DD-WRT VPN

Curious if anyone knows how well, or if at all, DD-WRT works in a multipoint VPN environment.

What we want to do is interconnect 3, maybe 4, sites together. After doing some reading it appears that you have a host side and a client side, which I assume means the host can support multiple clients. But is that the only configuration, or can I take a node that's already a client and also use it as a host and allow another client to connect to it? Reason for asking: in the setup we want all sites to be able to communicate with each other but don't want traffic to have to pass thru the host to get there. So some sort of a star configuration would be needed.

I realize this is a wireless group but DD-WRT is heavily used here, so I'm just looking for comments.

Thanks, Adair

-Adair Winter

You do realize the low-power devices that can run DD-WRT are probably not ideal for this sort of thing, right?

Doing multi-site interconnects is not trivial. Setting up the routing tables to avoid congestion can be pretty complex. Trying to daisy-chain multiple sites really complicates matters. And besides the routing issues, you also have to contend with inter-site server and workstation traffic. If you just "set it up" in a trivial manner you'll have enormous amounts of bandwidth getting wasted on site-to-site overhead traffic.

Try asking on the dd-wrt forums. Then budget for proper Cisco gear.

-Bill Kearney


I agree, and this is not for an office/work environment. It is going to be used to connect 2, maybe 3, NXU radio linking devices from several places across the country back to my area. So in reality I only need to be able to have the server and 1 or 2 clients. Each tunnel will be bridging to another home network and the only traffic across them will be a single 24Kbps VoIP stream and management traffic. The ability to configure as a star was brought up by someone else, but in reality I do not think it's necessary. If these devices supported host names and not just static IPs they would be placed out on the open internet.

Adair


Yep. It sucks. You're just not going to get much in the way of performance from an already overloaded CPU. The problem is that OpenVPN has to encrypt and decrypt the tunnel at both ends. Crypto modules burn lots of CPU cycles (and crypto is usually best done in a dedicated processor). I didn't even bother doing benchmarks with just one tunnel, as bench tests showed it was obviously far too slow.

If you have a pair of routers loaded with DD-WRT, try a simple end-to-end bench test. Set up the WAN ports for different static IPs with the gateway IP pointing to the opposite router. Interconnect the WAN ports with an ethernet crossover cable. At 100baseTX-FDX, you should be able to get wire speed of 100 Mbits/sec between routers. In other words, you're NOT going to be limited by the speed of the simulated internet connection.

Now, set up a fast computah at each end of the simulation on a LAN port. Install IPerf or JPerf benchmarking software.

Make sure you use the latest versions. Now run some benchmarks with and without the VPN. I've only done this once. I got about 35Mbits/sec throughput w/o the VPN, and I vaguely recall only about 5Mbit/sec (or worse) with PPTP running, but without any optimization or performance tweaking.

More on IPerf and JPerf: (near bottom)

What are you using for connectivity? The CPU can probably handle one or two tunnels over a slow DSL line or T1.

See benchmarks and comments at:

With OpenVPN running: 6354/690 Kbits/sec
No VPN running: 26340/723 Kbits/sec

You can have multiple connections, but you have to configure each one individually. I think you can set up a "star", where you have a tunnel directly to each other endpoint. That will take some simple static routing and is fairly easily configured. However, that does help with the performance problem, but not much. The CPU is still overloaded.

Ask again in the DD-WRT forums.

-Jeff Liebermann
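As an added illustration (not from the thread or any poster) of the "tunnel directly to each other endpoint" layout with static routes, here is one leg of a three-site OpenVPN full mesh written as a pair of point-to-point static-key configs. Every address, subnet, port, file name and the `SITE_A_PUBLIC_IP` placeholder are assumptions; each site must have its own non-overlapping LAN subnet, and each pair of sites gets its own tunnel device, port and key.

```conf
# Added example, not the thread's or DD-WRT's own configuration.
# Assumed layout: site A LAN 192.168.1.0/24, site B 192.168.2.0/24, site C 192.168.3.0/24.
# Tunnels: A<->B (A listens, tun0, udp/1194), A<->C (A listens, tun1, udp/1195),
#          B<->C (B listens, tun1, udp/1195). Only A<->B is shown; the others follow the same pattern.

# ---- site A: a-to-b.conf (A listens for B) ----
dev tun0
proto udp
port 1194
ifconfig 10.8.12.1 10.8.12.2           # tunnel endpoints, A then B
secret /jffs/openvpn/a-b.key           # shared key, made once with "openvpn --genkey --secret a-b.key"
                                       # and copied to both sites over a trusted channel
cipher AES-256-CBC                     # explicit cipher/HMAC; newer OpenVPN refuses static-key setups without them
auth SHA256
route 192.168.2.0 255.255.255.0        # B's LAN is reached through this tunnel
                                       # C's LAN is NOT routed here: A<->C has its own tunnel
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- site B: b-to-a.conf (B connects to A) ----
dev tun0
proto udp
remote SITE_A_PUBLIC_IP 1194           # placeholder: A's fixed public address
ifconfig 10.8.12.2 10.8.12.1           # mirror image of A's ifconfig line
secret /jffs/openvpn/a-b.key
cipher AES-256-CBC
auth SHA256
route 192.168.1.0 255.255.255.0        # A's LAN is reached through this tunnel
keepalive 10 60
persist-key
persist-tun
verb 3
```

Because every site has a direct tunnel to every other site, no `route` line ever points at a third site, so no traffic transits a hub. Two things the config does not do for you: the router's firewall must permit forwarding between the tun devices and the LAN bridge, and the listening side of each tunnel needs a fixed public address (or a DNS name in `remote`), which is the static-IP limitation Adair mentioned above.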

One more URL: (Tutorial with examples)

-Jeff Liebermann

Thanks for the input Jeff; as always you're helpful. As I stated before, we do not need a ton of bandwidth, but I also know what it's like to run anything on hardware that is being pushed beyond its limits. Anyone want to suggest some other solutions for the VPN that won't require stupid expensive hardware and ideally can be placed behind the firewalls that are in place, i.e. the VPN hardware just creates the tunnel thru the WAN router. I'd be more interested in a solution that would let us reuse existing hardware we might already have.

Adair


Thanks.

I forgot that I have a nailed-up VPN running between my house and office with a WRT54G v3 at one end, and a Buffalo WHR-HP-G54 at the other. I'll run some benchmarks this weekend and see what happens.

Sure. I've used various Sonicwall products to build multiple connection VPNs. The messiest was 5 locations in 3 states via DSL and T1 lines. Speed was limited by the outgoing bandwidth of the DSL lines, not the processor. Unfortunately, it was an older Sonicwall 10, which is no longer manufactured.

I've also used Netscreen hardware, which is now part of Juniper Networks. One huge advantage was that Netscreen simultaneously supports PPTP (for Windoze client dial-in) and IPSec (for router to router). Netscreen is basically Linux on the inside.

I've also used FreeSWAN on Red Hat and OpenVPN SSL on Ubuntu between 3 sites. This was a bit of a major project and learning curve for me. I finally had to yell for help and hired a local student to make it all work. It's been up for about 2 years and I'm still recovering from some of the odd tweaks the student threw into the servers. The Linux boxes currently run on 2GByte Compact Flash drives (no hard disk). A big advantage is the ability to easily deal with static routes and complex firewall issues, as there's an Asterisk server running on one of the servers. The only problem is that the business owner insists that I document everything in case I should suddenly die or go on vacation.

One of my friends has a local store and the owner's house connected with a pair of Linksys BEFVP41 v2 routers running IPSec. They work, but are what I describe as "temperamental". They hang, crash, die, or reboot, for no obvious reason. I've recommended replacement, but the owner claims he doesn't use the VPN very much and is willing to tolerate the instabilities. Not recommended.

I've tried various Netgear routers that terminate VPNs. I never could get them to work the way I thought they should work, so I gave up. I suspect it might have been possible if I had bothered to read the instructions.

-Jeff Liebermann

Thought I would post my findings after doing some testing with iperf.

The setup: Desktop computer connected to a Netgear gigabit switch. WRT54GL router running OpenVPN on the router, router's WAN port connected to the gigabit switch, gateway router issued an IP to the WAN via DHCP. Connected to the GL's LAN port I have a Dell PowerEdge 1550 (10/100 ethernet) server. Forwarded port 5001 in the GL to the server. Set up iperf as -s on the server machine, ran -c from the desktop, and after 20 tests (10 each from each side of the router) received an average throughput of 28.5Mbps.

Reconfigured with OpenVPN on the router and used the Windows VPN adapter to connect to the router. After 10 tests with iperf the average throughput was 5.292Mbps.

Next step will be to configure another router as the client and run the same tests as above. I have a WRT54G v8 here that won't seem to boot up right now... hmm, maybe I'll try to reflash the POS.

Adair

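Jeff's bench-test procedure and Adair's iperf results above both amount to the same measurement: run iperf several times with and without the tunnel, average the runs, and compare. As an added example (not code from the thread or from iperf), this POSIX shell script does the repetitive part: it runs the client end N times and averages the "Mbits/sec" figures from iperf v2's one-line summary, then reports the throughput penalty the VPN imposes. The sample output lines are constructed, not real measurements, and `bench` assumes an `iperf -s` server is already listening on the far side.

```sh
#!/bin/sh
# Added example: average iperf v2 client summaries and compute the VPN throughput penalty.
# Assumes iperf v2 text output, whose last line looks like:
#   [  3]  0.0-10.0 sec  34.0 MBytes  28.5 Mbits/sec

# Constructed sample output (not real measurements): three runs without the tunnel
NOVPN_RUNS='[  3]  0.0-10.0 sec  34.0 MBytes  28.5 Mbits/sec
[  3]  0.0-10.0 sec  33.4 MBytes  28.0 Mbits/sec
[  3]  0.0-10.0 sec  34.6 MBytes  29.0 Mbits/sec'

# Constructed sample output: three runs through the tunnel (one reported in Kbits/sec)
VPN_RUNS='[  3]  0.0-10.0 sec  6.3 MBytes  5.3 Mbits/sec
[  3]  0.0-10.0 sec  6.2 MBytes  5200 Kbits/sec
[  3]  0.0-10.0 sec  6.4 MBytes  5.4 Mbits/sec'

# avg_mbps TEXT: average the bandwidth column of every summary line, normalised to Mbits/sec
avg_mbps() {
  printf '%s\n' "$1" | awk '
    /bits\/sec/ {
      v = $(NF-1); u = $NF
      if (u == "Kbits/sec") v = v / 1000
      else if (u == "Gbits/sec") v = v * 1000
      sum += v; n++
    }
    END { if (n) printf "%.2f\n", sum / n; else print "0" }'
}

# overhead_pct BASELINE VPN: percentage of throughput lost when the tunnel is in the path
overhead_pct() {
  awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", (a - b) / a * 100 }'
}

# bench HOST [RUNS]: run the iperf client RUNS times (default 10) against HOST on a LAN
# machine behind the router (not on the router itself) and collect the summary lines.
bench() {
  host=$1; runs=${2:-10}; i=0; out=''
  while [ "$i" -lt "$runs" ]; do
    out="$out$(iperf -c "$host" -t 10 | tail -n 1)
"
    i=$((i + 1))
  done
  printf '%s' "$out"
}

# Typical use: plain=$(bench 192.168.2.10); then reconnect via the VPN and tunnel=$(bench 192.168.2.10)
plain=$(avg_mbps "$NOVPN_RUNS")
tunnel=$(avg_mbps "$VPN_RUNS")
echo "no VPN: ${plain} Mbits/sec, VPN: ${tunnel} Mbits/sec, penalty: $(overhead_pct "$plain" "$tunnel")%"
```

Run the client from a LAN host on one side against a server on the other, as Adair did, so the router is the only thing in the path that changes between the two runs; the numbers then isolate the router's crypto cost rather than the end hosts. With the constructed samples the script reports an 81.4% penalty, in the same range as the 28.5 vs 5.292 Mbps result posted above.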

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.