Setting Up a Site-to-Site VPN using a Linksys RV082 and OpenWrt/Openswan on a WRT54GS

After a week of trying out several different types of VPNs (PPTP, SSTP, IPSEC) at my new office, I finally figured out a solution to setup a WAN between my Linksys WRT54GSv3 and a Linksys RV082 business router. The solution was initially presented by Joe Kelly at but I couldn't get it to actually work until tonight.

Being a big fan of DD-WRT, I was hoping that I would be able to use it for my IPSEC VPN but DD-WRT only supports OpenVPN, not Openswan, which is what I need to connect to the remote RV082 router.

The techniques provided by Joe worked but the software did not. Apparently, I had to downgrade to OpenWrt from his suggested RC6 to RC4. With RC6, I could establish a tunnel successfully, but I could not ping and traffic did not go through either side. I thought it was my routing table but RC4 has the same routing table and it works perfectly.

Setting up a tunnel is actually easier than I expected -- I had to modify just 3 files on my OpenWrt install and add one tunnel to my RV082. So here's what my network looks like:

 OpenWRT (LFT)RV082 (ATX)
External IP24.0.175.2224.2.2.2
External Gateway24.0.175.2214.2.2.1
Internal IP172.16.1.1172.16.0.1
Internal Subnet172.16.1.0172.16.0.0
Internal Subnet Mask255.255.255.0255.255.255.0

File 1: /etc/ipsec.conf version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup plutodebug="none" klipsdebug="none" nat_traversal=no interfaces=%defaultroute

# Add connections here conn LFT-to-ATX authby=secret keyexchange=ike ikelifetime=480m keylife=60m pfs=yes left= leftsubnet= leftsourceip= leftnexthop= right= rightsubnet= rightnexthop= auto=start dpddelay=10 dpdtimeout=30 dpdaction=hold

#Disable Opportunistic Encryption include /etc/ipsec.d/examples/no_oe.conf

File 2: /etc/ipsec.secrets : PSK "mybigolsecret"

I appended the following on file 3: /etc/firewall.user ### IPSec VPN # allow IPSEC iptables -A input_rule -p esp -j ACCEPT # allow ISAKMP iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT # allow NAT-T iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT # disable NAT for communications with remote LAN iptables -t nat -A postrouting_rule -d -j ACCEPT # Allow any traffic between tunnel LANs iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT

After restarting ipsec on OpenWrt (ipsec setup restart), the following routing table was produced:


As for the configuration on the RV082 side, it looks like this:


The RV082's routing table looks like so:

Destination IP AddressSubnet MaskDefault GatewayHop CountInterface*40ixp1*45ipsec0*50ixp0

And voila! A secure, perma-VPN is born. There are big ol gaps in information here, but Joe's fab post fills in much of that if you need it.