OpenWrt 21.02.0 - First Stable Release

Hauke Mehrtens hauke at
Sat Sep 4 16:16:04 PDT 2021


The OpenWrt community is proud to announce the first stable release of 
the OpenWrt 21.02 stable version series. It incorporates over 5800 
commits since branching the previous OpenWrt 19.07 release and has been 
under development for about one and a half year.

Highlights in OpenWrt 21.02.0

- ---
WPA3 support included by default

WPA3 was already supported in 19.07 but it was not provided by the 
default set of packages in OpenWrt images.

With 21.02, all packages necessary to provide WPA3 are installed by 
default in OpenWrt images. WPA3 is supported by most Wifi drivers in 

- ---
TLS and HTTPS support included by default

TLS support is now provided by default in OpenWrt images including the 
trusted CA certificates from Mozilla. It means that wget and opkg now 
support fetching resources over HTTPS out-of-the-box. The opkg download 
server is accessed through HTTPS by default. OpenWrt switched from 
mbedTLS to wolfSSL as the default SSL library. mbedTLS and OpenSSL are 
still available and can be installed manually.

In addition, LuCI is now available over HTTPS in addition to HTTP. There 
is no automatic redirection to HTTPS on a fresh OpenWrt 21.02 
installation; however, redirection will be enabled after upgrading from 
OpenWrt 19.07 to OpenWrt 21.02.

It is always possible to activate or deactivate the redirection to HTTPS 
like this:

uci set uhttpd.main.redirect_https=1   # 1 to enable redirect,
					 0 to disable redirect
uci commit uhttpd
service uhttpd reload

- ---
Initial DSA support

DSA stands for Distributed Switch Architecture and is the Linux standard 
to deal with configurable Ethernet switches.

OpenWrt 21.02 comes with initial support for DSA, which replaces the 
swconfig system that OpenWrt was using up until now. Not all targets 
have been ported: some devices still use swconfig while some devices 
already switched to DSA.

This is a significant change to how switch ports and VLANs are managed. 
As such, sysupgrade will not be able to convert existing swconfig 
configuration to DSA configuration (see “Upgrading” below).

See the OpenWrt DSA Networking documentation for details.

The following targets are using a switch managed with DSA in OpenWrt 21.02:
  * ath79 (only TP-Link TL-WR941ND)
  * bcm4908
  * gemini
  * kirkwood
  * mediatek (most boards)
  * mvebu
  * octeon
  * ramips (mt7621 subtarget only)
  * realtek

- ---
Increased minimum hardware requirements: 8 MB flash, 64 MB RAM

Due to new features being introduced and the general size increase of 
the Linux kernel, devices now need at least 8 MB of flash and 64 MB of 
RAM to run a default build of OpenWrt. More flash space is recommended 
for extensibility, see 8/64 warning:

It is still possible to build custom OpenWrt images (e.g. using the 
ImageBuilder) that may fit devices with 4 MB of flash or 32 MB of RAM. 
However, the level of functionality will be reduced and there is no 
guarantee to stability. See OpenWrt on 4/32 devices for more details and 

- ---
New network configuration syntax and board.json change

There have been several changes to the network configuration syntax in 

  * in config interface, option ifname has been renamed to device (since
    it refers to a device section)
  * in config device of type bridge, ifname has been renamed to ports
  * for new installs, the generated configuration now creates separate
    sections for layer 2 (config device) and layer 3 (config interface)

The old syntax is still supported to facilitate transition, and there is 
no automated migration when upgrading.

However, the LuCI web interface detects old-style configuration and will 
propose to migrate it to the new syntax. This is necessary to be able to 
edit network configuration through LuCI.

New UCI syntax
The new configuration style looks like this:

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr '00:01:02:XX:XX:XX'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr '00:01:02:YY:YY:YY'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

This example uses DSA with lanX interface names. A non-DSA device would 
use more classical ethX interface names.
Changes to board.json

In addition, network fields in board.json have also been renamed from 
“ifname” to “device”. In addition, DSA bridges now expose their list of 
ports in a “ports” attribute.

If you rely on board.json, this change is not backwards compatible.

Example for a DSA bridge:

"network": {
         "lan": {
                 "ports": [
                 "protocol": "static"
         "wan": {
                 "device": "wan",
                 "protocol": "dhcp"

Example for a classical swconfig switch configuration:

"network": {
         "lan": {
                 "device": "eth0",
                 "protocol": "static"
         "wan": {
                 "device": "eth1",
                 "protocol": "dhcp"

- ---
New hardware targets

A new realtek target has been added, which is often found in managed 
switches. As a result, it is now possible to run OpenWrt on devices with 
a significant number of Ethernet ports. See supported devices for realtek.

In addition, new bcm4908 and rockchip targets have been added.

Support for many new boards was added to the existing targets.

- ---
Dropped hardware targets

The ar71xx target was deprecated in OpenWrt 19.07 and has been gradually 
replaced by ath79, see ar71xx-ath79 migration.

With OpenWrt 21.02, the ar71xx has now been removed and users must use 
ath79 instead. If you are still running with the ar71xx target, it is 
recommended to reinstall OpenWrt 21.02 from scratch. Users already on 
the ath79 target can use sysupgrade to upgrade to OpenWrt 21.02.

Other targets were also removed: cns3xxx, rb532 and samsung.

- ---
ASLR activated

Network exposed user space applications are linked as 
position-independent executable (PIE) to allow full Address Space Layout 
Randomization (ASLR) support. This makes it harder for attackers to 
exploit OpenWrt. See Hardening build options for more details.

- ---
Kernel with container support

Multiple Linux kernel compile options, needed for Linux Containers (LXC) 
and procd-ujail are activated by default for most targets. This allows 
to use LXC and ujail with the normal release builds.

- ---
SELinux support

It is possible to compile OpenWrt with SELinux support. This is 
currently not activated by default.

- ---
Core components update

Core components have the following versions in 21.02.0:

  * Updated toolchain:
   * musl libc 1.1.24
   * glibc 2.33
   * gcc 8.4.0
   * binutils 2.34
  * Updated Linux kernel
   * 5.4.143 for all targets
  * Network:
   * hostapd 2020-06-08, dnsmasq 2.85, dropbear 2020.81
   * cfg80211/mac80211 from kernel 5.10.42
   * wireguard backport from upstream Linux kernel
  * System userland:
   * busybox 1.33.1

In addition to the listed applications, many others were also updated.

- ---
Upgrading to 21.02.0

Sysupgrade can be used to upgrade a device from 19.07 to 21.02, and 
configuration will be preserved in most cases.

  * Sysupgrade from 18.06 to 21.02 is not supported.

  * There is no migration path for targets that switched from swconfig to
    DSA. In that case, sysupgrade will refuse to proceed with an
    appropriate error message:
    Image version mismatch. image 1.1 device 1.0 Please wipe config
    during upgrade (force required) or reinstall. Config cannot be
    migrated from swconfig to DSA Image check failed

  * The default root file system partition size changed for
    targets/devices relying on booting from mass storage (HDD, USB flash,
    SD card, etc.), so MBR will change and any additional partition will
    be deleted when sysupgrading.

- ---
Known issues

  * Some IPv6 packets are dropped when software flow offloading is used:
   * As a workaround, do not activate software flow offloading, it is
     deactivate by default.

- ---

Full release notes and upgrade instructions are available at

In particular, make sure to read the regressions and known issues before 

For a detailed list of all changes since 19.07 was branched off, refer to:

To download the 21.02.0 images, navigate to:

- ---

To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

* a low-volume mailing list for important announcements:

* a dedicated "announcements" section in the forum:

* other announcement channels (such as RSS feeds) might be added in the
   future, they will be listed at

As always, a big thank you goes to all our active package maintainers, 
testers, documenters, and supporters.

Have fun!

The OpenWrt Community
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x93DD20630910B515.asc
Type: application/pgp-keys
Size: 13571 bytes
Desc: OpenPGP public key
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openwrt-devel mailing list