Securing OpenWRT

Enabling HTTPS:

  1. Install Required Packages:

opkg update
opkg install luci-lib-px5g px5g-standalone libustream-openssl luci-ssl
opkg install luci

  2. Restart the uhttpd server

/etc/init.d/uhttpd restart

This will generate the certificate:

about to generate keys
Generating RSA private key, 2048 bit long modulus
Generating selfsigned certificate with subject 'C=ZZ;ST=Somewhere;L=Unknown;CN=OpenWrt;' and validity 2016-09-19 19:52:32-2018-09-19 21:59:32
keys generated
  • Optionally remove the key generator:

opkg remove px5g

  3. Disable or rebind the listener for plain HTTP:

  • Disable:

uci delete uhttpd.main.listen_http ; uci commit
  • Or bind both listeners to the LAN address only (192.168.70.1 here is the router's LAN address) and redirect HTTP to HTTPS:

uci set uhttpd.main.listen_http=192.168.70.1:80
uci set uhttpd.main.listen_https='192.168.70.1:443'
uci set uhttpd.main.redirect_https='1'
uci commit
  • Restart HTTPD

/etc/init.d/uhttpd restart

LuCI should now be reachable via HTTPS. Done!


Setting up the root password:

LuCI

  1. Navigate to LuCI --> System --> Administration --> Router Password

  2. Enter new password

  3. Click Save & Apply

CLI

passwd

Done!


SSH Access:

  1. Do not offer access from the Internet at all

  2. Create a non-privileged user:

  • Add user:

opkg update
opkg install shadow vim
useradd USERNAME
  • Change user password:

passwd USERNAME
  • Create user home:

mkdir -p /home/USERNAME
chown USERNAME: /home/USERNAME
vim /etc/passwd

Add or adjust the user's entry so that the home directory and shell are set:

USERNAME:x:1000:1000:USERNAME:/home/USERNAME:/bin/ash
  • Add user to sudo:

Install sudo:

opkg install sudo

Modify sudoers file to use sudo with root password prompt:

visudo

or

vim /etc/sudoers

Uncomment the following lines:

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
Defaults targetpw  # Ask for the password of the target user
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

This method is more secure because sudo asks for the root password rather than the caller's own: a compromised unprivileged account does not escalate by itself, so you only need to protect the root password instead of both root and every privileged (sudoer) user.

  • Add SSH Key to new User:

mkdir -p /home/USERNAME/.ssh
touch /home/USERNAME/.ssh/authorized_keys
vim /home/USERNAME/.ssh/authorized_keys

Add Public Key to file

Note: OpenWRT only works with RSA Keys. ed25519 Keys will not work!

  • Modify Port & Authentication

  1. Navigate to System --> Administration

  2. Click on SSH Access

  3. Change Port

  4. Disable Password authentication

  5. Disable Allow root logins with password

  6. Save & Apply

Done!
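A quick way to check that the HTTPS redirect (step 3 of "Enabling HTTPS") and the SSH settings above actually took effect is to audit the uci state rather than trust the LuCI form. The script below is an added example, not part of the original page or of OpenWrt: it reads the output of `uci show uhttpd; uci show dropbear` on stdin and reports each setting still at a weak value. It assumes `lan` is the only interface SSH should listen on, and the two embedded samples are constructed, not taken from a real device.

```shell
#!/bin/sh
# audit_uci: read `uci show uhttpd; uci show dropbear` output on stdin,
# print one line per weak setting, and return the number of findings.
audit_uci() {
    cfg=$(cat)
    n=0
    has() { printf '%s\n' "$cfg" | grep -q -- "$1"; }

    # Plain HTTP still served and not redirected to HTTPS.
    if has '^uhttpd\.main\.listen_http=' && \
       ! has "^uhttpd\.main\.redirect_https='1'"; then
        echo "uhttpd: listen_http set without redirect_https='1'"; n=$((n+1))
    fi
    # Password logins still accepted (dropbear defaults to on when unset).
    if ! has "^dropbear\.@dropbear\[0\]\.PasswordAuth='off'"; then
        echo "dropbear: PasswordAuth is not 'off'"; n=$((n+1))
    fi
    # Root may still log in with a password.
    if ! has "^dropbear\.@dropbear\[0\]\.RootPasswordAuth='off'"; then
        echo "dropbear: RootPasswordAuth is not 'off'"; n=$((n+1))
    fi
    # Still on the default port (an unset Port also means 22).
    if has "\.Port='22'" || ! has "^dropbear\.@dropbear\[0\]\.Port='"; then
        echo "dropbear: Port is 22 or unset"; n=$((n+1))
    fi
    # Not restricted to the LAN interface (assumption: 'lan' is the only
    # interface SSH should be offered on).
    if ! has "^dropbear\.@dropbear\[0\]\.Interface='lan'"; then
        echo "dropbear: Interface is not 'lan'"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample of a default (weak) configuration.
WEAK_SAMPLE="uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'"

# Constructed sample after applying the steps on this page.
HARDENED_SAMPLE="uhttpd.main.listen_http='192.168.70.1:80'
uhttpd.main.listen_https='192.168.70.1:443'
uhttpd.main.redirect_https='1'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].Port='2222'
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].RootPasswordAuth='off'
dropbear.@dropbear[0].Interface='lan'"

printf '%s\n' "$WEAK_SAMPLE" | audit_uci || echo "findings: $?"
```

On a router, run it as `( uci show uhttpd; uci show dropbear ) | sh audit.sh` and treat a non-zero exit status as work left to do.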

Disable IPV6:

uci set 'network.lan.ipv6=off'
uci set 'network.wan.ipv6=off'
uci set 'dhcp.lan.dhcpv6=disabled'
uci commit
/etc/init.d/odhcpd disable
