Slightly less Random Ramblings

July 1, 2016

Installing OpenWRT on a Cheap Laptop

Filed under: computing, Firewall, linux, OpenWRT, security — Robert Wicks @ 4:20 pm

I got a deal ($125) on an Acer ES1-111M laptop. This class of laptop is intended to be a Windows-running equivalent to Google’s Chromebook. It came with 8GB of RAM and an embedded 32GB eMMC drive. I gave it to my daughter, until the shoddy trackpad made it too frustrating for her and I got her a newer and better laptop. I upgraded the onboard RAM to 8GB. I’ve run Windows 10 and Ubuntu on it, but I don’t really need another personal laptop. Considering the RAM, the light weight, the low temperature and power usage, along with onboard Gigabit Ethernet and a USB 3.0 port, I figured it might make a decent VPN gateway.

I first set it up as a router, which led to the discovery that the existing router in my house, a Buffalo WZR-HP-G300NH, was holding me back. I had a USB 3.0 Gigabit Ethernet dongle as the second interface for the laptop, and when I set up simple IP Masquerading on Ubuntu and pointed a computer at it, I found that my download speeds jumped from ~70Mb/s to ~170Mb/s. That led me to look for a wife-friendly (i.e., free) way to improve things. My first choice was my favorite firewall software, OpenWRT. There is an x86 version which is developed alongside the embedded device versions I am so accustomed to using. I grabbed the ISO, then discovered the issue I’ve seen with other Linux distributions: it would not see the storage. Eventually, I installed it to a USB key, which was fine. Along the way, I upgraded to the trunk build and discovered that the OpenWRT which was running could now see the (unused) MMC storage. Perhaps it would now work.

Initially, I wrote an image to the eMMC storage and booted, but it froze during the boot process. After a bit of tinkering, I found that if you edit the grub entry so that root=/dev/mmcblk0p2 rather than UUID=-2, it boots correctly. After booting, just mount /dev/mmcblk0p1 on /mnt, then edit /mnt/boot/grub/grub.cfg to change the UUID entry to /dev/mmcblk0p2, and everything works correctly. You will need to install kmod-usb-net-asix-ax88179 to use the USB Ethernet adaptor. From there, it’s a very normal OpenVPN setup.
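The grub.cfg edit above as a script (an added example, not from the original post). It assumes the boot partition is /dev/mmcblk0p1, the root partition is /dev/mmcblk0p2 and the config lives at /mnt/boot/grub/grub.cfg; going slightly beyond the post, it also rewrites a PARTUUID-style root= entry.

```shell
#!/bin/sh
# Added example (not from the original post): apply the grub.cfg workaround
# described above with a script instead of a hand edit.  Assumptions: the
# OpenWRT boot partition is /dev/mmcblk0p1, the root partition is
# /dev/mmcblk0p2, and grub.cfg sits at <mountpoint>/boot/grub/grub.cfg.
# Only the root= kernel argument is touched; nothing else in the file changes.

ROOTDEV="${ROOTDEV:-/dev/mmcblk0p2}"

# patch_grub_root FILE: rewrite "root=UUID=<id>" (and, going slightly beyond
# the post, "root=PARTUUID=<id>") to "root=$ROOTDEV" on every linux line.
# A copy of the untouched file is kept as FILE.orig.
patch_grub_root() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "patch_grub_root: no such file: $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.orig" || return 1
    sed -E "s#root=(PART)?UUID=[^[:space:]]+#root=$ROOTDEV#g" "$cfg.orig" > "$cfg" || return 1
    # Fail loudly if the file contained no UUID-style root= to replace.
    grep -q "root=$ROOTDEV" "$cfg"
}

# patch_boot_partition [MOUNTPOINT]: mount the eMMC boot partition, patch the
# config, and unmount again.  Needs root and the real eMMC, so it only runs
# when the script is invoked as "$0 apply".
patch_boot_partition() {
    mp="${1:-/mnt}"
    mount /dev/mmcblk0p1 "$mp" || return 1
    patch_grub_root "$mp/boot/grub/grub.cfg"
    rc=$?
    umount "$mp"
    return $rc
}

if [ "${1:-}" = "apply" ]; then
    patch_boot_partition /mnt
fi
```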


May 17, 2014

A Chat on Cybersecurity

Filed under: encryption, Firewall, OpenVPN, OpenWRT, security, Truecrypt, Windows — Robert Wicks @ 5:47 pm

I was recently interviewed by Manuel Lora for Liberty.me on the topic of cybersecurity. You can listen to it here.

July 22, 2008

Cheap solid state router using Endian Firewall

Filed under: Firewall, linux — Robert Wicks @ 2:55 am

I wanted to run Endian Firewall on compact flash, something which is apparently not explicitly supported. I had 1.5GB of RAM, and Endian runs in 512 with no problem, so I figured I could use tmpfs for /var and /tmp, helping prevent the card wearing out. I could not get Endian to install to a USB device, but a $12 CF-IDE adapter allowed me to install it on a 2GB flash card with no problem. It will disable swap automatically. You can either pop it out after you install, or you can boot off a Knoppix CD next so that you can make some modifications to your installation. (I could not get Endian to install on a USB-connected CF card, but I imagine I could get it to boot and run once I had installed it over IDE. After you perfect the installation, you can just dd the boot sector and each partition so that you can clone your install to new media.) If you are using the CF card via USB, mount /dev/sdb3 to /mnt to access the root directory (/). Once you mount the / partition for editing, change the etc/fstab file on the CF card to read something like this:

/dev/hdb1 /boot ext3 nodev,nosuid,noatime 1 2
/dev/hdb3 / ext3 noatime 1 1
/dev/hdb4 /varperm ext3 noatime,mand 1 1
none /var tmpfs noatime,mand 0 0
none /tmp tmpfs defaults 0 0
none /home tmpfs defaults 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0

Note that I moved /var to /varperm and /home to /homeperm. You can mkdir those directories under your root partition which has been mounted to /mnt.
Next, edit the etc/rc.d/rc.sysinit file. Locate the line which reads

mount -a

Add three lines immediately below it:

######copy stuff to the tmpfs filesystems
/usr/bin/rsync -a /varperm/ /var/
/usr/bin/rsync -a /homeperm/ /home/

I also added /etc/cron.d/syncflash to /etc/rc.d/rc.halt, right after the “Shutting down” line at the top of the file so that I flush to flash whenever I shut down.

This will get the necessary directories and files on boot from the flash to RAM so that scripts start correctly. That’s all which is actually required! You can (and probably should) add a cron job (under /etc/cron.{minutely|hourly|daily}) to periodically rsync stuff from /var to /varperm to keep historical logs. This is in /etc/cron.d/syncflash on my system:

#!/bin/sh
/usr/bin/rsync -a /var/ /varperm/
/usr/bin/rsync -a /home/ /homeperm/

I’d probably exclude the gzipped stuff, myself, but that depends on the amount of space you have. Since tmpfs allocates half your RAM by default, we effectively have a 750MB combined /tmp and /var filesystem. This is plenty, really. We can even enable the proxy and ntop, so long as we set the limits to something reasonable. I may hack it further to keep longer logs on flash and continually flush tmpfs, but what I have works for now. I think this may be a really good solution for a dedicated router box, maybe using something like a Fit PC. Addendum: Fit PC does not have enough memory for this application. But an old laptop and a PC Card CF reader might do the trick. I also had to change the options from defaults in the /var line to enable mandatory locks. Havp would not start without this setting, which kept squid from working correctly.
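An added example, not the post’s own script: a single syncflash script that covers both the boot-time restore from rc.sysinit and the flush called from cron and rc.halt, with the *.gz exclusion mentioned above and a lock against overlapping runs (both additions beyond the post). It assumes the /varperm, /homeperm, /var and /home layout described above and is invoked as syncflash restore or syncflash flush.

```shell
#!/bin/sh
# Added example (not from the original post): one script for both the
# boot-time restore (flash -> tmpfs, called from rc.sysinit) and the flush
# (tmpfs -> flash, called from cron.d/syncflash and rc.halt) described above.
# Assumed layout: /varperm and /homeperm are on the flash root partition,
# /var and /home are tmpfs.  Beyond the post, the flush skips rotated *.gz
# logs and refuses to overlap with a flush that is still running.

# "persistent:volatile" pairs; override both for testing on scratch dirs.
SYNC_PAIRS="${SYNC_PAIRS:-/varperm:/var /homeperm:/home}"
SYNC_LOCK="${SYNC_LOCK:-/var/lock/syncflash.lock}"   # on tmpfs: gone after reboot

# copy_tree SRC DST [PATTERN]: mirror SRC/ into DST/, skipping names matching
# PATTERN; rsync as in the post, or a tar pipe where rsync is missing (busybox).
copy_tree() {
    src="$1"; dst="$2"; skip="${3:-}"
    [ -d "$src" ] && mkdir -p "$dst" || return 1
    if command -v rsync >/dev/null 2>&1; then
        if [ -n "$skip" ]; then rsync -a --exclude "$skip" "$src/" "$dst/"
        else rsync -a "$src/" "$dst/"; fi
    elif [ -n "$skip" ]; then
        (cd "$src" && tar --exclude "$skip" -cf - .) | (cd "$dst" && tar -xf -)
    else
        (cd "$src" && tar -cf - .) | (cd "$dst" && tar -xf -)
    fi
}

# restore: flash -> RAM.  tmpfs is empty at boot, so this is a plain copy.
restore() {
    for pair in $SYNC_PAIRS; do
        copy_tree "${pair%%:*}" "${pair#*:}" || return 1
    done
}

# flush: RAM -> flash.  mkdir is atomic, so the lock directory stops a slow
# cron flush and the rc.halt flush from writing the card at the same time.
flush() {
    mkdir "$SYNC_LOCK" 2>/dev/null || { echo "syncflash: already running" >&2; return 1; }
    rc=0
    for pair in $SYNC_PAIRS; do
        copy_tree "${pair#*:}" "${pair%%:*}" '*.gz' || rc=1
    done
    rmdir "$SYNC_LOCK"
    return $rc
}

case "${1:-}" in
    restore) restore ;;
    flush)   flush ;;
esac
```

Because the lock directory sits on tmpfs, a lock left behind by a crash or power loss disappears with the next boot instead of blocking every later flush.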
