SSH into newly flashed/upgraded router?

I'm looking for some techniques/advice here.

Force of circumstance means I would like to upgrade some OpenWrt devices remotely. The major changes with DSA and firewalls mean that a fresh install and rebuilding the configuration from scratch is a good idea, but that needs local (on-site) attendance, which is difficult to do in a timely and inexpensive fashion.

I'd be happy with some way of connecting to the router with SSH after a fresh install. One problem is some of the devices are not on static IP addresses, some are behind CG-NAT and some providers have broken IPv6 implementations.

I'd love some way of getting a minimal system up that allowed me to SSH in and do the rest. I think this would either require some persistent configurations/scripts on the router (which is probably difficult to do), or modifying the flashable image in some way (which I think is the way to go).

Has anyone done this, and can point me to a recipe somewhere?

My suggestion (not tried)
Modify /etc/rc.local to:

  1. Download/install, configure and start a tunnel from outside to the local SSH server (using ngrok or similar, ssh -R, or a VPN to your own server, e.g. n2n, tinc, WireGuard)
  2. Set root password

Create a custom configuration file containing only /etc/rc.local

root@nelson:/tmp# cd /
root@nelson:/# tar czvf /tmp/minimalconfigfile.tgz etc/rc.local

Download the firmware to /tmp
and install with minimalconfig

sysupgrade -f /tmp/minimalconfigfile.tgz <URLTOFIRMWARE>

When the firmware is installed, the router will get a DHCP address and rc.local will set up the tunnel or VPN, so you can connect.
Remember to restore the original /etc/rc.local.
I have never tried to use sysupgrade -f - I wish you luck.

For reference:

1 Like
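A variant of the recipe suggested above, as an added example that is not part of the original post and is as untested on real hardware as the suggestion itself: it builds the minimal archive for `sysupgrade -f` with key-only SSH login instead of a root password, and checks the archive before it is used. The host `jump.example.net`, the user `tunnel`, port 2222 and the file name `tunnel_key` are hypothetical; the tunnel key is assumed to be in a format the router's SSH client accepts, and that client is assumed to read `/root/.ssh/known_hosts`.

```sh
#!/bin/sh
# Added example; jump.example.net, user "tunnel" and port 2222 are hypothetical.

# build_minimal_config <admin.pub> <tunnel_key> <known_hosts> <out.tgz>
build_minimal_config() {
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/etc/dropbear" "$stage/etc/config" "$stage/root/.ssh"
    # Admin public key for root login through the tunnel.
    install -m 600 "$1" "$stage/etc/dropbear/authorized_keys"
    # Client key the router uses towards the jump server.
    install -m 600 "$2" "$stage/etc/dropbear/tunnel_key"
    # Pinned jump-server host key, so the client never needs -y.
    # Assumption: the dropbear client reads /root/.ssh/known_hosts.
    install -m 600 "$3" "$stage/root/.ssh/known_hosts"
    # Key-only SSH: a fresh image has no root password yet.
    cat > "$stage/etc/config/dropbear" <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
EOF
    cat > "$stage/etc/rc.local" <<'EOF'
# Reverse tunnel: port 2222 on the jump server -> this router's SSH.
ssh -i /etc/dropbear/tunnel_key -K 30 -N -f \
    -R 2222:localhost:22 tunnel@jump.example.net
exit 0
EOF
    # Relative member names, like the post's `cd /` followed by tar.
    tar -C "$stage" -czf "$4" etc/rc.local etc/config/dropbear \
        etc/dropbear/authorized_keys etc/dropbear/tunnel_key \
        root/.ssh/known_hosts
    rc=$?
    rm -rf "$stage"
    return $rc
}

# check_minimal_config <tgz>: 0 if the archive is fit to pass to sysupgrade -f
check_minimal_config() {
    tar -tzf "$1" | grep -qx 'etc/rc.local' || return 1
    # Reject absolute or parent-relative member names.
    tar -tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)' && return 1
    # Key files must be readable by their owner only.
    tar -tvzf "$1" | awk '$NF ~ /(authorized_keys|tunnel_key)$/ &&
        $1 != "-rw-------" { bad = 1 } END { exit bad }'
}
```

Run both functions on the workstation, copy the resulting archive to the router's /tmp, and pass it to `sysupgrade -f` as in the post.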

Thank you for the suggestion!

It isn't an approach I had thought was possible, but I'll have to investigate it. If nothing else, it looks interesting.

I don't have the kind of problems you have to solve, but I still use two equal devices alternatively. I.e. when I upgraded from 18.06 to 21.02, I installed 21.02 on the standby device and configured it. Then I swapped the two devices and finished the configuration (18.06 to 21.02 is a big leap).

So if you have a spare for your remote devices, you might want to consider this route, especially for the first upgrade.

Did you find a solution? Please share...

I'm sure there must be a better solution, but couldn't you test the new firmware on an identical router on your LAN to get the settings right, build the firmware including any needed packages and with your new config files in the appropriate directories, and flash it on your local test router first to check everything works without intervention? Or else create a script that runs on first boot and uses UCI commands.

In fact a quick google finds: Custom script to run on first boot using linux builder - #16 by psherman