Add OpenWrt/LEDE integration guide

doc/openwrt.md

@@ -0,0 +1,221 @@
+# OpenWrt/LEDE integration guide
+
+## Software dependencies
+
+On vanilla OpenWrt/LEDE box install software packages:
+
+```bash
+opkg update
+opkg install curl openssl-util
+opkg install strongswan-full kmod-crypto-echainiv
+```
+
+When using image builder specify these packages via PACKAGES environment variable.
+
+Grab 50-certidude script and place it to /etc/hotplug.d/iface/50-certidude:
+
+```bash
+wget https://raw.githubusercontent.com/laurivosandi/certidude/master/doc/50-certidude -O /etc/hotplug.d/iface/50-certidude
+```
+
+## As IPSec gateway
+
+Configure /etc/ipsec.conf:
+
+```
+config setup
+    cachecrls=yes
+    strictcrlpolicy=yes
+
+ca ca2
+    auto = add
+    cacert = /etc/config/ca.crt
+    ocspuri = http://ca.example.com/api/ocsp/
+
+conn %default
+    ikelifetime=60m
+    keylife=20m
+    rekeymargin=3m
+    keyingtries=1
+    keyexchange=ikev2
+
+conn site-to-client
+    auto=add
+    right=%any # Allow connecting from any IP address
+    rightsourceip=10.179.44.0/24 # Serve virtual IP-s from this pool
+    left=router.example.com # Gateway FQDN
+    leftcert=/etc/config/robo-router.crt # Gateway certificate
+    leftupdown=/usr/bin/certidude-updown
+    leftsubnet=192.168.12.0/24,10.179.0.0/16 # Push routes
+    rightdns=192.168.12.1 # Push DNS server to clients
+```
+
+When you want to make DNS queries possible via tunnel don't forget to 
+disable local service for dnsmasq:
+
+```bash
+uci set dhcp.@dnsmasq[0].localservice=0
+uci commit
+```
+
+Place following to /usr/bin/certidude-updown, when tunnel goes up submit lease to CA:
+
+```bash
+#!/bin/sh
+
+case $PLUTO_VERB in
+  up-client)
+    curl -f --data "outer_address=$PLUTO_PEER&inner_address=$PLUTO_PEER_SOURCEIP&client=$(echo $PLUTO_PEER_ID | cut -d '=' -f 2)" \
+      http://ca.example.com/api/lease/
+  ;;
+  *)
+    curl -f -X POST -d "client=$X509_0_CN&server=$X509_1_CN&outer_address=$untrusted_ip&inner_address=$ifconfig_pool_remote_ip&serial=$tls_serial_0" \
+      http://ca.example.com/api/lease/
+  ;;
+esac
+```
+
+
+## As client
+
+Grab 50-certidude script and place it to /etc/hotplug.d/iface/ as shown above.
+
+Place following to /etc/ipsec.conf:
+
+```
+config setup
+
+conn %default
+        keyexchange=ikev2
+        keyingtries=300
+        dpdaction=restart
+        closeaction=restart
+
+conn client-to-site
+        auto=add
+        leftupdown=/usr/bin/ipsec-updown
+        left=%defaultroute
+        leftsourceip=%config
+        leftcert=/etc/ipsec.d/certs/client.pem
+        right=router.example.com
+        rightsubnet=0.0.0.0/0
+```
+
+Scripting client, when tunnel goes up:
+
+```bash
+#!/bin/sh
+[ "$PLUTO_VERB" != "up-client" ] && exit 0
+
+case "$PLUTO_PEER_CLIENT" in
+    192.*|172.*|10.*)
+        # Do nothing
+        exit 0
+    ;;
+    *)
+        # Attempt to fetch script from server
+        logger -t certidude -s "IPsec SA to $PLUTO_PEER_CLIENT established, attempting to fetch script"
+        SCRIPT=$(mktemp -u)
+        wget --header='Accept: text/x-shellscript' http://ca.example.com/api/script -O $SCRIPT
+        sh $SCRIPT
+    ;;
+esac
+```
+at /etc/config/certidude you can use:
+
+```
+config authority
+    option url http://ca.example.com
+    option authority_path /etc/ipsec.d/cacerts/ca.pem
+    option request_path /etc/ipsec.d/reqs/client.pem
+    option certificate_path /etc/ipsec.d/certs/client.pem
+    option key_path /etc/ipsec.d/private/client.pem
+    option key_type rsa
+    option key_length 1024
+    option red_led gl-connect:red:wlan
+    option green_led gl-connect:green:lan
+```
+
+To test:
+
+```bash
+ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
+```
+
+# As site-to-site router
+
+In this example Omnia Turris is set up as a router which enables
+access to a subnet behind another IPSec gateway.
+
+Set up /etc/config/certidude:
+
+```bash
+config authority ca
+    option key_type rsa
+    option key_length 1024
+    option url http://ca.example.com
+    option common_name turris-123456 
+    option key_path /etc/ipsec.d/private/router.pem
+    option request_path /etc/ipsec.d/reqs/router.pem
+    option certificate_path /etc/ipsec.d/certs/router.pem
+    option authority_path /etc/ipsec.d/cacerts/ca.pem
+    option revocations_path /etc/ipsec.d/crls/router.pem
+    option red_led omnia-led:user1
+    option green_led omnia-led:user2
+```
+
+Set up /etc/ipsec.conf:
+
+```
+config setup
+    cachecrls=yes
+    strictcrlpolicy=yes
+
+conn s2s
+    auto=start
+    right=router.example.com
+    leftcert=/etc/ipsec.d/certs/router.pem
+    leftsubnet=172.26.1.0/24 # local subnet
+    rightsubnet=172.24.0.0/24 # subnet behind gateway
+```
+
+Reconfigure firewall:
+
+```bash
+# Prevent NAT-ing of IPSec tunnel packets
+iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
+
+# Trust packets from IPSec tunnel
+iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
+iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
+```
+
+DNS forwarding and caching:
+
+```bash
+uci delete dhcp.@dnsmasq[0].local
+uci set dhcp.@dnsmasq[0].domain=example.lan
+uci add_list dhcp.@dnsmasq[0].server="/.example.lan/172.24.1.1"
+uci add_list dhcp.@dnsmasq[0].rebind_domain="example.lan"
+uci commit
+```
+
+On Omnia turris kresd is used instead of dnsmasq, to revert back to dnsmasq:
+
+```bash
+/etc/init.d/kresd stop
+/etc/init.d/kresd disable
+uci del_list dhcp.lan.dhcp_option="6,192.168.1.1"
+uci delete dhcp.@dnsmasq[0].port
+uci commit
+/etc/init.d/dnsmasq enable
+/etc/init.d/dnsmasq restart
+```
+
+To disable IPv6:
+
+```bash
+/etc/init.d/odhcpd stop
+/etc/init.d/odhcpd disable
+```
+