Network2/Experiments/OpenWRT
Latest revision as of 21:21, 31 January 2010
OpenWRT
Installed OpenWRT on my Linksys WRT54G (v2.0). Very easy.
iptables
Found that I could no longer ping my IP address from crank.
Examined firewall:
iptables -t mangle -L
Good, no mangling.
iptables -t nat -L
Some NAT, but just a couple of MASQUERADE rules.
iptables -t filter -L
Lots of filtering. In more detail:
iptables -t filter -L INPUT
Some complicated chains:
- syn_flood rate-limits incoming TCP SYN packets.
- input_rule is empty
- input has subchains for zone_wan and zone_lan.
- zone_lan accepts everything.
- zone_wan rejects everything not accepted by input_wan.
Okay, let's add an accept rule to input_wan:
iptables -t filter -A input_wan -p icmp -j ACCEPT
Alternately, add:
 config 'rule'
         option 'target' 'ACCEPT'
         option '_name' 'ping'
         option 'src' 'wan'
         option 'proto' 'icmp'
to /etc/config/firewall. UCI rules belong there; /etc/firewall.user is for raw iptables commands like the one above, and the firewall init script applies both when it restarts. Either way this accepts every ICMP type from the WAN; if all you need is to answer pings, echo-request alone is enough.
6tunnel
Now that I'm answering pings, I can set up an IPv6 tunnel with the Hurricane Electric tunnelbroker (it checks that the IPv4 endpoint answers echo-requests before it creates the tunnel). Easy.
Then install 6tunnel:
 opkg install 6tunnel
 cat > /etc/config/6tunnel <<EOF
 config 6tunnel
         option tnlifname 'he-ipv6'
         option remoteip4 '209.51.161.14'
         option localip4 '24.91.152.135'
         option localip6 '2001:470:1f06:6f7::2/64'
         option prefix '2001:470:1f07:6f7::1/64'
 EOF
 /etc/init.d/6tunnel start
Here remoteip4 is HE's tunnel server, localip4 is the router's public WAN address, localip6 is our end of the tunnel's point-to-point /64, and prefix is the routed /64 the LAN will use, with ::1 as the router's address on it.
radvd
To make use of my new tunnel, I need to advertise my prefix to my LAN. We do this with radvd.
Note that the prefix here that we want to advertise is called the 'routed /64' by tunnelbroker. With AdvManagedFlag and AdvOtherConfigFlag both 0 this is plain stateless autoconfiguration: every host on the LAN picks a globally routable address from the prefix and is reachable from the Internet through the tunnel. The iptables rules above are IPv4 only and never see that traffic, so the tunnel interface needs ip6tables rules of its own.
 cat > /etc/config/radvd <<EOF
 config interface
         option interface 'lan'
         option AdvSendAdvert 1
         option AdvManagedFlag 0
         option AdvOtherConfigFlag 0
         option AdvHomeAgentFlag 0
         option ignore 0
 config prefix
         option interface 'lan'
         option prefix '2001:470:1f07:6f7::/64'
         option AdvOnLink 1
         option AdvAutonomous 1
         option AdvRouterAddr 0
         option ignore 0
 EOF
 /etc/init.d/radvd start
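The iptables rule in the section above opens every ICMP type from the WAN, and once radvd is running the LAN sits on a public IPv6 prefix behind a tunnel that the IPv4 firewall never sees. The following is an added example, not code from the original page: a narrower IPv4 echo-request rule for the input_wan chain, plus an ip6tables ingress policy for the tunnel interface. It assumes the interface names from the configs above (he-ipv6, br-lan), that OpenWrt's stock stateful RELATED,ESTABLISHED rule at the top of INPUT stays in place so ICMP errors for existing connections still get through, and a kernel with IPv6 connection tracking (needed for -m state in ip6tables). The IPT/IP6T/TUN/LAN variables are an addition so the rules can be previewed without touching the router.

```shell
#!/bin/sh
# Added example, not from the original page. Ingress policy for the HE tunnel,
# plus a narrower replacement for the "accept all ICMP from WAN" rule.
# Assumptions: interface names he-ipv6 and br-lan as in the configs above,
# OpenWrt's stock "-m state --state RELATED,ESTABLISHED -j ACCEPT" rule still
# at the top of INPUT (so ICMP errors for live connections get in), and a
# kernel with IPv6 conntrack for "-m state" in ip6tables.
# IPT/IP6T/TUN/LAN are overridable; IPT=echo IP6T=echo prints the rules instead.
IPT=${IPT:-iptables}
IP6T=${IP6T:-ip6tables}
TUN=${TUN:-he-ipv6}
LAN=${LAN:-br-lan}

# IPv4: tunnelbroker only needs the endpoint to answer echo-request, so that is
# the one ICMP type input_wan accepts, rate limited; everything else falls
# through to zone_wan's reject. Use this instead of the ACCEPT-all-ICMP rule,
# not in addition to it.
ipv4_icmp_rules() {
    $IPT -t filter -A input_wan -p icmp --icmp-type echo-request \
        -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    $IPT -t filter -A input_wan -p icmp --icmp-type echo-request -j DROP
}

# IPv6: the tunnel is a second WAN. The router and the LAN hosts accept only
# replies to what they started; ICMPv6 stays open because neighbour discovery,
# path MTU discovery and the tunnel itself depend on it.
ipv6_tunnel_rules() {
    $IP6T -A INPUT -i "$TUN" -p icmpv6 -j ACCEPT
    $IP6T -A INPUT -i "$TUN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A INPUT -i "$TUN" -j DROP
    $IP6T -A FORWARD -i "$TUN" -o "$LAN" -p icmpv6 -j ACCEPT
    $IP6T -A FORWARD -i "$TUN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -i "$TUN" -o "$LAN" -j DROP
    $IP6T -A FORWARD -i "$LAN" -o "$TUN" -j ACCEPT
}

apply_all() {
    ipv4_icmp_rules
    ipv6_tunnel_rules
}

if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Preview with `IPT=echo IP6T=echo sh tunnel-fw.sh apply` (the file name is chosen here), then call it with `apply` from /etc/firewall.user so the rules come back with the firewall. The FORWARD rules only matter once the router is actually routing the prefix, which is what the radvd config above makes the LAN hosts use.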
OpenVPN
OpenVPN is a pain to install on OpenWRT because it depends on OpenSSL, which is too big.
Fortunately, we can hack around that by keeping the library in RAM: fetch the libopenssl package into tmpfs on every start and point the loader at it. Two things to keep in mind: the wrapper re-downloads the library each time it runs, so the VPN cannot come up while the WAN is down, and nothing verifies what was downloaded before it is loaded into a process that starts as root.
 cat > /bin/myopenvpn <<EOF
 #!/bin/sh
 # Fetch libopenssl into tmpfs and run openvpn against it, so the library
 # never has to fit on the flash filesystem.
 BASE=\`pwd\`
 cd /tmp
 opkg update
 # Clean up a previous run: a stale /tmp/ssl makes mkdir fail and a second
 # downloaded .ipk makes the glob below match two files.
 rm -rf ssl libopenssl*
 opkg download libopenssl
 mkdir ssl
 tar Ozxf libopenssl* ./data.tar.gz | tar zxC ./ssl
 mv ssl/usr/lib/* ssl; rm -rf ssl/usr
 cd \$BASE
 env LD_LIBRARY_PATH=/tmp/ssl openvpn "\$@"
 EOF
 chmod a+x /bin/myopenvpn
Then edit /tmp/opkg-lists/snapshots and take libopenssl out of the Depends: line of the openvpn entry, so that opkg install openvpn no longer tries to put the library on flash. The list lives in tmpfs and is rewritten by every opkg update (including the one the wrapper runs), so make the edit and install openvpn in one sitting.
...
Follow the CA instructions and issue one certificate for the server and one per client. Make sure you put the right CN in your server cert: it has to match what the client checks with --tls-remote below (openwrt here). Since --tls-remote is satisfied by a prefix match on the CN, do not give any client a CN that starts with the server's name.
...
 openssl dhparam -out dh1024.pem 1024
1024-bit DH parameters are weak by current standards; 2048 bits is the floor. Generating those on the WRT54G's 200 MHz CPU takes a very long time, so generate them on a PC and copy the file over (the parameters are not secret).
Server:
 ntpclient -h pool.ntp.org -s   # no battery-backed clock on the WRT54G; set it first
 cd /etc/openvpn                # or wherever you put your certs
 myopenvpn --mode server --client-to-client --dev tap --user nobody --group nogroup \
     --tls-server --ca ./ca.pem --cert server.pem --key server.pem --dh dh1024.pem \
     --proto tcp-server &
 ip link set tap0 up
 brctl addif br-lan tap0
The ntpclient call matters: until the clock is set, every certificate is outside its validity period and the TLS handshake fails. server.pem is a single PEM file holding both the certificate and the key. Two loose ends: ip link set tap0 up races the backgrounded openvpn, which may not have created tap0 yet, so the two bridge commands sometimes have to be rerun; and remote clients only get in if input_wan accepts TCP port 1194 (OpenVPN's default), which needs a rule like the ICMP one in the iptables section.
Client:
 openvpn --user nobody --group nobody --dev tap --tls-remote openwrt --tls-client \
     --ca ca.cert --cert ./client.pem --key client.pem --proto tcp-client --remote openwrt &
 ip link set tap0 up
--tls-remote openwrt is the check that the CN requirement above exists for: without it the client would accept any certificate signed by the CA, another client's included. It checks only the name, not that the certificate was issued as a server certificate; --ns-cert-type server (or --remote-cert-tls server on OpenVPN 2.1 and later) adds that check and is worth having. ca.cert here must be the same CA certificate as ca.pem on the server.
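The `openvpn ... &` followed by `ip link set tap0 up` on both ends is a race: the tap device may not exist yet when the second command runs. The following is an added example, not code from the original page: an --up script that OpenVPN runs with the device name in $1 once the interface exists, so bringing it up and bridging it happen at the right moment. The path /etc/openvpn/bridge-up.sh is a name chosen here. The invocations in the comments assume OpenVPN 2.1 (for --script-security and --remote-cert-tls), certificates that carry the serverAuth/clientAuth extended key usage, and a ta.key generated with `openvpn --genkey --secret ta.key` and copied to each client. IP, BRCTL and BRIDGE are additions so the script can be dry-run with IP=echo BRCTL=echo.

```shell
#!/bin/sh
# /etc/openvpn/bridge-up.sh (added example; path chosen here, not from the original page)
# OpenVPN runs the --up command with the device name as $1 (tap0) as soon as
# the tap interface exists, which is the moment the page's manual
# "ip link set tap0 up" and "brctl addif" wanted. On the server OpenVPN needs
# --script-security 2 to run an external script; the script still has root
# because --up runs before --user/--group drop privileges.
IP=${IP:-ip}               # overridable for a dry run: IP=echo BRCTL=echo
BRCTL=${BRCTL:-brctl}
BRIDGE=${BRIDGE-br-lan}    # LAN bridge on the router; clients set BRIDGE= (empty) to skip bridging

# bridge_up DEV: bring DEV up and, if a bridge is configured, make it a port of it.
# Returns non-zero if either step fails so OpenVPN aborts the tunnel instead of
# silently leaving it unbridged.
bridge_up() {
    $IP link set "$1" up || return 1
    if [ -n "$BRIDGE" ]; then
        $BRCTL addif "$BRIDGE" "$1" || return 1
    fi
    return 0
}

if [ -n "$1" ]; then
    bridge_up "$1"
fi

# Server, replacing the "& ; ip link set tap0 up; brctl addif br-lan tap0" sequence:
#   myopenvpn --mode server --client-to-client --dev tap --user nobody --group nogroup \
#     --tls-server --ca ./ca.pem --cert server.pem --key server.pem --dh dh1024.pem \
#     --tls-auth ta.key 0 --remote-cert-tls client \
#     --script-security 2 --up /etc/openvpn/bridge-up.sh --proto tcp-server &
# Client (BRIDGE= in the environment so the tap is only brought up, as on the page):
#   BRIDGE= openvpn --user nobody --group nobody --dev tap --tls-remote openwrt --tls-client \
#     --ca ca.cert --cert ./client.pem --key client.pem --tls-auth ta.key 1 --remote-cert-tls server \
#     --script-security 2 --up /etc/openvpn/bridge-up.sh --proto tcp-client --remote openwrt &
# --tls-auth drops packets without a valid HMAC before any TLS state is allocated;
# --remote-cert-tls makes each side insist that the peer's certificate was issued
# for its role, which --tls-remote alone does not check.
```

The script exits non-zero when bringing the device up or attaching it fails, and OpenVPN treats a failing --up script as fatal, so a typo in the bridge name stops the tunnel instead of leaving an unbridged tap around.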