Turn a Pi into an
Learn the basics of OpenWRT using a Raspberry Pi as a router.
Controlling the interconnects between various devices is paramount to keeping systems secure and safe. Sadly, most router operating systems are closed source — finding vulnerabilities in them is difficult to impossible. Running dedicated open-source router operating systems is not a solution for the average user, as they tend to demand high-end hardware with prohibitively high prices.
OpenWRT is an affordable and efficient alternative. It foregoes some of the complexities found in traditional router operating systems, thereby allowing for lower hardware requirements. The community has ported the system to various routers: with a little care, a compatible router can be found for $150 or less.
Invest a few hours of your time to transform it into a lean and mean fileserver, torrent client or — configurations allowing — even a system capable of controlling real-world hardware via serial links. Here, we will introduce you to the basics of OpenWRT using the well-known single-board computer. That knowledge can then be applied to a variety of other, more suitable hardware solutions.
1 SET IT UP
Deploying an operating system requires you to be in possession of a suitable image: due to differences in the hardware, RPi 1 and 2 are targeted with different files which can be downloaded at bit.ly/1T7t4UC. The following steps are performed on a Raspberry Pi 2 using Chaos Calmer 15.05.1. Burn the image ‘openwrt-15.05.1-brcm2708-bcm2709-sdcard-vfat-ext4.img’ to the SD card in a fashion of your choice: Ubuntu’s Image Writer is the utility shown in the figure. Finally, insert the SD card, connect the RPi’s native Ethernet port to your PC and power up the contraption. Interested individuals can connect an HDMI monitor in order to see the boot process ‘live’.
2 GET CONNECTED
Starting OpenWRT on a Raspberry Pi 2 takes about half a minute: when done, the message shown in the figure will appear. At this point, the Ethernet port of the Raspberry Pi 2 will be set to a fixed IP address of 192.168.1.1 and will await network connections from other workstations. Open the ‘Network connections’ applet of the host, and configure it to use a static IP address via the settings shown in the figure.
Be aware that 192.168.1.1 is a popular address for routers: if your Wi-Fi router uses it, the network connection needs to be disabled during the following steps.
3 TELNET OR SSH?
Chaos Calmer 15.05.1 keeps the Telnet service open on unconfigured instances. The first bit of work involves connecting to the Telnet service and invoking the passwd command to set a new password. Complaints about low password strength can be ignored at your own peril: passwd will not actually prevent you from setting the passcode to be whatever you want, but hackers might be delighted about the easier attack vector.
Once the new root password is set, the Telnet server will disable itself. From that moment onward, your OpenWRT instance can only be controlled via SSH.
tamhan@tamhan-thinkpad:~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
. . .
root@OpenWrt:/# passwd
Changing password for root
New password:
Bad password: too short
Retype password:
Password for root changed by root
- - -
tamhan@tamhan-thinkpad:~$ ssh root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is 11:80:4b:14:cc:b8:9a:a6:42:6a:bf:8d:96:2a:1b:fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
4 LET’S PLAY NICE
The following steps assume that your router will live behind another router. As the activation of USB support requires the downloading of a batch of packages, our first act involves making OpenWRT play nicely with the rest of the network. As the stock distribution includes only vi, open the web interface by entering “http://<ip>” into a computer of your choice. Next, click ‘Network > Interfaces’ and click Edit next to ‘br-lan’. Set the protocol field to DHCP client and select the Switch Protocol button. Finally, click ‘Save & Apply’, close the web page and disconnect the RPi from your PC. Next, connect both PC and Pi to the existing router and run nmap as root in order to find its newly-assigned IP address.
The command shown here is a little nifty in that it instructs nmap to scan the entire 255 addresses of the subnet — be sure to adjust it to your local environment. Furthermore, keep in mind that the IP settings of the PC must be restored to the ones used originally, with a reboot recommended for good practice.
tamhan@tamhan-thinkpad:~$ sudo nmap -sn 192.168.1.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-03 21:14 CEST
. . .
Nmap scan report for 192.168.1.104
Host is up (-0.099s latency).
MAC Address: B8:27:EB:53:4E:D9 (Raspberry Pi Foundation)
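An added example, not part of the original article: on a subnet with several devices, the Pi can be picked out of the ping-scan output by its MAC prefix, so that the root password is only ever typed into the right host. The function name find_pi and the sample scan text are constructed for illustration; B8:27:EB is the prefix shown in the output above.

```shell
#!/bin/sh
# Added example: pick the Raspberry Pi out of `nmap -sn` output by MAC prefix.
# nmap only prints "MAC Address:" lines when run as root on the same segment,
# which is why the article runs it with sudo.

# find_pi [OUI] - reads scan output on stdin, prints "<ip> <mac>" per match.
find_pi() {
    awk -v oui="${1:-B8:27:EB}" '
        /^Nmap scan report for / {
            ip = $NF                 # bare "1.2.3.4" or "name (1.2.3.4)"
            gsub(/[()]/, "", ip)
            next
        }
        /^MAC Address: / {
            # Case-insensitive match against the start of the MAC address.
            if (index(toupper($3), toupper(oui)) == 1) print ip, $3
        }'
}

# Constructed sample output: a gateway reported with a hostname, the Pi,
# and the scanning PC itself (which nmap lists without a MAC line).
SAMPLE_SCAN='Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-03 21:14 CEST
Nmap scan report for gateway.lan (192.168.1.1)
Host is up (0.0011s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 192.168.1.104
Host is up (-0.099s latency).
MAC Address: B8:27:EB:53:4E:D9 (Raspberry Pi Foundation)
Nmap scan report for 192.168.1.50
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.31 seconds'

printf '%s\n' "$SAMPLE_SCAN" | find_pi
```

Against a live network the same function takes the scan directly: sudo nmap -sn 192.168.1.0/24 | find_pi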
5 DEPLOY MISSING USB DRIVERS
At this point, our OpenWRT instance is connected to the internet at large. This allows opkg to download required packages — connect yourself using SSH and the IP address determined by nmap, and proceed to downloading the packages listed in the code accompanying this step. When all modules are installed, entering dmesg will show that the ASIX Ethernet interface has been detected and configured as interface eth1 according to the figure.
opkg update
opkg install kmod-usb2 usbutils kmod-usb-core
opkg install kmod-usb-net kmod-usb-net-asix
Even though dongles based on the ASIX AX88772B are quite common, not being able to procure one does not totally condemn your experiment to failure. Connect the USB-to-LAN bridge to a Raspberry Pi running Raspbian and enter the lsmod command. It will provide you with information about the driver modules being used, which can then be tracked down on OpenWRT. Googling “<chipset> openwrt” or “<productname> openwrt” can also yield some useful results.
7 OPEN THE WEB INTERFACE
After completing the kernel configuration process, our new interface is ready and awaits the deployment of a configuration. As the OpenWRT image provided for the Raspberry Pi restricts us to vi (nano will not install), configuration is best done via the web interface we touched on earlier. It can be accessed by pointing your browser at the URL of the router; log-in can be accomplished via the root password used on the command line.
8 LET’S GET ROUTING
The newly-created USB Ethernet port will be used to connect clients: you can connect either a ‘dumb switch’ or a single device. In both cases, a DHCP server is needed in order to provide IP addresses to the clients.
Click the ‘Add new interface’ button, and name the new interface ‘Clients’. Next, select the protocol to be Static address and select the newly created interface eth1. Next, scroll to the bottom of the window and click the Setup DHCP Server button in order to fully populate the form.
With that, the IPv4 address and broadcast fields must be set up. Finally, click ‘Save & Apply’ in order to commit the changes to the network stack. Next, open up the network configuration once again and set the Firewall Settings to the firewall zone LAN.
9 REARRANGE THE INTERFACES
By default, the LAN interface is bridged; however, this is not necessary. To change this, open its properties, select the Physical Settings tab and unselect the Bridge interfaces checkbox. Next, open the Firewall settings tab and assign the WAN zone.
Finally, another click on ‘Save & Apply’ makes OpenWRT assign the attributes leading to the configuration shown in the image above.
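An added example, not from the original article or the OpenWRT project: after steps 8 and 9 the network named ‘lan’ (eth0, facing the existing router) sits in the firewall zone ‘wan’, while ‘Clients’ (eth1) sits in zone ‘lan’, which is easy to get backwards. The script reads the output of uci show firewall and confirms that layout; the function names and the sample output are constructed, and it assumes the stock unnamed zone sections and that LuCI's LAN interface is the UCI network ‘lan’.

```shell
#!/bin/sh
# Added example: audit `uci show firewall` output for the zone layout built in
# steps 8 and 9. Assumes the stock anonymous sections (firewall.@zone[N]).

# zone_input_for NETWORK - prints "<zone> <input policy>" for the zone that
# contains NETWORK, or nothing if no zone lists it.
zone_input_for() {
    awk -v net="$1" -v q="'" -F= '
        /^firewall\.@zone\[[0-9]+\]\.(name|network|input)=/ {
            split($1, k, "[.]")        # k[2] = "@zone[N]", k[3] = option
            gsub(q, "", $2)            # drop the quotes uci puts around values
            val[k[2], k[3]] = $2
            seen[k[2]] = 1
        }
        END {
            for (z in seen) {
                n = split(val[z, "network"], nets, " ")
                for (i = 1; i <= n; i++)
                    if (nets[i] == net) print val[z, "name"], val[z, "input"]
            }
        }'
}

# check_layout UPSTREAM_NET CLIENT_NET - succeeds only if the upstream network
# is in zone wan with input REJECT and the client network is in zone lan.
check_layout() {
    cfg=$(cat)
    up=$(printf '%s\n' "$cfg" | zone_input_for "$1")
    cl=$(printf '%s\n' "$cfg" | zone_input_for "$2")
    [ "$up" = "wan REJECT" ] && [ "$cl" = "lan ACCEPT" ]
}

# Constructed sample of `uci show firewall` after the LuCI changes above.
SAMPLE_FW="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='Clients'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6' 'lan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].masq='1'"

printf '%s\n' "$SAMPLE_FW" | check_layout lan Clients && echo "zone layout OK"
```

On the router itself, from an SSH session: uci show firewall | check_layout lan Clients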
10 FIREWALL AHOY!
From this point onward, attempting to interact with the LuCI frontend from ‘outside’ of the network will lead to ‘Unable to connect’ errors — by default, remote configuration is not allowed, in order to make attacks on OpenWRT more difficult.
Solve this problem by disconnecting the workstation from the ‘outer router’, and connect to the Raspberry Pi’s USB network interface instead. Then perform an ifconfig command and connect to the standard gateway in order to open the LuCI interface once again. Should you find yourself in the situation that no IP address is assigned to the workstation, reboot the process computer and reconnect the Ethernet cable.
tamhan@tamhan-thinkpad:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 28:d2:44:24:4d:eb
     inet addr:192.168.2.157 Bcast:192.168.2.255 Mask:255.255.255.0
     inet6 addr: fe80::2ad2:44ff:fe24:4deb/64 Scope:Link
11 TEST THE PRESENCE OF THE ROUTER
As long as all other network connections are disabled, the workstation can connect to the internet only via the RPi. Enter “mtr www.google.com” in a command line in order to generate the tree structure shown in the figure below — from a latency point of view, our OpenWRT access point looks quite good when operating under light load.
12 ANALYSE THE NETWORK STATUS
Generating live diagrams with further information about the state of the router is an interesting feature. Open LuCI and select ‘Status > Realtime graph’ in order to open a set of diagrams telling you more about CPU and network loads.
13 DEPLOY FILE SYSTEM SUPPORT
If your router contains a USB port, it can — in theory — be used to access various external USB storage media. Sadly, the required packages are not provided out of the box. This problem can be remedied by deploying the following packages via opkg:
kmod-usb-storage (required)
kmod-usb-storage-extras
block-mount
kmod-scsi-core
In addition to that, a kmod-fs-* package containing the drivers for the file system is required. One small gotcha awaits all those who want to access FAT filesystems — the relevant package is named ‘kmod-fs-msdos’.
14 LEARN MORE
OpenWRT can be used for a variety of topics not discussed here due to space constraints. The OpenWRT project team provides a set of step-by-step recipes at wiki.openwrt.org/doc/howto/start — if you feel like implementing something, check whether someone else has already walked the trek for you!
15 FIND SUPPORTED HARDWARE
Our current contraption — made up of a Raspberry Pi and a batch of peripherals — works well for evaluation purposes, but is not particularly well suited to practical deployments. Should you feel like finding a dedicated router, start out by looking at the compatibility list provided at wiki.openwrt.org/toh/start. Please be aware that router manufacturers tend to change their hardware frequently: in some cases, more than 12 revisions with completely different integrated circuits are known.
16 HARDCORE DEBUGGING
Should you lock yourself out of your OpenWRT router, fret not: if the memory is not soldered in, simply mount it with a card reader of choice. Most, if not all, Linux distributions will display the contents of the file systems immediately — accessing some of the files requires that the file manager is run with root rights (sudo nautilus).