OpenWrt 21.02.0, a significant new release, has just been published. It stands out for its increased minimum hardware requirements: because the default build includes additional Linux kernel subsystems, a device with 8 MB of Flash and 64 MB of RAM is now required to use OpenWrt.
Users who create their own build can still strip it down to run on devices with 4 MB of Flash and 32 MB of RAM, but the functionality of such a build will be limited and stability is not guaranteed.
The base package set includes packages to support the WPA3 wireless security technology, which is now available by default both in client mode and when creating an access point. WPA3 protects against brute force attacks (it does not allow offline brute forcing) and uses the SAE authentication protocol. Most wireless controllers offer WPA3 capability.
The base package set also includes TLS and HTTPS support by default, allowing you to access the LuCI web interface over HTTPS and to use utilities such as wget and opkg to retrieve information over encrypted channels. The servers that distribute packages downloaded via opkg have also been switched to HTTPS by default.
The mbedTLS library previously used for encryption has been replaced by wolfSSL (if necessary, you can manually install the mbedTLS and OpenSSL libraries, which are still provided as options). To configure automatic redirection to HTTPS, the option "uhttpd.main.redirect_https=1" is available for the web interface.
Another change is initial support for the kernel's DSA (Distributed Switch Architecture) subsystem, which provides tools to configure and manage cascades of interconnected Ethernet switches using the same mechanisms that configure ordinary network interfaces (iproute2, ifconfig). DSA can be used to configure ports and VLANs instead of the previously offered swconfig tool, but not all switch controllers support DSA yet.
The syntax of the configuration file /etc/config/network has changed. In the "config interface" block, the "ifname" option has been renamed to "device", and in the "config device" block, the "bridge" and "ifname" options have been renamed to "ports". Separate files with device configuration (layer 2, "config device" block) and network interfaces (layer 3, "config interface" block) are now generated for new installations.
To maintain backward compatibility, the old syntax is still supported, so previously created configurations do not require any changes. When the web interface finds the old syntax, it offers to migrate to the new syntax, which is required in order to edit the configuration through the web interface.
Other notable changes:
- New bcm4908 and rockchip platforms have been added for Broadcom BCM4908 and Rockchip RK33xx SoC-based devices. Device support gaps have been closed for previously supported platforms.
- Support for the ar71xx platform has been removed; the ath79 platform should be used instead (for devices tied to ar71xx, it is recommended to reinstall OpenWrt from scratch). Additionally, support for the cns3xxx, rb532, and samsung (SamsungTQ210) platforms has been discontinued.
- The executables of applications involved in processing network connections are built in PIE mode (Position Independent Executables) with full support for Address Space Layout Randomization (ASLR), to make vulnerabilities in such applications harder to exploit.
- The Linux kernel is now compiled with the options for container isolation technologies enabled by default, allowing the use of the LXC toolkit and procd-ujail mode in OpenWrt on most platforms.
- The ability to build with support for the SELinux mandatory access control system has been added (disabled by default).