OpenWRT
Contents
Essential packages
Well you just need it
Add user
There are some packages for shadow-accounting
1 opkg list |grep shadow-
Install package
Default group is "users" (GID=100). Add a non-privileged user with its own group and a login shell set.
Logging
You probably don't need a log-file, which fills up your system memory. OpenWRT System Configuration
logread to access logd membuffer
dmesg to access kernel messages
Read and follow logbuffer
1 logread -f
USB storage
If you hava only a very limited amount of space available (like 8MiB on a Archer C7 v1), you can use a extroot with an overlayfs on a usbstick. So you only need to install everything on the limited rom to mount the "next" root filesystem.
Block device support -> USB-storage
Install additional ext4 utilities
1 opkg install e2fsprogs gdisk
Please take a look at
OpenWRT Fstab Configuration
Swap
Mount swap persistently
Extroot
OpenWRT - Extroot configuration
Create a directory for the partition "rootfs_data" (jffs2) (from flash rom)
Mount the new device and sync the current overlay directory
Mount usb drive persistently as overlay (on next boot)
Good luck
reboot
Works 
1 root@openwrt:~# df -h
2 Filesystem Size Used Available Use% Mounted on
3 /dev/root 2.5M 2.5M 0 100% /rom
4 tmpfs 60.8M 76.0K 60.7M 0% /tmp
5 /dev/sda2 3.1G 7.1M 3.0G 0% /overlay
6 overlayfs:/overlay 3.1G 7.1M 3.0G 0% /
7 tmpfs 512.0K 0 512.0K 0% /dev
8 /dev/mtdblock4 3.9M 3.0M 856.0K 78% /mnt/mtdblock4
opkg
System upgrades
These files are kept during sysupgrades! Maintain this file carefully!
/etc/sysupgrade.conf
1 ## This file contains files and directories that should
2 ## be preserved during an upgrade.
3
4 # /etc/example.conf
5 #/etc/openvpn/
6
7 ### docu
8 /etc/user_installed_pkg.list
9 /etc/sysbackup.tar.gz
10
11 ### daemons
12 /etc/samba/
13 /etc/dropbear/
14 /etc/dnsmasq.hosts
15 /etc/collectd.conf
16 /etc/fwknop/
17 /etc/vsftpd/
18 /etc/vsftpd.conf
19 /etc/config/ahcpd
20 /etc/dnsmasq.conf
21 /etc/ppp/
22
23 ### configs
24 /etc/screenrc
25
26 ### login data
27 /etc/group
28 /etc/group-
29 /etc/passwd
30 /etc/passwd-
31 /etc/profile
32 /etc/shadow
33 /etc/shadow-
34 /etc/login.defs
35
36 ### system
37 /etc/config/
38 /etc/crontabs
39 /etc/dropbear/dropbear_rsa_host_key
40 /etc/exports
41 /etc/firewall.user
42 /etc/inittab
43 /etc/lvm/
44 #/etc/opkg
45 /etc/opkg/customfeeds.conf
46 /etc/opkg.conf
47 /etc/rc.local
48 /etc/sysctl.conf
49 /etc/sysctl.d/local.conf
50 /etc/sysupgrade.conf
51
52 ### databases
53 /etc/ethers
54 /etc/hosts
55 /etc/protocols
56 /etc/services
57 /etc/shells
58
59 ### scripts
60 /etc/listlinkedpkg.sh
61 /etc/listuserpackages.sh
62 /etc/opkg_color.sh
63 /sbin/opkg_upgrade
64 /sbin/opkg_remove_partly_installed_packages.sh
Freeing up space
When removing a package always specify the full name of the package! 
Opkg will report no packages to be removed. Try to find the name of the installed package with
1 opkg list |grep package
Autoremove orphaned packages during removal of a "higher-level" package.
1 opkg remove --autoremove package
Remove package and all packages that depend upon it.
1 opkg remove --force-removal-of-dependent-packages package
It happens that you accidentally installed a packages, which pull many dependencies and fill up the space on the device. Then pkg is not even capable to write the state, that a package was installed, to its database. The files reside on disk and use up space, but the package cannot be removed, since it's not installed.
To fix this behavior, i suggest to
- to free up space by forcefully uninstalling another "big" package (like libopenssl1.1). Please make sure you remember to reinstall all the packages, that were uninstalled, later.
opkg remove --force-removal-of-dependent-packages libopenssl1.1}
- and fully install the package that previously failed
opkg install failed-package
- uninstall the now fully installed previously failed-package and its dependencies
opkg remove --autoremove failed-package
- Install the packages you only uninstalled to free up space
opkg install top-level-packages that pulled libopenssl1.1
A quite invasive script that purges the files in a package from disk. Should only by used, if normal removal did not succeed
/sbin/opkg_remove_partly_installed_packages.sh
1 #!/bin/sh
2 # takes one argument/parameter: the name of the package
3 # which didn't install correctly and
4 # should be removed along with its dependencies
5 # example: opkg_remove_partly_installed_packages.sh pulseaudio-daemon
6
7 if [ -z "$1" ]; then
8 echo "Please specify one or more packages".
9 exit 1
10 fi
11
12 opkg update
13
14 #get list of all packages that would be installed along with package x
15 PACKAGES="$(opkg --force-space --noaction install $@ \
16 |grep "http:" \
17 |cut -f 2 -d ' ' \
18 |sed 's/\.$//')"
19
20 echo "Following packages will be destroyed."
21 echo "$PACKAGES"
22
23 read -p"Check and confirm with 'yes': " CONFIR_INPUT
24 if test "$CONFIR_INPUT" = "yes"; then
25 echo "Confirmed. Exterminating packages_"
26 else
27 echo "Not confirmed - aborting."
28 exit 0
29 fi
30
31 for i in $PACKAGES
32 do
33 LIST="$(wget -qO- $i \
34 |tar -Oxz ./data.tar.gz \
35 |tar -tz \
36 |sort -r \
37 |sed 's/^./\/overlay\/upper/')"
38 for f in $LIST; do
39 if [ -f "$f" ]; then
40 echo "Removing file $f"
41 rm -f "$f"
42 fi
43 if [ -d "$f" ];then
44 cat <<-EOF
45 Trying to remove directory '$f'
46 (will only work on empty directories)
47 EOF
48 rmdir "$f"
49 fi
50 done
51 done
52
53 echo "You may need to reboot for the free space to become visible."
This is only a slightly improved version of this script
opkg_upgrade
Speeds up the process
/sbin/opkg_upgrade
1 #!/bin/sh
2
3 PACKAGES="$(opkg list-upgradable|awk '{print $1}')"
4
5 if test "$PACKAGES"; then
6 echo -e "Packages to be upgraded:\n$PACKAGES"
7 read -p"Check and confirm with 'yes': " CONFIR_INPUT
8 if test "$CONFIR_INPUT" = "yes"; then
9 echo "Confirmed performing upgrade"
10 opkg upgrade $PACKAGES
11 else
12 echo "Input invalid - aborting."
13 fi
14 else
15 echo -e "No packages to be upgraded."
16 echo "Nothing to do - exiting ..."
17 fi
Automatic opkg_upgrade
crontab -e
1 0 2 * * * echo yes |/sbin/opkg_upgrade
HTTPs
Install luci https support
1 opkg update
2 opkg install luci-ssl
3 /etc/init.d/uhttpd restart
4 4+0 records in
5 4+0 records out
6 Generating RSA private key, 2048 bit long modulus
7 Generating selfsigned certificate with subject 'C=ZZ,ST=Somewhere,L=Unknown,O=OpenWrtcbba6ded,CN=OpenWrt,' and validity 20210315195149-20230315195149
DNS with dnsmasq
Strict order
DNS servers you specified in LUCI are queried in the opposite order. So if you are using --strict-order specify your backup DNS servers first.
No SRV records
By default the option filterwin2k is activated (1).
man dnsmasq
1 -f, --filterwin2k
2 Later versions of windows make periodic DNS requests
3 which don't get sensible answers from the public DNS
4 and can cause problems by triggering dial-on-demand
5 links. This flag turns on an option to filter such
6 requests. The requests blocked are for records of
7 types SOA and SRV, and type ANY where the requested
8 name has underscores, to catch LDAP requests.
In LUCI this option is toggled with Network -> DHCP and DNS -> Advanced Settings -> "filter useless".
/etc/config/dhcp
Remove the entire option or at least set this to "0"!
After applying the configuration, SRV records will resolve.
Adblock
A must have feature! But libopenssl1.1 takes some some space. If you are limied on disk space, consider installing it on a extroot.
Install adblocker and a tool to download the blocklists (like uclient-fetch, curl, wget, aria2) and TLS support
1 opkg install luci-app-adblock uclient-fetch libustream-openssl
This is a config that worked out to be fast
/etc/config/adblock
1 config adblock 'global'
2 option adb_dns 'dnsmasq'
3 option adb_fetchutil 'uclient-fetch'
4 option adb_trigger 'wan'
5 option adb_debug '0'
6 option adb_whitelist '/etc/adblock/adblock.whitelist'
7 option adb_whitelist_rset '\$1 ~/^([A-Za-z0-9_-]+\.){1,}[A-Za-z]+/{print tolower(\"^\"\$1\"\\\|[.]\"\$1)}'
8 option adb_backup '0'
9 option adb_backupdir '/mnt'
10 option adb_enabled '1'
11
12 config adblock 'extra'
13 option adb_debug '0'
14 option adb_nice '0'
15 option adb_whitelist '/etc/adblock/adblock.whitelist'
16 option adb_maxqueue '16'
17 option adb_forcedns '0'
18 option adb_forcesrt '1'
19
20 ### LIST SPECIFIC CONFIG OMITTED
21
You should not set adb_dnsflush = '1', it gets very slow.
Dynamic DNS
Install the luci app
1 opkg install luci-app-ddns curl
You might have problems with uclient-fetch. error: 8 is triggered when HTTP return code is different from 204 or 200. github libkit/uclient uclient/uclient-fetch.c To resolve this simply install curl…
Wake on LAN
Install the luci app
1 opkg install luci-app-wol
Windows shares
Install the luci app
1 opkg install luci-app-samba
VPN
Wireguard
Install Wireguard
1 opkg install luci-app-wireguard
OpenVPN
Install OpenVPN
1 opkg install luci-app-openvpn
UPnP
Install miniupnpc (client) on your pc
Install luci-app-upnp which depends on miniupnpd
1 opkg install luci-app-upnp
Enable UPNP IGD and NAT-PMP on Router via webif and query status again
1 % upnpc -s
2 upnpc : miniupnpc library test client, version 2.1.
3 (c) 2005-2018 Thomas Bernard.
4 Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
5 for more information.
6 List of UPNP devices found on the network :
7 desc: http://192.168.182.1:5000/rootDesc.xml
8 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
9
10 desc: http://[fd93:56fb:daf7::1]:5000/rootDesc.xml
11 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
12
13 Found valid IGD : http://192.168.179.1:5000/ctl/IPConn
14 Local LAN ip address : fd93:2709:de35:0:fc16:acff:fe54:157e
15 Connection Type : IP_Routed
16 Status : Connected, uptime=451723s, LastConnectionError : ERROR_NONE
17 Time started : Fri Apr 3 08:07:49 2020
18 MaxBitRateDown : 33554432 bps (33.5 Mbps) MaxBitRateUp 4194304 bps (4.1 Mbps)
19 ExternalIPAddress = ww.xx.yy.zz
20 Bytes: Sent: 2283027815 Recv: 2695217145
21 Packets: Sent: 12678549 Recv: 80009359
Get external IP-address via UPNP IGD
1 /usr/bin/external-ip
Trouble Shooting
Wrong Link Speed
I had a problem with link-speed between Docsis-modem in front and a OpenWRT-Router. OpenWRT displayed only 10Base-T (10Mbit/s).
It turns out that (against my expections/assumptions) OpenWRT did not support Auto MDI-X (Wikipedia EN: Medium Dependent Interface).
1 # ethtool eth0
2 Settings for eth0:
3 Supported ports: [ ]
4 Supported link modes: 1000baseT/Full
5 Supported pause frame use: No
6 Supports auto-negotiation: No
7 Supported FEC modes: Not reported
8 Advertised link modes: 1000baseT/Full
9 Advertised pause frame use: No
10 Advertised auto-negotiation: No
11 Advertised FEC modes: Not reported
12 Speed: 1000Mb/s
13 Duplex: Full
14 Port: MII
15 PHYAD: 0
16 Transceiver: external
17 Auto-negotiation: on
18 Current message level: 0x000000ff (255)
19 drv probe link timer ifdown ifup rx_err tx_err
20 Link detected: yes
So all you need to change to achieve the intended Link-Speed is to use
- a cross-over cable or
even simpler a (Amazon:) cross-over adapter, which turns some pins of any RJ-45 plug.
LUCI
Adjust container max-width to make tables readable.
/www/luci-static/bootstrap/cascade.css
Reduce horizontal padding between table cells