To celebrate the re-launch of my "blog," I'm going to do a multi-part entry about DD-WRT. But, first, a little history.
For the first time in 10 years, I have no servers running in my house. At one point, I had three servers running in here doing various things. Then, I moved my public server offsite (it's in the rack at the office now).
That left two more Gentoo boxes running here in the house. Late last year I picked up a 1TB external hard drive, which I attached to my iMac and deactivated the file server. I will probably eventually replace this with a Drobo FS, but for now it's fine.
That just left a single Gentoo box that was running Asterisk and various network services. But I finally convinced my wife to let me drop the goofy VoIP line that I was paying $30 for and just add more minutes to her cellphone. With Asterisk out of the picture, the only thing left running on that box was network services.
Well, a few weeks ago I ordered a TP-Link TL-WR1043ND router, intending to use it as a testbed for DD-WRT. Well, my experiments worked so well that I pulled my old router out and replaced it with the DD-WRT one. The faster processor also afforded a nice speed bump of about 7 Mb/s. With it handling all the services, I pulled out the final server and deactivated it. And my office is blissfully quiet now.
DD-WRT is now handling all the minor network services (DHCP, NTP, etc).
But what is it about DD-WRT that makes it so awesome - awesome enough to rip out some of my network infrastructure to make way for it? A few things that I will cover in this post.
1. DHCP static address assignments
Believe it or not, the built-in firmware of the WRT-54G did not give you the ability to define a static address to be assigned by DHCP based on MAC address. This seems like a glaring oversight to me, but it was the reason I ran my own DHCP server rather than use the built-in ones.
In DD-WRT (v24-sp2) you can go to the Services tab and set as many as you'd like. In my case, these are a couple of devices (like printers) that are addressed via IP address by the various machines, as well as my laptop and iMac.
So that's one nice thing, but it's not nearly as cool as ...
2. VPN Support
The standard and VPN versions of DD-WRT support both PPTP and OpenVPN varieties of VPN ... and I'm actually using both at the same time. My router is both a VPN server and VPN client as well. How? Why?
Well, as to why, at dealnews, we run a PPTP-based VPN to allow us to work at home as needed. Once connected, we have access to our testing servers and all our development services. It's like being directly connected to the work network, but I'm sitting at my iMac at home in my pajamas.
I had been connecting directly from my Macs to the VPN for some time but, sitting at home the other day, I reflected on how silly it was that I was connecting two machines to the VPN and only when I needed them, rather than using DD-WRT to have a single tunnel up all the time that any computer on the home network could use if needed.
Setting up a PPTP VPN Endpoint using DD-WRT
So how did I set it up? Trial and error, as, frankly, the DD-WRT documentation is a bit lacking. So if you find yourself in my position of wanting to have a tunnel to your workplace VPN, hopefully this documentation will help you.
I'm making a few assumptions before we begin:
You have already configured your router using DD-WRT and have the most recent release (as of this writing, v24-sp2), VPN version installed.
- The version number should be in the upper right corner of the web admin. If it says "std" or "vpn," you're in good shape. If it says "micro," you probably don't have the necessary tools.
You possess some basic understanding of networking, and have the necessary settings to complete a VPN connection. If you've gotten as far as flashing with third-party firmware, you probably do.
You understand that there is the possibility, albeit remote, that you could brick your router. I am not responsible for that, which is why I suggest you purchase an additional router to get all this set up on first before sacrificing your primary router.
With that out of the way, let's begin!
Log into your router's DD-WRT web admin, and go to the Services -> VPN tab.
Under PPTPD Client, click the radio button next to Enable.
In the "Server IP or DNS Name" box, enter your VPN server.
In the "Remote Subnet" box, enter the network address of the remote network. In my case, this was 10.1.2.0.
In the " Remote Subnet Mask" box, enter the remote subnet mask. In my case, this was 255.255.255.0.
In the "MPPE Encryption" box, I have "mppe required,no40,no56,stateless". This was required to get mine to work, but may not be necessary for you. Try first without it, then try with it if it won't work.
Leave the MTU and MRU values alone unless you know what you're doing.
Username and password are self explanatory.
WIth that done, press "Save" and "Apply Settings" at the bottom the page. With any luck, you should now have a VPN tunnel up to your remote host.
To test it, go to Administration -> Commands, and in the command box, enter the following:
ping -c 1 <some remote address on VPN>
If you get a response back that looks like:
PING <remote service IP> (<remote service IP>): 56 data bytes 64 bytes from <remote service IP>: seq=0 ttl=64 time=281.288 ms --- <remote service IP> ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 281.288/281.288/281.288 ms
Then it's up and working. Now, try from your computer...
Probably didn't work, did it? This is because your router's firewall doesn't yet know about the remote network or to route packets to it appropriately. For some reason, the current version of DD-WRT does not add the appropriate configuration to the firewall automatically when the PPTP tunnel is established. So, we have to do it manually.
Go to Administration -> Commands, and enter the following:
iptables -I OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination <remote network address>/16 --jump ACCEPT --out-interface ppp0 iptables -I INPUT 1 --source <remote network address>/16 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp0 iptables -I FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination <remote network address>/16 --jump ACCEPT --out-interface ppp0 iptables -I FORWARD 1 --source <remote network address>/16 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
At the bottom, press "Run Commands" and wait. It shouldn't take long, and should produce no output. Then, enter that command again, and press "Save Firewall" at the bottom. Give your router a few seconds to restart the appropriate services, then try again from your computer.
Your machine, and all machines on your network, should now be able to access the VPN. In this configuration, only traffic matching the remote network will pass over the VPN - the rest of your traffic will be routed to the Internet in normal fashion.
Now, in my next entry, I'll tell you why I'm not using PPTP to connect myself back to my home network when I'm on the road.