Initial Configuration

Web Administration

After a fresh installation or factory reset, OpenWRT is listening on IP 192.168.1.1.

To connect to your router, point your browser to 192.168.1.1.

Login as user root without a password.

Default Configuration

URL http://192.168.1.1/
User root
Password not set

Administration Password

Before anything else, secure the administration account root with a secure password.

In the web administration interface, open the menu System and select Administration.

Set up a secure password with KeePassXC and enter it in the two form fields.

Setup SSH Access

Also on the System Administration page, set up the SSH server of the router.

Choose a random TCP port for the SSH server to listen on.

De-activate “Password authentication”.

De-activate “Allow root logins with password”.

De-activate “Gateway ports”.

Paste the public SSH client-keys of your workstation.

You can display your public keys by opening a terminal on your workstation and entering the following command:

workstation$ cat ~/.ssh/*.pub

Copy all of the displayed unreadable garbage into the clipboard and paste it into the field at the bottom of the System Administration page in your browser.

Click the Save & Apply button when you are done.

Test SSH Access

You should be able to connect to the router by SSH now:

workstation$ ssh -v -p <YOUR_RANDOM_TCP_PORT> root@192.168.1.1

BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.0, r7188-b0b5c64c22
 -----------------------------------------------------

root@router:~#
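Once logged in, the SSH settings chosen on the System Administration page can be checked from the shell. The following is an added example, not part of the original page: it assumes the settings are stored as the dropbear UCI options PasswordAuth, RootPasswordAuth, GatewayPorts and Port, and that an unset option means password logins on, gateway ports off and port 22. The sample config is constructed.

```shell
#!/bin/sh
# Added example: audit a dropbear UCI config against the SSH settings above.

# Print the value of "option NAME" in FILE, or DEFAULT when it is not set.
uci_opt() {   # usage: uci_opt FILE NAME DEFAULT
	val=$(awk -v name="$2" '$1 == "option" && $2 == name { v = $3 }
		END { print v }' "$1" | tr -d "\"'")
	echo "${val:-$3}"
}

# Succeeds when a UCI boolean value means "disabled".
is_off() {
	case "$1" in
		0|off|no|false|disabled) return 0 ;;
		*) return 1 ;;
	esac
}

# Print one line per finding; succeeds only when there are none.
audit_dropbear() {   # usage: audit_dropbear CONFIG_FILE
	findings=0
	for opt in PasswordAuth RootPasswordAuth; do
		# assumed default: password logins stay allowed unless switched off
		is_off "$(uci_opt "$1" "$opt" on)" ||
			{ echo "$opt is enabled"; findings=$((findings + 1)); }
	done
	is_off "$(uci_opt "$1" GatewayPorts off)" ||
		{ echo "GatewayPorts is enabled"; findings=$((findings + 1)); }
	[ "$(uci_opt "$1" Port 22)" != 22 ] ||
		{ echo "Port is still the default 22"; findings=$((findings + 1)); }
	[ "$findings" -eq 0 ]
}

# Constructed sample: an untouched default config, written to a temporary file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'
EOF
audit_dropbear "$sample" || echo "=> not hardened yet"
rm -f "$sample"
```

On the router itself, the file to check is /etc/config/dropbear.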

System Properties

In the web administration interface, open the menu System and select System.

Set a Host Name

Enter a host-name and domain in the form fields.

Set the Timezone

Select your timezone from the drop-down list (e.g. Zurich/Switzerland).

Time Synchronization

The Network Time Protocol (NTP) is used to keep the router's clock accurate. This is very important for two reasons:

  1. Network devices like routers usually don’t have a battery-backed real-time clock like PCs do. When the router has been switched off, it will not even remember what century it is in.
  2. Accurate time information is important for a lot of security and encryption related tasks.

Set up the router as an NTP client so that it synchronizes its clock from the Internet.

Choose four servers from the public NTP pool, preferably in your own country, where the router should get its time from.

NTP server candidates (for Switzerland):

Server 1 0.ch.pool.ntp.org
Server 2 1.ch.pool.ntp.org
Server 3 2.ch.pool.ntp.org
Server 4 3.ch.pool.ntp.org

All hosts in a network should have reliable time synchronization. The router, as the local network provider and manager, is usually the best choice for local hosts to synchronize their time with.

By activating the option Provide NTP server, other hosts in the local network will be able to synchronize their clocks with the accurate time of the router.

This way, NTP time synchronization will also work in the local network, even if there is no Internet connection.

Click the Save & Apply button when you are done.

Setup your local network (LAN)

Setup WiFi Networks

Setup default Firewall rules

Upgrade packages

Install additional software

  • ca-certificates
  • diffutils
  • haveged
  • htop
  • nano
  • openssh-sftp-server
router$ opkg install ca-certificates diffutils haveged htop nano openssh-sftp-server

Setup server certificates

Command-Line Interface

The ash command-line shell interpreter in OpenWRT is very basic and lacks some common configuration options that I am used to.

Configuration for the shell is stored globally in /etc/profile and, for the root user, in /root/.profile.

We want to show some additional features:

  • Show system uptime and load averages after login.
  • Show how long ago the installed packages were checked for updates.
  • List packages in need of an update, if any.
  • Define some common command-line aliases.
  • Add some color.
  • Display hostname and path in your terminal window title.
#!/bin/sh

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >/dev/null 2>&1; then
	# We have color support; assume it's compliant with Ecma-48
	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
	# a case would tend to support setf rather than setaf.)
	color_prompt=yes
    else
	color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'

#alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

echo "Uptime: $(uptime)"
echo

#opkgInstalled="$(opkg list-installed 2> /dev/null | wc -l)" # Silencing error output
opkgUpgradable="$(opkg list-upgradable 2> /dev/null | wc -l)" # Silencing error output

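# Skip the age calculation when the package lists are missing (e.g. before the
# first 'opkg update'); otherwise the arithmetic expansion below would fail.
if [ -d /var/opkg-lists ]; then
	listAge=$(( ($(date +%s) - $(date +%s -r /var/opkg-lists)) / 3600 ))
	echo "The list of available packages has been updated $listAge hours ago"
	echo "$opkgUpgradable packages can be upgraded."
	echo
	opkg list-upgradable
	echo
fi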