Setting Up a Site-to-Site VPN using a Linksys RV082 and OpenWrt/Openswan on a WRT54GS

After a week of trying out several different types of VPNs (PPTP, SSTP, IPSEC) at my new office, I finally figured out a solution to set up a WAN between my Linksys WRT54GSv3 and a Linksys RV082 business router. The solution was initially presented by Joe Kelly at NerdBoys.com, but I couldn't get it to actually work until tonight.

Being a big fan of DD-WRT, I was hoping that I would be able to use it for my IPSEC VPN but DD-WRT only supports OpenVPN, not Openswan, which is what I need to connect to the remote RV082 router.

The techniques provided by Joe worked but the software did not. Apparently, I had to downgrade to OpenWrt from his suggested RC6 to RC4. With RC6, I could establish a tunnel successfully, but I could not ping and traffic did not go through either side. I thought it was my routing table but RC4 has the same routing table and it works perfectly.

Setting up a tunnel is actually easier than I expected -- I had to modify just 3 files on my OpenWrt install and add one tunnel to my RV082. So here's what my network looks like:

                          OpenWRT (LFT)      RV082 (ATX)
    External IP           24.0.175.222       4.2.2.2
    External Gateway      24.0.175.221       4.2.2.1
    Internal IP           172.16.1.1         172.16.0.1
    Internal Subnet       172.16.1.0         172.16.0.0
    Internal Subnet Mask  255.255.255.0      255.255.255.0

File 1: /etc/ipsec.conf

    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
        plutodebug="none"
        klipsdebug="none"
        nat_traversal=no
        interfaces=%defaultroute

    # Add connections here
    conn LFT-to-ATX
        authby=secret
        keyexchange=ike
        ikelifetime=480m
        keylife=60m
        pfs=yes
        left=24.0.175.222
        leftsubnet=172.16.1.0/24
        leftsourceip=172.16.1.1
        leftnexthop=24.0.175.221
        right=4.2.2.2
        rightsubnet=172.16.0.0/24
        rightnexthop=4.2.2.1
        auto=start
        dpddelay=10
        dpdtimeout=30
        dpdaction=hold

    # Disable Opportunistic Encryption
    include /etc/ipsec.d/examples/no_oe.conf

File 2: /etc/ipsec.secrets

    # pre-shared key for authby=secret; the same string goes into the RV082 tunnel settings
    : PSK "mybigolsecret"

I appended the following to file 3: /etc/firewall.user

    ### IPSec VPN
    # allow IPSEC
    iptables -A input_rule -p esp -j ACCEPT
    # allow ISAKMP
    iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
    # allow NAT-T
    iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
    # disable NAT for communications with remote LAN
    iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
    # Allow any traffic between tunnel LANs
    iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
    iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
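The "tunnel is up but nothing gets through" symptom described above usually comes down to one of the three files disagreeing with each other. The following is an added Python checker, not from the post, from OpenWrt or from Openswan, that parses the conn section of an ipsec.conf and the iptables lines of a firewall.user and flags the mistakes that produce that symptom: overlapping subnets, a missing NAT exemption for the remote LAN, or a missing ESP/ISAKMP input rule. The two sample strings are constructed from this post's values.

```python
import ipaddress
import re

# Constructed sample input: the LFT-to-ATX conn from this post and its firewall.user lines.
IPSEC_CONF = """\
conn LFT-to-ATX
    left=24.0.175.222
    leftsubnet=172.16.1.0/24
    right=4.2.2.2
    rightsubnet=172.16.0.0/24
"""
FIREWALL_USER = """\
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
"""
# Input rules the IKE/ESP exchange needs on the OpenWrt side (nat_traversal=no, so 4500 is optional).
REQUIRED_INPUT = {"ESP": r"-p esp\s.*-j ACCEPT", "ISAKMP (UDP 500)": r"--dport 500\s.*-j ACCEPT"}

def parse_conns(text):
    """Return {conn name: {key: value}} from the key=value lines of each conn section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def nat_exempt_networks(text):
    """Destinations excluded from postrouting NAT (-t nat ... -d NET -j ACCEPT)."""
    return {ipaddress.ip_network(m.group(1)) for m in re.finditer(r"-t nat\s.*?-d\s+(\S+)\s.*?-j ACCEPT", text)}

def check_tunnel(conn, firewall):
    """List misconfigurations that leave a tunnel 'up' but passing no LAN-to-LAN traffic."""
    problems = []
    left_net = ipaddress.ip_network(conn["leftsubnet"])
    right_net = ipaddress.ip_network(conn["rightsubnet"])
    if left_net.overlaps(right_net):
        problems.append("leftsubnet and rightsubnet overlap")
    if right_net not in nat_exempt_networks(firewall):
        problems.append("no NAT exemption for rightsubnet: traffic to the remote LAN gets masqueraded")
    for name, pattern in REQUIRED_INPUT.items():
        if not re.search(pattern, firewall):
            problems.append(f"{name} is not accepted on input")
    return problems
```

Run it against the real files with check_tunnel(parse_conns(open("/etc/ipsec.conf").read())["LFT-to-ATX"], open("/etc/firewall.user").read()); an empty list means the three files agree.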

After restarting ipsec on OpenWrt (ipsec setup restart), the following routing table was produced:

    Destination     Gateway         Genmask          Flags  Metric  Ref  Use  Iface
    24.0.175.220    0.0.0.0         255.255.255.252  U      0       0    0    ipsec0
    24.0.175.220    0.0.0.0         255.255.255.252  U      0       0    0    vlan1
    172.16.1.0      0.0.0.0         255.255.255.0    U      0       0    0    br0
    172.16.0.0      24.0.175.221    255.255.255.0    UG     0       0    0    ipsec0
    0.0.0.0         24.0.175.221    0.0.0.0          UG     0       0    0    vlan1

As for the configuration on the RV082 side, it looks like this:

[Screenshot: RV082 VPN tunnel configuration page]

The RV082's routing table looks like so:

    Destination IP Address  Subnet Mask      Default Gateway  Hop Count  Interface
    4.2.2.0                 255.255.255.248  *                40         ixp1
    4.2.2.0                 255.255.255.248  *                45         ipsec0
    172.16.1.0              255.255.255.0    4.2.2.1          10         ipsec0
    172.16.0.0              255.255.255.0    *                50         ixp0
    default                 0.0.0.0          4.2.2.1          40         ixp1

And voila! A secure, perma-VPN is born. There are big ol gaps in information here, but Joe's fab post fills in much of that if you need it.