OpenWrt Forum Archive

Topic: Update on Linksys WRT1900AC support

The content of this topic has been archived between 16 Sep 2014 and 7 May 2018. Unfortunately there are posts – most likely complete pages – missing.

@kaloz

RC2 is working fine, my set-up all working.:)

Statistics
Network Shares
OpenVPN
QoS
VnStat Graphs
Ad Blocking (my script)
Fan Control (my script)
Wifi

OpenVPN STATISTICS
Updated,Sat Jul  4 13:33:14 2015
TUN/TAP read bytes,5967889
TUN/TAP write bytes,84425460
TCP/UDP read bytes,88281376
TCP/UDP write bytes,8864164
Auth read bytes,84506388
pre-compress bytes,4156813
post-compress bytes,4168235
pre-decompress bytes,3177369
post-decompress bytes,4187882
END

root@AC1900M:~# uptime
13:36:26 up 5 days, 14:55,  load average: 0.01, 0.02, 0.04
root@AC1900M:~#

gufus wrote:

@kaloz

RC2 is working fine, my set-up all working.:)

Statistics
Network Shares
OpenVPN
QoS
VnStat Graphs
Ad Blocking (my script)
Fan Control (my script)
Wifi

OpenVPN STATISTICS
Updated,Sat Jul  4 13:33:14 2015
TUN/TAP read bytes,5967889
TUN/TAP write bytes,84425460
TCP/UDP read bytes,88281376
TCP/UDP write bytes,8864164
Auth read bytes,84506388
pre-compress bytes,4156813
post-compress bytes,4168235
pre-decompress bytes,3177369
post-decompress bytes,4187882
END

root@AC1900M:~# uptime
13:36:26 up 5 days, 14:55,  load average: 0.01, 0.02, 0.04
root@AC1900M:~#

I've also had no issues since installing RC2 a few days back

What script are you using for ad blocking?

You're welcome :-)

JW0914 wrote:

I strongly encourage you to scrap the VPN Server on your NAS (unless it's a public web or ftp server) because your NAS should never... I cannot stress this enough... never be directly exposed to WAN (the internet).

I would say the reason you wouldn't want to run a VPN server on a Synology NAS, is that it only supports username / password for OpenVPN configurations (at last I'd use it).  I'd prefer a password protected key system (the same with SSH).  A "real" OpenVPN setup also allows you to tweak other options via the config files.  It's more flexible.

quagga wrote:
JW0914 wrote:

I strongly encourage you to scrap the VPN Server on your NAS (unless it's a public web or ftp server) because your NAS should never... I cannot stress this enough... never be directly exposed to WAN (the internet).

I would say the reason you wouldn't want to run a VPN server on a Synology NAS, is that it only supports username / password for OpenVPN configurations (at last I'd use it).  I'd prefer a password protected key system (the same with SSH).  A "real" OpenVPN setup also allows you to tweak other options via the config files.  It's more flexible.

Good points.

It's simply a bad idea in general to expose servers to the WAN unless that's the purpose they were created for (web and FTP servers, for instance).  The whole point of a VPN is a secure connection, of which can only truly occur with asymmetric public key encryption.  Exposing your server to the WAN defeats the purpose of the security you're trying to maintain... sure, your traffic will be secure, but the server itself is not.

(Last edited by JW0914 on 5 Jul 2015, 02:33)

FYI -

For some reason on the snapshot (7/03) vs RC2, there's an issue with ChrootDirectory not being recognized or obeyed.

Basically, I'll remove dropbear use openssh-server and openssh-sftp-server to add users and chroot some of them to a specific folder (USB drive). RC2 and earlier works fine, but the snapshot (tested 7/03) fails when "ChrootDirectory %h" is added to /etc/ssh/sshd_config (it will even fail with "ChrootDirectory /home/username")

Match Group sftp_user
        ForceCommand internal-sftp
        ChrootDirectory %h
        AllowTcpForwarding no
        PermitTunnel no
        X11Forwarding no
        AllowAgentForwarding no

Trying to sftp with ChrootDirectory in /etc/ssh/sshd_config results in this error via command-line:

$ sftp user@10.0.0.1
user@10.0.0.1's password:
Connected to 10.0.0.1.
Couldn't canonicalize: No such file or directory
Need cwd

Trying with FileZilla returns:

Status:    Connecting to 10.0.0.1:22...
Status:    Connected to 10.0.0.1
Error:    Warning: failed to resolve home directory: no such file or directory
Status:    Retrieving directory listing...
Command:    pwd
Response:    Current directory is: "."
Error:    Failed to parse returned path.
Error:    Failed to retrieve directory listing

Spent all day checking if it was any config changes I made - but everything checked out. Moving back to RC2 immediately resolved the issue. Not sure what the root cause is, just posting here for publicity's sake.

(Last edited by iwrotecode on 5 Jul 2015, 03:56)
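sshd_config(5) requires every component of a ChrootDirectory path to be a root-owned directory that is not writable by group or others. An added pre-flight check for that documented requirement (it is not from the post above and does not diagnose the snapshot regression it reports); the function names and the optional owner-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory target.

# check_component DIR [OWNER_UID]
# Returns 0 when DIR is a directory owned by OWNER_UID (default 0, root)
# with no group or other write bit. OWNER_UID is a hypothetical knob so the
# check can be exercised on fixtures without root. A symlink is reported as
# "not a directory" rather than followed.
check_component() {
    dir=$1
    want_uid=${2:-0}
    # -d lists the directory itself, -n prints the numeric uid.
    line=$(ls -ldn -- "$dir" 2>/dev/null) || { echo "missing: $dir"; return 1; }
    set -f              # no globbing while the ls line is split into fields
    set -- $line
    set +f
    perms=$1
    uid=$3
    case $perms in
        d*) ;;
        *) echo "not a directory: $dir"; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, want $want_uid: $dir"; return 1; }
    case $perms in
        ?????w*) echo "group-writable: $dir"; return 1 ;;
    esac
    case $perms in
        ????????w*) echo "world-writable: $dir"; return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [OWNER_UID]
# Checks PATH and every parent up to /, reporting each failing component.
check_chroot_path() {
    path=$1
    owner=${2:-0}
    case $path in
        /*) ;;
        *) echo "not absolute: $path"; return 1 ;;
    esac
    rc=0
    while :; do
        check_component "$path" "$owner" || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Run against the resolved home directory of a chrooted user,
# e.g. the directory that "ChrootDirectory %h" expands to.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```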

Not sure where to ask this... To whom do I report errors on the site to?

I made a mistake when trying to create a wiki from the template page, mistakenly saving my wiki in place of the How To Template.  I'm hoping if I can alert the proper person soon enough, the template page can be restored.

(Last edited by JW0914 on 5 Jul 2015, 04:59)

JW0914 wrote:
quagga wrote:
JW0914 wrote:

I strongly encourage you to scrap the VPN Server on your NAS (unless it's a public web or ftp server) because your NAS should never... I cannot stress this enough... never be directly exposed to WAN (the internet).

I would say the reason you wouldn't want to run a VPN server on a Synology NAS, is that it only supports username / password for OpenVPN configurations (at last I'd use it).  I'd prefer a password protected key system (the same with SSH).  A "real" OpenVPN setup also allows you to tweak other options via the config files.  It's more flexible.

Good points.

It's simply a bad idea in general to expose servers to the WAN unless that's the purpose they were created for (web and FTP servers, for instance).  The whole point of a VPN is a secure connection, of which can only truly occur with asymmetric public key encryption.  Exposing your server to the WAN defeats the purpose of the security you're trying to maintain... sure, your traffic will be secure, but the server itself is not.

Agreed. However, my Synology offers a full OpenVPN solution incl. certificates. Whether you break the Router and its OpenVPN implementation and get then full access to the NAS or you break the OpenVPN implementation of the NAS and get then full access to the NAS, doesn't really matter, IMHO. Nevertheless, I am building my keys on the WRT1900AC as I type.

Many thanks for your help!

Update: I somehow blocked myself and had to re-flash the image. The howto is only self-explanatory to those who know. So I need to spend the next weekend or so to understand the configuration...it would be very nice to be able to configure this in LuCI in a more user-friendly fashion...

(Last edited by gaga on 5 Jul 2015, 12:24)

gaga wrote:
JW0914 wrote:
quagga wrote:

I would say the reason you wouldn't want to run a VPN server on a Synology NAS, is that it only supports username / password for OpenVPN configurations (at last I'd use it).  I'd prefer a password protected key system (the same with SSH).  A "real" OpenVPN setup also allows you to tweak other options via the config files.  It's more flexible.

Good points.

It's simply a bad idea in general to expose servers to the WAN unless that's the purpose they were created for (web and FTP servers, for instance).  The whole point of a VPN is a secure connection, of which can only truly occur with asymmetric public key encryption.  Exposing your server to the WAN defeats the purpose of the security you're trying to maintain... sure, your traffic will be secure, but the server itself is not.

Agreed. However, my Synology offers a full OpenVPN solution incl. certificates. Whether you break the Router and its OpenVPN implementation and get then full access to the NAS or you break the OpenVPN implementation of the NAS and get then full access to the NAS, doesn't really matter, IMHO. Nevertheless, I am building my keys on the WRT1900AC as I type.

Many thanks for your help!

Update: I somehow blocked myself and had to re-flash the image. The howto is only self-explanatory to those who know. So I need to spend the next weekend or so to understand the configuration...it would be very nice to be able to configure this in LuCI in a more user-friendly fashion...

No problem at all =]

It's literally impossible to break 2048 bit asymmetric public key encryption, and will be until at least 2100 on non-supercomputers.  For supercomputers, it will be impossible to break until at least 2030 (realistically, much longer).

  • It would currently take millions of years using the fastest desktop PC to break 2048bit asymmetric encryption

  • 2048bit keys are  2^32 times harder to break than 1024bit

  • No public key encryption of any key size is secure if sufficiently large quantum computers are employed using Shor's algorithm

The issue with exposing a non-public server to WAN is not about exploiting the VPN, but about the entire server itself being exploited.  Routers are way different than servers, and provided one doesn't punch an exploitable hole in their own fw3 iptables implementation on OpenWRT, it's almost impossible to gain access to networks behind an OpenWRT router.

(Last edited by JW0914 on 5 Jul 2015, 17:53)

gaga wrote:

Update: I somehow blocked myself and had to re-flash the image. The howto is only self-explanatory to those who know. So I need to spend the next weekend or so to understand the configuration...it would be very nice to be able to configure this in LuCI in a more user-friendly fashion...

You can configure a VPN server/client via LuCI (pkg luci-app-openvpn), however the LuCI interface for OpenVPN is extremely convoluted, and even with knowing how to setup a VPN, I got confused using it.  The main reason I install luci-app-openvpn is simply for the ability to quickly glance at the OpenVPN service page to ensure the VPN server is functioning normally.

When you say you locked yourself out, I'm assuming you're referring to the VPN.  At which point/step did you experience this? 

If you're referring to the VPN Server Setup Wiki I wrote, please let me know what information you'd like to see in the How To to make it more understandable for users who've never setup a VPN server before

(Last edited by JW0914 on 5 Jul 2015, 17:22)

Just reporting that my WRT1900AC is bricked with the blinking power light. Won't reset. Tried the reset/power on/off 3 times trick and still dead.

I believe I have version 1 of the HW.

It was running the latest Linksys Firmware before the update. I updated using hardwired connection.
the name for the update was: openwrt-15.05-rc2-mvebu-armada-385-linksys-cobra-squashfs-factory

Please let me know if you have any suggestions on unbricking or the correct forum for this are appreciated.

Armik wrote:
gufus wrote:
JW0914 wrote:

What script are you using for ad blocking?

My script (works fine with RC2)
https://forum.openwrt.org/viewtopic.php … 50#p277650

and that it blocks and how it works?

It utilizes the MVPS hosts file Mike Burgess developed for his site MVPS Hosts.  He offers it for free and many utilize it as a replacement for the Hosts file on their PC.

There are a few caveats to using it, mainly if you attempt to shop from Google (Google Search - Shopping), you'll be unable to navigate to any of the links for products that are returned.  This is because those links (for legitimate retailer analytic services) are passed through several analytics/tracking services before being delivered to the product page.  If you do utilize Google Shopping a lot, as I do, don't simply pass on it, as what Mr. Burgess has created is amazing; simply implement it on your individual PCs instead of the router.  Then, create a script on your PC to auto switch between the default Hosts file and the MVPS Hosts file whenever you do shop.

For example, I created a batch file (after giving my user modify privileges for the two hosts files)

ren C:\Windows\System32\drivers\etc\hosts hosts.mvps
ren C:\Windows\System32\drivers\etc\hosts.bak1 hosts
pause
ren C:\Windows\System32\drivers\etc\hosts hosts.bak1
ren C:\Windows\System32\drivers\etc\hosts.mvps hosts
pause

Jesse_G wrote:

Just reporting that my WRT1900AC is bricked with the blinking power light. Won't reset. Tried the reset/power on/off 3 times trick and still dead.

I believe I have version 1 of the HW.

It was running the latest Linksys Firmware before the update. I updated using hardwired connection.
the name for the update was: openwrt-15.05-rc2-mvebu-armada-385-linksys-cobra-squashfs-factory

Please let me know if you have any suggestions on unbricking or the correct forum for this are appreciated.

You'll need a USB-TTL cable to do a TFTP flash of the firmware via the serial port on the motherboard.  Please refer to the WRT1900 Wiki Recovery instructions on how to do so.

(Last edited by JW0914 on 5 Jul 2015, 17:07)

Jesse_G wrote:

I believe I have version 1 of the HW. The name for the update was: openwrt-15.05-rc2-mvebu-armada-385-linksys-cobra-squashfs-factory

You flashed the wrong firmware... I've made the same mistake before =]

Mamba is the v1 --> openwrt-15.05-rc2-mvebu-armada-xp-linksys-mamba-squashfs-factory.img
Cobra is the v2 --> openwrt-15.05-rc2-mvebu-armada-385-linksys-cobra-squashfs-factory.img

Refer to the WRT1900 Wiki

(Last edited by JW0914 on 5 Jul 2015, 17:18)

Jesse_G wrote:

Just reporting that my WRT1900AC is bricked with the blinking power light. Won't reset. Tried the reset/power on/off 3 times trick and still dead.

I believe I have version 1 of the HW.

It was running the latest Linksys Firmware before the update. I updated using hardwired connection.
the name for the update was: openwrt-15.05-rc2-mvebu-armada-385-linksys-cobra-squashfs-factory

Please let me know if you have any suggestions on unbricking or the correct forum for this are appreciated.

FYI

WRT1900AC(v1) - Mamba
WRT1900AC(v2) - Cobra
WRT1200AC - Caiman

Thanks- I'll get the usb-ttl cable to fix it.

JW0914 wrote:
Jesse_G wrote:

Just reporting that my WRT1900AC is bricked with the blinking power light. Won't reset. Tried the reset/power on/off 3 times trick and still dead.

I believe I have version 1 of the HW.

It was running the latest Linksys Firmware before the update. I updated using hardwired connection.
the name for the update was: openwrt-15.05-rc2-mvebu-armada-385-linksys-cobra-squashfs-factory

Please let me know if you have any suggestions on unbricking or the correct forum for this are appreciated.

You'll need a USB-TTL cable to do a TFTP flash of the firmware via the serial port on the motherboard.  Please refer to the WRT1900 Wiki Recovery instructions on how to do so.

I can absolutely buy a TTL cable, but I do have a USB to serial already. If I just get connectors on the right pins, do you think that would work? Or is it different voltage?

Voltage has to be 3.3v, while serial is 12v... you could use the serial with a MAX232 RS-232 module or equivalent.

I could be wrong, but I believe the cable firmware between a USB - TTL and USB - Serial are different, which is why you need an RS-232 module; plus the 3.3v has to be upped to 12v for the serial interface

USB - TTL are sold in two voltages, 3.3v and 5v, so make sure it's the 3.3v

(Last edited by JW0914 on 5 Jul 2015, 22:38)

JW0914 wrote:

There are a few caveats to using it, mainly if you attempt to shop from Google (Google Search - Shopping), you'll be unable to navigate to any of the links for products that are returned.  This is because those links (for legitimate retailer analytic services) are passed through several analytics/tracking services before being delivered to the product page.  If you do utilize Google Shopping a lot, as I do, don't simply pass on it, as what Mr. Burgess has created is amazing; simply implement it on your individual PCs instead of the router.  Then, create a script on your PC to auto switch between the default Hosts file and the MVPS Hosts file whenever you do shop.

I do this similarly, except I use the yoyo.org list and rather than use host files I use a local DNS server.  That has the advantage that I can push the DNS settings to the iPhones / iPads, etc and they also get the benefits of ad blocking.  As you mentioned, you will occasionally have to turn it off to make something work but overall it's pretty handy and its lightweight on the client systems.  It's not as comprehensive as Adblock, but it gets about 85% there with little to no overhead on the clients.
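The hosts-file post and the local-DNS post above both feed a third-party list into name resolution and both note that some entries have to be switched off. An added example (not from either poster) that vets a downloaded hosts-format list before it is installed: only sinkhole entries are accepted, and a local allowlist keeps chosen domains unblocked. The function names, allowlist format and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a downloaded hosts-format blocklist before it is used.
# A blocklist entry should only ever sinkhole a name; a line that maps a name
# to any other address would redirect clients, so it is rejected, not installed.

# sanitize_hosts ALLOWLIST < downloaded_hosts > clean_hosts
# ALLOWLIST: one domain per line; that domain and its subdomains stay unblocked.
sanitize_hosts() {
    awk -v allowfile="$1" '
    function is_allowed(h,    p, dot) {
        p = h
        while (1) {
            if (p in allowed) return 1
            dot = index(p, ".")
            if (dot == 0) return 0
            p = substr(p, dot + 1)      # try the parent domain next
        }
    }
    BEGIN {
        label = "[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?"
        fqdn = "^" label "(\\." label ")+$"
        while ((getline d < allowfile) > 0) {
            sub(/#.*/, "", d); gsub(/[ \t\r]/, "", d)
            if (d != "") allowed[tolower(d)] = 1
        }
        close(allowfile)
    }
    {
        sub(/\r$/, "")      # tolerate CRLF line endings
        sub(/#.*/, "")      # drop comments
        if (NF < 2) next
        if ($1 != "0.0.0.0" && $1 != "127.0.0.1") {
            print "rejected (not a sinkhole address): " $0 > "/dev/stderr"
            next
        }
        for (i = 2; i <= NF; i++) {
            h = tolower($i)
            if (h == "localhost" || h == "localhost.localdomain") continue
            if (h !~ fqdn) {
                print "rejected (invalid hostname): " h > "/dev/stderr"
                continue
            }
            if (is_allowed(h) || (h in seen)) continue
            seen[h] = 1
            print "0.0.0.0 " h          # normalise every entry to one sinkhole
        }
    }'
}

# Constructed sample input (not the real MVPS or yoyo.org list).
sample_hosts() {
    cat <<'EOF'
# constructed sample
127.0.0.1  localhost
0.0.0.0 ads.example.net  # banner server
0.0.0.0 click.shop-tracker.example
127.0.0.1 metrics.example.org
203.0.113.7 bank.example.com
0.0.0.0 ads.example.net
0.0.0.0 bad_host/../etc
EOF
    printf '0.0.0.0 pixel.example.io\r\n'
}

# Filter stdin when an allowlist path is given on the command line.
if [ "$#" -gt 0 ]; then
    sanitize_hosts "$1"
fi
```

Rejected lines go to stderr, so they can be logged and reviewed separately from the cleaned list on stdout.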

JW0914 wrote:
gaga wrote:

Update: I somehow blocked myself and had to re-flash the image. The howto is only self-explanatory to those who know. So I need to spend the next weekend or so to understand the configuration...it would be very nice to be able to configure this in LuCI in a more user-friendly fashion...

You can configure a VPN server/client via LuCI (pkg luci-app-openvpn), however the LuCI interface for OpenVPN is extremely convoluted, and even with knowing how to setup a VPN, I got confused using it.  The main reason I install luci-app-openvpn is simply for the ability to quickly glance at the OpenVPN service page to ensure the VPN server is functioning normally.

When you say you locked yourself out, I'm assuming you're referring to the VPN.  At which point/step did you experience this? 

If you're referring to the VPN Server Setup Wiki I wrote, please let me know what information you'd like to see in the How To to make it more understandable for users who've never setup a VPN server before

My main challenge is to understand what all the options and rules are (I can read-up on them, which is probably wise but nevertheless takes a lot of time) and how to really set it up.

It would be great to have some scenario-tutorials, maybe even with a scheme-picture.

For example, my setup looks the following:

* ISP Router on 192.168.2.1
* Linksys WRT1900AC on 192.168.2.2, which serves IPs from 192.168.1.2-192.168.1.150 (the router itself has 192.168.1.1)
* My NAS has the IP 192.168.1.10

Now I would like to get OpenVPN installed on my WRT1900AC, so I can safely access my data on the NAS.

I am sure that already exists, somewhere, but a quick search showed many different solutions for many different versions (of OpenWRT) and I have to find the working one.  :-)

As soon as I managed to get it working, I will report back...

gaga wrote:
JW0914 wrote:
gaga wrote:

Update: I somehow blocked myself and had to re-flash the image. The howto is only self-explanatory to those who know. So I need to spend the next weekend or so to understand the configuration...it would be very nice to be able to configure this in LuCI in a more user-friendly fashion...

You can configure a VPN server/client via LuCI (pkg luci-app-openvpn), however the LuCI interface for OpenVPN is extremely convoluted, and even with knowing how to setup a VPN, I got confused using it.  The main reason I install luci-app-openvpn is simply for the ability to quickly glance at the OpenVPN service page to ensure the VPN server is functioning normally.

When you say you locked yourself out, I'm assuming you're referring to the VPN.  At which point/step did you experience this? 

If you're referring to the VPN Server Setup Wiki I wrote, please let me know what information you'd like to see in the How To to make it more understandable for users who've never setup a VPN server before

The Wiki I wrote does all that lol

I would encourage you to read that wiki, as I wrote it with the intent of it being streamlined so one can immediately get a VPN up and running, then afterwards learn about different scenarios and all the options from other links (such as the wealth of information contained within all the links at the bottom of my wiki, especially OpenVPN's).

My main challenge is to understand what all the options and rules are (I can read-up on them, which is probably wise but nevertheless takes a lot of time) and how to really set it up.

It would be great to have some scenario-tutorials, maybe even with a scheme-picture.

For example, my setup looks the following:

* ISP Router on 192.168.2.1
* Linksys WRT1900AC on 192.168.2.2, which serves IPs from 192.168.1.2-192.168.1.150 (the router itself has 192.168.1.1)
* My NAS has the IP 192.168.1.10

Now I would like to get OpenVPN installed on my WRT1900AC, so I can safely access my data on the NAS.

I am sure that already exists, somewhere, but a quick search showed many different solutions for many different versions (of OpenWRT) and I have to find the working one.  :-)

As soon as I managed to get it working, I will report back...

gaga wrote:
JW0914 wrote:
gaga wrote:

Update: I somehow blocked myself and had to re-flash the image. The howto is only self-explanatory to those who know. So I need to spend the next weekend or so to understand the configuration...it would be very nice to be able to configure this in LuCI in a more user-friendly fashion...

You can configure a VPN server/client via LuCI (pkg luci-app-openvpn), however the LuCI interface for OpenVPN is extremely convoluted, and even with knowing how to setup a VPN, I got confused using it.  The main reason I install luci-app-openvpn is simply for the ability to quickly glance at the OpenVPN service page to ensure the VPN server is functioning normally.

When you say you locked yourself out, I'm assuming you're referring to the VPN.  At which point/step did you experience this? 

If you're referring to the VPN Server Setup Wiki I wrote, please let me know what information you'd like to see in the How To to make it more understandable for users who've never setup a VPN server before

My main challenge is to understand what all the options and rules are (I can read-up on them, which is probably wise but nevertheless takes a lot of time) and how to really set it up.

It would be great to have some scenario-tutorials, maybe even with a scheme-picture.

For example, my setup looks the following:

* ISP Router on 192.168.2.1
* Linksys WRT1900AC on 192.168.2.2, which serves IPs from 192.168.1.2-192.168.1.150 (the router itself has 192.168.1.1)
* My NAS has the IP 192.168.1.10

Now I would like to get OpenVPN installed on my WRT1900AC, so I can safely access my data on the NAS.

I am sure that already exists, somewhere, but a quick search showed many different solutions for many different versions (of OpenWRT) and I have to find the working one.  :-)

As soon as I managed to get it working, I will report back...

The Wiki I wrote does all that lol

I would encourage you to read that wiki, as I wrote it with the intent of it being streamlined so one can immediately get a VPN up and running, then afterwards learn about different scenarios and all the options from other links (such as the wealth of information contained within all the links at the bottom of my wiki, especially OpenVPN's).

(Last edited by JW0914 on 6 Jul 2015, 12:57)