Quick Start Guide


Warning:

I am not responsible for any damage of your router if you decide to try this custom
firmware. You should do all under your own risk and responsibility. Your router is 
your router and you should understand the risk to brick it.

NOTE: it is adviced to update to the stock firmware 2.5.1.x before flashing this
version.


1. Flashing Voxels custom firmware build and rolling back to the stock.

Nothing special. The procedure is similar to flashing downloaded official stock
firmware. In general all your current settings (used in the stock firmware) should be
kept. But it is recommended to make the backup of your current settings before flashing.
Identically you can revert to the stock firmware.


2. Overlay partition on USB.

Original stock firmware uses tmpfs overlay partition (in RAM). So all you changes in
the files/dirs are kept only until next reboot of router/satellite. If you need to keep
your changed/added files you should use external USB disk/stick formatted as
ext2/ext3/ext4 with /overlay directory on the root where you should add your new or
modified files keeping the dirtree of Orbi. For example, if you wish to use your own
/etc/dnscrypt-proxy-2.toml just place it into /overlay/etc/dnscrypt-proxy-2.toml.


3. Setting up ssh access to the router and satellite.

After flashing and your settings you may need to have SSH access to router (e.g. if you
wish to use Entware). SSH daemon dropbear in Orbi uses port 22 and accepts root login
with your WebGUI password.


4. Entware.

You can use Entware prepared by me for R7500/R7800/R9000. It works fine with Orbi.

(1) Prepare new USB stick or disk with ext2 or ext3 or ext4 filesystem from telnet/ssh
    console. Label it optware. ext4 is highly recommended for USB HDD. Example how
    to create ext2 filesystem with label optware:

    mkfs.ext4 -L optware /dev/sda1

    or 

    mkfs.ext4 -L optware -O ^metadata_csum /dev/sda1

    to provide compatibility for routers having kernel < 3.6, such as R7500/R7800.

(2) Unpack entware-cortexa15-3x-initial.tar at the root of your stick/disk:

    cd /mnt/sda1
    wget https://www.voxel-firmware.com/Downloads/Voxel/Entware/entware-cortex-a15-3x-initial-generic.tar.gz
    tar xf entware-cortexa15-3x-initial.tar

(3) Run the command from telnet/ssh console:

    nvram set nocloud=1
    nvram commit

(4) Create the file /overlay/root/ .profile to set PATH for Entware:
    ------------------------------------------------------------------------
    #!/bin/sh

    export PATH=/opt/bin:/opt/sbin:/bin:/sbin:/usr/bin:/usr/sbin
    ------------------------------------------------------------------------

(5) Reboot the router/satellite. Check that ls -l /opt/* shows entware directories 
   or symlinks (bin, usr, share, var etc.)


5. Open your own firewall ports.

If you need to make several ports accessible from WAN then create the text file 
/overlay/etc/netwall.conf with ports you need to open. Example of this file:
    ------------------------------------------------------------------------
    ACCEPT		net	  fw		tcp	22,8443
    ACCEPT		net	  fw		udp	1194
    ------------------------------------------------------------------------
(to open TCP ports 22 and 8443 and UDP port 1194).

NOTE: this file should contain LF symbol at the end of last line (press ENTER key in
your text editor).

Additionally you can use your own custom script to add your own iptables rules. This 
script should be named firewall-start.sh and be placed in the /overlay/opt/scripts/
directory, i.e. /overlay/opt/scripts/firewall-start.sh with 755 permission attributes
(i.e. executable).


6. Enable DNSCtypt Proxy-2 or stubby.

To enable DNSCrypt Proxy-2 run from telnet console the commands:

    nvram set dnscrypt2=1
    nvram commit
    reboot

To enable stubby run from telnet console the commands:

    nvram set stubby=1
    nvram commit
    reboot

If both DNSCrypt Proxy-2 and stubby are enabled, only stubby will be used.
To disable DNSCrypt Proxy-2 or/and stubby set them to "0" by nvram.


7. Disable Armor (BitDefender) and Circle update startup.

To disable Armor update daemon run from telnet console the command:

    nvram set noarmor=1
    nvram commit
    reboot

To disable Circle update daemon run from telnet console the command:

    nvram set nocircle=1
    nvram commit
    reboot


8. Disable ReadyCLOUD (XAgent/XCloud).

To disable ReadyCLOUD update daemon run from telnet console the command:

    nvram set nocloud=1
    nvram commit
    reboot


9. Disable SAMBA server start (Network Drive).

To disable SAMBA server run from telnet console the command:

    nvram set samba_disable=1
    nvram commmit
    reboot


10. Custom SAMBA config.

You can use your own custom SAMBA config file using Overlay partition on USB if you
place your custom smb.conf to /overlay/etc/config/samba directory on USB drive i.e.

/overlay/etc/config/samba/smb.conf


11. Custom script to run (for Orbi v2 owners, units w/o USB port).

You can create you own script to execute it after every reboot. Script should be placed
to /mnt/ntgr directory (internal nand) with name: rc.user. I.e.

/mnt/ntgr/rc.user


12. WireGuard client.

To start its using you should

(1). Prepare the text file in Unix format (https://en.wikipedia.org/wiki/Text_file#Unix_text_files)
with name wireguard.conf defining the following values: EndPoint, LocalIP, PrivateKey, 
PublicKey and Port of you WireGuard client config from WG provider.

Example:
------------------------- cut here ---------------------------------------
EndPoint="wireguard.5july.net"
LocalIP="10.0.xxx.xxx/24"
PrivateKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
PublicKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
Port="48574"
------------------------- cut here ---------------------------------------

NOTE: no spaces before/after "=" symbol in example above.
NOTE: the name of the file wireguard.conf is lowercase.

(2) Place this wireguard.conf file to /overlay/etc/ directory of your USB drive 
formatted as ext4 filesystem. I.e. /overlay/etc/wireguard.conf. 

(3) Insert this flash drive into your Orbi RBR50.

(4) Enter by telnet to your router (RBR50) and set the nvram variable wg-client to 1

Code:
nvram set wg-client=1
nvram commit

(5) Reboot your router.

(6) Alternative way: place this file wireguard.conf to the root of your USB drive 
(any format), attach it to the router and reboot your router. This drive should be 
attached every time you reboot your RBR50.


NOTE: to disable WireGuard client starting just set wg-client to "0" and reboot
the router.


13. OpenVPN client.

Important: only TUN clients are supported

To install OpenVPN client you can use two methods. First, semiautomatic:

(1) Create the folder /openvpn-client at the root of USB stick (name of folder should be lowercase).
(2) Put your *.ovpn config file into this folder (.ovpn extension of the file must be 
    lowercase). 
(3) Insert this USB stick into router. OpenVPN client will be started after 30 seconds.
    And it will be started automatically every time after next reboot if USB drive
    is attached.

Advice: use CA/CERT/KEY of client embedded into you *.ovpn. But separate 
CA/CERT/KEY files also could be used. Every file from /openvpn-client folder on the 
USB stick will be copied to /etc/openvpn/config/client directory of your router. 
To disable OpenVPN client just create the file disable in the folder /openvpn-client 
(/openvpn-client/disable) on your USB stick and insert it into router. 
Now OpenVPN client will not be used.

Second method of installation uses Overlay partition on USB feature: just create 
/overlay/etc/openvpn/config/client directory on your USB drive formated as 
ext2/ext3/ext4 and put your *.ovpn file (and CA/CERT/KEY if any). 
See "Overlay partition on USB".

You can start/stop OpenVPN client manually from telnet console for testing:

    /etc/init.d/openvpn-client start

or 

    /etc/init.d/openvpn-client stop

to stop it. Log file for OpenVPN client is /var/log/openvpn-client.log, check it if you
have problems.

NOTE: you can add your own delay for starting OpenVPN client after reboot by the 
command from telnet:

    nvram set vpn_client_delay=120
    nvram commit

(to set 120 sec. delay)


14. Mounting a CIFS Share.

It is possible to mount remote network share using the Common Internet File System (CIFS).

This feature could be useful for Orbi v2 owners, units w/o USB port for example to
use Entware mounting remote Windows/Mac/Linux/NAS shared network disk to /opt directory.

Example how to mount CIFS Share:

mkdir /mnt/share
mount.cifs //192.168.1.100/DiskC /mnt/share -o user=username,iocharset=utf8,vers=3.02


Voxel.
