DLI DC3 User's Guide
Installing third-party packages allows the administrator to improve connectivity and simplify administration of the controller.
To download the lists of packages available for installation, run:
# opkg update
All of the following command sequences expect you to have run opkg update.
By default, the OpenWrt package feeds are configured, but the OpenWrt build key is not trusted, so their packages are not shown as available.
Please note that packages depending on the kernel, especially kernel modules, are not to be installed from OpenWrt feeds; this means installing e.g. VPN services from OpenWrt feeds is a bad idea (even packages performing userspace cryptography depend on e.g. kmod-tun); you will be warned about the kernel version mismatch, and trying to override the dependency check will likely make the unit unbootable.
If you still want to use the OpenWrt feed, you need to install the public key.
# mkdir -p /etc/opkg/keys
# curl -o /etc/opkg/keys/2f8b0b98e08306bf \
    'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/2f8b0b98e08306bf'
# opkg update
or, equivalently:
# mkdir -p /etc/opkg/keys
# echo 'untrusted comment: Public usign key for 21.02 release builds' > /etc/opkg/keys/2f8b0b98e08306bf
# echo RWQviwuY4IMGvwLfs6842A0m4EZU1IjczTxKMSk3BQP8DAQLHBwdQiaU >> /etc/opkg/keys/2f8b0b98e08306bf
# opkg update
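Before trusting a feed key, it is worth checking that the key you are installing is the one whose ID you expect. A usign public key decodes to a 2-byte algorithm tag, an 8-byte key ID and the 32-byte Ed25519 key, and opkg expects the file in /etc/opkg/keys/ to be named after that key ID. The following shell functions, added here as an example and not part of the DLI guide or the opkg tooling, derive the key ID from a key line and check a key file against its own name; the demo uses the 21.02 release key quoted above.

```shell
# Added example (not from the DLI guide): derive the usign key ID from a public
# key line and compare it with the file name opkg expects in /etc/opkg/keys/.
# A usign public key decodes to: "Ed" (2 bytes), 8-byte key ID, 32-byte Ed25519 key.
usign_keyid() {
  # $1: base64 public key line (the second line of a usign .pub file)
  # bytes 3..10 of the decoded key are the key ID -> hex characters 5..20
  printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n' | cut -c5-20
}

# Check that a usign public key file is named after its own key ID.
# $1: path to key file. Returns 0 when consistent, 1 otherwise.
check_usign_keyfile() {
  keyline=$(sed -n '2p' "$1")
  expected=$(basename "$1")
  actual=$(usign_keyid "$keyline") || return 1
  [ "$actual" = "$expected" ]
}

# Demonstration on the 21.02 release key quoted in the guide; prints 2f8b0b98e08306bf.
demo_keyid() {
  usign_keyid 'RWQviwuY4IMGvwLfs6842A0m4EZU1IjczTxKMSk3BQP8DAQLHBwdQiaU'
}

echo "key id: $(demo_keyid)"
```

After installing a key, `check_usign_keyfile /etc/opkg/keys/2f8b0b98e08306bf` returns non-zero if the file content does not belong to the key ID in its name, which catches a truncated download or a key copied under the wrong name before `opkg update` starts trusting it.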
To disable OpenWrt package feeds, remove them from /etc/opkg/distfeeds.conf.
You can get a list of available packages using:
# opkg list
However, this is not necessarily a list of packages you may want to use (e.g. some of them are just utilities or libraries for other packages and not immediately useful on their own).
The way packages store configuration varies. Some packages store configuration in the /etc/config/ UCI store; another subset of packages keep state and settings in /storage/.pkg/<package name>; in both cases the configuration will persist across upgrades (as the /storage directory is reserved and persisted across upgrades). Finally, some packages store configuration in other places, in which case it's up to the package's maintainer to ensure that it persists across upgrades (some of the packages mentioned here aren't maintained by DLI).
By default, installed packages are not preserved across upgrades; to preserve packages installed manually, enable the related feature. To enable it from the command line, use:
# uom set system/preserve_packages true
Note that only manually installed packages are handled, not their dependencies. If you install a package that has a dependency which provides e.g. some scripts or data files, then remove that package but keep the dependency and rely on its scripts or data files in your own scripts, an upgrade would break your setup, as the dependency package would not be re-installed; to avoid that, run an explicit opkg install on that package.
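To see which installed packages fall into that category on a unit, it helps to know which ones opkg considers auto-installed dependencies rather than user requests. The following shell snippet is an added example, not part of the DLI guide or of opkg itself; it assumes the opkg status file format used by OpenWrt (normally /usr/lib/opkg/status), where dependency packages carry an "Auto-Installed: yes" field, and it runs over a constructed sample status file so it can be tried offline.

```shell
# Added example (not from the DLI guide): list installed packages that were pulled in
# only as dependencies. With system/preserve_packages enabled, only packages you
# installed by hand are re-installed after an upgrade, so anything listed here would
# be missing afterwards unless you run an explicit "opkg install" on it.
# Assumption: the opkg status file (/usr/lib/opkg/status on OpenWrt) marks dependency
# packages with an "Auto-Installed: yes" field, as OpenWrt's opkg does.
auto_installed_packages() {
  # $1: path to an opkg status file; prints one package name per line
  awk '
    /^Package:/            { pkg = $2; auto = 0 }
    /^Auto-Installed: yes/ { auto = 1 }
    /^$/                   { if (pkg != "" && auto) print pkg; pkg = "" }
    END                    { if (pkg != "" && auto) print pkg }
  ' "$1"
}

# Constructed sample status file (names and versions are made up): two packages
# installed by hand and one dependency (libfoo) that only exists because "bar" needs it.
write_sample_status() {
  cat > "$1" <<'EOF'
Package: tailscale-combined
Version: 1.0-1
Status: install user installed
Architecture: all
Installed-Time: 1700000000

Package: libfoo
Version: 2.0-1
Depends: libc
Status: install ok installed
Architecture: all
Auto-Installed: yes
Installed-Time: 1700000001

Package: bar
Version: 0.1-1
Depends: libc, libfoo
Status: install user installed
Architecture: all
Installed-Time: 1700000002
EOF
}

# Runs the check over the constructed sample; prints "libfoo".
demo_unpreserved() {
  f=$(mktemp)
  write_sample_status "$f"
  auto_installed_packages "$f"
  rm -f "$f"
}

demo_unpreserved
```

On a real unit, `auto_installed_packages /usr/lib/opkg/status` gives the list of packages whose removal from the unit after an upgrade would otherwise go unnoticed; running `opkg install` on any of them that your own scripts depend on promotes them to manually installed packages.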
Package versions in the DLI repository are directly linked to the firmware version; on an upgrade, the version of the re-downloaded manually installed package will match the new firmware version.
Several modern VPN packages based on WireGuard are available, which provide encrypted mesh networking. A summary table is below; the 'Mode' column indicates whether the kernel WireGuard implementation is used, which usually has better performance than a userland one; packages with "high" resource usage effectively consume all available flash and RAM resources, precluding installation of most other packages.
Package | Mode | Resource usage | OS support | Self-hosting |
---|---|---|---|---|
Tailscale | userland | high | Linux, Windows, Mac OS, Android, iOS | limited |
NetBird | kernel | high | Linux, Windows, Mac OS | possible |
ZeroTier | userland | low | Linux, Windows, Mac OS | limited |
Innernet | kernel | medium | Linux, Mac OS | mandatory |
The following instructions describe just the simplest default configuration of these third-party packages; refer to their documentation for details.
To use Tailscale, you need to sign in (note that there's currently no internal authentication support in Tailscale; you need to sign up with a Google, Microsoft or GitHub account), then run:
# opkg install tailscale-combined
# tailscale up
Here you will be prompted to authorize the device like this (copy the URL and paste into the browser):
To authenticate, visit: https://login.tailscale.com/a/0123456789ab
This should get your device online. Check with:
# ifconfig tailscale0
Self-hosting is partially made possible with Headscale. You may also want to use your own "DERP" servers which handle traffic between clients behind NATs.
To use NetBird, first prepare a NetBird account and verify the email, as activation will otherwise fail; then run:
# opkg install netbird
# netbird up
Here you will be prompted to authorize the device like this (copy the URL and paste into the browser):
Please do the SSO login in your browser. If your browser didn't open automatically, use this URL to log in: https://login.netbird.io/activate?user_code=ABCD-EFGH
This should get your device online. Check with:
# ifconfig wt0
Refer to NetBird documentation for self-hosting.
The instructions to use ZeroTier are largely outlined here.
You need to log into their site, create a network, take note of its ID, then run:
# opkg install zerotier
then either edit the existing sample network in /etc/config/zerotier to have the network ID match the one you have taken note of, or create a new network by running (with 0123456789abcdef replaced by the network ID you have taken note of):
# uci set zerotier.openwrt_network=zerotier
# uci add_list zerotier.openwrt_network.join='0123456789abcdef'
# uci set zerotier.openwrt_network.enabled='1'
# uci commit zerotier
After editing the configuration, run:
# /etc/init.d/zerotier restart
(no need to reboot). The controller will appear in the network in the ZeroTier web UI control panel but will not be authorized yet (and thus will have no IP); after you tick the Auth checkbox, you should be all set.
Innernet is distinguished from the above packages by having no hosted version and by its text-mode UI configuration. To install the client, run:
# opkg install innernet
The Innernet coordination server needs to be hosted on a node with a public IP. If you wish to run the coordination server on a DLI unit, run this instead:
# opkg install innernet-server
Note that the two packages above are mutually exclusive: you cannot run innernet and innernet-server on the same node.
If you need to set up WireGuard tunnels manually, run:
# opkg install wireguard-tools
and follow the OpenWrt guide for further instructions.
IPSec-based VPN packages include strongSwan:
# opkg install strongswan
Please refer to OpenWrt strongSwan documentation for further setup.
OpenVPN is built with OpenSSL as the cryptography library, so you will need to run:
# opkg install openvpn-openssl
to install it. Please refer to OpenWrt OpenVPN documentation for further setup.
The following CLI utility package can be used to manage a local certificate authority for OpenVPN:
# opkg install openvpn-easy-rsa
The following packages are components of SoftEtherVPN which claims compatibility with OpenVPN, L2TP, IPsec, EtherIP, L2TPv3, Cisco VPN Routers and MS-SSTP VPN. Install the components you need:
# opkg install softethervpn-server
and/or
# opkg install softethervpn-client
and/or
# opkg install softethervpn-bridge
The eoip package can create Ethernet tunnels compatible with Mikrotik EoIP tunnels:
# opkg install eoip
Yggdrasil is a decentralized overlay IPv6 network; to use it, run:
# opkg install yggdrasil
Follow the installation guide for further details.
Note that using it with the default public peers will expose you to untrusted third parties.
The vpn-policy-routing and vpnbypass packages can be used to customize VPN-related routes:
# opkg install vpn-policy-routing
or
# opkg install vpnbypass
For most operations, the default dropbear installation should cover all SSH needs. The default installation includes the openssh-sftp-server package for SFTP support, which is needed by default since OpenSSH 9.0 (whose scp uses the SFTP protocol by default). Should you still have a need to install OpenSSH components, run (depending on your needs):
# opkg install openssh-client
and/or
# opkg install openssh-server
To install the Mosquitto MQTT broker, run:
# opkg install mosquitto
If you're interested in sending and receiving MQTT messages from the command line, run:
# opkg install mosquitto-client
If you're interested in sending and receiving SNMP messages from the command line, run:
# opkg install snmp-utils
The package contains the snmpget, snmpset, snmpstatus, snmptest, snmptrap and snmpwalk utilities.
The following package helps update various Dynamic DNS services for units with a public, but dynamic IP address:
# opkg install ddns-scripts
If you want to refer to a unit on the same LAN segment, it may be possible to use multicast DNS (i.e. address the unit as <hostname>.local) if you install the appropriate multicast DNS responder package:
# opkg install mdnsresponder
The traditional screen package, which allows multiplexing the terminal, detached operation and much more, is available:
# opkg install screen
The traditional script and scriptreplay utilities are available in the script-utils package:
# opkg install script-utils