Over the last week I was finally able to build (from source), install, configure, hook up and use my new TL-WR841N running OpenWRT (trunk dated Dec 2011) with the following features:
- Authentication/Authorisation done with external freeRADIUS server (separate machine on WAN) using:
* Self-generated certificates for CA, AP and two clients (using a RADIUS-provided makefile on which some apparent bugs were fixed to make it work properly);
* EAP-TTLS/EAP-TLS negotiation & log in (EAP-TTLS is with client certificate request option turned on);
* Full certificate verification (both Subject & Issuer) at both ends: RADIUS/Server as well as the Client;
* full accounting logs (failed/successful logins, packets/traffic stats, all courtesy of the freeRADIUS accounting feature);
- External SSHFS mount (used/mounted as /opt) using PKI (no passwords!) utilising more than 1GB worth of disk space (it performs rather fast, which I found very surprising, given that it is done over the network);
- Ditch the rather inefficient and cumbersome firewall and use shorewall-lite instead - configuration from the ground-up with masquerading, full connection tracking, zones & ipset all activated;
Even though there are some rough edges, which I need to iron out still (see below), I would like to start a series of Howtos on the above "achievements", so that others with the same needs/problems don't bang their heads in unnecessarily as I did (I have been researching & fighting various battles with this for well over 2 months now!).
The purpose of this thread is to get some information on the (admittedly) small outstanding issues I need to resolve, as well as get some feedback on the wiki pages - it will be my "first" on OpenWRT.org (I hope it won't be the last) and I would appreciate some guidance & advice as to how to create/edit/manage these.
So, how does one start with the wiki pages - is there a preliminary template/policy/style which I need to follow in order to do that? I intend to start with the freeRADIUS and EAP-TTLS/EAP-TLS setup first (OpenWRT/hostapd, freeRADIUS as well as client configurations) and then move onto the SSHFS and Shorewall-lite (the firewall I use on my WR841N).
The number of issues I need to resolve are as follows:
- I seem to be able to connect only using 'g' speeds (54Mbps) and I am yet unable to activate/set HT, which I think is crucial for allowing high-speed connections. I presume I have some of the options in my wireless config wrong, but I can't be certain.
- I am also unable to connect to the AP when I use the 'hidden' option in /etc/config/wireless (i.e. "hidden 1"). I've searched these forums, but could not find anything useful on this.
- As of now, SSHFS is mounted on /opt, but I'd like to mount it as /overlay instead (i.e. to be my new rw rootfs).
The difficulty with that is there are 2 Howtos dealing with that sort of issue, but I do not want to try this before I have a "secure" route to my router just in case something gets screwed up. The only way I could do that is configuring the Das-U bootloader - I tried to do that when installed uboot-envtools package, but I don't know how to build/create/edit my /etc/fw_env.config file as I don't really know what values to put in there.
I would like to change some values from the uboot environment to point to my own ftp server, as well as change the image file name and do other minor changes like this. I don't have any serial port hardware build yet (I know it exists on the router, I just haven't set the serial interface up yet). So, on this issue I am a bit stuck.
I've also made some modifications to various files part of the source tree - mainly to allow SSHFS mounting at startup (or, rather when WAN network is up), adding a few more options to /etc/config/wireless (to do with the hostapd config) and also modifying the firewall script to account for shorewall & ipset. I am probably going to submit these as patches, but where is the place to send these - is there a repository or email address I could send these to?
Thanks in advance!