SmallNetBuilder Forums


#1
02-07-2013, 05:45 PM
jobongo (Member, joined Jan 2013)
How to set up an SSID for VPN and an SSID for the regular ISP using MerlinWRT

First of all I have to say that Merlin firmware is great. With that being said, I figured out a way to set up a guest wireless SSID to be routed over a VPN and have all my other devices go over the regular ISP using Merlin's 24b3 build. I tried separate bridges, marking frames, and nothing seemed to work. I have looked and looked, and if someone else sees some improvements that can be made, please let me know. This takes a few start-up scripts to get it working, but it works. The only downside is that if the router has a soft or partial reset then it needs to be rebooted to set everything back up.

This setup creates an additional LAN, one for the SSID that will be routed to the VPN. I used a guest network so that it sets up a virtual wireless interface. I would recommend that you set up entware. This should work if you want to set this up on the 5GHz radio instead (eth2), but I have not tried it. I am using Merlin's build, so you will need to enable JFFS. I have a custom dnsmasq.conf file that adds an additional DHCP server for the clients connecting to the VPN SSID. I used entware to make the start-up scripts, but they should work in the scripts folder in JFFS. I have not tried using them there yet. Here are the scripts:

IFCONFIG script: This assigns an IP to the virtual wireless interface to act as a gateway. This will automatically assign a /24 subnet. If you want something else, add "netmask xxx.xxx.xxx.xxx" after the IP.

Code:
        #!/bin/sh
        # Give the guest SSID's virtual interface (wl0.1) its gateway address.
        # ifconfig defaults to a /24 here; append "netmask x.x.x.x" for anything else.
        sleep 1
        ifconfig wl0.1 192.168.2.1
IPTABLES script: This allows access from the wl0.1 interface as well as setting up masquerading on the tun0 interface. Replace interface names where appropriate. I used the "accept all" concept to simplify, but you can customize where needed to add additional security.

Code:
        #!/bin/sh
        # Accept traffic arriving on the guest interface, both to the router
        # itself (INPUT) and through it (FORWARD).
        iptables -I INPUT -i wl0.1 -j ACCEPT
        iptables -I FORWARD -i wl0.1 -j ACCEPT
        # NAT the guest subnet onto the VPN tunnel interface.
        iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE
EBTABLES script: This had me confused at first. In the broute table, -j DROP does not mean drop the frame. It means send it up to layer 3 of the OSI model, which is what we want to do. This essentially makes the wl0.1 interface routable outside of the br0 interface. The reason for ARP (Address Resolution Protocol) is so that MAC addresses can be dynamically associated with an IP outside of the br0 interface.

Code:
        #!/bin/sh
        sleep 1
        # In the broute table, DROP means "route this frame" (hand it to layer 3)
        # instead of bridging it inside br0. Do this for IPv4 and for ARP.
        ebtables -t broute -I BROUTING -i wl0.1 -p ipv4 -j DROP
        ebtables -t broute -I BROUTING -i wl0.1 -p arp -j DROP
ROUTERULES script: This is something that has to be set up to direct the traffic over the VPN. Once the ebtables rules are applied, the interface and all packets that arrive are isolated. These rules and routes tell them where to go and where to look.

Code:
        #!/bin/sh
        # Wait for the OpenVPN tunnel (tun0) to come up before adding routes on it.
        sleep 20
        # Table 10: networks reached directly stay on their own interfaces ...
        ip route add 192.168.0.0/24 dev eth0 table 10
        ip route add 192.168.1.0/24 dev br0 table 10
        ip route add 192.168.2.0/24 dev br0 table 10
        # ... and everything else goes out the tunnel. The two /1 routes cover
        # the whole address space and beat any default route by prefix length.
        ip route add default dev tun0 table 10
        ip route add 0.0.0.0/1 dev tun0 table 10
        ip route add 128.0.0.0/1 dev tun0 table 10
        # Send packets sourced from the guest subnet through table 10.
        ip rule add from 192.168.2.0/24 table 10
        ip route flush cache

OPENVPN: I used openvpn through entware. I was unable to make the configuration that I need through the web browser. The web interface worked, but I wanted to bind my openvpn connection to a port and could not with the integrated one. This is not a big issue. I also set the route-nopull option in my openvpn config. This way no routes were added to the main table, and I could select which ones I wanted to add to table 10.

DNSMASQ.CONF.ADD: This is what I added to the jffs/configs/dnsmasq.conf.add file:

Code:
        # Serve DHCP on the guest interface, with 192.168.2.1 (wl0.1) as the gateway.
        interface=wl0.1
        dhcp-range=wl0.1,192.168.2.2,192.168.2.254,255.255.255.0,86400s
        dhcp-option=wl0.1,3,192.168.2.1

I think I have covered it all. This is not perfect by any means, but it works. You can also add rules for individual IPs to be routed over the VPN (in case you want a device on the default LAN to go over the VPN). Make sure that your scripts are executable. With this setup you can run them one-by-one and see if they all work. I may have missed something, and if I have, please let me know. If you have any trouble, let me know. I hope someone else finds this useful.

Last edited by jobongo; 02-08-2013 at 09:13 PM. Reason: Forgot to include route for 192.168.2.0/24 network.
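One caveat worth checking on this design: the `ip rule` sends guest-subnet traffic to table 10, but when tun0 goes away the kernel deletes the routes on it, table 10 no longer matches, and the lookup falls through to the main table and out the WAN. The Python model below is an added example, not part of jobongo's post; it reproduces the policy-routing lookup over the tables from the ROUTERULES script and shows how an `unreachable` default with a higher metric in table 10 makes the guest SSID fail closed instead. The client and Internet addresses are constructed sample values.

```python
import ipaddress
# Routing tables as (prefix, device, metric). "unreachable" stands in for the
# kernel's `unreachable` route type, which ends the lookup instead of letting
# it fall through to the next rule.
MAIN = [
    ("0.0.0.0/0", "eth0", 0),        # WAN default route (assumed)
    ("192.168.1.0/24", "br0", 0),    # regular LAN
    ("192.168.2.0/24", "wl0.1", 0),  # from `ifconfig wl0.1 192.168.2.1`
]
TABLE10 = [                          # table 10 as built by the ROUTERULES script
    ("192.168.0.0/24", "eth0", 0),
    ("192.168.1.0/24", "br0", 0),
    ("192.168.2.0/24", "br0", 0),
    ("0.0.0.0/0", "tun0", 0),
    ("0.0.0.0/1", "tun0", 0),
    ("128.0.0.0/1", "tun0", 0),
]
# Added kill switch (not in the post): a default route that only loses to the
# tun0 routes while they exist, and stays behind when they are gone.
KILLSWITCH = ("0.0.0.0/0", "unreachable", 100)
# Policy rules in priority order: `ip rule add from 192.168.2.0/24 table 10`
# is consulted before the implicit main-table rule.
RULES = [("192.168.2.0/24", "guest"), (None, "main")]

def tunnel_down(table):
    """What the kernel does when tun0 disappears: its routes are deleted."""
    return [r for r in table if r[1] != "tun0"]

def lookup(dst, src, tables):
    """Resolve dst for a packet from src: longest prefix wins, then lowest metric.
    A table with no matching route lets the lookup continue with the next rule."""
    dst, src = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for selector, name in RULES:
        if selector and src not in ipaddress.ip_network(selector):
            continue
        matches = [(ipaddress.ip_network(p).prefixlen, -metric, dev)
                   for p, dev, metric in tables[name]
                   if dst in ipaddress.ip_network(p)]
        if matches:
            return max(matches)[2]
    return None

UP = {"guest": TABLE10, "main": MAIN}
DOWN = {"guest": tunnel_down(TABLE10), "main": MAIN}
DOWN_HARDENED = {"guest": tunnel_down(TABLE10 + [KILLSWITCH]), "main": MAIN}

if __name__ == "__main__":  # constructed sample: guest client -> Internet host
    for label, tables in (("tunnel up", UP), ("tunnel down", DOWN),
                          ("tunnel down + kill switch", DOWN_HARDENED)):
        print(label, "->", lookup("203.0.113.10", "192.168.2.50", tables))
```

On the router the equivalent one-liner is `ip route add unreachable default table 10 metric 100`, added once and not tied to tun0, so it survives the tunnel going down.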
#2
02-07-2013, 11:18 PM
RMerlin (Very Senior Member, Canada, joined Apr 2012)
Nice work! I suggest you write a Wiki article on Github if you have the time, so such howtos can be easily accessible to people looking for them.
Asuswrt-Merlin: Customized firmware for Asus routers
Github: github.com/RMerl - Twitter: RMerlinDev
#3
02-08-2013, 03:59 AM
jobongo
Github Post

Thanks Merlin. I will be sure to create the wiki and post it on Github. I am going to make a few modifications and maybe create a script for a cron job.
#4
02-08-2013, 11:51 AM
huotg01 (Senior Member, joined Feb 2013)

Quote: Originally Posted by jobongo
...I think I have covered it all. This is not perfect by any means, but it works. You can also add rules for individual IPs to be routed over the VPN (in case you want a device on the default LAN to go over the VPN). Make sure that your scripts are executable. With this setup you can run them one-by-one and see if they all work. I may have missed something, and if I have, please let me know. If you have any trouble, let me know. I hope someone else finds this useful.

For my information, and maybe for some others almost new to all these possibilities, could you just write a few words about the uses of such a setup? Why would we do that?

Thanks,

GH
#5
02-08-2013, 06:07 PM
jobongo
Why one would want to do this.

This setup that I made is just to simplify connecting to a VPN for wireless devices. A lot of people use VPNs to connect to work, and many use them to change their IP location to view geographically restricted content (Netflix, Hulu, etc.). Simply put, you don't have to create specific rules for specific devices to route them over the VPN with this setup. You can just connect to the SSID that gets routed to the VPN and go. This is quite simple to implement in other custom firmwares (DD-WRT, Tomato), but I didn't want to go this route. These other firmwares, to the best of my knowledge, don't allow the use of the hardware acceleration that is available in the RT-N66U. I wanted to keep this feature, as I don't use QoS and other features that would disable it. Also, I have tried a couple of DD-WRT builds and found them to be "buggy" with this router.

Also, before this I used two separate routers for my network. One was for the VPN and one was for the ISP. This setup allows you to use only one router. I know that this setup is not perfect by any means, but I have seen a few posts where people are trying to do the same thing (or something very similar):

http://forums.smallnetbuilder.com/sh...ad.php?p=59338

http://tomatousb.org/forum/t-458894/...sid-vpn-tunnel

and I thought that maybe there were more out there who thought the way I did and wanted to know how to do it. I am working on a wiki that will be posted on the Merlwrt github site and will go into more detail on exactly how it is set up. I hope this answered your questions.
#6
02-18-2013, 10:47 AM
huotg01

Quote: Originally Posted by jobongo
Thanks Merlin. I will be sure to create the wiki and post it on Github. I am going to make a few modifications and maybe create a script for a cron job.

Good job. In the meantime, I added a link to this thread on the wiki.
GH
#7
02-19-2013, 06:33 AM
jobongo

Thanks. I am writing the wiki but have been a little under the weather for the past week. I also wrote a single script to simplify it and make everything more automated. I will post it within the next couple days.

Last edited by jobongo; 02-19-2013 at 07:09 AM.
#8
03-07-2013, 09:59 AM
Ancaster (New Member, joined Oct 2012)

Great work! I could have used this a few months ago before buying a 2nd N66. Though it only cost me $140 for 2 of them, I could have used the $100 gift card towards something else.

I have since connected servers/drives respectively to each router. Router 2 has a US VPN permanently ON and also has a drive with only children's shows and movies.

Router 2 in my setup also only runs 5GHz and is on a different channel than Router 1. And R1 has QoS for a wireless Ooma VoIP setup which is then connected to my home network of corded/cordless phones. R1's ports are consumed by 2 PCs, a server, and the LAN-WAN connection to R2.

Could I employ your methods and accomplish my present setup with one N66 while maintaining the reduced congestion and QoS?
(I guess I would lose the kids' drive up there)
#9
03-08-2013, 04:06 AM
jobongo

I don't see why you couldn't do it this way. The main reason that I chose to do it this way was to keep the hardware acceleration enabled, because I have a lot of WAN/LAN traffic. The setup should work the same with QoS enabled.

I would set up your VoIP phones and get everything working with QoS first. Then apply the scripts for whichever SSID you want to connect. I am not sure what you mean by congestion from your post. If you are talking about the network traffic, I wouldn't think that only adding a VPN and some devices to the switch should impact it that much. From what I understand, hardware acceleration doesn't improve traffic throughput for devices connected to the switch ports, only LAN/WAN connections.

My home network has a server, NAS, PS3, Apple TV, Xbox 360, a VPN client, a VPN server, and one desktop machine, not to mention the wireless devices that connect. This is all run through the RT-N66U, and I have never had a problem.

I have an additional 5 port gigabit switch connected to one of the RT-N66U switchports to handle the additional hardware devices. This is just an idea if you need more ports.

Let me know if you run into any trouble trying to set it up.
Tags: multiple, ssid, vpn
All times are GMT -4.