nslu:openvpn [2009/11/27 17:54] (current)
====== Compiling OPENVPN for NSLU ======

The pre-compiled OPENVPN package works fine, except that if you want your username and password credentials to be supplied automatically via the command line option **--auth-user-pass** you're out of luck.

If you don't care about this then you can just use the default package.
<code>
ipkg install openvpn
</code>

To enable this additional command line option you need to recompile the **openvpn** source with the **--enable-password-save** option present.

===== So how do you go about recompiling this package? =====

First you need a native development environment: [[http://www.nslu2-linux.org/wiki/HowTo/NativelyCompileUnslungPackages|Natively Compile Unslung Packages]]
<code>
ipkg install optware-devel
</code>

Then you need to obtain the source code. If the information below is out of date then refer to http://svn.openvpn.net/ for the latest SVN location.
<code>
ipkg install svn

mkdir source
cd source
svn co http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn
</code>

Then make sure some additional libraries are also present:
<code>
ipkg install openssl-dev
ipkg install lzo
</code>

There are many options that can be supplied to the configuration program.
<code>
# cd openvpn
# ./configure --help
`configure' configures OpenVPN 2.1_rc7b to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR           user executables [EPREFIX/bin]
  --sbindir=DIR          system admin executables [EPREFIX/sbin]
  --libexecdir=DIR       program executables [EPREFIX/libexec]
  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
  --libdir=DIR           object code libraries [EPREFIX/lib]
  --includedir=DIR       C header files [PREFIX/include]
  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR          info documentation [DATAROOTDIR/info]
  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR           man documentation [DATAROOTDIR/man]
  --docdir=DIR           documentation root [DATAROOTDIR/doc/openvpn]
  --htmldir=DIR          html documentation [DOCDIR]
  --dvidir=DIR           dvi documentation [DOCDIR]
  --pdfdir=DIR           pdf documentation [DOCDIR]
  --psdir=DIR            ps documentation [DOCDIR]

Program names:
  --program-prefix=PREFIX            prepend PREFIX to installed program names
  --program-suffix=SUFFIX            append SUFFIX to installed program names
  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
  --target=TARGET   configure for building compilers for TARGET [HOST]

Optional Features:
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --disable-lzo           Disable LZO compression support
  --disable-crypto        Disable OpenSSL crypto support
  --disable-ssl           Disable OpenSSL SSL support for TLS-based key exchange
  --disable-multi         Disable client/server support (--mode server + client mode)
  --disable-server        Disable server support only (but retain client support)
  --disable-plugins       Disable plug-in support
  --disable-management    Disable management server support
  --disable-pkcs11        Disable pkcs11 support
  --disable-socks         Disable Socks support
  --disable-http          Disable HTTP proxy support
  --disable-fragment      Disable internal fragmentation support (--fragment)
  --disable-multihome     Disable multi-homed UDP server support (--multihome)
  --disable-port-share    Disable TCP server port-share support (--port-share)
  --disable-debug         Disable debugging support (disable gremlin and verb 7+ messages)
  --enable-small          Enable smaller executable size (disable OCC, usage message, and verb 4 parm list)
  --enable-pthread        Enable pthread support (Experimental for OpenVPN 2.0)
  --enable-password-save  Allow --askpass and --auth-user-pass passwords to be read from a file
  --enable-iproute2       Enable support for iproute2
  --enable-strict         Enable strict compiler warnings (debugging option)
  --enable-pedantic       Enable pedantic compiler warnings, will not generate a working executable (debugging option)
  --enable-profiling      Enable profiling (debugging option)
  --enable-strict-options Enable strict options check between peers (debugging option)
  --disable-dependency-tracking  speeds up one-time build
  --enable-dependency-tracking   do not reject slow dependency extractors

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-ssl-headers=DIR  Crypto/SSL Include files location
  --with-ssl-lib=DIR      Crypto/SSL Library location
  --with-lzo-headers=DIR  LZO Include files location
  --with-lzo-lib=DIR      LZO Library location
  --with-ifconfig-path=PATH   Path to ifconfig tool
  --with-iproute-path=PATH    Path to iproute tool
  --with-route-path=PATH  Path to route tool
  --with-mem-check=TYPE  Build with debug memory checking, TYPE = dmalloc or valgrind

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to <openvpn-users@lists.sourceforge.net>.
</code>

One problem we need to address before doing anything is to avoid LD_LIBRARY_PATH hell. So we first check which library paths the linker searches by default.
<code>
# ld --verbose | fgrep SEARCH
SEARCH_DIR("=/usr/local/lib"); SEARCH_DIR("=/lib"); SEARCH_DIR("=/usr/lib");
</code>

On an Unslung NSLU the libraries live in **/opt/lib**, and this is not in the path. We will need to give the linker an additional runtime path (rpath) hint. This can be done by putting the switch in the **LDFLAGS** environment variable before compilation; the variable has to be exported, otherwise configure and make, which run as separate processes, will not see it.
<code>
# export LDFLAGS="-Wl,--rpath -Wl,/opt/lib"
</code>

I found that if openvpn uses **/opt/bin/ifconfig** instead of **/sbin/ifconfig** the link does not come up correctly. So we need to explicitly tell configure which program to use, in addition to the non-standard locations for the dynamic link libraries and their headers.

Now we can proceed with the compilation:
<code>
# ./configure --enable-password-save --prefix=/opt --with-ssl-headers=/opt/include --with-ssl-lib=/opt/lib --with-lzo-headers=/opt/include --with-lzo-lib=/opt/lib --with-ifconfig-path=/sbin/ifconfig
</code>

After the compilation we will end up with an executable that contains symbol table information useful for debugging. We don't need this, so it can safely be removed.
<code>
strip openvpn
</code>

If everything goes well, running it should produce the following:
<code>
# ./openvpn --version
OpenVPN 2.1_rc7b armv5b-unknown-linux-gnu [SSL] [LZO1] built on May  7 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
#
</code>


===== OpenVPN Client configuration =====

Now we are able to configure OPENVPN to use this new feature. We start by creating a new **/opt/etc/init.d/S20openvpn** startup file.

<code bash>
#!/bin/sh
#
# Startup script for openvpn as standalone server
#

# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make device if not present (not devfs)
if [ ! -c /dev/net/tun ]; then
  # Make /dev/net directory if needed
  if [ ! -d /dev/net ]; then
        mkdir -m 755 /dev/net
  fi
  mknod /dev/net/tun c 10 200
fi

# Make sure the tunnel driver is loaded
if ! lsmod | grep -q "^tun"; then
        insmod /opt/lib/modules/tun.o
fi

# If you want a standalone server (not xinetd), keep the exit statement
# below commented out (a top-level "return" is not valid in an executed script)
#exit 0

## This is for standalone servers only!!!!
# Kill old server if still there
if [ -n "`pidof openvpn`" ]; then
    /bin/killall openvpn 2>/dev/null
fi

# Start afresh - add as many daemons as you want
/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn.conf --auth-user-pass vpn.password
</code>

For details of how to configure openvpn.conf and this new option see http://openvpn.net/howto.html


====== Routing via the NSLU ======

Once the NSLU has a tunnel to a remote host we want to be able to use this device as a gateway. To do this we will use **iptables**.

<code>
ipkg install iptables
ipkg install kernel-module-ip-tables
ipkg install kernel-module-iptable-filter
ipkg install kernel-module-ip-conntrack
ipkg install kernel-module-ipt-masquerade
ipkg install kernel-module-ipt-state
ipkg install kernel-module-iptable-nat
</code>

Then we need to set up the NSLU so that it will forward packets. The following script will achieve this.

<code bash>
#!/bin/sh
# Load the netfilter modules (insmod just complains if one is already loaded)
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
insmod ipt_state
insmod ipt_MASQUERADE

# Set IP-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# When run as the openvpn "up" script, $1 is the tunnel device (e.g. tun0)
WLAN=$1

# Clear all chains (do this before adding any rule, or the rule is flushed again)
iptables -F
iptables -F -t nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out the outside interface
# (-o $WLAN) which says to masquerade the connection
# (-j MASQUERADE)
iptables -t nat -A POSTROUTING -o "$WLAN" -j MASQUERADE

# Create chain which blocks new connections, except if coming from inside.
# -N fails if the chain already exists (e.g. after a tunnel restart); that is fine
iptables -N block 2>/dev/null
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i "$WLAN" -j ACCEPT

# Logging is turned off
#iptables -A block -j LOG --log-ip-options

iptables -A block -j DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
</code>

We will want this script to be started once the tunnel has come up, so it will form part of the /opt/etc/openvpn/openvpn.conf configuration.

The snippet in openvpn.conf will look like this, and the **openvpn.up** file will contain the above script.
<code>
up ./openvpn.up
</code>
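As an added example (not part of the original page), a pre-flight script for the two files the setup above depends on: the **vpn.password** file that **--auth-user-pass** reads in S20openvpn, which holds the credentials in clear text and so must be readable by root only, and the **openvpn.up** script that the **up** directive runs as root, which must not be writable by anyone else. The paths follow the page; the helper names and the launch wrapper are assumptions.

```sh
#!/bin/sh
# Pre-flight checks for the S20openvpn init script and the openvpn.up file.
# Added example, not part of the original page. Assumes the page's layout:
# /opt/etc/openvpn/vpn.password and /opt/etc/openvpn/openvpn.up.

# Succeed only if $1 is a regular file with no group/other permission bits.
# Parses `ls -l` rather than stat(1) so it works on busybox and GNU alike.
check_secret_file() {
    [ -f "$1" ] || { echo "missing credential file: $1" >&2; return 1; }
    # columns 5-10 of `ls -l` output are the group and other rwx triplets
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ] || {
        echo "$1 is group/other accessible ($bits): chmod 600 it" >&2
        return 1
    }
}

# Succeed only if $1 is executable and not writable by group or others.
# openvpn runs the "up" script as root, so a writable one lets any local
# user run commands as root when the tunnel comes up.
check_up_script() {
    [ -x "$1" ] || { echo "up script $1 is not executable" >&2; return 1; }
    # column 6 is the group write bit, column 9 the other write bit
    gw=$(ls -ld "$1" | cut -c6)
    ow=$(ls -ld "$1" | cut -c9)
    [ "$gw" = "-" ] && [ "$ow" = "-" ] || {
        echo "up script $1 is group/other writable: chmod 755 it" >&2
        return 1
    }
}

# Run both checks, then start openvpn exactly as the init script does.
start_openvpn() {
    dir=${1:-/opt/etc/openvpn}
    check_secret_file "$dir/vpn.password" || return 1
    check_up_script "$dir/openvpn.up" || return 1
    /opt/sbin/openvpn --daemon --cd "$dir" --config openvpn.conf \
        --auth-user-pass vpn.password
}

# Only act when a directory is given, e.g. from S20openvpn:
#   sh /opt/etc/openvpn/preflight.sh /opt/etc/openvpn
if [ $# -gt 0 ]; then
    start_openvpn "$1"
fi
```

A failed check prints the reason and leaves openvpn unstarted, rather than bringing the tunnel up with an exposed credential file or a hijackable up script.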

====== Reference ======

  * http://www.nslu2-linux.org/wiki/HowTo/NativelyCompileUnslungPackages
  * http://www.nslu2-linux.org/wiki/HowTo/EnableIPMasquerading
  * http://svn.openvpn.net/
  * http://opensource.nus.edu.sg/wiki/index.php/SoCVPN
  * http://mail.gnome.org/archives/gtk-list/2002-July/msg00043.html

{{tag>nslu2 network openvpn}}