[Updating] Preferred way of updating OpenWrt devices with lots of custom configuration

I currently use a router with OpenWrt 19.07.4 r11208-ce6496d796 - which was a clean install (no upgrade) - but with a lot of customizing that took some days if not weeks of fine-tuning.

I installed unbound so I could resolve global DNS on my own, hook a Pi-Hole next to it, which is using OpenWRT's unbound as its only upstream.
I configured unbound to serve my local private zone with a bunch of static leases, removed dnsmasq in the process.
Configured the OpenWRT firewall so it allows usage of unbound only for the Pi-Hole, blocking all direct connections, blocking connection to public DNS ports (so the infamous 8.8.8.8 isn't usable anymore) and blocking every host from Wikipedia's public DNS-over-HTTP list.
I added scripts to update delegated IPv6 prefixes and update my Route53 DynDNS entries, etc.

I want to update to the latest 19.07.7 release but fear losing my unbound installation and especially the big changes to /etc regarding unbound.conf and the firewall rules I am using.

I configured all of this during the Christmas holidays with some days to spare, but as the next holiday season is far away and I could only spare 1-2 hours at a weekend for maintenance, I'd rather keep my current (possibly insecure) firmware, instead of having to reconfigure this all over again!

But I also want the newest security patches, so...

  • Will I have to reinstall and reconfigure unbound and other third-party packages when triggering the OpenWRT update?
    (via web interface or ssh - I don't care)

  • What is the preferred way / best practice of updating OpenWRT and still have all custom additions and configuration for third-party packages still working?
    (minor adjustments to paths or the like wouldn't matter)

the general advice I'd give... while unconventional... is when you do something new... copy the whole /etc... and anything else you can think of off the router via scp or to usb and make a normal tar.gz backup with -k... ( also keep copies of all images! )

then immediately remove / re-install and repeat... (restoring where possible)

it's the repetition that makes this task easier / clear...

The best way is to compile a personal firmware (either with the full toolchain or the imagebuilder), and include all your add-on packages in that build. Thus your new firmware would already include all needed packages. Then you can just sysupgrade to the new version with the old settings.

Config settings themselves should survive the sysupgrade, assuming that all of them are properly marked as config files by the packages, or you have added them to the sysupgrade keep list. (See "sysupgrade -l" or look at LuCI tab: System - Flash - Configuration - Open list)

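A pre-upgrade check for the keep list mentioned in the reply above, as an added example that is not part of the original thread. It assumes the keep list has been saved to a file (for instance from `sysupgrade -l`) and that you maintain your own list of files the setup depends on; the function names and all sample paths are hypothetical.

```sh
#!/bin/sh
# not_kept KEEPLIST WANTED
#   KEEPLIST: one path per line, e.g. saved with: sysupgrade -l > keep.txt
#   WANTED:   one path per line that must survive the upgrade
# Prints each WANTED path that is neither listed itself nor below a listed
# directory. Returns 0 when everything is covered, 1 otherwise.
not_kept() {
    keeplist=$1 wanted=$2 rc=0
    while IFS= read -r path || [ -n "$path" ]; do
        case $path in ''|'#'*) continue ;; esac      # skip blanks/comments
        covered=no
        while IFS= read -r keep || [ -n "$keep" ]; do
            case $keep in ''|'#'*) continue ;; esac
            keep=${keep%/}          # "/etc/unbound/" -> "/etc/unbound"
            case $path in
                "$keep"|"$keep"/*) covered=yes; break ;;
            esac
        done < "$keeplist"
        if [ "$covered" = no ]; then
            printf '%s\n' "$path"
            rc=1
        fi
    done < "$wanted"
    return "$rc"
}

# Constructed sample data; all paths are hypothetical, not from a real router.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/keep.txt" <<'EOF'
/etc/config/firewall
/etc/config/network
/etc/unbound/
EOF
    cat > "$dir/wanted.txt" <<'EOF'
# files the custom setup depends on
/etc/config/firewall
/etc/unbound/unbound.conf
/etc/unbound_extra.conf
/root/bin/update-route53.sh
EOF
    status=0
    not_kept "$dir/keep.txt" "$dir/wanted.txt" || status=$?
    rm -rf "$dir"
    return "$status"
}
```

Any path the function prints would be lost on sysupgrade unless it is added to `/etc/sysupgrade.conf` first; for a firewall-enforced DNS setup like the one described, a missing file can mean the blocking rules silently disappear after the upgrade.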

You may also want to wait until 21.02 is released for your big upgrade.

Thank you all.

I feared I would have to build my own images, but I shy away from it a bit.

As I am already building de-Googled Custom ROMs for personal use and stuff from other developer communities, I am not sure whether having another custom workflow will fit my free time.
Compiling in the week for a living and then compiling at weekends to get all the personal devices up to date seems a bit overwhelming - at least sometimes I'd like to take a walk. :wink:

I was hoping anybody already had an Ansible workflow that I could just customize for example.
Like: Flashing the newest stock firmware, just config enough to open SSH. Then run the Playbook that does all the heavy lifting of installing unbound, removing dnsmasq, put all configs and runlevel scripts back into place etc.

But I will look into it. Maybe the imagebuilder thingie is a good middle ground I can live with.

Yeah, realizing there is an RC already, this is a good idea.

I prefer a “setup” script with the uci and opkg code for most of my settings. Then you always install a clean version and run the script, and a couple of weeks of work (as you mentioned) is written to the router in about 2 seconds.

But you will have some work to do the first time when doing the actual script. But once done it will work over a looong time into the future.

And even over mega big version changes like from 19.07 to 21.02 with DSA implementation it is very easy to rewrite UCI code to work with DSA and the new system settings in the script.
It is even relatively easy to make adjustments to a script to work for different routers with the same setup if you have some programmer knowledge.

There are known problems with moving old configs across versions over and over again, since the config files are not set up the same way across the versions of OpenWrt (not even service updates like for the updated dnsmasq). And over time you will have more and more inactive or faulty config lines in your configs.