Embedded Linux VPN Router Near Release

An anonymous reader writes "A new open source project aims to build a VPN router that supports all major routing protocols on a standardized hardware platform running embedded Linux. The "Linux Router Project - LR101" started in mid-2003 and plans a first release in January 2004. It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables, and other open source software, all compiled from source."
  • HA (Score:5, Interesting)

    by pheared ( 446683 ) <[ten.deraehp] [ta] [nivek]> on Monday December 29, 2003 @05:15PM (#7830339) Homepage
    It would be nice if they have High Availability on their feature list. Some nice solid appliances like this would be interesting.
    • I was outsourced to a company who is working on a similar ALL IN WONDER gateway, VPN, ADSL / CABLE, VOIP networking device that packs a mean punch. I worked on the NAT configuration, IPTABLES, and consulted on the firewall. All my work was done on Embedded UcLinux (BRECIS) and compiled from source in C (MIPS GCC) to ROM. Huge scale project and the first rev is already out, and the following 1.2 rev will be out Q1 or Q2 2004.
      • But this device has one big feature you neglected to mention, that all of the "common low-end gateway boxes" seem to lack almost completely...

        Dynamic routing
        (BGP, OSPF, etc.)

        Seriously, how can you call something a "router" when it doesn't even support any useful "routing protocols"?
        • One of my clients spent AUD$1500 buying one of these [motium.com] and having me fit it out with a Flash disk as a router supporting BGP (and much other stuff, if he ever needs it there). The alternative was paying AUD$6000 and on up (several outfits seriously quoted him well clear of AUD$20,000 for new Cisco gear), and other than when the owner one day used shutdown -h instead of shutdown -r to try to cure a problem that in the event was being caused by something else, it's had a flawless, zero-maintenance run.

          Andrew

    • by bbdd ( 733681 )
      i have several locations with the symantec 200 routers [symantec.com] (pdf link) with dual wan ports.

      i would love to replace them with an ipcop type of open source / flashdisk / bootable cd / etc firewall that supports dual wan ports.

      would be nice with a dmz as well, so that would be 4 nics total. 2 wan with failover, dmz, and lan.

    • Right, and since when are BGP and OSPF, "All major routing protocols?"
  • by Mourgos ( 621534 ) on Monday December 29, 2003 @05:15PM (#7830341)
    Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project? Wouldn't a linuxfromscratch installation - with only the bare minimums - be a better idea? Just a thought.
    • It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables...

      Yes.
    • by Anonymous Coward
      Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project?

      To me, stripped down implies it isn't whole anymore.

  • by Rosco P. Coltrane ( 209368 ) on Monday December 29, 2003 @05:18PM (#7830370)
    Where's PPTP? for a VPN router, it's kind of desirable ...
    • by bzzzt ( 313005 ) on Monday December 29, 2003 @05:23PM (#7830405)
      According to the "tech details" page it's shipping with the Poptop pptp server...
    • From TFA:

      Version 0.3.9 of the RootFS available What has been done? First, there are many changes in the LR101 Scripts; second, IP-Tables has been updated to 1.2.9 and a configuration interface, start it with command lrconfig , is available now. DHCP has been tested, unfortunately PPPoE and PPTP not yet. If somebody could test this, please do so! ... please set the DEBUG Level in /etc/LR101/ppp/options.pppox0 to 9 and send the log ( /var/log/messages ) to support_at_linux-it-solutions.de. Thank you!
    • PPTP is UNdesirable (Score:4, Interesting)

      by billstewart ( 78916 ) on Monday December 29, 2003 @05:37PM (#7830522) Journal
      The initial PPTP was a total botch, with seven major security flaws. Some of them have since been fixed, but it gives you some idea of the professionalism and quality that didn't go into the basic design. If you want to use a VPN for security, use IPSEC - and this project has FreeS/WAN IPSEC in it. If you really really want to use a VPN to transport lame non-IP legacy Microsoft LAN protocols, go pay Microsoft some money for one of their server projects, and charge the silly customer who's hiring you as a consultant because they don't want to upgrade to the 1990s for it. If you want to use a VPN to carry private IP addresses, but don't actually care about security, use IPSEC anyway, or use GRE tunnels.
      • by jbr439 ( 214107 )
        How about if I want to use my home linux box to access my employer's Microsoft based network?

        Do I downgrade my home box to Windows? Ans: when hell freezes over.

        Do I get my employer to use IPSEC? Ans: not if my employer is an "all microsoft, all the time" kind of place. [although with MS supporting IPSEC in some form, that is changing]

        In other words, contrary to what some of the less thoughtful may think, PPTP client functionality is a must for some of us; and telling us why we should not be using PPTP is
      • You do know that GRE tunnels are the generic name for PPTP, don't you?
      • Thanks for the rant, Bill. PPTP, esp. when MS-compatible, is way less secure than IPSec. Today, the biggest problem with PPTP is the connection between password strength and encryption strength (see Schneier's analysis on PPTPv2 [schneier.com] for details), and as soon as this problem is worked around (see for example the Designfragen discussion for some CS department WLAN [fu-berlin.de], if you can read German), PPTP is 'middle secure'.

        What makes PPTP a tempting VPN protocol is its availability among different platforms. Although so

  • Why not a WRV54G? (Score:5, Insightful)

    by greygent ( 523713 ) on Monday December 29, 2003 @05:20PM (#7830386) Homepage
    Or, just buy a Linux-based Linksys WRV54G [seattlewireless.net] for well under $200 with most, if not all the features of this project. No, I don't mean the WRT54g, I mean the WRV54G. Excellent piece of gear, VPN, firewalling, dmz, wireless (wep/wpa), snmp, yadda yadda.
  • Snapgear [snapgear.com]?
  • by Binestar ( 28861 ) on Monday December 29, 2003 @05:21PM (#7830393) Homepage
    all compiled from source.

    As opposed to say, a Linksys Router, which we all know is compiled from Cheerios. =)
  • RH8? (Score:5, Informative)

    by Jeffrey Baker ( 6191 ) on Monday December 29, 2003 @05:22PM (#7830402)
    Using a full blown RH 8 installation seems like an odd thing to do. Lots of people are using Soekris computers as routers, firewalls, access points, and VPNs, but they are generally run off stripped BSD or Linux installations with hardly any extraneous crap. Mine is running a very bare Debian installed into a 256MB compact flash.

    Soekris [soekris.com]

    • Re:RH8? (Score:2, Interesting)

      by kervel ( 179803 )
      i was considering buying a soekris, but when i added up all costs (shipping, ...) it turned out to be not worth the money. Soekris is silent okay, and powersaving okay, but the slow CPU limits the use to routing/firewalling/VPN/... and you can buy cheaper equipment for that.
      • Routing/etc is a pretty common use for this kit, but plenty of other projects are well-suited, often much better than more common PC hardware due to some unusual features - the Elan chip on the net45xx has a high-res timer supported by FreeBSD, particularly nice for accurate timing (NTP or for other reasons)... The programmable 'error' LED could be used for indicating web hits on a personal homepage, show new email (some drivers support Morse code, so you could even indicate the sender's name), or various m
    • Re:RH8? (Score:5, Funny)

      by NevDull ( 170554 ) on Monday December 29, 2003 @05:46PM (#7830587) Homepage Journal
      If you had read the article, you'd have seen that they are using 32MB CF. Do you really think they're running "a full blown RH 8 [sic] installations"?

      Please check one:
      [ ] I can't read
      [ ] I choose not to read
      [ ] I read the article, but I think that a full install of RedHat fits in 32MB
      [ ] Please forgive my Debian zealotry
  • by Anonymous Coward
    I want a router where all the binaries were hand assembled, myself.
  • A different LRP (Score:1, Interesting)

    by Anonymous Coward
    Is this the same Linux Router Project that was run by that crazy [slashdot.org], paranoid survivalist [slashdot.org] guy? Or is that still dead?
    • Don't know about the mental health of the author, but I did try LRP a couple of years ago on an old PC with 5 NICs plugged into it. It almost worked, AFAIR. Last time I looked, LRP had been abandoned.

      I presume that this is a shiny, all-new LRP?

  • by ScottSpeaks! ( 707844 ) on Monday December 29, 2003 @05:29PM (#7830456) Homepage Journal
    ...the Linux Router Project [linuxrouter.org], a floppy-based 386-compatible micro-distro which served as the basis for (among other things) Coyote Linux [coyotelinux.com].
    • That's all well and good, but LRP was shut down after Diesel Dave decided to call it quits. It was news on slashdot a few months ago (too lazy to link to it).

      LEAF is the successor (LEAF [leaf-project.org]).

  • by Jim Buzbee ( 517 ) on Monday December 29, 2003 @05:33PM (#7830484) Homepage
    Custom firmware for the wrt54g does/will do pretty much the same thing. Progress is very quick. See the forum here:

    sveasoft [sveasoft.com]
  • This isn't the project's fault, I know, but there is a "major", albeit proprietary, VPN protocol that's still not supported on Linux. It's Shiva's SST (Shiva Secure Tunnel). It was originally developed by Shiva, then sold to Intel where it became part of the NetStructure family. I should point out that these VPN gateways also support IPSEC, but some companies - like mine - only permit access using the SST flavor tunnel.

    Shiva never had any Linux client software. Intel never developed any either. Then i
    • I administered a Shiva vpn server in 2000/2001. I would have preferred to use the open standard IPSEC vs the proprietary SST; however their IPSEC option would not support RADIUS authentication. That was the deciding factor for going with SST. Aside from that it wasn't a bad product.
    • It actually predates Shiva.

      It was developed by Infocrypt, which Shiva bought, and Shiva was in turn eaten by Intel.

      SST is legacy, as LANRovers have had IPSEC support since at least version 6.7.

      If your company doesn't use IPSec, it's probably going to get left behind when Intel finally dumps the old and crufty SST protocol.
    • Your company is very naive then. They are probably using the "nobody else is using it, so it will be more secure" argument.

      Give somebody who can make that decision the results of the following google search - security in obscurity [google.com]

      The first article in this Crypto-Gram also explains the problem - Secrecy, Security, and Obscurity [schneier.com]

  • Having programmed some of these "beauties" in connection with a microcontroller, I must say they are shooting themselves in the foot. The first word that comes to my mouth is YUCK! I know all these 3Com and Intel network cards are more expensive, but they save time and money in the long run.

    /Pedro
    • by smnolde ( 209197 ) on Monday December 29, 2003 @07:34PM (#7831400) Homepage
      RealTek is RealCrap. You get what you pay for.

      From /usr/src/sys/pci/if_rl.c on my FreeBSD system:
      * The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is
      * probably the worst PCI ethernet controller ever made, with the possible
      * exception of the FEAST chip made by SMC. The 8139 supports bus-master
      * DMA, but it has a terrible interface that nullifies any performance
      * gains that bus-master DMA usually offers.
      *
      * It's impossible given this rotten design to really achieve decent
      * performance at 100Mbps, unless you happen to have a 400Mhz PII or
      * some equally overmuscled CPU to drive it.

      This is my favorite comment:
      * Here's a totally undocumented fact for you. When the
      * RealTek chip is in the process of copying a packet into
      * RAM for you, the length will be 0xfff0. If you spot a
      * packet header with this value, you need to stop. The
      * datasheet makes absolutely no mention of this and
      * RealTek should be shot for this.

      More funny stuff:
      * The RealTek is brain damaged and wants longword-aligned
      * TX buffers, plus we can only have one fragment buffer
      * per packet. We have to copy pretty much all the time.

  • ..make sure that you have read this [securityfocus.com]
    Discusses some serious considerations before deciding to use ipsec and ike. And since ipsec/ike is the only serious solution in many cases, these concerns should not be taken lightly. For example did you know that the ike implementation in 2000/XP simply checks the signer of the server's certificate and not the actual identity that is signed? This means that any other user with a certificate which is signed by the same authority as you can impersonate the server.

    The art
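The validation flaw the post above describes (accepting any certificate from the trusted CA instead of binding the certificate to the expected peer identity), shown as an added example that is not from the post, the linked article, or any vendor's code. Certificates and the CA are constructed stand-ins: an HMAC over the to-be-signed fields plays the role of the CA's signature so the example runs offline, and the CA name, subjects and identities are made up.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed CA "signing key": an HMAC secret stands in for the CA's
# asymmetric private key purely so this runs without a crypto library.
CA_KEYS = {
    "Example Corp CA": b"constructed-ca-key-not-a-real-secret",
}


@dataclass(frozen=True)
class Cert:
    subject: str       # distinguished name (constructed)
    issuer: str        # CA that signed the certificate
    san: str           # identity the certificate actually vouches for
    signature: bytes   # CA "signature" over the fields above


def tbs(subject: str, issuer: str, san: str) -> bytes:
    """The to-be-signed bytes: the fields the CA commits to."""
    return f"{subject}|{issuer}|{san}".encode()


def issue(ca_name: str, subject: str, san: str) -> Cert:
    """CA issues a certificate binding `subject`/`san` to the CA's key."""
    sig = hmac.new(CA_KEYS[ca_name], tbs(subject, ca_name, san), hashlib.sha256).digest()
    return Cert(subject, ca_name, san, sig)


def signature_valid(cert: Cert) -> bool:
    """True if the signature matches the issuer's key over the certified fields."""
    key = CA_KEYS.get(cert.issuer)
    if key is None:
        return False
    expected = hmac.new(key, tbs(cert.subject, cert.issuer, cert.san), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def accept_issuer_only(cert: Cert, trusted_ca: str) -> bool:
    """The flawed check: 'was it signed by our CA?' and nothing more.
    Every certificate the CA ever issued passes, so any other holder of a
    CA-issued certificate is accepted as the gateway."""
    return cert.issuer == trusted_ca and signature_valid(cert)


def accept_bound_identity(cert: Cert, trusted_ca: str, expected_peer_id: str) -> bool:
    """The correct check: valid CA signature AND the certified identity is
    exactly the peer this endpoint was configured to talk to."""
    return accept_issuer_only(cert, trusted_ca) and cert.san == expected_peer_id


def demo() -> dict:
    """Run the gateway cert, another user's cert from the same CA, and a
    forged cert through both validators; returns accept/reject per case."""
    ca = "Example Corp CA"
    gateway = issue(ca, "CN=vpn-gateway", "vpn.example.test")
    other_user = issue(ca, "CN=alice", "alice@example.test")
    # Forged: correct fields but a signature the CA never produced.
    forged = Cert("CN=vpn-gateway", ca, "vpn.example.test", b"\x00" * 32)
    want = "vpn.example.test"
    return {
        "weak_accepts_gateway": accept_issuer_only(gateway, ca),
        "weak_accepts_other_user": accept_issuer_only(other_user, ca),   # the impersonation
        "weak_accepts_forged": accept_issuer_only(forged, ca),
        "strict_accepts_gateway": accept_bound_identity(gateway, ca, want),
        "strict_accepts_other_user": accept_bound_identity(other_user, ca, want),
        "strict_accepts_forged": accept_bound_identity(forged, ca, want),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The point of the strict variant is that chain validation answers "who vouched for this certificate?", while the identity comparison answers "is this the endpoint I meant to reach?"; a VPN peer needs both, which in a real IKE or TLS stack means comparing the certificate's subject or subjectAltName against the configured peer ID, not just the issuer.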
  • There's a number of such projects out there ... Smoothwall is one. IPCop for another (although it is forked from Smoothwall.) I don't see this project as offering that much over similar ones.
  • I would like to see something that would let me access existing VPN routers from home.

  • You had my attention up to the point where you mentioned "redhat". The company that doesn't care about their nonprofit distro. Whoopie, now you got a vpn on it.
  • http://www.m0n0.ch/wall
    If you're interested in Linux or embedded VPN solutions, check out m0n0wall. It's excellent!
  • Umm...you guys do realize that www.snapgear.com has had embedded, ipsec/iptables equipped routers based on linux for years right? They're enterprise quality and I've had several deployed for over a year. This isn't new, nor is it exciting. Also, embedded implies that it's not x86...or using a hard drive. This is a mini-itx based "router" running a distro that has no business being used as such.

  • I'd like to see one based on this [tyan.com] bad boy.

    4 gigE ports, each on its own PCI-X controller. Between the two Xeons and whatever amount of memory you throw at it, one of these could *easily* handle a large number of BGP sessions, load-balancing, failover, as well as VPN and encryption.

    With a board like that, a couple of Xeons, and a gig of memory, these could out-perform some very, very expensive commercial routers.

    steve
