How to exclude guest access from VPN tunnel on wireless router running openvpn client


DTS

Regular Contributor
I have an Asus RT-AC86U running the latest Merlin firmware. I have an openvpn client setup. Currently all traffic goes over the VPN. However, my goal is that wireless clients that connect to the guest WiFi are not routed through the VPN tunnel.

Is there a policy based routing rule that will do this?

From the GUI, I'm having trouble determining if WiFi guests can be put on a separate subnet (and if so, how to specify the address range). With the default settings, guests get addresses in the same subnet as non-guests. In that situation I'm not sure how to set up a policy based routing rule that will meet my goal.
 
You will need a script to (automatically) create the Guest subnet e.g. GuestSubnet.sh.
Code:
#======================================================================================================= © 2016-2018 Martineau, v1.02
#
# Configure Guest WiFi with new DHCP subnet and DNS using '/etc/dnsmasq.conf' and optionally allow LAN access to specified IPs
#
# Usage:    GuestSubnet  ['help' | '-h']
#                        {wifi_interface | ssid } | ['del[subnet]'] ['autodnsmasq'] [ 'ssid='name] ['ip='ipaddress[,ipaddress]]
#
#           GuestSubnet  wl0.1
#                        Guest WiFI 2.4GHz interface wl0.1 will have the new DHCP subnet and DNS applied (default)
#           GuestSubnet  wl0.1 del
#                        Guest WiFI 2.4GHz interface wl0.1 firewall rules will be removed but subnet remains.
#           GuestSubnet  wl0.1 delsubnet
#                        Guest WiFI 2.4GHz interface wl0.1 firewall rules will be removed and subnet will be reset to Asus default.
#           GuestSubnet  wl0.2 autodnsmasq
#                        Guest WiFi 2.4GHz interface wl0.2 will have new DHCP and DNS directives inserted into /jffs/configs/dnsmasq.conf.add
#                        if they don't already exist.
#                        NOTE: dnsmasq will be bounced.
#           GuestSubnet  wl1.2 ip=192.168.1.99,192.168.1.100
#                        Guest WiFi 5GHz interface wl1.2 will allow access to LAN devices 192.168.1.99,192.168.1.100 
#           GuestSubnet  Guest242
#                        Guest WiFI SSID 'Guest242' (possibly wl0.2?) will have the new DHCP subnet and DNS applied
#
# /jffs/configs/dnsmasq.conf.add:
#
# e.g.
#
# 2.4GHz Guest #1 uses DHCP pool 10.88.241.2 - 10.88.241.20 and OpenDNS/Google DNS
#        interface=wl0.1
#        dhcp-range=wl0.1,10.88.241.2,10.88.241.20,255.255.255.0,21600s
#        dhcp-option=wl0.1,3,10.88.241.1
#        dhcp-option=wl0.1,6,208.67.220.220,8.8.8.8
#
# and will be included in '/etc/dnsmasq.conf' by command 'service restart_dnsmasq' and @boot time etc.
 
Hmmm the link I posted works for me? :confused:
Yes, it works for me today too! :)
I have the script now and I'm reading through it. It looks like you put a heck of a lot of hard work into this. It is very organized and clean code. Thanks so much for sharing it.

I have not ever used a script on a router before. I have ssh access to my router and I can login. I can use sftp to transfer files easily. I can use nano. Beyond that, I have some really basic questions. I did not find a "how to get started with scripts" guide, although if there is one, I would like to read it.

My questions are:
  • Do I need to have jffs enabled to use scripts? Answered below
  • Where do I save this script? Answered below
  • The part of the instructions that mentions "/jffs/configs/dnsmasq.conf.add" is not clear to me at all. EDIT: I found a 2014 discussion here. And more general help here (asuswrt-merlin wiki).
  • Where do I find some explanation of dhcp-options? dnsmasq --help dhcp (more below)
  • How do I enable it to start automatically? Probably answered below
  • Is there a way to monitor and administer this functionality from the GUI once installed? (If not, that's OK. I'm just wondering.)
  • Could you give an example of the script invocation so that both 2.4GHz and 5GHz guests will only have Internet access (no LAN access) and will be on a separate subnet that I can easily exclude from the VPN tunnel? (I'm thinking that if the main subnet is 192.168.1.X, the guest subnet could be 192.168.2.X, for example.)
I'll try to answer some of my own questions: (EDIT: could not answer all of them.)

Regarding my first question, it appears that Asuswrt-Merlin enables jffs by default, in contrast to dd-wrt.
Code:
/tmp/home/root# ls /jffs/
cfg.json         nmp_cl_json.js   nvram            openvpn          ssl              syslog.log-1
configs          nmp_client_list  nvram_war        scripts          syslog.log       usericon
However, support for custom scripts must be enabled, under Administration -> System in the webui.

Where do I save this script? From the examples, it appears the file needs to be named GuestSubnet (without extension) and saved in /jffs/scripts/. (Is it named GuestSubnet or GuestSubnet.sh?)

This part of the instructions is not clear to me:
Code:
# /jffs/configs/dnsmasq.conf.add:
#
# e.g.
#
# 2.4GHz Guest #1 uses DHCP pool 10.88.241.2 - 10.88.241.20 and OpenDNS/Google DNS
#        interface=wl0.1
#        dhcp-range=wl0.1,10.88.241.2,10.88.241.20,255.255.255.0,21600s
#        dhcp-option=wl0.1,3,10.88.241.1
#        dhcp-option=wl0.1,6,208.67.220.220,8.8.8.8

Where are those dhcp-options documented? Is "6" a code for DNS server, for example?
From the dnsmasq man page, the set of option-names known by dnsmasq can be discovered by running "dnsmasq --help dhcp". For example, to set the default route option to 192.168.4.4, do --dhcp-option=3,192.168.4.4 or --dhcp-option=option:router,192.168.4.4

If I add those lines to /jffs/configs/dnsmasq.conf.add, how does dnsmasq know that they apply only to the guest wifi clients?

How do I enable it to start automatically? I see that this will be done by virtue of "/'etc/dnsmasq.conf' by command 'service restart_dnsmasq' and @boot time etc." It's not clear to me exactly how that happens, but I guess it will be clear once I know the answer to the above question.

An example command line for GuestSubnet specific to my use-case would be very helpful. Thank you.
 

I personally use the '.sh' suffix to differentiate between internal 'system recognised' scripts without the '.sh' suffix (e.g. wan-start,init-start etc.) and any custom user-written scripts.

However, I find it superfluous to include the '.sh' in the internal documentation, but you can name the scripts with the '.sh' suffix, yet invoke it without the suffix via a defined alias.
i.e. so you may create the script as 'GuestSubnet' to match the internal documentation or use the '.sh' suffix convention and invoke its execution accordingly.

Having created the script and made it executable (see Wiki), you should be able to test/run the script from the command prompt.
Code:
cd /jffs/scripts
./GuestSubnet   -h
and the examples displayed show that the user simply needs to provide the required interface name that is to be modified:
e.g. For Guest 2.4GHz WiFi #1
Code:
./GuestSubnet  wl0.1   autodnsmasq
and, to remove
Code:
./GuestSubnet  wl0.1   del
Similarly for Guest 5GHz WiFi #2
Code:
./GuestSubnet  wl1.2   autodnsmasq
and, to remove
Code:
./GuestSubnet  wl1.2   del
Although the script attempts to relieve the user from knowing anything about esoteric WiFi configuration, once '/jffs/configs/dnsmasq.conf.add' exists, if the configuration needs to be further customised it can be manually edited (assuming you understand the dnsmasq syntax) to suit your requirements, but the dnsmasq defaults created by the script should be appropriate.
An example command line for GuestSubnet specific to my use-case would be very helpful.

How do I enable it to start automatically?
To have the WiFi subnets applied after boot (i.e. using the examples above), simply add them to say

/jffs/scripts/nat-start
Code:
#!/bin/sh
sh /jffs/scripts/GuestSubnet  wl0.1   # Guest 2.4GHz Wifi #1 subnet
sh /jffs/scripts/GuestSubnet  wl1.2   # Guest 5GHz   Wifi #2 subnet
So effectively a three line script is all that is needed to prove that the script works.
 
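An added example (not Martineau's GuestSubnet script, and not code from the thread) of what the 'autodnsmasq' step described above amounts to: build the dnsmasq directives for a Guest WiFi interface and add them to a dnsmasq.conf.add-style file only if that interface is not defined there yet. The 2.4GHz subnet scheme follows the thread (wl0.1 uses 10.88.241.0/24, wl0.3 uses 10.88.243.0/24); the 5GHz base and the GUEST*_BASE names are assumptions.

```shell
#!/bin/sh
# Added example, not the GuestSubnet script: idempotent dnsmasq.conf.add entries
# for one Guest WiFi interface. The 2.4GHz scheme (third octet = 240 + guest
# index) is taken from the thread; the 5GHz base of 250 is an assumption.
GUEST2G_BASE=240
GUEST5G_BASE=250

# guest_subnet_prefix IFACE -> prints the first three octets of the guest subnet,
# or fails for anything that is not a wl0.N / wl1.N guest interface
guest_subnet_prefix() {
    idx=${1#wl?.}
    case "$1" in
        wl0.[123]) echo "10.88.$((GUEST2G_BASE + idx))" ;;
        wl1.[123]) echo "10.88.$((GUEST5G_BASE + idx))" ;;
        *)         return 1 ;;
    esac
}

# guest_dnsmasq_lines IFACE -> the four directives in the format shown in the thread:
# own DHCP pool .2-.20, router (option 3) = .1, DNS (option 6) = OpenDNS/Google
guest_dnsmasq_lines() {
    prefix=$(guest_subnet_prefix "$1") || return 1
    printf '%s\n' \
        "interface=$1" \
        "dhcp-range=$1,$prefix.2,$prefix.20,255.255.255.0,21600s" \
        "dhcp-option=$1,3,$prefix.1" \
        "dhcp-option=$1,6,208.67.220.220,8.8.8.8"
}

# guest_defined CONF IFACE -> succeeds if CONF already carries a dhcp-range for IFACE
guest_defined() {
    grep -qF "dhcp-range=$2," "$1" 2>/dev/null
}

# guest_add_to_conf CONF IFACE -> append the directives unless already present
guest_add_to_conf() {
    guest_subnet_prefix "$2" >/dev/null || return 1   # reject non-guest interfaces
    if guest_defined "$1" "$2"; then
        echo "$2 already defined in $1, nothing to do" >&2
        return 0
    fi
    {
        echo "# Guest WiFi $2 uses $(guest_subnet_prefix "$2").0/24"
        guest_dnsmasq_lines "$2"
    } >> "$1"
}

# Demo against a temporary file rather than the live /jffs/configs/dnsmasq.conf.add;
# on the router this would be followed by 'service restart_dnsmasq'.
demo_conf=$(mktemp)
guest_add_to_conf "$demo_conf" wl0.1
guest_add_to_conf "$demo_conf" wl0.1   # second call is a no-op
guest_add_to_conf "$demo_conf" wl1.2
cat "$demo_conf"
rm -f "$demo_conf"
```

Because the check keys on the dhcp-range line, re-running it from nat-start after a firmware upgrade recreates missing entries without duplicating existing ones.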
Thanks so much. In case you want to use it, here is my expanded commentary block for the script file:

Code:
#======================================================================================================= © 2016-2018 Martineau, v1.02
#
# Prerequisite:
#       Support for custom scripts must be enabled, under Administration -> System in the webui.
#       Custom scripts must be saved in /jffs/scripts/
#       Script files must be made executable: chmod a+rx /jffs/scripts/*
#       see https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts for more help
#
# Configure Guest WiFi with new DHCP subnet and DNS using '/etc/dnsmasq.conf' and optionally allow LAN access to specified IPs
# For minimal configuration, just provide the required interface name that is to be modified, as in first example
#
# Usage:    GuestSubnet  ['help' | '-h']
#                        {wifi_interface | ssid } | ['del[subnet]'] ['autodnsmasq'] [ 'ssid='name] ['ip='ipaddress[,ipaddress]]
#
#           GuestSubnet  wl0.1
#                        Guest WiFI 2.4GHz interface wl0.1 will have the new DHCP subnet and DNS applied (default)
#           GuestSubnet  wl0.1 del
#                        Guest WiFI 2.4GHz interface wl0.1 firewall rules will be removed but subnet remains.
#           GuestSubnet  wl0.1 delsubnet
#                        Guest WiFI 2.4GHz interface wl0.1 firewall rules will be removed and subnet will be reset to Asus default.
#           GuestSubnet  wl0.2 autodnsmasq
#                        Guest WiFi 2.4GHz interface wl0.2 will have new DHCP and DNS directives inserted into /jffs/configs/dnsmasq.conf.add
#                        if they don't already exist.
#                        NOTE: dnsmasq will be bounced.
#           GuestSubnet  wl1.2 ip=192.168.1.99,192.168.1.100
#                        Guest WiFi 5GHz interface wl1.2 will allow access to LAN devices 192.168.1.99,192.168.1.100
#           GuestSubnet  Guest242
#                        Guest WiFI SSID 'Guest242' (possibly wl0.2?) will have the new DHCP subnet and DNS applied
#
# Although the script attempts to relieve the user from knowing anything about esoteric WiFi configuration, if the configuration needs to be further customised, create '/jffs/configs/dnsmasq.conf.add' and manually edit as required.
#
# /jffs/configs/dnsmasq.conf.add:
#
# e.g. set 2.4GHz Guest #1 to use DHCP pool 10.88.241.2 - 10.88.241.20 and OpenDNS/Google DNS
#
#        interface=wl0.1
#        dhcp-range=wl0.1,10.88.241.2,10.88.241.20,255.255.255.0,21600s
#        dhcp-option=wl0.1,3,10.88.241.1
#        dhcp-option=wl0.1,6,208.67.220.220,8.8.8.8
#
# and will be included in '/etc/dnsmasq.conf' by command 'service restart_dnsmasq' and @boot time etc.
# see "man dnsmasq", or run "dnsmasq --help dhcp" for more info
#
# to have the desired GuestSubnet commands run automatically at boot, add them to a script which is automatically executed, e.g., /jffs/scripts/nat-start or /jffs/scripts/services-start:
#
#       #!/bin/sh
#       sh /jffs/scripts/GuestSubnet  wl0.1   # Guest 2.4GHz Wifi #1 subnet
#       sh /jffs/scripts/GuestSubnet  wl1.2   # Guest 5GHz   Wifi #2 subnet
 
I have a few more questions:

1. What is the difference between these two commands?
Code:
./GuestSubnet  wl0.1
and
Code:
./GuestSubnet  wl0.1   autodnsmasq

The instructions make me believe that the first one will "have the new DHCP subnet and DNS applied (default)" which seems to be exactly what the second command does. Is there a difference?

2. What is the interface naming convention? I'm sure there must be a wiki page on this, but I did not find it yet.

When I run `ip a` here are my wireless interfaces:

Code:
21: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether 0e:7c:92:6b:a1:24 brd ff:ff:ff:ff:ff:ff

22: wl1.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether 0e:7c:92:6b:a1:26 brd ff:ff:ff:ff:ff:ff

Obviously, that's not the whole story, and it doesn't even show the IP addresses for those interfaces... so I tried the following command:
Code:
# nvram show | grep ssid
wl0.1_ssid=Asus2G_Guest
wl0.2_ssid=ASUS_48_2G_Guest2
wl0.3_ssid=ASUS_48_2G_Guest3
size: 66404 bytes (64668 left)
wl0_ssid=Asus2G
wl1.1_ssid=Asus5G_Guest
wl1.2_ssid=ASUS_48_5G_Guest2
wl1.3_ssid=ASUS_48_5G_Guest3
wl1_ssid=Asus5G
wl_ssid=Asus2G
wlc0_ssid=
wlc1_ssid=
That does at least show all the interfaces. Guest2 and Guest3 are not active or enabled, so I was a bit surprised to see them there. I'm also not sure why wl0 and wl1 do not show up with the `ip address` command, and why wl0.1 and wl1.1 don't have IP addresses.

3. After executing these GuestSubnet commands, how do I verify that the desired results have happened? Normally, I would use the `ip address` command, but I see that on a router things are a bit different. As my output above shows, that command does not list an IP address for these wireless interfaces, so I'm not sure how I will monitor that things have gone according to plan.

My best guess is that I need these two commands:

Code:
sh /jffs/scripts/GuestSubnet  wl0.1   # Guest 2.4GHz Wifi #1 subnet
sh /jffs/scripts/GuestSubnet  wl1.1   # Guest 5GHz   Wifi #1 subnet

However, I would like to check the before and after IP addresses and subnet mask on those interfaces. How do I do that?
 
1. What is the difference between these two commands?
Code:
./GuestSubnet  wl0.1
and
Code:
./GuestSubnet  wl0.1   autodnsmasq
Err read the help? :rolleyes:

If you run the first command, and either '/jffs/configs/dnsmasq.conf.add' doesn't exist, or there is no appropriate wln.x entry, then the script will report
Code:
(GuestSubnet.sh): nnnnnn ***ERROR Guest Wifi SSID: (wln.x) not defined in '/etc/dnsmasq.conf' - use 'autodnsmasq' command arg
So for noobs they would simply supply the 'autodnsmasq' directive and, as per the help, if '/jffs/configs/dnsmasq.conf.add' doesn't physically exist it will be created; if it already exists, then appropriate wln.x entries will be inserted if not present.

Clearly the 'autodnsmasq' directive is normally not required, but if specified, then it will simply act as a fail-safe when called from say nat-start following a firmware upgrade etc.
3. After executing these GuestSubnet, how do I verify that the desired results have happened? Normally, I would use the `ip address` command, but I see that on a router things are a bit different. As my output above shows, that command does not list an IP address for these wireless interfaces...
Code:
ifconfig   wl0.3

wl0.3     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:x
          inet addr:10.88.243.1  Bcast:10.88.243.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:2548914
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
...so I'm not sure how I will monitor that things have gone according to plan.
That's called testing o_O i.e. attach a client device to the new Guest Wifi subnet and check its configuration etc. and see if it is able to connect to the Internet but is excluded from the VPNs.
 