DD-WRT VPN Settings?



Hi All,

So my new WRT54GL Router arrived and I installed DD-WRT VPN on it. I originally used the following script to get VPN working over OpenVPN:

Startup:

[CODE]
mkdir /tmp/openvpn
echo "-----BEGIN CERTIFICATE-----
[clipped]
-----END CERTIFICATE-----
"> /tmp/openvpn/ca.crt
# OpenVPN executes these scripts directly, so they need a shebang line to run
echo "#!/bin/sh
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE"> /tmp/openvpn/route-up.sh
chmod +x /tmp/openvpn/route-up.sh
echo "#!/bin/sh
iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE"> /tmp/openvpn/route-down.sh
chmod +x /tmp/openvpn/route-down.sh
echo "[username clipped]
[password clipped]"> /tmp/openvpn/vpn.user
# plaintext credentials: keep the file readable by root only
chmod 600 /tmp/openvpn/vpn.user
echo "client
dev tun
proto udp
remote uk1.vpn.giganews.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /tmp/openvpn/ca.crt
tls-remote uk1.vpn.giganews.com
auth-user-pass /tmp/openvpn/vpn.user
# OpenVPN 2.1 and later refuse to run --route-up/--down scripts without this
script-security 2
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA"> /tmp/openvpn/myopenvpn.conf
# give the WAN link time to come up before dialling the VPN
sleep 60
openvpn --config /tmp/openvpn/myopenvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon
[/CODE]

Firewall:

[CODE]
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
[/CODE]

Custom:

[CODE]
killall openvpn
openvpn --config /tmp/openvpn/myopenvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon
[/CODE]

Anyway, this connection works fine and the router connects, but I'm only able to receive a maximum of 2MB due to the load on the router (shame).

So I've decided to fall back on PPTP instead of OpenVPN and used the configuration recommended by my VPN Provider:

http://www.giganews.com/vyprvpn/setup/dd-wrt/pptp.html

However, nothing is showing up in the Logs as this service being active and the WAN is still showing the correct IP.

Can anyone guide me through configuring this part of DD-WRT? I've looked on the DD-WRT Forums as well as Giganews and it's not been all that helpful.

Thanks

Chris

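As an added example that is not part of the thread or of DD-WRT/OpenVPN: a small Python lint over a copy of the client config the startup script above writes to /tmp/openvpn/myopenvpn.conf. The directive names are real OpenVPN options; the two config strings and the wording of the findings are constructed here, and the "hardened" variant is an assumption about what a router deployment would change, not the VPN provider's recommended settings.

```python
# Lint an OpenVPN client config for settings that matter when it runs
# unattended on a router. Added example; not code from the thread.

# Constructed sample: the directives from the startup script in the post above.
ROUTER_CONF = """\
client
dev tun
proto udp
remote uk1.vpn.giganews.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /tmp/openvpn/ca.crt
tls-remote uk1.vpn.giganews.com
auth-user-pass /tmp/openvpn/vpn.user
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
"""

# Constructed sample (assumed hardening, not the provider's config): same
# setup with name verification, server EKU check, script-security and no
# compression. The credentials file stays, since a router cannot prompt.
HARDENED_CONF = """\
client
dev tun
proto udp
remote uk1.vpn.giganews.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpn/ca.crt
verify-x509-name uk1.vpn.giganews.com name
remote-cert-tls server
auth-user-pass /tmp/openvpn/vpn.user
script-security 2
verb 3
auth SHA256
cipher AES-256-CBC
"""

# Data-channel ciphers OpenVPN itself warns about or has dropped.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_directives(text):
    """Map each directive name to the list of argument lists it appears with.
    Lines beginning with '#' or ';' are OpenVPN comments and are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint(text):
    """Return (id, message) findings for settings a router deployment should review."""
    d = parse_directives(text)
    findings = []
    if "script-security" not in d:
        findings.append(("script-security",
            "no 'script-security 2': OpenVPN 2.1+ refuses to run --route-up/--down scripts without it"))
    if "tls-remote" in d:
        findings.append(("tls-remote",
            "'tls-remote' is deprecated and removed in 2.5; use 'verify-x509-name <name> name'"))
    if "remote-cert-tls" not in d:
        findings.append(("remote-cert-tls",
            "no 'remote-cert-tls server': the server cert's extended key usage is not checked, "
            "so another certificate from the same CA could pose as the server"))
    if "comp-lzo" in d or "compress" in d:
        findings.append(("compression",
            "compression enabled: compressing plaintext before encryption lets traffic "
            "length leak content (VORACLE); prefer no compression"))
    cred_args = [args for args in d.get("auth-user-pass", []) if args]
    if cred_args:
        findings.append(("credentials-file",
            f"plaintext credentials in {cred_args[0][0]}: keep it mode 600 and off persistent storage"))
    for args in d.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            findings.append(("weak-cipher", f"data channel cipher {args[0]} is weak; use AES-GCM or AES-CBC"))
    return findings


if __name__ == "__main__":
    for label, conf in (("router config", ROUTER_CONF), ("hardened config", HARDENED_CONF)):
        print(f"== {label}")
        for fid, msg in lint(conf):
            print(f"  [{fid}] {msg}")
```

Running the block prints five findings for the config as posted and only the credentials-file note for the hardened variant; the credentials file cannot be avoided on an unattended router, which is why the startup script is the place to restrict its permissions.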

Okay, so I managed to get the VPN running via PPTP but I'm still limited to a 2MB connection; when connecting directly via my Server I still get the full 50MB. I guess this is a router CPU limitation. Does anyone have any input towards this?


there is no way that 2MB is the limit of that router's cpu speed... You've got something else holding you back - are you wireless or something? BTW I doubt you have a 50MByte connection, do you mean 50Mbits? 50MB would be roughly a 400Mbps connection -- yeah that router is never going to be able to handle that.


Sorry man, I mean 50Mb, yeah 2Mb. That's what's showing up on Speedtest.net. After disabling the VPN I get approx 46Mb; any ideas how I can diagnose? SSH - TOP shows the OpenVPN process using 89% CPU!


and where are you vpn'd to? You're going to be limited by their connection to speedtest. Yes a vpn is going to be a performance hit -- from 46mb to 2 seems a bit much.. I wouldn't think it's that much and you're being throttled by the vpn endpoint. Keep in mind the tiny little horse power those soho routers actually have ;) Didn't I suggest you go with a real router distro on some pc hardware?

To test what the router can do over a vpn -- fire up your own vpn server on the wan side and do a performance test.

So something like

[your vpn server] --- 100mbit --- [router wan port] wrt54gl [lan] -- 100mbit -- [then do a ftp, http transfer, etc]

What do you get then?

So please clarify -- you're saying if you connect to the same vpn service from your PC you see 46mbit? That is a pretty big hit, it's going to be a hit - but I would not think that much.. Time to move to a router distro on real hardware if that is the case..

You could make sure you turn off all the extra firewall stuff - that can help! You can also overclock the thing a bit. I know dd-wrt has a setting where you can up the cpu mhz a bit..

edit: So I found a test of openvpn on the 54gl using dd-wrt, seems there's a pretty good hit ;)

http://www.cs.wustl....ovpn/index.html

"The throughput was found to be limited by the router CPU, and is not sufficient for fast connections such as 10/100 Mbps LANs. It is sufficient for slower connections such as most Internet connections. Measurements were presented for traffic generated from client to server. The encryption cipher was found to significantly reduce total throughput."

You could look for one with pptp as well -- guess it's time you move to a full router distro if you're going to want high bandwidth over a vpn connection.


Okay,

Vanilla Internet - 48Mbps

VPN Using OpenVPN on Windows 7 - 45Mbps

VPN Using PPTP on Windows 7 - 47Mbps

VPN Using OpenVPN on DD-WRT - 2.17Mbps

VPN Using PPTP on DD-WRT - 2.85Mbps

And yes, you did recommend a PC Distro but I'll explore that after exploring whether or not I even need this router.

Just set up an OpenVPN on my work PC and connected, same speed :(.

Surely if the VPN is active it should be bypassing the SPI Firewall? Hmm, I'll disable it anyway and test again!


You could look for one with pptp as well -- guess it's time you move to a full router distro if you're going to want high bandwidth over a vpn connection.

Okay, I'm sold, thanks for the Article! Can you recommend a good Router Distro with OpenVPN? Also am I correct in assuming any PC hardware will be okay as long as it has multiple PCI-E NICs?


I run pfsense -- openvpn built in, I use it to connect from work to my home network every day pretty much ;) But sure you can use it for site to site or other connections as well.

I'm currently running 2.1 code, been playing with ipv6 for quite some time and use it to create my Hurricane Electric tunnel.

2.1-DEVELOPMENT (i386)

built on Fri Oct 21 12:51:56 EDT 2011

FreeBSD 8.1-RELEASE-p6

I run mine on an OLD p3 800Mhz with a 6gb hard drive.. Not sure why you think you need pci-e nics? I have some cheap $20 gig cards that I had laying around. Have no real need for gig in the router, but it's the cards I had laying around.

re1: <RealTek 8169/8169S/8169SB(L)/8110S/8110SB(L) Gigabit Ethernet>

But sure pretty much any old hardware or New if you have it laying around will work.. Just need as many nics as you want interfaces. If you have more than 2 you could have like a dmz segment, or wireless segment, etc. etc.

Have Fun with it -- I can say for sure once you start playing with a routing distro you will never go back to the limits of an off the shelf soho, even if running very flexible useful firmware like dd-wrt, etc.


Okay, so just an Update.

Managed to grab a PC with a low power DualCore Intel @ 1.8GHz for free, single NIC w/ 2 PCI Slots. Ordered 2 PCI NICs from eBay for £5. So when they turn up I'll get this running.

Tell me budman, after installing pfSense, I assume most of the default configuration is fairly adequate?


Pretty much.. Are you going to want to play with IPv6? If not just run the released 2.0 line -- if you want to play with ipv6 then there are some things you need to do.

Not a lot of config required unless you want to play or are doing stuff with multiple segments, or carp or going to install packages like squid or snort, etc. etc.

Yeah pretty much install, walk through the bouncing ball and you should be on the internet, etc. Has built in dhcp/dns, just like any soho router -- but for example I'm not a fan of simple dns forwarders so I installed the unbound package and have dnssec enabled.


Okay, well hopefully will have this setup sometime midweek. I think DHCP and DNS might as well be handled by pfSense, no point giving the fileserver extra load when I've got a 1.8GHz DualCore Router! lmao.


yeah pfsense can clearly handle your dhcp and dns now ;) You're not limited to the horse power of a smart phone.

That's a pretty screaming box to be sure for a 50mbit connection.. like I said mine's an OLD p3 800mhz box so yours is going to be screaming -- what cards did you buy BTW? Hope not some junk? How much ram? What disk?


Awesome,

Okay it's a 1.8GHz DualCore Intel Chip (64-bit), Not Sure of the Exact CPU as I'm not going to power it up until I get the NICs.

NICs are basic, eBay item ID: 280367096159, but am planning on ordering two 220893882033 if what I've ordered isn't up for the task.

Motherboard only has two PCI Slots and one PCI-E Slot. Won't be using the Built in NIC.

RAM is 2GB of DDR2-667, Motherboard has two memory slots, both filled.

Hard Disk is a 160GB SATA1 HDD, Was all I had, but will be replaced with a 8GB SSD at some point in the future. But I somehow doubt pfSense will ever use this as SWAP with 2GB of Memory?

Your Thoughts?


You could prob get away with a CF disk vs a SSD.. This is a common setup for pfsense. Yeah the 160 is way overkill and just wasted.. Not even touching my 6GB really, I show 24% usage and 0% swap and I only have 512MB of ram.

Those first nics are prob fine -- you could use the onboard as well, matter of fact you might want to make that your wan - since it's prob different than your pci ones and will stand out during setup. Since you will have 3 interfaces you can setup a wireless segment or dmz segment, etc.

That is a screaming router box, you can easily run ntop and snort on it at the same time!


Don't need any special segments just yet, but will keep it in mind :). May use Integrated NIC once I know what chipset it's on, as Nvidia chipsets always have hell with Linux/BSD.

I appreciate the hard drive is a waste, I have no use for it elsewhere but will remove it at some point.

Finally, NTOP - that's a network monitoring daemon right? How will that help me?


How will it help you?? :blink: Ok -- then no, you have no need to run it..

So if having a record of all the connections, bandwidth and protocols used in and out of your network means nothing to you, then no you have no use of it ;)

So if having the ability to see all the network connections in and out of your network in real time, with filters for top conversation, top talker, protocol is of no need to you then sure.. Not curious to see what uses your bandwidth with ability to break it out by IP, by protocol, etc.

Then yeah no use to you ;)


You will LOVE ntop.

I took budman's advice almost a year ago and found a ****ty p3 128 megs of ram tower in my basement and omfg, best router ever. I now have an intel atom 1.2 ghz dual core with 2 gigs of ram (was sitting around) and a 160gb hard drive (old old hard drive) and my router has been better than ever.

When I first installed ntop, I used it for its basic "who's using how much bandwidth" method. But after that, omfg, the amount of power it has, literally seeing every connection being made and coming back is awesome!

Now, I just use it daily to make sure everything's running fine and no one computer is "randomly" hogging all the upload bandwidth because of "certain programs" that like to stay open.

Anyway, point is, install ntop. lol


Hey Sikh, have not seen you around in a while.. Hey here's a new toy you might be interested in - been playing with it for a couple of months now.

http://www.colasoft.com/nchronos/nchronos-free.php

Slickest thing I have seen in quite some time, this sort of thing is normally only available to the enterprise because of cost.. Now if they would just add IPv6 support we would be talking!


Okay, I'm sold, you guys should write the Wiki Page for NTOP because you make it sound a LOT more interesting than pfSense Wiki does! :D

Package Management is Similar to Linux right? Go to Repo and just install directly from Package Management Application? No Downloading Tarballs and hacking functionality in?


Well hopefully the NIC Cards will arrive tomorrow and I can begin testing. Currently using OpenVPN on my FileServer is putting about 20% load on the CPU when I'm downloading at maximum speed, plus it's not covering my entire LAN, just that one server. As mentioned in the other thread, the Extreme Goal of this is to get a fully functional OpenVPN client covering the entire LAN, looks like we're onto a Win here.

Any idea what I can do with the WRT54GL now I'm not using it for VPN functionality?

EDIT: Also, where can I get a full list of all current Packages available on 2.0?


Just installing it in VMWare to try out. My god BSD confuses the **** out of me compared to Unix/Linux. I know they come from similar backgrounds, but it's so much more complicated. But I'm told Stability in BSD is 10-fold more stable than anything else.


Use it as just an accesspoint - what I use my wrt54 as. Worst case it's my backup router if my pfsense box takes a dump.

Once you install you can view the packages from the gui, not sure if they are listed elsewhere?

Here is a dump

[attachment: screenshot of the installed packages list]

here is the full listing, its a pretty long capture ;)

[attachment: screenshot of the full package listing]


Yeah, as said, I'm running it in VMWare to test so I can see all the packages. Not sure what'll be useful. You mentioned DNS Caching? What Package?


You can see what I have installed -- unbound is a pretty nice package, and the author is very responsive on the forums. From my understanding it is to be integrated vs being a package. If you're going to want dnssec or ipv6 dns support you prob going to want to install that package.

What would be useful comes down to what you want to do.. I have no need of content filtering so I don't run squid or squidguard, box is pretty tight to try and run ntop or I would for sure. But I have nchronos running on another box so I have a full time capture going and can review anything I need to review as far as conversations and or network issues.

If you're going to run openvpn for road warriors then the export package will prob be handy ;)

I like the vnstat package because it gives you a running look at your bandwidth -- example below, I had to reset my database a while back so I lost my year of history; easy to see bandwidth usage.

[attachment: vnstat bandwidth graph screenshot]

Some of the packages are not stated for the 2 line, some work some don't etc.. Seems a popular package is the pfblocker, can insert lists of known bad IPs so you can block them, etc. I personally don't see much use in it unless you were running some service off your connection, and you didn't want all the hits from china sort of thing hitting your service. But the only thing I have open to the public net is my vpn connection (good luck breaking that) and ssh, again good luck breaking public key auth and block of IP after 4 bad attempts. And part of ntp.pool and my torrent ports so I really have no use of blocking anything.

Take a look at the packages, some might interest you - maybe not. It's a great router without any packages btw ;)


This topic is now closed to further replies.