Openwrt: Unterschied zwischen den Versionen
F (Diskussion | Beiträge) |
F (Diskussion | Beiträge) (→Überflüssiges deinstallieren) |
(22 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt) | |||
Zeile 1: | Zeile 1: | ||
− | [[LEDE]] | + | Router: [[Openwrt]] | [[LEDE]] | [[Libre Mesh]] | [[qMp]] | [[RUT9XX]] |
= allgemein = | = allgemein = | ||
+ | |||
+ | == Installation == | ||
+ | |||
+ | === Installation von dd-wrt === | ||
+ | * From DDwrt to OpenWrt: | ||
+ | <source lang=bash> | ||
+ | # Enable SSH in services tab of ddwrt. | ||
+ | scp (winscp) openwrt-your-router-FACTORY.bin (factory not upgrade) to /tmp | ||
+ | ssh login to ddwrt, cd /tmp | ||
+ | mtd -f write openwrt-your-router-factory.bin linux | ||
+ | reboot | ||
+ | </source> | ||
+ | |||
+ | * From Openwrt to DDwrt: | ||
+ | <source lang=bash> | ||
+ | mtd write /tmp/factory-to-ddwrt.bin firmware | ||
+ | </source> | ||
+ | |||
+ | * https://forum.openwrt.org/t/reverting-back-to-openwrt-from-dd-wrt/47619/4 | ||
+ | |||
==Befehle== | ==Befehle== | ||
===Interfaces anzeigen=== | ===Interfaces anzeigen=== | ||
Zeile 7: | Zeile 27: | ||
=== Anzeige der Clients die mit wlan verbunden sind === | === Anzeige der Clients die mit wlan verbunden sind === | ||
− | |||
+ | <source lang=bash> | ||
+ | # wlan info | ||
+ | iwinfo wlan0 assoclist | ||
+ | |||
+ | |||
+ | # über dhcp vergabe | ||
+ | cat /tmp/dhcp.leases | ||
+ | |||
+ | for ip in $(arp | grep -v IP | awk '{print $1}'); do grep $ip /tmp/dhcp.leases; done | ||
+ | |||
+ | </source> | ||
+ | |||
+ | = Probleme = | ||
+ | |||
+ | ==opkg update - Failed to download the package list - opkg_download: Check your network settings and connectivity. == | ||
+ | |||
+ | |||
+ | evt ipv6 probleme, weil zb. haupt netz es nicht zu läßt | ||
+ | |||
+ | |||
+ | <source lang=bash> | ||
+ | # mit folgendem testen | ||
+ | wget http://downloads.openwrt.org/releases/18.06.5/targets/ar71xx/tiny/packages/Packages.gz | ||
+ | |||
+ | # Lösung: ipv6 ausschalten | ||
+ | # folgendes alternativ zu /etc/config/network per hand bearbeiten | ||
+ | uci set network.wan6.disabled="1" | ||
+ | uci commit network | ||
+ | service network reload | ||
+ | |||
+ | |||
+ | |||
+ | </source> | ||
+ | |||
+ | = wlan client => wired gateway = | ||
+ | |||
+ | * http://192.168.1.1/cgi-bin/luci/admin/network/wireless => scan, wlan netz auswählen und hinzufügen | ||
+ | * OpenWrt deaktivieren (falls aktiv und mensch es will) | ||
+ | * Probleme (gab es bei CPE210, nicht aber CPE510) | ||
+ | ** der computer client hat kein dns auflösung (ping 8.8.8.8 funzt aber) | ||
+ | * http://192.168.1.1/cgi-bin/luci/admin/network/dhcp | ||
+ | ** DNS forwardings => DNS Ip eintragen (z.B. google 8.8.8.8) | ||
− | = | + | = wireless = |
+ | |||
+ | <source lang=bash> | ||
+ | # checken was geht | ||
+ | iwinfo wlan0-ap txpower | ||
+ | # checken was eingestellt ist | ||
+ | uci show wireless.radio0.txpower | ||
+ | # bzw. txpower | ||
+ | iwinfo | ||
+ | </source> | ||
+ | |||
+ | = openvpn = | ||
Zeile 30: | Zeile 102: | ||
=== riseup openvpn client auf den openwrt einrichten === | === riseup openvpn client auf den openwrt einrichten === | ||
+ | ==== Zertifikat ==== | ||
* /etc/openvpn/[https://riseup.net/security/network-security/riseup-ca/RiseupCA.pem RiseupCA.pem] | * /etc/openvpn/[https://riseup.net/security/network-security/riseup-ca/RiseupCA.pem RiseupCA.pem] | ||
<source lang=bash> | <source lang=bash> | ||
Zeile 68: | Zeile 141: | ||
</source> | </source> | ||
− | + | ||
+ | (zum testen) openvpn starten mit Passwortabfrage | ||
'''start befehl''' | '''start befehl''' | ||
<source lang=bash> | <source lang=bash> | ||
openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca /etc/openvpn/RiseupCA.pem | openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca /etc/openvpn/RiseupCA.pem | ||
</source> | </source> | ||
− | |||
==== openvpn starten mit Passwortdatei ==== | ==== openvpn starten mit Passwortdatei ==== | ||
Zeile 83: | Zeile 156: | ||
</source> | </source> | ||
− | '''start befehl''' | + | (zum testen) '''start befehl''' |
<source lang=bash> | <source lang=bash> | ||
openvpn --client --dev tun --auth-user-pass /etc/openvpn/riseup_auth.txt --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca /etc/openvpn/RiseupCA.pem | openvpn --client --dev tun --auth-user-pass /etc/openvpn/riseup_auth.txt --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca /etc/openvpn/RiseupCA.pem | ||
Zeile 112: | Zeile 185: | ||
# logging | # logging | ||
− | log-append /var/log/openvpn.log | + | #log-append /var/log/openvpn.log |
− | log /var/log/openvpn.log | + | #log /var/log/openvpn.log |
− | verb 4 | + | #verb 4 |
</source> | </source> | ||
− | '''start befehl''' | + | (zum testen) '''start befehl''' |
<source lang=bash> | <source lang=bash> | ||
openvpn /etc/openvpn/riseup2.ovpn | openvpn /etc/openvpn/riseup2.ovpn | ||
Zeile 137: | Zeile 210: | ||
− | '''start befehl''' | + | (zum testen) '''start befehl''' |
<source lang=bash> | <source lang=bash> | ||
/etc/init.d/openvpn start | /etc/init.d/openvpn start | ||
Zeile 148: | Zeile 221: | ||
<source lang=bash> | <source lang=bash> | ||
# .... | # .... | ||
− | config interface ' | + | config interface 'ncvpnif' |
option proto 'dhcp' | option proto 'dhcp' | ||
option ifname 'tun0' | option ifname 'tun0' | ||
− | option hostname ' | + | option hostname 'ncvpnhostname' |
</source> | </source> | ||
− | ''' start befehle ''' | + | (zum testen) ''' start befehle ''' |
/etc/init.d/network restart | /etc/init.d/network restart | ||
− | + | === Firewall === | |
'''/etc/config/firewall''' | '''/etc/config/firewall''' | ||
<source lang=bash> | <source lang=bash> | ||
Zeile 170: | Zeile 243: | ||
config zone | config zone | ||
− | option name ' | + | option name 'ncvpnzone' |
option forward 'REJECT' | option forward 'REJECT' | ||
option output 'ACCEPT' | option output 'ACCEPT' | ||
Zeile 176: | Zeile 249: | ||
option masq '1' | option masq '1' | ||
option mtu_fix '1' | option mtu_fix '1' | ||
− | option network ' | + | option network 'ncvpnif' |
config forwarding | config forwarding | ||
− | option dest ' | + | option dest 'ncvpnzone' |
option src 'lan' | option src 'lan' | ||
</source> | </source> | ||
− | ''' start befehle ''' | + | (zum testen) ''' start befehle ''' |
/etc/init.d/firewall restart | /etc/init.d/firewall restart | ||
+ | |||
+ | |||
+ | === check openvpn cronjob === | ||
+ | <source lang="bash"> | ||
+ | * * * * * /etc/config/nccheckopenvpn.sh | ||
+ | </source> | ||
+ | |||
+ | nccheckopenvpn.sh | ||
+ | <source lang="bash"> | ||
+ | #!/bin/sh | ||
+ | DEST="8.8.8.8" | ||
+ | DATE=$(date +%Y-%m-%d_%H:%M:%S) | ||
+ | if ! [ $(ping -q -c 1 ${DEST} 2>&1 | grep "1 packets received" | sed "s/.*\(1\) packets received.*/\1/") ]; then | ||
+ | echo "${DATE} FAIL ERROR Not alive ${DEST} , restarting VPNC" >> /etc/config/nc_vpnuptime.log | ||
+ | /etc/init.d/openvpn stop ; /etc/init.d/openvpn start | ||
+ | else | ||
+ | echo "${DATE} Alive ${DEST}" >> /etc/config/nc_vpnuptime.log | ||
+ | fi | ||
+ | |||
+ | </source> | ||
+ | |||
+ | === Dienste aktivieren === | ||
+ | <source lang=bash> | ||
+ | /etc/init.d/openvpn enable | ||
+ | /etc/init.d/firewall enable | ||
+ | |||
+ | </source> | ||
+ | |||
+ | = Überflüssiges deinstallieren = | ||
+ | |||
+ | <source lang=bash> | ||
+ | # evt. falsche reihenfolge, dann mehrmals ausführen | ||
+ | opkg remove luci luci-app-firewall luci-base luci-lib-ip luci-lib-jsonc luci-lib-nixio luci-mod-admin-full luci-proto-ipv6 luci-proto-ppp luci-theme-bootstrap ppp ppp-mod-pppoe | ||
+ | |||
+ | </source> |
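Review bot: The watchdog added in `nccheckopenvpn.sh` decides liveness by grepping ping's human-readable output inside an unquoted `[ $(...) ]`, which is fragile across ping implementations and wording; ping's exit status already carries the answer, so the test should be `if ! ping -q -c 1 -W 5 "${DEST}" >/dev/null 2>&1; then`, with `-W` bounding each probe so a hung run cannot pile up under the per-minute cron. Both the script and its ever-growing `nc_vpnuptime.log` live in `/etc/config`, which is the UCI directory on the overlay flash: the append every minute wears the flash and uci tooling will presumably try to parse both files, so the log belongs in `/tmp` (or `logger`) and the script in `/root` or `/usr/bin`. A restart is also triggered whenever 8.8.8.8 is unreachable for any reason, so an upstream outage restarts OpenVPN once a minute; and unless the default lan→wan forwarding is removed (the firewall hunk does not show the rest of `/etc/config/firewall`), LAN clients presumably fall back to the unencrypted WAN path while tun0 is down, which a VPN-gateway setup usually wants blocked.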
Aktuelle Version vom 2. Mai 2020, 14:22 Uhr
Router: Openwrt | LEDE | Libre Mesh | qMp | RUT9XX
allgemein
Installation
Installation von dd-wrt
- From DDwrt to OpenWrt:
# Enable SSH in services tab of ddwrt.
# NOTE(review): before copying, verify the image's sha256sum against the value
# published on the OpenWrt download page -- a wrong or corrupted image written
# with mtd is not recoverable without serial/TFTP access.
scp (winscp) openwrt-your-router-FACTORY.bin (factory not upgrade) to /tmp
ssh login to ddwrt, cd /tmp
# The file name must match what was actually copied (the spelling above differs
# in case).  The target partition name ("linux" here, "firmware" for the reverse
# direction further down) is device/firmware specific -- confirm it with
# `cat /proc/mtd` before writing.  -f forces the write; presumably needed because
# DD-WRT's mtd does not recognise the OpenWrt image -- TODO confirm.
mtd -f write openwrt-your-router-factory.bin linux
reboot
- From Openwrt to DDwrt:
# Reverse direction, run on OpenWrt: write the DD-WRT factory image to the
# partition named "firmware" (device specific -- check `cat /proc/mtd` first).
mtd write /tmp/factory-to-ddwrt.bin firmware
Befehle
Interfaces anzeigen
# List the wireless interfaces together with their current radio status.
iwinfo
Anzeige der Clients die mit wlan verbunden sind
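# WLAN: stations currently associated with wlan0 (MAC, signal, rates).
iwinfo wlan0 assoclist

# Via DHCP assignment: leases handed out by dnsmasq (default lease file).
cat /tmp/dhcp.leases

# Cross-reference the ARP table with the lease file so only hosts that are
# actually reachable are listed.  -F/-w make the address match literally and
# as a whole word: the former unquoted `grep $ip` treated the dots as regex
# wildcards and also matched 192.168.1.1 against 192.168.1.10.
arp | grep -v IP | awk '{print $1}' | while IFS= read -r ip; do
  grep -Fw -- "$ip" /tmp/dhcp.leases
done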
Probleme
opkg update - Failed to download the package list - opkg_download: Check your network settings and connectivity.
Evtl. IPv6-Probleme, weil z.B. das Hauptnetz (Uplink) kein IPv6 zulässt.
# Test whether the package list can be fetched at all (the 18.06.5 ar71xx/tiny
# URL below is just an example -- use the one matching your release/target).
# NOTE(review): plain http is acceptable here only because opkg checks the usign
# signature of the list -- confirm check_signature is enabled in /etc/opkg.conf.
wget http://downloads.openwrt.org/releases/18.06.5/targets/ar71xx/tiny/packages/Packages.gz

# Workaround: disable the IPv6 WAN interface so downloads are not attempted over
# a broken v6 path.  This switches the IPv6 uplink off for the whole router, not
# just for opkg.  Equivalent to editing /etc/config/network by hand.
uci set network.wan6.disabled="1"
uci commit network
service network reload
wlan client => wired gateway
- http://192.168.1.1/cgi-bin/luci/admin/network/wireless => scan, wlan netz auswählen und hinzufügen
- OpenWrt deaktivieren (falls aktiv und mensch es will)
- Probleme (gab es bei CPE210, nicht aber CPE510)
- der Computer-Client hat keine DNS-Auflösung (ping 8.8.8.8 funktioniert aber)
- http://192.168.1.1/cgi-bin/luci/admin/network/dhcp
- DNS forwardings => DNS-IP eintragen (z.B. Google 8.8.8.8; Hinweis: alle DNS-Anfragen der Clients gehen dann unverschlüsselt an diesen Anbieter)
wireless
# Show the tx power levels the driver offers on the AP interface (wlan0-ap is
# the interface name used here; take the real name from `iwinfo`).
iwinfo wlan0-ap txpower
# Show the value configured in /etc/config/wireless (prints nothing if unset).
uci show wireless.radio0.txpower
# The tx power currently in use is also part of the per-interface summary of:
iwinfo
openvpn
Anleitungen
https://blog.doenselmann.com/openvpn-server-auf-openwrt-router-betreiben/ http://www.kammerath.net/openwrt-mit-openvpn-client.html https://www.portunity.de/access/wiki/OpenVPN-Tunnel_(IPv4)_auf_einem_OpenWRT_Router_einrichten_(Anleitung)
# Log in as root (default LAN address) and install the OpenSSL-based OpenVPN
# package; opkg update has to run first so the package list is current.
ssh root@192.168.1.1
opkg update
opkg install openvpn-openssl
Alternative zur folgenden config über gui mit paket luci-app-openvpn
riseup openvpn client auf den openwrt einrichten
Zertifikat
- /etc/openvpn/RiseupCA.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
(zum testen) openvpn starten mit Passwortabfrage
start befehl
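# Interactive test run: --auth-user-pass without a file prompts for the Riseup
# username/password.  --remote-cert-tls server is added to match the
# riseup2.ovpn profile further down: without it any certificate chaining to the
# Riseup CA -- not only the VPN server's -- passes verification.
# (--keysize is a no-op for AES-256-CBC, whose key length is fixed.)
openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --remote-cert-tls server --ca /etc/openvpn/RiseupCA.pem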
openvpn starten mit Passwortdatei
/etc/openvpn/riseup_auth.txt – enthält das Passwort im Klartext, daher mit `chmod 600 /etc/openvpn/riseup_auth.txt` nur für root lesbar machen
user
secret
(zum testen) start befehl
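# Test run with credentials read from riseup_auth.txt (keep that file 0600).
# --remote-cert-tls server is added to match the riseup2.ovpn profile further
# down: without it any certificate chaining to the Riseup CA -- not only the
# VPN server's -- passes verification.
# (--keysize is a no-op for AES-256-CBC, whose key length is fixed.)
openvpn --client --dev tun --auth-user-pass /etc/openvpn/riseup_auth.txt --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --remote-cert-tls server --ca /etc/openvpn/RiseupCA.pem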
openvpn starten mit configfile
/etc/openvpn/riseup2.ovpn
# OpenVPN client profile for the Riseup VPN, referenced from /etc/config/openvpn.
client
dev tun
# Username/password are read from this file -- keep it mode 0600 (root only).
auth-user-pass /etc/openvpn/riseup_auth.txt
remote vpn.riseup.net 1194
# keysize is a no-op for AES-256-CBC (fixed key length); the option is
# deprecated and later removed in newer OpenVPN releases, so it can be dropped.
keysize 256
auth SHA256
# Presumably what vpn.riseup.net expects; OpenVPN 2.4+ may negotiate a different
# data cipher with the server -- check the log on the first connect.
cipher AES-256-CBC
# CA the server certificate must chain to (RiseupCA.pem from the section above).
ca /etc/openvpn/RiseupCA.pem
#
# Do not keep the credentials cached in memory once they have been used.
auth-nocache
#
# Require the server key usage on the peer certificate: without this any
# certificate issued by the same CA would be accepted as the server.
remote-cert-tls server
# Level 2 allows the user-defined route-up script below to run; only needed
# while that line is uncommented.
script-security 2
# Keep the tun device and key material across restarts (e.g. SIGUSR1 reconnects).
persist-tun
persist-key
#route-noexec
#route-up /etc/openvpn/ruvpnrouteadd.sh
# logging (off by default; enable for troubleshooting)
#log-append /var/log/openvpn.log
#log /var/log/openvpn.log
#verb 4
(zum testen) start befehl
# Foreground test run with the profile above; Ctrl-C stops it.
openvpn /etc/openvpn/riseup2.ovpn
openvpn starten mit /etc/init.d/openvpn
/etc/config/openvpn
# UCI stanza for the openvpn init script; the section name (cryptn_vpn) is the
# instance name and is otherwise arbitrary.
config openvpn cryptn_vpn
# Set to 1 to enable this instance:
option enable 1
# Include OpenVPN configuration
option config /etc/openvpn/riseup2.ovpn
(zum testen) start befehl
# Start / restart / stop the instance(s) enabled in /etc/config/openvpn.
# `start` is one-shot; to have it run on boot the service also has to be
# enabled (see "Dienste aktivieren").
/etc/init.d/openvpn start
/etc/init.d/openvpn restart
/etc/init.d/openvpn stop
Netzwerkeinstellungen auf openwrt für openvpn
/etc/config/network
# ....
# Logical interface wrapped around OpenVPN's tun0 so it can be assigned to a
# firewall zone (see /etc/config/firewall).
config interface 'ncvpnif'
# NOTE(review): proto 'dhcp' starts a DHCP client on tun0 although OpenVPN
# already assigns the tunnel address itself; 'none' is the usual choice for an
# OpenVPN-managed interface -- TODO confirm the setup still works with it.
option proto 'dhcp'
# On OpenWrt 21.02+ `option device 'tun0'` replaces ifname -- confirm against
# the installed release.
option ifname 'tun0'
option hostname 'ncvpnhostname'
(zum testen) start befehle /etc/init.d/network restart
Firewall
/etc/config/firewall
# ....
# NOTE(review): this rule accepts UDP/1194 from every zone (src '*'), WAN
# included.  It is only needed when this router runs an OpenVPN *server*; for
# the client setup described here nothing listens on 1194 and the rule can be
# dropped.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '1194'
# Zone for the tunnel interface: LAN traffic is NATed (masq) out through the
# tunnel; nothing may enter from, or be forwarded out of, the tunnel side.
config zone
option name 'ncvpnzone'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
option masq '1'
# Clamp TCP MSS to the tunnel MTU (avoids stalls caused by PMTU black holes).
option mtu_fix '1'
option network 'ncvpnif'
# Allow lan -> tunnel.  The default lan -> wan forwarding is not shown here;
# presumably it is still present, in which case LAN clients fall back to the
# plain WAN path whenever tun0 is down -- remove it if that must not happen.
config forwarding
option dest 'ncvpnzone'
option src 'lan'
(zum testen) start befehle /etc/init.d/firewall restart
check openvpn cronjob
# Run the VPN watchdog every minute (goes into /etc/crontabs/root; the script
# must be executable and cron must be enabled and running).
* * * * * /etc/config/nccheckopenvpn.sh
nccheckopenvpn.sh
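#!/bin/sh
# Cron watchdog for the OpenVPN client: probe one host and restart OpenVPN
# when it does not answer.  Meant to run every minute from /etc/crontabs/root.
#
# Note: any reason for DEST being unreachable (an upstream outage included)
# triggers a restart, so expect one restart per minute while the WAN is down.

DEST="8.8.8.8"
# Log to tmpfs: an append every minute on the overlay (/etc/config) would wear
# the flash, and /etc/config is reserved for UCI files anyway.
LOG="/tmp/nc_vpnuptime.log"
DATE=$(date +%Y-%m-%d_%H:%M:%S)

# Use ping's exit status (0 = reply received) instead of grepping its text
# output, which differs between ping implementations.  -W bounds the wait so a
# hung probe cannot pile up across cron runs.
if ping -q -c 1 -W 5 "${DEST}" >/dev/null 2>&1; then
  echo "${DATE} Alive ${DEST}" >> "${LOG}"
else
  echo "${DATE} FAIL ERROR Not alive ${DEST} , restarting VPNC" >> "${LOG}"
  /etc/init.d/openvpn stop ; /etc/init.d/openvpn start
fi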
Dienste aktivieren
# Register both services so they start on boot; `start` alone (above) only
# runs them until the next reboot.
/etc/init.d/openvpn enable
/etc/init.d/firewall enable
Überflüssiges deinstallieren
# Remove the LuCI web UI and PPP support to free flash/RAM.  Dependency order
# may make opkg refuse some packages on the first pass; just run it again.
# NOTE(review): afterwards only SSH is left for administration, so make sure
# SSH access (password or key) works before running this.  Keep ppp and
# ppp-mod-pppoe if the WAN uplink is PPPoE.
opkg remove luci luci-app-firewall luci-base luci-lib-ip luci-lib-jsonc luci-lib-nixio luci-mod-admin-full luci-proto-ipv6 luci-proto-ppp luci-theme-bootstrap ppp ppp-mod-pppoe