OpenWrt Forum Archive

Topic: How to Howto

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Over the last week I was finally able to build (from source), install, configure, hook up and use my new TL-WR841N running OpenWRT (trunk dated Dec 2011) with the following features:

- Authentication/Authorisation done with external freeRADIUS server (separate machine on WAN) using:
  * Self-generated certificates for CA, AP and two clients (using a RADIUS-provided makefile on which some apparent bugs were fixed to make it work properly);
  * EAP-TTLS/EAP-TLS negotiation & log in (EAP-TTLS is with client certificate request option turned on);
  * Full certificate verification (both Subject & Issuer) at both ends: RADIUS/Server as well as the Client;
  * full accounting logs (failed/successful logins, packets/traffic stats, all courtesy of the freeRADIUS accounting feature);
- External SSHFS mount (used/mounted as /opt) using PKI (no passwords!) utilising more than 1GB worth of disk space (it performs rather fast, which I found very surprising, given that it is done over the network);
- Ditch the rather inefficient and cumbersome firewall and use shorewall-lite instead - configuration from the ground-up with masquerading, full connection tracking, zones & ipset all activated;

Even though there are some rough edges, which I need to iron out still (see below), I would like to start a series of Howtos on the above "achievements", so that others with the same needs/problems don't bang their heads in unnecessarily as I did (I have been researching & fighting various battles with this for well over 2 months now!).

The purpose of this thread is to get some information on the (admittedly) small outstanding issues I need to resolve, as well as get some feedback on the wiki pages - it will be my "first" on OpenWRT.org (I hope it won't be the last) and I would appreciate some guidance & advice as to how to create/edit/manage these.

So, how does one start with the wiki pages - is there a preliminary template/policy/style which I need to follow in order to do that? I intend to start with the freeRADIUS and EAP-TTLS/EAP-TLS setup first (OpenWRT/hostapd, freeRADIUS as well as client configurations) and then move onto the SSHFS and Shorewall-lite (the firewall I use on my WR841N).

The number of issues I need to resolve are as follows:

- I seem to be able to connect only using 'g' speeds (54Mbps) and I am yet unable to activate/set HT, which I think is crucial for allowing high-speed connections. I presume I have some of the options in my wireless config wrong, but I can't be certain.
- I am also unable to connect to the AP when I use the 'hidden' option in /etc/config/wireless (i.e. "hidden 1"). I've searched these forums, but could not find anything useful on this.
- As of now, SSHFS is mounted on /opt, but I'd like to mount it as /overlay instead (i.e. to be my new rw rootfs).

The difficulty with that is there are 2 Howtos dealing with that sort of issue, but I do not want to try this before I have a "secure" route to my router just in case something gets screwed up. The only way I could do that is configuring the Das-U bootloader - I tried to do that when installed uboot-envtools package, but I don't know how to build/create/edit my /etc/fw_env.config file as I don't really know what values to put in there.

I would like to change some values from the uboot environment to point to my own ftp server, as well as change the image file name and do other minor changes like this. I don't have any serial port hardware build yet (I know it exists on the router, I just haven't set the serial interface up yet). So, on this issue I am a bit stuck.

I've also made some modifications to various files part of the source tree - mainly to allow SSHFS mounting at startup (or, rather when WAN network is up), adding a few more options to /etc/config/wireless (to do with the hostapd config) and also modifying the firewall script to account for shorewall & ipset. I am probably going to submit these as patches, but where is the place to send these - is there a repository or email address I could send these to?

Thanks in advance!

alain13 wrote:

Over the last week I was finally able to build (from source), install, configure, hook up and use my new TL-WR841N running OpenWRT (trunk dated Dec 2011) with the following features:

- Authentication/Authorisation done with external freeRADIUS server (separate machine on WAN) using:
  * Self-generated certificates for CA, AP and two clients (using a RADIUS-provided makefile on which some apparent bugs were fixed to make it work properly);
  * EAP-TTLS/EAP-TLS negotiation & log in (EAP-TTLS is with client certificate request option turned on);
  * Full certificate verification (both Subject & Issuer) at both ends: RADIUS/Server as well as the Client;
  * full accounting logs (failed/successful logins, packets/traffic stats, all courtesy of the freeRADIUS accounting feature);
- External SSHFS mount (used/mounted as /opt) using PKI (no passwords!) utilising more than 1GB worth of disk space (it performs rather fast, which I found very surprising, given that it is done over the network);
- Ditch the rather inefficient and cumbersome firewall and use shorewall-lite instead - configuration from the ground-up with masquerading, full connection tracking, zones & ipset all activated;

Even though there are some rough edges, which I need to iron out still (see below), I would like to start a series of Howtos on the above "achievements", so that others with the same needs/problems don't bang their heads in unnecessarily as I did (I have been researching & fighting various battles with this for well over 2 months now!).

And some documentation from you would be well appreciated!
1. Use the right forum: Howtos and Documentation
2. Use the wiki: OpenWrt Wiki

alain13 wrote:

So, how does one start with the wiki pages - is there a preliminary template/policy/style which I need to follow in order to do that? I intend to start with the freeRADIUS and EAP-TTLS/EAP-TLS setup first (OpenWRT/hostapd, freeRADIUS as well as client configurations) and then move onto the SSHFS and Shorewall-lite (the firewall I use on my WR841N).

Not really, just give it a try. If in doubt, use the INBOX.


alain13 wrote:

The number of issues I need to resolve are as follows:

- I seem to be able to connect only using 'g' speeds (54Mbps) and I am yet unable to activate/set HT, which I think is crucial for allowing high-speed connections. I presume I have some of the options in my wireless config wrong, but I can't be certain.

HmHm.

alain13 wrote:

- I am also unable to connect to the AP when I use the 'hidden' option in /etc/config/wireless (i.e. "hidden 1"). I've searched these forums, but could not find anything useful on this.

Hmmm, this is developer issue? You write on developer forum...

alain13 wrote:

- As of now, SSHFS is mounted on /opt, but I'd like to mount it as /overlay instead (i.e. to be my new rw rootfs).

HmmHmm, this says it is possible but not OOTB. You did read it?


alain13 wrote:

The difficulty with that is there are 2 Howtos dealing with that sort of issue, but I do not want to try this before I have a "secure" route to my router just in case something gets screwed up. The only way I could do that is configuring the Das-U bootloader - I tried to do that when installed uboot-envtools package, but I don't know how to build/create/edit my /etc/fw_env.config file as I don't really know what values to put in there.

If I knew, that info would be in the wiki! However, I imagine to remeber that I did write, that e.g. Tp-Link uses a very old version of U-Boot, one that the current docu does not fit. You did read?

However, since you are not willing to invest time into trial-and-error, it doesn't lookks goodd.


alain13 wrote:

I would like to change some values from the uboot environment to point to my own ftp server, as well as change the image file name and do other minor changes like this. I don't have any serial port hardware build yet (I know it exists on the router, I just haven't set the serial interface up yet). So, on this issue I am a bit stuck.

HmHm, ever tried to ask for help on the U-Boot Homepage? You could then come back and share new insights directly through the OpenWrt Wiki Page for "Das U-Boot" bootloader or in the Howto-Forum.


alain13 wrote:

I've also made some modifications to various files part of the source tree - mainly to allow SSHFS mounting at startup (or, rather when WAN network is up), adding a few more options to /etc/config/wireless (to do with the hostapd config) and also modifying the firewall script to account for shorewall & ipset. I am probably going to submit these as patches, but where is the place to send these - is there a repository or email address I could send these to?

Personally I am not interested in shorewall and I still haven't tried ipset yet. However, try Welcome to the OpenWrt development center.

The discussion might have continued from here.