OpenWrt Forum Archive

Topic: Edimax BR-6104KP as standard home router (but with openvpn+socksproxy)

The content of this topic has been archived on 26 Feb 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Device: Edimax BR-6104KP (as I don't use USB, everything should work with BR-6104K)
Goal: Using the device as a standard home router with OpenWRT while acting as OpenVPN tunnel server, SOCKS proxy and, locally, as UPnP server.
cablemodem/whatever.with.ethernet.out-----Edimax.OpenWRt-----local.PCs

A mate of mine has very restricted internet access and can only reach HTTP ports, so I run OpenVPN on port 443 and, as a simple alternative, srelay (the SOCKS proxy) on port 80. Luckily it is not checked whether the traffic is actually HTTP, so I don't have to use an HTTP tunnel program.

The Edimax has 2MB flash, but the image has to be smaller than 1780(?) KByte in order for the jffs2 filesystem to work. So for lack of space, OpenVPN etc. have to be downloaded and installed on every boot; I wrote some simple start scripts in etc/rc.d to make this more or less foolproof, though it would be much nicer to have scripts in /etc/init.d which accept start/stop/restart/enable/disable commands. I provide those files here for adaptation; note they won't work out of the box as I replaced passwords and account names ... with dummy parameters. My config files start as the last files on boot, though changing settings could be possible earlier, possibly even before compiling, but ... it is working and easy to understand.

Building the image:

svn co https://svn.openwrt.org/openwrt/trunk/ kamikaze #i got Revision 13021
cd kamikaze/package
svn co https://svn.openwrt.org/openwrt/packages/net/miniupnpd #gets the miniupnp package
cd ..
#copy the content of my files.zip/files to kamikaze/files, probably you will have to mkdir files
#adapt all files to your needs and get openvpn-certs,-keys,... see below
#ensure you start with blank config: rm .config, rm .config.old
make menuconfig
--> target system: Infineon ADMtek ADM 5120 2.6
--> Subtarget: Little Endian
--> Target Profile: Edimax BR-6104KP (Unofficial)
--> Target Images: squashfs
#--> Image configuration: not used as done on first boot through files/etc/rc.d/...
--> Base system: # "-": do not install, "*": built-in
    -bridge
    -busybox ->Networking Utilities -> Enable IPv6 support
    -Network --> ppp
    *Network --> miniupnpd #using it as package "M" did not work
    -USB-Support kmod-usb-core
    *Kernel modules -> Other modules -> kmod-leds-gpio and kmod-ledtrig-adm5120-switch
    *Kernel modules -> Network Support -> kmod-tun
make V=99 #use V=99, if not, you might miss some y/n questions and make would not finish

To get the image onto the device look here: http://midge.vlad.org.ua/wiki/console_cable (I used an m35 noname(!) serial data cable - you find the image in kamikaze/bin)
The OpenVPN-config is based on this article: http://wiki.openwrt.org/OpenVPNTunHowTo … goryHowTo)
To create the necessary openvpn-key files look here: http://openvpn.net/index.php/documentat … o.html#pki (in my files.zip there are just dummies)
To read the logs: logread
To see your DHCP clients: cat /tmp/dhcp.leases
Telnet to the device and set a password --> telnet is automatically disabled --> ssh -p17777 youredimax

references:
http://wiki.openwrt.org/OpenWrtDocs/Packages
http://forum.openwrt.org/viewtopic.php?id=13767
http://forum.openwrt.org/viewtopic.php?id=14360
http://www.linux-mips.org/wiki/ADM5120_switch
http://downloads.openwrt.org/kamikaze/docs/openwrt.html
http://wiki.openwrt.org/CategoryHowTo?a … enWrtHowTo
http://dev.luci.freifunk-halle.net/docs … direct.xml
http://wiki.openwrt.org/OpenWrtDocs/Kam … figuration #warning: some stuff outdated or wrong
http://wiki.openwrt.org/DDNSHowTo?highl … goryHowTo)
http://openvpn.net/index.php/documentat … o.html#pki
http://wiki.openwrt.org/OpenVPNTunHowTo … goryHowTo)

Services running:

wan+lan:
  443    OpenVPN
  80     srelay
  17777  ssh
  81     httpd
lan:
  23     telnet, until you set a password
  5000   miniupnpd
  53     dnsmasq
  67     dhcp-server

However, open source but closed forums/wikis? Where can I upload the config files? Also in the (very! slow) wiki I found nothing to upload my files with. Would someone attach my file if I email it?
---
Edit: look here: http://www.file-upload.net/download-120 … s.zip.html

(Last edited by rxgknpbo on 27 Oct 2008, 01:45)
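The boot scripts in the following post fetch openvpn, srelay, ntpclient and ddns-scripts from downloads.openwrt.org on every start, and the Kamikaze-era opkg does not check package signatures, so each boot trusts whatever the network delivers over plain HTTP. As an added example, not part of the original post and not OpenWrt's own code, the script below pins a SHA-256 digest for each downloaded .ipk and refuses to install on a mismatch. It assumes busybox wget and sha256sum on the router (shasum is only a fallback for trying it on a workstation), an opkg that accepts a local .ipk path, and that the expected digests were taken from a trusted copy of the packages, for instance the .ipk files the same make run leaves under kamikaze/bin; OPENVPN_IPK_URL and OPENVPN_IPK_SHA256 in the usage comment are placeholder variables.

```shell
#!/bin/sh
# Added example, not part of the original post: install a package from a
# downloaded .ipk only if its SHA-256 matches a digest pinned in the script.
# Assumptions: busybox wget/sha256sum (shasum is a fallback for a workstation),
# an opkg that installs a local .ipk path, and digests taken from a trusted copy.

# Install command, overridable for dry runs (e.g. OPKG_INSTALL="echo opkg").
OPKG_INSTALL=${OPKG_INSTALL:-"opkg -d ram install"}

# file_sha256 FILE: print the hex SHA-256 of FILE.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# install_pinned IPK EXPECTED_SHA256: run the install only when the digest
# matches. On mismatch nothing is installed and the function returns 1, so a
# caller can retry the download instead of trusting whatever arrived.
install_pinned() {
    ipk=$1
    expected=$2
    actual=$(file_sha256 "$ipk") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $ipk: sha256 $actual, expected $expected" >&2
        return 1
    fi
    $OPKG_INSTALL "$ipk"
}

# fetch_and_install NAME URL EXPECTED_SHA256: download NAME's .ipk to /tmp and
# hand it to install_pinned. Needs the network, so it is not exercised offline.
fetch_and_install() {
    ipk="/tmp/$1.ipk"
    wget -q -O "$ipk" "$2" || { echo "download of $1 failed" >&2; return 1; }
    install_pinned "$ipk" "$3"
}

# Boot-script use (OPENVPN_IPK_URL and OPENVPN_IPK_SHA256 are assumed variables
# you fill in from a trusted source, e.g. your own build output):
# until fetch_and_install openvpn "$OPENVPN_IPK_URL" "$OPENVPN_IPK_SHA256"; do
#     logger "openvpn: download or digest check failed, retrying"
#     sleep 5
# done
```

The retry loop in the usage comment keeps the post's "loop until it works" style, but a digest mismatch now means a fresh download rather than a started daemon. If the router's busybox lacks sha256sum, md5sum works the same way with a weaker guarantee.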

most important files:
kamikaze/files/etc/rc.d/S99xSWandLED

#!/bin/sh

# Init LED states: the per-port LEDs act as common link/activity and speed indicators
for port in wan lan1 lan2 lan3 lan4
do
    echo "port_state" > /sys/class/leds/${port}_speed/trigger
    echo "port_state" > /sys/class/leds/${port}_lnkact/trigger
    echo "speed"      > /sys/class/leds/${port}_speed/port_state
    echo "link_act"   > /sys/class/leds/${port}_lnkact/port_state
done

# Init switch (c is the CPU port) - common Edimax BR-6104KP layout
admswconfig eth0 "1234c"
admswconfig eth1 "0c"
admswconfig eth2
admswconfig eth3
admswconfig eth4

# Init LAN/WAN - necessary after admswconfig!
ifdown lan
ifdown wan
ifup lan
ifup wan

kamikaze/files/etc/rc.d/S99yMyFirstRun

#!/bin/sh
# Run-once initial config file
# Run-once check: skipped if the marker file /etc/FirstRunPassed exists
if ! test -f /etc/FirstRunPassed
then

# WAN config
uci set network.wan=interface
uci set network.wan.ifname=eth1
uci set network.wan.proto=dhcp
uci set network.wan.hostname=MyHomePc   # choose a name for your Edimax, probably not necessary
#uci set network.wan.macaddr=00:11:22:33:44:55   # manual "clone MAC" ;-)

# LAN config
uci set network.lan.ifname=eth0
uci set network.lan.proto=static
uci set network.lan.ipaddr=192.168.7.1
uci set network.lan.netmask=255.255.255.0

# LAN DHCP server config
uci set dhcp.lan.interface=lan
uci set dhcp.lan.start=100
uci set dhcp.lan.limit=100
uci set dhcp.lan.leasetime=48h

# Change SSH port
uci set dropbear.@dropbear[-1].Port=17777

# Activate LAN->WAN masquerading (sets the firewall's default forward policy)
uci set firewall.@defaults[-1].forward=ACCEPT

# Open SSH port: allow ssh from wan (internet)
uci add firewall rule
uci set firewall.@rule[-1].dest_port=17777   # [-1] means the last 'rule' section in /etc/config/firewall
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT

# Allow ICMP
uci add firewall rule
uci set firewall.@rule[-1].proto=icmp
uci set firewall.@rule[-1].target=ACCEPT

# Port-forward a port range to a fixed host
#uci add firewall redirect
#uci set firewall.@redirect[-1].dest=lan
#uci set firewall.@redirect[-1].src=wan
#uci set firewall.@redirect[-1].dest_ip=192.168.7.100
#uci set firewall.@redirect[-1].dest_port=55700-55999
#uci set firewall.@redirect[-1].src_dport=55700-55999   # VERY important! Without src_dport ALL ports are redirected and ssh is no longer reachable from wan
#uci set firewall.@redirect[-1].proto=tcpudp

# Another one (for the first openvpn client), same as above
#uci add firewall redirect
#uci set firewall.@redirect[-1].src=wan
#uci set firewall.@redirect[-1].dest_ip=10.8.0.6
#uci set firewall.@redirect[-1].dest_port=50000-50010
#uci set firewall.@redirect[-1].src_dport=50000-50010
#uci set firewall.@redirect[-1].proto=tcpudp

# Allow HTTPS port (OpenVPN running on this port)
uci add firewall rule
uci set firewall.@rule[-1].dest_port=443
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT

# Allow HTTP port (srelay socks proxy running on this port)
uci add firewall rule
uci set firewall.@rule[-1].dest_port=80
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
#uci set firewall.@rule[-1].src_ip=88.88.0.0/16   # access to this port only from the 88.88.0.0/16 net

# Set httpd webserver port to 81
uci set httpd.@httpd[-1].port=81

# Allow port 81 (httpd webserver running on this port)
uci add firewall rule
uci set firewall.@rule[-1].dest_port=81
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT

# Setup for dyndns.org client
touch /etc/config/ddns          # uci needs the config file to exist
uci set ddns.myddns=service     # creates the named section 'myddns' of type 'service'
uci set ddns.myddns.service_name=dyndns.org
uci set ddns.myddns.domain=yourremotehostname.dyndns.org
uci set ddns.myddns.username=yourusername
uci set ddns.myddns.password=yourpassword
uci set ddns.myddns.ip_source=network
uci set ddns.myddns.ip_network=wan
uci set ddns.myddns.enabled=1
ln -s /tmp/usr/lib/ddns/ /usr/lib/ddns   # ddns-scripts does not expect to be installed with -d ram --> /tmp/...

# Commit changes
uci commit

# Apply changes
touch /etc/FirstRunPassed   # remember that this script has done its job by creating that file
sync
reboot
fi

kamikaze/files/etc/rc.d/S99zMySecondRun

#!/bin/sh
# Runs on every boot: waits for connectivity, installs the packages that do not
# fit into flash to RAM (opkg -d ram --> /tmp) and starts the services

while ! ping -c 1 downloads.openwrt.org >/dev/null 2>/tmp/errooor
  do
      logger "No connection to downloads.openwrt.org"
      sleep 5s
  done
logger "ping to downloads.openwrt.org possible"

# opkg update package list
while ! opkg update >/dev/null 2>/tmp/errooor
  do
      logger "opkg update failed"
      sleep 5s
  done
logger "opkg update successful"

# Install NTP client to RAM
while ! opkg -d ram install ntpclient >/dev/null 2>/tmp/errooor
  do
      logger "ntp-client install failed"
      sleep 5s
  done
logger "ntp-client install successful"

# Set time once, trying both servers
while ! ( /tmp/usr/sbin/ntpclient -s -h ptbtime2.ptb.de >/dev/null 2>/tmp/errooor || /tmp/usr/sbin/ntpclient -s -h ptbtime1.ptb.de >/dev/null 2>/tmp/errooor )
  do
      logger "ntp client got/set no time yet"
      sleep 2s
  done
logger "ntp got/set time successfully"

# Set time every 4000 seconds
/tmp/usr/sbin/ntpclient -i 4000 -h ptbtime1.ptb.de &

# Install dyndns client, set up dyndns
while ! opkg -d ram install ddns-scripts >/dev/null 2>/tmp/errooor
  do
      logger "ddns-scripts waiting for install"
      sleep 5s
  done
logger "ddns-scripts install successful"

/tmp/usr/lib/ddns/dynamic_dns_updater.sh myddns &

# Install, prepare, start OpenVPN
# Keys etc. already in trunk/files/etc/openvpn
chmod 600 /etc/openvpn/server.key
while ! opkg -d ram install openvpn >/dev/null 2>/tmp/errooor
  do
      logger "openvpn waiting for install"
      sleep 5s
  done
logger "OpenVPN install successful"
ln -s /tmp/usr/lib/* /usr/lib >/dev/null 2>&1   # guaranteed errors due to existing files and links - doesn't matter
ln -s /tmp/usr/sbin/openvpn /usr/sbin

openvpn --daemon --config /etc/openvpn/server.conf
# Not sure whether the following 4 lines are necessary, probably yes
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# Install and run srelay socks proxy on port 80
while ! opkg -d ram install srelay >/dev/null 2>/tmp/errooor
  do
      logger "srelay waiting for install"
      sleep 5s
  done
logger "srelay install successful"

# -a n: no client authentication, -o 5: idle timeout, -i :80: listen on port 80 on all interfaces
/tmp/usr/bin/srelay -a n -o 5 -i :80

# miniupnpd creates correct iptables rules, but at the wrong line number
#iptables -D FORWARD 8
#iptables -D FORWARD 7
iptables -D FORWARD 6
iptables -I FORWARD 5 -p all -s 0/0 -d 0/0 -j MINIUPNPD

logger "iptables corrected for miniupnpd"

# Success message for this script
logger "EOF S99zMySecondRun reached"

backup/save/flash/restore

#### preparing backup pc:
#### linuxmachine 192.168.0.66:
user1@linuxmachine:~/openwrt/tst$ nc -l -p 7777 | dd of=mtdblock2
2978+1485 records in      #<---- those lines appear after backup
3968+0 records out
2031616 bytes (2.0 MB) copied, 3.96442 seconds, 512 kB/s

#### preparing openwrt backup
#### "firmware" includes everything except /tmp
root@OpenWrt:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00008000 00004000 "admboot"
mtd1: 00008000 00008000 "config"
mtd2: 001f0000 00010000 "firmware"
mtd3: 000b93e4 00010000 "kernel"
mtd4: 00134c00 00010000 "rootfs"
mtd5: 00070000 00010000 "rootfs_data"

root@OpenWrt:/# mount -o remount,ro /jffs
root@OpenWrt:/# dd if=/dev/mtdblock2 | nc 192.168.0.66 7777
3968+0 records in
3968+0 records out

#### restore:
root@OpenWrt:/# cd tmp/
root@OpenWrt:/tmp# scp user1@192.168.0.66:~/openwrt/tst/mtdblock2 .
root@OpenWrt:/# dd if=/tmp/mtdblock2 of=/dev/mtdblock2 && reboot
3968+0 records in
3968+0 records out

#### original firmware restore: serial cable (slower) or like this:
root@OpenWrt:/tmp# scp  user1@192.168.0.66:~/openwrt/tst/orig.bin .
root@OpenWrt:/tmp# mtd -r -e firmware write orig.bin firmware

#### flashing Openwrt to Device: use webinterface (faster) or serial cable (failsafe) - openwrt/bin has different files for that

##### references:
http://wiki.openwrt.org/BackupAndRestore

Oh yes, updating goes the same way as restoring the original firmware :-)
Be careful before trying this on other devices - the Edimax thing is the only OpenWrt device I have, and I don't know whether one should do a remount,ro before flashing.

(Last edited by rxgknpbo on 8 Nov 2008, 18:02)
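The dd byte count in the backup above (3968 records of 512 bytes = 2031616 bytes) is exactly the 0x1f0000 size of the "firmware" partition in /proc/mtd, and that equality is the one check worth automating before a restore: a transfer that nc or dd cut short would otherwise be written straight to flash. The script below is an added example, not part of the original post and not an OpenWrt tool. It parses the /proc/mtd listing (the sample embedded here is a constructed copy of the listing in the post) and accepts a backup file only if it is exactly as large as the partition it is meant for; the restore line in the trailing comment is how it would be used on the router and is not run here.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a raw mtd backup
# before writing it back with dd. The partition table is parsed from /proc/mtd
# (SAMPLE_MTD is a constructed copy of the listing in the post), and the backup
# is accepted only if it is exactly the partition's size, so a transfer that was
# cut short by nc or dd is caught before it reaches the flash.

SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00008000 00004000 "admboot"
mtd1: 00008000 00008000 "config"
mtd2: 001f0000 00010000 "firmware"
mtd3: 000b93e4 00010000 "kernel"
mtd4: 00134c00 00010000 "rootfs"
mtd5: 00070000 00010000 "rootfs_data"'

# mtd_table [TABLE]: print TABLE if given, otherwise the live /proc/mtd.
mtd_table() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else cat /proc/mtd; fi
}

# mtd_field NAME COLUMN [TABLE]: print column COLUMN of the row whose quoted
# name is NAME; fails if there is no such partition.
mtd_field() {
    mtd_table "$3" | awk -v n="\"$1\"" -v c="$2" \
        '$4 == n { print $c; found = 1; exit } END { exit !found }'
}

# mtd_size NAME [TABLE]: partition size in bytes (the size column is hex).
mtd_size() {
    hex=$(mtd_field "$1" 2 "$2") || return 1
    echo $((0x$hex))
}

# mtd_device NAME [TABLE]: the mtdN name, e.g. "mtd2", for /dev/mtdblockN.
mtd_device() {
    dev=$(mtd_field "$1" 1 "$2") || return 1
    echo "${dev%:}"
}

# check_backup FILE NAME [TABLE]: 0 if FILE is exactly as large as partition
# NAME, 1 on a size mismatch, 2 if the partition does not exist.
check_backup() {
    want=$(mtd_size "$2" "$3") || { echo "no mtd partition named $2" >&2; return 2; }
    have=$(wc -c < "$1")
    if [ "$have" -ne "$want" ]; then
        echo "$1 is $have bytes but partition $2 is $want bytes: refusing to flash" >&2
        return 1
    fi
}

# Restore flow as it would be run on the router (not executed here):
# check_backup /tmp/mtdblock2 firmware &&
#     dd if=/tmp/mtdblock2 of=/dev/$(mtd_device firmware) && reboot
```

The size check only proves the backup is complete, not that it is intact; comparing the output of md5sum or sha256sum on the router and on the backup PC covers that, and mounting the jffs2 partition read-only before the dd, as the post does, keeps the image consistent while it is being read.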
