Using RT-N16 as a 4 port openVPN Router (via VPN provider)

Globestar
DD-WRT Novice


Joined: 30 Jun 2010
Posts: 31

PostPosted: Wed Jun 30, 2010 13:35    Post subject: Using RT-N16 as a 4 port openVPN Router (via VPN provider)
Firmware:

DD-WRT v24-sp2 big (c) 2010 NewMedia-NET GmbH
Release: 05/21/10 (SVN revision: 14471)

Router:
Asus RT-N16

Topic: Using the Asus RT-N16 as a 4 port openVPN Router (via a VPN provider)

Objective:

I would like to have a 4 port wired LAN where all outbound WAN traffic is directed to a VPN provider via an openVPN tunnel. (That is, I wish to entirely bypass my local Internet provider (ISP), other than using them as a transport pipe to a third party VPN provider.) For the moment, I do not intend to use any wireless connections, although I certainly want this capability in the near future. In summary, I wish to have a 4 port LAN switch that routes all outbound traffic through an encrypted openVPN tunnel while blocking all traffic and connectivity (DNS lookups, etc.) with the local ISP.

Clarification: The use of the term "VPN Provider" refers to a commercial VPN service provider. Some examples would be StrongVPN, WiTopia, SwissVPN, et al (no bias intended).

What I’ve already accomplished:

I successfully installed the firmware and configured the router without significant difficulty. Thanks to the plethora of information in this forum, I did not contribute any new building material to the construction industry (i.e. another “brick”). I specifically enabled logging, SSH shell, turned off wireless (for the moment) and activated the JFFS file system.

After a significant amount of effort, I was able to figure out iptables (although I won’t claim any great expertise) and get the firewall working (I think). The firewall rules are stored on the /jffs partition and the nvram variable is set so that the router will find it on reboot (i.e. nvram set rc_firewall=/jffs/firewall/asus_rt-n16.fw). The router now connects successfully to my ISP (ADSL using PPPoE) and survives reboot.

Thanks again to the plethora of information in this forum, I was also able to configure openVPN to connect to a third party VPN provider. The openVPN configuration file is stored on the /jffs partition along with the ca certificate and I start it with the command: openvpn --daemon --config /jffs/openVPN/openvpn.conf

Looking at the log file /var/log/messages, I can see that a connection has been established to the remote VPN provider. Similarly, the command ifconfig shows the VPN virtual device. My configuration is shown below.

Code:
client
dev tun                          # routed (layer 3) tunnel
proto tcp-client
remote your.vpn.provider.net 443
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /jffs/openVPN/ca.crt          # provider CA stored on the JFFS partition
verb 3
ns-cert-type server              # only accept a certificate marked as a server cert


What I have not accomplished:

Despite (apparently) establishing a VPN connection, I cannot route any traffic from any of the wired LAN ports to the virtual VPN device. I have tried a variety of different things but nothing seems to work. Most of this effort centers around my attempts to bridge traffic, for example

Code:
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up


I believe that, somehow, I need to isolate the output from the 2 port LAN switch (vlan2?) and connect it to the VPN virtual device (tap/tun). On this point, I am not exactly sure as what to do or how to do it.

Since this forum is loaded with Linux gurus and DD-WRT experts, I thought that I would throw the question to you folks and see what suggestions come back. (Be nice now, ha ha!).

So does anyone have any suggestions or ideas?

OTHER DETAILS AND QUESTIONS:

In looking through this forum, I noticed that there are many comments about bridging and routing of VPN circuits. Can someone clearly explain the differences?

I have set up openVPN on the DD-WRT as a client of the remote VPN provider. It appears that as a client the device used in the configuration file should be TUN for clients (i.e. dev tun). In other configurations (VPN server), TAP is used. Why is this? (In the config file supplied by the VPN provider, the dev TUN is specified but I’m not sure that I am compelled to use the same setting with DD-WRT.)

It is my understanding that TUN devices are virtual point-to-point devices while TAP devices are virtual network devices. This would mean that for TUN devices, ifconfig must be given the virtual IP of the other P-T-P device while TAP devices need a local IP and netmask, yes? If the VPN tunnel is created with a TAP device then it can be bridged as an Ethernet connection to the LAN Switch? Also, if I am correct (and I am not sure), with a TUN device DNS and WINS are not broadcasted over the VPN?

In experimenting, I can build an openVPN connection to the remote VPN provider using either a TAP or TUN device. In either case, ifconfig shows the virtual device with the correct IP address (TUN) or MAC address (TAP).

I am also a bit unsure of how the hardware on the Asus RT-N16 relates to the DD-WRT firmware with regard to TUN/TAP. Any comments?

With regard to the original objective (4 port openVPN router), is it possible that one of you fine folks out there could sketch out a better picture of what I should be trying to do?

Thanks,
Globestar
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Jun 30, 2010 20:16    Post subject:
Use the redirect-gateway option to make the tunnel become your main route. It's in many of the wiki's example configs (there's like 5 guides) and you can read more about it in the openvpn documentation if you want.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
jalanmac
DD-WRT Novice


Joined: 20 Sep 2006
Posts: 38

PostPosted: Thu Jul 01, 2010 12:27    Post subject:
Globestar,

I have had an OpenVPN setup with Witopia now for almost two years and have had a great experience with them and with DD-WRT supporting it. When I first set it up I spent some time configuring trying to use the scripts but found that (at least with Witopia) the entire deal could be configured from the VPN page. I also found that some versions of DD-WRT worked and some didn't - or at least I was able to make some work and unable to make some other versions work. I currently have a working setup with version 13577 and have included a screen capture of the VPN page for you to review (again, with witopia settings). I found that setting up the keys was also a combination of luck and skill (mostly luck) so make sure you try resetting the keys if your router starts and yet you find yourself continuing to be routed through your local ISP.

Finally, I reached out to witopia and explained my situation (I didn't want another router - their cloakbox) for $200 but was willing to pay the $100 for a cloakbox annual renewal if I could configure it on my router. They were very accommodating and we have been using that agreement ever since.



[Attachment: VPN Settings.JPG (screen capture of the DD-WRT VPN page with the Witopia settings)]

Globestar
DD-WRT Novice


Joined: 30 Jun 2010
Posts: 31

PostPosted: Thu Jul 01, 2010 13:50    Post subject:
jalanmac wrote:
Globestar,

I have had an OpenVPN setup with Witopia now for almost two years and have had a great experience with them and with DD-WRT supporting it. When I first set it up I spent some time configuring trying to use the scripts but found that (at least with Witopia) the entire deal could be configured from the VPN page. I also found that some versions of DD-WRT worked and some didn't - or at least I was able to make some work and unable to make some other versions work. I currently have a working setup with version 13577 and have included a screen capture of the VPN page for you to review (again, with witopia settings). I found that setting up the keys was also a combination of luck and skill (mostly luck) so make sure you try resetting the keys if your router starts and yet you find yourself continuing to be routed through your local ISP.

Finally, I reached out to witopia and explained my situation (I didn't want another router - their cloakbox) for $200 but was willing to pay the $100 for a cloakbox annual renewal if I could configure it on my router. They were very accommodating and we have been using that agreement ever since.


jalanmac,

Well, it certainly doesn't get any simpler than this, does it?

All you had to do was configure the client, per your configuration diagram? No changes to the firewall, etc?

I presume that Witopia provided you with some configuration information, yes? If so, could you post a sanitized version?

Thanks for the information and the reply,
Regards,
Globestar
Globestar
DD-WRT Novice


Joined: 30 Jun 2010
Posts: 31

PostPosted: Thu Jul 01, 2010 13:54    Post subject:
phuzi0n wrote:
Use the redirect-gateway option to make the tunnel become your main route. It's in many of the wiki's example configs (there's like 5 guides) and you can read more about it in the openvpn documentation if you want.


phuzi0n,

I will investigate further. As you likely guessed, I needed a push in the right direction. Any comment on my TUN/TAP query?

Thanks for your reply. It is appreciated. Will post the results.

Regards,
Globestar
jalanmac
DD-WRT Novice


Joined: 20 Sep 2006
Posts: 38

PostPosted: Thu Jul 01, 2010 14:23    Post subject:
Globestar,

While Witopia was very helpful in answering my questions, they didn't provide any direct documentation and only updated comments I had put together from the various guides I came across. That input resulted in the settings you see above so I really don't have anything else - and I believe they have switched to a customized Tomato for the cloakbox they provide so they would be unlikely to have specific DDWRT support any more.
I double checked the router this morning (I last updated it back in January so I didn't want to misspeak) and the commands page remains blank. Because I have swapped out routers a couple of times with this configuration, the other bit of advice I would give is for every time you try, update the keys, apply, wait and THEN unplug the router and plug back in and try IPchicken or speedtest. I found that restarting the router made it easier to determine with certainty whether you were connected or not.
Globestar
DD-WRT Novice


Joined: 30 Jun 2010
Posts: 31

PostPosted: Thu Jul 01, 2010 20:07    Post subject:
phuzi0n wrote:
Use the redirect-gateway option to make the tunnel become your main route. It's in many of the wiki's example configs (there's like 5 guides) and you can read more about it in the openvpn documentation if you want.


Does this command apply to an openVPN client connection? In my case, the DD-WRT router is a client to a commercial VPN service provider.

In looking at the OpenVPN logs I see that the remote server is actually pushing these commands to me:

Code:
Jul  1 19:34:00 DD-WRT daemon.notice openvpn[2601]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS xxx.xxx.xxx.xxx,dhcp-option DNS xxx.xxx.xxx.xxx,route-gateway xxx.xxx.xxx.xxx,topology subnet,ping 10,ping-restart 60,socket-flags TC


I can definitely see the successful VPN connection but nothing from the 4-port LAN switch seems to be routed to the TUN PTP device.

Regards,
Globestar
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Fri Jul 02, 2010 0:47    Post subject:
The difference between taps and tuns is that taps are for bridging and tuns are for routing. Use a tun interface and see this post about enabling NAT if you're configuring it in a way that doesn't do it automatically (iirc the GUI will add NAT for you).

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=457347#457347

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
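As an added example (this is not code from the thread, from phuzi0n's linked post, or from DD-WRT itself), the NAT rule phuzi0n points to, combined with the LAN isolation Globestar's objective calls for: forwarded LAN traffic may leave only through the tunnel, and the WAN interface drops it if the tunnel is down, so a dead OpenVPN process does not silently fall back to the ISP. The interface names (br0 for the LAN bridge, ppp0 for the PPPoE WAN link, tun0 for the client tunnel) and the LAN subnet are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: a firewall script of
# the kind stored as /jffs/firewall/asus_rt-n16.fw and hooked in via rc_firewall.
# Assumptions: br0 is the LAN bridge, ppp0 the PPPoE WAN link, tun0 the OpenVPN
# client tunnel, 192.168.1.0/24 the LAN subnet. Override via the environment.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-ppp0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# vpn_firewall_rules prints the iptables commands one per line instead of
# running them, so they can be reviewed (dry run) and then fed to sh.
# -I puts them ahead of the rules the firmware builds itself, which is what
# makes the LAN->WAN DROP take effect; the ACCEPT and DROP rules match on
# different output interfaces, so their relative order does not matter.
vpn_firewall_rules() {
  cat <<EOF
iptables -t nat -I POSTROUTING -o $VPN_IF -s $LAN_NET -j MASQUERADE
iptables -I FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -I FORWARD -i $VPN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -j DROP
EOF
}

# apply_vpn_firewall installs the rules (needs root and iptables on the router).
apply_vpn_firewall() {
  vpn_firewall_rules | sh
}

# Without arguments the script only prints the rules; "apply" installs them.
if [ "${1:-}" = "apply" ]; then
  apply_vpn_firewall
else
  vpn_firewall_rules
fi
```

Because rc_firewall runs its hook without arguments, the hook should invoke the file as `sh /jffs/firewall/asus_rt-n16.fw apply`; running it bare on the console shows the rules without touching the firewall. The rules only cover forwarded traffic: the router's own OUTPUT chain is left alone because the OpenVPN session itself, and the DNS lookup of the `remote` hostname before the tunnel exists, must still leave via the WAN. If LAN clients use the router's dnsmasq, those lookups are router-originated and still reach the ISP resolvers unless the pushed `dhcp-option DNS` servers are applied or clients are given resolvers reachable only through the tunnel.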
Globestar
DD-WRT Novice


Joined: 30 Jun 2010
Posts: 31

PostPosted: Mon Jul 05, 2010 14:46    Post subject:
phuzi0n wrote:
The difference between taps and tuns is that taps are for bridging and tuns are for routing. Use a tun interface and see this post about enabling NAT if you're configuring it in a way that doesn't do it automatically (iirc the GUI will add NAT for you).
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=457347#457347


phuzi0n,

That helped a lot!! In fact, my situation was nearly identical to the post that you cited!! (Thanks!!)

In my case, I had followed some advice in other posts about configuring the firewall. This information turned out to be completely wrong and when I fixed the firewall problem and enabled NAT (per your suggestion) then everything seemed to work.

You also brought up something that was next on my list. You said:
phuzi0n wrote:
The startup script isn't a good place to run openvpn from because if it crashes then it won't ever be restarted. It would be better to just use the built in GUI on the services->VPN page. Also, never put iptables commands in the startup script because they will just be wiped out when the firewall is rebuilt, they belong in the firewall script.
http://www.dd-wrt.com/phpBB2/posting_sec.php?mode=quote&p=457390

With regard to this topic, what is the preferred method to detect when openVPN has stopped functioning and a method to restart it?

In looking at my routing table, which is very similar to the one in the cited post, I notice that if the OpenVPN process quits then traffic will (by default) be routed to the local ISP, yes? (Of course, I can remove the default route but then I suspect that I will not be able to restart the openVPN service because it won't have a path to the Internet.)

Is there some event or parameter that I can watch to detect when openVPN is disconnected? (For instance, by looking at 'cat /var/run/openvpn.pid' - although I'm not sure where the pid is located for openVPN).

My objective (I think) is to remove the local route to the ISP, detect when openVPN is disconnected and then rebuild the firewall before restarting openVPN.

There seems to be a lot of conflicting information on the forum about the topic so I need a push in the right direction.

As before, your comments and thoughts will be most helpful.

Thanks,
Globestar
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Mon Jul 05, 2010 22:36    Post subject:
Globestar wrote:
With regard to this topic, what is the preferred method to detect when openVPN has stopped functioning and a method to restart it?

Use the GUI and you won't have to worry about restarting it because the firmware will for you. If you run openvpn manually then you'll need to write a script to check if it's running and restart it. There's a user trying to do it the hard way but they're making a lot of mistakes along the way and frater is doing most of it for them.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=74932

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Globestar
DD-WRT Novice


Joined: 30 Jun 2010
Posts: 31

PostPosted: Wed Jul 07, 2010 16:07    Post subject:
phuzi0n wrote:
Globestar wrote:
With regard to this topic, what is the preferred method to detect when openVPN has stopped functioning and a method to restart it?

Use the GUI and you won't have to worry about restarting it because the firmware will for you. If you run openvpn manually then you'll need to write a script to check if it's running and restart it. There's a user trying to do it the hard way but they're making a lot of mistakes along the way and frater is doing most of it for them.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=74932


Indeed, it looks like a lot of effort. However, it is on track with what I want/need to do. My questions would be slightly different:

1) Instead of using CRON, would it not be simpler just to write a small shell program that periodically checks some nvram variable? For example, watching "nvram get wan_ipaddr" would tell you when/if your ISP changes your IP address. With openVPN, perhaps watching ps you might be able to detect when the openVPN process stops? Any suggestion on what or how to detect when openVPN hangs or exits?

2) With regard to the GUI, is it possible to just put the name of the openVPN config file into the GUI rather than pasting the contents? I presume that whatever I paste into the GUI must be equivalent to the contents of my openvpn.conf file? And what if I wanted to, say, run another script to, for example, change some of the firewall parameters after openVPN starts? Since these would normally not be part of the openVPN config file, how would they be entered via the GUI? I also believe that openVPN will execute the contents of route-up.sh (start) and route-down.sh (close) when it's started manually. What about the same functionality via the GUI?

3) Finally, do you know when the firewall script (rc_firewall =) is called? It appears that when my ISP changes my IP address (every few days) the firewall is rebuilt with the proper wan addresses. (I see this from looking at the iptables.) How does this happen? Can I presume that the same process which updates DDNS also triggers the firewall script?

Thanks again for your time/effort,
Regards,
Globestar
Globestar
DD-WRT Novice


Joined: 30 Jun 2010
Posts: 31

PostPosted: Thu Jul 08, 2010 15:53    Post subject:
phuzi0n wrote:
Globestar wrote:
With regard to this topic, what is the preferred method to detect when openVPN has stopped functioning and a method to restart it?

Use the GUI and you won't have to worry about restarting it because the firmware will for you. If you run openvpn manually then you'll need to write a script to check if it's running and restart it. There's a user trying to do it the hard way but they're making a lot of mistakes along the way and frater is doing most of it for them.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=74932


In reading my last post, it might be better to just state my issues and see what you and the other specialists on the DD-WRT firmware suggest.

There are two scenarios that I want to address. These revolve around:

1) Changes of IP wan address.
2) openVPN hangs or drops

My ISP periodically (every few days) changes the wan IP. How does the DD-WRT firmware respond to this change?

Presumably, when the wan IP changes the openVPN client will lose its connection with the server. I suspect that an ordinary startup script (per the wiki) will cover this situation?

However, when openVPN drops (or hangs), how is that handled? Is there any way to detect this event and react to it?

Thanks!
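As an added example (not code from the thread, from the linked frater thread, or from DD-WRT), the kind of check-and-restart script phuzi0n says a manually started client needs, addressing Globestar's two scenarios: a process that has exited and a session that hangs with the process still alive. It assumes openvpn is started with `--writepid` so the pid file exists, that the tunnel is tun0, and that VPN_GW is the remote end of the tunnel (the `route-gateway` the server pushes), which is pinged out of the tunnel interface; the config path on /jffs is the one from the first post. The `-W` and `-I` flags are assumed to be available in the router's BusyBox ping build.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: a watchdog for an
# OpenVPN client started by hand (the GUI restarts its own instance, so this is
# only for the manual setup). Assumptions: openvpn runs with --writepid so the
# pid file exists, the tunnel is tun0, and VPN_GW is the remote end of the
# tunnel, pinged through the tunnel to catch a hung session whose process is
# still alive.
OVPN_CONF="${OVPN_CONF:-/jffs/openVPN/openvpn.conf}"
OVPN_PID="${OVPN_PID:-/var/run/openvpn.pid}"
VPN_IF="${VPN_IF:-tun0}"
VPN_GW="${VPN_GW:-10.8.0.1}"      # placeholder; use the pushed route-gateway

# pid_alive PIDFILE: succeed if the file names a running process
pid_alive() {
  [ -r "$1" ] || return 1
  pid=$(cat "$1" 2>/dev/null)
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# iface_present NAME: succeed if the kernel currently has that interface
iface_present() {
  [ -d "/sys/class/net/$1" ] || ifconfig "$1" >/dev/null 2>&1 || ip link show "$1" >/dev/null 2>&1
}

# vpn_state PIDFILE IFNAME: print up | process-dead | no-interface and
# return 0 only for "up"; the string is what restart_vpn logs as the reason
vpn_state() {
  if ! pid_alive "$1"; then echo process-dead; return 1; fi
  if ! iface_present "$2"; then echo no-interface; return 1; fi
  echo up
}

# tunnel_reachable GW IFNAME: one ping forced out of the tunnel interface
# (assumes a BusyBox ping built with -W and -I support)
tunnel_reachable() {
  ping -c 1 -W 3 -I "$2" "$1" >/dev/null 2>&1
}

# restart_vpn REASON: log, stop a leftover process (if any), start a fresh one
restart_vpn() {
  logger -t vpn-watchdog "openvpn $1: restarting"
  if [ -r "$OVPN_PID" ]; then kill "$(cat "$OVPN_PID")" 2>/dev/null; fi
  sleep 2
  openvpn --daemon --writepid "$OVPN_PID" --config "$OVPN_CONF"
}

# check_once: one probe; returns 0 if healthy, 1 if a restart was issued
check_once() {
  state=$(vpn_state "$OVPN_PID" "$VPN_IF") || { restart_vpn "$state"; return 1; }
  tunnel_reachable "$VPN_GW" "$VPN_IF" || { restart_vpn "tunnel unreachable"; return 1; }
  return 0
}

# "check" suits a cron entry (* * * * * root sh /jffs/openVPN/watchdog.sh check);
# "loop" suits a startup script that runs it in the background with &.
case "${1:-}" in
  check) check_once ;;
  loop)  while :; do check_once; sleep 60; done ;;
esac
```

A WAN address change is normally handled by OpenVPN itself (the pushed `ping-restart 60` plus `persist-tun` make it reconnect), so the watchdog mostly matters for the cases where the process is gone or the tunnel no longer carries traffic. It restarts the client but does not stop traffic from falling back to the ISP while the tunnel is down; that needs a firewall rule that drops forwarded LAN traffic on the WAN interface.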
hereagn
DD-WRT Novice


Joined: 14 Oct 2010
Posts: 4

PostPosted: Thu Oct 14, 2010 23:06    Post subject:
phuzi0n wrote:
Globestar wrote:
With regard to this topic, what is the preferred method to detect when openVPN has stopped functioning and a method to restart it?

Use the GUI and you won't have to worry about restarting it because the firmware will for you. If you run openvpn manually then you'll need to write a script to check if it's running and restart it. There's a user trying to do it the hard way but they're making a lot of mistakes along the way and frater is doing most of it for them.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=74932


Thanks for all your valuable guidance phuzi0n. I was hoping you could offer a little more knowledge to this noob. I'm attempting the same thing that Globestar has been doing here. Well, getting on to the scripts to notify when openvpn has disconnected is beyond my learning curve just yet. I was wondering if you could assist in my understanding of the line:
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
and routing tables

I've been successful in following your suggestion to use the webgui to add certs and have been able to get my router, this model n16, to connect as a client to the remote server of an openvpn provider. The issue I am having is understanding, given how Globestar put it, the plethora of info, how to establish the openvpn tunnel. Particularly where I am just becoming introduced to scripts and this environment. I get to the server but it seems what I can't seem to figure out or understand is how to establish that connection locally on my router.

Here are the routes that are established if I use a tun/tap adapter for M$/32bit.

route ADD x.x.x.x MASK 255.255.255.255 192.168.1.1
route ADD 0.0.0.0 MASK 128.0.0.0 x.x.x.x
route ADD 128.0.0.0 MASK 128.0.0.0 x.x.x.x
route ADD x.x.x.x MASK 255.255.255.255 x.x.x.x

I can get my router to establish the openvpn connection to x.x.x.x but that is as far as it goes. I am thinking if I could see how to configure the route-up.sh and route-down.sh in the /tmp/openvpncl dir that this would complete the full connection and accomplish what it seems Globestar has achieved successfully. Possibly it's just a matter of putting those route add statements in the appropriate file and running the command: openvpn --config /tmp/openvpncl/openvpn.conf --daemon
As I say, my script knowledge and building experience is next to non-existent.

Please excuse if it is inappropriate to piggyback on another's post, as I'm a real noob here and to all of this. I had first started my own but realized with all the logs and POSTROUTING that the space I was taking up was seemingly unnecessary.


Last edited by hereagn on Wed Dec 01, 2010 17:07; edited 2 times in total
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Fri Oct 15, 2010 11:43    Post subject:
phuzi0n wrote:
Use the redirect-gateway option to make the tunnel become your main route. It's in many of the wiki's example configs (there's like 5 guides) and you can read more about it in the openvpn documentation if you want.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
hereagn
DD-WRT Novice


Joined: 14 Oct 2010
Posts: 4

PostPosted: Sat Oct 16, 2010 14:12    Post subject:
Yea, I had tried an openvpn.conf with a configuration similar to marko's over here http://www.dd-wrt.com/phpBB2/viewtopic.php?p=457347. I will try it again as I just added the redirect-gateway def1 to the config file via ssh. I have found with this model that this is not a very efficient way to add data to files, it seems, as all data reverts back to the data added by the webgui, which always gives me a certificate loading error for ca.crt unless I directly copy the certificate files with winscp to /tmp/openvpncl. Am thinking that perhaps I should attempt the jffs route as Globestar has done here.

Thank you for your attention, phuzi0n. After I posted and was looking some more at the task I am attempting, I got thinking it was a matter of bridging that I was not understanding.
This was the addition I was trying to the config:

client
dev tun
proto udp
remote provider.com 1194
resolv-retry infinite
nobind
persist-tun
tls-client
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
ns-cert-type server
route-delay 2
redirect-gateway def1
ns-cert-type server
comp-lzo
verb 3

Is there anything missing that you would suggest I include/remove, and should I echo it out in a command such as marko did? Should there be a zero on the tun dev (tun0) in the config? I actually was looking at this:

openvpn --mktun --dev tun0
ifconfig tun0 192.168.tunnel.2 netmask 255.255.255.252 promisc up
route add -net 192.168.rlan.0 netmask 255.255.255.0 gw 192.168.tunnel.1

where:
192.168.tunnel.2 = 192.168.x.x address of the local end of the openVPN tunnel. Must be a different subnet from the remote and local LANs.
192.168.tunnel.1 = 192.168.x.x address of the remote end of the openVPN tunnel. Must be a different subnet from the remote and local LANs.
192.168.rlan.0 = IP address range of the remote LAN
sleep 20 = wait period to ensure /tmp has been created.
from one of the guides you mention found on this page
http://www.dd-wrt.com/wiki/index.php/OpenVPN but I get confused about whether the remote end of the vpn tunnel would be the 128.0.0.1 type range and the range for the remote lan would be the x.x.x.x range I mentioned in my last thread post.

Thank you again for your attention here and hope you excuse my noobishness.


Last edited by hereagn on Wed Dec 01, 2010 17:04; edited 1 time in total
Page 1 of 2