Posts tagged

OpenWrt

As it happened, Attended Sysupgrade with the latest version of OpenWrt 25.12, since it became the default approach to update OpenWrt devices, started seeing a spike in popularity.

When I first tried this, I was either 1st in the queue or just a few users behind. Days later, when the next version (25.12.1) was released, this jumped to around 200-300. Now, with another release (25.12.2), the servers cannot handle it anymore.

Server response: server overload, queue contains too many build requests: 1001

Following a discussion with one of my visitors, it was suggested that I use someone else’s server for Attended Sysupgrade, but there is always a catch to that. The recommended server uses SNAPSHOT builds as default, which I do not recommend for a production or business environment. While you can play with it on a home router, in business, you need to rely on stability.

I have been thinking that maybe I will create my own server for that purpose. I already have a small mini-PC at home (and at work) — a Chromebox repurposed as an Ubuntu Server running Docker. My usage is not massive, and there is plenty of computing power available.

I should have discovered this years ago!

I never came across this feature, and it was apparently available a few versions ago. Just now, when version 25.12.0 was officially released, I learned how to simplify upgrading from one version to another (I did this from 24.10.2 to 25.12.0).

I have developed my own routine for backing up packages and configuration files, installing a new image, and restoring everything. To be honest, I always hate doing that, especially in a business environment, as it always requires some downtime. This is why I sometimes fall behind on some sub-versions of OpenWrt firmware (I was still on 24.10.2 instead of 24.10.5).

When you cannot afford extended downtime, you can minimise it with this approach: Attended Sysupgrade (ASU).

For some time, I have been covering topics concerning OpenWrt on my website. One of the primary interests among my users has been the implementation of WireGuard and adding a Cloudflare WARP tunnel, as well as managing multiple internet connections on a single router.

What I have not yet covered is how to conditionally route traffic once we have established two internet connections, or when we have added a virtual connection (such as a VPN) to the router on a single physical connection.

While firewall rules can be used to route traffic, they are not always straightforward to implement; consequently, I looked for an alternative solution.

I was particularly interested in being able to quickly configure a router to direct traffic from a specific device over a VPN tunnel whenever necessary. To assist with this, I looked into the PBR (Policy-Based Routing) package.

In the past, I have followed a method of updating OpenWrt devices with an option to restore all installed packages and their configurations without needing to spend hours on reconfiguring and testing everything.

This method uses a simple script run in the terminal to generate a list of installed packages, followed by a web interface to generate a backup file used to restore everything.

As long as the backup file is generated correctly, the restoration process works well, but the problem arises when it isn’t!

On several routers with OpenWrt (24.10.x) that I worked with over recent weeks, I experienced a strange issue that caused me to rethink how I generate a backup file to later use to restore all packages and settings after updating OpenWrt to the latest version.

I discovered this issue the hard way when I wanted to extract a backup to retrieve some configuration from individual files. I noticed that the backup failed to extract correctly.

This was fixed in OpenWrt 25.12; however, I have left it for reference. If you are upgrading from 24.10 to 25.12 and your backup is generated incorrectly, you will not be able to upgrade to 25.12 while retaining packages using Attended Sysupgrade.

The day has come when my £25pm Toob Fibre 900/900Mbps, via CityFibre infrastructure, was finally installed.

After all the wiring was done, the new Toob router was connected, and I started testing.

To my surprise, Toob switched to a different Linksys Velop model than I initially expected. I have been supplied with Linksys SPNMX56 (SPNMX56TB to be exact), which, by default, comes with a 2.5 Gbps WAN port.

From my previous post, where I chose £40 Linksys MX4200 as my next router, I did an analysis of my needs, and I concluded that I am fine with a 1Gbps WAN port. Toob’s approach to go with 2.5Gbit is more future-proof thinking. If they want to offer higher plans, they will not need to replace hardware. For my needs and 900Mbps connection, the 1Gbps (1000Mbps) port is more value for money.

In my previous post, In search of the perfect OpenWrt router, I discussed my potential future router. When I started researching it more thoroughly, I paused purchasing the Brume 2 and tried to think of what would be better.

I looked into the Brume 2 when I began researching a potential change of broadband provider from Virgin Media to a full (synchronous) fibre connection (CityFibre).

With the provider (reseller) that I am currently considering (Toob), a 900/900Mbps connection offered the best value for money (£25 per month with no price increases over the whole contract period). However, to achieve that speed, they need to provide me with the right hardware.

I’ve noticed that most resellers of CityFibre services utilise Linksys devices, particularly the MX4200 in its second version (v2). This model is sometimes branded as the Linksys Velop MX4200 (AX4200) or ISP-branded as the Linksys SPNMX42, which is simply a v2 in disguise. However, Linksys has already discontinued this device.

Recently, I faced an issue with mwan3, a package on OpenWrt routers that is designed to manage multiple internet connections, either for load balancing or a failover.

At work, we have two fibre connections, where the main one is used primarily and the second is online, but only activated when the first goes down – typical failover approach.

The first connection (let's call it fibre) has metric 10, whereas the second connection (fibre2) has metric 20.

For tech guys, the first fibre is uncontended with a static IP, whereas our backup fibre is contended over PPPoE.

My main policy in mwan3 is fibre_fibre2.

The fibre_fibre2 policy contains the fibre_m1_w3 (Metric 1, Weight 3) and fibre2_m2_w2 (Metric 2, Weight 2) members.

When fibre is down, fibre2 takes over and all traffic flows through nicely, almost.

A router with custom firmware (OpenWrt) is a basic device on my home network, but I am also using it in the business environment as a main device, and all works great.

In the past, I used DD-WRT on my routers. Although their project is still ongoing, I found it lagging behind current needs.

My use of OpenWrt strictly depends on the device (the router) that I am using. I always choose a device that will work for me and will not bend under spikes of load.

Cloudflare, let’s be honest, is an incredibly generous organization, offering a range of services that we rarely have to pay for. Individuals, families, small or medium-sized businesses can use their technology without having to spend money unless they need to.

Among the range of services, DNS servers (1.1.1.1) and DNS encryption service deserve recognition. In combination with their software available on a range of platforms, not only can we speed up our internet surfing, but we can also increase our security.

OpenWrt, on the other hand, is incredible software designed to increase the security of our network device, the router, and it also adds the ability to expand the capabilities of our hardware.

By combining Cloudflare with OpenWrt software and an additional software package, we can introduce Secure DNS to our network, which I wrote about some time ago.

Moreover, when we need to access our local network resources from anywhere in the world, we can use the Cloudflare Zero Trust service by creating a secure tunnel.

Zero Trust, offered as part of our Cloudflare account (and in the free version), is not just a “VPN” tunnel. Zero Trust also offers a number of other options. One of them is the ability to create “your own” secure DNS server.

If you follow my website and posts related to OpenWrt, you have probably come across my post about installing a VPN server on an OpenWrt router using WireGuard.

WireGuard is one of the fastest protocols available for creating a VPN connection. Thanks to it, from the Internet, we can easily connect to our network and use it, either for local purposes (access to a printer or network drive) or to limit regional restrictions. Being outside the country, I can connect to my router at any time and my device will appear on the Internet as if it were where the router is, i.e. in the UK.

This super fast solution, however, requires configuration, which can sometimes be complex and cause various errors (although it is usually much easier than other VPNs).

WireGuard also has a limitation. To connect to our router, we need an external (static or dynamic, it doesn’t matter) IP address.
