DD-WRT OpenVPN

I need to VPN back to home, and it looks like this is quite doable with the DD-WRT firmware load on a Linksys WRT-54GL. Here are the steps:

* “Install DD-WRT”:http://www.dd-wrt.com/wiki/index.php/Index:Install. This is open source firmware for the popular Linksys WRT-54GL router. These routers have 4MB of nvRAM and can run a nice version of Linux. It’s a little complicated: you have to first load the mini version of DD-WRT, then the VPN version.
* “Configure OpenVPN”:http://www.geek-pages.com/articles/latest/openvpn_server_and_client_on_dd-wrt_–_bridged.html. This is an open source project that turns your home router into a VPN server; pretty neat, and the article gives a good overview. The only problem with these instructions is that they assume you can use JFFS (journaled file system), which only works on “WRT54GS Version 3 or lower”:http://www.dd-wrt.com/wiki/index.php/JFFS_File_System routers with more memory.
* “DD-WRT OpenVPN”:http://www.dd-wrt.com/wiki/index.php/OpenVPN#Server_mode_with_Static_Key. These instructions work with any WRT54G v3 or WRT54GL, where you put the key for the VPN into the script itself. The only change is that to create the key, you can telnet to your router and run the _openvpn --genkey --secret static.key_ command there instead of having to load the Windows version of OpenVPN.
* “BSR-Clan.de”:http://forum.bsr-clan.de/ftopic5111.html has specific instructions on how to get this working on a low memory WRT54G v4.
* “Windows OpenVPN Client”:http://www.osnews.com/story.php/5803/Introduction-to-OpenVPN/page2/. You do need to load OpenVPN on each machine; it is SSL based and Windows doesn’t have a built-in client for it. You get it from “Openvpn.net”:http://openvpn.net

Here are the instructions that seem to work. This is the simplest approach in that it uses a single key and only allows a single client to log in, which is all I need:

1. Create a static key by downloading “OpenVPN”:http://openvpn.net and on Windows running Start/OpenVPN/Generate a static OpenVPN Key which dumps it into _c:\program files\openvpn\configs\key.txt_
2. Go to your router’s web page (typically at “http://192.168.1.1”:http://192.168.1.1), go to Administration/Commands, enter the following into the Commands text box and click on Save firewall
bq. iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
3. Now enter the code below, insert the text from key.txt into the echo command, and click on Save Startup

openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
-----BEGIN OpenVPN Static key V1-----
…INSERT YOUR OWN KEY.TXT HERE…
-----END OpenVPN Static key V1-----
" > /tmp/static.key
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 443 --proto tcp-server --verb 3 --daemon

4. Reboot the router, go to the web interface Administration/Commands, and look for myvpn when you type in
bq. ps | grep vpn
5. Because your router is probably on an ISP with a rotating connection, create an account at “dyndns.org”:http://dyndns.org so that you get a DNS address for your home that looks like “myhome”.dyndns.org
6. Create an openvpn config file on your client computer (see the openvpn instructions)

# Use the following for simple connections:
remote XXXX.dyndns.org
port 443
dev tap
secret key.txt
proto tcp-client
comp-lzo

7. Start OpenVPN on your Windows machine and click connect.
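
The static key is the only credential in this setup, and a copy that picked up typographic dashes or quotes on its way into the startup script will not load. The check below is an added example, not part of the original post or of DD-WRT/OpenVPN; the function names are hypothetical and the sample key is a constructed pattern, not a real key.

```shell
#!/bin/sh
# Added example (function names are hypothetical): sanity-check an OpenVPN
# "Static key V1" file before pasting it into the router's startup script.

# Succeeds if FILE holds any non-ASCII byte; typographic dashes and quotes
# picked up from a web page or word processor show up this way.
has_non_ascii() {
    n=$(LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Succeeds only for a well-formed 2048-bit key: exact ASCII BEGIN/END markers
# around 16 lines of 32 hex digits. CRs and '#' comment lines are ignored.
check_static_key() {
    if has_non_ascii "$1"; then
        echo "$1: non-ASCII characters (mangled dashes or quotes?)" >&2; return 1
    fi
    body=$(tr -d '\r' < "$1" | grep -v -e '^#' -e '^[[:space:]]*$' || true)
    first=$(printf '%s\n' "$body" | head -n 1)
    last=$(printf '%s\n' "$body" | tail -n 1)
    if [ "$first" != "-----BEGIN OpenVPN Static key V1-----" ] ||
       [ "$last" != "-----END OpenVPN Static key V1-----" ]; then
        echo "$1: missing or altered BEGIN/END marker" >&2; return 1
    fi
    hex=$(printf '%s\n' "$body" | sed '1d;$d')
    total=$(printf '%s\n' "$hex" | wc -l | tr -d ' ')
    good=$(printf '%s\n' "$hex" | grep -c -E '^[0-9a-fA-F]{32}$' || true)
    if [ "$total" -ne 16 ] || [ "$good" -ne 16 ]; then
        echo "$1: want 16 lines of 32 hex digits, got $good of $total" >&2
        return 1
    fi
}

# Constructed sample (a repeating pattern, NOT a usable key) written to FILE.
make_sample_key() {
    {
        printf '%s\n' "# 2048 bit OpenVPN static key"
        printf '%s\n' "-----BEGIN OpenVPN Static key V1-----"
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%s\n' "00112233445566778899aabbccddeeff"; i=$((i + 1))
        done
        printf '%s\n' "-----END OpenVPN Static key V1-----"
    } > "$1"
}

tmp=$(mktemp) && make_sample_key "$tmp"
check_static_key "$tmp" && echo "sample key: OK"; rm -f "$tmp"
```

Run `check_static_key` against key.txt on the machine where the key was generated, and again against the text copied out of the startup script.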

DD-WRT Installation

“DD-WRT”:http://www.dd-wrt.com/wiki/index.php/WRT54G_v4_Installation_Tutorial has a great tutorial for the somewhat tricky installation with V23 and above. You have to install the mini version first, which is called mini_generic.bin; then you reset, upgrade to DD-WRT standard and again use generic.bin.

You only want to use generic.bin by the way when using the web user interface which is the normal way. If you use TFTP then you have to use the specific versions.

In terms of recovery, there are two different sets of instructions on the web. Linksys used to have a dedicated utility, but now you just use the tftp built into Windows XP. You basically run the tftp command as the router is booting and it should take; use the “TFTP”:http://www.dd-wrt.com/wiki/index.php/Installation#Flashing_with_TFTP instructions on the DD-WRT wiki.

There is an amazing “feature list”:http://www.dd-wrt.com/wiki/index.php/What_is_%22DD-WRT%22%3F#Feature_List that includes things like Client Mode and Afterburner, too numerous to understand, although the “HOW TO”:http://www.dd-wrt.com/wiki/index.php/Configuration_HOWTOs#HOWTOs_for_basic_configuration_scenarios list is really useful:

* “Afterburner”:http://www.dd-wrt.com/wiki/index.php/Afterburner you should only use this if you have the special client cards from Linksys that enable this kind of optimization or if you have a notebook with a Broadcom chipset. Look in the Wireless LAN Card setup and see if there is a property in the Advanced tab called Afterburner. “Hyperwrt”:http://www.hyperwrt.org/forum/viewtopic.php?pid=5228 has more information on this, which has lots of trade names including Afterburner, Speedbooster, SuperSpeed, 125mbps, Gplu and G+

Linksysinfo on Linksys firmware projects

“Linksysinfo”:http://www.linksysinfo.org/portal/forums/forumdisplay.php seems to be the place where all the various firmware projects are discussed.

I’ve used DD-WRT and it worked OK, but when I upgraded our WRT54G to HyperWRT Beta 21, it completely bricked it, so beware.
Other projects I haven’t tried include Sveasoft, EWRT, HyperWAP. Also there is the MustDie Firmware for WAP54Gs.

Another thing is that “Linksysinfo”:http://www.linksysinfo.org/portal/forums/showthread.php?t=42554 has a post for a fix for the v3 WAP54 that lets you set the power up to 100dbm, so past the FCC limit, but you get more power. Of course you also need more power at your clients too.

Link WAP54G V3

We have a bunch of these APs (Linksys.com – Support/Technical Support/Downloads, WAP54G – Wireless-G Access Point). One thing is the use of “hyperwap”:http://www.hyperwap.org/forum/viewtopic.php?id=53 on it to give it more features. This is a version of Hyperwap based on the 3.04 firmware that is the latest from Linksys.

Apparently the DD-WRT firmware “works”:http://www.hyperwap.org/forum/viewtopic.php?id=53&p=2 with both the wap54g and the wrt54g. Who knew?


Linksys Diagnostics, Firmware Hacks and Intel Driver Updates

OK, now that we’ve got our network basically working, we’ve run “DSL Reports”:http://dslreports.com/tools to figure out that we do have the speed, but it still doesn’t seem very responsive. There are also various attacks by different folks, so we need some sort of el cheapo monitoring software. There are quite a few of these utilities that you could try:

As an example, “Link Logger”:http://www.linklogger.com/download.htm is a tool that isn’t expensive, but does require that you burn a third-party firmware load onto your Linksys. The BEFSR41 that we have, for instance, has multiple hardware “versions”:http://www.linklogger.com/linksys_config_issues.htm so you have to be careful.

There is also a whole market in firmware hacks for the very popular WRT54G line that includes such tools as HyperWRT, “DD-WRT”:http://www.dd-wrt.com/dd-wrtv2/index.php and “SveaSoft”:http://www.sveasoft.com. “Linksysinfo.org”:http://linksysinfo.org also has lots of information and is a great resource to understand all of this. The main lesson though is that if you are buying a new one, you want a Linksys WRT54G V4 or *lower*. The V5 and later are cost reduced and have less memory!!!

Let’s review each

h2. Sveasoft

Sveasoft is a good example: they add lots of features but have a $20/month subscription fee to keep the software alive. What are some of the new “features”? BTW we can thank Linksys for using an open source Linux and distributing the firmware. These companies are adding features because of that. Makes the WRT54G a pretty good line to buy into.

The most interesting thing is that apparently the earlier models, WRT54G V1-4, were better because the new ones, V5 and on, actually have less RAM and ROM and switched operating environments, so if you can get the V4, they are probably the best for hacking around.

* Separate SSIDs per box with unique encryption rules for each SSID, so you can host on one box both inside-the-firewall employees and outside-the-firewall visitors
* About a zillion repeater, bridge and routing modes that you normally only get with the dedicated WAP54G access point. These are now available on the WRT54G
* Lots of firewall improvements including blocking of bad adware sites
* Boosting the power of the system to 251 milliwatts to increase range, the addition of “Afterburner” support to increase speeds

h2. DD-WRT

“DD-WRT”:http://www.dd-wrt.com/dd-wrtv2/ddwrt.php is an open source project based on Sveasoft so it is free and has a very active “forum”:http://www.dd-wrt.com/phpBB2/viewforum.php?f=1&sid=6dfef779420445922429af2b43d36a49 with lots of the various flavors of the Linksys and other related hardware all based on the Broadcom chipset. Features from their “wiki”:http://www.dd-wrt.com/wiki/index.php/Main_Page include:

“AP Client Mode”:http://www.dd-wrt.com/phpBB2/viewtopic.php?t=68 is the most important for providing more coverage where one WRT54G reaches out only so far, so at the edge, you put another WRT54G to extend the coverage. As an aside, the AP Client Bridge Mode only allows a single ethernet device behind the bridge, so you need to use WDS if you want multiples. Also there are lots of posts about whether this is implemented properly, so probably not a good candidate.

The main thing it doesn’t do is multiple SSIDs on the one box. There is a pre-alpha V0.24 that does that.

h2. HyperWRT

“HyperWRT”:http://www.hyperspacehome.com/hyperwrt/ is another option. The main page says it won’t work on anything newer than V3 hardware. So it is a good candidate for Qiming, which has three V3 routers, but not for John, who has a pair of V4’s. But there is a “forum”:http://www.hyperwrt.org/forum/viewtopic.php?id=957 that describes how to load it on a WRT54G/GS V4. Confused yet? Also interesting to see that there is a feature called Speedbooster, which is basically hacks to the Wifi protocols that are firmware based, so save yourself some money if you are a geek and buy a WRT54G and use this hack to save the $20 extra it costs for a WRT54GS. Specifically its “features”:http://www.hyperwrt.org/Features.shtml are:

* Adjustable power and ability to get up to 13 wireless channels. Apparently on the WRT54G by default, it is at 100mW, the maximum according to the 802.11 specification, but you can artificially boost it to 200mW with a firmware change
* “AP+WDS”:http://www.hyperwrt.org/wiki/BasicWirelessSettings. This is the mode that we really need, it merges the AP mode and WDS mode together so you can connect together multiple WRT54G servicing wired and wireless clients. (so it is too bad it doesn’t work with John’s hardware).
* The main complexity is that for WRT54G routers, you have to upgrade them with Linksys firmware to WRT54GS and from there go to HyperWRT.

Hat tip to the genius at Hyperwrt named Danielhaden who figured this out: you basically load DD-WRT to get the V4 in the right state of mind as a V4 GS, then from there you can use HyperWRT’s GS version. That is because the WRT54G HyperWRT only works for V1-3 of that hardware. Confused yet:

# Used the Linksys CD that came with the router to set it up initially and make sure the thing worked out of the box.” It is always wise to check out a brand-new product before modifying it.
# After confirming the router worked, I went to 192.168.1.1 and reset the factory defaults. Did I need to? Probably not, but I wanted to start clean with no funny business. . .” This is a very important part of the official directions for DD-WRT mini generic that is used in the next step. Setting factory defaults before loading firmware reduces risk.
# Navigated to the ‘Upgrade Firmware’ section of the Linksys interface and browsed for the dd-wrt mini generic (121005 release, v23) I downloaded from “DD-WRT”:http://www.dd-wrt.com/. Note that there is no specific download for mini generic. It is in the 121005-2.dd-wrt.v23.mini_beta1.zip archive and you will see it after unpacking the archive.” This information may have changed, but others have had success with the final version of DD-WRT mini generic V23.
# Clicked the ‘upgrade’ button. danielhaden suggested that due to the v4’s alleged stubborn nature, it is a good idea to wait five minutes and walk away. So I did. I even set a timer. However, the upgrade was successful in about one minute with no hang or apparent problems. I waited five minutes anyway. Hey, why not?” Also a vital part of the DD-WRT directions is that you wait 5 minutes after loading. This is specific to DD-WRT.
# I clicked the ‘continue’ button on the page that said the upgrade was successful and verified that dd-wrt was indeed running.
# Then I navigated to the “Upgrade Firmware” section of dd-wrt’s interface and browsed for Thibor’s HyperWRT 201105 .bin file I had already downloaded from “Hyperwrt”:http://www.hyperwrt.org/Downloads.shtml and held my breath as I continued.” See the FAQ on where to get the latest HyperWRT.
# I set my timer for five minutes, just to keep me honest. And again, I didn’t need it- after approximately one minute, I saw the page that said the upgrade was successful…and again, I waited the five minutes anyway. I wasn’t in a big hurry.” It wasn’t necessary to wait 5 minutes after loading HyperWRT. The router was ready to use as soon as HyperWRT appeared. Still, not a bad idea.
# After my (probably unnecessary) five minutes, I continued from the upgrade successful page and found that HyperWRT was running. I had a momentary bout of panic as the interface looks very similar to the stock Linksys interface. Uh oh. Then I saw the Thibor HyperWRT firmware description up in the right corner. Whew.” HyperWRT adds many features onto the original Linksys sources, and it is made from the latest Linksys code for the latest in fixes and security. That is why it looks similar.
# I then performed a hard reset on the router. Unplugged, pressed the reset button- one one thousand, two one thousand…thirty one thousand- then plugged it back in for ten more seconds with the reset button still pressed. One one thousand, two one thousand….”
# After the reset, I went to 192.168.1.1 in my browser and HyperWRT was still there. Yay. I navigated to the startup script page and entered “erase nvram; reboot” into the. . .” run command section of the administration page. At first, it is difficult to figure out where to type, but the single line is where you type, not the big box.
# At this time, it is recommended that you set your router to factory defaults. It will restart. Now, set an administration (admin) password, and then login with username admin and your new password. Until you save an admin password, many of your changes will not save.
# Success! Thibor’s HyperWRT made the 54G appear as a 54GS. Neat. I don’t know if it’s faster or better since this is my first wireless router, but it was fun to stick it to The Man (?) and turn it into the more expensive model.”

h2. Fix your Intel Drivers they have security holes!

As another aside, it turns out the 2200BG Intel driver we have has all kinds of security issues, so if you have downloaded as of August 9, 2006, you should download the new Intel drivers at “http://support.intel.com/support/wireless/wlan/sb/cs-010623.htm”:http://support.intel.com/support/wireless/wlan/sb/cs-010623.htm