SSH into newly flashed/upgraded router?

I'm looking for some techniques/advice here.

Force of circumstance means I would like to upgrade some OpenWrt devices remotely. The major changes with DSA and firewalls mean that a fresh install and rebuilding the configuration from scratch is a good idea, but that needs local (on-site) attendance, which is difficult to do in a timely and inexpensive fashion.

I'd be happy with some way of connecting to the router with SSH after a fresh install. One problem is some of the devices are not on static IP addresses, some are behind CG-NAT and some providers have broken IPv6 implementations.

I'd love some way of getting a minimal system up that allowed me to SSH in and do the rest. I think this would either require some persistent configurations/scripts on the router (which is probably difficult to do), or modifying the flashable image in some way (which I think is the way to go).

Has anyone done this, and can point me to a recipe somewhere?

My suggestion (not tried)
Modify /etc/rc.local to:

  1. download/install, configure and start a tunnel from outside to the local ssh server (using ngrok (or similar), ssh -R or vpn to your own server (eg n2n, tinc, wireguard))
  2. Set root password

Create a custom configuration file containing only /etc/rc.local

root@nelson:/tmp# cd /
root@nelson:/# tar czvf /tmp/minimalconfigfile.tgz etc/rc.local

Download the firmware to /tmp and install with minimalconfig

sysupgrade -f /tmp/minimalconfigfile.tgz <URLTOFIRMWARE>

When the firmware is installed, the router will get a DHCP address and rc.local will set up the tunnel or VPN, so you can connect.
Remember to restore original /etc/rc.local
I have never tried to use sysupgrade -f - I wish you luck.

For reference:

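A pre-flight check for the archive described in the post above, as an added example that is not part of the original thread: a stray file or a syntax error in rc.local would leave the freshly flashed router without its tunnel. The function name and the default allow-list are assumptions; extra allowed members can be passed as further arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight check for the archive passed
# to `sysupgrade -f`. Function name and allow-list default are assumptions.

# check_minimal_config ARCHIVE [ALLOWED_MEMBER...]
# Returns 0 only if every member is on the allow-list and rc.local parses.
check_minimal_config() {
    archive=$1
    shift
    [ $# -gt 0 ] || set -- etc/rc.local   # default: the thread's single file

    listing=$(tar tzf "$archive" 2>/dev/null) || {
        echo "FAIL: $archive is not a readable gzip tar" >&2; return 1; }

    # Reject absolute paths, '..' components and anything not allow-listed.
    while IFS= read -r member; do
        case $member in
            /*|..|../*|*/../*|*/..)
                echo "FAIL: unsafe path $member" >&2; return 1 ;;
        esac
        ok=0
        for want in "$@"; do
            if [ "$member" = "$want" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || { echo "FAIL: unexpected member $member" >&2; return 1; }
    done <<EOF
$listing
EOF

    # rc.local must be present and must at least parse: a syntax error here
    # means no tunnel comes up after the flash.
    tmp=$(mktemp -d) || return 1
    if tar xzf "$archive" -C "$tmp" etc/rc.local 2>/dev/null &&
       sh -n "$tmp/etc/rc.local" 2>/dev/null; then
        rc=0
    else
        echo "FAIL: etc/rc.local missing or has a shell syntax error" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh check.sh /tmp/minimalconfigfile.tgz
if [ $# -gt 0 ]; then check_minimal_config "$@"; fi
```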

Thank you for the suggestion!

It isn't an approach I had thought was possible, but I'll have to investigate it. If nothing else, it looks interesting.

I don't have the kind of problems you have to solve, but I still use two equal devices alternately. I.e. when I upgraded from 18.06 to 21.02, I installed 21.02 on the standby device and configured it. Then I swapped the two devices and finished the configuration (18.06 to 21.02 is a big leap).

So if you have a spare for your remote devices, you might want to consider this route, especially for the first upgrade.