Too dumb to figure out VPN on DD-WRT
April 21, 2008 11:40 AM
VPNFilter: I like my home network, but I want to access it outside of my home. How do I set up my WRT54GL running DD-WRT v23 SP2 to do that?
Versions of this question have been asked on metafilter zillions of times, but I haven't found an answer that I understand because of my tiny brain.
The specific desires:
- Wake on LAN for home computer, running XP
- Remote access and manipulation of files on home computer
- Possibly secure tunneling using SSH, although I assume this will in part be a side product of everything else; I don't need this yet but would like to have it in case I am using some shady wireless access point in the future.
- What other cool things could I do with my setup?
I know about Hamachi, but from what I can tell using DD-WRT makes Hamachi unnecessary. Is this true?
Been a while since I've played with DD-WRT, so this might be a little old.
The most important aspect is ensuring you have a public facing IP address on the router (an address an outsider can access). I'm going to make the assumption that your DD-WRT router connects to a box provided by your Internet provider.
So go into the web control panel's status screen. You'll see "Internet Configuration" with an IP address listed beneath.
If that IP address looks like
- 10.0.0.0 through 10.255.255.255
- 172.16.0.0 through 172.31.0.0
- 192.168.0.0 through 192.168.255.0
then you're going to have a few issues, as your Internet provider's box isn't giving your DD-WRT router a public address. Normally you can log in to the provider's box (it'll be the address that the DD-WRT status screen calls "gateway" under the Internet config section) and set it to not act as a NAT server.
Assuming you actually have a public IP address, or manage to get one to the DD-WRT, then you're 90% of the way there.
Now you have two choices: either you set up DD-WRT to handle the VPN connection itself, so when you connect you are part of your home network and can browse, or use your 'net connection. A guide for doing that is here. If you want instead to connect directly with a machine at home, e.g. your file-server etc. (you can still share your home 'net connection), then you'll want to follow this guide. Both choices are equally easy to do; just remember to forward the correct port to the correct server if you pick option two.
I can't speak to the topic of wake-on-lan, never used it myself.
I had a friend who used Hamachi for a while until he got a router that handled VPN correctly. The disadvantages of Hamachi: you're dependent on a third-party mediator to handle your connections, and I think that you can't bridge network connections on the far end.
Also, I think SSH Tunnelling over VPN is essentially pointless, since VPN is a secured, encrypted point to point connection anyway.
posted by Static Vagabond at 12:14 PM on April 21, 2008
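The "is my WAN address actually public?" check above is the one thing that decides whether any of the port-forward or VPN advice in this thread can work. Here it is as a small script (added example, not from the thread or from DD-WRT): it takes the "Internet Configuration" address and the "gateway" address off the status page and reports whether the provider's box is NATing. It goes one step beyond the post by also flagging the carrier-grade NAT range (100.64.0.0/10), which is not RFC 1918 but is equally unreachable from outside; the function names and the addresses in the usage line are made up for this example.

```python
import ipaddress
import sys

# The three ranges the post lists (RFC 1918 private space), as networks.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Added beyond the post: carrier-grade NAT space (RFC 6598). An ISP box that
# hands out 100.64.x.x is NATing you too, even though it is not RFC 1918.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def matching_private_range(wan_ip: str):
    """Return the RFC 1918 / CGNAT network that contains wan_ip, or None."""
    addr = ipaddress.ip_address(wan_ip)
    for net in RFC1918_RANGES + [CGNAT_RANGE]:
        if addr in net:
            return net
    return None


def wan_address_is_public(wan_ip: str) -> bool:
    """True if the 'Internet Configuration' address could be reached from outside."""
    if matching_private_range(wan_ip) is not None:
        return False
    # is_global also rejects loopback, link-local and the documentation ranges.
    return ipaddress.ip_address(wan_ip).is_global


def diagnose(wan_ip: str, gateway_ip: str) -> str:
    """One-line verdict following the post's decision: public address, or
    double NAT behind the provider's box at gateway_ip."""
    net = matching_private_range(wan_ip)
    if net is not None:
        return (f"{wan_ip} is inside {net}: the provider box at {gateway_ip} "
                f"is doing NAT; bridge it or forward the VPN port there first.")
    if wan_address_is_public(wan_ip):
        return f"{wan_ip} is public: port forwards on DD-WRT will be reachable."
    return f"{wan_ip} is not a routable address; check the WAN link."


if __name__ == "__main__":
    # Usage (hypothetical values): python wan_check.py 192.168.1.100 192.168.1.1
    wan, gw = sys.argv[1], sys.argv[2]
    print(diagnose(wan, gw))
```

If the verdict is "doing NAT", nothing you configure on DD-WRT alone will make the router reachable; the fix is on the provider's box, exactly as the post says.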
I'd do this:
- Set up an external port forward to a machine on your network running an SSH server with public key auth only
- SSH to that with a dynamic port forward (i.e. ssh -D 1080 yourmachine.foo.com)
- Use localhost:1080 to proxy SOCKS traffic to your LAN
You may even be able to do the first step with the sshd running on the WRT54G. I've been running Tomato on mine lately and have run DD-WRT in the past.
posted by kcm at 12:14 PM on April 21, 2008
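The first step of kcm's recipe, "public key auth only", is the part people get wrong, because sshd silently keeps password logins enabled unless the config turns them off, and it honours the first occurrence of a keyword, not the last. The checker below (added example, not from the thread or from OpenSSH) resolves the global section of an sshd_config the way sshd does and reports whether only key-based logins remain; the two sample configs embedded in it are constructed. It only judges the global section and stops at the first Match block, which is an assumption you would need to extend if you use per-user overrides.

```python
import re

# OpenSSH defaults for the keywords that matter (what sshd uses when the
# option is absent). ChallengeResponseAuthentication is the older name for
# KbdInteractiveAuthentication, so both are folded onto one key.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text: str) -> dict:
    """Resolve the global section of an sshd_config the way sshd does:
    keywords are case-insensitive, '#' starts a comment, 'Key value' and
    'Key=value' are both accepted, and the FIRST occurrence of a keyword wins.
    Parsing stops at the first Match block (assumption: no per-user overrides)."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            settings[key] = parts[1].strip().lower() if len(parts) > 1 else ""
            seen.add(key)
    return settings


def has_match_block(config_text: str) -> bool:
    """True if a Match block exists, i.e. the global verdict may not be the whole story."""
    return any(re.match(r"^\s*match\b", ln, re.I) for ln in config_text.splitlines())


def pubkey_only(config_text: str) -> bool:
    """True only if keys are on and every password-style path is off."""
    s = effective_settings(config_text)
    return (s["pubkeyauthentication"] == "yes"
            and s["passwordauthentication"] == "no"
            and s["kbdinteractiveauthentication"] == "no"
            and s["permitemptypasswords"] == "no")


# Constructed sample: a stock sshd_config that only sets the port.
DEFAULT_CONFIG = """\
Port 22
"""

# Constructed sample: the hardened form behind an external port forward.
# The trailing duplicate does NOT re-enable passwords: first occurrence wins.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no   # older sshd; newer ones accept KbdInteractiveAuthentication
PermitEmptyPasswords no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    # Once sshd passes this check, the client side is kcm's command:
    #   ssh -D 1080 user@yourmachine.foo.com   (hostname from the post, not a real host)
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: pubkey-only={pubkey_only(cfg)} match-blocks={has_match_block(cfg)}")
```

The duplicate-keyword case is worth keeping in mind when you copy a snippet to the bottom of an existing sshd_config: if a `PasswordAuthentication yes` already sits above it, your `no` is ignored.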
Use OpenVPN. It's as simple as it gets for non-third-party VPNs, and is light on resources. There are also clients for every platform you can think of.
We use this at work and I use a setup like you want at home, except with a FreeBSD firewall.
posted by cellphone at 12:36 PM on April 21, 2008
DD-WRT has an OpenVPN-ready firmware image for the Linksys WRT54GL (it'll be labelled "vpn", such as dd-wrt.v24_vpn_generic.bin). I've set up 3 or 4 of my soho clients with DD-WRT's VPN firmware and OpenVPN. The documentation on how to do that is at the DD-WRT Wiki. Don't muck with Hamachi since you have all the tools already in place. The WRT54GL with the right DD-WRT firmware will work fine as an OpenVPN server.
Basically, you want to follow 1.4 on that Wiki page, "server mode with certificates". The main hassle is setting up a certifying authority, but the OpenVPN package has its "easy-rsa" scripts that will more or less take care of that for you. I believe there's a small bug (that might be discussed in the documentation) where you have to set the router's timezone to UTC and turn off daylight savings. This is because the router believes the time to be UTC no matter what, and you'll muck up the date by putting in the timezone offset.
If your public IP is dynamic, set up an account at one of those DNS services like dyndns.org. DD-WRT has a DDNS configuration under the Setup section. If your ISP changes your IP, your router will notify the DDNS service. That way, you can get to your router by somename.dyndns.org.
Note that the Wiki's instructions will set up the TAP configuration/Ethernet Bridging for the VPN. You will receive an internal IP in the router's DHCP range, which will presumably put you in the same network as any PCs you might have attached to the router. This makes Windows file sharing and all that relatively easy, as you won't have to muck around with a WINS server.
I believe DD-WRT, at least in the v24 versions, has some sort of Wake-On-LAN web interface, where you can send a magic packet to a machine on the network. Presumably, once you're connected via the VPN, you can get to the router's web interface and use that to wake up your PC. I haven't tested this, but I don't see why it wouldn't work.
Feel free to ping me if you have any issues.
posted by chengjih at 1:23 PM on April 21, 2008 [1 favorite]
Response by poster: It looks like my choices are narrowed down to the Scott Hanselman link that Static Vagabond linked to above and OpenVPN with DD-WRT v24 VPN firmware that chengjih described. I am probably really confused, but it seems like the former method accomplishes VPN without upgrading my firmware or installing OpenVPN. If this is true, why would I want OpenVPN? If it isn't true, what am I not understanding?
posted by billtron at 1:41 PM on April 21, 2008
I looked for the PPTP administrative page on my DD-WRT router and I can't find it. I'm using v23SP2 for what it's worth. The DD-WRT wiki has this page with more detailed instructions on setting up the router as a PPTP server:
http://www.dd-wrt.com/wiki/index.php/PPTP_Server_Configuration
but, as noted, I can't find the admin pages that are described in the Wiki.
Possibly, PPTP has been deprecated in DD-WRT because of security vulnerabilities in the protocol, which may explain why I don't see it on my router.
So, your choices are to use PPTP which would be easier to set up but your VPN would be vulnerable to a determined attacker, or OpenVPN which is harder to set up and requires installing some software on your client computer, but is considered secure. You can weigh the OpenVPN installation hassle versus the odds of running into a determined (and skilled) attacker (who would also be more interested in breaking the PPTP rather than simply bashing you over the head and stealing your stuff when you're knocked out).
Actually, one piece of information is missing: are you going to be connecting from a computer under your control (e.g., your own laptop) or any old machine?
posted by chengjih at 3:11 PM on April 21, 2008
Response by poster: I was planning on only using laptops under our own control, but now that I think of it, what would it take to use a computer on which I could not install OpenVPN? Probably something entirely different and complicated, in which case never mind.
One question: when I make scripts on a Windows machine, what extension do I give them?
posted by billtron at 4:57 PM on April 21, 2008
In ddwrt v23sp2, you can wake any previously seen machine on the internal net by doing this:
- Administration -> WOL
- click the "wake up" button for the correct machine
I'm pretty sure the machine needs to have been visible on the network to appear in this list, but don't know whether this functionality depends on the ARP cache or not, nor how long they stay in this list if asleep.
posted by so at 8:05 PM on April 21, 2008
If you have a machine on which you can't install OpenVPN, then you have to devise some other means of connecting. As noted, older versions of DD-WRT may have PPTP as an option, with the usual security warnings.
What kind of scripts are you making on the Windows machine? I use a small batch file (.bat) on my laptop, to kick off OpenVPN with the right client configuration file, but I really don't need to do it that way. There may be other scripting files, but that would probably depend on the script interpreter, and I'm not really a Windows guy.
The Wake-On-Lan interface in DD-WRT requires the target machine's MAC address. I believe that's all that's needed.
posted by chengjih at 8:27 PM on April 21, 2008
Oh, I did find the PPTP server option for DD-WRT v23SP2. Administration | Services. There's a PPTP server option underneath the XBOX Kaid thing. I was looking for more extensive config options, but DD-WRT uses some javascript to hide those options if the service is not enabled. So, yes, you can use PPTP with the aforementioned security caveats. It depends on your threat model, and how much work you want to put into setting up your VPN.
One other thing that may not be obvious: PPTP uses a single shared secret among all your clients, so if you lose one of your machines, that secret would have to be changed everywhere. It's like all the employees at an office using the same key to get into the building: if someone is terminated, you might have to issue new keys to everyone.
OpenVPN, if configured to use certificates, won't have this sort of issue, as each of your client machines would have its own certificate, which can be centrally revoked if the machine is lost. The trade-off is that you will have to manage this mini public key infrastructure. Again, whether this is a worthwhile trade-off depends on your threat model.
posted by chengjih at 8:35 PM on April 21, 2008
posted by tdischino at 12:06 PM on April 21, 2008