First of all I have to say that Merlin firmware is great. With that being said, I figured out a way to setup a guest wireless SSID to be routed over a VPN and have all my other devices go over the regular ISP using Merlin’s 24b3 build. I tried separate bridges, marking frames and nothing seemed to work. I have looked and looked and if someone else sees some improvements that can be made please let me know. This takes a few start-up scripts to get it working but it works. The only downside is that if the router has a soft or partial reset then it needs to be rebooted to set everything back up.
This setup creates an additional LAN; one for the SSID that will be routed to the VPN. I used a guest network so that it sets up a Virtual wireless interface. I would recommend that you setup entware. This should work if you want to set this up on the 5Ghz radio instead (eth2) but I have not tried it. I am using Merlin's build so you will need to enable JFFS. I have a custom dnsmasq.conf file that adds an additional DHCP server for the clients connecting to the VPN SSID. I used entware to make the startup scripts but they should work in the scripts folder in JFFS. I have no tried using them there yet. Here are the scripts:
IFCONFIG script: This assigns an ip to the virtual wireless interface to act as a gateway. This will automatically assign a /24 subnet. If you want something else use "netmask xxx.xxx.xxx.xxx" command after the IP.
ifconfig wl0.1 192.168.2.1
IPTABLES script: This allows access from wl0.1 interface as well as setting up masquerading on tun0 interface. Replace interface names where appropriate. I used the “accept all” concept to simplify but you can customize where needed to add additional security.
iptables -I INPUT -i wl0.1 -j ACCEPT
iptables -I FORWARD -i wl0.1 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE
EBTABLES script: This had me confused at first. –DROP does not mean drop the frame in the broute table. It means send it up the OSI layer (layer 3) which is what we want to do. This essentially makes wl0.1 interface routable outside of the br0 interface. The reason for arp(address resolution protocol) is so that mac addresses can be dynamically associated with an IP outside of the br0 interface.
ebtables -t broute -I BROUTING -i wl0.1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i wl0.1 -p arp -j DROP
ROUTERULES script: This is something that has to be setup to direct the traffic over the VPN. Once the ebtables rules are applied the interface and all packets that arrive are isolated. These rule and routes tell them where to go and where to look.
ip route add 192.168.0.0/24 dev eth0 table 10
ip route add 192.168.1.0/24 dev br0 table 10
ip route add 192.168.2.0/24 dev br0 table 10
ip route add default dev tun0 table 10
ip route add 0.0.0.0/1 dev tun0 table 10
ip route add 188.8.131.52/1 dev tun0 table 10
ip rule add from 192.168.2.0/24 table 10
ip route flush cache
OPENVPN: I used openvpn through entware. I was unable to make the configuration that I need though the web browser. The web interface worked but I wanted to bind my openvpn connection to a port and could not with the integrated one. This is not a big issue. I also set the route-nopull option in my openvpn config. This way no routes were added to the main table and I could select which ones I wanted to add to table 10.
DNSMASQ.CONF.ADD: This is what I added to the jffs/configs/dnsmasq.conf.add file:
I think I have covered it all. This is not perfect by any means but it works. You can also add per-IP devices be routed over the VPN (in case you want device on the default LAN to go over the VPN). Make sure that your scripts are executable. With this setup you can run them on-by-one and see if they all work. I may have missed something and if I have please let me know. If you have any trouble, let me know. I hope someone else finds this useful.