Introduction
I went out and bought a WRT54G after playing with a work one that ended up being loaded with OpenWRT firmware and seeing first-hand how neat these things really are if you get to tinker with them at a level beyond the simple webpage administration that Linksys ships by default.
The router I have is a WRT54G v3.1 and was pre-loaded with 4.00.7 firmware, which at first attempt wouldn't load OpenWRT firmware either by webpage or TFTP, as described on the OpenWRT website. My goal for the time being is fairly simple: I wanted a router I could take with me and plug into other people's networks that wouldn't open the flood gates for the bad guys to get in. It also serves as a testing and demonstration platform for customers that want a better-than-WEP security product for their network.
BIG FAT WARNING: Usual disclaimers about I'm not responsible for your actions, this information is provided for educational purposes only and if you turn your router into a brick it may be because you didn't research the topic enough before moving forward and doing anything.
Flashing your WRT54G
Preparing your WRT54G
This may or may not be optional, but I had to upgrade my WRT54G firmware to v4.20.7 before I could load the OpenWRT firmware via the webpage. You can grab this from the Linksys website.
Once loaded you will be able to telnet to your router. By default there is no web config that comes with OpenWRT, so you're stuck using vi for the most part, but then again you get the full power of the device at your disposal rather than a limited feature set.
Installing OpenWRT
Swotting up on the OpenWRT documentation wouldn't hurt before you do anything. It may take you a little time, but it could save you from turning your shiny new router into an expensive lump of plastic you are no longer able to use.
Firstly you will need to download a firmware image. The manual suggests using the squashfs version, since this gives you a couple more options if you screw up your install and will allow you to fix it a lot more easily than some of the other methods.
At the time of writing, the current stable image suitable for my WRT54G was WhiteRussian RC3, which seems to be pretty stable; at least I've not come across any problems that I didn't cause myself. All I did to get this working was download and then upload via the webpage; I waited about 30 seconds and was then able to telnet into the router.
Getting started with OpenWRT
First Time Use
I suggest that for the first few steps you use a piece of cat5 connected to a computer to update the password on the router; otherwise, if you come in over telnet via wireless, it's possible someone else could have sniffed your packets while you add one. Enabling a password will then also enable SSH and disable telnet connections as well.
root@OpenWrt:~# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Re-enter new password:
Cleaning things up a little
It's a VERY VERY good idea to set the clock on bootup, since every time you restart the router it will reset back to Jan 1st 2000, which can cause all sorts of issues with OpenVPN and time settings on certificates. The best solution is to install ntpclient and then run it to correct the system clock.
ipkg install ntpclient
/etc/init.d/S60ntpclient
It's also helpful to setup timezone information unless you prefer to view everything in GMT. For the east coast of Australia that has daylight savings time you'd do something along the lines of:
echo "EST-10EDT-11,M10.5.0/02:00:00,M3.5.0/03:00:00" > /etc/TZ
However, given the number of time zones, and since there are already in-depth articles written up on other sites, I won't duplicate their efforts but instead point you to the other site: More TZ information here
You will also need a file to set up the SSID, a default time (especially if you plan to run it in client mode), and the transmit power level if you want to run lower than the default 255mW:
vi /etc/init.d/S41defaults
#!/bin/sh
# read the SSID and transmit power (in mW) stored in nvram
SSID=$(nvram get wl0_ssid)
TXPWR1=$(nvram get wl0_txpwr1)
# quoted so an SSID containing spaces is passed as one argument
wl ssid "$SSID"
wl txpwr1 -m "$TXPWR1"
# busybox date -s takes MMDDhhmmYYYY; this sets a sane date until ntpclient runs
date -s '110401592005'
Since you won't be able to remotely access your router any longer with telnet you can do the following:
rm /etc/init.d/S50telnet
killall telnetd
Installing OpenVPN
Getting the packages
Next you will need to install OpenVPN. Again, thanks to all the effort put into OpenWRT, there is a Debian-like packaging utility called ipkg, so just do the following:
ipkg update
ipkg upgrade
ipkg install openvpn wl
After installing if you run "df -h" you should have approximately 50% (1.1M) of free space left on your device.
Configuration
Once the packages have installed, this is where the fun begins. I've set my router up to trust the wired LAN ports, keep the default firewall on the WAN port, and remove the wifi network from being bridged with my LAN ports; this way I can block all traffic to and from the wifi network unless the client has successfully connected via VPN.
I'd suggest wiping your nvram configuration and then rebooting:
mtd erase nvram
reboot
Once your router boots up you have a number of options, depending how locked down you want to make your router.
To disable SSID broadcasts:
nvram set wl0_closed=1
To allow G-Mode only (disables 802.11b clients from connecting and slowing your connection down):
nvram set wl0_gmode=2
You can set the channel (1-14 depending on your country) or set it to 0 for auto channel selection:
nvram set wl0_channel=0
To change the SSID:
nvram set wl0_ssid=My_AP
To allow you to recover from a bad flash:
nvram set boot_wait=on
To fix large file transfer problems:
nvram set clkfreq=216
If you have a problem with your router rebooting, unsetting the following may help:
nvram unset watchdog
Next you need to remove the wifi network from the bridged network inside the router, and you simply do:
nvram set lan_proto=static
nvram set lan_ifname=br0
nvram set lan_ifnames=vlan0
nvram set lan_ipaddr=172.16.1.1
nvram set lan_netmask=255.255.255.0
Next you need to give your wifi network its IP details:
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=172.16.2.1
nvram set wifi_netmask=255.255.255.0
If you are finished making changes do the following to make your changes go active:
nvram commit
reboot
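The whole point of the nvram changes above is that the wireless interface ends up outside the LAN bridge and on a different subnet; the firewall rules only make sense if that actually took effect. The following is an added example, not code from the original page or from OpenWRT: a small POSIX shell checker that reads a saved "nvram show" dump and reports if the wifi interface is still listed in lan_ifnames or if the wifi address sits inside the LAN subnet. It assumes the key names used on this page (lan_ifnames, wifi_ifname, lan_ipaddr, wifi_ipaddr, lan_netmask) and the key=value lines that nvram show prints; the sample dumps at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page: check a saved "nvram show" dump to
# confirm the wireless interface really is out of the LAN bridge and on its own
# subnet. Assumes the key names this page uses (lan_ifnames, wifi_ifname,
# lan_ipaddr, wifi_ipaddr, lan_netmask) and the key=value lines nvram show prints.

# nvram_get_from FILE KEY: value of KEY from the saved dump (empty if unset).
nvram_get_from() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# ip2int A.B.C.D: the address as an unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# same_subnet IP1 IP2 MASK: true when both addresses fall in one network.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# wifi_isolated FILE: true if the dump describes an isolated wireless segment;
# otherwise each problem is printed and the function returns 1.
wifi_isolated() {
    f="$1"; rc=0
    wifi=$(nvram_get_from "$f" wifi_ifname)
    lanifs=$(nvram_get_from "$f" lan_ifnames)
    if [ -z "$wifi" ]; then
        echo "wifi_ifname is not set"; rc=1
    else
        for i in $lanifs; do
            if [ "$i" = "$wifi" ]; then
                echo "$wifi is still a member of the LAN bridge (lan_ifnames=$lanifs)"; rc=1
            fi
        done
    fi
    lanip=$(nvram_get_from "$f" lan_ipaddr)
    wifiip=$(nvram_get_from "$f" wifi_ipaddr)
    mask=$(nvram_get_from "$f" lan_netmask)
    if [ -n "$lanip" ] && [ -n "$wifiip" ] && [ -n "$mask" ] \
        && same_subnet "$lanip" "$wifiip" "$mask"; then
        echo "LAN ($lanip) and wifi ($wifiip) share one subnet under $mask"; rc=1
    fi
    return $rc
}

# Constructed sample dumps (a subset of what nvram show prints), for the demo.
sample_dump() {
    case "$1" in
        good)
            printf '%s\n' 'lan_proto=static' 'lan_ifname=br0' 'lan_ifnames=vlan0' \
                'lan_ipaddr=172.16.1.1' 'lan_netmask=255.255.255.0' \
                'wifi_ifname=eth1' 'wifi_ipaddr=172.16.2.1' 'wifi_netmask=255.255.255.0' ;;
        bridged)   # eth1 was left in the bridge
            printf '%s\n' 'lan_ifname=br0' 'lan_ifnames=vlan0 eth1' \
                'lan_ipaddr=172.16.1.1' 'lan_netmask=255.255.255.0' \
                'wifi_ifname=eth1' 'wifi_ipaddr=172.16.2.1' ;;
        overlap)   # wifi given an address inside the LAN subnet
            printf '%s\n' 'lan_ifnames=vlan0' 'lan_ipaddr=172.16.1.1' \
                'lan_netmask=255.255.255.0' 'wifi_ifname=eth1' 'wifi_ipaddr=172.16.1.2' ;;
    esac
}

# On the router you would run: nvram show > /tmp/nvram-backup; wifi_isolated /tmp/nvram-backup
# Demo over the constructed dumps:
for kind in good bridged overlap; do
    tmp=$(mktemp) && sample_dump "$kind" > "$tmp"
    if wifi_isolated "$tmp"; then echo "$kind: ok"; else echo "$kind: NOT isolated"; fi
    rm -f "$tmp"
done
```

The check deliberately works on the dump rather than on a live router so you can run it on the backup copy before and after a reboot; on the device itself, busybox sh has everything the script needs.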
Firewall Modifications
Next you'll need to modify your firewall slightly so people connecting via the wifi interface will only be able to request DHCP information and connect to the OpenVPN port.
cd /etc
rm firewall.user
cp -a /rom/etc/firewall.user .
vi firewall.user
When using vi, move the cursor down below the LAN= line and hit i (for insert), and then add the following line directly beneath it:
WLAN=$(nvram get wifi_ifname)
Now hit the escape key and move the cursor down below the warning section, and directly beneath this hit the i key again and insert the following lines:
if [ -n "$WLAN" ]
then
    # wireless clients may only obtain a DHCP lease ...
    iptables -A input_rule -i "$WLAN" -p udp --dport 67 -j ACCEPT
    # ... and talk to OpenVPN; everything else from the wifi side is dropped
    iptables -A input_rule -i "$WLAN" -p udp --dport 1194 -j ACCEPT
    iptables -A input_rule -i "$WLAN" -j DROP
fi
Once you are sure everything is in place, hit the escape key and type ":wq" (without the quotes); this will save and exit you out of the program.
DNSMASQ Configuration
Next you need to update dnsmasq so it has information for both subnets, so do the following:
cd /etc
rm dnsmasq.conf
cp /rom/etc/dnsmasq.conf .
vi dnsmasq.conf
You'll need to scroll to the end of file, hit the "$" key then press "a" and paste the following lines into your config:
dhcp-range=lan,172.16.1.100,172.16.1.250,255.255.255.0,12h
dhcp-range=wlan,172.16.2.100,172.16.2.250,255.255.255.0,12h
dhcp-option=wlan,3
dhcp-option=6,172.16.1.1
Then hit the escape key and type ":wq", after which you'll need to restart dnsmasq:
killall dnsmasq
/etc/init.d/S50dnsmasq
OpenVPN Configuration
Next we can start with some of the more complicated configuration, OpenVPN itself. Due to the limited space on these devices you will also need a computer that has the OpenSSL binaries installed.
mkdir /etc/openvpn
cd /etc/openvpn
vi openvpn.conf
Next hit the i key and paste the following:
mode server
tls-server
port 1194
proto udp
# tap device: the up/down scripts add it to the LAN bridge
dev tap
# listen only on the wifi side of the router
local 172.16.2.1
up /etc/openvpn/server-tun.up
down /etc/openvpn/server-tun.down
cipher BF-CBC
auth SHA1
# clients get LAN addresses below the dnsmasq DHCP range
ifconfig-pool 172.16.1.50 172.16.1.99 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
tls-verify /etc/openvpn/access-control.sh
ca /etc/openvpn/cacert.crt
dh /etc/openvpn/dh1024.pem
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
push "route-gateway 172.16.1.1"
push "redirect-gateway"
push "route 0.0.0.0 0.0.0.0"
client-to-client
keepalive 10 60
persist-key
persist-tun
ping-timer-rem
daemon
log /tmp/openvpn.log
verb 3
Then hit the escape key and type ":wq"
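Because the tap interface is bridged into the LAN, the ifconfig-pool above hands VPN clients addresses out of the same 172.16.1.0/24 that dnsmasq leases to the wired hosts (dhcp-range=lan,... in the dnsmasq section), so the two ranges must not overlap or a tunnel client and a wired host can end up with the same address. The following is an added example, not code from the original page or from OpenVPN/dnsmasq: a POSIX shell check that pulls both ranges out of the two config files and reports a collision. It assumes the directive spellings used on this page; the sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page: make sure the OpenVPN ifconfig-pool and
# the dnsmasq dhcp-range for the LAN cannot hand out the same address.
# Assumes the directive forms used on this page:
#   ifconfig-pool START END NETMASK          (openvpn.conf)
#   dhcp-range=TAG,START,END,NETMASK,LEASE   (dnsmasq.conf)

# ip2int A.B.C.D: the address as an unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# openvpn_pool FILE: print "START END" from the ifconfig-pool directive.
openvpn_pool() {
    sed -n 's/^[[:space:]]*ifconfig-pool[[:space:]]\{1,\}\([0-9.]*\)[[:space:]]\{1,\}\([0-9.]*\).*/\1 \2/p' "$1" | head -n 1
}

# dnsmasq_range FILE TAG: print "START END" for the dhcp-range tagged TAG.
dnsmasq_range() {
    sed -n "s/^dhcp-range=$2,\([0-9.]*\),\([0-9.]*\),.*/\1 \2/p" "$1" | head -n 1
}

# ranges_overlap A1 A2 B1 B2: true if [A1,A2] and [B1,B2] share any address.
ranges_overlap() {
    a1=$(ip2int "$1"); a2=$(ip2int "$2"); b1=$(ip2int "$3"); b2=$(ip2int "$4")
    [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# pools_disjoint OPENVPN_CONF DNSMASQ_CONF: true if the two pools cannot collide.
pools_disjoint() {
    set -- $(openvpn_pool "$1") $(dnsmasq_range "$2" lan)
    [ $# -eq 4 ] || { echo "could not find both pools"; return 2; }
    if ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "OpenVPN pool $1-$2 overlaps LAN DHCP range $3-$4"
        return 1
    fi
    return 0
}

# Constructed sample configs for the demo (only the relevant lines).
sample_openvpn_conf() {
    printf '%s\n' 'mode server' 'dev tap' "ifconfig-pool $1 $2 255.255.255.0"
}
sample_dnsmasq_conf() {
    printf '%s\n' 'dhcp-range=lan,172.16.1.100,172.16.1.250,255.255.255.0,12h' \
                  'dhcp-range=wlan,172.16.2.100,172.16.2.250,255.255.255.0,12h'
}

# Demo: the page's pool (.50-.99) is fine, a pool reaching .120 is not.
d=$(mktemp -d)
sample_dnsmasq_conf > "$d/dnsmasq.conf"
sample_openvpn_conf 172.16.1.50 172.16.1.99 > "$d/openvpn.conf"
pools_disjoint "$d/openvpn.conf" "$d/dnsmasq.conf" && echo "page config: ok"
sample_openvpn_conf 172.16.1.50 172.16.1.120 > "$d/openvpn.conf"
pools_disjoint "$d/openvpn.conf" "$d/dnsmasq.conf" || echo "widened pool: rejected"
rm -rf "$d"
```

On the router itself you would point pools_disjoint at /etc/openvpn/openvpn.conf and /etc/dnsmasq.conf; the check reads the files only and changes nothing.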
Next, vi server-tun.up:
#!/bin/sh
# OpenVPN passes the interface name as $1; DEBUG is empty unless you export
# DEBUG=echo for a dry run
LAN=$(nvram get lan_ifname)
# bring up the tap interface
$DEBUG ifconfig $1 0.0.0.0 up
# and add that to the bridge
$DEBUG brctl addif $LAN $1
Then hit the escape key and type ":wq"
Next, vi server-tun.down:
#!/bin/sh
LAN=$(nvram get lan_ifname)
# and delete that from the bridge
$DEBUG brctl delif $LAN $1
# bring down the tap interface
$DEBUG ifconfig $1 0.0.0.0 down
Then hit the escape key and type ":wq", followed by "chmod +x server-tun.up server-tun.down"
Next, vi access-control.sh:
#!/bin/sh
# OpenVPN calls tls-verify with $1 = certificate depth and $2 = X.509 subject.
# Only the client certificate itself (depth 0) is checked; CA levels pass.
if [ "$1" != "0" ]; then
    exit 0
fi
# Allow the client if any non-empty line of access-control.txt appears in the
# presented subject, e.g. /emailAddress=user@isp.com
while read -r allowed; do
    [ -n "$allowed" ] || continue
    case "$2" in
        *"$allowed"*) exit 0 ;;
    esac
done < /etc/openvpn/access-control.txt
exit 1
Then hit the escape key and type ":wq", followed by "chmod +x access-control.sh"
Next, vi access-control.txt:
/emailAddress=user@isp.com
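The hook above matches each access-control.txt line as a substring of the subject, which is what the page describes, but a substring match for /emailAddress=user@isp.com also admits a certificate issued for user@isp.com.au. The following is an added example, not code from the original page or from OpenVPN: a stricter variant of the same tls-verify logic that extracts the emailAddress field from the subject and compares it whole against the list. It still accepts the page's /emailAddress=... line format (as well as bare addresses and # comments); the subjects and allow list used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: an exact-match tls-verify check.
# OpenVPN passes $1 = depth and $2 = the X.509 subject string; here the
# emailAddress field is pulled out of the subject and compared whole, so an
# allowed "user@isp.com" does not also admit "user@isp.com.au".

# email_of_subject SUBJECT: the emailAddress= value, or empty if none.
# Accepts both "/C=AU/.../emailAddress=x" and "C=AU, ..., emailAddress=x" forms.
email_of_subject() {
    case "$1" in
        *emailAddress=*)
            rest="${1##*emailAddress=}"   # text after the last emailAddress=
            rest="${rest%%/*}"             # cut at the next / separator
            rest="${rest%%,*}"             # or at a comma separator
            printf '%s\n' "$rest"
            ;;
        *)
            printf '\n'
            ;;
    esac
}

# email_allowed EMAIL FILE: true if EMAIL appears as a whole line in FILE.
# Blank lines and # comments are ignored; a leading "/emailAddress=" on a
# line (the format used on this page) is stripped before comparing.
email_allowed() {
    email="$1"; file="$2"
    [ -n "$email" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        line="${line#/emailAddress=}"
        [ "$line" = "$email" ] && return 0
    done < "$file"
    return 1
}

# verify_client DEPTH SUBJECT ALLOWFILE: the decision the hook would return.
verify_client() {
    depth="$1"; subject="$2"; file="$3"
    [ "$depth" = "0" ] || return 0          # intermediate/CA levels pass through
    email_allowed "$(email_of_subject "$subject")" "$file"
}

# Demo on a constructed allow list and constructed (not real) subjects.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# allowed OpenVPN users' '/emailAddress=user@isp.com' 'other@example.net' > "$tmp"
    verify_client 0 '/CN=CAcert WoT User/emailAddress=user@isp.com' "$tmp" && echo "user@isp.com: allow"
    verify_client 0 '/CN=CAcert WoT User/emailAddress=user@isp.com.au' "$tmp" || echo "user@isp.com.au: deny"
    rm -f "$tmp"
}
demo

# As the real hook, the last lines would be:
#   verify_client "$1" "$2" /etc/openvpn/access-control.txt
#   exit $?
```

Keeping the comparison on a single extracted field also means a subject that happens to contain an allowed string elsewhere (say, in a CN) is not enough on its own to get in.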
You will need to have at least one domain/hostname registered with CAcert, then you will need to generate a certificate and submit a signing request to CAcert.
openssl req -nodes -new -keyout server.key -out server.csr
Once you have a valid certificate simply "vi server.crt" and paste the contents in there. You will need to set the permissions on server.key so only root can read the file.
You will also need to put the contents of the CAcert root certificate in the directory as well.
wget http://www.cacert.org/cacert.crt
chmod 600 /etc/openvpn/server.key
Finally you will need to create a 1024-bit DH parameter file:
openssl dhparam -out dh1024.pem 1024
If you want OpenVPN to auto-start (which you should), you need to vi /etc/init.d/openvpn:
#!/bin/sh
/usr/sbin/openvpn --config /etc/openvpn/openvpn.conf
and
# make the script executable, then link it so it runs at boot
chmod +x /etc/init.d/openvpn
ln -sf /etc/init.d/openvpn /etc/init.d/S75openvpn
At this point you should restart your router to see if everything is working, once your router has rebooted you can run "ps auxww" to see if openvpn is listed.
Client Configuration
Under WRT54G
You can use a WRT54G as an Ethernet bridge/router, and use the WAN port as another LAN port so you end up with a 5-port Ethernet bridge/router. This is useful for linking buildings together, or even just floors/rooms in the same house, without the hassle/expense of having cat5 cables run, or tripping over them in the middle of the night. The best bit is the price: in Australia the going price for a WRT54G is about AU$120 (inc GST); if you were to buy an Ethernet bridge or gaming adapter they are at least $50 more and you only get 1 Ethernet port, not 5!
So once you have a second unit flashed (see above) and ready to be worked on run the following commands:
nvram set wl0_ssid=My_AP
nvram set lan_ifnames='vlan0 vlan1'
nvram set wan_ifname=tap0
nvram set wan_proto=dhcp
nvram set wifi_proto=dhcp
nvram set wl0_mode=sta
nvram unset wl0_channel
nvram set wl0_closed=1
nvram set wl0_gmode=2
nvram set boot_wait=on
nvram set clkfreq=216
nvram unset watchdog
nvram set lan_proto=static
nvram set lan_ifname=br0
nvram set lan_ipaddr=172.17.1.1
nvram set lan_netmask=255.255.255.0
nvram set wifi_ifname=eth1
nvram set wifi_ipaddr=172.17.2.1
nvram set wifi_netmask=255.255.255.0
nvram commit
mkdir /etc/openvpn-client
reboot
Next you'll need to create the client config file with vi /etc/openvpn-client/openvpn.conf:
tls-client
remote 172.16.2.1
port 1194
proto udp
dev tap
pull
resolv-retry infinite
nobind
cipher BF-CBC
auth SHA1
ca /etc/openvpn-client/cacert.crt
cert /etc/openvpn-client/client.crt
key /etc/openvpn-client/client.key
daemon
user nobody
group nogroup
ping 5
ping-restart 15
resolv-retry 300
ping-timer-rem
persist-tun
persist-key
log /tmp/openvpn-client.log
verb 1
You will need to have a signed client/email certificate from the CAcert website; this is a simple step-by-step process on the website. Once you have one you will need to export it from your browser, and most likely it will be in PKCS#12 format, so you will need to split it using openssl (the option is -clcerts, and the output is written to client.pem for the next step):
openssl pkcs12 -in <file>.p12 -clcerts -out client.pem
You'll need to split the output into a .key file and a .crt file. Most likely openssl will force you to set a password on your private key; you will also need to remove this if you plan to use OpenVPN in any sort of automated manner. You will need to mark the client private key as read/write by root only. You also need to grab a copy of the root certificate.
openssl rsa -in client.pem -out client.key
chmod 600 client.key
wget http://www.cacert.org/cacert.crt
One final thing: you'll need to vi /etc/init.d/openvpn-client:
#!/bin/sh
/usr/sbin/openvpn --config /etc/openvpn-client/openvpn.conf
and
chmod +x /etc/init.d/openvpn-client
ln -sf /etc/init.d/openvpn-client /etc/init.d/S75openvpn
Under Ubuntu
OpenVPN has clients for a lot of platforms; at this point in time the only thing I need to connect from is my laptop running Ubuntu. Hopefully others with experience on other platforms can add further information in this section.
Firstly you will need to install OpenVPN and do some miscellaneous other things:
apt-get install openvpn
mkdir -p /etc/openvpn
cd /etc/openvpn
wget http://www.cacert.org/cacert.crt
Next you can start working on the openvpn.conf file:
tls-client
remote 172.16.2.1
port 1194
proto udp
dev tap
pull
resolv-retry infinite
nobind
cipher BF-CBC
auth SHA1
ca /etc/openvpn/cacert.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
daemon
user nobody
group nogroup
ping 15
ping-restart 45
resolv-retry 300
ping-timer-rem
persist-tun
persist-key
log /var/log/openvpn/openvpn.log
verb 3
You will need to have a signed client/email certificate from the CAcert website; this is a simple step-by-step process on the website. Once you have one you will need to export it from your browser, and most likely it will be in PKCS#12 format, so you will need to split it using openssl (the option is -clcerts, and the output is written to client.pem for the next step):
openssl pkcs12 -in <file>.p12 -clcerts -out client.pem
You'll need to split the output into a .key file and a .crt file. Most likely openssl will force you to set a password on your private key; you will also need to remove this if you plan to use OpenVPN in any sort of automated manner. You will need to mark the client private key as read/write by root only.
openssl rsa -in client.pem -out client.key
chmod 600 client.key
To simplify things for myself, when my wireless interface is brought up on my laptop, I also trigger the vpn tunnel as well in /etc/network/interfaces:
auto eth0
iface eth0 inet dhcp
    wireless-mode managed
    wireless-essid My_AP
    post-up openvpn --config /etc/openvpn/openvpn.conf
    pre-down killall -KILL openvpn
Gotchas
Out of Space
If you've installed and removed packages or other things on your OpenWRT, I found it doesn't release the space 100% of the time, and I was forced to erase the jffs2 partition and reboot the device; upon reboot the squashfs partition will simply rebuild the jffs2 partition and you will be on your way again.
Another big fat warning: this will erase all changes you've made, including any packages you've downloaded and installed. I'd suggest you back up anything you want to save !!!BEFORE!!! going any further.
To back up the device you could do a dd and dump the entire file system, but this is difficult to extract one or two files from. Instead I suggest you simply tarball the files in any directory you've altered; for me I've only touched files in /etc and of course the nvram memory, so that's all I need to back up, although there is no harm in archiving too much, but it'll be too late once you erase it:
cd /tmp
nvram show > /tmp/nvram-backup
tar czvf backup.tgz /etc /tmp/nvram-backup
You will need to download a copy of the file, the easiest way is via scp from another linux box:
scp 172.16.1.1:/tmp/backup.tgz .
Once you have that out of the way you are then able to erase your device and start over again:
mtd erase nvram
mtd -r erase mtd4
If the device doesn't power cycle itself you will need to do it manually. Within a minute you should be back up and running.
More information
Notes
The WRT54G and WRT54GS aren't the only products capable of running the OpenWRT firmware, but they are some of the most widely available, check out the OpenWRT documentation for a list of compatible routers.
Links
Simple web interface
Installing Lighttpd and PHP
You will need to edit your /etc/ipkg.conf:
rm /etc/ipkg.conf
cp /rom/etc/ipkg.conf /etc/
echo "src nico http://openwrt.org/downloads/people/nico/testing/mipsel/packages" >> /etc/ipkg.conf
ipkg update
ipkg install php4-cgi lighttpd lighttpd-mod-cgi
echo -n > /etc/lighttpd.conf
vi /etc/lighttpd.conf
Press "i" and paste the following lines:
server.modules = ( "mod_cgi", )
server.document-root = "/www/"
server.errorlog = "/var/log/lighttpd/error.log"
index-file.names = ( "index.php" )
mimetype.assign = (
    ".pdf" => "application/pdf",
    ".class" => "application/octet-stream",
    ".pac" => "application/x-ns-proxy-autoconfig",
    ".swf" => "application/x-shockwave-flash",
    ".wav" => "audio/x-wav",
    ".gif" => "image/gif",
    ".jpg" => "image/jpeg",
    ".jpeg" => "image/jpeg",
    ".png" => "image/png",
    ".css" => "text/css",
    ".html" => "text/html",
    ".htm" => "text/html",
    ".js" => "text/javascript",
    ".txt" => "text/plain",
    ".dtd" => "text/xml",
    ".xml" => "text/xml"
)
server.tag = "lighttpd"
static-file.exclude-extensions = ( ".php" )
server.pid-file = "/var/run/lighttpd.pid"
server.dir-listing = "disable"
cgi.assign = ( ".php" => "/usr/bin/php" )
Example Web Interface
Due to the size of this file, rather than posting it to this page, it's available as a download instead. Simply wget it and save it as /www/index.php (the URL must be quoted, otherwise the shell treats the ampersands as background operators):
wget -O /www/index.php 'http://wiki.cacert.org/wiki/OpenWRT?action=AttachFile&do=get&target=index.php'
Enabling PPPoE
You will need to install a couple of packages:
ipkg install kmod-ppp kmod-pppoe ppp ppp-mod-pppoe pppoe-client
echo "slhc ppp_generic ppp_async pppox pppoe" > /etc/modules.d/30-ppp
Conclusion
So far this is the sum total of how I have my personal router configured, and I'm pretty pleased with how things are progressing.