How to setup SSID for VPN and SSID for Regular ISP using MerlinWRT

[saffron]

Interesting... looking forward to hearing your findings. Would love to get this working.

Basic steps here for RT-AC68U
http://www.smallnetbuilder.com/forums/showthread.php?p=148510#post148510

There is some scripting involved but SSH/telnet and jffs is optional.

 

[saffron]

Openvpn Client 1 on primary wireless and Client 2 on guest wireless 1

Tested on RT-AC68U and Merlin 376.47

I've had this connection up for over 24 hours. A third SSID for ISP was really unstable and not recommended - vlans and Asus don't really mix.

1. Setup the guest wireless
2. Setup the 2 openvpn clients and have them start with wan
3. Add to wan-start

#!/bin/sh

# guest wireless wl0.1 DHCP
killall dnsmasq
sleep 2

echo "interface=wl0.1" >> /etc/dnsmasq.conf
echo "dhcp-range=wl0.1,192.168.2.2,192.168.2.254,255.255.255.0,86400s" >> /etc/dnsmasq.conf
echo "dhcp-option=wl0.1,3,192.168.2.1" >> /etc/dnsmasq.conf
dnsmasq --log-async
sleep 2

# guest wireless assignment
ifconfig wl0.1 192.168.2.1 netmask 255.255.255.0

# guest wireless bridge
# gets around asus vlan shortcomings
ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

# guest wireless firewall
iptables -I INPUT -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o tun12 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun12 -j MASQUERADE

# primary wireless firewall
iptables -I INPUT -i wl0.0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.0 -o tun11 -j ACCEPT

4. Add to /jffs/scripts/vpn-route-up.sh

#!/bin/sh

# This script goes in /jffs/scripts/vpn-route-up.sh

# Add the following to the OpenVPN configs
# route-nopull (Don't accept routes from server)
# route-up /jffs/scripts/vpn-route-up.sh


# clear tun11 (client 1) table, if exists
ip route flush table 11
ip route del default table 11

# clear tun12 (client 2) table, if exists
ip route flush table 12
ip route del default table 12

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ips
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
tun12_ip=$(ifconfig tun12 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing table for tun11 with divert rule
ip route add default via $tun11_ip dev tun11 table 11
ip rule add dev br0 table 11

# routing table for tun12 with divert rule
ip route add default via $tun12_ip dev tun12 table 12
ip rule add dev wl0.1 table 12

# not strictly necessary but speeds up routing changes
ip route flush cache

exit 0

5. Reboot

Scripts based on previous by Jobongo and Martineau

 

[saffron]

ISP on primary wireless and Vpn Client 1 on guest wireless 1

Tested with RT-AC68U and Merlin 376.47

Scripts put regular ISP on regular SSID (2.4ghz) and vpn client 1 on guest wireless 1 (2.4ghz)

My WAN connection type is IP. I'm not sure if this would work with PPPoE.

wan-start (make sure it's executable- chmod 755 wan-start)

#!/bin/sh

# guest wireless wl0.1 DHCP
killall dnsmasq
sleep 2

echo "interface=wl0.1" >> /etc/dnsmasq.conf
echo "dhcp-range=wl0.1,192.168.2.2,192.168.2.254,255.255.255.0,21600s" >> /etc/dnsmasq.conf
echo "dhcp-option=wl0.1,3,192.168.2.1" >> /etc/dnsmasq.conf
dnsmasq --log-async
sleep 2

# guest wireless assignment
ifconfig wl0.1 192.168.2.1 netmask 255.255.255.0

# guest wireless bridge
ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

# guest wireless firewall. vpn kill switch is in built.
iptables -I INPUT -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE


#optional. block all ports on vpn except: dns(53),http(80),https(443)
iptables -I FORWARD -i wl0.1 -s 192.168.2.0/24 -o tun11 -p tcp -m multiport ! --port 53,80,443 -j DROP
iptables -I FORWARD -i wl0.1 -s 192.168.2.0/24 -o tun11 -p udp -m multiport ! --port 53,443 -j DROP

vpn-route-up.sh (make sure it's executable- chmod 755 vpn-route-up.sh)

#!/bin/sh

# This script goes in /jffs/scripts/vpn-route-up.sh

# Add the following to the OpenVPN configs
# route-nopull
# route-up /jffs/scripts/vpn-route-up.sh


# clear tun11 (client 1) table, if exists
ip route flush table 11
ip route del default table 11

# not strictly necessary but speeds up routing changes
ip route flush cache


# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing table for tun11 with divert rule
ip route add default via $tun11_ip dev tun11 table 11
ip rule add dev wl0.1 table 11


# not strictly necessary
ip route flush cache

#optional. force vpn to default to google dns
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -i wl0.1 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -i wl0.1 -p tcp --dport 53 -j DNAT --to $ip
done


exit 0

 

[phaelium]

Hey Saffron

Thanks for all your hard work, this looks really close to what I need.

Would you mind helping me with this?


How would I modify your asuswrt script above to do this:

Primary/Default SSID/LAN (physically cabled, 2.4 and 5Ghz Wifi) all go out OpenVPN client connection to PIA.

Guest SSID (2.4 and 5 Ghz, wl0.1 and wl1.1) go out regular WAN (non VPN) and cannot access primary SSID or LAN.


Thank you!

 

[brownstein]

Can someone post a script example using L2TP vice openvpn? my speeds are too slow using openvpn and I cannot seem to get PPTP to work with privateinternetaccess configs.

 

[brtravel]

Basic steps here for RT-AC68U
http://www.smallnetbuilder.com/forums/showthread.php?p=148510#post148510

There is some scripting involved but SSH/telnet and jffs is optional.

Any idea why this thread seems to be gone?

-------------------------------

I'm going to be traveling for a while and want to get a router setup with two VPN locations over two SSIDs so I can quickly geolocate any of my devices to two different places by changing networks. I've played with Tomato a bit, and got a single instance of OpenVPN working on it, but I don't have a Merlin compatible router. From what I'm reading here, this sounds very doable with Merlin, correct?

 

[jammin]

Any idea why this thread seems to be gone?

Try this:
http://forums.smallnetbuilder.com/showthread.php?p=148510#post148510

 

[bilboSNB]

Should this script (per the wiki) work with the gui openvpn client?

I have had a go but at present its not quite working.

 

[Phycopat]

Dosent work..

Hello all..
Have tryed to make this working all night. No luck

I'm on 376.49_5..

OpenVPN is working just fine in all, then i start to put in scripts errors come

All i would like is to have a SSID for VPN and rest of LAN(1-4) and other SSID for WAN..

Does 1 of you gurus have a guide ? Also did try that from wiki, no luck.,.

Config:

"wan-start & vpn-route-up.sh"


Right now i have WAN IP on local LAN
But no connection on wl0.1

 

[mfncl]

ISP on primary wireless and Vpn Client 1 on guest wireless 1

Tested with RT-AC68U and Merlin 376.47

Scripts put regular ISP on regular SSID (2.4ghz) and vpn client 1 on guest wireless 1 (2.4ghz)

My WAN connection type is IP. I'm not sure if this would work with PPPoE.

wan-start (make sure it's executable- chmod 755 wan-start)

#!/bin/sh

# guest wireless wl0.1 DHCP
killall dnsmasq
sleep 2

echo "interface=wl0.1" >> /etc/dnsmasq.conf
echo "dhcp-range=wl0.1,192.168.2.2,192.168.2.254,255.255.255.0,21600s" >> /etc/dnsmasq.conf
echo "dhcp-option=wl0.1,3,192.168.2.1" >> /etc/dnsmasq.conf
dnsmasq --log-async
sleep 2

# guest wireless assignment
ifconfig wl0.1 192.168.2.1 netmask 255.255.255.0

# guest wireless bridge
ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

# guest wireless firewall. vpn kill switch is in built.
iptables -I INPUT -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE


#optional. block all ports on vpn except: dns(53),http(80),https(443)
iptables -I FORWARD -i wl0.1 -s 192.168.2.0/24 -o tun11 -p tcp -m multiport ! --port 53,80,443 -j DROP
iptables -I FORWARD -i wl0.1 -s 192.168.2.0/24 -o tun11 -p udp -m multiport ! --port 53,443 -j DROP

vpn-route-up.sh (make sure it's executable- chmod 755 vpn-route-up.sh)

Thanks Saffron!

Have this working on my AC-RT66U w/Merlin 378.51.
Just one change was needed - the vpn-route script was not being executed by openvpn on connection initialization, here the error:

Mar 30 19:13:34 openvpn[512]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Mar 30 19:13:34 openvpn[512]: WARNING: Failed running command (--route-up): external program fork failed
Mar 30 19:13:34 openvpn[512]: Initialization Sequence Completed

Adding "script-security 2" to the openvpn advanced parameters in the GUI resolved the issue.

Seems the firmware dev updated the openvpn version recently that has stronger default security.

 

[princi]

This is working with some minor changes on a AC68U with latest firmware.

In theory opening multiple tunnels is possible by using all the guests.

I want to check a few things first like VPN leaks and disconnects then I'll write a step by step post from the very start. Check back next week.

Saffron

Hi Saffron,

Any update on how you would setup multiple tunnels using Merlin - given that newer firmware is now available on better hardware.

Eg: RT-AC3200 has three seperate radios, so you could assign local traffic to one radio and two VPN tunnels to the other two.

Thanks...

 

[peraburek]

Thanks Saffron!

Have this working on my AC-RT66U w/Merlin 378.51.
Just one change was needed - the vpn-route script was not being executed by openvpn on connection initialization, here the error:

Mar 30 19:13:34 openvpn[512]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Mar 30 19:13:34 openvpn[512]: WARNING: Failed running command (--route-up): external program fork failed
Mar 30 19:13:34 openvpn[512]: Initialization Sequence Completed

Adding "script-security 2" to the openvpn advanced parameters in the GUI resolved the issue.

Seems the firmware dev updated the openvpn version recently that has stronger default security.

Thank you very much @mfncl for your tip! Thank you @saffron for the script!

I have followed saffron script, I got VPN SSID to work, but I am missing policy routing (I have 2 computers in LAN 1-4) that I would like to go through VPN tunnel.

If I run vpn-route-up.sh script, policy routing doesn't work anymore.
I have tried to add VPN SSID DHCP range to OpenVPN policy routing (to route 192.168.0.2/24) but it doesn't work

do you have idea, how to enable policy routing for VPN SSID, or how to add two additional computer IPs from LAN to VPN tunnel?