Connection and VPN Bonding

From Hack Sphere Labs Wiki
Revision as of 09:39, 27 February 2012 by Webdawg (talk | contribs) (NAT Forwarding as Internet Gateway)


Objective

Preferably, bond multiple 3G modems together to create a stable, faster connection. I am trying to aggregate 3 unstable connections into one.

Ideas

  • Bond 2-3 OpenVPN tun interfaces.
    • LAGG
    • Kernel Bonding
      • LACP (Stable connections, same BW)
  • Linux Advanced Routing & Traffic Control - http://lartc.org/

Notes

Custom Linux

I tested with Debian.

Server Configuration

I used a Debian VPS because I wanted to route all my traffic out to the internet through the bond.

OpenVPN

su -
aptitude update
aptitude upgrade
aptitude install openvpn

tap configuration is a bit different from tun configuration. Since it works at layer two, you do not need to worry about layer 3 details like IP addresses in the config file.

Set up a CA, certs and ta.key: http://wiki.hackspherelabs.com/index.php?title=OpenVPN#Setup, but here are some commands for reference:

mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all
./build-ca
./build-key-server servername
./build-dh
cd keys
openvpn --genkey --secret ta.key
cd ..
./build-key-pkcs12 clientx

You need some OpenVPN config files in /etc/openvpn/; here is an example of a tap server OpenVPN config file:


You need a VPN server for each modem that you want to bond, each configured with a different port, IP and tap interface.

You need to stop OpenVPN and disable it from starting at boot, because the bonding.sh script will call openvpn itself.

/etc/init.d/openvpn stop
update-rc.d openvpn disable

You also need the utilities that this script calls:

aptitude install uml-utilities ifenslave

NAT Forwarding as Internet Gateway

The entire reason I wanted to do this was to forward internet traffic through multiple modems. So on my Debian box:

nano /etc/sysctl.conf

Uncomment: #net.ipv4.ip_forward=1

echo 1 > /proc/sys/net/ipv4/ip_forward

You can then forward traffic with:

iptables -t nat -A POSTROUTING -o bond0 -j MASQUERADE
nano iptables.nat.sh

And put the line in it.
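The wiki refers to a bonding.sh that creates the tap interfaces, enslaves them and starts openvpn, and to an iptables.nat.sh holding the MASQUERADE line, but shows neither. The script below is an added, constructed sketch of how those two pieces fit together; it is not the author's script. The per-link config file names ($CONF_DIR/server-tapN.conf), the bond address, and the balance-rr bonding mode are assumptions; with DRY_RUN=1 it only prints the commands, so the plan can be reviewed without root.

```shell
#!/bin/sh
# Constructed sketch of a bonding.sh: one tap interface per modem link, all
# enslaved into bond0, one OpenVPN tap server per link, then MASQUERADE as on
# the wiki. Not the wiki author's script; config file names, the bond address
# and the bonding mode are assumptions.
set -eu

BOND=${BOND:-bond0}
BOND_IP=${BOND_IP:-10.8.0.1/24}       # assumed address for the bond master
CONF_DIR=${CONF_DIR:-/etc/openvpn}    # assumes $CONF_DIR/server-tapN.conf per link
DRY_RUN=${DRY_RUN:-0}                 # 1 = print the commands instead of running them

# run: execute a command, or echo it when DRY_RUN=1 so the sequence can be
# reviewed without root and without touching real interfaces.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_bond N: bring up N links (tap0..tap(N-1)) as slaves of $BOND.
setup_bond() {
    n=$1
    [ "$n" -ge 2 ] || { echo "setup_bond: need at least 2 links" >&2; return 1; }
    # balance-rr spreads packets over all slaves (aggregation, unlike LACP,
    # which wants equal, stable links). miimon only notices a tap losing
    # carrier, which happens when its OpenVPN process exits, so the keepalive
    # in the OpenVPN configs is what actually detects a dead modem.
    run modprobe bonding mode=balance-rr miimon=100
    run ip addr add "$BOND_IP" dev "$BOND"
    run ip link set "$BOND" up
    i=0
    while [ "$i" -lt "$n" ]; do
        run tunctl -t "tap$i"                     # from uml-utilities
        run ifenslave "$BOND" "tap$i"             # ifenslave brings the slave up
        run openvpn --daemon --config "$CONF_DIR/server-tap$i.conf"   # config must say "dev tap$i"
        i=$((i + 1))
    done
    # Same MASQUERADE line as the wiki's iptables.nat.sh; ip_forward must be 1.
    run iptables -t nat -A POSTROUTING -o "$BOND" -j MASQUERADE
}

# Run directly:  DRY_RUN=1 sh bonding.sh 3   (no argument only defines functions)
case "${1:-}" in
    '') ;;
    *) setup_bond "$1" ;;
esac
```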

Client

USB Drive/Modem CD Rom Eject

The first step is to get the OS to eject the CD drive: http://ubuntuforums.org/showthread.php?t=1002262

After you plug the device in, edit /etc/udev/70-persistent-cd.rules, find your device (Novatel_Mass_Storage) and add:

, RUN+="/usr/bin/eject %k"

You will have to do this for each modem of this type.


I used wvdial to test the modem. It looks like pppd accepts .chat scripts too. Here is my wvdial script:

[Dialer Defaults]
Init1 = ATZ
#Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init2 = ATQ V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init3 = ATQ V1 E1 S0=0 &C1 &D2 +FCLASS=0
#? - Init5 = AT+CGDCONT=1,"IP",""
Carrier Check = yes
Dial Command = ATX1DT
Modem Type = Analog Modem
Baud = 460800
New PPPD = yes
Modem = /dev/ttyUSB0
ISDN = 0
Phone = #777
Password = JustAnyOldPW
Username = 5555555555@vzw3g.com

Replace 5555555555 with your device's phone number.

Notes

pfSense

With the USB760 modem you need to eject the drive before it works.

cdcontrol -f /dev/cd0 eject

This needs to be automated. This thread suggests a devd rule: http://forum.pfsense.org/index.php/topic,43285.0.html

bsd router/firewall/more

Notes

ZeroShell

Zeroshell is a Linux distribution for servers and embedded devices aimed at providing the main network services a LAN requires. It is available in the form of Live CD or Compact Flash image and you can configure and administer it using your web browser.

  • Says it supports VPN Bonding
  • 3G support (and it is Linux)

Notes

udev/cdcontrol Creation