2 VPN Client and 2 WiFi SSID: how to route traffic


EDIT: Okay, I was testing the VPN SSID from an Android phone that was ignoring the IP attribution rules (!!). It was actually (partially) working all along.

The DNS problem remains though.

When you set "Accept DNS Configuration=EXCLUSIVE", the firmware will create the appropriate DNSVPNx chain.

The script is stating that no valid entry exists in the chain.

I suggest you try issuing the following:
Code:
iptables --line -t nat -nvL DNSVPN1
and post the result.

NOTE: The script identifies a 'DNS leak' as being non-VPN ISP DNS use, but with the use of Stubby/DoT an encrypted DNS lookup via the WAN is no longer considered a DNS leak, and the legacy script may continue to be over-sensitive when reporting the DNS lookup state.
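To make concrete what the script is checking when it reports that no valid entry exists in the chain, here is an added example (not code from WiFiVPN.sh or the firmware) that parses a constructed `iptables --line -t nat -nvL DNSVPN1` listing and reports whether a DNAT rule for the guest subnet points at the VPN DNS. The subnet 10.88.101.0/24, the DNS 104.223.91.210 and the 172.16.1.1 dummy address are values from this thread; the packet counters are made up.

```shell
#!/bin/sh
# Added example, not code from WiFiVPN.sh: check whether a DNSVPNx nat chain holds
# the DNAT rule that forces a guest subnet's DNS lookups to the VPN-pushed resolver.
# This is the condition behind the script's "MISSING a valid DNS entry in
# '-t nat DNSVPNx'" message.

# Constructed sample in the shape of `iptables --line -t nat -nvL DNSVPN1`
# (not captured from a live router); subnet and DNS IPs are taken from the thread.
SAMPLE_DNSVPN1='Chain DNSVPN1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      412 27394 DNAT       all  --  *      *       10.88.101.0/24       0.0.0.0/0            to:104.223.91.210
2        0     0 DNAT       all  --  *      *       172.16.1.1           0.0.0.0/0            to:104.223.91.210'

# Constructed sample of a chain that EXCLUSIVE created but nothing populated.
SAMPLE_EMPTY='Chain DNSVPN1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination'

# dnsvpn_has_entry LISTING SOURCE DNS_IP
# Prints the rule number of the DNAT rule that sends SOURCE's DNS to DNS_IP;
# returns 1 (prints nothing) when the chain has no such rule.
dnsvpn_has_entry() {
    printf '%s\n' "$1" | awk -v src="$2" -v dns="$3" '
        # rule lines start with a number; with -nv the source is field 9
        # and the DNAT target address is the last field ("to:x.x.x.x")
        $1 ~ /^[0-9]+$/ && $4 == "DNAT" && $9 == src && $NF == ("to:" dns) {
            print $1; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# dnsvpn_rule_count LISTING: number of DNAT rules; 0 means the chain exists but
# is empty (EXCLUSIVE selected, but the VPN client never wrote its resolver into it).
dnsvpn_rule_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $4 == "DNAT" { n++ } END { print n + 0 }'
}

# Stand-alone demonstration against the constructed samples.
if num=$(dnsvpn_has_entry "$SAMPLE_DNSVPN1" 10.88.101.0/24 104.223.91.210); then
    echo "DNSVPN1 rule #$num sends 10.88.101.0/24 DNS to 104.223.91.210"
else
    echo "DNSVPN1 is MISSING a valid DNS entry for 10.88.101.0/24"
fi
echo "rules in empty chain: $(dnsvpn_rule_count "$SAMPLE_EMPTY")"
```

On a router, pipe the real listing in instead: `dnsvpn_has_entry "$(iptables --line -t nat -nvL DNSVPN1)" 10.88.101.0/24 104.223.91.210`.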
 
@Martineau,

It has been a year and a half since I successfully installed and ran your WiFiVPN script on my RT-AC88U.
I have recently upgraded the Merlin firmware to 384.10_2 and I am now facing a DNS issue (I suspect it has nothing to do with the firmware upgrade but more with me changing something in the VPN config).

Starting config: all the SSIDs on br0 (screenshot).

Then I map wl0.1 to VPN 1 (screenshot).

At this stage, I am surprised it used the WAN DNS instead of the VPN DNS.

Finally (screenshots):

103.86.96.100 is the NordVPN DNS server IP.

My VPN client config:
- Protocol: UDP
- Accept DNS configuration: exclusive
- Create NAT on tunnel: yes
- Redirect internet traffic: policy rules (strict)
- Block routed clients if tunnel goes down: yes
- VPN1_DUMMY 172.16.1.1 0.0.0.0 VPN
- Custom configuration:
Code:
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
# log /tmp/vpn.log
Thank you very much for your time & help
 

@Martineau,
It has been a year and a half since I successfully installed and ran your WiFiVPN script on my RT-AC88U.
I have recently upgraded the Merlin firmware to 384.10_2 and I am now facing a DNS issue (I suspect it has nothing to do with the firmware upgrade but more with me changing something in the VPN config).
Code:
Accept DNS configuration: exclusive
VPN1_DUMMY 172.16.1.1 0.0.0.0 VPN
As shown in the diag output, based on the above config directives, there doesn't appear to be the expected entry in chain DNSVPN1.

I believe v1.03b is available in post #7, so could you please give that version a test? That version is probably almost as old as your current version, though! :eek:

If v1.03b doesn't resolve your issue, then I'll PM a link to my latest ugly/hacked personal version.
 
@Martineau - something I have noticed over the last few weeks is that the .nat-start.sh does not seem to be executed automatically when needed.

./WiFiVPN.sh status

(screenshot)

./nat-start

(screenshot)

I would say I have to rerun it manually once a week. Any guess as to what might be happening here?
Thanks a lot
 

@Martineau - something I have noticed over the last few weeks is that the .nat-start.sh does not seem to be executed automatically when needed.

Try to remove .sh at the end of nat-start
 
@Martineau - something I have noticed over the last few weeks is that the .nat-start.sh does not seem to be executed automatically when needed.

./WiFiVPN.sh status

(screenshot)

./nat-start

(screenshot)

I would say I have to rerun it manually once a week. Any guess as to what might be happening here?
Thanks a lot
nat-start will be scheduled by the firmware as and when required, and can be tracked in Syslog
Code:
Jun 23 13:11:12 RT-AC68U custom_script: Running /jffs/scripts/nat-start
and if you have judicious logger statements in nat-start, you should be able to prove it physically ran and identify which actions it performs:
e.g.
Code:
RT-AC68U (nat-start): 9171 Martineau NAT customisation Starting....[]

RT-AC68U (nat-start): 9171 Martineau NAT customisation ALREADY running...ABORTing
v1.13x WiFiVPN.sh allows the mapping of the WiFi Guest to occur only when the actual VPN Client is initialised (use vpnclientX-route-up), rather than using nat-start to initiate the mapping, as it may not be appropriate to allow nat-start to arbitrarily start the VPN client.

This is the method I prefer/recommend, but the old-skool method of using nat-start to request WiFiVPN.sh still works.
Code:
./WiFiVPN.sh

(WiFiVPN.sh): 17507 v1.14 © 2016-2019 Martineau, WiFi status request.....[]

    WiFi Configuration Status for interfaces:
    wl0.1   G241IoT          2.4GHz Guest 1
    -----   (G242)           2.4GHz Guest 2  ** Disabled **
    wl0.3   G243BR3NY        2.4GHz Guest 3
    wl1.1   G51IoT           5GHz   Guest 1
    -----   (BR2G52)         5GHz   Guest 2  ** Disabled **
    wl1.3   G53BR3UK         5GHz   Guest 3
    eth1    Mart1n3auWPA     2.4GHz Network
    eth2    Mart1n3auMedia   5GHz   Network
Code:
./VPN_Client_Switch.sh   status

(VPN_Client_Switch.sh): 17880 v1.09 Request..... [status]

    VPN Client Status:

        Client 1 Connected via 100.120.101.149 (HMA New York)           VPN tunnel end-point I/P: 89.187.178.139
        Checking response (max 5secs) from 'http://ipecho.net/plain' to verify  VPN tunnel end-point I/P: 89.187.178.139
                                                                        VPN tunnel end-point I/P: 89.187.178.139

        Inter-|   Receive                                                |  Transmit
         face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
         tun11:   23453     225    0    0    0     0          0         0    22480     338    0    0    0     0       0          0

        NOTE: OpenVPN Statistics logged to Syslog
Code:
./WiFiVPN.sh wl0.3 1

(WiFiVPN.sh): 18657 v1.14 © 2016-2019 Martineau, Guest WiFi VPN Bridge request.....[wl0.3 1]

    (WiFiVPN.sh): 18657 WiFi (wl0.3) 2.4GHz Guest 3 G243BR3NY (10.88.101.0/24) using VPN DNS (104.223.91.210) via Bridge: br1

./WiFiVPN.sh status

(WiFiVPN.sh): 19070 v1.14 © 2016-2019 Martineau, WiFi status request.....[status]

    WiFi Configuration Status for interfaces:

    wl0.1   G241IoT          2.4GHz Guest 1
    -----   (G242)           2.4GHz Guest 2  ** Disabled **
    wl0.3   G243BR3NY        2.4GHz Guest 3  (10.88.101.0/24) routed through tunnel VPN Client 1 (HMA New York) using VPN DNS (104.223.91.210) via Bridge: br1
    wl1.1   G51IoT           5GHz   Guest 1
    -----   (BR2G52)         5GHz   Guest 2  ** Disabled **
    wl1.3   G53BR3UK         5GHz   Guest 3
    eth1    Mart1n3auWPA     2.4GHz Network
    eth2    Mart1n3auMedia   5GHz   Network
Simulating the effect of nat-start remapping the WiFi SSID to the VPN Client correctly reports that the mapping is already in place:
Code:
./WiFiVPN.sh wl0.3   1

(WiFiVPN.sh): 19936 v1.14 © 2016-2019 Martineau, Guest WiFi VPN Bridge request.....[wl0.3 1]

    **Warning WiFi (wl0.3) 2.4GHz Guest 3 G243BR3NY already attached to bridge: br1
    **Warning WiFi (wl0.3) already assigned to NVRAM variable: lan1_ifnames

    (WiFiVPN.sh): 19936 WiFi (wl0.3) 2.4GHz Guest 3 G243BR3NY (10.88.101.0/24) using VPN DNS (104.223.91.210) via Bridge: br1
However, if you are reporting a bug in the 'Accept DNS configuration=EXCLUSIVE' processing, then in the interim, explicitly removing the WiFi mapping and then remapping
Code:
./WiFiVPN.sh wl0.3   del

./WiFiVPN.sh wl0.3   1
should fix it; if not, I will need to investigate further.....
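As an added illustration of the logger-based tracing recommended above (example code, not Martineau's nat-start), here is a nat-start skeleton that writes a Starting/Complete pair to Syslog and aborts when a previous run still holds a lock, so the presence or absence of the Starting line in Syslog tells you whether the firmware actually scheduled it. The lock-file path /tmp/nat-start.lock and the `nat_start` function name are assumptions.

```shell
#!/bin/sh
# Added example, not Martineau's nat-start: a /jffs/scripts/nat-start skeleton that
# logs every step to Syslog and refuses to run twice at once, mirroring the
# "Starting...." and "ALREADY running...ABORTing" lines seen in Syslog.
TAG="nat-start"
LOCK="${NAT_START_LOCK:-/tmp/nat-start.lock}"   # assumed lock-file path

# log MESSAGE: one line to Syslog (via logger, when present) and to stderr,
# in the form "<host> (nat-start): <pid> <message>"
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$TAG" "$$ $*" 2>/dev/null || :
    fi
    printf '%s (%s): %s %s\n' "$(uname -n)" "$TAG" "$$" "$*" >&2
}

# acquire_lock: 0 if we now own the lock, 1 if a live process already holds it.
# A stale lock (holder PID no longer running) is taken over rather than honoured.
acquire_lock() {
    if [ -r "$LOCK" ]; then
        holder=$(cat "$LOCK")
        if [ -n "$holder" ] && kill -0 "$holder" 2>/dev/null; then
            return 1
        fi
    fi
    echo "$$" > "$LOCK"
}

release_lock() { rm -f "$LOCK"; }

# nat_start ARGS...: the body the firmware invokes; returns 1 when aborted
# because another instance is still running.
nat_start() {
    if ! acquire_lock; then
        log "Martineau NAT customisation ALREADY running...ABORTing"
        return 1
    fi
    log "Martineau NAT customisation Starting....[$*]"
    # NAT actions go here, e.g. remapping a Guest SSID to a VPN client:
    #   /jffs/scripts/WiFiVPN.sh wl0.3 1
    # (left as a comment so the skeleton runs on any host)
    log "Martineau NAT customisation Complete"
    release_lock
}

# Run the body only when executed as the nat-start script itself.
case "$0" in *nat-start*) nat_start "$@" ;; esac
```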
 
Quick question - I have an RT-AC66U_B1 and I need to be able to run a VPN for a couple of devices via WiFi.

From reading a couple of posts, it seems there is a way to set up a Guest network to go through the VPN. Before I dig in to try to figure this out (while I'm not a network newbie, this is over my experience level), can someone tell me if it is possible to get this working with an L2TP VPN? That's what my VPN service provider in the US supports.

Any tips and suggestions appreciated.

Thanks
 
I'm a newbie here. I've followed this thread as it appears to be providing a solution to exactly what I'd like to achieve. I'd like virtual wireless access point based routing that determines which vpnclient connection to use on an Asus AC87U running the latest Merlin version. I've copied the 1.03b WiFiVPN.sh script, but when I ran the status command I got some odd information returned that said that the 5G default SSID was disabled when I had devices connected to it. As a result, I've not had the confidence to run it to change anything. I've seen there's a later (1.13) version of the WiFiVPN.sh script and would like to see if that works. Where can I get a later copy of the script? Will it work on an AC87U running the latest version of Merlin, 384.13_4?
 
Hey everybody!

Hmm, this might all be an outdated and obsolete way to manage guest networks in 2020, I don't know. Been struggling to get this to work for 2 days now. I'm on an RT-AC68U. I'm no scripter, but I do get the basics (the kindergarten basics :p). I first tried with the 1.0 beta, without doing anything prior with bridges and whatnot. Mostly a bunch of errors. Found the latest beta version and made some progress. I made a new file through the touch command in /jffs/scripts and simply copied the entire script without any changes. This is how far I've got:

When adding the first networks...:
Code:
@RT-AC68U-E648:/jffs/scripts# ./WiFiVPN ABNB1 2 autodnsmasq
(WiFiVPN): 4806 v1.03b (Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[ABNB1 2 autodnsmasq]
**Warning WiFi (wl0.1) 2.4GHz Guest 1 Guestnetwork_ABNB1 already attached to bridge: br2
**Warning WiFi (wl0.1) already assigned to NVRAM variable: lan2_ifnames
awkNR: /etc/openvpn/dns/client2.resolv: No such file or directory
awkNR: /etc/openvpn/dns/client2.resolv: No such file or directory
awkNR: /etc/openvpn/dns/client2.resolv: No such file or directory
(WiFiVPN): 4806 WiFi (wl0.1) 2.4GHz Guest 1 Guestnetwork_ABNB1 (192.168.102.0/24) routed through tunnel VPN Client 2 (USA) using VPN DNS () via bridge:br2

grona1337@RT-AC68U-E648:/jffs/scripts# ./WiFiVPN Guestnetwork_ABNB2 3 autodnsmasq
(WiFiVPN): 5491 v1.03b (Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[Guestnetwork_ABNB2 3 autodnsmasq]
**Warning WiFi (wl0.2) 2.4GHz Guest 2 Guestnetwork_ABNB2 already attached to bridge: br3
**Warning WiFi (wl0.2) already assigned to NVRAM variable: lan3_ifnames
awkNR: /etc/openvpn/dns/client3.resolv: No such file or directory
awkNR: /etc/openvpn/dns/client3.resolv: No such file or directory
awkNR: /etc/openvpn/dns/client3.resolv: No such file or directory
(WiFiVPN): 5491 WiFi (wl0.2) 2.4GHz Guest 2 Guestnetwork_ABNB2 (192.168.103.0/24) routed through tunnel VPN Client 3 (ZURICH) using VPN DNS () via bridge:br3


I've added the dnsmasq.conf input through autodnsmasq, obviously. I haven't really done any scripting regarding the bridges; I did try some links to different forum threads yesterday, but I feel I do more damage than good.

Status check after:
Code:
@RT-AC68U-E648:/jffs/scripts# ./WiFiVPN status
(WiFiVPN): 6003 v1.03b (Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status]
WiFi->VPN Configuration Status for interfaces:
wl0.1 Guestnetwork_ABNB1 2.4GHz Guest 1 (192.168.102.0/24) routed through tunnel VPN Client 2 (***ERROR VPN is DOWN) is MISSING a valid DNS entry in '-t nat DNSVPN2' via bridge:br2
***ERROR invalid bridge configuration
br1 8000.000000000000 no
wl0.2 Guestnetwork_ABNB2 2.4GHz Guest 2 (192.168.103.0/24) routed through tunnel VPN Client 3 (***ERROR VPN is DOWN) is MISSING a valid DNS entry in '-t nat DNSVPN3' via bridge:br3
***ERROR invalid bridge configuration
br1 8000.000000000000 no
----- (ASUS_Guest3) 2.4GHz Guest 3 ** Disabled **
wl1.1 Guestnetwork1 5GHz Guest 1 (***ERROR no entry in table 114; br4 NOT) routed through tunnel VPN Client 4 (***ERROR VPN is DOWN) is MISSING a valid DNS entry in '-t nat DNSVPN4' via bridge:br4
***ERROR invalid bridge configuration
br1 8000.000000000000 no

wl1.2 ASUS_5G_Guest2 5GHz Guest 2
----- (ASUS_5G_Guest3) 5GHz Guest 3 ** Disabled **
eth1 comhem_5657Love 2.4GHz Network
eth2 comhem_5657Love_5G 5GHz Network

My dnsmasq:
Code:
@RT-AC68U-E648:/tmp/etc# cat dnsmasq.conf

# Bridge br2 uses DHCP pool 192.168.102.2 - 192.168.102.20
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.20,255.255.255.0,14400s
dhcp-option=br2,3,192.168.102.1
dhcp-option=br2,6,192.168.102.1
dhcp-option=br2,252,"\n"
# Bridge br3 uses DHCP pool 192.168.103.2 - 192.168.103.20
interface=br3
dhcp-range=br3,192.168.103.2,192.168.103.20,255.255.255.0,14400s
dhcp-option=br3,3,192.168.103.1
dhcp-option=br3,6,192.168.103.1
dhcp-option=br3,252,"\n"
# Bridge br4 uses DHCP pool 192.168.104.2 - 192.168.104.20
interface=br4
dhcp-range=br4,192.168.104.2,192.168.104.20,255.255.255.0,14400s
dhcp-option=br4,3,192.168.104.1
dhcp-option=br4,6,192.168.104.1
dhcp-option=br4,252,"\n"

I've tried YaZFi a few times, but can't seem to get internet to work through clients running TOR. Probably a completely different solution to that problem, maybe not a hard one at that...
My ISP modem is bridged to my 68U. All I want with this is a VPN router with tight network security: VPN client 1 for my computer and other devices like phones etc. through the WAN interface AND a few guest networks, each on a different subnet, connected to separate VPN clients (2-5).
Been reading here for a year or so and learned a few things, albeit I'm no script hacker. Been learning a lot just reading threads and searching around here. Very grateful to this entire community! This is the first time I'm actually asking for help, so I hope someone would help me structure the work that needs to be done. Got ADHD so I'm usually all over the place and have a hard time taking it one step at a time :D

regards
H
 
