PDA

View Full Version : linux router connecting to dd-wrt(s) for VPN



Damon Getsman
04-16-08, 11:56 AM
I have been working as an admin on a WAN comprised of multiple linux
servers (and associated [irrelevant] Sun Ray clusters) for a short
period of time now. Until this point my tasks have been primarily
comprised of configuration of different security and authentication
services with a few package installation and configuration tasks and
scripting thrown in for good measure.

I've just been given a new task to begin when I'm completed with the
one that I'm currently involved in. Being as my current one only
consists of me babysitting downloads for another few hours, I decided
to start researching the upcoming one.

The office that I work at is connected to several satellite offices
via 3 separate dd-wrt openVPN linksys routers. Each is a separate
gateway, 2 for specialized services and one for general internet and
GNOME desktop traffic (which is normally on the local subnet of the
WAN to conserve bandwidth). Our current projected expansion has my
superior thinking that it would be a good idea to replace these 3
linksys routers (and their associated 200MHz processors) with a
dedicated linux routing machine, short on memory and HDD space, with
1GHz or slightly higher processor so that we can handle whatever
bandwidth needs we're thrown in the next year.

So I started googling, as it is to be my task to set up that machine.
Unfortunately, although I'm familiar with the basic concepts and
terminology used in networking, I'm relatively deficient in practical
experience. What I'm looking for is information on using the linux
router to connect to the other dd-Wrts utilizing the same VPN
structure as was utilized before. I have not been able to find
anything except for information on connecting dd-Wrt devices to each
other. Thus I'm looking for any tips or pointers to information on
configuring such a setup, or any explanation of how existing
documentation can be used with a few changes, etc...

I'm also interested, for curiosity's sake, in how much information
these dd-Wrt devices can actively handle with their processing
capabilities (both with and without SSL/TLS overhead).

Thank you for any help or comments you might have. :)

<a href="http://www.state.nj.us/military/publications/guardlife/
volume31no6/promotions.html">
Damon Getsman
</a>

Bill Kearney
04-16-08, 02:12 PM
> I'm also interested, for curiosity's sake, in how much information
> these dd-Wrt devices can actively handle with their processing
> capabilities (both with and without SSL/TLS overhead).

A question perhaps best asked on the dd-wrt website forums?

As for standalone PC as a router, BSD is often considered a better candidate
than most linux distros. Mainly for security reasons.

Digital Mercenary For Honor
04-17-08, 07:59 PM
On 2008-04-16 12:56:34 -0400, Damon Getsman <dgetsman@amirehab.net> said:

> The office that I work at is connected to several satellite offices
> via 3 separate dd-wrt openVPN linksys routers. Each is a separate
> gateway, 2 for specialized services and one for general internet and
> GNOME desktop traffic (which is normally on the local subnet of the
> WAN to conserve bandwidth). Our current projected expansion has my
> superior thinking that it would be a good idea to replace these 3
> linksys routers (and their associated 200MHz processors) with a
> dedicated linux routing machine, short on memory and HDD space, with
> 1GHz or slightly higher processor so that we can handle whatever
> bandwidth needs we're thrown in the next year.


I'd highly recommend OpenBSD for routing / security / VPN work as well.
The OS is not known for being a serious OS performer, but does very
well with minimal hardware configurations - for example, I've been
running my home firewall box and OpenVPN connectivity to myself and
other distant personal machines where I work, inclusive of routing
protocols, on a 486DX5-133 with 32MB for the last few years very
reliably. :D The anti-DDoS, anti-spoof, AuthPF and some other features
with PF are just awesome, IMHO.

The PF language for implementing firewall rules is very robust and
feature-rich (available in other *BSD's too).

I'd consider spec'ing some new / cheap machines to do all this work, if
you can do that, here's a running list of ideas:

Consider these issues / ideas when spec'ing your box:

- Every network packet on an untuned OS represents a hardware
interrupt. This chews up CPU on a system, along with the impact that
running OpenVPN in whatever cryptographic configuration you have.
Modern Linux systems do do interrupt coalescing, which mitigates this
somewhat, but you could go all the way up to ToE (TCP Offload Engines)
& SSL offload engines on a box (both are supported on Linux, I
particularly like Chelsio for ToE cards, and some SSL accelerators on
*BSD).

- Whatever OS you choose, take a good look in the documentation for
kernel tweak-ables for network buffers and size appropriately to create
necessary queues for traffic flows, etc.

- Consider the use of transparent bridging in any firewall
configuration for additional security - transparent bridging is where
you place an IP-aware firewall configured in the middle of an Ethernet
bridge configured with two or more Ethernet interfaces in your OS. The
cool part about this is that there's not much "to hack" here, as the
firewall doesn't have an addressable IP end-point. This may not fit
into your VPN plans well, just toy with the idea.

- FWBuilder is a cool GUI tool for configuring firewalls of disparate
types, however, it's support for full PF features is kind of lagging
somewhat.

Hope this helps a little

/dmfh

--
_ __ _
__| |_ __ / _| |_ 01100100 01101101
/ _` | ' \| _| ' \ 01100110 01101000
\__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx

Balwinder S Dheeman
04-18-08, 09:25 AM
On 04/18/2008 06:29 AM, Digital Mercenary For Honor wrote:
> On 2008-04-16 12:56:34 -0400, Damon Getsman <dgetsman@amirehab.net> said:
>
>> The office that I work at is connected to several satellite offices
>> via 3 separate dd-wrt openVPN linksys routers. Each is a separate
>> gateway, 2 for specialized services and one for general internet and
>> GNOME desktop traffic (which is normally on the local subnet of the
>> WAN to conserve bandwidth). Our current projected expansion has my
>> superior thinking that it would be a good idea to replace these 3
>> linksys routers (and their associated 200MHz processors) with a
>> dedicated linux routing machine, short on memory and HDD space, with
>> 1GHz or slightly higher processor so that we can handle whatever
>> bandwidth needs we're thrown in the next year.
>
>
> I'd highly recommend OpenBSD for routing / security / VPN work as well.
> The OS is not known for being a serious OS performer, but does very well
> with minimal hardware configurations - for example, I've been running my
> home firewall box and OpenVPN connectivity to myself and other distant
> personal machines where I work, inclusive of routing protocols, on a
> 486DX5-133 with 32MB for the last few years very reliably. :D The
> anti-DDoS, anti-spoof, AuthPF and some other features with PF are just
> awesome, IMHO.
>
> The PF language for implementing firewall rules is very robust and
> feature-rich (available in other *BSD's too).
>
> I'd consider spec'ing some new / cheap machines to do all this work, if
> you can do that, here's a running list of ideas:
>
> Consider these issues / ideas when spec'ing your box:
>
> - Every network packet on an untuned OS represents a hardware interrupt.
> This chews up CPU on a system, along with the impact that running
> OpenVPN in whatever cryptographic configuration you have. Modern Linux
> systems do do interrupt coalescing, which mitigates this somewhat, but
> you could go all the way up to ToE (TCP Offload Engines) & SSL offload
> engines on a box (both are supported on Linux, I particularly like
> Chelsio for ToE cards, and some SSL accelerators on *BSD).
>
> - Whatever OS you choose, take a good look in the documentation for
> kernel tweak-ables for network buffers and size appropriately to create
> necessary queues for traffic flows, etc.
>
> - Consider the use of transparent bridging in any firewall configuration
> for additional security - transparent bridging is where you place an
> IP-aware firewall configured in the middle of an Ethernet bridge
> configured with two or more Ethernet interfaces in your OS. The cool
> part about this is that there's not much "to hack" here, as the firewall
> doesn't have an addressable IP end-point. This may not fit into your VPN
> plans well, just toy with the idea.
>
> - FWBuilder is a cool GUI tool for configuring firewalls of disparate
> types, however, it's support for full PF features is kind of lagging
> somewhat.
>
> Hope this helps a little

Hum, seems quite distracting to me instead.

FYI, none can beat networking performance, routing and, or firewall
capabilities of Linux kernel version 2.6 series.

How many small routers and, or so called xDSL modems based on OpenBSD,
NetBSD and, or FreeBSD are available on the market?

Why the hell *BSD's have so many firewall daemons -- ip6fw, ipfilter,
ipfw, PF and, or separate ipnatd?

--
Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Gentoo, Fedora, Debian/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/

Stefan Monnier
04-21-08, 10:38 AM
> I'm also interested, for curiosity's sake, in how much information
> these dd-Wrt devices can actively handle with their processing
> capabilities (both with and without SSL/TLS overhead).

Don't know about dd-wrt, but small home routers like the one you
describe (200MHz mips processor) seem to be able to (en/de)crypt (over
SSH, but SSL should be comparable) in the order of 100-200KB/s in
my experience.

It's easy for you to check: do an "ssh wrtserver cat /dev/null <bigfile"
and time it.


Stefan

Digital Mercenary For Honor
04-22-08, 12:44 PM
On 2008-04-18 10:55:02 -0400, Balwinder S Dheeman
<bsd.SANSPAM@cto.homelinux.net> said:

> Hum, seems quite distracting to me instead.
>
> FYI, none can beat networking performance, routing and, or firewall
> capabilities of Linux kernel version 2.6 series.
>
> How many small routers and, or so called xDSL modems based on OpenBSD,
> NetBSD and, or FreeBSD are available on the market?
>
> Why the hell *BSD's have so many firewall daemons -- ip6fw, ipfilter,
> ipfw, PF and, or separate ipnatd?


(Gets out the popcorn, definitely flame bait, but it does expose an
industry problem.)

Did you read in my post "whatever OS you chose", or is the only thing
you see a Penguin when you look @ operating systems? Your post
irritated me because it echos a problem in the industry with "OS
fever". OS's and any code-base are tools that are useful in some
circumstances and not others. It's the same damn disease we have in the
industry with Java.

If you knew some TCP/IP history, you'd also know that TCP/IP "came
from" BSD, and every TCP/IP stack in the world owes its heritage to a
bunch of folks @ Berkeley some 30 now almost 40 years ago.

FBSD continues to have a fantastically performing TCP/IP stack - they
did a huge re-write / clean-up of their TCP/IP stack resulting in
amazing performance gains. Innovations abound in Linux as well.

Why do the BSD's have so many firewall - (what?) - they're not daemons,
they're interfaces to a piece of kernel code, with the note-able
exception of ipnatd / divert you mentioned. IMHO, PF just rules
(expressing my own personal opinion). How, in a firewall rule you can
detect DoS / DDoS and auto-firewall stuff is amazing (please don't
bring up the perfect-storm-IP-src-spoof thing, yes, I know, URPF is a
partial solution for this, etc.)

Analyze & embrace everyone's innovation with a careful scrutinizing eye
of what you want or need. "Logo loyalty" is only for closed minds. Each
of the Unices (Linux, FBSD, OBSD, Solaris, Darwin, etc.) has some
special sauce they added and keep adding, thank the ancients we all
think differently, it moves things along.

Grab an old machine, a couple of old ISA NIC cards, download a bunch of
different OS's, and grab a man page, please.

- This message brought to you through a 486-DX133, 32MB RAM, 240MB IDE
HDD OBSD PF-based firewall router - 900 up days and counting...

</roast off>

/dmfh

--
_ __ _
__| |_ __ / _| |_ 01100100 01101101
/ _` | ' \| _| ' \ 01100110 01101000
\__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx

Bill Kearney
04-25-08, 06:00 AM
> (Gets out the popcorn, definitely flame bait, but it does expose an
> industry problem.)

Gotta love a good smackdown now and then. Nicely done.

Balwinder S Dheeman
04-25-08, 09:50 AM
On 04/20/2008 07:11 PM, Bill Kearney wrote:
>> FYI, none can beat networking performance, routing and, or firewall
>> capabilities of Linux kernel version 2.6 series.
>
> Performance is highly subjective. Even worse when it's touted as a
> benefit without addressing the security risks.
>
> There are choices out there and each worth considering. Different
> solutions exist, offering many choices. Pick what's considered suitable.

So, is not Linux as much secure as are the *BSD's? or people and, or
creators of a Gazillion Linux redistributions either don't know what the
heck that security thing is which only *BSD can provide better?

Ha!
--
Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Gentoo, Fedora, Debian/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/

Bill Kearney
04-26-08, 07:17 AM
> So, is not Linux as much secure as are the *BSD's? or people and, or
> creators of a Gazillion Linux redistributions either don't know what the
> heck that security thing is which only *BSD can provide better?

Seemed the earlier reply quite well addressed the reasons. That you don't
have enough experience with either perhaps explains why you didn't
understand it.