I am trying to set up a VPN on my router so that I can securely log in to it remotely as a client to upgrade it when necessary, using a VPN or any other secure method to achieve this goal, but I don't know much and just read the guides.
I tried to install OpenVPN as a first step but am getting an error described here.
There is a possibility that it is not compatible with my router or some other problem.
Is there an alternative to this? I checked WireGuard but the problem is I don't know how to connect to it on the client side. Can an OpenVPN client connect to it? What are the available solutions?
If you install a systemupdate OpenWrt image from a VPN, well, this will work, but how do you plan, after the install has finished, to connect to the router to configure it, install the VPN package and activate the VPN tunnel again?
If you want to do this as a beginner, I highly recommend using the working, stable OpenWrt 19.07.7.
Not a 21.02 release candidate 1.
To “update” you install the systemupdate xx.xx.1(,2,3,4,5,6,7…) and so on when they are released, about every 6 months.
This is a lot better than the original; if they ever get an update, it is usually years between them. And those updates don't fix the problems anyway. They work a lot to change the color on the web interface to look nice and feel new. But for the functionality they have the same faults from day one until discontinued after two years.
Updates like xx.02 to xx.03 never come. That number is the year and month when the release version is locked from the main branch.
It will be like 19.07 to 21.02 meaning firmware version 2019.July to 2021.February.
Usually configs can be moved between service updates (the last numbers) but not between major updates (the two first numbers).
I will be after updates from now on, yes, which are far apart, but when one is out it patches security flaws and updates the kernel and default packages, so it's not really just cosmetic.
I might have used the wrong terminology, upgrade vs. update, but I meant sysupdate images, because the router is already set up with the factory image.
So in this case, when you say 'configs can be moved', did you mean manually, or does it get preserved between minor updates?
Now the other question is: will 19.07.7 be the final in this series, or will it continue receiving updates?
You should establish the VPN connection with DDNS.
And then use the LAN or VPN IP to access the router.
Works for me, try again by copy-pasting the entire block of code.
OpenWrt doesn't preserve user-installed packages over upgrades.
But you can work around the problem with the following method: Saving/restoring user-installed packages
LuCI has a checkbox “save settings” when you are installing a systemupgrade file.
It is supposed to save the configs. This is not a failsafe system; for some it works and for some, like myself, it doesn’t work that well.
For me it works best to always do a clean install and then run my own config scripts that write all settings in a second, then a reboot and off we go.
Or you can do it manually every time.
You have some alternatives with pros and cons no matter which way you go. I think it is more a question how complex your network rig is which method works best for you.
My experience is that the 19.07 will be alive and have security updates until 21.02 will become second in line.
Here we have two preferences also. First is the ones that want the newest stuff with most errors and they are happy with that.
And the other ones that want stability, they will keep going on 19.07 because it works and then maybe switch to 21.02 when the next release comes along and 21.02 is rock solid after a couple of years of testing.
My own preference on this is somewhat right in the middle. I never upgrade the operational routers' firmware when xx.xx.1 is released, because xx.xx.2 and xx.xx.3 and probably also xx.xx.4 will be released within the first 6 months before it really is a “stable” release fit for my operational demands.
SSH when configured for public-key based authentication is quite secure, another reason why it's usually the default method of accessing your VMs/containers in the cloud. It's possible the Dropbear SSH server might have zero-days somewhere in the code that would allow remote authentication bypassing, no code is secure but again it's just my paranoid rambling.
I provision my own images for OpenWrt and that allows me to add the necessary packages for WireGuard + configuration for WAN/WireGuard peers out of the box.
However, if you want to do remote firmware updates keep a second device on hand so you can do testing. If something goes wrong and it's a 30m drive away, it becomes annoying. If it's 6 hours away and you need to call in favours to have someone go on site and help you fix it, well.
You will be able to access only the router, but the router itself will be able to reach the internet. You will not route all your traffic through the connection, but you will be able to download packages from the router.
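The key-only SSH setup mentioned in the thread can be checked on the router itself. The following is an added example, not code from any poster or from the OpenWrt project: a shell function that audits a Dropbear UCI config and reports whether each instance still accepts passwords. `PasswordAuth` and `RootPasswordAuth` are Dropbear's UCI options; the sample config, the `vpn` interface name and the function names are constructed for illustration, and a missing option is assumed to mean password login is enabled.

```shell
#!/bin/sh
# Added example: audit a Dropbear UCI config for key-only SSH logins.

# Constructed sample: instance 1 still accepts passwords, instance 2 is
# key-only and bound to a hypothetical "vpn" interface.
sample_config() {
cat <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '2222'
	option Interface 'vpn'
EOF
}

# audit_dropbear FILE
# Prints "<n> key-only" or "<n> password-login-allowed" per dropbear section.
# Returns 1 if any section allows password login.
audit_dropbear() {
    awk '
    function strip(s) { gsub(/[^A-Za-z0-9]/, "", s); return tolower(s) }
    # Assumption: anything other than an explicit "off" value means enabled.
    function state(v) { v = strip(v); return (v == "0" || v == "off" || v == "no" || v == "false") ? "off" : "on" }
    function report() {
        if (!insec) return
        if (pw == "off" && rootpw == "off") { print n " key-only" }
        else { print n " password-login-allowed"; bad = 1 }
    }
    $1 == "config" {
        report()
        insec = (strip($2) == "dropbear")
        if (insec) { n++; pw = "on"; rootpw = "on" }   # assumed defaults
        next
    }
    insec && $1 == "option" && $2 == "PasswordAuth"     { pw = state($3) }
    insec && $1 == "option" && $2 == "RootPasswordAuth" { rootpw = state($3) }
    END { report(); exit bad + 0 }
    ' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_config > "$tmp"
audit_dropbear "$tmp" || echo "at least one instance accepts passwords"
rm -f "$tmp"
```

On a router the file to check is `/etc/config/dropbear`; run the audit before and after a sysupgrade to confirm the key-only setting survived.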