====== Linksys WRT54G setup with WiFi Dog instructions ======
- make sure you have the supported version of OpenWRT -- get it here:
* Linksys WRT54G (up to and including v4) & WRT54GL: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g-squashfs.bin
* Motorola WR850G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wr850g-squashfs.bin
* Linksys WRT54GS (up to and including v3): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin
* Linksys WRT54GS (v4): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs_v4-squashfs.bin
* Linksys WRT54G3G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g3g-squashfs.bin
* Linksys WRTSL54GS: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrtsl54gs-squashfs.bin
- plug an ethernet cable from your computer to the LAN1 port on the router
- plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection
- turn off your computer's wifi connection (to ensure that it only has 'net access through the new router)
- In a browser on your computer go to address 192.168.1.1 (this is the router's address)
- Log in, leaving the username blank and using the password **admin**
- Go to Wireless -> Basic Wireless Settings and change the Wireless Network Name to **wirelesstoronto**. Change the channel as necessary -- **1** is a good choice. Save settings.
- Go to Administration -> Firmware Upgrade
- Upgrade the firmware using the openwrt image -- DON'T INTERRUPT IT!
- Watch the DMZ light -- it'll come on, then go off. When it goes off, connect to the router: http://192.168.1.1
- Click any link and you should be asked to set a password for the root account; use the standard WT router root password.
- Connect to 192.168.1.1 using an SSH client (Linux and Mac OS have built-in SSH; on Windows try "Putty":http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html): ssh root@192.168.1.1
- Update and download standard packages, then edit wifidog.conf:
ipkg update
ipkg install iptables-extra kmod-iptables-extra libpthread libgcc
ipkg install http://wirelesstoronto.ca/dist/wifidog_1.1.5-1_mipsel_whiterussian.ipk
vi /etc/wifidog.conf
- Specify the GatewayID, as appropriate (this needs to be set on the auth server!).
- Uncomment the ExternalInterface line, and change the value to vlan1
- Change the value of the GatewayInterface line to br0
- Paste the appropriate chunk into the AuthServer section:
- for wifidog versions prior to 1.1.3:
AuthServer {
Hostname auth.wirelesstoronto.ca
SSLAvailable yes
Path /
}
- for wifidog versions 1.1.3 and later:
AuthServer {
Hostname auth.wirelesstoronto.ca
SSLPort 443
Path /
}
- Save the changes to wifidog.conf file (esc **:wq**)
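The three wifidog.conf edits above, done non-interactively and then checked, as an added example that is not code from the original page or from the WifiDog project; the sample config, the configure_wifidog/check_wifidog names and the temporary paths are constructed for the demo, and the block it appends is the 1.1.3-and-later AuthServer form.

```sh
#!/bin/sh
# Added example, not from the Wireless Toronto page: apply the wifidog.conf
# edits from the checklist non-interactively and verify them. Sample config
# and temp paths are constructed for the demo; the real file is /etc/wifidog.conf.

# Stand-in for the stock wifidog.conf (constructed, not the real default).
write_sample_conf() {
    cat > "$1" <<'EOF'
# Parameter: GatewayID
# Set this to the node ID on the auth server
GatewayID default
# ExternalInterface eth0
GatewayInterface eth1
EOF
}

# configure_wifidog IN OUT GATEWAY_ID: rewrite the three settings and append
# the 1.1.3+ AuthServer block if none exists. Only a line that is exactly a
# keyword plus one value (optionally commented out) is touched, so prose
# comments that mention the keyword are left alone.
configure_wifidog() {
    src="$1"; dst="$2"; gwid="$3"
    case "$gwid" in                 # the auth server keys on this value
        ''|*[!A-Za-z0-9_-]*) echo "bad GatewayID: '$gwid'" >&2; return 1 ;;
    esac
    kv='^[[:space:]]*#\{0,1\}[[:space:]]*'
    val='[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]*$'
    sed -e "s/${kv}GatewayID${val}/GatewayID $gwid/" \
        -e "s/${kv}ExternalInterface${val}/ExternalInterface vlan1/" \
        -e "s/${kv}GatewayInterface${val}/GatewayInterface br0/" \
        "$src" > "$dst" || return 1
    if ! grep -q '^[[:space:]]*AuthServer' "$dst"; then
        printf 'AuthServer {\n    Hostname auth.wirelesstoronto.ca\n    SSLPort 443\n    Path /\n}\n' >> "$dst"
    fi
    check_wifidog "$dst" "$gwid"
}

# check_wifidog FILE GATEWAY_ID: succeed only if every required line is live.
check_wifidog() {
    grep -q "^GatewayID $2\$" "$1" && grep -q '^ExternalInterface vlan1$' "$1" &&
    grep -q '^GatewayInterface br0$' "$1" && grep -q '^AuthServer' "$1" &&
    grep -q '^ *Hostname auth.wirelesstoronto.ca$' "$1"
}

# Demo on a temporary copy rather than on /etc/wifidog.conf.
tmp=$(mktemp -d)
write_sample_conf "$tmp/wifidog.conf"
configure_wifidog "$tmp/wifidog.conf" "$tmp/wifidog.conf.new" 17 &&
    echo "$tmp/wifidog.conf.new is ready for node 17"
```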
- Set up ntpclient & timezone, then replace S99done (it is a symlink into the read-only image, so the cp/rm/mv below turns it into an editable copy):
ipkg install ntpclient
cd /etc/init.d
wget http://wirelesstoronto.ca/dist/S55ntpclient
chmod +x /etc/init.d/S55ntpclient
/etc/init.d/S55ntpclient
echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ
cd /etc/init.d
cp S99done S99done.real
rm S99done
mv S99done.real S99done
vi /etc/init.d/S99done
- add this to /etc/init.d/S99done:
# start crond
/usr/sbin/crond -c /etc/crontabs
- set up the crontab and run cron:
mkdir /etc/crontabs
touch /etc/crontabs/root
ln -sf /etc/crontabs/root /etc/crontab
/usr/sbin/crond -c /etc/crontabs
vi /etc/crontab
- add this to the end of /etc/crontab:
0 * * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s
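The S99done and crontab steps above as one idempotent shell function, added here and not code from the original page; the setup_cron name and the temporary directory tree it runs against are constructed for the demo, and it assumes S99done starts out as a symlink into the read-only /rom image (the reason for the cp/rm/mv sequence).

```sh
#!/bin/sh
# Added example, not from the Wireless Toronto page: the S99done and crontab
# steps as one idempotent function, run here against a temporary directory
# tree (constructed) instead of the router's real /etc. Assumes
# /etc/init.d/S99done is a symlink into the read-only image, so it is
# first turned into a regular, writable file.

# setup_cron ROOT: ROOT is a prefix standing in for / (use "" on the router).
setup_cron() {
    root="$1"; s99="$root/etc/init.d/S99done"
    # Same as the page's cp / rm / mv: replace the symlink with a real copy.
    if [ -L "$s99" ]; then
        cp "$s99" "$s99.real" && rm "$s99" && mv "$s99.real" "$s99" || return 1
    fi
    chmod +x "$s99" || return 1
    # Start crond at boot, but only add the line once.
    if ! grep -q '^/usr/sbin/crond -c /etc/crontabs$' "$s99"; then
        printf '# start crond\n/usr/sbin/crond -c /etc/crontabs\n' >> "$s99"
    fi
    # Crontab lives in /etc/crontabs/root; /etc/crontab is a link to it
    # (relative here so the demo also works under a prefix).
    mkdir -p "$root/etc/crontabs" && touch "$root/etc/crontabs/root" || return 1
    ln -sf crontabs/root "$root/etc/crontab"
    # Hourly NTP sync, the page's crontab line; added once.
    line='0 * * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s'
    grep -qF "$line" "$root/etc/crontabs/root" ||
        printf '%s\n' "$line" >> "$root/etc/crontabs/root"
}

# Demo: build a fake root with S99done linked into a read-only "rom" tree.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/rom/etc/init.d" "$demo_root/etc/init.d"
printf '#!/bin/sh\n# original S99done (constructed)\n' > "$demo_root/rom/etc/init.d/S99done"
ln -s "$demo_root/rom/etc/init.d/S99done" "$demo_root/etc/init.d/S99done"
setup_cron "$demo_root" && setup_cron "$demo_root" && echo "cron set up twice, no duplicates"
```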
- restart crond, then install openvpn client:
killall crond
/usr/sbin/crond -c /etc/crontabs
ipkg install openvpn
mkdir /etc/openvpn
cd /etc/openvpn
wget http://wirelesstoronto.ca/dist/client.conf
vi /etc/openvpn/client.conf
- replace NODEID with the real gateway id
- download CA cert:
cd /etc/openvpn
wget http://wirelesstoronto.ca/dist/ca.crt
- copy cert stuff from server (it'll prompt you for the password):
scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client(NODEID).* .
- make the key private, then install auto-run script:
chmod 600 client*.key
cd /etc/init.d
wget http://wirelesstoronto.ca/dist/S90openvpn
chmod +x S90openvpn
reboot
- Congratulations, you're done!
===== Notes on using the Motorola WR850 =====
All instructions are the same, but use the correct OpenWRT package, of course.
By default, the router comes configured with the LAN IP address 192.168.10.1. Either change this to 192.168.1.1 before installing OpenWRT, or after installing OpenWRT, issue the additional commands:
nvram unset dhcp_start
nvram unset dhcp_end
nvram unset dhcp_dns
nvram commit
These variables confuse dnsmasq, and aren't required.
====== Other router-related stuff ======
===== Other resources =====
NYC Wireless have a good "walkthrough":http://www.nycwireless.net/tiki-pagehistory.php?page=WifiDog&preview=39
===== Location of old (pre-whiterussian) openvpn packages =====
- http://packages.milkfish.org/boozy/5.5.5/all_packages/libssl_0.9.7d-1_mipsel.ipk
- http://212.222.128.68/sven-ola/ipkg/liblzo_1.08_mipsel.ipk
- http://wrt54g.free.fr/openwrt/b4/ipkg/openvpn_2.0test19_mipsel.ipk
===== Upgrading OpenWRT to latest version =====
Perhaps refer to (newer?) instructions at:
* http://wiki.openwrt.org/OpenWrtDocs/Installing#head-4f88301b6db87e0ff6c54cb4e65102e7aae8f6d9
* http://wiki.openwrt.org/OpenWrtDocs/Deinstalling
- cd /tmp
- wget http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-brcm-2.4-squashfs.trx
- mtd -r write openwrt-brcm-2.4-squashfs.trx linux
- telnet to 192.168.1.1 and set password using 'passwd'. Telnet will be disabled and SSH enabled.
===== Setting up a WDS router =====
- don't install wifidog on WDS "leaf" (as opposed to trunk/branch) routers
- make sure channel & SSID are correct:
nvram set wl_ssid=wirelesstoronto
nvram set wl_channel=1
- do:
nvram set wl0_lazywds=0
nvram set wl0_wds="00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98"
nvram commit
- on the "client" router(s) only:
rm /etc/init.d/S??dnsmasq
- reboot
- **YOU MAY NEED TO ADD A STATIC ROUTE:**
nvram set static_route=0.0.0.0:0.0.0.0:192.168.1.1:1:br0
nvram commit
===== making client certificate files on server: =====
- ssh to pwd.ca, log in as "wireless"
cd easy-rsa
. ./vars
- (ignore the output)
./build-key client[NODEID]
- use defaults except for Common Name: **client[NODEID]**
- find the client.crt and client.key files in the ./keys folder -- KEEP THESE PRIVATE
- to copy them to the router, issue these commands on the router:
scp wireless@pwd.ca:easy-rsa/keys/client.crt /etc/openvpn
scp wireless@pwd.ca:easy-rsa/keys/client.key /etc/openvpn
(it'll prompt you for the wireless@pwd.ca password each time)
===== resetting nvram the harsh not-recommended way =====
Might be especially bad on a WR850G.
mtd -r erase nvram
===== resetting nvram the preferred way =====
(From the OpenWRT FAQ.)
cd /tmp
wget http://downloads.openwrt.org/people/kaloz/nvram-clean.sh
(having access issues with the original URL http://wirelesstoronto.ca/dist/nvram-clean.sh -- PD, May 10, 2007)
chmod a+x /tmp/nvram-clean.sh
/tmp/nvram-clean.sh
The before and after sizes will show you how much space was recovered.
The nvram-clean.sh script does not commit the changes to NVRAM so you will have to do this manually with:
nvram commit
===== setting up a router as a plain-ol' bridge =====
telnet 192.168.1.1
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.1.10
nvram set lan_gateway=192.168.1.1
nvram set lan_dns=192.168.1.1
nvram set wl_ssid=wirelesstoronto
nvram set wl_channel=1
rm /etc/init.d/S50dnsmasq
nvram commit
reboot
===== preventing wifi users from accessing the local LAN =====
add to the end of /etc/firewall.user:
### secure the LAN
iptables -A forwarding_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
iptables -A input_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
Replace 172.18.92.0/24 in the rules above with your wired LAN's subnet (e.g. 192.168.17.0/24). Wifi clients will then be unable to ping the wired LAN's router address (192.168.17.1 in that example), but their traffic will still flow through it.
===== separating wifi & wired networks ("breaking the bridge") =====
You'd want to do this if wifi users should have to authenticate to wifidog, but computers plugged into the ethernet ports should not.
The original config on the router is probably:
lan_ifname="br0"
lan_proto=static
lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0
wifi_ifname=""
wifi_proto=""
wifi_ipaddr=""
wifi_netmask=""
lan_ifnames="vlan0 eth1 eth2"
Run these commands:
nvram set lan_ifname=vlan0
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.2.1
nvram set lan_netmask=255.255.255.0
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=192.168.1.1
nvram set wifi_netmask=255.255.255.0
nvram set lan_ifnames=vlan0
nvram commit
Edit /etc/dnsmasq.conf, adding these lines:
dhcp-range=eth1,192.168.1.100,192.168.1.250,255.255.255.0,12h
dhcp-range=vlan0,192.168.2.100,192.168.2.250,255.255.255.0,12h
Edit /etc/wifidog.conf, and change "GatewayInterface" to eth1
Reboot
(Done!)