2 VPN Client and 2 WiFi SSID: how to route traffic

[Martineau]

Really interresting!!!

For specific needs, I use 2 client VPN connections with openvpn. One in america openvpn1, and the other in europe openvpn2. I'm using Asus RT-AC56U with the latest stable Asus-merlin OS.

I have 3 WIFI per channel (2.4Gz and 5Gz)

From antenna 2.4Gz;
MYWIFI
MYWIFI_Guest1_VPN1
MYWIFI_Guest2_VPN2

From antenna 5.0GZ;
MYWIFI_5GZ
MYWIFI_Guest1_VPN1_5GZ
MYWIFI_Guest2_VPN2_5GZ

Here's what I'll need:
1-That MYWIFI and MYWIFI_5GZ continue to access Br0 bridge (standard config without going into any VPN)
2-That all traffic from my networks * Guest1_VPN1 * pass through VPN openvpn1
3-That all traffic from my networks * Guest2_VPN2 * pass through VPN openvpn2
3-After a reboot, all VPN should reconnect and keep the previous config.

Any idea howto do it?

I have sent you a link via PM.

So after you have manually run the commands with the 'autodnsmasq' directive, you would simply modify

/jffs/scripts/nat-start

/jffs/scripts/WiFiVPN.sh   MYWIFI_Guest1_VPN1       1
/jffs/scripts/WiFiVPN.sh   MYWIFI_Guest1_VPN1_5GZ   1

/jffs/scripts/WiFiVPN.sh   MYWIFI_Guest2_VPN2       2
/jffs/scripts/WiFiVPN.sh   MYWIFI_Guest2_VPN2_5GZ   2

to have the ability to access the USA/Europe VPNs by connecting to either the 2.4GHz or 5GHz SSIDs.

 

[Steph]

I have sent you a link via PM.

So after you have manually run the commands with the 'autodnsmasq' directive, you would simply modify

/jffs/scripts/nat-start

/jffs/scripts/WiFiVPN.sh   MYWIFI_Guest1_VPN1       1
/jffs/scripts/WiFiVPN.sh   MYWIFI_Guest1_VPN1_5GZ   1

/jffs/scripts/WiFiVPN.sh   MYWIFI_Guest2_VPN2       2
/jffs/scripts/WiFiVPN.sh   MYWIFI_Guest2_VPN2_5GZ   2

to have the ability to access the USA/Europe VPNs by connecting to either the 2.4GHz or 5GHz SSIDs.

Both VPNs have state connected.
seems to have problem only with connections made through VPN2, connections made with MYWIFI_Guest2_VPN2*.

from cli and with the script wifivpn.sh status:
RT-AC56U-5088:/jffs/scripts# /jffs/scripts/wifivpn.sh status
(wifivpn.sh): 20304 v1.03b (Non Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status]
WiFi->VPN Configuration Status for interfaces:
wl0.1 Murray_613-MTL 2.4GHz Guest 1 (192.168.101.0/24) routed through tunnel VPN Client 1 (ExpressVPN-MTL) using VPN DNS (10.29.0.1) via bridge:br1
wl0.2 Murray_613-FR2 2.4GHz Guest 2 (192.168.102.0/24) routed through tunnel VPN Client 2 (ExpressVPN-FR2) using VPN DNS (10.13.0.1) via bridge:br2
----- (ASUS_Guest3) 2.4GHz Guest 3 ** Disabled **
wl1.1 Murray_613-MTL_5GZ 5GHz Guest 1 (192.168.101.0/24) routed through tunnel VPN Client 1 (ExpressVPN-MTL) using VPN DNS (10.29.0.1) via bridge:br1
wl1.2 Murray_613-FR2_5GZ 5GHz Guest 2 (192.168.102.0/24) routed through tunnel VPN Client 2 (ExpressVPN-FR2) using VPN DNS (10.13.0.1) via bridge:br2
----- (ASUS_5G_Guest3) 5GHz Guest 3 ** Disabled **
eth1 Murray_613 2.4GHz Network
eth2 Murray_613_5G 5GHz Network

**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients


FYI:Connections from MYWIFI_GUEST1_VPN1* working correctly.
And yes the VPN are correctly connected.

Also, All my traffic using the first opened VPN connexion. I mean, not only the traffic from WIFI connection associated but all local ethernet ports and others WIFI not included in bridges Br1 and Br2. Ex: eth1 and eth2 is WIFI the WIFI 2.4 and 5.0 but are not connected through Bridges where I have configured the VPNs. But traffic passing inside the VPN. Not supposed to. Seems be caused by the default route added by the VPN connection.

Any idea how to troubleshoot it? Is it because both VPN using the same destination server port?

 

[Martineau]

FYI:Connections from MYWIFI_GUEST1_VPN1* working correctly.
And yes the VPN are correctly connected.

My WiFiVPN.sh script expects both VPN Clients to be configured correctly prior to creating the mapping - it does insert the necessary Selective Routing RPDB rules but does not alter the associated VPN routes.

All my traffic using the first opened VPN connexion.
Seems be caused by the default route added by the VPN connection.

Is it because both VPN using the same destination server port?

Have you tried changing one of them to an alternative port?

Any idea how to troubleshoot it?

I recently posted a script to try and verify the VPN Selective routing configuration: ChkVPNConfig

P.S. It makes it easier to read diagnostic/debug results if you post command line output using forum 'code tags'

e.g.

/jffs/scripts/wifivpn.sh status

(wifivpn.sh): 20304 v1.03b (Non Public Beta) © 2016-2017 Martineau, WiFi VPN status request.....[status]

     WiFi->VPN Configuration Status for interfaces:

     wl0.1 Murray_613-MTL 2.4GHz Guest 1 (192.168.101.0/24) routed through tunnel VPN Client 1 (ExpressVPN-MTL) using VPN DNS (10.29.0.1) via bridge:br1
     wl0.2 Murray_613-FR2 2.4GHz Guest 2 (192.168.102.0/24) routed through tunnel VPN Client 2 (ExpressVPN-FR2) using VPN DNS (10.13.0.1) via bridge:br2
     ----- (ASUS_Guest3)  2.4GHz Guest 3 ** Disabled **
     wl1.1 Murray_613-MTL_5GZ 5GHz Guest 1 (192.168.101.0/24) routed through tunnel VPN Client 1 (ExpressVPN-MTL) using VPN DNS (10.29.0.1) via bridge:br1
     wl1.2 Murray_613-FR2_5GZ 5GHz Guest 2 (192.168.102.0/24) routed through tunnel VPN Client 2 (ExpressVPN-FR2) using VPN DNS (10.13.0.1) via bridge:br2
     ----- (ASUS_5G_Guest3)   5GHz Guest 3 ** Disabled **
     eth1 Murray_613 2.4GHz Network
     eth2 Murray_613_5G 5GHz Network

**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients

 

[Steph]

[Unfortunatly I cannot change the UDP used by vpn servers. It's the only config my provider offer. Also, I downloaded there config file .ovpn for VPN creation (Client 1 and Client 2). If I could change the routing from a config by a rule and isolate the VPN to a specific subnet or WIFI connection, could help me to do it?

Here's the ouput when I ran the wifivpn.sh follow by ChkVPNConfig scripts.

RT-AC56U-5088:/jffs/scripts# ./nat-start

(wifivpn.sh): 17076 v1.03b (Non Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[wl0.1 1]
(wifivpn.sh): 17076 WiFi 2.4GHz Guest 1 Murray_613-MTL requesting start of VPN Client 1 (ExpressVPN-MTL)
(wifivpn.sh): 17076 Waiting for VPN Client 1 (ExpressVPN-MTL) to connect.....
(wifivpn.sh): 17076 VPN Client 1 (ExpressVPN-MTL) connect'd in 6 secs

    **Warning WiFi (wl0.1) 2.4GHz Guest 1 Murray_613-MTL already attached to bridge: br1
    **Warning WiFi (wl0.1) already assigned to NVRAM variable: lan1_ifnames

    (wifivpn.sh): 17076 WiFi (wl0.1) 2.4GHz Guest 1 Murray_613-MTL (192.168.101.0/24) routed through tunnel VPN Client 1 (ExpressVPN-MTL) using VPN DNS (10.36.0.1) via bridge:br1


(wifivpn.sh): 17526 v1.03b (Non Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[wl1.1 1]

    **Warning WiFi (wl1.1) 5GHz Guest 1 Murray_613-MTL_5GZ already attached to bridge: br1
    **Warning WiFi (wl1.1) already assigned to NVRAM variable: lan1_ifnames

    (wifivpn.sh): 17526 WiFi (wl1.1) 5GHz Guest 1 Murray_613-MTL_5GZ (192.168.101.0/24) routed through tunnel VPN Client 1 (ExpressVPN-MTL) using VPN DNS (10.36.0.1) via bridge:br1


(wifivpn.sh): 17845 v1.03b (Non Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[wl0.2 2]
(wifivpn.sh): 17845 WiFi 2.4GHz Guest 2 Murray_613-FR2 requesting start of VPN Client 2 (ExpressVPN-FR2)
(wifivpn.sh): 17845 Waiting for VPN Client 2 (ExpressVPN-FR2) to connect.....
(wifivpn.sh): 17845 VPN Client 2 (ExpressVPN-FR2) connect'd in 6 secs

**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients

    **Warning WiFi (wl0.2) 2.4GHz Guest 2 Murray_613-FR2 already attached to bridge: br2
    **Warning WiFi (wl0.2) already assigned to NVRAM variable: lan2_ifnames

    (wifivpn.sh): 17845 WiFi (wl0.2) 2.4GHz Guest 2 Murray_613-FR2 (192.168.102.0/24) routed through tunnel VPN Client 2 (ExpressVPN-FR2) using VPN DNS (10.13.0.1) via bridge:br2


(wifivpn.sh): 18407 v1.03b (Non Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[wl1.2 2]

**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients

    **Warning WiFi (wl1.2) 5GHz Guest 2 Murray_613-FR2_5GZ already attached to bridge: br2
    **Warning WiFi (wl1.2) already assigned to NVRAM variable: lan2_ifnames

    (wifivpn.sh): 18407 WiFi (wl1.2) 5GHz Guest 2 Murray_613-FR2_5GZ (192.168.102.0/24) routed through tunnel VPN Client 2 (ExpressVPN-FR2) using VPN DNS (10.13.0.1) via bridge:br2

RT-AC56U-5088:/jffs/scripts# ./ChkVPNConfig.sh

(ChkVPNConfig.sh): 18955 v1.01b3 VPN Selective Routing configuration checker .....


(ChkVPNConfig.sh): 18955 WAN (main) route Table: 254

10.36.1.197 dev tun11  proto kernel  scope link  src 10.36.1.198
10.13.3.77 dev tun12  proto kernel  scope link  src 10.13.3.78
10.13.0.1 via 10.13.3.77 dev tun12
10.36.0.1 via 10.36.1.197 dev tun11
0.0.0.0/1 via 10.36.1.197 dev tun11
128.0.0.0/1 via 10.36.1.197 dev tun11
default via 192.168.0.1 dev eth0

(ChkVPNConfig.sh): 18955 ***ERROR***Selective Routing NOT enabled! - table 'main' is FORCE routing ALL traffic via VPN Client 1


(ChkVPNConfig.sh): 18955 VPN Client 1 route Table: 111


(ChkVPNConfig.sh): 18955 VPN Client 2 route Table: 112


(ChkVPNConfig.sh): 18955 RPDB rules:

0:    from all lookup local
20100:    from 192.168.101.0/24 lookup ovpnc1
20200:    from 192.168.102.0/24 lookup ovpnc2
20200:    from 192.168.102.0/24 lookup ovpnc2
32766:    from all lookup main
32767:    from all lookup default

(ChkVPNConfig.sh): 18955 Count of active RPDB rules:

      1 lookup ovpnc1
      2 lookup ovpnc2


(ChkVPNConfig.sh): 18955 **Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients

Also, some error with DNS parameter seems error. What could I do if I would like to force use DNS provided by the VPN connection for each VPN client connections?

RT-AC56U-5088:/jffs/scripts# ./nat-start 


(wifivpn.sh): 4193 v1.03b (Non Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[wl0.1 1]


**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients


**Warning WiFi (wl0.1) 2.4GHz Guest 1 Murray_613-MTL already attached to bridge: br1

**Warning WiFi (wl0.1) already assigned to NVRAM variable: lan1_ifnames

awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory

iptables: No chain/target/match by that name.

awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory

awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory

iptables: No chain/target/match by that name.


(wifivpn.sh): 4193 WiFi (wl0.1) 2.4GHz Guest 1 Murray_613-MTL (192.168.101.0/24) routed through tunnel VPN Client 1 (ExpressVPN-MTL) using WAN DNS (192.168.0.1) via bridge:br1



(wifivpn.sh): 4631 v1.03b (Non Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[wl0.2 2]


**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients


**Warning WiFi (wl0.2) 2.4GHz Guest 2 Murray_613-FR2 already attached to bridge: br2

**Warning WiFi (wl0.2) already assigned to NVRAM variable: lan2_ifnames

awkNR: /etc/openvpn/dns/client2.resolv: No such file or directory

iptables: No chain/target/match by that name.

awkNR: /etc/openvpn/dns/client2.resolv: No such file or directory

awkNR: /etc/openvpn/dns/client2.resolv: No such file or directory

iptables: No chain/target/match by that name.


(wifivpn.sh): 4631 WiFi (wl0.2) 2.4GHz Guest 2 Murray_613-FR2 (192.168.102.0/24) routed through tunnel VPN Client 2 (ExpressVPN-FR2) using WAN DNS (192.168.0.1) via bridge:br2

 

[Martineau]

[Unfortunatly I cannot change the UDP used by vpn servers. It's the only config my provider offer

RT-AC56U-5088:/jffs/scripts# ./ChkVPNConfig.sh

(ChkVPNConfig.sh): 18955 v1.01b3 VPN Selective Routing configuration checker .....

(ChkVPNConfig.sh): 18955 WAN (main) route Table: 254

10.36.1.197 dev tun11  proto kernel  scope link  src 10.36.1.198
10.13.3.77 dev tun12  proto kernel  scope link  src 10.13.3.78
10.13.0.1 via 10.13.3.77 dev tun12
10.36.0.1 via 10.36.1.197 dev tun11
0.0.0.0/1 via 10.36.1.197 dev tun11
128.0.0.0/1 via 10.36.1.197 dev tun11
default via 192.168.0.1 dev eth0

(ChkVPNConfig.sh): 18955 ***ERROR***Selective Routing NOT enabled! - table 'main' is FORCE routing ALL traffic via VPN Client 1

Thank you for beta testing my ChkVPNConfig.sh script ...(you have exposed a minor reporting issue! )

Have you enabled Selective Routing?
Enable Selective routing for WiFiVPN mapping

 

[Steph]

Thank you for beta testing my ChkVPNConfig.sh script ...(you have exposed a minor reporting issue! )

Have you enabled Selective Routing?
Enable Selective routing for WiFiVPN mapping

Oups! No I simply activated the VPN connections and no rule are present in config.

I activated strict isolation for both VPN config and now only traffic from my dedicated WIFI passing through VPN. Also, that corrected my DNS resolution problem.

I still get DNS error messages when I run WiFiVPN.sh script but DNS working fine from WIFI/VPN connection.

Sometime, your script searching for file "client(id).resolv" in /etc/openvpn/dns. But first, from my asus model, the folder is located in different path "/etc/openvpn/client(id)/...". Second, the file you searching for "client(id).resolv" is absent from theses folders in my case.

I got warning when I run ChkVPNConfig.sh script. The route 0.0.0.0/1 seems to be a problem. Because I want to route all through VPN connection, this route is needed, no? Could you tell me what the following warning purpose (ChkVPNConfig.sh)?

RT-AC56U-5088:/jffs/scripts# ./ChkVPNConfig.sh

(ChkVPNConfig.sh): 12677 v1.01b3 VPN Selective Routing configuration checker .....


(ChkVPNConfig.sh): 12677 WAN (main) route Table: 254

10.36.1.197 dev tun11  proto kernel  scope link  src 10.36.1.198
10.125.3.41 dev tun12  proto kernel  scope link  src 10.125.3.42
default via 192.168.0.1 dev eth0

(ChkVPNConfig.sh): 12677 VPN Client 1 route Table: 111

10.36.1.197 dev tun11  proto kernel  scope link  src 10.36.1.198
10.36.0.1 via 10.36.1.197 dev tun11
0.0.0.0/1 via 10.36.1.197 dev tun11
128.0.0.0/1 via 10.36.1.197 dev tun11

(ChkVPNConfig.sh): 12677 **Warning '0.0.0.0/1 via 10.36.1.197 dev tun11 ' found in VPN Client 1


(ChkVPNConfig.sh): 12677 VPN Client 2 route Table: 112

10.125.3.41 dev tun12  proto kernel  scope link  src 10.125.3.42
10.125.0.1 via 10.125.3.41 dev tun12
0.0.0.0/1 via 10.125.3.41 dev tun12
128.0.0.0/1 via 10.125.3.41 dev tun12

(ChkVPNConfig.sh): 12677 **Warning '0.0.0.0/1 via 10.125.3.41 dev tun12 ' found in VPN Client 2


(ChkVPNConfig.sh): 12677 RPDB rules:

0:    from all lookup local
20100:    from 192.168.101.0/24 lookup ovpnc1
20200:    from 192.168.102.0/24 lookup ovpnc2
32766:    from all lookup main
32767:    from all lookup default

(ChkVPNConfig.sh): 12677 Count of active RPDB rules:

      1 lookup ovpnc1
      1 lookup ovpnc2


(ChkVPNConfig.sh): 12677 **Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients

 

[Martineau]

Oups! No I simply activated the VPN connections and no rule are present in config.

Should I create rules and enable it?

Crucially Selective Routing must be enabled

Once Selective Routing is enabled, the GUI tables may be left empty - which would be the case for Advanced Selective Routing for MACs,Ports Domains etc. and of course for Guest WiFi SSIDs!

NOTE: I personally recommend adding the appropriate unique 'dummy' VPN entry (one per VPN Client) especially if 'Accept DNS Configuration=EXLUSIVE' is set in the GUI to prevent DNS leaks.

 

[Joboo7777]

Thank you for beta testing my ChkVPNConfig.sh script ...(you have exposed a minor reporting issue! )

Have you enabled Selective Routing?
Enable Selective routing for WiFiVPN mapping

Martineau, does "Block routed clients if tunnel goes down=Yes" work for SSIDs mapped to VPN? Want to make sure if the VPN tunnel goes down that clients cannot go out to standard WAN internet.

 

[Martineau]

Martineau, does "Block routed clients if tunnel goes down=Yes" work for SSIDs mapped to VPN? Want to make sure if the VPN tunnel goes down that clients cannot go out to standard WAN internet.

Oh no it's been bugging me for months that I may have missed a nice-to-have feature ...but would you stop using my script if the answer is NO?

Fortunately, YES it does honour the VPN kill-switch, but that doesn't mean to say that it is 100% foolproof.

It is an accepted fact of life that non-trivial code is sadly always at the mercy of (stupid) human-error (if not pesky random disruptive sunspot activity etc. )

I'd surely bet my house that there isn't a skilled programmer on earth who hasn't at least once experienced that moment of panic stricken horror whilst reduced to repeatedly muttering "...now how on earth did that fail?" at their supposedly bomb-proof production-ready program.

My point is that I rely on the firmware script to implement the VPN kill-switch feature, yet crucially (whilst there is no reason why the command to implement the VPN kill-switch should fail) the firmware doesn't actually check the return code nor confirm if the VPN kill-switch is successfully installed.

DISCLAIMER:
It is your responsibility to thoroughly personally test to see if your online activities are sufficiently obfuscated to your satisfaction (in all circumstances) when using my WiFiVPN.sh mapping - that's why it is still in Beta status.

 

[Martineau]

What could I do if I would like to force use DNS provided by the VPN connection for each VPN client connections?

You need to set

and follow the instructions to add the dummy entries to the tables

2 VPN Client and 2 WiFi SSID: how to route traffic

 

[Joboo7777]

Oh no it's been bugging me for months that I may have missed a nice-to-have feature ...but would you stop using my script if the answer is NO?

Fortunately, YES it does honour the VPN kill-switch, but that doesn't mean to say that it is 100% foolproof.

It is an accepted fact of life that non-trivial code is sadly always at the mercy of (stupid) human-error (if not pesky random disruptive sunspot activity etc. )

I'd surely bet my house that there isn't a skilled programmer on earth who hasn't at least once experienced that moment of panic stricken horror whilst reduced to repeatedly muttering "...now how on earth did that fail?" at their supposedly bomb-proof production-ready program.

My point is that I rely on the firmware script to implement the VPN kill-switch feature, yet crucially (whilst there is no reason why the command to implement the VPN kill-switch should fail) the firmware doesn't actually check the return code nor confirm if the VPN kill-switch is successfully installed.

DISCLAIMER:
It is your responsibility to thoroughly personally test to see if your online activities are sufficiently obfuscated to your satisfaction (in all circumstances) when using my WiFiVPN.sh mapping - that's why it is still in Beta status.

So I should wait for it to become production for you to take responsibility? I kid.. I kid.

I completetly understand where you are coming from. I haven't tested it yet as I'm waiting for the production release of 384. But when I do I will be sure to report back my results.

 

[Stach]

Martineau, I'm setting up a VPN client for our house and your script is EXACTLY what I am looking to do (selective VPN usage for clients). Please PM me with a link to your script for my RT-AC3200 running 380.69_2.

Thanks in advance!
Stach

 

[Martineau]

Martineau, I'm setting up a VPN client for our house and your script is EXACTLY what I am looking to do (selective VPN usage for clients).
Please PM me with a link to your script for my RT-AC3200 running 380.69_2.

I have sent you a link via PM.

 

[Steph]

FYI I did a complet reset of my router (ASUS RT-56U) and reconfigured VPN and Guests WIFI. After ran WIFIVPN.sh script to configure bridges and all DHCP,config came with dnsautomasq. Work like a charm! Even after a reboot.

Thank you Martineau!

 

[mr8]

Hello, I was previously using a modified version of this script, but thought I would give this script a try.

I am trying to set my own dhcp range in my dnsmasq, but the bridge still reverts to x.x.10x.2-x.x.10x.20. Is there any way to customize the dhcp option without hacking the code?

 

[Martineau]

Hello, I was previously using a modified version of this script, but thought I would give this script a try.

I am trying to set my own dhcp range in my dnsmasq, but the bridge still reverts to x.x.10x.2-x.x.10x.20. Is there any way to customize the dhcp option without hacking the code?

My WiFIVPN.sh script is easier to support if there is a standard subnet naming convention:
e.g. as shown in my code:

# My numbering scheme for third OCTET:
#
#       xxx.xxx.1.0     LAN
#       xxx.xxx.10x.0   Bridge          i.e. 101,102,103,104 and 105 etc.
#       xxx.xxx.24x.0   Wifi 2.4GHz     i.e. 241,242 and 243
#       xxx.xxx.5x.0    Wifi 5GHz       i.e. 51,52 and 53
#       xxx.xxx.x0.0    VLAN keep 'x' as multiple of 10 e.g. 5 (10,20,30,50,200 etc.)
#                       but skip 60 as it is *may be* reserved by ASUS?

and is implemented if my script required you to invoke it with the 'autodnsmasq' argument.

NOTE: The 'autodnsmasq' argument has no effect if appropriate entries are found in

/jffs/configs/dnsmasq.conf.add

so you may simply modify the entries to enforce your own subnets to the bridges rather than hack my script .

 

[mr8]

...

so you may simply modify the entries to enforce your own subnets to the bridges rather than hack my script .

Weird. It wasn't working before, but is working now! Thanks again for the awesome script!

btw, do I need to run the script if the vpn gets disconnected/reconnected? Possibly something in `openvpn-event`..?

Also, what are the advantages or running my external VPN servers on unique ports? Is there a performance hit if they are on the same port?

 

[Martineau]

Weird. It wasn't working before, but is working now! Thanks again for the awesome script!

Did you restart dnsmasq after you modified '/jffs/confs/dnsmasq.conf.add'?

service restart_dnsmasq

btw, do I need to run the script if the vpn gets disconnected/reconnected? Possibly something in `openvpn-event`..?

I personally suggest you use nat-start to restart the VPN Clients (if they are found to be UP) and as a precaution rerun any scripts to ensure the RPDB/iptable rules are as you expect.

NOTE: However in my production script v1.04 I now use the openvpn-event trigger to call WiFiVPN.sh to now correctly honour the GUI 'Start with WAN' option and also each VPN Client reads its own configuration dynamically from '/jffs/configs/WiFiVPN_map' which makes implementation more flexible etc.

vpnclientX-route-up

/jffs/scripts/WiFiVPN.sh   "?"   ${dev:4:1}   &

Also, what are the advantages or running my external VPN servers on unique ports? Is there a performance hit if they are on the same port?

Depends....but unique ports doesn't hurt...it's usually the change between UDP to TCP that will hit performance.

 

[Sc0rp10]

hi @Martineau

My ISP renews the DHCP lease every night so the VPN has to reconnect and at that time the guest wifi loses its connection with the VPN client.

I am running merlin 384.4_2 on ac88u and using your public beta 1.3b. Is there a way to re-run the script once the VPN reconnects?

Cheers !

 

[Martineau]

hi @Martineau
My ISP renews the DHCP lease every night so the VPN has to reconnect and at that time the guest wifi loses its connection with the VPN client.
Is there a way to re-run the script once the VPN reconnects?

As described in post #98 ; you can continue to use nat-start or (preferably) use the openvpn-event vpnclientX-route-up script to call WiFiVPN.sh

/jffs/scripts/vpnclientX-route-up

/jffs/scripts/WiFiVPN.sh $WIFI_IF $VPN_ID &                    # Bridge X via this VPN

or in the worst case scenario use the openvpn-event vpnclientX-up script to run a background VPN Syslog Monitor script to call WiFiVPN.sh when the appropriate 'successful reconnect' message appears

/jffs/scripts/vpnclientX-up

/jffs/scripts/VPN_SyslogMonitor.sh $VPN_ID &