Skip to content

Instantly share code, notes, and snippets.

Last active March 14, 2024 08:56
Show Gist options
  • Save HackingGate/b75ac856397075756ea878380c5b848c to your computer and use it in GitHub Desktop.
Save HackingGate/b75ac856397075756ea878380c5b848c to your computer and use it in GitHub Desktop.
upgrade ipk on OpenWrt
# Download imagebuilder for R7800.
aria2c -c -x4 -s4${VERSION}/targets/ipq806x/generic/openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz
# Extract & remove used file & cd to the directory
tar -xvf openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz
rm openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz
cd openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64/
# Use https when making image
sed -i 's/http:/https:/g' repositories.conf
# Make all kernel modules built-in
sed -i -e "s/=m/=y/g" build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x_generic/linux-*/.config
# Run the final build configuration
make image PROFILE=netgear_r7800 \
PACKAGES="ca-bundle ca-certificates libustream-openssl -ppp -ppp-mod-pppoe \
uhttpd uhttpd-mod-ubus libiwinfo-lua luci-base luci-app-firewall luci-mod-admin-full luci-theme-bootstrap \
-wpad-mini -wpad-basic wpad-openssl usbutils block-mount e2fsprogs samba4-server luci-app-samba4 \
aria2 luci-app-aria2 ariang stubby curl wget tcpdump kmod-fs-ext4 kmod-usb-storage kmod-usb-storage-uas"
# list result
ls $PWD/bin/targets/ipq806x/generic
# To use opkg via https
opkg update
opkg install ca-bundle ca-certificates libustream-openssl curl wget
sed -i 's/http:/https:/g' /etc/opkg/distfeeds.conf
# DoH with Dnsmasq and https-dns-proxy
opkg install https-dns-proxy luci-app-https-dns-proxy
chmod +x
chmod +x
# Capturing packets
opkg install tcpdump
# Deploy WPA3 Wi-Fi
opkg remove wpad-mini wpad-basic
opkg install wpad-openssl
/etc/init.d/network restart
# Using storage devices
opkg update
opkg install kmod-usb-storage
opkg install kmod-usb-storage-uas
opkg install usbutils
lsusb -t
opkg install block-mount
block info | grep "/dev/sd"
lsusb -t
opkg install e2fsprogs
opkg install kmod-fs-ext4
block detect | uci import fstab
uci set fstab.@mount[-1].enabled='1'
uci set fstab.@global[0].check_fs='1'
uci commit fstab
uci show fstab
service fstab boot
# SMB Samba4
opkg install samba4-server
opkg install luci-app-samba4
# Aira2 and ariang
opkg install aria2
opkg install luci-app-aria2
opkg install ariang
set -e
# Force HTTPS
sed -i 's/http:/https:/g' /etc/opkg/distfeeds.conf
# Update packages
opkg update
for ipk in $(opkg list-upgradable | awk '$1!~/^base-files|^kmod|^Multiple/{print $1}'); do
opkg upgrade $ipk
# Download bt trackers
TRACKERS=`curl -s \
| tr '\n' ' ' \
| sed 's/ *$//'`
echo "Updating /etc/config/aria2 bt_tracker"
# Delete config
sed -i "/list bt_tracker/d" /etc/config/aria2
# Append config
echo -e "\tlist bt_tracker '$TRACKERS'" | tee -a /etc/config/aria2
# Download
wget -O /root/tftp/
set -e
OPENWRT_TAG=`git ls-remote git:// | grep -E -o 'v[0-9]+\.[0-9]+\.[0-9]+' | tail -1`
OPENWRT_VERSION=`echo ${OPENWRT_TAG} | grep -E -o '[0-9]+\.[0-9]+\.[0-9]+'`
rm -f *.manifest manifest.diff
# Use sed remove vlmcsd
opkg list-installed | sed '/vlmcsd/d' | tee list-installed.manifest
diff openwrt-${OPENWRT_VERSION}-ipq806x-generic-device-netgear-r7800.manifest list-installed.manifest | tee manifest.diff
FILE1_LINES=`cat manifest.diff | grep '<' | wc -l`
FILE2_LINES=`cat manifest.diff | grep '>' | wc -l`
# n1 -ge n2 True if the integer n1 is algebraically greater than or equal to the integer n2.
# n1 -gt n2 True if the integer n1 is algebraically greater than the integer n2.
if [ ${FILE1_LINES} -ge 0 ] && [ ${FILE1_LINES} -eq ${FILE2_LINES} ]
echo "Upgrading to ${OPENWRT_TAG}"
rm -f openwrt-${OPENWRT_TAG}-ipq806x-generic-netgear_r7800-squashfs-sysupgrade.bin
# -o attempt to preserve all changed files in /, except those
# from packages but including changed confs.
sysupgrade -o openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear_r7800-squashfs-sysupgrade.bin
Copy link

HackingGate commented Apr 4, 2021

MWAN3 with domain support


opkg info mwan3

When you install mwan3, ipset is also installed.

/etc/dnsmasq.conf example:


Follow this article.
OpenWRT conditional hostname routing using MWAN3 and ipset

opkg remove dnsmasq
opkg install dnsmasq-full

Download the script

cd /etc/init.d/


vim autoipset


chmod +x autoipset
/etc/init.d/autoipset enable
/etc/init.d/autoipset start
/etc/init.d/dnsmasq restart
/etc/init.d/mwan3 restart

My configuration

  • Cygames returns 503 to my IPv4 address and Cygames is not available in IPv6
  • Engadget JP says my IPv6 (JP node / US address) from is in EU and don't let me access so I have to force it to use IPv4


  • cygames (IPv4 only)
  • engadget_jp (IPv6 only)
ipset -N cygames hash:ip
ipset -N engadget_jp hash:ip family inet6


  • and all subdomains
# Unblock Cygames

# Unblock Engadget JP


config rule 'cygames'
	option proto 'all'
	option sticky '1'
	option timeout '60'
	option ipset 'cygames'
	option use_policy 'wanb_wan'

config rule 'engadget_jp'
	option proto 'all'
	option sticky '1'
	option timeout '60'
	option ipset 'engadget_jp'
	option use_policy 'wan_wanb'

Copy link

Monitor multi wan usage

Add 'eth0.2 eth0.3' on LuCI:

Or edit /etc/config/luci_statistics:

config statistics 'collectd_interface'
        option enable '1'            
        option IgnoreSelected '0'
        option Interfaces 'br-lan eth0.2 eth0.3'

Copy link

Ad blocking

opkg install adblock luci-app-adblock

Copy link

HackingGate commented Apr 6, 2021

IPv6 tunnel


  • Obtain IPv6 for IPv4 only network


  • IPv4


I'm using a free PPPoE access point on NTT East FLET'S HIKARI provided by SoftEther.
I don't have a useable IPv6 connection.
I don't have a public IPv4 address. My internal IPv4 address and DNS is in
Looks like I'm connecting with CGN (Carrier Grade NAT).



Get a free IPv6 tunnel on by clicking Create Regular Tunnel.

If you already have one. It will show on the homepage:

opkg install 6in4
config interface 'henet'
	option proto '6in4'
	option tunlink   'wan'
	option peeraddr '' # Server IPv4 Address
	option ip6addr '' # Copy Client IPv6 Address
	option tunnelid ''
	option username ''
	list ip6prefix ''
	option password ''  # Update Key in Advanced tab

Dynamic IPv6-in-IPv4 Tunnel ( only) - OpenWrt Document

Copy link

HackingGate commented Apr 8, 2021

Setup WireGuard server

WireGuard server

Last modified: 2021/04/04 14:23 by vgaetera

The document is missing LuCI app, client psk, key and pub. The fixed command here:

  1. Preparation
# Install packages
opkg update
opkg install luci-proto-wireguard

# Configuration parameters
  1. Key management
# Generate keys
umask go=
wg genkey | tee wgserver.key | wg pubkey >
wg genpsk > wgclient.psk
wg genkey | tee wgclient.key | wg pubkey >

# Server private key
WG_KEY="$(cat wgserver.key)"

# Pre-shared key
WG_PSK="$(cat wgclient.psk)"

# Client public key

Follow the rest of the document.

Setup WireGuard client

This will allow you access home resources from anywhere in the world.

I don't have public IPv4 address. I have public IPv6 addresses from So my Endpoint is IPv6 only.

Replace wgclient.key,, wgclient.psk, OpenWrt_LAN_Interface_Private_IPv6_Subnet, OpenWrt_Public_IPv6_Address with actual value.
DNS is optional.

PrivateKey = wgclient.key
Address =, fdf1:e8a1:8d3f:9::2/128
DNS =, fdf1:e8a1:8d3f:9::1

PublicKey =
PresharedKey = wgclient.psk
AllowedIPs =, fdf1:e8a1:8d3f:9::/64, OpenWrt_LAN_Interface_Private_IPv6_Subnet
Endpoint = [OpenWrt_Public_IPv6_Address]:51820

Restart WireGuard server

/etc/init.d/network restart

Route all connections to VPN

(client side settings only)

You can change AllowedIPs to, ::/0. It will route all IP connection (OSI layer 3) (except some private addresses like default gateway) to WireGuard VPN.

To show routing table on macOS:

netstat -rn is the default gateway and it goes through en0 which is the default Wi-Fi interface on macOS. will be my friend's home router's authentication page.

Route to WireGuard VPN. (utun2 is my WireGuard's interface, run ifconfig to see yours.)

sudo route change -interface utun2 will be my router so I can maintenance my home network remotely.

And Internet will down.
To reset it turn off/on Wi-Fi and re-enable WireGuard.

Copy link

R7800 Debricking

[OpenWrt Wiki] Netgear R7800 (Nighthawk X4S AC2600) Debricking

On macOS the tftp command is a little different.


# Enable TFTP server
sudo launchctl unload -w /System/Library/LaunchDaemons/tftp.plist
# Check if TFTP server running
sudo lsof -i:69 

More about launchctl:


$ tftp
tftp> connect
tftp> mode binary
tftp> put openwrt-21.02.0-rc3-ipq806x-generic-netgear_r7800-squashfs-factory.img

Copy link

DoH with Dnsmasq and https-dns-proxy

opkg install https-dns-proxy luci-app-https-dns-proxy

Copy link

HackingGate commented Jul 7, 2021

PS4 Remote Play

Common Ways To Remote Play While Away Home

  1. The official PS Remote Play app away home play feature
    I'm currently using v6プラス(based on MAP-E) option from my ISP. I have public IPv4/v6 addresses but I have only SOME IPv4 ports available. I failed to connect my PS4.

  2. The official PS Remote Play app in-home play feature with a home VPN server
    This method works on OSI-layer 2 VPN but not on layer 3.
    WireGuard is layer 3. And I have no plan to start a OpenVPN TAP mode (layer 2) VPN.

The solution (the third way to remote play)

Prepare a layer 3 home VPN server.

Use Chiaki instead of official PS Remote Play. (I learned here)

Seems Chiaki don't wake PS4 on LAN. So I installed ps4-waker on my home Raspberry Pi.

Just follow the link and setup it.

The result

  1. Set PS4 to Rest Mode before leave home. (Don't Power Off)
  2. SSH into home Raspberry Pi.
  3. Run ps4-waker command will wake up PS4.
  4. Connect to home VPN (layer 3).
  5. Open Chiaki any enjoy it.

Copy link

HackingGate commented Aug 4, 2021

Block Country IPs

Tutorial for how to boycott CN IPv4 on OpenWrt.
Script from here
CIDR IP list from my project

OpenWrt Setup


opkg install ipset curl
mv /etc/firewall.user

Create /etc/ip-blacklist.conf


Edit /etc/firewall.user

I don't have pppoe-wan and the blocklist don't work.
I replaced IN_OPT="-i $wan_iface" with IN_OPT="" and it works now. (kravietz/blacklist-scripts#6)


# Manual run
sh /etc/firewall.user
# Daily update
echo "01 01 * * * sh /etc/firewall.user" >>/etc/crontabs/root

Check & Test

ipset list -name

Two new sets are added


View blocked CN IPv4 entries

ipset list country-ip-blocks.hac

Here's how to use manual-blacklist.

ipset add manual-blacklist
ipset list manual-blacklist
ipset del manual-blacklist

Block Multi Lists

Example of /etc/ip-blacklist.conf

# Emerging Threats lists offensive IPs such as botnet command servers

# collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders


All set will name country-ip-blocks.hac and override.

To fix it. Edit /etc/firewall.user. Insert script between the two lines. L116

# download the blocklist                                                                                            
set_name=$(echo "$url" | awk -F/ '{print substr($3,0,21);}') # set name is derived from source URL hostname         
curl -L -v -s ${COMPRESS_OPT} -k "$url" >"${unsorted_blocklist}" 2>"${headers}"     

Will be

# download the blocklist                                                                                            
set_name=$(echo "$url" | awk -F/ '{print substr($3,0,21);}') # set name is derived from source URL hostname         
# autodetect                                                                      
if echo "${url}" | grep -q ''; then                                                
    set_name=$(echo "$url" | awk -F/ '{print substr($4,0,21);}')                                                    
curl -L -v -s ${COMPRESS_OPT} -k "$url" >"${unsorted_blocklist}" 2>"${headers}"     

sh /etc/firewall.user and ipset list -name will be


Check if there's entries

ipset list CN_IPv4.txt | wc -l

Copy link

HackingGate commented Oct 3, 2021

cd /root
mkdir tftp
cd tftp

Edit /etc/config/dhcp

config dnsmasq
        option enable_tftp '1'
        option dhcp_boot ''
        option tftp_root '/root/tftp'
config dhcp 'lan'
	list dhcp_option '66,'

/etc/init.d/dnsmasq restart

Copy link

Upgrade OpenWrt


Copy link

HackingGate commented Sep 9, 2022

Advertise DNS server


config dhcp 'lan'
	list dhcp_option '6,'

Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment