After a week of trying out several different types of VPNs (PPTP, SSTP, IPSEC) at my new office, I finally figured out a solution to set up a WAN between my Linksys WRT54GSv3 and a Linksys RV082 business router. The solution was initially presented by Joe Kelly at NerdBoys.com, but I couldn’t get it to actually work until tonight.
Being a big fan of DD-WRT, I was hoping that I would be able to use it for my IPSEC VPN but DD-WRT only supports OpenVPN, not Openswan, which is what I need to connect to the remote RV082 router.
The techniques provided by Joe worked but the software did not. Apparently, I had to downgrade OpenWrt from his suggested RC6 to RC4. With RC6, I could establish a tunnel successfully, but I could not ping and traffic did not go through on either side. I thought it was my routing table, but RC4 has the same routing table and it works perfectly.
Setting up a tunnel is actually easier than I expected — I had to modify just 3 files on my OpenWrt install and add one tunnel to my RV082. So here’s what my network looks like:
| | OpenWRT (LFT) | RV082 (ATX) |
| --- | --- | --- |
| Internal Subnet Mask | 255.255.255.0 | 255.255.255.0 |
File 1: /etc/ipsec.conf
# basic configuration
# Add connections here
#Disable Opportunistic Encryption
File 2: /etc/ipsec.secrets
I appended the following to file 3: /etc/firewall.user
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
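Before copying a rule set like the one above onto the router, it is worth checking that nothing was lost in transit: a single option dash turned into a typographic dash by a blog or word processor makes iptables reject that line, and a missing no-NAT rule means LAN traffic for the remote subnet gets masqueraded to the WAN address and never matches the tunnel policy. The POSIX sh lint below is an added example, not from the original post or Joe's; it assumes the chain names, the ipsec0 interface and the 172.16.0.0/24 remote LAN used above, and the rule text it reads is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: lint a firewall.user-style rule
# set for the IPsec setup described above before loading it on the router.
# Assumed: chain names input_rule/forwarding_rule/postrouting_rule, the
# ipsec0 KLIPS interface and the remote LAN 172.16.0.0/24 from the post.

# Constructed sample: the post's rules, with one option dash left mangled
# the way a blog copy-paste produces it, and the no-NAT rule omitted.
RULES='iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp -m udp –dport 4500 -j ACCEPT
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT'

# Count iptables options written with a typographic dash (e.g. "–dport");
# iptables rejects them, so the rule is silently absent after a reload.
count_bad_dashes() {
    printf '%s\n' "$1" | grep -c -- '[^-]–[a-z]' || true
}

# Print the names of tunnel rules missing from $1 for remote LAN $2
# (esp, isakmp, natt, nonat, fwd_out, fwd_in); prints nothing if complete.
missing_rules() {
    rules=$1; remote=$2
    check() { printf '%s\n' "$rules" | grep -q -- "$2" || printf '%s\n' "$1"; }
    check esp     '-A input_rule -p esp -j ACCEPT'
    check isakmp  '-A input_rule -p udp -m udp --dport 500 -j ACCEPT'
    check natt    '-A input_rule -p udp -m udp --dport 4500 -j ACCEPT'
    check nonat   "-t nat -A postrouting_rule -d $remote -j ACCEPT"
    check fwd_out '-A forwarding_rule -i [^ ]* -o ipsec0 -j ACCEPT'
    check fwd_in  '-A forwarding_rule -i ipsec0 -o [^ ]* -j ACCEPT'
}

# Summarise; returns non-zero if anything is wrong so it can gate a deploy.
lint_rules() {
    bad=$(count_bad_dashes "$1")
    missing=$(missing_rules "$1" "$2")
    echo "mangled option dashes: $bad"
    echo "missing rules: ${missing:-none}"
    [ "$bad" -eq 0 ] && [ -z "$missing" ]
}

if lint_rules "$RULES" 172.16.0.0/24; then
    echo "rule set complete"
else
    echo "fix the rule set before loading it"
fi
```

Run against the sample it reports one mangled dash and two missing rules (natt, because the mangled line no longer matches, and nonat); with the real file, pass the contents of /etc/firewall.user and the remote LAN's subnet instead.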
After restarting ipsec on OpenWrt (ipsec setup restart), the following routing table was produced:
As for the configuration on the RV082 side, it looks like this:
The RV082’s routing table looks like so:
| Destination IP Address | Subnet Mask | Default Gateway | Hop Count | Interface |
| --- | --- | --- | --- | --- |
And voila! A secure, perma-VPN is born. There are big ol' gaps in information here, but Joe’s fab post fills in much of that if you need it.