OpenWRT is pretty great at offering features and security for consumer devices. Glad to see a release!

I used it for a while, but after I've had it for a few months and want to improve/diagnose something, I can't easily tell which config I've changed from defaults, and so can't easily diagnose how I might have screwed it up, or predict how changes will impact the rest of the system.

I moved my router to NixOS, where I can now see the ~250 config that covers the custom setup needed for my ISP/LAN.

If asked, I'd still recommend OpenWRT for most techies, since it's easier to get started.



On most openwrt devices you can compare /rom/etc/config to /etc/config (though this will get you a bunch of automatic changes as well).


Tracking config via VCS is great, but the automatic changes are what then makes it tricky to understand what you've actually configured.


I had a look more into this. https://www.reddit.com/r/openwrt/comments/114kv0y/weeding_ou... has some people with the problem that I'm trying to avoid.

I see the fresh re-install suggestions probably work but that's tedious and risky.


GP missed this basic fact and then moved to NixOS for a router target? What!?


I use NixOS, btw


Does it run doom? Debian?


Is nixos new arch?


For sure. I feel like the arch joke has played itself out.

I use arch, btw.


As an Arch user I've always been a bit confused by the joke. I have more shit go wrong on my Macbook. Sure, on Arch I might get a bad Nvidia driver update and either have to roll back the driver, kernel, or both[0] but these are at least easily fixable. You can easily determine the problem, fix it, and you've learned how to avoid it or resolve it in 5 minutes if it happens again (thanks Nvidia ;). Other than that, the only breaking things are when I'm fucking around, and well... that seems like my own damn fault lol. But several Macbooks I've had will go to sleep and if I try too fast to wake it up I'll have a black screen that can't be recovered until I reboot. And I could go on about how weird and infuriating some shit is and how I can't even implement a fix myself and I just give up because I don't want to waste time fighting Apple and play that cat and mouse game with no good documentation. I've just come to understand that "just works" means "not as buggy as Winblows".

[0] https://forum.endeavouros.com/t/only-black-screen-after-logi...


AFAIAA the joke comes from Arch's purported superiority (rolling release, close to upstream, bleeding edge, KISS) as compared to "bloated/slow" e.g. Ubuntu. It's kinda old now and existed even before the controversial switch to systemd from SysVinit/rc.conf.


Tbh I thought that it was because people are scared of the terminal; this even somehow includes people who have used Linux for a decade. That, and that basically you're forced to use the terminal for Arch and read the instructions.

So kinda like how people joke about Ikea furniture being difficult to build. I mean... it's not, it's quite intuitive. But even if it wasn't, then it's purely an exercise in ability to read instructions.


Isn't arch just linux for people who can't install gentoo?


Isn't Arch just Gentoo for people who think 90% of the time the provided build instructions are sufficient?


Gentoo is old arch.


He was missing a config to compare to previous versions so it makes sense from that perspective.


Could always add a git repo to track changes to config files if you need the full history.


On virtual routers there is no content in /rom. What you can easily do is install another copy of the same image on another VM or container and run it through firstboot. Make a backup and compare it with a backup from your running system. Even better is to make a backup just after firstboot, then use the system and compare your current backup with the first one.

Do keep in mind that the OpenWRT backup does not contain information about which extra packages were installed after firstboot. I solved this by adding a cron job which runs opkg list-installed > /etc/opkg_installed.txt and adding that last filepath to /etc/sysupgrade.conf so it gets added to backups.
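The two approaches above (comparing a pristine config tree such as /rom/etc/config or a post-firstboot backup against the live /etc/config, and diffing opkg list-installed snapshots) as one added example script; this is not code from the thread or from OpenWRT, and the directory and snapshot paths are parameters filled with constructed sample data so it runs anywhere:

```shell
#!/bin/sh
# Added example, not code from the thread. Reports configuration drift between a
# pristine OpenWRT config tree (/rom/etc/config on squashfs devices, or a backup
# unpacked right after firstboot on ext4/virtual routers) and the live /etc/config,
# and lists packages added since a firstboot "opkg list-installed" snapshot.
# Directories and snapshot files are parameters so it runs on constructed data.

# Print one line per differing UCI file: "changed NAME", "added NAME" or "removed NAME".
config_drift() {
    pristine=$1 live=$2 seen=""
    for f in "$pristine"/* "$live"/*; do
        [ -f "$f" ] || continue
        n=${f##*/}
        case " $seen " in *" $n "*) continue ;; esac   # handle each name once
        seen="$seen $n"
        if   [ ! -f "$live/$n" ];                 then echo "removed $n"
        elif [ ! -f "$pristine/$n" ];             then echo "added $n"
        elif ! cmp -s "$pristine/$n" "$live/$n";  then echo "changed $n"
        fi
    done
}

# Given two "opkg list-installed" snapshots ("name - version" per line),
# print package names present in the current snapshot but not in the baseline.
new_packages() {
    awk 'NR==FNR { base[$1] = 1; next } !($1 in base) { print $1 }' "$1" "$2"
}

# Build a constructed sample tree under a temp dir and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/rom" "$d/etc"
    for c in dhcp firewall network; do
        printf "config %s 'main'\n\toption enabled '1'\n" "$c" > "$d/rom/$c"
        cp "$d/rom/$c" "$d/etc/$c"
    done
    printf "\toption ipaddr '10.0.0.1'\n" >> "$d/etc/network"   # a local edit
    printf "config queue 'eth1'\n" > "$d/etc/sqm"                # file from an added package
    printf 'base-files - 1\nbusybox - 2\n' > "$d/pkgs.firstboot"
    printf 'base-files - 1\nbusybox - 2\nluci-app-sqm - 3\nsqm-scripts - 4\n' > "$d/pkgs.now"
    echo "$d"
}

# Stand-alone run on the constructed tree.
d=$(make_sample_tree)
config_drift "$d/rom" "$d/etc"
new_packages "$d/pkgs.firstboot" "$d/pkgs.now"
rm -rf "$d"
```

On a real device you would call config_drift /rom/etc/config /etc/config (or point it at an unpacked firstboot backup) and new_packages at two saved opkg list-installed snapshots.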


If you have an overlay, you can do something like this to list user-installed packages only:

    ls /overlay/upper/usr/lib/opkg/info/*.list | sed -e 's/.*\///' | sed -e 's/\.list//'


There is no overlay on ext4-based virtual routers.

    # mount|grep ext4
    /dev/mapper/pve-vm--501--disk--0 on / type ext4 (rw,relatime,stripe=512)
The /overlay directory exists just like the /rom one does but they're empty:

    # ls -l /|grep -E 'overlay|rom'
    drwxr-xr-x    2 root     root          1024 Jan 27 23:53 overlay
    drwxr-xr-x    2 root     root          1024 Jan 27 23:53 rom
These are empty directories (there is a note file in /rom with some info for those using squashfs which is not applicable to these installations).


That's not complete, though, is it? Ex. if I follow https://openwrt.org/docs/guide-user/network/wifi/wifiextende... most of the config is covered, but not the parts that disable daemons.


> OpenWRT is pretty great at offering features and security for consumer devices

That's a misconception. Nobody actually cares about security for packages that are not in the default install. For example, the initscript for sstp-client disables certificate validation unconditionally, see https://github.com/openwrt/packages/issues/25212


It at least offers more security than the usual alternative on a consumer router of the manufacturer's OS (i.e. something updated once a decade running linux 2.6 with GPL-violating unreleased patches so you can't update it yourself, all written in C by the contractor that bid the lowest).


If others think this is in jest, there are recent TP-Link routers with 2.6 kernel and Broadcom.


Good job on raising that issue. TIL SSTP.

> Nobody actually cares about security for packages that are not in the default install.

Probably an exaggeration, but it's clear there are some packages that are insecure out of the box.


While this sounds good, you could just dump the contents of /etc into git and it would work about the same.


    cd /etc
    git init
    git add .
    git commit -m 'default config'
    git remote add ...
    git push
    # modify your configs
    git diff HEAD
    git commit -m 'yay i changed stuff and i know what i did'
    git push


Why not both? I also use NixOS as the main router/fw/nat, and OpenWRT in bridge mode as dumb APs.

All updates except semi-recent DSA changes were seamless.


Me too. My TP Link EAP605 is an AP running OpenWRT. Works well.



Size is a limiting factor for some hardware and architecture too.

NixOS works well for x86-64 and aarch64, but not so much armv7l, as so many consumer routers are.

The PC Engines happens to be x86-64 with decent storage expansion, but for sure if you want to target armv7l, NixOS is not a good choice.


Nice to hear PCEngines is still in business.

The website for the US distributor listed on PCEngines website is now selling "BoingFire" products instead of PCEngines.

https://manestate.com


Are there well maintained nixos based router projects?


Not that I'm aware of.

systemd-networkd + kea + corerad is the software I use.


Will have to look at kea and corerad. What hardware do you use for the wireless links? Intel has been very hit or miss in my experience. And the misses suuuck, like after enough hosts connect, you get kernel panic on every new client connection, or all but the one device I needed a separate wlan for are compatible with the host. So, NixOS on a router that doesn’t have to be a wifi ap is extremely nice in my experience.


For wireless I started with the PC Engines miniPCI cards, but moved to a separate AP for wifi6, and because hostapd was not fun.

https://openwrt.org/toh/tp-link/eap615-wall is the device I use as an AP, which runs OpenWRT.


I also have a separate AP with OpenWRT (UniFi with OpenWRT).


Running a router built with systemd-networkd and kea myself, and I quite like both, even though I have not integrated them with each other. Would you be willing to share some details on how you use these components? Especially corerad as I am not familiar with it and wonder on the why+how, considering networkd does NDP. Thanks


systemd-networkd sets up a LAN interface, which Kea then serves DHCP for.

CoreRAD is about the same thing, but for NDP instead of DHCP.

I could have used systemd-networkd for serving DHCP and NDP, but prefer to use separate modular privilege-separated daemons, especially if I get memory safety too.


Just saying, I'd be interested in a blog post if either of you did one.


To see what was changed, I use the option to download a backup of the configuration, and compare it with an older copy I had downloaded earlier (it's a set of text files, it can be unpacked and compared with recursive diff).


What hardware do you use for your router?


I use a https://www.pcengines.ch/apu2.htm with a separate wifi access point.

That's EOL now, so nowadays I'd look to ARM e.g. https://radxa.com/products/network-computer/e52c


I use ancient+cheap netgear SOHO routers (WNDR3700 v1 and v2 from ~2012) which can route 940Mbps on ethernet (with software flow offloading enabled).

For wireless AP I have a Mediatek MT7621 device; they are very well supported and provide proper wifi throughput.


https://protectli.com/ Good quality devices. Real serial consoles to allow recovery when you make a networking configuration mistake ;-)


Same here. Alpine Linux on top of that + Unbound DNS, dnsmasq for DHCP, netfilter, chronyd for time. I've never been able to make them break a sweat.


Curious: how did you set up firewall (nftables?), IPv6 delegation both ULA and public prefix? Happy to read if you have a write-up somewhere.


I disabled IPv6 as my little ISP has not yet figured out how they want to bill for or assign/segment it out for static assignment. I have multiple static IPv4 addresses. I only use static IPs, but that is a requirement specific to me. The firewall is very simple and just forwards packets and uses a simple IPv4 SNAT. The only time I've had it set up more complicated was when a guest was abusing P2P, so I had to block it using string matches on the unencrypted commands.

My setup is honestly simple enough that a write-up would not benefit many. My Unbound setup to block many malicious sites is also fairly well documented by others. The null routing of commonly used DoH servers is straight forward. My Chrony setup would just annoy people as I only use stratum-1 servers and the options would just look like cargo-culting to some.

About the only thing not commonly discussed is the combination of thc_cake and some sysctl options to keep buffer bloat low but OpenWRT has their own take on that topic already.


Yeah, it's awkward that the usecase where I really want to be able to see (or really, commit) all my configuration like that is the place where I can't fit NixOS :( There was nixwrt, but that got discontinued. Actually it looks like Liminix is a thing now; I'll have to look at that.


There's hardware that has the form factor of a router, but is powerful enough to run an ordinary Linux machine. PC Engines, various ARM64 SBCs.
