
OpenVPN Heartbleed fix.

Discussion in 'Tomato Firmware' started by lancethepants, Apr 9, 2014.

  1. lancethepants

    lancethepants Network Guru Member

    Here's a temp fix until Heartbleed is fixed in firmware. (I also do this to have the latest version of OpenVPN).

    1. Download static OpenVPN that uses the latest OpenSSL, and place it in /jffs or on USB.
    http://files.lancethepants.com/Binaries/openvpn/ (mipsel only).

    Make sure to run
    Code:
    chmod +x /path/to/openvpn
    
    to make sure it's executable.

    2. Place the following in
    Scripts -> Init (If stored in jffs)
    USB and NAS -> USB Support -> Run after mounting (If stored on USB) (edit)
    Code:
    /bin/mount --bind /jffs/openvpn /usr/sbin/openvpn
    
    Adjust path to OpenVPN as needed.

    3. Reboot.


    The binary was created with this script, then stripped and compressed with upx.
    https://github.com/lancethepants/openvpn-mipsel-static
     
    Last edited: Apr 10, 2014
  2. Morac

    Morac Network Guru Member

    Thanks.

    Is rebooting really necessary though? Can't one manually run the mount command and then stop and start the OpenVPN server?

    When I did so the following appeared in the logs so it looks like it works.

    Code:
    TITLE,OpenVPN 2.3.3 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 9 2014
     
    Last edited: Apr 9, 2014
  3. lancethepants

    lancethepants Network Guru Member

    Yes you can just run it manually the first time too.
    Edit: Then you must manually restart OpenVPN too, like you mentioned.
     
  4. dc361

    dc361 LI Guru Member

    Also .. if you put the file on USB, the init script may not be the best place for the mount --bind as the device may not be mounted when the script is executed.
     
  5. lancethepants

    lancethepants Network Guru Member

    True. /jffs is the best option; it's always mounted before wanup/openvpn executes. Some disks may mount too slowly. In that case put the script in
    Code:
    USB and NAS -> USB Support -> Run after mounting
    
    and hopefully it still mounts fast enough before wanup when OpenVPN executes.
     
  6. dc361

    dc361 LI Guru Member

    Works like a charm on my system .. thanks.
     
  7. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Could I use /cifs1/ rather than /jffs/? I have a remote router already configured to log to a network share, and can dump the binary there fairly easily.

    Do init scripts run before or after the shares are mounted?

    Edit: I was thinking...
    Code:
    /bin/mount --bind /cifs1/openvpn /usr/sbin/openvpn
    service openvpn restart
    
    Under WAN Up?
     
    Last edited: Apr 9, 2014
  8. lancethepants

    lancethepants Network Guru Member

    It depends on how fast cifs1 mounts. If it's not fast enough, I would create '.autorun' in the root of cifs that runs the command. Make sure it's executable, and starts with '#!/bin/sh'.
    If OpenVPN starts before the .autorun does its thing, perhaps change OpenVPN to not start on wan, and tell .autorun to start it up for you. 'service openvpn start' I think it would be.
     
  9. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Err - wait - Tomato has an autorun feature? Or do I need to script it to check that file, somewhere?

    For security I disable all Autorun stuff on my Windows PCs. If Tomato automatically runs any .autorun file on a network share - well, I'm surprised. Probably my fault for never digging into the sourcecode.
     
  10. lancethepants

    lancethepants Network Guru Member

    I've never tested .autorun on cifs. It works on /opt and /mmc I know. I imagine it would work.
     
  11. Mate Rigo

    Mate Rigo Serious Server Member

    Thanks for the fast fix! Got it up and running.
     
  12. i1135t

    i1135t Network Guru Member

    Thanks for the share lancethepants. I'm running the latest shibby 116 AC build for N66U and getting this error
    Code:
    daemon.err openvpn[5082]: PLUGIN_INIT: could not load plugin shared object /lib/openvpn_plugin_auth_nvram.so: File not found: No such file or directory (errno=2)
    daemon.notice openvpn[5082]: Exiting due to fatal error
    
    I see the plugin in my path but I think the static build is not compiled with it? Any chance of compiling it with that dependency?
     
  13. lancethepants

    lancethepants Network Guru Member

    I was actually just playing around with OpenVPN plugins today. Despite the binary reporting it was built with plugin support (openvpn --version), it will not work. Plugin support requires the binary to be built dynamically (at least libc I imagine). This is true with all binaries I've encountered anyway.
    The advantage of a static binary is that I can use the entware toolchain (which I prefer).

    I'll try and grab the tomato toolchain however, and compile something you can use, just with static libs openssl and lzo2.

    btw, what is the plugin you're using? Something specially made in Shibby firmware?
     
  14. i1135t

    i1135t Network Guru Member

    I think it's with the GUI support for username/password authentication with openvpn. I reverted back to my scripting for user/pass auth so it appears to load fine now. I'll have to test it tomorrow to see if it works from the outside, but I think it should be OK. Thanks anyways.
     
  15. lancethepants

    lancethepants Network Guru Member

    That works. The binary I created from the tomatousb toolchain doesn't want to work with plugins anyway. Your scripting method I'm guessing uses 'auth-user-pass-verify ...', which I don't think is really a plugin.
     
  16. Joeviocoe

    Joeviocoe Network Newbie Member

    Getting error on OpenVPN clients:
    Code:
    Apr 10 09:04:59 daemon.notice openvpn[3300]: OpenVPN 2.3.3 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr  9 2014
    Apr 10 09:04:59 daemon.err openvpn[3300]: Sorry, 'Auth' password cannot be read from a file
    Apr 10 09:04:59 daemon.notice openvpn[3300]: Exiting due to fatal error
    The OpenVPN server works (it uses certs)... but the two clients have username/passwords typed into the gui, not in a separate file.

    Shibby 116 for Asus RT-N16
     
  17. lancethepants

    lancethepants Network Guru Member

    Due to the way static binaries work, it breaks plugin support, which is what the built-in username/password uses.
    I've uploaded another binary labeled 'tomato toolchain'. Give that one a test, maybe it will work. Only openssl and lzo2 are statically linked.
     
  18. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Doesn't work - but putting the init script under WAN Up seems to work fine.

    Thanks for getting a fixed binary out so fast!

    -BikeHelmet
     
  19. koitsu

    koitsu Network Guru Member

    Be aware you should not be putting bind mounts under WAN Up. If you MUST do this, then you need surrounding logic to ensure you don't end up with multiple bind mounts; Linux WILL allow you to do multiple bind mounts to the same mountpoint -- yes really -- and this can cause serious problems. The workaround is to throw some logic into the script to ensure this only happens once. I use the following in my mount.autorun (the logic of which is universal, i.e. can be used in Scripts not just *.autorun stuff):

    Code:
    # Bind-mount only when /proc/mounts does not already list the target,
    # so re-running the script never stacks a second bind mount.
    if ! /bin/grep -q /usr/sbin/openvpn /proc/mounts
    then
        /bin/mount -o bind /jffs/openvpn /usr/sbin/openvpn
    fi
    
    How this works is simple: grep -q returns no output, instead setting the exit code ($? variable) to 0 if there was at least one match, or to 1 otherwise. if will effectively test against the exit code by default.

    So in English, the above reads: "if /proc/mounts doesn't contain any mention of /usr/sbin/openvpn, then run /bin/mount -o bind ..."

    I should note /bin/mount --bind ... is effectively the same thing as /bin/mount -o bind ... but I prefer the latter syntax because it correlates directly with the usage syntax shown in mount -h. There is already enough chaos in Busybox's mount command/syntax with all the different underlying layers handling different one-offs/features that I try to stick to their shown help/usage syntax as much as possible.
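
    The guard koitsu describes, written out as an added example (not part of this post or of Tomato): it matches the mountpoint field of /proc/mounts exactly instead of substring-grepping, counts stacked bind mounts, and refuses to bind a source that is not executable (the chmod +x step from the first post). MOUNTS_FILE, DRY_RUN and the sample mounts table are assumptions so it can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths /jffs/openvpn and
# /usr/sbin/openvpn come from the thread; MOUNTS_FILE and DRY_RUN are
# assumptions that let the guard be tested against a sample file as non-root.

MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"   # point at a sample file for testing
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print the mount command instead of running it

# Count how often a mountpoint appears as field 2 of the mounts table.
# A count above 1 is the stacked-bind-mount condition koitsu warns about.
# Exact field comparison avoids false matches such as /usr/sbin/openvpn-foo.
bind_mount_count() {
    awk -v mp="$1" '$2 == mp { n++ } END { print n + 0 }' "$MOUNTS_FILE"
}

# Return 0 (true) when the target is not mounted at all and a bind is needed.
needs_bind_mount() {
    [ "$(bind_mount_count "$1")" -eq 0 ]
}

# Create the bind mount at most once; refuse a missing or non-executable source.
bind_once() {
    src="$1"; dst="$2"
    if [ ! -x "$src" ]; then
        echo "refusing: $src is missing or not executable (forgot chmod +x?)" >&2
        return 2
    fi
    if ! needs_bind_mount "$dst"; then
        echo "already bound: $dst appears $(bind_mount_count "$dst") time(s)" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "/bin/mount -o bind $src $dst"
    else
        /bin/mount -o bind "$src" "$dst"
    fi
}

# Constructed sample of /proc/mounts (not captured from a router): the
# openvpn target has already been bound twice, i.e. a WAN Up script ran twice.
write_sample_mounts() {
    cat > "$1" <<'EOF'
rootfs / rootfs rw 0 0
/dev/mtdblock4 /jffs jffs2 rw,noatime 0 0
/dev/mtdblock4 /usr/sbin/openvpn jffs2 rw,noatime 0 0
/dev/mtdblock4 /usr/sbin/openvpn jffs2 rw,noatime 0 0
EOF
}
```

    Running it with MOUNTS_FILE pointed at the sample table shows the guard declining to add a third bind mount, while a fresh target goes through exactly once.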
     
  20. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Thanks, Koitsu! I've made the adjustments so that things don't get weird.

    Edit: It doesn't work if I put that in the WAN Up script, so I've rolled it back for now.

    -BikeHelmet
     
    Last edited: Apr 10, 2014
