RT-AC68U: How to setup SSID for VPN and SSID for Regular ISP


saffron

Occasional Visitor
RT-AC68U: How to setup SSID for VPN (paid VPN like PIA) and SSID for Regular ISP

Flash Tomato on to the router (FLASHING FIRMWARE IS AT YOUR OWN RISK)
http://tomato.groov.pl/download/K26ARM/
I used tomato-RT-AC68U-ARM--123-AIO-64K.trx

Upload and flash just using ASUSwrt GUI

You may have to reboot several times. If it still doesn't fire, hold down the WPS button and then power on. Keep holding the WPS button for 30 seconds until the power button rapidly blinks. Reboot.

In the tomato GUI:

Basic >Network
Create a second bridge br1. IP 192.168.2.1/24. Enable DHCP. Save.

Advanced >VLAN
VLAN #3 bridge to LAN1 (br1). Put at least one port (Port 4) on VLAN #3. Save.

Advanced >Virtual Wireless
Set guest wl0.1 (and wl1.1 for 5GHz) to LAN1(br1). Set security WPA2 and password. Save.

VPN Tunneling > OpenVPN Client >Client 1 >Basic
Enable Start with WAN. Enter your VPN details. Enable Create NAT on tunnel. Save.

VPN Tunneling > OpenVPN Client >Client 1 >Advanced
(EDIT) Accept DNS configuration: Strict. Save.

Admin >Scripts> WAN Up
Copy in the following script minus Spotify rules at bottom. Add* Save.
http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-205781
*iptables -t nat -I POSTROUTING -o tun11 --src 192.168.2.0/24 -j MASQUERADE

(EDIT) See post #3 for example.


Reboot & Done. The script simply creates a second table for non-VPN and directs there with a firewall mark.

Optional. You can add custom bash scripts in VPN> Custom Configuration box:
route-up /jffs/whatever.sh (don't forget chmod a+rx)
route-down /jffs/whatever.sh

Pretty easy to customise things like stopping DNS leaks on VPN (VPN DNS leaks to ISP but not really a big deal**) or killing the interface when the VPN fails.

**iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
======================

RT-AC68U: How to setup SSID for VPN1, SSID for VPN2 (paid VPNs like PIA with different exit locations) and SSID for Regular ISP

Basically the same as above except you must create 3 new routing tables (1 for each bridge/ssid) instead of just 1 new routing table.

Steps
Add another bridge interface, br2
Add another virtual wireless to br2
Add VPN Client 2 and enable start with WAN. The second tunnel is called tun12.
Modify the above script for 3 tables. Call them whatever and give them 3 different fwmarks.
Reboot.

Running 3 separate SSIDs on 3 bridges works but is not very stable (for now..). I think the stability problem is with my up/down scripts and recreating routing tables when one of the VPNs fails. The VPNs mix up each other's DNS, which I can't seem to control. Let me know if you have a better idea to stabilise 3 SSIDs.

Saffron
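The post mentions using route-up/route-down scripts to stop DNS leaks and to kill the interface when the VPN fails. The script below is an added example of both (it is not saffron's code and not part of the thread). It assumes the guide's names, br1 as the VPN bridge, tun11 as the tunnel and 192.168.2.0/24 as the bridge subnet, plus a hypothetical file name /jffs/vpnguard.sh; the `script_type` and `foreign_option_N` environment variables it reads are set by OpenVPN itself when it runs route-up/route-down scripts.

```shell
#!/bin/sh
# Added example, not from the thread: VPN kill switch + DNS pinning for the VPN bridge.
# Install as /jffs/vpnguard.sh (hypothetical name), chmod a+rx, then put in the
# OpenVPN client's Custom Configuration box:
#     route-up /jffs/vpnguard.sh
#     route-down /jffs/vpnguard.sh
# OpenVPN runs the script with script_type=route-up|route-down and exposes pushed
# options as foreign_option_1, foreign_option_2, ... in the environment.
# Names assumed from the guide; override them in the environment if yours differ.
VPN_BR=${VPN_BR:-br1}                  # bridge carrying the VPN SSID
VPN_IF=${VPN_IF:-tun11}                # OpenVPN tunnel device
VPN_NET=${VPN_NET:-192.168.2.0/24}     # subnet of that bridge
RUN=${RUN:-}                           # RUN=echo gives a dry run that only prints the commands

# Insert a rule idempotently: delete any existing copy first so re-runs do not stack duplicates.
# $1 = table, remaining arguments = chain followed by the rule spec.
ins() {
    t=$1; shift
    $RUN iptables -t "$t" -D "$@" 2>/dev/null
    $RUN iptables -t "$t" -I "$@"
}

# Pick the first "dhcp-option DNS a.b.c.d" the VPN server pushed; prints the address, fails if none.
vpn_dns() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case $opt in
            "dhcp-option DNS "*) echo "${opt##* }"; return 0 ;;
        esac
        i=$((i + 1))
    done
    return 1
}

install_guard() {
    # Kill switch: packets from the VPN bridge may only be forwarded into the tunnel.
    # If the tunnel drops, the main table would route them out the WAN; this rule drops them instead.
    # It also isolates the VPN bridge from the other bridges, which are not $VPN_IF either.
    ins filter FORWARD -i "$VPN_BR" ! -o "$VPN_IF" -j DROP
    # Same MASQUERADE the guide adds in WAN Up, re-applied here so it survives a tunnel restart.
    ins nat POSTROUTING -s "$VPN_NET" -o "$VPN_IF" -j MASQUERADE
    # DNS pinning: send every DNS query from the VPN bridge to the resolver the VPN pushed,
    # so a client configured with the ISP's resolver cannot send queries outside the tunnel.
    dns=$(vpn_dns) || { echo "vpnguard: $VPN_IF pushed no DNS server, DNS left unchanged" >&2; return 0; }
    ins nat PREROUTING -i "$VPN_BR" -p udp --dport 53 -j DNAT --to-destination "$dns"
    ins nat PREROUTING -i "$VPN_BR" -p tcp --dport 53 -j DNAT --to-destination "$dns"
}

# Dispatch on what OpenVPN is telling us; nothing runs when the file is merely sourced.
case ${script_type:-} in
    route-up)   install_guard ;;
    route-down) echo "vpnguard: $VPN_IF down, kill switch on $VPN_BR stays in force" >&2 ;;
esac
```

The kill switch is deliberately left in place on route-down: while tun11 is absent the kernel would otherwise route br1 traffic through the main table and out the WAN, which is the leak the post describes. Run it once with `RUN=echo script_type=route-up sh /jffs/vpnguard.sh` to see the exact iptables commands before letting OpenVPN call it.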
 
RT-AC68U: How to setup SSID for VPN (paid VPN like PIA) and SSID for Regular ISP

Admin >Scripts> WAN Up
Copy in the following script minus Spotify rules at bottom. Add* Save.
http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-205781
*iptables -t nat -I POSTROUTING -o tun11 --src 192.168.2.0/24 -j MASQUERADE

Saffron

Thanks for the guide Saffron. I'm trying to set up regular traffic on 2.4 ghz and VPN on 5 ghz. I'm confused here on this step. Which lines exactly do I need to copy into the WAN Up tab? I'm having a hard time figuring out where the author's notes end and the scripts begin/end. Also, I'm not sure if I even need to use all the scripts in Grdnkln's post except for the Spotify portion?
 
Set 2.4ghz SSID eth1 (wl0.0) on br0.
Set 5ghz SSID eth2 (wl1.0) on br1.
I'm assuming you're NOT using any guest wireless (e.g. wl0.1 or wl1.1)

Code:
# This code goes in the WAN UP section of the Tomato GUI.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#

#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#
# Delete table 100 and flush any existing rules, if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

#This says ALL traffic through br0 is non-VPN / ISP
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#some additions: insert rules into chain, eth2 is 5GHZ
iptables -I INPUT -i eth2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth2 -o tun11 -j ACCEPT

iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE

#use ISPs DNS on br0
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')

Paste the code above into WAN Up.

(EDIT) Tested.
VPN speed is almost the same with 2 SSIDs (VPN+ISP) as standard 1 SSID (-0.06Mbps)

With 3 SSIDs(VPN1+VPN2+ISP) it slows I think because tun11 and tun12 are 'virtual tunnels' and there is actually only one tunnel 'processor' which they share(?). Possible security risk.
 
Great! I'll give this a try when I get home tonight. I have the AC56U but I'm assuming all steps will be exactly the same.
 
RT-AC68U: How to setup SSID for VPN Client 1, SSID for VPN Client 2 (paid VPNs like PIA with different exit locations) and SSID for Regular ISP

In this example, wl0.1 (br1) is VPN1, wl0.2 (br2) is VPN2 and eth1 (br0) is ISP. If a VPN connection resets then this setup requires multiple up/down scripts. This initial "WAN Up" script works until a VPN connection resets:

Code:
#start
#sleep X is for troubleshooting

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 11
ip route del default table 11
ip rule del fwmark 1 table 11

ip route flush table 12
ip route del default table 12
ip rule del fwmark 2 table 12

ip route flush table 13
ip route del default table 13
ip rule del fwmark 3 table 13

ip route flush cache

#above code is redundant

iptables -t mangle -F PREROUTING
sleep 3

# Prep Iptables for multiple vlans/bridges to be forwarded through tunnels
iptables -I INPUT -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I INPUT -i wl0.2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o tun11 -j ACCEPT
iptables -I FORWARD -i wl0.2 -o tun12 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.3.0/24 -o tun12 -j MASQUERADE
sleep 3

#isp table
ip route show table main | grep -Ev ^default | grep -Ev tun11 | grep -Ev tun12 \
| while read ROUTE ; do
ip route add table 11 $ROUTE
done
ip route add default table 11 via $(nvram get wan_gateway)
sleep 3

#vpn1 table
ip route show table main | grep -Ev ^default | grep -Ev tun12 \
  | while read ROUTE ; do
      ip route add table 12 $ROUTE
done
VPN1_GW=$(ifconfig tun11 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
ip route add table 12 default via $VPN1_GW dev tun11
sleep 3

#vpn2 table
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 13 $ROUTE
done
VPN2_GW=$(ifconfig tun12 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
ip route add table 13 default via $VPN2_GW dev tun12
sleep 3

# Add Mark rules so any marked packets will follow separate routing tables, and not main/default table
ip rule add fwmark 1 table 11
ip rule add fwmark 2 table 12
ip rule add fwmark 3 table 13
ip route flush cache
sleep 3

# Mark traffic by bridge ID
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br1 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i br2 -j MARK --set-mark 3
sleep 3

#ISP DNS for br0
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get wan_get_dns | awk -F' ' '{print $1}')
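Both WAN Up scripts in this thread (the single table 100 version and the three-table version above) rely on the same two things being in place after a reboot or a tunnel reset: an `ip rule` that sends each fwmark to its table, and a default route inside that table through the right device. The check below is an added example, not code from the thread, that audits exactly that from the output of `ip rule show` and `ip route show table N`. It ships with constructed sample output so it runs offline; the WAN device name vlan2 and the addresses in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit one bridge's policy-routing state after WAN Up.
# For each bridge you expect: the fwmark rule must send marked packets to its table, and that
# table must own a default route through the right device. If either is missing, the lookup
# falls through to the main table, which is how a bridge silently ends up on the wrong exit.

# check_table MARK TABLE DEV RULES ROUTES
#   RULES  = text of `ip rule show`, ROUTES = text of `ip route show table TABLE`
# Prints one OK/FAIL line per check and returns 0 only when every check passes.
check_table() {
    mark=$1 table=$2 dev=$3 rules=$4 routes=$5
    rc=0
    # ip prints fwmarks in hex (0x1, or 0x1/0xffffffff when a mask is shown), so convert first.
    hex=$(printf '0x%x' "$mark")
    if printf '%s\n' "$rules" | grep -Eq "fwmark $hex( |/).*lookup $table\$"; then
        echo "OK   fwmark $hex -> table $table"
    else
        echo "FAIL no ip rule sends fwmark $hex to table $table"; rc=1
    fi
    def=$(printf '%s\n' "$routes" | grep -E '^default ')
    if [ -z "$def" ]; then
        echo "FAIL table $table has no default route; marked traffic falls through to main"; rc=1
    elif ! printf '%s\n' "$def" | grep -q "dev $dev"; then
        echo "FAIL table $table default route does not leave via $dev: $def"; rc=1
    else
        echo "OK   table $table default: $def"
    fi
    return $rc
}

# On the router, run against live state. For the guide's single-table setup:
#   audit_live 1 100 vlan2      (vlan2 is a hypothetical WAN device name; check yours with `ip route`)
# For the three-table script: audit_live 1 11 vlan2; audit_live 2 12 tun11; audit_live 3 13 tun12
audit_live() {
    check_table "$1" "$2" "$3" "$(ip rule show)" "$(ip route show table "$2")"
}

# Constructed sample output (not captured from a real router) so the check can be exercised offline.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES_OK='default via 203.0.113.1 dev vlan2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
# The same table after its default route vanished, which is what a WAN flap or a failed script leaves behind.
SAMPLE_ROUTES_BROKEN='192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# Only demonstrate when executed directly with "demo", not when sourced.
if [ "${1:-}" = demo ]; then
    check_table 1 100 vlan2 "$SAMPLE_RULES" "$SAMPLE_ROUTES_OK"
    check_table 1 100 vlan2 "$SAMPLE_RULES" "$SAMPLE_ROUTES_BROKEN"
fi
```

Running `audit_live` for each mark/table pair right after the WAN Up script, and again from a VPN client's route-down script, tells you immediately whether a reset left one of the tables without its default route, which is the moment the thread's three-SSID setup becomes unstable.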
 
Thank you saffron! I just went through the steps exactly and it worked the first time. Excellent!
 
Easy peasy, huh?

Anyway this works in Merlin's firmware with a bit more code for bridges. The advantage of this is Merlin is quite a bit faster as a VPN client than Tomato Shibby.

Other improvements are to replace the ip rule fw marks (note that they are in hex not decimal) with ip rule for a device. Something like:

ip rule add dev br0 table 11
ip rule add dev br1 table 12
ip rule add dev br2 table 13

Use route 'up' and 'down' scripts in each VPN client.

And br1 and br2 must be expressly isolated with iptables otherwise there is packet collision of sorts. AC68U really can't cope with tun11 and tun12 being used simultaneously - one at a time.
 

I would love to get this working in Merlin as it is indeed faster for me. Plus I prefer the interface but it sounds more complex. I have a 50/5 connection but am only getting around 20/5 with Tomato via PIA VPN. I was getting close to full speed 40/5 with Merlin. But at least it works stable so far.
 
Currently, I have a mess of a setup where I have the VPN going to one IP, that of another router so I can connect to the VPN or regular ISP at will. This seems so much better, but it took me 3 days to figure out how to get that working. I'm just not smart enough to do this on my RT-AC68U without help. Are there steps to do this in Merlin? The link in the last post doesn't seem to work.

EDIT: Found the post. I followed the instructions (which are also on the Merlin Wiki) a few months ago without success. I guess I need to take a couple courses on networking or something.
 
When entering the script into the WAN UP field, since there is already a previous script for adblocking, I'm returned with:

WAN Up script is too long. Maximum allowed is 4096 bytes.
After spending countless hours trying things around the net, with most pointing to JFFS, I can honestly say that I can't make any sense out of what anyone is trying to say. I'm very new to this but would like to have both of these features and I just can't understand what anyone is trying to say when they refer to using the JFFS. Could anyone please help me?

* I don't understand how to put something into the JFFS
* I don't understand how to utilize it at all

Using the RT-AC68U with the Tomato Firmware 1.28.0000 -2.9-131 K26ARM USB AIO-64K
 
