Tuesday, September 23, 2008

Asterisk for OpenWRT


Last updated: September 19, 2007

This page contains binaries and sources for running the Asterisk PBX software on OpenWRT devices.

This page has become obsolete since the majority of these patches were merged and improved in the official OpenWRT repositories as of version 1.4.11. All requests and bug reports should now be submitted as tickets through the OpenWRT development process. People are strongly advised to use the official repositories for further Asterisk development and installations, since there will be no new releases or development through this site.

The original repositories for version 1.4.9 are still maintained because of some extra features that have not been merged yet, but will be in the near future.
(obsolete) Asterisk 1.4.9
Asterisk 1.4 packages can be obtained through a package repository by adding a new line to your /etc/ipkg.conf:

For OpenWRT WhiteRussian 0.9 on mipsel/brcm (Broadcom and compatibles):
src asterisk14 http://members.home.nl/hans.zandbelt/openwrt/whiterussian/packages/asterisk-1.4

For OpenWRT Kamikaze 7.06 on mipsel/brcm (Broadcom and compatibles):
src asterisk14 http://members.home.nl/hans.zandbelt/openwrt/kamikaze/packages/asterisk-1.4

For OpenWRT Kamikaze 7.06 on mips/atheros (Fonera and compatibles):
src asterisk14 http://members.home.nl/hans.zandbelt/openwrt/kamikaze/packages/asterisk-1.4/atheros

For OpenWRT Kamikaze 7.06 on x86:
src asterisk14 http://members.home.nl/hans.zandbelt/openwrt/kamikaze/packages/asterisk-1.4/x86

NB1: The 1.4.x packages are named "asterisk14-*" to allow them to co-exist with the 1.2.x packages, *BUT* the 1.4 packages _do_ use the same installation directories so installing them next to 1.2 must be done with a different "-d" flag to "ipkg install".
NB2: For the Kamikaze releases based on kernel 2.6 the zaptel/ztdummy kernel module is not yet available thus app_meetme and IAX2 trunking are not yet usable on that platform.

Update: Asterisk core updated to version 1.4.9; added asterisk-addons 1.4.2; zaptel-libtonezone updated to version 1.4.4.
asterisk14-addons includes backported-from-trunk chan_mobile (svn 384)
asterisk14-app-fax package is included, including app_rxfax and app_txfax.
asterisk14-chan-gtalk is included, with stability fixes, providing GTalk support for Asterisk.
(obsolete) Building from source
You can build Asterisk 1.4.9 and addons for OpenWRT yourself, together with all supported modules, using the buildroot environment provided by the OpenWRT team, called the SDK. The script for doing so (download):

#!/bin/sh
# Build Asterisk 1.4.9 and the addons for OpenWRT WhiteRussian with the OpenWRT SDK.

ZAPTEL="1.4.4"
IKSEMEL="1.2"
ASTERISK="1.4.9"
ADDONS="1.4.2"

URL="http://zandbelt.dyndns.org/asterisk"
PREFIX="openwrt-packages"

DIR="openwrt-devel"
SDK="OpenWrt-SDK-Linux-i686-1"

# Fetch and apply the package patch for component $1 at version $2.
do_patch() {
PATCH=${PREFIX}-$1-$2.patch
wget ${URL}/${PATCH}
patch -p0 < ${PATCH}
}

# Unpack the SDK and check out the packages feed next to it.
mkdir ${DIR} && cd ${DIR}
wget http://downloads.openwrt.org/whiterussian/newest/${SDK}.tar.bz2
tar jxvf ${SDK}.tar.bz2
svn co https://svn.openwrt.org/openwrt/packages
# Patch the package definitions, then link them into the SDK's package directory.
do_patch zaptel ${ZAPTEL}
do_patch iksemel ${IKSEMEL}
do_patch asterisk ${ASTERISK}
do_patch asterisk-addons ${ADDONS}
cd ${SDK}/package && ln -s ../../packages/*/* . && cd ..
# Build the core and addons packages (V=99 gives verbose build output).
make package/asterisk14-compile V=99
make package/asterisk14-addons-compile V=99

After finishing successfully, packages can be found in:
openwrt-devel/OpenWrt-SDK-Linux-i686-1/bin/packages
(obsolete) Asterisk 1.2.16
NB: these packages are obsoleted by the 1.4.x ones; people are encouraged to switch to 1.4.x as OpenWRT support for 1.2.x will probably end in the near future. These packages can be obtained through a package repository by adding a new line to your /etc/ipkg.conf:

src asterisk http://members.home.nl/hans.zandbelt/openwrt/whiterussian/packages
Installing dummy Zaptel timer support (ztdummy)
This enables MeetMe audio tele-conferencing bridge support and IAX2 trunking.
It is only useful on routers with UHCI USB features such as the Asus WL-500GdL.

1. Install kmod-zaptel
2. Install kmod-usb-uhci-iv
3. Install asterisk-app-meetme
4. Remove the alternate USB kernel module (if loaded): rmmod uhci
5. Insert the required USB module required for Zaptel timer support: insmod ./usb-uhci.o
6. Insert the Zaptel module: insmod ./zaptel.o
7. Insert the dummy USB Zaptel timer module: insmod ./ztdummy.o
8. Install the Asterisk core package (or *-mini ipk for iax2-only support) from the list above.
9. For tele-conferencing: configure meetme.conf and extensions.conf and make sure the app_meetme.so is loaded.
10. For trunking: configure iax.conf.

Have fun with tele-conferencing and/or IAX2 trunking...
Sounds
Here's a package with Dutch (male) voices for Asterisk 1.x, created by Jeroen Naeff from the samples provided by Born Digital.
# asterisk-dutchmale-sounds_0.1_mipsel.ipk
Contact
Preferably send your comments to the OpenWRT forum in one of the topics on Asterisk in the section for Community Releases.

Thursday, September 11, 2008

OpenVPN - Site-to-Site Bridged VPN Between Two Routers

Procedure Summary

  1. Obtain a Linksys WRT54GL router
  2. Install the OpenVPN version of DD-WRT on both routers. NOTE: Use v23 sp3 or greater if you want to connect multiple clients to one server simultaneously. Single client to server works fine with sp2.
  3. Generate the necessary keys for public key authentication
  4. Configure a router as the server
  5. Configure the other router as the client
  6. Test the VPN

Obtain a Linksys WRT54GL Router

The author has experienced flawless performance from the two Linksys WRT54GL routers he has used to establish a site-to-site VPN. Although other routers will likely work equally well, if you obtain Linksys WRT54GL routers to set up a site-to-site VPN, you can have a high level of confidence that you will be successful.

Install DD-WRT onto Your Routers

  1. Download the latest stable release of the OpenVPN version of DD-WRT from DD-WRT. At the time this was written, the file you need to download is dd-wrt.v23_vpn_generic.bin. I use dd-wrt.v23_vpn_wrt54g.bin; this is sp3.

Generate Keys for Authentication

  1. Download OpenVPN from HERE onto the computer that you are going to use to communicate with (i.e., configure) the routers.
  2. Follow these instructions to install OpenVPN onto your computer.
  3. Follow these instructions to generate keys for authentication. (Note: when generating the client key, create only one key and name it client, rather than client1.)

Configure the Server Router

Basic Setup

  1. Log onto the first router, which will be our server router, using the GUI.
  2. Go to Setup > Basic Setup.
  3. Set the Local IP Address of the first router to 192.168.1.1 with a Subnet Mask of 255.255.255.0. (Of course, you are not required to use the network address 192.168.1.0. You can use any network address you like, but this tutorial will assume you are using this network.)
  4. Make sure DHCP server is enabled.
  5. Set the Start IP Address to 100.
  6. Set Maximum DHCP Users to 50.
  7. Set the Time Zone. (The time zone you select is not important to the success of this tutorial, but setting the same time zone on both routers is important.)
  8. Click Save Settings.

Startup Script

  1. Go to Administration > Commands
  2. Paste the following into the Command Shell box:
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression

# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
INSERT YOUR server.key HERE
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR server.crt HERE
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
INSERT YOUR dh1024.pem HERE
-----END DH PARAMETERS-----
" > dh1024.pem

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf

route add -net 192.168.1.0/24 dev br0
  3. Replace the "INSERT YOUR [FILE] HERE" text with the appropriate text from the .crt or .key files you generated during the Generate Keys for Authentication step.
  4. Click Save Startup
  5. Paste the following into the Command Shell box:
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
  6. Click Save Firewall
  7. Reboot the router

Configure the Client Router

Basic Setup

  1. Log onto the second router, which will be our client router, using the GUI.
  2. Go to Setup > Basic Setup.
  3. Set the Local IP Address of the second router to 192.168.1.254 with a Subnet Mask of 255.255.255.0. (Of course, if you used a different network address and subnet mask when setting up the server router, use that same address and mask for this router.)
  4. Make sure DHCP server is enabled.
  5. Set the Start IP Address to 50. NOTE: All the IP addresses of the client LAN and the server LAN must all be unique. You can't have 192.168.1.100 on the client LAN and 192.168.1.100 on the server LAN. In this case, all would be 192.168.1.x. Router IP addresses must also be different but must be 192.168.1.x as well. If you have multiple routers as simultaneous clients, all client's LAN IP addresses must be unique in the same way. Watch out that your DHCP assignments cannot create duplicate addresses.
  6. Set Maximum DHCP Users to 50.
  7. Set the Time Zone to the same time zone you set on the first (server) router.
  8. Click Save Settings.

Startup Script

  1. Go to Administration > Commands
  2. Paste the following into the Command Shell box:
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5

echo "
client
daemon
dev tap0
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
" > /tmp/client.conf

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > /tmp/ca.crt

echo "
-----BEGIN RSA PRIVATE KEY-----
INSERT YOUR client.key HERE
-----END RSA PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR client.crt HERE
-----END CERTIFICATE-----
" > /tmp/client.crt

./myvpn --config client.conf

route add -net 192.168.1.0/24 dev br0

UPD from hryamzik: This script didn't work for me. I've composed the following:

cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 promisc

cat > /tmp/up.sh << EOF
/sbin/ifconfig tap0 0.0.0.0
EOF

chmod +x /tmp/up.sh

echo "
daemon # Become a daemon after all initialization
client
dev tap0
proto udp
remote domain.comt 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
mssfix 1200
up \"/tmp/up.sh\"
" > client.conf

echo "
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key

echo "
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
" > /tmp/client.crt

./myvpn --config client.conf

route add -net 192.168.1.0/24 dev br0

Be careful with "route add"; I had some problems with it when I used wrong values. I did not update iptables.

End of upd by hryamzik.

  3. Replace the "INSERT YOUR [FILE] HERE" text with the appropriate text from the .crt or .key files you generated during the Generate Keys for Authentication step.
  4. Replace the xxx.xxx.xxx.xxx text with the public IP address (or DNS name) of your first (server) router. (Note: if your Internet Service Provider gives your routers dynamic IP addresses (and they probably do), you might want to look into Dynamic DNS services such as DynDNS or No-IP.com. You can start to learn more about dynamic DNS by looking at this page.)
  5. Click Save Startup
  6. Reboot the router (i.e., in the GUI, click Administration > Management and click Reboot Router at the bottom)

Test the VPN

If all is well, and a VPN has been established between your two routers, you should be able to ping hosts behind either router.
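Before rebooting and pinging, it is worth checking that the two option blocks actually pair up. The following is an added example, not part of the original tutorial: a small Python checker run over constructed copies of the server and client configs above. It flags transport mismatches (proto, port, tap vs tun, comp-lzo), missing key-material lines, and a client that omits ns-cert-type server, the line that stops any other holder of a CA-signed client certificate from posing as the server. Function names are my own.

```python
# Constructed copies of the option blocks from the two startup scripts above.
SERVER_CONF = """
mode server
proto udp
port 1194
dev tap0
keepalive 15 60
daemon
verb 3
comp-lzo
client-to-client
duplicate-cn
tls-server
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
"""

CLIENT_CONF = """
client
daemon
dev tap0
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
"""


def parse_openvpn_conf(text):
    """Parse 'option arg...' lines into {option: [args]}; '#' starts a comment.
    The first occurrence of a repeated option wins, which is enough here."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts.setdefault(name, args)
    return opts


def check_bridged_pair(server_text, client_text):
    """Return (errors, warnings) for a server/client config pair. Errors keep
    the tunnel from coming up or weaken its authentication; warnings are
    settings worth a second look before going live."""
    s = parse_openvpn_conf(server_text)
    c = parse_openvpn_conf(client_text)
    errors, warnings = [], []
    # Transport: same protocol, and the client's remote port must be the
    # port the server listens on (OpenVPN defaults both to udp/1194).
    s_proto, c_proto = s.get("proto", ["udp"])[0], c.get("proto", ["udp"])[0]
    if s_proto != c_proto:
        errors.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    s_port = s.get("port", ["1194"])[0]
    remote = c.get("remote")
    if not remote:
        errors.append("client has no 'remote' line")
    else:
        c_port = remote[1] if len(remote) > 1 else "1194"
        if c_port != s_port:
            errors.append(f"port mismatch: server port {s_port}, client remote port {c_port}")
    # Bridging (brctl addif br0 tapX) needs a tap device on both ends.
    for side, conf in (("server", s), ("client", c)):
        dev = conf.get("dev", [""])[0]
        if not dev.startswith("tap"):
            errors.append(f"{side} dev '{dev}' is not a tap device")
    # Compression must be enabled on both ends or on neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        errors.append("comp-lzo set on one side only")
    # TLS role and the files each side needs.
    if "tls-server" not in s:
        errors.append("server lacks tls-server")
    for side, conf, files in (("server", s, ("ca", "cert", "key", "dh")),
                              ("client", c, ("ca", "cert", "key"))):
        for f in files:
            if f not in conf:
                errors.append(f"{side} lacks '{f}' line")
    # Without this, any certificate signed by the CA (another client's
    # included) would be accepted as the server's.
    if c.get("ns-cert-type") != ["server"] and c.get("remote-cert-tls") != ["server"]:
        errors.append("client does not check the server certificate role "
                      "(ns-cert-type server / remote-cert-tls server)")
    if "duplicate-cn" in s:
        warnings.append("duplicate-cn lets many peers share one client certificate, so a leaked one cannot be tied to a single client")
    if "1024" in s.get("dh", [""])[0]:
        warnings.append("1024-bit DH parameters are weak; generate 2048-bit or larger")
    return errors, warnings
```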

Dynamic DNS

Dynamic DNS (DDNS) is a DNS caching service

DD-WRT v23 SP2 and later use inadyn as their embedded DynDNS client.

Here's a list of Dynamic DNS service providers:

http://www.dyndns.com
http://www.easydns.com
http://freedns.afraid.org
http://www.no-ip.com
http://www.tzo.com
http://www.zoneedit.com
http://www.ChangeIP.com

Configuration

Predefined

DD-WRT provides a set of predefined configurations for the most common DDNS services. After choosing one of the predefined DDNS services, you have to provide the "User Name" and the "Password" for the account at your DDNS service. In the "Host Name" field, you have to enter the fully qualified name of your dynamic domain (e.g. myhostname.example.org).

Multiple DDNS host names

If you have multiple host names registered at your DDNS service, you can enter them in the "Host Name" field using the "-a" option.

Example: You want to update the IP address for myhostname1.example.org, myhostname2.example.org and myhostname3.example.org; in this case, you have to enter in the "Host Name" field the following string: "myhostname1.example.org -a myhostname2.example.org -a myhostname3.example.org". (Note: no "-a" for the first host name.)

Custom (URL Updates)

With URL updates, the client program usually submits a request using the Hypertext Transfer Protocol (HTTP) to a DDNS server. The request may contain your requested hostname (your dynamic domain name) and/or your IP address. The server then asks for the username and password. The client program returns the information to authorize itself, and the update is completed with the server's response, which reports the result.

When your DDNS Service provider uses URL updates, you need to know the url which the client program requests. An example of such a url is:

http://example.com/dyndns/update?hostname=hostname.example.org&ip=1.2.3.4

The URL is divided into parts, which should be simple to tell apart:

Protocol: Usually appears first and is followed by "://".
Location: Usually after the protocol; this can be an IP address or a domain name.
Port (optional): Sometimes appears after the location, always after a colon.
URI: The last part of the URL, which can be subdivided. It normally appears after the location and port.

The URI can be subdivided even further. Most of the URI is optional.

URI Location: Everything before the "?" or "#" (whichever comes first).
URI Parameters: Everything after the "?" and before the "#". There can be many parameters. Often, as in the example above, they are given in the "name=value" form, and when more than one value needs to be specified they are divided with "&", so "name1=value1&name2=value2&name3=value3" specifies three parameters.
URI Link: Everything after the "#", used to specify a specific point in a page.

The example request above is:

Protocol: http
Location: example.com
Port: Not specified
URI: /dyndns/update?hostname=hostname.example.org
URI Location: /dyndns/update
URI Parameter "hostname": hostname.example.org

To confirm that you have the correct URL, try updating your IP manually by opening the URL in your web browser. When prompted, enter your registered username and password. If you aren't registered, register and set up (add) your dynamic domain name first. Once you have this information, you should be able to set it up using DD-WRT.

  1. Login to the Web GUI, Set DDNS under "Setup" to "custom"
  2. If the URL parameters include "hostname", use "dyndns@dyndns.org" for DNS System. Otherwise use "custom@http_svr_basic_auth".
  3. Enter "Username" and "Password" with your registered username and password of your DDNS service provider.
  4. Fill in your hostname in "Host Name"
  5. Complete options in "Additional DDNS Options" textarea.
  6. Save Changes and Reboot Router

Additional DDNS Options

For the custom DDNS to work properly we must specify options so that the program knows what to do.

  • Specify the Server Name option, this is Location and perhaps the port (if specified) of the URL.
  • Specify Server URL Option. If you used the "dyndns@dyndns.org" as "DNS System" you need to specify the Server URL option as just the URI Location; otherwise you need to specify the entire URI.

Using the example above, the Additional DDNS Options should be:

" --dyndns_server_name example.com --dyndns_server_url /dyndns/update"

If this isn't working, try pinging checkip.dyndns.org. You may have to use the "ip_server_name" option if you are unable to receive a response. This option is used to specify an alternate source to get your IP from. Many websites have options to view your IP address. For the update to work properly, the IP address check must be done on the server side (no JavaScript/VBScript) and your IP address must be the first address on the page. You may need to confirm this by using "View Source" in your browser.

Example:

http://www.dnsstuff.com/tools/my-ip-address.ch

Dividing this URL is similar to dividing the one above:

Protocol: http
Location: www.dnsstuff.com
Port: Not specified
URI: /tools/my-ip-address.ch
URI Location: /tools/my-ip-address.ch

The "ip_server_name" option uses the Location and the URI. If there is not a URI, use "/"

The "ip_server_name" string using the server above should be:

"--ip_server_name www.dnsstuff.com /tools/my-ip-address.ch"

Note the space between the Location and the URI.

If you have multiple DynDNS domains under the same account and need to update them together, you can add one or more "-a" options to do so, e.g. "-a SECOND_HOSTNAME.example.com". This only works if the domains are under the same provider and account.

So, finally, the additional options should be complete and will work in general cases.
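As an added example (not from the DD-WRT wiki), the rules above written out in Python: split_update_url breaks a URL into the parts listed, inadyn_options builds the DNS System choice and the Additional DDNS Options string from an update URL plus an optional IP-check URL, and credential_exposure flags update URLs that carry a password as a parameter or go over plain http. The function names are my own; the option names are inadyn's as used on this page.

```python
from urllib.parse import urlsplit

SECRET_PARAMS = {"password", "pass", "passwd", "pwd", "key", "token"}


def split_update_url(url):
    """Break a DDNS update URL into the parts named in the text above."""
    p = urlsplit(url)
    params = {}
    for item in p.query.split("&"):
        if item:
            name, _, value = item.partition("=")
            params[name] = value
    return {
        "protocol": p.scheme,
        "location": p.hostname or "",
        "port": p.port,  # None when not specified
        "uri": p.path + ("?" + p.query if p.query else ""),
        "uri_location": p.path,
        "uri_parameters": params,
        "uri_link": p.fragment,
    }


def host_with_port(parts):
    """Location plus ':port' when a port was given (the Server Name option)."""
    return parts["location"] + (f":{parts['port']}" if parts["port"] else "")


def inadyn_options(update_url, ip_check_url=None):
    """Derive the DD-WRT 'DNS System' choice and the 'Additional DDNS Options'
    string from an update URL and, optionally, the URL of a page that shows
    the caller's IP address, following the rules given on this page."""
    u = split_update_url(update_url)
    if "hostname" in u["uri_parameters"]:
        # dyndns-style update: inadyn appends ?hostname=... itself, so only
        # the URI location is passed as the server URL.
        dns_system = "dyndns@dyndns.org"
        server_url = u["uri_location"] or "/"
    else:
        # generic basic-auth update: the whole URI is passed through; any
        # value inadyn should fill in (e.g. 'host=') must be blanked by hand.
        dns_system = "custom@http_svr_basic_auth"
        server_url = u["uri"] or "/"
    opts = f"--dyndns_server_name {host_with_port(u)} --dyndns_server_url {server_url}"
    if ip_check_url:
        i = split_update_url(ip_check_url)
        # location and URI are separate arguments; "/" when there is no URI
        opts += f" --ip_server_name {host_with_port(i)} {i['uri'] or '/'}"
    return {"dns_system": dns_system, "additional_options": opts}


def credential_exposure(update_url):
    """List how an update URL exposes credentials. Secrets carried as URL
    parameters (as in the NameCheap and DNSexit examples on this page) end up
    in /tmp/ddns/inadyn.conf and in any proxy or server log; plain http
    exposes both the basic-auth credentials and the update on the wire."""
    u = split_update_url(update_url)
    findings = [f"secret in URL parameter '{n}'" for n in u["uri_parameters"]
                if n.lower() in SECRET_PARAMS]
    if u["protocol"] != "https":
        findings.append("update sent over plain http")
    return findings
```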

Examples

dnspark.com

This configuration may be correct.
DDNS Service: Custom
DYNDNS Server: www.dnspark.net
Username: your ddns' username
Password: your ddns' password
Host Name: your domain
URL: /api/dynamic/update.php?mx=ON&mxpri=5


3322.org

Example options for 3322.org (a Chinese DynDNS provider)

Username: USERNAME
Password: PASSWORD
Registered Dynamic Domain Name: SAMPLEHOSTNAME.3322.org

3322.org Updating Methods typical url: http://www.3322.org/dyndns/update?system=dyndns&hostname=SAMPLEHOSTNAME.3322.org


Option strings, using a Chinese IP server:

using dyndns@dyndns.org " --dyndns_server_name www.3322.org --dyndns_server_url /dyndns/update? --ip_server_name www.bliao.com:2000 /ip.phtml "

using custom@http_svr_basic_auth: " --dyndns_server_name www.3322.org --dyndns_server_url /dyndns/update?hostname= --ip_server_name www.bliao.com:2000 /ip.phtml "

freedns.afraid.org

DDNS Service: freedns.afraid.org

User Name: USERNAME

Password: PASSWORD

Host Name: yourdomain.com,EntireHashValueAfterTheQuestionMarkTakenFromAfraidDotOrgScript

Force Update Interval 10

DNS-O-Matic

DNS-O-Matic provides you a free and easy way to announce your dynamic IP changes to multiple services with a single update. Using DNS-O-Matic allows you to pick and choose what Dynamic DNS services you want to notify, all from one easy to use interface.

More info can be found in the forums. Using DNS-O-Matic is an easy way to update your favorite dynamic dns service and OpenDNS (which currently does not work with dd-wrt's built in inadyn).


DDNS Service: Custom
DYNDNS Server: updates.dnsomatic.com
User Name: your dns-o-matic username
Password: your dns-o-matic password
Host Name: all.dnsomatic.com
URL: /nic/update?

DynDNS

Note that as of v23, using DDNS in DD-WRT will not allow updates to the DynDNS server using the pre-set DynDNS settings. You must set the DDNS service to Custom and follow all the instructions below.

Below are my settings for dynamic DDNS using dyndns.org

  • substitute your account setting for those in quotes
DDNS Service Custom
DYNDNS Server members.dyndns.org
User name 'Your DynDNS username'
Password 'Your DynDNS password'
Hostname 'Your DynDNS hostname'
URL /nic/update?
Additional DDNS Options --dyndns_system dyndns@dyndns.org --ip_server_name checkip.dyndns.org:8245 /

If static DNS is used, use statdns@dyndns.org instead of dyndns@dyndns.org.

EveryDNS

EveryDNS is a basic free dynamic DNS provider.

DDNS Service: Custom
DYNDNS Server: dyn.everydns.net
Username: 'Your EveryDNS Username'
Password: 'Your EveryDNS Password'
Host Name: 'Your Domain Name'
URL: /index.php?

Edit DNS

EditDNS

DDNS Service: Custom
DYNDNS Server: dyndns.editdns.net
Username: 'Your Email'
Password: 'Your Password' (optional?)
Host Name: 'Your Domain Name'
URL: /api/dynLinux.php?p=&r=

NameCheap

NameCheap is a domain registrar that includes free dynamic dns with the host registration. Under $10/year. NameCheap doesn't use normal http auth for updating, so you have to include your domain and password in the URL.

DDNS Service: Custom
DYNDNS Server: dynamicdns.park-your-domain.com
Username: (not used)
Password: (not used)
Host Name: 'Your subdomain (or @ for none)'
URL: /update?domain=[your domain]&password=[your password]&host=

DNSexit

DNSexit is a domain registrar that provides free DNS for top-level domains, for both business and home internet users.

DDNS Service: Custom
DYNDNS Server: www.dnsexit.com
Username: BOGUS
Password: BOGUS
Host Name: 'Your Domain Name'
URL: /RemoteUpdate.sv?login=USERNAME&password=PASSWORD&host=


CHANGEIP.COM

The information below is how to configure your router to update www.ChangeIP.com dynamic dns hostnames:

  • substitute your account setting for those in quotes
DDNS Service Custom
DYNDNS Server nic.changeip.com
User name 'Your ChangeIP.com username'
Password 'Your ChangeIP.com password'
Hostname 'Your DynDNS hostname' or '*1' for Group #1
URL /nic/update?system=dyndns&hostname=
Additional DDNS Options --ip_server_name ip.changeip.com

Give UP?

I gave up on trying to set up my freedns.afraid.org setup and just set a cron script at startup to use freedns' wget method of updating my DNS every 5 minutes on the router. If this does not work for you, some variation on this theme might:

echo '*/5 * * * * root /usr/bin/wget -O - "http://freedns.afraid.org/dynamic/index.php?action=script&data_id=XXXXXX" >/dev/null 2>&1' >> /tmp/crontab

NOTE: In the above, the XXXXXX is an id number provided by freedns.afraid.org

Debugging your configuration

Internally, DD-WRT uses inadyn and creates, in the directory /tmp/ddns, a configuration file from your settings in the web form. To check whether the expected configuration file is created from your settings in the web form, you can inspect this file as follows:

  • ssh or telnet to the router
  • navigate to /tmp/ddns: cd /tmp/ddns
  • inspect file inadyn.conf: cat /tmp/ddns/inadyn.conf

If you are not familiar with the format of the inadyn.conf file, you can just call /usr/sbin/inadyn from the command line and the allowed parameters are shown.

OpenVPN - Site-to-Site routed VPN between two routers

The following details the procedure for establishing a site-to-site routed VPN between two DD-WRT/vpn image enabled routers. The author tried the config on two Linksys WRT54GL (v1.1) routers.

Procedure Summary

  1. Router Preparation.
  2. Install OpenVPN on your PC and generate your secret key.
  3. Configure one router as the server.
  4. Configure the second router as the client.
  5. Test the VPN connection.
  6. Advanced Configuration: Multiple routed networks.


Router Preparation

At the time of writing, the latest available DD-WRT package is DD-WRT v24sp1 (10/8/08). Before proceeding, you need to download the VPN-flavoured version of DD-WRT from the DD-WRT Download Page.

Because most of us have DHCP-assigned dynamic IPs, you are also recommended to create a dynamic DNS host for the server router. More information on this procedure is available here.

Finally, make sure that your two routers are not distributing an overlapping IP subnet range. Usually, all routers come preconfigured with a 192.168.1.0 DHCP range distribution. Since you are doing routed configurations, you need to change the 192.168.1.0 subnet to another one. The easiest way is to adopt a sequential assignment:

Server side: 192.168.1.0
Client1 side: 192.168.2.0
Client2 side: 192.168.3.0
etc...

This way, when your internal networks communicate with each other, they don't overlap and you don't end up having miscommunication.

If you are looking for a bridged configuration, you'd better check this page instead.

Secret Key Generation

Prior to configuring your routers, you need to create a shared secret key. This key will be used to authenticate and encrypt your site to site communication.

Start by downloading the latest OpenVPN package from OpenVPN's main site. Install the package (Usually gets installed in C:\Program Files\OpenVPN if you are running Windows). Now, get a command prompt and issue the following command from the OpenVPN directory:

openvpn --genkey --secret static.key

This will create a text file named 'static.key'. Opening it in Notepad, or any text editor will get you an output similar to the following one:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
aeb68165149e096d8f04252dd22fe67d
dd15d8c87e8a577c5c14ebd1ef0bf0b6
0e1d652f91fe66ed3774505e641936dd
458a6db60fb36b969d8bcd37803cf1d3
6d49383ec2daa1d2ae70e3ca49b950a4
bba985940e5e4a15fac702cbcf47f9d0
39f7939980bbb63d2964bb6216471162
0a519fe25d1e0d48044a1ad85dc94758
af6f7b7c52ccaaefa3d013fcbf621366
5ea18d9dc36c3b2a9ac277a9903998fe
45e10b0f79fd443727c3f30278981b3d
0fa525ad843645b4acc28969450bd601
4ce774aba0e830149489dc1592741580
fbd3cd24cc7baa68e06b3e3aedae2565
a36b8a3f687ddbb78411740d755249cf
45c0617c215b66eabc72f60f47b32c64
-----END OpenVPN Static key V1-----

Warning: Don't go lazy and copy the above, doing so will jeopardize your secure connection, recreate the file from scratch.
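As an added example (not part of the original page), a Python checker for the two things this section asks you to get right: that the pasted static.key holds real key material (BEGIN/END markers around exactly 2048 bits of hex, not the '...PASTED HERE...' placeholder from the startup script) and that the server LAN, the client LANs and the 10.0.0.0/24 tunnel network do not overlap. make_demo_key builds a constructed key from os.urandom purely for the check; the function names are my own.

```python
import ipaddress
import os
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BITS = 2048  # size that 'openvpn --genkey --secret' produces, as shown above


def validate_static_key(text):
    """Return (ok, reason) for the text of a static.key file: '#' header lines
    are ignored, the BEGIN/END markers must be present, and between them there
    must be exactly 2048 bits (512 hex digits) of key material."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("#")]
    if not body or body[0] != BEGIN or body[-1] != END:
        return False, "missing BEGIN/END markers"
    hexdata = "".join(body[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]+", hexdata):
        return False, "non-hex text between the markers (placeholder not replaced?)"
    if len(hexdata) * 4 != KEY_BITS:
        return False, f"expected {KEY_BITS} key bits, found {len(hexdata) * 4}"
    return True, "ok"


def make_demo_key():
    """Constructed key in the same layout as the sample above (16 lines of
    32 hex digits) built from os.urandom; for real use run 'openvpn --genkey'."""
    hexdata = os.urandom(KEY_BITS // 8).hex()
    rows = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN, *rows, END]) + "\n"


def check_site_plan(server_lan, client_lans, tunnel, server_tun, client_tuns):
    """Return a list of problems with a routed site plan: every LAN and the
    tunnel network must be disjoint, and each tun address must lie inside the
    tunnel network. An empty list means the plan is consistent."""
    problems = []
    nets = [("server LAN", ipaddress.ip_network(server_lan))]
    nets += [(f"client{i + 1} LAN", ipaddress.ip_network(n)) for i, n in enumerate(client_lans)]
    tun_net = ipaddress.ip_network(tunnel)
    nets.append(("tunnel", tun_net))
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    endpoints = [("server", server_tun)] + [(f"client{i + 1}", t) for i, t in enumerate(client_tuns)]
    for label, addr in endpoints:
        if ipaddress.ip_address(addr) not in tun_net:
            problems.append(f"{label} tun address {addr} is outside {tun_net}")
    return problems
```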


Server Configuration

Using Notepad or any text editor, create the following two configurations:


Config 1

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up

# Create routes
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.2

# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

Warning: Watch out for the OTHERSUBNET chunk, you should replace it with your client network's subnet (for example: 192.168.2.0 or 192.168.3.0).

Also, do note that the static key that was created in the previous step should be pasted in the appropriate section, right after the 'echo' text.


Now, create a second configuration with the following text.

Config 2

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Now, go to your router configuration interface, click on 'Administration' then 'Commands'. Paste your 'Config 1' in your 'Startup' section and your 'Config 2' in your 'Firewall' section.

You're done with the server configuration!


Client Configuration

The client configuration is very similar to the server configuration, with a few small modifications.

Again, you need to create two configs:


Config 1

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
remote REMOTEADDRESS
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

Warning: Watch out for the OTHERSUBNET chunk, you should replace it with your server network's subnet (for example: 192.168.1.0).

Also, do note that the static key that was created in the previous step should be pasted in the appropriate section, right after the 'echo' text.

In addition to the above, and since this is your client, you need to replace the REMOTEADDRESS with your server's IP address or the dynamic DNS address you created in the previous Router Preparation section.


Now, create a second configuration with the following text.


Config 2

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Now, go to your router configuration interface, click on 'Administration' then 'Commands'. Paste your 'Config 1' in your 'Startup' section and your 'Config 2' in your 'Firewall' section.

You're done with the client configuration!

VPN Tests

I am getting many emails from people asking for this section, so I'll try to add some meat. Let me know what you think about it.

Because our routed VPN configuration is not 'natively' supported by DD-WRT but is an ad-hoc one, there is no direct way to get information through the router's web interface. Instead, I propose the following two alternatives/suggestions:


First Technique: Shell Logging

Add logging to the VPN tunnel operation. This can be done by inserting the following line in the client and/or server configuration:

log /tmp/openvpn.log

This will instruct openvpn to create a log file named 'openvpn.log' in /tmp. By enabling Telnet or SSH and connecting to your router, you should be able to get the logging output by issuing the following command:

router$ less /tmp/openvpn.log

You need to use your arrow keys to scroll up and down in the log and 'q' to exit the scroller.

Warning: This should only be used for testing and debugging purposes as it generates extra load on your router, as well as eating up valuable space in memory.


Second Technique: Use Syslog

Syslogging is an excellent way to get all sorts of information on your routers. In addition to OpenVPN alerts and tunnel stats, you can get router access, DHCP usage, etc... Pretty much everything using Syslogging. Unless a 'log' stanza is present in the openvpn config file, openvpn will dump all the logging to syslog by default.
The recipe:
1. Open your browser and connect to your router's interface. Click on 'Services' and scroll all the way down (I am assuming DD-WRT RC4 and above has been flashed on your router).
2. Locate the 'System Log' section and click on 'Enable' next to syslogd. This will add one more space called 'Remote Server' right underneath 'syslogd', type in your computer's IP address or preferably any other workstation that can successfully ping the router.

   Image:Syslogview.JPG  


3. Download a syslog daemon and viewer; there is an excellent freeware version available at Kiwi Enterprises' website that I'm linking here.
4. Install the syslog daemon and don't forget to enable it. This can be done from the Kiwi Syslog application's toolbar: click on the 'Manage' menu, then successively select 'Install the Service' and 'Start the Service'. You can verify that the syslog service is operational by pressing 'Ctrl+T', which sends a test message to the console.
5. To test it immediately, force your router to reboot and voila! You should see all messages coming from your router (including VPN initiation and communication messages) appearing on your Kiwi Syslog console page. If you are creating several VPN connections, you can configure all your routers to redirect their syslog to one PC, allowing you to easily monitor all your networks from one site. I'm currently managing 4 VPNed locations and this tool has proved to be invaluable to me.
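Whether the log ends up in /tmp/openvpn.log (first technique) or on a syslog collector (second technique), the same lines tell you whether the tunnel is up and whether anything is being rejected. The following script is an added example, not part of the original page: the log lines are constructed in the style of OpenVPN 'verb 3' output, 203.0.113.10 is a documentation-range placeholder for REMOTEADDRESS, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: summarise an OpenVPN log written by
# 'log /tmp/openvpn.log' or forwarded over syslog. The log lines below are constructed
# in the style of OpenVPN 'verb 3' output; 203.0.113.10 is a documentation-range
# placeholder standing in for REMOTEADDRESS.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sat Jan  5 10:00:01 2008 TUN/TAP device tun0 opened
Sat Jan  5 10:00:01 2008 UDPv4 link remote: 203.0.113.10:2000
Sat Jan  5 10:00:06 2008 Peer Connection Initiated with 203.0.113.10:2000
Sat Jan  5 10:00:07 2008 Initialization Sequence Completed
Sat Jan  5 10:05:10 2008 Inactivity timeout (--ping-restart), restarting
Sat Jan  5 10:05:10 2008 SIGUSR1[soft,ping-restart] received, process restarting
Sat Jan  5 10:05:16 2008 UDPv4 link remote: 203.0.113.10:2000
Sat Jan  5 10:05:21 2008 Initialization Sequence Completed
Sat Jan  5 10:09:00 2008 Authenticate/Decrypt packet error: packet HMAC authentication failed
EOF

# State of the tunnel according to the most recent event in the log:
# "up" after "Initialization Sequence Completed", "down" after a ping-restart
# or exit, "unknown" when neither has been logged yet.
vpn_state() {
    awk '/Initialization Sequence Completed/ { s = "up" }
         /Inactivity timeout|process restarting|process exiting/ { s = "down" }
         END { print (s == "" ? "unknown" : s) }' "$1"
}

# How many times the tunnel completed initialisation (first start plus restarts).
vpn_starts() {
    awk '/Initialization Sequence Completed/ { n++ } END { print n + 0 }' "$1"
}

# Packets rejected by the static key's HMAC check. A non-zero count on an
# otherwise healthy tunnel points at a key mismatch, or at datagrams reaching
# the VPN port from a host that does not hold the key.
vpn_hmac_failures() {
    awk '/HMAC authentication failed/ { n++ } END { print n + 0 }' "$1"
}

# Distinct remote endpoints the tunnel was established with; compare the
# result with the REMOTEADDRESS you configured.
vpn_peers() {
    awk '/Peer Connection Initiated with/ { print $NF }' "$1" | sort -u
}

echo "state=$(vpn_state "$SAMPLE_LOG") starts=$(vpn_starts "$SAMPLE_LOG")"
echo "hmac_failures=$(vpn_hmac_failures "$SAMPLE_LOG") peers=$(vpn_peers "$SAMPLE_LOG")"
```

Point the functions at /tmp/openvpn.log on the router, or at the file your syslog daemon writes, to run the same checks on a live tunnel.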

Advanced Configuration: Multiple routed networks

Warning: This section is not for the faint-hearted. Please read carefully and email me should you have any questions/comments/thoughts. Wiki is all about teamplay!

Let's assume we need to configure a 3-sites VPN connection as per the following figure:
Image:3sites-vpn.jpg

Attention: I tried keeping this technique simple and didn't use Certificates/CAs. Should you be interested in more complex scenarios, I do consultancy work and would gladly assist you.

You need to start by duplicating the above Client configuration on the two routers 'Client1' and 'Client2'. Pay extra attention to the IPs and IP ranges you are using and write down your configs. In essence, both clients will have pretty much the same configuration with one minor change. Since both will be connecting to the same server, you cannot use the same port number for both clients, so we will be giving port 1999 for the first client and 2000 for the second client (note that the configurations listed below actually use port 2000 for Client1 and port 1999 for Client2; what matters is that each client/server pair agrees on its own distinct port).
Also, we need to tell Client1 how to reach Client2's subnet and vice-versa. This means including a second routing entry in our configuration. As such, our configurations will look pretty much like the following:

Client1 Configuration

Client1 -- Startup

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site Client1-Server
echo "
remote REMOTEADDRESS
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > Client1-Server.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.1.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net SERVERINTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.1
route add -net CLIENT2INTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config Client1-Server.conf


Client1 -- Firewall

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Client2 Configuration

Client2 -- Startup

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site Client2-Server
echo "
remote REMOTEADDRESS
proto udp
port 1999
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > Client2-Server.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.2.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net SERVERINTERNALSUBNET netmask 255.255.255.0 gw 10.0.2.1
route add -net CLIENT1INTERNALSUBNET netmask 255.255.255.0 gw 10.0.2.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config Client2-Server.conf


Client2 -- Firewall

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 1999 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Server Configuration

As for the server, we need to perform three modifications:
1. Tell the server to listen for two connections, one on port 1999 and the other on port 2000. This is done by running the openvpn daemon twice (as you will see in the coming configuration, we will be creating two TUN interfaces, called 'tun0' and 'tun1').
2. Make sure to add a route to each of the two clients' internal subnets.
3. Allow client-to-client forwarding in the Firewall configuration script.

Server -- Startup

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site Server-Client1
echo "
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > Server-Client1.conf

# Config for Site-to-Site Server-Client2
echo "
proto udp
port 1999
dev tun1
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > Server-Client2.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
................................................
...YOUR SECRET KEY TEXT SHOULD BE PASTED HERE...
................................................
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
/tmp/myvpn --mktun --dev tun1
ifconfig tun0 10.0.1.1 netmask 255.255.255.0 promisc up
ifconfig tun1 10.0.2.1 netmask 255.255.255.0 promisc up

# Create routes
route add -net CLIENT1INTERNALSUBNET netmask 255.255.255.0 gw 10.0.1.2
route add -net CLIENT2INTERNALSUBNET netmask 255.255.255.0 gw 10.0.2.2

# Initiate the tunnel
sleep 5
/tmp/myvpn --config Server-Client1.conf
/tmp/myvpn --config Server-Client2.conf

Server -- Firewall

# Open firewall holes for Client1
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

# Open firewall holes for Client2
iptables -I INPUT 2 -p udp --dport 1999 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT

# Allow Forwarding packets between Client1 and Client2
iptables -I FORWARD -i tun0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o tun0 -j ACCEPT
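The recipe above keeps each tunnel's port in three places (the client's conf, the matching server conf and the server's INPUT rule), and the per-client settings drift easily, as the port mix-up between the prose and the configs shows. The script below is an added example, not from the original page: it checks that a client/server pair and the firewall script agree before the tunnel is brought up. The config files are constructed from the page's Client1-Server.conf / Server-Client1.conf templates, 203.0.113.10 stands in for REMOTEADDRESS, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: check that a client config, its
# counterpart on the server and the server's firewall rule agree before bringing
# a tunnel up. The files below are constructed from the page's Client1/Server
# templates; 203.0.113.10 is a placeholder for REMOTEADDRESS.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/Client1-Server.conf" <<'EOF'
remote 203.0.113.10
proto udp
port 2000
secret /tmp/static.key
comp-lzo
keepalive 15 60
EOF
# Server side deliberately out of step with the client: wrong port, no comp-lzo.
cat > "$WORK/Server-Client1.conf" <<'EOF'
proto udp
port 1999
secret /tmp/static.key
keepalive 15 60
EOF
cat > "$WORK/Server-Firewall.sh" <<'EOF'
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
EOF
# First line of an OpenVPN config whose first word is the given option.
conf_line() { awk -v k="$2" '$1 == k { print; exit }' "$1"; }
# Options that must match on both ends of a static-key tunnel, plus a check
# that the firewall script opens the port the server instance listens on.
# Prints one line per problem; the exit status is the number of problems found.
check_pair() {
    client=$1; server=$2; firewall=$3; problems=0
    for opt in proto port comp-lzo keepalive; do
        c=$(conf_line "$client" "$opt"); s=$(conf_line "$server" "$opt")
        if [ "$c" != "$s" ]; then
            echo "mismatch on '$opt': client '${c:-none}', server '${s:-none}'"
            problems=$((problems + 1))
        fi
    done
    port=$(awk '$1 == "port" { print $2; exit }' "$server")
    if ! grep -q -- "--dport $port " "$firewall"; then
        echo "firewall script does not open udp/$port for this server instance"
        problems=$((problems + 1))
    fi
    return "$problems"
}
check_pair "$WORK/Client1-Server.conf" "$WORK/Server-Client1.conf" \
           "$WORK/Server-Firewall.sh" || echo "$? problem(s) found"
```

Run the same check for Client2-Server.conf against Server-Client2.conf (port 1999, tun1) so both pairs are verified before pasting the scripts into the routers.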


Troubleshooting / FAQ

I will be including in this section any troubleshooting questions I received as well as their solution (If I have one or if the sender found a fix for it).

DMZ feature is used on your DD-WRT router

If you decide to run OpenVPN on your DD-WRT based router, make sure to disable any DMZ as the DMZ will override the usual port forwarding needed by your OpenVPN clients/server and would forward all connection requests to the DMZ host.

My tunnel is up but I cannot ping the remote endpoint

Yes, this is normal if the router is set to be not 'pingable' (the option is set by default). To rectify this and allow your server-side and client-side hosts to ping both routers' tunnel endpoints, while making sure that external hosts (not belonging to your networks) still cannot ping your routers' interfaces, add the following entry to your Firewall section in both routers:

iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT

Great! How about internal remote administration through HTTP?

Well, in that case you will have to do the same operation as in the previous issue (i.e. Cannot ping the remote endpoint) and add an extra iptables command in your Firewall section in both routers:

iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT

Why should I use a routed configuration and not a bridged configuration

Interesting question. Well, a bridged configuration will 'join' both networks together as one, same subnet, same IP range... Looks easier, but the problem here would be that all kinds of packets, including the infamous broadcasts will be traveling from one side of the network to the other, resulting in less-than-optimized usage of your precious bandwidth. On the other hand, a routed network will only send directed packets from one side of the network to the other.

I have a problem connecting my VPNs while using Chillispot, what's the issue?

The problem here is that Chillispot insists on using 'tun0' as a communication tunnel. The easiest solution is to simply replace your 'tun0' with another tunnel ('tun2', 'tun3', etc...)
Also, you need to make sure that both your firewall and startup sections are updated accordingly.

DHCP Forwarder / DHCP Server feature of DD-WRT

Please take note that this VPN configuration will not work if your router(s) is/are set up as DHCP forwarders. They must be DHCP servers in order for the VPN to connect properly.

Remarks

This should get you right in business and activate Site-to-Site routing between all Clients and the Server. I'm personally running 4 VPN connections using the above mentioned model without any issue whatsoever!

Please share your thoughts, comments and experiences!

Tuesday, September 9, 2008

Sunday, September 7, 2008

Sharing on the Humax without a computer is a reality using Linksys

Sharing on any receiver without a computer has become a reality, just by modifying the router. Not all types, though, only a few; it was tested on the Linksys WRT54G, WRT54GS and WRT54GL.
The method is simply adding a serial port, as shown in the picture,

then connecting it to the Humax via the usual serial cable.
Here is the method of running gbox on the router as a practical example:

All needed steps to install gbox on a Linksys router (WRT54GS):
1-install dd-wrt.v23_mini_wrt54gs
2-restore factory settings.
3-install dd-wrt.v23_wrt54gs FW (optional)
4-if the Linksys is not present, keep pinging till it replies (ping linksys-IP -t)
5-restore factory settings.
6-configure the Linksys
7-Go to the Advanced tab page and enable JFFS2.
or
telnet linksys root/admin
Code:
~ # nvram set jffs_mounted=1
~ # nvram set enable_jffs2=1
~ # nvram set clean_jffs2=1
~ # nvram set sys_enable_jffs2=1
~ # nvram set sys_clean_jffs2=0
~ # nvram commit
~ # reboot
8-keep pinging your router till it replies
9-Configure the gbox files
gbox_cfg
F: { 11 } /jffs
F: { 12 } /tmp
cwshare.cfg
normal configuration params
10-Run your FTP server on your laptop (laptop IP is 192.168.1.100)
11-telnet linksys root/admin
Code:
~ # cd ..
/tmp # cd ..
/ # cd jffs
/jffs # ftpget -u hnaga -p hnaga 192.168.1.100 gboxmips gboxmips
/jffs # ftpget -u hnaga -p hnaga 192.168.1.100 gbox_cfg gbox_cfg
/jffs # ftpget -u hnaga -p hnaga 192.168.1.100 cwshare.cfg cwshare.cfg
/jffs # chmod 755 gboxmips
/jffs # nvram set rc_startup="sleep 20 && cd /jffs && ./gboxmips &"
/jffs # nvram commit
/jffs # reboot
12-keep pinging your router till it replies
13-check gbox is running
Code:
~ # ps
..
329 root 988 S ./gboxmips ..
14-Congratulations.