Posted: Tue Jun 08, 2021 23:26 Post subject: Open VPN + Selective use/routing
Hi all,
I have a scenario I need to implement, where, simply and basically, I would like to have the single wifi router establish an OpenVPN tunnel to my provider, and then selectively have some traffic use it while the rest does not.
Kind of like, say, implementing more than one SSID, assigning different subnets to each, and for one of those (say "VPN Users") having all their traffic go through the tunnel, while the users of the other SSID(s) just flow normally through the WAN connection.
Is this something I can do with a dd-wrt router?
I was thinking:
1) Use its OpenVPN client
2) Create at least 2 SSIDS
3) Use policy based routing or, something I just saw (not sure if correctly), bridge a WLAN/SSID with a Virtual Tunnel Interface?
What do you think? Can I do this with dd-wrt? And any routers in particular you could recommend? (not super basic but with the required features)
Selective routing is already possible using the PBR (policy based routing) field of the GUI. Any source IP/network specified there is routed through the VPN. Everything else is routed through the WAN/ISP.
However, if you want to route traffic based on SSID, you can only do that indirectly, by placing those users on their own IP network, then specifying that IP network in the PBR field. There's simply no other way to know which users used which specific SSID for the same IP network (that information is lost to the rest of the network as soon as the user connects to the SSID). But having different classes of users on different IP networks is itself sometimes problematic. For example, network discovery does NOT work across IP network boundaries!
Hi, thanks for replying!
Maybe the way I described it seemed like 2 scenarios (maybe because I mentioned different features), but it's just the one.
I'll try again
- The router will be the main/only one in the house.
- I want the router to connect as a client to an OpenVPN service I have.
- Some devices will be wired (I expect to use just "normal" connectivity with these)
- Some devices will be wireless. For these, I do not necessarily want routing "based on SSID" per se (although if it's a feature, and a better option, sure, why not), but what I would like is to have 2 different SSIDs (for example "normal" and "vpn-out") with, I guess, different subnets (unless again, some feature makes that not really needed), and the goal is that when I want them to use the vpn I connect them to "vpn-out" and when I don't, I connect them to "normal".
There's no problem in creating a configuration where users connect to one SSID that's bound to the WAN, and another SSID that's bound to the VPN. **BUT** that can only happen based on the IP network, NOT the SSID. IOW, you can't say "bind SSID X to the WAN, and bind SSID Y to the VPN", and by inference have them both on the same IP network. Instead, you have to define SSID X as 192.168.1.0/24 (for example), and SSID Y as 192.168.2.0/24 (for example), then use policy based routing to bind 192.168.2.0/24 to the VPN. IOW, what you want to accomplish *requires* that each SSID be on a different IP network. And sometimes that's the rub. You just have to be aware of this requirement and its implications (e.g., lack of network discovery across the IP networks). If you can live w/ those implications, it'll work.
Got it, and that's perfectly fine. I don't need the networks to see/talk to each other, only that when a device needs the vpn (basically for accessing out-of-region content) it can connect to an SSID and (it seems, based on the IP it receives) it will reach its destination through the vpn tunnel, and when I don't need that, just "regular" routing with no unnecessary overhead.
So in a nutshell:
- create vpn config
- create ssids, assigning each to a different dhcp scope
- use pbr to make one subnet route through the tunnel and the other through the wan.
Is that about right?
Yes.
walterg74 wrote:
Recommended routers?
I don't get into recommending specific routers. FWIW, I always use Broadcom routers (esp. ASUS), since they tend to be more compatible than other chipsets, and are supported w/ other firmware besides dd-wrt (e.g., freshtomato, merlin). I find having other firmware options quite valuable since every firmware tends to be better at some operations than others.
You think this guy is up to the job? Or overkill/too little
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Wed Jun 09, 2021 12:54 Post subject:
don't bother with Broadcom, as although they are good, they are a bit touchy on compatibility as well, and there is WIP on Broadcom units atm..
Get R7800 as it's the best supported/performance/price value router atm... as well, you will need that CPU power for VPN, as you mention it...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
If you really want broadcom in Europe Netgear R6400v2 is rather cheap.
Broadcom has proprietary drivers, some prefer Atheros/ Qualcomm
One of the best routers is Netgear R7800.
Also research Wireguard new VPN has 3 times the performance
Checked a little about Wireguard, is that just a technology? If so, it wouldn't really matter as I am not creating my own vpn, but dependent on what my provider has.
That is why it is important that you choose a provider which supports WireGuard on the router
Ha! I still have about a year and a half of my subscription with them, and they have servers all over the world for what I need, not really about to change for the time being. But I will keep it in mind...
Joined: 01 Mar 2012 Posts: 22 Location: Nairobi, KE
Posted: Mon Jun 28, 2021 13:57 Post subject:
walterg74 wrote:
eibgrad wrote:
You're describing two different scenarios here.
Selective routing is already possible using the PBR (policy based routing) field of the GUI. Any source IP/network specified there is routed through the VPN. Everything else is routed through the WAN/ISP.
However, if you want to route traffic based on SSID, you can only do that indirectly, by placing those users on their own IP network, then specifying that IP network in the PBR field. There's simply no other way to know which users used which specific SSID for the same IP network (that information is lost to the rest of the network as soon as the user connects to the SSID). But having different classes of users on different IP networks is itself sometimes problematic. For example, network discovery does NOT work across IP network boundaries!
Hi, thanks for replying!
Maybe the way I described it seemed like 2 scenarios (maybe because I mentioned different features), but it's just the one.
I'll try again
- The router will be the main/only one in the house.
- I want the router to connect as a client to an OpenVPN service I have.
- Some devices will be wired (I expect to use just "normal" connectivity with these)
- Some devices will be wireless. For these, I do not necessarily want routing "based on SSID" per se (although if it's a feature, and a better option, sure, why not), but what I would like is to have 2 different SSIDs (for example "normal" and "vpn-out") with, I guess, different subnets (unless again, some feature makes that not really needed), and the goal is that when I want them to use the vpn I connect them to "vpn-out" and when I don't, I connect them to "normal".
Is that clearer?
I am doing the same thing with TP-Link Archer C7 (v2).
I have 4 SSIDs:
On the 2.4GHz band I have main-2.4 and virtual-2.4
On the 5GHz band I have main-5 and virtual-5
main-2.4 and main-5 are assigned to one bridge (br1), which has a subnet of 10.10.0.0/24; this subnet is placed in the PBR and so goes through the VPN.
virtual-2.4 and virtual-5 are on another bridge (br2), which has a subnet of 10.10.1.0/24 and is routed directly via the ISP.
The LAN (172.16.4.0/24) is on br0 and is routed via the ISP.
PS: It's possible to move interfaces across bridges. In PBR, any subnet you put in there will go out via the VPN.
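To make the point from both answers concrete (the router picks the egress from the packet's source IP, never from the SSID the client joined, so each SSID must sit on its own IP network), here is an added illustration that is not dd-wrt's own code. It models the PBR decision for the Archer C7 layout above (br1 10.10.0.0/24 in PBR, br2 10.10.1.0/24 and the 172.16.4.0/24 LAN left on the ISP), checks that a PBR entry does not accidentally swallow a network meant to stay on the ISP, and prints the generic Linux iproute2 rules that do the same job. The interface names `tun1` and `vlan2`, and the routing table number, are assumptions, not values from the thread or from dd-wrt's generated script.

```python
"""Policy-based routing by source subnet, as discussed in the thread.

Added example, not dd-wrt's code. Subnets follow the Archer C7 post;
interface names and the table number are constructed assumptions.
"""
import ipaddress
from typing import Iterable, List

# Constructed topology: br1 is in the PBR field, br2 and br0 are not.
VPN_SUBNETS = ["10.10.0.0/24"]                   # main-2.4 / main-5 (br1)
ISP_SUBNETS = ["10.10.1.0/24", "172.16.4.0/24"]  # virtual-* (br2) and LAN (br0)
VPN_IF = "tun1"   # assumed OpenVPN client interface
WAN_IF = "vlan2"  # assumed WAN interface
PBR_TABLE = 10    # assumed routing table number


def egress_for(src_ip: str, pbr_subnets: Iterable[str]) -> str:
    """Return 'vpn' if src_ip lies in any PBR subnet, otherwise 'wan'.

    Only the source address is consulted: two clients in the same subnet
    get the same answer regardless of which SSID they associated with.
    """
    addr = ipaddress.ip_address(src_ip)
    for cidr in pbr_subnets:
        if addr in ipaddress.ip_network(cidr, strict=True):
            return "vpn"
    return "wan"


def check_pbr(pbr_subnets: Iterable[str], isp_subnets: Iterable[str]) -> List[str]:
    """Report PBR entries that overlap a network meant to stay on the ISP.

    A too-wide entry (e.g. 10.10.0.0/16) would silently send the
    'normal' SSID through the tunnel as well.
    """
    problems = []
    for p in pbr_subnets:
        pn = ipaddress.ip_network(p, strict=True)
        for i in isp_subnets:
            if pn.overlaps(ipaddress.ip_network(i, strict=True)):
                problems.append(f"{p} overlaps {i}: those hosts would also exit via the VPN")
    return problems


def iproute2_rules(pbr_subnets: Iterable[str], vpn_if: str = VPN_IF,
                   table: int = PBR_TABLE) -> List[str]:
    """Generic iproute2 equivalent of the PBR field (not dd-wrt's own script).

    A second routing table defaults to the tunnel; a rule per subnet sends
    packets from that source through the table, everything else uses main.
    """
    cmds = [f"ip route add default dev {vpn_if} table {table}"]
    for p in pbr_subnets:
        cmds.append(f"ip rule add from {p} lookup {table}")
    cmds.append("ip route flush cache")
    return cmds


if __name__ == "__main__":
    for src in ("10.10.0.42", "10.10.1.42", "172.16.4.10"):
        print(f"{src:>14} -> {egress_for(src, VPN_SUBNETS)}")
    print("overlap check:", check_pbr(VPN_SUBNETS, ISP_SUBNETS) or "ok")
    print("overlap check (/16 mistake):", check_pbr(["10.10.0.0/16"], ISP_SUBNETS))
    print("\n".join(iproute2_rules(VPN_SUBNETS)))
```

The overlap check is the part worth keeping around: the PBR field accepts any prefix, and widening an entry to cover a second bridge moves that bridge's users onto the tunnel without any change to their SSID or DHCP scope.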