Topic: OpenVPN according to Cezary

Cezary, I haven't tried the OpenVPN guide you posted recently; I assume it works and that you tested it. I'm just wondering whether you could write some script for LuCI that only takes input (let there be a separate one for the server) and modifies the system settings. A separate script would be run for each new client. A third script would be used to generate new keys for all or selected users, and a fourth to uninstall the OpenVPN configuration from the system. Something like in Gargoyle; ideally with text fields and checkboxes. If that's too much work, it can be in the console, but so that everything is done for the user. The user's configuration files in separate directories somewhere like /tmp/openvpn_clients or thereabouts. That would be awesome...

MiniPC 6xRJ45 2Gb, N100, 16GB DDR5, 1TB NVMe (Gargoyle)
Linksys WRT3200ACM (Gargoyle)
Tp-link 1043NDv2 (Gargoyle)

2

Re: OpenVPN according to Cezary

Cezary, are you considering the possibility of doing the above?


3

Re: OpenVPN according to Cezary

15.05 has a GUI for OpenVPN. Not like the one in Gargoyle, but you can click the options together.

Got a router you don't need, broken or not? I'll gladly take it in.

4

Re: OpenVPN according to Cezary

Can everything be clicked through normally, without touching the configuration files?


5

Re: OpenVPN according to Cezary

I don't know, I've never used it.


6

Re: OpenVPN according to Cezary

What is it with these people and "clicking"...

7

Re: OpenVPN according to Cezary

Simply pure laziness. When I write plugins for AutoCAD, I make them "all-in-one", "drop it in and it works" (or, in IT speak, "plug and play"). I make them "all-in-one" to such an extent that when I update them on Dropbox and start AutoCAD at work, it pushes them from Dropbox into the public corporate network location, and from there every local AutoCAD updates them and I don't have to worry about it. Using my toys is fairly simple, because each of them does one specific job and has a clear user interface. No messing about with configuration beyond loading "instalator.dll" into AutoCAD once. That installer sets the appropriate registry entries so it can be used like any built-in AutoCAD functionality. If I told "Mrs. Jadzia" that to use plugin X she has to load the DLL X.dll, she'd say she'd rather do it without assistance. But I know there's no "Mrs. Jadzia" here, just people who know what they want. I just wanted to raise the bar a bit so that it's more convenient for me and for others.


8 (edited by build000 2015-05-31 13:06:01)

Re: OpenVPN according to Cezary

What's the problem with getting into LuCI/bash/etc. and writing a suitable plugin/replacement for luci-app-openvpn yourself? After all, you program AutoCAD, so you'll manage this too... ;)
Instead of asking, create it yourself... you could even share it with others by putting it somewhere like GitHub (your own git or a public one, it doesn't matter, as long as it's compatible with the OpenWrt infrastructure so it can easily be added to the feeds as an external repo in opkg.conf, etc.).
:D

9 (edited by badziewiak 2015-05-31 15:33:30)

Re: OpenVPN according to Cezary

Heh, you see, I got the hang of AutoCAD because I work with it every day and have about 15 years of experience with it. What I wrote about with OpenWrt is unknown territory for me, which I have to discover from scratch. I thought that for people who live in OpenWrt it would be as much of a piece of cake as writing a relatively simple AutoCAD plugin is for me, but if not, too bad. In the meantime I tried it on the latest LuCI and this is what I got:

root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_base.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_luci.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_management.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_oldpackages.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_packages.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_routing.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_telephony.
Downloading http://dl.eko.one.pl/barrier_breaker/ar71xx/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/eko1.
root@OpenWrt:~# opkg install openvpn-openssl openvpn-easy-rsa
Installing openvpn-openssl (2.3.6-2) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/openvpn-openssl_2.3.6-2_ar71xx.ipk.
Installing kmod-tun (3.10.49-1) to root...
Downloading http://dl.eko.one.pl/barrier_breaker/ar71xx/packages/kmod-tun_3.10.49-1_ar71xx.ipk.
Installing liblzo (2.08-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/liblzo_2.08-1_ar71xx.ipk.
Installing openvpn-easy-rsa (2013-01-30-2) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/openvpn-easy-rsa_2013-01-30-2_ar71xx.ipk.
Installing openssl-util (1.0.2a-0) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/openssl-util_1.0.2a-0_ar71xx.ipk.
build-caConfiguring kmod-tun.
Configuring openssl-util.
Configuring liblzo.
Configuring openvpn-openssl.
Configuring openvpn-easy-rsa.
root@OpenWrt:~# build-ca
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating a 2048 bit RSA private key
.....+++
.......................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:PL
State or Province Name (full name) [CA]:Silesia
Locality Name (eg, city) [SanFrancisco]:Gliwice
Organization Name (eg, company) [Fort-Funston]:Home
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:Home
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:OpenWRT Server
Name [EasyRSA]:Router
Email Address [me@myhost.mydomain]:badziewiak@jakasPoczta.com
root@OpenWrt:~# build-dh
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[several thousand progress dots trimmed] ...++*++*
root@OpenWrt:~# build-key-server serwer
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating a 2048 bit RSA private key
...........+++
...................................................................+++
writing new private key to 'serwer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:PL
State or Province Name (full name) [CA]:Silesia
Locality Name (eg, city) [SanFrancisco]:Gliwice
Organization Name (eg, company) [Fort-Funston]:Home
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:Home
Common Name (eg, your name or your server's hostname) [serwer]:OpenWRT Server
Name [EasyRSA]:Router
Email Address [me@myhost.mydomain]:badziewiak@jakasPoczta.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'PL'
stateOrProvinceName   :PRINTABLE:'Silesia'
localityName          :PRINTABLE:'Gliwice'
organizationName      :PRINTABLE:'Home'
organizationalUnitName:PRINTABLE:'Home'
commonName            :PRINTABLE:'OpenWRT Server'
name                  :PRINTABLE:'Router'
emailAddress          :IA5STRING:'badziewiak@jakasPoczta.com'
Certificate is to be certified until May 28 14:12:06 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@OpenWrt:~# build-key-pkcs12 abcPraca
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating a 2048 bit RSA private key
.................................................+++
..................................................................+++
writing new private key to 'abcPraca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:PL
State or Province Name (full name) [CA]:Silesia
Locality Name (eg, city) [SanFrancisco]:Gliwice
Organization Name (eg, company) [Fort-Funston]:Home
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:Home
Common Name (eg, your name or your server's hostname) [abcPraca]:OpenWRT Server
Name [EasyRSA]:Router
Email Address [me@myhost.mydomain]:badziewiak@jakasPoczta.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'PL'
stateOrProvinceName   :PRINTABLE:'Silesia'
localityName          :PRINTABLE:'Gliwice'
organizationName      :PRINTABLE:'Home'
organizationalUnitName:PRINTABLE:'Home'
commonName            :PRINTABLE:'OpenWRT Server'
name                  :PRINTABLE:'Router'
emailAddress          :IA5STRING:'badziewiak@jakasPoczta.com'
Certificate is to be certified until May 28 14:14:06 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
root@OpenWrt:~# build-key-pkcs12 abcPraca
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating a 2048 bit RSA private key
..........................+++
......................................................................+++
writing new private key to 'abcPraca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:PL
State or Province Name (full name) [CA]:Silesia
Locality Name (eg, city) [SanFrancisco]:Gliwice
Organization Name (eg, company) [Fort-Funston]:Home
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:Home
Common Name (eg, your name or your server's hostname) [abcPraca]:abc praca
Name [EasyRSA]:Router
Email Address [me@myhost.mydomain]:abcas@jakasPoczta.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'PL'
stateOrProvinceName   :PRINTABLE:'Silesia'
localityName          :PRINTABLE:'Gliwice'
organizationName      :PRINTABLE:'Home'
organizationalUnitName:PRINTABLE:'Home'
commonName            :PRINTABLE:'abc praca'
name                  :PRINTABLE:'Router'
emailAddress          :IA5STRING:'abcas@jakasPoczta.com'
Certificate is to be certified until May 28 14:16:15 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter Export Password:
Verifying - Enter Export Password:
root@OpenWrt:~# cp /etc/easy-rsa/keys/ca.crt /etc/easy-rsa/keys/serwer.* /etc/easy-rsa/keys/dh2048.pem /etc/openvpn
root@OpenWrt:~# uci set network.vpn=interface
root@OpenWrt:~# uci set network.vpn.ifname=tun0
root@OpenWrt:~# uci set network.vpn.proto=none
root@OpenWrt:~# uci commit
root@OpenWrt:~# uci add firewall zone
cfg17dc81
root@OpenWrt:~# uci set firewall.@zone[-1].name=vpn
root@OpenWrt:~# uci set firewall.@zone[-1].input=ACCEPT
root@OpenWrt:~# uci set firewall.@zone[-1].forward=ACCEPT
root@OpenWrt:~# uci set firewall.@zone[-1].output=ACCEPT
root@OpenWrt:~# uci set firewall.@zone[-1].network=vpn
root@OpenWrt:~# uci add firewall forwarding
cfg18ad58
root@OpenWrt:~# uci set firewall.@forwarding[-1].src='vpn'
root@OpenWrt:~# uci set firewall.@forwarding[-1].dest='wan'
root@OpenWrt:~# uci add firewall rule
cfg1992bd
root@OpenWrt:~# uci set firewall.@rule[-1].name=OpenVPN
root@OpenWrt:~# uci set firewall.@rule[-1].target=ACCEPT
root@OpenWrt:~# uci set firewall.@rule[-1].src=wan
root@OpenWrt:~# uci set firewall.@rule[-1].proto=udp
root@OpenWrt:~# uci set firewall.@rule[-1].proto=tcp
root@OpenWrt:~# uci set firewall.@rule[-1].dest_port=443
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# /etc/init.d/network reload
'radio0' is disabled
'radio0' is disabled
root@OpenWrt:~# /etc/init.d/firewall reload
Warning: Unable to locate ipset utility, disabling ipset support
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Clearing IPv4 raw table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
Warning: fw3_ipt_rule_append(): Can't find target 'input_vpn_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_vpn_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_vpn_rule'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'OpenVPN'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_vpn_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_vpn_rule'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Clearing IPv6 raw table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
Warning: fw3_ipt_rule_append(): Can't find target 'input_vpn_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_vpn_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_vpn_rule'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'OpenVPN'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/miniupnpd/firewall.include'

I did this on the latest LuCI on a 1043NDv2, after firstboot. Where did I make a mistake?

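An added example, not code from the thread, from OpenWrt or from easy-rsa: a small POSIX shell script for the router that wraps the client-issuing steps from the transcript above and produces what the first post asked for, one directory per client under /tmp/openvpn_clients. Before calling easy-rsa it checks index.txt for an already-valid certificate with the same CN, which is exactly what produced `failed to update database / TXT_DB error number 2` above: the first `build-key-pkcs12 abcPraca` reused the CN `OpenWRT Server` that the server certificate already carries, and easy-rsa's openssl.cnf has `unique_subject = yes`. It then writes a single-file `.ovpn` with CA, client certificate and key inlined. `KEYS_DIR` (defaulting to the easy-rsa path /etc/easy-rsa/keys), `OUT_DIR`, the function names and the host `vpn.example.org` in the usage line are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt/easy-rsa.
# Wraps the client-issuing steps from the transcript for easy-rsa 2.x on
# OpenWrt (BusyBox ash). Assumed paths: /etc/easy-rsa/keys is the easy-rsa
# default on OpenWrt; /tmp/openvpn_clients is the layout the first post asked
# for. Both can be overridden from the environment.

KEYS_DIR="${KEYS_DIR:-/etc/easy-rsa/keys}"
OUT_DIR="${OUT_DIR:-/tmp/openvpn_clients}"

# cn_in_index INDEX_FILE CN  -> 0 if a *valid* cert with that CN is recorded.
# index.txt is the openssl ca database: tab-separated, status in field 1
# (V = valid, R = revoked, E = expired), subject DN in field 6, e.g.
# "/C=PL/ST=Silesia/.../CN=abc praca/name=Router/emailAddress=...".
# easy-rsa's openssl.cnf sets unique_subject = yes and openssl indexes only
# the V rows, so a second valid cert with the same subject is refused with
# "failed to update database / TXT_DB error number 2". Checking the CN is
# enough when, as in the transcript, every other DN field is fixed.
# (A CN containing "/" is not handled; easy-rsa would not accept one anyway.)
cn_in_index() {
    index="$1"; cn="$2"
    [ -f "$index" ] || return 1
    awk -F'\t' -v cn="$cn" '
        $1 == "V" {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "CN=" cn) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$index"
}

# make_client_ovpn NAME REMOTE [PORT] [PROTO] -> prints the profile path.
# One file with CA, client cert and key inlined, so the client needs nothing
# else. The private key is inside it, hence the 0700 directory and 0600 file.
make_client_ovpn() {
    name="$1"; remote="$2"; port="${3:-1194}"; proto="${4:-udp}"
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$KEYS_DIR/$f" ] || { echo "missing $KEYS_DIR/$f" >&2; return 1; }
    done
    dir="$OUT_DIR/$name"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    out="$dir/$name.ovpn"
    {
        echo "client"
        echo "dev tun"
        echo "proto $proto"
        echo "remote $remote $port"
        echo "nobind"
        echo "persist-key"
        echo "persist-tun"
        # Refuse a peer that presents a *client* certificate from our CA as
        # the server; easy-rsa 2 build-key-server sets the serverAuth EKU.
        echo "remote-cert-tls server"
        echo "verb 3"
        printf '<ca>\n';   cat "$KEYS_DIR/ca.crt";    printf '</ca>\n'
        printf '<cert>\n'; cat "$KEYS_DIR/$name.crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$KEYS_DIR/$name.key"; printf '</key>\n'
    } > "$out" || return 1
    chmod 600 "$out"
    echo "$out"
}

# issue_client NAME REMOTE PORT PROTO
# Guard against the duplicate-subject failure first, then issue the cert the
# way the transcript does (interactive prompts; the CN prompt defaults to
# NAME) and write the profile.
issue_client() {
    name="$1"; remote="$2"; port="$3"; proto="$4"
    if cn_in_index "$KEYS_DIR/index.txt" "$name"; then
        echo "a valid certificate with CN=$name already exists;" \
             "run 'revoke-full $name' first or pick another name" >&2
        return 1
    fi
    build-key "$name" || return 1   # easy-rsa 2.x wrapper in PATH on OpenWrt
    make_client_ovpn "$name" "$remote" "$port" "$proto"
}

# Usage: sh ovpn-client.sh NAME REMOTE_HOST [PORT] [PROTO]
# With no arguments only the functions are defined (handy for sourcing).
if [ -n "${1:-}" ]; then
    issue_client "$1" "${2:?remote host required}" "${3:-1194}" "${4:-udp}"
fi
```

Run it on the router as `sh ovpn-client.sh laptop vpn.example.org 443 tcp`, copy the resulting file to the client over a trusted channel and delete it from /tmp once imported; the private key is inside it. Two caveats visible in the transcript itself: the `build-key-pkcs12` prompt defaults the CN to the file name (`[abcPraca]`), so accepting that default rather than retyping the server's CN avoids the clash in the first place; and `uci set firewall.@rule[-1].proto=udp` followed by `uci set firewall.@rule[-1].proto=tcp` leaves only `tcp`, because `uci set` replaces the value. fw3 accepts a space-separated list, so `uci set firewall.@rule[-1].proto='tcp udp'` opens the port for both, though only the protocol the OpenVPN instance actually listens on needs to be open.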

10

Re: OpenVPN according to Cezary

Just do /etc/init.d/firewall stop; /etc/init.d/firewall start.


11

Re: OpenVPN according to Cezary

root@OpenWrt:~# /etc/init.d/firewall stop
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing IPv6 raw table
 * Flushing conntrack table ...
root@OpenWrt:~# /etc/init.d/firewall start
Warning: Unable to locate ipset utility, disabling ipset support
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'OpenVPN'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'OpenVPN'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
 * Flushing conntrack table ...
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/share/miniupnpd/firewall.include'

12

Re: OpenVPN according to Cezary

Well, keep going.


13

Re: OpenVPN according to Cezary

badziewiak wrote:

(...)
I thought that for people who live in OpenWrt it would be as much of a piece of cake as writing a relatively simple AutoCAD plugin is for me, but if not, too bad.
(...)

Since it hasn't been in the sources so far in the form you expect, then:
a) maybe it isn't a piece of cake at all, and that's why it isn't there
b) nobody has needed it so far
c) LuCI won't handle it and/or the router will fall over at startup (every machine supported by OpenWrt has to be taken into account; after all, that's how the sources are made)
d) use competing APIs, where this is already more developed with such additional functionality
In OpenWrt nothing is ever the way one would expect; after all, it's an amateur project and only a framework for one's own ideas, especially when you "poke" at something from the sources.

14

Re: OpenVPN according to Cezary

I'm making another attempt, but without success. Here's what I did:

root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_base.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_luci.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/luci/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_management.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/management/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_packages.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/packages/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_routing.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/routing/Packages.sig.
Signature check passed.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_telephony.
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/telephony/Packages.sig.
Signature check passed.
Downloading http://dl.eko.one.pl/chaos_calmer/ar71xx/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/eko1.
Downloading http://dl.eko.one.pl/chaos_calmer/ar71xx/packages/Packages.sig.
Signature check passed.
root@OpenWrt:~# opkg install openvpn-openssl openvpn-easy-rsa
Package openvpn-openssl (2.3.6-5) installed in root is up to date.
Package openvpn-easy-rsa (2013-01-30-2) installed in root is up to date.
root@OpenWrt:~# build-ca
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating a 2048 bit RSA private key
........+++
....+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:PL
State or Province Name (full name) [CA]:Masovian
Locality Name (eg, city) [SanFrancisco]:Warsaw
Organization Name (eg, company) [Fort-Funston]:Home
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:Home
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:OpenWrt Server
Name [EasyRSA]:Router
Email Address [me@myhost.mydomain]:cezary@eko.one.pl
root@OpenWrt:~# build-dh
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[several thousand progress dots trimmed] ...++*++*
root@OpenWrt:~# build-key-server serwer
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating a 2048 bit RSA private key
..+++
...............................................................................................................................................................+++
writing new private key to 'serwer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:PL
State or Province Name (full name) [CA]:Masovian
Locality Name (eg, city) [SanFrancisco]:Warsaw
Organization Name (eg, company) [Fort-Funston]:Home
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:Home
Common Name (eg, your name or your server's hostname) [serwer]:OpenWrt Server
Name [EasyRSA]:Router
Email Address [me@myhost.mydomain]:cezary@eko.one.pl

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'PL'
stateOrProvinceName   :PRINTABLE:'Masovian'
localityName          :PRINTABLE:'Warsaw'
organizationName      :PRINTABLE:'Home'
organizationalUnitName:PRINTABLE:'Home'
commonName            :PRINTABLE:'OpenWrt Server'
name                  :PRINTABLE:'Router'
emailAddress          :IA5STRING:'cezary@eko.one.pl'
Certificate is to be certified until Nov  8 10:52:25 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@OpenWrt:~# build-key-pkcs12 malgosia
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/easy-rsa/keys
Generating a 2048 bit RSA private key
........................................................................+++
......................................................................................+++
writing new private key to 'malgosia.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:PL
State or Province Name (full name) [CA]:Masovian
Locality Name (eg, city) [SanFrancisco]:Warsaw
Organization Name (eg, company) [Fort-Funston]:Home
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:Home
Common Name (eg, your name or your server's hostname) [malgosia]:malgosia
Name [EasyRSA]:Router
Email Address [me@myhost.mydomain]:malgosia@eko.one.pl

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'PL'
stateOrProvinceName   :PRINTABLE:'Masovian'
localityName          :PRINTABLE:'Warsaw'
organizationName      :PRINTABLE:'Home'
organizationalUnitName:PRINTABLE:'Home'
commonName            :PRINTABLE:'malgosia'
name                  :PRINTABLE:'Router'
emailAddress          :IA5STRING:'malgosia@eko.one.pl'
Certificate is to be certified until Nov  8 10:53:50 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter Export Password:
Verifying - Enter Export Password:
root@OpenWrt:~# cp /etc/easy-rsa/keys/ca.crt /etc/easy-rsa/keys/serwer.* /etc/easy-rsa/keys/dh2048.pem /etc/openvpn
root@OpenWrt:~# uci set network.vpn=interface
root@OpenWrt:~# uci set network.vpn.ifname=tun0
root@OpenWrt:~# uci set network.vpn.proto=none
root@OpenWrt:~# uci commit
root@OpenWrt:~# uci add firewall zone
cfg1edc81
root@OpenWrt:~# uci set firewall.@zone[-1].name=vpn
root@OpenWrt:~# uci set firewall.@zone[-1].input=ACCEPT
root@OpenWrt:~# uci set firewall.@zone[-1].forward=ACCEPT
root@OpenWrt:~# uci set firewall.@zone[-1].output=ACCEPT
root@OpenWrt:~# uci set firewall.@zone[-1].network=vpn
root@OpenWrt:~# uci add firewall forwarding
cfg1fad58
root@OpenWrt:~# uci set firewall.@forwarding[-1].src='vpn'
root@OpenWrt:~# uci set firewall.@forwarding[-1].dest='wan'
root@OpenWrt:~# uci add firewall rule
cfg2092bd
root@OpenWrt:~# uci set firewall.@rule[-1].name=OpenVPN
root@OpenWrt:~# uci set firewall.@rule[-1].target=ACCEPT
root@OpenWrt:~# uci set firewall.@rule[-1].src=wan
root@OpenWrt:~# uci set firewall.@rule[-1].proto=udp
root@OpenWrt:~# uci set firewall.@rule[-1].proto=tcp
root@OpenWrt:~# uci set firewall.@rule[-1].dest_port=443
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# reboot



root@OpenWrt:~# uci set openvpn.home=openvpn
root@OpenWrt:~# uci set openvpn.home.enabled=1
root@OpenWrt:~# uci set openvpn.home.dev=tun
root@OpenWrt:~# uci set openvpn.home.port=443
root@OpenWrt:~# uci set openvpn.home.proto=tcp
root@OpenWrt:~# uci set openvpn.home.log=/tmp/openvpn.log
root@OpenWrt:~# uci set openvpn.home.verb=3
root@OpenWrt:~# uci set openvpn.home.ca=/etc/openvpn/ca.crt
root@OpenWrt:~# uci set openvpn.home.cert=/etc/openvpn/serwer.crt
root@OpenWrt:~# uci set openvpn.home.key=/etc/openvpn/serwer.key
root@OpenWrt:~# uci set openvpn.home.server='10.8.0.0 255.255.255.0'
root@OpenWrt:~# uci set openvpn.home.dh=/etc/openvpn/dh2048.pem
root@OpenWrt:~# uci commit openvpn
root@OpenWrt:~# /etc/init.d/openvpn enable
root@OpenWrt:~# /etc/init.d/openvpn start

**********Windows client**********
    client
    ca ca.crt
    cert malgosia.crt
    dev tun
    key malgosia.key
    log malgosia.log
    proto tcp
    remote xx.xx.xx.xx 443
    remote-cert-tls server
    verb 3

The client returned:

Wed Nov 11 12:55:14 2015 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Nov 11 12:55:14 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Nov 11 12:55:14 2015 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Nov 11 12:55:14 2015 Socket Buffers: R=[8192->8192] S=[64512->64512]
Wed Nov 11 12:55:14 2015 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Wed Nov 11 12:55:14 2015 Local Options hash (VER=V4): 'db02a8f8'
Wed Nov 11 12:55:14 2015 Expected Remote Options hash (VER=V4): '7e068940'
Wed Nov 11 12:55:14 2015 Attempting to establish TCP connection with 192.168.10.249:8080
Wed Nov 11 12:55:14 2015 TCP connection established with 192.168.10.249:8080
Wed Nov 11 12:55:14 2015 Send to HTTP proxy: 'CONNECT xx.xx.xx.xx:443 HTTP/1.0'
Wed Nov 11 12:55:14 2015 HTTP proxy returned: 'HTTP/1.0 200 Connection established'
Wed Nov 11 12:55:16 2015 TCPv4_CLIENT link local: [undef]
Wed Nov 11 12:55:16 2015 TCPv4_CLIENT link remote: 192.168.10.249:8080
Wed Nov 11 12:55:44 2015 Connection reset, restarting [0]
Wed Nov 11 12:55:44 2015 TCP/UDP: Closing socket
Wed Nov 11 12:55:44 2015 SIGUSR1[soft,connection-reset] received, process restarting
Wed Nov 11 12:55:44 2015 Restart pause, 5 second(s)

Client file list:

malgosia.ovpn
malgosia.crt
malgosia.key
ca.crt

What did I screw up?


15

Re: OpenVPN according to Cezary

Isn't LuCI listening on 443 for you by default?


16

Re: OpenVPN according to Cezary

Quite possible, but I haven't found yet where to turn that off.


17

Re: OpenVPN according to Cezary

Yes, I do in fact log in over 443. Where in the GUI can I change it to plain 80?


18

Re: OpenVPN according to Cezary

I changed the port in /etc/config/uhttpd and restarted the router, but the client threw:

Wed Nov 11 13:27:14 2015 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Nov 11 13:27:14 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Nov 11 13:27:14 2015 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Nov 11 13:27:14 2015 Socket Buffers: R=[8192->8192] S=[64512->64512]
Wed Nov 11 13:27:14 2015 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Wed Nov 11 13:27:14 2015 Local Options hash (VER=V4): 'db02a8f8'
Wed Nov 11 13:27:14 2015 Expected Remote Options hash (VER=V4): '7e068940'
Wed Nov 11 13:27:14 2015 Attempting to establish TCP connection with 192.168.10.249:8080
Wed Nov 11 13:27:14 2015 TCP connection established with 192.168.10.249:8080
Wed Nov 11 13:27:14 2015 Send to HTTP proxy: 'CONNECT xx.xx.xx.xx:443 HTTP/1.0'
Wed Nov 11 13:27:14 2015 HTTP proxy returned: 'HTTP/1.0 200 Connection established'
Wed Nov 11 13:27:16 2015 TCPv4_CLIENT link local: [undef]
Wed Nov 11 13:27:16 2015 TCPv4_CLIENT link remote: 192.168.10.249:8080
Wed Nov 11 13:27:16 2015 TLS: Initial packet from 192.168.10.249:8080, sid=99cfce1d 1d54aae6
Wed Nov 11 13:27:16 2015 VERIFY OK: depth=1, /C=PL/ST=Masovian/L=Warsaw/O=Home/OU=Home/CN=OpenWrt_Server/name=Router/emailAddress=cezary@eko.one.pl
Wed Nov 11 13:27:16 2015 Validating certificate key usage
Wed Nov 11 13:27:16 2015 ++ Certificate has key usage  00a0, expects 00a0
Wed Nov 11 13:27:16 2015 VERIFY KU OK
Wed Nov 11 13:27:16 2015 Validating certificate extended key usage
Wed Nov 11 13:27:16 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Nov 11 13:27:16 2015 VERIFY EKU OK
Wed Nov 11 13:27:16 2015 VERIFY OK: depth=0, /C=PL/ST=Masovian/L=Warsaw/O=Home/OU=Home/CN=OpenWrt_Server/name=Router/emailAddress=cezary@eko.one.pl
Wed Nov 11 13:27:17 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov 11 13:27:17 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 11 13:27:17 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov 11 13:27:17 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 11 13:27:17 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Nov 11 13:27:17 2015 [OpenWrt_Server] Peer Connection Initiated with 192.168.10.249:8080

and that the connection did not succeed.

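The "Connection reset" in the client log and the port switch in the replies above come down to uhttpd (LuCI) and the OpenVPN server both wanting TCP 443. The check below is an added example, not code from the thread or from OpenWrt; it runs on constructed copies of /etc/config/uhttpd and /etc/config/openvpn written to a temp directory, and 8443 is an assumed replacement port.

```shell
# Added example, not code from the thread: find a listening-port clash between
# uhttpd (LuCI) and the OpenVPN server section, the cause of "Connection reset"
# above. It runs on constructed config snippets; on a router pass the real files.

# Print every port a UCI-style config asks a daemon to listen on, one per line:
# "option port 'N'" (openvpn) and "list listen_http(s) 'ADDR:N'" (uhttpd).
uci_listen_ports() {
    tr -d "'\"" < "$1" | awk '
        $1 == "option" && $2 == "port" { print $3; next }
        $1 == "list" && $2 ~ /^listen_https?$/ { v = $3; sub(/^.*:/, "", v); print v }
    ' | sort -u
}

# Print the ports both configs want to bind; empty output means no clash.
port_clash() {
    for p in $(uci_listen_ports "$1"); do
        if uci_listen_ports "$2" | grep -qx "$p"; then
            echo "$p"
        fi
    done
}

TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT

# Constructed /etc/config/uhttpd with the stock LuCI listeners on 80 and 443.
cat > "$TMPD/uhttpd" <<'EOF'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_https '0.0.0.0:443'
EOF
# The same file with HTTPS moved off 443 (8443 is an assumed example value).
cat > "$TMPD/uhttpd_moved" <<'EOF'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_https '0.0.0.0:8443'
EOF
# Constructed /etc/config/openvpn matching the uci commands above (tcp/443).
cat > "$TMPD/openvpn" <<'EOF'
config openvpn 'home'
    option port '443'
    option proto 'tcp'
EOF

echo "stock uhttpd vs openvpn: $(port_clash "$TMPD/uhttpd" "$TMPD/openvpn")"
echo "moved uhttpd vs openvpn: $(port_clash "$TMPD/uhttpd_moved" "$TMPD/openvpn")"
```

The first line reports 443, the second is empty; the same two functions work on a live router when given /etc/config/uhttpd and /etc/config/openvpn.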