Linksys WRT54G setup with WiFi Dog instructions

  1. make sure you have the supported version of OpenWRT – get it here:
  2. plug an ethernet cable from your computer to the LAN1 port on the router
  3. plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection
  4. turn off your computer's wifi connection (to ensure that it only has 'net access through the new router)
  5. In a browser on your computer go to address 192.168.1.1 (this is the router's address)
  6. Login leaving username blank and using password admin
  7. Go to Wireless → Basic Wireless Settings and change the Wireless Network Name to wirelesstoronto. Change the channel as necessary – 1 is a good choice. Save settings.
  8. Go to Administration → Firmware Upgrade
  9. Upgrade the firmware using the openwrt image – DON'T INTERRUPT IT!
  10. Watch the DMZ light – it'll come on, then go off. When it goes off, connect to the router: http://192.168.1.1
  11. Click any link and you should be asked to set a password for the root account; use the standard WT router root password.
  12. Connect to 192.168.1.1 using an SSH client (Linux and Mac OS have SSH built in; on Windows try “Putty”:http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html): ssh root@192.168.1.1
  13. Update and download standard packages, then edit wifidog.conf:
    ipkg update
    ipkg install iptables-extra  kmod-iptables-extra libpthread libgcc
    ipkg install http://wirelesstoronto.ca/dist/wifidog_1.1.5-1_mipsel_whiterussian.ipk
    vi /etc/wifidog.conf
  14. Specify the GatewayID, as appropriate (this needs to be set on the auth server!).
  15. Uncomment the ExternalInterface line, and change the value to vlan1
  16. Change the value of the GatewayInterface line to br0
  17. Paste the appropriate chunk into the AuthServer section:
    1. for wifidog versions prior to 1.1.3:
      AuthServer {
      Hostname auth.wirelesstoronto.ca
      SSLAvailable yes
      Path /
      }
    2. for wifidog versions 1.1.3 and later:
      AuthServer {
      Hostname auth.wirelesstoronto.ca
      SSLPort 443
      Path /
      }
  18. Save the changes to wifidog.conf file (esc :wq)
  19. Set up ntpclient & timezone, then replace S99done:
    ipkg install ntpclient
    cd /etc/init.d
    wget http://wirelesstoronto.ca/dist/S55ntpclient
    chmod +x /etc/init.d/S55ntpclient
    /etc/init.d/S55ntpclient
    
    echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ
    
    cd /etc/init.d
    cp S99done S99done.real
    rm S99done
    mv S99done.real S99done
    vi /etc/init.d/S99done
  20. add this to /etc/init.d/S99done:
    # start crond
    /usr/sbin/crond -c /etc/crontabs
  21. set up the crontab and run cron:
    mkdir /etc/crontabs
    touch /etc/crontabs/root
    ln -sf /etc/crontabs/root /etc/crontab
    /usr/sbin/crond -c /etc/crontabs
    vi /etc/crontab
  22. add this to the end of /etc/crontab:
    0 * * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s
  23. restart crond, then install openvpn client:
    killall crond
    /usr/sbin/crond -c /etc/crontabs
    
    ipkg install openvpn
    mkdir /etc/openvpn
    cd /etc/openvpn
    wget http://wirelesstoronto.ca/dist/client.conf
    vi /etc/openvpn/client.conf
  24. replace NODEID with the real gateway id
  25. download CA cert:
    cd /etc/openvpn
    wget http://wirelesstoronto.ca/dist/ca.crt
  26. copy cert stuff from server (it'll prompt you for the password):
    scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client(NODEID).* .
  27. make the key private, then install auto-run script:
    chmod 600 client*.key
    
    cd /etc/init.d
    wget http://wirelesstoronto.ca/dist/S90openvpn
    chmod +x S90openvpn
    reboot
  28. Congratulations, you're done!
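Before the reboot in step 27 it is worth confirming that the wifidog.conf edits from steps 14 to 17 actually took. The script below is an added example, not part of the original instructions and not code from the wifidog project: a POSIX shell check that reads a wifidog.conf and reports any of those settings still at their shipped defaults. It assumes the stock wifidog.conf layout ("Key value" lines, '#' for comments), runs under busybox ash so it can be copied to the router, and the two sample configs it writes are constructed (the GatewayID value wt-node-example is a placeholder, not a real node id).

```shell
#!/bin/sh
# Added example, not from the Wireless Toronto instructions or from wifidog:
# check a wifidog.conf for the settings steps 14-17 require before rebooting.
# Assumes the stock wifidog.conf layout ("Key value" lines, '#' comments).
# Runs under POSIX sh / busybox ash, so it can be run on the router itself.

# conf_value FILE KEY: print the value of the first uncommented "KEY value" line
# (commented-out lines such as "# ExternalInterface eth0" are ignored).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# check_wifidog_conf FILE: return 0 if every required setting is in place,
# otherwise print each problem and return 1.
check_wifidog_conf() {
    f=$1
    rc=0
    gw=$(conf_value "$f" GatewayID)
    if [ -z "$gw" ] || [ "$gw" = default ]; then
        echo "GatewayID is not set (it must match the id registered on the auth server)"
        rc=1
    fi
    ext=$(conf_value "$f" ExternalInterface)
    if [ "$ext" != vlan1 ]; then
        echo "ExternalInterface is '${ext:-unset/commented out}', expected vlan1"
        rc=1
    fi
    gi=$(conf_value "$f" GatewayInterface)
    if [ "$gi" != br0 ]; then
        echo "GatewayInterface is '${gi:-unset}', expected br0"
        rc=1
    fi
    host=$(conf_value "$f" Hostname)
    if [ "$host" != auth.wirelesstoronto.ca ]; then
        echo "AuthServer Hostname is '${host:-unset}', expected auth.wirelesstoronto.ca"
        rc=1
    fi
    return $rc
}

# Constructed sample: the relevant lines of a wifidog.conf after the edits.
# "wt-node-example" is a placeholder GatewayID, not a real node id.
write_sample_conf() {
    cat <<'EOF'
GatewayID wt-node-example
ExternalInterface vlan1
GatewayInterface br0
AuthServer {
    Hostname auth.wirelesstoronto.ca
    SSLPort 443
    Path /
}
EOF
}

# Constructed sample: the same lines as shipped, i.e. steps 14-16 not done.
write_unedited_conf() {
    cat <<'EOF'
# GatewayID default
# ExternalInterface eth0
GatewayInterface eth1
AuthServer {
    Hostname auth.wirelesstoronto.ca
    SSLPort 443
    Path /
}
EOF
}

# On a router: check_wifidog_conf /etc/wifidog.conf
# Demo on the two constructed samples:
good=$(mktemp); bad=$(mktemp)
write_sample_conf > "$good"
write_unedited_conf > "$bad"
for f in "$good" "$bad"; do
    if check_wifidog_conf "$f"; then
        echo "$f: ok"
    else
        echo "$f: fix the settings above before rebooting"
    fi
done
rm -f "$good" "$bad"
```

On the router, run it as check_wifidog_conf /etc/wifidog.conf and only reboot when it prints nothing and returns 0; a GatewayID that does not match the auth server's record is the usual reason a node never shows its splash page.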

Notes on using the Motorola WR850

All instructions are the same, but use the correct OpenWRT package, of course.

By default, the router comes configured with the LAN IP address 192.168.10.1. Either change this to 192.168.1.1 before installing OpenWRT, or after installing OpenWRT, issue the additional commands:

nvram unset dhcp_start
nvram unset dhcp_end
nvram unset dhcp_dns
nvram commit

These variables confuse dnsmasq, and aren't required.

Other router-related stuff

Other resources

NYC Wireless have a good “walkthrough”:http://www.nycwireless.net/tiki-pagehistory.php?page=WifiDog&preview=39

Location of old (pre-whiterussian) openvpn packages

Upgrading OpenWRT to latest version

Perhaps refer to (newer?) instructions at:

  1. cd /tmp
  2. mtd -r write firmware.trx linux
  3. telnet to 192.168.1.1 and set password using 'passwd'. Telnet will be disabled and SSH enabled.

Setting up a WDS router

  1. don't install wifidog on WDS “leaf” (as opposed to trunk/branch) routers
  2. make sure channel & SSID are correct:
    nvram set wl_ssid=wirelesstoronto
    nvram set wl_channel=1
  3. do:
    nvram set wl0_lazywds=0
    nvram set wl0_wds=00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98
    nvram commit
  4. on the “client” router(s) only:
    rm /etc/init.d/S??dnsmasq
  5. reboot
  6. YOU MAY NEED TO ADD A STATIC ROUTE:
    nvram set static_route=0.0.0.0:0.0.0.0:192.168.1.1:1:br0
    nvram commit

making client certificate files on server:

  1. ssh to pwd.ca, login as “wireless”
    cd easy-rsa
    . ./vars
  2. (ignore the output)
    ./build-key client[NODEID]
  3. use defaults except for Common Name: client[NODEID]
  4. find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder – KEEP THESE PRIVATE
  5. to copy them to the router, issue these commands on the router:
    scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn
    scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn

(it'll prompt you for the wireless@pwd.ca password each time)

Might be especially bad on a WR850G.

mtd -r erase nvram

resetting nvram the preferred way

(From the OpenWRT FAQ.)

cd /tmp
wget http://downloads.openwrt.org/people/kaloz/nvram-clean.sh
chmod a+x /tmp/nvram-clean.sh
/tmp/nvram-clean.sh

(Having access issues with the original URL http://wirelesstoronto.ca/dist/nvram-clean.sh. PD, May 10, 2007)

The before and after sizes will show you how much space was recovered.

The nvram-clean.sh script does not commit the changes to NVRAM so you will have to do this manually with:

nvram commit

setting up a router as a plain-ol' bridge

telnet 192.168.1.1
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.1.10 
nvram set lan_gateway=192.168.1.1
nvram set lan_dns=192.168.1.1
nvram set wl_ssid=wirelesstoronto
nvram set wl_channel=1
rm /etc/init.d/S50dnsmasq
nvram commit
reboot

preventing wifi users from accessing the local LAN

add to the end of /etc/firewall.user:

### secure the LAN
iptables -A forwarding_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
iptables -A input_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP

where 192.168.17.0 is the wired LAN (the rules above use 172.18.92.0/24 as the wired subnet; substitute your own). Wifi users won't be able to ping 192.168.17.1, but their traffic will still flow through it.

separating wifi & wired networks ("breaking the bridge")

You'd want to do this if wifi users should have to authenticate to wifidog, but computers plugged into the ethernet ports should not.

The original config on the router is probably:

lan_ifname="br0"
lan_proto=static
lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0
wifi_ifname=""
wifi_proto=""
wifi_ipaddr=""
wifi_netmask=""
lan_ifnames="vlan0 eth1 eth2"

Run these commands:

nvram set lan_ifname=vlan0
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.2.1
nvram set lan_netmask=255.255.255.0
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=192.168.1.1
nvram set wifi_netmask=255.255.255.0
nvram set lan_ifnames=vlan0
nvram commit

Edit /etc/dnsmasq.conf, adding these lines:

dhcp-range=eth1,192.168.1.100,192.168.1.250,255.255.255.0,12h
dhcp-range=vlan0,192.168.2.100,192.168.2.250,255.255.255.0,12h

Edit /etc/wifidog.conf, and change “GatewayInterface” to eth1

Reboot

(Done!)
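The two sections above ("preventing wifi users from accessing the local LAN" and "breaking the bridge") can both be sanity-checked offline before touching the router. The script below is an added example, not part of this page and not OpenWRT or wifidog code: it checks that the wifi and wired interfaces and subnets handed to nvram and dnsmasq are distinct and non-overlapping, and it simulates the firewall.user DROP rules against a few packets to show that wifi-to-wired traffic is dropped while wifi-to-Internet forwarding is untouched. The subnets and rules are constructed to match the page's own examples, the rule "parser" only understands the exact "-A CHAIN -s NET -d NET -j TARGET" form used above, and "no rule matched" is treated as ACCEPT, meaning the rest of the OpenWRT firewall decides.

```shell
#!/bin/sh
# Added example, not from the Wireless Toronto instructions: offline checks for
# the two isolation steps above. (1) "breaking the bridge": the wifi and wired
# subnets handed to nvram and dnsmasq must be on different interfaces and must
# not overlap. (2) "secure the LAN": the DROP rules added to /etc/firewall.user
# must block wifi -> wired LAN while leaving wifi -> Internet forwarding alone.
# Subnet values are constructed to match the page's examples; nothing here
# touches nvram or iptables, and the rule "parser" only understands the exact
# "-A CHAIN -s NET -d NET -j TARGET" form used above.

# ip2int A.B.C.D: print the address as a 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/PREFIX: succeed if IP lies inside the CIDR block
in_subnet() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# subnets_overlap A/P B/Q: succeed if the two blocks share any address
# (for CIDR blocks this is the case exactly when one contains the other's base)
subnets_overlap() {
    in_subnet "${1%/*}" "$2" || in_subnet "${2%/*}" "$1"
}

# check_split WIFI_IF LAN_IF WIFI_NET LAN_NET: succeed if the split is sane,
# otherwise print the problem and fail
check_split() {
    if [ "$1" = "$2" ]; then
        echo "wifi_ifname and lan_ifname are both $1: the bridge is not broken"
        return 1
    fi
    if subnets_overlap "$3" "$4"; then
        echo "wifi subnet $3 overlaps wired subnet $4: the dnsmasq ranges would collide"
        return 1
    fi
    return 0
}

# Constructed rules, in the form the page adds to /etc/firewall.user.
WIFI_NET=192.168.1.0/24
WIRED_NET=172.18.92.0/24
FIREWALL_RULES="iptables -A forwarding_rule -s $WIFI_NET -d $WIRED_NET -j DROP
iptables -A input_rule -s $WIFI_NET -d $WIRED_NET -j DROP"

# verdict CHAIN SRC DST: print the target of the first rule in CHAIN matching a
# packet SRC -> DST, or ACCEPT when none does (the rest of the OpenWRT firewall
# then decides; for wifi -> WAN traffic that is the normal forward).
verdict() {
    chain=$1; src=$2; dst=$3
    hit=$(echo "$FIREWALL_RULES" | while read -r cmd aflag rchain sflag rsrc dflag rdst jflag target; do
        [ "$rchain" = "$chain" ] || continue
        if in_subnet "$src" "$rsrc" && in_subnet "$dst" "$rdst"; then
            echo "$target"
            break
        fi
    done)
    echo "${hit:-ACCEPT}"
}

# Demo with the page's layouts: wifi eth1 192.168.1.0/24 and wired vlan0 192.168.2.0/24
# for the bridge split; wifi 192.168.1.0/24 and wired 172.18.92.0/24 for the firewall.
check_split eth1 vlan0 192.168.1.0/24 192.168.2.0/24 && echo "bridge split: ok"
check_split eth1 eth1 192.168.1.0/24 192.168.2.0/24 || echo "bridge split: rejected as expected"
echo "wifi client pinging the wired router: $(verdict input_rule 192.168.1.50 172.18.92.1)"
echo "wifi client to a wired host:          $(verdict forwarding_rule 192.168.1.50 172.18.92.10)"
echo "wifi client to the Internet:          $(verdict forwarding_rule 192.168.1.50 8.8.8.8)"
echo "wired host to a wifi client:          $(verdict forwarding_rule 172.18.92.10 192.168.1.50)"
```

The last line of the demo shows the caveat in the rules as written: they are one-directional, so a host on the wired LAN can still open connections to wifi clients; only wifi-initiated traffic towards the wired subnet is dropped. If that is not what you want, add the mirror-image rules (wired source, wifi destination) in the same place in /etc/firewall.user.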