Installing OpenWrt as a home Internet router

These instructions have been tested with OpenWrt version 17.01.

= First installation =

 * Plan your network not to use the very common 192.168.0.x and 192.168.1.x address ranges. You do not want to help opportunistic hackers with a very easy-to-guess router address.
 * Generate an SSH key on your local PC. Otherwise, you will have to manually enter your router password many times in the next steps:
     ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/AccessFromMyPcToMyRouter.key" -C "This key is for accessing my Router from my PC"
 * Install OpenWrt and connect to its web interface (LuCI) on the default 192.168.1.1, user 'root', no password. Go to page System→Administration, and:
   * Set a password for user root.
   * Set SSH access to LAN only.
   * In the "SSH-Keys" section, paste the contents of the .key.pub file generated above. Alternatively, append the contents of the .key.pub file to /etc/dropbear/authorized_keys on the router.
   * Security-conscious admins may want to disable SSH password logins.
 * On page System→System:
   * Set your timezone.
   * Enable the NTP client.
 * On page Network→Interfaces→LAN→Edit:
   * Set the "Static address" for the router. This usually makes accessing the router easier.
   * If this is an Internet router, set the DHCP Start and Limit so as to leave room for a few eventual static IP addresses in your network. If this is just a WLAN access point, then turn DHCP off.
 * Add a desktop icon to your PC so as to comfortably open an SSH connection to the router. For example, you can use my run-in-new-console.sh script:
     "$HOME/Tools/RunInNewConsole/run-in-new-console.sh" --console-title="Router" --console-icon="modem" -- "ssh root@192.168.x.x"
 * You will probably have to edit some configuration files manually. You have several options:
   * Use Emacs Tramp to automatically access files on the router over SSH. For example, open a file like this: /scp:root@192.168.x.x:/etc/config/fstab
   * Connect via SSH and use 'vi', which is installed by default.
   * Install another editor like 'nano' with the router's package manager.
   * Replace the default SSH server Dropbear with OpenSSH, so that you can mount the router's filesystem over SSH with sshfs.
 * In order to install packages, use LuCI (the web interface), or manually run the following commands. The list of available packages is stored only in RAM and is lost upon reboot, so make sure to 'update' the list before trying to install a new package. Keep a note of all packages you install, as they will be lost upon system upgrade.
     opkg update
     opkg install <package>
 * Set your WLAN up:
   * Set the appropriate WLAN country code.
   * Set the operating mode to 'N' only (or allow anything better too, if your router supports more). Unless you have very old client devices, older modes like B and G are not worth it anymore.
   * On 2.4 GHz, channels 1, 6, and 11 don't overlap.
   * On 2.4 GHz, 20 MHz wide channels, instead of 40 MHz, cause and suffer from less interference.
   * Set the WLAN mode to "Access Point".
   * Set the encryption to WPA2-PSK only.
   * Set the cipher to "Force CCMP (AES)".
   * Choose a good WLAN key (password).
   * Attach WLAN to LAN only.
   * Enable the WMM Mode, which is a kind of QoS packet prioritisation.
   * Enable the WLAN interface.
 * If this is an Internet router (and not just a WLAN access point):
   * If your Internet service provider requires a particular MAC address on your router, go to page Network→Interfaces→WAN→Edit→Advanced Settings and set "Override MAC address". NOTE: OpenWrt version 17.01.1 has a bug, and that does not work from LuCI. The MAC address entered in LuCI lands in "config interface 'wan'", but it should land in "config device 'wan_dev'" instead. So edit the /etc/config/network config file manually.
   * Check your firewall:
     * In Network→Firewall→Zones, check that:
       * For "lan: lan -> wan", 'input', 'output' and 'forward' are 'accept'. 'Masquerading' and 'MSS clamping' (which claims a lower Maximum Segment Size for TCP packets) are off.
       * For "wan: wan, wan6", 'input' is 'reject', 'output' is 'accept', and 'forward' is 'reject'. 'Masquerading' and 'MSS clamping' are on.
     * Perform a port scan and/or security scan from outside (from the Internet). For example, the German publisher Heise has a web page with a "Netzwerkcheck" service.
   * Add any port-forwarding rules you need in Network→Firewall→Port Forwards. For example, I need some for the VNC listening mode. If you are copying them from another router, you can manually copy-and-paste them into /etc/config/firewall. Look for the "config redirect" entries.
   * Add any static IP addresses you need in Network→DHCP and DNS→Static Leases. If you are copying them from another router, you can manually copy-and-paste them into /etc/config/dhcp. Look for the "config host" entries.
 * Security-conscious admins may want to:
   * Install package 'luci-ssl' and redirect HTTP requests to HTTPS.
   * Install package 'dnscrypt-proxy' and configure DNSCrypt manually.
 * Save the router's configuration to your PC from page System→Backup.
 * Install package 'iperf3' for convenient performance measurements. Its server remains inactive after installation. In order to use it:
   * On the router, bind only to the LAN IP address and, for security reasons, use some port other than the default 5201:
       iperf3 --port 5123 --server --bind 192.168.x.x
   * On your PC, run a 5-second test, giving results every second:
       iperf3 --client 192.168.x.x --port 5123 --time 5 --interval 1
 * Add to your calendar a recurrent event at regular intervals like this: "Update the OpenWrt router". Unfortunately, there does not seem to be a mailing list for notifications about new versions as of December 2017. There is an "announce" mailing list, but it does not seem to be used at all.
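To verify the firewall zone settings listed above without clicking through LuCI, here is an added example (not part of the original page) that audits an /etc/config/firewall file with plain sh and awk. It assumes the UCI option names 'masq' and 'mtu_fix', which are what LuCI writes for "Masquerading" and "MSS clamping"; the sample configs are constructed.

```shell
# Added example, not from the original page: audit the zone settings listed
# above by parsing an /etc/config/firewall file (lan: accept/accept/accept,
# no masquerading or MSS clamping; wan: reject/accept/reject, both on).
# Plain sh + awk, so it runs on the router's busybox or on a PC against a
# backup copy of the file.
audit_zones() {
    # $1 = firewall config path. Prints one line per deviation; returns 0 only
    # when both zones match. A missing 'masq'/'mtu_fix' option means off (0).
    awk -v q="'" '
    function want(key, expect,   got) {
        got = tolower(o[key])
        if (got != expect) { printf "zone %s: %s is \"%s\", expected \"%s\"\n", z, key, got, expect; bad = 1 }
    }
    function check_zone() {   # check the zone just read, then reset for the next one
        if (z == "lan") { want("input", "accept"); want("output", "accept"); want("forward", "accept"); want("masq", "0"); want("mtu_fix", "0") }
        if (z == "wan") { want("input", "reject"); want("output", "accept"); want("forward", "reject"); want("masq", "1"); want("mtu_fix", "1") }
        z = ""; split("", o); o["masq"] = "0"; o["mtu_fix"] = "0"
    }
    /^config[ \t]+zone/ { check_zone() }
    /^[ \t]*option[ \t]+/ { v = $3; gsub(q, "", v); if ($2 == "name") z = v; else o[$2] = v }
    END { check_zone(); exit bad + 0 }
    ' "$1"
}

# Constructed sample of a correct configuration (OpenWrt writes the actions
# in upper case; the check is case-insensitive).
GOOD_FW=$(mktemp)
cat > "$GOOD_FW" <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
EOF
# The same file with two deliberate mistakes: masquerading enabled on the LAN
# zone and forwarding accepted from the WAN zone.
BAD_FW=$(mktemp)
sed -e "s/option name 'lan'/&\n    option masq '1'/" \
    -e "s/option forward 'REJECT'/option forward 'ACCEPT'/" "$GOOD_FW" > "$BAD_FW"
audit_zones "$GOOD_FW" && echo "firewall zones OK"
audit_zones "$BAD_FW" || echo "firewall zones need attention"
```

On the router itself, run it as `audit_zones /etc/config/firewall` after the firewall step, or against the backup file you saved from System→Backup.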

== Automounting USB sticks ==

One caveat to consider is that most routers do not have a soft-off switch, so cleanly unmounting the disk before powering off is not feasible.

 * Package 'kmod-usb2' was already installed on my OpenWrt version, and its kernel module ehci-hcd was already automatically loaded, so I got the following message when I inserted a USB stick:
     kern.info kernel: [13502.687181] usb 1-1: new high-speed USB device number 2 using ehci-platform
 * Install packages:
     opkg update && opkg install usbutils kmod-usb-storage kmod-fs-ext4 kmod-fs-msdos kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs block-mount blkid
   * Package 'block-mount' is the automounter. Upon installation, service 'fstab' should be automatically enabled, so that it runs on router start-up. You can check page System→Startup, or manually enable it with command "service fstab enable".
   * Package 'blkid' installs tool 'blkid', which helps find out which USB sticks have been detected. It also enables the automounter (block-mount) to mount exFAT volumes, which it does not support directly (as of December 2017).
   * Package 'kmod-fs-msdos' provides FAT16, and 'kmod-fs-vfat' FAT32. Writable NTFS support can be problematic.
 * Restart the router with the web interface, or with command 'reboot'.
 * Configure the automounter with the web interface, or manually edit /etc/config/fstab and add these lines:
     config 'global'
         option anon_swap  '0'   # Whether to mount swap devices that don't have their own config section.
         option anon_mount '1'   # Whether to mount block devices that don't have their own config section.
         option auto_swap  '1'   # Whether to automatically mount swap devices when they appear.
         option auto_mount '1'   # Whether to automatically mount block devices when they appear.
         option delay_root '5'   # Wait X seconds before trying to mount root devices on boot.
         option check_fs   '0'   # Whether to run e2fsck on device prior to a mount.

     # Example for a specific device with a data partition (vfat).
     config 'mount'
         option target  '/mnt/MyMountpoint'
         option uuid    'abcd-1234'
         option enabled '1'
         # option 'options' 'rw,sync'
         # option 'enabled_fsck' '0'


 * For maximum performance, consider using mount flag 'noatime' instead of the default 'relatime', and specifying a longer commit=x than the 5-second default. However, bear in mind the caveat above about not being able to cleanly unmount filesystems.
 * Afterwards, reload the new config with:
     block umount && block mount
 * Insert the USB stick, which should be automatically mounted on a path like /mnt/sda1. The base dir is /mnt; the "sda1" mountpoint is automatically created based on the device name of the detected partition. The /mnt/sda1 mountpoint remains as an empty directory if you remove the USB stick. If automounting fails, there are several things you can do:
   * Look at the system log, either on the web interface (you need to refresh the page manually to see new log messages), or with the following command. The grep argument below filters by words starting with "sd", like "sda".
       dmesg | grep "\\bsd"
   * Run "lsusb -t" to show all detected USB devices.
   * Run "ls -l /dev/sd*" to list all detected disks and partitions.
   * Run 'blkid' to see all detected filesystems, even if not yet mounted.
   * Tool "block info" shows similar information to blkid.
   * Run "df -h" to see all currently-mounted filesystems with used/available statistics, and "mount" to see the flags they were mounted with.
   * Try mounting manually:
       mkdir -p /mnt/mymountpoint
       mount /dev/sda1 /mnt/mymountpoint
       umount -l /mnt/mymountpoint
 * If you are connecting a mechanical disk, do not forget to install or enable support for spinning the disk down when it is not being used. Consider package 'hdparm', which can set a timer on the disk itself, or package 'hd-idle', which has a LuCI integration package called 'luci-app-hd-idle'.
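As an added example that is not part of the original page, the following script turns 'blkid' output into the "config 'mount'" sections described above, so that each data partition is mounted by UUID under a fixed path instead of the auto-created /mnt/sda1 name. It assumes the usual one-line-per-device blkid format and labels without spaces; the sample blkid lines are constructed.

```shell
# Added example, not from the original page: turn 'blkid' output into
# 'config mount' sections for /etc/config/fstab, one per data partition, so
# volumes are mounted by UUID rather than by the auto-created /mnt/sda1 name.
# Assumes the usual "/dev/sda1: LABEL="..." UUID="..." TYPE="..."" line
# format and labels without spaces (awk would split a label containing one).
blkid_to_fstab() {
    # Reads blkid lines on stdin and writes UCI sections on stdout. Swap and
    # untyped partitions are skipped; the mountpoint is /mnt/<LABEL> when a
    # label exists, otherwise /mnt/<device name>.
    awk -v q="'" '
    {
        dev = $1; sub(/:$/, "", dev); sub(/^\/dev\//, "", dev)
        uuid = ""; label = ""; type = ""
        for (i = 2; i <= NF; i++) {
            n = index($i, "="); key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "UUID") uuid = val
            else if (key == "LABEL") label = val
            else if (key == "TYPE") type = val
        }
        if (uuid == "" || type == "" || type == "swap") next
        target = "/mnt/" (label != "" ? label : dev)
        printf "config %smount%s\n", q, q
        printf "\toption target  %s%s%s\n", q, target, q
        printf "\toption uuid    %s%s%s\n", q, uuid, q
        printf "\toption options %snoatime%s\n", q, q   # see the performance note above
        printf "\toption enabled %s1%s\n\n", q, q
    }'
}

# Constructed sample blkid output: a labelled FAT32 stick, an unlabelled ext4
# partition, and a swap partition that must not get a mount section.
SAMPLE_BLKID='/dev/sda1: LABEL="DATA" UUID="ABCD-1234" TYPE="vfat"
/dev/sda2: UUID="1f2e3d4c-5b6a-4f70-9e81-0123456789ab" TYPE="ext4"
/dev/sdb1: UUID="0f0e0d0c-0b0a-4a9b-8c7d-6e5f4a3b2c1d" TYPE="swap"'

printf '%s\n' "$SAMPLE_BLKID" | blkid_to_fstab
```

On the router, `blkid | blkid_to_fstab >> /etc/config/fstab` appends the sections; review them (and the mountpoint names) before running `block umount && block mount`.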

== Sharing your disk on the network ==

You can replace the default SSH server Dropbear with OpenSSH, so that you can mount the router's filesystem over SSH with sshfs. You probably want to install package 'shadow-useradd' in order to add a non-root user for your network files.

Otherwise, install Samba:
    opkg update && opkg install samba36-server luci-app-samba samba36-client shadow-useradd

Package 'samba36-server' is necessary and 'luci-app-samba' is its LuCI integration. Optional package 'samba36-client' provides client tools helpful for troubleshooting. Package 'shadow-useradd' provides tool 'useradd', which helps you create users for your Samba shares.

You can configure Samba with the web interface. Otherwise, edit config files /etc/config/samba and /etc/samba/smb.conf.

Disable the insecure SMB1 protocol implementation with:
    min protocol = SMB2

Unfortunately, OpenWrt only provides Samba version 3.6, which does not support anything newer than SMB2.

The Samba server listens by default on these interfaces:
    option 'interface' 'loopback lan'

If that is not right for your network, it may become a security risk. Add or modify this option as necessary in config file /etc/config/samba.

You will need to create user accounts and give those accounts read and perhaps write permissions to the /mnt/mountpoints you want to share.

Do not name the network shares the same as the partitions they reference (like "sda1"), or the shares may turn read-only.

For any config file changes to take effect:
    service samba restart

= Upgrading OpenWrt =

For security reasons, you need to upgrade your router's firmware every now and then.
 * Save the router's configuration to your PC from page System→Backup.
 * If there is a new base version:
   * All user-installed packages will be lost, so you may want to run "opkg list-installed" beforehand. Their config files should remain though, so everything should work fine after reinstalling the packages.
   * With the web interface, upload the new 'sysupgrade' firmware image, and not the 'factory' one.
   * Restart the router with the web interface, or with command 'reboot'.
   * Reinstall all user-installed packages. You may need to re-enable some of the new services, if they need to run at start-up.
 * Upgrade all packages. You can upgrade all packages even if you are running an older base version (with an older Linux kernel etc.):
     opkg update
     opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
   Then restart with the web interface, or with command 'reboot'.
 * You may want to do a quick firewall check. See the installation steps above.