TP-Link TL-WDR3600 v1 VLAN and OpenVPN HowTo/Info

DD-WRT Forum Index -> Atheros WiSOC based Hardware
baptiste
DD-WRT Novice


Joined: 25 Feb 2007
Posts: 26
Location: Mebane, NC

PostPosted: Sun Dec 15, 2013 19:15    Post subject: TP-Link TL-WDR3600 v1 VLAN and OpenVPN HowTo/Info
I recently upgraded my old Asus Broadcom router to a new TP-Link TL-WDR3600 at my business, and it was a bit of an effort to get the same functionality I had, but I wanted to add OpenVPN and the TP-Links supported it out of the box (GREAT routers, lots of memory).

But getting the exact config was a challenge and I had to do lots of trial and error along with referencing a LOT of forum posts to finally reach the correct set of configuration. So figured I'd share...

This was all done on v23082 dd-wrt

VLANs
-----
I have 5 networks at my business run through a 24 port smart switch and other smaller switches farther out. I use a combination of port based and tagged VLANs. I could have gone to all tagged, but one high power AP was wired to the router and I didn't feel like running it to the switch so... I made my life difficult for fun.

Here is the setup:
Private LAN: x.x.5.1
Public WiFi: x.x.6.1
Repair LAN (virus central!): x.x.7.1
VoIP: x.x.8.1
Partner LAN: x.x.10.1

5.1 is the main network. It's not tagged and is the default LAN on the smart switch (I use port configurations to block the traffic from going elsewhere). Not ideal, and I should do it 'right', but for now... that's how it worked. The router's wireless radios tie directly to this and are WPA2/AES encrypted.

6.1 (vlan7) is Public WiFi through a Ubiquiti Nano, so it was port based due to laziness and a desire to try both methods. When I upgraded the router, the LAN cable was right there, so I left it at the router vs. going to the smart switch (tagged).

7.1 (vlan3) is the LAN for my repair benches so there's all sorts of nasty traffic on it. All wired.

8.1 (vlan4) is my VoIP network. No real NEED for this to be segmented, but it's an artifact from when I ran asterisk and why make life simple?

10.1 (vlan6) is a network for a few people subletting a small section of our building.

So all the VLANs are isolated and share our single Internet link.

I tried every possible combination I could to get tagging to configure properly via the web mgmt interface. I can't say it's broken, because once I got into the command line stuff I realized maybe I never had the exact combination I needed. But with all the eth0.x interface identifiers, and being unsure about the bridging working quite right (some people did VLANs via bridges, but I never had to do that before), I found a post using command line startup stuff and it worked. After some tweaks, here is what I did:

First you need to get the router properly configured, which requires a startup script (Administration -> Startup)

# Enable VLANs against the eth0 switch internally
swconfig dev eth0 set enable_vlan 3
swconfig dev eth0 set enable_vlan 4
swconfig dev eth0 set enable_vlan 6
swconfig dev eth0 set enable_vlan 7
# Assign ports to VLANs. Internally, port 0 is the CPU port (always tagged), port 1 is the WAN port,
# and ports 2-5 are LAN ports 1-4 on the back.
# Keep back-panel ports 1, 3 and 4 (internal 2, 4, 5) on the main VLAN/LAN. Tag the trunk for later.
swconfig dev eth0 vlan 1 set ports "0t 2t 4 5"
# Assign smart switch trunk to other VLANs for tagging.
swconfig dev eth0 vlan 3 set ports "0t 2t"
swconfig dev eth0 vlan 4 set ports "0t 2t"
swconfig dev eth0 vlan 6 set ports "0t 2t"
# Assign the Public WiFi AP port (internal 3, back-panel 2) to its VLAN. No tagging.
swconfig dev eth0 vlan 7 set ports "0t 3"
swconfig dev eth0 set apply
vconfig add eth0 3
vconfig add eth0 4
vconfig add eth0 6
vconfig add eth0 7
# Create VLAN interfaces and assign network IPs (which you redo later, but...)
ifconfig vlan3 192.168.7.1 netmask 255.255.255.0
ifconfig vlan4 192.168.8.1 netmask 255.255.255.0
ifconfig vlan6 192.168.10.1 netmask 255.255.255.0
ifconfig vlan7 192.168.6.1 netmask 255.255.255.0
# Bring the interfaces up...
ifconfig vlan3 up
ifconfig vlan4 up
ifconfig vlan6 up
ifconfig vlan7 up

So we create some easy-to-identify vlan interface identifiers and assign various ports to them. vlan1 is the main network, so we left everything there EXCEPT port 3 (#2 on the back), which is the port VLAN for Public WiFi. Port 2 (labelled #1 on the back) is the trunk to the smart switch, carrying tagged AND untagged traffic. I didn't need the tag option (2t) for vlan1, but put it there anyway in case I decided to tag everything like a good network dweeb. But I wanted to see if tagged and untagged would work, so there we go. I assigned the switch trunk port to all the other VLANs except vlan7, which is the Public WiFi VLAN (it used to be VLAN 2 in the Broadcom router, but Atheros changes the vlan setup and vlan2 is the WAN port. So we made it vlan7 and updated the smart switch config).

Yes my vlan numbering is bizarre. Part artifact from Broadcom (WAN was vlan5. Now it's vlan2) and I should have just made the vlan number match the LAN block number, but I'm OCD in a weird way and was too lazy to update everything in the smart switch.

Save the Startup Scripts. You also want to isolate your VLANs, so you need a couple things in your firewall script:

# Drop RIP (UDP 520) arriving on the isolated VLAN interfaces so they cannot inject routes into the router
iptables -I INPUT -p udp -i vlan3 --dport 520 -j DROP
iptables -I INPUT -p udp -i vlan4 --dport 520 -j DROP
iptables -I INPUT -p udp -i vlan6 --dport 520 -j DROP
iptables -I INPUT -p udp -i vlan7 --dport 520 -j DROP

# Block all traffic between VLANs
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP

# Allow VLANs to communicate with WAN
iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT

Save all this and reboot the router...

Now go to Setup -> Networking... For each VLAN section that now appears, (3, 4, 6, and 7 in my case), Select 'Unbridged', enable NAT, and configure the LAN IP (192.168.x.1) and netmask (255.255.255.0). Save.

Now if you need DHCP on the VLANs like I do, add them at the bottom. Select the vlan ID for each one that needs DHCP, set a start IP, the # of clients allowed, and a lease time. Apply and reboot. That's it! Your networks should be working with tagged and untagged traffic pouring out of the trunk port.

Note - if you need additional DHCP options for your vlans, you can specify them in the DNSMasq options section of Services. I specify different DNS depending on the network (for some basic DNS filtering with OpenDNS). Just tag the option to the vlan:

dhcp-option=vlan3,6,208.67.222.222,208.67.220.220
dhcp-option=vlan7,6,208.67.222.222,208.67.220.220
dhcp-option=vlan4,6,8.8.8.8,8.8.4.4
dhcp-option=vlan6,6,8.8.8.8,8.8.4.4

Static Leases apply across all the DHCP instances, so the normal web mgmt stuff works there.

OpenVPN
-------
One reason for upgrading my router - I wanted OpenVPN. After a bit of research I was able to get things working. Here are some decent pages dedicated to this:

http://www.dd-wrt.com/wiki/index.php/OpenVPN
http://goo.gl/leS8 (Excellent resource!)
http://www.howtogeek.com/64433/
https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide (creating certs and setup Windows)

Setting up OpenVPN is beyond the scope of this. The key is properly creating your CA, server, and client certificates and copying them to your router config. Note that due to GMT time differences, your certs/keys may not work for up to a day. Easy fix? After you install OpenVPN on your computer, set the clock back one day and create your keys. Then no GMT issues. Then set it back once the certificates and keys are all created.

You copy the appropriate Certificate/Key segments (not the other junk on top) into your OpenVPN Server fields (Services->VPN->OpenVPN Server). See the howtogeek article for exactly which key file goes into which form field.

The key to getting it working well is the extra options and everyone had some things different. Here is what is working well for me for a bridged VPN:

mode server
proto udp
port 1194
dev tap0
# This will link me into my main LAN using a small slice of IPs I carved OUT of my DHCP pool
# Be sure to update your DHCP LAN settings so there is no overlap
server-bridge 192.168.5.1 255.255.255.0 192.168.5.251 192.168.5.254
keepalive 10 120
daemon
verb 3
# Prevents warnings and allows push route to work
script-security 2
client-to-client
# Unsure but this seemed to speed things up a bit. You have to configure your client for this too.
comp-lzo adaptive
# This gets the OpenVPN status tab working. Ports 5001 or 5002 did NOT work
management localhost 16
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

You also have to add a couple things to your Startup Script:

openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

And your Firewall Script:

# OpenVPN Access
iptables -A INPUT -i tap0 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

Reboot and configure your client. I got this working with much less hassle than I thought. Make sure you check EVERY box when installing OpenVPN so you get the easy-rsa and openssl tools. Otherwise the creation of your CA, certs, and keys won't be possible.

Hopefully this helps some of you and if any experts out there have suggestions or improvements, by all means let me know!

UPDATE! I learned a little bit of a lesson. Being OCD, I like to have DHCP reservations for all my machines with nice recognizable names in the DD-WRT status screens. So I create lease records for everything. Well, now that I have OpenVPN working great, I wanted to create hostnames for them as well. So, not thinking this through (OpenVPN doesn't USE DNSMasq for DHCP), I created two leases for the OpenVPN client MAC addresses and IP addresses. As soon as I saved them, the router CPU pegged at 100%. Thankfully it was a 'nice' process, so the router continued to pass traffic just fine, but the web GUI slowed to a crawl. Eventually I was able to get the Services tab to load and remove the two entries. Once I did that and clicked Apply? CPU load returned to its normal 0.01 self. So word to the wise: don't do this!

UPDATE #2: I've been working on turning Raspberry Pis into small Network Sentinel/OpenVPN devices. While researching and configuring them, I realized I had overlooked an important feature of OpenVPN. Opening any port to the Internet is risky, especially if it will respond to probes. While OpenVPN is very secure with few vulnerabilities found for it, it has a feature called TLS Auth/HMAC Authentication that can harden it even more against attacks. It requires the generation of a 2048-bit key that is stored on both the server and client sides. When you initiate a connection to OpenVPN, the first thing it will require is this key. If the client does not present the key, the port stops responding to traffic. This ensures port/vulnerability scans are shut down immediately. Setting it up is very easy. First, you need to create the key on either the client or server:

openvpn --genkey --secret ta.key

Open the key file and copy all the text within it. Paste it into the TLS Auth Key field in DD-WRT (Services->VPN). Then add the following to the Additional Config section:

key-direction 0
tls-auth /tmp/openvpn/ta.key

Click Apply to save. Now copy the ta.key file into your computer's OpenVPN config directory and add the following to the appropriate ovpn file:

# Enables tls-auth HMAC protection (server uses key-direction 0, client uses 1)
key-direction 1
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key"

Now when you initiate a connect, the server will require this key be presented before anything else. Otherwise it won’t respond. An excellent safety measure.

_________________
TPLINK TL-WDR3600 v1.2 r23720
TPLINK TL-WDR3600 v1.4 r23720 (VLANs, OpenVPN, QoS, VoIP)
Buffalo WHR-300HP (running WHR-HP-G300N) r23720
Numerous deployed Buffalo WHR and Asus WL-520gu units (various firmwares)


Last edited by baptiste on Sun Mar 16, 2014 21:34; edited 7 times in total
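The following is an added illustration of the Update #2 material above, not code from the post or from OpenVPN itself. It shows why key-direction 0 on the server and key-direction 1 on the client form a matched pair, and why a probe that does not carry a valid HMAC gets no reply at all. The static-key file layout and the direction mapping follow OpenVPN's documented static-key format (256 bytes = two 128-byte halves, each 64 bytes of cipher material followed by 64 bytes of HMAC material; direction 0 sends with half 0 and receives with half 1, direction 1 the reverse). The key file contents and the packet framing in the block are constructed stand-ins: the real control-channel header carries more fields (opcode, session ID, packet ID plus timestamp), so treat `wrap`/`accept` as a model of the check, not OpenVPN's wire format.

```python
"""Model of OpenVPN tls-auth: key-direction pairing and the silent-drop HMAC check.
Added illustration, not code from the forum post or from OpenVPN."""
import hashlib
import hmac

# Constructed stand-in for `openvpn --genkey --secret ta.key` output.  A real
# file has 16 lines of 32 random hex characters between the same markers.
TA_KEY_FILE = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(hashlib.sha256(b"constructed line %d" % n).hexdigest()[:32]
                for n in range(16))
    + "\n-----END OpenVPN Static key V1-----\n"
)

HMAC_LEN = hashlib.sha1().digest_size   # OpenVPN's default --auth SHA1: 20 bytes
PKT_ID_LEN = 4


def parse_static_key(text):
    """Return the two 128-byte halves of a 2048-bit static key file."""
    hexlines, inside = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside:
            hexlines.append(line.strip())
    raw = bytes.fromhex("".join(hexlines))
    if len(raw) != 256:
        raise ValueError("expected a 2048-bit static key")
    return raw[:128], raw[128:]


def hmac_keys(key_file_text, key_direction):
    """(send_key, recv_key) for key-direction 0 (server) or 1 (client)."""
    halves = parse_static_key(key_file_text)
    out_half, in_half = (0, 1) if key_direction == 0 else (1, 0)
    # Bytes 64..128 of each half hold HMAC material; SHA1 uses the first 20.
    send = halves[out_half][64:64 + HMAC_LEN]
    recv = halves[in_half][64:64 + HMAC_LEN]
    return send, recv


def wrap(send_key, packet_id, payload):
    """Sender side (simplified framing): tag || packet id || payload."""
    header = packet_id.to_bytes(PKT_ID_LEN, "big")
    tag = hmac.new(send_key, header + payload, hashlib.sha1).digest()
    return tag + header + payload


class Server:
    """Receiver with the server's tls-auth receive key and replay tracking."""

    def __init__(self, recv_key):
        self.recv_key = recv_key
        self.last_id = 0

    def accept(self, datagram):
        """True = hand the packet to the TLS layer; False = drop silently.
        Nothing is ever sent back on a False, which is why scanners see a
        port that simply does not answer."""
        if len(datagram) < HMAC_LEN + PKT_ID_LEN:
            return False
        tag = datagram[:HMAC_LEN]
        header = datagram[HMAC_LEN:HMAC_LEN + PKT_ID_LEN]
        payload = datagram[HMAC_LEN + PKT_ID_LEN:]
        expected = hmac.new(self.recv_key, header + payload, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        packet_id = int.from_bytes(header, "big")
        if packet_id <= self.last_id:       # replayed or reordered: drop
            return False
        self.last_id = packet_id
        return True


def demo():
    """Run the cases a practitioner cares about and return the outcomes."""
    server_send, server_recv = hmac_keys(TA_KEY_FILE, 0)   # key-direction 0
    client_send, client_recv = hmac_keys(TA_KEY_FILE, 1)   # key-direction 1
    server = Server(server_recv)
    hello = b"P_CONTROL_HARD_RESET_CLIENT_V2"   # constructed payload label
    return {
        # direction 0/1 are complementary: each side's send key is the other's recv key
        "keys_pair_up": server_recv == client_send and server_send == client_recv,
        "client_hello": server.accept(wrap(client_send, 1, hello)),
        "replayed_hello": server.accept(wrap(client_send, 1, hello)),
        "keyless_probe": server.accept(b"\x38" + b"\x00" * 40),
        # a client misconfigured with key-direction 0 sends with the server's send key
        "wrong_direction": server.accept(wrap(server_send, 2, hello)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {'accepted' if outcome else 'dropped'}")
```

The `wrong_direction` case is the misconfiguration people hit most often with tls-auth: both ends set to the same key-direction share the same key file yet never authenticate, and because the drop is silent the only symptom is a client that times out.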
msantos2007
DD-WRT User


Joined: 13 Oct 2009
Posts: 102

PostPosted: Sun Dec 15, 2013 23:01    Post subject:
Thank you very much for your sharing!

Rgs, Marcelo.
andsus
DD-WRT User


Joined: 06 Dec 2013
Posts: 50

PostPosted: Thu Jan 09, 2014 3:26    Post subject:
Yes, thanks
andsus
DD-WRT User


Joined: 06 Dec 2013
Posts: 50

PostPosted: Fri Jan 10, 2014 5:52    Post subject:
Hi Baptiste,
What is the DHCP on your Basic LAN Setting?
Have you set the starting IP address to 192.168.5.251 with "Maximum DHCP Users" at 4 clients?

Does server-bridge Gateway IP address need to be set in Basic LAN setting? Or just don't overlap?

# Be sure to update your DHCP LAN settings so there is no overlap
server-bridge 192.168.5.1 255.255.255.0 192.168.5.251 192.168.5.254
# Gateway (VPN Server) Subnetmask Start-IP End-IP

I have a simple setup, don't set VLANs, and wanted to have an OpenVPN server.

My goal is to have my NAS go through the VPN before reaching the Internet.



WDR3600 v1
Local DNS: 192.168.1.1
DHCP : 192.168.1.100 (set to 50 clients)

server:
mode server # set OpenVPN major mode
proto udp # set protocol
port 1194 # tcp/udp port
dev tap0 # tun/tap virtual network

server-bridge 192.168.0.1 255.255.255.0 192.168.0.50 192.168.0.100
# Gateway (VPN Server) Subnetmask Start-IP End-IP
keepalive 10 120
daemon # become daemon after initialization
verb 5 # verbose change to verb 3
comp-lzo adaptive # LZO compression
client-to-client # tell OpenVPN to internally route client-to-client traffic
management localhost 5001 # This gets the OpenVPN status tab working. Ports 5001
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl

startup script:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

firewall script:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

How do I make sure my NAS at 192.168.1.16 goes through the Internet via the VPN?
Does the NAS need to be running an OpenVPN client?

Please advise.
THANKS
baptiste
DD-WRT Novice


Joined: 25 Feb 2007
Posts: 26
Location: Mebane, NC

PostPosted: Sun Mar 16, 2014 21:32    Post subject:
Andsus - I'm sorry for not responding earlier. Not sure why I didn't get the notification of a reply. Hopefully you got it working. But here's some info just in case...

On Basic Settings you want to set your DHCP range to *exclude* a slice of IP space for the VPN. In my case I set my Max IP to 249. In other words, the DHCP settings in the Settings screen have nothing to do with the VPN, except to make sure the range in the OpenVPN settings doesn't overlap with your LAN DHCP range.

That one config line for VPN takes care of setting all that for the VPN clients:

server-bridge 192.168.5.1 255.255.255.0 192.168.5.251 192.168.5.254
which is in the form of:
server-bridge Gateway_IP Subnet_Mask Start_VPN_IP End_VPN_IP

So yes, in my case I allotted 4 IPs for VPN clients since it's just me logging in. But you can change it as needed.

Do you want your NAS accessing the internet via VPN? Or do you mean you want to get to your NAS *from* the Internet. I'm assuming the latter. Basically your client computer connects to your router and gets an IP address (in my case 192.168.5.251 in your case 192.168.0.50). Then you just connect to the NAS using NetBIOS or a direct IP address for it (.1.16). I mount Windows shares with this configuration all the time.

Hope this helps!

baptiste
DD-WRT Novice


Joined: 25 Feb 2007
Posts: 26
Location: Mebane, NC

PostPosted: Sun Mar 16, 2014 21:35    Post subject: Update for HMAC Authentication
FYI I've updated the original post to outline how to enable HMAC Authentication which can further harden the open OpenVPN port from probes/hackers. See section Update #2. It's remarkably easy.
itxnc
DD-WRT Novice


Joined: 15 Dec 2013
Posts: 9

PostPosted: Thu Jun 26, 2014 13:18    Post subject: some updates for my DD-WRT VLAN setup...
I've been trying for a LONG time to get a couple of test machines on my bench VLAN to print to my main laser printers. Never could seem to get it working.

Turns out my rules above were a little bit off...

One of the things you HAVE to get familiar with when using DD-WRT is the interface nomenclature can change based on the device you use.

In my examples above - I used vlan1 as my primary LAN. In my firewall rules, I used that as well (vlan+ to specify ALL networks - how handy!) The problem is... it doesn't always work. In the scope of VLANs, vlan1 is useful and recognized. But when it comes to the firewall... It's not (and I thought it was). Instead, iptables looks at the bridge br0. This makes sense. A WiFi router by default has to bridge the LAN interface AND wireless. So in my hardware's case - br0 contains eth0 (the main switch), ath0 (2.4GHz WiFi), and ath1 (5GHz WiFi). Looking at ifconfig, you'll see that vlan1 exists, but has no IP address. The IP address is on br0.

That means my rules above will allow traffic from the other VLANs to the main vlan1/br0 because vlan+ is a wildcard only for VLANs.

So the firewall rules REALLY need to be as follows:

# Drop RIP (UDP 520) arriving on the isolated VLAN interfaces so they cannot inject routes into the router
iptables -I INPUT -p udp -i vlan3 --dport 520 -j DROP
iptables -I INPUT -p udp -i vlan4 --dport 520 -j DROP
iptables -I INPUT -p udp -i vlan6 --dport 520 -j DROP
iptables -I INPUT -p udp -i vlan7 --dport 520 -j DROP

# OpenVPN Access
iptables -A INPUT -i tap0 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

# Block all traffic between VLANs
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o br0 -j DROP
iptables -I FORWARD -i br0 -o vlan+ -j DROP

# Allow VLANs to communicate with WAN (vlan2)
iptables -I FORWARD -i br0 -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o br0 -j ACCEPT
iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT

Ironically - with my firewall mistake - I should have always been able to print to the printers (oops). But I couldn't. Turns out - my local Windows firewall was blocking it. I use BitDefender AV and their firewall tends to be VERY picky. Especially on these machines - given it's a 'bench' LAN often filled with infected machines, I have the interfaces set to 'Public'. Well, despite traffic going out to the other subnet, it didn't like the idea of return traffic coming from another private subnet (.5.x vs .7.x). When I added an exemption for the printer IPs in the firewall? Bang - worked wonders. So the iptables rules ARE simple...

# Allow printing from Bench LAN PCs
iptables -I FORWARD -p tcp -s 192.168.7.44 -d 192.168.5.235 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.5.235 -d 192.168.7.44 -j ACCEPT

And repeat for each printer and Bench PC. Now - could I probably do something a bit tighter like...

iptables -I FORWARD -p tcp -s 192.168.7.44 -d 192.168.5.235 --dport 9100 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.5.235 -d 192.168.7.44 --sport 9100 -m state --state ESTABLISHED,RELATED -j ACCEPT

Probably - but I had wasted so much time on this already - I didn't have time to test this further, plus one printer allows for scanning and I may want to install the scan suite on a Test PC to scan. Experiment as you wish. I figured for now on two private LANs the IP tests were enough.

So sorry about that mixup. I used to use br0 in my firewall rules on Broadcom and when I could simplify with vlan+, I did it when I moved to Atheros. My testing indicated it worked - but apparently only because my local firewall was blocking stuff. Note to self - disable the local firewall when testing the router one. SMH.
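The interface-wildcard mistake described in this post and the original firewall script in the first post are easy to reason about with a small model. The block below is an added illustration, not code from either post: it implements only the matches those rules use (`-i`/`-o` with the trailing `+` prefix wildcard, `-s`/`-d`, `-p`) and the head insertion that `iptables -I` performs (the rule inserted last is evaluated first), then runs the original ruleset, the corrected one, and the corrected one plus the printer exception over constructed flows using the thread's own addressing. It does not model DD-WRT's built-in FORWARD rules, so "no match" is reported as `None`, meaning the packet falls through to whatever DD-WRT decides, which is exactly how the bench VLAN reached the main LAN under the first ruleset.

```python
"""Model of the iptables FORWARD rules in this thread (added illustration,
not code from the posts).  Shows why `-i vlan+ -o vlan+` never catches
traffic for br0, where the main LAN's address actually lives on Atheros."""
import ipaddress


def iface_match(pattern, name):
    """iptables interface match: None = any, trailing '+' = prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def addr_match(pattern, addr):
    """-s / -d match; a bare host such as 192.168.7.44 is treated as a /32."""
    if pattern is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


class ForwardChain:
    """A FORWARD chain built only with `iptables -I FORWARD ...` commands."""

    def __init__(self):
        self.rules = []

    def insert(self, target, i=None, o=None, s=None, d=None, p=None):
        # -I without a rule number inserts at position 1, i.e. ahead of
        # every rule inserted before it.
        self.rules.insert(0, dict(target=target, i=i, o=o, s=s, d=d, p=p))

    def evaluate(self, pkt):
        """Target of the first matching rule, or None if none of these rules
        match (the packet then falls through to DD-WRT's own FORWARD rules)."""
        for r in self.rules:
            if (iface_match(r["i"], pkt["i"]) and iface_match(r["o"], pkt["o"])
                    and (r["p"] is None or r["p"] == pkt["p"])
                    and addr_match(r["s"], pkt["s"]) and addr_match(r["d"], pkt["d"])):
                return r["target"]
        return None


def original_rules():
    """First post's firewall script, in the order it was typed."""
    c = ForwardChain()
    c.insert("DROP", i="vlan+", o="vlan+")
    # Inserted after the DROP, so these sit ABOVE it.  vlan2 (WAN) also
    # matches vlan+, so this ordering is what keeps Internet access working.
    c.insert("ACCEPT", i="vlan+", o="vlan2")
    c.insert("ACCEPT", i="vlan2", o="vlan+")
    return c


def corrected_rules(with_printer_exception=False):
    """Follow-up post's script: br0 is named explicitly."""
    c = ForwardChain()
    c.insert("DROP", i="vlan+", o="vlan+")
    c.insert("DROP", i="vlan+", o="br0")
    c.insert("DROP", i="br0", o="vlan+")
    c.insert("ACCEPT", i="br0", o="vlan2")
    c.insert("ACCEPT", i="vlan2", o="br0")
    c.insert("ACCEPT", i="vlan+", o="vlan2")
    c.insert("ACCEPT", i="vlan2", o="vlan+")
    if with_printer_exception:
        # Bench PC 192.168.7.44 <-> printer 192.168.5.235, added last, so on top.
        c.insert("ACCEPT", p="tcp", s="192.168.7.44", d="192.168.5.235")
        c.insert("ACCEPT", p="tcp", s="192.168.5.235", d="192.168.7.44")
    return c


def packet(i, o, s, d, p="tcp"):
    return dict(i=i, o=o, s=s, d=d, p=p)


# Constructed flows using the thread's addressing (WAN peer is a doc address).
BENCH_TO_PRINTER = packet("vlan3", "br0", "192.168.7.44", "192.168.5.235")
BENCH_TO_WAN = packet("vlan3", "vlan2", "192.168.7.44", "198.51.100.10")
VOIP_TO_PARTNER = packet("vlan4", "vlan6", "192.168.8.20", "192.168.10.20", "udp")
MAIN_TO_PUBLIC = packet("br0", "vlan7", "192.168.5.10", "192.168.6.10")

if __name__ == "__main__":
    chains = [("original", original_rules()), ("corrected", corrected_rules()),
              ("corrected+printer", corrected_rules(True))]
    flows = [("bench->printer", BENCH_TO_PRINTER), ("bench->WAN", BENCH_TO_WAN),
             ("voip->partner", VOIP_TO_PARTNER), ("main->public wifi", MAIN_TO_PUBLIC)]
    for name, chain in chains:
        for label, pkt in flows:
            print(f"{name:18} {label:18} {chain.evaluate(pkt)}")
```

Two things the run makes visible: the original ruleset never touches a vlan3->br0 or br0->vlan7 packet at all (so isolation of the main LAN depended entirely on whatever else was in the chain), and reversing the insertion order of the DROP and the two WAN ACCEPTs would cut every VLAN off from the Internet, because vlan2 is itself matched by `vlan+`.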