Maintaining an OpenWrt Router

This triggers two thoughts:

  1. I believe we should aspire to have our basic secure router be broadly usable - to the consumer (or a "pro-sumer"). We are almost all the way there: we work on lots of devices, the installation process from Vendor GUI to OpenWrt is smooth and well-tested, and the base installation is as secure, robust and reliable as a vendor firmware.

  2. As for updates, we can do better (of course). But I also suspect that an 18.06 OpenWrt install (even if un-upgraded) is more secure than most vendor firmwares.

So we must never be ashamed of our progress - there's a huge amount to be proud of. I think what we're talking about here is our next steps to make OpenWrt better. Thanks.

2 Likes

@richb-hanover-priv I feel like you are a little offended by my last post (maybe I’m reading too much into it). Nobody said that the project hasn’t come a long way. And nobody implied that there is not a lot to be proud of.

But: The first problem here: maintaining a router. Updating / upgrading packages or the kernel “in place” is complicated given the limited resources on our embedded devices. I’m afraid that it will add too much “bloat”, which needs to be compensated by using higher end devices (with more flash / ram).

Second problem: if you want to make it more available to consumers vs pro-sumers, maybe there is a need for a “full” installation image vs “minimal” and the end user adds his/her own packages. A “full” installation will have all the features like Adblock, guest-network, file-share, OpenVPN, maybe WireGuard, SQM etc.
That will make it more “friendly” for many consumers, but is moving away from the original intention of this project: making everything user customizable.

In the end it is even related to the 4/32 question: those will never be able to have all the eye-candy and features AND be very user friendly in terms of updates (without basically flashing a clean install and reconfigure). So which group do you want to leave “behind”. Or, like I mentioned: make a “full featured” image available for those devices that could handle that (still leaving the 4/x behind).

Another option (not sure how workable it would be)...copy all relevant config files to the end users PC, do all the reconfiguration on that PC with a “tool”, which needs to be created for that. Merge everything back together into a “final” image, which in turn can be flashed as “full configured custom-update”.

Something like an online image builder perhaps?

Something like that, but in order to do an upgrade, it should "read" the flash from the device and based on that update / upgrade relevant packages while keeping all the config files associated with that package. Any non related (user) files should be kept "as-is". Maybe even "merge" the writable overlay with the original flash, and flash the whole thing back and by doing so, freeing up blocks which could be used for new overlay stuff. The "merged" version would be squashed again.

I think this should not be done directly on the device because of limited resources. I haven't given it a lot of thought yet. It might not be such a great idea in the end, depending how "secure" we can do this.

Let's say the UI has a toggle..... near the top right...

-simple
-intermediate
-advanced

With simple.... 70% or so is not shown and is autoselected..... and so on.....

Simple could also instantiate verbose "tooltips" around especially tricky or exact parameters.

It could also have a wizard, to generate config backups and likewise for restoration.

This seems the most plausible route...... This way effort to support basic users is narrowed into that toggle space and achievable.

No offense taken at all (and thank you for checking in.) Your comments are really important. They get to the question of "What is the 'purpose' of OpenWrt?" Who are we designing OpenWrt for?

Is OpenWrt just a low-level platform, where all things are possible, and equally easy (or difficult)?

Or is it worth focusing some of our attention to make sure OpenWrt is very well suited to one or a few tasks?

As I've stated elsewhere, my focus is on newcomers to OpenWrt. I believe our challenge is to design OpenWrt to provide some variation on a Basic Secure Router that offers easy installation and maintenance (e.g., updates) on a Recommended piece of hardware. For total transparency, my other bias/goal is that I am weary of seeing dozens of posts on different forums, "My network is really slow when someone's streaming..." I want to be able to respond with, "It may not be for everyone, but you could just install OpenWrt and configure SQM" and know that they're highly likely to succeed.

I am willing to spend energy envisioning a router GUI that provides a simple install/maintenance process for newer, more capable devices. (That is why I say we're most of the way there...) My advocacy here is to see if there are others who would like to work with me to envision what that would look like. Thanks!

1 Like

"My network is really slow when someone's streaming..." I want to be able to respond with, "It may not be for everyone, but you could just install OpenWrt and configure SQM" and know that they're highly likely to succeed.

I have the same experience when playing with others in Overwatch. People will constantly complain that the game is laggy, yet I almost never have any latency issue. I try to explain that their internet, not the game servers, is to blame. I try to explain what OpenWrt is and why they should get it but I've literally never had anyone seriously take me up on the offer. I have two brothers. The oldest was the one that told me about Lede. I turned an old PC into an overpowered router with quite a bit of pain and research. I FINALLY got my older brother to put it on his formerly Tomato router and he has had a lot of success with it as well. We don't all have networking backgrounds but we are all working in the IT space in our individual verticals. I still worry the default firewall settings are leaving my home vulnerable to boogeymen. All that to say: I'd rather the project move towards being inclusive of consumers.

I would compare it to US personal tax filings. If you don't own a home, make lots of charitable donations, trade securities, etc., the standard EZ form with a standard deduction is great, simple, won't get you in trouble if you just input the info from your tax forms. For people who benefit from itemizing their taxes, there is a process for that as well, but it takes longer, requires more knowledge, and opens you up to the risk of getting something wrong. In router-speak, I'm the first type of person. I don't want to mess around with the firewall, ports, VPNs.....it just needs to connect to the internet and not leave my home at risk to major known threats.

@anon50098793's suggestion for a wizard would be something I'd be interested in seeing. By that I mean, a wizard for setting up WAN (Who is your ISP? Centurylink: PPPOE), SQM (What does your ISP claim your download and upload speeds are?), Firewall.....

@thompdre841 I love stories like this. It shows the value that OpenWrt can bring to thoughtful people who are new to the project.

The challenge lies in the balance between simplifying everything as much as possible (but no further) to produce a basic router that is secure, robust, and does "the things people need". Let's take @anon50098793's suggestion about a wizard to the extreme:

How few questions can we require for a "good-enough secure router" setup? I think the minimum is Login Password and Router name.

  • Could the router auto-fill the SSIDs based on the router name?
  • Could the device automatically determine up/download speeds to set SQM?
  • Could the router automatically configure a Guest Wi-Fi network?
  • What other settings could be automatically set in a 'basic secure router' to minimize the expertise required?
  • (Of course, the additional OpenWrt GUI or settings in /etc/... allow experts to extend the router.)

But if we could design a system where people could get a good-enough secure router running with a minimum of hassles, we would have accomplished something really important.

A wizard can be confusing at times and it makes it hard to see the whole picture of configuration. What about a single page with several tabs? Each tab would show if it is filled with data or not. A tab for WAN, a tab for trusted network, guest network, Adblock, etc.
This page could save all data into a single file and it would be used to re-generate the config files after every save or reboot.

I’m not sure if this is the way to go. Have a quick google about “wizards” from different vendors. Probably I like the Netgear Genie the most, it gives very few options, and basically gets the user online with a few simple clicks.

Besides the “wizard”, who is going to decide the preinstalled packages? Basic routing, firewall and WiFi, but then: guest network? Adblock? SQM? VPN: which? OpenVPN, softether, Wireguard, IPSEC? Samba, FTP? USB 3g/4g? I want it all! Preconfigured, preinstalled and everything in my TP-Link Archer C7 for my 1 gigabit fiber connection!

We know that the “consumer” has too high expectations already...will this not just make it worse?? Have a look at dd-wrt (as example). It comes “preinstalled with a lot”, then look at the questions in their forum. Padavan, Tomato, all more preinstalled with “stuff”, but in the end is that what we wanted??

Isn’t OpenWRT supposed to be “Open”, as in, the end “pro-sumer” decides what to install (either build the firmware from source) or add later via opkg?

BTW: isn’t this moving away from the original post: how to maintain the router? As in: it’s installed and working, now we need to update/upgrade packages? And how to do that painlessly and maybe even remotely?

1 Like

Yes, actually it's why I started the how to get started thread over here: How to make getting started with configuring easier - #32 by Hegabo

Totally agree. I moved my list to the other topic.

Perhaps the sole remaining item is solving the easy-upgrade problem. I suspect the people who are interested in that are also interested in the "easier configuration" problem as well, and we can treat them as another essential requirement.

Just adding my own experience to the mix.

I've always seen OpenWrt as a way to take a consumer-grade router that costs, on average, a couple hundred dollars (let's say ~ US$50-US$400), and gain the configurability and management features of a US$2,000+ enterprise-grade piece of hardware, for example one of the Cisco Catalysts that is often used by one of the major public universities that I used to work for as a systems/network administrator.

Now that I do independent contract work providing IT support services for small businesses, I would never suggest to someone who is not tech savvy enough to use SSH and a command line that it would be a good idea to tell them "Hey, you can replace the software on your router with one called OpenWrt and gain a bunch of features." I do, however, install OpenWrt on every single one of my small business clients' routers for which I provide continuing support services, because it makes managing their networks much easier for me.

Now regarding updates/upgrades, I have to say that I've never once used sysupgrade, but I do very occasionally perform an opkg upgrade <pkg-names> between upgrades; on average once, maybe twice, between upgrading OpenWrt versions. I never use the "Keep settings" checkbox when flashing the firmware, and always perform a "clean install" whenever upgrading OpenWrt. Instead, I maintain a set of shell scripts that go through and install services and run UCI commands to configure settings each time after I do a clean install. This allows me the ability to perform disaster recovery in the event that one of my clients has a router that suddenly dies or gets bricked for any reason. It takes me just under 15 minutes, from the time I unwrap the shrink wrap on a new router, to the time where the new router is back in a state that was running OpenWrt and all of its services just before the old router died.

I believe that this methodology I have developed to install and maintain routers is only possible because OpenWrt has evolved into a top-notch router firmware. Again, I would never recommend using OpenWrt (or dd-wrt, or tomato, or anything else that is non-stock firmware) to someone else who does not have at least a small amount of sys admin experience (I'm not even talking professional-level experience here... but at a minimum, maintaining the entire home-computing infrastructure of, say, a family of 4 or larger). I feel like that would be like suggesting to someone who has never used Windows or macOS at any deeper level than that of a regular consumer that it would be a good idea to try installing Linux. Yeah, Linux is great, and opens up an entire universe of free and open-source software, but managing and maintaining Linux is also not easy, unless you are a "tech DIY" sort of person who is willing to tinker around to get the darned thing to do what you want.

Basically my bottom line is: "Yeah, Linux OpenWrt is great, and opens up an entire universe of free and open-source (router) software, but managing and maintaining Linux OpenWrt is also not easy, unless you are a "tech DIY" sort of person who is willing to tinker around to get the darned thing to do what you want."

Unless the goal is to make the GUI interface as simple to maintain as having a single "Check for Updates" button which, when clicked goes through a

Checking for updates... found new version.
Downloading updates... done.
Installing updates... done.
Update completed.
Reboot router for changes to take effect.

process, I don't foresee my opinion changing. Most stock firmware, like those on Netgear and Linksys routers, have such a button.

Just my 2 cents.

2 Likes

Which flash a complete, self-consistent image, avoiding three crucial issues:

  • Kernel and modules that are not self-consistent
  • ABIs that are not consistent among packages and libraries
  • Storage "explosion" as installed packages do not remove the RAM-based versions and, when installed on the overlay, are not compressed at all (NOR), or moderately compressed if the UBIFS was built with compression (I have not checked to see if this is default)

Edit: This is why I, in an early post here, suggested a reasonable, predictable cadence for releases. I put forward 2-3 times per year as a "strawman", faster than, for example, Linksys (annual?), but perhaps still reasonable for a volunteer organization.

1 Like

This is how I see it too. But I do think it should be possible for someone nontechnical to choose a piece of hardware that supports flashing from the factory GUI, and put OpenWrt on it, and configure it with a few configs, and get something that is better than and no harder for them to use than a typical factory GUI.

If the device requires ssh and sysupgrade I see it as not recommended for the nontechnical type you're describing.

I think this is possible when the user is using a near-out-of-the-box config. Like they've set the password, and the machine hostname, and a couple of SSIDs and passwords... and that's it. Other than that, it would be a mistake to have an auto-upgrade button in my opinion. So basically if there's an auto-upgrade button it should check first whether the router is configured in a simple enough way to make the auto-upgrade work (like check that there are no add-on installed packages, etc)

2 Likes
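One way to implement the "no add-on installed packages" pre-check suggested above, as an added example that is not part of the thread or of OpenWrt itself. It assumes the opkg status databases sit at /rom/usr/lib/opkg/status (flashed image) and /usr/lib/opkg/status (image plus overlay), as on squashfs-based installs, and it looks only at packages, not at config files; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not OpenWrt code. On a router the two arguments would be
# /rom/usr/lib/opkg/status and /usr/lib/opkg/status (assumed squashfs layout).

# Print "added <pkg>" / "changed <pkg>" for every package on the running
# system that is missing from, or differs in version from, the flashed image.
# Returns 2 when the image database is missing or empty (cannot decide).
addon_packages() {
    rom_status=$1
    cur_status=$2
    [ -s "$rom_status" ] && [ -r "$cur_status" ] || return 2
    awk '
        $1 == "Package:" { pkg = $2 }
        $1 == "Version:" {
            if (FNR == NR)            rom[pkg] = $2        # first file: image
            else if (!(pkg in rom))   print "added " pkg
            else if (rom[pkg] != $2)  print "changed " pkg
        }
    ' "$rom_status" "$cur_status" | sort
}

# Succeed only when nothing was added or changed, i.e. the near-out-of-the-box
# case in which a one-click upgrade button could be offered.
auto_upgrade_ok() {
    delta=$(addon_packages "$1" "$2") || return 2
    [ -z "$delta" ]
}

# Constructed sample databases (version strings are made up).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/rom.status" <<'EOF'
Package: base-files
Version: 1.0-r1

Package: dnsmasq
Version: 2.80-1
EOF
cat > "$SAMPLE/cur.status" <<'EOF'
Package: base-files
Version: 1.0-r1

Package: dnsmasq
Version: 2.80-2

Package: luci-app-sqm
Version: 1.0-1
EOF

if auto_upgrade_ok "$SAMPLE/rom.status" "$SAMPLE/cur.status"
then echo "upgrade button: enabled"
else echo "upgrade button: disabled"; fi
```

A return code of 2 (image database missing or empty) should be treated the same as "not eligible", so the button stays disabled whenever the check cannot be completed.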

Or have the Lua page do the check when loading the web page, and if auto-upgrade is not possible, then either simply do not display the button, or display the button greyed out/disabled.

1 Like

I do think it would be useful to have the front page LuCI page check to see if a newer version of the firmware has been released for the device and notify the user "OpenWrt 19.2.1 is out and includes enhancements and security fixes, you can click here to download the image for your device, after downloading you can install this update whenever it is convenient for you"

If it even checked at most once per day at random time and then put the URL in a file in /etc/latest_firmware_url for LuCI to look at that'd be a useful thing.

I've stayed out of this to a great extent, as it headed to solutions long before the problem was stated.

If you know what the goals are, then the solutions can be evaluated against them.

As a starter, a set of use cases might be

As a non-technical user that may have installed packages after installing OpenWrt

  • I want to have confidence that my system is current and patched against significant, known, and resolved threats

  • I would like to be promptly informed when new releases are available

  • I would like to be able to install the newest release, without more than a button-click, and have my currently installed packages and config preserved

  • After upgrading my system using a "one-click" approach, I would like guidance as to how to resolve any issues that arose if that upgrade was not completely transparent to me.

Edit: reformat for clarity

4 Likes

Not a bad idea. Things like VirtualBox and LibreOffice do this.

Although I think you meant /tmp/latest_firmware_url, to reduce flash wear.

No, I meant see if there's a new firmware, and if it's not already listed in /etc/latest_firmware_url then put it there (persistently). You'd only write it when the url changed not every time you check to see if there's something new.
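The write-only-when-changed behaviour described in this exchange, as an added example that is not code from the thread or from OpenWrt. The function names, the FIRMWARE_HOST allow-list and the sample URLs are assumptions; how the URL is fetched is left out, and the host check is there because LuCI would present the stored value to the user as a download link.

```shell
#!/bin/sh
# Added example. FIRMWARE_HOST and the function names are assumptions.
FIRMWARE_HOST="downloads.openwrt.org"

# Accept only https URLs on the expected host, made of plain URL characters.
valid_firmware_url() {
    case $1 in
        *[!A-Za-z0-9._~:/-]*) return 1 ;;          # whitespace, quotes, etc.
        "https://$FIRMWARE_HOST/"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# record_latest_url <url> <file>
# Returns 0 if the file was written, 1 if it already held this URL (no flash
# write happens), 2 if the URL was rejected and the file left untouched.
record_latest_url() {
    url=$1
    file=$2
    valid_firmware_url "$url" || return 2
    [ -f "$file" ] && [ "$(cat "$file")" = "$url" ] && return 1
    # Write to a temporary file and rename, so a power cut cannot leave a
    # truncated URL behind.
    tmp="$file.tmp.$$"
    printf '%s\n' "$url" > "$tmp" && mv "$tmp" "$file"
}

# Demo with a constructed URL and a scratch file instead of
# /etc/latest_firmware_url.
DEMO_FILE="$(mktemp -d)/latest_firmware_url"
DEMO_URL="https://downloads.openwrt.org/releases/EXAMPLE/image.bin"
for attempt in 1 2; do
    rc=0
    record_latest_url "$DEMO_URL" "$DEMO_FILE" || rc=$?
    echo "check $attempt: rc=$rc"
done
```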