Rich Freeman on 23 Sep 2014 13:15:20 -0700


Re: [PLUG] Router Projects and VPNs

Thanks for the info you provided - below is just the bit that needs

On Tue, Sep 23, 2014 at 3:33 PM, brent timothy saner
<> wrote:
> On 09/23/2014 03:05 PM, Rich Freeman wrote:
>> I have a Buffalo router that uses DD-WRT currently (though with a
>> heartbleed-vulnerable version of openssl), and was thinking about
>> changing my router setup, possibly including changing firmwares or
>> even implementing another router.
>> Here are some of the features I was thinking about implementing, and
>> I'd like some opinion on whether any of the DIY projects out there
>> support this stuff:
>> 1.  Obtain IP from ISP.  The IP assigned by the ISP should be
>> obtainable from within the LAN via some kind of interface (and not
>> just checkmyip/etc).
> [bts@workhorse ~]$ curl -s
> [bts@workhorse ~]$

That will return the proxy IP, not my ISP-assigned IP, since the
router will route curl through the VPN if that originates within the
LAN.  I could run that on the router itself and get the IP, but from
there I could just check the interface list more reliably.

In the example below, I want to obtain, not

>> 2.  Set up outgoing tunnel via a VPN to a proxy (flexibility may be
>> useful here so that I am not constrained in my choice of proxy).
>> Outgoing connections should use this route by default.
> why proxy AND VPN? ideally, one or the other should suffice. but i can
> help with this if it's via openvpn[0].

A VPN is the mechanism used to communicate with the proxy.  As in:
Client -> Router -> Router VPN IP ->
Router WAN IP -> ISP -> Internet -> Proxy Internet IP
-> Proxy VPN IP -> proxy internal network -> Proxy Internet
IP -> Internet -> destination

The VPN connects the router to the proxy over the internet, and the
proxy then forwards the traffic to wherever it is really going.

>> 4.  Allow for incoming connections direct to the ISP-assigned IP (not
>> via the proxy VPN), and these should be forwarded per a rules table.
> I'm not totally clear what you mean here; can you elaborate?

The incoming connection is made to in the example above, not

So, the router has interfaces:

The default route should be vpn-out.
The vpn should connect out to the proxy over wan, and place tunneled
traffic on vpn-out.
Incoming connections from wan should be routed to lan via a rules set.
Traffic from lan should be routed to wan via the default route.
New connections from vpn-out should probably be dropped, or at least
should use a different set of rules than traffic from wan.
Traffic from wifi should go to vpn-out via the default route, and any
traffic to lan should be filtered ideally.

>> 6.  Optional, but it would be ideal if I can control WiFi traffic to
>> the rest of the LAN, ideally not using NAT in-between (obviously
>> traffic to the internet would use NAT).
> VLAN tagging may be what you want here for your APs. How this is
> configured depends on the APs. (Sidenote; I highly recommend the
> Ubiquiti Unifi APs as they run linux- you can ssh right into them- but
> have a fantastic *centralized* web GUI and support VLAN tagging right
> out of the box)

Possibly.  Or I might just treat the Wifi as a separate interface and
filter it.

> I'm on a dedicated linux routerbox right now that does everything you
> mentioned above and a bit more. :) It takes a bit to set up, but it's
> worth it- much more flexible than a GUI-based one, for sure. I'd be more
> than happy to share configs if you'd like.

Thanks.  I could also do a lot more with traffic shaping with such a
config as has come up in past PLUG meetings.

> I use this:

Thanks for this and other data I didn't reply to in your email.  It
will all be helpful!

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
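As an added example that is not part of the thread, the interface policy Rich lays out above (tunnel as default route, incoming connections on wan forwarded per a rules table, new flows from the tunnel dropped, wifi kept off the lan) expressed as iproute2 plus nftables commands, with the one check the description leaves implicit: connections that arrive on wan must be answered via wan, not via the tunnel. Interface names are the thread's labels; the gateway and proxy addresses (documentation ranges) and the single wan-to-lan forwarding entry are assumptions for illustration.

```shell
# Policy routing for the layout in the thread: the tunnel is the default route,
# but flows that arrived on wan are marked in conntrack so their replies use a
# second routing table whose default is the ISP gateway. Addresses are assumed.
WAN=wan; LAN=lan; WIFI=wifi; VPN=vpn-out
WAN_GW=203.0.113.1     # assumed ISP gateway
PROXY_IP=198.51.100.10 # assumed public address of the proxy (tunnel endpoint)
VPN_GW=10.8.0.1        # assumed far end of the tunnel
TABLE_WAN=100          # routing table consulted for wan-originated flows
MARK_WAN=0x1           # conntrack mark that tags those flows
DRY_RUN=${DRY_RUN:-0}

run() {  # print the command instead of executing it when DRY_RUN=1
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_routes() {
  # The tunnel endpoint itself must be reached over wan, not through the tunnel.
  run ip route replace "$PROXY_IP" via "$WAN_GW" dev "$WAN"
  run ip route replace default via "$VPN_GW" dev "$VPN"
  # Alternate table (ISP gateway as default) used for packets carrying the mark.
  run ip route replace default via "$WAN_GW" dev "$WAN" table "$TABLE_WAN"
  run ip rule add fwmark "$MARK_WAN" lookup "$TABLE_WAN" priority 100
  # Loose reverse-path check on wan, since its replies no longer follow the main table.
  run sysctl -w "net.ipv4.conf.$WAN.rp_filter=2"
}

setup_firewall() {
  run nft add table inet rtr
  # Tag new connections arriving on wan; restore the mark onto every later packet
  # of the flow (replies from lan, or from the router itself) so the ip rule
  # above sends them back out via wan instead of into the tunnel.
  run nft add chain inet rtr pre "{ type filter hook prerouting priority -150; }"
  run nft add rule inet rtr pre iifname "$WAN" ct state new ct mark set "$MARK_WAN"
  run nft add rule inet rtr pre ct mark "$MARK_WAN" meta mark set ct mark
  run nft add chain inet rtr out "{ type route hook output priority -150; }"
  run nft add rule inet rtr out ct mark "$MARK_WAN" meta mark set ct mark
  # Forwarding policy: lan and wifi reach the internet through the tunnel,
  # wan->lan only via explicit entries; wifi->lan and new flows from the
  # tunnel fall through to the chain's drop policy.
  run nft add chain inet rtr fwd "{ type filter hook forward priority 0; policy drop; }"
  run nft add rule inet rtr fwd ct state established,related accept
  run nft add rule inet rtr fwd iifname "$LAN" oifname "$VPN" accept
  run nft add rule inet rtr fwd iifname "$WIFI" oifname "$VPN" accept
  run nft add rule inet rtr fwd iifname "$WAN" oifname "$LAN" tcp dport 22 accept  # assumed rules-table entry
}
case "${1:-}" in
  apply) setup_routes; setup_firewall ;;
  *) DRY_RUN=1; setup_routes; setup_firewall ;;  # default: only show the commands
esac
```

Run with `apply` as root on the router to install the policy; without it the script only prints the commands so they can be reviewed first.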