Difference between revisions of "OpenVPN/OpenWRT"

From Secure Computing Wiki
(building OpenVPN devel versions for OpenWRT)
 
(Makefile fixes, some more explanatory text)
Line 10: Line 10:
  
 
<ol>
 
<ol>
<li> get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed):
+
<li> get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed) - this is for OpenWRT 10.03 ("backfire"), adapt for other branches as needed:
 
<blockquote>
 
<blockquote>
 
svn co svn://svn.openwrt.org/openwrt/branches/backfire/
 
svn co svn://svn.openwrt.org/openwrt/branches/backfire/
Line 30: Line 30:
 
backfire/package/openvpn_devel$<br>
 
backfire/package/openvpn_devel$<br>
 
</blockquote>
 
</blockquote>
</ol>
 
  
 
(you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)
 
(you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)
Line 42: Line 41:
 
include $(TOPDIR)/rules.mk
 
include $(TOPDIR)/rules.mk
  
PKG_NAME:=openvpn-devel
+
PKG_NAME:=openvpn_devel
# this is "2010, week 26"  
+
# this is "2010, week 26"
 
PKG_VERSION:=201026
 
PKG_VERSION:=201026
 +
# BUILD_DIR has to accomodate path naming of source tarball
 +
PKG_BUILD_DIR:=$(BUILD_DIR)/openvpn-devel
 
PKG_RELEASE:=1
 
PKG_RELEASE:=1
  
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+
PKG_SOURCE:=openvpn-$(PKG_VERSION).tar.gz
 
PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
 
PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
 
# if you change the PKG_VERSION, adjust this checksum ("md5sum $PKG_SOURCE")
 
# if you change the PKG_VERSION, adjust this checksum ("md5sum $PKG_SOURCE")
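Review bot: The checksum comment kept as context at the end of this hunk tells the reader to run md5sum on the tarball they have just fetched from the ftp:// PKG_SOURCE_URL, which only pins whatever arrived over an unauthenticated channel. Suggest the comment say to take the digest from a copy obtained or checked through a trusted path. Separately, the new PKG_BUILD_DIR hard-codes openvpn-devel while PKG_SOURCE is openvpn-$(PKG_VERSION).tar.gz; the added comment should name the directory the tarball actually unpacks to, and "accomodate" should read "accommodate".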
Line 92: Line 93:
 
         $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
 
         $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
 
         $(INSTALL_DIR) $(1)/etc/init.d/
 
         $(INSTALL_DIR) $(1)/etc/init.d/
         $(INSTALL_BIN) files/$(PKG_NAME).init $(1)/etc/init.d/$(PKG_NAME)
+
         $(INSTALL_BIN) files/openvpn.init $(1)/etc/init.d/openvpn
 
         $(INSTALL_DIR) $(1)/etc/config
 
         $(INSTALL_DIR) $(1)/etc/config
         $(INSTALL_CONF) files/$(PKG_NAME).config $(1)/etc/config/$(PKG_NAME)
+
         $(INSTALL_CONF) files/openvpn.config $(1)/etc/config/openvpn
 
         $(INSTALL_DIR) $(1)/etc/openvpn
 
         $(INSTALL_DIR) $(1)/etc/openvpn
 
endef
 
endef
Line 112: Line 113:
 
<ol>
 
<ol>
 
<li>in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x").  Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts.  The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
 
<li>in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x").  Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts.  The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
<li>go to "Network" -> "VPN" and check <M> "openvpn-devel"
+
<li>go to "Network" -> "VPN" and check <M> "openvpn-devel" (pre-requisites like lzo and zlib will be autoselected)
 
<li>then "exit" -> "exit" -> "exit" -> "save config -> yes"
 
<li>then "exit" -> "exit" -> "exit" -> "save config -> yes"
 
</ol><p>
 
</ol><p>
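Review bot: The menuconfig item in this hunk still tells the reader to check "openvpn-devel", but this revision sets PKG_NAME:=openvpn_devel and the build log shows package/openvpn_devel, so the menu entry will most likely carry the underscore name. Suggest writing openvpn_devel in this list item so the instruction matches what the reader sees on screen.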
Line 123: Line 124:
 
  make[2] target/compile<br>
 
  make[2] target/compile<br>
 
  make[3] -C target/linux compile<br>
 
  make[3] -C target/linux compile<br>
 +
...<br>
 +
make[3] -C package/zlib compile<br>
 +
make[3] -C package/openssl compile<br>
 +
make[3] -C package/iproute2 compile<br>
 +
make[3] -C package/iptables compile<br>
 +
make[3] -C package/firewall compile<br>
 +
make[3] -C package/hostapd compile<br>
 +
make[3] -C package/kernel compile<br>
 +
make[3] -C package/mtd compile<br>
 +
make[3] -C package/openvpn_devel compile  <<<<< :-)<br>
 +
make[3] -C package/opkg compile<br>
 +
...<br>
 +
make[3] package/preconfig<br>
 +
make[2] target/install<br>
 +
make[3] -C target/linux install<br>
 +
make[2] package/index<br>
 +
backfire$ <br>
 +
</blockquote>
  
 +
<li> now you have an openvpn_devel package in ./bin/ar71xx/packages/
  
 +
<blockquote>
 +
backfire$ ls -l bin/ar71xx/packages/<br>
 +
...<br>
 +
-rw-r--r-- 1 gert users 182075 27. Jun 16:03 openvpn_devel_201026-1_ar71xx.ipk<br>
 +
...<br>
 +
</blockquote>
  
 +
</ol><p>
  
</blockquote>
+
=== Installing the package ===
  
<li> now you have an openvpn_devel package in ... (to be finished), which can be installed with (to be completed)
+
Login to your OpenWRT router, ftp/wget the package to /tmp, and run "opkg install":
 +
 
 +
<blockquote>
 +
root@openwrt:/tmp$ opkg update<br>
 +
...<br>
 +
root@openwrt:/tmp$ wget http:<myserver>/openvpn_devel_201026-1_ar71xx.ipk<br>
 +
root@openwrt:/tmp$ opkg install openvpn*ipk<br>
 +
(copy-paste from life router to-be-done)
 +
</blockquote>
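Review bot: In the new install block the wget line reads "http:<myserver>/openvpn_devel_201026-1_ar71xx.ipk", which is missing the "//" after the scheme and will fail once a host name is filled in. The package is also fetched over plain HTTP and handed straight to "opkg install" in a root shell; suggest adding a step that compares a digest taken on the build host with the file on the router before installing. "life router" in the placeholder line should read "live router".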

Revision as of 09:47, 27 June 2010

OpenVPN-devel package for OpenVPN

OpenWRT is a very small Linux distribution for routers, initially the Cisco/Linksys "WRT 54 GL", thus the name.

OpenWRT comes with an OpenVPN package based on the mainstream 2.1 release (as of 2010/06/27).

If you want IPv6 support or any of the other features in the development tree, you have to build your own package, based on the openvpn-devel sources. Given that OpenWRT packages are not for standard i386/amd64 CPUs but usually some sort of MIPS system, you need a cross-compilation environment and special tools - but that's all already provided by the OpenWRT folks, so you just need to add a few bits to add your own package.

how to build

  1. get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed) - this is for OpenWRT 10.03 ("backfire"), adapt for other branches as needed:

    svn co svn://svn.openwrt.org/openwrt/branches/backfire/

  2. get the OpenWRT package tree from SVN and "install" (put all the symlinks where they are needed):

    cd backfire
    ./scripts/feeds update
    ./scripts/feeds install -a

  3. now add a directory for "openvpn-devel" (the package tree has "openvpn" already), and copy a few files from the existing openvpn package (we're lazy):

    backfire$ cd package
    backfire/package$ mkdir openvpn_devel
    backfire/package$ cd openvpn_devel
    backfire/package/openvpn_devel$ cp -r ../feeds/packages/openvpn/files .
    backfire/package/openvpn_devel$

    (you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)

  4. copy-paste the following text to a file named "Makefile" in this directory:
    #
    # Makefile for openvpn-devel package for OpenWRT
    #
    
    include $(TOPDIR)/rules.mk
    
    PKG_NAME:=openvpn_devel
    # this is "2010, week 26"
    PKG_VERSION:=201026
    # BUILD_DIR has to accommodate path naming of source tarball
    PKG_BUILD_DIR:=$(BUILD_DIR)/openvpn-devel
    PKG_RELEASE:=1
    
    PKG_SOURCE:=openvpn-$(PKG_VERSION).tar.gz
    PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
    # if you change the PKG_VERSION, adjust this checksum ("md5sum $PKG_SOURCE")
    PKG_MD5SUM:=424e7ae5de6430374e97c9e458ee45d5
    
    PKG_INSTALL:=1
    
    include $(INCLUDE_DIR)/package.mk
    
    define Package/openvpn_devel
      SECTION:=net
      CATEGORY:=Network
      DEPENDS:=+kmod-tun +kmod-ipv6 +libopenssl +liblzo +ip
      TITLE:=Open source VPN solution using SSL - DEVEL VERSION
      URL:=http://openvpn.net
      SUBMENU:=VPN
    endef
    
    define Package/openvpn_devel/conffiles
    /etc/config/openvpn
    endef
    
    define Package/openvpn_devel/description
             Open source VPN solution using SSL - DEVEL VERSION, Week $(PKG_VERSION)
    endef
    
    define Build/Configure
            $(call Build/Configure/Default, \
                    --disable-pthread \
                    --disable-debug \
                    --disable-plugins \
                    --enable-management \
                    --disable-socks \
                    --enable-password-save \
                    --enable-iproute2 \
                    --with-iproute-path=/usr/sbin/ip \
                    ,\
                    ac_cv_func_epoll_create=no \
            )
    endef
    
    define Package/openvpn_devel/install
            $(INSTALL_DIR) $(1)/usr/sbin
            $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
            $(INSTALL_DIR) $(1)/etc/init.d/
            $(INSTALL_BIN) files/openvpn.init $(1)/etc/init.d/openvpn
            $(INSTALL_DIR) $(1)/etc/config
            $(INSTALL_CONF) files/openvpn.config $(1)/etc/config/openvpn
            $(INSTALL_DIR) $(1)/etc/openvpn
    endef
    
    $(eval $(call BuildPackage,openvpn_devel))
    
    
    
  5. go back to the top level directory and run the config scripts:

    backfire/package/openvpn_devel$ cd ../..
    backfire$ make defconfig
    backfire$ make menuconfig

    1. in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x"). Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts. The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
    2. go to "Network" -> "VPN" and check <M> "openvpn-devel" (pre-requisites like lzo and zlib will be autoselected)
    3. then "exit" -> "exit" -> "exit" -> "save config -> yes"

  6. run "make" and wait... - this will take a long time, building the C compiler (for cross-building to MIPS CPU) and the target system's C library etc. first.

    backfire$ make
    make[1] world
    make[2] target/compile
    make[3] -C target/linux compile
    ...
    make[3] -C package/zlib compile
    make[3] -C package/openssl compile
    make[3] -C package/iproute2 compile
    make[3] -C package/iptables compile
    make[3] -C package/firewall compile
    make[3] -C package/hostapd compile
    make[3] -C package/kernel compile
    make[3] -C package/mtd compile
    make[3] -C package/openvpn_devel compile <<<<< :-)
    make[3] -C package/opkg compile
    ...
    make[3] package/preconfig
    make[2] target/install
    make[3] -C target/linux install
    make[2] package/index
    backfire$

  7. now you have an openvpn_devel package in ./bin/ar71xx/packages/

    backfire$ ls -l bin/ar71xx/packages/
    ...
    -rw-r--r-- 1 gert users 182075 27. Jun 16:03 openvpn_devel_201026-1_ar71xx.ipk
    ...


    Installing the package

    Log in to your OpenWRT router, ftp/wget the package to /tmp, and run "opkg install":

    root@openwrt:/tmp$ opkg update
    ...
    root@openwrt:/tmp$ wget http://<myserver>/openvpn_devel_201026-1_ar71xx.ipk
    root@openwrt:/tmp$ opkg install openvpn*ipk
    (copy-paste from live router to-be-done)