Skip to content

Latest commit

 

History

History
418 lines (385 loc) · 16.5 KB

README.md

File metadata and controls

418 lines (385 loc) · 16.5 KB

openwrt-scripts

OpenWrt scripts for USB 3.0, WPA3, SFTP, SMB, NFS, DDNS, SQM QoS, Acme, OpenVPN, IKEv2/IPsec, Adblock, Watchcat, mSMTP

Objective

Create a generic script to install custom OpenWrt configuration automatically on each new release, since 2018 and is now stable

Main functionalities

  • Wi-Fi SSID and password settings
  • Wi-Fi MESH SSID and password settings
  • Wi-Fi Guest SSID_Guest and password settings
  • TimeZone settings
  • Dynamic DNS settings
  • DHCP Static Leases settings
  • Host entries settings
  • Manage Firewall - Zone (wan/lan/guest/vpn) settings
  • Firewall - Port Forwards settings
  • Manage USB 3.0 and UAS Storage with ext4 / FAT / exFAT / ntfs supported filesystem
  • Create and moving Rootfs & Swap on USB storage
  • Able to use USB Dongle LTE/4G as wan interface
  • Enable WPA3 Wi-Fi security encryption - WPA2/WPA3 (PSK/SAE)
  • Adblock running on the router

Others functionalities

Legend

  • Include by default ✔️
  • Optional and depend on config env file 📄

List of packages / services

  • SFTP fileserver ✔️
  • Samba SMB/CIFS fileserver 📄
  • NFS fileserver 📄
  • Dynamic DNS for external IP naming ✔️
  • Advanced Reboot UI 📄
  • SQM QoS (aka Smart Queue Management) 📄
  • Enable Freebox TV QoS advices when Freebox Server is set as bridge 📄
  • Satistics with collectd 📄
  • Acme certificates and script ✔️
  • uHTTPd UI ✔️
  • OpenVPN 📄
    • Generate OpenVPN certificates files
    • Set server for clients to access to local network with local gateway (based on username/password)
    • Set server Site-to-Site config with domain suffix capability (based on username/password)
    • Import existing client config file
  • IKEv2/IPsec VPN server with strongSwan 📄
    • Set server for clients to access to local network with local gateway (based on username/password)
  • Adblock ✔️
  • Block ip addresses that track attacks, spyware, viruses ✔️
  • Watchcat - network watchdog (periodic reboot or reboot on internet drop) ✔️
  • mSMTP - SMTP clients ✔️

Terminal OpenWrt status on login

  • General system information
  • Disk usage
  • Network information
  • Network devices
  • IPsec connected users
  • OpenVPN connected users
  • Keep system up to date

Healthcheck

  • wifi: Check wifi radios/devices every 1 min ✔️
  • url: Check url(s) status every 3 mins ✔️
  • wwan: Check LTE connection every 3 mins 📄
  • nas: Check NAS status and Port Forwards http/https every 3 mins 📄

Hardware tested / Firmware to download

Supported OpenWrt build version

OpenWrt release My Branches/Tag Supported
18.06 19.07 ✔️
19.07 19.07 ✔️
21.02 Current ✔️

Supported VPN server environments

VPN server Linux Windows 10 Android 11 iOS
IKEv2/IPsec with strongSwan ✔️ ✔️ ✔️
OpenVPN ✔️ ✔️ ✔️

Requirements

How to use with OpenWrt UI

  1. Backup current config .tar.gz file and keep only :
  • /etc/shadow to keep the default login/password
  • /etc/acme/<sub.domain.com> to keep current Acme certificates
  • /et/easy-rsa/pki to keep current OpenVPN certificates
  1. Add this repository files under /root folder on your .tar.gz backup file
  2. Create your own /root/.env file based the example and add it on your .tar.gz backup file (optional, can be done by script)
  3. Flash new firmware image and Restore with your new .tar.gz backup file
  4. Open ssh terminal to connect to OpenWrt
$ ssh openwrt
  1. Start the installation setup and follow the questions
$ /root/opkg-install.sh 2>&1 | tee /var/log/opkg-install.log

Script usage

$ /root/opkg-install.sh 2>&1 | tee /var/log/opkg-install.log

Script steps

  1. Create and moving Rootfs & Swap on new USB storage
  2. Rebuild Rootfs on existing USB storage
  3. Start OpenWrt setup installation

Script setup variables

.env-readme

USB default partitions architecture

Device Type Label Default size
sda
├─sda1 swap 2 x existing RAM with max of 512Mb
├─sda2 ext4 rootfs 4Go
└─sda3 vfat data 10Go --> mount point /mnt/data

Screenshots

  • Wireless Overview
  • Interfaces
  • Firewall
  • Network Shares
  • Scheduled Tasks
  • Smart Queue Management
  • Adblock
  • OpenVPN instances
    • OpenVPN Server
    • OpenVPN Server Site-to-Site (s2s)

Output sample when "Create and moving Rootfs & Swap on new USB storage"

* Set access rights on uploaded files
*
* You are connected to the internet.
*
* Create and moving Rootfs & Swap on new USB storage? [y/N] y
* Please unplug USB storage <enter to continue>...
* Checking for updates, please wait...
* Package USB 3.0 disk management
* Package ext4/FAT
* Package mounted partitions
* Package exFAT/ntfs
* Package hd-idle
* Package SFTP fileserver
* Package wget
* Package disk utilities
* Please plug back in USB storage <enter to continue>...
*
* List of available USB devices:
*
Disk /dev/sda: 14.32 GiB, 15376318464 bytes, 30031872 sectors
Disk model: Ultra Fit
Disklabel type: dos
Device     Boot   Start      End  Sectors  Size Id Type
/dev/sda1          2048  1050623 20592640 13.8G 83 Linux
*
NAME   FSTYPE LABEL       UUID                                 FSAVAIL FSUSE% MOUNTPOINT
sda
└─sda1 vfat   data        8FC8-3FAD
*
* Enter USB device? </dev/sda>
* Unmount all 3 partitions on /dev/sda
* Built-in USB device for /dev/sda? [y/N] y
* Wiping all signatures for /dev/sda
*
*
*
* Reboot to complete wipefs on /dev/sda? [y/N]
* Please unplug and plug back in /dev/sda <enter to continue>...
* Info: Double RAM for machines with 512MB of RAM or less than, and same with more.
* Current RAM: 512MB
* Enter swap partition size? <512MB>
* Enter root partition size? <4GB>
* Create data partition of <10GB>
*
* Partitions detail for /dev/sda:
Disk /dev/sda: 14.32 GiB, 15376318464 bytes, 30031872 sectors
Disk model: Ultra Fit
Disklabel type: dos
Device     Boot   Start      End  Sectors  Size Id Type
/dev/sda1          2048  1050623  1048576  512M 83 Linux
/dev/sda2       1050624  9439231  8388608    4G 83 Linux
/dev/sda3       9439232 30031871 20592640  9.8G 83 Linux
*
*
*
*
* Reboot to complete partitions creation on /dev/sda? [y/N]
* Please unplug and plug back in /dev/sda <enter to continue>...
*
* Format partitions with swap/ext4/fat32
*
* Partitions detail for /dev/sda:
NAME   FSTYPE FSVER LABEL       UUID                                 FSAVAIL FSUSE% MOUNTPOINT
sda
├─sda1 swap
├─sda2 ext4         rootfs      98d50326-db8a-4314-ba22-2d91864e3381
└─sda3 vfat         data        8FC8-3FAD
*
* Remove disk utilities packages
*
* Add swap of 512MB on /dev/sda1
* Move overlayfs:/overlay to 4GB on /dev/sda2
* Add free storage of 9.6GB on /dev/sda3
*
* UCI config fstab
* Enable all mounted partitions
* Please check mounted partitions http://openwrt/cgi-bin/luci/admin/system/mounts
* Copy /overlay on /dev/sda2 partition...
*
*
*
* Reboot to complete "Rootfs & Swap on USB Storage" <enter to continue>...

Output sample when "Rebuild Rootfs on existing USB storage"

* Set access rights on uploaded files
*
* You are connected to the internet.
*
* Create and moving Rootfs & Swap on new USB storage? [y/N]
* Rebuild Rootfs on existing USB storage? [y/N] y
* Please unplug USB storage <enter to continue>...
* Checking for updates, please wait...
* Package USB 3.0 disk management
* Package ext4/FAT
* Package mounted partitions
* Package exFAT/ntfs
* Package hd-idle
* Package SFTP fileserver
* Package wget
* Package disk utilities
* Please plug back in USB storage <enter to continue>...
*
* List of available USB devices:
*
NAME   FSTYPE LABEL       UUID                                 FSAVAIL FSUSE% MOUNTPOINT
├─sda1 swap
├─sda2 ext4         rootfs      98d50326-db8a-4314-ba22-2d91864e3381
└─sda3 vfat         data        8FC8-3FAD
*
* Enter swap device? </dev/sda1>
* Enter rootfs device? </dev/sda2>
*
* Format partitions with swap/ext4
* Remove disk utilities packages
* UCI config fstab
* Enable all mounted partitions
* Please check mounted partitions http://openwrt/cgi-bin/luci/admin/system/mounts
* Copy /overlay on /dev/sda2 partition...
*
*
*
* Reboot to complete the "Rootfs & Swap on USB Storage" <enter to continue>...

Output sample when "Start OpenWrt setup installation"

* Set access rights on uploaded files
*
* You are connected to the internet.
*
* Create and moving Rootfs & Swap on new USB storage? [y/N]
* Rebuild Rootfs on existing USB storage? [y/N]
*
* The current setup:
*
*
* Do you accept this setup? [Y/n]
*
* Start time: Tue Apr 19 07:22:02 UTC 2022
*
* UCI config luci
* UCI config timezone
* UCI config lan network
* UCI config Guest network
* UCI config dhcp
* UCI config firewall
* UCI config firewall redirect
* UCI config firewall rule
* UCI config wireless
* UCI config dhcp static leases
* UCI config dhcp host
* UCI config dhcp domain
* Checking for updates, please wait...
* Package Advanced Reboot UI
* Package USB 3.0 disk management
* Package ext4/FAT/exFAT/ntfs
* Package mounted partitions
* UCI enable mounted partitions
* UCI mount partitions
* Package hd-idle
* UCI config hd-idle
* Package WPA2/WPA3 Personal (PSK/SAE) mixed mode
* UCI config WPA2/WPA3 (PSK/SAE)
* Package SFTP fileserver
* Package Samba SMB/CIFS fileserver
* UCI config samba
* Set Samba as local master = yes
* Package NFS fileserver
* UCI config nfs
* Package Dynamic DNS for external IP naming
* UCI config ddns
* Package firewall rtsp nat helper
* Add firewall rtsp config
* Package SQM QoS (aka Smart Queue Management)
* UCI config SQM QoS
* Package for ACME script
* Install ACME script
[Mon Oct 18 06:55:59 UTC 2021] It is recommended to install socat first.
[Mon Oct 18 06:55:59 UTC 2021] We use socat for standalone server if you use standalone mode.
[Mon Oct 18 06:55:59 UTC 2021] If you don't use standalone mode, just ignore this warning.
[Mon Oct 18 06:55:59 UTC 2021] Installing to /etc/acme
cp: can't stat 'acme.sh': No such file or directory
[Mon Oct 18 06:55:59 UTC 2021] Install failed, can not copy acme.sh
[Mon Oct 18 06:56:00 UTC 2021] Installing from online archive.
[Mon Oct 18 06:56:00 UTC 2021] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Mon Oct 18 06:56:05 UTC 2021] Extracting master.tar.gz
[Mon Oct 18 06:56:14 UTC 2021] It is recommended to install socat first.
[Mon Oct 18 06:56:14 UTC 2021] We use socat for standalone server if you use standalone mode.
[Mon Oct 18 06:56:14 UTC 2021] If you don't use standalone mode, just ignore this warning.
[Mon Oct 18 06:56:14 UTC 2021] Installing to /etc/acme
[Mon Oct 18 06:56:14 UTC 2021] Installed to /etc/acme/acme.sh
[Mon Oct 18 06:56:20 UTC 2021] OK
[Mon Oct 18 06:56:20 UTC 2021] Install success!
[Mon Oct 18 06:56:27 UTC 2021] Upgrade success!
* Package Acme UI
* UCI config acme
* Get ACME certificates
[Mon Oct 18 06:56:34 UTC 2021] Domains not changed.
[Mon Oct 18 06:56:34 UTC 2021] Skip, Next renewal time is: Fri Nov  5 07:50:47 UTC 2021
[Mon Oct 18 06:56:34 UTC 2021] Add '--force' to force to renew.
* Package uHTTPd UI
* UCI config uHTTPd
* Package VPN client with OpenVPN
* Set OpenVPN config files
* Set OpenVPN certificates files with network & firewall config
* UCI config firewall for IKEv2/IPsec VPN server
* UCI config network/interface for IKEv2/IPsec VPN server
* UCI config network/zone for IKEv2/IPsec VPN server
* UCI config network/route for IKEv2/IPsec VPN server
* UCI config dhcp/dnsmasq for IKEv2/IPsec VPN server
* Link ACME cetificates for IKEv2/IPsec VPN server
* Package IKEv2/IPsec VPN server with strongSwan
* Set config files for IKEv2/IPsec VPN server with strongSwan
* UCI config remove default firewall - Traffic Rules for IKEv2/IPsec VPN server
* Package adblock
* UCI config adblock
* Block ip addresses that track attacks, spyware, viruses
* Enable crontab 'Scheduled Taks'
* Package watchcat (periodic reboot or reboot on internet drop)
* UCI config watchcat
* Package mSMTP mail client
* Set mSMTP account free,gmail
* Set timezone Europe/Paris
* Package wget
* Package iperf3
* Set iperf3 server at startup
* Add custom scripts
* Remove duplicated conffile
*
*
******************************
 /!\ After reboot checks /!\\
******************************
*
*
* Please check swap mounted partition http://openwrt/cgi-bin/luci/admin/system/mounts
*
*
* Get ACME certificates command line to run, if encountered errors during installation!
*
* Certificates issue:
/etc/acme/acme.sh --home /etc/acme --upgrade > /etc/acme/log.txt 2>&1 && /root/fw-redirect.sh Allow-http=on && /etc/acme/acme.sh --home /etc/acme --issue --server letsencrypt -d $DOMAIN -w /www 2>&1 | tee -a /etc/acme/log.txt; /root/fw-redirect.sh Allow-http=off && /usr/sbin/ipsec restart
*
* Certificates renew:
/etc/acme/acme.sh --home /etc/acme --upgrade > /etc/acme/log.txt 2>&1 && /root/fw-redirect.sh Allow-http=on && /etc/acme/acme.sh --home /etc/acme --renew-all --standalone --force 2>&1 | tee -a /etc/acme/log.txt; /root/fw-redirect.sh Allow-http=off && /usr/sbin/ipsec restart
*
*
* End time: Tue Apr 19 07:25:54 UTC 2022
* Elapsed time: 0hrs 3min 52sec
* Reboot to complete the installation? [Y/n]