Stopping OpenVPN w/o breakage?

Followed this NordVPN guide to get my shiny new Linksys OpenWRT router all VPN'ed, secured and privatized, FTW. https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-setup-with-NordVPN.htm

Everything's hunky dory, stable, love it!

Problem I have is, if I don't want to be all VPN'ed, e.g. when I'm trying to download a 28Gb file that looks like it's going to take 15 hours....how's THAT work?

I SSH'ed in and did a 'service openvpn stop' and I lost my internet. So I started openvpn back up, and some devices were connected but not all. In the midst of troubleshooting my VOIP phone not connecting - the entire WAN interface dropped. I was still connected to the router though, both the GUI and SSH were active. SO, I gave it a 'reboot' command from the CLI and that fixed things.

I suspect the other VPNish changes I made were the cause. Must I roll back firewall/dhcp/dns mods in addition to stopping openvpn service? Guess I'll need to hammer out what's needed and throw it all into a shell script for future use.

Any thoughts? Point in the right direction is much appreciated!

Bugs

That guide has 4 things that permanently / potentially interfere with vpn down.....

  1. Setting DNS only to vpn servers via network.wan

  2. /etc/firewall.user -> tun0 down = no forwarding

  3. /etc/hotplug.d/iface/99-prevent-leak > ifdown = no forwarding

  4. /etc/openvpn/reconnect.sh & ( perma force it backup < note: this is somewhat buggy / reliant on 2 and 3 by checking 8.8.8.8... much better to grab your vpn servers ip... etc. )

Move 1 to an up/down script, adding your isp or whatever direct dns servers you want to use on down... or hotplug....

remove 3 if you don't need it... same goes for 2 and 4 ( or launch/kill 4 from your up down script too, I've never really had a need for 4)

Something like...

#!/bin/sh
# OpenVPN up/down script: OpenVPN exports script_type as "up" or "down"
# (configure with: up /path/to/script, down /path/to/script, script-security 2)
publicDNS1="1.1.1.1"
publicDNS2="8.8.8.8"
vpnDNS1="103.86.96.100"
vpnDNS2="103.86.99.100"
killsw=n   # y = keep blocking forwarding while the tunnel is down (kill switch)

case "${script_type}" in
	up)
		# point WAN DNS at the VPN resolvers while the tunnel is up
		uci set network.wan.peerdns='0'
		uci -q del network.wan.dns
		uci add_list network.wan.dns="$vpnDNS1"
		uci add_list network.wan.dns="$vpnDNS2"
		#uci commit network   # commit (and reload network) to make the change stick
		#/etc/openvpn/reconnect.sh &
	;;
	down)
		# fall back to public resolvers so the WAN still resolves without the tunnel
		uci set network.wan.peerdns='0'
		uci -q del network.wan.dns
		uci add_list network.wan.dns="$publicDNS1"
		uci add_list network.wan.dns="$publicDNS2"
		#uci commit network   # commit (and reload network) to make the change stick
		#kill -9 $(pidof reconnect.sh)

		if [ "$killsw" = y ]; then
			# add the REJECT rule only if it is not already present
			if ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
				iptables -I forwarding_rule -j REJECT
			fi
		else
			# remove the REJECT rule if a previous down left it in place
			if iptables -C forwarding_rule -j REJECT 2>/dev/null; then
				iptables -D forwarding_rule -j REJECT
			fi
		fi
	;;
esac

/etc/init.d/dnsmasq reload
exit 0

I decided to use one device and protect that for VPN uploads/downloads as I have super fast Virgin fibre (well, I couldn't turn down the kind offer of 500Mbs, could I?) and even the best VPN provider isn't going to get anywhere near those speeds. Have a look at my post:

I can then stipulate which devices to pass through the VPN gateway.

Just a thought

Many thanks! Yeah, I just realized that 'vpn leakage' section is only optional and is most likely the culprit. My bad for not seeing that myself. It's a good idea to have in place though, which is why I did it - if that tunnel drops w/o me knowing, I want all traffic to drop. I've just got to handle managing that gracefully for those times I want to drop the VPN. That script should work with a couple of minor tweaks, I'll let you know how it goes. :smiley:


Wulfy,

You were all over that and I thank you for your help - spot on!

Rather than overcomplicate the solution with sed and/or awk commands, I just used a simple file remove/rename and replace method. Then I commit the firewall and commit again (do I need both or does 'uci commit' encompass both)? In any case, my 'downvpn.sh' and 'upvpn.sh' do the trick. Hopefully this can help any other nordvpn users wanting to bring their tunnel down gracefully when not wanted and back up again successfully. Fully vetted on OpenWrt 18.06.4, r7808-ef686b7292.

my 'downvpn.sh' just comments out the rule we inserted as per the nordvpn instructions and removes the 99-prevent-leak (I made a copy first in /root/ to copy back in upvpn later)... easy peasy.

######## downvpn.sh  #########
#!/bin/sh

# swap in the firewall.user without the VPN-only rule (prepared beforehand as
# /etc/firewall.user.novpn) and keep the VPN version for upvpn.sh
mv /etc/firewall.user /etc/firewall.user.vpn
mv /etc/firewall.user.novpn /etc/firewall.user

# drop the leak-prevention hotplug hook (a copy is kept in /root/)
rm /etc/hotplug.d/iface/99-prevent-leak

uci commit firewall
uci commit

/etc/init.d/openvpn stop

echo "done and done"

exit 0

####### upvpn.sh  ###########
#!/bin/sh

# restore the firewall.user with the VPN rule, keeping the plain one for downvpn.sh
mv /etc/firewall.user /etc/firewall.user.novpn
mv /etc/firewall.user.vpn /etc/firewall.user

# put the leak-prevention hotplug hook back from the saved copy
cp /root/99-prevent-leak /etc/hotplug.d/iface/

uci commit firewall
uci commit

/etc/init.d/openvpn start

echo "done and done"

exit 0


Yup, "uci commit" is a "do all"... tho' you won't need it if you're just moving the firewall.user.

( there is a slim chance you might need an /etc/init.d/firewall reload to clear the scripted iptables entry... but I'm pretty sure a tun up/down would trigger that )
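Added here as a check, not code from the thread: after running a down script like the ones above, confirm that the three VPN-only settings Wulfy listed (the forwarding_rule REJECT, WAN DNS on the VPN resolvers, the 99-prevent-leak hook) are really gone, which also covers the leftover iptables entry mentioned in the previous reply. Command output is passed in as arguments so the logic runs on constructed samples; the resolver addresses and paths are the ones used in the thread, and the iptables sample is constructed.

```sh
#!/bin/sh
# Checks that the VPN-only settings from the NordVPN guide are really undone
# once the tunnel is down: no leftover REJECT in forwarding_rule, WAN DNS no
# longer on the VPN resolvers, and the 99-prevent-leak hook removed.

VPN_DNS="103.86.96.100 103.86.99.100"   # resolvers used in the thread's script

# $1: output of `iptables -S forwarding_rule`. Succeeds if the kill-switch
# rule is present (iptables prints the default --reject-with after -j REJECT).
has_killswitch_rule() {
	printf '%s\n' "$1" | grep -q -e '^-A forwarding_rule -j REJECT'
}

# $1: space-separated value of network.wan.dns (as `uci get` prints a list).
# Prints vpn, public, mixed or none.
dns_mode() {
	vpn=0; other=0
	for s in $1; do
		case " $VPN_DNS " in
			*" $s "*) vpn=$((vpn + 1)) ;;
			*)        other=$((other + 1)) ;;
		esac
	done
	if [ "$vpn" -gt 0 ] && [ "$other" -gt 0 ]; then echo mixed
	elif [ "$vpn" -gt 0 ]; then echo vpn
	elif [ "$other" -gt 0 ]; then echo public
	else echo none
	fi
}

# $1: iptables -S output, $2: wan dns list, $3: hotplug hook path.
# Succeeds only when all three VPN-only settings have been undone.
vpn_down_state_ok() {
	has_killswitch_rule "$1" && return 1
	[ "$(dns_mode "$2")" = public ] || return 1
	[ ! -e "$3" ]
}

# Constructed sample (not captured from a real router): a stale kill switch.
SAMPLE_RULES='-N forwarding_rule
-A forwarding_rule -j REJECT --reject-with icmp-port-unreachable'

if [ "${1:-}" = "--live" ]; then
	vpn_down_state_ok "$(iptables -S forwarding_rule 2>/dev/null)" \
		"$(uci -q get network.wan.dns)" /etc/hotplug.d/iface/99-prevent-leak \
		&& echo "VPN-down state is clean" || { echo "VPN-only settings remain"; exit 1; }
else
	vpn_down_state_ok "$SAMPLE_RULES" "1.1.1.1 8.8.8.8" /nonexistent/99-prevent-leak \
		&& echo "sample: clean" || echo "sample: stale kill-switch rule detected"
fi
```

Run it on the router with `--live` after downvpn.sh; without arguments it only exercises the constructed sample.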

Wulfy, you are right once again. Just tested after removing both uci commits, neither one is necessary. Even simpler, I like! Revision 2 of my scripts is complete! :nerd_face:
