Menu
What's new
By:
Filters Better Search

Dedicate 1 SSID for VPN and 1 SSID for usual with Asuswrt-merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

aky007

aky007

New Around Here
Hi everyone,

One of our development team are from china and they are suffering the China’s internet Great wall. Currently they were installed vpn client from each of their computer which is quite inconvenience to turn it on and off.

So we brought a Asus RT-AC88U with Asuswrt-merlin installed and plan to create 2 SSID (one dedicate for VPN and another for usual internet).

We found an article on their github wiki : How to setup SSID for VPN and SSID for regular ISP using Open VPN which seem like the thing we want to do.

But it is so complicated, can anyone give a beginner friendly guide so we can set it up as planned?

This could save million of internet users from country with internet censorship system.

PS: Will donate to Asuswrt-Merlin once the problem solved. :p

Thanks a lot.
 
Very interesting question and I'd be happy to see a proper, beginner-friendly guide for this too.

I am not in desperate need since I am running Astrill's (VPN provider) dedicated applet on the router. My quick and dirty solution is to exclude the 5GHz WiFi from the VPN (through the applet). The downside is that my laptop does not support 5GHz...
 
there has been a lot of talk about this on the forum, use search
first you would need to enable guest wireless networks, assign them different IP range, dnsmasq --log-async, etc.

for the beginning you can allow some IP address to go through VPN, so you don't need separate SSID, you could just change IP when you want
http://www.snbforums.com/threads/ho...pn-client-using-batch-file.27678/#post-212470

here is my mix of scripts for running VPN over dedicated SSID - WL1.1 (first 5GHz guest newtork)

telnet or SSH to your router
use "vi" for editor and press INSERT on your keyboard
paste this code to appropriate file
press ESCAPE and :wq

/jffs/scripts/wan-start
Code: 
#!/bin/sh
# depending on how fast you get your WAN IP, you MAY need to increase sleep 10 to some bigger value
sleep 10
# stop DHCP server
killall dnsmasq
sleep 1
logger "killall dnsmasq - command is executed"

# guest wireless assignment (customize your subnet IP range and interface ID)
ifconfig wl1.1 192.168.201.1 netmask 255.255.255.0
logger "IP for wl1.1 interface added"

# guest wireless wl1.1 DHCP
# /jffs/configs/dnsmasq.conf.add is added to /etc/dnsmasq.conf
dnsmasq --log-async
sleep 1
logger "dnsmasq --log-async - command is executed"

# guest wireless bridge
ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP


# guest wireless firewall. vpn kill switch is built in.
iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.201.0/24 -o tun11 -j MASQUERADE

/jffs/configs/dnsmasq.conf.add
Code: 
log-async
interface=wl1.1
dhcp-range=wl1.1,192.168.201.2,192.168.201.254,255.255.255.0,28800s
dhcp-option=wl1.1,3,192.168.201.1

/jffs/scripts/vpn-route-1.sh
Code: 
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the VPN - OpenVPN Client n - Custom Configuration box
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing VPN IP range from other side of the tunnel via tun11_ip
# ip route add 192.168.X.Y/24 via $tun11_ip


# routing table for tun11 with divert rule
ip route add default via $tun11_ip dev tun11 table 11
ip rule add dev wl1.1 table 11
#ip rule add from 192.168.xxx.yyy table 11
#ip rule add from 192.168.xxx.zzz table 11

# not strictly necessary
ip route flush cache

# force VPN to default to Google Public DNS, you can use DNS from VPN provider if you setup routing VPN IP range
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p tcp --dport 53 -j DNAT --to $ip
done

# VPN kill switch for desired IPs
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP

exit 0

/jffs/scirpts/init-start
Code: 
#!/bin/sh
cru a ScheduledReconnect "0 4 * * * /sbin/service restart_wan"

this last code will restart your WAN interface every day at 4 AM

don't forget to run once before reboot
Code: 
chmod 755 /jffs/scripts/*

reboot and test https://dnsleaktest.com/

maybe scripts need a bit of polishing, but I hope it will work in 99% of cases

These scripts are NOT compatible with Adaptive QOS!
 
Last edited:
peraburek said:
/jffs/scripts/wan-start
Click to expand...

That dnsmasq code won't work properly. You need to use service restart_dnsmasq, otherwise any postconf/conf.add script won't be applied if you manually kill/run dnsmasq. It might work for you only because something else properly restarts dnsmasq later on during boot.
 
RMerlin said:
That dnsmasq code won't work properly. You need to use service restart_dnsmasq, otherwise any postconf/conf.add script won't be applied if you manually kill/run dnsmasq. It might work for you only because something else properly restarts dnsmasq later on during boot.
Click to expand...

Hi RMerlin, you can see in the script few lines down "dnsmasq --log-async" is called
I have tried just by running "dnsmasq" but it doesn't work, it has to be "dnsmasq --log-async" otherwise it doesn't work

this combination of 1 VPN dedicated SSID and 1 SSID for normal traffic doesn't mix with Adaptive QOS
I didn't tried AiProtection, but I guess it is the same

I have 3 SSIDs for three different VPN endpoints and 2 SSIDs for normal traffic, it works great
 
peraburek said:
Hi RMerlin, you can see in the script few lines down "dnsmasq --log-async" is called
I have tried just by running "dnsmasq" but it doesn't work, it has to be "dnsmasq --log-async" otherwise it doesn't work
Click to expand...

Re-read what I posted - you must use the "service" command, not directly run the dnsmasq exe.
 
We have the same problem. We solved it with a VPN client that has the ability for application filtering (certain applications such as Outlook doesn't need VPN here in China, for instance) and site filtering (whereby specific URLs are either included or excluded from the VPN tunnel). In our case, this works great. Unfortunately our VPN provider pretty much sucks so I won't mention who they are. You might want to check out similar functionality with your VPN provider if you think it's worthwhile.
 
I am using Merlin FW 380.58 and for some reason dnsmasq is not run with log-async (double checked cat /tmp/etc/dnsmasq.conf ), so I have added that option to dnsmasq.conf.add and then it works - I have tested it both with and without log-async, without log-async clients don't get IP assigned

here is my mix of scripts (updated v2.0) for running VPN over dedicated SSID - WL1.1 (first 5GHz guest network)

telnet or SSH to your router
use "vi" for editor and press INSERT on your keyboard
paste this code to appropriate file
press ESCAPE and :wq

/jffs/configs/dnsmasq.conf.add
Code: 
log-async
interface=wl1.1
dhcp-range=wl1.1,192.168.201.2,192.168.201.254,255.255.255.0,28800s
dhcp-option=wl1.1,3,192.168.201.1


/jffs/scripts/wan-start
Code: 
#!/bin/sh
# depending on how fast you get your WAN IP, you MAY need to increase sleep 10 to some bigger value
sleep 10
# guest wireless assignment
ifconfig wl1.1 192.168.201.1 netmask 255.255.255.0
logger "IP for wl1.1 interface added"

# guest wireless bridge
ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP

# guest wireless firewall. vpn kill switch is built in.
iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.201.0/24 -o tun11 -j MASQUERADE

/jffs/scripts/vpn-route-1.sh
Code: 
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the VPN - OpenVPN Client n - Custom Configuration box
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing VPN IP range from other side of the tunnel via tun11_ip
# ip route add 192.168.X.Y/24 via $tun11_ip

# routing table for tun11 with divert rule
ip route add default via $tun11_ip dev tun11 table 11
ip rule add dev wl1.1 table 11
#ip rule add from 192.168.xxx.yyy table 11
#ip rule add from 192.168.xxx.zzz table 11

# not strictly necessary
ip route flush cache

# force VPN to default to Google Public DNS, you can use DNS from VPN provider if you setup routing VPN IP range
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p tcp --dport 53 -j DNAT --to $ip
done

# VPN kill switch for desired IPs
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP

exit 0

/jffs/scirpts/init-start
Code: 
#!/bin/sh
cru a ScheduledReconnect "0 4 * * * /sbin/service restart_wan"

this last code will restart your WAN interface every day at 4 AM - useful if you have dynamic IP assigned every 24h, so you won't experience IP renewal during day, adjust to your needs

don't forget to run once before reboot
Code: 
chmod 755 /jffs/scripts/*

reboot your router and test https://dnsleaktest.com/
 
Last edited:
The friendliest way I know to achieve it is to use Astrill VPN and their router applet, where you can set client routing per SSID.
 
RMerlin said:
Asuswrt automatically runs it with --log-async by default.

https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/services.c#L930
Click to expand...

I did a full factory reset, in order to check if "log-async" will be in dnsmasq.conf

cat /tmp/etc/dnsmasq.conf

Code: 
admin@RT-AC68U-XXXX:/tmp/home/root# cat /tmp/etc/dnsmasq.conf
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
admin@RT-AC68U-XXXX:/tmp/home/root#

can you check if there is some bug, shouldn't "log-async" be listed in /tmp/etc/dnsmasq.conf ??
 
peraburek said:
I did a full factory reset, in order to check if "log-async" will be in dnsmasq.conf
Click to expand...

--log-sync is passed at run time, it's not inside the config file. Do a "ps w | grep dnsmasq", you will see it there.
 
@RMerlin - it is true I saw output after running "ps w | grep dnsmasq", still I can't explain why it doesn't work without log-async in dnsmasq.conf.add

you can try to setup this scenario on your test router and see for yourself, you will probably have a better idea than me
 
peraburek said:
@RMerlin - it is true I saw output after running "ps w | grep dnsmasq", still I can't explain why it doesn't work without log-async in dnsmasq.conf.add

you can try to setup this scenario on your test router and see for yourself, you will probably have a better idea than me
Click to expand...

Once again, I have to refer you to my original post on the proper way to restart the dnsmasq service, using the service command. Do NOT just run "dnsmasq", it won't work.
 
please take a look at post http://www.snbforums.com/threads/de...-usual-with-asuswrt-merlin.31415/#post-253228

I have changed in "script version 2.0" - "/jffs/scripts/wan-start" it doesn't call dnsmasq anymore, there is no more "killall dnsmasq"!
Everything is sorted at the boot with "/jffs/configs/dnsmasq.conf.add" much better I would say
Still, without "log-async" in "/jffs/configs/dnsmasq.conf.add" and in end-effect "/tmp/etc/dnsmasq.conf" it doesn't work

Are you willing to test it?
 
GFW of China can detect OpenVPN in 30 minutes according to this very helpful discussion.

When your team switches vpn on from their computer it works? This is a vanilla OpenVPN with no mods? I am under the impression it will not work unless you use a protocol that can not be detected as of yet.
Both ends will need Scramble OpenVPN, you could check into obsproxy and other methods. Unless I misunderstand and you just want them to be able to get a uncensored Internet. If that is the case you will need to find a VPN that uses that patch in the link above (search google), the problem with that is maybe GFW also has a list of IP's to blacklist that are known to defeat its purpose.

I would say how much work are you willing to go through to get a private static IP with that patch. Its the only solution that you can do on the router as far as I know, but both ends need it. Like I said too- GFW may be blocking certain well knowen IP's as well. You may need to find a vpn provider with the patch and a static private IP just for your team. Unless you have a static IP, a Asus router and want to share your internet with them. (That would be my suggestion) You can do it, you both will need a modified version of RMerlins firmware.

Edit#2 Something like (I am not promoting these guys) slickvpn, I see they have that patch, only they lack a dedicated static IP, which may be what you want. If you use a URL in the opvn config file and your not using dnscrypt, GFW may block it before you even have a chance to connect.
Example bad-
Code: 
client
dev tun
proto udp
remote mexico.privateinternetaccess.com 1194
...
..............
Example good-
Code: 
client
dev tun
proto udp
remote ##.##.##.## 8080
...
Use a IP address in the opvn config and GFW dns interceptor on port 53 has no idea whats going on over at that IP (since your not looking up a url) (your vpn provider that you bought a static private IP from) Hope my rambling makes a little sense.
 
Last edited:
peraburek said:
I am using Merlin FW 380.58 and for some reason dnsmasq is not run with log-async (double checked cat /tmp/etc/dnsmasq.conf ), so I have added that option to dnsmasq.conf.add and then it works - I have tested it both with and without log-async, without log-async clients don't get IP assigned

here is my mix of scripts (updated v2.0) for running VPN over dedicated SSID - WL1.1 (first 5GHz guest network)

telnet or SSH to your router
use "vi" for editor and press INSERT on your keyboard
paste this code to appropriate file
press ESCAPE and :wq

/jffs/configs/dnsmasq.conf.add
Code: 
log-async
interface=wl1.1
dhcp-range=wl1.1,192.168.201.2,192.168.201.254,255.255.255.0,28800s
dhcp-option=wl1.1,3,192.168.201.1


/jffs/scripts/wan-start
Code: 
#!/bin/sh
# depending on how fast you get your WAN IP, you MAY need to increase sleep 10 to some bigger value
sleep 10
# guest wireless assignment
ifconfig wl1.1 192.168.201.1 netmask 255.255.255.0
logger "IP for wl1.1 interface added"

# guest wireless bridge
ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP

# guest wireless firewall. vpn kill switch is built in.
iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.201.0/24 -o tun11 -j MASQUERADE

/jffs/scripts/vpn-route-1.sh
Code: 
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the VPN - OpenVPN Client n - Custom Configuration box
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing VPN IP range from other side of the tunnel via tun11_ip
# ip route add 192.168.X.Y/24 via $tun11_ip

# routing table for tun11 with divert rule
ip route add default via $tun11_ip dev tun11 table 11
ip rule add dev wl1.1 table 11
#ip rule add from 192.168.xxx.yyy table 11
#ip rule add from 192.168.xxx.zzz table 11

# not strictly necessary
ip route flush cache

# force VPN to default to Google Public DNS, you can use DNS from VPN provider if you setup routing VPN IP range
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p tcp --dport 53 -j DNAT --to $ip
done

# VPN kill switch for desired IPs
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP

exit 0

/jffs/scirpts/init-start
Code: 
#!/bin/sh
cru a ScheduledReconnect "0 4 * * * /sbin/service restart_wan"

this last code will restart your WAN interface every day at 4 AM - useful if you have dynamic IP assigned every 24h, so you won't experience IP renewal during day, adjust to your needs

don't forget to run once before reboot
Code: 
chmod 755 /jffs/scripts/*

reboot your router and test https://dnsleaktest.com/
Click to expand...

Hi, I've got the above script working but I would like to modify it so that either the vpn ssid allocates ip addresses on the same subnet as the other lan addressing range, or routing is setup so that clients connected to the vpn ssid can communicate with other clients connected to the same router (either via Ethernet or other ssid).

How would I go about doing this?
 
You must log in or register to reply here.

Similar threads

J
Asus GT-BE98 Pro and Merlin, no internet when VPN disabled
Replies
4
Views
436
jbilodea
J
RMerlin
Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices
2 3
Replies
55
Views
5K
FishBones
F
RMerlin
Release Asuswrt-Merlin 3006.102.1 is now available for Wifi 7 devices
4 5 6
Replies
106
Views
17K
jksmurf
J
X
Wireless Router for VPN Access from China
Replies
1
Views
684
mtoto
M
RMerlin
  • Locked
Beta Asuswrt-Merlin 3006.102.1 Beta is now available for WIfi 7 devices
3 4 5
Replies
97
Views
14K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
J SSID QR Code validity after hard reset but using same SSID Password when setup again? Asuswrt-Merlin 1
4 Multi SSID in AP mode with AI Mesh Asuswrt-Merlin 1
P Accessing remotly Server While Using VPN on Asus Router with Merlin Firmware Asuswrt-Merlin 9
G Using VPN Director to route only torrent traffic through VPN Asuswrt-Merlin 9
B Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14 Asuswrt-Merlin 1
T Wireguard Client VPN not using DNS Asuswrt-Merlin 14
S Wireguard VPN doesn't work, buyer beware Asuswrt-Merlin 6
G VPN director configuration for qBittorrent Asuswrt-Merlin 7
J ASUS GT-AXE16000 CPU usage with VPN on lan machine Asuswrt-Merlin 25
I Wireguard VPN client does not autostart after reboot Asuswrt-Merlin 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 638 (members: 32, guests: 606)
Top