@hkfuertes
Last active August 13, 2024 19:30

Build the Image

Simple steps for the OpenWrt firmware selector (https://firmware-selector.openwrt.org) to generate an OpenWrt image for a Raspberry Pi with Wi-Fi enabled and networking over USB (the g_ether gadget driver). The package list goes in the selector's package box, and the uci-defaults block below goes in its first-boot script box.

Packages:

# USB Gadget over USB-C
kmod-usb-gadget kmod-usb-gadget-eth kmod-usb-dwc2

# Expand root filesystem to whole sdcard
parted losetup resize2fs

# USB Tether for phones
kmod-usb-net-rndis kmod-usb-net-cdc-ncm kmod-usb-net-cdc-eem kmod-usb-net-cdc-ether kmod-usb-net-cdc-subset kmod-nls-base kmod-usb-core kmod-usb-net kmod-usb2

# Extra drivers for usb wifi
kmod-mt7601u

# Wireguard
wireguard-tools luci-proto-wireguard

# Multi WAN Manager
luci-app-mwan3 mwan3 iptables-nft ip6tables-nft

uci-defaults (first-boot script; runs once, then the image reboots):

# Use a LAN subnet other than the default 192.168.1.0/24
uci set network.lan.ipaddr="192.168.7.1"
uci commit network

# Enable the usb0 gadget via USB-C: load the dwc2 overlay and the g_ether
# module at boot (this replaces /etc/rc.local wholesale), then make usb0 the
# LAN bridge port instead of eth0
grep -qxF 'dtoverlay=dwc2' /boot/config.txt || echo 'dtoverlay=dwc2' >> /boot/config.txt
echo "modprobe g_ether" > /etc/rc.local
uci add_list network.@device[0].ports='usb0'
uci del_list network.@device[0].ports='eth0'
uci commit network

# Create a placeholder wg0 interface (no keys or peers yet)
uci -q delete network.wg0
uci set network.wg0="interface"
uci set network.wg0.proto="wireguard"
uci commit network
service network restart

# Configure the firewall: give the two stock zones section names so they can
# be addressed as firewall.lan / firewall.wan, then put wg0 in the WAN zone
# (del_list before add_list keeps this idempotent)
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="wg0"
uci add_list firewall.wan.network="wg0"
uci commit firewall
service firewall restart

# Expand ROOTFS: the two uci-defaults scripts below run on the next boot.
# Each exits 1 until its job is done, so the uci-defaults runner keeps it
# (scripts are only removed after exiting 0). First the root partition is
# grown, then the filesystem, with a reboot after each step.
cat << "EOF" > /etc/uci-defaults/70-rootpt-resize
if [ ! -e /etc/rootpt-resize ] \
    && type parted > /dev/null \
    && lock -n /var/lock/root-resize
then
    # Block device holding /, and the disk and partition number it lives on
    ROOT_BLK="$(readlink -f /sys/dev/block/"$(awk -e \
        '$9=="/dev/root"{print $3}' /proc/self/mountinfo)")"
    ROOT_DISK="/dev/$(basename "${ROOT_BLK%/*}")"
    ROOT_PART="${ROOT_BLK##*[^0-9]}"
    # Grow the root partition to the end of the card
    parted -f -s "${ROOT_DISK}" \
        resizepart "${ROOT_PART}" 100%
    mount_root done
    touch /etc/rootpt-resize
    reboot
fi
exit 1
EOF

cat << "EOF" > /etc/uci-defaults/80-rootfs-resize
if [ ! -e /etc/rootfs-resize ] \
    && [ -e /etc/rootpt-resize ] \
    && type losetup > /dev/null \
    && type resize2fs > /dev/null \
    && lock -n /var/lock/root-resize
then
    ROOT_BLK="$(readlink -f /sys/dev/block/"$(awk -e \
        '$9=="/dev/root"{print $3}' /proc/self/mountinfo)")"
    ROOT_DEV="/dev/${ROOT_BLK##*/}"
    # Reuse the loop device backing /overlay if there is one, otherwise
    # attach one to the root device so resize2fs can grow the filesystem
    LOOP_DEV="$(awk -e '$5=="/overlay"{print $9}' \
        /proc/self/mountinfo)"
    if [ -z "${LOOP_DEV}" ]
    then
        LOOP_DEV="$(losetup -f)"
        losetup "${LOOP_DEV}" "${ROOT_DEV}"
    fi
    resize2fs -f "${LOOP_DEV}"
    mount_root done
    touch /etc/rootfs-resize
    reboot
fi
exit 1
EOF

# Keep the resize scripts across sysupgrade
cat << "EOF" >> /etc/sysupgrade.conf
/etc/uci-defaults/70-rootpt-resize
/etc/uci-defaults/80-rootfs-resize
EOF

# Reboot so dtoverlay=dwc2 takes effect and the resize scripts run
reboot

Install Tailscale with the luci-app-tailscale frontend (https://github.com/asvow/luci-app-tailscale)

  • Install with frontend:
      VERSION=1.1.2     # luci-app-tailscale release as of Aug 6 2024
      TS_VERSION=1.70.0 # Tailscale static build used here
      ARCH=arm64        # Name from https://pkgs.tailscale.com/stable/#static; note that `uname -m` prints aarch64 on a 64-bit Pi, which is Tailscale's arm64
      wget -O luci-app-tailscale.ipk https://github.com/asvow/luci-app-tailscale/releases/download/v${VERSION}/luci-app-tailscale_${VERSION}_all.ipk
      opkg update
      opkg install ./luci-app-tailscale.ipk
      # Stop the daemon before replacing its binaries with the static build
      service tailscale stop
      cd /tmp
      wget https://pkgs.tailscale.com/stable/tailscale_${TS_VERSION}_${ARCH}.tgz
      tar -xvzf tailscale_${TS_VERSION}_${ARCH}.tgz
      cp tailscale_${TS_VERSION}_${ARCH}/tailscale /usr/sbin/tailscale
      cp tailscale_${TS_VERSION}_${ARCH}/tailscaled /usr/sbin/tailscaled
      service tailscale start
      reboot
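The steps above fetch a tarball and copy its binaries into /usr/sbin without checking anything, and opkg does not verify a signature on a locally supplied .ipk either (its signature check covers the repository index), so the same caution applies to the luci-app-tailscale package. The script below is an added example and not part of the gist: it maps `uname -m` to the name Tailscale's static builds use, downloads the tarball, checks it against a SHA-256 the operator supplies, and only then swaps the binaries. The hash source is an assumption (obtain it on a trusted machine, for instance by downloading the same tarball there and running sha256sum); TS_VERSION, TS_SHA256, tailscale_arch, tailscale_tarball, verify_sha256 and install_tailscale are names introduced here, and the script assumes BusyBox sha256sum/tar/wget and an /etc/init.d/tailscale script as on the gist's setup.

```shell
#!/bin/sh
# Added example (not from the gist): install a Tailscale static build on
# OpenWrt only after verifying it against an out-of-band SHA-256.

TS_VERSION="${TS_VERSION:-1.70.0}"   # version pinned in the gist
TS_SHA256="${TS_SHA256:-}"           # expected hash of the tarball (operator supplied)

# Map `uname -m` output to the name Tailscale uses for its static tarballs
# (https://pkgs.tailscale.com/stable/#static). Fails for an unknown machine
# string instead of guessing.
tailscale_arch() {
  case "$1" in
    x86_64)              echo amd64 ;;
    i386|i486|i586|i686) echo 386 ;;
    aarch64|arm64)       echo arm64 ;;
    armv6l|armv7l)       echo arm ;;
    mips)                echo mips ;;
    mipsel)              echo mipsle ;;
    riscv64)             echo riscv64 ;;
    *)                   return 1 ;;
  esac
}

# Tarball name for a version/arch pair, e.g. tailscale_1.70.0_arm64.tgz
tailscale_tarball() {
  echo "tailscale_$1_$2.tgz"
}

# Compare a file's SHA-256 (lowercase hex) with the expected value
verify_sha256() {
  actual="$(sha256sum "$1" | cut -d' ' -f1)"
  [ "${actual}" = "$2" ]
}

# Download, verify and install; never touches /usr/sbin on a bad checksum
install_tailscale() {
  machine="$(uname -m)"
  arch="$(tailscale_arch "${machine}")" || { echo "unsupported arch: ${machine}" >&2; return 1; }
  tgz="$(tailscale_tarball "${TS_VERSION}" "${arch}")"
  [ -n "${TS_SHA256}" ] || { echo "set TS_SHA256 to the expected hash of ${tgz}" >&2; return 1; }
  cd /tmp || return 1
  wget -O "${tgz}" "https://pkgs.tailscale.com/stable/${tgz}" || return 1
  if ! verify_sha256 "${tgz}" "${TS_SHA256}"; then
    echo "checksum mismatch for ${tgz}, not installing" >&2
    rm -f "${tgz}"
    return 1
  fi
  tar -xzf "${tgz}" || return 1
  dir="tailscale_${TS_VERSION}_${arch}"
  # Stop the daemon, replace each binary via copy-then-rename, restart
  service tailscale stop
  for bin in tailscale tailscaled; do
    cp "${dir}/${bin}" "/usr/sbin/${bin}.new" || return 1
    chmod 755 "/usr/sbin/${bin}.new"
    mv "/usr/sbin/${bin}.new" "/usr/sbin/${bin}" || return 1
  done
  rm -rf "${dir}" "${tgz}"
  service tailscale start
}

# Usage on the router: TS_SHA256=<hex> sh install-tailscale.sh install
if [ "${1:-}" = install ]; then install_tailscale; fi
```

Because the copied binaries are not tracked by opkg, a later opkg upgrade of a tailscale package can overwrite them; re-run the script after such an upgrade.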

Route traffic through Tailscale

  • Follow this guide to add a tailscale zone to the firewall: https://openwrt.org/docs/guide-user/services/vpn/tailscale/start
      Name: tailscale
      Input: ACCEPT (default)
      Output: ACCEPT (default)
      Forward: ACCEPT
      Masquerading: on
      MSS Clamping: on
      Covered networks: tailscale
      Allow forward to destination zones: Ensure that your WAN zone is selected. (Add LAN here as well if you intend to allow hosts in your tailscale network to connect to hosts on your LAN)
      Allow forward from source zones: Select your LAN and/or other internal zones (Leave this blank if you do not want to route LAN traffic to hosts on your tailscale network, e.g a WAN-only exit node)
    
  • Send traffic through an exit node (with the two steps below, LAN traffic can only leave through the tailscale zone, so it cannot fall back to the plain WAN when the tunnel is down):
    1. Disable packet forwarding by default: Network → Firewall → General Settings → Forward: reject
    2. Disable LAN-to-WAN forwarding: Network → Firewall → Zones → lan → Edit → Allow forward to destination zones: make sure your WAN zone is unselected.
  • Add the flags to tailscale; this can be done through the luci-app-tailscale interface under "Services":
    • --exit-node=MY-EXIT-NODE --exit-node-allow-lan-access=true
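The zone, the exit-node kill switch and the tailscale flags above as one uci script, added here as an example rather than taken from the gist or the wiki page. It assumes fw4 (OpenWrt 22.03 or later), stock zones named "lan" and "wan" with the stock single lan→wan forwarding section, tailscaled's default tun name tailscale0, and a placeholder exit node MY-EXIT-NODE; the function names, the DRY_RUN/LAN_ACCESS/KILL_SWITCH switches and the section names ts_to_wan, ts_to_lan and lan_to_ts are choices made here.

```shell
#!/bin/sh
# Added example, not part of the gist: the LuCI steps as a uci script.
# Set DRY_RUN=1 to print the commands instead of running them.

NODE="${NODE:-MY-EXIT-NODE}"     # exit node to use (placeholder)
LAN_ACCESS="${LAN_ACCESS:-0}"    # 1 = let tailnet hosts reach the LAN
KILL_SWITCH="${KILL_SWITCH:-1}"  # 1 = LAN may only leave through tailscale

# Run a command, or just print it when DRY_RUN is set
run() {
  if [ -n "${DRY_RUN}" ]; then echo "$*"; else "$@"; fi
}

# 1. An unmanaged interface that names the tun device, so a firewall zone
#    can cover it ("Covered networks: tailscale")
configure_tailscale_interface() {
  run uci set network.tailscale=interface
  run uci set network.tailscale.proto=none
  run uci set network.tailscale.device=tailscale0
}

# 2. The "tailscale" zone: accept input/output/forward, masquerade, clamp
#    MSS, forward tailscale -> wan (and -> lan when LAN_ACCESS=1), and let
#    the LAN forward into the tailscale zone
configure_tailscale_zone() {
  run uci set firewall.tailscale=zone
  run uci set firewall.tailscale.name=tailscale
  run uci set firewall.tailscale.input=ACCEPT
  run uci set firewall.tailscale.output=ACCEPT
  run uci set firewall.tailscale.forward=ACCEPT
  run uci set firewall.tailscale.masq=1
  run uci set firewall.tailscale.mtu_fix=1
  run uci add_list firewall.tailscale.network=tailscale
  run uci set firewall.ts_to_wan=forwarding
  run uci set firewall.ts_to_wan.src=tailscale
  run uci set firewall.ts_to_wan.dest=wan
  if [ "${LAN_ACCESS}" = 1 ]; then
    run uci set firewall.ts_to_lan=forwarding
    run uci set firewall.ts_to_lan.src=tailscale
    run uci set firewall.ts_to_lan.dest=lan
  fi
  run uci set firewall.lan_to_ts=forwarding
  run uci set firewall.lan_to_ts.src=lan
  run uci set firewall.lan_to_ts.dest=tailscale
}

# 3. Kill switch: reject forwarding by default and drop the stock lan -> wan
#    forwarding so LAN traffic cannot bypass the tunnel. @forwarding[0] is the
#    stock section because the named sections above are appended after it.
configure_kill_switch() {
  run uci set 'firewall.@defaults[0].forward=REJECT'
  run uci -q delete 'firewall.@forwarding[0]'
}

apply_all() {
  configure_tailscale_interface
  configure_tailscale_zone
  if [ "${KILL_SWITCH}" = 1 ]; then configure_kill_switch; fi
  run uci commit network
  run uci commit firewall
  run service network reload
  run service firewall restart
  # Route through the exit node; the second flag keeps the router's own LAN
  # reachable while the exit node is in use
  run tailscale up "--exit-node=${NODE}" --exit-node-allow-lan-access=true
}

# Usage on the router: sh tailscale-zone.sh apply   (DRY_RUN=1 to preview)
if [ "${1:-}" = apply ]; then apply_all; fi
```

Run it with DRY_RUN=1 first and compare the printed commands with `uci show firewall` on a box whose firewall config is not stock, since the kill switch deletes forwarding section 0 by index. Note that `tailscale up` refuses to change flags on a node that already has other flags set unless they are all repeated (or `--reset` is given), so on an already configured node the flags are easier to set through the luci-app-tailscale page as the gist describes.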

@hkfuertes (Author):

Try to automate the manual steps...
