Router Configuration

This is the configuration for our Linksys WRT3200ACM WiFi router.

Firmware

We replaced the Linksys firmware with LEDE firmware. LEDE is the main-line OpenWRT fork.

The WRT3200ACM is well-supported, as the model is specifically sold as "Open Source Ready", supporting OpenWRT and DD-WRT. It also has a powerful 1.8 GHz dual-core CPU and a very healthy amount of flash (256 MB) and RAM (512 MB).

We installed LEDE 17.01.4. Since we were flashing from the stock Linksys firmware, we downloaded the IMG-format image.

The firmware came with the web (HTTP) interface and SSH enabled. I believe it reset to use a 192.168.1.0/24 network with the router itself at the 192.168.1.1 address.

Initial Configuration

We did the initial configuration via the web UI.

First, we set the admin password, as prompted.

We then set SSH to only be available on the LAN, so any random hacker on the Internet couldn't try to get in:

  • System / Administration
    • SSH Access / Interface: lan

Then we changed our network address. Too many networks already use 192.168.0.0/16, especially 192.168.0.0/24, 192.168.1.0/24, and 192.168.100.0/24, which makes address clashes likely when connecting by VPN to other networks; we prefer to use something from the larger 10.0.0.0/8 address space.

  • Network / Interfaces / LAN
    • IPv4 address: 10.42.69.0
    • IPv4 netmask: 255.255.255.0

We like to use OpenDNS as our upstream DNS resolver.

  • Network / DHCP and DNS
    • DNS forwardings: 208.67.220.220
    • DNS forwardings: 208.67.222.222 (hit the + icon to get a second entry box)
    • Rebind protection: CHECKED
    • Allow localhost: CHECKED

We found that the "rebind protection" caused some problems when connected by VPN to a client whose public DNS names resolved to private IP addresses: dnsmasq's rebind protection drops upstream answers that point at private address space, which is exactly what a DNS rebinding attack relies on, so it also dropped the client's legitimate answers. We had to add their domain to the Domain whitelist field, which exempts that domain and its subdomains from the check.
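
The following is an added example, not from the original page, that models in plain POSIX shell the decision dnsmasq makes for each upstream answer when rebind protection is on: an answer pointing a name at a private (RFC 1918), loopback, or link-local address is dropped unless the name falls under a whitelisted domain, with the "Allow localhost" setting exempting 127.0.0.0/8. The domain `example.com` stands in for the VPN client's domain, and the sample answers are constructed. It goes beyond the single case in the text by covering all the private ranges and the localhost exemption.

```shell
#!/bin/sh
# Added example (not the page's own code): a pure-shell model of dnsmasq's
# rebind protection decision, so the whitelist behaviour described above is
# easy to reason about. dnsmasq's real implementation is in C; only the rule
# is reproduced here.

# Return 0 if the dotted-quad IPv4 address in $1 is one that rebind
# protection refuses from upstream servers (RFC 1918, loopback, link-local).
is_rebind_address() {
  ip=$1
  # Split into octets with the shell's own field splitting (no external tools).
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  a=$1; b=$2
  [ "$a" -eq 10 ] && return 0                                         # 10.0.0.0/8
  [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0  # 172.16.0.0/12
  [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0                    # 192.168.0.0/16
  [ "$a" -eq 127 ] && return 0                                        # 127.0.0.0/8 (loopback)
  [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 0                    # 169.254.0.0/16 (link-local)
  return 1
}

# Return 0 if an upstream answer "name -> ip" should be accepted.
#   $1 = queried name, $2 = answered IPv4 address,
#   $3 = allow_localhost (1 = the "Allow localhost" box is checked),
#   $4 = space-separated domain whitelist (the "Domain whitelist" field)
rebind_accept() {
  name=$1; ip=$2; allow_localhost=$3; whitelist=$4
  is_rebind_address "$ip" || return 0        # public address: always fine
  case $ip in
    127.*) [ "$allow_localhost" = 1 ] && return 0 ;;   # DNSBL-style replies
  esac
  for d in $whitelist; do
    # A whitelisted domain covers itself and every name beneath it.
    case $name in
      "$d"|*."$d") return 0 ;;
    esac
  done
  return 1
}

# Constructed sample answers, modelled on the situation in the text: the
# client's public name (placeholder intranet.example.com) resolves to a
# private address over the VPN, while example.com is on the whitelist.
demo() {
  for entry in "www.example.org 203.0.113.10" \
               "intranet.example.com 10.20.30.40" \
               "attacker.example.net 192.168.1.1" \
               "dnsbl.example.net 127.0.0.2"; do
    set -- $entry
    if rebind_accept "$1" "$2" 1 "example.com"; then
      echo "accept $1 -> $2"
    else
      echo "drop   $1 -> $2 (rebind protection)"
    fi
  done
}
demo
```

Running it shows the first, second and fourth answers accepted (public address, whitelisted domain, loopback with "Allow localhost" on) and the third dropped, which is the case rebind protection exists for: a public name that suddenly resolves to an address inside the LAN.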

Finally, we configured the WiFi.

  • Network / Wireless
    • Enable radio0
      • Operating frequency: AC / Auto / Auto
      • ESSID: Boochtek.PRIVATE
      • Network: lan
      • Wireless Security
        • Encryption: WPA2-PSK
        • Key: (key used to access Boochtek.PRIVATE)
    • Enable radio1
      • Operating frequency: N / Auto / Auto
      • ESSID: Boochtek.PRIVATE
      • Network: lan
      • Wireless Security
        • Encryption: WPA2-PSK
        • Key: (key used to access Boochtek.PRIVATE)
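
The same initial configuration (SSH on the LAN only, LAN address, OpenDNS forwarders with rebind protection, both radios) expressed as a uci batch, so it can be applied over SSH or kept under version control. This is an added example, not from the original page; the values are the page's own except for these assumptions: the router itself takes 10.42.69.1 (the first host address in the page's 10.42.69.0/24), the client domain exempted from rebind protection is the placeholder `example.com`, `WIFI_KEY` is a placeholder, and the channel widths (VHT80 and HT20) are what we assume LuCI's "Auto" picks on this hardware.

```shell
#!/bin/sh
# Added example, not the page's own code: the web-UI steps expressed as a
# uci batch. Assumptions: router address 10.42.69.1, placeholder client
# domain example.com, placeholder WIFI_KEY, assumed channel widths.

WIFI_KEY='REPLACE-ME-WPA2-PASSPHRASE'   # placeholder; keep the real key out of scripts
REBIND_OK_DOMAIN='example.com'           # placeholder for the VPN client's domain

# Print the uci commands rather than running them, so the plan can be
# reviewed (or compared with `uci show`) before it touches the router.
render_initial_config() {
  cat <<EOF
set dropbear.@dropbear[0].Interface='lan'
set network.lan.ipaddr='10.42.69.1'
set network.lan.netmask='255.255.255.0'
add_list dhcp.@dnsmasq[0].server='208.67.220.220'
add_list dhcp.@dnsmasq[0].server='208.67.222.222'
set dhcp.@dnsmasq[0].rebind_protection='1'
set dhcp.@dnsmasq[0].rebind_localhost='1'
add_list dhcp.@dnsmasq[0].rebind_domain='${REBIND_OK_DOMAIN}'
set wireless.radio0.disabled='0'
set wireless.radio0.hwmode='11a'
set wireless.radio0.htmode='VHT80'
set wireless.radio0.channel='auto'
set wireless.default_radio0.ssid='Boochtek.PRIVATE'
set wireless.default_radio0.network='lan'
set wireless.default_radio0.encryption='psk2'
set wireless.default_radio0.key='${WIFI_KEY}'
set wireless.radio1.disabled='0'
set wireless.radio1.hwmode='11g'
set wireless.radio1.htmode='HT20'
set wireless.radio1.channel='auto'
set wireless.default_radio1.ssid='Boochtek.PRIVATE'
set wireless.default_radio1.network='lan'
set wireless.default_radio1.encryption='psk2'
set wireless.default_radio1.key='${WIFI_KEY}'
EOF
}

# Apply the plan on the router. The list options are cleared first (-q hides
# "Entry not found" on a fresh install) so re-running does not duplicate them.
apply_initial_config() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found: not on the router?" >&2; return 1; }
  uci -q delete dhcp.@dnsmasq[0].server
  uci -q delete dhcp.@dnsmasq[0].rebind_domain
  render_initial_config | uci batch
  uci commit
  /etc/init.d/dropbear restart
  /etc/init.d/dnsmasq restart
  # The LAN address changes here: reconnect to 10.42.69.1 afterwards.
  /etc/init.d/network restart
}

# Sanity checks on the plan itself (pure shell, runs anywhere).
plan_has() { render_initial_config | grep -Fqx -- "$1"; }
forwarder_count() { render_initial_config | grep -Fc -- 'add_list dhcp.@dnsmasq[0].server='; }

case ${1:-} in
  apply) apply_initial_config ;;
  *)     render_initial_config ;;   # default: just show the plan
esac
```

Run without arguments it prints the plan; `sh script.sh apply` applies it on the router. Restricting dropbear's `Interface` to `lan` is the uci equivalent of the "SSH Access / Interface: lan" setting, and `rebind_domain` is the "Domain whitelist" field.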

Extra Configuration

The rest of the configuration was done primarily via SSH.

# Set some variables that we'll use later in this script.
export GITHUB_USER='booch'
export PREFERRED_SHELL='bash' # Must be bash, zsh, tcsh, mksh, or ash.
 
 
# Update the list of packages.
opkg update
 
# Upgrade any packages that have updates (skip the call when there are none,
# since opkg upgrade with no package names just prints its usage).
UPGRADABLE=$(opkg list-upgradable | awk '{print $1}')
[ -n "$UPGRADABLE" ] && opkg upgrade $UPGRADABLE
 
# Install our preferred shell, and set it as the login shell.
# Note: exec replaces the current shell, so paste these lines interactively
# rather than running this file as one script.
opkg install $PREFERRED_SHELL
sed -i -e "/^root:/ s|/bin/ash|/bin/${PREFERRED_SHELL}|" /etc/passwd
exec $PREFERRED_SHELL
 
# Install OpenSSL and everything it needs.
opkg install ca-certificates ca-bundle libopenssl openssl-util libustream-openssl
 
# Restart the HTTP server. It should pick up the OpenSSL, enabling HTTPS and HTTP redirecting to HTTPS.
/etc/init.d/uhttpd restart
 
# Set up SSH public keys, so we don't need to type the root password every time.
wget "https://github.com/${GITHUB_USER}.keys" -O /etc/dropbear/authorized_keys
 
# Install ad blocking via DNS (and its HTTP UI).
opkg install adblock luci-app-adblock
 
# Set up whitelist for ad blocking.
cat > /etc/adblock/adblock.whitelist <<WHITELIST
## Google
googleadservices.com
google-analytics.com
 
## URL Shorteners
ow.ly
bit.ly
 
# Work-related
newrelic.com
highcharts.com
 
# Games
zynga.com
app.adjust.com
mopub.com
crashlytics.com
zyngasupport.helpshift.com
zyngawithfriends.com
WHITELIST
 
# Enable all the blocklist sources.
sed -i -e "s/option enabled '0'/option enabled '1'/" /etc/config/adblock
 
# Reload the ad blocker.
/etc/init.d/adblock restart
 
# Ensure the adblock blocklists are updated every day.
grep -sq 'adblock reload' /etc/crontabs/root || cat >> /etc/crontabs/root <<CRONTAB_ADBLOCK
47 03 * * *  /etc/init.d/adblock reload
CRONTAB_ADBLOCK
 
# Install the *real* Less, instead of using the one in BusyBox, which has no search feature.
opkg install less
 
# Install Vim, and reset the aliases.
opkg install vim
source /etc/profile
 
# Install GNU findutils.
opkg install --force-overwrite findutils-find findutils-locate findutils-xargs
 
# Install GNU diffutils.
opkg install diffutils

TODO

  • Generate valid SSL certificate to get rid of browser warnings
  • Replace BusyBox binaries with real GNU utilities, where applicable
    • opkg install coreutils # Or probably just specific individual packages
    • opkg install grep gzip lsof nano sysstat tmux htop netcat nmap ntpclient ntpd rsync rsyslog wget curl netdata
  • Set up iTunes server
    • opkg install forked-daapd # iTunes server
    • opkg install shairplay luci-app-shairplay # Airplay emulation
    • opkg install shairport luci-app-shairport # Airport emulation
  • Configure Guest WiFi
  • Captive WiFi Portal
    • opkg install wifidog wifidog-tls
  • Icecast streaming of KSHE-2
    • Captured from HD-Radio receiver
  • Anything I could serve via Nginx or Apache?
  • VPN endpoint
  • Privoxy
  • Snort
  • Web Cache
    • Squid
    • HAProxy
    • Nginx
    • Apache
    • Polipo
router.txt · Last modified: 2017/12/21 23:14 by Craig Buchek