Installing OpenWrt as a home Internet router

These instructions have been tested with LEDE version 17.01.

= First installation =

 * Plan your network not to use the very common 192.168.0.x and 192.168.1.x address ranges. You do not want to help opportunistic hackers with a very easy-to-guess router address.
 * Generate an SSH key on your local PC. Otherwise, you will have to manually enter your router password many times in the next steps:
     ssh-keygen -t rsa  -b 4096  -f "$HOME/.ssh/AccessFromMyPcToMyRouter.key"  -C "This key is for accessing my Router from my PC"
 * Install LEDE and connect to its web interface (LuCI) on the default 192.168.1.1, user 'root', no password. Go to page System→Administration, and:
   * Set a password for user root.
   * Set SSH access to LAN only.
   * In the "SSH-Keys" section, place the contents of the .key.pub file generated above. Alternatively, append the contents of the .key.pub file to /etc/dropbear/authorized_keys on the Router.
   * Security-conscious admins may want to disable SSH password logins.
 * On page System→System:
   * Set your Timezone.
   * Enable the NTP client.
 * On page Network→Interfaces→LAN→Edit:
   * Set the "Static address" for the router.
   * Set the DHCP Start and Limit in order to leave room for a few eventual static IP addresses in your network.
 * Add a desktop icon to your PC so as to comfortably open an SSH connection to the router. For example, you can use my run-in-new-console.sh script:
     "$HOME/Tools/RunInNewConsole/run-in-new-console.sh" --console-title="Router"  --console-icon="modem" -- "ssh root@192.168.x.x"
 * You will probably have to edit some configuration files manually. You have several options:
   * Use Emacs Tramp to automatically access files on the router over SSH. For example, open a file like this: /root@192.168.x.x:/etc/config/fstab
   * Connect via SSH and use 'vi', which is installed by default.
   * Install another editor like 'nano' with the router's package manager.
   * Replace the default SSH server Dropbear with OpenSSH, so that you can mount the router's filesystem over SSH with sshfs.
 * In order to install packages, use LuCI (the web interface), or manually run the following commands. The list of available packages is stored only in RAM and is lost upon reboot, so make sure to 'update' the list before trying to install a new package. Keep a note of all packages you install, as they will be lost upon system upgrade.
     opkg update
     opkg install
 * If your Internet service provider requires a particular MAC address on your router, go to page Network→Interfaces→WAN→Edit→Advanced Settings and set "Override MAC address". NOTE: LEDE version 17.01.1 has a bug, and that does not work from LuCI. The MAC address entered in LuCI lands in "config interface 'wan'", but it should land in "config device 'wan_dev'" instead. So edit the /etc/config/network config file manually.
 * Set your WLAN up:
   * Set the appropriate WLAN country code.
   * Set the operating mode to 'N' only (or allow anything better too, if your router supports more). Unless you have very old client devices, older modes like B and G are not worth it anymore.
   * Set the WLAN mode to "Access Point".
   * Set the encryption to WPA2-PSK only.
   * Set the cipher to "Force CCMP (AES)".
   * Choose a good WLAN key (password).
   * Attach WLAN to LAN only.
   * Enable the WMM Mode, which is a kind of QoS packet prioritisation.
   * Enable the WLAN interface.
 * Check your firewall:
   * In Network→Firewall→Zones, check that:
     * "lan: lan -> wan", 'input', 'output' and 'forward' are 'accept'. 'Masquerading' and 'MSS clamping' (claim a lower Maximum Segment Size for TCP packets) are off.
     * "wan: wan, wan6", 'input' is 'reject', 'output' is 'accept', and 'forward' is 'reject'. 'Masquerading' and 'MSS clamping' are on.
   * Perform a port scan and/or security scan from outside (from the Internet). For example, the German publisher Heise has a web page with a "Netzwerkcheck" service.
 * Add any static IP addresses you need in Network→DHCP and DNS→Static Leases. If you are copying them from another router, you can manually copy-and-paste them into /etc/config/dhcp. Look for the "config host" entries.
 * Add any port-forwarding rules you need in Network→Firewall→Port Forwards. For example, I need some for the VNC listening mode. If you are copying them from another router, you can manually copy-and-paste them into /etc/config/firewall. Look for the "config redirect" entries.
 * Save the router's configuration to your PC from page System→Backup.
 * Install package 'iperf3' for convenient performance measurements. Its server remains inactive after installation. In order to use it:
   * On the router, bind only to the LAN IP address, and, instead of the default 5201 port, use some other, for security reasons:
       iperf3  --port 5123  --server  --bind 192.168.x.x
   * On your PC, run a 5-second test, giving results every second:
       iperf3  --client 192.168.x.x  --port 5123  --time 5 --interval 1
 * Add to your calendar a recurrent event at regular intervals like this: "Update the LEDE router". Unfortunately, there does not seem to be a mailing list for notifications about new versions as of December 2017. There is an "announce" mailing list, but it does not seem to be used at all.
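
As an added example (not part of the original page), the SSH and firewall settings from the checklist above can be checked offline with a small shell script that parses copies of the router's /etc/config/dropbear and /etc/config/firewall. The function names and the sample files are constructed for illustration; Interface, PasswordAuth, input, forward, masq ('Masquerading') and mtu_fix ('MSS clamping') are the UCI options behind the LuCI fields.

```sh
# uci_opt FILE SECTION_TYPE NAME OPTION: print OPTION from the first "config SECTION_TYPE"
# section whose "option name" is NAME (empty NAME: first section of that type).
uci_opt() {
    awk -v sec="$2" -v name="$3" -v opt="$4" '
        { gsub("[\047\"]", "") }    # strip UCI quoting
        $1 == "config" { if (hit) exit; insec = ($2 == sec); hit = (insec && name == ""); val = ""; next }
        insec && $1 == "option" && $2 == "name" && $3 == name { hit = 1 }
        insec && $1 == "option" && $2 == opt { val = $3 }
        END { if (hit) print val }' "$1"
}

# expect LABEL FILE SECTION_TYPE NAME OPTION WANT [DEFAULT]: case-insensitive compare;
# DEFAULT stands in for an absent option. Counts mismatches in $fails.
expect() {
    v=$(uci_opt "$2" "$3" "$4" "$5" | tr 'A-Z' 'a-z')
    v=${v:-${7:-unset}}
    if [ "$v" = "$6" ]; then echo "ok    $1"; else echo "FAIL  $1 (found $v)"; fails=$((fails + 1)); fi
}

# audit_router DROPBEAR_CFG FIREWALL_CFG: exit status is the number of failed checks.
audit_router() {
    fails=0
    expect "SSH on LAN interface only"    "$1" dropbear "" Interface    lan
    expect "SSH password logins disabled" "$1" dropbear "" PasswordAuth off
    expect "wan input rejected"           "$2" zone wan input   reject
    expect "wan forward rejected"         "$2" zone wan forward reject
    expect "wan masquerading on"          "$2" zone wan masq    1
    expect "wan MSS clamping on"          "$2" zone wan mtu_fix 1
    expect "lan masquerading off"         "$2" zone lan masq    0 0
    expect "lan MSS clamping off"         "$2" zone lan mtu_fix 0 0
    return "$fails"
}

# Constructed sample input: SSH not yet hardened, firewall zones as the checklist wants them.
tmp=$(mktemp -d)
printf "config dropbear\n    option PasswordAuth 'on'\n    option Port '22'\n" > "$tmp/dropbear"
cat > "$tmp/firewall" <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
EOF
audit_router "$tmp/dropbear" "$tmp/firewall" || echo "$? finding(s)"
```

With the constructed sample, the two SSH checks fail and the six firewall checks pass.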

== Automounting USB sticks ==

 * Package kmod-usb2 was already installed on my LEDE version, and its kernel module ehci-hcd was already automatically loaded, so I got the following message when I inserted a USB stick:
     kern.info kernel: [13502.687181] usb 1-1: new high-speed USB device number 2 using ehci-platform
 * Install packages:
     opkg update && opkg install  usbutils  kmod-usb-storage  kmod-fs-ext4  kmod-fs-msdos  kmod-fs-vfat  kmod-fs-exfat  kmod-fs-ntfs  block-mount  blkid
   * Package 'block-mount' is the automounter.
   * Package 'blkid' installs tool 'blkid', which helps finding out what USB sticks have been detected. It also enables the automounter (block-mount) to mount exFAT volumes, which it does not support directly.
   * Package kmod-fs-msdos provides FAT16, and kmod-fs-vfat FAT32. Writable NTFS support can be problematic.

= Upgrading LEDE =

For security reasons, you need to upgrade your router's firmware every now and then.

 * Save the router's configuration to your PC from page System→Backup.
 * If there is a new base version:
   * All user-installed packages will be lost, so you may want to run "opkg list-installed" beforehand.
   * With the web interface, upload the new 'sysupgrade' firmware version, and not the 'factory' one.
   * Restart with the web interface, or with command 'reboot'.
   * Reinstall all user-installed packages. You may need to re-enable some of the new services, if they need to run at start-up.
 * Upgrade all packages. You can upgrade all packages even if you are running an older base version (with an older Linux Kernel etc).
     opkg update
     opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
   * Restart with the web interface, or with command 'reboot'.