VPN Switch?

I’ve had this working before, but I have upgraded to the 2.25 firmware and now it’s not working properly again.

It connects to the VPN, but no traffic is routed through the VPN. setvpnfirewall -enabled or -force setting both do the same now…

Here is my BTN_1 script: (Switch to the left VPN ON)

#!/bin/sh
# Log which button fired and whether it was pressed or released
logger "Button: $BUTTON ; State: ${ACTION}"
if [ "${ACTION}" = "released" ]; then
    # Released: stop the VPN and drop the VPN firewall rules
    uci set glconfig.openvpn.enable=0; uci commit glconfig
    /etc/init.d/startvpn stop; killall openvpn
    /usr/bin/setvpnfirewall -disable
else
    # Pressed: start the VPN and apply the VPN firewall rules
    uci set glconfig.openvpn.enable=1; uci commit glconfig
    /etc/init.d/startvpn start
    /usr/bin/setvpnfirewall -enable
fi
echo "$BUTTON ${ACTION}" > /dev/console

I think it is

--disable
--enable

two -

Yes, I tried that…

Here are the instructions, apologies for the delay in posting them!

Instructions for AR150:

This set of scripts will properly configure the switch on your router to enable / disable the VPN, sync the LEDs to the VPN status, and sync the VPN status and LEDs to the switch position on reboot. I get no DNS leak with this configuration, the DNS is properly tunneled when the VPN is enabled.

YOU MUST BE ON FIRMWARE 2.25

1.) SSH into your router and upload vpn.zip to the / directory (the root directory of the router)

2.) cd into / and extract the contents of vpn.zip

3.) You should end up with a folder located at /vpn/ containing files such as /vpn/BTN_8, /vpn/up, /vpn/down, /vpn/config.sh and some others

4.) Perform a chmod +x on /vpn/config.sh

5.) cd into the /vpn/ directory

6.) run config.sh (type ./config.sh)

7.) Modify /vpn/network and /vpn/dhcp and change all instances of DNSHERE to the IP of the custom DNS server you want to use when the VPN is connected and all instances of SECONDDNSHERE to the IP of the secondary custom DNS server you want to use when the VPN is connected

After performing these steps your router will be properly configured. The switch will now enable the VPN and custom DNS when switched to the right and disable the VPN and custom DNS and return to DHCP when switched to the left. When the router is rebooted the position of the switch will determine whether or not to enable or disable the VPN. Whenever the VPN is enabled the middle green LED light is on, whenever the VPN is disabled the red LED light is on instead. The lights are coordinated to the switch each time the switch is flipped and also whenever the router is rebooted. The switch, LEDs, and VPN will always be in sync.

You can use a public DNS such as Google DNS (8.8.8.8 and 8.8.4.4) for DNSHERE and SECONDDNSHERE in your /vpn/network and /vpn/dhcp files or you can use a private DNS that is only accessible when connected to the VPN (such as 172.0.0.2 and 172.0.0.3)

When connected to the VPN, all DNS requests tunnel through the VPN using the custom DNS servers; when not connected to the VPN, the router uses the default DNS provided by DHCP.

With some simple changes you can configure the router to also use custom DNS when the VPN is disconnected if you don’t want to use the DNS assigned via DHCP.

When you connect to the VPN the /etc/config/network and /etc/config/dhcp get replaced by /vpn/network and /vpn/dhcp

When you disconnect from the VPN the /etc/config/network and /etc/config/dhcp files get replaced by /vpn/network.good and /vpn/dhcp.good

The /vpn/network.good and /vpn/dhcp.good files are configured to use DNS via DHCP, so if you want to use custom DNS servers when the VPN is disconnected instead of the default DNS provided by DHCP, you will need to modify two files:

Modify the /vpn/network.good and add the following lines to the wan and wwan interface configs, replacing the DNSHERE and SECONDDNSHERE with the custom DNS you want to use when the VPN is disconnected:
option custom_dns '1'
option dns 'DNSHERE SECONDDNSHERE'

Then modify /vpn/dhcp.good and add the following lines to the dnsmasq config, replacing the DNSHERE and SECONDDNSHERE with the custom DNS you want to use when the VPN is disconnected:
list server 'DNSHERE'
list server 'SECONDDNSHERE'
option noresolv '1'

After you have made these modifications the router will use your custom DNS settings from /vpn/network.good and /vpn/dhcp.good whenever the VPN is disconnected.

You can use different custom DNS settings for when the VPN is connected and for when it is disconnected.

The DNSHERE and SECONDDNSHERE in your /vpn/network.good and /vpn/dhcp.good do not have to be the same servers as you have in /vpn/network and /vpn/dhcp, so you can use one set of custom DNS servers when the VPN is connected and a different set of custom DNS servers when the VPN is disconnected.

You can add your VPN configuration file to the router at anytime and you can connect the router to the internet at anytime. Changing the .ovpn file or source of the router’s internet (WiFi, ethernet, etc) will not affect the switch functionality. The switch enables/disables whatever .ovpn file is configured and doesn’t care about how the router is connected to the internet.

Just make sure that if you’ve been using an .ovpn file and have private custom DNS servers set in /vpn/network and /vpn/dhcp that are only accessible when the VPN is connected, that if you change to a new .ovpn file you need to make sure to update your /vpn/network and /vpn/dhcp files with custom DNS that the new .ovpn configuration can access. If you are using public custom DNS for the VPN such as Google DNS (8.8.8.8 and 8.8.4.4) and want your .ovpn configuration to always use that custom DNS, then you won’t need to modify anything when you change to a new .ovpn configuration because all .ovpn files will use that DNS. You only need to worry about updating the custom DNS if you change to an .ovpn file that can’t access the DNS you were previously using.

Also, the reason the setvpnfirewall script is being replaced in config.sh is because the -- in front of options such as --disable was not working. It was not correctly reading the parameter when I used the -- in my up and down scripts, so I modified the setvpnfirewall script to look for arguments such as disable and force instead of --disable and --force.

The zip file containing everything you need is attached.

The final functionality is as follows:

When the router is already powered on and running

Moving the switch to the RIGHT calls a script to enable the VPN and set custom DNS servers
Moving the switch to the LEFT calls a script to disable the VPN and use DHCP for DNS
LED status syncs with switch position

When the router reboots

A script detects the position of the switch
If the switch is to the RIGHT a script is called to enable the VPN and set custom DNS servers
If the switch is to the LEFT a script is called to disable the VPN and use DHCP for DNS
LED status syncs with switch position

LED status

Whenever the switch is toggled or the router reboots the LED status updates to sync with the switch position
The LED for wan (green, on the left) is always on whenever the router has power
The LED for lan (green, in the middle) is only on whenever the switch is to the RIGHT
The LED for wlan (red, on the right) is only on whenever the switch is to the LEFT
The middle LED (lan) and right LED (wlan) are never on at the same time

Other Models

This works flawlessly on my AR150 and the same solution should work on other GLI models also. I'm sure the network and dhcp and setvpnfirewall files are different for some of the other routers or firmware, but you can clone this pretty easily by replacing the /vpn/network.good and /vpn/dhcp.good and the /vpn/network and /vpn/dhcp files with the default /etc/config/network and /etc/config/dhcp files from the router you are using, and then replacing the /vpn/setvpnfirewall script with the default one from the router you are using.

Then modify the new /vpn/network and add the following lines to the wan and wwan interface configs, replacing the DNSHERE and SECONDDNSHERE with the custom DNS you want to use when the VPN is connected:

option custom_dns '1'
option dns 'DNSHERE SECONDDNSHERE'

Then modify the new /vpn/dhcp and add the following lines to the dnsmasq config, replacing the DNSHERE and SECONDDNSHERE with the custom DNS you want to use when the VPN is connected:

list server 'DNSHERE'
list server 'SECONDDNSHERE'
option noresolv '1'

Then modify the new /vpn/setvpnfirewall to remove the -- from in front of disable, force, etc. like in the original /vpn/setvpnfirewall. Those simple changes should make it work for the other routers or firmware.

I’ll answer any questions I can, hope this helps!

(There are two zip files attached because the forum wouldn’t let me delete the original upload. They are almost identical, but the first one contains the original glddnsupdater.sh file. I removed this file from my router to prevent calling out to update the dynamic DNS but left it in the zip file in case I wanted to restore it at some point. The second zip file does not include this file. This file plays no part in the switch functionality.)
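The two mechanisms the post above relies on, as an added example that is not part of moonspore's attached scripts: normalising the setvpnfirewall option spelling (the --disable versus disable problem the post describes), swapping the /vpn/network and /vpn/dhcp profiles into /etc/config safely, and a check that the installed dhcp config actually pins DNS while the VPN is up. VPN_DIR and CFG_DIR are assumed variables added so the functions can be pointed at a scratch directory instead of the live router.

```shell
#!/bin/sh
# Added example (not moonspore's attached scripts): the two mechanisms the
# post relies on, written so they can be exercised in a scratch directory.
# VPN_DIR / CFG_DIR are assumed variables defaulting to the post's paths;
# the test overrides them so nothing under /etc is touched.
VPN_DIR="${VPN_DIR:-/vpn}"
CFG_DIR="${CFG_DIR:-/etc/config}"

# The post's fix for setvpnfirewall was to strip the leading "--" from its
# options. Accepting every spelling is the more robust reading: "--disable",
# "-disable" and "disable" all map to one canonical word.
fw_arg_canon() {
    case "$1" in
        --enable|-enable|enable)    echo enable ;;
        --disable|-disable|disable) echo disable ;;
        --force|-force|force)       echo force ;;
        *) echo "unknown option: $1" >&2; return 1 ;;
    esac
}

# Install the DNS profile for a VPN state: "up" copies /vpn/network and
# /vpn/dhcp into place, "down" restores the *.good copies. Each file is
# written under a temporary name and renamed, so a reboot mid-write cannot
# leave a half-written /etc/config/dhcp behind.
apply_dns_profile() {
    state="$1"; suffix=""
    [ "$state" = "down" ] && suffix=".good"
    for f in network dhcp; do
        src="$VPN_DIR/$f$suffix"
        [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
        cp "$src" "$CFG_DIR/$f.tmp" && mv "$CFG_DIR/$f.tmp" "$CFG_DIR/$f"
    done
}

# The leak condition the post describes in words: with the VPN up, dnsmasq
# must only use the listed servers (noresolv set) and the WAN must carry the
# custom_dns override. Returns 0 when the installed config pins DNS that way.
dns_pinned() {
    grep -q "option noresolv '1'" "$CFG_DIR/dhcp" &&
    grep -q "list server" "$CFG_DIR/dhcp" &&
    grep -q "option custom_dns '1'" "$CFG_DIR/network"
}
```

Running dns_pinned from the up and down scripts (or from the tail -f /vpn/out debugging step used later in the thread) gives a quick yes/no on whether the swap actually happened before trusting the tunnel.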

Just a quick update - I tried this on a gl-ar300M. It didn't work.

I think it is because the device names for the switch are different, among other reasons.

Unfortunately, now I can't connect to a VPN successfully. When I manually enable it, my internet connection dies.

I’ll see if I can get this working on my device in a week or so. In the mean time, does anyone have a good idea for getting the router back to stock? what would happen if I just flashed the firmware file over it?

Seems like a simple fix for both issues.

To get it working on the ar300m just remember you need to replace /vpn/network.good and /vpn/dhcp.good with the original /etc/config/network and /etc/config/dhcp and then copy both of those to /vpn/network and /vpn/dhcp and do the replacements and additions I mentioned in my long post describing the whole setup. I just added the heading "Other Models" in bold to that section of the post if you want to look at it again.

The easy fix to get things working again is just to reload the firmware. Download the newest firmware and then load it on the router via the web admin to reset the router completely. Then just reconfigure the settings / VPN through the web admin again. Should take you all of 5 minutes and a few mouse clicks.

To fix it manually without a firmware reload you’ll need to replace the /etc/config/dhcp and /etc/config/network with the originals

(I’m assuming you read my entire post and made backups of the files my scripts would replace?)

If you wanted to restore things on an ar150 you would just replace the dhcp and network files with the /vpn/dhcp.good and /vpn/network.good files since they match the originals, but since you are on an ar300m your dhcp and network files are not the same as the ones with the .good extension in the /vpn/ folder. You just need to replace them with the originals from the firmware. You could extract them yourself or I’m sure someone here has them.

Just restore all the files my scripts changed to their originals, such as rc.local and setvpnfirewall

But I think the easier way is just flash the firmware and reconfigure. Much simpler.

@moonspore thanks for the thorough instructions, going to attempt now.

With a firmware update, would this config be removed (if keep settings is checked?)

Also, could anyone tell me what glidnsupdater.sh file does and if it’s essential?

Yes, the settings would be removed with a firmware update, but it doesn’t take a lot of time to reconfigure again after. However, you could also compile your own firmware from source with these changes included in the build so that if you perform a firmware reset then these changes would be part of the reset also.

Also, the glidnsupdater.sh file isn't used in the configuration I explained, but I put the original copy of it in the zip file anyway as a backup. Changing/removing the glidnsupdater.sh file prevents the dyndns from updating. I didn't want my router constantly calling out alerting a third-party service of my IP address so I removed the glidnsupdater.sh file. The zip file just contains the original in case I wanted to restore it. I have re-uploaded the zip file without glidnsupdater.sh, it wasn't intended to be part of the zip file originally.

The new zip is attached to this post as well.

@moonspore nice work and thanks for sharing. After reviewing all the files I’m not clear on the purpose of the below two lines in the rc.local file. Would you provide some insight please?

/usr/bin/glautoupdater &
(sleep 15;/usr/bin/gl_health) &

Those lines are part of the default rc.local file for the router. The first line seems to call the autoupdate scripts for the router to update the firmware if the option in the admin for autoupdate is enabled.

I didn't want the dynamic DNS so I removed glidnsupdater.sh from my router. This is the same kind of thing. You could comment out the line for glautoupdater (or delete / erase everything in the script) so that the router can never autoupdate even if the option is enabled.

Thanks for the information, I feel a bit silly for not having done a diff against the stock file. My unit has other tweaks so I commented out the glautoupdater line just to be safe.

If you haven’t, run gl_health manually from the command line. Although the output is interesting, I do wonder why it’s running in the background.

Yeah, that and the dynamic DNS updater were really antithetical to my goals, so I did the same. I understand why they are there and the appeal for most people, but not for what I’m doing. I’m so glad GLI make these routers and allow these modifications.

Although the AR150 runs good, less tasks = more free ram and less CPU use. So like you I disabled dynamic DNS, the last thing I want to do while hiding my MAC & IP at a hotspot or hotel is giving someone an easy way to locate me :wink: .

@moonspore GL-MT300A not working…

@Valakas01 Same with MT300N,

I’ve updated from BTN_8 to BTN_0, copied my network and dhcp config (also tried not updating the network / dhcp contents), also tried modifying setvpnfirewall.

It does toggle VPN on and off but nothing will load despite it showing as connected.

I've tried for a couple of hours to get it working with no luck. I'm imagining it is something to do with setvpnfirewall or more likely the Up script but I'm not sure what it could be:

# Mark OpenVPN enabled in the GL config and start it
uci set glconfig.openvpn.enable=1
uci commit glconfig
/etc/init.d/startvpn start
# Apply the VPN firewall rules (the modified setvpnfirewall takes "force" without dashes)
/usr/bin/setvpnfirewall force
# Pick up the swapped /etc/config/network and /etc/config/dhcp
/etc/init.d/network reload
/etc/init.d/dnsmasq reload

@moonspore thanks so much, top scripting

Got this working on the mt300n V1

For anyone else trying to get this to work, follow moonspore's instructions to the letter for "other devices"... take your time.

Once you have run the config.sh script do the following

cd /etc/rc.button
mv BTN_0 BTN_BAK
mv BTN_8 BTN_0
vi BTN_0

Change the action to “.pressed.” instead of “.released.”

Save, and it should work.

If not (probably something other than 300N etc)

tail -f /vpn/out

and see what action you get when you toggle the switch. If it's different to above then use that instead of "pressed" or "released".

Good luck

@moonspore, thanks for the script.

Hi All, in firmware v2.26 and later, you can configure the switch to control Openvpn from the UI. Please try. You have to have a working openvpn before you can configure this.

The button just enables/disables OpenVPN without touching the DNS. So if you want to change the DNS, you can modify it according to @moonspore's script or wait for our further development.

http://www.gl-inet.com/firmware/testing/

@moonspore, thanks for the script. Here's a modified version for the AR750 that also uses the System LED to show VPN status.

Reattaching zip file below.

Where are the settings to apply this in the UI pls?