# Securing OpenWRT

### Enabling HTTPS:

1. Install Required Packages:

```bash
opkg update
opkg install luci-lib-px5g px5g-standalone libustream-openssl luci-ssl
opkg install luci
```

2\. Restart the `uhttpd` server:

```shell
/etc/init.d/uhttpd restart
```

This will generate the certificate:

```shell
about to generate keys
Generating RSA private key, 2048 bit long modulus
Generating selfsigned certificate with subject 'C=ZZ;ST=Somewhere;L=Unknown;CN=OpenWrt;' and validity 2016-09-19 19:52:32-2018-09-19 21:59:32
keys generated
```

* Optionally remove the key generator:

```shell
opkg remove px5g
```

3\. Disable the plain `HTTP` listener, or rebind it so that it redirects to `HTTPS`:

* Disable:

```shell
uci delete uhttpd.main.listen_http ; uci commit
```

* Or bind both listeners to the `LAN` address only and redirect `HTTP` to `HTTPS`:

```shell
uci set uhttpd.main.listen_http=192.168.70.1:80
uci set uhttpd.main.listen_https='192.168.70.1:443'
uci set uhttpd.main.redirect_https='1'
uci commit
```

* Restart `uhttpd`:

```shell
/etc/init.d/uhttpd restart
```

LuCI should now be reachable via HTTPS. Done!

***

### Setting up the root password:

**LuCI**

1. Navigate to `LuCI` --> `System` --> `Administration` --> `Router Password`
2. Enter new password
3. Click `Save & Apply`

**CLI**

```shell
passwd
```

Done!

***

### SSH Access:

1. **Do not offer access from the Internet at all**
2. Create a non-privileged user:

* Add user:

```shell
opkg update
opkg install shadow vim
useradd USERNAME
```

* Change user `password`:

```bash
passwd USERNAME
```

* Create user `home`:

```bash
mkdir -p /home/USERNAME
chown USERNAME: /home/USERNAME
vim /etc/passwd
```

Add (or adjust) the entry for the user:

```bash
USERNAME:x:1000:1000:USERNAME:/home/USERNAME:/bin/ash
```

* Add user to `sudo`:

Install sudo:

```bash
opkg install sudo
```

Modify the `sudoers` file so that `sudo` prompts for the `root` password:

```bash
visudo
```

or

```bash
vim /etc/sudoers
```

Uncomment the following lines:

```
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
Defaults targetpw  # Ask for the password of the target user
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
```

**This method is more secure because `sudo` asks for the `root` password rather than the caller's own: only the `root` password has to be protected, instead of both `root` and every privileged (sudoer) account, to keep the whole system safe.**

* Add `SSH` Key to new `User`:

```bash
mkdir -p /home/USERNAME/.ssh
touch /home/USERNAME/.ssh/authorized_keys
vim /home/USERNAME/.ssh/authorized_keys
```

**Add Public Key to file**

{% hint style="info" %}
**Note:** `OpenWRT` only works with `RSA` Keys. `ed25519` Keys will not work!
{% endhint %}

* Modify Port & Authentication

1. Navigate to `System` --> `Administration`
2. Click on `SSH Access`
3. Change `Port`
4. Disable `Password authentication`
5. Disable `Allow root logins with password`
6. `Save & Apply`

Done!
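The HTTPS and SSH sections above both end in `uci` settings that are easy to get subtly wrong (an HTTP listener left on `0.0.0.0`, `redirect_https` still `0`, password authentication still on). The script below is an added audit helper, not part of this page or of OpenWrt: it parses the text that `uci show uhttpd` and `uci show dropbear` print and reports whether the configuration matches the steps described. The sample configurations inside it are constructed for the demo (the `192.168.70.1` addresses come from the page; port `2222` is an assumed example value), and the `Interface='lan'` check is an assumed way of enforcing the section's first rule, "do not offer access from the Internet".

```shell
#!/bin/sh
# Added audit helper (not part of the page or of OpenWrt): checks that the
# uhttpd and dropbear settings match the hardening steps described above.
# Input is the text printed by `uci show uhttpd` / `uci show dropbear`.
# All sample configurations below are constructed for the demo.

# uci_get CONFIG_TEXT KEY: print KEY's value(s) with the quotes removed,
# e.g. "0.0.0.0:80 [::]:80"; prints nothing if KEY is absent.
uci_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" -v q="'" \
        '$1 == key { sub(/^[^=]*=/, ""); gsub(q, ""); print; exit }'
}

# is_off VALUE: true for the spellings uci accepts as "disabled"
is_off() {
    case "$1" in off|0|no|false) return 0 ;; *) return 1 ;; esac
}

# check_uhttpd CONFIG_TEXT: exit 0 when the web UI is HTTPS-only, or keeps a
# non-wildcard HTTP listener that redirects to HTTPS (the two options above).
check_uhttpd() {
    fail=0
    https=$(uci_get "$1" uhttpd.main.listen_https)
    http=$(uci_get "$1" uhttpd.main.listen_http)
    redirect=$(uci_get "$1" uhttpd.main.redirect_https)
    if [ -z "$https" ]; then
        echo "FAIL: no HTTPS listener (uhttpd.main.listen_https unset)"; fail=1
    fi
    if [ -n "$http" ]; then
        case "$http" in
            *0.0.0.0*|*"[::]"*)
                echo "FAIL: plain HTTP bound to every interface: $http"; fail=1 ;;
        esac
        if [ "$redirect" != "1" ]; then
            echo "FAIL: HTTP listener kept but redirect_https is not 1"; fail=1
        fi
    fi
    [ "$fail" -eq 0 ] && echo "OK: uhttpd is HTTPS-only or redirects HTTP to HTTPS"
    return "$fail"
}

# check_dropbear CONFIG_TEXT: exit 0 when SSH is off port 22, bound to the
# LAN interface only, and refuses password logins (root included).
# Unset keys fall back to the OpenWrt defaults (port 22, password auth on).
check_dropbear() {
    fail=0
    s='dropbear.@dropbear[0]'
    port=$(uci_get "$1" "$s.Port")
    pw=$(uci_get "$1" "$s.PasswordAuth")
    rootpw=$(uci_get "$1" "$s.RootPasswordAuth")
    iface=$(uci_get "$1" "$s.Interface")
    if [ "${port:-22}" = "22" ]; then
        echo "FAIL: dropbear still listens on port 22"; fail=1
    fi
    if ! is_off "${pw:-on}"; then
        echo "FAIL: PasswordAuth is enabled (key-only login expected)"; fail=1
    fi
    if ! is_off "${rootpw:-on}"; then
        echo "FAIL: RootPasswordAuth is enabled"; fail=1
    fi
    if [ "$iface" != "lan" ]; then
        echo "FAIL: Interface is not 'lan' (dropbear not limited to the LAN)"; fail=1
    fi
    [ "$fail" -eq 0 ] && echo "OK: dropbear is LAN-only, key-only, off port 22"
    return "$fail"
}

# Constructed samples: stock-like settings versus the page's hardened ones.
DEFAULT_UHTTPD="uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.redirect_https='0'"
HARDENED_UHTTPD="uhttpd.main=uhttpd
uhttpd.main.listen_http='192.168.70.1:80'
uhttpd.main.listen_https='192.168.70.1:443'
uhttpd.main.redirect_https='1'"
HTTPS_ONLY_UHTTPD="uhttpd.main=uhttpd
uhttpd.main.listen_https='192.168.70.1:443'"
DEFAULT_DROPBEAR="dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].Port='22'"
HARDENED_DROPBEAR="dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].RootPasswordAuth='off'
dropbear.@dropbear[0].Port='2222'
dropbear.@dropbear[0].Interface='lan'"

# Demo on the samples; a failing check must not abort the demo run.
echo "--- default uhttpd ---";    check_uhttpd   "$DEFAULT_UHTTPD"    || true
echo "--- hardened uhttpd ---";   check_uhttpd   "$HARDENED_UHTTPD"   || true
echo "--- default dropbear ---";  check_dropbear "$DEFAULT_DROPBEAR"  || true
echo "--- hardened dropbear ---"; check_dropbear "$HARDENED_DROPBEAR" || true
```

On the router itself the same functions run against the live configuration with `check_uhttpd "$(uci show uhttpd)" && check_dropbear "$(uci show dropbear)"`; a non-zero exit status means at least one of the steps above has not been applied.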

### Disable IPv6:

```bash
uci set 'network.lan.ipv6=off'
uci set 'network.wan.ipv6=off'
uci set 'dhcp.lan.dhcpv6=disabled'
uci commit
/etc/init.d/odhcpd disable
```
