How to create a LAN subnet using OpenWrt

Last edited on 2023-11-24 Tagged under  #openwrt   #network   #linux 

Here at home, the combined modem/router box provided by the ISP is installed on the ground floor and serves as the access point (AP) that provides wireless internet access. I wanted to create a subnet on a different floor that uses a router with wired ethernet ports and more flexible network tools.

Home routers are more capable devices than their shipped firmware would lead you to believe. I replace that firmware with OpenWrt, which is an embedded Linux distribution that converts energy-efficient, network-capable devices into much more useful hackable computers.

GOAL: Create a subnet for my wired devices that connect to an OpenWrt-enabled router that, in turn, connects over wireless to the AP and outward to the internet.

This is how I did it ...

1. Install OpenWrt

My Archer C7 (version 5) is an inexpensive (often on sale ~$70CAN) router well-supported by OpenWrt.


  • 16MB Flash / 128MB RAM
  • 5x Gbit ethernet ports
  • 3x antennas with WLAN2.4GHz bgn and WLAN5.0GHz nac
  • 1x USB 2.0 port

1.2 Download install image

OpenWrt builds different install images for different devices. Consult the Table of Hardware to confirm your router is supported and read the wiki entry for your particular device to identify the correct image.

WARNING: It is easy to brick a device using an incorrect install image.

Archer C7 is an OpenWrt ath79/generic target device. New installs use the "factory firmware" image, which is a *-squashfs-factory.bin file. Latest stable release (as of November 2023) is 23.05.0. Link

1.3 Flash image to router

OpenWrt can be installed on the Archer C7 by simply uploading the new firmware using the router's firmware-upgrade page accessed via a web browser. This page, however, will not accept firmware with long filenames.

Rename openwrt-23.05.0-ath79-generic-tplink_archer-c7-v5-squashfs-factory.bin to factory.bin.

Login page for this router is available at Go to Advanced->System Tools->Firmware Upgrade->Manual Upgrade. Browse to the renamed firmware.bin image and click Upgrade.

When new firmware install is complete, the router reboots.

Link: Factory installation

1.4 Login and set password

NOTE: When using the web interface to modify values, all changes are staged and not saved to the file directly, so remember to save the changes after you have set them.

Navigate to new address There is a notification that root user's password is not set. Login with username root and leave the password field empty.

Go to System->Administration->Router Password and set a new password.

1.5 Optional: SSH Keys

OpenWrt uses Dropbear as its SSH server and its set to auto-start and listen for connections on all interfaces by default.

I keep the auto-start enabled, but navigate to System->Administration->SSH Access and set Interface to lan to listen only to internal connections.

I use SSH keys for access. Go to System->Administration->SSH Keys and copy-paste a *.pub key.

Then, on a BSD/Linux client, modify ~/.ssh/config ...

Host router
User root

Login to the router ...

$ ssh router

BusyBox v1.36.1 (2023-10-09 21:45:35 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 OpenWrt 23.05.0, r23497-6637af95aa

1.6 Optional: Static IP leases

Go to Network->DHCP and DNS->Static Leases. Click Add, then include a device's network interface MAC address, the hostname, and the desired IP address. When done click Save & Apply.

All subsequent connections to the local network by the device will see it assigned this IP address.

1.7 Optional: Packages

There is wealth of additional software packages that can be installed beyond the base system. After all, what would a Linux system be without htop?

GUI: Go to System->Software, click Update lists, then select a package to install.

Command line: OpenWrt uses the opkg package manager to install software and deal with dependencies ...

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install htop

2. Routed Client using MASQUERADE

Resource: Routed Client

When the settings on the ISP modem/router are left unmodified (i.e. it acts solely as the AP), the subnet must be masqueraded to ensure proper routing.

2.1 Enable wireless

Login to router.

Enable the wireless interface and put in station mode ...

root@OpenWrt:~# uci del wireless.@wifi-device[0].disabled
root@OpenWrt:~# uci del wireless.@wifi-iface[0].network
root@OpenWrt:~# uci set wireless.@wifi-iface[0].mode=sta
root@OpenWrt:~# uci commit wireless

Start wireless ...

root@OpenWrt:~# wifi

2.2 AP Details

Gather these details of the AP to be used:

  • SSID
  • Password
  • Channel
  • Encryption type

Example used here:

  • SSID is foobox
  • Password is c00lbird
  • Channel is 44
  • Encryption is WPA/WPA2 mixed mode

If the SSID and other details of the AP that you want to connect to are unknown, scan to find any networks in range ...

root@OpenWrt:~# iwinfo wlan0 scan

2.3 Change the WAN interface

Edit /etc/config/network and change the WAN interface to ...

config interface 'wan'
        option proto 'dhcp'

2.4 Change the wireless network

Edit /etc/config/wireless and change the wifi-iface 'default_radio0' section to point to the WAN interface and add the AP details.

Using the above example settings, it would look like this ...

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'wan'
        option mode 'sta'
        option ssid 'foobox'
        option encryption 'psk2'
        option key 'c00lbird'

Change the wifi-device 'radio0' to use the AP (example) channel 44 ...

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '44'
        option band '5g'
        option htmode 'VHT80'

2.5 Activate

Apply the wireless interface changes and connect to the AP ...

root@OpenWrt:~# ifup wan
root@OpenWrt:~# wifi

NOTE: If the AP subnet uses range, then OpenWrt's default LAN IP address must be changed to a different range.

At this point, the OpenWrt router should be connected via wireless to the AP and assigned an IP address, and OpenWrt will handle DHCP for devices connected to the router's ethernet ports.

You can like, share, or comment on this post on Mastodon 💬

Thanks for reading! Read other posts?

» Next: Secure remote access to FreeBSD servers using SSH keys

« Previous: #37. The Galileo Project