Month: February 2018

OpenVPN Server Hardening – OpenWRT TUN device


This is a tutorial for a hardened OpenVPN server with all important settings in a paranoid, TLS-based setup. I have read through various other tutorials of varying quality, but most of them lacked important settings or simply set them wrong. So I decided to read through the complete OpenVPN man page to find all the important settings myself.
This tutorial covers OpenVPN v2.4 (with compatibility for v2.3.3 clients). The next OpenVPN post will cover the client settings for different scenarios.

Network Topology

My home router is on the LAN network and I want to access it from other devices on different networks.

Firewall Rule

First we need to make OpenVPN reachable on the WAN port. For this we add a firewall rule to /etc/config/firewall.


config 'rule'
 option 'name' 'openvpn-udp'
 option 'src' 'wan' 
 option 'target' 'ACCEPT'
 option 'proto' 'udp' 
 option 'dest_port' '1194'

Generation of Certificates

Creating your own Certificate Authority with a Root CA, different Intermediate CAs, and server + client certificates will be covered in a future blog post.

For this tutorial we need following Certificate and Key files:

  • RootCA (CA)
  • Intermediate CA (ICA)
  • Server Certificate
  • Server Cert & Key (+ Client Cert & Keys for Testing)
  • CRL File
  • TLS-Auth Key
  • Diffie Hellman parameters


According to the ENISA report "Algorithms, Key Sizes and Parameters", RSA keys of 3072 bits or more are recommended for keys intended to be in use for at least ten years.

I recommend creating 4096 bit RSA keys.

CA-Chain File

The RootCA and the ICA certificates should be bundled into a single CA chain file (ca-chain.pem):

cat RootCa.pem IntermediateCA.pem > ca-chain.pem

TLS-Auth Key

Generate the TLS-Auth key:
openvpn --genkey --secret openvpn/tls-auth.key
This key must be present on the server and on every client and should be kept secret.

DH Parameters

Generating DH parameters takes a substantial amount of time.
openssl dhparam -out dhparam4096.pem 4096
The DH parameter size should exceed your server certificate's key size:
  • Server Certificate 2048 bit => DH 4096 bit
  • Server Certificate 4096 bit => DH 8192 bit

Your server certificate should have a key size of at least 4096 bits.


The VPN will create a subnet. You should choose a Net which will not overlap with any other Subnet you will possibly encounter. Stay away from, or as these nets are often seen to be used for default LAN ranges in home routers.


For this tutorial I assume a /29 net. For example, any CIDR net from the private "Class B" address range in between – can be chosen. Class B has not been used that often, at least it seems to me. Just try to pick a "random" private net which has a rare chance of being used by others.

CIDR Net Notation:  
Subnet Mask: 
CIDR Address Range: - 
Usable Addresses:   6 (1 Server + 5 Clients)
Clients:   -


If the VPN is only planned as a point-to-point connection between two routers or for a single client, a /30 net should be chosen instead. It is still a multi-client net, but with only two endpoints.

CIDR Net Notation:  
Subnet Mask: 
CIDR Address Range: -
Usable Addresses:   2 (1 Server + 1 Client)


OpenWRT OpenVPN Settings

OpenVPN config for a TLS-based and hardened setup in /etc/config/openvpn:
config openvpn 'cyber'
        option enabled '1'
        option dev_type 'tun'
        option dev 'cyber_tun0'
        option topology 'subnet'
        option proto 'udp'
        option port '1194'

        option server ''
        option ifconfig ''
        list push 'route'

#Client Config
        option ccd_exclusive '1'
        option client_config_dir '/etc/openvpn/ccd/'
        option max_clients '5'
        option client_to_client '1' 

        option ca '/etc/ssl/certs/'
        option cert '/etc/ssl/certs/ptree.vpn.cavebeat.lan.cert.pem'
        option key '/etc/ssl/private/ptree.vpn.cavebeat.lan.key.pem'
        option dh '/etc/ssl/dh4096.pem'
        option tls_crypt '/etc/ssl/tls-auth.key'
        option cipher 'AES-256-CBC'
        option ncp_ciphers 'AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC'
        option auth 'SHA512'
        option tls_server '1'
        option tls_version_min '1.2'
        option reneg_sec '1800'
        option reneg_bytes '64000000'
        option remote_cert_tls 'client'
#        option verify_client_cert '1'

        option log_append '/var/log/openvpn/openvpn.log'
        option status '/var/log/openvpn-status.log'
        option mute '5'
        option verb '4'

        option keepalive '10 60'
        option compress 'lzo'
        option script_security '1'

#Connection Reliability
        option persist_key '1'
        option persist_tun '1'

        option user 'nobody'
        option group 'nogroup'

The parameter verify_client_cert / --verify-client-cert is new in OpenVPN 2.4 and replaces the deprecated parameter --client-cert-not-required. For more information on deprecated parameters check Deprecated OpenVPN Settings.

The default value should require the client certificate presented to the server to be verified. I have submitted a pull request with a change for OpenWRT to add this setting.

Description of used Settings and Parameters

option enabled '1'
  OpenWRT-specific: the openvpn init script only starts sections whose enabled option is set to '1'.

option dev_type 'tun'
--dev-type device-type 
  Which device type are we using? device-type should be tun (OSI Layer 3) or tap (OSI Layer 2). 
  Use this option only if the TUN/TAP device used with --dev does not begin with tun or tap. 
option dev 'cyber_tun0'
--dev tunX | tapX | null
  tun devices encapsulate IPv4 or IPv6 (OSI Layer 3) while tap devices encapsulate Ethernet 802.3 (OSI Layer 2). 
option topology 'subnet'
--topology mode 
  Configure virtual addressing topology when running in --dev tun mode. 
  subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. 
  This mode allocates a single IP address per connecting client and works on Windows as well. 
  Note: Using --topology subnet changes the interpretation of the arguments of --ifconfig to mean "address netmask", no longer "local remote". 


option server ''
--server network netmask ['nopool'] 
  A helper directive designed to simplify the configuration of OpenVPN's server mode.  
  This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. 
  The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.
option ifconfig ''
--ifconfig l rn
  Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. 
  For TAP devices, or TUN devices used with --topology subnet, rn is the subnet mask of the virtual network segment which is being created or connected to. 
  For TAP devices, which provide the ability to create virtual ethernet segments, or TUN devices in --topology subnet mode (which create virtual "multipoint networks"), --ifconfig is used to set an IP address and subnet mask just as a physical ethernet adapter would be similarly configured.
list push 'route'
--push option 
  Push a config file option back to the client for remote execution.  
  Note that option must be enclosed in double quotes ("").

Client Config

option client_config_dir '/etc/openvpn/ccd/'
--client-config-dir dir 
  Specify a directory dir for custom client config files.  
  After a connecting client has been authenticated, OpenVPN will look in this directory for a file having the same name as the client's X509 common name.  
  If a matching file exists, it will be opened and parsed for client-specific configuration options. 
  If no matching file is found, OpenVPN will instead try to open and parse a default file called "DEFAULT", which may be provided but is not required. 
  Note that the configuration files must be readable by the OpenVPN process after it has dropped its root privileges. 
option ccd_exclusive '1'
  Require, as a condition of authentication, that a connecting client has a --client-config-dir file. 
option max_clients '5'
--max-clients n 
  Limit server to a maximum of n concurrent clients.
option client_to_client '1'
  Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router.  
  The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface. 


option ca '/etc/ssl/certs/'
--ca file 
  Certificate authority (CA) file in .pem format, also referred to as the root certificate. 
option cert '/etc/ssl/certs/ptree.vpn.cavebeat.lan.cert.pem'
--cert file 
  Local peer's signed certificate in .pem format -- must be signed by a certificate authority whose certificate is in --ca file. 
  Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file.  
  In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the --ca certificate authority file. 
option key '/etc/ssl/private/ptree.vpn.cavebeat.lan.key.pem'
--key file 
  Local peer's private key in .pem format. 
option dh '/etc/ssl/dh4096.pem'
--dh file 
  File containing Diffie Hellman parameters in .pem format (required for --tls-server only). 
option tls_crypt '/etc/ssl/tls-auth.key'
--tls-auth file [direction] 
  Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. 
  In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response. 
  file (required) is a file in OpenVPN static key format which can be generated by --genkey
  Use --tls-crypt instead if you want to use the key file to not only authenticate, but also encrypt the TLS control channel. 
--tls-crypt keyfile
  Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.) 
  Encrypting (and authenticating) control channel packets: 
  + provides more privacy by hiding the certificate used for the TLS connection, 
  + makes it harder to identify OpenVPN traffic as such, 
  + provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy). 
  In contrast to --tls-auth, --tls-crypt does *not* require the user to set --key-direction
option cipher 'AES-256-CBC'
--cipher alg
  Encrypt data channel packets with cipher algorithm alg.  Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC.  
  OpenVPN 2.4 and newer will also support GCM.  
  For 2.4+, we recommend using AES-256-GCM or AES-128-GCM. 
option ncp_ciphers 'AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC'
--ncp-ciphers cipher_list 
  Restrict the allowed ciphers to be negotiated to the ciphers in cipher_list. 
  cipher_list is a colon-separated list of ciphers, and defaults to "AES-256-GCM:AES-128-GCM".
  For servers, the first cipher from cipher_list will be pushed to clients that support cipher negotiation. 
  If both peers support and do not disable NCP, the negotiated cipher will override the cipher specified by --cipher
option auth 'SHA512'
--auth alg 
  Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. 
  If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead.  
  Note that alg still specifies the digest used for tls-auth. 
option tls_server '1'
  Enable TLS and assume server role during TLS handshake. 

option tls_version_min '1.2'
--tls-version-min version ['or-highest'] 
  Sets the minimum TLS version we will accept from the peer (default is "1.0"). 
  Examples for version include "1.0", "1.1", or "1.2".
  Since OpenVPN 2.3.3, the --tls-version-min option is available to enforce a minimum TLS version. 
  Hardened setups should set --tls-version-min to 1.2 if possible.
  But be aware that setting tls-version-min to 1.2 will make it impossible for pre-2.3.3 clients to connect.
--tls-cipher l 
  A list l of allowable TLS ciphers delimited by a colon (":"). 
  This setting can be used to ensure that certain cipher suites are used (or not used) for the TLS connection.
  You should use a DHE cipher-suite as well for forward-secrecy.
  To use ECDH(E) or ECDSA cipher-suites, both client and server must be OpenVPN 2.4.0 or newer.
option reneg_sec '1800'
--reneg-sec n 
  Renegotiate data channel key after n seconds (default=3600). 
option reneg_bytes '64000000'
--reneg-bytes n 
  Renegotiate data channel key after n bytes sent or received.
option remote_cert_tls 'client'
--remote-cert-tls client|server 
  Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules. 
option verify_client_cert '1'
--verify-client-cert none|optional|require 
  Specify whether the client is required to supply a valid certificate. 
  require : this is the default option. A client is required to present a certificate, otherwise VPN access is refused. 
option crl_verify '/etc/ssl/crl.pem'
--crl-verify crl ['dir'] 
  Check peer certificate against the file crl in PEM format. 
  A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. 
  Note: As the crl file (or directory) is read every time a peer connects, if you are dropping root privileges with --user, make sure that this user has sufficient privileges to read the file. 


option log_append '/var/log/openvpn/openvpn.log'
--log-append file 
  Append logging messages to file. If file does not exist, it will be created. 
  This option behaves exactly like --log except that it appends to rather than truncating the log file. 
--log file 
  Output logging messages to file, including output to stdout/stderr which is generated by called scripts. 
  If file already exists it will be truncated. 
option status '/var/log/openvpn-status.log'
--status file [n] 
  Write operational status to file every n seconds. 
option mute '5'
--mute n 
  Log at most n consecutive messages in the same category. 
  This is useful to limit repetitive logging of similar message types. 
option verb '4'
--verb n 
  Set output verbosity to n (default=1).  
  Each level shows all info from the previous levels. 
  Level 3 is recommended if you want a good summary of what's happening without being swamped by output. 
  - 0 -- No output except fatal errors. 
  - 1 to 4 -- Normal usage range. 


option keepalive '10 60'
--keepalive interval timeout
  A helper directive designed to simplify the expression of --ping and --ping-restart.
  This option can be used on both client and server side, but it is enough to add it on the server side, as it will push appropriate --ping and --ping-restart options to the client. 
  --ping n 
    Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds
  --ping-restart n
    Restart after n seconds pass without reception of a ping or other packet from remote. 
    In server mode, --ping-restart, --inactive, or any other type of internally generated signal will always be applied to individual client instance objects, never to the whole server itself. 
    Note also in server mode that any internally generated signal which would normally cause a restart, will cause the deletion of the client instance object instead. 
option compress 'lzo'
--compress [algorithm]
  Enable a compression algorithm. 
  The algorithm parameter may be "lzo", "lz4", or empty.  
  LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. 
  For backwards compatibility with OpenVPN versions before v2.4, use "lzo" (which is identical to the older option "--comp-lzo yes"). 
option script_security '1'
--script-security level
  This directive offers policy-level control over OpenVPN's usage of external programs and scripts. 
  Lower level values are more restrictive, higher values are more permissive. 
  Settings for level:
  0 -- Strictly no calling of external programs.
  1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh. 
  2 -- Allow calling of built-in executables and user-defined scripts. 
  3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

Connection Reliability

option persist_key '1'
  Don't re-read key files across SIGUSR1 or --ping-restart. 
  This option can be combined with --user nobody to allow restarts triggered by the SIGUSR1 signal. 
  Normally if you drop root privileges in OpenVPN, the daemon cannot be restarted since it will now be unable to re-read protected key files. 
option persist_tun '1'
  Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. 


option user 'nobody'
--user user 
  Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. 
option group 'nogroup'
--group group 
  Similar to the --user option, this option changes the group ID of the OpenVPN process to group after initialization. 
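As an added example (not code from the original post), the following POSIX shell script audits one 'config openvpn' section of /etc/config/openvpn against the settings recommended in the config and parameter descriptions above. The sample config, the digest threshold (SHA256 and up) and the wording of the findings are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a 'config openvpn' section of
# OpenWRT's /etc/config/openvpn against the tutorial's hardening settings (TLS >= 1.2,
# tls-crypt/tls-auth, AES data ciphers, SHA-2 HMAC, client cert and CRL checks,
# privilege drop with persist_key/persist_tun). Thresholds are my own assumptions.

GOOD_CIPHERS="AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC"
GOOD_AUTH="SHA256:SHA384:SHA512"     # assumption: anything weaker than SHA256 is flagged

# Print the value of 'option NAME' inside 'config openvpn SECTION' (empty if unset).
# Values with spaces, e.g. option keepalive '10 60', are kept whole.
uci_opt() { # file section name
    awk -v sec="$2" -v key="$3" -v q="'" '
        $1 == "config" && $2 == "openvpn" { insec = ($3 == (q sec q)) }
        insec && $1 == "option" && $2 == key {
            v = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)   # drop "option NAME "
            sub(/[ \t]+$/, "", v)
            gsub(q, "", v); gsub(/"/, "", v)                # strip quotes
            print v; exit
        }' "$1"
}

note() { echo "FAIL: $1"; FINDINGS=$((FINDINGS + 1)); }
upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }
in_list() { case ":$2:" in *":$1:"*) return 0 ;; esac; return 1; }   # item colon-list

# Returns 0 when the section passes every check, 1 otherwise; FINDINGS holds the count.
audit_openvpn() { # file section
    f=$1; s=$2; FINDINGS=0
    v=$(uci_opt "$f" "$s" tls_version_min)
    case "$v" in 1.2|1.3) ;; *) note "tls_version_min is '${v:-unset}', set 1.2 or higher" ;; esac
    [ -n "$(uci_opt "$f" "$s" tls_crypt)" ] || [ -n "$(uci_opt "$f" "$s" tls_auth)" ] ||
        note "no tls_crypt/tls_auth key: control channel accepts unauthenticated packets"
    v=$(upper "$(uci_opt "$f" "$s" cipher)")
    in_list "$v" "$GOOD_CIPHERS" || note "cipher '${v:-unset}' is not AES-GCM/AES-CBC"
    for c in $(uci_opt "$f" "$s" ncp_ciphers | tr ':' ' '); do
        in_list "$(upper "$c")" "$GOOD_CIPHERS" || note "ncp_ciphers offers weak cipher '$c'"
    done
    v=$(upper "$(uci_opt "$f" "$s" auth)")
    in_list "$v" "$GOOD_AUTH" || note "auth '${v:-unset}' is weaker than SHA256 (HMAC and tls-auth digest)"
    [ "$(uci_opt "$f" "$s" reneg_sec)" != "0" ] || note "reneg_sec '0' disables data channel key renegotiation"
    if [ "$(uci_opt "$f" "$s" tls_server)" = "1" ]; then
        [ "$(uci_opt "$f" "$s" remote_cert_tls)" = "client" ] || note "server needs remote_cert_tls 'client' (EKU check)"
        [ -n "$(uci_opt "$f" "$s" dh)" ] || note "no dh parameters file (required for tls_server)"
        [ -n "$(uci_opt "$f" "$s" crl_verify)" ] || note "no crl_verify: revoked client certs are still accepted"
        case "$(uci_opt "$f" "$s" verify_client_cert)" in none|optional) note "verify_client_cert lets clients in without a certificate" ;; esac
        [ -z "$(uci_opt "$f" "$s" client_config_dir)" ] || [ "$(uci_opt "$f" "$s" ccd_exclusive)" = "1" ] ||
            note "client_config_dir without ccd_exclusive '1': clients without a ccd file still connect"
    elif [ "$(uci_opt "$f" "$s" client)" = "1" ]; then
        [ "$(uci_opt "$f" "$s" remote_cert_tls)" = "server" ] || note "client needs remote_cert_tls 'server'"
    fi
    v=$(uci_opt "$f" "$s" user)
    { [ -n "$v" ] && [ "$v" != "root" ]; } || note "user not set to an unprivileged account (e.g. nobody)"
    [ -n "$(uci_opt "$f" "$s" group)" ] || note "group not set (e.g. nogroup)"
    { [ "$(uci_opt "$f" "$s" persist_key)" = "1" ] && [ "$(uci_opt "$f" "$s" persist_tun)" = "1" ]; } ||
        note "persist_key/persist_tun '1' are needed so restarts still work after dropping privileges"
    case "$(uci_opt "$f" "$s" script_security)" in ''|0|1) ;; *) note "script_security above 1 lets OpenVPN execute user scripts" ;; esac
    [ "$FINDINGS" -eq 0 ]
}

# Constructed sample: 'cyber' mirrors the tutorial's hardened section, 'weak' does not.
DEMO_DIR=$(mktemp -d)
DEMO_CONF="$DEMO_DIR/openvpn"
cat > "$DEMO_CONF" <<'EOF'
config openvpn 'cyber'
        option tls_server '1'
        option dh '/etc/ssl/dh4096.pem'
        option tls_crypt '/etc/ssl/tls-auth.key'
        option crl_verify '/etc/ssl/crl.pem'
        option cipher 'AES-256-CBC'
        option ncp_ciphers 'AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC'
        option auth 'SHA512'
        option tls_version_min '1.2'
        option reneg_sec '1800'
        option remote_cert_tls 'client'
        option client_config_dir '/etc/openvpn/ccd/'
        option ccd_exclusive '1'
        option script_security '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option group 'nogroup'

config openvpn 'weak'
        option tls_server '1'
        option cipher 'BF-CBC'
        option auth 'SHA1'
        option tls_version_min '1.0'
        option reneg_sec '0'
        option remote_cert_tls 'server'
        option verify_client_cert 'optional'
        option client_config_dir '/etc/openvpn/ccd/'
        option script_security '2'
EOF

for sec in cyber weak; do
    if audit_openvpn "$DEMO_CONF" "$sec"; then echo "$sec: hardened"; else echo "$sec: $FINDINGS findings"; fi
done
```

On the router itself, run it as `audit_openvpn /etc/config/openvpn cyber` after sourcing the script.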

Privilege Escalation in 2.3M WooCommerce Shops

Who is affected
Installations with the following requirements are affected by this vulnerability:
WooCommerce version < 3.2.4
WordPress version >= 4.8.3
Impact – What can an attacker do
The vulnerability discussed in the following can only be exploited by an attacker that already benefits from some higher privileges. The ability to edit/add products in WooCommerce is required, but not a full administration account that would allow executing code anyway.

Evocative Announces Acquisition of Cyberverse, Inc. and expansion into the Los Angeles, Phoenix and Dallas Data Center Markets



Lisa Masiello


Evocative is expanding its footprint and bringing its highly secure edge colocation and hybrid IT solutions to the Phoenix and Dallas Markets.

San Jose, CA, February 20, 2018 – Evocative, LLC, a leading provider of secure compliant Internet infrastructure services, today announced that it has acquired Cyberverse, Inc., one of the pioneering companies in Internet services. Cyberverse was founded in 1994 by Greg Domeno and Jay Smith and over the past two and a half decades has earned the reputation of being one of the most trusted Internet infrastructure services companies. Jay Smith and the entire Cyberverse team will continue with the company. This acquisition provides Evocative additional capacity in downtown Los Angeles and expands its footprint to the Phoenix and Dallas markets. The newly acquired Tier III carrier neutral data center is located at 600 West 7th Street Los Angeles, CA in the heart of downtown and is owned and operated by Digital Realty Trust. Through the acquisition, the company now has a major presence with Aligned Data Centers in Phoenix, Arizona and Plano, Texas. The newly acquired data centers will be connected to the other 4 Evocative data centers. This is Evocative’s 4th acquisition during the last 12 months, expanding its reach as a national data center operator.

The newly added edge data and compute center adds an additional 30,000 Square Feet and 2.0 MW of capacity with expansion available to 100,000 Square Feet and 10 MW of capacity across its existing national footprint. This addition brings the company’s total capacity to over 170,000 Square Feet and 8.7 MW of IT load. All locations will be connected via multiple 40+ Gbps transport services and will create a nationwide IP backbone enabling the company to rollout active-active disaster recovery, managed distributed private cloud and complex hosting, distributed storage as well as provide direct connection to the major 4 public cloud platforms. Evocative is the trusted guardian of Internet infrastructure to over 570 clients with a roster of Fortune 500, international and some of the best known Internet brands. Evocative is well positioned to handle flexible lab and high-density computing requirements alongside mission critical compliant colocation services. All of the company’s data centers are carrier neutral with direct access to at least 15+ native carriers and dark and lit services to major interconnection hubs. Evocative’s facilities are HIPAA, PCIDSS, SSAE16, SSAE-18, SOC 2 and ISAE3402 certified, meeting rigorous security and compliance requirements. In addition, they have consistently achieved a 100% uptime availability over the past 10 years.

Enterprises, large and small businesses and startups can benefit from Evocative’s comprehensive suite of fully customizable pay per use colocation services; managed services; public cloud interconnection, private and hybrid cloud solutions; complex hosting; network and security services. Evocative can provide visibility in terms of large scale power usage down to virtual machine resource allocation. A true pay-per-use Internet services company.

“Our primary goal as a trusted pay-per-use Internet services company is to listen to our clients and provide them the most effective solutions at fair prices. We’ve known the Cyberverse team for years and shared the same passion for providing quality services and superior customer experience. We’d like to take this opportunity to welcome our new clients, employees and partners to the Evocative family,” said Arman Khalili, Evocative’s CEO. “This acquisition is in line with our expansion plans and our acquisitions earlier this year. We look forward to continuing to grow the company both organically and through additional acquisitions.”

“I am thrilled with this acquisition and our new mission moving forward with the rest of the Evocative team,” said Jay Smith, Cyberverse’s Vice President. “We share the same views on providing top notch, high availability colocation and hosting services, while still maintaining the personalized customer service and support that our clients have come to know over the last 25 years.”

About Evocative
Evocative is a North American company and an owner and operator of secure, compliant, highly available data and compute centers.  We are the trusted guardians of our clients’ Internet infrastructure. To tour an Evocative data center or receive additional information on data center services, please visit

About CyberVerse

Since 1994, Cyberverse has been a pioneer in providing quality Internet services in the greater Los Angeles community. Cyberverse is Los Angeles’s most trusted provider, located at 600 W 7th Street – one of the highest-rated carrier hotels with unrivaled reliability.  The company specializes in colocation, managed services and network with emphases on top-tier product quality and personalized service for its clients.

The post Evocative Announces Acquisition of Cyberverse, Inc. and expansion into the Los Angeles, Phoenix and Dallas Data Center Markets appeared first on Evocative Data Centers.

Integrate Security Testing into PhpStorm

New State-of-the-Art Reduces Costs

Typically, application security testing is performed after the source code has already been committed to the source code repository. For example, a security scan is manually performed before deployment, or continuous integration is used that automatically tests the build. Our PhpStorm plugin, however, enables a new and even more efficient approach to security testing. Using our PhpStorm integration, security issues are detected where they are made – directly in the IDE.
reset password for matrix/synapse accounts


Sadly Matrix/Synapse still lacks an admin UI (issue #2032), but users still tend to forget their passwords.


Create Hash

Log on to your Matrix host, download the hash_password script, make it executable and run it to create a new hash for a password.

root@matrix:~# ./hash_password -p trustno1 

Backup Database

Go to the directory where your sqlite database is located, stop the synapse server and make a backup first.

root@matrix:~# cd /var/lib/matrix-synapse
root@matrix:/var/lib/matrix-synapse# service matrix-synapse stop
root@matrix:/var/lib/matrix-synapse# cp homeserver.db homeserver.db.bkp

Set Password

Log in to your sqlite3 database.

root@matrix:/var/lib/matrix-synapse# sqlite3 homeserver.db

Check the already created users.

sqlite> select * from users;

Set the Hash for the User and exit.

sqlite> UPDATE users SET password_hash='$2b$12$TDvI.fxdmTDA64jO657mm.SFzoq6Xs4Fvf2XWQl7G8otiPrcr6s5m' 
  WHERE name='';
sqlite> .exit

Restart Matrix

root@matrix:/var/lib/matrix-synapse# service matrix-synapse restart

That’s it, it should be working fine.


Media Alert – Evocative President and COO Derek Garnier to Speak at Seventh Annual Northern California Data Center Summit

Garnier and other panel members will discuss how blockchain and digital currencies are affecting the modern data center.

WHO: Evocative President and COO Derek Garnier will speak at the Seventh Annual Northern California Data Center Summit.

Derek Garnier is the President & COO of Evocative and brings with him 29 years of provider experience in data center, network, and compute. Prior to joining Evocative, he served as CEO of Layer42 Networks, which was acquired by Wave Broadband in 2015, with Garnier assuming the position of SVP Data Center Services for Wave.

He has held both management and engineering roles at many top internet infrastructure providers including QTS Datacenters, United Layer, AboveNet Communications, SiteSmith, Global Crossing, Global Center, MFS Datanet, and Cabletron Systems. Garnier frequently moderates industry panels, speaks at both industry events and on radio, and provides consult for investors and companies during M&A processes.

WHAT: Blockchain & Data Centers: The Effect of Cryptocurrency on the Industry.

Garnier and other panel members will examine how blockchain technology and digital currencies are transforming data center architecture, design and development, and cloud platforms. The panel will discuss whether the requirements of cryptocurrency producers will fundamentally change the role of the traditional data center and whether the technology behind cryptocurrency will shift the demand requirements for other business verticals.

WHERE: St. Francis Yacht Club – 99 Yacht Rd., San Francisco, CA

WHEN: February 20, 2018 from 8:00am – 4:00pm

Register for CAPRE’s Seventh Annual Northern California Data Center Summit

For more information on Evocative’s suite of data center services or to take a tour of one of the company’s data centers, please visit

About Evocative

Evocative is a North American company and an owner and operator of secure, compliant, highly available data centers. We are the trusted guardians of our clients’ Internet infrastructure. For additional information, please visit


Lisa Masiello

The post Media Alert – Evocative President and COO Derek Garnier to Speak at Seventh Annual Northern California Data Center Summit appeared first on Evocative Data Centers.

VPN tunnel as a WAN Interface on OpenWRT/LEDE Router


There exists a seemingly endless number of VPN providers of differing quality, features and trustworthiness. They are not perfect and cannot be considered an anonymizer for everything, but they increase privacy at least for specific use cases:

  • untrusted hostile network environment
  • public WiFi
  • P2P Torrent Traffic
  • ISP Data Retention
  • Censorship Circumvention

You should know when it’s time to use a VPN and when not. Depending on your threat-model this can secure your traffic.

In my case the service provider has also added a VPN service. I usually use them for other services, but if it is in the basket, why not use it.

Other providers are for example, without any order:

  • and many more…

There exists a nice overview of why you should not use or rely on a VPN service for anonymization.

In this tutorial I’ll show how to run an OpenVPN client on your OpenWRT router. This makes it possible to keep the connection always on and reuse it in your network whenever you need it.


Install openvpn on OpenWRT

The following packages need to be installed:

 opkg update ; opkg install openvpn-openssl luci-app-openvpn openssl-util

The Service/OpenVPN section should become available in the LuCI web interface.

OpenVPN Luci Settings in OpenWRT

root@openwrt:~# openvpn --version
OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. 

Obtaining VPN Provider Settings

First we need the settings for our provider to connect with OpenVPN. Premiumize hands out client settings and their CA.crt file.

Client Settings – .ovpn file – Netherlands.ovpn

dev tun
proto udp
cipher AES-256-CBC
resolv-retry infinite


verb 3
reneg-sec 0

Manually test tunnel with .ovpn file

The easiest way is to use the .ovpn file directly. SCP it to your router and place it under /etc/openvpn/nl.ovpn.

root@openwrt:/etc/openvpn# ls

The quickest test is to run openvpn against the .ovpn file directly.

root@openwrt:/etc/openvpn# openvpn nl.ovpn 
Sat Feb 17 21:10:36 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 17 21:10:36 2018 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Enter Auth Username:
Enter Auth Password:
Sat Feb 10 19:25:15 2018 Initialization Sequence Completed

When “Initialization Sequence Completed” is printed to the screen, the tun0 interface should be up and the tunnel established. Test it with ifconfig, ping and traceroute.

root@openwrt:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
 inet addr: P-t-P: Mask:
 RX packets:1 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100 
 RX bytes:48 (48.0 B) TX bytes:0 (0.0 B)

root@openwrt:~# ping -I tun0
PING ( 56 data bytes
64 bytes from seq=0 ttl=58 time=59.759 ms
64 bytes from seq=1 ttl=58 time=59.055 ms
64 bytes from seq=2 ttl=58 time=59.755 ms
64 bytes from seq=3 ttl=58 time=59.384 ms
--- ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 59.055/59.488/59.759 ms

OpenWRT Settings with .ovpn

One can use the .ovpn file directly in the OpenWRT settings as an additional section in /etc/config/openvpn.

config openvpn 'nl_vpn' 
 option enabled '1' 
 option config "/etc/openvpn/nl.ovpn"

OpenWRT Settings with UCI/LUCI

The options from the .ovpn file correspond to the VPN settings in OpenWRT, although the naming convention is not exactly the same.

.ovpn                       OpenWRT (/etc/config/openvpn)
remote                      list remote ' 1194'
verify-x509-name            option verify_x509_name ' name'
auth-user-pass              option auth_user_pass '/etc/openvpn/prem_userpass.txt'
client                      option client '1'
dev tun                     option dev 'tun0'
proto udp                   option proto 'udp'
cipher AES-256-CBC          option cipher 'aes-256-cbc'
resolv-retry infinite       option resolv_retry 'infinite'
nobind                      option nobind '1'
persist-key                 option persist_key '1'
persist-tun                 option persist_tun '1'
mute-replay-warnings        option mute_replay_warnings '1'
verb 3                      option verb '3'
reneg-sec 0                 option reneg_sec '0'
ca                          option ca '/etc/openvpn/nl_prem_ca.crt'
                            option auth 'sha1'
                            option enabled '1'
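As an added example (not code from the original post), the following shell function applies that naming convention automatically: it reads a client .ovpn, turns dashes into underscores, gives argument-less options the value '1', emits remote as a list entry, writes an inline <ca>...</ca> block to a file in the output directory, and lets you override or add options such as dev, auth_user_pass or route_nopull as key=value arguments. The function name ovpn_to_uci and the sample .ovpn contents are assumptions; the printed section is meant to be appended to /etc/config/openvpn.

```sh
#!/bin/sh
# Added example, not code from the original post.
# ovpn_to_uci SECTION FILE.ovpn [OUTDIR] [key=value ...]
#   Prints a "config openvpn SECTION" block for /etc/config/openvpn.
#   Rules: dashes in option names become underscores, options without an
#   argument get the value '1', "remote" becomes a "list" entry and an
#   inline <ca>...</ca> block is written to OUTDIR/SECTION_ca.crt
#   (OUTDIR defaults to /etc/openvpn).
#   key=value pairs override options from the file or add new ones, e.g.
#   dev=tun0 auth_user_pass=/etc/openvpn/prem_userpass.txt route_nopull=1
ovpn_to_uci() {
    sec=$1; ovpn=$2; shift 2
    case ${1:-} in
        *=*|"") outdir=/etc/openvpn ;;           # no OUTDIR given
        *)      outdir=$1; shift ;;
    esac
    awk -v sec="$sec" -v outdir="$outdir" -v ov="$*" -v q="'" '
    BEGIN {
        n = split(ov, pairs, " ")
        for (i = 1; i <= n; i++) {               # parse key=value overrides
            split(pairs[i], kv, "=")
            override[kv[1]] = substr(pairs[i], length(kv[1]) + 2)
        }
        print "config openvpn " q sec q
    }
    { sub(/\r$/, "") }                           # tolerate CRLF files
    /^[ \t]*([#;]|$)/ { next }                   # skip comments and blank lines
    /^<[a-z-]+>[ \t]*$/ {                        # start of an inline block, e.g. <ca>
        blk = $0; gsub(/[<> \t]/, "", blk)
        file = outdir "/" sec "_" blk ".crt"
        next
    }
    /^<\/[a-z-]+>[ \t]*$/ {                      # end of the inline block
        close(file)
        key = blk; gsub(/-/, "_", key)
        if (!(key in override)) printf "\toption %s %s%s%s\n", key, q, file, q
        blk = ""; next
    }
    blk != "" { print > file; next }             # block body goes to the file
    {
        key = $1; gsub(/-/, "_", key)            # naming convention: - becomes _
        val = ""
        for (i = 2; i <= NF; i++) val = val (i > 2 ? " " : "") $i
        if (val == "") val = "1"                 # flag options become '"'"'1'"'"'
        if (key in override) next                # emitted from the overrides below
        if (key == "remote") printf "\tlist remote %s%s%s\n", q, val, q
        else printf "\toption %s %s%s%s\n", key, q, val, q
    }
    END {
        for (k in override) printf "\toption %s %s%s%s\n", k, q, override[k], q
        if (!("enabled" in override)) printf "\toption enabled %s1%s\n", q, q
    }' "$ovpn"
}
```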

OpenVPN Setting in /etc/config/openvpn

root@openwrt:~# cat /etc/config/openvpn

config openvpn 'nl_prem'
 option verify_x509_name ' name'
 list remote ' 1194'
 option auth_user_pass '/etc/openvpn/prem_userpass.txt'
 option client '1'
 option dev 'tun0'
 option proto 'udp'
 option auth 'sha256'
 option cipher 'aes-256-cbc'
 option resolv_retry 'infinite'
 option nobind '1'
 option persist_key '1'
 option persist_tun '1'
 option ca '/etc/openvpn/nl_prem_ca.crt'
 option verb '3'
 option reneg_sec '0'
 option route_nopull '1'
 option mute_replay_warnings '1'
 option enabled '1'

The settings can also be entered in LuCI, but it is easier to skip that and append them manually on the command line at the end of /etc/config/openvpn.

User Pass File

The auth_user_pass option tells OpenVPN to read the Customer ID and PIN used for authentication from a file.

I have created a file in /etc/openvpn with my Customer ID on line 1 and my Premiumize PIN on line 2.

root@openwrt:~# cat /etc/config/openvpn | grep auth_user_pass
 option auth_user_pass '/etc/openvpn/prem_userpass.txt'
root@openwrt:~# cat /etc/openvpn/prem_userpass.txt

CA – Certificate Authority

I have placed the ca part of the nl.ovpn file under /etc/openvpn.

root@openwrt:/etc/openvpn# cat nl_prem_ca.crt 


Ignoring redirect-gateway

If you are running OpenVPN as a client and the server pushes “redirect-gateway”, your client redirects all internet traffic over the VPN. Sometimes clients do not want this, but they cannot change the server’s configuration. In our case we just want the OpenVPN tunnel available as an additional WAN interface, not to push everything into it all the time.

I prefer to set the client option “option route_nopull ‘1’” and take care of the routing myself.

.ovpn                       OpenWRT (/etc/config/openvpn)
route-nopull                option route_nopull '1'
 When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers.
 When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

from the OpenVPN Manpage about route-nopull

Settings in LUCI

The option is also available in LuCI.



Create VPN Interface

In the section Network/Interfaces create a new interface with protocol Unmanaged.

Interface Configuration

root@openwrt:~# cat /etc/config/network
config interface 'nl_vpn'
 option proto 'none'
 option ifname 'tun0'
 option auto '1'

Protocol: unmanaged/none

Bring up on boot: auto

Connected interface name: tun0

Firewall zone: put it into a new zone similar to your WAN zone.

Firewall Zone Settings

root@openwrt:~# cat /etc/config/firewall 

config zone
 option name 'vpn'
 option output 'ACCEPT'
 option network 'nl_vpn'
 option masq '1'
 option input 'REJECT'
 option forward 'REJECT'
 option mtu_fix '1'

config forwarding
 option dest 'vpn'
 option src 'lan'


VPN-WAN Interface Checks

Check that your interface is up and visible in ifconfig.

root@openwrt:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
 inet addr: P-t-P: Mask:
 RX packets:64 errors:0 dropped:0 overruns:0 frame:0
 TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100 
 RX bytes:5158 (5.0 KiB) TX bytes:912 (912.0 B)

Compare a traceroute through your tunnel interface with one through your WAN interface.

root@openwrt:~# traceroute -i tun0
traceroute to (, 30 hops max, 38 byte packets
 1 ( 41.615 ms 43.000 ms 42.597 ms
 2 ( 42.245 ms 41.426 ms 42.694 ms
 3 ( 42.514 ms ( 41.695 ms ( 41.572 ms
 4 ( 43.000 ms ( 42.761 ms ( 42.602 ms
 5 ( 43.564 ms 44.046 ms ( 42.834 ms
 6 * * ( 44.326 ms
 7 ( 44.441 ms ( 43.350 ms ( 44.816 ms
 8 ( 43.820 ms 44.058 ms 44.582 ms

vs. traceroute with your WAN Interface

root@openwrt:~# traceroute -i eth0.2
traceroute to (, 30 hops max, 38 byte packets
 1 ( 6.240 ms 6.092 ms 5.463 ms
 2 ( 6.701 ms 6.127 ms 7.363 ms
 3 ( 8.222 ms 8.433 ms 9.342 ms
 4 ( 18.626 ms ( 11.888 ms 9.353 ms
 5 ( 15.892 ms 16.902 ms 16.608 ms
 6 ( 17.024 ms ( 15.660 ms 15.917 ms
 7 ( 18.292 ms ( 16.173 ms ( 18.121 ms
 8 ( 15.487 ms 15.610 ms 15.236 ms

A route via your tun interface should have been added:

root@openwrt:~# route | grep tun0
 * U 0 0 0 tun0

Search your syslog for the line “Initialization Sequence Completed”:

root@openwrt:/etc/config# logread | grep openvpn | grep Seq
Sun Feb 18 17:04:21 2018 daemon.notice openvpn(nl_prem)[2752]: Initialization Sequence Completed


This new VPN-WAN interface is now available for guest LANs/WLANs, split-tunnel or multi-WAN setups.

A Declaration of the Independence of Cyberspace


“I knew it’s also true that a good way to invent the future is to predict it. So I predicted Utopia, hoping to give Liberty a running start before the laws of Moore and Metcalfe delivered up what Ed Snowden now correctly calls ‘turn-key totalitarianism.’”


Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.

We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.

Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.

You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.

You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don't exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.

Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live.

We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.

We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.

Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.

Our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. We believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. Our identities may be distributed across many of your jurisdictions. The only law that all our constituent cultures would generally recognize is the Golden Rule. We hope we will be able to build our particular solutions on that basis. But we cannot accept the solutions you are attempting to impose.

In the United States, you have today created a law, the Telecommunications Reform Act, which repudiates your own Constitution and insults the dreams of Jefferson, Washington, Mill, Madison, DeToqueville, and Brandeis. These dreams must now be born anew in us.

You are terrified of your own children, since they are natives in a world where you will always be immigrants. Because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. In our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. We cannot separate the air that chokes from the air upon which wings beat.

In China, Germany, France, Russia, Singapore, Italy and the United States, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace. These may keep out the contagion for a small time, but they will not work in a world that will soon be blanketed in bit-bearing media.

Your increasingly obsolete information industries would perpetuate themselves by proposing laws, in America and elsewhere, that claim to own speech itself throughout the world. These laws would declare ideas to be another industrial product, no more noble than pig iron. In our world, whatever the human mind may create can be reproduced and distributed infinitely at no cost. The global conveyance of thought no longer requires your factories to accomplish.

These increasingly hostile and colonial measures place us in the same position as those previous lovers of freedom and self-determination who had to reject the authorities of distant, uninformed powers. We must declare our virtual selves immune to your sovereignty, even as we continue to consent to your rule over our bodies. We will spread ourselves across the Planet so that no one can arrest our thoughts.

We will create a civilization of the Mind in Cyberspace. May it be more humane and fair than the world your governments have made before.

Davos, Switzerland
February 8, 1996
by John Perry Barlow

Image from EFF, license CC-BY

Evocative’s Arman Khalili Talks Northern California Data Center Market

Feb 14, 2018
by Josh Anderson

SAN FRANCISCO, CA — Arman Khalili is the CEO of Evocative and brings with him over 25 years of experience in the Internet infrastructure industry. Prior to joining the company, he served as a Principal at Industry Capital, a real-asset-based private equity firm in San Francisco. Arman was the founder and CEO of CentralColo. Prior to that he was the CEO of Black Lotus, a leader in DDoS mitigation, which was acquired by Level 3. He was the founder and CEO of UnitedLayer, the largest privately held colocation provider in San Francisco, the founder of Sirius, one of the first ISPs in Silicon Valley, and co-founder and CTO of MusicBank, the first music subscription company. In anticipation of CapRE’s Northern California Data Center Summit on February 20, we chatted with Arman about the Northern California data center arena.


The post Evocative’s Arman Khalili Talks Northern California Data Center Market appeared first on Evocative Data Centers.

UAP-AC-LITE serial mod – debricking


I tend to push things too far and lock myself out of my hardware from time to time.

This time I set some wrong interface settings on my new access point running LEDE/OpenWRT. Sadly there is no working failsafe mode available to repair the network settings.

But that’s not a problem: the board comes with a serial port.

First it’s necessary to remove the front plate, which is held by 5 tabs.


This port has the pinout +3.3V – RxD – TxD – GND. I have soldered pins onto it to make it easily accessible.

On my laptop I use a CP2102 UART bridge as the serial port.


root@laptop:/home/cave# dmesg | tail
[19840.798867] usbcore: registered new interface driver usbserial
[19840.798904] usbcore: registered new interface driver usbserial_generic
[19840.798932] usbserial: USB Serial support registered for generic
[19840.800388] usbcore: registered new interface driver cp210x
[19840.800404] usbserial: USB Serial support registered for cp210x
[19840.800447] cp210x 2-2:1.0: cp210x converter detected
[19840.912702] usb 2-2: reset full-speed USB device number 2 using xhci_hcd
[19841.050680] xhci_hcd 0000:03:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff88009ea91388
[19841.050690] xhci_hcd 0000:03:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff88009ea91340
[19841.053055] usb 2-2: cp210x converter now attached to ttyUSB0

On Linux, minicom is the terminal emulator to use. Settings are 115200 baud, 8N1, no flow control.


The boot log from LEDE looks as follows:

U-Boot unifi-v1.6.2.235-g1aad87ce (Jun 30 2015 - 21:30:38)

ath_ddr_initial_config(278): (ddr2 init)
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 231k for U-Boot at: 87fc4000
Reserving 192k for malloc() at: 87f94000
Reserving 44 Bytes for Board Info at: 87f93fd4
Reserving 36 Bytes for Global Data at: 87f93fb0
Reserving 128k for boot params() at: 87f73fb0
Stack Pointer at: 87f73f98
Now running in RAM - U-Boot at: 87fc4000
Flash: 16 MB
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200 
athr_mgmt_init ::done
Dragonfly ----> S17 PHY *
 ath_gmac_enet_initialize: is_s17()=0, is_ar8033()=1, phy id1=4d phy_id2=d074 
WAN AR8033 PHY init 
athrs_ar8033_reg_init: Done 111 
Max resets limit reached exiting...
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
eth0 up
Setting 0x181162c0 to 0x20402100
Board: Copyright Ubiquiti Networks Inc. 2014
Hit any key to stop autoboot: 0 
## Starting application at 0x80200020 ...
Board: Ubiquiti Networks AR956X board (e517-33.1150.0030.0040)
 0. Name = u-boot, offset = 0, start_addr=9f000000, size=393216,start_sector=0, end_sector=5 
 1. Name = u-boot-env, offset = 60000, start_addr=9f060000, size=65536,start_sector=6, end_sector=6 
 2. Name = kernel0, offset = 70000, start_addr=9f070000, size=7929856,start_sector=7, end_sector=127 
 3. Name = kernel1, offset = 800000, start_addr=9f800000, size=7929856,start_sector=128, end_sector=248 
 4. Name = bs, offset = f90000, start_addr=9ff90000, size=131072,start_sector=249, end_sector=250 
 5. Name = cfg, offset = fb0000, start_addr=9ffb0000, size=262144,start_sector=251, end_sector=254 
 6. Name = EEPROM, offset = ff0000, start_addr=9fff0000, size=65536,start_sector=255, end_sector=255 
get_mtd_params: name=bs
ubnt_flash_read: addr=8023b480, sa=9ff90000, sz=131072 
ubnt_bootsel_init: bootsel magic=a34de82b, bootsel = 1 
UBNT application initialized 
## Application terminated, rc = 0x0
## Starting application at 0x80200020 ...
keep cfg partition. 
## Application terminated, rc = 0x0
## Starting application at 0x80200020 ...
ubnt_uwrite: Nothing to flash, exiting 
## Application terminated, rc = 0x0
## Starting application at 0x80200020 ...
Number of boot partitions = 2 
get_mtd_params: name=bs
ubnt_flash_read: addr=8023b480, sa=9ff90000, sz=131072 
ubnt_get_bootsel: Boot partition selected = 1 
Loading Kernel Image @ 81000000, size = 7929856 
Verifying 'kernel1' parition:OK
## Application terminated, rc = 0x0
## Booting image at 9f800000 ...
 Image Name: MIPS LEDE Linux-4.4.92
 Created: 2017-10-17 17:46:20 UTC
 Image Type: MIPS Linux Kernel Image (lzma compressed)
 Data Size: 1258164 Bytes = 1.2 MB
 Load Address: 80060000
 Entry Point: 80060000
 Verifying Checksum at 0x9f800040 ...OK
 Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

[ 0.000000] Linux version 4.4.92 ( (gcc version 5.4.0 (LEDE GCC 5.4.0 r3101-bce140e) ) #0 Tue Oct 17 14:59:45 2017
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[ 0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] No valid device tree found, continuing without
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512
[ 0.000000] Kernel command line: board=UBNT-UF-AC-LITE mtdparts=spi0.0:384k(u-boot)ro,64k(u-boot-env)ro,7744k(firmware),7744k(ubnt-airos)ro,128k(bs)ro,256k(cfg)ro,64k(EEPROM)ro console=ttyS0,11d
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 125328K/131072K available (3076K kernel code, 160K rwdata, 412K rodata, 312K init, 205K bss, 5744K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4932285024 ns
[ 0.000006] sched_clock: 32 bits at 387MHz, resolution 2ns, wraps every 5541893118ns
[ 0.008207] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[ 0.071016] pid_max: default: 32768 minimum: 301
[ 0.075981] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.082957] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.092341] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.102742] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.110072] NET: Registered protocol family 16
[ 0.115891] MIPS: machine is Ubiquiti UniFi-AC-LITE
[ 0.339426] registering PCI controller with io_map_base unset
[ 0.345661] Can't analyze schedule() prologue at 800670fc
[ 0.358984] PCI host bridge to bus 0000:00
[ 0.363307] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[ 0.370588] pci_bus 0000:00: root bus resource [io 0x0001]
[ 0.376452] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[ 0.383608] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 0.392012] pci 0000:00:00.0: invalid calibration data
[ 0.397797] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[ 0.405512] pci 0000:00:00.0: BAR 6: assigned [mem 0x12200000-0x1220ffff pref]
[ 0.413156] pci 0000:00:00.0: using irq 40 for pin 1
[ 0.418979] clocksource: Switched to clocksource MIPS
[ 0.425232] NET: Registered protocol family 2
[ 0.430583] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.437935] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.444682] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.451462] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.457625] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.464480] NET: Registered protocol family 1
[ 0.472711] Crashlog allocated RAM at address 0x3f00000
[ 0.490033] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.496181] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.508521] io scheduler noop registered
[ 0.512696] io scheduler deadline registered (default)
[ 0.518282] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 0.527170] console [ttyS0] disabled
[ 0.551022] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a 16550A
[ 0.560121] console [ttyS0] enabled
[ 0.560121] console [ttyS0] enabled
[ 0.567662] bootconsole [early0] disabled
[ 0.567662] bootconsole [early0] disabled
[ 0.580366] m25p80 spi0.0: mx25l12805d (16384 Kbytes)
[ 0.585606] 7 cmdlinepart partitions found on MTD device spi0.0
[ 0.591759] Creating 7 MTD partitions on "spi0.0":
[ 0.596707] 0x000000000000-0x000000060000 : "u-boot"
[ 0.603635] 0x000000060000-0x000000070000 : "u-boot-env"
[ 0.610446] 0x000000070000-0x000000800000 : "firmware"
[ 0.629799] 2 uimage-fw partitions found on MTD device firmware
[ 0.635927] 0x000000070000-0x0000001b0000 : "kernel"
[ 0.642182] 0x0000001b0000-0x000000800000 : "rootfs"
[ 0.648580] mtd: device 4 (rootfs) set to be root filesystem
[ 0.654512] 1 squashfs-split partitions found on MTD device rootfs
[ 0.660909] 0x000000420000-0x000000800000 : "rootfs_data"
[ 0.667848] 0x000000800000-0x000000f90000 : "ubnt-airos"
[ 0.674680] 0x000000f90000-0x000000fb0000 : "bs"
[ 0.680842] 0x000000fb0000-0x000000ff0000 : "cfg"
[ 0.686988] 0x000000ff0000-0x000001000000 : "EEPROM"
[ 0.699934] libphy: ag71xx_mdio: probed
[ 1.370523] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:04 [uid=004dd074, driver=Atheros 8031/8033 ethernet]
[ 1.381861] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:SGMII
[ 1.389623] NET: Registered protocol family 10
[ 1.396970] NET: Registered protocol family 17
[ 1.401669] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 1.414787] 8021q: 802.1Q VLAN Support v1.8
[ 1.425064] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[ 1.434102] Freeing unused kernel memory: 312K
[ 2.242449] init: Console is alive
[ 2.246134] init: - watchdog -
[ 3.083296] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 3.104439] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 3.113279] init: - preinit -
[ 3.913129] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 3.935766] random: procd: uninitialized urandom read (4 bytes read, 6 bits of entropy available)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 6.521268] eth0: link up (100Mbps/Full duplex)
[ 6.525976] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 7.213159] jffs2: notice: (362) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 7.230901] mount_root: switching to jffs2 overlay
[ 7.243259] urandom-seed: Seeding with /etc/urandom.seed
[ 7.340310] eth0: link down
[ 7.352452] procd: - early -
[ 7.355510] procd: - watchdog -
[ 7.966201] procd: - watchdog -
[ 7.970066] procd: - ubus -
[ 8.067457] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.078176] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.088227] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.097567] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.107182] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.116514] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.125980] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.135784] random: ubusd: uninitialized urandom read (4 bytes read, 13 bits of entropy available)
[ 8.145437] procd: - init -
Please press Enter to activate this console.
[ 8.483520] kmodloader: loading kernel modules from /etc/modules.d/*
[ 8.506009] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 8.519402] Loading modules backported from Linux version wt-2017-01-31-0-ge882dff19e7f
[ 8.527672] Backport generated by backports.git backports-20160324-13-g24da7d3c
[ 8.587506] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
[ 8.593567] ath10k_pci 0000:00:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0
[ 8.813379] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:00:00.0.bin failed with error -2
[ 8.824471] ath10k_pci 0000:00:00.0: Falling back to user helper
[ 9.019462] firmware ath10k!pre-cal-pci-0000:00:00.0.bin: firmware_loading_store: map pages failed
[ 9.220586] ath10k_pci 0000:00:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043222ff sub 0000:0000
[ 9.230152] ath10k_pci 0000:00:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
[ 9.243146] ath10k_pci 0000:00:00.0: firmware ver 10.2.4-1.0-00016 api 5 features no-p2p,raw-mode,mfp crc32 0c5668f8
[ 9.254134] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA988X/hw2.0/board-2.bin failed with error -2
[ 9.264928] ath10k_pci 0000:00:00.0: Falling back to user helper
[ 9.343343] firmware ath10k!QCA988X!hw2.0!board-2.bin: firmware_loading_store: map pages failed
[ 9.364515] ath10k_pci 0000:00:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
[ 10.475587] ath10k_pci 0000:00:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal file max-sta 128 raw 0 hwcrypto 1
[ 10.695182] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 10.707106] nf_conntrack version 0.5.0 (1963 buckets, 7852 max)
[ 10.740206] xt_time: kernel timezone is -0000
[ 10.765475] PPP generic driver version 2.4.2
[ 10.818507] NET: Registered protocol family 24
[ 10.852803] ieee80211 phy1: Atheros AR9561 Rev:0 mem=0xb8100000, irq=47
[ 10.866164] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 11.743364] random: jshn: uninitialized urandom read (4 bytes read, 19 bits of entropy available)
[ 15.375016] device eth0 entered promiscuous mode
[ 15.390029] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 17.281331] eth0: link up (100Mbps/Full duplex)
[ 17.418004] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 17.459082] br-lan: port 1(eth0) entered forwarding state
[ 17.464711] br-lan: port 1(eth0) entered forwarding state
[ 17.499544] device wlan1 entered promiscuous mode
[ 19.458989] br-lan: port 1(eth0) entered forwarding state
[ 19.646999] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 19.660881] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[ 19.689299] device wlan0 entered promiscuous mode
[ 21.179912] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 21.186686] br-lan: port 2(wlan1) entered forwarding state
[ 21.192431] br-lan: port 2(wlan1) entered forwarding state
[ 23.189012] br-lan: port 2(wlan1) entered forwarding state
[ 39.059895] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 39.066638] br-lan: port 3(wlan0) entered forwarding state
[ 39.072394] br-lan: port 3(wlan0) entered forwarding state
[ 41.068994] br-lan: port 3(wlan0) entered forwarding state
[ 44.663058] random: nonblocking pool is initialized

BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.4, r3560-79f57e422d)
    \________\/    -----------------------------------------------------------



If you have access to the root user, you can reconfigure as much as you want and repair your settings.

If a factory reset is the better option, you can also boot into failsafe mode by pressing [f] when prompted for it:

[ 3.935766] random: procd: uninitialized urandom read (4 bytes read, 6 bits of entropy available) 
Press the [f] key and hit [enter] to enter failsafe mode 
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level 
[ 6.521268] eth0: link up (100Mbps/Full duplex)