!openwrt@lemdro.id
OpenWrt news, tools, tips and discussion. Related projects, such as DD-WRT, Tomato and OpenSAN, are also on-topic.
https://slrpnk.net/post/12643756
I don't even know how to summarize that machine 😄 It is absolutely awesome. [Turris](https://www.turris.com) is a company by the Czech TLD registrar [CZ.NIC](https://www.nic.cz/), which is run as a nonprofit and invests a ton in open source network software.

## The Origin

This talk summarizes it well: https://www.youtube.com/watch?v=cB5OG_V3aSE

They wanted to build a device to analyze hacking attacks on the people in Czechia. The device should be as close to the network as possible (i.e. a router) and have compelling and understandable hardware that could be upgraded over time. So… they made a router. Originally using PowerPC, now on ARMv7 (poorly, only their mobile MOX is already on ARMv8).

## Where to get it

Originally they gave the devices away for free, under the agreement that the users contributed the Sentinel analysis data. Then they opened an [Indiegogo campaign](https://www.indiegogo.com/projects/turris-omnia-hi-performance-open-source-router#/), which far exceeded their expected amount of funding. Afterwards they had their own webshop (shop.turris.com), which is now discontinued. Instead, these stores are available:

- [Rubytech DE](https://www.rubytech.de/turris-router/) (the strangest signup method I ever had :) but all fine)
- [Discomp CZ](https://www.discomp.cz/turris-omnia-wi-fi-6-silver_d116907.html?action=setcur&curid=14)
- [Amazon](https://www.amazon.com/-/de/stores/Turris/page/4EB82124-A160-4117-9404-00DA2DF8FE26)

Note: they sent me an additional T-shirt, ethernet cable and tube scarf, which is… interesting. Also, they don't have a good system to determine the recipient country, so I have an additional power supply cable for another country. They also included a wall mount, with a set of perfectly fitting, longer screws. All screws have regular Phillips heads.

## Software

They took OpenWRT, but extended it a ton. As they have 8GB of storage and 2GB of RAM, they can do stuff way above the minimum hardware requirements of OpenWRT. They have a graphical package manager in the WebUI, and use BTRFS snapshots for atomic updates. Which is totally cool! That was over 10 years ago and the first router they made is still supported with updates.

## Hardware

The data sheet can be obtained [here](https://secure.nic.cz/files/Turris-web/Omnia/Omnia_wifi6_datasheet_EN.pdf). The "Omnia Wifi6" I got uses a bit outdated hardware, similar to my Thinkpad T430. They will very likely switch to m.2 slots and ARMv8, so you may want to wait for such a revised model. The current Omnia has 3 mini-PCIe slots, 2 USB-3 ports and a ton of pins accessible from the inside.

![Picture of a disassembled Omnia Router](https://slrpnk.net/pictrs/image/f0141886-6bc6-4146-aae1-3b5514311967.jpeg)

- The left one supports USB, and below you can plug in a SIM card and use a 3G/4G/5G card. With an additional package, this can be used to automatically fall back to the cell network when the regular connection fails.
- The middle one is just mini-PCIe.
- The right one supports mSATA, so with a simple adapter you can use SATA SSDs for near-native speed. (I want to do that, but it may need an additional power supply.)

![Article picture of an mSATA to SATA adapter](https://slrpnk.net/pictrs/image/4987f8ca-bcac-4844-b9e5-968661fc60da.webp)

And, of course, in the front it has fancy RGB LEDs. They are used as indicators for the running state, and for the action you do by pressing the "Reset" button. In the back it has 4 ethernet sockets, 1 WAN ethernet socket to connect to the internet, one SFP socket for a fiber connection, a multi-purpose button and a power socket. The button in combination with the LEDs is used for various things like reboot, reset, update, update from local file, update from internet.

## Setup

To set it up, connect it to power and with one of the LAN (not WAN) sockets to a laptop, using ethernet. Right, before setup it doesn't open a wireless connection! This was confusing for me but really makes sense. In the browser enter http://192.168.1.1 and a very nice graphical WebUI guides you through the setup. If you use it over LAN, accept the self-signed TLS certificate in your browser, then HTTPS should work.

## Applications

It runs a highly extended variant of OpenWRT. There is a [huge amount of software](https://docs.turris.cz/basics/apps/librespeed). It varies from preinstalled to installable through packages, from Foris WebUI integrated to advanced, requiring the normal OpenWRT LuCI or requiring configuration through the terminal. An incomplete and chaotic overview:

- file server: SMB, DLNA, encrypted storage, mdadm
- Transmission bittorrent client
- OpenVPN server & client
- Wireguard (advanced)
- Nextcloud, Syncthing (both have accessible login pages from the main WebUI)
- Tor
- Adblock
- Dynamic firewall
- haas: honeypot as a service (needs a public forwarded IPv4 address)
- Turris Sentinel: security data collection service, analyze incoming threats (the use they originally intended)
- Librespeed: lightweight network speed test
- support for LXC containers to run your favourite Linux distro
- schnapps to manipulate BTRFS snapshots
- LAN monitoring with PaKon and Morce

NOTE: the data collection service "Sentinel" is opt-in and disabled by default.

## DNS

The DNS server is not set, I used [nic.cz](http://nic.cz) with DNSSEC; other providers like Cloudflare and Quad9 are also available, just like manual setup. DNSSEC works with a single button press, without any issues!

## Configuration

You can configure things with a config file that you insert over a USB stick.

## Storage

You can plug in an external drive (USB of course, but I want to try mSATA to SATA) and it formats it and moves all data on there. It sets up different RAID systems, I don't know if encryption is supported. So, you have over 7 different ways to host a fileserver on there, up to a full instance of Nextcloud. This is crazy!

## Wifi Routing

You can open 2 Wifis (no idea how that works) and each can also have a separate guest network. Security:

- By default, WPA3 with WPA2 fallback is used. I changed it to WPA3-only, as WPA2 is vulnerable to attacks (see [this video](https://www.youtube.com/watch?v=X49lIPHcurE) on how to sniff passwords with Kali Linux, which requires a custom kernel driver).
- 2 guest networks possible, I highly recommend using those for everyone apart from admins.
- VLANs are also supported, and need to be enabled.
- Reminder: before first configuration, no Wifi is enabled. There is no initial password set.
- You can have different passwords for the admin WebUI and ssh.

The reach is great, but roughly equal to the modern Fritzbox we already have, which only has a single, hidden antenna. The time to connect to the Wifi is a bit longer than at the FritzBox.

## Community & Support

Their code is all hosted on the [CZ.NIC Gitlab](https://gitlab.nic.cz/turris). The Turris team can be contacted via email and they respond pretty quickly. The same contact is used for repairs. They have also had a [Discourse forum](https://forum.turris.cz) for a long time, where people can exchange bugs, issues, software and hardware mods, adapters etc.

## Other fun stuff

The founder of Turris has a [blog](https://michal.hrusecky.net/).
With so many devices implementing their own proprietary standards, it is nice to have a way to have something open and standard.
Unfortunately, a Linksys E8450 of mine has succumbed to the OKOD (OpenWRT Kiss of Death) (in case you are unfamiliar). From what I understand, it should be recoverable from its current effectively bricked state. I've tried going through the process, but I haven't had too much luck, and I'm somewhat stuck at the moment, so I would appreciate some guidance. There are two potential objectives that I am hoping to achieve: the first, and primary, objective is to simply recover the router from its currently bricked state so that it can be used like normal, and secondly, if possible, recover the data and configuration that was on it.

I have tried following this guide, but I'm not sure what I am supposed to do at the end. I completed the last step, but the router still isn't able to boot on its own. If I run `boot` from the U-Boot console, it appears to be able to boot into the OpenWRT CLI, but if I then reboot from that CLI, it shows the following error:
```
F0: 102B 0000
F6: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
BP: 0400 0041 [0000]
G0: 1190 0000
T0: 0000 02D7 [000F]
Jump to BL
NOTICE: BL2: v2.9(release):OpenWrt v2023-07-24-00ac6db3-2 (mt7622-snand-1ddr)
NOTICE: BL2: Built : 21:45:35, Oct 9 2023
NOTICE: CPU: MT7622
NOTICE: WDT: [40000000] Software reset (reboot)
NOTICE: SPI-NAND: FM35Q1GA (128MB)
ERROR: BL2: Failed to load image id 3 (-2)
```
That same error is what shows when I watch the serial output of the router while it boots from the power switch.
My Linksys E8450 has succumbed to the OKOD (OpenWRT Kiss of Death). In case you are unaware, the OKOD essentially is the E8450 spontaneously dying. Loss of power, or a reboot, can lead to it completely dying — the lights don't come on, and it is essentially bricked. Afaik, it is currently unknown exactly what causes it.
Anyways, it may be possible to recover, and I am currently working on that, but should I not be able to recover it, I will need to purchase a new router. To that end, I am looking for recommendations for a new router that is equal to, or better than the Linksys E8450 (it must be well supported by OpenWRT).
I may just buy another E8450, but I am curious if there is a better alternative.
I've noticed a few prosumer type devices are now on the market.
https://openwrt.org/toh/tp-link/eap225
Hello everyone!
I'm trying to set up WireGuard on my phone to access hosts in my LAN and the internet through my router.
I managed to set up WireGuard on both ends and get the handshake working, but that's it. I can't ping any hosts in my LAN nor on the WAN.
I created a firewall rule to forward traffic from wg to the lan.
And changed the lan one to allow forwards from wg as well as allow forwards (so it can route the traffic to the wan).
https://imgur.com/a/b7yE0ul
So far no luck. Any ideas?
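For comparison, here is a complete OpenWrt configuration for the setup the post describes (a phone peer, a wg zone forwarded to lan and wan). It is an added example, not the poster's configuration; the interface name wg0, the tunnel subnet 10.10.0.0/24, the listen port and the key placeholders are assumptions.

```uci
# /etc/config/network (added example; names, subnet and keys are assumed)
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<ROUTER_PRIVATE_KEY>'
	option listen_port '51820'
	list addresses '10.10.0.1/24'

config wireguard_wg0
	option description 'phone'
	option public_key '<PHONE_PUBLIC_KEY>'
	list allowed_ips '10.10.0.2/32'
	# Without this the router never installs a route back to the phone:
	# the handshake completes but replies never enter the tunnel.
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/firewall
# Own zone for the tunnel, so its access is granted explicitly per destination
config zone
	option name 'wg'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'wg'
	option dest 'lan'

# Internet access for the phone; the wan zone's masq handles the NAT
config forwarding
	option src 'wg'
	option dest 'wan'

# Only the WireGuard port is opened towards the internet
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
```

On the phone, AllowedIPs must cover what should go through the tunnel (0.0.0.0/0 for everything, or the LAN subnet plus 10.10.0.0/24 for LAN only); a handshake with an empty or wrong AllowedIPs looks exactly like the symptom described above.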
Hi!
Can anyone please help me to make my MAC be randomly generated after each reboot?
I need some kind of script or instructions. Thank you!
Found this one:
```sh
#!/bin/sh
# Installs an init script that gives every interface except lo a fresh
# random MAC address at boot. Relies on $RANDOM, which BusyBox ash on
# OpenWrt provides.
INSTALL_PATH="/etc/init.d/randomize_mac"
echo "Creating MAC randomizer script..."
cat << 'EOF' > "$INSTALL_PATH"
#!/bin/sh /etc/rc.common
START=99

generate_random_mac() {
    # The first octet must be unicast (bit 0 clear), otherwise the kernel
    # rejects the address; setting bit 1 marks it as locally administered.
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( ((RANDOM % 256) & 252) | 2 )) \
        $((RANDOM % 256)) $((RANDOM % 256)) $((RANDOM % 256)) \
        $((RANDOM % 256)) $((RANDOM % 256))
}

change_mac() {
    local iface="$1"
    local new_mac
    new_mac=$(generate_random_mac)
    ip link set dev "$iface" down
    ip link set dev "$iface" address "$new_mac" \
        || echo "randomize_mac: $iface refused $new_mac"
    ip link set dev "$iface" up
}

start() {
    # Enumerate interfaces from sysfs; parsing `ip link` output breaks on
    # names such as eth0.1@eth0.
    for iface in $(ls /sys/class/net); do
        if [ "$iface" != "lo" ]; then
            change_mac "$iface"
        fi
    done
}
EOF
echo "Making MAC randomizer script executable..."
chmod +x "$INSTALL_PATH"
echo "Success!"
echo "Enabling MAC randomizer script to run at boot time..."
/etc/init.d/randomize_mac enable
echo "Success!"
echo "Deleting installation script..."
rm -- "$0"
```
Here is an example of the output of this command:

```sh
echo $(printf '%02x' $((RANDOM%256)))":"$(printf '%02x' $((RANDOM%256)))":"$(printf '%02x' $((RANDOM%256)))":"$(printf '%02x' $((RANDOM%256)))":"$(printf '%02x' $((RANDOM%256)))":"$(printf '%02x' $((RANDOM%256)))
```

Output:

```
a7:03:f2:fa:45:5d
```
I need to make my router admin panel accessible only by HTTPS and block HTTP.
I am using a Mudi v2.
ChatGPT, prompted to generate a custom CA:
```sh
#!/bin/sh
set -e
# Private CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=XX/ST=XX/L=XX/O=Example/OU=CA/CN=ca.example.lan"
# Router key and certificate request
openssl genrsa -out router.lan.key 4096
openssl req -new -key router.lan.key -out router.lan.csr -subj "/C=XX/ST=XX/L=XX/O=Example/OU=Devices/CN=router.lan"
# Browsers ignore the CN and require a subjectAltName, so sign the CSR with one
printf 'subjectAltName=DNS:router.lan\nextendedKeyUsage=serverAuth\n' > router.lan.ext
openssl x509 -req -days 36500 -in router.lan.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile router.lan.ext -out router.lan.crt
echo "CA and signed router.lan certificate generated in current directory"
```
It will generate certificates and key. What to do next?
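One way to finish this on a router running the stock OpenWrt web server, as an added example rather than an answer from the thread: copy router.lan.crt and router.lan.key (PEM, as the script produces) to the router, install ca.crt as a trusted CA on the client, and configure uhttpd with no HTTP listener at all. It assumes uhttpd (GL.iNet firmware such as the Mudi's may front LuCI with a different web server) and the file paths shown.

```uci
# /etc/config/uhttpd (added example; paths are assumptions)
config uhttpd 'main'
	# No listen_http entries, so port 80 is closed rather than redirected.
	# To redirect instead, keep listen_http and set option redirect_https '1'.
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	# PEM certificate and key from the script above; keep the key mode 600.
	# The name in the certificate's SAN must be the name typed in the browser.
	option cert '/etc/uhttpd/router.lan.crt'
	option key '/etc/uhttpd/router.lan.key'
	option home '/www'
	# Drop requests from RFC1918 addresses that carry a public Host header
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cgi_prefix '/cgi-bin'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'
```

Apply it with `/etc/init.d/uhttpd restart`; the default wan zone still rejects inbound connections, so port 443 stays reachable from the LAN only unless a firewall rule opens it.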