Hey! Listen! There are a few posts about installing OpenWrt on these travel routers. Make sure you’re reading the latest version, below.
| Date | Post |
| --- | --- |
| 2015-08-26 | OpenWrt with OpenVPN server on TP-Link Archer C7 |
| 2015-02-15 | OpenWrt with OpenVPN client on TP-Link TL-MR3020 |
| 2015-01-24 | OpenWrt with OpenVPN client on TP-Link TL-MR3020 |
| 2014-10-19 | OpenWrt with OpenVPN client on TP-Link TL-MR3020 |
| 2014-06-28 | OpenWrt with PPTP VPN on TP-Link TL-MR3020 |
A few weeks ago, the team at OpenWrt released version 14.07 of OpenWrt, called Barrier Breaker. I’m going to be installing Barrier Breaker on my MR3020 and replacing the PPTP VPN client with an OpenVPN client. If you don’t know the difference between PPTP/IPSec/OpenVPN, IVPN has a great comparison chart.
Before we get started, I need to get up on my soapbox and say a few things. If you’re not using a VPN, you should be. VPNs aren’t just for hackers, thieves, or people doing illegal things (you wouldn’t download a car, would you?). VPNs are great for:
- Adding a layer of security to your browsing (VPNs encrypt everything!)
- Securely connecting two routers to create one large network over the internet (businesses do this all the time)
- Students/employees connecting back to their university/office to work remotely (again, a common practice)
- Circumventing geoblocking (i.e., content blocked based on your physical location)
- Watch Netflix from outside the US
- Watch BBC iPlayer from outside the UK
- FREEDOM OF SPEECH! Use a VPN to circumvent government restrictions put on the internet (e.g., China, Iran, North Korea, etc…)
Anyway, I better stop. VPNs are great. If you don’t have one, get one. Personally, I like using Private Internet Access (I’m not compensated, just a happy customer). If you don’t know where to start, TorrentFreak has a great article on which VPN services take your anonymity seriously (newsflash, PIA is at the top of their list).
That was the “why”, this is the “how”.
My plan for this router is to use it when I travel. I plan on plugging it into the Ethernet port in a hotel (or my house/friend’s house/Airbnb host) and having it broadcast a wireless network. Since the router is an OpenVPN client, any devices that join that wireless network will be VPNed into PIA’s servers. Eventually, when I install OpenVPN on my home router, I can route my connection back home. It’s probably easier illustrated than explained, as below.
There are a few advantages to this setup, as opposed to installing the OpenVPN client on each device:
- Devices that don’t support OpenVPN can be protected (XBox, Roku, etc…)
- Multiple machines (phone, laptop, Roku, etc…) can share one VPN connection
- You can switch between an insecure wireless network (home/friend’s house/hotel) and a secure wireless network (OpenWrt) whenever needed
Ready? Let’s get started!
I’m going to assume you’re already running Attitude Adjustment (AA) and want to upgrade to Barrier Breaker (BB). If you’re installing OpenWrt for the first time, see my older post on how to login and install OpenWrt from the factory firmware.
Disconnect your PC from all wired and wireless networks, then connect your MR3020 to your PC. Because of the way I have this router set up from my previous post (eth0 is a DHCP client), I’m going to connect to the WiFi network it’s broadcasting (the DHCP server). I checked my IP, opened my browser, and navigated to 10.80.1.1 (your address may be different). I then logged in with the username and password I had set before.
Once you’re logged into OpenWrt, go to the System tab, then the Backup/Flash Firmware tab. At this point, it’s a good idea to make a backup of your config by pressing Generate Archive.
As-of this writing, the OpenWrt wiki page for the MR3020 doesn’t list BB as the newest firmware. There are two options for the BB download: a file for the factory firmware, and a file for upgrading. We’ll choose the upgrade.
Back at your router, under Flash new firmware image, make sure Keep settings is checked to keep your current settings. I’m going to uncheck this, since I want to start from scratch. Browse to your downloaded firmware, and press Flash image to upgrade it.
Verify the checksum, and press Proceed to continue.
Wait a few minutes and the router will reboot. Check your IP again after it’s back up, as mine had changed since I erased my settings.
At this point, my MR3020 is running stock BB and I’m going to reconfigure it from scratch. Since the wireless network was wiped out, I’m going to reconnect with Ethernet.
From here, the OpenWrt wiki page recommends going through the basic configuration for any OpenWrt installation. I’m going to be combining some of the basic configuration with my configuration for the VPN client.
Navigate to 192.168.1.1 in your browser and you’ll be greeted by LuCI, the web interface for OpenWrt. OpenWrt recently switched to the Unified Configuration Interface, also known as UCI. The UCI is basically a collection of easy-to-read configuration files that are all centrally located, making OpenWrt much easier to configure. What’s nice about LuCI is that it reads/writes from/to the UCI files. Any changes you make in LuCI are reflected in the UCI files, and vice versa, meaning you can configure the MR3020 from the web interface, or from the command line.
Anyway, moving on. Leave the username as “root” and the password field empty. Press Login to continue.
Set a password
From the main status screen, we’re going to set a root password by using the link in the yellow box at the top of the page. If you haven’t noticed, LuCI is a lot easier on the eyes in BB than AA.
Here, you can (and should) set a root password, as well as set up SSH access (which we’ll need later). Press Save & Apply to continue.
Look for Password successfully changed! at the top of the screen.
Verify SSH access by using PuTTY or another SSH client.
logan@fedora20 ~$ ssh root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is ff:cd:03:c1:bd:b2:e4:cc:12:d8:45:12:29:b1:b1:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
root@192.168.1.1's password:


BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (14.07, r42625)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------
root@OpenWrt:~#
The MR3020 doesn’t have a real-time clock or CMOS battery. Because of this, every time it loses power, the clock resets to October 1st. To circumvent this, we’re going to use NTP to get our time from the internet. You don’t have to set up NTP, but it makes troubleshooting easier when you’re looking at timestamped log files. Keep in mind, since the MR3020 is connected directly to your PC (not the internet), this won’t take effect until after we get it online. Don’t freak out if it’s not working right away.
Go to the System dropdown, then select System. Under System Properties, select the General Settings tab. Here, you can set a hostname, as well as select a timezone. Then, under Time Synchronization, make sure the box is checked for Enable NTP client and provide a few NTP servers in the boxes below. I’m using US servers from the NTP Pool Project. Press Save & Apply to continue.
Set default IP
Next, we’re going to change the default IP of the router from 192.168.1.1 to 10.80.1.1 (or whatever scheme you want). Most devices ship with 192.168.1.1 as the default, and since we’re going to be double-NATed, we can’t have two identical IPs on the same network.
Go to the Network dropdown, then select Interfaces. Select Edit on the LAN interface (which is actually a bridge of the wired and wireless interfaces). Under Common Configuration, then the General Setup tab, change the IPv4 address field from 192.168.1.1 to 10.80.1.1 (or whatever scheme you want).
Under DHCP Server, then the General Setup tab, you can also limit the number of addresses available in the DHCP pool (optional). Press Save & Apply to continue.
You’ll have to reboot your MR3020, and then check your IP settings again to verify the change. Log back into the web interface at the new address using your new root password.
Create wireless network
We need to create a wireless network for the MR3020 to broadcast. Eventually, we’re going to turn off LAN access on the Ethernet port, and we’ll need a way to connect to the router locally.
Go to the Network dropdown, then select Wifi. Select Enable on the wireless network. Once enabled, select Edit. Set up your network as needed (name, channel, etc…).
Under Interface Configuration, then the Wireless Security tab, you can choose a WiFi password, preferably WPA2-PSK. Remember, this device may be a direct link back to your home network. Even if you have a strong VPN password, a weak WiFi password with weak encryption (e.g., WEP) could compromise your network. Press Save & Apply to continue.
At this point, you should disconnect the Ethernet cable from the MR3020 and connect to the WiFi network we just set up. Normally, it’s not recommended to configure routers over wireless, but since we’re not going to be transferring files or upgrading firmware, we should be ok.
Setup WAN interface
We need the MR3020 to request an IP address from another router when it is plugged in. For this, we’ll need to make a new interface that will act as a DHCP client.
Go to the Network dropdown, then select Interfaces. Here, you can see the default interface, br-lan, which is a bridge of the wired and wireless interfaces. We’re going to create the WAN interface by pressing Add new interface at the bottom of the screen. Name the interface something like WAN, with the protocol being set to DHCP client, covering the eth0 interface. Press Submit to continue.
On the next screen, under Common Configuration, go to the Firewall Settings tab and select WAN. Press Save & Apply to continue.
Unbridge LAN interfaces
By default, the wired and wireless interfaces are bridged. I want them to be separate, so that I can plug the MR3020 into another router and use the wireless interface of the MR3020 to broadcast an SSID. Essentially, I’m making it so that only another router can use the Ethernet port, and only clients can use the wireless network. If you don’t unbridge the interfaces, you’ve basically just created a wireless AP for the other router.
Go to the Network dropdown, then select Interfaces. Select Edit on the LAN interface. Under Common Configuration, then the Physical Settings tab, uncheck the box for Bridge interfaces. Then, check the radio button next to the OpenWrt (or whatever you named it) wireless network. Press Save & Apply to continue, then reboot your MR3020.
Verify internet access
At this point, plug your MR3020 into a LAN port on your other router, and connect your PC to the MR3020’s wireless network. It doesn’t matter what IP your MR3020 gets from the other router, as your PC should see the MR3020 as 10.80.1.1 (or whatever you made it). You should be able to access the internet, as well as ping websites through SSH.
In addition, go to the Status dropdown, then select Overview to make sure your Local Time field is updated with the correct time, now that we’re on the internet.
Congratulations, you are now double-NATed.
Make some space
Before we get started, we need to make some space for OpenVPN. The MR3020 only has 4MB of flash. After OpenWrt is installed, we’re only left with about 400KB, which won’t be enough for the 600KB+ of OpenSSL libraries we’ll need, in addition to other packages that will make life easier.
root@OpenWrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                  640.0K    228.0K    412.0K  36% /
/dev/root                 2.3M      2.3M         0 100% /rom
tmpfs                    14.1M    448.0K     13.7M   3% /tmp
/dev/mtdblock3          640.0K    228.0K    412.0K  36% /overlay
overlayfs:/overlay      640.0K    228.0K    412.0K  36% /
tmpfs                   512.0K         0    512.0K   0% /dev
There are two ways around this:
- ExtRoot, which can either extend or move the root filesystem to a USB flash drive
- Build a custom image of OpenWrt from scratch, leaving out unnecessary packages
My first instinct was to build a custom image, leaving out PPP. However, after a few hours of trying and multiple images, it still didn’t give me the space I needed. The only way to get OpenVPN on the MR3020 would be to leave LuCI out of the image, and I’m not willing to give that up.
That leaves me with using a USB flash drive to extend or move the filesystem. Thankfully, setting up ExtRoot is pretty easy, and we won’t need a huge flash drive since we’re only after a few extra MB. I plan on picking up something like this, since it’s small.
Start by reading the theory on ExtRoot, then go over the how-to guide. You need to decide whether you’ll be using external overlay (also called pivot-overlay) or external root (also called pivot-root). Essentially, external overlay extends the root filesystem to include the flash drive, while external root copies the root filesystem to the flash drive, then boots from the flash drive. External root has a couple advantages (that I can see):
- You can boot from multiple flash drives, each with a different config (one flash drive with a config for home, another with a config for traveling, etc…)
- If the flash drive dies, OpenWrt still boots from the internal root filesystem
In this guide, I’m going to be using external root.
Get started by formatting your flash drive with an ext4 (or ext3) filesystem from your PC. If you’re running Windows, use this to format the drive. Then, SSH into your router, and install a few packages.
opkg update
opkg install block-mount kmod-usb-storage kmod-fs-ext4
There’s a good chance your kernel modules didn’t load.
kmod: failed to insert /lib/modules/3.10.49/sd_mod.ko
Configuring kmod-usb-storage.
Configuring kmod-crypto-hash.
Configuring kmod-lib-crc16.
Configuring block-mount.
Configuring kmod-fs-ext4.
kmod: failed to insert /lib/modules/3.10.49/ext4.ko
If that’s the case, reboot your router and then plug in your flash drive.
Find the name of your flash drive with the block info command. Mine was /dev/sda1.
root@OpenWrt:~# block info
/dev/mtdblock2: UUID="20ad40ea-d33a421e-785b7d2d-ada99230" VERSION="4.0" TYPE="squashfs"
/dev/mtdblock3: TYPE="jffs2"
/dev/sda1: UUID="9fa36631-ac09-42a0-b090-f61efe6c1bfb" NAME="EXT_JOURNAL" VERSION="1.0" TYPE="ext4"
Create a directory and mount your device on it. Create a mount point of your choosing, and substitute /dev/sda1 with your device name.
mkdir /mnt/batman
mount /dev/sda1 /mnt/batman
Now, copy the router’s internal flash to the flash drive. Obviously, replace /mnt/batman with whatever mount point you’re using.
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/batman -xf -
umount /tmp/cproot
Your flash drive now has a copy of the router’s root filesystem on it (don’t lose it). But, the router will still boot from its internal memory, so we need to change that by editing the /etc/config/fstab file.
cat >> /etc/config/fstab << EOF
config mount
	option target /
	option device /dev/sda1
	option fstype ext4
	option options rw,sync
	option enabled 1
	option enabled_fsck 0
EOF
Reboot your router. When it starts up, check your mount points and you should see that /dev/sda1 has been mounted on /.
root@OpenWrt:~# mount
rootfs on / type rootfs (rw)
/dev/root on /rom type squashfs (ro,noatime)
proc on /proc type proc (rw,noatime)
sysfs on /sys type sysfs (rw,noatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
/dev/sda1 on / type ext4 (rw,relatime,data=ordered)
tmpfs on /dev type tmpfs (rw,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
If you check your space again, you’ll see that your root filesystem is now much larger.
root@OpenWrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                   14.7G     47.0M     13.9G   0% /
/dev/root                 2.3M      2.3M         0 100% /rom
tmpfs                    14.1M    360.0K     13.7M   2% /tmp
/dev/sda1                14.7G     47.0M     13.9G   0% /
tmpfs                   512.0K         0    512.0K   0% /dev
Now we need to install the OpenVPN client and configure it. The VPN termination point is going to be one of PIA’s servers, but it could be any OpenVPN server. You should read OpenWrt’s VPN overview, as well the OpenVPN beginner’s guide and the client guide.
First, we’ll need to install a couple packages: openvpn-openssl for obvious reasons, the real version of wget to download the configuration files from PIA, and unzip to unzip the downloaded files. This is easiest done by connecting through SSH and running the commands below.
opkg update
opkg install openvpn-openssl wget unzip
mv /etc/config/openvpn /etc/config/openvpn_old
Unfortunately, there is no LuCI package for OpenVPN in BB, like there is in AA. As-of this writing, the package luci-app-openvpn is marked as broken. There appears to be a package for Chaos Calmer, located here, but I don’t think that will work in BB. That means we’re doing everything from the command line, which isn’t as intimidating as it may sound. Plus, since LuCI runs from the UCI files, we’ll be able to see some of our changes in LuCI when we log back in.
We’ll need to create a new interface for the VPN by using the commands below. Name the network interface, as well as the physical (even though it’s virtual) interface.
cat >> /etc/config/network << EOF
config interface 'PIA_VPN'
	option proto 'none'
	option ifname 'tun0'
EOF
Download the OpenVPN configuration files from PIA.
cd /etc/openvpn
wget --no-check-certificate https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip
rm openvpn.zip
Now, we need to edit each .ovpn file in /etc/openvpn to include your username and password. However, it’s a pain editing all those files manually. Instead, we’ll create a single file that stores your login credentials. The file I created is called authuser. Substitute your username and password, obviously.
cat >> /etc/openvpn/authuser << EOF
PIA_USERNAME
PIA_PASSWORD
EOF
However, now we’ll have to go back and edit each .ovpn file to look for the authuser file, which is still too much work for me. If you look at each .ovpn file, you’ll see the only difference between them is the server address. What if we created a generic .ovpn connection file which omitted the server address (and port), but specified to use the authuser file? We could pass the server address and port as an option in our command to start the VPN connection.
Create the file with the command below. See how we removed the line for the server/port, and added a line for the authuser file and auth-nocache options?
cat >> /etc/openvpn/piageneric.ovpn << EOF
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass authuser
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
keepalive 10 120
EOF
To compare, this is the US East.ovpn file…
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
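The generic-config idea above can be scripted so none of PIA’s files are hand-edited. The script below is an added example, not code from the original post or from PIA: it strips the server-specific remote line from any downloaded .ovpn, points auth-user-pass at the authuser file, appends the auth-nocache and keepalive options that piageneric.ovpn carries beyond the stock file, and writes authuser with mode 0600 so OpenVPN’s "group or others accessible" warning (it shows up in the connection log further down) never appears. The function names and the sample file it builds for the demo are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build a server-independent OpenVPN
# client config from a PIA per-server .ovpn and store the credentials privately.
# Assumptions: the source file has one "remote <host> <port>" line and a bare
# "auth-user-pass" line, like the US East.ovpn shown above. Function names are mine.

# make_generic_ovpn SRC DEST
# Copy SRC to DEST without the server-specific 'remote' line, replace the bare
# 'auth-user-pass' with one that reads the authuser file, and add the options
# piageneric.ovpn has beyond the stock file. The server is then chosen at run
# time with: openvpn --cd /etc/openvpn --config DEST --remote <host> <port>
make_generic_ovpn() {
    src=$1
    dest=$2
    {
        grep -v -e '^remote ' -e '^auth-user-pass' "$src"
        printf '%s\n' 'auth-user-pass authuser' 'auth-nocache' 'keepalive 10 120'
    } > "$dest"
}

# write_authuser DEST USER PASS
# Create the two-line credentials file with mode 0600 already in force when it
# is created (umask 077), then re-assert the mode in case DEST already existed.
write_authuser() {
    dest=$1
    user=$2
    pass=$3
    ( umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$dest" )
    chmod 600 "$dest"
}

# authuser_is_private FILE
# Succeed only when group and other have no access bits at all, which is the
# condition OpenVPN tests before printing its "group or others accessible" warning.
authuser_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on a constructed copy of the stock file (not a real download):
#   sh make_generic.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    cat > "$work/US East.ovpn" << 'EOF'
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
EOF
    make_generic_ovpn "$work/US East.ovpn" "$work/piageneric.ovpn"
    write_authuser "$work/authuser" 'EXAMPLE_USER' 'EXAMPLE_PASS'   # placeholder credentials
    cat "$work/piageneric.ovpn"
    authuser_is_private "$work/authuser" && echo "authuser is readable by root only"
    rm -rf "$work"
fi
```

On the router you would run it against the real files, e.g. `make_generic_ovpn "/etc/openvpn/US East.ovpn" /etc/openvpn/piageneric.ovpn` followed by `write_authuser /etc/openvpn/authuser PIA_USERNAME PIA_PASSWORD`; the order of directives in the generated file differs from the hand-written one, which OpenVPN does not care about.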
Now, we need to create a new firewall zone for this VPN connection. This is actually the same config as the WAN zone, but it’s easier to make a new zone in case we need to change anything in the future. Name the firewall zone, and substitute the network interface name you created above. We’ll also be forwarding LAN traffic to the VPN.
cat >> /etc/config/firewall << EOF
config zone
	option name 'VPN_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'PIA_VPN'

config forwarding
	option dest 'VPN_FW'
	option src 'lan'
EOF
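One thing worth knowing once this zone exists: OpenWrt’s stock firewall already contains a lan → wan forwarding, so after the stanza above the LAN is allowed out through both zones, and the firewall itself will not stop client traffic from leaving over the plain WAN if tun0 is down. The script below is an added example, not part of the original post: it lists every forwarding stanza in a UCI firewall file written in the format shown above and reports whether lan still forwards straight to wan. The function names and the sample config in the test are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit the 'config forwarding'
# stanzas of a UCI firewall file (/etc/config/firewall on OpenWrt).
# Function names are mine.

# list_forwardings FILE
# Print one "src -> dest" line per forwarding stanza, in file order. Option
# order inside a stanza does not matter (the VPN stanza above lists dest first),
# and single or double quotes around values are stripped.
list_forwardings() {
    awk -v q="['\"]" '
        function flush() {
            if (in_fwd && src != "" && dest != "") print src " -> " dest
            in_fwd = 0; src = ""; dest = ""
        }
        $1 == "config" { flush(); if ($2 == "forwarding") in_fwd = 1 }
        in_fwd && $1 == "option" && $2 == "src"  { gsub(q, "", $3); src = $3 }
        in_fwd && $1 == "option" && $2 == "dest" { gsub(q, "", $3); dest = $3 }
        END { flush() }
    ' "$1"
}

# lan_forwards_to_wan FILE
# Succeed (exit 0) when the lan zone is still allowed to forward directly to
# the wan zone, i.e. client traffic is not confined to the VPN zone.
lan_forwards_to_wan() {
    list_forwardings "$1" | grep -qx 'lan -> wan'
}

# Stand-alone use: sh fw_audit.sh /etc/config/firewall
if [ -n "${1:-}" ]; then
    list_forwardings "$1"
    if lan_forwards_to_wan "$1"; then
        echo "NOTE: lan can still forward to wan, not only to the VPN zone"
    else
        echo "lan does not forward directly to wan"
    fi
fi
```

Whether you keep the lan → wan forwarding is a design choice: with it, the router keeps working as an ordinary travel router when the VPN is not up; without it, the LAN only has a path while the tunnel is connected. The audit just makes the current state visible before you decide.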
Reboot your router. If you’d like, you can login to LuCI and see the new network interface, physical (but really, it’s virtual) interface, and firewall zone. Back on the command line, use the following command to start the VPN. Specify your generic configuration file, and choose a server from PIA.
openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194
If everything went well, you should see something like below, ending in Initialization Sequence Completed. If not, you did something wrong. Check your logs and start looking here.
root@OpenWrt:~# openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194
Sun Oct 19 20:27:00 2014 OpenVPN 2.3.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 20 2014
Sun Oct 19 20:27:00 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Sun Oct 19 20:27:00 2014 WARNING: file 'authuser' is group or others accessible
Sun Oct 19 20:27:00 2014 UDPv4 link local: [undef]
Sun Oct 19 20:27:00 2014 UDPv4 link remote: [AF_INET]220.127.116.11:1194
Sun Oct 19 20:27:06 2014 [Private Internet Access] Peer Connection Initiated with [AF_INET]18.104.22.168:1194
Sun Oct 19 20:27:09 2014 TUN/TAP device tun0 opened
Sun Oct 19 20:27:09 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Oct 19 20:27:09 2014 /sbin/ifconfig tun0 10.137.1.6 pointopoint 10.137.1.5 mtu 1500
Sun Oct 19 20:27:09 2014 Initialization Sequence Completed
Check ifconfig to see if you have a tunnel interface. If you do, that’s good!
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.137.1.6  P-t-P:10.137.1.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:646 errors:0 dropped:0 overruns:0 frame:0
          TX packets:693 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:289558 (282.7 KiB)  TX bytes:181814 (177.5 KiB)
Next, try to get on the internet. If you can’t, there’s a good chance it’s a DNS issue. To resolve this, we’ll set our DNS servers on this connection to use PIA’s DNS servers. It looks like we can set the DNS servers for a specific interface, so we’ll add them for the LAN interface.
uci add_list dhcp.lan.dhcp_option="6,22.214.171.124,126.96.36.199"
uci commit dhcp
reboot
Now we should have DNS working, and since we’re using PIA VPN and PIA DNS servers, we shouldn’t have any DNS leaks.
Restart your VPN connection and try it again! Check your IP with an external tool, like WhatIsMyIP, both on your local wireless network, as well as the OpenWrt network. You should see the difference, meaning you are successfully connected!
Before (on my local network)…
After (VPNed in)…
Now is a good time to check for DNS leaks while on the VPN.
Run at startup
If you’d like your VPN connection to run at startup, go to the System dropdown, then select Startup. In the box at the bottom, paste the following command before exit 0. The ampersand tells OpenWrt not to output anything to the screen.
openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194 &
Backup your config
You did all this work, don’t lose it. Go to the System dropdown, then select Backup/Flash Firmware and press Generate Archive to download a backup of all your configuration files.
At some point during this build, you’ll probably break something and lock yourself out of your router. Thankfully, you’re not left with a paperweight. OpenWrt includes a failsafe mode that will let you telnet to your router. Steps for the MR3020 are below.
- Power off your MR3020 and connect it to your PC via Ethernet
- Set your PC’s IP to 192.168.1.2 with a subnet of 255.255.255.0 and a gateway of 192.168.1.1
- Plug in the power to the MR3020
- When the WPS button starts to flash, slide the switch labeled 3G/4G/WISP/AP back and forth really fast. At this point, the WPS button will start blinking faster than it was before. You are in failsafe mode.
- Connect to the router via telnet and you should see that you are in failsafe mode.
logan@fedora20 ~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (14.07, r42625)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------
- Now, you should be able to change your password by entering passwd, but you may get an error about the filesystem being read-only, like below.
passwd: /etc/passwd: Read-only file system
passwd: can't update password file /etc/passwd
- If that happens, enter mount_root, then try the passwd command again. At this point, you should be able to SSH into the MR3020.
- If you installed too many packages and filled up the filesystem, you can wipe it and do a factory reset with the command below.
- Reboot the router, as below.
- Try to SSH in. If it doesn’t work (mine didn’t), telnet in again, set your password again, and then try SSH again.
- If you want to transfer a new firmware file to the router, you can do that with the SCP utility on your PC.
scp /path/to/file.bin root@192.168.1.1:/path/to/file.bin
- Then, flash the new firmware file with the command below.
sysupgrade -v /path/to/file.bin
Out of the box, LuCI does not support HTTPS. For that, you’ll need a couple packages.
opkg update
opkg install luci-ssl uhttpd-mod-tls
First, back up the original /etc/config/uhttpd file. Then, edit the file to change your certificate settings as needed. The stock px5g section is shown first; the second block is mine after editing (a 2048-bit key and my own subject details).

cp -p /etc/config/uhttpd /etc/config/uhttpd_old
vi /etc/config/uhttpd

config cert 'px5g'
	option days '730'
	option bits '1024'
	option country 'DE'
	option state 'Berlin'
	option location 'Berlin'
	option commonname 'OpenWrt'

config cert 'px5g'
	option days '730'
	option bits '2048'
	option country 'US'
	option state 'Pennsylvania'
	option location 'Pennsylvania'
	option commonname '10.80.1.1'
Once you have your certificate set up, restart the webserver.
You should see a message similar to the one below.
Generating RSA private key, 2048 bit long modulus
Generating selfsigned certificate with subject 'C=US;ST=Pennsylvania;L=Pennsylvania;CN=10.80.1.1;' and validity 20141021000526-20161020000526
If you navigate to /etc, you should see a certificate and a key file.
-rw-r--r--    1 root     root           828 Oct 20 20:50 /etc/uhttpd.crt
-rw-r--r--    1 root     root          1192 Oct 20 20:50 /etc/uhttpd.key
Open your browser, and instead of going to http://10.80.1.1, go to https://10.80.1.1. If you get a scary looking error message, that’s ok. Click Advanced.
Then, proceed to your site.
In the URL bar, you’ll still probably see some intimidating red error message.
Upon further inspection, we can see this error is because the certificate wasn’t generated by a trusted CA (Thawte, Symantec, etc…).
If you inspect the actual certificate, you can see it’s the certificate we created, so you know it can be trusted.
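The reliable way to "see it’s the certificate we created" is to compare the fingerprint the browser’s certificate viewer shows with the fingerprint of the file on the router, rather than just the subject name. The script below is an added example, not code from the original post or from OpenWrt: it reads the subject, key size and SHA-256 fingerprint out of a PEM certificate such as /etc/uhttpd.crt and checks a fingerprint pasted from the browser against it. It assumes the openssl command-line tool is available where it runs (on a Linux PC it normally is; on the MR3020 it is the openssl-util package, which costs flash space), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a PEM certificate such as
# /etc/uhttpd.crt and compare its fingerprint with one shown by a browser.
# Assumes the openssl CLI is installed. Function names are mine.

# cert_subject FILE: the subject (C, ST, L, CN as set in /etc/config/uhttpd).
# The sed strips the "subject=" prefix that differs slightly between OpenSSL versions.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# cert_bits FILE: RSA modulus size, to confirm the 'bits' option took effect.
cert_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_fingerprint FILE: SHA-256 fingerprint as colon-separated upper-case hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# normalize_fp STRING: drop colons and spaces and force upper case, so a value
# copied from a browser (which may use lower case or spaces) compares cleanly.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprint_matches FILE EXPECTED: succeed when EXPECTED is FILE's SHA-256 fingerprint.
fingerprint_matches() {
    [ "$(normalize_fp "$(cert_fingerprint "$1")")" = "$(normalize_fp "$2")" ]
}

# Stand-alone use: sh cert_check.sh /etc/uhttpd.crt [fingerprint-from-browser]
if [ -n "${1:-}" ]; then
    echo "subject:  $(cert_subject "$1")"
    echo "key size: $(cert_bits "$1") bit"
    echo "sha256:   $(cert_fingerprint "$1")"
    if [ -n "${2:-}" ]; then
        if fingerprint_matches "$1" "$2"; then
            echo "MATCH: the browser is talking to this certificate"
        else
            echo "MISMATCH: the certificate the browser sees is not this one"
        fi
    fi
fi
```

Run it over SSH on the router (or on a copy of /etc/uhttpd.crt pulled down with scp) and compare the sha256 line with the SHA-256 fingerprint in the browser’s certificate details; a match means the warning is only about the missing CA, not about a different certificate being presented on the path.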