- from another Router/Network, more or less a Point-To-Point connection with routing. See Blog Post OpenVPN Routed Client Config for OpenWRT
- from my laptop when I am on a public (hostile) WiFi, known as a RoadWarrior setup
- from my phone behind degraded LTE/3G and CGNAT networks
First we need to make OpenVPN reachable on the WAN port. For this we add a firewall rule to /etc/config/firewall.

config 'rule'
	option 'name' 'openvpn-udp'
	option 'src' 'wan'
	option 'target' 'ACCEPT'
	option 'proto' 'udp'
	option 'dest_port' '1194'
Generation of Certificates
(To be imported from a future blog post: how to create your own Certificate Authority with a Root CA, different Intermediate CAs, and Server + Client Certificates.)
For this tutorial we need the following certificate and key files:
- RootCA (CA)
- Intermediate CA (ICA)
- Server Certificate
- Server Cert & Key (+ Client Cert & Keys for Testing)
- CRL File
- TLS-Auth Key
- Diffie Hellman parameters
According to the ENISA report "Algorithms, Key Sizes and Parameters", for keys intended to stay in use for at least ten years, RSA keys of 3072 bits or more are recommended.
I recommend creating 4096 bit RSA keys.
The RootCA and the ICA Certificates should be bundled into a ca-chain.cert file.
cat RootCa.pem IntermediateCA.pem > ca-chain.pem
openvpn --genkey --secret openvpn/tls-auth.key
openssl dhparam -out dhparam4096.pem 4096
- Server Certificate 2048 bit => DH 4096 bit
- Server Certificate 4096 bit => DH 8192 bit
Your server certificate should be at least 4096 bits in size.
The VPN will create a subnet. Choose a net that will not overlap with any other subnet you could possibly encounter. Stay away from 192.168.0.0/24, 192.168.0.0/24 or 10.0.0.0/24, as these nets are often used as default LAN ranges in home routers.
For this tutorial I assumed a /29 net. For example, any CIDR net from the private "Class B" address range 172.16.0.0–172.31.255.255 can be chosen. Class B has not been used that often, at least it seems to me. Just try to pick a "random" private net that has a low chance of being used by others.
CIDR Net Notation: 172.16.10.0/29
Subnet Mask: 255.255.255.248
Broadcast: 172.16.10.7
CIDR Address Range: 172.16.10.0 - 172.16.10.7
Usable Addresses: 6 (1 Server + 5 Clients)
Server: 172.16.10.1
Clients: 172.16.10.2 - 172.16.10.6

If the VPN is only planned for a Point-To-Point connection between two routers or for a single client, a /30 net should be chosen instead. It is still a multi-client net, but with only two endpoints.

CIDR Net Notation: 172.18.25.64/30
Subnet Mask: 255.255.255.252
Broadcast: 172.18.25.67
CIDR Address Range: 172.18.25.64 - 172.18.25.67
Usable Addresses: 2 (1 Server + 1 Client)
Server: 172.18.25.65
Client: 172.18.25.66
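To plan the VPN net the way the two layouts above were worked out (server takes the first host address, the remaining hosts go to clients, and the net must not collide with the LAN ranges you route through it), here is an added helper that is not part of the original post; it uses only the standard library, and the `uci_server_lines` rendering of the `server`/`ifconfig`/`max_clients` options is my own convenience, not an OpenWRT tool:

```python
import ipaddress

# Default LAN ranges the post says to steer clear of (home routers often use them).
DEFAULT_LAN_NETS = ("192.168.0.0/24", "10.0.0.0/24")


def plan_vpn_net(cidr, must_not_overlap=DEFAULT_LAN_NETS):
    """Lay out an OpenVPN 'topology subnet' address pool the way --server does.

    The server takes the first host address, every remaining host address is
    available to a client.  Returns a dict with the plan plus the list of
    networks from must_not_overlap that collide with it.  Raises ValueError
    for a network with host bits set, a non-private range, or a prefix longer
    than /30 (no room for a server plus one client).
    """
    net = ipaddress.ip_network(cidr, strict=True)   # rejects e.g. 172.16.10.1/29
    if not net.is_private:
        raise ValueError(f"{net} is not a private range")
    if net.prefixlen > 30:
        raise ValueError(f"{net} has no room for a server and a client")
    hosts = list(net.hosts())
    overlaps = [str(o) for o in map(ipaddress.ip_network, must_not_overlap)
                if net.overlaps(o)]
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "server": str(hosts[0]),
        "clients": [str(h) for h in hosts[1:]],
        "max_clients": len(hosts) - 1,
        "overlaps": overlaps,
    }


def uci_server_lines(plan):
    """Render the addressing options of an OpenWRT 'config openvpn' section.

    Refuses to render a plan that overlaps one of the nets it was checked against.
    """
    if plan["overlaps"]:
        raise ValueError("VPN net overlaps " + ", ".join(plan["overlaps"]))
    net_addr = plan["network"].split("/")[0]
    return [
        f"\toption server '{net_addr} {plan['netmask']}'",
        f"\toption ifconfig '{plan['server']} {plan['netmask']}'",
        f"\toption max_clients '{plan['max_clients']}'",
    ]


if __name__ == "__main__":
    # The /29 from the post, checked against the default LAN nets and the pushed LAN route.
    plan = plan_vpn_net("172.16.10.0/29", DEFAULT_LAN_NETS + ("192.168.100.0/24",))
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("\n".join(uci_server_lines(plan)))
```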
OpenWRT OpenVPN Settings
config openvpn 'cyber'
	option enabled '1'
	#Protocol
	option dev_type 'tun'
	option dev 'cyber_tun0'
	option topology 'subnet'
	option proto 'udp'
	option port '1194'
	#Routes
	option server '172.16.10.0 255.255.255.248'
	option ifconfig '172.16.10.1 255.255.255.248'
	list push 'route 192.168.100.0 255.255.255.0'
	#Client Config
	option ccd_exclusive '1'
	option client_config_dir '/etc/openvpn/ccd/'
	option max_clients '5'
	option client_to_client '1'
	#Encryption
	option ca '/etc/ssl/certs/vpn.cavebeat.lan.ca-chain.cert.pem'
	option cert '/etc/ssl/certs/ptree.vpn.cavebeat.lan.cert.pem'
	option key '/etc/ssl/private/ptree.vpn.cavebeat.lan.key.pem'
	option dh '/etc/ssl/dh4096.pem'
	option tls_crypt '/etc/ssl/tls-auth.key'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option tls_server '1'
	option tls_version_min '1.2'
	option tls_cipher '
	option reneg_sec '1800'
	option remote_cert_tls 'client'
	#Logging
	option log_append '/var/log/openvpn/openvpn.log'
	option status '/var/log/openvpn-status.log'
	option mute '5'
	option verb '4'
	#Connection
	option keepalive '10 60'
	option compress 'lzo'
	option script_security '1'
	#Connection Reliability
	option persist_key '1'
	option persist_tun '1'
	#Permissions
	option user 'nobody'
	option group 'nogroup'

Deprecated OpenVPN Settings
The parameter's default value should require verification of the client certificate presented to the server. I have placed a pull request with a change for OpenWRT to add this setting.
Description of used Settings and Parameters
option enabled '1'

option dev_type 'tun'
--dev-type device-type
Which device type are we using? device-type should be tun (OSI Layer 3) or tap (OSI Layer 2). Use this option only if the TUN/TAP device used with --dev does not begin with tun or tap.

option dev 'tun1'
--dev tunX | tapX | null
tun devices encapsulate IPv4 or IPv6 (OSI Layer 3) while tap devices encapsulate Ethernet 802.3 (OSI Layer 2).

option topology 'subnet'
--topology mode
Configure virtual addressing topology when running in --dev tun mode. subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Note: Using --topology subnet changes the interpretation of the arguments of --ifconfig to mean "address netmask", no longer "local remote".

option server '172.16.10.0 255.255.255.248'
--server network netmask ['nopool']
A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.

option ifconfig '172.16.10.1 255.255.255.248'
--ifconfig l rn
Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TAP devices, or TUN devices used with --topology subnet, rn is the subnet mask of the virtual network segment which is being created or connected to. For TAP devices, which provide the ability to create virtual ethernet segments, or TUN devices in --topology subnet mode (which create virtual "multipoint networks"), --ifconfig is used to set an IP address and subnet mask just as a physical ethernet adapter would be similarly configured.

list push 'route 192.168.100.0 255.255.255.0'
--push option
Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes ("").

option client_config_dir '/etc/openvpn/ccd/'
--client-config-dir dir
Specify a directory dir for custom client config files. After a connecting client has been authenticated, OpenVPN will look in this directory for a file having the same name as the client's X509 common name. If a matching file exists, it will be opened and parsed for client-specific configuration options. If no matching file is found, OpenVPN will instead try to open and parse a default file called "DEFAULT", which may be provided but is not required. Note that the configuration files must be readable by the OpenVPN process after it has dropped its root privileges.

option ccd_exclusive '1'
--ccd-exclusive
Require, as a condition of authentication, that a connecting client has a --client-config-dir file.

option max_clients '5'
--max-clients n
Limit server to a maximum of n concurrent clients.

option client_to_client '0'
--client-to-client
Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.
option ca '/etc/ssl/certs/vpn.cavebeat.lan.ca-chain.cert.pem'
--ca file
Certificate authority (CA) file in .pem format, also referred to as the root certificate.

option cert '/etc/ssl/certs/ptree.vpn.cavebeat.lan.cert.pem'
--cert file
Local peer's signed certificate in .pem format -- must be signed by a certificate authority whose certificate is in --ca file. Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file. In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the --ca certificate authority file.

option key '/etc/ssl/private/ptree.vpn.cavebeat.lan.key.pem'
--key file
Local peer's private key in .pem format.

option dh '/etc/ssl/dh4096.pem'
--dh file
File containing Diffie Hellman parameters in .pem format (required for --tls-server only).

option tls_crypt '/etc/ssl/tls-auth.key'
--tls-auth file [direction]
Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response. file (required) is a file in OpenVPN static key format which can be generated by --genkey. Use --tls-crypt instead if you want to use the key file to not only authenticate, but also encrypt the TLS control channel.
--tls-crypt keyfile
Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.) Encrypting (and authenticating) control channel packets:
- provides more privacy by hiding the certificate used for the TLS connection,
- makes it harder to identify OpenVPN traffic as such,
- provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
In contrast to --tls-auth, --tls-crypt does *not* require the user to set --key-direction.

option cipher 'AES-256-CBC'
--cipher alg
Encrypt data channel packets with cipher algorithm alg.

option auth 'SHA512'
--auth alg
Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.

option tls_server '1'
--tls-server
Enable TLS and assume server role during TLS handshake.

option tls_version_min '1.2'
--tls-version-min version ['or-highest']
Sets the minimum TLS version we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or "1.2".
https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-version-min
Since OpenVPN 2.3.3, the --tls-version-min option is available to enforce a minimum TLS version. Hardened setups should set --tls-version-min to 1.2 if possible. But be aware that setting tls-version-min to 1.2 will make it impossible to connect for pre-2.3.3 clients.

option tls_cipher '
--tls-cipher l
A list l of allowable TLS ciphers delimited by a colon (":"). This setting can be used to ensure that certain cipher suites are used (or not used) for the TLS connection. You should use a DHE cipher-suite as well for forward secrecy.
https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher
To use ECDH(E) or ECDSA cipher-suites, both client and server must be OpenVPN 2.4.0 or newer.

option reneg_sec '3600'
--reneg-sec n
Renegotiate data channel key after n seconds (default=3600).

option remote_cert_tls 'client'
--remote-cert-tls client|server
Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. On the server side the value is client, so that only certificates issued with the client key usage are accepted.
option log_append '/var/log/openvpn/openvpn.log'
--log-append file
Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like --log except that it appends to rather than truncating the log file.
--log file
Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be truncated.

option status '/var/log/openvpn-status.log'
--status file [n]
Write operational status to file every n seconds.

option mute '4'
--mute n
Log at most n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types.

option verb '4'
--verb n
Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output.
- 0 -- No output except fatal errors.
- 1 to 4 -- Normal usage range.

option keepalive '10 60'
--keepalive interval timeout
A helper directive designed to simplify the expression of --ping and --ping-restart. This option can be used on both client and server side, but it is enough to add this on the server side as it will push appropriate --ping and --ping-restart options to the client.
--ping n
Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds.
--ping-restart n
Restart after n seconds pass without reception of a ping or other packet from remote. In server mode, --ping-restart, --inactive, or any other type of internally generated signal will always be applied to individual client instance objects, never to the whole server itself. Note also in server mode that any internally generated signal which would normally cause a restart will cause the deletion of the client instance object instead.

option compress 'lzo'
--compress [algorithm]
Enable a compression algorithm. The algorithm parameter may be "lzo", "lz4", or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before v2.4, use "lzo" (which is identical to the older option "--comp-lzo yes").

option script_security '1'
--script-security level
This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:
- 0 -- Strictly no calling of external programs.
- 1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
- 2 -- Allow calling of built-in executables and user-defined scripts.
- 3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

option persist_key '1'
--persist-key
Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot be restarted since it will now be unable to re-read protected key files.

option persist_tun '1'
--persist-tun
Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

option user 'nobody'
--user user
Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process.

option group 'nogroup'
--group group
Similar to the --user option, this option changes the group ID of the OpenVPN process to group after initialization.
WooCommerce version < 3.2.4
WordPress version >= 4.8.3
Impact – What can an attacker do
The vulnerability discussed in the following can only be exploited by an attacker who already has some elevated privileges. The ability to edit/add products in WooCommerce is required, but not a full administrator account, which would allow code execution anyway.
Evocative Announces Acquisition of Cyberverse, Inc. and expansion into the Los Angeles, Phoenix and Dallas Data Center Markets
FOR IMMEDIATE RELEASE
Evocative is expanding its footprint and bringing its highly secure edge colocation and hybrid IT solutions to the Phoenix and Dallas Markets.
San Jose, CA, February 20, 2018 – Evocative, LLC, a leading provider of secure compliant Internet infrastructure services, today announced that it has acquired Cyberverse, Inc., one of the pioneering companies in Internet services. Cyberverse was founded in 1994 by Greg Domeno and Jay Smith and over the past two and a half decades has earned the reputation of being one of the most trusted Internet infrastructure services companies. Jay Smith and the entire Cyberverse team will continue with the company. This acquisition provides Evocative additional capacity in downtown Los Angeles and expands its footprint to the Phoenix and Dallas markets. The newly acquired Tier III carrier neutral data center is located at 600 West 7th Street Los Angeles, CA in the heart of downtown and is owned and operated by Digital Realty Trust. Through the acquisition, the company now has a major presence with Aligned Data Centers in Phoenix, Arizona and Plano, Texas. The newly acquired data centers will be connected to the other 4 Evocative data centers. This is Evocative’s 4th acquisition during the last 12 months, expanding its reach as a national data center operator.
The newly added edge data and compute center adds an additional 30,000 Square Feet and 2.0 MW of capacity with expansion available to 100,000 Square Feet and 10 MW of capacity across its existing national footprint. This addition brings the company’s total capacity to over 170,000 Square Feet and 8.7 MW of IT load. All locations will be connected via multiple 40+ Gbps transport services and will create a nationwide IP backbone enabling the company to roll out active-active disaster recovery, managed distributed private cloud and complex hosting, distributed storage as well as provide direct connection to the 4 major public cloud platforms. Evocative is the trusted guardian of Internet infrastructure to over 570 clients with a roster of Fortune 500, international and some of the best known Internet brands. Evocative is well positioned to handle flexible lab and high-density computing requirements alongside mission critical compliant colocation services. All of the company’s data centers are carrier neutral with direct access to at least 15+ native carriers and dark and lit services to major interconnection hubs. Evocative’s facilities are HIPAA, PCIDSS, SSAE16, SSAE-18, SOC 2 and ISAE3402 certified, meeting rigorous security and compliance requirements. In addition, they have consistently achieved 100% uptime availability over the past 10 years.
Enterprises, large and small businesses and startups can benefit from Evocative’s comprehensive suite of fully customizable pay per use colocation services; managed services; public cloud interconnection, private and hybrid cloud solutions; complex hosting; network and security services. Evocative can provide visibility in terms of large scale power usage down to virtual machine resource allocation. A true pay-per-use Internet services company.
“Our primary goal as a trusted pay-per-use Internet services company is to listen to our clients and provide them the most effective solutions at fair prices. We’ve known the Cyberverse team for years and shared the same passion for providing quality services and superior customer experience. We’d like to take this opportunity to welcome our new clients, employees and partners to the Evocative family,” said Arman Khalili, Evocative’s CEO. “This acquisition is in line with our expansion plans and our acquisitions earlier this year. We look forward to continuing to grow the company both organically and through additional acquisitions.”
“I am thrilled with this acquisition and our new mission moving forward with the rest of the Evocative team,” said Jay Smith, Cyberverse’s Vice President. “We share the same views on providing top notch, high availability colocation and hosting services, while still maintaining the personalized customer service and support that our clients have come to know over the last 25 years.”
Evocative is a North American company and an owner and operator of secure, compliant, highly available data and compute centers. We are the trusted guardians of our clients’ Internet infrastructure. To tour an Evocative data center or receive additional information on data center services, please visit http://www.evocative.com.
Since 1994, Cyberverse has been a pioneer in providing quality Internet services in the greater Los Angeles community. Cyberverse is Los Angeles’s most trusted provider, located at 600 W 7th Street – one of the highest-rated carrier hotels with unrivaled reliability. The company specializes in colocation, managed services and network with emphases on top-tier product quality and personalized service for its clients.
Sadly Matrix/Synapse still lacks an AdminUI (issue #2032), but users still tend to forget their passwords.
Log on to your Matrix server and download the hash_password script. Make it executable and run it to create a new hash for a password.
root@matrix:~# ./hash_password -p trustno1
$2b$12$TDvI.fxdmTDA64jO657mm.SFzoq6Xs4Fvf2XWQl7G8otiPrcr6s5m
Go to your location where your sqlite Database is located, stop the synapse server and make a backup first.
root@matrix:~# cd /var/lib/matrix-synapse
root@matrix:/var/lib/matrix-synapse# service matrix-synapse stop
root@matrix:/var/lib/matrix-synapse# cp homeserver.db homeserver.db.bkp
Log in to your sqlite3 database.
root@matrix:/var/lib/matrix-synapse# sqlite3 homeserver.db
Check the already created users.
sqlite> select * from users;
Set the Hash for the User and exit.
sqlite> UPDATE users SET password_hash='$2b$12$TDvI.fxdmTDA64jO657mm.SFzoq6Xs4Fvf2XWQl7G8otiPrcr6s5m' WHERE name='@foo:matrix.cavebeat.org';
sqlite> .exit
root@matrix:/var/lib/matrix-synapse# service matrix-synapse restart
That’s it, it should be working fine.
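The same reset done from a script rather than the sqlite prompt, with the checks one wants before touching the live database: the value must look like a bcrypt hash from hash_password (so a plaintext password can never be written into the column), the database is copied aside first, and the lookup and UPDATE run in one transaction. This is an added example, not Synapse's own tooling; the `users(name, password_hash)` columns are the ones the sqlite session above uses, and `demo()` builds a throwaway database with only those two columns.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# hash_password emits bcrypt in modular crypt format: $2b$<cost>$<22 salt + 31 digest chars>.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# The hash generated above for 'trustno1'; it depends on the server's pepper,
# so here it is only sample input.
DEMO_HASH = "$2b$12$TDvI.fxdmTDA64jO657mm.SFzoq6Xs4Fvf2XWQl7G8otiPrcr6s5m"
DEMO_USER = "@foo:matrix.cavebeat.org"


def set_password_hash(db_path, user_id, password_hash, backup=True):
    """Replace one user's password_hash in Synapse's sqlite homeserver.db.

    Refuses anything that is not a bcrypt string, copies the database to
    <db_path>.bkp first, and does the existence check plus UPDATE inside a
    single transaction.  Returns the number of rows changed (always 1).
    """
    if not BCRYPT_RE.match(password_hash):
        raise ValueError("not a bcrypt hash; generate it with hash_password")
    if backup:
        shutil.copy2(db_path, db_path + ".bkp")
    con = sqlite3.connect(db_path)
    try:
        with con:   # commits on success, rolls back if anything below raises
            if con.execute("SELECT 1 FROM users WHERE name = ?", (user_id,)).fetchone() is None:
                raise LookupError(f"no such user: {user_id}")
            cur = con.execute("UPDATE users SET password_hash = ? WHERE name = ?",
                              (password_hash, user_id))
            if cur.rowcount != 1:
                raise RuntimeError(f"expected 1 row, changed {cur.rowcount}")
            return cur.rowcount
    finally:
        con.close()


def demo():
    """Run the reset against a constructed throwaway DB with a minimal users table."""
    tmpdir = tempfile.mkdtemp()
    db = os.path.join(tmpdir, "homeserver.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, "$2b$12$" + "x" * 53))
    con.commit()
    con.close()
    result = {"changed": set_password_hash(db, DEMO_USER, DEMO_HASH)}
    result["backup_written"] = os.path.exists(db + ".bkp")
    con = sqlite3.connect(db)
    result["hash"] = con.execute("SELECT password_hash FROM users WHERE name = ?",
                                 (DEMO_USER,)).fetchone()[0]
    con.close()
    try:   # an unknown user must not silently change zero rows
        set_password_hash(db, "@nobody:matrix.cavebeat.org", DEMO_HASH, backup=False)
        result["unknown_user_rejected"] = False
    except LookupError:
        result["unknown_user_rejected"] = True
    try:   # a plaintext password must never reach the column
        set_password_hash(db, DEMO_USER, "trustno1", backup=False)
        result["plaintext_rejected"] = False
    except ValueError:
        result["plaintext_rejected"] = True
    shutil.rmtree(tmpdir)
    return result


if __name__ == "__main__":
    print(demo())
```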
Media Alert – Evocative President and COO Derek Garnier to Speak at Seventh Annual Northern California Data Center Summit
Garnier and other panel members will discuss how blockchain and digital currencies are affecting the modern data center.
WHO: Evocative President and COO Derek Garnier will speak at the Seventh Annual Northern California Data Center Summit.
Derek Garnier is the President & COO of Evocative and brings with him 29 years of provider experience in data center, network, and compute. Prior to joining Evocative, he served as CEO of Layer42 Networks, which was acquired by Wave Broadband in 2015, with Garnier assuming the position of SVP Data Center Services for Wave.
He has held both management and engineering roles at many top internet infrastructure providers including QTS Datacenters, United Layer, AboveNet Communications, SiteSmith, Global Crossing, Global Center, MFS Datanet, and Cabletron Systems. Garnier frequently moderates industry panels, speaks at both industry events and on radio, and provides consult for investors and companies during M&A processes.
WHAT: Blockchain & Data Centers: The Effect of Cryptocurrency on the Industry.
Garnier and other panel members will examine how blockchain technology and digital currencies are transforming data center architecture, design and development, and cloud platforms. The panel will discuss whether the requirements of cryptocurrency producers will fundamentally change the role of the traditional data center and whether the technology behind cryptocurrency will shift the demand requirements for other business verticals.
WHERE: St. Francis Yacht Club – 99 Yacht Rd., San Francisco, CA
WHEN: February 20, 2018 from 8:00am – 4:00pm
For more information on Evocative’s suite of data center services or to take a tour of one of the company’s data centers, please visit http://www.evocative.com.
Evocative is a North American company and an owner and operator of secure, compliant, highly available data centers. We are the trusted guardians of our clients’ Internet infrastructure. For additional information, please visit http://www.evocative.com.
There exists a seemingly endless number of VPN providers of varying quality, feature sets and trustworthiness. They are not perfect and cannot be considered an anonymizer for everything, but they increase privacy at least for specific use cases:
- untrusted hostile network environment
- public WiFi
- P2P Torrent Traffic
- ISP Data Retention
- Censorship Circumvention
You should know when it’s time to use a VPN and when not. Depending on your threat-model this can secure your traffic.
In my case the service provider premiumize.me has also added a VPN service, though I usually use them for other services. But if it is in the basket, why not use it.
Other providers are, for example, in no particular order:
- and many more…
There exists a nice overview why you should not use or rely on a VPN service for anonymization. https://gist.github.com/joepie91/5a9909939e6ce7d09e29#dont-use-vpn-services
In this tutorial I’ll show how to run an OpenVPN client on your router with OpenWRT. This makes it possible to have the connection always on and reuse it in your network when you need it.
Install openvpn on OpenWRT
Following packages need to be installed:
opkg update ; opkg install openvpn-openssl luci-app-openvpn openssl-util
The Services/OpenVPN section should become available in the LuCI web interface.
root@openwrt:~# openvpn --version
OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc.
Obtaining VPN Provider Settings
First we need the Settings for our Provider to connect with OpenVPN. Premiumize hands out client settings and their CA.crt file.
Client Settings – .ovpn file
Premiumize.me – Netherlands.ovpn
remote vpn-nl.premiumize.me
verify-x509-name CN=vpn-nl.premiumize.me
auth-user-pass
client
dev tun
proto udp
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
<ca>
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
...
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
</ca>
verb 3
reneg-sec 0
Manually test tunnel with .ovpn file
The easiest way is to use the .ovpn file directly. SCP it to your router and place it under /etc/openvpn/nl.ovpn
root@openwrt:/etc/openvpn# ls
nl.ovpn
The .ovpn file can be tested directly:
root@openwrt:/etc/openvpn# openvpn nl.ovpn
Sat Feb 17 21:10:36 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 17 21:10:36 2018 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Enter Auth Username:
Enter Auth Password:
...
...
...
Sat Feb 10 19:25:15 2018 Initialization Sequence Completed
When “Initialization Sequence Completed” is printed to the screen, the device /dev/tun0 should be available and the tunnel up. Test it with ifconfig, ping and traceroute.
root@openwrt:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.29  P-t-P:10.8.0.29  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:48 (48.0 B)  TX bytes:0 (0.0 B)

root@openwrt:~# ping -I tun0 blog.cavebeat.org
PING blog.cavebeat.org (188.8.131.52): 56 data bytes
64 bytes from 184.108.40.206: seq=0 ttl=58 time=59.759 ms
64 bytes from 220.127.116.11: seq=1 ttl=58 time=59.055 ms
64 bytes from 18.104.22.168: seq=2 ttl=58 time=59.755 ms
64 bytes from 22.214.171.124: seq=3 ttl=58 time=59.384 ms
^C
--- blog.cavebeat.org ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 59.055/59.488/59.759 ms
OpenWRT Settings with .ovpn
One can use the .ovpn file directly in the OpenWRT settings as an additional section in /etc/config/openvpn.
config openvpn 'nl_vpn'
	option enabled '1'
	option config "/etc/openvpn/nl.ovpn"
OpenWRT Settings with UCI/LUCI
Options from the .ovpn file are similar to the VPN settings in OpenWRT, though the naming conventions are not exactly the same.
| .ovpn directive | /etc/config/openvpn option |
| --- | --- |
| remote vpn-nl.premiumize.me | list remote 'vpn-nl.premiumize.me 1194' |
| verify-x509-name CN=vpn-nl.premiumize.me | option verify_x509_name 'vpn-nl.premiumize.me name' |
| auth-user-pass | option auth_user_pass '/etc/openvpn/prem_userpass.txt' |
| client | option client '1' |
| dev tun | option dev 'tun0' |
| proto udp | option proto 'udp' |
| cipher AES-256-CBC | option cipher 'aes-256-cbc' |
| resolv-retry infinite | option resolv_retry 'infinite' |
| nobind | option nobind '1' |
| persist-key | option persist_key '1' |
| persist-tun | option persist_tun '1' |
| mute-replay-warnings | option mute_replay_warnings '1' |
| verb 3 | option verb '3' |
| reneg-sec 0 | option reneg_sec '0' |
| ca | option ca '/etc/openvpn/nl_prem_ca.crt' |
| | option auth 'sha1' |
| | option enabled '1' |
OpenVPN Setting in /etc/config/openvpn
root@openwrt:~# cat /etc/config/openvpn
config openvpn 'nl_prem'
	option verify_x509_name 'vpn-nl.premiumize.me name'
	list remote 'vpn-nl.premiumize.me 1194'
	option auth_user_pass '/etc/openvpn/prem_userpass.txt'
	option client '1'
	option dev 'tun0'
	option proto 'udp'
	option auth 'sha256'
	option cipher 'aes-256-cbc'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/nl_prem_ca.crt'
	option verb '3'
	option reneg_sec '0'
	option route_nopull '1'
	option mute_replay_warnings '1'
	option enabled '1'
It’s possible to add the settings in LuCI as well, but it’s easier to skip that and append the settings manually via the command line at the end of the file /etc/config/openvpn.
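Since the .ovpn-to-UCI mapping above is mechanical (hyphens become underscores, bare flags become '1', `remote` becomes a `list remote 'host port'` entry, and the inline `<ca>` block has to move into a file), here is an added converter that applies exactly those rules; it is my own helper, not an OpenWRT or OpenVPN tool. It takes the paths for the credentials file and the CA file as parameters (the ones from this post are used in the sample run), adds `route_nopull` the way the post recommends, and the `/etc/openvpn/<section>_<tag>.pem` naming for other inline blocks such as `<cert>` is an assumed convention of mine.

```python
import re
import shlex

# A constructed client profile with the directives from the Netherlands.ovpn shown
# above; the certificate body is a placeholder, not a real CA.
SAMPLE_OVPN = """\
remote vpn-nl.premiumize.me
verify-x509-name CN=vpn-nl.premiumize.me
auth-user-pass
client
dev tun
proto udp
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERPLACEHOLDERPLACEHOLDER (constructed, not a real certificate)
-----END CERTIFICATE-----
</ca>
verb 3
reneg-sec 0
"""


def parse_ovpn(text):
    """Return (directive, args, inline_body) triples from an .ovpn profile.

    Inline blocks like <ca>...</ca> are returned with their body as a string;
    one-line directives have inline_body None.  Comments and blanks are skipped.
    """
    entries, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:                      # collecting an inline block
            if line == f"</{inline[0]}>":
                entries.append((inline[0], [], "\n".join(inline[1]) + "\n"))
                inline = None
            else:
                inline[1].append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        match = re.fullmatch(r"<([a-z-]+)>", line)
        if match:
            inline = (match.group(1), [])
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:], None))
    if inline is not None:
        raise ValueError(f"unterminated <{inline[0]}> block")
    return entries


def ovpn_to_uci(text, section, auth_file, ca_file, route_nopull=True):
    """Render an .ovpn client profile as a section for /etc/config/openvpn.

    Returns (uci_text, files); files maps a path to the inline block body that
    must be written there, since UCI options can only point at files.
    """
    lines = [f"config openvpn '{section}'", "\toption enabled '1'"]
    files = {}

    def opt(name, value):
        if "'" in value:
            raise ValueError(f"{name}: UCI values here must not contain single quotes")
        lines.append(f"\toption {name.replace('-', '_')} '{value}'")

    for directive, args, body in parse_ovpn(text):
        if body is not None:                        # <ca>, <cert>, <key>, <tls-auth>
            path = ca_file if directive == "ca" else f"/etc/openvpn/{section}_{directive}.pem"
            files[path] = body
            opt(directive, path)
        elif directive == "remote":                 # OpenWRT wants 'host port' list entries
            port = args[1] if len(args) > 1 else "1194"
            lines.append(f"\tlist remote '{args[0]} {port}'")
        elif directive == "verify-x509-name" and args and args[0].startswith("CN="):
            opt(directive, args[0][3:] + " name")   # the post's rewrite of the CN= form
        elif directive == "auth-user-pass":
            opt(directive, args[0] if args else auth_file)
        elif not args:                              # bare flag: client, nobind, ...
            opt(directive, "1")
        else:
            opt(directive, " ".join(args))
    if route_nopull:                                # keep routing under our own control
        opt("route-nopull", "1")
    return "\n".join(lines) + "\n", files


if __name__ == "__main__":
    cfg, files = ovpn_to_uci(SAMPLE_OVPN, "nl_prem",
                             "/etc/openvpn/prem_userpass.txt", "/etc/openvpn/nl_prem_ca.crt")
    print(cfg)
    for path, body in files.items():
        print(f"# write to {path}:\n{body}")
```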
User Pass File
The setting auth_user_pass tells OpenVPN to read the Customer ID and PIN for authentication from a file.
I have created a file in /etc/openvpn and added in line 1 my Customer ID and in line 2 my Premiumize PIN.
root@openwrt:~# cat /etc/config/openvpn | grep auth_user_pass
	option auth_user_pass '/etc/openvpn/prem_userpass.txt'
root@openwrt:~# cat /etc/openvpn/prem_userpass.txt
1234567890
trustno1
CA – Certificate Authority
I have placed the ca part from the nl.ovpn file under /etc/openvpn.
root@openwrt:/etc/openvpn# cat nl_prem_ca.crt
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
...
...
...
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
If you are running OpenVPN as a client, and the server you use is using push “redirect-gateway” then your client redirects all internet traffic over the VPN. Sometimes clients do not want this, but they can not change the server’s configuration. In our case, we just want the OpenVPN Tunnel Available as an additional WAN Interface and not push just everything into it always.
I myself prefer to set the client option "option route_nopull '1'" and take care of and control the routing myself.
| .ovpn directive | /etc/config/openvpn option |
| --- | --- |
| route-nopull | option route_nopull '1' |
--route-nopull When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.
from the OpenVPN Manpage about route-nopull
Settings in LUCI
It should also be available in LuCI.
Create VPN Interface
In the section Network/Interfaces, create a new interface with protocol Unmanaged.
root@openwrt:~# cat /etc/config/network
config interface 'nl_vpn'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'
Bring Up on Boot / Auto
Connected Interface name: tun0
Firewall Zone Settings
root@openwrt:~# cat /etc/config/firewall
config zone
	option name 'vpn'
	option output 'ACCEPT'
	option network 'nl_vpn'
	option masq '1'
	option input 'REJECT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option dest 'vpn'
	option src 'lan'
VPN-WAN Interface Checks
Check that your interface is up and listed in ifconfig.
root@openwrt:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.33  P-t-P:10.8.0.33  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:64 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:5158 (5.0 KiB)  TX bytes:912 (912.0 B)
Compare a traceroute over your tunnel interface with one over your WAN interface.
root@openwrt:~# traceroute -i tun0 126.96.36.199
traceroute to 188.8.131.52 (184.108.40.206), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  41.615 ms  43.000 ms  42.597 ms
 2  po-24.ce38.ams-01.nl.leaseweb.net (220.127.116.11)  42.245 ms  41.426 ms  42.694 ms
 3  te-0-5-0-10.br02.ams-01.nl.leaseweb.net (18.104.22.168)  42.514 ms  xe-2-0-0.br01.ams-01.nl.leaseweb.net (22.214.171.124)  41.695 ms  xe-2-1-3.br01.ams-01.nl.leaseweb.net (126.96.36.199)  41.572 ms
 4  te-0-4-0-7.bb03.ams-01.leaseweb.net (188.8.131.52)  43.000 ms  te-0-0-0-7.bb03.ams-01.leaseweb.net (184.108.40.206)  42.761 ms  te-0-4-0-6.bb03.ams-01.leaseweb.net (220.127.116.11)  42.602 ms
 5  unused.nl-ix.net (18.104.22.168)  43.564 ms  44.046 ms  google.telecity-2-equinix-am7.nl-ix.net (22.214.171.124)  42.834 ms
 6  * *  126.96.36.199 (188.8.131.52)  44.326 ms
 7  184.108.40.206 (220.127.116.11)  44.441 ms  18.104.22.168 (22.214.171.124)  43.350 ms  126.96.36.199 (188.8.131.52)  44.816 ms
 8  google-public-dns-a.google.com (184.108.40.206)  43.820 ms  44.058 ms  44.582 ms
vs. traceroute with your WAN Interface
root@openwrt:~# traceroute -i eth0.2 220.127.116.11
traceroute to 18.104.22.168 (22.214.171.124), 30 hops max, 38 byte packets
 1  10.198.64.1 (10.198.64.1)  6.240 ms  6.092 ms  5.463 ms
 2  ME36X-Manzb-01.kabsi.at (126.96.36.199)  6.701 ms  6.127 ms  7.363 ms
 3  188.8.131.52 (184.108.40.206)  8.222 ms  8.433 ms  9.342 ms
 4  te0103-asr9k-upst-inx-01.net.kabelplus.at (220.127.116.11)  18.626 ms  te0011-asr9k-upst-inx-01.net.kabelplus.at (18.104.22.168)  11.888 ms  9.353 ms
 5  google.peering.cz (22.214.171.124)  15.892 ms  16.902 ms  16.608 ms
 6  126.96.36.199 (188.8.131.52)  17.024 ms  184.108.40.206 (220.127.116.11)  15.660 ms  15.917 ms
 7  18.104.22.168 (22.214.171.124)  18.292 ms  126.96.36.199 (188.8.131.52)  16.173 ms  184.108.40.206 (220.127.116.11)  18.121 ms
 8  google-public-dns-a.google.com (18.104.22.168)  15.487 ms  15.610 ms  15.236 ms
A route should have been added for your tun interface:
root@openwrt:~# route | grep tun0
10.8.0.0        *               255.255.0.0     U     0      0        0 tun0
Search for a line with "Initialization Sequence Completed" in your syslog:
root@openwrt:/etc/config# logread | grep openvpn | grep Seq
Sun Feb 18 17:04:21 2018 daemon.notice openvpn(nl_prem): Initialization Sequence Completed
This new VPN-WAN interface is now available for guest LAN/WLANs, split-tunnel or multi-WAN setups.
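As an added example (not from the original post), the interface checks above and the route_nopull point can be scripted: the functions below read route -n and logread output and report whether the tunnel came up without taking over the default route, and whether the credentials file is private. The sample outputs are constructed; the --live switch runs the same checks against the real commands on the router.

```shell
#!/bin/sh
# Added example, not part of the original post: post-connect checks for the
# OpenVPN "VPN-WAN" setup. Functions take captured command output as text so
# they can be run on OpenWrt (--live) or exercised offline with sample data.

# Print the interface carrying the default route in `route -n` output.
# With route_nopull set, this must stay the real WAN (eth0.2), never tun0.
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" || $1 == "default" { print $NF; exit }'
}

# Succeed if any route in the table leaves via interface $2 (e.g. tun0).
route_on_dev() {
    printf '%s\n' "$1" | awk -v dev="$2" '$NF == dev { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Succeed if logread shows that OpenVPN instance $2 completed its handshake.
openvpn_initialized() {
    printf '%s\n' "$1" | grep -q "openvpn($2): Initialization Sequence Completed"
}

# Succeed if the credentials file exists and group/other have no permissions.
# Parses the mode string of `ls -ld` (columns 5-10 are the group/other bits).
userpass_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data, shaped like `route -n` and `logread` after connect.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.198.64.1     0.0.0.0         UG    0      0        0 eth0.2
10.8.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
10.198.64.0     0.0.0.0         255.255.192.0   U     0      0        0 eth0.2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan'

SAMPLE_LOG='Sun Feb 18 17:04:20 2018 daemon.notice openvpn(nl_prem): TLS: soft reset
Sun Feb 18 17:04:21 2018 daemon.notice openvpn(nl_prem): Initialization Sequence Completed'

# Run the checks on route text $1, log text $2 and instance name $3.
# Prints one line per check; returns 1 if any check failed.
vpn_wan_checks() {
    rc=0
    dev=$(default_route_dev "$1")
    if [ "$dev" = "tun0" ]; then
        echo "FAIL default route went into tun0 (route_nopull missing?)"; rc=1
    else
        echo "ok   default route stays on ${dev:-<none>}"
    fi
    route_on_dev "$1" tun0 && echo "ok   tun0 has a route" || { echo "FAIL no route via tun0"; rc=1; }
    openvpn_initialized "$2" "$3" && echo "ok   $3 initialized" || { echo "FAIL $3 not initialized"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    vpn_wan_checks "$(route -n)" "$(logread)" nl_prem
    userpass_private /etc/openvpn/prem_userpass.txt && echo "ok   userpass file is private" || echo "FAIL userpass file readable by others"
else
    vpn_wan_checks "$SAMPLE_ROUTE" "$SAMPLE_LOG" nl_prem
fi
```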
"I knew it's also true that a good way to invent the future is to predict it. So I predicted Utopia, hoping to give Liberty a running start before the laws of Moore and Metcalfe delivered up what Ed Snowden now correctly calls 'turn-key totalitarianism.'"
by Josh Anderson
SAN FRANCISCO, CA — Arman Khalili is the CEO of Evocative and brings with him over 25 years of experience in the Internet infrastructure industry. Prior to joining the company, he served as a Principal at Industry Capital, a real-asset-based private equity firm in San Francisco. Arman was the founder and CEO of CentralColo. Prior to that he was the CEO of Black Lotus, a leader in DDoS mitigation, which was acquired by Level 3. He was the founder/CEO of UnitedLayer, the largest privately held colocation provider in San Francisco, the founder of Sirius, one of the first ISPs in Silicon Valley, and co-founder and CTO of MusicBank, the first music subscription company. In anticipation of CapRE's Northern California Data Center Summit on February 20, we chatted with Arman about the Northern California data center arena.
The post Evocative’s Arman Khalili Talks Northern California Data Center Market appeared first on Evocative Data Centers.
I tend to push things too far and lock myself out of my hardware from time to time.
This time I set some wrong interface settings on my new access point running LEDE/OpenWRT. Sadly there is no working failsafe mode available to repair the network settings.
But that's not a problem: the board is provided with a serial port.
First it's necessary to remove the front plate, which is held by 5 tabs.
This port has the pinout +3.3V – RxD – TxD – GND. I have soldered pins onto it to make it easily accessible.
root@laptop:/home/cave# dmesg | tail
[19840.798867] usbcore: registered new interface driver usbserial
[19840.798904] usbcore: registered new interface driver usbserial_generic
[19840.798932] usbserial: USB Serial support registered for generic
[19840.800388] usbcore: registered new interface driver cp210x
[19840.800404] usbserial: USB Serial support registered for cp210x
[19840.800447] cp210x 2-2:1.0: cp210x converter detected
[19840.912702] usb 2-2: reset full-speed USB device number 2 using xhci_hcd
[19841.050680] xhci_hcd 0000:03:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff88009ea91388
[19841.050690] xhci_hcd 0000:03:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff88009ea91340
[19841.053055] usb 2-2: cp210x converter now attached to ttyUSB0
On Linux, minicom is the terminal emulation program to use. Settings are 115200 baud, 8N1, no flow control.
The boot log from LEDE looks as follows:
U-Boot unifi-v22.214.171.124-g1aad87ce (Jun 30 2015 - 21:30:38)
DRAM: sri
ath_ddr_initial_config(278): (ddr2 init) ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 231k for U-Boot at: 87fc4000
Reserving 192k for malloc() at: 87f94000
Reserving 44 Bytes for Board Info at: 87f93fd4
Reserving 36 Bytes for Global Data at: 87f93fb0
Reserving 128k for boot params() at: 87f73fb0
Stack Pointer at: 87f73f98
Now running in RAM - U-Boot at: 87fc4000
Flash: 16 MB
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
athr_mgmt_init ::done
Dragonfly ----> S17 PHY *
ath_gmac_enet_initialize: is_s17()=0, is_ar8033()=1, phy id1=4d phy_id2=d074
WAN AR8033 PHY init
athrs_ar8033_reg_init: Done
111 Max resets limit reached exiting...
athr_gmac_sgmii_setup SGMII done : cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
eth0 up
eth0
Setting 0x181162c0 to 0x20402100
Board: Copyright Ubiquiti Networks Inc. 2014
Hit any key to stop autoboot: 0
## Starting application at 0x80200020 ...
Board: Ubiquiti Networks AR956X board (e517-33.1150.0030.0040)
0. Name = u-boot, offset = 0, start_addr=9f000000, size=393216,start_sector=0, end_sector=5
1. Name = u-boot-env, offset = 60000, start_addr=9f060000, size=65536,start_sector=6, end_sector=6
2. Name = kernel0, offset = 70000, start_addr=9f070000, size=7929856,start_sector=7, end_sector=127
3. Name = kernel1, offset = 800000, start_addr=9f800000, size=7929856,start_sector=128, end_sector=248
4. Name = bs, offset = f90000, start_addr=9ff90000, size=131072,start_sector=249, end_sector=250
5. Name = cfg, offset = fb0000, start_addr=9ffb0000, size=262144,start_sector=251, end_sector=254
6. Name = EEPROM, offset = ff0000, start_addr=9fff0000, size=65536,start_sector=255, end_sector=255
get_mtd_params: name=bs
ubnt_flash_read: addr=8023b480, sa=9ff90000, sz=131072
ubnt_bootsel_init: bootsel magic=a34de82b, bootsel = 1
UBNT application initialized
## Application terminated, rc = 0x0
## Starting application at 0x80200020 ...
keep cfg partition.
## Application terminated, rc = 0x0
## Starting application at 0x80200020 ...
ubnt_uwrite: Nothing to flash, exiting
## Application terminated, rc = 0x0
## Starting application at 0x80200020 ...
Number of boot partitions = 2
get_mtd_params: name=bs
ubnt_flash_read: addr=8023b480, sa=9ff90000, sz=131072
ubnt_get_bootsel: Boot partition selected = 1
Loading Kernel Image @ 81000000, size = 7929856
Verifying 'kernel1' parition:OK
## Application terminated, rc = 0x0
## Booting image at 9f800000 ...
   Image Name:   MIPS LEDE Linux-4.4.92
   Created:      2017-10-17 17:46:20 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1258164 Bytes = 1.2 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x9f800040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 134217728
Starting kernel ...
[ 0.000000] Linux version 4.4.92 (email@example.com) (gcc version 5.4.0 (LEDE GCC 5.4.0 r3101-bce140e) ) #0 Tue Oct 17 14:59:45 2017
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[ 0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] No valid device tree found, continuing without
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512
[ 0.000000] Kernel command line: board=UBNT-UF-AC-LITE mtdparts=spi0.0:384k(u-boot)ro,64k(u-boot-env)ro,7744k(firmware),7744k(ubnt-airos)ro,128k(bs)ro,256k(cfg)ro,64k(EEPROM)ro console=ttyS0,11d
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 125328K/131072K available (3076K kernel code, 160K rwdata, 412K rodata, 312K init, 205K bss, 5744K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4932285024 ns
[ 0.000006] sched_clock: 32 bits at 387MHz, resolution 2ns, wraps every 5541893118ns
[ 0.008207] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[ 0.071016] pid_max: default: 32768 minimum: 301
[ 0.075981] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.082957] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.092341] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.102742] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.110072] NET: Registered protocol family 16
[ 0.115891] MIPS: machine is Ubiquiti UniFi-AC-LITE
[ 0.339426] registering PCI controller with io_map_base unset
[ 0.345661] Can't analyze schedule() prologue at 800670fc
[ 0.358984] PCI host bridge to bus 0000:00
[ 0.363307] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[ 0.370588] pci_bus 0000:00: root bus resource [io 0x0001]
[ 0.376452] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[ 0.383608] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 0.392012] pci 0000:00:00.0: invalid calibration data
[ 0.397797] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[ 0.405512] pci 0000:00:00.0: BAR 6: assigned [mem 0x12200000-0x1220ffff pref]
[ 0.413156] pci 0000:00:00.0: using irq 40 for pin 1
[ 0.418979] clocksource: Switched to clocksource MIPS
[ 0.425232] NET: Registered protocol family 2
[ 0.430583] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.437935] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.444682] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.451462] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.457625] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.464480] NET: Registered protocol family 1
[ 0.472711] Crashlog allocated RAM at address 0x3f00000
[ 0.490033] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.496181] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.508521] io scheduler noop registered
[ 0.512696] io scheduler deadline registered (default)
[ 0.518282] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 0.527170] console [ttyS0] disabled
[ 0.551022] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a 16550A
[ 0.560121] console [ttyS0] enabled
[ 0.560121] console [ttyS0] enabled
[ 0.567662] bootconsole [early0] disabled
[ 0.567662] bootconsole [early0] disabled
[ 0.580366] m25p80 spi0.0: mx25l12805d (16384 Kbytes)
[ 0.585606] 7 cmdlinepart partitions found on MTD device spi0.0
[ 0.591759] Creating 7 MTD partitions on "spi0.0":
[ 0.596707] 0x000000000000-0x000000060000 : "u-boot"
[ 0.603635] 0x000000060000-0x000000070000 : "u-boot-env"
[ 0.610446] 0x000000070000-0x000000800000 : "firmware"
[ 0.629799] 2 uimage-fw partitions found on MTD device firmware
[ 0.635927] 0x000000070000-0x0000001b0000 : "kernel"
[ 0.642182] 0x0000001b0000-0x000000800000 : "rootfs"
[ 0.648580] mtd: device 4 (rootfs) set to be root filesystem
[ 0.654512] 1 squashfs-split partitions found on MTD device rootfs
[ 0.660909] 0x000000420000-0x000000800000 : "rootfs_data"
[ 0.667848] 0x000000800000-0x000000f90000 : "ubnt-airos"
[ 0.674680] 0x000000f90000-0x000000fb0000 : "bs"
[ 0.680842] 0x000000fb0000-0x000000ff0000 : "cfg"
[ 0.686988] 0x000000ff0000-0x000001000000 : "EEPROM"
[ 0.699934] libphy: ag71xx_mdio: probed
[ 1.370523] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:04 [uid=004dd074, driver=Atheros 8031/8033 ethernet]
[ 1.381861] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:SGMII
[ 1.389623] NET: Registered protocol family 10
[ 1.396970] NET: Registered protocol family 17
[ 1.401669] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 1.414787] 8021q: 802.1Q VLAN Support v1.8
[ 1.425064] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[ 1.434102] Freeing unused kernel memory: 312K
[ 2.242449] init: Console is alive
[ 2.246134] init: - watchdog -
[ 3.083296] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 3.104439] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 3.113279] init: - preinit -
[ 3.913129] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 3.935766] random: procd: uninitialized urandom read (4 bytes read, 6 bits of entropy available)
Press the [f] key and hit [enter] to enter failsafe mode
Press the , ,  or  key and hit [enter] to select the debug level
[ 6.521268] eth0: link up (100Mbps/Full duplex)
[ 6.525976] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 7.213159] jffs2: notice: (362) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 7.230901] mount_root: switching to jffs2 overlay
[ 7.243259] urandom-seed: Seeding with /etc/urandom.seed
[ 7.340310] eth0: link down
[ 7.352452] procd: - early -
[ 7.355510] procd: - watchdog -
[ 7.966201] procd: - watchdog -
[ 7.970066] procd: - ubus -
[ 8.067457] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.078176] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.088227] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.097567] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.107182] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.116514] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.125980] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.135784] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.145437] procd: - init -
Please press Enter to activate this console.
[ 8.483520] kmodloader: loading kernel modules from /etc/modules.d/*
[ 8.506009] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 8.519402] Loading modules backported from Linux version wt-2017-01-31-0-ge882dff19e7f
[ 8.527672] Backport generated by backports.git backports-20160324-13-g24da7d3c
[ 8.587506] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
[ 8.593567] ath10k_pci 0000:00:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0
[ 8.813379] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:00:00.0.bin failed with error -2
[ 8.824471] ath10k_pci 0000:00:00.0: Falling back to user helper
[ 9.019462] firmware ath10k!pre-cal-pci-0000:00:00.0.bin: firmware_loading_store: map pages failed
[ 9.220586] ath10k_pci 0000:00:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043222ff sub 0000:0000
[ 9.230152] ath10k_pci 0000:00:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
[ 9.243146] ath10k_pci 0000:00:00.0: firmware ver 10.2.4-1.0-00016 api 5 features no-p2p,raw-mode,mfp crc32 0c5668f8
[ 9.254134] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/board-2.bin failed with error -2
[ 9.264928] ath10k_pci 0000:00:00.0: Falling back to user helper
[ 9.343343] firmware ath10k!QCA988X!hw2.0!board-2.bin: firmware_loading_store: map pages failed
[ 9.364515] ath10k_pci 0000:00:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
[ 10.475587] ath10k_pci 0000:00:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal file max-sta 128 raw 0 hwcrypto 1
[ 10.695182] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 10.707106] nf_conntrack version 0.5.0 (1963 buckets, 7852 max)
[ 10.740206] xt_time: kernel timezone is -0000
[ 10.765475] PPP generic driver version 2.4.2
[ 10.818507] NET: Registered protocol family 24
[ 10.852803] ieee80211 phy1: Atheros AR9561 Rev:0 mem=0xb8100000, irq=47
[ 10.866164] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 11.743364] random: jshn: uninitialized urandom read (4 bytes read, 19 bits of entropy available)
[ 15.375016] device eth0 entered promiscuous mode
[ 15.390029] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 17.281331] eth0: link up (100Mbps/Full duplex)
[ 17.418004] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 17.459082] br-lan: port 1(eth0) entered forwarding state
[ 17.464711] br-lan: port 1(eth0) entered forwarding state
[ 17.499544] device wlan1 entered promiscuous mode
[ 19.458989] br-lan: port 1(eth0) entered forwarding state
[ 19.646999] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 19.660881] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[ 19.689299] device wlan0 entered promiscuous mode
[ 21.179912] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 21.186686] br-lan: port 2(wlan1) entered forwarding state
[ 21.192431] br-lan: port 2(wlan1) entered forwarding state
[ 23.189012] br-lan: port 2(wlan1) entered forwarding state
[ 39.059895] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 39.066638] br-lan: port 3(wlan0) entered forwarding state
[ 39.072394] br-lan: port 3(wlan0) entered forwarding state
[ 41.068994] br-lan: port 3(wlan0) entered forwarding state
[ 44.663058] random: nonblocking pool is initialized


BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                 lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /   Reboot (17.01.4, r3560-79f57e422d)
    \________\/    -----------------------------------------------------------

root@uap-ac-lite:/#
If you have access to the root user, you can reconfigure as much as you want and repair your settings.
If a factory reset is the better option, you can also boot into failsafe mode by pressing [ f ] when prompted for it.
[ 3.935766] random: procd: uninitialized urandom read (4 bytes read, 6 bits of entropy available)
Press the [f] key and hit [enter] to enter failsafe mode
Press the , ,  or  key and hit [enter] to select the debug level
[ 6.521268] eth0: link up (100Mbps/Full duplex)