DD-WRT VPN

Curious if anyone knows how well or if at all DD-WRT works in a multipoint
VPN enviroment.

What we want to do is interconnect 3 maybe 4 sites together.
After doing some reading it appears that you have a host side and a client
side which I assume the host can support multipul clients. but is that the
only configuration or can I take and connect a node that's already a client
and also use it as a host and allow another client to connect to it?
Reason for asking in the setup we want all sites to be able to communicate
with each other but don't want traffic to have to pass thru the host to get
there. So some sort of a star configuration would be needed.

I realize this is a wireless group but DD-WRT is heavely used here so just
looking for comments.

Thanks,
Adair

You do realize the low-power devices that can run DD-WRT are probably not
ideal for this sort of thing, right?

Doing multi-site interconnects is not trivial. Setting up the routing
tables to avoid congestion can be pretty complex. Trying to daisy-chain
mulitple sites really complicates matters. And besides the routing issues,
you also have to contend with inter-site server and workstation traffic. If
you just "set it up" in a trivial manner you'll have enormous amounts of
bandwidth getting wasted on site-to-site overhead traffic.

Try asking on the dd-wrt forums. Then budget for proper Cisco gear.

-Bill Kearney

"Adair Winter" <(E-Mail Removed)> wrote in message
news:XlMak.3263$(E-Mail Removed)...
> Curious if anyone knows how well or if at all DD-WRT works in a multipoint
> VPN enviroment.
>
> What we want to do is interconnect 3 maybe 4 sites together.
> After doing some reading it appears that you have a host side and a
> client side which I assume the host can support multipul clients. but is
> that the only configuration or can I take and connect a node that's
> already a client and also use it as a host and allow another client to
> connect to it?
> Reason for asking in the setup we want all sites to be able to communicate
> with each other but don't want traffic to have to pass thru the host to
> get there. So some sort of a star configuration would be needed.
>
> I realize this is a wireless group but DD-WRT is heavely used here so just
> looking for comments.

"Bill Kearney" <(E-Mail Removed)> wrote in message
> You do realize the low-power devices that can run DD-WRT are probably not
> ideal for this sort of thing, right?
>
> Doing multi-site interconnects is not trivial. Setting up the routing
> tables to avoid congestion can be pretty complex. Trying to daisy-chain
> mulitple sites really complicates matters. And besides the routing
> issues, you also have to contend with inter-site server and workstation
> traffic. If you just "set it up" in a trivial manner you'll have enormous
> amounts of bandwidth getting wasted on site-to-site overhead traffic.
>
> Try asking on the dd-wrt forums. Then budget for proper Cisco gear.
>
> -Bill Kearney
>

I agree, and this is not for an office/work enviroment. It is going to be
used to connect 2 maybe 3 NXU radio liking devices from several places
across the country back to my area. So in reality I only need to be able to
have the server and 1 or 2 clients. Each tunnle will be bridging to another
home network and the only traffic across them will be a single 24Kbps VoIP
stream and managment traffic.
The ability to configure as a star was brought up by someone else but in
reality i do not think it's necessary. If these devices supported host names
and not just static ips they would be placed out on the open internet.

Adair

On Wed, 2 Jul 2008 09:33:38 -0500, "Adair Winter" <(E-Mail Removed)>
wrote:

>Curious if anyone knows how well or if at all DD-WRT works in a multipoint
>VPN enviroment.

Yep. It sucks. You're just not going to get much in the way of
performance from an already overloaded CPU. The problem is that
OpenVPN has to encrypt and decrypt the tunnel at both ends. Crypto
modules burn lots of CPU cycles (and is usually best done in a
dedicated processor). I didn't even bother doing benchmarks with just
one tunnel, as bench tests showed it was obviously far too slow.

If you have a pair of routers loaded with DD-WRT, try a simple end to
end bench test. Setup the WAN ports for different static IP's with
the gateway IP pointing to the opposite router. Interconnect the WAN
ports with an ethernet crossover cable. At 100baseTX-FDX, you should
able to get wire speed of 100 Mbits/sec between routers. In other
words, you're NOT going to be limited by the speed of the simulated
internet connection.

Now, setup a fast computah at each end of the simulation to a LAN
port. Install IPerf or JPerf benchmarking software.
<http://www.smallnetbuilder.com/content/view/30408/235/>
<http://www.smallnetbuilder.com/content/view/30418/235/>
Make sure you use the latest versions. Now run some benchmarks with
and without the VPN. I've only done this once. I got about
35Mbits/sec thruput w/o the VPN, and I vaguely recall only about
5Mbit/sec (or worse) with PPTP running, but without any optimization
or performance tweaking.

More on IPerf and JPerf:
<http://www.openmaniak.com/iperf.php> (near bottom)
<http://code.google.com/p/xjperf/>
<http://xjperf.googlecode.com/files/jperf2.0.0.zip>

>What we want to do is interconnect 3 maybe 4 sites together.

What are you using for connectivity? The CPU can probably handle one
or two tunnels over a slow DSL line or T1.

See benchmarks and comments at:
<http://www.dd-wrt.com/phpBB2/viewtopic.php?p=178704>
With OpenVPN running: 6354/690 Kbits/sec
No VPN running: 26340/723 Kbits/sec

>After doing some reading it appears that you have a host side and a client
>side which I assume the host can support multipul clients. but is that the
>only configuration or can I take and connect a node that's already a client
>and also use it as a host and allow another client to connect to it?
>Reason for asking in the setup we want all sites to be able to communicate
>with each other but don't want traffic to have to pass thru the host to get
>there. So some sort of a star configuration would be needed.

You can have multiple connections, but you have to configure each one
individually. I think you can setup a "star", where you have a tunnel
directly to each other endpoint. That will take some simple static
routing and is fairly easily configured. However, that does help with
the preformance problem, but not much. The CPU is still overloaded.

>I realize this is a wireless group but DD-WRT is heavely used here so just
>looking for comments.

Ask again in the DD-WRT forums.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Wed, 02 Jul 2008 09:19:00 -0700, Jeff Liebermann <(E-Mail Removed)>
wrote:

>More on IPerf and JPerf:
><http://www.openmaniak.com/iperf.php> (near bottom)
><http://code.google.com/p/xjperf/>
><http://xjperf.googlecode.com/files/jperf2.0.0.zip>

One more URL:
<http://www.openmaniak.com/iperf.php> (Tutorial with examples)

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Thanks for the input Jeff as always your helpful. As I stated befor be do
not need a ton of bandwidth but I also know what it like to run anything on
hardware that is being pushed beyond it's limits.
Anyone want to suggest some other solutions for the VPN that wont require
stupid expensive hardware and ideally can be placed behind the firewalls
that are in place.. I.E the VPN hardware just creates the tunnel thru the
WAN router. Id be more interested in a solution that would let us reuse
exsisting hardware we might already have


Adair


Adair
"Jeff Liebermann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Wed, 2 Jul 2008 09:33:38 -0500, "Adair Winter" <(E-Mail Removed)>
> wrote:
>
>>Curious if anyone knows how well or if at all DD-WRT works in a multipoint
>>VPN enviroment.
>
> Yep. It sucks. You're just not going to get much in the way of
> performance from an already overloaded CPU. The problem is that
> OpenVPN has to encrypt and decrypt the tunnel at both ends. Crypto
> modules burn lots of CPU cycles (and is usually best done in a
> dedicated processor). I didn't even bother doing benchmarks with just
> one tunnel, as bench tests showed it was obviously far too slow.
>
> If you have a pair of routers loaded with DD-WRT, try a simple end to
> end bench test. Setup the WAN ports for different static IP's with
> the gateway IP pointing to the opposite router. Interconnect the WAN
> ports with an ethernet crossover cable. At 100baseTX-FDX, you should
> able to get wire speed of 100 Mbits/sec between routers. In other
> words, you're NOT going to be limited by the speed of the simulated
> internet connection.
>
> Now, setup a fast computah at each end of the simulation to a LAN
> port. Install IPerf or JPerf benchmarking software.
> <http://www.smallnetbuilder.com/content/view/30408/235/>
> <http://www.smallnetbuilder.com/content/view/30418/235/>
> Make sure you use the latest versions. Now run some benchmarks with
> and without the VPN. I've only done this once. I got about
> 35Mbits/sec thruput w/o the VPN, and I vaguely recall only about
> 5Mbit/sec (or worse) with PPTP running, but without any optimization
> or performance tweaking.
>
> More on IPerf and JPerf:
> <http://www.openmaniak.com/iperf.php> (near bottom)
> <http://code.google.com/p/xjperf/>
> <http://xjperf.googlecode.com/files/jperf2.0.0.zip>
>
>>What we want to do is interconnect 3 maybe 4 sites together.
>
> What are you using for connectivity? The CPU can probably handle one
> or two tunnels over a slow DSL line or T1.
>
> See benchmarks and comments at:
> <http://www.dd-wrt.com/phpBB2/viewtopic.php?p=178704>
> With OpenVPN running: 6354/690 Kbits/sec
> No VPN running: 26340/723 Kbits/sec
>
>>After doing some reading it appears that you have a host side and a
>>client
>>side which I assume the host can support multipul clients. but is that the
>>only configuration or can I take and connect a node that's already a
>>client
>>and also use it as a host and allow another client to connect to it?
>>Reason for asking in the setup we want all sites to be able to communicate
>>with each other but don't want traffic to have to pass thru the host to
>>get
>>there. So some sort of a star configuration would be needed.
>
> You can have multiple connections, but you have to configure each one
> individually. I think you can setup a "star", where you have a tunnel
> directly to each other endpoint. That will take some simple static
> routing and is fairly easily configured. However, that does help with
> the preformance problem, but not much. The CPU is still overloaded.
>
>>I realize this is a wireless group but DD-WRT is heavely used here so just
>>looking for comments.
>
> Ask again in the DD-WRT forums.
>
> --
> Jeff Liebermann (E-Mail Removed)
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558

On Wed, 2 Jul 2008 15:31:31 -0500, "Adair Winter" <(E-Mail Removed)>
wrote:

>Thanks for the input Jeff as always your helpful.

Thanks.

>As I stated befor be do
>not need a ton of bandwidth but I also know what it like to run anything on
>hardware that is being pushed beyond it's limits.

I forgot that I have a nailed up VPN running between my house and
office with a WRT54G v3 at one end, and a Buffalo WHR-HP-G54 at the
other. I'll run some bechmarks this weekend and see what happens.

>Anyone want to suggest some other solutions for the VPN that wont require
>stupid expensive hardware and ideally can be placed behind the firewalls
>that are in place.. I.E the VPN hardware just creates the tunnel thru the
>WAN router. Id be more interested in a solution that would let us reuse
>exsisting hardware we might already have

Sure. I've used various Sonicwall products to build multiple
connection VPN's. The messiest was 5 locations in 3 states via DSL
and T1 lines. Speed was limited by the outgoing bandwidth of the DSL
lines, not the processor. Unfortunately, it was an older Sonicwall
10, which is no longer manufactured.

I've also used Netscreen hardware, which is now part of Jupiter
Networks. One huge advantage was that Netscreen simultaneously
supports PPTP (for Windoze client dial-in) and IPSec (for router to
router). Netscreen is basically Linux on the inside.

I've also use FreeSWAN on Red Hat and OpenVPN SSL on Ubuntu between 3
sites. This was a bit of major project and learning curve for me. I
finally had to yell for help and hired a local student to make it all
work. It's been up for about 2 years and I'm still recovering from
some of the odd tweaks the student threw into the servers. The Linux
boxes currently run on 2GBytes Compact Flash drives (no hard disk). A
big advantage is the ability to easily deal with static routes and
complex firewall issues, as there's an Asterisk server running on one
of the servers. The only problem is that the business owner insists
that I document everything in case I should suddenly die or go on
vacation.

One of my friends has a local store and the owners house connected
with a pair of Linksys BEFVP41 v2 routers running IPSec. They work,
but are what I describe as "tempermental". They hang, crash, die, or
reboot, for no obvious reason. I've recommended replacement, but the
owner claims he doesn't use the VPN very much and is willing to
tolerate the instabilities. Not recommended.

I've tried various Netgear routers that terminate VPN's. I never
could get them to work the way I thought they should work, so I gave
up. I suspect it might have been possible if I had bothered to read
the instructions.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

"Jeff Liebermann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I forgot that I have a nailed up VPN running between my house and
> office with a WRT54G v3 at one end, and a Buffalo WHR-HP-G54 at the
> other. I'll run some bechmarks this weekend and see what happens.

This is actually one of the reason I thought about asking here, I knew you
had done it.
Like I say we don't need gigs of throughput just enough to match a decent
internet connection (1.5 to 8Mbps) at most the connection will need to
support 55Kb of audio stream MAX.
Please let me know how your tests come out.. at this time I am trying to
setup a test on my local lan using a couple routers.. If I get some good
data I'll post that.


> Sure. I've used various Sonicwall products to build multiple
> connection VPN's. The messiest was 5 locations in 3 states via DSL
> and T1 lines. Speed was limited by the outgoing bandwidth of the DSL
> lines, not the processor. Unfortunately, it was an older Sonicwall
> 10, which is no longer manufactured.

Always an option but the hardware (unless you find a good used deal) tends
to be more expensive.

>
> I've also used Netscreen hardware, which is now part of Jupiter
> Networks. One huge advantage was that Netscreen simultaneously
> supports PPTP (for Windoze client dial-in) and IPSec (for router to
> router). Netscreen is basically Linux on the inside.

Nice, but same as above.

>
> I've also use FreeSWAN on Red Hat and OpenVPN SSL on Ubuntu between 3
> sites. This was a bit of major project and learning curve for me. I
> finally had to yell for help and hired a local student to make it all
> work. It's been up for about 2 years and I'm still recovering from
> some of the odd tweaks the student threw into the servers. The Linux
> boxes currently run on 2GBytes Compact Flash drives (no hard disk). A
> big advantage is the ability to easily deal with static routes and
> complex firewall issues, as there's an Asterisk server running on one
> of the servers. The only problem is that the business owner insists
> that I document everything in case I should suddenly die or go on
> vacation.

Heh, I've actually been doing alot of reading this evening about running
openVPN on regular windows/linux boxes instead of the WRT54G/L/S hardware.
should be able to get way more than enough processing horespower out of just
about anything that will run windows XP or linux.

>
> One of my friends has a local store and the owners house connected
> with a pair of Linksys BEFVP41 v2 routers running IPSec. They work,
> but are what I describe as "tempermental". They hang, crash, die, or
> reboot, for no obvious reason. I've recommended replacement, but the
> owner claims he doesn't use the VPN very much and is willing to
> tolerate the instabilities. Not recommended.

Ya, that just sounds like shitting hardware to me.

>
> I've tried various Netgear routers that terminate VPN's. I never
> could get them to work the way I thought they should work, so I gave
> up. I suspect it might have been possible if I had bothered to read
> the instructions.

Instruction....nah....for sissy!
I actually own a netgear FSV (or something like that) vpn router and tho
I've never used it as my personal router or as a vpn router I've heard
nothing but bad things about it reguardless of the application so I've never
attempted to use it....hey it was given to me by a business I used to work
for....no wonder they got rid of it. heh


> --
> # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
> # 831-336-2558 (E-Mail Removed)
> # http://802.11junk.com (E-Mail Removed)
> # http://www.LearnByDestroying.com AE6KS

Thought I would post my findings after doing some testing with iperf.

The setup-
Desktop computer connected to netgear gigabit switch.
WRT54GL router running open vpn on the router, router's wan port connected
to gigabit switch, gateway router issued IP to WAN via DHCP.
Connected the the GL's lan port I have a dell poweredge 1550 (10/100
ethernet) server.
Forwaded port 5001 in the GL to the server. setup Iperf as -s on server
machine.
ran -c from desktop and after 20 tests (10 each from each side of the
router) received an average throughput of 28.5Mbps.

Reconfigured with open VPN on the router and used the windows VPN adapter to
connect to the router.
after 10 tests with Iperf the average throughput was 5.292Mbps.

Next step will be to configue another router as the client and run the same
tests as above. I have a wrt54g v8 here that wont seem to boot up right
now... hmm maybe I'll try to reflash the POS.

Adair