But will it run Crysis?
Take some OpenWrt with a dash of AdGuardHome, add a splash of Unbound and install it all on a SheevaPlug; will it be a recipe for disaster?
I have a SheevaPlug Dev Kit from 2009 (?).
For many years it ran a host of static and WordPress websites, booting from a multimedia card (a 32 GB MMC running Ubuntu).
But my SheevaPlug was retired a few years ago in favour of a RasPi4 with a solid state drive (a 1 TB SSD running Ubuntu Server).
So, I decided to bring the ‘Plug back to life and use it as a DNS server, VPN and for Pi-hole.
What on Earth is a SheevaPlug?
The SheevaPlug is a “plug computer” designed to provide standard computing features in as small a space as possible. It was a small embedded Linux ARM computer without a display, which can be considered an early predecessor to the Raspberry Pi.
OpenWrt? Never heard of it
The OpenWrt Project is a Linux operating system targeting embedded devices.
Prerequisites
Note:
Some of the content below is taken directly from the source documents.
These commands were correct at the time this page was published.
If you are going to follow my notes it would be prudent to check the source documents for updates and additions.
TFTP server
Trivial File Transfer Protocol (TFTP) is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host.
https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
It is entirely possible to do all of the updating from USB but having done both, I find that pulling files on to the SheevaPlug from my local machine (which is acting as the TFTP server) to be the far easier route.
A TFTP server can be installed by running the following in a Terminal:
sudo apt install tftpd-hpa
Then, check that it is running:
sudo systemctl status tftpd-hpa
Then, take ownership of the TFTP server directory:
sudo chown -R $USER /srv/tftp
Accordingly, any files placed in this directory will be available to pull onto the ‘Plug. Note that TFTP has no authentication: anything in /srv/tftp can be read by any host that can reach the server, so keep only the images being flashed there and stop the tftpd-hpa service once the ‘Plug is up.
A working u-boot
The following process assumes that there is a working u-boot in place, and that the SheevaPlug can actually boot.
There is another post about how to unbrick a SheevaPlug if that needs to be done prior to following this post.
However, if a new u-boot is needed, follow these steps.
Updating u-boot if needed
First, plug in the ‘Plug and power up.
In a terminal on the host, attach to the ‘Plug’s USB serial console:
screen /dev/ttyUSB0 115200
Then, interrupt the boot process (press a key when u-boot announces it is about to autoboot) to get to the ‘Plug’s u-boot prompt, and set the ‘Plug IP:
setenv ipaddr 192.168.0.55
Now, set the local machine’s IP (or the TFTP server IP):
setenv serverip 192.168.0.205
Then, set the ‘Plug MAC Address:
setenv ethaddr 00:50:43:01:63:EA
Finally, load the new u-boot.kwb that was placed in the TFTP directory into RAM (tftpboot only transfers the file; writing it to NAND is the next step):
tftpboot u-boot.kwb
The output should be similar to the below.
=> tftpboot u-boot.kwb
Using egiga0 device
TFTP from server 192.168.0.205; our IP address is 192.168.0.55
Filename 'u-boot.kwb'.
Load address: 0x800000
Loading: ###################################
625 KiB/s
done
Bytes transferred = 502516 (7aaf4 hex)
=>
Wipe and then Write to NAND
Firstly, erase the first 1 MiB (0x100000 bytes) of NAND, which is where u-boot lives:
nand erase 0x0 0x100000
=> nand erase 0x0 0x100000
NAND erase: device 0 offset 0x0, size 0x100000
Erasing at 0xe0000 -- 100% complete.
OK
=>
Secondly, write the new u-boot from RAM to NAND. A wrong or corrupt image at this offset leaves the ‘Plug unable to boot, which is what the unbrick post mentioned above is for:
nand write 0x800000 0x0 0x100000
=> nand write 0x800000 0x0 0x100000
NAND write: device 0 offset 0x0, size 0x100000
1048576 bytes written: OK
=>
Finally, reboot the ‘Plug:
reset
Then, interrupt the boot process to get to the ‘Plug command prompt.
The new u-boot will now need its environment variables re-setting.
Run the following at the u-boot prompt to set the ‘Plug IP:
setenv ipaddr 192.168.0.55
Then, set the local machine’s IP (or the tftp server IP):
setenv serverip 192.168.0.205
Then, set the ‘Plug MAC Address:
setenv ethaddr 00:50:43:01:63:EA
Finally, save the current set of environment variables:
saveenv
=> saveenv
Saving Environment to NAND... Erasing NAND...
Erasing at 0x80000 -- 100% complete.
Writing to NAND... OK
OK
=>
Install OpenWrt
Resources
https://downloads.openwrt.org/releases/23.05.0-rc4/targets/kirkwood/generic/
Boot the ‘Plug
Interrupt the boot process to get to the ‘Plug command prompt.
Then load the OpenWrt factory .bin image into RAM over TFTP:
tftpboot openwrt-23.05.0-rc4-kirkwood-generic-globalscale_sheevaplug-squashfs-factory.bin
=> tftpboot openwrt-23.05.0-rc4-kirkwood-generic-globalscale_sheevaplug-squashfs-factory.bin
Using egiga0 device
TFTP from server 192.168.0.205; our IP address is 192.168.0.55
Filename 'openwrt-23.05.0-rc4-kirkwood-generic-globalscale_sheevaplug-squashfs-factory.bin'.
Load address: 0x800000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
###
694.3 KiB/s
done
Bytes transferred = 5767168 (580000 hex)
=>
Now, erase the ubi partition of the NAND, which is where OpenWrt is to be installed:
nand erase.part ubi
=> nand erase.part ubi
NAND erase.part: device 0 offset 0x100000, size 0x1ff00000
Skipping bad block at 0x169c0000
Erasing at 0x1ffe0000 -- 100% complete.
OK
=>
Then, write the image from RAM to that partition:
nand write 0x800000 ubi 0x600000
=> nand write 0x800000 ubi 0x600000
NAND write: device 0 offset 0x100000, size 0x600000
6291456 bytes written: OK
=>
Finally, reboot the ‘Plug:
reset
After booting there should be the OpenWrt prompt.
OpenWrt BusyBox Prompt
Post OpenWrt Installation
Find the SheevaPlug IP on the network; I use ‘fing’.
Log in via SSH
ssh root@
Change the password. A fresh OpenWrt install has no root password at all, so anyone on the LAN can log in until this is done:
passwd
Update the firmware
cd /tmp
wget https://downloads.openwrt.org/releases/23.05.0/targets/kirkwood/generic/openwrt-23.05.0-kirkwood-generic-globalscale_sheevaplug-squashfs-sysupgrade.bin
sysupgrade openwrt-23.05.0-kirkwood-generic-globalscale_sheevaplug-squashfs-sysupgrade.bin
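The release directories linked above (both the rc4 one used for the factory image and the 23.05.0 one used here for the sysupgrade image) also publish a sha256sums file next to the images. The following shell function is an added example, not code from this post or from OpenWrt, that checks an image against that file before it is flashed, either the factory .bin on the host before it goes into /srv/tftp, or the sysupgrade .bin in /tmp on the ‘Plug before sysupgrade is run. It assumes sha256sum, awk and basename are available, which holds for both the Ubuntu host and OpenWrt’s BusyBox; the file names in the usage comment are the ones from this post.

```shell
#!/bin/sh
# Added example: check an OpenWrt image against the release's sha256sums file
# before it is flashed. Not part of the original post or of OpenWrt itself.
# Usage: verify_image <image-file> <sha256sums-file>
# Returns 0 when the image's SHA-256 matches its entry, 1 on a mismatch,
# and 2 when the sums file has no entry for that file name.
verify_image() {
    image="$1"
    sums="$2"
    name=$(basename "$image")
    # OpenWrt writes entries as "<hash> *<filename>"; the plain
    # "<hash>  <filename>" form that sha256sum writes in text mode is accepted too.
    # The file name is compared as an exact field, never as a pattern.
    expected=$(awk -v n="$name" \
        '($2 == n || $2 == ("*" n)) && $1 ~ /^[0-9a-f]+$/ && length($1) == 64 { print $1; exit }' \
        "$sums")
    if [ -z "$expected" ]; then
        echo "no sha256sums entry for ${name}" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for ${name}: expected ${expected}, got ${actual}" >&2
        return 1
    fi
    echo "sha256 OK: ${name}"
    return 0
}

# Stand-alone use: sh verify.sh <image> <sha256sums>, e.g. in /tmp on the 'Plug:
#   sh verify.sh openwrt-23.05.0-kirkwood-generic-globalscale_sheevaplug-squashfs-sysupgrade.bin sha256sums
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

On the ‘Plug, fetch sha256sums from https://downloads.openwrt.org/releases/23.05.0/targets/kirkwood/generic/ into /tmp alongside the sysupgrade image with wget, run verify_image on the image, and only call sysupgrade if it returns 0. The same check on the host, against the rc4 directory’s sha256sums, covers the factory image before it is copied into /srv/tftp. The sums file is fetched over HTTPS from the same origin as the image, so this catches a truncated or corrupted download rather than a compromised mirror; it is still worth doing, because sysupgrade will happily write a truncated image.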
Update existing packages
OpenWrt uses the opkg package management system.
Opkg is a full package manager for the root file system, including kernel modules and drivers
https://openwrt.org/docs/guide-user/additional-software/opkg
Run the following in a Terminal to refresh the package lists:
opkg update
Then, upgrade all of the installed packages (this might need two passes):
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
Be aware that the OpenWrt opkg documentation advises against bulk upgrades like this: packages from the base image live in the read-only squashfs, so every upgraded copy goes into the overlay and eats flash space, and an upgrade that fails part-way can leave the system in an inconsistent or unbootable state. Upgrade only what you need and keep the sysupgrade image to hand.
Install a few extra packages
These are pretty much the packages that I use all the time:
nano, for editing text files
mc, or Midnight Commander, for a visual file manager
htop, for viewing running processes
Run the following in a Terminal to update:
opkg update
Then, install the packages:
opkg install nano
opkg install mc
opkg install htop
Set the hostname
Run the following in a Terminal to edit the config file:
nano /etc/config/system
Then, change:
option hostname 'OpenWrt'
To:
option hostname 'sheevaplug'
Then, restart:
reboot
Set a fixed IP
Run the following in a Terminal to edit the config file:
nano /etc/config/network
Then, change where needed / appropriate for your network:
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.0.55'
option netmask '255.255.255.0'
option gateway '192.168.0.1'
option broadcast '192.168.0.255'
list dns '8.8.8.8'
Then, restart the network:
/etc/init.d/network restart
Add a non-root user ‘foo’ who can ‘su’
https://openwrt.org/docs/guide-user/additional-software/create-new-users
Install the packages needed to create new users
Run the following in a Terminal to update:
opkg update
Then, install the packages:
opkg install shadow-useradd shadow-su
Create a new ‘foo’ user
useradd -m -s /bin/ash foo
Set a new user ‘foo’ password
passwd foo
Add the SSH Keys and secure login
https://openwrt.org/docs/guide-user/security/dropbear.public-key.auth
Firstly, make a .ssh directory for ‘foo’:
mkdir /home/foo/.ssh
Secondly, add the contents of the public key ‘id_rsa_sheevaplug.pub’ to authorized_keys:
nano /home/foo/.ssh/authorized_keys
Because these are created as root, the directory and file are root-owned, which dropbear accepts, but it will refuse the key if the home directory, .ssh or authorized_keys is writable by group or others, so make sure they are not.
Finally, restart the SSH service
service log restart; service dropbear restart
Test that you can connect to the ‘Plug from another machine (this assumes ‘sheevaplug’ resolves to the ‘Plug and the matching private key is offered, for example via an entry in ~/.ssh/config):
ssh -o PasswordAuthentication=no sheevaplug
And, if the key is RSA and the client is OpenSSH 8.8 or later, which no longer offers the SHA-1 based ssh-rsa signature scheme by default:
ssh -o PasswordAuthentication=no -o PubkeyAcceptedKeyTypes=ssh-rsa sheevaplug
An ed25519 key, which dropbear on OpenWrt 23.05 supports, avoids the need for this second form.
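The following shell function is an added example, not code from this post or from OpenWrt, that does the .ssh and authorized_keys steps above in one go with the checks a practitioner would want before trusting a pasted key line: it refuses a line whose declared key type does not match the type encoded at the start of its base64 blob (every blob of a given type begins with a fixed prefix), refuses blobs that are not well-formed base64, skips a key that is already installed rather than duplicating it, and sets the permissions dropbear insists on (it rejects an authorized_keys file, .ssh directory or home directory that is group- or world-writable). The home path, user name and the all-zero ed25519 key in the usage comment are constructed assumptions; the home directory is expected to exist already, as it does after useradd -m.

```shell
#!/bin/sh
# Added example: install one public key for a non-root user with the checks
# and permissions dropbear requires. Not part of the original post or OpenWrt.
# Usage: install_authorized_key <home-dir> <user> "<public key line>"
# Returns 0 on success (or if the key was already present), 1 on a refused key.

# Base64 prefix that every public-key blob of the given type starts with: the
# blob encodes its own type, so a mismatch means a mangled or spoofed line.
blob_prefix_for() {
    case "$1" in
        ssh-ed25519)          echo "AAAAC3NzaC1lZDI1NTE5" ;;
        ssh-rsa)              echo "AAAAB3NzaC1yc2E" ;;
        ecdsa-sha2-nistp256)  echo "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY" ;;
        ecdsa-sha2-nistp384)  echo "AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ" ;;
        ecdsa-sha2-nistp521)  echo "AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE" ;;
        *)                    return 1 ;;
    esac
}

install_authorized_key() {
    home="$1"; user="$2"; key="$3"
    ktype=$(printf '%s\n' "$key" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')

    prefix=$(blob_prefix_for "$ktype") || {
        echo "refusing key: unsupported type '${ktype}'" >&2; return 1; }
    # The blob must be well-formed base64 (alphabet, padding, length a multiple of 4).
    if ! printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        || [ $(( ${#blob} % 4 )) -ne 0 ]; then
        echo "refusing key: blob is not valid base64" >&2; return 1
    fi
    # ...and must actually encode the type the line claims.
    case "$blob" in
        "$prefix"*) ;;
        *) echo "refusing key: blob does not encode a ${ktype} key" >&2; return 1 ;;
    esac

    sshdir="${home}/.ssh"
    authkeys="${sshdir}/authorized_keys"
    mkdir -p "$sshdir"
    touch "$authkeys"
    # Append only if this exact blob is not already installed.
    if ! grep -qF "$blob" "$authkeys"; then
        printf '%s\n' "$key" >> "$authkeys"
    fi
    # dropbear refuses the key if the home dir, .ssh or authorized_keys is
    # group/world writable, so tighten all three explicitly.
    chmod go-w "$home"
    chmod 700 "$sshdir"
    chmod 600 "$authkeys"
    # Only root can hand ownership to the user; run as that user it is already right.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user" "$sshdir"
    fi
    return 0
}

# Stand-alone use, as root on the 'Plug (the key below is a constructed all-zero
# ed25519 key for illustration, not a real one):
#   install_authorized_key /home/foo foo \
#     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA foo@laptop"
```

After it returns 0, restart dropbear as above and test the key login before disabling password authentication, so a typo in the key line cannot lock you out. The type-versus-blob check is the part worth keeping even if the rest is done by hand: a line whose declared type and blob disagree is not a valid key, and dropbear will simply ignore it, which is easy to mistake for a permissions problem.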
Harden security
Disable password authentication (keys only from now on):
uci set dropbear.@dropbear[0].PasswordAuth="0"
Disable root login with a password. Note that this does not block root over SSH entirely: a key placed in /etc/dropbear/authorized_keys would still let root in, so leave that file absent if root should never log in remotely:
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
Commit the changes
uci commit dropbear
Then, restart
service dropbear restart
Test SSH Security
Logging in as ‘foo’ without offering the key (a password is no longer accepted):
ssh foo@192.168.0.55
Should fail with a message like this:
foo@192.168.0.55: Permission denied (publickey).
Logging in as root:
ssh root@192.168.0.55
Should fail with a message like this:
root@192.168.0.55: Permission denied (publickey).
However, logging in using the SSH key should work:
ssh sheevaplug
User ‘foo’ can then ‘su’ to root with the root password.
Install AdGuardHome
AdGuard Home is network-wide software for blocking ads and tracking.
https://openwrt.org/docs/guide-user/services/dns/adguard-home
AdGuardHome Dashboard Screenshot
Run the following in a Terminal to update:
opkg update
Then install AdGuardHome:
opkg install adguardhome
Make AdGuardHome the Primary DNS
After installing the opkg package, run the following commands over SSH to prepare for making AdGuard Home the primary DNS resolver.
DNS and DHCP are a bit of a hole in my knowledge so the majority of the following commands came from:
https://openwrt.org/docs/guide-user/services/dns/adguard-home
Get the first IPv4 and IPv6 Address of router and store them in following variables for use during the script:
NET_ADDR=$(/sbin/ip -o -4 addr list br-lan | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')
NET_ADDR6=$(/sbin/ip -o -6 addr list br-lan scope global | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')
Check the values that were captured:
echo "Router IPv4 : ""${NET_ADDR}"
echo "Router IPv6 : ""${NET_ADDR6}"
Configure the AdGuardHome DHCP server
Again, the following commands come from:
https://openwrt.org/docs/guide-user/services/dns/adguard-home
1. Enable dnsmasq to do PTR requests:
uci set dhcp.@dnsmasq[0].noresolv="0"
2. Reduce the dnsmasq cache size, as it will only provide PTR/rDNS info:
uci set dhcp.@dnsmasq[0].cachesize="1000"
3. Disable rebind protection. AdGuard Home answers blocked domains with 0.0.0.0, which makes dnsmasq fill the system log with ‘possible DNS-rebind attack detected’ messages. Clients will be querying AdGuard Home directly rather than dnsmasq, so dnsmasq’s filter was no longer protecting them anyway:
uci set dhcp.@dnsmasq[0].rebind_protection='0'
4. Move dnsmasq to port 54, freeing port 53 for AdGuard Home:
uci set dhcp.@dnsmasq[0].port="54"
5. Remove any upstream DNS servers currently configured for dnsmasq:
uci -q delete dhcp.@dnsmasq[0].server
6. Make AdGuard Home, listening on the ‘Plug’s own address on port 53, dnsmasq’s only upstream, so anything dnsmasq cannot answer from its leases is forwarded to it:
uci add_list dhcp.@dnsmasq[0].server="${NET_ADDR}"
Then delete existing configs, ready to install new options:
uci -q delete dhcp.lan.dhcp_option
uci -q delete dhcp.lan.dns
More DHCP configuration
Again, the following commands come from:
https://openwrt.org/docs/guide-user/services/dns/adguard-home
DHCP option 6: the DNS server(s) handed to clients for name resolution, here AdGuard Home on the ‘Plug:
uci add_list dhcp.lan.dhcp_option='6,'"${NET_ADDR}"
DHCP option 3: the default router (gateway) for this interface. The wiki assumes the OpenWrt box is the router; with the fixed-IP configuration above the ‘Plug’s own gateway is 192.168.0.1, so unless the ‘Plug is also doing the routing, put the router’s address here instead of ${NET_ADDR}, otherwise clients will be told to send all their traffic via the ‘Plug:
uci add_list dhcp.lan.dhcp_option='3,'"${NET_ADDR}"
Set IPv6 Announced DNS:
for OUTPUT in $(ip -o -6 addr list br-lan scope global | awk '{ split($4, ip_addr, "/"); print ip_addr[1] }')
do
echo "Adding $OUTPUT to IPV6 DNS"
uci add_list dhcp.lan.dns=$OUTPUT
done
Commit the changes and restart:
uci commit dhcp
/etc/init.d/dnsmasq restart
Finally, setup AdGuardHome
AdGuard Home has its own web interface for configuration and management and is not managed through LuCI.
https://openwrt.org/docs/guide-user/services/dns/adguard-home#web_interface
On first-time setup the web interface listens on TCP port 3000.
Go to http://192.168.0.55:3000/
(This is the ‘Plug IP in my case, not the Router IP as my Router sends ALL traffic to the ‘Plug.)
First, set the admin web interface to listen on all interfaces, port 8080. On the ‘Plug, which has only the lan interface configured above, ‘all interfaces’ means the LAN; the interface is still plain HTTP with a password login, so do not forward it from the Internet.
Then set the DNS server to listen on all interfaces, port 53.
Finally, create an AdGuardHome user and choose a strong password.
Login to AdGuardHome
Go to http://192.168.0.55:8080/
(Again, this is the ‘Plug IP in my case.)
First, set up the DHCP server.
Then turn off DHCP on the router. Two DHCP servers on one LAN will hand out competing leases, so do this as soon as AdGuard Home’s server is on.
Finally, reboot the router.
My SheevaPlug is now acting as my DHCP server!
AdGuardHome DHCP Settings Screenshot
Use Unbound and odhcpd
Unbound is a validating, recursive, and caching DNS resolver.
Why use Unbound?
Dependence on the upstream resolver can be cause for concern. It is often provided by the ISP, and some users have switched to public DNS providers. Either way can result in problems due to performance, hijacking, trustworthiness, or several other reasons. Running a recursive resolver is a solution.
Remove dnsmasq and use odhcpd for both DHCP and DHCPv6
Again, the following commands come from:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_and_dns_examples
Note that dhcpv4="server" makes odhcpd the DHCPv4 server for the LAN. If the AdGuard Home DHCP server enabled in the previous section is still on, there will be two DHCP servers on the same box answering the same LAN, so disable one of them before restarting odhcpd.
opkg update
opkg remove dnsmasq odhcpd-ipv6only
opkg install odhcpd
uci -q delete dhcp.@dnsmasq[0]
uci set dhcp.lan.dhcpv4="server"
uci set dhcp.odhcpd.maindhcp="1"
uci commit dhcp
service odhcpd restart
Use Unbound for DNS
Again, the following commands come from:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_and_dns_examples
Note that Unbound listens on port 53 by default, the port AdGuard Home was set to listen on above, and two services cannot both bind it on the same address. The usual arrangement when both are wanted is to give Unbound a different port (option listen_port in /etc/config/unbound) and point AdGuard Home’s upstream DNS at 127.0.0.1 on that port, so that clients talk to AdGuard Home and AdGuard Home resolves through Unbound.
opkg update
opkg install unbound-control unbound-daemon
uci set unbound.@unbound[0].add_local_fqdn="3"
uci set unbound.@unbound[0].add_wan_fqdn="1"
uci set unbound.@unbound[0].dhcp_link="odhcpd"
uci set unbound.@unbound[0].dhcp4_slaac6="1"
uci set unbound.@unbound[0].unbound_control="1"
uci commit unbound
service unbound restart
uci set dhcp.odhcpd.leasefile="/var/lib/odhcpd/dhcp.leases"
uci set dhcp.odhcpd.leasetrigger="/usr/lib/unbound/odhcpd.sh"
uci commit dhcp
service odhcpd restart
Enable DNS encryption
Enabling the fwd_google zone below makes Unbound forward its queries to Google’s resolvers over DNS-over-TLS rather than recursing from the root itself, and fallback="0" stops it falling back to plain recursion if that forwarder is unreachable. This encrypts the upstream path, which prevents on-path snooping and hijacking of DNS traffic, at the price of trusting a public provider again, which is exactly the trade-off the ‘Why use Unbound?’ section above describes. The wiki also lists bypassing regional restrictions and escaping DNS-based content filters among the reasons.
https://openwrt.org/docs/guide-user/services/dns/dot_unbound
uci set unbound.fwd_google.enabled="1"
uci set unbound.fwd_google.fallback="0"
uci commit unbound
service unbound restart
Using LuCI
While OpenWrt can be managed completely using SSH and the terminal, the LuCI web UI makes many administration tasks easier.
Unbound LuCI interface
To manage the Unbound settings using the LuCI web interface, install the necessary package:
Run the following in a Terminal to update:
opkg update
Then, install the packages:
opkg install luci-app-unbound
service rpcd restart
service odhcpd restart
Congratulations!
Yes, it’s a long-winded process!
Hopefully you made it this far and now have OpenWrt with AdGuardHome and Unbound running on a SheevaPlug.