Dedicated SSID to use VPN Client

Jack Yaz

Part of the Furniture
I have found this on the wiki: https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN.

but it says it's not complete, so I'm unsure if it will work?

Also, for the below snippet, would it be better to write this into dnsmasq.postconf, or dnsmasq.conf.add and then restart dnsmasq, rather than killing and sleeping?

Code:
if [ `cat /etc/dnsmasq.conf | grep -c $WRLSS_IF` == 0 ]; then
    killall dnsmasq
    sleep 2
    echo "interface=$WRLSS_IF" >> /etc/dnsmasq.conf
    echo "dhcp-range=$WRLSS_IF,$LS_START,$LS_END,$WRLSS_IF_NETMASK,$LS_TIME" >> /etc/dnsmasq.conf
    echo "dhcp-option=$WRLSS_IF,$DHCP_OPT1,$WRLSS_IF_INET_ADDR" >> /etc/dnsmasq.conf
    dnsmasq --log-async
fi
sleep 2
### Check to see if tun interface is available ###
while [ ! -n "`ifconfig | grep $TUN_IF`" ]; do
    sleep 1
done
#####
 
Here's my attempt at a rework. Do I need to activate guest network in the UI first, or will the script bring it online?

Can someone explain the routing bit, and whether I need to delete the 0.0.0.0/1 line? My output for ip route show table main included

Code:
admin@RT-AC87U:/jffs/configs# ip route show table main
104.238.169.101 via 80.195.49.1 dev eth0
80.195.49.1 dev eth0  proto kernel  scope link
10.21.10.5 dev tun11  proto kernel  scope link  src 10.21.10.6
169.254.39.0/24 dev br0  proto kernel  scope link  src 169.254.39.57
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
10.14.16.0/24 dev br0  proto kernel  scope link  src 10.14.16.1
80.195.49.0/24 dev eth0  proto kernel  scope link  src 80.195.49.163
127.0.0.0/8 dev lo  scope link
default via 80.195.49.1 dev eth0

Code:
#!/bin/sh
####### Interface Specific Settings #######
WRLSS_IF=wl0.2                   # Name of the wireless interface that will be used.
WRLSS_IF_NTWK_ADDR=10.16.15.0   # Network address that the wireless interface will be on.
WRLSS_IF_INET_ADDR=10.16.15.1   # IP address that will be assigned to the wireless interface.
WRLSS_IF_NETMASK=255.255.255.0   # Netmask of the wireless network to be added.
TUN_IF=tun11                     # Name of tunnel interface.
########## DHCP Specific Settings ###########
DHCP_OPT1=3                      # dnsmasq option to specify router.
LS_TIME=86400s                   # Duration of the dhcp leases.
LS_START=10.16.15.2           # Start address of leases. This needs to be within the same network as above.
LS_END=10.16.15.14             # End address of leases. This needs to be within the same network as above.
######## Hide SSID of Guest Network ########
HIDE_SSID=1                      # This option is to hide the SSID of a guest network if a guest network is used. Input 1 to hide and 0 to make it visible.

##########################################################################################################
##########################################################################################################              
########################################## DHCP Server ###################################################

if [ `cat /etc/dnsmasq.conf | grep -c $WRLSS_IF` == 0 ]; then
    #killall dnsmasq
    #sleep 2
    echo "interface=$WRLSS_IF" >> /jffs/configs/dnsmasq.conf.add
    echo "dhcp-range=$WRLSS_IF,$LS_START,$LS_END,$WRLSS_IF_NETMASK,$LS_TIME" >> /jffs/configs/dnsmasq.conf.add
    echo "dhcp-option=$WRLSS_IF,$DHCP_OPT1,$WRLSS_IF_INET_ADDR" >> /jffs/configs/dnsmasq.conf.add
    service restart_dnsmasq
fi

### Check to see if tun interface is available ###
while [ ! -n "`ifconfig | grep $TUN_IF`" ]; do
    sleep 1
done
############################################ IP ROUTING ##################################################

ifconfig $WRLSS_IF $WRLSS_IF_INET_ADDR netmask $WRLSS_IF_NETMASK
ip route show table main | grep -Ev ^default | while read ROUTE; do
ip route add table 10 $ROUTE;
done
#ip route del 0.0.0.0/1 table main          # Uncomment this line if you are not using the route-nopull option.
# Many VPN service providers push this route to redirect internet traffic over the tunnel.                                        
ip route add default dev $TUN_IF table 10  
ip rule add dev $WRLSS_IF table 10
ip route flush cache
####################################### ETHERNET BRIDGE TABLES RULES #####################################

EBT_BRULE1="-p ipv4 -i $WRLSS_IF -j DROP"
EBT_BRULE2="-p arp -i $WRLSS_IF -j DROP"
if [ -n "$EBT_BRULE1" ] && [ `ebtables -t broute -L | grep -ice "$EBT_BRULE1"` != 1 ]; then
    ebtables -t broute -I BROUTING $EBT_BRULE1
fi
if [ -n "$EBT_BRULE2" ] && [ `ebtables -t broute -L | grep -ice "$EBT_BRULE2"` != 1 ]; then
    ebtables -t broute -I BROUTING $EBT_BRULE2
fi
############################################ IP TABLES RULES #############################################

if [ `iptables -L -v | grep -c $WRLSS_IF` == 0 ]; then
    iptables -I INPUT -i $WRLSS_IF -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i $WRLSS_IF -o $TUN_IF -j ACCEPT
fi
if [ `iptables -t nat -L -v | grep -c $TUN_IF` == 0 ]; then
    iptables -t nat -I POSTROUTING -s $WRLSS_IF_NTWK_ADDR/28 -o $TUN_IF -j MASQUERADE  # /28 covers the lease range above (.2-.14); change it to match the subnet that you will be using.
fi
############################################### HIDE SSID ################################################

# Quote the nvram output: if the variable is unset, an empty result would otherwise break the test.
if [ "$(nvram get "${WRLSS_IF}_closed")" != 1 ] && [ "$HIDE_SSID" = 1 ]; then
    nvram set "${WRLSS_IF}_closed"=1
    nvram commit
fi
if [ "$(nvram get "${WRLSS_IF}_closed")" != 0 ] && [ "$HIDE_SSID" = 0 ]; then
    nvram set "${WRLSS_IF}_closed"=0
    nvram commit
fi
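
An added example, not part of the post or the wiki script: the rework above checks /etc/dnsmasq.conf but appends to /jffs/configs/dnsmasq.conf.add, so this sketch checks the same file it writes and reports whether dnsmasq needs a restart. The function names `ensure_line` and `add_guest_dhcp` and the `CONF` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent writer for the guest-interface DHCP lines.
# CONF defaults to the path used in the post; override it to test elsewhere.
CONF="${CONF:-/jffs/configs/dnsmasq.conf.add}"

# ensure_line LINE
# Append LINE to $CONF unless that exact line is already there.
# Returns 0 if the file was changed, 1 if the line was already present.
ensure_line() {
    # -F: fixed string, so the "." in wl0.2 is not a regex wildcard
    # -x: match the whole line, so wl0.2 does not match a wl0.21 entry
    if [ -f "$CONF" ] && grep -Fxq -- "$1" "$CONF"; then
        return 1
    fi
    printf '%s\n' "$1" >> "$CONF"
    return 0
}

# add_guest_dhcp IF START END NETMASK LEASE ROUTER_IP
# Writes the same three dnsmasq lines as the script in the post
# (dhcp-option 3 is the router option, DHCP_OPT1 in the post).
# Returns 0 when at least one line was added (restart needed), else 1.
add_guest_dhcp() {
    changed=1
    ensure_line "interface=$1" && changed=0
    ensure_line "dhcp-range=$1,$2,$3,$4,$5" && changed=0
    ensure_line "dhcp-option=$1,3,$6" && changed=0
    return "$changed"
}

# Usage on the router, restarting dnsmasq only when something changed:
# add_guest_dhcp wl0.2 10.16.15.2 10.16.15.14 255.255.255.0 86400s 10.16.15.1 \
#     && service restart_dnsmasq
```

Running it a second time leaves the file untouched and skips the restart, so it is safe to call from a script that fires on every VPN reconnect.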
 
