I am using Merlin FW 380.58 and for some reason dnsmasq is not run with log-async (double checked with cat /tmp/etc/dnsmasq.conf), so I have added that option to dnsmasq.conf.add and then it works. I have tested it both with and without log-async; without log-async, clients don't get an IP assigned.
Here is my mix of scripts (updated v2.0) for running VPN over a dedicated SSID - WL1.1 (first 5GHz guest network).
Telnet or SSH to your router.
Use "vi" as the editor and press INSERT on your keyboard.
Paste the code into the appropriate file.
Press ESCAPE and type :wq
/jffs/configs/dnsmasq.conf.add
Code:
log-async
interface=wl1.1
dhcp-range=wl1.1,192.168.201.2,192.168.201.254,255.255.255.0,28800s
dhcp-option=wl1.1,3,192.168.201.1
/jffs/scripts/wan-start
Code:
#!/bin/sh
# depending on how fast you get your WAN IP, you MAY need to increase sleep 10 to some bigger value
sleep 10
# guest wireless assignment
ifconfig wl1.1 192.168.201.1 netmask 255.255.255.0
logger "IP for wl1.1 interface added"
# guest wireless bridge: route (not bridge) IPv4 and ARP frames arriving on wl1.1
ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP
# guest wireless firewall. vpn kill switch is built in (wl1.1 is only forwarded into tun11).
iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.201.0/24 -o tun11 -j MASQUERADE
/jffs/scripts/vpn-route-1.sh
Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the VPN - OpenVPN Client n - Custom Configuration box
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11
# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

# routing VPN IP range from other side of the tunnel via tun11_ip
# ip route add 192.168.X.Y/24 via $tun11_ip

# routing table for tun11 with divert rule
ip route add default via $tun11_ip dev tun11 table 11
ip rule add dev wl1.1 table 11
#ip rule add from 192.168.xxx.yyy table 11
#ip rule add from 192.168.xxx.zzz table 11
# not strictly necessary
ip route flush cache

# force VPN to default to Google Public DNS, you can use DNS from VPN provider if you setup routing VPN IP range
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
    iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
    iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
    #iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p udp --dport 53 -j DNAT --to $ip
    #iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p tcp --dport 53 -j DNAT --to $ip
    #iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p udp --dport 53 -j DNAT --to $ip
    #iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p tcp --dport 53 -j DNAT --to $ip
done

# VPN kill switch for desired IPs
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP

exit 0
/jffs/scripts/init-start
Code:
#!/bin/sh
cru a ScheduledReconnect "0 4 * * * /sbin/service restart_wan"
This last script will restart your WAN interface every day at 4 AM, which is useful if you are assigned a dynamic IP every 24h, so you won't experience the IP renewal during the day; adjust it to your needs.
Don't forget to run this once before rebooting:
Code:
chmod 755 /jffs/scripts/*
Reboot your router and test at https://dnsleaktest.com/
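As an added check, not part of the original post: a POSIX sh script that verifies the three things the scripts above are meant to leave in place (the policy rule for wl1.1, a default route via tun11 in table 11, and a FORWARD chain that lets wl1.1 out only through tun11), and names whatever is missing so a "connected but no internet" guest SSID can be narrowed down. It runs offline against constructed sample output; with --live it reads ip rule, ip route and iptables on the router. The requirement that the FORWARD chain ends in DROP is my assumption about how the kill switch holds, not something the post states.

```shell
#!/bin/sh
# Added sanity check for the wl1.1 -> tun11 setup; each check_* reads one command's output from $1.

# ip rule show: packets arriving on wl1.1 must be looked up in table 11
check_policy_rule() {
    printf '%s\n' "$1" | grep -q 'from all iif wl1.1 lookup 11'
}

# ip route show table 11: the default route must leave via tun11
check_vpn_table() {
    printf '%s\n' "$1" | grep -q '^default via [0-9.]* dev tun11'
}

# iptables -S FORWARD: wl1.1 may only be forwarded into tun11, and the chain
# must end in DROP (policy or final rule), otherwise the kill switch has a hole (assumption)
check_forward_chain() {
    fwd=$1
    printf '%s\n' "$fwd" | grep -q -- '-A FORWARD -i wl1.1 -o tun11 -j ACCEPT' || return 1
    if printf '%s\n' "$fwd" | grep -- '-i wl1.1' | grep -v -- '-o tun11' | grep -q ACCEPT; then
        return 1
    fi
    printf '%s\n' "$fwd" | grep -q -e '^-P FORWARD DROP' -e '^-A FORWARD -j DROP'
}

# Runs all checks and names what is missing; returns 0 only when everything is in place
check_guest_vpn() {
    rc=0
    check_policy_rule "$1"   || { echo "missing: ip rule iif wl1.1 -> table 11"; rc=1; }
    check_vpn_table "$2"     || { echo "missing: default via tun11 in table 11 (VPN up?)"; rc=1; }
    check_forward_chain "$3" || { echo "FORWARD: wl1.1 not restricted to tun11"; rc=1; }
    return $rc
}

# Constructed sample dumps: what the three commands print after wan-start and
# vpn-route-1.sh have run successfully (tunnel address 10.8.0.1 is made up)
SAMPLE_RULES='0: from all lookup local
32765: from all iif wl1.1 lookup 11
32766: from all lookup main'
SAMPLE_TABLE11='default via 10.8.0.1 dev tun11'
SAMPLE_FWD='-P FORWARD DROP
-A FORWARD -i wl1.1 -o tun11 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

if [ "$1" = "--live" ]; then  # on the router: sh check.sh --live
    check_guest_vpn "$(ip rule show)" "$(ip route show table 11)" "$(iptables -S FORWARD)"
else
    check_guest_vpn "$SAMPLE_RULES" "$SAMPLE_TABLE11" "$SAMPLE_FWD" && echo "guest VPN routing looks correct"
fi
```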
I followed the script, but now my guest Wi-Fi doesn't have active internet. I can connect to the Wi-Fi but have no internet.