OpenWrt Forum Archive

Topic: Optimized and feature rich trunk build for select routers

The content of this topic has been archived between 20 Aug 2014 and 5 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Did you.... restart the service? smile

Looks like you're still on LAN? Maybe you didn't see my edit above, it doesn't work on LAN here either. Try outside smile

(Last edited by arokh on 13 Jun 2014, 01:23)

Maybe something to do with my config using addresses from the LAN for VPN (192.168.1.50 and 192.168.1.51). Perhaps it would work if configured to use a different subnet. Anyway why would you use VPN from your LAN?

Cool smile Doing a rebuild of r41173 which includes ext4 and a working fstab. Plugging a disk should "just work".

bmccoy11 wrote:

In the next build, could you also add luci-app-openvpn?

I added it to the latest version, but it seems to be pretty broken. Messes up my config on save (doesn't keep the "secret" option for instance). Going to make it into a module instead in the next build.

ext4 works great out of the box now, thanks! I've found (I live in a rural area with 1-2 other weak 2.4GHz wireless signals in my home) that for the sweet spot in the speed:range ratio I had to set the transmit power on 2.4GHz to 22dBm (158mW) and 24dBm for 5GHz (251mW); I set the Fragmentation Threshold on both radios to 2346, and the RTS/CTS Threshold to 2347. Is there a way to set the 5GHz radio to N-only?

(Last edited by bmccoy11 on 13 Jun 2014, 19:25)

option hwmode '11n' in /etc/config/wireless should do the trick. Or use luci.

(Last edited by arokh on 13 Jun 2014, 19:48)

arokh wrote:

I find it pretty easy to navigate the current structure, but I'll have a look at that. Seems like I need PHP which isn't available on the hosting server, I've asked jow maybe it can be installed.

New release out smile

x10Hosting would work well for hosting these builds, as long as you build a small website that links to these builds so your account won't get suspended. I've been using them for a few months, with no major issues. They have PHP 5.4, Litespeed web server, unlimited storage, they support h5ai/Apaxy, and best of all, it's free. If you'd like, I could even build a website for you during my spare time that mirrors the files hosted on enduser.subsignal.org/~trondah/

(Last edited by bmccoy11 on 13 Jun 2014, 21:32)

Post your /var/etc/openvpn.conf and your OpenWRT.ovpn.

Hey if you want to build a nice website with h5ai that mirrors enduser at a daily interval, I'm all for it smile

In your client .ovpn file, change

option compress 'lzo'

to

comp-lzo

You changed the port to 450, I'm assuming you've opened that in the firewall as well? BTW, if you remove /etc/openvpn/OpenWRT.ovpn it should create a new one.

(Last edited by arokh on 14 Jun 2014, 09:22)

Well, then everything is correctly set up. What OpenVPN client are you using? Next step would be tcpdump -nn -i eth1 port 450 and check log while you connect.

(Last edited by arokh on 14 Jun 2014, 09:23)

I deleted all of my VPN related posts because they really aren't directly related to this build smile.
I'll start working on the website as soon as Freenom comes back up (so I can get a domain for the website)

So you got it working?

Are the various bits and pieces, things like VPN, removable?
Your build sounds good, but there are some things I would prefer not to have on board.

I'm trying to make the build as minimal as possible with only necessary services, it's not even 5 MB. OpenVPN is like 135 KB, what is it you feel is a waste of space? You can't remove stuff from the ROM, but patches are provided so you can build yourself.

(Last edited by arokh on 14 Jun 2014, 17:23)

So, apparently my Freenom account has been blacklisted for no reason.

If you'd like a website, all I ask is that you sign up at http://www.freenom.com/en/index.html , get a free domain (such as arokh-router.tk), and set its nameservers to ns1.x10hosting.com and ns2.x10hosting.com . That way you will have full control over the domain.

arokh wrote:

I'm trying to make the build as minimal as possible with only necessary services, it's not even 5 MB. OpenVPN is like 135 KB, what is it you feel is a waste of space? You can't remove stuff from the ROM, but patches are provided so you can build yourself.

I appreciate that, but your definition of "necessary" and mine are different.

I don't think they are a waste of space for everybody, just they are not of interest to me.

However, I am concerned that adding software that I do not need adds unnecessary complexity.
With complexity comes increased risk of system failure, and a greater attack surface for hackers et al.

The following are not things I use:

  • OpenVPN - this might be of use some time in the future, I currently use webdav, caldav, opencloud ...

  • Dynamic DNS Support - I run my own DNS (bind 9)

  • USB Storage support & SFTP - not needed see openVPN

One thing that I have been trying to do is to send commands from systems behind the router to the router.
I run two servers that provide email, calendar, address book, cloud stuff ... (I am missing some).
I run fail2ban as part of my attempt to keep the bad guys out.
My usual "ban" time is 60 minutes, but if I get a very persistent one then the "recidivist" filter kicks in and bans the IP for a week.
It would be nice to hand off the bans to the router's firewall, even if only for the "recidivist" bans.

(Last edited by zzz2002 on 15 Jun 2014, 12:44)

OpenVPN: 140KB
ddns-scripts: 7KB
USB2+SFTP: ~100KB

See what I'm getting at?

OpenVPN is installed with a static key, it's impossible to use it without acquiring the key from your router. Don't like it? Turn it off. DDNS is a set of scripts, does nothing by itself. SFTP is just a binary called by dropbear when the SSH/SFTP client asks for it. SSH is not available from the outside by default. The things you mention are useful to most people, and are standard in most routers. Your concerns about security and complexity with regards to the mentioned software are unfounded.

In this build, there's builtin SSH brute force detection from WAN in firewall.user. It limits the amount of new connections to 4 per minute, and drops the packet if it exceeds that. SSH from the outside is not allowed by default; a disabled rule to redirect port 222 from outside to SSH is included. Combine those and you don't need fail2ban IMO. You can also look into port knocking if you're worried about brute force attacks. Your concerns about security and complexity are invalid. My build is 1.9MB larger than the official releases, which are completely stripped of features.

Anyways, you are free to not use this build or build yourself. I'm not here to cater to your specific needs, I'm making this build for myself and sharing it in case someone else finds it useful.

(Last edited by arokh on 15 Jun 2014, 14:03)

Be careful, if you have Dropbear listening on WAN, then you might get someone from China trying to get in. Luckily this build has built in SSH brute force detection, and automatically blocks IPs after 10 failed log-in attempts. I had someone/something from China trying to get into my router yesterday, but their IPs were automatically blocked.

(Last edited by bmccoy11 on 15 Jun 2014, 19:12)

I think this build is great, because it's only missing three packages that I use (samba36-server, luci-app-samba, and dnscrypt-proxy).

Not 10 failed log-in attempts, but 4 new connections per minute. It does not matter if the login succeeds or not; if there have been 4 new connections within the past 60 seconds then the packet is dropped. If you want it to be more strict, just lower the value in firewall.user and optionally increase the time.

It's possible to do more fancy things like block a client for an extended period of time upon a set amount of failed login attempts, but at least for me the problem is mostly solved just by using a redirect from port 222 instead of the default port 22. I've only had one attempt there and this added protection stopped the automated attack.
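The WAN-side SSH rate limit arokh describes, written out as an added example (not the build's own firewall.user): it assumes firewall3's input_wan_rule chain, SSH on port 22, and the 4-per-60-seconds limit as tunable environment variables.

```shell
#!/bin/sh
# Added example (not the build's own firewall.user): limit new SSH connections
# from the WAN with the iptables "recent" module, as described in the thread:
# HITCOUNT new connections per WINDOW seconds pass, the next one is dropped.
# Assumptions: the firewall3 chain input_wan_rule exists, SSH listens on
# SSH_PORT, and the values below may be overridden from the environment.
HITCOUNT="${HITCOUNT:-4}"   # new connections allowed per window
WINDOW="${WINDOW:-60}"      # window length in seconds
SSH_PORT="${SSH_PORT:-22}"
LIST="${LIST:-ssh_wan}"     # recent list name, shown in /proc/net/xt_recent/$LIST

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Emit the rules as text so they can be reviewed before touching a live box.
# Rule order matters: the --update/DROP rule must precede --set, because
# --update counts only the stamps already in the list (not the current
# packet); with HITCOUNT=4 connections 1..4 pass and the 5th is dropped.
# --update also refreshes the stamp of a dropped packet, so a client that
# keeps retrying stays blocked (sliding window, not a fixed minute). The
# rule counts NEW connections, not failed logins, so successful logins count.
ssh_ratelimit_rules() {
  is_uint "$HITCOUNT" && is_uint "$WINDOW" && is_uint "$SSH_PORT" || {
    echo "ssh_ratelimit_rules: HITCOUNT, WINDOW and SSH_PORT must be unsigned integers" >&2
    return 1
  }
  cat <<EOF
iptables -A input_wan_rule -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITCOUNT -j DROP
iptables -A input_wan_rule -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name $LIST --set
EOF
}

# Apply the rules where iptables exists (e.g. called from /etc/firewall.user);
# elsewhere it does nothing and returns non-zero, so the file is safe to source.
ssh_ratelimit_apply() {
  command -v iptables >/dev/null 2>&1 || {
    echo "iptables not found, nothing applied" >&2
    return 1
  }
  ssh_ratelimit_rules | sh -e
}

# List the WAN addresses the kernel currently tracks for this rule
# (src=, ttl, last_seen and one timestamp in jiffies per counted hit).
ssh_ratelimit_status() {
  [ -r "/proc/net/xt_recent/$LIST" ] || { echo "recent list $LIST not loaded"; return 0; }
  cat "/proc/net/xt_recent/$LIST"
}
```

Lowering HITCOUNT or raising WINDOW makes the limit stricter, as arokh suggests; the status function is the quickest way to confirm which addresses are being counted.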

OK, so a question on the OpenVPN:

How can I change the IP range? I use 192.168.2.1 for my IP range.

I would like to have a road warrior setup, and this default connection does not seem to work.

I am missing something to get my laptop to connect to the router and see everything at my house when I am away; some type of road warrior configuration will work great.

I cannot change the ROM files, which look like what auto-generates these settings.

Just change your /etc/config/openvpn and your client .ovpn file to reflect those settings. You'll need to update /etc/config/igmpproxy as well for UPnP to work.

(Last edited by arokh on 16 Jun 2014, 01:30)

OpenVPN is constantly restarting. Ugh.

Sun Jun 15 20:31:10 2014 daemon.warn openvpn(default)[1831]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sun Jun 15 20:31:10 2014 daemon.notice openvpn(default)[1831]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Sun Jun 15 20:31:10 2014 daemon.notice openvpn(default)[1831]: setsockopt(IPV6_V6ONLY=0)
Sun Jun 15 20:31:10 2014 daemon.notice openvpn(default)[1831]: UDP link local (bound): [AF_INET6][undef]:450
Sun Jun 15 20:31:10 2014 daemon.notice openvpn(default)[1831]: UDP link remote: [AF_UNSPEC]
Sun Jun 15 20:33:10 2014 daemon.notice openvpn(default)[1831]: Inactivity timeout (--ping-restart), restarting
Sun Jun 15 20:33:10 2014 daemon.notice openvpn(default)[1831]: SIGUSR1[soft,ping-restart] received, process restarting
Sun Jun 15 20:33:10 2014 daemon.notice openvpn(default)[1831]: Restart pause, 5 second(s)
Sun Jun 15 20:33:15 2014 daemon.notice openvpn(default)[1831]: Re-using pre-shared static key
Sun Jun 15 20:33:15 2014 daemon.notice openvpn(default)[1831]: Preserving previous TUN/TAP instance: tun0
Sun Jun 15 20:33:15 2014 daemon.warn openvpn(default)[1831]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sun Jun 15 20:33:15 2014 daemon.notice openvpn(default)[1831]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Sun Jun 15 20:33:15 2014 daemon.notice openvpn(default)[1831]: setsockopt(IPV6_V6ONLY=0)
Sun Jun 15 20:33:15 2014 daemon.notice openvpn(default)[1831]: UDP link local (bound): [AF_INET6][undef]:450
Sun Jun 15 20:33:15 2014 daemon.notice openvpn(default)[1831]: UDP link remote: [AF_UNSPEC]
Sun Jun 15 20:35:15 2014 daemon.notice openvpn(default)[1831]: Inactivity timeout (--ping-restart), restarting
Sun Jun 15 20:35:15 2014 daemon.notice openvpn(default)[1831]: SIGUSR1[soft,ping-restart] received, process restarting
Sun Jun 15 20:35:15 2014 daemon.notice openvpn(default)[1831]: Restart pause, 5 second(s)
Sun Jun 15 20:35:20 2014 daemon.notice openvpn(default)[1831]: Re-using pre-shared static key
Sun Jun 15 20:35:20 2014 daemon.notice openvpn(default)[1831]: Preserving previous TUN/TAP instance: tun0
Sun Jun 15 20:35:20 2014 daemon.warn openvpn(default)[1831]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sun Jun 15 20:35:20 2014 daemon.notice openvpn(default)[1831]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Sun Jun 15 20:35:20 2014 daemon.notice openvpn(default)[1831]: setsockopt(IPV6_V6ONLY=0)
Sun Jun 15 20:35:20 2014 daemon.notice openvpn(default)[1831]: UDP link local (bound): [AF_INET6][undef]:450
Sun Jun 15 20:35:20 2014 daemon.notice openvpn(default)[1831]: UDP link remote: [AF_UNSPEC]

P.S, could you sign up for a domain at Freenom and PM me the domain?

Sorry, posts 51 to 50 are missing from our archive.