I'm going to try TR069/CWMP on OpenWRT. Right now I'm building my first image with easycwmp. And I guess I will try genieacs for the ACS server. But I'd like to know:
a) if there are any completely free implementations, i.e., not a commercial offering stripped down
I have heard about freeacs, what do you think of it and possibly other alternatives?
b) if there are other alternatives, some pointers to download code and get any doc about compiling it on openwrt would be helpful
c) are those things safe? Or is it a security hell like IoT seems to be?
TR069 typically runs over the carrier's infrastructure, not over the open Internet. Not something I personally trust, but more based on my lack of trust in someone like Comcast having control over my devices. See https://en.wikipedia.org/wiki/TR-069#Security for some opinions and references for further research.
What are you trying to accomplish that can't be done with, for example, SSH with a pre-shared, potentially command-restricted key?
Well, we are a small, grassroots, not-for-profit organization sharing FTTH via WiFi links, between some 50 partners, mostly rural dwellers owning quite isolated farms about ten kilometers away from urban zone.
Our partners don't want to have any tech struggles, just to have it working, period, so it's up to the (trusted) staff to configure partners' routers. Staff actually works over SSH, but sometimes, routers get back to factory defaults; then some of us have to go to that farm, driving off-road, to get it working again. And being a not-for-profit, making all as cheap as possible is paramount.
So, if cwmp works fine and can save us that driving, it would be useful.
Thanks for the link. However, it does seem that not so many openwrt people are working with that.
I hoped somebody could say something like "freeacs is safer" or so.
If you build and provide images, you could "burn in" the appropriate bootstrap setting and keys into the image. This would be the case for either an SSH-based approach or use of TR069 or the like.
I understand your point. We could burn an image for each partner, but we hoped to find something easier. We could burn a "factory image" for each subnet so we could look if a router has reverted to, say, 10.0.1.254/24, that will be easier and would scale better... however, we are just exploring the landscape and cwmp looks like a possible solution... so we will do some tests and then decide about it.
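The "burn in" idea from the replies above, as an added example that is not part of the original posts: a shell function that builds a files/ overlay for a custom OpenWrt image, holding a forwarding-restricted (optionally command-restricted) staff SSH key and a uci-defaults script for the per-subnet address. The script name 90-staff-bootstrap, the key and the forced command are assumptions; 10.0.1.254/24 is the address mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build a files/ overlay for a custom image.
# Usage: build_overlay DIR PUBKEY_LINE LAN_IP [FORCED_COMMAND]
#   e.g. build_overlay ./files "$(cat staff_key.pub)" 10.0.1.254   (placeholder file name)
build_overlay() {
    dir=$1; pubkey=$2; lan_ip=$3; forced=${4:-}
    nl='
'
    # Accept exactly one public-key line; a pasted private key is rejected.
    case $pubkey in
        *"$nl"*) echo "refusing: key must be a single line" >&2; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not an SSH public key line" >&2; return 1 ;;
    esac
    # The address is interpolated into a script, so allow digits and dots only.
    case $lan_ip in
        ''|*[!0-9.]*) echo "refusing: bad LAN address" >&2; return 1 ;;
    esac
    # A quote or newline would break out of command="..." in authorized_keys.
    case $forced in
        *\"*|*"$nl"*) echo "refusing: bad forced command" >&2; return 1 ;;
    esac
    opts='no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
    if [ -n "$forced" ]; then
        opts="$opts,no-pty,command=\"$forced\""
    fi
    mkdir -p "$dir/etc/dropbear" "$dir/etc/uci-defaults" || return 1
    chmod 700 "$dir/etc/dropbear"
    printf '%s %s\n' "$opts" "$pubkey" > "$dir/etc/dropbear/authorized_keys"
    chmod 600 "$dir/etc/dropbear/authorized_keys"
    # uci-defaults scripts live in the read-only image, so they run on first
    # boot and again after a factory reset wipes the overlay.
    cat > "$dir/etc/uci-defaults/90-staff-bootstrap" <<EOF
#!/bin/sh
uci set network.lan.ipaddr='$lan_ip'
uci set network.lan.netmask='255.255.255.0'
uci set dropbear.@dropbear[0].PasswordAuth='off'
uci set dropbear.@dropbear[0].RootPasswordAuth='off'
uci commit
exit 0
EOF
}
```

Placing the resulting directory at files/ in the buildroot before running make puts its contents into the image's root filesystem, so the key and address come back after a reset to defaults.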
I did various remote support functions for openwrt-routers, using VPN for remote access, remote firmware upgrade etc. Needs custom openwrt image, though. In case of interest send me PM.
No problem. Will suffice for small amount of routers. But not in case of many of these, as in case for hotspot service providers etc. I.e. I did this one: wifibus.com.mx
Look for the line: PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
Add this just under it: PKG_HASH:=skip
Save change
Get back to build_dir
cd ../..
make menuconfig
Select easycwmp (*)
Libmicroxml is in "Libraries" and should have been automatically selected since easycwmp depends on it