This Docker container brings you OpenWrt, a software-based router solution, in an easy-to-use setup. Unlike other OpenWrt containers, this one provides a full system emulation, complete with OpenWrt's own Linux kernel. Thanks to powerful technologies like KVM and macvtap, OpenWrt runs at nearly native speeds here. We use the original OpenWrt binary builds, so most features should work seamlessly. If you notice any features that aren’t working as expected, please let us know!
- Supports all x86_64 and arm64 Linux based systems
- x86_64 tested on some Intel and AMD systems
- arm64 tested on a Raspberry Pi 5 and Weidmueller UC20-M4000
- Uses official x86_64 and armsr (arm64) OpenWrt builds
- Full system virtualization with qemu
- Nearly native speed due to KVM CPU acceleration and macvtap virtualized bridged networking
- Web-based viewer for tty console
- Attaches two physical Ethernet interfaces (LAN/WAN) exclusively into the docker container
- Creates a virtual LAN between OpenWrt and the host system (LAN only)
- USB pass-through e.g. for modem or Wi-Fi dongles
- Automatic configuration migration when OpenWrt image is updated
Because OpenWrt doesn't provide an update mechanism for user-installed packages, all required packages need to be included in the OpenWrt rootfs image. This Docker image adds the following software to the OpenWrt rootfs:
- LuCI web interface
- SSH server
- Wi-Fi client and access point support
- WireGuard
- mDNS support
- MediaTek MT7961AU Wi-Fi 6 AX chipset based devices (e.g. FENVI 1800Mbps WiFi 6 USB Adapter)
- SIMCOM SIM8262E-M2 based devices (Multi-Band 5G NR/LTE-FDD/LTE-TDD/HSPA+ modem)
Adapt `docker-compose.yml` to your needs and run `docker compose up`.
Images are available at https://hub.docker.com/r/albrechtloh/openwrt-docker.
Currently, three images are available. Automated tests are run against all of them.
- `albrechtloh/openwrt-docker:latest`: Latest OpenWrt stable version e.g. 24.05.5
- `albrechtloh/openwrt-docker:openwrt-2410-snapshot`: Latest OpenWrt 24.10 snapshot version
- `albrechtloh/openwrt-docker:openwrt-master-snapshot`: Latest OpenWrt master version
- Yes, but only `LAN_IF="host"` and `WAN_IF="host"` are supported because WSL doesn't support the `macvtap` driver.
- See issue #5 for details.
I have a board with two Ethernet ports and I want to use one as OpenWrt LAN and one as OpenWrt WAN without losing access to the host Linux system.
- The easiest way is to add a third Ethernet port to the system, e.g. a USB-Ethernet dongle.
- You can also create a bridge on the host and use the option `LAN_IF: "veth,nofixedip"`. See #8 for details.
- You need the u-OS version "u-OS 2.1.1-preview-kvm" to run OpenWrt correctly. Unfortunately, this version is not publicly available. If you are interested, feel free to fill out the contact form at https://www.weidmueller.com/int/solutions/technologies/edge_computing_u_os/index.jsp.
- This special u-OS version is necessary because we need the `kvm` and `macvtap` drivers enabled in the Linux kernel.
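
A host preflight for the two kernel features the answers above depend on (KVM and macvtap), as an added example that is not part of the original project. It assumes the kernel config is readable at `/boot/config-<release>` or `/proc/config.gz`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: host preflight for the kernel features named on this page.

# kernel_config_has SYMBOL FILE: true if SYMBOL is built in (=y) or a module (=m).
# FILE is a plain kernel config or a gzip-compressed one such as /proc/config.gz.
kernel_config_has() {
    sym=$1; file=$2
    [ -r "$file" ] || return 2
    case $file in
        *.gz) gzip -dc "$file" ;;
        *)    cat "$file" ;;
    esac | grep -Eq "^${sym}=[ym]\$"
}

# feature_status SYMBOL MODULE CONFIG_FILE SYSFS_MODULE_DIR
# Prints "loaded" (module directory present), "available" (enabled in the
# kernel config) or "missing".
feature_status() {
    if [ -d "$4/$2" ]; then
        echo loaded
    elif kernel_config_has "$1" "$3"; then
        echo available
    else
        echo missing
    fi
}

# kvm_device_ok PATH: true if PATH is a character device this user can open
# read/write, which is what QEMU needs from /dev/kvm.
kvm_device_ok() {
    [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Report only; always returns 0 so it can be sourced or run before compose.
preflight() {
    cfg=/boot/config-$(uname -r)
    [ -r "$cfg" ] || cfg=/proc/config.gz
    echo "kvm:     $(feature_status CONFIG_KVM kvm "$cfg" /sys/module)"
    echo "macvtap: $(feature_status CONFIG_MACVTAP macvtap "$cfg" /sys/module)"
    if kvm_device_ok /dev/kvm; then
        echo "/dev/kvm: usable"
    else
        echo "/dev/kvm: missing or not accessible to this user"
    fi
}

preflight
```

A `missing` result for macvtap corresponds to the WSL case above, where only `LAN_IF="host"` and `WAN_IF="host"` are supported.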
In the `LAN_IF: "veth"` mode the host virtual Ethernet interface IP address is fixed to 172.31.1.2/24. How can I change it?
You can use the option `nofixedip`, e.g. `LAN_IF: "veth,nofixedip"`, so that no IP address is set after interface creation. But it is then your responsibility to configure the Ethernet interface correctly. The OpenWrt LuCI web interface forwarding only works correctly when the virtual Ethernet interfaces are configured correctly. Furthermore, the OpenWrt LuCI web interface forwarding expects OpenWrt at the IP address 172.31.1.1.
Clone this repo and run
docker build -t openwrt-docker .
If you would like to build a specific OpenWrt version, you can run
docker build -t openwrt-docker . --build-arg OPENWRT_VERSION="23.05.4"
or, for the latest development master, the command below. The `--no-cache` option is necessary to always get the newest version.
docker build --no-cache -t openwrt-docker . --build-arg OPENWRT_VERSION="master"
I would like to thank the following Open Source projects. Without these great works this container would not be possible.
- Lack of User Management in the Web Interface: The web interface does not include built-in user management. Any user who can access the web interface automatically has root access to OpenWrt. To enhance security, it is strongly recommended to place the web interface behind a reverse proxy with proper user authentication and access controls.
- Host Root Access Implications: By design, any user with root access to the host system also has full control over OpenWrt. Such users can sniff Ethernet traffic and perform man-in-the-middle (MITM) attacks, creating significant security risks. The same applies when OpenWrt runs as a virtual machine directly on the host. To mitigate these risks, strictly control and monitor root access to the host system.
- Privileged Mode Requirement for OpenWrt Container: The OpenWrt container must run in privileged mode to ensure exclusive access to the host's Ethernet interfaces and to enable the reverse proxy for LuCI on the host. This is necessary for proper operation but comes with inherent security considerations.
Disclaimer: This software container is a proof of concept and has not undergone comprehensive cybersecurity assessments. Users are cautioned that potential vulnerabilities may exist, posing risks to system security and data integrity. By deploying or using this container, users accept the associated risks, and the developers disclaim any responsibility for security incidents or data breaches. A thorough security evaluation, including penetration testing and compliance checks, is strongly advised before production deployment. The software is provided without warranty, and users are encouraged to provide feedback for collaborative efforts in addressing security concerns. Users acknowledge reading and understanding this disclaimer, assuming responsibility for ensuring their environment's security.