Wifi setup for untrusted device

Set up wifi on openwrt router to limit access for untrusted devices.

created: 2021-07-10 | topic: freedom | tag: privacy,network | author: Jason Lenz

Purpose

This article describes how to set up an OpenWrt based router with a custom wifi network that restricts internet access for untrusted devices. Only IP addresses that you have approved can be reached from devices on this wifi network; access to all other IP addresses is blocked.

Background

I have a BOOX Nova2 eReader that I love from a hardware standpoint, however I don’t consider it to be trustworthy enough to connect it unrestricted to the internet. I do however want the convenience of wirelessly transferring eBooks and personal notes back and forth from my personal server to the eReader.

Prerequisite skills

It’s helpful to have the following knowledge/background before tackling this:

Router setup

This assumes you already have OpenWrt (or LibreCMC) installed on your router of choice. The instructions below assume the new wifi to be created will be named “MyWifi_UT”. The “UT” tacked onto the end of the name is what I use to keep track of wifi SSIDs that are set up for untrusted devices. Obviously feel free to name the wifi however you want.

Make sure you can ssh into your router.

Once you’ve accessed the terminal in your router, execute the following commands to set up a separate restricted wifi. Note that uci section names (the “ut” and “MyWifi_UT” identifiers used in the commands below) may contain only letters, digits and underscores, so a name such as “MyWifi-Ut” will not work as a section name. Underscores in contrast are fine.

Create a separate network interface for untrusted traffic. I use “ut” as the name and a base address of 192.168.11.1 but feel free to change that as desired.

# uci -q delete network.ut
# uci set network.ut=interface
# uci set network.ut.proto="static"
# uci set network.ut.ipaddr="192.168.11.1"
# uci set network.ut.netmask="255.255.255.0"
# uci commit network
# /etc/init.d/network restart

Configure wireless.

# WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"
# uci -q delete wireless.MyWifi_UT
# uci set wireless.MyWifi_UT=wifi-iface
# uci set wireless.MyWifi_UT.device="${WIFI_DEV}"
# uci set wireless.MyWifi_UT.mode="ap"
# uci set wireless.MyWifi_UT.network="ut"
# uci set wireless.MyWifi_UT.ssid="MyWifi_UT"
# uci set wireless.MyWifi_UT.encryption="psk2"
# uci set wireless.MyWifi_UT.key="MySecretPassword"
# uci commit wireless
# wifi reload

Configure DHCP.

# uci -q delete dhcp.ut
# uci set dhcp.ut="dhcp"
# uci set dhcp.ut.interface="ut"
# uci set dhcp.ut.start="100"
# uci set dhcp.ut.limit="150"
# uci set dhcp.ut.leasetime="12h"
# uci commit dhcp
# /etc/init.d/dnsmasq restart

Configure the firewall. Put the ut interface in its own zone whose default policy rejects traffic into the router and traffic between zones, then allow only what the untrusted devices need: DHCP and DNS to the router itself (those two rules have no dest, so they match traffic addressed to the router, not traffic forwarded to the wan), and forwarding to specific IP addresses on the wan. A final rule rejects everything else bound for the wan. The order of these rules is important because they are evaluated in the order they appear in the config; in particular the “reject_remaining” rule must be last. Two things to keep in mind: the DNS rule lets the device resolve any name through the router’s resolver, and allowing by IP address means the list has to be updated by hand whenever a server’s address changes.

# uci -q delete firewall.ut
# uci set firewall.ut="zone"
# uci set firewall.ut.name="ut"
# uci set firewall.ut.network="ut"
# uci set firewall.ut.input="REJECT"
# uci set firewall.ut.output="ACCEPT"
# uci set firewall.ut.forward="REJECT"
# uci -q delete firewall.ut_wan
# uci set firewall.ut_wan="forwarding"
# uci set firewall.ut_wan.src="ut"
# uci set firewall.ut_wan.dest="wan"
# uci -q delete firewall.ut_dns
# uci set firewall.ut_dns="rule"
# uci set firewall.ut_dns.name="UT allow DNS"
# uci set firewall.ut_dns.src="ut"
# uci set firewall.ut_dns.dest_port="53"
# uci set firewall.ut_dns.proto="tcp udp"
# uci set firewall.ut_dns.target="ACCEPT"
# uci -q delete firewall.ut_dhcp
# uci set firewall.ut_dhcp="rule"
# uci set firewall.ut_dhcp.name="UT allow DHCP"
# uci set firewall.ut_dhcp.src="ut"
# uci set firewall.ut_dhcp.dest_port="67"
# uci set firewall.ut_dhcp.proto="udp"
# uci set firewall.ut_dhcp.family="ipv4"
# uci set firewall.ut_dhcp.target="ACCEPT"
# uci -q delete firewall.ut_allow_eff
# uci set firewall.ut_allow_eff="rule"
# uci set firewall.ut_allow_eff.name="UT allow eff.org"
# uci set firewall.ut_allow_eff.src="ut"
# uci set firewall.ut_allow_eff.dest="wan"
# uci set firewall.ut_allow_eff.dest_ip="173.239.79.196"
# uci set firewall.ut_allow_eff.target="ACCEPT"
# uci -q delete firewall.ut_reject_remaining
# uci set firewall.ut_reject_remaining="rule"
# uci set firewall.ut_reject_remaining.name="UT reject remaining"
# uci set firewall.ut_reject_remaining.src="ut"
# uci set firewall.ut_reject_remaining.dest="wan"
# uci set firewall.ut_reject_remaining.target="REJECT"
# uci commit firewall
# /etc/init.d/firewall restart
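The allow rules and the reject rule are plain named uci sections, and `uci set` always appends a new named section at the end of the config. That means an allow rule added later lands after “ut_reject_remaining” and never matches. As an added example (not part of the original article), the following POSIX shell script for the router keeps the approved addresses as a list, rebuilds the allow rules from it and re-creates the reject rule last; it also includes a check that can be run against `uci show firewall` output. The script name ut_rules.sh, the UT_APPLY and UCI variables, the ut_allow_<ip> section naming and the second address 203.0.113.10 (a documentation address, not a real server) are assumptions made for the example; the zone “ut” and the forwarding “ut_wan” from the steps above are expected to exist already.

```shell
#!/bin/sh
# Added example, not part of the original article: keep the "ut" allow-list as
# a list of IP addresses and rebuild the rules so that "ut_reject_remaining"
# is always the last rule. Assumes the zone "ut" and the forwarding "ut_wan"
# from the steps above already exist.
# Set UCI=echo to print the uci commands instead of running them.

UCI="${UCI:-uci}"

# uci section names may only contain [A-Za-z0-9_], so 173.239.79.196 becomes
# ut_allow_173_239_79_196 (one section per approved address).
ut_section_name() {
    printf 'ut_allow_%s\n' "$(printf '%s' "$1" | tr '.' '_')"
}

# Read "uci show firewall" output on stdin and print the names of the existing
# ut_allow_* rule sections, one per line, so stale entries can be removed.
ut_existing_allow_sections() {
    sed -n 's/^firewall\.\(ut_allow_[A-Za-z0-9_]*\)=rule$/\1/p'
}

# Rebuild the allow-list from the IPs given as arguments. Existing allow rules
# are taken from "uci show firewall" on stdin. A new named section is always
# appended at the end of the config, so the reject rule is deleted first and
# re-created last; an allow rule placed after the reject rule would never match.
ut_rebuild_rules() {
    for s in $(ut_existing_allow_sections); do
        $UCI -q delete "firewall.$s"
    done
    $UCI -q delete firewall.ut_reject_remaining
    for ip in "$@"; do
        s=$(ut_section_name "$ip")
        $UCI set "firewall.$s=rule"
        $UCI set "firewall.$s.name=UT allow $ip"
        $UCI set "firewall.$s.src=ut"
        $UCI set "firewall.$s.dest=wan"
        $UCI set "firewall.$s.dest_ip=$ip"
        $UCI set "firewall.$s.target=ACCEPT"
    done
    $UCI set firewall.ut_reject_remaining=rule
    $UCI set "firewall.ut_reject_remaining.name=UT reject remaining"
    $UCI set firewall.ut_reject_remaining.src=ut
    $UCI set firewall.ut_reject_remaining.dest=wan
    $UCI set firewall.ut_reject_remaining.target=REJECT
}

# Sanity check for the committed config: read "uci show firewall" on stdin
# (sections are printed in evaluation order) and succeed only if
# ut_reject_remaining exists and no ut_allow_* rule comes after it.
ut_check_order() {
    awk '
        /^firewall\.ut_allow_[A-Za-z0-9_]*=rule$/ { if (seen_reject) bad = 1 }
        /^firewall\.ut_reject_remaining=rule$/   { seen_reject = 1 }
        END { if (seen_reject && !bad) exit 0; exit 1 }
    '
}

# On the router (as root), apply a new list and verify the resulting order:
#   uci show firewall | UT_APPLY=1 sh ut_rules.sh 173.239.79.196 203.0.113.10
# (file name and the second address are assumptions for this example)
if [ "${UT_APPLY:-0}" = "1" ]; then
    uci show firewall | ut_rebuild_rules "$@"
    uci commit firewall
    /etc/init.d/firewall restart
    uci show firewall | ut_check_order || echo "ut_reject_remaining is not the last ut rule" >&2
fi
```

Run it once with UCI=echo to preview the exact uci commands it would issue before letting it touch the live config; the preview is also the easiest way to confirm that the reject rule is the final section emitted.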

Conclusion

You should now be able to connect an untrusted device to this wifi knowing that, apart from DHCP and DNS to the router itself, only traffic to the specific IP addresses you approved will be let through to the internet.

Limitations

References