WiFiVPN.sh v1.0x Beta

#!/bin/sh
VER="v1.03b (Public Beta)"
#============================================================================== © 2016-2018 Martineau, v01.03b Public Beta)
#
# Configure a Wifi interface to use a VPN Client connection
#
#          WiFiVPN     [ {'help'} | {'-h'} | status | diag]
#                      { wifi_interface | ssid [ vpn_number | 'del' | 'status'] }  ['nodns'] ['autodnsmasq'] ['nobridge'] ['openlan'] ['novpn'] ['vlan'{X}] ['debug'] ['brctlopt']
# e.g.
#          WiFiVPN
#                      List ALL WiFi interfaces and associated VPN bridges.
#          WiFiVPN     wl0.2 1
#                      Guest 2.4Ghz #2 (wl0.2) is forced to use VPN Client 1 using bridge 1 (br1) and forces VPN 1 DNS
#          WiFiVPN     wl0.2 del
#                      Guest 2.4Ghz #2 (wl0.2) is reset to use the WAN rather than the VPN
#          WiFiVPN     wl0.2 nodns
#                      Guest 2.4Ghz #2 (wl0.2) is forced to use VPN Client 1 using bridge 1 (br1) and uses router DNS.
#          WifiVPN     wl1.3 status
#                      Guest 5Ghz #3 (wl1.3) config is listed in detail.
#          WiFiVPN     br2g24 5
#                      Guest SSID 'br2g24' (could be 2.4GHz Wifi Guest #2!?) is forced to use VPN Client 5 using bridge 5 (br5) and forces VPN 5 DNS
#          WiFiVPN     eth1 1
#                      2.4Ghz WiFi network (eth1) is forced to use VPN Client 1 using bridge 1 (br1) and forces VPN 1 DNS
#          WiFiVPN     eth2 2
#                      5Ghz WiFi network (eth2) is forced to use VPN Client 2 using bridge 2 (br2)  and forces VPN 2 DNS
#          WiFiVPN     status
#                      List ALL WiFi interfaces and associated VPN bridges.
#          WiFiVPN     diag
#                      List ALL WiFi interfaces and associated VPN bridges. Prompts to delete/show config.
#

# NOTE: Requires 'brX' interface to be defined in '/jffs/configs/dnsmasq.conf.add'
#       e.g. VPN Client 2 (tun12) will expect to use br2 interface
#
#       **WARNING** If 'dnsmasq' is specified, if no bridge config is found in '/etc/dnsmasq.conf', the script will configure one!.
#
# P.S.  Connected Wifi clients will no longer appear in the Network Map status? :(
#                 but can be seen in the Wireless Log! ;-)

#
#         Bridge brX uses DHCP pool 192.168.10x.2 - 192.168.10x.20
#         interface=brx
#         dhcp-range=brx,192.168.10x.2,192.168.10x.20,255.255.255.0,14400s
#         dhcp-option=brx,3,192.168.10x.1
#         dhcp-option=brx,6,192.168.10x.1


#*=====================================Functions=====================================================

# Print between line beginning with'#==' to first blank line inclusive
ShowHelp() {
    echo -en $cBWHT
    awk '/^#==/{f=1} f{print; if (!NF) exit}' $0
    echo -en $cRESET
}
Say(){
   /usr/bin/logger -st "($(basename $0))" $$ $@
}
ANSIColours () {

    cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m"
    cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
    aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
    cRED_="\e[41m";cGRE_="\e[42m"

}
Check_Router_Mode() {
    local OK=1                              # Assume not Router mode
    case "$(nvram get sw_mode)" in
        0) SW_MODE="Unconfigured";;
        1) SW_MODE="Router";OK=0;;
        2) SW_MODE="Repeater";;
        3) SW_MODE="AP";;
        4) SW_MODE="Hotspot";;
        *) SW_MODE="Unknown nvram sw_mode value="$(nvram get sw_mode);;
    esac
    echo $SW_MODE
    return $OK
}
# Function Parse(String delimiter(s) variable_names)
Parse() {
    #
    #   Parse       "Word1,Word2|Word3" ",|" VAR1 VAR2 REST
    #               (Effectivley executes VAR1="Word1";VAR2="Word2";REST="Word3")

    local string IFS

    TEXT="$1"
    IFS="$2"
    shift 2
    read -r -- "$@" <<EOF
$TEXT
EOF
}
Get_VPN_ADDR() {

    local VPNADDRS=`nvram show 2> /dev/null | grep -E "vpn_client.*addr" | grep -v t_addr`
    local VPN_ADDR=""

    for VPN in $VPNADDRS
    do

       if [ "${VPN:10:1}" = "$1" ]; then
          VPN_ADDR=${VPN:17}
          #Say "***DEBUG ACTIVE VPN Client="$1 "via" $VPN_ADDR "VPN="$VPN
       #else
       #   Say "Get_VPN_ADDR():" $VPN ">" ${VPN:10:1} ">>" ${VPN:17}
       fi

    done

    echo $VPN_ADDR

}
Config_dnsmasqBRx() {

    if [ -z $2 ];then
        local FN="/jffs/configs/dnsmasq.conf.add"
    else
        local FN="$2"
    fi

    local BRIDGE_ID="$1"
    local DIGIT=${BRIDGE_ID:2:1}


    if [ -f "$FN" ];then
        local NOW=$(date +"%Y%m%d-%H%M%S")    # current date and time
        cp $FN ${FN}-$NOW
        sed -i "/$BRIDGE_ID/d" $FN          # Remove existing Bridge if it exists
    fi

    local LANIPADDR=$(nvram get lan_ipaddr)
    local LAN_SUBNET=${LANIPADDR%.*}
    local LAN_TWO_OCTETS=$(echo "$LAN_SUBNET" | awk 'BEGIN { FS = "." } {print $1"."$2}')


    # My numbering scheme for third OCTET:
    #
    #       10.88.8x.0      LAN
    #       10.88.10x.0     Bridge          i.e. 101,102,103,104 and 105
    #       10.88.24x.0     Wifi 2.4GHz     i.e. 241,242 and 243
    #       10.88.5x.0      Wifi 5GHz       i.e. 51,52 and 53
    #       10.88.x0.0      VLAN keep 'x' as multiple of 10 e.g. 50 won't clash with 51 aka Guest 5GHz #1
    #                       but skip 60 as it is reserved by ASUS?

    if [ "$METHOD" == "Bridge" ];then
        TYPE="10"
    else
        case "$WIFI_IF" in
            wl0)
                TYPE="24"
                ;;
            wl1)
                TYPE="5"
                ;;
            vlan)
                TYPE="0"
                ;;
            *)
                TYPE="8"
                ;;
        esac
    fi

    VPN_SUBNET_PREFIX=$LAN_TWO_OCTETS".$TYPE"

cat >> $FN << EOF
# Bridge $BRIDGE_ID uses DHCP pool ${VPN_SUBNET_PREFIX}$DIGIT.2 - ${VPN_SUBNET_PREFIX}$DIGIT.20
interface=$BRIDGE_ID
dhcp-range=$BRIDGE_ID,${VPN_SUBNET_PREFIX}$DIGIT.2,${VPN_SUBNET_PREFIX}$DIGIT.20,255.255.255.0,14400s
dhcp-option=$BRIDGE_ID,3,${VPN_SUBNET_PREFIX}$DIGIT.1
dhcp-option=$BRIDGE_ID,6,${VPN_SUBNET_PREFIX}$DIGIT.1
dhcp-option=$BRIDGE_ID,252,"\n"
EOF
    service restart_dnsmasq 2>&1 >/dev/null
    #cat /etc/dnsmasq.conf
}
Drop_BR0() {

    if [ "$DEBUG" == "debug" ];then
        Say "br0 Before='"$(nvram get lan_ifnames)"'"
    fi
    echo $(nvram get lan_ifnames) | sed -e "s/\<$1\>//g"            # \< and \> force a sed word boundary
    return 0

}
WiFiBridgeVPN() {

    if [ "$1" == "delete" ];then
        local ACTIONS="-D"              # Iteration action to perform when deleting rules
    else
        local ACTIONS="-D -I"           # Iteration actions to perform when inserting rules
    fi

    # Delete Firewall rules and reinsert if required
    for ACTION in $ACTIONS
        do

            FWRULENO=

            if [ "$ACTION" == "-I" ];then
                FWRULENO=`iptables -nvL FORWARD --line | grep -E "ACCEPT     all.*state RELATED,ESTABLISHED" | awk '{print $1}'`
                FWRULENO=$(($FWRULENO+1))
            fi

            # Firewall rules
            if [ "$FIREWALL_TYPE" != "OpenLAN" ];then
                $IPT $ACTION INPUT -i $BRIDGE_ID -j DROP 2> /dev/null                           # Drop everything
                #$IPT $ACTION logdrop -i br1 -j LOG --log-prefix "WiFi VPN DROP " 2> /dev/null      # Eye-catcher for above

                # Allow dnsmasq to listen to new bridge for explicit services
                $IPT $ACTION INPUT -i $BRIDGE_ID -p udp --dport 67:68 -j ACCEPT 2> /dev/null        # DHCP

                for PROTO in tcp udp
                    do
                        $IPT $ACTION INPUT -i $BRIDGE_ID -p $PROTO --dport 53 -j ACCEPT 2> /dev/null    # DNS (TCP DNS is used by DNSSEC?)
                    done
            else
               $IPT $ACTION INPUT -i  $BRIDGE_ID  -m state --state NEW -j ACCEPT 2> /dev/null   # Router Access
            fi

            #Allow packets from vlanX0 to/from WiFi
            if [ "$VLAN_PORT" != "NONE" ];then
                $EBT $ACTION FORWARD $FWRULENO -i vlan${VLAN_PORT}0 -o $WIFI_IF -j ACCEPT
                $EBT $ACTION FORWARD $FWRULENO -i $WIFI_IF -o vlan${VLAN_PORT}0 -j ACCEPT
            fi

            # Force 'Exclusive' use of VPN DNS unless 'nodns' specified by user request
            local FIRST_VPN_DNS=$(awk 'NR==1{print $2}' /etc/openvpn/dns/client${VPN_ID}.resolv)
            local RULE="-j DNAT --to "$FIRST_VPN_DNS            # Use VPN DNS - default
            if [ "$ACTION" == "-D" ];then
                if [ -z "$($IPT -t nat -L DNSVPN$VPN_ID | grep $BRIDGE_SUBNET_PREFIX | grep "DNAT")" ];then
                    local RULE="-j RETURN"                                                                  # Delete WAN DNS
                fi
            else
                if [ "$VPNDNS" == "VPNDNS" ];then
                    ACTION="-A"                                                                             # Use VPN DNS using 'A'
                else
                    local RULE="-j RETURN"                                                                  # Use WAN DNS using '-I'
                fi
            fi
            $IPT -t nat $ACTION DNSVPN$VPN_ID -i $BRIDGE_ID -s $BRIDGE_SUBNET_PREFIX.0/24 $RULE 2> /dev/null    # DNS to be used
            [ "$ACTION" == "-A" ] && ACTION="-I"                                                            # Revert to Insert

            # Chromecast seems to want to PING the router?
            $IPT $ACTION INPUT -i $BRIDGE_ID \
                -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 2> /dev/null
            $IPT $ACTION INPUT -i br0 \
                -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT 2> /dev/null

            # VPN rules
            if [ "$VPN_CONFIG" != "UseWAN" ];then
                $IPT $ACTION FORWARD $FWRULENO -i $BRIDGE_ID -d $LAN_SUBNET.0/24 -j DROP 2> /dev/null
                $IPT $ACTION FORWARD $FWRULENO -i tun1$VPN_ID -o $BRIDGE_ID  -j ACCEPT 2> /dev/null     # Allow bridge replies inbound from VPN
                $IPT $ACTION FORWARD $FWRULENO -i $BRIDGE_ID  -o tun1$VPN_ID -j ACCEPT 2> /dev/null     # Allow bridge requests outbound via VPN

                $IPT -t nat $ACTION POSTROUTING -s $BRIDGE_SUBNET_PREFIX.0/24 -o tun1$VPN_ID -j MASQUERADE 2> /dev/null
            fi

            # Application/local device rules
            if [ "$FIREWALL_TYPE" != "OpenLAN" ];then

                $IPT $ACTION FORWARD $FWRULENO -o $BRIDGE_ID -i br0 -s 10.88.8.111 -d $BRIDGE_SUBNET_PREFIX.0/24 -p tcp --dport 22 -j ACCEPT 2> /dev/null   # <- LAN SSH pinhole
                $IPT $ACTION FORWARD $FWRULENO -i $BRIDGE_ID -o br0 -s $BRIDGE_SUBNET_PREFIX.0/24  -d 10.88.8.131   -j ACCEPT 2> /dev/null  # LAN printer ->
                $IPT $ACTION FORWARD $FWRULENO -o $BRIDGE_ID -i br0 -s 10.88.8.131 -d $BRIDGE_SUBNET_PREFIX.0/24 -j ACCEPT 2> /dev/null # <- LAN printer
            else
                $IPT $ACTION FORWARD $FWRULENO -i $BRIDGE_ID -o br0 -j ACCEPT 2> /dev/null
            fi

        done
}
WiFiVPN() {

    if [ "$1" == "delete" ];then
        local ACTIONS="-D"              # Iteration action to perform when deleting rules
    else
        local ACTIONS="-D -I"           # Iteration actions to perform when inserting rules
    fi

    # Delete Firewall rules and reinsert if required
    for ACTION in $ACTIONS
        do


            if [ "$FIREWALL_TYPE" != "OpenLAN" ];then
                $IPT $ACTION INPUT -i $WIFI_IF -j logdrop 2> /dev/null                          # Drop everything
                #$IPT $ACTION logdrop -i br1 -j LOG --log-prefix "WiFi VPN DROP " 2> /dev/null      # Eye-catcher for above

                # Allow dnsmasq to listen to new bridge for explicit services
                $IPT $ACTION INPUT -i $WIFI_IF -p udp --dport 67:68 -j ACCEPT 2> /dev/null      # DHCP

                for PROTO in tcp udp
                    do
                        $IPT $ACTION INPUT -i $WIFI_IF -p $PROTO --dport 53 -j ACCEPT 2> /dev/null  # DNS (TCP DNS is used by DNSSEC?)
                    done

            else
                $IPT $ACTION INPUT -i $WIFI_IF -m state --state NEW -j ACCEPT 2> /dev/null      # Allow ALL Router access!!!
            fi

            # Guest Wireless Bridge
            for PROTO in ipv4 arp
                do
                    $EBT -t broute $ACTION BROUTING -p $PROTO -i $WIFI_IF -j DROP 2> /dev/null  # Pass upto iptables for access/blocking
                done

            # Force 'Exclusive' use of VPN DNS unless 'nodns' specified by user request
            local FIRST_VPN_DNS=$(awk 'NR==1{print $2}' /etc/openvpn/dns/client${VPN_ID}.resolv)
            local RULE="-j DNAT --to "$FIRST_VPN_DNS            # Use VPN DNS - default
            if [ "$ACTION" == "-D" ];then
                if [ -z "$($IPT -t nat -L DNSVPN$VPN_ID | grep $BRIDGE_SUBNET_PREFIX | grep "DNAT")" ];then
                    local RULE="-j RETURN"                                                                  # Delete WAN DNS
                fi
            else
                if [ "$VPNDNS" == "VPNDNS" ];then
                    ACTION="-A"                                                                             # Use VPN DNS using 'A'
                else
                    local RULE="-j RETURN"                                                                  # Use WAN DNS using '-I'
                fi
            fi

            $IPT -t nat $ACTION DNSVPN$VPN_ID -i $BRIDGE_ID -s $BRIDGE_SUBNET_PREFIX.0/24 $RULE 2> /dev/null    # DNS to be used
            [ "$ACTION" == "-A" ] && ACTION="-I"                                                            # Revert to Insert

            # VPN routes
            if [ "$VPN_CONFIG" != "UseWAN" ];then
                $IPT $ACTION FORWARD $FWRULENO -i tun1$VPN_ID -o$WIFI_IF  -j ACCEPT 2> /dev/null        # Allow bridge replies inbound from VPN
                $IPT $ACTION FORWARD $FWRULENO -i $WIFI_IF  -o tun1$VPN_ID -j ACCEPT 2> /dev/null       # Allow bridge requests outbound via VPN
                $IPT -t nat $ACTION POSTROUTING -s $BRIDGE_SUBNET_PREFIX.0/24 -o tun1$VPN_ID -j MASQUERADE 2> /dev/null
            fi

            # Application/local device rules

            if [ "$FIREWALL_TYPE" != "OpenLAN" ];then
                $IPT $ACTION FORWARD $FWRULENO -i $WIFI_IF -d $LAN_SUBNET.0/24 -j DROP 2> /dev/null
                $IPT $ACTION FORWARD $FWRULENO -i $WIFI_IF -d 10.88.8.131 -j logaccept                              # LAN Printer
                #$IPT $ACTION FORWARD $FWRULENO -i $WIFI_IF -d 10.88.8.131 -p icmp --icmp-type 8 -j logaccept
            fi

        done
}
GetBr_ID () {

    INTERFACE="$1"

    if [ ! -z "$INTERFACE" ];then
        echo $(brctl show | awk -v pattern="${INTERFACE}\$" '/^br/ { HDR=$1 } ; $0 ~ pattern {f=1} f{print HDR; f=0; exit}')
        return 0
    else
        echo ""
        return 1
    fi
}
Show_Status () {

    if [ ! -z $2 ];then
        local BRIDGE_IF=$2
    else
        local BRIDGE_IF=$(GetBr_ID "$1")                                            # Which bridge is the Wifi Guest defined on?
    fi
    if [ ! -z $3 ];then
        local BR_SUBNET_PREFIX=
    fi

    if [ "$METHOD" != "Bridge" ];then
        local BRIDGE_IF=$1
    fi

    local VPN_NUM=
    if [ "$METHOD" == "Bridge" ];then
        if [ "${BRIDGE_IF:0:2}" == "br" ];then
            local VPN_NUM=${BRIDGE_IF:2:1}
            local BR_SUBNET=$(ip route show table "11"$VPN_NUM | grep $BRIDGE_IF | awk '{print $1}')
        else
            local BR_SUBNET=
        fi
    else
        local VPN_NUM=$VPN_ID
        local BR_SUBNET=$(ip route show table "11"$VPN_NUM | grep $BRIDGE_IF | awk '{print $1}')
    fi

    echo -en $cBWHT
    if [ "$METHOD" == "Bridge" ];then
        echo -e "\n\n\t\t\t\tBridge config";echo -e "\t\t\t\t============="
    else
        echo -e "\n\n\t\t\t\tWiFi config";echo -e "\t\t\t\t==========="
    fi

    echo -e "\n\t\t\tfilter INPUT rule config";echo -e "\t\t\t========================"

    echo -en $cBMAG

    if [ ! -z $BRIDGE_IF ];then
        $IPT -nvL INPUT --line -t filter | grep $BRIDGE_IF
    else
        $IPT -nvL --line -t filter | grep br | grep -v br0
    fi

    echo -e $cBWHT"\n\t\t\tfilter FORWARD rule config";echo -e "\t\t\t=========================="
    echo -en $cBMAG
    if [ ! -z $BRIDGE_IF ];then
        $IPT -nvL FORWARD --line -t filter | grep $BRIDGE_IF
    else
        $IPT -nvL --line -t filter | grep br | grep -v br0
    fi

    if [ ! -z $BR_SUBNET ];then
        FIRST_VPN_DNS=$(awk 'NR==1{print $2}' /etc/openvpn/dns/client${VPN_ID}.resolv)
        local DNSTEXT="using VPN DNS ("$FIRST_VPN_DNS")"
        echo -e $cBWHT"\n\t\t\\tnat DNSVPN"$VPN_NUM "rule config";echo -e "\t\t\t======================="
        echo -en $cBMAG
        $IPT -nvL DNSVPN${VPN_NUM} --line -t nat | grep $BR_SUBNET
        if [ -z "$(iptables -nvL DNSVPN${VPN_NUM} --line -t nat | grep $BR_SUBNET | grep -v "RETURN")" ];then
            local DNSTEXT=
        fi
        echo -e $cBWHT"\n\t\t\\tnat POSTROUTING rule config";echo -e "\t\t\t============================"$cBMAG
        $IPT -nvL POSTROUTING --line -t nat | grep $BR_SUBNET
    fi

    if [ "$METHOD" == "Bridge" ];then
        echo -e $cBWHT"\n\n\t\tBridge" $BRIDGE_IF "interface config";echo -e "\t\t==========================="$cBMAG
        brctl show | awk -v pattern="${BRIDGE_IF}" '$0 ~ pattern {flag=1;print $0;next}/^br/{flag=0}flag'
        if [ "${BRIDGE_IF:0:2}" == "br" ];then
            echo -e $cBWHT"\n\n\t\t\tBridge" $BRIDGE_IF "details";echo -e "\t\t\t=================="$cBMAG
            local TEMP=$(/usr/sbin/brctl showstp $BRIDGE_IF 2>&1 /dev/null)
            if [ -z "$(echo $TEMP | grep "No such device")" ];then
                /usr/sbin/brctl showstp $BRIDGE_IF
            else                                    # brX: can't get info No such device
                BRIDGE_IF="??"
            fi
        fi

        # Vlan switch port?
        if [ ! -z "$(robocfg show | grep -E "vlan[1-9][0]")" ];then     # X0, X00
            echo -e $cBWHT"\n\n\tVLAN Config";echo -e "\t==========="$cBMAG
            robocfg show | grep -E "vlan1|vlan[1-5][0]|vlan[7-9][0]"        # Ignore 60!!!!! not mine
        fi
    else
        echo -e $cBWHT"\n\n\t\t\t\tebtables Rules";echo -e "\t\t\t\t==============\n"
        echo -e "\n\t\t\\tbroute BROUTING rule config";echo -e "\t\t\t==========================="$cBMAG
        $EBT -t broute -L | grep $BRIDGE_IF
        echo -e $cBWHT"\n\t\t\\tfilter FORWARD rule config";echo -e "\t\t\t=========================="$cBMAG
        $EBT -t filter -L | grep $BRIDGE_IF
    fi

    echo -e $cBWHT"\n\n\tRPDB Rules";echo -e "\t=========="$cBMAG
    /usr/sbin/ip rule

    if [ ! -z "$VPN_NUM" ];then

        local VPNTAG=$(nvram get vpn_client${VPN_NUM}_desc)
        if [ -z "$VPNTAG" ];then
            local VPNTAG=`grep -i "11"$VPN_NUM /etc/iproute2/rt_tables | awk '{print $2}'`
        fi
        local LENGTH=${#VPNTAG}
        local LENGTH=$((27+$LENGTH))
        local EQUALS="$(printf %${LENGTH}s |tr " " "=")"
        echo -e $cBWHT"\n\n\tRPDB VPN Client" $VPN_NUM "("$VPNTAG") routes";echo -e "\t$EQUALS"$cBMAG

        /usr/sbin/ip route show table 11$VPN_NUM
    fi

    local WIFI_Type="WiFi"
    if [ "$WIFI_IF" == "eth1" ] || [ "$WIFI_IF" == "eth2" ];then
       local WIFI_Type="WiFi"
    fi

    STATE="OK"

    if [ "$METHOD" == "Bridge" ];then
        if [ ${BRIDGE_IF:0:2} != "br" ] || [ "$BRIDGE_ID" != "$BRIDGE_IF" ];then            # Probably already attached to br0
           STATE="N/A"
        fi
    else
        if [ -z "$(iptables -nvL FORWARD | grep -E "${WIFI_IF:0:3}\.${WIFI_IF:4:1}.*tun1")" ];then
            STATE="N/A"
        fi
    fi

    if [ "$STATE" != "OK" ];then
        echo -e $cRED"\a\n\n\t"$WIFI_Type $WIFI_DESC $SSID "("$WIFI_IF") isn't routed via a VPN Client?\n"
    else
        echo -e $cBGRE"\n\n\tStatus: "$WIFI_Type $WIFI_DESC "("$WIFI_IF")" $SSID "("$BR_SUBNET") routed via VPN Client" \
                 $VPN_NUM "("$VPNTAG")" $DNSTEXT "via bridge:"$BRIDGE_IF"\n"
    fi
    echo -en $cRESET
    return 0
}
ManageVPNStatus () {
    # If this script is running then surely we expect the associated VPN Client connection to be UP!!!??  ;-)
    #echo -e "\nChecking status of VPN Client" $VPN_ID "......"

    if [ "$VPN_ID" -eq 0 ];then
        echo "-1"
        return
    fi
    local VPN_STATE=`nvram show 2> /dev/null | grep "vpn_client${VPN_ID}_state" | awk 'BEGIN {FS="="} {print $2}'`

    local WIFI_Type="WiFi"
    if [ "$WIFI_IF" == "eth1" ] || [ "$WIFI_IF" == "eth2" ];then
       local WIFI_Type="WiFi"
    fi
    if [ "$VPN_STATE" -eq 0 ];then
        if [ "$1" != "?" ];then
            Say $WIFI_Type $WIFI_DESC $SSID "requesting start of VPN Client" $VPN_ID "("$VPNTAG")"
            if [ -f /jffs/scripts/VPN_Client_Switch.sh ];then
                local STAT="Custom script '/jffs/scripts/VPN_Client_Switch.sh'"
                /jffs/scripts/VPN_Client_Switch.sh $VPN_ID "on"                     # Start it....will handle dnsmasq update for HMA etc.
                VPN_STATE=$(Check_VPNState "$VPN_ID" "2" "Quiet")           # Redundant but ensures consistency!
                echo $VPN_STATE
            else
                local STAT="Normal service 'start_vpnclient"$VPN_ID"' request"
                service start_vpnclient$VPN_ID 2> /dev/null > /dev/null             # Start it using normal services
                VPN_STATE=$(Check_VPNState "$VPN_ID" "2")
                echo $VPN_STATE
            fi
        else
            #echo -e "\a\n**WARNING VPN Client" $VPN_ID "isn't ACTIVE\n"
            echo $VPN_STATE
        fi
    else
        echo $VPN_STATE
    fi

}
Check_VPNState(){

      local I=0
      local OK=0

      local VPNTAG=$(nvram get vpn_client${1}_desc)
      if [ -z "$VPNTAG" ];then
        local VPNTAG=`grep -i "11"$1 /etc/iproute2/rt_tables | awk '{print $2}'`
      fi

      if [ "$2" = "2" ]; then
         local WSTATE="connect"
      fi
      if [ "$2" = "0" ]; then
         local WSTATE="disconnect"
      fi
      #while sleep 1; do logger "vpn_client$1_state is `nvram get vpn_client$1_state`"; done    # Command line equivalent
      if [ -z $3 ];then
        Say "Waiting for VPN Client" $1 "("$VPNTAG") to" $WSTATE"....."
      fi
      local VPN_STATE=0
      while [ $I -lt 60 ]; do
        sleep 1
        #Say"Waiting for VPN Client" $1 "to" $WSTATE"....." $i
        if [ "$(nvram get "vpn_client"$1"_state")" = "$2" ];then
           OK="1"
           local VPN_STATE=$(nvram get "vpn_client"$1"_state")
           break
        fi
        I=$(($I + 1))
      done
      if [ "$OK" = "1" ];then
            if [ -z $3 ];then
                #echo -en $cBYEL
                Say "VPN Client" $1 "("$VPNTAG")" $WSTATE"'d in" $I "secs"
                #echo -en $cRESET
            fi
            echo "$VPN_STATE"
            return 0
      else
            #echo -e " "
            if [ -z $3 ];then
                #echo -en $cBRED
                Say "***ERROR*** VPN Client" $1 "("$VPNTAG") FAILED to" $WSTATE "after" $I "secs"
                #echo -en $cBWHT
            fi
            #echo -e "\a"
            echo "$VPN_STATE"
            return 1
      fi
}
Drop_VLAN1() {

    #Say "vlan1 Before='"$(robocfg show | grep "vlan1" | cut -d":" -f3)"'"

    # Remove the switch port from vlan 1                                                         (strip leading/trailing spaces!!)
    local VLAN1_PORTS=`robocfg show | grep "vlan1" | cut -d":" -f3 | sed -e "s/\$1//g" | awk '{$1=$1};1'`
    robocfg vlan 1 ports "$VLAN1_PORTS"                                                                     # Delete port from vlan1

    #Say "vlan1 After='"$VLAN1_PORTS"'"

    return 0

}
ValidVLAN(){

    local FOUND=0
    local SWITCHPORT="BAD"

    for THISARG in $*
    do
        if [ ${THISARG:0:4} == "vlan" ];then
            FOUND=1
            break
        fi
    done

    if [ $FOUND -eq 1 ];then
        local SWITCHPORT=$(echo $THISARG | grep -E "^vlan[1|2|3]$")         # Exclude Switch port 4 - uplink to TP-Link switch
        if [ ! -z $SWITCHPORT ];then
            local SWITCHPORT=${SWITCHPORT:4:1}
            echo $SWITCHPORT
            return 0
        fi
    fi

    echo $SWITCHPORT
    return 1

}
Set_WiFi_Description () {

    WIFI_DESC=

    if [ "${WIFI_IF:0:3}" == "wl0" ];then
        WIFI_DESC=$WIFI_DESC"2.4GHz Guest "${WIFI_IF:4:1}
        SSID=$(nvram show 2> /dev/null | grep "_ssid" | grep -E "wl[0-1]\." | grep -i $WIFI_IF)
        SSID=${SSID##*=}
    fi
    if [ "${WIFI_IF:0:3}" == "wl1" ];then
        WIFI_DESC=$WIFI_DESC"5GHz   Guest "${WIFI_IF:4:1}
        SSID=$(nvram show 2> /dev/null | grep "_ssid" | grep -E "wl[0-1]\." | grep -i $WIFI_IF)
        SSID=${SSID##*=}
    fi
    if [ "$WIFI_IF" == "eth1" ];then
        WIFI_DESC=$WIFI_DESC"2.4GHz Network"
    fi
    if [ "$WIFI_IF" == "eth2" ];then
        WIFI_DESC=$WIFI_DESC"5GHz   Network"
    fi
}
Show_Status_Diagnostics () {

    echo -e $cBWHT

    Say $VER "© 2016-2017 Martineau," "WiFi VPN status request.....[$@]"

    MODE="Normal"
    TXT="Status for"
    if [ "$(echo $@ | grep -cw "diag")" -gt 0 ];then
        MODE="diag"
        TXT="Diagnostics for"
    fi

    echo -e $cBCYA"\n\tWiFi->VPN Configuration "${TXT}" interfaces:\n"

    if [ "$MODE" == "diag" ];then
        echo -e $cBYEL"\tNVRAM lan_ifnames='"$(nvram get lan_ifnames)
        echo -en $cBMAG
        brctl show
        echo -e
    fi

    for WIFI_IF in wl0.1 wl0.2 wl0.3 wl1.1 wl1.2 wl1.3 eth1 eth2
        do
            MSGCOLOR="$cBGRE"
            Set_WiFi_Description
            SSID=$(nvram get $WIFI_IF"_ssid")
            [ "$WIFI_IF" == "eth1" ] && SSID=$(nvram get wl0_ssid)
            [ "$WIFI_IF" == "eth2" ] && SSID=$(nvram get wl1_ssid)
            WIFI_DEFINED=$(ifconfig | grep $WIFI_IF | cut -d' ' -f1)
            BRIDGE_IF=$(GetBr_ID "$WIFI_IF")
            BRIDGE_ID=$BRIDGE_IF                    # Ugly global variable Hack for Showstatus()
            VPN_NUM=${BRIDGE_IF:2:1}
            VPN_ID=$VPN_NUM                     # Ugly global variable Hack for Showstatus()

            # Guest WiFi not ACTIVE
            if [ -z "$WIFI_DEFINED" ];then
                WIFI_DEFINED="-----"
                SSID="("$SSID")"
                WIFI_DESC=$(printf "%-16s" "$WIFI_DESC")"** Disabled **"
            fi

            #echo -e "\t"$WIFI_IF "is on" $BRIDGE_IF
            if [ ! -z "$VPN_NUM" ] && [ "$BRIDGE_IF" != "br0" ];then
                BR_SUBNET=$(ip route show table "11"$VPN_NUM | grep $BRIDGE_IF | awk '{print $1}')
                VPNTAG="$(nvram get vpn_client${VPN_NUM}_desc)"
                if [ -z "$VPNTAG" ];then
                    VPNTAG=`grep -i "11"$VPN_NUM /etc/iproute2/rt_tables | awk '{print $2}'`
                fi
                BRIDGE_IF_IP=`grep -i "dhcp-option=$BRIDGE_ID,3" /etc/dnsmasq.conf  | awk 'BEGIN { FS = "," } {print $3}'`      # Extract I/P from 'dhcp-option=$GUEST_IF,3,10.88.241.1'
                BRIDGE_SUBNET_PREFIX=${BRIDGE_IF_IP%.*}                                                                     # Extract first three octets of I/P
                if [ -z "$BRIDGE_SUBNET_PREFIX" ];then
                    BRIDGE_SUBNET_PREFIX="*unknown*"
                fi
                if [ -f "/etc/openvpn/dns/client${VPN_NUM}.resolv" ];then
                    FIRST_VPN_DNS=$(awk 'NR==1{print $2}' /etc/openvpn/dns/client${VPN_NUM}.resolv)
                else
                    FIRST_VPN_DNS="*unknown*"
                    MSGCOLOR="$cBRED"
                    VPNTAG="***ERROR VPN is DOWN"
                fi

                if [ -z "$($IPT -t nat -nvL DNSVPN${VPN_NUM} 2> /dev/null | grep "$BRIDGE_ID")" ];then
                    MSGCOLOR="$cBRED"
                    DNSTEXT=" is MISSING a valid DNS entry in '-t nat DNSVPN"${VPN_NUM}"'"

                    if [ "$MODE" == "diag" ] && [ ! -z "$($IPT -t nat -nvL DNSVPN${VPN_NUM} 2> /dev/null)" ];then
                        echo -en $cBMAG
                        $IPT -t nat -nvL DNSVPN${VPN_NUM}
                    fi
                else
                    DNSTEXT="using VPN DNS ("$FIRST_VPN_DNS")"      # VPN DNS forced?
                    if [ "$VPNTAG" != "***ERROR VPN is DOWN" ];then
                        if [ -z "$($IPT -nvL DNSVPN${VPN_NUM} --line -t nat | grep $BRIDGE_SUBNET_PREFIX | grep -v "RETURN")" ];then
                            DNSTEXT="using WAN DNS ("$(awk 'NR==1{print $2}' /tmp/resolv.conf)")"
                        fi
                    fi
                fi

                if [ -z "$BR_SUBNET" ];then         # No physical route for the bridge
                    BR_SUBNET="***ERROR no entry in table 11"$VPN_NUM"; "$BRIDGE_ID"  NOT"
                    MSGCOLOR="$cBRED"
                fi
                if [ "$MSGCOLOR" == "$cBRED" ];then
                    echo -en "\a"
                fi


                echo -e $MSGCOLOR"\t$(printf "%-7s" "$WIFI_DEFINED") $(printf "%-16s" "$SSID") $(printf "%-15s" "$WIFI_DESC")" "("$BR_SUBNET") routed through tunnel VPN Client" $VPN_NUM "("$VPNTAG")" $DNSTEXT "via bridge:"$BRIDGE_ID

                if [ "$MODE" == "diag" ];then

                    echo -en $cBMAG
                    brctl show | awk -v pattern="${BRIDGE_IF}" '$0 ~ pattern {flag=1;print $0;next}/^br/{flag=0}flag'

                    echo -en $cBYEL
                    echo -e "\tNVRAM lan${VPN_NUM}_ifname='"$(nvram get lan${VPN_NUM}_ifname)"'"
                    echo -e "\tNVRAM lan${VPN_NUM}_ifnames='"$(nvram get lan${VPN_NUM}_ifnames)"'"

                    echo -e

                    echo -en $cBWHT"\tDelete this WiFi->VPN configuration? "
                    read -p "[ Type 'del' ] > " INPUT
                    echo -en $cBYEL
                    case "$INPUT" in
                        "del")
                            ./$(basename $0) $WIFI_IF $VPN_NUM del
                            ;;
                        *)
                            echo -e
                            ;;
                    esac
                    echo -en $cBWHT"\tShow   this WiFi VPN configuration? "
                    read -p "[ Y/N ] > " INPUT
                    echo -en $cBYEL
                    case "$INPUT" in
                        "Y"|"y")
                            Show_Status $WIFI_IF $BRIDGE_IF
                            ;;
                        *)
                            echo -e
                            ;;
                    esac
                else
                    echo -e
                fi

                if [ ! -z "$(brctl show | grep -E "^br[1-5]" | grep "\.000000000000")" ];then
                    echo -en $cBRED"\a\n\t***ERROR invalid bridge configuration\n\t\t"
                    brctl show | grep -E "^br[1-5]" | grep "\.000000000000"
                    BRIDGE_IF=$(brctl show | grep -E "^br[1-5]" | grep "\.000000000000" | awk '{print $1}')
                    echo -e

                    if [ "$MODE" == "diag" ];then
                        echo -en $cBWHT"\tDelete this invalid configuration? "
                        read -p "[ Y/N ] > " INPUT
                        echo -en $cBYEL
                        case "$INPUT" in
                            "Y"|"y")
                                ifconfig $BRIDGE_IF down
                                brctl delbr $BRIDGE_IF
                                echo -e
                                ;;
                            *)
                                echo -e
                                ;;
                        esac
                    fi
                fi
            else
                echo -e ${cBLU}"\t$(printf "%-7s" "$WIFI_DEFINED") $(printf "%-16s" "$SSID") $(printf "%-15s" "$WIFI_DESC")"
            fi
        done

        if [ "$MODE" == "diag" ];then
            echo -e $cBYEL"\nWAN DNS "$(awk 'NR==1{print $2}' /tmp/resolv.conf)
            echo -e $cBYEL"\n$(Check_DuplicateVPNPorts "2" "diag")"
        fi
}
Get_VPN_ADDR() {

local VPNADDRS=`nvram show 2> /dev/null | grep -E "vpn_client.*addr" | grep -v t_addr`
local VPN_ADDR=""

for VPN in $VPNADDRS
do

   if [ "${VPN:10:1}" = "$1" ]; then
      VPN_ADDR=${VPN:17}
      #Say "***DEBUG ACTIVE VPN Client="$1 "via" $VPN_ADDR "VPN="$VPN
   #else
   #   Say "Get_VPN_ADDR():" $VPN ">" ${VPN:10:1} ">>" ${VPN:17}
   fi

done

echo $VPN_ADDR

}
Check_DuplicateVPNPorts() {

    local VPN_ID=
    local VPN_ADDR=
    local VPN_PORTS=

    local VPN_ID_LIST="1 2 3 4 5"


    #local VPN_CLIENTPORTS=$(nvram show 2> /dev/null | grep -E "vpn_client.*port" | grep -v "client_port")
    for VPN_ID in $VPN_ID_LIST
        do
            VPN_ADDR=$(Get_VPN_ADDR "$VPN_ID")
            if [ -z "$VPN_ADDR" ];then
                continue                                # VPN Client instance not configured?
            fi
            # vpn_client1_port=553
            # vpn_client1_proto=udp
            if [ "$1" == "2" ];then
                local VPN_STATE=$(nvram get "vpn_client"$VPN_ID"_state")
                if [ "$VPN_STATE" != "2" ];then
                    continue
                fi
            fi
            local THIS=$(echo $(nvram get vpn_client${VPN_ID}_port)":"$(nvram get vpn_client${VPN_ID}_proto | tr "a-z" "A-Z") )
            if [ "$2" == "diag" ];then
                local VPN_PORTS=$( echo -e "$VPN_PORTS VPN client" $VPN_ID "ACTIVE using port" $THIS", ")
            else
                local VPN_PORTS=$(echo -e "$VPN_PORTS ${THIS}\n")
            fi
        done
    if [ "$2" != "diag" ];then
        # Convert words to individual lines and report on duplicates
        echo $VPN_PORTS | tr ' ' '\n' | sort -n | uniq -d
    else
        echo $VPN_PORTS
    fi

}
#*=================================================Main=====================================================

ANSIColours

# Can only run in Router Mode;
if [ "$(Check_Router_Mode)" != "Router" ];then
    echo -e "\e[41m\a\n\n\n\n\t\t\t\t** "$(Check_Router_Mode)" mode is not supported **\t\t\t\t\t\n\n\n\e[0m"
    exit 999
fi

IPT="/usr/sbin/iptables"
EBT="/usr/sbin/ebtables"


# Check override options specified....
DEBUG=
VPNDNS="VPNDNS"                                                 # Force VPN DNS                     (default)
METHOD="Bridge"                                                 # Create separate bridge i.e. br1-5 (default)
FIREWALL_TYPE="BlockLAN"                                        # Explicity block Router/LAN access (default)
VPN_CONFIG="VPN_CONFIG"                                         # Force VPN (default)
VLAN_PORT="NONE"                                                # No switch port attached to Bridge (default)
WIFI_IF=""                                                      # $1 arg required override
VPN_ID=""                                                       # $2 arg override
BRCTL_OPT=

WIFI_DESC=

if [ ! -z $1 ];then
    if [ $(echo $@ | grep -cw "debug") -gt 0 ];then         # 'debug'   requested?
        DEBUG="debug"
        if [ "$1" == "debug" ];then
            shift                                               # Remove from arg list!
        fi
        echo -e "\n\n\t\t"$cBWHT$aBLINK"DEBUG mode enabled"\t"$cBWHT$aBLINK"DEBUG mode enabled"\n\n"$cRESET
        set -x                                                  # Enable trace
    fi
    if [ $(echo $@ | grep -cw "nodns") -gt 0 ];then
        VPNDNS="NODNS"                                          # 'nodns' requested so use router DNS
    fi
    if [ $(echo $@ | grep -cw "nobridge") -gt 0 ];then
        METHOD="NoBridge"                                       # 'nobridge' requested so don't create 'brx' interface use wlX.n or eth1/2
    fi
    if [ $(echo $@ | grep -cw "openlan") -gt 0 ];then
        FIREWALL_TYPE="OpenLAN"                                 # 'openlan' requested so don't create LAN DROP rules - Router/LAN open to all!!
    fi
    if [ $(echo $@ | grep -cw "novpn") -gt 0 ];then
        VPN_CONFIG="UseWAN"                                     # 'novpn' requested so don't route bridge via VPN
    fi
    if [ $(echo $@ | grep -cw "brctlopt") -gt 0 ];then
        BRCTL_OPT="BRCTLOPT"                                    # 'brctlopt' requested so force STP=DISABLE and BRIDGE FORWARD TIMEOUT=0
    fi
    if [ $(echo $@ | grep -cw "vlan") -gt 0 ];then
        VLAN_PORT=$(ValidVLAN $@)                               # 'vlanX' requested so add switch port X to Bridge
        if [ $? -ne 0 ] || [ "$VLAN_PORT" == "BAD" ];then
            echo -e $cBRED"\a\n\t"
                Say "***ERROR VLAN switch port invalid [$@]"
                echo -e $cRESET
            exit 98
        fi
        # Only valid for a Bridge
        if [ "$METHOD" != "Bridge" ];then
            echo -e $cBRED"\a\n\t"
            Say "***ERROR VLAN switch port" $VLAN_PORT "cannot be configured if 'nobridge' specified [$@]"
            echo -e $cRESET
            exit 99
        fi
    fi
fi

# Provide assistance
if [ "$1" = "-h" ] || [ "$1" = "help" ]; then
   ShowHelp                                                     # Show help
   exit 0
fi

# Show status or detailed status and diagnostics actions
if [ "$1" == "status" ] || [ "$1" == "diag" ] || [ -z $1 ]; then
    Show_Status_Diagnostics $1 $2
    if [ ! -z "$(Check_DuplicateVPNPorts "2")" ];then
        echo -e "\n"${cRED}"**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port" $(Check_DuplicateVPNPorts) "is configured for use by several VPN Clients"
    fi
    echo -e $cRESET
    exit 0
fi

# Validate mandatory args e.g. Wifi Interface and VPN Client instance.
if [ ! -z $1 ] && [ "$1" != "del" ] && [ "$1" != "debug" ] && [ "$1" != "nodns" ] \
                && [ "$1" != "autodnsmasq" ] && [ "$1" != "nobridge" ] && [ "$1" != "openlan" ] && [ "$1" != "novpn" ] \
                && [ "$1" != "vlan1" ] && [ "$1" != "vlan2" ] && [ "$1" != "vlan3" ];then
    WIFI_IF=$1
    # Check if a valid Guest Wifi was specified....
    VALID=$(echo $WIFI_IF | grep -E "^eth[1|2]|wl[0|1]\.[1-3]")     # Guest 2.4 Wifi wl0.1/2/3 & eth1 and 5Ghz wl1.1/2/3 & eth2
    if [ -z "$VALID" ];then
        # Check if a Guest WiFi SSID was specified (rather than the actual Guest WiFi interface)
        WIFI_VAR=$(nvram show 2> /dev/null | grep "_ssid" | grep -E "wl[0-1]\." | grep -iE "=$1$")
        #Say "**DEBUG**" $WIFI_VAR
        if [ -z "$WIFI_VAR" ]; then
            echo -en $cBRED"\a\n\t"
            Say "**ERROR**" "Valid WiFi interface (or SSID) required e.g. wl0.3; ('"$1"') is not a valid SSID!"
            echo -e $cRESET
            exit 95
        else
            WIFI_IF=${WIFI_VAR:0:5}
            #Say "**DEBUG**" $WIFI_IF
        fi

    fi
    VPN_ID="0"
    # VPN Client instance
    if [ ! -z $2 ] && [ "$2" != "del" ] && [ "$2" != "debug" ] && [ "$2" != "nodns" ] \
                    && [ "$2" != "autodnsmasq" ] && [ "$2" != "nobridge" ] && [ "$2" != "openlan" ] && [ "$2" != "novpn" ] \
                    && [ "$2" != "vlan1" ] && [ "$2" != "vlan2" ] && [ "$2" != "vlan3" ];then
        VPN_ID=$2                       # User supplied WiFi interface
    fi
fi

if [ "$METHOD" == "Bridge" ];then
                                                            # Ideally New Bridge interface is the same as the VPN number
    #BRIDGE_ID="br"$(brctl show | grep -cE "^br[0-9]")      # but get next in sequence for eapd compatibility :-(
    BRIDGE_ID="br"$VPN_ID

    if [ "$2" = "del" ];then
        BRIDGE_ID=$(GetBr_ID "$WIFI_IF")
        #if [ -z $BRIDGE_ID ];then          #
            #BRIDGE_ID="br"$VPN_ID          # Bridge interface is the same as the VPN number
        #fi
    fi

    # No explicit interface specified, so look for configured bridge to report on
    #if [ "$1" == "status" ];then
        #BRIDGE_ID=`/usr/sbin/brctl show | grep -E "^br[1-5]" | awk '{print $1}'`
    #fi

    if [ "${BRIDGE_ID:0:2}" == "br" ] && [ "$BRIDGE_ID" != "br0" ] ;then
        INDEX=${BRIDGE_ID:2:1}
        #INDEX=3                            # Hmm must the NVRAM variables ALWAYS be 'lan3_ifname' and 'lan3_ifnames' ????
        WIFI_VAR=`/usr/sbin/brctl show | grep -E "^br[1-5]" | awk '{print $4}'`
        if [ ! -z "$WIFI_VAR" ];then
            if [ "$(echo $WIFI_VAR | grep -c "vlan")" -eq 0 ];then                  # Ignore VLAN switch port!
                #WIFI_IF=$WIFI_VAR
                BUGFIX=
            fi
        fi
    fi
else
    BRIDGE_ID=$WIFI_IF
fi

# For titles ONLY
WIFI_Type="Guest WiFi"
if [ "$WIFI_IF" == "eth1" ] || [ "$WIFI_IF" == "eth2" ];then
    WIFI_Type="WiFi"
fi

VPNTAG=$(nvram get vpn_client${VPN_ID}_desc)
if [ -z "$VPNTAG" ];then
    VPNTAG=`grep -i "11"${VPN_ID} /etc/iproute2/rt_tables | awk '{print $2}'`
fi

echo -e $cBWHT
if [ "$METHOD" == "Bridge" ];then
    Say $VER "© 2016-2017 Martineau," $WIFI_Type "VPN Bridge request.....[$@]"
else
    Say $VER "© 2016-2017 Martineau," $WIFI_Type "VPN WiFi Bridge request.....[$@]"
fi

WIFI_Type="WiFi ("$WIFI_IF")"

# Cosmetic desciption
Set_WiFi_Description

if [ "$BRIDGE_ID" == "br0" ] || [ "$BRIDGE_ID" == "brstatus" ];then
    BRIDGE_ID="N/A"
    echo -en $cRED"\a\n\t"
    Say "**Warning" $WIFI_Type $WIFI_DESC $SSID "("$WIFI_IF") ambiguous command request?"
    echo -e $cRESET
    exit 96
fi

# Detailed WiFi interface Status request...done here since we need variables set
if [ "$2" == "status" ] || [ "$3" == "status" ] || [ "$FORCE_STATUS" == "1" ];then
    if [ "$BRIDGE_ID" == "brstatus" ];then
        BRIDGE_ID=$(GetBr_ID "$WIFI_IF")            # Which bridge is the WiFi interface attached to
        VPN_ID=${BRIDGE_ID:2:1}
    fi

    if [ ! -z "$(iptables -nvL FORWARD | grep -E "${WIFI_IF:0:3}\.${WIFI_IF:4:1}.*tun1")" ];then
        METHOD="NoBridge"
    fi
    Show_Status $WIFI_IF $BRIDGE_ID
    if [ "$(ManageVPNStatus "?")" != "2" ];then
        echo -e $cRED"\a\n\t"
        Say "**Warning" "VPN Client" $VPN_ID "is not ACTIVE"
        echo -e $cRESET
    fi
    exit 0
fi

# Check VPN Client is ACTIVE; if not start it except if it's a delete request!!!
if [ "$2" != "del" ] && [ "$3" != "del" ];then
    if [ -z "$VPN_ID" ];then
        echo -en $cBRED"\a\n\t"
        Say "***ERROR Missing VPN arg2; Cannot check VPN status for mapping" $WIFI_Type $WIFI_DESC "("$WIFI_IF")"
        echo -e $cRESET
        exit 98
    fi
    if [ "$(ManageVPNStatus)" != "2" ];then
        echo -e $cBRED"\a\n\t**ERROR VPN Client" $VPN_ID "isn't ACTIVE\n"
        echo -en $cRESET
        exit 99                                                         # VPN didn't start ?
    else
        # If this ACTIVE VPN Client has the same UDP/TCP as another ACTIVE VPN Client then inform user!
        if [ ! -z "$(Check_DuplicateVPNPorts "2")" ];then
            echo -e "\n"${cBYEL}"**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port" $(Check_DuplicateVPNPorts "2") "is configured for use by several VPN Clients"
        fi
    fi
fi

LANIPADDR=`nvram get lan_ipaddr`
LAN_SUBNET=${LANIPADDR%.*}

if [ "$METHOD" != "Bridge" ];then
    BRIDGE_ID=$WIFI_IF
fi

if [ ${BRIDGE_ID:0:3} != "eth" ];then
    #Check if /etc/dnsmasq.conf Bridge directives are defined for 'wlX.n' or 'brX'
    BRIDGE_IF_IP=$(grep -i "dhcp-option=$BRIDGE_ID,3" /etc/dnsmasq.conf  | awk 'BEGIN { FS = "," } {print $3}')     # Extract I/P from 'dhcp-option=$GUEST_IF,3,10.88.241.1'
    if [ -z $BRIDGE_IF_IP ]; then
        if [ $(echo $@ | grep -c "autodnsmasq") -eq 0  ];then
            echo -en $cBRED"\a\n\t"
            Say "***ERROR Bridge '"$BRIDGE_ID"' not defined in '/etc/dnsmasq.conf' - ABORTing.....(Use 'autodnsmasq' directive!)"
            echo -e $cRESET
            exit 96
        else
            echo -en $cRED"\a\n\t"
            Say "***Warning Bridge '"$BRIDGE_ID"' not defined in '/etc/dnsmasq.conf' - auto updating '/jffs/configs/dnsmasq.conf.add' with '"$BRIDGE_ID"' statements....."
            echo -e $cRESET
            # Insert the new Bridge directives into /jffs/configs/dnsmasq.conf.add
            if [ "$(nvram get jffs2_scripts)" == "1" ];then
                Config_dnsmasqBRx $BRIDGE_ID
                BRIDGE_IF_IP=`grep -i "dhcp-option=$BRIDGE_ID,3" /etc/dnsmasq.conf  | awk 'BEGIN { FS = "," } {print $3}'`      # Extract I/P from 'dhc
            else
                echo -en $cBRED"\a\t"
                Say "***ERROR Cannot update '/etc/dnsmasq.conf' using '/jffs/configs/dnsmasq.conf.add' - 'Enable JFFS custom scripts and configs' DISABLED!"
                echo -e $cRESET
                exit 97
            fi
        fi
    fi
    BRIDGE_SUBNET_PREFIX=${BRIDGE_IF_IP%.*}                                                                     # Extract first three octets of I/P
fi

# Check if valid WiFi guest interface
if [ "$(/usr/sbin/brctl show  | grep -c $WIFI_IF )" != "1" ]; then
    echo -en $cBRED"\a\n\t"
    Say "***ERROR" $WIFI_Type $WIFI_DESC $SSID "WiFi '"$WIFI_IF"' not ENABLED. ABORTing....."
    echo -e $cRESET
    exit 98
fi

# Delete request ?
if [ "$2" == "del" ] || [ "$3" == "del" ];then              # delete Guest VPN request e.g. 'wl0.1 del'

    if [ ! -z "$(iptables -nvL FORWARD | grep -E "${WIFI_IF:0:3}\.${WIFI_IF:4:1}.*tun1")" ];then
        METHOD="NoBridge"
    fi

    if [ "$METHOD" == "Bridge" ];then

        # Which bridge is the WiFi interface currently defined on?
        BRIDGE_ID=$(GetBr_ID "$WIFI_IF")

        if [ ${BRIDGE_ID:0:2} == "br" ];then                            # Imply the VPN instance
            VPN_ID=${BRIDGE_ID:2:1}

            VPNTAG=$(nvram get vpn_client${VPN_ID}_desc)
            if [ -z "$VPNTAG" ];then
                VPNTAG=`grep -i "11"${VPN_ID} /etc/iproute2/rt_tables | awk '{print $2}'`
            fi
            BRIDGE_IF_IP=`grep -i "dhcp-option=$BRIDGE_ID,3" /etc/dnsmasq.conf  | awk 'BEGIN { FS = "," } {print $3}'`      # Extract I/P from 'dhcp-option=$GUEST_IF,3,10.88.241.1'
            BRIDGE_SUBNET_PREFIX=${BRIDGE_IF_IP%.*}                                                                     # Extract first three octets of I/P
        fi

        # If Wifi interface is attached to br0 then it shouldn't/can't be deleted???
        if [ "$BRIDGE_ID" != "$WIFI_IF" ] && [ "$BRIDGE_ID" != "br0" ];then         # If no bridge found then $BRIDGE_ID will be 'wlX.X'
            /usr/sbin/brctl delif $BRIDGE_ID $WIFI_IF

            # Don't delete the bridge if it still has WiFi/vlan interfaces defined
            KEEPBRIDGE=0
            if [ -z "$(brctl show | grep -E "^$BRIDGE_ID" | awk '{print $4}')" ];then
                /sbin/ifconfig $BRIDGE_ID down              # ip link set $BRIDGE_ID down
                /usr/sbin/brctl delbr $BRIDGE_ID            #
            else
                KEEPBRIDGE=1                                # Retain this bridge for the other interfaces.
            fi

            /usr/sbin/brctl addif "br0" $WIFI_IF            # ip link set $WIFI_IF master br0

            nvram set lan_ifnames="$(nvram get lan_ifnames) "$WIFI_IF           # br0
            # is vlanX0 in the list
            if [ ! -z $(robocfg show | grep -iE "vlan[1-9]0" > /dev/null 2>&1) ];then
                echo robocfg del $(nvram get wan0_ifname) "here"
            fi
            if [ "$(nvram get lan${VPN_ID}_ifnames | wc -w )" -eq 0 ];then
                nvram unset lan${VPN_ID}_ifnames
                nvram unset lan${VPN_ID}_ifname
            else
                ZZ=$(nvram get lan${VPN_ID}_ifnames | sed -e "s/$WIFI_IF//g" )
                ZZ=$(echo "$ZZ" | sed "s/^ //g")
                nvram set lan${VPN_ID}_ifnames=$ZZ
            fi
            nvram commit

            killall eapd
            eapd

            if [ "$KEEPBRIDGE" != "1" ];then
                WiFiBridgeVPN "delete"                          # Delete firewall rules and DNSVPNx entry
                /usr/sbin/ip route del $BRIDGE_SUBNET_PREFIX.0/24 dev $BRIDGE_ID table 11$VPN_ID 2> /dev/null > /dev/null
                /usr/sbin/ip rule del from $BRIDGE_SUBNET_PREFIX.0/24 2> /dev/null > /dev/null
            fi

            BR_SUBNET=$(ip route show table "11"$VPN_ID | grep $BRIDGE_ID | awk '{print $1}')
            FIRST_VPN_DNS=$(awk 'NR==1{print $2}' /etc/openvpn/dns/client${VPN_ID}.resolv)

            echo -en $cBGRE"\n\t"
            Say $WIFI_Type $WIFI_DESC $SSID "("$BR_SUBNET") route though tunnel VPN Client" $VPN_ID "("$VPNTAG") via bridge:"$BRIDGE_ID "DELETED."
            echo -e $cRESET
            #Show_Status_Diagnostics
        else
            BRIDGE_ID="N/A"
            echo -en $cRED"\a\n\t"
            Say "**Warning" $WIFI_Type $WIFI_DESC $SSID "("$WIFI_IF") isn't routed through a VPN Client tunnel? - can't DELETE!!"
            echo -e $cRESET
        fi
    else

        BR_SUBNET=$(ip route show table "11"$VPN_ID | grep $BRIDGE_ID | awk '{print $1}')
        FIRST_VPN_DNS=$(awk 'NR==1{print $2}' /etc/openvpn/dns/client${VPN_ID}.resolv)

        WiFiVPN "delete"

        /usr/sbin/ip route del $BRIDGE_SUBNET_PREFIX.0/24 dev $BRIDGE_ID table 11$VPN_ID 2> /dev/null > /dev/null
        /usr/sbin/ip rule del from $BRIDGE_SUBNET_PREFIX.0/24 2> /dev/null > /dev/null

        echo -en "\n"$cGRE"\t"
        Say $WIFI_Type $WIFI_DESC $SSID "("$BR_SUBNET") route through tunnel VPN Client" $VPN_ID "("$VPNTAG") via bridge:"$BRIDGE_ID "DELETED."
        echo -e "\n"$cRESET
        #Show_Status_Diagnostics

    fi
    if [ "$(ManageVPNStatus "?")" != "2" ] && [ "$VPN_ID" != "0" ];then
        echo -en $cRED"\a\n\t"
        Say "**Warning" "VPN Client" $VPN_ID "is not ACTIVE"
        echo -e $cRESET
    fi

    exit 99
fi

# Add/create the WiFi VPN route
if [ "$METHOD" == "Bridge" ];then

    # Remove proposed VPN WiFi interface from br0
    /usr/sbin/brctl delif br0 $WIFI_IF 2> /dev/null > /dev/null     # ip link delete $WIFI_IF master br0

    # Create New Bridge e.g. br2
    # Only create the bridge if it doesn't currently exist...i.e. when adding multiple interfaces
    if [ -z "$(brctl show | grep -oE "^$BRIDGE_ID")" ];then
        /usr/sbin/brctl addbr $BRIDGE_ID                                # ip link add $BRIDGE_ID type bridge
    fi
    # Don't add the WiFi interface if it already exists on the bridge
    if [ "$(GetBr_ID "$WIFI_IF")" != "$BRIDGE_ID" ];then
        /usr/sbin/brctl addif $BRIDGE_ID $WIFI_IF                           # ip link set $WIFI_IF master $BRIDGE_ID
    else
        echo -e $cRED"\a\n\t**Warning WiFi ("$WIFI_IF")" $WIFI_DESC $SSID" already attached to bridge:" $BRIDGE_ID
    fi
    # Add a Switch port as a vlan to bridge
    if [ "$VLAN_PORT" != "NONE" ];then
        #robocfg vlan1 ports "1 2 3 4 5t"                               # RT-AC68U default
        Drop_VLAN1 $VLAN_PORT                                           # Drop switch port from vlan1
        robocfg vlan $VLAN_PORT"0" ports $VLAN_PORT"t 5t"               # Create the new vlanX0 e.g. vlan20 based on switch port 2
        #vconfig add $(nvram get wan0_ifname) $VLAN_PORT"0" 2> /dev/null            #
        vconfig add $BRIDGE_ID $VLAN_PORT"0" 2> /dev/null               #
        /usr/sbin/brctl addif $BRIDGE_ID vlan$VLAN_PORT"0"
        if [ ! -z "$BRCTL_OPT" ];then
            /usr/sbin/brctl stp $BRIDGE_ID disable                      # Explicitly
            /usr/sbin/brctl setfd $BRIDGE_ID 0                          # New Bridge default is 15 seconds?
        fi
        #ifconfig vlan$VLAN_PORT"0" $BRIDGE_SUBNET_PREFIX.2 netmask 255.255.255.0 broadcast $BRIDGE_SUBNET_PREFIX.255
        ifconfig vlan$VLAN_PORT"0" up
    fi

    /sbin/ifconfig $BRIDGE_ID $BRIDGE_SUBNET_PREFIX.1 netmask 255.255.255.0 broadcast $BRIDGE_SUBNET_PREFIX.255

    # Fix WPA2 on Guest WiFi
    nvram set lan_ifnames="$(Drop_BR0 $WIFI_IF)"

    if [ "$DEBUG" == "debug" ];then
        Say "br0 After='"$(nvram get lan_ifnames)"'"
    fi

    if [ "$VLAN_PORT" = "NONE" ];then
        # Append new WiFi interface
        if [ -z "$(nvram get lan${INDEX}_ifnames)" ];then
            nvram set lan${INDEX}_ifnames=$WIFI_IF
        else
            # Don't add the WiFI interface if it already exists in the NVRAM variable
            if [ -z "$(nvram get lan${INDEX}_ifnames | grep "$WIFI_IF")" ];then
                nvram set lan${INDEX}_ifnames=$(nvram get lan${INDEX}_ifnames)" "$WIFI_IF
            else
                echo -e $cRED"\a\t**Warning WiFi ("$WIFI_IF") already assigned to NVRAM variable: lan${INDEX}_ifnames"
            fi
        fi
    else
        nvram set lan${INDEX}_ifnames="$WIFI_IF vlan${VLAN_PORT}0"
    fi

    nvram set lan${INDEX}_ifname=$BRIDGE_ID
    nvram commit
    killall eapd
    eapd

    WiFiBridgeVPN "create"                  # Create the New Bridge interface Firewall rules
else

    # Bridge the WiFi interface without using a bridge
    /sbin/ifconfig $BRIDGE_ID $BRIDGE_SUBNET_PREFIX.1 netmask 255.255.255.0

    WiFiVPN
fi

if [ "$VPN_CONFIG" != "UseWAN" ];then
    # Route the Wifi bridge via VPN
    X=${BRIDGE_ID:2:1}
    #PRIO_VAL=$((7000+$X))
    PRIO_VAL="20"$X"00"

    ACTIONS="del add"
    for ACTION in $ACTIONS
        do
            /usr/sbin/ip route $ACTION $BRIDGE_SUBNET_PREFIX.0/24 dev $BRIDGE_ID table 11$VPN_ID 2> /dev/null > /dev/null
            /usr/sbin/ip rule  $ACTION from $BRIDGE_SUBNET_PREFIX.0/24 table 11$VPN_ID prio $PRIO_VAL 2> /dev/null > /dev/null
        done

    /usr/sbin/ip route flush cache
fi

# Summary action report
BR_SUBNET=$(ip route show table "11"$VPN_ID | grep $BRIDGE_ID | awk '{print $1}')
FIRST_VPN_DNS=$(awk 'NR==1{print $2}' /etc/openvpn/dns/client${VPN_ID}.resolv)
DNSTEXT="using VPN DNS ("$FIRST_VPN_DNS")"      # VPN DNS forced?
if [ -z "`$IPT -nvL DNSVPN${VPN_ID} --line -t nat | grep $BRIDGE_SUBNET_PREFIX | grep -v "RETURN"`" ];then
    DNSTEXT="using WAN DNS ("$(nvram get wan_dns | cut -d' ' -f1)")"
fi
echo -en "\n"$cBGRE"\t"
Say $WIFI_Type $WIFI_DESC $SSID "("$BR_SUBNET") routed through tunnel VPN Client" $VPN_ID "("$VPNTAG")" $DNSTEXT "via bridge:"$BRIDGE_ID
#Show_Status_Diagnostics
echo -e $cRESET


exit