Automated install script for OpenWrt in a Container on Proxmox!

I have created an automated install script for Proxmox to install OpenWrt in a container. The beauty is that it downloads the rootfs directly from OpenWrt, and not the Linux containers site.

The script detects bridges, and network devices that can be used for the WAN or LAN, and even has the option to set the subnet of the LAN, with a default value of 10.23.45.1/24. If you do not select any network devices, it will still configure the container for eth0 being the WAN, and eth1 being the LAN for manually adding network devices later.

Tested using 2 bridges, one for WAN and the other for LAN, and had a VM connect through the LAN bridge. It detects the latest stable version, and installs that by default, but you can specify a version manually. I have tested it on 23.05.5 and the current 24.10.0.

If you have multiple Container storage locations, it will prompt you for which one you want to use!

Edit: Added support for Snapshot, and auto install prompt for the LuCI web interface for snapshot. I couldn't test WireGuard, as the repo is missing the ip package right now.

3 Likes

[Insert the usual disclaimer here that running OpenWrt in a container is NOT a supported setup and broken by design, with functional deficiencies and security issues ranging from subtle to glaring]

2 Likes

Not supported, as in, don't bug the developers if some package breaks the container, or doesn't work?

The Install script does install UnPrivileged! So it does not run as root on the Kernel. So the security isn't as bad as it could be. Running in a VM is more secure, but running in a container is great for a VPN gateway, and other things. Especially if you are running on a mini-pc that has very limited resources.

Not supported as in known broken, with parts 'just' not working and others ripping open security holes.

Yes, you will get a pretty webinterface, some aspects may randomly appear to work, others won't, even less securely.

I can't stop you from shooting off both of your feet, just don't say you haven't been warned, explicitly - and when you become part of a botnet or experience other security issues, you have only yourself to blame, not OpenWrt.

1 Like

Hello Jam, I wonder if this script is useful in my case as well... I have an rk3588 Arm SBC. I managed to install a Proxmox fork (8.3.3) on it, and I'd be excited to use it as a home lab, with an OpenWrt CT for networking and another CT for dockerized services, like jellyfin, nextcloud and the ARR stack.
Did you write the script to be compatible with ARM platforms? I'm a total noob, but reading it I see only x86_64 architecture.
If I follow the commands one by one searching for an arm compatible image what are the chances I end up with a working environment?
Any tip is hugely welcome!

Why not use a VM?

OpenWRT is lightweight enough that the VM specs don't need to be all that much. Having a VM with PCIe/USB passthrough is probably a better solution since it allows OpenWRT to have its own kernel and filesystem.

1 Like

Hello Darin!
Actually I'm open to all solutions, as I'm trying to learn.
The reason I'd go for the CT is I cannot find an ISO for the arm64 version of OWRT.

So if you have an rk3588 SBC, and you managed to install Proxmox and an OpenWrt virtual machine running on it, I would beg you to show me how you do it, as the box has to mainly work as a router for me, and only after that provide additional services.
Since @slh warns against using openwrt in containers, how do we run it as VM in a ARM64 proxmox setup?

Well, I just saw your message on here, then on my Gist. I ran the script through Grok, and had it try to work for ARM, but I have no way of testing it.

1 Like

Thank you very much! I will try your neat solution, and if it doesn't work I'll just steer on openwrt with docker, and see if it fits my use case.
I will surely report my results, considering the complexity of ARM based platforms!

@thpryrchn, today I found some time to run the script, but apparently there's some glitch.
This is the result:

root@proxmox:~# wget https://gist.githubusercontent.com/jaminmc/7e786a8947746439f7b8a8e2726e629d/raw/17cd815c04f4a25866fb7d04885ea0068634ede8/install_openwrt_proxmox.sh -O install-openwrt-proxmox.sh
--2025-06-11 12:44:47--  https://gist.githubusercontent.com/jaminmc/7e786a8947746439f7b8a8e2726e629d/raw/17cd815c04f4a25866fb7d04885ea0068634ede8/install_openwrt_proxmox.sh
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13477 (13K) [text/plain]
Saving to: 'install-openwrt-proxmox.sh'

install-openwrt-proxmox.sh           100%[======================================================================>]  13.16K  --.-KB/s    in 0.001s

2025-06-11 12:45:10 (18.6 MB/s) - 'install-openwrt-proxmox.sh' saved [13477/13477]

root@proxmox:~# chmod +x install-openwrt-proxmox.sh
root@proxmox:~# ./install-openwrt-proxmox.sh
Fetching latest stable OpenWrt version...
Detected latest stable version: 24.10.1
Enter OpenWrt stable version (default: 24.10.1): 24.10.1
Enter Container ID (default: 100): 100
Enter Container Name (default: openwrt-100): OpenWRT-24.10.1
Enter root password (leave blank to skip):
Confirm root password:
Enter memory size in MB (default: 256): 2048
Enter number of CPU cores (default: 2): 2
Enter storage limit in GB (default: 0.5): 4
Enter LAN subnet (default: 10.23.45.1/24): 192.168.1.1/24
Downloading OpenWrt 24.10.1 rootfs...
Error: Failed to download OpenWrt 24.10.1 image

It asked for my preferences about the interfaces in CLI as expected, and soon after it just quit with this error.
Can I ask you in case of aarch64 platforms (like my nanopc-t6 board) what are you telling the script to look for? A generic ARMv8 rootfs image? Where do you scrape it from? :thinking:
Sorry, I hope not to bother you...This is maybe something that I should be able to fix myself...

I think you need a generic ARM image that has EFI boot. It is much harder than x86 as ARM isn't all that standardized. I'm also not sure if ARM hardware even supports the needed virtualization instructions. You might be running an emulator.

My advice would be either to get an x86 machine or a wireless router that supports OpenWRT.

Hey Darin,
yes, finding a generic armv8 image is not that simple. But I want to explore the idea of using the sbc, because given that I succeed, the power consumption would be half of a N150 pc, and triple the power of whatever router, plus dedicated media transcoding, with the VPU. Atm I'm using several routers, all with owrt, but nothing I can call "my little homelab".

Hey Jam,
I'm surely not a genius, considering the effort I have to put in order to make little advancements, but...
The script is now halting here, after running it with your default parameters:

root@proxmox:~# ./install-openwrt-all-arch.sh 
Fetching latest stable OpenWrt version...
curl: (6) Could not resolve host: downloads.openwrt.org
Detected latest stable version: 24.10.0
Selected architecture: aarch64
Enter OpenWrt stable version (default: 24.10.0): 24.10.0
Enter Container ID (default: 100): 100
Enter Container Name (default: openwrt-100): openwrt-24.10.0
Enter root password (leave blank to skip): 
Confirm root password: 
Enter memory size in MB (default: 256): 256
Enter number of CPU cores (default: 2): 2
Enter storage limit in GB (default: 0.5): 0.5
Enter LAN subnet (default: 10.23.45.1/24): 10.23.45.1/24
Using existing OpenWrt image: openwrt-24.10.0-armsr-armv8.tar.gz
Creating LXC container 100...
Formatting '/var/lib/vz/images/100/vm-100-disk-0.raw', fmt=raw size=536870912 preallocation=off
Creating filesystem with 131072 4k blocks and 32768 inodes
Filesystem UUID: d92e1464-d3e9-4108-990e-682a692ab56d
Superblock backups stored on blocks: 
        32768, 98304
extracting archive '/var/lib/vz/template/cache/openwrt-24.10.0-armsr-armv8.tar.gz'

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
unable to create CT 100 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf - -z --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' -C /var/lib/lxc/100/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2
Error: Failed to create container

Can you spot something wrong?

P.S: sometimes it defaults on 24.10.0, some other it catches 24.10.1, but this is not the problem.
It seems to me a problem related to the extraction of the archive.

Can I run it in verbose mode, so to give you a wider scope?

In this section:

# Build pct create command with corrected network options
echo -e "${GREEN}Creating LXC container $CTID...${NC}"
NET_OPTS=()
[ -n "$WAN_BRIDGE" ] && NET_OPTS+=("--net0" "name=eth0,bridge=$WAN_BRIDGE")
[ -n "$WAN_DEVICE" ] && NET_OPTS+=("--net0" "name=eth0,hwaddr=$(ip link show "$WAN_DEVICE" | grep -o 'ether [0-9a-f:]\+' | cut -d' ' -f2)")
[ -n "$LAN_BRIDGE" ] && NET_OPTS+=("--net1" "name=eth1,bridge=$LAN_BRIDGE")
[ -n "$LAN_DEVICE" ] && NET_OPTS+=("--net1" "name=eth1,hwaddr=$(ip link show "$LAN_DEVICE" | grep -o 'ether [0-9a-f:]\+' | cut -d' ' -f2)")

pct create "$CTID" "$TEMPLATE_DIR/$TEMPLATE_FILE" \
    --arch "$PCT_ARCH" \
    --hostname "$CTNAME" \
    --rootfs "$STORAGE:$STORAGE_SIZE" \
    --memory "$MEMORY" \
    --cores "$CORES" \
    --unprivileged 1 \
    --features nesting=1 \
    --ostype unmanaged \
    "${NET_OPTS[@]}" || exit_script 1 "Error: Failed to create container"

what I can say is that my two VNETs are called "enlan" and "enwan", differing from the default naming scheme. Don't know if this is the culprit.

UPDATE: I'm trying to manually follow the logic of the script, because I can't bother someone if I don't know that my environment is perfectly functioning.
So, for example, this section here

extracting archive '/var/lib/vz/template/cache/openwrt-24.10.0-armsr-armv8.tar.gz'

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now

is caused by my PVE instance. It was not downloading correctly the rootfs archive. And I don't know why, unfortunately.
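
The failure traced above (a partially downloaded rootfs reused from the template cache and handed to `pct create`) can be caught before the container is created. The following is an added example, not part of the gist or of any post in this thread: `verify_template` and `fetch_template` are hypothetical helper names, and the base URL is assumed to be the release directory that holds both the rootfs archive and its `sha256sums` file.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers, not from the gist).

# verify_template <archive> <sha256sums-file>
# Returns 0 only if the archive is a complete gzip stream AND its SHA-256
# matches the entry for its basename in the sums file.
verify_template() {
    local archive=$1 sums=$2 name expected actual
    name=$(basename "$archive")
    [ -s "$archive" ] || { echo "missing or empty: $archive" >&2; return 1; }
    # A truncated download fails here ("unexpected end of file").
    gzip -t "$archive" 2>/dev/null || { echo "corrupt gzip: $name" >&2; return 2; }
    # Lines look like "<hash> *<filename>"; match the exact file name only.
    expected=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 3; }
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "checksum mismatch: $name" >&2; return 4; }
}

# fetch_template <base-url> <filename> <cache-dir>
# Reuses a cached file only if it still verifies; otherwise downloads to a
# temporary directory so a partial file never lands in the template cache.
fetch_template() {
    local base=$1 name=$2 cache=$3 tmp rc=0
    tmp=$(mktemp -d) || return 1
    if ! curl -fsSL --retry 3 -o "$tmp/sha256sums" "$base/sha256sums"; then
        rc=1   # DNS or HTTP failure: stop instead of falling back to the cache
    elif verify_template "$cache/$name" "$tmp/sha256sums" 2>/dev/null; then
        :      # cached copy is intact
    else
        curl -fsSL --retry 3 -o "$tmp/$name" "$base/$name" &&
            verify_template "$tmp/$name" "$tmp/sha256sums" &&
            mv -f "$tmp/$name" "$cache/$name" || rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

A checksum fetched from the same server only detects truncation and corruption; confirming that the image is authentic additionally requires checking the signature OpenWrt publishes for the sums file.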