Linksys WRT54G setup with WiFi Dog instructions

  1. make sure you have the supported version of OpenWRT – get it here:
  2. plug an ethernet cable from your computer to the LAN1 port on the router
  3. plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection
  4. turn off your computer's wifi connection (to ensure that it only has 'net access through the new router)
  5. In a browser on your computer go to address (this is the router's address)
  6. Log in, leaving the username blank and using the password admin
  7. Go to Wireless → Basic Wireless Settings and change the Wireless Network Name to wirelesstoronto. Change the channel as necessary – 1 is a good choice. Save settings.
  8. Go to Administration → Firmware Upgrade
  9. Upgrade the firmware using the openwrt image – DON'T INTERRUPT IT!
  10. Watch the DMZ light – it'll come on, then go off. When it goes off, connect to the router:
  11. Click any link and you should be asked to set a password for the root account; use the standard WT router root password.
  12. Connect to using an SSH client (Linux and Mac OS have built-in SSH; on Windows try “PuTTY”): ssh root@
  13. Update and download standard packages, then edit wifidog.conf:
    ipkg update
    ipkg install iptables-extra  kmod-iptables-extra libpthread libgcc
    ipkg install
    vi /etc/wifidog.conf
  14. Specify the GatewayID, as appropriate (this needs to be set on the auth server!).
  15. Uncomment the ExternalInterface line, and change the value to vlan1
  16. Change the value of the GatewayInterface line to br0
  17. Paste the appropriate chunk into the AuthServer section:
    1. for wifidog versions prior to 1.1.3:
      AuthServer {
      SSLAvailable yes
      Path /
    2. for wifidog versions 1.1.3 and later:
      AuthServer {
      SSLPort 443
      Path /
  18. Save the changes to wifidog.conf file (esc :wq)
  19. Set up ntpclient & timezone, then replace S99done:
    ipkg install ntpclient
    cd /etc/init.d
    chmod +x /etc/init.d/S55ntpclient
    echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ
    cd /etc/init.d
    cp S99done S99done.real
    rm S99done
    mv S99done.real S99done
    vi /etc/init.d/S99done
  20. add this to /etc/init.d/S99done:
    # start crond
    /usr/sbin/crond -c /etc/crontabs
  21. set up the crontab and run cron:
    mkdir /etc/crontabs
    touch /etc/crontabs/root
    ln -sf /etc/crontabs/root /etc/crontab
    /usr/sbin/crond -c /etc/crontabs
    vi /etc/crontab
  22. add this to the end of /etc/crontab:
    0 * * * * /usr/sbin/ntpclient -l -h -i 5 -s
  23. restart crond, then install openvpn client:
    killall crond
    /usr/sbin/crond -c /etc/crontabs
    ipkg install openvpn
    mkdir /etc/openvpn
    cd /etc/openvpn
    vi /etc/openvpn/client.conf
  24. replace NODEID with the real gateway id
  25. download CA cert:
    cd /etc/openvpn
  26. copy cert stuff from server (it'll prompt you for the password):
    scp* .
  27. make the key private, then install auto-run script:
    chmod 600 client*.key
    cd /etc/init.d
    chmod +x S90openvpn
  28. Congratulations, you're done!
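
A sanity check for the wifidog.conf edits in steps 14 to 17, run before restarting wifidog. This is an added example, not part of the original instructions; the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page: verify the wifidog.conf edits.

# Print the value of the first uncommented "KEY value" line in FILE.
conf_value() {  # usage: conf_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { print $2; exit }' "$1"
}

# Succeed only if uncommented "{" and "}" counts match and a block exists.
braces_balanced() {  # usage: braces_balanced FILE
    awk '
        /^[ \t]*#/ { next }
        { o += gsub(/[{]/, "{"); c += gsub(/[}]/, "}") }
        END { exit !(o > 0 && o == c) }' "$1"
}

# Print one line per problem; return 0 only when the file matches the steps.
check_wifidog_conf() {  # usage: check_wifidog_conf FILE
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    ext=$(conf_value "$conf" ExternalInterface)
    gw=$(conf_value "$conf" GatewayInterface)
    id=$(conf_value "$conf" GatewayID)
    [ "$ext" = vlan1 ] || { echo "ExternalInterface is '${ext:-commented out}', expected vlan1"; rc=1; }
    [ "$gw" = br0 ] || { echo "GatewayInterface is '${gw:-commented out}', expected br0"; rc=1; }
    [ -n "$id" ] || { echo "GatewayID is not set"; rc=1; }
    braces_balanced "$conf" || { echo "unbalanced braces (unterminated AuthServer block?)"; rc=1; }
    return $rc
}

# Constructed sample with three mistakes: two directives still commented
# out and an AuthServer block with no closing brace.
sample=${TMPDIR:-/tmp}/wifidog.sample.$$
cat > "$sample" <<'EOF'
# GatewayID default
# ExternalInterface eth0
GatewayInterface br0
AuthServer {
    SSLPort 443
    Path /
EOF
check_wifidog_conf "$sample" || echo "fix the lines above before restarting wifidog"
rm -f "$sample"
```

On the router, call `check_wifidog_conf /etc/wifidog.conf` after step 18.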

Notes on using the Motorola WR850

All instructions are the same, but use the correct OpenWRT package, of course.

By default, the router comes configured with the LAN IP address Either change this to before installing OpenWRT, or after installing OpenWRT, issue the additional commands:

nvram unset dhcp_start
nvram unset dhcp_end
nvram unset dhcp_dns
nvram commit

These variables confuse dnsmasq, and aren't required.

Other router-related stuff

Other resources

Location of old (pre-whiterussian) openvpn packages

Upgrading OpenWRT to latest version

Perhaps refer to (newer?) instructions at:

  1. cd /tmp
  2. mtd -r write firmware.trx linux
  3. telnet to and set password using 'passwd'. Telnet will be disabled and SSH enabled.

Setting up a WDS router

  1. don't install wifidog on WDS “leaf” (as opposed to trunk/branch) routers
  2. make sure channel & SSID are correct:
    nvram set wl_ssid=wirelesstoronto
    nvram set wl_channel=1
  3. do:
    nvram set wl0_lazywds=0
    nvram set wl0_wds=00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98
    nvram commit
  4. on the “client” router(s) only:
    rm /etc/init.d/S??dnsmasq
  5. reboot
    nvram set static_route=
    nvram commit

making client certificate files on server:

  1. ssh to, login as “wireless”
    cd easy-rsa
    . ./vars
  2. (ignore the output)
    ./build-key client[NODEID]
  3. use defaults except for Common Name: client[NODEID]
  4. find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder – KEEP THESE PRIVATE
  5. to copy them to the router, issue these commands on the router:
    scp<NODEID>.crt /etc/openvpn
    scp<NODEID>.key /etc/openvpn

(it'll prompt you for the password each time)
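
A permission audit for the private keys, covering both the `chmod 600 client*.key` step on the router and the "KEEP THESE PRIVATE" note for the server's ./keys folder. This is an added example, not part of the original instructions; the function name, the demo directory and the NODEID 42 are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: find private keys that
# group or other users can access.

# Print each *.key file in DIR whose group/other permission bits are set.
# Returns 0 when every key is owner-only, 1 otherwise.
audit_key_perms() {  # usage: audit_key_perms DIR
    dir=$1; bad=0
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue            # glob matched nothing
        mode=$(ls -ld "$key" | cut -c1-10)   # e.g. -rw-r--r--
        # Characters 5-10 are the group and other bits; all must be "-".
        if [ "$(echo "$mode" | cut -c5-10)" != "------" ]; then
            echo "too open: $mode $key"
            bad=1
        fi
    done
    return $bad
}

# Constructed demo: a throwaway directory standing in for /etc/openvpn
# (router) or easy-rsa's ./keys (server). client42 is a made-up NODEID.
demo=${TMPDIR:-/tmp}/keyaudit.$$
mkdir -p "$demo"
: > "$demo/client42.key"; : > "$demo/client42.crt"
chmod 644 "$demo/client42.key" "$demo/client42.crt"
audit_key_perms "$demo" || echo "tighten the files listed above"
chmod 600 "$demo"/client*.key    # same fix as step 27 of the setup
audit_key_perms "$demo" && echo "all private keys are owner-only"
rm -rf "$demo"
```

Only `*.key` files are checked, so world-readable `.crt` files are not reported.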

Might be especially bad on a WR850G.

mtd -r erase nvram

resetting nvram the preferred way

(From the OpenWRT FAQ.)

cd /tmp
(having access issues with the original URL PD, May 10, 2007)
chmod a+x /tmp/

The before and after sizes will show you how much space was recovered.

The script does not commit the changes to NVRAM so you will have to do this manually with:

nvram commit

setting up a router as a plain-ol' bridge

nvram set lan_proto=static
nvram set lan_ipaddr= 
nvram set lan_gateway=
nvram set lan_dns=
nvram set wl_ssid=wirelesstoronto
nvram set wl_channel=1
rm /etc/init.d/S50dnsmasq
nvram commit

preventing wifi users from accessing the local LAN

add to the end of /etc/firewall.user:

### secure the LAN
iptables -A forwarding_rule -s -d -j DROP
iptables -A input_rule -s -d -j DROP

where is the wired LAN. You won't be able to ping, but traffic will still flow through it.

separating wifi & wired networks ("breaking the bridge")

You'd want to do this if you want wifi users to authenticate to wifidog, but don't want computers plugged into the ethernet ports to have to authenticate.

The original config on the router is probably:

lan_ifnames="vlan0 eth1 eth2"

Run these commands:

nvram set lan_ifname=vlan0
nvram set lan_proto=static
nvram set lan_ipaddr=
nvram set lan_netmask=
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=
nvram set wifi_netmask=
nvram set lan_ifnames=vlan0
nvram commit

Edit /etc/dnsmasq.conf, adding these lines:


Edit /etc/wifidog.conf, and change “GatewayInterface” to eth1



router_setup_instructions.txt · Last modified: 2013/09/28 17:06 (external edit)