Open WRT
OpenWRT
Here’s where I talk about what I’ve done with OpenWRT.
Work Goal #1 is to get these things going at work as simple bridges with DHCP forwarding to C&C’s servers. Goal 2 is to do neat things with SNMP.
At home, it’s a different story.
Intro
Most of the configuration of openWRT is done through setting nvram variables using the nvram set <name≥<string> command. The boot scripts reference nvram for these strings to get their configuration variables. For the most part, the OpenWRT Wiki is a good reference for defining these variables.
WPA setup
Getting WPA working requires the nas package (do ipkg update && ipkg install nas). Then, set wl0_akm=psk (pre-shared key for WPA, not ⚠ WPA2) then set wl0_crypto=tkip - any other setting seems not to work with AirPort. Good job Apple.
Traffic Shaping
There’s wondershaper inside the wojje.net openWrt repository. does not seem to be as fine grained as the sveasoft ⚠ QoS package, though. Seemed to be OK for my own personal use at home, but is woefully inadequate for a house full of bittorrent users.
OpenVPN
There’s a general howto here. http://wiki.openwrt.org/HotspotOpenvpnHowto. yep.
Probably of interest (from the OpenVPN FAQ):
Here at work, we wanted to implement a VPN solution for Roadwarriors
which have to connect to the main office. OpenVPN looked like a nice
solution, as it also works with Windows and can tunnel through an https
proxy.
One problem though, was the unability to use a constant port number on
the server side.
The —inetd option seemed very promising, but the man-page explicitly
states that this option can not be used for multiple connections,
although there seemed to be no reason. (The only reason i found
mentioned was, that there was no config file templating mechanism,
which obviously isn’t really a problem).
A test later I found, that the code was written for inetd with
“wait=yes” in mind, but that was quickly changed[1] (see attached patch).
The attached patch [merged with OpenVPN as of 1.6-beta5]
adds a new option “—inetd nowait” which makes OpenVPN
work with a connected socket on stdin, like (x)inetd does with wait=no,
or even netcat with the -e option.
Of course this still runs one OpenVPN process per client. You still need
one tap device per client, and configure bridging between them.
This also only works with SSL/TLS and tap devices, because of the single
config file shared between all server processes.
The server config file in our case is easy:
| # OpenVPN multiple-client-server
| inetd nowait
| proto tcp-server
|
| # 10.254.0.1 is our local VPN endpoint (office).
| dev tap
| ifconfig 10.254.0.1 255.255.255.0
|
| # Our up script will establish routes
| # once the VPN is alive.
| ifconfig-noexec
| up /etc/openvpn/vpn-server.up
|
| # We are SSL/TLS Server
| tls-server
| dh /etc/openvpn/dh2048.pem
| ca /etc/openvpn/my-ca.crt
| crl-verify /etc/openvpn/my-ca.crl
| cert /etc/openvpn/server.crt
| key /etc/openvpn/server.key
The only magic thing is the ifconfig-noexec. Of course we can’t ifconfig
each of the tap interfaces with the same IP address. But we don’t need
to, as we are using bridging.
My Bridging setup script (run once at bootup):
| # load Bridging-Module
| modprobe bridge
|
| # configure bridge
| brctl addbr br0
| brctl stp br0 off
| brctl setfd br0 0
|
| # our private vpn network
| ifconfig br0 10.254.0.1 netmask 0xffffff00 broadcast 10.254.0.255
The per-client setup script (vpn-server.up):
| # add interface to bridge and activate
| brctl addif br0 $1
| ifconfig $1 up
And for completeness sake, here is the xinetd config file for the
OpenVPN server:
| service openvpn_1
| {
| type = UNLISTED
| port = 443
| socket_type = stream
| protocol = tcp
| wait = no
| user = root
| server = /usr/sbin/openvpn
| server_args = —config /etc/openvpn/vpn-server.conf
| disable = no
| }
And thats it. It works for me. If you have any questions or comments,
contact me, I’d be happy to hear from you.
CU,
Stefan Sec Zehl
what this does not mention is that to use —inetd nowait, you must have a TLS/SSL setup. Which brings me to…