wiki.TerraBase.info

Linksys AC Series Router Configuration Tips for OpenWRT: Difference between revisions

← Older edit
VisualWikitext
mNo edit summary
 
(105 intermediate revisions by the same user not shown)
Line 1: Line 1:
This subject(s) of this article are the AC Series of routers manufactured by Linksys and the OpenWRT Firmware designed for themThe Linksys AC Routers include the WRT1200AC, WRT1900AC v1, WRT1900AC v2, WRT1900ACS v2, WR1900ACS v2, WRT3200ACM, and WRT32XThe WRT1900AC v2 is essentially a WRT1900ACS v1 and the WRT3200ACM and WRT32X are duplicate hardware models with different firmware (from Linksys) and the former blue / black and the latter black /grayThe models are sometimes referred to with out the suffix letters as WRT1200, WRT1900, WRT3200.   
This article has gotten huge.  Well, not really.  Actually yes.  It's an aggregation article that has a bunch of other articles on the same subject which links to and displays the content of the other pagesThere is a lot of information hereIt is in large part a brain dump of learned knowledge.  This means that there hasn't been a lot of editing or neatening up of what's writtenSorry, there just isn't enough time.  Maybe one day.   


Information covered in this article was written for and tested on both the WRT1900ACS v1, WRT1900ACS v2, and WRT3200ACMHowever the information applies to the other models as well.   
Anyway, what you'll find here is a bunch of information collected on a bunch of different subjectsMany of them relate to very difficult problems that have solutions which will hopefully be valuable and help anyone that can't figure out an issue or how to make something they've pictured in their head but aren't sure how to implement.   


All models are available on eBay and the ACS, ACM, and 32X series are available new as of the writing of this article in 2020.  The most powerful and expensive models are the WRT3200ACM and the WRT32X.  The best bargain used in terms of cost and "horsepower" is the ACS seriesOccasionally it is possible to find a less than observant vendor on eBay selling an ACS model that is advertised as an AC modelThose are the best deals.   
This subject(s) of this article are the AC Series of routers manufactured by Linksys and the OpenWRT Firmware designed for them.  The Linksys AC Routers include the WRT1200AC, WRT1900AC v1, WRT1900AC v2, WRT1900ACS v2, WR1900ACS v2, WRT3200ACM, and WRT32X (A and B versions, one generic, the other marketed to X-Box owners).  The WRT1900AC v2 is essentially a WRT1900ACS v1 and the WRT3200ACM and WRT32X are duplicate hardware models with different firmware (from Linksys)All have a blue / black color scheme except for the WRT32X which is all blackThe models are sometimes referred to without the suffix letters as WRT1200, WRT1900, WRT3200.   


Details on each model are very nicely summarized on the OpenWRT website here: https://openwrt.org/toh/linksys/wrt_ac_series?s[]=wrt1200ac
Information covered in this article was written for and tested on various models, including the WRT1900ACS v1, WRT1900ACS v2, WRT3200ACM, and WRT32X.  The information applies to all of the models with some variations on the technical details. 
 
All models are available used on eBay.  The ACS, ACM, and 32X series are still available new as of the writing of this article in 2020.  The most powerful and expensive models are the WRT3200ACM and the WRT32X.  The best bargain used in terms of cost and "horsepower" is the ACS series.  Occasionally it is possible to find a less than observant vendor on eBay selling an ACS model that is advertised as an AC model.  Those are the best deals. 
 
Details on each model are very nicely summarized on the OpenWRT website.  Here's a link for the 1200 series: https://openwrt.org/toh/linksys/wrt_ac_series?s[]=wrt1200ac


As it started out, this article was intended to be a quick how to on a couple of items, but then grew to enormous proportions.  There was some consideration on breaking it into smaller sections, but the Mediawiki interface with its table of contents mitigates that need to an acceptable level.
As it started out, this article was intended to be a quick how to on a couple of items, but then grew to enormous proportions.  There was some consideration on breaking it into smaller sections, but the Mediawiki interface with its table of contents mitigates that need to an acceptable level.


The information in this article comes from many sources and also from hard earned experience.  It was collected in orderd to have a definitive repository of knowledge on the subject.
The information in this article comes from many sources and also from hard earned experience.  It was collected in order to have a definitive repository of knowledge on the subject.


==Quick C (as in Quick Configuration)==
==Quick S (as in Quick Start)==
Because this article contains a lot of information in addition to "How to..." tutorials, this sections summarizes and provides links to the major "How to..." sections below.
Because this article contains a lot of information in addition to "How to..." tutorials, this sections summarizes and provides links to the major "How to..." sections below.


*Upgrade Firmware from Linksys to OpenWRT
*Upgrade Firmware from Linksys to OpenWRT.  The instructions on the OpenWRT website for upgrading from the stock Linksys firmware to OpenWRT are a bit behind the changes that Linksys is making with their GUI.  What that means is one might have to hunt around a bit to find where Linksys has tucked away the firmware upgrade functionality.
*Install a several basic software packages that add very useful utilities and access to USB and eSATA storage device (Flash Drive, HDD enclosures, and even mSATA and M.2 NGFF & NVMe SSDs in USB 3.0 enclosures).  This includes backup software too.
*Install several basic software packages that add very useful utilities.  This includes software related to USB and eSATA storage device (Flash Drive, HDD enclosures, and even mSATA and M.2 NGFF & NVMe SSDs in USB 3.0 enclosures) and backup software.  A suggested strategy is to install a bunch of basic utilities that can be used to recover from any issues related to an external USB Flash drive.
**And now a quick side note that you'll read about in more detail later in this article.  OpenWRT makes it possible to install a big chunk of the "operating system" (OS) for a router on a USB 3.0 Flash Drive.  The partition volume it is mounted as is referred to as an "overlay" (again, more on this later).  In a simple definition for this instance, which glosses over a lot of details, an ''overlay'' partition in OpenWRT can be equated to a ''[[wikipedia:Non-RAID_drive_architectures#Concatenation_(SPAN,_BIG)|spanned]]'' disk drive / volume.  Essentially the internal Flash Drive and an additional USB 3.0 Flash Drive are combined / "[[wikipedia:Concatenation_(disambiguation)|concated]]" (sort of).  In this simplistic comparison, the BIOS portion of a computer is equated to the internal Flash Drive and the disk drive is equated to the external USB Flash Drive.  An ''overlay'' allows for a much larger "disk drive" to be used instead of relying on and being limited to the internal USB Flash Drive (although the same ''overlay'' technology is used to mount the internal Flash Drive if no external drive is available).  Think of it like this, the basic Windows (or Linux) OS is installed on the Internal Flash Drive.  It includes all of the basics to get things up and running.  Then additional stuff is installed on the external USB 3.0 Flash Drive.  The internal Flash Drive can still function, even if the external USB 3.0 Flash Drive is removed, albiet with reduced functionality (probably).  It becomes advantageous in recovery / disaster scenarios to install as many utilities as possible on the internal Flash Drive that are focused on recovering a malfunctioning external USB 3.0 Flash Drive.  Below are the recommended utilities to install.  Note, they will also have to be installed on the ''overlay'' partition / volume once that is configured (again, it's covered later in this article).
**Run the below commands to install the following items (but first, run opkg update). They're broken down into groups;
***General Utilities: opkg install wget htop nano coreutils-dd netcat restic shadow-passwd shadow-useradd shadow-groupadd shadow-chsh lsof bash
***Disk Related: opkg install block-mount e2fsprogs kmod-fs-ext4 kmod-usb-storage kmod-usb2 kmod-usb3 ntfs-3g usbutils gdisk cfdisk tune2fs kmod-fs-exfat dosfstools kmod-fs-vfat f2fs-tools kmod-fs-f2fs lsblk ntfs-3g-utils fdisk sfdisk wipefs hdparm
***GUI Interface / Tools for "built-in" services: opkg install luci-app-advanced-reboot luci-app-uhttpd
***Ease of Use Software: opkg install samba4-server samba4-utils luci-app-samba4 (of all the utilities to install, this is by far the largest in terms of storage space consumed)
***Optional (if there's space or a need): opkg install mwan3 luci-app-mwan3 kmod-macvlan
***Other Items to consider: "Packages that begins with ''coreutils''", "Packages that begins with ''coreutils''", "Other LuCI GUI Packages"
*Partition and Configure OpenWRT to use external storage drives, not just for storage, but also as a replacement / addition to the internal non-volitile storage
*Partition and Configure OpenWRT to use external storage drives, not just for storage, but also as a replacement / addition to the internal non-volitile storage


Line 87: Line 99:
*The fourth time you turn the power switch on you can let the device boot and it should boot into the other partition.
*The fourth time you turn the power switch on you can let the device boot and it should boot into the other partition.


Remember: When attempting to utilize this within the LUCI GUI (if already logged in and connected), refresh the browser windows (CTRL Key plus Refresh Button in Firefox).
After some experimentation, 4-5 seconds seems to be the sweet spot.
 
Here's what's happening "behind the scenes" when the the power switch is cycled in the above fashion.  The observations were made with a TTL / Serial / USB cable attached to the header on a router board.
 
*The Marvell firmware starts the boot process (equivalent to the BIOS of a PC)
*There is a 2-3 second pause where one can press a key on the command console to instruct the router to boot into a very basic environment for loading firmware (sort of equivalent to a BIOS setup utility on a PC)
*Before the 2-3 second window described above expires (and the boot process continues) is when the power button is turned off.
 
Below are a few of lines of information displayed during the boot process;<syntaxhighlight lang="text">
 
---below is the boot information after the "3nd power cycle"


So how does one upgrade OpenWRT firmware on the current / active boot partition when the process upgrades the other inactive partition?  What about changing the boot partition to the inactive one and then upgrade the firmware (See the [https://wiki.terrabase.info/wiki/Linksys_AC_Series_Router_Configuration_Tips#Switching&#x20;Boot&#x20;Partitions Switching Boot Partitions] section of this article for the commands to view or change the boot partition)?  After several attempts, this trick didn't work.  Documentation exists that says this trick works with DD-WRT (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=311117).  It seems the flashing of the NVRAM is left up to the Marvell SoS / CPU and there is no way around it via OpenWRT. Alternative? 
BootROM - 1.73
Booting from NAND flash


The solution is to upgrade from the other partition.  IE, if Partition 1 needs to be upgraded, boot to Partition 2 and perform an upgrade, which will then upgrade Partition 1. This will obviously work if OpenWRT is installed on both partitions. But how can one install DD-WRT on the other partition from OpenWRT?
General initialization - Version: 1.0.0
Detected Device ID 6820
High speed PHY - Version: 2.0


Solution: Use the command lineIE, it won't work from the OpenWRT LUCI GUI.
Init RD NAS topology Serdes Lane 3 is USB3
Serdes Lane 4 is SGMII
board SerDes lanes topology details:
| Lane #  | Speed |  Type      |
--------------------------------
|  0    |  06  |  SATA0      |
|  1    |  05  |  PCIe0      |
|  2    |  06  |  SATA1      |
|  3    |  05  |  USB3 HOST1 |
|  4    |  05  |  PCIe1      |
|  5    |  00  |  SGMII2    |
--------------------------------
:** Link is Gen1, check the EP capability
PCIe, Idx 0: Link upgraded to Gen2 based on client cpabilities
:** Link is Gen1, check the EP capability
PCIe, Idx 1: remains Gen1
High speed PHY - Ended Successfully
DDR3 Training Sequence - Ver TIP-1.26.0
mvSysEnvGetTopologyUpdateInfo: TWSI Read failed
DDR3 Training Sequence - Switching XBAR Window to FastPath Window
DDR3 Training Sequence - Ended Successfully
Not detected suspend to RAM indication
BootROM: Image checksum verification PASSED
__  __                      _ _
| \/  | __ _ _ ____  _____| | |
| |\/| |/ _` | '__\ \ / / _ \ | |
| |  | | (_| | |  \ V /  __/ | |
|_|  |_|\__,_|_|    \_/ \___|_|_|
        _  _    ____              _
        | | | |  | __ )  ___  ___ | |_
        | | | |___|  _ \ / _ \ / _ \| __|
        | |_| |___| |_) | (_) | (_) | |_
        \___/    |____/ \___/ \___/ \__|
** LOADER **


*Download the DD-WRT Factory Firmware (factory-to-ddwrt.bin) to the /tmp Directory
**For WGET to work, this may be needed: opkg install libustream-mbedtls
*Type the following command: sysupgrade -n -v -F /tmp/factory-to-ddwrt.bin (-n = do NOT keep current settings, -v = verbose, -F = Force)


The firmware will be installed on the other partition.
U-Boot 2013.01 (Mar 27 2015 - 16:50:46) Marvell version: 2014_T3.0p6


Boot version : v1.0.13


Only Upgrade versions of OpenWRT can be flashed via the GUI.  Factory firmware will result in an error.
Board: RD-NAS-88F6820-DDR3
, but not sure if it is possible to "cross update" between DD-WRT and OpenWRT.
SoC:  MV88F6820 Rev A0
      running 2 CPUs
CPU:  ARM Cortex A9 MPCore (Rev 1) LE
      CPU 0
      CPU    @ 1600 [MHz]
      L2    @ 800 [MHz]
      TClock @ 200 [MHz]
      DDR    @ 800 [MHz]
      DDR 32 Bit Width, FastPath Memory Access, DLB Enabled, ECC Disabled
DRAM:  512 MiB


Use the OpenWRT Install / Factory image in this instance.
Map:  Code:                    0x1fea9000:0x1ff7632c
      BSS:                    0x1ffef6b4
      Stack:                  0x1f9a8f20
      Heap:                    0x1f9a9000:0x1fea9000
raise: Signal # 8 caught
U-ENV offset == 0x200000
raise: Signal # 8 caught
U-ENV offset == 0x200000
      U-Boot Environment:      0x00200000:0x00220000 (NAND)
 
NAND:  128 MiB
MMC:  mv_sdh: 0
DEVINFO offset == 0x900000
U-ENV offset == 0x200000
U-ENV offset == 0x200000
S-ENV offset == 0x240000
 
 
#### auto_recovery ####
[u_env] get auto_recovery == yes
[u_env] get auto_recovery == yes
[u_env] get boot_part == 1
[u_env] get boot_part_ready == 3
auto_recovery enabled:1, boot_part:1, boot_part_ready:3
 
S-ENV offset == 0x240000
[boot_count_read] block:0x240000, size:128KB, records:64
[boot_count_read_record] boot_count:2, next_record:53
 
[boot_count_write] erase:0, auto_recovery->block_offset:0x240000 offset=0x25A800
 
Updating boot_count ...
[boot_count_write] offset:0x25A800 , length:2048
done
 
PCI-e 0 (IF 0 - bus 0) Root Complex Interface, Detected Link X1, GEN 2.0
PCI-e 1 (IF 1 - bus 1) Root Complex Interface, Detected Link X1, GEN 1.1
USB2.0 0: Host Mode
USB3.0 1: Host Mode
USB3.0 0: Host Mode
Board configuration detected:
mvEthE6171SwitchBasicInit init
Net: 
|  port  | Interface | PHY address  |
|--------|-----------|--------------|
| egiga0 |  RGMII  |    0x01    |
| egiga1 |  SGMII  |    0x00    |
egiga0 [PRIME], egiga1
auto_recovery_check changes bootcmd: run nandboot
Hit any key to stop autoboot:  2  <-- This is the countdown timer that starts at 3
 
--- and below is what it changes to after the "3rd power cycle / 4th power on" (minus all of the lines similar to above that come before it)
 
#### auto_recovery:2 ####
auto_recovery_check changes bootcmd: run altnandboot
Hit any key to stop autoboot:  0
 
</syntaxhighlight>


===Upgrading the "Other Partition" from OpenWRT (be it another OpenWRT installation, Linksys firmware, DD-WRT, etc.)===
===Upgrading the "Other Partition" from OpenWRT (be it another OpenWRT installation, Linksys firmware, DD-WRT, etc.)===
Using LuCI to upgrade firmware, as of about 19.07.3, the upgrade process in the GUI has changed slightly and states: "Upload a sysupgrade-compatible image here to replace the running firmware."  That might lead one to believe that the "running firmware", IE the currently booted and running version of OpenWRT will be upgraded.  That is NOT the case.  The LuCI GUI upgrade will upgrade the firmware on the ''other'' partition and then boot from the other partition.  The OpenWRT message is probably related to the fact most routers do not have the special dual boot flash partitions that the AC Series has.
As of 9.20.2020 much of the below is in question.  It has been determined that when using the LuCI GUI and an upgrade firmware image (not Linksys Factory to OpenWRT) that the ''CURRENT'' partition (not the other partition) will be upgraded...  Sometimes...  ...but not always.  The pattern seems to be very erratic.  This is not good.  Linksys Factory to OpenWRT seems to reliably flash the other partition.  None of this is noted in the OpenWRT documentation.
 
Additionally, if flashing DD-WRT (there's a reason) to the other partition, per this site: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318917&sid=ead6f3133aa640d078354c986b7c3981 and experimenting, it just does not seem possible to flash any recent version of DD-WRT to the other partition that works and doesn't create a "kernel panic" when booting.  The solution?
 
*From an OpenWRT partition, flash the other partition with OpenWRT
*Get an old firmware version of DD-WRT (Linksys Factory to DD-WRT), version 37xxx or below, sometime in 2018, and flash that
*The router won't reboot properly, but give it a minute or so to make sure the image is copied, then turn the router off, then on.  It will then boot to DD-WRT
*Note, if using Firefox or any other browser to access the DD-WRT GUI, it will probably keep redirecting to the LuCI GUI.  Clear the browsing history or open a private tab in Firefox to solve that issue.
*Get a more recent version of DD-WRT (upgrade version), flash that, good to go with OpenWRT on one partition and DD-WRT on the other.
 
OK, why DD-WRT?  Well, as it turns out, DD-WRT has a bunch of development tools that OpenWRT does not.  That means it is much, much easier to compile one's own sofware (packages, not firmware) on a router.  This includes perl packages, etc.  And, as tested, the binary / executables on DD-WRT are completely functional on OpenWRT as long as all the dependencies are in place.  It is even possible to have a huge chunk of DD-WRT software in the /opt Directory available on OpenWRT.  The easiest way to not run into conflicts is to only install software that is not available in OpenWRT in the /opt Directory.  That way environment paths can be set up to search /opt first, then the normal OpenWRT binary / executables.
 
One thing to keep in mind about OpenWRT VS DD-WRT is how each refers to the CPU / SoC of the Marvell based hardware.  OpenWRT refers to it as a Cortex A9.  And it is.  DD-WRT refers to it as ARMv7 and it is.  Technically (see above section for details on the hardware).  It's the same thing with both firmwares making a partial reference to the hardware's name.  Arm, DD-WRT, and OpenWRT can all share the blame on this.  See the chart on Wikipedia for some clarity: https://en.wikipedia.org/wiki/List_of_ARM_microarchitectures
 
<s>Using LuCI to upgrade firmware, as of about 19.07.3, the upgrade process in the GUI has changed slightly and states: "Upload a sysupgrade-compatible image here to replace the running firmware."  That might lead one to believe that the "running firmware", IE the currently booted and running version of OpenWRT will be upgraded.  That is NOT the case.  The LuCI GUI upgrade will upgrade the firmware on the ''other'' partition and then boot from the other partition.  The OpenWRT message is probably related to the fact most routers do not have the special dual boot flash partitions that the AC Series has.</s>
 
<s>Using the command line to upgrade the firmware will upgrade the ''other'' partition, the subsequent boot will be to the current partition (IE, the one it was flashed from): sysupgrade -n -v -F /tmp/factory-to-ddwrt.bin (-n = do NOT keep current settings, -v = verbose, -F = Force)</s>
 
<s>So how does one upgrade OpenWRT firmware on the current / active boot partition when the process upgrades the other inactive partition?  What about changing the boot partition to the inactive one and then upgrade the firmware (See the [https://wiki.terrabase.info/wiki/Linksys_AC_Series_Router_Configuration_Tips#Switching&#x20;Boot&#x20;Partitions Switching Boot Partitions] section of this article for the commands to view or change the boot partition)?  After several attempts, this trick didn't work.  Documentation exists that says this trick works with DD-WRT (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=311117).  It seems the flashing of the NVRAM is left up to the Marvell SoS / CPU and there is no way around it via OpenWRT. Alternative?</s>
 
<s>The solution is to upgrade from the other partition.  IE, if Partition 1 needs to be upgraded, boot to Partition 2 and perform an upgrade, which will then upgrade Partition 1.  This will obviously work if OpenWRT is installed on both partitions.  But how can one install DD-WRT on the other partition from OpenWRT?</s>


Using the command line to upgrade the firmware will upgrade the ''other'' partition, the subsequent boot will be to the current partition (IE, the one it was flashed from): sysupgrade -n -v -F /tmp/factory-to-ddwrt.bin (-n = do NOT keep current settings, -v = verbose, -F = Force)
<s>Solution: Use the command line.  IE, it won't work from the OpenWRT LUCI GUI.</s>
 
*<s>Download the DD-WRT Factory Firmware (factory-to-ddwrt.bin) to the /tmp Directory</s>
**<s>For WGET to work, this may be needed: opkg install libustream-mbedtls</s>
*<s>Type the following command: sysupgrade -n -v -F /tmp/factory-to-ddwrt.bin (-n = do NOT keep current settings, -v = verbose, -F = Force)</s>
 
<s>The firmware will be installed on the other partition.</s>
 
<s>Remember: When attempting to utilize this within the LUCI GUI (if already logged in and connected), refresh the browser windows (CTRL Key plus Refresh Button in Firefox).</s>
 
<s>Only Upgrade versions of OpenWRT can be flashed via the GUI, not factory (unless the other partition is LinkSys firmware).</s>
 
<s>Use the OpenWRT Install / Factory image in this instance.</s>


==OpenWRT System Logging==
==OpenWRT System Logging==
Line 124: Line 278:


===Recommended Hardware Devices===
===Recommended Hardware Devices===
The best recommendation for a USB Flash Drive is the SanDisk Ultra Fit USB 3.1 Flash Drive Series.  And the recommendation is NOT because it is the fastest.  They brag speeds up to 130 MB/S.  Maybe downhill in a tornado, but under normal systems, that speed is a joke for this piece of hardware.  So why recommend it?  Well as it turns out, the fastest drive, USB, eSATA, or otherwise that has been tested on the AC Series is about 70 MB/S (this has been confirmed for eSATA) and around 45 MB/S for USB 3.0 (using a Patriot SuperSonic Rage Elite USB 3.1 Flash Drive that has been verified multiple times at over 200 MB/S sustained).  Based on that and the below reviews it seems the Ethernet Switch may be topping out at about 70 MB/S, which is quite respectable.
The best recommendation for a USB Flash Drive is the SanDisk Ultra Fit USB 3.1 Flash Drive Series.  And the recommendation is NOT because it is the fastest.  They brag speeds up to 130 MB/S.  Maybe downhill in a tornado, but under normal systems, that speed is a joke for this piece of hardware.  So why recommend it?  Well as it turns out, the fastest drive, USB, eSATA, or otherwise that has been tested on the AC Series is about 70 MB/S (this has been confirmed for eSATA) and around 45 MB/S for USB 3.0 (using a Patriot SuperSonic Rage Elite USB 3.1 Flash Drive that has been verified multiple times at over 200 MB/S sustained).  Based on that and the below reviews it seems the Ethernet Switch may be topping out at about 70 MB/S, which is quite respectable.[[File:Sabrent USB 3.0 Hub.jpg|alt=Sabrent USB 3.0 Hub (HB-R3MB)|thumb|158x158px|Sabrent USB 3.0 Hub|left]]Some reviews have the USB 3.0 speeds and eSATA speeds about the same at around 70 MB/S: https://www.eteknix.com/linksys-wrt3200acm-router-review/10/
 
Some reviews have the USB 3.0 speeds and eSATA speeds about the same at around 70 MB/S: https://www.eteknix.com/linksys-wrt3200acm-router-review/10/


Others have the USB 3.0 speeds measured considerably slower at about 20 MB/S: https://www.kitguru.net/peripherals/james-morris/linksys-wrt3200acm-ac3200-wireless-router-review/4/
Others have the USB 3.0 speeds measured considerably slower at about 20 MB/S: https://www.kitguru.net/peripherals/james-morris/linksys-wrt3200acm-ac3200-wireless-router-review/4/
Line 132: Line 284:
Anyway, the above mentioned SanDisk device tops out at about 70 MB/S on every system that the above mentioned Patriot device tops out at over 200 MB/S.  Notice that 70 MB/S speed mentioned twice?  Once for the SanDisk device and once for the AC Series.  The next item to consider is price.  The SanDisk is not the cheapest, but it is fairly low.  When price and performance are both considered, it turns out the SanDisk device beats everyone.  And since the AC series router and SanDisk USB Flash Drive both top out at around 70 MB/S, that makes it the perfect match.
Anyway, the above mentioned SanDisk device tops out at about 70 MB/S on every system that the above mentioned Patriot device tops out at over 200 MB/S.  Notice that 70 MB/S speed mentioned twice?  Once for the SanDisk device and once for the AC Series.  The next item to consider is price.  The SanDisk is not the cheapest, but it is fairly low.  When price and performance are both considered, it turns out the SanDisk device beats everyone.  And since the AC series router and SanDisk USB Flash Drive both top out at around 70 MB/S, that makes it the perfect match.


If one is considering using the USB Flash Drive for other purposes, go with the Patriot USB Flash Drive.  If using the USB flash drive as a dedicated device for an AC series routers then go with the SanDisk USB flash drive.  Plus it's also much smaller and has a lower profile than the patriot device.  Both drives claim speeds about double what they can deliver.  The final joke is that the Patriot device is USB 3.0 and the SanDisk is a USB 3.1 device.
If one is considering using the USB Flash Drive for other purposes, go with the Patriot USB Flash Drive.  If using the USB flash drive as a dedicated device for an AC series routers then go with the SanDisk USB flash drive.  Plus it's also much smaller and has a lower profile than the patriot device.  Both drives claim speeds about double what they can deliver.  The final joke is that the Patriot device is USB 3.0 and the SanDisk is a USB 3.1 device.[[File:USB 3.0 Extension.jpg|alt=USB 3.0 Extension|thumb|120x120px|USB 3.0 Extension|left]]Another nice item, which isn't necessary, but makes nice neat way to connect several USB flash drives to a router is a Sabrent USB 3.0 Hub (model HB-RBM3).  From [https://www.walmart.com/ip/Sabrent-Premium-3-Port-Aluminum-Mini-USB-3-0-90-180-Degree-Rotatable-HB-R3MB/114811464 Wal-Mart], only about $12.  There are other similar device, but this one is much higher quality.  Sadly, even with its ability to rotate, it won't plug into the router without blocking several of the Ethernet ports (including the WAN port) or the power connector.  Thanks to the overhang on the rear of the AC Series router, it can't be rotated up.  This is not the fault of the Sabrent USB 3.0 Hub, but the design of the Linksys Router that causes the issue.  It is also worth pointing out that in tests, there was ''no'' drop in transfer speeds between a single USB Flash Drive plugged directly into the router's USB 3.0 port and the same drive plugged into the router via the Sabrent USB 3.0 hub.
[[File:USB to mSATA.jpg|alt=USB to mSATA|left|thumb|120x120px|USB to mSATA Enclosure]]
 


Another nice item, which isn't necessary, but makes nice neat way to connect several USB flash drives to a router is a Sabrent USB 3.0 Hub (model HB-RBM3).  From [https://www.walmart.com/ip/Sabrent-Premium-3-Port-Aluminum-Mini-USB-3-0-90-180-Degree-Rotatable-HB-R3MB/114811464 Wal-Mart], only about $12.  There are other similar device, but this one is much higher quality.  Sadly, even with its ability to rotate, it won't plug into the router without blocking several of the Ethernet ports (including the WAN port) or the power connector.  Thanks to the overhang on the rear of the AC Series router, it can't be rotated up.
[[File:Sabrent USB 3.0 Hub.jpg|alt=Sabrent USB 3.0 Hub|none|thumb|158x158px|Sabrent USB 3.0 Hub]]
[[File:USB 3.0 Extension.jpg|alt=USB 3.0 Extension|none|thumb|120x120px|USB 3.0 Extension]]
But there is a solution...  A USB 3.0 A Male to A Female Adapter (Part # 1206-N, UPC 848076012233) from a company named CMPLE.  It is available from several places: [https://www.walmart.com/ip/Cmple-USB-3-0-A-Male-to-A-Female-Adapter/172246645 Wal-Mart], [https://www.ebay.com/itm/NEW-USB-3-0-A-MALE-TO-A-FEMALE-M-F-ADAPTER-CONNECTOR-NEW-/362695174727 eBAy], and from the company that appears to have it manufactured (in China), [https://www.cmple.com/ProductsBySKU/1206-N CMPLE].  Even at about $3.00 it is a bit more expensive than other similar products (and there are only a few).  But it has one advantage in that the orientation of the male and female part of the connector are arranged such that the above noted 3 Port USB 3.0 hub from Sabrent can connect and be in the "up" position.  All other similar items found require that the hub be rotated to the left, right, or down.  Down isn't a choice unless one's router is on the edge of a table.  Left and right are good as the adapter provides enough clearance for the hub so it doesn't contact the power cord or the Ethernet cable on the WAN port.
But there is a solution...  A USB 3.0 A Male to A Female Adapter (Part # 1206-N, UPC 848076012233) from a company named CMPLE.  It is available from several places: [https://www.walmart.com/ip/Cmple-USB-3-0-A-Male-to-A-Female-Adapter/172246645 Wal-Mart], [https://www.ebay.com/itm/NEW-USB-3-0-A-MALE-TO-A-FEMALE-M-F-ADAPTER-CONNECTOR-NEW-/362695174727 eBAy], and from the company that appears to have it manufactured (in China), [https://www.cmple.com/ProductsBySKU/1206-N CMPLE].  Even at about $3.00 it is a bit more expensive than other similar products (and there are only a few).  But it has one advantage in that the orientation of the male and female part of the connector are arranged such that the above noted 3 Port USB 3.0 hub from Sabrent can connect and be in the "up" position.  All other similar items found require that the hub be rotated to the left, right, or down.  Down isn't a choice unless one's router is on the edge of a table.  Left and right are good as the adapter provides enough clearance for the hub so it doesn't contact the power cord or the Ethernet cable on the WAN port.
===Overlay===
Before getting into the "how" with an external storage device, it is worth pointing out one of the more useful features available in OpenWRT.


Whatever external storage device is chosen, be it an old USB 2.0 Flash Drive that's been sitting in a drawer to an 8 TB or more HDD in an eSATA enclosure, it can be used in the capacity of just a storage deviceHowever, there is a nice feature that allows for additional software that acts in conjunction with the basic firmware of the router to be stored on an external storage deviceTo put it in terms of a computer, the router can be a computer that has two storage devicesOne for the Operating System (Firmware in the case of a router) and the other for file storage. But what if the Operating System (AKA firmware) could also reside on an external storage device. With OpenWRT it can.
[[File:90 Degree Cable.jpg|alt=90 Degee Cable|left|thumb|121x121px|90 Degee Cable]]
And did locate a cable that has chance (didn't test it by buying it) of fitting behind the above 90° USB 3.0 Hub noted aboveThe cable would also then have to bend at quite an angle to clear what ever the router was mounted on or sitting on.  But it seems possibleIt's from this company: http://www.wire-cable-solution.com/showing_2395_2071/ESATA-7Pin-small-90-to-SATA-First-generation.html


There are two choice to make in regards to relocating the OS of a routerThe first choice, referred to as "Overlay", has part of the OS continuing to reside on the internal Flash Storage with the rest on an external storage device.  The second choice, mounting the external storage device as the "root filesystem" can move almost all of the OS to the external storage device.  
Watch out for other idiot sellers that list an "eSATA" cable that isn'tLook closely and you'll see that it's an internal SATA connector.  The best tip when searching is to switch to Google or Bing images to find the proper cable.


Details on the OpenWRT booting process, overlay, file systems, etc. can be read about at the below links.  Don't do any of it yet, just read it for the technical background information;
Google also gives some false hope when searching for a cable like this when it shows just the item, but the link is dead or is redirected to generica SATA cables.
 
<br />
 
====Bottom Line====
Use an mSATA SSD in a USB 3.0 enclosure.
 
A quick test using the DD utility to copy a "Zero Byte" file to various devices (Flash Drive, mSATA SSD, etc.) resulted in the following speeds;
 
*Average USB 3.0 Flash Drive: 26 MB/S
*Good USB 3.0 Flash Drive: 45 MB/S
*mSATA SSD: 300 MB/S (in this enclosure: https://www.newegg.com/riitop-mstu3c-zhi-enclosure/p/0VN-006F-00017?Item=9SIA6V86C51798)
 
...not even close.  An mSATA SSD in the above enclosure blew everything else out of the water.  And it was just an average mSATA SSD (https://www.newegg.com/vaseky-v800-128gb/p/0D9-00D6-00008?Item=9SIAGKC7VJ8289).  Together, maybe a bit more expensive than a similar sized good Flash Drive, but as DeadPool said, "...worth it!"
 
===Overlay===
Before getting into the "how" with an external storage device, it is worth pointing out one of the more useful features available in OpenWRT.
 
Whatever external storage device is chosen, be it an old USB 2.0 Flash Drive that's been sitting in a drawer to an 8 TB or more HDD in an eSATA enclosure, it can be used in the capacity of just a storage device.  However, there is a nice feature that allows for additional software that acts in conjunction with the basic firmware of the router to be stored on an external storage device.  To put it in terms of a computer, the router can be a computer that has two storage devices.  One for the Operating System (Firmware in the case of a router) and the other for file storage.  But what if the Operating System (AKA firmware) could also reside on an external storage device.  With OpenWRT it can.
 
There are two choice to make in regards to relocating the OS of a router.  The first choice, referred to as "Overlay", has part of the OS continuing to reside on the internal Flash Storage with the rest on an external storage device.  The second choice, mounting the external storage device as the "root filesystem" can move almost all of the OS to the external storage device.
 
Details on the OpenWRT booting process, overlay, file systems, etc. can be read about at the below links.  Don't do any of it yet, just read it for the technical background information;


*File Systems & Summary of Boot Process: https://openwrt.org/docs/techref/filesystems
*File Systems & Summary of Boot Process: https://openwrt.org/docs/techref/filesystems
Line 163: Line 335:


*opkg update
*opkg update
*opkg install block-mount e2fsprogs kmod-fs-ext4 kmod-usb-storage kmod-usb2 kmod-usb3 ntfs-3g usbutils gdisk cfdisk tune2fs kmod-fs-exfat dosfstools kmod-fs-vfat f2fs-tools kmod-fs-f2fs lsblk ntfs-3g-utils fdisk sfdisk wipefs blkid
*opkg install block-mount e2fsprogs kmod-fs-ext4 kmod-usb-storage kmod-usb2 kmod-usb3 ntfs-3g usbutils gdisk cfdisk tune2fs kmod-fs-exfat dosfstools kmod-fs-vfat f2fs-tools kmod-fs-f2fs lsblk ntfs-3g-utils fdisk sfdisk wipefs blkid mkf2fs hdparm (block-mount is the package that enables the "Mount Points" menu to appear in the LuCI GUI interface, and a reboot is necessary after installation)


Please note, all of the above packages are not necessary.  But they do represent a broad range of tools that are very useful.  And since they don't take up a lot of space, it's worth installing them.  They don't run as active services or anything either, so no extra RAM or CPU usage unless one types the command.  Reboot after installing all of the above software.
Please note, all of the above packages are not necessary.  But they do represent a broad range of tools that are very useful.  And since they don't take up a lot of space, it's worth installing them.  They don't run as active services or anything either, so no extra RAM or CPU usage unless one types the command.  Reboot after installing all of the above software.
Line 226: Line 398:
Change a Volume Label;
Change a Volume Label;


*tune2fs -L WhatEverName /dev/sdaX
*For EXT4: tune2fs -L WhatEverName /dev/sdaX
*For NTFS: ntfslabel /dev/sdXy WhatEverLabelName
*For a Swap File (opkg install swap-utils): swaplabel /dev/sdXy WhatEverLabelName


====Performance Tuning for ExtX====
====Performance Tuning for ExtX====
Line 232: Line 406:


*tune2fs -o journal_data_writeback /dev/sdaX
*tune2fs -o journal_data_writeback /dev/sdaX
*tune2fs -O ^has_journal /dev/sdaX
*tune2fs -O has_journal /dev/sdaX


====Performance Tuning for NTFS====
====Performance Tuning for NTFS====
Line 241: Line 415:
*If compression is also desired, add this in the above noted location: big_writes,compression
*If compression is also desired, add this in the above noted location: big_writes,compression


===Clone a Partition===
===Resizing a Parition (and then resize the file system (ext4, etc.))===
Use CFDISK to resize the partition.  It's easy, just run CFDISK, use arrow keys to select resize, change the size of the partition (16G will result in a 16 Gigabyte Parition)
 
Then resize the files system to take advantage of the extra space: resize2fs /dev/sdXY (opkg install resize2fs if it isn't installed), example resize2fs /dev/sda1 (will resize file system to the full size of the partition), example resize2fs /dev/sda1 32G (will resize file system to 32 Gigabytes, note, partition must be at least 32 Gigabytes for this to work without an error).
 
===Clone a Partition (see DD section below Restic Section way down)===
It is recommended to make sure the destination partition is the same size or larger of course.  Be prepared to wait a while, even on a USB 3.0 port.  
It is recommended to make sure the destination partition is the same size or larger of course.  Be prepared to wait a while, even on a USB 3.0 port.  


*dd if=/dev/sda1 of=/dev/sda2 status=progress  
*dd if=/dev/sda1 of=/dev/sda2 status=progress (to take advantage of the "status=progress" feature, the full version of dd must be installed: opkg install coreutils-dd)


Note: After cloning, to save confusion and sanity, remove the source drive.  It also may be necessary to reboot the router or dismount and mount the drive if it was already mounted to see the "cloned" directories and files.  All of this is necessary because ''everything'' is cloned and OpenWRT may display two /dev/sdX devices that are exactly the same (IE sdb1 and sdb1 as two distinct, but duplicate device partitions).
Note: After cloning, to save confusion and sanity, remove the source drive.  It also may be necessary to reboot the router or dismount and mount the drive if it was already mounted to see the "cloned" directories and files.  All of this is necessary because ''everything'' is cloned and OpenWRT may display two /dev/sdX devices that are exactly the same (IE sdb1 and sdb1 as two distinct, but duplicate device partitions).  Also remember that DD is not a sophisticated cloning utility, so when cloning an entire partition, it will clone the ''entire'' partition, including empty / blank space.  Acronis, Clonezilla, etc. will ignore empty space by default (the option exists to do a "sector by sector" copy which includes blank space), thus speeding up the cloning process.


===Use an External Drive (USB Flash Drive, USB to mSATA) instead of internal Flash Memory using Overlay===
===Use an External Drive (USB Flash Drive, USB to mSATA) instead of internal Flash Memory using Overlay===
Line 309: Line 488:


====Viewing Available Internal Partitions and Information====
====Viewing Available Internal Partitions and Information====
'''''NOTE: Most of the below information in this section is from the perspective of OpenWRT.  DD-WRT has a slightly different "perspective" on the layout.'''''
See https://openwrt.org/toh/linksys/linksys_wrt1900ac, https://openwrt.org/toh/linksys/linksys_wrt1900acs, and https://openwrt.org/toh/linksys/linksys_wrt3200acm for Flash Memory Layouts of each AC Router Model.  The Flash Memory (non-volatile RAM / NVRAM) Layout is directly comparable to Partitions on a Personal Computer's disk drive or SSD.
See https://openwrt.org/toh/linksys/linksys_wrt1900ac, https://openwrt.org/toh/linksys/linksys_wrt1900acs, and https://openwrt.org/toh/linksys/linksys_wrt3200acm for Flash Memory Layouts of each AC Router Model.  The Flash Memory (non-volatile RAM / NVRAM) Layout is directly comparable to Partitions on a Personal Computer's disk drive or SSD.


Various commands to "see" the available internal Flash Memory partitions;
Various commands to "see" the available internal Flash Memory partitions;


*ls -la /dev/ub* : A directory listing of UBI devices
*ls -la /dev/ub*<span> </span>: A directory listing of UBI devices
*cat /proc/mtd : A list of the various MTD ([https://openwrt.org/docs/techref/mtd Memory Technology Device]) Partitions
*cat /proc/mtd<span> </span>: A list of the various MTD ([https://openwrt.org/docs/techref/mtd Memory Technology Device]) Partitions
*UBI (Unsorted Block Images) Commands;
*UBI (Unsorted Block Images) Commands;
**ubinfo - provides information about UBI devices and volumes found in the system
**ubinfo - provides information about UBI devices and volumes found in the system
Line 367: Line 548:


Remember, the flash memory layout of the AC Series was created by Linksys, not Marvell.  And as noted by some, it seems a bit wasteful in how it was utilized.  
Remember, the flash memory layout of the AC Series was created by Linksys, not Marvell.  And as noted by some, it seems a bit wasteful in how it was utilized.  
The below information illustrates the difference in "perspective" between OpenWRT and DD-WRT in terms of how each of them "sees" the underlying partitions.  The below information was obtained from a router with OpenWRT on partition 1 and DD-WRT on partition 2.  The naming of the first four partitions is similar.  The naming difference on mtd4 - mtd7 is a difference in naming conventions between the two firmwares.  But notice the last "2 or 3" partitions...  DD-WRT makes use of the "unused" mtd8 (from OpenWRT perspective) and divides it into two partitions (mtd8 and mtd9), nvram and dd-wrt.
There is no explanation for the size differences. <syntaxhighlight lang="text">
---OpenWRT (cat /proc/mtd)
dev:    size  erasesize  name
mtd0: 00200000 00020000 "u-boot"
mtd1: 00040000 00020000 "u_env"
mtd2: 00040000 00020000 "s_env"
mtd3: 00100000 00020000 "devinfo"
mtd4: 02800000 00020000 "kernel1"
mtd5: 02200000 00020000 "ubi"
mtd6: 02800000 00020000 "kernel2"
mtd7: 02200000 00020000 "rootfs2"
mtd8: 02600000 00020000 "syscfg"
mtd9: 00680000 00020000 "unused_area"
--DDWRT (cat /proc/mtd)
dev:    size  erasesize  name
mtd0: 00200000 00020000 "u-boot"
mtd1: 00040000 00020000 "u_env"
mtd2: 00040000 00020000 "s_env"
mtd3: 00100000 00020000 "devinfo"
mtd4: 02800000 00020000 "linux"
mtd5: 02500000 00020000 "rootfs"
mtd6: 02700000 00020000 "linux2"
mtd7: 02400000 00020000 "ubi"
mtd8: 00040000 00020000 "nvram"
mtd9: 02500000 00020000 "ddwrt"
mtd10: 00680000 00020000 "unused_area"
</syntaxhighlight>


====Mounting Internal Partitions====
====Mounting Internal Partitions====
'''WARNING:''' As of late 2021, with a WRT32X Model Router, it has been demonstrated that simply using the ''ubiattach'' command will render a partition unbootable and cause a "Bad Linux ARM zImage magic!" error message (Note: That error message is not a joke, it is a direct copy and paste, the magic is bad.).  As a result of that finding, it is recommended to NOT use the ''ubiattach'' command.  And there are exactly 6 results from Google that note this issue, with only one having any relavence (but with no solution other than reflashing an image, it only mentions the issue): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326162&sid=8eb66fb3cac5eebe932ce578eb34cacb
To view information about available UBI devices and partitions;
To view information about available UBI devices and partitions;


*ls -la /dev/ub* : A directory listing of UBI devices
*ls -la /dev/ub*<span> </span>: A directory listing of UBI devices
*cat /proc/mtd : A list of the various MTD ([https://openwrt.org/docs/techref/mtd Memory Technology Device]) Partitions
*cat /proc/mtd<span> </span>: A list of the various MTD ([https://openwrt.org/docs/techref/mtd Memory Technology Device]) Partitions


See http://www.linux-mtd.infradead.org/doc/ubi.html for additional information about UBI
See http://www.linux-mtd.infradead.org/doc/ubi.html for additional information about UBI
Line 904: Line 1,122:


=====Additional Notes=====
=====Additional Notes=====
Whenever the DNSMASQ service is started it overwrites the /tmp/resolve.conf file with it's own version of that same file.  It will also delete any symbolic link at /tmp/resolv.conf which typically points to /tmp/resolv.conf.auto.  When the DNSMASQ service is stopped it "politely" recreates that symbolic link.  An explanation is given here: https://forum.openwrt.org/t/solved-dnsmasq-resolv-conf-inconsitent/13972/2  Basically the site is saying that if the DNSMASQ service is started and you have your own "DNS Service", why do you need to use external DNS Servers (which makes sense).   
Whenever the DNSMASQ service is started it overwrites the /tmp/resolv.conf file with it's own version of that same file.  It will also delete any symbolic link at /tmp/resolv.conf which typically points to /tmp/resolv.conf.auto.  When the DNSMASQ service is stopped it "politely" recreates that symbolic link.  An explanation is given here: https://forum.openwrt.org/t/solved-dnsmasq-resolv-conf-inconsitent/13972/2  Basically the site is saying that if the DNSMASQ service is started and you have your own "DNS Service", why do you need to use external DNS Servers (which makes sense).   


A side effect of the above behavior is it overwrites MWAN3 settings that are stored in /tmp/resolv.conf.auto.  If one has custom external DNS servers enabled for multiple WAN ports they will no longer be used.  This is not a flaw with OpenWRT, just a behavior to be aware of.  If one needs to configure specific upstream DNS servers, any custom DNS servers configured with MWAN can be configured within DNSMASQ.  Again, this is just something to be aware of.
A side effect of the above behavior is it overwrites MWAN3 settings that are stored in /tmp/resolv.conf.auto.  If one has custom external DNS servers enabled for multiple WAN ports they will no longer be used.  This is not a flaw with OpenWRT, just a behavior to be aware of.  If one needs to configure specific upstream DNS servers, any custom DNS servers configured with MWAN can be configured within DNSMASQ.  Again, this is just something to be aware of.


The following is not an issue IF a custom /etc/dhcpd.conf file exists (IE, if the default OpenWRT method for configuring DHCPD is used via the /etc/config/dhcp file):  There is a problem if one wishes to use DHCPD and NAMED / BIND instead of DNSMASQ as the DHCPD service is not as "polite" as the DNSMASQ service (NAMED / BIND does not cause any conflict).  When the DHCPD service starts, as with DNSMASQ, the /tmp/resolv.conf file is replaced.  The settings DHCPD configures in the file are the same as DNSMASQ.  However, when the DHCPD service is stopped, as noted above, it is as "polite" as DNSMASQ because the symbolic link that directs /tmp/resolv.conf to /tmp/resolv.conf.auto is not recreated.  This leaves the /tmp/resolv.conf file configured with the setting ''nameserver 127.0.0.1''.  This can be an issue with BIND / NAMED if it is not configured to "answer" (listen and do recursive lookups) on 127.0.01 IP Address.  So make sure the BIND / NAMED configuration file includes 127.0.0.1 IP Address in both the allow-recursion and listen-on-port sections.
The following is not an issue IF a custom /etc/dhcpd.conf file exists (IE, if the default OpenWRT method for configuring DHCPD is used via the /etc/config/dhcp file):  There is a problem if one wishes to use DHCPD and NAMED / BIND instead of DNSMASQ as the DHCPD service is not as "polite" as the DNSMASQ service (NAMED / BIND does not cause any conflict).  When the DHCPD service starts, as with DNSMASQ, the /tmp/resolv.conf file is replaced.  The settings DHCPD configures in the file are the same as DNSMASQ.  However, when the DHCPD service is stopped, as noted above, it is not as "polite" as DNSMASQ because the symbolic link that directs /tmp/resolv.conf to /tmp/resolv.conf.auto is not recreated.  This leaves the /tmp/resolv.conf file configured with the setting ''nameserver 127.0.0.1''.  This can be an issue with BIND / NAMED if it is not configured to "answer" (listen and do recursive lookups) on 127.0.01 IP Address.  So make sure the BIND / NAMED configuration file includes 127.0.0.1 IP Address in both the allow-recursion and listen-on-port sections.


Oddly, when doing a Google, Bing, etc search for these three terms: "resolvfile" "openwrt" "isc_dhcpd" NOTHING exists on the internet.  Until now that is.
Oddly, when doing a Google, Bing, etc search for these three terms: "resolvfile" "openwrt" "isc_dhcpd" NOTHING exists on the internet.  Until now that is.
Line 918: Line 1,136:
When installing, be sure to disable or uninstall DNSMASQ.  Make sure DHCPD is installed if removing DNSMASQ (see DHCPD section below)
When installing, be sure to disable or uninstall DNSMASQ.  Make sure DHCPD is installed if removing DNSMASQ (see DHCPD section below)


*service stop dnsmasq
*service dnsmasq stop
*service dnsmasq disable
 
OR
 
*opkg remove dnsmasq
*opkg remove dnsmasq


Line 932: Line 1,154:
opkg update
opkg update


opkg install bind-server bind-tools (bind-tools includes: bind-rndc bind-check, plus dependencies)
opkg install bind-server bind-tools (bind-tools includes: bind-rndc bind-check, plus dependencies are all installed)
 
Configure via text files in /etc/bind/... (see example file below)


Enable and start the service (all of this is done automatically when the above packages are installed;
Enable and start the service (all of this is done automatically when the above packages are installed;
Line 944: Line 1,164:


====Configuration====
====Configuration====
Configure via text files in /etc/bind/... (see example file below)
If using Slave Zones, make sure permissions are set correctly for the Directory;
If using Slave Zones, make sure permissions are set correctly for the Directory;


Line 949: Line 1,171:
*chgrp bind /etc/bind/slaves
*chgrp bind /etc/bind/slaves


This is the command line OpenWRT uses (CHROOT is not employed): /usr/sbin/named -u bind -f -c /etc/bind/named.conf (-u = User, -f = Run in the Foreground not as a Daemon, -c = Configuration File)
This is the command line OpenWRT uses (CHROOT is not employed) in the /etc/init.d/named file: /usr/sbin/named -u bind -f -c /etc/bind/named.conf (-u = User, -f = Run in the Foreground not as a Daemon, -c = Configuration File)


*To disable IPv6, add the following to the command line: -4
*To disable IPv6, add the following to the command line: -4
Line 1,106: Line 1,328:
====Additional Information====
====Additional Information====
Make sure the BIND / NAMED configuration file includes 127.0.0.1 IP Address in both the allow-recursion and listen-on-port sections.  This can cause issues with DHCPD if it is not configured correctly.  See the MWAN3 and DHCPD sections for additional information.
Make sure the BIND / NAMED configuration file includes 127.0.0.1 IP Address in both the allow-recursion and listen-on-port sections.  This can cause issues with DHCPD if it is not configured correctly.  See the MWAN3 and DHCPD sections for additional information.
When operating a dual WAN router with multiple IP Addresses assigned to multiple interfaces using MWAN and a switch configured to operate three separate LAN subnets, there can be issues when restarting the router or network services.  The solution is to also restart BIND / NAMED.  This can be done automatically using the "hotplug.d" functionality available in OpenWRT (see https://openwrt.org/docs/guide-user/base-system/hotplug for additional information).  Below is a short script to add in /etc/hotplug.d/iface/80-named;<syntaxhighlight lang="text">
#!/bin/sh
[ "$ACTION" = ifup ] || exit 0
/etc/init.d/named enabled && /etc/init.d/named stop && /etc/init.d/named start
</syntaxhighlight>Adding the following to the /etc/rc.local file may be necessary too, when restarting the router: /etc/init.d/named enabled && /etc/init.d/named stop && /etc/init.d/named start


===DHCPD (AKA isc-dhcp-server-ipv4, etc.)===
===DHCPD (AKA isc-dhcp-server-ipv4, etc.)===
There are two versions of DHCPD, ISC and KEA.  ISC is the older server and KEA is the newer.  For simple or small networks, ISC will work fine and eliminates some configuration considerations.  Read here for more information: https://www.isc.org/kea/
Make sure DNSMASQ is disabled, as noted in the above DNS Section.


Another item to be aware of is the somewhat convoluted way the DHCPD service is configured within the OpenWRT "UCI Infrastructure" (Google OpenWRT and UCI for additional information).  It isn't as straight forward as DHCPD is in CentOS, or other Linux distributions.  But there is a reason for this, so please keep reading.
Also make sure ODHCPD is disabled.  According to OpenWRT documentation, ODHCPD is intended to be used for IPv6 DHCP services.  However, it also has IPv4 DHCP capability which can interfere with DHCPD.
 
*According to documentation in /etc/config/dhcp in the 'odhcpd' section, setting this directive in this manner causes ODHCPD to take over all DHCP duties from DNSMASQ (IPv4 and IPv6): option maindhcp '1'
*Setting the same above setting to zero, option maindhcp '0', may lead one to believe that it disables ODHCPD.  This is not the case.  This setting, option maindhcp '0', turns off ODHCPD IPv4 DHCP functionality.  IPv6 DHCP functionality remains intact.  With either setting, it can interfere with DHCPD starting.  So, do one of the following;
**service odhcpd disable
**opkg remove odhcpd odhcpd-ipv6only
 
There are two versions of DHCPD, ISC and KEA.  ISC is the older server and KEA is the newer.  For simple or small networks, ISC will work fine and eliminates some configuration considerations.  Read here for more information: https://www.isc.org/kea/
 
Another item to be aware of is the somewhat convoluted way the DHCPD service is configured within the OpenWRT "UCI Infrastructure" (Google OpenWRT and UCI for additional information).  It isn't as straight forward as DHCPD is in CentOS, or other Linux distributions.  But there is a reason for this, so please keep reading.


====Prerequisites & Things to Keep in Mind====
====Prerequisites & Things to Keep in Mind====
Line 1,128: Line 1,367:


====Configuration & Management====
====Configuration & Management====
Default Configuration File used during DHCPD package installation (and is then erased once those settings are applied to the /etc/config/dhcp file): /uci-defaults/dhcp.defaults
Default Configuration File used during DHCPD package installation (and is then erased once those settings are copied to the /etc/config/dhcp file): /uci-defaults/dhcp.defaults
 
Default Configuration File used by OpenWRT to control DNSMASQ and DHCPD: /etc/config/dhcp


Default Configuration File (remember, this is a temporary file, so settings will not persist across router reboots): /tmp/run/dhcpd.conf
Default Configuration File (remember, this is a temporary file, so settings will not persist across router reboots): /tmp/run/dhcpd.conf
Line 1,134: Line 1,375:
The Default Configuration File can be over-ridden by placing the DHCPD configuration file here: /etc/dhcpd.conf
The Default Configuration File can be over-ridden by placing the DHCPD configuration file here: /etc/dhcpd.conf


Default Leases File: /tmp/dhcpd.leases
Default Leases File: /tmp/dhcpd.leases (an odd recommendation to make, but even though it is in the /tmp directory, delete this file before using DHCPD, it will be recreated automatically)


DHCPD Executable / Binary File: /usr/sbin/dhcpd
DHCPD Executable / Binary File: /usr/sbin/dhcpd
Line 1,152: Line 1,393:


But also keep in mind the settings changes in the /etc/init.d/dhcpd startup script only affect the DHCPD service.  The /etc/resolv.conf File still derives its settings from the /etc/config/dhcp File when the DHCPD service is restarted or the router is rebooted (same for DNSMASQ).  IE, the /etc/config/dhcp File should not be completely dismissed as useless.
But also keep in mind the settings changes in the /etc/init.d/dhcpd startup script only affect the DHCPD service.  The /etc/resolv.conf File still derives its settings from the /etc/config/dhcp File when the DHCPD service is restarted or the router is rebooted (same for DNSMASQ).  IE, the /etc/config/dhcp File should not be completely dismissed as useless.
====Restricting the DHCPD Service to only Answer / Listen on Desired Interfaces====
To restrict the DHCPD service to a specific interface, edit the /etc/init.d/dhcpd file, scroll way down to the start_service section, and look for the following line;
*procd_set_param command $PROG -q -f -cf $config_file -lf $lease_file $dhcp_ifs
Change it in similar manner to the below examples;
*   procd_set_param command $PROG WhatEverAdapterName WhatEverOtherAdapterName -q -f -cf $config_file -lf $lease_file $dhcp_ifs
*   procd_set_param command $PROG eth0.1 br-LAN1_1 -q -f -cf $config_file -lf $lease_file $dhcp_ifs
Many sites suggest that creating a blank / empty zone for the subnet (on a multi-homed device) will make it so DHCPD doesn't answer for those interfaces.  But testing has prooven otherwise.  The below settings in /etc/dhcpd/dhcpd.conf will '''''00000000000000000000000000''''' prevent the DHCPD service from answering on the interface associated with the W.X.Y.Z IP Address;<syntaxhighlight lang="text">
subnet W.X.Y.Z netmask 255.255.255.0 {
}
</syntaxhighlight>The Edit Network Interfaces Button and Interfaces File Type setting in Webmin will not work with OpenWRT.


====Special Note====
====Special Note====
Line 1,166: Line 1,422:
*If a custom /etc/dhcpd.conf file is NOT being used and the standard OpenWRT method of using /etc/config/dhcp method is used (again, HINT: Use a custom /etc/dhcpd.conf file), the DHCPD startup script erases the symbolic link that connects /tmp/resolv.conf --> /tmp/resolv.conf.auto in favor of its own custom /tmp/resolv.conf file (/etc/resolv.conf).  This can break DNS settings for networking in general and MWAN3.
*If a custom /etc/dhcpd.conf file is NOT being used and the standard OpenWRT method of using /etc/config/dhcp method is used (again, HINT: Use a custom /etc/dhcpd.conf file), the DHCPD startup script erases the symbolic link that connects /tmp/resolv.conf --> /tmp/resolv.conf.auto in favor of its own custom /tmp/resolv.conf file (/etc/resolv.conf).  This can break DNS settings for networking in general and MWAN3.


Solution?  Add the following lines to the /etc/init.d/dhcpd startup script;<syntaxhighlight lang="text">
Solution?  Add the following lines to the /etc/init.d/dhcpd startup script to solve the above mentioned issue, plus some optional stuff;<syntaxhighlight lang="text">
# In the start_service() section after this line: config_file="/etc/dhcpd.conf"
# Add these two lines (completely option, not necessary);
 
echo -n $"Starting ISC-DHCPD with /etc/dhcpd.conf file"
echo
 
 
 
stop_service()
stop_service()
{
{
Line 1,172: Line 1,436:
rm /var/run/dhcpd.pid
rm /var/run/dhcpd.pid
}
}
</syntaxhighlight>And as of OpenWRT 22.0.Whatever, there's another issue.  The path for RESOLV.CONF has changed from /tmp/resolv.conf to /tmp/resolv.conf.d/resolv.conf.auto.  That change has been reflected in DNSMASQ, but it has NOT been reflected in DHCPD.  Solution: Modify the above noted code shown above for /etc/init/d/dhcpd file as follows;<syntaxhighlight lang="text">
ln -sf "/tmp/resolv.conf.d/resolv.conf.auto" /tmp/resolv.conf
</syntaxhighlight>The ''ln'' command corrects the symbolic link issue mentioned above.  And the ''rm'' command corrects the PID file issue that never goes away, again mentioned above.  Also note that if the DHCPD package is ever updated, the script will need to be modified again.  A startup script could be written, but haven't had time to write that yet.  This post gives a fairly goot hint on how to write it: https://askubuntu.com/questions/77149/how-to-find-text-and-replace-that-line-if-exists-with-terminal-otherwise-just-ap  Although regular expressions wouldn't be necessary, just a check to see if "stop_service" exists anywhere in the dhcpd startup script and if it doesn't, insert it at the end.
</syntaxhighlight>The ''ln'' command corrects the symbolic link issue mentioned above.  And the ''rm'' command corrects the PID file issue that never goes away, again mentioned above.  Also note that if the DHCPD package is ever updated, the script will need to be modified again.  A startup script could be written, but haven't had time to write that yet.  This post gives a fairly goot hint on how to write it: https://askubuntu.com/questions/77149/how-to-find-text-and-replace-that-line-if-exists-with-terminal-otherwise-just-ap  Although regular expressions wouldn't be necessary, just a check to see if "stop_service" exists anywhere in the dhcpd startup script and if it doesn't, insert it at the end.


===PPTP (Point to Point Tunneling Protocol) for Clients===
Also keep in mind the LuCI GUI interface, under Network, Interface, Edit Button for X Interface, DHCP Tab will always show "No DHCP Server configured for this interface".  This is because the LuCI GUI is not able to detect DHCPD (only DNSMASQ and ODHCPD)
OpenWRT defines the use of PPTP Clients on the LAN side of a router that wish to connect to a PPTP server via the internet as NAT traversal for PPTPDefault installations of OpenWRT do not have the capability to facilitate PPTP connections by clientsThe following software package must be installed;
 
As with BIND / NAMED, when operating a dual WAN router with multiple IP Addresses assigned to multiple interfaces using MWAN and a switch configured to operate three separate LAN subnets, there can be issues when restarting the router or network servicesThe solution is to also restart DHCPDThis can be done automatically using the "hotplug.d" functionality available in OpenWRT (see https://openwrt.org/docs/guide-user/base-system/hotplug for additional information).  Below is a short script to add in /etc/hotplug.d/iface/70-dhcpd;<syntaxhighlight lang="text">
#!/bin/sh


*opkg update
[ "$ACTION" = ifup ] || exit 0
*opkg install kmod-nf-nathelper-extra


The instructions on enabling the capability is a bit lacking on the OpenWRT site, so below is an improved explanation. After installing the above package, do the following;
/etc/init.d/dhcpd enabled && /etc/init.d/dhcpd stop && /etc/init.d/dhcpd start
</syntaxhighlight>Adding the following to the /etc/rc.local file may be necessary too, when restarting the router: /etc/init.d/dhcpd enabled && /etc/init.d/dhcpd stop && /etc/init.d/dhcpd start


*Create a file named 20-nf-conntrack-helper.conf in /etc/sysctl.d: nano /etc/sysctl.d/20n-nf-conntrack-helper.conf
===SOCKD (Dante)===
*Add a single line of code in the 20-nf-conntrack-helper.conf file to enable the program: net.netfilter.nf_conntrack_helper = 1
It exists. And that's about it. There is some indication in the past the package was more complete, but as of 2020, the SOCKD package is single binary file (sockd).
*Save the file: CTRL + O, then exit nano: CTRL + X
*Restart the sysctl service: service sysctl restart


PPTP should now work for clients wishing to use PPTP connections.
Installation: opkg install sockd


As has been mentioned and will continue to be mentioned, it is understandable that the OpenWRT documentation may be lacking in some ways.  Creating and writing good documentation is difficult and time consuming.  The nice people responsible for OpenWRT spend most of their time making things work, improving functionality, adding new firmware for new routers, etc..  This leaves little time for good documentation.  So for all the nice people that work so hard on OpenWRT, thank you.  And no offense meant.  The rather cryptic several lines written by the author of the below noted article for more information very likely uses that "shortcut" to create files or may have thought it was helpful to present it in that way.  And it may work for some people.  But it was decided to present it here slightly differently as done above.
File included: /usr/sbin/sockd


More information on enabling the feature can be found here: https://openwrt.org/docs/guide-user/services/vpn/pptp/nat_traversal
Log file (after the below configuration is done): /var/log/sockd.log (/tmp/log/sockd.log)


==LAMP (sort of) - Web Server (Apache, LighttpD, Nginx, and / or uHTTPd) MariaDB (MySQL), and PHP==
Configuration: Nothing is included in the OpenWRT package.  It all has to be configured manuallyThankfully, some really nice person (bjonas), created all of the configuration files that should be included in the SOCKD package for OpenWRT.  See this page for the "raw" / basic information: https://dev.archive.openwrt.org/ticket/21341#no1
OpenWRT has four different web server platforms availableApache, LighttpD, and Nginx are all full featured, whereas uHTTPd is more limited in its functionality.  uHTTPd also serves as the web server for the LuCI GUI interface for OpenWRT.  Apache does not have CGI or FastCGI built into the binary executable, but both Lighttpd and Nginx have CGI and FastCGI capability built in, making addon modules unecessary.


====Apache====
The really amazing thing is that if one Googles "openwrt" and "sockd", there are a grand total of 73 results (with most of those results being useless trash aggregation websites whose creators do not deserve to have air to breathe).  Most Google results and searches of OpenWRT packages for a SOCKS5 proxy return a lot of stuff related to ''client'' SOCKs software (and not really abundantly clear that it is client software as opposed to a SOCKS server service / daemon)DD-WRT has a functional version of the package, so why not OpenWRT?  The DD-WRT init.d script is very basic and relies on other functionality from DD-WRT to function, so isn't very useful for OpenWRT.
The Apache package in OpenWRT appears to only have CGI capability as the FastCGI module is not availableHowever, there are additional proxy modules included with Apache in OpenWRT that allow for PHP-FPM functionality with FastCGI.


=====Installation for Apache=====
The configuration file written by "bjonas" is below, tested, and it functions.  The below script should be put in this file: /etc/init.d/sockd.  This allows the service to be started, stopped, etc. with the OpenWRT service command.  One modification from the original script was made.  The configuration file was moved from /etc/sockd.conf to /etc/sockd/sockd.conf and the appropriate line in the below script was modified from the original version.;<syntaxhighlight lang="text">
opkg update
#!/bin/sh /etc/rc.common


opkg install apache apache-utils apache-mod-ssl
START=90


=====Configuration for Apache=====
USE_PROCD=1
There is no LuCI GUI interface, so use text configuration files and / or Webmin (see below section on Webmin)
PROG=/usr/sbin/sockd


*Initilization Script: /etc/init.d/apache2
CONFIGFILE="/var/etc/sockd.conf"
*Configuration File: /etc/apache2/apache2.conf
 
*Default Server Root: /usr
xappend() {
*Default Document Root: /usr/share/apache2/htdocs
        local value="$1"
*Executables / Binaries: /usr/lib/apache2
 
*User / Group (/etc/group): apache / apache
        echo "${value#--}" >> $CONFIGFILE
}
 
append_parm() {
        local section="$1"
        local option="$2"
        local switch="$3"
        local defval="$4"
        local _loctmp
        config_get _loctmp "$section" "$option"
        if [ -z "$_loctmp" ]; then
                [ -z "$defval" ] && return 0
                xappend "$switch:$defval"
        else
                xappend "$switch:$_loctmp"
        fi
}
 
sockd(){
        local cfg="$1"
        append_parm "$cfg" "clientmethod" "--clientmethod"
        append_parm "$cfg" "method" "--method"
        append_parm "$cfg" "user_privileged" "--user.privileged" "root"
        append_parm "$cfg" "user_notprivileged" "--user.notprivileged" "nobody"
        append_parm "$cfg" "logoutput" "--logoutput" "syslog"
        local _extif _intif _extip _intip
        config_get _extif "$cfg" "external"
        [ -z "$_extif" ] && _extif="wan"
        config_get _intif "$cfg" "internal"
        [ -z "$_intif" ] && _intif="lan"
        network_flush_cache
        network_get_ipaddr _extip $_extif
        xappend "--external:$_extip"
        network_get_ipaddr _intip $_intif
        local _port
        config_get _port "$cfg" "port" "1080"
        xappend "--internal:$_intip port = $_port"
        echo >> $CONFIGFILE
}
 
service_triggers() {
        procd_add_reload_trigger "sockd"
#      procd_add_network_trigger "wan"|"pppoe-wan"
}
 
boot() {
        # Will be launched through hotplug
        return 0
}
 
start_service() {
        include /lib/functions
 
        config_load sockd


Below is working configuration file for Apache with CGI capability;<div class="toccolours mw-collapsible mw-collapsed" style="overflow:auto; width:100%;">
        procd_open_instance
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
        procd_set_param command $PROG -f $CONFIGFILE
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
        procd_set_param file $CONFIGFILE
ServerRoot "/usr"
        procd_set_param netdev wan
        procd_set_param respawn
        procd_close_instance


        echo "# auto-generated config file from /etc/config/sockd" > $CONFIGFILE
        [ -f /etc/sockd/sockd.conf ] && {
                cat /etc/sockd/sockd.conf >> $CONFIGFILE
        }


Listen 192.168.2.66:80
        config_foreach sockd sockd
Listen 192.168.15.66:80
}
Listen 192.168.22.66:80
Listen 96.77.203.196:80
Listen 76.212.87.51:80


reload_service() {
        return 0
}


stop_service() {
        return 0
}


TimeOut 3600
</syntaxhighlight>After saving the above information, the SOCKD service should be displayed when the OpenWRT ''service'' command is typed.


There are two ways to configure the SOCKD / Dante SOCKS5 proxy.  With a configuration file (/etc/sockd/sockd.conf) or a standard OpenWRT configuration file in /etc/config/sockd.  All of this capability is made possible by the startup script created by bjonas (there are indications the version of the script may have been based on past packages from OpenWRT).  If using the sockd.conf method, make sure the /etc/config/sockd file is blank / empty as directives in that file will be included in addition to anything in the sockd.conf file.  Below is the /etc/config/sockd file (again, don't use it if the sockd.conf file is used;<syntaxhighlight lang="text">
config sockd
        option external                'wan'
        option internal                'lan'
        option clientmethod            'none'
        option method                  'none'
        option user_privileged          'root'
        option user_notprivileged      'nobody'
        option logoutput                'syslog'


</syntaxhighlight>Below is a functional /etc/sockd/sockd.conf file.  Change the W.X.Y.Z IP Address to match whatever subnets / IP Addresses are used.  Some sections of the below configuration file could be combined and are somewhat redundant.  However, to match the original example it was kept in this format.  The configuration is not restrictive and essentially allows all connectivity from the source subnet to anywhere via the SOCKD server / daemon.<syntaxhighlight lang="text">
logoutput: stderr /var/log/sockd.log


# LAN IP Address of router
internal: W.X.Y.Z port = 1080


# WAN Interface name for router (ifconfig, whichever interface is configured with an external IP Address)
# Note, this won't work if one's router is behind another router unless ports are forwarded from the "perimeter" router)
external: eth1.2


socksmethod: username none #rfc931


#LoadModule mpm_event_module lib/apache2/mod_mpm_event.so
clientmethod: none
LoadModule mpm_prefork_module lib/apache2/mod_mpm_prefork.so
 
#LoadModule mpm_worker_module lib/apache2/mod_mpm_worker.so
# Client subnet
LoadModule authn_file_module lib/apache2/mod_authn_file.so
# 0.0.0.0/0 equates to "Anywhere"
#LoadModule authn_dbm_module lib/apache2/mod_authn_dbm.so
client pass {
#LoadModule authn_anon_module lib/apache2/mod_authn_anon.so
        from: W.X.Y.Z/24 to: 0.0.0.0/0
LoadModule authn_dbd_module lib/apache2/mod_authn_dbd.so
log: error # connect disconnect
#LoadModule authn_socache_module lib/apache2/mod_authn_socache.so
}
LoadModule authn_core_module lib/apache2/mod_authn_core.so
 
LoadModule authz_host_module lib/apache2/mod_authz_host.so
socks pass {
LoadModule authz_groupfile_module lib/apache2/mod_authz_groupfile.so
        from: 0.0.0.0/0 to: W.X.Y.Z/24
LoadModule authz_user_module lib/apache2/mod_authz_user.so
        command: bindreply udpreply
#LoadModule authz_dbm_module lib/apache2/mod_authz_dbm.so
        log: connect error
#LoadModule authz_owner_module lib/apache2/mod_authz_owner.so
}
#LoadModule authz_dbd_module lib/apache2/mod_authz_dbd.so
 
LoadModule authz_core_module lib/apache2/mod_authz_core.so
socks pass { 
#LoadModule authnz_ldap_module lib/apache2/mod_authnz_ldap.so
        from: W.X.Y.Z/24 to: 0.0.0.0/0
LoadModule access_compat_module lib/apache2/mod_access_compat.so
        command: bind connect udpassociate bindreply udpreply
LoadModule auth_basic_module lib/apache2/mod_auth_basic.so
        log: error # connect disconnect iooperation
#LoadModule auth_form_module lib/apache2/mod_auth_form.so
}
#LoadModule auth_digest_module lib/apache2/mod_auth_digest.so
 
#LoadModule allowmethods_module lib/apache2/mod_allowmethods.so
</syntaxhighlight>As for starting the service, bjonas elected to create a "hot plug" method.  Below is the configuration file that should be placed here: /etc/hotplug.d/iface/60-sockd;<syntaxhighlight lang="text">
#LoadModule file_cache_module lib/apache2/mod_file_cache.so
#!/bin/sh
#LoadModule cache_module lib/apache2/mod_cache.so
 
#LoadModule cache_disk_module lib/apache2/mod_cache_disk.so
[ "$ACTION" = ifup ] || exit 0
#LoadModule cache_socache_module lib/apache2/mod_cache_socache.so
 
#LoadModule socache_shmcb_module lib/apache2/mod_socache_shmcb.so
/etc/init.d/sockd enabled && /etc/init.d/sockd start
#LoadModule socache_dbm_module lib/apache2/mod_socache_dbm.so
</syntaxhighlight>Executing the ''service sockd start'' command should start the service at this point.  The log file in /var/log/sockd.log will indicate any configuration issues.  Additionally the service / daemon can be run with this command line for troubleshooting: sockd -f /etc/sockd/sockd.conf
#LoadModule socache_memcache_module lib/apache2/mod_socache_memcache.so
 
#LoadModule socache_redis_module lib/apache2/mod_socache_redis.so
==LAMP (sort of) - Web Server (Apache, LighttpD, Nginx, and / or uHTTPd) MariaDB (MySQL), and PHP==
#LoadModule watchdog_module lib/apache2/mod_watchdog.so
OpenWRT has four different web server platforms available.  Apache, LighttpD, and Nginx are all full featured, whereas uHTTPd is more limited in its functionality.  uHTTPd also serves as the web server for the LuCI GUI interface for OpenWRT.  Apache does not have CGI or FastCGI built into the binary executable, but both Lighttpd and Nginx have CGI and FastCGI capability built in, making addon modules unecessary.
#LoadModule macro_module lib/apache2/mod_macro.so
 
#LoadModule dbd_module lib/apache2/mod_dbd.so
====Apache====
#LoadModule dumpio_module lib/apache2/mod_dumpio.so
The Apache package in OpenWRT appears to only have CGI capability as the FastCGI module is not available.  However, there are additional proxy modules included with Apache in OpenWRT that allow for PHP-FPM functionality with FastCGI.
#LoadModule echo_module lib/apache2/mod_echo.so
 
#LoadModule buffer_module lib/apache2/mod_buffer.so
=====Installation for Apache=====
#LoadModule data_module lib/apache2/mod_data.so
opkg update
#LoadModule ratelimit_module lib/apache2/mod_ratelimit.so
 
LoadModule reqtimeout_module lib/apache2/mod_reqtimeout.so
opkg install apache apache-utils apache-mod-ssl
#LoadModule ext_filter_module lib/apache2/mod_ext_filter.so
 
#LoadModule request_module lib/apache2/mod_request.so
OR for a more complete installation: opkg install apache apache-icons apache-mod-deflate apache-mod-http2 apache-mod-ldap apache-mod-lua apache-mod-proxy apache-mod-proxy-html apache-mod-session-crypto apache-mod-ssl apache-mod-suexec apache-mod-webdav apache-suexec apache-utils
#LoadModule include_module lib/apache2/mod_include.so
 
LoadModule filter_module lib/apache2/mod_filter.so
=====Configuration for Apache=====
#LoadModule reflector_module lib/apache2/mod_reflector.so
There is no LuCI GUI interface, so use text configuration files and / or Webmin (see below section on Webmin)
#LoadModule substitute_module lib/apache2/mod_substitute.so
 
#LoadModule sed_module lib/apache2/mod_sed.so
*Initilization Script: /etc/init.d/apache2
#LoadModule charset_lite_module lib/apache2/mod_charset_lite.so
*Configuration File: /etc/apache2/apache2.conf
#LoadModule deflate_module lib/apache2/mod_deflate.so
*Default Server Root: /usr
LoadModule xml2enc_module lib/apache2/mod_xml2enc.so
*Default Document Root: /usr/share/apache2/htdocs
LoadModule proxy_html_module lib/apache2/mod_proxy_html.so
*Executables / Binaries: /usr/lib/apache2
LoadModule mime_module lib/apache2/mod_mime.so
*User / Group (/etc/group): apache / apache
#LoadModule ldap_module lib/apache2/mod_ldap.so
*For Redhat or
LoadModule log_config_module lib/apache2/mod_log_config.so
 
#LoadModule log_debug_module lib/apache2/mod_log_debug.so
Below is working configuration file for Apache with CGI capability;<div class="toccolours mw-collapsible mw-collapsed" style="overflow:auto; width:100%;">
#LoadModule log_forensic_module lib/apache2/mod_log_forensic.so
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
#LoadModule logio_module lib/apache2/mod_logio.so
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
#LoadModule lua_module lib/apache2/mod_lua.so
ServerRoot "/usr"
LoadModule env_module lib/apache2/mod_env.so
 
LoadModule mime_magic_module lib/apache2/mod_mime_magic.so
Listen 192.168.1.1:80
#LoadModule expires_module lib/apache2/mod_expires.so
 
LoadModule headers_module lib/apache2/mod_headers.so
TimeOut 3600
#LoadModule usertrack_module lib/apache2/mod_usertrack.so
 
#LoadModule unique_id_module lib/apache2/mod_unique_id.so
#LoadModule mpm_event_module lib/apache2/mod_mpm_event.so
LoadModule setenvif_module lib/apache2/mod_setenvif.so
LoadModule mpm_prefork_module lib/apache2/mod_mpm_prefork.so
LoadModule version_module lib/apache2/mod_version.so
#LoadModule mpm_worker_module lib/apache2/mod_mpm_worker.so
#LoadModule remoteip_module lib/apache2/mod_remoteip.so
LoadModule authn_file_module lib/apache2/mod_authn_file.so
#LoadModule proxy_module lib/apache2/mod_proxy.so
#LoadModule authn_dbm_module lib/apache2/mod_authn_dbm.so
#LoadModule proxy_connect_module lib/apache2/mod_proxy_connect.so
#LoadModule authn_anon_module lib/apache2/mod_authn_anon.so
#LoadModule proxy_ftp_module lib/apache2/mod_proxy_ftp.so
LoadModule authn_dbd_module lib/apache2/mod_authn_dbd.so
#LoadModule proxy_http_module lib/apache2/mod_proxy_http.so
#LoadModule authn_socache_module lib/apache2/mod_authn_socache.so
#LoadModule proxy_fcgi_module lib/apache2/mod_proxy_fcgi.so
LoadModule authn_core_module lib/apache2/mod_authn_core.so
#LoadModule proxy_scgi_module lib/apache2/mod_proxy_scgi.so
LoadModule authz_host_module lib/apache2/mod_authz_host.so
#LoadModule proxy_uwsgi_module lib/apache2/mod_proxy_uwsgi.so
LoadModule authz_groupfile_module lib/apache2/mod_authz_groupfile.so
#LoadModule proxy_fdpass_module lib/apache2/mod_proxy_fdpass.so
LoadModule authz_user_module lib/apache2/mod_authz_user.so
#LoadModule proxy_wstunnel_module lib/apache2/mod_proxy_wstunnel.so
#LoadModule authz_dbm_module lib/apache2/mod_authz_dbm.so
#LoadModule proxy_ajp_module lib/apache2/mod_proxy_ajp.so
#LoadModule authz_owner_module lib/apache2/mod_authz_owner.so
#LoadModule proxy_balancer_module lib/apache2/mod_proxy_balancer.so
#LoadModule authz_dbd_module lib/apache2/mod_authz_dbd.so
#LoadModule proxy_express_module lib/apache2/mod_proxy_express.so
LoadModule authz_core_module lib/apache2/mod_authz_core.so
#LoadModule proxy_hcheck_module lib/apache2/mod_proxy_hcheck.so
#LoadModule authnz_ldap_module lib/apache2/mod_authnz_ldap.so
#LoadModule session_module lib/apache2/mod_session.so
LoadModule access_compat_module lib/apache2/mod_access_compat.so
#LoadModule session_cookie_module lib/apache2/mod_session_cookie.so
LoadModule auth_basic_module lib/apache2/mod_auth_basic.so
#LoadModule session_crypto_module lib/apache2/mod_session_crypto.so
#LoadModule auth_form_module lib/apache2/mod_auth_form.so
#LoadModule session_dbd_module lib/apache2/mod_session_dbd.so
#LoadModule auth_digest_module lib/apache2/mod_auth_digest.so
#LoadModule slotmem_shm_module lib/apache2/mod_slotmem_shm.so
#LoadModule allowmethods_module lib/apache2/mod_allowmethods.so
#LoadModule slotmem_plain_module lib/apache2/mod_slotmem_plain.so
#LoadModule file_cache_module lib/apache2/mod_file_cache.so
#LoadModule ssl_module lib/apache2/mod_ssl.so
#LoadModule cache_module lib/apache2/mod_cache.so
#LoadModule dialup_module lib/apache2/mod_dialup.so
#LoadModule cache_disk_module lib/apache2/mod_cache_disk.so
#LoadModule http2_module lib/apache2/mod_http2.so
#LoadModule cache_socache_module lib/apache2/mod_cache_socache.so
#LoadModule md_module lib/apache2/mod_md.so
#LoadModule socache_shmcb_module lib/apache2/mod_socache_shmcb.so
#LoadModule lbmethod_byrequests_module lib/apache2/mod_lbmethod_byrequests.so
#LoadModule socache_dbm_module lib/apache2/mod_socache_dbm.so
#LoadModule lbmethod_bytraffic_module lib/apache2/mod_lbmethod_bytraffic.so
#LoadModule socache_memcache_module lib/apache2/mod_socache_memcache.so
#LoadModule lbmethod_bybusyness_module lib/apache2/mod_lbmethod_bybusyness.so
#LoadModule socache_redis_module lib/apache2/mod_socache_redis.so
#LoadModule lbmethod_heartbeat_module lib/apache2/mod_lbmethod_heartbeat.so
#LoadModule watchdog_module lib/apache2/mod_watchdog.so
LoadModule unixd_module lib/apache2/mod_unixd.so
#LoadModule macro_module lib/apache2/mod_macro.so
#LoadModule heartbeat_module lib/apache2/mod_heartbeat.so
#LoadModule dbd_module lib/apache2/mod_dbd.so
#LoadModule heartmonitor_module lib/apache2/mod_heartmonitor.so
#LoadModule dumpio_module lib/apache2/mod_dumpio.so
#LoadModule dav_module lib/apache2/mod_dav.so
#LoadModule echo_module lib/apache2/mod_echo.so
LoadModule status_module lib/apache2/mod_status.so
#LoadModule buffer_module lib/apache2/mod_buffer.so
LoadModule autoindex_module lib/apache2/mod_autoindex.so
#LoadModule data_module lib/apache2/mod_data.so
#LoadModule asis_module lib/apache2/mod_asis.so
#LoadModule ratelimit_module lib/apache2/mod_ratelimit.so
#LoadModule info_module lib/apache2/mod_info.so
LoadModule reqtimeout_module lib/apache2/mod_reqtimeout.so
#LoadModule suexec_module lib/apache2/mod_suexec.so
#LoadModule ext_filter_module lib/apache2/mod_ext_filter.so
<IfModule !mpm_prefork_module>
#LoadModule request_module lib/apache2/mod_request.so
#LoadModule cgid_module lib/apache2/mod_cgid.so
#LoadModule include_module lib/apache2/mod_include.so
</IfModule>
LoadModule filter_module lib/apache2/mod_filter.so
<IfModule mpm_prefork_module>
#LoadModule reflector_module lib/apache2/mod_reflector.so
LoadModule cgi_module lib/apache2/mod_cgi.so
#LoadModule substitute_module lib/apache2/mod_substitute.so
</IfModule>
#LoadModule sed_module lib/apache2/mod_sed.so
#LoadModule dav_fs_module lib/apache2/mod_dav_fs.so
#LoadModule charset_lite_module lib/apache2/mod_charset_lite.so
#LoadModule dav_lock_module lib/apache2/mod_dav_lock.so
#LoadModule deflate_module lib/apache2/mod_deflate.so
LoadModule vhost_alias_module lib/apache2/mod_vhost_alias.so
LoadModule xml2enc_module lib/apache2/mod_xml2enc.so
#LoadModule negotiation_module lib/apache2/mod_negotiation.so
LoadModule proxy_html_module lib/apache2/mod_proxy_html.so
LoadModule dir_module lib/apache2/mod_dir.so
LoadModule mime_module lib/apache2/mod_mime.so
LoadModule actions_module lib/apache2/mod_actions.so
#LoadModule ldap_module lib/apache2/mod_ldap.so
#LoadModule speling_module lib/apache2/mod_speling.so
LoadModule log_config_module lib/apache2/mod_log_config.so
#LoadModule userdir_module lib/apache2/mod_userdir.so
#LoadModule log_debug_module lib/apache2/mod_log_debug.so
LoadModule alias_module lib/apache2/mod_alias.so
#LoadModule log_forensic_module lib/apache2/mod_log_forensic.so
LoadModule rewrite_module lib/apache2/mod_rewrite.so
#LoadModule logio_module lib/apache2/mod_logio.so
 
#LoadModule lua_module lib/apache2/mod_lua.so
 
LoadModule env_module lib/apache2/mod_env.so
 
LoadModule mime_magic_module lib/apache2/mod_mime_magic.so
 
#LoadModule expires_module lib/apache2/mod_expires.so
<IfModule unixd_module>
LoadModule headers_module lib/apache2/mod_headers.so
 
#LoadModule usertrack_module lib/apache2/mod_usertrack.so
User apache
#LoadModule unique_id_module lib/apache2/mod_unique_id.so
Group apache
LoadModule setenvif_module lib/apache2/mod_setenvif.so
 
LoadModule version_module lib/apache2/mod_version.so
#LoadModule remoteip_module lib/apache2/mod_remoteip.so
#LoadModule proxy_module lib/apache2/mod_proxy.so
#LoadModule proxy_connect_module lib/apache2/mod_proxy_connect.so
#LoadModule proxy_ftp_module lib/apache2/mod_proxy_ftp.so
#LoadModule proxy_http_module lib/apache2/mod_proxy_http.so
#LoadModule proxy_fcgi_module lib/apache2/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module lib/apache2/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module lib/apache2/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module lib/apache2/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module lib/apache2/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module lib/apache2/mod_proxy_ajp.so
#LoadModule proxy_balancer_module lib/apache2/mod_proxy_balancer.so
#LoadModule proxy_express_module lib/apache2/mod_proxy_express.so
#LoadModule proxy_hcheck_module lib/apache2/mod_proxy_hcheck.so
#LoadModule session_module lib/apache2/mod_session.so
#LoadModule session_cookie_module lib/apache2/mod_session_cookie.so
#LoadModule session_crypto_module lib/apache2/mod_session_crypto.so
#LoadModule session_dbd_module lib/apache2/mod_session_dbd.so
#LoadModule slotmem_shm_module lib/apache2/mod_slotmem_shm.so
#LoadModule slotmem_plain_module lib/apache2/mod_slotmem_plain.so
#LoadModule ssl_module lib/apache2/mod_ssl.so
#LoadModule dialup_module lib/apache2/mod_dialup.so
#LoadModule http2_module lib/apache2/mod_http2.so
#LoadModule md_module lib/apache2/mod_md.so
#LoadModule lbmethod_byrequests_module lib/apache2/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module lib/apache2/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module lib/apache2/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module lib/apache2/mod_lbmethod_heartbeat.so
LoadModule unixd_module lib/apache2/mod_unixd.so
#LoadModule heartbeat_module lib/apache2/mod_heartbeat.so
#LoadModule heartmonitor_module lib/apache2/mod_heartmonitor.so
#LoadModule dav_module lib/apache2/mod_dav.so
LoadModule status_module lib/apache2/mod_status.so
LoadModule autoindex_module lib/apache2/mod_autoindex.so
#LoadModule asis_module lib/apache2/mod_asis.so
#LoadModule info_module lib/apache2/mod_info.so
#LoadModule suexec_module lib/apache2/mod_suexec.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module lib/apache2/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
LoadModule cgi_module lib/apache2/mod_cgi.so
</IfModule>
</IfModule>
 
#LoadModule dav_fs_module lib/apache2/mod_dav_fs.so
ServerName wrt3200acm.fullspectrum.lan:80
#LoadModule dav_lock_module lib/apache2/mod_dav_lock.so
 
LoadModule vhost_alias_module lib/apache2/mod_vhost_alias.so
#LoadModule negotiation_module lib/apache2/mod_negotiation.so
LoadModule dir_module lib/apache2/mod_dir.so
LoadModule actions_module lib/apache2/mod_actions.so
#LoadModule speling_module lib/apache2/mod_speling.so
#LoadModule userdir_module lib/apache2/mod_userdir.so
LoadModule alias_module lib/apache2/mod_alias.so
LoadModule rewrite_module lib/apache2/mod_rewrite.so
 
<IfModule unixd_module>
 
User apache
Group apache
 
</IfModule>
 
ServerName wrt3200acm.fullspectrum.lan:80
 


DocumentRoot "/usr/share/apache2/htdocs"
DocumentRoot "/usr/share/apache2/htdocs"
Line 1,569: Line 1,971:
find /usr/share/apache2 -type f -exec chmod 644 {} \;
find /usr/share/apache2 -type f -exec chmod 644 {} \;
</syntaxhighlight>
</syntaxhighlight>
=====Notes for Apache=====
=====Additional Notes for Apache Installation=====
In other installations, such as Redhat or CentOS, apache or apache2 is referred to as HTTPD in binary / executables, configuration files, commands, etc.
In other installations, such as Redhat or CentOS, apache or apache2 is referred to as HTTPD in binary / executables, configuration files, commands, etc.


Line 1,579: Line 1,981:
*LoadModule proxy_scgi_module lib/apache2/mod_proxy_scgi.so (Module does NOT exist for OpenWRT)
*LoadModule proxy_scgi_module lib/apache2/mod_proxy_scgi.so (Module does NOT exist for OpenWRT)
*LoadModule cgid_module lib/apache2/mod_cgid.so (does NOT seem to work, even when setting the ScriptSock Directive)
*LoadModule cgid_module lib/apache2/mod_cgid.so (does NOT seem to work, even when setting the ScriptSock Directive)
For Redhat / CentOS / RockyOS and similar users who are used to having HTTPD stuff located in /var/www/html by default, below are some commands to put in the Startup of OpenWRT to make Apache stuff easier to find (if you're on 'auto pilot');
*mkdir /tmp/www
*ln -s /usr/share/apache2/htdocs /var/www/html
*ln -s /usr/share/apache2/cgi-bin /var/www/cgi-bin
*ln -s /usr/share/apache2/error /var/www/error
*ln -s /usr/share/apache2/icons /var/www/icons
...and the reason it's in startup is because the VAR Directory in OpenWRT is actually the TMP Directory (IE, VAR is a softlink / shortcut to TMP), so it disappears after rebooting.
Firewall: Open ports on the firewall if public availability is desired.


====Lighttpd====
====Lighttpd====
Line 1,664: Line 2,078:
opkg update
opkg update


opkg install php7 php7-cgi php7-cli php7-fastcgi php7-fpm The php-cli (PHP Command Line) is not necessary, but is useful for troubleshooting.  Most examples utilizing the PHP command line program refer to it as just php, not php-cli.  OpenWRT installs it as php-cli, so instead of having to remember that, it maybe useful to create a symbolic link with this command: ''ln -s /usr/bin/php-cli /usr/bin/php''
opkg install php7 php7-cgi php7-cli php7-fastcgi php7-fpm snmp-mibs The php-cli (PHP Command Line) is not necessary, but is useful for troubleshooting.  Most examples utilizing the PHP command line program refer to it as just php, not php-cli.  OpenWRT installs it as php-cli, so instead of having to remember that, it maybe useful to create a symbolic link with this command: ''ln -s /usr/bin/php-cli /usr/bin/php''


=====PHP Configuration in /etc/php.ini=====
=====PHP Configuration in /etc/php.ini=====
Line 1,925: Line 2,339:
As noted previously, but worth mentioning again, OpenWRT names the interactive command line interface for PHP ''php-cli''.  Most sites give examples that use the command ''php'', so to make it easier create a symbolic link with this command: ln -s /usr/bin/php-cli /usr/bin/php  
As noted previously, but worth mentioning again, OpenWRT names the interactive command line interface for PHP ''php-cli''.  Most sites give examples that use the command ''php'', so to make it easier create a symbolic link with this command: ln -s /usr/bin/php-cli /usr/bin/php  


====MariaDB Server====
====MariaDB Server (AKA MySQL)====


=====Installing=====
=====Installing=====
Line 1,936: Line 2,350:
**Move the database to an external eSATA drive: datadir        = /mnt/sdb3/mysql
**Move the database to an external eSATA drive: datadir        = /mnt/sdb3/mysql
**Move the tmp directory to an external eSATA drive: datadir        = /tmp (This directory is relative to the datadir, in that it will be created at the same level as the mysql directory, so this is not an abolute path where it will utilize the /tmp directory in the root of the file system)
**Move the tmp directory to an external eSATA drive: datadir        = /tmp (This directory is relative to the datadir, in that it will be created at the same level as the mysql directory, so this is not an abolute path where it will utilize the /tmp directory in the root of the file system)
*To create the default database: mysql_install_db --force --basedir=/usr
*To create the default database: mysql_install_db --force --basedir=/usr (basedir refers to where the binary files are, not where the database(s) will be)
*Start the service: service mysqldb start
*And of course from the beginning, OpenWRT doesn't have the proper permissions set for the /etc/mysql Service / Daemon files, so: chmod 644 -R /etc/mysql
*Start the service: service mysqld start
*And if there is an error, try this command again: mysql_install_db --force --basedir=/usr
*To create a password for the current user (blank if not configured): /usr/bin/mysqladmin -u root password 'new-password'
*To create a password for the current user (blank if not configured): /usr/bin/mysqladmin -u root password 'new-password'
*Log into the command line for the database: mysql -u root -p or use phpMyAdmin see below
*Log into the command line for the database: mysql -u root -p or use phpMyAdmin see below
Line 1,964: Line 2,380:
Show available storage engines: SHOW ENGINES\G or show engines;
Show available storage engines: SHOW ENGINES\G or show engines;


===phpMyAdmin===
===phpMyAdmin (make sure Apache or another web server is installed and functional)===


*opkg update
*opkg update
*opkg install php7-mod-mbstring php7-mod-json php7-mod-hash php7-mod-ctype php7-mod-zip php7-mod-gd php7-mod-mysqli php7-mod-session php7-mod-snmp zoneinfo-northamerica (if one is in North America, if not, choose another zone and remember, phpMyAdmin will display a blank page with no error if a zoneinfo-WhatEverZone is not installed in addition to the zoneinfo-core package, see additional information below, dependencies will also be installed automatically).
*opkg install php7-mod-mbstring php7-mod-json php7-mod-hash php7-mod-ctype php7-mod-zip php7-mod-gd php7-mod-mysqli php7-mod-session php7-mod-snmp zoneinfo-northamerica (if one is in North America, if not, choose another zone and remember, phpMyAdmin will display a blank page with no error if a zoneinfo-WhatEverZone is not installed in addition to the zoneinfo-core package, see additional information below, dependencies will also be installed automatically).


Make sure the /usr/share/apache2/htdocs/phpMyAdmin/tmp has 777 permissions, otherwise Apache based phpMyAdmin sites may stop responding: chmod 777 /usr/share/apache2/htdocs/phpMyAdmin/tmp
Make sure the /usr/share/apache2/htdocs/phpMyAdmin/tmp has 755 permissions (if 755 doesn't work, try 777, phpMyAdmin will whine about 'world permissions', otherwise Apache based phpMyAdmin sites may stop responding: chmod 755 /usr/share/apache2/htdocs/phpMyAdmin/tmp


The following item is VERY important, hence it's typeface in '''BOLD''' CAPITAL letters.  If the appropirate additional time zone module is not installed it can cause a completely invisible error (IE, no error in Apache, Lighttpd, or PHP logs).  IE, it only displays a blank page.  Even using a command line instance of PHP will not reveal the error.  This line in the /phpMyAdmin/libraries/classes/Core.php file: date_default_timezone_set(@date_default_timezone_get()); is the source of the issue (Note, this is not the fault of phyMyAdmin, but it would be nice if they wrote a bit of code to address this situation).  The error message that can be coaxed out of Lighttpd by taking that line of code and placing it in a file by itself is: Timezone database is corrupt – this should ''never'' happen! (thanks to this site for a key bit of information on that issue: https://e3fi389.wordpress.com/2014/12/07/timezone-database-is-corrupt-date-error-in-openwrt/)
The following item is VERY important, hence it's typeface in '''BOLD''' CAPITAL letters.  If the appropirate additional time zone module is not installed it can cause a completely invisible error (IE, no error in Apache, Lighttpd, or PHP logs).  IE, it only displays a blank page.  Even using a command line instance of PHP will not reveal the error.  This line in the /phpMyAdmin/libraries/classes/Core.php (or Common.php) file: date_default_timezone_set(@date_default_timezone_get()); is the source of the issue (Note, this is not the fault of phyMyAdmin, but it would be nice if they wrote a bit of code to address this situation).  The error message that can be coaxed out of Lighttpd by taking that line of code and placing it in a file by itself is: Timezone database is corrupt – this should ''never'' happen! (thanks to this site for a key bit of information on that issue: https://e3fi389.wordpress.com/2014/12/07/timezone-database-is-corrupt-date-error-in-openwrt/)


*'''ALSO MAKE SURE TO INSTALL THE APPROPRIATE TIME ZONE MODULE, IN ADDITION TO THE DEFAULT''' zoneinfo-core: opkg install zoneinfo-northamerica (for example)
*'''ALSO MAKE SURE TO INSTALL THE APPROPRIATE TIME ZONE MODULE, IN ADDITION TO THE DEFAULT''' zoneinfo-core: opkg install zoneinfo-northamerica (for example)
Line 1,978: Line 2,394:


*wget <nowiki>https://files.phpmyadmin.net/phpMyAdmin/4.9.5/phpMyAdmin-4.9.5-english.tar.gz</nowiki> (or whatever the latest version is)
*wget <nowiki>https://files.phpmyadmin.net/phpMyAdmin/4.9.5/phpMyAdmin-4.9.5-english.tar.gz</nowiki> (or whatever the latest version is)
*If not installed, wget needs: opkg install libustream-mbedtls20150806 (or whatever other version, type opkg list libustream* to see available packages)
*If not installed, wget needs: opkg install ca-certificates
*tar -xzvf phpMyAdmin-4.9.5-english.tar.gz
*tar -xzvf phpMyAdmin-4.9.5-english.tar.gz
*mv WhatEverUnTarredDirectory /usr/share/apache/htdocs OR WhatEverLighttpd Directory
*mv WhatEverUnTarredDirectory /usr/share/apache/htdocs OR WhatEverLighttpd Directory
Line 2,023: Line 2,439:
**post_max_size = 128M
**post_max_size = 128M
**max_file_uploads = 20
**max_file_uploads = 20
*If using FPM, change the following in /etc/php7-fpm.d/www.conf (Corrects a non-responsive condition with .PHP Files, perhaps due to how fast OpenWRT cleans up unused chlidren, but root cause unknown, only increasing resources solves the issue)
**pm.max_children = 50
**pm.min_spare_servers = 4
**pm.start_server = 5
**pm.max_spare_servers = 6
**If MIN and MAX aren't set appropriately, this error will occur: ALERT: [pool www] pm.start_servers(5) must not be less than pm.min_spare_servers(1) and not greater than pm.max_spare_servers(3)
*Make sure bzip2 is installed or the myAdminPHP will complain.
*PHP.ini: Add this line: extension=mysql.so
*To diagnose any issues when attempting to access the phpMyAdmin setup this will display the error message (look for the line that says WarnMissingExtension to spot missing modules): php-cli /usr/share/apache2/htdocs/phpMyAdmin/setup/index.php
*To diagnose any issues when attempting to access the phpMyAdmin setup this will display the error message (look for the line that says WarnMissingExtension to spot missing modules): php-cli /usr/share/apache2/htdocs/phpMyAdmin/setup/index.php
*One final note on Blank Page errors: Watch out for any minor typos in the config.inc.php file like a missing double quote ( " ) or single quote ( ' ) / AKA apostrophe.  It will cause a 'blank page error', with nothing in the PHP, Apache, or other error logs.


=====LetsEncrypt / ACME=====
=====LetsEncrypt / ACME=====
Line 2,058: Line 2,483:
*opkg install htop restic luci-app-uhttpd libustream-mbedtls20150806 zoneinfo-northamerica
*opkg install htop restic luci-app-uhttpd libustream-mbedtls20150806 zoneinfo-northamerica


==== Full Versions of Commands available in BusyBox (but limited in BB due to size constraints) ====
====Full Versions of Commands available in BusyBox (but limited in BB due to size constraints)====


* opkg list coreutils*
*opkg list coreutils*
* opkg list shadow*
*opkg list shadow*
* opkg list procps*
*opkg list procps*


Additional commands are hidden in various other non-intuitive locations.  If a desired command or utility isn't available, search for it by name in the LuCI GUI interface, System, Software, Filter Field and then install the package it is contained in.  Use caution as some package names and descriptions are a bit misleading and may install undesired programs.
And thankfully OPKG doesn't support installing utilities via wildcards.  Solution?  Up, see example below using ''coreutils-'' (which always has a dash after coreutils);<syntaxhighlight lang="text">
opkg list | grep coreutils- | awk '{print $1}' | xargs opkg install
</syntaxhighlight>Additional commands are hidden in various other non-intuitive locations.  If a desired command or utility isn't available, search for it by name in the LuCI GUI interface, System, Software, Filter Field and then install the package it is contained in.  Use caution as some package names and descriptions are a bit misleading and may install undesired programs.


====Alternate Shells====
====Alternate Shells====
OpenWRT uses the ASH (put in CAPS to make it stand out, but technically correctly referred to as ash) as the default shell within the BusyBox Binary / Executable.  There are other choices.  See the following two articles for an excellent explanation;
OpenWRT uses the ASH (put in CAPS to make it stand out, but technically correctly referred to as ash, same for bash / BASH) as the default shell within the BusyBox Binary / Executable.  There are other choices.  See the following two articles for an excellent explanation;


*https://www.howtogeek.com/68563/htg-explains-what-are-the-differences-between-linux-shells/
*https://www.howtogeek.com/68563/htg-explains-what-are-the-differences-between-linux-shells/
Line 2,074: Line 2,501:
To install the ''chsh'' utility: opkg install shadow-chsh
To install the ''chsh'' utility: opkg install shadow-chsh


====Network Tools for Diagnostics====
=====Login=====
A tool to see all the ports a router is listening on: lsof -i -P -n | grep LISTEN (install the package with this command: opkg install lsof)
When logging into a command prompt via SSH, by default DropBear is the SSH / SSHD Server / Daemon that responds.  Various things take place as configured in the /etc/init.d/dropbear file which also calls other scripts, including /lib/functions.sh and other scripts in the /lib/functions directory.  A quick examination of the scripts seem to indicate the capacity to detect if a full version of BASH has been installed, but upon testing it doesn't work (if the functionality is there at all).  To change the login shell, edit the /etc/passwd file (Caution: it is recommended to leave a shell open that will continue to use the old settings if something goes wrong when modifying the shell).


To see services listening on specific ports: netstat -lnp | grep WhatEverPortNumber
*ASH: root:x:0:0:root:/root:/bin/ash
*BASH: root:x:0:0:root:/root:/bin/bash


To install all of the above noted utilities;
=====SHELLS File=====
The /etc/shells file contains a list of the various shells installed.  By default, it contains a single line: /bin/ash


*opkg update
=====ASH (the BusyBox version of BASH (much smaller))=====
*opkg install lsof
Both /bin/''sh'' and /bin/''ash'' redirect to /etc/busybox by default in OpenWRT.


====File Transfer Programs====
Two main files are used to configure profile settings


=====SCP=====
*/etc/profile: All user settings
Copy files between Linux machines using SCP, which in turn uses the SSH protocol (IE, nothing has to be installed on the client)
*/~/.profile (/root/.profile for the root user): individual user settings


To copy from one router to another: scp -r /local/directory UserName@RemoteIPAddress:/remote/
Additional configuration documentation can be found here: https://linux.die.net/man/1/ash


=====WinSCP=====
=====BASH (the full version)=====
A free Windows based program that enables easy Explorer like file transfers between a Windows Computer and a router via the SSH protocol (built into OpenWRT and enabled by default): https://winscp.net/eng/index.php
As noted, the default shell for OpenWRT is ASH.  Check the /etc/passwd file for which shell the root user uses. For ASH, it will be /bin/ash, for BASH, it will be /bin/bash. Also try typing the ''env'' command, find the line in the output that states: SHELL=/bin/ash or /bin/bash


Note: SCP is not the fastest file transfer method, as it uses a copious CPU amount, but it is convenient.  For large file transfers configure SAMBA (see below).
opkg install bash


*
Bash has several advantages, including keeping a history of commands that persists across reboots.
 
=====FISH=====
 
=====ZSH=====
 
=====Changing Shells=====
Install "Change Shell": opkg install shadow-chsh
 
List available shells: cat /etc/shells OR chsh -l (NOTE: The chsh -l command doesn't work in OpenWRT as it does in other Linux distributions because chsh was compiled without the -l option, presumably for space considerations)
 
Change shell: chsh -s /bin/bash (this will also allow history commands to persist too.) OR just type chsh and it will prompt you to change to a different shell.
 
=====Profiles=====
By default, all profiles are configured via the /etc/profile file.  If multiple users are configured, each time a user logs into a command prompt, their profile will be configured with information in this file.
 
There are some indications that OpenWRT used /etc/scripts/misc/profile.sh as a method to configure profile environment variables about a decade ago.
 
====Network Tools for Diagnostics====
A tool to see all the ports a router is listening on: lsof -i -P -n | grep LISTEN (install the package with this command: opkg install lsof)
 
To see services listening on specific ports: netstat -lnp | grep WhatEverPortNumber
 
To install all of the above noted utilities;
 
*opkg update
*opkg install lsof
 
====File Transfer Programs====
 
=====SCP=====
Copy files between Linux machines using SCP, which in turn uses the SSH protocol (IE, nothing has to be installed on the client)
 
To copy from one router to another: scp -r /local/directory UserName@RemoteIPAddress:/remote/
 
=====WinSCP=====
A free Windows based program that enables easy Explorer like file transfers between a Windows Computer and a router via the SSH protocol (built into OpenWRT and enabled by default): https://winscp.net/eng/index.php
 
Note: SCP is not the fastest file transfer method, as it uses a copious CPU amount, but it is convenient.  For large file transfers configure SAMBA (see below).
 
*


===Samba Server and File Sharing===
===Samba Server and File Sharing===
Line 2,104: Line 2,573:
*opkg install samba36-server OR opkg install samba4-server samba4-utils
*opkg install samba36-server OR opkg install samba4-server samba4-utils
*opkg luci-app-samba OR opkg install luci-app-samba4
*opkg luci-app-samba OR opkg install luci-app-samba4
*For additional Samba related tools: opkg install samba4-client samba4-admin samba4-utils
*smbpasswd -a root (or whatever user is desired)
*smbpasswd -a root (or whatever user is desired)


Line 2,171: Line 2,641:
         # Below is the key to getting Samba Server to work with Windows 10
         # Below is the key to getting Samba Server to work with Windows 10
         map to guest = Never
         map to guest = Never
</syntaxhighlight></div></div>There are so many different sources that babble about solving the Samba / Windows 10 issues that include ntlm = true, server min protocol = SMB3, min protocol = SMB3, blah, blah, blah.  Nothing works.  All of these items seem to be set correctly with default values as of a version of Samba sometime after 2019, so they do not fix the issue.  For the "You can't access this shared folder because your organization's security policies block unauthenticated guest..." Error Message, the above noted ''map to guest = Never'' solves the issue
</syntaxhighlight></div></div>There are so many different sources that babble about solving the Samba / Windows 10 issues that include ntlm = true, server min protocol = SMB3, min protocol = SMB3, blah, blah, blah.  Nothing works.  All of these items seem to be set correctly with default values as of a version of Samba sometime after 2019, so they do not fix the issue.  For the "You can't access this shared folder because your organization's security policies block unauthenticated guest..." Error Message, the above noted ''map to guest = Never'' solves the issue.  And whenever creating new shared directories, uncheck "Allow guests" (OpenWRT enables this by default).


Then dd a Network Share: In LUCI GUI, Service, Network Shares, General Settings or Edit Template Tab, enter a Name and a Path, the other defaults are fine.
Then dd a Network Share: In LUCI GUI, Service, Network Shares, General Settings or Edit Template Tab, enter a Name and a Path, the other defaults are fine.
Line 2,179: Line 2,649:
And lastly, remember if one attempts to share the "Root Directory" ( / ), none of the sub directories will open, because of the way the OpenWRT file system works.
And lastly, remember if one attempts to share the "Root Directory" ( / ), none of the sub directories will open, because of the way the OpenWRT file system works.


===POPTOP / PPTPD===
====Free Space Tip for Samba====
First a warning so no one gets frustrated.  Right out of the box, the configuration for PPTPD from OpenWRT is brokenThe hint was found here: https://forum.openwrt.org/t/default-config-file-for-pptpd-lacks-logwtmp-option/4795  And as of 8.2020 it is still busted.  How to fix it?  Well, follow the below directions.
In some circumstances Samba will not report the correct amount of free spaceThis can be quite frustrating when one knows there is enough free space to copy a file, but an obnoxious error message pops up declaring that there needs to be X amount of more free space.


option 'logwtmp' '0'
This can occur when one is accessing an external USB Flash Drive under /mnt (for example /mnt/sda1).  Samba will report the free space of the root drive of the router instead of the USB Flash Drive.  The root drive of the router is often time the internal NVRAM.  If one is using the overlay capability of OpenWRT (look it up), this often won't come up as the issue will be masked by the /overlay having an abundant amount of free space.


====Installation====
The hint was found here: https://superuser.com/questions/1423396/samba-reports-incorrect-disk-space-when-on-shared-mount-points-not-directly-bene
opkg install pptpd ppp (dependencies will automatically be installed if just pptpd is installed)


There is no LuCI GUI available
And that person was kind enough to cite the Samba Documentation: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#idm2835<nowiki/>(although they didn't include the anchor link at the end, but it was added here so there wouldn't be any need to scroll down to find it, plus the Samba people that created the documentation page were also kind enough to include a name (ID would work too) attribute so a URL anchor could be used).


====Configuration and other PPTPD Related File Locations====
Below is the code (minus the comments if one wishes) that can be added in the LuCI GUI, Services, Network Shares, Edit Template Tab.<syntaxhighlight lang="text">
OpenWRT PPTPD Configuration File: /etc/config/pptpd
### The dfree command refers to a script (next two lines) that cause Samba to correctly calculate free space for each
### Directory.  This comes into play when accessing an external USB Flash Drive under /mnt/sda1 for instance.  Samba
### will incorrectly report the internal NVRAM size instead of the USB Flash Drive free space.
### #!/bin/sh
### df  $1 | tail -1 | awk '{print $2" "$4}'
dfree command = /usr/local/samba/dfree
</syntaxhighlight>Don't forget to create the script file (see code above or below);<syntaxhighlight lang="text">
#!/bin/sh
df  $1 | tail -1 | awk '{print $2" "$4}'
</syntaxhighlight>


PPTPD Configuration File: /etc/pptpd.conf* (BIG Asterisk here, see below)
====WINS (Windows Internet Naming Service) for Samba====
{{:OpenWRT_WINS_with_Samba}}


(This can be seen in the /etc/init.d/pptpd startup script where the actual location is /tmp/etc/pptpd.conf.  This makes sense if PPTPD within the OpenWRT configuration paradigm)
===POPTOP / PPTPD===
First a warning so readers don't get frustrated:  Out of the box (as in a virgin installation of the POPTOP / PPTPD Package), the configuration for PPTPD from OpenWRT as of 8.2020 is broken and will not function.  Credit and thanks to this web site for a hint on correcting the default configuration was found here: https://forum.openwrt.org/t/default-config-file-for-pptpd-lacks-logwtmp-option/4795  How to fix it?  Well, follow the below directions.  Hint: The key is setting the ''option 'logwtmp' '0''' directive in the /etc/config/pptpd file (see below for more information).


PPP Configuration Files: /etc/ppp
And yes, for all the haters out there, PPTP is essentially broken as of 2021 and nobody is planning on fixing it or updating anything, so use OpenVPN to be secure.  But...  It is still useful to have this as a backup method of access to a router.  Plus the firewall can be configured such that the PPTP ports are only open to certain IP Addresses.  And given that we live in a world where the weakest link in any system is the human being, not technology, it's OK to have PPTP available if one needs it.  So to all the nay sayers: Shhhhhhh.  Because even if one is using PPTP and it has been compromised, guess what?  If one is using Secure Shell / SSH or the LuCI GUI over HTTPS then it doesn't matter that PPTP has been compromised.  So again, shhhhhh...


chap-secrets (AKA User Names and Passwords for PPTPD): /etc/ppp/chap-secrets (/tmp/etc/chap-secrets)
====Installation====
See the PPTP for Clients a couple of sub sectins below and make sure the package (opkg install kmod-nf-nathelper-extra) for that is installed and configured (read in the PPTP Client Section above) too.  The client software may or may not be necessary for the Server service to work. 


Resolve File: /etc/ppp/resolv.conf (/tmp/resolv.conf.ppp)
opkg install pptpd ppp (dependencies will automatically be installed if just pptpd is installed)


NOTE: Several of the above files are symbolic links.  The original files are noted in parenthesis ( ).
There is no LuCI GUI available.  Given there is no LuCI GUI it is a bit odd the configuration of PPTPD is done through an /etc/config/ppptd file, which is usually reserved for services that have a companion LuCI GUI available.  There is a dependency package named luci-proto-ppp that gets installed, but there doesn't seem to be any GUI interface other than maybe something in the System, Realtime Graphs section of the LuCI GUI for PPP traffic (and that's just speculation) .
 
====POPTOP / PPTPD Configuration Files and other Related File Locations====
 
*OpenWRT PPTPD Configuration File (Hint: Make use of this one, even though there is no LuCI GUI interface, see information later in this section): /etc/config/pptpd
*PPTPD Configuration File: /etc/pptpd.conf* (BIG Asterisk here, see below) (as part of the /etc/init.d/pptpd startup script, this file is copied to /var/etc/pptpd.conf.  This could be changed in the startup script, but to keep things withing the OpenWRT configuration paradigm things can be left as they are, but just know this is going on behind the scenes.)
*PPP Configuration Files: /etc/ppp
**/etc/ppp/chap-secrets (AKA User Names and Passwords for PPTPD): /etc/ppp/chap-secrets (the /etc/ppp/chap-secrets is actually "located" here /tmp/etc/chap-secrets and is dynamically generated by the /etc/init.d/pptpd startup script.  When PPTPD is started a symbolic link is created as /etc/ppp/chapt-secrets which is pointed to /tmp/etc/chap-secrets.  It should also be noted the pptpd package contains an /etc/ppp/chap-secrets file that is empty except for some commented out column headings.  This might lead one to believe that this is the file where user names and passwords are created for PPTPD.  This is not the case.  The user names and passwords are dynamicaly generated as previously noted and the information used when it is generated is derived from the /etc/config/ppptp file.  So make sure user names and passwords are created in the /etc/config/pptpd file in the format noted in the example below)
**/etc/ppp/filter (OpenWRT PPTPD doesn't seem to utilize the settings in this file, even though it is included, so probably relegated to PPP only stuff.  Research indicates it seems to be related to "allowed" outbound protocols)
**/etc/ppp/options (This file contains the ppp (Point to Point Protocol) configuration and can be left with default settings.  Do not confuse it with the options.pptpd file which is used for PPTPD PPP settings.  IE, PPP is used for more than PPTPD and the plain options file is just for PPP)
**/etc/ppp/options.pptpd (this file is copied to /var/etc/options.pptpd in the /etc/init.d/pptpd startup script)
**/etc/ppp/resolv.conf (this file isn't necessary for PPTPD to function, but can be used for DNS name resolution.) (The /etc/ppp/resolv.conf file is also a symbolic link pointing to /tmp/resolv.conf.ppp, which is created by other OpenWRT services.)


====Configuring PPTPD====
====Configuring PPTPD====
Again a reminder that there is no LuCI GUI for PPTP (maybe there once was, but not likely to see one in the future).  But it's still better to configure things within the confines of the OpenWRT system.
First, configure the /etc/config/pptpd file.  Below is a working example;<syntaxhighlight lang="text">
First, configure the /etc/config/pptpd file.  Below is a working example;<syntaxhighlight lang="text">
config service 'pptpd'
config service 'pptpd'
option 'enabled' '1'
option 'enabled' '1'
option 'localip' 'W.X.Y.Z-ABC'
option 'remoteip' 'W.X.Y.Z-ABC'
option 'logwtmp' '0'
option 'logwtmp' '0'


Line 2,219: Line 2,711:
option 'username' 'AnotherUserNameETC'
option 'username' 'AnotherUserNameETC'
option 'password' 'AnotherPaswordETC'
option 'password' 'AnotherPaswordETC'
</syntaxhighlight>Notice the ''option 'logwtmp' '0'<nowiki/>'' line.  It MUST be included for the service to start (or the startup script has to be modified).  And of course substitute the W.X.Y.Z and ABC with your own IP Address range.
</syntaxhighlight>Notice the ''option 'logwtmp' '0'<nowiki/>'' line.  It MUST be included for the service to start (or the startup script in /etc/init.d/pptpd has to be modified).  And of course substitute the W.X.Y.Z and ABC with your own IP Address range.


The above noted "logwtmp" setting is NOT included in the default pptpd file.  That's odd, because the /etc/init.d/pptpd startup script explicilty checks for the existence of that setting and will show an "sh: out of range" error message if it is not included.  And the main OpenWRT [https://openwrt.org/docs/guide-user/services/vpn/pptp/basic documentation page for PPTPD] does not mention it at all.  It's almost like the nice people at OpenWRT don't want PPTPD to be used.  It is a somewhat "old & busted" VPN protocol (Google it), so using a more modern alternative like OpenVPN would be a good choice.  But sometimes it is necessary to support older protocols such as this.
The above noted "logwtmp" setting is NOT included in the default pptpd file.  That is very, very odd, because the /etc/init.d/pptpd startup script explicilty checks for the existence of that setting and will show an "sh: out of range" error message if it is not included.  So why would the default startup script requre a setting that isn't included in the default configuration file?  Additionally the main OpenWRT [https://openwrt.org/docs/guide-user/services/vpn/pptp/basic documentation page for PPTPD] does not mention it at all.  It's almost like the nice people at OpenWRT don't want PPTPD to be used.  It is a somewhat "old & busted" VPN protocol (Google it), so using a more modern alternative like OpenVPN would be a good choice.  But sometimes it is necessary to support older protocols such as this.


From there everything gets better.  The following files can be manually configured and the PPTPD startup script copies them to the /var/etc directory for the service to use when it starts up;
From there everything gets better.  The following files can be manually configured and the PPTPD startup script copies them to the /var/etc directory for the service to use when it starts up;


*/etc/pptpd.conf (see below for a working version of this file, slightly different than the default OpenWRT version)
*/etc/pptpd.conf (see below for a working version of this file, slightly different than the default OpenWRT version)
*/etc/ppp/options
*/etc/ppp/options (this can be left with default OpenWRT settings)
*/etc/ppp/options.pptpd (see below for a working version of this file, slightly different than the default OpenWRT version)
*/etc/ppp/options.pptpd (see below for a working version of this file, slightly different than the default OpenWRT version)
*/etc/ppp/chap-secrets: This is actually a symbolic link to /var/etc/chap-secrets, and that file is in turn dynamically generated from the information in /etc/config/pptp


Below is a working example of the /etc/pptpd.conf file;<syntaxhighlight lang="text">
Below is a working example of the /etc/pptpd.conf file;<syntaxhighlight lang="text">
Line 2,308: Line 2,801:
option src 'wan'
option src 'wan'
option proto '47'
option proto '47'
</syntaxhighlight>The above ''list dest_ip 'W.X.Y.Z'<nowiki/>'' are only needed if using MWAN3 and can be eliminated from firewall configurations that don't have to consider multiple WAN ports.
 
# ...and while you're in here add the below to the CONFIG ZONE named 'lan' (more information in the next section)
 
list device 'ppp+'
</syntaxhighlight>The above ''list dest_ip 'W.X.Y.Z'<nowiki/>'' are only needed if using MWAN3 and can be eliminated from firewall configurations that don't have to consider multiple WAN ports. If configured it would be set to the WAN IP Addresses of the router.
 
Also in the /etc/config/firewall file is a setting that needs to be added to the 'lan' zone;<syntaxhighlight lang="text">
list device 'ppp+'
 
OR
 
option device 'ppp+'
 
...below is an example of a complete 'lan' zone as it is usually configure within OpenWRT with the 'ppp+' setting at the end;
 
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option family 'ipv4'
option network 'lan'
list device 'ppp+'
 
</syntaxhighlight>The above ''list device 'ppp+'<nowiki/>'' directive is needed for proper routing between remote clients and the router's local subnet.
 
See here for some additional documentation on /etc/config/firewall settings: https://openwrt.org/docs/guide-user/firewall/firewall_configuration


And one last thing to configure are couple of things the startup / shutdown script does not do.
And one last thing to configure are couple of things the startup / shutdown script does not do.
Line 2,323: Line 2,842:


====Additional Information====
====Additional Information====
The [https://openwrt.org/docs/guide-user/services/vpn/pptp/basic information on the OpenWRT site on PPTP] is a bit misleading, because as noted above /etc/pptpd.conf is not the true configuration file. It is actually generated dynamically as many OpenWRT services are.  It also references an issue with the /etc/init.d/pptpd startup script that no longer seems to exist.
The [https://openwrt.org/docs/guide-user/services/vpn/pptp/basic information on the OpenWRT site on PPTP] is a bit misleading (possibly just outdated), because as noted above /etc/pptpd.conf is not the true configuration file. It is actually generated dynamically as many OpenWRT services are.  The article also references an issue with the /etc/init.d/pptpd startup script that no longer seems to exist.
 
This option for the /etc/ppp/options.pptpd is NOT supported by the OpenWRT PPTPD service: require-mppe-128 (an error message of: In file /var/etc/options.pptpd: unrecognized option 'require-mppe-128' error will occur if it is included).  It should also be noted that the mppe-128 is built into the OpenWRT /usr/sbin/pptpd binary / executable file, thus making the setting unneccessary as it is enabled by default (pptp-server.log if enabled shows this: MPPE 128-bit stateless compression enabled).  So do not include require-mppe-128 in the /etc/ppp/options.pptpd.
 
And finally, just because the example given in the OpenWRT tuturoial, is so convoluted and opaqe, is their example (from here: https://openwrt.org/docs/guide-user/services/vpn/pptp/server) explained;<syntaxhighlight lang="text">
uci rename firewall.@zone[0]="lan" <-- Rename the first zone in the /etc/config/firewall file as 'lan'
 
uci rename firewall.@zone[1]="wan" <-- Rename the second zone in the /etc/config/firewall file as 'lan'
 
uci del_list firewall.lan.device="ppp+" <-- Delete the list device 'ppp+' directive in the 'lan' zone of the /etc/config/firewall file
 
uci add_list firewall.lan.device="ppp+" <-- Add that same directive back to the same spot (no it doesn't seem to make much sense to deleted it above, but adding it is a good choice if it isn't there already)


This option for the /etc/ppp/options.pptpd is NOT supported by the OpenWRT PPTPD service: require-mppe-128 (an In file /var/etc/options.pptpd: unrecognized option 'require-mppe-128' error will occur if it is included).  It should also be noted that the mppe-128 is built into the OpenWRT /usr/sbin/pptpd binary / executable file, thus making the setting unneccessary as it is enabled by default (pptp-server.log if enabled shows this: MPPE 128-bit stateless compression enabled).
uci -q delete firewall.pptp <-- Delete any zone titled pptp in the /etc/config/firewall file (maybe to make sure there aren't any incorrect legacy settings, but this assumes the zone is named 'pptp' and won't help if it is named differently


===OpenVPN===
uci set firewall.pptp="rule" <-- Create a new rule with the below settings;
This section is written for people that are experienced with OpenVPN.
uci set firewall.pptp.name="Allow-PPTP"
uci set firewall.pptp.src="wan"
uci set firewall.pptp.dest_port="1723"
uci set firewall.pptp.proto="tcp"
uci set firewall.pptp.target="ACCEPT"
uci commit firewall
</syntaxhighlight>Hint: The same settings can be configured with far fewer keystrokes by simply editing the /etc/config/firewall file.  The example could also be made far more cleary by directly editing the /etc/config/firewall file, instead of blindly entering a bunch of command, some of which are useless.  Additionaly, some won't work correctly if the 'lan' and 'wan' zones aren't at index 0, and 1, as they are by default (IE, if someone has manually added additional zones).


The LuCI interface provides a nice interface for keeping track of OpenVPN Server and Client configuration, plus editing and enabling and disabling a specific Server or Client configuration fileOpenVPN for OpenWRT operates as it did for CentOS 6 where a single "OpenVPN Service" would "spawn" multiple instances of the OpenVPN binary / executable depending on how many Server and Client configuration files there are.  CentOS 7 and newer has it configured such that each instance of an OpenVPN Server and / or Client configuration file requires a separate service.
====PPTP (Point to Point Tunneling Protocol) for PPTPD / Server and Clients (IE Clients behind the Router using a remote PPTP system)====
Again, to be clear, this section is not just about getting PPTP / POPTOP service / daemon working on a router, although it is necessaryThis section is also about a router allowing PPTP connections to pass through it, IE if you're not worried about a PPTPD / Server, but you want clients on an internal network to "dial out" to another PPTPD / Server, this is needed.


====Installation====
OpenWRT defines the use of PPTP Clients on the LAN side of a router that wish to connect to a PPTP server via the internet as NAT traversal for PPTP.  Default installations of OpenWRT do not have the capability to facilitate PPTP connections by clients (IE, computers on the LAN side of the router).  The following software package must be installed;


*opkg update
*opkg update
*opkg install openvpn-easy-rsa openvpn-openssl (Any dependencies will automatically be installed, also see Notes section below)
*opkg install kmod-nf-nathelper-extra
*Install the LuCI GUI interface for OpenVPN manually (see note below on the LuCI, System, Software installation for the OpenVPN LuCI GUI below)
**opkg download luci-app-openvpn
**opkg install WhatEverTheFileNameThatGetsDownloaded


====Files & Directories====
The instructions on enabling the capability is a bit lacking on the OpenWRT site, so below is an improved explanation.  After installing the above package, do the following;


*/etc/config/openvpn: File for OpenVPN connections configured within the LuCI GUI interface AND "includes" for additional OpenVPN configuration files
*Create a file named 20-nf-conntrack-helper.conf in /etc/sysctl.d: nano /etc/sysctl.d/20n-nf-conntrack-helper.conf
*/etc/openvpn: Directory for storing all other OpenVPN settings and OpenSSL settings related to OpenVPN
*Add a single line of code in the 20-nf-conntrack-helper.conf file to enable the program: net.netfilter.nf_conntrack_helper = 1
*/etc/openvpn/keys: Common directory name for storing OpenVPN certificates.  Manually create.
*Save the file: CTRL + O, then exit nano: CTRL + X
*/etc/openvpn/ccd: Common directory name for storing OpenVPN client configuration settings.  Manually create.
*Restart the sysctl service: service sysctl restart
*/etc/openvpn/client: Unused by the OpenWRT version of OpenVPN, sometimes used with other Linux distributions (CentOS, etc.).  It is recommended to store all Server and Client configuration files in /etc/openvpn as that is the only directory scanned by the /etc/init.d/openvpn OpenVPN Service startup script.
 
*/etc/openvpn/server: Unused by the OpenWRT version of OpenVPN, sometimes used with other Linux distributions (CentOS, etc.).  It is recommended to store all Server and Client configuration files in /etc/openvpn as that is the only directory scanned by the /etc/init.d/openvpn OpenVPN Service startup script.
PPTP should now work for clients wishing to use PPTP connections.
*etc/openvpn/openvpn-ssl.cnf: Common configuration file name for OpenSSL settings when creating certificates for OpenVPN
 
As has been mentioned and will continue to be mentioned, it is understandable that the OpenWRT documentation may be lacking in some ways.  Creating and writing good documentation is difficult and time consuming.  The nice people responsible for OpenWRT spend most of their time making things work, improving functionality, adding new firmware for new routers, etc..  This leaves little time for good documentation.  So for all the nice people that work so hard on OpenWRT, thank you.  And no offense meant.  The rather cryptic several lines written by the author of the below noted article for more information very likely uses that "shortcut" to create files or may have thought it was helpful to present it in that way.  And it may work for some people.  But it was decided to present it here slightly differently as done above.
 
More information on enabling the feature can be found here: https://openwrt.org/docs/guide-user/services/vpn/pptp/nat_traversal
 
===OpenVPN===
This section is written for people that are experienced with OpenVPN.
 
REMEMBER (It will make sense later, and is worth pointing out at the beginning):Certificates are a requirement of encrypted communication for OpenVPN.  That part of OpenVPN is made possible by OpenSSL.  Two things to remember are these;
 
*The /etc/openvpn/openvpn-ssl.cnf file contains a major flaw as it delivered by OpenWRT in the software package.  There is a directive line (default_md    = md5) that will not work with the version of OpenVPN provided by OpenWRT (it's actually been that way for several versions.  The directive instructs OpenSSL to produce certificates using a method that has been deemed comprimised.  The line should instead read: default_md    = sha256
*There's also a frustrating issue that comes up with a newly created certificate that won't work until the next day.  Solution?  Set the time of the router to a day or so in the past.  Now that can be an adventure because it can't be done via the LuCI GUI.  It can of course be done via the command line or Webmin.
 
The LuCI interface provides a nice interface for keeping track of OpenVPN Server and Client configuration, plus editing and enabling and disabling a specific Server or Client configuration file.  OpenVPN for OpenWRT operates as it did for CentOS 6 where a single "OpenVPN Service" would "spawn" multiple instances of the OpenVPN binary / executable depending on how many Server and Client configuration files there are.  CentOS 7 and newer has it configured such that each instance of an OpenVPN Server and / or Client configuration file requires a separate service.
 
====Installation====
 
*opkg update
*opkg install openvpn-easy-rsa openvpn-openssl (Any dependencies will automatically be installed, also see Notes section below)
*Install the LuCI GUI interface for OpenVPN manually (see note below on the LuCI, System, Software installation for the OpenVPN LuCI GUI below)
**opkg download luci-app-openvpn
**opkg install WhatEverTheFileNameThatGetsDownloaded
 
====Files & Directories====
 
*/etc/config/openvpn: File for OpenVPN connections configured within the LuCI GUI interface AND "includes" for additional OpenVPN configuration files
*/etc/openvpn: Directory for storing all other OpenVPN settings and OpenSSL settings related to OpenVPN
*/etc/openvpn/keys: Common directory name for storing OpenVPN certificates.  Manually create.
*/etc/openvpn/ccd: Common directory name for storing OpenVPN client configuration settings.  Manually create.
*/etc/openvpn/client: Unused by the OpenWRT version of OpenVPN, sometimes used with other Linux distributions (CentOS, etc.).  It is recommended to store all Server and Client configuration files in /etc/openvpn as that is the only directory scanned by the /etc/init.d/openvpn OpenVPN Service startup script.
*/etc/openvpn/server: Unused by the OpenWRT version of OpenVPN, sometimes used with other Linux distributions (CentOS, etc.).  It is recommended to store all Server and Client configuration files in /etc/openvpn as that is the only directory scanned by the /etc/init.d/openvpn OpenVPN Service startup script.
*etc/openvpn/openvpn-ssl.cnf: Common configuration file name for OpenSSL settings when creating certificates for OpenVPN


====Configuration====
====Configuration====
Working example of a Server configuration file;<syntaxhighlight lang="text">
OpenWRT LuCI Configuration File (/etc/config/openvpn) for a single OpenVPN Service instance;<syntaxhighlight lang="text">
config openvpn 'Server'
option config '/etc/openvpn/Server.conf'
option enabled '1'
</syntaxhighlight>
The LuCI GUI can be used in a myriad of ways.  The most basic of which is to manage OpenVPN configuration files that are created in a text editor.
 
Working example of an OpenVPN Server configuration file (not to be confused with the OpenWRT Luci configuration file, see above);<syntaxhighlight lang="text">
#If more than one WAN then use multihome directive
#multihome
dev tun2
dev tun2
topology subnet
push "topology subnet"
mode server
ifconfig W.X.Y.Z 255.255.255.0
ifconfig-pool W.X.Y.100 W.X.Y.199 255.255.255.0
route-gateway W.X.Y.Z
push "route-gateway W.X.Y.Z"
port 1194
port 1194
proto udp
proto udp
verb 3
verb 3
push "route 192.168.1.0 255.255.255.0"
route W.X.Y.Z 255.255.255.0
#Can be handled in CCD files
#push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
client-config-dir ccd
client-to-client
client-to-client
tls-server
tls-server
keepalive 15 120
keepalive 15 120
ca /etc/openvpn/keys/CA.for.WRT3200ACM/ca.crt
ca /etc/openvpn/keys/WhatEverPath/ca.crt
cert /etc/openvpn/keys/CA.for.WRT3200ACM/server.wrt3200acm.crt
cert /etc/openvpn/keys/WhatEverPathserver/WhatEverCrt.crt
key /etc/openvpn/keys/CA.for.WRT3200ACM/server.wrt3200acm.key
key /etc/openvpn/keys/WhatEverPath/WhatEverKey.key
dh /etc/openvpn/keys/CA.for.WRT3200ACM/dh2048.pem
dh /etc/openvpn/keys/WhatEverPath/dh2048.pem
</syntaxhighlight>In the above configuration file, it is assumed the local subnet is 192.168.1.0/24 and that keys have already been generated (see below section for using Webmin to generate certificates).  The above storage location for keys is just an example that can be customized to any directory.
</syntaxhighlight>In the above configuration file, it is assumed that keys have already been generated (see below section for using Webmin to generate certificates).  The above storage location for keys is just an example that can be customized to any directory.
 
=====PID File (if needed)=====
If there's a situation where a PID file is needed to keep track of OpenVPN functionality, thankfully OpenWRT has not included that in their init.d configuration.  But it can be added.  Below is what needs to be added to the /etc/init.d/openvpn file.  It can also be added to the configuration file for an instance of OpenVPN Server or Client.<syntaxhighlight lang="text">
...in the "openvpn_add_instance" section, add the line in between --->  <----.  The rest of the surrounding code for that single line is already there and is just put here for reference.  An obviously don't include the ---> or <--- "arrows";
 
openvpn_add_instance() {
local name="$1"
local dir="$2"
local conf="$3"
 
procd_open_instance "$name"
procd_set_param command "$PROG" \
--syslog "openvpn($name)" \
--status "/var/run/openvpn.$name.status" \
--cd "$dir" \
--->    --writepid "/var/run/openvpn.$name.pid" \    <----
--config "$conf"
procd_set_param file "$dir/$conf"
procd_set_param term_timeout 15
procd_set_param respawn
procd_append_param respawn 3600
procd_append_param respawn 5
procd_append_param respawn -1
procd_close_instance
}
 
 
 
...and at the bottom of the file, add the following (it removes the PID file after the OpenVPN service / daemon is stopped;
 
stop_service()
{
rm /var/run/openvpn*
}
</syntaxhighlight>


=====Firewall=====
=====Firewall=====
Line 2,378: Line 2,996:
The standard OpenVPN Server Port is 1194 UDP
The standard OpenVPN Server Port is 1194 UDP


=====Certificate Management for OpenVPN with Webmin=====
=====Network=====
First the reminders;
...this section not complete (among others)


*Do NOT use Webmin for OpenVPN settings
/etc/config/firewall;
*ONLY use it for Certificate management for OpenVPN.


Settings for the OpenVPN + CA (Certificat Managment) Module;<syntaxhighlight lang="text">
config zone
status_cmd=
openvpn_servers_subdir=
start_cmd=/etc/init.d/openvpn start
openvpn_home=/etc/openvpn
openvpn_keys_subdir=keys
stop_cmd=/etc/init.d/openvpn stop
openvpn_pid_path=/var/run
openvpn_version=2.4.7
openvpn_path=/usr/sbin/openvpn
zip_cmd=/usr/bin/gzip
log_lines=9999
openvpn_clients_subdir=
openvpn_pid_prefix=openvpn
openssl_home=/etc/openvpn/openvpn-ssl.cnf
openssl_path=/usr/bin/openssl
openssl_version=1.1.1g
log_refresh=
default_server=
tail_cmd=


</syntaxhighlight>
   option name 'OpenVPN'


====Notes====
   option input 'ACCEPT'


*Use the OpenSSL version of OpenVPN (openvpn-openssl), not the mbedTLS (openvpn-mbedtls), and definately not openvpn-nossl (there is no security, but possibly good for testing configuration files).  See [https://community.openvpn.net/openvpn/wiki/Using-mbedtls?__cf_chl_jschl_tk__=ff3c180e8bbe2b915b0183749a92b047e7d74777-1595651545-0-AX2laPnquTrHAziLcg-vt2ugt_LSqNFn5HBLAiMbNYHMAMochho8hSmQ7j94L_lu71l0UE4riG5ue4jwMfskumWXabSBHXcSICCRTMPy1isqlrz6XYDWZZg4sa7cpHJ1clUqABtwFpMLy4jJYqIGdq0MOqmzBR46YCIHim-bxfB_JtAqi4ZpLEfqyF1TSaEYaEaHn0sqxvx2T-8L6d6M3OcHUoL0SL3aoAokmm-mweQTmUWRXSlz4h94_u7DakllFWkPk_xpIAhCKsSNPon3M5Fd62uoFpZCPRFTHP8_nNuWT98oo-IbkeHi8oxbYKU1OQ here] for additional information
   option forward 'ACCEPT'
*If the /etc/config/openvpn file contains any sort of syntax error (if the file has been modified in a text editor for example), the configuration file will upload, but it will not be displayed as available in the LuCI OpenVPN GUI.
*There's a bit of an issue with the OpenVPN LuCI interface when using the OVPN configuration file upload.  When the Browse button is clicked, the initial "Choose File to Upload" dialogue selects .ovpn as the default file extension.  This might lead one to believe that any files uploaded should have a file name that ends in .ovpn.  This is not the case.  A quick inspection of the /etc/init.d/openvpn file for the OpenVPN service reveals that it scans for files ending in .conf. So make sure any files uploaded via the LuCI GUI interface for OpenVPN end in .conf.
*The /etc/openvpn Directory contains two sub-directories: client and server.  These are default OpenVPN directories, but it also implies that Server and Client configuration files should be placed in these directories.  This is not the case.  An examination of the /etc/init.d/openvpn OpenVPN configuration file revealse that it only scans the /etc/openvpn Directory for configuration files.  Additionally, the LuCI GUI interface for OpenVPN places the files in /etc/openvpn and does not scan the sever and client sub-directories for additional configuration files.
*As of 8.2020, there is also an issue with the version number of of the LuCI GUI for OpenVPN (luci-app-openvpn).  The package version displayed via the System, Software page in the LuCI GUI displays git-2.229...  Downloading the IPK file manually (opkg download luci-app-openvpn) results in version git-2.234...  Additionally, the installation or upgrade via the LuCI GUI for the OpenVPN LuCI GUI interface seems to be unreliable.  The recommendation is to download manually (opkg download luci-app-openvpn) and install the downloaded file (opkg install WhatEverTheNameOfTheFileIs)
*Sadly, possibly due to space constraints and the desire to have the smallest binary / executable file possible for OpenVPN, the OpenWRT version does not contain any "help" information (IE, openvpn --help produces no output)


To install OpenVPN with OpenSSL and the LUCI GUI for it (under VPN)
   option output 'ACCEPT'
 
   option network 'TUN002 TUN1'
 
config rule


*opkg update
   option dest_port '1194'
*opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn luci-ssl-openssl (openssl-util and other dependencies will automatically install)
*OpenVPN will be available under LuCI GUI, VPN, OpenVPN (Remember to refresh the web browser window to display the new category (Firefox: CTRL + Refresh) or log out and log back into the LuCI GUI)


===ProFTPD===
   option src 'wan'
ProFTPD does not seem to be available as an OpenWRT package anymore.  At some point (appx. 2012 or earlier) it was, as evidenced by: https://openwrt.org/docs/guide-user/services/nas/ftp.overview


Use vsFTPD instead.
   option name 'OpenVPN_TCP_UDP_1194_WRT1900ACS'


===vsFTPD===
   list dest_ip <nowiki>''</nowiki>


====Installation====
   option target 'ACCEPT'
opkg update


opkg install vsftpd
   option family 'ipv4'


====Configuration====
   list proto 'tcp'
Configuration File: /etc/vsftpd.conf


NOTE 1: The default configuration file (/etc/vsftpd.conf) for VSFTPD will never work under any circumstances for an OpenWRT router that is in a "normal" / default configuration in regards to its firewall and several other items.  It is understood that the OpenWRT developers have better things to do than configuring an old FTP server, but they may as well leave the configuration file blank or perhaps include all of the options, but comment everything out rather than having a configuration file that does nothing more than give an end user false hope.
   list proto 'udp'


NOTE 2: The OpenWRT Package creates an /etc/vsftpd Directory, but it isn't used.  Case in point: The default userlist_file name for the OpenWRT version of VSFTPD is /etc/vsftpd.user_list.  For other platforms such as CentOS, that file is located in the /etc/vsftpd Directory, but for OpenWRT it is located in the /etc Directory.  So why is the /etc/vsftpd Directory created (with nothing in it)?  Best guess is that since other Platforms like CentOS that put configuration files in the /etc/vsftpd Directory, there might be some "template" in the vsftpd source code that creates that Directory by default and the OpenWRT developers forgot to disable that function.
config forwarding


NOTE 3: The /etc/init.d/vsftpd startup script is very simple.  So simple in fact that it requires a setting (listen=YES) in the .conf file for vsFTPD for vsFTPD that documentation indicates is set to "yes" if vsFTPD is NOT run via an init.d script.  In OpenWRT's case, the startup script is so simple it essentially runs vsFTPD as if it were starting from the command line.  This causes no issues, but is a bit counter intutive if one reads the vsFTPD documentation on the "listen" directive.
   option dest 'OpenVPN'


Below is a working configuration file;<syntaxhighlight lang="text">
   option src 'lan'
listen_address=W.X.Y.Z
ftp_data_port=20
listen_port=21


# Remember to configure Firewall settings with equivalent values
config forwarding
pasv_enable=YES
pasv_address=W.X.Y.Z
pasv_min_port=10012
pasv_max_port=10021


session_support=NO
   option dest 'lan'


# OpenWRT Oddity: Even though the vsFTPD Service / Daemon is started via an init.d script, it is a very simple script that essentially does the same thing as starting vsFTPD from the command line, so the following must be set to YES;
   option src 'OpenVPN'
listen=YES


# Banner display does not appear to function in an modern web browser
config forwarding
ftpd_banner=Hello
banner_file=/etc/vsftpd1.banner_file


dirmessage_enable=YES
   option dest 'lan'
message_file=.message


max_login_fails=3
   option src 'wan'
anonymous_enable=NO
check_shell=NO


#
/etc/config/network
chroot_local_user=YES
 
write_enable=NO
config interface 'TUN1'
allow_writeable_chroot=YES
 
local_umask=022
   option ifname 'tun1'
 
   option proto 'static'
 
   option ipaddr 'W.X.Y.Z'
 
   option netmask '255.255.255.0'<br />


# Equivalent to "Run As" Service / Daemon
=====Certificate Management for OpenVPN with Webmin (see Webmin Section below)=====
background=YES
First the reminders;


# Set logged items go to the vsFTPD log instead of the system message log
*Do NOT use Webmin for OpenVPN settings.  Instead use the LuCI GUI and / or edit text files (starting and stopping the service is fine)
syslog_enable=NO
*ONLY use it for Certificate management for OpenVPN.
*Watch out when clicking the "Keys list" link as it is very close to the Remove link.  If the Remove link is clicked, there is no confirmation about deleting the entire Certificate infrastructure.


log_ftp_protocol=YES
======Configuring a Certificate Authority Infrastructure (Certificate Authority, Server Certificate, Client Certificate(s)======
xferlog_std_format=YES
For some odd reason (possibly troubleshooting), it is possible to create an OpenVPN infrastructure that transmits information ''without'' encryption. That's a bit too "open". In order to encrypt communication one must create a "Certificate Infrastructure". This includes first, a Certificate Authority (CA), then a certificate for a Server, then certificate(s) for clients.
xferlog_enable=YES
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd1.standard.log
xferlog_file=/var/log/vsftpd1.xfer.log


local_enable=YES
There are many tutorials on this, all of them use the command line.  Webmin makes it very easy to do and keep track of certificates.  Even with that capability, keeping things in an organized structure is important.  This includes naming conventions.  A CA could be named Mary Poppins.  But that isn't very helpful as a name for a CA if others are involved in managing an infrastructure.
userlist_enable=NO
userlist_deny=NO


# In OpenWRT, the default location is: userlist_file=/etc/vsftpd.user_list (this is very odd given that OpenWRT creates an /etc/vsftpd Directory)
If the Webmin module is configured as noted below, the entire certificate infrastructure (minus OpenSSL settings) will be stored in /etc/openvpn/keys
# On other platforms, like CentOS, the default location is /etc/vsftpd/vsftpd.conf
# Do NOT create the list in anything other than VI or NANO (IE, don't use Windows Explorer, Directory Opus, etc. to create a new file) as there is an issue with Carriage Return / Line Feeds.
# Editing with TextPad later is fine as it seems to respect how the file was created in terms of using CR/LF VS just LF.
userlist_file=/etc/vsftpd1.user_list


</syntaxhighlight>In the above working example, of course replace W.X.Y.Z with an appropriate IP Address.  Astute readers will notice all the file names that might generally start have "vsftpd" in their names instead have "vsftpd1".  The reason for that is because the above working configuration file was used in a situation where a router is configured with two WAN interfaces, with two IP Addresses on two different networks.  See the section on Dual WAN vsFTPD for additional information.
*Create a Certificate Authority


The /etc/vsftpd1.user_list contains a list of users that will be allowed to login if the userlist_enable=YES and userlist_deny=NO settings are present.
======Tips======


NOTE 1: If any of the above referenced files (vsftpd1.user_list, etc.) are not present, the vsftpd service will start and appear to be functioning (PS, TOP, HTOP, etc. will all show it as running), but...  There will be nothing displayed on client FTP software.
*Change the date before configuring any CA infrastructure or Certificate to at least the previous day as sometimes a frustrating problem occurs where the created certificate is not yet valid.
*Routers with Multiple WAN Ports
**For any OpenVPN Server File, use this directive: multihome (research it or Google it)
*Had a "magic / matrix" moment happen when installing the LuCI GUI for OpenVPN. OpenWRT instead downloaded the .ipk file and saved it in the /etc/init.d directory. That messed up all the init.d scripts after that


NOTE 2: Users and Groups can be managed by editing the /etc/passwd (User File) and /etc/group (Group File).  If Webmin (see below) is installed and properly configured, Users & Groups can be managed through its interfaceThe useradd command can be added with: opkg install shadow-useradd
====Webmin for OpenVPN and Certificate Management====
Only some features of the Webmin Module are useful.  First and foremost is the Certificate management.  Works great.  As noted above, watch out when clicking the "Keys list" link as it is very close to the Remove link.  If the Remove link is clicked, there is no confirmation about deleting the entire Certificate infrastructureBad design, oh, well.


NOTE 3: Remember, OpenWRT also uses the /etc/shadow file to store user passwords with MD5 ($1) encryption.
Between the LuCI GUI and Certificate Management portion of Webmin, all aspects of OpenVPN can be conveniently controlled via a GUI interface.


====Firewall====
The log display doesn't work properly, even when log files are configured properly.
Below are the pertienent settings for vsFTPD in the /etc/config/firewall file;<syntaxhighlight lang="text">
config rule
option dest_port '20'
option src 'wan'
option name 'FTP_TCP_20'
list dest_ip 'W.X.Y.Z'
option target 'ACCEPT'
option family 'ipv4'
list proto 'tcp'
 
config rule
option dest_port '21'
option src 'wan'
option name 'FTP_TCP_21'
list dest_ip 'W.X.Y.Z'
option target 'ACCEPT'
option family 'ipv4'
list proto 'tcp'
 
config rule
option src 'wan'
option name 'FTP_PASV'
list dest_ip 'W.X.Y.Z'
option target 'ACCEPT'
option family 'ipv4'
list proto 'tcp'
option dest_port '10012:10021'
</syntaxhighlight>And as usual, substitute a functional IP Address for W.X.Y.Z.  The above configuration includes settings necessary for Passive FTP (see [[wikipedia:File_Transfer_Protocol#Communication_and_data_transfer|here]] for an explanation) used by clients behind a firewall.


====Internet Explorer Workaround====
Editing and managment of the OpenVPN service
If one is using Internet Explorer's FTP capability, there will be an issue if userlist_enable=YES and userlist_deny=NO are set.  Solution?  Add the users 'anonymous' in the vsftpd.user_list file.  Thanks to a top tip from a user named JAYCLEN here: https://bbs.archlinux.org/viewtopic.php?id=158184


====vsFTPD for a dual WAN router====
The Webmin module for OpenVPN & Certificate management is not a "standard module".
According to documentation, the vsFTPD Service / Daemon can only "listen" on a single IP Address (listen_address=W.X.Y.Z).  This also appears to apply to Passive FTP settings (pasv_address=W.X.Y.Z).  There is a solution.  Run multiple instances of vsFTPD.  Easy to say, but a bit more complex to accomplish.


Because of the simplicity of the /etc/init.d/vsftpd startup script, it is not possible to use the same binary / executable File (/usr/sbin/vsftpd) for multiple vsFTPD instancesThe solution is to create two symbolic links to the /usr/sbin/vsftpd binary / executable File.
*Install in the Webmin interface: Webmin, Webmin Configuration, Webmin Modules, Install from Local File, Select File, Install Module.
**Download the module if the Webmin interface doesn't populate with available modules
***Go to: https://www.webmin.com/cgi-bin/search_third.cgi?search=openvpn, then download the module using wget and the URL, as of 11.2020, wget http://www.openit.it/downloads/OpenVPNadmin/openvpn-3.2.wbm.gz
****If wget displays an error, make sure the full version of wget is installed (not the one built into BusyBox): opkg install wget
****If a certificate error occurs, add this to the end of the wget line: --no-check-certificate
***Site: https://www.webmin.com/cgi-bin/search_third.cgi?modules=1
***OpenVPN & Certificate Management Module Link (version 3.2): http://www.openit.it/downloads/OpenVPNadmin/openvpn-3.2.wbm.gz
***Sometimes the interface seems to work, sometimes it doesn't.  Possibly due to Wemin site issues or Perl issues on a local machine.
*By default, the OpenVPN... Module is located in ServersGiven that it deals with Networking and an equivalent Module (PPTP) is located in Networking, it makes sense to relocate the Module to Networking
**Webmin, Webmin Configuration, Reassign Modules, OpenVPN..., Networking, Save


*ln -s /usr/sbin/vsftpd /usr/sbin/vsftpd1
Below is a working configuration file for the OpenVPN & Certificate Authority Module (/etc/webmin/openvpn/config)<syntaxhighlight lang="text">
*ln -s /usr/sbin/vsftpd /usr/sbin/vsftpd2
openvpn_path=/usr/sbin/openvpn
br_start_cmd=
openssl_version=1.1.1g
default_server=
br_end_cmd=
zip_cmd=/usr/bin/gzip
openssl_home=/etc/openvpn/openvpn-ssl.cnf
tail_cmd=
openvpn_pid_path=/var/run
log_refresh=
status_cmd=
start_cmd=/etc/init.d/openvpn start
openvpn_version=2.4.7
openvpn_clients_subdir=client
down_root_plugin=
openssl_path=/usr/bin/openssl
openvpn_pid_prefix=openvpn
openvpn_keys_subdir=keys
openvpn_home=/etc/openvpn
log_lines=9999
stop_cmd=/etc/init.d/openvpn stop
openvpn_servers_subdir=server
</syntaxhighlight>


This allows one to create two startup scripts in /etc/init.d for vsFTPD (vsftpd1 and vsftpd2) that contain the following (below is the vsftpd1 example);<syntaxhighlight lang="text">
====Notes====
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org


# Remember: There are two symbolic links in /usr/sbin, vsftpd1 and vsftpd2, that point to /usr/sbin/vsftpd
*Use the OpenSSL version of OpenVPN (openvpn-openssl), not the mbedTLS (openvpn-mbedtls), and definately not openvpn-nossl (there is no security, but possibly good for testing configuration files).  See [https://community.openvpn.net/openvpn/wiki/Using-mbedtls?__cf_chl_jschl_tk__=ff3c180e8bbe2b915b0183749a92b047e7d74777-1595651545-0-AX2laPnquTrHAziLcg-vt2ugt_LSqNFn5HBLAiMbNYHMAMochho8hSmQ7j94L_lu71l0UE4riG5ue4jwMfskumWXabSBHXcSICCRTMPy1isqlrz6XYDWZZg4sa7cpHJ1clUqABtwFpMLy4jJYqIGdq0MOqmzBR46YCIHim-bxfB_JtAqi4ZpLEfqyF1TSaEYaEaHn0sqxvx2T-8L6d6M3OcHUoL0SL3aoAokmm-mweQTmUWRXSlz4h94_u7DakllFWkPk_xpIAhCKsSNPon3M5Fd62uoFpZCPRFTHP8_nNuWT98oo-IbkeHi8oxbYKU1OQ here] for additional information
*If the /etc/config/openvpn file contains any sort of syntax error (if the file has been modified in a text editor for example), the configuration file will upload, but it will not be displayed as available in the LuCI OpenVPN GUI.
*There's a bit of an issue with the OpenVPN LuCI interface when using the OVPN configuration file upload.  When the Browse button is clicked, the initial "Choose File to Upload" dialogue selects .ovpn as the default file extension.  This might lead one to believe that any files uploaded should have a file name that ends in .ovpn.  This is not the case.  A quick inspection of the /etc/init.d/openvpn file for the OpenVPN service reveals that it scans for files ending in .conf. So make sure any files uploaded via the LuCI GUI interface for OpenVPN end in .conf.
*The /etc/openvpn Directory contains two sub-directories: client and server.  These are default OpenVPN directories, but it also implies that Server and Client configuration files should be placed in these directories.  This is not the case.  An examination of the /etc/init.d/openvpn OpenVPN configuration file revealse that it only scans the /etc/openvpn Directory for configuration files.  Additionally, the LuCI GUI interface for OpenVPN places the files in /etc/openvpn and does not scan the sever and client sub-directories for additional configuration files.
*As of 8.2020, there is also an issue with the version number of of the LuCI GUI for OpenVPN (luci-app-openvpn).  The package version displayed via the System, Software page in the LuCI GUI displays git-2.229...  Downloading the IPK file manually (opkg download luci-app-openvpn) results in version git-2.234...  Additionally, the installation or upgrade via the LuCI GUI for the OpenVPN LuCI GUI interface seems to be unreliable.  The recommendation is to download manually (opkg download luci-app-openvpn) and install the downloaded file (opkg install WhatEverTheNameOfTheFileIs)
*Sadly, possibly due to space constraints and the desire to have the smallest binary / executable file possible for OpenVPN, the OpenWRT version does not contain any "help" information (IE, openvpn --help produces no output)
*Do NOT use periods in the name of an OpenVPN instance in the /etc/config/openvpn file, ''config openvpn'' 'WhatEverName' directive.  OpenVPN will work, but you won't see it in the LuCI GUI.


START=50
To install OpenVPN with OpenSSL and the LUCI GUI for it (under VPN)


start() {
*opkg update
mkdir -m 0755 -p /var/run/vsftpd1
*opkg install openvpn-openssl openvpn-easy-rsa luci-app-openvpn luci-ssl-openssl (openssl-util and other dependencies will automatically install)
service_start /usr/sbin/vsftpd1 /etc/vsftpd1.conf
*OpenVPN will be available under LuCI GUI, VPN, OpenVPN (Remember to refresh the web browser window to display the new category (Firefox: CTRL + Refresh) or log out and log back into the LuCI GUI)
}


stop() {
===ProFTPD===
service_stop /usr/sbin/vsftpd1
ProFTPD does not seem to be available as an OpenWRT package anymoreAt some point (appx. 2012 or earlier) it was, as evidenced by: https://openwrt.org/docs/guide-user/services/nas/ftp.overview
}
</syntaxhighlight>For the other startup script (vsftpd2), copy and change the above references of vsftpd1 to vsftp2Be sure to enable (service vsftpd1 enable AND service vsftpd2 enable) both scripts for automatic startup.  The reason for needing the above symbolic links can be seen in the above init.d startup script.  Specifically the "service_stop /usr/sbin/vsftpd" (minus the 1 or 2 naming convention).  If there were two startup scripts using the same /usr/sbin/vsftpd reference, two instances could be started, but when stopping the service / daemon, weird things happen.


Make sure there are two configuration files for each vsFTPD service / daemon as they'll have some unique settings, like IP Addresses, etc.
Use vsFTPD instead.


Also make sure any additional files that are referenced (userlist_file=/etc/vsftpd1.user_list, etc) are duplicated (userlist_file=/etc/vsftpd2.user_list) for each service.
===vsFTPD===


And finally, make sure the /etc/config/firewall file has the additional IP Address included.  Simply insert an additional ''list dest_ip 'A.B.C.D'<nowiki/>'' line after each ''list dest_ip 'W.X.Y.Z''' line in the above firewall example (of course substitute A.B.C.D with an appropriate IP Address).
====Installation====
opkg update


====Webmin====
opkg install vsftpd
Download the module using WGET: wget http://www.bit-worker.com/download/vsftpd.tar.gz


Install using the Webmin interface: Webmin, Webmin configuration, Webmin Modules, Install from, From local file
====Configuration====
Configuration File: /etc/vsftpd.conf


Available under: Server, vsftpd
*Be sure to read the
*The default configuration file (/etc/vsftpd.conf) for VSFTPD will never work under any circumstances for an OpenWRT router that is in a "normal" / default configuration in regards to its firewall and several other items.  It is understood that the OpenWRT developers have better things to do than configuring an old FTP server, but they may as well leave the configuration file blank or perhaps include all of the options, but comment everything out rather than having a configuration file that does nothing more than give an end user false hope.
*The OpenWRT Package creates an /etc/vsftpd Directory, but it isn't used.  Case in point: The default userlist_file name for the OpenWRT version of VSFTPD is /etc/vsftpd.user_list.  For other platforms such as CentOS, that file is located in the /etc/vsftpd Directory, but for OpenWRT it is located in the /etc Directory.  So why is the /etc/vsftpd Directory created (with nothing in it)?  Best guess is that since other Platforms like CentOS that put configuration files in the /etc/vsftpd Directory, there might be some "template" in the vsftpd source code that creates that Directory by default and the OpenWRT developers forgot to disable that function.
*The /etc/init.d/vsftpd startup script is very simple.  So simple in fact that it requires a setting (listen=YES) in the .conf file for vsFTPD for vsFTPD that documentation indicates is set to "yes" if vsFTPD is NOT run via an init.d script.  In OpenWRT's case, the startup script is so simple it essentially runs vsFTPD as if it were starting from the command line.  This causes no issues, but is a bit counter intutive if one reads the vsFTPD documentation on the "listen" directive.


Webmin configuration;<syntaxhighlight lang="text">
Below is a working configuration file;<syntaxhighlight lang="text">
openssl=/usr/bin/openssl
listen_address=W.X.Y.Z
path=/etc/vsftpd1.conf
ftp_data_port=20
listen_port=21


</syntaxhighlight>
# Remember to configure Firewall settings with equivalent values
pasv_enable=YES
pasv_address=W.X.Y.Z
pasv_min_port=10012
pasv_max_port=10021


====CAUTION!====
session_support=NO


*If the configuration of vsFTPD includes the use of userlist_enable or userlist_deny, make sure that the /etc/vsftpd.user_list File is created with VI or NANO as opposed to a Windows utility through Samba. The reason is vsFTPD will not be able to read the file properly if it contains CR/LF (Carriage Return / Line Feeds).
# OpenWRT Oddity: Even though the vsFTPD Service / Daemon is started via an init.d script, it is a very simple script that essentially does the same thing as starting vsFTPD from the command line, so the following must be set to YES;
*If one reads any documentation about the CentOS (possible others) version of vsFTPD, there are references to using the included "user_list" file and a custom named version of the file.  After some experimentation, it was determined that it may not work in the fashion noted for the OpenWRT version of vsFTPD as it does for other platforms.  Feel free to experiment.
listen=YES
*It is worth repeating this warning: If any of the files (vsftpd1.user_list, etc.) referenced in a vsFTPD configuration file are not present, the vsftpd service will start and appear to be functioning (PS, TOP, HTOP, etc. will all show it as running), but...  There will be nothing displayed on client FTP software.


====Notes & Questions====
# Banner display does not appear to function in an modern web browser
It seems very odd that the choice for FTP server that OpenWRT provides is vsFTPD as the latest version is half a decade old.  Why not use something that still gets updated on a regular basis like ProFTPD?  Perhaps the developers of OpenWRT are attempting to send a quiet message that FTP is not a good thing to use because it is not encrypted. But if that's the case, why not remove every FTP server package that doesn't contain SFTP (SSH FTP) or FTPS (SSL/TSL FTP) functionality?
ftpd_banner=Hello
banner_file=/etc/vsftpd1.banner_file


===Telnet===
dirmessage_enable=YES
TelnetD is supported (and works) on DD-WRT, but OpenWRT has essentially discontinued use of telnet in the name of security.  It is possible to [https://openwrt.org/inbox/howto/telnet_enable build] a custom version of the OpenWRT firmware that supports telnetd (and telnet the client), but they've effectively made it very difficult (sad, but probably as it should be).  The below section of the source configuration file for OpenWRT says it all;<div class="toccolours mw-collapsible mw-collapsed" style="overflow:auto; width=100%">
message_file=.message
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
bool "telnetd"
default BUSYBOX_DEFAULT_TELNETD
select BUSYBOX_CONFIG_FEATURE_SYSLOG
help
  A daemon for the TELNET protocol, allowing you to log onto the host
  running the daemon. Please keep in mind that the TELNET protocol
  sends passwords in plain text. If you can't afford the space for an
  SSH daemon and you trust your network, you may say 'y' here. As a
  more secure alternative, you should seriously consider installing the
  very small Dropbear SSH daemon instead:
        http://matt.ucc.asn.au/dropbear/dropbear.html


  Note that for busybox telnetd to work you need several things:
max_login_fails=3
  First of all, your kernel needs:
anonymous_enable=NO
          CONFIG_UNIX98_PTYS=y
check_shell=NO


  Next, you need a /dev/pts directory on your root filesystem:
#
chroot_local_user=YES
write_enable=NO
allow_writeable_chroot=YES
local_umask=022


          $ ls -ld /dev/pts
# Equivalent to "Run As" Service / Daemon
          drwxr-xr-x  2 root root 0 Sep 23 13:21 /dev/pts/
background=YES


  Next you need the pseudo terminal master multiplexer /dev/ptmx:
# Set logged items go to the vsFTPD log instead of the system message log
syslog_enable=NO


          $ ls -la /dev/ptmx
log_ftp_protocol=YES
          crw-rw-rw-  1 root tty 5, 2 Sep 23 13:55 /dev/ptmx
xferlog_std_format=YES
xferlog_enable=YES
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd1.standard.log
xferlog_file=/var/log/vsftpd1.xfer.log


  Any /dev/ttyp[0-9]* files you may have can be removed.
local_enable=YES
  Next, you need to mount the devpts filesystem on /dev/pts using:
userlist_enable=NO
userlist_deny=NO


          mount -t devpts devpts /dev/pts
# In OpenWRT, the default location is: userlist_file=/etc/vsftpd.user_list (this is very odd given that OpenWRT creates an /etc/vsftpd Directory)
# On other platforms, like CentOS, the default location is /etc/vsftpd/vsftpd.conf
# Do NOT create the list in anything other than VI or NANO (IE, don't use Windows Explorer, Directory Opus, etc. to create a new file) as there is an issue with Carriage Return / Line Feeds.
# Editing with TextPad later is fine as it seems to respect how the file was created in terms of using CR/LF VS just LF.
userlist_file=/etc/vsftpd1.user_list


  You need to be sure that busybox has LOGIN and
</syntaxhighlight>In the above working example, of course replace W.X.Y.Z with an appropriate IP Address.  Astute readers will notice all the file names that might generally start have "vsftpd" in their names instead have "vsftpd1". The reason for that is because the above working configuration file was used in a situation where a router is configured with two WAN interfaces, with two IP Addresses on two different networks.  See the section on Dual WAN vsFTPD for additional information.
  FEATURE_SUID enabled. And finally, you should make
  certain that Busybox has been installed setuid root:


        chown root.root /bin/busybox
The /etc/vsftpd1.user_list contains a list of users that will be allowed to login if the userlist_enable=YES and userlist_deny=NO settings are present.
        chmod 4755 /bin/busybox


  with all that done, telnetd _should_ work....
NOTE 1: If any of the above referenced files (vsftpd1.user_list, etc.) are not present, the vsftpd service will start and appear to be functioning (PS, TOP, HTOP, etc. will all show it as running), but...  There will be nothing displayed on client FTP software.
</syntaxhighlight></div></div>
Finding a version of BusyBox that includes TelnetD will not suffice as there are additional items that need to be configured for it to work. However, a telnet client program seems appropriateSee the "signoff" on TELNET here: https://github.com/openwrt/openwrt/commit/a35a7afc9f15b4c084c996ab0dbcd833b45f30d5  But there is an alternative (see the next section)


===NETCAT or NC===
NOTE 2: Users and Groups can be managed by editing the /etc/passwd (User File) and /etc/group (Group File).  If Webmin (see below) is installed and properly configured, Users & Groups can be managed through its interface.  The useradd command can be added with: opkg install shadow-useradd
opkg update


opkg install netcat
NOTE 3: Remember, OpenWRT also uses the /etc/shadow file to store user passwords with MD5 ($1) encryption.


Use as a Telnet Client: nc -T -v W.X.Y.Z (-T = Answer using telnet negotiation, -v = Verbose)
====Firewall====
 
Below are the pertienent settings for vsFTPD in the /etc/config/firewall file;<syntaxhighlight lang="text">
Instead of simply pressing the Enter Key in NETCAT, one must instead using the following key commands: CTRL+V, CTRL+M, ENTER (That equates to pressing the ENTER Key.  OpenWRT's version of NETCAT in BusyBox does not include the -C switch which allows for easy "carriage returns")
config rule
option dest_port '20'
option src 'wan'
option name 'FTP_TCP_20'
list dest_ip 'W.X.Y.Z'
option target 'ACCEPT'
option family 'ipv4'
list proto 'tcp'


===Statistics===
config rule
CollectD
option dest_port '21'
<br />
option src 'wan'
option name 'FTP_TCP_21'
list dest_ip 'W.X.Y.Z'
option target 'ACCEPT'
option family 'ipv4'
list proto 'tcp'


===Task Scheduling with Cron===
config rule
Additional Information: https://openwrt.org/docs/guide-user/base-system/cron
option src 'wan'
option name 'FTP_PASV'
list dest_ip 'W.X.Y.Z'
option target 'ACCEPT'
option family 'ipv4'
list proto 'tcp'
option dest_port '10012:10021'
</syntaxhighlight>And as usual, substitute a functional IP Address for W.X.Y.Z.  The above configuration includes settings necessary for Passive FTP (see [[wikipedia:File_Transfer_Protocol#Communication_and_data_transfer|here]] for an explanation) used by clients behind a firewall.


===BackUps===
====Internet Explorer Workaround====
If one is using Internet Explorer's FTP capability, there will be an issue if userlist_enable=YES and userlist_deny=NO are set.  Solution?  Add the users 'anonymous' in the vsftpd.user_list file.  Thanks to a top tip from a user named JAYCLEN here: https://bbs.archlinux.org/viewtopic.php?id=158184


==== Restic ====
====vsFTPD for a dual WAN router====
opkg install restic
According to documentation, the vsFTPD Service / Daemon can only "listen" on a single IP Address (listen_address=W.X.Y.Z).  This also appears to apply to Passive FTP settings (pasv_address=W.X.Y.Z).  There is a solution.  Run multiple instances of vsFTPD.  Easy to say, but a bit more complex to accomplish.


To create a backup repository: restic init --repo "WhatEverRepositoryPath"
Because of the simplicity of the /etc/init.d/vsftpd startup script, it is not possible to use the same binary / executable File (/usr/sbin/vsftpd) for multiple vsFTPD instances.  The solution is to create two symbolic links to the /usr/sbin/vsftpd binary / executable File.  Be sure to set the permissions on the new startup script to 755: chmod 755 WhatEverScriptFileName (chmod 755 /etc/init.d/vsftpd)


To make a backup: restic -r "WhatEverRepositoryPath" --verbose backup /WhatEverPathToBackUp
*ln -s /usr/sbin/vsftpd /usr/sbin/vsftpd1
*ln -s /usr/sbin/vsftpd /usr/sbin/vsftpd2


*Example: restic -r "/mnt/sdb2/RESTIC/WRT3200ACM/" --verbose --tag "What Ever Note" backup /overlay
This allows one to create two startup scripts in /etc/init.d for vsFTPD (vsftpd1 and vsftpd2) that contain the following (below is the vsftpd1 example);<syntaxhighlight lang="text">
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org


To view backups: restic -r "WhatEverRepositoryPath" snapshots
# Remember: There are two symbolic links in /usr/sbin, vsftpd1 and vsftpd2, that point to /usr/sbin/vsftpd


*Example: restic -r "/mnt/sdb2/RESTIC/WRT3200ACM/" snapshots
START=50


To restore a backup: restic -r "WhatEverRepositoryPath" restore ID --target /WhatEverPathToRestoreTo (the ID can be obtained from the above "snapshots" command, the target does not have to be the original source, --verbose doesn't work)
start() {
# /var/run/vsftpd is the secure_chroot_dir default value that vsFTPD requires to run
# It can be shared amongst multiple instances of vsFTPD
mkdir -m 0755 -p /var/run/vsftpd
service_start /usr/sbin/vsftpd1 /etc/vsftpd1.conf
}


Additional Information: https://restic.readthedocs.io/en/stable/ (Note: In some of their examples a tilde ( ~ ) is used, which is a user's home directory)
stop() {
service_stop /usr/sbin/vsftpd1
}
</syntaxhighlight>For the other startup script (vsftpd2), copy and change the above references of vsftpd1 to vsftp2.  Be sure to enable (service vsftpd1 enable AND service vsftpd2 enable) both scripts for automatic startup. The reason for needing the above symbolic links can be seen in the above init.d startup script.  Specifically the "service_stop /usr/sbin/vsftpd" (minus the 1 or 2 naming convention).  If there were two startup scripts using the same /usr/sbin/vsftpd reference, two instances could be started, but when stopping the service / daemon, weird things happen.


==== DD ====
Make sure there are two configuration files for each vsFTPD service / daemon as they'll have some unique settings, like IP Addresses, etc.
Another program that functions as an effective cloning utility is ''dd'' (noted in an earlier section).  Ideally an additional USB Flash drive should be used.  Note, to utilize the full dd program, instead of the one built into BusyBox: opkg install corutils


* dd if=/dev/sdXy of=/dev/sdXy bs=64K conv=noerror,sync status=progress (if = source, of = destination, bs=block size (IE amount to copy at a time), noerror=Don't stop on read errors, sync=If an error occurs use zeros or nuls to pad file, progress=show the progress)
Also make sure any additional files that are referenced (userlist_file=/etc/vsftpd1.user_list, etc) are duplicated (userlist_file=/etc/vsftpd2.user_list) for each service.


To copy to a compressed file;
And finally, make sure the /etc/config/firewall file has the additional IP Address included.  Simply insert an additional ''list dest_ip 'A.B.C.D'<nowiki/>'' line after each ''list dest_ip 'W.X.Y.Z''' line in the above firewall example (of course substitute A.B.C.D with an appropriate IP Address).


* dd if=/dev/sdXy conv=sync,noerror bs=64K status=progress | gzip -c  > /WhatEverPath/WhatEverFile.img.gz (-c=Do not change files)
====Webmin====
* Example: dd if=/dev/sdb1 conv=sync,noerror bs=64K status=progress | gzip -c  > /mnt/sdb2/DD/EXT4a-9.20.2020.img.gz
Download the module using WGET: wget http://www.bit-worker.com/download/vsftpd.tar.gz


Everything will be cloned, including the UUID of the partition.  If the second flash drive is being used for the sole purpose of backing up settings, as opposed to replacing a bootable flash drive, then to prevent confusion with the source USB Flash Drive or Partition, change the UUID;
Install using the Webmin interface: Webmin, Webmin configuration, Webmin Modules, Install from, From local file


* tune2fs -U random /dev/sdXy*
Available under: Server, vsftpd


OR
Webmin configuration;<syntaxhighlight lang="text">
openssl=/usr/bin/openssl
path=/etc/vsftpd1.conf


* tune2fs -U UUID /dev/sdXy* (where UUID is the actual UUID)
</syntaxhighlight>
Also note that vsFTPD module has a behavior where it will add items that are left blank in the GUI interface as commented out configuration items in the /etc/vsftpd.conf file.


To verify the change, use the following command;
For multiple vsFTPD instances, Webmin allows for cloning modules.  Remember to change the configuration file location if taking advantage of this feature.


* blkid /dev/sdXy
====CAUTION!====


In the above examples X and y should be replaced with actual mount point references.  IE, sda1, sdb3, sde2, etc.
*If the configuration of vsFTPD includes the use of userlist_enable or userlist_deny, make sure that the /etc/vsftpd.user_list File is created with VI or NANO as opposed to a Windows utility through Samba.  The reason is vsFTPD will not be able to read the file properly if it contains CR/LF (Carriage Return / Line Feeds).
*If one reads any documentation about the CentOS (possible others) version of vsFTPD, there are references to using the included "user_list" file and a custom named version of the fileAfter some experimentation, it was determined that it may not work in the fashion noted for the OpenWRT version of vsFTPD as it does for other platforms.  Feel free to experiment.
*It is worth repeating this warning: If any of the files (/var/run/vsftpd, vsftpd1.user_list, etc.) referenced in a vsFTPD configuration file are not present, the vsftpd service will start and appear to be functioning (PS, TOP, HTOP, etc. will all show it as running), but...  There will be nothing displayed on client FTP software.
*If the background= setting is configured as background=NO (as one might do for troubleshooting), it will prevent a router from starting any services after vsFTPD.  Since vsFTPD's "start order" is 50, any services after that will not start.
*Several older forum postings and other web sites, as far back as 2007, make references to installing various additional pieces of software such as kmod-nf-ipvs-<ins>ftp</ins> along with other kernel modules.  They are not necessary.
*Remember, OpenWRT provides two different vsFTPD packages, one without FTPS capability (opkg install vsftpd) and one with FTPS capability (opkg install vsftpd-tls)


==Border Mail System (Postfix, MailScanner, MailWatch, ClamD,==
====Notes & Questions====
<br />
It seems very odd that the choice for FTP server that OpenWRT provides is vsFTPD as the latest version is half a decade old.  Why not use something that still gets updated on a regular basis like ProFTPD?  Perhaps the developers of OpenWRT are attempting to send a quiet message that FTP is not a good thing to use because it is not encrypted.  But if that's the case, why not remove every FTP server package that doesn't contain SFTP (SSH FTP) or FTPS (SSL/TSL FTP) functionality?


===Postfix===
====Tips for Troubleshooting====
As with anything related to computers, it can be difficult to figure out what is wrong with a configuration of a service and why it isn't working as expected.  vsFTPD is no exception.  To eliminate a potential issue, namely the firewall, consider configuring vsFTPD to listen on a LAN interface.  This will eliminate problems related to PASV / Passive FTP issues.  Also consider using a command line version of FTP as opposed to a browser version.  Command line versions of FTP will often times display more error information than a web browser that has FTP capability.


====Files & Permissions====
===Telnet===
Configuration: /etc/postfix (that's a directory, not a file)
TelnetD is supported (and works) on DD-WRT, but OpenWRT has essentially discontinued use of telnet in the name of security.  It is possible to [https://openwrt.org/inbox/howto/telnet_enable build] a custom version of the OpenWRT firmware that supports telnetd (and telnet the client), but they've effectively made it very difficult (sad, but probably as it should be).  The below section of the source configuration file for OpenWRT says it all;<div class="toccolours mw-collapsible mw-collapsed" style="overflow:auto; width=100%">
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
bool "telnetd"
default BUSYBOX_DEFAULT_TELNETD
select BUSYBOX_CONFIG_FEATURE_SYSLOG
help
  A daemon for the TELNET protocol, allowing you to log onto the host
  running the daemon. Please keep in mind that the TELNET protocol
  sends passwords in plain text. If you can't afford the space for an
  SSH daemon and you trust your network, you may say 'y' here. As a
  more secure alternative, you should seriously consider installing the
  very small Dropbear SSH daemon instead:
        http://matt.ucc.asn.au/dropbear/dropbear.html


Startup Script: /etc/init.d/postfix
  Note that for busybox telnetd to work you need several things:
  First of all, your kernel needs:
          CONFIG_UNIX98_PTYS=y


Main Binary / Executable Files: /usr/sbin/post*
  Next, you need a /dev/pts directory on your root filesystem:


Additional Binary / Executable Files: /usr/sbin/sendmail* (sendmail related compatibility)
          $ ls -ld /dev/pts
          drwxr-xr-x  2 root root 0 Sep 23 13:21 /dev/pts/


Other Binary / Executalbe Files: /usr/bin/mailq, mailq.postfix, newaliaases, newaliases.postfix (sendmail related compatibility)
  Next you need the pseudo terminal master multiplexer /dev/ptmx:


Library (sub-function) Files: /usr/libexec/postfix
          $ ls -la /dev/ptmx
          crw-rw-rw-  1 root tty 5, 2 Sep 23 13:55 /dev/ptmx


There is no LuCI GUI or any sort of OpenWRT configuration paradigm.  Everything can be configured via text files and all safely done with Webmin.
  Any /dev/ttyp[0-9]* files you may have can be removed.
  Next, you need to mount the devpts filesystem on /dev/pts using:


Postfix User and Group items are configured in /etc/passwd and /etc/group automatically.
          mount -t devpts devpts /dev/pts


Owner for /etc/postfix: root:root
  You need to be sure that busybox has LOGIN and
  FEATURE_SUID enabled. And finally, you should make
  certain that Busybox has been installed setuid root:


Permissions for /etc/postfix: 644
        chown root.root /bin/busybox
        chmod 4755 /bin/busybox


====Commands====
  with all that done, telnetd _should_ work....
</syntaxhighlight></div></div>
Finding a version of BusyBox that includes TelnetD will not suffice as there are additional items that need to be configured for it to work.  However, a telnet client program seems appropriate.  See the "signoff" on TELNET here: https://github.com/openwrt/openwrt/commit/a35a7afc9f15b4c084c996ab0dbcd833b45f30d5  But there is an alternative (see the next section)


*postconf -d (configuration settings)
===NETCAT or NC===
*postmap /etc/postfix/transport (updates the transport.db file)
opkg update
**Note: Most linux distributions name the transport database file transport.db, but by default the OpenWRT version of Postfix names it transport.cdb
*postfix reload (after changes are made to master.cf file, or just restart the service)


====Warnings====
opkg install netcat
The below warning message(s) are displayed each time Postfix is started.  This is because OpenWRT left the default setting ''smtputf8_enable = 0'' when Postfix was compiled.  The ''smtputf8_enable'' setting relates to other text encoding (UTF8), etc.  According to documentation it creates a much larger binary / executable for Postfix.  Since OpenWRT focuses on small and compact service files this makes sense.  But the fix is easy.  Add this line to the /etc/postfix/main.cf file: smtputf8_enable = no<syntaxhighlight lang="text">
postfix: warning: smtputf8_enable is true, but EAI support is not compiled in
postsuper: warning: smtputf8_enable is true, but EAI support is not compiled in
postfix/postlog: warning: smtputf8_enable is true, but EAI support is not compiled in
postfix/postfix-script: starting the Postfix mail system
</syntaxhighlight>


===MailScanner===
Use as a Telnet Client: nc -T -v W.X.Y.Z (-T = Answer using telnet negotiation, -v = Verbose)
Download the latest version from: https://github.com/MailScanner/v5/releases (The year this was written was 2020, so if they've moved onto v6, check the URL)


tar -xvzf WhatEverTheNameOfTheTarGzFile
Instead of simply pressing the Enter Key in NETCAT, one must instead using the following key commands: CTRL+V, CTRL+M, ENTER (That equates to pressing the ENTER Key.  OpenWRT's version of NETCAT in BusyBox does not include the -C switch which allows for easy "carriage returns")


The installation script ./install.sh relies on the full BASH shell (OpenWRT includes the [[wikipedia:Almquist_shell|ASH]] shell by default): opkg install bash, then type the command ''bash ./install.sh'' (plain ASH won't work, they even explicitly state the [[wikipedia:Shebang_(Unix)|shebang]] of their file as ''#!/bin/bash'', not #!/bin/sh, and just for the fun of it attempted to run it with ASH, and it errors out) Read here for more information or to change it permanently: https://www.howtogeek.com/669835/how-to-change-your-default-shell-on-linux-with-chsh/
===Statistics===
CollectD
<br />


==Webmin==
===Task Scheduling with Cron===
Webmin can be successfully installed on OpenWRT, '''AND IT IS USEFUL'''.  The end of the previous sentence is in all CAPS and '''BOLD''' because of the large number websites and posts that do nothing more than question why anyone would want to install Webmin on OpenWRT instead of just answering the original question of how to install it.  Sometimes it is just nice to have a GUI.  The editor for config files alone is worth it.
Additional Information: https://openwrt.org/docs/guide-user/base-system/cron


There is however a word of caution to address: Do NOT use Webmin for any OpenWRT services that have an associated LuCI GUI or /etc/config/WhatEverConfigurationFile because modifications made by Webmin will be wiped out by changes made via LuCI or the /etc/config/Files...  There are many, many services such as BIND / NAMED, Apache / HTTPD, ProFTPD, OpenSSL for OpenVPN Certificate generation that have no LuCI GUI, nor are they "controlled" or configured via the /etc/config/ Files.  That means these services are safe to configure via text or by GUI.
===BackUps===


===Pre-Installation Tasks for Installing Webmin===
====Restic====
Download the Webmin ...tar.gz file: wget https://prdownloads.sourceforge.net/webadmin/webmin-1.953.tar.gz
opkg install restic


Unzip and UnTAR the file;
To create a backup repository: restic init --repo "WhatEverRepositoryPath"
 
To make a backup: restic -r "WhatEverRepositoryPath" --verbose backup /WhatEverPathToBackUp


*The location chosen when unzipping and untarring Webmin ''can'' be the installation directory where the program runs;
*Example: restic -r "/mnt/sdb2/RESTIC/WRT3200ACM/" --verbose --tag "What Ever Note" backup /overlay
**Typical installation locations for other Linux distributions (do NOT use the /tmp directory or it will be gone when the router reboots);
***CentOS typical location: /usr/libexec/webmin
***Debian: /usr/share/webmin
***Locations suggested by Webmin tutorials: /usr/libexec/webmin, /usr/local/webmin
***Location noted by https://doxfer.webmin.com/Webmin/Installation_-_the_old_fashioned_way as the most common for "TAR" Installations: /usr/local/webmin
*gunzip webmin-1.955.tar.gz and tar xvf webmin-1.955.tar


OR
To view backups: restic -r "WhatEverRepositoryPath" snapshots


*tar zxvf webmin-1.955.tar
*Example: restic -r "/mnt/sdb2/RESTIC/WRT3200ACM/" snapshots


(be patient, there are a LOT of files, even on a fast USB 3.0 flash drive it takes a couple of minutes.
To restore a backup: restic -r "WhatEverRepositoryPath" restore WhatEverID --target /WhatEverPathToRestoreTo --no-cache (the ID can be obtained from the above "snapshots" command, the target does not have to be the original source, --verbose doesn't work)


*If "untarred" a directory other than the installation, do one of the following;
There is a really frustrating problem with Restic on OpenWRT when restoring a backup.  Many websites recommend setting the TMPDIR environment variable to a location with a lot of space.  Sadly that does not work.  With careful observation, it was noticed that Retic sets up a cache file in the current user's "home / root" directory.  If one is logged on as the "root" user, then this will be the /root, AKA ~ (tilde), Directory.  If one has booted up the router using from the internal flash drive while attempting to recover a backup that normally resides on a USB Flash Drive and is normally mounted on /overlay, the 60 or 70 some odd MB on the internal Flash Drive will quickly fill up and cause a no space left on device" error.  The simple solution when restoring is to use the --no-cache directive as shown in the above example.  For additional information, see here: https://restic.readthedocs.io/en/latest/manual_rest.html (scroll down to the Caching section). Also make sure plenty of RAM is available. IE, the 512 MB built in may not be sufficient, so be sure to enable a SWAP File or SWAP Partition (see section above on SWAP)
**Move the untarred directory to the desired location
**When installing use the command (not yet): ./setup.sh /WhatEverPath


*Before running the setup program;
Additional Information: https://restic.readthedocs.io/en/stable/ (Note: In some of their examples a tilde ( ~ ) is used, which is a user's home directory)
**Add the bin Group to /etc/group using this: bin:x:10000:
**Make sure PERL is installed with necessary modules
***opkg update
***opkg install perl perlbase-http-tiny coreutils-stty perlbase-gdbm-file perlbase-extutils perlbase-storable
**Possible Errors & Solutions during and after Installation;
***"Perl Socket module not installed" Error will occur if perlbase-http-tiny is not installed.
***"stty: not found" / "Login password: ./setup.sh: line 396: stty: not found" (the line number may be different depending on the version of the setup script an Webmin being installed) Error will occur if coreutils-stty is not installed
***"The Perl SSLeay library is not installed. SSL not available" Error will occur because the PERL SSLeay module is not available in OpenWRT
***"Can't locate Time/Local.pm in" / "you may need to install the Time::Local module" will occur if the perlbase-time module is not installed
***"No dbm on this machine at" error will occur if perlbase-gdbm-file
***"Error - Perl execution failed  Undefined subroutine &main::get_miniserv_config called at /usr/local/webmin/authentic-theme/session_login.cgi line 17" and / or ""GET / HTTP/1.1" 500 166" (in miniserv.log file) error occurs if perlbase-storable is not installed
***"Can't locate ExtUtils/CBuilder.pm in @INC (you may need to install the ExtUtils::CBuilder module" error occurs if perlbase-extutils is not installed
***" can't open '/var/log/webmin/miniserv.pid': No such file or directory" error occurs when stopping Webmin with /etc/webmin/stop


====A Special note on HTTPS (not the Module) for Webmin: Do NOT worry about itForget it. Almost impossible to get working.====
====DD====
During installation, Webmin states the Net::SSLeay Perl Module is necessary for HTTPS to workIf not, the Webmin site is only accessible via HTTP.
DD is a program that functions as a cloning utility, among other capabilities and functions (noted in an earlier section for a different purpose).  When cloning an entire drive (SSD in the form of an mSATA, M.2 (NVME, NGFF), etc. device) / disk / flash drive* (* the term "drive" used later in this section will apply to whatever storage medium is being cloned), the image file should of couse be cloned to a separate device as with any other cloning softwareDD is capable of cloning an entire drive, etc. or a single partition


The instructions on the Webmin site for enabling this functionality are here (Hint: It won't work): http://www.webmin.com/ssl.html
Note, the DD command is built into BusyBox, but does not have all options available.  To take advantage of all the options DD offers, install the full package with this command: '''''opkg install coreutils-dd'''''


Here's why;
Below is a generic example command to clone a partition from one drive to another (remember, any data on the destination will be overwritten);


*The Net::SSLeay Perl Module is not available in OpenWRT, nor is and trying to build said modules results the error "fatal error: EXTERN.h: No such file or directory".  OpenWRT does not include some of the GCC files necessary.  Several sites (https://www.perlmonks.org/?node_id=1227113) mention using an external cross compile computer as a method of solving the issue
*dd if=/dev/sdXy of=/dev/sdXy bs=64K conv=noerror,sync status=progress
*Crypt::SSLeay is not available either, becuase there seems to be an issue (https://rt.cpan.org/Public/Bug/Display.html?id=120862) with the Crypt-SSLeay-0.72.tar.gz version that is attempted to download during compile.  But even the newer version (https://cpan.metacpan.org/authors/id/N/NA/NANIS/) doesn't work either.  Downloading the newer version (https://cpan.metacpan.org/authors/id/N/NA/NANIS/Crypt-SSLeay-0.73_06.tar.gz) and changing the Makefile.PL line ( unless( require( catfile qw(inc IO Interactive Tiny.pm) ) ) { ) to ( unless( require( catfile qw(IO Interactive Tiny.pm) ) ) { ), to get rid of the inc corrects the issue.  But then there's a "fatal error: openssl/opensslv.h" issue that is similar to the above mentioned Net:SSLeay issue where OpenWRT does not make certain Devel files available, in this case for OpenSSL, so the cross compiling method is the only solution available.
**sdXy = X is the drive (as in sda, sdb, sdc, etc.) and y is the partition (sda1, sdb1, sdb3, sdc2, etc.), In Linux, sd = Storage Device, sda is the first storage device which is more or less equivalent to C: in Windows, see https://en.wikipedia.org/wiki/Device_file#Naming_conventions for more information.
*Some information suggests IO::Socket::SSL as an alternative (http://www.cpan.org/authors/id/N/NA/NANIS/Crypt-SSLeay-0.72.readme), but in order to build it, the Net:SSLeay Module is necessary, so that's a circular issue.
**if = source
**of = destination
**conv=noerror,sync = Don't stop for any read errors and make sure any data stored in RAM / Buffers is written to the physical drive
**status = Show progress
**bs=block size, amount of source data to be read and then written, IE read 64K at a time, then write that, and repeat.
**conv = noerror = Don't stop on read errors, sync = If an error occurs use zeros or nuls to pad file, progress=show the progress


*
=====Tip for Preparing a Drive or Partition for Cloning to an Image File=====
Before cloning a partition to an image file, to save space on the image file, "zero out" all unallocated space.


====Installing Webmin====
With every file system there are potentially sections of the drive that have had data written to them at some point in time that has since been erased.  And as we all know, when a file is "erased" from a drive, the actual file itself is left on the drive and the space it occupied is simply marked as available in a file system.  DD has no method of determining alocated or unallocated space.  It copies everything.  And in the below example where everything it copies is put into a compressed TAR file, compressing a bunch of zeros is very easy to make quite small.  IE, "zeroing out" unallocated space on a disk drive really reduces the size of an image file in a compressed file.  Advanced cloning utilities like Acronis True Image, Clonezilla, etc. take care of this automatically.  But since DD is a multifaceted utility that isn't specifically designed for cloning, it does not have this capability built in.
Run the setup and configuration questions during setup (Note: OpenWRT does not provide the NET::SSLeay Perl Module, so SSL will not be available for Webmin);


*Detailed instructions to install "The Old Fashion Way..." can be found here: https://doxfer.webmin.com/Webmin/Installation_-_the_old_fashioned_way
The below example writes 0s / zeros to a file named ZeroByteFile in a directory named overlay (that happens to be located on a USB Flash Drive) in 64 Kilobyte chunks (of all the words like portion, segment, section, piece, etc., chunk is the most commonly used word in this instance with block coming in second)
*In chosen Webmin installation directory, run: ./setup.sh /WhatEverPathToInstallWebmin (see above for potential locations)
 
**Config Directory: /etc/webmin
*dd if=[[wikipedia:/dev/zero|/dev/zero]] bs=64K conv=noerror,sync status=progress of=/overlay/ZeroByteFile (change the destination to suit your needs)
**Log file directory: /var/log/webmin (NOTE: This directory is actually a symbolic link for /tmp, so it will not persist across reboots of a routerIf permanent logs for Webmin are desired, change the path)
**When the /overlay partition is full DD will produce an error (IE, the partition is full, which is the objective, so this is a good "error")
**Full path to perl: /usr/bin/perl
*sync (this writes any unwritten files stored in RAM / Buffer to the physical media)
**MiniServe Configuration (the web process for webmin): /etc/webmin/miniserv.conf
*rm /overlay/ZeroByteFile (this deletes the "Zero Byte File" to free up space as the above DD command made the ZeroByteFile as large as all of the available free space on the drive.)
**Configure OS as: 110 - Generic Linux
 
***OS Choices available when installing Webmin: Pick 110) Geric Linux for OpenWRT;
=====Backing Up a Partition using DD Example (AKA Imaging OR IE, Partition Cloning via a TAR / GZ File)=====
<syntaxhighlight lang="text">
The below example(s) copies a single partition (on a drive that contains multiple partitions) in 64K chunks to an image in a compressed (GZ (GunZip), no need to "TAR" it as there is just a single image file that will be created) file.
  1) Pardus Linux          2) SmartOS                3) Sun Solaris         
 
  4) Lycoris Desktop/LX    5) Caldera OpenLinux eS  6) Caldera OpenLinux   
*Generic Example: dd if=/dev/sdXy conv=sync,noerror bs=64K status=progress | gzip -9 -c > /WhatEverPath/WhatEverFile.img.gz (-c=Do not change files, -9=Best Compression, but slower)
  7) Asianux Server        8) Asianux                9) Whitebox Linux     
**Example: dd if=/dev/sdb1 conv=sync,noerror bs=64K status=progress | gzip -c  > /mnt/sdb2/DD/EXT4a-9.20.2020.img.gz (this file is named after the partition it exists on and the date, but can be named anything)
10) Tao Linux            11) CentOS Linux          12) Springdale Linux   
 
13) Virtuozzo Linux      14) Scientific Linux      15) Gralinux           
Remember;
16) NeoShine Linux        17) Endian Firewall Linu  18) Oracle Enterprise Li
 
19) Oracle Linux          20) Oracle VM            21) XenServer Linux     
*The TAR/GZ file will contain a single image file, which in turn contains all of the individual files and directories from the source partition or drive (similar to an ISO File or files created by other cloning software).
  22) CloudLinux            23) MostlyLinux          24) Cloudrouter Linux   
*If DD is used with out GZ, the resulting file produced by DD will be exactly the same size as the partition it is "cloning".  This is because DD has no facility to do data compression.
  25) Sangoma Linux        26) Citrix Hypervisor    27) Redhat Enterprise Li
*Use the above noted (in the section immediately above this one) method to "zero out" unused space as this will aid in reducing the final GZ file size.
  28) Redhat Linux Desktop 29) AlphaCore Linux      30) X/OS Linux         
*The GZ method has the distinct advantage of allowing one to open the GZ file and extract out single files (after it is mounted of course, look a couple of sections down).
  31) Haansoft Linux        32) cAos Linux            33) Wind River Linux   
 
34) Amazon Linux          35) Redhat Linux          36) Fedora Linux       
=====Restoring a Partition using DD Example=====
37) White Dwarf Linux    38) Slamd64 Linux        39) Slackware Linux     
 
40) Xandros Linux        41) APLINUX              42) BigBlock           
*gzip -dk WhatEverFileName.img.gz
43) Ubuntu Linux          44) Mepis Linux          45) Devuan Linux       
*dd if=/mnt/sdb1/EXT4b-08.08.2020.img of=/dev/sda1 conv=sync,noerror bs=64K status=progress
46) Raspbian Linux        47) Linux Mint            48) Debian Linux       
 
49) SuSE OpenExchange Li  50) SuSE SLES Linux      51) SuSE Linux         
=====Tip for Configuring a Cloned Drive after Cloning=====
52) United Linux          53) Corel Linux          54) TurboLinux         
WARNING: When cloning an entire drive, ''everything'' will be cloned, including the [[wikipedia:Universally_unique_identifier|UUID]] of the partition. One of the "U"s in UUID stands for "unique". After a drive is cloned, the UUID isn't "unique" anymore.  Two drives will have the same UUID. If the second flash drive is being used for the sole purpose of backing up settings with the intent of disconnecting the drive and putting it aside, the UUID can be left as it is. If the second drive is left connected the UUID should be changed to to prevent confusion with the source drive. The below command will change the UUID to a random ID (see above section for installing the tune2fs utility)
55) Cobalt Linux          56) Mandrake Linux Corpo  57) pclinuxos Linux     
 
58) Mageia Linux          59) Mandrake Linux        60) Mandriva Linux     
*tune2fs -U random /dev/sdXy*
61) Mandriva Linux Enter  62) Conectiva Linux      63) ThizLinux Desktop   
*It might be necessary to run this command first: e2fsck -f /dev/sdXy (this is equivalent to CHKDSK in windows, where sdXy should be changed to match the appropriate drive, sda1, sdb2, etc.)
64) ThizServer            65) MSC Linux            66) SCI Linux           
 
67) LinuxPPC              68) Trustix SE            69) Trustix             
This command will change the UUID to the one specified;
  70) Tawie Server Linux    71) TinySofa Linux        72) Cendio LBS Linux   
 
73) Ute Linux            74) Lanthan Linux        75) Yellow Dog Linux   
*tune2fs -U UUID /dev/sdXy* (where UUID is the actual UUID)
76) Corvus Latinux        77) Immunix Linux        78) Gentoo Linux       
 
  79) Secure Linux          80) OpenNA Linux          81) SoL Linux           
To verify the change, use the following command;
82) Coherent Technology  83) Playstation Linux    84) StartCom Linux     
 
85) Yoper Linux          86) Caixa Magica          87) openmamba Linux     
*blkid /dev/sdXy
  88) FreeBSD              89) DragonFly BSD        90) OpenBSD             
 
91) NetBSD                92) BSDI                  93) HP/UX               
<nowiki>*</nowiki> In the above examples X and y should be replaced with actual mount point references. IE, sda1, sdb3, sde2, etc.
94) SGI Irix              95) DEC/Compaq OSF/1      96) IBM AIX             
 
97) SCO UnixWare          98) SCO OpenServer        99) macOS Catalina     
=====Accessing an Image File (IE, mount it like a drive)=====
100) macOS Mojave          101) macOS High Sierra    102) macOS Sierra       
In the above example where a partition was cloned to an image file, utilities like WinRAR, WinImage, etc. cannot be used to access the file. Since the image file represents an entire drive or partition, it can be mounted just like a physical drive.
103) OS X                  104) Mac OS X              105) Darwin             
 
106) OpenDarwin            107) Cygwin                108) Sun Java Desktop Sys
NOTE: If it is a compressed GZ file, the image must be extracted from the compressed file first: gzip --verbose -d WhatEverFileName (BusyBox has a version of GZIP installed with it, the full gzip utility can be installed with: opkg install gzipAnd remember, whereever the file is decompressed, it must have enough space for the original image which will be the size of the partition imaged.
109) Synology DSM          110) Generic Linux        111) Windows
 
</syntaxhighlight>
NOTE: The below example is for mounting an Image that was made from a partition, not an entire disk/SSD/USB Flash Drive.
 
To mount a partition (not a drive);


*Version: 4
*mkdir /tmp/WhatEverMountPoint (the directory can be any directory or file name, an advantage to using the /tmp directory is one doesn't have to worry about dismounting the image as it will not be mounted after a router reboot because the mount point is in the /tmp directory, the image file will exist of course, assuming it is not also in the /tmp directory)
*mount -o loop -t WhatEverFileSystem /WhatEverPath/WhatEverImage.img /tmp/WhatEverMountPoint
**-t = the type of file system (this could be -t vfat, -t ntfs, -t ext2, -t ext4 etc., and it should obviously match the type of the original file system, no experiments were done to see if mount utility could "auto detect" the file system, but it may have the capability)
**-o = Option (let the mount command know it is a "loop" device)


The running Webmin service when viewed by PS or equivalent: {miniserv.pl} /usr/bin/perl /usr/local/webmin/miniserv.pl /etc/webmin/miniserv.conf
When accessing the mounted image file, the directories shown at the first level may not be familiary as they are organized in the fashion that OpenWRT "sees" them. Open the directory titled ''upper'' and you should see all of the directories one is accustomed to seeing at the root level directory.  


====Post Installation====
====Good 'ole Fashion, just make a copy====
Webmin seems to have an issue detecting ARM CPUs in the Marvell SoC with OpenWRT.  This results in an Error 500 Perl execution failed... ...proc::list_processesTo correct the issue modify the /overlay/webmin/proc/module.info File as follows (It disables the Webmin Processor Module because that module does not run correctly on OpenWRT for the AC Series of routers) by removing the generic-linux or *-linux setting;<syntaxhighlight lang="text">
Forget all the fancy backup stuff for this one.  Sometimes it's good just to make a manual copy of things.  This method works great for configuration files.  Not so much to avoid a failed drive, but more to preserve a working copy of a known good configuration file. The idea is whenever one embarks on an upgrade or a major change (even a minor one too) to a service, sometimes it's good to make a copy of a working configuration fileFor instance, using the /etc/config/network configuration file: cp /etc/config/network /etc/config/network-09.30.2020  There, a copy of the original file with a date on the end of it.  Simple and effective if one needs to take a "single step back", instead of walking through the complexity of restoring files from Restic or a DD Tar.GZ file.
Original Line: os_support=solaris generic-linux hpux freebsd osf1 irix unixware openserver macos aix netbsd openbsd windows


OR
====LuCI GUI BackUp====
And of course one can also use the LuCI GUI under System, BackUp / Flash Firmware to create a copy of configuration files and even MTDBLOCK contents.


Original Line: os_support=solaris *-linux hpux freebsd osf1 irix unixware openserver macos aix netbsd openbsd windows
==Border Mail System (Postfix, MailScanner, MailWatch, ClamD,==


Modified Line: os_support=solaris hpux freebsd osf1 irix unixware openserver macos aix netbsd openbsd windows
===Postfix===


</syntaxhighlight>
====Files & Permissions====
Verify the /etc/webmin/config file contains the following settings;<syntaxhighlight lang="text">
Configuration: /etc/postfix (that's a directory, not a file)
os_type=generic-linux
os_version=4
real_os_type=OpenWRT
real_os_version=19.07.03
</syntaxhighlight>
Alternative Method of Configuring Webmin settings in /etc/webmin/config file;<syntaxhighlight lang="text">
os_type=linux
os_version=4
real_os_type=OpenWRT
real_os_version=19.07.03
</syntaxhighlight>...however, this necessitates that any Webmin modules that require certain operating systems (apache, bind, etc.) need to have their module.info files modified to include the os_type of linux.


And again, the /overlay/webmin/proc/module.info will need to be modified as above.
Startup Script: /etc/init.d/postfix


Also, most of the Webmin modules will need to be custom configured for the OpenWRT environment in order to function properly.  See below...
Main Binary / Executable Files: /usr/sbin/post*


===Adding and Configuring Webmin Features & Modules===
Additional Binary / Executable Files: /usr/sbin/sendmail* (sendmail related compatibility)
Before any modules are moved from the Unused-Modules Category, they must be properly configured for Webmin to detect.


====Date and Time====
Other Binary / Executalbe Files: /usr/bin/mailq, mailq.postfix, newaliaases, newaliases.postfix (sendmail related compatibility)
The LuCI GUI does not provide a method to manually change the date or time (see https://openwrt.org/docs/guide-user/services/ntp/client-server). The reason appears to be that the AC Series of routers, among many other router models, lacks the hardware capability to maintain an internal clock when the router is off or unplugged.  Instead, it syncronizes with a known NTP (Network Time Protocol) server after booting up. This seems to be confirmed, in that during booting, part of the boot process is to set the clock to midnight January 1, 1970 (see https://openwrt.org/toh/linksys/linksys_wrt3200acm).


Once booted, the the Webmin interface provides a relatively easy method to configure the date and time when the module is properly configured properly.  In the default Webmin Dashboard, Time on System;
Library (sub-function) Files: /usr/libexec/postfix


*CLOCK, Settings Icon (the gear at the top left of the configuration payne), System configuration, System time setting format, YYYYMMDDHHMM.SS Radio Button
There is no LuCI GUI or any sort of OpenWRT configuration paradigm.  Everything can be configured via text files and all safely done with Webmin.


OR
Postfix User and Group items are configured in /etc/passwd and /etc/group automatically.


*/etc/webmin/config: dateformat=dd/mon/yyyy
Owner for /etc/postfix: root:root


Remember, the modified time will not persist across reboots.  The setting for the format in Webmin will persist, but the AC series of routers, as most others, does not maintain an internal clock when off or unplugged.  The time is set by accessing an NTP server when the router boots up.
Permissions for /etc/postfix: 644


====Users and Groups====
====Commands====
System, Users and Groups, Settings;


Password File (User & Password File): /etc/passwd (/etc/passwd- seems to be the OpenWRT template file for passwd)
*postconf -d (configuration settings)
*postmap /etc/postfix/transport (updates the transport.db file)
**Note: Most linux distributions name the transport database file transport.db, but by default the OpenWRT version of Postfix names it transport.cdb
*postfix reload (after changes are made to master.cf file, or just restart the service)


Group file: /etc/group
====Warnings====
 
The below warning message(s) are displayed each time Postfix is started.  This is because OpenWRT left the default setting ''smtputf8_enable = 0'' when Postfix was compiled.  The ''smtputf8_enable'' setting relates to other text encoding (UTF8), etc.  According to documentation it creates a much larger binary / executable for Postfix.  Since OpenWRT focuses on small and compact service files this makes sense.  But the fix is easy.  Add this line to the /etc/postfix/main.cf file: smtputf8_enable = no<syntaxhighlight lang="text">
====Webmin Performance====
postfix: warning: smtputf8_enable is true, but EAI support is not compiled in
To decrease the Webmin CPU load on the OpenWRT router (this isn't really necessary for the AC router series as there is "horsepower" to spare);
postsuper: warning: smtputf8_enable is true, but EAI support is not compiled in
postfix/postlog: warning: smtputf8_enable is true, but EAI support is not compiled in
postfix/postfix-script: starting the Postfix mail system
</syntaxhighlight>
 
===MailScanner===
Download the latest version from: https://github.com/MailScanner/v5/releases (The year this was written was 2020, so if they've moved onto v6, check the URL)


*Disable Real-Time Monitoring: Webmin, Webmin Configuration, Themes, Real-time monitoring options, Enable real-time monitoring, NO
tar -xvzf WhatEverTheNameOfTheTarGzFile
*Reduce Real-Time Monitoring Refresh: Interval for performing update, 10000 (Increasing the default value of 1000 (ms) will also cause delays in information in certain categories, such as Network I/O to be displayed slowly)


====Other Notes for Webmin====
The installation script ./install.sh relies on the full BASH shell (OpenWRT includes the [[wikipedia:Almquist_shell|ASH]] shell by default): opkg install bash, then type the command ''bash ./install.sh'' (plain ASH won't work, they even explicitly state the [[wikipedia:Shebang_(Unix)|shebang]] of their file as ''#!/bin/bash'', not #!/bin/sh, and just for the fun of it attempted to run it with ASH, and it errors out) Read here for more information or to change it permanently: https://www.howtogeek.com/669835/how-to-change-your-default-shell-on-linux-with-chsh/
Some modules, such as NAMED / BIND, may not accurately show the Stop / Start status after a stop or start until after a screen refresh, which is possibly related to the Monitoring Refresh time mentioned above, if increased.


====Apache / Apache2 / HTTPD Webmin Module (/etc/webmin/apache/config)====
===NTP (Network Time Protocol)===
<div class="toccolours mw-collapsible mw-collapsed" style="width:400px; overflow:auto;">
By default OpenWRT provides an NTP Client ''and Server'' (suprise, suprise, and a really good thing) within [[wikipedia:BusyBox|BusyBox]]. Since most routers (if any) do not provide a method (IE, battery) of maintaining an internal clock when the router is off a method must exist to set the proper time for the router when it starts up. This client service is supplied within the BusyBox version of ntpclient.
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
allow_virtualmin=0
apply_cmd=/etc/init.d/apache2 restart
test_apachectl=1
pid_file=/var/run/apache2/httpd.pid
httpd_path=/usr/sbin/apache2
test_manual=0
apachectl_path=/usr/sbin/apachectl
auto_mods=1
httpd_dir=/etc/apache2
test_config=1
stop_cmd=/etc/init.d/apache2 stop
max_servers=100
mime_types=/etc/apache2/mime.types
start_cmd=/etc/init.d/apache2 start
graceful_cmd=/etc/init.d/apache2 reload
httpd_version=2.4.43
httpd_conf=/etc/apache2/apache2.conf


</syntaxhighlight></div></div>
It is also possible to install the full version of ntpclient (opkg install ntpclient) along with a LuCI GUI (opkg install luci-app-ntpc).  No research was done on the difference between the two versions of the ntp client as the BusyBox version of ntpclient satisfied all functional needs.


====BIND / BIND8 / NAMED Webmin Module (/etc/webmin/bind8/config);====
For and NTP Daemon / Server, the BusyBox also includes NTPD.  A full version of NTPD can be installed (opkg install ntpd), but there is no LuCI GUI inteface as there is with the client.  An alternative NTP client, CHRONYD can be installed (opkg install chonry) instead of NTPD.  But since the daemon / server version of NTPD in BusyBox will function for client NTP devices (including Windows) no further research was done on alternative NTP daemons / services like NTPD or CHRONYD.
The below Code Block contains the settings to customize the Webmin interface for BIND / NAMED;
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:400px; overflow:auto;">
One additional note worth mentioning relates to internet service providers.  Some providers, such as AT&T, block client devices attempting to using the NTP protocol to syncronize clocks.  Some websites indicate this is a "slow-down" or some other type of limit imposed on the NTP protocol, but the end result is the same.  And that end result is the NTP protocol does not work.  And that means devices, computers, etc. are not able to syncronize with a time server.  AT&T claims this is for security reasons.  HA!  See more information about it here: https://about.att.com/sites/broadband/network
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
 
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
==Webmin==
rndc_conf=/etc/bind/rndc.conf
Webmin can be successfully installed on OpenWRT, '''AND IT IS USEFUL''' (unlike so many other ignorant (notice the word 'stupid' wasn't used, but they are) web posters claim or question).  The end of the previous sentence is in all CAPS and '''BOLD''' because of the large number websites and posts that do nothing more than question why anyone would want to install Webmin on OpenWRT instead of just answering the original question of how to install it.  Sometimes it is just nice to have a GUI.  The editor for config files alone is worth it.
force_random=0
 
keygen=/usr/sbin/dnssec-keygen
There is however a word of caution to address: Do NOT use Webmin for any OpenWRT services that have an associated LuCI GUI or /etc/config/WhatEverConfigurationFile because modifications made by Webmin will be wiped out by changes made via LuCI or the /etc/config/Files...  There are many, many services such as BIND / NAMED, Apache / HTTPD, ProFTPD, OpenSSL for OpenVPN Certificate generation that have no LuCI GUI, nor are they "controlled" or configured via the /etc/config/ Files. That means these services are safe to configure via text or by GUI.
rev_def=0
 
tmpl_dnssec_dt=1
===Pre-Installation Tasks for Installing Webmin===
spf_record=0
Download the Webmin ...tar.gz file: wget https://prdownloads.sourceforge.net/webadmin/webmin-1.953.tar.gz (that's the version number as of this writing, so adjust as they update and locate an updated URL)
by_view=0
 
other_slaves=1
Unzip and UnTAR the file;
updserial_def=0
 
soa_start=0
*The location chosen when unzipping and untarring Webmin ''can'' be the installation directory where the program runs;
rndc_cmd=/usr/sbin/rndc
**Typical installation locations for other Linux distributions (do NOT use the /tmp directory or it will be gone when the router reboots);
whois_cmd=
***CentOS typical location: /usr/libexec/webmin
allow_wild=1
***Debian: /usr/share/webmin
updserial_man=1
***Locations suggested by Webmin tutorials: /usr/libexec/webmin, '''/usr/local/webmin'''
records_order=0
***Location noted by https://doxfer.webmin.com/Webmin/Installation_-_the_old_fashioned_way as the most common for "TAR" Installations: /usr/local/webmin
checkzone=/usr/sbin/named-checkzone
*gunzip webmin-1.955.tar.gz and tar xvf webmin-1.955.tar
updserial_on=1
 
dnssec_period=21
OR
ndc_cmd=
 
allow_long=0
*tar zxvf webmin-1.955.tar.gz OR tar zxvf webmin-1.955.tar.gz -C /WhatEverPath/WhatEverDirectory (Example: tar zxvf webmin-1.955.tar.gz -C /usr/local/)
tmpl_dnssec=0
 
allow_underscore=1
(be patient, there are a LOT of files, even on a fast USB 3.0 flash drive it takes a couple of minutes.
rev_must=0
 
master_ttl=1
*If "untarred" a directory other than the installation, do one of the following;
confirm_zone=1
**Move the untarred directory to another location than the untarred location, if desired, not necessary
restart_cmd=/etc/init.d/named reload
**When installing use the command (not yet): ./setup.sh /WhatEverPath (/usr/local/webmin seems to be a fairly standard location, but of course it can be placed anywhere)
short_names=0
 
max_zones=999
*Before running the setup program;
no_chroot=1
**Add the bin Group to /etc/group using this directive: bin:x:1000: (OR, use the groupadd command: groupadd bin, the opkg install shadow-groupadd will be necessary for the groupadd command)
soa_style=0
**Make sure PERL is installed with necessary modules (dependencies will automatically download, and not all of the below are necessary for a base installation of webmin, but come in handy later, and if installing on a USB Flash Drive, as you should be, instead of internal storage, space is not a consideration)
master_dir=/etc/bind/masters
***opkg update
confirm_rec=1
***opkg install perl perlbase-http-tiny coreutils-stty perlbase-gdbm-file perlbase-extutils perlbase-storable perlbase-time perl-device-serialport perl-encode-locale perlbase-perlio perlbase-anydbm-file perlbase-anydbm-file perlbase-benchmark perlbase-charnames perlbase-db-file perlbase-dbm-filter perlbase-filecache perlbase-filetest perlbase-getopt perlbase-hash perlbase-sdbm-file perlbase-tap perlbase-test perlbase-unicode
reversezonefilename_format=ZONE.rev
***...and because the above list was trial and error and as Webmin has progressed over the months and years, it needs more PERL (yes, I know about the caps thing) modules, just throw the fistful of darts and install most perl stuff so these in addition too (will need to break it down into two lines probably because of line length limit): opkg install perlbase-bigint perlbase-bignum perlbase-blib perlbase-bytes perlbase-compress perlbase-data perlbase-db perlbase-devel perlbase-diagnostics perlbase-digest perlbase-dumpvalue perlbase-dumpvar perlbase-encoding perlbase-english perlbase-env perlbase-fatal perlbase-fields perlbase-filter perlbase-json-pp perlbase-math perlbase-memoize perlbase-meta-notation perlbase-module perlbase-mro perlbase-next perlbase-o perlbase-open perlbase-ops perlbase-pod perlbase-search perlbase-sigtrap perlbase-sort perlbase-term perlbase-thread perlbase-threads perlbase-universal perlbase-user perlbase-version
support_aaaa=1
**Possible Errors & Solutions during and after Installation;
start_cmd=/etc/init.d/named start
***Most errors will be due to missing PERL modules.  So if space isn't an issue, just see the above 'throw all the darts at the dart board strategy' and install all PERL modules.  Thanks Webmin for not making a complete list of all the necessary modules and also having your script not properly detect missing modules either.
stop_cmd=/etc/init.d/named stop
***"Perl Socket module not installed" Error will occur if perlbase-http-tiny is not installed.
largezones=0
***"stty: not found" / "Login password: ./setup.sh: line 396: stty: not found" (the line number may be different depending on the version of the setup script an Webmin being installed) Error will occur if coreutils-stty is not installed
dnssectools_rollmgr_pidfile=
***"The Perl SSLeay library is not installed. SSL not available" Error will occur because the PERL SSLeay module is not available in OpenWRT
dnssectools_conf=
***"Can't locate Time/Local.pm in" / "you may need to install the Time::Local module" will occur if the perlbase-time module is not installed
signzone=/usr/sbin/dnssec-signzone
***"No dbm on this machine at" error will occur if perlbase-gdbm-file
no_pid_chroot=0
***"Error - Perl execution failed  Undefined subroutine &main::get_miniserv_config called at /usr/local/webmin/authentic-theme/session_login.cgi line 17" and / or ""GET / HTTP/1.1" 500 166" (in miniserv.log file) error occurs if perlbase-storable is not installed
relative_paths=0
***"Can't locate ExtUtils/CBuilder.pm in @INC (you may need to install the ExtUtils::CBuilder module" error occurs if perlbase-extutils is not installed
ipv6_mode=1
***" can't open '/var/log/webmin/miniserv.pid': No such file or directory" error occurs when stopping Webmin with /etc/webmin/stop
checkconf=/usr/sbin/named-checkconf
***failed to open /var/webmin/miniserv.error<span> </span>: No such file or directory at /usr/local/webmin/miniserv.pl line XYZ: This is because webmin wants to put its error log at the /var/webmin location.  Nope, how about conforming to some standards and putting in the /var/log directory by default?  Up to the end user to configure here: /etc/webmin/miniserv.conf
named_conf=/etc/bind/named.conf
 
dnssectools_rollrec=
====A Special note on HTTPS (not the Module) for Webmin: Do NOT worry about it.  Forget it.  Almost impossible to get working.====
slave_dir=/etc/bind/masters
During installation, Webmin states the Net::SSLeay Perl Module is necessary for HTTPS to work.  If not, the Webmin site is only accessible via HTTP.
dnssectools_keydir=
rndcconf_cmd=/usr/sbin/rndc-confgen
show_list=1
pid_file=/tmp/run/named/named.pid
named_path=/usr/sbin/named
forwardzonefilename_format=ZONE.hosts
allow_comments=0
extra_forward=
file_owner=bind:bind
default_view=
this_ip=
keys_dir=
extra_reverse=
slave_file_perms=
named_group=
default_master=
named_user=
extra_slaves=
auto_chroot=
chroot=
free_nets=
default_prins=
file_perms=
zones_file=


</syntaxhighlight></div></div>
The instructions on the Webmin site for enabling this functionality are here (Hint: It won't work): http://www.webmin.com/ssl.html
Sadly, for the BIND / NAMED module, it didn't seem that OpenWRT included the ''named-compilezone'' command.  However, after some quick research with a major hint (from here: http://www.linuxfromscratch.org/blfs/view/svn/server/bind.html) which included a notation that the ''named-compilezone'' command was a symbolic link, then a quick check on a CentOS system which showed the /usr/sbin/named-compilezone pointing to /usr/sbin/named-checkzone, which confirmed the utility as a standalone file does NOT exist, but is simply a softlink to another file.  The solution is to add this line to the rc.local file: ln /usr/sbin/named-checkzone /usr/sbin/named-compilezone  That way the command is available to Webmin.
 
Here's why;


====PPTP VPN Server Webmin Module (AKA PPTPD / POPTOP)====
*The Net::SSLeay Perl Module is not available in OpenWRT, nor is and trying to build said modules results the error "fatal error: EXTERN.h: No such file or directory".  OpenWRT does not include some of the GCC files necessary.  Several sites (https://www.perlmonks.org/?node_id=1227113) mention using an external cross compile computer as a method of solving the issue
This module can be used for everything except the PPP Accounts (It ''can'' be used, but any changes will not persist across router reboots).  The reason is that the /etc/ppp/chap-secrets file (actually a symbolic link to /tmp/etc/chap-secrets) that it accesses is dynamically configured by the /etc/init.d/pptpd startup script based on information in the /etc/config/pptpd file. The Webmin module can be used to view the information, but as noted, do NOT use it to modify user names and passwords for PPTPDInstead change user names and passwords in the /etc/config/pptpd file.
*Crypt::SSLeay is not available either, becuase there seems to be an issue (https://rt.cpan.org/Public/Bug/Display.html?id=120862) with the Crypt-SSLeay-0.72.tar.gz version that is attempted to download during compileBut even the newer version (https://cpan.metacpan.org/authors/id/N/NA/NANIS/) doesn't work either.  Downloading the newer version (https://cpan.metacpan.org/authors/id/N/NA/NANIS/Crypt-SSLeay-0.73_06.tar.gz) and changing the Makefile.PL line ( unless( require( catfile qw(inc IO Interactive Tiny.pm) ) ) { ) to ( unless( require( catfile qw(IO Interactive Tiny.pm) ) ) { ), to get rid of the inc corrects the issueBut then there's a "fatal error: openssl/opensslv.h" issue that is similar to the above mentioned Net:SSLeay issue where OpenWRT does not make certain Devel files available, in this case for OpenSSL, so the cross compiling method is the only solution available.
*Some information suggests IO::Socket::SSL as an alternative (http://www.cpan.org/authors/id/N/NA/NANIS/Crypt-SSLeay-0.72.readme), but in order to build it, the Net:SSLeay Module is necessary, so that's a circular issue.


As noted above in the PPTPD section, OpenWRT does not support the ''require-mppe-128'' option in the /etc/ppp/options.pptpd file.  Webmin will insert that value if the "Use 128-bit MPPE encryption?" is set to "Must be used" and that will "break" PPTPD.  Leave it set to Default (Allowed).  It should also be noted that the mppe-128 is built into the OpenWRT /usr/sbin/pptpd binary / executable file, thus making the setting unneccessary as it is enabled by default (pptp-server.log if enabled shows this: MPPE 128-bit stateless compression enabled).
*


Below are settings for the PPTPD Module (etc/webmin/pptp-server/config);<syntaxhighlight lang="text">
====Installing Webmin====
pid_file=/var/run/pptpd.pid
Run the setup and configuration questions during setup (Note: OpenWRT does not provide the NET::SSLeay Perl Module, so SSL will not be available for Webmin);
pptpd=/usr/sbin/pptpd
log_file=/var/log/ppp.pptpd
file=/etc/pptpd.conf
pap_file=/etc/ppp/chap-secrets
ppp_options=/etc/ppp/options
start_cmd=/etc/init.d/pptpd start
stop_cmd=/etc/init.d/pptpd stop
pptp_ppp_options=/etc/ppp/options.pptpd


</syntaxhighlight>The Active Connections feature also appears to be broken for the same reason Webmin can't show processor information with the PROC module. It results in an error of: HTTP/1.0 500 Perl execution failed Server: MiniServ/1.955 Content-type: text/html; Charset=utf-8 Connection: closeError - Perl execution failed, Undefined subroutine &proc::list_processes called at ./pptp-server-lib.pl
*Detailed instructions to install "The Old Fashion Way..." can be found here: https://doxfer.webmin.com/Webmin/Installation_-_the_old_fashioned_way
====DHCPD Webmin Module (/etc/webmin/dhcpd/config)====
*In the Webmin installation directory, run: ./setup.sh /WhatEverPathToInstallWebmin (see above for potential locations)
As noted in the main DHCPC section, there is no LuCI GUI, nor is there any good reason to stay within the OpenWRT managment paradigm (at least for DHCPD). Unlike some other instances like Samba Server where it makes sense to maintain the "OpenWRT management style" of services, with DHCPD every aspect of Webmin can be utilized.  Below are the configuration settings for the DHCPD Webmin Module;<syntaxhighlight lang="text">
**Config Directory: /etc/webmin
lease_file=/tmp/dhcpd.leases
**Log file directory: /var/log/webmin (NOTE: This directory is actually a symbolic link for /tmp, so it will not persist across reboots of a routerIf permanent logs for Webmin are desired, change the path)
group_name=0
***/var/log/webmin (note, this directory is actually located here: /tmp/log/webmin, and needs to be created each time the router is booted as the /tmp directory is just that, temporary)
dhcpd_conf=/etc/dhcpd.conf
***As of the 11.2020 version of Webmin, the default location seems to be /var/webmin, so watch out for that and change it to /var/log/webmin, otherwise, other items described in this article won't work, because Webmin won't start without the correct log path.
pid_file=/var/run/dhcpd.pid
***The Log File path can also be created in the /etc/init.d/webmin startup script
dhcpd_path=/usr/sbin/dhcpd
**Full path to perl: /usr/bin/perl
desc_name=0
**MiniServe Configuration (the web process for webmin): /etc/webmin/miniserv.conf
lease_tz=0
**Configure OS as: 110 - Generic Linux (it changed to 111 some time in late 2020, and in late 2021 the Webmin installation script seems to now autodetect OpenWRT at Generic Linux, OS version 5.4)
show_mac=0
***OS Choices available when installing Webmin: Pick 110) Geric Linux for OpenWRT (note, the number changes as Webmin adds OSs, so adjust as necessary);
dhcpd_nocols=5
<syntaxhighlight lang="text">
show_ip=0
  1) Pardus Linux          2) SmartOS                3) Sun Solaris         
lease_sort=0
  4) Lycoris Desktop/LX    5) Caldera OpenLinux eS  6) Caldera OpenLinux   
display_max=100
  7) Asianux Server        8) Asianux                9) Whitebox Linux     
dhcpd_version=4.4.1
10) Tao Linux            11) CentOS Linux          12) Springdale Linux   
dhcpd_size=2249541
13) Virtuozzo Linux      14) Scientific Linux      15) Gralinux           
dhcpd_mtime=1598660246
16) NeoShine Linux        17) Endian Firewall Linu  18) Oracle Enterprise Li
lease_refresh=
19) Oracle Linux          20) Oracle VM            21) XenServer Linux     
start_cmd=/etc/init.d/dhcpd start
22) CloudLinux            23) MostlyLinux          24) Cloudrouter Linux   
stop_cmd=/etc/init.d/dhcpd stop
25) Sangoma Linux        26) Citrix Hypervisor    27) Redhat Enterprise Li
restart_cmd=/etc/init.d/dhcpd reload
28) Redhat Linux Desktop  29) AlphaCore Linux      30) X/OS Linux         
version=
31) Haansoft Linux        32) cAos Linux            33) Wind River Linux   
add_file=
34) Amazon Linux          35) Redhat Linux          36) Fedora Linux       
interfaces_type=
37) White Dwarf Linux    38) Slamd64 Linux        39) Slackware Linux     
hostnet_list=
40) Xandros Linux        41) APLINUX              42) BigBlock           
</syntaxhighlight>Items such as dhcpd_version can be modified to reflect whatever version of DHCPD is available in the future. No modifications need to be made to the /overlay/webmin/dhcpd/module.info (assuming the root path of Webmin is /overlay) file as this Module seems to be compatible with every version of DHCPD on every Linux distribution.
43) Ubuntu Linux          44) Mepis Linux          45) Devuan Linux       
 
46) Raspbian Linux        47) Linux Mint            48) Debian Linux       
====Samba Server Webmin Module (/etc/webmin/samba/config)====
49) SuSE OpenExchange Li  50) SuSE SLES Linux      51) SuSE Linux         
First, if it hasn't already been stated, a LuCI GUI (Services, Network Shares) for Samba existsAND it makes sense to stay within the OpenWRT management / configuration paradigm for services (/etc/config/samba3 or samba4). Having noted that, the LuCI GUI does not have all the bells and whistles of Webmin, but what is there looks a whole lot better. So for this one, a hybrid approach is best.
52) United Linux          53) Corel Linux          54) TurboLinux         
55) Cobalt Linux          56) Mandrake Linux Corpo  57) pclinuxos Linux     
58) Mageia Linux          59) Mandrake Linux        60) Mandriva Linux     
61) Mandriva Linux Enter  62) Conectiva Linux      63) ThizLinux Desktop   
64) ThizServer            65) MSC Linux            66) SCI Linux           
67) LinuxPPC              68) Trustix SE            69) Trustix             
70) Tawie Server Linux    71) TinySofa Linux        72) Cendio LBS Linux   
73) Ute Linux            74) Lanthan Linux        75) Yellow Dog Linux   
76) Corvus Latinux        77) Immunix Linux        78) Gentoo Linux       
79) Secure Linux          80) OpenNA Linux          81) SoL Linux           
82) Coherent Technology  83) Playstation Linux    84) StartCom Linux     
85) Yoper Linux          86) Caixa Magica          87) openmamba Linux     
88) FreeBSD              89) DragonFly BSD        90) OpenBSD             
91) NetBSD                92) BSDI                  93) HP/UX               
94) SGI Irix              95) DEC/Compaq OSF/1      96) IBM AIX             
97) SCO UnixWare          98) SCO OpenServer        99) macOS Catalina     
100) macOS Mojave          101) macOS High Sierra    102) macOS Sierra       
103) OS X                  104) Mac OS X              105) Darwin             
106) OpenDarwin            107) Cygwin                108) Sun Java Desktop Sys
109) Synology DSM          110) Generic Linux        111) Windows
</syntaxhighlight>
 
*Version: 4
 
The running Webmin service when viewed by PS or equivalent: {miniserv.pl} /usr/bin/perl /usr/local/webmin/miniserv.pl /etc/webmin/miniserv.conf
 
====Post Installation====
PID File: By default the PID file for Webmin will be here:var/log/webmin/miniserv.pid  That makes sense (NOT).  The PID is to indicate whether a process is running, which should go in /var/run.  /var/log is for log filesCome on!  Really?!  It's OK to leave it in the default location, but to put it in a place that makes more sense, modify the /etc/webming/miniserv.conf file and change the pidfile= setting to /var/run/minserv.pid
 
The setup script may display some errors, the following is related to having Webmin start automatically and an easy fix);
 
*Error: Failed to open /etc/rc.d/init.d/webmin for writing<span> </span>: No such file or directory


Making so Webmin recognizes the Samba Module as an active module requires editing the /overlay/webmin/samba/module file (assuming /overlay is the root of the Wemin installation path chosen).  For some reason the wildcard version of Linux (*-linux) setting is not respected with OpenWRT / Webmin.  That makes it necessary to add the full name of the os_type setting in the /etc/webmin/config file (which should be ''generic_linux'') into the /overlay/webmin/samba/module file os_support setting.  See below;
There is a choice for solving the above error, choose one of the following two items;


*Original line: os_support=solaris *-linux aix hpux freebsd osf1 irix openserver unixware openbsd macos netbsd
*In /etc/rc.local (or using LuCI GUI, System, Startup, Local Startup), add the following line: /etc/webmin/start
*New line: os_support=solaris generic-linux *-linux aix hpux freebsd osf1 irix openserver unixware openbsd macos netbsd


The below configuration for the Samba Webmin Module allows for management of Samba features not included in the LuCI GUI. The Webmin GUI for Samba also provides a path to overstep what should be configured with Samba via Webmin, so use the "restraint" items noted below the configuration section;<syntaxhighlight lang="text">
OR
smb_conf=/etc/samba/smb.conf.template
 
samba_server=/usr/sbin/smbd
*Create the File /etc/init.d/webmin with the following directives;
smb_passwd=/etc/samba/smbpasswd
<syntaxhighlight lang="text">
net=
#!/bin/sh /etc/rc.common
samba_password_program=/usr/bin/smbpasswd
dont_convert=-499
pdbedit=
text_lists=0
run_from_inetd=0
name_server=/usr/sbin/nmbd
sort_mode=0
swat_path=
samba_status_program=/usr/bin/smbstatus
list_printers_command=lpc status | grep "[A-z0-9]:" | sed -e 's/://g'
smbgroupedit=
start_cmd_wb=fuckytheducky
stop_cmd=/etc/init.d/samba4 stop
stop_cmd_wb=
start_cmd=/etc/init.d/samba4 start
winbind_server=
restart_cmd=/etc/init.d/samba4 restart


</syntaxhighlight>Notice a key item in the above configuration settings: smb_conf=/etc/samba/smb.conf.template (NOT smb.conf).  This is the key in allowing the Samba Webmin Module to control many Webmin settings.  The down side of this is that none of the shared resources will be displayed.  But that's OK, because the LuCI GUI interface does display shared resources.  Plus any changes made with the Samba Webmin Module would not be persistent and would be overwritten each time the Samba service or router is restarted.
START=99


The general rule of what NOT to configure within Webmin is as follows;
reload() {
/etc/webmin/reload
}


*If it can be configured within the LuCI GUI interface, do NOT configure it with Webmin.
restart() {
*If there is an item / setting within the /etc/samba/smb.conf.template of visible within Webmin that is deliniated with a leading and trailing pipe symbol ( | ), do NOT configure it with Webmin.
/etc/webmin/restart
*If the Webmin Module is configured correctly with the /etc/samba/smb.conf.template file as the configuration file, not the /etc/samba/smb.conf file, then configuration of shared resources (directories, printers, etc) will not be an issue as they will not be available within the Webmin interface for configuration.
}


Additional information can be found here: https://openwrt.org/docs/guide-user/services/nas/samba  It also illustrates the limits of the what the LuCI GUI interface can and can't do. And it demonstrates at which point editing of the smb.conf.template via a text editor (available within the LuCI GUI on the Edit Template Tab) or in this case Webmin is necessary.
start() {
mkdir -p -m 0750 /var/log/webmin
mkdir -p -m 0750 /var/webmin
/etc/webmin/start
# And don't forget to configure the logfile and errorlog settings in /etc/webmin/miniserv.conf to reflect the above OR leave the Webmin version of the miniserv.conf file as it is and make sure the ...0750 /var/webmin line is above too (then hunt for your log files somewhere besides in a log directory)


====Postfix Server Webmin Module (/etc/webmin/postfix/config)====
# In fact, best to leave that /var/webmin directory creation in place too as webmin puts other temporary crap in there that isn't related to log files.
There is no OpenWRT LuCI GUI interface for Postfix.  Nor is there any sort of OpenWRT service managment paradigm implimented in /etc/config for Postfix as there is for many other services.  That means it is 100% OK to administer with Webmin with no limitations or fear of interfering with anything else. PERIOD
}


Below are the configuration settings for the Webmin Postfix Module;<syntaxhighlight lang="text">
stop() {
delete_confirm=1
/etc/webmin/stop
fwd_mode=0
}
max_records=999
 
postfix_master=/etc/postfix/master.cf
</syntaxhighlight>
perpage=999
The above directories are created for logging and the Webmin PID file.
prefix_cmts=0
 
max_maps=999
chmod 755 /etc/init.d/webmin (changes the permissions of the above created file), then service webmin enable
postfix_config_command=/usr/sbin/postconf
 
postfix_aliases_table_command=/usr/sbin/postalias
The second method has the advantage of making it so these commands work: service webmin stop, service webmin start, as opposed to /etc/webmin/start, /etc/webmin/stop
mailq_sort=0
 
postfix_super_command=/usr/sbin/postsuper
It also may claim that it has started webmin (immediately after the installation), but sometimes it doesn't really do that, so: /etc/webmin/stop, then /etc/webmin/start
postfix_lookup_table_command=/usr/sbin/postmap
 
postfix_queue_command=/usr/sbin/postqueue
This seems to have been corrected with Webmin versions as of approxomately early 2021: <s>Webmin seems to have an issue detecting ARM CPUs in the Marvell SoC with OpenWRT.  This results in an Error 500 Perl execution failed... ...proc::list_processes.  To correct the issue modify the /overlay/webmin/proc/module.info File as follows (It disables the Webmin Processor Module because that module does not run correctly on OpenWRT for the AC Series of routers) by removing the generic-linux or *-linux setting;</s>
columns=2
 
mailq_count=0
NOTE: As of 11.2020, a newer version of Webmin overcomes the issue OR version 19.07.04 of OpenWRT's perl corrects the issue (didn't test which one it was, just noticed it)<syntaxhighlight lang="text">
wrap_width=80
Original Line: os_support=solaris generic-linux hpux freebsd osf1 irix unixware openserver macos aix netbsd openbsd windows
mailq_cmd=/usr/sbin/postqueue -p
 
mailq_dir=/var/spool/postfix
OR
ldap_doms=0
 
postfix_control_command=/usr/sbin/postfix
Original Line: os_support=solaris *-linux hpux freebsd osf1 irix unixware openserver macos aix netbsd openbsd windows
postfix_config_file=/etc/postfix/main.cf
 
check_config=1
Modified Line: os_support=solaris hpux freebsd osf1 irix unixware openserver macos aix netbsd openbsd windows
top_buttons=1
 
index_check=1
</syntaxhighlight>
delete_warn=1
<s>Verify the /etc/webmin/config file contains the following settings;</s><syntaxhighlight lang="text">
show_cmts=0
os_type=generic-linux
sort_mode=0
os_version=4
postfix_newaliases_command=/usr/bin/newaliases
real_os_type=OpenWRT
postcat_cmd=/usr/sbin/postcat
real_os_version=19.07.03
mysql_host=
</syntaxhighlight>
ldap_attrs=
<s>Alternative Method of Configuring Webmin settings in /etc/webmin/config file;</s><syntaxhighlight lang="text">
ldap_id=
os_type=linux
ldap_user=
os_version=4
mysql_pass=
real_os_type=OpenWRT
reload_cmd=/etc/init.d/postfix reload
real_os_version=19.07.03
mysql_user=
</syntaxhighlight><s>...however, this necessitates that any Webmin modules that require certain operating systems (apache, bind, etc.) need to have their module.info files modified to include the os_type of linux.</s>
init_name=
 
ldap_pass=
<s>And again, the /overlay/webmin/proc/module.info will need to be modified as above.</s>
stop_cmd=/etc/init.d/postfix stop
 
ldap_host=
<s>Also, most of the Webmin modules will need to be custom configured for the OpenWRT environment in order to function properly.  See below...</s>
start_cmd=/etc/init.d/postfix start
ldap_class=


As of mid 2021, none of the above items seem to be a concern anymore (at least with a WRT3200ACM, the only one tested thus far with this new tidbit of information).  The default /etc/webmin/config file works fine;<syntaxhighlight lang="text">
passwd_pindex=1
passwd_mindex=4
passwd_uindex=0
passwd_file=/etc/shadow
ld_env=LD_LIBRARY_PATH
path=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
find_pid_command=ps auwwwx | grep NAME | grep -v grep | awk '{ print $2 }'
by_view=0
passwd_cindex=2
tempdelete_days=7
os_type=generic-linux
os_version=5.4
real_os_type=Generic Linux
real_os_version=5.4
lang=en
log=1
referers_none=1
md5pass=1
theme=authentic-theme
product=webmin
</syntaxhighlight>
</syntaxhighlight>


====Third Party Modules (OpenVPN Certificate Authority, not OpenVPN itself as that is configured via LuCI or /etc/config, etc)====
===Adding and Configuring Webmin Features & Modules===
Install via the Webmin GUI and remember to configure the module.info file if necessary and settings
Before any modules are moved from the Unused-Modules Category, they must be properly configured for Webmin to detect.


OpenVPN (/etc/webmin/openvpn/config);<div class="toccolours mw-collapsible mw-collapsed" style="overflow:auto; width:100%;">
====Date and Time====
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
The LuCI GUI does not provide a method to manually change the date or time (see https://openwrt.org/docs/guide-user/services/ntp/client-server). The reason appears to be that the AC Series of routers, among many other router models, lacks the hardware capability to maintain an internal clock when the router is off or unplugged. Instead, it syncronizes with a known NTP (Network Time Protocol) server after booting up. This seems to be confirmed, in that during booting, part of the boot process is to set the clock to midnight January 1, 1970 (see https://openwrt.org/toh/linksys/linksys_wrt3200acm).
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
status_cmd=systemctl status openvpn@%s
openvpn_servers_subdir=servers
start_cmd=/etc/init.d/openvpn start
openvpn_home=/etc/openvpn
br_end_cmd=/usr/share/webmin/openvpn/br_scripts/bridge_end
openvpn_keys_subdir=keys
stop_cmd=/etc/init.d/openvpn stop openvpn@%s
down_root_plugin=/usr/share/webmin/openvpn/ovpn_plugin/openvpn-plugin-down-root.so
openvpn_pid_path=/var/run
openvpn_version=2.4.7
openvpn_path=/usr/sbin/openvpn
zip_cmd=/usr/bin/gzip
br_start_cmd=/usr/share/webmin/openvpn/br_scripts/bridge_start
log_lines=200
openvpn_clients_subdir=clients
openvpn_pid_prefix=openvpn/
openssl_home=/etc/openvpn/openvpn-ssl.cnf
openssl_path=/usr/bin/openssl
openssl_version=1.1.1g


</syntaxhighlight></div></div>
Once booted, the the Webmin interface provides a relatively easy method to configure the date and time when the module is properly configured properly.  In the default Webmin Dashboard, Time on System;


===Starting and Stopping Webmin===
*CLOCK, Settings Icon (the gear at the top left of the configuration payne), System configuration, System time setting format, YYYYMMDDHHMM.SS Radio Button
Start: /etc/webmin/start
*...but wait, as of late 2021, something has changed with Webmin or OpenWRT, the above setting now needs to be: MMDDHHMMYY  Radio Button


Stop: /etc/webmin/stop
OR


Additonally, /etc/webmin/start can be added to the /etc/rc.local file to automatically start Webmin at boot.
*/etc/webmin/config: dateformat=dd/mon/yyyy


A service can even be created in /etc/init.d/webmin with the following code;<syntaxhighlight lang="text">
Remember, the modified time will not persist across reboots.  The setting for the format in Webmin will persist, but the AC series of routers, as most others, does not maintain an internal clock when off or unplugged. The time is set by accessing an NTP server when the router boots up.
#!/bin/sh /etc/rc.common


START=99
====Users and Groups====
System, Users and Groups, Settings;


reload() {
Password File (User & Password File): /etc/passwd (/etc/passwd- seems to be the OpenWRT template file for passwd)
        /etc/webmin/reload
}


restart() {
Group file: /etc/group
        /etc/webmin/restart
}


start() {
====Webmin Performance====
        mkdir -p -m 0750 /var/log/apache2
To decrease the Webmin CPU load on the OpenWRT router (this isn't really necessary for the AC router series as there is "horsepower" to spare);
        /etc/webmin/start
}


stop() {
*Disable Real-Time Monitoring: Webmin, Webmin Configuration, Themes, Real-time monitoring options, Enable real-time monitoring, NO
        /etc/webmin/stop
*Reduce Real-Time Monitoring Refresh: Interval for performing update, 10000 (Increasing the default value of 1000 (ms) will also cause delays in information in certain categories, such as Network I/O to be displayed slowly)
}
</syntaxhighlight>


==Sources==
====Other Notes for Webmin====
https://forum.openwrt.org/t/script-mount-alternate-nand-firmware-linksys/33588
Some modules, such as NAMED / BIND, may not accurately show the Stop / Start status after a stop or start until after a screen refresh, which is possibly related to the Monitoring Refresh time mentioned above, if increased.


https://forum.openwrt.org/t/solved-how-to-mount-ubifs-in-openwrt-kirkwood/32443/4
====Apache / Apache2 / HTTPD Webmin Module (/etc/webmin/apache/config)====
 
<div class="toccolours mw-collapsible mw-collapsed" style="width:400px; overflow:auto;">
==Startup Scripts==
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
/etc/rc.local
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
 
allow_virtualmin=0
LuCI, System, Startup, Local Startup
apply_cmd=/etc/init.d/apache2 restart
 
test_apachectl=1
Some useful startup items;<syntaxhighlight lang="text">
pid_file=/var/run/apache2/httpd.pid
# In order to make the named-compilezone command work for webmin, add the following line (research indicated it was a symbolic link)
httpd_path=/usr/sbin/apache2
ln /usr/sbin/named-checkzone /usr/sbin/named-compilezone
test_manual=0
 
apachectl_path=/usr/sbin/apachectl
 
auto_mods=1
# Create a TEMP Folder for phpMyAdmin
httpd_dir=/etc/apache2
mkdir /tmp/phpMyAdmin
test_config=1
chmod 777 /tmp/phpMyAdmin
stop_cmd=/etc/init.d/apache2 stop
 
max_servers=100
 
mime_types=/etc/apache2/mime.types
# If it is desirable to have the non-active Flash Memory RootFS2 partition available on a WRT3200ACM, then do the following;
start_cmd=/etc/init.d/apache2 start
#ubiattach -m 8
graceful_cmd=/etc/init.d/apache2 reload
#mkdir /mnt/MTD8
httpd_version=2.4.43
#mount -t ubifs /dev/ubi2_1 /mnt/MTD8
httpd_conf=/etc/apache2/apache2.conf
 
 
# If an external drive is used as the overlay, the mtb9 / syscfg partition is attached and mounted by default as /tmp/syscfg as UBI1, so these commands aren't needed, but achieve the same result. This appears to be a minor flaw in the OpenWRT boot process.;
#ubiattach -m 9
#mkdir /tmp/MTD9
#mount -t ubifs /dev/ubi1_0 /tmp/MTD9
 
 
# Webmin Related
# Added as a SERVICE, so not needed
#mkdir /tmp/log/webmin
#/etc/webmin/start


</syntaxhighlight></div></div>


====BIND / BIND8 / NAMED Webmin Module (/etc/webmin/bind8/config)====
The below Code Block contains the settings to customize the Webmin interface for BIND / NAMED;
<div class="toccolours mw-collapsible mw-collapsed" style="width:400px; overflow:auto;">
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
rndc_conf=/etc/bind/rndc.conf
force_random=0
keygen=/usr/sbin/dnssec-keygen
rev_def=0
tmpl_dnssec_dt=1
spf_record=0
by_view=0
other_slaves=1
updserial_def=0
soa_start=0
rndc_cmd=/usr/sbin/rndc
whois_cmd=
allow_wild=1
updserial_man=1
records_order=0
checkzone=/usr/sbin/named-checkzone
updserial_on=1
dnssec_period=21
ndc_cmd=
allow_long=0
tmpl_dnssec=0
allow_underscore=1
rev_must=0
master_ttl=1
confirm_zone=1
restart_cmd=/etc/init.d/named reload
short_names=0
max_zones=999
no_chroot=1
soa_style=0
master_dir=/etc/bind/masters
confirm_rec=1
reversezonefilename_format=ZONE.rev
support_aaaa=1
start_cmd=/etc/init.d/named start
stop_cmd=/etc/init.d/named stop
largezones=0
dnssectools_rollmgr_pidfile=
dnssectools_conf=
signzone=/usr/sbin/dnssec-signzone
no_pid_chroot=0
relative_paths=0
ipv6_mode=1
checkconf=/usr/sbin/named-checkconf
named_conf=/etc/bind/named.conf
dnssectools_rollrec=
slave_dir=/etc/bind/masters
dnssectools_keydir=
rndcconf_cmd=/usr/sbin/rndc-confgen
show_list=1
pid_file=/tmp/run/named/named.pid
named_path=/usr/sbin/named
forwardzonefilename_format=ZONE.hosts
allow_comments=0
extra_forward=
file_owner=bind:bind
default_view=
this_ip=
keys_dir=
extra_reverse=
slave_file_perms=
named_group=
default_master=
named_user=
extra_slaves=
auto_chroot=
chroot=
free_nets=
default_prins=
file_perms=
zones_file=


# OpenWRT puts the Apache directory in an unusual location for those with a CentOS / RedHat backgroundInstead of modifying all of the default
</syntaxhighlight></div></div>
# locations, it is easier to set up a softlink to the more familiar CentOS locationsRemember, VAR redirects to TMP, hence the mkdir /tmp/www instead
Sadly, for the BIND / NAMED module, it didn't seem that OpenWRT included the ''named-compilezone'' command.  However, after some quick research with a major hint (from here: http://www.linuxfromscratch.org/blfs/view/svn/server/bind.html) which included a notation that the ''named-compilezone'' command was a symbolic link, then a quick check on a CentOS system which showed the /usr/sbin/named-compilezone pointing to /usr/sbin/named-checkzone, which confirmed the utility as a standalone file does NOT exist, but is simply a softlink to another file.  The solution is to add this line to the rc.local file: ln /usr/sbin/named-checkzone /usr/sbin/named-compilezone That way the command is available to Webmin.
# of mkdir /var/www
 
mkdir /tmp/www
Another feature that doesn't work "out of the box" is the View Records File Button.  This error message is displayed when clicking on the button: ''This zone is in raw binary format, and so cannot be displayed as text''.  But this is not the fault of Webmin, well, not exactly.  If they rewrote the code for the module to detect whether the zone file was stored in binary or text format, this issue wouldn't be an issue.  The claim by BIND is that storing information in a binary format is better for performance.  However, this only applies to very busy DNS servers.  For "average" DNS servers, storing the zone records in plain text format will not be an issue.  Thanks to a hint from this site: http://geekdom.wesmo.com/2014/06/05/bind9-dns-slave-file-format/, it indicated the setting below applied to both master and slave zone files.  To enable the button functionality add the following line to the named.conf file;
ln -s /usr/share/apache2/htdocs /var/www/html
 
ln -s /usr/share/apache2/cgi-bin /var/www/cgi-bin
*masterfile-format text;
ln -s /usr/share/apache2/error /var/www/error
 
ln -s /usr/share/apache2/icons /var/www/icons
The above setting can be applied on a zone by zone basis or it can be placed in the main ''options'' section to apply to all zonesAnd again, even though the name of the setting seems to apply to master zone files, it also changes the format setting for slave zone files (IE, there is no slavefile-format directive / command).
 
Also Note: The Setup RDNC Button in Webmin seems to work (IE, it generates the rndc.conf file, updates the named.conf file, etc.), but the format it applies in the named.conf doesn't seem to work.  Syntax wise it is correct, but it doesn't work.  Solution?  Run the rndc-config command manually;
 
*rndc-config > /etc/bind/rndc.conf
*...then open the rndc.conf file and copy the section at the bottom into the named.conf file.
 
====PPTP VPN Server Webmin Module (AKA PPTPD / POPTOP)====
This module can be used for everything except the PPP Accounts (It ''can'' be used, but any changes will not persist across router reboots).  The reason is that the /etc/ppp/chap-secrets file (actually a symbolic link to /tmp/etc/chap-secrets) that it accesses is dynamically configured by the /etc/init.d/pptpd startup script based on information in the /etc/config/pptpd file.  The Webmin module can be used to view the information, but as noted, do NOT use it to modify user names and passwords for PPTPD.  Instead change user names and passwords in the /etc/config/pptpd file.
 
As noted above in the PPTPD section, OpenWRT does not support the ''require-mppe-128'' option in the /etc/ppp/options.pptpd file.  Webmin will insert that value if the "Use 128-bit MPPE encryption?" is set to "Must be used" and that will "break" PPTPD.  Leave it set to Default (Allowed).  It should also be noted that the mppe-128 is built into the OpenWRT /usr/sbin/pptpd binary / executable file, thus making the setting unneccessary as it is enabled by default (pptp-server.log if enabled shows this: MPPE 128-bit stateless compression enabled).


</syntaxhighlight>
Below are settings for the PPTPD Module (etc/webmin/pptp-server/config);<syntaxhighlight lang="text">
pid_file=/var/run/pptpd.pid
pptpd=/usr/sbin/pptpd
log_file=/var/log/ppp.pptpd
file=/etc/pptpd.conf
pap_file=/etc/ppp/chap-secrets
ppp_options=/etc/ppp/options
start_cmd=/etc/init.d/pptpd start
stop_cmd=/etc/init.d/pptpd stop
pptp_ppp_options=/etc/ppp/options.pptpd
 
</syntaxhighlight>The Active Connections feature also appears to be broken for the same reason Webmin can't show processor information with the PROC module.  It results in an error of: HTTP/1.0 500 Perl execution failed Server: MiniServ/1.955 Content-type: text/html; Charset=utf-8 Connection: close.  Error - Perl execution failed, Undefined subroutine &proc::list_processes called at ./pptp-server-lib.pl
====DHCPD Webmin Module (/etc/webmin/dhcpd/config)====
As noted in the main DHCPC section, there is no LuCI GUI, nor is there any good reason to stay within the OpenWRT managment paradigm (at least for DHCPD).  Unlike some other instances like Samba Server where it makes sense to maintain the "OpenWRT management style" of services, with DHCPD every aspect of Webmin can be utilized.  Below are the configuration settings for the DHCPD Webmin Module;<syntaxhighlight lang="text">
lease_file=/tmp/dhcpd.leases
group_name=0
dhcpd_conf=/etc/dhcpd.conf
pid_file=/var/run/dhcpd.pid
dhcpd_path=/usr/sbin/dhcpd
desc_name=0
lease_tz=0
show_mac=0
dhcpd_nocols=5
show_ip=0
lease_sort=0
display_max=100
dhcpd_version=4.4.1
dhcpd_size=2249541
dhcpd_mtime=1598660246
lease_refresh=
start_cmd=/etc/init.d/dhcpd start
stop_cmd=/etc/init.d/dhcpd stop
restart_cmd=/etc/init.d/dhcpd reload
version=
add_file=
interfaces_type=
hostnet_list=
</syntaxhighlight>Items such as dhcpd_version can be modified to reflect whatever version of DHCPD is available in the future.  No modifications need to be made to the /overlay/webmin/dhcpd/module.info (assuming the root path of Webmin is /overlay) file as this Module seems to be compatible with every version of DHCPD on every Linux distribution.
 
The Edit Network Interfaces Button and Interfaces File Type setting in Webmin will not work with OpenWRT.
 
====Samba Server Webmin Module (/etc/webmin/samba/config)====
First, if it hasn't already been stated, a LuCI GUI (Services, Network Shares) for Samba exists.  AND it makes sense to stay within the OpenWRT management / configuration paradigm for services (/etc/config/samba3 or samba4).  Having noted that, the LuCI GUI does not have all the bells and whistles of Webmin, but what is there looks a whole lot better.  So for this one, a hybrid approach is best.
 
Making so Webmin recognizes the Samba Module as an active module requires editing the /usr/local/webmin/samba/module file (assuming /usr/local is the root of the Wemin installation path chosen).  For some reason the wildcard version of Linux (*-linux) setting is not respected with OpenWRT / Webmin.  That makes it necessary to add the full name of the os_type setting in the /etc/webmin/config file (which should be ''generic_linux'') into the /usr/local/webmin/samba/module.info file os_support setting.  See below;
 
*Original line: os_support=solaris *-linux aix hpux freebsd osf1 irix openserver unixware openbsd macos netbsd
*New line: os_support=solaris generic-linux *-linux aix hpux freebsd osf1 irix openserver unixware openbsd macos netbsd
 
The below configuration for the Samba Webmin Module allows for management of Samba features not included in the LuCI GUI.  The Webmin GUI for Samba also provides a path to overstep what should be configured with Samba via Webmin, so use the "restraint" items noted below the configuration section;<syntaxhighlight lang="text">
smb_conf=/etc/samba/smb.conf.template
samba_server=/usr/sbin/smbd
smb_passwd=/etc/samba/smbpasswd
net=
samba_password_program=/usr/bin/smbpasswd
dont_convert=-499
pdbedit=
text_lists=0
run_from_inetd=0
name_server=/usr/sbin/nmbd
sort_mode=0
swat_path=
samba_status_program=/usr/bin/smbstatus
list_printers_command=lpc status | grep "[A-z0-9]:" | sed -e 's/://g'
smbgroupedit=
start_cmd_wb=fuckytheducky
stop_cmd=/etc/init.d/samba4 stop
stop_cmd_wb=
start_cmd=/etc/init.d/samba4 start
winbind_server=
restart_cmd=/etc/init.d/samba4 restart
 
</syntaxhighlight>Notice a key item in the above configuration settings: smb_conf=/etc/samba/smb.conf.template (NOT smb.conf).  This is the key in allowing the Samba Webmin Module to control many Webmin settings.  The down side of this is that none of the shared resources will be displayed.  But that's OK, because the LuCI GUI interface does display shared resources.  Plus any changes made with the Samba Webmin Module would not be persistent and would be overwritten each time the Samba service or router is restarted.
 
The general rule of what NOT to configure within Webmin is as follows;
 
*If it can be configured within the LuCI GUI interface, do NOT configure it with Webmin.
*If there is an item / setting within the /etc/samba/smb.conf.template of visible within Webmin that is deliniated with a leading and trailing pipe symbol ( | ), do NOT configure it with Webmin.
*If the Webmin Module is configured correctly with the /etc/samba/smb.conf.template file as the configuration file, not the /etc/samba/smb.conf file, then configuration of shared resources (directories, printers, etc) will not be an issue as they will not be available within the Webmin interface for configuration.
 
Additional information can be found here: https://openwrt.org/docs/guide-user/services/nas/samba  It also illustrates the limits of the what the LuCI GUI interface can and can't do.  And it demonstrates at which point editing of the smb.conf.template via a text editor (available within the LuCI GUI on the Edit Template Tab) or in this case Webmin is necessary.
 
====Postfix Server Webmin Module (/etc/webmin/postfix/config)====
There is no OpenWRT LuCI GUI interface for Postfix.  Nor is there any sort of OpenWRT service managment paradigm implimented in /etc/config for Postfix as there is for many other services.  That means it is 100% OK to administer with Webmin with no limitations or fear of interfering with anything else.  PERIOD
 
Below are the configuration settings for the Webmin Postfix Module;<syntaxhighlight lang="text">
delete_confirm=1
fwd_mode=0
max_records=999
postfix_master=/etc/postfix/master.cf
perpage=999
prefix_cmts=0
max_maps=999
postfix_config_command=/usr/sbin/postconf
postfix_aliases_table_command=/usr/sbin/postalias
mailq_sort=0
postfix_super_command=/usr/sbin/postsuper
postfix_lookup_table_command=/usr/sbin/postmap
postfix_queue_command=/usr/sbin/postqueue
columns=2
mailq_count=0
wrap_width=80
mailq_cmd=/usr/sbin/postqueue -p
mailq_dir=/var/spool/postfix
ldap_doms=0
postfix_control_command=/usr/sbin/postfix
postfix_config_file=/etc/postfix/main.cf
check_config=1
top_buttons=1
index_check=1
delete_warn=1
show_cmts=0
sort_mode=0
postfix_newaliases_command=/usr/bin/newaliases
postcat_cmd=/usr/sbin/postcat
mysql_host=
ldap_attrs=
ldap_id=
ldap_user=
mysql_pass=
reload_cmd=/etc/init.d/postfix reload
mysql_user=
init_name=
ldap_pass=
stop_cmd=/etc/init.d/postfix stop
ldap_host=
start_cmd=/etc/init.d/postfix start
ldap_class=
 
</syntaxhighlight>
 
====Third Party Modules (OpenVPN Certificate Authority, not OpenVPN itself as that is configured via LuCI or /etc/config, etc)====
Install via the Webmin GUI and remember to configure the module.info file if necessary and settings too.  IE, download the module from the Webmin website, and then under the Webmin, Wemin Configuration, Webmin Modules menu, select From uploaded file, and Install Module
 
OpenVPN (/etc/webmin/openvpn/config);<div class="toccolours mw-collapsible mw-collapsed" style="overflow:auto; width:100%;">
<div style="font-weight:bold;line-height:1.6;">Code Block</div>
<div class="mw-collapsible-content"><syntaxhighlight lang="text">
status_cmd=systemctl status openvpn@%s
openvpn_servers_subdir=servers
start_cmd=/etc/init.d/openvpn start
openvpn_home=/etc/openvpn
br_end_cmd=/usr/share/webmin/openvpn/br_scripts/bridge_end
openvpn_keys_subdir=keys
stop_cmd=/etc/init.d/openvpn stop openvpn@%s
down_root_plugin=/usr/share/webmin/openvpn/ovpn_plugin/openvpn-plugin-down-root.so
openvpn_pid_path=/var/run
openvpn_version=2.4.7
openvpn_path=/usr/sbin/openvpn
zip_cmd=/usr/bin/gzip
br_start_cmd=/usr/share/webmin/openvpn/br_scripts/bridge_start
log_lines=200
openvpn_clients_subdir=clients
openvpn_pid_prefix=openvpn/
openssl_home=/etc/openvpn/openvpn-ssl.cnf
openssl_path=/usr/bin/openssl
openssl_version=1.1.1g
 
</syntaxhighlight></div></div>
 
====Cron====
It works with one minor exception.  For older versions of Webmin, the "Display running status of jobs?" may not work.  Other than that, the below configuration /etc/webmin/cron/config file works;<syntaxhighlight lang="text">
show_comment=1
hourly_only=
match_mode=
cron_dir=
run_parts=
cron_input=1
cron_delete_command=
cron_copy_command=
show_time=1
single_file=/etc/crontabs/root
cronfiles_dir=
cron_allow_file=
cron_edit_command=
max_jobs=
cron_get_command=
match_user=
cron_deny_all=
max_len=
cron_deny_file=
kill_subs=
vixie_cron=0
show_next=1
system_crontab=
show_run=2
add_file=
</syntaxhighlight>
 
===Starting and Stopping Webmin===
Start: /etc/webmin/start
 
Stop: /etc/webmin/stop
 
Additonally, /etc/webmin/start can be added to the /etc/rc.local file to automatically start Webmin at boot.
 
A service can even be created in /etc/init.d/webmin with the following code;<syntaxhighlight lang="text">
#!/bin/sh /etc/rc.common
 
START=99
 
reload() {
        /etc/webmin/reload
}
 
restart() {
        /etc/webmin/restart
}
 
start() {
        mkdir -p -m 0750 /var/log/apache2
        /etc/webmin/start
}
 
stop() {
        /etc/webmin/stop
}
</syntaxhighlight>
 
==Sources==
https://forum.openwrt.org/t/script-mount-alternate-nand-firmware-linksys/33588
 
https://forum.openwrt.org/t/solved-how-to-mount-ubifs-in-openwrt-kirkwood/32443/4
 
==Startup Scripts==
/etc/rc.local
 
LuCI, System, Startup, Local Startup
 
Some useful startup items;<syntaxhighlight lang="text">
# In order to make the named-compilezone command work for webmin, add the following line (research indicated it was a symbolic link)
ln /usr/sbin/named-checkzone /usr/sbin/named-compilezone
 
 
# Create a TEMP Folder for phpMyAdmin
mkdir /tmp/phpMyAdmin
chmod 777 /tmp/phpMyAdmin
 
 
# If it is desirable to have the non-active Flash Memory RootFS2 partition available on a WRT3200ACM, then do the following;
#ubiattach -m 8
#mkdir /mnt/MTD8
#mount -t ubifs /dev/ubi2_1 /mnt/MTD8
 
 
# If an external drive is used as the overlay, the mtb9 / syscfg partition is attached and mounted by default as /tmp/syscfg as UBI1, so these commands aren't needed, but achieve the same result.  This appears to be a minor flaw in the OpenWRT boot process.;
#ubiattach -m 9
#mkdir /tmp/MTD9
#mount -t ubifs /dev/ubi1_0 /tmp/MTD9
 
 
# Webmin Related
# Added as a SERVICE, so not needed
#mkdir /tmp/log/webmin
#/etc/webmin/start
 
 
 
# OpenWRT puts the Apache directory in an unusual location for those with a CentOS / RedHat background.  Instead of modifying all of the default
# locations, it is easier to set up a softlink to the more familiar CentOS locations.  Remember, VAR redirects to TMP, hence the mkdir /tmp/www instead
# of mkdir /var/www
mkdir /tmp/www
ln -s /usr/share/apache2/htdocs /var/www/html
ln -s /usr/share/apache2/cgi-bin /var/www/cgi-bin
ln -s /usr/share/apache2/error /var/www/error
ln -s /usr/share/apache2/icons /var/www/icons
 
</syntaxhighlight>


==Console Connectivity==
==Console Connectivity==
Console connectivity on the AC Series of routers can be made via a 6 pin JST-PH 2.0 [[wikipedia:Electrical_connector|electrical connector]] (2.0 refers to the 'pitch' or space between the pins, not a version number) that provides a [[wikipedia:Port_(circuit_theory)|port]] with [[wikipedia:Serial_communication|serial communication]] capability.
Console connectivity on the AC Series of routers can be made via a 6 pin JST-PH 2.0 [[wikipedia:Electrical_connector|electrical connector]] (2.0 refers to the 'pitch' or space between the pins, not a version number) that provides a [[wikipedia:Port_(circuit_theory)|port]] with [[wikipedia:Serial_communication|serial communication]] capability.
 
 
Unlike many models of routers that require a similar connector be soldered to a circuit board, the AC Series of routers has this feature installed during manufacturing.  Even though the cost is quite small per unit, it can add up to a significant amount of money with a large production run.  This implies Linksys was anticipating the router would be used by a modding community.  So thank you to the Linksys engineers and management that made sure that feature was included with the router.  On the cynical "bean counter" side of things, including a feature which makes it easier to salvage a "[[wikipedia:Brick_(electronics)|bricked]]" router, also probably cuts down on the number customers attempting to return "failed" units to Linksys.
Unlike many models of routers that require a similar connector be soldered to a circuit board, the AC Series of routers has this feature installed during manufacturing.  Even though the cost is quite small per unit, it can add up to a significant amount of money with a large production run.  This implies Linksys was anticipating the router would be used by a modding community.  So thank you to the Linksys engineers and management that made sure that feature was included with the router.  On the cynical "bean counter" side of things, including a feature which makes it easier to salvage a "[[wikipedia:Brick_(electronics)|bricked]]" router, also probably cuts down on the number customers attempting to return "failed" units to Linksys.
 
 
===Serial Ports and TTL Serial Communication===
==Serial TTL Cable and Connectors==
Even thought this port provides serial communication, it should not be confused with a Serial Port ([[wikipedia:D-subminiature|DE-9]], AKA DB-9 or DB9) as found on older personal computer or with a USB to Serial Port adapter.  A Serial Port on a computer utilizes the [[wikipedia:RS-232|RS-232]]<nowiki/>standard for communication.  The port on the AC Series of routers uses a similar [[wikipedia:Single-ended_signaling|single-ended signaling]] method, but with lower voltages (typically 3.3 V - 5.0 V VS voltages up to 15 V for RS-232) often referred to as a [[wikipedia:Single-ended_signaling|TTL]] or more accurately as a TTL Serial Port or Port using [[wikipedia:Transistor–transistor_logic#Interfacing_considerations|TTL Serial Communication]].  Many [[wikipedia:System_on_a_chip|SOC]] (System on a Chip) and [[wikipedia:Microcontroller|MCU]] (MicroController Unit) systems besides Linksys use TTL Serial ports as a method of communication and control.
{{:Serial_TTL_Cable_and_Connectors}}
 
 
CAUTION: If one connects an RS-232 Serial Port directly to a "TTL Serial Port", at best gibberish will be displayed by whatever terminal / serial console software is being used ([[wikipedia:PuTTY|PuTTY]], [[wikipedia:SecureCRT|SecureCRT]], Windows [[wikipedia:HyperACCESS|HyperTerminal]], etc.).  At worst, the higher voltage may permananently damage electronic components on the router's circuit board, rendering it unusable.
===Serial Ports and TTL Serial Communication===
 
Even thought this port provides serial communication, it should not be confused with a Serial Port ([[wikipedia:D-subminiature|DE-9]], AKA DB-9 or DB9) as found on older personal computer or with a USB to Serial Port adapter.  A Serial Port on a computer utilizes the [[wikipedia:RS-232|RS-232]]<nowiki/>standard for communication.  The port on the AC Series of routers uses a similar [[wikipedia:Single-ended_signaling|single-ended signaling]] method, but with lower voltages (typically 3.3 V - 5.0 V VS voltages up to 15 V for RS-232) often referred to as a [[wikipedia:Single-ended_signaling|TTL]] or more accurately as a TTL Serial Port or Port using [[wikipedia:Transistor–transistor_logic#Interfacing_considerations|TTL Serial Communication]].  Many [[wikipedia:System_on_a_chip|SOC]] (System on a Chip) and [[wikipedia:Microcontroller|MCU]] (MicroController Unit) systems besides Linksys use TTL Serial ports as a method of communication and control.
===Connection with a PC===
 
There are several methods of connecting a PC (Windows, Linux, etc.) to an AC Series router.  The simplest of which is a USB to TTL Adapater (originally created by [[wikipedia:FTDI|FTDI]]).  USB Adapters typically have a Fanout Pigtail (a term often used when referring to Fiber Optic cables) which allows individual connections to pins on a circuit board port as there is no standard ordering of pins of a TTL Port between manufacturers.  Another method utilizes a Serial to TTL Adapter which will likely include a [[wikipedia:MAX232|MAX232]] (or descendant) IC.
CAUTION: If one connects an RS-232 Serial Port directly to a "TTL Serial Port", at best gibberish will be displayed by whatever terminal / serial console software is being used ([[wikipedia:PuTTY|PuTTY]], [[wikipedia:SecureCRT|SecureCRT]], Windows [[wikipedia:HyperACCESS|HyperTerminal]], etc.).  At worst, the higher voltage may permananently damage electronic components on the router's circuit board, rendering it unusable.
 
 
The COM port settings are as follows;
===Connection with a PC===
 
There are several methods of connecting a PC (Windows, Linux, etc.) to an AC Series router.  The simplest of which is a USB to TTL Adapater (originally created by [[wikipedia:FTDI|FTDI]]).  USB Adapters typically have a Fanout Pigtail (a term often used when referring to Fiber Optic cables) which allows individual connections to pins on a circuit board port as there is no standard ordering of pins of a TTL Port between manufacturers.  Another method utilizes a Serial to TTL Adapter which will likely include a [[wikipedia:MAX232|MAX232]] (or descendant) IC.
*115200 bits per second
 
*Data bits: 8
The COM port settings are as follows;
*Parity: None
 
*Stop bits: 1
*115200 bits per second
*Flow Control: None
*Data bits: 8
 
*Parity: None
===The Real Pin # 1===
*Stop bits: 1
Many website tutorials, YouTube videos, diagrams, and even images on the OpenWRT website show the TTL Serial Port for the AC series of routers numbered from left to right, starting with "pin 1", as viewed from the top / front of the circuit board.  This is NOT correct, although both the names / labels of the pins and what their function is (Ground, TX (Transmit), and RX (Receive)), ''are correct''.  It is an industry standard to identify "Pin 1" on a circuit board in several manners.  The most common methods includes a triangle printed on the circuit board closest to "Pin 1" and a square solder connection (as viewed from the bottom).  Another convention that is typically followed, but is not an absolute rule, is putting "Pin 1" closest to the nearest edge of a circuit board.  The AC Series of routers all have a square solder connection on the bottom and a triangle printed on top of the circuit board for "Pin 1" on the right side of the connector, as viewed from the top.  Since there is no pinout standard for that type of connector, the manufacturer (Linksys in this case) gets to define where "Pin 1" is located.
*Flow Control: None
===Additional Information===
 
OpenWRT article for WRT3200ACM that applies to other models too: https://openwrt.org/toh/linksys/linksys_wrt3200acm#serial1
===Hardware for Serial Connection===
 
After much research and examination of the internal physical layout of the AC Series of routers, the these items seemed the best fit for easily connecting a computer to the router.  It allows one to connect everything with no soldering, using standard USB cables.  There are of course many other choices, using different hardware ranging from USB to Serial Adapter (with TTL), 9 pin serial ports, etc.
For a detailed explanation of Serial Ports: https://en.wikipedia.org/wiki/Serial_port
 
Link as of late 2020: https://www.ebay.com/itm/Switchcraft-EHUSBBABX-USB-B-to-A-EH-Panel-Mount-Feed-Thru-Connector-Black/153365243032
[[File:USBA.jpg|alt=USB A Connector|none|thumb|126x126px|USB A Connector]]
[[File:USBB.jpg|alt=USB B Connector|none|thumb|126x126px|USB B Connector]]
OR
[[File:USBABCable.jpg|none|thumb|126x126px|USB B to USB A with Cable]]
Link as of Late 2020:https://www.ebay.com/itm/PL2303TA-USB-to-TTL-RS232-COM-UART-Module-Serial-Cable-Adapter-for-Arduino/233559278066
[[File:PL2303TA.jpg|none|thumb|126x126px|USB PL2303TA Serial to 2.54mm Pitch Molex "70553 Style" Female Pigtail]]
[[File:JSTPH2mmFemale.jpg|left|thumb|126x126px|JST-PH 2.0mm Pitch 6 Pin Female Connector (notice the striped wires that are soldered.]]
<br />
 
 
 
 
 
 
 
As of early 2021, there doesn't appear to be anyone that manufactures a 6 pin 2.0mm pitch JST-PH female connector / adapter / converter to a "pigtail" 2.54 breadboard / jumper Molex "70553 style" male connector.  And that was just when you thought everything existed in the world.  Oh, well.
 
The best "non-soldering" / "plug it all together" solution is the above noted "USB B to USB A with Cable" Connector + the PL2303TA USB (the USB version of a MAX3232) to 2.54 breadboard / jumper Molex "70553 style" female connector to the JST-PH 2.0mm Pitch 6 Pin Female Connector.  The stripped off wires that are soldered with fit nicely into the "70553 style" female connector.  Everything else is just plugged together, minus the hole in the side of the router for the USB connector.  In the end, once put together, it makes it so a router can be connected to a computer via an ordinary USB cable.
 
===The Real Pin # 1===
Many website tutorials, YouTube videos, diagrams, and even images on the OpenWRT website show the TTL Serial Port for the AC series of routers numbered from left to right, starting with "pin 1", as viewed from the top / front of the circuit board.  This is NOT correct, although both the names / labels of the pins and what their function is (Ground, TX (Transmit), and RX (Receive)), ''are correct''.  It is an industry standard to identify "Pin 1" on a circuit board in several manners.  The most common methods includes a triangle printed on the circuit board closest to "Pin 1" and a square solder connection (as viewed from the bottom).  Another convention that is typically followed, but is not an absolute rule, is putting "Pin 1" closest to the nearest edge of a circuit board.  The AC Series of routers all have a square solder connection on the bottom and a triangle printed on top of the circuit board for "Pin 1" on the right side of the connector, as viewed from the top.  Since there is no pinout standard for that type of connector, the manufacturer (Linksys in this case) gets to define where "Pin 1" is located. And per the triangle marking, pin closest to edge, and square solder connection pin number one is located as indicated by the below image.  PERIOD.  Image is courtesy of: http://wtarreau.blogspot.com/2018/
===Additional Information===
[[File:PinOut.png|alt=Pinout for TTL Connector on AC Series of Routers|left|thumb|Pinout for TTL Connector]]
OpenWRT article for WRT3200ACM that applies to other models too: https://openwrt.org/toh/linksys/linksys_wrt3200acm#serial1
 
For a detailed explanation of Serial Ports: https://en.wikipedia.org/wiki/Serial_port
 
[[wikipedia:JST_connector|JST Connector]] Specifications: http://www.jst-mfg.com/product/pdf/eng/ePH.pdf  And a nice video on the subject: https://www.youtube.com/watch?v=wn3ixZ-sv5w
 
Various comparisons between RS-232 and TTL: https://learn.sparkfun.com/tutorials/serial-communication/wiring-and-hardware
 
A general tuturial on configuring connectivity with an AC Series router: http://wtarreau.blogspot.com/2018/ (this person has the pin numbers labeled correctly and everyone else's incorrect opinion labeled as "theoretical", see image)
 
<br />
 
==History==
One question that has never been precisely determined is this: Which version of Linux is OpenWRT based on?  Yes, it is known that the Linksys WRT54G started it all, but what version of Linux in the all the different [[wikipedia:List_of_Linux_distributions|distributions]] and branches is OpenWRT based on?  OpenWRT is on the [[wikipedia:List_of_Linux_distributions|chart]] at the bottom, but no lines are drawn to it.
 
Perhaps a better question would be: What did Linksys use way back in the early noughties as the basis of their OS for the WRT54G?
 
Here are some of the first discussions on the subject;
 
*https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-gpl
*https://hardware.slashdot.org/story/03/07/06/2121234/linksys-releases-gpled-code-for-wrt54g
 
One aptly named project that preceeds the WRT54G and OpenWRT is this: https://en.wikipedia.org/wiki/Linux_Router_Project
 
The Linux distribution that would seem to be the most modern descendant and perhaps relative of OpenWRT is [[wikipedia:Alpine_Linux|Alpine Linux]].
 
==Package Installation==
Here's an all in one line for installing a bunch of useful package.  Keep in mind this should only be done if one is using an external USB Flash Drive as even the internal flash storage of a WRT3200ACM won't be enough;
 
opkg update
 
opkg install luci-app-advanced-reboot block-mount e2fsprogs kmod-fs-ext4 kmod-usb-storage kmod-usb2 kmod-usb3 ntfs-3g usbutils gdisk cfdisk tune2fs kmod-fs-exfat dosfstools kmod-fs-vfat f2fs-tools kmod-fs-f2fs lsblk ntfs-3g-utils fdisk sfdisk wipefs samba4-server samba4-utils install luci-app-samba4
 
==Tethering==
{{:OpenWRT_Tethering}}
 
==DDNS (Dynamic DNS) Client==
{{:OpenWRT_DDNS}}
 
==MWAN Failover==
{{:OpenWRT_MWAN_Failover}}
 
==Samba Scare on WAN==
{{:OpenWRT_Samba_Scare_on_WAN}}
 
==NMAP Utility (Port Scanner)==
{{:OpenWRT_NMAP_Utility}}
 
==PPPoE (Point to Point over Ethernet)==
{{:OpenWRT_PPPoE}}
 
==Wireless Client Bridge Mode with OpenWRT==
{{:WRT_Router_Series_Wireless_Client_Bridge_Mode_with_OpenWRT}}
 
==Monitoring Services with Monit==
{{:WRT_Router_Series_Monit}}
 
==eXtplorer==
{{:EXtplorer_on_OpenWRT}}
 
==De Brick or Un Bricking a WRT Series Router==
{{:De_Brick_or_Un_Bricking_a_WRT_Series_Router}}
 
==WRT Series COPY MTD Partitions==
{{:WRT_Series_COPY_MTD_Partitions}}
 
==AC Series Recommended Software and Utilities==
{{:AC_Series_Recommended_Software_and_Utilities}}
 
==U Boot for WRT Series==
{{:U_Boot_for_WRT_Series}}
 
==Serial Port Communication on Linksys AC Series with OpenWRT==
{{:Serial_Port_Communication_on_Linksys_AC_Series_with_OpenWRT}}
 
==User Names and Passwords
 
opkg update
opkg install shadow-passwd shadow-useradd shadow-groupadd


[[wikipedia:JST_connector|JST Connector]] Specifications: http://www.jst-mfg.com/product/pdf/eng/ePH.pdf
===Resetting a Password for OpenWRT with systems that use /overlay===
Simply remove the encrypted password from the /etc/shadow file;


Various comparisons between RS-232 and TTL: https://learn.sparkfun.com/tutorials/serial-communication/wiring-and-hardware
Before: root:$1EncryptedPassword#@#asoi41:18475:0:99999:7:::


A general tuturial on configuring connectivity with an AC Series router: http://wtarreau.blogspot.com/2018/
After: root::18475:0:99999:7:::<br />


==History==
===Weak Passwords===
One question that has never been precisely determined is this: Which version of Linux is OpenWRT based on? Yes, it is known that the Linksys WRT54G started it all, but what version of Linux in the all the different [[wikipedia:List_of_Linux_distributions|distributions]] and branches is OpenWRT based onOpenWRT is on the [[wikipedia:List_of_Linux_distributions|chart]] at the bottom, but no lines are drawn to it.
Not that one would ever want to configure a "weak password", and out of the box, the OpenWRT GUI doesn't allow that. As it should be.  But the frustrating part is having that limitation imposed with no way around it.  Maybe there is a good reason to temporarily configure a weak password.  Is that possible with the OpenWRT LuCI GUI interfaceNo, not by default.  Is there a way around it?  Not via that same GUI as far as Google is concerned.  But there is a way...


Perhaps a better question would be: What did Linksys use way back in the early noughties as the basis of their OS for the WRT54G?
Install the above passwd command, and at a command prompt type: passwd (then enter whatever password one wants)
 
Here are some of the first discussions on the subject;
 
*https://hardware.slashdot.org/story/03/06/08/1749217/is-linksys-violating-the-gpl
*https://hardware.slashdot.org/story/03/07/06/2121234/linksys-releases-gpled-code-for-wrt54g
 
One aptly named project that preceeds the WRT54G and OpenWRT is this: https://en.wikipedia.org/wiki/Linux_Router_Project
 
The Linux distribution that would seem to be the most modern descendant and perhaps relative of OpenWRT is [[wikipedia:Alpine_Linux|Alpine Linux]].


*
*
Retrieved from "https://wiki.terrabase.info/wiki/Linksys_AC_Series_Router_Configuration_Tips_for_OpenWRT"