== Start service on boot ==

OpenWrt does not have update-rc.d or chkconfig. To start a service called service-name on boot, run:

{{{#!highlight sh
/etc/init.d/service-name enable
/etc/init.d/service-name start
}}}

== Enable SSH from WAN ==

Place into /etc/firewall.user:

{{{#!highlight sh
iptables --append input_wan --protocol tcp --dport 22 --jump ACCEPT
}}}

When SSH from WAN is enabled, it's probably a good idea to disable password logins via SSH (only public key authentication will be allowed):

{{{#!highlight sh
sed -i -e "s/'on'/'off'/" /etc/config/dropbear
}}}

This sets the PasswordAuth option to "off" (the pattern rewrites every option in the file whose value is 'on'), making /etc/config/dropbear look like:

{{{
config dropbear
        option PasswordAuth 'off'
        option Port '22'
}}}

== Unlock root data partition ==

OpenWrt sometimes does not unlock the data partition. I've particularly noticed this on the WRT54GL and OpenWrt 10.03.

{{{
mtd unlock rootfs_data
}}}

== Increase DNS cache size ==

{{{
uci set dhcp.@dnsmasq[-1].cachesize=8192
uci commit dhcp
}}}

Or place into `/etc/config/dhcp`:

{{{
config dnsmasq
        # ...
        option cachesize '8192'
}}}

== Use custom DNS server ==

Create /etc/resolv.local containing nameserver entries.
Add resolv-file to dnsmasq.conf:

{{{
echo resolv-file=/etc/resolv.local >> /etc/dnsmasq.conf
}}}

and restart dnsmasq:

{{{
/etc/init.d/dnsmasq restart
}}}

== Useful packages ==

|| '''Package''' || '''Use''' ||
|| miniupnpd luci-app-upnp || Enable UPnP so ports in firewall can automatically be opened ||
|| umdns || Lightweight Avahi/mDNS server ||

== IPv6 ==

{{{#!highlight sh
opkg install iputils-traceroute6 # IPv6 traceroute
}}}

== Statistics and collectd ==

{{{#!highlight sh
# Install luci statistics app, collectd, and some useful collectd modules
opkg update
opkg install luci-app-statistics
opkg install collectd-mod-interface collectd-mod-memory collectd-mod-ping collectd-mod-rrdtool collectd-mod-wireless collectd-mod-conntrack collectd-mod-cpu collectd-mod-iptables collectd-mod-uptime
opkg install luci-proto-vpnc

uci get luci_statistics.collectd_interface.Interfaces
uci set luci_statistics.collectd_interface.Interfaces='br-lan 6in4-henet'
# wan interfaces only
uci set luci_statistics.collectd_interface.Interfaces='eth1 6in4-henet'

# set wireless interfaces
uci get luci_statistics.collectd_iwinfo.Interfaces
uci add_list luci_statistics.collectd_iwinfo.Interfaces='wlan0'
uci add_list luci_statistics.collectd_iwinfo.Interfaces='wlan1'

uci set luci_statistics.collectd.Interval=60
uci commit luci_statistics

/etc/init.d/luci_statistics enable
/etc/init.d/collectd enable
}}}

== Pass through SSH and Mosh for IPv6 ==

Into /etc/config/firewall:

{{{
config rule
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'SSH for IPv6'

config rule
        option src 'wan'
        option proto 'udp'
        option dest 'lan'
        option dest_port '60000-61000'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'Mosh for IPv6'
}}}

== SQM (Smart Queue Management) to reduce Bufferbloat ==

{{{#!highlight sh
# Remove QoS
opkg remove qos-scripts luci-app-qos

# Install SQM
opkg install luci-app-sqm

# Configure (see below)

# Enable
/etc/init.d/sqm start
/etc/init.d/sqm enable
}}}

Configuration (see [[https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm|SQM page on OpenWrt wiki]] for more information):

{{{
config queue 'eth1'
        option qdisc_advanced '0'
        option enabled '1'
        option interface 'eth0'
        option download '250000'
        option upload '250000'
        option debug_logging '0'
        option verbosity '5'
        option qdisc 'cake'
        option script 'piece_of_cake.qos'
        option linklayer 'ethernet'
        option overhead '44'
}}}

and adjust download and upload (in kbps) appropriately.

== UPnP ==

{{{#!highlight sh
opkg install luci-app-upnp
uci set upnpd.config.enabled=1
uci commit
}}}

== List packages installed after flash ==

Not 100% accurate, from https://gist.github.com/devkid/8d4c2a5ab62e690772f3d9de5ad2d978#gistcomment-2658305:

{{{#!highlight sh
#!/bin/sh

PRECISION=6

trunk_time () {
    PKGTIME=$(opkg info "$1" | grep '^Installed-Time: ' | cut -f2 -d ' ')
    PKGTIME=${PKGTIME:0:$2}
    return
}

trunk_time busybox $PRECISION && BUILD_TIME=$PKGTIME

for i in $(opkg list-installed | cut -d' ' -f1)
do
    trunk_time $i $PRECISION
    if [ "$PKGTIME" != "$BUILD_TIME" ]
    then
        echo $i
    fi
done
}}}

== Misc configuration ==

{{{#!highlight sh
# max number of NAT connections tracked, prevent:
# nf_conntrack: nf_conntrack: table full, dropping packet
cat << EOF > /etc/sysctl.d/12-nf-conntrack-max.conf
net.netfilter.nf_conntrack_max=65536
EOF
}}}

== Useful reads ==

[[http://tech.sybreon.com/2015/05/05/nat64dns64-on-openwrt/|Setting up NAT64 and DNS64 on OpenWRT]], for IPv6-only networks.

[[http://www.jauu.net/2015/03/03/complete-openwrt-guide/|My complete OpenWrt setup guide]]. Comprehensive, from-scratch setup guide.
[[https://github.com/imaginator/home-network/blob/master/build-firmware]]: git repository for storing configuration for building an OpenWrt image

== Device-specific notes ==

=== TP-Link Archer C7 ===

 * Latest community built firmware, many patches & optimizations: [[https://github.com/vurrut/openwrt-optimized-archer-c7-v2|vurrut/openwrt-optimized-archer-c7-v2]]. Based off of widely used [[https://github.com/infinitnet/lede-ar71xx-optimized-archer-c7-v2|infinitnet/lede-ar71xx-optimized-archer-c7-v2]].

== Misc notes ==

{{{#!highlight sh
# Enable cron. Edit w/ `crontab -e`
/etc/init.d/cron enable
/etc/init.d/cron start

# set hostname
uci set system.@system[0].hostname=mynewhostname
uci commit system
/etc/init.d/system reload
}}}

 * SSH keys for Dropbear should be appended to `/etc/dropbear/authorized_keys`

[[https://kuther.net/2014/02/05/analyzing-openwrt-firewall-logs-with-splunk/|Analyzing OpenWrt firewall logs w/ Splunk]]. Forward log information to another syslog server and have Splunk index these files.

[[https://feeding.cloud.geek.nz/posts/debugging-openwrt-routers-by-shipping/|Debugging OpenWrt by shipping logs to rsyslog]] details how rsyslog writes the files.

== Packages ==

 * iptables-mod-extra

----
CategoryCheatSheet
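Added example (not part of the original page) for the "Enable SSH from WAN" section: a check to run before opening port 22 on the WAN side, confirming that every dropbear instance refuses passwords and that a public key is installed. The function names and sample files are constructed for illustration, and a dropbear section without `PasswordAuth` is assumed to allow password logins.

```shell
#!/bin/sh
# Added example, not from the original page.

# password_auth_state CONFIG
# Prints "on" or "off" for each "config dropbear" section in a UCI file.
# Assumption: a section without the option allows password logins.
password_auth_state() {
    awk -v q="'" '
        function unq(s) { gsub("[\"" q "]", "", s); return s }
        function emit() { if (insec) print state }
        $1 == "config" { emit(); insec = (unq($2) == "dropbear"); state = "on" }
        insec && $1 == "option" && $2 == "PasswordAuth" {
            state = (unq($3) ~ /^(0|off|no|false|disabled)$/) ? "off" : "on"
        }
        END { emit() }
    ' "$1"
}

# ssh_wan_ready CONFIG AUTHORIZED_KEYS
# Returns 0 only if every dropbear instance refuses passwords and at least
# one public key is installed; otherwise prints the reason and returns 1.
ssh_wan_ready() {
    states=$(password_auth_state "$1")
    [ -n "$states" ] || { echo "no dropbear section in $1"; return 1; }
    case "$states" in
        *on*) echo "password logins still enabled in $1"; return 1 ;;
    esac
    grep -v '^[[:space:]]*#' "$2" 2>/dev/null |
        grep -Eq '(^| )(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) ' ||
        { echo "no public key in $2"; return 1; }
    echo "ok: key-only SSH"
}

# Constructed sample files: a config before and after the page's sed edit.
demo=$(mktemp -d)
printf "config dropbear\n\toption PasswordAuth 'on'\n\toption Port '22'\n" > "$demo/before"
sed -e "s/'on'/'off'/" "$demo/before" > "$demo/after"
printf 'ssh-ed25519 AAAAC3Nza...constructed admin@laptop\n' > "$demo/keys"

ssh_wan_ready "$demo/before" "$demo/keys" || true
ssh_wan_ready "$demo/after" "$demo/missing" || true
ssh_wan_ready "$demo/after" "$demo/keys"
```

On a router, call `ssh_wan_ready /etc/config/dropbear /etc/dropbear/authorized_keys` before adding the firewall rule.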