Finally decided to take network security at home a bit more seriously and put all my Internet-of-Shit devices into a contained network that I can monitor, control and isolate better. I am still in the process of setting this up and toying with both OpnSense and OpenWRT. My current plan is to run either one as the router as a VM on my home server which has three NICs. Since installing OpenWRT as a VM was a lot more interesting, decided to document the steps here:
OpenWRT is just Linux, so I thought booting it up in a VM would be straightforward. It mostly is once I understood some of the limitations of the distribution image format. Unlike OpnSense, OpenWRT as far as I can tell, does not have ISO images. What we instead get are raw images. Here is the sequence of steps to get a OpenWRT image booted as a VM in ProxMox, making sure you have it setup to route across two networks and optionally resizing the root filesystem to be large enough to install what you want:
- CPU configuration – host (emulation is slower, so always prefer this)
- Network configuration – two ProxMox bridges, the one that is the default which acts as WAN side of the OpenWRT VM and the new one that acts as the LAN side of the OpenWRT VM.
- OpenWRT Image – you want an image downloaded from targets/x86/64/ in the OpenWRT download page. I think generic-ext4-combined is a good option. You can read more about the different images here.
- You will need to create a raw disk with the uncompressed image using the following command in your proxmox console as root after the VM is created. VM ID is the ID of the VM that you created to run OpenWRT:
- qm importdisk <VM ID> <path-to-unpacked-openwrt-raw-image> local-lvm
- Next, detach and remove the disk that was attached to the OpenWRT VM. Attach the new disk to it.
- Next, boot your VM. Make sure it has network connectivity. If it does not, ensure that the WAN/LAN configuration is how you expect. For example, I had two interfaces defined in the VM and the one that was supposed to be the WAN was picked up as LAN. This is easy to fix – just edit /etc/config/network and make sure your desired WAN interface is listed as follows:
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
- Optional, but highly recommended: Resize the disk. By default, the image is tiny and will have a few 100 MB of spare space. Resizing is an annoying multi-step process.
- Shutdown the VM
- First, resize the disk in proxmox to the desired size. I picked 32 GB for now.
- Boot the VM
- Run opkg update, opkg install parted losetup resize2fs
- Resize the root partition by running
parted -s /dev/sda resizepart 2 100%
- Reboot
- Expand the root filesystem to occupy the entire partition by running
- losetup /dev/loop0 /dev/sda2
- resize2fs -f /dev/loop0
- reboot