How to setup SSID for VPN and SSID for Regular ISP using MerlinWRT


jobongo

Regular Contributor
First of all I have to say that Merlin firmware is great. With that being said, I figured out a way to setup a guest wireless SSID to be routed over a VPN and have all my other devices go over the regular ISP using Merlin’s 24b3 build. I tried separate bridges, marking frames and nothing seemed to work. I have looked and looked and if someone else sees some improvements that can be made please let me know. This takes a few start-up scripts to get it working but it works. The only downside is that if the router has a soft or partial reset then it needs to be rebooted to set everything back up.

This setup creates an additional LAN; one for the SSID that will be routed to the VPN. I used a guest network so that it sets up a Virtual wireless interface. I would recommend that you set up entware. This should work if you want to set this up on the 5Ghz radio instead (eth2) but I have not tried it. I am using Merlin's build so you will need to enable JFFS. I have a custom dnsmasq.conf file that adds an additional DHCP server for the clients connecting to the VPN SSID. I used entware to make the startup scripts but they should work in the scripts folder in JFFS. I have not tried using them there yet. Here are the scripts:

IFCONFIG script: This assigns an ip to the virtual wireless interface to act as a gateway. This will automatically assign a /24 subnet. If you want something else use "netmask xxx.xxx.xxx.xxx" command after the IP.

Code:
        #!/bin/sh
        sleep 1
        ifconfig wl0.1 192.168.2.1

IPTABLES script: This allows access from wl0.1 interface as well as setting up masquerading on tun0 interface. Replace interface names where appropriate. I used the “accept all” concept to simplify but you can customize where needed to add additional security.

Code:
        #!/bin/sh
        iptables -I INPUT -i wl0.1 -j ACCEPT
        iptables -I FORWARD -i wl0.1 -j ACCEPT
        iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE

EBTABLES script: This had me confused at first. DROP does not mean drop the frame in the broute table. It means send it up the OSI layer (layer 3) which is what we want to do. This essentially makes wl0.1 interface routable outside of the br0 interface. The reason for arp (address resolution protocol) is so that mac addresses can be dynamically associated with an IP outside of the br0 interface.

Code:
        #!/bin/sh
        sleep 1
        ebtables -t broute -I BROUTING -i wl0.1 -p ipv4 -j DROP
        ebtables -t broute -I BROUTING -i wl0.1 -p arp -j DROP

ROUTERULES script: This is something that has to be set up to direct the traffic over the VPN. Once the ebtables rules are applied the interface and all packets that arrive are isolated. These rules and routes tell them where to go and where to look.

Code:
        #!/bin/sh
        sleep 20
        ip route add 192.168.0.0/24 dev eth0 table 10
        ip route add 192.168.1.0/24 dev br0 table 10
        ip route add 192.168.2.0/24 dev br0 table 10
        ip route add default dev tun0 table 10
        ip route add 0.0.0.0/1 dev tun0 table 10
        ip route add 128.0.0.0/1 dev tun0 table 10
        ip rule add from 192.168.2.0/24 table 10
        ip route flush cache


OPENVPN: I used openvpn through entware. I was unable to make the configuration that I need through the web browser. The web interface worked but I wanted to bind my openvpn connection to a port and could not with the integrated one. This is not a big issue. I also set the route-nopull option in my openvpn config. This way no routes were added to the main table and I could select which ones I wanted to add to table 10.

DNSMASQ.CONF.ADD: This is what I added to the jffs/configs/dnsmasq.conf.add file:

Code:
        interface=wl0.1
        dhcp-range=wl0.1,192.168.2.2,192.168.2.254,255.255.255.0,86400s
        dhcp-option=wl0.1,3,192.168.2.1



I think I have covered it all. This is not perfect by any means but it works. You can also add per-IP devices to be routed over the VPN (in case you want a device on the default LAN to go over the VPN). Make sure that your scripts are executable. With this setup you can run them one-by-one and see if they all work. I may have missed something and if I have please let me know. If you have any trouble, let me know. I hope someone else finds this useful.
 
Nice work :) I suggest you write a Wiki article on Github if you have the time, so such howtos can be easily accessible to people looking for them.
 
Github Post

Thanks Merlin. I will be sure to create the wiki and post it on Github. I am going to make a few modifications and maybe create a script for a cron job.
 
...I think I have covered it all. This is not perfect by any means but it works. You can also add per-IP devices to be routed over the VPN (in case you want a device on the default LAN to go over the VPN). Make sure that your scripts are executable. With this setup you can run them one-by-one and see if they all work. I may have missed something and if I have please let me know. If you have any trouble, let me know. I hope someone else finds this useful.

For my information, and maybe for some others almost new to all these possibilities, could you just write a few words about the usages that can be done with such a setup? Why would we do that?

Thanks,

GH
 
Why one would want to do this.

This setup that I made is just to simplify connecting to a VPN for wireless devices. A lot of people use VPNs to connect to work and many use them to change their IP location to view geographically restricted content (Netflix, Hulu, etc). Simply put, you don't have to create specific rules for specific devices to route them over the VPN with this setup. You can just connect to the SSID that gets routed to the VPN and go. This is quite simple to implement in other custom firmwares (DD-WRT, Tomato) but I didn't want to go this route. These other firmwares, to the best of my knowledge, don't allow the use of hardware acceleration that is available in the RT-N66U. I wanted to keep this feature as I don't use QoS and other features that would disable it. Also, I have tried a couple of DD-WRT builds and found them to be "buggy" with this router.

Also, before this I used two separate routers for my network. One was for the VPN and one was for the ISP. This setup allows you to only use one router. I know that this setup is not perfect by any means but I have seen a few posts where people are trying to do the same thing (or very similar):

http://forums.smallnetbuilder.com/showthread.php?p=59338

http://tomatousb.org/forum/t-458894/rt-n66u-firmware-to-create-ssid-vpn-tunnel

and I thought that maybe there was more out there that thought the way I did and wanted to know how to do it. I am working on a wiki that will be posted on the Merlwrt github site that will go into more detail into exactly how it is setup. I hope this answered your questions.
 
Thanks Merlin. I will be sure to create the wiki and post it on Github. I am going to make a few modifications and maybe create a script for a cron job.
Good job. In the meantime, I added a link to this thread on the wiki.
GH
 
Thanks. I am writing the wiki but have been a little under the weather for the past week. I also wrote a single script to simplify it and make everything more automated. I will post it within the next couple days.
 
Great work! I could have used this a few months ago before buying a 2nd N66, though it only cost me $140 for 2 of them, I could have used the $100 gift card towards something else.

I have since connected servers/drives respectively to each router. Router 2 has a US VPN permanently ON and also has a drive with only children's shows and movies.

Router 2 in my setup also only runs 5GHz and is on a different channel than Router 1. And R1 has QoS for a wireless Ooma VoIP setup which is then connected to my home network of corded/cordless phones. R1's ports are consumed by 2 PCs, a server, and the LAN-WAN connection to R2.

Could I employ your methods and accomplish my present setup with one N66 while maintaining the reduced congestion and QoS?
(I guess I would lose the kids' drive up there)
 
I don't see why you couldn't do it this way. The main reason that I chose to do it this way was to keep the hardware acceleration enabled because I have a lot of wan/lan traffic. The setup should work the same with QoS enabled.

I would set up your VoIP phones and get everything working with QoS first. Then apply the script for whichever SSID you want to connect. I am not sure what you mean by congestion from your post. If you are talking about the network traffic, I wouldn't think that only adding a VPN and some devices to the switch should impact it that much. From what I understand, hardware acceleration doesn't improve traffic throughput for devices connected to the switch ports, only lan/wan connections.

My home network has a server, NAS, PS3, Apple TV, Xbox 360 a VPN Client, a VPN server, and one desktop machine, not to mention the wireless devices that connect. This is all run through the RT-N66U and I have never had a problem.

I have an additional 5 port gigabit switch connected to one of the RT-N66U switchports to handle the additional hardware devices. This is just an idea if you need more ports.

Let me know if you run into any trouble trying to set it up.
 
DNS settings

Hi Jobongo,
I've been trying to get this to work for a couple of weeks - as I am not an experienced user, it took me a while but now, finally, it does. Thanks for your work. I used your github manual and followed these instructions above as well. I installed openvpn via entware and got everything to work finally, there were some issues with the S20openvpn script in the init.d folder and I had not clearly understood why you did not want to use merlin's built-in openvpn. Now I do, and if someone needs help with this, I can put up all my config scripts.

The reason I write is another though:
how would I combine this with opendns / dnscrypt? I had followed that tutorial as well, but for some reason it didn't work along with the openvpn config, so before I search for the problem, I wanted to ask a very basic question: since the DNS server should be closest to the endpoint of my VPN (so in my country for the normal wifi, and in the US for the vpn_ssid), would it be possible to initialize its setup twice; once for each?

Cheers,
solidify
 
Hi Jobongo

I have tried to set up your script, as found on Github, on Asuswrt-merlin Build 3.0.0.4.372.31 but strangely when trying to run it from WinSCP it has reported errors with your original "blank" lines (already removed), as well as a missing "then" (?)

Here is the script I am using:

Code:
        #!/bin/sh
        touch -am /tmp/000VPNbypassstarted
        ####### Interface Specific Settings #######
        WRLSS_IF=wl0.1 # Name of the wireless interface that will be used.
        WRLSS_IF_NTWK_ADDR=192.168.2.0 # Network address that the wireless interface will be on.
        WRLSS_IF_INET_ADDR=192.168.2.1 # IP address that will be assigned to the wireless interface.
        WRLSS_IF_NETMASK=255.255.255.0 # Netmask of the wireless network to be added.
        TUN_IF=tun11 # Name of tunnel interface.
        ########## DHCP Specific Settings ###########
        DHCP_OPT1=3 # dnsmasq option to specify router.
        LS_TIME=86400s # Duration of the dhcp leases.
        LS_START=192.168.2.100 # Start address of leases. This needs to be within the same network as above.
        LS_END=192.168.2.120 # End address of leases. This needs to be within the same network as above.
        ######## Hide SSID of Guest Network ########
        ### HIDE_SSID=0 # This option is to hide the SSID of a guest network if a guest network is used. 1=hide and 0=visible.
        ##########################################################################################################
        ########################################## DHCP Server ###################################################
        # Only append the extra DHCP scope once, then restart dnsmasq so it picks it up.
        if [ `cat /etc/dnsmasq.conf | grep -c $WRLSS_IF` == 0 ]; then
        killall dnsmasq
        sleep 2
        echo "interface=$WRLSS_IF" >> /etc/dnsmasq.conf
        echo "dhcp-range=$WRLSS_IF,$LS_START,$LS_END,$WRLSS_IF_NETMASK,$LS_TIME" >> /etc/dnsmasq.conf
        echo "dhcp-option=$WRLSS_IF,$DHCP_OPT1,$WRLSS_IF_INET_ADDR" >> /etc/dnsmasq.conf
        dnsmasq --log-async
        fi
        sleep 2
        ### Check to see if tun interface is available ###
        while [ ! -n "`ifconfig | grep $TUN_IF`" ]; do
        sleep 1
        done
        ############################################ IP ROUTING ##################################################
        # The stray "; then" that followed this line (and caused the shell's "then" error) is removed;
        # it was not part of any if statement.
        ifconfig $WRLSS_IF $WRLSS_IF_INET_ADDR netmask $WRLSS_IF_NETMASK
        ip route show table main | grep -Ev ^default | while read ROUTE; do
        ip route add table 10 $ROUTE;
        done
        #ip route del 0.0.0.0/1 table main # Uncomment this line if you are not using the route-nopull option.
        # Many VPN service providers push this route to redirect internet traffic over the tunnel.
        ip route add default dev $TUN_IF table 10
        ip rule add dev $WRLSS_IF table 10
        ip route flush cache
        ####################################### ETHERNET BRIDGE TABLES RULES #####################################
        EBT_BRULE1="-p ipv4 -i $WRLSS_IF -j DROP"
        EBT_BRULE2="-p arp -i $WRLSS_IF -j DROP"
        if [ -n "$EBT_BRULE1" ] && [ `ebtables -t broute -L | grep -ice "$EBT_BRULE1"` != 1 ]; then
        ebtables -t broute -I BROUTING $EBT_BRULE1
        fi
        if [ -n "$EBT_BRULE2" ] && [ `ebtables -t broute -L | grep -ice "$EBT_BRULE2"` != 1 ]; then
        ebtables -t broute -I BROUTING $EBT_BRULE2
        fi
        ############################################ IP TABLES RULES #############################################
        if [ `iptables -L -v | grep -c $WRLSS_IF` == 0 ]; then
        iptables -I INPUT -i $WRLSS_IF -m state --state NEW -j ACCEPT
        iptables -I FORWARD -i $WRLSS_IF -o $TUN_IF -j ACCEPT
        fi
        if [ `iptables -t nat -L -v | grep -c $TUN_IF` == 0 ]; then
        iptables -t nat -I POSTROUTING -s $WRLSS_IF_NTWK_ADDR/24 -o $TUN_IF -j MASQUERADE # Change /24 to the subnet that you will be using.
        fi
        ############################################### HIDE SSID ################################################
        ### if [ `nvram get "$WRLSS_IF"_closed` != 1 ] && [ $HIDE_SSID == 1 ]; then
        ### nvram set "$WRLSS_IF"_closed=1
        ### nvram commit
        ### fi
        ### if [ `nvram get "$WRLSS_IF"_closed` != 0 ] && [ $HIDE_SSID == 0 ]; then
        ### nvram set "$WRLSS_IF"_closed=0
        ### nvram commit
        ### fi
        # Leading slash added so the completion marker lands in /tmp like the start marker above.
        touch -am /tmp/000VPNbypasscomplete

As can be seen I removed the logic to allow hiding the SSID, and added a couple of Touch commands to monitor its execution.
 
Hi Solidify,

I'd love to see how you setup openvpn via entware. I have not been able to get it running. I've spent a couple of evenings googling, but haven't really found anything useful. The entware install of openvpn seems very minimal, and I suspect I missing a lot of stuff.

I have the VPN Client working via the firmware GUI, but I really want to set up a VPN on its own SSID, so getting this installation of openvpn going is my current bottleneck.

Could you share your config files and setup, or pass along any useful links you might have?

Thanks in advance.
 
Issues with RT-AC68

I am trying your script on the RT-AC68U running Merlin but I cant get it to work, all apparently goes as expected but all the traffic is routed to the VPN on my main SSID, and on the Guest one assigned for the VPN I cannot even connect to internet. Anything I can check to troubleshoot this? I would really love to use this at home.
 
Before I try this out, has anybody been using this script without any issues? Sounds like a really cool concept.
Thanks for sharing.
 
Great work Jobongo.

Is it feasible to run 3 SSID on a AC68U - 2 different openVPN and 1 regular ISP?

I've got an AC68U running stock firmware and will have a go at 1 VPN / 1 ISP but want to avoid introducing another router to run the second VPN.
 
Still not working

Hopefully someone can help. I really love to try this out but it is not working on the AC68U. Tried the script but all traffic is still routed to the VPN on the main Wifi and the one used for the VPN has no internet access.
 
Route Traffic - NOT- in VPN client page

Hopefully someone can help. I really love to try this out but it is not working on the AC68U. Tried the script but all traffic is still routed to the VPN on the main Wifi and the one used for the VPN has no internet access.

Try by disabling the "Route Traffic" option in the VPN client configuration page. The VPN will be established but no traffic will go through it unless it is specifically routed using iptables; which should already be part of the SSID for VPN configuration.

You can find more related information in the Selective Routing thread

Good luck!
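To tell the two failure modes above apart before changing anything, here is an added check script (not code from the thread) that reads the text of `ip route show table main`, `ip route show table 10` and `ip rule` and reports whether the main table has been captured by the tunnel and whether the guest subnet actually has a path out. It assumes the tunnel is tun11 (Merlin's VPN client 1); the sample outputs at the bottom are constructed to show the reported state.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the two symptoms reported
# above (all traffic leaving via the VPN; the guest SSID getting no internet) by
# reading the output of `ip route show table main`, `ip route show table 10` and
# `ip rule`. Run those on the router and feed their output in; the samples at the
# bottom are constructed. TUN defaults to tun11 (Merlin's VPN client 1).
TUN=${TUN:-tun11}

# True when the main table sends internet traffic into the tunnel, which is what
# "Route Traffic" (or a provider-pushed redirect-gateway) does for every client.
main_table_via_tun() {   # $1 = output of `ip route show table main`
    printf '%s\n' "$1" | grep -Eq "^(default|0\.0\.0\.0/1|128\.0\.0\.0/1) .*dev $TUN( |$)"
}
# True when table 10 has a default route into the tunnel AND a rule sends the
# guest subnet to table 10; without both the guest SSID has no way out.
guest_path_ok() {        # $1 = `ip route show table 10`, $2 = `ip rule`, $3 = guest subnet
    printf '%s\n' "$1" | grep -Eq "^default .*dev $TUN( |$)" &&
        printf '%s\n' "$2" | grep -Eq "from $3 lookup 10( |$)"
}
# Print one line per finding; the exit status is the number of findings.
diagnose() {
    n=0
    if main_table_via_tun "$1"; then
        echo "main table routes via $TUN: every client uses the VPN; disable 'Route Traffic' or use route-nopull"
        n=$((n + 1))
    fi
    if ! guest_path_ok "$2" "$3" "$4"; then
        echo "no default route in table 10 via $TUN, or no 'from $4 lookup 10' rule: guest SSID has no exit"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample output showing the reported state: redirect routes in the
# main table, only the link route in table 10, no policy rule for the guest subnet.
SAMPLE_MAIN='0.0.0.0/1 via 10.8.0.5 dev tun11
128.0.0.0/1 via 10.8.0.5 dev tun11
default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1'
SAMPLE_T10='192.168.2.0/24 dev wl0.1  scope link'
SAMPLE_RULES='0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default'
diagnose "$SAMPLE_MAIN" "$SAMPLE_T10" "$SAMPLE_RULES" 192.168.2.0/24
echo "findings: $?"
```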
 
Hopefully someone can help. I really love to try this out but it is not working on the AC68U. Tried the script but all traffic is still routed to the VPN on the main Wifi and the one used for the VPN has no internet access.

This is working with some minor changes on a AC68U with latest firmware.

In theory opening multiple tunnels is possible by using all the guests.

I want to check a few things first like VPN leaks and disconnects then I'll write a step by step post from the very start. Check back next week.

Saffron
 
Edit1: After much experimenting, I've found Tomato Shibby firmware (RT-AC68U version 123 AIO) can hold multiple, stable OpenVPN connections with considerably less fuss than Merlin's. All settings are entered in the GUI without any SSH/telnet or mounting JFFS. At the moment I have ethernet and eth1 on ISP, wl0.1 on tun11, wl0.2 on tun12. Most combinations are possible including selectively choosing where ethernet ports are directed. More to follow.

Saffron
 
Edit1: After much experimenting, I've found Tomato Shibby firmware (RT-AC68U version 123 AIO) can hold multiple, stable OpenVPN connections with considerably less fuss than Merlin's. All settings are entered in the GUI without any SSH/telnet or mounting JFFS. At the moment I have ethernet and eth1 on ISP, wl0.1 on tun11, wl0.2 on tun12. Most combinations are possible including selectively choosing where ethernet ports are directed. More to follow.

Saffron

Interesting... looking forward to hearing your findings. Would love to get this working.
 
