Free V24 Dnc Software Linux
From DD-WRT Wiki
As of DD-WRT v.24 SP1, it is now possible to set up DD-WRT as an OpenVPN appliance using only the web-based GUI. It is no longer necessary to issue shell commands, or to echo quoted certificates and config files using a shell script.
This tutorial shows how to set up an OpenVPN server on DD-WRT and its clients on either desktop PCs or another DD-WRT box.
Getting Started - Flashing the Router
To flash a brand new WRT54GL:
- First, install the 'mini' version of DD-WRT. (Current filename: dd-wrt.v24_mini_generic.bin)
- Then, install the 'vpn' version of DD-WRT that has OpenVPN support. (Current filename: dd-wrt.v24_vpn_generic.bin)
For other routers, use the appropriate bin files and installation procedure, as per the DD-WRT website.
More detailed instructions are available, for example at Installation.
Enough NVRAM storage space?
All the data from the web-GUI is permanently stored in the NVRAM area. Overfilling the NVRAM area is likely to brick your router.
Using a KEY_SIZE of 1024 you need about 5200 bytes available in NVRAM on the server-side before you push SAVE in the web-GUI, or you might brick your router.
Using a KEY_SIZE of 2048 you need about 6000 bytes available in NVRAM on the server-side.
To test how much NVRAM space is left (and used) telnet or ssh into your router and type:
If you do not have enough NVRAM space available, you cannot use the web-GUI method that is outlined below. You must use the Script method to store the certificates and activate VPN. Doing a factory reset may free up NVRAM, however, you will lose your existing configuration.
Creating Certificates
Once you have verified you have enough nvram space, you need the OpenVPN software installed on your computer, as it is used to create all the needed certificates.
See steps below for 'how to' download/install/use OpenVPN on your computer, or visit
http://openvpn.net/index.php/documentation/howto.html for the general official guide.
Creating Certificates Using Easy RSA in Windows
PRECAUTION: When generating certificates using Easy RSA in Windows, the certificate will be signed using GMT time, not your local time. As a result, the certificate will not be valid until your local time equals the GMT time at which the certificate was signed. For instance, on the West Coast of the USA your local time is GMT-8, so your certificates will not be valid until 8 hours after generation, assuming that you have your time set to GMT-8 on the router and are using an NTP time server to manage the router time setting. You will need to set your router to use GMT until the time difference elapses, or you will receive TLS Auth errors when trying to connect until the time difference passes. After that, you can set your time to GMT-8 or whatever time zone you are in.
Easy RSA is installed with the OpenVPN package on Windows. Open up a Command Prompt and cd to C:\Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. Save the file and return to the CMD Prompt. All of the following build actions produce files that will be placed in the 'keys' directory under C:\Program Files\OpenVPN\easy-rsa.
In the CMD Prompt, type:
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used 'OpenVPN-CA'.
Generate certificate & key for server
Next, we will generate a certificate and private key for the server. Type:
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter 'server'. Two other queries require positive responses, 'Sign the certificate? [y/n]' and '1 out of 1 certificate requests certified, commit? [y/n]'.
Generate certificates & keys for 3 clients
Generating client certificates is very similar to the previous step. Create as many client certs as needed, naming each individually. Type:
If you would like to password-protect your client keys, substitute the build-key-pass script.
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. 'client1', 'client2', or 'client3'. Always use a unique common name for each client.
Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server. Type:
Output:
Creating Certificates using Ubuntu Linux
Creating certificates only requires the easy-rsa package. Easy-rsa is now managed as an independent package
You may want to use TLS pre-authentication on your VPN. In that case you may need to install openvpn on this Ubuntu machine, even if this machine won't be a VPN tunnel peer, just to generate a ta.key file (you could also generate this file on a client computer, where the openvpn package is mandatory). Then the command above becomes
The recent easy-rsa package in Ubuntu features a single make-cadir command that takes care of everything below about copying template files and setting permissions, in your own $HOME/<certification authority directory> or elsewhere. No need to sudo. Just run
then edit vars as explained below, then go on with
then go on beginning with ./clean-all in the code below.
Install OpenVPN package (with easy-rsa inside)
You must execute the following commands as root. Either type sudo in front of every command (i.e. sudo ./clean-all) or do sudo su once and see the last character on the command prompt change to #.
If you plan to use TLS authentication (see the openvpn manual), install openvpn now if not yet done. Create the shared key:
You can uninstall openvpn now if this machine won't be a VPN peer.
At this point, you have created the certificates which you will need to pass out to the server and clients. You will find them in the new directory keys. KEEP THEM IN A SAFE PLACE.
Notes about the above commands:
- Before you run the source vars command you may want to edit some of the export lines in the vars file. You might do: cp vars vars-org before you edit the vars script. One of the following commands will allow you to edit the vars file in Ubuntu Linux: gedit vars or nano vars or vi vars. KEY_SIZE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL are probably the only export variables you should change. Please note: if you change KEY_SIZE it must be done before running source vars.
- source vars - will run the vars script and export the vars variables all the way to the command prompt. Type sudo set in the Linux terminal window to see all global variables, or just set if you have already done sudo su. The rest of the commands above depend on and use the global variables exported from the vars script
- ./clean-all - makes sure no old keys are stored in the 'keys' directory. All the .crt and .key files you create make up ONE set of mutually dependent keys, that all store parts from one another.
- ./build-ca - creates the ca.crt and ca.key files - ./build-ca will ask you to enter some parameters. Here is an example of what I might use (living in Denmark)
- ./build-key-server server - creates the server.crt and server.key files. Here is an example of what I might use (living in Denmark)
- ./build-key client1 - creates the client1.crt and client1.key files
- So long as you change nothing in the vars file, you can come back and run the ./build-key clientX command at any time, in order to create keys for one more client to connect to your OpenVPN (DD-WRT) server.
- ./build-dh - creates the dh1024.pem or dh2048.pem files, depending on the KEY_SIZE variable. Please note: if you change KEY_SIZE you must re-do all steps above, beginning with source vars
edit: easy-rsa is at version 3 and some of the commands have changed. These are the new ones. I use no password and require certificates. I believe this works closely with the rest of the instructions.
Setting up the Gateway
In the Web Interface of your DD-WRT loaded router, go to Services > OpenVPN Daemon.
The server will reject certificates unless the server clock is set correctly. To fix this, enable NTP.
- First, set 'Start OpenVPN: Enable'.
- Then you can choose either 'System' or 'WAN Up' as 'Start Type'. The first choice launches OpenVPN on system startup, whereas the second runs OpenVPN whenever the WAN interface goes up.
NOTE: Be careful! If your openvpn.conf has to resolve some domain names, you may face issues with the 'System' start type, especially if your openvpn.conf contains the command local domain.
- Second, paste the certificate files created above into the boxes in the DD-WRT web interface as follows:
Box | File to insert |
---|---|
Public Server Cert (CA Cert) | ca.crt |
Certificate Revoke List | (blank) |
Public Server Cert | server.crt |
Private Server Key | server.key |
DH PEM | dh1024.pem |
OpenVPN Config | (see below) |
OpenVPN TLS Auth | blank (or ta.key file content) |
NOTE: Only paste the sections of text starting with (and including):
-----BEGIN CERTIFICATE-----
and ending with (and including):
-----END CERTIFICATE-----
in the text files. That is, include the two ---BEGIN/END CERTIFICATE--- lines. Do not paste all the descriptive stuff above that section.
NOTE on File Access in Ubuntu (for recent Ubuntu see Note** further): The following commands will make it easier to use the GUI tools in Ubuntu to copy text from the files stored in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys to the web-GUI of DD-WRT.
Then open any File browser in Ubuntu menu 'Places' and paste
into the 'Location:' text field and you can easily open (display/edit) the files in order to copy-and-paste the certificate and key sections into DD-WRT web-GUI.
Note** In recent Ubuntu, after you have run make-cadir with some target in your $HOME (e.g. My-OpenVPN-CA), source vars, clean-all and build-ca as explained above, the key folder ($KEY_DIR) has permissions set to 700 (fine). In it you can read/write all files. *.key files are set to permissions 600 (fine again), and all others are 644 (fine too). Don't open key/crt/pem files from the graphical file browser, as a graphical utility ViewFile will pop up, either puzzling you with what to copy/paste or failing to show anything. Instead, in a terminal, use:
Copy and paste only the useful data to limit the NVRAM space needed (including the header/footer lines -----BEGIN ... / -----END ... for PRIVATE KEY, CERTIFICATE and OpenVPN Static key V1).
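The trimming described in the notes above, as an added shell example that is not part of the original wiki page: it keeps only the -----BEGIN ... / -----END ... blocks of each file and totals the bytes that would be pasted, so the figure can be compared with the free NVRAM. The function names and the sample files are constructed for illustration; 5200 is the page's approximate figure for KEY_SIZE 1024.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki. All function names are hypothetical.

# Print only the PEM block(s) of a file: each "-----BEGIN ...-----" line
# through the next "-----END ...-----" line, inclusive. Everything else
# (the openssl text dump in .crt files, the '#' header in ta.key) is dropped.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Number of bytes in the PEM-only part of one file.
pem_bytes() {
    pem_only "$1" | wc -c | tr -d ' '
}

# Total PEM-only bytes over all files given; warns about files with no block.
paste_total() {
    total=0
    for f in "$@"; do
        n=$(pem_bytes "$f")
        [ "$n" -gt 0 ] || echo "warning: no PEM block in $f" >&2
        total=$((total + n))
    done
    echo "$total"
}

# fits_nvram FREE_BYTES FILE...: succeeds only if the pasted total fits.
fits_nvram() {
    free=$1
    shift
    need=$(paste_total "$@")
    echo "need $need bytes, $free available" >&2
    [ "$need" -le "$free" ]
}

# Write two constructed sample files (placeholder data, not real key material).
make_sample() {
    cat > "$1/server.crt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=server
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
EOF
    cat > "$1/ta.key" <<'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
echo "server.crt: $(wc -c < "$demo/server.crt" | tr -d ' ') bytes on disk," \
     "$(pem_bytes "$demo/server.crt") bytes to paste"
if fits_nvram 5200 "$demo/server.crt" "$demo/ta.key"; then
    echo "fits in the stated NVRAM headroom"
fi
rm -rf "$demo"
```

The total covers only the pasted certificate and key text; the OpenVPN config pasted into the same page also takes NVRAM space.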
Sample Setup with Routing
The following example config file uses OpenVPN in routed mode. It is also possible to set up OpenVPN in bridged mode; this is explained below.
The Server Config File
In routed mode, there are three networks to consider:
- The LAN (192.168.54.0 here)
- The WAN (Internet)
- The OpenVPN private routing network (192.168.66.0 here)
The OpenVPN private routing network is used by the OpenVPN software. The OpenVPN server and clients will be on this 'private' subnet, and OpenVPN will route packets between your LAN subnet (192.168.54.0) and the OpenVPN subnet (192.168.66.0). Change the LAN subnet addresses to whatever you like. By default the LAN address is 192.168.1.0, but I changed it to 192.168.54.0 here so I could test these devices under my pre-existing LAN.
Note that the port used in this example is 1194, and the OpenVPN subnet is 192.168.66.0. You can change those, but then you must change the firewall commands to match your new settings. I chose 192.168.66.0 simply because it doesn't conflict with anything else on my network.
My Server Config File:
In this example, all the computers behind this appliance will have 192.168.54.* IP addresses (The network is 192.168.54.0/24).
The Server Firewall Script
Go to Administration > Commands.
Type in these text 'commands' for the Firewall, replace 1194 with your OpenVPN port number:
Replace 192.168.66.0/24 with your OpenVPN server subnet:
Then click Save Firewall.
The first two lines allow external clients to connect to the OpenVPN software (on port 1194). The last line allows packets to flow to/from the OpenVPN private network, and thus may not be necessary on bridged configurations.
Client Config File - Desktop
This is my configuration file for a Desktop OpenVPN Client to connect to the server we just set up. It was tested from a laptop with Ubuntu Linux.
Client Config File:
(Note: for a routed OpenVPN, the 'float' option is necessary.)
You may prefer to use the sample client.conf file provided by the openvpn installation: copy /usr/share/doc/openvpn/examples/sample-config-files/client.conf (or equivalent client.openvpn for Windows) into your $HOME (or config folder for Windows), then rename the copy to your-client-name, keeping the extension as is. Adapt it according to your needs, e.g.: Set the line(s)
according to the server name/ip port.
For Linux you can uncomment lines for security, but if the tun/tap goes down, you'll need to re-run the sudo openvpn my.conf command. Change the lines
to as issued by certificates generation. Uncomment the line
if you use it (ddwrt server config is set to tls-auth ta.key 0, which is what we want), and so, copy the ta.key file into all clients' config folder. Just below, add
if you want to match with ddwrt default, which is not openvpn sha1 default. If you set ddwrt server to sha1 you don't (may not) need this line. Uncomment/change the line
to which is the openvpn recommended ciphering algorithm, and set ddwrt openvpn server to use it instead of the default none. Uncomment the line
which, with no more argument, means adaptive compression (match with ddwrt default). Run openvpn as said above for Linux. For Windows, right-click the icon OpenVPN-GUI and select Run as administrator.
Note: the first statement in the config file, client, implies the --pull option which allows the server to push some other parameters to the clients once the connection is established.
Client Configuration - DD-WRT
This is the configuration for an OpenVPN Client running on another DD-WRT box.
Just set the OpenVPN server name (its WAN address or name) and port (1194) using the GUI, and then put in the certs similar to the procedure on the server:
Box | File to insert |
---|---|
Public Server Cert | ca.crt |
Public Client Cert | client1.crt |
Private Client Key | client1.key |
Performance
Using Linksys WRT54GL v1.1 boxes as both client and server OpenVPN appliances.
CPU Model: Broadcom BCM5352 chip rev 0
SCP File transfer with CPU at 200 MHz: 313 KB/s
SCP File transfer with CPU at 250 MHz: 423 KB/s
Thus, estimated OpenVPN User Capacity (with CPU at 250 MHz):
For users with 768 Kbit DSL:
About 4-5 users (100% usage, like big downloads)
About 10-20 users (intermittent usage, like web or shell traffic)
For users with 128 Kbit dial-up modems:
About 25 users (100% usage, like big downloads)
About 50-100 users (intermittent usage, like web or shell traffic)
I tested an OpenVPN connection for about 24 hours in my lab. I transferred 525 MB of files. I also did two power cycles on both client and server appliances, and the tunnel re-established itself correctly.
Instructions for Bridging
Bridging is mainly needed if you need to exchange broadcasts (needed for many network games and for Windows shares) or if you have protocols other than IP. With a bridge, the clients get a part of the server's 'other-side-network', normally the LAN on DD-WRT boxes.
In this example, the network (which is the LAN and the network where the VPN clients are located) is 10.22.0.0/16, or 10.22.0.0 with a subnet mask of 255.255.0.0. DD-WRT's normal DHCP server assigns no addresses under 10.22.0.100 (set this under Setup > Basic Setup > Network Address Server Settings (DHCP)).
The server config file for bridging
verb 5 isn't necessary, but good for troubleshooting.
The Start-IP and End-IP in the server-bridge statement define the IP address range from which the clients get their addresses assigned. It must not overlap with the DHCP server's address range (see above, before the file).
The Startup Script
Go to Administration > Commands, paste
then hit Save Startup.
The Firewall Script
Clear the box (if it doesn't automatically do so) and enter
Then hit Save Firewall.
Client config file for bridging
You will also need to modify your client config file(s) to match your server config file. In particular, the dev setting needs to match what is configured on the server.
Client Config File:
Now restart your router and try.
Troubleshooting
Prerequisites
Running commands and watching logs. Use telnet, SSH, or Administration > Commands to run commands.
To troubleshoot, you should turn on logging, and then watch the log file using this command:
To turn on logging, do this:
- Turn on syslog by setting 'Services > System Log > Syslogd' to Enabled,
- Add a line that says 'verb 5' to the OpenVPN config file
Steps
- First, is OpenVPN running?
If you don't see the OpenVPN process listed, then that is the first problem you need to solve.
Make sure you are running it by setting 'Start type: WAN Up'.
- Maybe there is an error in your config file. If so, OpenVPN will log an error message and then die.
Here is an example error I got when my config file had a bad setting in it:
See if OpenVPN is logging an error message for you, to tell you what is wrong. (See 'Logging' above; you need syslogd on and 'verb 5' in your OpenVPN config file.)
- Next, is your firewall blocking OpenVPN?
If your firewall settings are wrong, OpenVPN's packets will be blocked by the DD-WRT firewall software.
First, turn off your firewall altogether, as a test to see if that makes things work. 'Security > Firewall > SPI Firewall: Disable'. If that fixes your problem, you need to tweak your firewall rules.
You can review your Linux IPTABLES firewall rules with this command:
Also, the firewall can log any DROPped or REJECTed packets. Examine these log messages and compare the DROPped packets to your iptables rules, and then tweak as necessary.
'Security > Firewall > Log: Enable'
'Security > Firewall > Log > Log Level: Medium'
'Security > Firewall > Log > Options > Dropped: Enable; Rejected: Enable'
There are many web sites that explain Linux iptables rules and commands.
- If you are still having trouble, make sure the cert and config files are saved correctly on the DD-WRT by looking in the directory /tmp/openvpn/ (for server) and /tmp/openvpncl/ (for client).
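A pre-flight check for two config errors this page mentions, written as an added shell example that is not part of the original wiki: a crl-verify line that points to a missing file or a relative path (see the comments dated 2009-11-15, 2009-12-18 and 2011-03-13 below), and a dev setting that differs between server and client. Function names and the sample configs are constructed; the check only tests that the CRL file is present and readable, not that it is a valid CRL.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki. Function names are hypothetical.

# conf_get FILE DIRECTIVE: print the arguments of the first active
# (uncommented) occurrence of DIRECTIVE, or nothing if it is absent.
conf_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# check_crl FILE: 0 = no crl-verify line, or it names a readable file by
# absolute path; 1 = relative path; 2 = file missing or unreadable.
check_crl() {
    crl=$(conf_get "$1" crl-verify)
    [ -n "$crl" ] || return 0
    case "$crl" in
        /*) ;;
        *) echo "crl-verify needs a full path: $crl" >&2; return 1 ;;
    esac
    [ -r "$crl" ] || { echo "crl-verify file not found: $crl" >&2; return 2; }
}

# check_dev SERVER_CONF CLIENT_CONF: the device type (tun or tap) must be
# the same on both ends; a trailing unit number such as tap0 is ignored.
check_dev() {
    s=$(conf_get "$1" dev | sed 's/[0-9]*$//')
    c=$(conf_get "$2" dev | sed 's/[0-9]*$//')
    if [ -z "$s" ] || [ "$s" != "$c" ]; then
        echo "dev mismatch: server='$s' client='$c'" >&2
        return 1
    fi
}

# make_confs DIR CRL_PATH: write constructed sample configs for the demo.
make_confs() {
    printf '%s\n' '# constructed server config' 'dev tap0' 'proto udp' \
        'port 1194' "crl-verify $2" > "$1/server.conf"
    printf '%s\n' 'client' 'dev tun' 'proto udp' > "$1/client-bad.conf"
    printf '%s\n' 'client' 'dev tap' 'proto udp' > "$1/client-ok.conf"
}

demo=$(mktemp -d)
make_confs "$demo" "$demo/ca.crl"          # the CRL file does not exist yet
check_crl "$demo/server.conf" || echo "crl-verify check failed (rc=$?)"
: > "$demo/ca.crl"                          # empty placeholder, presence only
check_crl "$demo/server.conf" && echo "crl-verify ok"
check_dev "$demo/server.conf" "$demo/client-bad.conf" || echo "fix client dev"
check_dev "$demo/server.conf" "$demo/client-ok.conf" && echo "dev ok"
rm -rf "$demo"
```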
TLS Configuration Issues
Problems may occur due to TLS errors, the following in particular: 'cannot locate HMAC in incoming packet.' Here is an evolution/combination of the server and client configurations from this wiki and the startup script listed in the other VPN configuration page:
Server:
and client:
Many thanks to all the contributors below, especially bmatthewshea who figured out the correct locations for the certificates.
--Derek
Windows Certificate Creation
For those who wish to create the certificates on their Windows machine, please reference the documentation from the OpenVPN site.
ERROR MESSAGE: 'OpenVPN: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
In Windows there is a bug with easy-rsa that causes this error at any connection attempt if you added the line remote-cert-tls server to your client configuration file. The following fix was provided by a user on the OpenVPN mailing list.
In file easy-rsa/openssl.cnf.sample go to section [ server ] and add the following two lines:
Then remake the certificates from the beginning. You even have to run init-config again in order to overwrite the old openssl.cnf with the sample that has the right settings. Now everything should work properly :) .
Unix version is fine.
2010-08-14 --- I have installed OpenVPN 2.1 for Windows and faced this issue. The fix works very well!
Comments
- 2009-03-25: Posted to this wiki after looking everywhere and not finding this =P
The original post which this article was copied & pasted from: Forum thread
- 2009-06-25: The server will reject certificates unless the server clock is set correctly. To fix this, enable NTP.
Other note: The server seems to reject Server certificates where the common name on the certificate isn't 'server'
- 2009-07-16: revised the whole site --Azaël
- 2009-08-08: added TLS Configuration Issues section --zamodeo
- 2009-09-19: Followed the wiki using Ubuntu 9.04 and made minor clarification changes to the wiki --MrAlvin
- 2009-11-15: I suggest to remove last line of config file related to server config in bridging mode ('crl-verify /tmp/openvpn/ca.crl'). There is no 'Certificate Revoke List' section filled in and no file created, so when it starts the first connection attempt, the server process goes in error and ends --bfg9000it
- 2009-12-18: I second the last suggestion regarding the config file for the server config in bridging mode. My setup was non-functional until I removed that line 'crl-verify /tmp/openvpn/ca.crl' as I was not using a revoke list. I imagine that when one is instated, the line will be necessary to reference it; however I do not know. --arriflex
- 2010-01-21: To configure routed openvpn in linksys<->linksys mode with subnets behind each router talking to each other through the tunnel, it seems it's still necessary (dd-wrt v24-sp2 build 13064) to script the ccd directory and populate it with the proper iroute statement in a file named for the common name in the certificate of the connecting client router. Also, I found I needed 'iptables -t nat -I POSTROUTING -o tun0 -j ACCEPT' in my firewall script and another line similar for the PREROUTING table. I used this on server and client because these rules turn off the NATing of the vpn tunnel between endpoints, which you want if you want your tunnel to be truly routed. Otherwise, that NAT does bad things like one-way audio for SIP traffic, e.g. --mulderlr
- 2010-02-10: I have set up a pfSense server and dd-wrt client (build 13064) which I'm tunneling VoIP traffic. I had to set up client specific iroutes on pfSense through the gui (there is a tab for this under OpenVPN), and make sure that the proper networks were routed and pushed in the server config. I did not find I need the PREROUTE and POSTROUTE of mulderlr, however, I did have to add a forward rule: 'iptables -I FORWARD -i tun0 -o br0 -j ACCEPT' --Edjusted 15:52, 10 February 2010 (CET)
- 2010-02-15: As a nice addition to this how-to, I have an Asus WL500W with 4GB memory stick attached to it and Optware installed on it (although not necessary) I mount it as /opt and created an 'openvpn' directory on it then copied all of the files from a running OpenVPN setup from a real server I have a chroot jail, ccd/ directory and certs on this directory, and as clients connect they get their respective settings from my server DHCP, DNS and WINS (samba) information so road-warriors or sites with more computers behind them can connect and it creates a really nice network. I'm testing this with five clients connected right now and works flawlessly.
- 2010-06-11: Had some Problems to get the openvpn daemon start with (v24-sp2 SVN revision: 13064). Reason was an unreadable ca.crt certificate although I pasted it via the webinterface. If the daemon isn't running (ssh -> ps grep vpn) after you finished to follow the instructions from above, try starting it by hand (openvpn /tmp/openvpn/openvpn.conf) and watch for error messages. In my case I had to copy the ca.crt via scp to the router. --Dude 11:00, 11 June 2010 (CEST)
- 2010-06-11: If the connection to your vpn-server can be established and pinging some IPs in your 'home-net' also works but the communications freezes after some seconds try 'proto tcp-server' (Server-conf) and 'proto tcp-client' (Client-conf) as alternative protocol. Don't forget to open the tcp-protocol in your firewall! This worked fine for me!--Dude 11:00, 11 June 2010 (CEST)
- 2010-08-30: I used Windows to generate the certificates and tried for over an hour to get it to work before I figured out that the certificates were generated for UTC time so the certificates would not become valid until 5 hours after creating them. I changed the router time to UTC for the time being, then changed it back to -500 the next day. It worked like a charm.
I'm using eko-s big build with OpenVPN on it, I set it up according to this how-to, but I added some bits from my own.
- Bridged mode setup
- Certificate based auth
- static key auth
- Client config dir
- Chroot jail for the vpn process
- Network details taken from the router
My config looks like this:
As you see I do some 'cool' things with my setup, I made some videos I posted on youtube about this, now with dd-wrt it's even better as many of these services can be centralized on the router.
Hope this comes in handy for someone.
If you need a bit of help with this PM me at the forum, I'd gladly try to help.
Great job, dd-wrt rocks,
--Dgonzalezh 00:41, 15 February 2010 (CET)
- 2009-05-11: By user icmp: To allow clients in the server side LAN to access clients in the client LAN I had to do some additional configuring.
Server side startup commands:
(Where 192.168.24.0 is the network on client1 and 192.168.25.0 is the network on client 2)
I added the following to the server side OpenVPN config:
Firewall commands on each client:
To save some memory I don't start httpd automatically. I disabled HTTPD in the web interface. If for any reason I should need the web interface, I simply connect with SSH to the router and issue the command: httpd. If you consider doing the same, make sure first that you can access your router with telnet or ssh. Otherwise you'll lock yourself out.
Thank You very much for this article. Great job!
- 2011-03-13: Regarding comments above dated 2009-11-15 and 2009-12-18, it's worth pointing out that if you do use a Certificate Revocation List, when you add the directive crl-verify <crl_file>, be sure to point to the full path of <crl_file>. The OpenVPN documentation does not indicate this, and it appears that clients cannot connect if openvpn cannot find the CRL file. --jmaher
--Keamas 11:50, 27 October 2010 (CEST)
Can anyone post how to route the whole traffic through the VPN tunnel with the Gateway scenario ?
--Krissi 19:00, 25 June 2011 (CEST)
Public Server Cert and CA Cert
This article assimilates that the 'Public Server Cert' and 'CA Cert' are the same. That is seen under the Server Configuration. It is actually described as just one value to insert.
Fact is though that the OpenVPN setup needs input for both CA Cert and Public Server Cert. Somebody should update the documentation to reflect this. As far as I understand the values should be as follows:
CA Cert = ca.crt
Public Server Cert = server.crt
Private Server Key = server.key
DH PEM = dh1024.pem
Public Client Cert = client.crt
Private Client Key = client.key
Stable release | |
---|---|
Repository | https://github.com/LinuxCNC/linuxcnc |
License | Free |
Website | http://linuxcnc.org/ |
LinuxCNC (formerly Enhanced Machine Controller or EMC2) is a free, open-source GNU/Linux software system that implements numerical control capability using general purpose computers to control CNC machines. Designed by various volunteer developers at linuxcnc.org, it is typically bundled as an ISO file with a modified version of 32-bit Ubuntu Linux which provides the required real-time kernel.
Due to the tight real-time operating system integration, a standard Ubuntu Linux desktop PC without the real-time kernel will only run the package in demo mode.
Purpose
LinuxCNC is a software system for numerical control of machines such as milling machines, lathes, plasma cutters, routers, cutting machines, robots and hexapods. It can control up to 9 axes or joints of a CNC machine using G-code (RS-274NGC) as input. It has several GUIs suited to specific kinds of usage (touch screen, interactive development).
Currently it is almost exclusively used on x86 PC platforms, but has been ported to other architectures. It makes extensive use of a real time-modified kernel, and supports both stepper- and servo-type drives.
It does not provide drawing (CAD - Computer Aided Design) or G-code generation from the drawing (CAM - Computer Automated Manufacturing) functions.
History
The EMC Public Domain software system was originally developed by NIST, as the next step beyond the National Center for Manufacturing Sciences / Air Force sponsored Next Generation Controller Program[NGC 1989] /Specification for an Open Systems Architecture[SOSAS]. It was called the EMC [Enhanced Machine Controller Architecture 1993]. Government sponsored Public Domain software systems for the control of milling machines were among the very first projects developed with the digital computer in the 1950s. It was to be a 'vendor-neutral' reference implementation of the industry standard language for numerical control of machining operations, RS-274D (G-code).
The software included the RS274 interpreter driving the motion trajectory planner, real-time motor/actuator drivers and a user interface. It demonstrated the feasibility of an advanced numerical control system using off the shelf PC hardware running FreeBSD or Linux, interfacing to various hardware motion control systems. Additional development continues using current and additional architectures (e.g. ARM architecture devices).
The demonstration project was very successful and created a community of users and volunteer contributors. Around June 2000, NIST relocated the source code to SourceForge under the Public Domain license in order to allow external contributors to make changes. In 2003, the community rewrote some parts of it, reorganized and simplified other parts, then gave it the new name, EMC2. EMC2 is still being actively developed. Licensing is now under the GNU General Public License.
The adoption of the new name EMC2 was prompted by several major changes. Primarily, a new layer known as HAL (Hardware Abstraction layer) was introduced to interconnect functions easily without altering C code or recompiling. This split trajectory and motion planning from motion hardware, making it easier to generate control programs to support gantry machine, lathe threading and rigid tapping, SCARA robot arms and a variety of other adaptations. HAL comes with some interactive tools to examine signals and connect and remove links. It also includes a virtual oscilloscope to examine signals in real time. Another change with EMC2 is Classic Ladder, (an open-source ladder logic implementation) adapted for the real time environment to configure complex auxiliary devices like automatic tool changers.
Around 2011, the name was changed officially from EMC2 to LinuxCNC. This was done at the insistence of EMC Corporation and the agreement of the project leadership. Internally some refer to LinuxCNC by EMC or EMC2 as it was historically known. EMC Corporation proposed that the LinuxCNC project, as previously named, would be confusing for customers or potential customers with their (mainly) storage related products.
Platforms
Due to the need for fine-grained, precise real-time control of machines, LinuxCNC requires a platform with real-time computing capabilities. Early versions of LinuxCNC (EMC) ran under a real-time version of Windows NT, but later versions of Windows did not have good real-time support, so Linux with real-time extensions became the preferred platform.[1] Currently LinuxCNC uses the RTAI kernel or PREEMPT-RT with LinuxCNC's 'uspace' flavour of the RTAPI.
Installing LinuxCNC and the underlying real-time kernel patches on a base Linux system can be a daunting task. Paul Corner came to the rescue with the BDI (Brain Dead Install) which was a CD from which a complete working system (Linux, real-time patches, and LinuxCNC) could be installed.[2] This made LinuxCNC accessible to a much larger user community. Today Paul’s BDI has evolved into a bootable (live) ISO that can be burned to a CD or USB and run on most any PC style computer to test drive LinuxCNC without having to install the system. Bootable LinuxCNC ISOs are available for Debian wheezy (RTAI kernel) and Debian stretch (RT-PREEMPT kernel).
The policy for LinuxCNC is to build packages and offer support for Debian, but pre-built binary packages are also available for other Linux systems and architectures.[3]
Design
LinuxCNC uses the model of 'sense, plan, act' in its interactions with hardware.[4] For instance, it reads the current axis position, calculates a new target position/voltage, and then writes that to the hardware. There is no buffering of commands, nor are externally initiated reads or writes allowed. This no-buffering approach gives the most freedom for adding or changing capabilities of LinuxCNC. By using relatively 'dumb' external hardware and programming the capabilities in the host computer, LinuxCNC is not locked to any one piece of hardware. It also allows an interested user to easily change behaviour/capabilities/hardware.
This model tends to lend itself to specific types of external interfaces: PCI, PCIE, parallel port (in SPP or EPP mode), ISA, and Ethernet have been used for motor control. USB and RS232 serial are not good candidates: USB has bad realtime capabilities and RS232 is too slow for motor control.
LinuxCNC has basic 'realtime' requirements because of this model. The interval between reading and writing must be consistent and reasonably fast. A typical machine does realtime calculations in a 1 millisecond repeating thread. The reading and writing to hardware must be a small part of this time, e.g. 200 microseconds, otherwise the phase shift makes tuning more difficult and there is less time available for the non-realtime programs, which may make the screen controls less responsive.
LinuxCNC 'employs a trapezoidal velocity profile generator.'[5]
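The 'sense, plan, act' cycle and the trapezoidal velocity profile described in this section, sketched as an added Python simulation of one axis. This is not LinuxCNC's code; the `Axis` fields, the limits and the sample move are assumptions chosen for illustration, and the "hardware" is idealised as following the command exactly.

```python
import math
from dataclasses import dataclass


@dataclass
class Axis:
    """Illustrative single-axis state; names and limits are assumptions."""
    vmax: float          # velocity limit, units/s
    amax: float          # acceleration limit, units/s^2
    dt: float = 0.001    # servo period: the 1 ms repeating thread
    pos: float = 0.0     # commanded position
    vel: float = 0.0     # commanded velocity


def servo_cycle(a: Axis, target: float) -> None:
    """One cycle: sense the error, plan a velocity, act on the position."""
    max_dv = a.amax * a.dt            # largest velocity change in one cycle
    tiny = max_dv * a.dt * 0.001      # error small enough to count as arrived
    err = target - a.pos              # sense
    # plan: highest speed from which the axis can still stop on the target
    if err > tiny:
        v_req = -max_dv + math.sqrt(2.0 * a.amax * err + max_dv * max_dv)
    elif err < -tiny:
        v_req = max_dv - math.sqrt(-2.0 * a.amax * err + max_dv * max_dv)
    else:
        v_req = 0.0
    v_req = max(-a.vmax, min(a.vmax, v_req))   # flat top of the trapezoid
    # sloped sides: approach the request by at most max_dv per cycle
    a.vel += max(-max_dv, min(max_dv, v_req - a.vel))
    a.pos += a.vel * a.dt             # act: the value written this cycle


def run_move(target, vmax, amax, dt=0.001, max_cycles=1_000_000):
    """Drive one move to rest; return per-cycle velocities and final position."""
    a = Axis(vmax=vmax, amax=amax, dt=dt)
    vels = []
    while len(vels) < max_cycles:
        servo_cycle(a, target)        # nothing is buffered between cycles
        vels.append(a.vel)
        if a.vel == 0.0:
            break
    return vels, a.pos


if __name__ == "__main__":
    vels, pos = run_move(target=10.0, vmax=5.0, amax=50.0)   # constructed move
    print(f"{len(vels)} cycles, peak {max(vels):.3f}, final position {pos:.6f}")
```

A short move such as `run_move(0.1, 5.0, 50.0)` never reaches `vmax`, so the trapezoid degenerates into a triangle.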
Configuration
LinuxCNC uses a software layer called HAL (Hardware Abstraction Layer).[6]
HAL allows a multitude of configurations to be built[7] while remaining flexible: one can mix and match various hardware control boards and output control signals through the parallel port or serial port, while driving stepper or servo motors, solenoids and other actuators.
LinuxCNC also includes a software programmable logic controller (PLC) which is usually used in extensive configurations (such as complex machining centres). The software PLC is based on the open source project Classicladder,[8] and runs within the real-time environment.
See also
- Machinekit, an open source project to port and extend EMC2/LinuxCNC to run efficiently on the BeagleBone and related hardware.
References
- Notes
- [1] 'EMC History'. Linuxcnc Board of Directors. September 12, 2018. Retrieved 2018-09-14.
- [2] 'EMC History'. Linuxcnc Board of Directors. September 12, 2018. Retrieved 2018-09-14.
- [3] 'Getting LinuxCNC'. linuxcnc.org. February 19, 2018. Retrieved 2018-09-14.
- [4] 'Linuxcnc hardware design requirements'.
- [5] 'Simple Tp Notes'.
- [6] 'EMC2's Hardware Abstraction Layer'. Linuxcnc Board of Directors. Retrieved 2010-09-30.
- [7] 'A couple case studies'. Retrieved 2010-09-30.
- [8] 'ClassicLadder'. sites.google.com. Retrieved 2014-03-06.