Initial Configuration

Web Administration

After a fresh installation of factory reset, OpenWRT is listenting on IP

To connect to the your router point your browser to

Login as user root without a password.

Default Configuration





not set

Administration Password

Before anything else, secure the administration account root with s secure password.

In the web administration interface, open the menu System and select Administration.

Setup a secure password with your KeePassXC and enter it in the two form fields.

Setup SSH Access

Also on the System Administration page, setup the SSH server of the router.

Choose a random TCP port, for the SSH server to listen to.

De-activate “Password authentication”.

De-activate “Allow root logins with password”.

De-activate “Gateway ports”.

Paste the public SSH client-keys of your workstation.

You can display your public keys by opening a terminal on your workstation and entering the following command:

workstation$ cat ~/.ssh/*.pub

Copy all of the displayed unreadable garbage into the clipboard and paste it into the filed at the bottom of the System Administration page in your browser.

Click the Save & Apply button when you are done.

Test SSH Access

You should be able to connect to the router by SSH now:

workstation$ ssh -v -p <YOUR_RANDOM_TCP_PORT> root@

BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 OpenWrt 18.06.0, r7188-b0b5c64c22


System Properties

In the web administration interface, open the menu System and select System.

Set a Host Name

Enter a host-name and domain in the form fields.

Set the Timezone

Select your timezone from the drop-down list. (i.e Zurich/Switzerland)

Time Synchronization

The Network Time Protocol (NTP) is used to keep the routers clock accurate. This is very important for two reasons:

  1. Network devices like routers, usually don’t have a battery-backed reatlime-clock, like PCs do. When the router has been switched off, it will not even remember in what century he is.

  2. Accurate time information is important for a lot of security and encryption related tasks.

To setup the router as NTP client and synchronize its clock from the Internet.

Choose four servers from the public NTP pool, preferably in your own country, where the router should get its time from.

NTP server candidates (for Switzerland):

Server 1

Server 2

Server 3

Server 4

All hosts in a network should have reliable time synchronization. The router, as the local network provider and manager is usually the best choice for local hosts to synchronize their time with.

By activating the option Provide NTP server, other hosts in the local network will be able to synchronize their clocks with the accurate time of the router.

This way NTP time synchronization, will also work in the local network, even if there is no Internet connection.

Click the Save & Apply button when you are done.

Setup your local network (LAN)

Setup WiFi Networks

Setup default Firewall rules

Upgrade packages

Install additional software

  • ca-certificates

  • diffutils

  • haveged

  • htop

  • nano

  • openssh-sftp-server

router$ opkg install ca-certificates diffutils haveged htop nano openssh-sftp-server

Setup server certificates

Command-Line Interface

The command-line shell ash interpreter in OpenWRT is very basic and lacks some common configuration options that I am used to.

Configuration for the shell is stored globally in /etc/profile and /root/.profile for the root user.

We want to show some additional features:

  • Show system uptime and load averages after login.

  • Show how long ago the installed packages where checked for updates.

  • List packages in need of an updates, if any.

  • Define some common command-line aliases.

  • Add some color.

  • Display hostname and path in your terminal window title.

 3# If not running interactively, don't do anything
 4case $- in
 5    *i*) ;;
 6      *) return;;
 9# set variable identifying the chroot you work in (used in the prompt below)
10if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
11    debian_chroot=$(cat /etc/debian_chroot)
14# set a fancy prompt (non-color, unless we know we "want" color)
15case "$TERM" in
16    xterm-color|*-256color) color_prompt=yes;;
19# uncomment for a colored prompt, if the terminal has the capability; turned
20# off by default to not distract the user: the focus in a terminal window
21# should be on the output of commands, not on the prompt
24if [ -n "$force_color_prompt" ]; then
25    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
26	# We have color support; assume it's compliant with Ecma-48
27	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
28	# a case would tend to support setf rather than setaf.)
29	color_prompt=yes
30    else
31	color_prompt=
32    fi
35if [ "$color_prompt" = yes ]; then
36    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
38    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
40unset color_prompt force_color_prompt
42# If this is an xterm set the title to user@host:dir
43case "$TERM" in
45    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
46    ;;
48    ;;
51alias ls='ls --color=auto'
52#alias dir='dir --color=auto'
53#alias vdir='vdir --color=auto'
55#alias grep='grep --color=auto'
56alias fgrep='fgrep --color=auto'
57alias egrep='egrep --color=auto'
59# some more ls aliases
60alias ll='ls -alF'
61alias la='ls -A'
62alias l='ls -CF'
64echo "Uptime: $(uptime)"
67#opkgInstalled="$(opkg list-installed 2> /dev/null | wc -l)" # Silencing error output
68opkgUpgradable="$(opkg list-upgradable 2> /dev/null | wc -l)" # Silencing error output
70echo The list of available packages has been updated $((($(date +%s) - $(date +%s -r "/var/opkg-lists/")) / 3600 )) hours ago && \
71	echo "$opkgUpgradable packages can be upgraded." && \
72	echo && \
73	opkg list-upgradable && \
74	echo