
View the full version : VPN support (CIPE)



phedny
03-04-2005, 12:04
I've added support for CIPE-style VPNs for the WL-500g. At the moment I have 6 boxes running VPN-enabled firmware. Two types of VPN are implemented: routed and bridged. The routed type I've got running in production and it seems to work stably. The bridged type I've only given a little testing and it seems to be working, but I'm not actively using it.

DESCRIPTION

In routed mode, what actually happens is that a point-to-point link is created between two WL-500g boxes and a route to the remote network is added. This means only IP traffic (no IPv6, IPX) can be routed and broadcast traffic will not pass through the VPN. It keeps the two networks in separate subnets, so this is nice if you have, for example, one subnet on 192.168.1.0/24 and one on 192.168.2.0/24. From within one network, you can ping the IPs in the other network.

In bridged mode, a virtual ethernet link is created between two WL-500g boxes, which is added to the br0 bridge. In effect, this merges two networks together. In this mode, all kinds of traffic are possible (including IPv6, IPX), as the boxes appear like 'magical' switches on the network :). For IP networking, in this mode the networks need to be in the same subnet for communication, and broadcast traffic is forwarded. Be careful when using DHCP, as you should only have a single DHCP server configured in a subnet.

INSTALLATION

I've made a patch, but it's not for the 'vanilla' custom firmware source tree. Because of a lack of disk space, I added this patch on top of the IPv6 patch, and therefore the Makefiles and httpd and rc files also contain IPv6-related stuff. I've been working with the 1.9.2.7-3b version of Oleg's firmware.

The patch can be downloaded from http://www.p-bierman.nl/~phedny/wl500g.cipe.tbz2 and should be extracted into the broadcom/src directory. Inside the gateway directory, it adds the cipe3 and cipe4 directories containing the cipe source, updates the Makefile, adds two web pages, updates the webserver to accept the new config variables and updates the rc program to set up the VPNs on boot and configure the firewall to make the VPN work.

CONFIGURATION

On the pages in the VPN menu, you can add multiple VPNs. For each VPN you need a key, made of 32 hex digits. One way to create such a beast is running this command on a UNIX machine: 'ps ax | md5sum', which will generate a nice key.

Now, when configuring a VPN, you need to select a port to use for both boxes. A port may not be shared by multiple VPNs, so it needs to be unique. I prefer to make the first VPN use port 39001, the second 39002 and so on for routed CIPE and to use 38001, ... for bridged CIPE.

On the webpage, enter the port you selected in the local port field and the port selected for the other WL-500g in the remote port field. Make sure the keys you enter match, otherwise no traffic will pass. In the remote IP field, you enter the external IP-address of the WL-500g box you'd like to contact.

For bridged CIPE, that's all there is. When using routed CIPE, you need to enter the internal IP-address of the WL-500g box you contact, together with its netmask. This is used for adding the route to the other network.

After adding one or more VPNs, press Finish and then Save&Restart and the VPNs should get up and running. Try pinging machines in network 2 from machines in network 1. Or try pinging the remote WL-500g box; it should all work now.

ADDITIONAL INFORMATION

The CIPE protocol is designed by Olaf Titz. I've been using it for a couple of years and because it doesn't need heavy software I thought it would be interesting to make it work on the WL-500g. Because it works on top of UDP, CIPE can work across NAT (which I can confirm) and should also work with dynamic IP-addresses. Therefore it is nice to use for connecting a road-warrior (a notebook VPN-ing home from different locations) with your network.

More information about CIPE can be found at http://sites.inka.de/sites/bigred/devel/cipe.html where you can also find the original source code. A Windows version is also available at http://cipe-win32.sourceforge.net/ but I haven't tried that one.

- Phedny
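
The configuration rules above (a 32-hex-digit key per tunnel, one UDP port that no other tunnel on the box uses, a remote external IP, and for routed mode the remote internal IP plus netmask) are easy to get wrong when several tunnels are defined by hand. The following is an added example, not code from phedny's patch or from the CIPE project: a POSIX shell checker over a constructed list of tunnel records, plus a key generator that reads the kernel RNG instead of hashing 'ps ax' output. The colon-separated record format, the sample addresses and the function names are assumptions made for this example; the firmware itself stores these values as web-interface config variables.

```shell
#!/bin/sh
# Added example, not part of phedny's patch: sanity-check a list of CIPE
# tunnel definitions against the rules given in the post above (32-hex-digit
# key, one unique UDP port per tunnel, and for routed mode a remote internal
# address plus netmask). The record format and sample data are constructed.

# Generate a 32-hex-digit key from the kernel RNG (assumes /dev/urandom and a
# 'head' that accepts -c, as on Linux and BSD). Preferable to 'ps ax | md5sum',
# whose input another user on the same host could largely reconstruct.
cipe_make_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# True if $1 is exactly 32 hex digits.
cipe_valid_key() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# True if $1 is a UDP port number in 1..65535.
cipe_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Constructed sample records, one tunnel per line:
#   mode:local_port:remote_port:key:remote_external_ip:remote_internal_ip:netmask
# Tunnels 1 and 2 are well-formed; 3 and 4 contain deliberate mistakes.
SAMPLE_TUNNELS='routed:39001:39001:0123456789abcdef0123456789abcdef:203.0.113.10:192.168.2.1:255.255.255.0
bridged:38001:38001:fedcba9876543210fedcba9876543210:203.0.113.11::
routed:39001:39002:0123456789abcdef0123456789abcdeg:203.0.113.12::
bridged:70000:70000:00112233445566778899aabbccddeeff:203.0.113.13::'

# Check every record in $1. Prints one line per problem, stores the number of
# problems in CIPE_PROBLEMS and returns 1 if any were found. A here-document
# feeds the loop so it runs in the current shell and can update variables.
cipe_check_tunnels() {
    CIPE_PROBLEMS=0
    seen_ports=" "
    n=0
    while IFS=: read -r mode lport rport key rext rint mask; do
        [ -z "$mode" ] && continue
        n=$((n + 1))
        case "$mode" in
            routed|bridged) ;;
            *) echo "tunnel $n: unknown mode '$mode'"; CIPE_PROBLEMS=$((CIPE_PROBLEMS + 1)) ;;
        esac
        if ! cipe_valid_key "$key"; then
            echo "tunnel $n: key must be 32 hex digits"
            CIPE_PROBLEMS=$((CIPE_PROBLEMS + 1))
        fi
        if ! cipe_valid_port "$lport" || ! cipe_valid_port "$rport"; then
            echo "tunnel $n: ports must be in 1..65535"
            CIPE_PROBLEMS=$((CIPE_PROBLEMS + 1))
        fi
        # A port may not be shared by several tunnels on the same box.
        case "$seen_ports" in
            *" $lport "*) echo "tunnel $n: local port $lport already used"; CIPE_PROBLEMS=$((CIPE_PROBLEMS + 1)) ;;
        esac
        seen_ports="$seen_ports$lport "
        if [ -z "$rext" ]; then
            echo "tunnel $n: remote external IP is required"
            CIPE_PROBLEMS=$((CIPE_PROBLEMS + 1))
        fi
        # Routed mode adds a route to the far network, so it needs the remote
        # box's internal address and the netmask; bridged mode does not.
        if [ "$mode" = routed ] && { [ -z "$rint" ] || [ -z "$mask" ]; }; then
            echo "tunnel $n: routed mode needs remote internal IP and netmask"
            CIPE_PROBLEMS=$((CIPE_PROBLEMS + 1))
        fi
    done <<EOF
$1
EOF
    [ "$CIPE_PROBLEMS" -eq 0 ]
}

# Stand-alone run: report the sample set (expect 4 problems in tunnels 3 and 4).
cipe_check_tunnels "$SAMPLE_TUNNELS" || echo "sample set has $CIPE_PROBLEMS problem(s)"
```

Run it with any POSIX sh; a clean set exits 0 and prints nothing. The uniqueness check only looks at local ports, since those are the ones that must not collide on this box; the remote port belongs to the other WL-500g and is checked only for range.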

Styno
03-04-2005, 12:36
Wow, looks like a great development. Good work!

Pirat
05-04-2005, 10:13
Yea! Good work!!

Is it possible to build this as a package?? (I'm no developer! :cool: )

phedny
07-04-2005, 20:01
Is it possible to build this as a package?? (I'm no developer! :cool: )

You can download my IPv6 + CIPE firmware. It's not based on the newest version of Oleg's firmware, but it is working pretty well.

Download it from: http://www.p-bierman.nl/~phedny/WL500g-1.9.2.7-3b+ipv6+cipe.trx

tomilius
10-04-2005, 07:23
Will it ever be based on the latest firmware? It's a great accomplishment, but in the spirit of adding on to the WL-500g, I'd have to take away from it to get VPN support.

Or, a better follow-up question: will you ever make it a package? ... Please? ^_^

phedny
10-04-2005, 19:09
Will it ever be based on the latest firmware? It's a great accomplishment, but in the spirit of adding on to the WL-500g, I'd have to take away from it to get VPN support.

I think it would be very easy to place it in the current source tree, but I don't have enough space left on my hard drive to do so. In the near future I will remove the old broadcom tree and replace it with the newest custom firmware tree.


Or, a better follow-up question: will you ever make it a package? ... Please? ^_^

Honest answer: I didn't look into packages yet, and for now I don't have much time to do so. Maybe someone else is willing to do this, or I might do so when I have more spare time (that won't be in the month of April, and I'm not sure about May as I expect some upcoming projects).

tomilius
10-04-2005, 20:35
Understandable. Thank you :)

Pirat
18-04-2005, 18:34
Is it possible to post the compiled binaries+configs to add to a running system?

tase
20-04-2005, 23:46
Sorry maybe this post shouldn't be here.

I couldn't find the broadcom/src directory, nor make, in my asus firmware 1.9.2.7-4.

Could you share the asus compiled cipe?

mctiew
21-04-2005, 02:50
Sorry maybe this post shouldn't be here.

I couldn't find the broadcom/src directory, nor make, in my asus firmware 1.9.2.7-4.

Could you share the asus compiled cipe?

Sorry, I find it strange there is so much interest in CIPE. There is already an openvpn. Is CIPE more popular than openvpn?

Cheers

Holli
21-04-2005, 17:11
....

Could you share the asus compiled cipe?


Look here:

fast mirror: http://files.wl500g.info/asus/custom/phedny/1.9.2.7-3b+ipv6+cipe/WL500g-1.9.2.7-3b+ipv6+cipe.trx

http://www.p-bierman.nl/~phedny/WL500g-1.9.2.7-3b+ipv6+cipe.trx

kato
05-05-2005, 08:10
Can I create a VPN tunnel only between wl500g-WL500g, or also wl500g-xxx router?
Thanks

phedny
05-05-2005, 12:43
Can I create a VPN tunnel only between wl500g-WL500g, or also wl500g-xxx router?
Thanks

More information about CIPE can be found at http://sites.inka.de/sites/bigred/devel/cipe.html where you can also find the original source code. A Windows version is also available at http://cipe-win32.sourceforge.net/ but I haven't tried that one.

From the first link you can download the Linux sources, so you can create a VPN to any system running either Linux or Windows.

phedny
05-05-2005, 14:04
I just created a patch to the 1.9.2.7-4 Oleg firmware for CIPE support. Maybe Oleg is interested in integrating it into his next firmware version?

A couple of customers of the company where I work are using CIPE in their WL-500g and it seems to run stable and smooth...


In the src/ folder enter these commands to make it work:

bunzip2 cipe.diff.bz2
patch -Np2 < cipe.diff

tomilius
05-05-2005, 21:26
Cool! :) I myself have been using openVPN--I'm not sure which is better.

mctiew
06-05-2005, 00:59
Cool! :) I myself have been using openVPN--I'm not sure which is better.

http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt

Cheers

phedny
06-05-2005, 09:04
Cool! :) I myself have been using openVPN--I'm not sure which is better.

I added CIPE support because it isn't such a complex application, and with some modifications in the Makefile it compiled and ran straight away :)

CIPE is nice for static VPNs between subnets, but it requires a separate UDP port for each tunnel and allocates a different network device. When using routed CIPE, each tunnel also introduces two routes into the kernel routing table.

OpenVPN, on the other side, is a little more complex, but seems more flexible to me. I looked into it, and it seemed to me it required OpenSSL, which would not really fit in firmware. But since you've got things running, I think it would be nice to integrate it into the firmware and add a menu link in the web-interface (for CIPE a new VPN menu was introduced, as I was thinking about also integrating a PPTP server).

phedny
09-05-2005, 19:31
Patch to the 1.9.2.7-5 tree ;)
Also updated a little wrong thingy in the web-interface menu.

bunzip2 the file and in the src/ directory enter:
patch -Np2 < path/to/cipe.diff