In this write-up we discuss using a Raspberry Pi
to run a network router for your home or lab using the open source router openwrt
. The router os will get installed like a regular Raspberry Pi
image onto the SD card. Then, you can login to the openwrt
web interface and enable WIFI to reach your ISP.
Also, we configure our ethernet connection as well, since all of your internal devices that connect to that router (i.e. via a "5 port netgear hub"), will then get an IP Address from DHCP (issued by openwrt
). Once a client has an address it can surf the net across your Pi router!
Note: For this setup we need to connect to our ISP across WIFI so our ethernet can be dedicated to routing our client traffic (this happens automatically when a device gets DHCP from openwrt).
You can use any ISP or hardware. For reference though, I am using Verizon as my ISP, and connect my Raspberry Pi
(running openwrt
) via WIFI, to a hardware device called MIFI
(a mobile hotspot available from Verizon).
You can use the GUI to do everything and that is the recommendation for this setup. We do discuss the location of config files if interested, but this is not required.
The motivation for using openwrt
came from "Network Chuck" on YouTube and his video "my SUPER secure Raspberry Pi Router (wifi VPN travel router)"
https://youtu.be/jlHWnKVpygw
OpenWrt
is an open source operating system that is designed to be a network router. This gets installed onto an SD card just like we normally would for a Raspberry Pi
.
To get the bits for the Rapberry Pi
you will need to know your model (i.e. 2, 3 or 4) and then select the ext
image from the "firmware selector" page:
https://firmware-selector.openwrt.org/
Note: DO not place the bits onto your SD card yet, until reading the next section.
Before preparing your SD with openwrt
you can optionally update the Raspberry Pi
firmware by running a regular Raspberry Pi
operating system first.
The Raspberry Pi
firmware is applied during our regular apt
updates, but only when running an official Raspberry Pi
release such as bullseye
or similar.
## update package list
sudo apt-get update
## update the packages (this also does firmware)
sudo apt-get -u upgrade
If you only want the Raspberry Pi
firmware perform the following:
## update firmware
sudo rpi-eeprom-update
## show cpu details
cat /proc/cpuinfo
Now that the Raspberry Pi firmware is up to date, we can wipe that SD and install openwrt
onto the SD just like we do for a Raspberry Pi
.
If you have not already, navigate to https://openwrt.org
to get the desired download for your Raspberry Pi
.
Then, use the Raspberry Pi Imager
to write the image to SD (using the Custom option at the bottom).
You can go right to the web interface (https://192.168.0.1
or you can optionally use ssh
.
If using ssh
from terminal, then press "Enter" on your keyboard to bring up the openwrt
splash screen. Prior to hitting Enter, it may appear like the system is doing something, but it's simply waiting for you to press Enter.
You will probably be logged in already on the first boot, but if needed the default login is root
with no password.
Tip: You can optionally set a password now, but do not use any "real" or important password until we add https
later. Remember that the default of http
is totally plain text, so your roommate could capture the flag on you.
First, try to connect using https
which is secure. It that works, you will get some errors about unsigned certs, but that is expected. If you cannot reach the page with https
, then try http
, which is not secure (but we fix that later).
#try this first
https://192.168.1.1
#use plain text if needed (http)
http://192.168.1.1
When your system boots it will have the date/time of the build itself. This means that your date/time will likely be days off by default. Once connected to the internet, ntp
will handle time for us without any work on our part. However, until we are on the internet, our time will likely be wrong.
This becomes important when we need to get updates for openwrt
packages (i.e. using opkg
, the package manager or the web interface). The problem is that "downloads" will fail via opkg
if our system time if not correct. This date/time problem is especially observable on Raspberry Pi, which does not have a CMOS battery to keep the date/time after power off.
The way the Raspberry Pi
team handled this is they read the last time/date known from the logs, and consider that the system time. The openwrt
team handles this the same way. As you would expect with these limitations, the date/time can easily be multiple days off. Technically, we want to be within 5 minutes of "real" time for best results.
To mitigate the problem of bad time, when using the web interface we can click the button to sync time with browser
. However, be sure that the time on your own device (i.e. your desktop/laptop, or another Raspberry Pi) has the correct time itself. Specifically, if you use the browser time, but your time is wrong, then the openwrt
device will have the wrong time, and updates for openwrt
may fail.
In openwrt
(via ssh
) we can issue the the date
command to see the current date and optionally set it with -s
.
#get date
date
#set date
date -s "2022-01-11 10:58:00"
You can do everything via the web interface (recommended) without even knowing about the config files. However, you might prefer to set the eth0
manually (/etc/config/network
) just so the web interface does not freak out at the end of the configuration.
Again, not needed since you can do everything in the web interface, but this is the location of the configuration files.
/etc/config/network
/etc/config/wireless
/etc/config/firewall
The default address for openwrt
is 192.168.1.1
, until you have updated that in the web interface or in the /etc/config/network
file. Instead of the default, you will likely configure an address on the 10.x.x.x/24
network or similar.
https://10.100.0.1 #or http if needed
From the web interface, navigate to Network > Wireless
and click Scan
.
Once configured, you can see your WIFI connection at:
Network > Wireless
-or-
Status > Overview
The following enables https
for the for the web interface of openwrt
.
# confirm internet access
ping google.com
#update package list
opkg update
#install https
opkg install luci-ssl
#optional sync
sync; sync
#reboot the system
reboot
Now that we have ssl
installed, we can use a "real" password when logging into the web interface. We can set the password in the web interface itself, or using the passwd
command from terminal.
passwd
Open a browser and navigate to https://<your router ip>
and agree to the security warning for using self-signed certs (we can always replace those later). The important bit is that we are now https
instead of http
when using the web interface. This means we can safely enter our "real" password now.
We can updates packages in the web interface or via terminal. In both cases, the recommendation is to update one at a time. When using terminal, the opkg
command is similar to apt
in that it can download, list, update and install packages.
Once connected to WIFI, we can check for updates using the web interface, or with opkg update
from terminal.
opkg update
Note: If opkg update
fails, check your system time.
opkg list-upgradable
root@OpenWrt:~# opkg list-upgradable
luci-app-opkg - git-21.079.58598-6639e31 - git-21.312.69848-4745991
iw - 5.9-8fab0c9e-1 - 5.9-8fab0c9e-3
busybox - 1.33.1-6 - 1.33.2-1
luci-mod-system - git-21.295.66903-8acd0d7 - git-21.305.74567-388dae9
luci-theme-bootstrap - git-21.298.68362-d24760e - git-21.320.44446-0cee46b
wpad-basic-wolfssl - 2020-06-08-5a8b3662-35 - 2020-06-08-5a8b3662-37
netifd - 2021-07-26-440eb064-1 - 2021-10-30-8f82742c-1
luci-app-firewall - git-21.295.66767-8eceb63 - git-21.312.70727-3eac573
luci-base - git-21.295.67054-13df80d - git-21.340.48972-61cc3b1
luci-mod-network - git-21.295.67048-4d3de0e - git-21.335.80427-5091496
hostapd-common - 2020-06-08-5a8b3662-35 - 2020-06-08-5a8b3662-37
wireless-regdb - 2021.04.21-1 - 2021.08.28-1
root@OpenWrt:~#
We can use the web interface to do updates, or use the terminal. If using the web interface, we need to click updates one at a time, and be okay with getting no feedback. Or do it from the terminal like boss.
opkg upgrade <name of package>
You should really update things one at a time, but if you want to go all out perform the following.
This is not recommended, but you can optionally run the following until failure and then reboot. Eventually you will have all packages.
#Update package list (required after any reboot)
opkg update
#Yolo Mode - Install All Updates (until failure)
opkg list-upgradable | cut -f 1 -d ' ' | xargs -r opkg upgrade
#After failure
sync; sync; reboot
Note: Credit for yolo mode https://unix.stackexchange.com/questions/400231/how-do-i-upgrade-all-of-my-installed-packages-in-openwrt
To update with opkg
requires good name resolution and good time sync. Assuming you have those done right and a package is still failing to download a signature during opkg update
then you can try to wget
the package manually just to wake the network up so to speak. You will not use the download, but if it succeeds, then you can try your opkg update
again.
All other packages (not shown) were fine, except for this one.
Collected errors:
* opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/routing/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
root@DesktopUSB:~# wget -O package.gz https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/routing/Packages.gz
Downloading 'https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/routing/Packages.gz'
Connecting to 168.119.138.211:443
Writing to 'package.gz'
package.gz 100% |*******************************| 12295 0:00:00 ETA
Download completed (12295 bytes)
root@DesktopUSB:~#
opkg update
Note: Once you have opkg update
working, scroll up in this guide and learn how to install the available packages, if you have not already.
You can run without using vpn, but this would be a nice to have. Using VPN may require more work depending on what vendor (if any) you use for your VPN service.
## optional - install openvpn
opkg install openvpn-openssl
## optional - install luci gui app for vpn
opkg install luci-app-openvpn
In this write-up we got you up and running with the openwrt
router on Raspberry Pi
hardware. Big thanks to Network Chuck for the motivation. See his excellent video first linked above for a guided tour of openwrt
. The only thing we do different is we do not need any extra WIFI drivers since we use the on-board Rapsberry Pi
WIFI to connect to our ISP, and then our "lab" devices connect to openwrt
via ethernet (by simply being connected to the same physical hub).