Joined: 12 Feb 2019
Posted: Wed Feb 13, 2019 7:36 Post subject: nvoverlay
I wanted to use a custom TLS certificate for the web UI, but didn't want to use LetsEncrypt/ACME. I also didn't want to switch to a Kong build or use JFFS or lighttpd or alla that. Like some posters in this topic, I fell onto the bind mount option, but I didn't want a lot of clumsy crud in my startup. I wanted a cleaner and more generalizable solution.
So, I wrote a tool that lets me overlay any file that exists in the root filesystem with custom content. It uses nvram storage only, no JFFS or other persistent storage required. It should work out of the box on any recent dd-wrt build. See https://bitbucket.org/dgc/nvoverlay/.
Here's a complete guide to setting it up for the specific TLS certificate case.
First, copy your certificate and key to your router's home directory. For example, using SSH:
scp ddwrt.crt root@router:
scp ddwrt.key root@router:
You could create those files in other ways too.
Then install nvoverlay, initialize it, and store the key and certificate:
curl -kO https://bitbucket.org/dgc/nvoverlay/raw/tip/nvoverlay
chmod 755 nvoverlay
./nvoverlay init
./nvoverlay save /etc/cert.pem <ddwrt.crt
./nvoverlay save /etc/key.pem <ddwrt.key
That's it; on reboot you should have the new key and certificate running. You can restart just the web UI without a reboot if you want a preview:
stopservice httpd; startservice httpd
How it works:
When you run nvoverlay init, a couple of things happen:
* The "restore" functionality of nvoverlay is extracted and stored into nvram, in the nvover_restore parameter.
* The rc_startup parameter is modified to execute that code when the router reboots.
nvoverlay save saves files by encoding their final paths and saving them as nvram params. You can see them in nvram show. You can also list which files you've saved with ./nvoverlay list.
The nvover_restore code does the following:
* Scans nvram for saved files
* Copies each saved file to /tmp/nvram
* Uses a "bind mount" to map the file in /tmp/nvram to the location on the root filesystem that you want replaced (e.g. /etc/cert.pem)
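To make the save/restore mechanism concrete, here is a small shell model of it, added here and not taken from nvoverlay itself. It assumes a `nvover_file_` parameter prefix, hex-encoded paths, base64-encoded content (nvram values are single lines), staging each restored copy under its parameter name, and a file-backed stub (`NVRAM_BACKEND=file`) so it can be tried off the router; on the router it would use the real `nvram` tool and `mount -o bind`.

```shell
# Added example, not nvoverlay's own code: a minimal model of the mechanism
# described in the post. File content is stored under an nvram parameter
# named after the encoded path, restored into /tmp/nvram, then bind-mounted
# over the original root-fs location. Assumed (not from the post): the
# "nvover_file_" prefix, hex path encoding, base64 content encoding, and a
# directory stub backend (NVRAM_BACKEND=file) for running off the router.

NVRAM_BACKEND=${NVRAM_BACKEND:-nvram}
NVRAM_STORE=${NVRAM_STORE:-/tmp/nvram-stub}   # stub backend only
STAGE_DIR=${STAGE_DIR:-/tmp/nvram}            # where restored copies land
MOUNT_BIND=${MOUNT_BIND:-"mount -o bind"}     # overridable for dry runs

nv_get() {
  if [ "$NVRAM_BACKEND" = nvram ]; then nvram get "$1"
  else cat "$NVRAM_STORE/$1" 2>/dev/null; fi
}
nv_set() {
  if [ "$NVRAM_BACKEND" = nvram ]; then nvram set "$1=$2"
  else mkdir -p "$NVRAM_STORE" && printf '%s' "$2" > "$NVRAM_STORE/$1"; fi
}
nv_keys() {   # parameter names of every saved file (these show up in `nvram show`)
  if [ "$NVRAM_BACKEND" = nvram ]; then
    nvram show 2>/dev/null | sed -n 's/^\(nvover_file_[0-9a-f]*\)=.*/\1/p'
  else ls "$NVRAM_STORE" 2>/dev/null | grep '^nvover_file_'; fi
}

path_to_key() { printf 'nvover_file_%s' "$(printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n')"; }
key_to_path() {   # reverse of path_to_key: hex pairs back to bytes
  h=${1#nvover_file_}; out=
  while [ -n "$h" ]; do
    pair=$(printf '%.2s' "$h"); h=${h#??}
    out=$out$(printf "\\$(printf '%03o' "$((0x$pair))")")
  done
  printf '%s' "$out"
}

nvo_save() { nv_set "$(path_to_key "$1")" "$(base64 | tr -d '\n')"; }   # content on stdin

nvo_restore() {   # what the boot-time restore step does for each saved file
  mkdir -p "$STAGE_DIR"
  for key in $(nv_keys); do
    path=$(key_to_path "$key"); staged="$STAGE_DIR/$key"
    nv_get "$key" | base64 -d > "$staged" && chmod 600 "$staged"
    if [ -e "$path" ]; then $MOUNT_BIND "$staged" "$path"   # overlay the root fs file
    else echo "nvoverlay: $path does not exist on the root fs, skipping" >&2; fi
  done
}
```

Since nvram values are visible in `nvram show`, a private key stored this way is readable by anyone who can run that command on the router.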
You can replace files at any time by running ./nvoverlay save again. (Reboot or run ./nvoverlay restore to activate the newly saved file.)
You can remove a file from nvoverlay with ./nvoverlay rm /path/to/filename.
You can even make nvoverlay preserve itself: ./nvoverlay selfhost (This is not done by default because nvoverlay is over 2K in size, and nvram bytes are precious.) Doing so stores nvoverlay using nvoverlay, and stores a modified /etc/profile to add nvoverlay to your $PATH.
nvoverlay is a pretty simple shell script and does not require any additional software: just busybox, openssl, and nvram. It is versioned and if you should download a version with a newer nvram storage format, it can detect that it needs to be updated in nvram.
* In practice I find it easier to copy my cert.pem to my laptop's paste buffer, then run nvoverlay save /etc/cert.pem, paste, and press control-D (EOF).
* Remember that saving a new file does not make it visible in the root filesystem! You must run nvoverlay restore or reboot to do that.
* You can change your rc_startup and your /etc/profile (if using selfhost). nvoverlay will only modify them if it doesn't find the magic token "%nvoverlay%" in them.