It seems like I’m specializing in setting up Gentoo-based routers. At my workplace here in California (for the short time I’ll still be here, as it looks like my next destination is London by the end of the year), we needed to replace the previous network setup, built around a Juniper ScreenOS router, with something better suited to FiOS as the uplink: we just got a 150Mbit down, 65Mbit up link, and the Juniper router is only rated for a very optimistic 40Mbps in either direction.
After trying, and failing, to get the FiOS router/access point and the VPN provided by the Juniper router to play nice together, I picked up one of the (extremely old) HPs we had around (a desktop, not a server), ordered a couple of PCI gigabit network cards, and simply set up Gentoo on it. Since the cards took a couple of days to arrive, I first set everything up “dry” and then put the network cards in once they came. The bright side is that the cards arrived at 11am, and by 4pm the whole thing was running better than before; by the end of the day I also had an IPv6 tunnel up, so we finally have IPv6 support here in the office, which is important for me because of how my Excelsior is set up (I’ll write more about that later on).
Getting Linux to play nice with the Juniper router and its VPN has been the most bothersome part of the whole job. Luckily this wasn’t Juniper’s “SSL VPN”, which requires their Java-based tool to run as root to work as a client on Linux; instead the VPN, completely unmarked, uses plain IPsec. Figuring out what to tweak between the kernel and userland is a bit of a burden, but everything is up now. Unfortunately the racoon init script is a bit of a pain in the butt: it failed to work properly for me, while my improvements fail to work for others. If you’re using it and feel like testing it, I’m pretty sure Anthony would be happy to have more hands on deck.
I have yet to set up OpenVPN, to be honest, and there is another problem with VPN Tracker behind this router: with no IPsec connection tracking helper, the UDP packets required for the IKE negotiation are not getting through the NAT, and the client does not support UPnP/IGD to request a port forwarding for itself, which is a definite pain. In general, though, it’s much easier for me to deal with a Gentoo Linux-based router than with the stupid Juniper ScreenOS.
I’ve been doing some reading on which parameters to tweak, but I haven’t had much time to experiment with it yet; on the other hand, with the office basically running with three people in at any time, there’s very little that doesn’t work out of the box. The one thing I noticed, though, is that IPv6 (over the tunnel) somehow feels “snappier” than IPv4. Maybe it’s the NAT that has to be done for v4, or the fact that the iptables rules are more complex for v4 than for v6 (as the v4 rules include DNAT as well). The ping times are also quite good, and they are halved for IPv6: 3ms vs 6ms over v4 to Google’s homepage; similar (but much higher) numbers for Yahoo!, but reversed for Facebook.
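As an added example (written for this page; it is not the post author’s router configuration, which the post does not publish), here is the usual workaround for the two points above: a single IPsec client behind a Linux NAT router with no IPsec conntrack helper and no UPnP/IGD gets a static DNAT of the traffic IPsec needs inbound, namely IKE on UDP/500, IKE NAT-Traversal on UDP/4500 and ESP (IP protocol 50), while the IPv6 side of the same router needs no NAT at all and reduces to stateful filtering. All interface names (eth0, eth1, sit1) and addresses (192.168.1.0/24, 192.168.1.50) are assumptions, and the script prints rules instead of applying them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: single-client IPsec passthrough on a Linux NAT router, plus
# the NAT-free IPv6 counterpart. Not the post author's configuration.
# Every interface name and address below is an assumption; adjust to taste.

WAN_IF="${WAN_IF:-eth0}"                   # uplink (assumed name)
LAN_IF="${LAN_IF:-eth1}"                   # office LAN (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # office LAN prefix (assumed)
VPN_CLIENT="${VPN_CLIENT:-192.168.1.50}"   # the one host running the IPsec client (assumed)
V6_IF="${V6_IF:-sit1}"                     # 6in4 tunnel interface (assumed name)
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# With DRY_RUN=1 (the default, so the file is safe to run without root) the
# rules are printed instead of applied.
run() {
    tool=$1; shift
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s %s\n' "$tool" "$*"
    else
        "$tool" "$@"
    fi
}
ipt()  { run "$IPT"  "$@"; }
ip6t() { run "$IP6T" "$@"; }

# IPv4: masquerade the LAN, then statically forward the three things IPsec
# needs inbound: IKE on UDP/500, IKE NAT-Traversal on UDP/4500, ESP (proto 50).
# ESP carries no port numbers, so a DNAT of it can only ever target one host;
# that is why this approach stops working as soon as a second LAN host runs
# IPsec, and why a conntrack helper exists in the first place.
ipsec_passthrough_v4() {
    ipt -P FORWARD DROP
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 500  -j DNAT --to-destination "$VPN_CLIENT"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 4500 -j DNAT --to-destination "$VPN_CLIENT"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p esp              -j DNAT --to-destination "$VPN_CLIENT"

    # DNAT only rewrites the destination; FORWARD still has to let the packets in.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$VPN_CLIENT" -p udp -m multiport --dports 500,4500 -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$VPN_CLIENT" -p esp -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# IPv6 over the tunnel: every LAN host has a routable address, so there is no
# NAT and no DNAT; the whole ruleset is stateful filtering, which is the
# v4/v6 asymmetry noted in the post.
forward_v6() {
    ip6t -P FORWARD DROP
    ip6t -A FORWARD -i "$LAN_IF" -o "$V6_IF" -j ACCEPT
    ip6t -A FORWARD -i "$V6_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ICMPv6 is not optional on v6 (neighbour discovery, path MTU discovery).
    ip6t -A FORWARD -i "$V6_IF" -o "$LAN_IF" -p ipv6-icmp -j ACCEPT
}

main() {
    ipsec_passthrough_v4
    forward_v6
}
main "$@"
```

Run it as `sh router-rules.sh` to review the generated rules, then `DRY_RUN=0 sh router-rules.sh` as root to apply them. If the remote IPsec gateway has a fixed public address, adding `-s <gateway>` to the three PREROUTING rules narrows the exposure of the client host; the post does not give that address, so it is left out here.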
That’s nice to hear. I’ve been doing Gentoo-based routers/firewalls/VPNs since 2004 for my company, because I always found myself limited by manufacturers’ limitations or overpriced hardware. Our current routers/firewalls/VPNs are redundant and handle symmetrical 100Mbps and 200Mbps connections (IPv4 only) for production purposes. They also handle IPVS load balancers for certain parts. I wonder how you’re handling your iptables rules (I use a home-made framework and Git) and what you chose as VPN software (I use strongSwan)? We can share some cool tips and tricks if you wish; don’t hesitate to ping me on IRC.
I won’t go into details in the middle of the night, but IPv6 should have lower lag by design. From what I remember, it’s also more efficient at transmitting large packets.
While I agree the SSL VPN is crap (does not work in a 64-bit browser on Windows, does not work with OpenJDK, …), it does not need root. The only thing it uses root for is to hack remote hosts into your /etc/hosts, which I very much prefer it not to do. You can just use the 127.0.1.something addresses it creates directly (though I’d prefer if it didn’t create those either but instead did ordinary port forwarding). But I have to say that I am not at all convinced of what the point of that annoyance is instead of using regular ssh with a password-protected key.