OpenVPN/OpenWRT

From Secure Computing Wiki
Revision as of 18:53, 23 November 2010 by Esubiguxoc (Talk | contribs)


OpenVPN-devel package for OpenWRT

Note: this page has moved to the OpenVPN.Net wiki, where it is now maintained.

OpenWRT is a very small Linux distribution for routers, initially for the Cisco/Linksys "WRT 54 GL", hence the name.

OpenWRT comes with an OpenVPN package based on the mainstream 2.1 release (as of 2010/06/27).

If you want IPv6 support or any of the other features in the development tree, you have to build your own package, based on the openvpn-devel sources. OpenWRT packages are usually built not for standard i386/amd64 CPUs but for some sort of MIPS system, so you need a cross-compilation environment and special tools. The OpenWRT folks already provide all of that, so you only need to add a few bits for your own package.

How to build

<ol> <li> get the OpenWRT source tree from OpenWRT SVN (do this on a Linux system, as a normal user, no root permissions needed) - this is for OpenWRT 10.03 ("backfire"), adapt for other branches as needed: <blockquote> svn co svn://svn.openwrt.org/openwrt/branches/backfire/ </blockquote>

<li> get the OpenWRT package tree from SVN and "install" (put all the symlinks where they are needed): <blockquote> cd backfire<br> ./scripts/feeds update<br> ./scripts/feeds install -a<br> </blockquote>

<li> now add a directory for "openvpn-devel" (the package tree has "openvpn" already), and copy a few files from the existing openvpn package (we're lazy): <blockquote> backfire$ cd package<br> backfire/package$ mkdir openvpn_devel<br> backfire/package$ cd openvpn_devel<br> backfire/package/openvpn_devel$ cp -r ../feeds/packages/openvpn/files .<br> backfire/package/openvpn_devel$<br> </blockquote>

(you could pick any name you want for the package directory, but it's useful to be consistent with the definitions in the Makefile itself)

<li> copy-paste the following text to a file named "Makefile" in this directory: <blockquote><pre>

# Makefile for openvpn-devel package for OpenWRT

include $(TOPDIR)/rules.mk

PKG_NAME:=openvpn_devel

# this is "2010, week 26"
PKG_VERSION:=201026

# BUILD_DIR has to accommodate path naming of source tarball
PKG_BUILD_DIR:=$(BUILD_DIR)/openvpn-devel
PKG_RELEASE:=1

PKG_SOURCE:=openvpn-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpRCE")

# MD5 check disabled for now - but if you want to be sure that you have the right
# package, calculate MD5 sum with "md5sum openvpn-201026.tar.gz" and add here
# PKG_MD5SUM:=424e7ae5de6430374e97c9e458ee45d5

PKG_INSTALL:=1

include $(INCLUDE_DIR)/package.mk

define Package/openvpn_devel
  SECTION:=net
  CATEGORY:=Network
  DEPENDS:=+kmod-tun +kmod-ipv6 +libopenssl +liblzo +ip
  TITLE:=Open source VPN solution using SSL - DEVEL VERSION
  URL:=http://openvpn.net
  SUBMENU:=VPN
endef

define Package/openvpn_devel/conffiles
/etc/config/openvpn
endef

define Package/openvpn_devel/description
	Open source VPN solution using SSL - DEVEL VERSION, Week $(PKG_VERSION)
endef

define Build/Configure
	$(call Build/Configure/Default, \
		--disable-pthread \
		--disable-debug \
		--disable-plugins \
		--enable-management \
		--disable-socks \
		--enable-password-save \
		--enable-iproute2 \
		--with-iproute-path=/usr/sbin/ip \
		,\
		ac_cv_func_epoll_create=no \
	)
endef

define Package/openvpn_devel/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/etc/init.d/
	$(INSTALL_BIN) files/openvpn.init $(1)/etc/init.d/openvpn
	$(INSTALL_DIR) $(1)/etc/config
	$(INSTALL_CONF) files/openvpn.config $(1)/etc/config/openvpn
	$(INSTALL_DIR) $(1)/etc/openvpn
endef

$(eval $(call BuildPackage,openvpn_devel))


</pre></blockquote>

<li> go back to the top level directory and run the config scripts: <blockquote> backfire/package/openvpn_devel$ cd ../..<br> backfire$ make defconfig<br> backfire$ make menuconfig<br> </blockquote>

<ol> <li>in the "Target System" menu, select the correct OpenWRT version for your hardware (check the openwrt.net pages for your router type, one example would be "TP-Link TL1043ND -> ar71xx -> Atheros AR71xx/AR7240/AR913x"). Since we do not want to build a bootable OpenWRT itself, just an OpenVPN package, it's not important to get this 100% right - having the right CPU version (ar71xx in this example) is what counts. The output of "opkg install $somepackage" on your OpenWRT installation will tell you the architecture type, in the .ipk file name. <li>go to "Network" -> "VPN" and check <M> "openvpn-devel" (pre-requisites like lzo and zlib will be autoselected) <li>then "exit" -> "exit" -> "exit" -> "save config -> yes" </ol><p>

<li>run "make" and wait... - this will take a long time, building the C compiler (for cross-building to MIPS cpu) and the target system's C library etc. first.

<blockquote> backfire$ make<br>

make[1] world<br>
make[2] target/compile<br>
make[3] -C target/linux compile<br>

...<br>

make[3] -C package/zlib compile<br>
make[3] -C package/openssl compile<br>
make[3] -C package/iproute2 compile<br>
make[3] -C package/iptables compile<br>
make[3] -C package/firewall compile<br>
make[3] -C package/hostapd compile<br>
make[3] -C package/kernel compile<br>
make[3] -C package/mtd compile<br>
make[3] -C package/openvpn_devel compile   <<<<< :-)<br> 
make[3] -C package/opkg compile<br>

...<br>

make[3] package/preconfig<br>
make[2] target/install<br>
make[3] -C target/linux install<br>
make[2] package/index<br>

backfire$ <br> </blockquote>

<li> now you have an openvpn_devel package in ./bin/ar71xx/packages/

<blockquote> backfire$ ls -l bin/ar71xx/packages/<br> ...<br> -rw-r--r-- 1 gert users 182075 27. Jun 16:03 openvpn_devel_201026-1_ar71xx.ipk<br> ...<br> </blockquote>

</ol><p>

Installing the package

Log in to your OpenWRT router, ftp/wget the package to /tmp, and run "opkg install":

<blockquote> root@OpenWrt:/tmp# opkg update<br>
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/Packages.gz.<br>
Inflating http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/Packages.gz.<br>
Updated list of available packages in /var/opkg-lists/packages.<br>
root@openwrt:/tmp# wget http://<myserver>/openvpn_devel_201026-1_ar71xx.ipk<br>
...<br>
root@openwrt:/tmp$ opkg install openvpn*ipk<br>
Installing openvpn_devel (201026-1) to root...<br>
Installing kmod-tun (2.6.32.10-1) to root...<br>
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/kmod-tun_2.6.32.10-1_ar71xx.ipk.<br>
Installing kmod-ipv6 (2.6.32.10-1) to root...<br>
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/kmod-ipv6_2.6.32.10-1_ar71xx.ipk.<br>
Installing libopenssl (0.9.8m-3) to root...<br>
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/libopenssl_0.9.8m-3_ar71xx.ipk.<br>
Installing zlib (1.2.3-5) to root...<br>
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/zlib_1.2.3-5_ar71xx.ipk.<br>
Installing liblzo (2.03-3) to root...<br>
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/liblzo_2.03-3_ar71xx.ipk.<br>
Installing ip (2.6.29-1-2) to root...<br>
Downloading http://downloads.openwrt.org/backfire/10.03/ar71xx/packages/ip_2.6.29-1-2_ar71xx.ipk.<br>
Configuring ip.<br>
Configuring kmod-tun.<br>
Configuring kmod-ipv6.<br>
Configuring zlib.<br>
Configuring libopenssl.<br>
Configuring liblzo.<br>
Configuring openvpn_devel.<br>
root@OpenWrt:/tmp# openvpn |head -2<br>
OpenVPN testing-f0b02a9dfab6 mips-openwrt-linux [SSL] [LZO2] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Jun 27 2010<br>
<br>
root@OpenWrt:/tmp# </blockquote>