I have created a print-router-label.sh script (OpenWrtScripts repo) that reads the config of a router, and prints the information below. I tape it to the side of my router so I can come back to it easily. (I got tired of scribbling this info on a tiny slip of paper. Now I let the computer do the work for me...)
My questions: It's my belief that this process is reasonably secure. After all, if the bad guy can read the label, they can also factory-reset the router (or steal your TV or your silverware).
Do you agree?
Could this become a built-in feature of OpenWrt?
Thanks.
This is part of my larger "Spare Router" project that resets decommissioned routers to a known good state so it's easy to pass them along or donate them to a good cause. See the config-spare-router.sh script.
Your spare router inspired me, but I took a different direction.
I came up with the idea of using UCI defaults to create the settings that a router has on the vendor's firmware, which are usually printed on its label.
For example, TP-Link routers (like my trusty WDR4300) have their SSIDs named TP-LINK(last 6 digits of the MAC), and the password is inside their bootloader and is 8 characters long. With that in mind, I set up a UCI defaults script to set that up, a hostname different from OpenWrt, a custom login page like on the label (tplinklogin.net), and made sure that script survives sysupgrades.
Now, when I reset it to factory defaults, it automatically is configured as the sticker on the bottom.
The same happens to both my RT3200s, but I had to set the SSID and password manually in the script because basically the whole flash is replaced by OpenWrt.
I don't think your approach is insecure, but, like you say, if someone has access to it, it will be the least of your problems.
No, but here it is (This worked fine on my WDR4300 and potentially many other TP-Link Routers):
```sh
#!/bin/sh
# uci-defaults script: runs once on first boot of the flashed image.

# log potential errors
exec >/tmp/setup.log 2>&1

# Already configured on a previous run (zonename set)? Then do nothing.
[ "$(uci -q get system.@system[0].zonename)" = "America/Caracas" ] && exit 0

# Set root password (leave the variable empty to skip this step)
root_password="admin"
if [ -n "$root_password" ]; then
    (echo "$root_password"; sleep 1; echo "$root_password") | passwd > /dev/null
fi

echo "Setting router generals..."
uci set system.@system[0].hostname='TPLink'
uci set system.@system[0].timezone='<-04>4'
uci set system.@system[0].zonename='America/Caracas'

echo "Setting DNS..."
# Configure WAN DNS to Cloudflare. Optional
uci set network.wan.peerdns='0'
uci add_list network.wan.dns='1.1.1.1'
uci add_list network.wan.dns='1.0.0.1'
# Configure WAN6 DNS to Cloudflare. Optional
uci set network.wan6.peerdns='0'
uci add_list network.wan6.dns='2606:4700:4700::1111'
uci add_list network.wan6.dns='2606:4700:4700::1001'

echo "Setting WiFi..."
# Configure WLAN: enable both radios and their first interfaces
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-iface[0].disabled='0'
uci set wireless.@wifi-device[1].disabled='0'
uci set wireless.@wifi-iface[1].disabled='0'

# TP-Link derives the SSID from the last 6 hex digits of the MAC address and
# keeps the label's 8-character WiFi password in flash. Other routers will
# need both set manually according to the sticker.
mac_suffix="$(ifconfig eth0 | awk '/HWaddr/ { printf $5 }' | tr -d : | tail -c 6)"
wifi_key="$(dd if=/dev/mtdblock0 bs=1 skip=130560 count=8 2>/dev/null)"

# 2.4 GHz radio
uci set wireless.@wifi-iface[0].ssid="TP-LINK_${mac_suffix}"
uci set wireless.@wifi-iface[0].key="$wifi_key"
uci set wireless.@wifi-iface[0].encryption='psk2+aes'
# 5 GHz radio. Same thing as above.
uci set wireless.@wifi-iface[1].ssid="TP-LINK_${mac_suffix}_5G"
uci set wireless.@wifi-iface[1].key="$wifi_key"
uci set wireless.@wifi-iface[1].encryption='psk2+aes'

echo "Setting Hostname..."
# Resolve the vendor's login name (as printed on the label) to the router
uci add dhcp domain
uci set dhcp.@domain[-1].name='tplinklogin.net'
uci set dhcp.@domain[-1].ip='192.168.1.1'

echo "Setting persistence of this script..."
# Configure owut to include the script in future sysupgrade images.
uci set attendedsysupgrade.owut=owut
uci set attendedsysupgrade.owut.init_script='/rom/etc/uci-defaults/99-asu-defaults'

echo "Committing changes..."
uci commit
echo "All done!"
exit 0
```
This script can be pasted into the Firmware Selector, or used as a script that owut (on snapshots) can use. It has a check so that if something like the timezone is already set, the rest of the script won't be executed, meaning that the router is already set up.
In the case of using Attended Sysupgrade, it needs to run at least once from the Firmware Selector, in order to create an image that includes the script at /rom/etc/uci-defaults/99-asu-defaults . Then, when you run LuCI Attended Sysupgrade, it'll use that script from now on.
I've taken to always using the "internal" device name in labels because then I can go to downloads or sysupgrade and find exactly the correct image or imagebuilder without any guessing. The format I decided on is "target/subtarget:profile", like this:
That script has a slightly different purpose from the print-router-label.sh script. Your script has the terrific goal of setting up the router to match its manufacturer-printed label.
I posted about a script that simply prints the configuration as it currently is. I'm aiming for something that works on every device (even x86 boxes or RPi). Thanks!
Good point. uci get dhcp.@dnsmasq[0].domain gives the proper TLD.
And some routers don't have mDNS turned on, so $HOSTNAME.$TLD doesn't work. I'll have to modify the script not to print that name when it's not available. Thanks.
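As an added example (not the print-router-label.sh script itself, nor anything from OpenWrt), here is a POSIX sh sketch of the same idea that works from a `uci show` dump instead of calling uci directly, so it can be tried off the router. The dump is constructed for the example; the key names it reads (system.@system[0].hostname, network.lan.ipaddr, dhcp.@dnsmasq[0].domain and the wifi-iface sections) are assumed to be the usual ones. Following the point above, the TLD is taken from dhcp.@dnsmasq[0].domain and the "Local name" line is left out when no domain is set; whether a client can actually resolve that name is not something the config dump can tell you.

```sh
#!/bin/sh
# Build router-label text from a `uci show` dump. On a router: uci show > /tmp/cfg.txt

# Print the value of one uci key from the dump (empty if absent).
# `uci show` wraps values in single quotes; those are stripped.
uci_val() {
    awk -v k="$2=" -v q="'" '
        index($0, k) == 1 {
            v = substr($0, length(k) + 1)
            if (substr(v, 1, 1) == q) v = substr(v, 2)
            if (substr(v, length(v), 1) == q) v = substr(v, 1, length(v) - 1)
            print v
            exit
        }' "$1"
}

# Section ids of every wifi-iface in the dump (named or anonymous), one per line.
wifi_sections() {
    awk -F= '$1 ~ /^wireless\./ && $2 == "wifi-iface" { sub(/^wireless\./, "", $1); print $1 }' "$1"
}

# Emit the label. Disabled wifi-iface sections are skipped; the local name is
# printed only when both the hostname and the dnsmasq domain (TLD) are set.
print_label() {
    dump=$1
    hostname=$(uci_val "$dump" 'system.@system[0].hostname')
    lan_ip=$(uci_val "$dump" network.lan.ipaddr)
    tld=$(uci_val "$dump" 'dhcp.@dnsmasq[0].domain')
    printf 'Hostname:   %s\n' "$hostname"
    printf 'LAN IP:     %s\n' "$lan_ip"
    if [ -n "$hostname" ] && [ -n "$tld" ]; then
        printf 'Local name: %s.%s\n' "$hostname" "$tld"
    fi
    wifi_sections "$dump" | while IFS= read -r s; do
        if [ "$(uci_val "$dump" "wireless.$s.disabled")" = "1" ]; then
            continue
        fi
        printf 'SSID:       %s (%s)\n' "$(uci_val "$dump" "wireless.$s.ssid")" \
            "$(uci_val "$dump" "wireless.$s.encryption")"
        printf 'Key:        %s\n' "$(uci_val "$dump" "wireless.$s.key")"
    done
}

# Constructed sample dump (assumed key names, made-up values) so this runs anywhere.
SAMPLE_DUMP=${TMPDIR:-/tmp}/label-sample.$$
trap 'rm -f "$SAMPLE_DUMP"' EXIT
cat > "$SAMPLE_DUMP" <<'EOF'
system.@system[0]=system
system.@system[0].hostname='spare-router'
network.lan=interface
network.lan.ipaddr='192.168.1.1'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domain='lan'
wireless.default_radio0=wifi-iface
wireless.default_radio0.ssid='TP-LINK_A1B2C3'
wireless.default_radio0.encryption='psk2+aes'
wireless.default_radio0.key='example-wifi-key'
wireless.guest=wifi-iface
wireless.guest.disabled='1'
wireless.guest.ssid='Guest'
EOF

print_label "$SAMPLE_DUMP"
```

Iterating over every wifi-iface section rather than hard-coding `@wifi-iface[0]` is what lets the same script cover devices whose radios are named differently (x86 boxes and RPi-style boards included), which is the portability goal stated above.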
The one thing that seems to be missing is a QR code that will auto-connect someone onto the WiFi network. For more elderly folks it's much easier to get them to open an app and point it at the code.
I agree that QR codes are a terrific way to convey information from a printed page to a phone.
It might be a very good enhancement to the Network -> Wireless page, perhaps as another tab ("Print QR Code") in the Interface section. The page/QR Code could display the Wifi credentials that you could post in your house. I would strongly encourage someone to do this.
But I think that's separate from the role of the print-router-label.sh script. I use those labels as a reminder of my router's basic configuration on the rare occasion that I actually have to touch it. (Especially for my spare routers.)
It would be great if someone added the capability of this script into OpenWrt: perhaps as a new "Print System Info" tab on the System -> System page.
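The Wi-Fi QR codes phones scan are just text in the WIFI: format (the ZXing convention most camera apps follow), so the string can be built from the same SSID, key and encryption values a label prints and handed to any QR encoder. The following is an added example, not code from this thread or from OpenWrt; the mapping from uci encryption values to the T: field and the backslash escaping of the characters the format reserves follow that convention, and the qrencode command in the usage note assumes that tool is installed.

```sh
#!/bin/sh
# Build a WIFI: payload for a QR code from uci-style values.

# Escape the characters the WIFI: format reserves: backslash ; , " :
qr_escape() {
    printf '%s' "$1" | sed 's/[\\;,":]/\\&/g'
}

# Map a uci `encryption` value to the T: field (WPA, WEP or nopass).
qr_auth_type() {
    case $1 in
        none|"") echo nopass ;;
        wep*)    echo WEP ;;
        psk*|sae*|wpa*) echo WPA ;;
        *)       echo WPA ;;   # unknown: assume a WPA-family passphrase
    esac
}

# $1 = SSID, $2 = key, $3 = uci encryption value, $4 = 1 if the SSID is hidden
wifi_qr_payload() {
    t=$(qr_auth_type "$3")
    s=$(qr_escape "$1")
    # An SSID made only of hex digits is quoted so readers do not hex-decode it.
    case $1 in
        *[!0-9A-Fa-f]*|"") ;;
        *) s="\"$s\"" ;;
    esac
    payload="WIFI:T:$t;S:$s;"
    if [ "$t" != nopass ]; then
        payload="${payload}P:$(qr_escape "$2");"
    fi
    if [ "$4" = 1 ]; then
        payload="${payload}H:true;"
    fi
    printf '%s;\n' "$payload"
}

# Constructed values, not a real network; on a router use `uci get` for each.
wifi_qr_payload 'TP-LINK_A1B2C3' 'example-wifi-key' 'psk2+aes'
wifi_qr_payload 'foo;bar\baz' 'p:w' 'psk2'
```

To turn the output into something printable, pipe it to qrencode, for example `wifi_qr_payload ... | qrencode -t ANSIUTF8` for the terminal or `-o wifi.png` for a file. The escaping matters: an SSID or key containing `;` or `:` would otherwise be read as a field separator and the phone would join the wrong network or fail silently.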
Mm. For me the labels for end users and the management are separate.
Sometimes MAC, hostname or just an arbitrary unique identifier.
But I find that most people in a residential application now expect labels on the router: either not visible on the base, or clearly visible on the device so that they can connect their phone.
I fully agree sir. My sons, guests, and family rely solely on the QR code pasted on the refrigerator to access my network to my chagrin, but far less stress on me.