mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 16:45:17 +00:00
222 lines
5.3 KiB
Markdown
222 lines
5.3 KiB
Markdown
|
# OpenWrt/LEDE integration guide
|
||
|
|
||
|
## Software dependencies
|
||
|
|
||
|
On vanilla OpenWrt/LEDE box install software packages:
|
||
|
|
||
|
```bash
|
||
|
opkg update
|
||
|
opkg install curl openssl-util
|
||
|
opkg install strongswan-full kmod-crypto-echainiv
|
||
|
```
|
||
|
|
||
|
When using image builder specify these packages via PACKAGES environment variable.
|
||
|
|
||
|
Grab 50-certidude script and place it to /etc/hotplug.d/iface/50-certidude:
|
||
|
|
||
|
```bash
|
||
|
wget https://raw.githubusercontent.com/laurivosandi/certidude/master/doc/50-certidude -O /etc/hotplug.d/iface/50-certidude
|
||
|
```
|
||
|
|
||
|
## As IPSec gateway
|
||
|
|
||
|
Configure /etc/ipsec.conf:
|
||
|
|
||
|
```
|
||
|
config setup
|
||
|
cachecrls=yes
|
||
|
strictcrlpolicy=yes
|
||
|
|
||
|
ca ca2
|
||
|
auto = add
|
||
|
cacert = /etc/config/ca.crt
|
||
|
ocspuri = http://ca.example.com/api/ocsp/
|
||
|
|
||
|
conn %default
|
||
|
ikelifetime=60m
|
||
|
keylife=20m
|
||
|
rekeymargin=3m
|
||
|
keyingtries=1
|
||
|
keyexchange=ikev2
|
||
|
|
||
|
conn site-to-client
|
||
|
auto=add
|
||
|
right=%any # Allow connecting from any IP address
|
||
|
rightsourceip=10.179.44.0/24 # Serve virtual IP-s from this pool
|
||
|
left=router.example.com # Gateway FQDN
|
||
|
leftcert=/etc/config/robo-router.crt # Gateway certificate
|
||
|
leftupdown=/usr/bin/certidude-updown
|
||
|
leftsubnet=192.168.12.0/24,10.179.0.0/16 # Push routes
|
||
|
rightdns=192.168.12.1 # Push DNS server to clients
|
||
|
```
|
||
|
|
||
|
When you want to make DNS queries possible via tunnel don't forget to
|
||
|
disable local service for dnsmasq:
|
||
|
|
||
|
```bash
|
||
|
uci set dhcp.@dnsmasq[0].localservice=0
|
||
|
uci commit
|
||
|
```
|
||
|
|
||
|
Place following to /usr/bin/certidude-updown, when tunnel goes up submit lease to CA:
|
||
|
|
||
|
```bash
|
||
|
#!/bin/sh
|
||
|
|
||
|
case $PLUTO_VERB in
|
||
|
up-client)
|
||
|
curl -f --data "outer_address=$PLUTO_PEER&inner_address=$PLUTO_PEER_SOURCEIP&client=$(echo $PLUTO_PEER_ID | cut -d '=' -f 2)" \
|
||
|
http://ca.example.com/api/lease/
|
||
|
;;
|
||
|
*)
|
||
|
curl -f -X POST -d "client=$X509_0_CN&server=$X509_1_CN&outer_address=$untrusted_ip&inner_address=$ifconfig_pool_remote_ip&serial=$tls_serial_0" \
|
||
|
http://ca.example.com/api/lease/
|
||
|
;;
|
||
|
esac
|
||
|
```
|
||
|
|
||
|
|
||
|
## As client
|
||
|
|
||
|
Grab 50-certidude script and place it to /etc/hotplug.d/iface/ as shown above.
|
||
|
|
||
|
Place following to /etc/ipsec.conf:
|
||
|
|
||
|
```
|
||
|
config setup
|
||
|
|
||
|
conn %default
|
||
|
keyexchange=ikev2
|
||
|
keyingtries=300
|
||
|
dpdaction=restart
|
||
|
closeaction=restart
|
||
|
|
||
|
conn client-to-site
|
||
|
auto=add
|
||
|
leftupdown=/usr/bin/ipsec-updown
|
||
|
left=%defaultroute
|
||
|
leftsourceip=%config
|
||
|
leftcert=/etc/ipsec.d/certs/client.pem
|
||
|
right=router.example.com
|
||
|
rightsubnet=0.0.0.0/0
|
||
|
```
|
||
|
|
||
|
Scripting client, when tunnel goes up:
|
||
|
|
||
|
```bash
|
||
|
#!/bin/sh
|
||
|
[ "$PLUTO_VERB" != "up-client" ] && exit 0
|
||
|
|
||
|
case "$PLUTO_PEER_CLIENT" in
|
||
|
192.*|172.*|10.*)
|
||
|
# Do nothing
|
||
|
exit 0
|
||
|
;;
|
||
|
*)
|
||
|
# Attempt to fetch script from server
|
||
|
logger -t certidude -s "IPsec SA to $PLUTO_PEER_CLIENT established, attempting to fetch script"
|
||
|
SCRIPT=$(mktemp -u)
|
||
|
wget --header='Accept: text/x-shellscript' http://ca.example.com/api/script -O $SCRIPT
|
||
|
sh $SCRIPT
|
||
|
;;
|
||
|
esac
|
||
|
```
|
||
|
at /etc/config/certidude you can use:
|
||
|
|
||
|
```
|
||
|
config authority
|
||
|
option url http://ca.example.com
|
||
|
option authority_path /etc/ipsec.d/cacerts/ca.pem
|
||
|
option request_path /etc/ipsec.d/reqs/client.pem
|
||
|
option certificate_path /etc/ipsec.d/certs/client.pem
|
||
|
option key_path /etc/ipsec.d/private/client.pem
|
||
|
option key_type rsa
|
||
|
option key_length 1024
|
||
|
option red_led gl-connect:red:wlan
|
||
|
option green_led gl-connect:green:lan
|
||
|
```
|
||
|
|
||
|
To test:
|
||
|
|
||
|
```bash
|
||
|
ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
|
||
|
```
|
||
|
|
||
|
# As site-to-site router
|
||
|
|
||
|
In this example Omnia Turris is set up as a router which enables
|
||
|
access to a subnet behind another IPSec gateway.
|
||
|
|
||
|
Set up /etc/config/certidude:
|
||
|
|
||
|
```bash
|
||
|
config authority ca
|
||
|
option key_type rsa
|
||
|
option key_length 1024
|
||
|
option url http://ca.example.com
|
||
|
option common_name turris-123456
|
||
|
option key_path /etc/ipsec.d/private/router.pem
|
||
|
option request_path /etc/ipsec.d/reqs/router.pem
|
||
|
option certificate_path /etc/ipsec.d/certs/router.pem
|
||
|
option authority_path /etc/ipsec.d/cacerts/ca.pem
|
||
|
option revocations_path /etc/ipsec.d/crls/router.pem
|
||
|
option red_led omnia-led:user1
|
||
|
option green_led omnia-led:user2
|
||
|
```
|
||
|
|
||
|
Set up /etc/ipsec.conf:
|
||
|
|
||
|
```
|
||
|
config setup
|
||
|
cachecrls=yes
|
||
|
strictcrlpolicy=yes
|
||
|
|
||
|
conn s2s
|
||
|
auto=start
|
||
|
right=router.example.com
|
||
|
leftcert=/etc/ipsec.d/certs/router.pem
|
||
|
leftsubnet=172.26.1.0/24 # local subnet
|
||
|
rightsubnet=172.24.0.0/24 # subnet behind gateway
|
||
|
```
|
||
|
|
||
|
Reconfigure firewall:
|
||
|
|
||
|
```bash
|
||
|
# Prevent NAT-ing of IPSec tunnel packets
|
||
|
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
|
||
|
|
||
|
# Trust packets from IPSec tunnel
|
||
|
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
|
||
|
iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
|
||
|
```
|
||
|
|
||
|
DNS forwarding and caching:
|
||
|
|
||
|
```bash
|
||
|
uci delete dhcp.@dnsmasq[0].local
|
||
|
uci set dhcp.@dnsmasq[0].domain=example.lan
|
||
|
uci add_list dhcp.@dnsmasq[0].server="/.example.lan/172.24.1.1"
|
||
|
uci add_list dhcp.@dnsmasq[0].rebind_domain="example.lan"
|
||
|
uci commit
|
||
|
```
|
||
|
|
||
|
On Omnia turris kresd is used instead of dnsmasq, to revert back to dnsmasq:
|
||
|
|
||
|
```bash
|
||
|
/etc/init.d/kresd stop
|
||
|
/etc/init.d/kresd disable
|
||
|
uci del_list dhcp.lan.dhcp_option="6,192.168.1.1"
|
||
|
uci delete dhcp.@dnsmasq[0].port
|
||
|
uci commit
|
||
|
/etc/init.d/dnsmasq enable
|
||
|
/etc/init.d/dnsmasq restart
|
||
|
```
|
||
|
|
||
|
To disable IPv6:
|
||
|
|
||
|
```bash
|
||
|
/etc/init.d/odhcpd stop
|
||
|
/etc/init.d/odhcpd disable
|
||
|
```
|
||
|
|