Setting Up a Site-to-Site VPN using a Linksys RV082 and OpenWrt/Openswan on a WRT54GS

After a week of trying out several different types of VPNs (PPTP, SSTP, IPSEC) at my new office, I finally figured out a solution to set up a WAN between my Linksys WRT54GSv3 and a Linksys RV082 business router. The solution was initially presented by Joe Kelly at NerdBoys.com but I couldn't get it to actually work until tonight.

Being a big fan of DD-WRT, I was hoping that I would be able to use it for my IPSEC VPN but DD-WRT only supports OpenVPN, not Openswan, which is what I need to connect to the remote RV082 router.

The techniques provided by Joe worked but the software did not. Apparently, I had to downgrade to OpenWrt from his suggested RC6 to RC4. With RC6, I could establish a tunnel successfully, but I could not ping and traffic did not go through either side. I thought it was my routing table but RC4 has the same routing table and it works perfectly.

Setting up a tunnel is actually easier than I expected — I had to modify just 3 files on my OpenWrt install and add one tunnel to my RV082. So here’s what my network looks like:

                      OpenWRT (LFT)     RV082 (ATX)
External IP           24.0.175.222      4.2.2.2
External Gateway      24.0.175.221      4.2.2.1
Internal IP           172.16.1.1        172.16.0.1
Internal Subnet       172.16.1.0        172.16.0.0
Internal Subnet Mask  255.255.255.0     255.255.255.0

File 1: /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration (section parameters must be indented)
config setup
    plutodebug="none"
    klipsdebug="none"
    nat_traversal=no
    interfaces=%defaultroute

# Add connections here
conn LFT-to-ATX
    authby=secret
    keyexchange=ike
    ikelifetime=480m
    keylife=60m
    pfs=yes
    # "left" is this OpenWrt box, "right" is the remote RV082
    left=24.0.175.222
    leftsubnet=172.16.1.0/24
    leftsourceip=172.16.1.1
    leftnexthop=24.0.175.221
    right=4.2.2.2
    rightsubnet=172.16.0.0/24
    rightnexthop=4.2.2.1
    auto=start
    # dead peer detection: probe every 10s, declare the peer dead after 30s
    dpddelay=10
    dpdtimeout=30
    dpdaction=hold

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
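The conn block above only works because the RV082 end is its exact mirror image: our left* values are its right* values and the lifetimes, PFS and DPD settings agree. The following is an added example, not code from the post, Openswan or Linksys, that checks the address table for the mistakes that let a tunnel come up but pass no traffic (overlapping LAN subnets, a sourceip outside its subnet, a subnet with host bits set) and renders both ends as conn blocks so they can be compared. The function names (check_site, check_pair, conn_block, parse_conn, mirrors) are mine, and writing the RV082 side as an Openswan-style conn block is an assumption made only for comparison; the RV082 is configured through its web interface.

```python
"""Added example (not from the original post): sanity-check the two ends of a
mirrored Openswan site-to-site tunnel before touching the routers."""
import ipaddress

# Site parameters copied from the post's network table; the 24.0.175.x and
# 4.2.2.x addresses are the post's own values, used here purely as data.
LFT = {"name": "LFT", "ext": "24.0.175.222", "gw": "24.0.175.221",
       "lan_ip": "172.16.1.1", "lan": "172.16.1.0/24"}
ATX = {"name": "ATX", "ext": "4.2.2.2", "gw": "4.2.2.1",
       "lan_ip": "172.16.0.1", "lan": "172.16.0.0/24"}

# Parameters that must be identical on both ends of the tunnel.
COMMON = ["authby=secret", "keyexchange=ike", "ikelifetime=480m", "keylife=60m",
          "pfs=yes", "auto=start", "dpddelay=10", "dpdtimeout=30", "dpdaction=hold"]


def check_site(site):
    """Return a list of addressing problems for one site (empty if fine)."""
    problems = []
    try:
        # strict=True rejects "172.16.1.1/24" style subnets with host bits set
        lan = ipaddress.ip_network(site["lan"], strict=True)
    except ValueError as err:
        return [f"{site['name']}: bad subnet {site['lan']} ({err})"]
    if ipaddress.ip_address(site["lan_ip"]) not in lan:
        problems.append(f"{site['name']}: sourceip {site['lan_ip']} is outside {lan}")
    ext, gw = ipaddress.ip_address(site["ext"]), ipaddress.ip_address(site["gw"])
    if ext == gw:
        problems.append(f"{site['name']}: nexthop equals the external address")
    if ext in lan or gw in lan:
        problems.append(f"{site['name']}: external address or gateway lies inside {lan}")
    return problems


def check_pair(a, b):
    """Check both sites, then the one thing that only shows up between them."""
    problems = check_site(a) + check_site(b)
    lan_a, lan_b = ipaddress.ip_network(a["lan"]), ipaddress.ip_network(b["lan"])
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets {lan_a} and {lan_b} overlap: "
                        "hosts will never be routed through the tunnel")
    return problems


def conn_block(local, remote, name):
    """Render the Openswan conn section as seen from `local` (left = local)."""
    lines = [f"conn {name}"] + ["    " + p for p in COMMON]
    lines += [f"    left={local['ext']}", f"    leftsubnet={local['lan']}",
              f"    leftsourceip={local['lan_ip']}", f"    leftnexthop={local['gw']}",
              f"    right={remote['ext']}", f"    rightsubnet={remote['lan']}",
              f"    rightnexthop={remote['gw']}"]
    return "\n".join(lines)


def parse_conn(text):
    """Parse a conn section into a dict so a peer's block can be compared."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip().strip('"')
    return params


def mirrors(local_text, remote_text):
    """True when the peer's left* values are our right* values and vice versa,
    and the shared parameters (lifetimes, PFS, DPD) agree."""
    a, b = parse_conn(local_text), parse_conn(remote_text)
    for suffix in ("", "subnet", "nexthop"):
        if a.get("left" + suffix) != b.get("right" + suffix):
            return False
        if a.get("right" + suffix) != b.get("left" + suffix):
            return False
    shared = [p.split("=")[0] for p in COMMON]
    return all(a.get(k) == b.get(k) for k in shared)


if __name__ == "__main__":
    for problem in check_pair(LFT, ATX):
        print("PROBLEM:", problem)
    ours, theirs = conn_block(LFT, ATX, "LFT-to-ATX"), conn_block(ATX, LFT, "ATX-to-LFT")
    print(ours, "\n")
    print(theirs, "\n")
    print("mirrored:", mirrors(ours, theirs))
```

Run it with the two dictionaries edited to your own addresses; an empty problem list and `mirrored: True` means the addressing is at least consistent, which rules out the most common reason for a tunnel that establishes but carries nothing.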

File 2: /etc/ipsec.secrets
: PSK "mybigolsecret"

I appended the following to file 3: /etc/firewall.user
### IPSec VPN
# allow IPSEC (ESP payload)
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP (IKE key exchange)
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
# (postrouting_rule is evaluated before the MASQUERADE rule, so ACCEPT here
#  exempts tunnel traffic from NAT)
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs ($LAN is set earlier in firewall.user)
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT

After restarting ipsec on OpenWrt (ipsec setup restart), the following routing table was produced:

Destination     Gateway         Genmask          Flags  Metric  Ref  Use  Iface
24.0.175.220    0.0.0.0         255.255.255.252  U      0       0    0    ipsec0
24.0.175.220    0.0.0.0         255.255.255.252  U      0       0    0    vlan1
172.16.1.0      0.0.0.0         255.255.255.0    U      0       0    0    br0
172.16.0.0      24.0.175.221    255.255.255.0    UG     0       0    0    ipsec0
0.0.0.0         24.0.175.221    0.0.0.0          UG     0       0    0    vlan1

As for the configuration on the RV082 side, it looks like this:

[Screenshot of the RV082 VPN tunnel configuration]

The RV082’s routing table looks like so:

Destination IP Address  Subnet Mask      Default Gateway  Hop Count  Interface
4.2.2.0                 255.255.255.248  *                40         ixp1
4.2.2.0                 255.255.255.248  *                45         ipsec0
172.16.1.0              255.255.255.0    4.2.2.1          10         ipsec0
172.16.0.0              255.255.255.0    *                50         ixp0
default                 0.0.0.0          4.2.2.1          40         ixp1

And voilà! A secure, perma-VPN is born. There are big ol' gaps in information here, but Joe's fab post fills in much of that if you need it.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Networking