One of the features of the YazFi addon is to set up a guest network to redirect to a VPN client on the router. Read more here: www.snbforums.com/threads/yazfi-v4-x.70308/

THIS WIKI IS NOT COMPLETE. IF YOU UNDERSTAND THE SCRIPT AND WOULD LIKE TO USE IT THEN FEEL FREE. THANKS.

This is a tutorial for those who use a VPN and would like to dedicate an SSID for that VPN. This does very minor configuration changes to the router while still keeping the hardware acceleration enabled. This setup allows you to have VPN access and regular internet on the same router. This (to the best of my knowledge) can be used with any virtual interface (tun, ppp, etc.) that provides an alternate wan gateway and can be used with any wireless interface on the router(eth1,eth2, guest network interfaces). This wiki is geared towards those that use OpenVPN but should work with other VPNs such as PPTP and L2TP.

Here are a few steps that are necessary for the initial configuration of this setup.

1. Enable jffs. The script can be run from the jffs partition or it can be run from optware (or entware).

2. Create the start-up scripts in the scripts folder if you are going to use the jffs partition as per the wiki.

3. Determine the network IP addressing that you would like to assign to this SSID. (e.g. 192.168.2.0/24)

4. Setup the VPN and make sure that everything works as it should.

5. Determine the wireless radio that you will be using. Here is a list of which radio corresponds to which SSID. If you are going to be using a guest network, enable this now. Here is a list of the radio-to-interface correlation.

• eth1 - Default LAN 2.4Ghz SSID

• wl0.1 - 2.4Ghz Guest Network 1

• wl0.2 - 2.4Ghz Guest Network 2

• wl0.3 - 2.4Ghz Guest Network 3

• eth2 - Default LAN 5Ghz SSID

• wl1.1 - 5Ghz Guest Network 1

• wl1.2 - 5Ghz Guest Network 2

• wl1.3 - 5Ghz Guest Network 3

The following script is designed to check if certain parameters are in place before trying to execute. For instance, the tunnel interface is verified as being up before routes are added to the routing table. Most changes should be made only to the first part where variables are assigned. There are a couple of changes that may need to be made further down depending on your VPN and network configuration. These areas are commented.

#!/bin/sh
####### Interface Specific Settings #######
WRLSS_IF=wl0.1                   # Name of the wireless interface that will be used.
WRLSS_IF_NTWK_ADDR=192.168.2.0   # Network address that the wireless interface will be on.
WRLSS_IF_INET_ADDR=192.168.2.1   # IP address that will be assigned to the wireless interface.
WRLSS_IF_NETMASK=255.255.255.0   # Netmask of the wireless network to be added.
TUN_IF=tun11                     # Name of tunnel interface.
########## DHCP Specific Settings ###########
DHCP_OPT1=3                      # dnsmasq option to specify router.
LS_TIME=86400s                   # Duration of the dhcp leases.
LS_START=192.168.2.100           # Start address of leases. This needs to be within the same network as above.
LS_END=192.168.2.120             # End address of leases. This needs to be within the same network as above.
######## Hide SSID of Guest Network ########
HIDE_SSID=1                      # This option is to hide the SSID of a guest network if a guest network is used. Input 1 to hide and 0 to make it visible.

##########################################################################################################
##########################################################################################################                
########################################## DHCP Server ###################################################

if [ `cat /etc/dnsmasq.conf | grep -c $WRLSS_IF` == 0 ]; then
	killall dnsmasq
	sleep 2
	echo "interface=$WRLSS_IF" >> /etc/dnsmasq.conf
	echo "dhcp-range=$WRLSS_IF,$LS_START,$LS_END,$WRLSS_IF_NETMASK,$LS_TIME" >> /etc/dnsmasq.conf
	echo "dhcp-option=$WRLSS_IF,$DHCP_OPT1,$WRLSS_IF_INET_ADDR" >> /etc/dnsmasq.conf
	dnsmasq --log-async
fi
sleep 2
### Check to see if tun interface is available ###
while [ ! -n "`ifconfig | grep $TUN_IF`" ]; do
	sleep 1
done
############################################ IP ROUTING ##################################################

ifconfig $WRLSS_IF $WRLSS_IF_INET_ADDR netmask $WRLSS_IF_NETMASK
ip route show table main | grep -Ev ^default | while read ROUTE; do 
ip route add table 10 $ROUTE; 
done
#ip route del 0.0.0.0/1 table main          # Uncomment this line if you are not using the route-nopull option. 
# Many VPN service providers push this route to redirect internet traffic over the tunnel.                                          
ip route add default dev $TUN_IF table 10    
ip rule add dev $WRLSS_IF table 10
ip route flush cache
####################################### ETHERNET BRIDGE TABLES RULES #####################################

EBT_BRULE1="-p ipv4 -i $WRLSS_IF -j DROP"
EBT_BRULE2="-p arp -i $WRLSS_IF -j DROP"
if [ -n "$EBT_BRULE1" ] && [ `ebtables -t broute -L | grep -ice "$EBT_BRULE1"` != 1 ]; then
	ebtables -t broute -I BROUTING $EBT_BRULE1
fi
if [ -n "$EBT_BRULE2" ] && [ `ebtables -t broute -L | grep -ice "$EBT_BRULE2"` != 1 ]; then
	ebtables -t broute -I BROUTING $EBT_BRULE2
fi
############################################ IP TABLES RULES #############################################

if [ `iptables -L -v | grep -c $WRLSS_IF` == 0 ]; then
	iptables -I INPUT -i $WRLSS_IF -m state --state NEW -j ACCEPT
	iptables -I FORWARD -i $WRLSS_IF -o $TUN_IF -j ACCEPT
fi
if [ `iptables -t nat -L -v | grep -c $TUN_IF` == 0 ]; then
	iptables -t nat -I POSTROUTING -s $WRLSS_IF_NTWK_ADDR/24 -o $TUN_IF -j MASQUERADE  # Change /24 to the subnet that you will be using.
fi
############################################### HIDE SSID ################################################

if [ `nvram get "$WRLSS_IF"_closed` != 1 ] && [ $HIDE_SSID == 1 ]; then
	nvram set "$WRLSS_IF"_closed=1
	nvram commit
fi
if [ `nvram get "$WRLSS_IF"_closed` != 0 ] && [ $HIDE_SSID == 0 ]; then
	nvram set "$WRLSS_IF"_closed=0
	nvram commit
fi

The first part of this script is where information is put in in order to setup the extra network and create the additional routes, rules, and settings. Most of the information that needs to be changed is in this part. The second part (the part after the two lines of #) is where the commands are executed to set everything up.

1 . Create a file in the scripts folder of jffs and name it what you like. I recommend using WinSCP to do the following: Copy the above script into this file and save.

2 . Next, place this line in the services-start file in the scripts folder:

/jffs/scripts/your_file_name (ex. vpn_ssid)

3 . Open up a terminal to the router or go to the Run Cmd tab under Tools in the web interface and type the following command:

chmod 0755 /jffs/scripts/your_file_name

These are additional options that you can add to the script above if a standalone OpenVPN service is being used. This needs to be inserted before “DHCP Server” section.

############## Tunnel Module ##############
if [ `lsmod | grep -c tun` == 0 ]; then    # This works with Openvpn using a tun interface.
	insmod tun
	sleep 1
fi
####### Standalone Openvpn Specific #######
if [ ! -n "`pidof openvpn`" ]; then
	cd /directory/of/openvpn/config     # Change to directory of your openvpn configuration.
	openvpn --config ./openvpn.conf     # Change to name of openvpn configuration.
fi
	sleep 1

The following is to setup a cron job. This simply reruns this script at whatever times specified to ensure that everything is still setup. The current setting “*/30” makes it rerun the script every 30 minutes. Place this line in a separate script.

cru a VPN_Check "*/30 * * * * /jffs/scripts/your_file_name/"