tomato-ovpn-client-watchdog.sh

#!/bin/sh
#DEBUG=; set -x # uncomment/comment to enable/disable debug mode

#          name: tomato-ovpn-client-watchdog.sh
#       version: 3.1.0, 13-oct-2024, by eibgrad
#       purpose: (re)start failed/stopped/unresponsive openvpn client(s)
#   script type: init (autostart)
#  installation:
#    1. enable jffs (administration->jffs)
#    2. enable syslog (status->logs->logging configuration->syslog)
#    3. enable 'enable on start' option for openvpn client(s) to be monitored
#    4. use shell (telnet/ssh) to execute one of the following commands:
#         curl -kLs bit.ly/tomato-installer|tr -d '\r'|sh -s -- MPnU5WrK init
#       or
#         wget -qO - bit.ly/tomato-installer|tr -d '\r'|sh -s -- MPnU5WrK init
#    5. (optional) use vi editor to modify options:
#         vi /jffs/etc/config/tomato-ovpn-client-watchdog.init
#    6. reboot
(
# ------------------------------ BEGIN OPTIONS ------------------------------- #

# participating openvpn client(s) [ '1 2 3'=only | '*'=all | ''=none ]
PARTICIPANTS='*'

# time (in secs) between checks for failed/stopped/unresponsive openvpn client(s)
CHECK_INTERVAL=60

# remote host used for ping checks
PING_HOST='8.8.8.8'

# time (in secs) between failed ping attempts
PING_INTERVAL=10

# number of consecutive failed ping attempts required for restart
PING_NUMFAIL=3 # (3 recommended, 0 disables ping checks)

# uncomment/comment to enable/disable
#   when enabled, verify PING_HOST is reachable via bridge!
#SW_PING_TAP_VIA_BRIDGE=

# ------------------------------- END OPTIONS -------------------------------- #

# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

LOCK="/tmp/$(basename $0).lock"

# function ping_check( client-num )
ping_check() {
    [ $PING_NUMFAIL -gt 0 ] || return 0

    local i=1
    local conf="/tmp/etc/openvpn/client${1}/config.ovpn"
    local vpn_if="$(awk '/^ *dev /{v=$2};END{print v}' $conf 2>/dev/null)"

    [ "$vpn_if" ] || { echo "error: line ${LINENO}: vpn_if=NULL"; return 0; }

    # we can't ping a bridged tunnel assigned to a bridge (e.g., br0)
    if [ "${vpn_if:0:3}" == 'tap' ]; then
        local br_if="$(echo /sys/class/net/*/brif/$vpn_if | cut -d/ -f5)"

        if [ "$br_if" != '*' ]; then
            if [ ${SW_PING_TAP_VIA_BRIDGE+x} ]; then
                # ping bridge assignment instead of underlying tunnel
                vpn_if="$br_if"
            else
                # skip ping checks
                return 0
            fi
        fi
    fi

    # tip: ping multiple times to minimize risk of reporting false negative
    while :; do
        ping -qc1 -W3 -I $vpn_if $PING_HOST &>/dev/null && return 0
        [ $((i++)) -ge $PING_NUMFAIL ] && break || sleep $PING_INTERVAL
    done

    # fall-through == failure
    return 1
}

# reject additional instances
mkdir $LOCK &>/dev/null || exit 0

# catch unexpected exit and cleanup
trap "rmdir $LOCK; exit 0" SIGHUP SIGINT SIGTERM

# wait for *reliable* internet connection
until ping -qc1 -W3 8.8.8.8 &>/dev/null; do sleep 10; done

while sleep $CHECK_INTERVAL; do
    # process all "enable on start" openvpn clients
    for i in $(nvram get vpn_client_eas | tr ',' ' '); do
        # confirm openvpn client is participant
        echo "$PARTICIPANTS" | grep -q "[*$i]" || continue

        # check for failed/stopped/unresponsive openvpn client
        pidof vpnclient${i} &>/dev/null && ping_check $i && continue

        # confirm openvpn client is still enabled
        $(nvram get vpn_client_eas | grep -q $i) || continue

        # fall-through == failure; (re)start openvpn client
        service vpnclient${i} restart >/dev/null && sleep 5
        echo "info: openvpn client #$i (re)started @ $(date)"
    done
done

) 2>&1 | logger -t "$(basename $0 | grep -Eo '^.{0,23}')[$$]" &