OpenWRT on GL.iNET GL-AR750/MT300N_V2 with eduroam, openVPN client, and hardware switch

!openwrt-config.md

This shows how to flash OpenWRT to a GL.iNET GL-AR750 or GL-MT300N_V2 and how to set up eduroam, openVPN client, and their hardware switch.

Please read the content for more information.

content.md

OpenWRT configuration

This describes my setup of a GL.iNET GL-AR750 or GL-MT300N_V2 with pure OpenWRT (instead of GL.iNET's modified version), eduroam client (university WiFi), OpenVPN client, hardware toggle (for VPN), ... (I may add functionality to this guide in the future)

The WAN interface is configured as DHCP client by default, so the router can simply be plugged between an existing router and the configuring computer. If the subnets of the two routers are different, both (and the Internet) should be reachable at the same time. Alternatively, the new router can be connected to a second physical interface, if the computer has another one and routes correctly.

Flashing OpenWRT on a GL.iNET GL-AR750 or GL-MT300N_V2

• Download the "Firmware OpenWrt Upgrade" from the table on:
  • GL-AR750: https://openwrt.org/toh/gl.inet/gl-ar750 (http://downloads.openwrt.org/releases/19.07.2/targets/ar71xx/generic/openwrt-19.07.2-ar71xx-generic-gl-ar750-squashfs-sysupgrade.bin)
  • GL-MT300N_V2: https://openwrt.org/toh/gl.inet/gl.inet_gl-mt300n_v2 (http://downloads.openwrt.org/releases/19.07.3/targets/ramips/mt76x8/openwrt-19.07.3-ramips-mt76x8-gl-mt300n-v2-squashfs-sysupgrade.bin)
• Go to http://192.168.8.1/cgi-bin/luci/admin/system/flash (or http://192.168.8.1/cgi-bin/luci/admin/system/flashops if the former 404s), log in as root:root if no password was set, upload the *-sysupgrade.bin as "Flash new firmware image", confirm the checksum, flash and wait.
• [optional] If available before flashing, uncheck "keep settings" or after the reboot, on the same page, do a "Restore" > "Reset to defaults".
• Visit http://192.168.1.1/ (note the changed IP) and set passwords and SSH settings.
• [optional] To access SSHd from WAN, create a port forward (http://192.168.4.1/cgi-bin/luci/admin/network/firewall/forwards) from TCP/WAN/22 to LAN/any/22.
• [optional] Go to http://192.168.1.1/cgi-bin/luci/admin/network/network and change the IPv4 address of the LAN interface back to 192.168.8.1.

Connect OpenWRT as client to eduroam

"eduroam" is a WWPA2-EAP network that allows members of higher education and other institution around the world to use each others WiFi networks with their home credentials. As such, the setup is slightly more complicated than that of other WiFi clients. Especially, the wpad package needs to be upgraded:

• Install the full version of wpad: opkg update; opkg remove wpad-mini; opkg remove wpad-basic; opkg install wpad; reboot (via SSH, but the web UI works as well).
• Click "Scan" on either WiFi interface (but doing this for both seems to create problems with DHCP client) on http://192.168.8.1/cgi-bin/luci/admin/network/wireless, select "Join network" for any "eduroam" connection/AP.
• Select the few possible settings as appropriate, enter anything as password for now, "submit".
• Under "Wireless Security", select WWPA2-EAP as "Encryption", and set everything else according to your institutions eduroam configuration.

OpenWRT as OpenVPN client

• Install openvpn-openssl and luci-app-openvpn, then reboot and reload the web interface.
• To allow LAN devices to use the VPN, add the VPN's interface to the wan zone; with the default configuration, that can be done by running uci add_list firewall.@zone[1].device="tun0"; uci commit firewall; /etc/init.d/firewall restart.
• Get your *.ovpn client config file.
• Under "OVPN configuration file upload", enter an instance_name, select the file, and "Upload".
• OpenVPN client configurations can list DNS servers (as dhcp-option DNS <ip> lines), but OpenWRT 19.07 currently ignores them. If different external DNS servers have to be used with and without the VPN, a fix that applies the listed entries to the internal dnsmasq (which is what will be advised to the DHCP clients) is outlined here, specifically, set VPN_CONFIG_NAME=<instance_name> and run this:

cat << "#EOF" > /etc/openvpn/${VPN_CONFIG_NAME:?}.sh
#!/bin/sh
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//domain/p
" | sort -u > /tmp/resolv.conf.vpn
case "${script_type}" in
    up) uci set dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.vpn ;;
    down) uci set dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto ;;
esac
/etc/init.d/dnsmasq restart
uci commit dhcp # commit to keep DNS and (hopefully committed) openvpn state in sync after restart
#EOF
chmod +x /etc/openvpn/${VPN_CONFIG_NAME:?}.sh
printf '%s' "
script-security 2
up /etc/openvpn/${VPN_CONFIG_NAME:?}.sh
down /etc/openvpn/${VPN_CONFIG_NAME:?}.sh
" >> /etc/openvpn/${VPN_CONFIG_NAME:?}.conf
/etc/init.d/openvpn restart

• Under "OpenVPN instances", set the "Enabled" check mark, and click "Save & Apply".
• Add /etc/openvpn/ as line on http://192.168.8.1/cgi-bin/luci/admin/system/flash to preserve the config when updating the system.
• To enable the VPN from a terminal or script, run uci set openvpn.${VPN_CONFIG_NAME:?}.enabled=1; /etc/init.d/openvpn reload; uci commit openvpn. To disable it, run the same with 0 instead of 1.

GL.iNET (GL-AR750/GL-MT300N_V2) hardware switch

• To enable button support, create the /etc/hotplug.d/button/00-button script below (from https://openwrt.org/docs/guide-user/hardware/hardware.button#using_atheros_00-button_uci):

mkdir -p /etc/hotplug.d/button
cat << "#EOF" > /etc/hotplug.d/button/00-button
##
# Allows to specify button actions via UCI configuration, see:
# <https://openwrt.org/docs/guide-user/hardware/hardware.button#using_atheros_00-button_uci>
##

source /lib/functions.sh

check_button () {
    local button;  config_get button  "${1}" button
    local action;  config_get action  "${1}" action
    local handler; config_get handler "${1}" handler
    local min;     config_get min     "${1}" min
    local max;     config_get max     "${1}" max

    # logger "DEBUG: checking: { button: ${button}, action: ${action}, handler: ${handler}, }"

    [ "${ACTION}" = "${action}" -a "${BUTTON}" = "${button}" -a -n "${handler}" ] && ((
        [ -z "${min}" -o -z "${max}" ]
    ) || (
        [ -n "${min}" -a -n "${max}" ] && [ "${min}" -le "${SEEN}" -a "${max}" -ge "${SEEN}" ]
    )) && {
        # logger "DEBUG: running ${handler}"
        eval ${handler}
    }
}

logger "DEBUG: button ${BUTTON} was ${ACTION} after ${SEEN}s"

config_load system
config_foreach check_button button
#EOF
chmod +x /etc/hotplug.d/button/00-button

• To configure the toggle slider (VPN client on/off in this example), run:

uci add system button # left/off ==> enabled='0'
uci set system.@button[-1].button="BTN_0" # from the "BUTTON" table in the Wiki, or from `cat /sys/kernel/debug/gpio`
uci set system.@button[-1].action="pressed" # also from the Wiki, or just try it, there are just two options: pressed & released
uci set system.@button[-1].handler="uci set openvpn.${VPN_CONFIG_NAME:?}.enabled=0; /etc/init.d/openvpn reload; uci commit openvpn"
uci add system button # right/on ==> enabled='1'
uci set system.@button[-1].button="BTN_0"
uci set system.@button[-1].action="released"
uci set system.@button[-1].handler="uci set openvpn.${VPN_CONFIG_NAME:?}.enabled='1'; /etc/init.d/openvpn reload; uci commit openvpn"
uci commit system

• Add /etc/hotplug.d/button/00-button as line on http://192.168.8.1/cgi-bin/luci/admin/system/flash to preserve the config when updating the system.
• Note that some buttons, like reset or WPS, may have preconfigured functionality (which can be disabled).

Misc

• List explicitly installed or updated packages: ls /overlay/upper/usr/lib/opkg/info/*.list | sed -e 's/.*\///' | sed -e 's/\.list//'
• set the default locale for WiFi hardware: iw reg set DE