Changes between Version 61 and Version 62 of WikiStart
Timestamp: May 17, 2013, 2:41:37 PM
WikiStart
v61 v62 148 148 149 149 touch customize/sbin/wifi-update 150 touch customize/sbin/openvpn-update 150 151 touch customize/usr/sbin/iopenvpn 151 152 … … 179 180 config dhcp lan #! I doubt this one is even used... <--- 180 181 option interface lan 181 option start 100 182 option limit 150 183 option leasetime 12h 182 option ignore 1 183 #! option start 100 184 #! option limit 150 185 #! option leasetime 12h 184 186 185 187 config dhcp wan … … 357 359 option ifname wlan0 358 360 option type bridge 361 # option proto dhcp #!TODO by this the AP's also get a real dhcp lease from the server, mac prefix range? 362 359 363 360 364 #!Add this interface if you internally NAT/Route the 2nd multiSSID instead of bridge <--- … … 372 376 option hostname eduroam-bullet #!Unique name differ! <--- 373 377 option timezone CET-1CEST,M3.5.0,M10.5.0/3 #!correct timezone Amsterdam Netherlands <--- 374 option log_ip 192.168.4.1 00#! destination of syslog-ng server <---378 option log_ip 192.168.4.1 #! destination of syslog-ng server <--- 375 379 option log_port 514 376 380 … … 529 533 }}} 530 534 535 #example code# /sbin/openvpn-update 536 {{{ 537 #!/bin/sh 538 539 MAC=$(/sbin/wifi detect | /usr/bin/awk '/macaddr/ { print $3 }') 540 541 /bin/sed -i "s/MACADDRESS/$MAC/g" /etc/openvpn/client.conf 542 }}} 543 531 544 #example code# /usr/sbin/iopenvpn 532 545 {{{ … … 547 560 }}} 548 561 562 #example code# /etc/openvpn/up.sh 563 {{{ 564 #!/bin/sh 565 #tap interface in openvpn/kernel generates unique new MAC address!!! 566 #TODO don't understand how ip of AP for the tunnel is created/assigned? 567 #Multiple AP devices work, but may conflict with dhcplease range of wireless clients? 
568 #remove ${IP} and add proto dhcp to lan /etc/config/network 569 570 FROM=3 571 TO=4 572 573 brctl addif br-lan $1 574 IP=$(echo $4 | sed "s/\.$FROM\./\.$TO\./g" ) 575 ifconfig br-lan ${IP} up 576 echo "Using: $IP" 577 }}} 578 549 579 Setup openvpn key/certificates/config for the AP, skip to section 3.2 of this howto when you don't have a *.tar file with keys&config for your individual unique AP, comeback if you have a *.tar and continue. 550 580 … … 558 588 {{{ 559 589 chmod +x customize/usr/sbin/iopenvpn 560 561 590 chmod +x customize/sbin/wifi-update 562 563 591 chmod +x customize/etc/init.d/sysntpd 564 565 592 chmod +x customize/etc/init.d/openvpn 566 567 593 chmod +x customize/etc/openvpn/up.sh 568 569 594 chmod +x customize/etc/rc.local 570 571 595 chmod +x customize/etc/firewall.user 572 573 596 chmod +x customize/etc/inittab 574 597 }}} … … 582 605 ssh root@192.168.1.20 583 606 584 ## enable openvpn 585 chmod +x /usr/sbin/iopenvpn 586 chmod +x /etc/openvpn/up.sh 607 ## enable / activate at boottime openvpn 587 608 /etc/init.d/openvpn enable 588 609 589 610 ## activate wifi to add MACadress to /etc/config/wireless file 590 /sbin/wifi stop611 #/sbin/wifi stop 591 612 #/sbin/wifi start 592 613 #/bin/sleep 5 593 614 /sbin/wifi detect 594 615 /bin/sleep 10 595 chmod +x /sbin/wifi-update596 616 /sbin/wifi-update 597 617 #/bin/sleep 5 598 # check / correct following in chmod+x /etc /sbin /usr/sbin599 618 reboot;exit 600 619 601 620 ## done 602 621 #check your working "eduroam" accesspoint! 
603 ##TODO check all execute writes on uploaded scripts!604 622 }}} 605 623 … … 845 863 default-lease-time 600; 846 864 max-lease-time 7200; 865 #subnet 192.168.4.0 netmask 255.255.255.0 { 866 # range 192.168.4.100 192.168.4.150; 867 # option routers 192.168.4.1; 868 869 #ap's different lease 870 class "ubntaps" { 871 match if (substring (hardware, 1, 3) = DC:9F:DB); 872 } 873 874 class "eduroamusers" { 875 match if not (substring (hardware, 1, 3) = DC:9F:DB); 876 } 877 847 878 subnet 192.168.4.0 netmask 255.255.255.0 { 848 range 192.168.4.100 192.168.4.150;849 879 option routers 192.168.4.1; 880 881 pool { 882 allow members of "ubntaps"; 883 range 192.168.4.3 192.168.4.66; 884 } 885 886 pool { 887 allow members of "eduroamusers"; 888 range 192.168.4.150 192.168.4.250; 889 } 890 891 } 892 893 850 894 } 851 895 }}} … … 909 953 }}} 910 954 911 To allow nat/routing and function as a local gateway/concentrator for the tunneld traffic from eduroam accesspoints (openvpn clients) the following config must be set once. 912 {{{ 913 ## Allows forwarding 914 cat /proc/sys/net/ipv4/ip_forward #shows current off state 955 To allow nat/routing and function as a local gateway/concentrator for the tunneld traffic from eduroam accesspoints (openvpn clients) the following config must be set every boot. 956 {{{ 957 ## add the following firewall masquerade code "quick and dirty" at the end of the rc.local file before exit0! 958 nano /etc/rc.local 959 }}} 960 961 #example code# /etc/rc.local 962 {{{ 963 964 #enable forwarding at ip level 915 965 echo "1" > /proc/sys/net/ipv4/ip_forward 916 cat /proc/sys/net/ipv4/ip_forward #shows current on state ? 917 918 ## add the following firewall masquerade code "quick and dirty" at the end of the file before exit0! 
919 nano /etc/rc.local 920 }}} 921 922 #example code# /etc/rc.local 923 {{{ 924 #!/bin/sh 966 967 #enable nat/routing from eth0 925 968 /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 926 #/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 927 #/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT 969 970 #enable nat/routing to eth0 directly 971 /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 972 /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT 973 974 #enable nat/routing to tap0 openvpn 928 975 /sbin/iptables -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT 929 976 /sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT 977 978 #before exit 0 930 979 }}} 931 980 … … 1058 1107 script-security 2 1059 1108 keepalive 10 180 #! these settings keep the tunnel alive on the W.L. network <--- 1109 #! run /bin/openvpnupdate update before uncommenting lladdress 1110 #! lladdress MACADDRESS #! overides random MAC adress of the br-lan interface for controlled dhcp lease! <--- 1111 1060 1112 }}} 1061 1113 … … 1309 1361 default AIROS reboot into tftp mode parameter 5.5.4 mtd cat /proc/mtd 1310 1362 1363 DHCP range for openwrt AP's fixen classes mac prefix? 1364 DHCPD.conf hoeft alleen nog een aanpassing voor andere lease time per klasse! 1365 op ieder ap, moet het openvpn fake mac address op dezelfde manier als het wifi-update script vervangen worden 1366 anders weet de dhcp server niet het juiste mac prefix te herkennen om de ap's in een andere interface te doen. 1367 ook een vraag is of die interface uberhaubt wel een ip hoeft te hebben? 1368 1311 1369 TODO Verzin leuke manier om dit in een batch workflow voor veel AP's clients in te passen... denken we vanuit dit concept met tar bestand of moeten we iets maken dat meteen meedere parameters zoals multiSSID ip-adres hostname wifichannel etc meeneemt op basis van MAC adres? 
Nog uitzoeken welk deel er naar de server moet 4 bestanden ca dh1024 server.crt/key? 1312 1370 … … 1315 1373 testen broadcast AP's onderling onmogelijk? 1316 1374 Filteren / dhcp bdup/stp requests 1317 DHCP range for ubnt AP's fixen 1375 1318 1376 1319 1377 Veiligheid aspect, VLAN/ radius authenticatie over zelfde tunnels als de clients... isolation tussen openvpn clients de AP's zelf is actief maar isolate van de wireless users op de client nog teste?
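Review bot: with `option ignore 1` now set on `config dhcp lan` (new lines 182-185), the stanza is deliberately disabled rather than merely unused, so the `#! I doubt this one is even used...` remark at line 180 is stale. The reason belongs next to the option: up.sh adds the tap to br-lan, so a dnsmasq answering DHCP on br-lan would compete with the central dhcpd on 192.168.4.1 for the tunneled clients. Keeping the old start/limit/leasetime lines commented is fine, but a one-line reason next to `option ignore 1` stops the next editor from re-enabling it.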
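Review bot: the commented `# option proto dhcp` at line 361 and the `#remove ${IP} and add proto dhcp` comment in up.sh (line 568) describe one migration from two sides, but neither states the dependency: as long as up.sh still runs `ifconfig br-lan ${IP} up`, enabling `proto dhcp` would give br-lan a lease and then overwrite it with the sed-derived static address on every tunnel (re)start. Keep the TODO in one place and state the order there: enable `lladdress` in client.conf, then switch to `proto dhcp`, then drop the ifconfig line from up.sh.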
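Review bot: `MAC=$(/sbin/wifi detect | /usr/bin/awk '/macaddr/ { print $3 }')` at line 539 has no guard against an empty or multi-line result (a device with two radios prints two macaddr lines), and `/bin/sed -i "s/MACADDRESS/$MAC/g" /etc/openvpn/client.conf` at line 541 will then write an empty `lladdress` or one containing a newline, after which openvpn refuses to start with no obvious cause. Check the value before editing, e.g. `[ -n "$MAC" ] || exit 1` and `[ "$(echo "$MAC" | wc -l)" -eq 1 ] || exit 1`. The script is also a one-shot (the MACADDRESS placeholder is gone after the first run); either have it detect that and exit 0, or note that in the header so a second run is not mistaken for a failure.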
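Review bot: `IP=$(echo $4 | sed "s/\.$FROM\./\.$TO\./g" )` at line 574 assumes openvpn passes an ifconfig_local address in `$4` and that its third octet is exactly `$FROM`; if the server does not push an ifconfig for the tap (the comment at 566 says the assignment is not understood), `$IP` is empty, `ifconfig br-lan up` at 575 silently brings the bridge up without an address, and `echo "Using: $IP"` at 576 still reports success. Quote `"$1"` and `"$4"` and exit non-zero when `$IP` is empty. Also, openvpn passes `init` or `restart` in `$6`, and `brctl addif br-lan $1` on a restart fails because the port is already in the bridge; harmless, but a comment would keep that log line from being read as a failure.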
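Review bot: the chmod list (lines 589-596) does not include `customize/sbin/openvpn-update`, which line 150 of this same revision creates with `touch`, and the device-side procedure (605-622) no longer runs any `chmod +x` of its own, so the new script is copied to the AP without the execute bit. Add `chmod +x customize/sbin/openvpn-update` here. The removed TODO at old line 603 (`check all execute writes on uploaded scripts`) was exactly this check; dropping the reminder before the list is complete is premature.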
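Review bot: the on-device sequence runs `/sbin/wifi detect` and `/sbin/wifi-update` (lines 614-616) but never `/sbin/openvpn-update`, so after `reboot` client.conf still contains the literal `MACADDRESS` placeholder. Insert `/sbin/openvpn-update` after `/sbin/wifi-update`; it depends on `wifi detect` output, which is why keeping `/sbin/wifi stop` commented out at 611 is the right call. Running `/etc/init.d/openvpn enable` at 608 before the MAC fix is harmless only because `lladdress` is still commented out in client.conf; if that line is ever uncommented by default, the order here matters.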
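Review bot: two points on the class/pool split (lines 870-889). First, `match if (substring (hardware, 1, 3) = DC:9F:DB)` classifies by OUI only, which is fine for picking a lease range but is not an access control: any client can present that OUI, so nothing that grants the `ubntaps` pool extra trust (firewall, VLAN, management reachability) should key on it. Second, the `ubntaps` pool 192.168.4.3-192.168.4.66 overlaps the addresses up.sh assigns statically to br-lan (the tunnel's 192.168.3.x rewritten to 192.168.4.x with the same host part), so while up.sh is in use the server can lease an address another AP already holds statically; move the pool clear of the range the tunnel ifconfig can produce, or finish the lladdress/proto dhcp switch first. And, as the new TODO at 1365 already says, the class cannot match until `lladdress` is active, because until then br-lan carries the random tap MAC noted at 565 and 1110.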
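Review bot: the now-uncommented FORWARD ACCEPT rules for eth0/eth1 (lines 971-972) and the tap0 pair (975-976) only take effect if the FORWARD chain policy is DROP, and nothing in this hunk or the surrounding config sets it; with the default ACCEPT policy all four are no-ops and the only operative line is the MASQUERADE at 968, so traffic is forwarded between every interface pair, including eth1 and tap0, not just the ones listed. If the intent is to limit what crosses the concentrator, add `/sbin/iptables -P FORWARD DROP` before the ACCEPT rules. Separately, `echo "1" > /proc/sys/net/ipv4/ip_forward` in rc.local (965) works, but `net.ipv4.ip_forward=1` in /etc/sysctl.conf is the persistent form and closes the window before rc.local runs.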
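Review bot: the comment at line 1109 says `run /bin/openvpnupdate update before uncommenting lladdress`, but the script added in this revision is `/sbin/openvpn-update` and takes no `update` argument; align the path and drop the argument so the instruction can actually be followed. Worth adding to the same comment that once `lladdress MACADDRESS` is active, tap0 and wlan0 share one MAC inside br-lan by design, so that is not treated as a duplicate-address fault later.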
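Review bot: on the open question at line 1367 whether the AP's bridge interface needs an IP at all: as long as the AP sends syslog to `log_ip 192.168.4.1` (line 378) and is managed over ssh, br-lan needs an address on that segment; only if logging and management move to another interface can br-lan become a pure layer-2 bridge and the whole static/dhcp question for it goes away. Stating that dependency next to the TODO would settle which of the two migration notes (1363-1366 and the up.sh comment at 568) to pursue.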