2 VPN Client and 2 WiFi SSID: how to route traffic

Hello @Martineau,
I followed your guide in this post but I cannot make it work.

Even though everything seems fine, it doesn't work. eth1, eth2, wl0.1 and wl0.2 are connecting over USA VPN and there is no internet connection at wl0.3.

Not 100% sure if I understand the above :confused:, are you saying ALL WiFi SSIDs are connecting to VPN Client 1?

Correct configuration of Selective Routing of multiple VPN Client connections is crucial to the success of mapping SSIDs->VPN Clients.
(NOTE: Some VPN ISPs may not allow multiple connections as their VPN endpoint is expected to be used solely on a single device such as a laptop rather than a router.)

The script does not enforce use of unique ports for each VPN connection, as it may work with some VPN ISPs but not others, but I would suggest that you follow the success stories in the thread "connect 2 vpn at the same time?" and ensure that you do not use UDP 1215 for both connections; usually there is an alternative UDP port or possibly (although usually slower) TCP port?

Also to prevent DNS leaks, although you have set 'Accept DNS Configuration=EXCLUSIVE', the firmware doesn't actually configure this unless there are Policy entries in the VPN GUI table
i.e. you should add the two missing Selective Routing dummy IPs as shown in this post.
2 VPN Client and 2 WiFi SSID: how to route traffic
i.e.
Code:
VPN1_Dummy 172.16.1.1 0.0.0.0 vpn
VPN2_Dummy 172.16.2.1 0.0.0.0 vpn

NOTE: The script that I sent to you differs slightly from the one successfully tested/implemented by @Carlo ,@archy141 ,@50_Hertz etc. but the changes are minor - that's why it is still beta i.e. evolving from feedback, so hopefully it still works as intended.o_O
 
Not 100% sure if I understand the above :confused:, are you saying ALL WiFi SSIDs are connecting to VPN Client 1?

Yes, except the one (wl0.3) that I try to configure to connect to VPN Client 2. But this SSID had no internet connection.

ensure that you do not use UDP 1215 for both connections; usually there is an alternative UDP port or possibly (although usually slower) TCP port

This solved my issue, I changed VPN Client 2 to connect UDP 389. I didn't have to add Selective Routing dummy IPs.

Thank you for your help :)
 
This solved my issue, I changed VPN Client 2 to connect UDP 389.
Thanks for the feedback.

Hmm, perhaps I should add a WARNING check in the script to make sure that different ports are used.:eek:
I didn't have to add Selective Routing dummy IPs.
The Selective routing dummy IPs are only required to enforce the 'Accept DNS configuration=Exclusive' to prevent DNS leaks.
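
A sketch of the kind of WARNING check mentioned above, added here as an example; it is not part of the WiFiVPN script, whose code is not shown in this thread. It assumes the OpenVPN client settings are readable as NVRAM keys named `vpn_client<N>_proto` and `vpn_client<N>_port`, and `sample_get` is a constructed stand-in for `nvram get` so the check can be tried off-router.

```shell
#!/bin/sh
# Added example: warn when two VPN client instances share a protocol/port.
# Assumption: settings live in NVRAM keys vpn_client<N>_proto and
# vpn_client<N>_port; adjust the key names if your firmware differs.

# Command used to read one key. Left unquoted on purpose where it is
# called, so that the default "nvram get" splits into command + argument.
GETTER="${GETTER:-nvram get}"

# Constructed stand-in for NVRAM (sample values, not from a real router).
sample_get() {
    case "$1" in
        vpn_client1_proto) echo udp ;;
        vpn_client1_port)  echo 1215 ;;
        vpn_client2_proto) echo udp ;;
        vpn_client2_port)  echo "$SAMPLE_PORT2" ;;
    esac
}

# Usage: check_vpn_ports 1 2 [3 ...]
# Prints one WARNING per clashing pair and returns 1 if any clash exists.
check_vpn_ports() {
    seen=""
    rc=0
    for n in "$@"; do
        proto=$($GETTER "vpn_client${n}_proto")
        port=$($GETTER "vpn_client${n}_port")
        [ -n "$port" ] || continue      # instance not configured, skip it
        key="$proto/$port"
        for entry in $seen; do          # entries look like "1=udp/1215"
            if [ "${entry#*=}" = "$key" ]; then
                echo "WARNING: VPN Client ${entry%%=*} and VPN Client $n both use $key"
                rc=1
            fi
        done
        seen="$seen $n=$key"
    done
    return $rc
}
```

On the router, `check_vpn_ports 1 2` reads the live settings; off-router, set `GETTER=sample_get` and `SAMPLE_PORT2` first.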
 
Thanks for the feedback.
You are welcome. Thank you for the great script :)

The Selective routing dummy IPs are only required to enforce the 'Accept DNS configuration=Exclusive' to prevent DNS leaks.
I tried that but VPNs stopped working (still shows connected though). Please check the response for status command.

Code:
admin@RT-AC68U:/jffs/scripts# ./WiFiVPN status

(WiFiVPN): 12853 v1.02b (Non Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status]

        WiFi->VPN Configuration Status for interfaces:

        wl0.1   ASUS_Guest1         2.4GHz Guest 1
        wl0.2   ASUS_Guest2      2.4GHz Guest 2  (***ERROR no entry in table 111; br1 NOT) routed through tunnel VPN Client 1 (VPN with USA IP) is MISSING a valid DNS entry in '-t nat DNSVPN1' via
bridge:br1

        wl0.3   ASUS_Guest3    2.4GHz Guest 3  (***ERROR no entry in table 112; br2 NOT) routed through tunnel VPN Client 2 (Greece) is MISSING a valid DNS entry in '-t nat DNSVPN2' via
bridge:br2

        -----   (ASUS_5G_Guest1) 5GHz   Guest 1  ** Disabled **
        -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
        -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
        eth1    ASUS 2.4GHz Network
        eth2    ASUS_5G 5GHz   Network
 
You are welcome. Thank you for the great script :)


I tried that but VPNs stopped working (still shows connected though). Please check the response for status command.

Code:
admin@RT-AC68U:/jffs/scripts# ./WiFiVPN status

(WiFiVPN): 12853 v1.02b (Non Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status]

        WiFi->VPN Configuration Status for interfaces:

        wl0.1   ASUS_Guest1         2.4GHz Guest 1
        wl0.2   ASUS_Guest2      2.4GHz Guest 2  (***ERROR no entry in table 111; br1 NOT) routed through tunnel VPN Client 1 (VPN with USA IP) is MISSING a valid DNS entry in '-t nat DNSVPN1' via
bridge:br1

        wl0.3   ASUS_Guest3    2.4GHz Guest 3  (***ERROR no entry in table 112; br2 NOT) routed through tunnel VPN Client 2 (Greece) is MISSING a valid DNS entry in '-t nat DNSVPN2' via
bridge:br2

        -----   (ASUS_5G_Guest1) 5GHz   Guest 1  ** Disabled **
        -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
        -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
        eth1    ASUS 2.4GHz Network
        eth2    ASUS_5G 5GHz   Network

You will need to restart both VPN Clients, then reissue the SSID->VPN mapping commands

Code:
./WiFiVPN   wl0.2   1   del
./WiFiVPN   wl0.2   1

./WiFiVPN   wl0.3   2   del
./WiFiVPN   wl0.3   2

./WiFiVPN   status
 
You will need to restart both VPN Clients, then reissue the SSID->VPN mapping commands

Code:
./WiFiVPN   wl0.2   1   del
./WiFiVPN   wl0.2   1

./WiFiVPN   wl0.3   2   del
./WiFiVPN   wl0.3   2

./WiFiVPN   status

Oh... I forgot to use del command before :p.
I have added Selective Routing dummy IPs and executed the commands you supplied and everything works now :D.
 
Hi @Martineau,

I'm trying to achieve the same on the Asus RTAC66U_B1, does your script work on that router (I've got the RT-AC68U Merlin firmware installed)?
Tried to do it using the script from the Merlin GitHub to no such avail. Would love to try out your script.

Thanks
 
Hi @Martineau,

I'm trying to achieve the same on the Asus RTAC66U_B1, does your script work on that router (I've got the RT-AC68U Merlin firmware installed)?
Tried to do it using the script from the Merlin GitHub to no such avail. Would love to try out your script.

Thanks

I have sent you a link via PM.
 
Thanks @Martineau. Managed to get it working straight away, very easy!

The only thing that did come up was that I had a space in the WiFi name so I tried to wrap it in single then double quotes but it didn't work. Was following the vpn_usa example earlier in the post rather than looking at the help initially.

Used the physical interface name (wl0.1) instead and it worked straight away, once again thank you!

Code:
WiFi name with space:


(WiFiVPN.sh): 20467 v1.03b (Non Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status]
WiFi->VPN Configuration Status for interfaces:

wl0.1 Plusnet VPN 2.4GHz Guest 1
----- (ASUS_Guest2) 2.4GHz Guest 2 ** Disabled **
----- (ASUS_Guest3) 2.4GHz Guest 3 ** Disabled **
wl1.1 Plusnet 5G 5GHz Guest 1
----- (ASUS_5G_Guest2) 5GHz Guest 2 ** Disabled **
----- (ASUS_5G_Guest3) 5GHz Guest 3 ** Disabled **
eth1 Plusnet 2.4GHz Network
eth2 Plusnet 5GHz Network

admin@Asus Router:/jffs/scripts# ./WiFiVPN.sh "Plusnet VPN" 1
[: VPN: unknown operand
[: VPN: unknown operand
[: VPN: unknown operand
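
The `[: VPN: unknown operand` lines above are consistent with a shell `[ ... ]` test that expands a variable without quotes, so that `Plusnet VPN` arrives as two operands even though it was quoted on the command line. The following is an added example, not code from the WiFiVPN script (which is not shown in this thread); the SSID table and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: how an SSID containing a space breaks an unquoted test.

# Constructed "interface SSID" pairs standing in for the router's settings.
ssid_table() {
    cat <<'EOF'
wl0.1 Plusnet VPN
wl1.1 Plusnet 5G
eth1 Plusnet
EOF
}

# Fragile: $ssid and $1 are unquoted, so the shell splits "Plusnet VPN"
# into two words and [ receives: Plusnet VPN = Plusnet VPN
# The test errors out (message hidden here) and nothing ever matches.
lookup_unquoted() {
    ssid_table | while read -r ifname ssid; do
        if [ $ssid = $1 ] 2>/dev/null; then
            echo "$ifname"
        fi
    done
}

# Hardened: every expansion is quoted, so each SSID stays one operand.
lookup_quoted() {
    ssid_table | while read -r ifname ssid; do
        if [ "$ssid" = "$1" ]; then
            echo "$ifname"
        fi
    done
}
```

`lookup_quoted "Plusnet VPN"` resolves the name to its interface, while `lookup_unquoted "Plusnet VPN"` finds nothing.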
 
I have sent you a link via PM.

Hi Martineau! Long time lurker, but never registered. I signed up specifically to give this a shot on my RT-AC68U with Merlin 380.69. Any chance you can PM me a link? Thanks in advance. Looking forward to taking this for a spin. Ideally want to have the normal 2.4/5ghz networks with no VPN. Then all 3 guest networks enabled with VPNs.
 
Hi Martineau! Long time lurker, but never registered. I signed up specifically to give this a shot on my RT-AC68U with Merlin 380.69. Any chance you can PM me a link? Thanks in advance. Looking forward to taking this for a spin. Ideally want to have the normal 2.4/5ghz networks with no VPN. Then all 3 guest networks enabled with VPNs.

I have sent you a link via PM.
 
I'm tinkering. Enabled SFTP / SSL / Telnet on my router. Setup 3 guest networks (UK / NL / ATL), each with 2.4/5ghz SSIDs. Configured the VPNs per your recommendations. Telnet in and ran the prescribed commands, but getting different answers than Carlo.

Can you post the output of these commands?

Code:
nvram get wan0_ifname
 
nvram get wan0_gw_ifname

nvram get pppoe_ifname

The responses I received, in order, are:
vlan2
vlan2
no response
 
Telnet in and ran the prescribed commands, but getting different answers than Carlo.

The responses I received, in order, are:
vlan2
vlan2
no response

Carlo has the RT-N66U, however, if you do not have a PPPoE configuration, the WAN interface name may be of the form eth0 or vlanX depending on the router and the features enabled in the GUI, and my script will hopefully accept either.

Can you issue
Code:
./WiFiVPN.sh   status   diag

and post the output.
 
Can you issue
Code:
./WiFiVPN.sh   status   diag

and post the output.

Output is as follows:
Code:
admin@RT-AC68U-79B0:/jffs/scripts# ./WiFiVPN.sh   status   diag

(WiFiVPN.sh): 5037 v1.03b (Non Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status diag]

        WiFi->VPN Configuration Diagnostics for interfaces:

        NVRAM lan_ifnames='vlan1 eth1 eth2
bridge name     bridge id               STP enabled     interfaces
br0             8000.54a050d079b0       yes             vlan1
                                                        eth1
                                                        eth2
br1             8000.54a050d079b1       no              wl0.1
                                                        wl1.1
br2             8000.54a050d079b2       no              wl0.2
                                                        wl1.2

        wl0.1   LuckyUK24G       2.4GHz Guest 1  (192.168.101.0/24) routed through tunnel VPN Client 1 (UK) using VPN DNS (198.18.0.1) via bridge:br1
br1             8000.54a050d079b1       no              wl0.1
                                                        wl1.1
        NVRAM lan1_ifname='br1'
        NVRAM lan1_ifnames='wl0.1 wl1.1'
-------------------
Synopsis:
It took me a little tinkering to figure this out. Frame of reference - I'm tech savvy, but I've never even run a single script on my router before. I ran into a few snags.
1 - When I saved the script direct from the web to a file and uploaded it, the router didn't like it. I created a new file from within the WinSCP browser, and then pasted the script into it. Resolved the issue.
2 - When you posted the example nat-start script to launch everything at router startup, you left off the leading bin sh stuff to open the script. I'm a dummy so I simply copy and pasted it - inexperience. I went back and mimicked Carlo's code though, and it's working perfectly now.
3 - Unrelated snafu - My VPN provider wouldn't let me run 3 simultaneous connections which threw me for a loop for a while. Figured it out after checking logs and some info on their site. Now I'm running 2 VPNs - ATL and UK. Each VPN has a 2.4ghz/5ghz SSID.

As far as VPNs - Everything seems to be working perfectly. If I restart the router, the VPNs come right back up. I also confirmed that when I'm connected to a VPN SSID, everything is flowing correctly over VPN via whatsmyip. DNS Leak test reports no leaks. I just wish BBC iPlayer would let me stream instead of recognizing my VPN now lol.

This script may be simple to you, but it's nothing short of incredible to me. Thank you so much for your efforts!
 
1 - When I saved the script direct from the web to a file and uploaded it, the router didn't like it. I created a new file from within the WinSCP browser, and then pasted the script into it. Resolved the issue.

Yes WinSCP is useful for managing the creation/editing of scripts on the router (simple copy'n'paste etc.), but (as the name implies) is only available for WIN platforms.

P.S. Correct script Encoding and the mandatory Unix LF (rather than the Windows CRLF) chars can be frustrating.:rolleyes:
2 - When you posted the example nat-start script to launch everything at router startup, you left off the leading bin sh stuff to open the script. I'm a dummy so I simply copy and pasted it - inexperience. I went back and mimicked Carlo's code though, and it's working perfectly now.
I have corrected this in my original post, but Carlo generously posted in detail how he managed to interpret my (less than perfect) instructions.;)

3 - Unrelated snafu - My VPN provider wouldn't let me run 3 simultaneous connections which threw me for a loop for a while. Figured it out after checking logs and some info on their site. Now I'm running 2 VPNs - ATL and UK. Each VPN has a 2.4ghz/5ghz SSID.

Sadly I don't believe there is a definitive list of VPN ISPs that explicitly forbid multiple concurrent connections or impose an arbitrary limit such as 2 in your case, and sadly my script is unable to detect this restriction :(

As far as VPNs - Everything seems to be working perfectly. If I restart the router, the VPNs come right back up. I also confirmed that when I'm connected to a VPN SSID, everything is flowing correctly over VPN via whatsmyip. DNS Leak test reports no leaks. I just wish BBC iPlayer would let me stream instead of recognizing my VPN now lol.

This script may be simple to you, but it's nothing short of incredible to me. Thank you so much for your efforts!

Glad to know that you got it working albeit with a reduced number of concurrent VPN connections, (although there is nothing to stop you trying the FREE vpnbook VPN as a third concurrent connection) and loss of BBC iPlayer streaming.

However, many thanks for testing the script and I may soon feel that I can publicly post the script given the positive feedback for the Beta version.
 
However, many thanks for testing the script and I may soon feel that I can publicly post the script given the positive feedback for the Beta version.

Thank YOU!

One last question - if I upgrade the Merlin firmware. Can I simply backup my settings, restore to defaults, upgrade, then restore my settings do you think? Or what’s the best route to go? I’d prefer to avoid redoing this all from scratch upon every firmware update.
 
One last question - if I upgrade the Merlin firmware. Can I simply backup my settings, restore to defaults, upgrade, then restore my settings do you think

Now that you know how to install scripts I highly recommend User NVRAM Save/Restore Utility (R26.2)

I always reset to factory defaults for each upgrade, and always restore /jffs/. I have only ever experienced one occasion where for some reason the NVRAM restore script appeared to cause unexplained issues, but a full reset and a manual re-entering the configuration data always (at least for me) has restored the expected stable router functionality.
 
