Setting Up a Site-to-Site VPN using a Linksys RV082 and OpenWrt/Openswan on a WRT54GS

After a week of trying out several different types of VPNs (PPTP, SSTP, IPSEC) at my new office, I finally figured out a solution to set up a WAN between my Linksys WRT54GSv3 and a Linksys RV082 business router. The solution was initially presented by Joe Kelly at NerdBoys.com but I couldn’t get it to actually work until tonight.

Being a big fan of DD-WRT, I was hoping that I would be able to use it for my IPSEC VPN but DD-WRT only supports OpenVPN, not Openswan, which is what I need to connect to the remote RV082 router.

The techniques provided by Joe worked but the software did not. Apparently, I had to downgrade to OpenWrt from his suggested RC6 to RC4. With RC6, I could establish a tunnel successfully, but I could not ping and traffic did not go through either side. I thought it was my routing table but RC4 has the same routing table and it works perfectly.

Setting up a tunnel is actually easier than I expected — I had to modify just 3 files on my OpenWrt install and add one tunnel to my RV082. So here’s what my network looks like:

                      OpenWRT (LFT)      RV082 (ATX)
External IP           24.0.175.222       4.2.2.2
External Gateway      24.0.175.221       4.2.2.1
Internal IP           172.16.1.1         172.16.0.1
Internal Subnet       172.16.1.0         172.16.0.0
Internal Subnet Mask  255.255.255.0      255.255.255.0

File 1: /etc/ipsec.conf

version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        plutodebug="none"
        klipsdebug="none"
        nat_traversal=no
        interfaces=%defaultroute

# Add connections here
conn LFT-to-ATX
        authby=secret
        keyexchange=ike
        ikelifetime=480m
        keylife=60m
        pfs=yes
        left=24.0.175.222
        leftsubnet=172.16.1.0/24
        leftsourceip=172.16.1.1
        leftnexthop=24.0.175.221
        right=4.2.2.2
        rightsubnet=172.16.0.0/24
        rightnexthop=4.2.2.1
        auto=start
        dpddelay=10
        dpdtimeout=30
        dpdaction=hold

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

File 2: /etc/ipsec.secrets

# wildcard entry (any peer); a per-pair form is also valid: 24.0.175.222 4.2.2.2 : PSK "..."
: PSK "mybigolsecret"

I appended the following to file 3: /etc/firewall.user

### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
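As an added check that is not part of the original post, this small Python script parses the conn section of an ipsec.conf and verifies the address details that most often lie behind a tunnel that comes up but passes no traffic: the two LANs must not overlap, leftsourceip must sit inside leftsubnet, and the postrouting_rule NAT exemption in firewall.user must cover rightsubnet (otherwise LAN-to-LAN packets are masqueraded to the WAN address and no longer match the tunnel's subnet selectors). IPSEC_CONF and the two firewall excerpts are constructed copies of the post's values; BAD_FIREWALL carries a deliberate typo.

```python
import ipaddress
import re

# Constructed: the address lines of the post's conn section
IPSEC_CONF = """\
conn LFT-to-ATX
        left=24.0.175.222
        leftsubnet=172.16.1.0/24
        leftsourceip=172.16.1.1
        right=4.2.2.2
        rightsubnet=172.16.0.0/24
"""

# Constructed firewall.user excerpt; NAT exemption typed as .2.0 instead of .0.0
BAD_FIREWALL = """\
iptables -A input_rule -p esp -j ACCEPT
iptables -t nat -A postrouting_rule -d 172.16.2.0/24     -j ACCEPT
"""
GOOD_FIREWALL = BAD_FIREWALL.replace("172.16.2.0", "172.16.0.0")
NAT_EXEMPT = re.compile(r"-t nat .*postrouting_rule .*-d (\S+)\s.*-j ACCEPT")

def parse_conns(text):
    """Return {name: {key: value}} for every 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if line and not line[0].isspace():        # unindented line: section header
            words = line.split()
            current = conns.setdefault(words[1], {}) if words[0] == "conn" else None
        elif line and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def check(conn, fw_text):
    """Return a list of problems that explain 'tunnel up, no traffic': overlapping
    LANs, leftsourceip outside leftsubnet, or remote LAN not exempted from NAT."""
    lsub = ipaddress.ip_network(conn["leftsubnet"])
    rsub = ipaddress.ip_network(conn["rightsubnet"])
    problems = []
    if lsub.overlaps(rsub):
        problems.append("leftsubnet overlaps rightsubnet")
    if ipaddress.ip_address(conn["leftsourceip"]) not in lsub:
        problems.append("leftsourceip is outside leftsubnet")
    exempt = [ipaddress.ip_network(m.group(1))
              for m in map(NAT_EXEMPT.search, fw_text.splitlines()) if m]
    if not any(rsub.subnet_of(e) for e in exempt):
        problems.append(f"no postrouting_rule NAT exemption covers {rsub}")
    return problems
```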

After restarting ipsec on OpenWrt (ipsec setup restart), the following routing table was produced:

Destination     Gateway         Genmask          Flags  Metric  Ref  Use  Iface
24.0.175.220    0.0.0.0         255.255.255.252  U      0       0    0    ipsec0
24.0.175.220    0.0.0.0         255.255.255.252  U      0       0    0    vlan1
172.16.1.0      0.0.0.0         255.255.255.0    U      0       0    0    br0
172.16.0.0      24.0.175.221    255.255.255.0    UG     0       0    0    ipsec0
0.0.0.0         24.0.175.221    0.0.0.0          UG     0       0    0    vlan1

As for the configuration on the RV082 side, it looks like this:

[Screenshot of the RV082 VPN tunnel configuration]

The RV082’s routing table looks like so:

Destination IP Address  Subnet Mask      Default Gateway  Hop Count  Interface
4.2.2.0                 255.255.255.248  *                40         ixp1
4.2.2.0                 255.255.255.248  *                45         ipsec0
172.16.1.0              255.255.255.0    4.2.2.1          10         ipsec0
172.16.0.0              255.255.255.0    *                50         ixp0
default                 0.0.0.0          4.2.2.1          40         ixp1

And voila! A secure, perma-VPN is born. There are big ol gaps in information here, but Joe’s fab post fills in much of that if you need it.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Networking
One comment on “Setting Up a Site-to-Site VPN using a Linksys RV082 and OpenWrt/Openswan on a WRT54GS”

1. Joe says:

    Thanks for the plug. I'm glad you got it to work! Openswan is a pain in the butt to configure and troubleshoot. I've found OpenVPN much easier to work with. On the other hand, Openswan seems to use less CPU than OpenVPN on the WRT54G series. Six of one, half a dozen of the other, I guess.
