Download the OpenWrt bin from the Firmware OpenWrt Install URL (I renamed it to a shorter name, not sure if that is needed) and flash it using the firmware update form of the TP-Link web interface.
Since I already have a setup with a Fritz.box I wanted the Fritz.box to provide the network connection and let the TP-Link run as a server in that network. The TP-Link (WAN port) is connected to the Fritz.box (LAN port) via network cable. To access the SSH server on the TP-Link I need to allow SSH access through the firewall.
Webinterface - Network > Firewall > Traffic Rules > Open ports on router > Add
- Name: Allow-SSH-WAN
- Protocol: TCP
- Port: 12345 [SSH port see below]
Webinterface - System > Administration
Port: 12345
Set this to a random port above 10k (this keeps most automated scans of the default port 22 away; it is not a substitute for key-only authentication).
Add a key under SSH-Keys and uncheck both Password authentication and Allow root logins with password.
To still use the web interface I created an entry in ~/.ssh/config
Host tplink-http-tunnel
Hostname tplink
Port 12345
User root
LocalForward 127.0.0.1:8000 127.0.0.1:80
This allows me to connect to the server with ssh tplink-http-tunnel and also access the web interface at http://localhost:8000. I could have also created a firewall rule for the web interface, but since I want this to be exposed to the internet at some point I decided on this more secure option.
The Hostname can be configured in the web interface under System > System. This allows you to use the name instead of an IP address, e.g. ssh root@<router IP address> is the same as ssh root@tplink.
The storage on the router is very limited (8 MB). To use the router as a proper server you need a USB stick or similar, formatted as ext4 (this filesystem works; fat32 for example is not supported), that you plug into the USB port of the router and then use as its hard drive.
I followed the Devices > 8 MiB instructions for the Extroot configuration.
When I was playing around at first I installed some packages that I needed to remove again to make space for the packages needed to set up the external storage.
When I ran block info my ext4 formatted drive was not showing up. I found that the install instructions were missing the package kmod-usb-storage-uas that I needed for my mSATA drive. Here are the packages I installed:
opkg update && opkg install block-mount kmod-fs-ext4 kmod-usb-storage e2fsprogs kmod-usb-ohci kmod-usb-uhci fdisk kmod-usb-storage-uas
The instructions to copy the existing data from /overlay to the new drive were failing, so I just ran
mount /dev/sda1 /mnt
cp -r /overlay/* /mnt/
umount /mnt
The umount took a while but worked eventually.
The Generate fstab > Automatically step of the instructions worked just fine.
I installed the sftp package openssh-sftp-server, though I'm not sure if it's needed.
Then I could connect to the folder with Nautilus (aka GNOME Files) via + Other Locations > Connect to Server
sftp://root@tplink:12345
For the host and port see above.
To run an MQTT broker on the router, install mosquitto together with its client tools:
opkg install mosquitto mosquitto-client libmosquitto
To listen to all topics:
local> ssh tplink
tplink> mosquitto_sub -v -h localhost -t '#'
Sonoff-Tasmota configuration: Configuration > Other Configuration > enable MQTT
Then Configuration > Configure MQTT
- Host: tplink (see above)
- topic: rollo1 (if you have multiple devices set different topics so you can control them separately)
Test the MQTT control
local> ssh tplink
tplink> mosquitto_pub -h localhost -t cmnd/rollo1/POWER2 -m on
The router is connected to a typical German DSL line that changes its IP address every other day. Therefore a method is needed to get access to the server from the outside. One method would be to use a free dynDNS server. I however have a vserver that is running several websites, through which I will connect to the router.
I will use the router to do a remote port forward, which then allows me to access the router through my vserver (I will call this the jump server).
Install the sshtunnel package, which creates a persistent remote SSH connection to your jump server. That means when the router or the jump server restarts, the SSH tunnel is re-established after a short while.
tplink> opkg install sshtunnel
Now configure the SSH tunnel at /etc/config/sshtunnel
config server jumpserver
option user myuser
option hostname jumpserver.org
option port 22
option IdentityFile /root/.ssh/id_rsa.tplink
config tunnelR local_ssh
option server jumpserver
option remoteport 22022
option localaddress 127.0.0.1
option localport 12345
The server part of the config assumes that you can establish an SSH connection to the jump server jumpserver.org from the router using an SSH key file. However there is no tool to create SSH keys on OpenWrt that work with the openssh client installed on it. Just create a key locally and copy it to the router:
local> ssh-keygen
Enter file in which to save the key (/home/myuser/.ssh/id_rsa): /home/myuser/.ssh/id_rsa.tplink
I chose the name id_rsa.tplink for the key file and then uploaded the private and public key to the router. Then I verified that the connection works.
local> ssh tplink
tplink> ssh myuser@jumpserver.org -i /root/.ssh/id_rsa.tplink
jumpserver> # login worked
Now I enabled the SSH tunnel service and started it
tplink> /etc/init.d/sshtunnel enable
tplink> /etc/init.d/sshtunnel start
On the jumpserver I verified that the connection is set up
local> ssh myuser@jumpserver.org
jumpserver> sudo netstat -tulpn|grep 22022
tcp 0 0 127.0.0.1:22022 0.0.0.0:* LISTEN 20543/sshd: myuser
tcp6 0 0 ::1:22022 :::* LISTEN 20543/sshd: myuser
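The two netstat lines above show the important detail: the forwarded port 22022 is bound to 127.0.0.1 and ::1 only, so the router's SSH can be reached solely by someone who already has a login on the jump server. The following check is an added example (not part of the original notes) that parses netstat -tulpn output like the listing above and fails if the port is bound to a non-loopback address; the sample lines and the function name are my own construction.

```shell
# Added example, not part of the original notes. Given netstat -tulpn output from the
# jump server, report whether the reverse-forwarded port listens on loopback only.
# Constructed sample modelled on the listing above (PID and user are made up).
SAMPLE_GOOD='tcp        0      0 127.0.0.1:22022         0.0.0.0:*               LISTEN      20543/sshd: myuser
tcp6       0      0 ::1:22022               :::*                    LISTEN      20543/sshd: myuser'

# Constructed counter-example: the same port bound on all interfaces, which is what
# GatewayPorts yes in the jump server's sshd_config would allow.
SAMPLE_BAD='tcp        0      0 0.0.0.0:22022           0.0.0.0:*               LISTEN      20543/sshd: myuser
tcp6       0      0 :::22022                :::*                    LISTEN      20543/sshd: myuser'

# tunnel_is_loopback_only PORT NETSTAT_OUTPUT
# Exit 0: every LISTEN socket on PORT is 127.0.0.1 or ::1.
# Exit 1: at least one listener on PORT is reachable from outside (it is printed).
# Exit 2: nothing listens on PORT at all, i.e. the tunnel is down.
tunnel_is_loopback_only() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")          # port is the text after the last colon
            if (parts[n] != port) next
            listening = 1
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "::1") {
                print "exposed listener: " addr
                bad = 1
            }
        }
        END {
            if (!listening) exit 2
            if (bad) exit 1
            exit 0
        }'
}
```

Run it as tunnel_is_loopback_only 22022 "$(netstat -tulpn 2>/dev/null)" on the jump server; a non-zero exit means either the tunnel is down or the port is exposed and GatewayPorts in sshd_config deserves a look.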
Now I connected from the jump server to the router. Since I configured the router to only allow logins with key files, I needed to create key files on the server and register them in the router (Webinterface - System > Administration, as discussed above).
jumpserver> ssh-keygen
...
jumpserver> cat ~/.ssh/id_rsa.pub
... # copy to router
jumpserver> ssh root@localhost -p 22022 -i ~/.ssh/id_rsa
tplink> # login worked
To automate the login from my laptop I now created ssh config entries that allow me to login with one command. Edit ~/.ssh/config
Host jumpserver
HostName jumpserver.org
User myuser
IdentityFile ~/.ssh/id_rsa.jumpserver
Host tplink-jumpserver
HostName localhost
Port 22022
User root
ProxyJump jumpserver
LocalForward 127.0.0.1:8000 127.0.0.1:80
IdentityFile ~/.ssh/id_rsa.tplink
Now the SSH shell and the webinterface can be reached with
local> ssh tplink-jumpserver
tplink> # login worked