___   ___  __  _____  _______    ___            __
       / _ | / _ \/ / / /_  |/ __/ _ \  / _ \___  __ __/ /____ ____
      / __ |/ ___/ /_/ / __// _// // / / , _/ _ \/ // / __/ -_) __/
     /_/ |_/_/   \____/____/___/\___/ /_/|_|\___/\_,_/\__/\__/_/


I've finally found some time to upgrade my home router.  I'm keeping
some notes here about my configuration, should I need to upgrade it
again in future.


1. INSTALLATION

My router is a APU6B4 by TekLager (teklager.se), running OpenWRT.

It is trivial to access the serial console: connect a USB-Serial cable
and fire up a serial communication software.
I like tio(1).

A debian "standard" live, or any other distro for what it matters, can
be loaded on a plain USB drive, and booted normally.
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/
console=ttyS0,115200n8

A second USB drive can be loaded with the "combined" image of OpenWRT.
At present date, the URL looks like this:
https://archive.openwrt.org/releases/<release>/targets/x86/64/openwrt-<version>-x86-64-generic-ext4-combined.img.gz

The file(1) command will identify the uncompressed image as "DOS/MBR
boot sector".
It can be copied with a regular dd over /dev/sda (or whatever the disk
name is).


2. INITIAL TWEAKS

2.1. Reduce attack surface: disable web-based configuration

# service uhttpd stop
# service uhttpd disable

2.2. Hardening of dropbear configuration

Just edit /etc/config/dropbear and install a SSH key.

   config dropbear
       option PasswordAuth 'off'
       option RootPasswordAuth 'off'
       option Port '22'
       option Interface 'lan'

(NOTE: the Interface option is set to 'lan' even if the bridged
interface is actually called 'br-lan').


3. ENABLE WIFI

The wifi is turned off by default.
https://openwrt.org/docs/guide-user/network/wifi/basic

Actually, the wireless card is not even detected.
I'm running a wle900vx network card, so I have to install a few
dependencies:

opkg install hostapd ath10k-firmware-qca988x kmod-ath10k

(source: https://teklager.se/en/knowledge-base/openwrt-wifi-configuration-instructions/)

A reboot will be necessary for the kernel to detect the Atheros
driver, then the wireless interface will be listed, for example, in
the output of ifconfig -a.

The wireless is configured in /etc/config/wireless, which can be auto-generated
with the 'wifi config' command, and then edited.
In a nutshell:

   config wifi-device 'radio0'
           option disabled '0'

   config wifi-iface 'default_radio0'
           option ssid 'SET SSID HERE'
           option encryption 'psk2
           option key 'SET PASSPHRASE HERE'

See also:
https://openwrt.org/docs/guide-user/network/wifi/basic


4. ENABLE PORT FORWARDING

FIXME: review this section, update info for OpenWRT 23.05.0

The relevant documentation is here:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat

In short, /etc/config/firewall must be modified with a configuration
section along the following lines:

 config redirect
      option target          DNAT
      option src             wan
      option dest            lan
      option proto           tcp
      option src_dport       2222
      option dest_ip         192.168.x.y
      option dest_port       22
      option enabled         1

You are viewing proxied material from dacav.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.