Simplest dynamic VPN configurations

audetto · April 26, 2020, 10:53am

Managed to get open vpn configured.

Most services offer multiple endpoints (i.e. countries) so I can create a new vpn configuration for each country I want to support.

What is the easiest way to switch between them?
I have followed this tutorial
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

in particular the bit 4.1-b where I did not create a new interface but simply assigned the tun interface to the firewall zone.

Is there a way to "name" these tun interfaces?

One solution could be to ensure all vpn clients are running and then just switch tun is assigned to the firewall wan zone. Better if their tun is named statically.

or, opposite

Ensure only one vpn client is running, they all call their tun devices the same so the wan firewall does not need to change.

And, ideally I would like to switch it off when not needed.

How does it sound?

trendy · April 26, 2020, 12:15pm

I think it is more proper to create multiple configurations in step 2 and change the remote server only. Name the configs accordingly.
All of them can be in the same firewall zone.
Make sure they are not starting on boot, as your provider might not like your multiple connections.

audetto · April 26, 2020, 4:35pm

What about I only have 1 vpn client in the gui with a configuration file which is a symbolic link, then I programmatically stop / start the client and swap the conf files.

what about

/etc/init.d/openvpn stop / start ?

trendy · April 26, 2020, 7:13pm

Sounds more complicated to me, as you'll have to stop openvpn, change the symlink, start openvpn.

audetto · April 26, 2020, 8:08pm

You are right.

All I need to do now is to go to the OpenVPN Page.
Disable & Stop the running service, and enable the desired service.

then Save&Apply

Ideally I would like a single click, but for the first day with OpenWRT is a pretty good result.

I guess as long as there is a single vpn client running the interface is always called the same, and the firewall handles it properly.

trendy · April 27, 2020, 7:26am

There used to be some luci application to run custom commands, but I cannot seem to find it anymore.

You can add them all with option device tun+
Or you can create unmanaged interfaces where the VPNs will be bound and use the network interface name in the firewall zone.

audetto · April 27, 2020, 12:09pm

I've found this issue too

One cannot simply stop and start the new service. It needs to be enabled and saved.

trendy · April 27, 2020, 6:42pm

This is a bit rare example, so I am not sure how fast will it be solved. Definitely I wouldn't hold my breath.