Guys,
I've been googling and searching for a day and a half and I'm coming up with bits and pieces on how to do this, but nothing concrete. Was hoping someone could give me some insight on how to pull this off.
Our company has 2 offices, currently TAP bridged with DD-WRT, on 2 Asus RT-AC68U (read six-eight). It works perfectly, save for the fact that DD-WRT crashes daily on one router (probably due to the workload), and throughput between sites is 50ish... We're using TAP\Bridged VPN instead of TUN because we need to function as one complete office where everything crosses back and forth, DNS, AD, etc... between employees at both sites.
After reading about the horsepower of the new RT-AC86U (read eight-six....geez you think they could make it more confusing?) We decided to upgrade to the new units. Seeing that they are not DD-WRT compatible, and thinking those firmwares are increasingly buggy, we went with Merlin.
The conversion of DDWRT scripts over to Merlin seems cryptic to me. Sometimes I think I can just paste these scripts into nat-start and firewall-start, then other times I'm not so sure. I also see people setting it up directly in the gui interface too....
What do you guys say is the best way to do this? Here is a diagram of what I'm trying to do.
I did find this link where a guy was setting up one side in merlin and the other side on a RasPi, via the GUI on the router side
https://www.snbforums.com/threads/need-help-with-creating-bridged-vpn-tap.32844/
But all this seems like it's not well documented on the Merlin side of things... or at least my situation isn't.
Can y'all take a look!? thanks!
Here are my DD-WRT router scripts which work:
__________________CLIENT ROUTER STARTUP__________
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5
echo "
client
daemon
dev tap0
proto udp
remote <CLIENT SIDE WAN IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
" > /tmp/client.conf
echo "
-----BEGIN CERTIFICATE (ABBREVIATED FOR CHAR LIMIT)-----
XXXXDDCCA/SgAwIBAgIJANoufcXAyUn0MA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCR0ExFjAUBgNVBAcTDUZsb3dlcnlCcmFuY2gxFTAT
-----END CERTIFICATE-----
" > /tmp/ca.crt
echo "
-----BEGIN PRIVATE KEY-----
XXXXvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDXwLr5FcKH03yn
A2qZnGGBmTjyAN5bAFDkhIZ3t9RzZeFgwti1EO2Mrd4gwAbVO+qUwCKGDg57OVHB
-----END PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key
echo "
-----BEGIN CERTIFICATE-----
XXXXUDCCBDigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRYwFAYDVQQHEw1GbG93ZXJ5QnJhbmNoMRUwEwYDVQQKEwxT
-----END CERTIFICATE-----
" > /tmp/client.crt
./myvpn --config client.conf
route add -net 192.168.1.0/24 dev br0
______________CLIENT ROUTER FIREWALL____________
#DROP DHCP FROM PASSING THRU THE VPN
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
_____________SERVER ROUTER STARTUP_________________
WANIF=`get_wanface`
ifconfig $WANIF:2 <SERVER SIDE WAN IP1> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:3 <SERVER SIDE WAN IP2> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:4 <SERVER SIDE WAN IP3> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:5 <SERVER SIDE WAN IP3> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
# Begin VPN
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf
echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN CERTIFICATE-----
XXXDDCCA/SgAwIBAgIJANoufcXAyUn0MA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCR0ExFjAUBgNVBAcTDUZsb3dlcnlCcmFuY2gxFTAT
-----END CERTIFICATE-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
XXXajCCBFKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRYwFAYDVQQHEw1GbG93ZXJ5QnJhbmNoMRUwEwYDVQQKEwxT
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
XXXCAKCAQEA1zDLMGs9wYtPRaKD4krtEABijPS0yB58l7OUX3KSkcgw2R7uj5lh
jFkHojQFuxB0ITDgk8Z4rgUdh7EKCjna6Xy41V/aXLljqRiw9DnHpcirYUjHGRtS
-----END DH PARAMETERS-----
" > dh1024.pem
sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf
route add -net 192.168.1.0/24 dev br0
#Prevent DHCP from being routed across the tunnel
echo "begin-base64 644 -" > /tmp/ebt_ip.o.gz.u64
echo "H4sIADwAAAACA5VWz28bVRD+dteON20KG9eq3BJUB21UVy1m2+RQRCO5cX5w" >>
uudecode /tmp/ebt_ip.o.gz.u64 | gunzip -cd > /tmp/ebt_ip.o
sleep 15 ; insmod ebtables ; insmod ebtable_filter ; insmod /tmp/ebt_ip.o &
sleep 25 ; ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
sleep 5 ; ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
____________________SERVER ROUTER FIREWALL______________
#_______________________NAT COMPUTER 1_________________________________
# WAN <SERVER SIDE WAN IP> -> LAN 192.168.1.35 (xxxxxx.net)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP> -j DNAT --to 192.168.1.35
iptables -t nat -I POSTROUTING -s 192.168.1.35 -j SNAT --to <SERVER SIDE WAN IP>
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 443 -j ACCEPT
#_______________________NAT COMPUTER 2_________________________________
# WAN <SERVER SIDE WAN IP2> -> LAN 192.168.1.9 (Connections)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP2> -j DNAT --to 192.168.1.9
iptables -t nat -I POSTROUTING -s 192.168.1.9 -j SNAT --to <SERVER SIDE WAN IP2>
iptables -I FORWARD -d 192.168.1.9 -p tcp --dport 9080 -j ACCEPT
iptables -I FORWARD -d 192.168.1.9 -p tcp --dport 9081 -j ACCEPT
#_______________________DDWRT Router_________________________________
# WAN <SERVER SIDE WAN IP3> -> LAN 192.168.1.100
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
#_______________________Mail (RDS)_________________________________
# WAN <SERVER SIDE WAN IP4> -> LAN 192.168.1.11 (Mail)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP4> -j DNAT --to 192.168.1.11
iptables -t nat -I POSTROUTING -s 192.168.1.11 -j SNAT --to <SERVER SIDE WAN IP4>
iptables -I FORWARD -d 192.168.1.11 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d 192.168.1.11 -p tcp --dport 1352 -j ACCEPT
#_______________________NAT COMPUTER 3___________________
# WAN <SERVER SIDE WAN IP5> -> LAN 192.168.1.13
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP5> -j DNAT --to 192.168.1.13
iptables -t nat -I POSTROUTING -s 192.168.1.13 -j SNAT --to <SERVER SIDE WAN IP5>
iptables -I FORWARD -d 192.168.1.13 -p tcp --dport 9080 -j ACCEPT
iptables -I FORWARD -d 192.168.1.13 -p tcp --dport 9081 -j ACCEPT
Thanks in advance, for any suggestions and advice. I want to do this the right way that can generate the fastest throughput, and I understand Merlin has it down.
cfm56
I've been googling and searching for a day and a half and I'm coming up with bits and pieces on how to do this, but nothing concrete. Was hoping someone could give me some insight on how to pull this off.
Our company has 2 offices, currently TAP bridged with DD-WRT, on 2 Asus RT-AC68U (read six-eight). It works perfectly, save for the fact that DD-WRT crashes daily on one router (probably due to the workload), and throughput between sites is 50ish... We're using TAP\Bridged VPN instead of TUN because we need to function as one complete office where everything crosses back and forth, DNS, AD, etc... between employees at both sites.
After reading about the horsepower of the new RT-AC86U (read eight-six....geez you think they could make it more confusing?) We decided to upgrade to the new units. Seeing that they are not DD-WRT compatible, and thinking those firmwares are increasingly buggy, we went with Merlin.
The conversion of DDWRT scripts over to Merlin seems cryptic to me. Sometimes I think I can just paste these scripts into nat-start and firewall-start, then other times I'm not so sure. I also see people setting it up directly in the gui interface too....
What do you guys say is the best way to do this? Here is a diagram of what I'm trying to do.
I did find this link where a guy was setting up one side in merlin and the other side on a RasPi, via the GUI on the router side
https://www.snbforums.com/threads/need-help-with-creating-bridged-vpn-tap.32844/
But all this seems like it's not well documented on the Merlin side of things... or at least my situation isn't.
Can y'all take a look!? thanks!
Here are my DD-WRT router scripts which work:
__________________CLIENT ROUTER STARTUP__________
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5
echo "
client
daemon
dev tap0
proto udp
remote <CLIENT SIDE WAN IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
" > /tmp/client.conf
echo "
-----BEGIN CERTIFICATE (ABBREVIATED FOR CHAR LIMIT)-----
XXXXDDCCA/SgAwIBAgIJANoufcXAyUn0MA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCR0ExFjAUBgNVBAcTDUZsb3dlcnlCcmFuY2gxFTAT
-----END CERTIFICATE-----
" > /tmp/ca.crt
echo "
-----BEGIN PRIVATE KEY-----
XXXXvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDXwLr5FcKH03yn
A2qZnGGBmTjyAN5bAFDkhIZ3t9RzZeFgwti1EO2Mrd4gwAbVO+qUwCKGDg57OVHB
-----END PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key
echo "
-----BEGIN CERTIFICATE-----
XXXXUDCCBDigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRYwFAYDVQQHEw1GbG93ZXJ5QnJhbmNoMRUwEwYDVQQKEwxT
-----END CERTIFICATE-----
" > /tmp/client.crt
./myvpn --config client.conf
route add -net 192.168.1.0/24 dev br0
______________CLIENT ROUTER FIREWALL____________
#DROP DHCP FROM PASSING THRU THE VPN
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
_____________SERVER ROUTER STARTUP_________________
WANIF=`get_wanface`
ifconfig $WANIF:2 <SERVER SIDE WAN IP1> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:3 <SERVER SIDE WAN IP2> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:4 <SERVER SIDE WAN IP3> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:5 <SERVER SIDE WAN IP3> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
# Begin VPN
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf
echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN CERTIFICATE-----
XXXDDCCA/SgAwIBAgIJANoufcXAyUn0MA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCR0ExFjAUBgNVBAcTDUZsb3dlcnlCcmFuY2gxFTAT
-----END CERTIFICATE-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
XXXajCCBFKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRYwFAYDVQQHEw1GbG93ZXJ5QnJhbmNoMRUwEwYDVQQKEwxT
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
XXXCAKCAQEA1zDLMGs9wYtPRaKD4krtEABijPS0yB58l7OUX3KSkcgw2R7uj5lh
jFkHojQFuxB0ITDgk8Z4rgUdh7EKCjna6Xy41V/aXLljqRiw9DnHpcirYUjHGRtS
-----END DH PARAMETERS-----
" > dh1024.pem
sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf
route add -net 192.168.1.0/24 dev br0
#Prevent DHCP from being routed across the tunnel
echo "begin-base64 644 -" > /tmp/ebt_ip.o.gz.u64
echo "H4sIADwAAAACA5VWz28bVRD+dteON20KG9eq3BJUB21UVy1m2+RQRCO5cX5w" >>
uudecode /tmp/ebt_ip.o.gz.u64 | gunzip -cd > /tmp/ebt_ip.o
sleep 15 ; insmod ebtables ; insmod ebtable_filter ; insmod /tmp/ebt_ip.o &
sleep 25 ; ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
sleep 5 ; ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
____________________SERVER ROUTER FIREWALL______________
#_______________________NAT COMPUTER 1_________________________________
# WAN <SERVER SIDE WAN IP> -> LAN 192.168.1.35 (xxxxxx.net)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP> -j DNAT --to 192.168.1.35
iptables -t nat -I POSTROUTING -s 192.168.1.35 -j SNAT --to <SERVER SIDE WAN IP>
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 443 -j ACCEPT
#_______________________NAT COMPUTER 2_________________________________
# WAN <SERVER SIDE WAN IP2> -> LAN 192.168.1.9 (Connections)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP2> -j DNAT --to 192.168.1.9
iptables -t nat -I POSTROUTING -s 192.168.1.9 -j SNAT --to <SERVER SIDE WAN IP2>
iptables -I FORWARD -d 192.168.1.9 -p tcp --dport 9080 -j ACCEPT
iptables -I FORWARD -d 192.168.1.9 -p tcp --dport 9081 -j ACCEPT
#_______________________DDWRT Router_________________________________
# WAN <SERVER SIDE WAN IP3> -> LAN 192.168.1.100
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
#_______________________Mail (RDS)_________________________________
# WAN <SERVER SIDE WAN IP4> -> LAN 192.168.1.11 (Mail)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP4> -j DNAT --to 192.168.1.11
iptables -t nat -I POSTROUTING -s 192.168.1.11 -j SNAT --to <SERVER SIDE WAN IP4>
iptables -I FORWARD -d 192.168.1.11 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d 192.168.1.11 -p tcp --dport 1352 -j ACCEPT
#_______________________NAT COMPUTER 3___________________
# WAN <SERVER SIDE WAN IP5> -> LAN 192.168.1.13
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP5> -j DNAT --to 192.168.1.13
iptables -t nat -I POSTROUTING -s 192.168.1.13 -j SNAT --to <SERVER SIDE WAN IP5>
iptables -I FORWARD -d 192.168.1.13 -p tcp --dport 9080 -j ACCEPT
iptables -I FORWARD -d 192.168.1.13 -p tcp --dport 9081 -j ACCEPT
Thanks in advance, for any suggestions and advice. I want to do this the right way that can generate the fastest throughput, and I understand Merlin has it down.
cfm56
