Dedicate 1 SSID for VPN and 1 SSID for usual with Asuswrt-merlin


aky007

New Around Here
Hi everyone,

One of our development teams is in China and they are suffering from China's internet Great Firewall. Currently they have a VPN client installed on each of their computers, which is quite inconvenient to turn on and off.

So we bought an Asus RT-AC88U with Asuswrt-merlin installed and plan to create 2 SSIDs (one dedicated for VPN and another for usual internet).

We found an article on their GitHub wiki: How to setup SSID for VPN and SSID for regular ISP using Open VPN, which seems like the thing we want to do.

But it is so complicated; can anyone give a beginner-friendly guide so we can set it up as planned?

This could save millions of internet users from countries with internet censorship systems.

PS: Will donate to Asuswrt-Merlin once the problem solved. :p

Thanks a lot.
 
Very interesting question and I'd be happy to see a proper, beginner-friendly guide for this too.

I am not in desperate need since I am running Astrill's (VPN provider) dedicated applet on the router. My quick and dirty solution is to exclude the 5GHz WiFi from the VPN (through the applet). The downside is that my laptop does not support 5GHz...
 
there has been a lot of talk about this on the forum, use search
first you would need to enable guest wireless networks, assign them a different IP range, dnsmasq --log-async, etc.

for the beginning you can allow some IP addresses to go through the VPN, so you don't need a separate SSID, you could just change IP when you want
http://www.snbforums.com/threads/ho...pn-client-using-batch-file.27678/#post-212470

here is my mix of scripts for running VPN over a dedicated SSID - WL1.1 (first 5GHz guest network)

telnet or SSH to your router
use "vi" as editor and press INSERT on your keyboard
paste this code into the appropriate file
press ESCAPE and :wq

/jffs/scripts/wan-start
Code:
#!/bin/sh
# depending on how fast you get your WAN IP, you MAY need to increase sleep 10 to some bigger value
sleep 10
# stop DHCP server
killall dnsmasq
sleep 1
logger "killall dnsmasq - command is executed"

# guest wireless assignment (customize your subnet IP range and interface ID)
ifconfig wl1.1 192.168.201.1 netmask 255.255.255.0
logger "IP for wl1.1 interface added"

# guest wireless wl1.1 DHCP
# /jffs/configs/dnsmasq.conf.add is added to /etc/dnsmasq.conf
dnsmasq --log-async
sleep 1
logger "dnsmasq --log-async - command is executed"

# guest wireless bridge
ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP


# guest wireless firewall. vpn kill switch is built in.
iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.201.0/24 -o tun11 -j MASQUERADE

/jffs/configs/dnsmasq.conf.add
Code:
log-async
interface=wl1.1
dhcp-range=wl1.1,192.168.201.2,192.168.201.254,255.255.255.0,28800s
dhcp-option=wl1.1,3,192.168.201.1

/jffs/scripts/vpn-route-1.sh
Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the VPN - OpenVPN Client n - Custom Configuration box
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if it exists (errors on a fresh table are harmless)
ip route flush table 11 2>/dev/null
ip route del default table 11 2>/dev/null

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
if [ -z "$tun11_ip" ]; then
    # without a tunnel address the default route below would be wrong, so do nothing
    logger "vpn-route-1.sh: tun11 has no IP address, routing left unchanged"
    exit 0
fi

# routing VPN IP range from other side of the tunnel via tun11_ip
# ip route add 192.168.X.Y/24 via $tun11_ip

# routing table for tun11 with divert rule
# (the rule is deleted first, so a VPN reconnect that re-runs this script does not stack duplicates)
ip route add default via $tun11_ip dev tun11 table 11
ip rule del dev wl1.1 table 11 2>/dev/null
ip rule add dev wl1.1 table 11
#ip rule del from 192.168.xxx.yyy table 11 2>/dev/null
#ip rule add from 192.168.xxx.yyy table 11
#ip rule del from 192.168.xxx.zzz table 11 2>/dev/null
#ip rule add from 192.168.xxx.zzz table 11

# not strictly necessary
ip route flush cache

# force VPN to default to Google Public DNS, you can use DNS from VPN provider if you set up routing for the VPN IP range
# each DNAT rule is deleted before it is appended, again so reconnects don't leave duplicates
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
    for proto in udp tcp
    do
        iptables -t nat -D PREROUTING -i wl1.1 -p $proto --dport 53 -j DNAT --to $ip 2>/dev/null
        iptables -t nat -A PREROUTING -i wl1.1 -p $proto --dport 53 -j DNAT --to $ip
        #iptables -t nat -D PREROUTING -s 192.168.xxx.yyy -p $proto --dport 53 -j DNAT --to $ip 2>/dev/null
        #iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p $proto --dport 53 -j DNAT --to $ip
        #iptables -t nat -D PREROUTING -s 192.168.xxx.zzz -p $proto --dport 53 -j DNAT --to $ip 2>/dev/null
        #iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p $proto --dport 53 -j DNAT --to $ip
    done
done

# VPN kill switch for desired IPs (delete first for the same reason)
#iptables -D FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP 2>/dev/null
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP
#iptables -D FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP 2>/dev/null
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP

exit 0

/jffs/scripts/init-start
Code:
#!/bin/sh
cru a ScheduledReconnect "0 4 * * * /sbin/service restart_wan"

this last code will restart your WAN interface every day at 4 AM

don't forget to run once before reboot
Code:
chmod 755 /jffs/scripts/*

reboot and test https://dnsleaktest.com/

maybe scripts need a bit of polishing, but I hope it will work in 99% of cases

These scripts are NOT compatible with Adaptive QOS!
 
/jffs/scripts/wan-start

That dnsmasq code won't work properly. You need to use service restart_dnsmasq, otherwise any postconf/conf.add script won't be applied if you manually kill/run dnsmasq. It might work for you only because something else properly restarts dnsmasq later on during boot.
 
That dnsmasq code won't work properly. You need to use service restart_dnsmasq, otherwise any postconf/conf.add script won't be applied if you manually kill/run dnsmasq. It might work for you only because something else properly restarts dnsmasq later on during boot.

Hi RMerlin, you can see in the script a few lines down that "dnsmasq --log-async" is called.
I have tried just running "dnsmasq" but it doesn't work; it has to be "dnsmasq --log-async", otherwise it doesn't work.

this combination of 1 VPN-dedicated SSID and 1 SSID for normal traffic doesn't mix with Adaptive QOS
I didn't try AiProtection, but I guess it is the same

I have 3 SSIDs for three different VPN endpoints and 2 SSIDs for normal traffic, it works great
 
Hi RMerlin, you can see in the script a few lines down that "dnsmasq --log-async" is called.
I have tried just running "dnsmasq" but it doesn't work; it has to be "dnsmasq --log-async", otherwise it doesn't work.

Re-read what I posted - you must use the "service" command, not directly run the dnsmasq exe.
 
We have the same problem. We solved it with a VPN client that has the ability for application filtering (certain applications such as Outlook don't need VPN here in China, for instance) and site filtering (whereby specific URLs are either included or excluded from the VPN tunnel). In our case, this works great. Unfortunately our VPN provider pretty much sucks so I won't mention who they are. You might want to check out similar functionality with your VPN provider if you think it's worthwhile.
 
I am using Merlin FW 380.58 and for some reason dnsmasq is not run with log-async (double-checked with cat /tmp/etc/dnsmasq.conf), so I have added that option to dnsmasq.conf.add and then it works. I have tested it both with and without log-async; without log-async clients don't get an IP assigned.

here is my mix of scripts (updated v2.0) for running VPN over a dedicated SSID - WL1.1 (first 5GHz guest network)

telnet or SSH to your router
use "vi" as editor and press INSERT on your keyboard
paste this code into the appropriate file
press ESCAPE and :wq

/jffs/configs/dnsmasq.conf.add
Code:
log-async
interface=wl1.1
dhcp-range=wl1.1,192.168.201.2,192.168.201.254,255.255.255.0,28800s
dhcp-option=wl1.1,3,192.168.201.1


/jffs/scripts/wan-start
Code:
#!/bin/sh
# depending on how fast you get your WAN IP, you MAY need to increase sleep 10 to some bigger value
sleep 10
# guest wireless assignment
ifconfig wl1.1 192.168.201.1 netmask 255.255.255.0
logger "IP for wl1.1 interface added"

# guest wireless bridge: take wl1.1 out of br0, so IPv4 and ARP frames from the guest SSID are routed (and therefore firewalled) instead of being bridged straight onto the LAN
ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP

# guest wireless firewall. vpn kill switch is built in.
iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.201.0/24 -o tun11 -j MASQUERADE

/jffs/scripts/vpn-route-1.sh
Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the VPN - OpenVPN Client n - Custom Configuration box
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if it exists (errors on a fresh table are harmless)
ip route flush table 11 2>/dev/null
ip route del default table 11 2>/dev/null

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
if [ -z "$tun11_ip" ]; then
    # without a tunnel address the default route below would be wrong, so do nothing
    logger "vpn-route-1.sh: tun11 has no IP address, routing left unchanged"
    exit 0
fi

# routing VPN IP range from other side of the tunnel via tun11_ip
# ip route add 192.168.X.Y/24 via $tun11_ip

# routing table for tun11 with divert rule
# (the rule is deleted first, so a VPN reconnect that re-runs this script does not stack duplicates)
ip route add default via $tun11_ip dev tun11 table 11
ip rule del dev wl1.1 table 11 2>/dev/null
ip rule add dev wl1.1 table 11
#ip rule del from 192.168.xxx.yyy table 11 2>/dev/null
#ip rule add from 192.168.xxx.yyy table 11
#ip rule del from 192.168.xxx.zzz table 11 2>/dev/null
#ip rule add from 192.168.xxx.zzz table 11

# not strictly necessary
ip route flush cache

# force VPN to default to Google Public DNS, you can use DNS from VPN provider if you set up routing for the VPN IP range
# each DNAT rule is deleted before it is appended, again so reconnects don't leave duplicates
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
    for proto in udp tcp
    do
        iptables -t nat -D PREROUTING -i wl1.1 -p $proto --dport 53 -j DNAT --to $ip 2>/dev/null
        iptables -t nat -A PREROUTING -i wl1.1 -p $proto --dport 53 -j DNAT --to $ip
        #iptables -t nat -D PREROUTING -s 192.168.xxx.yyy -p $proto --dport 53 -j DNAT --to $ip 2>/dev/null
        #iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p $proto --dport 53 -j DNAT --to $ip
        #iptables -t nat -D PREROUTING -s 192.168.xxx.zzz -p $proto --dport 53 -j DNAT --to $ip 2>/dev/null
        #iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p $proto --dport 53 -j DNAT --to $ip
    done
done

# VPN kill switch for desired IPs (delete first for the same reason)
#iptables -D FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP 2>/dev/null
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP
#iptables -D FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP 2>/dev/null
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP

exit 0

/jffs/scripts/init-start
Code:
#!/bin/sh
cru a ScheduledReconnect "0 4 * * * /sbin/service restart_wan"

this last code will restart your WAN interface every day at 4 AM. Useful if you have a dynamic IP assigned every 24h, so you won't experience IP renewal during the day; adjust to your needs.

don't forget to run once before reboot
Code:
chmod 755 /jffs/scripts/*

reboot your router and test https://dnsleaktest.com/
 
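A check script for the v2.0 setup above, added here as an example (it is not from this thread or from Asuswrt-Merlin): each function reads the output of one router command from stdin and reports whether the guest SSID is really pinned to the tunnel, whether its DNS is forced, and whether the kill switch holds. The function names are this example's own; the line formats assumed are those printed by "ip rule", "ip route show table N" and "iptables -S".

```sh
#!/bin/sh
# Added example, not part of the thread. Run on the router as:
#   ip rule                       | guest_rule_present wl1.1 11
#   ip route show table 11        | vpn_default_route_present tun11
#   iptables -t nat -S PREROUTING | dns_dnat_count wl1.1
#   iptables -S FORWARD           | kill_switch_ok wl1.1 tun11
# Each function exits 0 (ok) or 1 (problem); dns_dnat_count prints a number.

# "ip rule" should contain a line like "32765: from all iif wl1.1 lookup 11",
# i.e. packets arriving on the guest SSID are looked up in the VPN table.
guest_rule_present() {
    grep -qF "iif $1 lookup $2"
}

# "ip route show table 11" should hold a default route that leaves via the
# tunnel device; without it the guest SSID falls back to the main table.
vpn_default_route_present() {
    grep -qE "^default via [0-9.]+ dev $1( |\$)"
}

# Number of DNAT rules that capture port 53 from the guest interface.
# The route-up script installs 2 per DNS server (udp + tcp), so two servers
# should give 4; a larger number means the rules were re-added on a VPN
# reconnect and are piling up.
dns_dnat_count() {
    grep -cE -- "-i $1 -p (udp|tcp) .*--dport 53 -j DNAT" || true
}

# Kill switch: the FORWARD policy must be DROP, and every ACCEPT rule that
# forwards traffic arriving from the guest interface must send it out the
# tunnel. An ACCEPT towards any other device is a leak path around the VPN.
kill_switch_ok() {
    awk -v g="$1" -v t="$2" '
        /^-P FORWARD DROP/ { policy_drop = 1 }
        $0 ~ "-i " g " " && /-j ACCEPT/ {
            if ($0 !~ "-o " t " ") leak = 1
        }
        END { exit !(policy_drop && !leak) }'
}
```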
The friendliest way I know to achieve it is to use Astrill VPN and their router applet, where you can set client routing per SSID.
 

I did a full factory reset, in order to check if "log-async" will be in dnsmasq.conf

cat /tmp/etc/dnsmasq.conf

Code:
admin@RT-AC68U-XXXX:/tmp/home/root# cat /tmp/etc/dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
admin@RT-AC68U-XXXX:/tmp/home/root#

can you check if there is some bug? Shouldn't "log-async" be listed in /tmp/etc/dnsmasq.conf?
 
I did a full factory reset, in order to check if "log-async" will be in dnsmasq.conf

--log-sync is passed at run time, it's not inside the config file. Do a "ps w | grep dnsmasq", you will see it there.
 
@RMerlin - it is true, I saw the output after running "ps w | grep dnsmasq"; still I can't explain why it doesn't work without log-async in dnsmasq.conf.add

you can try to set up this scenario on your test router and see for yourself; you will probably have a better idea than me
 
@RMerlin - it is true, I saw the output after running "ps w | grep dnsmasq"; still I can't explain why it doesn't work without log-async in dnsmasq.conf.add

you can try to set up this scenario on your test router and see for yourself; you will probably have a better idea than me

Once again, I have to refer you to my original post on the proper way to restart the dnsmasq service, using the service command. Do NOT just run "dnsmasq", it won't work.
 
please take a look at post http://www.snbforums.com/threads/de...-usual-with-asuswrt-merlin.31415/#post-253228

I have changed it in "script version 2.0": "/jffs/scripts/wan-start" doesn't call dnsmasq anymore, there is no more "killall dnsmasq"!
Everything is sorted at boot with "/jffs/configs/dnsmasq.conf.add", much better I would say.
Still, without "log-async" in "/jffs/configs/dnsmasq.conf.add" and, in effect, in "/tmp/etc/dnsmasq.conf", it doesn't work.

Are you willing to test it?
 
GFW of China can detect OpenVPN in 30 minutes according to this very helpful discussion.

When your team switches the VPN on from their computers, it works? This is vanilla OpenVPN with no mods? I am under the impression it will not work unless you use a protocol that cannot be detected as of yet.
Both ends will need Scramble OpenVPN; you could check into obfsproxy and other methods. Unless I misunderstand and you just want them to be able to get an uncensored Internet. If that is the case you will need to find a VPN that uses that patch in the link above (search Google); the problem with that is maybe GFW also has a list of IPs to blacklist that are known to defeat its purpose.

I would say how much work are you willing to go through to get a private static IP with that patch? It's the only solution that you can do on the router as far as I know, but both ends need it. Like I said too, GFW may be blocking certain well-known IPs as well. You may need to find a VPN provider with the patch and a static private IP just for your team. Unless you have a static IP, an Asus router and want to share your internet with them. (That would be my suggestion.) You can do it, but you both will need a modified version of RMerlin's firmware.

Edit#2 Something like (I am not promoting these guys) slickvpn; I see they have that patch, only they lack a dedicated static IP, which may be what you want. If you use a URL in the ovpn config file and you're not using dnscrypt, GFW may block it before you even have a chance to connect.
Example bad-
Code:
client
dev tun
proto udp
remote mexico.privateinternetaccess.com 1194
...

Example good-
Code:
client
dev tun
proto udp
remote ##.##.##.## 8080
...
Use an IP address in the ovpn config and the GFW DNS interceptor on port 53 has no idea what's going on over at that IP (since you're not looking up a URL) (your VPN provider that you bought a static private IP from). Hope my rambling makes a little sense.
 

Hi, I've got the above script working, but I would like to modify it so that either the VPN SSID allocates IP addresses on the same subnet as the other LAN address range, or routing is set up so that clients connected to the VPN SSID can communicate with other clients connected to the same router (either via Ethernet or another SSID).

How would I go about doing this?
 
