
Differences

This shows you the differences between two versions of the page.

linux:openwrt [2017/01/31 12:28] niziak
linux:openwrt [2021/03/05 14:09] (current) niziak
Line 1: Line 1:
 +====== OpenWRT ======
 +
 ====== First steps ====== ====== First steps ======
 To use SSH, first telnet to router and set root password. To use SSH, first telnet to router and set root password.
Line 12: Line 14:
 uci commit firewall uci commit firewall
 /etc/init.d/firewall restart /etc/init.d/firewall restart
-</codE>+</code>
  
 ====== Multiple WAN IP ====== ====== Multiple WAN IP ======
 +===== same provider ====
 There are two method defining multiple WAN IP [[https://wiki.openwrt.org/doc/uci/network#multiple_ip_addresses]]. There are two method defining multiple WAN IP [[https://wiki.openwrt.org/doc/uci/network#multiple_ip_addresses]].
 In both cases, addresses are added to the same interface. In both cases, addresses are added to the same interface.
 It is not possible to create 2nd firewall zone, like WAN2, because all iptables rules are using physical interface name to connect iptables chain, and physical interface is the same. It is not possible to create 2nd firewall zone, like WAN2, because all iptables rules are using physical interface name to connect iptables chain, and physical interface is the same.
  
 +Better is to create second OpenWRT interface "WAN2" but assign it to firewall zone "WAN"
 +To use other external IP firewall needs to be configured manually by:
 +<file bash | /etc/firewall.user>
 +iptables -A input_wan_rule -d $WAN2_NET/29 -j reject
 +iptables -t nat -A prerouting_wan_rule -p tcp -d $WAN2_IP3 --dport 80  -j DNAT --to-destination 192.168.0.90:80  -m comment --comment "Web server"
  
-====== OpenVPN ======+# goal is to do not pass into default WAN rules 
 +iptables -t nat -A prerouting_wan_rule -d $WAN2_NET/29 -j ACCEPT 
 +</file>
  
-<code bash>opkg install openvpn-openssl luci-app-openvpn openvpn-easy-rsa</code> 
  
-Enable incoming OpenVPN connections:+====== PXE boot ======
  
-<code bash> +<file | /etc/dnsmasq.conf>
-uci add firewall rule +
-uci set firewall.@rule[-1]._name=openvpn +
-uci set firewall.@rule[-1].src=wan +
-uci set firewall.@rule[-1].target=ACCEPT +
-uci set firewall.@rule[-1].proto=udp +
-uci set firewall.@rule[-1].dest_port=1194 +
-uci commit firewall+
  
-echo "iptables -I OUTPUT -o tap+ -j ACCEPT>> /etc/firewall.user +# set tag "ENHif request comes from iPXE ("iPXE" user class) 
-echo "iptables -I INPUT -i tap+ -j ACCEPT>> /etc/firewall.user +dhcp-userclass=set:ENH,iPXE
-echo "iptables -I FORWARD -o tap+ -j ACCEPT" >> /etc/firewall.user +
-echo "iptables -I FORWARD -i tap+ -j ACCEPT" >> /etc/firewall.user +
-</code>+
  
-<code bash> +# alternative way, look for option 175 
-mkdir -o /etc/openvpn +#dhcp-match=set:ENH,175
-uci set openvpn.uservpn=openvpn +
-uci set openvpn.uservpn.config=/etc/openvpn/user-vpn.conf +
-uci set openvpn.uservpn.enable=1 +
-uci commit openvpn +
-</code>+
  
-cat > /etc/openvpn/user-vpn.conf+# UNDI 
 +dhcp-boot=tag:!ENH,netboot.xyz-undionly.kpxe,myserver,192.168.0.231
  
-   port 1194 +# PXE 
-   proto udp +dhcp-boot=tag:ENH,netboot.xyz.kpxe,myserver,192.168.0.231 
-   dev tap0 +</file>
-   keepalive 10 120 +
-   status /tmp/openvpn-status.log +
-   verb 3 +
-   secret /etc/openvpn/secret.key+
  
-Add VPN to local LAN bridge: 
  
-<code bash> 
-cat > /etc/init.d/openvpn-bridge 
-#!/bin/sh /etc/rc.common 
-     
-    START=94 
-     
-    start() { 
-        openvpn --mktun --dev tap0 
-        brctl addif br-lan tap0 
-        ifconfig tap0 0.0.0.0 promisc up 
-    } 
-                                                                                                         
-    stop() { 
-        ifconfig tap0 0.0.0.0 down 
-        brctl delif br-lan tap0 
-        openvpn --rmtun --dev tap0 
-    } 
  
  
-chmod 755 /etc/init.d/openvpn-bridge  +====== Backup ====== 
-/etc/init.d/openvpn-bridge enable +[[https://wiki.openwrt.org/doc/howto/generic.backup]] 
-/etc/init.d/openvpn-bridge start+ 
 +====== Periodic reboot ====== 
 + 
 +===== cron job ===== 
 +<code> 
 +# Reboot at 4:30am every day 
 +# Note: To avoid infinite reboot loop, wait 70 seconds 
 +# and touch a file in /etc so clock will be set 
 +# properly to 4:31 on reboot before cron starts. 
 +30 4 * * * sleep 70 && touch /etc/banner && reboot
 </code> </code>
  
-<code bash+or independent on system time 
-openvpn --genkey --secret /etc/openvpn/secret.key+<code> 
 +30 4 * * *  [ $( cat /proc/uptime | cut -d '.' -f 1 ) -gt 3600 ] && reboot
 </code> </code>
  
-Start VPN:+===== watchcat =====
 <code bash> <code bash>
-/etc/init.d/openvpn enable +opkg install watchcat luci-app-watchcat
-/etc/init.d/openvpn start+
 </code> </code>
  
 +And ''luci'' menu will be available under ''Services''
  
 ====== Issues ====== ====== Issues ======
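Review bot: in the `/etc/firewall.user` block added under "Multiple WAN IP", `iptables -A input_wan_rule -d $WAN2_NET/29 -j reject` uses a lowercase target name that iptables cannot load (the target is `REJECT`), so the file aborts at its first rule; change it to `-j REJECT` or `-j DROP`. The DNAT line that follows only rewrites the destination address; without a matching `iptables -A forwarding_wan_rule -p tcp -d 192.168.0.90 --dport 80 -j ACCEPT` the rewritten packets still hit the wan zone's default forward policy, which is the part a `config redirect` stanza would have generated for you. `$WAN2_NET` and `$WAN2_IP3` are referenced but never assigned anywhere in the file; either set them at the top of `firewall.user` or say where they are expected to come from. Minor: the comment in the `/etc/dnsmasq.conf` block reads `# set tag "ENHif request comes from iPXE`, which is missing the closing quote and space after `ENH`.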