Vpn Guest network rt-ac86u

Discussion in 'Asuswrt-Merlin' started by vino-vino, Jun 21, 2015.

  1. vino-vino

    vino-vino New Around Here

    Joined:
    Jun 21, 2015
    Messages:
    5
    Hi folks - noob to this, so please go easy :)

    I have managed to setup an openvpn client via the gui and that works great.

    I've been able to set up some routing rules, again via the latest gui 'policy rules', and these allow me to select particular ip addresses to go through the vpn, the rest via the regular isp network connection. All works great....

    I want to have the first 5g guest network (only) use the vpn, everything else to use the regular connection.

    I have followed guide for this here:

    https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN.


    It's not working for me... I have followed it pretty much exactly.

    Specifically, it does set up the guest network to hand out IPs in the range of 192.168.2.100/120

    But, When a client connects, they get an ip in that range, but they can't see the Internet.

    Was wondering if perhaps there is some kind of clash between the Gui configured openvpn client and the script? I think the policy rules section is really new so perhaps doesn't play nicely with the scripting?

    Is there a way to (through the gui), configure dhcp ip range for the guest network? I think if I can just get the guest network using the 192.168.2.X range, I can config the policy rules in the openvpn gui page to just route vpn traffic from those addresses.

    Thanks guys, sorry if this is some basic shizzle.
     
  2. vino-vino

    vino-vino New Around Here

    Joined:
    Jun 21, 2015
    Messages:
    5
    I guess I haven’t provided enough detail to get any responses - I’m still having a problem so I’ll try and provide more detail here.

    First up, I have an OpenVpn client set up via the Web interface. It works great - I have tested it in a couple of configurations. In both instances I had an iPad connected wirelessly to the router over the default 5Ghz network.

    1. In the OpenVpn Client section of the Web interface I have set ‘Redirect Internet traffic’ to ‘all’ and verified my iPad is going through the Vpn. In this config any other device I connect to the router also goes through the Vpn.

    2. In the OpenVpn Client section of the Web interface I have set ‘Redirect Internet traffic’ to ‘Policy Rules’ and then added a single rule - ‘Source Ip’ my iPad's Ip address, ‘Destination’ as 0.0.0.0. I verified my iPad is going through the Vpn. In this config any other device I connect to the router does NOT go through the Vpn but just uses the regular internet connection.

    The above is great - works really well.

    The problem is in trying to get everything on my guest network to use the Vpn (the other SSIDs I want to bypass the Vpn).
    I am using the first 5Ghz guest network (wl1.1).
    I saw the script example merlin has in github to do this (referenced in the url above) - its exactly what I am after.

    NOTE - Before editing / running the script I left my OpenVpn client active and set to ‘Policy Rules’ , but I removed the rule I had added for my iPad.

    I have run the script pretty much as is. The only change I have made is to change the wireless interface to the guest network:

    WRLSS_IF=wl0.1
    changed to
    WRLSS_IF=wl1.1

    After running the script I can connect my iPad to the guest network and confirm I am getting an Ip address of 192.168.2.101. This confirms that the changes to dhcp as set up in the script are working just fine. But when I try to browse to an internet site I get nothing - it just tries for a while and times out.
    In this setup, if I connect another client to the regular wireless interface, I go through the regular internet connection and can browse just fine.

    Next thing I tried was to change the ‘Policy Rules’ option in the OpenVpn client config in the Web interface. I was wondering if there was some kind of clash using that set-up. I tried with all the options in here - with no luck. Still can’t access the internet from the guest network.


    Finally, I had a closer look at the script - I *think* there might be an error in it .
    The script has these values set at the top:

    LS_START=192.168.2.100
    LS_END=192.168.2.120

    But I notice in the ‘initial setup’ description (point 3) says:

    3. Determine the network IP addressing that you would like to assign to this SSID. (e.g. 192.168.2.0/24)

    And the script itself has this:

    if [ `iptables -t nat -L -v | grep -c $TUN_IF` == 0 ]; then
    iptables -t nat -I POSTROUTING -s $WRLSS_IF_NTWK_ADDR/24 -o $TUN_IF -j MASQUERADE # Change /24 to the subnet that you will be using.
    fi

    I think the script itself is expecting the ip range for clients to go no higher than 192.168.2.24, when in fact we are starting at 192.168.2.100
    So I tried changing the script such that:

    LS_START=192.168.2.2
    LS_END=192.168.2.24

    I reran - but still no luck - the problem is the same, no internet access from the guest network.

    I am *fairly* sure that there is an error in the script, but even fixing it doesn’t seem to help me. My hunch is that the guest network is not allowed to ‘see’ the OpenVpn client setup from the main UI (maybe because it is ‘internal network’ that the guest is not allowed to see)??

    Any help greatly appreciated, thanks for reading.
     
  3. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    1,042
    Location:
    Pennsylvania USA
    The /24 is called the CIDR and indicates the number of IP addresses you can use. In this case it is 254 from .1 to .254.

    Sent from my Amazon Tate using Tapatalk
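    A worked check of what bbunge's /24 actually covers, as an added example that is not part of the thread or of the Merlin wiki script. The prefix length sets the netmask, not the last host number, so the 192.168.2.100-192.168.2.120 pool from the earlier post sits comfortably inside 192.168.2.0/24 and did not need to be moved below .24. The function names (ip_to_int, cidr_network, cidr_broadcast, cidr_usable, cidr_contains, pool_in_subnet) are my own; it is plain POSIX sh arithmetic, so it runs on the router's busybox shell as well as on a desktop.

```shell
#!/bin/sh
# Added example (not from the thread): what a CIDR prefix such as /24 covers,
# and whether a DHCP pool like 192.168.2.100-192.168.2.120 fits inside it.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length as an integer: /24 -> 255.255.255.0.
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_network 192.168.2.0/24 -> 192.168.2.0 (the network address itself)
cidr_network() {
    addr=${1%/*}; plen=${1#*/}
    int_to_ip $(( $(ip_to_int "$addr") & $(prefix_mask "$plen") ))
}

# cidr_broadcast 192.168.2.0/24 -> 192.168.2.255 (the last address)
cidr_broadcast() {
    addr=${1%/*}; plen=${1#*/}
    int_to_ip $(( $(ip_to_int "$addr") | (~$(prefix_mask "$plen") & 4294967295) ))
}

# cidr_usable 192.168.2.0/24 -> 254 (everything except network and broadcast)
cidr_usable() {
    plen=${1#*/}
    echo $(( (1 << (32 - plen)) - 2 ))
}

# cidr_contains CIDR IP -> exit 0 if IP lies inside the subnet, 1 otherwise
cidr_contains() {
    addr=${1%/*}; plen=${1#*/}
    mask=$(prefix_mask "$plen")
    [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# pool_in_subnet CIDR START END -> exit 0 if the whole DHCP pool is in the subnet
pool_in_subnet() {
    cidr_contains "$1" "$2" && cidr_contains "$1" "$3"
}

# Demo with the thread's numbers (constructed input, not router output).
# The first two pools are both fine; the third is in a different /24.
for pool in "192.168.2.100 192.168.2.120" "192.168.2.2 192.168.2.24" "192.168.3.100 192.168.3.120"; do
    set -- $pool
    if pool_in_subnet 192.168.2.0/24 "$1" "$2"; then
        echo "pool $1-$2 fits in 192.168.2.0/24 ($(cidr_network 192.168.2.0/24)-$(cidr_broadcast 192.168.2.0/24), $(cidr_usable 192.168.2.0/24) usable)"
    else
        echo "pool $1-$2 is OUTSIDE 192.168.2.0/24"
    fi
done
```

The same functions tell you whether a MASQUERADE rule written as `-s 192.168.2.0/24` will match a given client: it matches exactly the addresses for which cidr_contains succeeds, which is every address from .1 to .254, whatever the DHCP pool boundaries are.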
     
  4. vino-vino

    vino-vino New Around Here

    Joined:
    Jun 21, 2015
    Messages:
    5
    Thanks so much for replying!

    Well this shows you my level of knowledge - just enough to be dangerous :)
    I googled CIDR and it makes a bit more sense to me - thanks for helping me.

    Well this will lead to me reverting my script changes, so I'm now back to the first problem - pretty much the original script and my guest network can't hit the Internet.

    Any more help is greatly appreciated.
     
    joegreat likes this.
  5. joegreat

    joegreat Very Senior Member

    Joined:
    Jan 9, 2013
    Messages:
    1,696
    Location:
    Vienna, Austria
    Hi,

    Did you make any progress on this topic? I have the same issue with the script - simply does not work with the actual Merlin firmware.

    With kind regards
    Joe :cool:
     
  6. vino-vino

    vino-vino New Around Here

    Joined:
    Jun 21, 2015
    Messages:
    5
    Hi Joe - in short, no. I gave up.
     
  7. peraburek

    peraburek Senior Member

    Joined:
    Mar 13, 2015
    Messages:
    207
    here is how I got it working
    if somebody could update WIKI with this script it would be great

    in this case I am using
    Guest Wireless 1 - 5GHz (wl1.1) with OpenVPN Client 1 (tun11)
    Guest Wireless 2 - 5GHz (wl1.2) with OpenVPN client 2 (tun12)

    if you want to use Guest Wireless 2.4GHz adjust your interface name

    script: "/jffs/scripts/wan-start"
    Code:
    #!/bin/sh
    # restart DHCP: this regenerates the firmware's /etc/dnsmasq.conf, so the
    # guest-network lines appended below start from a clean file on every run
    service restart_dnsmasq
    sleep 1
    
    # guest wireless wl1.1 & wl1.2 DHCP: each guest SSID gets its own subnet,
    # with the router's address on that interface as the gateway (option 3)
    killall dnsmasq
    sleep 2
    echo "interface=wl1.1" >> /etc/dnsmasq.conf
    echo "dhcp-range=wl1.1,192.168.10.2,192.168.10.254,255.255.255.0,28800s" >> /etc/dnsmasq.conf
    echo "dhcp-option=wl1.1,3,192.168.10.1" >> /etc/dnsmasq.conf
    echo "interface=wl1.2" >> /etc/dnsmasq.conf
    echo "dhcp-range=wl1.2,192.168.20.2,192.168.20.254,255.255.255.0,28800s" >> /etc/dnsmasq.conf
    echo "dhcp-option=wl1.2,3,192.168.20.1" >> /etc/dnsmasq.conf
    dnsmasq --log-async
    sleep 2
    
    # guest wireless assignment: give each guest interface its gateway address
    ifconfig wl1.1 192.168.10.1 netmask 255.255.255.0
    ifconfig wl1.2 192.168.20.1 netmask 255.255.255.0
    
    # guest wireless bridge: in the broute table DROP means "do not bridge this
    # frame, hand it to the IP layer", so guest clients are routed by the
    # kernel instead of being bridged onto br0 with the main LAN
    ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
    ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP
    ebtables -t broute -I BROUTING -p ipv4 -i wl1.2 -j DROP
    ebtables -t broute -I BROUTING -p arp -i wl1.2 -j DROP
    
    # guest wireless firewall. vpn kill switch is built in: the only FORWARD
    # rule that accepts traffic from a guest interface sends it to that SSID's
    # tunnel, so there is no path to the WAN while the tunnel is down.
    # The INPUT rule accepts any new connection from guest clients to the
    # router itself (DHCP and DNS, but also the router's admin interfaces).
    iptables -I INPUT -i wl1.1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i wl1.1 -o tun11 -j ACCEPT
    iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o tun11 -j MASQUERADE
    iptables -I INPUT -i wl1.2 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i wl1.2 -o tun12 -j ACCEPT
    iptables -t nat -I POSTROUTING -s 192.168.20.0/24 -o tun12 -j MASQUERADE

    for OpenVPN client 1 script "/jffs/scripts/vpn-route-1.sh"

    Code:
    #!/bin/sh
    # This script goes in /jffs/scripts/vpn-route-1.sh
    # Add the following 2 lines to the OpenVPN configs
    # route-nopull
    # route-up /jffs/scripts/vpn-route-1.sh
    
    # clear tun11 (VPN client 1) table, if exists
    # (the del is a harmless no-op right after the flush)
    ip route flush table 11
    ip route del default table 11
    
    # not strictly necessary but speeds up routing changes
    ip route flush cache
    
    # get tunnel ip
    tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
    
    # routing table for tun11 with divert rule: everything arriving on wl1.1 is
    # looked up in table 11, whose only route is the default via the tunnel.
    # route-up runs again on every reconnect, so remove the previous copy of
    # the rule first instead of stacking duplicates
    ip route add default via $tun11_ip dev tun11 table 11
    ip rule del dev wl1.1 table 11 2>/dev/null
    ip rule add dev wl1.1 table 11
    #ip rule add from 192.168.1.11 table 11
    
    # not strictly necessary
    ip route flush cache
    
    # force vpn to default to custom dns: rewrite every DNS request from guest
    # clients to these resolvers (reached through the tunnel, via table 11),
    # so the guest SSID cannot use the router's or an arbitrary resolver.
    # Only the first server in the list ever matches, the rules for the
    # second are appended after it. Delete before add, for the same reason
    # as the ip rule above.
    DNS_SERVER="8.8.8.8 8.8.4.4"
    for ip in $DNS_SERVER
    do
        iptables -t nat -D PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip 2>/dev/null
        iptables -t nat -D PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null
        iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
        iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
        #iptables -t nat -A PREROUTING -s 192.168.1.11 -p udp --dport 53 -j DNAT --to $ip
        #iptables -t nat -A PREROUTING -s 192.168.1.11 -p tcp --dport 53 -j DNAT --to $ip
    done
    
    #vpn kill switch (only needed for the per-host variant above; for the
    #guest SSID the FORWARD rules in wan-start already provide it)
    #iptables -I FORWARD ! -o tun11 -s 192.168.1.11 -j DROP
    
    exit 0

    for OpenVPN client 2 script "/jffs/scripts/vpn-route-2.sh"
    Code:
    #!/bin/sh
    # This script goes in /jffs/scripts/vpn-route-2.sh
    # Add the following 2 lines to the OpenVPN configs
    # route-nopull
    # route-up /jffs/scripts/vpn-route-2.sh
    
    # clear tun12 (VPN client 2) table, if exists
    # (the del is a harmless no-op right after the flush)
    ip route flush table 12
    ip route del default table 12
    
    # not strictly necessary but speeds up routing changes
    ip route flush cache
    
    # get tunnel ip
    tun12_ip=$(ifconfig tun12 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
    
    # routing table for tun12 with divert rule: everything arriving on wl1.2 is
    # looked up in table 12, whose only route is the default via the tunnel.
    # route-up runs again on every reconnect, so remove the previous copy of
    # the rule first instead of stacking duplicates
    ip route add default via $tun12_ip dev tun12 table 12
    ip rule del dev wl1.2 table 12 2>/dev/null
    ip rule add dev wl1.2 table 12
    #ip rule add from 192.168.1.12 table 12
    
    # not strictly necessary
    ip route flush cache
    
    # force vpn to default to custom dns: rewrite every DNS request from guest
    # clients to these resolvers (reached through the tunnel, via table 12).
    # Only the first server in the list ever matches, the rules for the
    # second are appended after it. Delete before add, for the same reason
    # as the ip rule above.
    DNS_SERVER="80.237.128.144 80.237.128.145"
    for ip in $DNS_SERVER
    do
        iptables -t nat -D PREROUTING -i wl1.2 -p udp --dport 53 -j DNAT --to $ip 2>/dev/null
        iptables -t nat -D PREROUTING -i wl1.2 -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null
        iptables -t nat -A PREROUTING -i wl1.2 -p udp --dport 53 -j DNAT --to $ip
        iptables -t nat -A PREROUTING -i wl1.2 -p tcp --dport 53 -j DNAT --to $ip
        #iptables -t nat -A PREROUTING -s 192.168.1.12 -p udp --dport 53 -j DNAT --to $ip
        #iptables -t nat -A PREROUTING -s 192.168.1.12 -p tcp --dport 53 -j DNAT --to $ip
    done
    
    #vpn kill switch (only needed for the per-host variant above; for the
    #guest SSID the FORWARD rules in wan-start already provide it)
    #iptables -I FORWARD ! -o tun12 -s 192.168.1.12 -j DROP
    
    exit 0

    Don't forget to run this to make your scripts executable:
    Code:
    chmod 755 /jffs/scripts/*
    I suggest you set up a daily reboot of your router (at some time when it is convenient, for example 3AM etc.) because the DHCP server (dnsmasq) restarts sometimes for some reason.

    If anybody has an idea how to make the scripts even better, feel free to propose changes.
     
    Last edited: Oct 24, 2015
    adid likes this.
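    An added check, not part of peraburek's post or of the Merlin wiki script: the "vpn kill switch is built in" comment in wan-start holds only as long as the single `-i wl1.1 -o tun11 -j ACCEPT` rule stays the only FORWARD rule that accepts guest traffic. Someone trying to "fix" missing guest internet access by adding a broader rule, or a firmware with an ACCEPT chain policy, silently turns the guest SSID into a plain WAN leak when the tunnel is down. The function below audits `iptables -S FORWARD` output for exactly that. The function name forward_leaks and the two sample rule listings are my own constructions; on the router you would feed it the real chain with `iptables -S FORWARD | forward_leaks wl1.1 tun11`. It only reasons about rules that name the guest interface with `-i` (plus the chain policy); rules without `-i`, such as a conntrack ESTABLISHED accept, are outside its scope.

```shell
#!/bin/sh
# Added example (not from the thread): audit the FORWARD chain for a guest SSID
# that must only be forwarded into its VPN tunnel. Reads `iptables -S FORWARD`
# lines on stdin.
#
# forward_leaks GUEST_IF TUN_IF
#   prints every ACCEPT rule (or an ACCEPT chain policy) that lets GUEST_IF
#   traffic be forwarded anywhere except TUN_IF, and exits 1 if it found any.
forward_leaks() {
    awk -v g="$1" -v t="$2" '
        # An ACCEPT policy forwards whatever no rule dropped: no kill switch.
        $1 == "-P" && $2 == "FORWARD" && $3 == "ACCEPT" { print "policy: " $0; n++ }
        $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT( |$)/ {
            in_if = ""; out_if = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
            }
            # A rule with no -o matches every outgoing interface, WAN included.
            if (in_if == g && out_if != t) { print "leak: " $0; n++ }
        }
        END { exit (n > 0) }'
}

# Constructed sample output, shaped like `iptables -S FORWARD` after the
# wan-start script ran (these are not real captures from a router).
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -i wl1.1 -o tun11 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Same chain after a well-meant "fix" that accepts guest traffic to anywhere.
SAMPLE_LEAK='-P FORWARD DROP
-A FORWARD -i wl1.1 -o tun11 -j ACCEPT
-A FORWARD -i wl1.1 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Live use on the router:  iptables -S FORWARD | forward_leaks wl1.1 tun11
for sample in "$SAMPLE_OK" "$SAMPLE_LEAK"; do
    if printf '%s\n' "$sample" | forward_leaks wl1.1 tun11; then
        echo "ok: wl1.1 can only be forwarded via tun11"
    else
        echo "FAIL: wl1.1 traffic has a path around tun11"
    fi
done
```

Run it after every change to the guest firewall rules, and again after a reboot: the wan-start and route-up scripts re-add rules on every run, so the chain you inspect should be the one the scripts actually leave behind, not the one you typed by hand.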
  8. joegreat

    joegreat Very Senior Member

    Joined:
    Jan 9, 2013
    Messages:
    1,696
    Location:
    Vienna, Austria
    Hi,

    After some debugging of the script suggested in the Merlin Wiki, I found the problem and could fix it: It's just the right configuration of the VPN Client settings in the firmware!
    You need to set:
    a) Create NAT on tunnel = No - otherwise a route is created for all traffic
    b) Redirect Internet traffic = Policy rules - no rules to be added in the GUI - all will happen by the script
    c) For convenience: Add the created VPN script to the openvpn-event user script for the initial start (plus the cru command into the services-start user script).

    One small change to the suggested script:
    Move the ifconfig command from the routing section to the start of the DHCP Server section (otherwise the DHCP server complains about the non-existing guest WLAN).

    With these changes the VPN connection is set up correctly for the given guest WLAN on every reboot and works like a charm. :D

    With kind regards
    Joe :cool:

    PS.: I also combined my VPN setup with dnscrypt to route the DNS queries to a different (encrypted) DNS server.
     
    Last edited: Oct 25, 2015
  9. peraburek

    peraburek Senior Member

    Joined:
    Mar 13, 2015
    Messages:
    207
    can you please share your success so others can try it as well :)
     
    joegreat likes this.
  10. joegreat

    joegreat Very Senior Member

    Joined:
    Jan 9, 2013
    Messages:
    1,696
    Location:
    Vienna, Austria
    You can read the full success story here - as always: a small forum search helps to find answer... :rolleyes: