OpenWrt Forum Archive

Topic: Optimized and feature rich trunk build for select routers

The content of this topic has been archived between 20 Aug 2014 and 5 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Trunk build, complete and tweaked for performance. As with my previous build I'm going for an out of the box experience with no setup needed after flashing.


Please keep discussions in this thread related to the build feature set or generally interesting stuff happening in trunk etc. There's a dedicated forum section for general support. Posting there will help you faster, help others and keep this thread clean.

Currently there are images for the following routers:

* Netgear WNDR3700 V1
* Netgear WNDR3700/WNDR3800/WNDRMAC
* Netgear WNDR3700V4/WNDR4300
* TP-Link WDR3500/WDR36X0/WDR43x0
* TP-Link WDR4900
* TP-Link Archer C5/C7
* Archer C2600
* Netgear Nighthawk X6 R8000
* Linksys WRT1900AC/WRT1200AC

Source tarball


For other routers just download the source tarball, copy one of profiles/* to .config, run make menuconfig and select your router as a target. Go to "advanced configuration" and deselect "target options". Exit, save, run make V=99.

To make it easier, there's a build.sh script which automatically starts a build with one of the supplied profiles.


---------------------------
Recommended installation method is sysupgrade -n or TFTP. If you keep settings when you upgrade, expect things to break! This is a trunk build, so stuff can and will change that require certain stuff in UCI config that gets overwritten when you keep settings. Same goes for my customization. To keep settings without breakage, you can create a script using UCI commands that you run after upgrading.
---------------------------

  SSID: OpenWRT Password: changeme
  root password: changeme

Highlights:

- All frequencies and channels at full power - when country is set to world (default)
- strongSwan IKEv1/IKEv2
- OpenVPN
- Pushbullet notifications for IPsec/OpenVPN logins - includes IP address and client/user info (add your API key in /etc/config/arokh)
- USB tethering of Android/iOS devices
  * mwan3 for load balancing and failover two or more WAN connections
  * Simply plug in your device, enable tethering and enable the mwan3 WAN/USB interfaces
  * iOS has a different interface, needs to be changed under Network -> Interfaces -> USB -> Phsyical Settings
- Multicast discovery (UPnP) and mDNS (i.e. Airplay) supported over OpenVPN through the use of SMCRoute/Avahi
- DNSCrypt (encrypts DNS requests with minimal overhead, uses OpenDNS by default which has some additional benefits)
- Tor transparent proxy through dedicated and secure SSID (no access to LAN)
  * nodogsplash out of the box on Tor SSID
  * the Tor service is disabled by default so you need to start it for things to work
  * optionally tunnel traffic from VPN (enable the provided rule)
- F2FS / exFAT filesystem support
- Adblocking through hosts file
  * disabled by default, enable and start init script to activate
  * downloads several lists into /tmp/hosts (currently eats about 4MB of RAM)
  * configuration in /etc/config/adblock
  * serves transparent gif instead of ads like pixelserv
  * works transparently for Tor/VPN/LAN
- SQM QoS traffic shaping from CeroWrt
- SSH brute force protection
  * max 4 new connections pr minute
  * ban for a week after 10 failed login attempts with dropBrute.sh (leasefile is in /tmp so doesn't survive a reboot)
  * SSH is not open by default, an example how to open/redirect from port 222 is provided

- Overclock for WNDR3X00 (760MHz/800MHz)
- Compiled with GCC 5.2 and properly optimized for the target CPU
- Packages compiled with -O2 optimization: openssl, dropbear, openvpn, libsodium, nettle, dnscrypt-proxy
- miniupnpd
- DNSSec support
  * Change resolver in /etc/config/dnscrypt-proxy to one that supports dnssec (see which one supports it in the resolver list)
  * Add option dnssec 1 in /etc/config/dhcp
  * Restart dnscrypt-proxy / dnsmasq as needed
- Enabled utmp/wtmp login records (for last/who applets)
- Busybox saves ash history, enabled reverse search
- Increased log size to 64kb and made some services more quiet to make the log readable
- Dynamic DNS support
- IPv6 support (native/6in4/6to4/6rd)
- LuCI web interface with SSL support
  * apps: ddns/mwan3/hd-idle/sqm/statistics/upnp/wol
- USB storage support
* hd-idle for putting connected drive to sleep when idle
- SFTP server (openssh-sftp-server)
- NFS server (unfs3)
  * shares /mnt automatically when a disk is connected
- Jumbo frames (passthrough enabled by default)
- ECDSA host key support for dropbear
- Some handy tools (tcpdump-mini, etherwake, wassup.lua)

snake & tetris available through opkg :-)

Diffs and config available in release dir.


---------------------------
Recommended installation method is sysupgrade -n or TFTP. If you keep settings when you upgrade, expect things to break! This is a trunk build, so stuff can and will change that require certain stuff in UCI config that gets overwritten when you keep settings. Same goes for my customization. To keep settings without breakage, you can create a script using UCI commands that you run after upgrading.
---------------------------

Download: http://enduser.subsignal.org/~trondah

Changelog: http://enduser.subsignal.org/~trondah/changelog.txt

OpenWrt trunk changelog: http://git.openwrt.org/?p=openwrt.git;a=log

(Last edited by arokh on 8 Mar 2016, 09:29)

VPN instructions
------------------

This build supports three types of VPNs:

- OpenVPN (certificates)
- IPsec IKEv1/strongSwan (username & password + pre-shared key)
- IPsec IKEv2/strongSwan (certificates)

1. Enable and start either the openvpn or the ipsec service, depending on which you'd like to use. Firewall rules are already in place.
2. Download the appropriate configuration for your client.

Three client configurations are generated for you on first boot: "phone", "laptop" and "workstation".

OpenVPN client configuration: http://192.168.3.254/phone.ovpn
Note that OpenVPN Connect for iOS can only import from an e-mail attachment, so you need to send it to yourself.

strongSwan/IKEv2 on iOS client configuration: http://192.168.3.254/phone.mobileconfig

For strongSwan/IKEv2 on Android, you can download a p12 bundle like this: http://192.168.3.254/phone.p12
After importing, choose IKEv2/certificate in the strongSwan app and point it to your WAN IP.

For IKEv1, the default username/password is "openwrt" and "changeme" with PSK "changeme". This can be changed in /etc/ipsec.secrets (then run "ipsec restart"). This configuration is supported natively on most operating systems.

Question: "I get a blank page trying to download the client configuration!"
Answer: If there is no IP address on your WAN interface during the first boot you need to generate client configurations manually. Follow the below manual steps.

Question: "What about if I want to use a DDNS name instead of IP?"
Answer: Follow the manual steps below to generate configuration.

For generating configurations manually, log in to your router with SSH and execute the following commands:

# vpn.sh buildserver 1.2.3.4

Replace "1.2.3.4" with your WAN IP or DDNS name.

# vpn.sh buildclient myclient 1.2.3.4

Replace "myclient" with the name of your client and "1.2.3.4" with your WAN IP or DDNS name. This step can be repeated for as many clients as you like.

If your WAN IP or your DDNS name changes you will need to repeat both the buildserver and buildclient commands.

Tips & Tricks

* VPN traffic can be optionally sent through Tor, simply enable the "Redirect-traffic-from-VPN-to-Tor" rule in LuCI.

* Client configurations are generated under /www_blank on your router. You should delete them after downloading to your client, as they are available without any authentication.

* OpenVPN is set up with both UDP and TCP for better compatibility. The client configurations first try UDP port 1194, then falls back to TCP port 443.

(Last edited by arokh on 26 Nov 2015, 15:15)

I'm not familiar at all with this - can it be installed after the unit is flashed, or does minidlna need to be compiled in?
I don't have any facilities to compile it.
-- ok, I looked it up ---  it begs some other questions however - like USB support?  NTFS support?  Thanks.

(Last edited by joevella on 5 Jun 2014, 19:13)

Yes, USB support is enabled by default for this target. Filesystem support are available as modules in the package directory of the latest release.

Install like this:

# opkg install --force-checksum http://enduser.subsignal.org/~trondah/r41055/packages/kmod-fs-ntfs_3.10.36-1_ar71xx.ipk

(Last edited by arokh on 9 Jun 2014, 08:15)

Hello, and welcome back! I was wondering, are you going to update your 3 older builds (Alt, fat, and normal)?

Probably not, I moved all file and download services off my router smile

No, I mean my previous builds were tailored to run all kinds of file services (AFP/SMB/FTP/NFS). I spent quite a lot of time making sure those worked out of the box. I could simply build with the same config, but that would not work automagically like before. I have simply no time or interest to play with those things since I am not using them myself anymore.

Are you using a custom build-script for this as well.

No I'm just building by hand.

I just updated to this build up from the older one, and it's working great so far (even the settings from the old build were successfully transferred over!). Could you put in IPv6 support so it works out-of-the-box? That's the only thing I disliked about the build (although this build is very small and leaves room for a few packages such as IPv6).

However, when I try to install 6to4, I get the following message:

Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies for 6to4:
*     kernel (= 3.10.36-1-404772c42219692ff867cc0f88cd6980) *     kernel (= 3.10.36-1-404772c42219692ff867cc0f88cd6980) *     kernel (= 3.10.36-1-404772c42219692ff867cc0f88cd6980) *
* opkg_install_cmd: Cannot install package 6to4.

Also, Radvd isn't even in the package lists, and I can't find it anywhere either.

Is there anything I'm missing?

Edit: After using --force-depends to install all IPv6 related packages, it seems to nearly work, but I can't get wan6 to assign my LAN an IPv6 address.

(Last edited by bmccoy11 on 12 Jun 2014, 08:41)

Actually, Barrier Breaker supports native IPv6 by default. The use of radvd/6relayd is now superseded by odhcpd.

http://wiki.openwrt.org/doc/uci/network … .and.later

The dependency error for 6to4 you get is probably due to kmod-sit not being included in my build. opkg tries downloading the one from snapshots which has wrong checksum. Forcing probably works but I wouldn't recommend it. I'm doing a new build now (r41150) which includes 6in4, 6rd, 6to4, the kmod-sit module and adds a bunch of other network support modules as installable packages.

Oh, and the reason you can't download lots of packages (including radvd which you don't need) is because the devs have moved the packages feed to github, and their build system is messed up atm not including oldpackages.

BTW, if you only did a sysupgrade from AA to BB I recommend that you wipe your configuration (reset button should work) and start fresh. Old configuration could cause issues with BB.

:-)

(Last edited by arokh on 12 Jun 2014, 09:18)

Alright, I'll just wait until the next build and see if that will fix my problems with IPv6. Thanks!

Also, I'd recommend a good CSS-based file manager for your download page such as http://larsjung.de/h5ai/ (if possible). It makes everything look much neater and easier to find. If h5ai doesn't work or you don't like it, here's another option - http://adamwhitcroft.com/apaxy/

(Last edited by bmccoy11 on 12 Jun 2014, 09:57)

I find it pretty easy to navigate the current structure, but I'll have a look at that. Seems like I need PHP which isn't available on the hosting server, I've asked jow maybe it can be installed.

New release out smile

6in4 and 6to4 tunnels are working great, and are very easy to set up! Could you add QOS and a SFTP server (for router file access) in the next build, maybe? Also, I can't install kmod-usb-storage without --force-depends, or else I get this message:

Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-usb-storage:
*     kernel (= 3.10.36-1-404772c42219692ff867cc0f88cd6980) *     kernel (= 3.10.36-1-404772c42219692ff867cc0f88cd6980) *
* opkg_install_cmd: Cannot install package kmod-usb-storage.

(Last edited by bmccoy11 on 12 Jun 2014, 21:02)

New build coming with USB block storage support and SFTP server included. I'm not including QoS but I'm adding it as packages so you can opkg install it without problems with checksums.

In the next build, could you also add luci-app-openvpn?

There is no luci-app-openvpn any more AFAIK.

Can't include an ipk in the build, need the source package. Looks like it's included in the ticket, but why isn't it in the feed? I'll look at it later.

I have yet another request: Jumbo frame (AKA Jumbo Packet) support.

I believe jumbo frame support passthrough for the WNDR3700 switch was included in OpenWRT a long time ago, should work already. Try this:

swconfig dev rtl8366s set max_length 3

I could make it the default, but guess there's a reason it's not default already?

What OpenVPN client are you using? It works fine here. Like it says in the first post, the official Android app does not work with static keys. You need to use the "OpenVPN for Android" app by a third party.

(Last edited by arokh on 13 Jun 2014, 15:33)

You can install QoS-scripts on the last build. Only adds like 150kb guess I can include it with the luci app in the next.

EDIT: Anything in the system log about OpenVPN? Works inside LAN here.

EDIT2: DOH! I wasn't on LAN, got wifi turned off. Same thing here, stuck on adding routes from LAN tongue Works from wan though.

(Last edited by arokh on 13 Jun 2014, 00:16)

Looks like you made some modifications to the config, there's no shared-secret.key in my build only static.key.

Didn't you install luci-app-openvpn? Looks like you got a section named Example_simple_routed_Server. The one in my build is named default. Compare your /etc/config/openvpn to /rom/etc/config/openvpn.