SmallNetBuilder Forums
#21 - saffron - 11-05-2014, 08:55 AM

Quote (originally posted by PorscheT):
Interesting... looking forward to hearing your findings. Would love to get this working.
Basic steps here for RT-AC68U
http://www.smallnetbuilder.com/forum...510#post148510

There is some scripting involved but SSH/telnet and jffs are optional.

Last edited by saffron; 11-05-2014 at 08:58 AM.
#22 - saffron - 11-13-2014, 11:15 PM

OpenVPN Client 1 on primary wireless and Client 2 on guest wireless 1

Tested on RT-AC68U and Merlin 376.47

I've had this connection up for over 24 hours. A third SSID for ISP was really unstable and not recommended - vlans and Asus don't really mix.

1. Set up the guest wireless
2. Set up the 2 OpenVPN clients and have them start with WAN
3. Add to wan-start
Code:
#!/bin/sh

# guest wireless wl0.1 DHCP
killall dnsmasq
sleep 2

# wan-start can run again on a WAN reconnect, so only append these lines once
if ! grep -q '^interface=wl0.1' /etc/dnsmasq.conf; then
    echo "interface=wl0.1" >> /etc/dnsmasq.conf
    echo "dhcp-range=wl0.1,192.168.2.2,192.168.2.254,255.255.255.0,86400s" >> /etc/dnsmasq.conf
    echo "dhcp-option=wl0.1,3,192.168.2.1" >> /etc/dnsmasq.conf
fi
dnsmasq --log-async
sleep 2

# guest wireless assignment
ifconfig wl0.1 192.168.2.1 netmask 255.255.255.0

# guest wireless bridge
# gets around asus vlan shortcomings: stop bridging guest frames so they are
# routed (and firewalled) instead of switched straight onto br0
ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

# guest wireless firewall: only forward guest traffic into client 2's tunnel (tun12)
iptables -I INPUT -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o tun12 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun12 -j MASQUERADE

# primary wireless firewall: forward primary wireless into client 1's tunnel (tun11)
iptables -I INPUT -i wl0.0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.0 -o tun11 -j ACCEPT
4. Add to /jffs/scripts/vpn-route-up.sh
Code:
#!/bin/sh

# This script goes in /jffs/scripts/vpn-route-up.sh

# Add the following to the OpenVPN configs
# route-nopull (Don't accept routes from server)
# route-up /jffs/scripts/vpn-route-up.sh

# OpenVPN runs this once per client, so both tables are rebuilt on every call

# clear tun11 (client 1) table, if exists (flush empties it, no separate del needed)
ip route flush table 11 2>/dev/null

# clear tun12 (client 2) table, if exists
ip route flush table 12 2>/dev/null

# remove earlier copies of the divert rules so reconnects don't stack duplicates
while ip rule del dev br0 table 11 2>/dev/null; do :; done
while ip rule del dev wl0.1 table 12 2>/dev/null; do :; done

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ips (empty if that tunnel is not up yet)
tun11_ip=$(ifconfig tun11 2>/dev/null | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
tun12_ip=$(ifconfig tun12 2>/dev/null | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

# routing table for tun11 with divert rule: primary wireless (br0) -> client 1
if [ -n "$tun11_ip" ]; then
    ip route add default via "$tun11_ip" dev tun11 table 11
    ip rule add dev br0 table 11
fi

# routing table for tun12 with divert rule: guest wireless (wl0.1) -> client 2
if [ -n "$tun12_ip" ]; then
    ip route add default via "$tun12_ip" dev tun12 table 12
    ip rule add dev wl0.1 table 12
fi

# not strictly necessary but speeds up routing changes
ip route flush cache

exit 0
5. Reboot

Scripts based on previous ones by Jobongo and Martineau

Last edited by saffron; 11-13-2014 at 11:17 PM.
#23 - saffron - 11-18-2014, 10:10 PM

ISP on primary wireless and VPN Client 1 on guest wireless 1

Tested with RT-AC68U and Merlin 376.47

Scripts put the regular ISP on the regular SSID (2.4 GHz) and VPN client 1 on guest wireless 1 (2.4 GHz)

My WAN connection type is IP. I'm not sure if this would work with PPPoE.

wan-start (make sure it's executable: chmod 755 wan-start)
Code:
#!/bin/sh

# guest wireless wl0.1 DHCP
killall dnsmasq
sleep 2

# wan-start can run again on a WAN reconnect, so only append these lines once
if ! grep -q '^interface=wl0.1' /etc/dnsmasq.conf; then
    echo "interface=wl0.1" >> /etc/dnsmasq.conf
    echo "dhcp-range=wl0.1,192.168.2.2,192.168.2.254,255.255.255.0,21600s" >> /etc/dnsmasq.conf
    echo "dhcp-option=wl0.1,3,192.168.2.1" >> /etc/dnsmasq.conf
fi
dnsmasq --log-async
sleep 2

# guest wireless assignment
ifconfig wl0.1 192.168.2.1 netmask 255.255.255.0

# guest wireless bridge: route guest frames instead of bridging them onto br0
ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

# guest wireless firewall. vpn kill switch is built in: the only FORWARD
# accept for wl0.1 points into tun11, so nothing is forwarded to the WAN.
iptables -I INPUT -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE

# optional. block all ports on vpn except: dns(53), http(80), https(443)
# (inserted after the ACCEPT above, so they sit in front of it and match first;
#  --dports checks the destination port only)
iptables -I FORWARD -i wl0.1 -s 192.168.2.0/24 -o tun11 -p tcp -m multiport ! --dports 53,80,443 -j DROP
iptables -I FORWARD -i wl0.1 -s 192.168.2.0/24 -o tun11 -p udp -m multiport ! --dports 53,443 -j DROP
vpn-route-up.sh (make sure it's executable: chmod 755 vpn-route-up.sh)
Code:
#!/bin/sh

# This script goes in /jffs/scripts/vpn-route-up.sh

# Add the following to the OpenVPN configs
# route-nopull
# route-up /jffs/scripts/vpn-route-up.sh

# clear tun11 (client 1) table, if exists (flush empties it, no separate del needed)
ip route flush table 11 2>/dev/null

# remove earlier copies of the divert rule so reconnects don't stack duplicates
while ip rule del dev wl0.1 table 11 2>/dev/null; do :; done

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip (empty if tun11 has no address yet)
tun11_ip=$(ifconfig tun11 2>/dev/null | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

# routing table for tun11 with divert rule: guest wireless (wl0.1) -> client 1
if [ -n "$tun11_ip" ]; then
    ip route add default via "$tun11_ip" dev tun11 table 11
    ip rule add dev wl0.1 table 11
fi

# not strictly necessary
ip route flush cache

# optional. force vpn to default to google dns
# (old copies are removed first so a reconnect doesn't stack duplicate rules;
#  only the first server in the list ever matches a packet, the second is never reached)
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
    while iptables -t nat -D PREROUTING -i wl0.1 -p udp --dport 53 -j DNAT --to $ip 2>/dev/null; do :; done
    while iptables -t nat -D PREROUTING -i wl0.1 -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null; do :; done
done
for ip in $DNS_SERVER
do
    iptables -t nat -A PREROUTING -i wl0.1 -p udp --dport 53 -j DNAT --to $ip
    iptables -t nat -A PREROUTING -i wl0.1 -p tcp --dport 53 -j DNAT --to $ip
done

exit 0
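An added check, not part of saffron's scripts or this thread: it reads an iptables-save dump and confirms that the guest SSID from posts #22 and #23 has no forward path to the WAN outside the tunnel, that the tunnel FORWARD and MASQUERADE rules exist, and counts the DNS DNAT rules that stack up when vpn-route-up.sh runs again on a reconnect. The WAN interface names are an assumption and the dump is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: checks an iptables-save dump for the
# guest-SSID policy that saffron's wan-start / vpn-route-up.sh install.

GUEST_IF="wl0.1"            # guest wireless interface used in the posts
GUEST_NET="192.168.2.0/24"  # guest subnet used in the posts
WAN_IFS="eth0 vlan2 ppp0"   # assumption: usual Asuswrt WAN interface names

# Kill switch intact? Fails if any FORWARD rule lets guest traffic straight
# out of a WAN interface instead of through a tun interface.
check_killswitch() {
    for wan in $WAN_IFS; do
        if printf '%s\n' "$1" | grep -q -- "-A FORWARD -i $GUEST_IF .*-o $wan .*-j ACCEPT"; then
            echo "FAIL: guest can reach WAN via $wan without the tunnel"
            return 1
        fi
    done
    echo "OK: no direct guest -> WAN forward rule"
}

# Tunnel path present? Needs both the FORWARD accept and the MASQUERADE
# for the guest subnet on tun11 or tun12.
check_tunnel_path() {
    printf '%s\n' "$1" | grep -q -- "-A FORWARD -i $GUEST_IF -o tun1[12] -j ACCEPT" || return 1
    printf '%s\n' "$1" | grep -q -- "-A POSTROUTING -s $GUEST_NET -o tun1[12] -j MASQUERADE" || return 1
    echo "OK: guest subnet forwarded and masqueraded through a tun interface"
}

# How many UDP DNS DNAT rules are installed? More than one means route-up
# re-added them on a reconnect without removing the old copies.
count_dns_dnat() {
    printf '%s\n' "$1" | grep -c -- "-A PREROUTING -i $GUEST_IF -p udp .*--dport 53 -j DNAT"
}

# Constructed sample in iptables-save format (not a real router dump): the
# rules from the posts, plus a duplicated DNAT rule left by a reconnect.
SAMPLE_DUMP='*nat
-A PREROUTING -i wl0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8
-A PREROUTING -i wl0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8
-A POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i wl0.1 -o tun11 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
COMMIT'

check_killswitch "$SAMPLE_DUMP"
check_tunnel_path "$SAMPLE_DUMP"
echo "DNS DNAT rules for $GUEST_IF: $(count_dns_dnat "$SAMPLE_DUMP")"
```

On the router, pass the live rules instead of the sample: check_killswitch "$(iptables-save)" and likewise for the other two functions.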
#24 - phaelium (Vancouver) - 11-19-2014, 03:03 AM

Hey Saffron

Thanks for all your hard work, this looks really close to what I need.

Would you mind helping me with this?


How would I modify your asuswrt script above to do this:

Primary/Default SSID/LAN (physically cabled, 2.4 and 5 GHz Wi-Fi) all go out the OpenVPN client connection to PIA.

Guest SSID (2.4 and 5 GHz, wl0.1 and wl1.1) goes out the regular WAN (non-VPN) and cannot access the primary SSID or LAN.


Thank you!