Linksys really hit a niche when they created the WRT54G line of wireless routers, although unintentional. These particular routers were originally written using Linux which, due to the GPL, requires Linksys to release the source code. Since then, many open source groups have gotten ahold of this code and hacked it to bits. As such, there are many different open source firmwares available for the WRT54G line of routers that you can install. (Warranty voiding of course)

One of the most popular third-party firmware available is OpenWRT. This firmware is essentially a stripped-down embedded Linux operation system with addon packages to allow it to be a wireless router. It’s small, simple, and powerful; though not for the light of geek, as any configuration must be done by CLI.

I recently got a WRT54GL wireless router, which is the same as a WRT54G v4 router. (Linksys changed the model number since v5 does not use Linux and will not run custom firmwares.) In only a few hours, I was able to install OpenWRT and setup a powerful router/firewall for my home network. Here’s how you can too…

Installing OpenWRT

There are two ways to install OpenWRT: the easy way, or the safe way. Now, one should follow the safe way as it is, hence, safe. However, it is also the most difficult way. Essentially what you want to do is reflash the router using TFTP; that is, if something goes wrong during the flash, you can just try again. In order to do this method, you need to enable boot_wait on the router. There used to be a very easy way of doing this on the older WRT54G routers using the Ping hack. However, Linksys has such patched this vulnerability and the only way to enable this feature is to downgrade the router to a previous version (< 3.01.3).

Now, the easy way is to just use Linksys’ Firmware Upgrade page and upload OpenWRT to the router. The only problem with this method that is if anything goes wrong you’ve got a bricked router. However, as long as you don’t bump any cords, use a bad firmware, or loose power during the flash and powerup, things will be fine. Since no challenge is without its risks, I decided to go about this route.

You can download the latest version of OpenWRT from the official website at http://downloads.openwrt.org/.

Note that this document is written for the WhiteRussian release.

The are several different versions of the firmware available depending on the hardware and filesystem configuration you want. The WRT54GL is the same as a WRT54G, so download the WRT54G firmware. There is also two different filesystem configurations you can have.

SquashFS is the recommended, more secure setup as it has a two part filesystem. One area is read-only which contains all the files that came with the firmware, while the other area is read/write which is the root of the file system and contains symlinks to the read-only files. OpenWRT recommends this setup since it reduces the chance of one rewritting something they shouldn’t. However, it also doesn’t restrict the normal usage as you can remove the symlinks and replace the file with one of your own (the extra step offers accidental protection). This is the setup I went with.

For completion sake, the JFFS2 setup is just a normal read/write filesystem that doesn’t offer a proper failsafe mode.

By using the Linksys Firmware Upgrade page on the router’s web administration pages, select the firmware to be uploaded and click on “Update”. It takes awhile to reflash the router so don’t hold your breath. At first, the textbox on the bottom will show somewhat of a progress bar. When the bars reach the end of the text field, the page will change indicating the router has been updated. DO NOT DO ANYTHING! Look at your router. If the DMZ light is on, it means that OpenWRT is booting up. It will take some time to start and initialize so you must be patient some more. You are not free to do anything until the DMZ light turns off and the router is operational. Then, and only then, can you proceed to the next step.

First thing you should do is log into the router via telent. (Remember, OpenWRT is primarily a CLI OS, so get comfortable with it) You should be able to access it by the previously set IP address, and no password is required (yet).

root@localhost:~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
 
BusyBox v1.00 (2005.09.22-14:58+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
 
  _______                     ________        __
 |       |.---–.---–.---–.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 WHITE RUSSIAN  ------------------------------------
  * 2 oz Vodka   Mix the Vodka and Kahlua together
  * 1 oz Kahlua  over ice, then float the cream or
  * 1/2oz cream  milk on the top.
 ---------------------------------------------------
root@OpenWrt:~#

The first thing (after having logged in) that you should do right away is to turn boot_wait on. This is important since if you ever screw up in the future (as in, can’t log in), you can always reflash the firmware using the TFTP method. Otherwise, you may end up with a bricked router.

To do this, run at the command line:

nvram set boot_wait=on
nvram commit

For more information on nvram, see the wiki.

Securing your new box

It is recommended that you set a password for your root account so random people can’t just take over your box (this should be obvious). You can do this with the passwd command.

After setting a new password, the OS will automatically install and enable the SSH server (dropbear). It will also disable telnet logins but, unfortunately, will keep the daemon running. You can free up some resources by doing the following:

killall telnetd
rm /etc/init.d/S50telnet

Next is to secure your wireless access points. If you already secured your WAP while it was running the Linksys firmware, then this step is done - unless your using WPA/WPA2 encryption, in which you have one step left (see below). If not, then you will have several settings you need to change. Since my access point was already locked down I didn’t have to do this step. However, I will do my best to guide you in case you didn’t.

nvram refers to the wireless adapter as wl0, so we can see all the available configuration options for this interface by doing the following:

nvram show | grep "wl0"

I won’t print the list here as there are quite a few options to change. To save you some time, if you need to get your access point working, make sure the following options are set:

#WPA mode
#ap = Access Point (master mode), sta = Client mode
wl0_mode=ap
 
#WPA SSID
wl0_ssid=wap
 
#WPA channel
#For North America: 1..11
wl0_channel=6 #channel access point is on
 
#WPA intrastructure
#0 = Ad Hoc mode, 1 = normal AP/Client mode
wl0_infra=1
 
#WPA broadcast SSID
#0 = on, 1 = off
wl0_closed=0

Note that you must commit any changes that are made to nvram before they can take effect. If you find your changes (after committing) don’t have any effect, you may need to reboot the router.

nvram set option=value    #example
nvram set option2=value2  #don't acually do
...
nvram commit

Anyways, back to security. If you would like to enable mac filtering:

#WPA MAC filter
#disabled = any MAC allowed, allow = only listed MACs allowed, deny = deny only listed MACs
wl0_macmode=allow
 
#WPA MAC filter list
#Space seperated list of MAC address to allow/deny
wl0_maclist="00:02:2D:08:E2:1D 00:03:3E:05:E1:1B"

The WRT54GL supports both WEP and WPA encryption. WPA is much stronger then WEP, and is highly recommended unless you need to provide legacy access to outdated equipment. If your going to use WEP, you should take other precautions such as MAC filtering. To enable WEP:

#WPA WEP encryption
#disabled = disable WEP, enabled = enable WEP
wl0_wep=enabled
 
#WPA WEP key number
#Selects which key (wl0_key[1-4]) to use for WEP encryption: 1..4
wl0_key=1
 
#WPA WEP key [1..4]
#WEP key in hexadecimal format (allowed hex chars are 0-9a-f)
#Don't use WEP keys with 00 at the end. 128 bit WEP key must be 26 hex digits long.
wl0_key1=supersecretkey1
wl0_key2=supersecretkey2
wl0_key3=supersecretkey3
wl0_key4=supersecretkey4

For the rest of us, here are the options needed to configure WPA:
Note that enabling WPA disables WEP.

#WAP WPA mode
# open = No WPA
# psk = WPA Personal/PSK (Preshared Key)
# wpa = WPA with a RADIUS server
# psk2 = WPA2 Personal/PSK
# wpa2 = WPA2 with RADIUS
# "psk psk2" = Both WPA and WPA2 Personal/PSK
# "wpa wpa2" = Both WPA and WPA2 with RADIUS
wl0_akm="psk psk2"
 
#WPA WAP encryption algorithm
#tkip = RC4 encryption, aes = AES encryption, "aes+tkip" = support both 
wl0_crypto="aes+tkip"
 
#WPA WAP preshared key
#Password to use with WPA/WPA2 PSK (at least 8, up to 63 chars)
wl0_wpa_psk=supersecretkey
 
#RADIUS server information
wl0_radius_key=
wl0_radius_ipaddr=
wl0_radius_port=

Note that WPA does not work with the default install, and requires you to install the NAS package before you can authenticate. You can easily do so by running:

ipkg install nas

Setting up neccessary services

Cron

There are a bunch of services you should likely setup before putting your router in production. One of those services is cron. There are two steps to setting up cron. First is to create the crontabs file in /etc/:

mkdir /etc/crontabs
touch /etc/crontabs/root
ln -sf /etc/crontabs/root /etc/crontab

The last two lines are for compatibility/habit sake as many Linux distributions typically keep cron information in /etc/crontab.

The other step is to have cron startup automatically on boot. You can do so by creating the file /etc/init.d/S60cron with:

#!/bin/sh
[ -d /etc/crontabs ] && crond -c /etc/crontabs

You can then start cron by running this script:

chmod 775 S60cron  #Make script executable, only need to do once
./S60cron

Date/Time

If you haven’t noticed yet, your router will not have its time set. One of the problems with the WRT54G line is that they do not have an internal clock, so they loose their time after resets. Furthermore, they are horrible for drifting. So, we will need to set their internal date/time on boot, and periodically (good thing we have cron).

Before we start though, we should set our timezone. You can do this by writing a timezone identifier to /etc/TZ. For example, for me, I did:

echo "MST7MDT" > /etc/TZ

You can find out more information on the TZ file here.

Now, to set time on bootup, add the file /etc/init.d/S42rdate with the following:

#!/bin/sh
/usr/sbin/rdate 192.43.244.18  #time.nist.gov

To keep your clock up-to-date, add the following line to /etc/crontab:

0 * * * * /etc/init.d/S42rdate  #syncs every hour

Dnsmasq

One of the things you should check on before getting too comfortable with your setup is to look at Dnsmasq, “a lightweight, easy to configure DNS forwarder and DHCP server.” There was not much I had to change here, but you should be familiar with it incase you want to have control of your DHCP assignments. For example, you can see in this file that you can control static DHCP assignments by adding entries into /etc/ethers. You can find more information on dnsmasq here, and an example configuration script here.

This will likely be the first file that you have run into that is read-only as it is a symbolic link to the file in the rom. If you want to edit this file (or any other default file), simply run something like:

rm dnsmasq.conf
cp /rom/etc/dnsmasq.conf /etc/dnsmasq.conf

Firewall

I could spend all day telling you about how to setup OpenWRT to be the be-all, end-all of all routers. However, I have completed the goal of this article by describing how to install OpenWRT, and how to configure some basic essentials.

One of the things you should look at before forgetting your router password is setting up the firewall rules. I’m not going to go into details on this, but OpenWRT uses iptables for its firewall rules. You could either configure it using iptables by editing /etc/firewall.user, or install something like Shorewall and use its easier to define scripting language.

Update: I have written an article on how to setup a firewall using Shorewall on the WRT54GL, including other advanced topics such as customizing the internal switch and traffic shaping.

You should also be familiar with how the WRT54GL’s hardware maps to the network interfaces. You can see from this picture how things are wired, and is a good blueprint to keep around.

Conclusion

Well, hopefully this article helps and your roqing with your new connection hub. If you liked this article (or found some errors), please report them in the comments below. ‘night!