Management Platforms for Thousands of OpenWrt Routers?

@Geekuino By Secure TR069, do you mean regular TR069? I know it is the de facto management standard used by the big boys, but it's slow and not realtime.

We are small and working on a shoestring budget.

I guess I was under the impression that OpenWRT is Linux, and Linux has thousands of commercial and open source projects to remotely monitor, update, and maintain Linux boxes remotely.

@colton.conor Indeed, TR069 is designed to be used over TLS, so it's secure by default. Well, that's what it says on the tin. Like all software, TR069 is only as secure as the next zero day exploit. ACS servers are a golden goose target for hackers. An interesting background read: Best Practices for Securing TR-069

As for rollout times, you'll obviously want to push updates ASAP, but with TR069, clients can be trailing weeks behind the latest build. But as things stand, TR069 is the best supported and understood technology.

On the subject of updates and security, you must consider if your client boxes are going to be flashed with a secure bootloader. This is a bootloader which prohibits unauthorized changes - such as reflashing with malware - by authenticating the firmware before the OS starts. Customer routers that allow over-the-wire updates must have secure bootloaders to maintain their integrity. The provisioning of private/public keys adds extra costs to your rollout, but avoids future litigation.

🎃 Yikes!

Well, it looks like one ISP in the UK uses openwrt based, but they aren't very good at it

Yes there are lots of linux management systems, most of them not specifically tailored for embedded type hardware, for example desktops would primarily just install new packages, but routers should probably download and install whole images.

If I were going to do something like this, I'd want to do telemetry via mqtt or similar and updates probably by https with a self-managed certificate trust system (i.e. a client cert signed by my signing cert pre-installed on the device, the device connects to my system, provides its client cert, checks my website's cert, and only then gets a valid firmware image to download and install via sysupgrade)

You could do a similar thing for configs by having it request a uci config via mutually authenticated https, and you could trigger the request via mqtt messages.
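The update flow described in the post above, sketched as a device-side script (an added example, not part of the thread or any poster's code). The server URL, the files under /etc/fleet, the one-line manifest format and the use of curl on the device are assumptions.

```sh
#!/bin/sh
# Added example; URL, paths and manifest format are assumptions, not from the thread.
UPDATE_URL="https://updates.example.net"   # hypothetical update server
CA_CERT="/etc/fleet/ca.pem"                # operator's own CA, pre-installed on the device
CLIENT_CERT="/etc/fleet/device.pem"        # per-device cert signed by that CA
CLIENT_KEY="/etc/fleet/device.key"
VERSION_FILE="/etc/fleet/version"

# fetch <remote-name> <outfile>: HTTPS only, the server must chain to our CA,
# and the device presents its client certificate.
fetch() {
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
         --cacert "$CA_CERT" --cert "$CLIENT_CERT" --key "$CLIENT_KEY" \
         --output "$2" "$UPDATE_URL/$1"
}

# verify_image <file> <sha256-hex>: catches truncated or corrupted downloads.
verify_image() {
    [ -f "$1" ] && [ -n "$2" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# safe_name <name>: reject empty names, dotfiles and anything with a path separator.
safe_name() {
    case "$1" in
        ""|*/*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Manifest is one line: "<version> <sha256> <image-file-name>"
do_update() {
    fetch manifest.txt "$1/manifest" || return 1
    read -r version sum file < "$1/manifest"
    [ "$version" != "$(cat "$VERSION_FILE" 2>/dev/null)" ] || return 0
    safe_name "$file" || return 1
    fetch "$file" "$1/firmware.bin" || return 1
    verify_image "$1/firmware.bin" "$sum" || return 1
    sysupgrade -T "$1/firmware.bin" || return 1   # -T: validate image, do not flash
    sysupgrade "$1/firmware.bin"
}

update() {
    work=$(mktemp -d) || return 1
    rc=0; do_update "$work" || rc=$?
    rm -rf "$work"                                # reached only if no flash happened
    return "$rc"
}

# Run from cron or an MQTT-triggered hook as: update.sh run
case "${1:-}" in run) update ;; esac
```

The checksum arrives over the same authenticated channel as the image, so it guards against a damaged download rather than a compromised server; firmware authentication at boot, as raised earlier in the thread, is a separate control.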

Hi, I'm one of the developers of OpenWISP so my opinion is highly biased of course.

It is not true that OpenWRT is not suitable for ISPs, in fact many ISPs use OpenWISP to manage thousands of routers (all APs shown on this public map are running OpenWRT and are being managed with OpenWISP). It may not have all the features colton.conor is looking for at the present moment but it has the basics and can be easily extended, programmed and integrated with other networking solutions.

Moreover, the community is active and the project is moving ahead steadily, by 2019 we should manage to land an integrated monitoring solution, firmware upgrades and a full RESTful API to handle all aspects of the software (now the API is available only for some modules).

There are other organizations and companies in the same situation as colton.conor which are joining forces to build a programmable network solution to manage an OpenWRT based network which does not restrict their liberty in managing their own network as many other commercial solutions do.

Best regards
Federico

4 Likes

Is there an API?

OpenWRT provides a simple JSON-RPC API access to ubus via uhttpd.
This is quite a simple and powerful tool.

3 Likes

Turris Omnia routers are using OpenWRT base and have automatic update and many other features, check if they use open source tools with those.

Hi Colton,
if you are searching for a platform that is capable of managing any number of multi-brand access points or routers, on a single dashboard from the cloud, I would suggest you take a look at Tanaza.
The compatibility list seems pretty dense and they are vendor agnostic, so open to support more models (compatibility list here).
It also comes with a 15 day free trial so you can give it a try and check if it's the solution you are searching for.

I hope this could help you

Does Tanaza communicate with an API to OpenWRT, or how does it configure and control OpenWRT? What about monitoring, is it doing something special, or just using SNMP?

Tanaza is a software that lets you manage access points from a dashboard on its cloud, providing you the firmware to install, so that they can automatically connect to the Tanaza infrastructure with an encrypted connection.
From that moment, you can manage and configure everything from there, since any different brand or model will have the same user interface, which is also a great plus IMO, especially when you have to deal with many different ones.

@colton.conor Are you still looking for a cloud management platform for OpenWRT based devices?

Yes we are, why do you ask?

I did various custom management services for different hotspot providers, hundreds of devices. Did openwrt firmware only, UI done by providers themselves. Not open source, though. In case of interest, PM, pls.

Good to know that. We have developed a couple of cloud management solutions for OpenWRT devices. So let me know if you need any help.

I'm interested in chatting about this further if you have a solution already in place?

I'm looking to manage custom OpenWRT routers along the lines of TR-069 for our small ISP.

1 Like

Thanks. Yes, we do have. I have sent you a PM. Would you please check the same?

Do you plan to make some development public?

1 Like

Haven't decided yet!

I'm sure the community may be very interested in such tools.
In fact I am also interested for private usage...
May we be in touch directly?

1 Like

Thanks, good to know your interest and review about same.
Sure, sent you the contact details.