In my previous articles, I discussed how to install and setup OpenWRT on the WRT54GL, and how to setup Shorewall as a firewall solution. Today I will be discussing how to install, setup, and use VPNC to connect to a Cisco VPN 3000 Concentrator, as well as how to configure Shorewall to allow VPN communication through the firewall.

This article is written assuming a that you are using the same versions of OpenWRT & Shorewall, and are configured similarly, as discussed in my previous articles.

VPNC

VPNC has been backported to the White Russian release (although poorly), and can be installed using ipkg. To install, first edit /etc/ipkg.conf and add the following line after the other “src” lines:

src backports http://downloads.openwrt.org/backports/rc5

Now to install vpnc:

ipkg update
ipkg install libgcrypt
ipkg install kmod-tun
ipkg install vpnc

The first two installs are required packages that aren’t (for some reason) installed when you install vpnc. If you try running vpnc right now, you’ll get the error:

can't open /dev/net/tun, check that it is either device char 10 200 or (with DevFS) a symlink to ../misc/net/tun (not misc/net/tun): No such file or directory
can't initialise tunnel interface: No such file or directory

vpnc requires the kernel module tun. The vpnc installer adds an entry to /etc/modules.d/ to auto-install the module on startup, but it won’t be started after you install it. To install to so we can use it right now, run:

insmod tun

The configuration settings for vpnc are located in /etc/vpnc/. Open vpnc.conf with an editor (like vi) and add/edit the follow configuration settings: (replace the IP/usernames/passwords with your VPN credentials)

Interface name tun0
IPSec gateway 12.34.56.78
IPSec ID globaluser
IPSec secret globalpass
Xauth username myuser
Xauth password mypass

Now (at the time of this writing), if this package had been setup properly, this would be all we would have to do for vpnc, and we could just run the command vpnc to start the VPN service. However, if you try doing this now, vpnc will fail to find the vpnc.conf file because it is hard-coded to look for /etc/vpnc.conf. We fix this easily by running:

ln -s /etc/vpnc/vpnc.conf /etc/vpnc.conf

Also, when vpnc runs, it trys to write its PID information to /var/run/vpnc/ which doesn’t exist. We can fix this by running:

mkdir /var/run/vpnc

Were not done yet, and this is the big one. After vpnc connects to the VPN server, it will run /etc/vpnc/vpnc-script. The problem is that this file was originally written for a Bash environment, but OpenWRT only has sh. If you try running vpnc, you will get the following error:

/etc/vpnc/vpnc-script: 222: Syntax error: Bad for loop variable

Luckily, there’s only two places in the code that cause conflict with this environment. We will need to edit the vpnc-script and change the two (2) instances of this code…

                for ((i = 0 ; i < CISCO_SPLIT_INC ; i++ )) ; do
                        eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
                        eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
                        eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
                        set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
                done

…to…

                i=0                                                        
                while [ $i -lt $CISCO_SPLIT_INC ] ; do             
                        eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
                        eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
                        eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
                        set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
                i=`expr $i + 1`
                done

Alrighty, we’re done. If you run vpnc right now, it should connect and run as a daemon (without throwing any erros). To disconnect, use vpnc-disconnect.
Note that vpnc-script modifies your routing table (route) and your DNS resolutions (/etc/resolv.conf) on connection. You may need to modify this script as necessary.

Shorewall

Now that we have vpnc configured, lets setup Shorewall.

First we will create a zone for the VPN in /etc/shorewall/zones …

vpnc  ipv4

…, and map the zone to the interface in /etc/shorewall/interfaces:

vpnc  tun0  detect

The configuration file /etc/shorewall/tunnels is used to specify the VPN tunnels your firewall will be allowing through. The second argument is the zone in which the VPN gateway is behind, and the third argument is the IP of the VPN gateway. Chances are you won’t need the second line, but I added it there just incase. (You may also need to change udp to tcp, depending on your VPN Concentrator settings)

generic:udp:500    wan  12.34.56.78
generic:tcp:1723  wan  12.34.56.78

Lastly you will need setup any masquerading in /etc/shorewall/masq if you want to access the VPN from local network:

# If the lan and wifi are bridged
tun0    br0
#If you have removed the bridge (seperated them)
tun0    vlan0
tun0    eth1

Were done! Restart Shorewall using shorewall restart and the rules should be applied. We can now run vpnc to setup the VPN connection, and you should be able to connect to the servers behind it.

If you would like vpnc to be started on startup of Shorewall, add the following:

/etc/shorewall/start

vpnc

/etc/shorewall/stop

vpnc-disconnect

Conclusion

Despite the problem with the VPNC package, its not too difficult to setup a VPN connection with a Cisco VPN Concentrator. If your VPN gateway timeouts after a period of inactivity, you may need to setup a watchdog service that sends small traffic through the tunnel every so often. Your mileage may vary.

I hope my article was helpful. Please leave comments!