Differences

This shows you the differences between two versions of the page.

--- router_setup_instructions [2011/04/26 15:16]
gabe
+++ router_setup_instructions [2013/09/28 16:06]
@@ Line 1: / Line 1: @@
-====== Linksys WRT54G setup with WiFi Dog instructions ======
-  - make sure you have the supported version of OpenWRT -- get it here:
-    * Linksys WRT54G (up to and including v4) & WRT54GL: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g-squashfs.bin
-    * Motorola WR850G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wr850g-squashfs.bin
-    * Linksys WRT54GS (up to and including v3): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs-squashfs.bin
-    * Linksys WRT54GS (v4): http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54gs_v4-squashfs.bin
-    * Linksys WRT54G3G: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrt54g3g-squashfs.bin
-    * Linksys WRTSL54GS: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-wrtsl54gs-squashfs.bin
-  - plug an ethernet cable from your computer to the LAN1 port on the router
-  - plug an ethernet cable from the router's WAN port to a DHCP-enabled Internet connection
-  - turn off your computer's wifi connection (to ensure that it only has 'net access through the new router)
-  - In a browser on your computer go to address 192.168.1.1 (this is the router's address)
-  - Login leaving username blank and using password **admin**
-  - Go to Wireless -> Basic Wireless Settings and change the Wireless Network Name to **wirelesstoronto**.  Change the channel as necessary -- **1** is a good choice.  Save settings.
-  - Go to Administration -> Firmware Upgrade
-  - Upgrade the firmware using the openwrt image -- DON'T INTERRUPT IT!
-  - Watch the DMZ light -- it'll come on, then go off.  when it goes off, connect to the router: http://192.168.1.1
-  - Click any link and you should be asked to set a password for the root account; use the standard WT router root password.
-  - Connect to 192.168.1.1 using an SSH client (Linux and Mas OS have built in SSH, on Windows try "Putty":http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html): ssh root@192.168.1.1
-  - Update and download standard packages, then edit wifidog.conf: <code>
-ipkg update
-ipkg install iptables-extra  kmod-iptables-extra libpthread libgcc
-ipkg install http://wirelesstoronto.ca/dist/wifidog_1.1.5-1_mipsel_whiterussian.ipk
-vi /etc/wifidog.conf
-</code>
-  - Specify the GatewayID, as appropriate (this needs to be set on the auth server!).
-  - Uncomment the ExternalInterface line, and change the value to vlan1
-  - Change the value of the GatewayInterface line to br0
-  - Paste the appropriate chunk into the AuthServer section:
-    - for wifidog versions prior to 1.1.3:<code>
-AuthServer {
-Hostname auth.wirelesstoronto.ca
-SSLAvailable yes
-Path /
-}
-</code>
-    - for wifidog versions 1.1.3 and later:<code>
-AuthServer {
-Hostname auth.wirelesstoronto.ca
-SSLPort 443
-Path /
-}
-</code>
-  - Save the changes to wifidog.conf file (esc **:wq**)
-  - Set up ntpclient & timezone, then replace S99done:<code>
-ipkg install ntpclient
-cd /etc/init.d
-wget http://wirelesstoronto.ca/dist/S55ntpclient
-chmod +x /etc/init.d/S55ntpclient
-/etc/init.d/S55ntpclient
-echo EST5EDT,M3.2.0/02:00,M11.1.0/02:00 > /etc/TZ
-cd /etc/init.d
-cp S99done S99done.real
-rm S99done
-mv S99done.real S99done
-vi /etc/init.d/S99done
-</code>
-  - add this to /etc/init.d/S99done:<code>
-# start crond
-/usr/sbin/crond -c /etc/crontabs
-</code>
-  - set up the crontab and run cron:<code>
-mkdir /etc/crontabs
-touch /etc/crontabs/root
-ln -sf /etc/crontabs/root /etc/crontab
-/usr/sbin/crond -c /etc/crontabs
-vi /etc/crontab
-</code>
-  - add this to the end of /etc/crontab:<code>
-* * * * /usr/sbin/ntpclient -l -h pool.ntp.org -i 5 -s
-</code>
-  - restart crond, then install openvpn client:<code>
-killall crond
-/usr/sbin/crond -c /etc/crontabs
-ipkg install openvpn
-mkdir /etc/openvpn
-cd /etc/openvpn
-wget http://wirelesstoronto.ca/dist/client.conf
-vi /etc/openvpn/client.conf
-</code>
-  - replace NODEID with the real gateway id
-  - download CA cert:<code>
-cd /etc/openvpn
-wget http://wirelesstoronto.ca/dist/ca.crt
-</code>
-  - copy cert stuff from server (it'll prompt you for the password):<code>
-scp wireless@openvpn.wirelesstoronto.ca:easy-rsa/keys/client(NODEID).* .
-</code>
-  - make the key private, then install auto-run script:<code>
-chmod 600 client*.key
-cd /etc/init.d
-wget http://wirelesstoronto.ca/dist/S90openvpn
-chmod +x S90openvpn
-reboot
-</code>
-  - Congratulations, you're done!
-===== Notes on using the Motorola WR850 =====
-All instructions are the same, but use the correct OpenWRT package, of course.
-By default, the router comes configured with the LAN IP address 192.168.10.1.  Either change this to 192.168.1.1 before installing OpenWRT, or after installing OpenWRT, issue the additional commands:
-<code>
-nvram unset dhcp_start
-nvram unset dhcp_end
-nvram unset dhcp_dns
-nvram commit
-</code>
-These variables confuse dnsmasq, and aren't required.
-====== Other router-related stuff ======
-===== Other resources =====
-NYC Wireless have a good "walkthrough":http://www.nycwireless.net/tiki-pagehistory.php?page=WifiDog&preview=39
-===== Location of old (pre-whiterussian) openvpn packages =====
-  - http://packages.milkfish.org/boozy/5.5.5/all_packages/libssl_0.9.7d-1_mipsel.ipk
-  - http://212.222.128.68/sven-ola/ipkg/liblzo_1.08_mipsel.ipk
-  - http://wrt54g.free.fr/openwrt/b4/ipkg/openvpn_2.0test19_mipsel.ipk
-===== Upgrading OpenWRT to latest version =====
-Perhaps refer to (newer?) instructions at:
-  * http://wiki.openwrt.org/OpenWrtDocs/Installing#head-4f88301b6db87e0ff6c54cb4e65102e7aae8f6d9
-  * http://wiki.openwrt.org/OpenWrtDocs/Deinstalling
-  - cd /tmp
-  - wget http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-brcm-2.4-squashfs.trx
-  - mtd -r write firmware.trx linux
-  - telnet to 192.168.1.1 and set password using 'passwd'. Telnet will be disabled and SSH enabled.
-===== Setting up a WDS router =====
-  - don't install wifidog on WDS "leaf" (as opposed to trunk/branch) routers
-  - make sure channel & SSID are correct:<code>
-nvram set wl_ssid=wirelesstoronto
-nvram set wl_channel=1
-</code>
-  - do:<code>
-nvram set wl0_lazywds=0
-nvram set wl0_wds=00:13:10:44:3b:50 00:13:10:3d:65:59 00:13:10:2d:a9:98
-nvram commit
-</code>
-  - on the "client" router(s) only:<code>
-rm /etc/init.d/S??dnsmasq
-</code>
-  - <code>reboot</code>
-  - **YOU MAY NEED TO ADD A STATIC ROUTE:**<code>
-nvram set static_route=0.0.0.0:0.0.0.0:192.168.1.1:1:br0
-nvram commit
-</code>
-===== making client certificate files on server: =====
-  - ssh to pwd.ca, login as "wireless"<code>
-cd easy-rsa
-. ./vars
-</code>
-  - (ignore the output)<code>
-./build-key client[NODEID]
-</code>
-  - use defaults except for Common Name: **client[NODEID]**
-  - find the client<NODEID>.crt and client<NODEID>.key files in the ./keys folder -- KEEP THESE PRIVATE
-  - to copy them to the router, issue these commands on the router:<code>
-scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.crt /etc/openvpn
-scp wireless@pwd.ca:easy-rsa/keys/client<NODEID>.key /etc/openvpn
-</code>
-(it'll prompt you for the wireless@pwd.ca password each time)
-===== resetting nvram the harsh not-recommended way =====
-Might be especially bad on a WR850G.
-<code>
-mtd -r erase nvram
-</code>
-===== resetting nvram the preferred way =====
-(From the OpenWRT FAQ.)
-<code>
-cd /tmp
-wget http://downloads.openwrt.org/people/kaloz/nvram-clean.sh
-(having access issues with the original URL http://wirelesstoronto.ca/dist/nvram-clean.sh PD, May 10, 2007)
-chmod a+x /tmp/nvram-clean.sh
-/tmp/nvram-clean.sh
-</code>
-The before and after sizes will show you how much space was recovered.
-The nvram-clean.sh script does not commit the changes to NVRAM so you will have to do this manually with:
-<code>nvram commit</code>
-===== setting up a router as a plain-ol' bridge =====
-<code>
-telnet 192.168.1.1
-nvram set lan_proto=static
-nvram set lan_ipaddr=192.168.1.10
-nvram set lan_gateway=192.168.1.1
-nvram set lan_dns=192.168.1.1
-nvram set wl_ssid=wirelesstoronto
-nvram set wl_channel=1
-rm /etc/init.d/S50dnsmasq
-nvram commit
-reboot
-</code>
-===== preventing wifi users from accessing the local LAN =====
-add to the end of /etc/firewall.user:
-<code>
-### secure the LAN
-iptables -A forwarding_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
-iptables -A input_rule -s 192.168.1.0/24 -d 172.18.92.0/24 -j DROP
-</code>
-where 192.168.17.0 is the wired LAN.  you won't be able to ping 192.168.17.1, but traffic will still flow through it
-===== separating wifi & wired networks ("breaking the bridge") =====
-You'd want to do this if you want wifi users to authenticate to wifidog, but for computers plugged into the ethernet ports to not have to authenticate.
-The original config on the router is probably:<code>
-lan_ifname="br0"
-lan_proto=static
-lan_ipaddr=192.168.1.1
-lan_netmask=255.255.255.0
-wifi_ifname=""
-wifi_proto=""
-wifi_ipaddr=""
-wifi_netmask=""
-lan_ifnames="vlan0 eth1 eth2"
-</code>
-Run these commands:<code>
-nvram set lan_ifname=vlan0
-nvram set lan_proto=static
-nvram set lan_ipaddr=192.168.2.1
-nvram set lan_netmask=255.255.255.0
-nvram set wifi_ifname=eth1
-nvram set wifi_proto=static
-nvram set wifi_ipaddr=192.168.1.1
-nvram set wifi_netmask=255.255.255.0
-nvram set lan_ifnames=vlan0
-nvram commit
-</code>
-Edit /etc/dnsmasq.conf, adding these lines:<code>
-dhcp-range=eth1,192.168.1.100,192.168.2.250,255.255.255.0,12h
-dhcp-range=vlan0,192.168.2.100,192.168.2.250,255.255.255.0,12h
-</code>
-Edit /etc/wifidog.conf, and change "GatewayInterface" to eth1
-Reboot
-(Done!)

Wireless Toronto

User Tools

Site Tools

Differences

Page Tools