2 VPN Client and 2 WiFi SSID: how to route traffic

Hello Martineau,

I have tried a few times to make it work, but unfortunately it does not. The guest networks do not talk to each other. I started with the simplest possible solution and did not provide any lanip. Could that be a problem?
I have performed a factory reset (with and without loading back saved router settings).

Code:
nimda@RT-AC68U-DC28:/jffs/scripts# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.40167ea1dc28       yes             vlan1
                                                        eth1
                                                        eth2
br1             8000.40167ea1dc29       no              wl0.1
br2             8000.40167ea1dc2d       no              wl1.1

Code:
nimda@RT-AC68U-DC28:/jffs/scripts# ./wifivpn.sh status

(wifivpn.sh): 2918 v1.09 non-Public Beta © 2016-2018 Martineau, WiFi status request.....[status]


        WiFi Configuration Status for interfaces:

        wl0.1   HolyGrail Guest  2.4GHz Guest 1  (***ERROR no entry in table 111; br1 NOT) routed through tunnel VPN Client 1 (***ERROR VPN is DOWN) is MISSING a valid DNS entry in '-t nat DNSVPN1' via Bridge: br1
        -----   (ASUS_Guest2)    2.4GHz Guest 2  ** Disabled **
        -----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
        wl1.1   HolyGrail Guest 5GHz 5GHz   Guest 1  (***ERROR no entry in table 112; br2 NOT) routed through tunnel VPN Client 2 (***ERROR VPN is DOWN) is MISSING a valid DNS entry in '-t nat DNSVPN2' via Bridge: br2
        -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
        -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
        eth1    HolyGrail        2.4GHz Network
        eth2    HolyGrail 5GHz   5GHz   Network
Some values from NVRAM (please tell me if you need to see some more).
Code:
br0_ifnames=vlan1 eth1 eth2 wl0.1 wl1.1
lan1_ifnames=wl0.1
lan2_ifnames=wl1.1

FYI: I don't see references to any vlan for either wl0.1 or wl1.1.
Any ideas?
 
So to recap.

You have mapped wl0.1 through VPN Client 1, and wl1.1 through VPN Client 2 but you want clients to communicate?

Hopefully you have tested - assuming you have added the specific client IPs (or subnet for ALL clients) to the appropriate Selective Routing GUI:

1. When a client connects to 2.4Ghz Guest #1 it can access the Internet via VPN Client 1?
2. When a client connects to 5Ghz Guest #1 it can access the Internet via VPN Client 2?​

(The above basic functionality has worked since v1.03b)

However, only later versions include the 'lanip=' and 'join=' options.
e.g.
Code:
./WiFiVPN.sh wl0.1 wl1.1 join
So depending on the use of the two options, additional rules will be added.
Please provide the output from:
Code:
iptables --line -t filter -nvL MyVLANs
 
Hi again,

I am sorry if I mess anything up here in this thread, as I am not interested yet in adding any VPNs. In the future, very likely, but at least not now. (But I do have a long wish list :))

So to recap.
You have mapped wl0.1 through VPN Client 1, and wl1.1 through VPN Client 2 but you want clients to communicate?
I issued these commands which I believe should bypass VPN:
Code:
./wifivpn.sh wl0.1 novpn autodnsmasq
./wifivpn.sh wl1.1 novpn autodnsmasq
./wifivpn.sh wl0.1 wl1.1 join

Hopefully you have tested - assuming you have added the specific client IPs (or subnet for ALL clients) to the appropriate Selective Routing GUI:

1. When a client connects to 2.4Ghz Guest #1 it can access the Internet via VPN Client 1?
2. When a client connects to 5Ghz Guest #1 it can access the Internet via VPN Client 2?​
I have tested that both bands successfully can reach the internet.

Please provide the output from:
Code:
iptables --line -t filter -nvL MyVLANs

Here it is:
Code:
 iptables --line -t filter -nvL MyVLANs
Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     1655  441K ACCEPT     all  --  br2    vlan2   0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  vlan2  br2     0.0.0.0/0            0.0.0.0/0
3     4068 1343K ACCEPT     all  --  br1    vlan2   0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  vlan2  br1     0.0.0.0/0            0.0.0.0/0

The problem with the above is that it looks good to me ;-) but I am merely a novice when it comes to routing.
 
Thanks, but I don't understand why your status command shows references to the two VPNs :confused:, rather than this:
Code:
./wifivpn.sh status

(wifivpn.sh): 2918 v1.09 non-Public Beta © 2016-2018 Martineau, WiFi status request.....[status]
        WiFi Configuration Status for interfaces:
        wl0.1   HolyGrail Guest  2.4GHz Guest 1  (xxx.xxx.101.0/24) via non-VPN bridge:br1
        -----   (ASUS_Guest2)    2.4GHz Guest 2  ** Disabled **
        -----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
        wl1.1   HolyGrail Guest 5GHz 5GHz   Guest 1  (xxx.xxx.102.0/24) via non-VPN bridge:br2
        -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
        -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
        eth1    HolyGrail        2.4GHz Network
        eth2    HolyGrail 5GHz   5GHz   Network
Also if you have issued the 'join' then two rules should have been inserted at the top of the MyVLANs chain (also the two explicit DROP br1 to br0 and br2 to br0 seem to be missing?:confused:)
e.g.
Code:
iptables  --line -t filter -nvL MyVLANs

Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 ACCEPT     all  --  br2    br1     0.0.0.0/0            0.0.0.0/0            state NEW /* Join wl1.1 to wl0.1 */
2        0     0 ACCEPT     all  --  br1    br2     0.0.0.0/0            0.0.0.0/0            state NEW /* Join wl0.1 to wl1.1 */
3     1655  441K ACCEPT     all  --  br2    vlan2   0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  vlan2  br2     0.0.0.0/0            0.0.0.0/0
5     4068 1343K ACCEPT     all  --  br1    vlan2   0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  vlan2  br1     0.0.0.0/0            0.0.0.0/0
Can you try inserting the rules manually
e.g.
Code:
iptables -I MyVLANs -i br1 -o br2 -m state --state NEW,ESTABLISHED -m comment --comment "Join wl0.1 to wl1.1" -j ACCEPT

iptables -I MyVLANs -i br2 -o br1 -m state --state NEW,ESTABLISHED -m comment --comment "Join wl1.1 to wl0.1" -j ACCEPT
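As an added example (this is not Martineau's code and not part of WiFiVPN.sh), the following shell script audits a MyVLANs listing the way the post above does by hand: it reports whether the two 'join' ACCEPT rules are present, prints the iptables commands still needed for whichever direction is missing, and warns when the explicit DROP br1/br2 to br0 isolation rules are absent, since joining the two guest bridges must not also open them towards the main LAN. The two embedded chain listings are constructed from the output posted in this thread; the '--live' switch, the function names and the warning text are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of WiFiVPN.sh): audit the MyVLANs chain for the
# rules the 'join' option should have created and print the iptables
# commands that would add whichever are missing.  The listing is handled as
# text so the script can be exercised offline against a sample; on the router
# run it with '--live' to read 'iptables --line -t filter -nvL MyVLANs'.

# Constructed sample: the chain as posted in the thread BEFORE the join rules.
SAMPLE_BEFORE='Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     1655  441K ACCEPT     all  --  br2    vlan2   0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  vlan2  br2     0.0.0.0/0            0.0.0.0/0
3     4068 1343K ACCEPT     all  --  br1    vlan2   0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  vlan2  br1     0.0.0.0/0            0.0.0.0/0'

# Constructed sample: the same chain as it should look after a successful join.
SAMPLE_AFTER='Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  br2    br1     0.0.0.0/0            0.0.0.0/0            state NEW /* Join wl1.1 to wl0.1 */
2        0     0 ACCEPT     all  --  br1    br2     0.0.0.0/0            0.0.0.0/0            state NEW /* Join wl0.1 to wl1.1 */
3     1655  441K ACCEPT     all  --  br2    vlan2   0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  vlan2  br2     0.0.0.0/0            0.0.0.0/0
5     4068 1343K ACCEPT     all  --  br1    vlan2   0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  vlan2  br1     0.0.0.0/0            0.0.0.0/0'

# rule_exists LISTING TARGET IN OUT -> 0 if a rule with that target/in/out is
# present.  Handles both the 'iptables -nvL' and 'iptables --line -nvL' layouts.
rule_exists() {
    printf '%s\n' "$1" | awk -v tgt="$2" -v in_if="$3" -v out_if="$4" '
        NR <= 2 { next }                         # skip "Chain ..." and header rows
        $3 ~ /^[A-Z]/ { t=$3; i=$6; o=$7 }       # layout without --line numbers
        $3 !~ /^[A-Z]/ { t=$4; i=$7; o=$8 }      # layout with --line numbers
        t == tgt && i == in_if && o == out_if { found=1; exit }
        END { if (found) exit 0; exit 1 }'
}

# join_cmds LISTING BR_A WL_A BR_B WL_B -> prints the iptables commands still
# needed to let the two guest bridges talk to each other (one per direction).
join_cmds() {
    listing=$1; br_a=$2; wl_a=$3; br_b=$4; wl_b=$5
    rule_exists "$listing" ACCEPT "$br_a" "$br_b" ||
        echo "iptables -I MyVLANs -i $br_a -o $br_b -m state --state NEW,ESTABLISHED -m comment --comment \"Join $wl_a to $wl_b\" -j ACCEPT"
    rule_exists "$listing" ACCEPT "$br_b" "$br_a" ||
        echo "iptables -I MyVLANs -i $br_b -o $br_a -m state --state NEW,ESTABLISHED -m comment --comment \"Join $wl_b to $wl_a\" -j ACCEPT"
}

# isolation_ok LISTING BR -> 0 if the guest bridge is still explicitly DROPped
# towards br0 (the main LAN), i.e. joining the guests did not open the LAN.
isolation_ok() {
    rule_exists "$1" DROP "$2" br0
}

# On the router use the live chain ('--live'), otherwise the constructed sample.
if [ "${1:-}" = "--live" ]; then
    LISTING=$(iptables --line -t filter -nvL MyVLANs 2>/dev/null) || LISTING=
else
    LISTING=$SAMPLE_BEFORE
fi
join_cmds "$LISTING" br1 wl0.1 br2 wl1.1
for br in br1 br2; do
    isolation_ok "$LISTING" "$br" ||
        echo "# WARNING: no 'DROP $br -> br0' rule; guest $br is not isolated from the main LAN"
done
```

Run without arguments it prints the two missing join commands for the posted listing plus the two isolation warnings; with `--live` it does the same against the router's current chain, so the printed commands can be reviewed before being pasted in.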
 
Thank you very much for helping me (and hopefully a bunch of people struggling with the same challenges)!
There was a problem with the two supplied lines:
Code:
nimda@RT-AC68U-DC28:/jffs/scripts# iptables -I MyVLANs -i br2 -o br1 -m state --state NEW,ESTABLISHED -m comment --comment "Join wl1.1 to wl0.1" -j ACCEPT
iptables: No chain/target/match by that name.
 
I believe your requirements are a specific edge case! :D

Can you try explicitly loading the iptables 'comment' module
Code:
modprobe xt_comment.ko

modprobe -D xt_comment.ko
then try to add the rules again.
 
Hi Martineau

I have enabled Guest 1 & Guest 2 Wifi and have Client 1 & 2 VPNs but am getting a syntax error
Code:
ASUSWRT-Merlin RT-AC68U 384.8-2 Sat Dec  8 18:18:10 UTC 2018
admin@RT-AC68U-CFC8:/tmp/home/root# cd /jffs/scripts
admin@RT-AC68U-CFC8:/jffs/scripts# nano
admin@RT-AC68U-CFC8:/jffs/scripts# chmod a+rx /jffs/scripts/*
admin@RT-AC68U-CFC8:/jffs/scripts# ls -t
WiFiVPN
admin@RT-AC68U-CFC8:/jffs/scripts# ./WiFiVPN.sh -h
-sh: ./WiFiVPN.sh: not found
admin@RT-AC68U-CFC8:/jffs/scripts# /jffs/scripts/WiFiVPN.sh
-sh: /jffs/scripts/WiFiVPN.sh: not found
admin@RT-AC68U-CFC8:/jffs/scripts# /jffs/scripts/WiFiVPN
/jffs/scripts/WiFiVPN: line 4: syntax error: unexpected ")"
admin@RT-AC68U-CFC8:/jffs/scripts#
What am I doing wrong? :oops:
 
Three possibilities:

Confirm the script actually exists with the expected name/executable attributes:
Code:
ls  -lah /jffs/scripts
or
Code:
sh -v /jffs/scripts/WiFiVPN.sh -h
1. First line is not
Code:
#!/bin/sh
Try
Code:
sh /jffs/scripts/WiFiVPN.sh -h
2. Script is not Unix format or the Encoding is invalid.
However, if you used the router's nano editor then this shouldn't be the cause?
Try
Code:
dos2unix /jffs/scripts/WiFiVPN.sh
3. You have inadvertently introduced a typo in the code when you copied it?
Try downloading or copy'n'paste the script again but use say WinSCP's editor (or notepad++)
 
Hi Martineau
So I thought I would start from scratch

Still not working with - line 4: syntax error: unexpected ")" :(

1st Attempt I saved as 'WiFiVPN' in nano via Notepad++ (Copy/Paste into Nano):

Code:
/tmp/home/root# cd /jffs/scripts
/jffs/scripts# ls  -lah /jffs/scripts
drwxr-xr-x    2 admin    root           0 Jan 22 17:44 .
drwxr-xr-x    9 admin    root           0 Jan 22 17:47 ..
-rw-rw-rw-    1 admin    root       44.5K Jan 22 17:44 WiFiVPN
/jffs/scripts# chmod a+rx /jffs/scripts/*
/jffs/scripts# ls  -lah /jffs/scripts
drwxr-xr-x    2 admin    root           0 Jan 22 17:44 .
drwxr-xr-x    9 admin    root           0 Jan 22 17:47 ..
-rwxrwxrwx    1 admin    root       44.5K Jan 22 17:44 WiFiVPN
/jffs/scripts# sh -v /jffs/scripts/WiFiVPN.sh -h
sh: can't open '/jffs/scripts/WiFiVPN.sh'
/jffs/scripts# sh /jffs/scripts/WiFiVPN -h
/jffs/scripts/WiFiVPN: line 4: syntax error: unexpected ")"
/jffs/scripts# dos2unix /jffs/scripts/WiFiVPN
/jffs/scripts# sh /jffs/scripts/WiFiVPN -h
/jffs/scripts/WiFiVPN: line 4: syntax error: unexpected ")"
/jffs/scripts#

2nd Attempt, assuming a typo and that maybe I should name it 'WiFiVPN.sh': I re-downloaded wifivpn.sh_v1.0x_beta.sh and deleted 'WiFiVPN':

Code:
/jffs/scripts# rm WiFiVPN
/jffs/scripts#  ls  -lah /jffs/scripts
drwxr-xr-x    2 admin    root           0 Jan 22 17:57 .
drwxr-xr-x    9 admin    root           0 Jan 22 17:53 ..
/jffs/scripts# nano
/jffs/scripts# chmod a+rx /jffs/scripts/*
/jffs/scripts# ls  -lah /jffs/scripts
drwxr-xr-x    2 admin    root           0 Jan 22 17:59 .
drwxr-xr-x    9 admin    root           0 Jan 22 17:53 ..
-rwxrwxrwx    1 admin    root       44.5K Jan 22 17:59 WiFiVPN.sh
/jffs/scripts# sh -v /jffs/scripts/WiFiVPN.sh -h
#!/bin/sh
VER="v1.03b (Public Beta)"
#==============================================================================
© 2016-2018 Martineau, v01.03b Public Beta)
/jffs/scripts/WiFiVPN.sh: line 4: syntax error: unexpected ")"
/jffs/scripts#

Dunno what's happening. I will try a factory reset and start all over? I suppose that this has nothing to do with v.1.03b :oops:
Also does it make a difference activating the OpenVPN client before installing your script?
 
Also does it make a difference activating the OpenVPN client before installing your script?
No.....although the script will ensure that the VPN is actually configured and will automatically start the VPN if it is DOWN. (NOTE: This behaviour may not be what you desire.)
I will try a factory reset and start all over?
NO! :eek:.....I severely doubt a reset to factory default would fix a script execution error, so such drastic action would be a complete waste of time. o_O

When I first posted scripts on Pastebin, despite the various options provided by the Pastebin GUI, users apparently had difficulty downloading the scripts in the correct format.

Consequently I did write a simple script (before dos2unix was formally added to the firmware) for anyone that regularly needs to retrieve any of my scripts:

Code:
#!/bin/sh
VER="v1.01"
#======================================================================================= © 2018 Martineau v1.01
#
# Retrieve Script from Pastebin
#
#     PastebinScript.sh   [help | -h] {script_name pastebin_id}
#
#     PastebinScript.sh   test.sh g3CAuCBi
#
#                        v1.01 © 2016-2018 Martineau. Get Pastebin script 'junk.sh'.... https://pastebin.com/raw.php?i=g3CAuCBi
#
#                         % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
#                                                        Dload  Upload   Total   Spent    Left  Speed
#                         0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
#                       100 11313    0 11313    0     0  59542      0 --:--:-- --:--:-- --:--:-- 59542

Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}
SayT(){
   echo -e $$ $@ | logger -t "($(basename $0))"
}
#
# Print between line beginning with'#==' to first blank line inclusive
ShowHelp() {
    /usr/bin/awk '/^#==/{f=1} f{print; if (!NF) exit}' $0
}
ANSIColours() {
    cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m";cFGRESET="\e[39m"
    cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
    aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
    aBOLDr="\e[21m";aDIMr="\e[22m";aUNDERr="\e[24m";aBLINKr="\e[25m";aREVERSEr="\e[27m"
    cWRED="\e[41m";cWGRE="\e[42m";cWYEL="\e[43m";cWBLU="\e[44m";cWMAG="\e[45m";cWCYA="\e[46m";cWGRA="\e[47m"
    cYBLU="\e[93;48;5;21m"
    xHOME="\e[H";xERASE="\e[2J";xERASEDOWN="\e[J";xERASEUP="\e[1J";xCSRPOS="\e[s";xPOSCSR="\e[u";xERASEEOL="\e[K"
}
Get_Router_Model() {
 # Contribution by @loneleycoder as odmpid is blank for non SKU hardware,
 local HARDWARE_MODEL
 [ -z "$(nvram get odmpid)" ] && HARDWARE_MODEL=$(nvram get productid) || HARDWARE_MODEL=$(nvram get odmpid)
 echo $HARDWARE_MODEL
}
Main(){
    DUMMY=
}
#==========================================Main================================================================
ANSIColours
FIRMWARE=$(echo $(nvram get buildno) | awk 'BEGIN { FS = "." } {printf("%03d%02d",$1,$2)}')
HARDWARE_MODEL=$(Get_Router_Model)
# Need assistance ?
if [ "$1" == "-h" ] || [ "$1" == "help" ];then
    echo -e $cBWHT
    ShowHelp
    echo -e $cRESET
    exit 0
fi
echo -e $cBWHT
Say $VER "© 2016-2018 Martineau. Get Pastebin script '$1'.... https://pastebin.com/raw.php?i=$2 "
echo -en $cBRED
if [ -z "$1" ] || [ -z "$2" ];then
 echo -e $cBRED"\a\t\t***ERROR Missing args requires both 'script_name' and 'pastebin_id' e.g. 'test.sh g3CAuCBi'\n"$cRESET
 exit 99
fi
SCRIPT_FN="/jffs/scripts/"$1
rm -f $SCRIPT_FN
# Easier to use wget to check existence of Pastebin file.....
if wget --spider https://pastebin.com/raw.php?i=$2 2>/dev/null; then
    echo -en $cBGRE
    # NOTE: '-k' tells curl to skip TLS certificate verification, so the download is
    # not protected against a man-in-the-middle; 'tr -d' strips CR (DOS line endings)
    curl -kL https://pastebin.com/raw.php?i=$2 | tr -d '\r' > $SCRIPT_FN
    echo -en $cBRED
    chmod +x $SCRIPT_FN
else
    SayT "***ERROR Pastebin file ' https://pastebin.com/raw.php?i=$2' does NOT exist?"
    echo -e $cBRED"\a\n\t\t***ERROR Pastebin file $aREVERSE'https://pastebin.com/raw.php?i=$2'$aREVERSEr does NOT exist?\n"
fi
echo -e $cRESET
exit 0

So you could see if you can correctly create the script PastebinScript.sh, then use the script to download a test copy of WiFiVPN.sh
e.g.
Code:
 ./PastebinScript.sh junk.sh 94Gf5hru

(PastebinScript.sh): 10525 v1.01 © 2016-2018 Martineau. Get Pastebin script 'junk.sh'.... https://pastebin.com/raw.php?i=94Gf5hru
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 46489    0 46489    0     0   170k      0 --:--:-- --:--:-- --:--:--  170k

./junk.sh -h

#============================================================================== © 2016-2018 Martineau, v01.03b Public Beta)
#
# Configure a Wifi interface to use a VPN Client connection
#
#          WiFiVPN     [ {'help'} | {'-h'} | status | diag]
#                      { wifi_interface | ssid [ vpn_number | 'del' | 'status'] }  ['nodns'] ['autodnsmasq'] ['nobridge'] ['openlan'] ['novpn'] ['vlan'{X}] ['debug'] ['brctlopt']
# e.g.
#          WiFiVPN
#                      List ALL WiFi interfaces and associated VPN bridges.
#          WiFiVPN     wl0.2 1
#                      Guest 2.4Ghz #2 (wl0.2) is forced to use VPN Client 1 using bridge 1 (br1) and forces VPN 1 DNS
#          WiFiVPN     wl0.2 del
#                      Guest 2.4Ghz #2 (wl0.2) is reset to use the WAN rather than the VPN
#          WiFiVPN     wl0.2 nodns
#                      Guest 2.4Ghz #2 (wl0.2) is forced to use VPN Client 1 using bridge 1 (br1) and uses router DNS.
#          WifiVPN     wl1.3 status
#                      Guest 5Ghz #3 (wl1.3) config is listed in detail.
#          WiFiVPN     br2g24 5
#                      Guest SSID 'br2g24' (could be 2.4GHz Wifi Guest #2!?) is forced to use VPN Client 5 using bridge 5 (br5) and forces VPN 5 DNS
#          WiFiVPN     eth1 1
#                      2.4Ghz WiFi network (eth1) is forced to use VPN Client 1 using bridge 1 (br1) and forces VPN 1 DNS
#          WiFiVPN     eth2 2
#                      5Ghz WiFi network (eth2) is forced to use VPN Client 2 using bridge 2 (br2)  and forces VPN 2 DNS
#          WiFiVPN     status
#                      List ALL WiFi interfaces and associated VPN bridges.
#          WiFiVPN     diag
#                      List ALL WiFi interfaces and associated VPN bridges. Prompts to delete/show config.
#

As shown above there is no syntax error in the original file download, but I suggest you try and cut'n'paste the following into the command prompt:
Code:
curl -kL https://pastebin.com/raw.php?i=94Gf5hru | tr -d '\r' > /jffs/scripts/junk.sh

chmod +x /jffs/scripts/junk.sh

/jffs/scripts/junk.sh
to see if this method works.
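As an added example (not Martineau's code and not part of WiFiVPN.sh or PastebinScript.sh), here is a small pre-flight check for a script that has just been pasted or downloaded onto the router. It tests for the three causes listed earlier in the thread (wrong first line, DOS line endings, a copy error) before the file is executed. For the third cause it uses my reading of the `sh -v` output posted above: the banner comment that is a single line in the original download appears there split in two, with the `©` tail on line 4, which is exactly where the shell reports the unexpected `)`, so a non-comment line starting with a non-ASCII byte is flagged as a wrapped comment. The two embedded sample headers are constructed for this example and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of WiFiVPN.sh): sanity-check a script that was pasted
# or downloaded onto the router before executing it.  Reports a bad shebang,
# DOS line endings and a comment line that an editor hard-wrapped so that its
# tail became a non-comment line; exits non-zero if anything is found.

# Constructed sample reproducing the failure shown by 'sh -v' in the thread:
# the banner comment was wrapped, so line 4 is no longer a comment.
BROKEN='#!/bin/sh
VER="v1.03b (Public Beta)"
#==============================================================================
© 2016-2018 Martineau, v01.03b Public Beta)
echo "$VER"'

# Constructed sample of the same header as it should be (banner on one line).
GOOD='#!/bin/sh
VER="v1.03b (Public Beta)"
#============================================================================== © 2016-2018 Martineau, v01.03b Public Beta)
echo "$VER"'

# check_script FILE -> prints one line per problem found; returns 1 if any.
check_script() {
    f=$1; rc=0
    # 1. shebang: the first line must be exactly '#!/bin/sh'; anything else
    #    (a trailing '/', a CR, a leading space) stops the kernel executing it.
    if [ "$(head -n 1 "$f")" != '#!/bin/sh' ]; then
        echo "$f: first line is not '#!/bin/sh'"; rc=1
    fi
    # 2. DOS line endings: a CR before each newline makes every command
    #    look like 'foo\r' to the shell.  Fix: dos2unix FILE
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: contains CR (DOS) line endings, run: dos2unix $f"; rc=1
    fi
    # 3. wrapped comments: a line that starts with a non-printable byte (in the
    #    C locale that includes UTF-8 characters such as the banner's '©') and
    #    not with '#' is the tail of a comment the editor wrapped; sh will try
    #    to execute it and stop with a syntax error at that line number.
    wrapped=$(LC_ALL=C grep -n '^[^#[:print:][:space:]]' "$f" || true)
    if [ -n "$wrapped" ]; then
        echo "$f: comment wrapped onto a new line (re-copy without the editor wrapping long lines):"
        echo "$wrapped"; rc=1
    fi
    return $rc
}

# write_sample TEXT -> writes the text to a temp file and prints its path.
write_sample() {
    t=$(mktemp) && printf '%s\n' "$1" > "$t" && echo "$t"
}

# Usage: ./check_script.sh /jffs/scripts/WiFiVPN.sh
# Without an argument it runs against the two constructed samples.
if [ $# -gt 0 ]; then
    check_script "$1"
else
    tmp=$(write_sample "$BROKEN")
    check_script "$tmp" || echo "(BROKEN sample rejected, as expected)"
    rm -f "$tmp"
    tmp=$(write_sample "$GOOD")
    check_script "$tmp" && echo "(GOOD sample accepted)"
    rm -f "$tmp"
fi
```

The wrapped-comment test is deliberately run in the C locale so that every byte above 0x7F counts as non-printable regardless of the router's locale settings; on a file the check passes, a remaining `syntax error` is then a genuine copy error rather than a formatting one.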
 
Thanks for the hand holding:)

I usually simply press on download on pastebin to get my scripts
But will try the pastebin.sh - presume I have to install it as usual through nano and execute. Off to work now but will try it later:D
 
So formatted JFFS then ran the foll at Putty command prompt:
Code:
curl -kL https://pastebin.com/raw.php?i=94Gf5hru | tr -d '\r' > /jffs/scripts/junk.sh

chmod +x /jffs/scripts/junk.sh

/jffs/scripts/junk.sh

I then got the foll:
Code:
admin@RT-AC68U-CFC8:/tmp/home/root# curl -kL https://pastebin.com/raw.php?i=94Gf5hru | tr -d '\r' > /jffs/scripts/junk.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
100 46489    0 46489    0     0  10317      0 --:--:--  0:00:04 --:--:-- 45847
admin@RT-AC68U-CFC8:/tmp/home/root# chmod +x /jffs/scripts/junk.sh
admin@RT-AC68U-CFC8:/tmp/home/root# /jffs/scripts/junk.sh

(junk.sh): 1495 v1.03b (Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[]

        WiFi->VPN Configuration Status for interfaces:

        -----   (ASUS_Guest1)    2.4GHz Guest 1  ** Disabled **
        -----   (ASUS_Guest2)    2.4GHz Guest 2  ** Disabled **
        -----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
        wl1.1   WLAN_UK          5GHz   Guest 1
        wl1.2   WLAN_IN          5GHz   Guest 2
        -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
        eth1    WLANA2           2.4GHz Network
        eth2    WLANA2_5G        5GHz   Network

**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1194:UDP is configured for use by several VPN Clients

admin@RT-AC68U-CFC8:/tmp/home/root#

VPN works kind of, but the same client VPN2 is on both wl1.1 & wl1.2, eth1 & 2 and my LAN :confused:. Is that because I started at the wrong end and should go the https://www.snbforums.com/threads/2...-ssid-how-to-route-traffic.41222/#post-349086 route first before even getting to setting up things??

I use NordVPN so i do not have any other UDP port options I think and am loathe to use IKEv2, OpenVPN TCP as you may have suggested elsewhere- are there any other workarounds?

Thanks!:D
 
So formatted JFFS
Well as stated previously, whilst drastic, this destructive action should ensure that there are no filesystem errors, but I wouldn't normally expect this to be performed every time you encounter a script/creation execution issue. :rolleyes:

So to recap, your original post was as a result of you being unable to correctly copy'n'paste the WiFiVPN.sh script from the Pastebin source into the nano editor, as the manual cURL command line method to retrieve/create a working script was successful?
VPN works kind of but same client VPN2 on both wl1.1 & wl1.2 eth1 &2 and my LAN:confused:. Is that because I started at the wrong end and should go the https://www.snbforums.com/threads/2...-ssid-how-to-route-traffic.41222/#post-349086 route first before even getting to setting up things??
You can have as many interfaces mapped to a single VPN Client, but you must have enabled Selective Routing in the VPN Client GUI and entered the appropriate Policy rules for the devices/subnets etc.

I use NordVPN so i do not have any other UDP port options I think and am loathe to use IKEv2, OpenVPN TCP as you may have suggested elsewhere- are there any other workarounds?

If NordVPN only offer UDP:1194/TCP:443 then if you try to run concurrent NordVPN VPN Clients, to the same socket, then you will most likely experience VPN routing issues. However, if you only ever have one VPN ACTIVE at a time, then you may ignore the 'warning message' (WiFiVPN.sh is simply trying to be helpful, as it cannot prevent you from potentially shooting yourself in the foot!). NOTE: v1.09 of WiFiVPN.sh reworked the check so if you need it then let me know.

If NordVPN's TCP:443 is not acceptable (unacceptable performance/throughput degradation?) then I'm afraid without another VPN provider, you will most likely be restricted to one ACTIVE VPN Client at a time.
 
Thank you so much Martineau - I will have to do some more Noob homework!:eek:
Martineau said:
If NordVPN only offer UDP:1194/TCP:443 then if you try to run concurrent NordVPN VPN Clients, to the same socket, then you will most likely experience VPN routing issues.
I believe if unique subnets are allocated in the routing table then each tunnel would have its own interface and gateway (making it look as if different devices are connecting to the different tunnels), is that right? (NordVPN allows 6 concurrent connections)
 
No.

The router's VPN Client connection to NordVPN counts as one device, and all LAN/VLANs/Subnet devices routed via the VPN Client are MASQUERADE'd as a single connection.
 
aha! Cheers!
 
I am sorry I did not properly read this thread as a lot of my questions were already covered. I appreciate your patience :oops:
 
EDIT : Okay, I was testing the VPN SSID from an android phone that was ignoring the IP attribution rules (!!). It was actually (partially) working all along.
The DNS problem remains though.

---

Hi Martineau, hi guys,

I'm new to this forum and to the "router scripting" world. I ended up here after buying an AC87U router and searching how to get a segmented WiFi network.
First, thank you for your script Martineau !

I've been reading the thread for a few hours and trying various things, but no luck 'til now... I must be doing silly things as every step of the way is not working as it should ^^.

Infos about my setup :
- The router is behind my ISP box
- The WAN IP of the router is 192.168.1.21
- Router's LAN IP is 192.168.2.1, subnet is 255.255.255.0, range is 192.168.2.2 to .254
- 4 SSIDs are enabled : the 2 main ones (2.4Ghz and 5Ghz : ASRT and ASRT_5G) + 2 Guests (ASRT_VPN and ASRT_VPN_5G)

Here is what I did :
1) Activated 2.4Ghz Guest SSID n°1 and 5Ghz Guest SSID n°1 (with no lan access)
2) Set up my VPN Client n°1 (Provider: TigerVPN), with exclusive DNS configuration. I tested it by enabling it on "all" traffic temporarily: it works (dnsleaktest shows the VPN IP and the VPN DNS).
Then I switched to Policy Rules (Strict) and added a Dummy VPN Rule.

Note that Create NAT on tunnel is enabled : I read that it could cause problems on another post... But I tried without it and it still fails.
3) Downloaded and ran WiFiVPN.sh (1.03b)

First surprise : the output of ./wifivpn.sh status is quite odd. Even though 2.4Ghz, 5Ghz and two guests are enabled, it shows the following :
Code:
(wifivpn.sh): 6910 v1.03b (Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status]

        WiFi->VPN Configuration Status for interfaces:

        wl0.1   ASRT_VPN         2.4GHz Guest 1
        -----   (ASUS_Guest2)    2.4GHz Guest 2  ** Disabled **
        -----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
        -----   (ASRT_VPN_5G)    5GHz   Guest 1  ** Disabled **
        -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
        -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
        eth1    ASRT             2.4GHz Network
        -----   (ASRT_5G)        5GHz   Network  ** Disabled **

As if most networks were **Disabled**??
I ignored that and tried to run the script anyway with ./wifivpn.sh wl0.1 1 : logically, it failed since I did not set any bridge before, and offered to use autodnsmasq, which I did.

/etc/dnsmasq.conf (generated by autodnsmasq) :
Code:
...
# Bridge br1 uses DHCP pool 192.168.101.2 - 192.168.101.20
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.20,255.255.255.0,14400s
dhcp-option=br1,3,192.168.101.1
dhcp-option=br1,6,192.168.101.1
dhcp-option=br1,252,"\n"

Then the problems really begin:
1) When I connect to ASRT_VPN, my IP is not in the specified range : it should be 192.168.101.x but instead, it is 192.168.2.x, which corresponds to br0 range. Do not know why...
EDIT: okay, if I connect with my laptop, the IP is in the right range. If I connect from my phone (which I was doing from the beginning), it is not. Android is totally ignoring the router's IP attribution... It works from my laptop. I have internet access through my VPN. But the DNS problem remains.

brctl show :
Code:
bridge name     bridge id               STP enabled     interfaces
br0             8000.382c4aab5de0       yes             vlan1
                                                        eth1
                                                        vlan4000
br1             8000.382c4aab5de1       no              wl0.1

2) WiFiVPN.sh fails at retrieving VPN's DNS. When I run ./wifivpn.sh wl0.1 1 it says :
Code:
(wifivpn.sh): 11049 v1.03b (Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[wl0.1 1]

        (wifivpn.sh): 11049 WiFi (wl0.1) 2.4GHz Guest 1 ASRT_VPN (192.168.101.0/24) routed through tunnel VPN Client 1 (TigerVPN) using WAN DNS () via bridge:br1
And when running ./wifivpn.sh status after creating the bridge it says :
Code:
wl0.1   ASRT_VPN         2.4GHz Guest 1  (192.168.101.0/24) routed through tunnel VPN Client 1 (TigerVPN) is MISSING a valid DNS entry in '-t nat DNSVPN1' via bridge:br1

I know that last error has been mentioned before, but the offered solutions don't seem to fix it for me.
EDIT : that problem remains. Even now that I'm connected to ASRT_VPN and that it is working, dnsleaktest show my VPN IP but all DNS are my ISP's and not my VPN provider's.

I must be doing something really stupid somewhere, but I can't figure out what... Could you help me ?
Thanks a lot.
 
