OpenWRT on NSLU2 (part 2)

by cmur2 on 2013-05-30 in Linux

Dropbear public key authentication

When using LuCI I assumed that entering my public (RSA based) SSH key in System > Administration should be enough to log in without a password. But obviously something screwed up the file permissions in a way that Dropbear isn’t happy with, so fix it via:

chmod 0700 /etc/dropbear
chmod 0600 /etc/dropbear/authorized_keys

And yes, each user’s ~/.ssh/authorized_keys is reported to work too besides using /etc/dropbear/authorized_keys.
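To see which path is at fault before changing modes, the check below (an added example, not from the original post) flags the key directory or file when group or others can write to it. It assumes that this write bit is what Dropbear objects to; `audit_dropbear_keys`, `mode_of` and `writable_by_others` are names made up here.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the Dropbear key
# directory and its authorized_keys file are writable by group or others.
# Only `ls` and `cut` are used, since small BusyBox builds may lack `stat`.

# mode_of PATH -> prints the 10-character mode string, e.g. drwx------
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# writable_by_others PATH -> exit 0 if the group or other write bit is set
writable_by_others() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;  # char 6 = group w, char 9 = other w
        *) return 1 ;;
    esac
}

# audit_dropbear_keys [DIR] -> one line per path; exit status = paths to fix
# DIR defaults to /etc/dropbear; pass ~/.ssh to check a per-user key file.
audit_dropbear_keys() {
    dir="${1:-/etc/dropbear}"
    problems=0
    for path in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            problems=$((problems + 1))
        elif writable_by_others "$path"; then
            echo "TOO OPEN $(mode_of "$path") $path"
            problems=$((problems + 1))
        else
            echo "OK       $(mode_of "$path") $path"
        fi
    done
    return "$problems"
}
```

Source the file and run `audit_dropbear_keys`; an exit status of 0 means both paths are present and not writable by group or others.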

Uninstall preinstalled packages?

In one word: Don’t. The same goes for updating preinstalled packages (those that are already included in the OpenWRT image) - since that will eat up your free flash memory instead of replacing the old package which is stored on a read-only (squashed) partition.

The better way (without the need of compiling the whole OpenWRT stuff on your computer) is to use the OpenWRT Image Generator and include only the packages you need in your fully customizable OpenWRT image :) that will a) only include really necessary stuff for you and b) compress them using SquashFS which should make them even smaller compared to storing them in flash (on JFFS2 filesystem).

OpenVPN

I have been using OpenVPN for internal purposes for quite a long time now and wanted to connect my NSLU2 as an isolated client (no bridging with the network behind, maybe routing later) so that I can manage it remotely via ssh or LuCI through other VPN-connected clients.

First: Don’t use luci-app-openvpn (which aims to deliver a UI under Services > OpenVPN for configuring multiple OpenVPN client and/or server profiles) even if it looks nice to you - it’s completely buggy. Whenever I try to edit an existing config it instead creates a new one named ‘client_bridge_tap’ or something. Same goes for trying to save a newly created config. So I fell back to ssh, and editing /etc/config/openvpn is nearly all you have to do.

If you use certificates like me to authenticate your clients, make sure to copy them (and the key and CA files) to your device in some persistent location like the internal flash (the luci-app-openvpn uses /lib/uci/upload/) or some thumbdrive. In /etc/config/openvpn you can configure OpenVPN using the known OpenVPN options but with the UCI syntax! So a configuration basically looks like this (shortened for brevity so you get the concept):

config 'openvpn' 'example_org'
option client '1'
option dev 'tun0'

This file may contain multiple config-sections describing multiple OpenVPN daemons to start. Hope you like it!

Replacing Dropbear with OpenSSH?

After my first (failed) attempt to copy the OpenVPN configuration files to my slug via SFTP I found out that Dropbear is an .. um .. let’s call it an underfeatured SSH server. Obviously I’m not the first one having these problems. The instructions are very straightforward and as long as you keep an eye on your firewall settings (e.g. open the alternative SSH port 2222 before restarting Dropbear) so you don’t lock yourself out, nothing bad should happen.

Be warned: the openssh-server package is big (> 500 KiB, not including SFTP yet, which would be openssh-sftp-server). That might suggest installing it on your USB storage, but that introduces a strong dependency, and USB sticks are not the most reliable storage on earth.

Dropbear SSH client

Btw. even as SSH client Dropbear sucks (besides having its own format for storing private keys): You can’t use it out of the box with git since Dropbear has no key autodetection. You have to use the GIT_SSH environment variable to point to a script that invokes the Dropbear ssh client with an explicitly specified key file:

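#!/bin/sh
# Invoke the Dropbear ssh client with an explicit key file.
# "$@" passes git's arguments through unchanged, even if they contain spaces.
ssh -i ~/.ssh/id_rsa "$@"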

Don’t forget to chmod a+x ~/gitssh.sh!

And then do

export GIT_SSH=~/gitssh.sh

e.g. in your ~/.profile file to load this on every login.

Future

Maybe there will be a third part describing my IPv6 setup and more…

The post »OpenWRT on NSLU2 (part 2)«
is licensed under Creative Commons BY-NC-SA 3.0.

cmur2

https://www.mycrobase.de/
