LEDE is a fork of OpenWRT that arose because some people were frustrated at the pace of development and the lack of willingness to integrate with others in OpenWRT. It uses much newer kernel sources and software. Ostensibly the differences between the distributions have been resolved and there is a path to remerging LEDE with OpenWRT, using LEDE as the code base but retaining the name/branding of OpenWRT (lots of minor technical things aside). This is a very drawn out process, but I was happy to wait until the KRACK Attack vulnerability was announced, at which point I decided to take the plunge and switch to LEDE. Below I document the process of upgrading my Linksys WRT1900ACS from OpenWRT 15.05.1 to LEDE 17.01.4. It is somewhat abridged in comparison to the documentation I wrote when initially flashing the fresh out of the box router with OpenWRT but should be straightforward and comprehensive enough to follow.

Flashing LEDE 17.01.4

Under LEDE there is only one release regardless of which hardware version of the router you have. Download the appropriate image from here, depending on whether you are flashing from the Linksys firmware (which has a unique file structure and so needs the factory image) or are upgrading from OpenWRT/LEDE (the sysupgrade image).

If upgrading from OpenWRT (my situation) grab lede-17.01.4-mvebu-linksys-wrt1900acs-squashfs-sysupgrade.bin and verify its checksum against the sha256sums file published alongside it before flashing. It is wise to back up your existing configuration, but there are reports that restoring the backup using the LuCI interface resulted in problems, so instead SSH into your router and as root make a backup of the /etc/ directory…

tar cvf /tmp/backup_openwrt-15.05.1_20171020.tar /etc && gzip /tmp/backup_openwrt-15.05.1_20171020.tar

Copy this off the router and store it somewhere safe; you will need it later. I also made a copy of the list of installed packages from System > Software > Available Packages for reference so I could reinstall things afterwards (installation and configuration of these are described below).

The LEDE documentation has clear instructions on system upgrades.

  • Flash the sysupgrade.bin image from LuCI by navigating to System > Backup/Flash Firmware.
  • Optionally make a backup from here just in case (although note the above advice that restoring it may not work).
  • Uncheck the Keep settings check box.
  • Select the image you downloaded.
  • Click the Flash Image button.

The router should reboot and be accessible at http://192.168.1.1 with the default username root and no password. Set a root password (passwd over SSH, or System > Administration in LuCI) before doing anything else, since until you do anyone on the LAN can log in as root. You can now set about restoring configuration by SSHing into the router and manually copying settings over from the backup you made of /etc/. The first thing you will want to copy is /etc/config/network, which contains your network configuration for your ISP and local networks; diff it against the freshly generated default before overwriting, as option names occasionally change between releases.

mwlwifi driver

The download page for the WRT1900ACS indicates that v2 of the router requires a newer mwlwifi driver (although unhelpfully it just says to see the forum). A bit of digging led me to several threads, WRT1900ACS v2 how to update mwlwifi driver and Confusion with WRT1900ACS v2 firmware, and ultimately the Pre-compiled mwlwifi drivers for stable releases thread. It suggests these are not essential, but they are the latest drivers from Linksys so it's perhaps worth the effort of using them. Installation is fairly straightforward and you can pass the link to the package directly to opkg. Bear in mind that a package fetched from a bare URL like this is not covered by the signature check opkg applies to its configured feeds, so make sure the kmod version matches your running kernel (4.4.89 here) and compare the file against a hash you trust before installing it.

opkg install https://github.com/eduperez/mwlwifi_LEDE/releases/download/e119077/kmod-mwlwifi_4.4.89.10.3.4.0-20170810-e119077-1_arm_cortex-a9_vfpv3.ipk
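Both the checksum step for the sysupgrade image above and the direct-URL install of the kmod just shown come down to the same check: compare what you downloaded with a SHA-256 you trust. As an added example (not code from this page, nor from the LEDE or mwlwifi projects), the following POSIX shell helper does that offline either against a hash you already have or by looking the file up in a sha256sums list of the kind LEDE publishes next to its images. The file names and the hash source in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: verify a downloaded firmware
# image or .ipk against a published SHA-256 before flashing/installing it.
# File names and hash sources in the usage comments are assumptions.

# Print the SHA-256 hex digest of a file (coreutils, with a shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> status 0 only if FILE exists and its
# digest equals EXPECTED_HEX (compared case-insensitively).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    [ "$(sha256_of "$file")" = "$expected" ]
}

# verify_from_sums FILE SUMSFILE -> look up FILE's basename in a sha256sums
# list ("<hex> *<name>" or "<hex>  <name>", the format LEDE publishes next
# to its images) and verify against that entry. A missing entry is a
# failure, never a silent pass.
verify_from_sums() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || return 1
    verify_sha256 "$file" "$expected"
}

# Intended use on the router (assumed; the expected hash must come from a
# source you trust, such as the release page viewed over HTTPS):
#   cd /tmp
#   wget https://github.com/eduperez/mwlwifi_LEDE/releases/download/e119077/kmod-mwlwifi_4.4.89.10.3.4.0-20170810-e119077-1_arm_cortex-a9_vfpv3.ipk
#   verify_sha256 kmod-mwlwifi_4.4.89.10.3.4.0-20170810-e119077-1_arm_cortex-a9_vfpv3.ipk <hex from release page> \
#     && opkg install ./kmod-mwlwifi_4.4.89.10.3.4.0-20170810-e119077-1_arm_cortex-a9_vfpv3.ipk
#   verify_from_sums lede-17.01.4-mvebu-linksys-wrt1900acs-squashfs-sysupgrade.bin sha256sums
```

Download to /tmp first, verify, and only then hand the local file to opkg; installing straight from the URL gives you no point at which to check anything.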

Restoring Configuration

I copied over settings for the following manually…

  • /etc/config/network
  • /etc/config/dhcp
  • /etc/config/wireless
  • /etc/config/dropbear
  • /etc/config/firewall
  • /etc/config/openvpn

The modifications to /etc/config/dropbear change the port the SSH daemon is running on; for these to take effect you need to restart dropbear (I was lazy and rebooted the system).

I then installed all packages I had previously….

opkg install shadow-useradd shadow-userdel sudo shadow-su shadow-common shadow-groupadd shadow-groupdel shadow-groupmod shadow-groups shadow-utils openvpn-openssl openvpn-easy-rsa luci-app-openvpn adblock luci-app-adblock vpnbypass zile rsync transmission

Only two failed to install on first try, vpnbypass and transmission; no big deal, the former I'd not yet got working and the latter I hadn't used.

I added a user account as I had done under OpenWRT, but there is no wheel group…

useradd -m -s /bin/ash [username]
passwd [username]

ToDo

The mundane things...

What follows is a straight copy and paste from the OpenWRT pages I wrote, the tasks are the same, doing them is the same under LEDE…

Securing Installation

A couple of standard precautions should be taken to make your router more secure. These boil down to adding a 'normal' user to SSH into the device and ensuring they have permission to su to root, whilst at the same time blocking root SSH login. At the moment I rarely want to do any configuration to the router from outside of my own network, so I prevent access via SSH and uhttpd (the WebUI) from the wider internet. General advice on how to secure access to your router is on the OpenWRT Wiki.

Adding a user

I'm happy adding users at the command line and using su rather than sudo, which is recommended on the Wiki under Secure Access.

opkg update
opkg install shadow-useradd shadow-userdel sudo shadow-su shadow-common shadow-groupadd shadow-groupdel shadow-groupmod shadow-groups shadow-utils
mkdir /home
useradd -m -G wheel -s /bin/ash [newuser]
passwd [newuser]

Securing SSH

SSH is provided by dropbear under OpenWRT and its configuration is stored in /etc/config/dropbear. Full options are listed here, but the following will stop root logging in with a password and move the daemon off port 22. Be clear about what it does and does not do: RootPasswordAuth 'off' still allows root to log in with an SSH key from /etc/dropbear/authorized_keys, and changing the port only cuts down scanner noise; the real protection is the firewall not accepting SSH from the wan zone.

config dropbear
        option PasswordAuth 'on'
        option Port '2081'
        option RootPasswordAuth 'off'

…however, the nice thing about dropbear's UCI config is that you can run several instances with different settings, each bound to a different interface (option Interface), for example password logins on lan only and key-only logins anywhere else.

TODO Interface based settings.
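As an added example (not the page's own code), here is a small POSIX shell/awk audit of the /etc/config/dropbear format shown above. It checks the three things that matter on this page: root password login, password authentication exposed on every interface, and the default port. It is run on two constructed configurations: the first is dropbear's permissive defaults, the second is the interface-bound layout the TODO above refers to, with password logins accepted only from lan and a key-only instance on wan. The port, interface names and file contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit /etc/config/dropbear for
# settings that widen SSH exposure. Both sample configs below are constructed.

# Constructed: dropbear defaults, password logins for everyone on every interface.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port '22'
EOF

# Constructed: two instances, password logins only from lan, key-only on wan.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'off'
        option Port '2081'
        option Interface 'lan'

config dropbear
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Port '2081'
        option Interface 'wan'
EOF

# audit_dropbear FILE: print one finding per line, status 1 if any, 0 if clean.
# Sections with option enable '0' are skipped. Values 1/0 are treated as on/off,
# and a missing PasswordAuth/RootPasswordAuth means dropbear's default, which is on.
audit_dropbear() {
    findings=$(awk -v q="'" '
        function norm(v) { gsub("^[" q "\"]", "", v); gsub("[" q "\"]$", "", v)
                           if (v == "1") return "on"; if (v == "0") return "off"; return v }
        function flush() {
            if (!insec || enable == "off") return
            if (rootpw != "off")
                print sec ": RootPasswordAuth is not off, root can log in with a password"
            if (pwauth != "off" && iface == "")
                print sec ": password logins accepted on every interface, add option Interface lan"
            if (port == "" || port == "22")
                print sec ": still on default port 22"
        }
        /^config[ \t]+dropbear/ { flush(); insec = 1; sec = "dropbear[" nsec "]"; nsec++
                                  port = pwauth = rootpw = iface = enable = ""; next }
        /^config/               { flush(); insec = 0; next }
        insec && $1 == "option" {
            v = norm($3)
            if ($2 == "Port") port = v
            else if ($2 == "PasswordAuth") pwauth = v
            else if ($2 == "RootPasswordAuth") rootpw = v
            else if ($2 == "Interface") iface = v
            else if ($2 == "enable") enable = v
        }
        END { flush() }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_dropbear /etc/config/dropbear` on the router; the weak sample produces three findings, the interface-bound one none. The check on Interface is the important one: without it, the moment a firewall rule for SSH on wan is added (deliberately or by a mistaken zone assignment), password guessing from the internet becomes possible.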

Simplifying Connection

On your main computer you can take advantage of ~/.ssh/config to save the port and user you SSH to OpenWRT with: a Host entry (openwrt, say) with HostName, Port, User and IdentityFile, so that ssh openwrt and scp … openwrt:… pick up the right settings automatically.

SSH Keys

If you already use pre-shared SSH keys to automate your login between servers you can copy your key over to OpenWRT and benefit from this functionality there too. The LuCI interface has a section for uploading your key under System > Administration > SSH Access, but since I opted to add a user and disable root SSH password access I had to copy the key to my user's /home/[user]/.ssh/authorized_keys.

SSH to OpenWRT as user and create the directory and file…

mkdir -p ~/.ssh && chmod 700 ~/.ssh

Exit back to your host and then copy your public key over, tightening the permissions afterwards (dropbear ignores an authorized_keys file, or a .ssh directory, that is group- or world-writable)…

scp ~/.ssh/id_rsa.pub openwrt:~/.ssh/authorized_keys
ssh openwrt chmod 600 ~/.ssh/authorized_keys

WiFi Configuration

By default WiFi is disabled on OpenWRT; you have to log in and enable the network. The default username is root and the password should already have been changed as advised above. Navigate to Network > Wifi and you will be presented with the available WiFi interfaces. They are currently both disabled, but you can Edit them before enabling. You might want to change the following…

  • ESSID : the name for your network.
  • Channel : the frequency your device operates on.
  • Width : the width of the signal around the frequency.
  • Wireless Security : It is strongly recommended that you set a WPA2-PSK passphrase (CCMP/AES cipher) to restrict access to authorised devices. Do not use WEP or the original WPA-PSK (TKIP), both are broken; everything you own should support WPA2-PSK, and the KRACK fixes that prompted this upgrade are in 17.01.4's wpad/hostapd.
  • MAC Filter : another layer you can choose to allow only your devices to connect to the wireless network (it is not real security, though: MAC addresses are sent in the clear and are trivially spoofed).

If you give your 2.4GHz and 5GHz networks the same names and passwords then devices will pick whichever network they prefer (fastest/strongest?) automatically (TODO - Check : laptops, Android).

Secondary WiFi

A second WiFi network is useful if you wish guests to connect to a separate network or if you've some wireless devices you'd rather not have pass through the VPN you're going to set up. Navigate to Network > Wifi and you will be presented with the WiFi interfaces just configured above. You want to add a new network on either of the available devices. Simply Add a new one and configure it, giving it a different ESSID so your devices can distinguish between them. Bear in mind that a second ESSID attached to the same lan interface only separates the radio side; anything on it can still reach everything on your LAN, so for a genuine guest network attach it to its own interface and firewall zone (and enable client isolation on the SSID).

USB Drive

A short overview of how to install USB drives is here and here; I found some differences though, as kmod-usb3 was not available and the second article advised installing usbutils too.

opkg update && opkg install  block-mount e2fsprogs kmod-fs-ext4 kmod-usb3 kmod-usb2 kmod-usb-storage usbutils

I'd already formatted my disk on another computer and after making the above installs and connecting it I had /dev/sda1 listed. Note that on OpenWRT/LEDE mounts are configured in the UCI file /etc/config/fstab (block-mount generates /etc/fstab from it at boot, so appending to /etc/fstab does not survive a reboot). Create the mount point, let block detect write a template entry for the drive, then enable it with options that stop removable media supplying setuid binaries or device nodes…

mkdir /mnt/usb
block detect > /etc/config/fstab
uci set fstab.@mount[0].target='/mnt/usb'; uci set fstab.@mount[0].options='rw,nosuid,nodev'; uci set fstab.@mount[0].enabled='1'; uci commit fstab
block mount

Add-Ons

OpenWRT has its own package management system, opkg, and there is a page in LuCI for installing packages. If you are connected to the internet then you can use LuCI to install packages, or at the command line you can use opkg to install packages by…

opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn

…it will resolve all package dependencies and install them for you. If, like me, you are for some reason doing some configuration before connecting your router to the internet, you can still install packages manually by downloading them from the appropriate repository (look in /etc/opkg/distfeeds.conf for the URLs of the package repositories for your install).

# cat /etc/opkg/distfeeds.conf 
src/gz chaos_calmer_base http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/base
src/gz chaos_calmer_luci http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/luci
src/gz chaos_calmer_packages http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/packages
src/gz chaos_calmer_routing http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/routing
src/gz chaos_calmer_telephony http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/telephony
src/gz chaos_calmer_management http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/management

Download packages from the URLs then copy them to your OpenWRT installation using scp. You will have to resolve dependencies yourself, so if you are told something is not available simply download it too. Installing a file by hand also skips the signed package-list check opkg performs for its feeds, so compare each download's SHA-256 with the SHA256sum field for that package in the feed's Packages index before installing it.

Adblocker

An Adblock package (along with a LuCI addon) is available (Github project, forum thread and some more information on configuration in this thread).

Private VPN hosted on VPS

uPnP

TODO Something separate? (Bear in mind that UPnP, via miniupnpd, lets any device on the LAN open inbound ports on the firewall without authentication; leave it off unless something actually needs it.)

Other

There are lots of other useful packages to install, but be mindful that these devices have limited space (albeit vastly increased from the WRT54G I used to use!). Some that I recommend (though I haven't installed all of them myself as I already use them on other systems) are…

Essential

  • nano : A basic, but feature rich text editor.
  • zile : An Emacs (text-editor) clone.
  • rsync : File transfer program to keep remote files in sync.

opkg install nano zile rsync

Optional

  • transmission : As the WRT1900ACS has USB ports you can hook up drives and run this excellent BitTorrent client on your router.
  • USB Audio : Not an individual package but a method of streaming music from an attached USB device.

opkg install transmission

OpenVPN Client Configuration

IMPORTANT - Configuration will be highly dependent on the service provided by your VPN provider. Some examples are given and they should be useful to help guide you in your own configuration but you will have to consult your provider for details of their configuration and settings.

This is where things get technical and can vary massively depending on who provides your VPN. I wanted more control over certain aspects of my VPN connection, though, so opted to pay for a VPS (Virtual Private Server) on which I could install OpenVPN and set up my own VPN server. You should have installed the OpenVPN client software in the above sections; you now need to configure it. The information presented below is taken from two articles on the OpenWRT Wiki, OpenVPN client with TUN (Layer 3) device and OpenVPN Setup Guide for Beginners.

Bypassing VPN

Sometimes it's desirable to bypass the VPN; for example Netflix or BBC iPlayer are geo-restricted and if the exit node of the VPN is outside the UK they won't work. The 'trick' is to route traffic from specific devices such as Chromecasts around the VPN. There is a useful package, vpnbypass (see also this thread), that simplifies this process. If you're running the development version you can follow the instructions to install. If however you're running the stable Chaos Calmer (15.05.1) then you have to install manually. Pre-built packages are here, and you have to switch from dnsmasq to dnsmasq-full and ip to ip-full, and install ipset and iptables.

opkg remove dnsmasq ip; opkg install ip-full ipset iptables dnsmasq-full
cd /tmp
wget https://github.com/stangri/Files/raw/master/vpnbypass_1.0.0-5_all.ipk
wget https://github.com/stangri/Files/raw/master/luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
opkg install vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
rm vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk

The default configuration routes Plex Media past the VPN as well as the IP addresses 192.168.1.80-192.168.1.88, so will likely need some tweaking, but this can be done through the LuCI interface as 'VPN Bypass' will now be listed under Services.

DNS

Tell the network configuration about the tunnel interface and the DNS servers to use over it once the VPN is up (the addresses below are the resolvers used on this page; substitute your own). The section type must be 'interface'; 'network' is not a valid UCI section type and netifd would ignore it…

uci set network.tun0=interface
uci set network.tun0.ifname=tun0
uci set network.tun0.proto=none
uci set network.tun0.dns='87.98.175.85 193.183.98.154 5.135.183.146'
uci commit network

Self-hosted (VPS) VPN

There are tons of options for hosting a VPS. I can not really recommend any; my choice of OVH's VPS SSD1 was based on a cheap price which included unlimited data (essential as a large portion of my browsing will be passing through the server). This section only details configuring OpenWRT to connect; the services on the VPS you will have to set up yourself. That process is described elsewhere and involves setting up an account, purchasing the service you want and then installing and configuring OpenVPN and DNSSEC.

A simple install script for a secure OpenVPN Installation can be used to ease the process.

ToDo Complete this section

Excluding Specific Services

Increasingly these days more and more content is streamed, whether that's iPlayer, Netflix, 4OD, ITVHub or any other service. Many of these are geo-restricted, which means that if your VPN exit node is in a country other than the one you are in you may find that some services do not work (conversely many have been using VPNs for years to circumvent this and access content that would normally be blocked, by using a VPN with an exit node in the country of interest).

Whilst OpenVPN can probably be configured to bypass specific traffic on the server-side I have for now opted to simply have a second wireless network to allow certain devices (Chromecasts, PS3, TV) to connect via the ISP and not use the VPN which some providers block access from. I'll look to work around this at some point but this is my solution for now.

DNS over TLS

Securing your DNS means that your ISP (or VPS provider if you are using a self-hosted VPN) cannot snoop on your DNS requests. There are two approaches, dnscrypt-proxy 2 (which grew from the ashes of the original DNSCrypt) or the method described here, DNS over TLS. What is described below is mostly based on this blog post and this one from someone at Cloudflare. Either way the upstream resolver you forward to (Cloudflare, Quad9 or whoever) still sees every query, so this moves trust rather than removing it.

ssh to your router and su to root.

Install unbound, unbound-control and the LuCI interface…

opkg update
opkg install unbound unbound-control luci-app-unbound

Add the following to /etc/unbound/unbound_ext.conf. Be clear about what this buys you: with just forward-ssl-upstream the connection to the resolver is encrypted but unbound does not verify the server's certificate, so an on-path attacker could still stand in for 1.1.1.1; it defeats passive snooping, not an active man-in-the-middle. Newer unbound releases (1.7.x onward) can verify the certificate if you point tls-cert-bundle at your CA file and append an authentication name to each address (for example 1.1.1.1@853#cloudflare-dns.com).

forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853 # cloudflare IPv4 primary
  forward-addr: 1.0.0.1@853 # cloudflare IPv4 secondary
  forward-addr: 2606:4700:4700::1111@853 # cloudflare IPv6 primary
  forward-addr: 2606:4700:4700::1001@853 # cloudflare IPv6 secondary
  forward-addr: 9.9.9.9@853         # quad9.net primary
  forward-addr: 149.112.112.112@853 # quad9.net secondary
  forward-ssl-upstream: yes

…and some options for the unbound server to /etc/unbound/unbound_srv.conf. Of these, do-tcp is required for TLS forwarding, qname-minimisation (send each upstream only the labels it needs) and use-caps-for-id (0x20 case randomisation against spoofed replies) are the privacy/hardening settings, and prefetch and rrset-roundrobin are performance tweaks rather than security options.

do-tcp: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
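As an added example (not the page's own code), a POSIX shell/awk check of an unbound forwarding configuration for the gap described above: every forward-addr should be reached over TLS, on port 853, and carry an authentication name, and the server needs a CA bundle to verify against. It is run on two constructed files: the forward-zone from this page together with its server options (encrypted but unauthenticated), and a hardened variant using the tls-cert-bundle and #auth-name syntax of unbound 1.7.x or later. The auth names are the ones Cloudflare and Quad9 publish; the CA bundle path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: find forward-addr entries in an
# unbound config that would be reached in plaintext or without verifying the
# server certificate. Both sample configs below are constructed.

# Constructed: the forward-zone from the page plus its server options. TLS is
# on, but there is no CA bundle and no auth name, so certificates go unchecked.
UNAUTH_CFG=$(mktemp)
cat > "$UNAUTH_CFG" <<'EOF'
server:
  do-tcp: yes
  qname-minimisation: yes
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853 # cloudflare IPv4 primary
  forward-addr: 1.0.0.1@853 # cloudflare IPv4 secondary
  forward-addr: 2606:4700:4700::1111@853 # cloudflare IPv6 primary
  forward-addr: 9.9.9.9@853 # quad9.net primary
  forward-ssl-upstream: yes
EOF

# Constructed: authenticated DoT for unbound 1.7.x+. Auth names are the ones
# Cloudflare and Quad9 publish; the CA bundle path is an assumption.
AUTH_CFG=$(mktemp)
cat > "$AUTH_CFG" <<'EOF'
server:
  do-tcp: yes
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-tls-upstream: yes
EOF

# check_dot FILE: one finding per line, status 1 if any, 0 if clean. Clause
# starts are unindented "name:" lines; options inside are indented, as above.
check_dot() {
    findings=$(awk '
        function flush() {
            if (!infz) return
            for (i = 1; i <= n; i++) {
                tok = addrs[i]; port = "53"; auth = ""
                at = index(tok, "@")
                if (at > 0) {
                    rest = substr(tok, at + 1); h = index(rest, "#")
                    if (h > 0) { port = substr(rest, 1, h - 1); auth = substr(rest, h + 1) } else port = rest
                }
                if (!tls) print tok ": zone has no forward-tls-upstream yes, queries go in plaintext"
                else if (port != "853") print tok ": TLS on port " port ", DoT uses 853"
                else if (auth == "") print tok ": no #auth-name, certificate is not verified"
            }
            infz = 0; n = 0; tls = 0
        }
        /^[A-Za-z-]+:/ { flush(); infz = ($1 == "forward-zone:"); next }
        infz && $1 == "forward-addr:" { addrs[++n] = $2; next }
        infz && ($1 == "forward-tls-upstream:" || $1 == "forward-ssl-upstream:") && $2 == "yes" { tls = 1; next }
        $1 == "tls-cert-bundle:" || ($1 == "tls-system-cert:" && $2 == "yes") { bundle = 1 }
        END { flush(); if (!bundle) print "server: no tls-cert-bundle (or tls-system-cert), nothing to verify upstreams against" }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

On the page's configuration this reports one line per upstream plus the missing CA bundle; on the hardened file it is silent. To use it on the router, concatenate unbound_srv.conf (wrapped in a server: clause) and unbound_ext.conf into one file and pass that.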

Backup /etc/config/dhcp, /etc/config/unbound

mkdir /tmp/bak
cp /etc/config/dhcp    /tmp/bak/dhcp
cp /etc/config/unbound /tmp/bak/unbound

One guide removes dnsmasq from LEDE, the other leaves it in situ but changes the port it listens on. I opted for the latter…

uci set 'dhcp.@dnsmasq[0].port=53535'                                                # move dnsmasq off port 53 so unbound can take it
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"   # DHCP clients get the router as their DNS server
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'                                      # unbound resolves local DHCP names via dnsmasq
uci commit
/etc/init.d/dnsmasq restart                                                          # frees port 53 before unbound is started below

Finally enable unbound and start it…

service unbound enable
service unbound start

Factory Reset

If you cock things up and flash the wrong image all is not lost, as you can factory reset these devices by pressing and holding the reset button. The WRT1900ACS also keeps two firmware partitions, and if a boot is interrupted three times in a row the bootloader falls back to the other one, so the image you were running before the flash is normally still there.

Links

linux/lede.txt · Last modified: 2021/03/20 19:21 by 127.0.0.1
CC Attribution-Share Alike 4.0 International