== Introduction ==

I went out and bought a WRT54G after playing with a work one that ended up being loaded with OpenWRT firmware and seeing first hand how neat these things really are if you get to tinker with them at a level beyond that of the simple web page administration that Linksys ships by default.

The router I have is a [[http://www1.linksys.com/products/product.asp?grid=33&scid=35&prid=601|WRT54G v3.1]] and was pre-loaded with 4.00.7 firmware, which at first attempt wouldn't load OpenWRT firmware either by web page or TFTP, as described on the [[http://www.openwrt.org|OpenWRT]] website.

My goal for the time being is fairly simple: I wanted a router I could take with me and plug into other people's networks that wouldn't open the flood gates for the bad guys to get in. It also serves as a testing and demonstration platform for customers that want a better-than-WEP security product for their network.

/!\ BIG FAT WARNING: Usual disclaimers apply. I'm not responsible for your actions; this information is provided for educational purposes only, and if you turn your router into a brick it may be because you didn't research the topic enough before moving forward and doing anything.

== Flashing your WRT54G ==

=== Preparing your WRT54G ===

This may or may not be optional, but I had to upgrade my WRT54G firmware to v4.20.7 before I could load the OpenWRT firmware via the web page. You can grab this from the [[http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Download_C2%26cid%3D1115417109974%26sku%3D1123637915061&pagename=Linksys%2FCommon%2FVisitorWrapper|Linksys]] website.

Once OpenWRT is loaded you will be able to telnet to your router. By default there is no web config that comes with OpenWRT, so you're stuck using vi for the most part, but then again you get the full power of the device at your disposal rather than a limited feature set.
=== Installing OpenWRT ===

Swotting up on the [[http://wiki.openwrt.org/OpenWrtDocs|OpenWRT documentation]] wouldn't hurt before you do anything. It may take you a little time, but it could save you from turning your shiny new router into an expensive lump of plastic you are no longer able to use.

Firstly you will need to download a firmware image. The manual suggests using the squashfs version, since this gives you a couple more options if you screw up your install and will allow you to fix it a lot more easily than some of the other methods. At the time of writing, the current stable image suitable for my WRT54G was [[http://downloads.openwrt.org/whiterussian/rc3/bin/openwrt-wrt54g-squashfs.bin|WhiteRussian RC3]], which seems to be pretty stable; at least I've not come across any problems that I didn't cause myself. All I did to get this working was download and then upload via the web page; I waited about 30 seconds and was then able to telnet into the router.

== Getting started with OpenWRT ==

=== First Time Use ===

I suggest for the first few steps you use a piece of cat5 connected to a computer to update the password on the router. Until a root password is set the router accepts telnet logins with no password at all, and telnet sends everything in the clear, so if you come in over telnet via wireless it's possible someone else could have sniffed your packets while you add one. Setting a password will also enable SSH (dropbear) and disable telnet connections.

{{{
root@OpenWrt:~# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Re-enter new password:
}}}

=== Cleaning things up a little ===

It's a VERY VERY good idea to set the clock on bootup, since every time you restart the router it will reset back to Jan 1st 2000, which can cause all sorts of issues with OpenVPN and the validity periods on certificates (a certificate that is "not yet valid" according to the router's clock is rejected during the TLS handshake). The best solution is to install ntpclient and then run it to correct the system clock.
{{{
ipkg install ntpclient
/etc/init.d/S60ntpclient
}}}

It's also helpful to set up timezone information unless you prefer to view everything in GMT. For the east coast of Australia, which has daylight saving time, you'd do something along the lines of:

{{{
echo "EST-10EDT-11,M10.5.0/02:00:00,M3.5.0/03:00:00" > /etc/TZ
}}}

However, due to the number of time zones, and since there are already in-depth articles on other sites, I won't duplicate their efforts but instead point you to the other site: [[http://wiki.openwrt.org/OpenWrtDocs/Configuration#head-29ce2ea9da8dfba2f1c0dc0eca6fec0a138df148|More TZ information here]]

You will also need a file to set up the SSID, a fallback date (especially if you plan to run it in client mode, where the clock must already be plausible for the certificates to validate before the tunnel that carries NTP comes up), and the transmit power level if you want to run lower than the default 255mW. S41defaults runs before S60ntpclient, so the hard-coded date only holds until ntpclient corrects it.

vi /etc/init.d/S41defaults

{{{
#!/bin/ash
SSID=$(nvram get wl0_ssid)
TXPWR1=$(nvram get wl0_txpwr1)
wl ssid "$SSID"
wl txpwr1 -m "$TXPWR1"
# busybox "date -s" takes MMDDhhmmCCYY: 4 Nov 2005 01:59, a fallback until NTP runs
date -s '110401592005'
}}}

Since you will no longer be able to reach the router with telnet, you can remove the telnet startup script and kill the daemon:

{{{
rm /etc/init.d/S50telnet
killall telnetd
}}}

== Installing OpenVPN ==

=== Getting the packages ===

Next you will need to install OpenVPN. Again, thanks to all the effort put into OpenWRT, there is a Debian-like packaging utility called ipkg, so just do the following:

{{{
ipkg update
ipkg upgrade
ipkg install openvpn wl
}}}

After installing, if you run "df -h" you should have approximately 50% (1.1M) of free space left on your device.

=== Configuration ===

Once the packages have installed, this is where the fun begins. I've set my router up to trust the wired LAN ports, keep the default firewall on the WAN port, and remove the wifi network from being bridged with my LAN ports. This way I can drop all traffic to and from the wifi network unless the client has successfully connected via VPN.
I'd suggest wiping your nvram configuration and then rebooting:

{{{
mtd erase nvram
reboot
}}}

Once your router boots up you have a number of options, depending how locked down you want to make your router.

To disable SSID broadcasts (this only hides the network name from casual scanning; the SSID still travels in the clear in probe and association frames, so treat it as tidiness, not as a security control):

{{{
nvram set wl0_closed=1
}}}

To allow G-mode only (prevents 802.11b clients from connecting and slowing your connection down):

{{{
nvram set wl0_gmode=2
}}}

You can set the channel (1-14 depending on your country) or set it to 0 for auto channel selection:

{{{
nvram set wl0_channel=0
}}}

To change the SSID:

{{{
nvram set wl0_ssid=My_AP
}}}

To allow you to recover from a bad flash (the boot loader waits a few seconds for a TFTP upload before booting):

{{{
nvram set boot_wait=on
}}}

To fix large file transfer problems (this changes the CPU clock frequency; if the router becomes unstable afterwards, unset it again):

{{{
nvram set clkfreq=216
}}}

If you have a problem with your router rebooting, unsetting the following may help:

{{{
nvram unset watchdog
}}}

Next you need to remove the wifi interface (eth1) from the bridged network inside the router, so the bridge contains only the wired switch ports (vlan0):

{{{
nvram set lan_proto=static
nvram set lan_ifname=br0
nvram set lan_ifnames=vlan0
nvram set lan_ipaddr=172.16.1.1
nvram set lan_netmask=255.255.255.0
}}}

Next you need to give your wifi network its own IP details:

{{{
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=172.16.2.1
nvram set wifi_netmask=255.255.255.0
}}}

If you are finished making changes, do the following to make your changes go active:

{{{
nvram commit
reboot
}}}

=== Firewall Modifications ===

Next you'll need to modify your firewall slightly so people connecting via the wifi interface will only be able to request DHCP information and connect to the OpenVPN port.

{{{
cd /etc
rm firewall.user
cp -a /rom/etc/firewall.user .
vi firewall.user
}}}

When using vi, move the cursor down below the LAN= line and hit i (for insert), and then add the following line directly beneath it:

{{{
WLAN=$(nvram get wifi_ifname)
}}}

Now hit the escape key and move the cursor down below the warning section, and directly beneath this hit the i key again and insert the following lines:

{{{
if [ -n "$WLAN" ]
then
	# wifi clients may only obtain a DHCP lease and talk to OpenVPN on the router
	iptables -A input_rule -i $WLAN -p udp --dport 67 -j ACCEPT
	iptables -A input_rule -i $WLAN -p udp --dport 1194 -j ACCEPT
	# everything else from the wifi interface to the router itself is dropped
	iptables -A input_rule -i $WLAN -j DROP
fi
}}}

Once you are sure everything is in place, hit the escape key and type ":wq" (without the quotes); this will save and exit you out of the program.

These rules only cover traffic addressed to the router itself. Traffic from wifi clients towards the LAN or the WAN goes through the FORWARD chain instead; the stock OpenWRT rules only forward from the LAN bridge, and eth1 is no longer part of it, but verify that after rebooting with "iptables -L FORWARD -v -n" rather than assume it. Nothing in that chain should ACCEPT packets arriving on eth1, and the counters on the input_rule DROP line should climb when a wifi client tries anything other than DHCP or port 1194.

=== DNSMASQ Configuration ===

Next you need to update dnsmasq so it has information for both subnets, so do the following:

{{{
cd /etc
rm dnsmasq.conf
cp /rom/etc/dnsmasq.conf .
vi dnsmasq.conf
}}}

You'll need to scroll to the end of the file, hit the "$" key, then press "a" and paste the following lines into your config:

{{{
dhcp-range=lan,172.16.1.100,172.16.1.250,255.255.255.0,12h
dhcp-range=wlan,172.16.2.100,172.16.2.250,255.255.255.0,12h
dhcp-option=wlan,3
dhcp-option=6,172.16.1.1
}}}

The valueless "dhcp-option=wlan,3" deliberately hands wifi clients no default gateway, and the DNS server they are given (172.16.1.1) sits on the LAN side they cannot reach until the tunnel is up; the only useful thing a wifi client can do with its lease is talk to 172.16.2.1 on port 1194.

Then hit the escape key and type ":wq", after which you'll need to restart dnsmasq:

{{{
killall dnsmasq
/etc/init.d/S50dnsmasq
}}}

=== OpenVPN Configuration ===

Next we can start with the more complicated configuration of OpenVPN itself. Due to the limited space on these devices you will also need a computer that has the OpenSSL binaries installed.
{{{
mkdir /etc/openvpn
cd /etc/openvpn
vi openvpn.conf
}}}

Next hit the i key and paste the following:

{{{
mode server
tls-server
port 1194
proto udp
dev tap
local 172.16.2.1
up /etc/openvpn/server-tun.up
down /etc/openvpn/server-tun.down
cipher BF-CBC
auth SHA1
ifconfig-pool 172.16.1.50 172.16.1.99 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
tls-verify /etc/openvpn/access-control.sh
ca /etc/openvpn/cacert.crt
dh /etc/openvpn/dh1024.pem
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
push "route-gateway 172.16.1.1"
push "redirect-gateway"
push "route 0.0.0.0 0.0.0.0"
client-to-client
keepalive 10 60
persist-key
persist-tun
ping-timer-rem
daemon
log /tmp/openvpn.log
verb 3
}}}

A few things about this configuration are worth spelling out. The CA here is the public CAcert root, so chain validation on its own will pass any certificate CAcert has ever issued, client or server; the tls-verify script below is the entire authorization layer, which is why it has to match exactly. "local 172.16.2.1" makes OpenVPN listen only on the wifi side of the router. Because the up script bridges the tap interface into br0, the ifconfig-pool addresses come out of the LAN subnet and must not overlap the lan dhcp-range given to dnsmasq (50-99 versus 100-250 here). Finally, BF-CBC, SHA1 and 1024-bit DH were the OpenVPN defaults when this was written; Blowfish's 64-bit block size is a known weakness on long-lived tunnels, so on any current OpenVPN version use an AES-GCM cipher and DH parameters of at least 2048 bits, on both ends.

Then hit the escape key and type ":wq". Next, "vi server-tun.up":

{{{
#!/bin/ash
LAN=$(nvram get lan_ifname)
# bring up the tap interface
$DEBUG ifconfig $1 0.0.0.0 up
# and add that to the bridge
$DEBUG brctl addif $LAN $1
}}}

Then hit the escape key and type ":wq". Next, "vi server-tun.down":

{{{
#!/bin/ash
LAN=$(nvram get lan_ifname)
# and delete that from the bridge
$DEBUG brctl delif $LAN $1
# bring down the tap interface
$DEBUG ifconfig $1 0.0.0.0 down
}}}

Then hit the escape key and type ":wq", followed by "chmod +x server-tun.up server-tun.down". Next, "vi access-control.sh":

{{{
#!/bin/ash
# OpenVPN runs this once per certificate in the chain: $1 is the depth
# (0 = the client's own certificate) and $2 is its X509 subject.
# CA certificates above the leaf are accepted; OpenVPN has already
# validated the chain against cacert.crt.
if [ "$1" != "0" ]; then
	exit 0
fi
# Allow only if a whole line of the access list equals the subject.
# A substring grep would let a subject that is merely a prefix of an
# allowed entry through, and an unquoted $2 breaks on subjects with spaces.
while read -r line; do
	if [ "$line" = "$2" ]; then
		exit 0
	fi
done < /etc/openvpn/access-control.txt
exit 1
}}}

Then hit the escape key and type ":wq", followed by "chmod +x access-control.sh". Next, "vi access-control.txt", with one subject per line exactly as OpenVPN reports it (at verb 3 the "VERIFY OK: depth=0, ..." lines in /tmp/openvpn.log show the precise form):

{{{
/emailAddress=user@isp.com
}}}

You will need to have at least one domain/hostname registered with CAcert. Then you will need to generate a key and certificate signing request, and submit the request to CAcert:

{{{
openssl req -nodes -new -keyout server.key -out server.csr
}}}

Once you have a valid certificate simply "vi server.crt" and paste the contents in there. You will need to set the permissions on server.key so only root can read the file.
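Before moving on to the certificates, it is worth seeing exactly why the tls-verify check has to be an exact line match. If access-control.sh simply greps for the subject in the access list, the subject is treated as a regular expression and matched as a substring of an allowed entry, so a certificate whose subject is a prefix of an allowed one gets in; and if $2 is left unquoted, a subject containing spaces is word-split before grep ever sees it. The script below is an added example, not code from the original page: it puts the substring check beside an exact-line check so the difference is visible. The access list entries and the three subjects are constructed for the demonstration, and the script assumes the "/emailAddress=..." subject form that OpenVPN passes to a tls-verify script.

```shell
#!/bin/sh
# Added example (not code from the original page): compares a substring grep
# of the X509 subject against the access list with an exact whole-line match.
# Subjects and list entries below are constructed; OpenVPN supplies the real
# ones as $1 (depth) and $2 (subject) when it runs the tls-verify script.

# Write a constructed access list to a temp file and print its path.
make_access_list() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '/emailAddress=user@isp.com' \
        '/CN=Jane Doe/emailAddress=jane@example.org' > "$f"
    echo "$f"
}

# The grep-style check (quoted, so it at least survives spaces): allow if
# ANY line CONTAINS the subject, which is also interpreted as a regex.
loose_check() {     # $1 subject, $2 list file
    grep -q -- "$1" "$2"
}

# Hardened check: allow only if a whole line EQUALS the subject.  Plain
# string comparison works on a BusyBox grep without -x and never treats
# the subject as a pattern.
exact_check() {     # $1 subject, $2 list file
    while IFS= read -r line; do
        [ "$line" = "$1" ] && return 0
    done < "$2"
    return 1
}

# What /etc/openvpn/access-control.sh should do: accept CA certificates
# higher in the chain (depth > 0), require the leaf (depth 0) to be listed.
tls_verify() {      # $1 depth, $2 subject, $3 list file
    [ "$1" != "0" ] && return 0
    exact_check "$2" "$3"
}

# Stand-alone demonstration: an exact entry, a prefix of an entry
# (user@isp.co versus user@isp.com), and an entry containing spaces.
list=$(make_access_list)
for subj in '/emailAddress=user@isp.com' \
            '/emailAddress=user@isp.co' \
            '/CN=Jane Doe/emailAddress=jane@example.org'; do
    if loose_check "$subj" "$list"; then loose=allow; else loose=deny; fi
    if exact_check "$subj" "$list"; then exact=allow; else exact=deny; fi
    printf '%-45s loose=%-5s exact=%s\n' "$subj" "$loose" "$exact"
done
rm -f "$list"
```

The second subject is the one that matters: the substring check allows "/emailAddress=user@isp.co", an identity CAcert would issue to whoever controls that mailbox in a different domain, while the exact check refuses it. Dropping tls_verify's list-file argument and hard-coding /etc/openvpn/access-control.txt gives you the script the router needs.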
You will also need to put the contents of the CAcert root certificate in the directory as well.

{{{
wget http://www.cacert.org/cacert.crt
chmod 600 /etc/openvpn/server.key
}}}

Bear in mind that a wget over plain HTTP gives you no assurance that the file is the genuine CAcert root, and everything this VPN accepts is anchored on it. Compare its fingerprint ("openssl x509 -in cacert.crt -noout -fingerprint") with the one published on the CAcert website before you rely on it.

Finally you will need to create a 1024-bit DH parameter file:

{{{
openssl dhparam -out dh1024.pem 1024
}}}

If you want OpenVPN to auto-start (which you should) you need to vi /etc/init.d/openvpn:

{{{
#!/bin/ash
/usr/sbin/openvpn --config /etc/openvpn/openvpn.conf
}}}

and

{{{
chmod +x /etc/init.d/openvpn
ln -sf /etc/init.d/openvpn /etc/init.d/S75openvpn
}}}

At this point you should restart your router to see if everything is working. Once your router has rebooted you can run "ps auxww" to see if openvpn is listed.

== Client Configuration ==

=== Under WRT54G ===

You can use a WRT54G as an ethernet bridge/router, and use the WAN port as another LAN port so you end up with a 5-port ethernet bridge/router. This is useful for linking buildings together, or even just floors/rooms in the same house, without the hassle/expense of having cat5 cables run, or tripping over them in the middle of the night. The best bit is the price: in Australia the going price for a WRT54G is about AU$120 (inc GST); if you were to buy an ethernet bridge or gaming adapter they are at least $50 more and you only get 1 ethernet port, not 5!
So once you have a second unit flashed (see above) and ready to be worked on, run the following commands:

{{{
nvram set wl0_ssid=My_AP
nvram set lan_ifnames='vlan0 vlan1'
nvram set wan_ifname=tap0
nvram set wan_proto=dhcp
nvram set wifi_proto=dhcp
nvram set wl0_mode=sta
nvram unset wl0_channel
nvram set wl0_closed=1
nvram set wl0_gmode=2
nvram set boot_wait=on
nvram set clkfreq=216
nvram unset watchdog
nvram set lan_proto=static
nvram set lan_ifname=br0
nvram set lan_ipaddr=172.17.1.1
nvram set lan_netmask=255.255.255.0
nvram set wifi_ifname=eth1
nvram set wifi_ipaddr=172.17.2.1
nvram set wifi_netmask=255.255.255.0
nvram commit
mkdir /etc/openvpn-client
reboot
}}}

Next you'll need to create the client configuration with vi /etc/openvpn-client/openvpn.conf:

{{{
tls-client
remote 172.16.2.1
port 1194
proto udp
dev tap
pull
resolv-retry infinite
nobind
cipher BF-CBC
auth SHA1
ca /etc/openvpn-client/cacert.crt
cert /etc/openvpn-client/client.crt
key /etc/openvpn-client/client.key
daemon
user nobody
group nogroup
ping 5
ping-restart 15
ping-timer-rem
persist-tun
persist-key
log /tmp/openvpn-client.log
verb 1
}}}

The same caveat as on the server applies in reverse: with the public CAcert root as the CA, any CAcert-issued certificate will pass the client's chain validation, so a rogue access point holding one could impersonate your server. Pin the server with "tls-remote" and the exact subject of server.crt (OpenVPN 2.0), or "remote-cert-tls server" on OpenVPN 2.1 and later.

You will need to have a signed client/email certificate from the CAcert website; this is a simple step-by-step process on the website. Once you have one you will need to export it from your browser, and most likely it will be in PKCS#12 format, so you will need to split it with openssl:

{{{
openssl pkcs12 -in <exported>.p12 -clcerts -nokeys -out client.crt
openssl pkcs12 -in <exported>.p12 -nocerts -out client.pem
}}}

The first command writes just the certificate; the second writes the private key, and openssl will insist on putting a passphrase on it. You will need to remove that passphrase if you plan to use OpenVPN in any sort of automated manner, and mark the client private key as read/write by root only. You also need to grab a copy of the root certificate.
{{{
openssl rsa -in client.pem -out client.key
chmod 600 client.key
wget http://www.cacert.org/cacert.crt
}}}

One final thing: you'll need to vi /etc/init.d/openvpn-client:

{{{
#!/bin/ash
/usr/sbin/openvpn --config /etc/openvpn-client/openvpn.conf
}}}

and

{{{
chmod +x /etc/init.d/openvpn-client
ln -sf /etc/init.d/openvpn-client /etc/init.d/S75openvpn
}}}

=== Under Ubuntu ===

OpenVPN has clients for a lot of platforms. At this point in time the only thing I need to connect with is my laptop running Ubuntu; hopefully others with experience on other platforms can add further information in this section.

Firstly you will need to install OpenVPN and do some misc other things:

{{{
apt-get install openvpn
mkdir -p /etc/openvpn
cd /etc/openvpn
wget http://www.cacert.org/cacert.crt
}}}

Next you can start working on the openvpn.conf file:

{{{
tls-client
remote 172.16.2.1
port 1194
proto udp
dev tap
pull
resolv-retry infinite
nobind
cipher BF-CBC
auth SHA1
ca /etc/openvpn/cacert.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
daemon
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
log /var/log/openvpn/openvpn.log
verb 3
}}}

You will need to have a signed client/email certificate from the CAcert website; this is a simple step-by-step process on the website. Once you have one you will need to export it from your browser, and most likely it will be in PKCS#12 format, so you will need to split it with openssl:

{{{
openssl pkcs12 -in <exported>.p12 -clcerts -nokeys -out client.crt
openssl pkcs12 -in <exported>.p12 -nocerts -out client.pem
}}}

The first command writes just the certificate; the second writes the private key, and openssl will insist on putting a passphrase on it. You will need to remove that passphrase if you plan to use OpenVPN in any sort of automated manner, and mark the client private key as read/write by root only.
{{{
openssl rsa -in client.pem -out client.key
chmod 600 client.key
}}}

To simplify things for myself, when my wireless interface is brought up on my laptop I also trigger the VPN tunnel, in /etc/network/interfaces:

{{{
auto eth0
iface eth0 inet dhcp
	wireless-mode managed
	wireless-essid My_AP
	post-up openvpn --config /etc/openvpn/openvpn.conf
	pre-down killall -KILL openvpn
}}}

== Gotchas ==

=== Out of Space ===

If you've installed and removed packages or other things on your OpenWRT, I found it doesn't release the space 100% of the time, and I was forced to erase the jffs2 partition and reboot the device. Upon reboot the squashfs partition will simply rebuild the jffs2 partition and you will be on your way again.

/!\ Another big fat warning: this will erase all changes you've made, including any packages you've downloaded and installed. I'd suggest you back up anything you want to save !!!BEFORE!!! going any further.

To back up the device you could do a dd and dump the entire file system, but this is difficult to extract one or two files from. Instead I suggest you simply tarball files in any directory you've altered. For me I've only touched files in /etc, and of course the nvram memory, so that's all I need to back up, although there is no harm in archiving too much; it'll be too late once you erase it:

{{{
cd /tmp
nvram show > /tmp/nvram-backup
tar czvf backup.tgz /etc /tmp/nvram-backup
}}}

Remember that this archive contains /etc/openvpn/server.key and the root password hash, so keep it somewhere as private as the router itself.

You will need to download a copy of the file; the easiest way is via scp from another Linux box:

{{{
scp root@172.16.1.1:/tmp/backup.tgz .
}}}

Once you have that out of the way you are then able to erase your device and start over again:

{{{
mtd erase nvram
mtd -r erase mtd4
}}}

If the device doesn't power cycle itself you will need to do it manually. Within a minute you should be back up and running.
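The backup above captures nvram as the output of "nvram show", but putting it back after an erase means turning every line into an "nvram set" again. The script below is an added example, not code from the original page: a POSIX sh function that converts such a dump into a restore script, splitting each line on the first "=" so values that themselves contain "=" survive, and single-quoting values so the generated script is safe to run on the router. It assumes the dump was written with "nvram show > file" as shown above (one key=value per line); the sample dump in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not code from the original page): rebuild "nvram set"
# commands from an "nvram show" dump such as /tmp/nvram-backup above.
# Assumes one key=value pair per line; the demo dump below is constructed.

# Convert a dump file ($1) into a restore script on stdout.
# - lines without '=' (blank lines, a stray "size: ..." line) are skipped
# - key and value are split on the FIRST '=' so values containing '=' survive
# - values are single-quoted, with embedded single quotes escaped as '\''
nvram_dump_to_script() {
    echo '#!/bin/sh'
    while IFS= read -r line; do
        case $line in
            *=*) ;;
            *)   continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        esc=$(printf '%s' "$val" | sed "s/'/'\\\\''/g")
        printf "nvram set '%s=%s'\n" "$key" "$esc"
    done < "$1"
    echo 'nvram commit'
}

# Number of "nvram set" lines a dump produces: a sanity check against
# "nvram show | wc -l" before trusting the generated restore script.
nvram_dump_count() {
    nvram_dump_to_script "$1" | grep -c '^nvram set '
}

# Stand-alone demonstration on a constructed dump.
demo=$(mktemp)
printf '%s\n' \
    'wl0_ssid=My_AP' \
    'lan_ifnames=vlan0' \
    'wifi_ipaddr=172.16.2.1' \
    "http_passwd=it's=secret" \
    'size: 1234 bytes (31234 left)' > "$demo"
nvram_dump_to_script "$demo"
rm -f "$demo"
```

On a real backup, "nvram_dump_to_script /tmp/nvram-backup > restore.sh" gives you something to scp back and run after the erase; read it first, and strip any hardware-specific keys (MAC addresses, board identifiers) you do not actually want to overwrite on a replacement unit.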
== More information ==

=== Notes ===

The WRT54G and WRT54GS aren't the only products capable of running the OpenWRT firmware, but they are some of the most widely available; check out the [[http://wiki.openwrt.org/TableOfHardware|OpenWRT documentation]] for a list of compatible routers.

=== Links ===

 * [[http://www.OpenWRT.org|OpenWRT]]
 * [[http://www.OpenVPN.org|OpenVPN]]
 * [[openVPN|Using OpenVPN with CAcert]]

== Simple web interface ==

=== Installing Lighttpd and PHP ===

You will need to edit your /etc/ipkg.conf to add the package feed, then install the packages:

{{{
rm /etc/ipkg.conf
cp /rom/etc/ipkg.conf /etc/ipkg.conf
echo "src nico http://openwrt.org/downloads/people/nico/testing/mipsel/packages" >> /etc/ipkg.conf
ipkg update
ipkg install php4-cgi lighttpd lighttpd-mod-cgi
echo -n > /etc/lighttpd.conf
vi /etc/lighttpd.conf
}}}

Press "i" and paste the following lines:

{{{
server.modules = ( "mod_cgi", )
server.document-root = "/www/"
server.errorlog = "/var/log/lighttpd/error.log"
index-file.names = ( "index.php" )
mimetype.assign = (
  ".pdf"   => "application/pdf",
  ".class" => "application/octet-stream",
  ".pac"   => "application/x-ns-proxy-autoconfig",
  ".swf"   => "application/x-shockwave-flash",
  ".wav"   => "audio/x-wav",
  ".gif"   => "image/gif",
  ".jpg"   => "image/jpeg",
  ".jpeg"  => "image/jpeg",
  ".png"   => "image/png",
  ".css"   => "text/css",
  ".html"  => "text/html",
  ".htm"   => "text/html",
  ".js"    => "text/javascript",
  ".txt"   => "text/plain",
  ".dtd"   => "text/xml",
  ".xml"   => "text/xml"
)
server.tag = "lighttpd"
static-file.exclude-extensions = ( ".php" )
server.pid-file = "/var/run/lighttpd.pid"
server.dir-listing = "disable"
cgi.assign = ( ".php" => "/usr/bin/php" )
}}}

Nothing in this configuration authenticates the user, and with no server.username set lighttpd and the PHP it spawns run as root, so whoever can reach port 80 on the router can do whatever index.php allows. Rely on the firewall to keep it reachable from the wired LAN only, and consider adding server.bind = "172.16.1.1" so it never listens on the wifi or WAN addresses at all.

=== Example Web Interface ===

Due to the size of this file, rather than posting the file to this page, it's available as a download instead.
Simply wget it ([[attachment:index.php|http://wiki.cacert.org/wiki/OpenWRT?action=AttachFile&do=get&target=index.php]]) and save it as /www/index.php; the URL contains "&", so quote it:

{{{
wget -O /www/index.php 'http://wiki.cacert.org/wiki/OpenWRT?action=AttachFile&do=get&target=index.php'
}}}

Screenshots:

 * [[attachment:Screenshot1.png|Uplink Configuration]]
 * [[attachment:Screenshot2.png|Wifi Configuration]]
 * [[attachment:Screenshot3.png|OpenVPN Configuration]]
 * [[attachment:Screenshot4.png|Syslog Output]]

=== Enabling PPPoE ===

You will need to install a couple of packages and make sure the PPP modules are loaded at boot:

{{{
ipkg install kmod-ppp kmod-pppoe ppp ppp-mod-pppoe pppoe-client
echo "slhc ppp_generic ppp_async pppox pppoe" > /etc/modules.d/30-ppp
}}}

== Conclusion ==

So far this is the sum total of how I have my personal router configured, and I'm pretty pleased with how things are progressing.