Hi everyone,
I recently purchased a Linksys WRT1200AC router, and have installed DD-WRT on it (v3.0-r30796 std (10/25/16)).
My goal is to set up a VAP (virtual access point) "SSID2" which connects to my (commercial) VPN provider using OpenVPN, while the original AP "SSID1" just goes through my ISP. The idea is to allow me to connect to the internet over VPN most of the time, but to be able to bypass this for certain purposes (e.g. Netflix).
I have managed to get both the VAP set up as well as OpenVPN, but am having trouble with the routing configuration (I think).
Using the GUI, I set up a virtual interface for SSID2 called ath1.1 and secured that using WPA2.
I then created a bridge (br1) and assigned the interface ath1.1 to br1. ath1.0, ath0 (which is the 5GHz channel) and eth0 are all set to br0.
I then set br1 to have IP address 192.168.2.1 and configured a second DHCP server for 192.168.2.xx.
I set the following DNSmasq options to allow for each bridge to use a different set of DNS servers: br0 to use OpenNIC, and br1 to use the DNS server for my VPN provider:
Code:
dhcp-option=br0,6, 169.239.202.202, 185.121.177.177
dhcp-option=br1,6, 10.8.0.1
At this point, I am able to connect to both SSIDs and can access the internet via both - in each case the traffic travels over the VPN.
Then, I added the following to the 'policy based routing' part of my OpenVPN setup:
At this point, I can connect to the internet directly through my ISP when connected to SSID1, as expected. However, when I connect to SSID2, I have no internet connection. ping/traceroute at this point both time out with 'unknown host' and 'failure in name resolution' respectively. Checking my laptop's /etc/resolv.conf shows that the nameserver is set to my VPN provider's DNS server as expected (and incidentally, using the OpenNIC servers instead produces the same result).
I think something is wrong with the routing table, but I'm not really sure. I have tried a lot of different fixes from the dd-wrt forums and a number of blogs, including a variety of firewall and/or startup scripts, as well as attempting to unbridge the two networks. Unfortunately, none have worked.
If anyone has any suggestions, I would be extremely grateful!
Thanks!
Some more info:
WITH policy based routing set:
Code:
# ip route
default via ISP.ISP.ISP.1 dev eth0
10.16.0.0/16 dev tun1 proto kernel scope link src 10.16.0.9
ISP.ISP.ISP.0/25 dev eth0 proto kernel scope link src ISP.ISP.ISP.12
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br1 proto kernel scope link src 192.168.2.1
# ip rule
0: from all lookup local
32759: from 192.168.2.0/24 lookup 10
32760: from 192.168.2.0/24 lookup 10
32761: from 192.168.2.0/24 lookup 10
32762: from 192.168.2.0/24 lookup 10
32763: from 192.168.2.0/24 lookup 10
32764: from 192.168.2.0/24 lookup 10
32765: from 192.168.2.0/24 lookup 10
32766: from all lookup main
32767: from all lookup default
WITHOUT policy based routing set:
Code:
# ip route
0.0.0.0/1 via 10.16.0.1 dev tun1
default via ISP.ISP.ISP.1 dev eth0
10.16.0.0/16 dev tun1 proto kernel scope link src 10.16.0.7
ISP.ISP.ISP.0/25 dev eth0 proto kernel scope link src ISP.ISP.ISP.12
ISP2.ISP2.ISP2.ISP2 via ISP.ISP.ISP.1 dev eth0
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.16.0.1 dev tun1
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br1 proto kernel scope link src 192.168.2.1
# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
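As an added example (not code from the post or from DD-WRT), here is a route-up/startup script that installs table 10 for br1 idempotently, plus two small checks that read `ip rule` and `ip route show table 10` output so that a pile-up like the seven identical rules above, or a table with no tunnel default route, is spotted before clients lose connectivity. It assumes the names visible in the post's output (br1 = 192.168.2.0/24, tun1, table 10, eth0 as WAN) and that the bridge's traffic must be refused rather than sent out over the WAN whenever the tunnel is down.

```shell
#!/bin/sh
# Assumed names, taken from the post's `ip route`/`ip rule` output.
VPN_NET=192.168.2.0/24
VPN_BR=br1
VPN_IF=tun1
WAN_IF=eth0
TABLE=10

# Count rules steering VPN_NET into TABLE in `ip rule` output read from stdin.
# Anything above 1 means rules are being appended on every reconnect, not replaced.
count_vpn_rules() {
    awk -v net="$VPN_NET" -v tbl="$TABLE" \
        '$2 == "from" && $3 == net && $4 == "lookup" && $5 == tbl { n++ } END { print n+0 }'
}

# Exit 0 if `ip route show table TABLE` output (stdin) has a default route over VPN_IF.
# Without one, a lookup in TABLE falls through to main and br1 traffic leaves via the WAN.
table_default_ok() {
    awk -v dev="$VPN_IF" \
        '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) ok = 1 }
         END { exit ok ? 0 : 1 }'
}

apply_pbr() {
    # Delete every stale copy of the rule first so reconnects never accumulate duplicates.
    while ip rule del from "$VPN_NET" lookup "$TABLE" 2>/dev/null; do :; done
    ip route flush table "$TABLE"
    # Connected route for the bridge itself: the rule also matches packets sourced from
    # 192.168.2.1, so without this the router's own DHCP/DNS replies would enter the tunnel.
    ip route add "$VPN_NET" dev "$VPN_BR" table "$TABLE"
    # Tunnel default plus a higher-metric 'unreachable' fallback as the kill switch: when
    # tun1 disappears its route goes with it and br1 traffic is refused instead of
    # falling through to the main table's default via eth0.
    ip route add default dev "$VPN_IF" table "$TABLE"
    ip route add unreachable default metric 1000 table "$TABLE"
    ip rule add from "$VPN_NET" lookup "$TABLE"
    ip route flush cache
    # NAT br1 clients behind the tunnel address; delete-then-add keeps it idempotent.
    iptables -t nat -D POSTROUTING -s "$VPN_NET" -o "$VPN_IF" -j MASQUERADE 2>/dev/null
    iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$VPN_IF" -j MASQUERADE
    # Second layer: forwarding from br1 straight to the WAN is never permitted.
    iptables -D FORWARD -i "$VPN_BR" -o "$WAN_IF" -j REJECT 2>/dev/null
    iptables -I FORWARD -i "$VPN_BR" -o "$WAN_IF" -j REJECT
}

# Only touch the kernel when explicitly asked: `sh pbr.sh apply`.
if [ "${1:-}" = "apply" ]; then apply_pbr; fi
```

Run `ip rule | sh -c '. ./pbr.sh; count_vpn_rules'` and `ip route show table 10 | sh -c '. ./pbr.sh; table_default_ok && echo ok'` on the router to check the live state before and after applying.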