2 VPN Client and 2 WiFi SSID: how to route traffic

Hi archi,
Are the two VPN clients from the same provider? Are they using the same protocol and port?

Yes same provider.

As suggested by VPN support I have already tried changing the second VPN client's UDP port to 1195 through the router's GUI and it failed to connect.


Dec 2 02:01:27 rc_service: httpd 546:notify_rc start_vpnclient2
Dec 2 02:01:28 openvpn[4842]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 4 2017
Dec 2 02:01:28 openvpn[4842]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Dec 2 02:01:28 openvpn[4843]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Dec 2 02:01:28 openvpn[4843]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 2 02:01:29 openvpn[4843]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.144.83.11:1195
Dec 2 02:01:29 openvpn[4843]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Dec 2 02:01:29 openvpn[4843]: UDP link local: (not bound)
Dec 2 02:01:29 openvpn[4843]: UDP link remote: [AF_INET]x.x.x.x:1195
Dec 2 02:01:59 openvpn[4843]: [UNDEF] Inactivity timeout (--ping-exit), exiting
Dec 2 02:01:59 openvpn[4843]: SIGTERM[soft,ping-exit] received, process exiting

UDP port 1195 is not blocked on the router by default?

*UPDATE

I used another VPN and used ports UDP 1194 & TCP 443 and got both VPN clients connected simultaneously. The problem still is that the redirect traffic policy is being ignored and all DHCP clients are going through the VPN.
 
Script working well on my rt-ac88u (I have used the autodsnmasq command to create the bridges automatically)
Main hurdles I have encountered:
  • Remember that you can't have multiple VPN clients using the same port and the same protocol at the same time (this is especially valid if you want to setup multiple VPN clients using the same VPN provider)
  • Don't forget to make sure that your script is UNIX encoded (especially if you are using windows - you can encode it directly on the router or you can use cygwin, ...)
  • Don't forget to make the script executable (chmod a+rx /jffs/scripts/*)
  • The name of the nat-start file must be nat-start and not nat-start.sh
Happy to help anyone with my modest experience
 
Script working well on my rt-ac88u (I have used the autodsnmasq command to create the bridges automatically)

Glad it worked ;) and thanks for being a beta tester.

Main hurdles I have encountered:
  • Remember that you can't have multiple VPN clients using the same port and the same protocol at the same time (this is especially valid if you want to setup multiple VPN clients using the same VPN provider)
The above isn't always necessary, but manually configuring a unique socket for each VPN Client doesn't hurt, although I suspect (as per your suggestion) that explicitly enforcing this in my script (or even by RMerlin in the VPN GUI) would inevitably be inappropriate in some cases. :rolleyes:

  • Don't forget to make sure that your script is UNIX encoded (especially if you are using windows - you can encode it directly on the router or you can use cygwin, ...)
  • Don't forget to make the script executable (chmod a+rx /jffs/scripts/*)
  • The name of the nat-start file must be nat-start and not nat-start.sh

All of the above are described at https://github.com/RMerl/asuswrt-merlin/wiki in the section about User scripts, using either the router's nano editor or WinSCP etc., and there are many posts detailing the use of the command line utility

Code:
dos2unix

BusyBox v1.25.1 (2017-10-04 15:01:12 EDT) multi-call binary.
Usage: dos2unix [-ud] [FILE]
Convert FILE in-place from DOS to Unix format.
When no file is given, use stdin/stdout.
 -u dos2unix
 -d unix2dos

to ensure the script has Unix LF chars rather than the Windows CRLF.
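The four hurdles listed above (duplicate VPN client sockets, CRLF endings, missing execute bit, a mis-named nat-start.sh) are all easy to check before the script is ever invoked. The following pre-flight check is an added example written for this thread; it is not part of martineau's WiFiVPN script nor an RMerlin tool. It assumes user scripts live in /jffs/scripts and that the VPN client settings are held in the nvram variables vpn_clientN_addr, vpn_clientN_proto and vpn_clientN_port (N=1..5); when the nvram command is not on the PATH the socket check is skipped, so the script also runs off-router against any directory.

```shell
#!/bin/sh
# Added example (not martineau's WiFiVPN script, not an RMerlin tool): pre-flight
# checks for the four hurdles from this thread. Usage: sh preflight.sh /jffs/scripts
# Assumptions: hook scripts in the given directory; VPN client sockets readable via
# 'nvram get vpn_clientN_proto' / 'vpn_clientN_port' (skipped if nvram is absent).

CR=$(printf '\r')

# check_user_scripts <dir>: print one line per problem, then the problem count.
# Always returns 0 so it is safe inside $(...) under 'set -e'.
check_user_scripts() {
    dir=$1
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # CRLF endings: the interpreter line becomes "#!/bin/sh\r" and the hook fails
        if grep -q "$CR" "$f" 2>/dev/null; then
            echo "CRLF: $name (fix: dos2unix $f)"
            problems=$((problems + 1))
        fi
        # Execute bit: without it the firmware silently skips the script
        if [ ! -x "$f" ]; then
            echo "NOEXEC: $name (fix: chmod a+rx $f)"
            problems=$((problems + 1))
        fi
        # Hook names must match exactly; nat-start.sh is never called
        case "$name" in
            nat-start.sh|firewall-start.sh|services-start.sh|wan-start.sh|openvpn-event.sh)
                echo "MISNAMED: $name (fix: mv $f $dir/${name%.sh})"
                problems=$((problems + 1))
                ;;
        esac
    done
    echo "$problems"
    return 0
}

# vpn_socket_conflicts: read lines "<client> <proto> <port>" on stdin and print
# every proto:port pair used by more than one VPN client. Prints nothing if clean.
vpn_socket_conflicts() {
    awk '{ key = $2 ":" $3; n[key]++; who[key] = who[key] " " $1 }
         END { for (k in n) if (n[k] > 1) print "DUPLICATE " k " used by clients" who[k] }'
    return 0
}

# On the router: collect the sockets of every configured client from nvram.
# Unconfigured clients (empty vpn_clientN_addr) are skipped to avoid false positives.
nvram_sockets() {
    for n in 1 2 3 4 5; do
        addr=$(nvram get "vpn_client${n}_addr")
        [ -n "$addr" ] || continue
        echo "$n $(nvram get "vpn_client${n}_proto") $(nvram get "vpn_client${n}_port")"
    done
}

if [ $# -gt 0 ]; then
    check_user_scripts "$1"
    if command -v nvram >/dev/null 2>&1; then
        nvram_sockets | vpn_socket_conflicts
    fi
fi
```

A DUPLICATE line is only a hint: as martineau notes above, two clients on the same proto:port can work with some providers, but if the second client shows the "Inactivity timeout (--ping-exit)" pattern from the log earlier in the thread, the shared socket is the first thing to rule out.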
 
Script working well on my rt-ac88u (I have used the autodsnmasq command to create the bridges automatically)
Main hurdles I have encountered:
  • Remember that you can't have multiple VPN clients using the same port and the same protocol at the same time (this is especially valid if you want to setup multiple VPN clients using the same VPN provider)...


Thanks for your tips and the problem was to do with using ports.
I have never done any work on the router at command level before so it has been a steep climb as I didn't even know how to SSH or use vi at the start.
A combination of errors at my end and bad VPN provider support have caused more problems & confusion than I should have experienced.
I now feel a lot more confident having done this process to work on the router. It's been a great learning experience.

I'm now using a more reputable VPN provider and the script has done its job in routing the traffic correctly.

@martineau thanks for your help and hard work. I'm happy to confirm your script works great on the AC3200.


I have two additional requests that I would appreciate help with from anyone:

1. How can I have clients on the two routed VPN networks also access local network resources (192.168.1.x) ?
2. I have enabled a third NON VPN guest network(wl1.3). How can I have clients connected to it issued with a specific DNS server ?
 
I'm now using a more reputable VPN provider and the script has done its job in routing the traffic correctly. @martineau thanks for your help and hard work. I'm happy to confirm your script works great on the AC3200.
Not sure what the comment regarding 'a more reputable VPN provider' is supposed to imply? - i.e. ease of configuration/support/reliability/performance etc., but glad to hear that my script does assist less technically savvy users.
How can I have clients on the two routed VPN networks also access local network resources (192.168.1.x) ?
The purpose of a dedicated SSID for VPN use is to isolate traffic from your LAN and the script will further endeavour to prevent DNS leaks by forcing clients to use the VPN DNS if 'Accept DNS Configuration=EXCLUSIVE'.

If this is not what is required then surely you would simply allow clients to connect to your main 2.4GHz/5GHz SSIDs (or create a Guest Wifi SSID with 'Access Intranet=ON') and use the Selective routing for VPN traffic?

Clearly the convenience of being able to switch between SSIDs isn't too much of a hardship to protect the integrity of LAN resource access?

However, if you examine my script you will see that there are two examples of LAN 'pin-hole' access
e.g. Shared Printer 10.88.8.131 and a (very silly) port example from device 10.88.8.111

Code:
# Application/local device rules
   if [ "$FIREWALL_TYPE" != "OpenLAN" ];then
      $IPT $ACTION FORWARD $FWRULENO -o $BRIDGE_ID -i br0 -s 10.88.8.111 -d $BRIDGE_SUBNET_PREFIX.0/24 -p tcp --dport 22 -j ACCEPT 2> /dev/null # <- LAN SSH pin-hole
      $IPT $ACTION FORWARD $FWRULENO -i $BRIDGE_ID -o br0 -s $BRIDGE_SUBNET_PREFIX.0/24  -d 10.88.8.131   -j ACCEPT 2> /dev/null # LAN printer ->
      $IPT $ACTION FORWARD $FWRULENO -o $BRIDGE_ID -i br0 -s 10.88.8.131 -d $BRIDGE_SUBNET_PREFIX.0/24    -j ACCEPT 2> /dev/null # <- LAN printer
   else
      $IPT $ACTION FORWARD $FWRULENO -i $BRIDGE_ID -o br0 -j ACCEPT 2> /dev/null
   fi

You can customise these three example rules to your specific LAN (192.168.1.x) requirements or use the 'openlan' directive when invoking the script.
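For the 192.168.1.x case asked about above, the three example rules can be narrowed further. What follows is an added example (editor's, not code from martineau's WiFiVPN script) that generates FORWARD pin-holes so clients on one VPN guest bridge can reach a single LAN host on selected TCP ports, while that LAN host can only answer, never initiate, towards the guest bridge. It assumes the guest bridge is br1 with 192.168.101.0/24 (as in the status output later in this thread), a made-up storage box at 192.168.1.10, and that the rules are re-applied from /jffs/scripts/firewall-start; nothing is executed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not part of martineau's WiFiVPN script: LAN pin-holes for one host.
# Assumptions: br1 = 192.168.101.0/24 (VPN guest bridge), 192.168.1.10 = LAN storage
# box, rules re-applied from /jffs/scripts/firewall-start. Dry run unless APPLY=1.

# pinhole_rules <bridge> <bridge_cidr> <lan_host> <tcp_ports_comma_separated>
# Prints one iptables command per line. Rules are inserted at position 1 so they
# win over the script's own br0<->brN isolation rules further down the chain.
pinhole_rules() {
    bridge=$1 cidr=$2 host=$3 ports=$4
    # Guest -> LAN host: only flows to the listed ports.
    echo "iptables -I FORWARD 1 -i $bridge -o br0 -s $cidr -d $host -p tcp -m multiport --dports $ports -m state --state NEW,ESTABLISHED -j ACCEPT"
    # LAN host -> guest: replies only. The page's printer example accepts any packet
    # from the LAN device; this version stops the LAN side opening connections into
    # the VPN-protected bridge.
    echo "iptables -I FORWARD 1 -i br0 -o $bridge -s $host -d $cidr -m state --state ESTABLISHED,RELATED -j ACCEPT"
    return 0
}

# Dry run by default; APPLY=1 pipes the commands into a shell on the router.
apply_pinholes() {
    if [ "${APPLY:-0}" = "1" ]; then
        pinhole_rules "$@" | sh
    else
        pinhole_rules "$@"
    fi
}

if [ $# -eq 4 ]; then
    apply_pinholes "$@"
fi
```

For SMB playback the ports are 445 (and 139 for old clients), e.g. `APPLY=1 sh pinholes.sh br1 192.168.101.0/24 192.168.1.10 445,139`; confirm the result with `iptables -L FORWARD -v -n --line-numbers`. Saving streamed files back to the LAN works through the same rules because the guest side still initiates the connection.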
 
Not sure what the comment regarding 'a more reputable VPN provider' is supposed to imply? - i.e. ease of configuration/support/reliability/performance etc., but glad to hear that my script does assist less technically savvy users.... .

Your script is absolutely brilliant for someone like me. Initially it all felt confusing and difficult as I had to learn the basics from googling etc. Now that I'm more experienced I can really appreciate what the script manages to achieve from very little user input. Great job!

Yes - a more reputable VPN provider known to offer better support, reliability and performance.
The support from the previous provider I was dealing with was repeatedly telling me to use UDP port 1195 for the second VPN client when it later turned out that port wasn't even open on their servers. It's one of those VPN providers that you can buy with one lifetime payment and I guess something has to give.

You are right about compromising LAN integrity and I need to weigh up the cons and pros.
I have a small Android media streaming box that I wanted to protect using VPN and at the same time enable to access local storage for playback of media files. It is a little inconvenient having to swap WiFi each time to choose between playing local files or streamed ones. Plus the option to save streaming files to the local LAN is gone.

The second help request was to enable a couple of my network clients to occasionally have auto-configured Smart DNS server values - non-VPN. This is to overcome geolocation restrictions imposed by some streaming media sites. I would still like to implement this for my third enabled guest SSID (smartdns) as otherwise I have to manually change client DNS values back and forth depending on where I would like to stream from - UK/US.

Do I have to create a new dhcp pool and issue it specific DNS server values to achieve this ?


Also I have been intermittently losing connection on VPN client 2.

I get the following WifiVPN output error for it:


wl1.2 VPN2 5GHz Guest 2 (192.168.102.0/24) routed through tunnel VPN Client 2 (***ERROR VPN is DOWN) is MISSING a valid DNS entry in '-t nat DNSVPN2' via bridge:br2

Executing nat-start from ssh brings it back up. Any ideas why this could be happening ?
If it is because of a connection drop from the VPN, does your script try to reconnect?
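On the Smart DNS question above: a second DHCP pool is not required for a handful of clients, because dnsmasq can hand out a different DNS server per tag. The block below is an added example (editor's, not from the WiFiVPN script or the firmware) that prints the dnsmasq fragment for either approach: per client (by MAC, whichever SSID they join) or per bridge (for a guest SSID that sits on its own bridge). It assumes the Smart DNS resolver is 203.0.113.53 (a documentation address, substitute the provider's), made-up client MACs, and asuswrt-merlin's /jffs/configs/dnsmasq.conf.add followed by `service restart_dnsmasq`; nothing is written unless APPLY=1.

```shell
#!/bin/sh
# Added example, not part of the WiFiVPN script or asuswrt-merlin: per-client or
# per-bridge DNS via dnsmasq tags, without a second DHCP pool.
# Assumptions: resolver 203.0.113.53 (placeholder), client MACs made up, fragment
# appended to /jffs/configs/dnsmasq.conf.add on asuswrt-merlin. Dry run unless APPLY=1.

# smartdns_by_mac <dns_ip> <mac>...: tag the listed hosts and give only them option 6.
smartdns_by_mac() {
    dns=$1; shift
    for mac in "$@"; do
        # set:smartdns attaches the tag to this host's DHCP transaction
        echo "dhcp-host=$mac,set:smartdns"
    done
    # option:dns-server is DHCP option 6; only requests carrying the tag get this value,
    # everyone else keeps the router's normal DNS settings
    echo "dhcp-option=tag:smartdns,option:dns-server,$dns"
    return 0
}

# smartdns_by_bridge <dns_ip> <bridge>: dnsmasq tags every request with the name of
# the interface it arrived on, so a guest SSID on its own bridge (e.g. br3) can be
# targeted as a whole. A guest SSID that shares br0 with the main LAN cannot be
# separated this way; use smartdns_by_mac for its clients instead.
smartdns_by_bridge() {
    echo "dhcp-option=tag:$2,option:dns-server,$1"
    return 0
}

# Dry run prints the fragment; APPLY=1 appends it and restarts dnsmasq.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        cat >> /jffs/configs/dnsmasq.conf.add
        service restart_dnsmasq
    else
        cat
    fi
}

if [ $# -ge 2 ]; then
    smartdns_by_mac "$@" | emit
fi
```

Two checks after applying: the client must renew its lease (toggle WiFi) to pick up the new option 6, and the router's DNSFilter (LAN > DNSFilter) must not be enabled in a mode that redirects the client's DNS, otherwise the Smart DNS server is silently overridden. Clients on the VPN bridges are unaffected because the script's DNSVPN redirect only applies to those bridges.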
 
Your script is absolutely brilliant for someone like me.
Many thanks for the positive feedback :)
Also i have been intermittently losing connection on vpn client 2.
There are many posts discussing client-side OpenVPN GUI directives that may assist in maintaining a reliable OpenVPN connection.

e.g
auth-nocache
reneg-sec nnnnn
etc.


although not sure if these are still appropriate, but, unfortunately, there are still unresolved posts where there are no definitive answers for solving random/timed VPN disconnection issues?
If it is because of a connection drop from the VPN, does your script try to reconnect?
My WiFiVPN.sh script is used to configure the static Guest SSID->VPN Client mapping, and as a courtesy, checks that the target VPN Client is actually configured and if it isn't ACTIVE will attempt to start it.

However, once the script has completed, it does not continually monitor the availability/integrity of the VPN Client connection.

I posted my crude old-skool solution 'OpenVPN disconnects when session expires' for explicitly monitoring the STATE of an OpenVPN connection, either in real-time by reacting to an unsolicited VPN-related Syslog message or using a cron job to ask for data to be physically retrieved via tunnel and force a VPN Client restart if the expected data isn't returned by sending a custom trigger message to Syslog.
Executing nat-start from ssh brings it back up
If manually executing nat-start restores the VPN connection, then this would imply that the WAN connection isn't the cause of the failure but an OpenVPN Server/Client issue.
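The cron-job variant described above (fetch something through the tunnel, restart the client if nothing comes back) can be written in a few lines. This is an added example, not martineau's monitoring script nor anything in the firmware. It assumes asuswrt-merlin names VPN client N's interface tun1N (so client 2 is tun12), that curl is available on the router, that `service restart_vpclientN` is the restart command, and that the probe URL is a placeholder for any small, always-on HTTP resource.

```shell
#!/bin/sh
# Added example (editor's, not martineau's script or the firmware's): a cron-driven
# VPN client watchdog. Assumptions: VPN client N = interface tun1N on asuswrt-merlin,
# curl present, PROBE_URL a placeholder. Usage: sh vpnwatch.sh 2

# Overridable so the action can be swapped for 'echo' in a dry run.
VPN_RESTART=${VPN_RESTART:-"service restart_vpnclient"}
PROBE_URL=${PROBE_URL:-"http://example.com/"}

# vpn_check <client_no> [probe_command]
# Returns 0 when the probe succeeds, 1 after a failed probe and a restart request.
# --interface tun1N binds with SO_BINDTODEVICE (we run as root), so the probe cannot
# leak out via the WAN when the tunnel is down: it simply fails, which is the point.
vpn_check() {
    n=$1
    probe=${2:-"curl -s -m 10 --interface tun1$n -o /dev/null $PROBE_URL"}
    if sh -c "$probe" >/dev/null 2>&1; then
        return 0
    fi
    # Leave a trail in Syslog so the drop can be correlated with OpenVPN's own messages;
    # logger may be absent off-router, so never let it abort the watchdog.
    logger -t VPNWATCH "VPN Client $n probe failed, restarting" 2>/dev/null || true
    $VPN_RESTART$n
    return 1
}

# Schedule every 5 minutes from /jffs/scripts/services-start (cru is Merlin's cron helper):
#   cru a vpnwatch2 "*/5 * * * * /jffs/scripts/vpnwatch.sh 2"
if [ $# -ge 1 ]; then
    vpn_check "$@"
fi
```

Because the probe is bound to the tunnel interface, a WAN outage and a dead tunnel look the same to it; that matches the observation above that a manual nat-start restores service, which already rules the WAN out.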
 
The purpose of a dedicated SSID for VPN use is to isolate traffic from your LAN and the script will further endeavour to prevent DNS leaks by forcing clients to use the VPN DNS if 'Accept DNS Configuration=EXCLUSIVE'.

If this is not what is required then surely you would simply allow clients to connect to your main 2.4GHz/5GHz SSIDs (or create a Guest Wifi SSID with 'Access Intranet=ON') and use the Selective routing for VPN traffic?

Hi Martineau,

Just to confirm, in a nutshell, that:

Your script supports 2 VPN clients running concurrently on an AC3200 where the traffic on each tunnel is bound to a unique SSID and WiFi Interface.

So, with the 3 SSIDs on the AC3200, you would have:
  • SSID: Local
  • SSID: VPN1
  • SSID: VPN2

Sounds fantastic. Only area for improvement is supporting newer routers with 3 WiFi interfaces and a faster CPU.
 
Hi Martineau,

Just to confirm, in a nutshell, that:

Your script supports 2 VPN clients running concurrently on an AC3200 where the traffic on each tunnel is bound to a unique SSID and WiFi Interface.

So, with the 3 SSIDs on the AC3200, you would have:
  • SSID: Local
  • SSID: VPN1
  • SSID: VPN2

Sounds fantastic. Only area for improvement is supporting newer routers with 3 WiFi interfaces and a faster CPU.

Correct.

Whilst the script currently allows any of the available WiFi interfaces to be associated with a VPN Client, I would recommend only using the 6 Guest WiFi interfaces rather than the two main 2.4GHz/5GHz SSIDs, but for the 2nd 5GHz interface on the RT-AC3200 the script may need to be modified.
 
@Martineau
Will this script work on ac86u?
Happy to give it a try if you think it will =)

Unfortunately the script uses robocfg and your helpful description of its replacement ethctl on the RT-AC86U would require you to figure out the appropriate ethctl commands as I do not have the RT-AC86U to test.

If you wish to try and convert the robocfg commands to their ethctl equivalents then I can certainly PM you a link to the script.
 
I never did manage to figure those out =)
Thanks anyway!

Out of interest, what does the 'query' command return?
 
Out of interest, what does the 'query' command return?
Code:
ethctl query
Interface specific commands:
Usage: ethctl <interface> <command> [arguments...]

  media-type : Set/Get media type
  ethctl <interface> media-type [option] [port <sub_port#> ]
    [option]: auto - auto select
              2500FD - 2500Mb, Full Duplex
              1000FD - 1000Mb, Full Duplex
              1000HD - 1000Mb, Half Duplex
              100FD - 100Mb, Full Duplex
              100HD - 100Mb, Half Duplex
              10FD  - 10Mb,  Full Duplex
              10HD  - 10Mb,  Half Duplex
    [port <sub_port#>]: required if <interface> has Crossbar or Trunk port underneath


  phy-reset : Soft reset the transceiver
  ethctl <interface> phy-reset [port <sub_port#>]
    [port <sub_port#>]: required if <interface> has Crossbar or Trunk port underneath


  reg : Set/Get port mii register
  ethctl <interface> reg <[0-31]> [0xhhhh] [port <sub_port#>]
    [port <sub_port#>]: required if <interface> has Crossbar or Trunk port underneath


  phy-power : Phy power up/down control
  ethctl <interface> phy-power <up|down>

  vport : Enable/disable/query Switch for VLAN port mapping
  ethctl <interface> vport <enable|disable|query>

  stats : Display software stats
  ethctl <interface> stats

  ethernet@wirespeed : Enable/Disable ethernet@wirespeed
  ethctl <interface> ethernet@wirespeed <show|enable|disable> [port <sub_port#>]
    [port <sub_port#>]: required if <interface> has Crossbar or Trunk port underneath



Common commands:
Usage: ethctl <command> [arguments...]

  tx_iudma : Set/Get number of Tx iuDMA channels
  ethctl tx_iudma <[1-4]>

  rx_iudma : Set/Get number of Rx iuDMA channels
  ethctl rx_iudma <[1-4]>


  phy : Phy Access
  ethctl phy int|ext|extsw|ext32 <phy_addr> <reg> [<value|reg2> [no_read_back]] [-d]
  ethctl phy i2c <reg> [<value|reg2> [no_read_back]] [-d]
      <reg>: 0-0x1f: CL22 IEEE register; 0x1f-0xffff: Broadcom Extended Registers.
             0xffff-0x1fffff: CL45 IEEE Register, DeviceAddress + 2 byte Registers.
             0x20ffff-0xffffffff: Broadcom PHY 32bit address.
      <ext32>: Force to access Broadcom phy 32bit address.
  ethctl phy serdespower <phy_addr> [<power_mode>]
      [<power_mode>]: 0 - Non power saving mode; for loop back, inter connection
                      1 - Basic power saving mode; default mode
                      2 - Device Forced Off
  -d: Dump registers started from <reg> to <reg2>.
 
Code:
ethctl query
Interface specific commands:
Usage: ethctl <interface> <command> [arguments...]

<snip>

Rather than the man page/help syntax I was hoping for actual configuration details for the existing RT-AC86U VLAN port mapping

Code:
vport : Enable/disable/query Switch for VLAN port mapping

  ethctl <interface> vport <enable|disable|query>

e.g.

Code:
ethctl br0 vport query
 
Not having much luck with getting more.

Code:
ethctl br0 vport query
invalid interface name br0
  vport : Enable/disable/query Switch for VLAN port mapping
  ethctl <interface> vport <enable|disable|query>

ethctl eth0 vport query
command return error!

br0 is indicated as LAN in webgui
 
Correct.

Whilst the script currently allows any of the available WiFi interfaces to be associated with a VPN Client, I would recommend only using the 6 Guest WiFi interfaces rather than the two main 2.4GHz/5GHz SSIDs, but for the 2nd 5GHz interface on the RT-AC3200 the script may need to be modified.

Good to know. Only use Guest Wifi interfaces.

That would have been my intention - to use the 2nd 5ghz Interface as well.
 
I have sent you a link via PM.

Hello @Martineau,

Thank you for the link. I followed your guide in this post but I cannot make it work.

I get the following response when I run status command
Code:
admin@RT-AC68U:/jffs/scripts# ./WiFiVPN status

(WiFiVPN): 5947 v1.02b (Non Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status]

        WiFi->VPN Configuration Status for interfaces:

        wl0.1   ASUS_Guest1       2.4GHz Guest 1
        wl0.2   ASUS_Guest2       2.4GHz Guest 2  (192.168.101.0/24) routed through tunnel VPN Client 1 (USA IP) using VPN DNS (10.9.0.1) via bridge:br1
        wl0.3   ASUS_Guest3       2.4GHz Guest 3  (192.168.102.0/24) routed through tunnel VPN Client 2 (Greece) using VPN DNS (10.9.0.1) via bridge:br2
        -----   (ASUS_5G_Guest1)  5GHz   Guest 1  ** Disabled **
        -----   (ASUS_5G_Guest2)  5GHz   Guest 2  ** Disabled **
        -----   (ASUS_5G_Guest3)  5GHz   Guest 3  ** Disabled **
        eth1    ASUS              2.4GHz Network
        eth2    ASUS_5G           5GHz   Network

Here is VPN status page for your reference.

Even though everything seems fine, it doesn't work. eth1, eth2, wl0.1 and wl0.2 are connecting over the USA VPN and there is no internet connection on wl0.3.

Here is my VPN configuration if you want to check:
Client 1
Client 2
 
