-
-
Save HackingGate/b75ac856397075756ea878380c5b848c to your computer and use it in GitHub Desktop.
VERSION=19.07.7 | |
# Download imagebuilder for R7800. | |
aria2c -c -x4 -s4 https://downloads.openwrt.org/releases/${VERSION}/targets/ipq806x/generic/openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz | |
# Extract & remove used file & cd to the directory | |
tar -xvf openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz | |
rm openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz | |
cd openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64/ | |
# Use https when making image | |
sed -i 's/http:/https:/g' repositories.conf | |
# Make all kernel modules built-in | |
sed -i -e "s/=m/=y/g" build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x_generic/linux-*/.config | |
# Run the final build configuration | |
make image PROFILE=netgear_r7800 \ | |
PACKAGES="ca-bundle ca-certificates libustream-openssl -ppp -ppp-mod-pppoe \ | |
uhttpd uhttpd-mod-ubus libiwinfo-lua luci-base luci-app-firewall luci-mod-admin-full luci-theme-bootstrap \ | |
-wpad-mini -wpad-basic wpad-openssl usbutils block-mount e2fsprogs samba4-server luci-app-samba4 \ | |
aria2 luci-app-aria2 ariang stubby curl wget tcpdump kmod-fs-ext4 kmod-usb-storage kmod-usb-storage-uas" | |
# list result | |
ls $PWD/bin/targets/ipq806x/generic |
# To use opkg via https | |
opkg update | |
opkg install ca-bundle ca-certificates libustream-openssl curl wget | |
sed -i 's/http:/https:/g' /etc/opkg/distfeeds.conf | |
# DoH with Dnsmasq and https-dns-proxy | |
# https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy | |
opkg install https-dns-proxy luci-app-https-dns-proxy | |
# pkg-upgrade.sh | |
wget https://gist.github.com/HackingGate/b75ac856397075756ea878380c5b848c/raw/db404b6028b9136b47192ce90f3520e97a3faa3e/pkg-upgrade.sh | |
chmod +x pkg-upgrade.sh | |
./pkg-upgrade.sh | |
# sys-upgrade.sh | |
wget https://gist.github.com/HackingGate/b75ac856397075756ea878380c5b848c/raw/725c991f7286400e4f0d6ae5f993f8dd17caca90/sys-upgrade.sh | |
chmod +x sys-upgrade.sh | |
./sys-upgrade.sh | |
# Capturing packets | |
opkg install tcpdump | |
# Deploy WPA3 Wi-Fi | |
opkg remove wpad-mini wpad-basic | |
opkg install wpad-openssl | |
/etc/init.d/network restart | |
# Using storage devices | |
opkg update | |
opkg install kmod-usb-storage | |
opkg install kmod-usb-storage-uas | |
opkg install usbutils | |
lsusb -t | |
opkg install block-mount | |
block info | grep "/dev/sd" | |
lsusb -t | |
opkg install e2fsprogs | |
opkg install kmod-fs-ext4 | |
block detect | uci import fstab | |
uci set fstab.@mount[-1].enabled='1' | |
uci set fstab.@global[0].check_fs='1' | |
uci commit fstab | |
uci show fstab | |
service fstab boot | |
# SMB Samba4 | |
opkg install samba4-server | |
opkg install luci-app-samba4 | |
# Aira2 and ariang | |
opkg install aria2 | |
opkg install luci-app-aria2 | |
opkg install ariang |
#!/bin/sh | |
set -e | |
# Force HTTPS | |
sed -i 's/http:/https:/g' /etc/opkg/distfeeds.conf | |
# Update packages | |
opkg update | |
for ipk in $(opkg list-upgradable | awk '$1!~/^base-files|^kmod|^Multiple/{print $1}'); do | |
opkg upgrade $ipk | |
done | |
# Download bt trackers | |
TRACKERS=`curl -s https://raw.githubusercontent.com/ngosang/trackerslist/master/trackers_best.txt \ | |
| tr '\n' ' ' \ | |
| sed 's/ *$//'` | |
echo "Updating /etc/config/aria2 bt_tracker" | |
# Delete config | |
sed -i "/list bt_tracker/d" /etc/config/aria2 | |
# Append config | |
echo -e "\tlist bt_tracker '$TRACKERS'" | tee -a /etc/config/aria2 | |
# Download netboot.xyz | |
wget https://boot.netboot.xyz/ipxe/netboot.xyz.efi -O /root/tftp/netboot.xyz.efi |
#!/bin/sh | |
set -e | |
OPENWRT_TAG=`git ls-remote git://github.com/openwrt/openwrt.git | grep -E -o 'v[0-9]+\.[0-9]+\.[0-9]+' | tail -1` | |
OPENWRT_VERSION=`echo ${OPENWRT_TAG} | grep -E -o '[0-9]+\.[0-9]+\.[0-9]+'` | |
rm -f *.manifest manifest.diff | |
# Use sed remove vlmcsd | |
opkg list-installed | sed '/vlmcsd/d' | tee list-installed.manifest | |
wget https://downloads.hackinggate.com/openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear-r7800/openwrt-${OPENWRT_VERSION}-ipq806x-generic-device-netgear-r7800.manifest | |
diff openwrt-${OPENWRT_VERSION}-ipq806x-generic-device-netgear-r7800.manifest list-installed.manifest | tee manifest.diff | |
FILE1_LINES=`cat manifest.diff | grep '<' | wc -l` | |
FILE2_LINES=`cat manifest.diff | grep '>' | wc -l` | |
# n1 -ge n2 True if the integer n1 is algebraically greater than or equal to the integer n2. | |
# n1 -gt n2 True if the integer n1 is algebraically greater than the integer n2. | |
if [ ${FILE1_LINES} -ge 0 ] && [ ${FILE1_LINES} -eq ${FILE2_LINES} ] | |
then | |
echo "Upgrading to ${OPENWRT_TAG}" | |
rm -f openwrt-${OPENWRT_TAG}-ipq806x-generic-netgear_r7800-squashfs-sysupgrade.bin | |
wget https://downloads.hackinggate.com/openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear-r7800/openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear_r7800-squashfs-sysupgrade.bin | |
# -o attempt to preserve all changed files in /, except those | |
# from packages but including changed confs. | |
sysupgrade -o openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear_r7800-squashfs-sysupgrade.bin | |
fi |
Ad blocking
https://openwrt.org/docs/guide-user/services/ad-blocking
opkg install adblock luci-app-adblock
reboot
IPv6 tunnel
Object
- Obtain IPv6 for IPv4 only network
Requirement
- IPv4
Background
I'm using a free PPPoE access point on NTT East FLET'S HIKARI provided by SoftEther.
I don't have a useable IPv6 connection.
I don't have a public IPv4 address. My internal IPv4 address and DNS is in 100.64.0.0/10
.
Looks like I'm connecting with CGN (Carrier Grade NAT).
Setup
Get a free IPv6 tunnel on HE.net by clicking Create Regular Tunnel.
If you already have one. It will show on the homepage: tunnelbroker.net.
opkg install 6in4
config interface 'henet'
option proto '6in4'
option tunlink 'wan'
option peeraddr '' # Server IPv4 Address
option ip6addr '' # Copy Client IPv6 Address
option tunnelid ''
option username ''
list ip6prefix ''
option password '' # Update Key in Advanced tab
Dynamic IPv6-in-IPv4 Tunnel (HE.net only) - OpenWrt Document
Setup WireGuard server
Last modified: 2021/04/04 14:23 by vgaetera
The document is missing LuCI app, client psk, key and pub. The fixed command here:
- Preparation
# Install packages
opkg update
opkg install luci-proto-wireguard
# Configuration parameters
WG_IF="vpn"
WG_PORT="51820"
WG_ADDR="192.168.9.1/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::1/64"
- Key management
# Generate keys
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genpsk > wgclient.psk
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
# Server private key
WG_KEY="$(cat wgserver.key)"
# Pre-shared key
WG_PSK="$(cat wgclient.psk)"
# Client public key
WG_PUB="$(cat wgclient.pub)"
Follow the rest of the document.
Setup WireGuard client
This will allow you access home resources from anywhere in the world.
I don't have public IPv4 address. I have public IPv6 addresses from HE.net. So my Endpoint is IPv6 only.
Replace wgclient.key
, wgserver.pub
, wgclient.psk
, OpenWrt_LAN_Interface_Private_IPv6_Subnet
, OpenWrt_Public_IPv6_Address
with actual value.
DNS is optional.
[Interface]
PrivateKey = wgclient.key
Address = 192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128
DNS = 192.168.9.1, fdf1:e8a1:8d3f:9::1
[Peer]
PublicKey = wgserver.pub
PresharedKey = wgclient.psk
AllowedIPs = 192.168.0.0/16, fdf1:e8a1:8d3f:9::/64, OpenWrt_LAN_Interface_Private_IPv6_Subnet
Endpoint = [OpenWrt_Public_IPv6_Address]:51820
Restart WireGuard server
/etc/init.d/network restart
Route all connections to VPN
(client side settings only)
You can change AllowedIPs
to 0.0.0.0/0, ::/0
. It will route all IP connection (OSI layer 3) (except some private addresses like default gateway) to WireGuard VPN.
To show routing table on macOS:
netstat -rn
192.168.1.1
is the default gateway and it goes through en0
which is the default Wi-Fi interface on macOS.
http://192.168.1.1
will be my friend's home router's authentication page.
Route 192.168.1.1
to WireGuard VPN. (utun2
is my WireGuard's interface, run ifconfig
to see yours.)
sudo route change 192.168.1.1 -interface utun2
http://192.168.1.1
will be my router so I can maintenance my home network remotely.
And Internet will down.
To reset it turn off/on Wi-Fi and re-enable WireGuard.
R7800 Debricking
[OpenWrt Wiki] Netgear R7800 (Nighthawk X4S AC2600) Debricking
On macOS the tftp
command is a little different.
References
# Enable TFTP server
sudo launchctl unload -w /System/Library/LaunchDaemons/tftp.plist
# Check if TFTP server running
sudo lsof -i:69
More about launchctl
: https://apple.stackexchange.com/a/308421/105981
Commands
$ tftp
tftp> connect 192.168.1.1
tftp> mode binary
tftp> put openwrt-21.02.0-rc3-ipq806x-generic-netgear_r7800-squashfs-factory.img
DoH with Dnsmasq and https-dns-proxy
https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy
opkg install https-dns-proxy luci-app-https-dns-proxy
PS4 Remote Play
Common Ways To Remote Play While Away Home
-
The official PS Remote Play app away home play feature
I'm currently using v6プラス(based on MAP-E) option from my ISP. I have public IPv4/v6 addresses but I have only SOME IPv4 ports available. I failed to connect my PS4. -
The official PS Remote Play app in-home play feature with a home VPN server
This method works on OSI-layer 2 VPN but not on layer 3.
WireGuard is layer 3. And I have no plan to start a OpenVPN TAP mode (layer 2) VPN.
The solution (the third way to remote play)
Prepare a layer 3 home VPN server.
Use Chiaki instead of official PS Remote Play. (I learned here)
Seems Chiaki don't wake PS4 on LAN. So I installed ps4-waker on my home Raspberry Pi.
Just follow the link and setup it.
The result
- Set PS4 to Rest Mode before leave home. (Don't Power Off)
- SSH into home Raspberry Pi.
- Run
ps4-waker
command will wake up PS4. - Connect to home VPN (layer 3).
- Open Chiaki any enjoy it.
Block Country IPs
Tutorial for how to boycott CN IPv4 on OpenWrt.
Script from here https://github.com/kravietz/blacklist-scripts
CIDR IP list from my project https://country-ip-blocks.hackinggate.com
OpenWrt Setup
Install
opkg install ipset curl
wget https://raw.githubusercontent.com/kravietz/blacklist-scripts/master/blacklist.sh
mv blacklist.sh /etc/firewall.user
Create /etc/ip-blacklist.conf
URLS="https://country-ip-blocks.hackinggate.com/CN_IPv4.txt"
Edit /etc/firewall.user
I don't have pppoe-wan
and the blocklist don't work.
I replaced IN_OPT="-i $wan_iface"
with IN_OPT=""
and it works now. (kravietz/blacklist-scripts#6)
Activate
# Manual run
sh /etc/firewall.user
# Daily update
echo "01 01 * * * sh /etc/firewall.user" >>/etc/crontabs/root
Check & Test
ipset list -name
Two new sets are added
manual-blacklist
country-ip-blocks.hac
View blocked CN IPv4 entries
ipset list country-ip-blocks.hac
Here's how to use manual-blacklist
.
ipset add manual-blacklist 8.8.8.8
ipset list manual-blacklist
ping 8.8.8.8
ipset del manual-blacklist 8.8.8.8
ping 8.8.8.8
Block Multi Lists
Example of /etc/ip-blacklist.conf
# Emerging Threats lists offensive IPs such as botnet command servers
URLS="https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
URLS="$URLS https://www.blocklist.de/downloads/export-ips_all.txt"
URLS="$URLS https://country-ip-blocks.hackinggate.com/CN_IPv4.txt"
URLS="$URLS https://country-ip-blocks.hackinggate.com/HK_IPv4.txt"
URLS="$URLS https://country-ip-blocks.hackinggate.com/MO_IPv4.txt"
All set will name country-ip-blocks.hac
and override.
To fix it. Edit /etc/firewall.user
. Insert script between the two lines. L116
# download the blocklist
set_name=$(echo "$url" | awk -F/ '{print substr($3,0,21);}') # set name is derived from source URL hostname
curl -L -v -s ${COMPRESS_OPT} -k "$url" >"${unsorted_blocklist}" 2>"${headers}"
Will be
# download the blocklist
set_name=$(echo "$url" | awk -F/ '{print substr($3,0,21);}') # set name is derived from source URL hostname
# autodetect country-ip-blocks.hackinggate.com
if echo "${url}" | grep -q 'country-ip-blocks.hackinggate.com'; then
set_name=$(echo "$url" | awk -F/ '{print substr($4,0,21);}')
fi
curl -L -v -s ${COMPRESS_OPT} -k "$url" >"${unsorted_blocklist}" 2>"${headers}"
sh /etc/firewall.user
and ipset list -name
will be
manual-blacklist
rules.emergingthreats
www.blocklist.de
CN_IPv4.txt
HK_IPv4.txt
MO_IPv4.txt
Check if there's entries
ipset list CN_IPv4.txt | wc -l
netboot.xyz
cd /root
mkdir tftp
cd tftp
wget https://boot.netboot.xyz/ipxe/netboot.xyz.efi
Edit /etc/config/dhcp
config dnsmasq
...
option enable_tftp '1'
option dhcp_boot 'netboot.xyz.efi'
option tftp_root '/root/tftp'
config dhcp 'lan'
...
list dhcp_option '66,0.0.0.0'
/etc/init.d/dnsmasq restart
Upgrade OpenWrt
auc
Advertise DNS server
/etc/config/dhcp
config dhcp 'lan'
...
list dhcp_option '6,192.168.4.45'
Monitor multi wan usage
Add 'eth0.2 eth0.3' on LuCI:
Or edit
/etc/config/luci_statistics
: