OpenWrt Forum Archive

Topic: Stunnel for OpenWRT

The content of this topic has been archived on 4 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have built stunnel (version 4.05) for the OpenWRT environment and created an ipkg for it in my repository http://www.cobb.uk.net/openwrt/.  It is dependent on libssl (available from ab0oo) and libpthread (available from ab0oo or Nico).  As usual, I have left out all the documentation -- see the FAQ and examples on http://www.stunnel.org/.

Use stunnel -version to see the compiled-in defaults and take a look at the example stunnel.conf in /etc/stunnel/stunnel.conf-sample to see the configuration options I recommend.  Note that I do not use chroot mode -- there is no good directory in the OpenWRT filesystems to chroot to where it can both write a .pid file and have access to certificates and other long term data.  If you set uid and gid to -2, as I do, you will need to change the protection on the /tmp directory (use chmod o+wt /tmp).

It works for me (in client mode, for my particular requirement).  I haven't tested other uses but let me know if it does not work for you.

Many thanks to Nico and ab0oo as well as to the stunnel folks for making it fairly straightforward to port.

Graham Cobb

If you followed my suggestion and made /tmp world-writable, you will have found that SSH login using a public key has broken (because dropbear doesn't like root's home directory being world writeable).  You need to remove the world write from the directory using: chmod 700 /tmp.

I have changed the sample configuration script to use /var/run/ as the directory for the pid file (and /var/log for the log file if you use that).  However, stunnel needs to be able to write these files while it is running as "nobody" so I have created a startup script (/etc/init.d/S51stunnel) which creates the directories and gives them the right protections.

There is an update to the package (revision wrt2) in my repository.

Graham
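The two replies above describe the setup without showing the startup script: stunnel drops to an unprivileged uid, so it needs directories it can write for its pid and log files, and the quick fix of making /tmp world-writable breaks dropbear because /tmp is root's home on OpenWrt. The POSIX shell script below is an added example for this thread (it is not Graham Cobb's S51stunnel, which is not reproduced on the page, nor part of the stunnel project). It creates /var/run/stunnel and /var/log/stunnel under a ROOT prefix, hands them to the stunnel ids when run as root, checks that a directory is not world-writable, and writes a minimal client-mode stunnel.conf pointing at those paths. The directory names, the default numeric ids (65534, the usual nobody, where the thread uses -2), the `install` entry point and the placeholder service section are this example's assumptions.

```sh
#!/bin/sh
# Added example for this thread, not Graham Cobb's S51stunnel and not stunnel's
# own code. Gives an unprivileged stunnel its own pid/log directories under /var
# instead of making /tmp world-writable, and writes a stunnel.conf that uses them.
#
# Assumptions: STUNNEL_UID/GID default to 65534 (nobody; the thread uses -2),
# the directory names under /var are this example's choice, and every function
# takes a root prefix so the logic can be exercised in a scratch directory.

STUNNEL_UID="${STUNNEL_UID:-65534}"
STUNNEL_GID="${STUNNEL_GID:-65534}"

# Create directory $1 with mode $2; hand it to the stunnel ids when we are root.
make_service_dir() {
    dir="$1"; mode="$2"
    mkdir -p "$dir" && chmod "$mode" "$dir" || return 1
    # Only root can give the directory away; on a non-root dry run on the
    # build host the directory simply stays owned by the caller.
    if [ "$(id -u)" = "0" ]; then
        chown "$STUNNEL_UID:$STUNNEL_GID" "$dir" || return 1
    fi
    return 0
}

# Return 0 if $1 is not world-writable. dropbear refuses public-key login when
# the home directory is world-writable, and root's home on OpenWrt is /tmp.
not_world_writable() {
    mode=$(stat -c '%a' "$1") || return 1
    other=$(( mode % 10 ))            # the "other" permission digit
    [ $(( other & 2 )) -eq 0 ]        # bit 2 of that digit is write
}

# Create the pid and log directories under ${1}/var (== /tmp on OpenWrt).
# 0755 owned by the stunnel ids: stunnel can write, nobody else can.
prepare_stunnel_dirs() {
    root="$1"
    make_service_dir "$root/var/run/stunnel" 0755 || return 1
    make_service_dir "$root/var/log/stunnel" 0755 || return 1
}

# Write a client-mode stunnel.conf under ${1}/etc/stunnel that uses those
# directories. No chroot, as in the thread. The service section is a
# placeholder (constructed); replace accept/connect with real endpoints.
write_stunnel_conf() {
    root="$1"
    mkdir -p "$root/etc/stunnel" || return 1
    cat > "$root/etc/stunnel/stunnel.conf" <<EOF
; generated by the example script; paths are relative to the real root on the router
pid = $root/var/run/stunnel/stunnel.pid
output = $root/var/log/stunnel/stunnel.log
setuid = $STUNNEL_UID
setgid = $STUNNEL_GID
client = yes

[example-client]
accept = 127.0.0.1:8443
connect = remote.example.invalid:443
EOF
}

# On the router (as root, e.g. from an init script): sh this-script install
if [ "${1:-}" = "install" ]; then
    prepare_stunnel_dirs "" && write_stunnel_conf "" && not_world_writable /tmp \
        || { echo "setup failed, or /tmp is world-writable (thread says: chmod 700 /tmp)" >&2; exit 1; }
fi
```

Run it once as root at boot and keep the sticky/world-write bits off /tmp; the check at the end is there precisely because `chmod o+wt /tmp` is the mistake the second reply corrects.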

I've attempted to wrap a http webserver using this stunnel package, and I've found some strange results.

If I use a stunnel 4.05 on my own x86 debian sarge machine, it works great with no problems.

If I try the same on a linksys wrt54gs using this stunnel package, I get SSL read errors, and connection reset by peer messages in the middle of a response.

I'm wondering if anyone else has tried to use this package in a similar fashion...

As a side note, I've tried to cross compile stunnel myself using the mipsel toolchain with little success.    Are there any tips out there for cross compiling source packages such as stunnel?

Sorry it isn't working for you.  I use it all the time but it is only ever talking to other stunnel implementations (although these are standard debian versions, not versions I have built myself).  I do not attempt to actually let it talk SSL to a non-stunnel program (either client or server).

If you want to build it yourself, here is the script I use to invoke configure to set the right options for the cross-compilation:

#!/bin/sh
#
# Configure with options necessary for building stunnel for OpenWRT on WRT54G
#
# --with-ssl=<ssl directory>
#
#       This directory must contain three further directories:
#       include/openssl - the header files for the version of openssl on the target OpenWRT host
#       lib - the openssl shared libraries for the target OpenWRT host
#       bin - an openssl executable for the *build* system (not the target OpenWRT host)
#
# --with-random=/dev/random
#
#       As this is a cross-compilation, the configure script needs to be told the random device to be used on the WRT54G
#
# --prefix=/usr
# --sysconfdir=/etc
# --sharedstatedir=/var
# --localstatedir=/var
#
#       Directories to use on the WRT54G.  Note that /var == /tmp in OpenWRT.
#
# --host=mipsel
#
#       cross-compilation required
#
# CC=<compiler>
# CFLAGS="-I<include-dir> -Os -mips2"
# LIBS=-L<lib-dir>
#
#       Location of cross-compiler, flags, libraries and tools from the OpenWRT buildroot
#

./configure \
    --with-ssl=/home/wrt54g/packages/libssl \
    --with-random=/dev/random \
    --prefix=/usr --sysconfdir=/etc --sharedstatedir=/var --localstatedir=/var \
    --host=mipsel \
    CC=/home/wrt54g/buildroot/build_mipsel/staging_dir/bin/mipsel-linux-gcc \
    CFLAGS="-I/home/wrt54g/buildroot/build_mipsel/staging_dir/mipsel-linux-uclibc/include -Os -mips2" \
    LIBS="-L/home/wrt54g/buildroot/build_mipsel/staging_dir/lib/" \
    NM=/home/wrt54g/buildroot/build_mipsel/staging_dir/bin/mipsel-linux-nm \
    LD=/home/wrt54g/buildroot/build_mipsel/staging_dir/bin/mipsel-linux-ld \
    STRIP=/home/wrt54g/buildroot/build_mipsel/staging_dir/bin/mipsel-linux-strip \
    RANLIB=/home/wrt54g/buildroot/build_mipsel/staging_dir/bin/mipsel-linux-ranlib \
        "$@"

Graham

I have had two separate people contact me this week about rebuilding stunnel, which turns not to be quite as simple as I remembered.  So here, for posterity, is the information I think is needed.

Note: this is based on stunnel 4.05.  I have no idea if this will work with other versions.  Also, this information is how to build in the "stable" Openwrt environment.  At least one of the people who contacted me wants to build in the "experimental" environment -- if you get it working please add a note here with any differences required.

The stunnel configure script is not designed to work in a cross-compiler environment.  It is necessary to comment out the tests for /dev/ptmx and /dev/ptc in the configure script and the corresponding tests in configure.ac.  In addition, it is necessary to run the configure script with lots of arguments (as in the previous reply) to tell it where to find things in the build environment. 

The patch file at http://www.cobb.uk.net/openwrt/openwrt-stunnel-patches makes the necessary edits to configure and configure.ac and creates a script called openwrt-configure.  Edit openwrt-configure to match your own needs, make sure you have correctly created the SSL directory and then run the following commands:

chmod +x openwrt-configure
./openwrt-configure
make

On one of my systems (with newer version of automake) I found I had to run the following commands before ./openwrt-configure:

aclocal
autoconf
automake -a

Graham

Thanks for posting Graham.  I have recently built stunnel 4.09 on experimental by using your configure script (slightly modified) and removing those sections of configure and configure.ac.  I have attached the modified configure script for others to use:

#!/bin/sh
#
# Configure with options necessary for building stunnel for OpenWRT on WRT54G
#
# --with-ssl=<ssl directory>
#
#       This directory must contain three further directories:
#       include/openssl - the header files for the version of
#                         openssl on the target OpenWRT host
#       lib - the openssl shared libraries for the target OpenWRT host
#       bin - an openssl executable for the *build* system (not the target OpenWRT host)
#
# --with-random=/dev/random
#
#       As this is a cross-compilation, the configure script needs to be
#     told the random device to be used on the WRT54G
#
# --prefix=/usr
# --sysconfdir=/etc
# --sharedstatedir=/var
# --localstatedir=/var
#
#       Directories to use on the WRT54G.  Note that /var == /tmp in OpenWRT.
#
# --host=mipsel
#
#       cross-compilation required
#
# CC=<compiler>
# CFLAGS="-I<include-dir> -Os -mips2"
# LIBS=-L<lib-dir>
#
#       Location of cross-compiler, flags, libraries and
#     tools from the OpenWRT buildroot
#

buildroot="/home/testuser/buildroot"

./configure \
  --with-ssl=${buildroot}/build_mipsel/stunnel-ssl \
  --with-random=/dev/random  \
  --prefix=/usr --sysconfdir=/etc --sharedstatedir=/var --localstatedir=/var \
  --host=mipsel-linux-uclibc \
  CC=${buildroot}/staging_dir_mipsel/bin/mipsel-linux-uclibc-gcc  \
  CPP=${buildroot}/staging_dir_mipsel/bin/mipsel-linux-uclibc-cpp  \
  CFLAGS="-I${buildroot}/staging_dir_mipsel/mipsel-linux-uclibc/sys-include -Os -mips2"  \
  LIBS="-L${buildroot}/staging_dir_mipsel/lib/"  \
  NM=${buildroot}/staging_dir_mipsel/bin/mipsel-linux-uclibc-nm \
  LD=${buildroot}/staging_dir_mipsel/bin/mipsel-linux-uclibc-ld  \
  STRIP=${buildroot}/staging_dir_mipsel/bin/mipsel-linux-uclibc-strip  \
  RANLIB=${buildroot}/staging_dir_mipsel/bin/mipsel-linux-ranlib  \
        "$@"

And here are the links in my stunnel-ssl folder:

bin -> /usr/bin/
include -> /home/testuser/buildroot/build_mipsel/openssl-0.9.7e/include/
lib -> /home/testuser/buildroot/build_mipsel/openssl-0.9.7e/

(Last edited by netprince on 27 Apr 2005, 17:39)

Hi, can you please compile the latest version of stunnel. I don't have a linux dev PC.
