Router Backup

Goto Sytem - Backup / Flash Firmware

Prerequisites

Required Software

The backup script uses the following programs:

  • gnupg - GNU Privacy Guard
  • gnupg-utils - Key management utilities.
  • gzip - compression utility
  • rsync - copy files to and from remote machines.
  • tar - utility to package a set of files in a archive file.

To install these:

$ opkg install gnupg gnupg-utils gzip rsync tar

SSH Keys

To transfer the backups to our network attached storage, we need a user-profile on that system along with SSH private and public keys:

$ cd /root
$ mkdir .ssh
$ dropbearkey -t rsa -f .ssh/id_rsa

The command will print out the public key and fingerprint when done.

Dropbear does not create a public key file as OpenSSH. You can display the public key anytime again with the following command:

$ dropbearkey -f .ssh/id_rsa -y

Install the public key on the storage system in the users home folder.

OpenPGP keys

We need the public key of the user backups are encrypted.

$ gpg –keyserver pgpkeys.urown.net –search-keys 0x0123456789ABCDEF $ gpg –edit-key 0x0123456789ABCDEF gpg> trust

1 = I don’t know or won’t say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu

Your decision? 5 gpg> quit

What to Back Up

Gather information on the differences between a freshly installed OpenWRT system and your actual currently running system:

Installed Packages

Create a list of all installed packages and save it to a file for later backup:

$ opkg list-installed > /root/opkg-installed.txt

Create a list of modified configuration files:

$ opkg list-changed-conffiles > /root/opkg-conffiles.txt

System Default Backup

System default and installed packages backup:

  • /etc/config/ddns
  • /etc/config/dhcp
  • /etc/config/dropbear
  • /etc/config/firewall
  • /etc/config/luci
  • /etc/config/network
  • /etc/config/ntpclient
  • /etc/config/openvpn
  • /etc/config/openvpn.opkg
  • /etc/config/qos
  • /etc/config/radvd
  • /etc/config/system
  • /etc/config/ubootenv
  • /etc/config/ucitrack
  • /etc/config/uhttpd
  • /etc/config/upnpd
  • /etc/config/wifitoggle
  • /etc/config/wireless
  • /etc/dropbear/authorized_keys
  • /etc/dropbear/dropbear_dss_host_key
  • /etc/dropbear/dropbear_rsa_host_key
  • /etc/firewall.user
  • /etc/group
  • /etc/hosts
  • /etc/inittab
  • /etc/ntp.conf
  • /etc/openvpn/alainwolf.net.crl.pem
  • /etc/openvpn/alainwolf.net_CA.cert.pem
  • /etc/openvpn/dh1024.pem
  • /etc/openvpn/dh2048.pem
  • /etc/openvpn/home.alainwolf.net.cert.pem
  • /etc/openvpn/home.alainwolf.net.key.pem
  • /etc/openvpn/road-warrior-server.conf
  • /etc/openvpn/tls-auth.key
  • /etc/passwd
  • /etc/profile
  • /etc/rc.local
  • /etc/shadow
  • /etc/shells
  • /etc/sysctl.conf
  • /etc/uhttpd.crt
  • /etc/uhttpd.key
  • /etc/unbound/unbound.conf

Manually added

Unbound DNS resolver:

  • /etc/unbound/ICANN.cache
  • /etc/unbound/ORSN.cache
  • /etc/unbound/root.key
  • /etc/unbound/dlv.isc.org.key
  • /etc/unbound/unbound.conf.d/local-zone.conf
  • /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

Custom DNS resolver files:

  • /etc/resolv.conf.google
  • /etc/resolv.conf.lan
  • /etc/resolv.conf.local

List of Installed software packages and configuration files:

  • /root/opkg-installed.txt
  • /root/opkg-conffiles.txt

Backup Script

By backing up the /etc and /root directories with the up-to-date list of installed packages we might be on the save side.

#!/bin/ash
#
# OpenWRT router backup script
#

# List of directories and files to backup
BACKUP_LIST='/etc /root'

# Where to save backup archives
LOCAL_DIR='/tmp'
BACKUP_FILE="${HOSTNAME}-$(date +'%F_%H-%M-%S')"

# OpenPGP key ID to encrypt backup files to.
PGP_ID='0x0123456789ABCDEF'

# Remote system to store backups
SSH_HOST='scott.example.net'
SSH_PORT='17251'
SSH_USER='ohura'
SSH_ID='/root/.ssh/id_rsa'
REMOTE_DIR='/volume1/backup'

LOGFILE='/var/log/backup.log'
RSYNC_RSH="ssh -p ${SSH_PORT}"
source="$LOCAL_DIR"
target="${SSH_USER}@${SSH_HOST}:${REMOTE_DIR}"

# Remove old backups
rm ${LOCAL_DIR}/${HOSTNAME}-*.tar.gz
rm ${LOCAL_DIR}/${HOSTNAME}-*.tar.gz.pgp

# Backup, compress an encrypt
tar --create --exclude-backups --verify --auto-compress \
        --file ${BACKUP_FILE}.tar.gz \
        ${BACKUP_LIST}
gpg --batch --recipient ${PGP_ID} --encrypt ${BACKUP_FILE}.tar.gz

# Transfer to remote storage
/bin/rsync --archive --delete --super --rsh "${RSYNC_RSH}" \
            --log-file ${LOGFILE} \
            --human-readable --stats \
            "${source}" "${target}"