Tomato Dual VLAN (where one of them is VPN tunnelled)


I'm working to get my home network set up with Tomato to work with two Wi-Fi SSIDs. My router is a dual-band NETGEAR NIGHTHAWK router and so far Tomato works great on it and so does the VPN feature. The only downside is that when the VPN is active (when you choose start via the Tomato interface) it applies the VPN tunnel to both SSIDs that I have set up. Is there some way to have the VPN applied to only one of those SSIDs? That way, by changing my wireless network, I can be a part of the VPN tunnel that is running on my router.

Is this possible?

Best Answer

I implemented something like this recently on my home network, on Tomato (shibby) v138. Here's a diagram: Tomato LAN diagram

Before getting into the VPN setup, I initially had both the 2.4GHz and 5GHz networks on the same SSID, let's call it "public". The internal network assigned devices to addresses in the range This is what you see in the top half of the diagram.

These are the changes I made to add a new subnet that was routed through the VPN:

  1. Under Basic/Network/LAN, I added a new bridge named "br1". I gave it the IP address, netmask, DHCP enabled, and IP Range
  2. Under Advanced/Virtual Wireless, I added two new virtual wireless interfaces, wl0.1 and wl1.1, for the 2.4GHz and 5GHz interfaces respectively. Both are assigned to the new bridge "LAN1 (br1)". I gave both the same new SSID, e.g. "private". You can also give them a different password from the public network if you like.
  3. Under VPN Tunneling/OpenVPN Client/Basic, I configured the VPN client (my VPN provider is Private Internet Access, so I followed this guide). I also enabled "Start with WAN" so it will start up automatically.
  4. Under VPN Tunneling/OpenVPN Client/Advanced, I set the "Ignore Redirect Gateway" option so the client won't route everything to the VPN.
  5. Under VPN Tunneling/OpenVPN Client/Routing Policy, I checked "Redirect through VPN" and added a line with type "From Source IP" and value "" so all hosts on the new subnet get routed through the VPN.

At that point, I can start the VPN client, then pick up a wireless device, connect to the "private" network and confirm that my internet-facing IP is behind the VPN, and connect to "public" and stream Netflix/Amazon Prime video without getting geographic restriction errors.

Now you can set up each device to connect to either SSID according to their needs. In our house, the media streamer that serves Netflix streams to the TV set stays on the public network. My phone and laptop connect to the private network. In most cases you should pick one or the other--you don't want the device auto-connecting to either one arbitrarily.

Optional Extras

Getting wired: If you want a physical Ethernet port to connect through the VPN, you can add a new VLAN under Advanced/VLAN and assign it to the new bridge (br1). At this point you can move one or more physical Ethernet ports on the router to your secure VLAN if you want. I didn't, so only wireless clients will be able to join my private subnet.

Internal Routing: After following the steps above, you may find that clients on the public and private networks can't talk to each other. Setting up the VPN client's routing policy as I did above adds this rule:

iptables -t mangle -A PREROUTING -s -j MARK --set-mark 311

to tomato's firewall script. That marks every packet originating on the network, and everything with the mark 311 gets routed through the VPN. This meant that any devices on the "public" subnet ( couldn't talk to devices on the "private" subnet through the internal network, because though the request would get through, the response would get diverted to the VPN and lost. In my case I wanted to be able to access file shares from a server on the private network, so I decided to clear the mark for anything that should be sent to the public network. I did that by adding the line:

iptables -t mangle -A PREROUTING -s -d -j MARK --set-mark 0

to Administration/Scripts/Firewall. You can add a similar rule for any ports you intend to forward to the router from the private network.

Fail-safe: Also known as a "kill switch," I added a couple additional rules to Administration/Scripts/Firewall that are meant to prevent anything from the private network going to the unprotected WAN (vlan2). This means that if the VPN goes down for some reason, clients connecting to the private network can't accidentally communicate over the unprotected WAN interface.

iptables -I FORWARD -s -o vlan2 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited 
iptables -I FORWARD -p tcp -s -o vlan2 -m state --state NEW -j REJECT --reject-with tcp-reset
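The three pieces of firewall-script logic from the answer (mark the private subnet, clear the mark for private-to-public LAN traffic, kill switch), assembled into one file as an added example. This is not the answer's own script: the page gives only the mark value 311 and the WAN interface vlan2, so the subnets, the dry-run variable IPT and the fwmark check are assumptions for illustration. It also adds the check a practitioner wants after the VPN client starts: confirming that a policy-routing rule for the fwmark actually exists, since without it marked packets go nowhere.

```shell
#!/bin/sh
# Added example for the answer above, not the answer's own script.
# Tomato runs Administration/Scripts/Firewall with /bin/sh, so this is
# plain POSIX sh.  Subnets are assumptions; the page gives only mark 311
# and the WAN interface vlan2.

PUB_NET="${PUB_NET:-192.168.1.0/24}"   # assumed br0 subnet ("public", plain WAN)
PRIV_NET="${PRIV_NET:-192.168.2.0/24}" # assumed br1 subnet ("private", VPN only)
WAN_IF="${WAN_IF:-vlan2}"              # raw WAN interface named on the page
VPN_MARK="${VPN_MARK:-311}"            # fwmark used by Tomato's routing policy
IPT="${IPT:-iptables}"                 # IPT=echo prints the rules instead of loading them

# Rule order is the whole point:
#  - both MARK rules are appended (-A) to mangle/PREROUTING, so the
#    private->public "clear" rule runs after the "mark everything" rule
#    and its value (0) is the one the packet leaves the chain with;
#  - the kill-switch rules are inserted (-I) at the head of FORWARD, so
#    they are evaluated before Tomato's own ACCEPT rules.  The TCP rule is
#    inserted last, i.e. ends up first, so TCP gets a clean RST while
#    everything else gets an ICMP host-prohibited.
apply_vpn_policy() {
    $IPT -t mangle -A PREROUTING -s "$PRIV_NET" -j MARK --set-mark "$VPN_MARK"
    $IPT -t mangle -A PREROUTING -s "$PRIV_NET" -d "$PUB_NET" -j MARK --set-mark 0
    $IPT -I FORWARD -s "$PRIV_NET" -o "$WAN_IF" -m state --state NEW \
         -j REJECT --reject-with icmp-host-prohibited
    $IPT -I FORWARD -p tcp -s "$PRIV_NET" -o "$WAN_IF" -m state --state NEW \
         -j REJECT --reject-with tcp-reset
}

# Post-start check: reads the output of `ip rule show` on stdin and
# returns 0 only if a policy-routing rule keyed on our fwmark exists.
# iproute2 normally prints the mark in hex (311 -> 0x137); the decimal
# form is accepted too in case the build prints it that way.
mark_rule_present() {
    hex="$(printf '%x' "$VPN_MARK")"
    grep -Eq "fwmark (0x$hex|$VPN_MARK)(/| |\$)"
}

# Usage on the router (after the OpenVPN client is up):
#   apply_vpn_policy
#   ip rule show | mark_rule_present || echo "no fwmark $VPN_MARK rule: policy routing inactive"
```

Set `IPT=echo` to review the generated rules on a workstation before pasting the script into the router. One design note: matching on `-s $PRIV_NET` keys the policy to the source address, so a client that manually configures a public-subnet address while associated to the private SSID would be neither marked nor blocked; adding `-i br1` to the MARK and REJECT rules ties the policy to the bridge the traffic actually arrived on.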