Embedded Linux VPN Router Near Release

An anonymous reader writes "A new open source project aims to build a VPN router that supports all major routing protocols on a standardized hardware platform running embedded Linux. The "Linux Router Project - LR101" started in mid-2003 and plans a first release in January 2004. It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables, an other open source software, all compiled from source."

HA

[pheared]

It would be nice if they have High Availability on their feature list. Some nice solid appliances like this would be interesting.

Re:HA

[happymattu]

I was outsourced to a company who is working on a similar ALL IN WONDER gateway, VPN, ADSL / CABLE, VOIP networking device that packs a mean punch. I worked on the NAT configuration, IPTABLES, and consulted on the firewall. All my work was done on Embedded UcLinux (BRECIS) and compiled from source in C (MIPS GCC) to ROM. Huge scale project and the first rev is allready out, and the following 1.2 rev will be out Q1 or Q2 2004.

Re:HA

[bbdd]

i have several locations with the symantec 200 routers (pdf link) with dual wan ports.

i would love to replace them with an ipcop type of open source / flashdisk / bootable cd / etc firewall that supports dual wan ports.

would be nice with a dmz as well, so that would be 4 nics total. 2 wan with failover, dmz, and lan.

Re:HA

[happymattu]

It is open source, buy the parts and throw together your own !

Re:HA

[monkeydo]

Right, and since when are BGP and OSPF, "All major routing protocols?"

Re:HA

[Wavicle]

I just recently did a bunch of research on pricing stuff for doing embedded-systems-like projects on an Epia. Here's what I came up with:

Epia CL 10000 (1GHz C3 Nehemiah core with two LAN ports, I don't like that this requires a cooling fan, but it is the only dual lan configuration with a hardware RNG) $215

128MB PC2100 DDR (far more memory than is needed, and far more power consumptive than a "typical" embedded system, but the board requires DDR ram and finding something smaller than 128MB PC2100 is hard and more expensive) $21

IDE-to-CF adapter (you don't really want to use a mechanical hard drive, do you?) $29

128MB CF Card $29

150 Watt Power Supply (smallest I could find in a single AC input package, unfortunately it requires forced air cooling) $20

So that's $215+$29+$29+$25+$20 = $318 + S&H + Tax (if any)

It doesn't include the cost of the case, or your time to design a system that fits on the 128MB compact flash card, and draws a lot of power relative to your typical embedded system device. I didn't find a case I particularly liked for this set up, what I really wanted was a case that would allow me to replace the fans on the cpu and psu with a single super-quiet 120mm fan case.

Honestly I don't think that, as typical embedded systems like this go, the EPIA is a good choice. If you have an embedded kiosk system, I think it is great, but for something like a hardware router it is overkill.

A better solution may be a soekris board, which is designed for the embedded network appliance market, if it meets your processing requirements. The Soekris 4801-50 board has a 266MHz 586-class processor with 3 onboard lan ports, 128MB SDRAM and a CF adapter (and several other goodies) with a peak power load of 15W all for $235 in a package smaller than the EPIA.

The soekris board isn't good for much else though.

Re:HA

[Jon+Chatow]

You sure that the CL6000 doesn't have an RNG, but the CL10000 does? 'Cos the 6000 is fanless, after all - it would only cost a dozen or so dollars less, but ...

Re:HA

[Wavicle]

I'm fairly certain that only the Nehemiah core has Padlock, and the CL6000 doesn't have a Nehemiah core. Too bad though. If they had a fanless Nehemiah core mini-itx with the CLE266 mpeg accelerator, I'd think that'd be the most popular board around.

Re:HA

[Octorian]

But this device has one big feature you neglected to mention, that all of the "common low-end gateway boxes" seem to lack almost completely...

Dynamic routing
(BGP, OSPF, etc.)

Seriously, how can you call something a "router" when it doesn't even support any useful "routing protocols"?

Clarification needed.

[Mourgos]

Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project? Wouldn't a linuxfromscratch installation - with only the bare minimums - be a better idea? Just a thought.

Re:Clarification needed.

[wo1verin3]

It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables...

Yes.

Re:Clarification needed.

Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project?

Too me, stripped down implies it isn't whole anymore.

Re:Clarification needed.

[Mourgos]

I full blown distribution! I could have never imagined the idea of a router with a rootkit installed. I bet it's not gonna be long till this happens.

Isn't it missing something?

[Rosco+P.+Coltrane]

Where's PPTP? for a VPN router, it's kind of desirable ...

Re:Isn't it missing something?

[bzzzt]

According to the "tech details" page it's shipping with the Poptop pptp server...

Re:Isn't it missing something?

[Frennzy]

From TFA:

Version 0.3.9 des RootFS verfugbar What has been done? First, there are many changes in the LR101 Scripts; second, IP-Tables has been updated to 1.2.9 and a configuration interface, start it with command lrconfig , is available, now. DHCP has been tested, unfortunately PPPoE and PPtP not yet. If somebody could test this, please do so! ... please set the DEBUG Level in /etc/LR101/ppp/options.pppox0 to 9 and send the log ( /var/log/messages ) to support_at_linux-it-solutions.de. Thank you!

Re:Isn't it missing something?

[Rosco+P.+Coltrane]

Oh ok, nevermind then, I didn't see it in their main list.

Thanks.

Why not a WRV54G?

[greygent]

Or, just buy a Linux-based Linksys WRV54G for well under $200 with most, if not all the features of this project. No, I don't mean the WRT54g, I mean the WRV54G. Excellent piece of gear, VPN, firewalling, dmz, wireless (wep/wpa), snmp, yadda yadda.

Re:Why not a WRV54G?

[MonTempIar]

Well you could probably save some money if you got a similar Linksys router without the wireless capabilities of the one you linked to.

Re:Why not a WRV54G?

[CaptnMArk]

too bad these don't have a serial (for console) and USB2 ports (for external disk)

Re:Why not a WRV54G?

[no+soup+for+you]

WRV54G has max of 50 users. That might be a big deal for them, might not.

>= to

[bobbinFrapples]

Snapgear?

Re:Warning !

[Tony+Hoyle]

If that's true, then it's illegal for a US citizen to contribute to the 2.6.0 kernel too, since that has crypto in it.

Compiled from source...

[Binestar]

all compiled from source.

As opposed to say, a Linksys Router, which we all know is compiled from Cheerios. =)

Re:Well, good luck with this project, guys

[Rosco+P.+Coltrane]

The only market for this is some screwed up and corrupted country like Argentina or Nigeria, where they would get the software for free, use it in the government

In Nigeria, the government official in charge of IT is waiting for you to help him unlock those $20M from that deceased german businessman, in order to have funds to buy routers ...

RH8?

[Jeffrey+Baker]

Using a full blown RH 8 installations eems like an odd thing to do. Lots of people are using Soekris computers as routers, firewalls, access points, and VPNs, but they are generally run off stripped BSD or Linux installations with hardly any extraneous crap. Mine is running a very bare Debian installed into a 256MB compact flash.

Soekris

Re:RH8?

[kervel]

i was considering to buy a soekris, but when i added up all costs (shipping, ...) it turned out to be not worth the money. Soekris is silent okay, and powersaving okay, but the slow CPU limits the use to routing/firewalling/VPN/... and you can buy cheaper equipment for that.

Re:RH8?

[NevDull]

If you had read the article, you'd have seen that they are using 32MB CF. Do you really think they're running "a full blown RH 8 [sic] installations"?

Please check one:
[ ] I can't read
[ ] I choose not to read
[ ] I read the article, but I think that a full install of RedHat fits in 32MB
[ ] Please forgive my Debian zealotry

Re:RH8?

[Stinking+Pig]

I tried to check number one and now I've got a black mark on my monitor! This is all your fault you insensitive clod!

Re:RH8?

[funky+womble]

Routing/etc is a pretty common use for this kit, but plenty of other projects are well-suited, often much better than more common PC hardware due to some unusual features - the Elan chip on the net45xx has a high-res timer supported by FreeBSD, particularly nice for accurate timing (NTP or for other reasons)... The programmable 'error' LED could be used for indicating web hits on a personal homepage, show new email (some drivers support Morse code, so you could even indicate the sender's name), or various more useful things. There are 8 general-purpose I/O lines on the 45xx (12 on the 48xx) which gives a lot of options for control systems (home/greenhouse, lighting/heating/fans, model/robot controls, who knows...). The hardware watchdog timer on-board is quite a rare feature on kit this cheap too, and this and the unique serial-BIOS can be a lifesaver on remotely-installed kit.

Obviously they're not general-purpose computers (I doubt you'd want one for a file/DB server...) but there's still a lot that can be done with them, and the feature-set isn't available on some of the other small systems around the same price point (e.g. Nagasaki, VIA EPIA, Bonatech lex) - though of course, these have some features not built-in to Soekris boxes (e.g. onboard sound). Mind you, for e.g. a simple firewall or wireless AP, I don't think there's another small+silent PC that can compete with the price of a 4501 since the recent drop in price.

If you're in Europe, ordering from kd85.com reduces shipping costs (though in the UK, it may well still be cheaper to buy from the US, since the exchange rate is good at the moment, and shipping isn't all that expensive, though you do have to budget for VAT and around ~10 handling fee to Airborne/UPS, so a group-buy might make sense).

Re:RH8?

[malarkey]

now I've got a black mark on my monitor!>

just white it out.

All compiled from source?

I want a router where all the binaries were hand assembled, myself.

A different LRP

Is this the same Linux Router Project that was run by that crazy, paranoid survivalist guy? Or is that still dead?

Re:A different LRP

[GoneGaryT]

Don't know about the mental health of the author, but I did try LRP a couple of years ago on an old PC with 5 NICs plugged into it. It almost worked, AFAIR. Last time I looked, LRP had been abandoned.

I presume that this is a shiny, all-new LRP?

Re:A different LRP

[versus]

The successor to the LRP project is LEAF

We use it at our 50+ PC routers.

Re:Warning !

[BdosError]

Crypto export laws were relexed a long time ago (during the Clinton administration).

Just goes to support what I've observed about people who claim Mensa membership.

Not to be confused with...

[ScottSpeaks!]

...the Linux Router Project, a floppy-based 386-compatible micro-distro which served as the basis for (among other things) Coyote Linux.

Re:Not to be confused with...

[fataugie]

That's all well and good, but LRP was shutdown after Diesel Dave decided to call it quits. It was news on slashdot a few months ago (too lazy to link to it).

LEAF is the successor (LEAF).

Use a $80 wrt54g to do the same

[Jim+Buzbee]

Custom firmware for the wrt54g does/will do pretty much the same thing. Progress is very quick. See the forum here:

sveasoft

Still No Shiva Support on Linux

[PingXao]

This isn't the project's fault, I know, but there is a "major", albeit proprietary, VPN protocol that's still not supported on Linux. It's Shiva's SST (Shiva Secure Tunnel). It was originally developed by Shiva, then sold to Intel where it became part of the NetStructure family. I should point out that these VPN gateways also support IPSEC, but some companies - like mine - only permit access using the SST flavor tunnel.

Shiva never had any Linux client software. Intel never developed any either. Then it got sold to HP/Compaq which never developed any Linux client software either. Recently it was sold yet again to a new company called - interestingly enough - Shiva. (No relation to the original company.) Like I said, the SST protocol is proprietary so the lack of support on Linux isn't the fault of the Linux VPN Router project or the FreeSWAN project either. Maybe all that's needed is for someone to contact Shiva/Intel/HP/Shiva to see if they'd be willing to open up the SST spec. I don't know. Unless the Shiva Secure Tunnel protocol offers major advantages over IPSEC I can't imagine any reason why they'd keep it secret. Maybe they're only still using it for backwards compatibility or something, because to me it sure looks like all new developement is geared towards IPSEC. If that's the case I guess I'm screwed. My company flat out refuses to open any IPSEC tunnels on their NetStructure VPN appliances.

Re:Still No Shiva Support on Linux

[mdouglas]

I administered a Shiva vpn server in 2000/2001. I would have preferred to use the open standard IPSEC vs the proprietary SST; however their IPSEC option would not support RADIUS authentication. That was the deciding factor for going with SST. Aside from that it wasn't a bad product.

Re:Still No Shiva Support on Linux

[TheCrazyFinn]

It actually predates Shiva.

It was developed by Infocrypt, which Shiva bought, and Shiva was in turn eaten by Intel.

SST is legacy, as LANRovers have had IPSEC support since at least version 6.7.

If your company doesn't use IPSec, it's probably going to get left behind when Intel finally dumps the old and crufty SST protocol.

PPTP is UNdesirable

[billstewart]

The initial PPTP was a total botch, with seven major security flaws. Some of them have since been fixed, but it gives you some idea of the professionalism and quality that didn't go into the basic design. If you want to use a VPN for security, use IPSEC - and this project has FreeS/WAN IPSEC in it. If you really really want to use a VPN to transport lame non-IP legacy Microsoft LAN protocols, go pay Microsoft some money for one of their server projects, and charge the silly customer who's hiring you as a consultant because they don't want to upgrade to the 1990s for it. If you want to use a VPN to carry private IP addresses, but don't actually care about security, use IPSEC anyway, or use GRE tunnels.

Re:PPTP is UNdesirable

[jbr439]

How about if I want to use my home linux box to access my employer's Microsoft based network?

Do I downgrade my home box to Windows? Ans: when hell freezes over.

Do I get my employer to use IPSEC? Ans: not if my employer is an "all microsoft, all the time" kind of place. [although with MS supporting IPSEC in some form, that is changing]

In other words, contrary to what some of the less thoughtful may think, PPTP client functionality is a must for some of us; and telling us why we should not be using PPTP is, shall we say, less than helpful.

Re:PPTP is UNdesirable

[YU+Nicks+NE+Way]

You do know that GRE tunnels are the generic name for PPTP, don't you?

Re:PPTP is UNdesirable

[asdfghjklqwertyuiop]

I agree, IPsec is an over engineered pain in the ass if all you want is a simple encrypted tunnel. For that I reccommend openvpn. It is mature, easy to work with and works exactly like you'd expect. And they even have a windows port going on...

Re:PPTP is UNdesirable

[asdfghjklqwertyuiop]

PPTP uses GRE tunnels, it isn't synonymous with them.

Re:PPTP is UNdesirable

[Octorian]

The best solution for this I've found so far, is a program called OpenVPN. The thing is easy to configure, runs on most 'nix platforms, tunnels over UDP (I'm sorry, but IP over TCP is stupid), and works wonderfuly.

Re:PPTP is UNdesirable

[teqo]

Thanks for the rant, Bill. PPTP, esp. when MS-compatible, is way less secure than IPSec. Today, the biggest problem with PPTP is the connection between password strength and encryption strenght (see Schneier's analysis on PPTPv2 for details), and as soon as this problem is worked-around (see for example the Designfragen discussion for some CS department WLAN, if you can read German), PPTP is 'middle secure'.

What makes PPTP a tempting VPN protocol is it's availibility among different plattforms. Although some plattforms offer built-in IPSec support, these implementations often differ in certain details which harms interoperability a lot. We have extensions like XAUTH, L2TP, DHCP-over-IPSec, not to mention the many different options to be configured, and even the new Mac OS X Panther release does strange things with it's IPSec-L2TP implementation. Yes, you get beer-free VPN IPSec clients in case you buy expensive iron, Cisco for example, but for many this is too much money...

PPTP is for poor man's VPN only, but if this is enough security for your setting (and you can increase this through tight password policies), you will have instant VPN access from all kinds of common plattforms, free and not free ones...

IPSec is great, but seldomly available and/or not trivially deployable. PPTP is less secure, but it's out there... Life isn't always that simple.

Re:Well, good luck with this project, guys

[Mongo222]

By this logic Windows must be the most buggy software of all since Microsoft makes more money supporting it than all it;s competitors combined! Bigger profits through crappier software!

Re:Well, good luck with this project, guys

[Mongo222]

You'd honestly use WinXP as a router? I pray to god that you aren't responsible for network infrastructure at any company with sensitive data. This product has lead it's producer to start limiting it's patches to once a month mass bug updates because otherwise patching was causing it's uses too much downtime and man power. Your position is laughable.

Re:bah!

[elFarto+the+2nd]

....and its cool now?

Regards
elFarto

"RealTek/NE2000 compatible NICs for the DMZ"

[pmsr]

Having programmed some of these "beauties" in connection with a microcontroller, i must say they are shooting themselves in the foot. The first word that comes to my mouth is YUCK! I know all these 3Com and Intel network cards are more expensive, but they save time and money in the long run.

/Pedro

Re:"RealTek/NE2000 compatible NICs for the DMZ"

[smnolde]

RealTek is RealCrap. You get what you pay for.

From /usr/src/sys/pci/if_rl.c on my FreeBSD system:
* The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is
* probably the worst PCI ethernet controller ever made, with the possible
* exception of the FEAST chip made by SMC. The 8139 supports bus-master
* DMA, but it has a terrible interface that nullifies any performance
* gains that bus-master DMA usually offers.
*
* It's impossible given this rotten design to really achieve decent
* performance at 100Mbps, unless you happen to have a 400Mhz PII or
* some equally overmuscled CPU to drive it.

This is my favorite comment:
* Here's a totally undocumented fact for you. When the
* RealTek chip is in the process of copying a packet into
* RAM for you, the length will be 0xfff0. If you spot a
* packet header with this value, you need to stop. The
* datasheet makes absolutely no mention of this and
* RealTek should be shot for this.

More funny stuff:
* The RealTek is brain damaged and wants longword-aligned
* TX buffers, plus we can only have one fragment buffer
* per packet. We have to copy pretty much all the time.

Re:"RealTek/NE2000 compatible NICs for the DMZ"

[evil_one]

The Realtek NE2000 compatable nic is NOT the same as the Realtek 8139. Typically the realtek ne2000 is an 8029. Very different chip.

Re:"RealTek/NE2000 compatible NICs for the DMZ"

[pmsr]

Yes, true! The smell is the same, though.

/Pedro

Re:Warning !

[Homology]

If that's true, then it's illegal for a US citizen to contribute to the 2.6.0 kernel too, since that has crypto in it.

Indeed, export of cryptographic technology from USA is hampered with strong restrictions. So many Open Source projects are quite careful to avoid breaking laws by having (much) development done outside USA, and also letting release builds be done outside US as well.

For instance, OpenBSD has offered strong encryption for several years. The OpenBSD project is located in Canada, and a lot of development/release builds are done outside US. As Integrated Crypto shows :

Hence the OpenBSD project has embedded cryptography into numerous places in the operating system. We require that the cryptographic software we use be freely available and with good licenses. We do not directly use cryptography with nasty patents. We also require that such software is from countries with useful export licenses because we do not wish to break the laws of any country. The cryptographic software components which we use currently were written in Argentina, Australia, Canada, Germany, Greece, Norway, and Sweden.

When we create OpenBSD releases or snapshots we build our release binaries in free countries to assure that the sources and binaries we provide to users are free of tainting. In the past our release binary builds have been done in Canada, Sweden, and Germany.

before using ipsec...

[thanasakis]

..make sure that you have read this
Discusses some serious considerations before deciding to use ipsec and ike. And since ipsec/ike is the only serious solution in many cases, these concerns should not be taken lightly. For example did you know that the ike implementation in 2000/XP simply checks the signer of the servers certificate and not the actual identity that is signed? This means that any other user with a certificate which is signed by the same authority as you can impersonate the server.

The article is very lengthy, I know, but definitely worth your time.

Alternatives

[ScrewMaster]

There's a number of such projects out there ... Smoothwall is one. IPCop for another (although it is forked from Smoothwall.) I don't see this project as offering that much over similar ones.

Stick that in your pipe and combust it.

[TheScienceKid]

I beg to differ, Sir/Madam. So stick that in your pipe and combust it! (Proud member of British Mensa, a Linux user for over two years now and my first AS exam is on the 8th Jan so I think I've made my point.)

Low IQ Mensa member, and proud of it.

[Futurepower(R)]

I was a Mensa member. (I haven't paid my dues in a long time.) I just barely passed the test to get into the club. So, I may be the Mensa member with the lowest IQ.

Where is the usable VPN client?

[Burz]

I would like to see something that would let me access existing VPN routers from home.

Should be but...

[agoliveira]

Well, I had the same idea but, unfortunatly, I had nothing but trouble using OpenBSD and I tried the last 3 releases.
Basicaly, I had complete system freezes when under heavy load and unstable network drivers (can't remember wich ones right now but the interface dropped at random times).
I don't know if was me but I used the same hardware with IpCop (VIA-M boards actualy) without a hitch so I decided to stick with it.
I will probably try OpenBSD again as I like the idea but at least for me, right now, it's a dead fish - pun intended ;)

Redhat ruined my interest

[superpulpsicle]

You had my attention up to the point where you mentioned "redhat". The company that doesn't care about their nonprofit distro. Whoopie, now you got a vpn on it.

No security in obscurity

[anti-NAT]

Your company is very naive then. They are probably using the "nobody else is using it, so it will be more secure" argument.

Give somebody who can make that decision the results of the following google search - security in obscurity

The first article in this Crypto-Gram also explains the problem - Secrecy, Security, and Obscurity

An alternative: m0n0wall

[Jackson-The-Cat]

http://www.m0n0.ch/wall
If your interested in Linux or embedded VPN solutions, check out m0n0wall. Its excellent!

Its been done

[toaster13]

Umm...you guys do realize that www.snapgear.com has had embedded, ipsec/iptables equipped routers based on linux for years right? They're enterprise quality and I've had several deployed for over a year. This isn't new, nor is it exciting. Also, embedded implies that its not x86...or using a hard drive. This is a mini-itx based "router" running a distro that has no business being used as such.

I'll tell you what *I* would like to see it use...

[NerveGas]

I'd like to see one based on this bad boy.

4 gigE ports, each on it's own PCI-X controller. Between the two Xeons and whatever amount of memory you through at it, one of these could *easily* handle a great deal of BGP sessions, load-balancing, failover, as well as VPN and encryption.

With a board like that, a couple of Xeons, and a gig of memory, these could out-perform some very, very expensive commercial routers.

steve

True.

[leonbrooks]

One of my clients spent AUD$1500 buying one of these and having me fit it out with a Flash disk as a router supporting BGP (and much other stuff, if he ever needs it there). The alternative was paying AUD$6000 and on up (several outfits seriously quoted him well clear of AUD$20,000 for new Cisco gear), and other than when the owner one day using shutdown -h instead of shutdown -r to try to cure a problem that in the event was being caused by something else, it's had a flawless, zero-maintenance run.

Andrew Warenczak, the guy who designed the box, is looking at making a half-height version, making 4 completely independent servers in one RU of 19" rack.