Openwrt, TP-Link MR3020 and OpenVPN installation every time at power up

http://wp.me/ph3BR-1EL


Some annoying customers' companies require suppliers to provide a fixed IP before they can connect to their procurement system, pull orders and arrange deliveries, supposedly for [security reasons]. How reliable that really is, heaven knows. This method does not make anything safer, but it creates a lot of trouble.

Here is the problem: many of today's agents are one-man so-called agents, two-person micro-businesses (can that even be called a business!?), or small outfits that rent a tiny office and get going, and usually everyone is online through a phone. Where would a fixed IP come from! If you do not know what a fixed IP is, try visiting one of the sites that only offer an HTTP lookup; it will respond by showing your IP, for example:

http://ipecho.net/

https://myip.com.tw/

If you go online with a phone, then probably every time you walk into a basement and come back out, the signal drops and reconnects, and your IP changes. If it is a wired connection at home, such as Chunghwa Telecom, FarEasTone, China Mobile, AT&T and so on, the telecom company places a DSL modem (the "little turtle") or a fiber box in your house and rents it to you; unless you apply for a fixed IP, the vast majority are dynamic IPs, and as soon as that box loses power or reboots, your IP changes. If you need one, you must apply for a fixed IP and go online from one fixed place, so that the other side sees a fixed IP that never changes.

For a mobile workforce that needs a fixed IP, the solution has existed for a long time: VPN. Long ago, setting up Microsoft Outlook to receive company email already required a VPN connection to headquarters from the very first step; later I also used Lotus, which required dialing back to headquarters to send and receive email. Civilian Internet was not yet widespread then (roughly before the year 2000); a 33.6K modem was already the fastest, and you had to configure the Trumpet dial-up software yourself. It should be called narrowband. The biggest expense on a business trip was long-distance telephone charges, on average over 4000 dollars in phone bills, just to dial from the hotel back to the company modem to send and receive email. Later came broadband, 2M, 10M, 20M, 100M, then WiFi, Skype, WeChat and the like; long-distance charges dropped to zero, replaced by roaming data fees, and today there are short-term local SIM cards, so the cost problem is largely solved. But a VPN is still needed; the annoying customer demanding a fixed IP from suppliers is one example, and of course, on business trips inside China, wanting Google, YouTube and so on also calls for it. No special reason, just the old conflict between loving freedom and being controlled.

Every time I have those girls try the VPN, various small problems come up; dialing a VPN from a computer always brings some hassle and side issues. So, as an experiment: give each of them a small router that automatically connects to the VPN in the hotel and becomes a WiFi hotspot, so they are on the VPN without even noticing. That looks like one of the lowest-cost and most effective solutions. So I spent 3 days studying OpenVPN together with some leftover gear and the latest products, such as the ASUS RT-N13U B1, TP-LINK MR3020 and Raspberry Pi 3; these are all small Linux computers, and neither the features nor the prices are expensive. The result: the ASUS RT-N13U B1 is terrible; after setup, a power cycle produces errors everywhere, and it also hangs for no reason during use. Digging out the repair record, it was probably sent back with nothing but a firmware reflash and never actually repaired; it has always had problems, so I stopped sending it in and wrote it off. Now that it has been reflashed to OpenWrt firmware the behaviour is the same, which shows it is simply a lemon. Opening the case, the PCB is printed REV.1.20, there is no MAC address label, the CPU's shield can is covered in fingerprints that have oxidized black, and the CPU and regulator run very hot. As for the TP-LINK MR3020, back when mobile data was expensive and personal hotspots were not popular, I used it for a while and then slowly retired it; reflashed to OpenWrt firmware, with only 4M flash and 32M RAM, there is not enough room to install other software (OpenVPN). The Raspberry Pi 3 is the newest product as of March 2016, about 2000 TWD; it is very easy to set up, the simplest of the three and the most fun to play with, but compared with the 500 TWD price of a TP-Link TL-MR3020 v1 it is of course 4 times the cost. Because of that, I needed to learn a bit more about operating Linux and getting it online. By chance I came across these articles,

https://blog.zauberstuhl.de/openwrt_tplink_openvpn/

http://blog.ciberterminal.net/2013/06/18/openvpn-in-the-tp-link-wr841nd/

Their gist is this: low-end routers such as the TP-LINK MR3020 and TP-Link WR841N(D) have only 4M of flash but 32M of RAM. After flashing OpenWrt the flash is almost used up, but about 14M of RAM is untouched; it is called tmpfs (a space for temporary files that can be read and written at any time) and can be used to install OpenVPN or other software, except that everything in it vanishes when the power is pulled. So they wrote a script: at every power-up, once the router has automatically connected to the Internet, it automatically downloads OpenVPN and the related packages, unpacks and installs them into tmpfs, while the OpenVPN configuration file, being very small, is written permanently to flash. That solves the problem. Worth trying this method when I have time.

The two scripts below are copied from those two sites; copyright belongs to the original authors. They serve as a basis for learning shell scripting.


#REF : https://blog.zauberstuhl.de/openwrt_tplink_openvpn/
# Do not forget setting the right environment variables and we are good to go (/etc/profile):
#export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/tmp/libopenssl/lib
#export PATH=$PATH:/tmp/openvpn/bin


#!/bin/sh /etc/rc.common

START=99

. /etc/profile

install() {
local OVPNPATH=/tmp/openvpn
local OSSLPATH=/tmp/libopenssl
[ ! -d ${OVPNPATH} ] && mkdir ${OVPNPATH}
[ ! -d ${OSSLPATH} ] && mkdir ${OSSLPATH}
command opkg update || exit 1
# install openvpn
cd ${OVPNPATH}
tar xzf $(opkg download openvpn-openssl |grep Downloaded |cut -d\  -f4 |sed '$s/.$//')
tar xzf data.tar.gz
# delete unnecessary things (save space)
rm -f pkg.tar.gz data.tar.gz control.tar.gz debian-binary getopenvpn.sh
# install libopenssl
cd ${OSSLPATH}
tar xzf $(opkg download libopenssl |grep Downloaded |cut -d\  -f4 |sed '$s/.$//')
tar xzf data.tar.gz
# delete unnecessary things (save space)
rm -f control.tar.gz debian-binary data.tar.gz
}

start () {
# lvl 99 is not enough the script is too
sleep 10 # fast for the install step
install # setup openvpn and libssl
command openvpn --writepid /tmp/openvpn/ovpn.pid --daemon --config /etc/openvpn/client.conf
}

stop() {
PIDOF=$(ps |egrep openvpn |egrep  -v grep |awk '{print $1}')
kill ${PIDOF}
}

#REF : http://blog.ciberterminal.net/2013/06/18/openvpn-in-the-tp-link-wr841nd/
# opkg install kmod-tun
# opkg install liblzo
# opkg install libopenssl
# mkdir /etc/openvpn
#And import there your openvpn config files+certificates, watching any path reference 😛
#You’ll have to change the --config ciberterminal.conf inside my script with the name of your config file!
#Then create the init script:
# vi /etc/init.d/openvpn
#And give it permissions:
# chmod 755 /etc/init.d/openvpn
#You’ll be able to set it up in the Luci webUI as the rest of the services, or run it manually (for debugging), as always with:
# /etc/init.d/openvpn start
#Warning!
#This howto is not compatible with old versions of the WR841N[D] which only has 700kbs of rom.
#Warning!

#!/bin/sh /etc/rc.common
# Copyright (C) 2013 dodger@ciberterminal.net

START=99

start() {
local TMPPATH=/tmp/openvpn
[ ! -d ${TMPPATH} ] && mkdir ${TMPPATH}
cd ${TMPPATH}
opkg update || exit 1
tar xzf $(opkg download openvpn | grep Downloaded | cut -d\  -f4 | sed '$s/.$//')
tar xzf data.tar.gz
rm -f pkg.tar.gz data.tar.gz control.tar.gz debian-binary getopenvpn.sh
${TMPPATH}/usr/sbin/openvpn  --writepid /tmp/ovpn_ciberterminal.pid --daemon --cd /etc/openvpn --config ciberterminal.conf
}

stop() {
PIDOF=$(ps | egrep openvpn | egrep  -v grep | awk '{print $1}')
kill ${PIDOF}
}


I copied this script and tried it, https://blog.zauberstuhl.de/openwrt_tplink_openvpn/

The result: nothing happened at all. So I spent 3 hours learning how shell scripts are written and executed, referring to http://linux.vbird.org/linux_basic/0340bashshell-scripts.php#script, and did a HELLO WORLD test, which appears to be OK.

shell_script_test, ok


Then I spent some time re-familiarizing myself with Linux commands I had not used in a long while.

df -h, shows the filesystems and their sizes

df -f, show disk size


Under OpenWrt, if you want the OpenVPN client to run, the following packages need to be installed.

opkg install openvpn-openssl 
opkg install kmod-tun 
opkg install liblzo 
opkg install libopenssl

Create a directory /etc/openvpn and put the OpenVPN client's certificate file in it; the certificate file is provided to the user by the administrator, for example client.ovpn

Create a text file /etc/init.d/openvpn (because it sits in /etc/init.d/, it runs automatically at power-on), and write the following script into that file,

#### begin-of-script
#!/bin/sh  /etc/rc.common
START=99

. /etc/profile

install() {

local OVPNPATH=/tmp/openvpn
local OSSLPATH=/tmp/libopenssl
local LIBLZOPATH=/tmp/liblzo
local KMODTUNPATH=/tmp/kmod-tun

[ ! -d ${OVPNPATH} ] && mkdir ${OVPNPATH}
[ ! -d ${OSSLPATH} ] && mkdir ${OSSLPATH}
[ ! -d ${LIBLZOPATH} ] && mkdir ${LIBLZOPATH}
[ ! -d ${KMODTUNPATH} ] && mkdir ${KMODTUNPATH}

echo "----> opkg update, now"
command opkg update || exit 1
echo "----> opkg update is done"

# install openvpn
cd ${OVPNPATH}

echo "----> To download & install openvpn-openssl to RAM disk at ${OVPNPATH}"
tar xzf $(opkg download openvpn-openssl |grep Downloaded |cut -d\  -f4 |sed '$s/.$//')
tar xzf data.tar.gz
# delete unnecessary things (save space)
rm -f pkg.tar.gz data.tar.gz control.tar.gz debian-binary getopenvpn.sh

echo " "

# install libopenssl
cd ${OSSLPATH}
echo "----> To download & install libopenssl to RAM disk at ${OSSLPATH}"
tar xzf $(opkg download libopenssl |grep Downloaded |cut -d\  -f4 |sed '$s/.$//')
tar xzf data.tar.gz
# delete unnecessary things (save space)
rm -f control.tar.gz debian-binary data.tar.gz

echo " "

# install liblzo
cd ${LIBLZOPATH}
echo "----> To download & install liblzo to RAM disk at ${LIBLZOPATH}"
tar xzf $(opkg download liblzo |grep Downloaded |cut -d\  -f4 |sed '$s/.$//')
tar xzf data.tar.gz
# delete unnecessary things (save space)
rm -f control.tar.gz debian-binary data.tar.gz

#  echo " "

#  # install kmod-tun
#  cd ${KMODTUNPATH}
#  echo "----> To download & install kmod-tun to RAM disk at ${KMODTUNPATH}"
#  tar xzf $(opkg download kmod-tun |grep Downloaded |cut -d\  -f4 |sed '$s/.$//')
#  tar xzf data.tar.gz
# delete unnecessary things (save space)
#  rm -f control.tar.gz debian-binary data.tar.gz

echo " "

echo "----> done"
}

start () {
echo "REFERENCE : https://blog.zauberstuhl.de/openwrt_tplink_openvpn/"
echo " "
echo "modified for debug purpose, xiaolaba, 2016-MAR-20"
echo " "

# lvl 99 is not enough the script is too
sleep 10 # fast for the install step
install # setup openvpn and libssl and liblzo
#command openvpn --writepid /tmp/openvpn/ovpn.pid --daemon --config /etc/openvpn/client.conf
command openvpn --writepid /tmp/openvpn/ovpn.pid --daemon --config /etc/openvpn/my-client.ovpn
echo " "
echo "if you are asked user name and password here, it imply that openvpn is up and running, for debug purpose, xiaolaba, 2016-MAR-20"
}

stop() {
PIDOF=$(ps |egrep openvpn |egrep  -v grep |awk '{print $1}')
kill ${PIDOF}
}
#### end-of-script
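The install() step above runs tar on whatever opkg just fetched, and the router repeats that download at every boot. As an added example that is not code from this post or from the two blogs it copies, the helpers below pin a SHA256 for the .ipk, refuse to unpack a mismatch, and stop the daemon through the pidfile that --writepid already creates; EXPECTED_OVPN_SHA256, sha256_of, extract_ipk_verified, install_verified and stop_by_pidfile are names introduced here, and the digest value is a placeholder.

```shell
# Added example, not code from the original post or the two blogs it quotes.
# install() above runs "tar xzf $(opkg download ...)" and unpacks whatever the
# mirror served, and the router repeats that at every boot. These helpers pin
# the .ipk digest and refuse anything else. EXPECTED_OVPN_SHA256 is a
# placeholder: compute it once on a trusted machine and keep it in flash.

EXPECTED_OVPN_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Hex SHA256 of a file (busybox and coreutils sha256sum print the same format).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# extract_ipk_verified IPK DEST EXPECTED: unpack data.tar.gz from IPK into
# DEST only if the digest matches; otherwise return 1 and leave DEST alone.
extract_ipk_verified() {
    local ipk dest expected actual
    ipk=$1; dest=$2; expected=$3
    actual=$(sha256_of "$ipk") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "refusing $ipk: sha256 $actual, expected $expected" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    # An .ipk is a gzipped tar holding debian-binary, control.tar.gz, data.tar.gz.
    tar xzf "$ipk" -C "$dest" || return 1
    tar xzf "$dest/data.tar.gz" -C "$dest" || return 1
    rm -f "$dest/data.tar.gz" "$dest/control.tar.gz" "$dest/debian-binary"
}

# install_verified PKG DEST EXPECTED: opkg download, then verified unpack.
# Only runs on the router (needs opkg); the filename parsing is the post's own.
install_verified() {
    local ipk rc
    ipk=$(opkg download "$1" | grep Downloaded | cut -d' ' -f4 | sed '$s/.$//')
    [ -n "$ipk" ] || return 1
    extract_ipk_verified "$ipk" "$2" "$3"; rc=$?
    rm -f "$ipk"
    return $rc
}

# stop_by_pidfile PIDFILE: kill only the daemon that wrote the pidfile, instead
# of "ps | grep openvpn", which also matches this very init script.
stop_by_pidfile() {
    local pid
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null && rm -f "$1"
}
```

In the post's start(), the call would become install_verified openvpn-openssl /tmp/openvpn "$EXPECTED_OVPN_SHA256" || exit 1, and stop() would become stop_by_pidfile /tmp/openvpn/ovpn.pid.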



Then run the command,
chmod 755 /etc/init.d/openvpn
so that the system knows this script file is executable.


Edit the file /etc/profile and add the following two lines at the end (the paths where OpenVPN is installed on the RAM disk; they change with the version),
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/tmp/libopenssl/usr/lib:/tmp/liblzo/usr/lib 
export PATH=$PATH:/tmp/openvpn/usr/sbin


Edit the file /etc/config/network and add the following three lines at the end, adding the interface VPN,
config interface 'VPN'
    option proto 'dhcp'
    option ifname 'tun0'


Edit the file /etc/config/firewall and add the following lines at the end, so that LAN traffic goes out through the VPN,
config zone
    option name 'VPN'
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'VPN'
config forwarding
    option dest 'VPN'
    option src 'lan'


To test manually whether this script can install OpenVPN, run the following; if you see a prompt asking for your username and password, it worked.
/etc/init.d/openvpn start


To stop this script manually, run the following,
/etc/init.d/openvpn stop


To run it directly,
openvpn --cd /etc/openvpn --config /etc/openvpn/client.ovpn --remote 123.123.123.123 1179
or,
openvpn --writepid /tmp/openvpn/ovpn.pid --daemon --config /etc/openvpn/my-client.ovpn

To see the running status, run ps; you will see the pid mapped to openvpn.

Open another terminal and run ifconfig; you will see tun0

To terminate,
kill pid

openvpn done, TP-LiNK MR3020

REF:
https://www.loganmarchione.com/2014/10/openwrt-with-openvpn-client-on-tp-link-tl-mr3020/

OpenVPN setup for DD-WRT

http://wp.me/ph3BR-12G

machine : ASUS RT-N13U B1

DD-WRT, latest version, download here
http://www.dd-wrt.com/site/support/router-database


SSH setup for login
ref: http://www.dd-wrt.com/wiki/index.php/SSH#Using_Telnet

1) download puttygen.exe, to generate public key and private key,
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

2) run puttygen.exe
copy the public key content, and paste to clipbroad

[image: PuTTY key generated, something like this]

3) go to DD-WRT web interface, click [System Administration], [Remote Management], [SSH Management], [Enable], [port 22], [Save and Restart]

4) go to DD-WRT web interface, click [Services], [Secure Shell], [Authorized Keys], paste the public key, [Save and Restart]

5) disable telnet now, and use SSH for router login from now onward.

6) test and screen shot of SSH login, done
user name : root
password : your own password
[image: DD-WRT SSH login]

DDNS and bug

this version of dd-wrt has been confirmed to have a problem with DDNS updating the dynamic IP to those free DNS services, unless it is power-on reset, and there are some web pages with solutions on how to write your own script or use cron to get such free DDNS updates done on time. My own solution, which seems to work well: the free DNS no-ip.org is not working, and I am using http://freedns.afraid.org.

goto http://freedns.afraid.org/subdomain/, register and login, setup a free DNS service and your preferred host name.

goto [Dynamic DNS], http://freedns.afraid.org/dynamic/
under this page, look for and click [ quick cron example]; a web page will then be generated with your very own sub-domain and setup details, example as follows,

###############################################################################
# This is a crontab example for xiaolaba.mooo.com - (uid: xiao_test)
# Generated 2013-11-01 21:40:33 PST @ http://freedns.afraid.org/
################################################################################
# NOTES:
# * Works on Mac/Linux/*BSD/*NIX type systems
# * Updates automatically each 5 minutes
#
# INSTRUCTIONS:
# 1) To install, goto a system console, then type: 'crontab -e' (without
#      apostrophe's) then paste the bottom last line/entry from this file (all
#      on 1 line) and then save
# 2) To list installed crontabs (verifying installation), type: 'crontab -l'
# 3) To verify updates are occurring, wait 5 minutes, then 'cat /tmp/freedns_xiaolaba_mooo_com.log'
# 4) To read more about how crontab works, check out 'man -a crontab' or search
#      the web for 'installing a crontab' or 'cron' (same thing)
#
# SOME THOUGHTS:
# - This example is for simplicity, and ultra compatibility
# - I urge you to make updates only when a IP change occurs if you know how
#      (such as on ifup), or by polling your router status/snmp device first.
#      I wrote a client/daemon 'lastip2.phps' listed on the clients page that
#      can pull a router status page - however it requires some skill and
#      knowledge of your particular network to set it up properly
# - This below generated example avoids updates when seconds is between :55
#      and :05 to prevent a thundering herd of updates at the minute
# - PATH line may be optional, or not! Depends on your system, you may need it
#      somewhere (at the top) of your cron entry if you don't have one already
#      defined, include in your path where 'wget' and 'sleep' commands live on
#      your system
# - You can also run this @reboot, which is great for cloud image / instances,
#      (no 'sleep' needed if @reboot)
# - 'fetch', 'wget' or 'curl' all basically do the same thing, and should
#      interchangeably work - you may prefer or use one of those.  There is also
#      'lynx -dump', or 'w3m -dump' - I am sure there are many more!
#
# Have a better method, or directions? Send it to me!

################################################################################
# Things to check if it doesn't work...:
################################################################################
# Do you need to install wget?  As root, try:
# pkg_add -r wget; apt-get install wget; yum install wget
#
# Run a manual freedns dynamic update right from your console to check for
# errors, here's some examples (you can use/modify any update line that works
# within your cron):
#
# Example #1:
# wget -O - http://freedns.afraid.org/dynamic/update.php?NWphNWxQeEtHdENIS3hveTZib3BZZ1RjOjEwNTAxMzY4
#
# Example #2:
# curl http://freedns.afraid.org/dynamic/update.php?NWphNWxQeEtHdENIS3hveTZib3BZZ1RjOjEwNTAxMzY4
#
# Example #3:
# fetch -o - http://freedns.afraid.org/dynamic/update.php?NWphNWxQeEtHdENIS3hveTZib3BZZ1RjOjEwNTAxMzY4

# You might need to include this path line in crontab, (or specify full paths)
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

1,6,11,16,21,26,31,36,41,46,51,56 * * * * sleep 6 ; wget -O - http://freedns.afraid.org/dynamic/update.php?NWphNWxQeEtHdENIS3hveTZib3BZZ1RjOjEwNTAxMzY4 >> /tmp/freedns_xiao_test_com.log 2>&1 &


and the last line should look like the following,

1,6,11,16,21,26,31,36,41,46,51,56 * * * * sleep 6 ; wget -O - http://freedns.afraid.org/dynamic/update.php?NWphNWxQeEtHdENIS3hveTZib3BZZ1RjOjEwNTAxMzY4 >> /tmp/freedns_xiao_test_com.log 2>&1 &


and then I change this to the following, and paste it into [System Administration], [Add Cron Jobs]

*/5 * * * * wget -O - http://freedns.afraid.org/dynamic/update.php?NWphNWxQeEtHdENIS3hveTZib3BZZ1RjOjEwNTAxMzY4 >> /tmp/freedns_xiao_test_com.log 2>&1 &


OpenVPN setup

Download (openvpn-2.1.4-install.exe) and install OpenVPN & easy-rsa on the PC, to run them and generate the CA certificate required,
http://openvpn.net/index.php/open-source/documentation/howto.html
https://github.com/OpenVPN/easy-rsa, download ZIP, unzip and copy the easy-rsa Windows version to C:\Program Files\OpenVPN\easy-rsa (not needed with openvpn-2.1.4)

run from the Windows start menu (as administrator): Generate a static OpenVPN key
C:\Program Files\OpenVPN\config\key.txt will be generated (not needed with openvpn-2.1.4)

go to C:\Program Files (x86)\OpenVPN\easy-rsa (openvpn-2.1.4)
edit vars.bat.sample as follows,

win7 64 bit,


@echo off
rem Edit this variable to point to
rem the openssl.cnf file included
rem with easy-rsa.

rem the line following is only for WIN7 64 bit
set HOME=%ProgramFiles(x86)%\OpenVPN\easy-rsa\
set KEY_CONFIG=openssl.cnf

rem Edit this variable to point to
rem your soon-to-be-created key
rem directory.
rem
rem WARNING: clean-all will do
rem a rm -rf on this directory
rem so make sure you define
rem it correctly!
set KEY_DIR=keys

rem Increase this to 2048 if you
rem are paranoid.  This will slow
rem down TLS negotiation performance
rem as well as the one-time DH parms
rem generation process.
rem set KEY_SIZE=1024
rem set KEY_SIZE=2048

rem These are the default values for fields
rem which will be placed in the certificate.
rem Change these to reflect your site.
rem Don't leave any of these parms blank.

rem my config file for CA build
set KEY_COUNTRY=TW
set KEY_PROVINCE=TPE
set KEY_CITY=KHH
set KEY_ORG=OpenVPN_1234
set KEY_EMAIL=xiaolabacn@yahoo.com.tw

Enter the following command lines,
C:\Program Files (x86)\OpenVPN\easy-rsa\keys\ca.crt and ca.key will be built


init-config
vars
clean-all
build-ca

ref : http://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B#The_Server_Config_File

ref

ref : http://bbs.chdbits.org/forum.php?mod=viewthread&tid=553995
ref : http://brontosaurusrexng.wordpress.com/2009/06/10/afraid-org-and-wget-on-windows/
ref : http://freedns.afraid.org/dynamic/

http://www.dd-wrt.com/wiki/index.php/Jffs_sharing_in_a_Linux_server

ref : http://bbs.chanki.net/forum.php?mod=viewthread&tid=184

ref : http://freemanv1.blogspot.tw/2012/05/dd-wrt-openvpn.html