Divested-WRT: No-nonsense hardened builds for Linksys WRT series

@SkewedZeppelin could you please shed some more light on this?

Is there a technical reason it won't be possible to use OpenVPN (if we, say, compile the firmware ourselves and add the relevant packages), say due to package incompatibility or anything?

I know your stance on OpenVPN (and why wireguard is superior), but personally I have a colocated server and to access the management device, my hosting partner provides only OpenVPN to access that private network, meaning i don't have much choice in the matter :frowning:

With the understanding you're not offering to provide any support/guidance in getting OpenVPN working, could i just ask if you're aware of any obstacles one would face trying to get it to work, say because of the way DivestedWRT is put together, packages it might choose to use, etc or anything?

Just curious, but since you have a fairly specific use case why not just install 23.05-rc3 and install all the packages you need for your setup? It should be trivial to set up for you.

thanks for the suggestion, but before i would even consider going down that road, i'd need to have a very compelling reason to do that instead, seeing as the DivestedWRT build has so many advantages (one of which being the owner's apparent extensive experience and security background that have helped shape all the fine tuning they're obviously staying on top of very well - that's certainly not a small task to undertake myself, effectively having to re-invent the wheel, just to be able to use openvpn).

(and that's not even to mention all the scripting/tooling work i've already done to set up automated config-baking (immutable-build-like) support, also customizing DivestedWRT further for my own needs; i'm just hoping openvpn can be added to the list of tweaks i've made (nothing major, just being more selective about which packages to include as part of the basebuild).)

@aleks-mariusz

you quoted a post from over two years ago... a few posts after it I did add back the modules for OpenVPN compatibility.

Yup sorry, i didn't realize you had eased your stance on OpenVPN :slight_smile: Just in case anyone else is interested, i got my OpenVPN-client use-case to work flawlessly with little fuss on DivestedWRT!

So I've made some significant progress on my "personal-fork" of DivestedWRT and am in a place where i feel like i can boast^H^H^H^H^Hshare a bit.

Some background, i had an OK internet provider (500mb down/50ish up) but when my contract ended they wanted to double the price, and someone else just rolled out fibre in the neighborhood.. so tl;dr - i switched to the new company and got faster speeds/a nice discount

longer version: it seemed the perfect time to dust off the WRT32X that's been sitting in storage since i bought it, once i found out my block got wired for fibre this summer.. while my old ISP had a decent modem and i was using a linux-VM as my auxiliary router (for things like VPN'ing, DHCP/DNS via PiHole, giving IPv6 where my ISP had been falling behind (almost 150 pages of a forum topic going back to 2010)... badly...), i never actually got around to deploying/playing with OpenWRT when i picked the router up on eBay (for cheap) two years ago.. until a month ago... *cue the suspenseful music*

So anyway, the rest was a no brainer. I waited until the existing ISP's contract was up this mid-month and at the beginning of the month signed up for the same speed down ~500 up but now symmetric (kinda).. and i was off to the races (e.g. get all the network services i had set up working over the last few years, but on a new network and new router, before my old service got torn down next month)..

Oh and a very pleasant surprise: seems my upload didn't get capped correctly to be the same as my download and i can actually upload almost at gigabit speeds (closer to ~900mbps but way higher than the 500mbps i signed up for i can download at).. hmmm yahhh i don't think i'll be opening a support ticket to get that fixed though :slight_smile:

The rest below is a report on the details of my setup, in case anyone was interested in the tweaks i've chosen to make or had questions/needed help on how I did anything:

  • tweaked the build-system to be containerized (but using an alpine-based "lightweight" setup, or as lightweight as can be given all the build dependencies needed)

  • tracking all changes for the router's configs/customizations using git (this however is a private repo so i can't share that, as it's got security-sensitive information specific to my network - if there's interest around something specific perhaps i can share extracts from it) - essentially i'm patching the DivestedWRT patches :slight_smile: that might sound dirty to you but it seems so far to work surprisingly well (tho trying to understand a git diff of a diff is uhmm.. interesting, to say the least)!

  • the rebuild process "bakes-in" the current set of configs, so the whole router can be upgraded with all settings intact, without relying on sysupgrade doing any config preservation of its own (not that there's anything wrong with sysupgrade, but i prefer the immutable-infrastructure approach where i can just blow it all away to an earlier working-config when i inevitably screw up - something i've already had to do a few times).

Then i went and removed (and some reasoning behind those decisions - prove me wrong :slight_smile: ):

  • all other build-targets, except the one for my WRT32x (no need to build the other dozen WRT-flavors or buffalos, etc)

  • all localizations (i don't speak the other 30+ languages DivestedWRT bundles, this build is only intended for me... though understandably as DivestedWRT is intended for the masses, others might)

  • Bluetooth/SDIO-based junk.. (i mean who really needs that third antenna? it was reported to potentially cause issues (though i admittedly haven't had this device long enough to know if i even experienced them, just seemed like a low-risk tweak that's easy to back out if needed), and i supposedly could enable 160MHz on 5GHz.. though i haven't quite gotten 160MHz to work yet myself, on the left-TODO list, any guidance appreciated!)

  • USB/MMC support from the kernel (c'mon it's just supposed to be router not a storage server, for me it's one less attack-vector if someone has physical access and i've no interest in usb-based network adapters either)

  • all UPnP traces (it's a security risk and i don't currently need/would make use of its functionality)

  • WireGuard, just cuz i don't need it at the moment and to further slim down the build (ya ya this wasn't going to be that-huge a space-saver.. it was more about only leaving packages that i'm aiming to use in the near-future - mainly for security's sake, i say)

...ok come to think of it, i may add WG back one day, as it's amazingly-simple to setup but only when/if i need it.. mmm yah could be nice-to-have functionality one-day.

Next I added the following packages:

  • rsync (needed for my syncing/building scripts to copy multiple files/dirs off the router for future rebuilds, in lieu of me relying on sysupgrade)
  • bash (yahh... perhaps it's gotten a bit bloated for a shell, but i have come to rely on some advanced shell-history tricks and with all the tweaking often need to log in and do things, and busybox just wasn't cutting it)..
  • openvpn (incl luci support), as per my recent post
  • strongswan, for my road-warrior clients to VPN in (but oh man.. more on this below)

And here's some functionality i now have:

  • half a dozen or so networks/separate VLANs for different things (think: layered security each level can only reach the adjacent one: separate mgmt network, lan network, wifi network, wan-network, guest network, etc), along with 802.1q trunking to a "baby"-core switch.. anyone remember router-on-a-stick?

  • locked down access to router (and switch) that's on my mgmt network, so that it's only accessible from lan network, not from wifi or home networks (or guest wifi, of course).

  • providing NTP for internal hosts (on the TODO: fw redirect outgoing requests to the router), as well as DNS (ditto re FW), and DHCP (via dnsmasq for ipv4/odhcpd for ipv6, but i'm also doing multi-dnsmasq instances so each VLAN has its own sub-domain).. that last one was a quirky one, and came after much struggle and misunderstanding.. ...ugh.. DHCP is a bit of an odd bird; i think many folks eventually find this invention rather aggravating when it doesn't work (and like magic when it does)! they say, with great power comes.. sorry, wrong story.

  • more about the filtered-DNS: using OpenDNS (this seems to work only intermittently for some reason at the moment, if i had kids i'd be more on it to fix, but obviously i spend all my time on tech and it seems i'm too busy to have kids).. oh and divblock (tho divblock has been a bit of a PITA, i've already found 4 sub-domains blocked that i need to make domain-level exceptions for, related to me doing my day-job in the last week and a half.. might disable this or go back to pi-hole for the shiny GUI & graphs).

  • able to use WPA3 fully.. yeeehhh NOPE kidding folks - that's still broken on these WRT series with the crappy closed-source marvell wifi drivers :-/

  • able to use OpenVPN to get to my colo-servers' private mgmt network

  • able to allow "road-warrior" clients to VPN into my home-network via strongswan, using the newish swanctl config support (i have 2 apple-based devices i rely on mainly that need this ability

    • i'm using TLS for auth, and no extra software needed on the devices themselves as ipsec-support is native)..

This last one was the hardest part for me, and i encountered a lot of openwrt-documentation woes (the OpenWRT wiki saying one thing while that approach has not yet been updated for UCI, also other new functionality not being documented on that wiki.. i'll probably have to roll up my sleeves and update the wiki myself) and even a bug, for good measure..

Now I'm still in disbelief this setup works! But yah.. I spent what felt like days on just that, reading all the various "water-bird"-related references and trying to piece it together based on a previous example and my rusty knowledge of ipsec (most of the forum posts just tell people to use wireguard instead :man_facepalming: - i KNOW wireguard is way simpler, but it also requires additional software on the clients, which i really wanted to avoid needing - plus i seem to be a bit masochistic and i get to learn quite a few IPSec-ey things along the way).

For more info on the above, see this post where i elaborate on some of the more technical details of my ipsec-journey..

Welp, I still need to do more thorough testing on the functionality of VPN clients, but at least i reached a break-through milestone for VPN services, where when my old internet service stops working next week, i won't be stranded vpn-less.. :slight_smile:

1 Like

linksys will benefit from this update?

(10 char)

Huh?

Presumably an interest in the functionality forthcoming as noted in push comment, but for mvebu target.

2 Likes

Missed that. Thanks.

Although ipq806x is very different from our target, the switch to DSA (years after mvebu did) will help OpenWrt as a whole, since that will only be improved further with the most popular wifi 5 target using it.

Multi CPU DSA is huge if true. It would make mvebu (WRT3200ACM / WRT32x specifically) capable of doing SQM Cake at 1Gbit. This would be a huge enhancement for people with those connection speeds (although those users really should consider an R4S or DL-WRX36 which does it).

That said, it's still a dream for mvebu, this patch is for QCA8K. By the time it could happen on mvebu I'll likely be using a more performant Wifi 6 main device like the WRX36 :slight_smile:

Does anyone know why the software acceleration is not working? I have a 600/600 connection and I dial pppoe on the wrt3200 and it is very difficult to use without software offloading. Is there any prediction or way to adjust this? With SQM it is almost impossible to exceed 293 megabits.

I'm doing SQM cake at 350Mbits without CPU0 maxed so not sure what you mean? But no, software flow offloading is broken for mvebu, and has been since DSA I think. No one seems to know how (or care?) to fix it, don't think it works in kernel 6.1 either. If you need more speed might be time for a DL-WRX36.

I used ddwrt for a few days and noticed that SFE, which is the alternative to software offloading, works perfectly there. It's worth remembering that CPU usage is always below 30% under the same conditions using SQM in its entirety; however the wifi does not have the same quality, but I cannot say why this is. I hope someone is interested in solving this problem because it affects us severely in terms of performance.

2 Likes

Noted as broken during 5.15 WIP, do not recall anyone tying breakage to DSA or anything else than the kernel push. I have not actually tried again with 6.1. @phinn, have you actually tested?

Software flow offload might not actually be connected to DSA, it's just been broken so long I thought they were associated. I haven't tried to enable it with 6.1 since I'm using SQM, but someone should test it out. Right now I'm putting rc4 through its paces, once I switch back to the Divested build with 6.1 I can test it.

Still pooched on 6.1.48.

3 Likes

I would like to know if there is any way to try to make the new wifi drivers work in version 19.x of openwrt. I tested it and yes, software offloading works and it performs very satisfactorily, despite the kernel being old; the performance is quite capable. Can anyone do that?

I would say no. As @anomeome notes, it failed when I first moved to 5.15. I used it well after DSA, so it's not related afaik.

I guess you could try a 5.4 build, but that is not something I would advise.

@tamer.hassan (and anyone else) curious what kind of speed you get with these settings?

Me, I've yet to get 160MHz to be stable on my WRT32x.. My macbook (m1 from 2021) being held less than a foot from the wifi antennas alternates between 160MHz and 80MHz (but stays connected continuously), and my speedtest is not very impressive..

I've set channel 36 / 160MHz and force (as per your recommendation), and while I've got fibre half-gig so 500mbps up/down, i can barely get > 250mbps on the download (curiously upload often exceeds 350mbps) over wifi:

Meanwhile when i'm wired via ethernet, i can easily get a healthy 455mbps down and 520mbps up (i have SQM enabled on wan interface w/ the default settings).

Here's what my /etc/config/wireless looks like:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT160'
        option cell_density '0'
        option country 'FR'
        option noscan '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option network 'home'
        option mode 'ap'
        option ssid 'MyNetworkSSID'
        option encryption 'psk2'
        option key 'the-preshared-key'
        option wpa_disable_eapol_key_retries '1'
        option macaddr '60:xx:xx:xx:xx:12'

Also, I've never gotten WPA3 to be usable (after i try to connect, the router starts lagging more and more until it's unusable and needs a reboot) and have all but given up on WPA3 :-/

1 Like
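As an added example (not code from the thread or from the DivestedWRT project), here is a small Python audit of a wireless config like the one posted above: it parses UCI syntax, works out which 20 MHz channels a VHT160 block on channel 36 occupies, and flags what a defender would want to know before going live. It assumes the ETSI DFS ranges (the post's country 'FR'), and the key value is the placeholder from the post, not a real key.

```python
import re
# Constructed sample: the /etc/config/wireless posted above, trimmed to the audited options.
SAMPLE = """\
config wifi-device 'radio0'
        option channel '36'
        option htmode 'VHT160'
        option noscan '1'
config wifi-iface 'wifinet1'
        option encryption 'psk2'
        option key 'the-preshared-key'
        option wpa_disable_eapol_key_retries '1'
"""
# 20 MHz channels per htmode (20 MHz modes default to 1); DFS-only channels under ETSI rules (assumed, country FR).
WIDTH = {"HT40": 2, "VHT40": 2, "HE40": 2, "VHT80": 4, "HE80": 4, "VHT160": 8, "HE160": 8}
DFS_ETSI = set(range(52, 65, 4)) | set(range(100, 141, 4))

def parse_uci(text):
    """Parse UCI syntax into (type, name, {option: value}) tuples; 'list' entries are ignored."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
        elif sections and (m := re.match(r"\s*option\s+(\S+)\s+'([^']*)'", line)):
            sections[-1][2][m.group(1)] = m.group(2)
    return sections

def channels_spanned(channel, htmode):
    """20 MHz channels in the wide block; block alignment holds for 36-144, UNII-3 (149+) returns the primary only."""
    n = WIDTH.get(htmode, 1)
    if n == 1 or channel >= 149:
        return [channel]
    base = 36 + (channel - 36) // (4 * n) * (4 * n)
    return [base + 4 * i for i in range(n)]

def audit(sections):
    """Yield findings about the radio and interface settings a defender should review."""
    for typ, name, o in sections:
        if typ == "wifi-device" and o.get("channel", "auto").isdigit():
            dfs = [c for c in channels_spanned(int(o["channel"]), o.get("htmode", "")) if c in DFS_ETSI]
            if dfs:
                yield f"{name}: {o.get('htmode')} on channel {o['channel']} covers DFS channels {dfs}: expect a CAC wait and radar-triggered channel switches"
            if o.get("noscan") == "1":
                yield f"{name}: noscan=1 skips the overlapping-BSS scan and forces the wide channel regardless of neighbours"
        elif typ == "wifi-iface":
            enc = o.get("encryption", "none")
            if enc.startswith("psk") and len(o.get("key", "")) < 12:
                yield f"{name}: PSK shorter than 12 characters"
            if enc != "none" and o.get("wpa_disable_eapol_key_retries") != "1":
                yield f"{name}: wpa_disable_eapol_key_retries not set (KRACK key-reinstallation mitigation)"
```

Run `list(audit(parse_uci(open('/etc/config/wireless').read()))` on the router's own file to get the same report for a live config.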