
YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


So just to confirm, I can now have 4 different VPN clients in play on my RT-AC68U? (2Ghz main & guest, 5Ghz main & guest)
Or is it just 3? (main, 2Ghz guest & 5Ghz guest)
Not sure I follow. The last update was to allow people with 2 5GHz radios to use the 2nd 5GHz radio with YazFi.

You can use up to 5 VPN Clients (depending on what your router supports), assuming there are no TCP/UDP or Port conflicts.

You can enable all guest networks (so 6, on your router I think) and direct them all to 1 VPN client, or spread them across 2-3, whatever you like!
 
Do we need to comment out guest networks we want to leave configured by the GUI (not override any of their configs) or will leaving it false in
YazFi.config be sufficient?
 
Do we need to comment out guest networks we want to leave configured by the GUI (not override any of their configs) or will leaving it false in
YazFi.config be sufficient?

Just leave wlXX_ENABLED as false and all will be fine!

Does this allow speed limit / bandwidth for guest network while qos is running?
I think that the firmware only allows QoS or Bandwidth Limiting, not both simultaneously. YazFi does not adapt this.
 
YazFi v1.3.0 is now available

Changelog:

Support for guests routed over ppp0 WAN (problem found in my own environment!). VPN routed guests were unaffected.

Addition of an update function, so future updates post 1.3.0 can be invoked using a switch in the script itself.


Script updated by running:
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi" -o "/jffs/scripts/YazFi" && chmod 0755 /jffs/scripts/YazFi
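
A staged variant of the update command above, as an added example that is not part of the original post and not YazFi's own update function: it downloads to a temporary file, rejects HTTP error pages and truncated downloads, and only then replaces the script that firewall-start runs. The function names, the `.new.$$` temporary name and the `.bak` backup are assumptions of this example.

```shell
#!/bin/sh
# Added example (not YazFi's own updater): stage, validate, then replace.
URL="https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi"
DEST="/jffs/scripts/YazFi"

# Accept a candidate only if it is non-empty, starts with a shebang and
# parses as shell. A plain-text error body or a cut-off download fails here.
validate_script() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^#!/' || return 1
    sh -n "$1" 2>/dev/null
}

# Replace dest with candidate, keeping the previous copy as dest.bak.
# On a failed check the candidate is deleted and dest is left untouched.
install_script() {
    candidate="$1"
    dest="$2"
    if ! validate_script "$candidate"; then
        rm -f "$candidate"
        return 1
    fi
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 1
    fi
    chmod 0755 "$candidate" && mv -f "$candidate" "$dest"
}

# Download next to the destination so the final mv is a rename on the same
# filesystem; -f makes curl fail on HTTP errors instead of saving the body.
update_yazfi() {
    tmp="$DEST.new.$$"
    if ! /usr/sbin/curl -fsSL --retry 3 "$URL" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    install_script "$tmp" "$DEST"
}

# Only touch the network when explicitly asked: sh this-file update
case "${1:-}" in
    update) update_yazfi ;;
esac
```

If a new version misbehaves, the previous script is still available as `/jffs/scripts/YazFi.bak`.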
 
Not sure I follow. The last update was to allow people with 2 5GHz radios to use the 2nd 5GHz radio with YazFi.

You can use up to 5 VPN Clients (depending on what your router supports), assuming there are no TCP/UDP or Port conflicts.

You can enable all guest networks (so 6, on your router I think) and direct them all to 1 VPN client, or spread them across 2-3, whatever you like!

Currently I have two VPN clients on the 2.4 radio, one TCP & one UDP - is this not the limiting factor? I can't have more than two clients working because of this, right?
Can I also have the same (one TCP & one UDP client) on the 5 Ghz radio without conflicting with those on the 2.4 radio?
I don't need that many clients but would like to understand the possibilities.
Thanks for your patience!
 
You can enable all guest networks (so 6, on your router I think) and direct them all to 1 VPN client, or spread them across 2-3, whatever you like!
If I spread my guest networks across 3 VPN clients, how do I get around the "TCP/UDP or Port conflicts" problem?
 
If I spread my guest networks across 3 VPN clients, how do I get around the "TCP/UDP or Port conflicts" problem?
I believe providers like PIA have alternative UDP ports (like 1197) that can allow you to have multiple UDP clients. I haven't tested this though!
 
I believe providers like PIA have alternative UDP ports (like 1197) that can allow you to have multiple UDP clients. I haven't tested this though!

PIA offers UDP connections on Ports 53,1194,1197,1198,8080 and 9021.

Each of the ports offers its own level of security, Root CA, Auth Hash and CRL.

I was able to get two clients from PIA running on the prior version of Merlin however the client running on Port 1197 seemed less stable and was slightly slower as you would expect using AES-256-CBC. I haven't tried on the latest stable version of Merlin but see no reason it would not work.
 
I believe providers like PIA have alternative UDP ports (like 1197) that can allow you to have multiple UDP clients. I haven't tested this though!
Thank you - will inquire with my VPN provider to see if this is offered.
Would a conflict still exist with two UDP connections on same port between 2.4 and 5.0 radios?
 
Does this stay active after reboots, or do you have to start it each time? Or what about working with AP mode? Just wondering.
 
@Swistheater

YazFi will be started after a reboot. It's added to the firewall-start script. As to AP, I'll let Jack answer that one, as it's not something I can. :confused:
 
I doubt it does, because it attaches itself to the firewall-start script, and AP mode doesn't have a firewall.
 
@Swistheater

I would think it could be added to a crontab job. I'll let Jack get more specific.

I helped with a few things as far as trying out the 3rd radio stuff, for my 5300, but I am still learning and don't want to steer anyone wrong.

As for me what I did for all my personal scheduled jobs, and scripts, like lights on and off. I created one script that runs on reboot. It makes sure all my jobs are scheduled and run accordingly. Much easier than having 2 or 3 lines here there and everywhere.

Long story short. I see no reason why it cannot work for you. It may just need a tweak.
 
Okay, so this is pretty good for setting up VPNs that won't allow IPv6 traffic to leak through, but I have a question about adding support to allow IPv6 traffic.
 
I doubt it does, because it attaches itself to the firewall-start script, and AP mode doesn't have a firewall.
I'm not sure how much, if any, of YazFi will work in AP mode. Certain things like VPN routing probably won't as I don't think they're available in AP mode. Happy to have feedback on what does and doesn't work though!
 
Okay, so this is pretty good for setting up VPNs that won't allow IPv6 traffic to leak through, but I have a question about adding support to allow IPv6 traffic.
I don't have IPv6 enabled, so I'm unable to test for support. If it's a case of replicating commands into ip6tables, then perhaps it's possible. I think openvpn only supports IPv4 - are you able to add IPv6 clients in policy routing?
 
In concept I know how to, but I haven't tried yet.
 
I made changes on my network and now YazFi is not working for me, believe it may be an issue with my VPN clients policy rules, of which I have zero understanding - any help you could provide will be much appreciated.

I updated YazFi script to latest, changed configuration file & ran the script using the /jffs/scripts/YazFi command - output attached.

I have 2 VPN clients which have been proven to work correctly - both clients always show connected.
Client 1 UDP
Client 2 TCP

I would like my main 2.4Ghz network to connect to Client 1. (which does)
I would like my 2.4Ghz guest network to connect to Client 1. (which does)
I would like my 5Ghz guest network to connect to Client 2. (which currently does if I run the script, but after a while I find it always switches to Client 1)

Screenshots attached from my YazFi configuration file for the two guest networks. The DNS IPs are Nord's.

Screenshots from router VPN clients showing what I currently have set for policy rules.....kind of fumbled through that, best guess going off of how it was when it was working with only one guest network.

Thank you.
 

Attachments

  • 2.4 Guest 1.png
  • 5.0 Guest 1.png
  • Output Form YazFi Script.png
  • VPN Client 1 .png
  • VPN Client 2.png

At the time when it stops sending traffic over VPN client 2, what does the VPN status page show? Only thing I can think of currently is that the tunnel is going down, since the policy routing rules all looked correct.
 
