Things to do after installing Linux LEDE 17.01

Introduction

In a previous tutorial we installed Linux LEDE; please check it first if you haven't installed LEDE yet.

We are going to explain the things we recommend doing after installing Linux LEDE. Feel free to skip the sections you don't need.

We are going to show you the following things to do:

  • Using https to download packages from opkg.
  • Adding a USB drive and using it as rootfs on Linux LEDE.
  • Stop using the root user, add your own user with sudo.
  • Add SSL to the web UI.
  • Replace dropbear with OpenSSH.
  • DNSCrypt configuration on LEDE.

Using https to download packages from opkg

This is very important: over plain http, anyone between your router and the package mirror could tamper with the packages you install on your router.

opkg update
opkg install wget
opkg install ca-certificates

Open the file /etc/opkg/distfeeds.conf and replace http with https in every feed URL.

Test the changes with:

opkg update
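As an added example (not part of the original tutorial), a small POSIX sh script that performs the http-to-https rewrite on the feeds file and then refuses to continue if any plaintext feed is left. It assumes the `src/gz <feedname> <url>` line format that LEDE's distfeeds.conf uses; the path is a parameter, normally /etc/opkg/distfeeds.conf.

```shell
#!/bin/sh
# Added example: rewrite opkg feed URLs to https and verify none is left in plaintext.
# Assumes the LEDE/OpenWrt feed line format "src/gz <feedname> <url>".

# Rewrite every "src/gz <name> http://..." line to https:// in place.
# $1 = path to the feeds file (normally /etc/opkg/distfeeds.conf).
harden_feeds() {
    sed -i 's#^\(src/gz [^ ]* \)http://#\1https://#' "$1"
}

# Return 0 when every feed line uses https://, otherwise list the plaintext
# feeds on stderr and return 1 so a caller can stop before running opkg.
check_feeds() {
    plain=$(grep -E '^src/gz [^ ]+ http://' "$1" || true)
    if [ -n "$plain" ]; then
        printf 'plaintext feeds remain:\n%s\n' "$plain" >&2
        return 1
    fi
    return 0
}

# When given a file as argument, harden it, verify it and only then refresh opkg.
if [ "$#" -gt 0 ]; then
    harden_feeds "$1" && check_feeds "$1" && opkg update
fi
```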

Adding a USB drive and using as Rootfs on Linux LEDE

opkg update
opkg install kmod-usb-storage kmod-fs-ext4 kmod-usb-storage-extras block-mount fdisk

Use fdisk to create a swap partition (sdX1 in this tutorial) and a Linux partition (sdX2 in this tutorial).

mkswap /dev/sdX1
swapon /dev/sdX1

Next we need to prepare the sdX2 partition by copying the current overlay onto it:

mount /dev/sdX2 /mnt ; tar -C /overlay -cvf - . | tar -C /mnt -xf - ; umount /mnt

Update your /etc/config/fstab with:

block detect > /etc/config/fstab
sed -i s/option$'\t'enabled$'\t'\'0\'/option$'\t'enabled$'\t'\'1\'/ /etc/config/fstab
sed -i 's#/mnt/sdX2#/overlay#' /etc/config/fstab
cat /etc/config/fstab

You will have an fstab similar to this one:

config 'global'
    option  anon_swap   '0'
    option  anon_mount  '0'
    option  auto_swap   '1'
    option  auto_mount  '1'
    option  delay_root  '5'
    option  check_fs    '0'

config 'swap'
    option  device  '/dev/sdX1'
    option  enabled '1'

config 'mount'
    option  target  '/mnt/sdX2'
    option  uuid    '2830da70-05af-4ec7-b044-8d2b50ad662c'
    option  enabled '1'

Edit the new fstab and make sure the mount target for sdX2 is /overlay, not /mnt/sdX2.

Now reboot and check with df that the free space is the expected one:

df -h

The output should look like this:

Filesystem                Size      Used Available Use% Mounted on
/dev/root                 2.3M      2.3M         0 100% /rom
tmpfs                    61.3M     92.0K     61.3M   0% /tmp
/dev/sdX2                 6.7G     17.9M      6.4G   0% /overlay
overlayfs:/overlay        6.7G     17.9M      6.4G   0% /
tmpfs                   512.0K         0    512.0K   0% /dev

You are done! Reboot and enjoy your USB drive.

Stop using the root user, add your user with sudo

Linux LEDE by default forces you to log in over ssh as root, so we are going to add a new user for ssh login and give it sudo permissions.

opkg install shadow-useradd
useradd tutorials

Set the password and create the home directory:

passwd tutorials
mkdir -p /home/tutorials
chown tutorials /home/tutorials

Now we are going to install sudo and configure it:

opkg install sudo

Add the user with the visudo command by appending the following line:

tutorials ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

We recommend disabling root login in dropbear or ssh afterwards; search the web for how to do it for your setup :).

Add ssl to the web ui

Using plain http exposes your root credentials to anyone on the network path when you log in to the LuCI web interface. To enable SSL execute:

opkg install luci-ssl
uci delete uhttpd.main.listen_http ; uci commit

The second command removes the http listener, so the web UI is only reachable over https.

You can access LuCI using https now.

Replace dropbear with openssh

First we are going to change the dropbear port from 22 to 2222, so that we don't lose access to the router while switching ssh servers.

Edit the file /etc/config/dropbear and change the port.

Restart dropbear with:

/etc/init.d/dropbear restart

Now we are going to install openssh-server and remove dropbear:

opkg install openssh-server

Now check that you can log in with OpenSSH on port 22. Then disable dropbear and disable root login in the file /etc/ssh/sshd_config.

To disable dropbear execute:

/etc/init.d/dropbear disable

DNSCrypt configuration on LEDE

DNSCrypt offers a way to protect clients against attacks related to the modification and manipulation of DNS traffic.

opkg update
opkg install dnscrypt-proxy

After the installation is done, dnscrypt-proxy listens on port 5353. Now we will configure the DHCP/DNS service of LEDE (dnsmasq) to forward queries to that port.

First enable and start DNSCrypt:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

Now change the dhcp configuration to use port 5353 in the file /etc/config/dhcp. We are going to change settings in the dnsmasq section, in particular:

  • comment out the line that starts with "option resolvfile".
  • comment out any line that starts with "list server" (we didn't have any).
  • add a new line with this content: list server '127.0.0.1#5353'
  • add a new line with this content: list server '/pool.ntp.org/208.67.222.222'

The dnsmasq section of the dhcp configuration should be similar to this one:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option noresolv '1' # VERY IMPORTANT CONFIG LINE!
        option leasefile '/tmp/dhcp.leases'
        list server                 '127.0.0.1#5353'
        list server                 '/pool.ntp.org/208.67.222.222'
#        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

Restart the dnsmasq service:

/etc/init.d/dnsmasq restart
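As an added example (not part of the original tutorial), a POSIX sh audit that reads a UCI dhcp file and fails if the dnsmasq section can still fall back to the resolvers learned from the WAN or does not forward to dnscrypt-proxy. It assumes the standard `config`/`option`/`list` layout shown above; the path is a parameter, normally /etc/config/dhcp.

```shell
#!/bin/sh
# Added example: audit the dnsmasq section of a UCI dhcp config (normally
# /etc/config/dhcp) for the settings that keep LAN DNS on dnscrypt-proxy.
# Assumes UCI's "config <type>" / "option <name> '<value>'" / "list <name> '<value>'" layout.

# Print only the active (non-comment, non-blank) lines of the "config dnsmasq" section.
# $1 = path to the dhcp config file.
dnsmasq_section() {
    awk '
        /^[ \t]*config[ \t]/ { t = $2; gsub(/\047/, "", t); in_sec = (t == "dnsmasq"); next }
        in_sec && !/^[ \t]*#/ && NF { print }
    ' "$1"
}

# Return 0 when the section forwards to dnscrypt-proxy and cannot fall back to
# the ISP resolvers; otherwise print one line per problem and return 1.
audit_dns_config() {
    sec=$(dnsmasq_section "$1")
    rc=0
    # noresolv '1' stops dnsmasq from reading the WAN resolvers out of resolv.conf.auto.
    if ! printf '%s\n' "$sec" | grep -Eq "^[[:space:]]*option[[:space:]]+noresolv[[:space:]]+'1'"; then
        echo "missing: option noresolv '1'"; rc=1
    fi
    # An active resolvfile line would reintroduce the WAN resolvers.
    if printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*option[[:space:]]+resolvfile[[:space:]]'; then
        echo "problem: option resolvfile is still active (comment it out)"; rc=1
    fi
    # Queries must be forwarded to dnscrypt-proxy on 127.0.0.1 port 5353.
    if ! printf '%s\n' "$sec" | grep -Eq "^[[:space:]]*list[[:space:]]+server[[:space:]]+'127\.0\.0\.1#5353'"; then
        echo "missing: list server '127.0.0.1#5353'"; rc=1
    fi
    return $rc
}

# When given a file as argument, audit it; a non-zero exit means dnsmasq may leak queries.
if [ "$#" -gt 0 ]; then
    audit_dns_config "$1"
fi
```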

Testing the new configuration

Here we will show some different ways to check if DNSCrypt is working:

On Linux or macOS execute:

dig txt debug.opendns.com

You should see "dnscrypt enabled" somewhere in the response.

Use online pages to check your DNS:

  • DNS leak test
  • DNSSEC check