OpenWRT in Vmware as a light weight router and virtual host - NETSEC


Cybersecurity Memo

Friday, January 22, 2021


OpenWrt is a Linux distribution for embedded devices and provides a fully writable filesystem with package management.

For me, it is also perfect to run OpenWRT as a small router or virtual host in my virtual rack. I had been using BSD Router (BSDRP) for this purpose for quite a while. Now it seems a better one is coming.

To make a note of it, I list all the steps for loading it in VMware Workstation.


Using OVA file


There is no password for root.

Follow these steps to get an up-to-date VM with the latest code running on ESXi in 15 minutes:

  1. Import the OVA into VMware ESXi (tested with the latest version 6 in July 2016).
     The base image has only one virtual NIC, set up for DHCP.
  2. Power on the VM, note its MAC address, and find that address on your DHCP server.
  3. Confirm the OpenWrt VM's IP address by opening the console.
  4. Press Enter to get a prompt.
  5. Type ifconfig | more to see the DHCP-assigned IP address for the bridge attached to the NIC.
  6. If you don't have a DHCP server on your network, you can set the IP address manually: vi /etc/config/network
     The whole goal here is to get the OpenWrt VM on the network so you can reach the LuCI web interface with a browser. This way we can update the base image.
  7. Once you've logged in to the LuCI web interface, set a root password so you can SSH in.
  8. In the web UI navigate to the System/Flash Operations page and find this text: "Flash new firmware image - Upload a sysupgrade-compatible image here to replace the running firmware. Check “Keep settings” to retain the current configuration (requires an OpenWrt compatible firmware image)."
  9. On your admin system with the web browser, download the latest file to prepare for the flash upgrade of OpenWrt: https://downloads.openwrt.org/chaos_calmer/15.05.1/x86/generic/openwrt-15.05.1-x86-generic-combined-ext4.img.gz (this was the most current available from https://downloads.openwrt.org/, dated 16 March 2016, last checked 11 Sept 2016).
  10. Then upload that to your running OpenWrt system and click “Flash Image…”.
  11. Reboot and log in again.
  12. Now you can add the second NIC to use the OpenWrt VM as a WAN router. I set mine up with both DHCP and static IP addresses for the WAN, and the LAN interface was configured as a DHCP server.
  13. To prepare for testing, install iperf3 and nmap from the System/Software page of the web UI.
  14. See the testing section below for details…
  15. That's pretty much it. I'm very happy with this new setup. I was also looking at M0n0wall (monowall) and pfSense to run as VMs, but OpenWrt has a lot more going for it as far as an open-source ecosystem and developer/vendor support.

Notes: https://openwrt.org/docs/guide-user/virtualization/vmware


Using VMDK file


1. Download the package from https://downloads.openwrt.org/backfire/10.03.1/x86_generic/openwrt-x86-generic-combined-ext2.vmdk
   MD5 sum: a258b7a5787f6bd8c8169391941813f4

There are some other versions we can use:

version 10.03.1 - https://archive.openwrt.org/backfire/10.03.1/x86_generic/openwrt-x86-generic-combined-ext2.vmdk

version 15.05.1 - https://downloads.libremesh.org/community_chaos/16.07/x86/generic/openwrt-15.05.1-x86-generic-combined-ext4.vmdk

You can also convert any raw image file to VMDK format with the qemu-img program. Here is the command, in case you have the latest image file:

qemu-img convert -f raw openwrt-15.05.1-x86-generic-combined-squashfs.img -O vmdk openwrt-15.05.1-x86-generic-combined-squashfs.vmdk

2. Create a VM with the following configuration

Almost all settings are the defaults, except choose "Other Linux 2.6.x kernel" as the guest operating system.
Memory = 32M
Hard Disk = 52M


Note: The named pipe configuration is no longer needed. After the installation completes, you can press Enter directly to get into the console.

In OpenWrt, the first interface (eth0) is set up as LAN by default. The second (eth1) is set up as WAN. You might need to adjust the LAN and WAN interface configuration to match the VMware network settings.

3. Choose IDE as your hard disk type

If the default SCSI type makes your vm stop at "Waiting for root device /dev/sda2...", you can choose IDE.

This is not an issue in newer versions of OpenWrt.

4. Boot Console Output

Please be patient, while OpenWrt loads ...
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
- regular preinit -
- init -

Please press Enter to activate this console. natsemi dp8381x driver, version 2.1, Sept 11, 2006
  originally by Donald Becker <[email protected]>
  2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (449 buckets, 1796 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
8139too Fast Ethernet driver 0.9.28
e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI
e100: Copyright(c) 1999-2006 Intel Corporation
Intel(R) PRO/1000 Network Driver - version 7.3.21-k5-NAPI
Copyright (c) 1999-2006 Intel Corporation.
ne2k-pci.c:v1.03 9/22/2003 D. Becker/P. Gortmaker
pcnet32.c:v1.35 21.Apr.2008 [email protected]
pcnet32 0000:02:00.0: PCI INT A -> GSI 18 (level, low) -> IRQ 18
pcnet32: PCnet/PCI II 79C970A at 0x2000, 00:0c:29:cb:1b:48 assigned IRQ 18.
eth0: registered as PCnet/PCI II 79C970A
pcnet32 0000:02:01.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
pcnet32: PCnet/PCI II 79C970A at 0x2080, 00:0c:29:cb:1b:52 assigned IRQ 19.
eth1: registered as PCnet/PCI II 79C970A
pcnet32: 2 cards_found.
eth0: link up
sis900.c: v1.08.10 Apr. 2 2006
device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering forwarding state
via-rhine.c:v1.10-LK1.4.3 2007-03-06 Written by Donald Becker



BusyBox v1.15.3 (2011-11-24 18:38:13 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03.1, r29592) ------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua
  * 1/3 shot Bailey's  on the bottom, then Bailey's,
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------
root@OpenWrt:/#


5. Basic Configuration with the uci show Command

root@OpenWrt:/# uci
Usage: uci [<options>] <command> [<arguments>]

Commands:
        batch
        export     [<config>]
        import     [<config>]
        changes    [<config>]
        commit     [<config>]
        add        <config> <section-type>
        add_list   <config>.<section>.<option>=<string>
        show       [<config>[.<section>[.<option>]]]
        get        <config>.<section>[.<option>]
        set        <config>.<section>[.<option>]=<value>
        delete     <config>[.<section[.<option>]]
        rename     <config>.<section>[.<option>]=<name>
        revert     <config>[.<section>[.<option>]]
        reorder    <config>.<section>=<position>

Options:
        -c <path>  set the search path for config files (default: /etc/config)
        -d <str>   set the delimiter for list values in uci show
        -f <file>  use <file> as input instead of stdin
        -L         do not load any plugins
        -m         when importing, merge data into an existing package
        -n         name unnamed sections on export (default)
        -N         don't name unnamed sections
        -p <path>  add a search path for config change files
        -P <path>  add a search path for config change files and use as default
        -q         quiet mode (don't print error messages)
        -s         force strict mode (stop on parser errors, default)
        -S         disable strict mode
        -X         do not use extended syntax on 'show'

root@OpenWrt:/# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].RootPasswordAuth=on
dropbear.@dropbear[0].Port=22
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].network=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=REJECT
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].network=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src=lan
firewall.@forwarding[0].dest=wan
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
luci.main=core
luci.main.lang=auto
luci.main.mediaurlbase=/luci-static/openwrt.org
luci.main.resourcebase=/luci-static/resources
luci.flash_keep=extern
luci.flash_keep.uci=/etc/config/
luci.flash_keep.dropbear=/etc/dropbear/
luci.flash_keep.openvpn=/etc/openvpn/
luci.flash_keep.passwd=/etc/passwd
luci.flash_keep.opkg=/etc/opkg.conf
luci.flash_keep.firewall=/etc/firewall.user
luci.flash_keep.uploads=/lib/uci/upload/
luci.languages=internal
luci.languages.en=English
luci.sauth=internal
luci.sauth.sessionpath=/tmp/luci-sessions
luci.sauth.sessiontime=3600
luci.ccache=internal
luci.ccache.enable=1
luci.themes=internal
luci.themes.OpenWrt=/luci-static/openwrt.org
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.ifname=eth0
network.lan.type=bridge
network.lan.proto=static
network.lan.ipaddr=192.168.1.1
network.lan.netmask=255.255.255.0
system.@system[0]=system
system.@system[0].hostname=OpenWrt
system.@system[0].timezone=UTC
system.ntp=timeserver
system.ntp.server=0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org 2.openwrt.pool.ntp.org 3.openwrt.pool.ntp.org
ucitrack.@network[0]=network
ucitrack.@network[0].init=network
ucitrack.@network[0].affects=dhcp radvd
ucitrack.@wireless[0]=wireless
ucitrack.@wireless[0].affects=network
ucitrack.@firewall[0]=firewall
ucitrack.@firewall[0].init=firewall
ucitrack.@firewall[0].affects=luci-splash qos miniupnpd
ucitrack.@olsr[0]=olsr
ucitrack.@olsr[0].init=olsrd
ucitrack.@dhcp[0]=dhcp
ucitrack.@dhcp[0].init=dnsmasq
ucitrack.@dropbear[0]=dropbear
ucitrack.@dropbear[0].init=dropbear
ucitrack.@httpd[0]=httpd
ucitrack.@httpd[0].init=httpd
ucitrack.@fstab[0]=fstab
ucitrack.@fstab[0].init=fstab
ucitrack.@qos[0]=qos
ucitrack.@qos[0].init=qos
ucitrack.@system[0]=system
ucitrack.@system[0].init=led
ucitrack.@system[0].affects=luci_statistics
ucitrack.@luci_splash[0]=luci_splash
ucitrack.@luci_splash[0].init=luci_splash
ucitrack.@upnpd[0]=upnpd
ucitrack.@upnpd[0].init=miniupnpd
ucitrack.@ntpclient[0]=ntpclient
ucitrack.@ntpclient[0].init=ntpclient
ucitrack.@samba[0]=samba
ucitrack.@samba[0].init=samba
ucitrack.@tinyproxy[0]=tinyproxy
ucitrack.@tinyproxy[0].init=tinyproxy
uhttpd.main=uhttpd
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.listen_https=0.0.0.0:443
uhttpd.main.home=/www
uhttpd.main.rfc1918_filter=1
uhttpd.main.cert=/etc/uhttpd.crt
uhttpd.main.key=/etc/uhttpd.key
uhttpd.main.cgi_prefix=/cgi-bin
uhttpd.main.script_timeout=60
uhttpd.main.network_timeout=30
uhttpd.main.tcp_keepalive=1
uhttpd.px5g=cert
uhttpd.px5g.days=730
uhttpd.px5g.bits=1024
uhttpd.px5g.country=DE
uhttpd.px5g.state=Berlin
uhttpd.px5g.location=Berlin
uhttpd.px5g.commonname=OpenWrt
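A defender-side check over the dump above, as an added example that is not part of the post: a small sh script that reads `uci show` output and flags the settings worth reviewing on a router VM (root password login on dropbear, a wan zone whose input policy is not REJECT/DROP, LuCI bound to all interfaces without the RFC1918 filter, and the 1024-bit self-signed certificate key). SAMPLE_DUMP is constructed from the values printed above; the thresholds are the script's own assumptions.

```sh
#!/bin/sh
# Added example (not from the post): audit a `uci show` dump for settings a
# defender would review on a VM router. SAMPLE_DUMP is constructed from the
# defaults printed in the post; the thresholds are this script's assumptions.
SAMPLE_DUMP='dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].RootPasswordAuth=on
dropbear.@dropbear[0].Port=22
firewall.@zone[0].name=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[1].name=wan
firewall.@zone[1].input=REJECT
uhttpd.main.listen_http=0.0.0.0:80
uhttpd.main.rfc1918_filter=1
uhttpd.px5g.bits=1024'

# uci_get DUMP KEY -> value of KEY; exact prefix match, no regex (keys contain [ . @)
uci_get() {
  printf '%s\n' "$1" | awk -v k="$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1) }'
}

# uci_zone DUMP NAME -> section id (e.g. firewall.@zone[1]) of the zone called NAME
uci_zone() {
  printf '%s\n' "$1" | awk -F= -v n="$2" \
    'index($1, "firewall.@zone[") == 1 && $1 ~ /\.name$/ && $2 == n { sub(/\.name$/, "", $1); print $1 }'
}

# uci_audit DUMP -> prints one finding per line, returns the number of findings
uci_audit() {
  d=$1; n=0
  if [ "$(uci_get "$d" 'dropbear.@dropbear[0].RootPasswordAuth')" = on ] &&
     [ "$(uci_get "$d" 'dropbear.@dropbear[0].PasswordAuth')" = on ]; then
    echo "dropbear: root password login enabled; prefer key auth and set a strong password"; n=$((n + 1))
  fi
  wan=$(uci_zone "$d" wan)   # empty if no zone is named wan; that is also flagged
  case "$(uci_get "$d" "$wan.input")" in
    REJECT|DROP) ;;
    *) echo "firewall: wan zone input policy is not REJECT/DROP (or no wan zone)"; n=$((n + 1)) ;;
  esac
  case "$(uci_get "$d" uhttpd.main.listen_http)" in
    0.0.0.0:*) [ "$(uci_get "$d" uhttpd.main.rfc1918_filter)" = 1 ] ||
      { echo "uhttpd: LuCI listens on all interfaces without rfc1918_filter"; n=$((n + 1)); } ;;
  esac
  bits=$(uci_get "$d" uhttpd.px5g.bits)
  if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
    echo "uhttpd: self-signed cert key is ${bits} bits; use 2048 or more"; n=$((n + 1))
  fi
  return $n
}
```

Run it on a live box with `uci_audit "$(uci show)"`; on the dump above it reports the dropbear and certificate findings and is silent on the wan zone, whose input policy is already REJECT.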

6. Change Interface IP Address

  • vi /etc/config/network
  • or use the uci command
root@OpenWrt:/# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:0C:29:CB:1B:48 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:109 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:25588 (24.9 KiB)  TX bytes:812 (812.0 B)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:CB:1B:48 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:109 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27114 (26.4 KiB)  TX bytes:812 (812.0 B)
          Interrupt:18 Base address:0x2000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:864 errors:0 dropped:0 overruns:0 frame:0
          TX packets:864 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:60480 (59.0 KiB)  TX bytes:60480 (59.0 KiB)


root@OpenWrt:/# uci set network.lan.proto=static
root@OpenWrt:/# uci set network.lan.ipaddr=192.168.1.130
root@OpenWrt:/# uci set network.lan.netmask=255.255.255.0
root@OpenWrt:/# uci set network.lan.gateway=192.168.1.1
root@OpenWrt:/# uci set network.lan.dns=8.8.8.8

 
root@OpenWrt:/# /etc/init.d/network restart
br-lan: port 1(eth0) entering disabled state
device eth0 left promiscuous mode
br-lan: port 1(eth0) entering disabled state
eth0: link up
eth0: link up
device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering forwarding state
root@OpenWrt:/# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:0C:29:CB:1B:48 
          inet addr:192.168.1.130  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
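The same change as the session above, written as a small sh script (an added example, not from the post) that validates each address before touching the configuration and finishes with `uci commit network`, which writes the staged change to /etc/config/network so it survives a reboot; `uci set` alone only records a pending change. The UCI variable exists only so the script can be dry-run with an echo stub.

```sh
#!/bin/sh
# Added example (not from the post): set a static LAN address the way section 6
# does, but validate the input, commit the change, and revert on failure.
# UCI defaults to the real uci binary; set UCI=echo to dry-run it.
UCI="${UCI:-uci}"

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# set_lan_static IP NETMASK GATEWAY DNS -> stages, then commits network.lan
set_lan_static() {
  for a in "$1" "$2" "$3" "$4"; do
    is_ipv4 "$a" || { echo "invalid address: $a" >&2; return 2; }
  done
  $UCI set network.lan.proto=static &&
  $UCI set network.lan.ipaddr="$1" &&
  $UCI set network.lan.netmask="$2" &&
  $UCI set network.lan.gateway="$3" &&
  $UCI set network.lan.dns="$4" || { $UCI revert network; return 1; }
  # Without commit the values live only in the pending-change area and are
  # lost at reboot; /etc/init.d/network restart then applies the saved file.
  $UCI commit network
}
```

On the router run `set_lan_static 192.168.1.130 255.255.255.0 192.168.1.1 8.8.8.8 && /etc/init.d/network restart`, expecting to lose the console session if you are connected over the old address.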

7. Upload it to ESXi




8. Second Interface

By default, only eth0 is activated, as the LAN interface with the IP address 192.168.1.1. It is much easier to add another interface to OpenWRT through the web UI, as shown in the screenshot below.



9. Root Password Reset (Failsafe Mode)

If you have forgotten the root password or the root password no longer works, you have to use Failsafe Mode and Factory Reset.

From there, you don't have to reset the whole configuration. Note that failsafe mode does not require a password to authenticate as root (!)

You only have to mount the root file system, set a new password with passwd, and then trigger a restart. In failsafe mode, passwd will not ask for the old password (that you may have forgotten):

root@(none):~# mount_root
switching to jffs2 overlay
root@(none):/rom/root# passwd
Changing password for root
New password:
Retype password:
passwd: password for root changed by root
root@(none):/rom/root# reboot -f

Note: https://openwrt.org/docs/guide-user/troubleshooting/root_password_reset

KoolShare Firmware:


Download: http://firmware.koolshare.cn/LEDE_X64_fw867/

The VMDK format can be downloaded from: http://firmware.koolshare.cn/LEDE_X64_fw867/虚拟机转盘或PE下写盘专用

