meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux:openwrt [2015/07/10 08:44] niziaklinux:openwrt [2021/03/05 14:09] (current) niziak
Line 1: Line 1:
 +====== OpenWRT ======
 +
 ====== First steps ====== ====== First steps ======
 To use SSH, first telnet to router and set root password. To use SSH, first telnet to router and set root password.
Line 4: Line 6:
 ====== Enable SSH on WAN ====== ====== Enable SSH on WAN ======
  
 +<code bash>
 uci add firewall rule uci add firewall rule
 uci set firewall.@rule[-1].src=wan uci set firewall.@rule[-1].src=wan
Line 11: Line 14:
 uci commit firewall uci commit firewall
 /etc/init.d/firewall restart /etc/init.d/firewall restart
 +</code>
  
 +====== Multiple WAN IP ======
 +===== same provider ====
 +There are two method defining multiple WAN IP [[https://wiki.openwrt.org/doc/uci/network#multiple_ip_addresses]].
 +In both cases, addresses are added to the same interface.
 +It is not possible to create 2nd firewall zone, like WAN2, because all iptables rules are using physical interface name to connect iptables chain, and physical interface is the same.
  
-====== OpenVPN ======+Better is to create second OpenWRT interface "WAN2" but assign it to firewall zone "WAN".  
 +To use other external IP firewall needs to be configured manually by: 
 +<file bash | /etc/firewall.user> 
 +iptables -A input_wan_rule -d $WAN2_NET/29 -j reject 
 +iptables -t nat -A prerouting_wan_rule -p tcp -d $WAN2_IP3 --dport 80  -j DNAT --to-destination 192.168.0.90:80  -m comment --comment "Web server"
  
-<code bash>opkg install openvpn-openssl luci-app-openvpn openvpn-easy-rsa</code>+# goal is to do not pass into default WAN rules 
 +iptables -t nat -A prerouting_wan_rule -d $WAN2_NET/29 -j ACCEPT 
 +</file>
  
-Enable incoming OpenVPN connections: 
  
-<code bash> +====== PXE boot ======
-uci add firewall rule +
-uci set firewall.@rule[-1]._name=openvpn +
-uci set firewall.@rule[-1].src=wan +
-uci set firewall.@rule[-1].target=ACCEPT +
-uci set firewall.@rule[-1].proto=udp +
-uci set firewall.@rule[-1].dest_port=1194 +
-uci commit firewall+
  
-echo "iptables -I OUTPUT -o tap+ -j ACCEPT" >> /etc/firewall.user +<file | /etc/dnsmasq.conf>
-echo "iptables -I INPUT -i tap+ -j ACCEPT" >> /etc/firewall.user +
-echo "iptables -I FORWARD -o tap+ -j ACCEPT" >> /etc/firewall.user +
-echo "iptables -I FORWARD -i tap+ -j ACCEPT" >> /etc/firewall.user +
-</code>+
  
-<code bash> +# set tag "ENH" if request comes from iPXE ("iPXE" user class) 
-mkdir -o /etc/openvpn +dhcp-userclass=set:ENH,iPXE
-uci set openvpn.uservpn=openvpn +
-uci set openvpn.uservpn.config=/etc/openvpn/user-vpn.conf +
-uci set openvpn.uservpn.enable=1 +
-uci commit openvpn +
-</code>+
  
-cat > /etc/openvpn/user-vpn.conf+# alternative way, look for option 175 
 +#dhcp-match=set:ENH,175
  
-   port 1194 +# UNDI 
-   proto udp +dhcp-boot=tag:!ENH,netboot.xyz-undionly.kpxe,myserver,192.168.0.231 
-   dev tap0 + 
-   keepalive 10 120 +# PXE 
-   status /tmp/openvpn-status.log +dhcp-boot=tag:ENH,netboot.xyz.kpxe,myserver,192.168.0.231 
-   verb 3 +</file>
-   secret /etc/openvpn/secret.key+
  
-Add VPN to local LAN bridge: 
  
-<code bash> 
-cat > /etc/init.d/openvpn-bridge 
-#!/bin/sh /etc/rc.common 
-     
-    START=94 
-     
-    start() { 
-        openvpn --mktun --dev tap0 
-        brctl addif br-lan tap0 
-        ifconfig tap0 0.0.0.0 promisc up 
-    } 
-                                                                                                         
-    stop() { 
-        ifconfig tap0 0.0.0.0 down 
-        brctl delif br-lan tap0 
-        openvpn --rmtun --dev tap0 
-    } 
  
  
-chmod 755 /etc/init.d/openvpn-bridge  +====== Backup ====== 
-/etc/init.d/openvpn-bridge enable +[[https://wiki.openwrt.org/doc/howto/generic.backup]] 
-/etc/init.d/openvpn-bridge start+ 
 +====== Periodic reboot ====== 
 + 
 +===== cron job ===== 
 +<code> 
 +# Reboot at 4:30am every day 
 +# Note: To avoid infinite reboot loop, wait 70 seconds 
 +# and touch a file in /etc so clock will be set 
 +# properly to 4:31 on reboot before cron starts. 
 +30 4 * * * sleep 70 && touch /etc/banner && reboot
 </code> </code>
  
-<code bash+or independent on system time 
-openvpn --genkey --secret /etc/openvpn/secret.key+<code> 
 +30 4 * * *  [ $( cat /proc/uptime | cut -d '.' -f 1 ) -gt 3600 ] && reboot
 </code> </code>
  
-Start VPN:+===== watchcat =====
 <code bash> <code bash>
-/etc/init.d/openvpn enable +opkg install watchcat luci-app-watchcat
-/etc/init.d/openvpn start+
 </code> </code>
  
 +And ''luci'' menu will be available under ''Services''
  
 ====== Issues ====== ====== Issues ======