Tag Archives: OpenWRT

OpenWRT TP-Link TL-WR1043ND

Back in the past I have installed OpenWRT BackFire 10.03 on my TP-Link TL-WR1043ND v1. It was quite pita that time, because I was using WAN port which get disabled after flashing OpenWRT firmware. It was necessary to revert back to crafted TP-Link firmware, which will not disable WAN port after flashing DD-WRT or OpenWRT firmware.

Now come the time to upgrade to currently newest OpenWRT BarrierBreaker 14.07. I decided not to use WAN port anymore (replaced by my Debian Server Router/Firewall/NAS/HTPC) and start with fresh configuration without keeping previous settings.

I have downloaded upgrade OpenWRT firmware to use it over existing OpenWRT installation. I used ‘Flash new firmware image’ option and unchecked ‘Keep setting’.

I did following basic settings:

'System' - 'System' - 'hostname' and 'Timezone'
'System' - 'System' - 'Logging' - 'External system log server' - ''
'System' - 'Administration' - 'router password'

'Network' - 'Interfaces' - 'LAN' - check 'Bring up on boot', 'Protocol' - 'Static address', check 'Disable DHCP for this interface' (I use Dnsmasq on my primary server).
'Network' - 'Interfaces' - 'WAN' - uncheck 'Bring up on boot'

'Network' - 'Wifi' - 'Scan' and see what channels are less busy
'Network' - 'Wifi' - 'Add' new wireless network

'General Setup' - 'ESSID', 'Mode' - 'Access Point' - 'Network' - 'LAN' - 'Network security' - 'Encryption' - 'WPA2-PSK'
'Advanced Settings' - 'Band' - 2,4GHz, 'Country Code' CZ

Don’t forget to Enable new WiFi network and Restart Log daemon in ‘System -> Startup’ services.

I like to use few extra services on my WiFi access point:

First of all update package database: opkg update

LuCI web interface

In case you did system upgrade from existing OpwnWrt, you may want to install administartion web interface.
opkg install luci

Swap on USB

I already created swap partition on my USB key /dev/sda2, which is automatically detected after installing necessary packages below.
opkg install block-mount kmod-usb-storage swap-utils
swapon -s

Filename        Type    Size  Used  Priority
/dev/sda2        partition  157132  1120  -1

DNS local resolution

I have my own local DNS server and I want name resolution from OpenWrt shell.
opkg install bind-host

search homelan

NFS client

opkg install nfs-utils kmod-fs-nfs kmod-fs-nfs-common
mkdir /disk
touch /etc/diskmount.sh
chmod 755 /etc/diskmount.sh

mount -t nfs home-server:/disk /disk -o nolock

Mail client

opkg install msmtp-nossl


account default
auto_from on
maildomain home-wifi.homelan
syslog LOG_MAIL

Cron backup task

ln -sf /etc/crontabs/root /etc/crontab


30 0 * * * /usr/bin/test -d /disk/backup || mount home-server:/disk /disk;/usr/bin/test -d /disk/backup; /bin/tar -zcf /disk/backup/home-wifi/home-wifi.tar.gz -C / bin etc lib root sbin tmp usr www

/etc/init.d/cron restart

Arpwatch new MAC monitoring

opkg install http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/arpwatch_2.1a15-3_ar71xx.ipk

ln -s /usr/bin/msmtp /usr/lib/sendmail
/etc/init.d/arpwatch start
/etc/init.d/arpwatch enable


opkg install htop

Collect daemon client

opkg install collectd collectd-mod-load collectd-mod-memory collectd-mod-network collectd-mod-cpu collectd-mod-df collectd-mod-disk collectd-mod-interface collectd-mod-wireless

mkdir /var/lib/collectd
/etc/init.d/collectd start
/etc/init.d/collectd enable

Monit monitoring client

opkg install monit-nossl
mkdir /etc/monit.d/
Comment ‘#’ everything except:
include /etc/monit.d/*


set daemon 120
set logfile syslog facility log_daemon
set idfile /var/.monit.id
set statefile /var/.monit.state
set eventqueue basedir /var/monit slots 1000

set httpd port 2812
use address localhost
    allow user:password

set mailserver home-server
set mmonit http://user:password@monit.faix.cz/collector

check system home-wifi
    if loadavg (1min) > 4 for 5 times within 15 cycles then alert
    if loadavg (5min) > 2 for 5 times within 15 cycles then alert
    if memory usage > 75% for 5 times within 15 cycles then alert
    if swap usage > 25% for 5 times within 15 cycles then alert
    if cpu usage (user) > 98% for 5 times within 15 cycles then alert
    if cpu usage (system) > 70% for 5 times within 15 cycles then alert
    if cpu usage (wait) > 60% for 5 times within 15 cycles then alert

check process sshd with pidfile /var/run/dropbear.1.pid
    start program "/etc/init.d/dropbear start"
    stop program "/etc/init.d/dropbear stop"
    if failed port 22 protocol ssh then restart
    if 5 restarts within 5 cycles then timeout

check filesystem root with path /
    if space usage > 80% for 5 times within 15 cycles then alert

/etc/init.d/monit start
/etc/init.d/monit enable

OpenWRT Boot from USB device


This guide covers fast (12mbit/s) USB and ext2 filesystem only. Make sure you install package kmod-usb2 and load module ehci-hcd or your disk will be (very, hdparm -t < 12,5mbit/s) slow. This tutorial is for OpenWRT (kamikaze, backfire) with 2.6 kernel, but it will probably work for other devices too running OpenWRT on a 2.6 kernel. If you are unsure what kernel you have use: uname -a which will give you something like this:

Linux OpenWrt #1 Fri Dec 28 11:04:49 UTC 2007 armv5teb unknown
First of all make sure you have all the modules required:
ipkg update
ipkg install kmod-usb-core kmod-usb-uhci kmod-scsi-core kmod-usb-storage kmod-fs-ext2 kmod-fs-ext3
Then load these modules:
insmod ext2
insmod jbd
insmod ext3
Install e2fsprogs and fdisk: ipkg install e2fsprogs fdisk Partition your disk. I have a 1GB Verbatim and used 700 MB for ext2 and 300 MB for swap. fdisk /dev/sdX <- change this to your device Then format your partition: mke2fs /dev/sdX1 <- change this to your device Mount it and copy the filesystem to your USB-device:
mount -t ext2 /dev/sda1 /mnt
mkdir /tmp/root
mount -o bind /rom /tmp/root
cp /tmp/root/* /mnt -a
umount /tmp/root
umount /mnt
vi /etc/init.d/pivotroot
copy and paste this into /etc/init.d/pivotroot
# change this to your boot device
/sbin/hotplug2 --override --persistent --max-children 1 --no-coldplug &
for module in usbcore uhci scsi_mod sd_mod usb-storage jbd ext2 ext3 ; do {
        insmod $module
        }; done

        # this may need to be higher if your disk is slow to initialize
        sleep 30s
        # mount the usb stick
        mount "$boot_dev" /mnt
        # if everything looks ok, do the pivot root
killall hotplug2
        [ -x /mnt/sbin/init ] && {
                mount -o move /proc /mnt/proc && \
                pivot_root /mnt /mnt/mnt && {
                mount -o move /mnt/dev /dev
                mount -o move /mnt/tmp /tmp
                mount -o move /mnt/jffs2 /jffs2 2>&-
                mount -o move /mnt/sys /sys 2>&-
Then make it executable: chmod a+x /etc/init.d/pivotroot Now, make the symlink so it will start at boot time: ln -s /etc/init.d/pivotroot /etc/rc.d/S10pivotroot replace everything in /etc/init.d/rcS with this vi /etc/init.d/rcS
# Copyright (C) 2006 OpenWrt.org
if test $2 == "boot" ; then
 for i in /etc/rc.d/$1*; do
 $i $2 2>&1
} | logger -s -p 6 -t '' &

Now reboot and telnet to your slug

Use 'passwd' to set your new root password

Log in with ssh. To make sure it works type df -h. Which will give you something like this

Filesystem                Size      Used Available Use% Mounted on
/dev/sda1                 1.0M      1.0M         0 100% /mnt/rom
/dev/mtdblock5            5.4M    752.0k      4.6M  14% /mnt/jffs
mini_fo:/jffs             1.0M      1.0M         0 100% /mnt
/dev/sda1               656.1M     19.0M    603.7M   3% /
Fixup resolv.conf symlink:
rm /etc/resolv.conf
ln -s /tmp/resolv.conf.auto /etc/resolv.conf
If you created a swap partition you may want to use it:
ipkg update
ipkg install swap-utils
mkswap /dev/sda2
swapon /dev/sda2
Make it start at boot time:
echo "#!/bin/sh" >> /etc/init.d/swapspace
echo "swapon /dev/sda2" >> /etc/init.d/swapspace
chmod a+x /etc/init.d/swapspace
ln -s /etc/init.d/swapspace /etc/rc.d/S99swapspace
Use free to see if it worked: free
              total         used         free       shared      buffers
  Mem:        30472        11628        18844            0          960
 Swap:       297192            0       297192
Total:       327664        11628       316036
OpenWRT full backup
tar cv /bin /etc /home /lib /root /sbin /tmp /usr /www > openwrt.tar
scp openwrt.tar user@backup-serve:/backup

How to setup OpenVPN with bridging on OpenWRT


opkg update
opkg install openvpn openvpn-easy-rsa

Or if you prefer configure openvpn via GUI:
opkg install luci-app-openvpn


export EASY_RSA="/etc/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG=""
export KEY_EMAIL="jan.faix@gmail.com"
export KEY_CN=home-router
export KEY_NAME="Jan Faix"
export KEY_OU=""

Build your certificates:


Create the server key:
build-key-server server

Create as many client keys for each person who will connect:
build-key jan

PKCS12 Format (combines the key and ca certificate in one file):
build-key-pkcs12 jan

Copy the important files to the /etc/openvpn directory, so that they are duplicated:

cd /etc/easy-rsa/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

Copy ca.crt and the client crt/key files off the router and onto the machines that will be connecting.

Client Config

remote faix.homelinux.net
port 1194
proto udp
dev tap
ns-cert-type server
ca ca.crt
cert jan.crt
key jan.key
verb 4

Modify your firewall

config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'family' 'ipv4'
        option '_name' 'openvpn'

/etc/init.d/firewall restart

Restrict your DHCP leases

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '11'
        option 'limit' '20'
        option 'leasetime' '12h'
        list 'dhcp_option' '6,,'

/etc/init.d/dnsmasq restart

Create the server configuration

config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tap0'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/tmp/openvpn-status.log'
        option 'log_append' '/var/log/openvpn.log'
        option 'verb' '4'
        option 'up' '/etc/openvpn/bridge-start.sh'
        option 'down_pre' '1'
        option 'server_bridge' ''
        option 'down' '/etc/openvpn/bridge-stop.sh'

Note that addresses to are reserved for your VPN clients.

Bridged VPN Configuration


config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' ''
        option 'netmask' ''

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'netmask' ''
        option 'dns' ''
        option 'ipaddr' ''
        option 'ifname' 'eth0.1'
        option 'broadcast' ''

config 'interface' 'wan'
        option 'ifname' 'eth0.2'
        option 'proto' 'static'
        option 'ipaddr' 'x.x.x.x'
        option 'netmask' ''
        option 'gateway' 'x.x.x.x'
        option 'broadcast' 'x.x.x.x'
        option 'dns' ''

Configure OpenVPN init script:

In section start_service() add following:

ARGS="--script-security 2"


Show brigde status:
brctl show
bridge name bridge id STP enabled interfaces
br-lan 8000.f8d111adbf84 no eth0.1 wlan0 tap0

Check system log: