
Openwrt config

I bought a new router (Linksys WRT1900AC). This post records my configuration for it and is still being updated.

Install OpenWRT

PPTP pass through

GRE protocol

I'm running a current OpenWrt release, so all that is needed is to install kmod-nf-nathelper-extra, which brings in the PPTP/GRE connection-tracking and NAT helper modules:

opkg install kmod-nf-nathelper-extra

Ref: https://wiki.openwrt.org/doc/howto/vpn.nat.pptp

SSHD on different interfaces

Add another dropbear instance via the web UI, or edit /etc/config/dropbear directly, like this:

config dropbear
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Interface 'wan'
        option Port '9999'

config dropbear
        option Port '22'
        option Interface 'lan'
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'

Dropbear will then listen on port 9999 on the wan interface and on port 22 on the lan interface. Both instances have password login disabled, so make sure your public key is already in /etc/dropbear/authorized_keys (and test it from the LAN) before you expose the wan instance; otherwise you lock yourself out of remote access.

Don't forget to add a firewall rule for the wan interface. I created a "Traffic Rule" via the web UI, or you can add a rule to /etc/config/firewall, like this (if your remote client has a fixed address, add an option src_ip to restrict the rule to it):

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option name 'allow-external-ssh'
        option dest_port '9999'

Port forward

Why do I need port forwarding? There is a query service on a remote server that I have to reach through a VPN. The VPN needs the GRE protocol, and some ISPs block it for security reasons; fortunately Beijing Unicom does not, so I just enabled the router's GRE capability (see the PPTP pass-through section). After I installed the pptp-linux package and created a VPN connection, a new interface appeared. I added a static route on the box and a DNAT for the query service port, so I needed another port forward on wan.

I want to forward a specific port to a port on an internal host, so I added a "Port Forward" via the web UI, or you can add a redirect entry to /etc/config/firewall, like this:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8080'
        option dest_ip '192.168.1.100'
        option dest_port '8080'
        option name 'forward-8080'

It looks simple, but if you know iptables you can see what this expands to: a DNAT rule in the nat table's PREROUTING chain, an ACCEPT for the rewritten traffic in the FORWARD chain, and the MASQUERADE rule in POSTROUTING that the wan zone already provides for the outbound side. net.ipv4.ip_forward must be 1 as well, which OpenWrt sets by default.
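As an added example (not code from the original post or from OpenWrt), here is a plain-iptables rendering of the two firewall entries above: the allow-external-ssh rule on INPUT and the 8080 DNAT on PREROUTING plus its FORWARD accept, together with the MASQUERADE and ip_forward settings. OpenWrt's fw3 actually places its rules in per-zone chains, so on a stock router keep using /etc/config/firewall; this shows what that config boils down to. The wan device name eth1.2 and the other defaults are assumptions for illustration, and the script refuses to DNAT to anything outside RFC 1918 space, which catches the classic typo of pasting a public address into dest_ip.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenWrt: iptables equivalents
# of the 'rule' and 'redirect' entries in /etc/config/firewall shown above.
# WAN_IF and the other defaults are assumptions; override them in the environment.
set -eu

WAN_IF="${WAN_IF:-eth1.2}"               # assumed wan device (check with: ifstatus wan)
LAN_HOST="${LAN_HOST:-192.168.1.100}"    # internal host from the redirect entry
FWD_PORT="${FWD_PORT:-8080}"             # src_dport/dest_port from the redirect entry
SSH_PORT="${SSH_PORT:-9999}"             # dropbear port of the wan instance

# is_rfc1918 ADDR: succeed only for private IPv4 space (DNAT elsewhere is almost always a typo)
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_rules WAN_IF LAN_HOST FWD_PORT SSH_PORT: print the iptables commands, one per line
gen_rules() {
    wan_if=$1; host=$2; fwd_port=$3; ssh_port=$4
    is_rfc1918 "$host" || { echo "refusing DNAT to non-private address $host" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i $wan_if -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $fwd_port -j DNAT --to-destination $host:$fwd_port
iptables -A FORWARD -i $wan_if -p tcp -d $host --dport $fwd_port -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
EOF
}

# Usage: ./nat-rules.sh          print the commands for review
#        ./nat-rules.sh apply    run them (needs root and iptables)
if [ "${1:-}" = "apply" ]; then
    gen_rules "$WAN_IF" "$LAN_HOST" "$FWD_PORT" "$SSH_PORT" | sh -e
else
    gen_rules "$WAN_IF" "$LAN_HOST" "$FWD_PORT" "$SSH_PORT"
fi
```

The INPUT and FORWARD accepts are limited to NEW connections; replies to established flows are already accepted by the conntrack rules fw3 installs at the top of each chain, and the DNAT mapping is undone for return packets by conntrack, which is why no explicit reverse rule is needed.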

Shadowsocks & ChinaDNS

These ipks need to be installed (mvebu is the WRT1900AC's target architecture):

  • ChinaDNS_1.3.2-4_mvebu.ipk
  • luci-app-chinadns_1.4.0-1_all.ipk
  • luci-app-shadowsocks_1.3.7-1_all.ipk
  • shadowsocks-libev_2.5.6-1_mvebu.ipk

update_chnroute script

#!/bin/sh

# Abort on any failing command, including a failure inside the wget | awk pipeline
set -e -o pipefail

# Fetch APNIC's delegation list, keep only the CN IPv4 lines and turn
# "start|count" into CIDR: count is a power of two, so prefix = 32 - log2(count).
# Write to /tmp first; with set -e a failed download never reaches the mv,
# so /etc/chnroute.txt is never left truncated.
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | \
    awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > \
    /tmp/chnroute.txt

mv /tmp/chnroute.txt /etc/

# Reload the new list only if shadowsocks is actually running
if pidof ss-redir>/dev/null; then
    /etc/init.d/shadowsocks restart
    /etc/init.d/chinadns restart
fi
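The one-liner above relies on every APNIC count being a power of two and on %d truncating 32 - log(count)/log(2) to the right integer. As an added example (not from the original post or the chinadns project), the function below does the same start/count to CIDR conversion in integer arithmetic, splitting a count that is not a power of two into properly aligned blocks instead of printing a fractional prefix, and skips the non-CN, non-ipv4 and summary lines explicitly rather than by substring match. The sample lines in the test are constructed in the delegated-apnic-latest format, not real data; the fetch URL is the one from the script above.

```shell
#!/bin/sh
# Added example, not from the original post: start/count -> CIDR conversion
# for delegated-apnic-latest lines, with integer math and non-power-of-two handling.
set -e

# to_cidrs: read delegated-apnic-style lines on stdin, print CIDR blocks for CN ipv4
to_cidrs() {
    awk -F'|' '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    function int2ip(n) { return int(n/16777216)%256 "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    $2 == "CN" && $3 == "ipv4" {
        start = ip2int($4); left = $5 + 0
        while (left > 0) {
            # largest power-of-two block that both fits in "left" and is aligned to "start"
            size = 1
            while (size * 2 <= left && start % (size * 2) == 0) size *= 2
            prefix = 32
            for (s = size; s > 1; s /= 2) prefix--
            printf("%s/%d\n", int2ip(start), prefix)
            start += size; left -= size
        }
    }'
}

# update_chnroute: rebuild /etc/chnroute.txt from the live list (needs network and root)
update_chnroute() {
    url='http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
    wget -O- "$url" | to_cidrs > /tmp/chnroute.txt.new
    mv /tmp/chnroute.txt.new /etc/chnroute.txt
}

# Usage: ./chnroute.sh update     (otherwise convert stdin, e.g. a saved copy of the list)
if [ "${1:-}" = "update" ]; then
    update_chnroute
elif [ ! -t 0 ]; then
    to_cidrs
fi
```

Because each emitted block is aligned to its own size, the output is a valid CIDR list for ipset or ChinaDNS even when a delegation covers, say, 768 addresses, which the log-based formula would render as a /22.4.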