brent timothy saner on 23 Sep 2014 12:34:06 -0700
Re: [PLUG] Router Projects and VPNs
On 09/23/2014 03:05 PM, Rich Freeman wrote:
> I have a Buffalo router that uses DD-WRT currently (though with a
> heartbleed-vulnerable version of openssl), and was thinking about
> changing my router setup, possibly including changing firmwares or
> even implementing another router.
>
> Here are some of the features I was thinking about implementing, and
> I'd like some opinion on whether any of the DIY projects out there
> support this stuff:
>
> 1. Obtain IP from ISP. The IP assigned by the ISP should be
> obtainable from within the LAN via some kind of interface (and not
> just checkmyip/etc).

[bts@workhorse ~]$ curl -s http://icanhazip.com
98.115.27.97
[bts@workhorse ~]$

> 2. Set up outgoing tunnel via a VPN to a proxy (flexibility may be
> useful here so that I am not constrained in my choice of proxy).
> Outgoing connections should use this route by default.

Why proxy AND VPN? Ideally, one or the other should suffice. But I can help with this if it's via openvpn[0].

> 3. Allow for incoming VPN connections to get into the LAN. Non-LAN
> traffic coming in through this VPN should go out via the proxy VPN.

Bit more complex, but https://community.openvpn.net/openvpn/wiki/RoutedLans

I highly recommend using shorewall[1]. You can do all this via iproute2[2] and stock iptables, both of which are included by default in modern distributions (and probably openwrt?), but shorewall provides segregated config files and the like to build out some really complicated and awesome stuff. Their documentation is incredible and even has this case[3] specifically documented.

> 4. Allow for incoming connections direct to the ISP-assigned IP (not
> via the proxy VPN), and these should be forwarded per a rules table.

I'm not totally clear what you mean here; can you elaborate?

> 5. I probably don't want any incoming connections over the proxy VPN,
> but at the very least they shouldn't use the same forwarding rules as
> the ISP IP.
See above; the setup should take the proper route by default.

> 6. Optional, but it would be ideal if I can control WiFi traffic to
> the rest of the LAN, ideally not using NAT in-between (obviously
> traffic to the internet would use NAT).

VLAN tagging may be what you want here for your APs. How this is configured depends on the APs. (Sidenote: I highly recommend the Ubiquiti Unifi APs as they run linux- you can ssh right into them- but have a fantastic *centralized* web GUI and support VLAN tagging right out of the box.)

> 7. It would be really nice if I could route IPv6 as well, perhaps
> using a broker. I definitely want IPv6 support when my ISP has it
> (hopefully before I die).
>

https://ipv6.he.net/ Free tunnel broker. Shorewall can perform the above functions as well for IPv6 via their IPv6 fork, shorewall6[4].

> I imagine I could do all of this with the usual linux routing
> capabilities, but it is complex enough that a router with a pretty GUI
> might not accommodate all of it. Has anybody done anything like this
> with any of the usual projects?

I'm on a dedicated linux routerbox right now that does everything you mentioned above and a bit more. :) It takes a bit to set up, but it's worth it- much more flexible than a GUI-based one, for sure. I'd be more than happy to share configs if you'd like.

> Also, is there any cheap hardware out there suitable for building a
> linux-based router (that is, something that can run something closer
> to traditional x86 and not a SOC-based router like OpenWRT/etc)? It
> seems like most of the hardware out there costs $200+. I don't mind
> rolling my own so much but I don't want to build a whole ATX system
> just to route packets. I guess I do have some old motherboard+CPUs
> lying around, but they're going to be power-hungry and hard to cool
> without a real case/etc.
>
> --
> Rich

I use this:
http://www.amazon.com/gp/product/B004GKULFO/ref=oh_aui_detailpage_o02_s00?ie=UTF8&psc=1

with 2x these:
http://www.amazon.com/gp/product/B007ZWLRSU/ref=oh_aui_detailpage_o02_s02?ie=UTF8&psc=1

(for which you'll want one of these:
http://www.amazon.com/gp/product/B0014DFE4Y/ref=oh_aui_detailpage_o06_s00?ie=UTF8&psc=1
but it isn't necessary)

and 2x these:
http://www.amazon.com/gp/product/B002BW6DQ0/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

and I also threw in one of these:
http://www.amazon.com/gp/product/B000BMZHX2/ref=oh_aui_detailpage_o03_s00?ie=UTF8&psc=1
(so I have five physical NICs)

## FOOTNOTES ##
[0] http://openvpn.net/ and, notably, http://openvpn.net/index.php/open-source/documentation/howto.html
[1] http://shorewall.net/
[2] http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
[3] http://shorewall.net/OPENVPN.html#RoadWarrior

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
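The routing for item 3 in the thread above (traffic arriving over the inbound VPN that is not for the LAN leaves via the outbound proxy VPN), plus the "nothing inbound over the proxy VPN" part of item 5, spelled out with plain iproute2 and iptables, the stock tools the reply names as the alternative to shorewall. This is an added example, not configuration from the thread or from the shorewall/openvpn projects; the interface names (tun0, tun1, br0), the LAN subnet and the routing table number are assumptions.

```shell
#!/bin/sh
# Policy routing for a Linux routerbox: packets entering on the inbound
# (road-warrior) VPN and not addressed to the LAN leave via the outbound
# proxy VPN, not the ISP uplink. Names and numbers below are assumptions.
LAN_NET="192.168.1.0/24"
LAN_IF="br0"               # LAN bridge
IN_VPN_IF="tun1"           # VPN that remote clients dial in to
OUT_VPN_IF="tun0"          # VPN out to the proxy
OUT_TABLE="100"            # dedicated routing table for the proxy VPN
IP="${IP:-ip}"             # override with IP=echo etc. for a dry run
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Table 100: LAN stays directly reachable, default goes out tun0, and an
# unreachable route with a worse metric makes it fail closed (no leak to
# the ISP uplink) if tun0 goes down and its default route disappears.
setup_vpn_table() {
    $IP route replace "$LAN_NET" dev "$LAN_IF" table "$OUT_TABLE"
    $IP route replace default dev "$OUT_VPN_IF" table "$OUT_TABLE"
    $IP route replace unreachable default metric 1000 table "$OUT_TABLE"
}

# Anything entering on tun1 consults table 100 before the main table.
setup_rules() {
    $IP rule add iif "$IN_VPN_IF" lookup "$OUT_TABLE" pref 100
}

# Forwarding policy: tun1 may reach the LAN and the proxy VPN; packets
# leaving on tun0 are masqueraded; new connections arriving on tun0 are
# dropped (item 5: nothing inbound over the proxy VPN).
setup_filter() {
    $IPT -A FORWARD -i "$IN_VPN_IF" -o "$LAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$IN_VPN_IF" -o "$OUT_VPN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$OUT_VPN_IF" -m conntrack \
        --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$OUT_VPN_IF" -j DROP
    $IPT -t nat -A POSTROUTING -o "$OUT_VPN_IF" -j MASQUERADE
}

# Replies for tun1 clients come back on tun0; strict reverse-path filtering
# there can drop them because the reverse lookup does not see table 100,
# so use loose mode on tun0. Forwarding must be enabled as well.
setup_sysctl() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w "net.ipv4.conf.$OUT_VPN_IF.rp_filter=2"
}

main() { setup_sysctl; setup_vpn_table; setup_rules; setup_filter; }
case "${1:-}" in apply) main ;; esac
```

Run it as root with the argument `apply`; with `IP=echo IPT=echo SYSCTL=echo` it only prints the commands it would issue.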