
choobacker | 1 year ago

OpenWRT is pretty great at offering features and security for consumer devices. Glad to see a release!

I used it for a while, but after I've had it for a few months, and want to improve/diagnose something, I can't easily tell which config I've changed from defaults, and so can't easily diagnose how I might have screwed it up, or predict how changes will impact the rest of the system.

I moved my router to NixOS, where I can now see the ~250 config that covers the custom setup needed for my ISP/LAN.

If asked, I'd still recommend OpenWRT for most techies, since it's easier to get started.


wryun|1 year ago

On most openwrt devices you can compare /rom/etc/config to /etc/config (though this will get you a bunch of automatic changes as well).

choobacker|1 year ago

Tracking config via VCS is great, but the automatic changes are what then makes it tricky to understand what you've actually configured.

RGamma|1 year ago

GP missed this basic fact and then moved to NixOS for a router target? What!?

hagbard_c|1 year ago

On virtual routers there is no content in /rom. What you can easily do is install another copy of the same image on another VM or container and run it through firstboot. Make a backup and compare it with a backup from your running system. Even better is to make a backup just after firstboot, then use the system and compare your current backup with the first one.

Do keep in mind that the OpenWRT backup does not contain information about which extra packages were installed after firstboot. I solved this by adding a cron job which runs opkg list-installed > /etc/opkg_installed.txt and adding that last filepath to /etc/sysupgrade.conf so it gets added to backups.

patrakov|1 year ago

> OpenWRT is pretty great at offering features and security for consumer devices

That's a misconception. Nobody actually cares about security for packages that are not in the default install. For example, the initscript for sstp-client disables certificate validation unconditionally, see https://github.com/openwrt/packages/issues/25212

TheDong|1 year ago

It at least offers more security than the usual alternative on a consumer router of the manufacturer's OS (i.e. something updated once a decade running linux 2.6 with GPL-violating unreleased patches so you can't update it yourself, all written in C by the contractor that bid the lowest).

choobacker|1 year ago

Good job on raising that issue. TIL SSTP.

> Nobody actually cares about security for packages that are not in the default install.

Probably an exaggeration, but it's clear there are some packages that are insecure out-the-box.

xrisk|1 year ago

While this sounds good, you could just dump the contents of /etc into git and it would work about the same.

jillyboel|1 year ago

   cd /etc
   git init
   git add .
   git commit -m 'default config'
   git remote add ...
   git push
   # modify your configs
   git diff HEAD
   git commit -m 'yay i changed stuff and i know what i did'
   git push

stas2k|1 year ago

Why not both? I also use NixOS as the main router/fw/nat, and OpenWRT in bridge mode as dumb APs.

All updates except semi-recent DSA changes were seamless.

choobacker|1 year ago

Me too. My TP Link EAP605 is an AP running OpenWRT. Works well.

1vuio0pswjnm7|1 year ago

choobacker|1 year ago

Size is a limiting factor for some hardware and architecture too.

NixOS works well for x86-64 and aarch64, but not so much armv7l, as so many consumer routers are.

The PC Engines happens to be x86-64 with decent storage expansion, but for sure if you want to target armv7l, NixOS is not a good choice.

p3t3|1 year ago

Are there well maintained nixos based router projects?

choobacker|1 year ago

Not that I'm aware of.

systemd-networkd + kea + corerad is the software I use.

cesarb|1 year ago

To see what was changed, I use the option to download a backup of the configuration, and compare it with an older copy I had downloaded earlier (it's a set of text files, it can be unpacked and compared with recursive diff).
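The backup comparison described in this comment and in hagbard_c's earlier one, together with the package-list cron job from the latter, sketched as an added example that is not any poster's own script. Assumptions: the backups are the `.tar.gz` archives OpenWrt produces, `compare_backups` runs on a workstation with `diff` and `tar` available, the function names are hypothetical, and the 03:00 cron schedule is an arbitrary choice.

```shell
#!/bin/sh
# Added example; every path is a parameter so nothing touches a live system by default.

# Recursive diff of two configuration backups.
# $1 = baseline archive (e.g. taken right after firstboot), $2 = current archive.
# Returns 0 if identical, 1 if they differ, 2 if an archive could not be unpacked.
compare_backups() {
    work=$(mktemp -d) || return 2
    mkdir "$work/baseline" "$work/current"
    tar -xzf "$1" -C "$work/baseline" && tar -xzf "$2" -C "$work/current" || {
        rm -rf "$work"
        return 2
    }
    ret=0
    # cd first so the output shows short paths such as current/etc/config/network;
    # -N reports files that exist on only one side as added or removed.
    (cd "$work" && diff -ruN baseline current) || ret=$?
    rm -rf "$work"
    return "$ret"
}

# Record installed packages nightly and include that record in every backup.
# Intended for the router itself.
# $1 = sysupgrade.conf, $2 = root crontab, $3 = file the package list is written to.
persist_package_list() {
    conf=${1:-/etc/sysupgrade.conf}
    cron=${2:-/etc/crontabs/root}
    list=${3:-/etc/opkg_installed.txt}
    job="0 3 * * * opkg list-installed > $list"
    touch "$conf" "$cron"
    # -x -F: literal whole-line match, so re-running never appends a duplicate.
    grep -qxF "$list" "$conf" || echo "$list" >> "$conf"
    grep -qxF "$job" "$cron" || echo "$job" >> "$cron"
}

# Usage (file names are placeholders):
#   compare_backups backup-firstboot.tar.gz backup-today.tar.gz
#   persist_package_list
```

Because the first archive is taken right after firstboot, the automatic changes mentioned upthread are already in the baseline and only later edits show up in the diff.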

arjvik|1 year ago

What hardware do you use for your router?

Piraty|1 year ago

I use ancient+cheap Netgear SOHO routers (WNDR3700 v1 and v2 from ~2012) which can route 940Mbps on ethernet (with software flow offloading enabled).

For wireless AP I have a Mediatek MT7621 device, they are very well supported and provide proper wifi throughput.

Firefishy|1 year ago

https://protectli.com/ Good quality devices. Real serial consoles to allow recovery when you make a networking configuration mistake ;-)

yjftsjthsd-h|1 year ago

Yeah, it's awkward that the use case where I really want to be able to see (or really, commit) all my configuration like that is the place where I can't fit NixOS :( There was nixwrt, but that got discontinued. Actually it looks like Liminix is a thing now; I'll have to look at that.

choobacker|1 year ago

There's hardware that has the form factor of a router, but is powerful enough to run an ordinary Linux machine. PC Engines, various ARM64 SBCs.