Differences between revisions 1 and 25 (spanning 24 versions)
Revision 1 as of 2009-10-03 12:11:11
Size: 218
Editor: SamatJain
Comment:
Revision 25 as of 2021-01-26 07:12:45
Size: 6627
Editor: SamatJain
Comment: iptables-mod-extra
<<TableOfContents>>

== Enable SSH from WAN ==

Place into /etc/firewall.user. The file is executed by the iptables-based firewall, and the `input_wan` chain name is from the firewall of the 10.03 era; fw3 keeps `input_wan_rule` as the hook chain for user rules, and fw4 (nftables, OpenWrt 22.03 and later) does not read /etc/firewall.user at all, so on a current release add a `config rule` with `option src 'wan'` to /etc/config/firewall instead, in the same form as the IPv6 rules further down this page:

{{{#!highlight sh
iptables --append input_wan --protocol tcp --dport 22 --jump ACCEPT
}}}

An SSH port reachable from the WAN will be found by password-guessing bots, so disable password logins (Dropbear then accepts public-key authentication only). Append your key to `/etc/dropbear/authorized_keys` and confirm that a key-based login works before doing this, otherwise you lock yourself out:

{{{#!highlight sh
sed -i -e "s/'on'/'off'/" /etc/config/dropbear
}}}

This rewrites every `'on'` in the file, which sets the PasswordAuth option to "off" (and on releases whose default config also carries RootPasswordAuth, that one too, which is what you want), making /etc/config/dropbear look like:

{{{
config dropbear
        option PasswordAuth 'off'
        option Port '22'
}}}

Restart the dropbear service afterwards and test a fresh key-based session while keeping the current one open.
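The ordering matters enough to script it. The following is an added example, not code from the original cheat sheet: it refuses to disable password authentication unless `authorized_keys` already holds a key, and its sed touches only the two auth options rather than every `'on'` in the file. The file paths are parameters so it can be tried on scratch copies; the `uci` lines in the trailing comment are the equivalent UCI commands on a live router, and the key in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: turn off Dropbear password
# logins only after verifying that a public key is installed, and edit just the
# two auth options. Paths are parameters so the functions can be tried on scratch
# copies before touching /etc/config/dropbear and /etc/dropbear/authorized_keys.

# 0 if the authorized_keys file contains at least one OpenSSH-format public key.
has_authorized_key() {
    keys_file="$1"
    [ -s "$keys_file" ] || return 1
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$keys_file"
}

# 0 if PasswordAuth or RootPasswordAuth is still 'on' in the given UCI file.
password_auth_enabled() {
    grep -Eq "^[[:space:]]*option[[:space:]]+(Root)?PasswordAuth[[:space:]]+'on'" "$1"
}

# Flip only the PasswordAuth and RootPasswordAuth options; Port and any other
# option are left untouched (a blunt s/'on'/'off'/ would rewrite any of them).
disable_password_auth() {
    sed -i -E "s/^([[:space:]]*option[[:space:]]+(Root)?PasswordAuth[[:space:]]+)'on'/\1'off'/" "$1"
}

# Returns 0 on success, 2 when it refused because no key is installed (the
# lock-out case), 3 if password auth is somehow still enabled afterwards.
harden_dropbear() {
    cfg="$1"
    keys="$2"
    if ! has_authorized_key "$keys"; then
        echo "refusing to disable password auth: no public key in $keys" >&2
        return 2
    fi
    disable_password_auth "$cfg"
    password_auth_enabled "$cfg" && return 3
    return 0
}

# Stand-alone demo on constructed files (placeholder key, not the live config).
demo_harden() {
    tmp=$(mktemp -d)
    printf "config dropbear\n\toption PasswordAuth 'on'\n\toption RootPasswordAuth 'on'\n\toption Port '22'\n" > "$tmp/dropbear"
    : > "$tmp/authorized_keys"          # simulates "forgot to install a key"
    harden_dropbear "$tmp/dropbear" "$tmp/authorized_keys" || echo "first attempt refused (rc=$?)"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForTheDemo000000000000000 admin@laptop" >> "$tmp/authorized_keys"
    harden_dropbear "$tmp/dropbear" "$tmp/authorized_keys" && cat "$tmp/dropbear"
    rm -rf "$tmp"
}

# On the router:
#   harden_dropbear /etc/config/dropbear /etc/dropbear/authorized_keys && /etc/init.d/dropbear restart
# then open a NEW key-based session before closing the current one.
# UCI equivalent of disable_password_auth:
#   uci set dropbear.@dropbear[0].PasswordAuth='off'
#   uci set dropbear.@dropbear[0].RootPasswordAuth='off'
#   uci commit dropbear
if [ "${1:-}" = "demo" ]; then demo_harden; fi
```

Run it with `sh script.sh demo` to see the refusal followed by the rewritten config; the exit codes let the call be chained with the service restart only when the change actually went through.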

== Unlock root data partition ==

OpenWrt sometimes does not unlock the data partition. I've particularly noticed this on the WRT54GL and OpenWrt 10.03.

{{{
mtd unlock rootfs_data
}}}

== Increase DNS cache size ==

{{{
uci set dhcp.@dnsmasq[-1].cachesize=8192
uci commit dhcp
}}}

Or place into `/etc/config/dhcp`:

{{{
config dnsmasq
    # ...
    option cachesize '8192'
}}}

== Use custom DNS server ==

Create /etc/resolv.local containing `nameserver` entries. The UCI way is `option resolvfile '/etc/resolv.local'` (or `option noresolv '1'` plus `list server` entries) in the `config dnsmasq` section of /etc/config/dhcp. The quick way is to add resolv-file to /etc/dnsmasq.conf, which OpenWrt's generated dnsmasq config includes. Note that dnsmasq then polls both this file and the ISP-supplied resolv.conf.auto and takes its servers from whichever was modified most recently, so a WAN lease renewal can silently put the ISP resolvers back in charge:

{{{
echo resolv-file=/etc/resolv.local >> /etc/dnsmasq.conf
}}}

and restart dnsmasq:

{{{
/etc/init.d/dnsmasq restart
}}}

== Useful packages ==

|| '''Package''' || '''Use''' ||
|| miniupnpd luci-app-upnp || Enable UPnP so LAN clients can open inbound ports in the firewall automatically (see the UPnP section below for the trade-off) ||
|| umdns || Lightweight mDNS responder, an Avahi replacement ||

== IPv6 ==

{{{#!highlight sh
opkg install iputils-traceroute6 # IPv6 traceroute
}}}

== Statistics and collectd ==

{{{#!highlight sh
# Install luci statistics app, collectd, and some useful collectd modules
opkg update
opkg install luci-app-statistics
opkg install collectd-mod-interface collectd-mod-memory collectd-mod-ping collectd-mod-rrdtool collectd-mod-wireless collectd-mod-conntrack collectd-mod-cpu collectd-mod-iptables collectd-mod-uptime
opkg install luci-proto-vpnc

# interfaces to graph: either the LAN bridge plus the 6in4 tunnel ...
uci get luci_statistics.collectd_interface.Interfaces
uci set luci_statistics.collectd_interface.Interfaces='br-lan 6in4-henet'
# ... or wan interfaces only (the second set overwrites the first; pick one)
uci set luci_statistics.collectd_interface.Interfaces='eth1 6in4-henet'

# set wireless interfaces
uci get luci_statistics.collectd_iwinfo.Interfaces
uci add_list luci_statistics.collectd_iwinfo.Interfaces='wlan0'
uci add_list luci_statistics.collectd_iwinfo.Interfaces='wlan1'

# sample every 60 seconds
uci set luci_statistics.collectd.Interval=60
uci commit luci_statistics

/etc/init.d/luci_statistics enable
/etc/init.d/collectd enable
}}}

== Pass through SSH and Mosh for IPv6 ==

There is no NAT on IPv6, so a `wan` to `lan` forwarding rule without `dest_ip` opens the port on every host in the LAN, not on one machine. Add `option dest_ip` with the address (or prefix) of the host that should receive the traffic, and keep `option family 'ipv6'` so the rule never applies to IPv4. Into /etc/config/firewall:

{{{
config rule
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'SSH for IPv6'

config rule
        option src 'wan'
        option proto 'udp'
        option dest 'lan'
        option dest_port '60000-61000'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'Mosh for IPv6'
}}}
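An added example (not from the original cheat sheet) that audits /etc/config/firewall for exactly this mistake: it parses the UCI file with awk and prints every `config rule` that forwards from `wan` into another zone with target ACCEPT and no `dest_ip`. Rules without a `dest` (input rules for the router itself, such as the stock Allow-Ping) are skipped on purpose. The config inside `demo_audit` is constructed for the demo; 2001:db8::10 is a documentation-range placeholder.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: flag 'config rule' sections
# in a UCI firewall file that forward traffic from the wan zone into another
# zone with target ACCEPT but no dest_ip, i.e. rules that expose a port on every
# host of that zone. Usage: audit_wan_accept_rules /etc/config/firewall

audit_wan_accept_rules() {
    # q is passed in so the awk program itself needs no single quotes.
    awk -v q="'" '
    function flush() {
        # Called at each section boundary; reports the section just finished.
        if (sect == "rule" && opt["src"] == "wan" && opt["target"] == "ACCEPT" &&
            opt["dest"] != "" && opt["dest_ip"] == "")
            print (opt["name"] != "" ? opt["name"] : ("unnamed rule (section #" n ")"))
    }
    /^config[ \t]+/ {
        flush()
        sect = $2          # section type: rule, redirect, zone, ...
        n++                # running section number, used for unnamed rules
        split("", opt)     # portable way to empty the array
        next
    }
    /^[ \t]*(option|list)[ \t]+/ {
        key = $2
        val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)   # keep text after the key
        gsub(q, "", val)                                           # strip the UCI quotes
        opt[key] = val
    }
    END { flush() }
    ' "$1"
}

# Stand-alone demo on a constructed config: the SSH rule from this page, a mosh
# rule pinned to one host with dest_ip, and the stock Allow-Ping input rule.
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
config rule
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'SSH for IPv6'

config rule
        option src 'wan'
        option proto 'udp'
        option dest 'lan'
        option dest_port '60000-61000'
        option dest_ip '2001:db8::10'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'Mosh for one IPv6 host'

config rule
        option src 'wan'
        option proto 'icmp'
        option target 'ACCEPT'
        option name 'Allow-Ping'
EOF
    audit_wan_accept_rules "$tmp"    # prints only: SSH for IPv6
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo_audit; fi
```

Run `sh script.sh demo` to see that only the unrestricted SSH rule is reported. The check looks at `option dest_ip` and `list dest_ip` alike; a rule whose restriction lives in a separate ipset or in `src_ip` is outside what it understands, so treat its output as a list to review rather than a verdict.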

== SQM (Smart Queue Management) to reduce Bufferbloat ==

{{{#!highlight sh
# Remove QoS
opkg remove qos-scripts luci-app-qos
# Install SQM
opkg install luci-app-sqm
# Configure (see below)

# Enable
/etc/init.d/sqm start
/etc/init.d/sqm enable
}}}

Configuration (see [[https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm|SQM page on OpenWrt wiki]] for more information):

{{{
config queue 'eth1'
        option qdisc_advanced '0'
        option enabled '1'
        option interface 'eth0'
        option download '250000'
        option upload '250000'
        option debug_logging '0'
        option verbosity '5'
        option qdisc 'cake'
        option script 'piece_of_cake.qos'
        option linklayer 'ethernet'
        option overhead '44'
}}}

The section name (`eth1` here) is only a label; `interface` must be the physical WAN device (eth0 on this box, often eth1 or pppoe-wan elsewhere), and `download` / `upload` are in kbit/s. Set them a little below the rates you actually measure, so that the router rather than the ISP's equipment is where the queue builds up; otherwise cake has nothing to shape and the bufferbloat stays.

== UPnP ==

UPnP lets any device on the LAN, including a compromised one, open inbound ports through the firewall without asking you. Only enable it where that is acceptable, keep `option secure_mode '1'` in /etc/config/upnpd so a client can only map ports to its own address, and review the active redirects in LuCI from time to time.

{{{#!highlight sh
opkg install luci-app-upnp
uci set upnpd.config.enabled=1
uci commit
}}}

== List packages installed after flash ==

Not 100% accurate: the script assumes everything in the image was installed into the rootfs within one short window at build time, so a package you added later whose Installed-Time happens to share that prefix is missed, and an image assembled from packages installed at different times can produce false positives. From https://gist.github.com/devkid/8d4c2a5ab62e690772f3d9de5ad2d978#gistcomment-2658305, with the bash-style `${var:0:n}` substring replaced by `cut` so it does not depend on busybox's bash-compatibility options:

{{{#!highlight sh
#!/bin/sh
# Compare the first PRECISION digits of each package's Installed-Time (epoch
# seconds) with busybox's; busybox is always part of the image, so anything
# with a different prefix was probably installed later. With a 10-digit epoch,
# 6 digits means timestamps within the same ~3-hour window count as equal.

PRECISION=6

# Set PKGTIME to the first $2 digits of package $1's Installed-Time.
trunk_time () {
    PKGTIME=$(opkg info "$1" | grep '^Installed-Time: ' | cut -f2 -d ' ' | cut -c1-"$2")
}

trunk_time busybox "$PRECISION" && BUILD_TIME=$PKGTIME

for i in $(opkg list-installed | cut -d' ' -f1)
do
    trunk_time "$i" "$PRECISION"
    if [ "$PKGTIME" != "$BUILD_TIME" ]
    then
        echo "$i"
    fi
done
}}}
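An exact alternative, added here and not part of the original page or the gist: on a squashfs image the pristine root stays mounted read-only at /rom, so the image's own package database is still at /rom/usr/lib/opkg/status and can be compared with the live /usr/lib/opkg/status. Besides packages that were added, this also shows packages whose version differs from the image (an `opkg upgrade` on a running router is a classic way to break things, so these are worth knowing about). The status files inside `demo_status_diff` are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Assumes a squashfs image,
# where the pristine root is mounted read-only at /rom, so
# /rom/usr/lib/opkg/status is the package list of the flashed image and
# /usr/lib/opkg/status is the live one.

# Usage: packages_added_since_flash IMAGE_STATUS LIVE_STATUS
# Prints "<pkg><TAB>added" or "<pkg><TAB>upgraded <old> -> <new>", in live-file order.
packages_added_since_flash() {
    awk '
        # First file (FNR == NR only while reading it; the image list is never empty).
        FNR == NR {
            if ($1 == "Package:") pkg = $2
            if ($1 == "Version:") rom_ver[pkg] = $2
            next
        }
        # Second file: every stanza in an opkg status file has Package: then Version:.
        $1 == "Package:" { pkg = $2 }
        $1 == "Version:" {
            if (!(pkg in rom_ver))        print pkg "\tadded"
            else if (rom_ver[pkg] != $2)  print pkg "\tupgraded " rom_ver[pkg] " -> " $2
        }
    ' "$1" "$2"
}

# Stand-alone demo on two constructed status files (not real router data).
demo_status_diff() {
    tmp=$(mktemp -d)
    printf 'Package: busybox\nVersion: 1.33.1-1\nStatus: install user installed\n\nPackage: dropbear\nVersion: 2020.81-1\nStatus: install user installed\n\n' > "$tmp/rom_status"
    printf 'Package: busybox\nVersion: 1.33.1-1\nStatus: install user installed\n\nPackage: dropbear\nVersion: 2020.81-2\nStatus: install user installed\n\nPackage: luci-app-sqm\nVersion: 1.5.0-1\nStatus: install user installed\n\n' > "$tmp/live_status"
    packages_added_since_flash "$tmp/rom_status" "$tmp/live_status"
    rm -rf "$tmp"
}

# On the router: packages_added_since_flash /rom/usr/lib/opkg/status /usr/lib/opkg/status
if [ "${1:-}" = "demo" ]; then demo_status_diff; fi
```

The first column is what you would feed back into `opkg install` after a sysupgrade; the second column tells you which of those were actually upgrades of image packages rather than additions.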

== Misc configuration ==

{{{#!highlight sh
# max number of connections tracked by conntrack (NAT and the stateful firewall
# both need an entry per flow); raise it to stop the kernel logging
#   nf_conntrack: nf_conntrack: table full, dropping packet
# The 12- prefix sorts after OpenWrt's own conntrack defaults in /etc/sysctl.d.
cat << EOF > /etc/sysctl.d/12-nf-conntrack-max.conf
net.netfilter.nf_conntrack_max=65536
EOF
}}}

Each tracked connection costs a few hundred bytes of kernel memory, so 65536 entries is a noticeable share of RAM on a 32 MB or 64 MB router. Compare `/proc/sys/net/netfilter/nf_conntrack_count` with the current maximum before raising it, and bear in mind that a table that really is full is sometimes a LAN host scanning or taking part in a flood rather than legitimate load.

== Useful reads ==

[[http://tech.sybreon.com/2015/05/05/nat64dns64-on-openwrt/|Setting up NAT64 and DNS64 on OpenWRT]], for IPv6-only networks.

[[http://www.jauu.net/2015/03/03/complete-openwrt-guide/|My complete OpenWrt setup guide]]. Comprehensive, from-scratch setup guide.

[[https://github.com/imaginator/home-network/blob/master/build-firmware]]: git repository for storing configuration for building an OpenWrt image

== Device-specific notes ==

=== TP-Link Archer C7 ===

 * Latest community built firmware, many patches & optimizations: [[https://github.com/vurrut/openwrt-optimized-archer-c7-v2|vurrut/openwrt-optimized-archer-c7-v2]]. Based on the widely used [[https://github.com/infinitnet/lede-ar71xx-optimized-archer-c7-v2|infinitnet/lede-ar71xx-optimized-archer-c7-v2]].

== Misc notes ==

{{{#!highlight sh
# Enable cron. Edit w/ `crontab -e`
/etc/init.d/cron enable
/etc/init.d/cron start

# set hostname
uci set system.@system[0].hostname=mynewhostname
uci commit system
/etc/init.d/system reload
}}}

 * SSH keys for Dropbear should be appended to `/etc/dropbear/authorized_keys`

[[https://kuther.net/2014/02/05/analyzing-openwrt-firewall-logs-with-splunk/|Analyzing OpenWrt firewall logs w/ Splunk]]. Forward log information to another syslog server and have Splunk index these files. [[https://feeding.cloud.geek.nz/posts/debugging-openwrt-routers-by-shipping/|Debugging OpenWrt by shipping logs to rsyslog]] details rsyslog writing the files. The router's own log lives in a RAM ring buffer (`logread`) and is gone after a reboot or power cut, so shipping it off-box is the only way to keep a record you can go back to.

== Packages ==

 * iptables-mod-extra

== Start service on boot ==

OpenWrt does not have update-rc.d or chkconfig. To start a service called service-name on boot, run:

{{{#!highlight sh
/etc/init.d/service-name enable
/etc/init.d/service-name start
}}}

CategoryCheatSheet

SamatsWiki: CheatSheet/OpenWrt (last edited 2021-01-26 07:12:45 by SamatJain)