OpenWrt

OpenWrt 21.02

End of life · latest 21.02.7 on 2023-05-01 · initial release 2021-09-04 · EoL 2023-05

Get firmware on Downloads (latest 21.02.7). Each version's full technical changelog lives on the wiki; the notes below are the per-release summary.

OpenWrt 21.02.7 — Service Release · 1 May 2023

Main changes between OpenWrt 21.02.6 and OpenWrt 21.02.7

Only the main changes are listed below. See https://openwrt.org/releases/21.02/changelog-21.02.7 for the full changelog.

Security fixes

  • CVE-2023-0464: openssl: Excessive Resource Usage Verifying X.509 Policy Constraints
  • CVE-2023-0465: openssl: Invalid certificate policies in leaf certificates are silently ignored

Device support

  • None

Various fixes and improvements

  • Fix UBI (Unsorted Block Images) bug which prevented some devices from booting

Core components

  • Update uclient from 2021-05-14 to 2023-04-13

OpenWrt 21.02.5 — Service Release · 17 October 2022

Main changes between OpenWrt 21.02.4 and OpenWrt 21.02.5

Only the main changes are listed below. See https://openwrt.org/releases/21.02/changelog-21.02.5 for the full changelog.

Security fixes

Device support

  • None

Various fixes and improvements

  • None

Core components

  • None

OpenWrt 21.02.4 — Service Release · 12 October 2022

Main changes between OpenWrt 21.02.3 and OpenWrt 21.02.4

Only the main changes are listed below. See https://openwrt.org/releases/21.02/changelog-21.02.4 for the full changelog.

Security fixes

  • wolfssl: Fix security problem (CVE-2022-34293, CVE-2022-38152, CVE-2022-38153 and CVE-2022-39173)
  • zlib: Fix security problem (CVE-2022-37434)
  • openssl: Fix security problem (CVE-2022-1292, CVE-2022-2068 and CVE-2022-2097)

Device support

  • Support for the following devices was added:
    • Wavlink WL-WN579X3
    • Sitecom WLR-4100 v1 002
    • Banana Pi M2 Berry
    • YunCore AX820/HWAP-AX820
    • MikroTik RouterBOARD hAP ac lite
    • MikroTik RouterBOARD mAP
  • Youku YK1: speed up spi frequency for YK-L1, split YK1 to YK-L1 and YK-L1c
  • ZBTLink ZBT-WG2626: add reset GPIO for PCIe port 1
  • ZBTLink ZBT-WE1026 5G: fix watchdog reset
  • Asus RT-AC57U: fix WPS button level
  • Archer VR2600: fix switch ports numbering
  • ZyXEL NBG-419N v2: Fix booting
  • Linksys MR8300: add WAN port
  • ramips: several fixes and improvements to mt7620 Ethernet
  • bcm53xx:
    • Disable GRO by default at kernel level
    • Enable & setup packet steering
  • ipq40xx: fix ar40xx driver
  • bcm4908:
    • Enable NVMEM U-Boot env data driver
    • Backport mtd parser for Broadcom’s U-Boot partition
    • fix -EPROBE_DEFER support in bcm4908_enet

Various fixes and improvements

  • kernel:
    • Fix IPv6 flow offloading (FS#3373)
    • Backport LEDs driver for BCMBCA devices
    • Backport mtd dynamic partition patch
    • Fix possible mtd NULL pointer dereference
  • mac80211: fix QCA9561 PA bias
  • mac80211: disable ft-over-ds by default
  • mt76: backport fix encap offload ethernet type check
  • hostapd fixes and improvements:
    • Add support for enabling link measurements
    • Fix uninitialized pointer
  • zlib: backport null dereference fix
  • build system:
    • Switch from xxd tool to xxdi.pl script
    • Check TLS certificates by default when downloading over HTTPS
    • feeds: use git-src-full to allow Git versioning
    • Fix build warnings with grep-3.8
    • Add compatibility with Python 3.11

Core components

  • Update Linux kernel from 5.4.188 to 5.4.215
  • Update openssl from 1.1.1n to 1.1.1q
  • Update wolfssl from 5.2.0 to 5.5.1
  • Update wireless-regdb from 2021.08.28 to 2022.08.12
  • Update intel-microcode from 20210608 to 20220809
  • Update exfat from 5.12.3 to 5.19.1
  • Update iwinfo from 2021-04-30 to 2022-04-26

OpenWrt 21.02.3 — Service Release · 20 April 2022

Main changes from OpenWrt 21.02.2

Only the main changes are listed below. See https://openwrt.org/releases/21.02/changelog-21.02.3 for the full changelog.

Security fixes

  • wolfssl: Fix multiple security problems (CVE-2022-25638, CVE-2022-25640)
  • openssl: Fix security problem (CVE-2022-0778)
  • zlib: Backport security fix for a reproducible crash in compressor

Device support

  • Support for the following devices was added:
    • Yuncore XD3200
    • Yuncore A930
    • MikroTik RouterBOARD mAPL-2nD (mAP lite)
  • ramips: Make memory detection more reliable
  • ramips: Fix reboot for remaining 32 MB boards
  • x86: Add pata_sis driver
  • ipTIME mt7620 devices: Fix flash detection
  • Turris Omnia: Improve detection of u-boot environment with U-boot 2021.09
  • Ubiquiti UniFi: Fix label MAC address
  • mvebu: udpu: Fix initramfs booting
  • a20-olinuxino-lime2: Fix Ethernet link detection on
  • TP-Link TL-WR1043ND v4: Fix TPLINK_HWREV field
  • OCEDO Raccoon: Fix link for long cables
  • Ubiquiti UniFi AP Outdoor+: Fix label MAC address
  • TP-Link WPA8630Pv2: Move to ath79-tiny target
  • Improve support for some GPON SFP modules

Various fixes and improvements

  • Fix SSL certificate validation with some sites especially sites using Let’s Encrypt certificates
  • hostapd fixes and improvemnts:
    • fix radius problem due to invalid attributes
    • Expose more data over ubus
  • base-files: Call “sync” after initial setup
  • imagebuilder: Fix broken image generation with external targets

Core components

  • Update Linux kernel from 5.4.179 to 5.4.188
  • Update openssl from 1.1.1m to 1.1.1n
  • Update cypress-firmware from 5.4.18-2020_0402 to 5.4.18-2021_0812
  • Update mac80211 from 5.10.85 to 5.10.110
  • Update wolfssl from 5.1.1 to 5.2.0

Regressions

Known issues

  • Some IPv6 packets are dropped when software flow offloading is used: FS#3373
    • As a workaround, do not activate software flow offloading, it is deactivate by default.

OpenWrt 21.02.2 — Service Release · 25 February 2022

Main changes from OpenWrt 21.02.1

Only the main changes are listed below. See https://openwrt.org/releases/21.02/changelog-21.02.2 for the full changelog.

Device support

  • Support for the following devices was added:
    • Xiaomi AIoT Router AC2350
    • Linksys EA6300 & EA9200
    • Netgear RAXE500
    • TP-Link TL-WA1201 v2
  • Minew G1-C: Allow dynamic RAM sizes
  • Fix U-Boot hang on lantiq danube-s v1.5 with MX29LV640EB NOR
  • TP-Link tl-mr3020-v3: Fix switch topology
  • Luxul XWR-3150 LAN: Fix ports numbering
  • WD MyBook Live DUO: Fix USB-Port
  • Turris Omnia: Use SFP module, if present
  • OpenMesh OM5P-AC v2: Fixed device tree

Various fixes and improvements

  • Add new rpcapd package
  • chmod 1777 /var/lock to follow FHS 3.0 guideline
  • netifd: fix deletion of ip tunnels (FS#4058)
  • multiple mac80211 backports:
    • Add support Wifi 6 GHz band and HE options in scripts
    • mac80211: fix IBSS/adhoc mode for brcmfmac
  • Add ath10k smallbuffers

Core components

  • Update Linux kernel from 5.4.154 to 5.4.179
  • Update mac80211 from 5.10.68 to 5.10.85
  • Update wolfssl from 4.8.1 to 5.1.1
  • Update wireless-regdb from 2021.04.21 to 2021.08.28
  • Update mt76 from 2021-06-06 to 2021-12-03
  • Update busybox from 1.33.1 to 1.33.2
  • Update intel-microcode from 20200616 to 20210608
  • Update linux-firmware from 20201118 to 20211216
  • Update openssl from 1.1.1l to 1.1.1m
  • Update mbedtls from 2.16.11 to 2.16.12

Regressions

  • Certificate validation fails in wolfssl against some sites especially sites using lets encrypt certificates. This affects for example wget in the default configuration #9283

Known issues

  • Some IPv6 packets are dropped when software flow offloading is used: FS#3373
    • As a workaround, do not activate software flow offloading, it is deactivate by default.

OpenWrt 21.02.1 — Service Release · 25 October 2021

Main changes from OpenWrt 21.02.0

Only the main changes are listed below. See https://openwrt.org/releases/21.02/changelog-21.02.1 for the full changelog.

Major bug fixes

  • Fix Let’s Encrypt certificate handling in WolfSSL
  • Fix sysupgrade for Mikrotik targets
  • Fix sysupgrade for Rockchip target when using squashfs

Device support

  • Add support for iEi Puzzle-M901/Puzzle-M902

Various fixes and improvements

  • Add build system support for Python 3.10
  • Fix which handling on Fedora and MacOS build systems
  • Add Tmux terminfo

Core components

  • Update Linux kernel from 5.4.143 to 5.4.154
  • Update mac80211 from 5.10.42 to 5.10.68
  • Update ath10k-ct to 2021-09-22
  • Update wolfssl from 4.7.0 to 4.8.1

Regressions

  • None

Known issues

  • Some IPv6 packets are dropped when software flow offloading is used: FS#3373
    • As a workaround, do not activate software flow offloading, it is deactivate by default.
  • The menu bar in LuCI is wrongly aligned
    • If this is a real problem for you update the LuCI theme: opkg upgrade luci-theme-bootstrap

OpenWrt 21.02.0 — First Stable Release · 4 September 2021

Highlights in OpenWrt 21.02.0

WPA3 support included by default

WPA3 was already supported in 19.07 but it was not provided by the default set of packages in OpenWrt images.

With 21.02, all packages necessary to provide WPA3 are installed by default in OpenWrt images. WPA3 is supported by most Wifi drivers in OpenWrt.

TLS and HTTPS support included by default

TLS support is now provided by default in OpenWrt images including the trusted CA certificates from Mozilla. It means that wget and opkg now support fetching resources over HTTPS out-of-the-box. The opkg download server is accessed through HTTPS by default. OpenWrt switched from mbedTLS to wolfSSL as the default SSL library. mbedTLS and OpenSSL are still available and can be installed manually.

In addition, LuCI is now available over HTTPS in addition to HTTP. There is no automatic redirection to HTTPS on a fresh OpenWrt 21.02 installation; however, redirection will be enabled after upgrading from OpenWrt 19.07 to OpenWrt 21.02.

It is always possible to activate or deactivate the redirection to HTTPS like this:

Initial DSA support

DSA stands for Distributed Switch Architecture and is the Linux standard to deal with configurable Ethernet switches.

OpenWrt 21.02 comes with initial support for DSA, which replaces the swconfig system that OpenWrt was using up until now. Not all targets have been ported: some devices still use swconfig while some devices already switched to DSA.

This is a significant change to how switch ports and VLANs are managed. As such, sysupgrade will not be able to convert existing swconfig configuration to DSA configuration (see “Upgrading” below).

See the OpenWrt DSA Networking documentation for details.

The following targets are using a switch managed with DSA in OpenWrt 21.02:

Increased minimum hardware requirements: 8 MB flash, 64 MB RAM

Due to new features being introduced and the general size increase of the Linux kernel, devices now need at least 8 MB of flash and 64 MB of RAM to run a default build of OpenWrt. More flash space is recommended for extensibility, see 8/64 warning

It is still possible to build custom OpenWrt images (e.g. using the ImageBuilder) that may fit devices with 4 MB of flash or 32 MB of RAM. However, the level of functionality will be reduced and there is no guarantee to stability. See OpenWrt on 4/32 devices for more details and guidance.

New network configuration syntax and board.json change

There have been several changes to the network configuration syntax in /etc/config/network:

  • in config interface, option ifname has been renamed to device (since it refers to a device section)
  • in config device of type bridge, ifname has been renamed to ports
  • for new installs, the generated configuration now creates separate sections for layer 2 (config device) and layer 3 (config interface) configuration

The old syntax is still supported to facilitate transition, and there is no automated migration when upgrading.

However, the LuCI web interface detects old-style configuration and will propose to migrate it to the new syntax. This is necessary to be able to edit network configuration through LuCI.

New UCI syntax

The new configuration style looks like this:

This example uses DSA with lanX interface names. A non-DSA device would use more classical ethX interface names.

Changes to board.json

In addition, network fields in board.json have also been renamed from “ifname” to “device”. In addition, DSA bridges now expose their list of ports in a “ports” attribute.

If you rely on board.json, this change is not backwards compatible.

Example for a DSA bridge:

Example for a classical swconfig switch configuration:

New hardware targets

A new https://openwrt.org/docs/techref/targets/realtek target has been added, which is often found in managed switches. As a result, it is now possible to run OpenWrt on devices with a significant number of Ethernet ports. See supported devices for realtek.

In addition, new https://openwrt.org/docs/techref/targets/bcm4908 and https://openwrt.org/docs/techref/targets/rockchip targets have been added.

Support for many new boards was added to the existing targets.

Dropped hardware targets

The https://openwrt.org/docs/techref/targets/ar71xx target was deprecated in OpenWrt 19.07 and has been gradually replaced by https://openwrt.org/docs/techref/targets/ath79, see ar71xx-ath79 migration.

With OpenWrt 21.02, the https://openwrt.org/docs/techref/targets/ar71xx has now been removed and users must use https://openwrt.org/docs/techref/targets/ath79 instead. If you are still running with the https://openwrt.org/docs/techref/targets/ar71xx target, it is recommended to reinstall OpenWrt 21.02 from scratch. Users already on the https://openwrt.org/docs/techref/targets/ath79 target can use sysupgrade to upgrade to OpenWrt 21.02.

Other targets were also removed: https://openwrt.org/docs/techref/targets/cns3xxx, https://openwrt.org/docs/techref/targets/rb532 and https://openwrt.org/docs/techref/targets/samsung.

ASLR activated

Network exposed user space applications are linked as position-independent executable (PIE) to allow full Address Space Layout Randomization (ASLR) support. This makes it harder for attackers to exploit OpenWrt. See Hardening build options for more details.

Kernel with container support

Multiple Linux kernel compile options, needed for Linux Containers (LXC) and procd-ujail are activated by default for most targets. This allows to use LXC and ujail with the normal release builds.

SELinux support

It is possible to compile OpenWrt with SELinux support. This is currently not activated by default.

Core components update

Core components have the following versions in 21.02.0:

  • Updated toolchain:
    • musl libc 1.1.24
    • glibc 2.33
    • gcc 8.4.0
    • binutils 2.34
  • Updated Linux kernel
    • 5.4.143 for all targets
  • Network:
    • hostapd 2020-06-08, dnsmasq 2.85, dropbear 2020.81
    • cfg80211/mac80211 from kernel 5.10.42
    • wireguard backport from upstream Linux kernel
  • System userland:
    • busybox 1.33.1

In addition to the listed applications, many others were also updated.

OpenWrt 21.02.0-rc4 — Fourth Release Candidate · 4 August 2021

Changes between OpenWrt 21.02.0-rc3 and 21.02.0-rc4

The OpenWrt community is proud to announce the new release candidate of the upcoming OpenWrt 21.02 stable version series. It incorporates over 5800 commits since branching the previous OpenWrt 19.07 release and has been under development for about one and a half year.

Changes in this release candidate since the previous 21.02.0-rc3 release candidate are:

Known issues

  • Some packets from IPv6 streams are getting dropped in software and hardware flow offloading: FS#3373

Software updates

  • Linux kernel updated to version 5.4.137 (from 5.4.124 in v21.02.0-rc3)
  • mt76 Update to version 2021-06-06 (from 2021-05-15 in v21.02.0-rc3)
  • wireguard Update with recent Linux stable fixes
  • exfat Update to version 5.12.3 (from 5.10.1 in v21.02.0-rc3)

Misc changes

  • failsafe: Fixes failsafe network configuration with swconfig and DSA: FS#3866
  • odhcpd: fix invalid DHCPv6 ADVERTSIE with small configured leasetime
  • ugps: parse $GPZDA and $GPGLL sentences, improve interoperability with kplex
  • netifd: WDS with bridge-vlan fixed

Device support

  • New devices MikroTik RouterBOARD 912UAG-2HPnD and Joy-IT JT-OR750i
  • Device fixes for TP-Link CPE, MikroTik RouterBOARDs and AVM FRITZRepeater 1200

OpenWrt 21.02.0-rc3 — Third Release Candidate · 17 June 2021

Changes between OpenWrt 21.02.0-rc2 and 21.02.0-rc3

The OpenWrt community is proud to announce the new release candidate of the upcoming OpenWrt 21.02 stable version series. It incorporates over 5800 commits since branching the previous OpenWrt 19.07 release and has been under development for about one and a half year.

Changes in this release candidate since the previous 21.02.0-rc2 release candidate are:

Known issues

  • Network is not working in failsafe mode: FS#3866

LuCI

  • LuCI network migration tool now migrates custom bridge MAC addresses.

Software updates

  • Linux kernel updated to version 5.4.124 (from 5.4.119 in v21.02.0-rc2)
  • mac80211 updated to version 5.10.42-1 (from 5.10.34-1 in v21.02.0-rc2)
  • wireless-regdb updated to version 2021.04.21 (from 2020.11.20 in v21.02.0-rc2)

Misc changes

  • opkg Shows better error message when some dependencies are missing
  • sdk, imagebuilder json-c, libnl-tiny, libubox, ubus, uci and lua are marked nonshared and will be taken from release build and not package build.

Device support

  • New devices SERCOMM NA502, Linksys EA8100 v1, Amped Wireless ALLY, Linksys E5600, JCG Q20, cudy WR2100, TP-Link Archer C6U v1 (EU), TP-Link Archer A6 v3, ZyXEL NR7101, ZTE MF283+
  • Device fixes for Xiaomi Router 3 Pro, HILINK HLK-7628N, WD My Net Wi-Fi Range Extender, ALLNET ALL-WAP02860AC, Senao APs, TP-Link AD7200

OpenWrt 21.02.0-rc2 — Second Release Candidate · 31 May 2021

Changes between OpenWrt 21.02.0-rc1 and 21.02.0-rc2

The OpenWrt community is proud to announce the second release candidate of the upcoming OpenWrt 21.02 stable version series. It incorporates over 5800 commits since branching the previous OpenWrt 19.07 release and has been under development for about one and a half year.

Changes in this release candidate since the previous 21.02.0-rc1 release candidate are:

Known issues

  1. LuCI network migration tool doesn’t migrate custom bridge MAC addresses. Custom device MAC has to be set again manually.

New network configuration syntax

There have been several changes to the network configuration syntax in /etc/config/network:

  • in config interface, option ifname has been renamed to device (since it refers to a device section)
  • in config device of type bridge, ifname has been renamed to ports
  • for new installs, the generated configuration now creates separate sections for layer 2 (config device) and layer 3 (config interface) configuration

The old syntax is still supported to facilitate transition, and there is no automated migration when upgrading.

However, the LuCI web interface detects old-style configuration and will propose to migrate it to the new syntax. This is necessary to be able to edit network configuration through LuCI.

The new configuration style looks like this:

This example uses DSA with lanX interface names. A non-DSA device would use more classical ethX interface names.

LuCI update

LuCI has been updated to support the most recent network syntax (and migrate old config files if needed). In some cases migration will take 2 steps.

Support for configuring devices (config device UCI sections) was added. It can be used for setting layer 2 options (like MTU and MAC address). It also supports bridge devices (including VLAN tagging).

LuCI HTTPS

LuCI is now available over HTTPS in addition to HTTP in the default images.

After an upgrade from OpenWrt 19.07 to OpenWrt 21.02 unencrypted HTTP requests are redirected to HTTPS. On fresh OpenWrt 21.02 installations they are not redirected.

It is possible to activate or deactivate the redirect to HTTPS like this:

Software updates

  • Linux kernel updated to version 5.4.119 (from 5.4.111 in v21.02.0-rc1)
  • mac80211 updated to version 5.10.34-1 (from 5.10.16-1 in v21.02.0-rc1)
  • mac80211 backport upstream fixes for the new FragAttacks vulnerabilities in 802.11
  • mt76 updated to latest version
  • dnsmasq updated to version 2.85 (from 2.84 in v21.02.0-rc1)
  • busybox updated to version 1.33.1 (from 1.33.0 in v21.02.0-rc1)

Misc changes

  • Linux kernel fix parsing fixed subpartitions
  • Linux kernel Activate FORTIFY_SOURCE for MIPS kernel 5.4
  • busybox add SRV support to nslookup_lede.c patch
  • busybox disable PREFER_IPV4_ADDRESS
  • openwrt-keyring only copy sign key for 21.02
  • sdk, imagebuilder unset BINARY_FOLDER and DOWNLOAD_FOLDER in final archives
  • uqmi fix network registration loop

Device support

  • Lantiq DSL multiple backports for DSL statistics
  • New devices MikroTik SXTsq 5 ac, MikroTik hAP ac2
  • Device fixes for ALFA Network devices, Youku YK1, TP-Link AD7200, TP-Link EAP-225, TP-Link TL-WR810N v1, MikroTik RB922UAGS-5HPaCD

OpenWrt 21.02.0-rc1 — First Release Candidate · 26 April 2021

← All releases