OpenWrt: Backup/Restore

(2013-03-17)

OpenWrt is a nice FOSS Linux firmware (primarily) for wireless routers, which I use for many years. Even though I never experienced a problem with my routers, I’d like to be prepared for hardware failures, software failures and getting my router compromised. Here is a short description of each scenario so that it is clear what I mean:

  • Hardware failure: The flash in my router dies and after rebooting, neither the read-only part nor my configuration can be read, so the device does not work anymore. The only solution is to buy a new router, or have a hot spare ready. This is the worst case.
  • Software failure: After my network provider’s intern decides to fuzz the customer IP range instead of their testbed, he discovers an implementation flaw in the router’s PPPoE software and subsequently, the router deletes all the read/write data (i.e. my configuration). The solution is to reformat the read/write part of the flash and restore the latest backup. This story covers not only software failure, but also human failure when upgrading the router firmware.
  • Compromised router: Some software has a security vulnerability and an attacker obtains access to the router. Since a backdoor might have been installed, I need to re-flash the firmware image and restore my configuration.

All of these points imply having a backup. But did you actually verify that your OpenWrt backup works? What’s your disaster recovery plan for each of the scenarios above?

Backing up

OpenWrt ships with a feature to provide a tar archive containing all your configuration files. You can find it in LUCI’s “System → Backup” tab. Obviously, you need to repeat this step after every configuration change you do.

If you have installed any additional packages, you also need to save the list of packages:

opkg list_installed | cut -f 1 -d ' '

If you have installed any services that ship an init script (e.g. OpenVPN), you also need to keep a note of which ones are enabled/disabled in LUCI’s “System → Startup” tab.

Restoring

The correct order in which to restore your router to a working state is this:

  1. Flash your firmware image (save the original one whenever you flashing, or at least note which precise version you used).
  2. Configure your router so that it can access the internet.
  3. Re-install your packages:
    opkg update && for i in $(cat /tmp/pkgs); do opkg install $i; done
    
  4. Restore your configuration by uploading the tar archive in LUCI’s “System → Backup” tab.
  5. Re-enable any services you have installed (e.g. OpenVPN) in LUCI’s “System → Startup” tab, because that information is not contained in the tar archive.

Restoring to a different device

In case you have a different router, for example because a hardware failure occured or because you want to setup that hot spare I have been talking about, you need to watch out for one little subtlety in the process:

The MAC addresses of the radio interfaces need to be replaced before restoring the backup. Otherwise, OpenWrt will not apply your wireless configuration to the interfaces it finds.

In order to do that, simply edit the relevant file with a text editor and re-pack the tarball:

mkdir /tmp/fix && cd /tmp/fix
tar xf ~/Downloads/backup-OpenWrt-2013-03-13.tar.gz
vi etc/config/wireless
tar czf ~/Downloads/backup-OpenWrt-2013-03-13-fixed.tar.gz *

Building your own firmware image

In case you are dissatisfied with the dependency on the internet in step 3 of the restore procedure, you could build your own firmware image which contains the extra packages that you use. I don’t want to describe that process in depth, but it seems worth pointing out that this is one way to go.

Alternatively, you could also keep a copy of the extra packages, scp them to the router and install them with opkg. Depending on your number of extra packages, one of these will clearly seem easier :-).