linux router connecting to dd-wrt(s) for VPN

A question perhaps best asked on the dd-wrt website forums?

As for standalone PC as a router, BSD is often considered a better candidate than most linux distros. Mainly for security reasons.

I'd highly recommend OpenBSD for routing / security / VPN work as well. The OS is not known for being a serious OS performer, but does very well with minimal hardware configurations - for example, I've been running my home firewall box and OpenVPN connectivity to myself and other distant personal machines where I work, inclusive of routing protocols, on a 486DX5-133 with 32MB for the last few years very reliably. :D The anti-DDoS, anti-spoof, AuthPF and some other features with PF are just awesome, IMHO.

The PF language for implementing firewall rules is very robust and feature-rich (available in other *BSD's too).

I'd consider spec'ing some new / cheap machines to do all this work, if you can do that, here's a running list of ideas:

Consider these issues / ideas when spec'ing your box:

- Every network packet on an untuned OS represents a hardware interrupt. This chews up CPU on a system, along with the impact that running OpenVPN in whatever cryptographic configuration you have. Modern Linux systems do do interrupt coalescing, which mitigates this somewhat, but you could go all the way up to ToE (TCP Offload Engines) & SSL offload engines on a box (both are supported on Linux, I particularly like Chelsio for ToE cards, and some SSL accelerators on

- Whatever OS you choose, take a good look in the documentation for kernel tweak-ables for network buffers and size appropriately to create necessary queues for traffic flows, etc.

- Consider the use of transparent bridging in any firewall configuration for additional security - transparent bridging is where you place an IP-aware firewall configured in the middle of an Ethernet bridge configured with two or more Ethernet interfaces in your OS. The cool part about this is that there's not much "to hack" here, as the firewall doesn't have an addressable IP end-point. This may not fit into your VPN plans well, just toy with the idea.

- FWBuilder is a cool GUI tool for configuring firewalls of disparate types, however, it's support for full PF features is kind of lagging somewhat.

Hope this helps a little

/dmfh

-- _ __ _ __| |_ __ / _| |_ 01100100 01101101 / _` | ' \\| _| ' \\ 01100110 01101000 \\__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx

Hum, seems quite distracting to me instead.

FYI, none can beat networking performance, routing and, or firewall capabilities of Linux kernel version 2.6 series.

How many small routers and, or so called xDSL modems based on OpenBSD, NetBSD and, or FreeBSD are available on the market?

Why the hell *BSD's have so many firewall daemons -- ip6fw, ipfilter, ipfw, PF and, or separate ipnatd?

Performance is highly subjective. Even worse when it's touted as a benefit without addressing the security risks.

There are choices out there and each worth considering. Different solutions exist, offering many choices. Pick what's considered suitable.

Don't know about dd-wrt, but small home routers like the one you describe (200MHz mips processor) seem to be able to (en/de)crypt (over SSH, but SSL should be comparable) in the order of 100-200KB/s in my experience.

It's easy for you to check: do an "ssh wrtserver cat /dev/null

(Gets out the popcorn, definitely flame bait, but it does expose an industry problem.)

Did you read in my post "whatever OS you chose", or is the only thing you see a Penguin when you look @ operating systems? Your post irritated me because it echos a problem in the industry with "OS fever". OS's and any code-base are tools that are useful in some circumstances and not others. It's the same damn disease we have in the industry with Java.

If you knew some TCP/IP history, you'd also know that TCP/IP "came from" BSD, and every TCP/IP stack in the world owes its heritage to a bunch of folks @ Berkeley some 30 now almost 40 years ago.

FBSD continues to have a fantastically performing TCP/IP stack - they did a huge re-write / clean-up of their TCP/IP stack resulting in amazing performance gains. Innovations abound in Linux as well.

Why do the BSD's have so many firewall - (what?) - they're not daemons, they're interfaces to a piece of kernel code, with the note-able exception of ipnatd / divert you mentioned. IMHO, PF just rules (expressing my own personal opinion). How, in a firewall rule you can detect DoS / DDoS and auto-firewall stuff is amazing (please don't bring up the perfect-storm-IP-src-spoof thing, yes, I know, URPF is a partial solution for this, etc.)

Analyze & embrace everyone's innovation with a careful scrutinizing eye of what you want or need. "Logo loyalty" is only for closed minds. Each of the Unices (Linux, FBSD, OBSD, Solaris, Darwin, etc.) has some special sauce they added and keep adding, thank the ancients we all think differently, it moves things along.

Grab an old machine, a couple of old ISA NIC cards, download a bunch of different OS's, and grab a man page, please.

- This message brought to you through a 486-DX133, 32MB RAM, 240MB IDE HDD OBSD PF-based firewall router - 900 up days and counting...

/dmfh

-- _ __ _ __| |_ __ / _| |_ 01100100 01101101 / _` | ' \| _| ' \ 01100110 01101000 \__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx

Gotta love a good smackdown now and then. Nicely done.

So, is not Linux as much secure as are the *BSD's? or people and, or creators of a Gazillion Linux redistributions either don't know what the heck that security thing is which only *BSD can provide better?

Ha!

Seemed the earlier reply quite well addressed the reasons. That you don't have enough experience with either perhaps explains why you didn't understand it.