OpenWRT 19.07.2

OpenWRT (https://openwrt.org; the LEDE project was merged back into OpenWrt) is a Linux firmware distribution for routers and low-performance devices.

Installation of OpenWRT is device-specific. Please check the OpenWRT wiki before buying a device and follow the guide there.

Upgrade guide: https://openwrt.org/docs/guide-quick-start/sysupgrade.luci

Linux Hardware Vendors

Please check the OpenWrt database before buying a router: https://openwrt.org/toh/views/toh_available_16128. But keep in mind that almost all routers require proprietary firmware, and when checking the OpenWrt website it is not clear to the user which parts are required on which devices!

To get the best OpenWrt support, try to buy a router that is supported by the hardware vendor itself.

  • Zyxel sells some routers with Linux and OpenWrt (e.g. the Armor Z2)
  • Linksys provides very few devices with Linux and OpenWrt (e.g. the WRT1900 and WRT3200)

Warning

If you have a fast cable connection with IPv6 and you want to use OpenWrt, please try to get a device (see examples above) with 512MB RAM to avoid soft and hard crashes.

Upgrade

If you upgrade OpenWrt, all settings are usually copied over, but you lose all manually installed packages. Check the following:

  • Reinstall software packages such as luci-ssl-openssl
  • Re-add /etc/hosts.local for local IPv4 resolution
  • If you used DNS over TLS, redo the complete setup

General

Setting up a new router requires some recommended steps:

  • System
    • Software
      • Install luci-ssl-openssl (to access the web interface via HTTPS)
    • Administration
      • Password = make sure to define a strong one
      • SSH Access
        • Interface = set it to LAN only
        • SSH-Keys = add your public key if available; once key login works, disable Password authentication and Allow root logins with password
    • System
      • Hostname = XXX
      • Timezone = XXX (important if you want correct timestamps in the logs)
  • Network
    • Interfaces
      • Create a new interface for wifi (for security, remove access from wlan to the home LAN if you run servers at home).
      • Remove WLAN0 and WLAN1 from the LAN interface and remove the bridge settings (this requires a router restart)
      • Create a new interface wifiguest for untrusted devices such as guests' devices, smart home, smart TV, Windows, Google, Apple, …
      • WAN – unselect Use DNS servers advertised by peer, then enter 1.1.1.1 and 1.0.0.1 to use Cloudflare DNS.
      • WAN6 – unselect Use DNS servers advertised by peer, then enter 2606:4700:4700::1111 and 2606:4700:4700::1001 to use Cloudflare DNS.
      • If you use a bridge, check IGMP
        • Enable IGMP Snooping to avoid sending unnecessary network management traffic to clients
      • Global network options
        • IPv6 ULA-Prefix: by default the router uses a quite complex IPv6 prefix for its own local network. You can change it to something simple like fd1:1:1::/48 so that you can remember it as easily as an IPv4 address (note that a ULA prefix has to lie within fd00::/8, so write the first group as four hex digits beginning with fd, e.g. fd01).
    • Wireless
      • Change the wireless network on the bgn band to a GUEST network for insecure devices (e.g. smart home, externally managed devices)
      • Create a wireless network on the n/ac band for your trusted home devices
      • If you have trusted home devices that need the old bgn band, you can create an additional network for them. As the n/ac band is not as crowded as bgn, try it first without this.
      • Generic for all wireless networks
        • Key = make sure to define a strong key
        • Encryption = WPA2-PSK
        • Enable key reinstallation (KRACK) countermeasures = Yes
        • Allow legacy 802.11b = No
        • Set the country code correctly
    • Firewall
      • General Settings
        • Enable Drop invalid packets
        • Enable Software flow offloading (it helps to reduce network load)
        • Add a zone wlan similar to lan and link it to the interface wifi
        • Add a zone ext similar to lan and link it to the interface wifiguest
      • Traffic Rules
        • As there are now 3 zones (lan, wlan and ext), adjust all existing OpenWrt default traffic rules that have lan as destination and change it to any zone.
        • Add ANY (mostly WAN, but also WIFI and WIFIGUEST) to LAN forward rules if you run a server
        • Add WIFI and WIFIGUEST to LAN forward rules if you run a server, in case they are not covered by the rules above
        • If you need to block certain devices such as smart TVs from accessing the internet, add a rule based on the MAC address
    • DHCP and DNS
      • Static Leases = add entries for devices such as servers that need a fixed IPv4 address.
      • Resolv and Hosts Files
        • Additional Host Files
          • /etc/hosts.local (see IPv4 Domain Server below)
  • Software (Optional)
    • Install luci-app-statistics and collectd if you want to see and collect statistics about network and CPU usage. If you no longer use them after your analysis, remove them again to avoid the statistics collection.
    • Install ddns-scripts (with ca-certificates and wget) and luci-app-ddns if you have a dynamic IPv4 address and run a server that must be reachable from the internet (not required for IPv6)
  • Services
    • Dynamic DNS
      • If you have a separate but dynamic IPv4 address, set up your dynamic DNS service (not available with DS-Lite cable providers)
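The zone layout from the Firewall items above, expressed as uci commands for the terminal instead of LuCI clicks. This is an added example, not configuration from the post or from OpenWrt; it assumes the interfaces are named wifi and wifiguest as in the list, and the MAC address is a constructed placeholder.

```shell
#!/bin/sh
# Added helper, not part of the post or of OpenWrt: creates the wlan and ext
# zones with uci, lets them reach wan only (no forwarding towards lan), and
# adds one MAC-based block rule. Set UCI=echo to preview instead of applying.
UCI="${UCI:-uci}"

# add_zone <zone> <interface>: like lan for input/output, but with no forwarding
# entry towards lan, so wifi clients cannot reach the wired home network.
add_zone() {
  $UCI set "firewall.$1=zone"
  $UCI set "firewall.$1.name=$1"
  $UCI add_list "firewall.$1.network=$2"
  $UCI set "firewall.$1.input=ACCEPT"
  $UCI set "firewall.$1.output=ACCEPT"
  $UCI set "firewall.$1.forward=REJECT"
  $UCI set "firewall.${1}_wan=forwarding"
  $UCI set "firewall.${1}_wan.src=$1"
  $UCI set "firewall.${1}_wan.dest=wan"
}

# block_mac <rule> <zone> <mac>: keep one device (e.g. a smart TV) off the internet.
block_mac() {
  $UCI set "firewall.$1=rule"
  $UCI set "firewall.$1.name=$1"
  $UCI set "firewall.$1.src=$2"
  $UCI set "firewall.$1.src_mac=$3"
  $UCI set "firewall.$1.dest=wan"
  $UCI set "firewall.$1.proto=all"
  $UCI set "firewall.$1.target=REJECT"
}

configure_zones() {
  add_zone wlan wifi
  add_zone ext wifiguest
  block_mac block_smarttv ext "00:11:22:33:44:55"   # constructed placeholder MAC
  $UCI commit firewall
}

# Apply only when invoked with "apply" on the router, e.g.: sh zones.sh apply
if [ "${1:-}" = "apply" ]; then
  configure_zones && /etc/init.d/firewall reload
fi
```

Run it once with `UCI=echo sh zones.sh apply` to read the generated commands before applying them on the router.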

IPv4 Domain Server

If you host your own web server/service under your own domain, you usually don't want to send all traffic out to the internet and then back into your local network. IPv4 is not aware of the local service, so resolving the domain locally will improve transfer speed. IPv6 instead uses the same subnet address inside and outside, so you do not need to adjust anything locally.

Check after every router update:

vi /etc/hosts.local
192.168.1.21 YOURDOMAINNAME.COM
192.168.1.21 www.YOURDOMAINNAME.COM
192.168.1.21 ipv4.YOURDOMAINNAME.COM
...

Package update via console

$ opkg update
$ opkg list-upgradable
$ opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade   # pass only the package names, not the version columns

DNS over HTTPS

Update: Since OpenWrt 19.07.2 I had massive stability issues where DNS wouldn’t be resolved anymore (mostly when downloading games from Steam; removing odhcpd-ipv6only didn’t help), sometimes even connecting to the router with the IPv4 or IPv6 address was not possible anymore. RAM usage was quite high too. Besides this, it made upgrading OpenWrt just more complicated. Because of this, I’ve decided to disable DNS over HTTPS and DNSSEC again on my router and now I will do this directly on the client, adding the advantage that my notebook and mobile will not depend on the home network infrastructure anymore. Only as DNS servers I continue to use the classic unencrypted Cloudflare DNS servers, see above in Interfaces WAN and WAN6. I distrust the DNS servers of my internet providers as they added IP blocks and censorship.

Upgrade Note: If you upgrade OpenWRT without returning to the default DNS, your DNS will not work anymore afterwards. Undo the following two lines, or in LuCI undo the settings in the section Enable dnsmasq via Stubby (you also need to use the provider's default DNS to reinstall stubby), and re-enable Use DNS servers advertised by peer for the WAN interface.

$ vi /etc/config/dhcp   #see config dnsmasq
option dnssec '1'
option dnsseccheckunsigned '1'

Installation/After OpenWrt Upgrade: Install stubby (this adds ca-certificates, libyaml and getdns), then follow the guide here or at https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md. >> Previously ca-bundle was also required to get stubby running without this error message: “stubby[22301]: Could not schedule query: None of the configured upstreams could be used to send queries on the specified transports”.

After Stubby is installed, create the setup in LuCI:

  1. Select Network / DHCP and DNS / General Settings and enter the address 127.0.0.1#5453 in “DNS Forwardings”
  2. In the “Resolv and Hosts Files” tab tick the “Ignore resolve file” checkbox. Save & Apply.

Then block forwarding of DNS requests to the internet provider:

  1. Select Network / Interfaces. Edit the WAN interface. Advanced Settings tab.
  2. Unselect the Use DNS servers advertised by peer checkbox
  3. Enter 127.0.0.1 in the Use custom DNS servers box.
  4. Save & Apply.
  5. Repeat the above steps for the WAN6 interface, but use the address 0::1 instead of 127.0.0.1.

Enable DNSSEC via the terminal (connect to the router via ssh):

opkg install dnsmasq-full --download-only && opkg remove dnsmasq odhcpd-ipv6only && opkg install dnsmasq-full --cache . && rm *.ipk

It is recommended to remove odhcpd-ipv6only too.

Restart your router now if you use OpenWrt >= 19.07.

Enable dnsmasq via Stubby:

  1. Select the Network / DHCP and DNS / Advanced Settings.
  2. Enable DNSSEC and DNSSEC check unsigned.
  3. Save & Apply.

Verify that DNS over HTTPS works from your local machine:

nslookup -type=TXT resolver.dnscrypt.info

This prints the IP address of the resolver you are using. Check that it is a Cloudflare IP address here: https://iptoasn.com/

Verify that DNSSEC works from your local machine:

dig dnssectest.sidn.nl +dnssec +multi @192.168.1.1
; <<>> DiG 9.11.4-P1-RedHat-9.11.4-5.P1.fc28 <<>> dnssectest.sidn.nl +dnssec +multi @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26579
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

The flags line should contain ad (authenticated data); without it the router answered, but did not validate the signatures.
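The LuCI steps of this section, their undo for the upgrade note above, and the dig check as one shell helper. This is an added example, not code from the post or from the stubby package; it assumes the stubby listener on 127.0.0.1#5453 and the interface names wan and wan6 used in the post, and the embedded sample is constructed from the dig output shown above.

```shell
#!/bin/sh
# Added helper, not part of the post or of OpenWrt: drives the LuCI steps above
# with uci, reverts them before a sysupgrade, and checks a dig answer for DNSSEC.
# Set UCI=echo to preview the commands instead of changing the router.
UCI="${UCI:-uci}"

enable_encrypted_dns() {
  $UCI set 'dhcp.@dnsmasq[0].noresolv=1'                  # "Ignore resolve file"
  $UCI add_list 'dhcp.@dnsmasq[0].server=127.0.0.1#5453'  # forward to stubby
  $UCI set 'dhcp.@dnsmasq[0].dnssec=1'
  $UCI set 'dhcp.@dnsmasq[0].dnsseccheckunsigned=1'
  $UCI set 'network.wan.peerdns=0'                        # no provider DNS via DHCP
  $UCI add_list 'network.wan.dns=127.0.0.1'
  $UCI set 'network.wan6.peerdns=0'
  $UCI add_list 'network.wan6.dns=0::1'
  $UCI commit dhcp && $UCI commit network
}

# Undo everything above; run this BEFORE a sysupgrade or name resolution breaks.
revert_provider_dns() {
  for key in 'dhcp.@dnsmasq[0].noresolv' 'dhcp.@dnsmasq[0].server' \
             'dhcp.@dnsmasq[0].dnssec' 'dhcp.@dnsmasq[0].dnsseccheckunsigned' \
             network.wan.peerdns network.wan.dns network.wan6.peerdns network.wan6.dns; do
    $UCI -q delete "$key" || true
  done
  $UCI commit dhcp && $UCI commit network
}

# dnssec_validated: read "dig ... +dnssec" output on stdin; succeed only when the
# status is NOERROR and the flags line carries "ad" (authenticated data).
dnssec_validated() {
  dig_out=$(cat)
  dig_status=$(printf '%s\n' "$dig_out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  dig_flags=$(printf '%s\n' "$dig_out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  [ "$dig_status" = "NOERROR" ] || return 1
  for f in $dig_flags; do [ "$f" = "ad" ] && return 0; done
  return 1
}

# check_router_dnssec <router-ip>: the post's dig query, judged by the flags line.
check_router_dnssec() {
  dig dnssectest.sidn.nl +dnssec +multi @"$1" | dnssec_validated
}

# Constructed sample, taken from the dig output shown in the post.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26579
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
```

On the router, run `enable_encrypted_dns` (or `revert_provider_dns`) from an ssh session and then restart dnsmasq and the network; from a client, `check_router_dnssec 192.168.1.1` exits 0 only when the router validated the answer.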

Another check you can run: https://www.cloudflare.com/ssl/encrypted-sni/

WireGuard

WireGuard is the new implementation of a VPN-like tunnel, but simple and secure by default. Install luci-app-wireguard. The how-to guides on the internet are actually a little complex; hopefully there will be an easier one soon.

Bug

Currently OpenWrt is plagued by crashes on newer devices like the Linksys EA8300 and the Fritz!Box 4040 (the latter is actually much worse than the Linksys) that require hard router resets when using IPv6 on a fast internet connection (500 Mbit cable).

OpenWrt still offers neither an automatic update mechanism nor an integrated update download. This essential feature is most probably still missing because there are too many different devices and setups. But at least an integrated update check that downloads the new release and verifies its checksum should be provided!
