phedny
03-04-2005, 12:04
I've added support for CIPE-style VPNs for the WL-500g. At the moment I have 6 boxes running VPN-enabled firmware. Two types of VPN are implemented: routed and bridged. The routed type I've got running in production and it seems to work stably. The bridged type I've only given a little testing and it seems to be working, but I'm not actively using it.
DESCRIPTION
In routed mode, what actually happens is that a point-to-point link is created between two WL-500g boxes and a route to the remote network is added. This means only IP traffic (no IPv6, IPX) can be routed and broadcast traffic will not pass through the VPN. It keeps the two networks in separate subnets, so this is nice if you have, for example, one subnet on 192.168.1.0/24 and one on 192.168.2.0/24. From within one network, you can ping the IPs in the other network.
In bridged mode, a virtual ethernet link is created between two WL-500g boxes, which is added to the br0 bridge. In effect, this merges two networks together. In this mode, all kinds of traffic are possible (including IPv6, IPX), as the boxes appear like 'magical' switches on the network :). For IP networking in this mode, the networks need to be in the same subnet for communication, and broadcast traffic is forwarded. Be careful when using DHCP, as you should only have a single DHCP server configured in a subnet.
INSTALLATION
I've made a patch, but it's not for the 'vanilla' custom firmware source tree. Because of a lack of disk space, I added this patch on top of the IPv6 patch, and therefore the Makefiles and the httpd and rc files also contain IPv6-related stuff. I've been working with the 1.9.2.7-3b version of Oleg's firmware.
The patch can be downloaded from http://www.p-bierman.nl/~phedny/wl500g.cipe.tbz2 and should be extracted into the broadcom/src directory. Inside the gateway directory, it adds the cipe3 and cipe4 directories containing the cipe source, updates the Makefile, adds two web pages, updates the webserver to accept the new config variables and updates the rc program to set up the VPNs on boot and configure the firewall to make the VPN work.
CONFIGURATION
On the pages in the VPN menu, you can add multiple VPNs. For each VPN you need a key, made of 32 hex digits. One way to create such a beast is running this command on a UNIX machine: 'ps ax | md5sum', which will generate a nice key.
Now, when configuring a VPN, you need to select a port to use for both boxes. A port may not be shared by multiple VPNs, so it needs to be unique. I prefer to make the first VPN use port 39001, the second 39002 and so on for routed CIPE and use 38001, ... for bridged CIPE.
On the webpage, enter the port you selected in the local port field and the port selected for the other WL-500g in the remote port field. Make sure the keys you enter match, otherwise no traffic will pass. In the remote IP field, you enter the external IP-address of the WL-500g box you'd like to contact.
For bridged CIPE, that's all there is. When using routed CIPE, you need to enter the internal IP-address of the WL-500g box you contact, together with its netmask. This is used for adding the route to the other network.
After adding one or more VPNs, press Finish and then Save&Restart and the VPNs should get up and running. Try pinging machines in network 2 from machines in network 1. Or try pinging the remote WL-500g box; it should all work now.
ADDITIONAL INFORMATION
The CIPE protocol is designed by Olaf Titz. I've been using it for a couple of years and because it doesn't need heavy software I thought it would be interesting to make it work on the WL-500g. Because it works on top of UDP, CIPE can work across NAT (which I can confirm) and should also work with dynamic IP-addresses. Therefore it is nice to use for connecting a road-warrior (a notebook VPN-ing home from different locations) with your network.
More information about CIPE can be found at http://sites.inka.de/sites/bigred/devel/cipe.html where you can also find the original source code. A Windows version is also available at http://cipe-win32.sourceforge.net/ but I haven't tried that one.
- Phedny
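As an added example (not part of phedny's post or the CIPE patch), a small Python helper that generates a 32-hex-digit key from the operating system's CSPRNG and checks a set of VPN definitions against the constraints the post states: a 32-hex-digit key, a local port that no other VPN uses, a valid remote IP, and for routed mode the remote box's internal IP plus netmask. The dictionary field names are assumptions for this example, not the names the patch's web pages use.

```python
import ipaddress
import re
import secrets

# CIPE keys as described in the post: exactly 32 hex digits (128 bits).
KEY_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def generate_key() -> str:
    """Return a fresh 32-hex-digit key drawn from the OS CSPRNG."""
    return secrets.token_hex(16)


def _valid_port(p) -> bool:
    return isinstance(p, int) and 1 <= p <= 65535


def validate_vpns(vpns: list) -> list:
    """Check VPN definitions (assumed field names) and return a list of problems.

    Fields: mode ('routed' or 'bridged'), key, local_port, remote_port,
    remote_ip; routed mode additionally needs remote_internal_ip and netmask.
    An empty list means every definition satisfies the post's rules.
    """
    problems = []
    used_local_ports = set()
    for i, v in enumerate(vpns, 1):
        tag = f"VPN {i}"
        if not KEY_RE.match(str(v.get("key", ""))):
            problems.append(f"{tag}: key must be exactly 32 hex digits")
        lport = v.get("local_port")
        if not _valid_port(lport):
            problems.append(f"{tag}: local port out of range")
        elif lport in used_local_ports:
            # The post: a port may not be shared by multiple VPNs.
            problems.append(f"{tag}: local port {lport} already used by another VPN")
        else:
            used_local_ports.add(lport)
        if not _valid_port(v.get("remote_port")):
            problems.append(f"{tag}: remote port out of range")
        try:
            ipaddress.ip_address(str(v.get("remote_ip", "")))
        except ValueError:
            problems.append(f"{tag}: remote IP is not a valid address")
        if v.get("mode") == "routed":
            # Routed mode needs the remote internal address and netmask for the route.
            try:
                ipaddress.ip_network(f"{v['remote_internal_ip']}/{v['netmask']}", strict=False)
            except (KeyError, ValueError):
                problems.append(f"{tag}: routed mode needs remote internal IP and netmask")
        elif v.get("mode") != "bridged":
            problems.append(f"{tag}: mode must be 'routed' or 'bridged'")
    return problems
```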