openvpn not enabling 'enable_plugins'?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
jberlet
DD-WRT Novice


Joined: 14 Apr 2011
Posts: 13

PostPosted: Mon May 20, 2019 4:14    Post subject: openvpn not enabling 'enable_plugins'?
Hello,
It appears no BS or Kong builds of dd-wrt (as recent as May 18, 2019) were compiled to support plugins. Is this an oversight or intentional, as looking at the latest source 'config' directive file seems to allow this compile/config option for OpenVPN?

Excerpt of configure for the OpenVPN module in dd-wrt:
>>>>>>>>>>>>>>>>>>>>>>>
# Check whether --enable-plugins was given.
if test "${enable_plugins+set}" = set; then :
  enableval=$enable_plugins;
else
  # default when neither --enable-plugins nor --disable-plugins is passed
  enable_plugins="yes"
fi
>>>>>>>>>>>>>>>>>>>>>>>>

Here is the output of the last kong dd-wrt openvpn:

(Kong) v3.0-r37015M:
OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 23 2018
library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@…>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=no enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=no

enable_plugins=no


Is there a way to enable this (building the BS/Kong releases from source)? I have asked BS/Kong to enable this in a future daily or dd-wrt milestone build.

https://svn.dd-wrt.com/ticket/6645

Thank you.

J
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon May 20, 2019 4:27    Post subject:
Don't really know the reason why, only BS or Kong can provide those answers. Perhaps there's a security issue, or some other less than obvious reason.

If you're desperate, you might want to consider installing Entware and the OpenVPN packages and use your own scripting. That might enable this option.

You *might* even be able to overlay the router's binaries w/ the Entware binaries (using the mount command and bind option) and thus continue using the GUI.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
jberlet
DD-WRT Novice


Joined: 14 Apr 2011
Posts: 13

PostPosted: Mon May 20, 2019 8:32    Post subject:
eibgrad wrote:
Don't really know the reason why, only BS or Kong can provide those answers. Perhaps there's a security issue, or some other less than obvious reason.

If you're desperate, you might want to consider installing Entware and the OpenVPN packages and use your own scripting. That might enable this option.

You *might* even be able to overlay the router's binaries w/ the Entware binaries (using the mount command and bind option) and thus continue using the GUI.



Appreciate those recommendations. However, after installing Entware and the openvpn-openssl 2.4.6-3 opkg, unfortunately even in this Entware/opkg package the 'enable_plugins' compile option was set to 'no':

:/opt/sbin# ./openvpn --version
OpenVPN 2.4.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=no enable_multihome=yes enable_nls=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=no

enable_plugins=no

enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no


I did not find any documentation on building my own ARM_MIPS openvpn package to enable this option for openvpn... any suggestions there?

Thank you.

JB
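Added example, not code from the thread: a POSIX shell check that parses the "Compile time defines:" line of `openvpn --version` (the format shown in both outputs above) and reports whether plugin support and the auth-pam plugin were compiled in, so a rebuilt package can be verified before a PAM setup is attempted. The sample output is a constructed, abridged copy of the Entware 2.4.6 output above; the /opt/sbin/openvpn path is an assumption.

```shell
#!/bin/sh
# Constructed sample, abridged from the Entware 2.4.6 output in the thread.
SAMPLE_VERSION_OUTPUT='OpenVPN 2.4.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
Compile time defines: enable_async_push=no enable_crypto=yes enable_pam_dlopen=no enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=no enable_port_share=yes'

# define_value "<version output>" <define name>
# Prints the value recorded for that compile-time define (yes/no/unknown),
# or "missing" if the define is not listed at all.
define_value() {
    printf '%s\n' "$1" | sed -n 's/^Compile time defines: //p' | tr ' ' '\n' \
        | awk -F= -v k="$2" '$1 == k { print $2; found = 1 } END { if (!found) print "missing" }'
}

# plugin_support "<version output>"
# Returns 0 only when both enable_plugins and enable_plugin_auth_pam are "yes";
# prints a one-line verdict either way.
plugin_support() {
    plugins=$(define_value "$1" enable_plugins)
    pam=$(define_value "$1" enable_plugin_auth_pam)
    if [ "$plugins" = yes ] && [ "$pam" = yes ]; then
        echo "ok: enable_plugins=$plugins enable_plugin_auth_pam=$pam"
        return 0
    fi
    echo "unsupported: enable_plugins=$plugins enable_plugin_auth_pam=$pam"
    return 1
}

# On the router, check the live binary instead of the sample (path assumed):
#   plugin_support "$(/opt/sbin/openvpn --version 2>&1)"
plugin_support "$SAMPLE_VERSION_OUTPUT"
```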
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon May 20, 2019 14:47    Post subject:
Are you trying to install your own PAM module? Is that the end game here?
jberlet
DD-WRT Novice


Joined: 14 Apr 2011
Posts: 13

PostPosted: Mon May 20, 2019 16:11    Post subject:
eibgrad wrote:
Are you trying to install your own PAM module? Is that the end game here?



Hi, yes that is what I am trying to accomplish.

Tks.

J
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon May 20, 2019 16:21    Post subject:
While it would be nice to be able to insert PAM modules into the OpenVPN server, fact is, I don't know of any way to do it short of recompiling the firmware. And at that point, you're on your own and risk bricking your router. So it's not something I take lightly or am willing to recommend. You'll have to make that decision for yourself.

Since it is possible to script your own handling of username/password rather than rely on a PAM module, that's one other solution. I know that's not a good solution if your PAM module is perhaps far more sophisticated, perhaps integrated w/ your domain control, for example. But it is a solution. Or perhaps a workaround until you can convince BS or Kong about the need to enable plugins.

Another possibility is perhaps using your own script to load the module (e.g., w/ insmod or modprobe) and interfacing directly w/ that module. Now whether that's possible or practical, I don't know. It's not something I even attempted. But it's just a thought I had.

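As an added example (not code from the thread or from eibgrad's scripts), here is a minimal shell implementation of the "script your own username/password handling" route mentioned above, using OpenVPN's `auth-user-pass-verify` directive in `via-file` mode: OpenVPN writes the username and password on two lines of a temporary file, and the script's exit status accepts or rejects the client. The script name, the /jffs credential-file path and the sample user are assumptions; the salted SHA-256 hash is a placeholder for a proper slow password hash.

```shell
#!/bin/sh
# Assumed server-side config line:  auth-user-pass-verify /jffs/verify-user.sh via-file
# Credential store: one "user:salt:sha256hex(salt+password)" per line (path assumed).
USERS_DB="${USERS_DB:-/jffs/openvpn-users.db}"

# hash_pw <salt> <password> -> hex digest. Salted SHA-256 is only a stand-in
# here; use a real password KDF where the platform offers one.
hash_pw() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# check_credentials <user> <password> [db] -> 0 if accepted, 1 otherwise
check_credentials() {
    user=$1; pass=$2; db=${3:-$USERS_DB}
    # Reject empty or unusual usernames before touching the store.
    case $user in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$db" 2>/dev/null)
    [ -n "$entry" ] || return 1
    salt=$(printf '%s' "$entry" | cut -d: -f2)
    stored=$(printf '%s' "$entry" | cut -d: -f3)
    [ "$(hash_pw "$salt" "$pass")" = "$stored" ]
}

# verify_file <via-file path> -> 0 to let OpenVPN accept the client
verify_file() {
    { IFS= read -r u; IFS= read -r p; } < "$1" || return 1
    check_credentials "$u" "$p"
}

# add_user <user> <password> [db]: enrolment helper, appends a salted entry.
add_user() {
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")" >> "${3:-$USERS_DB}"
}

# When OpenVPN invokes the script, the via-file path is the only argument.
if [ -n "$1" ] && [ -f "$1" ]; then
    verify_file "$1"
    exit $?
fi
```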
jberlet
DD-WRT Novice


Joined: 14 Apr 2011
Posts: 13

PostPosted: Tue May 21, 2019 0:26    Post subject:
eibgrad wrote:
While it would be nice to be able to insert PAM modules into the OpenVPN server, fact is, I don't know of anyway to do it short of recompiling the firmware. And at that point, you're on your own and risk bricking your router. So it's not something I take lightly or am willing to recommend. You'll have to make that decision for yourself.

Since it is possible to script your own handling of username/password rather than rely on a PAM module, that's one other solution. I know that's not a good solution if your PAM module is perhaps far more sophisticated, perhaps integrated w/ your domain control, for example. But it is a solution. Or perhaps a workaround until you can convince BS or Kong about the need to enable plugins.

Another possibility is perhaps using your own script to load the module (e.g., w/ insmod or modprobe) and interfacing directly w/ that module. Now whether that's possible or practical, I don't know. It's not something I even attempted. But it's just a thought I had.


I was hoping, per your earlier suggestion, to go with an Entware openvpn package. I did actually download and set that up, but even that .ipk build does not have enable_plugins=yes as a compile-time option! I can only assume OpenWrt/whoever the contributor is that built that .ipk followed the same compile options as Brainslayer/Kong (unfortunately).

I don't have much hope/faith that BS/Kong would fix this issue with a subpackage in the dd-wrt firmware... maybe they will, who knows. Is it possible to build an OpenWrt package with OpenVPN that would have enable_plugins set to yes? Any experience/recommendations for building an ipk? I don't think I would brick my router trying to build/run an .ipk in JFFS, so the risk would be low, but I really have no idea of the work involved to build an ipk for openvpn similar to this:

https://pkg.entware.net/binaries/armv7/openvpn-openssl_2.4.4-2_armv7soft.ipk


Tks.
J
jberlet
DD-WRT Novice


Joined: 14 Apr 2011
Posts: 13

PostPosted: Tue Jun 04, 2019 6:35    Post subject: Update on progress to build/deploy OpenVPN PAM plugin
Hello eibgrad,
Just thought I would update you on my progress building a custom OpenVPN package (using the Entware package builder), a USB thumb drive, and integrating it with Google Authenticator for MFA:

1.) I decided that BS/Kong probably are not going to build a version of their dd-wrt firmware that enables plugins to allow things like OpenVPN PAM, so instead of trying to build from their source, your suggestion to use Entware package manager seemed a better option.

2.) I had a spare external hard drive and a CentOS VM to build my Entware package dev. environment and went through the process of building that out following Entware's wiki:
https://github.com/Entware/Entware/wiki

3.) Once I learned the ins/outs of this build environment, I then checked out the full source of Entware as well as OpenWrt to this environment and figured out how to modify the included OpenVPN package that Entware provides to build/enable 2 things:
enable_plugins
&
enable_pam_authentication

in the OpenVPN package that Entware includes by default (it also pulls down the most current 2.4.7 OpenVPN source code along with OpenSSL 1.1.1 libs).

4.) Once I modified the Makefile for this package, I was able to run 'make' and create both an OpenVPN 2.4.7 .ipkg installer (I had already set up Opkg to mount/run on my router's USB drive) as well as the openvpn-plugin-auth-pam.so file, which is not included/installed/built by default in Entware's OpenVPN package.

5.) I then copied these .ipkg and .so files to my router and, following this guide:
https://medium.com/we-have-all-been-there/using-google-authenticator-mfa-with-openvpn-on-ubuntu-16-04-774e4acc2852

was able to install Entware/opkg's Google-Authenticator package, which allowed me to generate Google Authenticator codes for my router and set up user-specific VPN logins with MFA. Using the modified OpenVPN server/daemon I initially played around with Duo Security's MFA plugin, but I think I will stick with Google Authenticator for now.


I now have my router restart/init scripts and firewall rules all set up to accommodate loading my custom OpenVPN server/daemon (took some tweaking to turn this off properly in dd-wrt, unfortunately), but in the end it was just a matter of turning off the VPN service in the dd-wrt admin UI and reconfiguring all certs/startup config by hand, comparing what the UI wrote to the config files in the /jffs & /tmp directories on the router (NOTE: 'modprobe tun' was also needed to enable the 'tun' interface on startup of my router, which OpenVPN expects when it starts).

Probably a good week's worth of work to get this and MFA w/ Google Authenticator, but I should be able to maintain this "custom" VPN service through future BS/Kong dd-wrt builds (unless one day they decide to enable plugins, but even then they would need to include the PAM authentication plugin as an option for their built-in OpenVPN).
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Thu Jun 06, 2019 5:30    Post subject:
Thanks for the feedback. Sounds like a major hassle, but I suppose if you get what you want and learn some new things along the way, it's worth it. That's what I often do. I just pick a project and work it through until I either get it working or it exhausts me (and sometimes I do lose). Sounds like it might make a good write-up for a blog or similar.