Building an OpenWrt Router System with Docker

Introduction of the Author

Author: Dean

Position: Operations Development Engineer

Website: https://deanit.cn

Blog: https://blog.deanit.cn

Expertise:

[Virtualization, Containerization, Automated Operations, CICD, Monitoring, Logging, Middleware, Dual Machine Hot Backup, Distributed Storage, Database, Authentication, Networking Tunnel, Kali Security Penetration, Network Attacks, Load Balancing, HTML, CSS, JS, jQuery, Vue3, Shell, Python, Go, Frontend and Backend Frameworks]

Preface

OpenWrt provides router functionalities, allowing it to manage traffic from switches that cannot install software. Additionally, changing the gateway to OpenWrt when connecting to Wi-Fi on a mobile phone is much more convenient for scientific internet access than launching software on the phone.

Deployment Installation

1: Install Docker

1. Use Aliyun mirror acceleration (downloading from the official website may be slow)

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

Command Detailed Explanation:

Download a script from “https://get.docker.com” and execute it via the bash command while passing docker as a parameter to the script, using Aliyun as the mirror accelerator.

-fsSL:

• -f: If the server returns an error code, curl will terminate immediately. Fail silently.
• -s: Silent mode, no progress bar or error messages displayed. Silent mode.
• -S: Show error messages. Show errors.
• -L: Automatically follow redirects. Location.

Using -fsSL options allows the curl command to run in silent mode, terminating operations on errors, and supports automatic redirection. This is a common configuration for providing a more reliable and clean execution environment when downloading and executing scripts or fetching remote files.

| bash: is the command used to execute scripts, passing the downloaded script from curl to the bash command for execution.

-s docker –mirror Aliyun: is the parameter for the bash command, which passes docker as a parameter to the script while using Aliyun as the mirror accelerator.

2. Not using Aliyun acceleration, download directly from the official website

curl -sSL https://get.daocloud.io/docker | sh

Command Explanation: Download a script from “https://get.daocloud.io/docker” and pass the downloaded script from curl to the sh command for execution. The difference between bash and sh is minimal; most Linux systems have bash installed by default, and using sh maintains compatibility.

2. Configure Network

1. Enable promiscuous mode on the network card (in this mode, the network card will receive all data packets on the network it is connected to, not just those with the target MAC address of itself, making it convenient for network traffic capture and analysis).

Input ifconfig to check which network card has the LAN IP (if only one network card is enabled), then enable promiscuous mode.

[root@192 ~]# ifconfig
enp3s0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.50.109  netmask 255.255.255.0  broadcast 192.168.50.255
        inet6 fe80::dc42:1f26:c32b:5bdf  prefixlen 64  scopeid 0x20<link>
        ether 00:e0:4c:68:19:69  txqueuelen 1000  (Ethernet)
        RX packets 10019437  bytes 7646766799 (7.1 GiB)
        RX errors 0  dropped 10119  overruns 0  frame 0
        TX packets 9294960  bytes 10802889814 (10.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0  
# From the above, I can see my network card is enp3s0

[root@192 ~]# ip link set enp3s0 promisc on

2. Create a virtual network MACVLAN (macvlan is a Linux kernel network virtualization technology that can be used to create and manage virtual network interfaces. It can create a virtual network card bound to the host’s physical network card for each virtual machine or container, and each virtual machine or container has its own IP address. This allows virtual machines or containers to communicate directly with other devices on the physical network as if they are directly connected to the physical network)

docker network create -d macvlan --subnet=192.168.50.0/24 --gateway=192.168.50.1 -o parent=enp3s0 macnet

Command Explanation: This command creates a macvlan network named macnet using Docker.

• -d macvlan: Specifies the network driver to be created as macvlan.
• --subnet=192.168.50.0/24: Sets the subnet of the network; here it is set to 192.168.50.0/24, indicating the range of host IP addresses in the network from 192.168.50.1 to 192.168.50.254. 192.168.50.0 is the network segment, and /24 indicates the subnet mask is 255.255.255.0. My computer’s IP is 192.168.50.193, so /24 is written as 192.168.50.0.
• --gateway=192.168.50.1: Sets the gateway address of the network to 192.168.50.1. Since I can enter the router’s (not the optical modem!) background management address by typing 192.168.50.1 in the browser, so 192.168.50.1 is the router’s IP address. Setting the gateway to it means that this OpenWrt network accesses the internet through the router, just like other mobile phones and computers.
• -o parent=enp3s0: Specifies the parent interface of the macvlan network, which is the upper-level network interface. Here, enp3s0 is the name of the physical network card, which will become the parent interface of the macvlan network. -o is the flag for specifying options, indicating that additional options will be passed to the docker network create command.
• macnet: Sets the name of the macvlan network to macnet. After creating the network, you can check the configured networks with the following command.

[root@192 ~] docker network ls
NETWORK ID     NAME              DRIVER    SCOPE
6e1a0e16742d   bridge            bridge    local
136b63f0da30   host              host      local
3b647a96f9dc   macnet            macvlan   local  # This one
b0265f7d9516   none              null      local

3. Configure the network for OpenWrt (the previous step is for the host’s network configuration).

Note: If vim is not installed, please enter sudo yum install vim to install it.

# Create the directory to store the configuration files
mkdir -p /home/docker/openwrt

# Create and edit the network configuration file
vim /home/docker/openwrt/network

After entering the editing interface, press ctrl+shift+v to paste the configuration file below, then modify as required.

Only the ipaddr, gateway, and dns in config interface ‘lan’ need to be modified. The gateway is naturally the same as before, the dns should also be filled in with the router, and ipaddr is the IP you want OpenWrt to use. After setting it up this way, you can enter 192.168.50.254 in the browser to access the OpenWrt background.

config  interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
config globals 'globals'
        option packet_steering '1'
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.50.254'
        option gateway '192.168.50.1'
        option dns '192.168.50.1'
config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'

Note: If the format is incorrect after pasting, follow these steps:

1. Ensure that the output is in lowercase letters.

2. Type the English quotation mark “:” (press and hold shift then press the semicolon key, which is the key next to the letter L).

3. Type set paste (combined with the previous step, the display in the lower left corner should be “:set paste”), then press enter.

4. Press “i” (the successful sign is that the lower left corner has an insert prompt, followed by parentheses, and the parentheses contain “paste”).

5. Press ctrl+shift+v.

3: Pull OpenWrt Image and Start

docker run --restart always --name openwrt -d --network macnet --privileged --ip 192.168.50.254  -v /home/docker/openwrt/network:/etc/config/network registry.cn-shanghai.aliyuncs.com/suling/openwrt:x86_64 /sbin/init

Command Explanation: This command will use the specified OpenWrt image to run a container in the background, connecting the container to the macvlan network named macnet. The container will have privileged permissions (which means processes inside the container will have the same privilege level as those on the host, allowing operations that are not permitted in ordinary containers) and will use the IP address 192.168.50.254. The /etc/config/network directory inside the container will be mounted with the /home/docker/openwrt/network directory on the host (these two network files are essentially the same file on the host). The initialization process of OpenWrt will be executed when the container starts.

• --restart always: Specifies that the container should always restart when it exits. The container will also restart if the Docker daemon restarts.
• -d: Runs the container in the background (daemon mode), executing it in the background.
• --privileged: Grants the container privileges, allowing processes inside the container to perform privileged operations on the host.
• registry.cn-shanghai.aliyuncs.com/suling/openwrt:x86_64: Specifies the name and tag of the OpenWrt image to use.
• /sbin/init: /sbin/init is the initialization process for starting OpenWrt. It is the root process of the entire system, responsible for initializing the system and starting other services and processes that need to run. By specifying /sbin/init as the command to execute when the container starts, it allows the container to start OpenWrt and run normally.

4: Some Common Commands

If the previous steps are executed normally, OpenWrt should start successfully after a while, and you can enter the set IP address to access the OpenWrt background management interface.

1. Check the running Docker containers to see if OpenWrt is running:

docker ps

2. Enter the OpenWrt container:

docker exec -it openwrt bash

• docker exec is a Docker command used to execute commands in a running container.
• -it combines two options; -i indicates interactive mode, and -t allocates a pseudo-terminal.
• openwrt is the name of the target container where the command is to be executed.
• bash is the command to be executed inside the container, which opens an interactive bash shell. This allows you to interact with the container as if you were logging into it from a separate terminal.

Note: Since OpenWrt has its own IP, you can also connect via SSH. If you haven’t set a password in the OpenWrt background management interface, just use the username root and no password to connect via SSH.

3. Stop OpenWrt:

docker stop openwrt

4. Delete the created Docker container (if it gets messed up, you can delete it and create a new one from the image):

docker rm openwrt

Access Web

Username: root

Password: password

Disable DHCP Service

In the “Network – Interface – Lan – Modify” interface, check the option “Ignore this interface (do not provide DHCP service on this interface)” and “Save & Apply“.