Open WRT VM script - instructions for dummies

[TimoDinnesen]

I've used many of the scripts here with great success, however the OpenWRT one does not work for me.

I've tried using it completely default, and also by setting parameters like LAN IP etc. but in none of these cases I was able to get to the user interface.

Like most of the other scripts I was expecting that I would be able to go the IP, and see the user interface, and start setting up the "router". But at this point I simply do not know if the script is not working or if it's just me being incompetent :-D

Can there be added some sort of "getting started"-instructions to the script?

It is a bit of a special case using this on a VM compared to the devices where it is usually installed. For example the default install picks the ip 192.168.1.1, which will probably lead to conflicts for many users who already have their main router on this ip. Perhaps the script needs to be adjusted a bit since this "VM install" is a rather special case?

[gh2023-aesun]

This is how I Allow OpenWrt Router Admin Access

First some background. At one point the script allowed accessing the luci interface via the wan ip address.  The script was changed (see here) to disable this capability due to security concerns.

Below I outline how I allow OpenWrt admin access. I'm not sure if it's the most secure, so use at you own risk. My use-case has the wan interface exposed to a local subnet, not the Internet. I would not use this technique if the wan interface was exposed to the Internet, as it is not secure enough for me.

I know you could access the luci interface and ssh via the lan interface (ip address 192.168.1.1) on the Proxmox vmbr0 network bridge, but for my use-case I find this way easier as it was similar to how I used the original tteck authored script.

Note as copy/paste is not available in the Proxmox VM console, I keep the number of Proxmox VM console commands to a minimum to reduce the amount of typing and then switch to ssh and copy/paste commands en masse.

Once the VM has started, in the Proxmox host > openwrt vm > Console I type ip a and make a note of the router's dhcp assigned ip address for the wan interface which is network interface eth1 (this ip address in referred to as wan-ipaddress below).

In the Proxmox host > openwrt vm > Console I type the following commands to temporarily allow all traffic to the device so I can SSH into the VM (this will make the device very insecure ):

uci set firewall.@zone[1].input='ACCEPT'
uci set firewall.@zone[1].forward='ACCEPT'
uci commit firewall
service firewall restart

On my device, I SSH into the Openwrt VM using wan-ipaddress found above.  ssh root@wan-ipaddress in my case.

I paste the following into the ssh session, to force https

uci set uhttpd.main.redirect_https='1'
uci commit uhttpd
service uhttpd restart

I paste the following into the ssh session, to add a rule to allow my device to access ssh and luci via the wan interface.

uci add firewall rule  
uci set firewall.@rule[-1].name='Allow Luci and SSH Access via WAN'  
uci set firewall.@rule[-1].proto='tcp'  
uci set firewall.@rule[-1].src='wan'  
uci add_list firewall.@rule[-1].src_ip='device-ipaddress'
uci set firewall.@rule[-1].dest_port='22 443'  
uci set firewall.@rule[-1].target='ACCEPT'  
uci commit firewall  
service firewall restart

Notes:

• device-ipaddress is the ip address of my device.
• dest_port 22 allows ssh
• dest_pot 443 allows https access
• I add additional uci add_list firewall.@rule[-1].src_ip= lines to allow more devices to access luci and ssh.

I paste the following into the ssh session, to reverse the settings used earlier that allowed all traffic to the device.

uci set firewall.@zone[1].input='REJECT'
uci set firewall.@zone[1].forward='REJECT'
uci commit firewall
service firewall restart

From my device I can now access:

• luci at https://wan-ipaddress
• ssh via root@wan-ipaddress

I can then proceed to make the router more secure (add password, firewall rules, setup ssh keys, etc.) and setup for my use-case.

I know this is an old post, but I'm posting here hoping it helps someone out.

[TimoDinnesen]

Thanks for your explanation on why is seems "unreachable" when the script has completed.
I tried your approach a few times with no luck though.
After the first set of commands I am still not able to SSH into the system.
Instead I continued with all the commands, but was also not able to reach the gui either.
I am familiar with these types of firewall setups via commands, but as you mention it is a pain in the a## to type them into the Proxmox console. (My keyboard even has a different mapping in that window...)

I might have run into problems because the default IP is 192.168.1.1 which is already in use on my network. I can see that the WAN-part gets another ip, but none of the ip's reply to anything.

Anyways, thanks again for your helpful message. I'll probably just do a normal install if I get around to it.

[gh2023-aesun]

I just setup an new openwrt router yesterday, so while it's fresh in my mind let me try to help.

The first set of commands should open up the router to all traffic, so luci and ssh should be available then, so try these commands again in the Proxmox host > openwrt vm > Console:

uci set firewall.@zone[1].input='ACCEPT'
uci set firewall.@zone[1].forward='ACCEPT'
uci commit firewall
service firewall restart

Then reboot the router for good measure.

You also confirm the changes took place by typing this into in the Proxmox host > openwrt vm > Console:
uci show firewall | grep '@zone\[1\]'

The result should be something like:

firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'

uci set firewall.@zone[1].input='ACCEPT' and uci set firewall.@zone[1].forward='ACCEPT' should be in the result, if not the changes did not stick so repeat the above process.

Get the wan-ipaddress of the router (in the format of x.x.x.x, drop the /24) by typing the following into the Proxmox host > openwrt vm > Console:
ip a show dev eth1

Luci should be available via browser at either http://wan-ipaddress or maybe https://wan-ipaddress, don't type any ports just the wan-ipaddress. If Luci is not available you can also try clearing your browser cache, or use a different browser that hasn't tried to access that address.

Please confirm you can get to Luci, then we can go from there.

[TimoDinnesen]

Thanks again for some even clearer suggestions.
They didn't help directly however, since even after following them the gui was still not reachable.
But they made me realize that I was actually doing everything correctly... something else had to be wrong.

So, I dug some more into it, and ran the script some more times etc. also in advanced mode etc.
I figured out that the problem is that the script builds the VM with the LAN VLAN tag set to 999. (Even if you delete the number in the advanced mode.)
So no matter how OpenWrt is set up, the packages never reach it, because they are filtered even before they reach the VM.
(I don't know why it was not reachable on the WAN, since it is not tagged.. but it is bound to the same bridge (vmbr0) so perhaps Proxmox gets a bit confused about this?)

As soon as I removed the VLAN-tagging in Proxmox, I was able to reach the GUI on BOTH ip's.

So well, to conclude:

1. The default settings leads to a LAN ip 192.168.1.1 that is probably already in use on many users networks.
2. The added security, that removed WAN access to Luci, made it even more difficult for users hit by the above.
3. The default VLAN tagging basically makes the installation unreachable.

So, yes I guess the script could use a "getting started" document. :-D

[gh2023-aesun]

The instructions I outlined use the wan interface to access the vm not the lan interface, so the lan ip address and vlan id should not be a factor. Once you have access to ssh or luci, you can change them to whatever you want. I use the wan interface because I don't have a physical device connected to the Proxmox vmbr0 network, only lxc containers and other vms, so it's easier for me.

You can also change the lan settings by selecting the Advanced option when the script prompts for Use Default Settings?

The only thing I can think of is that the device you are accessing the vm needs to be on the same network subnet to have ssh or luci access (unless you have previously setup the appropriate traffic rules on your network).

Please share the results of executing the following commands:

• uci show firewall | grep '@zone\[1\]' in the Proxmox host > openwrt vm > Console.
• ip a show dev eth1 in the Proxmox host > openwrt vm > Console.
• ping -c 3 wan-ipaddress, in a terminal on the device you are trying to access luci (where wan-ipaddress is the address returned in the command above).
• what happens when you type http://wan-ipaddress in a browser on the device you are trying to access luci?