
TP-Link WR1043ND + OpenWRT + OpenVPN

November 25, 2011

The Story

Yesterday I went to my local computer store (k&m computer) to buy a four port switch to connect some of my devices at home. But after some time in the store I decided to buy a TP-Link WR1043ND, because it cost 48 euro instead of 20 euro for a 4-port switch. And while I was in the store I checked whether OpenWRT would run on this device. The first link I found on Google was how to install OpenWRT on the TL-1043ND. So the decision was made.

The Setup

I’m living in a shared flat (WG) and my flatmate handles everything related to our Internet connection because he is paying for it and I’m just allowed to use it via WLAN. I wanted my own home network behind our Internet router to have a secure encapsulated network for all my private devices. My setup looks like the one in the graphic taken from the OpenWRT wiki.

But I didn’t want just an encapsulated network apart from the rest of the net; I also wanted some way to access this network from the outside, for SSH access to my iMac. Since OpenVPN was the first VPN service that came to my mind, I decided to use this one.

Installing OpenWRT on WR1043ND


Installing OpenWRT on the WR1043ND is pretty simple:

  1. Pull the latest version of OpenWRT from their FTP server
  2. Now connect your computer to the WR1043ND via the included network cable and disable all other connections on your computer like wifi, 3g, etc.
  3. Open up a web browser and type into the address bar, the web interface of the WR1043ND should appear. Default password and username are admin:admin
  4. Now navigate to ‘System Tools’ -> ‘Firmware Upgrade’.
  5. Select the OpenWRT image you downloaded in the previous step and click ‘Upgrade’
  6. Now it takes some time while the router flashes the new image. Be patient!
  7. Now it's time to log into our newly installed OpenWRT. Call telnet to log into the device. A screen like the following should appear.
  8. Now the first thing is to set an appropriate password for the root user. This is done by calling passwd
  9. After setting up a password call reboot to restart your device.
  10. Now you are able to log in to the machine via SSH by calling ssh root@
  11. We are done!

Routed client mode


On a freshly installed OpenWRT the next command is not necessary, but if you have already played around and misconfigured something you can call

rm -f /etc/config/wireless
wifi detect > /etc/config/wireless

to get a clean and fresh start. After cleaning everything up we are ready to start:

  1. Call the following commands one after another
    uci del wireless.@wifi-device[0].disabled
    uci del wireless.@wifi-iface[0].network
    uci set wireless.@wifi-iface[0].mode=sta
    uci commit wireless
  2. Now open the file with vi /etc/config/wireless and change the bold lines according to your wifi connection
    config wifi-device radio0
        option type mac80211
        option channel xx
        option macaddr xx:xx:xx:xx:xx:xx
        option hwmode 11ng
        option htmode HT20
        option ht_capab SHORT-GI-40
        option ht_capab DSSS_CCK-40
    config wifi-iface
        option device radio0

        option 'network' 'wan'
        option 'mode' 'sta'
        option 'ssid' 'my-ssid'
        option 'encryption' 'psk2'
        option 'key' 'my-secret-key'
  3. Now we have to remove an option from the WAN interface. Open the file with vi /etc/config/network
    and remove the line with the ifname option from the entry

    config 'interface' 'wan'
    option 'proto' 'dhcp'
  4. The last step is to call
    ifup wan

    to reconfigure the wireless network.

  5. Now be patient again; it takes some time until the device is connected and the routes are set up. In the meantime you can test the OpenWRT web interface: go to the tab ‘Network’ -> ‘Diagnostics’ to test the connection

OpenVPN Server + Client


The following section describes how to set up an OpenVPN server on the TL-WR1043ND and how to configure the client (in my case my N900).

Certificate magic

  1. First of all we have to log in to our router with ssh root@ and install a few packages:
    opkg install openvpn openvpn-easy-rsa luci-app-openvpn
  2. We now give some information so that the certificate will be generated for the right entity
    cd /etc/easy-rsa
    vi vars

    Edit the following lines

    # Uncomment these lines so that your certificates stay valid for 3650 days (about ten years)
    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    # Fill these fields with the right information
    export KEY_COUNTRY="DE"
    export KEY_PROVINCE="BE"
    export KEY_CITY="Berlin"
    export KEY_ORG="Kaos & Theory AG"
    export KEY_EMAIL=""
  3. Now we create the certificates. It is important to use the same password for the server and client certificate
    build-key-server server
    build-key client
  4. Then we copy all generated keys from /etc/easy-rsa/keys to /etc/openvpn
    cd /etc/easy-rsa/keys
    cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
  5. You can also already copy the client stuff to your host computer. Call the following commands from a shell of your host computer, not from your router
    scp root@ .
    scp root@ .
    scp root@ .
    scp root@ .
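
Step 4 leaves private keys in /etc/openvpn, so their permissions and the presence of the CA signing key are worth checking. The following added example (not part of the original post) flags .key files readable by group or others and a ca.key kept beside the server keys, which OpenVPN needs only for signing and not at runtime; the sample directory and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN key directory.

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_keydir() {
    dir=$1
    findings=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        name=${f##*/}
        # Characters 5-10 of `ls -l` output are the group and other permission bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "PERM $name: group/other bits are '$bits', expected owner-only (chmod 600)"
            findings=$((findings + 1))
        fi
        # ca.key only signs new certificates; the running server verifies with ca.crt.
        if [ "$name" = "ca.key" ]; then
            echo "CAKEY $name: CA signing key stored next to the server keys"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: empty files named like the ones copied in step 4.
make_sample_keydir() {
    d=$(mktemp -d)
    for n in ca.crt ca.key dh1024.pem server.crt server.key; do : > "$d/$n"; done
    chmod 644 "$d/ca.crt" "$d/dh1024.pem" "$d/server.crt" "$d/server.key"
    chmod 600 "$d/ca.key"
    echo "$d"
}

sample=$(make_sample_keydir)
audit_keydir "$sample" || echo "key directory needs attention"
rm -rf "$sample"
```

On the router itself the call would be audit_keydir /etc/openvpn.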

Server configuration

  1. First of all configure the dhcp server running on the TP-Link, vi /etc/config/dhcp. The section ‘lan’ should look like the following
    config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'ignore' '0'
        option 'start' '50'
        option 'limit' '150'

    Now you will only get IP addresses in the range of to

  2. Now that we have configured the dhcp we have to configure the firewall, so that it doesn’t drop packets for our OpenVPN server. Edit the file with vi /etc/config/firewall to the following (in my case I have selected port 9001 for my server; the normal OpenVPN port is 1194)
    config 'rule'
        option 'target' 'ACCEPT'
        option 'name' 'VPN'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '9001'
  3. It’s time to generate the actual configuration file for our server. Open the file with vi /etc/config/openvpn, remove everything in it and replace it with the following
    config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '9001'
        option 'proto' 'udp'
        option 'dev' 'tap0'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/tmp/openvpn-status.log'
        option 'verb' '3'
        option 'server_bridge' ''
        list push "dhcp-option DNS lan-server-ip"
        list push "redirect-gateway def1"
  4. The last step is to restart your router and access the web interface once more. After the restart there should be a new interface called tap0 under ‘Network’ -> ‘Interfaces’ -> ‘LAN’ -> ‘Physical Settings’. Uncheck the entry ‘VLAN Interface: "eth0.1"’ and then check the following three entries: ‘Bridge Interfaces’, ‘Ethernet Switch: "eth0"’ and ‘Ethernet Adapter: "tap0"’. Now click ‘Save & Apply’
  5. Finally we start the OpenVPN server on the router. This can also be done from the web interface. Browse to ‘System’->’Startup’ and make sure that the OpenVPN daemon is running and is also started at startup.
  6. We are done with the server side.

Client configuration

  1. The client configuration is very easy. Run a terminal on your N900 and type sudo gainroot to get root access.
  2. Call apt-get install openvpn to install the OpenVPN client software
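  3. Put the following lines into a configuration file and store it under /etc/openvpn/client.ovpn
    # TLS client mode; also accepts the options pushed by the server
    client
    remote external-server-ip 9001
    proto udp
    dev tap
    ca ca.crt
    # certificate and key created by "build-key client"
    cert client.crt
    key client.key
    # has to match comp_lzo on the server
    comp-lzo
    verb 3
    keepalive 10 120
    resolv-retry infinite
    mute 20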
  4. In a previous step we already copied the necessary certificates from the router to a host, now copy these certificates to the N900 into the folder /etc/openvpn/
  5. Finally we start the client, with the following script
    cd /etc/openvpn
    openvpn client.ovpn
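
The port and protocol have to agree in three places: the firewall rule, the server section and the client's remote line. This added example (not from the original post) compares them; the file contents are constructed samples with a deliberately different server port, and the function names, the SSH rule and the host vpn.example.invalid are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check VPN port and protocol.

# uci_value FILE OPTION [NAME]: value of OPTION in the first section that has it
# (and, if NAME is given, whose 'name' option equals NAME). Quotes are stripped.
uci_value() {
    tr -d "'\"" < "$1" | awk -v opt="$2" -v name="$3" '
        function flush() {
            if (!hit && (opt in sec) && (name == "" || sec["name"] == name)) {
                print sec[opt]; hit = 1
            }
            split("", sec)
        }
        $1 == "config" { flush() }
        $1 == "option" { sec[$2] = $3 }
        END { flush() }'
}

# ovpn_field FILE KEYWORD N: field N of the first line that starts with KEYWORD.
ovpn_field() { awk -v k="$2" -v n="$3" '$1 == k { print $n; exit }' "$1"; }

# Args: firewall file, server file, client file. Returns 1 on any mismatch.
check_vpn_endpoints() {
    fw="$(uci_value "$1" proto VPN)/$(uci_value "$1" dest_port VPN)"
    srv="$(uci_value "$2" proto)/$(uci_value "$2" port)"
    cl="$(ovpn_field "$3" proto 2)/$(ovpn_field "$3" remote 3)"
    rc=0
    [ "$fw" = "$srv" ] || { echo "MISMATCH firewall accepts $fw, server listens on $srv"; rc=1; }
    [ "$cl" = "$srv" ] || { echo "MISMATCH client dials $cl, server listens on $srv"; rc=1; }
    return $rc
}

# Constructed sample: rule and client use udp/9001, the server section udp/1194.
write_sample() {
    printf "config 'rule'\n option 'name' 'SSH'\n option 'proto' 'tcp'\n option 'dest_port' '22'\n" > "$1/firewall"
    printf "config 'rule'\n option 'name' 'VPN'\n option 'proto' 'udp'\n option 'dest_port' '9001'\n" >> "$1/firewall"
    printf "config 'openvpn' 'lan'\n option 'port' '1194'\n option 'proto' 'udp'\n" > "$1/openvpn"
    printf "remote vpn.example.invalid 9001\nproto udp\ndev tap\n" > "$1/client.ovpn"
}

tmp=$(mktemp -d)
write_sample "$tmp"
check_vpn_endpoints "$tmp/firewall" "$tmp/openvpn" "$tmp/client.ovpn" || true
rm -rf "$tmp"
```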

The Ending

Now you should be able to connect your devices to the four LAN ports of the WR1043ND and they are protected from the other network. If you are somewhere else, like Starbucks or some other place that offers free Wifi you should also be able to tunnel your N900 to your local network with the OpenVPN client.
If you want a static IP for your WR1043ND you can always use a service like DynDNS. OpenWRT has a package called DDNS that handles that and the OpenWRT wiki also describes how to configure that service.
