DSVR (Domain-Specific VPN Router)
If you're using a VPN service today, you may have found the following limitations:
- All or nothing. Either ALL traffic goes down the VPN or none - unable to be selective.
- Only one VPN at a time. Cannot selectively route certain sites down one VPN, and others down another VPN.
- Unless you've configured your VPN at the router level, it's likely that only a single device can use your VPN at one time.
This project serves to address each of the above - see the FEATURES section.
Please review my blog post here http://darranboyd.wordpress.com/2013/07/05/selective-vpn-routing-solution-dsvr/
FEATURES:
- Per-site VPN routing down specific VPN connections whilst all other traffic goes down the native internet connection, for example:
  - ussite1.com -> United States based PPTP VPN
  - ussite2.com -> United States based PPTP VPN
  - uksite1.com -> United Kingdom based PPTP VPN
  - uksite2.com -> United Kingdom based PPTP VPN
  - all other sites -> Native internet connection
- Supports multiple concurrent PPTP connections
- Transparent in-line device - no configuration changes required on any other network components or clients
- User specified DNS server for per-site DNS queries, for privacy from your ISP.
- Stateful firewall (SPI)
- Port Forwarding & uPnP on existing router/AP not affected (see TODO)
- CLI access via SSH
- Web administration portal
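The per-site routing feature above can be pictured as a small DNS proxy that sits between the LAN and the resolvers: names that belong to a VPN profile are resolved through that profile's DNS server, and every address in the answer gets a /32 route pinned to that profile's tunnel interface, so only that site's traffic goes down the tunnel and everything else stays on the native connection. The following is an added illustration of that idea, not DSVR's own DNSRouter code; the interface names (ppp0, ppp1), resolver addresses and sample answers are constructed for the example. It also shows a check a practitioner would want: an answer that falls inside the LAN (192.168.1.0/24 as the README assumes) or the Pi's inside network is never pinned to a tunnel, so a hostile or broken resolver cannot re-route the LAN gateway.

```python
"""Added example of per-site DNS-driven routing (not DSVR's own code)."""

import ipaddress
import subprocess
from dataclasses import dataclass

# Networks that must never be pinned to a tunnel, whatever a resolver answers:
# the README's assumed LAN segment and the Pi's inside network.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("10.254.254.0/24")]


@dataclass(frozen=True)
class VpnProfile:
    name: str        # label shown in the web admin
    iface: str       # ppp interface the PPTP tunnel comes up on (assumed name)
    dns_server: str  # resolver used for this profile's names, not the ISP's
    domains: tuple   # names (and their subdomains) routed down this tunnel


def match_profile(qname, profiles):
    """Longest-suffix match, so 'www.ussite1.com' follows 'ussite1.com'."""
    qname = qname.rstrip(".").lower()
    best, best_len = None, -1
    for profile in profiles:
        for domain in profile.domains:
            domain = domain.rstrip(".").lower()
            hit = qname == domain or qname.endswith("." + domain)
            if hit and len(domain) > best_len:
                best, best_len = profile, len(domain)
    return best


def resolver_for(qname, profiles, default_dns):
    """Per-site names go to the profile's resolver; everything else to the default."""
    profile = match_profile(qname, profiles)
    return profile.dns_server if profile else default_dns


def routable(ip):
    """Refuse to pin loopback, link-local, multicast or LAN-side answers."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False  # the PPTP tunnels here carry IPv4 only
    if (addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified):
        return False
    return not any(addr in net for net in LOCAL_NETS)


def route_commands(answer_ips, profile):
    """One host route per acceptable A-record answer, via the tunnel interface."""
    return [f"ip route replace {ip}/32 dev {profile.iface}"
            for ip in answer_ips if routable(ip)]


def handle_answer(qname, answer_ips, profiles, apply=False):
    """Called when a DNS answer passes back through the proxy.

    Returns the route commands chosen for this answer and runs them only
    when apply=True (which needs root on the router)."""
    profile = match_profile(qname, profiles)
    if profile is None:
        return []  # native internet connection: nothing to pin
    cmds = route_commands(answer_ips, profile)
    if apply:
        for cmd in cmds:
            subprocess.run(cmd.split(), check=True)
    return cmds


# Constructed profiles mirroring the README's example site mapping.
PROFILES = (
    VpnProfile("us", "ppp0", "198.51.100.53", ("ussite1.com", "ussite2.com")),
    VpnProfile("uk", "ppp1", "198.51.100.54", ("uksite1.com", "uksite2.com")),
)

if __name__ == "__main__":
    # Constructed default resolver and sample answers, including one LAN address
    # that must be refused.
    print(resolver_for("ussite1.com", PROFILES, "192.0.2.53"))
    print(handle_answer("www.uksite2.com", ["203.0.113.7", "192.168.1.1"], PROFILES))
```

The routes are host routes on the tunnel's point-to-point interface, so they do not disturb the default route; `ip route replace` makes the operation idempotent when the same name is resolved again.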
Existing components required:
- Separate Modem/CE device with ethernet and DHCP server
- Separate Router/AP to provide Wifi/Wired access to clients
- Minimum of one PPTP VPN account from a service provider. Else it'll just be a pass-through router/firewall.
New components required:
- Raspberry Pi (Model B, 512mb RAM)
- SD Card (4gb min) flashed with Raspbian Wheezy
- Power source for Raspberry Pi
- USB NIC adapter (suggest Apple model: A1277)
- Standard Ethernet cable
Limitations:
- Theoretical 100 Mbit/s throughput - likely less, because the RPi's network interfaces run over its USB bus.
- Cannot perform source-based VPN routing without removing the existing NAT boundary, so that real source addresses can be determined (see WIKI for workaround).
- Currently assumes your LAN subnet is 192.168.1.0 (see TODO)
- Currently only supports PPTP based VPNs (see TODO)
Tested on:
- Raspbian Wheezy (2012-12-16)
- StrongVPN PPTP VPN accounts
Installation:
- Flash your SD card with Raspbian (Wheezy 2012-12-16): http://downloads.raspberrypi.org/images/raspbian/2012-12-16-wheezy-raspbian/2012-12-16-wheezy-raspbian.zip
- Boot up your RPi with the on-board NIC plugged into your network (without the USB NIC installed), so that it obtains a DHCP address.
- Determine the RPi's IP address (hint: look at your router's web interface) and SSH into it:
  ssh pi@ipaddress
- Run sudo raspi-config and set: expand_rootfs, change_pass, change_locale, change_timezone, boot behaviour (desktop: no). Reboot when prompted: yes.
- SSH back into the RPi, then update apt:
  sudo apt-get update && sudo apt-get install ca-certificates
- Install git:
  sudo apt-get install git
- In case you're not already there, move to the home directory.
- Download DSVR from git:
  git clone https://github.com/dboyd13/DSVR.git ./dsvr-source
- Run the install script (inside the dsvr-source folder) with sudo:
  sudo ./installdsvrpackage.sh
  Take note of any errors that come up; the failure to start the ISC DHCP Server at this stage is expected and not an issue. This will take a while, as a number of dependent packages are installed from the web.
- Remove the source folder:
  rm -r ~/dsvr-source
- Power down the RPi:
  sudo shutdown -h now
Wiring:
- With the power off, plug the USB NIC into an available USB port.
- Wire your RPi inline between your existing Modem/CE and your existing Router/Access Point as follows:
  - eth0 (onboard) is the 'internet side'
  - eth1 (usb) is the 'lan side'

                    eth (inside)                       eth (wan)
                    DHCP Server                        DHCP Client
                    NAT (Hide)
    +----------+    +--------+    +-------------+    +--------------+    +----------+
    | PUBLIC   |<---+ Modem/ |<---+ Raspberry   |<---+ Router/      |<---+ INTERNAL |
    | INTERNET |    | CE     |    | Pi          |    | Access Point |    | CLIENTS  |
    +----------+    +--------+    +-------------+    +--------------+    +----------+
                                  eth0 (onboard)    eth1 (usb)
                                  DHCP Client       10.254.254.254
                                  NAT (Hide)        DHCP Server
                                  VPN gateway       Web admin server
                                                    SSH server
- Power-up the RPi, whilst it's booting power-down and power-up both your Modem/CE and your Router/Access Point
- Wait a while for things to come up, I'd guess around 3-5mins
- On your Router/Access Point verify that the WAN interface has received a DHCP lease from the RPi, something in the 10.254.254.x range
- Verify that the internet is still working from your client machines. If not, wait a while longer; if it still does not work, something has gone wrong.
- Verify you can ssh to your RPi (ssh pi@10.254.254.254), and verify that the RPi can access the internet both via IP and DNS.
- Verify that you pass the ShieldsUp! (www.grc.com/shieldsup) 'All Service Ports' stealth test, this is to test the SPI firewall is functional.
The device should be a functional pass-through router/firewall at this point, see the next section to setup per-site VPNs.
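As an added illustration of what the pass-through router/firewall stage has to provide (this is not DSVR's installer or its actual rule set), the function below emits an iptables-restore rule set for the interface roles described above: eth0 as internet side, eth1 as LAN side carrying 10.254.254.0/24, and ppp+ for the PPTP tunnels. Unsolicited traffic arriving on eth0 is dropped rather than rejected, which is what the ShieldsUp! 'All Service Ports' stealth test checks; LAN clients are forwarded out either the native connection or a tunnel, with hide NAT on both, and only the Pi's own SSH, web admin and DNS are reachable, and only from the LAN side. Nothing is applied unless DSVR_APPLY=1 is set; the interface and network values are assumptions taken from the wiring section.

```shell
#!/bin/sh
# Added example rule set for an inline router/firewall (not DSVR's own code).
# Interface roles are assumed from the wiring diagram above.
WAN_IF="${WAN_IF:-eth0}"             # internet side, DHCP client
LAN_IF="${LAN_IF:-eth1}"             # LAN side, 10.254.254.254
LAN_NET="${LAN_NET:-10.254.254.0/24}"

# Print the rule set in iptables-restore format.
dsvr_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections the Pi itself opened (SPI).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management services, reachable from the LAN side only: SSH, web admin, DNS proxy.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# DHCP requests from the Router/AP's WAN port (the Pi is its DHCP server).
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
# Nothing unsolicited from the internet side reaches the Pi: policy DROP, no REJECT.
# Forwarding: LAN clients out via the native connection or a PPTP tunnel,
# return traffic only by connection state.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o ppp+ -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Hide NAT on both the native uplink and every tunnel.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
EOF
}

# Apply only when explicitly asked; otherwise just show the rules.
dsvr_firewall_apply() {
    if [ "${DSVR_APPLY:-0}" = "1" ]; then
        dsvr_firewall_rules | iptables-restore
    else
        dsvr_firewall_rules
    fi
}
```

Note that the PPTP data channel is GRE (IP protocol 47): for its replies to count as ESTABLISHED the nf_conntrack_pptp helper must be loaded on the Pi, otherwise a narrowly scoped accept rule for GRE from each VPN server's address is needed on the WAN side.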
Per-site VPN setup:
1. Browse to http://10.254.254.254
2. Click 'add' to add a PPTP VPN connection
3. Input all fields (note that the VPN server MUST be an IP address - see TODO), and specify which sites you want routed down this connection. It is suggested that you include a unique 'ip address checker' site (aruljohn.com, strongvpn.com) for each connection - this will help in verifying that it's functional.
4. Click 'update', then 'back'
5. Repeat steps 2-4 for each required PPTP VPN.
6. Reboot the router
7. Wait - maybe 3-5 mins - then test that per-site VPN routing is functional. If you included a unique 'ip address checker' site for each connection, this is the best initial test.
Should be working now. Enjoy.
TODO:
- 'DMZ' for inside interface to circumvent double-NAT issues (e.g. uPnP, port forwarding, VPN server)
- Run/debug and fix.
- Add Y/N prompt to explain what needs to happen once the installer completes (wiring, IP to connect to, setup PPTP connections)
- create scripts to refresh files in installstubs/
- create VERSION file based on provided arg
- Allow hostname OR IP address input/parsing/encoding for peer VPN server. - FIXED.
- Read and display VERSION file
- Don't assume 'require-mppe-128' and allow user to specify PPTP encryption (or not)
- Read and display VERSION file
- make webadmin look better on iPad webkit browser
- form input validation
- Authentication for webadmin
- Add support for OpenVPN
- Allow change from 10.254.254.254 inside default (remember dhcpd.conf and DNSRouter init changes needed too!)
- Installer to prompt user for variables such as - inside IP address, LAN segment, install location
- don't assume 192.168.1.0 is LAN segment for routes and iptables
Credits:
Portions of code taken from the dnschef project (https://thesprawl.org/projects/dnschef/) Copyright (C) 2013 Peter Kacherginsky. All rights Reserved.
License:
DSVR (Domain Specific VPN Router) Copyright 2013 Darran Boyd, dboyd13 [at @] gmail.com

Licensed under the "Attribution-NonCommercial-ShareAlike" Vizsage Public License (the "License"). You may not use this file except in compliance with the License. Roughly speaking, non-commercial users may share and modify this code, but must give credit and share improvements. However, for proper details please read the full License, available at http://vizsage.com/license/Vizsage-License-BY-NC-SA.html and the handy reference for understanding the full license at http://vizsage.com/license/Vizsage-Deed-BY-NC-SA.html

Unless required by applicable law or agreed to in writing, any software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
References:
- ASCII diagram: http://www.asciiflow.com/#Draw8450497916007412677/1697158644
- To properly calculate memory usage in the presence of disk caching: http://www.linuxatemyram.com/index.html