OpenVPN/OpenWRT

From Secure Computing Wiki
Revision as of 06:48, 27 June 2010 by Cron2 (Talk | contribs) (building OpenVPN devel versions for OpenWRT)


OpenVPN-devel package for OpenWRT

OpenWRT is a very small Linux distribution for routers, initially the Cisco/Linksys "WRT 54 GL", thus the name.

OpenWRT comes with an OpenVPN package based on the mainstream 2.1 release (as of 2010/06/27).

If you want IPv6 support or any of the other features in the development tree, you have to build your own package, based on the openvpn-devel sources. OpenWRT packages are not built for standard i386/amd64 CPUs but usually for some sort of MIPS system, so you need a cross-compilation environment and special tools - but all of that is already provided by the OpenWRT folks, so you only need to add a few files to define your own package.

how to build

  1. get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed):

    svn co svn://svn.openwrt.org/openwrt/branches/backfire/

  2. get the OpenWRT package tree from SVN and "install" (put all the symlinks where they are needed):

    cd backfire
    ./scripts/feeds update
    ./scripts/feeds install -a

  3. now add a directory for "openvpn-devel" (the package tree has "openvpn" already), and copy a few files from the existing openvpn package (we're lazy):

    backfire$ cd package
    backfire/package$ mkdir openvpn_devel
    backfire/package$ cd openvpn_devel
    backfire/package/openvpn_devel$ cp -r ../feeds/packages/openvpn/files .
    backfire/package/openvpn_devel$

(you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)

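  • copy-paste the following text to a file named "Makefile" in this directory (the command lines inside the Build/Configure and install blocks must start with a tab character in the real file, as in any Makefile):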
    #
    # Makefile for openvpn-devel package for OpenWRT
    #
    
    include $(TOPDIR)/rules.mk
    
    PKG_NAME:=openvpn-devel
    # this is "2010, week 26" 
    PKG_VERSION:=201026
    PKG_RELEASE:=1
    
    PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
    PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
    # if you change the PKG_VERSION, adjust this checksum ("md5sum $PKG_SOURCE")
    PKG_MD5SUM:=424e7ae5de6430374e97c9e458ee45d5
    
    PKG_INSTALL:=1
    
    include $(INCLUDE_DIR)/package.mk
    
    define Package/openvpn_devel
      SECTION:=net
      CATEGORY:=Network
      DEPENDS:=+kmod-tun +kmod-ipv6 +libopenssl +liblzo +ip
      TITLE:=Open source VPN solution using SSL - DEVEL VERSION
      URL:=http://openvpn.net
      SUBMENU:=VPN
    endef
    
    define Package/openvpn_devel/conffiles
    /etc/config/openvpn
    endef
    
    define Package/openvpn_devel/description
             Open source VPN solution using SSL - DEVEL VERSION, Week $(PKG_VERSION)
    endef
    
    define Build/Configure
            $(call Build/Configure/Default, \
                    --disable-pthread \
                    --disable-debug \
                    --disable-plugins \
                    --enable-management \
                    --disable-socks \
                    --enable-password-save \
                    --enable-iproute2 \
                    --with-iproute-path=/usr/sbin/ip \
                    ,\
                    ac_cv_func_epoll_create=no \
            )
    endef
    
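    # The init script and config file copied from the stock openvpn package in
    # step 3 keep their stock names (openvpn.init, openvpn.config), so they are
    # referenced by those names here rather than via $(PKG_NAME); the config is
    # installed as /etc/config/openvpn to match the conffiles entry above.
    define Package/openvpn_devel/install
            $(INSTALL_DIR) $(1)/usr/sbin
            $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
            $(INSTALL_DIR) $(1)/etc/init.d/
            $(INSTALL_BIN) files/openvpn.init $(1)/etc/init.d/openvpn
            $(INSTALL_DIR) $(1)/etc/config
            $(INSTALL_CONF) files/openvpn.config $(1)/etc/config/openvpn
            $(INSTALL_DIR) $(1)/etc/openvpn
    endef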
    
    $(eval $(call BuildPackage,openvpn_devel))
    
    
    
  • go back to the top level directory and run the config scripts:

    backfire/package/openvpn_devel$ cd ../..
    backfire$ make defconfig
    backfire$ make menuconfig

    1. in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x"). Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts. The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name.
    2. go to "Network" -> "VPN" and check <M> "openvpn-devel"
    3. then "exit" -> "exit" -> "exit" -> "save config -> yes"

  • run "make" and wait... - this will take a long time, building the C compiler (for cross-building to MIPS cpu) and the target system's C library etc. first.

    backfire$ make
    make[1] world
    make[2] target/compile
    make[3] -C target/linux compile



  • now you have an openvpn_devel package in ... (to be finished), which can be installed with (to be completed)
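
The Makefile above pins the source tarball with PKG_MD5SUM and asks you to adjust the checksum whenever PKG_VERSION changes. The shell function below is an added example (not part of the original wiki page or of the OpenWRT build system) that re-checks a downloaded tarball against that pin before you build; the function names and the download directory passed as the second argument are assumptions.

```shell
#!/bin/sh
# Added example: compare a downloaded source tarball with the PKG_MD5SUM
# pinned in an OpenWRT package Makefile. Function names are hypothetical.

# mk_var MAKEFILE NAME
# Print the value of the first simple "NAME:=value" assignment.
mk_var() {
    sed -n "/^[[:space:]]*$2:=/{s/^[[:space:]]*$2:=[[:space:]]*//;s/[[:space:]]*\$//;p;q;}" "$1"
}

# check_pkg_source MAKEFILE DL_DIR
# Returns 0 if the tarball matches the pinned checksum, 1 on a mismatch,
# 2 if the Makefile lacks a needed variable or the tarball is not there.
check_pkg_source() {
    makefile=$1
    dl_dir=$2   # assumption: directory that holds the downloaded tarball

    name=$(mk_var "$makefile" PKG_NAME)
    version=$(mk_var "$makefile" PKG_VERSION)
    pinned=$(mk_var "$makefile" PKG_MD5SUM)
    if [ -z "$name" ] || [ -z "$version" ] || [ -z "$pinned" ]; then
        echo "missing PKG_NAME, PKG_VERSION or PKG_MD5SUM in $makefile" >&2
        return 2
    fi

    # Same expansion as PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
    tarball="$dl_dir/$name-$version.tar.gz"
    if [ ! -f "$tarball" ]; then
        echo "not downloaded yet: $tarball" >&2
        return 2
    fi

    actual=$(md5sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" = "$pinned" ]; then
        echo "OK $tarball"
        return 0
    fi
    echo "MISMATCH $tarball: Makefile pins $pinned, file is $actual" >&2
    return 1
}
```

Source the file and call `check_pkg_source package/openvpn_devel/Makefile <download-dir>`; a return code of 1 means the tarball is not the one the Makefile was written for, so do not just paste the new checksum in without checking where the file came from.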