add doc for openwrt setup

ekoby · ekoby · commit 59e6910ee28a · 2020-08-26T15:53:56.000-04:00
diff --git a/docs/openwrt/setup.md b/docs/openwrt/setup.md
@@ -0,0 +1,28 @@
+Setup Ziti Edge Tunnel on Teltonica RUT240
+------------------------------------------
+
+# Download and install
+1. get ziti-edge-tunnel bundle from https://ziti-public.s3.us-east-2.amazonaws.com/mips-teltonica/ziti-edge-tunnel-Linux_mips.zip
+1. unzip and copy `ziti-edge-tunnel` executable to `/usr/sbin` (location could be different with appropriate adjustments to init script) 
+1. get ziti init script from https://ziti-public.s3.us-east-2.amazonaws.com/mips-teltonica/ziti.init
+1. put init script as `/etc/init.d/ziti`
+
+# Configure Ziti identity
+1. create folder '/etc/ziti'
+1. copy CA auto-enrollment JWT as `/etc/ziti/ca.jwt`
+1. generate unique device SSL client certificate and copy to '/etc/ziti' along with private key:
+   - key should be saved as `/etc/ziti/id.key`
+   - certificate should be saved as `/etc/ziti/id.crt`
+
+# Configure Ziti service to autostart
+`# /etc/init.s/ziti enable`
+The first time ziti service starts it enrolls with controller specified by `ca.jwt`
+
+# Alternative enrollment
+It is possible to enroll with OTT (one time token) JWT manually.
+- create endpoint in MOP and download enrollment key -- JWT file
+- move JWT file to the device somewhere (e.g. `/tmp/enroll.jwt`)
+- enroll with the following command:  
+  `# /usr/sbin/ziti-edge-tunnel enroll -j /tmp/enroll.jwt -i /etc/ziti/id.json`
+- this create `/etc/ziti/id.json` file and ziti service can be started normally or automatically on next power up
+
diff --git a/docs/openwrt/ziti.init b/docs/openwrt/ziti.init
@@ -0,0 +1,44 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2020 NetFoundry, Inc
+
+START=65
+STOP=65
+USE_PROCD=1
+
+prog=/usr/sbin/ziti-edge-tunnel
+
+idfile=/etc/ziti/id.json
+jwtfile=/etc/ziti/ca.jwt
+certfile=/etc/ziti/id.crt
+keyfile=/etc/ziti/id.key
+
+log_opts="-s -t ziti"
+
+start_service() {
+	enroll
+  # commands to launch application
+  if [ ! -f "$idfile" ]; then
+		logger -p err $log_opts "identity is not enrolled"
+		return 1
+	fi
+
+	procd_open_instance ziti-edge-tunnel
+	procd_set_param command ${prog} run
+	procd_append_param command -c ${idfile}
+	procd_append_param command --dns=dnsmasq:/tmp/hosts
+
+	procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
+	procd_set_param stderr 1
+	procd_set_param stdout 1
+	procd_set_param pidfile /var/run/${prog}.pid
+	procd_close_instance
+}
+
+enroll() {
+	if [ -f "$idfile" ]; then
+		logger $log_opts "enrollment $idfile exists"
+	else
+		logger $log_opts "enrolling with Ziti.."
+		${prog} enroll -i ${idfile} -j ${jwtfile} -c ${certfile} -k ${keyfile} 2>&1 | logger -p info $log_opts
+	fi
+}
