# [[-Projects/-Lightning Router/Lightning Router]] Config
Links: [[OpenWrt]]
### Note
Creating a non-privileged user may be unnecessary: during the install, the `opkg install ipk/opennds_5.2.0-1_arm_cortex-a9_vfpv3-d16.ipk` command errored unless run with `sudo`, and it was the only install command run as the `build` user.
The steps below document a working method of installing [[OpenNDS]] on [[OpenWrt]], but in the future (e.g. when writing the [[Dockerfile]] for [[OpenWrt]] routers) we should try installing the [[OpenNDS]] fork as root.
## Create non-privileged `build` user for installing packages
### Caveat
https://openwrt.org/docs/guide-user/base-system/users
"If you prefer to create new users and manage existing users by using the traditional Unix/Linux commands such as `useradd` and `passwd`, you will need to install additional packages that require precious amounts of storage space. For most embedded devices, if you have not installed and configured additional memory, these packages will be much too large for your stock device. However, if your hardware supports storage such as USB, at the time of this update, 64 GB USB drives can be purchased for less than $10 USD."
### Steps
https://openwrt.org/docs/guide-user/security/secure.access#create_a_non-privileged_user_in_openwrt
```shell
# Log in as root
ssh [email protected]
# Enable user creation capability
opkg update
opkg install shadow-useradd
# Create user
useradd build
# Set password
passwd build # and type in a password
# Create home folder
mkdir /home
mkdir /home/build
chown build /home/build
# Specify shell for build user
vim /etc/passwd
# change build:x:1000:1000::/home/build:
# to build:x:1000:1000:build:/home/build:/bin/ash
# the /bin/ash at the end is not a typo
# Allow temporary privileged access as sudo
# Install sudo
opkg install sudo
# Require root password whenever sudo is executed
# Open the file '/etc/sudoers' by entering the command
visudo
# And uncomment the 2 lines below in that file:
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
```
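The sudoers comment above warns that `ALL ALL=(ALL) ALL` is only safe together with `Defaults targetpw`. The check below is an added example, not part of the original notes; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the two sudoers lines from the steps above are
# enabled as a pair. Only the global "Defaults targetpw" form is matched.

# has_active FILE ERE: true if FILE has an uncommented line matching ERE,
# optionally followed by a trailing "# comment".
has_active() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*(#.*)?\$" "$1"
}

# audit_sudoers FILE: returns 1 if the catch-all rule is active without
# targetpw, 0 otherwise. Leaves the state in $targetpw and $catchall.
audit_sudoers() {
    targetpw=no
    catchall=no
    if has_active "$1" 'Defaults[[:space:]]+targetpw'; then targetpw=yes; fi
    if has_active "$1" 'ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL'; then
        catchall=yes
    fi
    echo "targetpw=$targetpw catchall=$catchall"
    if [ "$catchall" = yes ] && [ "$targetpw" = no ]; then
        echo "RISK: every user can run any command as root with their own password"
        return 1
    fi
    return 0
}

# Constructed sample: only the second line was uncommented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Defaults targetpw   # Ask for the password of the target user
ALL ALL=(ALL) ALL   # WARNING: only use this together with 'Defaults targetpw'
EOF
audit_sudoers "$sample" || echo "enable both lines or neither (edit with visudo)"
```

On the router, run `audit_sudoers /etc/sudoers` as root after saving the file in `visudo`.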
## Working with [[OpenNDS]]
### Notes
- Starting / stopping [[OpenNDS]] using `service opennds <command>` errors if run with sudo or without root permissions
- [[OpenNDS]] can alternatively be started / restarted by rebooting the router
### Start / Stop / Restart
```bash
service opennds start
service opennds stop
service opennds restart
```
### Uninstall
```bash
# Check opennds is installed
opkg list-installed
# Uninstall
opkg remove opennds
# Check opennds is uninstalled
opkg list-installed
```
## Misc config
```bash
# Prevent random deauths during development
uci set opennds.@opennds[0].sessiontimeout='0' # Default '1200'
# Make compatible with version 9
uci set opennds.@opennds[0].use_outdated_mhd='0'
# TODO Set default volume limit for unpaid users
```
## [[OpenNDS]] 9.x.x on [[OpenWrt]] 19.x
### Notes
[[OpenNDS]] maintainer: "You do not have to reflash to 21.03, just download openNDS and MHD from 21.03 packages repository."
https://github.com/openNDS/openNDS/issues/210
- "MHD" is `libmicrohttpd`
- May also need to disable the `opennds.@opennds[0].use_outdated_mhd='1'` setting in the config
### Router specs
https://openwrt.org/toh/linksys/wrt3200acm
- CPU: `ARM Cortex A9 MPCore` (ctrl+f for it)
It may also be "`vfpv3`":
```text
[ 3.549351] VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
```
### Download 21.02 Packages for `arm_cortex-a9`
- [[OpenNDS]]: https://downloads.openwrt.org/releases/packages-21.02/arm_cortex-a9_vfpv3-d16/routing/
- [[libmicrohttpd]]: https://downloads.openwrt.org/releases/packages-21.02/arm_cortex-a9_vfpv3-d16/packages/
  - Includes ssl and no-ssl versions, might as well get the version with SSL
- 21.02-rc3 info page: https://openwrt.org/releases/21.02/notes-21.02.0-rc3
- 19.07 packages: https://downloads.openwrt.org/releases/19.07.8/packages/
- [[OpenWrt]] version history: https://openwrt.org/about/history
### Transfer and Install
I've stored the packages locally at `~/projects/misc/ipk`
```bash
ssh [email protected] "mkdir -p /root/ipk"
scp opennds_9.3.0-1_arm_cortex-a9.ipk [email protected]:/root/ipk
scp libmicrohttpd-ssl_0.9.71-1_arm_cortex-a9.ipk [email protected]:/root/ipk
# Inside router
# Check
opkg list-installed
# Install
cd /root/ipk
opkg install libmicrohttpd-no-ssl_0.9.71-1_arm_cortex-a9_vfpv3-d16.ipk --force-reinstall
# This OpenNDS package appears to include libmicrohttpd-no-ssl with
# it, so it should be installed second, otherwise the included
# libmicrohttpd will be out of date
opkg install opennds_9.3.0-1_arm_cortex-a9_vfpv3-d16.ipk --force-reinstall
# If it doesn't work, try removing them first
opkg remove opennds
opkg remove libmicrohttpd-no-ssl
# opkg remove libmicrohttpd-ssl # Wasn't even there I think
# Check
opkg list-installed
```
### Notes
Packages not installed:
- `libmicrohttpd-ssl_0.9.71-1_arm_cortex-a9.ipk`: should be no-ssl
- `libmicrohttpd-ssl_0.9.71-1_arm_cortex-a9_vfpv3-d16.ipk`:
  - was not sufficient for opennds install to succeed, i.e. didn't satisfy opennds's requirements
- `opennds_9.3.0-1_arm_cortex-a9.ipk`: wrong architecture
Post-installation warnings:
```text
Collected errors:
* resolve_conffiles: Existing conffile /etc/config/opennds is
different from the conffile in the new package. The new conffile will
be placed at /etc/config/opennds-opkg
```
I stored these in `/Users/fang/projects/misc/etc-config-opennds`
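The packages above are downloaded by hand from another release's feed, and one of them failed because of the wrong architecture. The script below is an added example, not part of the original notes: it checks an `.ipk` against the `Packages` index published in the same feed directory (architecture and SHA256) before `opkg install`. It assumes the index was downloaded from the same feed directory as the package; the function names and the demo file contents are constructed.

```shell
#!/bin/sh
# Added example: verify a hand-downloaded .ipk against the feed's Packages index.

# index_field INDEX FILENAME KEY: print KEY's value from FILENAME's stanza.
index_field() {
    awk -v file="$2" -v key="$3" 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; val = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "Filename: ") == 1) name = substr($i, 11)
            if (index($i, key ": ") == 1) val = substr($i, length(key) + 3)
        }
        if (name == file) { print val; exit }
    }' "$1"
}

# verify_ipk INDEX IPK ARCH: 0 = ok, 2 = not listed, 3 = wrong arch, 4 = bad hash.
# ARCH is the router's architecture (see `opkg print-architecture`).
verify_ipk() {
    base=${2##*/}
    want=$(index_field "$1" "$base" SHA256sum)
    built=$(index_field "$1" "$base" Architecture)
    if [ -z "$want" ]; then echo "$base: not listed in index"; return 2; fi
    if [ "$built" != "$3" ] && [ "$built" != all ]; then
        echo "$base: built for $built, router is $3"; return 3
    fi
    got=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then echo "$base: SHA256 mismatch"; return 4; fi
    echo "$base: ok"
}

# Constructed demo: a stand-in file and a one-stanza index that reproduce the
# wrong-architecture case from the notes above.
dir=$(mktemp -d)
ipk="$dir/opennds_9.3.0-1_arm_cortex-a9.ipk"
printf 'constructed stand-in for a package\n' > "$ipk"
cat > "$dir/Packages" <<EOF
Package: opennds
Version: 9.3.0-1
Architecture: arm_cortex-a9
Filename: opennds_9.3.0-1_arm_cortex-a9.ipk
SHA256sum: $(sha256sum "$ipk" | cut -d' ' -f1)
EOF
verify_ipk "$dir/Packages" "$ipk" arm_cortex-a9_vfpv3-d16 || echo "do not install"
```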
## Backend setup
![[OpenNDS Version 9 Config#Level 0 FAS Setup with Rust Backend]]
## Latest working config: Aug 31 2021
### `uci show opennds`
```text
root@OpenWrt:~/ipk# uci show opennds
opennds.@opennds[0]=opennds
opennds.@opennds[0].enabled='1'
opennds.@opennds[0].fwhook_enabled='1'
opennds.@opennds[0].unescape_callback_enabled='0'
opennds.@opennds[0].gatewayinterface='br-lan'
opennds.@opennds[0].gatewayname='OpenWrt openNDS'
opennds.@opennds[0].maxclients='250'
opennds.@opennds[0].preauthidletimeout='30'
opennds.@opennds[0].authidletimeout='120'
opennds.@opennds[0].checkinterval='60'
opennds.@opennds[0].uploadrate='0'
opennds.@opennds[0].downloadrate='0'
opennds.@opennds[0].ratecheckwindow='2'
opennds.@opennds[0].uploadquota='0'
opennds.@opennds[0].downloadquota='0'
opennds.@opennds[0].users_to_router='allow tcp port 53' 'allow udp port 53' 'allow udp port 67' 'allow tcp port 22' 'allow tcp port 23' 'allow tcp port 80' 'allow tcp port 443' 'allow tcp port 53' 'allow udp port 53' 'allow udp port 67' 'allow tcp port 22' 'allow tcp port 23' 'allow tcp port 80' 'allow tcp port 443' 'allow tcp port 2080'
opennds.@opennds[0].sessiontimeout='0'
opennds.@opennds[0].authenticated_users='allow all'
opennds.@opennds[0].webroot='/root/frontend/build'
opennds.@opennds[0].use_outdated_mhd='0'
opennds.@opennds[0].login_option_enabled='0'
opennds.@opennds[0].fas_secure_enabled='0'
opennds.@opennds[0].fasport='2080'
opennds.@opennds[0].faspath='/auth'
```
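Several values in this working config are development settings. The script below is an added example, not part of the original notes: it reads saved `uci show opennds` output and flags them before the router is used outside development. The function names are hypothetical, the sample is three lines copied from the output above, and the `fas_secure_enabled` wording follows the openNDS documentation for level 0.

```shell
#!/bin/sh
# Added example: flag development-only or weak values in saved
# `uci show opennds` output.

# opt FILE NAME: print the raw (quoted) value of opennds.@opennds[0].NAME
opt() { sed -n "s/^opennds\.@opennds\[0\]\.$2=//p" "$1"; }

# rules FILE: print one users_to_router rule per line, quotes stripped
rules() { opt "$1" users_to_router | sed "s/' '/|/g" | tr '|' '\n' | tr -d "'"; }

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_opennds FILE: returns 0 when nothing is flagged; count is in $findings
audit_opennds() {
    findings=0
    if [ "$(opt "$1" fas_secure_enabled)" = "'0'" ]; then
        flag "fas_secure_enabled=0: level 0 FAS, client token passed in clear text"
    fi
    if [ "$(opt "$1" sessiontimeout)" = "'0'" ]; then
        flag "sessiontimeout=0: development setting, default is 1200"
    fi
    if rules "$1" | grep -qx 'allow tcp port 23'; then
        flag "users_to_router allows telnet (tcp/23) to the router"
    fi
    dups=$(rules "$1" | sort | uniq -d | grep -c . || true)
    if [ "$dups" -gt 0 ]; then
        flag "users_to_router lists $dups rules more than once"
    fi
    [ "$findings" -eq 0 ]
}

# Sample: three lines taken from the `uci show opennds` output above
sample=$(mktemp)
cat > "$sample" <<'EOF'
opennds.@opennds[0].users_to_router='allow tcp port 53' 'allow udp port 53' 'allow udp port 67' 'allow tcp port 22' 'allow tcp port 23' 'allow tcp port 80' 'allow tcp port 443' 'allow tcp port 53' 'allow udp port 53' 'allow udp port 67' 'allow tcp port 22' 'allow tcp port 23' 'allow tcp port 80' 'allow tcp port 443' 'allow tcp port 2080'
opennds.@opennds[0].sessiontimeout='0'
opennds.@opennds[0].fas_secure_enabled='0'
EOF
audit_opennds "$sample" || echo "$findings finding(s)"
```

On the router, save the live config with `uci show opennds > /tmp/opennds.txt` and pass that file to `audit_opennds`.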