Difference between revisions of "OpenVPN/OpenWRT"

From Secure Computing Wiki
(building OpenVPN devel versions for OpenWRT)
 
m (Reverted edits by Esubiguxoc (talk) to last revision by Cron2)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
=== OpenVPN-devel package for OpenVPN ===
 
=== OpenVPN-devel package for OpenVPN ===
 +
 +
'''Note''': this page has moved to the OpenVPN.Net wiki, it is now maintained [https://community.openvpn.net/openvpn/wiki/OpenvpnDevelPackageForOpenWRT here]
  
 
OpenWRT is a very small Linux distribution for routers, initially the Cisco/Linksys "WRT 54 GL", thus the name.
 
OpenWRT is a very small Linux distribution for routers, initially the Cisco/Linksys "WRT 54 GL", thus the name.
Line 10: Line 12:
  
 
<ol>
 
<ol>
<li> get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed):
+
<li> get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed) - this is for OpenWRT 10.03 ("backfire"), adapt for other branches as needed:
 
<blockquote>
 
<blockquote>
 
svn co svn://svn.openwrt.org/openwrt/branches/backfire/
 
svn co svn://svn.openwrt.org/openwrt/branches/backfire/
Line 30: Line 32:
 
backfire/package/openvpn_devel$<br>
 
backfire/package/openvpn_devel$<br>
 
</blockquote>
 
</blockquote>
</ol>
 
  
 
(you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)
 
(you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)
Line 42: Line 43:
 
include $(TOPDIR)/rules.mk
 
include $(TOPDIR)/rules.mk
  
PKG_NAME:=openvpn-devel
+
PKG_NAME:=openvpn_devel
# this is "2010, week 26"  
+
# this is "2010, week 26"
 
PKG_VERSION:=201026
 
PKG_VERSION:=201026
 +
# BUILD_DIR has to accomodate path naming of source tarball
 +
PKG_BUILD_DIR:=$(BUILD_DIR)/openvpn-devel
 
PKG_RELEASE:=1
 
PKG_RELEASE:=1
  
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+
PKG_SOURCE:=openvpn-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
+
PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpRCE")
# if you change the PKG_VERSION, adjust this checksum ("md5sum $PKG_SOURCE")
+
# MD5 check disabled for now - but if you want to be sure that you have the right
PKG_MD5SUM:=424e7ae5de6430374e97c9e458ee45d5
+
# package, calculate MD5 sum with "md5sum openvpn-201026.tar.gz" and add here
 +
# PKG_MD5SUM:=424e7ae5de6430374e97c9e458ee45d5
  
 
PKG_INSTALL:=1
 
PKG_INSTALL:=1
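Review bot: The new PKG_SOURCE_URL line is damaged: it ends in `openvpRCE")`, which reads like the old URL run together with the tail of the removed `("md5sum $PKG_SOURCE")` comment, so the download step cannot fetch the tarball. Restore `ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/` as on the removed line. The same hunk comments out PKG_MD5SUM while the source is still fetched over plain FTP, which leaves the tarball unverified; keep an active PKG_MD5SUM line (recomputed if the renamed `openvpn-$(PKG_VERSION).tar.gz` differs from the old file) and keep the reminder to update it whenever PKG_VERSION changes. Minor: "accomodate" in the new comment should be "accommodate".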
Line 92: Line 96:
 
         $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
 
         $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
 
         $(INSTALL_DIR) $(1)/etc/init.d/
 
         $(INSTALL_DIR) $(1)/etc/init.d/
         $(INSTALL_BIN) files/$(PKG_NAME).init $(1)/etc/init.d/$(PKG_NAME)
+
         $(INSTALL_BIN) files/openvpn.init $(1)/etc/init.d/openvpn
 
         $(INSTALL_DIR) $(1)/etc/config
 
         $(INSTALL_DIR) $(1)/etc/config
         $(INSTALL_CONF) files/$(PKG_NAME).config $(1)/etc/config/$(PKG_NAME)
+
         $(INSTALL_CONF) files/openvpn.config $(1)/etc/config/openvpn
 
         $(INSTALL_DIR) $(1)/etc/openvpn
 
         $(INSTALL_DIR) $(1)/etc/openvpn
 
endef
 
endef
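Review bot: The two changed install lines hard-code `openvpn` (files/openvpn.init to /etc/init.d/openvpn, files/openvpn.config to /etc/config/openvpn) in place of `$(PKG_NAME)`, with no explanation in the Makefile. A one-line comment above them saying that the files are copied from the existing openvpn package and keep its names on purpose would stop a later edit from switching back to `$(PKG_NAME)`. It is also worth stating next to them that the package now installs to paths named after openvpn rather than after itself, so readers know which init script and config file to look for.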
Line 112: Line 116:
 
<ol>
 
<ol>
 
<li>in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x").  Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts.  The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
 
<li>in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x").  Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts.  The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
<li>go to "Network" -> "VPN" and check <M> "openvpn-devel"
+
<li>go to "Network" -> "VPN" and check <M> "openvpn-devel" (pre-requisites like lzo and zlib will be autoselected)
 
<li>then "exit" -> "exit" -> "exit" -> "save config -> yes"
 
<li>then "exit" -> "exit" -> "exit" -> "save config -> yes"
 
</ol><p>
 
</ol><p>
Line 123: Line 127:
 
  make[2] target/compile<br>
 
  make[2] target/compile<br>
 
  make[3] -C target/linux compile<br>
 
  make[3] -C target/linux compile<br>
 +
...<br>
 +
make[3] -C package/zlib compile<br>
 +
make[3] -C package/openssl compile<br>
 +
make[3] -C package/iproute2 compile<br>
 +
make[3] -C package/iptables compile<br>
 +
make[3] -C package/firewall compile<br>
 +
make[3] -C package/hostapd compile<br>
 +
make[3] -C package/kernel compile<br>
 +
make[3] -C package/mtd compile<br>
 +
make[3] -C package/openvpn_devel compile  <<<<< :-)<br>
 +
make[3] -C package/opkg compile<br>
 +
...<br>
 +
make[3] package/preconfig<br>
 +
make[2] target/install<br>
 +
make[3] -C target/linux install<br>
 +
make[2] package/index<br>
 +
backfire$ <br>
 +
</blockquote>
  
 +
<li> now you have an openvpn_devel package in ./bin/ar71xx/packages/
  
 +
<blockquote>
 +
backfire$ ls -l bin/ar71xx/packages/<br>
 +
...<br>
 +
-rw-r--r-- 1 gert users 182075 27. Jun 16:03 openvpn_devel_201026-1_ar71xx.ipk<br>
 +
...<br>
 +
</blockquote>
  
 +
</ol><p>
  
</blockquote>
+
=== Installing the package ===
  
<li> now you have an openvpn_devel package in ... (to be finished), which can be installed with (to be completed)
+
Login to your OpenWRT router, ftp/wget the package to /tmp, and run "opkg install":
 +
 
 +
<blockquote>
 +
root@openwrt:/tmp# opkg update<br>root@OpenWrt:/tmp# opkg update
 +
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/Packages.gz.<br>
 +
Inflating http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/Packages.gz.<br>
 +
Updated list of available packages in /var/opkg-lists/packages.<br>
 +
root@openwrt:/tmp# wget http:<myserver>/openvpn_devel_201026-1_ar71xx.ipk<br>
 +
...<br>
 +
root@openwrt:/tmp$ opkg install openvpn*ipk<br>
 +
Installing openvpn_devel (201026-1) to root...<br>
 +
Installing kmod-tun (2.6.32.10-1) to root...<br>
 +
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/kmod-tun_2.6.32.10-1_ar71xx.ipk.<br>
 +
Installing kmod-ipv6 (2.6.32.10-1) to root...<br>
 +
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/kmod-ipv6_2.6.32.10-1_ar71xx.ipk.<br>
 +
Installing libopenssl (0.9.8m-3) to root...<br>
 +
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/libopenssl_0.9.8m-3_ar71xx.ipk.<br>
 +
Installing zlib (1.2.3-5) to root...<br>
 +
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/zlib_1.2.3-5_ar71xx.ipk.<br>
 +
Installing liblzo (2.03-3) to root...<br>
 +
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/liblzo_2.03-3_ar71xx.ipk.<br>
 +
Installing ip (2.6.29-1-2) to root...<br>
 +
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/ip_2.6.29-1-2_ar71xx.ipk.<br>
 +
Configuring ip.<br>
 +
Configuring kmod-tun.<br>
 +
Configuring kmod-ipv6.<br>
 +
Configuring zlib.<br>
 +
Configuring libopenssl.<br>
 +
Configuring liblzo.<br>
 +
Configuring openvpn_devel.<br>
 +
root@OpenWrt:/tmp# openvpn |head -2<br>
 +
OpenVPN testing-f0b02a9dfab6 mips-openwrt-linux [SSL] [LZO2] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Jun 27 2010<br>
 +
<br>
 +
root@OpenWrt:/tmp#
 +
</blockquote>
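Review bot: The added install transcript cannot be followed literally: its first line repeats the command (`root@openwrt:/tmp# opkg update<br>root@OpenWrt:/tmp# opkg update`), the wget URL is written `http:<myserver>/` without `//`, and the `opkg install` prompt uses `$` where the other root prompts use `#`. Since the .ipk is fetched over plain HTTP and then installed as root, a step that compares the `md5sum` of the file on the build host with the one on the router before `opkg install` would be worth adding here.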

Latest revision as of 17:41, 26 November 2010

OpenVPN-devel package for OpenVPN

Note: this page has moved to the OpenVPN.Net wiki; it is now maintained at https://community.openvpn.net/openvpn/wiki/OpenvpnDevelPackageForOpenWRT

OpenWRT is a very small Linux distribution for routers, initially the Cisco/Linksys "WRT 54 GL", thus the name.

OpenWRT comes with an OpenVPN package based on the mainstream 2.1 release (as of 2010/06/27).

If you want IPv6 support or any of the other features in the development tree, you have to build your own package, based on the openvpn-devel sources. Given that OpenWRT packages are not for standard i386/amd64 CPUs but usually some sort of MIPS system, you need a cross-compilation environment and special tools - but that's all already provided by the OpenWRT folks, so you just need to add a few bits to add your own package.

how to build

  1. get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed) - this is for OpenWRT 10.03 ("backfire"), adapt for other branches as needed:

    svn co svn://svn.openwrt.org/openwrt/branches/backfire/

  2. get the OpenWRT package tree from SVN and "install" (put all the symlinks where they are needed):

    cd backfire
    ./scripts/feeds update
    ./scripts/feeds install -a

  3. now add a directory for "openvpn-devel" (the package tree has "openvpn" already), and copy a few files from the existing openvpn package (we're lazy):

    backfire$ cd package
    backfire/package$ mkdir openvpn_devel
    backfire/package$ cd openvpn_devel
    backfire/package/openvpn_devel$ cp -r ../feeds/packages/openvpn/files .
    backfire/package/openvpn_devel$

    (you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)

  4. copy-paste the following text to a file named "Makefile" in this directory:
    #
    # Makefile for openvpn-devel package for OpenWRT
    #
    
    include $(TOPDIR)/rules.mk
    
    PKG_NAME:=openvpn_devel
    # this is "2010, week 26"
    PKG_VERSION:=201026
    # BUILD_DIR has to accommodate path naming of source tarball
    PKG_BUILD_DIR:=$(BUILD_DIR)/openvpn-devel
    PKG_RELEASE:=1
    
    PKG_SOURCE:=openvpn-$(PKG_VERSION).tar.gz
    PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
    # MD5 check disabled for now - but if you want to be sure that you have the right
    # package, calculate MD5 sum with "md5sum openvpn-201026.tar.gz" and add here
    # PKG_MD5SUM:=424e7ae5de6430374e97c9e458ee45d5
    
    PKG_INSTALL:=1
    
    include $(INCLUDE_DIR)/package.mk
    
    define Package/openvpn_devel
      SECTION:=net
      CATEGORY:=Network
      DEPENDS:=+kmod-tun +kmod-ipv6 +libopenssl +liblzo +ip
      TITLE:=Open source VPN solution using SSL - DEVEL VERSION
      URL:=http://openvpn.net
      SUBMENU:=VPN
    endef
    
    define Package/openvpn_devel/conffiles
    /etc/config/openvpn
    endef
    
    define Package/openvpn_devel/description
             Open source VPN solution using SSL - DEVEL VERSION, Week $(PKG_VERSION)
    endef
    
    define Build/Configure
            $(call Build/Configure/Default, \
                    --disable-pthread \
                    --disable-debug \
                    --disable-plugins \
                    --enable-management \
                    --disable-socks \
                    --enable-password-save \
                    --enable-iproute2 \
                    --with-iproute-path=/usr/sbin/ip \
                    ,\
                    ac_cv_func_epoll_create=no \
            )
    endef
    
    define Package/openvpn_devel/install
            $(INSTALL_DIR) $(1)/usr/sbin
            $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
            $(INSTALL_DIR) $(1)/etc/init.d/
            $(INSTALL_BIN) files/openvpn.init $(1)/etc/init.d/openvpn
            $(INSTALL_DIR) $(1)/etc/config
            $(INSTALL_CONF) files/openvpn.config $(1)/etc/config/openvpn
            $(INSTALL_DIR) $(1)/etc/openvpn
    endef
    
    $(eval $(call BuildPackage,openvpn_devel))
    
    
    
  5. go back to the top level directory and run the config scripts:

    backfire/package/openvpn_devel$ cd ../..
    backfire$ make defconfig
    backfire$ make menuconfig

    1. in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x"). Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts. The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
    2. go to "Network" -> "VPN" and check <M> "openvpn-devel" (pre-requisites like lzo and zlib will be autoselected)
    3. then "exit" -> "exit" -> "exit" -> "save config -> yes"

  6. run "make" and wait... - this will take a long time, building the C compiler (for cross-building to MIPS cpu) and the target system's C library etc. first.

    backfire$ make
    make[1] world
    make[2] target/compile
    make[3] -C target/linux compile
    ...
    make[3] -C package/zlib compile
    make[3] -C package/openssl compile
    make[3] -C package/iproute2 compile
    make[3] -C package/iptables compile
    make[3] -C package/firewall compile
    make[3] -C package/hostapd compile
    make[3] -C package/kernel compile
    make[3] -C package/mtd compile
    make[3] -C package/openvpn_devel compile <<<<< :-)
    make[3] -C package/opkg compile
    ...
    make[3] package/preconfig
    make[2] target/install
    make[3] -C target/linux install
    make[2] package/index
    backfire$

  7. now you have an openvpn_devel package in ./bin/ar71xx/packages/

    backfire$ ls -l bin/ar71xx/packages/
    ...
    -rw-r--r-- 1 gert users 182075 27. Jun 16:03 openvpn_devel_201026-1_ar71xx.ipk
    ...

Installing the package

Log in to your OpenWRT router, ftp/wget the package to /tmp, and run "opkg install":

    root@openwrt:/tmp# opkg update
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/Packages.gz.
    Inflating http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/Packages.gz.
    Updated list of available packages in /var/opkg-lists/packages.
    root@openwrt:/tmp# wget http://<myserver>/openvpn_devel_201026-1_ar71xx.ipk
    ...
    root@openwrt:/tmp# opkg install openvpn*ipk
    Installing openvpn_devel (201026-1) to root...
    Installing kmod-tun (2.6.32.10-1) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/kmod-tun_2.6.32.10-1_ar71xx.ipk.
    Installing kmod-ipv6 (2.6.32.10-1) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/kmod-ipv6_2.6.32.10-1_ar71xx.ipk.
    Installing libopenssl (0.9.8m-3) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/libopenssl_0.9.8m-3_ar71xx.ipk.
    Installing zlib (1.2.3-5) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/zlib_1.2.3-5_ar71xx.ipk.
    Installing liblzo (2.03-3) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/liblzo_2.03-3_ar71xx.ipk.
    Installing ip (2.6.29-1-2) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/ip_2.6.29-1-2_ar71xx.ipk.
    Configuring ip.
    Configuring kmod-tun.
    Configuring kmod-ipv6.
    Configuring zlib.
    Configuring libopenssl.
    Configuring liblzo.
    Configuring openvpn_devel.
    root@OpenWrt:/tmp# openvpn |head -2
    OpenVPN testing-f0b02a9dfab6 mips-openwrt-linux [SSL] [LZO2] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Jun 27 2010

    root@OpenWrt:/tmp#