
First steps

To use SSH, first telnet to the router and set the root password. On these older releases telnet is open only until a root password exists; once it is set, telnet is disabled and SSH (dropbear) accepts the login.

Enable SSH on WAN

Opening port 22 to the internet invites constant brute-force attempts, so before doing this set a strong root password or, better, put a key in /etc/dropbear/authorized_keys and set PasswordAuth off in /etc/config/dropbear, and add a src_ip option to the rule so only known addresses match. A UCI rule with src=wan lands in the zone_wan_input chain; check it with iptables -nvL zone_wan_input.

uci add firewall rule
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22
uci commit firewall
/etc/init.d/firewall restart
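Before leaving port 22 open it is worth checking what the configuration actually allows. The script below is an example added to this page, not part of the original notes: it reads /etc/config/firewall and /etc/config/dropbear in their usual UCI layout, reports every rule that accepts tcp/22 from wan without a src_ip restriction, and flags the combination with password logins still enabled. The sample configs it feeds itself are constructed for the demo; on a router call `audit_ssh_exposure /etc/config/firewall /etc/config/dropbear`.

```shell
#!/bin/sh
# Added example, not from the original wiki page: audit UCI config for SSH
# exposed on the wan zone (ACCEPT for tcp/22, src=wan, no src_ip) combined
# with dropbear still accepting passwords. Assumes the stock
# "config <type> ['name']" / "option <key> '<value>'" layout of
# /etc/config/firewall and /etc/config/dropbear. The sample configs at the
# bottom are constructed for the demo, not taken from a real router.

# Print the name of every rule section that accepts tcp/22 from wan without src_ip.
find_open_ssh_rules() {
    awk -v q="'" '
    function flush() {
        if (type == "rule" && src == "wan" && target == "ACCEPT" && port == "22" &&
            srcip == "" && (proto == "" || index(proto, "tcp") > 0))
            print (name == "" ? "(unnamed)" : name)
    }
    $1 == "config" {
        flush()
        type = $2; name = $3; gsub(q, "", name)
        src = target = port = srcip = proto = ""
        next
    }
    $1 == "option" || $1 == "list" {
        val = $3; gsub(q, "", val)
        if ($2 == "src") src = val
        else if ($2 == "proto") proto = val
        else if ($2 == "target") target = val
        else if ($2 == "dest_port") port = val
        else if ($2 == "src_ip") srcip = val
        else if ($2 == "name" || $2 == "_name") name = val
    }
    END { flush() }
    ' "$1"
}

# Exit 0 if dropbear accepts password logins (OpenWrt's default when unset).
dropbear_password_auth_enabled() {
    awk -v q="'" '
    $1 == "option" && $2 == "PasswordAuth" { v = $3; gsub(q, "", v); seen = 1; on = (v == "on" || v == "1") }
    END { if (!seen) on = 1; exit (on ? 0 : 1) }
    ' "$1"
}

# Combine both checks: 0 = fine, 1 = open but key-only, 2 = open and password auth on.
audit_ssh_exposure() {
    local open
    open=$(find_open_ssh_rules "$1")
    if [ -z "$open" ]; then
        echo "OK: no unrestricted wan->22 ACCEPT rule"
        return 0
    fi
    if dropbear_password_auth_enabled "$2"; then
        echo "RISK: SSH open to the whole internet ($open) and dropbear PasswordAuth is on"
        return 2
    fi
    echo "WARN: SSH open to the whole internet ($open); key-only auth, consider src_ip"
    return 1
}

# Constructed sample configs for the demo (hypothetical, not from a real router).
sample_firewall_config() {
    cat <<'EOF'
config rule
    option _name 'ssh-wan'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

config rule 'openvpn'
    option src 'wan'
    option proto 'udp'
    option dest_port '1194'
    option target 'ACCEPT'
EOF
}

# $1 = on|off
sample_dropbear_config() {
    printf "config dropbear\n    option PasswordAuth '%s'\n    option Port '22'\n" "$1"
}

demo() {
    local fw db rc
    fw=$(mktemp); db=$(mktemp)
    sample_firewall_config > "$fw"
    sample_dropbear_config on > "$db"
    audit_ssh_exposure "$fw" "$db" && rc=0 || rc=$?
    echo "  -> exit $rc"
    sample_dropbear_config off > "$db"
    audit_ssh_exposure "$fw" "$db" && rc=0 || rc=$?
    echo "  -> exit $rc"
    rm -f "$fw" "$db"
}
demo
```

The exit code is deliberately graded so the script can run from cron or a deploy hook: 2 is the case to act on immediately, 1 is worth tightening with src_ip.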

Multiple WAN IP

same provider

There are two methods of defining multiple WAN IP addresses: https://wiki.openwrt.org/doc/uci/network#multiple_ip_addresses. In both cases the addresses are added to the same interface. It is not possible to create a second firewall zone such as WAN2, because the generated iptables rules hook the zone chains by physical interface name, and the physical interface is the same for both.

Better is to create a second OpenWRT interface “WAN2” (on the same device) and assign it to the existing firewall zone “WAN”. Traffic for the other external addresses then has to be handled manually in /etc/firewall.user. Note that a DNAT written by hand does not open the forward path the way a UCI redirect does: the forwarded port also needs an ACCEPT in forwarding_wan_rule.

/etc/firewall.user
# WAN2_NET (the network address) and WAN2_IP3 (one address inside it) must be set earlier in this file
# the router itself does not answer on the second subnet; 'reject' is fw3's own reject chain
iptables -A input_wan_rule -d $WAN2_NET/29 -j reject
iptables -t nat -A prerouting_wan_rule -p tcp -d $WAN2_IP3 --dport 80  -j DNAT --to-destination 192.168.0.90:80  -m comment --comment "Web server"

# goal: the rest of the second subnet must not fall through to the default WAN redirects
iptables -t nat -A prerouting_wan_rule -d $WAN2_NET/29 -j ACCEPT
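The following script is an added example rather than the page's own firewall.user: it generates the same kind of fragment for a secondary subnet, but checks that each public address really lies inside WAN2_NET/29 before emitting a DNAT, keeps the catch-all ACCEPT after all DNATs (otherwise a later DNAT would never be reached), and adds the forwarding_wan_rule ACCEPT that a hand-written DNAT needs. The 203.0.113.0/24 addresses and the 192.168.0.9x hosts are documentation values assumed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original page: build the /etc/firewall.user
# fragment for a second public subnet on the wan zone, refusing any public
# address that is not inside WAN2_NET/PREFIX. The addresses used
# (203.0.113.8/29, 203.0.113.11/.12, 192.168.0.90/.91) are hypothetical.

# dotted quad -> integer
ip2int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 0 if address $1 lies inside network $2 with prefix length $3
in_subnet() {
    local ip net mask
    ip=$(ip2int "$1"); net=$(ip2int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# rules for the whole secondary subnet, emitted once, before any DNAT
wan2_header() {
    cat <<EOF
# nothing on the secondary subnet should reach the router itself ('reject' is fw3's reject chain)
iptables -A input_wan_rule -d $1/$2 -j reject
EOF
}

# one DNAT: NET BITS PUBLIC_IP PRIVATE_IP TCP_PORT COMMENT
wan2_dnat() {
    local net="$1" bits="$2" pub="$3" priv="$4" port="$5" comment="$6"
    if ! in_subnet "$pub" "$net" "$bits"; then
        echo "error: $pub is not inside $net/$bits" >&2
        return 1
    fi
    cat <<EOF
iptables -t nat -A prerouting_wan_rule -p tcp -d $pub --dport $port -j DNAT --to-destination $priv:$port -m comment --comment "$comment"
# a hand-written DNAT does not open the forward path; fw3 only does that for 'config redirect'
iptables -A forwarding_wan_rule -p tcp -d $priv --dport $port -j ACCEPT
EOF
}

# emitted last: stop the rest of the subnet from falling through to the default wan redirects
wan2_footer() {
    cat <<EOF
iptables -t nat -A prerouting_wan_rule -d $1/$2 -j ACCEPT
EOF
}

# demo: the web-server forward from the page plus a second service
build_demo() {
    wan2_header 203.0.113.8 29
    wan2_dnat 203.0.113.8 29 203.0.113.11 192.168.0.90 80 "Web server"
    wan2_dnat 203.0.113.8 29 203.0.113.12 192.168.0.91 443 "Reverse proxy"
    wan2_footer 203.0.113.8 29
}

build_demo
```

Redirect the output of build_demo into /etc/firewall.user (after the WAN2 variables) and run /etc/init.d/firewall restart; a typo in a public address is caught before it silently matches nothing.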

PXE boot

OpenWrt's dnsmasq also reads /etc/dnsmasq.conf, so options without a UCI equivalent go there. The dhcp-boot arguments are boot file, server name and TFTP server address. A legacy PXE ROM is given the iPXE UNDI build; when iPXE itself asks (recognisable by the "iPXE" user class or its option 175) it gets the full image instead of being handed the chainloader again, which would loop. Check the syntax with dnsmasq --test before restarting.

/etc/dnsmasq.conf
# set tag "ENH" if the request comes from iPXE (user class "iPXE")
dhcp-userclass=set:ENH,iPXE

# alternative: match iPXE's encapsulated option 175
#dhcp-match=set:ENH,175

# legacy PXE ROM (no ENH tag): chainload the iPXE UNDI build
dhcp-boot=tag:!ENH,netboot.xyz-undionly.kpxe,myserver,192.168.0.231

# iPXE (ENH tag): serve the full netboot.xyz image
dhcp-boot=tag:ENH,netboot.xyz.kpxe,myserver,192.168.0.231

OpenVPN

opkg install openvpn-openssl luci-app-openvpn openvpn-easy-rsa

Enable incoming OpenVPN connections:

uci add firewall rule
uci set firewall.@rule[-1]._name=openvpn
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194
uci commit firewall

# let traffic on the tap interface through the base chains (tap0 is bridged into br-lan below)
echo "iptables -I OUTPUT -o tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I INPUT -i tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I FORWARD -o tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I FORWARD -i tap+ -j ACCEPT" >> /etc/firewall.user
mkdir -p /etc/openvpn
# the init script reads the option 'enabled' (not 'enable'); a disabled instance is skipped silently
uci set openvpn.uservpn=openvpn
uci set openvpn.uservpn.config=/etc/openvpn/user-vpn.conf
uci set openvpn.uservpn.enabled=1
uci commit openvpn

cat > /etc/openvpn/user-vpn.conf <<'EOF'
port 1194
proto udp
dev tap0
keepalive 10 120
status /tmp/openvpn-status.log
verb 3
secret /etc/openvpn/secret.key
EOF

This is static-key (“secret”) mode: one pre-shared key, exactly one peer, no forward secrecy. It is the simplest setup, but the key must be copied to the other end over a secure channel and kept mode 0600 on both sides; for several clients, or if a leaked key must not expose old sessions, use the TLS mode that openvpn-easy-rsa is installed for.

Add VPN to local LAN bridge:

cat > /etc/init.d/openvpn-bridge <<'EOF'
#!/bin/sh /etc/rc.common
# create tap0 and add it to br-lan before the openvpn service starts
# (check with: grep START= /etc/init.d/openvpn; this must be lower)
START=94

start() {
    openvpn --mktun --dev tap0
    brctl addif br-lan tap0
    ifconfig tap0 0.0.0.0 promisc up
}

stop() {
    ifconfig tap0 0.0.0.0 down
    brctl delif br-lan tap0
    openvpn --rmtun --dev tap0
}
EOF

chmod 755 /etc/init.d/openvpn-bridge
/etc/init.d/openvpn-bridge enable
/etc/init.d/openvpn-bridge start
# generate the 2048-bit static key (openvpn creates it mode 0600; keep it that way) and copy it to the peer over a secure channel
openvpn --genkey --secret /etc/openvpn/secret.key

Start VPN:

/etc/init.d/openvpn enable
/etc/init.d/openvpn start
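As an added check (not part of the original procedure), the script below verifies the static-key setup before the first start: it takes the secret path out of the OpenVPN config, confirms the file exists, is mode 0600 and has the V1 static key layout (header and footer lines around 16 lines of 32 hex digits, i.e. 2048 bits). The key it writes for its own demo is a dummy pattern, not a real key; on the router call `check_vpn_config /etc/openvpn/user-vpn.conf`.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check an OpenVPN
# static-key setup. Assumes the 'secret' directive uses an absolute path,
# as in the user-vpn.conf above. The dummy key written by write_dummy_key
# is a constructed pattern for the demo, never a usable key.

# Verify one static key file: present, mode 600, V1 header/footer, 16 hex lines.
check_static_key() {
    local f="$1" mode lines
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }
    mode=$(stat -c %a "$f")
    [ "$mode" = "600" ] || { echo "FAIL: $f has mode $mode, want 600"; return 1; }
    grep -qx -e '-----BEGIN OpenVPN Static key V1-----' "$f" \
        || { echo "FAIL: $f lacks the V1 header"; return 1; }
    grep -qx -e '-----END OpenVPN Static key V1-----' "$f" \
        || { echo "FAIL: $f lacks the V1 footer"; return 1; }
    lines=$(grep -cE '^[0-9a-f]{32}$' "$f" || true)
    [ "$lines" -eq 16 ] || { echo "FAIL: $f has $lines key lines, want 16"; return 1; }
    echo "OK: $f"
}

# Read the 'secret' path out of an OpenVPN config and check that key.
check_vpn_config() {
    local conf="$1" key
    key=$(awk '$1 == "secret" { print $2; exit }' "$conf")
    [ -n "$key" ] || { echo "FAIL: no 'secret' directive in $conf"; return 1; }
    check_static_key "$key"
}

# Write a dummy key with the right shape (NOT a real key) to $1.
write_dummy_key() {
    local i=0
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key (dummy for demo)'
        echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        while [ "$i" -lt 16 ]; do
            printf '%032d\n' "$i"   # 32 digits, obviously not random
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
    chmod 600 "$1"
}

demo() {
    local dir
    dir=$(mktemp -d)
    write_dummy_key "$dir/secret.key"
    printf 'port 1194\nproto udp\ndev tap0\nsecret %s\n' "$dir/secret.key" > "$dir/user-vpn.conf"
    check_vpn_config "$dir/user-vpn.conf"
    chmod 644 "$dir/secret.key"
    check_vpn_config "$dir/user-vpn.conf" || true   # now reports the bad mode
    rm -rf "$dir"
}
demo
```

A key that fails the line count is usually a copy-and-paste accident when moving it to the peer; the mode check catches keys restored from a backup with permissions lost.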

Backup

Periodic reboot

cron job

# Reboot at 4:30 every day.
# Most routers have no RTC; OpenWrt sets the clock at boot from the newest
# file in /etc. Sleeping 70 s and touching a file first means the clock
# starts at 4:31 after the reboot, so cron does not fire 4:30 again
# (no reboot loop).
30 4 * * * sleep 70 && touch /etc/banner && reboot

or, independent of the system clock (reboot only when the box has been up for more than an hour):

30 4 * * *  [ "$(cut -d. -f1 /proc/uptime)" -gt 3600 ] && reboot

watchcat

opkg install watchcat luci-app-watchcat

The LuCI page then appears under Services.

Issues

Problem: port-forwarded traffic always appears to come from the router's LAN IP instead of the real external source address. Solution: disable the masq option on the LAN zone (masquerading should be enabled only on the WAN zone).