VPN on a dedicated virtual (wireless) AP

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Goto page 1, 2  Next
Author Message
woodomat
DD-WRT Novice


Joined: 28 Aug 2012
Posts: 13

PostPosted: Tue Aug 28, 2012 21:52    Post subject: VPN on a dedicated virtual (wireless) AP Reply with quote
Hi,

I'm trying to set up a virtual (wireless) AP in a way to route ALL traffic of the devices connected to that AP over an OpenVPN connection. The "normal" wireless AP and the LAN ports however should NOT use OpenVPN but rather the normal WAN.

I have successfully set up both the virtual AP (wl0.1) and an OpenVPN connection (tun0).

What I'm puzzled about is how to connect those two devices and where to get started. I've read through the wiki, parts of the forum but haven't found what I'm looking for...

Any hints would be highly appreciated. I run build 18024 on an E3000.

Thank you!
Sponsor
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17627
Location: Hesse/Germany

PostPosted: Tue Aug 28, 2012 22:28    Post subject: Reply with quote
unbridge the vap
forward all traffic via iptables from wifi to tun


easier:
-unbridge wifi
-create a openvpn tap connection and dont NAT nor bridge it
-create a new bridge of the tap and the wifi interface.
-you are done

_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
woodomat
DD-WRT Novice


Joined: 28 Aug 2012
Posts: 13

PostPosted: Mon Sep 03, 2012 19:00    Post subject: Reply with quote
Thanks for the reply, sash!

I'd prefere to go with tun - and managed to set up a "mixed" config in one wlan. But I was unlucky with setting up a dedicated vap that routes everything over vpn.

Can you enlighten me with some specific commands and where to enter them in the GUI?

Thanks again!
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Tue Sep 18, 2012 22:05    Post subject: Reply with quote
I would very much so like to know how to do this as well. I've been playing around with the policy based routing with no luck, and then I found this post. This... is ultimately what I wanted.

I created the VAP, and created a new bridge to which wlan0.1 is assigned. It has its own seperate subnet and DHCP server, and is not bridged. My VPN is openVPN.. its running as a TUN device. (I have no control over the openVPN server)

redirect-gateway def1 is set in the openVPN config.

How do I set this up so that only wlan0.1 is pushing traffic through the VPN?

_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Thu Sep 20, 2012 20:46    Post subject: Reply with quote
iptables -I FORWARD -i br1 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br1 -j ACCEPT


I'm no iptables expert (obviously).. but am I even close to getting this right?

Or do i need to expressly forward wl0.1 to tun1?

I'm trying to do your first suggestion, forward all traffic from the VAP to the TUN. It may also be good to know that I have wl0.1 assigned to br1.

I have also disabled the gateway redirection.

_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Thu Sep 20, 2012 21:31    Post subject: Reply with quote
These are my current iptables forward chain rules:

root@DD-WRT:~# iptables -L FORWARD --verbose
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- wl0.1 tun anywhere anywhere
0 0 ACCEPT 0 -- tun wl0.1 anywhere anywhere
0 0 ACCEPT 0 -- br0 br0 anywhere anywhere
712 37824 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
8989 3110K lan2wan 0 -- any any anywhere anywhere
8141 3040K ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
672 58560 ACCEPT 0 -- br0 ppp0 anywhere anywhere
176 11555 ACCEPT 0 -- br1 ppp0 anywhere anywhere
0 0 TRIGGER 0 -- ppp0 br0 anywhere anywhere TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- br0 any anywhere anywhere
0 0 ACCEPT 0 -- br0 any anywhere anywhere state NEW

interestingly enough, I can ping googles DNS server 8.8.8.8. I cannot however resolve any web pages.. and it seems that the ICMP traffic is being funneled through the lan2wan connection.

_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Sat Sep 22, 2012 15:10    Post subject: Reply with quote
Sash, I know you know how to do this... and if you help me... I will pass that knowledge on.

I've got nothing to do but sit here and stare at my computer screen for hours and hours a night.. and I will donate some of that time to adding this to the wiki should you help me figure it out.

It seems I'm not the only one who would want to do this.

_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Sat Sep 22, 2012 15:36    Post subject: Reply with quote
[removed by user]
_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768


Last edited by Vespian on Tue Sep 25, 2012 17:46; edited 2 times in total
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Sat Sep 22, 2012 15:48    Post subject: Reply with quote
[removed by user]
_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768


Last edited by Vespian on Tue Sep 25, 2012 17:46; edited 1 time in total
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Sat Sep 22, 2012 17:59    Post subject: Reply with quote
I've also discovered that if you unbridge the VAP, you will not be able to set up WPA or WPA2 security because of a bug in the broadcom driver as it concerns unbridged APs. I have set up a new bridge.. set the VAP as default (bridged config) and assigned it to br1. This allows me to set up WPA2 AES security.

I am still having some difficulty in getting the IPTABLES forwarding rules correct so that traffic is forwarded to the tunnel interface. I also need to figure out how to get the DHCP server to assign a different DNS server to the VAP. I have DHCP functioning on the VAP. It is assigning IP's from a seperate subnet.

_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Sat Sep 22, 2012 21:17    Post subject: Reply with quote
[removed by user]
_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768


Last edited by Vespian on Tue Sep 25, 2012 17:45; edited 1 time in total
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Tue Sep 25, 2012 17:38    Post subject: SOLVED! Reply with quote
I have successfully gotten this working.

I will update the wiki with more thorough instructions soon, but if you could modify this thread as being solved... that would be beneficial.

I didn't have to use iptables at all.

Quick low down of how I did it:

VAP CONFIG:

1. Create a new VAP and leave it in its default configuration (do not unbridge it) This will allow you to use WPA for wireless security on broadcom hardware. (just trust me... if you don't do this you will be limited to WEP)

2. Create a new bridge, and assign it an IP space that is separate from your other network.

3.Add the VAP to the new bridge.

4. Set up a new DHCP server, and assign it to run on the new bridge.

5. Turn DNSMasq on. Put in its additional config(use the same bridge here as you did for the new DHCP server):
Code:
dhcp-option=br1,6, 8.8.8.8, 8.8.4.4


OPENVPN Config:


1. Set up your vpn connection like you normally would.

2. ENSURE that redirect-gateway def1 is NOT set in your additional config dialog. We need to define our own routes later.

3. ENSURE that route no-pull is NOT set in your additional config dialog. (This will allow OpenVPN to set up the basic routing and iptables rules that you will need)

Policy Based Routing:

1. Telnet into your router.

2. Pass the following commands (notes on specific modifications YOU WILL HAVE TO MAKE TO THESE COMMANDS is below the code block.

Code:

ip rule add from 10.13.37.0/24 table 200
ip route add default via 10.8.5.117 dev tun1 table 200
ip route flush cache


Note: You will have to replace 10.13.37.0/24 with the network address of your new bridge. You will also need to replace 10.8.5.117 with the address of the P-t-P link set up by OpenVPN. You can find this information by passing ifconfig to your router via telnet... and looking up the tunnel interface P-t-P address.

After all that.. it should be working. You may have to renew your DHCP information manually on your computer to get the changes to take... but that's all there is to it.

Like I said, I am going to be working on adding a more in depth instruction set to the wiki for this soon.

Enjoy! Smile

_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Tue Sep 25, 2012 20:03    Post subject: Wiki Updated. Reply with quote
I updated the wiki with more detailed instructions. Smile

http://www.dd-wrt.com/wiki/index.php/OpenVPN_on_Dedicated_Wireless_Access_Point_%28VAP%29

_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768
Otto
DD-WRT Novice


Joined: 03 Sep 2008
Posts: 14

PostPosted: Fri Apr 19, 2013 10:12    Post subject: non-vpn route via VAP Reply with quote
How would you isolate one a VAP from VPN?

I have router#1 (Asus RN-U66, latest Fractal) running on home. It´s running openvpn server in TAP/birdged mode.

I travel quite a lot so I just configured another router#2 (Netgear WNDR3700v2, latest Brainslayer) which has openvpn client configured so that it will connect to router#1 openvpn server.

router#1
Stationary at my home (WAN 100/10Mbps)
192.168.5.1, DHCP .100--.150
openvpn server TAP mode
openvpn server gateway 192.168.5.1
openvpn server pool .200--.220



router#2
Goes with me when traveling (WAN depends on the place I´m staying)
192.168.5.2, DHCP .150--.199


I have enabled "redirect default Gateway" option from openvpn server settings so when openvpn client connect to openvpn server, all the traffic is routed from eth ports and APs from router#2 via router#1 (verified this in with my friends WAN and traceroute).

This is very convenient when travelling. I can just grab router#2 with me to hookup it to hotel's WAN and it will route all the traffic via my home router#1 and I have access to my media servers and sites which are only available in my home country, etc. However, sometimes I would like to use router#2 so that all the traffic is not routed via router#1 (let´s say distance from router#2 to router#1 is 6000km and throughput via router#1 is ~0.1Mbps and I just want to browse youtube). I would like to have a VAP (on router#2) which is isolated from my TAP (vpn to router#1). I tried creating bridge br1 and assigned ath0.1 (VAP on router#2, bridged mode) and enabled MultiDHCP 10.11.12.0/24 on br1 bridge. Connecting to this ath0.1 VAP gives me IP address of 10.11.12.40, but no connectivity to anywhere (no bridges yet). If I assign eth1 (WAN) to br1 I loose connectivity on br0 which is not my intention.

I tried disable "redirect default Gateway" from router#1 but it went nuts (ping via ath0 or ath1 (WiFis) went to 300ms and lots of packet loss). openvpn on TAP mode and "redirect default Gateway" was the only way I got vpn tunnel working.

My question is:
How should I configure VAP ath0.1 (on router#2) so that traffic is not routed via TAP VPN (via router#1) in my configuration? And I would still have ability access to my VPN via eth ports and APs (ath0, ath1).
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 40

PostPosted: Wed Jul 23, 2014 16:28    Post subject: Reply with quote
I will like help please setting up DD-WRT OpenVPN Client to route via my bridge VAP on the router and non-VPN traffic to route via the normal WAN.

Currently I use two routers to do this, now I will like to learn how to make one router alone to be able do this.

My VPN client router is hard cabled to the ISP PPPoe router via a Lan port.

The OpenVPN server is located in another country, and all connect fine, just that I will like to eliminate one router and have it done with one alone.

I will like the router to broadcast the VPN Client via VAP and the Non-VPN side Wirelessly and if possible be able to have one LAN port assigned to VPN connection and the other Three to just allow normal non-VPN traffic.

Attempting to do this, before the VPN connects to the server I get internet connectivity however,when my VPN comes up, I get no internet connectivity at all from the router.

Attached are some screen shots of my current setting thus far, which has not worked.
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum