2 VPN Client and 2 WiFi SSID: how to route traffic

I ran the script and it did wonders (although it gave me a few errors - like client1.resolv, client2.resolv file doesn't exist, entry for iptable/ebtables, etc. - not sure why) - BUT it WORKS!!

Code:
awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory
iptables: No chain/target/match by that name.
awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory
awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory
iptables: No chain/target/match by that name.

(WiFiVPN.sh): 3360 WiFi (wl0.1) 2.4GHz Guest 1 WL1 (192.168.101.0/24) routed through tunnel VPN Client 1 (XVPN1) using WAN DNS (xxx.xx.xx.x) via bridge:br1

Normally VPN users are paranoid regarding DNS leaks, so usually the GUI option 'Accept DNS Configuration=EXCLUSIVE' is set for the VPN Client (which the script attempts to enforce), but it would appear in your case you're happy using your WAN ISP DNS, so you may be able to suppress the 'untidy' DNS errors by specifying the 'nodns' directive.
 
Normally VPN users are paranoid regarding DNS leaks, so usually the GUI option 'Accept DNS Configuration=EXCLUSIVE' is set for the VPN Client (which the script attempts to enforce), but it would appear in your case you're happy using your WAN ISP DNS, so you may be able to suppress the 'untidy' DNS errors by specifying the 'nodns' directive.
Thanks for your prompt response and expert advice. Accept DNS config was disabled from the VPN provider's script. I turned it to Exclusive as you suggested and it solved the problem. I've a few more queries and will look forward to your suggestions:
1. Do I still need to manually add the IP range in the VPN client policy rule to include 192.168.101.1/24?
2. If no, how can I also add 1 additional IP for my TV in the VPN policy rule that's on eth01 192.168.1.xxx so that it goes through VPN1?
3. Every time I reboot the router, settings are gone. Is there a way to retain them?
4. My internet connection is 1Gbps and normally I get around 400-500Mbps on WiFi and 900Mbps on LAN WITHOUT VPN. With VPN (have tried top 3 providers) though the speed reduces to 10-20Mbps. Is there anything I can try in the setup to improve speed?

Thanks again and have a nice day!!
 
Not sure if the absolute path to the brctl utility is different on the RT-AC86U? You could check by issuing:
Code:
which brctl
but the location is moot as sadly the RT-AC86U isn't compatible with the script see post #31
/bin/brctl

I did a search and replace to change all the references to /bin/brctl and the script runs through and looks ok but even though it says it's assigning
each eth1 1 and eth2 2 to different vpn clients both 2.4/5ghz bands end up under vpn client 1.

@RT-AC86U-9370:/jffs/scripts# ./wifivpn.sh eth1 1

(wifivpn.sh): 25281 v1.03b (Public Beta) © 2016-2017 Martineau, WiFi VPN Bridge request.....[eth1 1]
(wifivpn.sh): 25281 WiFi 2.4GHz Network requesting start of VPN Client 1 (Client 1)
(wifivpn.sh): 25281 Waiting for VPN Client 1 (Client 1) to connect.....
(wifivpn.sh): 25281 VPN Client 1 (Client 1) connect'd in 5 secs

(wifivpn.sh): 25281 WiFi (eth1) 2.4GHz Network (192.168.101.0/24) routed through tunnel VPN Client 1 (Client 1) using VPN DNS (103.86.96.100) via bridge:br1

Any idea what else would have to be changed in order for it to work properly, or am I beating a dead horse?
 
I did a search and replace to change all the references to
Code:
/bin/brctl
OK thanks......it probably isn't a good idea (even if it is more efficient/faster?) to always use absolute paths in scripts to utilities. :oops:
The script runs through and looks ok but even though it says it's assigning each eth1 1 and eth2 2 to different vpn clients both 2.4/5ghz bands end up under vpn client 1.

Have you set up selective routing correctly for both VPN Clients using the GUI? see post #65
and also issue
Code:
./WiFiVPN.sh   status   diag
or you could try my crude VPN configuration checker ChkVPNConfig.sh see post #83
Any idea what else would have to be changed in order for it to work properly, or am I beating a dead horse?

The lack of robocfg prevents the creation of VLANs (using bridges) which ultimately also allows the use of router switch ports to be assigned to the custom WiFi VPN mapping (you may be able to use the 'nobridge' directive) but not having the RT-AC86U I can't really comment further.
 
1. Do I still need to manually add the IP range in the VPN client policy rule to include 192.168.101.1/24?
2. If no, how can I also add 1 additional IP for my TV in the VPN policy rule that's on eth01 192.168.1.xxx so that it goes through VPN1?
You need to configure the Selective Routing of LAN devices via the GUI.
3. Every time I reboot the router, settings are gone. Is there a way to retain them?
Use /jffs/scripts/nat-start to call WiFiVPN.sh
4. My internet connection is 1Gbps and normally I get around 400-500Mbps on WiFi and 900Mbps on LAN WITHOUT VPN. With VPN (have tried top 3 providers) though the speed reduces to 10-20Mbps. Is there anything I can try in the setup to improve speed?
You should check the VPN performance threads e.g.
OpenVPN slow on AC-86U with Merlin firmware
OpenVPN performance of the RT-AC86U
OpenSSL/OpenVPN Performance - CBC and GCM ciphers
etc.
 
The selective routing option on VPN client setup doesn't work for 192.168.1.xx IPs. Am I missing something?

Assuming you have added entries 192.168.1.xx to the Selective Routing GUI, then the appropriate RPDB rules will be applied.

You can check the configuration
Code:
./WiFiVPN.sh   status   diag

Delete this WiFi->VPN configuration? [ Type 'del' ] >
Show   this WiFi VPN configuration? [ Y/N ] > y
and you should see the GUI entries 192.168.1.xx listed under the heading 'RPDB rules'
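An added example, not part of WiFiVPN.sh, that makes the 'RPDB rules' check concrete: given output in the format of `ip rule`, it reports which routing table a LAN client's traffic is sent to, so a Selective Routing entry can be confirmed rather than assumed. The sample rules and their priorities are constructed; the table names ovpnc1/ovpnc2 are Asuswrt-Merlin's names for VPN Client 1 and 2.

```shell
#!/bin/sh
# Added example, not part of WiFiVPN.sh. Reads rules in the format printed
# by `ip rule` and reports the routing table a given LAN client is sent to.

# Constructed sample of `ip rule` output. On the router use: RULES=$(ip rule)
# Table names follow Asuswrt-Merlin (ovpnc1 = VPN Client 1, ovpnc2 = VPN Client 2).
SAMPLE_RULES='0:      from all lookup local
10010:  from 192.168.1.50 lookup ovpnc1
10020:  from 192.168.1.60 lookup ovpnc2
10030:  from 192.168.101.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# rpdb_table_for RULES CLIENT_IP
# Prints the table named by the first rule whose source matches CLIENT_IP,
# either as a host or as the client's /24, and "main" when no rule matches.
# `ip rule` lists ascending priority, so the first hit is the one the kernel uses.
rpdb_table_for() {
    rules=$1; ip=$2
    net24="$(echo "$ip" | cut -d. -f1-3).0/24"
    echo "$rules" | awk -v ip="$ip" -v net="$net24" '
        !found && $2 == "from" && ($3 == ip || $3 == net) && $4 == "lookup" {
            print $5; found = 1
        }
        END { if (!found) print "main" }'
}

# routed_via RULES CLIENT_IP TABLE -> exit 0 when CLIENT_IP resolves to TABLE
routed_via() {
    [ "$(rpdb_table_for "$1" "$2")" = "$3" ]
}

# Walk a few constructed clients through the sample rules
for client in 192.168.1.50 192.168.1.60 192.168.101.7 192.168.1.99; do
    echo "$client -> $(rpdb_table_for "$SAMPLE_RULES" "$client")"
done
```

A client that prints `main` has no RPDB entry and leaves via the WAN regardless of what the VPN client's GUI page shows.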
 
I see it now and it WORKS!!
Thanks for all your advice, you've been quite instrumental in coding the scripts and helping others!!

One last question from my side:
Given that I'm getting v poor VPN speeds I'm inclined to try Proxy services. Is there a way to configure wifi1, wifi2 etc with diff DNS values maintaining individual DHCP assignments 192.168.101/102 etc (without using VPN)?

Thanks once again. You already helped me configure my dream setup!!
 
I see it now and it WORKS!!
Thanks for all your advice, you've been quite instrumental in coding the scripts and helping others!!

One last question from my side:
Given that I'm getting v poor VPN speeds I'm inclined to try Proxy services. Is there a way to configure wifi1, wifi2 etc with diff DNS values maintaining individual DHCP assignments 192.168.101/102 etc (without using VPN)?

A Smart DNS subscription is by far the most efficient method, assuming that the services you need to access don't block them and the VPN obfuscation isn't required.

Defining the SMART DNS in dnsmasq is easy, but it is indeed possible to specify different DNS servers for your LAN devices either via the GUI (AiProtection->DNS-filtering) or manually editing /jffs/configs/dnsmasq.conf.add

Your observed VPN throughput speed does seem extremely low, but the RT-AC88 (without a hardware crypto) apparently can achieve 75Mbps see Poor VPN speed when using Asus OpenVPN Client vs. 200Mbps for the hardware enabled RT-AC86 which is still quite a dramatic hit on a 1Gbps connection.

Different VPN ISPs or even different nodes within a VPN ISP's infrastructure can vary in speed so unfortunately it can be a tedious process to fine-tune and optimise the VPN connection, as sadly there isn't a one-fit solution for all.
 
I see it now and it WORKS!!
Thanks for all your advice, you've been quite instrumental in coding the scripts and helping others!!

One last question from my side:
Given that I'm getting v poor VPN speeds I'm inclined to try Proxy services. Is there a way to configure wifi1, wifi2 etc with diff DNS values maintaining individual DHCP assignments 192.168.101/102 etc (without using VPN)?

Thanks once again. You already helped me configure my dream setup!!
You could always give my script a go https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-networks.45924/
 
A Smart DNS subscription is by far the most efficient method, assuming that the services you need to access don't block them and the VPN obfuscation isn't required.

Defining the SMART DNS in dnsmasq is easy, but it is indeed possible to specify different DNS servers for your LAN devices either via the GUI (AiProtection->DNS-filtering) or manually editing /jffs/configs/dnsmasq.conf.add

Your observed VPN throughput speed does seem extremely low, but the RT-AC88 (without a hardware crypto) apparently can achieve 75Mbps see Poor VPN speed when using Asus OpenVPN Client vs. 200Mbps for the hardware enabled RT-AC86 which is still quite a dramatic hit on a 1Gbps connection.

Different VPN ISPs or even different nodes within a VPN ISP's infrastructure can vary in speed so unfortunately it can be a tedious process to fine-tune and optimise the VPN connection, as sadly there isn't a one-fit solution for all.
Thanks again for all the advice!!
 
Thanks again for all the advice!!
Hi Again - I have to come back for your expert opinion as I still can't make some things work.
I know this thread is for VPN connections, but given that I'm not getting the speed that I expect through VPN, I'm now trying Smart DNS/proxy services.
I expect it to be a simple configuration, but I'm struggling and appreciate any advice.
To set up a guest WiFi SSID which supplies DHCP IP addresses e.g. 192.168.101.x and uses the specific DNS from the Smart DNS provider.

The idea is to open the network for this special DNS only for the devices that connect to this WiFi SSID.

Any thoughts on how this can be achieved?
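An added example (not code from WiFiVPN.sh, YazFi or the Asuswrt-Merlin firmware) of the per-SSID DNS setup that the earlier dnsmasq.conf.add answer and this guest-SSID question both describe: it emits an interface-scoped dnsmasq fragment so that only leases handed out on one guest SSID carry the Smart DNS server, while the main LAN keeps the router's resolver. The interface wl0.1, subnet 192.168.101.0/24, tag name guest101 and DNS address 203.0.113.53 are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not code from WiFiVPN.sh, YazFi or the Asuswrt-Merlin firmware.
# Emits an interface-scoped dnsmasq fragment so that only clients on one guest
# SSID receive a particular DNS server. wl0.1, 192.168.101.0/24, the tag name
# guest101 and the DNS address 203.0.113.53 are assumed placeholder values.

# is_ipv4 ADDR -> exit 0 when ADDR is a dotted quad with every octet in 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# guest_dns_fragment IFACE TAG PREFIX DNS -> dnsmasq configuration on stdout
# PREFIX is the first three octets of the guest /24, e.g. 192.168.101
guest_dns_fragment() {
    iface=$1; tag=$2; prefix=$3; dns=$4
    is_ipv4 "$prefix.1" || return 1
    is_ipv4 "$dns" || return 1
    # dnsmasq picks the dhcp-range whose subnet contains the address of the
    # interface the request arrived on, so wl0.1 must hold $prefix.1 (the
    # status output in this thread shows the guest SSID on 192.168.101.0/24).
    printf 'interface=%s\n' "$iface"
    # set: tags every lease from this range; tag: limits the options below to
    # those leases, so the main LAN never receives this DNS server
    printf 'dhcp-range=set:%s,%s.2,%s.254,255.255.255.0,24h\n' "$tag" "$prefix" "$prefix"
    printf 'dhcp-option=tag:%s,3,%s.1\n' "$tag" "$prefix"   # option 3: gateway
    printf 'dhcp-option=tag:%s,6,%s\n' "$tag" "$dns"        # option 6: DNS server
}

# On the router: append to the file the thread names, then reload dnsmasq
# (`service restart_dnsmasq` is the Asuswrt-Merlin way to do that).
if [ "${1:-}" = "install" ]; then
    guest_dns_fragment wl0.1 guest101 192.168.101 203.0.113.53 >> /jffs/configs/dnsmasq.conf.add \
        && service restart_dnsmasq
else
    guest_dns_fragment wl0.1 guest101 192.168.101 203.0.113.53
fi
```

Run it without arguments to preview the four lines, and with `install` on the router to append them; a client on wl0.1 should then show 203.0.113.53 as its resolver while a wired client still shows the router.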
 
Hi Martineau.

Some Background
I have two ASUS RT-AC68U. I need to support three SSIDs. Initially, I thought I could use AiMesh, but since the Guest Networks are only supported on the main router unit and will not propagate to any additional nodes I had to take a different approach. The main unit has SSID1, SSID2 (Guest network), and SSIDextend (Guest); the second unit connects to the main unit over the SSIDextend and is in Repeater Mode to serve SSID3.
For each of the SSIDs, I have a 2.4GHz and 5GHz flavor.

I was going to use your script to bridge the 2.4GHz and 5GHz of the SSID. This is so that a phone/tablet can use the 5GHz, but still see the 2.4GHz devices like Sonos.

I was going to test your script first on my router that is in Repeater mode, to bridge the SSID3 + SSID3 5GHz, but found the script says Repeater Mode not supported. What was the reason for the restriction?
Are there just some features of your script that were difficult to support in other operating modes? Or is bridging somehow just not possible on the router in Repeater mode?

Two other things I'm hoping to configure with your scripts are:
- main router bridging SSID1 + SSID1 5GHz + LAN port(s)
- Configure the failover of Secondary WAN to only route to the bridged SSID1 + SSID1 5GHz + LAN

Main router status:
Code:
./wifivpn.sh_v1.0x_beta.sh

(wifivpn.sh_v1.0x_beta.sh): 7270 v1.03b (Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[]

WiFi->VPN Configuration Status for interfaces:

wl0.1 MiradorMarkos 2.4GHz Guest 1
----- (AlcobaMarkos) 2.4GHz Guest 2 ** Disabled **
----- (ASUS_Guest3) 2.4GHz Guest 3 ** Disabled **
wl1.1 MiradorMarkos_5G 5GHz Guest 1
wl1.2 MarkosExtend 5GHz Guest 2
----- (ASUS_5G_Guest3) 5GHz Guest 3 ** Disabled **
eth1 DosMarkos 2.4GHz Network
eth2 DosMarkos_5G 5GHz Network


Sorry for the newbie questions.
 
I was going to test your script first on my router that is in Repeater mode, to bridge the SSID3 + SSID3 5GHz, but found the script says Repeater Mode not supported.

What was the reason for the restriction?

Are there just some features of your script that were difficult to support in other operating modes? Or is bridging somehow just not possible on the router in Repeater mode?

I have never used repeater mode, but clearly when not in standard router mode some router features are disabled.
However, feel free to modify the script to remove the Repeater mode check, and see if WiFiVPN.sh works in repeater mode.

Two other things I'm hoping to configure with your scripts are:
- main router bridging SSID1 + SSID1 5GHz + LAN port(s)

I wrote VLANSwitch.sh to either bridge SSIDs (routed via a VPN Client) with a specific router switch port or to create a separate VLAN subnet on a router switch port, so it should be possible to achieve your desired bridge-map.
 
Hi Martineau,

I've seen a lot of valuable tips from you in the forum but I just can't figure out how to solve my desired setup.

My top priority :
1. to make the guest networks work in pairs regardless of frequency, i.e. wl0.1 and wl1.1 can reach each other.
(Sonos and Chromecast are not reachable from clients connected to the wrong 2.4/5GHz).
2. (less important) let users of the guest network access main network resources, e.g. Printer.

I have downloaded both your scripts wifivpn.sh and vlanswitch.sh. I have tried a lot of things but failed. I guess the common thing to all my tries is that I ended up not being able to connect to the guest network(s) at all.

If you could give me specific commands, I would be very grateful. Or something that leads me towards making this happen :)

Best regards,
Tobias
 
My top priority :
1. to make the guest networks work in pairs regardless of frequency, i.e. wl0.1 and wl1.1 can reach each other.
(Sonos and Chromecast are not reachable from clients connected to the wrong 2.4/5GHz).
2. (less important) let users of the guest network access main network resources, e.g. Printer.

I have downloaded both your scripts wifivpn.sh and vlanswitch.sh. I have tried a lot of things but failed. I guess the common thing to all my tries is that I ended up not being able to connect to the guest network(s) at all.

Not sure if you have the latest WiFiVPN.sh script, but the following should achieve your desired configuration:
e.g. where xxx.xxx.xxx.xxx is the LAN printer you wish to share
Code:
./WiFiVPN.sh wl0.1 novpn lanip=xxx.xxx.xxx.xxx autodnsmasq

./WiFiVPN.sh wl1.1 novpn lanip=xxx.xxx.xxx.xxx autodnsmasq

./WiFiVPN.sh wl0.1 wl1.1 join
 
Not sure if you have the latest WiFiVPN.sh script, but the following should achieve your desired configuration:
e.g. where xxx.xxx.xxx.xxx is the LAN printer you wish to share
Code:
./WiFiVPN.sh wl0.1 novpn lanip=xxx.xxx.xxx.xxx autodnsmasq

./WiFiVPN.sh wl1.1 novpn lanip=xxx.xxx.xxx.xxx autodnsmasq

./WiFiVPN.sh wl0.1 wl1.1 join
I knew you are quick replying, kind of thought that the vibration during my cinema visit was your reply :) (or car theft, break in our house, fire detectors - trying to hook up as much as possible online).
Thanks a lot, will try the latest wifivpn.sh (1.0.9) script.
 