Keeping the Router Updated
Let the router tell us when there are updates available.
Software Packages
The excellent opkg upgrade script from Gustavo Arnosti Neves.
The router must be able to send out mails.
Installing the Script
router$ opkg install ca-certificates openssl-util
router$ wget 'https://raw.githubusercontent.com/tavinus/opkg-upgrade/master/opkg-upgrade.sh' \
-O "/tmp/opkg-upgrade.sh"
router$ chmod 755 "/tmp/opkg-upgrade.sh"
router$ /tmp/opkg-upgrade.sh --install
Checking for Updates
router$ opkg-upgrade
Cron Job
Let’s create a scheduled job that checks for updated packages every 16 hours and notifies us by mail:
router$ EDITOR=$(which nano) crontab -e
Insert the following lines:
# Send any output by mail to hostmaster@example.net
MAILTO=hostmaster@example.net
#
#min hour mday month wday cmd
35 */16 * * * /usr/sbin/opkg-upgrade --text-only --ssmtp hostmaster@example.net

# crontab and fstab must end with the last line a space or comment
Use CTRL+X and Y to save and exit.
Restart cron to re-read its configuration:
router$ /etc/init.d/cron restart
OpenWrt Releases
No automation here.
You need to follow the OpenWrt Project page.
Firmware Download
Each OpenWrt firmware image has a checksum that is used to verify its integrity after download.
The file containing the checksums is signed with an OpenPGP key. The OpenWrt team uses a distinct “release signing key” to sign the checksum files of a major OpenWrt release and its subsequent point releases.
The release keys are published on the OpenWrt Public Keys page.
The steps necessary to download and verify a firmware image are:
Find the appropriate firmware image file on the download site or one of the mirror sites.
Download the image file.
Download the checksum file (found at the bottom of the download page).
Download the OpenPGP signature file of the checksum file (also found at the bottom of the download page).
Download the public OpenPGP release key from the OpenWrt Public Keys page.
Add the release key to your public keyring, set trust and sign it locally.
Verify the OpenPGP signature of the checksum file.
Verify the integrity of the image file with the checksum file.
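The last two steps above (signature, then checksum) done by hand, as an added example that is not part of the original page or of the OpenWrt project. It assumes GnuPG and GNU sha256sum on the desktop, the release key already imported, and a checksum file and detached signature named sha256sums and sha256sums.asc; the function names and RELEASE_KEY_FINGERPRINT are placeholders.

```shell
#!/bin/sh
# Added example: manual signature and checksum verification of a firmware image.
# Function names are illustrative, not taken from OpenWrt.

# Succeeds only if SIG is a valid signature over SUMS made by the key whose
# primary fingerprint is FPR (40 hex digits, upper case, no spaces).
# Pinning the fingerprint rejects valid signatures from any other key
# that happens to be in the keyring.
verify_signature() {   # verify_signature FPR SUMS SIG
    gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null |
        awk -v fpr="$1" '$2 == "VALIDSIG" && $NF == fpr { ok = 1 }
                         END { exit !ok }'
}

# Succeeds only if SUMS has an entry for IMAGE and the SHA-256 digest matches.
# Returns 2 when the image is not listed, so "not listed" is never mistaken
# for "verified".
verify_checksum() {    # verify_checksum SUMS IMAGE
    name=$(basename "$2")
    # Lines look like "<hex digest> *<file name>"; compare the name exactly.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print $1 }' "$1")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 2; }
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Signature first: the checksum file is trusted only once its signature checks out.
verify_image() {       # verify_image FPR SUMS SIG IMAGE
    verify_signature "$1" "$2" "$3" || { echo "BAD SIGNATURE on $2" >&2; return 1; }
    verify_checksum "$2" "$4"       || { echo "CHECKSUM FAILED for $4" >&2; return 1; }
    echo "OK: $4"
}

# Usage (placeholder fingerprint; take the real one from the Public Keys page):
#   verify_image RELEASE_KEY_FINGERPRINT sha256sums sha256sums.asc \
#       openwrt-18.06.0-ar71xx-generic-wndr3800-squashfs-sysupgrade.bin
```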
That's a lot of work. Fortunately, OpenWrt supplies a convenience script that automates the required download and signature verification steps, taking care of everything except the first step.
With the download script, it's enough to supply the URL of the firmware image to download:
desktop$ cd ~/Downloads
desktop$ wget -O openwrt-download.sh 'https://openwrt.org/_export/code/docs/guide-user/security/release_signatures?codeblock=1'
desktop$ chmod 755 openwrt-download.sh
desktop$ ./openwrt-download.sh https://downloads.lede-project.urown.net/releases/18.06.0/targets/ar71xx/generic/openwrt-18.06.0-ar71xx-generic-wndr3800-squashfs-sysupgrade.bin
Transfer the verified image to the router:
desktop$ scp openwrt-18.06.0-ar71xx-generic-wndr3800-squashfs-sysupgrade.bin \
root@router.lan:/tmp/sysupgrade.bin
Preparation
Make sure you have all your relevant config files listed in the /etc/sysupgrade.conf file on the router:
router$ less /etc/sysupgrade.conf
Make sure you have all your user-installed packages listed in the file /root/opkg-user-installed.txt:
router$ awk '/^Package:/{PKG= $2} /^Status: .*user installed/{print PKG}' /usr/lib/opkg/status \
> /root/opkg-user-installed.txt
Make one last backup before starting the system upgrade procedure:
router$ /root/openwrt-backup.sh
Firmware Upgrade
router$ sysupgrade -v /tmp/sysupgrade.bin
Post-Upgrade
TBD