How to download LXC version of OpenWRT and run it on Proxmox

[kavejo]

Hi,

I am looking to run an OpenWRT container to provide network access to my VMs.

I have seen on https://us.images.linuxcontainers.org/ that there is a template built for OpenWRT 19.07.
When I run pveam available, the containers at the URL above are not listed but other ones are listed instead.

Looking at https://bugzilla.proxmox.com/show_bug.cgi?id=2044, this seem to have been requested already.
I have just updated the bug informing about the availability of a pre-built template from https://us.images.linuxcontainers.org/images/openwrt/.

Is there any chance to have this container included in the one Proxom VE has access to?
Otherwise is there an easy way to downlaod it from the linuxcontainers.org images repository using pveam?

Thank you.

 

[oguz]

hi,

you can use wget to download the rootfs (rootfs.tar.xz) to your PVE host and use it as a template (however since this isn't officially supported by PVE some things may not work properly)

 

[kavejo]

Thank you @oguz,

Would I need to convert the file from tar.xz to tar.gz? Do I need to observe any specific naming convention in the way I rename the file?

Thank you.

 

[oguz]

i think it should work as tar.xz
place it on one of your storages with CT templates (for example local) and use it as the template while running CT creation wizard

 

[MadalinC]

i think it should work as tar.xz
place it on one of your storages with CT templates (for example local) and use it as the template while running CT creation wizard

Thanks for the info. I tried this with the latest Arch Linux and all seems to be working just fine.

I am wondering, are there any changes that the Proxmox team made to the provided archlinux-base template?

OR is it simply a LxC archlinux template from September 2019?
Weirdly enough, the latest Arch Linux template has working networking and the provided one (from Sept. 2019) breaks when updated.

Thanks!

 

[radumamy]

Hi All.

I have used an LXC/LXD openwrt 21.02 image from Canonical but I cannot get any Internet on the LAN. The openwrt router has Internet access, I can install packages, and use diagnostic utilities. It might be an issue with openwrt firewall not loading properly as I can access Luci via WAN interface which is normally blocked. Has anyone else come across this? Many thanks.

 

[largem]

I was following this post to install the openwrt on proxmox LXC, I have the same problem. From openwrt I can access internet, but any VM behind openwrt is not able to ping any machine outside the proxmox.
I noticed the iptables -L does not show any iptables rules, so, I update something in firewall settings via Luci Web UI, and iptables seems appear. After that I added some NAT rules in firewall, studently everything works, but after I reboot the openwrt, everything stops working again, and I tried to redo all the work, seems no luck.

Btw, install openwrt as VM seems work well, just I see a constant small CPU usage(1-2%) on proxmox dashboard, but inside operwrt VM, cpu usage is zero, not sure why.

 

[radumamy]

Hi. I have used a Snapshot image of OpenWrt and it's working as expected. https://uk.lxd.images.canonical.com/images/openwrt/snapshot/amd64/default/
Download one of the available images, and create your container in the Proxmox shell.

pct create 301 local:vztmpl/openwrt-20221011-rootfs.tar.xz --rootfs local-lvm:0.256 --ostype unmanaged --hostname openwrt --arch amd64 --cores 1 --memory 256 --swap 0 --unprivileged 1

Now, create a new Linux bridge in Proxmox (e.g. 192.168.3.0/24).
Add 2 new network devices to your new container eth0 (this is the OpenWrt WAN interface, so I connected mine to vmbr0 for Internet access) and eth1 (LAN interface in OpenWrt - connected to new linux bridge vmbr1)
Start your container and from the Proxmox shell connect to it.

pct enter 301

Update packages, install nano and luci

opkg update
opkg isntall nano
opkg install luci-ssl
/etc/init.d/uhttpd restart

Edit the firewall configuration to allow HTTPS traffic from WAN. nano /etc/config/firewall
Add this to end of file and save with Ctrl + X

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option name 'Allow-WAN-Web'

Get your WAN ip address with ip a | grep eth0 and reboot the container.

Open a browser tab and go to https://ContainerWanIP, log in and change your root password.

Now go to Network -> Interfaces -> Add new interface.

Name: lan
Protocol: Static address
Device: eth1

Click Create Interface. Now add...

IP Address: 192.168.3.1 (or whatever subnet you wish to use)
IPv4 Netmask: 255.255.255.0

Click Firewall Settings tab and select LAN from the dropdown list and on the DHCP server tab, select Setup DHCP server and then click Save.

Now move a VM to vmbr1 and test connectivity. Thank you.

 

[Brandon168]

OpenWRT 21 does not seem to NAT correctly for some reason. I have the same problem, the LXC can ping a wan address but anything on the lan doesn't make it through. I was also able to get it working just once by fiddling with NAT but then I lost it and can't seem to get it working again.

OpenWRT 22.03 seems to pass traffic in an LXC just fine. In fact, I was able to get openvpn, mwan3, wireguard, even iphone backup working, and more with a weeks worth of work. Where I'm stumped at the moment is getting ipset working. This is needed to complete my dynamic (best attempt) split vpn working properly as I have it configured in pfsense today. This appears to be a problem because ipset is not compiled in the latest dnsmasq version: https://forum.openwrt.org/t/dnsmasq-full-ipset-support-removed-in-master/150274/5


Why:
The efficiency potential for this is incredible.

VM: Pfsense/Opnsense Lan -> IP (VM) routing speed (iperf3) is ~ 3 Gbps for me. And that's with many months of trying things (pci pass through, etc). I noticed

LXC: openwrt 21 direct can do ~ 55 Gbps but no routing
LXC: openwrt 22 can route ~ 22 Gbps! And pretty much everything works as expected except ipset

I only need ~1.2 gbps to max out my home internet provider but I'm mainly after the efficiency gains on this. The cpu usage is drastically reduced.

My hardware is Intel(R) Pentium(R) Gold 7505 (quad 2.5 gbps intel nics)

 

[vesalius]

@Brandon168 following this post. I have set up a couple 22.03 OpenWRT LXC to see if they might be a more efficient and performant option as my home network router/firewall.

it’s early days, but can do you have resources on mwan3 for dual wan setup you can point me toward.

I plan to try and replicate my simple WireGuard home network access and adguard home use on Openwrt before any potential switch from OPNsense.

Lastly, how do you update the OpenWRT firmware when run as an LXC with the least and shortest impact on your network? Install new and restore from backup? Maybe I am missing something obvious there.

 

[Brandon168]

@Brandon168 following this post. I have set up a couple 22.03 OpenWRT LXC to see if they might be a more efficient and performant option as my home network router/firewall.

it’s early days, but can do you have resources on mwan3 for dual wan setup you can point me toward.

I plan to try and replicate my simple WireGuard home network access and adguard home use on Openwrt before any potential switch from OPNsense.

Lastly, how do you update the OpenWRT firmware when run as an LXC with the least and shortest impact on your network? Install new and restore from backup? Maybe I am missing something obvious there.

Nice. Please share your findings. I’m excited about getting this all to work.

I pretty much followed this: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

Imho WireGuard with openwrt seems much more straightforward than via pfsense. I know my outbound route is working but I can’t easily test the inbound until this switches over to primary.

Upgrading the “firmware” is an open question of mine as well. I don’t know how to goo about this easily. Worst case, I’m thinking backup production, restore to the upgraded lab and see how it goes. Honestly, I’m not exited about this route though.

It’s looking like pfsense will remain my primary for a while longer while a few of these things are ironed out.

 

[vesalius]

updated my test OpenWRT LXC from 22.03.4 to 22.03.5 by creating a new container then restoring it from a backup of the 22.03.4 config I made. Can't figure out how to update the already running container.

OpenWrt in LXC containers

 

[Brandon168]

updated my test OpenWRT LXC from 22.03.4 to 22.03.5 by creating a new container then restoring it from a backup of the 22.03.4 config I made. Can't figure out how to update the already running container.

OpenWrt in LXC container

Thanks for sharing

Hopefully there’s a better way to do this soon.

 

[Tmanok]

Thanks for the great information everyone!

Does anyone know where OpenWRT LXC/LXD images are available now that Canonical has stopped funding for the LXD project's image servers?
Thanks,


Tmanok

 

[vesalius]

Now can be found:
https://images.linuxcontainers.org/images/openwrt/

 

[MON@H]

Now can be found:
https://images.linuxcontainers.org/images/openwrt/

When 23.05 was just released it wasn't instantly added there and when I contacted the administration, they told me that this server is out of date and suggested to use jenkins server instead: https://jenkins.linuxcontainers.org/job/image-openwrt/

 

[Tmanok]

Hey Vesalius,

Thanks for the link, I'm glad they're temporarily available. I'm going to mirror that site (https://images.linuxcontainers.org/images/) for the time being - if anyone 6mos from now needs a copy, I will do my best to create a large archive and if enough people want it I'll publish to https. Using wget for the mirror so it should be easy enough to create a DMZ web server and host it as an archive with Let's Encrypt.


Tmanok

 

[Tmanok]

Update for anyone desperate to get their hands on images when they're no longer available, I've used wget to mirror them and then hosted them in one of my personal hypervisor clusters in my DMZ. Let's Encrypt was also used on the webserver for added security:

https://linuxcontainers.mirror.lightyearlabs.ca/

Please let me know if you have any trouble reaching the site, I'll do my best to leave it alone for as long as possible (ideally a couple years) and I may refresh the mirror. Mind you I will of course perform infrastructure maintenance from time to time. For example, there is a brand new OPNSense virtual firewall in front of my DMZ, but I may set it up in HA paired mode in the future. It's worth noting, I do not have a huge bandwidth at the location I'm hosting from, it's a 32U rack full of my equipment but I've rationed out the networking so this archive is limited to 6MB/s. If there is a lot of demand I will try to make some adjustments. Downloading a debian rootfs.tar.xz takes <20 seconds and an Ubuntu desktop .qcow2 (1GB) takes <5 minutes for a single user right now.

Final comment, I've not changed a single file on the webserver at this time, but I may decide to:

1. Update the initial index.html to indicate to users that the site is an archive.
2. "Refresh" the mirror if I detect changes on the source (https://images.linuxcontainers.org/images)
3. Some files may not have been 100% copied across, meaning there is a chance that they were damaged. The archive is 320GB, I have not verified the entire thing in order to quickly setup this archive for public (emergency or reference) access.

If you happen to have any other wastes of disk space- I mean good causes to mirror or archive, let me know and I will consider it. When my bandwidth increases, I am considering the idea of hosting an apt mirror for my region long-term.

Cheers,


Tmanok

 

[shodan]

Hi,

To answer this thread's title, how actually do you download and install it ?


After following a somewhat meandering path you will eventually make it here

https://jenkins.linuxcontainers.org/job/image-openwrt/architecture=amd64,release=23.05,variant=default/

or here

https://images.lxd.canonical.com/images/openwrt/23.05/amd64/default/20240925_0014/

Which contain these files

SHA256SUMS                                         25-Sep-2024 02:13                 403
image.yaml                                         25-Sep-2024 00:15               19360
lxd.tar.xz                                         25-Sep-2024 00:15                 636
rootfs.20240923_0015.vcdiff                        25-Sep-2024 02:13              965966
rootfs.squashfs                                    25-Sep-2024 00:15             3952640
serial                                             25-Sep-2024 00:15                  14

    image.yaml    18.88 KiB   
incus.tar.xz    636 B   
meta.tar.xz    744 B   
rootfs.squashfs    3.60 MiB   
rootfs.tar.xz    3.41 MiB   
serial    15 B

And at the current time it unclear what is to be done with these files ?

Proxmox expects a single .tar.zst file so which of these file is it ? And does it need to be modified ?


For example I took a look inside the debian-12-standard_12.2-1_amd64.tar.zst file which I've been using

tar --use-compress-program=unzstd -xvf  debian-12-standard_12.2-1_amd64.tar.zst

And inside I found the following, a typical linux system

   0 lrwxrwxrwx  1 root root    7 Oct 10  2023 bin -> usr/bin
4.0K drwxr-xr-x  2 root root 4.0K Sep 29  2023 boot
121M -rw-r--r--  1 root root 121M Sep 25 06:17 debian-12-standard_12.2-1_amd64.tar.zst
4.0K drwxr-xr-x  2 root root 4.0K Dec 10  2008 dev
4.0K drwxr-xr-x 62 root root 4.0K Oct 10  2023 etc
4.0K drwxr-xr-x  2 root root 4.0K Sep 29  2023 home
   0 lrwxrwxrwx  1 root root    7 Oct 10  2023 lib -> usr/lib
   0 lrwxrwxrwx  1 root root    9 Oct 10  2023 lib32 -> usr/lib32
   0 lrwxrwxrwx  1 root root    9 Oct 10  2023 lib64 -> usr/lib64
   0 lrwxrwxrwx  1 root root   10 Oct 10  2023 libx32 -> usr/libx32
4.0K drwxr-xr-x  2 root root 4.0K Oct 10  2023 media
4.0K drwxr-xr-x  2 root root 4.0K Oct 10  2023 mnt
4.0K drwxr-xr-x  2 root root 4.0K Oct 10  2023 opt
4.0K drwxr-xr-x  2 root root 4.0K Sep 29  2023 proc
4.0K drwx------  3 root root 4.0K Oct 10  2023 root
4.0K drwxr-xr-x  9 root root 4.0K Oct 10  2023 run
   0 lrwxrwxrwx  1 root root    8 Oct 10  2023 sbin -> usr/sbin
4.0K drwxr-xr-x  2 root root 4.0K Oct 10  2023 srv
4.0K drwxr-xr-x  2 root root 4.0K Sep 29  2023 sys
4.0K drwxrwxrwt  2 root root 4.0K Oct 10  2023 tmp
4.0K drwxr-xr-x 14 root root 4.0K Oct 10  2023 usr
4.0K drwxr-xr-x 11 root root 4.0K Oct 10  2023 var

 

[shodan]

So since the following appears to be the file, I gave it a shot

https://jenkins.linuxcontainers.org/job/image-openwrt/architecture=amd64,release=23.05,variant=default/lastSuccessfulBuild/artifact/rootfs.tar.xz

wget "https://jenkins.linuxcontainers.org...lt/lastSuccessfulBuild/artifact/rootfs.tar.xz" -O /var/lib/vz/template/cache/openwrt-amd64,23.05,default.tar.xz


When tried to make it

pct create 999 local:vztmpl/openwrt-amd64,23.05,default.tar.xz --arch amd64 --cores 4 --memory 1000 --hostname openwrt --net0 name=eth0,bridge=vmbr0,firewall=1,hwaddr=DE:AD:BE:EF:00:99,ip=dhcp,type=veth --rootfs local-lvm:4 --features nesting=1 --unprivileged 1 --ostype debian

And here is the output of that

WARNING: You have not turned on protection against thin pools running out of space.
  WARNING: Set activation/thin_pool_autoextend_threshold below 100 to trigger automatic extension of thin pools before they get full.
  Logical volume "vm-999-disk-0" created.
  WARNING: Sum of all thin volume sizes (<1.93 TiB) exceeds the size of thin pool pve/data and the size of whole volume group (<446.13 GiB).
Creating filesystem with 1048576 4k blocks and 262144 inodes
Filesystem UUID: ca0ab8e5-c560-4f9d-8975-d8c703b7bc2f
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736
extracting archive '/var/lib/vz/template/cache/openwrt-amd64,23.05,default.tar.xz'
Total bytes read: 13455360 (13MiB, 56MiB/s)
unknown ID 'openwrt' in /etc/os-release file, trying fallback detection
  Logical volume "vm-999-disk-0" successfully removed.
unable to create CT 999 - unable to detect OS distribution

So it is complaining about the /etc/os-release file, here are its contents

NAME="OpenWrt"
VERSION="23.05.5"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 23.05.5"
VERSION_ID="23.05.5"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r24106-10cc5fcd00"
OPENWRT_BOARD="x86/generic"
OPENWRT_ARCH="i386_pentium4"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 23.05.5 r24106-10cc5fcd00"

It seems the "ostype" parameter of the creation command is the issue here

I tried "linux" and got the following reply

ostype: value 'linux' does not have a value in the enumeration 'debian, devuan, ubuntu, centos, fedora, opensuse, archlinux, alpine, gentoo, nixos, unmanaged'

Well debian seems like the most applicable out of that list so I'll try unmanaged

pct create 999 local:vztmpl/openwrt-amd64,23.05,default.tar.xz --arch amd64 --cores 4 --memory 1000 --hostname openwrt --net0 name=eth0,bridge=vmbr0,firewall=1,hwaddr=DE:AD:BE:EF:00:99,ip=dhcp,type=veth --rootfs local-lvm:4 --features nesting=1 --unprivileged 1 --ostype unmanaged
  WARNING: You have not turned on protection against thin pools running out of space.
  WARNING: Set activation/thin_pool_autoextend_threshold below 100 to trigger automatic extension of thin pools before they get full.
  Logical volume "vm-999-disk-0" created.
  WARNING: Sum of all thin volume sizes (<1.93 TiB) exceeds the size of thin pool pve/data and the size of whole volume group (<446.13 GiB).
Creating filesystem with 1048576 4k blocks and 262144 inodes
Filesystem UUID: ba002075-4e7c-48a5-9b9e-ba6fd4cf6dac
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736
extracting archive '/var/lib/vz/template/cache/openwrt-amd64,23.05,default.tar.xz'
Total bytes read: 13455360 (13MiB, 66MiB/s)

This appears to have worked successfully !

However, web and ssh does not respond, I tried disabling the firewall option in proxmox and reboot, no effect

root@openwrt:/# ifconfig
eth0      Link encap:Ethernet  HWaddr DE:AD:BE:EF:00:99 
          inet addr:192.168.1.237  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::dcad:beff:feef:99/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4882 (4.7 KiB)  TX bytes:6896 (6.7 KiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@openwrt:/# ps
  PID USER       VSZ STAT COMMAND
    1 root      1184 S    /sbin/procd
  100 ubus       952 S    /sbin/ubusd
  101 root      1140 S    /bin/ash --login
  135 root       856 S    /sbin/urngd
  306 logd      1012 S    /sbin/logd -S 64
  360 root      1820 S    /sbin/rpcd -s /var/run/ubus/ubus.sock -t 30
  501 dnsmasq   1288 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsm
  565 root       964 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300 -T 3 -W 26
  681 root      1320 S    /sbin/netifd
  817 root       872 S    odhcp6c -s /lib/netifd/dhcpv6.script -P0 -t120 eth0
  819 root      1108 S    /usr/sbin/odhcpd
  823 root      1136 S    udhcpc -p /var/run/udhcpc-eth0.pid -s /lib/netifd/dhcp.script -f -t 0 -i
  967 root      1708 S    /usr/sbin/uhttpd -f -h /www -r OpenWrt -x /cgi-bin -u /ubus -t 60 -T 30
 1405 root      1144 R    ps

root@openwrt:/# ping google.com
PING google.com (172.217.13.174): 56 data bytes
64 bytes from 172.217.13.174: seq=0 ttl=118 time=2.536 ms
--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.536/2.536/2.536 ms
root@openwrt:/# opkg update
Downloading https://downloads.openwrt.org/releases/23.05.5/targets/x86/generic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://downloads.openwrt.org/releases/23.05.5/targets/x86/generic/packages/Packages.sig
Signature check passed.
[...]
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/i386_pentium4/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/i386_pentium4/telephony/Packages.sig
Signature check passed.
root@openwrt:/#

root@openwrt:/# service
Usage: service <service> [command]
/etc/init.d/boot                   enabled         stopped
/etc/init.d/cron                   enabled         stopped
/etc/init.d/dnsmasq                enabled         running
/etc/init.d/done                   enabled         stopped
/etc/init.d/dropbear               enabled         running
/etc/init.d/firewall               enabled         stopped
/etc/init.d/gpio_switch            enabled         stopped
/etc/init.d/led                    enabled         stopped
/etc/init.d/log                    enabled         running
/etc/init.d/network                enabled         running
/etc/init.d/odhcpd                 enabled         running
/etc/init.d/packet_steering        enabled         stopped
/etc/init.d/rpcd                   enabled         running
/etc/init.d/sudo                   enabled         stopped
/etc/init.d/sysctl                 enabled         stopped
/etc/init.d/sysfixtime             enabled         stopped
/etc/init.d/sysntpd               disabled         stopped
/etc/init.d/system                 enabled         stopped
/etc/init.d/ucitrack               enabled         stopped
/etc/init.d/uhttpd                 enabled         running
/etc/init.d/umount                 enabled         stopped
/etc/init.d/urandom_seed           enabled         stopped
/etc/init.d/urngd                  enabled         running

Trying to connect to ssh 127.0.0.1, that works, confirms sshd is working

root@openwrt:/# ssh 127.0.0.1

Host '127.0.0.1' is not in the trusted hosts file.
(ssh-ed25519 fingerprint SHA256:GVmJwH0stLsephQYLW9AtDoh8E4ZwkS2XEfpFzuM/XE)
Do you want to continue connecting? (y/n) y


BusyBox v1.36.1 (2024-09-23 12:34:46 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M

Tried wget http://127.0.0.1, this also works

root@openwrt:/# wget http://127.0.0.1
Downloading 'http://127.0.0.1'
Connecting to 127.0.0.1:80
Writing to 'index.html'
index.html           100% |*******************************|   838   0:00:00 ETA
Download completed (838 bytes)
root@openwrt:/# cat index.html
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
        <head>
                <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
                <meta http-equiv="Pragma" content="no-cache" />
                <meta http-equiv="Expires" content="0" />
                <meta http-equiv="Expires" content="Thu, 01 Jan 1970 00:00:00 GMT" />
                <meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
                <style type="text/css">
                        body { background: white; font-family: arial, helvetica, sans-serif; }
                        a { color: black; }

                        @media (prefers-color-scheme: dark) {
                                body { background: black; }
                                a { color: white; }
                        }
                </style>
        </head>
        <body>
                <a href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
        </body>
</html>
root@openwrt:/#

So, something is wrong but not sure what, it is close to working however !