Optimized build for the TP-Link C2600 / Netgear R7x00 / Linksys EA8500 / Zyxel Armor Z2

Some of you may know me as arokh from the old OpenWrt community. Anyways, got a new router and decided to get up to date with latest master :wink: As always, my goal is to offer a useful set of features that works out of the box.

Features

  • Based on latest git
  • LuCI web interface with rosy theme
  • Pre-configured wireless with SSID OpenWrt and password "changemenow" (root pw is the same)
  • Built with GCC 8.3 and -O2 optimization
  • Unlocked 00 (world) domain all channels available
  • https-dns-proxy (not used by default)
  • UPnP, DDNS, SQM, luci-app-statistics
  • OpenVPN and IPsec IKEv2 (strongSwan) pre-configured and ready to go (instructions below)
  • UPnP / DLNA working over OpenVPN/IPsec through the use of multicast routing with smcroute
  • Isolated guest network that gets routed through Tor network (SSID OpenWrt Tor)
  • USB auto mounting and F2FS, exFAT, NTFS and EXT filesystem support
  • NFS kernel server with V4 support
  • OpenSSH
  • Full wpad

Cloudflare's 1.1.1.1 is used by default. If you'd like to use your ISP's DNS servers instead execute this command:

# uci set dhcp.@dnsmasq[0].noresolv='0' && set network.wan.peerdns='1' && uci commit

Instructions for VPN

At first boot, a CA is created under /etc/CA, then certificates for "phone", "laptop" and "workstation" are generated for you.

OpenVPN is configured to access your external IP address at udp port 1194 and fallback tcp 1194. Ready to go .ovpn files are found under /www/vpn which can be accessed like this:

https://openwrt/vpn/phone.ovpn

To use IKEv2 on iOS, import the following:

https://openwrt/vpn/phone.p12 (certificate and key) <- password to import is "openwrt"
https://openwrt/vpn/CA.pem (CA certificate)

Then set up an IKEv2 VPN, use your external IP address as server/remoteid and "phone" as localid. Then choose certificate and select the one you imported already.

The script /usr/sbin/vpn.sh can be used to create new certificates or re-generate the CA if you so wish.

PS: If there is no WAN connection at first boot, the VPN certificates won't be generated and will have to be done manually with the mentioned script.

Download

Builds can be found here: https://drive.google.com/open?id=1zUJ4HHPEYh1ecIhF7vlwAb9V3vs9nvDE
My github: https://github.com/escalade/LEDE/tree/escalade

My builds are provided as is. They should be flashed cleanly (sysupgrade -n or use factory image with tftp).

You can clone my repo and build yourself using the profiles/ipq806x file as a config template. If you are targetting a different device you will also need to change TARGET_OPTIMIZATION in the config.

10 Likes

Thanks for all your hard work! I've been using arokh builds with my c5/c7 before. Wifi was flaky in the past on c2600 with 17.x releases and latest git builds, I saw this commit but didn't have the time to check. So Wifi should work proper now or have you made some additional tweaks besides unlocking all channels?

Also have you heard about quad9.net (DNS 9.9.9.9, unfiltered 9.9.9.10).

Works great here getting very good speeds even without the antennas. I live in a relatively small apartment though. No I haven't heard about quad9. Sounds exactly like Cisco OpenDNS which I already use in this build.

Welcome back arokh/escalade!
Nice to see the VPN-updates, I was struggling to get your old stuff to work.
It still works on my phone but not on my Windows 10 laptop.

Did you abandoned the WRTXXXXACX? I loved your builds. Thanks for sharing

@escalade turn off your router immediately! Running WiFi equipment without the antennas attached will fry the radios due to a lack of resistance. Permanent performance degradation or even total failure can occur from running WiFi equipment without antennas. I hope your radios didn't degrade yet :frowning:

2 Likes

@bouwew

Thanks, good to be back :stuck_out_tongue: My old iOS template .mobileconfig does not seem to work anymore for some reason, tried switching to EAP-TLS as that seems to be the default choice when you create an IKEv2 profile manually. Although IPsec is a standard, implementations sure do vary a lot. strongSwan supports pretty much everything though, just a matter of trial, error, patience.... Don't know about Windows as I prefer Linux/Mac :wink:

@thagabe

I don't have one myself, but there's nothing router specific in my builds so you could build yourself.

@Mushoz

Didn't know that, I'll attach them :slight_smile:

There are 2 download directories. I have a simple setup, would I use the 'regular' version or the 'glibc' version? Thanks.

The glibc version is slightly faster but incompatible with upstream packages. So unless everything you need is in this build then use non-glibc (musl) version.

1 Like

Are the packages preinstalled for L2TP connections?

Short answer, no.

Nice! Thanks for building for R7800!

Do you have any plans to implement Fast-Path in your builds? I have a WDR4900.

See here:

https://git.openwrt.org/?p=openwrt/staging/nbd.git;a=shortlog

It's coming.

1 Like

@escalade FYI: https://taczanowski.net/strongswan-ipsec-on-lede-openwrt-with-fast-classifier-and-shortcut-fe-modules/

I believe that's specific to the Qualcomm fastpath.

Correct. I was thinking, maybe that's the reason why it is not in your build: problems with IPSEC/OpenVPN.

I'd rather use something supported by the upstream kernel.

Ok, understood. I will try to incorporate the mod by quarky to SFE, that provides fast-path-support for an IPSEC/OpenVPN tunnel, in a new firmware.

Hi there. I installed the firmware this morning. Wireless is working OK, but LAN speed is only set to 100Mbps. With stock firmware I got 1Gbps speed. Any suggestions on why this is? My networkcard is a Killer2400, so more than capable of getting 1Gbps Lan speed.