OpenWRT as client (ver 2022)

reset eth0 to dhcp (dhcpv4 only) client

# remove br-lan
uci delete network.@device[0]
uci set network.lan.device=eth0
uci set network.lan.proto=dhcp

# disable dhcp. also needed in VM/container.
uci set dhcp.lan=dhcp
uci set dhcp.lan.ignore=1
uci set dhcp.lan.dhcpv4=disabled
uci set dhcp.lan.dhcpv6=disabled
uci set dhcp.lan.ra=disabled
uci set dhcp.lan.ndp=disabled
# optional?
uci set dhcp.odhcpd.maindhcp=0
/etc/init.d/odhcpd disable

add wan6 (but wan6 will be in WAN zone, lan is in LAN zone?! that is quite wrong...)

uci set network.wan6=interface
uci set network.wan6.proto=dhcpv6
uci set network.wan6.device=eth0
uci set network.wan6.reqaddress=try
uci set network.wan6.reqprefix=no

optional: enable ipv6 privacy address. (Note: DONT USE ON ROUTER, it breaks openwrt's design. odhcp6c does not support privacy address. and those address will NOT be tracked by netifd!)

cat <<EOF > /etc/sysctl.d/12-ipv6-privacy.conf 
net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.eth0.use_tempaddr=2
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.accept_ra=2
net.ipv6.conf.eth0.accept_ra=2
EOF

open port on WAN zone (default is REJECT). you can set WAN zone to lan, wan, wan6 later.

uci add firewall rule
uci set firewall.@rule[-1].name='allow80'
uci add_list firewall.@rule[-1].proto='tcp'
# uci add_list firewall.@rule[-1].src_ip='192.168.0.0/16'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow22'
uci add_list firewall.@rule[-1].proto='tcp'
# uci add_list firewall.@rule[-1].src_ip='192.168.0.0/16'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'

switch zone (WARNING may lock out yourself!)

# find zone id (typically is zone[1] and zone[0])
# uci show firewall|grep wan6
# uci show firewall|grep lan
# uci add_list firewall.@zone[1].network=lan
# uci del_list firewall.@zone[0].network=lan

remember to commit

uci commit

wireguard: set route_allowed_ips=1 or defaultroute=1?

# if you use defaultroute=1, you should also retrigger ifup on wan reload
cat <<EOF >/etc/hotplug.d/iface/30-wg
[ "${ACTION}" = "ifup" ] && [ "${INTERFACE}" = "wan" ] && ifup wg
[ "${ACTION}" = "ifup" ] && [ "${INTERFACE}" = "wan6" ] && ifup wg
EOF

/etc/sysupgrade.conf (why you cant protect yourself):

echo /etc/sysupgrade.conf >> /etc/sysupgrade.conf
echo /etc/hotplug.d/iface/ >> /etc/sysupgrade.conf

disable raspberry pi HDMI and LED

tvservice -o || :
echo none | tee /sys/class/leds/led?/trigger
echo 0 | tee /sys/class/leds/led?/brightness

auto install package in rc.local:

while true; do
f=0
opkg list-installed > /dev/shm/installed
# socat screen lsof tcpdump mtr curl nano
for i in nginx-all-module watchcat wireguard-tools; do
  grep -q $i /dev/shm/installed && continue
  [ -f /tmp/opkg-lists/openwrt_base.sig ] || opkg update
  opkg install $i || f=1
done
[ "$f" == "0" ] && rm /dev/shm/installed && break
sleep 60
done