Vpn Guest network rt-ac86u


vino-vino

New Around Here
Hi folks - noob to this, so please go easy :)

I have managed to set up an OpenVPN client via the GUI and that works great.

I've been able to set up some routing rules, again via the latest GUI 'policy rules', and these allow me to select particular IP addresses to go through the VPN, the rest via the regular ISP network connection. All works great....

I want to have the first 5g guest network (only) use the vpn, everything else to use the regular connection.

I have followed guide for this here:

https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN.


It's not working for me... I have followed it pretty much exactly.

Specifically, it does set up the guest network to hand out IPs in the range of 192.168.2.100/120

But when a client connects, they get an IP in that range, but they can't see the Internet.

Was wondering if perhaps there is some kind of clash between the GUI-configured OpenVPN client and the script? I think the policy rules section is really new so perhaps doesn't play nicely with the scripting?

Is there a way to (through the GUI) configure the DHCP IP range for the guest network? I think if I can just get the guest network using the 192.168.2.X range, I can configure the policy rules in the OpenVPN GUI page to just route VPN traffic from those addresses.

Thanks guys, sorry if this is some basic shizzle.
 

vino-vino

New Around Here
I guess I haven’t provided enough detail to get any responses - I’m still having a problem so I’ll try and provide more detail here.

First up, I have an OpenVPN client set up via the Web interface. It works great - I have tested it in a couple of configurations. In both instances I had an iPad connected wirelessly to the router over the default 5GHz network.

1. In the OpenVPN Client section of the Web interface I have set 'Redirect Internet traffic' to 'all' and verified my iPad is going through the VPN. In this config any other device I connect to the router also goes through the VPN.

2. In the OpenVPN Client section of the Web interface I have set 'Redirect Internet traffic' to 'Policy Rules' and then added a single rule - 'Source IP' my iPad's IP address, 'Destination' as 0.0.0.0. I verified my iPad is going through the VPN. In this config any other device I connect to the router does NOT go through the VPN but just uses the regular internet connection.

The above is great - works really well.

The problem is in trying to get everything on my guest network to use the VPN (the other SSIDs I want to bypass the VPN).
I am using the first 5GHz guest network (wl1.1).
I saw the script example Merlin has in GitHub to do this (referenced in the URL above) - it's exactly what I am after.

NOTE - Before editing / running the script I left my OpenVPN client active and set to 'Policy Rules', but I removed the rule I had added for my iPad.

I have run the script pretty much as is. The only change I have made is to change the wireless interface to the guest network:

WRLSS_IF=wl0.1
changed to
WRLSS_IF=wl1.1

After running the script I can connect my iPad to the guest network and confirm I am getting an IP address of 192.168.2.101. This confirms that the changes to DHCP as set up in the script are working just fine. But when I try to browse to an internet site I get nothing - it just tries for a while and times out.
In this setup, if I connect another client to the regular wireless interface, I go through the regular internet connection and can browse just fine.

Next thing I tried was to change the 'Policy Rules' option in the OpenVPN client config in the Web interface. I was wondering if there was some kind of clash using that set-up. I tried with all the options in here - with no luck. Still can't access the internet from the guest network.


Finally, I had a closer look at the script - I *think* there might be an error in it.
The script has these values set at the top:

LS_START=192.168.2.100
LS_END=192.168.2.120

But I notice the 'initial setup' description (point 3) says:

3. Determine the network IP addressing that you would like to assign to this SSID. (e.g. 192.168.2.0/24)

And the script itself has this:

if [ `iptables -t nat -L -v | grep -c $TUN_IF` == 0 ]; then
iptables -t nat -I POSTROUTING -s $WRLSS_IF_NTWK_ADDR/24 -o $TUN_IF -j MASQUERADE # Change /24 to the subnet that you will be using.
fi

I think the script itself is expecting the IP range for clients to go no higher than 192.168.2.24, when in fact we are starting at 192.168.2.100.
So I tried changing the script such that:

LS_START=192.168.2.2
LS_END=192.168.2.24

I reran - but still no luck - the problem is the same, no internet access from the guest network.

I am *fairly* sure that there is an error in the script, but even fixing it doesn't seem to help me. My hunch is that the guest network is not allowed to 'see' the OpenVPN client set up from the main UI (maybe because it is the 'internal network' that the guest is not allowed to see)??

Any help greatly appreciated, thanks for reading.
 

bbunge

Part of the Furniture
The /24 is called the CIDR and indicates the number of IP addresses you can use. In this case it is 254 from .1 to .254.

Sent from my Amazon Tate using Tapatalk
 

vino-vino

New Around Here
The /24 is called the CIDR and indicates the number of IP addresses you can use. In this case it is 254 from .1 to .254.

Sent from my Amazon Tate using Tapatalk

Thanks so much for replying!

Well this shows you my level of knowledge - just enough to be dangerous :)
I googled CIDR and it makes a bit more sense to me - thanks for helping me.

Well this will lead to me reverting my script changes, so I'm now back to the first problem - pretty much the original script and my guest network can't hit the Internet.

Any more help is greatly appreciated.
 

joegreat

Very Senior Member
Well this will lead to me reverting my script changes, so I'm now back to the first problem - pretty much the original script and my guest network can't hit the Internet.
Hi,

Did you make any progress on this topic? I have the same issue with the script - simply does not work with the actual Merlin firmware.

With kind regards
Joe :cool:
 

peraburek

Senior Member
here is how I got it working
if somebody could update WIKI with this script it would be great

in this case I am using
Guest Wireless 1 - 5GHz (wl1.1) with OpenVPN Client 1 (tun11)
Guest Wireless 2 - 5GHz (wl1.2) with OpenVPN client 2 (tun12)

if you want to use Guest Wireless 2.4GHz adjust your interface name

script: "/jffs/scripts/wan-start"
Code:
#!/bin/sh
# restart DHCP
service restart_dnsmasq
sleep 1

# guest wireless wl1.1 & wl1.2 DHCP
killall dnsmasq
sleep 2
echo "interface=wl1.1" >> /etc/dnsmasq.conf
echo "dhcp-range=wl1.1,192.168.10.2,192.168.10.254,255.255.255.0,28800s" >> /etc/dnsmasq.conf
echo "dhcp-option=wl1.1,3,192.168.10.1" >> /etc/dnsmasq.conf
echo "interface=wl1.2" >> /etc/dnsmasq.conf
echo "dhcp-range=wl1.2,192.168.20.2,192.168.20.254,255.255.255.0,28800s" >> /etc/dnsmasq.conf
echo "dhcp-option=wl1.2,3,192.168.20.1" >> /etc/dnsmasq.conf
dnsmasq --log-async
sleep 2

# guest wireless assignment
ifconfig wl1.1 192.168.10.1 netmask 255.255.255.0
ifconfig wl1.2 192.168.20.1 netmask 255.255.255.0

# guest wireless bridge
ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP
ebtables -t broute -I BROUTING -p ipv4 -i wl1.2 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl1.2 -j DROP

# guest wireless firewall. vpn kill switch is built in.
iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o tun11 -j MASQUERADE
iptables -I INPUT -i wl1.2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl1.2 -o tun12 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.20.0/24 -o tun12 -j MASQUERADE


for OpenVPN client 1 script "/jffs/scripts/vpn-route-1.sh"

Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the OpenVPN configs
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing table for tun11 with divert rule
ip route add default via $tun11_ip dev tun11 table 11
ip rule add dev wl1.1 table 11
#ip rule add from 192.168.1.11 table 11

# not strictly necessary
ip route flush cache

# force vpn to default to custom dns
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.1.11 -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.1.11 -p tcp --dport 53 -j DNAT --to $ip
done

#vpn kill switch
#iptables -I FORWARD ! -o tun11 -s 192.168.1.11 -j DROP

exit 0


for OpenVPN client 2 script "/jffs/scripts/vpn-route-2.sh"
Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-2.sh
# Add the following 2 lines to the OpenVPN configs
# route-nopull
# route-up /jffs/scripts/vpn-route-2.sh

# clear tun12 (VPN client 2) table, if exists
ip route flush table 12
ip route del default table 12

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun12_ip=$(ifconfig tun12 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing table for tun12 with divert rule
ip route add default via $tun12_ip dev tun12 table 12
ip rule add dev wl1.2 table 12
#ip rule add from 192.168.1.12 table 12

# not strictly necessary
ip route flush cache

# force vpn to default to custom dns
DNS_SERVER="80.237.128.144 80.237.128.145"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -i wl1.2 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -i wl1.2 -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.1.12 -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -A PREROUTING -s 192.168.1.12 -p tcp --dport 53 -j DNAT --to $ip
done

#vpn kill switch
#iptables -I FORWARD ! -o tun12 -s 192.168.1.12 -j DROP

exit 0


Don't forget to run this to make your scripts executable:
Code:
chmod 755 /jffs/scripts/*

I suggest you set up a daily reboot of your router (at some time when it is convenient, for example 3AM etc.) because the DHCP server (dnsmasq) sometimes restarts for some reason.

If anybody has an idea how to make the scripts even better, feel free to propose changes.
 
Last edited:
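The wan-start script above repeats the same block once per guest SSID. As an added example (my own code, not peraburek's or the Merlin wiki's), the same setup as one parameterised function, with the kill switch made explicit rather than relying on the absence of a FORWARD rule, and router-side access from the guest narrowed to DHCP and DNS. Interface, tunnel and table names are the ones used in the thread; with RUN unset the commands are only printed so they can be reviewed before being applied on the router.

```shell
#!/bin/sh
# Added example, not from the thread: one function that emits the per-guest-SSID
# setup peraburek's wan-start script repeats for wl1.1/tun11 and wl1.2/tun12.
# Assumes the interface and table names used in the thread; RUN=1 executes the
# commands on the router, otherwise they are only printed for review.

run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# dnsmasq lines for one guest SSID: pool .2-.254, gateway = router's .1 on that SSID
dnsmasq_guest_conf() {
    printf 'interface=%s\n' "$1"
    printf 'dhcp-range=%s,%s.2,%s.254,255.255.255.0,28800s\n' "$1" "$2" "$2"
    printf 'dhcp-option=%s,3,%s.1\n' "$1" "$2"
}

# guest_vpn_rules WIFI_IF SUBNET_PREFIX TUN_IF TABLE   e.g. wl1.1 192.168.10 tun11 11
guest_vpn_rules() {
    wif=$1; net=$2; tun=$3; tbl=$4
    # 1. take the SSID out of br0: in the broute table DROP means "route, don't bridge"
    run ebtables -t broute -I BROUTING -p ipv4 -i "$wif" -j DROP
    run ebtables -t broute -I BROUTING -p arp -i "$wif" -j DROP
    run ifconfig "$wif" "$net.1" netmask 255.255.255.0
    # 2. DHCP for the now-routed SSID (append before dnsmasq is restarted)
    if [ "${RUN:-0}" = 1 ]; then
        dnsmasq_guest_conf "$wif" "$net" >> /etc/dnsmasq.conf
    else
        dnsmasq_guest_conf "$wif" "$net" | sed 's/^/dnsmasq.conf += /'
    fi
    # 3. policy routing: traffic arriving on the SSID consults the tunnel's table;
    #    while that table is empty (tunnel down) the lookup falls through to main,
    #    i.e. the WAN, which is why the explicit DROP in step 4 matters
    run ip rule add iif "$wif" table "$tbl"
    # 4. firewall: the guest may only be forwarded into its own tunnel (kill switch)
    run iptables -I FORWARD -i "$wif" ! -o "$tun" -j DROP
    run iptables -I FORWARD -i "$wif" -o "$tun" -j ACCEPT
    # 5. router services the guest may reach: DHCP and DNS only, not the admin UI/SSH
    run iptables -I INPUT -i "$wif" -p udp --dport 67 -j ACCEPT
    run iptables -I INPUT -i "$wif" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT -i "$wif" -p tcp --dport 53 -j ACCEPT
    run iptables -t nat -I POSTROUTING -s "$net.0/24" -o "$tun" -j MASQUERADE
}

# the two SSIDs from the thread
guest_vpn_rules wl1.1 192.168.10 tun11 11
guest_vpn_rules wl1.2 192.168.20 tun12 12
```

The route-up part (filling table 11/12 with the tunnel's default route and the DNS DNAT) stays in the per-client vpn-route scripts, since the tunnel address only exists once OpenVPN is up.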

joegreat

Very Senior Member
Hi Joe - in short, no. I gave up.
Hi,

After some debugging of the script suggested in the Merlin Wiki, I found the problem and could fix it: it's just the right configuration of the VPN Client settings in the firmware!
You need to set:
a) Create NAT on tunnel = No - otherwise a route is created for all traffic
b) Redirect Internet traffic = Policy rules - no rules to be added in the GUI - all will happen by the script
c) For convenience: add the created VPN script to the openvpn-event user script for the initial start (plus the cru command into the services-start user script).

One small change to the suggested script:
Move the ifconfig command from the routing section to the start of the DHCP Server section (otherwise the DHCP server complains about the non-existing guest WLAN).

With these changes the VPN connection is set up correctly for the given guest WLAN on every reboot and works like a charm. :D

With kind regards
Joe :cool:

PS.: I also combined my VPN setup with dnscrypt to route the DNS queries to a different (encrypted) DNS server.
 
Last edited:

joegreat

Very Senior Member
can you please share your success so others can try it as well :)
You can read the full success story here - as always: a small forum search helps to find the answer... :rolleyes:
 
