Monthly Archives: December 2012

OpenWRT Boot from USB device

This guide covers fast (12mbit/s) USB and ext2 filesystem only. Make sure you install package kmod-usb2 and load module ehci-hcd or your disk will be (very, hdparm -t < 12,5mbit/s) slow. This tutorial is for OpenWRT (kamikaze, backfire) with 2.6 kernel, but it will probably work for other devices too running OpenWRT on a 2.6 kernel. If you are unsure what kernel you have use: uname -a which will give you something like this:

Linux OpenWrt #1 Fri Dec 28 11:04:49 UTC 2007 armv5teb unknown
First of all make sure you have all the modules required:
ipkg update
ipkg install kmod-usb-core kmod-usb-uhci kmod-scsi-core kmod-usb-storage kmod-fs-ext2 kmod-fs-ext3
Then load these modules:
insmod ext2
insmod jbd
insmod ext3
Install e2fsprogs and fdisk: ipkg install e2fsprogs fdisk Partition your disk. I have a 1GB Verbatim and used 700 MB for ext2 and 300 MB for swap. fdisk /dev/sdX <- change this to your device Then format your partition: mke2fs /dev/sdX1 <- change this to your device Mount it and copy the filesystem to your USB-device:
mount -t ext2 /dev/sda1 /mnt
mkdir /tmp/root
mount -o bind /rom /tmp/root
cp /tmp/root/* /mnt -a
umount /tmp/root
umount /mnt
vi /etc/init.d/pivotroot
copy and paste this into /etc/init.d/pivotroot
# change this to your boot device
/sbin/hotplug2 --override --persistent --max-children 1 --no-coldplug &
for module in usbcore uhci scsi_mod sd_mod usb-storage jbd ext2 ext3 ; do {
        insmod $module
        }; done

        # this may need to be higher if your disk is slow to initialize
        sleep 30s
        # mount the usb stick
        mount "$boot_dev" /mnt
        # if everything looks ok, do the pivot root
killall hotplug2
        [ -x /mnt/sbin/init ] && {
                mount -o move /proc /mnt/proc && \
                pivot_root /mnt /mnt/mnt && {
                mount -o move /mnt/dev /dev
                mount -o move /mnt/tmp /tmp
                mount -o move /mnt/jffs2 /jffs2 2>&-
                mount -o move /mnt/sys /sys 2>&-
Then make it executable: chmod a+x /etc/init.d/pivotroot Now, make the symlink so it will start at boot time: ln -s /etc/init.d/pivotroot /etc/rc.d/S10pivotroot replace everything in /etc/init.d/rcS with this vi /etc/init.d/rcS
# Copyright (C) 2006
if test $2 == "boot" ; then
 for i in /etc/rc.d/$1*; do
 $i $2 2>&1
} | logger -s -p 6 -t '' &

Now reboot and telnet to your slug

Use 'passwd' to set your new root password

Log in with ssh. To make sure it works type df -h. Which will give you something like this

Filesystem                Size      Used Available Use% Mounted on
/dev/sda1                 1.0M      1.0M         0 100% /mnt/rom
/dev/mtdblock5            5.4M    752.0k      4.6M  14% /mnt/jffs
mini_fo:/jffs             1.0M      1.0M         0 100% /mnt
/dev/sda1               656.1M     19.0M    603.7M   3% /
Fixup resolv.conf symlink:
rm /etc/resolv.conf
ln -s /tmp/ /etc/resolv.conf
If you created a swap partition you may want to use it:
ipkg update
ipkg install swap-utils
mkswap /dev/sda2
swapon /dev/sda2
Make it start at boot time:
echo "#!/bin/sh" >> /etc/init.d/swapspace
echo "swapon /dev/sda2" >> /etc/init.d/swapspace
chmod a+x /etc/init.d/swapspace
ln -s /etc/init.d/swapspace /etc/rc.d/S99swapspace
Use free to see if it worked: free
              total         used         free       shared      buffers
  Mem:        30472        11628        18844            0          960
 Swap:       297192            0       297192
Total:       327664        11628       316036
OpenWRT full backup
tar cv /bin /etc /home /lib /root /sbin /tmp /usr /www > openwrt.tar
scp openwrt.tar user@backup-serve:/backup

How to setup OpenVPN with bridging on OpenWRT

opkg update
opkg install openvpn openvpn-easy-rsa

Or if you prefer configure openvpn via GUI:
opkg install luci-app-openvpn


export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG=""
export KEY_EMAIL=""
export KEY_CN=home-router
export KEY_NAME="Jan Faix"
export KEY_OU=""

Build your certificates:


Create the server key:
build-key-server server

Create as many client keys for each person who will connect:
build-key jan

PKCS12 Format (combines the key and ca certificate in one file):
build-key-pkcs12 jan

Copy the important files to the /etc/openvpn directory, so that they are duplicated:

cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

Copy ca.crt and the client crt/key files off the router and onto the machines that will be connecting.

Client Config

port 1194
proto udp
dev tap
ns-cert-type server
ca ca.crt
cert jan.crt
key jan.key
verb 4

Modify your firewall

config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'family' 'ipv4'
        option '_name' 'openvpn'

/etc/init.d/firewall restart

Restrict your DHCP leases

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '11'
        option 'limit' '20'
        option 'leasetime' '12h'
        list 'dhcp_option' '6,,'

/etc/init.d/dnsmasq restart

Create the server configuration

config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tap0'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/tmp/openvpn-status.log'
        option 'log_append' '/var/log/openvpn.log'
        option 'verb' '4'
        option 'up' '/etc/openvpn/'
        option 'down_pre' '1'
        option 'server_bridge' ''
        option 'down' '/etc/openvpn/'

Note that addresses to are reserved for your VPN clients.

Bridged VPN Configuration


config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' ''
        option 'netmask' ''

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'netmask' ''
        option 'dns' ''
        option 'ipaddr' ''
        option 'ifname' 'eth0.1'
        option 'broadcast' ''

config 'interface' 'wan'
        option 'ifname' 'eth0.2'
        option 'proto' 'static'
        option 'ipaddr' 'x.x.x.x'
        option 'netmask' ''
        option 'gateway' 'x.x.x.x'
        option 'broadcast' 'x.x.x.x'
        option 'dns' ''

Configure OpenVPN init script:

In section start_service() add following:

ARGS="--script-security 2"


Show brigde status:
brctl show
bridge name bridge id STP enabled interfaces
br-lan 8000.f8d111adbf84 no eth0.1 wlan0 tap0

Check system log: