Running secnet on OpenWRT

Posted on in software, articles with tags systems.

I wanted to run the secnet VPN software on a WRT54g running OpenWRT.

Diziet told me I was mad. This didn’t dissuade me :-)


(Or, in other words, what am I going on about and do you really need to read this?)

The WRT54g is a wireless access point/router/firewall appliance made by Linksys, apparently targetted at the domestic market. (NB. Various models exist, some under different brands).

OpenWRT is a third-party cut-down Linux distribution for the WRT54g and related appliances which give you a root prompt and a few Mb of flash storage space to bend to your will. The obvious reason for doing this is in order to achieve more flexible routing and firewalling, internal DNS and static DHCP, your own choice of VPN software ... essentially, network infrastructure that you'd otherwise run on a general-purpose PC or similar. My goal was to remove that clunky old P200 from the living room, replacing it with an appliance I could sit in the bookcase :-).

secnet is VPN software written by Steve Early.

This page describes (roughly) the steps I took in getting a working build of secnet on my WRT54g. Just in case it's not blindingly obvious, running OpenWRT almost certainly voids the warranty on the hardware. If you get things wrong you will turn your shiny new WRT54g into an expensive paperweight. These notes are deliberately on the sketchy side in order to reinforce the on-your-own nature. You will need to be familiar with the standard GNU-style build process; in particular, you'll need to have successfully built OpenWRT first as you'll need the toolchain and uClibc around.


secnet requires the following:

  • A way of getting packets between the kernel and userland. The "Universal TUN/TAP driver" satisfies this and is a Linux kernel option. In fact, I didn't even need to rebuild my OpenWRT image; it builds (but does not install) tun.o by default. All I needed to do was copy it over and write a startup script to run insmod.
  • GNU's getopt. This is included in uClibc, so there's nothing to do.
  • gmp, flex, bison and adns. I configured these for a cross-compile with ./configure --host=mipsel-linux and my PATH including the OpenWRT toolchain.
    • NB. Make sure adns is happy before continuing! The adns package includes the statically linked adnshost_s client; I copied it over to the WRT to test. I found I had to create /etc/protocols:
    ``` # /etc/protocols ip 0 IP tcp 6 TCP icmp 1 ICMP udp 17 UDP ```
  • I copied the built .a files and relevant headers to a handy directory to make my life easier later.
## Building secnet

Configuring secnet wasn't trivial, because it wants to run programs to autodetect the target CPU endian and sizes of types.

I peered closely at configure, ran the endian check by hand and concocted some lines for config.cache (see below). Configuration was as for gmp et al, but with CFLAGS and LDFLAGS set pointing them at the directory I had stashed the depended-on libraries in. ``` # add to config.cache ac_cv_c_bigendian=${ac_cv_c_bigendian='no'} ac_cv_sizeof_unsigned_char=${ac_cv_sizeof_unsigned_char='1'} ac_cv_sizeof_unsigned_int=${ac_cv_sizeof_unsigned_int='4'} ac_cv_sizeof_unsigned_long=${ac_cv_sizeof_unsigned_long='4'} ac_cv_sizeof_unsigned_long_long=${ac_cv_sizeof_unsigned_long_long='8'} ac_cv_sizeof_unsigned_short=${ac_cv_sizeof_unsigned_short='2'} ```

It then nearly built straight out of the box; unfortunately gcc 3.3.3 choked on some conditioned-out inline i386 assembler in the old syntax. I ripped that bit out, and the rest just built; I stripped the binary (it weighed in at 462k) and copied it over to the WRT54g. When I fed it my existing config, it just worked :-)

Later changes

I have since submitted a patch upgrading secnet to use autoconf 2.50 which obviates the troubles I had with the endian and size checks, so the furtling with config.cache should no longer be necessary. Hopefully either some kind soul will update the i386 asm syntax, or Steve will just rip it out altogether. With this patch I needed to set CPPFLAGS on the configure command line, as well as CFLAGS and LDFLAGS, in order to fully shut up all of its warnings.

Configuration note

If you are configuring secnet from scratch, you will at some point need to run make-secnet-sites (it's a Python script) to turn a sites file into the format that secnet expects. I haven't addressed that here; there seemed no need to cross-compile Python for the WRT54g, and it would probably need more storage than I have free flash on mine. Instead, I'm just going to run make-secnet-sites on a handy PC whenever I need to.