OpenWrt on Linksys EA7300 V2

Stock firmware runs on partition A. OpenWrt must be installed from partition B. Thus:

A --[ install stock firmware ]--> B
B --[ install OpenWrt ]--> A

Flash Linksys firmware to partition B, wait for reboot

  • Connectivity > Router Firmware Update: manual

  • open browser dev tools: shows diagnostics in console 🤓

  • select file, confirm

  • ends with [Fw update complete]

Flash OpenWrt

  • Connectivity > Router Firmware Update: manual

  • open browser dev tools: shows diagnostics in console 🤓

  • ends with "_Rebooting"

First Login and SSH

Configure SSH locally

cat <<'EOF' >> ~/.ssh/config
Host wrt
  Hostname 192.168.1.1
  User root
EOF

ssh wrt

Tail Logs

https://openwrt.org/docs/guide-user/base-system/log.essentials

logread -f

Essentials

opkg install less ripgrep htop curl
df -h /

Wifi

# set the regulatory country on both radios, then apply it
uci set wireless.radio0.country=DE
uci set wireless.radio1.country=DE
uci commit wireless
wifi reload

# list physical devices
iw phy | rg '^Wiphy (.+)' -or '$1' | sort

# show the regulatory domain (global and per device)
iw reg get
iw phy0 reg get
iw phy1 reg get

# show capabilities and supported bands
iw phy phy0 info
iw phy phy1 info

# show channels (including DFS / no-IR flags)
iw phy phy0 channels
iw phy phy1 channels

Example output:

root@wrt:~# iw phy1 reg get
global
country DE: DFS-ETSI
	(2400 - 2483 @ 40), (N/A, 20), (N/A)
	(5150 - 5250 @ 80), (N/A, 23), (N/A), NO-OUTDOOR, AUTO-BW
	(5250 - 5350 @ 80), (N/A, 20), (0 ms), NO-OUTDOOR, DFS, AUTO-BW
	(5470 - 5725 @ 160), (N/A, 26), (0 ms), DFS
	(5725 - 5875 @ 80), (N/A, 13), (N/A)
	(5945 - 6425 @ 160), (N/A, 23), (N/A), NO-OUTDOOR
	(57000 - 66000 @ 2160), (N/A, 40), (N/A)

hostname and timezone

uci set system.@system[0].hostname=wrt
# zonename is the display name; timezone is the POSIX TZ string libc actually uses
uci set system.@system[0].zonename='Europe/Berlin'
uci set system.@system[0].timezone='CET-1CEST,M3.5.0,M10.5.0/3'
uci commit system

wireguard

Follow https://openwrt.org/docs/guide-user/services/vpn/wireguard/server for the basic setup. The VPN subnet is 192.168.9.0/24, with the server on 192.168.9.1 and the first client on 192.168.9.2.

opkg update
opkg install wireguard-tools

VPN_IF="vpn"
VPN_PORT="51820"
VPN_ADDR="192.168.9.1/24"
VPN_ADDR6="fd00:9::1/64"

umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk

VPN_KEY="$(cat wgserver.key)"
VPN_PSK="$(cat wgclient.psk)"
VPN_PUB="$(cat wgclient.pub)"

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${VPN_IF}"
uci add_list firewall.lan.network="${VPN_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${VPN_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
service firewall restart

uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_KEY}"
uci set network.${VPN_IF}.listen_port="${VPN_PORT}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"

uci -q delete network.wgclient
uci set network.wgclient="wireguard_${VPN_IF}"
uci set network.wgclient.public_key="${VPN_PUB}"
uci set network.wgclient.preshared_key="${VPN_PSK}"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
uci set network.wgclient.route_allowed_ips=1
uci commit network
service network restart

To add another peer, wgclient3, with the address 192.168.9.3:

host_num=3
name=wgclient${host_num}

umask go=
wg genkey | tee ${name}.key | wg pubkey > ${name}.pub
wg genpsk > ${name}.psk
VPN_PUB="$(cat ${name}.pub)"
VPN_PSK="$(cat ${name}.psk)"
VPN_ADDR="192.168.9.1/24"
VPN_ADDR6="fd00:9::1/64"

uci -q delete network.${name}
uci set network.${name}="wireguard_vpn"
uci set network.${name}.public_key="${VPN_PUB}"
uci set network.${name}.preshared_key="${VPN_PSK}"
uci set network.${name}.description='foo'
uci add_list network.${name}.allowed_ips="${VPN_ADDR%.*}.${host_num}/32"
uci add_list network.${name}.allowed_ips="${VPN_ADDR6%:*}:${host_num}/128"
uci set network.${name}.route_allowed_ips=1
uci commit network
service network restart

See Network > Interfaces > "vpn" > Peers

QR Code for WG Tunnel

opkg install qrencode

OpenWrt needs the client's private key to generate a QR code. Remove it from the router's config again once the code has been scanned; a peer's private key does not belong on the server.

name=wgclient
uci set network.${name}.private_key="$(cat $name.key)"
uci commit network

  • Network > Interfaces > “vpn”: edit

    • tab “Peers”: edit

    • scroll down, click Generate configuration

See also https://forum.openwrt.org/t/wireguard-qr-image-missing/136560/13

In WG Tunnel:

  • Add from QR code

  • long-press, edit

  • check settings

  • note “Endpoint”

To verify:

  • disable wifi

  • enable tunnel

  • in termux: ifconfig

Linux Client

Xubuntu 22.04. Example public server IP: 123.123.123.123

First, create a peer in LuCI so we have a WireGuard config to paste values from:

  • Network > Interfaces > “vpn”: edit

    • tab “Peers”: add

      • Description: foo

      • hit Generate new key pair

      • DO NOT generate preshared key (NetworkManager bug? cannot set it)

      • Allowed IPs: 192.168.9.3/24

      • [x] Route Allowed IPs

    • scroll down, click “Generate configuration”

Install dependencies on notebook:

sudo apt-get update
sudo apt-get -y install resolvconf wireguard
nm-connection-editor

  • Connection name: wg0

  • Interface name: wg0

  • Private key: <paste>

  • [x] Add peer routes

  • Peers > Add:

    • Public key: <paste pub key of server>

    • Allowed IPs: 0.0.0.0/0

    • Endpoint: 123.123.123.123:51820

  • IPv4 Settings: Manual

    • Address: 192.168.9.3

    • Netmask: 24

    • Gateway: -

    • DNS servers: 192.168.1.1

Note

It’s important to NOT set gateway. This way, NetworkManager sets a default route based on a custom route table. See thaller’s blog below.
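The client side of the peer definitions above, as an added example (not part of the original notes or of OpenWrt): it derives a peer's addresses the same way the `uci add_list ... allowed_ips` lines do and renders the wg-quick style config that LuCI's "Generate configuration" hands out, which is what gets pasted into NetworkManager. Key material, endpoint and DNS are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original notes. Derive a peer's tunnel addresses
# exactly as the `uci add_list ... allowed_ips` lines above do, and render the
# wg-quick style client config. Keys and endpoint below are placeholders.
VPN_ADDR="192.168.9.1/24"
VPN_ADDR6="fd00:9::1/64"
VPN_DNS="192.168.1.1"        # the router's LAN address, as in the NM profile

# peer_allowed_ips HOST_NUM -> "v4/32 v6/128", i.e. what the server must carry
# as allowed_ips for that peer. .1 is the server itself, so only 2..254 is valid.
peer_allowed_ips() {
    n="$1"
    case "$n" in ''|*[!0-9]*) echo "host_num must be numeric" >&2; return 1 ;; esac
    if [ "$n" -lt 2 ] || [ "$n" -gt 254 ]; then
        echo "host_num $n outside 2..254" >&2; return 1
    fi
    # ${VAR%.*} drops the last label and the prefix: 192.168.9.1/24 -> 192.168.9
    printf '%s.%s/32 %s:%s/128\n' "${VPN_ADDR%.*}" "$n" "${VPN_ADDR6%:*}" "$n"
}

# render_client_conf HOST_NUM CLIENT_PRIVKEY SERVER_PUBKEY ENDPOINT [PSK]
# Full-tunnel client (AllowedIPs 0.0.0.0/0, ::/0) like the NetworkManager
# profile above. PresharedKey is only emitted when one is passed, so the
# PSK-less peer from the LuCI walkthrough renders cleanly as well.
render_client_conf() {
    n="$1"; privkey="$2"; server_pub="$3"; endpoint="$4"; psk="$5"
    ips=$(peer_allowed_ips "$n") || return 1
    v4=${ips% *}; v6=${ips#* }
    # the client uses the subnet prefix lengths (24 / 64), not the /32 of allowed_ips
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/%s, %s/%s\nDNS = %s\n\n' \
        "$privkey" "${v4%/*}" "${VPN_ADDR#*/}" "${v6%/*}" "${VPN_ADDR6#*/}" "$VPN_DNS"
    printf '[Peer]\nPublicKey = %s\n' "$server_pub"
    if [ -n "$psk" ]; then printf 'PresharedKey = %s\n' "$psk"; fi
    printf 'AllowedIPs = 0.0.0.0/0, ::/0\nEndpoint = %s\n' "$endpoint"
}

# Stand-alone demo with placeholder key material (real keys come from
# `wg genkey` / `wg pubkey` / `wg genpsk` on the router, as above).
render_client_conf 3 "CLIENT_PRIVATE_KEY_PLACEHOLDER" "SERVER_PUBLIC_KEY_PLACEHOLDER" \
    "123.123.123.123:51820" "PSK_PLACEHOLDER"
```

Rendering the file this way and piping it into `qrencode -t ansiutf8` avoids storing the client's private key in the router's network config; on the notebook, `nmcli connection import type wireguard file wg0.conf` creates the wg0 profile from the same file.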

Commands cheatsheet:

nmcli --overview connection show wg0
nmcli --show-secrets connection show wg0

nmcli connection down wg0; nmcli connection up wg0
ip route get 123.123.123.123  # dev wg0 table 52044 ...
ip route get 192.168.9.1  # dev lo ...
ip route get 192.168.1.1  # dev wg0 ...
ip route get 8.8.8.8  # dev wg0 table 52044 ...

See also