Securing OpenWRT

Enabling HTTPS:

1. Install Required Packages:

opkg update
opkg install luci-lib-px5g px5g-standalone libustream-openssl luci-ssl
opkg install luci

2. Restart the uhttpd server:

/etc/init.d/uhttpd restart

This will generate the certificate:

about to generate keys
Generating RSA private key, 2048 bit long modulus
Generating selfsigned certificate with subject 'C=ZZ;ST=Somewhere;L=Unknown;CN=OpenWrt;' and validity 2016-09-19 19:52:32-2018-09-19 21:59:32
keys generated
  • Optionally remove the key generator:

opkg remove px5g

3. Disable or rebind router listening on plain HTTP:

  • Disable:

uci delete uhttpd.main.listen_http ; uci commit
  • Or rebind all LAN connections to redirect HTTP to HTTPS

  • Restart HTTPD

The router should now be reachable via HTTPS. Done!


Setting up the root password:

LuCI

  1. Navigate to LuCI --> System --> Administration --> Router Password

  2. Enter new password

  3. Click Save & Apply

CLI

Done!


SSH Access:

  1. Do not offer access from the Internet at all

  2. Create a non-privileged user:

  • Add user:

  • Change user password:

  • Create user home:

Add entry:

  • Add user to sudo:

Install sudo:

Modify sudoers file to use sudo with root password prompt:

or

Uncomment the following lines:

This method is more secure because you don't need to protect both root and privileged (sudoer) users to keep the whole system safe.

  • Add SSH Key to new User:

Add Public Key to file

Note: OpenWRT only works with RSA Keys. ed25519 Keys will not work!

  • Modify Port & Authentication

  1. Navigate to System --> Administration

  2. Click on SSH Access

  3. Change Port

  4. Disable Password authentication

  5. Disable Allow root logins with password

  6. Save & Apply

Done!
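
The end state of the HTTPS and SSH Access sections above can be checked from the shell. The script below is an added example, not part of the original page: it assumes the standard UCI option names uhttpd.main.redirect_https and dropbear.@dropbear[0].PasswordAuth / RootPasswordAuth / Port, treats an unset dropbear option as its default, and runs against a constructed sample of `uci show` output.

```shell
#!/bin/sh
# Added example: audit `uci show` output against this page's hardening steps.
# On the router: { uci show uhttpd; uci show dropbear; } | audit_uci

# Print the value of option $2 from `uci show` text $1, quotes stripped.
# Fixed-string match, because keys like "@dropbear[0]" contain regex characters.
uci_value() {
    printf '%s\n' "$1" |
        awk -v k="$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }' |
        tr -d "'"
}

is_on()  { case "$1" in 1|on|yes|true|enabled) return 0 ;; *) return 1 ;; esac; }
is_off() { case "$1" in 0|off|no|false|disabled) return 0 ;; *) return 1 ;; esac; }

# Read `uci show` lines on stdin, print one WEAK line per finding plus a count.
# Returns non-zero when anything is flagged.
audit_uci() {
    cfg=$(cat)
    findings=0
    ssh='dropbear.@dropbear[0]'

    # Step 3 of the HTTPS section: plain HTTP must be removed or redirected.
    if [ -n "$(uci_value "$cfg" uhttpd.main.listen_http)" ] &&
       ! is_on "$(uci_value "$cfg" uhttpd.main.redirect_https)"; then
        echo "WEAK: uhttpd serves LuCI over plain HTTP"; findings=$((findings + 1))
    fi
    # SSH section: an unset option is assumed to mean the dropbear default (on, port 22).
    for opt in PasswordAuth RootPasswordAuth; do
        if ! is_off "$(uci_value "$cfg" "$ssh.$opt")"; then
            echo "WEAK: dropbear $opt is enabled"; findings=$((findings + 1))
        fi
    done
    port=$(uci_value "$cfg" "$ssh.Port")
    if [ "${port:-22}" = 22 ]; then
        echo "WEAK: dropbear still listens on port 22"; findings=$((findings + 1))
    fi
    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample resembling a fresh install (not captured from a device).
SAMPLE_DEFAULT="uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].Port='22'"

printf '%s\n' "$SAMPLE_DEFAULT" | audit_uci || echo "hardening incomplete"
```

A non-zero return from audit_uci means at least one step on this page has not been applied yet.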

Disable IPV6:
