The Interceptor - Basic Install
These instructions leave you with a device that only answers on the wireless interface; the wired ports are bridged together with no IP address of their own. For testing, if you want the wired side to keep an IP address, edit /etc/config/network and /etc/init.d/interceptor and change the 0.0.0.0 address to the one you want.
On the Fon+
Flash with OpenWrt 8.09. This is a good guide. Stop at "Luvzzzzz ! Next step :"
This guide assumes you are connected via a serial cable. If not, telnet to 192.168.1.1 and run passwd to set the root password; setting it disables telnet and enables ssh.
Create/edit the following files:
# /etc/config/wireless
config 'wifi-device' 'wifi0'
option 'type' 'atheros'
option 'disabled' '0'
option 'channel' '6'
config 'wifi-iface'
option 'device' 'wifi0'
option 'mode' 'ap'
option 'ssid' 'interceptor'
option 'encryption' 'psk2'
option 'key' '<KEY HERE>'
This assumes you want WPA2-PSK. Even though the data will be encrypted by the VPN, this stops unauthorized users from associating with the AP and using it as a way into the device; put a real passphrase (8 to 63 characters) in place of <KEY HERE>. Make sure you modify the wpa_supplicant configuration on the laptop so that it can connect to the AP.
# /etc/config/network
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
config 'interface' 'lan'
option 'type' 'bridge'
option 'proto' 'static'
option 'netmask' '255.255.255.0'
option 'ifname' 'eth0.0'
option 'ipaddr' '0.0.0.0'
config 'interface' 'wan'
option 'ifname' 'eth0.1'
I can't find a way to specify in this file that I want both eth0.0 and eth0.1 to start up on the same bridge, so I have to manually add eth0.1 to the lan bridge, br-lan, in a startup script. If anyone can tell me how to do this, please get in touch.
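As an added example (not part of the Interceptor package or its /etc/init.d/interceptor script), this is one way to do the manual step from a startup script: enslave eth0.1 to br-lan idempotently, leave the port itself without an IP address, and verify through sysfs that the port really landed in the bridge rather than trusting the exit status. It assumes the busybox brctl and ifconfig applets shipped with OpenWrt 8.09 and a kernel that exposes bridge ports under /sys/class/net/<bridge>/brif/; the SYSFS_NET override only exists so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the Interceptor package: put eth0.1 into br-lan
# from a startup script, idempotently, and check that it really landed there.
# Assumes busybox brctl and ifconfig (present on OpenWrt 8.09) and a kernel
# that exposes bridge ports under /sys/class/net/<bridge>/brif/.
# Usage on the Fon+:  sh bridge-port.sh add     (or: remove)

BRIDGE=${BRIDGE:-br-lan}
PORT=${PORT:-eth0.1}
# sysfs root; overridable so the functions can be exercised without root
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

iface_exists() {        # IFACE -> 0 if the kernel knows the interface
    [ -d "$SYSFS_NET/$1" ]
}

bridge_has_port() {     # BRIDGE PORT -> 0 if PORT is already enslaved to BRIDGE
    [ -d "$SYSFS_NET/$1/brif/$2" ]
}

add_bridge_port() {     # BRIDGE PORT -> enslave PORT, leaving it without an IP
    br=$1; port=$2
    iface_exists "$br"   || { echo "no such bridge: $br" >&2; return 1; }
    iface_exists "$port" || { echo "no such interface: $port" >&2; return 1; }
    if bridge_has_port "$br" "$port"; then
        echo "$port is already in $br"
        return 0
    fi
    # 0.0.0.0 strips any address from the port itself: a bridge port must
    # only forward frames, never answer IP traffic on its own.
    ifconfig "$port" 0.0.0.0 up || return 1
    brctl addif "$br" "$port"   || return 1
    # verify instead of trusting the exit status
    bridge_has_port "$br" "$port"
}

remove_bridge_port() {  # BRIDGE PORT -> undo add_bridge_port
    bridge_has_port "$1" "$2" || return 0
    brctl delif "$1" "$2" && ifconfig "$2" down
}

case "${1:-}" in
    add)    add_bridge_port "$BRIDGE" "$PORT" ;;
    remove) remove_bridge_port "$BRIDGE" "$PORT" ;;
esac
```

Call it with "add" after the network scripts have created br-lan (for example from /etc/init.d/interceptor), and with "remove" from the matching stop path; running "add" twice is harmless.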
Install the following packages:
- kmod-tun_2.6.26.5-atheros-1_mips.ipk
- libopenssl_0.9.8i-3_mips.ipk
- libdnet_1.10-2_mips.ipk
- libpcap_0.9.8-1_mips.ipk
- wpa-supplicant_0.6.3-1_mips.ipk
- liblzo_2.03-1_mips.ipk
- openvpn_2.0.9-4_mips.ipk
- zlib_1.2.3-5_mips.ipk
These can be downloaded from the OpenWrt package page. The kmod-tun package must match the kernel on the device (2.6.26.5-atheros-1 for this build), otherwise the tun module will refuse to load.
Copy them to /tmp on the device; you can then install them all at once with:
opkg install /tmp/*ipk
Copy over and install the interceptor package:
- interceptor_1.0_mips.ipk
Delete the following files:
- /etc/rc.d/*httpd
- /etc/rc.d/*dnsmasq
This prevents the web server and the DNS/DHCP server from starting automatically. The web server isn't needed, and the DHCP server would interfere with legitimate DHCP traffic flowing over the bridge. This does not remove the applications, only the symlinks that start them; they can be restored by recreating the symlinks to /etc/init.d.
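Before rebooting it is worth checking that the steps above actually took: the AP is WPA2-PSK with a real passphrase rather than the <KEY HERE> placeholder, the lan bridge has no address, the httpd and dnsmasq symlinks are gone, and every package in the list is installed. The script below is an added example, not part of the Interceptor package. Its uci_option helper assumes the single-quoted UCI layout shown above (it matches a section by its last quoted word, so 'wifi-iface' for the anonymous section and 'lan' for the named one); ROOT is a hypothetical variable that lets you point it at a copy of the device's filesystem from the laptop.

```shell
#!/bin/sh
# Added example, not part of the Interceptor package: sanity-check the
# configuration above before rebooting. Run on the Fon+ as
#   sh check-interceptor.sh run
# or set ROOT to a copy of the device filesystem to check it from the laptop.
ROOT=${ROOT:-}
REQUIRED="kmod-tun libopenssl libdnet libpcap wpa-supplicant liblzo openvpn zlib interceptor"

# uci_option FILE SECTION OPTION -> prints OPTION's value from the section whose
# last quoted word is SECTION (type for anonymous sections such as 'wifi-iface',
# name for named ones such as 'lan'). Assumes the single-quoted UCI layout above.
uci_option() {
    sed -n "/^[[:space:]]*config .*'$2'[[:space:]]*$/,/^[[:space:]]*config /{s/^[[:space:]]*option '$3' '\(.*\)'[[:space:]]*$/\1/p;}" "$1" | head -n 1
}

check_wireless() {      # FILE -> 0 when the AP is WPA2-PSK with a real passphrase
    enc=$(uci_option "$1" wifi-iface encryption)
    key=$(uci_option "$1" wifi-iface key)
    [ "$enc" = "psk2" ] || { echo "wireless: encryption is '${enc:-unset}', expected psk2"; return 1; }
    case "$key" in
        ''|'<KEY HERE>') echo "wireless: key is still the placeholder"; return 1 ;;
    esac
    len=${#key}         # WPA passphrases are 8 to 63 characters
    [ "$len" -ge 8 ] && [ "$len" -le 63 ] || { echo "wireless: key length $len is outside 8..63"; return 1; }
}

check_lan_ip() {        # FILE -> 0 when the wired bridge has no address (wireless-only)
    ip=$(uci_option "$1" lan ipaddr)
    [ "$ip" = "0.0.0.0" ] || { echo "lan: wired bridge answers on '${ip:-unset}' (testing mode?)"; return 1; }
}

check_rc_links() {      # RCDIR -> 0 when httpd and dnsmasq are not auto-started
    left=0
    for l in "$1"/*httpd "$1"/*dnsmasq; do
        [ -e "$l" ] || [ -L "$l" ] || continue     # unmatched glob stays literal
        echo "rc.d: $l still present; remove it to stop auto-start"
        left=1
    done
    return $left
}

check_packages() {      # reads 'opkg list_installed' on stdin -> 0 when all REQUIRED present
    installed=$(awk '{ print $1 }')
    missing=""
    for p in $REQUIRED; do
        echo "$installed" | grep -qx "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] || { echo "packages not installed:$missing"; return 1; }
}

run_checks() {          # ROOT -> 0 when every file-based check passes
    failed=0
    check_wireless "$1/etc/config/wireless" || failed=1
    check_lan_ip   "$1/etc/config/network"  || failed=1
    check_rc_links "$1/etc/rc.d"            || failed=1
    return $failed
}

if [ "${1:-}" = "run" ]; then
    status=0
    run_checks "$ROOT" || status=1
    opkg list_installed | check_packages || status=1
    [ "$status" -eq 0 ] && echo "all checks passed"
    exit $status
fi
```

A failing check_lan_ip is expected if you deliberately left the wired side with an address for testing; the other three should all pass before you reboot.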
Reboot
On the laptop
The first job is to create the OpenVPN certificates. The instructions on the OpenVPN site (the easy-rsa section of the HOWTO) describe this best.
Follow the naming scheme used but only create a client certificate for client1.
Copy the following files you have just created to /interceptor/openvpn/client on the Fon+ (keep client1.key readable by root only, e.g. chmod 600):
- client1.crt
- ca.crt
- client1.key
Modify server.conf on the laptop so the certificate lines (those starting ca, key, cert and dh) point at the correct locations.
Starting it all up
Bring up the wireless on the laptop and connect to the AP on the Fon+.
Manually set the wireless IP to 10.255.255.253.
Run the startup.sh script. This starts the OpenVPN server on the laptop, waits a short period for it to come up, then executes a startup script on the Fon+ via ssh. The Fon+ will prompt for the root password for the ssh login (put your public key in /etc/dropbear/authorized_keys on the Fon+ if you want to avoid the prompt).
You should see a lot of log output, with the DaemonLogger startup message towards the end. If all goes well, all traffic flowing across the bridge now appears on tap0 on the laptop. Test it by running:
tcpdump -i tap0
while generating traffic across the bridge.
Shutting it all down
To shut it down, run the shutdown.sh script. This reverses the startup script: it first kills DaemonLogger and the VPN client on the Fon+ via ssh, then kills the VPN server on the laptop. Again, you will need to enter the Fon+ root password for the ssh.
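The weak point of the start-up sequence is the fixed wait between starting the OpenVPN server and contacting the Fon+: if the server is slow, the client on the Fon+ comes up first and fails. As an added example (not the startup.sh or shutdown.sh shipped with the Interceptor), the script below waits for tap0 to actually exist before going over ssh, and tears down in the reverse order. It assumes that FON holds the Fon+ wireless address (the page only gives the laptop's, 10.255.255.253), that /etc/init.d/interceptor on the Fon+ accepts "start" and "stop", and that SERVER_CONF and PIDFILE are the laptop-side paths you chose; all three are hypothetical variables.

```shell
#!/bin/sh
# Added example, not the startup.sh/shutdown.sh shipped with the Interceptor:
# a start/stop script for the laptop that waits for tap0 to exist instead of
# sleeping a fixed time, then drives the Fon+ over ssh. Assumptions: FON holds
# the Fon+ wireless address (the page gives only the laptop's, 10.255.255.253);
# /etc/init.d/interceptor on the Fon+ accepts "start" and "stop"; SERVER_CONF
# is the laptop's server.conf.
# Usage on the laptop:  FON=<fon address> sh interceptor-ctl.sh start|stop
FON=${FON:-}
SERVER_CONF=${SERVER_CONF:-/etc/openvpn/server.conf}
PIDFILE=${PIDFILE:-/var/run/openvpn-interceptor.pid}
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

wait_for_iface() {      # IFACE [SECONDS] -> 0 once IFACE exists, 1 on timeout
    waited=0; limit=${2:-10}
    while [ "$waited" -lt "$limit" ]; do
        [ -d "$SYSFS_NET/$1" ] && return 0
        sleep 1; waited=$((waited + 1))
    done
    [ -d "$SYSFS_NET/$1" ]
}

start() {
    [ -n "$FON" ] || { echo "set FON to the Fon+ wireless address" >&2; return 1; }
    openvpn --config "$SERVER_CONF" --daemon --writepid "$PIDFILE" || return 1
    # the server creates tap0 as it starts; do not ssh to the Fon+ before then
    wait_for_iface tap0 15 || { echo "tap0 did not come up" >&2; return 1; }
    ssh "root@$FON" /etc/init.d/interceptor start
}

stop() {
    [ -n "$FON" ] || { echo "set FON to the Fon+ wireless address" >&2; return 1; }
    # reverse order: stop DaemonLogger and the VPN client on the Fon+ first
    ssh "root@$FON" /etc/init.d/interceptor stop
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
    fi
}

case "${1:-}" in
    start) start ;;
    stop)  stop ;;
esac
```

With a public key in /etc/dropbear/authorized_keys on the Fon+ the two ssh calls run without a password prompt, which also makes the script usable unattended.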