   ___   ___  __  _____  _______    ___            __
  / _ | / _ \/ / / /_  |/ __/ _ \  / _ \___  __ __/ /____ ____
 / __ |/ ___/ /_/ / __// _// // / / , _/ _ \/ // / __/ -_) __/
/_/ |_/_/   \____/____/___/\___/ /_/|_|\___/\_,_/\__/\__/_/

I've finally found some time to upgrade my home router.  I'm keeping
some notes here about my configuration, should I need to upgrade it
again in future.

1. INSTALLATION

My router is an APU6B4 by TekLager (teklager.se), running OpenWRT.

It is trivial to access the serial console: connect a USB-Serial cable
and fire up a serial communication program.  I like tio(1).

A Debian "standard" live image, or any other distro for that matter,
can be loaded on a plain USB drive, and booted normally.

    https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/

    console=ttyS0,115200n8

A second USB drive can be loaded with the "combined" image of OpenWRT.
At present, the URL looks like this:

    https://archive.openwrt.org/releases/<release>/targets/x86/64/openwrt-<version>-x86-64-generic-ext4-combined.img.gz

The file(1) command will identify the uncompressed image as "DOS/MBR
boot sector".  It can be copied with a regular dd over /dev/sda (or
whatever the disk name is).

2. INITIAL TWEAKS

2.1. Reduce attack surface: disable web-based configuration

    # service uhttpd stop
    # service uhttpd disable

2.2. Hardening of dropbear configuration

Just edit /etc/config/dropbear and install an SSH key.

    config dropbear
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Port '22'
        option Interface 'lan'

(NOTE: the Interface option is set to 'lan' even if the bridged
interface is actually called 'br-lan').

3. ENABLE WIFI

The wifi is turned off by default.

    https://openwrt.org/docs/guide-user/network/wifi/basic

Actually, the wireless card is not even detected.
I'm running a wle900vx network card, so I have to install a few
dependencies:

    opkg install hostapd ath10k-firmware-qca988x kmod-ath10k

(source: https://teklager.se/en/knowledge-base/openwrt-wifi-configuration-instructions/)

A reboot will be necessary for the kernel to detect the Atheros driver,
then the wireless interface will be listed, for example, in the output
of ifconfig -a.

The wireless is configured in /etc/config/wireless, which can be
auto-generated with the 'wifi config' command, and then edited.
In a nutshell:

    config wifi-device 'radio0'
        option disabled '0'

    config wifi-iface 'default_radio0'
        option ssid 'SET SSID HERE'
        option encryption 'psk2'
        option key 'SET PASSPHRASE HERE'

See also: https://openwrt.org/docs/guide-user/network/wifi/basic

4. ENABLE PORT FORWARDING

FIXME: review this section, update info for OpenWRT 23.05.0

The relevant documentation is here:

    https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat

In short, /etc/config/firewall must be modified with a configuration
section along the following lines:

    config redirect
        option target DNAT
        option src wan
        option dest lan
        option proto tcp
        option src_dport 2222
        option dest_ip 192.168.x.y
        option dest_port 22
        option enabled 1
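
A check for the dropbear hardening of section 2.2, as an added example
that is not part of the original notes.  The function name
audit_dropbear is hypothetical, and the script assumes that a missing
PasswordAuth/RootPasswordAuth option leaves password logins enabled and
that a missing Interface option makes dropbear listen on all interfaces.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumptions: a missing
# PasswordAuth/RootPasswordAuth option leaves password logins enabled, and a
# missing Interface option makes dropbear listen on every interface.

# audit_dropbear FILE: print one finding per line for each "config dropbear"
# section in FILE; exit status 1 if anything was found, 0 otherwise.
audit_dropbear() {
    awk '
    function val(s)    { gsub(/[^A-Za-z0-9_.-]/, "", s); return s }
    function is_off(v) { return tolower(v) ~ /^(0|off|no|false|disabled)$/ }
    function finding(msg) { print "dropbear instance " n ": " msg; bad = 1 }
    function check_section() {
        if (!insec) return
        n++
        if (!is_off(pw))  finding("PasswordAuth is not off")
        if (!is_off(rpw)) finding("RootPasswordAuth is not off")
        if (ifc == "")    finding("no Interface set, listening on all interfaces")
    }
    $1 == "config" {
        check_section()
        insec = (val($2) == "dropbear"); pw = rpw = ifc = ""
        next
    }
    insec && $1 == "option" {
        if ($2 == "PasswordAuth")     pw  = val($3)
        if ($2 == "RootPasswordAuth") rpw = val($3)
        if ($2 == "Interface")        ifc = val($3)
    }
    END { check_section(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the first instance follows section 2.2, the second
# one allows password logins and is not bound to an interface.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
	option Interface 'lan'

config dropbear
	option PasswordAuth 'on'
	option Port '2022'
EOF
audit_dropbear "$sample" || echo "review the findings above"
rm -f "$sample"
```

On the router itself the function would be pointed at
/etc/config/dropbear; no output and exit status 0 means every instance
matches the settings above.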