ddwrt-ovpn-client-watchdog.sh

#!/bin/sh
#DEBUG=; set -x # uncomment/comment to enable/disable debug mode

#          name: ddwrt-ovpn-client-watchdog.sh
#       version: 4.2.0, 13-oct-2024, by eibgrad
#       purpose: (re)start failed/stopped/unresponsive openvpn client
#   script type: startup (autostart)
#  installation:
#    1. enable jffs2 (administration->jffs2)
#    2. enable syslogd (services->services->system log)
#    3. use shell (telnet/ssh) to execute one of the following commands:
#         curl -kLs bit.ly/ddwrt-installer|tr -d '\r'|sh -s -- iNC273ER startup
#       or
#         wget -qO - bit.ly/ddwrt-installer|tr -d '\r'|sh -s -- iNC273ER startup
#    4. (optional): use vi editor to modify options:
#         vi /jffs/etc/config/ddwrt-ovpn-client-watchdog.startup
#    5. reboot
(
# ------------------------------ BEGIN OPTIONS ------------------------------- #

# time (in secs) between checks for failed/stopped/unresponsive openvpn client
CHECK_INTERVAL=60

# remote host used for ping checks
PING_HOST='8.8.8.8'

# time (in secs) between failed ping attempts
PING_INTERVAL=10

# number of consecutive failed ping attempts required for restart
PING_NUMFAIL=3 # (3 recommended, 0 disables ping checks)

# uncomment/comment to enable/disable
#   when enabled, verify PING_HOST is reachable via bridge!
#SW_PING_TAP_VIA_BRIDGE=

# ------------------------------- END OPTIONS -------------------------------- #

# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

LOCK="/tmp/$(basename $0).lock"
OVPN_CONF='/tmp/openvpncl/openvpn.conf'

# function ping_check()
ping_check() {
    [ $PING_NUMFAIL -gt 0 ] || return 0

    local i=1
    local vpn_if="$(awk '/^ *dev /{v=$2};END{print v}' $OVPN_CONF 2>/dev/null)"

    [ "$vpn_if" ] || { echo "error: line ${LINENO}: vpn_if=NULL"; return 0; }

    # we can't ping a bridged tunnel assigned to a bridge (e.g., br0)
    if [ "${vpn_if:0:3}" == 'tap' ]; then
        local br_if="$(echo /sys/class/net/*/brif/$vpn_if | cut -d/ -f5)"

        if [ "$br_if" != '*' ]; then
            if [ ${SW_PING_TAP_VIA_BRIDGE+x} ]; then
                # ping bridge assignment instead of underlying tunnel
                vpn_if="$br_if"
            else
                # skip ping checks
                return 0
            fi
        fi
    fi

    # tip: ping multiple times to minimize risk of reporting false negative
    while :; do
        ping -qc1 -W3 -I $vpn_if $PING_HOST &>/dev/null && return 0
        [ $((i++)) -ge $PING_NUMFAIL ] && break || sleep $PING_INTERVAL
    done

    # fall-through == failure
    return 1
}

# reject additional instances
mkdir $LOCK &>/dev/null || exit 0

# catch unexpected exit and cleanup
trap "rmdir $LOCK; exit 0" SIGHUP SIGINT SIGTERM

# wait for *reliable* internet connection
until ping -qc1 -W3 8.8.8.8 &>/dev/null; do sleep 10; done

while sleep $CHECK_INTERVAL; do
    # openvpn client must be enabled
    [ "$(nvram get openvpncl_enable)" != '0' ] || continue

    # check for failed/stopped/unresponsive openvpn client
    [ "$(ps | awk '$0~v{print $1}' v="--config +$OVPN_CONF")" ] && \
        ping_check && continue

    # confirm openvpn client is still enabled
    [ "$(nvram get openvpncl_enable)" != '0' ] || continue

    # fall-through == failure; (re)start openvpn client
    stopservice  openvpn && sleep 5
    startservice openvpn && sleep 5
    echo "info: openvpn client (re)started @ $(date)"
done

) 2>&1 | logger -t "$(basename $0 | grep -Eo '^.{0,23}')[$$]" &