linux router connecting to dd-wrt(s) for VPN

Posted by Damon Getsman on April 16, 2008, 12:56 pm
I have been working as an admin on a WAN comprised of multiple linux
servers (and associated [irrelevant] Sun Ray clusters) for a short
period of time now. Until this point my tasks have been primarily
comprised of configuration of different security and authentication
services with a few package installation and configuration tasks and
scripting thrown in for good measure.

I've just been given a new task to begin when I'm completed with the
one that I'm currently involved in. Being as my current one only
consists of me babysitting downloads for another few hours, I decided
to start researching the upcoming one.

The office that I work at is connected to several satellite offices
via 3 separate dd-wrt openVPN linksys routers. Each is a separate
gateway, 2 for specialized services and one for general internet and
GNOME desktop traffic (which is normally on the local subnet of the
WAN to conserve bandwidth). Our current projected expansion has my
superior thinking that it would be a good idea to replace these 3
linksys routers (and their associated 200MHz processors) with a
dedicated linux routing machine, short on memory and HDD space, with
1GHz or slightly higher processor so that we can handle whatever
bandwidth needs we're thrown in the next year.

So I started googling, as it is to be my task to set up that machine.
Unfortunately, although I'm familiar with the basic concepts and
terminology used in networking, I'm relatively deficient in practical
experience. What I'm looking for is information on using the linux
router to connect to the other dd-Wrts utilizing the same VPN
structure as was utilized before. I have not been able to find
anything except for information on connecting dd-Wrt devices to each
other. Thus I'm looking for any tips or pointers to information on
configuring such a setup, or any explanation of how existing
documentation can be used with a few changes, etc...

I'm also interested, for curiosity's sake, in how much information
these dd-Wrt devices can actively handle with their processing
capabilities (both with and without SSL/TLS overhead).

Thank you for any help or comments you might have. :)

Damon Getsman
http://www.state.nj.us/military/publications/guardlife/volume31no6/promotions.html
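The hub side of the arrangement the original post describes, as an added example that is not code from the thread, from dd-wrt or from the OpenVPN project: the Linux router runs the OpenVPN server and the existing dd-wrt boxes connect to it as clients. Hub LAN 10.0.0.0/24, spoke LAN 10.0.1.0/24, the spoke certificate CN "spoke-a" and the key/cert paths are assumed placeholders.

```shell
#!/bin/sh
# Hub side: this Linux router is the OpenVPN server, the dd-wrt routers are
# clients.  Placeholders assumed: hub LAN 10.0.0.0/24, spoke LAN 10.0.1.0/24,
# spoke certificate CN "spoke-a", key/cert files under /etc/openvpn.
set -eu
OUT="${OUT:-./openvpn-staging}"   # review here, then copy to /etc/openvpn
# A spoke LAN is reachable only if BOTH the kernel (route) and OpenVPN
# (iroute in the per-client file) know which tunnel it sits behind.
gen_server_conf() {   # $1 = spoke LAN network, $2 = netmask
  cat <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/hub.crt
key /etc/openvpn/hub.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
remote-cert-tls client
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
route $1 $2
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
EOF
}
# Per-client file, named after the spoke's certificate CN.
gen_ccd_entry() {     # $1 = spoke LAN network, $2 = netmask
  printf 'iroute %s %s\n' "$1" "$2"
}
# Forwarding policy for the tunnel: spoke LAN <-> hub LAN only, so one
# compromised satellite cannot reach the other satellites through the hub.
gen_forward_rules() { # $1 = spoke LAN in CIDR form
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  printf 'iptables -P FORWARD DROP\n'
  printf 'iptables -A FORWARD -i tun0 -s %s -d 10.0.0.0/24 -j ACCEPT\n' "$1"
  printf 'iptables -A FORWARD -o tun0 -s 10.0.0.0/24 -d %s -j ACCEPT\n' "$1"
}
mkdir -p "$OUT/ccd"
gen_server_conf 10.0.1.0 255.255.255.0 > "$OUT/server.conf"
gen_ccd_entry 10.0.1.0 255.255.255.0 > "$OUT/ccd/spoke-a"
gen_forward_rules 10.0.1.0/24 > "$OUT/forward.sh"
```

On each dd-wrt box only the client side changes: `remote` points at the Linux hub, the same CA is used, and the HMAC key direction flips to `tls-auth ta.key 1`.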

Posted by Bill Kearney on April 16, 2008, 3:12 pm
> I'm also interested, for curiosity's sake, in how much information
> these dd-Wrt devices can actively handle with their processing
> capabilities (both with and without SSL/TLS overhead).

A question perhaps best asked on the dd-wrt website forums?

As for a standalone PC as a router, BSD is often considered a better candidate
than most linux distros. Mainly for security reasons.


Posted by Digital Mercenary For Honor on April 17, 2008, 8:59 pm

> The office that I work at is connected to several satellite offices
> via 3 separate dd-wrt openVPN linksys routers. Each is a separate
> gateway, 2 for specialized services and one for general internet and
> GNOME desktop traffic (which is normally on the local subnet of the
> WAN to conserve bandwidth). Our current projected expansion has my
> superior thinking that it would be a good idea to replace these 3
> linksys routers (and their associated 200MHz processors) with a
> dedicated linux routing machine, short on memory and HDD space, with
> 1GHz or slightly higher processor so that we can handle whatever
> bandwidth needs we're thrown in the next year.


I'd highly recommend OpenBSD for routing / security / VPN work as well.
The OS is not known for being a serious OS performer, but does very
well with minimal hardware configurations - for example, I've been
running my home firewall box and OpenVPN connectivity to myself and
other distant personal machines where I work, inclusive of routing
protocols, on a 486DX5-133 with 32MB for the last few years very
reliably. :D The anti-DDoS, anti-spoof, AuthPF and some other features
with PF are just awesome, IMHO.

The PF language for implementing firewall rules is very robust and
feature-rich (available in other *BSD's too).

I'd consider spec'ing some new / cheap machines to do all this work, if
you can do that, here's a running list of ideas:

Consider these issues / ideas when spec'ing your box:

- Every network packet on an untuned OS represents a hardware
interrupt. This chews up CPU on a system, along with the impact of
running OpenVPN in whatever cryptographic configuration you have.
Modern Linux systems do do interrupt coalescing, which mitigates this
somewhat, but you could go all the way up to ToE (TCP Offload Engines)
& SSL offload engines on a box (both are supported on Linux, I
particularly like Chelsio for ToE cards, and some SSL accelerators on
*BSD).

- Whatever OS you choose, take a good look in the documentation for
kernel tweak-ables for network buffers and size appropriately to create
necessary queues for traffic flows, etc.

- Consider the use of transparent bridging in any firewall
configuration for additional security - transparent bridging is where
you place an IP-aware firewall configured in the middle of an Ethernet
bridge configured with two or more Ethernet interfaces in your OS. The
cool part about this is that there's not much "to hack" here, as the
firewall doesn't have an addressable IP end-point. This may not fit
into your VPN plans well, just toy with the idea.

- FWBuilder is a cool GUI tool for configuring firewalls of disparate
types, however, its support for full PF features is kind of lagging
somewhat.

Hope this helps a little

/dmfh

--
_ __ _
__| |_ __ / _| |_                 01100100 01101101
/ _` | ' \| _| ' \                 01100110 01101000
\__,_|_|_|_|_| |_||_|                 dmfh(-2)dmfh.cx
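The transparent bridge dmfh sketches, as an added example on Linux (not code from the post or from any project): two NICs joined into a bridge that carries no IP address of its own, with iptables filtering by physical port. eth1 as inside, eth2 as outside, the inside LAN 10.0.0.0/24 and a separate management NIC are assumptions.

```shell
#!/bin/sh
# Transparent bridge firewall: two NICs in a bridge with no IP address.
# Assumptions: eth1 = inside, eth2 = outside, inside LAN 10.0.0.0/24,
# management over a third NIC that is not part of the bridge.
set -eu
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; DRY_RUN=0 applies them as root
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_bridge() {
  run modprobe br_netfilter   # makes bridged frames visible to iptables
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
  run ip link add name br0 type bridge
  run ip link set eth1 master br0
  run ip link set eth2 master br0
  run ip link set eth1 up
  run ip link set eth2 up
  run ip link set br0 up      # no 'ip addr add' on br0: nothing to connect to
}

# Frames crossing the bridge traverse the FORWARD chain; the physdev match
# tells us which port they arrived on, the only identity a bridge port has.
setup_filter() {   # $1 = inside LAN in CIDR form
  run iptables -P FORWARD DROP
  # anti-spoof: inside addresses must never arrive on the outside port
  run iptables -A FORWARD -m physdev --physdev-in eth2 -s "$1" -j DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth2 \
      -s "$1" -j ACCEPT
}

setup_bridge
setup_filter 10.0.0.0/24
```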


Posted by Balwinder S Dheeman on April 18, 2008, 10:25 am
On 04/18/2008 06:29 AM, Digital Mercenary For Honor wrote:
>
>> The office that I work at is connected to several satellite offices
>> via 3 separate dd-wrt openVPN linksys routers. Each is a separate
>> gateway, 2 for specialized services and one for general internet and
>> GNOME desktop traffic (which is normally on the local subnet of the
>> WAN to conserve bandwidth). Our current projected expansion has my
>> superior thinking that it would be a good idea to replace these 3
>> linksys routers (and their associated 200MHz processors) with a
>> dedicated linux routing machine, short on memory and HDD space, with
>> 1GHz or slightly higher processor so that we can handle whatever
>> bandwidth needs we're thrown in the next year.
>
>
> I'd highly recommend OpenBSD for routing / security / VPN work as well.
> The OS is not known for being a serious OS performer, but does very well
> with minimal hardware configurations - for example, I've been running my
> home firewall box and OpenVPN connectivity to myself and other distant
> personal machines where I work, inclusive of routing protocols, on a
> 486DX5-133 with 32MB for the last few years very reliably. :D The
> anti-DDoS, anti-spoof, AuthPF and some other features with PF are just
> awesome, IMHO.
>
> The PF language for implementing firewall rules is very robust and
> feature-rich (available in other *BSD's too).
>
> I'd consider spec'ing some new / cheap machines to do all this work, if
> you can do that, here's a running list of ideas:
>
> Consider these issues / ideas when spec'ing your box:
>
> - Every network packet on an untuned OS represents a hardware interrupt.
> This chews up CPU on a system, along with the impact that running
> OpenVPN in whatever cryptographic configuration you have. Modern Linux
> systems do do interrupt coalescing, which mitigates this somewhat, but
> you could go all the way up to ToE (TCP Offload Engines) & SSL offload
> engines on a box (both are supported on Linux, I particularly like
> Chelsio for ToE cards, and some SSL accelerators on *BSD).
>
> - Whatever OS you choose, take a good look in the documentation for
> kernel tweak-ables for network buffers and size appropriately to create
> necessary queues for traffic flows, etc.
>
> - Consider the use of transparent bridging in any firewall configuration
> for additional security - transparent bridging is where you place an
> IP-aware firewall configured in the middle of an Ethernet bridge
> configured with two or more Ethernet interfaces in your OS. The cool
> part about this is that there's not much "to hack" here, as the firewall
> doesn't have an addressable IP end-point. This may not fit into your VPN
> plans well, just toy with the idea.
>
> - FWBuilder is a cool GUI tool for configuring firewalls of disparate
> types, however, it's support for full PF features is kind of lagging
> somewhat.
>
> Hope this helps a little

Hum, seems quite distracting to me instead.

FYI, none can beat networking performance, routing and, or firewall
capabilities of Linux kernel version 2.6 series.

How many small routers and, or so called xDSL modems based on OpenBSD,
NetBSD and, or FreeBSD are available on the market?

Why the hell do *BSD's have so many firewall daemons -- ip6fw, ipfilter,
ipfw, PF and, or separate ipnatd?

--
Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Gentoo, Fedora, Debian/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/

Posted by Bill Kearney on April 20, 2008, 9:41 am
> FYI, none can beat networking performance, routing and, or firewall
> capabilities of Linux kernel version 2.6 series.

Performance is highly subjective. Even worse when it's touted as a benefit
without addressing the security risks.

There are choices out there and each worth considering. Different solutions
exist, offering many choices. Pick what's considered suitable.

