Andrey Smirnov

Installing and configuring OpenWrt


Users who are not expert users of OpenWrt (those who can build their own images) should consider 16/64 (16 MB of flash, 64 MB of RAM) as an absolute minimum for any device, with at least 128 MB of RAM being preferred.

Users should expect that devices with less than 16 MB of flash and/or 64 MB of RAM may be unstable in basic operation under current versions of OpenWrt (17.X, 18.X). They should further expect that support for the device may be dropped at any time and that security patches/updates to the kernel, drivers, and/or application software will not be available. While there is no warranty of ongoing support for any device under OpenWrt, those with insufficient resources are at great risk for “end of support”.

Previous versions of OpenWrt (such as earlier versions of 17.X, 15.X, “Chaos Calmer” and prior) contain now-known security vulnerabilities in the kernel, wireless implementation, and/or application code. The OpenWrt community cannot support running known-vulnerable code under any situation. “It’s just my router” is not justification as your router becoming compromised can impact others as a jump-point, command-and-control, or other participant in an attack. In many cases, these known vulnerabilities are being actively targeted, potentially including by advanced, likely state-sponsored or state-affiliated actor or actors.


luci and luci-ssl are meta-packages. The table below shows what they comprise; the sizes are in bytes for packages compiled for the ar71xx platform and should not differ much from binaries compiled for other architectures. Note also that with JFFS2 it is not possible to predict the occupied space precisely.

If you want to use a web server other than uhttpd and not install uhttpd at all, do not install the luci meta-package, because it pulls uhttpd in as a dependency. Install the individual components and a web server of your choice instead. The webserver article lists some choices from the repositories.

Name Size Description
luci 779 Meta package. Standard OpenWrt set including full and mini admin and the standard theme
uhttpd 23778 uHTTPd is a tiny single threaded HTTP server with TLS, CGI and Lua support. It is intended as a drop-in replacement for the Busybox HTTP daemon.
luci-mod-admin-full 60827 LuCI Administration — full-featured for full control
luci-mod-admin-core 5257 Web UI Core module
luci-theme-openwrt 7226 OpenWrt.org (default)
luci-i18n-english 1252 English
luci-app-firewall 16630 Firewall and port forwarding application
firewall 11603 UCI based firewall for OpenWrt /etc/config/firewall /etc/firewall.user. Dependencies: iptables, iptables-mod-conntrack, iptables-mod-nat
luci-app-initmgr 5713 LuCI Initscript Management
libiwinfo 25362 Wireless information library with consistent interface for proprietary Broadcom, madwifi, nl80211 and wext driver interfaces.
luci-lib-ipkg 2846 LuCI IPKG/OPKG call abstraction library
luci-theme-base 25065 Common base for all themes
libnl-tiny 14390 This package contains a stripped down version of libnl
liblua 81477 Lua is a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Lua is free software. This package contains the Lua shared libraries, needed by other programs.
lua 9069 Lua is a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Lua is free software. This package contains the Lua language interpreter. (5.1.4-7)
luci-lib-web 59695 MVC Webframework
luci-lib-sys 15795 LuCI Linux/POSIX system library
luci-lib-nixio 31683 NIXIO POSIX library
luci-lib-core 28096 LuCI core libraries
luci-sgi-cgi 2420 CGI Gateway behind existing Webserver
luci-lib-lmo 4714 LuCI LMO I18N library
Additionally Required for HTTPS
luci-ssl 782 Meta package. Standard OpenWrt set including full and mini admin, the standard theme + HTTPS support
uhttpd-mod-tls 5825 The TLS plugin adds HTTPS support to uHTTPd.
uhttpd-mod-lua 9178 The Lua plugin adds a CGI-like Lua runtime interface to uHTTPd.
libcyassl 69682 CyaSSL is an SSL library optimized for small footprint, both on disk and for memory use.
px5g 28480 Px5g is a tiny standalone X.509 certificate generator. It’s suitable to create key files and certificates in DER and PEM format for use with stunnel, uhttpd and others.
Internationalization and localization packages
luci-i18n-xxx ????? Please refer to http://i18n.luci.subsignal.org/pootle/ for an overview of the translation progress.
According to a is no longer available

Protocol «ppp» (PPP over Modem)

The package must be installed to use PPP.

Name Type Required Default Description
file path yes (none) Modem device node
string no(?) (none) Username for PAP/CHAP authentication
string no(?) (none) Password for PAP/CHAP authentication
file path no (none) Path to custom PPP connect script
file path no (none) Path to custom PPP disconnect script
number no (none) Number of unanswered echo requests before considering the peer dead. The interval between echo requests is 5 seconds.
number no (none) Number of seconds to wait before closing the connection due to inactivity
boolean no Replace existing default route on PPP connect
boolean no Use peer-assigned DNS server(s)
list of ip addresses no (none) Override peer-assigned DNS server(s)
no Enable IPv6 on the PPP link
0: IPv6 disabled
1: IPv6 enabled
auto: IPv6 enabled. DHCPv6 client enabled.
string no (none) Additional command line arguments to pass to the pppd daemon

PPP-based protocols negotiate IPv4 and IPv6 support when the link is established. These protocols require to be specified in the parent section if IPv6 support is required. Further configuration can be given in the alias section – see ipv6.



A good way to configure your Internet connection is to use two devices: a dedicated modem that simply accepts all ATM traffic and bridges it to its Ethernet port, and a second device that acts as the router for your internal LAN, whose WAN port authenticates to your ISP via PPPoE and is physically connected to the first device over an Ethernet cable.

Below are two configs: one for the modem (here a Netgear DM200 ADSL2+/VDSL modem) and a second showing the authentication to the ISP TPG on the second device (another OpenWrt router).

package network

config atm-bridge 'atm'
        option vpi '8'
        option vci '35'
        option encaps 'llc'
        option payload 'bridged'

config dsl 'dsl'
        option annex 'a2p'
        option fwannex 'a'
        option firmware '/lib/firmware/lantiq-vrx200-a.bin'
        option xfer_mode 'atm'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 nas0'
        option proto 'none'
        option auto '1'

config device 'lan_dev'
        option name 'eth0'
        option macaddr 'yy.yy.yy.yy.yy.yy'

config device 'wan_dev'
        option name 'nas0'
        option macaddr 'xx.xx.xx.xx.xx.xx'

Second device authenticates to ISP with:

config interface 'wan'
	option ifname 'eth1'
	option proto 'pppoe'
	option username 'xxxx@tpg.com.au'
	option password 'zzzz'


Simply set the WAN port to use the PPPoE protocol and enter your TPG username and password. That’s all. No VLAN configuration (such as setting WAN to use VLAN 2) was required.

Czech Republic


  • Protocol: PPPoE
  • VLAN: 848
  • Username: O2
  • Password: O2
config interface 'wan'
        option proto 'pppoe'
        option username 'O2'
        option ifname 'dsl0.848'
        option ipv6 'auto'
        option password 'O2'
config dsl 'dsl'
        option annex 'a'
        option ds_snr_offset '0'
        option line_mode 'vdsl'
        option tone 'av'

O2 provides documentation for IPTV here.

  • Bridge mode
  • VLAN: 835

Example configuration on TP-Link TD-W8980B / TD-9980B. IPTV is plugged in port ‘LAN2’.

config interface 'iptv'
        option type 'bridge'
        option proto 'dhcp'
        option hostname 'O2TV'
        option peerdns '0'
        option defaultroute '0'
        option ifname 'dsl0.835 eth0.835'
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 5 2 4'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '835'
        option ports '6t 0'


Bell Canada Fibe

Bell Canada Fibe provides fiber to the home (FTTH).

It uses VLAN tagging and the PPPoE protocol.

The VLAN tagging is usually as follows:

  • Phone: VLAN 34
  • Internet: PPPoE over VLAN 35
  • TV: VLAN 36
config interface 'wan'
    option ifname 'eth1.35'
    option proto 'pppoe'
    option username 'b1xxxxxx'
    option password 'xxxxxx'
    option ipv6 'auto'

config interface 'wan6'
    option proto 'dhcpv6'
    option reqaddress 'try'
    option reqprefix 'auto'
    option ifname '@wan'

MTU Settings

Follow the MTU recommendations here:

  • Fiddle with your MTU settings to make sure that your router doesn’t have to fragment IP packets. (IP fragmentation will use more CPU on your router, increase overhead on your WAN connection, slightly degrade performance, and cause problems when connecting to networks behind misconfigured firewalls on the Internet).
  • At first I used all the default settings and was getting an MTU of 1480.
  • I increased the MTU on both my SFP interface and VLAN to 1520 and then set the advertised MTU and MRU settings on my PPPoE interface to 1500 and was able to get an actual MTU of 1500 on my WAN link.
  • You can verify your MTU value using ping or a webservice such as the MTU test at Let Me Check.it.


  • How to get Bell Fibe in Quebec/Ontario (Internet and IPTV) working with pfSense https://forum.netgate.com/topic/78892/how-to-get-bell-fibe-in-quebec-ontario-internet-and-iptv-working-with-pfsense

  • How to bypass Bell hub and use your own Route http://forums.redflagdeals.com/please-sticky-how-bypass-bell-hub-use-your-own-router-1993629/

  • Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits. https://community.ubnt.com/t5/EdgeRouter/Bell-PPPoE-and-IPTV-with-FTTH-Guide-configuration-and-tidbits/td-p/1686977

  • Bell Fibe WAN PPPoE (in French) http://blog.th0ma7.com/pages/Bell-Fibe-WAN-PPPoE

  • Bell Fibe with your own Router

Alternative OS upgrade procedures (other than LuCI or sysupgrade)

These upgrade options are much more manual than using either LuCI or sysupgrade. They are only needed in unusual circumstances.


  1. If sysupgrade is not supported for your device, you must use mtd instead:
    mtd -r write /tmp/openwrt-ar71xx-generic-wzr-hp-ag300h-squashfs-sysupgrade.bin firmware


Direct method

Netcat can be used if you cannot free enough RAM. See netcat. Netcat must be installed first.

This method is NOT recommended! The image is written to flash straight from the network stream, so nothing checks the image before it is written, and if the transfer stalls or the connection drops the flash is left partially written and the device may no longer boot.
  1. On the Linux computer run:
    nc -q0 1234 
  2. On the router run:
    nc -l -p 1234 | mtd write - firmware

Indirect method

This method is much safer, provided you have enough RAM.

It is well suited to self-built firmware images.

Check how much RAM you currently have free (if not enough is left, see the free RAM page).


Transfer the image file to the temporary directory

On your GNU/Linux PC run: cat .bin | pv -b | nc -l -p 3333

On the router run: nc 3333 > /tmp/.bin

Port 3333 and the IP address are only examples. The pv -b command is optional and only shows transfer progress; you may have to install pv on your system first.

Write it to flash




I tested this under Ubuntu 11.10.

Some useful links for netcat

  • http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples/

  • http://www.screenage.de/blog/2007/12/30/using-netcat-and-tar-for-network-file-transfer/

  • https://help.ubuntu.com/community/BackupYourSystem/TAR

  • http://www.aboutdebian.com/tar-backup.htm


Make sure the router has enough free memory:

root@OpenWrt:/# free

Make sure you have set a password on the router (SSH is only enabled once a root password is set). See First Login for details.

Copy the firmware to the router

On your Linux computer run:

linux$ scp openwrt-ar71xx-tl-wr1043nd-v1-squashfs-sysupgrade.bin root@

Type "yes" to accept the router's SSH host key on this first connection, then enter your router's password. Wait for the scp command to finish. The firmware is now in the /tmp directory.

Write the firmware to your router

root@OpenWrt:/# sysupgrade -v /tmp/.bin 

Note: the address after root@ is the IP address (the gateway) of your router. Check it by running:

linux$ ip r 

or look in the /etc/config/network file: one address is the loopback, the other is your router's IP address.

root@OpenWrt:/# grep ipaddr /etc/config/network 
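Both the netcat transfer above and the scp procedure deliver the image to /tmp, but neither checks that what landed there is the image you downloaded, and the free-RAM check is left to the reader. The script below is an added example (not part of this page or of the OpenWrt project): it compares the image's SHA-256 against the digest from the release's sha256sums file (you supply that value; the one in the usage comment is a placeholder), checks MemFree in a /proc/meminfo-style file, and only then hands the file to sysupgrade. The margin of twice the image size plus 8 MB is an assumed rule of thumb, not an OpenWrt requirement.

```shell
#!/bin/sh
# Added example: gate sysupgrade on an image checksum and a free-RAM check.
# Not part of the OpenWrt project; the 2x-image + 8 MB margin is an assumed rule of thumb.

# SHA-256 of a file, using sha256sum (GNU coreutils, busybox) or shasum (macOS) as a fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 0 when the file's digest equals the expected hex digest (case-insensitive), 1 otherwise.
verify_image() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# 0 when MemFree in a /proc/meminfo-style file ($2) covers the image size in bytes ($1)
# twice over plus an 8 MB margin: sysupgrade keeps the image in RAM-backed /tmp and
# needs working space of its own while the flash is rewritten.
enough_ram_for() {
    image_bytes="$1"; meminfo="$2"
    memfree_kb=$(awk '/^MemFree:/ { print $2 }' "$meminfo")
    [ -n "$memfree_kb" ] || return 1
    need_kb=$(( image_bytes / 1024 * 2 + 8192 ))
    [ "$memfree_kb" -ge "$need_kb" ]
}

# Run both checks; flash only when both pass. Return codes: 0 ok, 1 bad checksum, 2 low RAM.
# With dry_run=1 (the default) the sysupgrade command is printed instead of executed, so the
# script can be exercised on a workstation where sysupgrade does not exist.
safe_sysupgrade() {
    image="$1"; expected="$2"; meminfo="${3:-/proc/meminfo}"; dry_run="${4:-1}"
    if ! verify_image "$image" "$expected"; then
        echo "checksum mismatch for $image, refusing to flash" >&2
        return 1
    fi
    size=$(wc -c < "$image" | tr -d ' ')
    if ! enough_ram_for "$size" "$meminfo"; then
        echo "not enough free RAM for a ${size}-byte image, refusing to flash" >&2
        return 2
    fi
    if [ "$dry_run" = 1 ]; then
        echo "would run: sysupgrade -v $image"
        return 0
    fi
    sysupgrade -v "$image"
}

# Usage on the router, after scp or netcat has placed the image in /tmp
# (the digest below is a placeholder; take the real one from the release's sha256sums):
#   safe_sysupgrade /tmp/openwrt-ar71xx-tl-wr1043nd-v1-squashfs-sysupgrade.bin <sha256 from sha256sums> /proc/meminfo 0
```

The digest comparison is the step that matters: a truncated or tampered transfer produces a different hash and the script stops before mtd or sysupgrade ever touches the flash, which the direct netcat method above cannot do.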


Server configuration

There is no need to modify the server configuration files /etc/pptpd.conf and /etc/ppp/options.pptpd; however, some parameters need to be adjusted depending on the clients and the network configuration (such as mtu, mru, ms-dns, proxyarp). See the documentation and tips below.

Client configuration is located in /etc/config/pptpd. Modify it to enable pptpd and configure the clients and the network. The following is an example for two clients; you can add multiple config 'login' sections.

config service 'pptpd'
	option 'enabled' '1'
	option 'localip' 'xxx.yyy.www.zzz'

config 'login'
	option 'username' 'foo'
	option 'password' 'bar'
	option 'remoteip' 'xxx.yyy.zzz.1'

config 'login'
	option 'username' 'foo'
	option 'password' 'bar'
	option 'remoteip' 'xxx.yyy.zzz.2'

Network configuration

If you are using a different subnet for VPN clients you need to add a route in /etc/config/network:

config route
	option interface 'lan'
	option target 'xxx.yyy.zzz.0'
	option netmask ''
	option gateway 'xxx.yyy.www.zzz'

Firewall configuration

Accept traffic from wan

In order to accept PPTP traffic from WAN to the router you need to open the following protocol and port. Add the following to /etc/config/firewall:

config rule
	option target 'ACCEPT'
	option name 'pptp'
	option src 'wan'
	option proto 'tcp'
	option dest_port '1723'

config rule
	option target 'ACCEPT'
	option name 'gre'
	option src 'wan'
	option proto '47'
Accept VPN traffic

In order to allow traffic inside the VPN to enter, leave and pass through the router you need to add the following. Be aware that if you are using ppp (PPPoE or similar) on WAN, this configuration is insecure and must be modified: the ppp+ wildcard also matches the PPPoE WAN interface (pppoe-wan), so these rules would accept all input and forwarding from the Internet. You can add it to /etc/firewall.user:

# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT

As a safer way you can automate these rules by creating pppd hook scripts that add the rule only when a PPP link comes up and remove it again when it goes down. The test expressions were lost from this page; the scripts below check for a non-empty interface name, which pppd exports as IFNAME and also passes as the first argument:

#!/bin/sh
# ip-up hook: open forwarding for the link that just came up
ifname="${IFNAME:-$1}"
if [ -n "$ifname" ]; then
	iptables -A forwarding_rule -i "$ifname" -j ACCEPT
fi

#!/bin/sh
# ip-down hook: remove the matching rule when the link goes down
ifname="${IFNAME:-$1}"
if [ -n "$ifname" ]; then
	iptables -D forwarding_rule -i "$ifname" -j ACCEPT
fi

Then enable and start the service:

/etc/init.d/pptpd enable
/etc/init.d/pptpd start
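The ppp+ wildcard in the /etc/firewall.user rules above is the root of the warning: on an OpenWrt router with a PPPoE uplink, netifd names that link pppoe-wan, which ppp+ matches, so the rules would accept everything arriving from the Internet. The script below is an added example (not from the OpenWrt wiki or the pptpd package) that restricts the per-link rules to the kernel-named ppp0, ppp1, ... interfaces that pptpd's pppd instances receive, and emits the iptables commands only after that check passes. It assumes the pppd ip-up.d/ip-down.d hook directories, the input_rule/output_rule/forwarding_rule user chains that /etc/firewall.user feeds, and that pppd passes the interface name as the first argument.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki or the pptpd package): decide whether a PPP
# interface belongs to a pptpd client before opening the firewall for it.
# Assumptions: netifd names the PPPoE WAN link "pppoe-<interface>" (e.g. pppoe-wan), while
# pppd instances spawned by pptpd get kernel-assigned names ppp0, ppp1, ...; input_rule,
# output_rule and forwarding_rule are the user chains OpenWrt's firewall provides for
# /etc/firewall.user.

# True (0) only for kernel-named pppN interfaces; "pppoe-wan", "ppp" and non-PPP names are rejected.
is_pptp_peer() {
    case "$1" in
        ppp[0-9]|ppp[0-9][0-9]|ppp[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the iptables command lines for one interface. "$1" is the action (A to add, D to
# delete), "$2" the interface name. Emits nothing, and returns 1, for an interface that
# fails the check, so a caller can never accidentally open the WAN link.
firewall_cmds_for() {
    action="$1"; ifn="$2"
    is_pptp_peer "$ifn" || return 1
    printf 'iptables -%s input_rule -i %s -j ACCEPT\n' "$action" "$ifn"
    printf 'iptables -%s output_rule -o %s -j ACCEPT\n' "$action" "$ifn"
    printf 'iptables -%s forwarding_rule -i %s -j ACCEPT\n' "$action" "$ifn"
    printf 'iptables -%s forwarding_rule -o %s -j ACCEPT\n' "$action" "$ifn"
}

# Hook body. pppd calls the scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d (assumed
# directories) with the interface name as $1 and also exports it as IFNAME. Install a copy
# in each directory that calls apply_hook with A or D respectively.
apply_hook() {
    action="$1"; ifn="${IFNAME:-$2}"
    firewall_cmds_for "$action" "$ifn" | while read -r cmd; do
        $cmd
    done
}

# Example hook invocation (only runs iptables when executed on the router):
#   apply_hook A "$1"   # in /etc/ppp/ip-up.d/pptpd-fw
#   apply_hook D "$1"   # in /etc/ppp/ip-down.d/pptpd-fw
```

The interface-name check is deliberately a whitelist of the pppN pattern rather than a blacklist of pppoe-wan: a future PPTP or L2TP uplink named ppp-something would otherwise be opened as well.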

Connecting via telnet

BusyBox v1.17.3 (2011-02-22 23:42:42 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 ATTITUDE ADJUSTMENT (bleeding edge, r26290) ----------
  * 1/4 oz Vodka      Pour all ingredents into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice

Type passwd at the prompt. You will be asked to set a new password for the root user:

root@openwrt:~$ passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
  • Please use a strong password.
  • Once you have set the password the telnet daemon is disabled; type at the command line
  • SSH is available immediately, without a reboot; if the web interface (LuCI) has the TLS modules installed, connect over HTTPS.
  • Connect again using the command, or use signature (public-key) authentication.

  • Continue with the basic configuration.


Vodafone SIRO 1G

  • igmpproxy needs to be installed for TV.
In this setup a separate interface is used for the STB; you can also connect yours to the LAN (but then change the igmpproxy configuration to point to LAN instead of eth3).
Config files:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'fda0:8093:6a4c::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask ''
	option ip6assign '60'
	option ipaddr ''
	option stp '1'
	option igmp_snooping '1'
	option ifname 'eth1 eth3'

config interface 'wan'
	option proto 'pppoe'
	option ifname 'eth0.10'
	option username 'VODAFONE_ROUTER_SERIAL@vfieftth.ie'
	option password 'broadband'
	option ipv6 'auto'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config interface 'iptv'
	option proto 'dhcp'
	option delegate '0'
	option broadcast '1'
	option defaultroute '0'
	option ifname 'eth0.10'

config interface 'stb'
	option proto 'static'
	option ifname 'eth2'
	option type 'bridge'
	option igmp_snooping '1'
	option ipaddr ''
	option ip6assign '64'
	option netmask ''
config igmpproxy
	option quickleave 1
#	option verbose (none, minimal, more, maximum)

config phyint
	option network iptv
	option zone wan
	option direction upstream
	list altnet

config phyint
	option network stb
	option zone lan
	option direction downstream



  • Study the documentation available on SourceForge.
  • Plan your networks. Remote clients can be in “lan”, but it is feasible to configure a dedicated network for clients and set up routing accordingly.
  • Modify your firewall rules as described below.
  • If upgrading from a previous OpenWrt version, back up the pptpd configuration files: the 14.07 init script overwrites the chap-secrets file.
  • pptpd
  • kmod-mppe
  • ppp

See OpenWrt log for other required packages.


 opkg install pptpd kmod-mppe

There are bugs in the BARRIER BREAKER (14.07, r42625) init script.
Modify /etc/init.d/pptpd to clean up the temporary pptpd.conf and chap-secrets. The original init script does not support multiple simultaneous clients with fixed remote IPs. The following script, together with the modified configuration file above, enables it:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

# Variable block reconstructed from the stock OpenWrt pptpd init script; it was
# lost from this page. The generated files live under /var/etc (RAM) so the
# plaintext secrets never reach flash.
START=60

BIN=pptpd
DEFAULT=/etc/default/$BIN
RUN_D=/var/run
CONFIG=/var/etc/pptpd.conf
CHAP_SECRETS=/var/etc/chap-secrets
OPTIONS=

setup_login() {
	local section="$1"
	config_get username "$section" username
	config_get password "$section" password
	config_get remoteip "$section" remoteip
	[ -n "$username" ] || return 0
	[ -n "$password" ] || return 0
	[ -n "$remoteip" ] || return 0

	# one chap-secrets line per client, with a fixed remote IP
	echo "$username pptp-server $password $remoteip" >> $CHAP_SECRETS
}

setup_config() {
	local section="$1"

	config_get enabled "$section" enabled
	[ "${enabled:-0}" -eq 0 ] && return 1

	mkdir -p /var/etc
	cp /etc/pptpd.conf $CONFIG

	config_get localip "$section" localip
	[ -n "$localip" ] && echo "localip  $localip" >> $CONFIG
	return 0
}

start_pptpd() {
	[ -f $DEFAULT ] && . $DEFAULT
	mkdir -p $RUN_D
	for m in arc4 sha1_generic slhc crc-ccitt ppp_generic ppp_async ppp_mppe; do
		insmod $m >/dev/null 2>&1
	done
	ln -sfn $CHAP_SECRETS /etc/ppp/chap-secrets
	service_start $BIN $OPTIONS -c $CONFIG
}

start() {
	config_load pptpd
	setup_config pptpd || return
	config_foreach setup_login login
	start_pptpd
}

stop() {
	service_stop $BIN
	# remove the generated config and secrets so stale credentials do not survive a restart
	rm -rf $CHAP_SECRETS $CONFIG /etc/ppp/chap-secrets
}

GlobalConnect Pack

This enterprise VoIP and Internet services package includes a Thomson/Technicolor gateway which can be configured (by the technician only) in bridge mode at installation time. In this configuration the connection presents itself untagged on the gateway’s switch port 4.
The Internet service is somewhat unusual in that it requires IP aliasing (this lets the provider save one public IP address per connection). The addressing is static, and the configuration provided is (as an example) along these lines:

  • Local WAN IP:
  • Remote WAN IP:
  • Internet IP:

Both the Local and Remote WAN IP addresses belong to a /30 subnet. Inbound traffic arrives at the interface with the Internet IP address as the destination.
To configure this connection on an OpenWrt device (let’s assume interface eth1), in /etc/config/network we need:

config interface 'wan'
	option ifname 'eth1'
	option proto 'static'
	list ipaddr ''
	list ipaddr ''
	option gateway ''

Now, since the addressing is static, we can do source NAT instead of masquerading. To do so, we configure /etc/config/firewall as follows:

config nat
	option name 'MEO SNAT'
	option device 'eth1'
	option src_dip ''
	option src 'wan'
	option target 'SNAT'


  1. Retrieve the latest list of available packages from the repositories:
opkg update


opkg install luci


opkg install luci-ssl

Installing LuCI with opkg


The basic LuCI web interface is in English, but volunteers are actively translating it into many languages; see http://i18n.luci.subsignal.org/pootle/ to take part. For a list of the available packages, run

opkg list | grep luci-i18n-


opkg install luci-i18n-chinese 

You can also install language packs from the web interface. Several LuCI language packs can be installed at once; switch between them in the web interface or by editing this file →



/etc/init.d/uhttpd start
/etc/init.d/uhttpd enable

You should now be able to connect to the web server and use what LuCI offers.


In particular, it installs the uHTTPd web server, configured for use by LuCI.

  • uhttpd
  • uhttpd-mod-ubus
  • luci-mod-admin-full
  • luci-theme-bootstrap
  • luci-app-firewall
  • luci-proto-core
  • luci-proto-ppp
  • libiwinfo-lua

By default uHTTPd is configured to load the pages under the path via CGI, serving them through the script.

See the article on uHTTPd and the section on its UCI configuration.
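The HTTPS package table earlier on this page and the LuCI installation steps above both end at "install luci-ssl and start uhttpd", without saying what a safe /etc/config/uhttpd looks like afterwards. The linter below is an added example (not part of this page, OpenWrt or LuCI): it reads a uhttpd UCI file and flags the settings that leave the LuCI login exposed: a plain HTTP listener without redirect_https, no HTTPS listener at all, an HTTPS listener with no cert/key configured, and rfc1918_filter switched off. The option names listen_http, listen_https, redirect_https, rfc1918_filter, cert and key are those of OpenWrt's uhttpd config; the two sample configs at the end are constructed for the example, not copied from a device.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt or LuCI projects: a small linter for
# /etc/config/uhttpd that flags the settings that leave the LuCI login exposed.
# Assumptions: the option names listen_http, listen_https, redirect_https,
# rfc1918_filter, cert and key are those of OpenWrt's uhttpd UCI config.

# Print the value of "option NAME" from a UCI file (first match, quotes stripped).
uci_option() {
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$2[[:space:]]\{1,\}'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" "$1" | head -n 1
}

# True when the file carries at least one "list NAME ..." entry.
uci_has_list() {
    grep -q "^[[:space:]]*list[[:space:]]\{1,\}$2[[:space:]]" "$1"
}

# Lint one config file; prints one finding per line and returns the number of findings.
lint_uhttpd() {
    cfg="$1"; findings=0
    if uci_has_list "$cfg" listen_http && [ "$(uci_option "$cfg" redirect_https)" != 1 ]; then
        echo "listen_http without redirect_https '1': the LuCI password can be sent over plaintext HTTP"
        findings=$((findings + 1))
    fi
    if uci_has_list "$cfg" listen_https; then
        for name in cert key; do
            if [ -z "$(uci_option "$cfg" "$name")" ]; then
                echo "listen_https set but option $name is empty: the HTTPS listener has nothing to serve"
                findings=$((findings + 1))
            fi
        done
    else
        echo "no listen_https: install luci-ssl (uhttpd-mod-tls, px5g) and add listen_https entries"
        findings=$((findings + 1))
    fi
    if [ "$(uci_option "$cfg" rfc1918_filter)" != 1 ]; then
        echo "rfc1918_filter is not '1': DNS-rebinding protection for the admin interface is off"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs (not copied from any device) for trying the linter.
weak_uhttpd_config() {
    cat <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	option home '/www'
	option rfc1918_filter '0'
EOF
}

hardened_uhttpd_config() {
    cat <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '1'
	option home '/www'
	option rfc1918_filter '1'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
EOF
}

# Usage on a router: lint_uhttpd /etc/config/uhttpd; echo "findings: $?"
```

Keeping a plain HTTP listener is fine as long as redirect_https is set, because the only thing it then does is bounce the browser to the TLS port; what the linter refuses to pass is a login form reachable over HTTP with no redirect, which is exactly the state a fresh "opkg install luci" leaves behind until luci-ssl is added.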

Extensibility issues

Barely enough Flash to accommodate OpenWrt firmware image

  • 4MB min (won’t be able to install luci web interface) / 8MB better (will fit luci and some other applications)
  • 4MB can work, but are no fun to work with. >4MB will make you happier than 4MB or below.
  • 4MB devices can’t fit anything noteworthy unless you use the Image Generator (Image Builder) (which requires a Linux system and some experience) or use Extroot. Experienced users creating custom builds may be able to save firmware space, but many packages won’t ever fit no matter what you do.
  • If you want to be sure you can install at least a few additional software packages, 8MB (or more) of flash and 64MB (or more) of RAM are the only choice.

Most probably, you will not be able to install the following popular packages (and others) on a device with only 4MB flash:

  • VPNs and any other package requiring encryption
  • Samba (shared folders)
  • 3G/4G dongle support
  • filesystem drivers/tools for formatting and checking a filesystem for Extroot

Protocol «ncm» (USB modems using NCM protocol)

The package plus a modem-specific driver must be installed to use NCM.

Name Type Required Default Description
file path yes (none) NCM device node, typically /dev/cdc-wdm0 or /dev/ttyUSB#
string yes (none) Used APN
number no (none) PIN code to unlock SIM card
string no (none) Username for PAP/CHAP authentication
string no (none) Password for PAP/CHAP authentication
string no (none) Authentication type: pap, chap, both, none
string no (modem default) Network mode to use; not every device supports every mode: preferlte, preferumts, lte, umts, gsm, auto
string no Used IP-stack mode, (for IPv4), (for IPv6) or (for dual-stack) (Designated Driver #46844 and later)
number no Seconds to wait before trying to interact with the modem (some modems require up to 30 s)
Material prepared by Maxim Ivanov