From eb31e4588f3ede82bda6eb9a2c8b63f9696f69bf Mon Sep 17 00:00:00 2001
From: William Sutton
Date: Thu, 11 Nov 2021 10:29:16 -0500
Subject: [PATCH 1/5] Create opnatt-supplicant.sh
Successful configuration file to be placed in /usr/local/etc/syshook.d/early/99-opnatt. To be used in conjunction with a /conf/pfatt/wpa/wpa_supplicant.conf file.
---
bin/opnatt-supplicant.sh | 106 +++++++++++++++++++++++++++++++++++++++
1 file changed, 106 insertions(+)
create mode 100644 bin/opnatt-supplicant.sh
diff --git a/bin/opnatt-supplicant.sh b/bin/opnatt-supplicant.sh
new file mode 100644
index 0000000..58d71c0
--- /dev/null
+++ b/bin/opnatt-supplicant.sh
@@ -0,0 +1,106 @@
+#!/usr/bin/env sh
+#Required Config
+# ===============
+ONT_IF=""
+RG_ETHER_ADDR=""
+EAP_MODE="supplicant"
+
+# Supplicant Config
+# =================
+EAP_SUPPLICANT_IDENTITY=""
+
+##### DO NOT EDIT BELOW #################################################################################
+
+/usr/bin/logger -st "pfatt" "starting pfatt..."
+/usr/bin/logger -st "pfatt" "configuration:"
+/usr/bin/logger -st "pfatt" " ONT_IF = $ONT_IF"
+/usr/bin/logger -st "pfatt" " RG_ETHER_ADDR = $RG_ETHER_ADDR"
+/usr/bin/logger -st "pfatt" " EAP_MODE = $EAP_MODE"
+/usr/bin/logger -st "pfatt" " EAP_SUPPLICANT_IDENTITY = $EAP_SUPPLICANT_IDENTITY"
+
+/usr/bin/logger -st "pfatt" "resetting netgraph..."
+/usr/sbin/ngctl shutdown waneapfilter:
+/usr/sbin/ngctl shutdown laneapfilter:
+/usr/sbin/ngctl shutdown $ONT_IF:
+/usr/sbin/ngctl shutdown o2m:
+/usr/sbin/ngctl shutdown vlan0:
+/usr/sbin/ngctl shutdown ngeth0:
+
+/usr/bin/logger -st "pfatt" "configuring EAP environment for $EAP_MODE mode..."
+/usr/bin/logger -st "pfatt" "cabling should look like this:"
+/usr/bin/logger -st "pfatt" " ONT---[] [$ONT_IF]$HOST"
+/usr/bin/logger -st "pfatt" "creating vlan node and ngeth0 interface..."
+
+#/usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream
+/usr/sbin/ngctl mkpeer em1: vlan lower downstream
+
+#/usr/sbin/ngctl name $ONT_IF:lower vlan0
+/usr/sbin/ngctl name em1:lower vlan0
+
+/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+
+/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+
+/usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
+
+/sbin/ifconfig $ONT_IF ether $RG_ETHER_ADDR
+/sbin/ifconfig $ONT_IF up
+
+/sbin/ifconfig $ONT_IF promisc
+
+/usr/bin/logger -st "pfatt" "starting wpa_supplicant..."
+
+WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant -c /conf/pfatt/wpa/wpa_supplicant.conf"
+
+# kill any existing wpa_supplicant process
+PID=$(pgrep -f "wpa_supplicant.*ngeth0")
+if [ ${PID} > 0 ];
+then
+ /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
+ RES=$(kill ${PID})
+fi
+
+# start wpa_supplicant daemon
+RES=$(${WPA_DAEMON_CMD})
+PID=$(pgrep -f "wpa_supplicant.*ngeth0")
+/usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."
+
+# Set WPA configuration parameters.
+/usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
+IFS=","
+for STR in ${WPA_PARAMS};
+do
+ echo $STR
+ STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
+ RES=$(eval wpa_cli ${STR})
+done
+
+# wait until wpa_cli has authenticated.
+WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
+IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
+
+/usr/bin/logger -st "pfatt" "waiting EAP for authorization..."
+
+# TODO: blocking for bootup
+while true;
+do
+ WPA_STATUS=$(eval ${WPA_STATUS_CMD})
+ if [ X${WPA_STATUS} = X"Authorized" ];
+ then
+ /usr/bin/logger -st "pfatt" "EAP authorization completed..."
+ IP_STATUS=$(eval ${IP_STATUS_CMD})
+ if [ -z ${IP_STATUS} ] || [ ${IP_STATUS} = "0.0.0.0" ];
+ then
+ /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
+ RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
+ IP_STATUS=$(eval ${IP_STATUS_CMD})
+ fi
+ /usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
+ break
+ else
+ sleep 1
+ fi
+done
+/usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
+/usr/bin/logger -st "pfatt" "done!"
--
2.45.2
From a6ef2870cdff89146f071ca5b1e340495fd2df32 Mon Sep 17 00:00:00 2001
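Review bot: The `pgrep -f "wpa_supplicant.*ngeth0"` pattern used before the kill and again after the start cannot match the daemon this script launches, because `WPA_DAEMON_CMD` passes `-i$ONT_IF` and never mentions ngeth0, so a stale supplicant from a previous run is never terminated and the logged PID is empty; match on the real argument instead, e.g. `PID=$(pgrep -f "wpa_supplicant.*-i${ONT_IF}")`. The guard `if [ ${PID} > 0 ];` is not a numeric comparison under `sh`: the `>` is parsed as a redirection that creates a file named `0` in the working directory, and with an empty PID the remaining `[ 0 ]` is true, so `kill` runs with no arguments; `if [ -n "${PID}" ]; then` is what was meant. The `for STR in ${WPA_PARAMS}` loop runs `RES=$(eval wpa_cli ${STR})` on a variable that nothing in this file sets (the network settings now live in wpa_supplicant.conf), leaving an `eval` of whatever the caller's environment happens to contain; drop the loop and the `IFS=","` it leaves set for the rest of the script. Finally `ONT_IF` and `RG_ETHER_ADDR` are declared empty and never validated before being handed to ngctl and ifconfig, so a `: "${ONT_IF:?ONT_IF must be set}"` and `: "${RG_ETHER_ADDR:?RG_ETHER_ADDR must be set}"` right after the config block would fail early with a clear message instead of deep inside the netgraph setup.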
From: William Sutton Date: Thu, 11 Nov 2021 10:31:22 -0500 Subject: [PATCH 2/5] Create wpa_supplicant.conf Added wpa_supplicant configuration file. The bash parsing of the list in the original opnatt.sh was complicated and unnecessary. --- wpa/wpa_supplicant.conf | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 wpa/wpa_supplicant.conf diff --git a/wpa/wpa_supplicant.conf b/wpa/wpa_supplicant.conf new file mode 100644 index 0000000..2248198 --- /dev/null +++ b/wpa/wpa_supplicant.conf @@ -0,0 +1,13 @@ +eapol_version=1 +ap_scan=0 +fast_reauth=1 +network={ + ca_cert="/conf/pfatt/wpa/ca.pem" + client_cert="/conf/pfatt/wpa/client.pem" + eap=TLS + eapol_flags=0 + identity="" #Set to the same value as $EAP_SUPPLICANT_IDENTITY + key_mgmt=IEEE8021X + phase1="allow_canned_success=1" + private_key="/conf/pfatt/wpa/private.pem" +} -- 2.45.2 From 686bf73455b1ab3b7060b32fd0ec27a7a9fc8b87 Mon Sep 17 00:00:00 2001 From: William Sutton Date: Thu, 11 Nov 2021 10:42:41 -0500 Subject: [PATCH 3/5] Update opnatt-supplicant.sh Removed some additional hardcoded entries. --- bin/opnatt-supplicant.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/bin/opnatt-supplicant.sh b/bin/opnatt-supplicant.sh index 58d71c0..6dc7524 100644 --- a/bin/opnatt-supplicant.sh +++ b/bin/opnatt-supplicant.sh @@ -31,11 +31,9 @@ EAP_SUPPLICANT_IDENTITY="" /usr/bin/logger -st "pfatt" " ONT---[] [$ONT_IF]$HOST" /usr/bin/logger -st "pfatt" "creating vlan node and ngeth0 interface..." -#/usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream -/usr/sbin/ngctl mkpeer em1: vlan lower downstream +/usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream -#/usr/sbin/ngctl name $ONT_IF:lower vlan0 -/usr/sbin/ngctl name em1:lower vlan0 +/usr/sbin/ngctl name $ONT_IF:lower vlan0 /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' -- 2.45.2 From 24d1784c66b2fc48e052a9004aa3015516c07192 Mon Sep 17 00:00:00 2001 
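Review bot: `phase1="allow_canned_success=1"` is the only security-relevant relaxation in this network block and it carries no comment; per the upstream wpa_supplicant configuration reference it lets the peer accept an EAP-Success before the EAP method has completed (worth confirming against the installed version), so a reader should know it is a deliberate workaround rather than something safe to copy elsewhere, e.g. `# Workaround: the authenticator sends EAP-Success before EAP-TLS finishes; keep ca_cert so the server is still verified`. The `identity=""` comment tells the reader to mirror `$EAP_SUPPLICANT_IDENTITY`, but the script in this series only logs that variable and never passes it to wpa_supplicant, so this file is the single place the identity takes effect; say that in the comment to stop the two copies drifting. `private_key` is referenced by path only and nothing in the series documents that /conf/pfatt/wpa/private.pem must be readable only by the account running the supplicant (presumably root via the syshook), so a one-line note on the expected file mode would help.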
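Review bot: The two rewritten `ngctl` lines now depend entirely on `ONT_IF`, which the top of this file declares as an empty string and nothing validates, so with it unset the node path collapses to `:` and the failure shows up as an obscure netgraph error well after the config block. Quote the expansions while touching these lines, `/usr/sbin/ngctl mkpeer "${ONT_IF}:" vlan lower downstream` and `/usr/sbin/ngctl name "${ONT_IF}:lower" vlan0`, and check the variable is non-empty before the netgraph section begins (that section starts above this hunk).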
From: William Sutton Date: Fri, 11 Feb 2022 11:08:38 -0500 Subject: [PATCH 4/5] Update opnatt-supplicant.sh Explicitly load ng_ether module to prevent wpa_supplicant from hanging later in the script. --- bin/opnatt-supplicant.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/opnatt-supplicant.sh b/bin/opnatt-supplicant.sh index 6dc7524..c69fe59 100644 --- a/bin/opnatt-supplicant.sh +++ b/bin/opnatt-supplicant.sh @@ -11,6 +11,8 @@ EAP_SUPPLICANT_IDENTITY="" ##### DO NOT EDIT BELOW ################################################################################# +/sbin/kldload -nq ng_ether + /usr/bin/logger -st "pfatt" "starting pfatt..." /usr/bin/logger -st "pfatt" "configuration:" /usr/bin/logger -st "pfatt" " ONT_IF = $ONT_IF" -- 2.45.2 From c3ed173d2942a67168dce928aaf949ef26e9668b Mon Sep 17 00:00:00 2001 From: William Sutton Date: Thu, 24 Feb 2022 12:50:02 -0500 Subject: [PATCH 5/5] Adding OPNSense 22.1 support Added "-vlanhwtag -vlanhwfilter -vlanhwtso" to line 50 to enable supplicant auth on OPNSense 22.1 per https://github.com/MonkWho/pfatt/issues/65 --- bin/opnatt-supplicant.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/opnatt-supplicant.sh b/bin/opnatt-supplicant.sh index c69fe59..186684d 100644 --- a/bin/opnatt-supplicant.sh +++ b/bin/opnatt-supplicant.sh @@ -47,7 +47,7 @@ EAP_SUPPLICANT_IDENTITY="" /sbin/ifconfig $ONT_IF ether $RG_ETHER_ADDR /sbin/ifconfig $ONT_IF up -/sbin/ifconfig $ONT_IF promisc +/sbin/ifconfig $ONT_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso /usr/bin/logger -st "pfatt" "starting wpa_supplicant..." -- 2.45.2
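Review bot: `/sbin/kldload -nq ng_ether` discards its exit status, so if the module is missing or fails to load the script carries on into the ngctl calls and the real cause is buried under later errors; `/sbin/kldload -nq ng_ether || { /usr/bin/logger -st "pfatt" "failed to load ng_ether"; exit 1; }` fails where the problem is. The reason for the load is only in the commit message and belongs next to the line, e.g. `# ng_ether must be loaded before the netgraph setup below; without it wpa_supplicant hangs later in this script`.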
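Review bot: The rewritten `ifconfig` line turns off three hardware VLAN offload features with no comment, so the next reader cannot tell they are deliberate rather than leftovers, and the only rationale is an issue link in the commit message. Add above it `# OPNsense 22.1: disable hardware VLAN tagging/filtering/TSO so tagged 802.1X frames are seen by the netgraph vlan node (pfatt issue #65)`; the mechanism is my reading of the linked issue, so confirm the wording. While here, `$ONT_IF` is unquoted on every ifconfig call in this file; `"$ONT_IF"` keeps an accidental space or glob character from becoming extra arguments.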