OpenWRT as internet filter for e.g. kids

The internet is for porn.

Therefor, when some content should to be blocked from somebody (e.g. kids), an internet filter is required. If course, primarily this should be handled by talking to the kids and trust! And im not promoting monitoring!

A technical filter solution can be implemented with OpenWRT (15.05 and up). It is an open linux plattform for various WLAN routers, e.g. the TP-Link WR841ND or its bigger brother TP-Link WR1043ND (moar power!).

After following the wiki pages on where to download and how to install the firmware, OpenWRT boots on the router. On first access, the webinterface asks for a password to be set. After setting the password, one can configure the device via ssh as user “root”.

In the default configuration, the LAN ports and the WLAN is put together into a virtual network called “lan”. The WAN port represents another network called “wan”. The internet filter will be set-up between those two, so that every package from the “lan” is checked against a set of criteria and then allowed (or not) to go into the “wan”. For this to work, the WAN port should be connected to the home network with internet access, the to-be-filtered clients can connect via WLAN or LAN.

First step after connecting via SSH is to install the required software (note: the WR841ND will be pretty full so if you want to install more software, get a bigger model or do some USB tricks):

# opkg update && opkg install ipset tinyproxy

Tinyproxy is used to allow access to some defined HTTP sites. It has to be enabled so /etc/config/tinyproxy has to be changed to contain option enabled 1 and it has to be started via /etc/init.d/tinyproxy start.

Next is the firewall. I am sticking to the configuration via /etc/config/firewall, although iptables can be used directly. This has the advantage of being able to use the webinterface as well to change the rules.

The order of the rules is important, as traffic is checked against all traffic until it finds a matching rule. See the attached file for reference. Some pieces are explained in more detail now.

To turn off the internet at certain times:

config rule
        option name             'time based morning'
        option src              'lan'
        option dest             'wan'
        option start_time       '00:00'
        option stop_time        '07:00'
        option weekdays         'mon tue wed thu fri'
        option proto            all
        option extra		'--kerneltz'
	option target           REJECT
        option enabled          '1'

config rule
        option name             'time based evening'
        option src              'lan'
        option dest             'wan'
        option start_time       '21:00'
        option stop_time        '00:00'
        option weekdays         'mon tue wed thu sun'
        option proto            all
        option extra		'--kerneltz'
        option target           REJECT
        option enabled          '1'

The option “–kerneltz” will make the firewall use the kernel timezone instead of the default, UTC. The kernel timezone is configured in /etc/config/system.

To redirect all webtraffic (port 80) to tinyproxy running on the router (whose ip is 172.29.0.1 here):

config redirect
        option name 		'redirect 80 to proxy'
        option src 		'lan'
        option dest 		'wan'
        option src_dport 	'80'
        option dest_ip 		'172.29.0.1'
        option dest_port 	'8888'
	option proto		'tcp'
	option target		'DNAT'

Tinyproxy can than be configured to (see option Filter) to allow certain pages. It is not possible to filter HTTPS (SSL) pages this way (as transparent proxy), recompilation of the packages with SSL support and some more tinkering is required. Squid can also be used.

For specific services, it is easier to make an ip whitelist:

config rule
        option name             'whitelist'
        option src              'lan'
        option dest             'wan'
        option proto            'tcpudp'
        option ipset            'wl'
        option target           'ACCEPT'
	option enabled		'1'

config ipset
        option external         'wl'
        option storage          'hash'
        option match            'dest_net'

This references an ipset with ips where traffic to is allowed. For this to work, /etc/rc.local should contain the following

# load the ipset for whitelisting 
/etc/init.d/firewall stop
ipset flush
ipset destroy
ipset restore < /etc/config/ipset.save
/etc/init.d/firewall start

exit 0

This script stops the firewall during startup, loads the list of ips and restarts the firewall. The ips are saved in /etc/config/ipset.save which could look like

create wl hash:net family inet hashsize 8192 maxelem 165536
add wl 127.0.0.1
add wl 172.29.0.1
add wl ......

Some companies provide their ip networks for easy addition, e.g. BlackBerry and WhatsApp.

The last rule should disallow all traffic (or make it the default behaviour).

Remember, when the “client” has physical access to the router, the failsafe mode can be used to gain access and change the config so disable it (note: be careful not to lock yourself out now).

Leave a Reply

You must be logged in to post a comment.