VTUN for the Sharp Zaurus 5500

IMPORTANT NOTE!

Do NOT install vtund on out-of-the-box OZ 3.2! There's a broken mknod which will cause you all sorts of grief. Basically, vtund will silently fail. If you've got syslog running, you'll see:

  Can't allocate tun device tun1. No such file or directory(2)

You can confirm this by doing ls /dev/net/tun: the major and minor numbers will be 0, 0 (they should be 10, 200).

Solution: install a new busybox from the unstable feed (note: this info current as of May 2, 2003. There may be other problems with whatever busybox you happen to pick up.)

If I can find a good way to test for the problem, I'll update the .ipk. But if you're reading this, it means the .ipk will install but vtund will not work!

Sharp ROM

I use OZ (3.2). I don't know if vtund will work on the Sharp ROM, since it requires openssl libraries and the tun kernel modules. If someone lets me know, I'll update this page.

iPKG

For those of you who know vtun and just want the package, it is here:

• vtun_2.6-1_arm.ipk

What Is It?

VTUN is a simple, robust, and easy to use VPN solution. I have compiled it for the Sharp Zaurus 5500, and the above .ipk contains it and a sample config file. For full details, see:

    http://vtun.sourceforge.net

Building

Want to compile it yourself? I've written some notes about configuring and building vtun for arm, and included them as a script which builds an ipk. Notes and script combined are available here as README.Zaurus.

Running on Zaurus

I've created two simple scripts on the Zaurus:

• /etc/apm/suspend.d/suspend-vtun -- simply does killall vtund when you suspend the Zaurus. This is a friendly gesture to the server, so it doesn't time out, and to our client, so it doesn't get confused on resume.
• /etc/udhcpc.d/S99local -- gets called by udhcpc (the BusyBox DHCP client) whenever anything interesting happens. We translate that into either starting or stopping vtund.

Note that the latter script takes some work to set up. I recommend starting here (thanks, boyns, whoever you are). But don't follow those steps exactly! Instead:

• Skip the /etc/init.d/udhcpc bit. udhcpc is started by /sbin/ifup on the Zaurus, and there's no (apparent) way to change that.
• # mkdir /etc/udhcpc.d
• # mv /usr/share/udhcpc/default.script /etc/udhcpc.d/S50default
• Instead of /etc/udhcpc.script, write your run-parts invocation to /usr/share/udhcpc/default.script
• Download my S99local, make your changes to it (ESSID and IP addresses), and write it to /etc/udhcpc.d

That should get you started at least. And if you figure out what the shutdown sequence is for ejecting a card (cardctl eject, or using the icon in the taskbar), please let me know. Otherwise you'll have to kill vtund manually before you can eject your WiFi card.

Paranoia

vtun is useless without some sort of protection. Here's my /etc/init.d/iptables script:

#!/bin/sh

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT

# Accept ping, ssh from anywhere
iptables -A INPUT -p icmp                  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Accept anything from USB interface.  Gotta trust that, and localhost
iptables -A INPUT -i usbd0 -j ACCEPT
iptables -A INPUT -i   lo  -j ACCEPT

# I should probably restrict this to VNC, but come on... if someone
# manages to crack my VPN, I've got bigger things to worry about
# than my PDA.
iptables -A INPUT -i tun0  -j ACCEPT

# Anything already on
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

With iptables and vtun, I can finally run VNC!

Links

• VTUN home page
• IPSec, another VPN solution. Probably the most recognized one.