Wireless Home Network
=====================

This article describes how I set up two wireless routers in my apartment, to provide a PSK2 encrypted wireless connection for all my household equipment. They are linked together using WDS (also PSK2). I use OpenWRT built directly from SVN. For hardware, I'm using two Asus WL-500G Premium routers (which use a Broadcom-based wlan).

image:wlan.png[Wireless Network Illustration]

If you need a 3G connection as well, you may find my link:internet.html[summer house wireless+3g network] writeup more relevant.

If you want to comment on this, please go to the link:http://blog.josefsson.org/?p=44[blog entry].

Created by Simon Josefsson on 2008-05-08.

Building OpenWRT
----------------

Building OpenWRT is quite easy these days. I'm using Debian x86 lenny, and you will need to install gcc and other development tools. Here are the commands I used:

----
svn co https://svn.openwrt.org/openwrt/trunk/
mv trunk openwrt
cd openwrt
make menuconfig
# toggle 'select all packages by default'
# quit and save config
make
----

That's it! The complete build takes up about 2GB on my machine, and it will take quite some time to build (up to several hours). The output files will be stored in the bin/ directory.

In case you also have the WL-500gP, and trust my build, you can download files from my link:/openwrt/brcm-2.4[online build tree]. You will probably only need the 'openwrt-brcm-2.4-squashfs.trx' file.

Installing OpenWRT
------------------

There are generic link:http://wiki.openwrt.org/OpenWrtDocs/Installing[installation instructions] on the link:http://wiki.openwrt.org/[OpenWRT Wiki].

You'll have to use an ethernet cable at this point. Connect it to LAN1-LAN4, not WAN. Configure your local machine on the 192.168.1.x network, for example as 192.168.1.42. The router will use 192.168.1.1.
On many routers, including the link:http://wiki.openwrt.org/OpenWrtDocs/Hardware/Asus/WL500GP[Asus WL-500g Premium] that I use, you flash an image by disconnecting power, pressing and holding down the reset button, and connecting the power again. Wait a few seconds and the PWR led will start to blink. Release the reset button. The device will now have a tftp server running on 192.168.1.1.

-------------
tftp 192.168.1.1
tftp> trace
Packet tracing on.
tftp> binary
tftp> put openwrt-brcm-2.4-squashfs.trx
...
-------------

Wait a few minutes and restart the box by disconnecting power briefly. Some documentation claims that the device should restart by itself, but I have never seen this happen.

Configuring OpenWRT
-------------------

When the router has restarted, it will have a telnet server listening on 192.168.1.1.

----------------
jas@mocca:~$ telnet 192.168.1.1
Trying 192.168.1.1...
Automatic decryption of input is enabled
Automatic encryption of output is enabled
Will send login name and/or authentication information.
Connected to 192.168.1.1.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.8.2 (2008-05-07 15:40:57 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r11058) -------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:~#
----------------

Now you can configure OpenWRT. I'll go through each step I made, but obviously you may deviate from this description.
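One check worth having ready on your own machine before the 'Replace telnet with SSH' step below: the host-key fingerprint that 'dropbearkey -y' prints on the router must match the one ssh shows at its first-connection prompt, otherwise you are not talking to your router. The POSIX shell functions that follow are an added example, not part of the original article, that parse both outputs and also recompute the MD5 fingerprint from the public key line itself (GNU coreutils 'base64 -d' and 'md5sum' are assumed on the workstation). The sample dropbearkey output and its key blob are constructed placeholders, not a real key.

```shell
#!/bin/sh
# Added example (not from the original article): compare the SSH host-key
# fingerprint the router prints with `dropbearkey -y` against the one ssh shows
# on first connection, and recompute it from the public key line itself.
# Assumes a POSIX sh with GNU coreutils (base64 -d, md5sum) on the workstation.

# Colon-separated MD5 fingerprint of an OpenSSH-format public key line
# ("ssh-rsa AAAA... comment"). Only the base64 blob (second field) is hashed,
# which is what both dropbearkey and OpenSSH of this era display.
pubkey_md5_fingerprint() {
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    printf '%s' "$blob" | base64 -d | md5sum | cut -d ' ' -f 1 | sed 's/../&:/g; s/:$//'
}

# The "Fingerprint: md5 ..." value from the text dropbearkey -y prints.
dropbearkey_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^Fingerprint: md5 //p'
}

# The "ssh-rsa ..." public key line from the same dropbearkey output.
dropbearkey_pubkey_line() {
    printf '%s\n' "$1" | sed -n '/^ssh-rsa /p'
}

# The fingerprint from ssh's prompt ("RSA key fingerprint is ae:...:ff.").
ssh_prompt_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^RSA key fingerprint is \([0-9a-f:]*\)\.$/\1/p'
}

# Exit 0 only when the router's printed fingerprint, the value ssh shows, and a
# fresh computation from the public key blob all agree; anything else is a
# mismatch and the "yes" at the ssh prompt should not be given.
host_key_matches() {
    router_fp=$(dropbearkey_fingerprint "$1")
    computed_fp=$(pubkey_md5_fingerprint "$(dropbearkey_pubkey_line "$1")")
    ssh_fp=$(ssh_prompt_fingerprint "$2")
    [ -n "$router_fp" ] && [ "$router_fp" = "$computed_fp" ] && [ "$router_fp" = "$ssh_fp" ]
}

# Constructed sample data, not a real key: the blob "YWJj" is base64 for "abc",
# whose MD5 is 900150983cd24fb0d6963f7d28e17f72, so the expected fingerprint is
# known without a real router.
SAMPLE_DROPBEARKEY_OUTPUT='Public key portion is:
ssh-rsa YWJj root@OpenWrt
Fingerprint: md5 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72'
SAMPLE_SSH_PROMPT='RSA key fingerprint is 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72.'
# Same prompt with one digit changed, as a different host key would produce.
SAMPLE_BAD_PROMPT='RSA key fingerprint is 00:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72.'

if host_key_matches "$SAMPLE_DROPBEARKEY_OUTPUT" "$SAMPLE_SSH_PROMPT"; then
    echo "host key verified, safe to answer yes"
fi
if ! host_key_matches "$SAMPLE_DROPBEARKEY_OUTPUT" "$SAMPLE_BAD_PROMPT"; then
    echo "fingerprint mismatch, do not connect"
fi
```

In real use, paste the full 'dropbearkey -y' output (read over the wired telnet or serial connection, not over the SSH session you are trying to verify) into the first argument and the 'RSA key fingerprint is ...' line from the ssh prompt into the second; only a match on all three values justifies answering 'yes'.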
Set hostname
~~~~~~~~~~~~

My first step was to set a hostname on the machine, using vi to edit '/etc/config/system' to make it read:

---------
config system
        option hostname caramel
---------

If you prefer to cut'n'paste a command line invocation to do this, try:

---------
# -i edits the file in place; piping 'cat FILE | sed ... > FILE' back onto the
# same file would truncate it before sed had read it.
root@OpenWrt:~# sed -i -e 's/OpenWrt/YOURHOSTNAME/' /etc/config/system
---------

Setting a hostname will help when you have multiple OpenWRT boxes running, as the command prompt will show your hostname instead of 'OpenWrt' (after you have restarted the router).

Set IP address
~~~~~~~~~~~~~~

If you want the device to use another IP address than 192.168.1.1, you can modify /etc/config/network in the LAN configuration section. A quick command to do this:

---------
root@OpenWrt:~# sed -i -e 's/192.168.1.1/192.168.1.15/' /etc/config/network
---------

Replace telnet with SSH
~~~~~~~~~~~~~~~~~~~~~~~

As you do not want to use insecure telnet, you will need to set up ssh. You can type 'passwd' to set a root password, and this will disable telnet. I dislike passwords, even if used over ssh, so I always set up public-key authentication instead. For reference, there is a link:http://wiki.openwrt.org/DropbearPublicKeyAuthenticationHowto[dropbear public key authentication howto] on the OpenWRT wiki. The command to make your ssh key authorized to log in as root on the router is:

---------
root@OpenWrt:/# echo 'PUBLICKEY' > /etc/dropbear/authorized_keys
---------

Replace PUBLICKEY with the content of the ~/.ssh/id*.pub file on your own machine. Disable password based login using:

---------
root@OpenWrt:/# sed -i -e "s/'on'/'off'/" /etc/config/dropbear
---------

Alternatively, edit /etc/config/dropbear to look like:

---------
config dropbear
        option PasswordAuth 'off'
        option Port '22'
---------

The final touch is to disable the telnet server. I also disable the httpd server, since it doesn't seem to serve any purpose.
---------
root@OpenWrt:~# rm /etc/rc.d/S50telnet /etc/rc.d/S50httpd
---------

At this point, you can print the ssh host key fingerprint using:

---------
root@OpenWrt:~# dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key
Public key portion is:
ssh-rsa AAAA... root@OpenWrt
Fingerprint: md5 ae:...
---------

Telnet should now be disabled, and you should be able to log in as root using SSH. Try it from your machine. The SSH fingerprint should match what was printed by 'dropbearkey' earlier.

----------------
jas@mocca:~$ ssh -l root 192.168.1.15
The authenticity of host '192.168.1.1 (192.168.1.15)' can't be established.
RSA key fingerprint is ae:...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.15' (RSA) to the list of known hosts.


BusyBox v1.8.2 (2008-05-07 15:40:57 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r11058) -------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:~#
----------------

Setup wireless
~~~~~~~~~~~~~~

Wireless is disabled by default, and you will have to modify ``/etc/config/wireless'' to configure it.
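The two-router AP plus WDS layout that the rest of this section configures by hand can also be generated. The script below is an added example, not part of the original article: it writes the /etc/config/wireless for one box given the other box's MAC address, checks both keys against the WPA pre-shared key format rules (8 to 63 printable characters, or 64 hex digits), refuses to reuse the user-facing key or ssid for the WDS link, and draws a random 64-hex-digit key for the WDS link so that the link key never has to be a typed passphrase. The MAC addresses and the ssid/key placeholders are the article's own; that the Broadcom nas daemon in this build accepts the 64-hex key form is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): write the AP + WDS
# /etc/config/wireless for the two routers of this section from their MAC
# addresses, after checking that the pre-shared keys are well formed and that
# the WDS link does not reuse the user-facing key. Assumes a POSIX sh with
# od, tr and grep (BusyBox on the router or a Linux workstation).

# WPA/WPA2 PSK rule: a passphrase of 8 to 63 printable ASCII characters, or the
# raw 256-bit key written as exactly 64 hex digits. Exit 0 when valid.
# (That the Broadcom nas daemon in this build accepts the 64-hex form is an
# assumption; the passphrase form is what the article's own configs use.)
valid_psk() {
    key=$1
    len=${#key}
    if [ "$len" -eq 64 ] && [ -z "$(printf '%s' "$key" | tr -d '0-9a-fA-F')" ]; then
        return 0
    fi
    if [ "$len" -ge 8 ] && [ "$len" -le 63 ] && [ -z "$(printf '%s' "$key" | tr -d '[:print:]')" ]; then
        return 0
    fi
    return 1
}

# A colon-separated MAC address as ifconfig prints it.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# 256-bit random key as 64 hex digits: nobody ever types the WDS key, so it can
# be as strong as the cipher allows instead of a memorable passphrase.
random_hex_psk() {
    od -A n -N 32 -t x1 /dev/urandom | tr -d ' \n'
}

# Print /etc/config/wireless for one box.
# $1 = MAC of the *other* box (the WDS bssid), $2 = AP ssid, $3 = AP key,
# $4 = WDS ssid, $5 = WDS key. Exit 1 without output on any invalid input.
wireless_config() {
    peer_mac=$1 ap_ssid=$2 ap_key=$3 wds_ssid=$4 wds_key=$5
    valid_mac "$peer_mac" || { echo "bad peer MAC: $peer_mac" >&2; return 1; }
    valid_psk "$ap_key" || { echo "AP key is not a valid WPA PSK" >&2; return 1; }
    valid_psk "$wds_key" || { echo "WDS key is not a valid WPA PSK" >&2; return 1; }
    [ "$ap_key" != "$wds_key" ] || { echo "AP and WDS keys must differ" >&2; return 1; }
    [ "$ap_ssid" != "$wds_ssid" ] || { echo "AP and WDS ssids must differ" >&2; return 1; }
    case "$ap_ssid$ap_key$wds_ssid$wds_key" in
        *\'*) echo "values must not contain single quotes (UCI quoting)" >&2; return 1 ;;
    esac
    cat <<EOF
# /etc/config/wireless, WDS peer $peer_mac
config wifi-device wl0
    option type    broadcom
    option channel 5

config wifi-iface
    option device     wl0
    option network    lan
    option mode       ap
    option ssid       '$ap_ssid'
    option encryption psk2
    option key        '$ap_key'

config wifi-iface
    option device     wl0
    option network    lan
    option mode       wds
    option bssid      $peer_mac
    option encryption psk2
    option ssid       '$wds_ssid'
    option key        '$wds_key'
EOF
}

# Usage with the article's placeholder MAC addresses: box 1 points its WDS
# bssid at box 2 (below); for box 2 pass 12:34:56:78:89:ab instead, with the
# same WDS_KEY, and copy each output to /etc/config/wireless on its router.
WDS_KEY=$(random_hex_psk)
wireless_config cd:ef:01:23:45:67 YourNetworkName UserNetworkPassword WDSNetworkName "$WDS_KEY"
```

Generate the WDS key once and feed the same value to both invocations; the two files differ only in the bssid line, exactly as the hand-written configs later in this section do.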
A simple setup that uses (insecure) WEP would be:

----
config wifi-device wl0
        option type    broadcom
        option channel 5

config wifi-iface
        option device     wl0
        option network    lan
        option mode       ap
        option ssid       YourNetworkName
        option encryption wep
        option key        DEADBEEF
----

A better setup, which still uses a shared secret but with the more secure PSK2, would be:

----
config wifi-device wl0
        option type    broadcom
        option channel 5

config wifi-iface
        option device     wl0
        option network    lan
        option mode       ap
        option ssid       YourNetworkName
        option encryption psk2
        option key        DEADBEEFDEADBEEFDEADBEEFDEADBEEF
----

Remember, your security is never better than your password.

As you may recall, the point of my exercise was to set up two routers with WDS and PSK2. For discussion, let's say the MAC address of box 1 is 12:34:56:78:89:ab and the MAC address of box 2 is cd:ef:01:23:45:67. You can use 'ifconfig' on each of the routers to find out the MAC address. On the first box, my /etc/config/wireless file looks like:

----
# /etc/config/wireless configuration for device 12:34:56:78:89:ab

config wifi-device wl0
        option type    broadcom
        option channel 5

config wifi-iface
        option device     wl0
        option network    lan
        option mode       ap
        option ssid       YourNetworkName
        option encryption psk2
        option key        UserNetworkPassword

config wifi-iface
        option device     wl0
        option network    lan
        option mode       wds
        option bssid      cd:ef:01:23:45:67
        option encryption psk2
        option ssid       WDSNetworkName
        option key        InternalWDSPassword
----

Replace YourNetworkName and WDSNetworkName with something more appropriate. You want to use a different ssid for the WDS than for the normal network. On the second box, the /etc/config/wireless will look the same, except that the bssid will contain the MAC address of the other box.
Here is the file:

----
# /etc/config/wireless configuration for device cd:ef:01:23:45:67

config wifi-device wl0
        option type    broadcom
        option channel 5

config wifi-iface
        option device     wl0
        option network    lan
        option mode       ap
        option ssid       YourNetworkName
        option encryption psk2
        option key        UserNetworkPassword

config wifi-iface
        option device     wl0
        option network    lan
        option mode       wds
        option bssid      12:34:56:78:89:ab
        option encryption psk2
        option ssid       WDSNetworkName
        option key        InternalWDSPassword
----

Disable DHCP on one router
~~~~~~~~~~~~~~~~~~~~~~~~~~

Both routers will by default run a DHCP server. The DHCP server and/or DHCP clients may be confused by having two, so it is typically better to have just one running. Disable it on one of the boxes:

---------
root@OpenWrt:~# rm /etc/rc.d/S60dnsmasq
---------

Restart router
~~~~~~~~~~~~~~

After you have made your changes, try the new configuration by rebooting both devices.

----------------
root@OpenWrt:/etc/config# reboot
----------------

After 30 seconds or so, the devices should have connected via WDS and you should be able to ping the IP address of router A from router B and vice versa. The default configuration bridges the wireless networks with the LAN ethernet sockets, so you can connect desktop machines etc., and they should be able to reach all devices connected to the wireless network or the ethernet sockets on either of the two WDS-connected routers.

Bonus
-----

Given that I placed link:brcm-2.4/[my OpenWRT bin/ directory] accessible over the internet, you can use 'ipkg' to download packages from me. Make sure '/etc/ipkg.conf' reads:

-----
src snapshots http://josefsson.org/openwrt/brcm-2.4/packages/mipsel
dest root /
dest ram /tmp
-----

Then you can install some tools easily:

-----
root@caramel:~# ipkg update
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/Packages
Updated list of available packages in /usr/lib/ipkg/lists/snapshots
Done.
root@caramel:~# ipkg install ez-ipupdate avahi-daemon
Installing ez-ipupdate (3.0.11b8-3) to root...
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/./ez-ipupdate_3.0.11b8-3_mipsel.ipk
Installing avahi-daemon (0.6.21-1) to root...
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/./avahi-daemon_0.6.21-1_mipsel.ipk
Installing libavahi (0.6.21-1) to root...
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/./libavahi_0.6.21-1_mipsel.ipk
Installing libdaemon (0.12-1) to root...
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/./libdaemon_0.12-1_mipsel.ipk
Installing libpthread (0.9.29-12) to root...
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/./libpthread_0.9.29-12_mipsel.ipk
Installing libexpat (1.95.8-1) to root...
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/./libexpat_1.95.8-1_mipsel.ipk
Configuring avahi-daemon
Configuring ez-ipupdate
Configuring libavahi
Configuring libdaemon
Configuring libexpat
Configuring libpthread
Done.
root@caramel:~# ipkg install miniupnpd
Installing miniupnpd (1.0-RC8-1) to root...
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/./miniupnpd_1.0-RC8-1_mipsel.ipk
Configuring miniupnpd
Done.
root@caramel:~# ipkg install openntpd
Installing openntpd (3.9p1-2) to root...
Downloading http://josefsson.org/openwrt/brcm-2.4/packages/mipsel/./openntpd_3.9p1-2_mipsel.ipk
Configuring openntpd
adding group ntp to /etc/group
adding user ntp to /etc/passwd
Done.
root@caramel:~#
-----

The End
-------

link:http://blog.josefsson.org/?p=44[Comments or feedback?]

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.