Auto-Reconnect for VPN (dietpi-nordvpn) Topic is solved

[Ode]

I'm loving DietPi and I'm enjoying the fact that it makes me learn more about Linux in general.

At the moment i'm using dietpi-nordvpn, which i understand is a gui for OpenVPN. It works great but i often encounter VPN disconnects.

My question/suggestion is, what is the quickest method to reestablish a connection to the VPN automatically?

Would we require some type of Tun0 interface monitoring service to issue a script to restart the VPN, or is there a simpler way, or does a solution already exist?

Thanks

[Joulinar]

Hi,

many thanks for your question. I don't use Nordvpn/ OpenVPN as I'm more in favour of WireGuard . Anyway let's see what we can do.

How you you reestablish the connections once disconnected?

I found following on a quick google search https://forum.manjaro.org/t/nordvpn-set ... n/108673/4

[Ode]

Thanks for the suggestion.

I tried doing something similar but it doesnt seem to be working. It doesnt restart the dietpi-nordvpn.service after it went down, so i still need to restart the service manually.

This is what i have, perhaps there are n00bie mistakes?

/etc/systemd/system/auto-reconnect-vpn.service

Code: Select all

[Unit]
Description=Auto-Reconnect-VPN (NordVPN)
After=dietpi-nordvpn.service

[Service]
RemainAfterExit=yes
Type=simple
ExecStart=systemctl restart dietpi-nordvpn

[Install]
WantedBy=default.target

i then did:

Code: Select all

sudo chmod 644 /etc/systemd/system/auto-reconnect-vpn.service

Followed by

Code: Select all

sudo systemctl enable /etc/systemd/system/auto-reconnect-vpn.service

and

Code: Select all

sudo systemctl enable /etc/systemd/system/auto-reconnect-vpn.service

I also added it to dietpi's custom autostart script /var/lib/dietpi/dietpi-autostart/custom.sh

Code: Select all

systemctl /etc/systemd/system/auto-reconnect-vpn.service

To test he above i did a

Code: Select all

sudo systemctl stop dietpi-nordvpn.service

syslog shows the following:

Code: Select all

Jul  4 02:15:28 BeastiPi openvpn[1275]: Sat Jul  4 02:15:28 2020 event_wait : Interrupted system call (code=4)
Jul  4 02:15:28 BeastiPi openvpn[1275]: Sat Jul  4 02:15:28 2020 SIGTERM received, sending exit notification to peer
Jul  4 02:15:28 BeastiPi systemd[1]: Stopping NordVPN (DietPi)...
Jul  4 02:15:29 BeastiPi openvpn[1275]: Sat Jul  4 02:15:29 2020 /var/lib/dietpi/dietpi-software/installed/dietpi-nordvpn/down.sh tun0 1500 1585 XXX.XXX.XXX.XXX 255.255.255.0 init
Jul  4 02:15:29 BeastiPi systemd[1]: Stopping Deluge Daemon (DietPi)...
Jul  4 02:15:29 BeastiPi systemd[1]: deluged.service: Succeeded.
Jul  4 02:15:29 BeastiPi systemd[1]: Stopped Deluge Daemon (DietPi).
Jul  4 02:15:29 BeastiPi systemd[1]: Stopping NZBget (DietPi)...
Jul  4 02:15:29 BeastiPi systemd[1]: nzbget.service: Succeeded.
Jul  4 02:15:29 BeastiPi systemd[1]: Stopped NZBget (DietPi).
Jul  4 02:15:29 BeastiPi openvpn[1275]: Sat Jul  4 02:15:29 2020 /sbin/ip route del XXX.XXX.XXX.XXX/32
Jul  4 02:15:29 BeastiPi openvpn[1275]: Sat Jul  4 02:15:29 2020 /sbin/ip route del 0.0.0.0/1
Jul  4 02:15:29 BeastiPi openvpn[1275]: Sat Jul  4 02:15:29 2020 /sbin/ip route del 128.0.0.0/1
Jul  4 02:15:29 BeastiPi openvpn[1275]: Sat Jul  4 02:15:29 2020 Closing TUN/TAP interface
Jul  4 02:15:29 BeastiPi openvpn[1275]: Sat Jul  4 02:15:29 2020 /sbin/ip addr del dev tun0 XXX.XXX.XXX.XXX/24
Jul  4 02:15:29 BeastiPi openvpn[1275]: Sat Jul  4 02:15:29 2020 SIGTERM[soft,exit-with-notification] received, process exiting
Jul  4 02:15:29 BeastiPi systemd[1]: dietpi-nordvpn.service: Succeeded.
Jul  4 02:15:29 BeastiPi systemd[1]: Stopped NordVPN (DietPi).

The dietpi-nordvpn.service stops successfully, and the down-script works as expected by shutting down deluge and nzbget. But as mentioned, the VPN doesnt come back up.


While trying to search a reason, I noticed that other services remain up after starting, my /etc/systemd/system/auto-reconnect-vpn.service does not.

Code: Select all

dietpi@BeastiPi:~$ systemctl --type=service --state=active
UNIT                                                        		LOAD   		ACTIVE 		SUB     	DESCRIPTION
argononed.service                                          	loaded 		active 		running 	Argon One Fan and Button Service
auto-reconnect-vpn.service                                  loaded 		active 		[color=#00BF00]exited [/color] 	Auto-Reconnect-VPN (NordVPN)
...

i thought that by adding

Code: Select all

[Service]  
RemainAfterExit=yes

to the auto-reconnect-vpn.service it would stay up, but i was wrong.

I also noticed that services that are running exist in multiple locations. Some seem to be backups, but others i'm not sure.
For example: argononed.service

Code: Select all

dietpi@BeastiPi:~$ sudo find / -name argononed.service
/etc/systemd/system/multi-user.target.wants/argononed.service
/mnt/dietpi-backup/data/etc/systemd/system/multi-user.target.wants/argononed.service
/mnt/dietpi-backup/data/lib/systemd/system/argononed.service
/sys/fs/cgroup/memory/system.slice/argononed.service
/sys/fs/cgroup/pids/system.slice/argononed.service
/sys/fs/cgroup/devices/system.slice/argononed.service
/sys/fs/cgroup/systemd/system.slice/argononed.service
/sys/fs/cgroup/unified/system.slice/argononed.service
/lib/systemd/system/argononed.service

Do i need to add my newly created service to these other locations. like /etc/systemd/system/multi-user.target.wants, /sys/fs/, /lib/systemd/system/, etc do have the service active -- and -- would this make the service work as intended, i.e., restart the "dietpi-nordvpn.service" should i go down?

Thanks

[Joulinar]

Ok I had a closer look to this whole topic and I guess it will not work that way at all. There is no check how to find out that VPN connection get lost. Let's approach it from a different angel. I created a 7 day trail account at NordVPN. Let's see if it help to fix your challenge.

How does it looks like of your connection is lost.

Code: Select all

systemctl status dietpi-nordvpn.service
journalctl -u dietpi-nordvpn.service -n 20
ip a
ping -I tun0 -q -c 1 -W 1 1.1.1.1
dietpi-nordvpn status

I found another script in the web that will check connectivity via tun0 interface.

https://forum.turris.cz/t/guide-openvpn ... inux/10949

It's a simple ping -I tun0 to verify connection via VPN tunnel. But it expects a tun0 interface, which is not present if you stop the service manually . Therefore it would be good to know how VPN service as well as VPN interface looks like if connection get lost by it's own.

[Ode]

I thought that we would know that the VPN was down by noticing that the dietpi-nordvpn.service was down. I would also know since no internet traffic was passing, since i have a fw rule to send all web traffic out Tun0 only.
But for the current issue, i was thinking that we could monitor the dietpi-nordvpn.service. If it went down the autoconnect service would see it and restart the vpn.

If this is not possible, then your next suggestion seems logical.

Although, do you think this is specific to the dietpi-nordvpn app? Does this occur with with other providers/vpn apps?
I was just wondering if its worth the effort. My NordVPN subscription is running out in September, and in light of recent news, i dont think i will be renewing.
Perhaps mullvad has what i'm looking for already (resume vpn on disconnect)?

Many thanks for all the trouble you're going through.

[slalo19]

I don't understand too much of this but it would be nice to be able to restart the connection every time the vpn is disconnected. I have nordvpn and I wish I could use it on my server with radarr.

[Joulinar]

Hi,

Just vor clarification

1. NordVPN is using OpenVPN as VPN software
2. dietpi-nordvpn is just a script/gui to create the needed OpenVPN client file *.ovpn as well as setting up the required service dietpi-nordvpn.service, which is needed to be able to start VPN connection during boot
3. dietpi-nordvpn.service is the service who triggers the OpenVPN connection to NordVPN by running simple ExecStart command
   • ExecStart=/usr/sbin/openvpn /etc/openvpn/ovpn_udp/xxx.nordvpn.com.udp.ovpn
4. theoretically you could call OpenVPN manually from command line as well to establish VPN connection

Looks like it could happen that NordVPN connection stuck and no further packages are able to pass the VPN tunnel. That's the point where you see internet connection not working anymore. I guess dietpi-nordvpn.service is still active, but VPN interface is not functioning. Therefore we would need to know what is status of VPN service as well as VPN interface once you lost connection.

Code: Select all

systemctl status dietpi-nordvpn.service
journalctl -u dietpi-nordvpn.service -n 20
ip a
ping -I tun0 -q -c 1 -W 1 1.1.1.1
dietpi-nordvpn status

if tun0 interface is still present once issue occurs, we could use ping -I tun0 to verify the connection and trigger a restart of dietpi-nordvpn.service

[Ode]

@Joulinar

i setup the script you shared earlier and it works. Thanks!

Code: Select all

#!/bin/sh

# Check vpn-tunnel "tun0" and ping google DNS if internet connection work
if  [ "$(ping -I tun0 -q -c 1 -W 1 8.8.8.8 | grep '100% packet loss' )" != "" ]; then
        logger -t VPN_Reconnect VPN-Tunnel "tun0" has got no internet connection -> restart it
        systemctl restart dietpi-nordvpn.service
#else
#       logger -t VPN_Reconnect VPN-Tunnel "tun0" is working with internet connection
fi

I commented out the VPN working text as it was flooding syslog with little trade-off.

From syslog i can see that the VPN went down and the the script executed correctly

Jul 6 00:24:01 BeastiPi VPN_Reconnect: VPN-Tunnel tun0 is working with internet connection
Jul 6 00:25:01 BeastiPi CRON[27443]: (root) CMD (/usr/bin/vpn_reconnect #VPN Down? Restart it. Checks every minute.)
Jul 6 00:25:01 BeastiPi VPN_Reconnect: VPN-Tunnel tun0 is working with internet connection
Jul 6 00:26:01 BeastiPi CRON[27462]: (root) CMD (/usr/bin/vpn_reconnect #VPN Down? Restart it. Checks every minute.)
Jul 6 00:26:02 BeastiPi VPN_Reconnect: VPN-Tunnel tun0 has got no internet connection - Restart it
Jul 6 00:26:02 BeastiPi openvpn[18931]: Mon Jul 6 00:26:02 2020 event_wait : Interrupted system call (code=4)
Jul 6 00:26:02 BeastiPi openvpn[18931]: Mon Jul 6 00:26:02 2020 SIGTERM received, sending exit notification to peer
Jul 6 00:26:02 BeastiPi systemd[1]: Stopping NordVPN (DietPi)...
Jul 6 00:26:03 BeastiPi openvpn[18931]: Mon Jul 6 00:26:03 2020 /var/lib/dietpi/dietpi-software/installed/dietpi-nordvpn/down.sh tun0 1500 1585 10.8.0.11 255.255.255.0 init
Jul 6 00:26:04 BeastiPi openvpn[18931]: Mon Jul 6 00:26:04 2020 /sbin/ip route del XXX.XXX.XXX.XXX/32
Jul 6 00:26:04 BeastiPi openvpn[18931]: Mon Jul 6 00:26:04 2020 /sbin/ip route del 0.0.0.0/1
Jul 6 00:26:04 BeastiPi openvpn[18931]: Mon Jul 6 00:26:04 2020 /sbin/ip route del 128.0.0.0/1
Jul 6 00:26:04 BeastiPi openvpn[18931]: Mon Jul 6 00:26:04 2020 Closing TUN/TAP interface
Jul 6 00:26:04 BeastiPi openvpn[18931]: Mon Jul 6 00:26:04 2020 /sbin/ip addr del dev tun0 10.8.0.11/24
Jul 6 00:26:04 BeastiPi openvpn[18931]: Mon Jul 6 00:26:04 2020 SIGTERM[soft,exit-with-notification] received, process exiting
Jul 6 00:26:04 BeastiPi systemd[1]: dietpi-nordvpn.service: Succeeded.
Jul 6 00:26:04 BeastiPi systemd[1]: Stopped NordVPN (DietPi).
Jul 6 00:26:04 BeastiPi systemd[1]: Started NordVPN (DietPi).

...VPN negotiation logs

Jul 6 00:26:05 BeastiPi openvpn[27480]: Mon Jul 6 00:26:05 2020 Initialization Sequence Completed
Jul 6 00:27:01 BeastiPi CRON[27508]: (root) CMD (/usr/bin/vpn_reconnect #VPN Down? Restart it. Checks every minute.)
Jul 6 00:27:01 BeastiPi VPN_Reconnect: VPN-Tunnel tun0 is working with internet connection
Jul 6 00:28:01 BeastiPi CRON[27527]: (root) CMD (/usr/bin/vpn_reconnect #VPN Down? Restart it. Checks every minute.)
Jul 6 00:28:01 BeastiPi VPN_Reconnect: VPN-Tunnel tun0 is working with internet connection

Incedentally, while i was going through the logs i found the following

Jul 6 00:26:04 BeastiPi openvpn[27480]: Mon Jul 6 00:26:04 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit

I'm wondering if the ping-restart would solve the reconnect without having to create another script like the one above.

On this forum it appears that openvpn could do this, if its correctly setup:
https://forums.openvpn.net/viewtopic.php?t=8062

My point is, perhaps the "autoconnect" could be done more efficiently by doing everything in openvpn?

Anyway. thanks again for your help.

[Joulinar]

honestly I'm not an openvpn specialist. better to check such options like --ping-restart within a specilized board

At least checking the tunnel manually could be used in meantime as workaround.

BTW: the client config file is provided by NordVPN. The settings you will do could be overwritten once a new file is downloaded.
I checked my VPN messages and I can see the VPN tunnel is restarted automatically if there is no traffic pacing by. Somethow the --ping-restart is active.

Code: Select all

Jul 06 17:47:45 DietPi3 openvpn[425]: Mon Jul  6 17:47:45 2020 Restart pause, 5 second(s)
Jul 06 17:47:45 DietPi3 openvpn[425]: Mon Jul  6 17:47:45 2020 SIGUSR1[soft,ping-restart] received, process restarting
Jul 06 17:47:45 DietPi3 openvpn[425]: Mon Jul  6 17:47:45 2020 [au561.nordvpn.com] Inactivity timeout (--ping-restart), restarting

Most probably there are other issues with the tunnel or at NordVPN side leading the tunnel to be stuck. Google is full of such messages and people searching for a way to automatically reconnect

BTW: you can copy the script into /etc/cron.minutely and using dietpi-cron to specify how often the script should be running.