Network2/Experiments/OpenWRT: Difference between revisions

From OLPC
m (New page: Installed OpenWRT. Found that I could no longer ping my IP address from crank. Examined firewall: iptables -t mangle -L Good, no mangling. iptables -t nat -L Some NAT, but just a c...)
 
 
(12 intermediate revisions by one other user not shown)
Latest revision as of 21:21, 31 January 2010

OpenWRT

Installed OpenWRT on my Linksys WRT54G (v2.0). Very easy.

iptables

Found that I could no longer ping my IP address from crank.

Examined firewall:

iptables -t mangle -L

Good, no mangling.

iptables -t nat -L

Some NAT, but just a couple of MASQUERADE rules.

iptables -t filter -L

Lots of filtering. In more detail:

iptables -t filter -L INPUT

Some complicated chains:

  • syn_flood rate-limits TCP connection control packets.
  • input_rule is empty.
  • input has subchains for zone_wan and zone_lan.
  • zone_lan accepts everything.
  • zone_wan rejects everything not accepted by input_wan.

Okay, let's add an accept rule to input_wan:

iptables -t filter -A input_wan -p icmp -j ACCEPT

Alternately, add:

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'ping'
        option 'src' 'wan'
        option 'proto' 'icmp'

to /etc/config/firewall (or to /etc/firewall.user?)
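As an added example (not part of the original page), here is a small POSIX shell check for the chain layout just described: given the output of iptables -t filter -S, it confirms that input_wan now accepts ICMP and that zone_wan still ends in a reject, so opening ping has not opened anything else. SAMPLE_RULES is a constructed approximation of the rules listed above, not output captured from the router; the interface names br-lan and eth0.1 in it are assumptions.

```sh
#!/bin/sh
# Added example (not from the wiki page): checks `iptables -t filter -S` output
# for the chain layout described above. SAMPLE_RULES is a constructed
# approximation of that table; feed live output to the functions on a router.
SAMPLE_RULES='-P INPUT ACCEPT
-N input_rule
-N input_wan
-N syn_flood
-N zone_lan
-N zone_wan
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -j input_rule
-A INPUT -i br-lan -j zone_lan
-A INPUT -i eth0.1 -j zone_wan
-A input_wan -p icmp -j ACCEPT
-A zone_lan -j ACCEPT
-A zone_wan -j input_wan
-A zone_wan -j reject'

# wan_accepts_proto RULES PROTO: succeeds if chain input_wan has an ACCEPT rule for PROTO
wan_accepts_proto() {
    printf '%s\n' "$1" | grep -q -- "^-A input_wan -p $2 .*-j ACCEPT\$"
}

# chain_rule_count RULES CHAIN: number of rules appended to CHAIN
chain_rule_count() {
    printf '%s\n' "$1" | grep -c -- "^-A $2 "
}

# wan_ends_in_reject RULES: succeeds if the last rule of zone_wan rejects or drops,
# i.e. WAN traffic not explicitly accepted by input_wan is still denied
wan_ends_in_reject() {
    last=$(printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "zone_wan" { rule = $0 } END { print rule }')
    case "$last" in
        *"-j reject"*|*"-j REJECT"*|*"-j DROP"*) return 0 ;;
        *) return 1 ;;
    esac
}

# firewall_report RULES: human-readable summary; exit status 0 only if both checks pass
firewall_report() {
    rules=$1
    ok=0
    if wan_accepts_proto "$rules" icmp; then
        echo "input_wan accepts ICMP ($(chain_rule_count "$rules" input_wan) rule(s) in chain)"
    else
        echo "input_wan does NOT accept ICMP; pings from the WAN will be rejected"
        ok=1
    fi
    if wan_ends_in_reject "$rules"; then
        echo "zone_wan still ends in a reject: only explicitly accepted WAN traffic gets in"
    else
        echo "WARNING: zone_wan does not end in reject/drop"
        ok=1
    fi
    return $ok
}

firewall_report "$SAMPLE_RULES"
```

On the router itself, run firewall_report "$(iptables -t filter -S)" after adding the rule; the second check is the one worth keeping around, since it catches a zone_wan chain that has lost its closing reject.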

6tunnel

Now that I'm answering pings, I can set up an IPv6 tunnel with the Hurricane Electric tunnelbroker. Easy.

Then install 6tunnel:

opkg install 6tunnel
cat > /etc/config/6tunnel <<EOF
config 6tunnel
        option tnlifname     'he-ipv6'
        option remoteip4        '209.51.161.14'
        option localip4         '24.91.152.135'
        option localip6         '2001:470:1f06:6f7::2/64'
        option prefix           '2001:470:1f07:6f7::1/64'
EOF
/etc/init.d/6tunnel start

radvd

To make use of my new tunnel, I need to advertise my prefix to my LAN. We do this with radvd.

Note that the prefix we want to advertise here is the one tunnelbroker calls the 'routed /64'.

cat > /etc/config/radvd <<EOF
config interface
        option interface 'lan'
        option AdvSendAdvert 1
        option AdvManagedFlag 0
        option AdvOtherConfigFlag 0
        option AdvHomeAgentFlag 0
        option ignore 0

config prefix 
        option interface 'lan'
        option prefix '2001:470:1f07:6f7::/64'
        option AdvOnLink 1
        option AdvAutonomous 1
        option AdvRouterAddr 0
        option ignore 0
EOF
/etc/init.d/radvd start
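The 'routed /64' note is easy to get wrong: the tunnel endpoint address (localip6) and the routed prefix are two different /64s. The following is an added example, not from the page, that reads both UCI files with a minimal awk parser and refuses to proceed if radvd would advertise the endpoint /64 or anything other than the routed one. The sample config files are constructed here from the values on the page; the net64 helper assumes addresses written in the prefix::host/64 shorthand used above, and the uci_option reader assumes the simple unnamed-section syntax shown.

```sh
#!/bin/sh
# Added example (not from the wiki page): cross-check /etc/config/6tunnel and
# /etc/config/radvd so radvd advertises the routed /64, not the tunnel's
# point-to-point /64. Sample files are constructed from the page's values;
# point CFG6TUNNEL/CFGRADVD at the real files on a router.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
CFG6TUNNEL=$TMPD/6tunnel
CFGRADVD=$TMPD/radvd

cat > "$CFG6TUNNEL" <<'EOF'
config 6tunnel
        option tnlifname     'he-ipv6'
        option remoteip4        '209.51.161.14'
        option localip4         '24.91.152.135'
        option localip6         '2001:470:1f06:6f7::2/64'
        option prefix           '2001:470:1f07:6f7::1/64'
EOF

cat > "$CFGRADVD" <<'EOF'
config interface
        option interface 'lan'
        option AdvSendAdvert 1

config prefix
        option interface 'lan'
        option prefix '2001:470:1f07:6f7::/64'
        option AdvOnLink 1
        option AdvAutonomous 1
EOF

# uci_option FILE SECTION_TYPE OPTION: print the unquoted value of OPTION in the
# first section of SECTION_TYPE. Minimal reader for the syntax above; it does not
# handle named sections or values containing spaces.
uci_option() {
    awk -v type="$2" -v opt="$3" -v q="'" '
        $1 == "config" { in_sec = ($2 == type) }
        in_sec && $1 == "option" && $2 == opt { gsub(q, "", $3); print $3; exit }
    ' "$1"
}

# net64 ADDR/64: the /64 an address in "prefix::host/64" shorthand belongs to,
# e.g. 2001:470:1f07:6f7::1/64 -> 2001:470:1f07:6f7::/64 (assumes that shorthand).
net64() {
    printf '%s\n' "$1" | sed 's|::[0-9a-fA-F:]*/64$|::/64|'
}

# check_prefixes: succeed only if radvd advertises exactly the routed /64 from
# the 6tunnel config and not the tunnel endpoint's /64.
check_prefixes() {
    routed=$(net64 "$(uci_option "$CFG6TUNNEL" 6tunnel prefix)")
    endpoint=$(net64 "$(uci_option "$CFG6TUNNEL" 6tunnel localip6)")
    advertised=$(uci_option "$CFGRADVD" prefix prefix)
    if [ "$advertised" = "$endpoint" ]; then
        echo "radvd advertises the tunnel endpoint /64 ($endpoint); use the routed /64 ($routed)" >&2
        return 1
    fi
    if [ "$advertised" != "$routed" ]; then
        echo "radvd prefix $advertised does not match the routed /64 $routed" >&2
        return 1
    fi
    echo "ok: LAN will be advertised $advertised"
}

check_prefixes
```

Run it before /etc/init.d/radvd start; a mismatch means hosts on the LAN would autoconfigure addresses that tunnelbroker never routes back to you.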

OpenVPN

OpenVPN is a pain to install on OpenWRT because it depends on OpenSSL, which is too big.

Fortunately, we can hack around that:

cat > /bin/myopenvpn <<EOF
#!/bin/sh
BASE=\`pwd\`
cd /tmp
opkg update
opkg download libopenssl
mkdir ssl
tar Ozxf libopenssl* ./data.tar.gz | tar zxC ./ssl
mv ssl/usr/lib/* ssl; rm -rf ssl/usr
cd \$BASE
env LD_LIBRARY_PATH=/tmp/ssl openvpn "\$@"
EOF
chmod a+x /bin/myopenvpn

Then edit /tmp/opkg-lists/snapshots to remove openvpn's dependency on libopenssl.
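The wrapper above re-downloads libopenssl on every run and loads whatever opkg handed back into openvpn via LD_LIBRARY_PATH, with nothing checking that the package is the one expected. The following is an added example, not the page's script, of the same idea with a pinned SHA-256: the package is fetched once, verified before it is extracted, and cached in /tmp/ssl. PINNED_SHA256 is a placeholder to be replaced with the digest of the package you trust; the availability of sha256sum on the router and the .ipk layout (a data.tar.gz inside the package, as the page's tar command assumes) are assumptions.

```sh
#!/bin/sh
# Added example (not from the wiki page): a variant of the myopenvpn wrapper
# that fetches libopenssl once, verifies it against a pinned SHA-256 before it
# is ever put on LD_LIBRARY_PATH, and reuses the cached copy afterwards.
# PINNED_SHA256 is a placeholder; record the real digest of the package you trust.
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
SSL_DIR=/tmp/ssl

# sha256_of FILE: print the hex digest only (busybox/coreutils sha256sum assumed)
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_pinned FILE EXPECTED: succeed only if FILE's digest equals EXPECTED
verify_pinned() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# extract_ssl_libs PKG DEST: pull the shared objects out of a downloaded .ipk
# into DEST, the same unpacking the page's script does
extract_ssl_libs() {
    mkdir -p "$2"
    tar Ozxf "$1" ./data.tar.gz | tar zxC "$2"
    mv "$2"/usr/lib/* "$2" && rm -rf "$2"/usr
}

# prepare_ssl: download (once) and verify libopenssl, refusing to use an
# unverified package. The download runs in a subshell so the caller's
# working directory (where the certs live) is untouched.
prepare_ssl() {
    [ -e "$SSL_DIR/.verified" ] && return 0
    pkg=$(cd /tmp && opkg update >/dev/null && opkg download libopenssl >/dev/null \
          && ls libopenssl*.ipk | head -n 1) || return 1
    pkg=/tmp/$pkg
    if ! verify_pinned "$pkg" "$PINNED_SHA256"; then
        echo "refusing to load $pkg: digest $(sha256_of "$pkg") != pinned value" >&2
        rm -f "$pkg"
        return 1
    fi
    extract_ssl_libs "$pkg" "$SSL_DIR" && touch "$SSL_DIR/.verified"
}

# Wrapper entry point, same role as the page's /bin/myopenvpn; arguments are
# forwarded unchanged to openvpn.
myopenvpn() {
    prepare_ssl || return 1
    env LD_LIBRARY_PATH=$SSL_DIR openvpn "$@"
}

# Only run when installed and invoked as /bin/myopenvpn, so the functions can
# also be sourced and exercised on their own.
if [ "${0##*/}" = myopenvpn ]; then
    myopenvpn "$@"
fi
```

Install it as /bin/myopenvpn in place of the version above. The pinned digest must come from a package obtained out of band or on a machine you trust; pinning the digest of whatever the first download returned only guarantees that later runs load the same bytes, not that those bytes were the right ones.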

...

Follow CA instructions. 
Make sure you put the right CN in your server cert.

...

openssl dhparam -out dh1024.pem 1024

Server:

ntpclient -h pool.ntp.org -s  # set the clock first so certificate validity dates check out
cd /etc/openvpn  # or wherever you put your certs
myopenvpn --mode server --client-to-client --dev tap --user nobody --group nogroup --tls-server --ca ./ca.pem --cert server.pem --key server.pem --dh dh1024.pem --proto tcp-server &
ip link set tap0 up
brctl addif br-lan tap0  # bridge the VPN tap interface into the LAN

Client:

openvpn --user nobody --group nobody --dev tap --tls-remote openwrt --tls-client --ca ca.cert --cert ./client.pem --key client.pem --proto tcp-client --remote openwrt &
ip link set tap0 up