In a previous tutorial we installed Linux LEDE, pelase check it if you didn't installed LEDE.
We are going to explain things we recommend to do after installing Linux LEDE. Feel free to skip sections that you don't need.
We are going to shwo you the following thing to do: * Adding a USB drive and using as Rootfs on Linux LEDE. * Stop using the root user, add your user with sudo. * Add ssl to the web ui. * Replace dropbear with openssh. * DNSCrypt configuration on LEDE.
Using https to download packages from opkg
This is very important since there is a chance of someone changing your packages in your router:
sudo opkg update sudo opkg install wget sudo opkg install ca-certificates
Open the file /etc/opkg/distfeeds.conf and replace http by https.
test the changes with:
Adding a USB drive and using as Rootfs on Linux LEDE
opkg update opkg install kmod-usb-storage kmod-fs-ext4 kmod-usb-storage-extras block-mount fdisk
Use fdisk to create a swap (in this tutorial is sdX1) and a linux partition (in this tutorial is sdX2).
mkswap /dev/sdX1 swapon /dev/sdX1
Next we need to prepare the sdX2 drive:
mount /dev/sdX2 /mnt ; tar -C /overlay -cvf - . | tar -C /mnt -xf - ; umount /mnt ``` bash Update yout /etc/config/fstab with: ``` bash block detect > /etc/config/fstab; \ sed -i s/option$'\t'enabled$'\t'\'0\'/option$'\t'enabled$'\t'\'1\'/ /etc/config/fstab; \ sed -i s#/mnt/sdX1#/overlay# /etc/config/fstab; \ cat /etc/config/fstab;
You will have a fstab similar to this one:
config 'global' option anon_swap '0' option anon_mount '0' option auto_swap '1' option auto_mount '1' option delay_root '5' option check_fs '0' config 'swap' option device '/dev/sdX1' option enabled '1' config 'mount' option target '/mnt/sdX2' option uuid '2830da70-05af-4ec7-b044-8d2b50ad662c' option enabled '1'
Edit the new fstab and change /mnt/sdX2 to /overlay
Now reboot with check with df that empty space is the right one:
The output should be:
Filesystem Size Used Available Use% Mounted on /dev/root 2.3M 2.3M 0 100% /rom tmpfs 61.3M 92.0K 61.3M 0% /tmp /dev/sdX2 6.7G 17.9M 6.4G 0% /overlay overlayfs:/overlay 6.7G 17.9M 6.4G 0% / tmpfs 512.0K 0 512.0K 0% /dev
You are done! Reboot and enjoy your usb drive.
Stop using the root user, add your user with sudo
Linux LEDE by default forces you to use the ssh user, we are going to add a new user to use it for ssh login with sudo permissions.
opkg install shadow-useradd useradd tutorials
Set the password and create the home directory:
passwd tutorials mkdir /home mkdir /home/tutorials chown nicolaus /home/tutorials
Now we are going to install sudo and configure it:
opkg install sudo
Add the user with visudo command, add the following line:
tutorials ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
we recommend to disable root access to dropbear or ssh, just google to know how to do it :).
Add ssl to the web ui
Using http could leak your root credentials when using luci web interface, to enable ssl execute:
opkg install luci-ssl uci delete uhttpd.main.listen_http ; uci commit
The second command will disable http port.
YOu can access luci using https now.
Replace dropbear with openssh
First we are going to change the drop bear port from 22 to 2222, we will do this to avoid losing access to the router.
Edit the file /etc/config/dropbear and change the port.
Restart dropbear with
Now we are going to install openssh-server and remove dropbear:
opkg install openssh-server
Now check that you can login to the port 22. Disable dropbear and remove root login on the file /etc/ssh/sshd_config.
To disable dropbear execute:
DNSCrypt configuration on LEDE
DNSCrypt offers a way to protect clients against attacks related to the modification and manipulation of DNS traffic.
opkg update opkg install dnscrypt-proxy
After installation is done, dnscrypt will be listening to the port 5353. Now we will configure DHCP of LEDE to use the service on the port 5353.
First enable and start DNScrypt:
/etc/init.d/dnscrypt-proxy enable /etc/init.d/dnscrypt-proxy start
Now change the dhcp configuration to use the port 5353 on the file /etc/config/dhcp. We are going to change settings on the dnsmasq section, in particular:
- command the line that starts with "option resolvfile".
- comment any like that starts with "list server" (We didn't have any).
- add a new line with this content: list server '127.0.0.1#5353'
- add a new line with this content: list server '/pool.ntp.org/220.127.116.11'
The dhcp configuration dnsmasq section should be similar to this one:
config dnsmasq option domainneeded '1' option boguspriv '1' option filterwin2k '0' option localise_queries '1' option rebind_protection '1' option rebind_localhost '1' option local '/lan/' option domain 'lan' option expandhosts '1' option nonegcache '0' option authoritative '1' option readethers '1' option noresolv '1' # VERY IMPORTANT CONFIG LINE! option leasefile '/tmp/dhcp.leases' list server '127.0.0.1#5353' list server '/pool.ntp.org/18.104.22.168' # option resolvfile '/tmp/resolv.conf.auto' option localservice '1'
Reboot the dnsmasq service:
Testing the new configuration
Here we will show some different ways to check if DNSCrypt is working:
On linux or macOS execute:
dig txt debug.opendns.com
you should see in the response "dnscrypt enabled" somewhere.
Use online pages to check dns: