OpenWrt Notes
Important note before installation
Official Failsafe: http://wiki.openwrt.org/doc/howto/generic.failsafe
My Failsafe Note: http://jeffkwan.blogspot.hk/2015/02/failsafe-mode-in-buffalo-wzr-hp-g300nh2.html
Set your other router up as a dumb AP: https://wiki.openwrt.org/doc/recipes/dumbap
1. Secure Your Router
Read This: http://wiki.openwrt.org/doc/howto/secure.access
Create a non-privileged user in OpenWrt
root@openwrt:~# opkg update
root@openwrt:~# opkg install shadow-useradd
root@openwrt:~# useradd nicolaus
root@openwrt:~# passwd nicolaus
root@openwrt:~# mkdir /home/nicolaus
root@openwrt:~# vi /etc/passwd
nicolaus:x:1000:1000:nicolaus:/home/nicolaus:/bin/ash
root@openwrt:~# opkg install sudo
root@openwrt:~# visudo
Edit the sudoers config to your liking.
Install SFTP support (added on top of Dropbear)
http://wiki.openwrt.org/doc/howto/sftp.server
root@openwrt:~# opkg install openssh-sftp-server
That is all it takes.
Install Bash and Screen
TP-Link WR703N OpenWrt post installation tips
root@openwrt:~# opkg update
root@openwrt:~# opkg install bash
root@openwrt:~# vi /etc/passwd
# Then edit /etc/passwd and change the root user line to this:
root:x:0:0:root:/root:/bin/bash
Then you can either use your own .bashrc or download the one that I use (I got it from the Arch wiki a few years ago) and put it in your root directory like this (if you would like to use your own .bashrc, make sure to put it in /root as well):
root@openwrt:~# echo ". $HOME/.bashrc" > /root/.bash_profile
root@openwrt:~# wget -P /root/ http://cmikavac.net/download/.bashrc
Now log out, log in again, and you should have a brand new prompt.
Now it is time to install screen (GNU Screen)
root@openwrt:~# opkg update && opkg install screen
Install useful tools
root@openwrt:~# opkg install vim fdisk e2fsprogs ntfs-3g
I bought a 32 GB USB stick to expand the router's storage for the proxy; ntfs-3g is for mounting NTFS hard drives.
Prepare your USB (For AA only; AA is Attitude Adjustment, OpenWrt 12.09)
http://wiki.openwrt.org/doc/howto/usb.essentials
Even with the USB stick plugged in, it is not recognised at this point; the USB kernel modules have to be added.
USB 1.x and 2.x
root@openwrt:~# opkg update
root@openwrt:~# opkg install kmod-usb-storage
root@openwrt:~# opkg install kmod-usb-uhci
root@openwrt:~# insmod usbcore
root@openwrt:~# insmod uhci
root@openwrt:~# opkg install kmod-usb2
root@openwrt:~# insmod ehci-hcd
root@openwrt:~# opkg install block-mount kmod-fs-ext4 libext2fs
I tried for a long time and the USB stick was still not detected; it turned out the filesystem was not recognised, so I had to format the stick before it was detected.
root@openwrt:~# mkfs.ext4 /dev/sda1    # this erases everything on the stick
root@openwrt:~# mount /dev/sda1 /mnt
http://wiki.openwrt.org/doc/howto/extroot?s[]=rootfs
Then move the root filesystem:
root@openwrt:~# mkdir -p /tmp/cproot
root@openwrt:~# mount --bind / /tmp/cproot
root@openwrt:~# tar -C /tmp/cproot -cvf - . | tar -C /mnt -x
root@openwrt:~# umount /tmp/cproot
root@openwrt:~# vi /etc/config/fstab
The method I used is pivot-root; the fstab entry looks like this:
[...]
# For AA or BB
config mount
	option target /
	option device /dev/sda1
	option fstype ext4
	option options rw,sync
	option enabled 1
	option enabled_fsck 0
[...]
root@openwrt:~# reboot
I later found that with this method my Buffalo would hang very easily, while the other router, a TP-Link, had no problem at all, so be prepared for that.
Prepare your USB (For CC, Chaos Calmer 15.05)
root@openwrt:~# opkg update ; opkg install block-mount kmod-fs-ext4 kmod-usb-storage-extras
root@openwrt:~# mount /dev/sda1 /mnt ; tar -C /overlay -cvf - . | tar -C /mnt -xf - ; umount /mnt
root@openwrt:~# block detect > /etc/config/fstab; \
sed -i s/option$'\t'enabled$'\t'\'0\'/option$'\t'enabled$'\t'\'1\'/ /etc/config/fstab; \
sed -i s#/mnt/sda1#/overlay# /etc/config/fstab; \
cat /etc/config/fstab;
root@openwrt:~# reboot
Install a proxy server
These are my notes, written after trying things out. My first attempt was Squid + DansGuardian + OpenDNS, but the response was not great. Squid is powerful, but because it reads and writes its cache files on the USB stick it is very slow, so I had to switch it to no-cache mode to make it a bit faster: the bottleneck in browsing speed had moved to writing onto the USB stick. DansGuardian has a reputation as the killer content filter, but I ended up not using it; maybe my setup was incomplete, but it swallowed a lot of images and pages looked strange.
OpenDNS is a good idea in principle, but too slow; I would probably need to clone its DNS database onto my own OpenWrt box for it to be workable.
Test #1: Squid
Cons: http://squid-web-proxy-cache.1019090.n4.nabble.com/Anybody-using-squid-on-openWRT-td4667335.html
Transparent Proxy using Squid
OpenWRT Squid transparent configuration
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
Create the corresponding folders:
root@openwrt:~# mkdir /var/squid/cache
root@openwrt:~# mkdir /var/squid/logs
root@openwrt:~# chown -R nobody:nogroup /var/squid
root@openwrt:~# vi /etc/squid/squid.conf
More useful information
Access log problem: http://www.linuxquestions.org/questions/linux-server-73/squid-2-7-not-writing-to-access-log-919523/
Set up a Squid boot script in /etc/init.d: https://gist.github.com/frank4565/7166629
Remember not to set it to transparent.
root@openwrt:~# /etc/init.d/squid enable
root@openwrt:~# /etc/init.d/squid start
Test #2: Install DansGuardian
root@openwrt:~# opkg install dansguardian
Set up DansGuardian under /var/dansguardian/.
Set up a firewall redirect rule so traffic flows Web client -> DansGuardian -> Squid -> Internet:
root@openwrt:~# vi /etc/config/firewall
# redirect port 80 to 8080 (DansGuardian)
Improve performance of Dansguardian & Squid
http://www.clearcenter.com/support/documentation/clearosguides/optimizingperformanceforproxyandcontent_filter
I found that tuning the DansGuardian conf did not improve performance much; the real cause was that the router's hardware and the USB stick's read/write speed are too slow, so turning caching off actually made things faster.
If you use DansGuardian + Squid, the http_port in squid.conf must not be transparent. If you are not using DansGuardian, add transparent back, otherwise you get this error:
[...]
2014/12/13 15:22:43| clientTryParseRequest: FD 12 (192.168.xx.xxx:33076) Invalid Request
[...]
Test #3: Install OpenDNS
https://forum.openwrt.org/viewtopic.php?id=31208
root@openwrt:~# vi /etc/config/network
# the 'wan' interface section lives in /etc/config/network
[...]
config interface 'wan'
[...]
	option dns '208.67.220.220 208.67.222.222'    # add this line
[...]
Edit Firewall setting
root@openwrt:~# vi /etc/config/firewall
[...]
config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block DNS from LAN to WAN'
	option dest_port '53'
	option target 'REJECT'
[...]
Install DDNS Package
root@openwrt:~# opkg install luci-app-ddns
The following is from my AA notes; these days you can simply pick the DNS-O-Matic updater inside LuCI's DDNS page.
root@openwrt:~# vi /etc/config/ddns
[...]
config service 'myddns'
option interface 'wan'
option force_interval '72'
option force_unit 'hours'
option check_interval '10'
option check_unit 'minutes'
option retry_interval '60'
option retry_unit 'seconds'
option ip_source 'web'
option username 'USERNAME'
option update_url 'https://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=[DOMAIN]&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG'
option password 'PASSWORD'
option enabled '1'
option domain 'Home'
[...]
I found there were far too many warnings, so I am trying the script provided by OpenDNS instead:
https://support.opendns.com/entries/23554765-Linux-IP-Updater-for-Dynamic-Networks
Test #4: Privoxy
http://blog.vanutsteen.nl/2014/01/05/installing-privoxy-with-adblock-filters-on-openwrt/
root@openwrt:~# opkg update
root@openwrt:~# opkg install privoxy
root@openwrt:~# vi /etc/privoxy/config
[...]
listen-address 192.168.11.1:8118
accept-intercepted-requests 1
permit-access 192.168.11.0/24
[...]
Debug flags, in UCI form (these go in /etc/config/privoxy):
	option debug_1 '1'
	option debug_512 '1'
	option debug_1024 '1'
	option debug_4096 '1'
	option debug_8192 '1'
root@openwrt:~# /etc/init.d/privoxy enable
root@openwrt:~# /etc/init.d/privoxy start
root@openwrt:~# vi /etc/config/firewall
[...]
# transparent proxy for privoxy
config redirect
	option proto 'tcp'
	option target 'DNAT'
	option dest 'lan'
	option name 'transparent-proxy for HTTP'
	option src 'lan'
	option dest_port '8118'
	option src_dport '80'
	option dest_ip '192.168.11.1'
	option src_dip '!192.168.11.1'
[...]
To be better protected by Privoxy, one of the great tools is an up-to-date block list. There is a great ad-blocking filter provided by Adblock Plus. When I googled the web, I found two scripts that convert the Adblock Plus filter (EasyList), but I think they are copied from the same source.
1. http://blog.vanutsteen.nl/2014/01/05/installing-privoxy-with-adblock-filters-on-openwrt/
2. http://andrwe.org/scripting/bash/privoxy-blocklist
They both fetch the Adblock Plus list and convert it to Privoxy's format.
https://easylist-downloads.adblockplus.org/easylist.txt
https://easylist-downloads.adblockplus.org/chinalist+easylist.txt
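As an added illustration of what such a conversion does (this is not the privoxy-blocklist.sh script from the page, and it translates only the domain-anchored subset of the Adblock Plus syntax; the sample list is constructed, not a real download):

```shell
#!/bin/sh
# Added example, not the privoxy-blocklist.sh script from the page: a minimal
# Adblock Plus -> Privoxy actions-file converter showing what such scripts do.
# Only domain-anchored rules are translated:
#   ||ads.example.com^     -> .ads.example.com   (blocked)
#   @@||cdn.example.com^   -> .cdn.example.com   (exception)
# Comments, the [Adblock Plus 2.0] header, ##element-hiding rules, path
# patterns and rules carrying $options ($third-party, $domain=...) are skipped:
# Privoxy cannot express those conditions, and applying them unconditionally
# would over-block.

# abp_to_privoxy LIST ACTIONFILE -> writes a Privoxy actions file
abp_to_privoxy() {
    in=$1
    out=$2
    {
        echo '# generated from an Adblock Plus list; do not edit by hand'
        echo '{+block{Blocked by Adblock Plus list}}'
        # "||host^": drop the || anchor and the ^ separator; the leading dot
        # makes Privoxy match the host and its subdomains
        grep -E '^\|\|[A-Za-z0-9.-]+\^$' "$in" | sed 's/^||/./; s/\^$//' | sort -u
        echo
        echo '{-block}'
        # "@@||host^" exceptions go last so they override the block section
        grep -E '^@@\|\|[A-Za-z0-9.-]+\^$' "$in" | sed 's/^@@||/./; s/\^$//' | sort -u
    } > "$out"
}

# count_blocked ACTIONFILE -> number of patterns in the {+block} section
count_blocked() {
    awk '/^[{][+]block/ { on = 1; next }
         /^[{]-block[}]/ { on = 0 }
         on && /^\./ { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample list (not a real EasyList download), one line per rule kind
SAMPLE_LIST='[Adblock Plus 2.0]
! Title: constructed sample
||ads.example.com^
||tracker.example.net^$third-party
||pixel.example.org^
example.com##.banner
@@||cdn.example.com^
/banner/*'

# Stand-alone demo: convert the sample and print the resulting actions file
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_LIST" > "$work/sample.txt"
abp_to_privoxy "$work/sample.txt" "$work/sample.action"
cat "$work/sample.action"
echo "blocked patterns: $(count_blocked "$work/sample.action")"
```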
Preparation:
1. get essentials
2. get bash (see previous note)
1. Get an up-to-date wget version with SSL support
https://wiki.openwrt.org/doc/howto/wget-ssl-certs
root@openwrt:~# opkg update
root@openwrt:~# opkg install coreutils-install wget bash sed
Create the SSL certificate directory for wget:
root@openwrt:~# mkdir -p /etc/ssl/certs
So wget knows where to look, update /etc/profile and add the line:
export SSL_CERT_DIR=/etc/ssl/certs
root@openwrt:~# opkg install ca-certificates
Update the shell:
root@openwrt:~# source /etc/profile
Install the script
root@openwrt:~# cd /etc/privoxy
root@openwrt:~# wget https://raw.github.com/Andrwe/privoxy-blocklist/master/privoxy-blocklist.sh --no-check-certificate
# with ca-certificates installed and SSL_CERT_DIR set (previous step), --no-check-certificate is no longer needed; drop it so the download is actually verified
root@openwrt:~# chmod +x privoxy-blocklist.sh
root@openwrt:~# sed -i s/^SCRIPTCONF.*/SCRIPTCONF=\\/etc\\/privoxy\\/blocklist.conf/ privoxy-blocklist.sh
Create the block list conf and edit it
root@openwrt:~# touch /etc/privoxy/blocklist.conf
root@openwrt:~# vi /etc/privoxy/blocklist.conf
# Config of privoxy-blocklist
# array of URL for AdblockPlus lists
# for more sources just add it within the round brackets
URLS=(
"https://easylist-downloads.adblockplus.org/malwaredomains_full.txt"
"https://easylist-downloads.adblockplus.org/fanboy-social.txt"
"https://easylist-downloads.adblockplus.org/easyprivacy.txt"
"https://easylist-downloads.adblockplus.org/easylist.txt"
"https://easylist-downloads.adblockplus.org/easylistdutch.txt"
"https://easylist-downloads.adblockplus.org/easylistdutch+easylist.txt"
"https://easylist-downloads.adblockplus.org/chinalist+easylist.txt"
)
# config for privoxy initscript providing PRIVOXY_CONF, PRIVOXY_USER and PRIVOXY_GROUP
INIT_CONF="/etc/conf.d/privoxy"
# !! if the config above doesn't exist set these variables here !!
# !! These values will be overwritten by INIT_CONF !!
PRIVOXY_USER="root"
PRIVOXY_GROUP="root"
PRIVOXY_CONF="/etc/privoxy/config"
# name for lock file (default: script name)
TMPNAME="$(basename ${0})"
# directory for temporary files
TMPDIR="/tmp/${TMPNAME}"
# Debug-level
# -1 = quiet
# 0 = normal
# 1 = verbose
# 2 = more verbose (debugging)
# 3 = incredibly loud (function debugging)
DBG=0
The China list is added, FYI.
Then run the script to download all the action and filter files:
root@openwrt:~# bash /etc/privoxy/privoxy-blocklist.sh
Edit the privoxy conf file
root@openwrt:~# vi /etc/config/privoxy
[...]
list actionsfile 'easyprivacy.script.action'
list filterfile 'easyprivacy.script.filter'
list actionsfile 'fanboy-social.script.action'
list filterfile 'fanboy-social.script.filter'
#list actionsfile 'easylist.script.action'
list actionsfile 'malwaredomains_full.script.action'
#list filterfile 'easylist.script.filter'
list filterfile 'malwaredomains_full.script.filter'
#list actionsfile 'chinalist+easylist.script.action'
#list filterfile 'chinalist+easylist.script.filter'
[...]
## easylist is commented out because it crashes Privoxy
Set a cron job to download the lists regularly:
root@openwrt:~# vi /etc/crontabs/root
0 12 * * 0 bash /etc/privoxy/privoxy-blocklist.sh && /etc/init.d/privoxy restart
Install Samba
http://upsangel.com/dd-wrt/samba-easy-share-usb-storage/
root@openwrt:~# opkg update
root@openwrt:~# opkg install luci-app-samba
root@openwrt:~# opkg install samba36-server
root@openwrt:~# vi /etc/config/firewall
(follow http://wiki.openwrt.org/doc/howto/cifs.server)
[...]
config 'rule'
	option 'src' 'lan'
	option 'proto' 'udp'
	option 'dest_port' '137-138'
	option 'target' 'ACCEPT'
config 'rule'
	option 'src' 'lan'
	option 'proto' 'tcp'
	option 'dest_port' '139'
	option 'target' 'ACCEPT'
config 'rule'
	option 'src' 'lan'
	option 'proto' 'tcp'
	option 'dest_port' '445'
	option 'target' 'ACCEPT'
[...]
root@openwrt:~# vi /etc/config/samba
# change the workgroup
# enable start-up at boot
root@openwrt:~# /etc/init.d/samba enable
root@openwrt:~# /etc/init.d/firewall restart
root@openwrt:~# /etc/init.d/samba start
Install Bittorrent Client - Transmission
http://wiki.openwrt.org/doc/uci/transmission
root@openwrt:~# opkg update
root@openwrt:~# opkg install transmission-daemon transmission-cli transmission-web transmission-remote luci-app-transmission
I got some problems in the error log:
root@openwrt:~# logread
[...]
Dec 13 23:34:04 OpenWrt daemon.err transmission-daemon[17437]: UDP Failed to set receive buffer: requested 4194304, got 327680 (tr-udp.c:77)
Dec 13 23:34:04 OpenWrt daemon.err transmission-daemon[17437]: UDP Failed to set send buffer: requested 1048576, got 327680 (tr-udp.c:88)
[...]
Add the values the log suggests:
root@openwrt:~# vi /etc/sysctl.conf
[...]
# for bittorrent
net.core.rmem_max = 4194304
net.core.wmem_max = 1048576
[...]
The stock init script starts the daemon unconditionally:
[...]
start() {
	config_load 'transmission'
	config_foreach start_instance 'transmission'
}
[...]
Add a check so it refuses to start when nothing is mounted on /mnt (the USB stick):
root@openwrt:~# vi /etc/init.d/transmission
[...]
start_service() {
	if [ "$(ls -A /mnt)" ]; then
		echo "start service"
	else
		echo "[Panic!] exit as no usb mount!!"
		exit
	fi
	config_load 'transmission'
	config_foreach start_instance 'transmission'
}
[...]
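A more reliable guard, added here as an example and not part of the page's init script: `ls -A /mnt` fails on a correctly mounted but still empty stick and passes when stray files were left in /mnt with nothing mounted, so the check below reads the mount table instead. The optional second argument and the sample table are only there so it can be run against constructed data; on the router call usb_mounted /mnt with no second argument.

```shell
#!/bin/sh
# Added example, not the page's init script: check the mount table instead of
# `ls -A /mnt`.  That test is fooled both ways: a correctly mounted but empty
# stick fails it, and stray files left in /mnt while nothing is mounted pass
# it, so transmission would write into the router's tiny flash.  /proc/mounts
# is unambiguous.  The optional second argument (a mount table file) exists
# only so the check can run against a constructed table.

# usb_mounted MOUNTPOINT [MOUNTS_FILE] -> 0 if a block device is mounted there
usb_mounted() {
    mp=$1
    table=${2:-/proc/mounts}
    # field 2 of /proc/mounts is the mount point; also require the source
    # (field 1) to be a /dev node so a tmpfs mounted on /mnt does not pass
    awk -v mp="$mp" '$2 == mp && $1 ~ /^\/dev\// { found = 1 }
                     END { exit found ? 0 : 1 }' "$table"
}

# Guard for the top of start_service(): same kind of message as the page's
# script, but returns non-zero so the caller can refuse to start.
require_usb() {
    if usb_mounted "$1" "$2"; then
        echo "start service: $1 is mounted"
        return 0
    fi
    echo "[Panic!] $1 is not a mounted USB device, refusing to start" >&2
    return 1
}

# Constructed sample mount table (not a real router dump): /mnt is a real
# USB partition, /tmp is tmpfs, nothing is mounted on /mnt/media.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/root /rom squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0
/dev/sda1 /mnt ext4 rw,sync,relatime,data=ordered 0 0'

# Stand-alone demo against the constructed table
sample=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$sample"
require_usb /mnt "$sample"                 # mounted USB partition: start
require_usb /tmp "$sample" || true         # tmpfs, not a USB device: refuse
require_usb /mnt/media "$sample" || true   # nothing mounted there: refuse
rm -f "$sample"
```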
Install minidlna
root@openwrt:~# opkg install minidlna
root@openwrt:~# opkg install luci-app-minidlna
I ended up not using it: this minidlna does not support mp4 well, and too many videos would not play.