Support #14071
Closed
rama-glas: openwrt - openvpn client => openvpn.sigma-com.net
90%
Description
- /etc/config/openvpn
- /etc/default/openvpn
- /etc/openvpn
Updated by Ernad Husremović about 17 years ago
I had a quick look at the openvpn source
hernad@nmraka-1:~/devel/hg/openwrt/packages/net/openvpn/files/openvpn.init
<pre>
#!/bin/sh /etc/rc.common
# Copyright (C) 2007 OpenWrt.org
START=70
BIN=openvpn
DEFAULT=/etc/default/$BIN
RUN_D=/var/run
PID_F=$RUN_D/$BIN.pid

start() {
    [ -f $DEFAULT ] && . $DEFAULT
    mkdir -p $RUN_D
    $BIN --writepid $RUN_D/$BIN.pid --daemon $OPTIONS
}

stop() {
    [ -f $PID_F ] && kill $(cat $PID_F)
}
</pre>
so the OPTIONS variable is read from /etc/default/openvpn, if we need it ...
Updated by Ernad Husremović about 17 years ago
at http://wiki.openwrt.org/OpenVPNTunHowTo
there is a standard /etc/openvpn/client.conf
<pre>
client
dev tun
proto udp
remote your.domain.com 1194
nobind

### (optional) degrade privileges to this user and group after initialization
#user nobody
#group nogroup

ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
dh /etc/openvpn/dh.pem

### (optional) use a shared key to initialize TLS negotiation
tls-auth /etc/openvpn/shared.key

### (optional) compression (use only if the server has it)
comp-lzo
</pre>
now the question is whether there are any differences on kamikaze
Updated by Jasmin Beganović almost 17 years ago
I'm in favour of creating a /mnt/1/etc/openvpn directory where the certificates will go
Updated by Jasmin Beganović almost 17 years ago
put the keys and certificates into /mnt/1/etc/openvpn
<pre>
bring.out.ba.crt    100% 1200     1.2KB/s   00:00
rg.crt              100% 3169     3.1KB/s   00:00
rg.csr              100%  684     0.7KB/s   00:00
rg.key              100%  887     0.9KB/s   00:00
</pre>
Updated by Jasmin Beganović almost 17 years ago
created client.conf in the same location
root@router-wan-rg-2:/mnt/1/etc/openvpn# vi client.conf
<pre>
client
dev tun
proto udp
remote officesa.sigma-com.net 1194
nobind

### (optional) degrade privileges to this user and group after initialization
#user nobody
#group nogroup

ca /mnt/1/etc/openvpn/bring.out.ba.crt
cert /mnt/1/etc/openvpn/rg.crt
key /mnt/1/etc/openvpn/rg.key
#dh /etc/openvpn/dh.pem

### (optional) use a shared key to initialize TLS negotiation
#tls-auth /etc/openvpn/shared.key

### (optional) compression (use only if the server has it)
#comp-lzo
</pre>
Updated by Jasmin Beganović almost 17 years ago
started it manually, looks OK
<pre>
root@router-wan-rg-2:/mnt/1/etc/openvpn# /mnt/1/usr/sbin/openvpn /mnt/1/etc/openvpn/client.conf
Thu Apr 24 16:30:56 2008 OpenVPN 2.0.9 mipsel-linux [SSL] [LZO] [EPOLL] built on Apr 21 2008
Thu Apr 24 16:30:56 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Apr 24 16:30:56 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Apr 24 16:30:56 2008 WARNING: file '/mnt/1/etc/openvpn/rg.key' is group or others accessible
Thu Apr 24 16:30:56 2008 UDPv4 link local: [undef]
Thu Apr 24 16:30:56 2008 UDPv4 link remote: 89.146.180.84:1194
Thu Apr 24 16:30:57 2008 [hernad] Peer Connection Initiated with 89.146.180.84:1194
Thu Apr 24 16:30:58 2008 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: ip-win32 (2.0.9)
Thu Apr 24 16:30:58 2008 TUN/TAP device tun0 opened
Thu Apr 24 16:30:58 2008 /sbin/ifconfig tun0 10.8.0.180 pointopoint 10.8.0.1 mtu 1500
Thu Apr 24 16:30:59 2008 Initialization Sequence Completed
</pre>
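Added example (not part of the ticket): the two WARNING lines in the log above, plus the commented-out `user`/`group` lines in client.conf, can be checked mechanically before a client goes into service. The function names, finding labels, host name and sample paths are made up for this example; `ns-cert-type`, `remote-cert-tls` and `tls-remote` are real OpenVPN directives.

```shell
# True if directive $2 appears uncommented in config file $1.
conf_has() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# Print the first argument of the active directive $2 in config file $1.
conf_value() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Print a space-separated list of findings for config $1 (empty means clean).
audit_client_conf() {
    conf=$1; out=""
    # Log: "No server certificate verification method has been enabled".
    # Without one, any certificate issued by the same CA passes as the server.
    conf_has "$conf" ns-cert-type || conf_has "$conf" remote-cert-tls ||
        conf_has "$conf" tls-remote || out="$out no-server-verify"
    # Log: "file ... is group or others accessible".
    key=$(conf_value "$conf" key)
    if [ -n "$key" ] && [ -f "$key" ]; then
        [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] || out="$out key-perms"
    fi
    # "#user nobody" / "#group nogroup" left commented: the daemon keeps root.
    conf_has "$conf" user && conf_has "$conf" group || out="$out no-priv-drop"
    echo "${out# }"
}

# Constructed sample mirroring the ticket's client.conf (empty dummy key file).
demo=$(mktemp -d)
: > "$demo/rg.key"; chmod 644 "$demo/rg.key"
cat > "$demo/client.conf" <<EOF
client
dev tun
proto udp
remote vpn.example.net 1194
#user nobody
#group nogroup
ca $demo/ca.crt
cert $demo/rg.crt
key $demo/rg.key
EOF
before=$(audit_client_conf "$demo/client.conf")

# Hardened: restrict the key, verify the server certificate type, drop root.
chmod 600 "$demo/rg.key"
printf 'ns-cert-type server\nuser nobody\ngroup nogroup\n' >> "$demo/client.conf"
after=$(audit_client_conf "$demo/client.conf")
echo "as deployed: $before"; echo "hardened: ${after:-clean}"
rm -rf "$demo"
```

`ns-cert-type server` only passes if the server certificate was issued with the nsCertType server attribute, so check the server side before enabling it.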
Updated by Ernad Husremović almost 17 years ago
root@router-back:~# tail /var/log/syslog | grep rg
Apr 24 18:30:50 router-back ovpn-server[7380]: 89.146.156.176:2048 [rg] Peer Connection Initiated with 89.146.156.176:2048
Updated by Jasmin Beganović almost 17 years ago
everything is OK on my side too
from this side everything looks ok
<pre>
root@router-wan-rg-2:~# ping 10.8.0.180
PING 10.8.0.180 (10.8.0.180): 56 data bytes
64 bytes from 10.8.0.180: seq=0 ttl=64 time=0.928 ms

--- 10.8.0.180 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.928/0.928/0.928 ms
root@router-wan-rg-2:~# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: seq=0 ttl=64 time=36.818 ms

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 36.818/36.818/36.818 ms
root@router-wan-rg-2:~#
</pre>
Updated by Jasmin Beganović almost 17 years ago
<pre>
(18:31:38) bjasko: hernad
(18:31:46) Ernad Husremović: go ahead
(18:32:01) bjasko: would you mind checking whether this ramaglas openvpn has connected to our router
(18:32:14) Ernad Husremović: ok
(18:33:09) Ernad Husremović: it has
(18:33:11) Ernad Husremović: yes
(18:33:18) bjasko: great
(18:33:51) Ernad Husremović: as for options
(18:34:03) Ernad Husremović: that's the right-hand part of your invocation
(18:34:11) Ernad Husremović: I assume
(18:34:39) bjasko: yes, I think so too
(18:34:54) Ernad Husremović: does this work for you
(18:35:02) Ernad Husremović: does /mnt/1/usr/sbin/openvpn --daemon /mnt/1/etc/openvpn/client.conf work
(18:35:15) bjasko: I'll check
(18:35:21) Ernad Husremović: because the init.d script puts --daemon and then the options
(18:35:34) Ernad Husremović: just take a look at the openvpn syntax
(18:35:44) Ernad Husremović: can you ping us
(18:36:01) Ernad Husremović: do you get the route 192.168.45 or 192.169.45
(18:36:09) Ernad Husremović: it should, yes
(18:36:13) Ernad Husremović: as far as I remember
(18:36:29) bjasko: I'll see
</pre>
Updated by Ernad Husremović almost 17 years ago
<pre>
(18:33:54) hernad: as for options
(18:34:04) hernad: that's the right-hand part of your invocation
(18:34:13) hernad: I assume
(18:34:43) bjasko: yes, I think so too
(18:34:57) hernad: does this work for you
(18:35:05) hernad: does /mnt/1/usr/sbin/openvpn --daemon /mnt/1/etc/openvpn/client.conf work
(18:35:18) bjasko: I'll check
(18:35:24) hernad: because the init.d script puts --daemon and then the options
(18:35:37) hernad: just take a look at the openvpn syntax
(18:35:47) hernad: can you ping us
(18:36:04) hernad: do you get the route 192.168.45 or 192.169.45
(18:36:12) hernad: it should, yes
(18:36:16) hernad: as far as I remember
(18:36:32) bjasko: I'll see
(18:36:57) hernad: I push the route 192.168.45.0, so you should get access to our hosts right away
(18:37:19) bjasko: ok
(18:37:19) hernad: your config is port 1194, right?
(18:37:24) bjasko: yes
(18:37:26) hernad: yes, 1195 is for windoze
(18:37:30) hernad: ok
(18:37:30) bjasko: hehe
</pre>
hm, the only thing is that the firewall may need to let openvpn packets through ... I'm not sure whether it does, but it can't be ruled out
Updated by Jasmin Beganović almost 17 years ago
after openvpn came up the route was set correctly right away and I can ping our addresses
<pre>
bjasko@n-book-bjasko-1:~/Desktop/rg.certs$ ping 192.168.45.189
PING 192.168.45.189 (192.168.45.189) 56(84) bytes of data.
64 bytes from 192.168.45.189: icmp_seq=1 ttl=64 time=730 ms
64 bytes from 192.168.45.189: icmp_seq=2 ttl=64 time=25.2 ms
</pre>
but this --daemon produces an error entry in the log
<pre>
Apr 24 16:44:56 router-wan-rg-2 daemon.err /mnt/1/etc/openvpn/client.conf[2705]: Options error: You must define TUN/TAP device (--dev)
Apr 24 16:44:56 router-wan-rg-2 daemon.warn /mnt/1/etc/openvpn/client.conf[2705]: Use --help for more information.
</pre>
and of course the vpn doesn't come up
Updated by Jasmin Beganović almost 17 years ago
You must define TUN/TAP device (--dev) ??
I don't get why this is required only in daemon mode, I'll try defining it for it
Updated by Jasmin Beganović almost 17 years ago
this is the correct invocation with the --daemon option; the conf file has to be named for it, it can't just be passed along
<pre>
root@router-wan-rg-2:/mnt/1/etc/openvpn# /mnt/1/usr/sbin/openvpn --daemon --config /mnt/1/etc/openvpn/client.conf
root@router-wan-rg-2:/mnt/1/etc/openvpn# ps ax | grep openvpn
 2745 root       4884 S   /mnt/1/usr/sbin/openvpn --daemon --config /mnt/1/etc/
 2765 root       2364 S   grep openvpn
root@router-wan-rg-2:/mnt/1/etc/openvpn#
</pre>
<pre>
PING 192.168.45.189 (192.168.45.189): 56 data bytes
64 bytes from 192.168.45.189: seq=0 ttl=64 time=40.095 ms
64 bytes from 192.168.45.189: seq=1 ttl=64 time=38.197 ms
</pre>
Updated by Jasmin Beganović almost 17 years ago
<pre>
(19:02:14) hernad: great
(19:02:24) hernad: works nicely and fast
(19:02:30) bjasko: it's good
(19:02:31) bjasko: that
(19:02:48) bjasko: how are we going to do startup in /etc/init.d ??
(19:02:56) hernad: ?
(19:02:58) hernad: openvpn
(19:03:01) bjasko: yes
(19:03:24) hernad: ln -s /mnt/1/etc/init.d/openvpn /etc/init.d/openvpn
(19:04:30) hernad: and then add ln -s /etc/init.d/openvpn /etc/rc.d/S99openvpn
(19:04:37) hernad: and that should work after a restart
(19:04:56) bjasko: we'll see
</pre>
Updated by Jasmin Beganović almost 17 years ago
added the symlinks
<pre>
root@router-wan-rg-2:~# ls -l /etc/rc.d/S99openvpn
lrwxrwxrwx 1 root root 19 Apr 24 17:06 /etc/rc.d/S99openvpn -> /etc/init.d/openvpn
root@router-wan-rg-2:~# ls -l /etc/init.d/openvpn
lrwxrwxrwx 1 root root 25 Apr 24 17:05 /etc/init.d/openvpn -> /mnt/1/etc/init.d/openvpn
</pre>
Updated by Jasmin Beganović almost 17 years ago
and here is what the script looks like; this now needs to be checked
<pre>
root@router-wan-rg-2:~# cat /etc/rc.d/S99openvpn
#!/bin/sh /etc/rc.common
# Copyright (C) 2007 OpenWrt.org
START=70
BIN=openvpn
DEFAULT=/etc/default/$BIN
RUN_D=/var/run
PID_F=$RUN_D/$BIN.pid

start() {
    [ -f $DEFAULT ] && . $DEFAULT
    mkdir -p $RUN_D
    $BIN --writepid $RUN_D/$BIN.pid --daemon $OPTIONS
}

stop() {
    [ -f $PID_F ] && kill $(cat $PID_F)
}
</pre>
Updated by Jasmin Beganović almost 17 years ago
/etc/rc.common does not exist
default is now in /mnt/1/etc/default
Updated by Ernad Husremović almost 17 years ago
you need a trick here, brother, so that you don't change those scripts that are part of the installation
ln -s /mnt/1/etc/default/openvpn /etc/default/openvpn
if you go poking around in the scripts, then after a package upgrade you'll have to redo those changes
Updated by Ernad Husremović almost 17 years ago
look at how the webif installation on -d net works
Updated by Jasmin Beganović almost 17 years ago
that works too
<pre>
root@router-wan-rg-2:/etc# mkdir default
root@router-wan-rg-2:/etc# ln -s /mnt/1/etc/default/openvpn /etc/default/openvpn
root@router-wan-rg-2:/etc# ls -l /etc/default/openvpn
lrwxrwxrwx 1 root root 26 Apr 24 17:17 /etc/default/openvpn -> /mnt/1/etc/default/openvpn
root@router-wan-rg-2:/etc#
</pre>
Updated by Jasmin Beganović almost 17 years ago
I restored the original state
/etc/rc.d/S99openvpn
<pre>
#!/bin/sh /etc/rc.common
# Copyright (C) 2007 OpenWrt.org
START=70
BIN=openvpn
DEFAULT=/etc/default/$BIN
RUN_D=/var/run
PID_F=$RUN_D/$BIN.pid

start() {
    [ -f $DEFAULT ] && . $DEFAULT
    mkdir -p $RUN_D
    $BIN --writepid $RUN_D/$BIN.pid --daemon $OPTIONS
}

stop() {
    [ -f $PID_F ] && kill $(cat $PID_F)
}
</pre>
and I'm resetting the router
Updated by Jasmin Beganović almost 17 years ago
after the reboot there's no trace of the vpn
Updated by Jasmin Beganović almost 17 years ago
started it manually, I get an error
<pre>
root@router-wan-rg-2:~# /etc/rc.d/S99openvpn start
/etc/rc.common: eval: line 3: openvpn: not found
</pre>
that's exactly this one
DEFAULT=/etc/default/$BIN
the one we made the symlink for
Updated by Jasmin Beganović almost 17 years ago
and it is there, I don't get it
<pre>
root@router-wan-rg-2:/# ls -l /etc/default/
lrwxrwxrwx 1 root root 26 Apr 24 17:17 openvpn -> /mnt/1/etc/default/openvpn
</pre>
Updated by Jasmin Beganović almost 17 years ago
I think I've figured it out, the config needs to be set
root@router-wan-rg-2:/etc/default# cat openvpn
<pre>
CONFIG="/mnt/1/etc/openvpn/client.conf"
OPTIONS="--config $CONFIG"
</pre>
Updated by Jasmin Beganović almost 17 years ago
I don't get it, it doesn't work the other way round either, and I've run out of ideas
Updated by Jasmin Beganović almost 17 years ago
the link to the openvpn executable was missing
root@router-wan-rg-2:/usr/sbin# ln -s /mnt/1/usr/sbin/openvpn /usr/sbin/openvpn
Updated by Jasmin Beganović almost 17 years ago
now let's see after the reboot
Updated by Jasmin Beganović almost 17 years ago
everything is OK, this works
<pre>
root@router-wan-rg-2:~# ping 192.168.45.189
PING 192.168.45.189 (192.168.45.189): 56 data bytes
64 bytes from 192.168.45.189: seq=0 ttl=64 time=100.282 ms
</pre>
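Added example (not part of the ticket and not the package's init script): the failures met on the way to a working boot-time start, checked in one pass before rebooting. They are the config path consumed by `--daemon`, the `openvpn` binary missing from PATH, and the defaults file. `preflight`, the finding labels and the `openvpn-demo` stand-in binary are made up for this example.

```shell
# preflight DEFAULTS_FILE BIN: print findings for the boot-time invocation
#   $BIN --writepid ... --daemon $OPTIONS        (empty output means ok)
preflight() {
    defaults=$1; bin=$2; out=""; OPTIONS=""
    if [ -f "$defaults" ]; then . "$defaults"; else out="$out no-defaults-file"; fi
    # The init script runs $BIN by name, so it is looked up in PATH; a binary
    # that exists only under /mnt/1/usr/sbin gives "openvpn: not found".
    command -v "$bin" >/dev/null 2>&1 || out="$out binary-not-on-path"
    # --daemon takes an optional progname, so a bare word right after it is
    # used as the syslog name and no config file is read
    # ("You must define TUN/TAP device (--dev)").
    set -- $OPTIONS
    case ${1:-} in
        --*) ;;
        "")  out="$out options-empty" ;;
        *)   out="$out config-taken-as-progname" ;;
    esac
    # A file named by --config must be readable.
    while [ $# -gt 0 ]; do
        if [ "$1" = "--config" ] && [ ! -r "${2:-}" ]; then
            out="$out config-unreadable"
        fi
        shift
    done
    echo "${out# }"
}

# Constructed fixture: a stand-in binary outside PATH and an empty client.conf.
demo=$(mktemp -d); mkdir "$demo/sbin"
printf '#!/bin/sh\n' > "$demo/sbin/openvpn-demo"; chmod +x "$demo/sbin/openvpn-demo"
: > "$demo/client.conf"

# As first tried in the thread: bare config path, binary not on PATH.
echo "OPTIONS=\"$demo/client.conf\"" > "$demo/bad"
broken=$(preflight "$demo/bad" openvpn-demo)

# As finally working: OPTIONS="--config $CONFIG", binary reachable via PATH.
printf 'CONFIG="%s"\nOPTIONS="--config $CONFIG"\n' "$demo/client.conf" > "$demo/good"
fixed=$(PATH="$demo/sbin:$PATH"; preflight "$demo/good" openvpn-demo)
echo "first attempt: $broken"; echo "final setup: ${fixed:-ok}"
rm -rf "$demo"
```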
Updated by Jasmin Beganović almost 17 years ago
now a backup needs to be made
Updated by Jasmin Beganović almost 17 years ago
I'm looking for how hernad did this; it looks like he simply tarred the router's etc
Updated by Jasmin Beganović almost 17 years ago
- Status changed from Assigned to Resolved
- % Done changed from 0 to 90
I'll do that on the main ticket; this one can be wrapped up, what's left is to update the wiki
Updated by Ernad Husremović almost 17 years ago
- Subject changed from openwrt - openvpn client => openvpn.sigma-com.net to rama-glas: openwrt - openvpn client => openvpn.sigma-com.net
Updated by Jasmin Beganović almost 17 years ago
- Status changed from Resolved to Closed