Using OpenWRT as Router

Cheap routers as a general problem

Some years ago, I had a very cheap router, a TP-Link DIR 600. That router made me very unhappy, for several reasons. I had this ‘unsecure’ router and was unhappy about it.

First, the software running on the router was very limited. How limited? I was only able to set a few firewall rules (DNAT for example) on my own. If I recall correctly, I wasn’t able to redirect any port.

Second, I had very little insight into the device. You just got a very basic logger on the device that gave only the minimal amount of information. This is especially a problem when you try to debug connections. My ISP at that time made it even harder, because they did Carrier-grade NAT. That means they were not giving me a real public IP, but a private IP. The router on the other side of the DSL modem then NATed it back. Not nice for forwarding traffic.

Last, the software had some flaws. Replacing this device was one of my better decisions [0]; when the router apocalypse came I was prepared. The TP-LINK DIR 600 was affected very much. However, back at the time this wasn’t much of an issue. The software just had some limitations and that drove me crazy.

OpenWrt

is a Linux distribution that is intended to support small routers (CPE). Its focus in general is on WiFi. Another possible software to run on such small routers is for example DD-WRT.

However, my old router (DIR 600) didn’t support any other software. There were no drivers for some important parts of the device. So a new device was needed.

I chose OpenWRT over DD-WRT for a simple reason. I know some people who work with it; they do Freifunk. They rely heavily on OpenWrt and modified the software to their needs. Most of them worked with the TP-Link WDR3600.

Why such small devices after all? I mean, it might be more reasonable to get better hardware to use as a router. The answer is simple. The router is very cheap. They don’t draw much power and I don’t have to play around with the hardware.

In addition to this, I liked to play around with embedded hardware. This way I would touch something other than an x86 system. The TP-Link WDR3600 is based on a MIPS CPU architecture. Something completely different.

OpenWrt as router

So I got one like this.

The installation process is simple. You need to download the generic-tl-wdr3600-v1-squashfs-factory.bin. Drop this file in the update firmware page of the original firmware and you are good to go! But you can find more details here.

Next, log in to the box via telnet.

Please note: I had some upgrade issues, which I documented a while ago. One problem of OpenWRT is that you don’t have any kind of auto update. At least I haven’t found one yet.

Installing software on an OpenWRT router

Here are some basic things. OpenWRT provides a package manager called opkg, similar to Debian’s apt. More information.

Installing openvpn

There are some remarks about the openvpn installation. By default it uses a different SSL library; you’ll get something like polarssl. I installed openvpn with openssl support. That keeps my configuration quite similar across machines and does not create snowflake configuration files.

opkg install openvpn-openssl

Besides, you shouldn’t trust any SSL implementation that hasn’t been audited. openssl is bad, broken and fucked up. But I would bet it’s the least broken. Especially since the Heartbleed incident, its infrastructure has gained a big amount of attention and money. All of which raises the chances that the software stops being such a waste. Another possible SSL implementation to use would be LibreSSL, but this is getting off topic.

Installing openssh

While OpenWRT provides the dropbear SSH server, I always like to use OpenSSH instead. You can install and set up openssh via:

opkg install openssh-server

Please note that you need to disable dropbear in favour of openssh.
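The switch from dropbear to OpenSSH, as an added example (not from the original post or the OpenWrt project): it installs the package, pins a few sshd_config settings, starts sshd and only then disables dropbear, so there is always one working SSH daemon. It assumes the OpenWrt defaults that openssh-server ships /etc/init.d/sshd and reads /etc/ssh/sshd_config, and that dropbear keeps its keys in /etc/dropbear/authorized_keys.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumptions (OpenWrt defaults):
# openssh-server provides /etc/init.d/sshd and /etc/ssh/sshd_config,
# dropbear keeps authorized keys in /etc/dropbear/authorized_keys.

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, which is why hardening lines cannot simply be
# appended after an existing "PasswordAuthentication yes".
# $1 = config file, $2 = keyword
sshd_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Rewrite $1 so that the hardening block below is the only occurrence of
# the keywords it sets; everything else in the file is left alone.
harden_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp"
    grep -v -E '^(# hardened-by-script|PasswordAuthentication|PermitRootLogin|KexAlgorithms|Ciphers|MACs)( |$)' "$cfg" > "$tmp" 2>/dev/null || true
    cat >> "$tmp" <<'EOF'
# hardened-by-script
PasswordAuthentication no
PermitRootLogin prohibit-password
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
    mv "$tmp" "$cfg"
}

# Full procedure on the router. Run it from a second session and test a
# key-based login over OpenSSH before you let it stop dropbear.
switch_to_openssh() {
    opkg update
    opkg install openssh-server
    # carry the keys dropbear already trusts over to OpenSSH's location
    mkdir -p /root/.ssh
    [ -f /etc/dropbear/authorized_keys ] && cat /etc/dropbear/authorized_keys >> /root/.ssh/authorized_keys
    chmod 700 /root/.ssh
    chmod 600 /root/.ssh/authorized_keys
    harden_sshd_config /etc/ssh/sshd_config
    /etc/init.d/sshd enable
    /etc/init.d/sshd start
    # last step: retire dropbear, now that sshd is reachable
    /etc/init.d/dropbear disable
    /etc/init.d/dropbear stop
}

if [ "${1:-}" = "--apply" ]; then
    switch_to_openssh
fi
```

Invoke it as `sh switch.sh --apply` on the router; without the flag the script only defines the functions, so `harden_sshd_config` can be tried on a copy of the config first. With `PasswordAuthentication no` you are locked out unless a key is in /root/.ssh/authorized_keys, which is why the keys are copied over before sshd starts.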

Issues

My experience so far: very good. By now I have an SSH server on it with well-chosen crypto settings in place (yay). WiFi is somewhat okay-ish. Some of the hardware support for WiFi isn’t working. Nothing too bad.

IPv6 is a pain

There is one exception: IPv6.

For some reason the IPv6 stack is broken. It’s not broken in its function: I’m able to send and receive data. But any Linux client does not get correct routing information. Windows clients are not affected.

This is what makes it strange.

I have a router in the ISP-provided modem. It connects me to my cable ISP. I have Dual Stack Lite (DS-Lite) on this modem. By the way, don’t get me started about the security of this device…. DS-Lite means: I have a fully working IPv6 address, and again my provider does Carrier-grade NAT for IPv4. That’s acceptable.

So what this modem does is announce its IPv6 network prefix to the network. My OpenWRT is the next router that does the forwarding. It acts as gateway and protects me from everything. I don’t trust the ISP modem. I do NAT for IPv4.

But because this is a native IPv6 modem, it tries to auto-configure IPv6 on all clients in the network. For this we need Router Advertisements.

However, the Linux client seems to get the IPv6 route wrong. Instead of replacing the gateway with the correct IPv6 address of the OpenWRT router, it keeps using the IPv6 address of the modem. Windows, however, does get the correct IPv6 route…. It goes to the OpenWRT gateway, which forwards all the IPv6 traffic to the modem. My Linux, however, misses that hop and can’t reach the web correctly via IPv6.

It seems to be a kernel bug in OpenWRT. But I might have to dig into this at some point… My fix for the moment is to just place the IPv6 route manually on my Linux clients… and don’t get me started on newer Android devices….
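The manual-route workaround on a Linux client, as an added example (not the post's own commands): it reads which gateway the client currently has for its IPv6 default route, and if that is not the OpenWRT box it replaces the route and stops the kernel from taking a default router from Router Advertisements again. The link-local address `fe80::1`, the interface name `eth0` and the sample `ip -6 route` line are constructed placeholders; substitute what `ip -6 addr` shows on your OpenWRT box and client.

```shell
#!/bin/sh
# Added example, not from the original post. OPENWRT_GW and LAN_IF are
# constructed placeholders for the OpenWrt LAN link-local address and the
# client's LAN interface.
OPENWRT_GW="fe80::1"
LAN_IF="eth0"

# Read `ip -6 route show default` output on stdin and print the gateway
# address of the first default route ('via ...'); print nothing if absent.
default_v6_gateway() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Exit 0 when the route output in $1 already points at the OpenWrt box.
v6_gateway_is_openwrt() {
    gw=$(printf '%s\n' "$1" | default_v6_gateway)
    [ "$gw" = "$OPENWRT_GW" ]
}

# Install the route by hand. A link-local gateway needs the 'dev' part.
# accept_ra_defrtr=0 keeps the kernel from replacing the route with the
# modem's advertised default router while still accepting the prefix, so
# address autoconfiguration keeps working.
pin_v6_default_route() {
    ip -6 route replace default via "$OPENWRT_GW" dev "$LAN_IF"
    sysctl -w "net.ipv6.conf.$LAN_IF.accept_ra_defrtr=0"
}

# Constructed sample of what the broken client showed: the default route
# points at the modem (fe80::abcd:1), learned from a Router Advertisement.
SAMPLE_BAD='default via fe80::abcd:1 dev eth0 proto ra metric 1024 expires 1788sec hoplimit 64 pref medium'

if [ "${1:-}" = "--fix" ]; then
    if v6_gateway_is_openwrt "$(ip -6 route show default)"; then
        echo "default route already via $OPENWRT_GW, nothing to do"
    else
        pin_v6_default_route
    fi
fi
```

Run it as root with `--fix`; without the flag it only defines the check. The sysctl does not survive a reboot, so put `net.ipv6.conf.eth0.accept_ra_defrtr = 0` into a file under /etc/sysctl.d/ and re-add the route from your network manager's up-hook if you want the fix to persist.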

Security aftermath

Two years ago (around 2015) there was something that was called the ‘plastic router apocalypse’. tl;dr: Poor products with bad design flaws became victims of bad people.

Long story: Most routers are left unattended and unmaintained, because they are produced very cheaply and en masse. They’re placed only once, after you purchase a DSL connection. No one bothers about this type of device.

At some point, some guys started to take a look at them, looking for security flaws. What they found was bad. Many flaws. This was partially bad because most of these plastic routers are exposed directly to the internet. So they became victims of the bad guys.

So replacing it

Resources

[0] http://www.s3cur1ty.de/m1adv2013-003

€dit: It took me 3.2 years to get this from a draft to a finished document… so things are moving!