brent timothy saner on 23 Sep 2014 12:34:06 -0700

Re: [PLUG] Router Projects and VPNs


On 09/23/2014 03:05 PM, Rich Freeman wrote:
> I have a Buffalo router that uses DD-WRT currently (though with a
> heartbleed-vulnerable version of openssl), and was thinking about
> changing my router setup, possibly including changing firmwares or
> even implementing another router.
> 
> Here are some of the features I was thinking about implementing, and
> I'd like some opinion on whether any of the DIY projects out there
> support this stuff:
> 
> 1.  Obtain IP from ISP.  The IP assigned by the ISP should be
> obtainable from within the LAN via some kind of interface (and not
> just checkmyip/etc).

[bts@workhorse ~]$ curl -s http://icanhazip.com
98.115.27.97
[bts@workhorse ~]$

> 2.  Set up outgoing tunnel via a VPN to a proxy (flexibility may be
> useful here so that I am not constrained in my choice of proxy).
> Outgoing connections should use this route by default.

why proxy AND VPN? ideally, one or the other should suffice. but i can
help with this if it's via openvpn[0].

> 3.  Allow for incoming VPN connections to get into the LAN.  Non-LAN
> traffic coming in through this VPN should go out via the proxy VPN.

bit more complex, but https://community.openvpn.net/openvpn/wiki/RoutedLans

I highly recommend using shorewall[1]. you can do all this via
iproute2[2] and stock iptables, both of which are included by default in
modern distributions (and probably openwrt?), but shorewall provides
segregated config files and the like to build out some really
complicated and awesome stuff. their documentation is incredible and
even has this case[3] specifically documented.

> 4.  Allow for incoming connections direct to the ISP-assigned IP (not
> via the proxy VPN), and these should be forwarded per a rules table.

I'm not totally clear what you mean here; can you elaborate?

> 5.  I probably don't want any incoming connections over the proxy VPN,
> but at the very least they shouldn't use the same forwarding rules as
> the ISP IP.

See above; the setup should take the proper route by default.

> 6.  Optional, but it would be ideal if I can control WiFi traffic to
> the rest of the LAN, ideally not using NAT in-between (obviously
> traffic to the internet would use NAT).

VLAN tagging may be what you want here for your APs. How this is
configured depends on the APs. (Sidenote; I highly recommend the
Ubiquiti Unifi APs as they run linux- you can ssh right into them- but
have a fantastic *centralized* web GUI and support VLAN tagging right
out of the box)

> 7.  It would be really nice if I could route IPv6 as well, perhaps
> using a broker.  I definitely want IPv6 support when my ISP has it
> (hopefully before I die).
> 

https://ipv6.he.net/ Free tunnel broker.
Shorewall can perform the above functions as well for IPv6 via their
IPv6 fork, shorewall6[4].


> I imagine I could do all of this with the usual linux routing
> capabilities, but it is complex enough that a router with a pretty GUI
> might not accommodate all of it.  Has anybody done anything like this
> with any of the usual projects?


I'm on a dedicated linux routerbox right now that does everything you
mentioned above and a bit more. :) It takes a bit to set up, but it's
worth it- much more flexible than a GUI-based one, for sure. I'd be more
than happy to share configs if you'd like.

> Also, is there any cheap hardware out there suitable for building a
> linux-based router (that is, something that can run something closer
> to traditional x86 and not a SOC-based router like OpenWRT/etc)?  It
> seems like most of the hardware out there costs $200+.  I don't mind
> rolling my own so much but I don't want to build a whole ATX system
> just to route packets.  I guess I do have some old motherboard+CPUs
> lying around, but they're going to be power-hungry and hard to cool
> without a real case/etc.
> 
> --
> Rich

I use this:

http://www.amazon.com/gp/product/B004GKULFO/ref=oh_aui_detailpage_o02_s00?ie=UTF8&psc=1

with 2x these:
http://www.amazon.com/gp/product/B007ZWLRSU/ref=oh_aui_detailpage_o02_s02?ie=UTF8&psc=1

(for which you'll want one of these:
http://www.amazon.com/gp/product/B0014DFE4Y/ref=oh_aui_detailpage_o06_s00?ie=UTF8&psc=1
but it isn't necessary)

and 2x these:
http://www.amazon.com/gp/product/B002BW6DQ0/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

and i also threw in one of these:
http://www.amazon.com/gp/product/B000BMZHX2/ref=oh_aui_detailpage_o03_s00?ie=UTF8&psc=1

(so i have five physical NICs)


## FOOTNOTES ##
[0] http://openvpn.net/ and, notably,
http://openvpn.net/index.php/open-source/documentation/howto.html
[1] http://shorewall.net/
[2] http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
[3] http://shorewall.net/OPENVPN.html#RoadWarrior
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
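The routing split brent describes for items 2 through 5 (default route out through the proxy VPN, but connections that arrive on the ISP-assigned address answered back out through the ISP, with port forwards bound only to the ISP side) can be expressed directly with iproute2 policy routing and a conntrack mark. The script below is an added example written for this page; it is not brent's config and not from the OpenVPN or Shorewall documentation. Every interface name, address and table number in it (eth0, eth1, tun0, tun1, 203.0.113.0/24, 192.168.1.0/24, 10.8.0.0/24, table 100, mark 1) is a placeholder to be replaced with the real values. By default it only prints the commands it would run; with APPLY=1 and root it executes them.

```shell
#!/bin/sh
# Added example, not from the original thread. Policy routing so that:
#   - the main table's default route is the outgoing VPN (tun0), so LAN and
#     road-warrior (tun1) clients reach the internet via the proxy;
#   - packets sourced from the ISP address, or belonging to a connection that
#     came in on the ISP interface, are routed through a separate table whose
#     default route is the ISP gateway;
#   - port forwards are only ever matched on the ISP interface.
# All names and addresses below are hypothetical placeholders.

WAN_IF="${WAN_IF:-eth0}"        # interface carrying the ISP-assigned address
WAN_GW="${WAN_GW:-203.0.113.1}" # ISP gateway (TEST-NET-3 placeholder)
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_IF="${VPN_IF:-tun0}"        # outgoing OpenVPN tunnel to the proxy
RW_IF="${RW_IF:-tun1}"          # incoming road-warrior OpenVPN tunnel
RW_NET="${RW_NET:-10.8.0.0/24}"
ISP_TABLE=100                   # routing table whose default is the ISP
ISP_MARK=1                      # conntrack mark: "this connection came in via ISP"

# Constructed sample of `ip -4 -o addr show dev eth0` output, used in dry-run mode.
SAMPLE_IP_OUTPUT='2: eth0    inet 203.0.113.42/24 brd 203.0.113.255 scope global dynamic eth0\       valid_lft 3600sec preferred_lft 3600sec'

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Read `ip -4 -o addr show` lines on stdin and print the first IPv4 address on
# $WAN_IF without its prefix length. Answers item 1 from inside the LAN:
# the router knows its own ISP address without asking an external service.
wan_ip_from_ip_output() {
    awk -v dev="$WAN_IF" '$2 == dev && $3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

wan_ip() {
    if [ "${APPLY:-0}" = "1" ]; then
        ip -4 -o addr show dev "$WAN_IF" | wan_ip_from_ip_output
    else
        printf '%s\n' "$SAMPLE_IP_OUTPUT" | wan_ip_from_ip_output
    fi
}

# Install the policy routing for the ISP address given as $1.
policy_routing() {
    wan="$1"

    # 1. A dedicated table: default via the ISP, plus the local networks so
    #    marked replies to LAN/road-warrior hosts still find their way.
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$ISP_TABLE"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$ISP_TABLE"
    run ip route replace "$RW_NET" dev "$RW_IF" table "$ISP_TABLE"

    # 2. Rules: the router's own replies (sourced from the ISP address) and
    #    forwarded replies carrying the ISP mark use that table.
    run ip rule add from "$wan" table "$ISP_TABLE" priority 100
    run ip rule add fwmark "$ISP_MARK" table "$ISP_TABLE" priority 101

    # 3. Everything else (LAN, road-warrior clients) defaults to the proxy VPN.
    run ip route replace default dev "$VPN_IF"

    # 4. Mark new connections that arrived on the ISP interface; restore the
    #    mark on reply packets, both forwarded (from the LAN) and local.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$ISP_MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # 5. NAT only towards the internet; road-warrior to LAN is plain routing.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# One entry of the "rules table" for item 4: forward proto $1, port $2 on the
# ISP address to LAN host $3. Matching on -i $WAN_IF means the same rule never
# applies to anything arriving through the proxy VPN (item 5).
forward_port() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$3:$2"
}

# Usage: `sh router-policy.sh dry-run` prints the plan, `APPLY=1 sh router-policy.sh apply` runs it.
case "${1:-}" in
    dry-run|apply)
        policy_routing "$(wan_ip)"
        forward_port tcp 22 192.168.1.10   # hypothetical LAN host
        ;;
esac
```

The CONNMARK rules are what make item 5 work: a connection that arrived through tun0 never gets the ISP mark, so its replies follow the main table back out through the proxy VPN, while a port-forwarded connection that came in on eth0 is answered via the ISP gateway even though the main default route points elsewhere. Shorewall's `providers` file generates essentially the same ip rule/CONNMARK arrangement from a few declarative lines, which is why brent points at it.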