nslu:openvpn [2009/11/27 17:54] (current) – created
====== Compiling OPENVPN for NSLU ======
The pre-compiled OPENVPN package works fine, except that if you want your username and password credentials to be supplied automatically via the command line option **--auth-user-pass**, you're out of luck.

If you don't care about this then you can just use the default package.
<code>
ipkg install openvpn
</code>

To enable this additional command line option you need to recompile the **openvpn** source with the **--enable-password-save** option present.

===== So how do you go about recompiling this package? =====

First you need a native development environment:
<code>
ipkg install optware-devel
</code>

Then you need to obtain the source code. If the information below is out of date then refer to http://
<code>
ipkg install svn

mkdir source
cd source
svn co http://
</code>

Then make sure some additional libraries are also present:
<code>
ipkg install openssl-dev
ipkg install lzo
</code>

There are many options that can be supplied to the configuration program.
<code>
# cd openvpn
# ./configure --help
`configure'

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help
  --help=short
  --help=recursive
  -V, --version
  -q, --quiet, --silent
  --cache-file=FILE
  -C, --config-cache
  -n, --no-create
  --srcdir=DIR

Installation directories:
  --prefix=PREFIX
  [/
  --exec-prefix=EPREFIX
  [PREFIX]

By default, `make install'
`/
an installation prefix other than `/
for instance `--prefix=$HOME'

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR
  --sbindir=DIR
  --libexecdir=DIR
  --sysconfdir=DIR
  --sharedstatedir=DIR
  --localstatedir=DIR
  --libdir=DIR
  --includedir=DIR
  --oldincludedir=DIR
  --datarootdir=DIR
  --datadir=DIR
  --infodir=DIR
  --localedir=DIR
  --mandir=DIR
  --docdir=DIR
  --htmldir=DIR
  --dvidir=DIR
  --pdfdir=DIR
  --psdir=DIR

Program names:
  --program-prefix=PREFIX
  --program-suffix=SUFFIX
  --program-transform-name=PROGRAM

System types:
  --build=BUILD
  --host=HOST
  --target=TARGET

Optional Features:
  --disable-FEATURE
  --enable-FEATURE[=ARG]
  --disable-lzo
  --disable-crypto
  --disable-ssl
  --disable-multi
  --disable-server
  --disable-plugins
  --disable-management
  --disable-pkcs11
  --disable-socks
  --disable-http
  --disable-fragment
  --disable-multihome
  --disable-port-share
  --disable-debug
  --enable-small
  --enable-pthread
  --enable-password-save
  --enable-iproute2
  --enable-strict
  --enable-pedantic
  --enable-profiling
  --enable-strict-options Enable strict options check between peers (debugging option)
  --disable-dependency-tracking
  --enable-dependency-tracking

Optional Packages:
  --with-PACKAGE[=ARG]
  --without-PACKAGE
  --with-ssl-headers=DIR
  --with-ssl-lib=DIR
  --with-lzo-headers=DIR
  --with-lzo-lib=DIR
  --with-ifconfig-path=PATH
  --with-iproute-path=PATH
  --with-route-path=PATH
  --with-mem-check=TYPE

Some influential environment variables:
  CC          C compiler command
  CFLAGS
  LDFLAGS
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<
  CPPFLAGS
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure'
it to find libraries and programs with nonstandard names/

Report bugs to <
</code>

One problem that we need to address before doing anything is to avoid LD_LIBRARY_PATH hell. So we check which library paths the linker searches by default.
<code>
# ld --verbose | fgrep SEARCH
SEARCH_DIR("
</code>

On an UnSlugged NSLU the libraries live in **/
<code>
# LDFLAGS="
</code>

I found that if openvpn uses **/

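The check above (which directories the linker already searches, so that no LD_LIBRARY_PATH is needed) can be scripted. The following is an added example and not part of the original page: it parses the SEARCH_DIR entries that `ld --verbose` prints and derives the LDFLAGS needed for a library directory the linker does not search by default. The sample ld output is constructed, and the `-Wl,-rpath` part of the suggested flags is this example's addition (it records the directory in the binary so the library is found at run time without LD_LIBRARY_PATH).

```shell
#!/bin/sh
# Added example: decide whether a library directory needs explicit LDFLAGS
# by parsing the SEARCH_DIR(...) entries printed by `ld --verbose`.
# The sample text below is constructed; against a real toolchain use
#   ldflags_for "$(ld --verbose)" /opt/lib

# Constructed sample of `ld --verbose | fgrep SEARCH` output. A leading "="
# inside the quotes means the path is relative to the linker's sysroot.
SAMPLE_LD_OUTPUT='SEARCH_DIR("=/usr/local/lib"); SEARCH_DIR("=/lib"); SEARCH_DIR("=/usr/lib");
SEARCH_DIR("/opt/lib");'

# Print one default search directory per line from ld output $1,
# with any "=" sysroot marker removed.
ld_search_dirs() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*SEARCH_DIR("=\{0,1\}\([^"]*\)").*/\1/p'
}

# Return 0 if directory $2 is among the default search paths in ld output $1.
ld_searches_dir() {
    ld_search_dirs "$1" | grep -qxF "$2"
}

# Print the LDFLAGS needed to link against libraries in directory $2:
# nothing if ld already searches it, otherwise -L for link time plus
# -Wl,-rpath so the binary finds the library at run time without
# LD_LIBRARY_PATH (the rpath part is this example's suggestion).
ldflags_for() {
    ld_searches_dir "$1" "$2" && return 0
    printf '%s' "-L$2 -Wl,-rpath,$2"
}

# Stand-alone demo on the constructed sample.
echo "Default search directories:"
ld_search_dirs "$SAMPLE_LD_OUTPUT"
echo "LDFLAGS for /usr/lib: '$(ldflags_for "$SAMPLE_LD_OUTPUT" /usr/lib)'"
echo "LDFLAGS for /opt/local/lib: '$(ldflags_for "$SAMPLE_LD_OUTPUT" /opt/local/lib)'"
```

Once the flags are known, pass them to the build as the page does (`LDFLAGS="..." ./configure ...`); an empty result means the directory is already covered and no LDFLAGS entry is needed for it.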
Now we can proceed with the compilation:
<code>
# ./configure --enable-password-save --prefix=/
</code>

After the compilation we will end up with an executable that contains symbol table information useful for debugging. We don't need this, so it can be safely removed.
<code>
strip openvpn
</code>

If everything goes well, running it should produce the following:
<code>
# ./openvpn --version
OpenVPN 2.1_rc7b armv5b-unknown-linux-gnu [SSL] [LZO1] built on May 7 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <
#
</code>

===== OpenVPN Client configuration =====

Now we are able to configure OPENVPN to use this new feature.

<code bash>
#!/bin/sh
#
# Startup script for openvpn as standalone server
#

# Make sure IP forwarding is enabled
echo 1 > /

# Make device if not present (not devfs)
if ( [ ! -c /
    # Make /dev/net directory if needed
    if ( [ ! -d /dev/net ] ) then
        mkdir -m 755 /dev/net
    fi
    mknod /
fi

# Make sure the tunnel driver is loaded
if ( !(lsmod | grep -q "
    insmod /
fi

# If you want a standalone server (not xinetd), comment out the return statement below
#return 0

## This is for standalone servers only!!!!
# Kill old server if still there
if [ -n "
    /
fi

# Start afresh - add as many daemons as you want
/
</code>

For details of how to configure openvpn.conf and this new option see http://

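Building with --enable-password-save means the file named by --auth-user-pass holds a plaintext username and password, so the permissions on that file matter as much as the build option. The following is an added example, not part of the original page and not OpenVPN's own code: a small pre-start check for that file, plus a helper that creates it with owner-only permissions. The two-line layout (username on the first line, password on the second) is OpenVPN's documented format for the file; the file names used in the demo are constructed.

```shell
#!/bin/sh
# Added example: pre-start check for the credentials file passed to
# --auth-user-pass (username on line 1, password on line 2). The file is
# plaintext, so it must be a regular file with no group/other permission
# bits. Paths used below are constructed for the demo.

# Create a credentials file with mode 0600 from the start (umask 077 in a
# subshell so the caller's umask is untouched), then force the mode in case
# the file already existed with looser permissions.
make_cred_file() {
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" ) && chmod 600 "$1"
}

# Return 0 if $1 is a regular file, readable only by its owner, and has
# exactly the two lines OpenVPN expects; otherwise print why and return 1.
# `ls -l` is used instead of `stat` because stat's flags differ between
# GNU, BSD and busybox (the NSLU runs busybox).
cred_file_ok() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "cred_file_ok: $f is not a regular file" >&2
        return 1
    fi
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;    # 0600 or 0400: owner only
        *)
            echo "cred_file_ok: $f is group/other accessible ($mode)" >&2
            return 1 ;;
    esac
    lines=$(awk 'END { print NR }' "$f")
    if [ "$lines" -ne 2 ]; then
        echo "cred_file_ok: $f has $lines lines, expected username and password" >&2
        return 1
    fi
}

# Stand-alone demo with a constructed file in a temporary directory.
demo_dir=$(mktemp -d)
make_cred_file "$demo_dir/auth.txt" vpnuser 'constructed-secret'
cred_file_ok "$demo_dir/auth.txt" && echo "auth.txt: ok"
chmod 644 "$demo_dir/auth.txt"
cred_file_ok "$demo_dir/auth.txt" || echo "auth.txt: refused after chmod 644"
rm -rf "$demo_dir"
```

In the startup script the check would sit just before the daemon is launched, for example `cred_file_ok /opt/etc/openvpn/auth.txt || exit 1` (path is a placeholder), so that a credentials file that became world-readable stops the client from starting instead of being used silently.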
====== Routing via the NSLU ======

Once the NSLU has a tunnel to a remote host we want to be able to use this device as a gateway.

<code>
ipkg install iptables
ipkg install kernel-module-ip-tables
ipkg install kernel-module-iptable-filter
ipkg install kernel-module-ip-conntrack
ipkg install kernel-module-ipt-masquerade
ipkg install kernel-module-ipt-state
ipkg install kernel-module-iptable-nat
</code>

Then we need to set up the NSLU so that it will forward packets.

<code bash>
#!/bin/sh
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
insmod ipt_state
insmod ipt_MASQUERADE

# Set IP-Forwarding
echo "

WLAN=$1

# Clear all chains, and remove the custom chain left by a previous run
# so that the -N below does not fail with "chain already exists"
iptables -F
iptables -F -t nat
iptables -X block 2>/dev/null

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out the outside interface
# (-o $WLAN) which says to masquerade the connection
# (-j MASQUERADE)
iptables -t nat -A POSTROUTING -o $WLAN -j MASQUERADE

# Create chain which blocks new connections,
iptables -N block
iptables -A block -m state --state ESTABLISHED,
# Newer iptables releases expect the negation before the option: ! -i $WLAN
iptables -A block -m state --state NEW -i ! $WLAN -j ACCEPT

# Logging is turned off
#iptables -A block -j LOG --log-ip-options

iptables -A block -j DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
</code>

We will want this script to be started once the tunnel has come up so it will form part of the /

The snippet in the openvpn.conf will look like this and the **openvpn.up** file will contain the above script.
<code>
up ./
</code>

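The forwarding script above is applied directly on the device, which makes the rule ordering hard to review before it is live. As an added example (not the wiki's script and not OpenVPN's code), the same rule set is wrapped in a function that runs every rule through `$IPTABLES`, so setting `IPTABLES=echo` prints the plan without touching the kernel, and a second function checks the plan's invariants: exactly one MASQUERADE rule, the custom chain created before it is populated, DROP as its last rule, and FORWARD jumping to it. The interface name `eth1` and the file name `nat.sh` are placeholders; `! -i` is the negation syntax of current iptables, and `ESTABLISHED,RELATED` is the usual conntrack state pair for return traffic.

```shell
#!/bin/sh
# Added example: NAT/forwarding rules for the NSLU as a reviewable plan.
# Every rule goes through $IPTABLES, so `IPTABLES=echo sh nat.sh eth1`
# prints the plan and `sh nat.sh eth1` (as root) applies it.
# "eth1" is a placeholder for the outside interface.

IPTABLES=${IPTABLES:-iptables}

# Build the rule set for the outside interface $1.
setup_nat() {
    wan=$1
    if [ -z "$wan" ]; then
        echo "usage: setup_nat <outside-interface>" >&2
        return 2
    fi

    # Clean slate: flush the built-in tables, then flush and delete the
    # custom chain left by a previous run so that -N cannot fail.
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -F block 2>/dev/null
    $IPTABLES -X block 2>/dev/null

    # Masquerade everything leaving the outside interface, exactly once.
    $IPTABLES -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

    # Custom chain: accept return traffic for existing connections, accept
    # new connections only if they did not arrive on the outside interface,
    # and drop everything else (fail closed).
    $IPTABLES -N block
    $IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A block -m state --state NEW ! -i "$wan" -j ACCEPT
    $IPTABLES -A block -j DROP

    # Both locally addressed and forwarded traffic go through the chain.
    $IPTABLES -A INPUT -j block
    $IPTABLES -A FORWARD -j block
}

# Check a plan produced with IPTABLES=echo. Returns 0 only if there is
# exactly one MASQUERADE rule, the block chain is created before any rule
# is appended to it, its last rule is DROP, and FORWARD jumps to it.
check_plan() {
    plan=$1
    masq=$(printf '%s\n' "$plan" | grep -c -- '-j MASQUERADE')
    [ "$masq" -eq 1 ] || { echo "check_plan: $masq MASQUERADE rules" >&2; return 1; }

    create=$(printf '%s\n' "$plan" | grep -n -- '-N block' | cut -d: -f1)
    first_rule=$(printf '%s\n' "$plan" | grep -n -- '-A block' | head -n 1 | cut -d: -f1)
    [ -n "$create" ] && [ -n "$first_rule" ] && [ "$create" -lt "$first_rule" ] \
        || { echo "check_plan: block chain used before it is created" >&2; return 1; }

    last_rule=$(printf '%s\n' "$plan" | grep -- '-A block' | tail -n 1)
    [ "$last_rule" = "-A block -j DROP" ] \
        || { echo "check_plan: block chain does not end in DROP" >&2; return 1; }

    printf '%s\n' "$plan" | grep -q -- '-A FORWARD -j block' \
        || { echo "check_plan: FORWARD does not jump to block" >&2; return 1; }
}

# Run as a script with an interface argument; with none, only define the functions.
if [ -n "${1:-}" ]; then
    setup_nat "$1"
fi
```

The review step is the point: `plan=$(IPTABLES=echo sh nat.sh eth1) && check_plan "$plan"` on a workstation catches an accidental second MASQUERADE rule or a missing final DROP before the script is copied into openvpn.up on the device.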