Dedicated SSID for VPN

[Michael R Stamper]

Hello

I am new to networking and I apologize in advance if this has been asked and I was too naive to know what to search for.

I live in Japan and I have an Asus RT-AC3200 router. I have a VPN provider that I pay for, NordVPN.

I would like to setup multiple SSIDs on my router - for local Japan internet use and VPN US internet use (for use with Roku streaming device). I have installed the Merlin firmware and I am still lost. The end goal is to have a list of SSIDs as such:

MyNet_2.4_VPNUSA -- this would connect via NordVPN OpenVPN
MyNet_2.4_DNSUSA -- this is not required but would be nice - I would use this to ONLY change the DNS settings - no VPN
MyNet_2.4_Japan -- this is straight to the internet - no VPN and no DNS settings

Is this possible? If so - could someone please be kind enough to point me in the right direction?

Thanks!

 

[st3v3n]

Michael, welcome. This may be the exact answer for your post, but anything is possible. Had a bit of extra time today, so hope this points you where you want/need to be.

If your Roku is close enough to your router for Ethernet, you'd have greater speed/bandwidth with less buffering of HD and/or 4K, especially if the Roku device is set to use 2.4 wireless. Video streaming often severely impacts not only your viewing pleasure but slows performance of your other 2.4 devices to a crawl, depending on amount of bandwidth you have. You're correct in assuming almost any problem posed has been answered many times, many ways so if you use the search function you can usually find what you need. Sometimes it's difficult to find answers so here's a few pointers. First, take snapshots so you can refer back if you become unsure what changes you made and/or saved.

Go to the WAN tab/section in the router GUI, and choose if you wish to allow the router to automatically go 'straight' to the internet (WAN/ISP), which is your ISP. You can use the ISP's choice of DNS, or set the 'automatically choose' button to 'no' so you can choose any other DNS solution you like. These days, the ISP's DNS may not be as private or as fast as you like, and they can now sell your information as they see fit, so do your research. DO use a primary and secondary DNS, either here or on your LAN DHCP Server page, preferably from different servers in case the primary ever goes down. Example; #1 DNS could be google, 8.8.8.8, then QuadNine, 9.9.9.9 or even 1.1.1.1. These are good, fast public DNS servers; some say they don't log your searches and don't keep records very long; it's up to you to check privacy policies, and to be able to see and go where you choose.

This reply assumes you've set the device names/SSID scheme as you wrote for your 2.4 band, but remember, there's only one 2.4 band (not going into or counting 'guest' bands). We use a single SSID for all of the bands, even though we don't have much use for 2.4 these days. If you haven't read the posts, an unknown bug causes problems with the 2.4 band on some RT-AC3200s, with no fix on the horizon. The bug affects some more than others but we haven't had any problems. Try to keep your SSIDs as simple as possible and change your passwords at least once a month; don't use short easy (dumb) passwords, but for now, stay away from exotic characters.

Proceed to the LAN DCHP Server section. Since the router sees the MAC address of every device, regardless whether it's connected by wire or wireless, instead of using different SSIDs to route your devices to OpenVPN clients or WAN/ISP, (if that is the idea), the LAN DHCP section can assist you in sending/routing your devices to WAN/ISP (DNS) or to your OpenVPN client; the OpenVPN client will use whatever the VPN provider has coded into their config.

IF you hover over and/or click on BOLD items or sections, information or a link to a page may appear to help you. Here's a link to get you started: https://www.asus.com/support/FAQ/1000906
When the top portion of the LAN DHCP page is set up, save the page and move down to 'Manual Assignment; on this you can choose YES but if you choose 'no' the rest of this may not help you very much. You'll be down to the 'Manually Assigned IP around the DHCP list (Max Limit : 128) section, which will list all devices by their MAC address. Use the MAC address pull-down menu to choose each device; give each device a 'friendly' hostname, such as MikeiPad, AlicePC, instead of trying to remember every MAC addresses. After doing so, the router makes it easy for you to see and select your devices. Add each device in this section to the setup using the plus ( + ) symbol on the right of the page, you can remove them using the minus ( - ) symbol. Save the page.

Now go to the VPN Client tab/section, to set up and load your Nord OpenVPN client. Choose whether you want to turn the VPN client on manually or have it start with the router. You can name each client as you please, i.e., Nord1, etc. Check all settings then save the page. At this point, make sure you've taken a screen shot of each page you configured, then save the entire router setup before you reboot the router. You don't have to reboot, but over the years, we've found that starting everything fresh by rebooting works well. It can take several minutes to load so grab a beverage, etc. If for some reason the bands/SSIDs or devices don't work as expected, have your screen grabs ready to refer to for troubleshooting.

Nord used to provide a tutorial for setting up Asus/Merlin, but it may not be up to date for the latest version. Remember, the search function in the forums and the wiki are your best friend. Keep your search terms basic/simple and you'll eventually find what you need, and be patient. This is a basic way to set up your SSIDs, devices, alternate DNS and OpenVPN config from scratch, it can be as simple, yet as complicated you want. Good luck.

 

[Zirescu]

https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN.

 

[bilboSNB]

https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-networks.45924/

 

[agilani]

You should be able to just setup a guest ssid for it and assign a static ip address to the device and then configure openvpn to route that ip address to the internet over the vpn.

I'm not sure you can select the ssid to route over the vpn.

 

[Zirescu]

That'll only get you so far though. Say you have one device you want to be able to sometimes connect to the VPN and other times you want it to connect as through your ISP. Setting up the rules based on the static IP address forces it to always report through that one interface. Switching between the SSID give you the flexibility of having the device connect out based on how it's connected to the router.

 

[st3v3n]

Thanks guys, knew others would quickly be posting URLs to posts and wikis rather than attempting to dictate the ideas. Guest SSIDs are tricky beasts on the new FW, if you don't want to assign a static IP address for a guest IP. The post was puzzling as Agliani mentions in his last sentence. We've never selected an SSID to 'route' over a VPN; just devices. Long week, perhaps it's a matter of perception. (Been away awhile, Good job Jack, love 'YazFI') G'day and good luck gents.

 

[st3v3n]

That'll only get you so far though. Say you have one device you want to be able to sometimes connect to the VPN and other times you want it to connect as through your ISP. Setting up the rules based on the static IP address forces it to always report through that one interface. Switching between the SSID give you the flexibility of having the device connect out based on how it's connected to the router.

Any aspect of this will only get you so far, and there'a always a way to skin a cat, er network. I tried to stick with what might help the OP instead of go too far astray; if that was the way it was taken, they my regrets. Clarification of the variables would be helpful, but we do what we can to lend a hand from one day to the next. End of line.

 

[Michael R Stamper]

Thanks for the replies everyone. I will continue my research.

I am still struggling but I am searching.

(1) I really want my Roku to access an SSID that is routed through a specific DNS server - a SmartDNS service that I specify. Let:s call it MyNet-DNS.

(2) I want a MyNet-VPN SSID where I can connect, say, my laptop to from time to time when I want my traffic protected.

(3) I want a MyNet-Japan SSID where I just want to pass through to my local provider (I am in Japan).

So far this seems more challenging than it should be based on the responses so far. It seems the only way to accomplish (1) and (3) is to assign each devices to a static IP and either run it through the VPN, so NOT, using the same SSID.

For (2) it seems it is either ALL of my internet traffic or NONE of my internet traffic.

Am I missing something? Are (1), (2), and (3) possible?

UPDATE
For (2) I have setup the DNS Filter for each MAC Address that connects to my network. For the Roku I setup Custom 1 to point to my SmartDNS service I subscribe to. For each other device I have setup "No Filtering". Not sure it is working though - when I use the SmartDNS test URL to verify if I am using the service on one of the devices set to "no filtering" I am getting a positive result that "you are using the service". So I am not sure if this is the right path.

 

[Jack Yaz]

Thanks for the replies everyone. I will continue my research.

I am still struggling but I am searching.

(1) I really want my Roku to access an SSID that is routed through a specific DNS server - a SmartDNS service that I specify. Let:s call it MyNet-DNS.

(2) I want a MyNet-VPN SSID where I can connect, say, my laptop to from time to time when I want my traffic protected.

(3) I want a MyNet-Japan SSID where I just want to pass through to my local provider (I am in Japan).

So far this seems more challenging than it should be based on the responses so far. It seems the only way to accomplish (1) and (3) is to assign each devices to a static IP and either run it through the VPN, so NOT, using the same SSID.

For (2) it seems it is either ALL of my internet traffic or NONE of my internet traffic.

Am I missing something? Are (1), (2), and (3) possible?

UPDATE
For (2) I have setup the DNS Filter for each MAC Address that connects to my network. For the Roku I setup Custom 1 to point to my SmartDNS service I subscribe to. For each other device I have setup "No Filtering". Not sure it is working though - when I use the SmartDNS test URL to verify if I am using the service on one of the devices set to "no filtering" I am getting a positive result that "you are using the service". So I am not sure if this is the right path.

Give my script a go: https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-networks.45924/

EDIT: LAN access from guest SSIDs is a WIP, I've started the code this weekend

 

[Michael R Stamper]

Give my script a go: https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-networks.45924/

EDIT: LAN access from guest SSIDs is a WIP, I've started the code this weekend

Thanks for reply. Would this work with a SmartDNS service?

 

[Jack Yaz]

Thanks for reply. Would this work with a SmartDNS service?

You can specify a set of DNS serves per SSID, if that's what you mean?

 

[Michael R Stamper]

You can specify a set of DNS serves per SSID, if that's what you mean?

YES! I am struggling to get this to work per MAC address with the AiProtection settings. I enter a single DNS entry but the device still sees 8.8.8.8 and 8.8.8.4 which allows the device to geolocate to my actual location. My DNS subscription service points to the US.

I will definitely try out your script. I am on Windows - is there a specific SSH Shell I need to download? I notice in the intrusions there are references to “use your favorite shell client”. I assume PowerShell in Windows would suffice?

Thanks for your time!

 

[ColinTaylor]

YES! I am struggling to get this to work per MAC address with the AiProtection settings. I enter a single DNS entry but the device still sees 8.8.8.8 and 8.8.8.4 which allows the device to geolocate to my actual location. My DNS subscription service points to the US.

Some devices like Roku's use hard-coded DNS addresses, like 8.8.8.8 and 8.8.8.4 (to stop you doing what you're trying to do). So they will ignore any DNS addresses given out by the router via DHCP. This is where DNSFilter comes in. DNSFilter redirects a particular device, identified by its MAC address, to a specified DNS server. I don't think this works through a VPN, but I might be wrong. The SSID is irrelevant as the device is identified by its MAC address not by the wireless network it is connected to.

 

[Michael R Stamper]

Some devices like Roku's use hard-coded DNS addresses, like 8.8.8.8 and 8.8.8.4 (to stop you doing what you're trying to do). So they will ignore any DNS addresses given out by the router via DHCP. This is where DNSFilter comes in. DNSFilter redirects a particular device, identified by its MAC address, to a specified DNS server. I don't think this works through a VPN, but I might be wrong. The SSID is irrelevant as the device is identified by its MAC address not by the wireless network it is connected to.

Hi - I should back up.

I am trying to do 2 different things.

1. Dedicate my Roku device to use my SmartDNS service without forwarding ALL of my internet traffic through the DNS service. This would be a normal SSID where the MAC Address would be filtered to use the DNS service. Let’s call the SSID MyNet.

2. Setup a SSID that routes all traffic connected to this SSID (a different SSID than 1 above) through my VPN service. Let’s call the SSID MyNet_VPN.

I believe this would solve my problems. Unfortunately in 1 above when I use DNS Filtering it is not quite working. Netflix seems confused while YouTube TV seems fine. It is frustrating that I cannot put multiple DNS server entries in the DNS filtering dialog - I can only enter ONE IP address. This might be the problem.,

In the routers DHCP settings I can enter 2 IP address for my DNS service and although it routes ALL traffic through the DNS service Netflix behaves on the Roku. It just means ALL of my traffic for the entire router is routed through the SmartDNS service, which I do not want.

 

[ColinTaylor]

1. If this is simply a matter of getting the Roku to use a specific DNS server then you would just use DNSFilter. Set the Global Filter Mode to No Filtering and add your Roku as one of the listed clients that uses a custom DNS. It looks like you did this in post #9 but it didn't work? Make sure your WAN DNS setting is set to automatic and not your SmartDNS service.

2. For this you'll have to use yazfi to create a separate subnet for that SSID. If you were willing to accept routing individual clients through the VPN based on their IP address (rather than the SSID they are connected to) you can do this in the GUI using policy rules, then there would be no need to install yazfi. It would mean that you'd have to log into the router every time you wanted to enable or disable the rule though.

Unfortunately in 1 above when I use DNS Filtering it is not quite working. Netflix seems confused while YouTube TV seems fine. It is frustrating that I cannot put multiple DNS server entries in the DNS filtering dialog - I can only enter ONE IP address. This might be the problem.

Having multiple DNS servers is not normally relevant as the second server is typically only used if the first server is unresponsive (offline). Also, Netflix blacklists some IP addresses it knows are being used to get around region restrictions so it might be that.

 

[Michael R Stamper]

1. If this is simply a matter of getting the Roku to use a specific DNS server then you would just use DNSFilter. Set the Global Filter Mode to No Filtering and add your Roku as one of the listed clients that uses a custom DNS. It looks like you did this in post #9 but it didn't work? Make sure your WAN DNS setting is set to automatic and not your SmartDNS service.

2. For this you'll have to use yazfi to create a separate subnet for that SSID. If you were willing to accept routing individual clients through the VPN based on their IP address (rather than the SSID they are connected to) you can do this in the GUI using policy rules, then there would be no need to install yazfi. It would mean that you'd have to log into the router every time you wanted to enable or disable the rule though.

Having multiple DNS servers is not normally relevant as the second server is typically only used if the first server is unresponsive (offline). Also, Netflix blacklists some IP addresses it knows are being used to get around region restrictions so it might be that.

Thanks for taking the time to reply!

I indeed did as you suggest in #1. In the Custom DNS field is it possible to enter a string of IPs? I can only enter one value. Comma and Semicolon don’t seem to be allowed. In the DHCP settings I can enter a secondary DNS IP.

Netflix works if route all traffic through my DNS service on the DHCP settings but doesn’t work in the DNS filtering. It seems 8.8.8.8 and 8.8.8.4 are leaking through.

Sent from my iPhone using Tapatalk

 

[ColinTaylor]

In the Custom DNS field is it possible to enter a string of IPs? I can only enter one value. Comma and Semicolon don’t seem to be allowed. In the DHCP settings I can enter a secondary DNS IP.

No that's not how DNSFilter works, you can only redirect each client to one DNS server.

Netflix works if route all traffic through my DNS service on the DHCP settings but doesn’t work in the DNS filtering. It seems 8.8.8.8 and 8.8.8.4 are leaking through.

Strange. I've not heard of that behaviour before. You are talking about LAN > DHCP Server >DNS Server 1&2? Can you set the DNS servers manually on the Roku. Failing that you could create a custom config file on the router that gives out those DNS servers just to the Roku.

 

[Michael R Stamper]

No that's not how DNSFilter works, you can only redirect each client to one DNS server.

Strange. I've not heard of that behaviour before. You are talking about LAN > DHCP Server >DNS Server 1&2? Can you set the DNS servers manually on the Roku. Failing that you could create a custom config file on the router that gives out those DNS servers just to the Roku.

Hi - and thanks again for your time.

This works: LAN > DHCP Server >DNS Server 1&2 but that routes all traffic to the DNS service for everyone. I want my iPhone and iPad to see the normal internet my ISP provides. But - Netflix works when I use this method.

With DNS filtering I, as you confirm, can enter one of the IP addresses for my DNS service. This works for YouTube TV but Netflix is perhaps more aggressive and using this method it realizes there is something wrong and errors out.

A script sounds promising - where does one start? Something simple to route my Roku to my SmartDNS service. By MAC address I guess?

Thanks for your help!


Sent from my iPhone using Tapatalk

 

[ColinTaylor]

A script sounds promising - where does one start? Something simple to route my Roku to my SmartDNS service. By MAC address I guess?

Yes you would create a file in the router's /jffs/configs directory called dnsmasq.conf.add that contains these two lines:

dhcp-host=60:57:18:5b:58:d3,set:roku
dhcp-option=tag:roku,option:dns-server,8.8.8.8,8.8.4.4

You need to change the MAC address (60:57:18:5b:58:d3) to that of your Roku. And change the two DNS server addresses (8.8.8.8,8.8.4.4) to that of your SmartDNS.

How you create that file depends on your operating system, abilities, preferences, etc. If you are a Windows user probably the easiest option is to use WinSCP. When configuring WinSCP's connection to the router you must choose the SCP protocol, not SFTP.