Comments on Zen One: OpenVPN and DD-WRT on Linksys WRT54GL
Feed author: Steve. Last updated 2023-09-30. 25 comments, newest first.


Jayanth (2010-06-29 16:54 -07:00):

This comment has been removed by the author.


Unknown (Benny) (2010-03-15 04:53 -07:00):

Hi Steve

It seems that you'll make my day, because I've been looking for this kind of solution for quite some time now...

I have a Linksys WRT54GL and I want to connect it with my dyndns over an IPsec VPN connection. Is that possible with this solution? I use dd-wrt today and it doesn't support IPsec...

/regards Benny


Anonymous (Leandro) (2009-08-14 04:45 -07:00):

Hi,

Do you know if there is a Linux-based OpenVPN-compatible router/modem with an RJ-11 port to establish the ADSL connection and to make SSL VPNs? It doesn't matter if it has wireless or not.

Linksys WRT54GL Ver 1.1 works very well with openvpn but it needs another appliance to do the ADSL dialing.

I hope you can help.

Regards.
Leandro.


Franz (2009-07-11 12:31 -07:00):

Hi Steve,

the first really helpful configuration for a routed vpn I saw.

After endless unsuccessful retries to get openvpn working I'm very happy that I got it now.

Thanks a lot for this blog.

Best regards, Franz


Steve Zenone (2009-06-01 19:19 -07:00):

Mark - this setup has been working flawlessly in multiple environments that I have it set up in. The devices have remained stable after setting wireless TX power to 84 and overclocking frequency to 200 MHz. I also have two of the devices set up for site-to-site VPN. DD-WRT might be the low-cost green solution you're looking for!


Mark Tarq (2009-06-01 14:07 -07:00):

How has this been working for you? Is it stable? Can you do site to site VPN? I currently also want to consolidate my router, wap, and ipcop/openvpn to one unit and save power consumption!


Anonymous (Ric) (2009-05-01 05:40 -07:00):

Hi Steve,

Thanks for the great article! Using this article and other internet sources I managed to get OpenVPN and DD-WRT set up, however I still have some kinks to work out. I'm not too well versed in networking and haven't been able to connect from my Vista laptop to my DD-WRT router at home from the road...

In my setup I had the VPN use port 80, so that it'd be useful anyplace and not blocked. However I am questioning if this is sound.

In your experience, what would be the best port and protocol to use for road-warrior access to absolutely be able to connect?

I don't travel often, but wanted a reliable port that'd be useful at hotels, schools, coffee shops etc. I've heard that some of these places actually block the common VPN ports to prevent people from circumventing their network use policies or "encourage" them to use their service.

Thanks again,
-Ric


Anonymous (2009-02-17 20:47 -08:00):

Your post is great, I managed to get it working from within the local network, but cannot get it to work from outside. I can see it is connecting to 1194 by looking at the log in /var/log/messages on the dd-wrt device. It gets as far as saying it received the TLS initial packet from the client and nothing more. Seems like a routing problem such that the client never gets a response.

My routing table looks like:

Kernel IP routing table
Destination   Gateway     Genmask          Flags  MSS  Window  irtt  Iface
10.5.10.2     0.0.0.0     255.255.255.255  UH     0    0       0     tun0
192.168.1.0   0.0.0.0     255.255.255.0    U      0    0       0     br0
10.5.10.0     10.5.10.2   255.255.255.0    UG     0    0       0     tun0
24.28.0.0     0.0.0.0     255.255.224.0    U      0    0       0     vlan1
169.254.0.0   0.0.0.0     255.255.0.0      U      0    0       0     br0
127.0.0.0     0.0.0.0     255.0.0.0        U      0    0       0     lo
0.0.0.0       24.28.0.1   0.0.0.0          UG     0    0       0     vlan1

Thanks if you can help


Anonymous (2009-02-05 22:17 -08:00):

Thanks again.
I might buy the Linksys or an Asus with 8 MB of RAM over 4 MB.

Question, is using a VPN software/service like Hamachi, LeafNetworks, or Remobo a secure alternative with less maintenance? Are these encrypted between peer-to-peer solely, or would I have to worry about the security of my data? Can these types of services be trusted safely with valuable data? I am going to give the DD-WRT a try, but I would like to have a simple software like this to fall back on. Thoughts?


Steve Zenone (2009-02-05 19:29 -08:00):

There are other commercial firewalls that offer support. However, you could definitely place a DD-WRT device at home to protect your home network, and another at your office to protect your office network. I personally wouldn't create a gateway-to-gateway VPN tunnel between the two. Rather, I'd set up OpenVPN on each DD-WRT device to allow inbound road warrior connections, as described in the blog posting. I would then install an OpenVPN client on your home and office systems with the appropriate VPN certs. You would then establish the VPN connection as needed and would have more control.


Anonymous (2009-02-05 17:00 -08:00):

Thanks for the details Steve.

The office is actually my own, so I have an open port there and do not need to worry about the policies in that fashion.

My scenario is this:
The first computer is at the office which houses only live files that I work with on a regular or frequent basis. The second computer is at home and has older archived information and files that I may need to access at random, but not regularly.

I am hoping to manage a VPN so I can synchronize a folder on each of the 2 computers so the same data is at home, and the office at any given point. I would use a software like Vice Versa, or something similar.

Thanks for the tips on admin and another user. Looks like I will be creating a second user and limiting its access. Should I have a separate user account for VPN, separate from the admin and the new account I will be creating as well?


Steve Zenone (2009-02-05 11:10 -08:00):

Before installing the device at your office I'd review their policies to make sure you're not violating any of them. Consult with the IT/Security/Policy people at your office.

Putting the VPN at work could potentially put your home and office at increased risk; for example, if you had a VPN connection established between home and the office, and a system on your home network were to be compromised, the attacker could then make their way through the VPN tunnel that's already established between the two routers and attack systems at the office.

As for Firefox plugins -- it's a good habit to look at the installed plugins and see which are active and how they're configured. At a high level you can do this by looking at the add-ons through Firefox. At a lower level you can look at the add-ons on the filesystem. You can disable all plugins by starting Firefox in safe mode ('firefox -safe-mode').

Regarding the admin account - no, you do not want to create a new user account and give it admin privileges for doing your day-to-day activity. For example, imagine you're logged in as user JOHNDOE, a user that you gave admin rights to. During the course of the day you get an email that has an attachment that you know you shouldn't be clicking on, but you do. The attachment is actually malware that isn't detected by your anti-virus software. Since you are logged in as an admin, the malware will execute with admin privileges. The integrity of the system has been compromised. That's bad.


Anonymous (2009-02-05 08:19 -08:00):

Thanks Steven, exactly the answer I was looking for.

So it sounds like WRT54GL and DD-WRT are a good idea, I am going to purchase the router soon.

Would it be even more secure to run one of these on each end, at my home and at my office for added VPN security? Or will that not really make a difference?

I run Norton's Internet Security. Yes, I know it isn't the greatest but it does its job with minimal hands-on activity so I am always up to date with anti-virus and firewall protection. I currently use WRT54G routers and they have been bullet proof. I once loaded up DD-WRT but didn't have the time to adjust and always play with it as it wasn't as stable as the regular Linksys firmware, so I will be hoping that DD-WRT is more stable on the WRT54GL.

About Firefox plugins, is there a way to enable and disable all plugins? I like to use certain plugins so I couldn't see disabling them all and not using any. Is there a secure way to use them safely? Or a way to enable and disable based on tasks you are doing?

When not using Administrator, do you simply create a new user account and give them Administrator access? I have fallen back to using Administrator always and have been curious on the best way to go about reverting back to using an actual user profile. Any feedback on that will be helpful.

Thanks!


Steve Zenone (2009-02-04 23:22 -08:00):

Anonymous - In my opinion, running DD-WRT with OpenVPN is an effective low cost solution for secure remote access. Yes, OpenVPN is supported on XP.

Though you may have a secure remote access solution, do keep in mind that "good" security is a layered approach - there's no silver bullet that will reduce all risk to zero. That means running current and up to date anti-virus on your Windows systems, use firewalls (e.g., host based firewall for a laptop you take on the road), configure your browser to be more "secure" (Firefox w/ NoScript addon, etc), harden your wifi networks and don't connect to untrusted networks, don't log in as an admin user on your computers to do day-to-day activity, use strong passwords, and simply use common sense when surfing the web or clicking on links or attachments within emails.


Anonymous (2009-02-04 22:51 -08:00):

Is this an ideal solution to set up a VPN at my home where I store most files on a computer? I would like to connect when I am at my office and copy files, and synchronize files between the 2 computers over WAN. Is DD-WRT and OpenVPN a good solution when running Windows XP?


Steve Zenone (2009-01-25 08:51 -08:00):

Ric wrote:
"In your reply you mentioned using the netstat command to make sure the tunneling is working. Do you mean netstat -aon and check that the connection is established with my vpn by looking at the foreign address (& port)?"

I was referring to using netstat to show the routing table. The routing table will be used by your client system to determine where traffic should go when leaving your system.

Based upon what I see in the routing table I then confirm that the traffic that's supposed to be going through the VPN indeed is by doing:

1. ping IP's that should only be accessible via VPN and observe the hops to confirm the path taken by the traffic

2. use tcpdump or some other tool to capture packets for confirmation that the traffic is being routed correctly. If my primary interface is eth0, I'll run tcpdump looking at that interface to make sure I don't see any non-VPN traffic going to the destination where traffic should be encrypted. Secondly, if the OpenVPN interface is tun0, I can also have tcpdump look at the traffic going through that interface to confirm traffic is going where I want it to.


Anonymous (Ric) (2009-01-21 07:09 -08:00):

Hi Steve,

Thanks for your help in a previous post to "Anonymous (Ric)", it helped me out.

I set everything up and will be testing out the config from my folks' house.

In your reply you mentioned using the netstat command to make sure the tunneling is working. Do you mean netstat -aon and check that the connection is established with my vpn by looking at the foreign address (& port)?

How would I ensure that nothing else is using the local connection and all is being routed through the VPN? Would all processes be using that VPN port?

Sorry if the question seems dumb, just trying to understand.

Thanks again!!!

Ric


Anonymous (2008-11-02 15:22 -08:00):

Hi all!!
My internet connection at work is "capped" (eSafe) through a router VPN.
My question is, can I create a 2nd vpn connection from one pc at work to go out through the router's vpn to an external vpn server (at home, for example)?
It's a vpn into another vpn.

I have a DSL PPPoE router and a WRT54gl at home.

Thanks!!


Unknown (KevDog) (2008-11-01 17:09 -07:00):

I didn't know the default IP FORWARD chain was set to 1. Here are my firewall rules. I think I have a little bit of redundancy here:

iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT


Steve Zenone (2008-10-31 23:02 -07:00):

KevDog - In steps 10-12 I detail how the options are added to the ADMINISTRATION | COMMANDS section. I've had no need to add the ip_forward set to 1 on any of the dd-wrt installs that I've done because, by default, the value is already set to 1.


Unknown (KevDog) (2008-10-31 20:02 -07:00):

Steve

I'm not sure how you are adding or modifying your options. I'm using the Administration/Commands dialog box. I found to actually enable forwarding for my vpn, I had to add the following line:

echo 1 > /proc/sys/net/ipv4/ip_forward

Do you find that you need to do this?


Steve Zenone (2008-10-23 08:27 -07:00):

Anonymous (Ric) -- I'm glad that the tutorial has helped you out. Anytime I connect to a public wireless access point I tunnel all of my traffic through my VPN connection. To answer your questions:

1. Yes, you can change the port and protocol OpenVPN uses. For example, in the server config you could use:

    proto tcp
    port 80

and on the client config you would, for example, use:

    proto tcp
    remote dyndns-hostname-or-ip-of-server 80

2. Opening up the firewall to ONLY allow VPN traffic inbound to the router/firewall has increased your risk...but only very slightly...and I emphasize *slightly*. If someone were to steal your VPN private cert they could then get through the firewall until you revoke the cert. The benefits obtained by punching a hole to only allow VPN traffic greatly outweigh the risks, in my opinion. If there was a zero-day exploit against, say, how OpenVPN authenticates, then an attacker could get in...unless a fix is released and you apply it before the attacker exploits your box. How likely is this to happen? Is the likelihood low? It should be low for you (you should be protecting your private certs and I don't anticipate a zero-day exploit anytime soon and I will patch if one is announced). To sum up, the risk is low and the pros outweigh any cons.

3. The guide that I wrote on setting up DD-WRT and OpenVPN does list steps to help improve the security of your DD-WRT device. As well, DD-WRT is fairly hardened by default. Deciding to broadcast SSID, filtering MACs, or use WPA vs. WPA2 are decisions you'll need to make. Disabling SSID won't prevent an attacker from obtaining the SSID, and some of your older devices might have a difficult time connecting without an SSID broadcast. WPA2 is my preferred choice, however, some older clients may not support WPA2...so WPA becomes the next logical choice. MAC address filters can be a real pain in the neck to manage if you have family and friends stopping by and wanting to connect to your wireless access point. For the most part, WPA will keep the cruft off your network. Filtering on MAC will give you some added confidence while requiring more of your time to administrate. It's a trade-off you'll need to make.

4. Whenever I want to test my VPN's routing, I'll do a couple of things:

First, you can check your routing table with 'netstat -rn' and see what the routes are. I won't get into interpreting the table.

Secondly, and perhaps more user friendly, you can use traceroute to see where the routes are going. For example, if you're routing all traffic through your VPN tunnel via the "redirect-gateway" option in the client config, I would do a "traceroute -n www.google.com" and make sure that the first hop is through my VPN tunnel and not Starbuck's TMobile gateway.

I hope that does the trick for you.
--Steve


Anonymous (Ric) (2008-10-23 03:38 -07:00):

Hi Steve,

GREAT BLOG! Thank you so much for the help...

I'm trying to set up road-warrior access using my WRT-54G. All I need is to sit at a hotel or Starbucks someplace and have a secure way to reroute all my traffic through the VPN back to my home WRT-54G and out to the net from there. Both for security and privacy reasons. So your tutorial is perfect.

A couple of quick questions though:

1. Is it possible to set ports for this to use a port that is always open at any hotel etc.? I mean would I be stuck if the hotel or coffee shop I were at blocked 1194 or 443? Could I use port 80 or some other port and still be secure?

2. If setting up the firewall on the WRT-54G to open the port for OpenVPN, would that weaken the router security any?

3. I'm not familiar with a lot of the advanced settings for DD-WRT (for basic things like security, firewall etc.) I've hardened my WRT-54G using Linksys firmware before switching to DD-WRT. Can you post a "hardening DD-WRT" type tutorial, especially for iptables?

4. Last one... Assuming someone sets up a VPN they believe works and routes everything securely and privately through to their home DD-WRT router and then out to the net from there, how can someone test this to ensure it works the way it's supposed to? Is there a "Shields Up" type service to test a VPN? I'm paranoid that a misconfiguration would give me a false sense of security, like using the local DNS versus the one through the VPN etc.

Sorry for the barrage and thanks.

Ric


Unknown (KevDog) (2008-10-15 09:04 -07:00):

Steve

What I was noticing was particularly long dns lookups. In the client config file I edited the following line:

redirect-gateway def1 bypass-dns

I believe the addition of the bypass-dns flag would bypass dns lookup via the openvpn gateway.

I know in some cases this may not be desirable, however the vpn connection does seem to be much "snappier". I wish there was a way for the linksys firmware to cache dns requests. If it is caching dns requests, then possibly my configuration is wrong.


Steve Zenone (2008-10-14 21:50 -07:00):

KevDog - I also wanted to thank you for posting your configs for v24-sp1! Good stuff!