I am setting up a secondary (DD-WRT) router to act as an OpenVPN client so that all clients get VPN access simply by connecting to the router. But it seems the clients' traffic is always routed via the main gateway instead of the established VPN tunnel.
Traffic from clients connected to my DD-WRT is routed through my gateway router, not through the VPN tunnel tun0.
I think I need to forward traffic from the br0 interface to the tun0 interface. I have tried the following iptables rules and checked that IPv4 forwarding is enabled.
cat /proc/sys/net/ipv4/ip_forward ==> 1
cat /proc/sys/net/ipv4/conf/tun0/forwarding ==> 1
cat /proc/sys/net/ipv4/conf/br0/forwarding ==> 1
# These rules are saved by pressing the 'Save firewall' button
# and rebooting the DD-WRT router.
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
And separately
# These rules are saved by pressing the 'Save firewall' button
# and rebooting the DD-WRT router.
iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.66.0/24 -d 192.168.2.0/24 -j ACCEPT
I don't post VPN server/client configs because the client can connect to the server without errors and both ping and wget commands work properly from inside the DD-WRT.
So, my question is:
How do I route all traffic from clients connected to the DD-WRT to its OpenVPN tunnel tun0? Am I using iptables incorrectly? Add a new route perhaps?
If some info is missing please ask. Thank you in advance! :)
P.S. More info below.
ROUTING TABLE (after VPN tunnel is up)
root@DD-WRT:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
87.219.xxx.xxx 192.168.2.1 255.255.255.255 UGH 0 0 0 br0
192.168.66.1 192.168.66.5 255.255.255.255 UGH 0 0 0 tun0
192.168.66.5 * 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 192.168.66.5 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.66.5 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 192.168.66.5 128.0.0.0 UG 0 0 0 tun0
default 192.168.2.1 0.0.0.0 UG 0 0 0 br0
IP ROUTE SHOW
root@DD-WRT:~# ip route show
87.219.xxx.xxx via 192.168.2.1 dev br0
192.168.66.1 via 192.168.66.5 dev tun0
192.168.66.5 dev tun0 proto kernel scope link src 192.168.66.6
192.168.5.0/24 via 192.168.66.5 dev tun0
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.160
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 192.168.66.5 dev tun0
128.0.0.0/1 via 192.168.66.5 dev tun0
default via 192.168.2.1 dev br0
IP RULE SHOW
root@DD-WRT:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
OpenVPN CLIENT LOG
root@DD-WRT:~# cat /var/log/messages | grep openvpn
May 24 15:47:21 DD-WRT daemon.notice openvpn[699]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 12 2010
May 24 15:47:21 DD-WRT daemon.warn openvpn[699]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
May 24 15:47:21 DD-WRT daemon.notice openvpn[702]: UDPv4 link local: [undef]
May 24 15:47:21 DD-WRT daemon.notice openvpn[702]: UDPv4 link remote: 87.219.xxx.xxx:1194
May 24 15:47:23 DD-WRT daemon.notice openvpn[702]: [server] Peer Connection Initiated with 87.219.xxx.xxx:1194
May 24 15:47:25 DD-WRT daemon.notice openvpn[702]: TUN/TAP device tun0 opened
May 24 15:47:25 DD-WRT daemon.notice openvpn[702]: /sbin/ifconfig tun0 192.168.66.6 pointopoint 192.168.66.5 mtu 1500
May 24 15:47:26 DD-WRT daemon.notice openvpn[702]: Initialization Sequence Completed
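The routing table above already sends the router's own Internet-bound packets into the tunnel: the two half-width routes 0.0.0.0/1 and 128.0.0.0/1 via 192.168.66.5 win over "default via 192.168.2.1" by longest-prefix match (this is the split-default trick OpenVPN uses instead of replacing the default route). The script below is an added example, not part of the question or of DD-WRT; it replays that lookup over the "ip route show" output from the post (embedded as a constructed sample, with the anonymised VPN server address replaced by the TEST-NET placeholder 203.0.113.10) and flags any address that would leave via an interface other than tun0. It models only the main table, which is sufficient here because "ip rule show" lists no policy rules. On the router itself, "ip route get ADDRESS" asks the kernel the same question. Note what the model cannot see: it decides the path for packets that actually enter the DD-WRT's routing code (its own traffic and anything it forwards); a LAN client that sits on 192.168.2.0/24 with 192.168.2.1 as its own default gateway hands packets to that gateway directly and never consults this table, so checking which gateway the clients' DHCP lease gives them is the first thing to confirm.

```shell
#!/bin/sh
# Constructed sample: the "ip route show" output from the question. The VPN
# server address is a TEST-NET placeholder, not the real (anonymised) address.
ROUTES='203.0.113.10 via 192.168.2.1 dev br0
192.168.66.1 via 192.168.66.5 dev tun0
192.168.66.5 dev tun0 proto kernel scope link src 192.168.66.6
192.168.5.0/24 via 192.168.66.5 dev tun0
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.160
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 192.168.66.5 dev tun0
128.0.0.0/1 via 192.168.66.5 dev tun0
default via 192.168.2.1 dev br0'

# route_dev ADDR : print the outgoing interface the table selects for ADDR,
# using longest-prefix match exactly as the kernel does for the main table.
route_dev() {
    printf '%s\n' "$ROUTES" | awk -v dst="$1" '
    # Dotted quad -> 32-bit number (awk doubles hold this exactly).
    function ip2n(s,    a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    BEGIN { best = -1; d = ip2n(dst) }
    {
        pfx = ($1 == "default") ? "0.0.0.0/0" : $1
        n = split(pfx, p, "/")
        len = (n == 2) ? p[2] + 0 : 32      # a bare host route is a /32
        # Integer division by 2^(32-len) discards the host bits, leaving the
        # network part of both addresses for comparison (no bitwise ops needed).
        if (int(d / 2 ^ (32 - len)) == int(ip2n(p[1]) / 2 ^ (32 - len)) && len > best) {
            best = len
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        }
    }
    END { print dev }'
}

# leak_check ADDR... : report every address that would bypass the tunnel.
# Returns 0 when all given addresses leave via tun0, 1 otherwise.
leak_check() {
    rc=0
    for a in "$@"; do
        dev=$(route_dev "$a")
        [ "$dev" = tun0 ] || { echo "LEAK: $a via $dev"; rc=1; }
    done
    return $rc
}

# Stand-alone run: one address from each half of the split default, plus the
# VPN server itself, which must keep using the real gateway or the tunnel
# cannot be built.
route_dev 8.8.8.8
route_dev 200.1.1.1
leak_check 8.8.8.8 200.1.1.1 || echo "tunnel does not cover the whole Internet"
leak_check 203.0.113.10 || echo "(expected: the VPN endpoint is the one legitimate exception)"
```

The one address that must legitimately bypass the tunnel is the VPN server's own, which is why the /32 host route via 192.168.2.1 sits at the top of the table; anything else reported as a leak means the split default is not in place.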
Is interface forwarding enabled? cat /proc/sys/net/ipv4/ip_forward needs to report 1, or both cat /proc/sys/net/ipv4/conf/tun0/forwarding and cat /proc/sys/net/ipv4/conf/br0/forwarding need to report 1. (the first enables forwarding globally, the second enables it per interface -- it can be done either way) – Andrew B May 24 '14 at 16:18
Did you try creating a bridge? I use such setup with tap adapter. For tun you might need NAT via iptables – Alec Istomin May 24 '14 at 21:24
@alec-istomin I use tunneling because Android clients use OpenVPN Connect application and only tunneling is supported for that. To make the VPN available for all tunneling was the best option. – user1534160 May 25 '14 at 6:36
@alec-istomin To use NAT I must put the DD-WRT to Gateway mode, right? Wouldn't this cause issues because the primary router is also working as gateway? – user1534160 May 25 '14 at 6:37
Here I'm assuming that the LAN and VPN interfaces on the server are br0 and tun0, respectively.
# Enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow postrouting to tun0. You may want to use "-s" here to strictly limit forwarding to IPs on your LAN.
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Enable forwarding from the LAN to the VPN (and back via related and established connections).
# Again, you may want to use "-s".
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
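The answer's rules work as typed, but a DD-WRT firewall script is re-run whenever the firewall is reloaded, and plain "-A" then stacks duplicate rules, and without "-s" every source that can reach the router gets masqueraded into the tunnel. The script below is an added example, not the answer's own code: it installs the same MASQUERADE and FORWARD rules, restricted to the LAN subnet as the answer suggests, and checks with "iptables -C" before appending so it is safe to run repeatedly. The interface names, the subnet, and the IPT variable (which lets the commands be captured instead of executed, as the stand-alone run and the test do) are assumptions.

```shell
#!/bin/sh
# Constructed defaults; override through the environment on the router.
LAN_IF=${LAN_IF:-br0}
VPN_IF=${VPN_IF:-tun0}
LAN_NET=${LAN_NET:-192.168.2.0/24}
IPT=${IPT:-iptables}   # command used for every rule; point it at a stub to dry-run

# add_rule TABLE CHAIN RULE... : append RULE to CHAIN only if "-C" reports it
# absent, so repeated runs of the firewall script do not pile up copies.
add_rule() {
    table=$1; chain=$2; shift 2
    if ! "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -t "$table" -A "$chain" "$@"
    fi
}

# vpn_forwarding_rules : enable forwarding and install the LAN -> VPN ruleset.
vpn_forwarding_rules() {
    # Global forwarding switch; silently skipped where /proc is not writable
    # (for instance when dry-running the script off the router).
    { echo 1 > /proc/sys/net/ipv4/ip_forward; } 2>/dev/null || true
    # Source NAT: LAN addresses are hidden behind the router's tunnel address,
    # so the VPN server never needs a route back to 192.168.2.0/24.
    add_rule nat POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    # Only hosts on the LAN subnet may open connections into the tunnel ...
    add_rule filter FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$VPN_IF" -j ACCEPT
    # ... and only replies to those connections are allowed back in.
    add_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Stand-alone run: "apply" executes the rules with the real iptables; with no
# argument the commands are only printed through a stub, for review.
if [ "${1:-}" = apply ]; then
    vpn_forwarding_rules
else
    IPT=print_rule
    print_rule() { case " $* " in *" -C "*) return 1 ;; esac; printf 'iptables %s\n' "$*"; }
    vpn_forwarding_rules
fi
```

With the binary-search-style "-C" check, the script can be pasted into DD-WRT's firewall script and re-applied after a tunnel restart without inspecting "iptables -L" first; the RELATED,ESTABLISHED rule is deliberately bound to "-i tun0 -o br0" so that it cannot accidentally admit new inbound connections from the VPN side.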
When creating new blog post content, the goal should be to make it popular, to get most readers to engage, and to start a dialogue around your content. I summarize four tips for promoting blog posts online in the following article: http://iearningtips.com/tips-of-using-web-master-tools-for-promoting-blog-posts/
Although driving traffic through social networking and social media is important, don't let socializing supersede your "creation" tasks. Valuable content leads to business growth. If you are not building quality content and are only socializing, your business is going to suffer as a result. Read the following article for more discussion of social networking for an online business: http://iearningtips.com/driving-traffic-with-social-networking/
Choose a product that interests you and then build a web site to promote it. The next step is to get ranked in Internet search engines including Google, Bing, Yahoo, Facebook, Baidu, etc. If visitors browse your web site and buy the product via your affiliate link, then you can make money. Does it sound simple? Read the following for more information on making money online: http://iearningtips.com/tips-to-make-money-online-with-internet-marketing/
PacketFence is a fully supported, trusted, free and open source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks. Among the different markets are:
banks
colleges and universities
engineering companies
convention and exhibition centers
hospitals and medical centers
hotels
manufacturing businesses
school boards (K-12)
telecommunications companies
Why do I need PacketFence?
Do you want to efficiently handle guests on your network? Is your network a breeding ground for computer worms and viruses? Can anyone connect to your network without your knowledge? If so, PacketFence is for you.
Info Source: http://www.pcworld.com/article/2031443/how-to-set-up-public-wi-fi-at-your-business.html
Offering wireless Internet access for guests can open new doors for your business. For a cafe or restaurant, customers are more likely to stay longer, purchase more items, and return knowing they can use a Wi-Fi connection. For motels and hotels, Wi-Fi is one of travelers' deciding factors when selecting where to stay. Offering guest wireless access from an otherwise private office can be beneficial too, as it provides outside associates, contractors, and other visitors with a reliable Internet connection.
Although mobile carriers have covered much of the nation’s more-populated areas with wireless 4G Internet access, Wi-Fi connections can provide faster speeds and usually aren’t subject to usage limits. Plus Wi-Fi can be offered where 4G access isn’t available, as well as for laptops, tablets, and other mobile devices that aren’t 4G-equipped.
Protecting your private network
The simplest way you might think to offer public or guest Wi-Fi access is to let people on an existing Wi-Fi network used by the business, but this isn’t secure. Allowing outsiders on the private network could open your company up to hacking and data theft.
Private wireless networks should be encrypted with WPA2-Personal security, at least, to keep others from connecting and eavesdropping on your network traffic. Businesses with more than a handful of Wi-Fi users should consider using WPA2-Enterprise security, requiring a RADIUS server or service, to better secure and manage Wi-Fi access. For more on that, here are 8 Wi-Fi security tips to protect your small business.
Using existing equipment
Businesses with an existing private Wi-Fi network might be able to offer public or guest access safely without purchasing additional hardware. Some consumer and small-office wireless routers offer a guest access feature. When guest access is enabled, users will see another network name (known as an SSID) in the list of available networks on their Wi-Fi devices, and its access will be separated from the main network.
Business-class routers and access points (APs) typically offer multiple SSID and virtual LAN (VLAN) features. When these features are set up properly, multiple wireless network names (SSIDs) can be broadcasted with varying levels of security, one of which could be a guest network safely segregated from your private network.
Using hotspot equipment for better features
Purchasing or setting up wireless hardware specifically designed for offering Wi-Fi hotspot access provides some useful features that most traditional routers and APs lack. For instance, for legal purposes you may want to require users to accept Terms of Service (ToS) before accessing the Internet. When shopping around for hotspot equipment, this feature is called a captive portal. You may also want to impose time and bandwidth limits, or even charge for the Wi-Fi access. For features like these you’ll likely have to purchase or set up additional hardware specifically designed for Wi-Fi hotspots.
Private and guest Wi-Fi networks
If you’re a do-it-yourselfer, you could upgrade a Linksys or other compatible wireless router with free third-party firmware, which replaces the router’s software to add additional features. The CoovaAP firmware includes a captive portal to require end users to accept ToS. It can also require that they log in via either self-registration or with access codes you create. CoovaAP's firmware also offers traffic shaping controls that let you limit bandwidth for guests.
The DD-WRT firmware offers many general Wi-Fi features and customizations in addition to hotspot features. It includes a simple integrated captive portal and supports third-party servers and services for more complex hotspot setups.
However, keep in mind that neither the CoovaAP nor DD-WRT firmware offers an easy way to segregate access to your private network. So, unless you’re comfortable making customizations, you’d probably need to connect the router to a separate Internet connection, or to a guest VLAN if your existing equipment supports it.
(Image: Open Mesh access points)
If you want more of a quick, plug-and-play hotspot setup, consider purchasing the Fonera Simpl router from Fon. It offers simultaneous private and public Wi-Fi signals, so it’s best used as a replacement for any existing router you have. On the public signal, visitors are given one hour of daily Wi-Fi access. After that, revenue from additional time visitors purchase is split 50/50 between your company and Fon. However, users must sign up and log in with Fon in order to access the Internet. This could help increase the safety of your hotspot, but it can annoy visitors wanting quick, free access.
To offer public or private Wi-Fi access over a larger area that a single wireless router doesn’t cover, one economical option is Open Mesh. It’s designed to provide both private and public wireless access easily, with hotspot features including a captive portal and speed limits. Plus, it uses the wireless mesh technique, which means that not all the wireless APs have to be wired back to the router or switch, making installation easier.
Another option is to purchase and use a hotspot gateway, basically a router specifically designed for offering hotspot access. These generally include the most hotspot features and functionality, and are especially useful for large deployments like at large hotels or venues. There are many vendors to choose from, including ZyXEL, Intellinet, 4ipnet, and Handlink.
Taking the final steps
Remember, always ensure that your private network is kept separate from any public networks, and encrypted with WPA2 security. If you want to offer simple public access, check if your current wireless router or access points (APs) have a guest feature, or that they support multiple SSIDs and VLANs for business-class products.
If you're up to the tech challenge, you could upgrade a compatible wireless router with third-party firmware to get hotspot features. If not, consider getting the Fon router. To cover a larger area, look into Open Mesh. If you’d like all the bells and whistles, shop for a hotspot gateway.
Whatever hotspot setup your company adopts, it’s a good idea to enable content filtering, as you probably don’t want visitors surfing inappropriate websites. Some routers and hotspot setups offer a content filter. If yours does not, you can enable the OpenDNS cloud security service on any router or hotspot gateway.
Information Source: http://www.seguetech.com/blog/2013/07/05/waterfall-vs-agile-right-development-methodology
One of the first decisions we face for each of our project implementations at Segue is “Which development methodology should we use?” This is a topic that gets a lot of discussion (and often heated debate). If this is not something you’ve worked with before, a definition of development methodology is in order; put very simply, it’s a way of organizing the work of software development. To clarify further, it is NOT a style of project management or a specific technical approach, although you will often hear these terms all thrown together or used interchangeably.
The two basic, most popular methodologies are:
Waterfall (ugh, terrible name!), which might be more properly called the “traditional” approach, and
Agile (newer than Waterfall, but not that new).
Both of these are usable, mature methodologies. Having been involved in software development projects for a long time, here are my thoughts on the strengths and weaknesses of each.
The Waterfall Methodology
Waterfall is a linear approach to software development. In this methodology, the sequence of events is something like:
Gather and document requirements
Design
Code and unit test
Perform system testing
Perform user acceptance testing (UAT)
Fix any issues
Deliver the finished product
In a true Waterfall development project, each of these represents a distinct stage of software development, and each stage generally finishes before the next one can begin. There is also typically a stage gate between each; for example, requirements must be reviewed and approved by the customer before design can begin.
There are good things and bad about the Waterfall approach. On the positive side:
Developers and customers agree on what will be delivered early in the development lifecycle. This makes planning and designing more straightforward.
Progress is more easily measured, as the full scope of the work is known in advance.
Throughout the development effort, it’s possible for various members of the team to be involved or to continue with other work, depending on the active phase of the project. For example, business analysts can learn about and document what needs to be done, while the developers are working on other projects. Testers can prepare test scripts from requirements documentation while coding is underway.
Except for reviews, approvals, status meetings, etc., a customer presence is not strictly required after the requirements phase.
Because design is completed early in the development lifecycle, this approach lends itself to projects where multiple software components must be designed (sometimes in parallel) for integration with external systems.
Finally, the software can be designed completely and more carefully, based upon a more complete understanding of all software deliverables. This provides a better software design with less likelihood of the “piecemeal effect,” a development phenomenon that can occur as pieces of code are defined and subsequently added to an application where they may or may not fit well.
Here are some issues I have encountered using a pure Waterfall approach:
One area which almost always falls short is the effectiveness of requirements. Gathering and documenting requirements in a way that is meaningful to a customer is the most difficult part of software development, in my opinion. Customers are sometimes intimidated by details, and specific details, provided early in the project, are required with this approach. In addition, customers are not always able to visualize an application from a requirements document. Wireframes and mockups can help, but there’s no question that most end users have some difficulty putting these elements together with written requirements to arrive at a good picture of what they will be getting.
Another potential drawback of pure Waterfall development is the possibility that the customer will be dissatisfied with their delivered software product. As all deliverables are based upon documented requirements, a customer may not see what will be delivered until it’s almost finished. By that time, changes can be difficult (and costly) to implement.
The Agile Methodology
Agile is an iterative, team-based approach to development. This approach emphasizes the rapid delivery of an application in complete functional components. Rather than creating tasks and schedules, all time is “time-boxed” into phases called “sprints.” Each sprint has a defined duration (usually in weeks) with a running list of deliverables, planned one sprint in advance. Deliverables are prioritized by business value as determined by the customer. If all planned work for the sprint cannot be completed, work is reprioritized and the information is used for future sprint planning.
As work is completed during each sprint, it is continuously reviewed and evaluated by the customer, who may be considered the most critical member of the Agile team. As a result, Agile relies on a very high level of customer involvement throughout the project.
Some advantages of the Agile approach are easy to see:
The customer has frequent and early opportunities to see the work being delivered, and to make decisions and changes throughout the development project.
The customer gains a strong sense of ownership by working extensively and directly with the project team throughout the project.
If time to market for a specific application is a concern, Agile can more quickly produce a basic version of working software.
Development is often more user-focused, likely a result of more and frequent direction from the customer.
The very high degree of customer involvement, while great for the project, may present problems for some customers who simply may not have the time or interest for this type of participation.
Agile works best when members of the development team are completely dedicated to the project.
Because Agile focuses on time-boxed delivery and frequent reprioritization, it’s possible that some items set for delivery will not be completed within the allotted timeframe. Additional sprints (beyond those initially planned) may be needed, adding to the project cost. In addition, customer involvement often leads to additional features requested throughout the project. Again, this can add to the overall time and cost of the implementation.
The close working relationships in an Agile project are easiest to manage when the team members are located in the same physical space, which is not always possible. However, there are a variety of ways to handle this issue, such as webcams, collaboration tools, etc.
The iterative nature of Agile development may lead to a reduction in overall system quality, as there is less emphasis on understanding the finished system as a whole early in the project. This becomes more pronounced in larger-scale implementations, or with systems that include a high level of integration.
Making the Choice Between Agile and Waterfall
So, how do we choose? First, we change the game a little (which is what most software development organizations do) by defining our own process. At Segue, it’s called our Process Framework, and it’s a variation on the traditional Waterfall methodology. Our modifications include use of prototyping where possible to provide the customer a better view of their finished product early in the design/development cycle. This helps to improve the team’s understanding of requirements and communication with the customer. After the primary framework of the application is completed per high level requirements, we continue to develop and also to reach out to the customer for refinement of requirements. In this way, we strive to be as iterative as possible without compromising our overall system architecture.
We consider the following factors when considering which methodology to use:
The factors above are not equally weighted; each is assessed depending on the individual project and circumstances.
Once we’ve decided which basic methodology to utilize, we can further refine the process to best fit our project goals. Ultimately, although the way in which we do our work is important, delivering a solid and maintainable product that satisfies our customer is what really counts.
The four important stages for consumer buying behavior analysis are: 1) Research Stage, 2) Decision Stage, 3) Buying Action Stage, 4) Post-Sales Follow-Up Stage. Read their description at the following link: