Enabling Elliptic Curve Cryptography in OpenWRT and strongSwan VPNs
OpenWRT currently ships an OpenSSL package with Elliptic Curve Cryptography (ECC) disabled. This is very inconvenient as ECC is now standard in other distributions like Debian and Ubuntu and it is necessary to solve certain problems such as making IPsec VPNs work reliably
It is relatively easy to enable it, this also provides a useful opportunity to see how the OpenWRT build system works.
Preparing the build environment
The build was done on a Debian 7 (wheezy) workstation. It is necessary to install some packages that provide tools needed for the build:
apt-get install gcc binutils flex make unzip gawk libz-dev linux-libc-dev
Rebuild the OpenSSL and StrongSwan packages
This was tested with an ar71xx CPU-based router. You can easily change the config (run make menuconfig just before make defconfig) for other variations of router.
Running strongSwan IPsec on a router requires a router with plenty of flash, RAM and CPU power. Cheap routers with limited flash will not be able to install the packages at all. I tested on the Buffalo WZR-HP-AG300H-EU which has 32MB flash and 128MB RAM
Here are the commands executed on the Debian build workstation:
mkdir ~/ws cd ~/ws svn checkout svn://svn.openwrt.org/openwrt/trunk openwrt-trunk cd openwrt-trunk ./scripts/feeds update -a ./scripts/feeds install -a wget -O .config \ http://danielpocock.com/sites/danielpocock.com/files/openwrt.config.txt sed -i -e 's/no-ec//' package/libs/openssl/Makefile make defconfig make -j 13
The "make" command will build all the packages. It takes some time.
Copy the packages to a router
The actual location of the packages in your source tree depends on the CPU architecture you chose to build for. You can find them with a command such as:
find . -name '*.ipk'
Here we look at how to copy the packages for the ar71xx based router into the /tmp directory on the router. The router IP is 192.168.1.1 below:
cd ./bin/ar71xx/packages/ scp libopenssl_1.0.1e-1_ar71xx.ipk strongswan*.ipk email@example.com:/tmp
Installing the packages
It is relatively easy to install the packages using the opkg utility on OpenWRT.
When using self-compiled packages, you are likely to get errors about the checksums. OpenWRT compares the checksum of the package to the checksum from the package catalog file. You can delete the catalog file (e.g. rm /var/opkg-lists/attitude_adjustment) and then opkg will install the package without complaining. The file is automatically placed there each time you run opkg update so there is no harm in deleting it.
In my earlier blog, I looked at how to link Android clients to the strongSwan VPN. Unfortunately Android has a bug in ECC support too and must still be used with RSA certificates. Nonetheless, the OpenWRT VPN will be quite happy talking to Linux laptops and servers - you may need to rebuild OpenSSL and StrongSwan on any Fedora, Red Hat or CentOS systems that require ECC support too.
As you migrate from RSA to ECC certificates it is quite feasible to have both types of certificates in use at the same time. strongSwan supports this type of hybrid environment. To make the migration to ECC go smoothly it is desirable to ensure all boxes have ECC support at the earliest opportunity.