How to create a LAN subnet using OpenWrt
Here at home, the combined modem/router box provided by the ISP is installed on the ground floor and serves as the access point (AP) that provides wireless internet access. I wanted to create a subnet on a different floor that uses a router with wired ethernet ports and more flexible network tools.
Home routers are more capable devices than their shipped firmware would lead you to believe. I replace that firmware with OpenWrt, which is an embedded Linux distribution that converts energy-efficient, network-capable devices into much more useful hackable computers.
GOAL: Create a subnet for my wired devices that connect to an OpenWrt-enabled router that, in turn, connects over wireless to the AP and outward to the internet.
This is how I did it ...
1. Install OpenWrt
1.1 Choose a router: TP-Link Archer C7 AC1750
My Archer C7 (version 5) is an inexpensive (often on sale ~$70CAN) router well-supported by OpenWrt.
Specs:
- 16MB Flash / 128MB RAM
- 5x Gbit ethernet ports
- 3x antennas with WLAN2.4GHz bgn and WLAN5.0GHz nac
- 1x USB 2.0 port
1.2 Download install image
OpenWrt builds different install images for different devices. Consult the Table of Hardware to confirm your router is supported and read the wiki entry for your particular device to identify the correct image.
WARNING: It is easy to brick a device using an incorrect install image.
Archer C7 is an OpenWrt ath79/generic target device. New installs use the "factory firmware" image, which is a *-squashfs-factory.bin file. Latest stable release (as of November 2023) is 23.05.0. Link
1.3 Flash image to router
OpenWrt can be installed on the Archer C7 by simply uploading the new firmware using the router's firmware-upgrade page accessed via a web browser. This page, however, will not accept firmware with long filenames.
Rename openwrt-23.05.0-ath79-generic-tplink_archer-c7-v5-squashfs-factory.bin to factory.bin.
Login page for this router is available at 192.168.0.1. Go to Advanced->System Tools->Firmware Upgrade->Manual Upgrade. Browse to the renamed firmware.bin image and click Upgrade.
When new firmware install is complete, the router reboots.
Link: Factory installation
1.4 Login and set password
NOTE: When using the web interface to modify values, all changes are staged and not saved to the file directly, so remember to save the changes after you have set them.
Navigate to new address 192.168.1.1. There is a notification that root user's password is not set. Login with username root and leave the password field empty.
Go to System->Administration->Router Password and set a new password.
1.5 Optional: SSH Keys
OpenWrt uses Dropbear as its SSH server and its set to auto-start and listen for connections on all interfaces by default.
I keep the auto-start enabled, but navigate to System->Administration->SSH Access and set Interface to lan to listen only to internal connections.
I use SSH keys for access. Go to System->Administration->SSH Keys and copy-paste a *.pub key.
Then, on a BSD/Linux client, modify ~/.ssh/config ...
Host router
Hostname 192.168.1.1
User root
Login to the router ...
$ ssh router
BusyBox v1.36.1 (2023-10-09 21:45:35 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 23.05.0, r23497-6637af95aa
-----------------------------------------------------
root@OpenWrt:~#
1.6 Optional: Static IP leases
Go to Network->DHCP and DNS->Static Leases. Click Add, then include a device's network interface MAC address, the hostname, and the desired IP address. When done click Save & Apply.
All subsequent connections to the local network by the device will see it assigned this IP address.
1.7 Optional: Packages
There is wealth of additional software packages that can be installed beyond the base system. After all, what would a Linux system be without htop?
GUI: Go to System->Software, click Update lists, then select a package to install.
Command line: OpenWrt uses the opkg package manager to install software and deal with dependencies ...
root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install htop
2. Routed Client using MASQUERADE
Resource: Routed Client
When the settings on the ISP modem/router are left unmodified (i.e. it acts solely as the AP), the subnet must be masqueraded to ensure proper routing.
2.1 Enable wireless
Login to router.
Enable the wireless interface and put in station mode ...
root@OpenWrt:~# uci del wireless.@wifi-device[0].disabled
root@OpenWrt:~# uci del wireless.@wifi-iface[0].network
root@OpenWrt:~# uci set wireless.@wifi-iface[0].mode=sta
root@OpenWrt:~# uci commit wireless
Start wireless ...
root@OpenWrt:~# wifi
2.2 AP Details
Gather these details of the AP to be used:
- SSID
- Password
- Channel
- Encryption type
Example used here:
- SSID is
foobox - Password is
c00lbird - Channel is
44 - Encryption is
WPA/WPA2mixed mode
If the SSID and other details of the AP that you want to connect to are unknown, scan to find any networks in range ...
root@OpenWrt:~# iwinfo wlan0 scan
2.3 Change the WAN interface
Edit /etc/config/network and change the WAN interface to ...
config interface 'wan'
option proto 'dhcp'
2.4 Change the wireless network
Edit /etc/config/wireless and change the wifi-iface 'default_radio0' section to point to the WAN interface and add the AP details.
Using the above example settings, it would look like this ...
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'wan'
option mode 'sta'
option ssid 'foobox'
option encryption 'psk2'
option key 'c00lbird'
Change the wifi-device 'radio0' to use the AP (example) channel 44 ...
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '44'
option band '5g'
option htmode 'VHT80'
2.5 Activate
Apply the wireless interface changes and connect to the AP ...
root@OpenWrt:~# ifup wan
root@OpenWrt:~# wifi
NOTE: If the AP subnet uses 192.168.1.0/24 range, then OpenWrt's default LAN IP address must be changed to a different range.
At this point, the OpenWrt router should be connected via wireless to the AP and assigned an IP address, and OpenWrt will handle DHCP for devices connected to the router's ethernet ports.
You can like, share, or comment on this post on Mastodon 💬
» Next: Secure remote access to FreeBSD servers using SSH keys
« Previous: #37. The Galileo Project