Slashdot Mirror


Embedded Linux VPN Router Near Release

An anonymous reader writes "A new open source project aims to build a VPN router that supports all major routing protocols on a standardized hardware platform running embedded Linux. The "Linux Router Project - LR101" started in mid-2003 and plans a first release in January 2004. It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables, and other open source software, all compiled from source."

27 of 121 comments

  1. HA by pheared · · Score: 5, Interesting

    It would be nice if they have High Availability on their feature list. Some nice solid appliances like this would be interesting.

  2. Clarification needed. by Mourgos · · Score: 5, Insightful

    Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project? Wouldn't a linuxfromscratch installation - with only the bare minimums - be a better idea? Just a thought.

    1. Re:Clarification needed. by wo1verin3 · · Score: 2, Informative

      It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables...

      Yes.

    2. Re:Clarification needed. by Anonymous Coward · · Score: 2, Insightful
      Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project?

      To me, stripped down implies it isn't whole anymore.

  3. Isn't it missing something? by Rosco P. Coltrane · · Score: 4, Insightful

    Where's PPTP? For a VPN router, it's kind of desirable ...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Isn't it missing something? by bzzzt · · Score: 3, Informative

      According to the "tech details" page it's shipping with the Poptop pptp server...

  4. Why not a WRV54G? by greygent · · Score: 4, Insightful

    Or, just buy a Linux-based Linksys WRV54G for well under $200 with most, if not all the features of this project. No, I don't mean the WRT54g, I mean the WRV54G. Excellent piece of gear, VPN, firewalling, dmz, wireless (wep/wpa), snmp, yadda yadda.

    1. Re:Why not a WRV54G? by no soup for you · · Score: 2, Informative

      WRV54G has max of 50 users. That might be a big deal for them, might not.

      --
      If you blog it...
  5. Re:Warning ! by Tony Hoyle · · Score: 4, Insightful

    If that's true, then it's illegal for a US citizen to contribute to the 2.6.0 kernel too, since that has crypto in it.

  6. Compiled from source... by Binestar · · Score: 5, Funny

    all compiled from source.

    As opposed to say, a Linksys Router, which we all know is compiled from Cheerios. =)

    --
    Do you Gentoo!?
  7. RH8? by Jeffrey Baker · · Score: 4, Informative

    Using a full blown RH 8 installation seems like an odd thing to do. Lots of people are using Soekris computers as routers, firewalls, access points, and VPNs, but they are generally run off stripped BSD or Linux installations with hardly any extraneous crap. Mine is running a very bare Debian installed into a 256MB compact flash.

    Soekris

    1. Re:RH8? by kervel · · Score: 2, Interesting

      I was considering buying a Soekris, but when I added up all costs (shipping, ...) it turned out to be not worth the money. Soekris is silent okay, and powersaving okay, but the slow CPU limits the use to routing/firewalling/VPN/... and you can buy cheaper equipment for that.

    2. Re:RH8? by NevDull · · Score: 5, Funny

      If you had read the article, you'd have seen that they are using 32MB CF. Do you really think they're running "a full blown RH 8 [sic] installations"?

      Please check one:
      [ ] I can't read
      [ ] I choose not to read
      [ ] I read the article, but I think that a full install of RedHat fits in 32MB
      [ ] Please forgive my Debian zealotry

    3. Re:RH8? by Stinking Pig · · Score: 2, Funny

      I tried to check number one and now I've got a black mark on my monitor! This is all your fault you insensitive clod!

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
  8. Re:Warning ! by BdosError · · Score: 2, Insightful

    Crypto export laws were relaxed a long time ago (during the Clinton administration).

    Just goes to support what I've observed about people who claim Mensa membership.

    --
    Complexity is Easy. Simplicity is Hard.
  9. Not to be confused with... by ScottSpeaks! · · Score: 4, Informative

    ...the Linux Router Project, a floppy-based 386-compatible micro-distro which served as the basis for (among other things) Coyote Linux.

    1. Re:Not to be confused with... by fataugie · · Score: 3, Informative

      That's all well and good, but LRP was shut down after Diesel Dave decided to call it quits. It was news on Slashdot a few months ago (too lazy to link to it).

      LEAF is the successor (LEAF).

      --

      WTF? Over?

  10. Use a $80 wrt54g to do the same by Jim Buzbee · · Score: 4, Informative

    Custom firmware for the wrt54g does/will do pretty much the same thing. Progress is very quick. See the forum here:

    sveasoft

  11. PPTP is UNdesirable by billstewart · · Score: 3, Interesting

    The initial PPTP was a total botch, with seven major security flaws. Some of them have since been fixed, but it gives you some idea of the professionalism and quality that didn't go into the basic design. If you want to use a VPN for security, use IPSEC - and this project has FreeS/WAN IPSEC in it. If you really really want to use a VPN to transport lame non-IP legacy Microsoft LAN protocols, go pay Microsoft some money for one of their server projects, and charge the silly customer who's hiring you as a consultant because they don't want to upgrade to the 1990s for it. If you want to use a VPN to carry private IP addresses, but don't actually care about security, use IPSEC anyway, or use GRE tunnels.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:PPTP is UNdesirable by jbr439 · · Score: 3, Insightful

      How about if I want to use my home linux box to access my employer's Microsoft based network?

      Do I downgrade my home box to Windows? Ans: when hell freezes over.

      Do I get my employer to use IPSEC? Ans: not if my employer is an "all microsoft, all the time" kind of place. [although with MS supporting IPSEC in some form, that is changing]

      In other words, contrary to what some of the less thoughtful may think, PPTP client functionality is a must for some of us; and telling us why we should not be using PPTP is, shall we say, less than helpful.

  12. Re:Still No Shiva Support on Linux by mdouglas · · Score: 2, Interesting

    I administered a Shiva vpn server in 2000/2001. I would have preferred to use the open standard IPSEC vs the proprietary SST; however their IPSEC option would not support RADIUS authentication. That was the deciding factor for going with SST. Aside from that it wasn't a bad product.

  13. Re:Still No Shiva Support on Linux by TheCrazyFinn · · Score: 2, Informative

    It actually predates Shiva.

    It was developed by Infocrypt, which Shiva bought, and Shiva was in turn eaten by Intel.

    SST is legacy, as LANRovers have had IPSEC support since at least version 6.7.

    If your company doesn't use IPSec, it's probably going to get left behind when Intel finally dumps the old and crufty SST protocol.

    --
    "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
  14. "RealTek/NE2000 compatible NICs for the DMZ" by pmsr · · Score: 2, Interesting

    Having programmed some of these "beauties" in connection with a microcontroller, I must say they are shooting themselves in the foot. The first word that comes to my mouth is YUCK! I know all these 3Com and Intel network cards are more expensive, but they save time and money in the long run.

    /Pedro

    1. Re:"RealTek/NE2000 compatible NICs for the DMZ" by smnolde · · Score: 3, Interesting

      RealTek is RealCrap. You get what you pay for.

      From /usr/src/sys/pci/if_rl.c on my FreeBSD system:
      * The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is
      * probably the worst PCI ethernet controller ever made, with the possible
      * exception of the FEAST chip made by SMC. The 8139 supports bus-master
      * DMA, but it has a terrible interface that nullifies any performance
      * gains that bus-master DMA usually offers.
      *
      * It's impossible given this rotten design to really achieve decent
      * performance at 100Mbps, unless you happen to have a 400Mhz PII or
      * some equally overmuscled CPU to drive it.

      This is my favorite comment:
      * Here's a totally undocumented fact for you. When the
      * RealTek chip is in the process of copying a packet into
      * RAM for you, the length will be 0xfff0. If you spot a
      * packet header with this value, you need to stop. The
      * datasheet makes absolutely no mention of this and
      * RealTek should be shot for this.

      More funny stuff:
      * The RealTek is brain damaged and wants longword-aligned
      * TX buffers, plus we can only have one fragment buffer
      * per packet. We have to copy pretty much all the time.

    2. Re:"RealTek/NE2000 compatible NICs for the DMZ" by evil_one · · Score: 2, Informative

      The Realtek NE2000 compatible NIC is NOT the same as the Realtek 8139. Typically the Realtek NE2000 is an 8029. Very different chip.

      --
      Desperation is a stinky cologne
  15. Re:Warning ! by Homology · · Score: 3, Informative
    If that's true, then it's illegal for a US citizen to contribute to the 2.6.0 kernel too, since that has crypto in it.

    Indeed, export of cryptographic technology from USA is hampered with strong restrictions. So many Open Source projects are quite careful to avoid breaking laws by having (much) development done outside USA, and also letting release builds be done outside US as well.

    For instance, OpenBSD has offered strong encryption for several years. The OpenBSD project is located in Canada, and a lot of development/release builds are done outside US. As Integrated Crypto shows:

    Hence the OpenBSD project has embedded cryptography into numerous places in the operating system. We require that the cryptographic software we use be freely available and with good licenses. We do not directly use cryptography with nasty patents. We also require that such software is from countries with useful export licenses because we do not wish to break the laws of any country. The cryptographic software components which we use currently were written in Argentina, Australia, Canada, Germany, Greece, Norway, and Sweden.

    When we create OpenBSD releases or snapshots we build our release binaries in free countries to assure that the sources and binaries we provide to users are free of tainting. In the past our release binary builds have been done in Canada, Sweden, and Germany.

  16. before using ipsec... by thanasakis · · Score: 2, Informative

    ..make sure that you have read this
    Discusses some serious considerations before deciding to use ipsec and ike. And since ipsec/ike is the only serious solution in many cases, these concerns should not be taken lightly. For example, did you know that the ike implementation in 2000/XP simply checks the signer of the server's certificate and not the actual identity that is signed? This means that any other user with a certificate which is signed by the same authority as you can impersonate the server.

    The article is very lengthy, I know, but definitely worth your time.
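
The certificate check described in the last comment, modelled as an added example (it is not part of the original thread and is not the code of any real IKE implementation). It contrasts a signer-only policy with one that also binds the certificate to the configured gateway name; the CA name, host names and the `chain_ok` flag standing in for real signature verification are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data; names and CA are placeholders, not from the thread.
TRUSTED_CAS = {"CN=Example Corp VPN CA"}

@dataclass(frozen=True)
class PeerCert:
    subject_cn: str
    alt_names: tuple      # dNSName entries from subjectAltName
    issuer: str
    chain_ok: bool = True  # stands in for real signature and validity checks

def signer_only_check(cert):
    """Policy as described in the comment: any cert from a trusted CA passes."""
    return cert.chain_ok and cert.issuer in TRUSTED_CAS

def identity_bound_check(cert, expected_peer_id):
    """Signer check plus identity binding to the configured gateway name."""
    if not signer_only_check(cert):
        return False
    names = {n.lower() for n in cert.alt_names} or {cert.subject_cn.lower()}
    return expected_peer_id.lower() in names

def audit(presented, expected_peer_id):
    """Return subjects that pass the signer-only policy but fail identity binding."""
    return [c.subject_cn for c in presented
            if signer_only_check(c)
            and not identity_bound_check(c, expected_peer_id)]

GATEWAY = PeerCert("vpn.example.test", ("vpn.example.test",), "CN=Example Corp VPN CA")
USER = PeerCert("alice-laptop.example.test", ("alice-laptop.example.test",), "CN=Example Corp VPN CA")
FOREIGN = PeerCert("vpn.example.test", ("vpn.example.test",), "CN=Some Other CA")

if __name__ == "__main__":
    for cert in (GATEWAY, USER, FOREIGN):
        print(cert.subject_cn, cert.issuer,
              "signer-only:", signer_only_check(cert),
              "identity-bound:", identity_bound_check(cert, "vpn.example.test"))
    print("accepted only by the weak policy:",
          audit([GATEWAY, USER, FOREIGN], "vpn.example.test"))
```

The `audit` result is the useful defensive output: any peer listed there would be accepted as the gateway by a signer-only configuration.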