wifivpn/Documentation

This project aims to add VPN functionality to the Linksys WRT54G wireless router.

You might have already heard that WEP doesn't provide much security and it usually requires the same static keys to be used by every WLAN user. My proposed solution to these deficiencies is to require the use of state of the art VPN software for every WLAN user -- OpenVPN seems to be the best option, mostly because of its easy configuration for multiple clients.

Setting Up the Build System

Before you can start, you have to download the packages referenced in ~/src/wrt54g/setup-source.sh and put them into a local download directory (see DL="${HOME}/download" at the beginning of the script).

The next step sets up the WRT54G source tree with the updated source code:

cd ~/WRT54G_3_01_3_0922
~/src/wrt54g/setup-source.sh

Now you should symlink /opt/brcm to your new WRT54G source tree and start the build of your WRT54G cross-compiling environment (gcc, binutils and uClibc):

ln -s ~/WRT54G_3_01_3_0922/tools/brcm /opt/brcm
cd tools-src
./build_tools.sh

Finally, you have to add your WRT54G cross-compiler to your PATH:

PATH=$PATH:/opt/brcm/hndtools-mipsel-uclibc/bin

Building the Firmware

Once your build system is properly set up, you can start the build with a simple make and wait for the result to show up in ~/WRT54G_3_01_3_0922/release/image:

cd ~/WRT54G_3_01_3_0922/release/src
make

Configuration Options

In addition to the standard NVRAM configuration options, my firmware modifications add a few more options which can be set using the nvram utility on the WRT54G command line (but don't forget to invoke "nvram commit" before rebooting, otherwise the settings are lost).

  • dnsmasq_enable: enable/disable dns masquerading proxy
  • httpd_enable: enable plaintext HTTP
  • httpsd_enable: enable SSL-encrypted HTTP
  • syslogd_enable: enable syslogd
  • telnetd_enable: enable telnet daemon
  • dr_lan_rx: listen to RIP on the LAN interface
  • dr_lan_tx: send RIP on the LAN interface
  • dr_wan_rx: listen to RIP on the WAN interface
  • dr_wan_tx: send RIP on the WAN interface
  • filter=vpn: only allow VPN traffic to pass between LAN and WAN interfaces

Network Interfaces

By default, WRT54G v1.x uses the 4702.et driver, which handles VLAN tags internally and exposes the LAN switch as eth0 and the WAN interface as eth1.

WRT54G v2 exposes the 5-port Ethernet switch as eth0 using VLANs (id 0 for the internal LAN and id 1 for the WAN interface).

WRT54G v1.x devices can also be switched to VLAN mode, but in that mode VLAN id 2 is used for the internal LAN. The following settings switch a WRT54G v1.x to VLAN mode:

  • vlan1hwname=et0
  • vlan2hwname=et0
  • lan_ifnames=vlan2 eth2 eth3 eth4
  • wan_ifnames=vlan1
  • wan_ifname=vlan1
  • use_vlan_et=1

OpenVPN Configuration

List of NVRAM settings to customise the OpenVPN configuration. Up to 10 OpenVPN processes can be configured using the following NVRAM settings (the first OpenVPN process uses the prefix openvpn_, the second OpenVPN process uses openvpn2_ as its configuration prefix, and so on). You can either store the whole OpenVPN config in NVRAM (using openvpn_config), or use the individual options to configure OpenVPN. In either case, certificates or keys must be stored in the respective NVRAM settings.

  • openvpn_enable: enable OpenVPN (1 to enable)
  • openvpn_config: OpenVPN configuration file (in this case, the lport, push, ifconfig, pool and route options will be ignored)
  • openvpn_lport: OpenVPN lport option (local UDP port, e.g. 5000)
  • openvpn_push: OpenVPN push options, separated by newlines (e.g. "route 0.0.0.0 0.0.0.0")
  • openvpn_ifconfig: OpenVPN ifconfig option (e.g. "10.20.30.1 10.20.30.2")
  • openvpn_pool: OpenVPN ifconfig-pool option (e.g. "10.20.30.4 10.20.30.255")
  • openvpn_route: OpenVPN route option (e.g. "10.20.30.0 255.255.255.0")
  • openvpn_ca: OpenVPN ca option (certificate authority file)
  • openvpn_cert: OpenVPN cert option (certificate file)
  • openvpn_key: OpenVPN key option (private key file)
  • openvpn_secret: OpenVPN secret option (pre-shared key file)
  • openvpn_secret_dir: additional parameter for the "secret" option (direction flag)

Before OpenVPN is started, the contents of openvpn_ca, openvpn_cert, openvpn_key and openvpn_secret are written to the files /tmp/openvpn/ca.pem, /tmp/openvpn/cert.pem, /tmp/openvpn/key.pem and /tmp/openvpn/secret.key. The recommended way of setting these options is to run "nvram set openvpn_ca" (note that there is no '=' after the NVRAM key name, which tells the nvram utility to read the value from stdin), then copy-and-paste the file contents and finish by pressing Ctrl-"D".

All other NVRAM settings for OpenVPN will be passed on the command line to OpenVPN.

Please note that OpenVPN's certificate validation requires that the system clock is set to the correct time.

The following OpenVPN configuration file is built into the firmware and used by OpenVPN. Commented-out options can be set using the NVRAM settings shown above.

mode server

dev tun
#lport [openvpn_lport]
#ifconfig [openvpn_ifconfig]
#ifconfig-pool [openvpn_pool]
#route [openvpn_route]
#push "[openvpn_push]"
link-mtu 1460
mssfix 0

tls-server
dh /etc/dh1024.pem

persist-key

#comp-lzo
no-replay

ping-exit 600

verb 1
daemon
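As an added example (not the firmware's own start-up script), the following POSIX shell script shows how one process prefix's NVRAM settings turn into the server template above, the /tmp/openvpn key files and the extra command-line options. The "nvram" function is a constructed stand-in for the router utility, and passing the key paths as --ca/--cert/--key/--secret and creating the key files mode 0600 are my assumptions.

```shell
#!/bin/sh
# Added example, not the firmware's own start-up script. "nvram" below is a
# constructed stand-in for the router utility, backed by shell variables
# (the real one persists to flash and needs "nvram commit").
nvram() {
    case "$1" in
        get) eval "printf '%s\n' \"\${NV_$2}\"" ;;
        set) eval "NV_$2=\$3" ;;
    esac
}

# Render the built-in server template for prefix $1 (openvpn_, openvpn2_, ...).
# Options that are unset in NVRAM stay commented out, as in the template above.
render_config() {
    p="$1"
    printf 'mode server\ndev tun\n'
    for map in lport:lport ifconfig:ifconfig ifconfig-pool:pool route:route; do
        name="${map%%:*}"; val="$(nvram get "${p}${map#*:}")"
        if [ -n "$val" ]; then printf '%s %s\n' "$name" "$val"
        else printf '#%s\n' "$name"; fi
    done
    # openvpn_push may hold several newline-separated options, one push line each
    nvram get "${p}push" | while IFS= read -r line; do
        if [ -n "$line" ]; then printf 'push "%s"\n' "$line"; fi
    done
    printf 'link-mtu 1460\nmssfix 0\ntls-server\ndh /etc/dh1024.pem\n'
    printf 'persist-key\nno-replay\nping-exit 600\nverb 1\ndaemon\n'
}

# Write ca/cert/key/secret from NVRAM into directory $2 (the firmware uses
# /tmp/openvpn) and print the options to append to the openvpn command line.
# Assumptions: the paths are passed as --ca/--cert/--key/--secret, and the key
# files are created mode 0600 so nothing else on the router can read them.
write_keys() {
    p="$1"; dir="$2"; args=""
    mkdir -p "$dir" && chmod 700 "$dir"
    for map in ca:ca.pem cert:cert.pem key:key.pem secret:secret.key; do
        key="${map%%:*}"; val="$(nvram get "${p}${key}")"
        [ -n "$val" ] || continue
        (umask 077; printf '%s\n' "$val" > "$dir/${map#*:}")
        args="$args --$key $dir/${map#*:}"
    done
    # openvpn_secret_dir is the direction flag that follows the secret file
    d="$(nvram get "${p}secret_dir")"
    if [ -n "$d" ]; then args="$args $d"; fi
    printf '%s\n' "${args# }"
}
```

Running render_config for openvpn2_ with nothing set yields the template with all four placeholder lines still commented out, which is how an unconfigured second process looks.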

The following configuration can be used on a client to connect to the OpenVPN server on the WRT54G:

dev tun
remote [remote-ip-addr] [remote-port]
nobind
pull
link-mtu 1460
mssfix 0

tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/cert.crt
key /etc/openvpn/key.crt

persist-key

ping 60
ping-restart 150

no-replay

verb 1
daemon

Firmware

Sorry, the binary is currently a bit outdated...

Download the current firmware image (about 3000 kB, md5sum 8d9e960b4a93007edd03aa8b98ba407a):

USE OF THIS FIRMWARE IS AT YOUR OWN RISK

Please note that most software included in the firmware image is licensed under the GNU General Public License which requires me to also provide the source code for the software. Unfortunately, the complete source code package would be rather large and I can't afford to put it on my Web site for free. Therefore, I offer to send anyone who is interested a CD containing the complete source code for a charge of EUR 15,-- (for preparing and shipping the CD), contact me for details. But please note that all modifications to the original Linksys source code are documented on this site and I am not really interested (except for complying with the GPL) in sending CDs.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).