OpenWrt Forum Archive

Topic: matrixtunnel

The content of this topic has been archived on 2 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
zn
7 May 2006, 14:30

hi

i'm working on a stripped down stunnel replacement which is based on matrixssl called matrixtunnel. i'm relatively unseasoned in things like socket programming and ssl, so i'd like some feedback concerning the code. additionally for some reason tunnelling https does not work with safari (but only when matrixtunnel runs on wrt/mipsel). ie and firefox work perfectly.

what's working:
e.g.: matrixtunnel -a servCert.pem -p privkeySrv.pem -d 443 -r 80
this reads the certivication and privkey files (stolen from matrixssl examples) and creates a tunnel from ssl port to http port. so it is possible to connect to the busybox http server with https.
runs on linux and mac os x.

what's not working:
client mode is not tested. don't know if it works now. certification validation is not tested and will not work (i beleive).

things which could be a problem
code uses fork to handle multiple requests. perhaps it would be better to use pthreads?

howto:
svn co http://znerol.ch/svn/matrixtunnel/

compiling for host machine
cd matrixtunnel
./configure --with-matrixssl-src=/path/to/matrxssl-x.y-open/
make

openwrt buildroot:
cp matrixtunnel/package/openwrt /path/to/openwrt-sdk/package/matrixtunnel
cd /path/to/openwrt-sdk/
make

building matrixssl before compiling matrixtunnel is nessesary.

any feedback, future ideas and tips on how to fix support for safari is very appreciated.

lorenz

Post #2
zn
28 Dec 2006, 02:56

hi

i've recently revised the stunnel-replacement called matrixtunnel. to keep memory footprints as small as possible i've reworked it to not depend on threads neither on forks. instead it uses a select based io-model.

matrixtunnel-0.3 does not provide additional functionality and is early alpha software. please report any issues/problems/suggestions. see the mini-guide in my previous post for help on setting it up.

please test especially this situation:
matrixtunnel -a servCert.pem -p privkeySrv.pem -d 443 -r 80

and browse to
h**tps://myrouter/

which is the original reasen why i began to patch up this little tool.

thanks
lorenz

Post #3
zn
4 Jan 2007, 00:31

hello again

i've decided to take down matrixtunnel releases 0.2 and 0.3 because they were buggy enough that i don't want to float them in the wild. same for 0.1. because of this i've now published a real 0.2 release, which actually works.

installation for https:
- install libmatrixssl on your openwrt box.
- grab matrixtunnel 0.2 from http://znerol.ch/ipkg/matrixtunnel_0.2-1_mipsel.ipk and install it on your router.
- prepare a self signed certificate with openssl or get a signed one from e.g. cacert.org

openssl genrsa -out host.key 2048
openssl req -new -nodes -key host.key -out host.csr
openssl x509 -req -days 365 -in host.csr -signkey host.key -out host.cert

- copy host.key and host.cert onto your openwrt box.
- start matrixtunnel like

matrixtunnel -A host.cert  -p host.key -d 443 -r 80

- point your browser to h**ps://routerip/

compiling from source:
check out matrixtunnel package into the package directory of your buildroot:

svn co https://znerol.ch/svn/matrixtunnel/package/openwrt/ matrixtunnel

or

svn co https://znerol.ch/svn/matrixtunnel/package/openwrt-ng/ matrixtunnel

more options:

root@znerol:~# matrixtunnel -h
usage: [-c] [-v] [-d localip:port] [-r remoteip:port]

    -A      Certificate Authority file 
    -p      private key and certificate chain PEM file name
    -c      client mode. remote is ssl, local plain
    -v      validate certificate
    -d      listen locally on this [host:]port
    -r      connect to remote machine on [host:]port
    -P      pidfile
    -f      foreground mode
    -D      syslog level (0...7)

i appreciate your feedback.
lorenz

Post #4
thepeople
27 Feb 2007, 23:10

I seem to be having a few nonfatal errors with matrixtunnel. This is on kamikaze x86 2.6 kernel.

select: Interrupted system call
debug matrixtunnel.c:820 select on 0 open connections. fdmax: 5
debug matrixtunnel.c:822 select returned: 1
info matrixtunnel.c:350 Accepting new connection.
debug matrixtunnel.c:375 Trying to accept ssl connection
debug matrixtunnel.c:820 select on 0 open connections. fdmax: 5
debug matrixtunnel.c:822 select returned: 1
info matrixtunnel.c:350 Accepting new connection.
debug matrixtunnel.c:375 Trying to accept ssl connection
debug matrixtunnel.c:820 select on 0 open connections. fdmax: 5
debug matrixtunnel.c:390 Trying to connect server localhost:80
info matrixtunnel.c:415 Connection established. 7 => 6
debug matrixtunnel.c:446 select on 0 open connections. fdmax: 7
debug matrixtunnel.c:448 select returned: 1
debug matrixtunnel.c:278 ssl->plain reading
debug matrixtunnel.c:235 secure read: contents in inbuf
debug matrixtunnel.c:315 ssl->plain read 523 bytes
debug matrixtunnel.c:320 ssl->plain writing
debug matrixtunnel.c:331 ssl->plain written 523 bytes. amt=523
debug matrixtunnel.c:235 secure read: contents in inbuf
debug matrixtunnel.c:248 secure read: 0, plain write: 1
debug matrixtunnel.c:282 ssl->plain connection not ready
debug matrixtunnel.c:278 plain->ssl reading
debug matrixtunnel.c:263 plain read: 1, secure write: 1
debug matrixtunnel.c:315 plain->ssl read 701 bytes
debug matrixtunnel.c:320 plain->ssl writing
debug matrixtunnel.c:331 plain->ssl written 701 bytes. amt=701
debug matrixtunnel.c:263 plain read: 1, secure write: 1
debug matrixtunnel.c:301 plain->ssl EOF. rc=0, status=0, errno=11
debug matrixtunnel.c:215 Closing connection
info matrixtunnel.c:229 Connection closed
debug matrixtunnel.c:474 done. exiting...
debug matrixtunnel.c:822 select returned: -1
select: Interrupted system call
debug matrixtunnel.c:820 select on 0 open connections. fdmax: 5
debug matrixtunnel.c:390 Trying to connect server localhost:80
info matrixtunnel.c:415 Connection established. 7 => 6
debug matrixtunnel.c:446 select on 0 open connections. fdmax: 7
debug matrixtunnel.c:448 select returned: 1
debug matrixtunnel.c:278 ssl->plain reading
debug matrixtunnel.c:235 secure read: contents in inbuf
debug matrixtunnel.c:315 ssl->plain read 520 bytes
debug matrixtunnel.c:320 ssl->plain writing
debug matrixtunnel.c:331 ssl->plain written 520 bytes. amt=520
debug matrixtunnel.c:235 secure read: contents in inbuf
debug matrixtunnel.c:248 secure read: 0, plain write: 1
debug matrixtunnel.c:282 ssl->plain connection not ready
debug matrixtunnel.c:278 plain->ssl reading
debug matrixtunnel.c:263 plain read: 1, secure write: 1
debug matrixtunnel.c:315 plain->ssl read 975 bytes
debug matrixtunnel.c:320 plain->ssl writing
debug matrixtunnel.c:331 plain->ssl written 975 bytes. amt=975
debug matrixtunnel.c:263 plain read: 1, secure write: 1
debug matrixtunnel.c:301 plain->ssl EOF. rc=0, status=0, errno=11
debug matrixtunnel.c:215 Closing connection
info matrixtunnel.c:229 Connection closed
debug matrixtunnel.c:474 done. exiting...
debug matrixtunnel.c:822 select returned: -1
select: Interrupted system call

(Last edited by thepeople on 27 Feb 2007, 23:11)

Post #5
zn
28 Feb 2007, 18:42

seems like you are running matrixtunnel with a high debug level. i mean, seems that i forgot to lower the standard-level in the code. try to reduce it using the -D flag.

Post #6
thepeople
1 Mar 2007, 01:47

I set the high debug level to get more information. The error I am refering to occurs on the default bug level "select: Interrupted system call"

Post #7
zn
1 Mar 2007, 09:26

ah okay. no worry, i forgot to wrap this one into the logging system. thanks for the report.

Post #8
ryan
5 Jun 2007, 13:22

Hi ....
         I just wanted to know is Client Authentication is there in the pkg of MatrixTunnel. Could anybody tell me how to use .ipk file ....

Ryan

The discussion might have continued from here.