HowTo: OpenWRT 24.10.2 on XE3000

I installed openwrt on my router the other day and wanted to share my experience. I mostly use my router in AP+STA mode (repeater) with a global vpn, and cellular fallback. Here is my attempt to recreate that. I got started with the following guide:

First you have to use u-boot to flash openwrt. My u-boot was out of date as per Critical Problem Notification for GL-MT2500/GL-X3000/GL-XE3000 so I updated that first, which was fairly straightforward.

I had to go out and buy a usb-c to ethernet adapter though. After updating uboot, I downloaded the latest openwrt firmware here: https://firmware-selector.openwrt.org/
Make sure you download the sysupgrade and not the factory as I mistakenly tried first. Use u-boot to flash the firmware.

Actually I made an error when writing this. You need an active internet connection before you can download packages, so you either have to connect an ethernet cable for internet or connect to a wifi network first.

Once done flashing, keep the ethernet cable connected and 192.168.1.1 should redirect to luci. Go to System->Software, update the lists, and then install the following packages:

luci-proto-qmi # luci support for modem interface
luci-app-travelmate # scan and manage access points similar to glinet
picocom # to send AT commands
luci-proto-wireguard # for wireguard vpn
luci-app-openvpn # for openvpn
luci-app-3ginfo-lite # Display cell connection status
luci-app-sms-tool-js # Send/receive sms

The last two will require adding a custom repo (GitHub - 4IceG/luci-app-sms-tool-js: Simple user interface to handle SMS / USSD / AT commands via sms_tool application. (LuCI JS) | OpenWrt >= 21.02):

ssh [email protected]
grep -q IceG_repo /etc/opkg/customfeeds.conf || echo 'src/gz IceG_repo https://github.com/4IceG/Modem-extras/raw/main/myrepo' >> /etc/opkg/customfeeds.conf
wget https://github.com/4IceG/Modem-extras/raw/main/myrepo/IceG-repo.pub -O /tmp/IceG-repo.pub
opkg-key add /tmp/IceG-repo.pub
opkg update

Now stay in ssh and we will set up the modem. Run picocom /dev/ttyUSB2 to connect to the modem via serial. Then send the following commands one at a time. It should respond with OK:

# Switch to USB interface
AT+QCFG="data_interface",0,0
# Set to QMI protocol
AT+QCFG="usbnet",0

Don't send the comments obviously. Now exit picocom (ctrl+x,e I believe) and then reboot the router with reboot. Ssh back in and ls /dev/cdc-wdm0 to make sure the modem is now active.

Now go back to luci and configure travelmate (Services->travelmate). Click the interface wizard button. Set the following settings:

interface name: trm_wwan
firewall zone: vpnfirewall (or whatever you want)
interface metric: 100

Let it create the interface. Then enable travelmate, switch to the wireless stations tab, and connect. That's the source for your repeater.

Now go to Network->Wireless and add or enable some access points. Those will be your router's access points. Make sure they're attached to the 'lan' network.

Now go to Network->Interfaces. First we will set up the cellular modem. Create a new interface and select QMI for the type. Select /dev/cdc-wdm0 for the device that we confirmed earlier. Add it to the vpnfirewall zone or whatever you chose earlier. Set any APN settings if necessary. It should connect automatically once enabled.

Now make another interface for your vpn. I chose wireguard and named it wg. The exact setup will depend on your provider. Now, I had AllowedIPs = 0.0.0.0/0, ::/0 as is usually recommended. But in repeater mode, this means that the connection to the vpn server itself will be routed through wireguard which creates a loop and obviously won't work. So a route is created to route traffic to the vpn IP only via the non-vpn interface. This seems to happen automatically, but it happens during wireguard startup and is static. Meaning if you switch connections (i.e. wifi to cellular) then the vpn will break. The only solution I could find for now is to manually restart wireguard which will update the route. This is one of the downsides to not using the glinet firmware, and would require a custom script to monitor the connection. This firmware also lacks auto failover for the same reason.

Now finally all our interfaces are set up. We just need to update the firewall rules in /etc/config/firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'
	list network 'wg'
	list network 'trm_wwan'
	list network 'trm_wwan6'
	list network 'cell'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

config forwarding
	option src 'vpnfirewall'
	option dest 'lan'

This just throws all the internet sources into the same zone, so there is no vpn killswitch. The final connection used depends on the gateway priority (set for each interface in Advanced->Use gateway metric). I have mine set to:

wg: 50
trm_wwan: 100
cell: 150

Meaning all clients will be routed through vpn, and the vpn routes through wifi. If you wanted to use cellular data, you'd swap cell and trm_wwan and restart wg. A lengthy process compared to dragging the interface priority in the stock glinet firmware.

Now you should have a fully functional travel router. If you want to see cell signal or send/receive sms, go to the modem dropdown. You have to configure it to use /dev/ttyUSB2 device first. SMS worked fine for me.

And there you have it. The basic features minus the nice dashboard and auto failover, vpn killswitch, etc.

4 Likes
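
The monitoring script the post says would be needed, sketched as an added example that is not part of the original post or of any firmware: it compares the uplink behind the lowest-metric non-tunnel default route with the one recorded at the last tunnel start and restarts the interface when they differ. The interface name wg comes from the post; the state file path and the device names in the sample are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: interface "wg" (from the post), state file in /tmp.
WG_IF="${WG_IF:-wg}"
STATE="${STATE:-/tmp/wg-upstream.dev}"

# Read `ip -4 route show default` lines on stdin and print the device of the
# lowest-metric default route that is not the tunnel itself.
upstream_dev() {
    awk -v wg="$1" '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev == "" || dev == wg) next
            if (best == "" || metric < bestm) { best = dev; bestm = metric }
        }
        END { if (best != "") print best }'
}

# $1 = current upstream device, $2 = device recorded at the last tunnel start.
decide() {
    if [ -z "$1" ]; then echo wait          # no uplink at all, nothing to fix
    elif [ -z "$2" ]; then echo record      # first run, just remember it
    elif [ "$1" != "$2" ]; then echo restart
    else echo keep
    fi
}

check_once() {
    cur=$(ip -4 route show default | upstream_dev "$WG_IF")
    prev=$(cat "$STATE" 2>/dev/null)
    case "$(decide "$cur" "$prev")" in
        restart) logger -t wg-watch "uplink $prev -> $cur, restarting $WG_IF"
                 ifdown "$WG_IF"; ifup "$WG_IF"; echo "$cur" > "$STATE" ;;
        record)  echo "$cur" > "$STATE" ;;
    esac
}

# Constructed sample of the routing table with the post's metrics (50/100/150).
sample_routes() { cat <<'EOF'
default dev wg proto static scope link metric 50
default via 192.168.8.1 dev phy0-sta0 proto static src 192.168.8.120 metric 100
default via 10.64.0.1 dev wwan0 proto static src 10.64.0.2 metric 150
EOF
}
if [ "${1:-}" = "run" ]; then check_once; fi
```

Called with the argument run from cron once a minute, it restarts the tunnel within a minute of an uplink switch; without the argument it only defines the functions.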

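A check for the missing killswitch noted in the post, as an added example that is not part of the original post: it reads a firewall config and lists every non-tunnel network that the lan zone is allowed to forward to. The first sample is a reduced copy of the post's single-zone layout; the second, with the assumed zone names vpn and wan, is a constructed layout in which lan can only forward into the tunnel.

```shell
# Added example: firewall config on stdin, $1 = space-separated tunnel networks.
lan_leak_paths() {
    awk -v tunnels="$1" -v from="lan" -v q="'" '
        function flush() {              # close the section just parsed
            if (type == "zone") nets[o["name"]] = netlist
            if (type == "forwarding" && o["src"] == from) dests[o["dest"]] = 1
            type = ""; netlist = ""; split("", o)
        }
        BEGIN { n = split(tunnels, t, " "); for (i = 1; i <= n; i++) tun[t[i]] = 1 }
        { gsub(q, "") }                 # drop uci quoting
        $1 == "config" { flush(); type = $2; next }
        $1 == "option" { o[$2] = $3 }
        $1 == "list" && $2 == "network" { netlist = netlist " " $3 }
        END {
            flush()
            for (z in dests) {
                m = split(nets[z], a, " ")
                for (i = 1; i <= m; i++) if (!(a[i] in tun)) print z ":" a[i]
            }
        }'
}

# Constructed samples: the post's single-zone layout (reduced), then split zones.
shared_zone() { cat <<'EOF'
config zone
    option name 'vpnfirewall'
    list network 'wg'
    list network 'trm_wwan'
    list network 'cell'
config forwarding
    option src 'lan'
    option dest 'vpnfirewall'
EOF
}
split_zones() { cat <<'EOF'
config zone
    option name 'vpn'
    list network 'wg'
config zone
    option name 'wan'
    list network 'trm_wwan'
    list network 'cell'
config forwarding
    option src 'lan'
    option dest 'vpn'
EOF
}
shared_zone | lan_leak_paths "wg"   # prints the two uplinks lan can reach directly
```

Empty output means every forwarding from lan ends in a zone that holds only tunnel interfaces, so client traffic has no path out when the tunnel is down.
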
Thank you for this, I want to try this.

To revert the router to glinet dashboard, simply flash back the firmware via uboot? Is this the correct way?

thanks

Yes, make sure the firmware you install is "sysupgrade", NOT "factory".