I had blogged back in October of last year about setting up DNS over HTTPS, and it’s been very reliable, except for the parts where I’ve had to run Software Update on the Mac mini to pick up security updates: while it’s restarting, all of our DNS resolution stops working! I’d come across OpenWRT a while back, which is an open-source and very extensible firmware for a whole variety of different routers, but I did a bunch of searching and hadn’t come across any reports of people fully successfully using it on our specific router, the Netgear D7800 (also known as the Nighthawk X4S), just people having various problems. One of the reasons I was interested in OpenWRT was that it’s Linux-based and extensible, so I would be able to move the DHCP and DNS functionality off the Mac mini back onto the router where it belongs, and in theory bring the encrypted DNS over as well.
I finally bit the bullet and decided to give installing it a go today, and it was surprisingly easy. I figured I’d document it here for posterity and in the hopes that it’ll help someone else out in the same position as I was.
Important note: The DSL/VDSL modem in the X4S is not supported under OpenWRT!
Installation
- Download the firmware file from the “Firmware OpenWrt Install URL” (not the Upgrade URL) on the D7800’s entry on OpenWRT.org.
- Make sure you have a TFTP client; macOS comes with the built-in `tftp` command line tool. This is used to transfer the firmware image to the router.
- Unplug everything from the router except power and the ethernet cable for the machine you’ll be using to install OpenWRT from (this can’t be done wirelessly).
- Set your machine to have a static IP address in the range of 192.168.1.something. The router will be .1.
- Reset the router back to factory settings by holding the reset button on the back of it in until the light starts flashing.
- Once it’s fully started up, turn it off entirely, hold the reset button in again and while still holding the button in, turn the router back on.
- Keep the reset button held in until the power light starts flashing white.
Now the OpenWRT firmware file needs to be transferred to the router via TFTP. Run `tftp -e 192.168.1.1` (`-e` turns on binary mode), then `put <path to the firmware file>`. It’ll transfer the file and then install it and reboot; this will take several minutes.
Once it’s up and running, the OpenWRT interface will be accessible at http://192.168.1.1, with a username of `root` and no password. Set a password, then follow the quick-start guide to turn on and secure the wifi radios, which are off by default.
Additional dnsmasq configuration and DNS-over-TLS
I mentioned in my DNS-over-HTTPS post that I’d also set up `dnsmasq` to do local machine name resolution. This is very trivially set up in OpenWRT under Network > DHCP and DNS: put in the MAC address, desired IP and machine name under the Static Leases section, then hit Save & Apply.
The other part I wanted to replicate was having my DNS queries encrypted. In OpenWRT this isn’t easily possible with DNS-over-HTTPS, but it is when using DNS-over-TLS, which gets you to the same end-state. It requires installing Stubby, a DNS stub resolver that forwards DNS queries on to Cloudflare’s DNS.
- On the router, go to System > Software and install `stubby`.
- Go to System > Startup and ensure Stubby is listed as `Enabled` so it starts at boot.
- Go to Network > DHCP and DNS and, under “DNS Forwardings”, enter `127.0.0.1#5453` so `dnsmasq` will forward DNS queries on to `stubby`, which in turn reaches out to Cloudflare; Cloudflare’s DNS servers are configured by default. Stubby’s configuration can be viewed at `/etc/config/stubby`.
- Under the “Resolv and Hosts Files” tab, tick the “Ignore resolve file” box.
- Click Save & Apply.
Many thanks to Craig Andrews for his blog post on this subject!
Quality of Service (QoS)
The last thing I wanted to set up was QoS, which allows for prioritisation of traffic when your link is saturated. This was pretty straightforward as well, and just involved installing the `luci-app-sqm` package and following the official OpenWRT page to configure it!
Ongoing findings
I’ll update this section as I come across other little tweaks and changes I’ve needed to make.
Plex local access
We use Plex on the Xbox One as our media player (the Plex Media Software runs on the Mac mini), and I found that after installing OpenWRT on the router, the Plex client on the Xbox couldn’t find the server anymore despite being on the same LAN. I found a fix on Plex’s forums, which is to go to Network > DHCP and DNS, and add the domain `plex.direct` to the “Domain whitelist” field for the Rebind Protection setting.
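The DNS-over-TLS forwarding from the Stubby section above and this rebind whitelist, as an added example that is not part of the original post: the same settings as `uci` commands for the router’s shell, plus a check that a given `/etc/config/dhcp` really sends every query to Stubby and ignores the ISP resolvers. It assumes Stubby listens on `127.0.0.1#5453` as the post states; the sample config files are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): the stubby forwarding and Plex
# rebind whitelist the post sets through LuCI, as UCI shell commands, plus a
# check that a given /etc/config/dhcp sends every query to stubby.
# Assumes stubby listens on 127.0.0.1#5453, as the post states.

# For the router's shell only (not executed here): forward dnsmasq to stubby,
# ignore the ISP resolvers in /etc/resolv.conf, whitelist plex.direct.
apply_dns_over_tls() {
    /etc/init.d/stubby enable
    /etc/init.d/stubby start
    uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5453'
    uci set dhcp.@dnsmasq[0].noresolv='1'
    uci set dhcp.@dnsmasq[0].rebind_protection='1'
    uci add_list dhcp.@dnsmasq[0].rebind_domain='plex.direct'
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Returns 0 only when every "list server" entry is stubby and resolv.conf is
# ignored; otherwise some queries would still leave as plaintext UDP/53.
check_dns_forwarding() {
    cfg="$1"
    grep "^[[:space:]]*list server" "$cfg" | grep -vq "'127.0.0.1#5453'" && return 1
    grep -q "list server '127.0.0.1#5453'" "$cfg" || return 1
    grep -q "option noresolv '1'" "$cfg" || return 1
    return 0
}

# Constructed sample of /etc/config/dhcp after apply_dns_over_tls has run.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
config dnsmasq
	option noresolv '1'
	list server '127.0.0.1#5453'
	option rebind_protection '1'
	list rebind_domain 'plex.direct'
EOF

# Constructed sample where a plaintext upstream (documentation-range IP) was
# added beside stubby: dnsmasq may pick either, so encryption is not assured.
LEAK_CFG=$(mktemp)
cat > "$LEAK_CFG" <<'EOF'
config dnsmasq
	option noresolv '1'
	list server '127.0.0.1#5453'
	list server '198.51.100.53'
EOF
check_dns_forwarding "$GOOD_CFG" && echo "good: all DNS goes via stubby"
check_dns_forwarding "$LEAK_CFG" || echo "leak: plaintext upstream present"
```

Copy `/etc/config/dhcp` off the router with `scp` and run `check_dns_forwarding` on it after an upgrade; the upgrade steps later in the post reset this file to defaults until the backup is restored.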
Xbox Live and Plex Remote Access (January 2020)
Xbox Live is quite picky about its NAT settings and requires UPnP to be enabled, or you can end up with issues with voice chat or gameplay in multiplayer; similarly, Plex’s Remote Access requires UPnP as well. This isn’t provided by default with OpenWRT but can be installed with the `luci-app-upnp` package, and the configuration shows up under Services > UPnP in the top navbar. It doesn’t start by default, so tick the “Start UPnP and NAT-PMP service” and “Enable UPnP” boxes, then click Save & Apply.
Upgrading to a new major release (February 2020)
When I originally wrote this post I was running OpenWRT 18.06, and now that 19.07 has come out I figured I’d upgrade, and it was surprisingly straightforward!
- Connect to the router via ethernet, make sure your network interface is set to use DHCP.
- Log into the OpenWRT interface and go to System > Backup/Flash Firmware and generate a backup of the configuration files.
- Go to the device page on openwrt.org and download the “Firmware OpenWrt Upgrade” image (not the “Firmware OpenWrt Install” one).
- Go back to System > Backup/Flash Firmware, choose “Flash image” and select your newly-downloaded image.
- In the next screen, make sure “Keep settings and retain the current configuration” is not ticked and continue.
- Wait for the router light to stop flashing, then renew your DHCP lease (assuming you’d set it up to be something other than 192.168.1.x like I did).
- Log back into the router at http://192.168.1.1 and re-set your root password.
- Go back to System > Backup/Flash Firmware and restore the backup of the settings you made (then renew your DHCP lease again if you’d changed the default range).
I had a couple of conflicts with files in `/etc/config` between my configuration and the new default files, so I SSHed in and manually checked through them to see how they differed and updated them as necessary. After that it was just a case of re-installing the `luci-app-sqm`, `luci-app-upnp`, and `stubby` packages, and I was back in business!
Hello.
Well done with your instructions.
Please put details in bold re: use network cable and do not perform over wireless connection.
Also, how do I modify this file and change to more secure DNS servers?
—> /etc/config/stubby.
THANK YOU!
Hey, thanks!
With regards to `/etc/config/stubby`, you don’t really need to change anything IMO… it defaults to using Cloudflare’s 1.1.1.1 servers. If you _do_ want to change it, it’s just a case of modifying the four `config resolver` entries to point to somewhere other than Cloudflare. 🙂
Hi virtualwolf,
Thanks for posting these instructions, great reference for the D7800!
I was wondering do you find the device storage to be on the low side? I think there is something like 15MB free after install, a bit disappointing, not much space for packages.
Also I thought it had 512MB memory but OpenWrt reports only around 215MB, is this the case for you too?
Cheers!
Yeah, same thing here… 215MB RAM and 15MB of free space.
I managed to fix both these problems. The memory issue required a DTS edit so needs to be done as part of a build from source, while the limited storage can be kinda worked around by adding the packages you want as part of a custom build using the image builder. The limited storage is still there, but by adding the packages to the build you can squeeze more in without having to set up extroot.
Simon, have you done your fixes? Is your build available somewhere?