
How to select a VPN client from a win-pc


KimM

New Around Here
I am considering buying an AsusWRT-Merlin based router ASUS RT-AC88U.

I am aiming to have more VPN clients, clients:
- dedicated to streaming from different countries
- dedicated to P2P
- dedicated to normal safe traffic in my homeland
- and the ability to passthru the router without using the VPN clients

But I am not sure, how I can or should set it up, so let me give you an example:

- My wife is watching some Danish web tv, and is therefore connected to a Danish vpn-server. She then wants to watch some US Netflix and therefore wants to switch to a US vpn-server.

- At the same time I'm watching BBC and am connected to a UK vpn server. Then I want to do some local banking and other administrative tasks, and therefore I want to use a connection to a DK vpn server.

- And one of the kids is playing a game directly on the wan.

We are all using Windows 7 based computers, both wired and wireless.

I know you can set up router rules, or you can log on to the router and change the setup, but that is not an option, as neither my wife nor my kids are IT whizzes.

I'm thinking of some kind of interface on the pc, where you can select which vpn-client you want to use, something like this, for example:

1. VPN connection ending in DK
2. VPN connection ending in UK
3. VPN connection ending in US
4. Connection without VPN

Please select: _

That is, that the connection isn't guided by rules on the router, but by choice/selection on the individual workstation.

Is this an option, and how to implement it?
 
On the router, you will first create static IP addresses for your clients based on the MAC address. Then, in the OpenVPN Web GUI page, you configure the VPN settings. Check the policy rules box. This will give you a drop down list to enter the static IP address for the clients that you want to go thru the VPN tunnel. This is the recommended setup if you have media streaming players such as Roku or watch shows thru the Smart TV apps. Even if you are not an IT wiz, there are guides on the forum on how to set it up. A good OpenVPN provider will also have instructions for ASUS Merlin and other firmware.

This guide is for PIA and some of it applies to other providers:

https://www.snbforums.com/threads/h...and-other-vpn-providers-380-67_0-07-18.30851/

And this guide I wrote for TorGuard VPN:

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-i.38281/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-ii.38282/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-iii.38283/

Unfortunately, the CPUs in most consumer routers will not allow you to get the best OpenVPN performance. Expect a drop in speed. However, despite the poor results, I am able to watch shows, sporting events and 4K videos without buffering. I use a Roku player. My vpn server is halfway across the world.

If you and your family are watching using your laptops, then most commercial vpn providers have client apps for iOS, Windows, Android, etc. I usually get faster performance when running OpenVPN on these devices. But I only do so when I am away from my house.
 

See the post

https://www.snbforums.com/threads/s...t-from-device-in-local-net.29958/#post-233148

so whilst the title seems appropriate, the thread is actually about switching the single ACTIVE VPN Client connection rather than dynamically selectively choosing which of the multiple concurrent VPN Clients is to be used by the source Win device.

However, the post describes the basic technique you would use and obviously you could enhance the .bat file to display a menu

e.g.
Code:
@echo off

FOR /F "tokens=4 delims= " %%i in ('route print ^| find " 0.0.0.0"') do set localIp=%%i
echo Choose:
echo [A] VPN DK
echo [B] VPN UK
echo [C] VPN US
echo [D] Local ISP
echo.
:choice
SET /P C=[A,B,C,D]?
for %%? in (A) do if /I "%C%"=="%%?" goto A
for %%? in (B) do if /I "%C%"=="%%?" goto B
for %%? in (C) do if /I "%C%"=="%%?" goto C
for %%? in (D) do if /I "%C%"=="%%?" goto D
goto choice
:A
echo VPN DK selected on %ComputerName% %localIp%
@echo off
::plink and pass the arg for VPN DK to VPN_Switch.sh
goto end
:B
echo VPN UK selected on %ComputerName% %localIp%
::plink and pass the arg for VPN UK to VPN_Switch.sh
goto end
:C
echo VPN US selected on %ComputerName% %localIp%
::plink and pass the arg for VPN US to VPN_Switch.sh
goto end
:D
echo WAN selected on %ComputerName% %localIp%
::plink and pass the arg for WAN ISP to VPN_Switch.sh
goto end
:end

and the VPN_Switch.sh script on the router would need to add/remove the ip rule to redirect the desired Win device to the correct VPN client table

e.g. 111 is for ovpnc1, etc.
 

Hi Martineau
Thank you for the answer - could you give an example of such a VPN_Switch.sh script, please.
 

I wrote this script back in 2015 (apologies for the ugly code) and have just edited/removed a lot of the obsolete code and reduced the features shown by the original intention (see 'help' etc.)

To avoid confusion with the functionality of the original VPN_Switch.sh, it is probably prudent to save this script as

/jffs/scripts/VPN_select_ON_OFF.sh

Code:
#!/bin/sh
# Usage:  VPN_select_ON_OFF {1 | 2 | 3 | 4 | 5 | 0} [host.dnsmasq | ip_address | KEY_tag] {ON | OFF} {FORCE | NOFORCE}
#
#
#             where  1 - 5            VPN Client to be used
#                      0              PPTP or L2TP Client to be used
#                    Host.dnsmasq     will be matched against /etc/hosts.dnsmasq contents
#                    Key_tag          will be matched against $USEPATH/VPN_MASKS.txt
#
#                    ON | OFF         VPN routing (if omitted then the audit file will be used to flip)
#
#                    FORCE | NOFORCE  Enforce or remove WAN blocking
# e.g.
#
#        VPN_select_ON_OFF   1  u200-115   on   force
#        VPN_select_ON_OFF   1  u200-115   off  noforce
#        VPN_select_ON_OFF   1  u200-115   off
#        VPN_select_ON_OFF   2  192.168.10.8/29
#        VPN_select_ON_OFF   2  192.168.10.200-192.168.10.203   on   force
#        VPN_select_ON_OFF   1  192.168.10.8/29   force
#        VPN_select_ON_OFF   1  192.168.10.8/29   noforce
#
MYROUTER=$(nvram get computer_name)
#USEPATH="/tmp/mnt/$MYROUTER"
USEPATH="/jffs/configs"
# Absolute path, so the hosts.dnsmasq lookups work from any working directory
ETC="/etc"

# First arg must be 0 (PPTP/L2TP) or 1 to 5 (OpenVPN Client)
if [ "$1" != "0" ] && [ "$1" != "1" ] && [ "$1" != "2" ] && [ "$1" != "3" ] && [ "$1" != "4" ] && [ "$1" != "5" ];then
   logger -s -t "($(basename $0))" $$ "**ERROR First arg $1 must be 1 to 5, or 0...... [$@]"
   echo -e "\a"
   exit 1
else
   if [ "$1" != "0" ];then
      logger -s -t "($(basename $0))" $$ "VPN Client $1 Selective routing for [$@]"
   else
      logger -s -t "($(basename $0))" $$ "PPTP/L2TP Selective routing for [$@]"
   fi
fi

# Translate input args into UPPERCASE
ACTION=`echo $3 | tr '[a-z]' '[A-Z]'`
FORCE=`echo $4 | tr '[a-z]' '[A-Z]'`

# Check if WAN access is to be blocked $3=FORCE requested
if [ "$ACTION" = "FORCE" ];then
   ACTION="NULL"
   FORCE="FORCE"
fi

# Check if WAN access is to be unblocked $3=NOFORCE requested
if [ "$ACTION" = "NOFORCE" ];then
   ACTION="NULL"
   FORCE="NOFORCE"
fi

# Perform a lookup if a hostname (or I/P address) is supplied and is not known to PING
# NOTE: /etc/hosts.dnsmasq is in format
#
#       I/P address    hostname
#
# Test the second arg (host/IP/key); the first arg was already validated above
if [ "$2" != "" ];then
   IP_NAME=`echo $2 | tr '[a-z]' '[A-Z]'`

   IP_RANGE=`ping -c1 -t1 -w1 "$IP_NAME" 2>&1 | tr -d '():' | awk '/^PING/{print $3}'`
   if [ -z "$IP_RANGE" ];then  # Not PINGable so lookup static

      IP_RANGE=$(grep -i "$IP_NAME" "$ETC"/hosts.dnsmasq  | awk '{print $1}')
      logger -s -t "($(basename $0))" $$ "Lookup '$IP_NAME' in DNSMASQ returned:>$IP_RANGE<"
      # If entry not matched in /etc/hosts.dnsmasq see if it exists in our VPN_MASKS.txt lookup file
      #
      #       KEY     I/P address
      #
      if [ "$IP_RANGE" = "" ];then
         IP_RANGE="$(grep -i "^$2" $USEPATH/VPN_MASKS.txt | awk '{print $2}')"
         logger -s -t "($(basename $0))" $$ "Lookup '$IP_NAME' in $USEPATH/VPN_MASKS.txt returned:>$IP_RANGE<"
      fi
   fi

else
   IP_NAME="HP-SPECTRE"
   IP_RANGE=`grep -i $IP_NAME $ETC/hosts.dnsmasq  | awk '{print $1}'`
   logger -s -t "($(basename $0))" $$ "DEFAULT '"$IP_NAME"' lookup returned:>$IP_RANGE<"
fi

# Validate the I/P address
REGEX="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
# Quote both operands so the value and the regex reach egrep unsplit
CHECK=$(echo "$IP_RANGE" | egrep "$REGEX")
if [[ "$?" -eq 0 ]];then
   echo "Valid IP address " $IP_RANGE
else
   logger -s -t "($(basename $0))" $$ "**ERROR Invalid IP address $IP_RANGE"
   echo -e "\a"
   exit 1
fi

if [ "$IP_RANGE" = "" ];then
   logger -s -t "($(basename $0))" $$ "**ERROR Missing arg: DNSMASQ hostname or IP address"
   echo -e "\a"
   exit 1
fi

VPN_UNIT=$1
VPN_PRIO=9000

# Is the actual VPN client UP....well is there a route to the VPN?
VPNROUTE=$(ip route show | grep -a "dev tun1"$1)
if [ "x$VPNROUTE" = "x" ] || [ "$(nvram get "vpn_client"$1"_state")" != "2" ];then
   logger -s -t "($(basename $0))" $$ "**Warning VPN Client $1 is not UP?"
   echo -e "\a"
   #exit 1
fi

MY_VPNTAB="11"$1

# Turn selective routing OFF
if [ "$ACTION" = "OFF" ];then
   ON_OFF=0
   logger -s -t "($(basename $0))" $$ "VPN Client "$1 "Selective routing for" $IP_RANGE "via RPDB ovpnc"$1 "("$MY_VPNTAB") (OFF)"
   ip rule del from $IP_RANGE lookup $MY_VPNTAB priority $VPN_PRIO 2> /dev/null > /dev/null
fi

# Turn selective routing ON
if [ "$ACTION" = "ON" ];then
   ON_OFF=1
   # Enable the selective rerouting
   # Prevent duplicate selective routing rule entries
   logger -s -t "($(basename $0))" $$ "VPN Client "$1 "Selective routing for" $IP_RANGE "via RPDB ovpnc"$1 "("$MY_VPNTAB") (ON)"
   ip rule del from $IP_RANGE lookup $MY_VPNTAB priority $VPN_PRIO 2> /dev/null > /dev/null
   ip rule add from $IP_RANGE lookup $MY_VPNTAB priority $VPN_PRIO
 
fi

ip rule
ip route flush cache

# Track known status of VPN selective routing.....
#echo $ON_OFF > $USEPATH/VPN_$IP_RANGE.txt

# Debug the routing tables
#/jffs/scripts/IPTablesDump.sh "VPN$1_Client_$IP_RANGE-$ACTION"

exit 0

so basically the Win .bat file will execute 'plink.exe' to request the execution of 'VPN_select_ON_OFF.sh' on the router, with the appropriate three mandatory arguments.

NOTE: Unless modified, this script would unfortunately potentially allow DNS leaks. :eek:
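
An added sketch, not part of the thread or of the script above: because the .bat file hands its arguments to a root shell on the router, this validates them strictly (the posted regex is unanchored, so any string that merely contains an address passes) and prints the rule changes needed to move one client between tunnels. It assumes the table numbering 11N and priority 9000 from the script; the function names, the "wan" keyword and the sample address are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Table 11N and priority 9000 follow
# the script above; function names and the sample address are constructed.
VPN_PRIO=9000

# Accept only a dotted-quad IPv4 address with an optional /prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (digits and dots only here)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (do not run) the commands that route source $2 via VPN client $1.
# $1 is 1 to 5, or "wan" to remove the client from every VPN table.
plan_switch() {
    unit=$1 src=$2
    case "$unit" in
        [1-5]|wan) ;;
        *) echo "bad unit: $unit" >&2; return 1 ;;
    esac
    valid_ipv4_cidr "$src" || { echo "bad source address" >&2; return 1; }
    # Clear the client from all five tables first: a leftover rule for
    # another table at the same priority can still match before the new one.
    for n in 1 2 3 4 5; do
        echo "ip rule del from $src lookup 11$n priority $VPN_PRIO"
    done
    [ "$unit" = wan ] ||
        echo "ip rule add from $src lookup 11$unit priority $VPN_PRIO"
    echo "ip route flush cache"
}

plan_switch 2 192.168.1.50   # constructed LAN address
```

The output is a dry-run plan; on the router the printed lines would be executed only after both checks pass.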
 