Today I tested the backup+factory reset functionality with the mtdbk.sh script. Link
I created the backup and thought I could put it back through Luci, but it does not work.
Additionally, the factory reset does not work either: 'umount /overlay && firstboot && reboot'
After a reboot, all settings are gone. I could log in again and make some changes, but after the next reboot no changes were left. With the help of a guy from the IRC, we found out that the overlayfs was mounted on temp.
So I had to flash my TP-Link 1043nd again.
Benefit: I could write this manual.
#######################
VPN Guest Wifi with VPN
#######################
- Test the .ovpn file and create the tunnel interface in Luci
-- Install 'openvpn-openssl' with Luci
-- We put the clientconfig.ovpn from the VPN provider in the /etc/openvpn/ folder.
Make sure the file has Linux LF line endings.
-- Additionally we add the password file: put the VPN login in the first line and the VPN password in the second line.
We open the .ovpn file and write the name of this password file behind 'auth-user-pass', e.g.
auth-user-pass /etc/openvpn/my_vpn_login.txt
-- We test the file with this command (run from /etc/openvpn so that relative paths in the file resolve):
openvpn --config nether.ovpn
Now, the last message in the shell should be 'Initialization Sequence Completed'
Now the tunnel should be up.
In another shell you should be able to see the tunnel interface in 'ifconfig'.
You should be able to ping through the tunnel with 'ping -I tun0 www.google.com'.
Proceed only if this works.
Sometimes the certificates are not included in the .ovpn file and must be copied separately.
Or the VPN server named in the 'remote' line of the .ovpn file is down, etc.
While openvpn is running, the tun0 interface is up.
-- Create an interface for the VPN tunnel
Add a new Luci->Network->Interface based on tun0 interface, name it 'vpnif'
Protocol of the new interface: Unmanaged
Bring up on boot [x]
After submitting, press edit on the vpnif interface and place the interface in a new firewall zone called 'vpnzone'
-- Now the vpn tunnel can be closed with ctrl+c
- Create a second wifi
-- Add a second wifi in Luci->Network->Wireless
ESSID, Security how you like, but for the network create the 'guestwifi' interface.
-- Go to the Luci->Network->Interface section
Put the guestwifi into another net: static address 192.168.77.1, netmask 255.255.255.0
Additionally, place the guestwifi in a newly created firewall zone 'guestzone'.
We add DHCP support and, in the advanced settings, write '6,8.8.8.8,8.8.4.4' into the DHCP option field.
This delivers the Google nameservers to the client config. Most internet providers (like mine) don't allow access to their DNS servers from outside their net, and if the DNS traffic is routed through the tunnel, it arrives from outside. (If pinging IP addresses works but pinging names does not, this is the problem.)
-- In /etc/config/wireless you can change the mac address of guestwifi if you want, otherwise the relationship between guest and main wifi will be obvious:
Look for the section with your guest wifi SSID and add:
option macaddr '11:22:33:44:55:66'
- Configure the firewall
-- Set the default rules for new connections in Luci->Network->Firewall:
For the vpnzone we take the same settings as for the wan zone: by default we reject (or drop) Input and Forward but allow Output, plus Masquerading + MSS clamping + allow.
For the guestzone we take similar settings as for the lan zone: by default we reject (or drop) Input and Forward but allow Output.
Save+Apply
-- Then we edit the guestzone and allow forwarding from source:guestzone to dest:vpnzone
Save+Apply
-- Add a firewall traffic rule (Open ports on router) for DNS port tcp+udp 53
and set the source zone to guestzone and the destination zone to Device (input). Otherwise URL resolving does not work.
-- In the same way add a rule for the DHCP port udp 67-67.
Now new clients to the guest wifi can obtain IP addresses from the DHCP server.
- Now we must set up the routes
What we need is advanced routing, because we want to route traffic based on the origin and not only on the destination.
The routing has to be set up by openvpn every time the tunnel comes up.
-- We add a second routing table in /etc/iproute2/rt_tables. For example:
echo "10 vpn_table" >> /etc/iproute2/rt_tables
We open the .ovpn file and add the following options (lines starting with a semicolon are comments):
#####################
; Retrieve routing info and place it in shell variables, but don't apply it to the client:
route-noexec
; Allow calling a user script:
script-security 2
; Call a user script when the tunnel comes up:
up /etc/openvpn/vpn_ready_up.sh
; Call a user script when the tunnel goes down:
down /etc/openvpn/vpn_ready_down.sh
######################
Next we create a script that writes the routing info to the second routing table.
vi /etc/openvpn/vpn_ready_up.sh
######################################
#!/bin/sh
# For testing purposes we could uncomment the next line. It writes the interface, addresses and gateway to the file vpnup.txt
#/bin/echo -e " dev: $dev\n ifconfig_local: $ifconfig_local\n ifconfig_remote: $ifconfig_remote\n route_vpn_gateway:$route_vpn_gateway" > /etc/openvpn/vpnup.txt
# Write a default route into routing table 'vpn_table'
ip route add default via "$route_vpn_gateway" dev "$dev" table vpn_table
# Let's handle all traffic that comes from the guest net with routing table 'vpn_table'
# (the net must match the guestwifi interface configured above: 192.168.77.1/24)
ip rule add from 192.168.77.0/24 priority 30 table vpn_table
exit 0
#######################################
vi /etc/openvpn/vpn_ready_down.sh
######################################
#!/bin/sh
# For testing purposes we could uncomment the next line. It writes the interface, addresses and gateway to the file vpndown.txt
#/bin/echo -e " dev: $dev\n ifconfig_local: $ifconfig_local\n ifconfig_remote: $ifconfig_remote\n route_vpn_gateway:$route_vpn_gateway" > /etc/openvpn/vpndown.txt
# Delete the default route and the rule again (same net as in the up script).
ip route del default via "$route_vpn_gateway" dev "$dev" table vpn_table
ip rule del from 192.168.77.0/24 priority 30 table vpn_table
exit 0
#######################################
-- Make both scripts executable:
chmod +x /etc/openvpn/vpn_ready_up.sh /etc/openvpn/vpn_ready_down.sh
- We configure openvpn
-- Open /etc/config/openvpn and set in section 'config openvpn custom_config'
option enabled 1
option config /etc/openvpn/nether.ovpn
This enables openvpn in client mode and uses the settings from the .ovpn file directly; no translation between .ovpn and .conf is needed. The openvpn server section further down in the file is not needed and can be deleted.
-- Make sure that Luci starts openvpn automatically
Luci->System->Startup->Openvpn Enabled
- Checking and others
-- Take a look in the second routing table:
ip route show table vpn_table
-- Take a look at the rules:
ip rule show
-- Connect a client and test the ip:
Firefox: www.myip.com
-- Trace the hops
linux: > traceroute 8.8.8.8
windows: > tracert 8.8.8.8
-- Error messages on the router
dmesg
logread
-- Finally we could add some more firewall rules:
e.g. allow only ports 80 and 443 in the guest wifi
-- Traffic shaping with Wshaper
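As an added check for the 'Checking and others' steps above (example code, not from the original post), this script reads the output of 'ip rule show' and 'ip route show table vpn_table' and reports whether guest traffic from 192.168.77.0/24 is pinned to the tunnel. The 'unreachable default' fallback route it looks for is my own addition, not part of the guide: without it, guest packets fall back to the main table (and the wan device) while tun0 is down, so only the firewall zone rules stand between the guest net and the plain internet.

```shell
#!/bin/sh
# Added example: sanity check for the guest-wifi policy routing.
# Assumes the guest net, table name and tun device from the guide above.
GUEST_NET="192.168.77.0/24"
VPN_TABLE="vpn_table"

# check_rule RULES: expects a line like "30: from 192.168.77.0/24 lookup vpn_table"
check_rule() {
    printf '%s\n' "$1" | grep -qF -- "from $GUEST_NET lookup $VPN_TABLE"
}

# check_default ROUTES: the table must send everything through a tun device
check_default() {
    printf '%s\n' "$1" | grep -q -- '^default via .* dev tun[0-9]'
}

# check_fallback ROUTES: an 'unreachable default' entry (my assumption, added
# with: ip route add unreachable default table vpn_table metric 1000) makes
# the guest net drop packets instead of falling back to the main table
check_fallback() {
    printf '%s\n' "$1" | grep -q -- '^unreachable default'
}

# verdict RULES ROUTES: prints ok / no-fallback / tunnel-down / leak-risk / no-rule
# and returns 0 only when the tunnel is up and the fallback is in place
verdict() {
    rules="$1"; routes="$2"
    check_rule "$rules" || { echo "no-rule"; return 1; }
    if check_default "$routes"; then
        if check_fallback "$routes"; then echo "ok"; return 0; fi
        echo "no-fallback"; return 2
    fi
    if check_fallback "$routes"; then echo "tunnel-down"; else echo "leak-risk"; fi
    return 1
}

# On the router, run with --live to check the real state:
if [ "${1:-}" = "--live" ]; then
    verdict "$(ip rule show)" "$(ip route show table "$VPN_TABLE")"
fi
```

The metric 1000 on the fallback route keeps it below the tunnel default added by the up script, so it only takes effect once the down script has removed that route.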