reset eth0 to dhcp (dhcpv4 only) client
# remove br-lan
uci delete network.@device[0]
uci set network.lan.device=eth0
uci set network.lan.proto=dhcp
# disable dhcp. also needed in VM/container.
uci set dhcp.lan=dhcp
uci set dhcp.lan.ignore=1
uci set dhcp.lan.dhcpv4=disabled
uci set dhcp.lan.dhcpv6=disabled
uci set dhcp.lan.ra=disabled
uci set dhcp.lan.ndp=disabled
# optional?
uci set dhcp.odhcpd.maindhcp=0
/etc/init.d/odhcpd disable
add wan6 (but wan6 will be in WAN zone, lan is in LAN zone?! that is quite wrong...)
uci set network.wan6=interface
uci set network.wan6.proto=dhcpv6
uci set network.wan6.device=eth0
uci set network.wan6.reqaddress=try
uci set network.wan6.reqprefix=no
optional: enable ipv6 privacy address. (Note: DONT USE ON ROUTER, it breaks openwrt's design. odhcp6c does not support privacy address. and those address will NOT be tracked by netifd!)
cat <<EOF > /etc/sysctl.d/12-ipv6-privacy.conf
net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.eth0.use_tempaddr=2
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.accept_ra=2
net.ipv6.conf.eth0.accept_ra=2
EOF
open port on WAN zone (default is REJECT). you can set WAN zone to lan, wan, wan6 later.
uci add firewall rule
uci set firewall.@rule[-1].name='allow80'
uci add_list firewall.@rule[-1].proto='tcp'
# uci add_list firewall.@rule[-1].src_ip='192.168.0.0/16'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow22'
uci add_list firewall.@rule[-1].proto='tcp'
# uci add_list firewall.@rule[-1].src_ip='192.168.0.0/16'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
switch zone (WARNING may lock out yourself!)
# find zone id (typically is zone[1] and zone[0])
# uci show firewall|grep wan6
# uci show firewall|grep lan
# uci add_list firewall.@zone[1].network=lan
# uci del_list firewall.@zone[0].network=lan
remember to commit
uci commit
wireguard: set route_allowed_ips=1 or defaultroute=1?
# if you use defaultroute=1, you should also retrigger ifup on wan reload
cat <<EOF >/etc/hotplug.d/iface/30-wg
[ "${ACTION}" = "ifup" ] && [ "${INTERFACE}" = "wan" ] && ifup wg
[ "${ACTION}" = "ifup" ] && [ "${INTERFACE}" = "wan6" ] && ifup wg
EOF
/etc/sysupgrade.conf (why you cant protect yourself):
echo /etc/sysupgrade.conf >> /etc/sysupgrade.conf
echo /etc/hotplug.d/iface/ >> /etc/sysupgrade.conf
disable raspberry pi HDMI and LED
tvservice -o || :
echo none | tee /sys/class/leds/led?/trigger
echo 0 | tee /sys/class/leds/led?/brightness
auto install package in rc.local:
while true; do
f=0
opkg list-installed > /dev/shm/installed
# socat screen lsof tcpdump mtr curl nano
for i in nginx-all-module watchcat wireguard-tools; do
grep -q $i /dev/shm/installed && continue
[ -f /tmp/opkg-lists/openwrt_base.sig ] || opkg update
opkg install $i || f=1
done
[ "$f" == "0" ] && rm /dev/shm/installed && break
sleep 60
done
