LEDE is a fork of OpenWRT that arose because some people were frustrated at the pace of development and the lack of willingness to integrate contributions from others in OpenWRT. It uses //much// newer kernel sources and software. Ostensibly the differences between the two distributions have been resolved and there is a path to remerging LEDE with OpenWRT using LEDE as the code base but retaining the OpenWRT name/branding (lots of minor technical things aside). This is a very drawn out process, but I was happy to wait until the [[|KRACK Attack]] vulnerability was announced, at which point I decided to take the plunge and switch to LEDE.

Below I document the process of upgrading my Linksys WRT1900ACS from OpenWRT 15.05.1 to LEDE 17.01.4. It is somewhat abridged in comparison to the documentation I wrote when initially flashing the fresh out of the box router with [[linux:openwrt|OpenWRT]], but should be straightforward and comprehensive enough to follow.

===== Flashing LEDE 17.01.4 =====

Under LEDE there is only one release regardless of which hardware version of the router you have. Download the appropriate image from [[https://lede-project.org/toh/views/toh_fwdownload?dataflt%5BModel*%7E%5D=wrt1900acs|here]] depending on whether you are flashing from the Linksys firmware (which has a unique file structure) or are upgrading from OpenWRT/LEDE. If upgrading from OpenWRT (my situation) grab ''lede-17.01.4-mvebu-linksys-wrt1900acs-squashfs-sysupgrade.bin'' and verify the checksum.

It is wise to back up your existing configuration, but there are [[|reports]] that restoring the backup using the LuCi interface resulted in problems. Instead SSH into your router and as ''root'' make a backup of the ''/etc/'' directory...

<code bash>
tar cvf /tmp/backup_openwrt-15.05.1_20171020.tar /etc/ && gzip /tmp/backup_openwrt-15.05.1_20171020.tar
</code>

Copy this off of the router and store it somewhere safe, you will need it later.
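The checksum step is the one thing standing between you and flashing a corrupted or tampered download, so it deserves more than an eyeball comparison. The shell function below is an added example (not code from the original page): it looks up the image's expected hash in the ''sha256sums'' file that LEDE publishes in the same download directory as the images, hashes the local file and refuses to report success on a mismatch or on a file the sums list does not mention. The sample "image" and sums file at the bottom are constructed so it can be run anywhere; on a real download you would point it at the downloaded ''sha256sums'' and ''.bin''.

```shell
#!/bin/sh
# Added example: verify a sysupgrade image against the sha256sums file published
# in the same download directory before flashing it. Not code from the original
# page. Requires sha256sum (GNU coreutils or BusyBox) and awk.

# verify_image SUMSFILE IMAGE
#   0 = hash matches, 1 = hash differs, 2 = image not listed in SUMSFILE
verify_image() {
  sums=$1
  image=$2
  name=$(basename "$image")
  # sha256sums lines look like "<hash> *<file>" or "<hash>  <file>"; drop the "*".
  expected=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f); if (f == n) { print tolower($1); exit } }
  ' "$sums")
  if [ -z "$expected" ]; then
    echo "verify_image: $name is not listed in $sums" >&2
    return 2
  fi
  actual=$(sha256sum "$image" | awk '{ print tolower($1) }')
  if [ "$actual" != "$expected" ]; then
    echo "verify_image: MISMATCH for $name" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
  fi
  echo "verify_image: OK $name"
  return 0
}

# --- constructed sample data so the function can be exercised offline ---------
# The "image" is just the bytes "abc"; its SHA-256 is the well-known test vector.
DEMO=$(mktemp -d)
printf 'abc' > "$DEMO/lede-demo-sysupgrade.bin"
printf '%s *%s\n' \
  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
  lede-demo-sysupgrade.bin > "$DEMO/sha256sums"

# On a real download you would run, from the directory holding both files:
#   verify_image sha256sums lede-17.01.4-mvebu-linksys-wrt1900acs-squashfs-sysupgrade.bin
verify_image "$DEMO/sha256sums" "$DEMO/lede-demo-sysupgrade.bin"
```

The return codes are distinct on purpose: a script that flashes automatically should treat "not listed" (2) as hard a failure as "mismatch" (1), because an unlisted file is one you have no published hash for at all.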
I also made a copy of the list of installed packages from ''System > Software > Available Packages'' for reference, so I could install them afterwards (installation and configuration of these are described below).

The LEDE documentation has [[https://lede-project.org/docs/guide-quick-start/sysupgrade.luci|clear instructions on system upgrades]].

  - Flash the ''sysupgrade.bin'' image from LuCi by navigating to ''System > Backup/Flash Firmware''.
  - Optionally make a backup from here just in case (although note the above advice that restoring it may not work).
  - Uncheck the ''Keep settings'' check box.
  - Select the image you downloaded.
  - Click the ''Flash Image'' button.

The router should reboot and be accessible at ''http://192.168.1.1'' with the default username ''root'' and [[https://lede-project.org/docs/guide-quick-start/starterfaq|no password]]. You can now set about restoring configuration by SSHing into the router and manually copying settings over from the backup you made of ''/etc/''. The first thing you will want to do is copy over ''/etc/config/network'', which contains your network configuration for your ISP and local networks.

==== mwlwifi driver ====

The download page for the [[https://lede-project.org/toh/views/toh_fwdownload?dataflt%5BModel*%7E%5D=wrt1900acs|WRT1900ACS]] indicates that v2 of the router requires a newer, more up to date ''mwlwifi'' driver (although unhelpfully it just says to see the forum). A bit of digging led me to several threads, [[https://forum.lede-project.org/t/wrt1900acs-v2-how-to-update-mwlwifi-driver/1491/6|WRT1900ACS v2 how to update mwlwifi driver]] and [[https://forum.lede-project.org/t/confusion-with-wrt1900acs-v2-firmware/6733|Confusion with WRT1900ACS v2 firmware]], and ultimately the [[https://forum.lede-project.org/t/pre-compiled-updated-mwlwifi-drivers-for-stable-releases/3262|Pre-compiled mwlwifi drivers for stable releases]] thread.
It suggests these are not essential, but they are the latest drivers from Linksys so it's perhaps worth the effort of using them. Installation is fairly straightforward and you can pass the link to the package directly to ''opkg''...

<code bash>
opkg install https://github.com/eduperez/mwlwifi_LEDE/releases/download/e119077/kmod-mwlwifi_4.4.89.10.3.4.0-20170810-e119077-1_arm_cortex-a9_vfpv3.ipk
</code>

==== Restoring Configuration ====

I copied over settings for the following manually...

  * ''/etc/config/network''
  * ''/etc/config/dhcp''
  * ''/etc/config/wireless''
  * ''/etc/config/dropbear''
  * ''/etc/config/firewall''
  * ''/etc/config/openvpn''

The modifications to ''/etc/config/dropbear'' change the port the SSH daemon is running on; for these to take effect you need to restart dropbear. I was lazy and rebooted the system.

I then installed all the packages I had previously...

<code bash>
opkg install shadow-useradd shadow-userdel sudo shadow-su shadow-common shadow-groupadd shadow-groupdel shadow-groupmod shadow-groups shadow-utils openvpn-openssl openvpn-easy-rsa luci-app-openvpn adblock luci-app-adblock vpnbypass zile rsync transmission
</code>

Only two failed to install on the first try, ''vpnbypass'' and ''transmission''. No big deal: the former I'd not yet got working and the latter I hadn't used.

I added a user account as I had done under OpenWRT, but there is no wheel group...
<code bash>
useradd -m -s /bin/ash [username]
passwd [username]
</code>

==== ToDo ====

  * [[https://lede-project.org/docs/user-guide/getting-rid-of-luci-https-certificate-warnings|https for LuCi]]

==== Links ====

  * [[https://forum.lede-project.org/t/bricked-linksys-wrt1200ac-after-upgrading-openwrt-cc-to-lede/7525/9|Bricked Linksys WRT1200AC after Upgrading OpenWRT CC to LEDE]]
  * [[https://forum.lede-project.org/t/pre-compiled-updated-mwlwifi-drivers-for-stable-releases/3262|Pre-compiled updated mwlwifi drivers for stable releases]]
  * [[https://forum.lede-project.org/t/confusion-with-wrt1900acs-v2-firmware/6733/2|Confusion with WRT1900ACS v2 firmware]]

====== The mundane things... ======

What follows is a straight copy and paste from the [[linux:openwrt|OpenWRT]] pages I wrote; the tasks are the same, and doing them is the same under LEDE...

===== Securing Installation =====

A couple of standard precautions should be taken to make your router more secure. These boil down to adding a 'normal' user to SSH into the device and ensuring they have permission to ''su'' to ''root'', whilst at the same time blocking ''root'' SSH login. At the moment I rarely want to do any configuration of the router from outside of my own network, so I prevent access via SSH and uhttpd (the WebUI) from the wider internet. There is general advice on the OpenWRT Wiki on how to [[https://wiki.openwrt.org/doc/howto/secure.access|secure your router's access]].

==== Adding a user ====

I'm happy adding users at the command line and using ''su'' rather than ''sudo'', which is what is recommended on the Wiki under [[https://wiki.openwrt.org/doc/howto/secure.access|Secure Access]].
<code bash>
opkg update
opkg install shadow-useradd shadow-userdel sudo shadow-su shadow-common shadow-groupadd shadow-groupdel shadow-groupmod shadow-groups shadow-utils
mkdir /home
useradd -m -G wheel -s /bin/ash [newuser]
passwd [newuser]
</code>

==== Securing SSH ====

SSH is provided by ''dropbear'' under OpenWRT and its configuration is stored in ''/etc/config/dropbear''. The full options are listed [[https://wiki.openwrt.org/doc/uci/dropbear|here]], but the following will prevent ''root'' from logging in over SSH with a password and change the port.

<code>
config dropbear
	option PasswordAuth 'on'
	option Port '2081'
	option RootPasswordAuth 'off'
</code>

...however, the nice thing about this is that you can specify configurations based on the interface.

**TODO** Interface based settings.

=== Simplifying Connection ===

On your main computer you can take advantage of ''~/.ssh/config'' to save the port and user you SSH to OpenWRT with.

=== SSH Keys ===

If you already use SSH keys to automate your login between servers you can copy your key over to OpenWRT and benefit from this functionality there too. The LuCi interface has a section for uploading your key under ''System > Administration > SSH Access'', but since I opted to add a user and disable ''root'' SSH password access I had to copy the key to my user's ''/home/[user]/.ssh/authorized_keys''. SSH to OpenWRT as the user and create the directory...

<code bash>
mkdir ~/.ssh
</code>

Exit back to your host and then copy your public key over...

<code bash>
scp ~/.ssh/id_rsa.pub openwrt:~/.ssh/authorized_keys
</code>

===== WiFi Configuration =====

By default WiFi is disabled on OpenWRT; you have to log in and enable the network. The default username is ''root'' and the password should already have been changed as advised above. Navigate to ''Network > Wifi'' and you will be presented with the available WiFi interfaces. They are currently both disabled, but you can ''Edit'' them before enabling. You might want to change the following...

  * **ESSID** : the name for your network.
  * **Channel** : the frequency your devices operate on.
  * **Width** : the width of the signal around the frequency.
  * **Wireless Security** : It is **strongly** recommended that you set a ''WPA2-PSK'' password to restrict access to authorised devices. Do not use ''WEP'' or ''WPA-PSK'' as they are less secure, and everything should support ''WPA2-PSK''.
  * **MAC Filter** : another layer of security; you can choose to allow only your devices to connect to the wireless network (it's not infallible though).

If you give your 2.4GHz and 5GHz networks the same names and passwords then devices will choose between them (fastest/strongest?) automatically (**TODO** - Check : laptops, Android).

==== Secondary WiFi ====

A second WiFi network is useful if you wish guests to connect to a separate network, or if you have some wireless devices you'd rather not have pass through the VPN you're going to set up. Navigate to ''Network > Wifi'' and you will be presented with the WiFi interfaces just configured above. You want to add a new network on either of the available devices. Simply ''Add'' a new one and configure it, giving it a different ''ESSID'' so your devices can distinguish between them.

===== USB Drive =====

A short overview of how to install USB drives is [[https://openwrt.org/docs/guide-user/storage/usb-drives-quickstart|here]] and [[https://medium.com/openwrt-iot/lede-openwrt-setting-up-usb-storage-support-adec9c0d484e|here]]. I found some differences though, as ''kmod-usb3'' was not available and the second article advised installing ''usbutils'' too.

<code bash>
opkg update && opkg install block-mount e2fsprogs kmod-fs-ext4 kmod-usb3 kmod-usb2 kmod-usb-storage usbutils
</code>

I'd already formatted my disk on another computer and after making the above installs and connecting it I had ''/dev/sda1'' listed. A quick edit of ''/etc/fstab'' and creating the correct mount points...
<code bash>
mkdir /mnt/usb
echo '/dev/sda1 /mnt/usb auto auto,rw 0 0' >> /etc/fstab
</code>

===== Add-Ons =====

OpenWRT has its own package management system, ''[[https://wiki.openwrt.org/doc/techref/opkg|opkg]]'', and there is a page in LuCi for installing packages. If you are connected to the internet then you can use LuCi to install packages, or at the command line you can use ''[[https://wiki.openwrt.org/doc/techref/opkg|opkg]]'' to install packages by...

<code bash>
opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn
</code>

...and it will resolve all package dependencies and install them for you.

If for some reason you are, like me, doing some configuration before connecting your router to the internet, you can still install packages manually by downloading them from the appropriate repository (look in ''/etc/opkg/distfeeds.conf'' for the URLs of the package repositories for the install you have).

<code>
# cat /etc/opkg/distfeeds.conf
src/gz chaos_calmer_base http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/luci
src/gz chaos_calmer_packages http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/telephony
src/gz chaos_calmer_management http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/management
</code>

Download packages from the URLs then copy them to your OpenWRT installation using ''scp''. You will have to resolve dependencies yourself, so if you are told something is not available simply download it too.
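Resolving dependencies by hand, as the paragraph above says you must, means reading the feed's ''Packages'' index (each directory that a ''src/gz'' line points to holds a ''Packages'' file with one stanza per package). The script below is an added example, not from the original page or from opkg itself: it walks the ''Depends:'' lines of that index recursively, skips anything already present in a saved ''opkg list-installed'' listing, and prints the ''.ipk'' file names you still need to download and ''scp'' over. The index and installed list embedded at the bottom are constructed, with made-up versions and architecture, so it runs offline; on a real system you would download the feed's ''Packages'' file and save the output of ''opkg list-installed'' instead.

```shell
#!/bin/sh
# Added example (not from the original page): offline dependency resolution
# against an opkg "Packages" index, for the manual download route described above.
# Assumptions: INDEX is a feed's Packages file (blank-line separated stanzas with
# "Package:", "Depends:" and "Filename:" fields); INSTALLED_FILE is the saved
# output of `opkg list-installed` ("name - version" per line).

# pkg_field INDEX PKG FIELD -> value of FIELD in PKG's stanza (empty if absent)
pkg_field() {
  awk -v pkg="$2" -v field="$3" '
    /^Package: / { cur = $2 }
    cur == pkg && $1 == field ":" { sub(/^[^:]*: */, ""); print; exit }
  ' "$1"
}

# Recursive walk over Depends:. Globals: INDEX, SEEN, INSTALLED, NEEDED, MISSING.
_walk() {
  case " $SEEN " in *" $1 "*) return 0 ;; esac        # already visited
  SEEN="$SEEN $1"
  case " $INSTALLED " in *" $1 "*) return 0 ;; esac   # already on the router
  if [ -z "$(pkg_field "$INDEX" "$1" Package)" ]; then
    echo "not in index: $1 (try another feed from distfeeds.conf)" >&2
    MISSING="$MISSING $1"
    return 0
  fi
  NEEDED="$NEEDED $1"
  # "libc, kmod-tun (>= 1.0), liblzo" -> drop version constraints and commas.
  # The word list is expanded before the loop runs, so recursion is safe.
  for dep in $(pkg_field "$INDEX" "$1" Depends | sed 's/([^)]*)//g; s/,/ /g'); do
    _walk "$dep"
  done
}

# needed_packages INDEX PKG [INSTALLED_FILE]
#   prints PKG plus every transitive dependency that still has to be fetched,
#   one per line, sorted; returns 1 if any package was not found in the index.
needed_packages() {
  INDEX=$1; SEEN=""; NEEDED=""; MISSING=""; INSTALLED=""
  if [ -n "$3" ]; then
    INSTALLED=$(awk '{ print $1 }' "$3" | tr '\n' ' ')
  fi
  _walk "$2"
  if [ -n "$NEEDED" ]; then
    printf '%s\n' $NEEDED | sort
  fi
  [ -z "$MISSING" ]
}

# needed_ipks INDEX PKG [INSTALLED_FILE] -> the .ipk file names to download
needed_ipks() {
  for p in $(needed_packages "$@"); do
    pkg_field "$1" "$p" Filename
  done
}

# --- constructed sample index and installed list (versions/arch are made up) ---
DEMO=$(mktemp -d)
cat > "$DEMO/Packages" <<'EOF'
Package: openvpn-openssl
Version: 1.0-1
Depends: libc, kmod-tun (>= 1.0), libopenssl, liblzo
Filename: openvpn-openssl_1.0-1_demo.ipk

Package: kmod-tun
Version: 1.0-1
Depends: kernel
Filename: kmod-tun_1.0-1_demo.ipk

Package: libopenssl
Version: 1.0-1
Depends: libc
Filename: libopenssl_1.0-1_demo.ipk

Package: liblzo
Version: 1.0-1
Depends: libc
Filename: liblzo_1.0-1_demo.ipk

Package: libc
Version: 1.0-1
Filename: libc_1.0-1_demo.ipk

Package: kernel
Version: 1.0-1
Filename: kernel_1.0-1_demo.ipk
EOF
printf 'libc - 1.0-1\nkernel - 1.0-1\n' > "$DEMO/installed"

# On a real system: download <feed URL>/Packages, save `opkg list-installed`
# to a file, then:  needed_ipks Packages openvpn-openssl installed
needed_ipks "$DEMO/Packages" openvpn-openssl "$DEMO/installed"
```

A package that appears in a ''Depends:'' line but in none of the feeds you downloaded is reported on stderr and makes ''needed_packages'' return non-zero, which is the case where you need to fetch the ''Packages'' index of another feed from ''distfeeds.conf''.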
==== Adblocker ====

An [[https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md|Adblock package]] (along with a LuCi addon) is available ([[https://github.com/openwrt/packages/tree/master/net/adblock/files|Github project]], [[https://forum.openwrt.org/viewtopic.php?id=59803&p=14|forum thread]] and some more information on configuration in [[https://forum.openwrt.org/viewtopic.php?pid=346943#p346943|this thread]]).

=== Private VPN hosted on VPS ===

==== uPnP ====

**TODO** Something separate?

==== Other ====

There are lots of other useful packages to install, but be mindful that these devices have limited space (albeit vastly increased from the WRT54G I used to use!). Some that I recommend (although I haven't installed everything myself, as I already use them on other systems) are...

=== Essential ===

  * [[https://www.nano-editor.org/|nano]] : A basic but feature-rich text editor.
  * [[https://www.gnu.org/software/zile/|zile]] : An Emacs (text editor) clone.
  * [[http://rsync.samba.org/|rsync]] : File transfer program to keep remote files in sync.

<code bash>
opkg install nano zile rsync
</code>

=== Optional ===

  * [[https://transmissionbt.com/|transmission]] : As the WRT1900ACS has USB ports you can hook up drives and run this excellent BitTorrent client on your router.
  * [[https://wiki.openwrt.org/doc/howto/usb.audio|USB Audio]] : Not an individual package but a method of streaming music from an attached USB device.

<code bash>
opkg install transmission
</code>

==== OpenVPN Client Configuration ====

**IMPORTANT** - Configuration will be //highly// dependent on the service provided by your VPN provider. Some examples are given and they should be useful to help guide you in your own configuration, but you will have to consult your provider for details of their configuration and settings.
  * [[https://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tun|OpenVPN client with TUN (Layer 3) device]] : how to configure OpenVPN under OpenWRT so that all devices on your home network pass through the VPN.
  * [[https://wiki.openwrt.org/doc/howto/vpn.openvpn|OpenVPN Setup Guide for Beginners]] : main documentation for OpenVPN under OpenWRT.

This is where things get technical and can vary //massively// depending on who provides your VPN. I wanted more control over certain aspects of my VPN connection though, so opted to pay for a VPS (Virtual Private Server) on which I could install OpenVPN and set up my own VPN server. You should have installed the OpenVPN client software in the above sections; you now need to configure it. The information presented below is taken from two articles on the OpenWRT Wiki, [[https://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tun|OpenVPN client with TUN (Layer 3) device]] and [[https://wiki.openwrt.org/doc/howto/vpn.openvpn|OpenVPN Setup Guide for Beginners]].

=== Bypassing VPN ===

Sometimes it's desirable to bypass the VPN; for example Netflix or BBC iPlayer are geo-restricted and if the exit node of the VPN is outside the UK they won't work. The 'trick' is to configure/route traffic from specific devices such as Chromecasts to bypass the VPN. There is a useful package [[https://github.com/openwrt/packages/tree/master/net/vpnbypass/files|vpnbypass]] (see also [[https://forum.openwrt.org/viewtopic.php?id=69489|this thread]]) that simplifies this process. If you're running the development version you can follow the instructions to install it. If however you're running the stable Chaos Calmer (15.05.1) then you have to install it manually. Pre-built packages are [[https://github.com/stangri/Files|here]]; you have to switch from ''dnsmasq'' to ''dnsmasq-full'' and from ''ip'' to ''ip-full'', and install ''ipset'' and ''iptables''.
<code bash>
opkg remove dnsmasq ip; opkg install ip-full ipset iptables dnsmasq-full
cd /tmp
wget https://github.com/stangri/Files/raw/master/vpnbypass_1.0.0-5_all.ipk
wget https://github.com/stangri/Files/raw/master/luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
opkg install vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
rm vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
</code>

The default configuration routes Plex Media past the VPN as well as the IP addresses ''192.168.1.80-192.168.1.88'', so it will likely need some tweaking, but this can be done through the LuCi interface as 'VPN Bypass' will now be listed under Services.

=== DNS ===

<code bash>
# the section type for an interface in /etc/config/network is 'interface'
uci set network.tun0=interface
uci set network.tun0.ifname=tun0
uci set network.tun0.dns='87.98.175.85 193.183.98.154 5.135.183.146'
uci commit
</code>

==== Self-hosted (VPS) VPN ====

There are tons of options for hosting a VPS and I can not really recommend any; my choice of [[https://www.ovh.co.uk/vps/vps-ssd.xml|OVH's VPS SSD1]] was based on a cheap price which included unlimited data (essential as a large portion of my browsing will be passing through the server). This section only details configuring OpenWRT to connect to and use the services; you will have to set these up on the VPS yourself. That process is described [[linux:security:ovh|elsewhere]] and involves setting up an account, purchasing the service you want and then installing and configuring [[|OpenVPN]] and [[|dnssec]]. A simple install script for a secure [[https://github.com/Angristan/OpenVPN-install|OpenVPN Installation]] can be used to ease the process.

**ToDo** Complete this section

==== Excluding Specific Services ====

Increasingly these days more and more content is streamed, whether that's [[https://www.bbc.co.uk/iplayer/|iPlayer]], [[https://www.netflix.com/|Netflix]], [[http://www.channel4.com/|4OD]], [[https://www.itv.com/hub/itv|ITVHub]] or any other service.
Many of these are geo-restricted, which means if your VPN exit node is based in a country other than the one you are in you may find that some services do not work (conversely many people have been using VPNs for years to circumvent this and access content from countries that would normally be blocked, by using a VPN with an exit node in the country of interest). Whilst [[https://community.openvpn.net/openvpn/wiki/HOWTO|OpenVPN can probably be configured to bypass specific traffic on the server-side]], I have for now opted to simply have a second wireless network to allow certain devices (Chromecasts, PS3, TV) to connect via the ISP and //not// use the VPN, which some providers block access from. I'll look to work around this at some point but this is my solution for now.

===== DNS over TLS =====

Securing your [[wp>dns|DNS]] means that your ISP (or VPS provider if you are using a self-hosted VPN) can not snoop on your DNS requests. There are two approaches, [[https://github.com/jedisct1/dnscrypt-proxy|DNSCrypt2]] (which grew from the ashes of the original [[https://www.reddit.com/r/linux/comments/7owb1s/psa_dnscrypt_is_now_abandoned/|DNScrypt]]) or the method described here of [[wp>DNS_over_TLS|DNS over TLS]]. What is described below is mostly based on [[https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/|this blog post]] and [[https://blog.cloudflare.com/dns-over-tls-for-openwrt/|this one from someone at Cloudflare]].

''ssh'' to your router and ''su'' to root. Install [[|unbound]], ''unbound-control'' and the LuCi interface...

<code bash>
opkg update
opkg install unbound unbound-control luci-app-unbound
</code>

Add the following to ''/etc/unbound/unbound_ext.conf''...

<code>
forward-zone:
	name: "."
	forward-addr: 1.1.1.1@853                # cloudflare IPv4 primary
	forward-addr: 1.0.0.1@853                # cloudflare IPv4 secondary
	forward-addr: 2606:4700:4700::1111@853   # cloudflare IPv6 primary
	forward-addr: 2606:4700:4700::1001@853   # cloudflare IPv6 secondary
	forward-addr: 9.9.9.9@853                # quad9.net primary
	forward-addr: 149.112.112.112@853        # quad9.net secondary
	forward-ssl-upstream: yes
</code>

...and some security options for the unbound server to ''/etc/unbound/unbound_srv.conf''...

<code>
do-tcp: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
</code>

Back up ''/etc/config/dhcp'' and ''/etc/config/unbound''...

<code bash>
mkdir /tmp/bak
cp /etc/config/dhcp /tmp/bak/dhcp
cp /etc/config/unbound /tmp/bak/unbound
</code>

One guide [[https://blog.cloudflare.com/dns-over-tls-for-openwrt/|removes dnsmasq]] from LEDE, the other [[https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/|leaves it in situ but changes the port]] it listens on. I opted for the latter...

<code bash>
uci set 'dhcp.@dnsmasq[0].port=53535'
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'
uci commit
</code>

Finally enable ''unbound'' and start it...

<code bash>
service unbound enable
service unbound start
</code>

====== Factory Reset ======

If you cock things up and flash the wrong image all is not lost, as you can factory reset these devices by pressing and holding the reset button.

====== Links ======

  * [[http://www.linksys.com/gb/p/P-WRT1900ACS/|Linksys WRT1900ACS (Product)]]
  * [[http://www.linksys.com/us/support-product?pid=01t34000003qSgQAAU|Linksys WRT1900ACS (Support)]]
  * [[http://www.linksys.com/us/support-article?articleNum=178015|Linksys WRT1900ACS : FAQ]]
  * [[https://wiki.openwrt.org/toh/linksys/wrt1x00ac_series|OpenWRT : WRT1x00AC Series]]
  * [[https://dc502wrt.org/|Davidc502 OpenWrt Snapshots]]
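Because this page restores ''/etc/config/dropbear'' by hand, sets up key-based login for a non-root user and hands DNS to unbound over TLS, it is worth having a repeatable check that those settings are actually in place after an upgrade or a config restore. The script below is an added example, not code from the original page: ''check_dropbear'' confirms ''RootPasswordAuth'' is ''off'' in the ''config dropbear'' section, ''check_unbound'' confirms that every ''forward-addr'' in ''unbound_ext.conf'' names port 853 and that ''forward-ssl-upstream'' is ''yes'' (an upstream without ''@853'' is not being reached on the TLS port the section above intends), and ''check_authorized_keys'' confirms ''~/.ssh'' and ''authorized_keys'' exist and are not group- or world-writable, which dropbear rejects without much in the way of an error. The sample files it runs against are constructed; on the router pass it the real paths (''/etc/config/dropbear'', ''/etc/unbound/unbound_ext.conf'' and the user's home directory). It assumes ''awk'' and a ''stat'' that accepts ''-c %a'' (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the original page): post-upgrade sanity check for the
# hardening settings configured on this page. Each check takes a path so it can
# run against the constructed samples below or the real files on the router:
#   check_dropbear        /etc/config/dropbear
#   check_unbound         /etc/unbound/unbound_ext.conf
#   check_authorized_keys /home/<user>

# uci_option FILE OPTION -> value of OPTION in the "config dropbear" section, unquoted
uci_option() {
  awk -v opt="$2" -v q="'" '
    /^config / { insec = ($2 == "dropbear") }
    insec && $1 == "option" && $2 == opt { v = $3; gsub("[\"" q "]", "", v); print v; exit }
  ' "$1"
}

# 0 if root cannot log in over SSH with a password
check_dropbear() {
  v=$(uci_option "$1" RootPasswordAuth)
  if [ "$v" = "off" ]; then
    echo "dropbear: RootPasswordAuth off"
    return 0
  fi
  echo "dropbear: RootPasswordAuth is '${v:-unset}', expected 'off'" >&2
  return 1
}

# 0 if every forward-addr uses port 853 and forward-ssl-upstream is yes
check_unbound() {
  awk '
    $1 == "forward-addr:" && $2 !~ /@853$/ {
      print "unbound: " $2 " is not a port-853 upstream" > "/dev/stderr"; bad = 1 }
    $1 == "forward-ssl-upstream:" && $2 == "yes" { tls = 1 }
    END {
      if (!tls) { print "unbound: forward-ssl-upstream is not yes" > "/dev/stderr"; bad = 1 }
      if (!bad) print "unbound: all upstreams on 853 with TLS"
      exit bad
    }
  ' "$1"
}

# 0 if HOME/.ssh/authorized_keys exists and neither it, HOME/.ssh nor HOME is
# group- or world-writable (dropbear refuses to use the key file otherwise)
check_authorized_keys() {
  home=$1
  keys=$home/.ssh/authorized_keys
  if [ ! -f "$keys" ]; then
    echo "ssh: $keys missing" >&2
    return 1
  fi
  rc=0
  for p in "$home" "$home/.ssh" "$keys"; do
    mode=$(stat -c %a "$p")               # octal mode, e.g. 700 or 644
    if [ $(( 0$mode & 022 )) -ne 0 ]; then # any group/world write bit set?
      echo "ssh: $p is mode $mode (group/world writable)" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "ssh: $keys and its directories have safe permissions"
  return "$rc"
}

# post_upgrade_check DROPBEAR_CFG UNBOUND_EXT HOME_DIR -> number of failed checks
post_upgrade_check() {
  fails=0
  check_dropbear "$1"        || fails=$((fails + 1))
  check_unbound "$2"         || fails=$((fails + 1))
  check_authorized_keys "$3" || fails=$((fails + 1))
  return "$fails"
}

# --- constructed sample files (the public key is a placeholder string) ---------
DEMO=$(mktemp -d)
cat > "$DEMO/dropbear" <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option Port '2081'
	option RootPasswordAuth 'off'
EOF
cat > "$DEMO/unbound_ext.conf" <<'EOF'
forward-zone:
	name: "."
	forward-addr: 1.1.1.1@853        # cloudflare IPv4 primary
	forward-addr: 9.9.9.9@853        # quad9.net primary
	forward-ssl-upstream: yes
EOF
# A deliberately broken variant: the port was forgotten on one upstream.
sed 's/9.9.9.9@853/9.9.9.9/' "$DEMO/unbound_ext.conf" > "$DEMO/unbound_bad.conf"
mkdir -p "$DEMO/home/.ssh"
chmod 755 "$DEMO/home"; chmod 700 "$DEMO/home/.ssh"
echo "ssh-ed25519 CONSTRUCTED-PLACEHOLDER-KEY user@host" > "$DEMO/home/.ssh/authorized_keys"
chmod 600 "$DEMO/home/.ssh/authorized_keys"

# On the router: post_upgrade_check /etc/config/dropbear /etc/unbound/unbound_ext.conf /home/<user>
post_upgrade_check "$DEMO/dropbear" "$DEMO/unbound_ext.conf" "$DEMO/home"
```

The exit status of ''post_upgrade_check'' is the number of failed checks, so it can sit at the end of a restore script (or in a cron job) and fail loudly the first time a config restore quietly puts ''RootPasswordAuth'' back to its default.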