OpenVPN/OpenWRT

From Secure Computing Wiki
Revision as of 11:26, 6 July 2010 by Cron2 (Talk | contribs) (OpenVPN-devel package for OpenVPN)


OpenVPN-devel package for OpenVPN

Note: this page has moved to the OpenVPN.Net wiki and is now maintained there.

OpenWRT is a very small Linux distribution for routers, initially the Cisco/Linksys "WRT 54 GL", thus the name.

OpenWRT comes with an OpenVPN package based on the mainstream 2.1 release (as of 2010/06/27).

If you want IPv6 support or any of the other features in the development tree, you have to build your own package, based on the openvpn-devel sources. Given that OpenWRT packages are not for standard i386/amd64 CPUs but usually some sort of MIPS system, you need a cross-compilation environment and special tools - but that's all already provided by the OpenWRT folks, so you just need to add a few bits to add your own package.

How to build

  1. get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed) - this is for OpenWRT 10.03 ("backfire"), adapt for other branches as needed:

    svn co svn://svn.openwrt.org/openwrt/branches/backfire/

  2. get the OpenWRT package tree from SVN and "install" (put all the symlinks where they are needed):

    cd backfire
    ./scripts/feeds update
    ./scripts/feeds install -a

  3. now add a directory for "openvpn-devel" (the package tree has "openvpn" already), and copy a few files from the existing openvpn package (we're lazy):

    backfire$ cd package
    backfire/package$ mkdir openvpn_devel
    backfire/package$ cd openvpn_devel
    backfire/package/openvpn_devel$ cp -r ../feeds/packages/openvpn/files .
    backfire/package/openvpn_devel$

    (you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)

  4. copy-paste the following text to a file named "Makefile" in this directory:
    #
    # Makefile for openvpn-devel package for OpenWRT
    #
    
    include $(TOPDIR)/rules.mk
    
    PKG_NAME:=openvpn_devel
    # this is "2010, week 26"
    PKG_VERSION:=201026
    # BUILD_DIR has to accommodate path naming of source tarball
    PKG_BUILD_DIR:=$(BUILD_DIR)/openvpn-devel
    PKG_RELEASE:=1
    
    PKG_SOURCE:=openvpn-$(PKG_VERSION).tar.gz
    PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpRCE")
    # MD5 check disabled for now - but if you want to be sure that you have the right
    # package, calculate MD5 sum with "md5sum openvpn-201026.tar.gz" and add here
    # PKG_MD5SUM:=424e7ae5de6430374e97c9e458ee45d5
    
    PKG_INSTALL:=1
    
    include $(INCLUDE_DIR)/package.mk
    
    define Package/openvpn_devel
      SECTION:=net
      CATEGORY:=Network
      DEPENDS:=+kmod-tun +kmod-ipv6 +libopenssl +liblzo +ip
      TITLE:=Open source VPN solution using SSL - DEVEL VERSION
      URL:=http://openvpn.net
      SUBMENU:=VPN
    endef
    
    define Package/openvpn_devel/conffiles
    /etc/config/openvpn
    endef
    
    define Package/openvpn_devel/description
             Open source VPN solution using SSL - DEVEL VERSION, Week $(PKG_VERSION)
    endef
    
    define Build/Configure
            $(call Build/Configure/Default, \
                    --disable-pthread \
                    --disable-debug \
                    --disable-plugins \
                    --enable-management \
                    --disable-socks \
                    --enable-password-save \
                    --enable-iproute2 \
                    --with-iproute-path=/usr/sbin/ip \
                    ,\
                    ac_cv_func_epoll_create=no \
            )
    endef
    
    define Package/openvpn_devel/install
            $(INSTALL_DIR) $(1)/usr/sbin
            $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
            $(INSTALL_DIR) $(1)/etc/init.d/
            $(INSTALL_BIN) files/openvpn.init $(1)/etc/init.d/openvpn
            $(INSTALL_DIR) $(1)/etc/config
            $(INSTALL_CONF) files/openvpn.config $(1)/etc/config/openvpn
            $(INSTALL_DIR) $(1)/etc/openvpn
    endef
    
    $(eval $(call BuildPackage,openvpn_devel))
    
    
    
  5. go back to the top level directory and run the config scripts:

    backfire/package/openvpn_devel$ cd ../..
    backfire$ make defconfig
    backfire$ make menuconfig

    1. in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x"). Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts. The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
    2. go to "Network" -> "VPN" and check <M> "openvpn-devel" (pre-requisites like lzo and zlib will be autoselected)
    3. then "exit" -> "exit" -> "exit" -> "save config -> yes"

  6. run "make" and wait... - this will take a long time, building the C compiler (for cross-building to MIPS cpu) and the target system's C library etc. first.

    backfire$ make
    make[1] world
    make[2] target/compile
    make[3] -C target/linux compile
    ...
    make[3] -C package/zlib compile
    make[3] -C package/openssl compile
    make[3] -C package/iproute2 compile
    make[3] -C package/iptables compile
    make[3] -C package/firewall compile
    make[3] -C package/hostapd compile
    make[3] -C package/kernel compile
    make[3] -C package/mtd compile
    make[3] -C package/openvpn_devel compile <<<<< :-)
    make[3] -C package/opkg compile
    ...
    make[3] package/preconfig
    make[2] target/install
    make[3] -C target/linux install
    make[2] package/index
    backfire$

  7. now you have an openvpn_devel package in ./bin/ar71xx/packages/

    backfire$ ls -l bin/ar71xx/packages/
    ...
    -rw-r--r-- 1 gert users 182075 27. Jun 16:03 openvpn_devel_201026-1_ar71xx.ipk
    ...
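The Makefile in step 4 fetches the source tarball over plain FTP with the MD5 check commented out, so nothing ties the build to a known tarball. The shell functions below are an added example, not part of the original page: they compare a downloaded tarball against the PKG_MD5SUM value in the Makefile (active or commented out) and uncomment the pin only when it matches. The function names and the constructed demo files are assumptions; `dl/` in the usage comment is OpenWRT's default download directory.

```shell
#!/bin/sh
# Added example, not from the original page: check a source tarball against
# the PKG_MD5SUM pin in an OpenWRT package Makefile, then activate the pin.
# Usage (from the top of the build tree, once the tarball is in dl/):
#   activate_pin package/openvpn_devel/Makefile dl/openvpn-201026.tar.gz

# Print the pinned MD5. Returns 0 = active pin, 1 = commented-out pin, 2 = none.
pinned_md5() {
    re='PKG_MD5SUM:=\([0-9a-fA-F]\{32\}\)[[:space:]]*$'
    pin=$(sed -n "s/^[[:space:]]*$re/\1/p" "$1" | head -n 1)
    [ -z "$pin" ] || { echo "$pin"; return 0; }
    pin=$(sed -n "s/^[[:space:]]*#[[:space:]]*$re/\1/p" "$1" | head -n 1)
    [ -z "$pin" ] || { echo "$pin"; return 1; }
    return 2
}

# Returns 0 = tarball matches the pin, 1 = mismatch, 2 = no pin, 3 = unreadable.
check_tarball() {
    [ -r "$2" ] || return 3
    rc=0; want=$(pinned_md5 "$1") || rc=$?
    [ "$rc" -le 1 ] || return 2
    got=$(md5sum "$2" | cut -d' ' -f1)
    [ "$got" = "$(echo "$want" | tr 'A-F' 'a-f')" ] || return 1
}

# Uncomment the pin only after the tarball has been checked against it.
# Returns check_tarball's status; the Makefile is rewritten only on status 0.
activate_pin() {
    check_tarball "$1" "$2" || return $?
    sed 's/^\([[:space:]]*\)#[[:space:]]*\(PKG_MD5SUM:=\)/\1\2/' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Constructed demo: stand-in tarball and minimal Makefile in a temp directory.
demo() {
    d=$(mktemp -d) || return 9
    printf 'constructed stand-in for the source tarball\n' > "$d/src.tar.gz"
    sum=$(md5sum "$d/src.tar.gz" | cut -d' ' -f1)
    printf 'PKG_VERSION:=201026\n# PKG_MD5SUM:=%s\n' "$sum" > "$d/Makefile"
    activate_pin "$d/Makefile" "$d/src.tar.gz" || return 1  # pin becomes active
    pinned_md5 "$d/Makefile" > /dev/null || return 2        # status 0 = active
    echo 'tampered' >> "$d/src.tar.gz"
    check_tarball "$d/Makefile" "$d/src.tar.gz" && return 3 # must now mismatch
    rm -rf "$d"
}
```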


Installing the package

Log in to your OpenWRT router, ftp/wget the package to /tmp, and run "opkg install":

    root@OpenWrt:/tmp# opkg update
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/Packages.gz.
    Inflating http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/Packages.gz.
    Updated list of available packages in /var/opkg-lists/packages.
    root@openwrt:/tmp# wget http://<myserver>/openvpn_devel_201026-1_ar71xx.ipk
    ...
    root@openwrt:/tmp# opkg install openvpn*ipk
    Installing openvpn_devel (201026-1) to root...
    Installing kmod-tun (2.6.32.10-1) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/kmod-tun_2.6.32.10-1_ar71xx.ipk.
    Installing kmod-ipv6 (2.6.32.10-1) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/kmod-ipv6_2.6.32.10-1_ar71xx.ipk.
    Installing libopenssl (0.9.8m-3) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/libopenssl_0.9.8m-3_ar71xx.ipk.
    Installing zlib (1.2.3-5) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/zlib_1.2.3-5_ar71xx.ipk.
    Installing liblzo (2.03-3) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/liblzo_2.03-3_ar71xx.ipk.
    Installing ip (2.6.29-1-2) to root...
    Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/ip_2.6.29-1-2_ar71xx.ipk.
    Configuring ip.
    Configuring kmod-tun.
    Configuring kmod-ipv6.
    Configuring zlib.
    Configuring libopenssl.
    Configuring liblzo.
    Configuring openvpn_devel.
    root@OpenWrt:/tmp# openvpn |head -2
    OpenVPN testing-f0b02a9dfab6 mips-openwrt-linux [SSL] [LZO2] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Jun 27 2010

    root@OpenWrt:/tmp#