linux router connecting to dd-wrt(s) for VPN - TCP-IP


  1. linux router connecting to dd-wrt(s) for VPN

    I have been working as an admin on a WAN comprised of multiple linux
    servers (and associated [irrelevant] Sun Ray clusters) for a short
    period of time now. Until this point my tasks have been primarily
    comprised of configuration of different security and authentication
    services with a few package installation and configuration tasks and
    scripting thrown in for good measure.

    I've just been given a new task to begin when I'm completed with the
    one that I'm currently involved in. Being as my current one only
    consists of me babysitting downloads for another few hours, I decided
    to start researching the upcoming one.

    The office that I work at is connected to several satellite offices
    via 3 separate dd-wrt OpenVPN Linksys routers. Each is a separate
    gateway, 2 for specialized services and one for general internet and
    GNOME desktop traffic (which is normally on the local subnet of the
    WAN to conserve bandwidth). Our current projected expansion has my
    superior thinking that it would be a good idea to replace these 3
    Linksys routers (and their associated 200MHz processors) with a
    dedicated linux routing machine, short on memory and HDD space, with
    1GHz or slightly higher processor so that we can handle whatever
    bandwidth needs we're thrown in the next year.

    So I started googling, as it is to be my task to set up that machine.
    Unfortunately, although I'm familiar with the basic concepts and
    terminology used in networking, I'm relatively deficient in practical
    experience. What I'm looking for is information on using the linux
    router to connect to the other dd-Wrts utilizing the same VPN
    structure as was utilized before. I have not been able to find
    anything except for information on connecting dd-Wrt devices to each
    other. Thus I'm looking for any tips or pointers to information on
    configuring such a setup, or any explanation of how existing
    documentation can be used with a few changes, etc...

    I'm also interested, for curiosity's sake, in how much information
    these dd-Wrt devices can actively handle with their processing
    capabilities (both with and without SSL/TLS overhead).

    Thank you for any help or comments you might have.


    Damon Getsman
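    As an added example, not part of the original thread and not any
    poster's configuration: a POSIX sh script that generates the hub-side
    OpenVPN configuration a Linux router would use in place of the three
    dd-wrt boxes, with each satellite dd-wrt device staying an OpenVPN
    client that dials in to the hub. Everything in it is an assumption:
    whether the dd-wrt units are clients at all, the site names and
    subnets (constructed sample data), the tunnel network 10.8.0.0/24, the
    port, the certificate file names and the cipher/auth settings, which
    must be made to match whatever the existing dd-wrt client configs use.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an OpenVPN hub config for a
# Linux router standing in for several dd-wrt OpenVPN gateways.
# Assumptions (all hypothetical): the dd-wrt boxes are OpenVPN clients with
# TLS certificates whose CN equals the site name below; the hub listens on
# UDP 1194; each branch LAN is bound to its client by an "iroute" in a
# client-config-dir (ccd) file.
set -eu

# Output directory; override with OVPN_OUT for a dry run.
OUT="${OVPN_OUT:-/etc/openvpn}"

# Site list, "<client-cert-CN> <branch-lan-cidr>". Constructed sample data.
SITES='site-a 10.10.1.0/24
site-b 10.10.2.0/24
site-c 10.10.3.0/24'

# cidr_to_mask 10.10.1.0/24 -> "10.10.1.0 255.255.255.0"
# OpenVPN's route / iroute / push route take network + netmask, not CIDR.
cidr_to_mask() {
    net=${1%/*}; bits=${1#*/}
    mask=""; i=0
    while [ $i -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then octet=255; bits=$((bits - 8))
        else octet=$(( 256 - (1 << (8 - bits)) )); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    echo "$net $mask"
}

# gen_hub: write server.conf plus one ccd file per site.
gen_hub() {
    mkdir -p "$OUT/ccd"
    {
        echo "port 1194"
        echo "proto udp"
        echo "dev tun"
        echo "topology subnet"
        echo "server 10.8.0.0 255.255.255.0"   # tunnel address pool (assumed)
        echo "ca ca.crt"
        echo "cert hub.crt"
        echo "key hub.key"
        echo "dh dh2048.pem"
        echo "tls-auth ta.key 0"                 # HMAC on the control channel
        echo "remote-cert-tls client"            # peers must present a client cert
        echo "cipher AES-256-CBC"                # must match the dd-wrt clients
        echo "auth SHA256"
        echo "client-config-dir ccd"
        echo "client-to-client"                  # branch-to-branch traffic allowed
        echo "keepalive 10 60"
        echo "persist-key"
        echo "persist-tun"
        echo "user nobody"
        echo "group nogroup"
        echo "verb 3"
        # One kernel route per branch LAN so the hub sends it into the tunnel.
        printf '%s\n' "$SITES" | while read -r cn cidr; do
            echo "route $(cidr_to_mask "$cidr")"
        done
    } > "$OUT/server.conf"
    # Per-client file: "iroute" tells OpenVPN which client owns a LAN, so only
    # the client holding that CN's certificate can receive traffic for it.
    # The "push route" lines give the branch the other branches' subnets.
    printf '%s\n' "$SITES" | while read -r cn cidr; do
        {
            echo "iroute $(cidr_to_mask "$cidr")"
            printf '%s\n' "$SITES" | while read -r ocn ocidr; do
                [ "$ocn" = "$cn" ] || echo "push \"route $(cidr_to_mask "$ocidr")\""
            done
        } > "$OUT/ccd/$cn"
    done
}

# Only write files when explicitly asked: OVPN_GENERATE=1 sh thisfile
if [ "${OVPN_GENERATE:-0}" = 1 ]; then
    gen_hub
fi
```

    The dd-wrt side then needs only its usual client settings (remote
    pointing at the hub, its own cert/key, the same cipher, auth and
    tls-auth values). Because the iroute lives in a file named after the
    certificate CN, a branch can only ever be handed its own subnet; leave
    duplicate-cn off so one certificate means one site.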


  2. Re: linux router connecting to dd-wrt(s) for VPN

    > I'm also interested, for curiosity's sake, in how much information
    > these dd-Wrt devices can actively handle with their processing
    > capabilities (both with and without SSL/TLS overhead).


    A question perhaps best asked on the dd-wrt website forums?

    As for a standalone PC as a router, BSD is often considered a better candidate
    than most linux distros. Mainly for security reasons.


  3. Re: linux router connecting to dd-wrt(s) for VPN

    On 2008-04-16 12:56:34 -0400, Damon Getsman said:

    > The office that I work at is connected to several satellite offices
    > via 3 separate dd-wrt OpenVPN Linksys routers. Each is a separate
    > gateway, 2 for specialized services and one for general internet and
    > GNOME desktop traffic (which is normally on the local subnet of the
    > WAN to conserve bandwidth). Our current projected expansion has my
    > superior thinking that it would be a good idea to replace these 3
    > Linksys routers (and their associated 200MHz processors) with a
    > dedicated linux routing machine, short on memory and HDD space, with
    > 1GHz or slightly higher processor so that we can handle whatever
    > bandwidth needs we're thrown in the next year.



    I'd highly recommend OpenBSD for routing / security / VPN work as well.
    The OS is not known for being a serious OS performer, but does very
    well with minimal hardware configurations - for example, I've been
    running my home firewall box and OpenVPN connectivity to myself and
    other distant personal machines where I work, inclusive of routing
    protocols, on a 486DX5-133 with 32MB for the last few years very
    reliably. The anti-DDoS, anti-spoof, AuthPF and some other features
    with PF are just awesome, IMHO.

    The PF language for implementing firewall rules is very robust and
    feature-rich (available in other *BSD's too).

    I'd consider spec'ing some new / cheap machines to do all this work, if
    you can do that, here's a running list of ideas:

    Consider these issues / ideas when spec'ing your box:

    - Every network packet on an untuned OS represents a hardware
    interrupt. This chews up CPU on a system, along with the impact that
    running OpenVPN in whatever cryptographic configuration you have.
    Modern Linux systems do do interrupt coalescing, which mitigates this
    somewhat, but you could go all the way up to ToE (TCP Offload Engines)
    & SSL offload engines on a box (both are supported on Linux, I
    particularly like Chelsio for ToE cards, and some SSL accelerators on
    *BSD).

    - Whatever OS you choose, take a good look in the documentation for
    kernel tweak-ables for network buffers and size appropriately to create
    necessary queues for traffic flows, etc.

    - Consider the use of transparent bridging in any firewall
    configuration for additional security - transparent bridging is where
    you place an IP-aware firewall configured in the middle of an Ethernet
    bridge configured with two or more Ethernet interfaces in your OS. The
    cool part about this is that there's not much "to hack" here, as the
    firewall doesn't have an addressable IP end-point. This may not fit
    into your VPN plans well, just toy with the idea.

    - FWBuilder is a cool GUI tool for configuring firewalls of disparate
    types, however, its support for full PF features is kind of lagging
    somewhat.

    Hope this helps a little

    /dmfh

    --
    _ __ _
    __| |_ __ / _| |_ 01100100 01101101
    / _` | ' \| _| ' \ 01100110 01101000
    \__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx
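    As an added example, not from the thread or from the poster above: a
    POSIX sh script showing the two Linux-side items in that advice, the
    kernel and NIC tunables (buffers, queue depth, interrupt coalescing,
    anti-spoof) and a transparent bridge firewall with no IP address of its
    own, built with iproute2 and iptables. Interface names eth1/eth2, the
    hub address 203.0.113.10, UDP port 1194 and every numeric value are
    assumptions; the script prints the commands unless DRY_RUN=0, so it can
    be reviewed before it touches a router.

```shell
#!/bin/sh
# Added example, not from the thread. (1) kernel/NIC tuning for a busy Linux
# router and (2) a transparent (IP-less) bridge firewall.
# Assumptions (hypothetical): eth1 faces the outside, eth2 the inside, the
# OpenVPN hub is behind the bridge at 203.0.113.10 on UDP 1194. The buffer
# and coalescing numbers are starting points, not recommendations.
set -eu

# run: print the command instead of executing it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tune_net <iface>: socket buffers, input queue, conntrack table, reverse
# path filtering and receive interrupt coalescing on the given NIC.
tune_net() {
    iface=$1
    # Larger socket buffers (bytes) and a longer per-CPU input queue (packets)
    # so bursts are queued rather than dropped.
    run sysctl -w net.core.rmem_max=16777216
    run sysctl -w net.core.wmem_max=16777216
    run sysctl -w net.core.netdev_max_backlog=5000
    # Every tracked flow occupies a conntrack slot; size it for the site count.
    run sysctl -w net.netfilter.nf_conntrack_max=262144
    # Anti-spoof: discard packets whose source address would not route back
    # out the interface they arrived on.
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    # Interrupt coalescing: let the NIC batch receive interrupts instead of
    # raising one per packet. Check support first with "ethtool -c <iface>";
    # drivers reject settings they do not implement.
    run ethtool -C "$iface" rx-usecs 100 rx-frames 64
}

# bridge_fw <outside-if> <inside-if>: bridge the two ports, give the bridge
# no IP address, and filter bridged frames with iptables.
bridge_fw() {
    out_if=$1; in_if=$2
    run ip link add name br0 type bridge
    run ip link set dev "$out_if" master br0
    run ip link set dev "$in_if" master br0
    run ip link set dev "$out_if" up
    run ip link set dev "$in_if" up
    run ip link set dev br0 up
    # Deliberately no "ip addr add" on br0: nothing on the wire can address
    # the firewall. Manage it over a separate interface or the console.
    # Send bridged frames through the iptables FORWARD chain.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # Default deny, allow replies to tracked flows, then only the VPN port
    # inbound to the hub. --physdev-in/--physdev-out select bridge ports.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$out_if" --physdev-out "$in_if" \
        -p udp -d 203.0.113.10 --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
    # Inside may open new flows outbound.
    run iptables -A FORWARD -m physdev --physdev-in "$in_if" --physdev-out "$out_if" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when asked: DRY_RUN=0 sh thisfile apply
if [ "${1:-}" = apply ]; then
    tune_net eth1
    bridge_fw eth1 eth2
fi
```

    The bridge form fits a firewall placed in front of the VPN hub rather
    than the hub itself: an OpenVPN endpoint must have an address, so the
    IP-less box sits on the wire in front of it.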


  4. Re: linux router connecting to dd-wrt(s) for VPN

    On 04/18/2008 06:29 AM, Digital Mercenary For Honor wrote:
    > On 2008-04-16 12:56:34 -0400, Damon Getsman said:
    >
    >> The office that I work at is connected to several satellite offices
    >> via 3 separate dd-wrt OpenVPN Linksys routers. Each is a separate
    >> gateway, 2 for specialized services and one for general internet and
    >> GNOME desktop traffic (which is normally on the local subnet of the
    >> WAN to conserve bandwidth). Our current projected expansion has my
    >> superior thinking that it would be a good idea to replace these 3
    >> Linksys routers (and their associated 200MHz processors) with a
    >> dedicated linux routing machine, short on memory and HDD space, with
    >> 1GHz or slightly higher processor so that we can handle whatever
    >> bandwidth needs we're thrown in the next year.

    >
    >
    > I'd highly recommend OpenBSD for routing / security / VPN work as well.
    > The OS is not known for being a serious OS performer, but does very well
    > with minimal hardware configurations - for example, I've been running my
    > home firewall box and OpenVPN connectivity to myself and other distant
    > personal machines where I work, inclusive of routing protocols, on a
    > 486DX5-133 with 32MB for the last few years very reliably. The
    > anti-DDoS, anti-spoof, AuthPF and some other features with PF are just
    > awesome, IMHO.
    >
    > The PF language for implementing firewall rules is very robust and
    > feature-rich (available in other *BSD's too).
    >
    > I'd consider spec'ing some new / cheap machines to do all this work, if
    > you can do that, here's a running list of ideas:
    >
    > Consider these issues / ideas when spec'ing your box:
    >
    > - Every network packet on an untuned OS represents a hardware interrupt.
    > This chews up CPU on a system, along with the impact that running
    > OpenVPN in whatever cryptographic configuration you have. Modern Linux
    > systems do do interrupt coalescing, which mitigates this somewhat, but
    > you could go all the way up to ToE (TCP Offload Engines) & SSL offload
    > engines on a box (both are supported on Linux, I particularly like
    > Chelsio for ToE cards, and some SSL accelerators on *BSD).
    >
    > - Whatever OS you choose, take a good look in the documentation for
    > kernel tweak-ables for network buffers and size appropriately to create
    > necessary queues for traffic flows, etc.
    >
    > - Consider the use of transparent bridging in any firewall configuration
    > for additional security - transparent bridging is where you place an
    > IP-aware firewall configured in the middle of an Ethernet bridge
    > configured with two or more Ethernet interfaces in your OS. The cool
    > part about this is that there's not much "to hack" here, as the firewall
    > doesn't have an addressable IP end-point. This may not fit into your VPN
    > plans well, just toy with the idea.
    >
    > - FWBuilder is a cool GUI tool for configuring firewalls of disparate
    > types, however, its support for full PF features is kind of lagging
    > somewhat.
    >
    > Hope this helps a little


    Hum, seems quite distracting to me instead.

    FYI, none can beat networking performance, routing and, or firewall
    capabilities of Linux kernel version 2.6 series.

    How many small routers and, or so called xDSL modems based on OpenBSD,
    NetBSD and, or FreeBSD are available on the market?

    Why the hell do *BSD's have so many firewall daemons -- ip6fw, ipfilter,
    ipfw, PF and, or separate ipnatd?

    --
    Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
    Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
    Chandigarh, UT, 160062, India Gentoo, Fedora, Debian/FreeBSD/XP
    Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/

  5. Re: linux router connecting to dd-wrt(s) for VPN

    > FYI, none can beat networking performance, routing and, or firewall
    > capabilities of Linux kernel version 2.6 series.


    Performance is highly subjective. Even worse when it's touted as a benefit
    without addressing the security risks.

    There are choices out there and each worth considering. Different solutions
    exist, offering many choices. Pick what's considered suitable.


  6. Re: linux router connecting to dd-wrt(s) for VPN

    > I'm also interested, for curiosity's sake, in how much information
    > these dd-Wrt devices can actively handle with their processing
    > capabilities (both with and without SSL/TLS overhead).


    Don't know about dd-wrt, but small home routers like the one you
    describe (200MHz MIPS processor) seem to be able to (en/de)crypt (over
    SSH, but SSL should be comparable) on the order of 100-200KB/s in
    my experience.

    It's easy for you to check: do an "ssh wrtserver cat /dev/null" and time it.


    Stefan
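    As an added example, not from the thread or the poster above: a POSIX
    sh script that puts a number on the timing test suggested, by pushing a
    known volume of data through an SSH session to the device and reporting
    KB/s. The remote side decrypts, so the slow router's CPU is what gets
    measured. The host name wrtserver, the data volume and the cipher names
    are placeholders; the only thing taken from the post is the idea of
    timing ssh to the box.

```shell
#!/bin/sh
# Added example, not from the thread. Measures how fast a small router can
# decrypt an SSH stream, as a stand-in for its VPN crypto capacity.
# Assumptions (hypothetical): the device answers SSH as "wrtserver" and has
# a "cat" binary; SSH cost is comparable in kind to TLS/OpenVPN, not equal.
set -eu

# kbps <bytes> <seconds> -> integer KB/s.
# date(1) gives one-second resolution, so an elapsed time of 0 is counted
# as 1 rather than dividing by zero; send enough data to run several seconds.
kbps() {
    bytes=$1; secs=$2
    [ "$secs" -ge 1 ] || secs=1
    echo $(( bytes / 1024 / secs ))
}

# ssh_rate <host> <megabytes> [cipher]: stream N MB of zeros to /dev/null on
# the far side and report KB/s. Compression is forced off because a stream
# of zeros would otherwise compress to almost nothing and inflate the rate.
# A cipher argument shows how much the algorithm matters on a slow CPU;
# "ssh -Q cipher" lists what the client offers.
ssh_rate() {
    host=$1; mb=$2; cipher=${3:-}
    bytes=$(( mb * 1048576 ))
    start=$(date +%s)
    if [ -n "$cipher" ]; then
        dd if=/dev/zero bs=1048576 count="$mb" 2>/dev/null |
            ssh -o Compression=no -c "$cipher" "$host" 'cat > /dev/null'
    else
        dd if=/dev/zero bs=1048576 count="$mb" 2>/dev/null |
            ssh -o Compression=no "$host" 'cat > /dev/null'
    fi
    end=$(date +%s)
    kbps "$bytes" $(( end - start ))
}

# Run only when given a host, e.g.: sh thisfile wrtserver 20 aes128-ctr
if [ $# -ge 2 ]; then
    echo "$(ssh_rate "$1" "$2" "${3:-}") KB/s"
fi
```

    Run it twice with different ciphers to separate the crypto cost from
    the interface and TCP cost; the gap between them is roughly what the
    "with and without SSL/TLS overhead" question in the first post is
    asking about.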

  7. Re: linux router connecting to dd-wrt(s) for VPN

    On 2008-04-18 10:55:02 -0400, Balwinder S Dheeman
    said:

    > Hum, seems quite distracting to me instead.
    >
    > FYI, none can beat networking performance, routing and, or firewall
    > capabilities of Linux kernel version 2.6 series.
    >
    > How many small routers and, or so called xDSL modems based on OpenBSD,
    > NetBSD and, or FreeBSD are available on the market?
    >
    > Why the hell do *BSD's have so many firewall daemons -- ip6fw, ipfilter,
    > ipfw, PF and, or separate ipnatd?



    (Gets out the popcorn, definitely flame bait, but it does expose an
    industry problem.)

    Did you read in my post "whatever OS you choose", or is the only thing
    you see a Penguin when you look @ operating systems? Your post
    irritated me because it echoes a problem in the industry with "OS
    fever". OS's and any code-base are tools that are useful in some
    circumstances and not others. It's the same damn disease we have in the
    industry with Java.

    If you knew some TCP/IP history, you'd also know that TCP/IP "came
    from" BSD, and every TCP/IP stack in the world owes its heritage to a
    bunch of folks @ Berkeley some 30 now almost 40 years ago.

    FBSD continues to have a fantastically performing TCP/IP stack - they
    did a huge re-write / clean-up of their TCP/IP stack resulting in
    amazing performance gains. Innovations abound in Linux as well.

    Why do the BSD's have so many firewalls - (what?) - they're not daemons,
    they're interfaces to a piece of kernel code, with the notable
    exception of ipnatd / divert you mentioned. IMHO, PF just rules
    (expressing my own personal opinion). How, in a firewall rule, you can
    detect DoS / DDoS and auto-firewall stuff is amazing (please don't
    bring up the perfect-storm-IP-src-spoof thing, yes, I know, URPF is a
    partial solution for this, etc.)

    Analyze & embrace everyone's innovation with a careful scrutinizing eye
    of what you want or need. "Logo loyalty" is only for closed minds. Each
    of the Unices (Linux, FBSD, OBSD, Solaris, Darwin, etc.) has some
    special sauce they added and keep adding, thank the ancients we all
    think differently, it moves things along.

    Grab an old machine, a couple of old ISA NIC cards, download a bunch of
    different OS's, and grab a man page, please.

    - This message brought to you through a 486-DX133, 32MB RAM, 240MB IDE
    HDD OBSD PF-based firewall router - 900 up days and counting...



    /dmfh

    --
    _ __ _
    __| |_ __ / _| |_ 01100100 01101101
    / _` | ' \| _| ' \ 01100110 01101000
    \__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx


  8. Re: linux router connecting to dd-wrt(s) for VPN

    > (Gets out the popcorn, definitely flame bait, but it does expose an
    > industry problem.)


    Gotta love a good smackdown now and then. Nicely done.

  9. Re: linux router connecting to dd-wrt(s) for VPN

    On 04/20/2008 07:11 PM, Bill Kearney wrote:
    >> FYI, none can beat networking performance, routing and, or firewall
    >> capabilities of Linux kernel version 2.6 series.

    >
    > Performance is highly subjective. Even worse when it's touted as a
    > benefit without addressing the security risks.
    >
    > There are choices out there and each worth considering. Different
    > solutions exist, offering many choices. Pick what's considered suitable.


    So, is Linux not as secure as the *BSD's? Or do the people and, or
    creators of a gazillion Linux redistributions not know what the heck
    that security thing is which only *BSD can provide better?

    Ha!
    --
    Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
    Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
    Chandigarh, UT, 160062, India Gentoo, Fedora, Debian/FreeBSD/XP
    Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/

  10. Re: linux router connecting to dd-wrt(s) for VPN

    > So, is Linux not as secure as the *BSD's? Or do the people and, or
    > creators of a gazillion Linux redistributions not know what the heck
    > that security thing is which only *BSD can provide better?


    It seemed the earlier reply addressed the reasons quite well. That you
    don't have enough experience with either perhaps explains why you didn't
    understand it.

