[graelb]

Hi All,

I'm sure this question has been posted somewhere on the forums before, but I can't find something that matches my situation well enough to get working.

My current setup is this: I need two wireless networks, 1 that I can connect to for work (Static IP through ISP), and another that I can connect to with home devices to route through my Privacy-VPN.

I'm running on Firmware: DD-WRT v3.0-r33675M kongac (11/03/17)

I've tried setting up a separate virtual unbridged interface under wireless tab, and got that working, but when I set the PBR to run on that separate subnet, I couldn't get DNS to route on the home-network; I would get an IP address on the correct subnet, but I would NOT get DNS to work. Pinging 8.8.8.8 would respond. In this config, my work network was working exactly as expected.

I've been working on this for like three hours now, and I'm frustrated as all hell.

So... can anyone give me any pointers? Again, I'll bulletpoint the ideal situation:

2 SSIDs on the 5G bands:

Celestia-Work
-Routes directly through ISP, using 8.8.8.8 as main DNS

Celestia-Home (I'll probably leave this as Celestia-5G)
-uses OpenVPN. Using 198.18.0.1 as primary DNS, fallback to 8.8.8.8 if possible

Any help would be appreciated big time.

Thanks guys!

[Per Yngve Berg]

Don't put the router's own IP in the PBR field.
Use a CIDR notation that does not include the router's own address.

[egc]

As Per Yngve said do not include the IP address of the router in the PBR.

But that also implies that you can not use DNS servers which are not publicly available.

So use DNS servers like 8.8.8.8 or 1.1.1.1 or what publicly available servers you want.

(and yes that could be leaking DNS requests, if you do not want that then see my signature about Policy Based Routing, in the second posting is a doc about DNS leaks and what to do about it)

[graelb]

Okay, Trying this again.

For more info, I'm using this tutorial as my guide:

https://medium.com/@libertylocked/dd-wrt-tricks-dedicated-wireless-virtual-access-point-for-openvpn-the-easy-way-6399fca14916


At the time of this particular posting, I'm not even getting DHCP.

I have Celestia-5G set up as the new wlan, and Celestia-Work as the natural wlan. Celestia-work is working, I don't have PBR set up yet. I have DHCP, and I'm on the 192.168.1.x subnet.

Celestia-work is NOT getting an IP address (169.x.x.x)

[graelb]

Success!

Got it. I had to powercycle the router. no idea why THAT made a difference after rebooting, but it did!

Thanks guys!

[graelb]

NNNNNOPE. I lied.

Having all sorts of issues.

Won't connect to the vpn AP.
WILL connect, but will lose connectivity with internet (ping or otherwise)

Will sometimes connect, but dns doesn't work....

[egc]

First get the VAP working without the VPN.

VAP's on Broadcom are sometimes troublesome to get working (maybe I issed it but what router are you using?)

The guide you followed actually looks quite decent at first glance.

Attached my notes with the VAP workarounds , but I think your build is so old that it is pre-VAP-trouble era, so that it might work without any workarounds.

In the old days you had to reboot to get a VAP working (rebooting after setup is alwauys a good idea)

First get the VAP working reliably then proceed with the VPN, is the VAP working with the VPN then proceed with PBR.

Always use a publicly available DNS server like mentioned in your guide (like 8.8.8.8 or 1.1.1.1)

[graelb]

Thanks for the tips egc. I'll give that a shot. It was weird, because once I got through the guide, everything was actually working just fine. After a few hours it stopped working reliably on either network, and different issues across different devices (mobile wouldn't connect to one network, and wouldn't get dns on another, Desktop would connect to the network that mobile wouldn't, and would get an IP address, but wouldn't ping, etc.)

I'm running on a Netgear R6400.

I'll try your suggestion. If worst case, I'll get another wifi router for the non-vpn network, and just run that in tandem on a vlan instead of a wlan.... Or I'll just go back to manually disabling the vpn during work =P

I might try running it in unbridged mode... I don't care if there is cross-network talk. I just want to make sure that anything on the one network goes through vpn for streaming and privacy purposes.

[egc]

The R6400 (v1) is a fine router (v2 also)

I have installed a boat load of them

Maybe reset to defaults first as you have been tinkering a lot and if you do that maybe just use Kongs latest build

Kong's builds have the ddup utility see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1172285#1172285

do not forget the

[graelb]

Alternatively, is there a command I can run that will toggle the vpn via command line that I can just set up as a script to run over ssh?

If a toggle isn't available, I could set up two scripts, one to turn it on and apply settings, and one to turn it off and apply settings... Obviously that won't work if the settings aren't saved when you disable it via script...

[egc]

[graelb]

Got it working! You were right. Make it work first, then work on getting the VPN and PBR working. Thank you!

Now... is there any way to allow all devices to see each other regardless of which network they're connected to, WITHOUT changing the PBR for VPN?

[egc]

I think what you are referring to is that clients on PBR can not see clients not under PBR and vice versa.

This is caused by the fact that local routes are not present in the alternate routing table.

See my signature at the bottom of this page 'Simple PBR' for some background.

You do not have to use that solution there is also a script from @eibgrad, which just copies the local routes.

I will send you the link tonight

[egc]

[graelb]

I'm definitely not being clear in my question here.

I have three wireless APs set up through the router:

Celestia: 192.168.1.x subnet
Celestia-5G:192.168.22.x subnet (PBR for VPN set for 192.168.22.128/25, and DHCP is routing those same IPs for that wlan)
Celestia-Work:192.168.1.x subnet

If I am connected to the -work AP, then I can see the devices connected to the celestia AP, but NOT any of them that are connected to the -5G AP, which is obnoxious because that means I can't stream audio to any of my google-homes setup on that network.

Actually, now that I have written it all out, Yes you guessed right. I can't see any of the devices set up on the PBR. My assumption here... is that it's because of the different subnets? Will your earlier suggestion fix that?