====== Linksys WRT54G setup with WiFi Dog instructions ======

  - Make sure you have the supported version of OpenWRT -- get it here:
    * Linksys WRT54G (up to and including v4) & WRT54GL: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g-squashfs.bin
    * Motorola WR850G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wr850g-squashfs.bin
    * Linksys WRT54GS (up to and including v3): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin
    * Linksys WRT54GS (v4): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs_v4-squashfs.bin
    * Linksys WRT54G3G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g3g-squashfs.bin
    * Linksys WRTSL54GS: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrtsl54gs-squashfs.bin
  - Plug an ethernet cable from your computer to the LAN1 port on the router.
  - Plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection.
  - Turn off your computer's wifi connection (to ensure that it only has 'net access through the new router).
  - In a browser on your computer go to address 192.168.1.1 (this is the router's address).
  - Login leaving the username blank and using the password **admin**.
  - Go to Wireless -> Basic Wireless Settings and change the Wireless Network Name to **wirelesstoronto**. Change the channel as necessary -- **1** is a good choice. Save settings.
  - Go to Administration -> Firmware Upgrade.
  - Upgrade the firmware using the openwrt image -- DON'T INTERRUPT IT!
  - Watch the DMZ light -- it'll come on, then go off. When it goes off, connect to the router: http://192.168.1.1
  - Click any link and you should be asked to set a password for the root account; use the standard WT router root password.
  - Connect to 192.168.1.1 using an SSH client (Linux and Mac OS have built-in SSH; on Windows try "Putty":http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html):
<code>
ssh root@192.168.1.1
</code>
  - Update and download the standard packages, then edit wifidog.conf:
<code>
ipkg update
ipkg install iptables-extra kmod-iptables-extra libpthread libgcc
ipkg install http://wirelesstoronto.ca/dist/wifidog_1.1.5-1_mipsel_whiterussian.ipk
vi /etc/wifidog.conf
</code>
  - Specify the GatewayID, as appropriate (this needs to be set on the auth server!).
  - Uncomment the ExternalInterface line, and change the value to vlan1.
  - Change the value of the GatewayInterface line to br0.
  - Paste the appropriate chunk into the AuthServer section:
    * for wifidog versions prior to 1.1.3:
<code>
AuthServer {
    Hostname auth.wirelesstoronto.ca
    SSLAvailable yes
    Path /
}
</code>
    * for wifidog versions 1.1.3 and later:
<code>
AuthServer {
    Hostname auth.wirelesstoronto.ca
    SSLPort 443
    Path /
}
</code>
  - Save the changes to the wifidog.conf file (esc **:wq**).
  - Set up ntpclient & the timezone, then replace S99done:
<code>
ipkg install ntpclient
cd /etc/init.d
wget http://wirelesstoronto.ca/dist/S55ntpclient
chmod +x /etc/init.d/S55ntpclient
/etc/init.d/S55ntpclient
echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ
cd /etc/init.d
cp S99done S99done.real
rm S99done
mv S99done.real S99done
vi /etc/init.d/S99done
</code>
  - Add this to /etc/init.d/S99done:
<code>
# start crond
/usr/sbin/crond -c /etc/crontabs
</code>
  - Set up the crontab and run cron:
<code>
mkdir /etc/crontabs
touch /etc/crontabs/root
ln -sf /etc/crontabs/root /etc/crontab
/usr/sbin/crond -c /etc/crontabs
vi /etc/crontab
</code>
  - Add this to the end of /etc/crontab:
<code>
0 * * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s
</code>
  - Restart crond, then install the openvpn client:
<code>
killall crond
/usr/sbin/crond -c /etc/crontabs
ipkg install openvpn
mkdir /etc/openvpn
cd /etc/openvpn
wget http://wirelesstoronto.ca/dist/client.conf
vi /etc/openvpn/client.conf
</code>
  - Replace NODEID with the real gateway id.
  - Download the CA cert:
<code>
cd /etc/openvpn
wget http://wirelesstoronto.ca/dist/ca.crt
</code>
  - Copy the cert files from the server (it'll prompt you for the password):
<code>
scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client(NODEID).* .
</code>
  - Make the key private, then install the auto-run script:
<code>
chmod 600 client*.key
cd /etc/init.d
wget http://wirelesstoronto.ca/dist/S90openvpn
chmod +x S90openvpn
reboot
</code>
  - Congratulations, you're done!

===== Notes on using the Motorola WR850 =====

All instructions are the same, but use the correct OpenWRT package, of course.

By default, the router comes configured with the LAN IP address 192.168.10.1. Either change this to 192.168.1.1 before installing OpenWRT, or, after installing OpenWRT, issue these additional commands:
<code>
nvram unset dhcp_start
nvram unset dhcp_end
nvram unset dhcp_dns
nvram commit
</code>
These variables confuse dnsmasq, and aren't required.

====== Other router-related stuff ======

===== Other resources =====

NYC Wireless have a good "walkthrough":http://www.nycwireless.net/tiki-pagehistory.php?page=WifiDog&preview=39

===== Location of old (pre-whiterussian) openvpn packages =====

  * http://packages.milkfish.org/boozy/5.5.5/all_packages/libssl_0.9.7d-1_mipsel.ipk
  * http://212.222.128.68/sven-ola/ipkg/liblzo_1.08_mipsel.ipk
  * http://wrt54g.free.fr/openwrt/b4/ipkg/openvpn_2.0test19_mipsel.ipk

===== Upgrading OpenWRT to latest version =====

Perhaps refer to the (newer?) instructions at:
  * http://wiki.openwrt.org/OpenWrtDocs/Installing#head-4f88301b6db87e0ff6c54cb4e65102e7aae8f6d9
  * http://wiki.openwrt.org/OpenWrtDocs/Deinstalling

  - Download the image and write it to the "linux" partition (the file written must be the one just downloaded):
<code>
cd /tmp
wget http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-brcm-2.4-squashfs.trx
mtd -r write openwrt-brcm-2.4-squashfs.trx linux
</code>
  - Telnet to 192.168.1.1 and set a password using 'passwd'. Telnet will be disabled and SSH enabled.
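The wifidog.conf edits in the setup procedure above (GatewayID, ExternalInterface vlan1, GatewayInterface br0, the AuthServer block) are easy to get half-done before the reboot; the script below audits a config file for exactly those settings. It is an added example, not code from this wiki or from the WifiDog project: it assumes the stock "Key value" layout of wifidog.conf, and the two configs it checks are constructed samples (on a router you would run check_wifidog_conf /etc/wifidog.conf).

```sh
#!/bin/sh
# Added example, not from this wiki: audit /etc/wifidog.conf for the settings the
# setup steps require. Assumes the stock wifidog.conf layout: "Key value" lines,
# "#" comments, and an "AuthServer { ... }" block.

# Print the value of an uncommented top-level key, or nothing if it is unset.
wd_get() {  # $1=config file  $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Return the number of failed checks (0 = config matches the instructions).
check_wifidog_conf() {  # $1=config file
    f=$1; bad=0
    [ -n "$(wd_get "$f" GatewayID)" ] \
        || { echo "GatewayID is not set (it must also exist on the auth server)"; bad=$((bad+1)); }
    [ "$(wd_get "$f" ExternalInterface)" = vlan1 ] \
        || { echo "ExternalInterface should be uncommented and set to vlan1"; bad=$((bad+1)); }
    [ "$(wd_get "$f" GatewayInterface)" = br0 ] \
        || { echo "GatewayInterface should be br0"; bad=$((bad+1)); }
    # Only look inside the AuthServer { ... } block for the auth server settings.
    auth=$(sed -n '/^[[:space:]]*AuthServer[[:space:]]*{/,/^[[:space:]]*}/p' "$f")
    echo "$auth" | grep -q '^[[:space:]]*Hostname[[:space:]]\{1,\}auth\.wirelesstoronto\.ca' \
        || { echo "AuthServer Hostname is not auth.wirelesstoronto.ca"; bad=$((bad+1)); }
    echo "$auth" | grep -Eq '^[[:space:]]*(SSLPort[[:space:]]+443|SSLAvailable[[:space:]]+yes)' \
        || { echo "AuthServer needs 'SSLPort 443' (1.1.3+) or 'SSLAvailable yes' (older)"; bad=$((bad+1)); }
    return $bad
}

# Constructed sample configs (not real router output) so the check runs offline.
# $1 = good | bad ; returns check_wifidog_conf's count of failed checks.
audit_sample() {
    tmp=$(mktemp)
    if [ "$1" = good ]; then
        printf '%s\n' 'GatewayID 0123' 'ExternalInterface vlan1' 'GatewayInterface br0' \
            'AuthServer {' '    Hostname auth.wirelesstoronto.ca' '    SSLPort 443' '    Path /' '}' > "$tmp"
    else  # still the shipped defaults: no id, interface commented out, wrong auth server
        printf '%s\n' 'GatewayID' '#ExternalInterface eth0' 'GatewayInterface eth1' \
            'AuthServer {' '    Hostname auth.example.invalid' '    Path /' '}' > "$tmp"
    fi
    check_wifidog_conf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```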
===== Setting up a WDS router =====

  - Don't install wifidog on WDS "leaf" (as opposed to trunk/branch) routers.
  - Make sure the channel & SSID are correct:
<code>
nvram set wl_ssid=wirelesstoronto
nvram set wl_channel=1
</code>
  - Do (the quotes keep the whole space-separated MAC list as one value):
<code>
nvram set wl0_lazywds=0
nvram set wl0_wds="00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98"
nvram commit
</code>
  - On the "client" router(s) only:
<code>
rm /etc/init.d/S??dnsmasq
</code>
  - Reboot.
  - **YOU MAY NEED TO ADD A STATIC ROUTE:**
<code>
nvram set static_route=0.0.0.0:0.0.0.0:192.168.1.1:1:br0
nvram commit
</code>

===== Making client certificate files on the server =====

  - ssh to pwd.ca, login as "wireless", then:
<code>
cd easy-rsa
. ./vars
</code>
  - (ignore the output)
<code>
./build-key client[NODEID]
</code>
  - Use the defaults except for Common Name: **client[NODEID]**
  - Find the client.crt and client.key files in the ./keys folder -- KEEP THESE PRIVATE.
  - To copy them to the router, issue these commands on the router:
<code>
scp wireless@pwd.ca:easy-rsa/keys/client.crt /etc/openvpn
scp wireless@pwd.ca:easy-rsa/keys/client.key /etc/openvpn
</code>
    (it'll prompt you for the wireless@pwd.ca password each time)

===== Resetting nvram the harsh, not-recommended way =====

Might be especially bad on a WR850G.
<code>
mtd -r erase nvram
</code>

===== Resetting nvram the preferred way =====

(From the OpenWRT FAQ.)
<code>
cd /tmp
wget http://downloads.openwrt.org/people/kaloz/nvram-clean.sh
chmod a+x /tmp/nvram-clean.sh
/tmp/nvram-clean.sh
</code>
(Having access issues with the original URL http://wirelesstoronto.ca/dist/nvram-clean.sh -- PD, May 10, 2007)

The before and after sizes will show you how much space was recovered.
The nvram-clean.sh script does not commit the changes to NVRAM, so you will have to do this manually with:
<code>
nvram commit
</code>

===== Setting up a router as a plain-ol' bridge =====

<code>
telnet 192.168.1.1
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.1.10
nvram set lan_gateway=192.168.1.1
nvram set lan_dns=192.168.1.1
nvram set wl_ssid=wirelesstoronto
nvram set wl_channel=1
rm /etc/init.d/S50dnsmasq
nvram commit
reboot
</code>

===== Preventing wifi users from accessing the local LAN =====

Add to the end of /etc/firewall.user:
<code>
### secure the LAN
iptables -A forwarding_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
iptables -A input_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
</code>
where the -d subnet is the wired LAN (these notes name 192.168.17.0 as the wired LAN while the rules above use 172.18.92.0/24; put the subnet actually in use on your wired side in both rules). Wifi users won't be able to ping 192.168.17.1, but traffic will still flow through it.

===== Separating wifi & wired networks ("breaking the bridge") =====

You'd want to do this if you want wifi users to authenticate to wifidog, but computers plugged into the ethernet ports not to have to authenticate.

The original config on the router is probably:
<code>
lan_ifname="br0"
lan_proto=static
lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0
wifi_ifname=""
wifi_proto=""
wifi_ipaddr=""
wifi_netmask=""
lan_ifnames="vlan0 eth1 eth2"
</code>
Run these commands:
<code>
nvram set lan_ifname=vlan0
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.2.1
nvram set lan_netmask=255.255.255.0
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=192.168.1.1
nvram set wifi_netmask=255.255.255.0
nvram set lan_ifnames=vlan0
nvram commit
</code>
Edit /etc/dnsmasq.conf, adding these lines:
<code>
dhcp-range=eth1,192.168.1.100,192.168.1.250,255.255.255.0,12h
dhcp-range=vlan0,192.168.2.100,192.168.2.250,255.255.255.0,12h
</code>
Edit /etc/wifidog.conf, and change "GatewayInterface" to eth1.

Reboot. (Done!)
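If the wifi interface is left in lan_ifnames, or wifidog is still bound to br0, wifi clients stay bridged to the wired ports and never hit the captive portal, so it is worth checking the result of the commands above rather than trusting the reboot. The checker below is an added example, not from this wiki: it assumes an `nvram show`-style key=value dump (values optionally quoted) plus the GatewayInterface value from /etc/wifidog.conf, and runs against constructed before/after dumps (on a router: nvram show > /tmp/nv; bridge_broken /tmp/nv eth1).

```sh
#!/bin/sh
# Added example, not from this wiki: verify from an `nvram show`-style dump that
# the wifi/wired bridge really has been broken, so wifi clients cannot reach the
# wired side (and bypass wifidog) through br0. Assumes "key=value" lines as
# `nvram show` prints them on White Russian; values may be double-quoted.

# Print the value of one nvram key from the dump, with surrounding quotes removed.
nv() {  # $1=dump file  $2=key
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Return the number of failed checks; 0 means the split matches the instructions
# and wifidog's GatewayInterface ($2) is the wifi-only interface.
bridge_broken() {  # $1=dump file  $2=GatewayInterface from /etc/wifidog.conf
    d=$1; gwif=$2; bad=0; wifi=$(nv "$d" wifi_ifname)
    [ -n "$wifi" ] || { echo "wifi_ifname is empty: wifi still rides on the bridge"; bad=$((bad+1)); }
    [ "$(nv "$d" lan_ifname)" != br0 ] || { echo "lan_ifname is still br0"; bad=$((bad+1)); }
    # A wifi interface still listed in lan_ifnames stays bridged to the wired ports.
    if [ -n "$wifi" ]; then
        case " $(nv "$d" lan_ifnames) " in
            *" $wifi "*) echo "$wifi is still in lan_ifnames"; bad=$((bad+1)) ;;
        esac
    fi
    [ "$gwif" = "$wifi" ] || { echo "wifidog GatewayInterface '$gwif' is not wifi_ifname '$wifi'"; bad=$((bad+1)); }
    [ "$(nv "$d" lan_ipaddr)" != "$(nv "$d" wifi_ipaddr)" ] \
        || { echo "lan_ipaddr and wifi_ipaddr are the same address"; bad=$((bad+1)); }
    return $bad
}

# Constructed dumps (not real router output): the "before" config quoted on the page
# and the "after" config the nvram set commands produce.
# $1 = before | after ; $2 = GatewayInterface ; returns bridge_broken's failure count.
check_sample() {
    tmp=$(mktemp)
    if [ "$1" = after ]; then
        printf '%s\n' 'lan_ifname=vlan0' 'lan_ipaddr=192.168.2.1' 'wifi_ifname=eth1' \
            'wifi_ipaddr=192.168.1.1' 'lan_ifnames=vlan0' > "$tmp"
    else
        printf '%s\n' 'lan_ifname="br0"' 'lan_ipaddr=192.168.1.1' 'wifi_ifname=""' \
            'wifi_ipaddr=""' 'lan_ifnames="vlan0 eth1 eth2"' > "$tmp"
    fi
    bridge_broken "$tmp" "$2"; rc=$?
    rm -f "$tmp"
    return $rc
}
```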