
Last update: 1-1-14

VPN Tutorial for Newbies

Installing BolehVPN on the ASUS RT-N66U Router

with Merlin Firmware


By Don DeGracia, Jan 01, 2014

dondeg@compuserve.com

www.dondeg.com


STEP 3: PROGRAM WHICH DEVICES GO THROUGH THE VPN

Having all the connections go through the VPN creates problems for some services. When you go through the VPN, it slows your internet connection for a variety of reasons. For most purposes, you won’t even notice. For example, I can still watch high def Youtube video and see no effect of the VPN running. However, if you are, say, playing online games where every ounce of bandwidth is used, you will notice a significant speed decrease.

So, it would be nice to be able to tell the router which devices to send through the VPN and which to route through your normal ISP connection. Step 3 explains how to do this. This was the hardest step of all because it relies on programming your router using scripts, and it requires logging into your router using a program other than the web interface. But, I am not a network programmer at all, and I managed to get it to work. Because I had to piece together so many sources, I think it will be helpful to somebody to list the steps here.

NOTE: THIS IS TOTALLY SPECIFIC FOR THE ASUS ROUTERS RUNNING MERLIN! For other routers and other firmware, I wish you the best of luck!!


Steps overview:

  1. Set up JFFS partition on the RT-N66U.
  2. Obtain and customize script for controlling which devices will go through the VPN.
  3. Determine the IP addresses of the devices you want to EXCLUDE from the VPN connection.
  4. Copy script to JFFS partition and run it.


STEP A. SET UP JFFS PARTITION.

(This is taken from a post by wizin that is here)

[1] Assuming you have a VPN account and already have it working with OpenVPN on your Asus-Merlin router (test manually that the VPN works first)

[2] Make sure VPN is ON and Start with WAN option

[3] Go to Administration > System

[4] Enable JFFS partition = YES

[5] Format JFFS partition at next boot = YES

[6] REBOOT ROUTER

 

You now have space on your router's memory for storing the script that will control which devices connect to either the VPN or ISP.


STEP B. THE SCRIPT.

Download this script: openvpn-event.txt

The script is taken from message #9 by Grdnkln that is posted here. By default, the script routes all devices through the VPN. It works by having you list, in the very last lines of the script, the IP addresses of the devices you do NOT want to pass through the VPN. What you need to do is:

[1] Open openvpn-event.txt in notepad.

[2] What to do with the script is described next.


STEP C. CUSTOMIZING THE SCRIPT.

You next need to customize the script by telling it which devices will NOT pass through the VPN. Customizing the script is easy. You just need to repeat the following line for each device you want to exclude from the VPN at the very end of the script:


iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.xxx -j MARK --set-mark 1


All you need to do is replace “192.168.1.xxx” with the actual IP address of the device you want to exclude from the VPN.

To get the IP address of any device on your network:

  1. Open Merlin in your web browser.
  2. On the left select “Network Map”
  3. Click on the ball that says “Clients”
  4. This opens a window called “Client Status” that lists all the devices and their IP addresses. Make note of the IP addresses of the devices you want to exclude. You can copy/paste from the table.

 

Important side note: Generally the router assigns IP addresses dynamically (DHCP), so the IP addresses listed above can change over time. If you want to ensure this does not happen then:

[1] Under “Advanced Settings” on the left bar click “LAN”.

[2] Click the “DHCP Server” tab.

[3] Under “Manually Assigned IP around the DHCP list (Max Limit : 128)” you can assign fixed IP addresses to the devices you want to exclude.

[4] Click the red arrow next to the empty window labeled “MAC Address” and you should see a list of all your connected devices.

[5] Choose the device you want to exclude from the VPN. Click the plus arrow.

[6] Repeat until you have selected all the devices you want to exclude from the VPN.

[7] Now these devices will have permanent IP addresses, and you do not have to worry that they may change and mess up your script in the future.

Finally, for each device you want to exclude, at the end of the script in your text file, put in a separate line for each, with the correct IP address filled in:

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.xxx -j MARK --set-mark 1

At this point, you should have the script as a text file in notepad, and the final lines of the script should have the IP addresses of all the devices you want to exclude from the VPN. There should be one of the above lines for each IP address. Save the file. Then make a COPY of the text file and rename it “openvpn-event” WITH NO EXTENSION!!!

 

OTHER THAN THE LAST LINES, YOU DO NOT NEED TO MODIFY ANY OTHER PART OF THE SCRIPT!!
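As an added example (not the author's openvpn-event script, and not part of the original page), the shell functions below build the per-device exclusion lines from Step C, reject addresses that are not valid 192.168.1.x hosts, and check a saved dump of the router's mangle table so you can confirm after the reboot that every excluded device really has its mark rule. It assumes the LAN is 192.168.1.0/24 on bridge br0, as on this page; the rule dump is a constructed sample.

```shell
#!/bin/sh
# Added example: generate and verify the "--set-mark 1" exclusion rules.
# Assumption: LAN is 192.168.1.0/24 and br0 is the LAN bridge (as on the page).
LAN_PREFIX="192.168.1."

# valid_host_ip IP -> true only for 192.168.1.1 .. 192.168.1.254
valid_host_ip() {
    case "$1" in
        "$LAN_PREFIX"*) ;;
        *) return 1 ;;
    esac
    octet="${1#"$LAN_PREFIX"}"
    case "$octet" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -ge 1 ] && [ "$octet" -le 254 ]
}

# gen_exclude_rules IP... -> prints one mark rule per valid IP (append these
# lines to the end of openvpn-event); invalid entries are reported on stderr.
gen_exclude_rules() {
    for ip in "$@"; do
        if valid_host_ip "$ip"; then
            printf 'iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range %s -j MARK --set-mark 1\n' "$ip"
        else
            printf 'skipping invalid LAN address: %s\n' "$ip" >&2
        fi
    done
}

# missing_marks DUMP IP... -> prints each IP that has no MARK rule in DUMP,
# where DUMP is the text of "iptables -t mangle -S PREROUTING" run on the router.
# iptables -S shows a single-host range as "a.b.c.d-a.b.c.d", hence the [- ].
missing_marks() {
    dump="$1"; shift
    for ip in "$@"; do
        pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
        printf '%s\n' "$dump" | grep -- "--src-range ${pat}[- ]" | grep -q MARK \
            || printf '%s\n' "$ip"
    done
}

# Constructed sample dump: only 192.168.1.50 has been excluded so far.
SAMPLE_DUMP='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -m iprange --src-range 192.168.1.50-192.168.1.50 -j MARK --set-xmark 0x1/0xffffffff'
```

Run gen_exclude_rules with your device addresses and paste its output at the end of the script; after the reboot, save the output of the iptables -S command over SSH and feed it to missing_marks to spot any device whose rule did not take.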


Step D: Copy Script to Router and Run Script

This last step is the trickiest of all because you have to log on to your router using a different program and use that program to copy the script and run it. This information is also taken from the post by wizin that is here.

A prelude to this is you need to have SSH enabled on your router. To enable SSH on Merlin do this:

[1] Under “Advanced Settings” on the left bar click “Administration”.

[2] Under “Miscellaneous” make sure these are set as follows:

  1. Enable SSH = Yes

  2. Allow SSH Port Forwarding = No

  3. SSH service port = 22

  4. Allow SSH access from WAN = No

  5. Allow SSH password login = Yes

  6. Enable SSH Brute Force Protection = No

[3] If you changed any of the above, click “APPLY” when all done.

 

To copy the script to the router you need to:

[1] Download software like WinSCP.

[2] Install WinSCP then start it up.

[3] To make a new connection fill in the fields as follows:

  1. File Protocol – SCP (NOTE: MAKE SURE IT IS SCP!!!)

  2. Hostname: 192.168.1.1

  3. Username/Password: Whatever you use to login to the router

  4. Port 22

[4] Save login settings (you have to) and then hit Login.

[5] This will log you into your router. There will be two folder trees. On the right is your router folder tree.

[6] In the router folder tree, you need to go up to the root folder, where you will see the jffs folder under the root.

[7] Go inside the jffs folder, then go inside the scripts folder.

[8] Place the openvpn-event file (the one without the txt extension) you created above in this folder (/jffs/scripts).

[9] Once the file is copied there, then right click > Properties > Change Octal to 0777.

[10] That's it.

[11] Close WinSCP.

[12] Reboot Router. Rebooting will ensure the script runs.

At this point, the script should take effect and the devices you excluded should NOT be going through the VPN and everything else on your LAN should be going through the VPN.

If you want to add or subtract devices from the script, just modify the openvpn-event file. You can easily do this by logging back into the router, right-clicking the file and choosing “EDIT”.

 

LAST THING: BACKUP YOUR ROUTER CONFIGURATION

[1] Click "Administration" on left bar.

[2] Click "Restore/Save/Upload Settings" tab

[3] Click "Save" under "Save Settings".

[4] Rename file to something that reminds you what the settings are and store safely somewhere.

 

CONCLUSION

Whew! The price we pay for privacy. Oh well, now that it’s well known that everybody is spying on everybody else over the internet, it’s worth the effort to go through all the above to shut yourself off from prying eyes.

Ok, well, I hope I have saved somebody out there some time. It took me several weeks of searching and reading on the internet to figure out all of the above. Hopefully this step by step primer, as complicated as it may seem, saves somebody all the time and trouble I went through. And special thanks to all the people I linked to above who made all of this possible.