2 VPN Client and 2 WiFi SSID: how to route traffic

[Carlo]

Hello Everyone,
i'm Carlo from Italy: this is my first post on this forum (well it's the second )
I did search and i did try to find the answer to my need but i didnt find, so i'm very sorry if there is a post that answer me.
I added a comment on antoehr thread but I dont know if it was the correct place, so i try to open a new thread.

I am not an expert on network/shell so i try ask you if you can help me, my question is very similar to the one of this post https://www.snbforums.com/threads/ssid-for-vpn.39852/ , but cant understand how to solve it.
I have an asus RT-N66U with the last version of Merlin-Asuswrt (380.68).

Router LAN is 192.168.2.1/255.255.255.0.
Wan is 192.168.1.1/255.255.255.0
I have enabled WIFI 2.4 & WIFI 5G with 2 different SSID
I have configured 2 VPN: Client 1 and Client 2 (they are working)
I did an ifconfig and i found these interfaces: br0, eth0, eth1, eth2, lo, tun11, tun12, vlan1, vlan2.

My wish is to route traffic to VPN Client 1 for the devices connected to the WIFI 2.4, and route to VPN Client 2 for the devices connected to the WIFI 5.0.

I do not have many devices so i guess an easy solution (maybe) can be to assign different dhcp range (eg. from 192.168.2.10 to 192.168.2.29 for WIFI 2.4, and from 192.168.2.30 to 192.168.2.49 for WIFI 5) and configure the Policy Rules on each VPN Client.

Can someone tell me if the solution can work... and how to do it?

Thank you very very much for your support.
Carlo.

 

[Martineau]

My wish is to route traffic to VPN Client 1 for the devices connected to the WIFI 2.4, and route to VPN Client 2 for the devices connected to the WIFI 5.0.

Although my first suggestion doesn't meet your requirements, I would say the easiest (non-scripting) solution is to simply ensure that ALL devices that connect to your main 2.4GHz (eth1) and the 5GHz (eth2) WiFi are assigned reserved/static I/P addresses.

The VPN routing is then easily achieved by adding the Policy rules via the GUI based on the device I/P address rather than the Wifi the device is connected to.

However, for forced VPN routing by WiFi network, you will indeed need to use scripting to map say a Guest WiFi interface/SSID to a specific VPN as per the various SSID-->VPN scripts on the Wiki or examples posted in the forum.
e.g.

Guest WiFi #1 2.4GHz (wl0.1) --> VPN Client 1
Guest WiFi #3 5GHz   (wl1.3) --> VPN Client 2

So using the above scenario, (and a different subnet) it doesn't matter what the I/P address of the device actually is, the device will always be routed via the VPN depending on the Guest WiFi network it is connected to.

Not sure what errors you experience when using the 'SSID->VPN' script?

My wish is to route traffic to VPN Client 1 for the devices connected to the WIFI 2.4, and route to VPN Client 2 for the devices connected to the WIFI 5.0.

Can someone tell me if the solution can work

Yes, forcing your main 2.4GHz (eth1) and the 5GHz (eth2) WiFi networks to use a specific VPN tunnel does work, but using the Guest networks rather than the main 2.4GHz/5GHz WiFi networks is safer..

i.e. suppose you routed both your main 2.4GHz (eth1) and the 5GHz (eth2) WiFi to say VPN 1, then you could potentially lock yourself out of your router via WiFi!

 

[Carlo]

Hello Martineau,
thank you very much for your answer.

I'll tell you something more about the network i have and i am trying to configure.

I am using the DSL modem-router provided by my internet company.
This modem has wifi so i use this device for normal home wifi (it has it's 2.4G, 5G and guests networks)

I am planning to use the asus router RT-N66U only for the VPN, for that reason i can use the normal WiFi instead of the guests one.

So the RT-N66U is connected directly to the DSL modem-router via cable.
DSL modem-router use the 192.168.1.x network.
RT-N66U use 192.168.2.x network and is connected to the DSL modem-router as the WAN.

My plan is to turn on the RT-N66U when someone at home need the VPN.
At the same time i would like to choose with VPN Client to use just connecting to one of the 2 wifi.
So i will have, for example, the WIFI 2.4 named "VPN United States" and the WIFI 5 named "VPN United Kingdom".
In this way if someone need the VPN from United States he just need to connect to the WIFI 2.4, if someone need the VPN from United Kingdom he just have to connect to the WiFi 5G; at the same time anyone can switch between VPNs just changing the WIFI he is connect to (or use the DSL modem-router to not use VPN)

Because i am not the only one using the vpn i would like to not have to log to the N66U to activate/deactivate the vpn clients.

Can you help me to understand if is possible to reach that configuration?

Thank you very much.
Carlo.

 

[Martineau]

Because i am not the only one using the vpn i would like to not have to log to the N66U to activate/deactivate the vpn clients.

So you only want to perform the admin/configuration ONLY once on the RT-N66U, then basically simply allow non technical users to simply power the VPN access point ON/OFF when required?

(It would be far easier if you could assign reserved I/P address to devices connecting to the RT-N66U ).

OK, first the easy GUI bit.....

By default the RT-N66U will broadcast SSIDs

Asus          2.4GHz on eth1
Asus_5G       5GHz   on eth2

yet you still persist with the idea that you don't want the RT-N66U to broadcast Guest Networks?

I still strongly suggest (at least initially) you enable two trial Guest WiFi SSIDs on the RT-N66U to prove that WiFi->VPN mapping works.
e.g.

     Guest Network Name (SSID)=VPN_USA          2.4GHz on wl0.1; 'Access Intranet=OFF'
     Guest Network Name (SSID)=VPN_UK           5GHz on   wl1.1; 'Access Intranet=OFF'

Assuming you have correctly configured the VPN Clients as follows:
e.g.

     VPN Client 1
          Description='America'
          Redirect Internet traffic='Policy Rules (strict)'
          Accept DNS Configuration='Exclusive'
          VPN1_Dummy 172.16.1.1 0.0.0.0 vpn
 
     VPN Client 2
          Description='United Kingdom'
          Redirect Internet traffic='Policy Rules (strict)'
          Accept DNS Configuration='Exclusive'
          VPN2_Dummy 172.16.2.1 0.0.0.0 vpn

Now you simply need a working WiFi->VPN script!!!!

I'm still not sure which scripts you have already tried and why they failed for you?
e.g. https://www.snbforums.com/threads/i...p-range-for-guest-networks.30066/#post-234632
shows the necessary stages - basically

1. Create the new VPN bridges (requires the bridge definition entries to be present in '/etc/dnsmasq.conf')
2. Move the WiFi interfaces to the appropriate bridge.
3. Apply Firewall rules

i.e. in your case you would need to alter the script to redirect both main WiFi SSIDs rather than the Guest WiFi SSIDs:

nvram set lan_ifnames="vlan1 wl0.1 wl0.2 wl0.3 wl1.1 wl1.2 wl1.3"
nvram set lan1_ifnames="eth1"
nvram set lan2_ifnames="eth2"

However, if you believe you are technically able to create/edit scripts, and have time to be a beta tester for the latest version of my WiFi->VPN script then I will send you a link.
NOTE: The script is now >1200 lines!

 

[Carlo]

Hello Martineau,
thank you for your answer.

I'm still not sure which scripts you have already tried and why they failed for you?

Actually i'm just a bit lost because i dont know what script i should use and/or edit to do the routing.

So you only want to perform the admin/configuration ONLY once on the RT-N66U, then basically simply allow non technical users to simply power the VPN access point ON/OFF when required?

Yes it's my desire

yet you still persist with the idea that you don't want the RT-N66U to broadcast Guest Networks?
I still strongly suggest (at least initially) you enable two trial Guest WiFi SSIDs on the RT-N66U to prove that WiFi->VPN mapping works.

It's ok to use the Guest networks: i understand your concern and I agree.
So right now I am using 2 guests (wl0.1 and wl1.1)
I also added the dnsmasq.postconf that correctly start every reboot of the RT-N66U.

This is my script:

Spoiler

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

logger "dnsmasq-dhcp: Configure wl0.1 to have special DHCP USA"
ifconfig wl0.1 192.168.10.1 netmask 255.255.255.0
iptables -D INPUT -i wl0.1 -j ACCEPT
iptables -I INPUT -i wl0.1 -j ACCEPT
ebtables -t broute -D BROUTING -i wl0.1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i wl0.1 -p ipv4 -j DROP

logger "dnsmasq-dhcp: Configure wl1.1 to have special DHCP UK"
ifconfig wl1.1 192.168.20.1 netmask 255.255.255.0
iptables -D INPUT -i wl1.1 -j ACCET
iptables -I INPUT -i wl1.1 -j ACCEPT
ebtables -t broute -D BROUTING -i wl1.1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i wl1.1 -p ipv4 -j DROP

pc_append "
log-dhcp

interface=wl0.1
dhcp-range=wl0.1,192.168.10.50,192.168.10.70,255.255.255.0,120s
dhcp-option=wl0.1,3,192.168.10.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4

interface=wl1.1
dhcp-range=wl1.1,192.168.20.50,192.168.20.70,255.255.255.0,120s
dhcp-option=wl1.1,3,192.168.20.1
dhcp-option=wl1.1,6,8.8.8.8,8.8.4.4

" /tmp/etc/dnsmasq.conf

DHCP works so device connected to the Wifi get the correct IP according to the settings on the script.

Now again i'm lost.
I do not know from what script i should start to route the 2 wifi (wl0.1 and wl1.1) to the 2 vpn clients.

I was reading the script on the post you gave me, but it start with:

WAN_IF=$(nvram get wan0_interface)
WANIP=$(/sbin/ifconfig $WAN_IF | grep 'inet addr' | cut -d':' -f2 | awk '{print $1}')

but if i check on the router the command nvram get wan0_interface i get nothing as result, so i'm a bit lost.

However, if you believe you are technically able to create/edit scripts, and have time to be a beta tester for the latest version of my WiFi->VPN script then I will send you a link.

I'm not afraid of the lenght of the script, and i have no problem to be a beta tester.
The problem is that my knowledge on linux network/firewall script is near zero and i will just make disasters with a complex script

Do you think i can start with an easier script?
It's very complex to route the traffic between vpn and wifi?

Thank you very much.
Carlo.

 

[Martineau]

but if i check on the router the command nvram get wan0_interface i get nothing as result,

Can you post the output of these commands?

nvram get wan0_ifname
 
nvram get wan0_gw_ifname

nvram get pppoe_ifname

 

[Martineau]

I'm not afraid of the lenght of the script, and i have no problem to be a beta tester.
The problem is that my knowledge on linux network/firewall script is near zero and i will just make disasters with a complex script

Do you think i can start with an easier script?

Whilst my script is lengthy and appears complex, it is primarily designed to remove the need for any changes by non-technical users, so you should not need to edit the script 'disastrously'.

Also to ensure you don't try anything silly that would cause issues, a lot of the code is simply error checking and of course (diagnostic) reporting.

i.e. if you try to map a WiFi interface that isn't configured, or the VPN Client isn't actually UP then you'd want the script to prevent this or automatically start the required VPN Client for you?!

It's very complex to route the traffic between vpn and wifi?

No - once you understand how the router works!

Here is the WiFiVPN.sh beta script for you to test when you have time.

/jffs/scripts/WiFiVPN.sh

For a description of the script command syntax issue:

./WiFiVPN.sh -h

Spoiler: WiFiVPN Script command syntax

#============================================================================== © 2016-2017 Martineau, v1.0X (Non Public Beta)
#
# Configure a Wifi interface to use a VPN Client connection
#
#          WiFiVPN     [ {'help'} | {'-h'} | status | diag]
#                      { wifi_interface | ssid [ vpn_number | 'del' | 'status'] }  ['nodns'] ['autodnsmasq'] ['nobridge'] ['openlan'] ['novpn'] ['vlan'{X}] ['debug']
# e.g.
#          WiFiVPN     status
#                      List ALL WiFi interfaces and associated VPN bridges.
#                      (This is the default if no command supplied)
#          WiFiVPN     wl0.2 1
#                      Guest 2.4Ghz #2 (wl0.2) is forced to use VPN Client 1 using bridge 1 (br1) and forces VPN 1 DNS
#          WiFiVPN     wl0.2 del
#                      Guest 2.4Ghz #2 (wl0.2) is reset to use the WAN rather than the VPN
#          WiFiVPN     wl0.2 nodns
#                      Guest 2.4Ghz #2 (wl0.2) is forced to use VPN Client 1 using bridge 1 (br1) and uses WAN DNS.
#          WifiVPN     wl1.3 status
#                      Guest 5Ghz #3 (wl1.3) config is listed in detail.
#          WiFiVPN     br2g24 5
#                      Guest SSID 'br2g24' (could be 2.4GHz Wifi Guest #2!?) is forced to use VPN Client 5 using bridge 5 (br5) and forces VPN 5 DNS
#          WiFiVPN     eth1 1
#                      2.4Ghz WiFi network (eth1) is forced to use VPN Client 1 using bridge 1 (br1) and forces VPN 1 DNS
#          WiFiVPN     eth2 2
#                      5Ghz WiFi network (eth2) is forced to use VPN Client 2 using bridge 2 (br2)  and forces VPN 2 DNS
#          WiFiVPN     status
#                      List ALL WiFi interfaces and associated VPN bridges.
#          WiFiVPN     diag
#                      List ALL WiFi interfaces and associated VPN bridges. Prompts to delete/show config.

Please disable your custom dnsmasq.postconf; and reboot.

Once you have installed the script onto the router, you can manually test that it works, so from the SSH command prompt issue the 'status' command

cd /jffs/scripts

./WiFiVPN.sh status

and you should get a response such as:

(WiFiVPN.sh): nnnnn v1.0X © 2016-2017 Martineau, WiFi VPN status request.....[status]

 WiFi->VPN Configuration Status for interfaces:

 wl0.1   VPN_USA          2.4GHz Guest 1
 -----   (ASUS_Guest2)    2.4GHz Guest 2  ** Disabled **
 -----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
 wl1.1   VPN_UK           5GHz   Guest 1
 -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
 -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
 eth1    Asus             2.4GHz Network
 eth2    Asus_5G          5GHz   Network

So now you can easily map an available WiFi interface to its appropriate VPN instance .
NOTE: If the VPN isn't UP, the script will attempt to start it - assuming it is correctly configured.

e.g. To map whichever physical WiFi interface is currently hosting SSID VPN_USA --> VPN Client 1 issue:

./WiFiVPN.sh vpn_usa 1

(WiFiVPN.sh): nnnnn v1.0X © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[vpn_usa_ny 1]

 (WiFiVPN.sh): nnnnn ***ERROR Bridge 'br1' not defined in '/etc/dnsmasq.conf' - ABORTing.....(Use 'autodnsmasq' directive!)

If you have not manually (or the script hasn't previously already) inserted the appropriate bridge definitions for the proposed VPN, then my script will report the above.

However, the script is able to auto-generate the required '/etc/dnsmasq.conf' statements if you supply the 'autodnsmasq' directive.

So reissue the command with the 'autodnsmasq' parameter.

./WiFiVPN.sh vpn_usa 1 autodnsmasq

(WiFiVPN.sh): nnnnn v1.0X © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[vpn_usa_ny 1 autodnsmasq]

 (WiFiVPN.sh): nnnnn ***Warning Bridge 'br1' not defined in '/etc/dnsmasq.conf' - auto updating '/jffs/configs/dnsmasq.conf.add' with 'br1' statements.....

 (WiFiVPN.sh): nnnnn WiFi (wl0.1) 2.4GHz Guest 1 VPN_USA_NY (192.168.101.0/24) routed through tunnel VPN Client 1 (America) using VPN DNS (100.120.0.1) via bridge:br1

Now if you reissue the 'status' command, the results should now be

(WiFiVPN.sh): nnnnn v1.0X © 2016-2017 Martineau, WiFi VPN status request.....[status]

   WiFi->VPN Configuration Status for interfaces:

   wl0.1   VPN_USA          2.4GHz Guest 1 (192.168.101.0/24) routed through tunnel VPN Client 1 (America) using VPN DNS (xxx.xxx.xxx.xxx) via bridge:br1
   -----   (ASUS_Guest2)    2.4GHz Guest 2  ** Disabled **
   -----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
   wl1.1   VPN_UK           5GHz   Guest 1
   -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
   -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
   eth1    Asus             2.4GHz Network
   eth2    Asus_5G          5GHz   Network

NOTE: Do not use the autodnsmasq directive unless you are prompted to!

If you now connect to the Guest WiFi->VPN SSID VPN_USA you should be routed via the desired regional VPN.

Once we have proved that my script works, you can map the other interfaces to a desired VPN.

Finally to have the WiFi->VPN mapping applied when the router is switched on, you will need the appropriate statements in

/jffs/scripts/nat-start

e.g.

#!/bin/sh          <---- Remember to add this line if nat-start script didn't already exist

/jffs/scripts/WiFiVPN.sh vpn_usa 1
/jffs/scripts/WiFiVPN.sh vpn_uk  2

NOTE: My script will also allow multiple WiFi interfaces to be assigned to the same VPN:

e.g. Allow SSID VPN_USA to be used by both 2.4GHz and 5GHz devices, and the same for VPN_UK (unless you need to segregate by WiFi capabilities?)

./WiFiVPN.sh wl0.1 1
./WiFiVPN.sh wl1.1 1

./WiFiVPN.sh wl0.2 2
./WiFiVPN.sh wl1.2 2

To remove the WiFi->VPN mapping
e.g. Unlink the WiFi->VPN mapping between Guest 2.4Ghz #1 from whichever VPN Client it is routed through:

./WiFiVPN.sh wl0.1 del

Let me know how it goes on your RT-N66U.

 

[Carlo]

Hello Martineau,
thank you for your support.
I did check the 3 commands and this is the result:

nvram get wan0_ifname

eth0

nvram get wan0_gw_ifname

eth0

nvram get pppoe_ifname

(this command gave no result)


Thank you.
Carlo.

 

[Carlo]

Hello Martineau,
thank you very much!
Thanks to you know i have my network working as in my dreams!

So this what i wanted to have:
- 2 vpn client enabled at the same time
- at least 2 wifi SSID enabled
- at least one SSID routed to each vpn client
- a one time configuration to let users at home to just use the VPN without know how the router works or without the need to log on the router to change the configuration

I have succesfully configurated the 2 vpn clints using the router web interface:
Client 1 = VPN connected to the United States
Client 2 = VPN connected to the United Kingdom

Right now i've activated 4 guests wifi (2x2.4g and 2x5G).
I named them this way:
- USA_2.4G
- USA_5G
- UK_2.4G
- UK_5G
then i also have the standard wifi (not guests) named this way:
- NOVPN-2.4
- NOVPN-5.0

After that i just followed the instruction, very easy.

1) I copied the script on /jffs/scripts/WiFiVPN.sh

2) I did run it with the status parameter to check the configuration (and because i was curious eheheh)
I got this result:

wl0.1   USA_2.4G      2.4GHz Guest 1
wl0.2   UK_2.4G       2.4GHz Guest 2
-----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
wl1.1   USA_5G        5GHz   Guest 1
wl1.2   UK_5G         5GHz   Guest 2
-----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
eth1    NOVPN-2.4       2.4GHz Network
eth2    NOVPN-5.0       5GHz   Network

3) I configured the 2 routing with the autodnsmasq params to create the 2 bridges:

./WiFiVPN.sh USA_5G 1 autodnsmasq
./WiFiVPN.sh UK_5G 2 autodnsmasq

4) Now that the route has been made, i created the nat-start to configurate the route at every reboot.
I used the interface name instead of the SSID: i did that because i know i would rename the SSID soon or later so i dont want to have problems later.
So this is my nat-start:

#!/bin/sh
/jffs/scripts/WiFiVPN.sh wl0.1 1
/jffs/scripts/WiFiVPN.sh wl1.1 1
/jffs/scripts/WiFiVPN.sh wl0.2 2
/jffs/scripts/WiFiVPN.sh wl1.2 2

... et voilà!
If i connect to USA_5G or USA_2.4G i am using the vpn client 1 (United States)
If i connect to UK_5G or UK_2.4G i am using the vpn client 2 (United Kingdom)

Now everyone at home that need the VPN just turn on the router, and just pick the WIFI according to the VPN he needs! AWESOME!

I did restart the router and BOOM!
Everything still working as excepted!

If i try now to run the script with the status parameter, this is the output:

wl0.1   USA_2.4G      2.4GHz Guest 1  (192.168.101.0/24) routed through tunnel VPN Client 1 (United States) using VPN DNS (10.175.0.1) via bridge:br1
wl0.2   UK_2.4G       2.4GHz Guest 2  (192.168.102.0/24) routed through tunnel VPN Client 2 (United Kingdom) using VPN DNS (10.175.0.1) via bridge:br2
-----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
wl1.1   USA_5G        5GHz   Guest 1  (192.168.101.0/24) routed through tunnel VPN Client 1 (United States) using VPN DNS (10.175.0.1) via bridge:br1
wl1.2   UK_5G         5GHz   Guest 2  (192.168.102.0/24) routed through tunnel VPN Client 2 (United Kingdom) using VPN DNS (10.175.0.1) via bridge:br2
-----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
eth1    NOVPN-2.4       2.4GHz Network
eth2    NOVPN-5.0       5GHz   Network

It was so easy.
I'm so happy you cant immagine!!!!!!
Thank you again!

 

[Martineau]

Hello Martineau,
thank you very much!
Thanks to you know i have my network working as in my dreams

Many thanks for testing the script, and I am extremely grateful for your very detailed feedback.

I do however have a small confession,

The script is already running successfully on several RT-AC68U/RT-AC56U routers but I was actually curious to see if it works on the RT-N66U.

However, I missed your OP regarding the firmware installed:

I have an asus RT-N66U with the last version of Merlin-Asuswrt (380.68).

I had hoped that you were running a non-Merlin version, but obviously the prime objective was to solve your requirement.

I am sure forum members will be interested in the VPN performance/throughput you experience on such hardware even with @RMerlin's VPN optimisations.

It is generally acknowledged that the ARM routers perform better than the legacy MIPS routers for VPN so I suspect you will need to ensure you squeeze every bit of performance out of your configuration.
@RMerlin sets the CPU affinity for the VPN Clients:

VPN Clients 2 and 4                       CPU0
            1,3 and 5                     CPU1

So nominally the odd-numbered client instances may perform better as CPU0 needs to handle all of the other router services, whilst CPU1 is (potentially) less busy.
NOTE: You may find that running two VPN clients on CPU1 is actually counter productive, but it is worth trying.

Broadcasting many SSIDs may have a overhead, but I still think it is safer to use the Guest WiFi, although you could temporarily try setting say eth1/eth2 to use the VPN but be aware of the consequences!

P.S. Personally I prefer to see the SSIDs in the nat-start commands, but you could obviously script an auto-update to nat-start to keep it human-friendly when you rename the VPN SSIDs.[/QUOTE]

 

[Carlo]

Many thanks for testing the script, and I am extremely grateful for your very detailed feedback.

no no, thank you!

I do however have a small confession,

ahhh me too
VPN are used to remove geographic restiction to service we legally pay for
One of them is video streaming.

I had hoped that you were running a non-Merlin version, but obviously the prime objective was to solve your requirement.

I was unable to configure the VPN without the settings provided by Merlin (default firmware was not working for me).

I suspect you will need to ensure you squeeze every bit of performance out of your configuration

Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
You are right.
I... mmmm.... didnt think of that problem before your message....
Yes you are right.

ou may find that running two VPN clients on CPU1 is actually counter productive, but it is worth trying

You are right: i will try because the real use case here is that, even if the 2 vpn are connected, only one is really used at the same moment.

you could temporarily try setting say eth1/eth2 to use the VPN but be aware of the consequences!

Yes.. i guess i will try: i will configure the router via cable, and use just the 2 main wifi (2.4G=VPN1, 5G=VPN2)

To give you additional info about performance, i can say this:
- Average download/upload speed when using VPN (Italy to United States) on a notebook connected via WIFI to the DSL provider router (not the N66U): 15-20MBbps
- Average Mbps for the Android tv playng the video service (without VPN): 15 Mb/s
- Average Mbps for the Android tv playng the video service with VPN configured directly on the Android TV: 4-5 Mb/s
- Average Mbps for the Android tv playng the video service with N66U "VPN WiFi": 2.5-3 Mb/s

According to that stats... i guess i need a router with better performance right?

 

[archy141]

Fantastic work guys

Martineau - Can I follow Carlo's steps with your script to get a similar solution working on my triband AC3200 running latest Merlin FW ?
What adjustments would I need to make ?

I would also like to have at two VPN clients (1US & 1UK) Mapped to two SSID's and a separate none VPN SSID. DHCP would be the most practical with family members and multiple devices.

Both of your help would be most appreciated

 

[Martineau]

I would also like to have at two VPN clients (1US & 1UK) Mapped to two SSID's and a separate none VPN SSID. DHCP would be the most practical with family members and multiple devices. Can I follow Carlo's steps with your script to get a similar solution working on my triband AC3200 running latest Merlin FW ?

What adjustments would I need to make ?

NONE ? but that's why it is still Beta!

If you are willing to be a beta tester for RT-AC3200 owners I'll send you a link to the script.

 

[archy141]

NONE ? but that's why it is still Beta!

If you are willing to be a beta tester for RT-AC3200 owners I'll send you a link to the script.

Sorry i have been away and unable to logon.
It would be a pleasure to try out your script and i plan to try it this week.
First on a spare N66U to get the process tested out as I'm not too confident on working with routers.
Once successfully completed I will than replicate the steps on the ac3200 as its the beloved main house router which house members rely on.

 

[princi]

Hello Carlo & Martineau,

You have achieved what I have been wanting to do for years (2 VPN tunnels connected at the same time plus local traffic).

I did manage it using Sabai OS and an external VPN Accelerator, but you can’t bind the tunnels to an SSID - only to a device.

Hello to Archy141 as well. I also saw the potential of using the 3 WiFi interfaces on the AC3200 to achieve the above goal - but tried and failed.

I’ll be following this thread closely. I have plenty of Asus routers available for testing purposes (AC3200, 2 x AC68U, AC88U, AC86U)

I can even run four at once! (Level 2 switch with 10G fibre, own subnet).

AC3200 is a good test bed for trialling a 3 SSID solution, but the CPU is showing signs of age.

FYI Carlo, my motivation for doing this is exactly the same as yours. Tunnels to FR, DE, CH, US, UK, AU, JP for the purpose of watching local TV / local Netflix.

Chapeau / Hut ab to Martineau for your script development efforts. And of course to RMerlin.

 

[50_Hertz]

Hi guys,

Fantastic thread! Exactly what I have been looking for!
I have just bought an RT-AC88U after two years of pain using my local ISP modem/router...
This is my first post on this forum and I am delighted to enter the world of Merlin, VPN scripts (and hopefully not factory resets ).
I would like to create a similar configuration on my router:

• eth1 => ISP
• wl1.1 => VPN client 1
• wl1.2 => VPN client 2
• wl1.3 => VPN client 3

I am running Merlin 382.1 and have configured the 3 vpn clients.

I have looked around and found few posts on the topic:

• https://www.snbforums.com/threads/d...-usual-with-asuswrt-merlin.31415/#post-253228 (from peraburek)
  
• https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN (from jobongo)

However Martineau's script seems to be the most recent and worked for all of you guys so I would be keen to test it and become a beta tester for rt-ac88u users.

Thank you very much for your help

 

[Martineau]

I would be keen to test it and become a beta tester for rt-ac88u users.

I have just bought an RT-AC88U after two years of pain using my local ISP modem/router...
This is my first post on this forum and I am delighted to enter the world of Merlin, VPN scripts (and hopefully not factory resets ).
I would like to create a similar configuration on my router:

• eth1 => ISP
• wl1.1 => VPN client 1
• wl1.2 => VPN client 2
• wl1.3 => VPN client 3

I am running Merlin 382.1 and have configured the 3 vpn clients.

I have looked around and found few posts on the topic:

• https://www.snbforums.com/threads/d...-usual-with-asuswrt-merlin.31415/#post-253228 (from peraburek)
  
• https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN (from jobongo)

I have sent you a link via PM.

 

[princi]

Hi guys,

Fantastic thread! Exactly what I have been looking for!
I have just bought an RT-AC88U after two years of pain using my local ISP modem/router...
This is my first post on this forum and I am delighted to enter the world of Merlin, VPN scripts (and hopefully not factory resets ).
I would like to create a similar configuration on my router:

• eth1 => ISP
• wl1.1 => VPN client 1
• wl1.2 => VPN client 2
• wl1.3 => VPN client 3

Impressive. Do let me know when you have it working well. It'll be good to have someone else to bother when I try to do it myself ;-)

 

[archy141]

NONE ? but that's why it is still Beta!

If you are willing to be a beta tester for RT-AC3200 owners I'll send you a link to the script.

I have spent some time in trying to get the setup working on the ac3200 (FW 380.68_4) but not succeeded. In frustration I even ended up re-flashing & factory resetting the router and repeating the steps without success again. I also tried different Vpn providers. Using the wifivpn status command the routes seemed to be correctly mapped to the desired wifi guest lans but the clients would fail to authenticate and connect at times or route incorrectly.

So than I began to question the router and firmware itself and took some steps backwards.
I factory reset the router once again and only took the steps to get my Internet connection up and configure two VPN clients using your instructions ie Redirect Internet Traffic - Strict policy, DNS Exclusive & VPN_Dummy net.

With one VPN client connected I can browse the Internet without traffic being directed through the VPN as expected but as soon as I also connect second VPN client the redirect Internet policy rule seems to fail and all traffic is routed through one of of the VPN clients.

Is this expected or a problem with the router or firmware ?

Surely both router VPN clients should automatically block standard DHCP traffic being routed through them with redirect Internet traffc policy in place. No autodnsmasq/bridge rules were yet in place to create the new dhcp pools and route traffic through the relevant VPN client.

I'm hoping you can help me in small steps to diagnose this problem.
I'm quite sure tha if I setup a single router VPN client & a single wifi net with your script everything will be fine and trouble starts when the second one is added.

 

[50_Hertz]

I have spent some time in trying to get the setup working on the ac3200 (FW 380.68_4) but not succeeded. In frustration I even ended up re-flashing & factory resetting the router and repeating the steps without success again. I also tried different Vpn providers. Using the wifivpn status command the routes seemed to be correctly mapped to the desired wifi guest lans but the clients would fail to authenticate and connect at times or route incorrectly.

So than I began to question the router and firmware itself and took some steps backwards.
I factory reset the router once again and only took the steps to get my Internet connection up and configure two VPN clients using your instructions ie Redirect Internet Traffic - Strict policy, DNS Exclusive & VPN_Dummy net.

With one VPN client connected I can browse the Internet without traffic being directed through the VPN as expected but as soon as I also connect second VPN client the redirect Internet policy rule seems to fail and all traffic is routed through one of of the VPN clients.

Is this expected or a problem with the router or firmware ?

Surely both router VPN clients should automatically block standard DHCP traffic being routed through them with redirect Internet traffc policy in place. No autodnsmasq/bridge rules were yet in place to create the new dhcp pools and route traffic through the relevant VPN client.

I'm hoping you can help me in small steps to diagnose this problem.
I'm quite sure tha if I setup a single router VPN client & a single wifi net with your script everything will be fine and trouble starts when the second one is added.

Hi archi,
Are the two VPN clients from the same provider? Are they using the same protocol and port?