OpenVPN username/password authentication on DD-WRT

In this post I’ll be using DD-WRT build 23320 and an ASUS RT-AC66U router to set up two “always on” VPNs (using OpenVPN) with username/password authentication. This router supports all the current Wi-Fi protocols and in theory offers over 1 Gbps combined throughput using dual band; it supports both the 2.4 GHz and 5.0 GHz bands. I’ve used it with DD-WRT without any stability issues for more than 6 months now.

DD-WRT is one of my favourite Linux distros; it’s specially made to work on home routers, APs and small appliances. You may download it from http://www.dd-wrt.com and make sure your equipment is supported by looking into the router database.

Apart from the regular home router needs, DD-WRT also supports a complete set of network functionality such as:

  • FreeRadius
  • PPPoE Server
  • VPN
  • USB (printing/mass storage)
  • NAS
  • Hotspot
  • SIP Proxy
  • Adblocking
  • Webserver
  • QOS

As I said, I’ll be talking about enhancing the standard OpenVPN functionality in DD-WRT. OpenVPN is available on most of the DD-WRT appliances; nevertheless, the stock interface only lets you have one VPN connected and it doesn’t support username/password authentication.

Let me describe the setup:

  1. Home at country A (localnet 192.168.17.0/27)
  2. Home at country B (localnet 192.168.18.0/27)
  3. External third-party net at country C (localnet 172.17.31.0/23)
  4. In order to see IPTV on country A I need to route all the IPTV network through openvpn server at country B
  5. I want to have full network access to networks on country B and C from country A
  6. I want to have full network access from country B to country A
  7. I don’t want access from country C on country A (or B but it’s not relevant for us)

What’s needed:

  1. DD-WRT enabled router (in this case ASUS RT-AC66U) with support for OpenVPN (mega version).
  2. OpenVPN endpoint* (in this example we will be using 2 endpoints, one in country B and another in country C).
  3. User access to those endpoints (username/password/certificates).

* As an endpoint you may use any kind of appliance or custom-made OpenVPN solution; if you want to build it fast I’d recommend Endian FW, pfSense, or your own OpenVPN installation.

DD-WRT has a very nice graphical interface and we will use it to build our setup. Previously I configured the router through the command line, storing all the config data in nvram with the commands:

nvram set _VAR1_="config blabla"

nvram commit

and then created a startup script that would read all those variables and create the config files.

But as I said there’s a better way of doing it, and that’s by using the Startup option of the Commands menu, which can be found under Administration.


We will create a single script that is read when DD-WRT comes to life and starts up our VPNs.

Just press Edit under the Startup placeholder.

You may insert the text below; I’ll describe what it does further on in the post.

# Everything lives in RAM under /tmp; it is rebuilt by this script on every boot
mkdir -p /tmp/openvpncl
# Credential files: first line username, second line password
# (the quoted 'EOF' keeps characters such as $ in the password intact)
cat > /tmp/openvpncl/myauth1.txt << 'EOF'
MY_USER_NAME_GOES_HERE
MY_PASSWORD_GOES_HERE
EOF
cat > /tmp/openvpncl/myauth2.txt << 'EOF'
MY_USER_NAME_GOES_HERE
MY_PASSWORD_GOES_HERE
EOF
chmod 500 /tmp/openvpncl/myauth1.txt
chmod 500 /tmp/openvpncl/myauth2.txt
# Routes added once each tunnel is up; replace xxx.xxx.xxx.xxx with the
# gateway address on the far side of that tunnel
cat > /tmp/openvpncl/route-up_1.sh << 'EOF'
#!/bin/sh
route add -net 23.13.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 80.24.178.0/23 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 10.2.2.0/24 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 10.22.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES
EOF
cat > /tmp/openvpncl/route-up_2.sh << 'EOF'
#!/bin/sh
route add -net 16.13.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 12.24.178.0/23 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 13.2.2.0/24 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 10.232.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
EOF
chmod 500 /tmp/openvpncl/route-up_1.sh
chmod 500 /tmp/openvpncl/route-up_2.sh
# Client configurations; script-security 2 is required so that openvpn
# accepts the --route-up scripts
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf << 'EOF'
client
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca
auth-user-pass /tmp/openvpncl/myauth1.txt
script-security 2
dev tap1
cipher bf-cbc
auth sha1
remote CHANGE_TO_HOSTNAME_or_IP_1 1194
comp-lzo no
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf << 'EOF'
client
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca
auth-user-pass /tmp/openvpncl/myauth2.txt
script-security 2
dev tap2
cipher bf-cbc
auth sha1
remote CHANGE_TO_HOSTNAME_or_IP_2 1194
comp-lzo no
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
EOF
# CA certificate of each endpoint, in PEM format
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca << 'EOF'
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_GOES_HERE__dasdadasdasdsasalzELMAkGA1UE
BhMCUFQx CzAJBgNVBAgTAkxYMQswCQYDVQQHEwJMWDEbMBkGA1UEChM
Sd3d3LmxpbnV4LWdl ZXguY29tMQswCQYDVQQLEwJJVDEeMBwGA1UEAx
MVd3d3LmxpbnV4LWdlZXguY29t IENBMSQwIgYJKoZIhvcNAQkBFhVwb
XNvbGl2ZWlyYUBnbWFpbC5jb20wHhcNMTAw MTE0MTk0NzE0WhcNMjUx
MTI1MTAyMTU0WjCBlzELMAkGA1UEBhMCUFQxCzAJBgNV BAgTAkxYMQs
wCQYDVQQHEwJMWDEbMBkGA1UEChMSd3d3LmxpbnV4LWdlZXguY29t MQ
swCQYDVQlfhoashoadasiodasiodqwenzczcpzocp4LWdlZXguY29tIE
NBMSQw IgYJKoZIhvcNAQkBFhVwbXNvbGl2zdsadsasdadsZWlyYUBnb
-----END CERTIFICATE-----
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca << 'EOF'
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_GOES_HERE__dasdadasdasdsasalzELMAkGA1UE
BhMCUFQx CzAJBgNVBAgTAkxYMQswCQYDVQQHEwJMWDEbMBkGA1UEChM
Sd3d3LmxpbnV4LWdl ZXguY29tMQswCQYDVQQLEwJJVDEeMBwGA1UEAx
MVd3d3LmxpbnV4LWdlZXguY29t IENBMSQwIgYJKoZIhvcNAQkBFhVwb
XNvbGl2ZWlyYUBnbWFpbC5jb20wHhcNMTAw MTE0MTk0NzE0WhcNMjUx
MTI1MTAyMTU0WjCBlzELMAkGA1UEBhMCUFQxCzAJBgNV BAgTAkxYMQs
wCQYDVQQHEwJMWDEbMBkGA1UEChMSd3d3LmxpbnV4LWdlZXguY29t MQ
swCQYDVQlfhoashoadasiodasiodqwenzczcpzocp4LWdlZXguY29tIE
NBMSQw IgYJKoZIhvcNAQkBFhVwbXNvbGl2zdsadsasdadsZWlyYUBnb
-----END CERTIFICATE-----
EOF
chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca
chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca
sleep 5

# Start both clients in the background (double dashes, and the route-up
# script names must match the files created above)
(nohup openvpn --config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf --route-up /tmp/openvpncl/route-up_1.sh &) > /dev/null
(nohup openvpn --config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf --route-up /tmp/openvpncl/route-up_2.sh &) > /dev/null

If you know OpenVPN a bit deeper you may find it odd that I’m not using LZO compression. This is done on purpose: LZO limits the bandwidth available on the router because of CPU usage. In my case most of the traffic is already compressed (ssh, mp4, images, and so on). With LZO I would find my CPU near 100% with traffic around 25 Mbps. So I prefer to disable it and compress the traffic between the endpoints at application level. This allows me to have 100 Mbps+ throughput on the VPN link with this router + DD-WRT config.

You will also have to edit the Firewall placeholder on DD-WRT; once again press Edit and insert the following:

iptables -I FORWARD 1 -i br0 -o tap1 -j ACCEPT
iptables -I FORWARD 2 -i tap1 -o br0 -j ACCEPT
iptables -I FORWARD 3 -i br0 -o tap2 -j ACCEPT
iptables -I INPUT 1 -i tap1 -j ACCEPT

The startup script is nothing more than a set of commands that will be run to create the configuration files on DD-WRT. Please be advised that the VPN credentials will be stored in plain text in the startup script (and therefore in nvram), which may pose a security risk. Nevertheless it is not less secure than having the full configuration rely on certificates: if someone is able to retrieve your data from DD-WRT they will also be able to retrieve the certificates. If you really don’t want to have the password in plain text you won’t be able to fully automate the VPN startup process.

The iptables rules are needed in order to allow access between the different networks. This is the most basic set of rules that allows the configuration I proposed at the beginning: br0 and tap1 may forward in both directions (countries A and B see each other), br0 may forward into tap2 (A reaches C), and there is deliberately no rule forwarding tap2 into br0, so country C gets no access to country A. Finally, please don’t forget to change the route-up_X.sh scripts to match your needs.
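Because the whole setup is generated from a template with placeholders, the usual failure is a forgotten placeholder or a credential file left world-readable, and OpenVPN's error messages on a router are not always easy to get at. The following checker is an added example written for this post (it is not the author's script and not part of DD-WRT); it assumes the /tmp/openvpncl layout built by the startup script above, the MY_..._GOES_HERE and xxx.xxx.xxx.xxx placeholder strings from the template, and the hypothetical function names used here. It can be pasted into the startup script just before the openvpn lines and run as `check_openvpn_dir /tmp/openvpncl || exit 1`.

```shell
#!/bin/sh
# Added example (not DD-WRT's or the post author's code): sanity checks for the
# /tmp/openvpncl directory built by the startup script, to run before the
# openvpn processes are launched. Assumes the file layout from the post:
# <endpoint>.conf with "ca" and "auth-user-pass" lines, route-up_N.sh scripts,
# and the MY_..._GOES_HERE / xxx.xxx.xxx.xxx placeholders used in the template.

# True (0) when the file has no read bit for "other"; credential files must
# not be world-readable.
not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# One auth-user-pass file: exactly two non-empty lines (username, password),
# no unedited template placeholder, not world-readable.
check_auth_file() {
    f=$1
    [ -f "$f" ] || { echo "auth file missing: $f"; return 1; }
    lines=$(grep -c . "$f" || true)
    [ "$lines" -eq 2 ] || { echo "$f: expected 2 lines (user, password), got $lines"; return 1; }
    if grep -Eq 'GOES_HERE|CHANGE_TO_HOSTNAME' "$f"; then
        echo "$f: template placeholder not replaced"; return 1
    fi
    not_world_readable "$f" || { echo "$f: world-readable credential file"; return 1; }
    return 0
}

# One route-up script: present, executable, gateway placeholder replaced.
check_route_up() {
    s=$1
    [ -f "$s" ] || { echo "route-up script missing: $s"; return 1; }
    [ -x "$s" ] || { echo "$s: not executable"; return 1; }
    if grep -q 'xxx\.xxx\.xxx\.xxx' "$s"; then
        echo "$s: gateway placeholder xxx.xxx.xxx.xxx not replaced"; return 1
    fi
    return 0
}

# One client .conf: the referenced CA and auth files exist and pass their
# checks, and script-security 2 is set (otherwise openvpn refuses --route-up).
check_client_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "config missing: $conf"; return 1; }
    conf_rc=0
    ca=$(awk '$1 == "ca" { print $2 }' "$conf")
    auth=$(awk '$1 == "auth-user-pass" { print $2 }' "$conf")
    if [ -z "$ca" ] || [ ! -f "$ca" ]; then
        echo "$conf: ca file missing ($ca)"; conf_rc=1
    elif ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
        echo "$conf: $ca is not a PEM certificate"; conf_rc=1
    fi
    if [ -z "$auth" ]; then
        echo "$conf: no auth-user-pass line"; conf_rc=1
    else
        check_auth_file "$auth" || conf_rc=1
    fi
    grep -q '^script-security 2' "$conf" || { echo "$conf: script-security 2 missing"; conf_rc=1; }
    return $conf_rc
}

# Whole directory: every *.conf and every route-up_*.sh must pass.
check_openvpn_dir() {
    dir=$1
    dir_rc=0
    for c in "$dir"/*.conf; do
        [ -e "$c" ] || { echo "no .conf files in $dir"; return 1; }
        check_client_conf "$c" || dir_rc=1
    done
    for r in "$dir"/route-up_*.sh; do
        [ -e "$r" ] || continue
        check_route_up "$r" || dir_rc=1
    done
    return $dir_rc
}

# When run directly with a directory argument, check it and report.
if [ -n "${1:-}" ]; then
    check_openvpn_dir "$1"
fi
```

Every check prints the reason it failed and returns non-zero, so the startup script can refuse to launch a tunnel whose credentials are still the template text or are readable by every process on the router; the PEM check is only a marker test, since the router may not carry an openssl binary.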

Happy networking with DD-WRT!

Pedro Oliveira


Qualcomm, Inc. Sony Gobi 2000 Wireless Modem – OpenSuSE 12.1 – Vaio VPCSB


Hello,

Recently I’ve updated my openSuSE 11.4 to the latest openSuSE 12.1. It was a hassle-free upgrade and my system is running smoothly; nevertheless I hadn’t used one of my favorite features on this laptop, the built-in GSM card.
Today I needed it and, bummer, it didn’t work, even though I could see it in network manager. I remembered I hadn’t installed the firmware (this card needs a firmware to be inserted every time the device boots). So I put the files in /lib/firmware/gobi and ran gobi_loader, and it ran just perfect.
Next I rebooted the laptop, but it didn’t load the firmware automatically; I checked udev and the entry was missing.

So in order to use the Qualcomm, Inc. Sony Gobi 2000 Wireless Modem with the Vaio VPCSB you’ll need:

Install gobi_loader

sudo zypper in gobi_loader

Copy the firmware files to /lib/firmware/gobi (you can find these files on the net; I won’t put them here because of license issues). The names:

amss.mbn apps.mbn UQCN.mbn

With the latest gobi_loader from SuSE that’s all. But if it still doesn’t work, do the following:

Create a new udev rule file (with joe, vi, kwrite, gedit, etc), just don’t forget you must be root or use sudo:

vi /etc/udev/rules.d/61-gobi.rules

Content:

# udev rules for firmware loading on qualcomm gobi devices
# only serial ports of newly added USB devices are of interest
ACTION=="add", SUBSYSTEM=="tty", KERNEL=="ttyUSB*", GOTO="gobi_rules"
GOTO="gobi_rules_end"

LABEL="gobi_rules"
# Gobi 2000 (05c6:9225): upload the firmware through the device node that was just created
ATTRS{idVendor}=="05c6", ATTRS{idProduct}=="9225", RUN+="gobi_loader -2000 $env{DEVNAME} /lib/firmware/gobi"
LABEL="gobi_rules_end"

Cheers,
Pedro Oliveira

OpenSuSE Linux on Sony Vaio VPCSB – User Review

Hi, today I was using my new laptop (well, it has about 1 month now) and I thought of sharing my usage experience with it. My Vaio is a VPCSB and I run it with OpenSuSE 11.4 x86_64.
I have a thing for Sony Vaios, this one is my 4th. I like Vaios for their build quality, looks, performance and size as I also travel quite a bit.
I’m not a gamer at all so what I value for my computer usage is:

1 – Size (13 inches or smaller)
2 – Weight (2Kg or lower)
3 – Looks
4 – Display quality
5 – Battery endurance
6 – Performance (CPU, Memory, IO)
7 – Number of IO ports (USB, VGA, DVI, Network cards, DVD or Blu-ray in this case, GSM card)
8 – Extras (Illuminated keyboard, hybrid video systems, etc)
9 – And the most important item… Linux compatibility as it will be my choice OS

So after breaking my old Vaio display, I researched a lot (and not only Vaios), I bought this VPCSB, my expectations were very high as my last laptop, a Vaio SZXN was (and still is because it was fixed) an excellent laptop. It worked flawlessly for 4 years with about 12 hours run everyday, lots of traveling, lots of airplane usage and with minor upgrades on memory (2GB ram to 4GB) and a major upgrade this year on the hard drive where I bought a Samsung high performance SSD.
Well, back to the new computer, let’s start with the hardware listing (including lspci and lsusb output):

CPU:  Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz
RAM: 6GB
HD:SAMSUNG MMDOE56G5MXP-0VB

00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
00:01.0 PCI bridge: Intel Corporation 2nd Generation Core Processor Family PCI Express Root Port (rev 09)
00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09)
00:16.0 Communication controller: Intel Corporation 6 Series Chipset Family MEI Controller #1 (rev 04)
00:1a.0 USB Controller: Intel Corporation 6 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 6 Series Chipset Family High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 6 Series Chipset Family PCI Express Root Port 1 (rev b4)
00:1c.1 PCI bridge: Intel Corporation 6 Series Chipset Family PCI Express Root Port 2 (rev b4)
00:1c.2 PCI bridge: Intel Corporation 6 Series Chipset Family PCI Express Root Port 3 (rev b4)
00:1c.3 PCI bridge: Intel Corporation 6 Series Chipset Family PCI Express Root Port 4 (rev b4)
00:1d.0 USB Controller: Intel Corporation 6 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation HM65 Express Chipset Family LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 6 Series Chipset Family 6 port SATA AHCI Controller (rev 04)
00:1f.3 SMBus: Intel Corporation 6 Series Chipset Family SMBus Controller (rev 04)
01:00.0 VGA compatible controller: ATI Technologies Inc NI Seymour [AMD Radeon HD 6470M] (rev ff)
02:00.0 Network controller: Intel Corporation Centrino Wireless-N 1000
03:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. Device 5209 (rev 01)
04:00.0 USB Controller: NEC Corporation uPD720200 USB 3.0 Hayt Controller (rev 04)
05:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 06)

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 003: ID 08ff:168f AuthenTec, Inc.
Bus 001 Device 004: ID 0c45:64b5 Microdia
Bus 001 Device 007: ID 05c6:9225 Qualcomm, Inc. Sony Gobi 2000 Wireless Modem
Bus 001 Device 006: ID 0489:e00f Foxconn / Hon Hai Foxconn T77H114 BCM2070 [Single-Chip Bluetooth 2.1 + EDR Adapter]
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

So running with Linux (OpenSuSE) what works and what doesn’t work?
Easy, there are only 2 things that aren’t running on Linux:
1 – Finger print reader (Bus 001 Device 003: ID 08ff:168f AuthenTec, Inc. )
2 – Touch-pad with multi-touch although it works fine with single-touch
Maybe the multi-touch function can be activated but to be sincere I didn’t pay much attention to it.
The fingerprint is not working due to Sony (they are failing on us here), the multi touch has a signed firmware that doesn’t allow any application to use it, so it needs a Sony interface application to communicate with the system.

What runs and should have trouble running?
The webcams are known to be prone to have trouble and this one works like a charm.
The internal GSM card also works perfectly in Linux (ID 05c6:9225 Qualcomm, Inc. Sony Gobi 2000 Wireless Modem), just a note, I disabled the PIN request on the ISP chip, I did this because from time to time I lost communication with the GSM device after suspending to ram or disk.
The Ati Radeon card works really well with the fglrx driver (even the hybrid features).

What haven’t I tested / used till now:
I never tried to use the Blu-ray functions; I’ve recorded CDs and DVDs but never used Blu-ray disks (I just have some Playstation 3 games on Blu-ray).

User experience and usability:
Let me say it this way… I LOVE MY NEW VAIO!
It’s small yet powerful, it has a nice amount of RAM, a fast SSD and good battery life. The display is great, although the viewing angles aren’t that good.
In what concerns mobility I can’t find anything better: I really like the Intel wireless device (supporting 802.11b/g/n), the GSM card is a major feature and a really nice one to have if you move a lot, and the usual ethernet port also delivers good performance.
What I don’t like at all are the mouse buttons; they are hard to press and noisy. The same happens to the fan if you’re running at full speed (like compiling a kernel), it will get noisy, but if you’re just working on LibreOffice or using Firefox it will be just fine.
On the other hand the lightened keyboard is great for working late at home or in the plane, you’ll not be searching for keys anymore.

Conclusion
Do I tell you to buy this one?
YES, it’s small, fast, pretty and it will deliver; you’ll be able to work full days on this one without missing your desktop computer 🙂

PS – What do I like more than my new Vaio?
My new tablet, I’ve also bought a Samsung Galaxy Tab 10.1 but I’ll write about it sometime.
Cheers,
Pedro Oliveira


Kernel 2.6.31 is out and rocking!

This weekend I’ve had some free time so I tested a new kernel on my suse 11.1 x86_64 system. I’ve been a beta tester for the kernel for some time and I was eager to test the final version.

There are plenty of new features; the ones I enjoy most are probably in the filesystem area, but there is plenty to choose from.

This version adds USB 3.0 support, an equivalent of FUSE for character devices used for proxying OSS sound to ALSA, some memory management changes that improve interactivity on desktops, readahead improvements, ATI Radeon modesetting support, support for Intel’s Wireless Multicomm 3200 Wi-Fi devices, kernel support and a userspace tool for performance counters, gcov support, a memory checker for uninitialized memory, a memory leak detector, a reimplementation of inotify and dnotify on top of a new filesystem notification infrastructure, btrfs improvements, support for the IEEE 802.15.4 network standard, IPv4 over FireWire, many new drivers, small improvements and fixes.

You may see the whole list here:

http://kernelnewbies.org/Linux_2_6_31

I still didn’t do extensive testing but so far so good ;), although my KDE 4.3 seems to lag a bit; I’m not sure if this is from the new kernel or the changes I’ve done within KDE itself.

On the other hand, with server machines it works perfectly; I’m doing stress tests on two virtual servers and measuring memory usage / IO times / CPU usage.

In the test I’m using two openSUSE 11.1 x86_64 machines, one with the 2.6.27 kernel version and the other with 2.6.31, with the same amount of memory and 2 CPUs each on the same host. I hope to have some more data in a few days and then post the results (cacti graphs) here if they are relevant.

So, what are you waiting for… TRY IT

Cheers

Pedro Oliveira