mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-22 08:15:18 +00:00
Add OpenWrt/LEDE integration guide
This commit is contained in:
parent
f7d8e95aa8
commit
783bba3474
221
doc/openwrt.md
Normal file
221
doc/openwrt.md
Normal file
@ -0,0 +1,221 @@
|
||||
# OpenWrt/LEDE integration guide
|
||||
|
||||
## Software dependencies
|
||||
|
||||
On vanilla OpenWrt/LEDE box install software packages:
|
||||
|
||||
```bash
|
||||
opkg update
|
||||
opkg install curl openssl-util
|
||||
opkg install strongswan-full kmod-crypto-echainiv
|
||||
```
|
||||
|
||||
When using image builder specify these packages via PACKAGES environment variable.
|
||||
|
||||
Grab 50-certidude script and place it to /etc/hotplug.d/iface/50-certidude:
|
||||
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/laurivosandi/certidude/master/doc/50-certidude -O /etc/hotplug.d/iface/50-certidude
|
||||
```
|
||||
|
||||
## As IPSec gateway
|
||||
|
||||
Configure /etc/ipsec.conf:
|
||||
|
||||
```
|
||||
config setup
|
||||
cachecrls=yes
|
||||
strictcrlpolicy=yes
|
||||
|
||||
ca ca2
|
||||
auto = add
|
||||
cacert = /etc/config/ca.crt
|
||||
ocspuri = http://ca.example.com/api/ocsp/
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn site-to-client
|
||||
auto=add
|
||||
right=%any # Allow connecting from any IP address
|
||||
rightsourceip=10.179.44.0/24 # Serve virtual IP-s from this pool
|
||||
left=router.example.com # Gateway FQDN
|
||||
leftcert=/etc/config/robo-router.crt # Gateway certificate
|
||||
leftupdown=/usr/bin/certidude-updown
|
||||
leftsubnet=192.168.12.0/24,10.179.0.0/16 # Push routes
|
||||
rightdns=192.168.12.1 # Push DNS server to clients
|
||||
```
|
||||
|
||||
When you want to make DNS queries possible via tunnel don't forget to
|
||||
disable local service for dnsmasq:
|
||||
|
||||
```bash
|
||||
uci set dhcp.@dnsmasq[0].localservice=0
|
||||
uci commit
|
||||
```
|
||||
|
||||
Place following to /usr/bin/certidude-updown, when tunnel goes up submit lease to CA:
|
||||
|
||||
```bash
|
||||
#!/bin/sh
|
||||
|
||||
case $PLUTO_VERB in
|
||||
up-client)
|
||||
curl -f --data "outer_address=$PLUTO_PEER&inner_address=$PLUTO_PEER_SOURCEIP&client=$(echo $PLUTO_PEER_ID | cut -d '=' -f 2)" \
|
||||
http://ca.example.com/api/lease/
|
||||
;;
|
||||
*)
|
||||
curl -f -X POST -d "client=$X509_0_CN&server=$X509_1_CN&outer_address=$untrusted_ip&inner_address=$ifconfig_pool_remote_ip&serial=$tls_serial_0" \
|
||||
http://ca.example.com/api/lease/
|
||||
;;
|
||||
esac
|
||||
```
|
||||
|
||||
|
||||
## As client
|
||||
|
||||
Grab 50-certidude script and place it to /etc/hotplug.d/iface/ as shown above.
|
||||
|
||||
Place following to /etc/ipsec.conf:
|
||||
|
||||
```
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
keyexchange=ikev2
|
||||
keyingtries=300
|
||||
dpdaction=restart
|
||||
closeaction=restart
|
||||
|
||||
conn client-to-site
|
||||
auto=add
|
||||
leftupdown=/usr/bin/ipsec-updown
|
||||
left=%defaultroute
|
||||
leftsourceip=%config
|
||||
leftcert=/etc/ipsec.d/certs/client.pem
|
||||
right=router.example.com
|
||||
rightsubnet=0.0.0.0/0
|
||||
```
|
||||
|
||||
Scripting client, when tunnel goes up:
|
||||
|
||||
```bash
|
||||
#!/bin/sh
|
||||
[ "$PLUTO_VERB" != "up-client" ] && exit 0
|
||||
|
||||
case "$PLUTO_PEER_CLIENT" in
|
||||
192.*|172.*|10.*)
|
||||
# Do nothing
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
# Attempt to fetch script from server
|
||||
logger -t certidude -s "IPsec SA to $PLUTO_PEER_CLIENT established, attempting to fetch script"
|
||||
SCRIPT=$(mktemp -u)
|
||||
wget --header='Accept: text/x-shellscript' http://ca.example.com/api/script -O $SCRIPT
|
||||
sh $SCRIPT
|
||||
;;
|
||||
esac
|
||||
```
|
||||
at /etc/config/certidude you can use:
|
||||
|
||||
```
|
||||
config authority
|
||||
option url http://ca.example.com
|
||||
option authority_path /etc/ipsec.d/cacerts/ca.pem
|
||||
option request_path /etc/ipsec.d/reqs/client.pem
|
||||
option certificate_path /etc/ipsec.d/certs/client.pem
|
||||
option key_path /etc/ipsec.d/private/client.pem
|
||||
option key_type rsa
|
||||
option key_length 1024
|
||||
option red_led gl-connect:red:wlan
|
||||
option green_led gl-connect:green:lan
|
||||
```
|
||||
|
||||
To test:
|
||||
|
||||
```bash
|
||||
ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
|
||||
```
|
||||
|
||||
# As site-to-site router
|
||||
|
||||
In this example Omnia Turris is set up as a router which enables
|
||||
access to a subnet behind another IPSec gateway.
|
||||
|
||||
Set up /etc/config/certidude:
|
||||
|
||||
```bash
|
||||
config authority ca
|
||||
option key_type rsa
|
||||
option key_length 1024
|
||||
option url http://ca.example.com
|
||||
option common_name turris-123456
|
||||
option key_path /etc/ipsec.d/private/router.pem
|
||||
option request_path /etc/ipsec.d/reqs/router.pem
|
||||
option certificate_path /etc/ipsec.d/certs/router.pem
|
||||
option authority_path /etc/ipsec.d/cacerts/ca.pem
|
||||
option revocations_path /etc/ipsec.d/crls/router.pem
|
||||
option red_led omnia-led:user1
|
||||
option green_led omnia-led:user2
|
||||
```
|
||||
|
||||
Set up /etc/ipsec.conf:
|
||||
|
||||
```
|
||||
config setup
|
||||
cachecrls=yes
|
||||
strictcrlpolicy=yes
|
||||
|
||||
conn s2s
|
||||
auto=start
|
||||
right=router.example.com
|
||||
leftcert=/etc/ipsec.d/certs/router.pem
|
||||
leftsubnet=172.26.1.0/24 # local subnet
|
||||
rightsubnet=172.24.0.0/24 # subnet behind gateway
|
||||
```
|
||||
|
||||
Reconfigure firewall:
|
||||
|
||||
```bash
|
||||
# Prevent NAT-ing of IPSec tunnel packets
|
||||
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
|
||||
|
||||
# Trust packets from IPSec tunnel
|
||||
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
|
||||
iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
|
||||
```
|
||||
|
||||
DNS forwarding and caching:
|
||||
|
||||
```bash
|
||||
uci delete dhcp.@dnsmasq[0].local
|
||||
uci set dhcp.@dnsmasq[0].domain=example.lan
|
||||
uci add_list dhcp.@dnsmasq[0].server="/.example.lan/172.24.1.1"
|
||||
uci add_list dhcp.@dnsmasq[0].rebind_domain="example.lan"
|
||||
uci commit
|
||||
```
|
||||
|
||||
On Omnia turris kresd is used instead of dnsmasq, to revert back to dnsmasq:
|
||||
|
||||
```bash
|
||||
/etc/init.d/kresd stop
|
||||
/etc/init.d/kresd disable
|
||||
uci del_list dhcp.lan.dhcp_option="6,192.168.1.1"
|
||||
uci delete dhcp.@dnsmasq[0].port
|
||||
uci commit
|
||||
/etc/init.d/dnsmasq enable
|
||||
/etc/init.d/dnsmasq restart
|
||||
```
|
||||
|
||||
To disable IPv6:
|
||||
|
||||
```bash
|
||||
/etc/init.d/odhcpd stop
|
||||
/etc/init.d/odhcpd disable
|
||||
```
|
||||
|
Loading…
Reference in New Issue
Block a user