Posted: Sun May 10, 2015 7:33 Post subject: OpenVPN on dedicated VAP
I bought a new router specifically with the purpose of using OpenVPN. Found out that with DD-WRT it is possible to have a separate WiFi network (Virtual Access Point) use the OpenVPN tunnel so decided to flash DD-WRT on it.
Took me a few hours to read all the announcements and other information such as this forum thread.
I flashed from most recent stock firmware to the most recent build in "Other Downloads" on the DD-WRT site for my router: build 26854. Used the Asus WEB GUI to do this, unplugged it from power to reboot, reset DD-WRT to factory defaults, rebooted normally and waited some time.
Installation of DD-WRT was a breeze therefore: easy and painless.
Followed the OpenVPN on Dedicated Virtual Access Point guide in order to create the VAP to use OpenVPN with.
Firstly, got OpenVPN working (with IPVanish VPN service).
Used the DD-WRT UI user and password authentication for it instead of the method described in the IPVanish installation instructions. This was also easy.
Note: the IPVanish installation instruction also has instructions to increase logging settings for OpenVPN stuff in DD-WRT etc.
This is *REALLY* helpful in debugging problems. I recommend doing this!
Then created the VAP. No problems there either.
Continued to separate the two access points and then to the Policy Based Routing section in order to get only the VAP to use OpenVPN.
Initially I could not get this working: the IPVanish OpenVPN server pushed the "redirect-gateway def1" setting.
There is a note in the guide that tells you to make sure this is not in your "additional config" setting, but since the server pushes this setting it still interferes with the routing.
Effectively this setting instructs all traffic to go to OpenVPN by overriding the default gateway. This is done by having a slightly more specific netmask than the default gateway. (Default: 0.0.0.0/0, the def1 setting creates two routes: 0.0.0.0/1 and 128.0.0.0/1).
In order to get things to work I added a few instructions to the startup script to remove these routes again.
My script looks like this:
Code:
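# Wait for the OpenVPN tunnel to come up.
sleep 45;
# Name of the tunnel interface (tunN) and its point-to-point peer address.
tun_name=$(ifconfig | sed -n 's/.*\(tun[^ ]\).*/\1/p');
tun_addr=$(ifconfig $tun_name | sed -nr 's/.*P-t-P:([^ ]+) .*/\1/p');
# Gateway used by the pushed "redirect-gateway def1" routes.
tun_gw=$(ip route show | grep $tun_name | grep "0.0.0.0/1 via" | cut -d' ' -f3);
# Remove the two /1 routes that override the default gateway.
route del -net 128.0.0.0/1 gw $tun_gw
route del -net 0.0.0.0/1 gw $tun_gw
# Send traffic from the VAP subnet to table 200, whose default route is the tunnel.
ip rule add from 10.13.37.0/24 table 200;
ip route add default via $tun_addr dev $tun_name table 200;
ip route flush cache;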
The tun_gw variable determines the gateway address for the OpenVPN connection and the route del commands remove the default gateway override routes. Note: there is no typo, there should not be "ip " in front of "route del" there, if you do put it there the route deletion does not work.
What the guide does not explain is how separating the traffic is done.
A routing table can only have a single default gateway. Defining multiple does not work.
In order to separate the traffic, the "ip rule" redirects the specified traffic (everything coming from the 10.13.37.0 subnet) to use a separate routing table with number 200.
Then it sets up the default gateway for this routing table 200 and flushes the routing cache.
(Kernels supporting multiple routing tables refer to them by using unique integer slots between 0 and 255 with 255 being the local routing table and 254 being the main routing table.)
Took me a while to figure this out so I thought I'd share it here.
Tried to update the Wiki page, but you can't create accounts there and it is too cumbersome to find who to ask for one. If anyone who can create those accounts creates one for me, I'll try and add some notes to the page with this extra information (without removing the information already there).
Thanks to everybody for the information in this thread and elsewhere and special thanks to Malachi, who provided the final information I needed before starting the flash. _________________ Asus RT-AC68U @ Build 05-07-2015-r26854 (Router with dedicated OpenVPN VAP)
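A way to verify the routing state the post above describes, as an added example that is not part of the original post. The function names are hypothetical, the sample command output is constructed, and it assumes `ip rule show` prints rules in the `from <net> lookup <table>` form.

```shell
#!/bin/sh
# Added example (not from the thread). VAP subnet and table number are the
# post's values; the sample command outputs further down are constructed.
VAP_NET="10.13.37.0/24"
VPN_TABLE="200"

# True if the main table still has a /1 route from "redirect-gateway def1".
# Either one outranks 0.0.0.0/0 because its prefix is longer.
has_def1_override() {
    printf '%s\n' "$1" | grep -Eq '^(0\.0\.0\.0/1|128\.0\.0\.0/1) '
}

# True if an ip rule sends traffic sourced from the VAP subnet to the VPN table.
has_vap_rule() {
    printf '%s\n' "$1" | grep -Fwq "from $VAP_NET lookup $VPN_TABLE"
}

# True if the VPN table has a default route through a tun device.
has_vpn_default() {
    printf '%s\n' "$1" | grep -Eq '^default via [0-9.]+ dev tun[0-9]+'
}

# $1 = `ip route show`, $2 = `ip rule show`, $3 = `ip route show table 200`
routing_state() {
    if has_def1_override "$1"; then
        echo "def1-present"        # main table still pulls traffic into the tunnel
    elif has_vap_rule "$2" && has_vpn_default "$3"; then
        echo "split"               # only the VAP subnet is tunnelled
    else
        echo "vap-bypasses-vpn"    # lookup falls through to the main table (WAN)
    fi
}

# Constructed sample output for the state the startup script aims for.
SAMPLE_MAIN='default via 192.0.2.1 dev vlan2
10.13.37.0/24 dev wl0.1 proto kernel scope link src 10.13.37.1
10.8.0.5 dev tun1 proto kernel scope link src 10.8.0.6'
SAMPLE_RULES='0: from all lookup local
32765: from 10.13.37.0/24 lookup 200
32766: from all lookup main
32767: from all lookup default'
SAMPLE_T200='default via 10.8.0.5 dev tun1'

routing_state "$SAMPLE_MAIN" "$SAMPLE_RULES" "$SAMPLE_T200"
```

If the tunnel drops and table 200 loses its default route, the rule lookup falls through to the main table, which is the `vap-bypasses-vpn` case.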
Posted: Wed May 13, 2015 18:34 Post subject: Re: Can't Revert AC68U to Asus Firmware
Haul wrote:
Flash stock 3626 first, then flash newest stock. The problem is that the newest stock is partitioned differently than before.
Thank you Thank you !! Will try tonight.
I did try going back one version but not back to 3626.
So once I upgrade from 3626 to latest OEM with new partition what happens if I want to go back to DD-WRT? Do I need to revert to 3626 again? Or does DD-WRT handle either partitioning?
Is this what is meant by ASUS Firmware Restoration tool not being a "Upgrade Tool" in that it cannot handle the repartitioning?
I've been having WIFI drop outs for months, multiple builds from multiple developers (2 Laptops Win 7 and Win 8, 2 AC68U's at 2 different locations) and want to try stock firmware. I'm now using Stock firmware on an AC66U set as an access point with WIFI configured exactly the same (Channel, Width, SSID, Security etc.) and it's working perfectly. My wife VPNs to work 2 full days a week and she'll have to reconnect several times a day on AC68U/DD-WRT. On AC66U/OEM she never loses connection.
Posted: Thu May 14, 2015 17:09 Post subject: Re: Can't Revert AC68U to Asus Firmware
mswlogo wrote:
So once I upgrade from 3626 to latest OEM with new partition what happens if I want to go back to DD-WRT? Do I need to revert to 3626 again? Or does DD-WRT handle either partitioning?
Is this what is meant by ASUS Firmware Restoration tool not being a "Upgrade Tool" in that it cannot handle the repartitioning?
I do not know exactly how it works, but once I went to 3626 and then newest, I was able to go back to DD-WRT again. I haven't tried going back yet again to stock and don't know if I'll need to do 3626 first again, or if flashing the newest directly will now work.
Posted: Sat May 16, 2015 16:53 Post subject: WIfi 0
I put this build on my
ASUS (RT-AC68U) Wireless-AC1900 Dual-Band Gigabit Router
Downloads › betas › 2014 › 02-19-2014-r23598 › asus-rt-ac68u
The 2.6 GHz light is on
the 5 GHz light is off
My Wireless interface 1 is AC and I can connect to it and get an IP
My wireless interface 0 is G/N (also tried G only) with WEP (for older devices).
I can't get any device to connect to interface 0 and get an IP. The radio is on and I can see the SSID on the devices... it just won't connect and get an IP
Posted: Tue May 19, 2015 14:50 Post subject: Re: Can't Revert AC68U to Asus Firmware
mswlogo wrote:
Haul wrote:
Flash stock 3626 first, then flash newest stock. The problem is that the newest stock is partitioned differently than before.
Thank you Thank you !! Will try tonight.
I did try going back one version but not back to 3626.
So once I upgrade from 3626 to latest OEM with new partition what happens if I want to go back to DD-WRT? Do I need to revert to 3626 again? Or does DD-WRT handle either partitioning?
Is this what is meant by ASUS Firmware Restoration tool not being a "Upgrade Tool" in that it cannot handle the repartitioning?
I've been having WIFI drop outs for months, multiple builds from multiple developers (2 Laptops Win 7 and Win 8, 2 AC68U's at 2 different locations) and want to try stock firmware. I'm now using Stock firmware on an AC66U set as an access point with WIFI configured exactly the same (Channel, Width, SSID, Security etc.) and it's working perfectly. My wife VPNs to work 2 full days a week and she'll have to reconnect several times a day on AC68U/DD-WRT. On AC66U/OEM she never loses connection.
Going back to OEM Asus fixed my WIFI issues.
USB 3.0 didn't work well at all on DD-WRT either. When I finally did manage to get it to work (at blazing USB 2.0 speeds) when I copied files to it, the WIFI would shut down during the copy over the LAN.
Turns out the OEM firmware (which I never even looked at) has all the features I need.
DDNS, VPN (PPTP), Mac assigned DHCP (you can't assign names though which is annoying) and NAT.
Asus DDNS is pretty slick. No account needed !!
Just put in any sub domain and click Apply and you're done.
I appreciate all the effort that goes into DD-WRT, it certainly put pressure on manufacturers to up the ante, but DD-WRT just isn't working up to par for me any more.
When I do Administration > Firmware Upgrade, select the right file and press "upgrade" it starts the countdown, but soon afterwards I get "The connection was reset" in the browser. It didn't happen to me before with my previous upgrades. Any ideas how to bypass that?
UPDATE: I was able to fix it by clearing logins and cookies in Firefox for the past hour.
So forgive me for asking the same question that has been asked a number of times in this thread. Tried reading the 68 pages but it's simply too much.
What's the situation for flashing the 68u now? Before it seems one had to flash a rather old brainslayer build and then used kong builds for good performance. The routerdb points at a 14 month-old asus_rt-ac68u-firmware.trx, whereas in betas I can now find a .trx from yesterday (r27147).
1. what build is now considered decently stable for rt-ac68u?
2. do I need to flash something older first?
3. should I make any considerations to hardware version etc?
When I do Administration > Firmware Upgrade, select the right file and press "upgrade" it starts the countdown, but soon afterwards I get "The connection was reset" in the browser. It didn't happen to me before with my previous upgrades. Any ideas how to bypass that?
UPDATE: I was able to fix it by clearing logins and cookies in Firefox for the past hour.
shmerl, how is this beta build running on your ac68u? I'm currently running r23940 from the DD-WRT database and I'm not too happy with it, I was having issues with no port forwarding working on the latest ASUS stock firmware, and after flashing DD-WRT r23940 I'm still having the issue with none of my port forwards working... does anyone know what the deal is with this? It's driving me nuts.
I feel your pain,
I've been waiting a long time to get opinions on what's "stable" but it seems you need to install them all and test for yourself at this point.
Personally the only one that seemed working for me for what "I" wanted was the old one listed in the router database,
but turning off that option for ampdu I believe, to stop reboot crashes.
spm wrote:
So forgive me for asking the same question that has been asked a number of times in this thread. Tried reading the 68 pages but it's simply too much.
What's the situation for flashing the 68u now? Before it seems one had to flash a rather old brainslayer build and then used kong builds for good performance. The routerdb points at a 14 month-old asus_rt-ac68u-firmware.trx, whereas in betas I can now find a .trx from yesterday (r27147).
1. what build is now considered decently stable for rt-ac68u?
2. do I need to flash something older first?
3. should I make any considerations to hardware version etc?