2 VPN Client and 2 WiFi SSID: how to route traffic

Hi Martineau,

I have spent the last couple of days trying to solve this problem without any luck. Tried 2 different scripts - 1 from the AsusMerlin wiki and the other from a different snbforums post.

Can you please send me your script to try out?
 
Hello Martineau, would you please send me your script too? I'm on a RT-AC68U and would love to be able to separate VPN and normal onto different SSIDs. Thank you.
 
Thanks for sending the script, Martineau, and everything seems to work quite well!

I'm wondering if there is a way to link a specific ethernet port to a vpn?

Also, I'm getting this error, even though the vpn bridge with the guest network is working:

Code:
wl0.1   vpn-usa   2.4GHz Guest 1  (192.168.102.0/24) routed through tunnel VPN Client 2 (***ERROR VPN is DOWN) is MISSING a valid DNS entry in '-t nat DNSVPN2' via bridge:br2

EDIT: Looks like things aren't set up quite right after all, maybe related to the error above. When I have used WiFiVPN to set up a guest network to connect via VPN, and then connect to my regular (non-guest) WiFi network, my ip address still shows I'm connected through the VPN.
 
Thanks for sending the script, Martineau, and everything seems to work quite well!

I'm wondering if there is a way to link a specific ethernet port to a vpn?
Yes......you need a script to create a VLAN and then map this VLAN port to the VPN
e.g.
Code:
 ./GS108.sh status

IoT vlan30 ACTIVE devices (ARP only accurate within 60secs?)
 ============================================================

 Internet vlan40 ACTIVE devices (ARP only accurate within 60secs?)
 =================================================================
10.88.40.15 xx:xx:xx:xx:xx:xx  Samsung-TV (?)

 VPN (vlan50) br1 ACTIVE devices (ARP only accurate within 60secs?)
 ==================================================================
10.88.101.16 xx:xx:xx:xx:xx N/A  (HP-DM1.martineau.lan)



./VLANSwitch.sh 50 status verbose

 VPN vlan50 Bridge Status
 ========================
br1  8000.ac9e177ee4a0 no  wl0.3
                           vlan50
br1       Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:10.88.101.1  Bcast:10.88.101.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:71215 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5609552 (5.3 MiB)  TX bytes:163299414 (155.7 MiB)

Also, I'm getting this error, even though the vpn bridge with the guest network is working:
Code:
wl0.1   vpn-usa   2.4GHz Guest 1  (192.168.102.0/24) routed through tunnel VPN Client 2 (***ERROR VPN is DOWN) is MISSING a valid DNS entry in '-t nat DNSVPN2' via bridge:br2
Apologies, it is actually a poorly worded (aka reused) Warning message informing you that you are not using 'Accept DNS Configuration=EXCLUSIVE' so you are open to DNS leaks as discussed earlier in the thread.
 
EDIT: Looks like things aren't set up quite right after all, maybe related to the error above.

When I have used WiFiVPN to set up a guest network to connect via VPN, and then connect to my regular (non-guest) WiFi network, my ip address still shows I'm connected through the VPN.

Have you enabled Selective Routing?


or have you simply started the VPN Client and routed ALL traffic via the tunnel?

NOTE: You may omit the 'DummyVPN2' entry but without it (or a real LAN IP address explicitly routed via the tunnel) you won't be able to get rid of the Warning message.
 
Martineau, I haven't had time to check yet but I wanted to thank you for your replies. I'll be able to check tomorrow. Thanks again
 
Yes......you need a script to create a VLAN and then map this VLAN port to the VPN
e.g...

I think I've found enough to create a script that creates a VLAN, here. But then mapping that port to the VPN, I'm stumped.

Have you enabled Selective Routing?

...

or have you simply started the VPN Client and routed ALL traffic via the tunnel?

NOTE: You may omit the 'DummyVPN2' entry but without it (or a real LAN IP address explicitly routed via the tunnel) you won't be able to get rid of the Warning message.

Yep, that was it. Thank you!
 
I think I've found enough to create a script that creates a VLAN, here. But then mapping that port to the VPN, I'm stumped.
The clue is hiding in post #64 :D
Code:
./VLANSwitch.sh 50 status verbose

 VPN vlan50 Bridge Status
 ========================
br1  8000.xxxxxxxxxxxx no  wl0.3
                           vlan50
i.e. you simply need to add the VLAN to the appropriate bridge (created by WiFiVPN.sh) rather than 'br0', so both interfaces route their traffic via the VPN.

NOTE: This is effectively what my (verbose 750 lines vs. 5 lines) VLANSwitch.sh script does, although my script method doesn't use ebtables.
Code:
#============================================================= © 2016-2018 Martineau 'Router-on-a-stick'
#
# Configure RT-AC68U LAN Port X as VLAN Trunk for tagged VLAN nnn to downstream switch(s) on separate subnet using '/etc/dnsmasq.conf'
#
#
# Usage:    VLANSwitch  ['help'|'-h'] | [ [vlan_id] [switch_port] ]
#                                       [ ['status' ['verbose']] ['del'] ['vpn'[n]] ['vlanfw'] ['nodnsmasq'] ['autodnsmasq'] [alias='vlan_alias'] [debug]
#
#           VLANSwitch  200
#                       Switch port 4 will have vlan200 tagged to it
#           VLANSwitch  200 del
#                       Switch port 4 will have vlan200 removed
#           VLANSwitch  50 status
#                       Show the connected VLAN devices (or Bridge if VLAN is enslaved to one)
#           VLANSwitch  50 status verbose
#                       Show the vlan configuration and statistics etc.
#           VLANSwitch  20 3 vpn2 alias=NewYork
#                       Switch port 3 will have vlan20 tagged to it and will be forced via the VPN Client 2 (on bridge br2)
#                       and will have alias "NewYork" assigned in the config - assuming VPN Client 2 is via USA!  ;-)
#           VLANSwitch  20 3 vpn2 
#                       Switch port 3 will have vlan20 tagged to it and will be forced via the VPN Client 2 (on bridge br2)
#                       and the VPN Client 'description' field in the GUI will be used if available (Firmware >v380.xx) or 'ovpncX' as the alias
#           VLANSwitch  30 vpn1 vlanfw
#                       Switch port 4 will have vlan30 tagged to it and will be forced via the VPN Client 1 (on bridge br1)
#                       Firewall rules will explicitly use vlan30 rather than vlan+
#           VLANSwitch  101 nodnsmasq
#                       Switch port 4 will have vlan101 tagged to it, and vlan101 does not need to exist in /etc/dnsmasq.conf
#           VLANSwitch  101 autodnsmasq
#                       Switch port 4 will have vlan101 tagged to it, and /jffs/configs/dnsmasq.conf.add will be modified
#                       NOTE: dnsmasq will be auto-restarted.
 
i.e. you simply need to add the VLAN to the appropriate bridge (created by WiFiVPN.sh) rather than 'br0', so both interfaces route their traffic via the VPN.

Thanks, that was enough of a clue that I was able to get a start. I’m using WiFiVPN.sh to connect to a VPN on Guest account 3, therefore it creates a bridge 3. So I edited the VLAN script to reference br3 instead of br0:

Code:
robocfg vlan 1 ports "1 2 3 8t"   # LAN ports 1-3 stay on the default VLAN (8t = CPU port, tagged)
robocfg vlan 10 ports "4 8t"      # LAN port 4 is moved to vlan10
vconfig add eth0 10               # create the vlan10 interface on eth0
ifconfig vlan10 up
brctl addif br3 vlan10            # enslave vlan10 to the VPN bridge created by WiFiVPN.sh

(Note, even though I’m on RT-AC68U, it seems as though I need to use 8t, not 5t—robocfg show gave me 8t as defaults for ports 1 2 3 4.)

Unfortunately, this script only works until I reboot. After reboot, no ethernet port stays connected for more than 5 seconds. I have to remove the VLAN script to have a stable router. Do I have to include these “ebtables”? Which means research them...
 
Martineau

Can you please be so kind to share with me the wifivpn script mentioned in this thread?

I have exactly the same problem and this will save me a lot of time and hassle

I have N66U with firmware version 380.65_2

Thanks in advance for your help
 
Martineau

Can you please be so kind to share with me the wifivpn script mentioned in this thread?

I have exactly the same problem and this will save me a lot of time and hassle

I have N66U with firmware version 380.65_2

Thanks in advance for your help
I have sent you a link via PM.

NOTE: v380.65_2 is quite old....not sure if my script is still compatible but if you don't mind being a Beta tester;)
 
@Joboo7777

I have sent you a link via PM.

Thank You Sir. I'm not the most fluent person when it comes to custom router configuration/scripting, etc. Below are the steps I've gathered from previous threads and would appreciate your feedback. Hopefully I did not miss a step.

My goal is to create 1 Guest SSID to VPN Client mapping.

1) Enable "JFFS partition at next boot"
2) Enable "JFFS custom scripts and configs"
3) Enable "SSH"
4) Reboot
5) Create one 5Ghz Guest SSID with "Access Intranet" set to On
6) Create one Client VPN connection with "Selective Routing" Enabled
7) Copy wifivpn.sh_v1.0x_beta.sh script to /jffs/scripts/ directory using an SSH client
8) Run wifivpn.sh_v1.0x_beta.sh with 'status' parameter using SSH client, this allows you to gather the appropriate information to map the wifi SSID to VPN Client.
9) Run wifivpn.sh_v1.0x_beta.sh with information gathered from previous step to create the wifi SSID>VPN Client mapping
10) Check for autodnsmasq error from the results of running command in previous step. If error, then run wifivpn.sh_v1.0x_beta.sh with 'autodnsmasq' parameter to generate the required '/etc/dnsmasq.conf' statements
11) Add appropriate statements to the '/jffs/scripts/nat-start' script using text editor to ensure SSID>VPN Client mappings are automatically regenerated upon router reboots.
12) Test functionality

Sorry if these steps seem trivial. This will be my first attempt at enabling router capabilities using custom scripting. Any feedback would be appreciated.
 
5) Create one 5Ghz Guest SSID with "Access Intranet" set to On
I don't think you want to do Step 5.
i.e. why would you need to allow Intranet (LAN) access when you have the other WiFi SSIDs already configured with LAN access?

@Carlo's summary and step-by-step instructions are very clear and easy to follow:
2 VPN Client and 2 WiFi SSID: how to route traffic

NOTE: Whilst use of nat-start was originally recommended, during the boot sequence, this will unfortunately ignore the GUI 'Start with WAN=NO' directive, as the script would always attempt to start the VPN Client - potentially against the admins' wishes.

Consequently it is advisable to call WiFiVPN.sh asynchronously from the openvpn-event vpnclientX-route-up script.

P.S. You can of course call the script anything you like but 'WiFiVPN.sh' is preferred. ;)
 
I don't think you want to do Step 5.
i.e. why would you need to allow Intranet (LAN) access when you have the other WiFi SSIDs already configured with LAN access?

Thank you for your feedback! The use case for step 5 is to allow all devices regardless of which SSID they are connected to continue to communicate locally. For instance, if I have an Apple TV on the SSID mapped to VPN, and an iPhone or iPad on an SSID mapped to standard Wan internet, they could still communicate via technologies like Airplay. I'm assuming this would only be possible if I enable allow intranet on the SSID mapped to VPN?

NOTE: Whilst use of nat-start was originally recommended, during the boot sequence, this will unfortunately ignore the GUI 'Start with WAN=NO' directive, as the script would always attempt to start the VPN Client - potentially against the admins' wishes.

Consequently it is advisable to call WiFiVPN.sh asynchronously from the openvpn-event vpnclientX-route-up script.

So should Step 11 be: Add appropriate statement(s) to the 'vpnclientX-route-up' script using text editor.
 
The use case for step 5 is to allow all devices regardless of which SSID they are connected to continue to communicate locally. For instance, if I have an Apple TV on the SSID mapped to VPN, and an iPhone or iPad on an SSID mapped to standard Wan internet, they could still communicate via technologies like Airplay. I'm assuming this would only be possible if I enable allow intranet on the SSID mapped to VPN?

No idea - never owned any Apple kit, but since Selective Routing is implemented, then I doubt it will work without custom changes.

So should Step 11 be: Add appropriate statement(s) to the 'vpnclientX-route-up' script using text editor.

I suggest you get the script working first, but I advise you to use nat-start rather than risk breaking the VPN start up.
 
No idea - never owned any Apple kit, but since Selective Routing is implemented, then I doubt it will work without custom changes.



I suggest you get the script working first, but I advise you to use nat-start rather than risk breaking the VPN start up.

Thanks for all your help. I am able to use airplay using selective routing so hoping it will continue to work using this custom scripting process.

Thanks again for all your help!
John
 
Really interesting!!!

For specific needs, I use 2 client VPN connections with openvpn. One in america openvpn1, and the other in europe openvpn2. I'm using Asus RT-AC56U with the latest stable Asus-merlin OS.

I have 3 WIFI per channel (2.4GHz and 5GHz)

From antenna 2.4GHz;
MYWIFI
MYWIFI_Guest1_VPN1
MYWIFI_Guest2_VPN2

From antenna 5.0GHz;
MYWIFI_5GZ
MYWIFI_Guest1_VPN1_5GZ
MYWIFI_Guest2_VPN2_5GZ

Here's what I'll need:
1-That MYWIFI and MYWIFI_5GZ continue to access Br0 bridge (standard config without going into any VPN)
2-That all traffic from my networks * Guest1_VPN1 * pass through VPN openvpn1
3-That all traffic from my networks * Guest2_VPN2 * pass through VPN openvpn2
4-After a reboot, all VPN should reconnect and keep the previous config.

Any idea how to do it?

Thanks for your help and advice!
Steph
 
Unfortunately, this script only works until I reboot.
I figured out what the problem was. After rebooting, my VLAN script tried to add vlan10 to br3 but Martineau's WiFiVPN.sh script hadn't yet been called, so there was no br3 yet.

So instead, I placed the line connecting the VLAN to br3
Code:
brctl addif br3 vlan10
in nat-start after the line calling WiFiVPN.sh

Works great. Now after the router boots, and once there's actually a connection to the VPN, port 4 shares that connection.
 
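An added example (not Martineau's VLANSwitch.sh or WiFiVPN.sh, and not the poster's exact file): a nat-start fragment that applies the fix above but waits for br3 to exist before enslaving vlan10, instead of relying on line order alone. The names vlan10, LAN port 4 and br3 come from the posts above; SYSFS_NET and RUN are assumed knobs so the logic can be exercised without the router binaries.

```shell
#!/bin/sh
# Added example: attach the VLAN port to the VPN bridge only once
# WiFiVPN.sh has created that bridge. Not Martineau's script.
# SYSFS_NET and RUN are assumed knobs (override them for dry runs).

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # kernel's interface list
RUN="${RUN:-}"                             # RUN=echo prints instead of running

# 0 if the named interface (bridge, vlan, ...) exists.
iface_exists() {
    [ -d "$SYSFS_NET/$1" ]
}

# Poll for an interface for up to $2 seconds; 1 on timeout.
wait_for_iface() {
    name="$1"; limit="${2:-30}"; waited=0
    while ! iface_exists "$name"; do
        [ "$waited" -ge "$limit" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Tag vlan$1 on LAN port $2 and enslave it to bridge $3.
# If the bridge never appears, vlan$1 is left unbridged on purpose:
# falling back to br0 would let that port bypass the VPN silently.
attach_vlan_to_vpn_bridge() {
    vid="$1"; port="$2"; bridge="$3"
    $RUN robocfg vlan 1 ports "1 2 3 8t"   # LAN 1-3 stay on VLAN 1 (8t = tagged CPU port)
    $RUN robocfg vlan "$vid" ports "$port 8t"
    $RUN vconfig add eth0 "$vid"
    $RUN ifconfig "vlan$vid" up
    if wait_for_iface "$bridge" 30; then
        $RUN brctl addif "$bridge" "vlan$vid"
        return 0
    fi
    $RUN logger -t vlan-vpn "$bridge missing; vlan$vid left unbridged"
    return 1
}

# In /jffs/scripts/nat-start keep this order: WiFiVPN.sh first (it
# creates br3), then the VLAN attachment. Uncomment on the router:
# /jffs/scripts/WiFiVPN.sh <guest-ssid> 3
# attach_vlan_to_vpn_bridge 10 4 br3
```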
Any idea how to do it?

Steph, I'm new to all of this, but if you ask Martineau for his WiFiVPN.sh script, it will do that for you. Once you've installed it in /jffs/scripts, I believe you would call it from /jffs/scripts/nat-start like this:

Code:
/jffs/scripts/WiFiVPN.sh MYWIFI_Guest1_VPN1 1   # first guest SSID -> VPN Client 1
/jffs/scripts/WiFiVPN.sh MYWIFI_Guest2_VPN2 2   # second guest SSID -> VPN Client 2

You'd want to run both of those commands via ssh first, to let the script set up anything that it needs to set up.
 