gl-inet ar150 in openwrt onion sauce

Written by geneta on July 9, 2016

### Intro

I have been using and testing a lot of cheap routers throughout the years, and since WRT54G times none has impressed me as gl-inet's gl-ar150 did. I tend not to voluntarily advertise products, but in dark times where companies like MikroTik and Ubiquiti openly violate the GPL without consequences, we can spend a good word for this Chinese company that publishes open hardware (sadly not for all of its devices) and installs OpenWrt by default. That said, I have no idea how gl-inet behaves on very important topics like environmental politics and workers' politics, either of which could destroy its good reputation.

The gl-ar150 is a very small travel router: it has 1 USB 2.0 port, 1 mini-USB port for the power supply (it runs on ridiculously little current at 5 V), a reset button, an assignable 2-way button, 4 internal GPIOs and an internal serial port. You can add a PoE module, and choose between the internal and external antenna versions. I personally prefer the 5 dBi external antenna version, which has a male SMA plug, and the antenna itself is quite powerful. It works perfectly with a 1000 mA USB power source.

[image: gl-ar150 board]

### Achievements

So far I have successfully had my little router do all of the following at the same time:

  • connect to another router via the WAN port or via wireless as a client
  • create a LAN via the LAN port and a wireless connection as an AP
  • create a Tor-only network via another wireless connection as an AP, with client isolation
  • use the side 3 way button to assign rulesets like:
      • establish a "state of the art" VPN connection without stressing the CPU/RAM too much
      • change the main wireless connection as a client (with a pre-made set)

so… let’s get started!

### Cleaning

Gl-inet adds some proprietary web interface pages and some dubious firewall rules, so the first thing to do when receiving a gl-ar150 is to install the latest OpenWrt version (I prefer trunk to stable) and clean up the firewall.

(I'll fill this in once I receive a new router that needs a cleanup.)

##### Base setup

### Establish a connection and install needed opkg packages

Plug in with a cable to the LAN interface; the router's default IP should be 192.168.8.1 (or 192.168.1.1 if you clean-installed OpenWrt).

Modify /etc/config/wireless according to your internet connection (or you can simply plug an ethernet cable into the WAN port and skip this step!):


config wifi-device 'radio0'
option type 'mac80211'
option channel '1'
option hwmode '11g'
option path 'platform/ar933x_wmac'
option htmode 'HT20'
option txpower '18'
option country 'US'

### IMPORTANT: do not change the sequence of the wireless devices!

config wifi-iface
option device 'radio0'
option mode 'sta'
option ssid 'XXXXXXXXX'
option encryption 'psk2+tkip'
option key 'XXXXXXXX'
option network 'wwan'
option macaddr 'af:af:af:af:af:aa'

As you can see, you'll have to check the channel, SSID and encryption type (psk2+tkip stands for most WPA2). I modify the macaddr because it helps me in debugging.
In order for this to work, you'll have to change some settings in /etc/config/network (modify the lan interface section and add wwan).


config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
option ip6assign '60'
option _orig_ifname 'eth1 wlan0'
option _orig_bridge 'true'
option ifname 'eth1'

config interface 'wwan'
option proto 'dhcp'

and add the newly created wwan interface to the firewall rules for WAN. In /etc/config/firewall modify this block accordingly:


config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 wwan'

Cross your fingers, reboot and your openwrt system should be able to reach the internet.

### install opkg packages


opkg update
opkg install tor tor-geoip luci rsync

You now have a working LuCI interface listening on port 80 (but be aware: changing complex configuration in the LuCI interface sometimes resets a lot of previous settings… use at your own risk!), and I add rsync for simplicity in file transfer.

##### Better setup: LAN + TOR

Once everything is installed, we can prepare the full setup with LAN and ONION networks generated by the gl-ar150. The files we are going to modify are:

  • /etc/config/wireless
  • /etc/config/network
  • /etc/config/firewall
  • /etc/config/dhcp
  • /etc/tor/torrc
  • /etc/firewall.user

### /etc/config/wireless

# We have here 3 different wireless networks: one as a client for the upstream connection, and two as APs for our clients.


config wifi-device 'radio0'
option type 'mac80211'
option channel '1'
option hwmode '11g'
option path 'platform/ar933x_wmac'
option htmode 'HT20'
option txpower '18'
option country 'US'

### IMPORTANT: do not change the sequence of the wireless devices!

config wifi-iface
option device 'radio0'
option mode 'sta'
option ssid 'XXXXXXXXX'
option encryption 'psk2+tkip'
option key 'XXXXXXXX'
option network 'wwan'
option macaddr 'af:af:af:af:af:aa'

config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'Lan'
option encryption 'psk2+tkip'
option key 'XXXXXXXXXX'
option network 'lan'
option macaddr 'af:af:af:af:af:bb'

config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'Onion'
option encryption 'none'
option network 'tor'
option isolate '1'
option macaddr 'af:af:af:af:af:cc'

### /etc/config/network

# We set up the LAN (LAN port + wifi connection), TOR (wifi connection) and WAN (WAN port + wifi connection) interfaces


config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd3b:ae98:46c1::/48'

### INTERFACES

config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
option ip6assign '60'
option _orig_ifname 'eth1 wlan0'
option _orig_bridge 'true'
option ifname 'eth1'

config interface 'tor'
option type 'bridge'
option proto 'static'
option ipaddr '172.16.1.1'
option netmask '255.255.255.0'
option _orig_ifname 'wlan0-2'
option _orig_bridge 'true'

config interface 'wan'
option proto 'dhcp'
option _orig_ifname 'eth0 radio0.network1'
option _orig_bridge 'true'
option ifname 'eth0'

config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'

config interface 'wwan'
option proto 'dhcp'

### /etc/config/dhcp

# add a DHCP server for the TOR interface


config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'

config dhcp 'tor'
option interface 'tor'
option start '100'
option limit '150'
option leasetime '12h'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

### /etc/config/firewall

# I am more than convinced that I could work harder on this firewall setup… comments appreciated!


config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

### ZONES (applies to INTERFACES)

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 wwan'

config zone
option name 'tor'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'tor'
option conntrack '1'

config forwarding
option src 'lan'
option dest 'wan'

### WAN RULES

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

### TOR RULES

config rule
option name 'Allow-Tor-DHCP'
option src 'tor'
option proto 'udp'
option dest_port '67'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Tor-DNS'
option src 'tor'
option proto 'udp'
option dest_port '9053'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Tor-Transparent'
option src 'tor'
option proto 'tcp'
option dest_port '9040'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Tor-SOCKS'
option src 'tor'
option proto 'tcp'
option dest_port '9050'
option target 'ACCEPT'
option family 'ipv4'

### /etc/firewall.user

# have Tor resolve all DNS requests itself, and act as a sort of NAT for the Onion network


# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

tor_rules() {
	# DNS from the Onion network goes to Tor's DNSPort
	iptables -t nat -A PREROUTING -i br-tor -p udp --dport 53 -j REDIRECT --to-ports 9053
	# TCP aimed at the router itself (e.g. the SOCKS port 9050 allowed in
	# /etc/config/firewall) must not be pushed into the TransPort
	iptables -t nat -A PREROUTING -i br-tor -p tcp -d 172.16.1.1 -j RETURN
	# every other new TCP connection goes to Tor's TransPort
	iptables -t nat -A PREROUTING -i br-tor -p tcp --syn -j REDIRECT --to-ports 9040
}
tor_rules

### /etc/tor/torrc

# We create a "sort of VPN" to Tor; remember that here you can add your favourite Tor bridges and/or proxies if you need to use them. Listed here are only the lines I add at the beginning of the /etc/tor/torrc file!


# AllowUnverifiedNodes is an obsolete option; current Tor releases ignore it with a warning
AllowUnverifiedNodes middle,rendezvous
# NOTE: 172.16.1.0/11 is really 172.0.0.0/11, which overlaps the 172.16.1.0/24 Onion
# subnet; choose a virtual range that does not overlap any of your own networks
VirtualAddrNetworkIPv4 172.16.1.0/11
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1

# Bind each port to the Onion interface only. The separate TransListenAddress,
# DNSListenAddress and SocksBindAddress options are deprecated/obsolete;
# the address:port form is the supported syntax.
TransPort 172.16.1.1:9040
DNSPort 172.16.1.1:9053
SocksPort 172.16.1.1:9050
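Before rebooting it is worth checking, from the config files rather than from memory, the two properties the setup above relies on: that the wwan interface really made it into the wan zone's network list (base setup), and that the tor zone has forward REJECT with no "config forwarding" leaving it, so Onion clients can only reach the router's own Tor ports and never get routed to the WAN directly. The script below is an added example, not part of the original post or of any OpenWrt/gl-inet tool: a small POSIX sh + awk parser for the UCI file format with those two checks. The function names (uci_sections, zone_option, forwardings_from, check_tor_isolated, check_wan_has) and the two sample configs are my own constructions; on the router, pass /etc/config/firewall instead of the samples.

```shell
#!/bin/sh
# Added example: parse OpenWrt UCI files and check the two firewall properties the
# setup relies on. Works with busybox sh/awk on the router (pass /etc/config/firewall)
# and with any POSIX sh elsewhere (constructed sample files below).

# Print one line per UCI section: "type|name|key=value|key=value|...".
# Anonymous sections such as 'config zone' get the name "-".
uci_sections() {  # $1 = path to a UCI config file
    awk -v sq="'" '
        function unq(s) { gsub("^[" sq "\"]|[" sq "\"]$", "", s); return s }
        function flush() { if (line != "") print line; line = "" }
        $1 == "config" { flush(); line = $2 "|" ((NF >= 3) ? unq($3) : "-") }
        $1 == "option" || $1 == "list" {
            v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)
            line = line "|" $2 "=" unq(v)
        }
        END { flush() }
    ' "$1"
}

# Print the value of key $3 inside the zone whose "option name" is $2.
zone_option() {  # $1 file, $2 zone name, $3 key
    uci_sections "$1" | awk -F'|' -v zone="$2" -v key="$3" '
        $1 == "zone" {
            hit = 0; val = ""
            for (i = 3; i <= NF; i++) {
                if ($i == ("name=" zone)) hit = 1
                if (index($i, key "=") == 1) val = substr($i, length(key) + 2)
            }
            if (hit) { print val; exit }
        }'
}

# Print the dest zone of every "config forwarding" whose src is $2.
forwardings_from() {  # $1 file, $2 zone name
    uci_sections "$1" | awk -F'|' -v zone="$2" '
        $1 == "forwarding" {
            src = ""; dst = ""
            for (i = 3; i <= NF; i++) {
                if (index($i, "src=") == 1)  src = substr($i, 5)
                if (index($i, "dest=") == 1) dst = substr($i, 6)
            }
            if (src == zone) print dst
        }'
}

# 0 when the tor zone rejects forwarding and no forwarding section leaves it, i.e.
# Onion clients can only reach the router's own Tor ports; 1 otherwise.
check_tor_isolated() {  # $1 file
    [ "$(zone_option "$1" tor forward)" = "REJECT" ] || return 1
    [ -z "$(forwardings_from "$1" tor)" ] || return 1
}

# 0 when interface $2 (e.g. wwan) is listed in the wan zone's network option.
check_wan_has() {  # $1 file, $2 interface name
    case " $(zone_option "$1" wan network) " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample: the zones and forwarding from the firewall config in the post.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
config zone
	option name 'lan'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option forward 'REJECT'
	option masq '1'
	option network 'wan wan6 wwan'

config zone
	option name 'tor'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'tor'

config forwarding
	option src 'lan'
	option dest 'wan'
EOF

# Constructed leaky variant: a forwarding from tor to wan would bypass Tor entirely.
LEAKY_CFG=$(mktemp)
{ cat "$GOOD_CFG"; printf '\nconfig forwarding\n\toption src %s\n\toption dest %s\n' "'tor'" "'wan'"; } > "$LEAKY_CFG"

for cfg in "$GOOD_CFG" "$LEAKY_CFG"; do
    if check_tor_isolated "$cfg"; then echo "$cfg: tor zone isolated"; else echo "$cfg: TOR ZONE LEAKS"; fi
done
if check_wan_has "$GOOD_CFG" wwan; then echo "wwan is in the wan zone"; fi
```

Because the parser emits one line per section with the values unquoted, the same uci_sections function can be reused for /etc/config/wireless (for example to confirm the Onion wifi-iface still has isolate '1') without touching the awk again.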

### reboot

Cross your fingers very hard: if we did everything correctly, your router will survive a reboot and you'll be able to see all of that in production!
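The part that silently breaks after a reboot or a firewall restart is /etc/firewall.user: if the two REDIRECT rules are not loaded, Onion clients still get an address and a DNS server but their traffic is simply rejected (or, with a looser firewall, leaks to the WAN unproxied). The following is an added example, not from the original post, that reads the nat table the way `iptables-save -t nat` prints it and confirms that udp/53 from br-tor lands on DNSPort 9053 and TCP on TransPort 9040. The dump embedded below is a constructed sample in iptables-save format (iptables-save writes `--syn` as `--tcp-flags FIN,SYN,RST,ACK SYN`); the function names redirect_port and check_tor_redirects are mine.

```shell
#!/bin/sh
# Added example: verify that the Tor transparent-proxy NAT rules from /etc/firewall.user
# are really loaded, by inspecting the nat table in iptables-save format.

# Constructed sample of `iptables-save -t nat` output for the rules in the post.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-tor -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i br-tor -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print the --to-ports value of the first nat PREROUTING REDIRECT rule in dump $1 that
# matches in-interface $2, protocol $3 and (if $4 is non-empty) --dport $4.
# Prints nothing when no such rule exists.
redirect_port() {  # $1 dump text, $2 interface, $3 proto (tcp|udp), $4 dport or ""
    printf '%s\n' "$1" | awk -v ifc="$2" -v proto="$3" -v want="$4" '
        $1 == "-A" && $2 == "PREROUTING" {
            ok_if = 0; ok_proto = 0; redir = 0; dport = ""; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i+1) == ifc)        ok_if = 1
                if ($i == "-p" && $(i+1) == proto)      ok_proto = 1
                if ($i == "-j" && $(i+1) == "REDIRECT") redir = 1
                if ($i == "--dport")                    dport = $(i+1)
                if ($i == "--to-ports")                 port = $(i+1)
            }
            if (ok_if && ok_proto && redir && (want == "" || dport == want)) { print port; exit }
        }'
}

# 0 when Onion-network DNS (udp/53) is redirected to DNSPort 9053 and new TCP
# connections to TransPort 9040, matching /etc/tor/torrc; 1 otherwise.
check_tor_redirects() {  # $1 dump text
    [ "$(redirect_port "$1" br-tor udp 53)" = "9053" ] || return 1
    [ "$(redirect_port "$1" br-tor tcp "")" = "9040" ] || return 1
}

# On the router the live table is read; elsewhere (or without root) the sample is used.
DUMP=$(iptables-save -t nat 2>/dev/null) || DUMP=$SAMPLE_NAT_DUMP
if check_tor_redirects "$DUMP"; then
    echo "tor redirect rules present"
else
    echo "WARNING: tor redirect rules missing, Onion clients are not being proxied"
fi
```

Run it after `/etc/init.d/firewall restart` as well as after a reboot: the include in /etc/config/firewall is what re-applies /etc/firewall.user, so a failing check right after a restart points at that include or at a syntax error in the file.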

### the rest

I'll soon continue this post, adding how I control the buttons, how I successfully run OpenVPN and how I assign different rulesets through the button commands…
