OpenWRT Backend¶
The OpenWrt
backend allows to generate OpenWRT compatible configurations.
Note
This backend purposely generates only named UCI blocks.
UCI stands for Unified Configuration Interface and it is the default configuration system installed on OpenWRT and its fork LEDE.
Initialization¶
-
OpenWrt.
__init__
(config=None, native=None, templates=None, context=None)¶ Parameters: - config –
dict
containing a valid NetJSON configuration dictionary - native –
str
or file object representing a native configuration that will be parsed and converted to a NetJSON configuration dictionary - templates –
list
containing NetJSON configuration dictionaries that will be used as a base for the main config - context –
dict
containing configuration variables
Raises: TypeError – raised if
config
is not of typedict
or iftemplates
is not of typelist
- config –
If you are unsure about the meaning of the initalization parameters, read about the following basic concepts:
Initialization example (forward conversion):
from netjsonconfig import OpenWrt
router = OpenWrt({
"general": {
"hostname": "HomeRouter"
}
})
Initialization example (backward conversion):
from netjsonconfig import OpenWrt
router = OpenWrt(native=open('./openwrt-config.tar.gz'))
Render method¶
-
OpenWrt.
render
(files=True)¶ Converts the configuration dictionary into the corresponding configuration format
Parameters: files – whether to include “additional files” in the output or not; defaults to True
Returns: string with output
Code example:
from netjsonconfig import OpenWrt
o = OpenWrt({
"interfaces": [
{
"name": "eth0.1",
"type": "ethernet",
"addresses": [
{
"address": "192.168.1.2",
"gateway": "192.168.1.1",
"mask": 24,
"proto": "static",
"family": "ipv4"
},
{
"address": "192.168.2.1",
"mask": 24,
"proto": "static",
"family": "ipv4"
},
{
"address": "fd87::2",
"gateway": "fd87::1",
"mask": 64,
"proto": "static",
"family": "ipv6"
}
]
}
]
})
print(o.render())
Will return the following output:
package network
config interface 'eth0_1'
option gateway '192.168.1.1'
option ifname 'eth0.1'
option ip6addr 'fd87::2/64'
option ip6gw 'fd87::1'
list ipaddr '192.168.1.2/24'
list ipaddr '192.168.2.1/24'
option proto 'static'
Generate method¶
-
OpenWrt.
generate
()¶ Returns a
BytesIO
instance representing an in-memory tar.gz archive containing the native router configuration.Returns: in-memory tar.gz archive, instance of BytesIO
Example:
>>> import tarfile
>>> from netjsonconfig import OpenWrt
>>>
>>> o = OpenWrt({
... "interfaces": [
... {
... "name": "eth0",
... "type": "ethernet",
... "addresses": [
... {
... "proto": "dhcp",
... "family": "ipv4"
... }
... ]
... }
... ]
... })
>>> stream = o.generate()
>>> print(stream)
<_io.BytesIO object at 0x7fd2287fb410>
>>> tar = tarfile.open(fileobj=stream, mode='r:gz')
>>> print(tar.getmembers())
[<TarInfo 'etc/config/network' at 0x7fd228790250>]
As you can see from this example, the generate
method does not write to disk,
but returns an instance of io.BytesIO
which contains a tar.gz file object with the
following file structure:
/etc/config/network
The configuration archive can then be written to disk, served via HTTP or uploaded
directly on the OpenWRT router where it can be finally “restored” with sysupgrade
:
sysupgrade -r <archive>
Note that sysupgrade -r
does not apply the configuration, to do this you have
to reload the services manually or reboot the router.
Note
the generate
method intentionally sets the timestamp of the tar.gz archive and its
members to 0
in order to facilitate comparing two different archives: setting the
timestamp would infact cause the checksum to be different each time even when contents
of the archive are identical.
Write method¶
-
OpenWrt.
write
(name, path='./')¶ Like
generate
but writes to disk.Parameters: - name – file name, the tar.gz extension will be added automatically
- path – directory where the file will be written to, defaults to
./
Returns: None
Example:
>>> import tarfile
>>> from netjsonconfig import OpenWrt
>>>
>>> o = OpenWrt({
... "interfaces": [
... {
... "name": "eth0",
... "type": "ethernet",
... "addresses": [
... {
... "proto": "dhcp",
... "family": "ipv4"
... }
... ]
... }
... ]
... })
>>> o.write('dhcp-router', path='/tmp/')
Will write the configuration archive in /tmp/dhcp-router.tar.gz
.
Parse method¶
-
OpenWrt.
parse
(native)¶ Parses a native configuration and converts it to a NetJSON configuration dictionary
This method is automatically called when initializing the backend
with the native
argument:
from netjsonconfig import OpenWrt
router = OpenWrt(native=open('./openwrt-config.tar.gz'))
The argument passed to native
can be a string containing a dump obtained via
uci export
, or a file object (real file or BytesIO
instance) representing
a configuration archive in tar.gz format typically used in OpenWRT/LEDE.
JSON method¶
-
OpenWrt.
json
(validate=True, *args, **kwargs)¶ returns a string formatted as NetJSON DeviceConfiguration; performs validation before returning output;
*args
and*kwargs
will be passed tojson.dumps
;Returns: string
Code example:
>>> from netjsonconfig import OpenWrt
>>>
>>> router = OpenWrt({
... "general": {
... "hostname": "HomeRouter"
... }
... })
>>> print(router.json(indent=4))
{
"type": "DeviceConfiguration",
"general": {
"hostname": "HomeRouter"
}
}
General settings¶
The general settings reside in the general
key of the
configuration dictionary, which follows the
NetJSON General object definition
(see the link for the detailed specification).
Currently only the hostname
option is processed by this backend.
General object extensions¶
In addition to the default NetJSON General object options, the OpenWrt
backend
also supports the following custom options:
key name | type | function |
---|---|---|
timezone |
string | one of the allowed timezone values (first element of each tuple) |
General settings example¶
The following configuration dictionary:
{
"general": {
"hostname": "routerA",
"timezone": "UTC",
"ula_prefix": "fd8e:f40a:6701::/48"
}
}
Will be rendered as follows:
package system
config system 'system'
option hostname 'routerA'
option timezone 'UTC'
option zonename 'UTC'
package network
config globals 'globals'
option ula_prefix 'fd8e:f40a:6701::/48'
Network interfaces¶
The network interface settings reside in the interfaces
key of the
configuration dictionary, which must contain a list of
NetJSON interface objects
(see the link for the detailed specification).
There are 4 main types of interfaces:
- network interfaces: may be of type
ethernet
,virtual
,loopback
orother
- wireless interfaces: must be of type
wireless
- bridge interfaces: must be of type
bridge
- dialup interfaces: must be of type
dialup
- modem manager interfaces: must be of type
modem-manager
Interface object extensions¶
In addition to the default NetJSON Interface object options, the OpenWrt
backend
also supports the following custom options for every type of interface:
key name | type | allowed values |
---|---|---|
network |
string | logical interface name (UCI specific) |
In the following sections some examples of the most common use cases are shown.
Loopback interface example¶
The following configuration dictionary:
{
"interfaces": [
{
"name": "lo",
"type": "loopback",
"addresses": [
{
"address": "127.0.0.1",
"mask": 8,
"proto": "static",
"family": "ipv4"
}
]
}
]
}
Will be rendered as follows:
package network
config interface 'lo'
option ifname 'lo'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option proto 'static'
Dualstack (IPv4 & IPv6)¶
The following configuration dictionary:
{
"interfaces": [
{
"name": "eth0",
"type": "ethernet",
"addresses": [
{
"family": "ipv4",
"proto": "static",
"address": "10.27.251.1",
"mask": 24
},
{
"family": "ipv6",
"proto": "static",
"address": "fdb4:5f35:e8fd::1",
"mask": 48
}
]
}
]
}
Will be rendered as follows:
package network
config interface 'eth0'
option ifname 'eth0'
option ip6addr 'fdb4:5f35:e8fd::1/48'
option ipaddr '10.27.251.1'
option netmask '255.255.255.0'
option proto 'static'
DNS servers and search domains¶
DNS servers can be set using dns_servers
, while search domains can be set using
dns_search
.
If specified, these values will be automatically added in every interface which has
at least one static ip address; interfaces which have no ip address configured or are using
dynamic ip address configuration won’t get the dns
option in the UCI output, eg:
{
"dns_servers": ["10.11.12.13", "8.8.8.8"],
"dns_search": ["openwisp.org", "netjson.org"],
"interfaces": [
{
"name": "eth0",
"type": "ethernet",
"addresses": [
{
"address": "192.168.1.1",
"mask": 24,
"proto": "static",
"family": "ipv4"
}
]
},
# the following interface has DHCP enabled
# and it won't contain the dns setting
{
"name": "eth1",
"type": "ethernet",
"addresses": [
{
"proto": "dhcp",
"family": "ipv4"
}
]
},
# the following VLAN interface won't get
# the dns nor the dns_search settings
{
"name": "eth1.31",
"type": "ethernet"
}
]
}
Will return the following UCI output:
package network
config interface 'eth0'
option dns '10.11.12.13 8.8.8.8'
option dns_search 'openwisp.org netjson.org'
option ifname 'eth0'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option proto 'static'
config interface 'eth1'
option dns_search 'openwisp.org netjson.org'
option ifname 'eth1'
option proto 'dhcp'
config interface 'eth1_31'
option ifname 'eth1.31'
option proto 'none'
DHCP ipv6 ethernet interface¶
The following configuration dictionary:
{
"interfaces": [
{
"name": "eth0",
"network": "lan",
"type": "ethernet",
"addresses": [
{
"proto": "dhcp",
"family": "ipv6"
}
]
}
]
}
Will be rendered as follows:
package network
config interface 'lan'
option ifname 'eth0'
option proto 'dchpv6'
Using different protocols¶
OpenWRT and LEDE support many protocols (pppoe, pppoa, pptp, l2tp, ecc) and the list of supported protocols evolves over time.
OpenWISP and netjsonconfig try to stay out of your way by leaving you maximum
flexibility to use any protocol and any configuration option you may need,
just set type
to other
, then proceed by setting proto and any other
configuration option according to your needs, see the example below.
PPPoE proto example¶
The following configuration dictionary:
{
"interfaces": [
{
"type": "other",
"name": "eth0",
"network": "wan",
"proto": "pppoe",
"username": "<username>",
"password": "<password>"
}
]
}
Will be rendered as follows:
package network
config interface 'wan'
option ifname 'eth0'
option password '<password>'
option proto 'ppoe'
option username '<username>'
Bridge settings¶
Interfaces of type bridge
can contain a few options that are specific for network bridges:
bridge_members
: interfaces that are members of the bridgestp
: spanning tree protocol
The OpenWrt
backend NetJSON extensions for bridge interfaces:
key name | type | default | allowed values |
---|---|---|---|
igmp_snooping |
boolean | True |
sets the multicast_snooping kernel setting for a bridge |
Bridge interface example¶
The following configuration dictionary:
{
"interfaces": [
{
"name": "eth0.1",
"network": "lan",
"type": "ethernet"
},
{
"name": "eth0.2",
"network": "wan",
"type": "ethernet"
},
{
"name": "lan_bridge", # will be named "br-lan_bridge" by OpenWRT
"type": "bridge",
"stp": True, # enable spanning tree protocol
"igmp_snooping": True, # enable imgp snooping
"bridge_members": [
"eth0.1",
"eth0.2"
],
"addresses": [
{
"address": "172.17.0.2",
"mask": 24,
"proto": "static",
"family": "ipv4"
}
]
}
]
}
Will be rendered as follows:
package network
config interface 'lan'
option ifname 'eth0.1'
option proto 'none'
config interface 'wan'
option ifname 'eth0.2'
option proto 'none'
config interface 'lan_bridge'
option ifname 'eth0.1 eth0.2'
option igmp_snooping '1'
option ipaddr '172.17.0.2'
option netmask '255.255.255.0'
option proto 'static'
option stp '1'
option type 'bridge'
Wireless settings¶
Interfaces of type wireless
may contain a lot of different combination
of settings to configure wireless connectivity: from simple access points,
to 802.1x authentication, 802.11s mesh networks, adhoc mesh networks, WDS repeaters and much more.
The OpenWrt
backend NetJSON extensions for wireless interfaces:
key name | type | default | allowed values |
---|---|---|---|
network |
array | [] |
attached networks; if left blank will be automatically determined |
Some extensions are applicable only when mode
is access_point
:
key name | type | default | allowed values |
---|---|---|---|
wmm |
boolean | True |
enables WMM (802.11e) support |
ieee80211r |
boolean | False |
enables fast BSS transition (802.11r) support |
reassociation_deadline |
integer | 1000 |
reassociation deadline in time units (TUs / 1.024 ms, 1000-65535) |
ft_psk_generate_local |
boolean | False |
whether to generate FT response locally for PSK networks |
ft_over_ds |
boolean | True |
whether to enable FT-over-DS |
rsn_preauth |
boolean | False |
allow pre-authentication for WPA2-EAP networks |
isolate |
boolean | False |
isolate wireless clients from one another |
macfilter |
string | disable |
ACL policy, accepts: “disable”, “allow” and “deny” |
maclist |
array | [] |
mac addresses filtered according to macfilter policy |
These extensions must be used the wireless
object of a wireless interface eg:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "myWiFi",
# OpenWrt backend NetJSON extensions
"wmm": True,
"isolate": True
}
}
]
}
The same applies for custom configuration options not included in the OpenWrt
backend schema:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "myWiFi",
# custom configuration options not defined
# in the OpenWrt backend schema
"beacon_int": 200,
"noscan": True,
"custom1": "made-up-for-example-purposes",
}
}
]
}
In the following sections some examples of the most common use cases are shown.
Wireless access point¶
The following configuration dictionary represent one of the most common wireless access point configuration:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "myWiFi",
"wmm": True, # 802.11e
"isolate": True # client isolation
}
}
]
}
UCI output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option device 'radio0'
option ifname 'wlan0'
option isolate '1'
option mode 'ap'
option network 'wlan0'
option ssid 'myWiFi'
option wmm '1'
Note
the network
option of the wifi-iface
directive is filled in automatically
but can be overridden if needed by setting the network
option in the wireless
section of the configuration dictionary. The next example shows how to do this.
Wireless attached to a different network¶
In most cases you want to bridge a wireless interface to a different network, usually the LAN bridge:
{
"interfaces": [
{
"name": "eth0",
"type": "ethernet"
},
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "wifi service",
# "network": ["lan"] this proeprty can be omitted
# but may be overridden if needed
}
},
{
"name": "lan", # the bridge will be named br-lan by OpenWRT
"type": "bridge",
"bridge_members": [
"eth0",
"wlan0"
],
"addresses": [
{
"proto": "dhcp",
"family": "ipv4"
}
]
}
]
}
Will be rendered as follows:
package network
config interface 'eth0'
option ifname 'eth0'
option proto 'none'
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
config interface 'lan'
option ifname 'eth0 wlan0'
option proto 'dhcp'
option type 'bridge'
package wireless
config wifi-iface 'wifi_wlan0'
option device 'radio0'
option ifname 'wlan0'
option mode 'ap'
option network 'lan'
option ssid 'wifi service'
Wireless access point with macfilter ACL¶
The OpenWrt
backend supports a custom NetJSON extension for wireless access point
interfaces: macfilter
(read more about macfilter
and maclist
on the
OpenWRT documentation for Wireless configuration).
In the following example we ban two mac addresses from connecting to a wireless access point:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "MyWifiAP",
"macfilter": "deny",
"maclist": [
"E8:94:F6:33:8C:1D",
"42:6c:8f:95:0f:00"
]
}
}
]
}
UCI output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option device 'radio0'
option ifname 'wlan0'
option macfilter 'deny'
list maclist 'E8:94:F6:33:8C:1D'
list maclist '42:6c:8f:95:0f:00'
option mode 'ap'
option network 'wlan0'
option ssid 'MyWifiAP'
Wireless access point with roaming (802.11r)¶
The OpenWrt
backend supports custom NetJSON extensions to support
(802.11r) in wireless access point interfaces (refer
“Fast BSS transition options” section in the OpenWRT documentation for Wireless configuration).
In the following example we configure roaming options for a wireless access point:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "MyWifiAP",
"ieee80211r": True,
"ft_over_ds": False,
"ft_psk_generate_local": True,
"rsn_preauth": True,
"reassociation_deadline": 1000,
"network": ["lan"]
}
}
]
}
UCI output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option device 'radio0'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option ieee80211r '1'
option ifname 'wlan0'
option mode 'ap'
option network 'lan'
option reassociation_deadline '1000'
option rsn_preauth '1'
option ssid 'MyWifiAP'
Wireless mesh (802.11s) example¶
Setting up 802.11s interfaces is fairly simple, in the following example we
bridge eth0
with mesh0
, the latter being a layer2 802.11s
wireless interface.
Note
in 802.11s mesh mode the ssid
property is not required,
while mesh_id
is mandatory.
{
"interfaces": [
{
"name": "eth0",
"type": "ethernet"
},
{
"name": "mesh0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "802.11s",
"mesh_id": "ninux",
"network": ["lan"]
}
},
{
"name": "lan",
"type": "bridge",
"bridge_members": ["eth0", "mesh0"],
"addresses": [
{
"address": "192.168.0.1",
"mask": 24,
"proto": "static",
"family": "ipv4"
}
]
}
]
}
UCI output:
package network
config interface 'eth0'
option ifname 'eth0'
option proto 'none'
config interface 'mesh0'
option ifname 'mesh0'
option proto 'none'
config interface 'lan'
option ifname 'eth0 mesh0'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
option proto 'static'
option type 'bridge'
package wireless
config wifi-iface 'wifi_mesh0'
option device 'radio0'
option ifname 'mesh0'
option mesh_id 'ninux'
option mode 'mesh'
option network 'lan'
Wireless mesh (adhoc) example¶
In wireless adhoc mode, the bssid
property is required.
The following example:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"ssid": "freifunk",
"mode": "adhoc",
"bssid": "02:b8:c0:00:00:00"
}
}
]
}
Will result in:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option bssid '02:b8:c0:00:00:00'
option device 'radio0'
option ifname 'wlan0'
option mode 'adhoc'
option network 'wlan0'
option ssid 'freifunk'
WDS repeater example¶
In the following example we show how to configure a WDS station and repeat the signal:
{
"interfaces": [
# client
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"mode": "station",
"radio": "radio0",
"network": ["wds_bridge"],
"ssid": "FreeRomaWifi",
"bssid": "C0:4A:00:2D:05:FD",
"wds": True
}
},
# repeater access point
{
"name": "wlan1",
"type": "wireless",
"wireless": {
"mode": "access_point",
"radio": "radio1",
"network": ["wds_bridge"],
"ssid": "FreeRomaWifi"
}
},
# WDS bridge
{
"name": "br-wds",
"network": "wds_bridge",
"type": "bridge",
"addresses": [
{
"proto": "dhcp",
"family": "ipv4"
}
],
"bridge_members": [
"wlan0",
"wlan1",
]
}
]
}
Will result in:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
config interface 'wlan1'
option ifname 'wlan1'
option proto 'none'
config interface 'br_wds'
option ifname 'wlan0 wlan1'
option network 'wds_bridge'
option proto 'dhcp'
option type 'bridge'
package wireless
config wifi-iface 'wifi_wlan0'
option bssid 'C0:4A:00:2D:05:FD'
option device 'radio0'
option ifname 'wlan0'
option mode 'sta'
option network 'wds_bridge'
option ssid 'FreeRomaWifi'
option wds '1'
config wifi-iface 'wifi_wlan1'
option device 'radio1'
option ifname 'wlan1'
option mode 'ap'
option network 'wds_bridge'
option ssid 'FreeRomaWifi'
WPA2 Enterprise (802.1x) ap¶
The following example shows a typical wireless access point using WPA2 Enterprise (802.1x) security on OpenWRT, you can use this type of configuration for networks like eduroam:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "eduroam",
"encryption": {
"protocol": "wpa2_enterprise",
"cipher": "auto",
"key": "radius_secret",
"server": "192.168.0.1",
"port": 1812,
"acct_server": "192.168.0.2",
"acct_port": 1813,
"nasid": "hostname"
}
}
}
]
}
UCI Output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option acct_port '1813'
option acct_server '192.168.0.2'
option device 'radio0'
option encryption 'wpa2'
option ifname 'wlan0'
option key 'radius_secret'
option mode 'ap'
option nasid 'hostname'
option network 'wlan0'
option port '1812'
option server '192.168.0.1'
option ssid 'eduroam'
WPA2 Enterprise (802.1x) client¶
WPA2 Enterprise (802.1x) client with EAP-TLS example:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "station",
"ssid": "enterprise-client",
"bssid": "00:26:b9:20:5f:09",
"encryption": {
"protocol": "wpa2_enterprise",
"cipher": "auto",
"eap_type": "tls",
"identity": "test-identity",
"password": "test-password",
}
}
}
]
}
UCI Output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option bssid '00:26:b9:20:5f:09'
option device 'radio0'
option eap_type 'tls'
option encryption 'wpa2'
option identity 'test-identity'
option ifname 'wlan0'
option mode 'sta'
option network 'wlan0'
option password 'test-password'
option ssid 'enterprise-client'
WPA3 Personal (Simultaneous Authentication of Equals)¶
The following example shows a typical wireless access point using WPA3 Personal (SAE) encryption:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "wpa3-personal",
"encryption": {
"protocol": "wpa3_personal",
# WPA3 only supports ccmp
"cipher": "ccmp",
"key": "passphrase012345",
# Management Frame Protection is required for WPA3
"ieee80211w": "2",
}
}
}
]
}
UCI output:
package network
config interface `'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option device 'radio0'
option encryption 'sae+ccmp'
option ieee80211w '2'
option ifname 'wlan0'
option key 'passphrase012345'
option mode 'ap'
option network 'wlan0'
option ssid 'wpa3-personal'
WPA3 Enterprise (802.1x) ap¶
The following example shows a typical wireless access point using WPA3 Enterprise (802.1x) security on OpenWRT, you can use this type of configuration for networks like eduroam:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "eduroam",
"encryption": {
"protocol": "wpa3_enterprise",
# WPA3 only supports ccmp
"cipher": "ccmp",
"key": "radius_secret",
"server": "192.168.0.1",
"port": 1812,
"acct_server": "192.168.0.2",
"acct_port": 1813,
"nasid": "hostname",
"ieee80211w": "2",
}
}
}
]
}
UCI Output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option acct_port '1813'
option acct_server '192.168.0.2'
option device 'radio0'
option encryption 'wpa3+ccmp'
option ieee80211w '2'
option ifname 'wlan0'
option key 'radius_secret'
option mode 'ap'
option nasid 'hostname'
option network 'wlan0'
option port '1812'
option server '192.168.0.1'
option ssid 'eduroam'
WPA3 Enterprise (802.1x) client¶
WPA3 Enterprise (802.1x) client example:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "station",
"ssid": "enterprise-client",
"bssid": "00:26:b9:20:5f:09",
"encryption": {
"protocol": "wpa3_enterprise",
# WPA3 only supports ccmp
"cipher": "ccmp",
"eap_type": "tls",
"identity": "test-identity",
"password": "test-password",
"ieee80211w": "2",
}
}
}
]
}
UCI Output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option bssid '00:26:b9:20:5f:09'
option device 'radio0'
option eap_type 'tls'
option encryption 'wpa3+ccmp'
option identity 'test-identity'
option ieee80211w '2'
option ifname 'wlan0'
option mode 'sta'
option network 'wlan0'
option password 'test-password'
option ssid 'enterprise-client'
WPA2 Enterprise (802.1x) client with EAP-TTLS example:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "station",
"ssid": "enterprise-client",
"bssid": "00:26:b9:20:5f:09",
"encryption": {
"protocol": "wpa2_enterprise",
"cipher": "auto",
"eap_type": "ttls",
"auth": "MSCHAPV2",
"identity": "test-identity",
"password": "test-password",
},
},
}
]
}
UCI Output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option auth 'MSCHAPV2'
option bssid '00:26:b9:20:5f:09'
option device 'radio0'
option eap_type 'ttls'
option encryption 'wpa2'
option identity 'test-identity'
option ifname 'wlan0'
option mode 'sta'
option network 'wlan0'
option password 'test-password'
option ssid 'enterprise-client'
WPA2 Enterprise (802.1x) client with EAP-PEAP example:
{
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "station",
"ssid": "enterprise-client",
"bssid": "00:26:b9:20:5f:09",
"encryption": {
"protocol": "wpa2_enterprise",
"cipher": "auto",
"eap_type": "peap",
"auth": "EAP-MSCHAPV2",
"identity": "test-identity",
"password": "test-password",
},
},
}
]
}
UCI Output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
option auth 'EAP-MSCHAPV2'
option bssid '00:26:b9:20:5f:09'
option device 'radio0'
option eap_type 'peap'
option encryption 'wpa2'
option identity 'test-identity'
option ifname 'wlan0'
option mode 'sta'
option network 'wlan0'
option password 'test-password'
option ssid 'enterprise-client'
Dialup settings¶
Interfaces of type dialup
contain a few options that are specific to dialup connections.
The OpenWrt
backend NetJSON extensions for dialup interfaces:
key name | type | default | allowed values |
---|---|---|---|
proto |
string | pppoe |
3g , 6in4 , aiccu , l2tp , ncm , ppp , pppoa , pppoe , pptp , qmi , wwan |
password |
string | "" |
|
username |
string | "" |
Dialup interface example¶
The following configuration dictionary:
{
"interfaces": [
{
"name": "dsl0",
"network": "xdsl",
"proto": "pppoe",
"password": "jf93nf82o023$",
"username": "dsluser",
"mtu": 1448
}
]
}
Will be rendered as follows:
package network
config interface 'xdsl'
option ifname 'dsl0'
option proto 'pppoe'
option username 'dsluser'
option password 'jf93nf82o023$'
option mtu '1448'
Modem Manager settings¶
Interfaces of type modem-manager
contain a few options
that are specific to modem-manager interfaces (2G, 3G, 4G, LTE, etc).
These are the OpenWrt
backend NetJSON extensions for Modem Manager interfaces:
key name | type | default | allowed values |
---|---|---|---|
proto |
string | modemanager |
modemanager |
apn |
string | empty | APN, can be left blank |
pin |
string | empty | PIN code, can be left blank |
device |
string | empty | path to device (see note below) |
password |
string | empty | password, can be left blank |
username |
string | empty | username, can be left blank |
metric |
integer | 50 |
metric, can be left blank |
iptype |
string | ipv4 |
One of ipv4 , ipv6 , ipv4v6 |
lowpower |
boolean | False |
low power mode |
Note
device
is a required property but can be left empty so that
the default value supplied by the hardware itself and already
present on the device can be left untouched by merging the
configuration generated with netjsonconfig
(instead of fully overwriting it).
Modem Manager interface example¶
The following configuration dictionary:
{
"interfaces": [
{
"type": "modem-manager",
"apn": "apn.operator.com",
"pin": "1234",
"device": "/sys/devices/platform/ahb/1b000000.usb/usb1/1-1",
"username": "user123",
"password": "pwd123456",
"metric": 50,
"lowpower": False,
"name": "modem0",
"mtu": 1500
}
]
}
Will be rendered as follows:
package network
config interface 'modem0'
option apn 'apn.operator.com'
option device '/sys/devices/platform/ahb/1b000000.usb/usb1/1-1'
option ifname 'wwan0'
option lowpower '0'
option metric '50'
option mtu '1500'
option password 'pwd123456'
option pincode '1234'
option proto 'modemmanager'
option username 'user123'
Radio settings¶
The radio settings reside in the radio
key of the configuration dictionary,
which must contain a list of NetJSON radio objects
(see the link for the detailed specification).
Radio object extensions¶
In addition to the default NetJSON Radio object options, the OpenWrt
backend
also requires setting the following additional options for each radio in the list:
key name | type | allowed values |
---|---|---|
driver |
string | mac80211, atheros, ath5k, ath9k, broadcom |
protocol |
string | 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac, 802.11ax |
Radio example¶
The following configuration dictionary:
{
"radios": [
{
"name": "radio0",
"phy": "phy0",
"driver": "mac80211",
"protocol": "802.11n",
"channel": 11,
"channel_width": 20,
"tx_power": 5,
"country": "IT"
},
{
"name": "radio1",
"phy": "phy1",
"driver": "mac80211",
"protocol": "802.11n",
"channel": 36,
"channel_width": 20,
"tx_power": 4,
"country": "IT"
}
]
}
Will be rendered as follows:
package wireless
config wifi-device 'radio0'
option channel '11'
option country 'IT'
option htmode 'HT20'
option hwmode '11g'
option phy 'phy0'
option txpower '5'
option type 'mac80211'
config wifi-device 'radio1'
option channel '36'
option country 'IT'
option disabled '0'
option htmode 'HT20'
option hwmode '11a'
option phy 'phy1'
option txpower '4'
option type 'mac80211'
Automatic channel selection example¶
If you need to use the “automatic channel selection” feature of OpenWRT, you must set
the channel to 0
. You must also set the hwmode
property to tell OpenWRT which
band to use (11g for 2.4 Ghz, 11a for 5 GHz).
The following example sets “automatic channel selection” for two radios, the first radio uses 802.11n in the 2.4 GHz band, while the second uses 802.11ac in the 5 GHz band.
{
"radios": [
{
"name": "radio0",
"phy": "phy0",
"driver": "mac80211",
"protocol": "802.11n",
"channel": 0, # 0 stands for auto
"hwmode": "11g", # must set this explicitly, 11g means 2.4 GHz band
"channel_width": 20
},
{
"name": "radio1",
"phy": "phy1",
"driver": "mac80211",
"protocol": "802.11ac",
"channel": 0, # 0 stands for auto
"hwmode": "11a", # must set this explicitly, 11a means 5 GHz band,
# but this is optional for "802.11ac" because it only
# support 5 GHz band.
"channel_width": 80
}
]
}
UCI output:
package wireless
config wifi-device 'radio0'
option channel 'auto'
option htmode 'HT20'
option hwmode '11g'
option phy 'phy0'
option type 'mac80211'
config wifi-device 'radio1'
option channel 'auto'
option htmode 'VHT80'
option hwmode '11a'
option phy 'phy1'
option type 'mac80211'
802.11ac example¶
In the following example we show how to configure an 802.11ac capable radio:
{
"radios": [
{
"name": "radio0",
"phy": "phy0",
"driver": "mac80211",
"protocol": "802.11ac",
"channel": 36,
"channel_width": 80,
}
]
}
UCI output:
package wireless
config wifi-device 'radio0'
option channel '36'
option htmode 'VHT80'
option hwmode '11a'
option phy 'phy0'
option type 'mac80211'
802.11ax example¶
In the following example we show how to configure an 802.11ax capable radio:
{
"radios": [
{
"name": "radio0",
"phy": "phy0",
"driver": "mac80211",
"protocol": "802.11ax",
"channel": 36,
"channel_width": 80,
}
]
}
UCI output:
package wireless
config wifi-device 'radio0'
option channel '36'
option htmode 'HE80'
option hwmode '11a'
option phy 'phy0'
option type 'mac80211'
Static Routes¶
The static routes settings reside in the routes
key of the configuration dictionary,
which must contain a list of NetJSON Static Route objects
(see the link for the detailed specification).
Static route object extensions¶
In addition to the default NetJSON Route object options, the OpenWrt
backend
also allows to define the following optional settings:
key name | type | default | description |
---|---|---|---|
type |
string | unicast |
unicast, local, broadcast, multicast, unreachable prohibit, blackhole, anycast |
mtu |
string | None |
MTU for route, only numbers are allowed |
table |
string | None |
Routing table id, only numbers are allowed |
onlink |
boolean | False |
When enabled, gateway is on link even if the gateway does not match any interface prefix |
Static route example¶
The following configuration dictionary:
{
"routes": [
{
"device": "eth1",
"destination": "192.168.4.1/24",
"next": "192.168.2.2",
"cost": 2,
"source": "192.168.1.10",
"table": "2",
"onlink": True,
"mtu": "1450"
},
{
"device": "eth1",
"destination": "fd89::1/128",
"next": "fd88::1",
"cost": 0,
}
]
}
Will be rendered as follows:
package network
config route 'route1'
option gateway '192.168.2.2'
option interface 'eth1'
option metric '2'
option mtu '1450'
option netmask '255.255.255.0'
option onlink '1'
option source '192.168.1.10'
option table '2'
option target '192.168.4.1'
config route6 'route2'
option gateway 'fd88::1'
option interface 'eth1'
option metric '0'
option target 'fd89::1/128'
Policy routing¶
The policy routing settings reside in the ip_rule
key of the
configuration dictionary, which is a custom NetJSON extension not present in the
original NetJSON RFC.
The ip_rule
key must contain a list of rules, each rule allows the following options:
key name | type |
---|---|
in |
string |
out |
string |
src |
string |
tos |
string |
mark |
string |
invert |
boolean |
lookup |
string |
goto |
integer |
action |
string |
For the function and meaning of each key consult the relevant OpenWrt documentation about rule directives.
Policy routing example¶
The following configuration dictionary:
{
"ip_rules": [
{
"in": "eth0",
"out": "eth1",
"src": "192.168.1.0/24",
"dest": "192.168.2.0/24",
"tos": 2,
"mark": "0x0/0x1",
"invert": True,
"lookup": "0",
"action": "blackhole"
},
{
"src": "192.168.1.0/24",
"dest": "192.168.3.0/24",
"goto": 0
},
{
"in": "vpn",
"dest": "fdca:1234::/64",
"action": "prohibit"
},
{
"in": "vpn",
"src": "fdca:1235::/64",
"action": "prohibit"
}
]
}
Will be rendered as follows:
package network
config rule 'rule1'
option action 'blackhole'
option dest '192.168.2.0/24'
option in 'eth0'
option invert '1'
option lookup '0'
option mark '0x0/0x1'
option out 'eth1'
option src '192.168.1.0/24'
option tos '2'
config rule 'rule2'
option dest '192.168.3.0/24'
option goto '0'
option src '192.168.1.0/24'
config rule6 'rule3'
option action 'prohibit'
option dest 'fdca:1234::/64'
option in 'vpn'
config rule6 'rule4'
option action 'prohibit'
option in 'vpn'
option src 'fdca:1235::/64'
Programmable switch settings¶
The programmable switch settings reside in the switch
key of the configuration dictionary,
which is a custom NetJSON extension not present in the original NetJSON RFC.
The switch
key must contain a list of dictionaries, all the following keys are required:
key name | type |
---|---|
name |
string |
reset |
boolean |
enable_vlan |
boolean |
vlan |
list |
The elements of the vlan
list must be dictionaries, all the following keys are required:
key name | type |
---|---|
device |
string |
reset |
boolean |
vlan |
integer |
ports |
string |
For the function and meaning of each key consult the relevant OpenWrt documentation about switch directives.
Switch example¶
The following configuration dictionary:
{
"switch": [
{
"name": "switch0",
"reset": True,
"enable_vlan": True,
"vlan": [
{
"device": "switch0",
"vlan": 1,
"ports": "0t 2 3 4 5"
},
{
"device": "switch0",
"vlan": 2,
"ports": "0t 1"
}
]
}
]
}
Will be rendered as follows:
package network
config switch 'switch0'
option enable_vlan '1'
option name 'switch0'
option reset '1'
config switch_vlan 'switch0_vlan1'
option device 'switch0'
option ports '0t 2 3 4 5'
option vid '1'
option vlan '1'
config switch_vlan 'switch0_vlan2'
option device 'switch0'
option ports '0t 1'
option vid '2'
option vlan '2'
Overriding or disabling vid
UCI option¶
The OpenWRT/LEDE UCI vid
option of switch_vlan
sections is automatically inferred
from the vlan
number, although it’s possible to override it or disable it if needed:
{
"switch": [
{
"name": "switch0",
"reset": True,
"enable_vlan": True,
"vlan": [
{
"device": "switch0",
"vlan": 1,
"vid": 110, # manual override
"ports": "0t 2 3 4 5"
},
{
"device": "switch0",
"vlan": 2,
# ``None`` or empty string will remove
# ``vid`` output from the UCI result
"vid": None,
"ports": "0t 1"
}
]
}
]
}
Will be rendered as follows:
package network
config switch 'switch0'
option enable_vlan '1'
option name 'switch0'
option reset '1'
config switch_vlan 'switch0_vlan1'
option device 'switch0'
option ports '0t 2 3 4 5'
option vid '110'
option vlan '1'
config switch_vlan 'switch0_vlan2'
option device 'switch0'
option ports '0t 1'
option vlan '2'
NTP settings¶
The Network Time Protocol settings reside in the ntp
key of the
configuration dictionary, which is a custom NetJSON extension not present in
the original NetJSON RFC.
The ntp
key must contain a dictionary, the allowed options are:
key name | type | function |
---|---|---|
enabled |
boolean | ntp client enabled |
enable_server |
boolean | ntp server enabled |
server |
list | list of ntp servers |
NTP settings example¶
The following configuration dictionary:
{
"ntp": {
"enabled": True,
"enable_server": False,
"server": [
"0.openwrt.pool.ntp.org",
"1.openwrt.pool.ntp.org",
"2.openwrt.pool.ntp.org",
"3.openwrt.pool.ntp.org"
]
}
Will be rendered as follows:
package system
config timeserver 'ntp'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'
option enable_server '0'
option enabled '1'
LED settings¶
The led settings reside in the led
key of the configuration dictionary,
which is a custom NetJSON extension not present in the original NetJSON RFC.
The led
key must contain a list of dictionaries, the allowed options are:
key name | type |
---|---|
name |
string |
default |
boolean |
dev |
string |
sysfs |
string |
trigger |
string |
delayoff |
integer |
delayon |
integer |
interval |
integer |
message |
string |
mode |
string |
The required keys are:
name
sysfs
trigger
For the function and meaning of each key consult the relevant OpenWrt documentation about led directives.
LED settings example¶
The following configuration dictionary:
{
"led": [
{
"name": "USB1",
"sysfs": "tp-link:green:usb1",
"trigger": "usbdev",
"dev": "1-1.1",
"interval": 50
},
{
"name": "USB2",
"sysfs": "tp-link:green:usb2",
"trigger": "usbdev",
"dev": "1-1.2",
"interval": 50
},
{
"name": "WLAN2G",
"sysfs": "tp-link:blue:wlan2g",
"trigger": "phy0tpt"
}
]
}
Will be rendered as follows:
package system
config led 'led_usb1'
option dev '1-1.1'
option interval '50'
option name 'USB1'
option sysfs 'tp-link:green:usb1'
option trigger 'usbdev'
config led 'led_usb2'
option dev '1-1.2'
option interval '50'
option name 'USB2'
option sysfs 'tp-link:green:usb2'
option trigger 'usbdev'
config led 'led_wlan2g'
option name 'WLAN2G'
option sysfs 'tp-link:blue:wlan2g'
option trigger 'phy0tpt'
Including custom options¶
It is very easy to add configuration options that are not explicitly
defined in the schema of the OpenWrt
backend.
For example, in some cases you may need to define a “ppp” interface, which can use quite a few properties that are not defined in the schema:
from netjsonconfig import OpenWrt
o = OpenWrt({
"interfaces": [
{
"name": "ppp0",
"type": "other",
"proto": "ppp",
"device": "/dev/usb/modem1",
"username": "user1",
"password": "pwd0123",
"keepalive": 3,
"ipv6": True
}
]
})
print(o.render())
UCI output:
package network
config interface 'ppp0'
option device '/dev/usb/modem1'
option ifname 'ppp0'
option ipv6 '1'
option keepalive '3'
option password 'pwd0123'
option proto 'ppp'
option username 'user1'
Including custom lists¶
Under specific circumstances, OpenWRT allows adding configuration options in the form of lists.
Many of these UCI options are not defined in the JSON-Schema of the OpenWrt
backend,
but the schema allows adding custom properties.
The OpenWrt
backend recognizes list options for the following sections:
- interface settings
- ip address settings
- wireless settings
- radio settings
Interface list setting example¶
The following example shows how to set a list of ip6class
options:
o = OpenWrt({
"interfaces": [
{
"name": "eth0",
"type": "ethernet",
"ip6class": ["wan6", "backbone"]
}
]
})
print(o.render())
UCI Output:
package network
config interface 'eth0'
option ifname 'eth0'
list ip6class 'wan6'
list ip6class 'backbone'
option proto 'none'
Address list setting example¶
The following example shows how to set a list of dhcp reqopts
settings:
o = OpenWrt({
"interfaces": [
{
"name": "eth0",
"type": "ethernet",
"addresses": [
{
"proto": "dhcp",
"family": "ipv4",
"reqopts": ["43", "54"]
}
]
}
]
})
print(o.render())
UCI Output:
package network
config interface 'eth0'
option ifname 'eth0'
option proto 'dhcp'
list reqopts '43'
list reqopts '54'
Radio list setting example¶
The following example shows how to set a list of advanced capabilities supported
by the radio using ht_capab
:
o = OpenWrt({
"radios": [
{
"name": "radio0",
"phy": "phy0",
"driver": "mac80211",
"protocol": "802.11n",
"channel": 1,
"channel_width": 20,
"ht_capab": ["SMPS-STATIC", "SHORT-GI-20"]
}
]
})
print(o.render())
UCI output:
package wireless
config wifi-device 'radio0'
option channel '1'
list ht_capab 'SMPS-STATIC'
list ht_capab 'SHORT-GI-20'
option htmode 'HT20'
option hwmode '11g'
option phy 'phy0'
option type 'mac80211'
Wireless list setting example¶
The following example shows how to set the supported basic rates of a
wireless interface using basic_rate
:
o = OpenWrt({
"interfaces": [
{
"name": "wlan0",
"type": "wireless",
"wireless": {
"radio": "radio0",
"mode": "access_point",
"ssid": "open",
"basic_rate": ["6000", "9000"]
}
}
]
})
print(o.render())
UCI output:
package network
config interface 'wlan0'
option ifname 'wlan0'
option proto 'none'
package wireless
config wifi-iface 'wifi_wlan0'
list basic_rate '6000'
list basic_rate '9000'
option device 'radio0'
option ifname 'wlan0'
option mode 'ap'
option network 'wlan0'
option ssid 'open'
Including additional files¶
The OpenWrt
backend supports inclusion of arbitrary plain text files through
the files
key of the configuration dictionary. The value of the files
key must be a list in which each item is a dictionary representing a file, each
dictionary is structured as follows:
key name | type | required | function |
---|---|---|---|
path |
string | yes | filesystem path, will be encoded in the tar.gz archive |
contents |
string | yes | plain text contents of the file, new lines must be
encoded as \n |
mode |
string | yes | filesystem permissions, defaults to 0644 |
The files
key of the configuration dictionary is a custom NetJSON extension not
present in the original NetJSON RFC.
Warning
The files are included in the output of the render
method unless you pass
files=False
, eg: openwrt.render(files=False)
Plain file example¶
The following example code will generate an archive with one file in /etc/crontabs/root
:
from netjsonconfig import OpenWrt
o = OpenWrt({
"files": [
{
"path": "/etc/crontabs/root",
"mode": "0644",
# new lines must be escaped with ``\n``
"contents": '* * * * * echo "test" > /etc/testfile\n'
'* * * * * echo "test2" > /etc/testfile2'
}
]
})
o.generate()
Executable script file example¶
The following example will create an executable shell script:
o = OpenWrt({
"files": [
{
"path": "/bin/hello_world",
"mode": "0755",
"contents": "#!/bin/sh\n"
"echo 'Hello world'"
}
]
})
o.generate()
OpenVPN¶
This backend includes the schema of the OpenVpn
backend, inheriting its features.
For details regarding the OpenVPN schema please see OpenVPN backend schema.
Schema additions¶
The OpenWrt
backend adds a few properties to the OpenVPN schema, see below.
key name | type | default | allowed values |
---|---|---|---|
disabled |
boolean | False |
OpenVPN example¶
The following configuration dictionary:
{
"openvpn": [
{
"ca": "ca.pem",
"cert": "cert.pem",
"dev": "tap0",
"dev_type": "tap",
"dh": "dh.pem",
"disabled": False,
"key": "key.pem",
"mode": "server",
"name": "test-vpn-server",
"proto": "udp",
"tls_server": True
}
]
}
Will be rendered as follows:
package openvpn
config openvpn 'test_vpn_server'
option ca 'ca.pem'
option cert 'cert.pem'
option dev 'tap0'
option dev_type 'tap'
option dh 'dh.pem'
option enabled '1'
option key 'key.pem'
option mode 'server'
option proto 'udp'
option tls_server '1'
WireGuard¶
This backend includes the schema of the Wireguard
backend, inheriting its features.
For details regarding the WireGuard schema please see WireGuard backend schema.
Schema additions¶
The OpenWrt
backend adds a few properties to the WireGuard schema, see below.
key name | type | default | description |
---|---|---|---|
network |
string | None |
logical interface name (UCI specific), 2 to 15 alphanumeric characters, dashes and underscores |
nohostroute |
boolean | False |
do not add routes to ensure the tunnel endpoints are routed via non-tunnel device |
fwmark |
string | None |
firewall mark to apply to tunnel endpoint packets |
ip6prefix |
list | [] |
IPv6 prefixes to delegate to other interfaces |
addresses |
list | [] |
list of unique IPv4 or IPv6 addresses |
The OpenWrt
backend also adds wireguard_peers
option for sepecifying a list of
WireGuard Peers. It add the following properties to the wireguard_peers
property of
WireGuard schema.
key name | type | default | description |
---|---|---|---|
interface |
string | None |
name of the wireguard interface, 2 to 15 alphanumeric characters, dashes and underscores |
route_allowed_ips |
boolean | False |
automatically create a route for each of the Allowed IPs for this peer |
WireGuard example¶
The following configuration dictionary:
{
"interfaces": [
{
"name": "wg",
"type": "wireguard",
"private_key": "QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI=",
"port": 51820,
"mtu": 1420,
"nohostroute": False,
"fwmark": "",
"ip6prefix": [],
"addresses": [
{
"proto": "static",
"family": "ipv4",
"address": "10.0.0.5/32",
"mask": 32,
}
],
"network": "",
}
],
"wireguard_peers": [
{
"interface": "wg",
"public_key": "94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE=",
"allowed_ips": ["10.0.0.1/32"],
"endpoint_host": "wireguard.test.com",
"endpoint_port": 51820,
"preshared_key": "",
"persistent_keepalive": 60,
"route_allowed_ips": True,
}
]
}
Will be rendered as follows:
package network
config interface 'wg'
list addresses '10.0.0.5/32/32'
option listen_port '51820'
option mtu '1420'
option nohostroute '0'
option private_key 'QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI='
option proto 'wireguard'
config wireguard_wg 'wgpeer'
list allowed_ips '10.0.0.1/32'
option endpoint_host 'wireguard.test.com'
option endpoint_port '51820'
option persistent_keepalive '60'
option public_key '94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE='
option route_allowed_ips '1'
VXLAN¶
OpenWrt
backend includes the schema requied for generating VXLAN
interface configouration. This is useful of setting up layer 2 tunnels.
VXLAN Settings¶
key name | type | default | description |
---|---|---|---|
network |
string | None |
name of interface, 2 to 15 alphanumeric characters, dashes and underscores |
vtep |
string | False |
VXLAN tunnel endpoint |
port |
integer | 4789 |
port for VXLAN connection |
vni |
integer or string | None |
VXLAN Network Identifier |
tunlink |
list | [] |
interface to which the VXLAN tunnel will be bound |
rxcsum |
boolean | True |
use checksum validation in RX direction |
txcsum |
boolean | True |
use checksum validation in TX direction |
mtu |
integer | 1280 |
MTU for route, only numbers are allowed |
ttl |
integer | 64 |
TTL of the encapsulation packets |
VXLAN example¶
The following configuration dictionary:
{
"interfaces": [
{
"name": "vxlan",
"type": "vxlan",
"vtep": "10.0.0.1",
"port": 4789,
"vni": 1,
"tunlink": "",
"rxcsum": True,
"txcsum": True,
"mtu": 1280,
"ttl": 64,
"mac": "",
"disabled": False,
"network": "",
},
]
}
Will be rendered as follows:
package network
config interface 'vxlan'
option enabled '0'
option ifname 'vxlan'
option mtu '1280'
option peeraddr '10.0.0.1'
option port '4789'
option proto 'vxlan'
option rxcsum '1'
option ttl '64'
option txcsum '1'
option vid '1'
VXLAN over WireGuard example¶
Since a layer 2 tunnel can be encapsulated in a layer 3 tunnel, here is an example configuration for setting up a VXLAN tunnel over WireGuard.
The following configuration dictionary:
{
"interfaces": [
{
"name": "wgvxlan",
"type": "wireguard",
"private_key": "QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI=",
"port": 51820,
"mtu": 1420,
"nohostroute": False,
"fwmark": "",
"ip6prefix": [],
"addresses": [
{
"proto": "static",
"family": "ipv4",
"address": "10.0.0.5/32",
"mask": 32,
}
],
"network": "",
},
{
"name": "vxlan",
"type": "vxlan",
"vtep": "10.0.0.1",
"port": 4789,
"vni": 1,
"tunlink": "wgvxlan",
"rxcsum": True,
"txcsum": True,
"mtu": 1280,
"ttl": 64,
"mac": "",
"disabled": False,
"network": "",
},
],
"wireguard_peers": [
{
"interface": "wgvxlan",
"public_key": "94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE=",
"allowed_ips": ["10.0.0.1/32"],
"endpoint_host": "wireguard.test.com",
"endpoint_port": 51820,
"preshared_key": "",
"persistent_keepalive": 60,
"route_allowed_ips": True,
}
]
}
Will be rendered as follows:
package network
config interface 'wgvxlan'
list addresses '10.0.0.5/32/32'
option listen_port '51820'
option mtu '1420'
option nohostroute '0'
option private_key 'QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI='
option proto 'wireguard'
config interface 'vxlan'
option enabled '1'
option ifname 'vxlan'
option mtu '1280'
option peeraddr '10.0.0.1'
option port '4789'
option proto 'vxlan'
option rxcsum '1'
option ttl '64'
option tunlink 'wgvxlan'
option txcsum '1'
option vid '1'
config wireguard_wgvxlan 'wgpeer'
list allowed_ips '10.0.0.1/32'
option endpoint_host 'wireguard.test.com'
option endpoint_port '51820'
option persistent_keepalive '60'
option public_key '94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE='
option route_allowed_ips '1'
All the other settings¶
Do you need to include some configuration directives that are not defined in
the NetJSON spec nor in the schema of the OpenWrt
backend? Don’t panic!
Because netjsonconfig aims to be very flexible, it ships code that will try to render extra parts of the configuration dictionary into meaningful UCI output.
In order to accomplish this, you must add extra keys to the configuration dictionary which have to meet the following requirements:
- the name of the key must be the name of the package that needs to be configured
- the value of the key must be a
list
- each element in the list must be a
dict
- each
dict
MUST contain a key namedconfig_name
- each
dict
MAY contain a key namedconfig_value
This feature is best explained with a few examples.
Dropbear example¶
The following configuration dictionary:
{
"dropbear": [
{
"config_name": "dropbear",
"config_value": "dropbear_1",
"PasswordAuth": "on",
"RootPasswordAuth": "on",
"Port": 22
}
]
}
Will be rendered as follows:
package dropbear
config dropbear 'dropbear_1'
option PasswordAuth 'on'
option Port '22'
option RootPasswordAuth 'on'
OLSRd2 example¶
The following configuration dictionary:
{
"olsrd2": [
{
"config_name": "global",
"config_value": "global",
"pidfile": "/var/run/olsrd2.pid",
"lockfile": "/var/lock/olsrd2"
},
{
"config_name": "log",
"config_value": "log",
"syslog": "true",
"stderr": "true",
"file": "/var/log/olsrd2.log"
},
{
"config_name": "interface",
"config_value": "olsr2_common",
"ifname": [
"loopback",
"wlan0",
"wlan1"
]
}
]
}
Will be rendered as follows:
package olsrd2
config global 'global'
option lockfile '/var/lock/olsrd2'
option pidfile '/var/run/olsrd2.pid'
config log 'log'
option file '/var/log/olsrd2.log'
option stderr 'true'
option syslog 'true'
config interface 'olsr2_common'
list ifname 'loopback'
list ifname 'wlan0'
list ifname 'wlan1'