my configs openwrt
################### dhcp
# /etc/config/dhcp — read by dnsmasq (DNS + DHCPv4) and by odhcpd (DHCPv6/RA).

config dnsmasq
	# Never forward queries for plain names without a dot (domainneeded)
	# or reverse lookups for private address ranges (boguspriv) upstream.
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# DNS rebinding protection: discard upstream answers that point at
	# private ranges; rebind_localhost still allows 127.0.0.0/8 answers.
	option rebind_protection '1'
	option rebind_localhost '1'
	# Names under 'lan' are resolved locally only, never forwarded.
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	# Answer DNS queries only from directly attached subnets.
	option localservice '1'

# LAN pool. 'ignore 1' stops dnsmasq serving DHCPv4 here; the network
# section gives the LAN a static address behind an upstream gateway,
# so presumably that gateway hands out leases.
# NOTE(review): odhcpd also honours 'ignore', so the dhcpv6/ra 'server'
# settings below look like inactive leftovers from the stock file — confirm.
config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option ignore '1'

# NOTE(review): the network section of this dump defines no 'wan'
# interface, so this stanza is harmless but unused.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	# '0': dnsmasq stays the DHCPv4 server; odhcpd only does v6
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
################### dropbear
# /etc/config/dropbear — SSH server. These are the stock defaults:
# password login is allowed for every account including root, on port 22,
# and the daemon listens on all interfaces (no 'option Interface').
# NOTE(review): for hardening, prefer key-only login — install a key in
# /etc/dropbear/authorized_keys and set PasswordAuth and RootPasswordAuth
# to 'off'; consider 'option Interface lan' to bind to the LAN only.
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'
	# login banner shown before authentication; disabled
#	option BannerFile '/etc/banner'
################### firewall
# /etc/config/firewall — stock OpenWrt policy. The unquoted values of the
# original file are written here in 'uci export' (single-quoted) form;
# UCI treats both spellings identically.

# Global chain policies: traffic to and from the router itself is
# accepted, traffic between zones is rejected unless a zone or
# forwarding section says otherwise.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# set to '1' to skip generating any ip6tables rules
#	option disable_ipv6 '1'
# LAN zone: fully open towards the router and between its members.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone: inbound rejected, outbound allowed, NAT (masq) and TCP MSS
# clamping (mtu_fix) applied.
# NOTE(review): the network section of this dump defines neither 'wan'
# nor 'wan6', so this zone currently covers no interface.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Hosts in lan may open connections towards wan.
config forwarding
	option src 'lan'
	option dest 'wan'
# Exceptions to the wan zone's REJECT input policy, in evaluation order.

# DHCPv4 renew replies arrive as unsolicited UDP on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# IPv4 echo requests from wan
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IPv4 multicast group management
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies, restricted to ULA/link scope on both ends,
# see https://dev.openwrt.org/ticket/10381
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery (ICMPv6 types 130-132, 143) from link-local sources
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 the router itself needs (NDP, PMTU, errors), rate limited
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 that may be forwarded from wan to any zone, rate limited
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec: ESP payloads forwarded from wan into lan
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# IPsec: IKE/ISAKMP (UDP 500) forwarded from wan into lan
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
# Hook for hand-written iptables rules; the script runs after the
# generated rule set has been loaded.
config include
	option path '/etc/firewall.user'

### EXAMPLE CONFIG SECTIONS (all disabled)

# reject one LAN host's TCP traffic towards wan
#config rule
#	option src 'lan'
#	option src_ip '192.168.45.2'
#	option dest 'wan'
#	option proto 'tcp'
#	option target 'REJECT'

# reject traffic towards wan from one MAC address
#config rule
#	option dest 'wan'
#	option src_mac '00:11:22:33:44:66'
#	option target 'REJECT'

# drop ICMP arriving on a zone
#config rule
#	option src 'lan'
#	option proto 'ICMP'
#	option target 'DROP'

# forward wan port 80 to a LAN host
#config redirect
#	option src 'wan'
#	option src_dport '80'
#	option dest 'lan'
#	option dest_ip '192.168.16.235'
#	option dest_port '80'
#	option proto 'tcp'

# expose ssh on wan port 22001, redirected to port 22 on the lan side
#config redirect
#	option src 'wan'
#	option src_dport '22001'
#	option dest 'lan'
#	option dest_port '22'
#	option proto 'tcp'

### FULL CONFIG SECTIONS (every matcher a rule/redirect accepts)

#config rule
#	option src 'lan'
#	option src_ip '192.168.45.2'
#	option src_mac '00:11:22:33:44:55'
#	option src_port '80'
#	option dest 'wan'
#	option dest_ip '194.25.2.129'
#	option dest_port '120'
#	option proto 'tcp'
#	option target 'REJECT'

#config redirect
#	option src 'lan'
#	option src_ip '192.168.45.2'
#	option src_mac '00:11:22:33:44:55'
#	option src_port '1024'
#	option src_dport '80'
#	option dest_ip '194.25.2.129'
#	option dest_port '120'
#	option proto 'tcp'
################### luci
# /etc/config/luci — web UI settings (stock defaults).

config core 'main'
	# 'auto' picks the UI language from the browser's preferences
	option lang 'auto'
	option mediaurlbase '/luci-static/bootstrap'
	option resourcebase '/luci-static/resources'

# Paths LuCI's backup/sysupgrade helper preserves across a flash
config extern 'flash_keep'
	option uci '/etc/config/'
	option dropbear '/etc/dropbear/'
	option openvpn '/etc/openvpn/'
	option passwd '/etc/passwd'
	option opkg '/etc/opkg.conf'
	option firewall '/etc/firewall.user'
	option uploads '/lib/uci/upload/'

config internal 'languages'

# Session store; sessiontime is the session lifetime in seconds
config internal 'sauth'
	option sessionpath '/tmp/luci-sessions'
	option sessiontime '3600'

config internal 'ccache'
	option enable '1'

config internal 'themes'
	option Bootstrap '/luci-static/bootstrap'

# Timing (seconds) of the apply-with-rollback mechanism
config internal 'apply'
	option rollback '30'
	option holdoff '4'
	option timeout '5'
	option display '1.5'

# Targets used by the diagnostics page
config internal 'diag'
	option dns 'openwrt.org'
	option ping 'openwrt.org'
	option route 'openwrt.org'

# NOTE(review): 'ifstate' is not a LuCI section type; this looks like
# runtime interface state (normally kept under /var/state) pasted into
# the config dump — confirm whether it really lives in this file.
config ifstate
	option interface 'lan'
	option ifname 'eth0 radio0.network1'
	option bridge 'true'
################### rpcd
# /etc/config/rpcd — ubus RPC login accounts (used by LuCI's login).

config login
	option username 'root'
	# '$p$root' is a reference, not a stored secret: the login is
	# validated against the system password of user 'root'.
	option password '$p$root'
	# ACL groups this account may read/write; '*' grants every group
	list read '*'
	list write '*'
################### ucitrack
# /etc/config/ucitrack — consulted when a UCI config changes: 'init'
# names the init script to restart, 'exec' a command to run, and
# 'affects' other configs whose changes must be applied as well.

config network
	option init network
	list affects dhcp
	list affects radvd

config wireless
	list affects network

config firewall
	option init firewall
	list affects luci-splash
	list affects qos
	list affects miniupnpd

config olsr
	option init olsrd

config dhcp
	option init dnsmasq
	list affects odhcpd

config odhcpd
	option init odhcpd

config dropbear
	option init dropbear

config httpd
	option init httpd

# fstab has no init script; re-run the block mounter instead
config fstab
	option exec '/sbin/block mount'

config qos
	option init qos

config system
	option init led
	option exec '/etc/init.d/log reload'
	list affects luci_statistics
	list affects dhcp

config luci_splash
	option init luci_splash

config upnpd
	option init miniupnpd

config ntpclient
	option init ntpclient

config samba
	option init samba

config tinyproxy
	option init tinyproxy
################### uhttpd
# /etc/config/uhttpd — the web server behind LuCI. Stock OpenWrt
# defaults, written in quoted 'uci export' form.

config uhttpd 'main'
	# plain HTTP on every IPv4 and IPv6 address
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	# TLS on every IPv4 and IPv6 address
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	# send HTTP clients to HTTPS whenever a TLS listener exists
	option redirect_https '1'
	# document root
	option home '/www'
	# refuse requests from RFC1918 source addresses aimed at the
	# server's public address(es): a DNS rebinding countermeasure
	option rfc1918_filter '1'
	# concurrent request limit; further requests queue until a slot frees
	option max_requests '3'
	# concurrent TCP connection limit; further attempts queue likewise
	option max_connections '100'
	# TLS certificate and key; unused when no listen_https is configured
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	# URL prefix for CGI scripts, resolved under the document root
	option cgi_prefix '/cgi-bin'
	# extension-to-interpreter mappings: matching files are run even
	# outside cgi_prefix and need no executable bit
#	list interpreter '.php=/usr/bin/php-cgi'
#	list interpreter '.cgi=/usr/bin/perl'
	# Lua URL prefix and handler; Lua support is off without a prefix
	option lua_prefix '/luci'
	option lua_handler '/usr/lib/lua/luci/sgi/uhttpd.lua'
	# ubus-rpc URL prefix and ubus socket
#	option ubus_prefix '/ubus'
#	option ubus_socket '/var/run/ubus.sock'
	# seconds a CGI/Lua script may stay silent before the request is
	# answered with 504 Gateway Timeout
	option script_timeout '60'
	# seconds a connection may stay blocked before its request
	# process is terminated
	option network_timeout '30'
	# idle timeout for persistent HTTP/1.1 connections; '0' disables them
	option http_keepalive '20'
	# seconds between TCP keep-alive probes to detect dead peers; '0' disables
	option tcp_keepalive '1'
	# Basic-auth realm; defaults to the local hostname
#	option realm 'OpenWrt'
	# configuration file in busybox httpd format
#	option config '/etc/httpd.conf'
	# refuse symlinks that resolve outside the document root
#	option no_symlinks '0'
	# answer directory requests lacking an index file with 403
	# instead of a listing
#	option no_dirlists '0'
	# skip the ubus session/ACL check on ubus-rpc requests; meant
	# only for development and debugging
#	option no_ubusauth '0'
	# httpauth sections whose URL prefixes require Basic auth
#	list httpauth 'prefix_user'
# Parameters for the self-signed certificate the uhttpd init script
# generates when the configured cert/key files are absent.
config cert 'defaults'
	# validity in days
	option days '730'
	# RSA modulus size in bits
	option bits '2048'
	# subject location fields
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	# subject common name
	option commonname 'OpenWrt'

# Basic-auth protected URL prefix, referenced by 'list httpauth' in the
# server section. The password may be plaintext, an md5 crypt hash, or
# '$p$<user>' to reuse a system account's password.
#config httpauth 'prefix_user'
#	option prefix '/protected/url/path'
#	option username 'user'
#	option password 'plaintext_or_md5_or_$p$user_for_system_user'
################### ubootenv
# (empty in this dump: no U-Boot environment partition is declared)

################### network
# /etc/config/network — the device is a LAN-only bridge (eth0 plus the
# Wi-Fi interface, which the wireless section attaches to 'lan') with a
# static address behind an upstream gateway. No 'wan' interface is
# defined although the firewall and dhcp sections reference one.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Site-specific IPv6 unique local address prefix
config globals 'globals'
	option ula_prefix 'fd83:4f95:72e5::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.127'
	option netmask '255.255.255.0'
	# upstream router
	option gateway '192.168.1.1'
	# space-separated upstream resolvers
	option dns '192.168.1.254 192.168.1.1'
################### system
# /etc/config/system — hostname, clock, logging, NTP and LEDs.

config system
	option hostname 'OpenWrt'
	option timezone 'UTC'
	# '0': no login prompt on the serial console, so physical console
	# access yields a shell without a password
	option ttylogin '0'
	# in-memory log buffer size, kB
	option log_size '64'
	# '0' disables seeding /dev/urandom from a saved seed file
	option urandom_seed '0'

config timeserver 'ntp'
	option enabled '1'
	# act as NTP client only, do not serve time to others
	option enable_server '0'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'

# LAN LED follows link state and traffic on eth0
config led 'led_lan'
	option name 'LAN'
	option sysfs 'tp-link:green:lan'
	option trigger 'netdev'
	option mode 'link tx rx'
	option dev 'eth0'

# WLAN LED blinks with phy0 throughput
config led 'led_wlan'
	option name 'WLAN'
	option sysfs 'tp-link:green:wlan'
	option trigger 'phy0tpt'
################### wireless
# /etc/config/wireless — single 2.4 GHz radio with one access point.

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ar933x_wmac'
	option htmode 'HT20'
	# regulatory domain
	option country 'US'
	# also advertise the 802.11b rates (1/2/5.5/11 Mbit)
	option legacy_rates '1'

# Access point bridged straight into 'lan': clients of this SSID share
# the wired LAN with no segmentation. If the SSID is meant for IoT
# devices, a dedicated network/zone (or at least 'option isolate 1' to
# keep clients from reaching each other) would limit what a compromised
# device can see.
# NOTE(review): the SSID ends with a space; clients must match it
# exactly — confirm that is intended.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'NetSP Iot '
	option encryption 'psk2'
	# WPA2 pre-shared key, stored in clear text here.
	# NOTE(review): if 'password' is the real key rather than a
	# placeholder for this gist, it is a dictionary word at the
	# 8-character minimum — rotate it before sharing the file.
	option key 'password'