Previewing OpenWrt 15.05 [LWN.net]

By Jonathan Corbet
July 1, 2015

Network routers play an important role in the security of a home or business network. For that reason, it is important that they be kept current; routers running old software undoubtedly have a number of known security vulnerabilities in them. This is a problem for routers running their factory firmware; that firmware is likely to never be updated and, thus, full of problems. The good news is that more aware users, like your editor, can run a free router distribution like OpenWrt and, by keeping up with its releases, run a relatively secure network. Life in the real world does not always work so nicely, though — a fact unintentionally brought to your editor's mind by the upcoming OpenWrt 15.05 "Chaos Calmer" release.

Routers, it seems, are easy to forget. Your editor's router, at the beginning of the research for this article, was running OpenWrt 10.03.1, which was released in 2011 and featured a bleeding-edge 2.6.32 kernel. Routers, it seems, are easy to forget as long as they work; this one had been happily working away since this article was written nearly four years ago. This router could have been updated a number of times over those four years, but that didn't happen; your editor suspects that frequently updated routers will be the exception rather than the rule, especially when one is talking about small, consumer-level devices.

Calming the chaos

There is no question that this particular device was overdue for an update. Still, it takes a certain state of mind to take a working router (the only working router in the house) and flash a release-candidate version of the operating system onto it, skipping over several releases in the process, shortly before the weekly publication deadline. Your editor, not always known for his wisdom in such things, went for it — and got away with it. The upgrade worked, the router booted properly, and settings were preserved. Users with more complex setups may not have had such good luck, but, for a simple router configuration, this multi-version upgrade works fine.

Once it's done, the end result doesn't look a lot different than what was there before. The web-based LuCI management interface has been cleaned up a bit, but is essentially the same as it was in 2011. To a first approximation, the router does what it did before: it sits there and routes packets.

This impression overlooks the fact that quite a bit of work has been done in the less-visible parts of the system. The kernel has been pulled forward to 3.18.14; that will bring a lot of improvements with it. For example, quite a bit of work addressing the bufferbloat problem happened between 2.6.32 and 3.18; integrating and making use of those kernel changes happened mostly in the derivative CeroWrt project, but the changes have generally found their way back to OpenWrt. Support for IPv6 has improved considerably over the years. There is also, naturally, support for a number of new hardware platforms.

There are some new security features in the 15.05 release. The distribution's package-signing mechanism now evidently uses the ed25519 signature system. Work has gone into hardening the OpenWrt build using the various features (stack protection, for example) provided by GCC. The uhttpd web server can now force the use of TLS. And so on.

There is also a new "jails" mechanism built into the router, meant to prevent the compromise of one daemon process from being escalated into a compromise of the router as a whole. Documentation for this feature, it must be said, does not seem to have escaped from the jail yet, so there is little information available on how it works or how to use it. This posting from OpenWrt developer John Crispin offers some clues, though. It is based on the use of mount namespaces to isolate a jailed process from the filesystem as a whole; it also uses the seccomp mechanism to limit the system calls that a jailed program may invoke. Future plans call for the addition of user and network namespaces, fancier seccomp filtering, control-group support, and more.

All told, 15.05 looks to be a solid OpenWrt release, and the project is working hard on more useful stuff for future releases. Among other things, the next release after 15.05 will use the musl C library by default. Longtime OpenWrt release watchers will also be amused by the probable name for this release. OpenWrt's tradition has been to name its releases after alcoholic beverages in alphabetical order; the "D" name, instead, looks to be "Designated Driver."

A couple of concerns

Your editor can find things to worry about in any project, and OpenWrt is no exception. For example, if one looks at the above-linked message regarding the jail facility, one will find this bit of text:

We have extended the kernel's seccomp implementation and added an additional return action that works exactly like the errno action described above but also prints a line to the kernel log reporting which process triggered the exception and what syscall number is missing.

That simple change can be found in this patch in the OpenWrt repository. Where you will not find it, though, is in the mainline kernel. Similar things can be found throughout the OpenWrt kernel. There are 243 patches in the "generic" part of the repository; the ar71xx subdirectory (supporting your editor's WNDR3700v2 router) has 88 more. These patches represent features (and, crucially, hardware support) that are not available in the mainline kernel; they also make work for OpenWrt developers, who must go through a lengthy forward-porting process every time they move to a new kernel.

There are OpenWrt developers who push code back upstream, but one gets the impression that they are in the minority. It looks like OpenWrt is caught up in the same situation as embedded developers worldwide; they are busy just getting everything to work and don't necessarily have the time to push changes back upstream. If there are aspiring kernel developers out there looking for a place to get started, working to move some of OpenWrt's patches upstream would be a great service to both projects.

There is one other concern that is worth raising: the OpenWrt project still lacks processes for the creation, distribution, and application of security updates. The "application" part is a hard problem due to the limited amounts of storage available on most consumer-level routers (the WNDR3700v2 has a total of 16MB, for example). OpenWrt uses squashfs to cram as much software possible into that space; squashfs does not handle replacing existing files well. So, realistically, the only way to update the software on systems like that is to do a full update, which is a multi-step process whenever add-on packages are involved.

There were rumors a few years ago about a better package-update mechanism under development for OpenWrt, but that has never seen the light of day. Even the full-update approach could be made to work, though, if there were a process for identifying security issues and making the updates available. OpenWrt does not appear to have any such process. So there is no way to notify users of problems, and no way to get fixes out to them in a timely manner. Users are left to pay attention and apply upgrades when they become available, which is not all that frequently. And, as has already been seen, even relatively aware users are not always paying attention to the state of the software on their routers.

That said, a simple fact remains true: one of the best ways to improve the security of a consumer-grade router is to dump the factory firmware and install a distribution like OpenWrt on it, preferably before ever exposing it to the Internet. A default OpenWrt installation is configured for security, and the project's developers are working on improving security in a number of areas. But, someday, it would be nice to see a better process for reacting to the security issues that will inevitably come about after an OpenWrt installation is put online.

All told, OpenWrt is a solid contribution to the wider Linux ecosystem. This distribution allows us to take control of an important appliance, make it serve our needs precisely, and add interesting functionality. It serves as the base for other projects, including CeroWrt and Gargoyle; some commercial router vendors also base their firmware on OpenWrt. Your editor would not consider buying a router that lacked OpenWrt support. Happily, the project appears to be going strong and such support will only get better in the coming years.

Index entries for this article
Security	Distribution security
Security	Home network

Previewing OpenWrt 15.05

Posted Jul 2, 2015 6:33 UTC (Thu) by imitev (guest, #60045) [Link] (9 responses)

I've been running openwrt for years on a few routers without any major problem, the distribution is really stable.
However I find the lack of a proper security update mecanism - as underlined in the article (and the previous one on LWN, IIRC) - more and more worrying. I run a few openvpn instances, and while one "enjoy" for instance a frequent stream of ssl security updates on mainstream distros, there's no such thing in openwrt. So without actively monitoring updates or building packages with security patches, one can't consider running openvpn under openwrt secure. That's fine for low security traffic, but is a no-go otherwise. Same thing for VoIP software or anything that is facing internet.

Another thing is that updating a single package remotely is fine, but flashing the whole firmware of a critical router hundreds of miles away is a reliable source of (bad) adrenaline, thus encouraging one to let the router rot with multi-year old versions.

Last time I wanted to do something about it I ended up installing centos on my home x86 router (alix) ; but it trashed the CF card after 2 years (I'm still surprised how long it took though !). I still have to find a security conscious distribution with regular updates that is writing logs/temp files/... in RAM, with a minimum of writes on the root fs. Mounting /tmp and /var as tmpfs and populating it at boot time is feasible but the idea is to have something hassle free.
Or - I could just replace the CF with a SSD...
Anyway - distribution suggestions welcomed ! :)

Previewing OpenWrt 15.05

Posted Jul 2, 2015 12:42 UTC (Thu) by wodny (subscriber, #73045) [Link] (3 responses)

You can use an OS that works with squashfs as the base and allows filesystem overlays with AUFS or overlayfs. It's much simpler than finding directories that have to be writable by hand and mount tmpfs in every one of them. Debian Live is one example of a ready to use solution. Making a regular Debian a live one requires just some not that complicated initramfs mods. You do a tmpfs AUFS overlay for regular operation. When running you can mount AUFS with an underlying ext4 (e.g.), chroot to it and perform an upgrade. I've used that scheme on tens of machines working on uSD and CF memories. Tested with regular Debian Wheezy and Jessie (with sysv init, though).

Previewing OpenWrt 15.05

Posted Jul 2, 2015 16:19 UTC (Thu) by mtaht (guest, #11087) [Link]

Like other distros, openwrt needs a long term stable, and fully funded, maintainer.

Previewing OpenWrt 15.05

Posted Jul 4, 2015 14:52 UTC (Sat) by imitev (guest, #60045) [Link] (1 responses)

That sounds pretty neat. The problem, for one with scarce spare time and only a few devices, is if time spent to create and maintain patches/mods is worth it. For tens of devices there's no such question though.
Do you have those mod scripts published somewhere ? What was the maintenance "time cost" - did the modifications you've done ever break when Debian upgraded core packages ?

Previewing OpenWrt 15.05

Posted Jul 4, 2015 15:17 UTC (Sat) by wodny (subscriber, #73045) [Link]

I have done it for my employer and didn't publish it. But it was based on the Ubuntu live CD/USB image from around 2012.

Package upgrades (generally) worked. The first version hasn't been modified (at least not because of some breakage). I had problems during grub2 upgrades because one of the hook-scripts failed to work inside an AUFS chroot. But finally I've used extlinux because it's much easier to maintain with embedded solutions. Extlinux works (since a bug has been resolved[1]).

Still I think it's worth trying with Debian Live[2] first.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670515
[2] http://live.debian.net/

Previewing OpenWrt 15.05

Posted Jul 3, 2015 22:12 UTC (Fri) by gerdesj (subscriber, #5446) [Link] (2 responses)

"I still have to find a security conscious distribution with regular updates that is writing logs/temp files/... in RAM, with a minimum of writes on the root fs. Mounting /tmp and /var as tmpfs and populating it at boot time is feasible but the idea is to have something hassle free."

You have just described pfSense nano (nee m0n0wall, other forks are also available). It's FreeBSD based and is pretty damn good IMNSHO.

Cheers
Jon

Previewing OpenWrt 15.05

Posted Jul 4, 2015 15:03 UTC (Sat) by imitev (guest, #60045) [Link] (1 responses)

Actually I've looked a those and yes, the FreeBSD projects standed out from the crowd and seemed to be well maintained. The problem is that I have a lot of linux specific stuff running on my routers: advanced iptables and QoS scripts, custom built programs (eg. for serial communication with solar inverters, ...).
I'm sure I could do the same thing with FreeBSD and would be happy to learn in the process, but I don't have enough spare time in the foreseeable future to migrate those few routers :(

Previewing OpenWrt 15.05

Posted Jul 5, 2015 9:38 UTC (Sun) by gerdesj (subscriber, #5446) [Link]

You could put put a Raspberry Pi behind the pfSense box. pfSense has a complete webby GUI so you don't need to hit the command line unless you want to (most of my staff are unaware it even has one). Even then FreeBSD isn't much of a jump to get to grips with for a Linux sysadmin. Anyway, as we see in this article we have several great choices for our open source router distros and that is really good.

Tools for the job 8)

Previewing OpenWrt 15.05

Posted Sep 11, 2015 15:05 UTC (Fri) by fest3er (guest, #60379) [Link]

http://community.smoothwall.org

Previewing OpenWrt 15.05

Posted Sep 19, 2015 11:14 UTC (Sat) by envisage (guest, #104534) [Link]

I've only come across this thread recently, but am surprised that nobody mentioned Linux-based IPFire.
The developers are quick to patch security vulnerabilities and I've always found x86 support excellent (they do support other platforms, but I don't personally have any experience with those).

Here's a (now rather dated) review: http://lwn.net/Articles/385045/

Previewing OpenWrt 15.05

Posted Jul 3, 2015 21:54 UTC (Fri) by gerdesj (subscriber, #5446) [Link] (3 responses)

Jon

Your reader used to have a similar attitude towards home IT as your second para alludes to, until he discovered to his cost: The wife acceptance factor (WAF). There will be some here nodding sagely at this point.

My home intertubes access mechanism has UPS, two independent links and a two node pfSense (Nano) CARP cluster. I even put the BT cabling into conduit. Service uptime is now WAF compliant - for now. The only time I have had an outage was when the entire town lost power for several hours - I am now looking at a diesel generator, a small outbuilding and a 50m run of SWA.

Cheers
Jon

PS The fact that I enjoy trying to match or exceed "enterprise grade" at home on a reasonable(ish) budget is purely coincidental.

Previewing OpenWrt 15.05

Posted Jul 4, 2015 3:00 UTC (Sat) by pr1268 (guest, #24648) [Link] (2 responses)

My home intertubes access mechanism has UPS [...] The only time I have had an outage was when the entire town lost power for several hours

You mean the UPS didn't last that long? I thought most SoHo equipment (both consumer-grade and enterprise-level) didn't draw that much current.

Or, was your connection to "the pipes" also severed during this blackout? (That's something I've experienced with cable Internet.)

Previewing OpenWrt 15.05

Posted Jul 4, 2015 13:02 UTC (Sat) by gerdesj (subscriber, #5446) [Link]

"You mean the UPS didn't last that long? I thought most SoHo equipment (both consumer-grade and enterprise-level) didn't draw that much current."

The power out was for four hours I recall and the ESXi (Dell PE) helps drain the battery in 20 mins 8(

I'm only half joking about the genny - my house is our office DR site!

Cheers
Jon

Previewing OpenWrt 15.05

Posted Jul 5, 2015 19:28 UTC (Sun) by luto (subscriber, #39314) [Link]

> You mean the UPS didn't last that long? I thought most SoHo equipment (both consumer-grade and enterprise-level) didn't draw that much current.

I think I've only had a UPS help during a power outage once. On the other hand, I've had multiple different UPSes (all APC, but that's just because I've only really used APC UPSes) flip out frequently and shut off the load even though the input power was fine.

It got so bad that at one point I had a server with redundant power supplies with one supply plugged straight into the wall and the other plugged into the UPS. That way the UPS (which was flipping out about once per week) wasn't a single point of failure.

Previewing OpenWrt 15.05

Posted Jul 7, 2015 23:44 UTC (Tue) by kjp (guest, #39639) [Link] (1 responses)

I'm very pleased with how easily OpenWRT 14.04 does IPv6. My new $20 router didn't support it with stock firmware.

Previewing OpenWrt 15.05

Posted Sep 12, 2015 15:00 UTC (Sat) by Lennie (subscriber, #49641) [Link]

I wouldn't be surprised a significant part of IPv6 support came from the Cerowrt project.

Openwrt code missing at upstream

Posted Jul 14, 2015 15:03 UTC (Tue) by xose (subscriber, #535) [Link]

> A couple of concerns

> Your editor can find things to worry about in any project, and OpenWrt is no exception. [...]

If anyone is interested in digging into the code,
git repo is at http://git.openwrt.org/?p=openwrt.git

There are plenty of patches in: target/linux/* (target/linux/generic/patches-* specifically) and package/kernel/*