VPN tunnel in Scenario 3 : Centralized Network Topology

alan, Forum facilitator (Joined: 26 Sep 2003, Posts: 4405)
Posted: Wed Aug 02, 2006 8:29 am
Post subject: VPN tunnel in Scenario 3 : Centralized Network Topology

(Some background information : please check out http://www.patronsoft.com/firstspot/topologies.html and http://www.patronsoft.com/firstspot/FirstSpot_Scenario_3_with_VPN.pdf first)

Again, you don't need to use a VPN tunnel if you have control over the outgoing path (e.g. you are an ISP/WISP). If you have no control over the outgoing path and you want to take advantage of Scenario 3, you need to set up a VPN tunnel.

A very frequently asked question is : which VPN systems do we support? Here are some guidelines:

1) First, we don't have an official list. The main problem is that it is difficult to maintain such a certified VPN list.

2) The key feature (as you might already be aware) is what we call a non-split tunnel. Basically, it means your VPN client needs to have the capability to force all traffic to the centralized VPN server instead of splitting the traffic at the hotspot side (that's why it is called a non-split tunnel). For the definition of split tunnel, please check out http://www142.nortelnetworks.com/bvdoc/contivity/doc_html/315899A00/chapte7a.htm . A non-split tunnel is just the opposite of a split tunnel. Also, non-split tunnel is not an industry standard term, so different VPN vendors will have different terminology. Try to describe to your potential VPN vendors the capability you need, rather than just throwing the term "non-split tunnel" at them.

The other features needed are the ability to turn off NAT (almost all mid-range routers can do that) and DHCP relay support (this is optional and needed only if you want to use the FirstSpot DHCP server; alternatively, you can use the router's DHCP server).

3) In general, the lowest-end VPN devices (e.g. Linksys) usually won't work, and many mid-range VPN routers will work (again, the Zywall 10 is the example we use often). The cost is about a couple of hundred US$, so it is not that bad. Keep in mind that we are talking about the VPN client (i.e. the hotspot side). The focus should be on the hotspot side anyway, as the centralized VPN server is only a one-off investment.

4) Our customers reportedly have some success with Zywall 10 (refer to http://www.patronsoft.com/forum/viewtopic.php?p=3797#3797 for more technical information), Nortel Contivity 1010 and Cisco PIX 501. Many others will work as well, so it is always good to check with your VPN vendors.

Another frequent concern is the bandwidth requirement. There are some proprietary gateway hardware or proprietary APs that allow authentication (only) through a centralized site. Our design philosophy is to rely on standard hardware equipment instead. We do understand that there will be bandwidth concerns. As bandwidth is getting cheaper, we believe that over time the bandwidth "overhead" is not as significant as the costly proprietary hardware.
_________________
~ Patronsoft Limited ~

alan, Forum facilitator (Joined: 26 Sep 2003, Posts: 4405)
Posted: Wed Jul 29, 2009 5:21 am
Post subject: enable non-split VPN tunnel using DD-WRT router

A low-cost way to create a VPN tunnel is to use a DD-WRT ( DDWRT ) enabled router ( http://www.dd-wrt.com ). DD-WRT is a free firmware that allows users to flash their existing router to enable more advanced features like VPN tunneling. DD-WRT runs on many varieties of routers (including many low-end routers) and even a PC.

Below are the steps to enable a non-split tunnel in a DD-WRT enabled router (using the PPTP protocol as an example):

1. Flash DD-WRT (with VPN) firmware to your router. Please refer to DD-WRT Wiki ( http://www.dd-wrt.com/wiki/index.php/Installation ) for details.

2. Launch your browser and go to the web control panel (default URL: http://192.168.1.1/) of your DD-WRT router. If this is the first time you access the control panel, you will be asked to configure the username and password.

3. Click “Services” tab and then the “VPN” sub-tab.

4. You will see “PPTP Client” which is disabled by default. To enable it, click “Enable”.

5. Fill in the fields as follows:

Server IP or DNS Name: IP address or domain name of your VPN server

Remote Subnet: 0.0.0.0

Remote Subnet Mask: 0.0.0.0

(the above 0.0.0.0/0.0.0.0 setting ensures all traffic is forwarded to the VPN server, i.e. a non-split tunnel)

MPPE Encryption: The type of security to use for the connection. Leave it blank if there is no encryption (recommended due to better performance). Available settings are “required,no40,no56,stateful,stateless”. Please refer to DD-WRT Wiki at http://www.dd-wrt.com/wiki/index.php/Static_PPTP_VPN_Client for details.

MTU: Leave Default

MRU: Leave Default

NAT: Leave Enabled

Username: Username of your VPN server

Password: Password of your VPN server

6. Scroll down and click “Apply Settings”.

7. Click “Administration” tab, and then “Commands” sub-tab.

8. Paste the following code into “Command Shell” and then click “Save Custom Script”.

Code:
#!/bin/sh
# Usage: custom.sh <DNS name or IP address of the PPTP server>
# Adds a host route for every address of the PPTP server via the WAN (upstream)
# gateway, so that the tunnel's own packets are not sent into the tunnel once
# the 0.0.0.0/0.0.0.0 remote subnet has made ppp0 the default route.
[ -n "$1" ] || { echo "usage: $0 <pptp-server>"; exit 1; }

# Resolve the PPTP server. BusyBox nslookup prints one "Address N: x.x.x.x name"
# line per answer; the first "Address" line is the resolver itself, so drop it.
nslookup "$1" | grep "Address" | sed 1d > /tmp/fstmp

# Get the address of the default gateway from the routing table: the default
# route (destination 0.0.0.0, genmask 0.0.0.0) that has a G flag and a real
# next hop. Octets starting with 0 (e.g. 192.168.0.1) must match too.
default_gateway=$(route -n | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ && $2 != "0.0.0.0" { print $2; exit }')
[ -n "$default_gateway" ] || { echo "no default gateway found"; rm -f /tmp/fstmp; exit 1; }

# Pin every address of the PPTP server to the WAN gateway with a /32 host route
while read -r line
do
   ip=$(echo "$line" | cut -f3 -d" ")
   route add -host "$ip" gw "$default_gateway"
done < /tmp/fstmp

rm -f /tmp/fstmp


9. Paste the following commands into the command shell.

Code:
sleep 30
/tmp/custom.sh [DNS Name or IP Address of your VPN Server]

where [DNS Name or IP Address of your VPN Server] must be replaced by the DNS name (domain name) or IP Address of your PPTP VPN server.

For example:
Code:
sleep 30
/tmp/custom.sh pptp.yourhosting.com

Finally, click “Save Startup”.

10. Click “Administration” tab, and then “Management” sub-tab. Scroll down and click “Reboot Router” to restart your DD-WRT router.


References:
http://www.dd-wrt.com/wiki/index.php/PPTP_Server_Configuration#PPTP_Server
_________________
~ Patronsoft Limited ~
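As an added example (not from either post above, and not FirstSpot or DD-WRT code), here is a shell check a practitioner can run on the hotspot router after step 10 to confirm that the tunnel is really non-split in the sense of the first post: the default route must leave via the PPTP interface, and only the VPN server's own address(es) may be pinned to the upstream gateway (the same host routes the startup script adds). The two `route -n` tables are constructed samples; the interface names (ppp0, vlan1, br0) and the addresses (203.0.113.10 for the VPN server, 192.168.0.1 for the upstream gateway) are assumptions. On a real box you would call `check_non_split "$(route -n)" ppp0 <server IP>`.

```shell
#!/bin/sh
# Added example: verify that a DD-WRT router's routing table implements a
# non-split tunnel. Sample tables are constructed; interface names and
# addresses are assumptions, not values from the original post.

# Constructed `route -n` output after the PPTP client came up with
# Remote Subnet 0.0.0.0/0.0.0.0 and the startup script pinned the VPN
# server (203.0.113.10) to the upstream gateway (192.168.0.1).
NON_SPLIT_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    192.168.0.1     255.255.255.255 UGH   0      0        0 vlan1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
0.0.0.0         192.168.0.1     0.0.0.0         UG    10     0        0 vlan1'

# Constructed `route -n` output of a split tunnel: only the VPN server's LAN
# (10.8.0.0/24) goes through ppp0; everything else still leaves via the WAN.
SPLIT_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 vlan1'

# Upstream (WAN) gateway: the default route with a G flag and a real next hop,
# i.e. the same route the startup script reads. Octets may start with 0.
wan_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ && $2 != "0.0.0.0" { print $2; exit }'
}

# Interface of the default route the kernel will actually use: lowest metric wins.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { if (best == "" || $5 < best) { best = $5; dev = $8 } } END { print dev }'
}

# Gateway of the /32 host route for one address (empty if there is none).
host_route_gw() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip && $3 == "255.255.255.255" { print $2; exit }'
}

# check_non_split TABLE VPN_IFACE SERVER_IP...
# Returns 0 when all traffic defaults to the tunnel interface and every VPN
# server address is pinned to the upstream gateway (so the tunnel is not
# routed into itself); prints the first problem and returns 1 otherwise.
check_non_split() {
    table=$1; vpn_if=$2; shift 2
    gw=$(wan_gateway "$table")
    [ -n "$gw" ] || { echo "no upstream default gateway found"; return 1; }
    dev=$(default_iface "$table")
    [ "$dev" = "$vpn_if" ] || { echo "split tunnel: default route leaves via $dev, not $vpn_if"; return 1; }
    for ip in "$@"; do
        [ "$(host_route_gw "$table" "$ip")" = "$gw" ] || { echo "no host route for $ip via $gw"; return 1; }
    done
    echo "non-split tunnel OK: default via $vpn_if, $# server address(es) pinned via $gw"
    return 0
}

# Demonstrate on the constructed tables (exit status carries the verdict).
check_non_split "$NON_SPLIT_TABLE" ppp0 203.0.113.10
check_non_split "$SPLIT_TABLE" ppp0 203.0.113.10 || true
```

The check deliberately fails when a server address has no pinned host route: without it, the first PPTP packet to the server would itself be routed into ppp0 once the 0.0.0.0/0.0.0.0 route is up, which is exactly the condition the startup script in step 8 exists to prevent. It also fails when a second default route with a lower metric still points at the WAN, since that is a split tunnel even though the PPTP client reports itself as connected.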