetworkManager expects me to utilize its own dispatcher scripts if I want to handle its event triggers.
--route-up cmd Run command cmd after routes are added, subject to --route-delay.
cmd consists of a path to a script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces.
See the Environmental Variables section below for additional parameters passed as environmental variables. --route-pre-down cmd
Run command cmd before routes are removed upon disconnection.
cmd consists of a path to a script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces.
See the Environmental Variables section below for additional parameters passed as environmental variables.
So it is not about my point of view it is about a bug which can and should be patched.
I understand your point, but I think that each platform has its own specifics, and perfect compliance with the functionality declared in the manual is not critical for a particular service implementation as long as comparable functionality is provided by other platform-specific means.
The most efficient workaround I've found is indeed to create a new hotplug script in /etc/hotplug.d/openvpn like
#!/usr/bin/env sh
[ "${INSTANCE}" = "vpn1" ] && {
logger -t hotplug "Device: ${INSTANCE} / Action: ${ACTION}"
if [ "$ACTION" == "route-up" ]; then
logger -t network "Adding default route via $route_vpn_gateway for vpn device $dev due to VPN tunnel UP"
ip route add default via $route_vpn_gateway dev $dev table vpn1 proto static
elif [ "$ACTION" == "route-pre-down" ]; then
logger -t network "Removing default route via $route_vpn_gateway for vpn device $dev due to VPN tunnel DOWN"
ip route del default via $route_vpn_gateway dev $dev table vpn1 proto static
fi
}
[ "${INSTANCE}" = "vpn2" ] && {
logger -t hotplug "Device: ${INSTANCE} / Action: ${ACTION}"
if [ "$ACTION" == "route-up" ]; then
logger -t network "Adding default route via $route_vpn_gateway for vpn device $dev due to VPN tunnel UP"
ip route add default via $route_vpn_gateway dev $dev table vpn2 proto static
elif [ "$ACTION" == "route-pre-down" ]; then
logger -t network "Removing default route via $route_vpn_gateway for vpn device $dev due to VPN tunnel DOWN"
ip route del default via $route_vpn_gateway dev $dev table vpn2 proto static
fi
}
However you need to manually add this to the backup files list or it will not persist over an upgrade.
To @egc point, this still needs to be fixed, OpenWRT should not block/override scripts defined in the .ovpn files, or at least shouldn't do so without clearly documenting the preferred/correct way of implementing route-up and route-pre-down actions. It's a breaking change and a regression.
It is not about platform specifics, the developers just forget to implement route-up and route-pre-down commands, they did for up and down so clearly it was the intent to comply with OpenVPN functionality.
What the developers did is to integrate the OpenVPN events with hotplug actions in a very complicated but elegant way so you can use the OpenVPN way which is documented in the Man page and on which people rely but you can also use hotplug actions.
So it is just a bug/oversight which can easily be patched.
Edit the commit description and explain that your PR fixes a regression that makes problematic to specify certain options in the OpenVPN configuration file.
That's not how it works.
You need to add a new commit or better amend the last commit, but it should be the same branch where the original PR comes from, in this specific case it's the master branch of your cloned repo.
Here's an instruction you may find helpful: https://openwrt.org/docs/guide-developer/working-with-github-pr
