expand all
Projects Research Private Contact

Michael Pfeiffer
Imprint, Disclaimer

OpenVPN tls-server running under OpenWRT on a WRT54G (V1.1)

I was angry about the floating point exceptions gotten from openvpn imediately after starting openvpn in tls_server mode. As I have read the comment of cmeerw in the OpenWRT forum I tried to do it as christof had suggested it. With that proceeding I got success, and that is what I am describing on this page here. If you just want to install the packages jump here.

Creating a OpenVPN package

First of all I've built the OpenWRT system on my linux distribution. There was no problem to build up the main flashable module, which I have built and installed as described on the OpenWRT main pages. But I've got some problems to build some default packages. Because of these weren't necessary in my installation I've kicked them out by changing the PACKAGES target in the main Makefile. This is my current setting of PACKAGES in the main Makefile located in buildroot. 

PACKAGES:=oidentd iproute2 kmod-sched wshaper zlib openssl openvpn pppoecd \
	dropbear chillispot dhcp-fwd ip6tables kmod-ipt6 kmod-ipv6 kmod-nfs \
	kmod-ppp-async kmod-ppp-mppe-mppc ppp pppoecd pptp-server kmod-tun fprobe \
	libpcap libpthread pptp-client vsftpd matrixssl ntpclient strace

OpenVPN isn't a default package of OpenWRT. So I had to produce some required but missing files for building the desired package. First this is openvpn.mk, which is a partition of the makefile and used to build openvpn and secondly the descibing control which is used as description of the installable ipkg file. 

# get the missing/correct files
cd <path-to-OpenWRT>/buildroot

wget http://p3f.gmxhome.de/OpenWRT/config/openvpn.mk
mv openvpn.mk make

wget http://p3f.gmxhome.de/OpenWRT/config/control
mkdir -p sources/openwrt/ipkg/openvpn/CONTROL
mv control sources/openwrt/ipkg/openvpn/CONTROL

The openvpn.mk I am providing here is a derivate of the openvpn.mk which is part of the downloadable OpenWRT distribution already! After installing the two files in the named directories I've altered the Makefile. I have added the openvpn in the Packages target as shown above. 

# to build all packages do:
cd <path-to-OpenWRT>/buildroot
make packages

After the work is done you can find all packages, including the openvpn_2.0_beta15_mipsel.ipk file, in the packages subdirectory.

Now you should install the packages of your desire onto the WRT54G. It's important to do the installation for the libssl package too to get the last step of the next section working. The installation is automatically triggered by the dependencies of openvpn so I should better say: leave the libssl package installed on the WRT54G!

Creating a working libSSL package

The libSSL package wich was created in the OpenWRT distribution isn't usable in connection with OpenVPN because of it creates the floating point exception as described above. To get the system running I followed the hint of Christof Meerwald. This part of the installation is extremely dirty (sometimes you have to close both eyes to get success) but I think it's OK if you don't plan to update your system every week or even more often.

To get the working libssl we only have to do some of the steps outlined on that page. The following box is a summary of that what I have done (hopefully I haven't forget too much to mention ;-)) ). To avoid any mixups: "I am using version 2.07.1 of the linksys distribution and openssl version 0.9.7d just as OpenWRT does! That is the reason why I distribute a different openssl-wrt54g.diff. 


###############################
# setting up the build system
###############################
mkdir <some path>/linksys
cd <some-path>/linksys
tar xzf <path-to-OpenWRT>/buildroot/source/dl/wrt54gs.2.07.1.tgz

cd WRT54GS/release/src/linux/linux
wget http://svn.cmeerw.net/src/wrt54g/trunk/linux/arch/mips/defconfig-bcm947xx
cp defconfig-bcm947xx arch/mips
mv defconfig-bcm947xx .config
make menuconfig
# just leave and save the configuration
make depend

# now we have to create a link in the /opt directory
# therefore you have to become root normally
su -
ln -s <some-path>/linksys/WRT54GS/tools/brcm /opt
# leave root shell

export PATH=$PATH:/opt/brcm/hndtools-mipsel-uclibc/bin:/opt/brcm/hndtools-mipsel-linux/bin

###############################
# Updating OpenSSL
###############################
cd <some-path>/linksys/WRT54GS/release/src/router
rm -rf openssl
tar xzf <path-to-OpenWRT>/buildroot/source/dl/openssl-0.9.7d.tar.gz
mv openssl-0.9.7d openssl

cd openssl
wget http://p3f.gmxhome.de/OpenWRT/config/openssl-wrt54g.diff
patch -sp1 < openssl-wrt54g.diff
rm openssl-wrt54g.diff

###############################
# build everything
###############################
cd <some-path>/linksys/WRT54G/release/src
make

###############################
# installing the result libs
###############################
cd <some-path>/linksys/WRT54GS/release/src/router/mipsel-uclibc/target/usr/lib/
mv libssl.so libssl.so.0.9.7
mv libcrypto.so libcrypto.so.0.9.7
# you have to install dropbear to do the next step
scp libssl.so.0.9.7 libcrypto.so.0.9.7 root@<WRT-IP-ADDRESS>:/usr/lib

Do it as simple as possible

If you trust my skills you can download the two packages from my site. Just alter your ipkg.conf file as described on the OpenWRT pages. Create the new entry (show below) in the topmost position. 

src p3f http://p3f.gmxhome.de/OpenWRT/ipkg

To install the package do: 

ipkg update
ipkg remove libssl
ipkg install openvpn

Disclaimer

Although I have made and documented everything with care there are probably some bugs on this page or the downloadable stuff. This is the reason why I don't give any warranty of any kind!

If you find a bug or if you have any suggestions for improvement or changes of the described configuration feel free to contact me!

Cheers,
Pfeiffer

OpenWrt