nslu:openvpn



nslu:openvpn [2009/11/27 17:54] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== Compiling OPENVPN for NSLU ======
  
 +The pre-compiled OPENVPN package works fine except that if you want to have your username and password credentials to be automatically supplied via the command line option **--auth-user-pass** your out of luck.
 +
 +If you don't care about this then you can just use the default package.
 +<code>
 +ipkg install openvpn
 +</code>
 +
 +To enable this additional command line option you need to recompile the **openvpn** source with the **--enable-password-save** option present.
 +
 +
 +
 +
 +===== So how do you go about recompiling this package? =====
 +
 +First you need a native development environment: [[http://www.nslu2-linux.org/wiki/HowTo/NativelyCompileUnslungPackages|Natively Compile Unslung Packages]]
 +<code>
 +ipkg install optware-devel
 +</code>
 +
 +Then you need to obtain the source code.  If the information below is out of date then refer to http://svn.openvpn.net/ for the latest SVN location.
 +<code>
 +ipkg install svn
 +
 +mkdir source
 +cd source
 +svn co http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn
 +</code>
 +
 +Then make sure some additional libraries are also present
 +<code>
 +ipkg install openssl-dev
 +ipkg install lzo
 +</code>
 +
 +There are many options that can be supplied to the configuration program.
 +<code>
 +# cd openvpn
 +# ./configure --help
 +`configure' configures OpenVPN 2.1_rc7b to adapt to many kinds of systems.
 +
 +Usage: ./configure [OPTION]... [VAR=VALUE]...
 +
 +To assign environment variables (e.g., CC, CFLAGS...), specify them as
 +VAR=VALUE.  See below for descriptions of some of the useful variables.
 +
 +Defaults for the options are specified in brackets.
 +
 +Configuration:
 +  -h, --help              display this help and exit
 +      --help=short        display options specific to this package
 +      --help=recursive    display the short help of all the included packages
 +  -V, --version           display version information and exit
 +  -q, --quiet, --silent   do not print `checking...' messages
 +      --cache-file=FILE   cache test results in FILE [disabled]
 +  -C, --config-cache      alias for `--cache-file=config.cache'
 +  -n, --no-create         do not create output files
 +      --srcdir=DIR        find the sources in DIR [configure dir or `..']
 +
 +Installation directories:
 +  --prefix=PREFIX         install architecture-independent files in PREFIX
 +                          [/usr/local]
 +  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
 +                          [PREFIX]
 +
 +By default, `make install' will install all the files in
 +`/usr/local/bin', `/usr/local/lib' etc.  You can specify
 +an installation prefix other than `/usr/local' using `--prefix',
 +for instance `--prefix=$HOME'.
 +
 +For better control, use the options below.
 +
 +Fine tuning of the installation directories:
 +  --bindir=DIR           user executables [EPREFIX/bin]
 +  --sbindir=DIR          system admin executables [EPREFIX/sbin]
 +  --libexecdir=DIR       program executables [EPREFIX/libexec]
 +  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
 +  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
 +  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
 +  --libdir=DIR           object code libraries [EPREFIX/lib]
 +  --includedir=DIR       C header files [PREFIX/include]
 +  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
 +  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
 +  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
 +  --infodir=DIR          info documentation [DATAROOTDIR/info]
 +  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
 +  --mandir=DIR           man documentation [DATAROOTDIR/man]
 +  --docdir=DIR           documentation root [DATAROOTDIR/doc/openvpn]
 +  --htmldir=DIR          html documentation [DOCDIR]
 +  --dvidir=DIR           dvi documentation [DOCDIR]
 +  --pdfdir=DIR           pdf documentation [DOCDIR]
 +  --psdir=DIR            ps documentation [DOCDIR]
 +
 +Program names:
 +  --program-prefix=PREFIX            prepend PREFIX to installed program names
 +  --program-suffix=SUFFIX            append SUFFIX to installed program names
 +  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names
 +
 +System types:
 +  --build=BUILD     configure for building on BUILD [guessed]
 +  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
 +  --target=TARGET   configure for building compilers for TARGET [HOST]
 +
 +Optional Features:
 +  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
 +  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
 +  --disable-lzo           Disable LZO compression support
 +  --disable-crypto        Disable OpenSSL crypto support
 +  --disable-ssl           Disable OpenSSL SSL support for TLS-based key exchange
 +  --disable-multi         Disable client/server support (--mode server + client mode)
 +  --disable-server        Disable server support only (but retain client support)
 +  --disable-plugins       Disable plug-in support
 +  --disable-management    Disable management server support
 +  --disable-pkcs11        Disable pkcs11 support
 +  --disable-socks         Disable Socks support
 +  --disable-http          Disable HTTP proxy support
 +  --disable-fragment      Disable internal fragmentation support (--fragment)
 +  --disable-multihome     Disable multi-homed UDP server support (--multihome)
 +  --disable-port-share    Disable TCP server port-share support (--port-share)
 +  --disable-debug         Disable debugging support (disable gremlin and verb 7+ messages)
 +  --enable-small          Enable smaller executable size (disable OCC, usage message, and verb 4 parm list)
 +  --enable-pthread        Enable pthread support (Experimental for OpenVPN 2.0)
 +  --enable-password-save  Allow --askpass and --auth-user-pass passwords to be read from a file
 +  --enable-iproute2       Enable support for iproute2
 +  --enable-strict         Enable strict compiler warnings (debugging option)
 +  --enable-pedantic       Enable pedantic compiler warnings, will not generate a working executable (debugging option)
 +  --enable-profiling      Enable profiling (debugging option)
 +  --enable-strict-options Enable strict options check between peers (debugging option)
 +  --disable-dependency-tracking  speeds up one-time build
 +  --enable-dependency-tracking   do not reject slow dependency extractors
 +
 +Optional Packages:
 +  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
 +  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
 +  --with-ssl-headers=DIR  Crypto/SSL Include files location
 +  --with-ssl-lib=DIR      Crypto/SSL Library location
 +  --with-lzo-headers=DIR  LZO Include files location
 +  --with-lzo-lib=DIR      LZO Library location
 +  --with-ifconfig-path=PATH   Path to ifconfig tool
 +  --with-iproute-path=PATH    Path to iproute tool
 +  --with-route-path=PATH  Path to route tool
 +  --with-mem-check=TYPE  Build with debug memory checking, TYPE = dmalloc or valgrind
 +
 +Some influential environment variables:
 +  CC          C compiler command
 +  CFLAGS      C compiler flags
 +  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
 +              nonstandard directory <lib dir>
 +  LIBS        libraries to pass to the linker, e.g. -l<library>
 +  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
 +              you have headers in a nonstandard directory <include dir>
 +  CPP         C preprocessor
 +
 +Use these variables to override the choices made by `configure' or to help
 +it to find libraries and programs with nonstandard names/locations.
 +
 +Report bugs to <openvpn-users@lists.sourceforge.net>.
 +</code>
 +
 +One problem that we need to address before doing anything is to avoid LD_LIBRARY_PATH hell.  So we check to see what library paths will be searched by default by the linker.
 +<code>
 +# ld --verbose | fgrep SEARCH
 +SEARCH_DIR("=/usr/local/lib"); SEARCH_DIR("=/lib"); SEARCH_DIR("=/usr/lib");
 +</code>
 +
 +On an UnSlugged NSLU the libraries live in **/opt/lib** and this is not in the path.  We will need to provide some additional runtime path (rpath) hints to the linker.  This can be done by including switches in the **LDFLAGS** environment variable before compilation.
 +<code>
 +# LDFLAGS="-Wl,--rpath -Wl,/opt/lib"
 +</code>
 +
 +I found that if openvpn uses **/opt/bin/ifconfig** instead of **/sbin/ifconfig** the link does not come up correctly.  So we need to explicitly tell configure which program to use in addition to the non standard locations for the dynamic link libraries and their headers.
 +
 +Now we can proceed with the compilation
 +<code>
 +# ./configure --enable-password-save --prefix=/opt --with-ssl-headers=/opt/include --with-ssl-lib=/opt/lib --with-lzo-headers=/opt/include --with-lzo-lib=/opt/lib --with-ifconfig-path=/sbin/ifconfig
 +</code>
 +
 +After the compilation we will end up with an executable that contains symbol table information useful for debugging however we don't need this so it can be safely removed.
 +<code>
 +strip openvpn
 +</code>
 +
 +If everything goes well running it should produce the following
 +<code>
 +# ./openvpn --version
 +OpenVPN 2.1_rc7b armv5b-unknown-linux-gnu [SSL] [LZO1] built on May  7 2008
 +Developed by James Yonan
 +Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
 +#
 +</code>
 +
 +
 +===== OpenVPN Client configuration =====
 +
 +Now we are able to configure OPENVPN to use this new feature.  We start by creating a new **/opt/etc/init.d/S20openvpn** startup file.
 +
 +<code bash>
 +#!/bin/sh
 +#
 +# Startup script for openvpn as standalone server
 +#
 +
 +# Make sure IP forwarding is enabled
 +echo 1 > /proc/sys/net/ipv4/ip_forward
 +
 +# Make device if not present (not devfs)
 +if ( [ ! -c /dev/net/tun ] ) then
 +  # Make /dev/net directory if needed
 +  if ( [ ! -d /dev/net ] ) then
 +        mkdir -m 755 /dev/net
 +  fi
 +  mknod /dev/net/tun c 10 200
 +fi
 +
 +# Make sure the tunnel driver is loaded
 +if ( !(lsmod | grep -q "^tun") ); then
 +        insmod /opt/lib/modules/tun.o
 +fi
 +
 +# I you want a standalone server (not xinetd), comment out the return statement below
 +#return 0
 +
 +## This is for standalone servers only!!!!
 +# Kill old server if still there
 +if [ -n "`pidof openvpn`" ]; then
 +    /bin/killall openvpn 2>/dev/null
 +fi
 +
 +# Start afresh - add as many daemons as you want
 +/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn.conf --auth-user-pass vpn.password
 +</code>
 +
 +For details of how to configure openvpn.conf and this new option see http://openvpn.net/howto.html
 +
 +
 +====== Routing via the NSLU ======
 +
 +Once the NSLU has a tunnel to a remote host we want to be able to use this device as a gateway.  To do this we will use **iptables**
 +
 +<code>
 +ipkg install iptables
 +ipkg install kernel-module-ip-tables
 +ipkg install kernel-module-iptable-filter
 +ipkg install kernel-module-ip-conntrack
 +ipkg install kernel-module-ipt-masquerade
 +ipkg install kernel-module-ipt-state
 +ipkg install kernel-module-iptable-nat
 +</code>
 +
 +Then we need to setup the NSLU so that it will forward packets.  The follow code will achieve this.
 +
 +<code bash>
 +#!/bin/sh
 +insmod ip_tables
 +insmod iptable_filter
 +insmod ip_conntrack
 +insmod iptable_nat
 +insmod ipt_state
 +insmod ipt_MASQUERADE
 +
 +# Set IP-Forwarding
 +echo "1" > /proc/sys/net/ipv4/ip_forward
 +
 +WLAN=$1
 +iptables -t nat -A POSTROUTING -o $WLAN -j MASQUERADE
 +# Clear all chains
 +iptables -F
 +iptables -F -t nat
 +
 +# In the NAT table (-t nat), Append a rule (-A) after routing
 +# (POSTROUTING) for all packets going out the outside interface
 +# (-o $WLAN) which says to masquerade the connection
 +# (-j MASQUERADE)
 +iptables -t nat -A POSTROUTING -o $WLAN -j MASQUERADE
 +
 +# Create chain which blocks new connections, except if coming from inside.
 +iptables -N block
 +iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
 +iptables -A block -m state --state NEW -i ! $WLAN -j ACCEPT
 +
 +# Logging is turned off
 +#iptables -A block -j LOG --log-ip-options
 +
 +iptables -A block -j DROP
 +
 +# Jump to that chain from INPUT and FORWARD chains.
 +iptables -A INPUT -j block
 +iptables -A FORWARD -j block
 +</code>
 +
 +We will want this script to be started once the tunnel has come up so it will form part of the /opt/etc/openvpn/openvpn.conf configuration.
 +
 +The snippet in the openvpn.conf will look like this and the **openvpn.up** file will contain the above script.
 +<code>
 +up ./openvpn.up
 +</code>
 +
 +====== Reference ======
 +
 +  * http://www.nslu2-linux.org/wiki/HowTo/NativelyCompileUnslungPackages
 +  * http://www.nslu2-linux.org/wiki/HowTo/EnableIPMasquerading
 +  * http://svn.openvpn.net/
 +  * http://opensource.nus.edu.sg/wiki/index.php/SoCVPN
 +  * http://mail.gnome.org/archives/gtk-list/2002-July/msg00043.html
 +
 +{{tag>nslu2 network openvpn}}
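Review bot: in the openvpn.up script under "Routing via the NSLU", the first argument is stored as `WLAN=$1` and used as the outside interface, but when OpenVPN invokes a script through `up ./openvpn.up` the first argument it passes is the tun device name, so every `-o $WLAN` and `-i ! $WLAN` rule refers to the tunnel interface, not the wireless one; either rename the variable (for example `DEV=$1`) and state in the text that the rules masquerade LAN traffic into the tunnel and drop new connections arriving from it, or take the outside interface from an explicit setting instead of `$1`. Three smaller points in the same scripts: the first `iptables -t nat -A POSTROUTING -o $WLAN -j MASQUERADE` is issued before `iptables -F -t nat`, so it is flushed immediately and only the second copy takes effect; `iptables -F` does not remove user-defined chains, so running the script a second time fails at `iptables -N block` unless an `iptables -X block` follows the flush; and in S20openvpn the commented `#return 0` would be a `return` outside a function, where `exit 0` is what is meant. Finally, `--auth-user-pass vpn.password` keeps the credentials in clear text under /opt/etc/openvpn, which is exactly what --enable-password-save permits, so the text should say that the file must be owned by root and readable only by root (`chmod 600 vpn.password`) and that the same care applies to any copy or backup of it.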
  • nslu/openvpn.txt
  • Last modified: 2009/11/27 17:54
  • by 127.0.0.1