Bitbull Tech Notes - home of free minds ...

Simple Ping Monitoring with OpenWRT and aspsms

I use this to get informed by SMS when a virtualization host or the monitoring server goes down.

ssh -lroot openwrt-box

/etc/config/bin/aspsms.sh
------
#!/bin/sh
# send aspsms messages: aspsms.sh <mobile> "<text>"
PATH=/usr/bin:/usr/sbin:/bin:/sbin:/etc/config/bin
export PATH

UserKey='AABBCC112233'
Password='secret9'
FROM=fw-owrt
MOBILE="$1"
SMS="$2"
# the text goes into the query string as is, so spaces have to go
SMS="`echo "$SMS" | tr ' ' '_'`"
echo "$SMS"

# -k skips the server certificate check; drop it once ca-certificates is installed
curl -k "https://webservice.aspsms.com/aspsmsx2.asmx/SendSimpleTextSMS?UserKey=$UserKey&Password=$Password&Recipients=$MOBILE&Originator=$FROM&MessageText=$SMS"
------


/etc/config/bin/checkhost.sh
------
#!/bin/sh

# check some hosts by ping and send an SMS on every state change

PATH=/usr/bin:/usr/sbin:/bin:/sbin:/etc/config/bin
export PATH

# name:ip pairs to watch
HOSTS='kvm1:10.2.1.30 kvm2:10.2.1.31 fw-a-u008-01:10.2.100.1 nagios1:10.2.1.24 uplink_to_google:8.8.8.8'

MOBILES='+41794221100 +41782112120'

for HOST in $HOSTS
do
  IP=`echo "$HOST" | cut -d: -f2`
  NAME=`echo "$HOST" | cut -d: -f1`
  # two tries with a one second timeout before the host counts as down
  ping -c1 -w1 "$IP" >/dev/null 2>&1 || ping -c1 -w1 "$IP" >/dev/null 2>&1
  if [ $? -ne 0 ]
  then
    # /tmp/$NAME.fail marks an outage that was already reported,
    # so only the first failed check sends the SMS
    if [ ! -f "/tmp/$NAME.fail" ]
    then
      touch "/tmp/$NAME.fail"
      for MOBILE in $MOBILES
      do
        aspsms.sh "$MOBILE" "$NAME is down"
      done
    fi
  else
    # the host answers again: clear the marker and report the recovery once
    if [ -f "/tmp/$NAME.fail" ]
    then
      rm -f "/tmp/$NAME.fail"
      for MOBILE in $MOBILES
      do
        aspsms.sh "$MOBILE" "$NAME is online"
      done
    fi
  fi
done
------

Insert the cron job so the check runs every minute:

crontab -e
------
* * * * * /etc/config/bin/checkhost.sh
------

Put things together:

opkg update
opkg install curl
chmod 700 /etc/config/bin/*
/etc/init.d/cron enable
/etc/init.d/cron stop
/etc/init.d/cron start
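As an added example (not the post's own code), here is the same check with a miss counter, so a host is reported only after FAIL_THRESHOLD failed runs instead of on the first lost ping, and a sender that lets curl do the URL encoding and certificate check instead of the tr trick and -k. host_transition, send_sms, check_all, STATE_DIR and FAIL_THRESHOLD are names chosen here.

```sh
#!/bin/sh
# Added example (not from the original post): checkhost.sh's state handling
# with a failure threshold, so one lost ping does not cost an SMS, plus an
# aspsms sender that keeps TLS verification on and URL-encodes the text.
# Assumed names: host_transition, send_sms, check_all, STATE_DIR, FAIL_THRESHOLD.

STATE_DIR=${STATE_DIR:-/tmp/checkhost}
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}      # consecutive misses before "down"
HOSTS='kvm1:10.2.1.30 nagios1:10.2.1.24 uplink_to_google:8.8.8.8'
MOBILES='+41794221100'
UserKey='AABBCC112233'; Password='secret9'; FROM=fw-owrt   # as in aspsms.sh
# ping_host IP: two tries with a one second timeout, like the original
ping_host() {
    ping -c1 -w1 "$1" >/dev/null 2>&1 || ping -c1 -w1 "$1" >/dev/null 2>&1
}

# host_transition NAME RC  (RC: 0 = reachable, anything else = unreachable)
# Prints DOWN when the miss counter reaches FAIL_THRESHOLD, UP when a host
# that was reported down answers again, nothing in every other case.
host_transition() {
    cnt_file=$STATE_DIR/$1.count; fail_file=$STATE_DIR/$1.fail
    mkdir -p "$STATE_DIR"
    if [ "$2" -ne 0 ]; then
        count=$(( $(cat "$cnt_file" 2>/dev/null || echo 0) + 1 ))
        echo "$count" > "$cnt_file"
        if [ "$count" -ge "$FAIL_THRESHOLD" ] && [ ! -f "$fail_file" ]; then
            touch "$fail_file"; echo DOWN
        fi
    else
        rm -f "$cnt_file"                  # a reply resets the miss counter
        if [ -f "$fail_file" ]; then
            rm -f "$fail_file"; echo UP
        fi
    fi
}

# send_sms MOBILE TEXT: same aspsms endpoint as the post; curl URL-encodes each
# parameter (--get puts them in the query string) and checks the server
# certificate, which needs the ca-certificates package on OpenWRT.
send_sms() {
    curl -sS --get \
        --data-urlencode "UserKey=$UserKey" --data-urlencode "Password=$Password" \
        --data-urlencode "Recipients=$1" --data-urlencode "Originator=$FROM" \
        --data-urlencode "MessageText=$2" \
        "https://webservice.aspsms.com/aspsmsx2.asmx/SendSimpleTextSMS"
}

# check_all: one pass over HOSTS (name:ip); an SMS goes out only on a change
check_all() {
    for host in $HOSTS; do
        name=${host%%:*}; ip=${host#*:}
        ping_host "$ip"; rc=$?
        state=$(host_transition "$name" "$rc")
        [ -n "$state" ] || continue
        for mobile in $MOBILES; do
            send_sms "$mobile" "$name is $state"
        done
    done
}
```

Run check_all from the same cron line as before; the counter files live in STATE_DIR, so a reboot (which clears /tmp) starts from a clean state.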

Provide Static Routes via DNSMasq on OpenWRT

OpenWRT is great for creating simple site-to-site VPNs with OpenVPN.

I often use these settings (example) for a site-to-site VPN:

  • Local Network: 192.168.1.0/24
  • Local ADSL Gateway: 192.168.1.1
  • Local OpenWRT VPN Gateway: 192.168.1.2
  • Remote Network: 192.168.9.0/24
  • Remote ADSL Gateway: 192.168.9.1
  • Remote OpenWRT VPN Gateway: 192.168.9.2

To configure the local gateway's DNSMasq (DHCP server) so that it hands its clients a static route to the remote network, use this config:

/etc/config/dhcp

config dhcp 'lan'
	[...]
	list dhcp_option '249,192.168.9.0/24,192.168.1.2'
	list dhcp_option '121,192.168.9.0/24,192.168.1.2'

You can also set these options in the LuCI web interface:

Network > Interfaces > LAN > Edit > DHCP Server > Advanced Settings > Dhcp-Options

  • 249,192.168.9.0/24,192.168.1.2
  • 121,192.168.9.0/24,192.168.1.2

I use two different options for the same route, which is not strictly needed:
Windows clients (older ones) read option 249, Linux clients read both options.
I did only a few tests, so check which option your clients actually honour before you rely on it.

https://tools.ietf.org/html/rfc3442

https://msdn.microsoft.com/en-us/library/cc227282.aspx


PS: For the ISC DHCP server, you can do it this way (the option name in the declaration and in the subnet block must match):

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
subnet 192.168.1.0 netmask 255.255.255.0 {
   option rfc3442-classless-static-routes 24, 192,168,9, 192,168,1,2;
   option ms-classless-static-routes 24, 192,168,9, 192,168,1,2;
}
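The octet array in the ISC variant is the RFC 3442 encoding of the route; as an added example (not from the original post), this helper builds it from routes written in the dnsmasq form and handles several routes at once, including the default route that a client honouring option 121 needs in the list because it then ignores option 3. rfc3442_encode and isc_route_options are names chosen here.

```sh
#!/bin/sh
# Added example (not part of the original post): build the octet array that
# ISC dhcpd wants for options 121 and 249 from routes written as in the
# dnsmasq line (NET/PREFIX,GATEWAY), following RFC 3442. Assumed names:
# rfc3442_encode, isc_route_options.

# rfc3442_encode NET/PREFIX,GATEWAY ...
# Per route: prefix length, then only the significant network octets
# (ceil(prefix/8) of them, none for 0.0.0.0/0), then the four gateway octets.
rfc3442_encode() {
    out=""
    for route in "$@"; do
        net=${route%%/*}; rest=${route#*/}
        prefix=${rest%%,*}; gw=${rest#*,}
        if [ "$prefix" -lt 0 ] || [ "$prefix" -gt 32 ] || [ "$gw" = "$rest" ]; then
            echo "bad route: $route" >&2; return 1
        fi
        significant=$(( (prefix + 7) / 8 ))
        out="${out:+$out,}$prefix"
        oldifs=$IFS; IFS=.
        i=0
        for octet in $net; do
            i=$((i + 1))
            if [ "$i" -le "$significant" ]; then out="$out,$octet"; fi
        done
        for octet in $gw; do out="$out,$octet"; done
        IFS=$oldifs
    done
    printf '%s\n' "$out"
}

# isc_route_options ROUTE ...: the two option lines for a subnet block, the
# same route list in 121 and 249 as in the PS above. A client that understands
# option 121 ignores option 3 (routers), so put the default route in here too.
isc_route_options() {
    enc=$(rfc3442_encode "$@") || return 1
    printf '   option rfc3442-classless-static-routes %s;\n' "$enc"
    printf '   option ms-classless-static-routes %s;\n' "$enc"
}
```

For the setup above, isc_route_options 0.0.0.0/0,192.168.1.1 192.168.9.0/24,192.168.1.2 prints the two lines for the subnet block.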

OpenDNS, google SafeSearch and Youtube restricted by OpenWrt Router

For parental control, I tested building a cheap solution that can protect a small network.
I tested with a D-Link DIR-505 and OpenWRT BB v14.7 r42625.

https://support.google.com/youtube/answer/6214622?hl=de

With DNSMasq it is not possible to configure "Response Policy Zones", which would create the CNAME needed to force restricted mode on YouTube and Google searches. BUT we can create simple A records that do the job.

It is a good idea to block the whole category "search engines" in the OpenDNS dashboard and then add an exception for Google; that is safe enough to protect growing children at home.

Here are my notes on how to build this protection with a simple OpenWRT router.

Set up OpenWRT and configure the IP range as needed.

  • Configure DNSMasq to forward DNS queries to the OpenDNS nameservers (clients get the router as DNS via DHCP): /etc/config/dhcp
------
config dnsmasq
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# '0' switches off dnsmasq's DNS rebinding filter (upstream answers with
# private addresses are accepted); keep the default '1' unless something breaks
option rebind_protection '0'
list server '208.67.222.222'
list server '208.67.220.220'
option local '/lan/'
option domain 'lan'
option authoritative '1'
option logqueries '0'

config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option start '20'
option limit '50'
option force '1'
#option dhcp_option '3,192.168.1.254' #default route
------
  • Register an account on www.opendns.com and configure your network according to your needs
  • Install what the DDNS script needs on OpenWRT:
opkg update
opkg install wget ca-certificates
  • Configure the DDNS script that updates your home WAN IP at OpenDNS:
    /etc/config/opendns_updater.sh
------
#!/bin/sh
# DESC: script to update the dynamic IP of your network at opendns.com
# $Revision: 1.1 $
# $RCSfile: opendns_updater.sh,v $
# $Author: chris $
# Copyright (c) Chris Ruettimann <chris@bitbull.ch>

# This software is licensed to you under the GNU General Public License.
# There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/gpl.txt

# OpenWRT: opkg update ; opkg install wget
#           vi /etc/config/opendns_updater.sh #put script here
#           chmod 700 /etc/config/opendns_updater.sh
#           crontab -e  #put: */10 * * * * /etc/config/opendns_updater.sh
#           /etc/init.d/cron enable ; /etc/init.d/cron restart

PATH=/sbin:/bin:/usr/sbin:/usr/bin
#------------------ MyVariables -------------------------------------
USR=user@domain.com
PW=secret123
NETW=MyNetworkName
#------------------------------------------------------------------
URL="https://updates.opendns.com/nic/update?hostname=$NETW"

# the last IP we reported, so the update only runs when the WAN IP changed
test -f /tmp/odns.ip || touch /tmp/odns.ip
LASTIP=`cat /tmp/odns.ip`
CURRENTIP=`wget -q -O - ip.changeip.com | grep '^[0-9]'`

# compare
if [ "$CURRENTIP" != "$LASTIP" ]
then
   logger -t `basename $0` "LASTIP=$LASTIP CURRENTIP=$CURRENTIP, update it now"
   # OpenDNS answers "good <ip>" on a successful update
   wget -nv --http-user="$USR" --http-password="$PW" -O - "$URL" 2>&1 | grep -q good
   if [ $? -eq 0 ]
   then
      logger -t `basename $0` "update successful"
      echo "$CURRENTIP" > /tmp/odns.ip
   else
      # the password is masked on purpose: this line ends up in syslog
      logger -t `basename $0` "update failed, try exec: wget -nv --http-user=\"$USR\" --http-password=\"***\" -O - \"$URL\""
   fi
else
   logger -t `basename $0` "LASTIP=$LASTIP CURRENTIP=$CURRENTIP, do nothing"
fi
------
  • Change the variables according to your needs and enable the script:
chmod 700 /etc/config/opendns_updater.sh

crontab -e
---------------------
*/10 * * * * /etc/config/opendns_updater.sh
---------------------

/etc/init.d/cron enable
/etc/init.d/cron restart

Configure DNSMasq to force Google SafeSearch and YouTube restricted mode in /etc/dnsmasq.conf:

# youtube restricted search
# 216.239.38.120 is the address behind restrict.youtube.com / forcesafesearch.google.com,
# the CNAME targets from Google's documentation
address=/youtubei.googleapis.com/216.239.38.120
address=/m.youtube.com/216.239.38.120
address=/www.youtube.com/216.239.38.120

# youtube mobile clients
address=/android.googleapis.com/216.239.38.120
address=/android.clients.google.com/216.239.38.120
address=/www.youtube-nocookie.com/216.239.38.120
address=/www.googleapis.com/216.239.38.120

# google safe search
address=/www.google.com/216.239.38.120
address=/www.google.ac/216.239.38.120
address=/www.google.ad/216.239.38.120
address=/www.google.ae/216.239.38.120
address=/www.google.af/216.239.38.120
address=/www.google.ag/216.239.38.120
address=/www.google.al/216.239.38.120
address=/www.google.am/216.239.38.120
address=/www.google.as/216.239.38.120
address=/www.google.at/216.239.38.120
address=/www.google.az/216.239.38.120
address=/www.google.ba/216.239.38.120
address=/www.google.be/216.239.38.120
address=/www.google.bf/216.239.38.120
address=/www.google.bg/216.239.38.120
address=/www.google.bi/216.239.38.120
address=/www.google.bj/216.239.38.120
address=/www.google.bs/216.239.38.120
address=/www.google.bt/216.239.38.120
address=/www.google.by/216.239.38.120
address=/www.google.ca/216.239.38.120
address=/www.google.cat/216.239.38.120
address=/www.google.cc/216.239.38.120
address=/www.google.cd/216.239.38.120
address=/www.google.cf/216.239.38.120
address=/www.google.cg/216.239.38.120
address=/www.google.ch/216.239.38.120
address=/www.google.ci/216.239.38.120
address=/www.google.cl/216.239.38.120
address=/www.google.cm/216.239.38.120
address=/www.google.cn/216.239.38.120
address=/www.google.co.ao/216.239.38.120
address=/www.google.co.bw/216.239.38.120
address=/www.google.co.ck/216.239.38.120
address=/www.google.co.cr/216.239.38.120
address=/www.google.co.hu/216.239.38.120
address=/www.google.co.id/216.239.38.120
address=/www.google.co.il/216.239.38.120
address=/www.google.co.im/216.239.38.120
address=/www.google.co.in/216.239.38.120
address=/www.google.co.je/216.239.38.120
address=/www.google.co.jp/216.239.38.120
address=/www.google.co.ke/216.239.38.120
address=/www.google.co.kr/216.239.38.120
address=/www.google.co.ls/216.239.38.120
address=/www.google.co.ma/216.239.38.120
address=/www.google.co.mz/216.239.38.120
address=/www.google.co.nz/216.239.38.120
address=/www.google.co.th/216.239.38.120
address=/www.google.co.tz/216.239.38.120
address=/www.google.co.ug/216.239.38.120
address=/www.google.co.uk/216.239.38.120
address=/www.google.co.uz/216.239.38.120
address=/www.google.co.ve/216.239.38.120
address=/www.google.co.vi/216.239.38.120
address=/www.google.co.za/216.239.38.120
address=/www.google.co.zm/216.239.38.120
address=/www.google.co.zw/216.239.38.120
address=/www.google.com.af/216.239.38.120
address=/www.google.com.ag/216.239.38.120
address=/www.google.com.ai/216.239.38.120
address=/www.google.com.ar/216.239.38.120
address=/www.google.com.au/216.239.38.120
address=/www.google.com.bd/216.239.38.120
address=/www.google.com.bh/216.239.38.120
address=/www.google.com.bn/216.239.38.120
address=/www.google.com.bo/216.239.38.120
address=/www.google.com.br/216.239.38.120
address=/www.google.com.by/216.239.38.120
address=/www.google.com.bz/216.239.38.120
address=/www.google.com.cn/216.239.38.120
address=/www.google.com.co/216.239.38.120
address=/www.google.com.cu/216.239.38.120
address=/www.google.com.cy/216.239.38.120
address=/www.google.com.do/216.239.38.120
address=/www.google.com.ec/216.239.38.120
address=/www.google.com.eg/216.239.38.120
address=/www.google.com.et/216.239.38.120
address=/www.google.com.fj/216.239.38.120
address=/www.google.com.ge/216.239.38.120
address=/www.google.com.gh/216.239.38.120
address=/www.google.com.gi/216.239.38.120
address=/www.google.com.gr/216.239.38.120
address=/www.google.com.gt/216.239.38.120
address=/www.google.com.hk/216.239.38.120
address=/www.google.com.iq/216.239.38.120
address=/www.google.com.jm/216.239.38.120
address=/www.google.com.jo/216.239.38.120
address=/www.google.com.kh/216.239.38.120
address=/www.google.com.kw/216.239.38.120
address=/www.google.com.lb/216.239.38.120
address=/www.google.com.ly/216.239.38.120
address=/www.google.com.mm/216.239.38.120
address=/www.google.com.mt/216.239.38.120
address=/www.google.com.mx/216.239.38.120
address=/www.google.com.my/216.239.38.120
address=/www.google.com.na/216.239.38.120
address=/www.google.com.nf/216.239.38.120
address=/www.google.com.ng/216.239.38.120
address=/www.google.com.ni/216.239.38.120
address=/www.google.com.np/216.239.38.120
address=/www.google.com.nr/216.239.38.120
address=/www.google.com.om/216.239.38.120
address=/www.google.com.pa/216.239.38.120
address=/www.google.com.pe/216.239.38.120
address=/www.google.com.pg/216.239.38.120
address=/www.google.com.ph/216.239.38.120
address=/www.google.com.pk/216.239.38.120
address=/www.google.com.pl/216.239.38.120
address=/www.google.com.pr/216.239.38.120
address=/www.google.com.py/216.239.38.120
address=/www.google.com.qa/216.239.38.120
address=/www.google.com.ru/216.239.38.120
address=/www.google.com.sa/216.239.38.120
address=/www.google.com.sb/216.239.38.120
address=/www.google.com.sg/216.239.38.120
address=/www.google.com.sl/216.239.38.120
address=/www.google.com.sv/216.239.38.120
address=/www.google.com.tj/216.239.38.120
address=/www.google.com.tn/216.239.38.120
address=/www.google.com.tr/216.239.38.120
address=/www.google.com.tw/216.239.38.120
address=/www.google.com.ua/216.239.38.120
address=/www.google.com.uy/216.239.38.120
address=/www.google.com.vc/216.239.38.120
address=/www.google.com.ve/216.239.38.120
address=/www.google.com.vn/216.239.38.120
address=/www.google.cv/216.239.38.120
address=/www.google.cz/216.239.38.120
address=/www.google.de/216.239.38.120
address=/www.google.dj/216.239.38.120
address=/www.google.dk/216.239.38.120
address=/www.google.dm/216.239.38.120
address=/www.google.dz/216.239.38.120
address=/www.google.ee/216.239.38.120
address=/www.google.es/216.239.38.120
address=/www.google.eus/216.239.38.120
address=/www.google.fi/216.239.38.120
address=/www.google.fm/216.239.38.120
address=/www.google.fr/216.239.38.120
address=/www.google.frl/216.239.38.120
address=/www.google.ga/216.239.38.120
address=/www.google.gal/216.239.38.120
address=/www.google.ge/216.239.38.120
address=/www.google.gg/216.239.38.120
address=/www.google.gl/216.239.38.120
address=/www.google.gm/216.239.38.120
address=/www.google.gp/216.239.38.120
address=/www.google.gr/216.239.38.120
address=/www.google.gy/216.239.38.120
address=/www.google.hk/216.239.38.120
address=/www.google.hn/216.239.38.120
address=/www.google.hr/216.239.38.120
address=/www.google.ht/216.239.38.120
address=/www.google.hu/216.239.38.120
address=/www.google.ie/216.239.38.120
address=/www.google.im/216.239.38.120
address=/www.google.in/216.239.38.120
address=/www.google.info/216.239.38.120
address=/www.google.iq/216.239.38.120
address=/www.google.ir/216.239.38.120
address=/www.google.is/216.239.38.120
address=/www.google.it/216.239.38.120
address=/www.google.it.ao/216.239.38.120
address=/www.google.je/216.239.38.120
address=/www.google.jo/216.239.38.120
address=/www.google.jobs/216.239.38.120
address=/www.google.jp/216.239.38.120
address=/www.google.kg/216.239.38.120
address=/www.google.ki/216.239.38.120
address=/www.google.kz/216.239.38.120
address=/www.google.la/216.239.38.120
address=/www.google.li/216.239.38.120
address=/www.google.lk/216.239.38.120
address=/www.google.lt/216.239.38.120
address=/www.google.lu/216.239.38.120
address=/www.google.lv/216.239.38.120
address=/www.google.md/216.239.38.120
address=/www.google.me/216.239.38.120
address=/www.google.mg/216.239.38.120
address=/www.google.mk/216.239.38.120
address=/www.google.ml/216.239.38.120
address=/www.google.mn/216.239.38.120
address=/www.google.ms/216.239.38.120
address=/www.google.mu/216.239.38.120
address=/www.google.mv/216.239.38.120
address=/www.google.mw/216.239.38.120
address=/www.google.ne/216.239.38.120
address=/www.google.ne.jp/216.239.38.120
address=/www.google.net/216.239.38.120
address=/www.google.ng/216.239.38.120
address=/www.google.nl/216.239.38.120
address=/www.google.no/216.239.38.120
address=/www.google.nr/216.239.38.120
address=/www.google.nu/216.239.38.120
address=/www.google.off.ai/216.239.38.120
address=/www.google.pk/216.239.38.120
address=/www.google.pl/216.239.38.120
address=/www.google.pn/216.239.38.120
address=/www.google.ps/216.239.38.120
address=/www.google.pt/216.239.38.120
address=/www.google.ro/216.239.38.120
address=/www.google.rs/216.239.38.120
address=/www.google.ru/216.239.38.120
address=/www.google.rw/216.239.38.120
address=/www.google.sc/216.239.38.120
address=/www.google.se/216.239.38.120
address=/www.google.sh/216.239.38.120
address=/www.google.si/216.239.38.120
address=/www.google.sk/216.239.38.120
address=/www.google.sm/216.239.38.120
address=/www.google.sn/216.239.38.120
address=/www.google.so/216.239.38.120
address=/www.google.sr/216.239.38.120
address=/www.google.st/216.239.38.120
address=/www.google.td/216.239.38.120
address=/www.google.tel/216.239.38.120
address=/www.google.tg/216.239.38.120
address=/www.google.tk/216.239.38.120
address=/www.google.tl/216.239.38.120
address=/www.google.tm/216.239.38.120
address=/www.google.tn/216.239.38.120
address=/www.google.to/216.239.38.120
address=/www.google.tt/216.239.38.120
address=/www.google.ua/216.239.38.120
address=/www.google.us/216.239.38.120
address=/www.google.uz/216.239.38.120
address=/www.google.vg/216.239.38.120
address=/www.google.vu/216.239.38.120
address=/www.google.ws/216.239.38.120

Move the DNSMasq config file into the config folder, so it is kept with the rest of the configuration:

mv /etc/dnsmasq.conf /etc/config/
ln -s /etc/config/dnsmasq.conf /etc/dnsmasq.conf
ls -l /etc/dnsmasq.conf

  • Enable all the services (just to make sure :)
for d in /etc/init.d/cron /etc/init.d/dnsmasq /etc/init.d/uhttpd
do
   $d enable
   $d restart
done

That's all, not bad for 25 CHF :-)


A small note at the end:

Android YouTube clients drove me crazy: safe search did not work with them and I found no hint on the internet ... not even with Google :-)
To see which names such a client resolves, enable DNS query logging with option logqueries '1' in /etc/config/dhcp, then:

/etc/init.d/dnsmasq restart
logread -f

Fire a porn query from the mobile client and watch the log :-)
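As an added example (not from the original post) of that hunt for hostnames, this script compares a dnsmasq query log against the address= overrides and lists the names a client resolved that are not forced to the safe-search address, including the subdomain matching dnsmasq does for address= entries. The config and log lines are constructed samples; forced_names, queried_names and unforced_names are names chosen here.

```sh
#!/bin/sh
# Added example (not from the original post): given a dnsmasq.conf with
# address=/name/ip overrides and the query log that logqueries '1' produces,
# list the names a client asked for that are NOT forced to the safe-search
# address. This is the check behind the logread hint above, done offline.
# The config and log lines below are constructed samples; assumed names:
# forced_names, queried_names, unforced_names.

SAMPLE_CONF='address=/www.youtube.com/216.239.38.120
address=/m.youtube.com/216.239.38.120
address=/www.google.ch/216.239.38.120'

SAMPLE_LOG='Jan  1 20:01:02 fw dnsmasq[1234]: query[A] www.google.ch from 192.168.1.23
Jan  1 20:01:02 fw dnsmasq[1234]: config www.google.ch is 216.239.38.120
Jan  1 20:01:05 fw dnsmasq[1234]: query[A] youtubei.googleapis.com from 192.168.1.23
Jan  1 20:01:05 fw dnsmasq[1234]: forwarded youtubei.googleapis.com to 208.67.222.222
Jan  1 20:01:07 fw dnsmasq[1234]: query[AAAA] www.youtube.com from 192.168.1.23
Jan  1 20:01:09 fw dnsmasq[1234]: query[A] android.clients.google.com from 192.168.1.23'

# forced_names CONF: the names that have an address= override
forced_names() {
    printf '%s\n' "$1" | sed -n 's#^address=/\([^/]*\)/.*#\1#p'
}

# queried_names LOG [CLIENT]: distinct queried names, optionally for one client IP
queried_names() {
    printf '%s\n' "$1" | awk -v client="$2" \
        '/: query\[/ && (client == "" || $NF == client) { print $(NF-2) }' | sort -u
}

# unforced_names CONF LOG [CLIENT]: queried names without an override.
# dnsmasq address= also covers subdomains (an entry for b.c answers a.b.c),
# so every parent domain of a queried name is checked as well.
unforced_names() {
    forced=$(forced_names "$1")
    queried_names "$2" "$3" | while read -r name; do
        covered=0
        candidate=$name
        while [ -n "$candidate" ]; do
            if printf '%s\n' "$forced" | grep -qxF "$candidate"; then
                covered=1
                break
            fi
            case $candidate in
                *.*) candidate=${candidate#*.} ;;
                *)   candidate="" ;;
            esac
        done
        [ "$covered" -eq 1 ] || echo "$name"
    done
}
```

On the router, feed it the real files instead of the samples: unforced_names "$(cat /etc/dnsmasq.conf)" "$(logread)" 192.168.1.23 prints what the phone resolved past the overrides.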

OpenVPN Server on OpenWRT

http://wiki.openwrt.org/doc/howto/vpn.openvpn

Remote Network: 192.168.11.0/24
Transport Network: 10.8.0.0/24
WAN IP: myvpn.bitbull.ch

opkg update
opkg install openvpn-openssl openvpn-easy-rsa
  • /etc/easy-rsa/vars
------
export KEY_COUNTRY="CH"
export KEY_PROVINCE="SG"
export KEY_CITY="St. Gall"
export KEY_ORG="Bitbull Tech"
export KEY_EMAIL="crn@bitbull.ch"
export KEY_OU="Office"
export KEY_NAME="work.bitbull.ch"
------

cd /etc/easy-rsa/

. /etc/easy-rsa/vars   ## KEY_DIR and the settings above come from here
clean-all

pkitool --initca ## equivalent to the 'build-ca' script
pkitool --server fw3 ## equivalent to the 'build-key-server' script

build-dh ## and grab some coffee

cd $KEY_DIR
mkdir -p /etc/openvpn
cp ca.crt fw3.* dh2048.pem /etc/openvpn/

uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci commit network; /etc/init.d/network reload

uci add firewall rule
uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194

uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn0

uci commit firewall
/etc/init.d/firewall reload
  • /etc/config/openvpn
------
config openvpn 'myvpn'
option enabled '1'
option dev 'tun'
option proto 'udp'
option log '/tmp/openvpn.log'
option verb '3'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/fw3.crt'
option key '/etc/openvpn/fw3.key'
# enable once revoke-full has created crl.pem; without the file, client verification fails
#option crl_verify '/etc/easy-rsa/keys/crl.pem'
option server '10.8.0.0 255.255.255.0'
option port '1194'
option keepalive '10 120'
option dh '/etc/openvpn/dh2048.pem'
option comp_lzo 'adaptive'
list push 'route 192.168.11.0 255.255.255.0'
------

/etc/init.d/openvpn start
sleep 3
ps -w | grep openvpn
ifconfig | grep tun0
netstat -an | grep 1194
cat /tmp/openvpn.log
  • /etc/easy-rsa/keys/client-ovpn-create.sh
------
#!/bin/sh
# build an inline .ovpn client profile: client-ovpn-create.sh <name>
# (run inside the keys directory, where ca.crt and <name>.crt/.key live)
[ $# -ne 1 ] && exit 1
CONF="$1.ovpn"
# never overwrite an existing profile
test -r "$CONF" && exit 1
# remote-cert-tls server: the client accepts only a peer certificate that was
# built with 'pkitool --server' (added hardening, not in the first version)
echo "client
dev tun
proto udp
remote myvpn.bitbull.ch 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
<ca>
$(cat ca.crt)
</ca>
<cert>
$(cat "$1.crt")
</cert>
<key>
$(cat "$1.key")
</key>" > "$PWD/$CONF"
------

pkitool user1.bitbull.ch ## equivalent to the 'build-key' script
pkitool user2.bitbull.ch ## equivalent to the 'build-key' script

sh client-ovpn-create.sh user1.bitbull.ch
sh client-ovpn-create.sh user2.bitbull.ch

ls -l *.ovpn

