
I'm working to get my home network set up with Tomato to work with two Wi-Fi SSIDs. My router is a dual-band NETGEAR NIGHTHAWK router and so far Tomato works great on it and so does the VPN feature. The only downside is that when the VPN is active (when you choose start via the Tomato interface) it applies the VPN tunnel to both SSIDs that I have set up. Is there not some way to have the VPN be applied to only one of those SSIDs? That way, by changing my wireless network, I can be a part of the VPN tunnel that is running on my router.

Is this possible?

Hennes
matsko
  • I am halfway there myself; you need to play around with the `iptables` command line. For example, calling this will delete the rule forwarding all traffic from the secondary network (the one on 192.168.2.xxx) to the tunnel _tun11_, which is my OpenVPN... but I need to add back the masquerading for the interface somewhere... `iptables -t nat -D POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE` – draeron Apr 29 '16 at 03:50

1 Answer


I implemented something like this recently on my home network, on Tomato (shibby) v138. Here's a diagram: [image: Tomato LAN diagram]

Before getting into the VPN setup, I initially had both the 2.4GHz and 5GHz networks on the same SSID, let's call it "public". The internal network assigned devices to addresses in the range 192.168.1.2-254. This is what you see in the top half of the diagram.

These are the changes I made to add a new subnet that was routed through the VPN:

  1. Under Basic/Network/LAN, I added a new bridge named "br1". I gave it the IP address 192.168.2.1, netmask 255.255.255.0, DHCP enabled, and IP Range 192.168.2.2-254.
  2. Under Advanced/Virtual Wireless, I added two new virtual wireless interfaces, wl0.1 and wl1.1, for the 2.4GHz and 5GHz interfaces respectively. Both are assigned to the new bridge "LAN1 (br1)". I gave both the same new SSID, e.g. "private". You can also give them a different password from the public network if you like.
  3. Under VPN Tunneling/OpenVPN Client/Basic, I configured the VPN client (my VPN provider is Private Internet Access, so I followed this guide). I also enabled "Start with WAN" so it will start up automatically.
  4. Under VPN Tunneling/OpenVPN Client/Advanced, I set the "Ignore Redirect Gateway" option so the client won't route everything to the VPN.
  5. Under VPN Tunneling/OpenVPN Client/Routing Policy, I checked "Redirect through VPN" and added a line with type "From Source IP" and value "192.168.2.0/24" so all hosts on the new subnet get routed through the VPN.

At that point, I can start the VPN client, then pick up a wireless device, connect to the "private" network and confirm that my internet-facing IP is behind the VPN, and connect to "public" and stream Netflix/Amazon Prime video without getting geographic restriction errors.

Now you can set up each device to connect to either SSID according to its needs. In our house, the media streamer that serves Netflix streams to the TV set stays on the public network. My phone and laptop connect to the private network. In most cases you should pick one or the other; you don't want the device auto-connecting to either one arbitrarily.

Optional Extras

Getting wired: If you want a physical Ethernet port to connect through the VPN, you can add a new VLAN under Advanced/VLAN and assign it to the new bridge (br1). At this point you can move one or more physical Ethernet ports on the router to your secure VLAN if you want. I didn't, so only wireless clients will be able to join my private subnet.

Internal Routing: After following the steps above, you may find that clients on the public and private networks can't talk to each other. Setting up the VPN client's routing policy as I did above adds this rule:

iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j MARK --set-mark 311

to Tomato's firewall script. That marks every packet originating on the 192.168.2.0/24 network, and everything with the mark 311 gets routed through the VPN. This meant that any devices on the "public" subnet (192.168.1.0/24) couldn't talk to devices on the "private" subnet through the internal network, because though the request would get through, the response would get diverted to the VPN and lost. In my case I wanted to be able to access file shares from a server on the private network, so I decided to clear the mark for anything that should be sent to the public network. I did that by adding the line:

iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j MARK --set-mark 0

to Administration/Scripts/Firewall. You can add a similar rule for any ports you intend to forward to the router from the private network.

Fail-safe: Also known as a "kill switch," I added a couple additional rules to Administration/Scripts/Firewall that are meant to prevent anything from the private network going to the unprotected WAN (vlan2). This means that if the VPN goes down for some reason, clients connecting to the private network can't accidentally communicate over the unprotected WAN interface.

iptables -I FORWARD -s 192.168.2.0/24 -o vlan2 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -p tcp -s 192.168.2.0/24 -o vlan2 -m state --state NEW -j REJECT --reject-with tcp-reset
Matt
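The answer's three firewall additions (the mark-clearing rule under "Internal Routing" and the two kill-switch rules under "Fail-safe") collected into one script for Administration/Scripts/Firewall. This is an added example, not the answer's own text: the subnet and interface values are the ones the answer uses, while the function names, the DRYRUN switch and the duplicate check are this example's own. It assumes an iptables that supports `-C` (rule check); older Tomato builds that lack it would need the check removed or replaced.

```shell
#!/bin/sh
# Added example: the answer's firewall rules as a parameterised, idempotent
# script for Tomato's Administration/Scripts/Firewall. Values default to the
# ones used in the answer; function names and DRYRUN are this example's own.

PRIV_NET="${PRIV_NET:-192.168.2.0/24}"   # subnet on br1, routed through the VPN
PUB_NET="${PUB_NET:-192.168.1.0/24}"     # subnet on br0, plain WAN
WAN_IF="${WAN_IF:-vlan2}"                # unprotected WAN interface

# run ARGS... : execute iptables, or only print the command when DRYRUN is set
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# add_rule TABLE ACTION CHAIN MATCH... : add a rule only if it is not already
# present. Tomato re-runs the firewall script every time the firewall restarts,
# so without this check each restart stacks another copy of every rule.
# Assumes `iptables -C` is available (returns 0 when the rule already exists).
add_rule() {
    table=$1; action=$2; chain=$3; shift 3
    if [ -z "${DRYRUN:-}" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run -t "$table" "$action" "$chain" "$@"
}

# Clear the routing-policy mark for private-to-public LAN traffic. Appended (-A)
# so it is evaluated after the MARK 311 rule that Tomato's routing policy adds;
# otherwise replies from the private subnet are diverted into the tunnel and lost.
allow_lan_crosstalk() {
    add_rule mangle -A PREROUTING -s "$PRIV_NET" -d "$PUB_NET" -j MARK --set-mark 0
}

# Kill switch: refuse new connections from the private subnet that would leave
# through the raw WAN interface, which is what happens when the VPN route is gone.
# Inserted (-I) so both rules sit ahead of Tomato's own FORWARD accept rules.
# The TCP rule is inserted last and is therefore matched first, so TCP clients
# get a reset instead of an ICMP error.
kill_switch() {
    add_rule filter -I FORWARD -s "$PRIV_NET" -o "$WAN_IF" -m state --state NEW \
        -j REJECT --reject-with icmp-host-prohibited
    add_rule filter -I FORWARD -p tcp -s "$PRIV_NET" -o "$WAN_IF" -m state --state NEW \
        -j REJECT --reject-with tcp-reset
}

apply_rules() {
    allow_lan_crosstalk
    kill_switch
}

# Usage: `sh firewall.sh dry-run` prints the commands that would be run;
# `sh firewall.sh apply` (as root on the router) installs them.
case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRYRUN=1; apply_rules ;;
esac
```

Run it once with `dry-run` to see the exact rules before pasting the functions into the firewall script; after the VPN is up, `iptables -t mangle -L PREROUTING -n` should show the MARK 311 rule before the MARK 0 rule, and `iptables -L FORWARD -n` should show the two REJECT rules at the top.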
  • I'm on AdvancedTomato v35-140. I followed your instructions verbatim up to the "Optional Extras" section, but my traffic on the private network was not going through the VPN. After some reboots, fiddling with settings, saving, rebooting, etc., I finally have the same settings as before (as in your post), and it just works now. Thanks! – m59 Dec 25 '17 at 23:13
  • 1
    So it worked in the end? The process for me wasn't quite as linear as it's written, there was a lot of trial and error and rebooting along the way but I tried to edit it down to the essential steps. – Matt Dec 28 '17 at 02:33
  • 1
    Yep. Either it's a bit of a bug with Tomato, a fluke, or there's some non-intuitive necessity to change stuff or reboot at a certain time or whatever. But all of my settings look like yours and it didn't work before and now it does! – m59 Dec 30 '17 at 15:21
  • Are you able to switch back and forth between the VPN and non-VPN Wi-Fi and have your IP hidden accordingly? I have an internet connection, but my traffic doesn't seem to go through the VPN if I have already connected to the non-VPN Wi-Fi on a device, unless I reboot the router itself after switching that device to the VPN Wi-Fi. – m59 Jan 12 '18 at 00:26
  • Yes, I test using a "what is my IP" style service and when I connect to each SSID my external IP changes accordingly. When it goes wrong (i.e. you're connected to the VPN Wi-Fi but your traffic isn't going through the VPN), check your device's assigned IP address: is it on the "private" subnet? Also, if you don't set up the "fail-safe" and the VPN goes down, your traffic will not be protected even if you do connect to the private SSID. – Matt Jan 12 '18 at 19:29
  • Yeah, the device IP is being assigned properly when switching. I have narrowed it down to needing to toggle "Redirect through VPN" off, save, then back on and save, and then traffic goes through the VPN. So, it seems that the redirect is not being applied in that situation. I'm far from knowing enough about routing to know what to pursue to solve that. At least toggling that setting is simple and fast. – m59 Jan 13 '18 at 18:25
  • It turns out my setup is still wrong. I want to use OpenDNS DNS servers for br0 without messing up the VPN on br1, which I think needs to be using the DNS servers from the VPN. If I set the DNS servers under WAN in the GUI, the VPN routing is broken (my IP leaks). If I use dnsmasq to just set the servers for br0, I end up breaking the dnsmasq `address` directive that I also use. `dhcp-option=br0,6,208.67.222.123,208.67.220.123`, and if I fix the address directive by also using the router itself for DNS, I break the OpenDNS family filter. `dhcp-option=br0,6,192.168.1.1,208.67.222.123,(etc)` – m59 Jan 24 '18 at 02:57