Openwrt network config (WIP)

This is just a reminder of how I configure my home network.

The OpenWrt router that I use is a WNDR3800 from the ~2015 era. Great value with a 680 MHz MIPS CPU, 128 MB RAM and 16 MB flash. I actually have a few of them 🙂 I think it runs at around 5W-7W from memory. This makes it a perfect device to run a few important jobs.

Before getting started

I don’t like having to build custom images, but it is the easiest path to a fully configured, sysupgrade-capable image. The objective is to generate the image such that I can flash a new device and get it up and running without any modification on the device itself.

More than one way to get it done!

  1. You can build the whole kernel and all applications yourself.
  2. You can use the image builder, which is quicker, and still use opkg for additional packages on the same day (the package feeds still match the image).
  3. Keep a minimal image and use a USB stick as overlay to install all the applications before restoring a configuration backup. Writing a 4 MB image instead of a 10 MB one could save some flash wear?

I found that enabling CONFIG_TARGET_INITRAMFS_COMPRESSION_XZ=y and generating an xz-compressed squashfs saved me 0.8 MB on a 10 MB image, for the effort of building it myself. Worth the wait of the build process?

I also only mess with the router once every 6-18 months. Writing an image a few times and testing a bit should keep the device alive for at least another 10-15 years, right?

Secret sauce

With either approach, you can supply a files/ folder that holds all your configuration and customization.
You could decompress a backup archive there, and when you reset your router it returns to this configuration if you ever mess it up 🙂

Services to be handled by the router

dhcpd
firewall-wan
duckdns.org ip update
freenom automatic domain renewal
unbound
wireless-ap
wireguard

Network topology

I want to have my VMs on a different IP subnet than the rest of my network. This can be achieved with VLANs. I will use VLAN 20 and up for VMs and create a vmbr20 Linux bridge interface in Proxmox that tags traffic on that VLAN.

Description                                    VLAN     IP Range
ISP -> openwrt -> switch -> 1u_switch -> PCs   vlan1    192.168.1.1/16
                          -> Servers & VMs     vlan20+  10.x.x.1/16
                          -> Infrastructure    vlan7    172.16.0.1/16
-> wifi -> wifi_0 -> daily_usage               wlan1    192.168.1.1/16
        -> wifi_1 -> adblock                   wlan2    192.168.2.1/16
        -> wifi_2 -> iot                       wlan3    192.168.3.1/16
        -> wifi_3 -> iot_nonet                 wlan4    192.168.4.1/16

Routing

It’s all done in the firewall: no static routes to create and maintain!

Allow vlan1->vlan4->vlan1
Allow vlan1->vlan20-50
Allow vlan1->vlan10
Allow vlan10->vlan3,vlan4
Block vlan3->vlan1,vlan20-50,vlan10
Block vlan4->vlan1
Block vlan5->vlan1-4,vlan6-50
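The zone model behind the list above (every zone rejects forwarding by default, and only the "Allow" lines become explicit forwardings, so the "Block" lines need no rules of their own) can be captured in a small generator. The following POSIX shell script is an added example and not part of the original post: it emits a default-deny /etc/config/firewall from a short allow-list. The zone names (lan, vms, infra, iot, iot_nonet), the interface mapping and the allow-list itself are my assumptions, modelled on a subset of the post's VLAN table; the iot zones additionally get DHCP and DNS rules, since a zone with input REJECT would otherwise not even get an address from the router.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a default-deny
# /etc/config/firewall: each zone carries "option forward 'REJECT'", so
# traffic between zones only flows where a "config forwarding" section
# allows it. Zone names and interface mapping are assumptions.

# Constructed allow-list: "allow <src-zone> <dst-zone>", one per line.
# iot_nonet appears in no line, so it reaches neither other zones nor wan.
POLICY='
allow lan vms
allow lan infra
allow lan iot
allow lan wan
allow vms wan
allow iot wan
'

# Zones with input=REJECT still need DHCP and DNS from the router itself.
emit_service_rules() {
    printf "config rule\n\toption name 'Allow-DHCP-%s'\n\toption src '%s'\n" "$1" "$1"
    printf "\toption proto 'udp'\n\toption dest_port '67'\n\toption target 'ACCEPT'\n\n"
    printf "config rule\n\toption name 'Allow-DNS-%s'\n\toption src '%s'\n" "$1" "$1"
    printf "\toption proto 'tcp udp'\n\toption dest_port '53'\n\toption target 'ACCEPT'\n\n"
}

# emit_zone NAME NETWORK INPUT_POLICY
emit_zone() {
    printf "config zone\n\toption name '%s'\n\tlist network '%s'\n" "$1" "$2"
    printf "\toption input '%s'\n\toption output 'ACCEPT'\n\toption forward 'REJECT'\n" "$3"
    [ "$1" = wan ] && printf "\toption masq '1'\n\toption mtu_fix '1'\n"
    printf '\n'
    # locked-down zones get the minimum router services they need
    [ "$3" = REJECT ] && [ "$1" != wan ] && emit_service_rules "$1"
    return 0
}

emit_forwarding() {
    printf "config forwarding\n\toption src '%s'\n\toption dest '%s'\n\n" "$1" "$2"
}

# Print the complete firewall config to stdout.
gen_firewall() {
    printf "config defaults\n\toption input 'ACCEPT'\n\toption output 'ACCEPT'\n"
    printf "\toption forward 'REJECT'\n\toption synflood_protect '1'\n\n"
    emit_zone wan       wan    REJECT
    emit_zone lan       lan    ACCEPT   # vlan1, trusted PCs
    emit_zone vms       vlan20 ACCEPT   # proxmox VMs
    emit_zone infra     vlan7  ACCEPT   # infrastructure
    emit_zone iot       wlan3  REJECT   # iot: internet only
    emit_zone iot_nonet wlan4  REJECT   # iot with no internet at all
    printf '%s\n' "$POLICY" | while read -r action src dst; do
        [ "$action" = allow ] || continue
        emit_forwarding "$src" "$dst"
    done
}

# Helpers for sanity-checking the policy before it goes into files/etc/config.
count_forwardings() { gen_firewall | grep -c "^config forwarding"; }
forwardings_from() {
    printf '%s\n' "$POLICY" | awk -v z="$1" '$1=="allow" && $2==z {n++} END{print n+0}'
}
```

Run `gen_firewall > files/etc/config/firewall` to bake the result into the image; `forwardings_from iot_nonet` should print 0 before you do, which is the whole point of that zone.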

Build environment

Set up build environment

I was able to build the images inside a toolbox container after installing a few things. This is for Fedora!

sudo dnf install --skip-broken bash-completion bzip2 gcc gcc-c++ git make ncurses-devel patch perl-Data-Dumper perl-Thread-Queue python2 python3 rsync tar unzip wget perl-base perl-File-Compare perl-File-Copy perl-FindBin diffutils which python flex git-core gettext openssl-devel subversion zlib-devel gawk python3-distutils-extra

There are a few important things to understand when building custom OpenWrt images.

  1. If you build the latest (snapshot) version, you may not be able to download packages with opkg later, because the snapshot feeds keep moving.
  2. Bundle all the applications you need inside the system image if you use a snapshot.
  3. Build all packages just in case and put them on a USB disk on the router.
    • Once your image builds without error, uncomment CONFIG_ALL_KMODS=y.
  4. Put all configuration files in the folder ./files/ so they are baked into the image.
  5. Build and upload your image to the device. Configure any last bits, export the configuration and update your files.
  6. Rebake a new image and test that all works well.
  7. Use an external USB drive if you want persistent data such as logs.

Get source code

Get the code and all feeds (check out the tag from inside the clone):
git clone https://github.com/openwrt/openwrt.git
cd openwrt
git checkout v19.07.6
./scripts/feeds update -a
./scripts/feeds install -a

I did run a snapshot, but the router crashed once and would not route at all. Not ideal if you want to use it as your main router. Just stick to a tested release.

Get a .config
  1. You can get my own
  2. You can get hnyman‘s config and patch
  3. You can make your own
  4. You can download the official OpenWrt version
curl -s https://downloads.openwrt.org/releases/19.07.6/targets/ar71xx/generic/config.buildinfo > .config

Using the .config file

cp .config.wndr3800 .config; make defconfig
make menuconfig

Fixing the damn thing:

Once you have run make defconfig, compilation may break on two packages; here’s how I fixed it:

sed -i '/^[^#]/ s/\(^.*wolf.*$\)/#\ \1/' .config
sed -i '/^[^#]/ s/\(^.*openvswitch.*$\)/#\ \1/' .config
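Commenting a line out works, but kconfig's own way of recording a disabled option is `# CONFIG_X is not set`, which survives `make defconfig` without being silently rewritten. The script below is an added example, not from the original post: it turns every enabled option matching a pattern into that form and lets you count what is still enabled afterwards, so you can tell whether a later `make defconfig` pulled the package back in through a dependency. The function names and the constructed sample .config are mine; the two package patterns are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Disables packages in an
# OpenWrt .config the way kconfig expects ("# CONFIG_X is not set")
# instead of commenting the line out. Function names are assumptions.

# disable_packages CONFIG_FILE PATTERN...
# Rewrites every enabled "CONFIG_...PATTERN...=y" or "=m" line in place.
disable_packages() {
    cfg=$1; shift
    for pat in "$@"; do
        sed -i -E "s/^(CONFIG_[A-Za-z0-9_]*${pat}[A-Za-z0-9_]*)=[ym]$/# \1 is not set/" "$cfg"
    done
}

# count_enabled CONFIG_FILE PATTERN
# Prints how many options matching PATTERN are still enabled (0 when none).
count_enabled() {
    grep -c -E "^CONFIG_[A-Za-z0-9_]*$2[A-Za-z0-9_]*=[ym]$" "$1" || true
}

# write_sample_config FILE: constructed .config used for the self-check below
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_PACKAGE_libwolfssl=y
CONFIG_PACKAGE_openvswitch=m
CONFIG_PACKAGE_dnsmasq=y
# CONFIG_PACKAGE_foo is not set
EOF
}
```

Typical use in the build tree is `disable_packages .config wolf openvswitch && make defconfig && count_enabled .config wolf`; if the count is not 0 after defconfig, some other selected package depends on it and that is where to look next.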

Put all your customization in files/

It’s important that you get things running right before attempting this, because when you press the reset button the device defaults to this configuration. Really useful!

1. Create folders

mkdir -p files/etc/config files/etc/cron.d files/etc/dropbear files/etc/opkg files/etc/uci-defaults files/usr/local/bin

2. Add your ssh key

tee -a files/etc/dropbear/authorized_keys < ~/.ssh/id_ed25519.pub

3. Your own repository in /etc/opkg/distfeeds.conf

I plug a USB key into the router that has 2 partitions:
sda1: 8 GB overlay to install additional packages
sda2: ~56 GB permanent storage, including my own package repository

src/gz local file:///mnt/sda2/openwrt

4. Specify special folders to keep between upgrades

Write them to /etc/sysupgrade.conf
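Steps 1 to 4 above can be scripted so the overlay is reproducible, and the script can also check the bits that silently break if they are wrong: dropbear refuses an authorized_keys that is group- or world-writable, and anything dropped into files/ lands on the read-only squashfs exactly as committed. The following POSIX shell script is an added example and not part of the original post; the function names and the sysupgrade.conf entries are my assumptions, the USB path /mnt/sda2/openwrt and the file names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the files/ overlay that
# gets baked into the image and verify it. Function names, sysupgrade.conf
# entries and the single local feed are assumptions.

# prepare_overlay OVERLAY_DIR PUBKEY_FILE
prepare_overlay() {
    ov=$1; pub=$2
    # 1. Folders, relative to the build tree (not the build host's /etc)
    mkdir -p "$ov/etc/config" "$ov/etc/cron.d" "$ov/etc/dropbear" \
             "$ov/etc/opkg" "$ov/etc/uci-defaults" "$ov/usr/local/bin"

    # 2. SSH public key, with the permissions dropbear insists on
    cat "$pub" >> "$ov/etc/dropbear/authorized_keys"
    chmod 700 "$ov/etc/dropbear"
    chmod 600 "$ov/etc/dropbear/authorized_keys"

    # 3. Local package repository on the USB key (this overlay file replaces
    #    the distfeeds.conf the image build would otherwise generate)
    printf 'src/gz local file:///mnt/sda2/openwrt\n' > "$ov/etc/opkg/distfeeds.conf"

    # 4. Extra paths to preserve across sysupgrade (assumed list)
    cat > "$ov/etc/sysupgrade.conf" <<'EOF'
/etc/dropbear/authorized_keys
/etc/opkg/distfeeds.conf
/usr/local/bin
EOF
}

# check_overlay OVERLAY_DIR: 0 if the security-relevant bits look right
check_overlay() {
    ov=$1
    keys="$ov/etc/dropbear/authorized_keys"
    [ -s "$keys" ] || { echo "no ssh key in overlay"; return 1; }
    # a pasted private key would be baked into every image built from this tree
    grep -q 'PRIVATE KEY' "$keys" && { echo "private key material in overlay"; return 1; }
    perm=$(ls -ld "$keys" | cut -c1-10)
    [ "$perm" = "-rw-------" ] || { echo "authorized_keys perms: $perm"; return 1; }
    # nothing in files/ should be world-writable; it is copied as-is
    [ -z "$(find "$ov" -type f -perm -002 2>/dev/null)" ] || { echo "world-writable file"; return 1; }
    return 0
}
```

Run `prepare_overlay files ~/.ssh/id_ed25519.pub && check_overlay files` from the build root before `make`; the check is also worth re-running after you copy an exported configuration back into files/.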

5. Get things cleaned to change version

rm -rf tmp build_dir && make clean &&  ./scripts/feeds update -a -i && ./scripts/feeds install -a -f

It’s all about DNS

  1. DNS queries to the internet must be secured with DNSSEC
  2. Requests must be cached
  3. Block any unwanted domains
  4. Custom blocking per device/group possible
  5. Serve name resolution for local devices

dnsmasq->adblock->unbound
->piholeVM->

Quick commands

# Create backup with installed package list
sysupgrade -k -b /tmp/backup-$(date +%Y-%m-%d_%H-%M-%S).tar.gz
# Restore backup
sysupgrade -r /tmp/backup-TIMESTAMP.tar.gz
