Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Embedded Linux VPN Router Near Release

Posted by simoniker on Mon Dec 29, 2003 04:11 PM
from the embed-this dept.
Software Hardware Linux
An anonymous reader writes "A new open source project aims to build a VPN router that supports all major routing protocols on a standardized hardware platform running embedded Linux. The "Linux Router Project - LR101" started in mid-2003 and plans a first release in January 2004. It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables, an other open source software, all compiled from source."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Embedded Linux VPN Router Near Release 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • HA (Score:5, Interesting)

    by pheared (446683) <kevin@noSpAM.pheared.net> on Monday December 29 2003, @04:15PM (#7830339) Homepage
    It would be nice if they have High Availability on their feature list. Some nice solid appliances like this would be interesting.
    • Right, and since when are BGP and OSPF, "All major routing protocols?"
      • I just recently did a bunch of research on pricing stuff for doing embedded-systems-like projects on an Epia. Here's what I came up with:

        Epia CL 10000 (1GHz C3 Nehemiah core with two LAN ports, I don't like that this requires a cooling fan, but it is the only dual lan configuration with a hardware RNG) $215

        128MB PC2100 DDR (far more memory than is needed, and far more power consumptive than a "typical" embedded system, but the board requires DDR ram and finding something smaller than 128MB PC2100 is hard
        • You sure that the CL6000 doesn't have an RNG, but the CL10000 does? 'Cos the 6000 is fanless, after all - it would only cost a dozen or so dollars less, but ...
          • I'm fairly certain that only the Nehemiah core has Padlock, and the CL6000 doesn't have a Nehemiah core. Too bad though. If they had a fanless Nehemiah core mini-itx with the CLE266 mpeg accelerator, I'd think that'd be the most popular board around.
      • But this device has one big feature you neglected to mention, that all of the "common low-end gateway boxes" seem to lack almost completely...

        Dynamic routing
        (BGP, OSPF, etc.)

        Seriously, how can you call something a "router" when it doesn't even support any useful "routing protocols"?
        • One of my clients spent AUD$1500 buying one of these [motium.com] and having me fit it out with a Flash disk as a router supporting BGP (and much other stuff, if he ever needs it there). The alternative was paying AUD$6000 and on up (several outfits seriously quoted him well clear of AUD$20,000 for new Cisco gear), and other than when the owner one day using shutdown -h instead of shutdown -r to try to cure a problem that in the event was being caused by something else, it's had a flawless, zero-maintenance run.

          Andrew

  • Clarification needed. (Score:5, Insightful)

    by Mourgos (621534) on Monday December 29 2003, @04:15PM (#7830341)
    Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project? Wouldn't a linuxfromscratch installation - with only the bare minimums - be a better idea? Just a thought.
    • It is based on a dual-NIC VIA EPIA mainboard and a Travla case, along with Red Hat 8, zebra, FreeS/WAN, IP-tables...

      Yes.

    • Re:Clarification needed. (Score:2, Insightful)

      by Anonymous Coward
      Is this a stripped down Redhat distro, with a configuration tool that they wrote? Isn't a whole distribution a little bit too much for such a project?

      Too me, stripped down implies it isn't whole anymore.

  • Isn't it missing something? (Score:5, Insightful)

    by Rosco P. Coltrane (209368) on Monday December 29 2003, @04:18PM (#7830370)
    Where's PPTP? for a VPN router, it's kind of desirable ...

    • Re:Isn't it missing something? (Score:4, Informative)

      by bzzzt (313005) on Monday December 29 2003, @04:23PM (#7830405)
      According to the "tech details" page it's shipping with the Poptop pptp server...
    • From TFA:

      Version 0.3.9 des RootFS verfugbar What has been done? First, there are many changes in the LR101 Scripts; second, IP-Tables has been updated to 1.2.9 and a configuration interface, start it with command lrconfig , is available, now. DHCP has been tested, unfortunately PPPoE and PPtP not yet. If somebody could test this, please do so! ... please set the DEBUG Level in /etc/LR101/ppp/options.pppox0 to 9 and send the log ( /var/log/messages ) to support_at_linux-it-solutions.de. Thank you!

    • PPTP is UNdesirable (Score:4, Interesting)

      by billstewart (78916) on Monday December 29 2003, @04:37PM (#7830522) Journal
      The initial PPTP was a total botch, with seven major security flaws. Some of them have since been fixed, but it gives you some idea of the professionalism and quality that didn't go into the basic design. If you want to use a VPN for security, use IPSEC - and this project has FreeS/WAN IPSEC in it. If you really really want to use a VPN to transport lame non-IP legacy Microsoft LAN protocols, go pay Microsoft some money for one of their server projects, and charge the silly customer who's hiring you as a consultant because they don't want to upgrade to the 1990s for it. If you want to use a VPN to carry private IP addresses, but don't actually care about security, use IPSEC anyway, or use GRE tunnels.
      • How about if I want to use my home linux box to access my employer's Microsoft based network?

        Do I downgrade my home box to Windows? Ans: when hell freezes over.

        Do I get my employer to use IPSEC? Ans: not if my employer is an "all microsoft, all the time" kind of place. [although with MS supporting IPSEC in some form, that is changing]

        In other words, contrary to what some of the less thoughtful may think, PPTP client functionality is a must for some of us; and telling us why we should not be using PPTP is
      • You do know that GRE tunnels are the generic name for PPTP, don't you?
        • The best solution for this I've found so far, is a program called OpenVPN [sourceforge.net]. The thing is easy to configure, runs on most 'nix platforms, tunnels over UDP (I'm sorry, but IP over TCP is stupid), and works wonderfuly.

  • Why not a WRV54G? (Score:5, Insightful)

    by greygent (523713) on Monday December 29 2003, @04:20PM (#7830386) Homepage
    Or, just buy a Linux-based Linksys WRV54G [seattlewireless.net] for well under $200 with most, if not all the features of this project. No, I don't mean the WRT54g, I mean the WRV54G. Excellent piece of gear, VPN, firewalling, dmz, wireless (wep/wpa), snmp, yadda yadda.
  • Snapgear [snapgear.com]?

  • Compiled from source... (Score:5, Funny)

    by Binestar (28861) on Monday December 29 2003, @04:21PM (#7830393) Homepage
    all compiled from source.

    As opposed to say, a Linksys Router, which we all know is compiled from Cheerios. =)

  • RH8? (Score:5, Informative)

    by Jeffrey Baker (6191) on Monday December 29 2003, @04:22PM (#7830402)
    Using a full blown RH 8 installations eems like an odd thing to do. Lots of people are using Soekris computers as routers, firewalls, access points, and VPNs, but they are generally run off stripped BSD or Linux installations with hardly any extraneous crap. Mine is running a very bare Debian installed into a 256MB compact flash.

    Soekris [soekris.com]

    • Re:RH8? (Score:2, Interesting)

      by kervel (179803)
      i was considering to buy a soekris, but when i added up all costs (shipping, ...) it turned out to be not worth the money. Soekris is silent okay, and powersaving okay, but the slow CPU limits the use to routing/firewalling/VPN/... and you can buy cheaper equipment for that.
      • Routing/etc is a pretty common use for this kit, but plenty of other projects are well-suited, often much better than more common PC hardware due to some unusual features - the Elan chip on the net45xx has a high-res timer supported by FreeBSD, particularly nice for accurate timing (NTP or for other reasons)... The programmable 'error' LED could be used for indicating web hits on a personal homepage, show new email (some drivers support Morse code, so you could even indicate the sender's name), or various m

    • Re:RH8? (Score:5, Funny)

      by NevDull (170554) on Monday December 29 2003, @04:46PM (#7830587) Homepage Journal
      If you had read the article, you'd have seen that they are using 32MB CF. Do you really think they're running "a full blown RH 8 [sic] installations"?

      Please check one:
      [ ] I can't read
      [ ] I choose not to read
      [ ] I read the article, but I think that a full install of RedHat fits in 32MB
      [ ] Please forgive my Debian zealotry

  • All compiled from source? (Score:1, Funny)

    by Anonymous Coward
    I want a router where all the binaries were hand assembled, myself.

  • A different LRP (Score:1, Interesting)

    by Anonymous Coward
    Is this the same Linux Router Project that was run by that crazy [slashdot.org], paranoid survivalist [slashdot.org] guy? Or is that still dead?
    • Don't know about the mental health of the author, but I did try LRP a couple of years ago on an old PC with 5 NICs plugged into it. It almost worked, AFAIR. Last time I looked, LRP had been abandoned.

      I presume that this is a shiny, all-new LRP?

  • Not to be confused with... (Score:5, Informative)

    by ScottSpeaks! (707844) on Monday December 29 2003, @04:29PM (#7830456) Homepage Journal
    ...the Linux Router Project [linuxrouter.org], a floppy-based 386-compatible micro-distro which served as the basis for (among other things) Coyote Linux [coyotelinux.com].
    • That's all well and good, but LRP was shutdown after Diesel Dave decided to call it quits. It was news on slashdot a few months ago (too lazy to link to it).

      LEAF is the successor (LEAF [leaf-project.org]).

  • Use a $80 wrt54g to do the same (Score:5, Informative)

    by Jim Buzbee (517) on Monday December 29 2003, @04:33PM (#7830484) Homepage
    Custom firmware for the wrt54g does/will do pretty much the same thing. Progress is very quick. See the forum here:

    sveasoft [sveasoft.com]
  • This isn't the project's fault, I know, but there is a "major", albeit proprietary, VPN protocol that's still not supported on Linux. It's Shiva's SST (Shiva Secure Tunnel). It was originally developed by Shiva, then sold to Intel where it became part of the NetStructure family. I should point out that these VPN gateways also support IPSEC, but some companies - like mine - only permit access using the SST flavor tunnel.

    Shiva never had any Linux client software. Intel never developed any either. Then i
    • I administered a Shiva vpn server in 2000/2001. I would have preferred to use the open standard IPSEC vs the proprietary SST; however their IPSEC option would not support RADIUS authentication. That was the deciding factor for going with SST. Aside from that it wasn't a bad product.
    • It actually predates Shiva.

      It was developed by Infocrypt, which Shiva bought, and Shiva was in turn eaten by Intel.

      SST is legacy, as LANRovers have had IPSEC support since at least version 6.7.

      If your company doesn't use IPSec, it's probably going to get left behind when Intel finally dumps the old and crufty SST protocol.
  • Having programmed some of these "beauties" in connection with a microcontroller, i must say they are shooting themselves in the foot. The first word that comes to my mouth is YUCK! I know all these 3Com and Intel network cards are more expensive, but they save time and money in the long run.

    /Pedro

    • Re:"RealTek/NE2000 compatible NICs for the DMZ" (Score:4, Interesting)

      by smnolde (209197) on Monday December 29 2003, @06:34PM (#7831400) Homepage
      RealTek is RealCrap. You get what you pay for.

      From /usr/src/sys/pci/if_rl.c on my FreeBSD system:
      * The RealTek 8139 PCI NIC redefines the meaning of 'low end.' This is
      * probably the worst PCI ethernet controller ever made, with the possible
      * exception of the FEAST chip made by SMC. The 8139 supports bus-master
      * DMA, but it has a terrible interface that nullifies any performance
      * gains that bus-master DMA usually offers.
      *
      * It's impossible given this rotten design to really achieve decent
      * performance at 100Mbps, unless you happen to have a 400Mhz PII or
      * some equally overmuscled CPU to drive it.

      This is my favorite comment:
      * Here's a totally undocumented fact for you. When the
      * RealTek chip is in the process of copying a packet into
      * RAM for you, the length will be 0xfff0. If you spot a
      * packet header with this value, you need to stop. The
      * datasheet makes absolutely no mention of this and
      * RealTek should be shot for this.

      More funny stuff:
      * The RealTek is brain damaged and wants longword-aligned
      * TX buffers, plus we can only have one fragment buffer
      * per packet. We have to copy pretty much all the time.

  • ..make sure that you have read this [securityfocus.com]
    Discusses some serious considerations before deciding to use ipsec and ike. And since ipsec/ike is the only serious solution in many cases, these concerns should not be taken lightly. For example did you know that the ike implementation in 2000/XP simply checks the signer of the servers certificate and not the actual identity that is signed? This means that any other user with a certificate which is signed by the same authority as you can impersonate the server.

    The art
  • There's a number of such projects out there ... Smoothwall is one. IPCop for another (although it is forked from Smoothwall.) I don't see this project as offering that much over similar ones.

  • I'd like to see one based on this [tyan.com] bad boy.

    4 gigE ports, each on it's own PCI-X controller. Between the two Xeons and whatever amount of memory you through at it, one of these could *easily* handle a great deal of BGP sessions, load-balancing, failover, as well as VPN and encryption.

    With a board like that, a couple of Xeons, and a gig of memory, these could out-perform some very, very expensive commercial routers.

    steve

    • Re:Warning ! (Score:5, Insightful)

      by Tony Hoyle (11698) <tmh@nodomain.org> on Monday December 29 2003, @04:21PM (#7830389) Homepage
      If that's true, then it's illegal for a US citizen to contribute to the 2.6.0 kernel too, since that has crypto in it.

      • Re:Warning ! (Score:4, Informative)

        by Homology (639438) on Monday December 29 2003, @05:22PM (#7830872)
        If that's true, then it's illegal for a US citizen to contribute to the 2.6.0 kernel too, since that has crypto in it.

        Indeed, export of cryptographic technology from USA is hampered with strong restrictions. So many Open Source projects are quite careful to avoid breaking laws by having (much) development done outside USA, and also letting release builds be done outside US as well.

        For instance, OpenBSD has offered strong encryption for several years. The OpenBSD project is located in Canada, and a lot of development/release builds are done outside US. As Integrated Crypto [openbsd.org] shows :

        Hence the OpenBSD project has embedded cryptography into numerous places in the operating system. We require that the cryptographic software we use be freely available and with good licenses. We do not directly use cryptography with nasty patents. We also require that such software is from countries with useful export licenses because we do not wish to break the laws of any country. The cryptographic software components which we use currently were written in Argentina, Australia, Canada, Germany, Greece, Norway, and Sweden.

        When we create OpenBSD releases or snapshots we build our release binaries in free countries to assure that the sources and binaries we provide to users are free of tainting. In the past our release binary builds have been done in Canada, Sweden, and Germany.

    • Re:Warning ! (Score:2, Insightful)

      by BdosError (261714)
      Crypto export laws were relexed a long time ago (during the Clinton administration).

      Just goes to support what I've observed about people who claim Mensa membership.
    • The only market for this is some screwed up and corrupted country like Argentina or Nigeria, where they would get the software for free, use it in the government

      In Nigeria, the government official in charge of IT is waiting for you to help him unlock those $20M from that deceased german businessman, in order to have funds to buy routers ...

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.