Turn a Pi into an

Learn the ba­sics of OpenWRT us­ing a Rasp­berry Pi as a router.

APC Australia - - Contents -

OpenWRT router

Con­trol­ling the in­ter­con­nects be­tween var­i­ous de­vices is paramount to keep­ing sys­tems se­cure and safe. Sadly, most router op­er­at­ing sys­tems are closed source — find­ing vul­ner­a­bil­i­ties in them is dif­fi­cult to im­pos­si­ble. Run­ning ded­i­cated open-source router op­er­at­ing sys­tems is not a so­lu­tion for the av­er­age user, as they tend to de­mand high-end hard­ware with pro­hib­i­tively high prices.

OpenWRT is an af­ford­able and ef­fi­cient al­ter­na­tive. It fore­goes some of the com­plex­i­ties found in tra­di­tional router op­er­at­ing sys­tems, thereby al­low­ing for lower hard­ware re­quire­ments. The com­mu­nity has ported the sys­tem to var­i­ous routers: with a lit­tle care, a com­pat­i­ble router can be found for $150 or less.

In­vest a few hours of your time to trans­form it into a lean and mean file­server, tor­rent client or — con­fig­u­ra­tions al­low­ing — even a sys­tem ca­pa­ble of con­trol­ling re­al­world hard­ware via se­rial links. Here, we will in­tro­duce you to the ba­sics of OpenWRT us­ing the well­known sin­gle-board com­puter. That knowl­edge can then be ap­plied

to a va­ri­ety of other, more suit­able hard­ware so­lu­tions.


De­ploy­ing an op­er­at­ing sys­tem re­quires you to be in pos­ses­sion of a suit­able im­age: due to dif­fer­ences in the hard­ware, RPi 1 and 2 are tar­geted with dif­fer­ent files which can be down­loaded at bit.ly/1T7t4UC. The fol­low­ing steps are per­formed on a Rasp­berry Pi 2 us­ing Chaos Calmer 15.05.1. Burn the im­age ‘open­wrt15.05.1-brcm2708-bcm2709-sd­card­v­fat-ext4.img’ to the SD card in a fash­ion of your choice: Ubuntu’s Im­age Writer is the util­ity shown in the fig­ure. Fi­nally, in­sert the SD card, con­nect the RPi’s na­tive Eth­er­net port to your PC and power up the con­trap­tion. In­ter­ested in­di­vid­u­als can con­nect an HDMI mon­i­tor in or­der to see the boot process ‘ live’.


Start­ing OpenWRT on a Rasp­berry Pi 2 takes about half a minute: when done, the mes­sage shown in the fig­ure will ap­pear. At this point, the Eth­er­net port of the Rasp­berry Pi 2 will be set to a fixed IP ad­dress of and will await net­work con­nec­tions from other work­sta­tions. Open the ‘Net­work con­nec­tions’ ap­plet of the host, and con­fig­ure it to use a static IP ad­dress via the set­tings shown in the fig­ure.

Be aware that is a pop­u­lar ad­dress for routers: if your Wi-Fi router uses it, the net­work con­nec­tion needs to be dis­abled dur­ing the fol­low­ing steps.


Chaos Calmer 15.05.1 keeps the Telnet ser­vice open on un­con­fig­ured in­stances. The first bit of work in­volves con­nect­ing to the Telnet client: in­voke the passwd com­mand to set a new pass­word. Com­plaints about low pass­word strength can be ig­nored at your own peril: passwd will not ac­tu­ally pre­vent you from set­ting the pass­code to be what­ever you want, but hack­ers might be de­lighted about the eas­ier at­tack vec­tor.

Once the new root pass­word is set, the Telnet server will dis­able it­self. From that mo­ment on­ward, your OpenWRT in­stance can only be con­trolled via SSH.

tamhan@tamhan-thinkpad:~$ telnet

Try­ing Con­nected to Es­cape char­ac­ter is ‘^]’. . . . root@OpenWrt:/# passwd hang­ing pass­word for root New pass­word: Bad pass­word: too short Re­type pass­word:

Pass­word for root changed by root

- - - tamhan@tamhan-thinkpad:~$ ssh root@ The au­then­tic­ity of host ‘ (’ can’t be es­tab­lished. RSA key fingerprint is 11:80:4b:14:cc:b8:9a:a6: 42:6a:bf:8d:96:2a:1b:fa.

Are you sure you want to con­tinue con­nect­ing

(yes/no)? yes Warn­ing: Per­ma­nently added ‘’ (RSA) to the list of known hosts.


The fol­low­ing steps as­sume that your router will live be­hind an­other router. As the activation of USB sup­port re­quires the down­load­ing of a batch of pack­ages, our first act in­volves mak­ing OpenWRT play nicely with the rest of the net­work. As the stock dis­tri­bu­tion in­cludes only vi, open the web in­ter­face by en­ter­ing “http://<ip>” into a com­puter of your choice. Next, click ‘Net­work > In­ter­faces’ and click Edit next to ‘ br-lan’. Set the pro­to­col field to DHCP client and se­lect the Switch Pro­to­col but­ton. Fi­nally, click ‘ Save & Ap­ply’, close the web page and dis­con­nect the RPi from your PC. Next, con­nect both PC and Pi to the ex­ist­ing router and run nmap as root in or­der to find its newly-as­signed IP ad­dress.

The com­mand shown here is a lit­tle nifty in that it in­structs nmap to scan the en­tire 255 ad­dresses of the sub­net — be sure to ad­just it to your lo­cal en­vi­ron­ment. Fur­ther­more, keep in mind that the IP set­tings of the PC must be re­stored to the ones used orig­i­nally, with a re­boot rec­om­mended for good prac­tice. tamhan@tamhan-thinkpad:~$ sudo nmap -sn

Start­ing Nmap 6.40 ( http:// nmap.org ) at 2016-05-03 21:14 CEST . . . Nmap scan re­port for Host is up (-0.099s la­tency).

MAC Ad­dress: B8:27:EB:53:4E:D9 (Rasp­berry Pi Foun­da­tion)


At this point, our OpenWRT in­stance is con­nected to the in­ter­net at large. This al­lows opkg to down­load re­quired pack­ages — con­nect your­self us­ing SSH and the IP ad­dress de­ter­mined by NMAP, and pro­ceed to down­load­ing the pack­ets listed in the code ac­com­pa­ny­ing this step. When all mo­d­ules are in­stalled, en­ter­ing dmesg will show that the ASIX Eth­er­net in­ter­face has been de­tected and con­fig­ured as in­ter­face eth1 ac­cord­ing to the fig­ure. opkg up­date opkg in­stall kmod-usb2 us­bu­tils kmod-usb-core

opkg in­stall kmod-usb-net kmod-usb-net-asix


Even though don­gles based on the ASIX AX88772B are quite com­mon, not be­ing able to pro­cure one does not to­tally con­demn your ex­per­i­ment to

“Even though don­gles based on the ASIX AX88772B are quite com­mon, not be­ing able to pro­cure one does not to­tally con­demn your ex­per­i­ment to fail­ure.”

“If your router con­tains a USB port, it can — in the­ory — be used to ac­cess var­i­ous ex­ter­nal USB stor­age me­dia. Sadly, the re­quired pack­ages are not pro­vided out of the box.”

fail­ure. Con­nect the USB to LAN bridge to a Rasp­berry Pi run­ning Rasp­bian and en­ter the lsmod com­mand. It will pro­vide you with in­for­ma­tion about the driver mo­d­ules be­ing used, which can then be tracked down on OpenWRT. Googling “<chipset> openwrt” or “<pro­duct­name> openwrt” can also yield some use­ful re­sults.


Af­ter com­plet­ing the ker­nel con­fig­u­ra­tion process, our new in­ter­face is ready and awaits the de­ploy­ment of a con­fig­u­ra­tion. As the OpenWRT im­age pro­vided for the Rasp­berry Pi re­stricts us to vi (nano will not in­stall), con­fig­u­ra­tion is best done via the web in­ter­face we touched on ear­lier. It can be ac­cessed by point­ing your browser at the URL of the router; log-in can be ac­com­plished via the root pass­word used on the com­mand line.


The newly-cre­ated USB Eth­er­net port will be used to con­nect clients: you can con­nect ei­ther a ‘dumb switch’ or a sin­gle de­vice. In both cases, a DHCP server is needed in or­der to pro­vide IP ad­dresses to the clients.

Click the ‘Add new in­ter­face’ but­ton, and name the new in­ter­face ‘Clients’. Next, se­lect the pro­to­col to be Static ad­dress and se­lect the newly cre­ated in­ter­face eth1. Next, scroll to the bot­tom of the win­dow and click the Setup DHCP Server but­ton in or­der to fully pop­u­late the form.

With that, the IPv4 ad­dress and broad­cast fields must be set up. Fi­nally, click ‘ Save & Ap­ply’ in or­der to com­mit the changes to the net­work stack. Next, open up the net­work con­fig­u­ra­tion once again and set the Fire­wall Set­tings to the fire­wall zone LAN.


By de­fault, the LAN in­ter­face is bridged, how­ever, this is not nec­es­sary. To change this, open its prop­er­ties, se­lect the Phys­i­cal Set­tings tab and un­s­e­lect the Bridge in­ter­faces check­point. Next, open the Fire­wall set­tings tab and as­sign the WAN zone.

Fi­nally, an­other click on ‘ Save & Ap­ply’ makes OpenWRT as­sign the at­tributes lead­ing to the con­fig­u­ra­tion shown in the im­age above.


From this point on­ward, at­tempt­ing to in­ter­act with the LuCI fron­tend from ‘out­side’ of the net­work will lead to ‘ Un­able to con­nect’ er­rors — by de­fault, re­mote con­fig­u­ra­tion is not al­lowed to make at­tacks on OpenWRT more dif­fi­cult.

Solve this prob­lem by dis­con­nect­ing the work­sta­tion from the ‘outer router’, and con­nect to the Rasp­berry Pi’s USB net­work in­ter­face in­stead. Then per­form an if­con­fig com­mand and con­nect to the stan­dard gate­way in or­der to open the LuCI in­ter­face once again. Should you find your­self in the sit­u­a­tion that no IP adress is

as­signed to the work­sta­tion, re­boot the process com­puter and re­con­nect the eth­er­net ca­ble. tamhan@tamhan-thinkpad:~$ if­con­fig eth0 Link en­cap:Eth­er­net HWaddr 28:d2:44:24:4d:eb inet addr: Bcast: Mask:

inet6 addr: fe80::2ad2:44ff:fe24:4deb/64

Scope:Link 11 TEST THE PRES­ENCE OF THE ROUTER As long as all other net­work con­nec­tions are dis­abled, the work­sta­tion can con­nect to the in­ter­net only via the RPi. En­ter “mtr www.google.com” in a com­mand line in or­der to gen­er­ate the tree struc­ture shown in the fig­ure be­low — from a la­tency point of view, our OpenWRT ac­cess point looks quite good when op­er­at­ing un­der light load.


Gen­er­at­ing live di­a­grams with fur­ther in­for­ma­tion about the state of the router is an in­ter­est­ing fea­ture. Open LuCI and se­lect ‘ Sta­tus > Re­al­time graph’ in or­der to open a set of di­a­grams telling you more about CPU and net­work loads.


If your router con­tains a USB port, it can — in the­ory — be used to ac­cess var­i­ous ex­ter­nal USB stor­age me­dia. Sadly, the re­quired pack­ages are not pro­vided out of the box. This prob­lem can be reme­died by de­ploy­ing the fol­low­ing pack­ages via opkg: kmod-usb-stor­age re­quired kmod-usb-stor­age-ex­tras block-mount kmod-scsi-core

In ad­di­tion to that, a kmod-fs-* pack­age con­tain­ing the driv­ers for the file sys­tem is re­quired. One small gotcha awaits all those who want to ac­cess FAT filesys­tems — the rel­e­vant pack­age is named ‘ kmod-fs-ms­dos’.


OpenWRT can be used for a va­ri­ety of top­ics not dis­cussed here due to space con­straints. The OpenWRT project team pro­vides a set of step-by-step recipes at wiki.openwrt. org/doc/howto/start — if you feel like im­ple­ment­ing some­thing, check whether some­one else has al­ready walked the trek for you!


Our cur­rent con­trap­tion — made up of a Rasp­berry Pi and a batch of pe­riph­er­als — works well for eval­u­a­tion pur­poses, but is not par­tic­u­larly well suited to prac­ti­cal de­ploy­ments. Should you feel like find­ing a ded­i­cated router, start out by look­ing at the com­pat­i­bil­ity list pro­vided at wiki.openwrt.org/toh/start. Please be aware that router man­u­fac­tur­ers tend to change their hard­ware fre­quently: in some cases, more than 12 re­vi­sions with com­pletely dif­fer­ent in­te­grated cir­cuits are known.


Should you lock your­self out of your OpenWRT router, fret not: if the mem­ory is not sol­dered in, sim­ply mount it with a cardreader of choice. Most, if not all, Linux dis­tri­bu­tions will dis­play the con­tents of the file sys­tems im­me­di­ately — ac­cess­ing some of the files re­quires that the file man­ager is run with root rights (sudo nau­tilus).

Newspapers in English

Newspapers from Australia

© PressReader. All rights reserved.