Dedicated SSID for VPN

The easiest way to do what you asked for would be to put SabaiOS on your Asus 3200 and add their VPNA box.

Just google Sabaitechnology

They even have a support service who will setup everything remotely for you.

I’m a huge fan of RMerlin’s work and very grateful - but I think the Sabai solution might be a better fit for you.
 
Yes you would create a file in the router's /jffs/configs directory called dnsmasq.conf.add that contains these two lines:
Code:
dhcp-host=60:57:18:5b:58:d3,set:roku
dhcp-option=tag:roku,option:dns-server,8.8.8.8,8.8.4.4

You need to change the MAC address (60:57:18:5b:58:d3) to that of your Roku. And change the two DNS server addresses (8.8.8.8,8.8.4.4) to that of your SmartDNS.

How you create that file depends on your operating system, abilities, preferences, etc. If you are a Windows user probably the easiest option is to use WinSCP. When configuring WinSCP's connection to the router you must choose the SCP protocol, not SFTP.
Hello - thanks again for your attempts to help.

I purchased (yes, purchased) the WinSCP app for Windows. Attempts to connect to my router have failed though.

I have attempted to log in the same way I log in to the setup using the web browser - but I keep getting a "connection refused" error.

I am afraid I still need your help! What are the pre-reqs to connecting to the router with WinSCP?
 
You first need to log into the router's GUI and enable SSH access. Then setup your connection in WinSCP using the SCP protocol.

 
Thanks! Anything special about the script? After I put the correct MAC address and DNS addresses is there anything special with line endings or adding any text at the beginning of the script to make sure it is recognized?

Can’t thank you enough - thank you!
 
Because this is not actually a script, it's just a text file that gets appended to an existing config file, you don't need to worry about making it executable or starting it with a shebang.

The file needs to be in standard unix format, so that means unix-type line endings. I think that if you're using WinSCP's built-in editor* the line endings should be correct.

So after creating the file you can reboot the router. If you then use WinSCP to log back into the router you can look at dnsmasq.conf in the /etc directory. You should see that your lines have been appended to the end of this file.

* EDIT: Strangely the documentation for WinSCP explicitly says the internal editor doesn't support Unix-type line endings. I have tested this over and over again and found the opposite to be true. :confused: (This is creating the file directly on the Unix host, not creating on Windows and then copying it to Unix).
 
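As an added example (not code from the thread, and not part of asuswrt-merlin or WinSCP), the following POSIX shell script does what the two posts above describe: it builds the two-line dnsmasq.conf.add fragment for one device, validates the MAC address and DNS servers first (a malformed entry stops dnsmasq from starting, which is one way to lose the router connection), writes the file with LF line endings, and after the reboot checks that each line was merged into /etc/dnsmasq.conf. The paths /jffs/configs/dnsmasq.conf.add and /etc/dnsmasq.conf and the sample MAC and DNS values come from the thread; the script name mkroku.sh, the tag name roku and the helper functions are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the dnsmasq.conf.add
# fragment described above (a dhcp-host tag keyed on the Roku's MAC plus a
# per-tag dns-server option), writes it with LF line endings, and checks
# after the reboot that the lines were merged into /etc/dnsmasq.conf.
# Assumes asuswrt-merlin's /jffs/configs/dnsmasq.conf.add hook and a
# busybox-style POSIX sh; the MAC and DNS values are the thread's sample
# values, not real devices.

# Validate a MAC in the colon-separated form dnsmasq expects.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Print the two-line fragment for one device. A bad MAC or DNS address makes
# dnsmasq refuse to start, so reject those before writing anything.
build_fragment() {
    mac=$1; tag=$2; dns1=$3; dns2=$4
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    valid_ipv4 "$dns1" && valid_ipv4 "$dns2" || { echo "invalid DNS server" >&2; return 1; }
    printf 'dhcp-host=%s,set:%s\n' "$mac" "$tag"
    printf 'dhcp-option=tag:%s,option:dns-server,%s,%s\n' "$tag" "$dns1" "$dns2"
}

# Rewrite a file in place with CRLF converted to LF, which is what dnsmasq
# needs if the file was edited on Windows and then copied to the router.
strip_cr() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Write the fragment to the hook file (path overridable for testing).
write_fragment() {
    dest=${5:-/jffs/configs/dnsmasq.conf.add}
    out=$(build_fragment "$1" "$2" "$3" "$4") || return 1
    printf '%s\n' "$out" > "$dest" && strip_cr "$dest"
}

# After the reboot, confirm each fragment line appears verbatim in the
# merged config (path overridable). Returns 1 at the first missing line.
verify_merged() {
    frag=$1; conf=${2:-/etc/dnsmasq.conf}
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        grep -Fxq -- "$line" "$conf" || { echo "missing in $conf: $line" >&2; return 1; }
    done < "$frag"
}

# Usage on the router:  sh mkroku.sh 60:57:18:5b:58:d3 8.8.8.8 8.8.4.4
# then reboot and run:  sh mkroku.sh --verify
case ${1:-} in
    --verify) verify_merged /jffs/configs/dnsmasq.conf.add && echo "fragment merged OK" ;;
    "") ;;   # no arguments: only define the functions
    *)  write_fragment "$1" roku "$2" "$3" && echo "wrote /jffs/configs/dnsmasq.conf.add" ;;
esac
```

The verify step is the one worth keeping: the /jffs hook is silently ignored if the filename or line endings are wrong, and the only evidence is the absence of your lines at the end of /etc/dnsmasq.conf.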

Hello - thanks - this has worked. I screwed something up and lost all connection to the router for some reason. I did a "factory defaults" reset and all seems well.

Should I delete the dnsmasq.conf.add from the jffs/configs directory?


Sent from my iPhone using Tapatalk
 
OK. So where are you now?

Are the contents of /jffs/configs/dnsmasq.conf.add being added to the end of dnsmasq.conf in the /etc directory?

Is your Roku device picking up 8.8.8.8 and 8.8.4.4 as its DNS servers? Are all the other devices picking up the "normal" DNS server?

If all the above is working then you need to leave the dnsmasq.conf.add where it is because it needs to be applied every time the router boots up.
 


It’s working now but I deleted the file. I will put the file back as you advise for the next reboot of the router.

Thanks again - you were so helpful.

 
Hi - sorry to resurrect an old thread. I now have the need to route my Roku through a VPN connection. I do not want ALL my traffic to be routed through the VPN. I have successfully set up the VPN on my router and it is working - but ALL traffic is being routed through it. I only want either a single device, the Roku, to route through it, or - even better - could I route all traffic from one SSID through the router?
 
Michael, resurrection was an old Cylon trick (or that's what they say). No worries, this is covered on the forum, just put your search-fu to work and all will be revealed. If you assigned your devices in LAN>DHCP>SERVER, you only need to input which device/IP goes through the VPN client, provided you purchased the appropriate streaming config/IP from your VPN provider. In the VPN client is where you route the devices/computers either through your VPN config, or drop them to WAN. Cheers
 
@Michael R Stamper

You may also give YazFi a look it may also be of interest to you. Especially if you are interested in the SSID approach.
https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-networks.45924/

Edit: I see @Jack Yaz has already replied earlier in the topic. Sorry about the double mention.

Carry On!

No problem, thank you. I have installed the script but you really need to know what you are doing (I do not) to configure it. From what I can gather I need to create a script file to point a particular guest SSID to a VPN connection. It is not clear to me what I should be entering into the script. Second - how does this script then PREVENT all of the other traffic from going through the VPN? Is it as simple as setting the Redirect Internet traffic in the VPN settings to "no"? Correction - I have tried "no" and all of my traffic is still routed through the VPN.

Here is the SSID I would like to setup as a VPN SSID. I am not sure what values I should be setting for entries 2-6. NordVPN doesn't require DNS entries.

####################################################################
###### 5 GHz - 2 Networks ######
###### (for those with 2 5GHz radios, e.g. RT-AC5300) ######
####################################################################
###### Guest Network 1 (wl2.1) #####
####################################################################
wl21_ENABLED=true
wl21_IPADDR=
wl21_DHCPSTART=
wl21_DHCPEND=
wl21_DNS1=
wl21_DNS2=
wl21_REDIRECTALLTOVPN=true
wl21_VPNCLIENTNUMBER=1

Thanks for the help. I think I am close.
 
The DNS entries are not part of what the VPN uses. They are how the script knows where to go on the internet; they are basically the same as your router DNS, but you need to input them here.

The "IPADDR" field is the IP address range you wish the script to assign to the new SSID. If your router uses 192.168.1.x for the IP address range it normally assigns, in this field you would put something like 192.168.2.0.

In "IPADDR" 192.168.2.0 * or whatever range you choose to use.
In "DHCPSTART" "2"
In "DHCPEND" "254"
In DNS1 "* see note"
In DNS2 "* see note"

According to @Jack Yaz You can leave the DNS field blank now. https://www.snbforums.com/threads/y...-guest-wifi-networks.45924/page-6#post-407253
By leaving blank YazFi will use the same DNS servers as the router.


By using a separate IP setup, all your devices are on a separate range and much easier to designate that a range goes to a VPN vs each IP. This allows you to add devices at will to the VPN SSID and they will always go to the VPN as needed.

You'll need to configure the VPN client #1 in the VPN section. You seem to have this working as per your statement.

Next you will need to tell the router to only send some info over the VPN; this is done via the Policy routing section. Here is a screen grab from @Brenneke I shamelessly grabbed from the YazFi thread.

Since you are the OP, I can't say I am getting your topic off topic. But I would urge you to maybe move the conversation over to the YazFi topic where @Jack Yaz can assist you more directly, since it's his topic and his script.

Additionally I helped as much as I could remember, off the back of my head. I moved to stock a few months back and some of the GUI is different vs Merlin, or it could be I simply have not used it in a bit and, as they say, if you don't use it you lose it.

Hopefully I have gotten you a little closer to your goal. I know how great it felt when I got it running for the first time. A million bucks worth.
 
Thanks - quick question before I move over to the YazFi area. When I attempt to assign a MAC address to my device that I want to use the VPN service I am told that "192.168.2.0" is not a valid IP address. How do I tell my router that this is a valid part of the range?
 
Scratches head.... Thinks for a min.... you don't need to assign the IP address to anything. Other than setting the variables in the script.

If you are talking DHCP reservation, I think you are. I don't think there is anything you can do in that regard. IPs are assigned first come, first served by the script when the device connects to the specified SSID. So if your phone connects to "VPNSSID" it would get 192.168.2.2, which would be handled by the script. Then a streaming stick would get 192.168.2.3 if it connected second.

If you switch back to your primary SSID from the VPN SSID, then the router would indeed be able to assign a reserved IP for that device.

Jack may be able to work some magic to allow you to set a specified IP personally I would focus on getting it up and going and then come back and do that later on.

AFAIK the router will not reserve IPs outside its normal specified range. This is where the beauty of the script comes in.
 
I do need to make installing/configuration easier, I'd love a menu driven script I just lack the scripting knowledge / time to do so. :(

I'm travelling most of today but if you ping me a PM or post in YazFi I'll pick it up later.

What @HuskyHerder has provided so far is correct. In theory, you should only need to set yes against enabled and redirect, and enter a client number, and the script can populate the rest. I need to check the script but your VPN client config needs to be set to either Policy Rules or Policy Rules (strict) - I'm not sure if I implemented a check for that or not.
 
MAC assignment is not necessary as YazFi tells dnsmasq to use a different DHCP pool for the guest Wi-Fi interface.

.0 is used in the script to signify the IP address range to use, but manual assignment requires a valid IP such as .2
 
If you're posting code outputs it may be that, you can use [ CODE ] tags to wrap the output

Additional spaces in square brackets intentional remove them to actually mark as code
 
@Michael R Stamper At the risk of stating the obvious, if you're willing to accept routing individual devices (i.e. Roku) through the VPN rather than the entire SSID you can do that in the WebUI using policy based routing. No need for additional scripts.
 