CrowdSec package for OpenWrt

Tested on mvebu espressobin board ultra and espressobin board v7 eMMC, in OpenWrt 21.02-RC3 et OpenWrt 19.07.7…

Note : feedback welcome ! :wink:

1 Like
1 Like

packages available now for testing also for mipsel_24kc ( like Device: Xiaomi R3P (mt7621)… )
crowdsec-openwrt/package/custom at master · erdoukki/crowdsec-openwrt · GitHub

1 Like

PR to OpenWrt Package still in progress…

May need some more work on upgrade mode !


I get some tweaks from the Debian packages, but it may still be enhanced…
Fill free to give feedback !

root@ULTRA-5G:~# cscli version
2021/08/25 13:46:04 version: v1.1.1-v1.1.1
2021/08/25 13:46:04 Codename: alphaga
2021/08/25 13:46:04 BuildDate: 2021-08-25_13:09:10
2021/08/25 13:46:04 GoVersion: 1.16.2
2021/08/25 13:46:04 Constraint_parser: >= 1.0, <= 2.0
2021/08/25 13:46:04 Constraint_scenario: >= 1.0, < 3.0
2021/08/25 13:46:04 Constraint_api: v1
2021/08/25 13:46:04 Constraint_acquis: >= 1.0, < 2.0
root@ULTRA-5G:~# cscli metrics
INFO[25-08-2021 01:45:37 PM] Local Api Metrics:                           
|        ROUTE         | METHOD | HITS |
| /v1/decisions/stream | GET    |   34 |
| /v1/watchers/login   | POST   |    2 |
INFO[25-08-2021 01:45:37 PM] Local Api Bouncers Metrics:                  
|           BOUNCER            |        ROUTE         | METHOD | HITS |
| cs-firewall-bouncer-EJfPpO7s | /v1/decisions/stream | GET    |   34 |
root@ULTRA-5G:~# cs-firewall-bouncer -V
version: v0.0.13-v0.0.13
BuildDate: 2021-08-25_13:37:07
GoVersion: 1.16.2
root@ULTRA-5G:~# uname -ar
Linux ULTRA-5G 5.4.137 #0 SMP Sat Jul 31 17:21:01 2021 aarch64 GNU/Linux
root@ULTRA-5G:~# cat /etc/openwrt_release 
DISTRIB_DESCRIPTION='OpenWrt 21.02.0-rc4 r16256-2d5ee43dc6'

I get some questions on the OpenWrt package reviews, that I am not sure to answer correctly :

Actually I want to ask, is there a reason why the user would want crowdsec-firewall-bouncer to use iptables if they have both iptables and nftables installed? If there is no functional difference then there is no need to make it user-selectable.

Is it necessary to let the user choose between iptables/nftables, when the two are installed ?
Or is it better to get something like the script, and detect with a preference to nftables ?

Are all of these *.yaml files (perhaps all files in /etc/crowdsec ) configuration files?

Is it necessary to save all the files between package upgrade ?
Or, like I am suggesting;

the essentials only are /etc/crowdsec/config.yaml and /etc/crowdsec/local_api_credentials.yaml
others may be modified, as far as I now.

More can be seen in the PR, but it is mainly the ones where I need advanced users feedback !

I will get more fix to the PR, depends of your feedback…

I still have to better manage API keys and cscli register between upgrade or reinstall !
I do not use cscli backup/restore and had preferred an external OpenWrt specific config file.

Anyway, all feedback is welcome.

Thanks in advance.

Hello @Gandalf :slight_smile:

imho it sounds rather dangerous to attempt to do this, I’m afraid that we might end up breaking stuff :sweat:

The plan here is to not trash any “custom” parsers and scenarios created and/or patched by the users.

Thank you very much for your work. For the latest point, hopefully we are going to improve this in the not-so-distant future to clearly split “user” configs and the ones from the hub.


I do not understand, the do the detection…

Choice #1. What I mean is to do it at firewall-bouncer service restart.

  • If nftables is here, use it
  • if nftables is not here, use iptables and check ipset (wrote a message if it is missing)

Choice #2. Do a default mode detect at install (same as upper) and then use a user config mode setting.
This second choice will get more user error possibility (IMHO)

Will it be here for next release ?
If so, I can wait for it for packaging to OpenWrt ?


Crowdsec: Initial package v1.1.1 by erdoukki · Pull Request #16244 · openwrt/packages · GitHub package approved… soon to me merged !? :grinning:

1 Like

Updating the OpenWrt Package to Crowdsec v1.2.0 and Crowdsec-Firewall-Bouncer v0.15.0…

1 Like

This is a long time process…

Some good news about it;
The PR is now in two parts, the main Crowdsec component crowdsec: initial package v1.2.0 by erdoukki · Pull Request #16244 · openwrt/packages · GitHub and the Firewall Bouncer crowdsec-firewall-bouncer: initial package v0.0.15 by erdoukki · Pull Request #16844 · openwrt/packages · GitHub

They both have been reviewed, both approved twice, and may be merged in few days in snapshot !

Merged today ! :sunglasses:
Will try to make it available also in 21.02.x

great work on this Gandalf, many years ago I dream’t of simple, open, and seamless distributed security for SOHO… having a build a few people use, and having this package in the OpenWrt repo’s takes this one step closer…

I’m new to crowdsec, but I will definitely be having a crack at it over the next month or two…


1 Like

It’s the dream that shapes the world

(Aboriginal concept)


1 Like

The PR was merged this morning and packages will be available in few days for 21.02 !


Actually discussed here at OpenWrt Forum : Crowdsec: initial packages v1.2.0 for OpenWrt - For Developers - OpenWrt Forum

Welcome to the new users from the OpenWrt community…
More to come, soon !

1 Like

OpenWrt packages updated to version 1.2.1 of crowdsec.

Same, pushed also in 21.02