I recently configured OpenWrt to use Proton VPN and added a route so that the VLAN ProtonLAN used interface ProtonVPN via table 100.
The gateway address for Proton VPN is 10.2.0.2/32, as advised by Proton.
Proton also provides a DNS server at 10.2.0.1.
I had created a static route that simply said traffic to 10.2.0.1/32 should go out of ProtonVPN. This was working and all network devices could use 10.2.0.1 as their DNS.
I decided to add some additional Proton VPN servers for redundancy and removed all the Wireguard peers that I had for Proton VPN, including the working configuration.
I have added a new peer and 10.2.0.1 is now unreachable, even by OpenWrt.
The only change I made was to import a new Proton peer, so why would that route stop working?
config interface 'ProtonVPN'
	option proto 'wireguard'
	option private_key 'supersecretkey'
	list dns '10.2.0.1'
	list addresses '10.2.0.2/32'
I appear to have sorted this by importing the config file from Proton to the whole Wireguard interface, rather than just importing a peer.
I had just thought I could import multiple [Peer] sections to the same Wireguard interface, however the private key is different for each endpoint, so that's not possible. The peer public key appears to be the same.
So I must configure multiple Wireguard interfaces for multiple endpoints which is a pity.
The Proton app (on Android at least), will hop VPNs if one is hot and I was hoping to have a fairly simple way of doing this in OpenWrt.
If I have to have multiple interfaces for multiple endpoints, then not only will I have to raise/lower interfaces, I will also have to modify routing rules.
Does anyone know of a script that will monitor VPNs and change them if it detects poor performance?
It is for one tunnel; if that tunnel is down, it will start the next tunnel.
You enter the tunnels in the script which you want in this fail over group.
You can run multiple instances of the script if you have multiple tunnels active for which you have a fail over tunnel standing by.
Depending on providers the VPN servers are sometimes overcrowded or down for maintenance etc.
If you want a 24/7 VPN, then a watchdog with failover is often useful.
Your script will ping the active tunnel until it sees a problem, then switch to the next tunnel, correct?
Your LAN must be configured to route through VPN1, so what happens when the script switches to VPN2? How does the LAN know to route through that instead?
Say you have three active tunnels, e.g. your LAN goes to Destination A, your Guest-lan goes to Destination B and your IoT-lan goes to Destination C.
To make it redundant, you configure two (or three or four) VPN servers to Destination A and assign those servers to an instance of the script. The script will use this group of servers as a fail over group: if one is down, it switches to the next.
You can do this for all destinations, so in your case, if you want all destinations to have fail over, you need 6 VPN tunnels and three instances of the script running, each instance with two tunnels to the same destination/routing.
So the script does not do anything on the routing; it just switches to the backup tunnel, which is already configured with the same destination/routing.
Currently, (V)LAN interface ProtonLAN uses interface ProtonVPN for its gateway. This is accomplished using a routing table, and the interface ProtonVPN has a table of 100.
Other (V)LAN interfaces use wan as their gateway.
In order to use your script, instead of ProtonVPN I would maybe have the following gateway interfaces:
Proton123, Proton456, Proton789
Would I then give all three a table of 100? How else would ProtonLAN know to route through whichever gateway is active?
Yes, that is the idea, but only one of the wg interfaces can be enabled at the same time.
You might need to use option4table (Override IPv4 routing table) on the Advanced tab of the interface, set that to 100 for each tunnel.
The active tunnel will then make the routing table 100.
Note: you need to enable Route Allowed IPs for this to work!!
I had a quick look and although I have already defined table 100, it doesn't appear in the dropdown for Override IPv4 routing table in the ProtonVPN interface?
Why do I need Route Allowed IPs? Perhaps I'm confused by the Allowed IPs being 0.0.0.0/0, which already means everything, doesn't it?
EDIT: Or does this mean add a route for the Allowed IPs?
If you use option4table you need a default route in that table; therefore you do need to enable Route Allowed IPs.
Think of it as the routes (including the default route) of the WG interface being moved from the main table to the option table.
For Table 100 you select custom and then enter 100.
Remove the table 100 you already made; the option tables are made when the interface starts.
So just for clarity, instead of creating a route and routing table as per the images, I could just add table 100 to Override IPv4 routing table and enable Route Allowed IPs?
It is Proton that configures the gateway as 10.2.0.2/32, both in their docs and in the configuration files. Presumably this is to prevent any possible threat on any other IP in that range? Why does it need the /24?
So in IPv4 Rules, I would need 3 rules, one for each of:
OK, so after a good bit of playing around (SWMBO is away tonight), I have reached the following.
For each Proton tunnel (all have a gateway of 10.2.0.2), e.g. Proton123, Proton456, Proton789:
I also need a Static IPv4 Routes entry for each tunnel, to 0.0.0.0/0 with table 100, so that my IPv4 Rule that sends anything from ProtonLAN to table 100 works with all 3 tunnels.
I also have 3 Static IPv4 Routes for 10.2.0.1/32 (Proton's DNS) to go out of 10.2.0.2, so that all clients can make use of the Proton DNS regardless of whether they are using the VPN.
The DNS server routes can all be active at the same time, but the table rules can only be active one at a time, to coincide with whichever tunnel is up at the time.
So I just need to modify your script a little to also enable/disable the Static IPv4 Routes entries as well as the tunnel.
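Putting the two threads of the discussion together (the per-interface routing-table override with Route Allowed IPs explained above, and the watchdog that swaps tunnels and their routes), here is one way to script it on OpenWrt. This is an added example, not the poster's configuration and not the failover script mentioned in the thread. It assumes the interface names Proton123/Proton456/Proton789 and ProtonLAN, policy table 100, Proton's DNS at 10.2.0.1 as the liveness probe, and the UCI option names `ip4table`, `route_allowed_ips`, `auto`, the rule options `in`/`lookup` and the route options `interface`/`target` of current OpenWrt; the section names `dns_*` and `protonlan_lookup` are made up for the example. With `ip4table=100` on every tunnel, the active tunnel's 0.0.0.0/0 route lands in table 100 when it comes up and disappears when it goes down, so failover is only "old tunnel down, new tunnel up" and no per-tunnel static routes or rule edits are needed.

```shell
#!/bin/sh
# Added example for this thread (not the poster's setup, not the failover
# script discussed above). Assumed names: WireGuard interfaces
# Proton123/Proton456/Proton789 (for proto wireguard the logical name is also
# the netdev name), VLAN interface ProtonLAN, policy table 100, Proton DNS
# 10.2.0.1 as probe target. Section names dns_* and protonlan_lookup are
# invented here; uci option names are those of current OpenWrt.
#
# Design: ip4table=100 + route_allowed_ips=1 on every Proton interface puts the
# active tunnel's default route (from AllowedIPs 0.0.0.0/0) into table 100 and
# removes it when the tunnel goes down, so failover is just ifdown/ifup.
# Only one Proton interface is ever up at a time.

TUNNELS="${TUNNELS:-Proton123 Proton456 Proton789}"
TABLE="${TABLE:-100}"
PROBE_IP="${PROBE_IP:-10.2.0.1}"      # only reachable through the tunnel
LAN_IFACE="${LAN_IFACE:-ProtonLAN}"
DRY_RUN="${DRY_RUN:-0}"               # 1: print uci/ifup/ifdown instead of running

# run CMD... : execute, or print the command line when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# next_tunnel CURRENT NAME... : the name after CURRENT in ring order
# (wraps around; an unknown CURRENT yields the first name)
next_tunnel() {
    cur="$1"; shift
    first="$1"; found=0
    for t in "$@"; do
        if [ "$found" = 1 ]; then printf '%s\n' "$t"; return 0; fi
        if [ "$t" = "$cur" ]; then found=1; fi
    done
    printf '%s\n' "$first"
}

# configure_tunnels : idempotent one-off setup. Per tunnel: move its routes to
# table 100 and add a main-table host route to Proton DNS through it, so
# non-VPN LANs can still use 10.2.0.1 (a 'config route' without 'table' is
# assumed to stay in main even when the interface has ip4table set).
# Plus one rule: packets arriving from ProtonLAN look up table 100.
configure_tunnels() {
    for t in $TUNNELS; do
        run uci set "network.$t.ip4table=$TABLE"
        run uci set "network.$t.route_allowed_ips=1"
        run uci set "network.dns_$t=route"
        run uci set "network.dns_$t.interface=$t"
        run uci set "network.dns_$t.target=$PROBE_IP/32"
    done
    run uci set "network.protonlan_lookup=rule"
    run uci set "network.protonlan_lookup.in=$LAN_IFACE"
    run uci set "network.protonlan_lookup.lookup=$TABLE"
    run uci commit network
}

# tunnel_alive NAME : two pings to Proton DNS bound to the tunnel's device
tunnel_alive() {
    ping -I "$1" -c 2 -W 2 -q "$PROBE_IP" >/dev/null 2>&1
}

# switch_to NAME : make NAME the only Proton tunnel that is up, and the only
# one that starts at boot (auto=1), so a reboot lands on the same tunnel
switch_to() {
    new="$1"
    for t in $TUNNELS; do
        if [ "$t" = "$new" ]; then
            run uci set "network.$t.auto=1"
        else
            run uci set "network.$t.auto=0"
            run ifdown "$t"
        fi
    done
    run uci commit network
    run ifup "$new"
}

# watchdog ACTIVE [INTERVAL] : probe ACTIVE every INTERVAL seconds; after
# three consecutive misses fail over to the next tunnel in the ring
watchdog() {
    active="$1"; interval="${2:-30}"; fails=0
    while :; do
        if tunnel_alive "$active"; then
            fails=0
        else
            fails=$((fails + 1))
            if [ "$fails" -ge 3 ]; then
                candidate=$(next_tunnel "$active" $TUNNELS)
                logger -t proton-failover "$active unreachable, switching to $candidate"
                switch_to "$candidate"
                active="$candidate"; fails=0
            fi
        fi
        sleep "$interval"
    done
}

case "${1:-}" in
    configure) configure_tunnels ;;      # one-off: ./proton-failover.sh configure
    switch)    switch_to "$2" ;;         # manual: ./proton-failover.sh switch Proton456
    watch)     watchdog "$2" "${3:-30}" ;;  # e.g. from /etc/rc.local: ... watch Proton123 30 &
esac
```

Run `DRY_RUN=1 ./proton-failover.sh configure` first to see the exact uci commands before committing them, and check with `ip route show table 100` after bringing a tunnel up that the default route really is there; if it is not, Route Allowed IPs is still off on that interface. The probe target is deliberately inside the tunnel (Proton's DNS), so a dead peer with a still-present default route is detected, which a plain "is the interface up" check would miss.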