How to play with OpenWRT on the Raspberry Pi CM4

Prepare the openfortivpn package build environment on Ubuntu 20.04.3 LTS

Refer to the example above, adapted for the CM4 (Raspberry Pi 4 Compute Module).

Download openwrt-sdk-bcm27xx-bcm2711_gcc-8.4.0_musl.Linux-x86_64.tar.xz from https://onedrive.live.com/?authkey=!AEcwsyZAovIBK-I&id=5219529519B9B6A1!963&cid=5219529519B9B6A1

Unpack it on Ubuntu 20.04.3 LTS (my T420 notebook) and build openfortivpn. This step can be skipped, because OpenWRT can install the package online instead.

# Build the openfortivpn ipk from source
tar vxJf openwrt-sdk-bcm27xx-bcm2711_gcc-8.4.0_musl.Linux-x86_64.tar.xz
cd openwrt-sdk-bcm27xx-bcm2711_gcc-8.4.0_musl.Linux-x86_64/package
git clone https://github.com/excelwang/openwrt-openfortivpn openfortivpn
cd ..
./scripts/feeds update base
./scripts/feeds install libopenssl resolveip ppp
make package/openfortivpn/compile V=s
cd bin/packages/aarch64_cortex-a72/base/
ls openfortivpn_1.7.1_git467cab7-1_aarch64_cortex-a72.ipk

Refer to the link https://note.amoiisacat.one/?p=35

We searched and found the prebuilt package files at

https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a72/

https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a72/packages/openfortivpn_1.17.1-1_aarch64_cortex-a72.ipk

https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a72/luci/luci-proto-openfortivpn_git-20.240.06846-642f738_all.ipk

https://forum.archive.openwrt.org/viewtopic.php?id=16599

https://github.com/openwrt/luci

To install all of the LuCI feed's package definitions:

./scripts/feeds update luci
./scripts/feeds install -a -p luci
make menuconfig
make world

More references
https://openwrt-nctu.gitbook.io/project/openwrt-compile-env/openwrt-opkg-manager

More packages for CM4
https://archive.openwrt.org/releases/packages-21.02/aarch64_cortex-a72/

Set up OpenWRT manually (I did not use this method myself):

opkg install openfortivpn luci-proto-openfortivpn
reboot

In LuCI, add an interface with protocol openfortivpn; fill in the username, password, IP address and port (under Advanced), and fill in “VPN Server's certificate SHA1 hash” if your FortiSSL certificate is not trusted by your device. That field pins the expected server certificate rather than disabling verification.

Save and apply, then restart the interface; it will connect and get an IP address from the VPN. To let OpenWRT's LAN clients reach the FortiSSL network, masquerade their traffic onto the VPN interface:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o vpn-company -j MASQUERADE
Then add the static routes in the OpenWRT UI (Network -> firewall -> static route) and you are done.

How to fix the CM4 Wi-Fi problem on OpenWRT (already resolved in the latest CM4 image)

cd /lib/firmware/brcm
cp brcmfmac43455-sdio.raspberrypi,4-model-b.txt brcmfmac43455-sdio.raspberrypi,4-compute-module.txt
reboot

https://forum.openwrt.org/t/raspberry-pi-cm4-wifi-not-working/90280/3

root@OpenWrt:~# dmesg | grep brcmfmac
[ 6.865501] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
[ 6.889369] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt failed with error -2
[ 6.901659] brcmfmac mmc1:0001:1: Falling back to sysfs fallback for: brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt
[ 6.917922] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.txt failed with error -2
[ 6.927674] brcmfmac mmc1:0001:1: Falling back to sysfs fallback for: brcm/brcmfmac43455-sdio.txt
[ 11.913882] usbcore: registered new interface driver brcmfmac
[ 12.933667] brcmfmac: brcmf_sdio_htclk: HT Avail timeout (1000000): clkctl 0x50

root@OpenWrt:~# iw dev
root@OpenWrt:~# wifi status
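To check for this failure without reading dmesg by eye, here is an added Python example (not from the page or the brcmfmac driver) that picks the NVRAM lookups that failed with ENOENT out of log lines like those above and pairs each missing file with an existing same-chip .txt to copy from, which is what the cp command above does by hand. SAMPLE_DMESG and AVAILABLE are constructed stand-ins for `dmesg` and `ls /lib/firmware/brcm`.

```python
"""Find failed brcmfmac NVRAM lookups in dmesg and propose which existing file to copy.
Added example, not from the page or the driver; SAMPLE_DMESG and AVAILABLE are constructed."""
import re

SAMPLE_DMESG = """\
[    6.865501] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
[    6.889369] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt failed with error -2
[    6.917922] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.txt failed with error -2
[   12.933667] brcmfmac: brcmf_sdio_htclk: HT Avail timeout (1000000): clkctl 0x50
"""
# Constructed stand-in for the files present in /lib/firmware/brcm on the CM4 image.
AVAILABLE = ("brcm/brcmfmac43455-sdio.bin", "brcm/brcmfmac43455-sdio.raspberrypi,4-model-b.txt")

FAIL_RE = re.compile(r"brcmfmac .*Direct firmware load for (\S+) failed with error (-?\d+)")

def missing_nvram_files(dmesg_text):
    """NVRAM (.txt) paths the driver tried and could not find (error -2 is ENOENT)."""
    return [m.group(1) for m in map(FAIL_RE.search, dmesg_text.splitlines())
            if m and m.group(2) == "-2" and m.group(1).endswith(".txt")]

def suggest_copies(missing, available=AVAILABLE):
    """Return (source, destination) pairs: for each missing board NVRAM file, an existing
    .txt for the same chip (same name up to the first dot) that can be copied into place."""
    pairs = []
    for dst in missing:
        chip = dst.split(".", 1)[0]                      # e.g. brcm/brcmfmac43455-sdio
        for src in available:
            if src.startswith(chip + ".") and src.endswith(".txt") and src != dst:
                pairs.append((src, dst))
                break
    return pairs

if __name__ == "__main__":
    for src, dst in suggest_copies(missing_nvram_files(SAMPLE_DMESG)):
        print(f"cp /lib/firmware/{src} /lib/firmware/{dst}")
```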
IPtables firewall tutorial video (reference only, to understand what a VPN gateway is).

Set firewall rules for Wi-Fi to VPN: https://mackonsti.wordpress.com/2021/02/20/install-openvpn-server-openwrt-router/

Query the status of the network interfaces

root@OpenWrt:~# uci -P/var/state show network.wan
root@OpenWrt:~# uci -P/var/state show network
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.loopback.up='1'
network.loopback.ifname='lo'
network.globals=globals
network.globals.ulaprefix='fd95:27c5:3e18::/48'
network.globals.packetsteering='1'
network.lan=interface
network.lan.proto='static'
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.device='br-lan'
network.lan.up='1'
network.lan.ifname='br-lan'
network.wan=interface
network.wan.proto='dhcp'
network.wan.device='eth1'
network.wan.up='1'
network.wan.ifname='eth1'
network.vpn0=interface
network.vpn0.proto='openfortivpn'
network.vpn0.peeraddr='VPN DNS'
network.vpn0.username='VPN Login User'
network.vpn0.password='VPN Login Password'
network.vpn0.defaultroute='0'
network.vpn0.up='1'
network.vpn0.ifname='vpn-vpn0'
network.docker=interface
network.docker.device='docker0'
network.docker.proto='none'
network.docker.auto='0'
network.@device[0]=device
network.@device[0].type='bridge'
network.@device[0].name='docker0'
network.@device[1]=device
network.@device[1].name='br-lan'
network.@device[1].type='bridge'
network.@device[1].ports='eth0'
network.wwan=interface
network.wwan.proto='dhcp'
network.@route[0]=route
network.@route[0].interface='vpn0'
network.@route[0].target='Route target network segment'
network.@route[0].netmask='255.255.0.0'
network.@route[1]=route
network.@route[1].interface='vpn0'
network.@route[1].target='Route target network segment'
network.@route[1].netmask='255.255.0.0'
network.@route[2]=route
network.@route[2].interface='vpn0'
network.@route[2].target='Route target network segment'
network.@route[2].netmask='255.255.0.0'
network.@route[3]=route
network.@route[3].target='Route target network segment'
network.@route[3].netmask='255.255.255.0'
network.@route[3].interface='vpn0'
network.@route[4]=route
network.@route[4].interface='vpn0'
network.@route[4].target='Route target network segment'
network.@route[4].netmask='255.255.255.0'
network.@route[5]=route
network.@route[5].interface='vpn0'
network.@route[5].target='Route target network segment'
network.@route[5].netmask='255.255.0.0'
network.@route[6]=route
network.@route[6].interface='vpn0'
network.@route[6].target='Route target network segment'
network.@route[6].netmask='255.255.0.0'
network.@route[7]=route
network.@route[7].interface='vpn0'
network.@route[7].target='Route target network segment'
network.@route[7].netmask='255.255.255.0'
network.@route[8]=route
network.@route[8].interface='vpn0'
network.@route[8].target='Route target network segment'
network.@route[8].netmask='255.255.255.0'
network.@route[9]=route
network.@route[9].interface='vpn0'
network.@route[9].target='Route target network segment'
network.@route[9].netmask='255.255.0.0'

Reference: “Routing basics”, OpenWrt Wiki (Vladislav Grigoryev). See also: IP Layer Network Administration, IP routing tutorial. “Routing is the process of selecting a path to send network traffic. There are several routing protocols for dynamic routing, specifically B.A.T.M.A.N. and OLSR for mesh networking, however static routing is typically eno…”

Background study

OpenWRT with two gateways

Use case study

Reference: “OpenVPN SplitTunneling on OpenWRT”, Medium (Amedeo Baragiola). “Split-tunneling is a networking technique that lets you route traffic to different network gateways depending on where it is coming from…”

Reference: “About the route table problem after connecting to the VPN” (有關連接VPN後的route table問題), iT 邦幫忙. “Hi everyone.. I have already fixed the Cisco ASA VPN xD.. Now I have found another problem.. I use AnyConnect to connect to the VPN I set up myself, but after connecting to that VPN I find I can no longer use the original network's functions”

Debugging references

Reference: “VPN does not add network route”, OpenWrt Forum (Larry). “Using Openwrt 4.9.120 I have set up a pptp vpn to connect to another site, the link comes up and I can ping Internet sites and the vpn remote gateway, but not any hosts on the remote LAN. Basically, I want to set up a LAN-LAN vpn for traffic between the LANs and all other traffic to go the default…”

Finally, some thoughts and lessons from setting up this VPN

It is still easier to follow when written in Chinese. The motivation for building a VPN router was that during the pandemic there were many occasions to work from home. At the office I am used to mixing Windows and Linux platforms, using them for remote network access and desktop programs respectively, and I recently bought a MacBook running macOS as well; in other words, all of these heterogeneous work platforms need to be able to reach the company's internal network.

For a single day of working from home I would have to install VPN client software on every computer and dial in to the company intranet from each of them; that level of hassle is something I cannot tolerate.

This time I spent about a week researching so-called “scientific internet access” (routing traffic through a VPN). The main network connection setups are:

  1. Side-router (bypass router) setup, suitable for a router box with only one network interface
  2. Relay router setup, suitable for a router box with more than one network interface

Naturally, a relay router with more than one network interface can effectively isolate the home network from the VPN network layer, and the existing network needs almost no additional configuration. I only have to focus on installing OpenWRT on this dual-interface Raspberry Pi and configuring it as a VPN gateway; its LAN and Wi-Fi can then reach through to the company's internal network.

This router's main job is to forward the subnets that need to reach the office to the VPN virtual interface.

There are several points that must be understood:

  1. The OpenWRT firmware follows iptables logic; I found videos to review the basic concepts.
  2. Installing OpenForticlient on Linux versus configuring it through the OpenWRT interface: I first practised on a Linux laptop to learn how it works, and after that applying it in the OpenWRT LuCI interface was much clearer.
  3. OpenWRT's Wi-Fi can act as a Wi-Fi client or as a Wi-Fi AP. If you are out with no WAN port to connect to the Internet, you can use the Wi-Fi client to join a phone's AP as the WAN interface; tick [V] Replace Wireless Configuration.
  4. In OpenWRT, under Network -> Interfaces -> VPN0 -> Advanced Settings, untick [ ] Use default gateway, so that you do not end up unable to reach machines on the home network.
  5. Finally, add the static routes: each of the company's subnets has to be added manually, one line at a time, to OpenWRT's routing table: Interface = VPN0, Target = company subnet, IPv4-Netmask = 255.255.0.0 or 255.255.255.0.
  6. After testing that everything works, download a tar archive of the current configuration files.
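Points 4 and 5 above are where a VPN gateway most often goes wrong: the VPN default route left on, or a company static route wide enough to swallow the home LAN. The following is an added Python check (example code, not the author's or OpenWrt's own) that parses a `uci show network` dump like the one shown earlier and reports both problems; the section name vpn0, the home LAN being network.lan, and SAMPLE_UCI are assumptions.

```python
"""Audit a 'uci show network' dump for a VPN gateway (added example, not from the page).
Assumed: the VPN section is vpn0, the home LAN is network.lan, SAMPLE_UCI is constructed."""
import ipaddress
SAMPLE_UCI = """\
network.lan=interface
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.vpn0=interface
network.vpn0.defaultroute='0'
network.@route[0]=route
network.@route[0].interface='vpn0'
network.@route[0].target='10.20.0.0'
network.@route[0].netmask='255.255.0.0'
network.@route[1]=route
network.@route[1].interface='vpn0'
network.@route[1].target='192.168.0.0'
network.@route[1].netmask='255.255.0.0'
"""

def parse_uci(dump):
    """Map section -> options ('uci show' quotes option values, not section types)."""
    cfg = {}
    for key, _, value in (ln.strip().partition("=") for ln in dump.splitlines() if "=" in ln):
        if value.startswith("'"):                  # section.option='value'
            section, _, option = key.rpartition(".")
            cfg.setdefault(section, {})[option] = value.strip("'")
        else:                                      # section=type
            cfg.setdefault(key, {})[".type"] = value
    return cfg

def audit_vpn_routes(dump, iface="vpn0", lan="network.lan"):
    """Return (networks routed via iface, findings). A VPN default route, or a static route
    covering the home LAN, pulls home traffic into the tunnel (assumed: default route unless defaultroute='0')."""
    cfg, findings, routes = parse_uci(dump), [], []
    if cfg.get("network." + iface, {}).get("defaultroute", "1") != "0":
        findings.append(f"{iface}: 'Use default gateway' is on; all traffic would go via the VPN")
    lan_net = ipaddress.ip_network(f"{cfg[lan]['ipaddr']}/{cfg[lan]['netmask']}", strict=False)
    for sect, opts in cfg.items():
        if opts.get(".type") != "route" or opts.get("interface") != iface:
            continue
        try:
            net = ipaddress.ip_network(f"{opts['target']}/{opts['netmask']}", strict=False)
        except (KeyError, ValueError) as exc:
            findings.append(f"{sect}: bad target/netmask ({exc})")
            continue
        routes.append(net)
        if net.overlaps(lan_net):
            findings.append(f"{sect}: {net} overlaps home LAN {lan_net}; home hosts unreachable")
    return routes, findings
```

On the router itself, feed it `uci -P/var/state show network` instead of SAMPLE_UCI.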

Additional notes

OpenWRT uses only a small part of the eMMC. To make use of the remaining space, open a terminal and run fdisk /dev/mmcblk0 to add partitions for swap and the Docker home.

fdisk -l /dev/mmcblk0
Disk /dev/mmcblk0: 29.12 GiB, 31268536320 bytes, 61071360 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x5452574f

Device         Boot    Start      End  Sectors  Size Id Type
/dev/mmcblk0p1          8192   532479   524288  256M  c W95 FAT32 (LBA)
/dev/mmcblk0p2        540672  4734975  4194304    2G 83 Linux
/dev/mmcblk0p3       4734976 13123583  8388608    4G 82 Linux swap / Solaris
/dev/mmcblk0p4      13123584 61071359 47947776 22.9G 83 Linux

Automount the partition

  1. Generate a config entry for the fstab file:
block detect | uci import fstab
  2. Now enable automount on that config entry:
uci set fstab.@mount[-1].enabled='1'
uci commit fstab
  3. Optionally enable autocheck of the file system each time the OpenWrt device powers up:
uci set fstab.@global[0].check_fs='1'
uci commit fstab
  4. Reboot your OpenWrt device (to verify that automount works).
  5. After the reboot, check your results by running:
uci show fstab
fstab.@global[0]=global
fstab.@global[0].anon_swap='0'
fstab.@global[0].anon_mount='0'
fstab.@global[0].auto_swap='1'
fstab.@global[0].auto_mount='1'
fstab.@global[0].delay_root='5'
fstab.@global[0].check_fs='0'
fstab.@swap[0]=swap
fstab.@swap[0].device='/dev/mmcblk0p3'
fstab.@swap[0].enabled='1'
fstab.@mount[0]=mount
fstab.@mount[0].target='/mnt/mmcblk0p4'
fstab.@mount[0].uuid='8c474bac-22d3-4f17-bd78-a4f0f98bdec8'
fstab.@mount[0].enabled='1'
root@OpenWrt:~# mkdir /mnt/mmcblk0p4
root@OpenWrt:~# mkswap  /dev/mmcblk0p3
Setting up swapspace version 1, size = 6534721536 bytes

How to upgrade OpenWrt 21.02 to 22.03.3

Before performing the firmware upgrade, you must back up the current configuration to a file so it can be restored after the upgrade.
Importantly, a forced upgrade will lose the old partition table, which will then have to be rebuilt with the fdisk command.

sysupgrade -F -v <upgrade firmware>