January 30, 2006

OpenWrt nears prime-time

Author: Joe Barr

OpenWrt, the GPLed Linux distribution for wireless routers, is at RC4 and is nearing the 1.0 release. We looked at RC2 last August, but things have changed since then -- for the better.

The biggest change is probably the addition of webif, the Web-based Admin Console that lets you install and remove packages with a click or two. There are more applications available for OpenWrt almost every day, and RC4 -- based on the official 2.4.30 kernel sources -- now runs on routers from 23 different manufacturers.

Getting started

I've been running a D-Link DI-524 wireless router in my home office for the past couple of years. Unfortunately, it is not one of OpenWrt's supported routers, so in order to test OpenWrt I needed to purchase a router that is supported. I settled on a lightly used Linksys WRT54GS from an online auction site that I got for $44 plus shipping.


I had a backup router available so that no matter how badly I bricked the Linksys, I could still restore my Internet access by swapping it for the D-Link. I mention this because it's not an unusual event. This is not software for the faint of heart. It's close to bleeding edge. You should always leave yourself with an alternate way back to connectivity as you explore OpenWrt. Read the BIG FAT WARNING in the installation documentation before proceeding. That said, I've been using the Linksys with OpenWrt installed full time for almost a month, and I have not bricked it nor lost my connectivity. Yet.

Part of the instructions for installation are router-specific. Keep in mind that I was installing it on a Linksys WRT54GS, and what I did may or may not work for you. Be sure to read the documentation.

White Russian RC4 is available for the WRT54GS in two different versions, depending on the filesystem you prefer: SquashFS or JFFS2. The SquashFS version uses a combination of read-only and writable filesystems. The JFFS2 version has no read-only component. According to the docs, the SquashFS version is more secure, and the JFFS2 version for more experienced users, so I chose SquashFS.

Give me two seconds, please

You can install OpenWrt using the router's existing firmware administration tool, but that's not the recommended procedure. A safer path -- especially on the first install -- is to set a parameter in the router's NVRAM to wait two seconds at power-on time before booting the firmware. This gives you a brief window you can use to install firmware using tftp, whether it's a new version of OpenWrt or a version of the stock firmware that originally came with the router.

Once that parameter is set, you power down the router and start a tftp client running on your PC so that it is constantly trying to connect with the router, then power the router back on. If you've been successful setting the two-second delay, the router will accept the new firmware rather than boot the existing code.

The problem is that in order to reset that parameter on the WRT54GS, you have to crack the router using an old exploit, and the newer versions of the firmware are no longer vulnerable to the exploit. I tried the "ping.asp exploit" described in the OpenWrt online documentation, as well as several variations I found in the OpenWrt forum, but I couldn't get in -- although others using the same version of hardware and firmware apparently did.

Finally, I bit the bullet and simply installed OpenWrt using the Linksys install firmware tool. It worked perfectly. The DMZ light on the front of the router came on and stayed on for a minute while OpenWrt was booting. When it went out, I was connected to the Internet and a basic iptables firewall was in place.

We know telnet is insecure

The OpenWrt documentation explains that the developers know telnet is insecure, but they use it as the default means of access anyway. Their thinking, as explained in the documentation, is: "Telnet is an insecure protocol with no encryption, we try to make a point of this insecurity by not enabling a password. If you're in an environment that requires password protection we suggest setting a password with the passwd command, which will disable the telnet server and enable the Dropbear SSH server."

Here's what the login screen looks like in White Russian:

BusyBox v1.00 (2005.11.23-21:46+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 WHITE RUSSIAN (RC4) -------------------------------
  * 2 oz Vodka   Mix the Vodka and Kahlua together
  * 1 oz Kahlua  over ice, then float the cream or
  * 1/2oz cream  milk on the top.

I expected to have to do OpenWrt configuration, package installation, and so on, at the CLI. Of course you can do it that way if you like -- but you don't have to. A Web administration program called webif is installed by default in White Russian RC4. To access it, just point your browser at the router's IP address.

From the main screen of webif's OpenWrt Admin Console you can go to one of four areas: Info, Status, System, or Network. If you've set a password for OpenWrt -- and you should -- you'll need to use that password with webif, too.

Meet the Admin Console developer

I ran into Felix Fietkau -- the OpenWrt developer who is developing the Admin Console -- on IRC and later asked him by email to fill us in on how he got involved with the project. Here's what he had to say:

I bought my first WRT54G because I had just bought a new laptop with built-in Wi-Fi and I had read that it was a fun thing to hack and that you could run your own software on it. Looking for things to run on it, I played with the idea of creating custom firmware myself. Naturally I didn't want to write everything from scratch, so I checked out the other firmware projects that existed back then. I found that of all the WRT54G-compatible firmware projects, OpenWrt was (and still is) the only project that is not just trying to cram some extra features into the standard firmware or adapt it for a specific usage scenario, but instead created a new, modular system that others like myself could hack and build on. So I started experimenting with it and after publishing some of my hacks, I was given access to the 'experimental' branch (which formed the basis of 'White Russian' and the current development tree 'Kamikaze') and became an active OpenWrt core developer.

We also asked why he wrote the Web interface. He said, "We have had so many people on the Forums and in the IRC channel asking for a Web interface for OpenWrt. In all that time we've had quite a lot of attempts at creating one, but all of them were unsuccessful, mostly because the software was abandoned by its developer, often before it became usable. My main reason for writing the Web interface was that I wanted to see if I could come up with something that fits into the modular software architecture of OpenWrt, looks nice, and is small enough to not create a noticeable flash space loss in the default image."

Finally, we asked if anything would be added to the Admin Console in the future. Fietkau said, "Yes. I plan on adding configuration front ends for at least firewalling/port-forwarding and traffic shaping before we release 1.0. The back ends for both are already finished and will be added to the Subversion repository soon."

From the Networking screen, you can display and set your LAN, WAN, Wireless, and Hosts settings. You can control the IP address for the LAN, netmask, gateway, and DNS servers from the LAN screen. From the WAN page you can tweak your connection type (None, DHCP, Static IP, or PPPoE), external IP address, and subnet mask. The Hosts page allows you to associate the names of hosts with IP addresses and MAC addresses for static IP addresses for DHCP.

But it's the Wireless page that really shows off webif at its best. From that screen you can enable or disable the router's wireless capabilities, set the ESSID, choose the operating mode (Access Point, Bridge, Client, or Ad Hoc), and the type of encryption (WEP, WPA-preshared key, or WPA-RADIUS), if any. You can also add WDS connections. The current version of OpenWrt comes with a default ESSID setting of "bears2973" using channel 6, and includes four default 128-bit WEP keys.

From the System page you can assign a host name for the router and turn the critical two-second boot_wait NVRAM parameter on and off. You can also install and remove software packages and update the lists of available packages from your repositories -- very cool.

This is probably a good time to explain OpenWrt's package management. It's another key in making OpenWrt human-usable.

OpenWrt uses ipkg for package management. It's similar in concept to apt-get, so if you're familiar with the concept of repositories such as those for Debian-based distributions, you'll find ipkg easy to use.

To install a package from the CLI, enter ipkg install package-name and ipkg will fetch it and any prerequisites from the repositories listed in the /etc/ipkg.conf configuration file. To install an available package from the Admin Console, click Install from the list of available packages. Be sure to click "update the package lists" before installing packages, as coders are constantly adding new packages or updating existing ones.

If you don't want to always be adding new repositories to ipkg.conf, and you notice an interesting new package on the OpenWrt Package Tracker, you can download it to your PC. Use scp to copy it to /tmp or /etc on the router, and then use ipkg to install it from that directory. Just remember that anything the package depends upon has to either be available through your current repositories or downloaded as well.

Before I forget, if you've installed the SquashFS version of White Russian, you'll need to rm the ipkg.conf file in /etc, then copy it from /rom/etc/ipkg.conf to /etc/ipkg.conf before you can modify the default list of repositories. That's because -- in a space-saving move -- it is simply a link to the /rom version to begin with.

All in all, the OpenWrt Admin Console (webif) is a nice tool that makes OpenWrt a little more accessible to non-guru users like me. I've heard unofficial chatter on the #openwrt channel on the FreeNode IRC network that iptables management will be included in a future version.

One final tip

There is a lot of good documentation for OpenWrt, but with the frantic level of activity going on in all areas of the project, it goes out of date quickly. Use the most recent posts in the forums or ask on the IRC channel to resolve difficulties not covered by the docs.

Now you have OpenWrt on your router - so what?

Click to enlarge

OK. You're cool. You have Linux running on your router. So what? So a lot more than I ever would have imagined, that's for sure. Putting OpenWrt on your router is like adding the magic sauce that can turn your ordinary router into something special. A lot of different something specials, actually.

If you like, you can do fun-but-pointless things like chat on IRC, using one of several IRC client packages available. But you can do things that matter, too, like run any of a wide range of network and wireless security tools that are available for OpenWrt. The list includes such well-known programs as Snort, Nmap, aircrack, fwmon, OpenSSH, GnuPG, Portsentry, Kismet, Tor, Shorewall, and many more.

Not impressed yet? How about such well-known applications as Samba, SANE, Chillispot, CUPS, DansGuardian, gPhoto2, and Asterisk? Yes, Asterisk. No need to dedicate a PC to have your own personal open source PBX -- just run it on your router. All of these apps are available for OpenWrt today. Not bad for a new distribution of Linux that is still in the RC stage.

My experience with OpenWrt has been nothing but positive. It's fun and it's useful. Given the magic of open source and the level of activity around OpenWrt that I see on IRC, in the forums, and in the repositories, I believe there are a lot more good things to come.

Click Here!