# OpenWrt/LEDE integration guide

## Software dependencies

On vanilla OpenWrt/LEDE box install software packages:

```bash
opkg update
opkg install curl openssl-util
opkg install strongswan-full kmod-crypto-echainiv kmod-crypto-gcm
```

When using image builder specify these packages via PACKAGES environment variable.

Grab 50-certidude script and place it to /etc/hotplug.d/iface/50-certidude:

```bash
wget https://raw.githubusercontent.com/laurivosandi/certidude/master/doc/50-certidude -O /etc/hotplug.d/iface/50-certidude
```

## As IPSec gateway

Configure /etc/ipsec.conf:

```
config setup
    cachecrls=yes
    strictcrlpolicy=yes

ca ca2
    auto = add
    cacert = /etc/config/ca.crt
    ocspuri = http://ca.example.com/api/ocsp/

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn site-to-client
    auto=add
    right=%any # Allow connecting from any IP address
    rightsourceip=10.179.44.0/24 # Serve virtual IP-s from this pool
    left=router.example.com # Gateway FQDN
    leftcert=/etc/config/robo-router.crt # Gateway certificate
    leftupdown=/usr/bin/certidude-updown
    leftsubnet=192.168.12.0/24,10.179.0.0/16 # Push routes
    rightdns=192.168.12.1 # Push DNS server to clients
```

When you want to make DNS queries possible via tunnel don't forget to 
disable local service for dnsmasq:

```bash
uci set dhcp.@dnsmasq[0].localservice=0
uci commit
```

Place following to /usr/bin/certidude-updown, when tunnel goes up submit lease to CA:

```bash
#!/bin/sh

case $PLUTO_VERB in
  up-client)
    curl -f --data "outer_address=$PLUTO_PEER&inner_address=$PLUTO_PEER_SOURCEIP&client=$(echo $PLUTO_PEER_ID | cut -d '=' -f 2)" \
      http://ca.example.com/api/lease/
  ;;
  *)
    curl -f -X POST -d "client=$X509_0_CN&server=$X509_1_CN&outer_address=$untrusted_ip&inner_address=$ifconfig_pool_remote_ip&serial=$tls_serial_0" \
      http://ca.example.com/api/lease/
  ;;
esac
```


## As client

Grab 50-certidude script and place it to /etc/hotplug.d/iface/ as shown above.

Place following to /etc/ipsec.conf:

```
config setup

conn %default
        keyexchange=ikev2
        keyingtries=300
        dpdaction=restart
        closeaction=restart

conn client-to-site
        auto=add
        leftupdown=/usr/bin/ipsec-updown
        left=%defaultroute
        leftsourceip=%config
        leftcert=/etc/ipsec.d/certs/client.pem
        right=router.example.com
        rightsubnet=0.0.0.0/0
```

Scripting client, when tunnel goes up:

```bash
#!/bin/sh
[ "$PLUTO_VERB" != "up-client" ] && exit 0

case "$PLUTO_PEER_CLIENT" in
    192.*|172.*|10.*)
        # Do nothing
        exit 0
    ;;
    *)
        # Attempt to fetch script from server
        logger -t certidude -s "IPsec SA to $PLUTO_PEER_CLIENT established, attempting to fetch script"
        SCRIPT=$(mktemp -u)
        wget --header='Accept: text/x-shellscript' http://ca.example.com/api/script -O $SCRIPT
        sh $SCRIPT
    ;;
esac
```
at /etc/config/certidude you can use:

```
config authority
    option url http://ca.example.com
    option authority_path /etc/ipsec.d/cacerts/ca.pem
    option request_path /etc/ipsec.d/reqs/client.pem
    option certificate_path /etc/ipsec.d/certs/client.pem
    option key_path /etc/ipsec.d/private/client.pem
    option key_type rsa
    option key_length 1024
    option red_led gl-connect:red:wlan
    option green_led gl-connect:green:lan
```

To test:

```bash
ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
```

# As site-to-site router

In this example Omnia Turris is set up as a router which enables
access to a subnet behind another IPSec gateway.

Set up /etc/config/certidude:

```bash
config authority ca
    option key_type rsa
    option key_length 1024
    option url http://ca.example.com
    option common_name turris-123456 
    option key_path /etc/ipsec.d/private/router.pem
    option request_path /etc/ipsec.d/reqs/router.pem
    option certificate_path /etc/ipsec.d/certs/router.pem
    option authority_path /etc/ipsec.d/cacerts/ca.pem
    option revocations_path /etc/ipsec.d/crls/router.pem
    option red_led omnia-led:user1
    option green_led omnia-led:user2
```

Set up /etc/ipsec.conf:

```
config setup
    cachecrls=yes
    strictcrlpolicy=yes

conn s2s
    auto=start
    right=router.example.com
    leftcert=/etc/ipsec.d/certs/router.pem
    leftsubnet=172.26.1.0/24 # local subnet
    rightsubnet=172.24.0.0/24 # subnet behind gateway
```

Reconfigure firewall:

```bash
# Prevent NAT-ing of IPSec tunnel packets
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

# Trust packets from IPSec tunnel
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
```

DNS forwarding and caching:

```bash
uci delete dhcp.@dnsmasq[0].local
uci set dhcp.@dnsmasq[0].domain=example.lan
uci add_list dhcp.@dnsmasq[0].server="/.example.lan/172.24.1.1"
uci add_list dhcp.@dnsmasq[0].rebind_domain="example.lan"
uci commit
```

On Omnia turris kresd is used instead of dnsmasq, to revert back to dnsmasq:

```bash
/etc/init.d/kresd stop
/etc/init.d/kresd disable
uci del_list dhcp.lan.dhcp_option="6,192.168.1.1"
uci delete dhcp.@dnsmasq[0].port
uci commit
/etc/init.d/dnsmasq enable
/etc/init.d/dnsmasq restart
```

To disable IPv6:

```bash
/etc/init.d/odhcpd stop
/etc/init.d/odhcpd disable
```