So the process is:
1) Router boots and autossh creates tunnel to remote server
2) I connect to this tunnel to manage the router
3) I want to be able to issue a command (/etc/init.d/vpn start) to start a VPN client connection (to StrongVPN) to avoid double NAT on the LAN-connected clients. The command needs to be issued by ssh'ing into the router from the server - using the tunnel.
3a) Before the VPN is initiated, autossh needs to be closed cleanly to release the port(s) used on the server.
4) When the VPN is up, I can access the router via the public IP of the VPN server.
5) I'd ALSO like to have autossh run when the VPN is up to connect to the server as in (1) and the router be reachable via that route, so autossh needs to run after the VPN is up.
6) When the VPN is stopped, autossh needs to stop cleanly first, then the VPN goes down, then autossh needs to start again using the normal routing / gateway.
To achieve this, I have used 4 scripts (A to D) inspired by https://forum.openwrt.org/viewtopic.php … 21#p105621. Next to them I have indicated the order in which they are run.
A init.d/vpn
- to kill any existing autossh instances (1)
- to run /etc/init.d/openvpn start (2)
- to kill the VPN autossh instance (4)
- to run /etc/init.d/openvpn stop (5)
B hotplug.d/iface/60-vpnscript
- to run /etc/init.d/autossh start on ifup (3) and ifdown (6) of the VPN interface vpn0
C /etc/openvpn/autossh-up.sh (3)
D /etc/openvpn/autossh-down.sh (6)
- scripts run from openvpn on Up / Down to initiate the hotplug.d
$ cat /etc/init.d/vpn
#!/bin/sh /etc/rc.common
# Example script
# Copyright (C) 2007 OpenWrt.org
START=90
STOP=90
start() {
logger "VPN: init.d script start"
/etc/init.d/autossh stop
logger "VPN: autossh stopped over WAN"
/etc/init.d/openvpn start
logger "VPN: openvpn started"
}
stop() {
logger "VPN: init.d script stop"
/etc/init.d/autossh stop
logger "VPN: autossh stopped over VPN"
/etc/init.d/openvpn stop
logger "VPN: openvpn stopped"
}
$ cat /etc/hotplug.d/iface/60-vpnscript
#!/bin/sh
# autossh was stopped by /etc/init.d/vpn before openvpn started;
# bring it back once the VPN interface is up (over the VPN) or down (over WAN)
if [ "$INTERFACE" = "vpn0" ] && [ "$ACTION" = "ifup" ]
#if [ "$DEVICE" = "tun0" ] && [ "$ACTION" = "ifup" ]
then
    /etc/init.d/autossh start
    logger "VPN: autossh start over VPN"
fi
if [ "$INTERFACE" = "vpn0" ] && [ "$ACTION" = "ifdown" ]
#if [ "$DEVICE" = "tun0" ] && [ "$ACTION" = "ifdown" ]
then
    /etc/init.d/autossh start
    logger "VPN: autossh start over WAN"
fi
$ cat /etc/openvpn/autossh-up.sh
#! /bin/sh
ACTION=ifup INTERFACE=vpn0 /sbin/hotplug-call iface
exit 0
$ cat /etc/openvpn/autossh-down.sh
#! /bin/sh
ACTION=ifdown INTERFACE=vpn0 /sbin/hotplug-call iface
exit 0
My /etc/config/openvpn looks like:
$ cat /etc/config/openvpn
config openvpn 'myvpn'
option _description 'StrongVPN settings'
option _role 'client'
option dev 'tun'
option proto 'udp'
option log '/tmp/openvpn.log'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-vpn.crt'
option key '/etc/openvpn/my-vpn.key'
option client '1'
option echo 'vpnXXXXXXX'
option nobind '1'
option persist_tun '1'
option persist_key '1'
option tun_mtu '1500'
option remote '109.XXXXXXXXX'
option redirect_gateway 'def1'
option cipher 'AES-128-CBC'
option hand_window '30'
option reneg_sec '86400'
option resolv_retry 'infinite'
option route_delay '2'
option comp_lzo 'no'
option port '4672'
option verb '4'
option mssfix '1390'
option fragment '1390'
option pull '1'
option tls_auth '/etc/openvpn/ta.crt 1'
option up_restart '1'
option up '/etc/openvpn/autossh-up.sh'
option down '/etc/openvpn/autossh-down.sh'
option enabled '1'
option script_security '2'
This 'works' apart from a dropbear error "authpriv.info dropbear[13979]: Exit before auth: Exited normally" when I try to connect to the running ssh tunnel over the VPN...
16:47:20 user.notice root: VPN: init.d script start
16:47:20 user.info autossh[14405]: received signal to exit (15)
16:47:20 user.notice root: VPN: autossh stopped over WAN
16:47:20 user.notice root: VPN: openvpn started
16:47:23 daemon.notice netifd: Interface 'vpn0' is enabled
16:47:23 daemon.notice netifd: Network device 'tun0' link is up
16:47:23 daemon.notice netifd: Interface 'vpn0' has link connectivity
16:47:23 daemon.notice netifd: Interface 'vpn0' is setting up now
16:47:24 daemon.notice netifd: vpn0 (15453): udhcpc (v1.22.1) started
16:47:24 user.info autossh[15460]: starting ssh (count 1)
16:47:24 user.info autossh[15460]: ssh child pid is 15464
16:47:24 daemon.notice netifd: vpn0 (15453): Sending discover...
16:47:24 user.notice firewall: Reloading firewall due to ifup of vpn0 ()
16:47:25 user.notice root: starting ntpclient
16:47:26 user.notice root: VPN: autossh start over VPN
16:47:27 daemon.notice netifd: vpn0 (15453): Sending discover...
16:47:30 daemon.notice netifd: vpn0 (15453): Sending discover...
16:48:35 authpriv.info dropbear[15730]: Child connection from 127.0.0.1:39165
16:48:35 user.info autossh[15460]: ssh exited with error status 1; restarting ssh
16:48:35 user.info autossh[15460]: starting ssh (count 2)
16:48:35 user.info autossh[15460]: ssh child pid is 15735
16:48:35 authpriv.info dropbear[15730]: Exit before auth: Exited normally
From here, I can't access from the remote server and have to run /etc/init.d/autossh restart to get it back up.
For completeness, here is the output of /etc/init.d/vpn stop
16:54:33 user.notice root: VPN: init.d script stop
16:54:33 user.info autossh[15460]: received signal to exit (15)
16:54:33 user.notice root: VPN: autossh stopped over VPN
16:54:33 user.notice root: VPN: openvpn stopped
16:54:33 daemon.notice netifd: Network device 'tun0' link is down
16:54:33 daemon.notice netifd: Interface 'vpn0' has link connectivity loss
16:54:33 daemon.notice netifd: vpn0 (15453): Read error: Network is down, reopening socket
16:54:33 daemon.notice netifd: Interface 'vpn0' is disabled
16:54:33 daemon.notice netifd: vpn0 (15453): udhcpc: bind: No such device
16:54:33 user.notice root: stopping ntpclient
16:54:33 user.notice root: VPN: autossh start over WAN
16:54:33 user.info autossh[16670]: starting ssh (count 1)
16:54:33 user.info autossh[16670]: ssh child pid is 16672
Any ideas? Could it be the timing of the ifup command? Or is it the autossh hotplug script interfering?
(Last edited by tristanc on 28 Feb 2015, 17:56)
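An added example (my code, not the poster's scripts, and not a diagnosis of the dropbear error): a variant of the 60-vpnscript hotplug handler that, on ifup of vpn0, checks the routing table for OpenVPN's redirect-gateway def1 half-routes (0.0.0.0/1 and 128.0.0.0/1 via tun0) before starting autossh, so the "autossh over VPN" step keys off the tunnel routes rather than the ifup event alone. It assumes tun0/vpn0 as in the post; the sample route table and the 15-second poll limit are constructed values.

```shell
#!/bin/sh
# Added example, not the forum poster's script: start autossh "over VPN" only
# once OpenVPN's redirect-gateway def1 routes (0.0.0.0/1 and 128.0.0.0/1 via
# the tun device) are installed, rather than as soon as netifd reports ifup.
# Assumptions: tun0 / vpn0 as in the original post; ROUTE_WAIT is arbitrary.
VPN_IFACE="vpn0"
VPN_DEV="tun0"
ROUTE_WAIT=15

# Constructed sample of `ip route` output with the tunnel fully up, for testing.
SAMPLE_ROUTES_VPN="default via 192.0.2.1 dev eth0
0.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0"

# vpn_routes_present DEV ROUTE_TEXT: succeed when both def1 half-routes point
# at DEV. ROUTE_TEXT is passed in so the check runs without a live tunnel.
vpn_routes_present() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) == dev) n++
        }
        END { exit (n >= 2) ? 0 : 1 }'
}

# decide IFACE ACTION ROUTE_TEXT: map one hotplug event plus the routing table
# to start-over-vpn | start-over-wan | wait | ignore (pure, so testable).
decide() {
    case "$1/$2" in
        "$VPN_IFACE/ifup")
            if vpn_routes_present "$VPN_DEV" "$3"; then echo start-over-vpn; else echo wait; fi ;;
        "$VPN_IFACE/ifdown") echo start-over-wan ;;
        *) echo ignore ;;
    esac
}

# main: re-evaluate against the live table until the decision is no longer "wait".
main() {
    n=0
    while :; do
        what=$(decide "$INTERFACE" "$ACTION" "$(ip route 2>/dev/null)")
        if [ "$what" != wait ] || [ "$n" -ge "$ROUTE_WAIT" ]; then break; fi
        n=$((n + 1)); sleep 1
    done
    case "$what" in
        start-over-vpn|start-over-wan) /etc/init.d/autossh start; logger "VPN: autossh $what" ;;
        wait) logger "VPN: $VPN_IFACE up but no def1 routes via $VPN_DEV after ${ROUTE_WAIT}s" ;;
    esac
}
# Act only when invoked by hotplug (INTERFACE set); sourcing it for tests does nothing.
if [ -n "${INTERFACE:-}" ]; then main; fi
```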