I have been using OpnSense for the last 4(?) years and have been mostly satisfied with it.
Inspired by an HN article about fixing the NanoPi R4S issue and upgrading the kernel, I searched for this device on Taobao and found that the R5S was available. But wait, there is an R6S!? Just 2 days after release, and lucky enough that the company FriendlyELEC is in my city (Guangzhou), I ordered and received it. Let's power it on.
It came with OpenWrt installed by default, not the official one but a fork named FriendlyWrt. I could boot it, connect it to a monitor and log in, but none of the network ports worked; as advised by the seller, I needed to re-install the system. After installing the latest version with Docker and powering it on again, the networks worked fine.
Here are some notes from setting up and learning the system during the first 3 days.
DDNS with Cloudflare
- Lookup Hostname:
- IP version:
- DDNS Service:
Since I am using wildcard domain names, the script can't handle them and fails with a "can't find zone" error; the simple solution is to hard-code your `zone_id` in the file `/usr/lib/ddns/update_cloudflare_com_v4.sh`. Keep in mind that this file belongs to the ddns-scripts package, so an upgrade of that package will overwrite the edit and you will have to redo it.
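For comparison, here is a small standalone updater that avoids the zone lookup altogether by taking the zone id as a fixed value, so a wildcard record updates cleanly. This is an added example, not the post's edited ddns-scripts file; the zone id, token, record name and the certbot-style paths are placeholders. Use an API token scoped to DNS:Edit on that one zone rather than the global API key, so a compromised router cannot touch anything else in the account.

```shell
#!/bin/sh
# Added example, not the original post's script: a minimal Cloudflare DDNS
# updater that skips the zone lookup by taking the zone id as a fixed value,
# so a wildcard record such as *.myhome.example.tld updates cleanly.
# ZONE_ID, CF_TOKEN and RECORD_NAME below are placeholders (assumptions).
CF_API="https://api.cloudflare.com/client/v4"
ZONE_ID="${ZONE_ID:-0123456789abcdef0123456789abcdef}"    # assumed: copy from the zone overview page
CF_TOKEN="${CF_TOKEN:-replace-with-a-scoped-api-token}"   # assumed: token with DNS:Edit on this zone only
RECORD_NAME="${RECORD_NAME:-*.myhome.example.tld}"        # assumed
RECORD_TYPE="${RECORD_TYPE:-A}"

# JSON body for a record update; pure so it can be checked without network.
cf_record_body() {
    # $1 name, $2 type, $3 address, $4 proxied (true|false)
    printf '{"type":"%s","name":"%s","content":"%s","ttl":1,"proxied":%s}' "$2" "$1" "$3" "$4"
}

# First record id (32 hex chars) in a dns_records list response. "zone_id"
# keys do not match because the pattern requires the quote right before id.
cf_first_id() {
    grep -o '"id":"[0-9a-f]\{32\}"' | head -n 1 | cut -d'"' -f4
}

# Exit 0 when the API response carries "success":true.
cf_ok() {
    grep -q '"success":true'
}

cf_get() {
    curl -fsS -H "Authorization: Bearer $CF_TOKEN" "$CF_API$1"
}

cf_put() {
    curl -fsS -X PUT -H "Authorization: Bearer $CF_TOKEN" \
        -H "Content-Type: application/json" --data "$2" "$CF_API$1"
}

# Update RECORD_NAME to address $1 inside the fixed zone: no zone lookup at all.
cf_update() {
    enc_name=$(printf '%s' "$RECORD_NAME" | sed 's/\*/%2A/g')
    rec_id=$(cf_get "/zones/$ZONE_ID/dns_records?type=$RECORD_TYPE&name=$enc_name" | cf_first_id)
    if [ -z "$rec_id" ]; then
        echo "record $RECORD_NAME not found in zone $ZONE_ID" >&2
        return 1
    fi
    cf_put "/zones/$ZONE_ID/dns_records/$rec_id" \
        "$(cf_record_body "$RECORD_NAME" "$RECORD_TYPE" "$1" false)" | cf_ok
}

# Usage: cf-ddns.sh <current WAN address>, e.g. from a cron entry.
if [ -n "${1:-}" ]; then
    cf_update "$1"
fi
```

The record must already exist in the zone (the script updates, it does not create), and `cf_update` returns non-zero both when the record is missing and when the API reports `"success":false`, so a cron wrapper can log failures instead of silently keeping a stale address.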
Reverse Proxy with Nginx
When using OpnSense I used haproxy, and setting up a service was very cumbersome: I had to click through creating a lot of services and mappings by hand. I am not clever enough to figure out how to manage it with config files, because the haproxy config files are too complicated for me and error-prone when edited manually.
When researching reverse proxies on OpenWrt, I saw people recommending nginx and finally figured out how to set it up with config files, which are easy to understand and easy to back up.
Install `luci-ssl-nginx` and, importantly, `nginx-all-module`; otherwise a missing feature will cause you a headache. For me it was the realip module, which caused the
- Create a TLS cert and key for your public service and save them to e.g. `/etc/certs/myhome.example.tld`; I am using certbot.
- We will listen for our services on port `10443`, since most ISPs block port `443`. Create a port forward for the port (Network -> Firewall -> Port Forwards) to the OpenWrt instance.
- Add services in
If nginx refuses to start with `Error: [emerg] 4775#0: could not build server_names_hash, you should increase server_names_hash_bucket_size: 32`, add the config below to the `/etc/nginx/conf.d/custom.conf` file, which will be included into the http section of the generated nginx config file:
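To show how the pieces above fit together, here is an added example (not the post's own config) that renders the files under `/etc/nginx/conf.d/` from a list of "hostname upstream" pairs: `custom.conf` carries the http-level tuning, including the `server_names_hash_bucket_size` fix for the error above and the realip directives, and each service gets its own `server {}` file listening on 10443. The host names, the certbot file layout under `/etc/certs/`, the LAN range and the upstream addresses are assumptions. Two checks a practitioner would want are built in: `set_real_ip_from` is restricted to the LAN so Internet clients cannot spoof `X-Forwarded-For`, and a `default_server` with `ssl_reject_handshake` means a scanner hitting the bare IP on 10443 gets a TLS alert instead of the first site's certificate.

```shell
#!/bin/sh
# Added example, not the original post's config: render the reverse-proxy site
# files for nginx on OpenWrt. Everything in /etc/nginx/conf.d/*.conf is included
# into the http {} block of the generated nginx.conf, so custom.conf carries the
# http-level tuning and each service gets its own server {} file.
# Host names, certbot paths, LAN range and upstreams are assumptions.
NGINX_CONF_DIR="${NGINX_CONF_DIR:-/etc/nginx/conf.d}"
PUBLIC_DOMAIN="${PUBLIC_DOMAIN:-myhome.example.tld}"      # assumed
CERT_DIR="${CERT_DIR:-/etc/certs/$PUBLIC_DOMAIN}"          # assumed certbot layout
LISTEN_PORT="${LISTEN_PORT:-10443}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"                       # assumed
# "hostname upstream" pairs, one per line (assumed services)
SERVICES="${SERVICES:-
ha.$PUBLIC_DOMAIN 192.168.1.20:8123
git.$PUBLIC_DOMAIN 192.168.1.21:3000
}"

# http-level settings for /etc/nginx/conf.d/custom.conf
render_http_tuning() {
    cat <<EOF
# Several long server_name entries overflow the default 32-byte bucket and
# nginx refuses to start ("could not build server_names_hash"); 64 fixes it.
server_names_hash_bucket_size 64;
# realip (from nginx-all-module): only believe X-Forwarded-For from our own
# LAN, never from arbitrary Internet clients, or logs and access rules can be
# spoofed by anyone who sends the header.
set_real_ip_from $LAN_NET;
real_ip_header X-Forwarded-For;
# websocket upgrade helper used by every site below
map \$http_upgrade \$connection_upgrade { default upgrade; '' close; }
EOF
}

# Catch-all: a client that does not send a known SNI gets a TLS alert instead
# of the first site's certificate (needs nginx >= 1.19.4).
render_default() {
    cat <<EOF
server {
    listen $LISTEN_PORT ssl default_server;
    ssl_reject_handshake on;
}
EOF
}

# One server {} per public hostname; $1 hostname, $2 upstream host:port
render_site() {
    cat <<EOF
server {
    listen $LISTEN_PORT ssl;
    server_name $1;
    ssl_certificate     $CERT_DIR/fullchain.pem;
    ssl_certificate_key $CERT_DIR/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://$2;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;
    }
}
EOF
}

write_config() {
    mkdir -p "$NGINX_CONF_DIR"
    render_http_tuning > "$NGINX_CONF_DIR/custom.conf"
    render_default > "$NGINX_CONF_DIR/00-default.conf"
    printf '%s\n' "$SERVICES" | while read -r host upstream; do
        [ -n "$host" ] || continue
        render_site "$host" "$upstream" > "$NGINX_CONF_DIR/$host.conf"
    done
}

# Set NGINX_APPLY=1 to write the files in place and reload nginx; nginx -t
# runs first so a broken render never takes the running proxy down.
if [ -n "${NGINX_APPLY:-}" ]; then
    write_config && nginx -t && /etc/init.d/nginx reload
fi
```

Run it without `NGINX_APPLY` and with `NGINX_CONF_DIR` pointed at a scratch directory to inspect the output first; the rendered files are plain nginx config, so they can be kept in version control alongside the service list, which is the whole reason for preferring nginx over clicking through haproxy.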
Proxy on OpenWrt
There is a lot of enthusiasm in China for using OpenWrt/LEDE, especially for the VPN/proxy features, but I failed to set up passwall on my device, and it seems it's not possible to set up a transparent proxy for HTTPS traffic, so I just need to run a hysteria proxy client on the router and open port `3128` so any device can use it by explicitly setting the `https_proxy` environment variable.
But setting up a service with init.d on OpenWrt is not straightforward (to me?), so I am going to use the Docker service:
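For anyone who would rather skip Docker, here is an added example of the native way, a procd init script saved as `/etc/init.d/hysteria`. It is not the post's Docker setup; the binary path, the config path and the assumption that `config.yaml` binds hysteria's HTTP listener on port 3128 are mine. Bind that listener to the LAN address and never port-forward 3128 from the WAN, or you are running an open proxy for the whole Internet.

```shell
#!/bin/sh /etc/rc.common
# Added example, not the original post's Docker setup: a procd init script for
# the hysteria client, installed as /etc/init.d/hysteria. Binary path, config
# path and the http listener on 3128 inside config.yaml are assumptions.
USE_PROCD=1
START=95
STOP=10

PROG="${PROG:-/usr/bin/hysteria}"
CONF="${CONF:-/etc/hysteria/config.yaml}"

# Refuse to start with a missing binary or config instead of letting procd
# respawn a dying process every few seconds and flood the log.
hysteria_preflight() {
    [ -x "$PROG" ] || { echo "hysteria: $PROG is not executable" >&2; return 1; }
    [ -r "$CONF" ] || { echo "hysteria: $CONF is not readable" >&2; return 1; }
}

# The exact command line procd supervises (hysteria v2 CLI: client -c <file>).
hysteria_cmdline() {
    printf '%s client -c %s\n' "$PROG" "$CONF"
}

start_service() {
    hysteria_preflight || return 1
    procd_open_instance hysteria
    procd_set_param command "$PROG" client -c "$CONF"
    procd_set_param respawn 3600 5 5   # restart on crash: threshold, timeout, retries
    procd_set_param stdout 1           # both streams end up in logread
    procd_set_param stderr 1
    procd_set_param file "$CONF"       # "reload" restarts only if the config changed
    procd_close_instance
}
```

Enable it with `/etc/init.d/hysteria enable && /etc/init.d/hysteria start`, and check `logread -e hysteria` if the instance does not come up; a failed preflight prints the reason on the console instead of silently doing nothing.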
Some lists can't be downloaded in China due to the GFW, hence the proxy is needed. Under Additional Settings, choose `curl` as the Download Utility and enter `-x localhost:3128 --connect-timeout 20 --silent --show-error --location -o` as the Download Parameter.
- Download it to the client ((my) server (OpenWrt) already has it).
- Start it on the server:
- Run it on the client: