This is a placeholder topic for a future upgrade of the router.
Background: I am still in the Philippines, but my mother still lives in Russia. She still has a TP-Link Archer C7 v2 with OpenWrt 21.02.1, r16325-88151b8303 installed. I have remote access to the unit, but returning to Russia is completely out of the question for obvious safety reasons. If I screw anything up, there is no way to recover.
The ISP provides plain old DHCP + DHCPv6 with prefix delegation (but needs a MAC changed from the default). However, the router runs quite some non-default stuff: PPtP VPN for censorship circumvention, mwan3 for applying the policy regarding which devices go through the VPN and which don't, dynamic DNS client (just in case - the ISP reserves the right to change the IP, but did not do it in the past 2 years), and a WireGuard VPN to my home in the Philippines. mwan3 has some firewall trickery because of IPv6. The 5 GHz WiFi is not used because the laptop only supports 2.4 GHz, and everything else is on the wired connection.
The router needs to be upgraded to a supported version, but I have seen enough stories where something was wrong after upgrading and preserving settings.
I have another TP-Link Archer C7 v2 locally.
Would the below be a sensible procedure? If not - what would you recommend as an alternative?
1. Make a backup, and, just in case, a tarball of everything in /etc, for future reference
2. Use the Firmware Selector to build a custom image containing the minimum stuff to get a working connection (i.e. the defaults + luci-app-ddns)
3. While building the image, add a custom startup script that enables the WiFi and sets the correct security settings, sets the correct WAN MAC, sets the correct LAN IP network, sets the correct root password, adds my SSH key, configures dynamic DNS, allows SSH on the WAN zone, and allows connecting from WAN to LAN over IPv6 (so that I maintain my access to the laptop)
4. Test the image locally without keeping the settings
5. Flash that image on the remote router without keeping the settings
6. Configure the VPNs and mwan3 manually according to what is in the backup
You really need a backup plan like another router or your mother being able to use the internet without a router.
Having an identical unit brings in another possibility (possibly expensive) by configuring the unit in your premises and shipping it over to your mother.
The backup plan of shipping the router would have been of course much better, but it has already failed. It is literally impossible to ship anything due to sanctions. All postal services (even the state ones) reject everything, even documents.
A USB Ethernet adapter exists, and plugging the ISP's cable into it might be a viable choice if the current router ends up being bricked.
You could eventually use the laptop as a gateway for any small tweaks in case the router boots but the internet is not up.
I would tend to keep the remote config as close as possible to defaults, having only the wifi and wireguard configured as a management connection, and the downside would be that you risk breaking the router when you bring up your other networking services...
Well...there is no perfect plan and you could just live dangerously and test the upgrade with your local unit then press the red button
I decided to return to this project. Progress so far:
I have examined various backup options that are offered by sysupgrade (default, keeping everything modified, keeping all modified files in /etc, not keeping files identical to those in /rom), made all possible backups, and concluded that there is nothing of importance that is not included in the sysupgrade -u -b backup.tar.gz archive.
Since I had posted this topic, the PPtP VPN broke and had to be replaced with SSTP.
I examined the list of installed packages and reduced it by excluding the redundant ones, i.e., those that are dependencies of something else already in the list.
I tried to build a 21.02.1 sysupgrade image with the same packages to have an identical setup locally, but the online firmware selector no longer works for building such old OpenWrt versions. Therefore, I had to use the image builder locally, which still worked after fixing the Python version check.
I examined the list of non-configuration files on the remote router and in the just-built image. They match.
I compared my seed list of packages and the default list offered in the firmware selector. Then, I compared the default package lists in various OpenWrt versions and made the corresponding adjustment to my seed list. Then I built three more sysupgrade images (21.02.7, 22.03.7, 23.05.5) locally with the adjusted lists.
I created a few extra bridge interfaces on my laptop and tried to model the whole desired setup with virtual machines, even keeping the same IPs as in the real world:
- The internet at large, modeled as a NAT router (both for IPv4 and IPv6) with multiple LAN interfaces (OpenWrt 23.05.5 x86_64)
- The router in question (also OpenWrt 23.05.5 x86_64)
- The router in the Philippines (another OpenWrt 23.05.5 x86_64)
- The SSTP VPN server (using accel-ppp on Alpine; I could not use OpenWrt here, because accel-ppp is not included, and SoftEther is not good enough due to lack of IPv6 support in SSTP tunnels)
- Laptops and TVs in both countries (Debian 12)
Once I became confident that the model was accurate, I turned off the "Russian" part of the model and added a passed-through USB network card to the main router, adding it to the same bridge where the "Russian" x86_64 router was connecting.
I flashed the 21.02.1 sysupgrade image to my TP-Link Archer C7 v2 and, at the same time (sysupgrade allows that), restored the backup, then connected the WAN port of my router to the USB network card. It connected and got the correct IP addresses.
I connected a Lenovo x86_64 tablet to the WiFi provided by my router and examined whether routing worked correctly—it did.
I tried to sysupgrade the router to 22.03.7 using the command line. Result: broken internet connectivity on the tablet, but at least the WireGuard tunnel worked. The following had to be fixed:
- The route metric on the SSTP interface was wrong (actually, it was wrong even before the upgrade), and this confused mwan3. Bug filed, workaround added, and the configuration adjusted on the real router in Russia.
- The custom firewall.user script had to be marked as compatible with firewall4 (option fw4_compatible 1)
The upgrade of my test router to 23.05.5 was unremarkable.
So, the conclusion seems to be that I have an upgrade path.
Also, it does look like just adding the option fw4_compatible 1 line and upgrading to 23.05.5 using the previously built image without any extra precautions should work. I have not tried it yet, but, obviously, this has to be done on the local test unit first.
Indeed, it was as "easy" as removing the no-longer-needed workaround from /etc/rc.local, adding option fw4_compatible 1 to /etc/config/firewall, and running a sysupgrade -u using the manually built 23.05.5 image with the correct packages. Yes, I skipped the whole 22.03.x line, even though it is unsupported.
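
The package-list reduction described in the progress post above (dropping packages that are only dependencies of something else already in the list), as an added example that is not the poster's own script: it reads an opkg status file (on OpenWrt, /usr/lib/opkg/status) and prints the installed packages that no other installed package depends on. The sample status data is constructed, and ignoring Provides: aliases is an assumption made to keep the example short.

```shell
#!/bin/sh
# Added example, not from the thread. Package data below is constructed.

# Print installed packages that no other installed package depends on.
# $1: path to an opkg status file (on OpenWrt: /usr/lib/opkg/status).
seed_packages() {
    awk '
        /^Package:/ { pkg = $2; installed[pkg] = 1 }
        /^Depends:/ {
            line = $0
            sub(/^Depends:[ \t]*/, "", line)
            n = split(line, deps, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                d = deps[i]
                sub(/[ \t]*\(.*$/, "", d)   # drop "(= version)" constraints
                gsub(/[ \t]/, "", d)
                if (d != "" && d != pkg) needed[d] = 1
            }
        }
        END { for (p in installed) if (!(p in needed)) print p }
    ' "$1" | sort
}

# Constructed sample in opkg status format (Package/Depends stanzas).
sample_status() {
    cat <<'EOF'
Package: luci-app-ddns
Depends: libc, luci-base, ddns-scripts

Package: ddns-scripts
Depends: libc

Package: luci-base
Depends: libc, lua (>= 5.1)

Package: lua
Depends: libc

Package: libc

Package: wireguard-tools
Depends: libc, kmod-wireguard (= 0.0.0-sample)

Package: kmod-wireguard
Depends: kernel (= 0.0.0-sample)

Package: kernel
EOF
}
```

Packages that sit in a mutual dependency cycle would all be dropped by this rule, so compare the result against the full installed list before feeding it to the image builder.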