How to play with OpenWRT on a Raspberry Pi CM4
Preparing the openfortivpn package build environment on Ubuntu 20.04.3 LTS
Refer to the example above and adapt it for the CM4 (Raspberry Pi 4 Compute Module).
Download openwrt-sdk-bcm27xx-bcm2711_gcc-8.4.0_musl.Linux-x86_64.tar.xz from https://onedrive.live.com/?authkey=!AEcwsyZAovIBK-I&id=5219529519B9B6A1!963&cid=5219529519B9B6A1
Unpack it on Ubuntu 20.04.3 LTS (my T420 notebook) and build openfortivpn. This step can be skipped because OpenWRT can install the package directly from its online feed.
# Build the openfortivpn ipk from source
tar vxJf openwrt-sdk-bcm27xx-bcm2711_gcc-8.4.0_musl.Linux-x86_64.tar.xz
cd openwrt-sdk-bcm27xx-bcm2711_gcc-8.4.0_musl.Linux-x86_64/package
git clone https://github.com/excelwang/openwrt-openfortivpn openfortivpn
cd ..
./scripts/feeds update base
./scripts/feeds install libopenssl resolveip ppp
make package/openfortivpn/compile V=s
cd bin/packages/aarch64_cortex-a72/base/
ls openfortivpn_1.7.1_git467cab7-1_aarch64_cortex-a72.ipk
See https://note.amoiisacat.one/?p=35
The prebuilt packages can be found at
https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a72/
OpenWRT LuCI feed references:
https://forum.archive.openwrt.org/viewtopic.php?id=16599
https://github.com/openwrt/luci
To install all of its package definitions:
./scripts/feeds update luci
./scripts/feeds install -a -p luci
make menuconfig
make world
More references
https://openwrt-nctu.gitbook.io/project/openwrt-compile-env/openwrt-opkg-manager
More packages for CM4
https://archive.openwrt.org/releases/packages-21.02/aarch64_cortex-a72/
Set up OpenWRT manually, but I did not use this example.
opkg install openfortivpn luci-proto-openfortivpn
reboot
In LuCI, add an interface with protocol openfortivpn; fill in the username, password, IP address and port, and under Advanced fill in "VPN Server's certificate SHA1 hash" if your FortiSSL certificate is not trusted by your device (pinning the hash lets the client verify the server without disabling certificate checking).
Save and apply, then restart the interface; it will connect and get an IP from the VPN. To let OpenWRT's clients reach the FortiSSL network:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o vpn-company -j MASQUERADE
Then add the static routes in OpenWRT under Network -> Firewall -> Static Route, and you are done.
How to fix the CM4 Wi-Fi problem on OpenWRT (already resolved in the latest CM4 image)
cd /lib/firmware/brcm
cp brcmfmac43455-sdio.raspberrypi,4-model-b.txt brcmfmac43455-sdio.raspberrypi,4-compute-module.txt
reboot
https://forum.openwrt.org/t/raspberry-pi-cm4-wifi-not-working/90280/3
root@OpenWrt:~# dmesg | grep brcmfmac
[ 6.865501] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
[ 6.889369] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt failed with error -2
[ 6.901659] brcmfmac mmc1:0001:1: Falling back to sysfs fallback for: brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt
[ 6.917922] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.txt failed with error -2
[ 6.927674] brcmfmac mmc1:0001:1: Falling back to sysfs fallback for: brcm/brcmfmac43455-sdio.txt
[ 11.913882] usbcore: registered new interface driver brcmfmac
[ 12.933667] brcmfmac: brcmf_sdio_htclk: HT Avail timeout (1000000): clkctl 0x50
root@OpenWrt:~# iw dev
root@OpenWrt:~# wifi status
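An added example (not from the original post) that turns the dmesg check above into a script: it lists the firmware files the brcmfmac driver could not load and prints the copy command the post uses as a workaround. The dmesg lines embedded below are constructed to match the output shown.

```shell
#!/bin/sh
# Added example (not from the original post): find the firmware/NVRAM files
# brcmfmac failed to load and pick the fallback the post uses (the CM4 can
# reuse the Pi 4 model B NVRAM file). The dmesg lines are constructed.

# Print each firmware path dmesg reports as missing (error -2 = ENOENT).
missing_firmware() {
    sed -n "s/.*Direct firmware load for \(.*\) failed with error -2.*/\1/p" | sort -u
}

# Map the CM4-specific NVRAM name to the model-B file it can be copied from;
# prints nothing for files that have no such fallback.
nvram_fallback() {
    case $1 in
        *raspberrypi,4-compute-module.txt)
            echo "${1%4-compute-module.txt}4-model-b.txt" ;;
    esac
}

SAMPLE_DMESG="[ 6.889369] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt failed with error -2
[ 6.901659] brcmfmac mmc1:0001:1: Falling back to sysfs fallback for: brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt
[ 6.917922] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.txt failed with error -2"

# Dry run: show the cp that would be needed under /lib/firmware.
printf '%s\n' "$SAMPLE_DMESG" | missing_firmware | while read -r fw; do
    src=$(nvram_fallback "$fw")
    if [ -n "$src" ]; then echo "cp /lib/firmware/$src /lib/firmware/$fw"; fi
done
```

On a real device pipe the output of dmesg into missing_firmware instead of the sample.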
The iptables firewall tutorial video (just a reference for understanding what a VPN gateway is)
Set a firewall rule for Wi-Fi to VPN: https://mackonsti.wordpress.com/2021/02/20/install-openvpn-server-openwrt-router/
Check the status of the network interfaces
root@OpenWrt:~# uci -P/var/state show network.wan
root@OpenWrt:~# uci -P/var/state show network
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.loopback.up='1'
network.loopback.ifname='lo'
network.globals=globals
network.globals.ulaprefix='fd95:27c5:3e18::/48'
network.globals.packetsteering='1'
network.lan=interface
network.lan.proto='static'
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.device='br-lan'
network.lan.up='1'
network.lan.ifname='br-lan'
network.wan=interface
network.wan.proto='dhcp'
network.wan.device='eth1'
network.wan.up='1'
network.wan.ifname='eth1'
network.vpn0=interface
network.vpn0.proto='openfortivpn'
network.vpn0.peeraddr='VPN DNS'
network.vpn0.username='VPN Login User'
network.vpn0.password='VPN Login Password'
network.vpn0.defaultroute='0'
network.vpn0.up='1'
network.vpn0.ifname='vpn-vpn0'
network.docker=interface
network.docker.device='docker0'
network.docker.proto='none'
network.docker.auto='0'
network.@device[0]=device
network.@device[0].type='bridge'
network.@device[0].name='docker0'
network.@device[1]=device
network.@device[1].name='br-lan'
network.@device[1].type='bridge'
network.@device[1].ports='eth0'
network.wwan=interface
network.wwan.proto='dhcp'
network.@route[0]=route
network.@route[0].interface='vpn0'
network.@route[0].target='Route target network segment'
network.@route[0].netmask='255.255.0.0'
network.@route[1]=route
network.@route[1].interface='vpn0'
network.@route[1].target='Route target network segment'
network.@route[1].netmask='255.255.0.0'
network.@route[2]=route
network.@route[2].interface='vpn0'
network.@route[2].target='Route target network segment'
network.@route[2].netmask='255.255.0.0'
network.@route[3]=route
network.@route[3].target='Route target network segment'
network.@route[3].netmask='255.255.255.0'
network.@route[3].interface='vpn0'
network.@route[4]=route
network.@route[4].interface='vpn0'
network.@route[4].target='Route target network segment'
network.@route[4].netmask='255.255.255.0'
network.@route[5]=route
network.@route[5].interface='vpn0'
network.@route[5].target='Route target network segment'
network.@route[5].netmask='255.255.0.0'
network.@route[6]=route
network.@route[6].interface='vpn0'
network.@route[6].target='Route target network segment'
network.@route[6].netmask='255.255.0.0'
network.@route[7]=route
network.@route[7].interface='vpn0'
network.@route[7].target='Route target network segment'
network.@route[7].netmask='255.255.255.0'
network.@route[8]=route
network.@route[8].interface='vpn0'
network.@route[8].target='Route target network segment'
network.@route[8].netmask='255.255.255.0'
network.@route[9]=route
network.@route[9].interface='vpn0'
network.@route[9].target='Route target network segment'
network.@route[9].netmask='255.255.0.0'
Basic knowledge study
Use case study
Debugging references
Finally, some thoughts and lessons from this VPN setup
I find this part easier to write in Chinese. The motivation for building a VPN router was that during the pandemic I often had to work from home. At the office my working style mixes Windows and Linux platforms, using each for remote networking and desktop programs respectively, and I recently bought a MacBook running macOS, which means every one of these heterogeneous work platforms has to be able to reach the company's internal network.
On a work-from-home day I would have to install VPN client software on every machine and dial in to the company intranet, which is more hassle than I can tolerate.
This time I spent about a week studying so-called "scientific Internet access" (routing traffic through a VPN); there are mainly a few ways to connect the network:
- Side-router (bypass router) setup, suitable for a router box with only one network interface
- Relay-router setup, suitable for a router box with more than one network interface
Naturally, a relay router with more than one network interface can effectively isolate the home network from the VPN network layer and needs almost no extra configuration of the existing network. I only have to focus on installing OpenWRT on this dual-interface Raspberry Pi and configuring it as a VPN gateway, so that its LAN and Wi-Fi can reach into the company's internal network.
The main job of this router is to forward the subnets that need to reach the office onto the VPN virtual interface.
There are a few knowledge points that must be understood:
- OpenWRT firmware follows the logic of iptables; I found videos to review the basic concepts
- Installing OpenFortiClient on Linux versus configuring it through the OpenWRT interface: I first practised on a Linux laptop to learn the method, and after that the OpenWRT LuCI interface was much clearer
- OpenWRT's Wi-Fi can act as a Wi-Fi client or as a Wi-Fi AP. If you are away from home with no WAN port to reach the Internet, you can use the Wi-Fi client to connect to your phone's hotspot and use it as the WAN interface; tick [V] Replace Wireless Configuration
- In OpenWRT, under Network -> Interface -> VPN0 -> Advanced Settings, untick [ ] Use default gateway, otherwise machines on the home network can no longer be reached
- Finally, adding static routes: each of the company's subnets has to be added manually, line by line, to OpenWRT's routing table with Interface = VPN0, Target = company subnet, IPv4-NetMask = 255.255.0.0 or 255.255.255.0
- After testing that everything works, download a tar archive of the current configuration files.
Supplement
The eMMC used by OpenWRT is not large; to make full use of the remaining space, open Terminal Service and run fdisk /dev/mmcblk0 to add partitions for SWAP and the Docker home directory.
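As an added example (not part of the original post), a POSIX shell script for the two configuration points above: it generates the uci commands for the per-subnet static routes via the VPN interface, and checks a dump from uci show network for defaultroute='0'. The interface name vpn0, the subnets and the dump are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): generate the OpenWrt UCI
# commands for routing company subnets through the openfortivpn interface,
# and check a `uci show network` dump for the "Use default gateway" pitfall.
# Interface name, subnets and the dump below are constructed sample values.

# Convert a prefix length (0-32) to a dotted netmask, e.g. 16 -> 255.255.0.0.
prefix_to_netmask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then oct=255; p=$((p - 8))
        else oct=$(( (255 << (8 - p)) & 255 )); p=0; fi
        mask="${mask}${mask:+.}${oct}"
    done
    echo "$mask"
}

# Print the uci commands that add one static route per CIDR via interface $1.
# Usage: gen_vpn_routes vpn0 "10.10.0.0/16 10.20.0.0/16 192.168.50.0/24"
gen_vpn_routes() {
    iface=$1
    for cidr in $2; do
        net=${cidr%/*}; plen=${cidr#*/}
        echo "uci add network route"
        echo "uci set network.@route[-1].interface='$iface'"
        echo "uci set network.@route[-1].target='$net'"
        echo "uci set network.@route[-1].netmask='$(prefix_to_netmask "$plen")'"
    done
    echo "uci commit network"
}

# Return 0 if interface $1 in a `uci show network` dump (stdin) has
# defaultroute='0'; a VPN interface that takes the default route would
# pull all LAN traffic, home-network traffic included, into the tunnel.
vpn_keeps_default_route_off() {
    grep -q "^network\.$1\.defaultroute='0'\$"
}

# Constructed dump mirroring the post's layout (real values redacted).
SAMPLE_NETWORK="network.lan=interface
network.lan.proto='static'
network.vpn0=interface
network.vpn0.proto='openfortivpn'
network.vpn0.defaultroute='0'"

gen_vpn_routes vpn0 "10.10.0.0/16 192.168.50.0/24"
printf '%s\n' "$SAMPLE_NETWORK" | vpn_keeps_default_route_off vpn0 && echo "vpn0 OK"
```

On the router, feed the real output of uci show network into vpn_keeps_default_route_off and run the printed uci commands after reviewing them.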
fdisk -l /dev/mmcblk0
Disk /dev/mmcblk0: 29.12 GiB, 31268536320 bytes, 61071360 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x5452574f

Device         Boot    Start      End  Sectors  Size Id Type
/dev/mmcblk0p1          8192   532479   524288  256M  c W95 FAT32 (LBA)
/dev/mmcblk0p2        540672  4734975  4194304    2G 83 Linux
/dev/mmcblk0p3       4734976 13123583  8388608    4G 82 Linux swap / Solaris
/dev/mmcblk0p4      13123584 61071359 47947776 22.9G 83 Linux
Automount the partition
- Generate a config entry for the fstab file:
block detect | uci import fstab
- Now enable automount on that config entry:
uci set fstab.@mount[-1].enabled='1'
uci commit fstab
- Optionally enable autocheck of the file system each time the OpenWrt device powers up:
uci set fstab.@global[0].check_fs='1'
uci commit fstab
- Reboot your OpenWrt device (to verify that automount works)
- After the reboot, check your results: Run
uci show fstab
fstab.@global[0]=global
fstab.@global[0].anon_swap='0'
fstab.@global[0].anon_mount='0'
fstab.@global[0].auto_swap='1'
fstab.@global[0].auto_mount='1'
fstab.@global[0].delay_root='5'
fstab.@global[0].check_fs='0'
fstab.@swap[0]=swap
fstab.@swap[0].device='/dev/mmcblk0p3'
fstab.@swap[0].enabled='1'
fstab.@mount[0]=mount
fstab.@mount[0].target='/mnt/mmcblk0p4'
fstab.@mount[0].uuid='8c474bac-22d3-4f17-bd78-a4f0f98bdec8'
fstab.@mount[0].enabled='1'
root@OpenWrt:~# mkdir /mnt/mmcblk0p4
root@OpenWrt:~# mkswap /dev/mmcblk0p3
Setting up swapspace version 1, size = 6534721536 bytes
How to upgrade OpenWrt 21.02 to 22.03.3
Before upgrading the firmware, back up the current configuration to a file so it can be restored after the upgrade.
Importantly, a forced upgrade (-F flashes the image even if the image checks fail) loses the old partition table, which then has to be rebuilt with the fdisk command.
sysupgrade -F -v <upgrade firmware>