This shows you the differences between two versions of the page.

router_setup_instructions [2010/03/04 08:09] cherryvongreen
router_setup_instructions [2013/09/28 16:06]

The 2013/09/28 revision removed the whole page; what follows is the content of the 2010/03/04 revision.

====== Linksys WRT54G setup with WiFi Dog instructions ======

  - make sure you have the supported version of OpenWRT (WhiteRussian rc6) -- get the image for your hardware here:
    * Linksys WRT54G (up to and including v4) & WRT54GL: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g-squashfs.bin
    * Motorola WR850G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wr850g-squashfs.bin
    * Linksys WRT54GS (up to and including v3): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin
    * Linksys WRT54GS (v4): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs_v4-squashfs.bin
    * Linksys WRT54G3G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g3g-squashfs.bin
    * Linksys WRTSL54GS: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrtsl54gs-squashfs.bin
  - plug an ethernet cable from your computer to the LAN1 port on the router
  - plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection
  - turn off your computer's wifi connection (to ensure that it only has 'net access through the new router)
  - In a browser on your computer go to address 192.168.1.1 (this is the router's address)
  - Login leaving username blank and using password **admin** (the Linksys factory default)
  - Go to Wireless -> Basic Wireless Settings and change the Wireless Network Name to **wirelesstoronto**. Change the channel as necessary -- **1** is a good choice. Save settings.
  - Go to Administration -> Firmware Upgrade
  - Upgrade the firmware using the OpenWRT image -- DON'T INTERRUPT IT! (interrupting the flash can leave the router unbootable)
  - Watch the DMZ light -- it'll come on, then go off. When it goes off, connect to the router: http://192.168.1.1
  - Click any link and you should be asked to set a password for the root account; use the standard WT (Wireless Toronto) router root password.
  - Connect to 192.168.1.1 using an SSH client (Linux and Mac OS have SSH built in; on Windows try [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|PuTTY]]): ssh root@192.168.1.1
  - Update the package list, install the packages wifidog depends on, install wifidog itself, then edit wifidog.conf (ipkg fetches all of these over plain HTTP with no signature check, so do this from a network connection you trust): <code>
ipkg update
ipkg install iptables-extra kmod-iptables-extra libpthread libgcc
ipkg install http://wirelesstoronto.ca/dist/wifidog_1.1.5-1_mipsel_whiterussian.ipk
vi /etc/wifidog.conf
</code>
  - Specify the GatewayID, as appropriate (it must match the node ID registered on the auth server!).
  - Uncomment the ExternalInterface line, and change the value to vlan1 (the WAN port on these routers)
  - Change the value of the GatewayInterface line to br0 (the bridge of the LAN ports and the wireless interface, i.e. where the clients are)
  - Paste the appropriate chunk into the AuthServer section:
    - for wifidog versions prior to 1.1.3:<code>
AuthServer {
    Hostname auth.wirelesstoronto.ca
    SSLAvailable yes
    Path /
}
</code>
    - for wifidog versions 1.1.3 and later (the package installed above is 1.1.5, so this is the one to use):<code>
AuthServer {
    Hostname auth.wirelesstoronto.ca
    SSLPort 443
    Path /
}
</code>
  - Save the changes to wifidog.conf (esc **:wq**)
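The wifidog.conf edits above (GatewayID, ExternalInterface, GatewayInterface, AuthServer block) can be applied and then checked in one go rather than by hand in vi. The script below is an added example and is not part of the original page or of the wifidog project; it assumes the stock wifidog.conf layout (one "Key value" per line, "#" comments, an "AuthServer { ... }" block), writes the 1.1.3-and-later AuthServer form, and the sample template at the bottom is constructed for the demo, not a real config file. It runs on the router's busybox sh as well as on a workstation.

```shell
#!/bin/sh
# Added example (not from the Wireless Toronto page): apply the wifidog.conf
# edits from the setup steps and verify the result before starting wifidog.
# Assumptions: stock wifidog.conf layout; Wireless Toronto auth server values
# from the steps; sample_wifidog_conf() below is a constructed template.

# configure_wifidog <wifidog.conf> <gateway-id>
configure_wifidog() {
    conf=$1; gwid=$2; tmp="$conf.tmp"
    awk -v gw="$gwid" '
        # the three scalar settings: match the line whether it is still
        # commented out or already set; print the first occurrence with the
        # new value and drop any later duplicate, so each key ends up once
        /^[ #]*GatewayID /         { if (!g++) print "GatewayID " gw;            next }
        /^[ #]*ExternalInterface / { if (!e++) print "ExternalInterface vlan1"; next }
        /^[ #]*GatewayInterface /  { if (!i++) print "GatewayInterface br0";    next }
        # drop any active (uncommented) AuthServer block; a fresh one is appended
        /^ *AuthServer *\{/        { inblock = 1; next }
        inblock && /^ *\}/         { inblock = 0; next }
        inblock                    { next }
        { print }
        END {
            print "AuthServer {"
            print "    Hostname auth.wirelesstoronto.ca"
            print "    SSLPort 443"
            print "    Path /"
            print "}"
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# check_wifidog <wifidog.conf> <gateway-id>: 0 if every setting the steps
# require is present exactly once; otherwise reports what is wrong and returns 1
check_wifidog() {
    conf=$1; gwid=$2; rc=0
    for want in "GatewayID $gwid" "ExternalInterface vlan1" "GatewayInterface br0" \
                "Hostname auth.wirelesstoronto.ca" "SSLPort 443"; do
        n=$(grep -c "^ *$want\$" "$conf" || true)
        [ "$n" -eq 1 ] || { echo "expected one line '$want', found $n" >&2; rc=1; }
    done
    return $rc
}

# constructed sample in the stock layout (not a real wifidog.conf)
sample_wifidog_conf() {
    cat <<'EOF'
# Parameter: GatewayID
# GatewayID default
# ExternalInterface eth0
GatewayInterface eth1
AuthServer {
    Hostname auth.example.org
    SSLAvailable yes
    Path /
}
EOF
}

# demo: build the sample, configure it for node 42, then check it
demo=$(mktemp)
sample_wifidog_conf > "$demo"
configure_wifidog "$demo" 42
check_wifidog "$demo" 42 && echo "wifidog.conf for node 42 is consistent"
cat "$demo"
rm -f "$demo"
```

On the router, run `configure_wifidog /etc/wifidog.conf <your GatewayID>` followed by `check_wifidog` with the same id; a non-zero exit from the check means a key is missing or duplicated and wifidog should not be started until it is fixed.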
  - Set up ntpclient & timezone, then replace S99done (on WhiteRussian, /etc/init.d/S99done is a symlink into the read-only /rom filesystem; copying it and moving the copy back turns it into a regular file you can edit):<code>
ipkg install ntpclient
cd /etc/init.d
wget http://wirelesstoronto.ca/dist/S55ntpclient
chmod +x /etc/init.d/S55ntpclient
/etc/init.d/S55ntpclient

echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ

cd /etc/init.d
cp S99done S99done.real
rm S99done
mv S99done.real S99done
vi /etc/init.d/S99done
</code>
  - add this to /etc/init.d/S99done:<code>
# start crond
/usr/sbin/crond -c /etc/crontabs
</code>
  - set up the crontab and run cron:<code>
mkdir /etc/crontabs
touch /etc/crontabs/root
ln -sf /etc/crontabs/root /etc/crontab
/usr/sbin/crond -c /etc/crontabs
vi /etc/crontab
</code>
  - add this to the end of /etc/crontab (re-syncs the clock every hour; OpenVPN needs a roughly correct clock to judge certificate validity dates):<code>
0 * * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s
</code>
  - restart crond, then install the openvpn client:<code>
killall crond
/usr/sbin/crond -c /etc/crontabs

ipkg install openvpn
mkdir /etc/openvpn
cd /etc/openvpn
wget http://wirelesstoronto.ca/dist/client.conf
vi /etc/openvpn/client.conf
</code>
  - replace NODEID with the real gateway id (the same id you used as GatewayID in wifidog.conf)
  - download the CA cert (this comes over plain HTTP and is what the node uses to decide which VPN server to trust, so compare its fingerprint with the one the server admins give you over another channel before relying on it):<code>
cd /etc/openvpn
wget http://wirelesstoronto.ca/dist/ca.crt
</code>
  - copy the cert and key from the server (it'll prompt you for the password; replace NODEID with the gateway id):<code>
scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client<NODEID>.* .
</code>
  - make the key private (readable by root only), then install the auto-run script and reboot:<code>
chmod 600 client*.key

cd /etc/init.d
wget http://wirelesstoronto.ca/dist/S90openvpn
chmod +x S90openvpn
reboot
</code>
  - Congratulations, you're done!

===== Notes on using the Motorola WR850 =====
All instructions are the same, but use the correct OpenWRT image, of course.

By default, the router comes configured with the LAN IP address 192.168.10.1. Either change this to 192.168.1.1 before installing OpenWRT, or after installing OpenWRT, issue these additional commands:
<code>
nvram unset dhcp_start
nvram unset dhcp_end
nvram unset dhcp_dns
nvram commit
</code>

These variables confuse dnsmasq, and aren't required.


====== Other router-related stuff ======

===== Other resources =====

NYC Wireless have a good [[http://www.nycwireless.net/tiki-pagehistory.php?page=WifiDog&preview=39|walkthrough]]


===== Location of old (pre-whiterussian) openvpn packages =====
  - http://packages.milkfish.org/boozy/5.5.5/all_packages/libssl_0.9.7d-1_mipsel.ipk
  - http://212.222.128.68/sven-ola/ipkg/liblzo_1.08_mipsel.ipk
  - http://wrt54g.free.fr/openwrt/b4/ipkg/openvpn_2.0test19_mipsel.ipk


===== Upgrading OpenWRT to latest version =====

Perhaps refer to (newer?) instructions at:
  * http://wiki.openwrt.org/OpenWrtDocs/Installing#head-4f88301b6db87e0ff6c54cb4e65102e7aae8f6d9
  * http://wiki.openwrt.org/OpenWrtDocs/Deinstalling

  - download the image into /tmp (RAM) and write it to the firmware partition; the -r makes mtd reboot once the write has finished:<code>
cd /tmp
wget http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-brcm-2.4-squashfs.trx
mtd -r write openwrt-brcm-2.4-squashfs.trx linux
</code>
  - telnet to 192.168.1.1 and set the root password using 'passwd'. Telnet will be disabled and SSH enabled.
- | |||
===== Setting up a WDS router =====

  - don't install wifidog on WDS "leaf" (as opposed to trunk/branch) routers
  - make sure channel & SSID are correct:<code>
nvram set wl_ssid=wirelesstoronto
nvram set wl_channel=1
</code>
  - turn off lazy WDS and list the wireless MAC addresses of the WDS peers (quote the list, otherwise nvram only takes the first address; substitute your own peers' MACs):<code>
nvram set wl0_lazywds=0
nvram set wl0_wds="00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98"
nvram commit
</code>
  - on the "client" router(s) only (they get DHCP and DNS from the trunk router, so they must not run their own dnsmasq):<code>
rm /etc/init.d/S??dnsmasq
</code>
  - <code>reboot</code>
  - **YOU MAY NEED TO ADD A STATIC ROUTE** (a default route through the trunk router, via the bridge):<code>
nvram set static_route=0.0.0.0:0.0.0.0:192.168.1.1:1:br0
nvram commit
</code>

- | |||
===== making client certificate files on server: =====

  - ssh to pwd.ca, login as "wireless", then load the easy-rsa variables:<code>
cd easy-rsa
. ./vars
</code>
  - (ignore the output)<code>
./build-key client<NODEID>
</code>
  - use defaults except for Common Name: **client<NODEID>**
  - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE (the key is the node's VPN identity; anyone holding it can connect to the VPN as that node)
  - to copy them to the router, issue these commands on the router, then chmod 600 the .key file as in the main instructions:<code>
scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn
scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn
</code>
(it'll prompt you for the wireless@pwd.ca password each time)
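Both the main instructions and the section above end with the node's cert and key sitting in /etc/openvpn; the script below checks, before the reboot, that the material is complete, that the key is readable by root only, and (on a workstation with openssl) that the cert really is the one built for this node. It is an added example, not part of the original page or of the OpenVPN or easy-rsa projects. It assumes the /etc/openvpn/{ca.crt,client<NODEID>.crt,client<NODEID>.key} layout and the client<NODEID> Common Name convention from the steps above; the files created in the demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the Wireless Toronto page): sanity-check the node's
# OpenVPN client material after it has been copied into place.
# Assumptions: file layout and CN convention from the instructions above;
# openssl is present on the admin workstation (the router may not have it);
# the demo at the bottom uses constructed placeholder files.

# key_mode_ok <file>: 0 if the file is readable and writable by its owner only
# (what "chmod 600" produces); parses ls -l so it works on busybox without stat
key_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# lock_keys <dir>: chmod 600 every *.key whose mode is too open and print each
# file that had to be fixed, so a non-empty result after setup means the
# chmod step in the instructions was skipped
lock_keys() {
    for k in "$1"/*.key; do
        [ -f "$k" ] || continue
        key_mode_ok "$k" && continue
        chmod 600 "$k" && echo "$k"
    done
}

# node_material_ok <dir> <nodeid>: 0 if ca.crt, client<NODEID>.crt and
# client<NODEID>.key are all present and the key is locked down
node_material_ok() {
    dir=$1; id=$2
    [ -f "$dir/ca.crt" ] && [ -f "$dir/client$id.crt" ] && \
    [ -f "$dir/client$id.key" ] && key_mode_ok "$dir/client$id.key"
}

# cert_matches_node <dir> <nodeid>: workstation check (needs openssl): the
# cert's CN is exactly client<NODEID> and it verifies against ca.crt, i.e. it
# is the cert built on the server for this node and not another node's
cert_matches_node() {
    dir=$1; id=$2
    command -v openssl >/dev/null || { echo "openssl not available, skipping" >&2; return 2; }
    subj=$(openssl x509 -noout -subject -in "$dir/client$id.crt") || return 1
    case $subj in
        *"CN = client$id"|*"CN = client$id,"*|*"CN=client$id"|*"CN=client$id/"*) ;;
        *) echo "CN mismatch: $subj" >&2; return 1 ;;
    esac
    openssl verify -CAfile "$dir/ca.crt" "$dir/client$id.crt" >/dev/null
}

# demo with constructed placeholder files: the mode checks are real, but the
# files are not certificates, so cert_matches_node is not run here
d=$(mktemp -d)
touch "$d/ca.crt" "$d/client42.crt" "$d/client42.key"
chmod 644 "$d/client42.key"            # a too-open mode, as a copy may arrive
node_material_ok "$d" 42 || echo "before: key is readable by everyone on the box"
lock_keys "$d"                         # prints the key it had to fix
node_material_ok "$d" 42 && echo "after: node 42 material is in place and private"
rm -rf "$d"
```

On a real node run `node_material_ok /etc/openvpn <NODEID>` on the router and `cert_matches_node` against a copy of the directory on the workstation; only when both pass is the S90openvpn script worth installing.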

===== resetting nvram the harsh not-recommended way =====

Might be especially bad on a WR850G.

<code>
mtd -r erase nvram
</code>




===== resetting nvram the preferred way =====

(From the OpenWRT FAQ.)

<code>
cd /tmp
wget http://downloads.openwrt.org/people/kaloz/nvram-clean.sh
chmod a+x /tmp/nvram-clean.sh
/tmp/nvram-clean.sh
</code>

(having access issues with the original URL http://wirelesstoronto.ca/dist/nvram-clean.sh PD, May 10, 2007)

The before and after sizes will show you how much space was recovered.

The nvram-clean.sh script does not commit the changes to NVRAM so you will have to do this manually with:

<code>nvram commit</code>
- | |||
===== setting up a router as a plain-ol' bridge =====

(give it a static address on the existing LAN, point it at the main router for gateway and DNS, and stop it running its own DHCP/DNS server)
<code>
telnet 192.168.1.1
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.1.10
nvram set lan_gateway=192.168.1.1
nvram set lan_dns=192.168.1.1
nvram set wl_ssid=wirelesstoronto
nvram set wl_channel=1
rm /etc/init.d/S50dnsmasq
nvram commit
reboot
</code>

===== preventing wifi users from accessing the local LAN =====

add to the end of /etc/firewall.user:

<code>
### secure the LAN
iptables -A forwarding_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
iptables -A input_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
</code>

where 172.18.92.0/24 is the wired LAN on the WAN side of the router and 192.168.1.0/24 is the hotspot's own network (substitute your own subnets in both rules). Wifi users won't be able to ping the wired LAN's gateway, but their Internet traffic will still flow through it. Note that these rules match on source address only: a wifi client that gives itself a static address outside 192.168.1.0/24 is not matched by them, so matching on the interface the packet came in on (br0) instead is the safer form.
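The two forms of the rule, the source-subnet one from the page and an interface-based one, side by side, with a small check that shows why the first does not cover a client with a self-assigned address. This is an added example, not from the original page or from the OpenWRT project; it assumes the clients sit on the br0 bridge (the GatewayInterface from the wifidog setup), that forwarding_rule and input_rule are the chains /etc/firewall.user provides on WhiteRussian, and it reuses the addresses from the rules above as demo values.

```shell
#!/bin/sh
# Added example (not from the Wireless Toronto page): generate the
# firewall.user fragment that keeps hotspot clients off the wired LAN.
#   weak   - the rules above: match on the hotspot's source subnet
#   strict - match on the interface the packet came in on, which a client
#            cannot choose, so a self-assigned address does not bypass it
# Assumptions: clients on br0; forwarding_rule/input_rule chains from
# WhiteRussian's firewall.user; demo addresses are the ones from the page.

WIFI_IF=br0

# lan_guard_rules <hotspot-subnet> <wired-lan-subnet> <weak|strict>
lan_guard_rules() {
    hotspot=$1; lan=$2; mode=$3
    echo "### secure the LAN"
    case $mode in
        weak)
            echo "iptables -A forwarding_rule -s $hotspot -d $lan -j DROP"
            echo "iptables -A input_rule -s $hotspot -d $lan -j DROP"
            ;;
        strict)
            # whatever source address the packet claims, if it arrived on the
            # client bridge and is headed for the wired LAN it is dropped
            echo "iptables -A forwarding_rule -i $WIFI_IF -d $lan -j DROP"
            echo "iptables -A input_rule -i $WIFI_IF -d $lan -j DROP"
            ;;
        *)
            echo "lan_guard_rules: mode must be weak or strict" >&2; return 1
            ;;
    esac
}

# ip_to_int a.b.c.d -> the address as a 32-bit integer
ip_to_int() {
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet <ip> <net/prefix>: 0 if ip lies inside the subnet
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# weak_rule_matches <client-ip> <hotspot-subnet>: 0 if the source-based DROP
# rule would match a packet from this client; a client outside the subnet gets
# through it, which is the case the strict form closes
weak_rule_matches() {
    in_subnet "$1" "$2"
}

# demo: emit both variants, then show a static-IP client slipping past the weak one
lan_guard_rules 192.168.1.0/24 172.18.92.0/24 weak
lan_guard_rules 192.168.1.0/24 172.18.92.0/24 strict
for client in 192.168.1.77 10.0.0.5; do
    if weak_rule_matches "$client" 192.168.1.0/24; then
        echo "$client: blocked by the source-subnet rule"
    else
        echo "$client: NOT matched by the source-subnet rule (only the interface rule catches it)"
    fi
done
```

Paste the output of the strict variant into /etc/firewall.user in place of the two rules above; the interface match costs nothing extra and removes the need to get the hotspot subnet right in the rule at all.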