I managed to get this to work on the VPN firmware with only a startup script. No need for JFFS or anything. Just put this in the Commands box on the Administration/Commands tab and click Save Startup. Replace the Xs with your actual keys/certs, of course.
greetings //skipper.dk
_________________
1 Asus RT-N16 with DD-WRT v24-sp2 (08/12/10) mega - build 14929
1 Asus WL-500g Premium with DD-WRT v24-sp2 (08/12/10) mega - build 14929
1 Synology ds101g+ with ds109 firmware and optware running..
1 Synology DS101 bricked
1 Synology DS409 optware running..
Posted: Wed Jul 18, 2012 17:03 Post subject: NVRAM vs. /jffs mounts
@tjcravey:
NVRAM is very limited, so when you extend your configuration further, then you will hit its limit sooner or later (just some KiB, depending on the hardware).
When you use a stronger key with more bits you will enter an even longer string, again getting closer to the NVRAM limit.
Update: If you overfill the NVRAM of your router it may get "semi-bricked". Then you have to try to reset your configuration somehow.
Therefore most people use /jffs with
either A) the rest of the flash (at least several KiB, mostly 1 MiB or more, depending on the hardware)
or B) a cheap USB stick with several GiB
People heavily working with their config prefer USB sticks to avoid wearing out the router flash (some thousand writes, as always depending on your hardware).
Additionally, just unplug the USB stick and you are close to the DD-Wrt initial state.
Using NVRAM is still a valid option (as is modifying the firmware image as Woefdram wants to).
Just for your information
Maddes
Last edited by maddes.b on Tue Feb 24, 2015 17:23; edited 5 times in total
What is the difference between key.pem and privkey.pem?
Did you already compare them? Either manually or with a tool (like diff)?
Did you use OpenSSL to look into the keys? (openssl rsa -in <keyfile> -noout -text)
Sorry if I was unclear, I was talking about the 2 types in the guide: key.pem and privkey.pem.
In DD-Wrt it is the same key: privkey.pem is encrypted (password protected) and key.pem is not.
Just look at src/router/httpd/gencert.sh.
Note that privkey.pem and cert.csr are meant to be temporary but are not deleted in the current versions (see last line of script).
ok thx i got both
@brantdk:
According to your previous posts the SSL certificate replacement worked.
Not being able to connect from the Internet is off-topic, please create a separate thread for this issue.
I recommend searching the forum and wiki for something like "accessing DD-Wrt from Internet via HTTPS" and I think you will find some answers about firewall/iptables.
If still in doubt provide some more information in the new thread.
You can edit your previous post and add a link to the new thread.
Additionally keep in mind that you may have to use a multi-domain certificate as you connect via different DNS names (e.g. brantdk.dyndns.org, router.lan, 192.168.1.1, etc.).
Worked perfectly for me (tjcravey's startup script method)
and solves the problem with Microsoft's new patch that restricts usage of keys less than 1024 bits.
For some reason, BrainSlayer keeps the built-in key to only 512 bits?.. but I digress.
You don't need to create and echo the privkey.pem file
echo "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E510E0F0B0685BF8
Nor do you need these:
chmod 0600 /tmp/ssl/privkey.pem
mount -o bind /tmp/ssl/privkey.pem /etc/privkey.pem
HTTP doesn't ever reference the privkey.pem file, just the RSA private key file (key.pem). I just tried it and it works fine with just key.pem and cert.pem.
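The checks discussed in the posts above (privkey.pem and key.pem being one key, the web server needing only key.pem and cert.pem, the 1024-bit minimum), as an added example that is not from any poster and not taken from DD-WRT's gencert.sh; it is meant to run on a workstation with OpenSSL before the files go onto the router. The passphrase `demo`, the CN `router.lan` and all helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example; the keys and certificate are constructed test data in a temp dir.
MIN_BITS=1024   # minimum key size named in the thread (Microsoft's patch)

# Public half of an RSA private key file; $2 is the passphrase ("" if none).
pubkey_of_key() { openssl rsa -in "$1" -passin "pass:$2" -pubout 2>/dev/null; }

# True if two private key files hold the same key pair.
same_key() {    # $1=key A  $2=pass A  $3=key B  $4=pass B
    a=$(pubkey_of_key "$1" "$2") && b=$(pubkey_of_key "$3" "$4") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# True if the PEM file is passphrase-protected (traditional or PKCS#8 header).
is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# True if the certificate carries the public key of this private key.
cert_matches_key() {    # $1=cert  $2=key  $3=pass
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) &&
        k=$(pubkey_of_key "$2" "$3") && [ -n "$c" ] && [ "$c" = "$k" ]
}

# Key size in bits as reported in the certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Build the file set the thread describes: encrypted privkey.pem, the same key
# unencrypted as key.pem, and a self-signed cert.pem (CN is a placeholder).
make_sample() {    # $1=dir  $2=bits
    openssl genrsa -aes256 -passout pass:demo -out "$1/privkey.pem" "$2" 2>/dev/null &&
    openssl rsa -in "$1/privkey.pem" -passin pass:demo -out "$1/key.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=router.lan" -days 30 \
        -out "$1/cert.pem" 2>/dev/null
}

d=$(mktemp -d) && make_sample "$d" 2048 || exit 1
same_key "$d/privkey.pem" demo "$d/key.pem" "" && echo "privkey.pem and key.pem hold the same key"
is_encrypted "$d/privkey.pem" && ! is_encrypted "$d/key.pem" && echo "only privkey.pem is encrypted"
cert_matches_key "$d/cert.pem" "$d/key.pem" "" && echo "cert.pem matches key.pem"
[ "$(cert_bits "$d/cert.pem")" -ge "$MIN_BITS" ] && echo "key size is at least $MIN_BITS bits"
```

For real files, call the helpers with the paths to your own key.pem and cert.pem instead of the generated sample.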
I have used this fantastic customization for the last few years (I chose the jffs/startup method), however I just replaced my router, and with a newer model (& a newer kernel) I cannot get this to work anymore. Does anyone have any help, an explanation, or know if this is a known limitation (without a recompile)?
I'm running DD-WRT v24-sp2, Kernel Version Linux 3.10.25.