Add Linux power to wireless routers with advanced tips and tricks for DD-WRT
Install, secure, and foolproof your DD-WRT-powered wireless routers
DD-WRT is a Linux-based firmware that turbocharges low-end consumer wireless broadband routers, transforming a $70 toy into a mighty networking powerhouse. DD-WRT brings all the power of the Linux networking stack to these little devices: wired and wireless routing, firewalls, QoS, DHCP server and forwarder, RADIUS server, OpenVPN, VLAN, wake-on-LAN, Wireless Distribution System repeater mode, Kai gaming engine, WPA2 encryption and authentication, and more (see Related topics). DD-WRT supplies a nice web GUI administration interface, and powerful, script-able command-line tools.
You will learn how to get DD-WRT, to set up secure GUI and command-line administration, and to probe and configure hardware.
Sebastian Gottschall, also known as BrainSlayer, is the primary author and maintainer of DD-WRT. The DD-WRT team includes a core team of developers, and also community contributors (see Related topics). DD-WRT is free for non-commercial use. Commercial users must pay for a license. There are professional services options, and you can purchase good hardware components such as Ubiquiti and Senao in the DD-WRT store. Donations of hardware, money, and helping other users in the forums are always welcome.
Supported and OEM devices
DD-WRT is designed for Atheros- and Broadcom-based IEEE802.11a/b/g/h/n wireless routers, like the Linksys WRT54GL which actually advertises that it supports DD-WRT. A valuable feature of the DD-WRT project is their supported device database and list of incompatible devices. Please consult these first. Don't waste your time with an unsupported router, unless you want to test it and contribute your findings to the community.
A minimal build for Broadcom routers with only 2MB flash memory still provides more functionality than the vendor's original firmware. Atheros-based routers need a minimum of 4MB. The supported device database helpfully lists device specifications.
You might not have to install DD-WRT yourself, as a growing number of vendors now pre-load with DD-WRT. Buffalo, Netgear, ASUS, Linksys, and Toplink all advertise routers "Preloaded with DD-WRT firmware."
Installation varies depending on which router you have. I use a Cisco/Linksys WRT160NL broadband router. This is a pretty nice little gadget: four Ethernet LAN ports, one WAN port, 8MB flash memory and 32MB RAM, MIMO, and a USB port for connecting to an external storage device, so it can act as a file or media server.
All routers on the supported list have detailed installation instructions—follow these to the letter. Do not improvise, and all will be well. You'll see many warnings that any interruption to the installation process will "brick" your router. Bricking means it won't boot, so you might as well use it as a doorstop. If you do brick your router, consult "Recover from a bad flash" in the DD-WRT wiki (see Related topics). It is possible to corrupt the software so thoroughly it cannot be re-flashed, and then it really is a brick, but in real life this is a rare event.
Web browsers don't always play nice, and you might run into some annoyances when you use the web GUI. When you make a successful configuration change the page should refresh automatically. If it goes blank then your changes weren't saved so you have to clear the browser cache, restart the browser, and try again.
Enable Boot Wait: Brick insurance
The default login is root and the default password is admin, and the default IP address of your router is 192.168.1.1. To open the DD-WRT web GUI, point a web browser on a neighboring PC to http://192.168.1.1.
Before you do anything else, go to the Administration > Management page, and check that Boot Wait is enabled, as in Figure 1:
Figure 1. Always enable Boot Wait
This should be enabled by default. It creates a five-second delay at boot, so if your router ever becomes unbootable you have this little window of opportunity to re-flash the firmware. Consider this as your no-brick insurance.
Save versus Apply Settings versus Reboot Router
Every configuration page in the web GUI has Save and Apply Settings buttons at the bottom, and sometimes a Reboot Router button. The Save button saves your changes without applying them, so they won't be activated until the router restarts, or you click the Apply Settings button. Apply Settings saves and applies your changes immediately, and restarts services if necessary. The Reboot Router button is for changes that require a reboot—make sure you save them first.
Securely talking to your router
You can handle most of your administration chores through the DD-WRT web GUI, which is comprehensive and well-organized. Figure 2 shows what it looks like on my router.
Figure 2. The DD-WRT web GUI incorporates a wealth of configurations and status information
By default it allows HTTP, which is insecure clear-text, so change this to HTTPS-only to encrypt your DD-WRT web administration in Administration > Management > Web Access. Click the Apply Settings to immediately save and activate your change, and you'll be kicked out of your existing session. Clear your browser cache, restart your browser, and then point it to https://192.168.1.1. (Or whatever is the IP address for your router, if you changed it.) The first time you do this you'll get a scary warning about the site certificate, which is verified by NewMedia-NET GmbH. Go ahead and accept it permanently. You can generate your own certificate and use your own certificate authority, which is a fun topic for another day.
You also can administer DD-WRT from the command line, and this gives you access to configuration options not supported by the web GUI. It's an extra door into your router if your web GUI fails. Telnet is enabled by default, while SSH is not. You can telnet in to your router this way, using the IP address of your own router:
$ telnet 192.168.1.1 DD-WRT login: root Password:
The login is always root, regardless of what username you configured, while the password is your real password that you created. Type exit to close the telnet session. Telnet is all right while you get acquainted with DD-WRT, but because telnet is completely insecure you must disable it on a production router and use SSH instead. Go to Services > Services to do this, as in Figure 3:
Figure 3. Enable SSH, disable Telnet
Then click Apply Settings, and you should be able to log in through SSH. Again, the username is always root, and the password is your real password:
$ ssh firstname.lastname@example.org DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH Release: 08/07/10 (SVN revision: 14896) email@example.com's password: ========================================================== ____ ___ __ ______ _____ ____ _ _ | _ \| _ \ \ \ / / _ \_ _| __ _|___ \| || | || | || ||____\ \ /\ / /| |_) || | \ \ / / __) | || |_ ||_| ||_||_____\ V V / | _ < | | \ V / / __/|__ _| |___/|___/ \_/\_/ |_| \_\|_| \_/ |_____| |_| DD-WRT v24-sp2 http://www.dd-wrt.com ========================================================== BusyBox v1.13.4 (2010-08-07 05:06:30 CEST) built-in shell (ash) Enter 'help' for a list of built-in commands.
Want to tighten this up even more? Then set up a password-less public-key
login. This is proof against brute-force password attacks, and nobody can
log in without a copy of the private key. The first step is to create an
encryption key pair on the Linux PC you'll log in from with the
$ ssh-keygen -t rsa -C router1 -f ~/.ssh/linksys
This example creates an RSA key pair which I named linksys. The public key is linksys.pub, the private key is linksys, and both are stored in the ~/.ssh directory. This is the standard place to store SSH keys, though you can put yours wherever you want. Next, add a line to /etc/ssh/ssh_config to identify the key:
-C option creates a comment inside the
public key file, which is a plain text file, which I use for identifying
it in case I ever lose track. Now copy your new public key to DD-WRT in
the field provided in the SSH section of Services > Services, and disable
password logins as in Figure 4:
Figure 4. Copying a public SSH key to DD-WRT for public-key authentication
Click Save, and then Reboot Router, and that's all you need to do. If you have an SSH session open it will be closed, and when you log back in it shouldn't ask for a password. To paste in multiple keys, insert a line break between each one.
You can do this from the command-line, using the
nvram command. Make sure your public key is all
one unbroken line between single quotes. You can have spaces but no
root@linksys:~# nvram set sshd_authorized_keys='ssh-rsa AAAAB3NzaC...89Suj router1' root@linksys:~# nvram commit root@linksys:~# reboot
You can also set multiple keys with
nvram in a
space-delimited list and each one enclosed in single quotes:
root@linksys:~# nvram set sshd_authorized_keys='key1' 'key2' 'key3' root@linksys:~# nvram commit
Type this out first in a text editor so you can see what you're doing, and then copy and paste the whole thing onto your command line.
nvram has multiple meanings. It is short for
non-volatile RAM, a special type of persistent memory that retains data
when the power is off. The flash memory in your router is a type of nvram.
nvram command is for managing hardware
settings, which are stored on the last block of the flash memory. This
memory segment is often called "the nvram." Different
versions of the
nvram command include IBM, Cisco,
Oracle, and Apple variations. The
nvram command in DD-WRT is fairly simple as it
only displays and changes the values assigned to variables, and deletes
variables. Run it with no options to see options and syntax:
root@linksys:~# nvram usage: nvram [get name] [set name=value] [unset name] [show]
nvram show displays all the settings on your
router, and there are a lot of them. You can use
less to break it down to a page at a time:
root@linksys:~# nvram show | less
Or look for a specific variable with
root@linksys:~# nvram show | grep ssh
Quick tip for free: If you accidentally disable the web interface but still have telnet or SSH, re-enable it this way:
root@linksys:~# nvram set http_enable=1 root@linksys:~# nvram commit root@linksys:~# reboot
The change will be applied after reboot. Remember the boot_wait setting?
The GUI won't let you change its length, but
nvram will. First find out how long it is:
root@linksys:/etc# nvram show |grep wait boot_wait=on wait_time=5
I'm the nervous type, so I want it to be ten seconds:
root@linksys:/etc# nvram set wait_time=10 root@linksys:~# nvram commit
This is how you clear a variable of any value:
root@linksys:~# nvram set http_enable="" root@linksys:~# nvram commit
If you don't want a particular change to survive a reboot omit
nvram commit, which is a good tactic when
you're experimenting because you can simply reboot to discard changes.
nvram unset [variable] deletes the variable entirely.
The OpenWrt Wiki has a good
nvram command reference,
NVRAM usage on OpenWrt 'WhiteRussian' (see Related topics).
Your last resort to clean up a bollixed configuration is to reset all your settings to the firmware defaults by pressing and holding the reset button on your router for 30 seconds and then rebooting it. This restores the DD-WRT defaults, and does not restore the original firmware as some people mistakenly believe.
Creating a second partition
The normal DD-WRT image occupies a 4MB partition even if your flash memory
is 8MB or more. You can create a partition on that unused space and use it
to store files. This should be primarily read-storage, for example
wireless hotspot splash and configuration pages, web pages, extra
configuration files, and storage for ipkg, the Itsy Package Management
System for embedded devices. Don't use it for files that generate a lot of
writes like logfiles, because flash memory supports a limited number of
writes and eventually fails. Modern flash memory is pretty durable, but it
still has a finite write lifespan. You can see your existing filesystem
with the good old
root@linksys:/# df -h Filesystem Size Used Available Use% Mounted on /dev/root 4.0M 4.0M 0 100% /
My router has 8 MB flash, so where is the rest of it? It's just sitting quietly, waiting to be used. Go to Administration > Management and check JFFS2 > Enable and Clean JFFS2 > Enable. Click Apply Settings, then Reboot Router. When it comes back up you should see something like this:
root@linksys:~# df -h Filesystem Size Used Available Use% Mounted on /dev/root 4.0M 4.0M 0 100% / /dev/mtdblock/3 2.3M 196.0K 2.1M 9% /jffs
JFFS2 is the Journalling Flash File System version 2, designed for flash storage media. Let's talk a bit about what kind of medium this flash memory is. It is a special device called Memory Technology Device, or MTD for short. It is not a block device like a hard drive and USB sticks, and it is not a character device like a keyboard or mouse. Block devices are organized in fixed-size sectors, like 512 and 1024 bytes. MTDs have eraseblocks of 128KB and bigger. Block devices do two things: read sector and write sector. MTDs do three things: read from eraseblock, write to eraseblock, and erase eraseblock.
Compact Flash, SD cards, and USB sticks are all MTDs deep down inside. But they look like block devices to your operating system because they have Flash Translation Layers (FTL) which emulate block devices on top of flash hardware. This FTL can be on the host computer, or on firmware on a hardware controller inside the device. If you sacrifice a USB stick (a noble sacrifice for the advancement of knowledge) and pry it open, chances are you'll see some NAND chips, which are the raw flash chips, and a microcontroller.
You need to know a few things about flash memory for your DD-WRT
adventures. One, NAND eraseblocks are all or nothing—the whole block has
to be erased before new data can be written. Two, Linux has an MTD
subsystem, and an
mtd command for
performing basic tasks such as erasing or writing an image to the device.
You can run the
mtd command with no options on
DD-WRT to see syntax and options. You'll encounter some how-tos that use
mtd command in the DD-WRT wiki, so now you
know what it is. Three, nvram resides on the last eraseblock, and it is
programatically limited to 32KB no matter how large the eraseblock is.
These hints can guide you in your DD-WRT explorations:
- DD-WRT is built on BusyBox, the wildly popular embedded Linux toolkit.
BusyBox contains stripped-down versions of the core Linux utilities.
To save space there are no man pages, so to learn about the BusyBox commands,
which are called applets, read man busybox (see Related topics).
You can run
ls -l /bin, and also on
/sbin, /usr/bin, and the other executable binary directories to see which commands are symlinked to BusyBox.
- DD-WRT uses the ash shell, which comes with BusyBox. Type
builtinat the command line to see all the shell builtins.
- Just like big grownup Linuxes, you can read the /proc and /sys pseudo-filesystems to dig up hardware information, and read configuration files in /etc.
- Read Implement strong WiFi encryption the easy way with hostapd (Carla Schroder, developerWorks, April 2012) to learn how to set up strong WPA2 authentication and encryption for WiFi users on your DD-WRT router.
- Check out the DD-WRT features listed in the DD-WRT wiki.
- Learn more about DD-WRT and the core team of developers who support it.
- Visit NVRAM usage on OpenWrt 'WhiteRussian' for a good
- Consult Recover from a bad flash if you do brick your router.
- Visit the DD-WRT project site.
- Visit Linux MTD, a great site to learn all about memory technology devices.
- Explore the DD-WRT Wiki for tutorials and device databases.
- In the developerWorks Linux zone, find hundreds of how-to articles and tutorials, as well as downloads, discussion forums, and a wealth of other resources for Linux developers and administrators.
- Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.
- Follow developerWorks on Twitter, or subscribe to a feed of Linux tweets on developerWorks.