Network2/Experiments/OpenWRT

From OLPC

OpenWRT

Installed OpenWRT on my Linksys WRT54G (v2.0). Very easy.

iptables

Found that I could no longer ping my IP address from crank.

Examined firewall:

iptables -t mangle -L

Good, no mangling.

iptables -t nat -L

Some NAT, but just a couple of MASQUERADE rules.

iptables -t filter -L

Lots of filtering. In more detail:

iptables -t filter -L INPUT

Some complicated chains:

  • syn_flood rate-limits TCP SYN packets (new connection attempts).
  • input_rule is empty
  • input has subchains for zone_wan and zone_lan.
  • zone_lan accepts everything.
  • zone_wan rejects everything not accepted by input_wan.

Okay, let's add an accept rule to input_wan (a runtime change; it is lost when the firewall restarts):

iptables -t filter -A input_wan -p icmp -j ACCEPT

This accepts every ICMP type from the WAN. If the point is only to answer pings, narrow it to echo requests by adding --icmp-type echo-request after -p icmp.

To make the rule survive a restart, add:

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'ping'
        option 'src' 'wan'
        option 'proto' 'icmp'

to /etc/config/firewall and restart the firewall with /etc/init.d/firewall restart. (/etc/firewall.user is for raw iptables commands, not UCI stanzas; the one-line iptables form above belongs there if you prefer that route.)

6tunnel

Now that I'm answering pings (Hurricane Electric requires the IPv4 tunnel endpoint to respond to ICMP echo requests), I can set up an IPv6 tunnel with the Hurricane Electric tunnelbroker. Easy.

Then install 6tunnel and fill in the tunnel details tunnelbroker shows you: remoteip4 is the HE server's IPv4 address, localip4 is this router's public WAN address, localip6 is the client IPv6 endpoint of the tunnel, and prefix is the address this router takes in the routed /64:

opkg install 6tunnel
cat > /etc/config/6tunnel <<EOF
config 6tunnel
        option tnlifname     'he-ipv6'
        option remoteip4        '209.51.161.14'
        option localip4         '24.91.152.135'
        option localip6         '2001:470:1f06:6f7::2/64'
        option prefix           '2001:470:1f07:6f7::1/64'
EOF
/etc/init.d/6tunnel start

radvd

To make use of my new tunnel, I need to advertise my prefix to my LAN. We do this with radvd.

Note that the prefix we want to advertise here is what tunnelbroker calls the 'routed /64', not the tunnel's own /64.

Caveat: once radvd is running, every host on the LAN gets a globally routable IPv6 address, and the iptables rules above only filter IPv4. Traffic arriving through he-ipv6 reaches LAN hosts directly unless you add ip6tables rules for the tunnel interface (at minimum, drop unsolicited inbound connections while still permitting ICMPv6, which IPv6 needs to function).

cat > /etc/config/radvd <<EOF
config interface
        option interface 'lan'
        option AdvSendAdvert 1
        option AdvManagedFlag 0
        option AdvOtherConfigFlag 0
        option AdvHomeAgentFlag 0
        option ignore 0

config prefix 
        option interface 'lan'
        option prefix '2001:470:1f07:6f7::/64'
        option AdvOnLink 1
        option AdvAutonomous 1
        option AdvRouterAddr 0
        option ignore 0
EOF
/etc/init.d/radvd start

OpenVPN

OpenVPN is a pain to install on OpenWRT because it depends on OpenSSL, and the libopenssl package is too big for the router's flash.

Fortunately, we can hack around that: keep the library in /tmp, which is RAM-backed on OpenWRT, and point LD_LIBRARY_PATH at it:

cat > /bin/myopenvpn <<EOF
#!/bin/sh
# Fetch libopenssl into /tmp (RAM) at run time instead of installing it to flash.
BASE=\`pwd\`
cd /tmp
opkg update
opkg download libopenssl
mkdir -p ssl
# An .ipk is a gzipped tar; -O streams its data.tar.gz into a second tar
# that unpacks under ./ssl, and usr/lib is then flattened into ./ssl.
tar Ozxf libopenssl* ./data.tar.gz | tar zxC ./ssl
mv ssl/usr/lib/* ssl; rm -rf ssl/usr
cd \$BASE
env LD_LIBRARY_PATH=/tmp/ssl openvpn "\$@"
EOF
chmod a+x /bin/myopenvpn
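The script above trusts whatever opkg hands it and loads it straight into the VPN process. As an added example (not code from the original page), here is the same unpacking step written as a function that checks the .ipk against an expected SHA-256 first, so a corrupted or substituted download is refused rather than loaded via LD_LIBRARY_PATH. It assumes the ipk layout described in its comments; the paths and checksum in the usage comment are hypothetical and come from the caller (for example, from the feed's Packages index).

```shell
#!/bin/sh
# Added example, not code from the original page: unpack the shared libraries
# from an OpenWrt .ipk into a directory that LD_LIBRARY_PATH can point at (the
# trick /bin/myopenvpn uses), but check the archive against an expected SHA-256
# before touching it. An .ipk is a gzipped tar holding ./debian-binary,
# ./control.tar.gz and ./data.tar.gz; the libraries sit under ./usr/lib inside
# data.tar.gz. Paths and the checksum are caller-supplied (the values in the
# usage comment are hypothetical).
#
# Usage: extract_ipk_libs /tmp/libopenssl_x.ipk /tmp/ssl <sha256 from Packages index>
# Returns 0 on success, 1 on a checksum mismatch, 2 if the archive is not an .ipk.

extract_ipk_libs() {
    ipk=$1
    dest=$2
    expected=$3

    # Refuse to unpack anything whose checksum does not match what we expect.
    actual=$(sha256sum "$ipk" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $ipk: got $actual, expected $expected" >&2
        return 1
    fi

    mkdir -p "$dest" || return 2
    # -O streams the inner data.tar.gz to stdout; the second tar unpacks it under $dest.
    tar -xzOf "$ipk" ./data.tar.gz | tar -xzf - -C "$dest" || return 2
    # Flatten usr/lib into $dest so that LD_LIBRARY_PATH=$dest finds the .so files.
    [ -d "$dest/usr/lib" ] || return 2
    mv "$dest"/usr/lib/* "$dest"/ || return 2
    rm -rf "$dest/usr"
    return 0
}
```

Call it in place of the tar/mv lines of the script, passing the checksum you obtained out of band; on a mismatch nothing is written to the destination, so openvpn will simply fail to find the library instead of running with an unverified one.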

Then edit /tmp/opkg-lists/snapshots and remove libopenssl from the Depends: line of the openvpn entry, so that installing openvpn does not drag the library onto flash. Do this after opkg update and before the install, since opkg update rewrites that file. Keep in mind that the wrapper re-downloads the library on every start and the VPN process loads it from /tmp/ssl, so anything able to write there before openvpn starts ends up inside the VPN process.

...

Follow CA instructions.
Make sure you put the right CN in your server cert: the client's --tls-remote option below compares the server certificate's CN against that name and refuses the connection if it differs.

...

openssl dhparam -out dh1024.pem 1024

(1024-bit DH parameters are weak by current standards; generate at least 2048 bits and point the server's --dh at that file instead.)

Server:

ntpclient -h pool.ntp.org -s   # the router has no battery-backed clock; certificate validity checks need the right time
cd /etc/openvpn  # or wherever you put your certs
myopenvpn --mode server --client-to-client --dev tap --user nobody --group nogroup --tls-server --ca ./ca.pem --cert server.pem --key server.pem --dh dh1024.pem --proto tcp-server &
ip link set tap0 up
brctl addif br-lan tap0

Client:

openvpn --user nobody --group nobody --dev tap --tls-remote openwrt --tls-client --ca ca.cert --cert ./client.pem --key client.pem --proto tcp-client --remote openwrt &
ip link set tap0 up