project:openwrt-wds [2009/09/02 20:44] (current)
micha created
===== OpenWRT and WDS =====

This article describes how I set up two wireless routers in my apartment to provide a PSK2-encrypted wireless network for all my household equipment. The two routers are linked together using WDS (also PSK2-encrypted). For software I'm using OpenWRT; for hardware, two Broadcom-based Asus WL-500G Premium boxes.

==== Choosing an OpenWRT image ====

You may build your own OpenWRT image, or you may download one from openwrt.org.

For the ASUS WL-500gP I chose the brcm-2.4 variant of OpenWRT. The plain brcm variant will run, and uses the newer 2.6 kernel, but wireless will not work with it.

==== Downloading the image ====

To avoid building the image yourself, download it from openwrt.org and check that the md5sum matches:

  wget --quiet http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/openwrt-brcm-2.4-squashfs.trx
  md5sum openwrt-brcm-2.4-squashfs.trx
  6ccb44d015a8477e2eb0fa81b9b83f1a  openwrt-brcm-2.4-squashfs.trx
 +
==== Building OpenWRT ====

You may skip this section if you do not want to build your own image.

Building OpenWRT is quite easy these days. I'm using Debian x86 lenny; you will need gcc and the other usual development tools installed. Here are the commands I used:

  svn co https://svn.openwrt.org/openwrt/trunk/
  mv trunk openwrt
  cd openwrt
  make menuconfig
  #  toggle 'select all packages by default'
  #  quit and save config
  make

That's it! The complete build takes up about 2GB on my machine, and it takes quite some time (up to several hours).

The output files are stored in the bin/ directory.

==== Installing OpenWRT ====

There are generic installation instructions on the OpenWRT wiki.

You'll have to use an Ethernet cable at this point. Connect it to one of LAN1-LAN4, not WAN. Configure your local machine on the 192.168.1.x network, for example as 192.168.1.42. The router will use 192.168.1.1.

On many routers, including the Asus WL-500g Premium that I use, you flash an image by disconnecting power, pressing and holding the reset button, and reconnecting power. After a few seconds the PWR LED starts to blink; release the reset button. The device now has a tftp server running on 192.168.1.1.

  tftp 192.168.1.1
  tftp> trace
  Packet tracing on.
  tftp> binary
  tftp> put openwrt-brcm-2.4-squashfs.trx
  ...

Wait a minute and restart the box by disconnecting and reconnecting power. Some documentation claims that the device should restart by itself, but I have never seen this happen.
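As an added example (not part of the original page), here is a small shell helper that refuses to hand an image to the tftp recovery server unless its md5sum and TRX header check out. The function names are mine, and flash_image assumes a tftp client that accepts its commands on stdin.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the downloaded
# .trx image before it is pushed to the router's tftp recovery server.
# EXPECTED_MD5 is the digest quoted above for openwrt-brcm-2.4-squashfs.trx.
EXPECTED_MD5=6ccb44d015a8477e2eb0fa81b9b83f1a

# Returns 0 when the file's md5sum equals the expected digest.
md5_matches() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Returns 0 when the file starts with the TRX firmware header magic "HDR0".
has_trx_magic() {
    [ "$(head -c 4 "$1")" = "HDR0" ]
}

# Runs every check; prints the reason and returns 1 on the first failure.
check_image() {
    if [ ! -s "$1" ]; then echo "refusing: $1 is missing or empty" >&2; return 1; fi
    if ! has_trx_magic "$1"; then echo "refusing: $1 has no TRX header" >&2; return 1; fi
    if ! md5_matches "$1" "$2"; then echo "refusing: md5 mismatch for $1" >&2; return 1; fi
    echo "ok: $1 verified"
}

# Push the image only after check_image passes, with the same tftp commands as the
# interactive session above. Assumes a tftp client that reads commands from stdin.
flash_image() {
    check_image "$1" "$2" || return 1
    printf 'binary\nput %s\n' "$1" | tftp 192.168.1.1
}

# Stand-alone demonstration on a constructed file (not a real image): it is refused
# because its md5 does not match the published digest.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf 'HDR0 constructed sample, not firmware' > "$tmp"
    check_image "$tmp" "$EXPECTED_MD5"
    rm -f "$tmp"
fi
```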
 +
==== Configuring OpenWRT ====

When the router has restarted, it will have a telnet server listening on 192.168.1.1.

  telnet 192.168.1.1
  Trying 192.168.1.1...
  Connected to 192.168.1.1.
  Escape character is '^]'.
  
   === IMPORTANT ============================
    Use 'passwd' to set your login password
    this will disable telnet and enable SSH
   ------------------------------------------
  
  
  BusyBox v1.11.2 (2009-05-28 19:38:17 UTC) built-in shell (ash)
  Enter 'help' for a list of built-in commands.
  
    _______                     ________        __
   |       |.-----.-----.-----.|  |  |  |.----.|  |_
   |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
   |_______||   __|_____|__|__||________||__|  |____|
            |__| W I R E L E S S   F R E E D O M
   KAMIKAZE (8.09.1, r16278) ----------------------------
    * 10 oz Vodka       Shake well with ice and strain
    * 10 oz Triple sec  mixture into 10 shot glasses.
    * 10 oz lime juice  Salute!
   ---------------------------------------------------
  root@OpenWrt:/#

Now you can configure OpenWRT. I'll go through each step I made, but obviously you may deviate from this description.

==== Set hostname ====

My first step was to set a hostname on the machine. Use vi to edit /etc/config/system so that it reads:

  config system
          option hostname caramel

If you prefer to cut-and-paste a command line invocation to do this, try:

  root@OpenWrt:~# sed -e 's/OpenWrt/caramel/' /etc/config/system > /tmp/system && mv /tmp/system /etc/config/system

(Write to a temporary file and then move it into place. Redirecting the output straight back onto the file being read truncates it before it is read, and you will usually be left with an empty config file.)

Setting a hostname helps when you have multiple OpenWRT boxes running, as the command prompt will show your hostname instead of OpenWrt (after you have restarted the router).

==== Set IP address ====

If you want the device to use an IP address other than 192.168.1.1, modify the LAN section of /etc/config/network. A quick command to do this:

  root@OpenWrt:~# sed -e 's/192\.168\.1\.1/192.168.1.15/' /etc/config/network > /tmp/network && mv /tmp/network /etc/config/network
==== Replace telnet with SSH ====

As you do not want to use insecure telnet, you will need to set up ssh. You can type passwd to set a root password, and this will disable telnet. I dislike passwords, even over ssh, so I always set up public-key authentication instead. For reference, there is a dropbear public-key authentication howto on the OpenWRT wiki.

The command to authorize your ssh key to log in as root on the router is:

  root@OpenWrt:/# echo 'PUBLICKEY' > /etc/dropbear/authorized_keys

Replace PUBLICKEY with the content of the ~/.ssh/id*.pub file on your own machine.

Disable password-based login using:

  root@OpenWrt:/# sed -e "s/'on'/'off'/" /etc/config/dropbear > /tmp/dropbear && mv /tmp/dropbear /etc/config/dropbear

Alternatively, edit /etc/config/dropbear to look like:

  config dropbear
          option PasswordAuth 'off'
          option Port         '22'

At this point, you can print the ssh host key fingerprint using:

  root@OpenWrt:~# dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key
  Public key portion is:
  ssh-rsa AAAA... root@OpenWrt
  Fingerprint: md5 b4:...

To use the web interface, you may want to set a root password.

  root@OpenWrt:/# passwd
  Changing password for root
  New password:
  Retype password:
  Password for root changed by root
  root@OpenWrt:/#

If you do not set a root password, you will need to disable the telnet server manually, as follows.

  root@OpenWrt:~# rm /etc/rc.d/S50telnet

After you have made your changes, try the new configuration by rebooting both devices.

  root@OpenWrt:/etc/config# reboot

You should now be able to log in as root using SSH. Try it from your machine. The SSH fingerprint should match what dropbearkey printed earlier.

  jas@mocca:~$ ssh -l root 192.168.1.15
  The authenticity of host '192.168.1.15 (192.168.1.15)' can't be established.
  RSA key fingerprint is b4:...
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '192.168.1.15' (RSA) to the list of known hosts.
  
  
  BusyBox v1.11.2 (2009-05-28 19:38:17 UTC) built-in shell (ash)
  Enter 'help' for a list of built-in commands.
  
    _______                     ________        __
   |       |.-----.-----.-----.|  |  |  |.----.|  |_
   |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
   |_______||   __|_____|__|__||________||__|  |____|
            |__| W I R E L E S S   F R E E D O M
   KAMIKAZE (8.09.1, r16278) ----------------------------
    * 10 oz Vodka       Shake well with ice and strain
    * 10 oz Triple sec  mixture into 10 shot glasses.
    * 10 oz lime juice  Salute!
   ---------------------------------------------------
  root@caramel:~#
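An added example, not from the original page or the OpenWRT project, that performs the dropbear steps above in a checkable way: it validates the key line before writing it, sets the directory and file modes dropbear requires, flips PasswordAuth to 'off' through a temporary file, and reports the result. Function names and the DROPBEAR_DIR/DROPBEAR_CFG variables are my own assumptions, so the functions can be tried on a scratch directory before running them on the router.

```shell
#!/bin/sh
# Added example, not from the original page: install an ssh public key for
# dropbear with the file modes it requires, switch PasswordAuth off, and
# verify the result. DROPBEAR_DIR/DROPBEAR_CFG are my parameters so the
# functions can be exercised on a scratch directory before touching the router.
DROPBEAR_DIR=${DROPBEAR_DIR:-/etc/dropbear}
DROPBEAR_CFG=${DROPBEAR_CFG:-/etc/config/dropbear}

# Accept exactly one OpenSSH-format key line: type, base64 blob, optional comment.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-dss) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# Append the key; dropbear ignores keys in a group- or world-writable file or directory.
install_pubkey() {
    valid_pubkey_line "$1" || { echo "rejecting malformed key line" >&2; return 1; }
    mkdir -p "$DROPBEAR_DIR" && chmod 700 "$DROPBEAR_DIR" || return 1
    ( umask 077; printf '%s\n' "$1" >> "$DROPBEAR_DIR/authorized_keys" ) || return 1
    chmod 600 "$DROPBEAR_DIR/authorized_keys"
}

# Number of key lines currently authorized (0 when the file does not exist yet).
authorized_key_count() {
    [ -f "$DROPBEAR_DIR/authorized_keys" ] || { echo 0; return; }
    grep -c '^ssh-' "$DROPBEAR_DIR/authorized_keys" || true
}

# Returns 0 only when PasswordAuth is 'off' in the UCI config.
password_auth_disabled() {
    grep -Eq "^[[:space:]]*option[[:space:]]+PasswordAuth[[:space:]]+'?off'?[[:space:]]*$" "$DROPBEAR_CFG"
}

# Flip PasswordAuth 'on' -> 'off' via a temp file (never redirect back onto the file
# being read), then confirm the edit took.
disable_password_auth() {
    tmp=$(mktemp) || return 1
    sed -e "s/\(PasswordAuth[[:space:]]*\)'on'/\1'off'/" "$DROPBEAR_CFG" > "$tmp" \
        && mv "$tmp" "$DROPBEAR_CFG" && password_auth_disabled
}
```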
==== Setup wireless ====

Wireless is disabled by default, and you will have to modify /etc/config/wireless to configure it.

A simple setup that uses (insecure) WEP would be:

  config wifi-device  wl0
          option type     broadcom
          option channel  5
  
  config wifi-iface
          option device   wl0
          option network  lan
          option mode     ap
          option ssid     YourNetworkName
          option encryption wep
          option key      DEADBEEF

A better setup, still using a shared secret but with the more secure PSK2, would be:

  config wifi-device  wl0
          option type     broadcom
          option channel  5
  
  config wifi-iface
          option device   wl0
          option network  lan
          option mode     ap
          option ssid     YourNetworkName
          option encryption psk2
          option key      DEADBEEFDEADBEEFDEADBEEFDEADBEEF

Remember, your security is never better than your password.

As you may recall, the point of my exercise was to set up two routers with WDS and PSK2. For discussion, let's say the MAC address of box 1 is 12:34:56:78:89:ab and the MAC address of box 2 is cd:ef:01:23:45:67. You can use ifconfig on each router to find out its MAC address.

On the first box, my /etc/config/wireless file looks like:

  # /etc/config/wireless configuration for device 12:34:56:78:89:ab
  
  config wifi-device  wl0
          option type     broadcom
          option channel  5
  
  config wifi-iface
          option device   wl0
          option network  lan
          option mode     ap
          option ssid     YourNetworkName
          option encryption psk2
          option key      UserNetworkPassword
  
  config wifi-iface
          option device   wl0
          option network  lan
          option mode     wds
          option bssid    cd:ef:01:23:45:67
          option encryption psk2
          option ssid     WDSNetworkName
          option key      InternalWDSPassword

Replace YourNetworkName and WDSNetworkName with something more appropriate. Use a different SSID for the WDS link than for the normal network.

On the second box, /etc/config/wireless looks the same except that the bssid option contains the MAC address of the first box. Here is the file:

  # /etc/config/wireless configuration for device cd:ef:01:23:45:67
  
  config wifi-device  wl0
          option type     broadcom
          option channel  5
  
  config wifi-iface
          option device   wl0
          option network  lan
          option mode     ap
          option ssid     YourNetworkName
          option encryption psk2
          option key      UserNetworkPassword
  
  config wifi-iface
          option device   wl0
          option network  lan
          option mode     wds
          option bssid    12:34:56:78:89:ab
          option encryption psk2
          option ssid     WDSNetworkName
          option key      InternalWDSPassword

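As an added example (not from the original page), this shell script generates the /etc/config/wireless file for either box from its peer's MAC address, checks a wireless config for the weak settings discussed above (WEP, anything other than psk2, a PSK of the wrong length), and confirms that the two boxes point their WDS bssid at each other's MAC. Function names and the sample values are my own.

```shell
#!/bin/sh
# Added example, not from the original page: write /etc/config/wireless for one box of
# the WDS pair from its peer's MAC, lint a config for the weak settings the page warns
# about (WEP, anything but psk2, bad PSK length), and check that the two boxes point
# their WDS bssid at each other. Function names and sample values are mine.
gen_wireless_config() {   # args: PEER_MAC USER_SSID USER_KEY WDS_SSID WDS_KEY
    cat <<EOF
config wifi-device  wl0
        option type     broadcom
        option channel  5

config wifi-iface
        option device   wl0
        option network  lan
        option mode     ap
        option ssid     $2
        option encryption psk2
        option key      $3

config wifi-iface
        option device   wl0
        option network  lan
        option mode     wds
        option bssid    $1
        option encryption psk2
        option ssid     $4
        option key      $5
EOF
}
# Print one finding per line for config file $1; return 1 if anything was found.
check_wireless_config() {
    rc=0
    while read -r kw name value; do
        [ "$kw" = "option" ] || continue
        case "$name" in
            encryption) [ "$value" = "psk2" ] || { echo "weak encryption: $value"; rc=1; } ;;
            key) case "${#value}" in
                     64) printf '%s' "$value" | grep -Eq '^[0-9A-Fa-f]{64}$' || { echo "64-char PSK must be hex: $value"; rc=1; } ;;
                     [89]|[1-5][0-9]|6[0-3]) ;;
                     *) echo "PSK must be 8-63 characters or 64 hex digits: $value"; rc=1 ;;
                 esac ;;
        esac
    done < "$1"
    return $rc
}
# wds_pair_consistent FILE_A MAC_A FILE_B MAC_B: each file's bssid must be the other box's MAC.
wds_pair_consistent() {
    peer() { awk '$1=="option" && $2=="bssid" {print tolower($3)}' "$1"; }
    [ "$(peer "$1")" = "$(printf %s "$4" | tr A-Z a-z)" ] && [ "$(peer "$3")" = "$(printf %s "$2" | tr A-Z a-z)" ]
}
```

Run gen_wireless_config once per box with the other box's MAC as the first argument, then run check_wireless_config on each file and wds_pair_consistent on the pair before copying them to the routers.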
==== Disable DHCP on one router ====

Both routers will by default run a DHCP server. You probably want to disable it on one of the boxes.

  root@kladdkaka:~# /etc/init.d/dnsmasq disable
  root@kladdkaka:~#

==== Restart router ====

After you have made your changes, try the new configuration by rebooting both devices.

  root@kladdkaka:/etc/config# reboot

After 30 seconds or so, the devices should have connected via WDS, and you should be able to ping the IP address of router A from router B and vice versa.

The default configuration bridges the wireless network with the LAN Ethernet ports, so you can connect desktop machines etc., and they should be able to reach every device connected to the wireless network or to the Ethernet ports of either of the two WDS-connected routers.
 +
==== Additional software ====

You can use opkg to install additional tools easily. First run opkg update to refresh the package list:

  root@caramel:~# opkg update
  Downloading     http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/Packages.gz
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  Packages.gz          100%   |*******************************|   130k 00:00:00 ETA
  Inflating   http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/Packages.gz
  Updated list of available packages in /var/opkg-lists/snapshots
  root@caramel:~#

Use opkg list to list all available packages.

Useful tools to install on a typical router include avahi-daemon, miniupnpd, and openntpd.

Avahi provides DNS-based service discovery. Install and enable it as follows:

  root@caramel:~# opkg install avahi-daemon
  Installing avahi-daemon (0.6.23-2) to root...
  Downloading   http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/avahi-daemon_0.6.23-2_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  avahi-daemon_0.6.23- 100%   |*******************************| 19698  00:00:00 ETA
  Installing libavahi (0.6.23-2) to root...
  Downloading http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/libavahi_0.6.23-2_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  libavahi_0.6.23-2_mi 100%   |*******************************| 69773  00:00:00 ETA
  Installing libdaemon (0.12-1) to root...
  Downloading   http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/libdaemon_0.12-1_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  libdaemon_0.12-1_mip 100%   |*******************************|  8352  --:--:-- ETA
  Installing libpthread (0.9.29-14.1) to root...
  Downloading   http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/libpthread_0.9.29-14.1_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  libpthread_0.9.29-14 100% |*******************************| 19278  00:00:00 ETA
  Installing libexpat (1.95.8-1) to root...
  Downloading http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/libexpat_1.95.8-1_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  libexpat_1.95.8-1_mi 100%     |*******************************| 47267  00:00:00 ETA
  Configuring avahi-daemon
  Configuring libavahi
  Configuring libdaemon
  Configuring libexpat
  Configuring libpthread
  root@caramel:~# /etc/init.d/avahi-daemon enable
  root@caramel:~#

BitTorrent clients, for example, can use UPnP to open up ports in the firewall. For this to work, you need a UPnP server on your router:

  root@caramel:~# opkg install miniupnpd luci-app-upnp
  Installing miniupnpd (1.1-5) to root...
  Downloading http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/miniupnpd_1.1-5_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  miniupnpd_1.1-5_mips 100%   |*******************************| 36923  00:00:00 ETA
  Installing luci-app-upnp (0.8.7-1) to root...
  Downloading http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/luci-app-upnp_0.8.7-1_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  luci-app-upnp_0.8.7- 100% |*******************************|  2748  00:00:00 ETA
  Configuring luci-app-upnp
  Configuring miniupnpd
  root@caramel:~# /etc/init.d/miniupnpd enable
  root@caramel:~#

The clock will typically be way off unless you set it. Install an NTP client to automate this. (The package openntpd also works but takes more space.)

  root@caramel:~# opkg install luci-app-ntpc
  Installing luci-app-ntpc (0.8.7-1) to root...
  Downloading http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/luci-app-ntpc_0.8.7-1_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  luci-app-ntpc_0.8.7- 100%   |*******************************|  2894  00:00:00 ETA
  Installing ntpclient (2007_365-1) to root...
  Downloading http://downloads.openwrt.org/kamikaze/8.09.1/brcm-2.4/packages/ntpclient_2007_365-1_mipsel.ipk
  Connecting to downloads.openwrt.org (195.56.146.238:80)
  ntpclient_2007_365-1 100% |*******************************| 12512  00:00:00 ETA
  Configuring luci-app-ntpc
  Configuring ntpclient
  root@caramel:~#
 +