Magnus Wedberg / home

Zebedee on a Netgear Readynas Ultra (and other x86 devices)

VPN on a Readynas
The Readynas x86 devices (specifically the Pro/Ultra models here, though the article is not limited to them) are powerful devices, with Intel Atom processors, two gigabit ports, adequate amounts of memory, and a customized version of Debian running the goods.

The worst thing about these devices is clearly the firmware/software packages. The look of the administrative interface is dated, many packages are old (and the best ones are the unsupported community ones), and generally you'll have to resort to command line hacking to do advanced stuff or fix problems. Contrast this with Synology devices, which in their cheaper variants (although still more expensive than more powerful Readynas devices as of this writing) contain less powerful processors (ARM architecture, similar to Netgear Readynas Duo v2) but have beautiful firmware with a massive list of features and a lush forest of usable addons. However, I wanted the Readynas Ultra for the general hackability with an x86 architecture.

Building a "real" OpenVPN server for the Readynas is complicated for many people, but there is an alternative: Zebedee. This tiny program takes local UDP/TCP ports, tunnels them through a single encrypted (Blowfish) and compressed (zlib/bzip2) TCP stream, and splits them up into remote ports again at the server. It's no real replacement for a VPN, as you have to configure each port and where it goes individually, but it's a useful and "cheap" sort of "VPN".

Do note that for pure NAS use, meaning networked hard disk performance, the Synology devices might be better anyway. They are great, especially if you avoid the low-end "j" models. Their CPU performance is not impressive, though, so VPN performance will be very slow. In contrast, a Readynas Ultra 2 (non-"plus", meaning 1.5GHz single-core Intel Atom) will easily sustain 20-25 megaBYTES of encrypted content per second (on a local gigabit net). That's pretty awesome.

Building Zebedee for the Readynas
Well, if you install a build environment on your Readynas or any x86 Linux machine, you can easily compile it using the instructions and source at the Zebedee homepage. Or you can download the binary here, as I have already compiled the 2.4.1A version for you.

In the package above I have also included sample client id and server configuration files, but here they are anyway (in this example the zip is unpacked in /root/zebedee/):

server.zbd

verbosity 2     # Slightly more than basic messages
server true     # Yes, it's a server!
detached true   # Run detached from terminal
# udpmode false # Are we operating in UDP mode?
ipmode both
serverport 11965

# Uncomment the following line to log messages to a file
#
#logfile '/root/zebedee/zbd-srv.log'

keygenlevel 2   # Generate maximum strength private keys

# To validate the identity of clients uncomment the following
# line:
#
checkidfile '/root/zebedee/clients.id'

# Set up allowed redirection ports.
# These should be pretty safe -- but it's not a good idea
# to open up all ports.

#redirect 5900-5999     # VNC traffic
#redirect 80            # X Window System
#targethost 192.168.0.2 # Redirection

target 127.0.0.1:22,80,137,138,139,443,445

compression zlib:9      # Allow maximum zlib compression
keylength 256           # Allow keys up to 256 bits
keylifetime 36000       # Shared keys last 10 hours
maxbufsize 16383        # Allow maximum possible buffer size

This basically tells the server to listen on port 11965 (which you will have to forward in your router) and allow targets to the local Samba (Windows networking a.k.a. SMB), SSH, HTTP and HTTPS ports. You can also target other hosts on the local network by adding "target" lines; for example, target 192.168.99.100:9100 would target a networked printer at that IP.

Client configuration is somewhat beyond the scope of this article, especially as you might have to use a Linux computer as a gateway if you want Windows networking with post-XP operating systems, and it's probably more fruitful to keep the discussion of this to the Zebedee mailing list anyway. But you don't have to use Windows networking; you could use Zebedee to forward FTP, iSCSI (this might be crazy dangerous if you lose packets a lot!) or whatnot.

The clients.id file contains a list of keys that are allowed to connect (note that the computer name is just descriptive and of course, DO NOT USE THIS ID FILE):

clients.id

b3c46f66bd524179309f83612f5964f4be651897 Computer_name

You generate a key/id pair with zebedee -p -P
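
A quick review of a config like the one above before forwarding port 11965, as an added example that is not part of the original article or of Zebedee itself: it reads only active (uncommented) directives, reports whether checkidfile is in effect, flags an identity file that still lists the sample ID printed above, and expands the target line into the individual host:port pairs the tunnel can reach. The function names and the temporary demo files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): review a Zebedee server config.
# SAMPLE_ID is the identity printed in this article's clients.id.
SAMPLE_ID=b3c46f66bd524179309f83612f5964f4be651897

# Active directives only: strip comments, surrounding blanks and empty lines.
zbd_active() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Value of the last occurrence of directive $2 in config $1, quotes removed.
zbd_value() {
    zbd_active "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }' | tr -d "'"
}

# Expand "target host:p1,p2,..." into one host:port per line.
zbd_targets() {
    zbd_active "$1" | awk '$1 == "target" {
        split($2, hp, ":"); n = split(hp[2], p, ",")
        for (i = 1; i <= n; i++) print hp[1] ":" p[i] }'
}

# Print findings for config $1; return 0 when there are none.
zbd_audit() {
    rc=0
    idfile=$(zbd_value "$1" checkidfile)
    if [ -z "$idfile" ]; then
        echo "FINDING: checkidfile inactive, client identities are not validated"; rc=1
    elif [ ! -r "$idfile" ]; then
        echo "FINDING: cannot read identity file $idfile"; rc=1
    elif grep -q "^$SAMPLE_ID" "$idfile"; then
        echo "FINDING: $idfile still lists the article's sample identity"; rc=1
    fi
    zbd_targets "$1" | sed 's/^/reachable through tunnel: /'
    return $rc
}

# Constructed demo input modelled on the article's server.zbd and clients.id.
demo=$(mktemp -d)
printf '%s Computer_name\n' "$SAMPLE_ID" > "$demo/clients.id"
cat > "$demo/server.zbd" <<EOF
server true                 # constructed sample
serverport 11965
# checkidfile '/tmp/unused' # commented out, must be ignored
checkidfile '$demo/clients.id'
target 127.0.0.1:22,443
EOF
zbd_audit "$demo/server.zbd"
```

On the NAS itself, run zbd_audit /root/zebedee/server.zbd after sourcing the functions.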

Running everything
Now you'll have to auto start the Zebedee server on your Readynas. Create a file named zebedee.sh in /etc/init.d and make it executable.

/etc/init.d/zebedee.sh

#! /bin/sh
#
# zebedee
#
# Run Zebedee server at startup
#

case "$1" in
  start|restart|force-reload)
    echo -n "Running zebedee"
    /root/zebedee/zebedee -f /root/zebedee/server.zbd
    echo "."
    ;;
  stop)
    echo -n "Stopping zebedee"
    start-stop-daemon -K -n zebedee -R 5
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/zebedee.sh {start|stop}"
    exit 1
esac

exit 0

Now update rc.d so Zebedee starts and stops automagically:
update-rc.d -f zebedee.sh defaults
This should make it run, and allow the system to gracefully shut down the process.

This was a vague description of how to do it. Questions to the mailing list please!

