WikiDevi.Wi-Cat.RU:DD-WRT/VPNC
vpnc is supposed to work with:
- Cisco VPN concentrator 3000 Series
- Cisco IOS routers
- Cisco PIX / ASA Security Appliances
- Juniper/Netscreen
This describes how to use DD-WRT to connect to a Cisco VPN Concentrator using vpnc without auto-reconnect and without connecting on startup.
This "script" without reconnect is mainly for people to test vpnc and find out the correct settings before they use the script with auto-reconnect. If you want your router to automatically reconnect on connection loss, see further down.
There is currently no GUI for this, but don't worry, it won't be complicated.
To let your router connect to the VPN concentrator and share the connection with its clients, follow the steps below:
- You need to flash a DD-WRT VPN build after 08/18/07 (I recommend the latest v24 vpn).
- Paste the code below into a text editor and adjust lines 2 to 6.
- Open a web browser, type the IP of your router, then go to Administration -> Commands
- Paste the code adjusted in Step 2 into the commands box, then click 'Save Startup'
- Reboot your router
- Log in via telnet and enter: vpnc /tmp/etc/vpnc/vpn.conf
- To share the VPN tunnel with the connected PCs, enter the following via telnet:
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
I also added the following rule to share the tunnel tun0 with the LAN on the br0 interface, and added the DNS and WINS servers from my VPN to the local computers connected to the LAN:
iptables -A FORWARD -i br0 -j ACCEPT
To disconnect the tunnel, type vpnc-disconnect.
Steps 6 and 7 have to be redone after every disconnect or reboot.
If you have any comment or question on this, you can PM me in the DD-WRT Forum (Username: alain)
#!/bin/sh
vpn_concentrator="host" ##enter ip or hostname of your Ipsec vpn concentrator
vpn_groupname="grid" ##enter the group name here
vpn_grouppasswd="grppasswd" ##enter the group password here
vpn_username="username" ##enter your username here
vpn_password="password" ##enter your password here
#--do not edit this--
#Written by Alain R. (alainr /A*T/ gmx. de) 27.Sep.2007
vpnc-disconnect
rm -f /tmp/etc/vpnc/vpn.conf
mkdir /tmp/etc/vpnc
echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
" >> /tmp/etc/vpnc/vpn.conf
If your VPN also requires your NT domain to be submitted, modify the script above in the two places below (this also applies to the auto-reconnect script further down):
under "vpn_password"
vpn_domain="domain" ##enter your NTDomain here
and under "Xauth password $vpn_password" add:
Domain $vpn_domain
This describes how to use DD-WRT to connect to a Cisco VPN Concentrator using vpnc with auto-reconnect.
This script does not give out any (useful) error messages. If you have trouble establishing a tunnel, first try the script without reconnect.
There is currently no GUI for this, but don't worry, it won't be complicated.
This script also automatically reconnects if your VPN connection gets disconnected.
To let your router connect to the VPN concentrator and share the connection with its clients, follow the steps below:
- You need to flash a DD-WRT VPN build after 08/18/07 (I recommend the latest v24 vpn).
- Paste the code below into a text editor and adjust lines 5 to 11.
- Open a web browser, type the IP of your router, then go to Administration -> Commands
- Paste the code adjusted in Step 2 into the commands box, then click 'Save Startup'
- Reboot your router
If everything worked fine, your router has now established a vpn tunnel.
If you have any comment or question on this, you can PM me in the DD-WRT Forum (Username: alain)
mkdir /tmp/etc/vpnc
rm -f /tmp/etc/vpnc/vpnc.sh
echo '
#!/bin/sh
vpn_concentrator="host" ##enter ip or hostname of your Ipsec vpn concentrator
vpn_keepalive_host1="keepalive1" ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_keepalive_host2="keepalive2" ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_groupname="grid" ##enter the group name here
vpn_grouppasswd="grppasswd" ##enter the group password here
vpn_username="username" ##enter your username here
vpn_password="password" ##enter your password here
#--do not edit this--
#Written by Alain R. 28.Sep.2007
vpnc-disconnect
rm -f /tmp/etc/vpnc/vpn.conf
echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
" >> /tmp/etc/vpnc/vpn.conf
pingtest1 () {
ping -q -c1 $param1 >> /dev/null
if [ "$?" == "0" ]; then
echo 0 #reachable
else
echo 1 #not reachable
fi
}
pingtest2 () {
ping -q -c2 $param2 >> /dev/null
if [ "$?" == "0" ]; then
echo 0 #reachable
else
echo 1 #not reachable
fi
}
while [ true ]; do
param1=$vpn_concentrator;
if [ "`pingtest1`" == "0" ]; then #Vpn concentrator reachable
doloop=1;
while [ $doloop -gt 0 ]; do
param1=$vpn_keepalive_host1;
if [ "`pingtest1`" == "0" ]; then
sleep 300
else
param2=$vpn_keepalive_host2;
if [ "`pingtest2`" == "0" ]; then
sleep 300
else
doloop=0;
vpnc-disconnect
vpnc /tmp/etc/vpnc/vpn.conf --dpd-idle 0
sleep 1
if [ "`pingtest1`" != "0" ]; then
sleep 10
fi
tundev="`ifconfig |grep tun |cut -b 1-4`"
iptables -A FORWARD -o $tundev -j ACCEPT
iptables -A FORWARD -i $tundev -j ACCEPT
iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE
sleep 9
fi
fi
done
else
sleep 10;
fi
done
return 0;
' >> /tmp/etc/vpnc/vpnc.sh
chmod 700 /tmp/etc/vpnc/vpnc.sh
/tmp/etc/vpnc/vpnc.sh&
Multi-Site VPN
There was a problem with the previous version of this script: pid was not set correctly and the iptables rules were not removed properly upon termination. If you used it, please copy and paste this new version.
What happens if your company has more than one location that you need access to? Use this:
mkdir /tmp/etc/vpnc
# get rid of left over scripts
if [ -f /tmp/etc/vpnc/vpnc-tun0.sh ]; then
rm -f /tmp/etc/vpnc/vpnc-tun0.sh
fi
if [ -f /tmp/etc/vpnc/vpnc-tun1.sh ]; then
rm -f /tmp/etc/vpnc/vpnc-tun1.sh
fi
cp /etc/resolv.conf /tmp/etc/resolv.conf
# get rid of any leftover connections
vpnc-disconnect
echo '
#!/bin/sh
vpnc_interface="tun0"
vpnc_concentrator="xxx"
vpnc_keepalive_host="xxx"
vpnc_groupname="xxx"
vpnc_grouppasswd="xxx"
vpnc_username="xxx"
vpnc_password="xxx"
vpnc_domain=""
vpnc_nat_host="xxx"
# remove any old config files
rm -f /tmp/etc/vpnc/vpnc-tun0.conf
# create the new config file
echo "
Local Port 0
Interface name ${vpnc_interface}
IPSec gateway ${vpnc_concentrator}
IPSec ID ${vpnc_groupname}
IPSec secret ${vpnc_grouppasswd}
Xauth username ${vpnc_username}
Xauth password ${vpnc_password}
Domain ${vpnc_domain}
" > /tmp/etc/vpnc/vpnc-tun0.conf
source /tmp/etc/vpnc/vpnc-manager.sh
return 0;
' >> /tmp/etc/vpnc/vpnc-tun0.sh
echo '
#!/bin/sh
vpnc_interface="tun1"
vpnc_concentrator="xxx"
vpnc_keepalive_host="xxx"
vpnc_groupname="xxx"
vpnc_grouppasswd="xxx"
vpnc_username="xxx"
vpnc_password="xxx"
vpnc_nat_host="xxx"
# remove any old config files
rm -f /tmp/etc/vpnc/vpnc-tun1.conf
# create the new config file
echo "
Local Port 0
Interface name ${vpnc_interface}
IPSec gateway ${vpnc_concentrator}
IPSec ID ${vpnc_groupname}
IPSec secret ${vpnc_grouppasswd}
Xauth username ${vpnc_username}
Xauth password ${vpnc_password}
" > /tmp/etc/vpnc/vpnc-tun1.conf
source /tmp/etc/vpnc/vpnc-manager.sh
return 0;
' >> /tmp/etc/vpnc/vpnc-tun1.sh
echo '
#!/bin/sh
# Some timing parameters, adjust to your preference
sleep_short=10
sleep_long=300
pid=0
while [ true ]; do
loss=`ping -q -c3 ${vpnc_keepalive_host} | awk "NR == 4 { print \\$7 }"`
if [ ${loss} != "100%" ]; then
sleep ${sleep_long}
else
if [ ${pid} != "0" ]; then
echo "Killing daemon with pid: ${pid}"
# kill the daemon
kill ${pid}
# reverse the iptables rules
iptables -D FORWARD -o ${vpnc_interface} -j ACCEPT
iptables -D FORWARD -i ${vpnc_interface} -j ACCEPT
iptables -t nat -D POSTROUTING -o ${vpnc_interface} -j MASQUERADE
# Tunnel nat
iptables -D PREROUTING -t nat -i ${vpnc_interface} -p tcp --dport 20 -j DNAT --to ${vpnc_nat_host}:20
iptables -D PREROUTING -t nat -i ${vpnc_interface} -p tcp --dport 21 -j DNAT --to ${vpnc_nat_host}:21
iptables -D PREROUTING -t nat -i ${vpnc_interface} -p tcp --dport 3389 -j DNAT --to ${vpnc_nat_host}:3389
iptables -D PREROUTING -t nat -i ${vpnc_interface} -p tcp --dport 5900 -j DNAT --to ${vpnc_nat_host}:5900
iptables -D FORWARD -p tcp -d ${vpnc_nat_host} --dport 20 -j ACCEPT
iptables -D FORWARD -p tcp -d ${vpnc_nat_host} --dport 21 -j ACCEPT
iptables -D FORWARD -p tcp -d ${vpnc_nat_host} --dport 3389 -j ACCEPT
iptables -D FORWARD -p tcp -d ${vpnc_nat_host} --dport 5900 -j ACCEPT
fi
# Establish the link
vpnc /tmp/etc/vpnc/vpnc-${vpnc_interface}.conf --dpd-idle 0
# Record the process id
pid=`ps | grep "vpnc .*${vpnc_interface}" | awk "{print \\$1}"`
sleep 1
# Ping the remote host to see if we are live
loss=`ping -q -c3 ${vpnc_keepalive_host} | awk "NR == 4 { print \\$7 }"`
if [ ${loss} == "100%" ]; then
sleep ${sleep_short}
fi
# Make sure we can talk with the interface from within the LAN
iptables -A FORWARD -o ${vpnc_interface} -j ACCEPT
iptables -A FORWARD -i ${vpnc_interface} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${vpnc_interface} -j MASQUERADE
# Tunnel nat, adjust to your preference
iptables -A PREROUTING -t nat -i ${vpnc_interface} -p tcp --dport 20 -j DNAT --to ${vpnc_nat_host}:20
iptables -A PREROUTING -t nat -i ${vpnc_interface} -p tcp --dport 21 -j DNAT --to ${vpnc_nat_host}:21
iptables -A PREROUTING -t nat -i ${vpnc_interface} -p tcp --dport 3389 -j DNAT --to ${vpnc_nat_host}:3389
iptables -A PREROUTING -t nat -i ${vpnc_interface} -p tcp --dport 5900 -j DNAT --to ${vpnc_nat_host}:5900
iptables -I FORWARD -p tcp -d ${vpnc_nat_host} --dport 20 -j ACCEPT
iptables -I FORWARD -p tcp -d ${vpnc_nat_host} --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -d ${vpnc_nat_host} --dport 3389 -j ACCEPT
iptables -I FORWARD -p tcp -d ${vpnc_nat_host} --dport 5900 -j ACCEPT
# fix the resolv.conf, bug in vpnc where it ignores DNSUpdate
cat /tmp/etc/resolv.conf > /etc/resolv.conf
sleep ${sleep_short}
fi
done
' >> /tmp/etc/vpnc/vpnc-manager.sh
# Set the permissions
chmod 700 /tmp/etc/vpnc/vpnc-tun0.sh
chmod 700 /tmp/etc/vpnc/vpnc-tun1.sh
chmod 700 /tmp/etc/vpnc/vpnc-manager.sh
# Fire off the connectors
/tmp/etc/vpnc/vpnc-tun0.sh&
/tmp/etc/vpnc/vpnc-tun1.sh&
Note that the ping line for the keepalive host assumes the loss percentage is on line 4, column 7 of the ping output; if your router's ping output looks different, you need to adjust that line.
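A keepalive check that does not depend on the line and column position of the ping summary, written here as an added example (not part of the original page or of vpnc). The ping output below is constructed to look like busybox ping -q -c3; the host 10.8.0.1 is a made-up address.

```shell
#!/bin/sh
# Added example, not part of the original page: find the "packet loss" line of
# ping output by its text instead of assuming it is line 4, column 7, so the
# keepalive test survives differences between ping builds.

# Constructed samples of what "ping -q -c3 <host>" prints; the summary line
# can move between builds, which is what breaks the fixed "NR == 4" approach.
sample_up='PING 10.8.0.1 (10.8.0.1): 56 data bytes

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.412/0.530/0.701 ms'

sample_down='PING 10.8.0.1 (10.8.0.1): 56 data bytes

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss'

# Read ping output on stdin and print the loss percentage as a bare number.
# If no "packet loss" line is present (name resolution failed, ping aborted),
# print 100 so a parse failure is treated as "tunnel down", never as "up".
loss_pct() {
  pct=$(sed -n 's/.*[ ,]\([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1)
  if [ -n "$pct" ]; then echo "$pct"; else echo 100; fi
}

# Succeed (exit 0) when at least one probe to the keepalive host was answered.
# In vpnc-manager.sh this would replace the "${loss} != 100%" test, e.g.:
#   if keepalive_up "$(ping -q -c3 "${vpnc_keepalive_host}" 2>&1)"; then ...
keepalive_up() {
  [ "$(printf '%s\n' "$1" | loss_pct)" -lt 100 ]
}

# Stand-alone demonstration on the constructed samples.
for s in "$sample_up" "$sample_down"; do
  if keepalive_up "$s"; then echo "keepalive host reachable"; else echo "keepalive host unreachable"; fi
done
```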
iptables startup condition
For some reason, on the newer builds the iptables rules get flushed after the startup script is executed. Just put a sleep of 10 seconds at the top of vpnc-manager.sh.
FAQ: Frequently Asked Questions
- Can some attacker steal my VPN password?
Yes, if you don't secure your router...
- Is it possible to get this to work when using the router as a wireless repeater?
Yes, I use it here on a wireless repeater. If you experience problems, flash latest v24 and follow Wlan Repeater.
- I cannot connect if my password contains ", $, `, or \.
The reason is that the shell always interprets these characters (even between quotation marks). If your password contains such characters, just put a \ (escape character) before each of the above characters. If your password is, for example, abc$123\xyz you need to enter abc\$123\\xyz.
- Can I use split-tunneling to access my local network (and local internet connection) while still accessing my corporate network via VPN tunnel?
Yes. On a Windows machine (which I have tested), you need to edit the TCP/IP configuration and explicitly identify your DNS servers via IP. Add in your corporate DNS server first in the list, then your ISP DNS servers. If you access corporate SMB network shares, be sure to add in your corporate WINS server.
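The escaping rule from the password FAQ entry above, automated and verified, as an added example (not part of the original page). It assumes the password is assigned inside double quotes exactly as in the startup scripts on this page; the function names are made up here.

```shell
#!/bin/sh
# Added example, not part of the original page: escape a VPN password so that it
# survives the double-quoted assignment in the startup script, then verify the
# round trip. The FAQ says to put a backslash before each of " $ ` and \ by hand;
# this does the same with sed and checks the result.

# Prefix each of \ $ ` " with a backslash. sed applies the substitution once per
# character, left to right, so the added backslashes are not escaped again.
escape_for_dq() {
  printf '%s' "$1" | sed 's/[\\$`"]/\\&/g'
}

# Simulate the startup script: assign the escaped value inside double quotes and
# return what the shell actually stored, which must equal the original password.
roundtrip() {
  eval "vpn_password=\"$(escape_for_dq "$1")\""
  printf '%s' "$vpn_password"
}

# Stand-alone demonstration with the FAQ's example password abc$123\xyz
# (single quotes here keep the shell from touching it).
pw='abc$123\xyz'
echo "escaped form to paste into the script: $(escape_for_dq "$pw")"
if [ "$(roundtrip "$pw")" = "$pw" ]; then echo "round trip OK"; else echo "round trip FAILED"; fi
```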
For split tunneling, use the following code:
#!/bin/sh
# This is a wrapper for the vpnc-script overriding some variables needed
# for setting up split-tunneling
# this effectively disables changes to /etc/resolv.conf
INTERNAL_IP4_DNS=
# This sets up split networking regardless of the concentrators specifications.
# You can add as many routes as you want, but you must set the counter
# CISCO_SPLIT_INC accordingly. All requests to IP ranges NOT listed
# in the code below will NOT go through the VPN tunnel.
CISCO_SPLIT_INC=2
CISCO_SPLIT_INC_0_ADDR=147.0.0.0 #IP range to go into first tunnel
CISCO_SPLIT_INC_0_MASK=255.0.0.0 #Subnet Mask for first tunnel
CISCO_SPLIT_INC_0_MASKLEN=8 #Mask length
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0
CISCO_SPLIT_INC_1_ADDR=172.0.0.0 #IP range to go into the second tunnel
CISCO_SPLIT_INC_1_MASK=255.0.0.0 #Subnet mask
CISCO_SPLIT_INC_1_MASKLEN=8 #Mask length
CISCO_SPLIT_INC_1_PROTOCOL=0
CISCO_SPLIT_INC_1_SPORT=0
CISCO_SPLIT_INC_1_DPORT=0
# run the original script
. /etc/vpnc/vpnc-script
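A small generator for the CISCO_SPLIT_INC_* block of the wrapper above, as an added example (not part of the original page or of vpnc-script). It takes CIDR prefixes and emits the variables in the wrapper's layout; the 10.16.0.0/12 range is a constructed third entry, and the function names are made up here.

```shell
#!/bin/sh
# Added example, not part of the original page: generate the CISCO_SPLIT_INC_*
# variables for the split-tunnel wrapper from a list of CIDR prefixes, so the
# dotted mask, the mask length and the CISCO_SPLIT_INC counter always agree
# (a counter lower than the number of entries leaves the extra routes uninstalled).

# Dotted netmask for a prefix length 0..32, computed with shell arithmetic.
masklen_to_mask() {
  m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  echo "$(( m >> 24 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Print the variable block for each "addr/len" argument in the layout the
# wrapper uses; protocol and ports stay 0 (all traffic) as in the wrapper above.
split_inc_vars() {
  echo "CISCO_SPLIT_INC=$#"
  n=0
  for cidr in "$@"; do
    addr=${cidr%/*}
    len=${cidr#*/}
    echo "CISCO_SPLIT_INC_${n}_ADDR=$addr"
    echo "CISCO_SPLIT_INC_${n}_MASK=$(masklen_to_mask "$len")"
    echo "CISCO_SPLIT_INC_${n}_MASKLEN=$len"
    echo "CISCO_SPLIT_INC_${n}_PROTOCOL=0"
    echo "CISCO_SPLIT_INC_${n}_SPORT=0"
    echo "CISCO_SPLIT_INC_${n}_DPORT=0"
    n=$((n + 1))
  done
}

# Stand-alone demonstration: the two ranges from the wrapper above plus a
# constructed /12 range to show a mask that is not octet-aligned.
split_inc_vars 147.0.0.0/8 172.0.0.0/8 10.16.0.0/12
```

Paste the printed lines into the wrapper in place of the hand-written CISCO_SPLIT_INC section, above the line that sources /etc/vpnc/vpnc-script.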
An example of the whole re-connect script with the split-tunnel built in:
mkdir /tmp/etc/vpnc
rm -f /tmp/etc/vpnc/vpnc.sh
echo '
#!/bin/sh
vpn_concentrator="host" ##enter ip or hostname of your Ipsec vpn concentrator
vpn_keepalive_host1="keepalive1" ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_keepalive_host2="keepalive2" ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_groupname="grid" ##enter the group name here
vpn_grouppasswd="grppasswd" ##enter the group password here
vpn_username="username" ##enter your username here
vpn_password="password" ##enter your password here
#--do not edit this--
#Written by Alain R. 28.Sep.2007
vpnc-disconnect
rm -f /tmp/etc/vpnc/vpn.conf
echo "
#!/bin/sh
# This is a wrapper for the vpnc-script overriding some variables needed
# for setting up split-tunneling
# this effectively disables changes to /etc/resolv.conf
INTERNAL_IP4_DNS=
# This sets up split networking regardless of the concentrators specifications.
# You can add as many routes as you want, but you must set the counter
# CISCO_SPLIT_INC accordingly. All requests to IP ranges NOT listed
# in the code below will NOT go through the VPN tunnel.
CISCO_SPLIT_INC=2
CISCO_SPLIT_INC_0_ADDR=147.0.0.0 #IP range to go into first tunnel
CISCO_SPLIT_INC_0_MASK=255.0.0.0 #Subnet Mask for first tunnel
CISCO_SPLIT_INC_0_MASKLEN=8 #Mask length
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0
CISCO_SPLIT_INC_1_ADDR=172.0.0.0 #IP range to go into the second tunnel
CISCO_SPLIT_INC_1_MASK=255.0.0.0 #Subnet mask
CISCO_SPLIT_INC_1_MASKLEN=8 #Mask length
CISCO_SPLIT_INC_1_PROTOCOL=0
CISCO_SPLIT_INC_1_SPORT=0
CISCO_SPLIT_INC_1_DPORT=0
# run the original script
. /etc/vpnc/vpnc-script
" > /tmp/etc/vpnc/wrapper.sh
chmod 700 /tmp/etc/vpnc/wrapper.sh
echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
Script /tmp/etc/vpnc/wrapper.sh
" >> /tmp/etc/vpnc/vpn.conf
pingtest1 () {
ping -q -c1 $param1 >> /dev/null
if [ "$?" == "0" ]; then
echo 0 #reachable
else
echo 1 #not reachable
fi
}
pingtest2 () {
ping -q -c2 $param2 >> /dev/null
if [ "$?" == "0" ]; then
echo 0 #reachable
else
echo 1 #not reachable
fi
}
while [ true ]; do
param1=$vpn_concentrator;
if [ "`pingtest1`" == "0" ]; then #Vpn concentrator reachable
doloop=1;
while [ $doloop -gt 0 ]; do
param1=$vpn_keepalive_host1;
if [ "`pingtest1`" == "0" ]; then
sleep 300
else
param2=$vpn_keepalive_host2;
if [ "`pingtest2`" == "0" ]; then
sleep 300
else
doloop=0;
vpnc-disconnect
vpnc /tmp/etc/vpnc/vpn.conf --dpd-idle 0
sleep 1
if [ "`pingtest1`" != "0" ]; then
sleep 10
fi
tundev="`ifconfig |grep tun |cut -b 1-4`"
iptables -A FORWARD -o $tundev -j ACCEPT
iptables -A FORWARD -i $tundev -j ACCEPT
iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE
sleep 9
fi
fi
done
else
sleep 10;
fi
done
return 0;
' >> /tmp/etc/vpnc/vpnc.sh
chmod 700 /tmp/etc/vpnc/vpnc.sh
/tmp/etc/vpnc/vpnc.sh&