1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-11-16 18:06:44 +00:00
certidude/doc/openwrt.md

222 lines
5.3 KiB
Markdown

# OpenWrt/LEDE integration guide
## Software dependencies
On vanilla OpenWrt/LEDE box install software packages:
```bash
opkg update
opkg install curl openssl-util
opkg install strongswan-full kmod-crypto-echainiv
```
When using image builder specify these packages via PACKAGES environment variable.
Grab 50-certidude script and place it to /etc/hotplug.d/iface/50-certidude:
```bash
wget https://raw.githubusercontent.com/laurivosandi/certidude/master/doc/50-certidude -O /etc/hotplug.d/iface/50-certidude
```
## As IPSec gateway
Configure /etc/ipsec.conf:
```
config setup
cachecrls=yes
strictcrlpolicy=yes
ca ca2
auto = add
cacert = /etc/config/ca.crt
ocspuri = http://ca.example.com/api/ocsp/
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn site-to-client
auto=add
right=%any # Allow connecting from any IP address
rightsourceip=10.179.44.0/24 # Serve virtual IP-s from this pool
left=router.example.com # Gateway FQDN
leftcert=/etc/config/robo-router.crt # Gateway certificate
leftupdown=/usr/bin/certidude-updown
leftsubnet=192.168.12.0/24,10.179.0.0/16 # Push routes
rightdns=192.168.12.1 # Push DNS server to clients
```
When you want to make DNS queries possible via tunnel don't forget to
disable local service for dnsmasq:
```bash
uci set dhcp.@dnsmasq[0].localservice=0
uci commit
```
Place following to /usr/bin/certidude-updown, when tunnel goes up submit lease to CA:
```bash
#!/bin/sh
case $PLUTO_VERB in
up-client)
curl -f --data "outer_address=$PLUTO_PEER&inner_address=$PLUTO_PEER_SOURCEIP&client=$(echo $PLUTO_PEER_ID | cut -d '=' -f 2)" \
http://ca.example.com/api/lease/
;;
*)
curl -f -X POST -d "client=$X509_0_CN&server=$X509_1_CN&outer_address=$untrusted_ip&inner_address=$ifconfig_pool_remote_ip&serial=$tls_serial_0" \
http://ca.example.com/api/lease/
;;
esac
```
## As client
Grab 50-certidude script and place it to /etc/hotplug.d/iface/ as shown above.
Place following to /etc/ipsec.conf:
```
config setup
conn %default
keyexchange=ikev2
keyingtries=300
dpdaction=restart
closeaction=restart
conn client-to-site
auto=add
leftupdown=/usr/bin/ipsec-updown
left=%defaultroute
leftsourceip=%config
leftcert=/etc/ipsec.d/certs/client.pem
right=router.example.com
rightsubnet=0.0.0.0/0
```
Scripting client, when tunnel goes up:
```bash
#!/bin/sh
[ "$PLUTO_VERB" != "up-client" ] && exit 0
case "$PLUTO_PEER_CLIENT" in
192.*|172.*|10.*)
# Do nothing
exit 0
;;
*)
# Attempt to fetch script from server
logger -t certidude -s "IPsec SA to $PLUTO_PEER_CLIENT established, attempting to fetch script"
SCRIPT=$(mktemp -u)
wget --header='Accept: text/x-shellscript' http://ca.example.com/api/script -O $SCRIPT
sh $SCRIPT
;;
esac
```
at /etc/config/certidude you can use:
```
config authority
option url http://ca.example.com
option authority_path /etc/ipsec.d/cacerts/ca.pem
option request_path /etc/ipsec.d/reqs/client.pem
option certificate_path /etc/ipsec.d/certs/client.pem
option key_path /etc/ipsec.d/private/client.pem
option key_type rsa
option key_length 1024
option red_led gl-connect:red:wlan
option green_led gl-connect:green:lan
```
To test:
```bash
ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/50-certidude
```
# As site-to-site router
In this example Omnia Turris is set up as a router which enables
access to a subnet behind another IPSec gateway.
Set up /etc/config/certidude:
```bash
config authority ca
option key_type rsa
option key_length 1024
option url http://ca.example.com
option common_name turris-123456
option key_path /etc/ipsec.d/private/router.pem
option request_path /etc/ipsec.d/reqs/router.pem
option certificate_path /etc/ipsec.d/certs/router.pem
option authority_path /etc/ipsec.d/cacerts/ca.pem
option revocations_path /etc/ipsec.d/crls/router.pem
option red_led omnia-led:user1
option green_led omnia-led:user2
```
Set up /etc/ipsec.conf:
```
config setup
cachecrls=yes
strictcrlpolicy=yes
conn s2s
auto=start
right=router.example.com
leftcert=/etc/ipsec.d/certs/router.pem
leftsubnet=172.26.1.0/24 # local subnet
rightsubnet=172.24.0.0/24 # subnet behind gateway
```
Reconfigure firewall:
```bash
# Prevent NAT-ing of IPSec tunnel packets
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
# Trust packets from IPSec tunnel
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
```
DNS forwarding and caching:
```bash
uci delete dhcp.@dnsmasq[0].local
uci set dhcp.@dnsmasq[0].domain=example.lan
uci add_list dhcp.@dnsmasq[0].server="/.example.lan/172.24.1.1"
uci add_list dhcp.@dnsmasq[0].rebind_domain="example.lan"
uci commit
```
On Omnia turris kresd is used instead of dnsmasq, to revert back to dnsmasq:
```bash
/etc/init.d/kresd stop
/etc/init.d/kresd disable
uci del_list dhcp.lan.dhcp_option="6,192.168.1.1"
uci delete dhcp.@dnsmasq[0].port
uci commit
/etc/init.d/dnsmasq enable
/etc/init.d/dnsmasq restart
```
To disable IPv6:
```bash
/etc/init.d/odhcpd stop
/etc/init.d/odhcpd disable
```