LinuxQuestions.org
Old 09-24-2017, 06:50 PM   #1
furrymonster
LQ Newbie
 
Registered: Jan 2012
Location: London
Distribution: Slackware
Posts: 26

Rep: Reputation: 9
Routing a VPN through a Virtual Access point using DD-WRT


Hi everyone,

I recently purchased a Linksys WRT1200AC router, and have installed DD-WRT on it (v3.0-r30796 std (10/25/16)).

My goal is to set up a VAP (virtual access point) "SSID2" which connects to my (commercial) VPN provider using OpenVPN, while the original AP "SSID1" just goes through my ISP. The idea is to allow me to connect to the internet over VPN most of the time, but to be able to bypass this for certain purposes (i.e. Netflix).

I have managed to get both the VAP set up as well as OpenVPN, but am having trouble with the routing configuration (I think).

Using the GUI, I set up a virtual interface for SSID2 called ath1.1 and secured that using WPA2.

I then created a bridge (br1) and assigned the interface ath1.1 to br1. ath1.0, ath0 (which is the 5GHz channel) and eth0 are all set to br0.

I then set br1 to have IP address 192.168.2.1 and configured a second DHCP server for 192.168.2.xx.

I set the following DNSmasq options to allow for each bridge to use a different set of DNS servers: br0 to use OpenNIC, and br1 to use the DNS server for my VPN provider:
Code:
dhcp-option=br0,6, 169.239.202.202, 185.121.177.177
dhcp-option=br1,6, 10.8.0.1
At this point, I am able to connect to both SSIDs and can access the internet via both - in each case the traffic travels over the VPN.

Then, I added the following to the 'policy based routing' part of my openVPN setup:
Code:
192.168.2.0/24
At this point, I can connect to the internet directly through my ISP when connected to SSID1, as expected. However, when I connect to SSID2, I have no internet connection. ping/traceroute at this point both time out with 'unknown host' and 'failure in name resolution' respectively. Checking my laptop's /etc/resolv.conf shows that the nameserver is set to my VPN provider's DNS server as expected (and incidentally, using the OpenNIC servers instead produces the same result).

I think something is wrong with the routing table, but I'm not really sure. I have tried a lot of different fixes from the dd-wrt forums and a number of blogs, including a variety of firewall and/or startup scripts, as well as attempting to unbridge the two networks. Unfortunately, none have worked.

If anyone has any suggestions, I would be extremely grateful!

Thanks!

Some more info:

WITH policy based routing set:
Code:
# ip route
default via ISP.ISP.ISP.1 dev eth0 
10.16.0.0/16 dev tun1  proto kernel  scope link  src 10.16.0.9 
ISP.ISP.ISP.0/25 dev eth0  proto kernel  scope link  src ISP.ISP.ISP.12 
127.0.0.0/8 dev lo  scope link 
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1 
192.168.2.0/24 dev br1  proto kernel  scope link  src 192.168.2.1 

# ip rule
0:	from all lookup local 
32759:	from 192.168.2.0/24 lookup 10 
32760:	from 192.168.2.0/24 lookup 10 
32761:	from 192.168.2.0/24 lookup 10 
32762:	from 192.168.2.0/24 lookup 10 
32763:	from 192.168.2.0/24 lookup 10 
32764:	from 192.168.2.0/24 lookup 10 
32765:	from 192.168.2.0/24 lookup 10 
32766:	from all lookup main 
32767:	from all lookup default
WITHOUT policy based routing set:
Code:
# ip route
0.0.0.0/1 via 10.16.0.1 dev tun1 
default via ISP.ISP.ISP.1 dev eth0 
10.16.0.0/16 dev tun1  proto kernel  scope link  src 10.16.0.7 
ISP.ISP.ISP.0/25 dev eth0  proto kernel  scope link  src ISP.ISP.ISP.12 
ISP2.ISP2.ISP2.ISP2 via ISP.ISP.ISP.1 dev eth0 
127.0.0.0/8 dev lo  scope link 
128.0.0.0/1 via 10.16.0.1 dev tun1 
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1 
192.168.2.0/24 dev br1  proto kernel  scope link  src 192.168.2.1 

# ip rule
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
 
Old 10-07-2017, 12:29 AM   #2
furrymonster
LQ Newbie
 
Registered: Jan 2012
Location: London
Distribution: Slackware
Posts: 26

Original Poster
Rep: Reputation: 9
So I think I have found a solution to my problem and am posting it here in case it saves somebody else time.

Having run the command
Code:
route -n
with and without the 'policy based routing' set, I noticed an entry routing 0.0.0.0 via what I presume is my ISP's gateway ip.

So after some trial and error (again, I am a newbie at this), I added the following as a startup script to attempt to add a similar route for my VPN provider:
Quote:
ip route add 0.0.0.0 via `ifconfig | grep -A30 tun1 | grep inet[^6] | awk '{print $2}'`
I restarted the router and suddenly everything was working as intended. Regular traffic over the regular SSID, VPN traffic over the VPN SSID.

Still need to do a bunch of testing, but I just wanted to share. Good luck!
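
A check for the routing state discussed in the two posts above, as an added example that is not part of the thread: it reads `ip rule` output and one table's routes and reports whether the VPN subnet's traffic really leaves through the tunnel. The function names and the table 10 sample are assumptions; the thread never shows the contents of table 10.

```shell
#!/bin/sh
# Added example, not from the thread: check that a source subnet is policy-routed
# into a table whose effective default leaves through the VPN tunnel.

# stdin: `ip rule` output. Prints the table of the first "from SUBNET lookup T" rule.
policy_table() {
    awk -v net="$1" '$2 == "from" && $3 == net && $4 == "lookup" { print $5; exit }'
}

# stdin: `ip route` output for one table. Prints the device that carries
# "everything else": OpenVPN's 0.0.0.0/1 + 128.0.0.0/1 pair wins over "default"
# because it is more specific; "split" means the two halves disagree.
egress_dev() {
    awk '
    function dev(   i) { for (i = 2; i < NF; i++) if ($i == "dev") return $(i + 1); return "" }
    $1 == "0.0.0.0/1"   { lo = dev() }
    $1 == "128.0.0.0/1" { hi = dev() }
    $1 == "default"     { def = dev() }
    END {
        if (lo != "" && lo == hi) print lo
        else if (lo != "" || hi != "") print "split"
        else if (def != "") print def
    }'
}

# check_vpn_subnet SUBNET TUNDEV RULES TABLE_ROUTES  (exit status: 0 ok, 1-3 problem)
check_vpn_subnet() {
    table=$(printf '%s\n' "$3" | policy_table "$1")
    [ -n "$table" ] || { echo "NO_RULE: $1 is routed by the main table"; return 1; }
    dev=$(printf '%s\n' "$4" | egress_dev)
    case "$dev" in
        "$2") echo "OK: $1 -> table $table -> $dev" ;;
        "")   echo "FALLTHROUGH: table $table has no default, later rules decide"; return 2 ;;
        *)    echo "WRONG_DEV: table $table sends $1 via $dev, not $2"; return 3 ;;
    esac
}

# Rules abridged from the thread's `ip rule` output (policy based routing set).
RULES='0:	from all lookup local
32765:	from 192.168.2.0/24 lookup 10
32766:	from all lookup main
32767:	from all lookup default'
# Constructed sample: the thread never shows the contents of table 10.
TABLE10='default via 10.16.0.1 dev tun1'

# On the router: check_vpn_subnet 192.168.2.0/24 tun1 "$(ip rule)" "$(ip route show table 10)"
check_vpn_subnet 192.168.2.0/24 tun1 "$RULES" "$TABLE10"
```

A rule whose table has no matching route does not drop the packet: the lookup continues with the next rule, which in the `ip rule` output above is `main`, where the default route goes via eth0.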
 
Old 03-27-2023, 09:18 AM   #3
zddd1
LQ Newbie
 
Registered: Mar 2023
Posts: 1

Rep: Reputation: 0
Thanks for the solution. I set up my OPENVPN as regular

1) created a dedicated SSID for it
2) Created a new bridge, then assigned the SSID to it
3) Bridge is subnet 192.168.3.0/24
4) Added policy-based routing 192.168.3.0/24 in the VPN settings
5) Set the DNS settings for the bridge to point to DNS of my VPN provider.

Everything works. DD-WRT v3.0-r51440 std (01/19/23), Netgear R7800
 
  


Tags
dd-wrt, openvpn, routing, vpn


