VPN between two DD-WRT routers

OpenVPN Router to Router Bridged Configuration Alternative (Hardware VPN)

This is a quick and dirty guide to creating a VPN between two DD-WRT v24 SP2 routers (both flashed with the VPN build).

This gives hardware-VPN-like access on the client side to more than one client, device, or appliance that does NOT have built-in VPN capability but does have wireless and/or DHCP capability. Examples:

  • Internet video box that is service- and region-limited.
  • Region-limited gaming console.
  • In theory you can use a video device or gaming console outside the US while still using US services, as long as the DD-WRT server is in the US.
  • ISPs that limit service to their own IP ranges.
  • Devices that don’t have native VPN clients, such as a tablet or PDA that you want to use in a coffee shop with a tunnel back to your home or business.

When set up correctly, all traffic is routed and encrypted over the VPN. The DHCP lease is provided by the remote DD-WRT server. All clients share the WAN IP of the server (NAT).

  • You can route specific traffic to the local DD-WRT router or a PC, but that is outside the scope of this guide (via the route command and by changing the default gateway with manual IP assignments).
  1. The local router’s WAN port will be connected to a network with internet access (either directly with a real, public IP address or with a NAT/reserved address; this setup works with double NAT). This guide assumes you are getting a WAN address of 192.168.1.10.
  2. The remote router’s IP address is 10.19.77.1 (50 clients MAX, start IP 10.19.77.2). It has working internet service. 🙂
  3. The local router’s IP address is 10.19.77.77 (DHCP is off).
  4. This is operating in bridged mode, which is less efficient than routed mode when dealing with network broadcasts and other traffic.
  5. Port 8080 will be used in this example; change this if you like.
  6. An item in red (in the original wiki formatting) is something you can or should change.
  • You can set up the local DD-WRT router to use a proxy or SOCKS server, but that is outside the scope of this guide.
  • You can set up the remote DD-WRT router to be behind a firewall/proxy/NAT and/or act as a switch/access point (NAT OFF) and get DHCP leases for local devices from ANOTHER remote DHCP server, but that is outside the scope of this guide.

The Quick and Dirty:

  1. Turn off DHCP on the local router.
  2. Change the local LAN IP to something beyond the DHCP lease range of the remote DHCP server, e.g. 10.19.77.77.
  3. Set the time zone and NTP time server the same on both the local and the remote router.

I suggest giving the remote server a LAN range outside the range used on the WAN side of the local router. Ex. If your local router’s WAN IP is 192.168.1.10, don’t use 192.168.1.x as the remote server’s LAN range.

I HIGHLY suggest using certificates and NOT a static key (please look elsewhere for assistance on this). The static key was omitted from the scripts below for security reasons; USE YOUR OWN when testing, and switch to certificates when done.

The remote server’s host and domain have been altered. Use your own here!

I suggest using UDP and not TCP (use "--proto udp" in both the remote and the local router configuration scripts). TCP helps when using SOCKS or HTTP proxies, since they generally only allow TCP. Some ISPs throttle UDP traffic but not TCP. TCP does carry a performance penalty on congested or slow connections, however. I also suggest using dynamic DNS on the remote DD-WRT router; look elsewhere for information on this.

Remote Router Scripts:

# Allow the OpenVPN listener through the firewall (TCP 8080 in this example).
iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT
# Create the TAP interface and bridge it into the LAN bridge br0.
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
# Write the static key. Replace the placeholder line with your own key
# (generate one with "openvpn --genkey --secret static.key").
echo "-----BEGIN OpenVPN Static key V1-----
ATTN get your own static key!
-----END OpenVPN Static key V1-----" > /tmp/static.key
# Keep the key readable by root only (the local script does this too).
chmod 600 /tmp/static.key
# Symlink so the process shows up as "myvpn" in the process list.
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 8080 --proto tcp-server --keepalive 10 60 --verb 3 --daemon

Local Router Scripts:

cd /tmp
# Symlink once so the process shows up as "myvpn" in the process list.
ln -s /usr/sbin/openvpn /tmp/myvpn
# Create the TAP interface and bridge it into the LAN bridge br0.
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5
# Write the static key. It must be the SAME key as on the remote router;
# replace the placeholder line with your own.
echo "-----BEGIN OpenVPN Static key V1-----
ATTN get your own static key!
-----END OpenVPN Static key V1-----" > /tmp/static.key
chmod 600 /tmp/static.key
# Connect out to the remote router (replace the hostname with your own dynamic DNS name).
/tmp/myvpn --secret /tmp/static.key --dev tap0 --remote MYHOST.DYNAMICdns.xxx --proto tcp-client --port 8080 --comp-lzo --keepalive 10 60 --verb 3 --daemon
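Both scripts above write the static key with a placeholder line where the real key belongs, and the remote script as originally posted did not restrict the key file's permissions. The following is an added example, not part of the wiki page or of DD-WRT, that a startup script can run before launching the tunnel: it checks that /tmp/static.key is a well-formed OpenVPN "Static key V1" file (BEGIN/END markers around exactly 16 lines of 32 hex characters, i.e. the 2048-bit key that "openvpn --genkey" produces) and that it is not readable by other users. The function names and the constructed sample key are the example's own.

```shell
#!/bin/sh
# Added example (not from the DD-WRT wiki page): sanity-check an OpenVPN
# "Static key V1" file before starting the tunnel.

# check_static_key FILE
# Returns 0 if FILE has the BEGIN/END markers and exactly 16 body lines of
# 32 hex characters each (2048 bits); returns 1 and explains otherwise.
check_static_key() {
    f="$1"
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" \
        || { echo "$f: no BEGIN marker" >&2; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" \
        || { echo "$f: no END marker" >&2; return 1; }
    # Count the lines between the markers that are exactly 32 hex digits.
    n=$(sed -n '/^-----BEGIN/,/^-----END/p' "$f" \
        | grep -c '^[0-9a-fA-F]\{32\}$' || true)
    [ "$n" -eq 16 ] \
        || { echo "$f: expected 16 hex lines, found $n (placeholder key?)" >&2; return 1; }
    return 0
}

# check_key_perms FILE
# Returns 0 if FILE is readable by its owner only (mode 600 or 400).
check_key_perms() {
    f="$1"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f: insecure mode $mode, run chmod 600" >&2; return 1 ;;
    esac
}

# write_sample_key FILE
# Writes a CONSTRUCTED, non-secret placeholder key with the right shape
# (16 lines of 32 hex characters) so the checks can be exercised offline.
# Never use this as a real key; generate one with "openvpn --genkey".
write_sample_key() {
    (
        umask 077
        {
            echo '-----BEGIN OpenVPN Static key V1-----'
            i=0
            while [ "$i" -lt 16 ]; do
                # 2 hex digits of line number + 30 fixed hex digits = 32
                printf '%02x%s\n' "$i" '0123456789abcdef0123456789abcd'
                i=$((i + 1))
            done
            echo '-----END OpenVPN Static key V1-----'
        } > "$1"
    )
}

# Usage in a DD-WRT startup script, before launching /tmp/myvpn:
#   check_static_key /tmp/static.key && check_key_perms /tmp/static.key || exit 1
```

The placeholder text the page's echo writes ("ATTN get your own static key!") fails the hex-line count, so a copy-pasted script that never had its key filled in is caught before OpenVPN is started rather than discovered later as a tunnel that will not come up.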

I had problems with the other scripts in this entire wiki which cover OpenVPN setups. You will notice that my above scripts don’t make use of the .conf file. I was not able to get those to work. So I did it the old script way, which has since been removed from this wiki (and now re-entered by me). —S19303cc 20:29, 16 January 2011 (CET)


Introduction

This setup will bridge DD-WRT routers, allowing any host connected to one network to be reachable from the other side across the WAN. To keep this HOWTO simple I’ll use only two DD-WRT routers, but in theory you can extend the setup to any number of routers.

Notes

  • If your ISP does not provide you with a fixed IP address, you should first create a dynamic DNS account with any DD-WRT-supported provider. I’ll use a No-IP.com account in the article’s examples.
  • I assume your WAN is already up; if you need a different setup, feel free to change whatever you need.

Tested Versions

This article should work with any supported DD-WRT version. Feel free to add your version to the following list:

  • DD-WRT v24-sp2 (10/10/09) std-nokaid (instructions below are not for v24-sp2 firmware; may work (untested) with method from http://www.dd-wrt.com/phpBB2/viewtopic.php?p=10933#10933)

Configuration

Generic information

  • dd-wrt-01
    • Address: 192.168.1.1
    • Netmask: 255.255.255.0
    • Gateway: 0.0.0.0
    • DHCP Range: 192.168.1.100-150
    • DDNS: foo-corp-dd-wrt-01.no-ip.com
  • dd-wrt-02
    • Address: 192.168.2.1
    • Netmask: 255.255.255.0
    • Gateway: 0.0.0.0
    • DHCP Range: 192.168.2.100-150
    • DDNS: foo-corp-dd-wrt-02.no-ip.com

dd-wrt-01

This step configures the basic information for the local network.

  1. Go to Setup > Basic Setup
  2. Set Router Name and Host Name to "dd-wrt-01"
  3. Set Local IP Address to "192.168.1.1"
  4. Set Subnet Mask to "255.255.255.0"
  5. Save

Now let’s make your dynamic IP address always reachable through a hostname.

  1. Go to Administration > DDNS
  2. Set DNS Service to "No-IP.com"
  3. Change Username, Password and Hostname to your personal account information
  4. Hostname in this example will be set to "foo-corp-dd-wrt-01.no-ip.com"
  5. Save

Now we tell the router that there is another network on the other side of the WAN. Basically we’re telling it: "If you want to reach any host on the 192.168.2.x subnet, forward your packet through the router at IP address 192.168.2.1."

  1. Go to Setup > Advanced Routing
  2. Under Static Routing:
  3. Set Route Name to "foo-corp-dd-wrt-02"
  4. Set Metric to "0"
  5. Set Destination LAN NET to "192.168.2.0"
  6. Set Subnet Mask to "255.255.255.0"
  7. Set Gateway to "192.168.2.1"
  8. Set Interface to "ANY"
  9. Save

This router will have the role of "concentrator", meaning that every router that wants to be part of our bridge should connect to it. If you’ve got a more complex design with three routers (A, B and C), traffic from B to C will always pass through router A.

  1. Go to Services > PPTP
  2. Enable PPTP Server
  3. Set Server IP to "192.168.1.1"
  4. Set Client IP(s) to "192.168.1.200-201"
  5. Set CHAP-Secrets to: " * *"
  6. Disable PPTP Client Options
  7. Save

Saving ourselves from a headache... 😉

  1. Go to Security > VPN
  2. Enable PPTP Passthrough
  3. Disable IPSec and L2TP Passthrough
  4. Save

This step may be optional, but routing packets through a WAN interface without encryption is stupid.

  1. Go to Administration > Commands
  2. Enter "sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd"
  3. Save Startup
  4. NOTE: This will force all PPTP clients to use encryption
  5. Save
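The sed one-liner in the last step only rewrites an "mppe" line that already exists in /tmp/pptpd/options.pptpd; if the generated file has no such line, the substitution silently does nothing and unencrypted sessions remain allowed. The following is an added example, not part of the wiki page or of DD-WRT, showing a startup-script variant that applies the page's substitution when the line is present, appends the directive when it is absent, and can be run repeatedly without duplicating the line. The function names and the constructed sample options files are the example's own; it treats the line syntax "mppe required,stateless" exactly as the page uses it. (Independently of this step, PPTP's MS-CHAPv2 authentication is considered broken, so forcing MPPE limits exposure but does not make PPTP a strong VPN.)

```shell
#!/bin/sh
# Added example (not from the DD-WRT wiki page): enforce "mppe required,stateless"
# in a pppd/pptpd options file, handling the case where no mppe line exists.

# enforce_mppe FILE
# Ensures FILE contains a single line "mppe required,stateless".
# Returns 0 on success, 1 if FILE is not writable.
enforce_mppe() {
    f="$1"
    [ -w "$f" ] || { echo "cannot write $f" >&2; return 1; }
    if grep -q '^mppe ' "$f"; then
        # Same substitution as the page's startup command.
        sed -i -e 's/mppe .*/mppe required,stateless/' "$f"
    else
        # The page's sed would be a no-op here; add the directive instead.
        echo 'mppe required,stateless' >> "$f"
    fi
}

# mppe_setting FILE
# Prints the effective mppe line (empty if none) so a startup script can
# verify the result before pptpd is (re)started.
mppe_setting() {
    grep '^mppe ' "$1" | tail -n 1
}

# write_sample_options FILE MODE
# Writes a CONSTRUCTED options file for testing. MODE "weak" includes an
# mppe line that does not require encryption; MODE "none" omits it entirely,
# which is the case the page's one-liner does not cover.
write_sample_options() {
    {
        echo 'name pptpd'
        echo 'auth'
        echo 'require-mschap-v2'
        if [ "$2" = weak ]; then echo 'mppe stateless'; fi
        echo 'proxyarp'
    } > "$1"
}

# Usage in a DD-WRT startup script (replaces the page's bare sed line):
#   enforce_mppe /tmp/pptpd/options.pptpd || exit 1
#   [ "$(mppe_setting /tmp/pptpd/options.pptpd)" = 'mppe required,stateless' ] || exit 1
```

Checking the result with mppe_setting after applying the change is the part worth keeping even if you stay with the page's one-liner: a startup command that fails silently is indistinguishable from one that worked until an unencrypted client connects.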

dd-wrt-02

  1. Go to Setup > Basic Setup
  2. Set Router Name and Host Name to "dd-wrt-02"
  3. Set Local IP Address to "192.168.2.1"
  4. Set Subnet Mask to "255.255.255.0"
  5. Save

  1. Go to Administration > DDNS
  2. Set DNS Service to "No-IP.com"
  3. Change Username, Password and Hostname to your personal account information
  4. Hostname in this example will be set to "foo-corp-dd-wrt-02.no-ip.com"
  5. Save

Now we tell the router that there is another network on the other side of the WAN. Basically we’re telling it: "If you want to reach any host on the 192.168.1.x subnet, forward your packet through the router at IP address 192.168.1.1."

  1. Go to Setup > Advanced Routing
  2. Set Route Name to "foo-corp-dd-wrt-01"
  3. Set Metric to "0"
  4. Set Destination LAN NET to "192.168.1.0"
  5. Set Subnet Mask to "255.255.255.0"
  6. Set Gateway to "192.168.1.1"
  7. Set Interface to "ANY"
  8. Save

This router will have the role of "node".

  1. Go to Services > PPTP
  2. Disable PPTP Server
  3. Enable PPTP Client Options
  4. Set Server IP or DNS Name to "foo-corp-dd-wrt-01.no-ip.com"
  5. Set Remote Subnet to "192.168.1.0"
  6. Set Remote Subnet Mask to "255.255.255.0"
  7. Set MPPE Encryption to "mppe required"
  8. Set MTU to "1450"
  9. Set MRU to "1450"
  10. Enable NAT
  11. Set Username to "PPTP_CLIENT_USERNAME_SITE02"
  12. Set Password to "PPTP_CLIENT_PASSWORD_SITE02"
  13. Save

  1. Go to Security > VPN
  2. Enable PPTP Passthrough
  3. Disable IPSec and L2TP Passthrough
  4. Save

Notes

  • The routers’ subnets must not overlap each other (i.e. 192.168..1).
  • The IP address pool for VPN clients must be outside the range of DHCP clients.
  • In the example the IP range used for VPN clients was "192.168.1.200-201", so 2 VPN clients are allowed to connect to our concentrator. Increase this if more routers will be bridged.

Issues

  • Not sure why "NAT" is enabled, given the sites are a site-to-site route — NAT will break the whole premise of a site-to-site connection
