Add Linux power to wireless routers with advanced tips and tricks for DD-WRT

Install, secure, and foolproof your DD-WRT-powered wireless routers

DD-WRT is a Linux-based firmware that turbocharges low-end consumer wireless broadband routers, transforming a $70 toy into a mighty networking powerhouse. DD-WRT brings all the power of the Linux networking stack to these little devices: wired and wireless routing, firewalls, QoS, DHCP server and forwarder, RADIUS server, OpenVPN, VLAN, wake-on-LAN, Wireless Distribution System repeater mode, Kai gaming engine, WPA2 encryption and authentication, and more (see Related topics). DD-WRT supplies a nice web GUI administration interface, and powerful, script-able command-line tools.

You will learn how to get DD-WRT, to set up secure GUI and command-line administration, and to probe and configure hardware.

Sebastian Gottschall, also known as BrainSlayer, is the primary author and maintainer of DD-WRT. The DD-WRT team includes a core team of developers, and also community contributors (see Related topics). DD-WRT is free for non-commercial use. Commercial users must pay for a license. There are professional services options, and you can purchase good hardware components such as Ubiquiti and Senao in the DD-WRT store. Donations of hardware, money, and helping other users in the forums are always welcome.

Supported and OEM devices

DD-WRT is designed for Atheros- and Broadcom-based IEEE802.11a/b/g/h/n wireless routers, like the Linksys WRT54GL which actually advertises that it supports DD-WRT. A valuable feature of the DD-WRT project is their supported device database and list of incompatible devices. Please consult these first. Don't waste your time with an unsupported router, unless you want to test it and contribute your findings to the community.

A minimal build for Broadcom routers with only 2MB flash memory still provides more functionality than the vendor's original firmware. Atheros-based routers need a minimum of 4MB. The supported device database helpfully lists device specifications.

You might not have to install DD-WRT yourself, as a growing number of vendors now pre-load with DD-WRT. Buffalo, Netgear, ASUS, Linksys, and Toplink all advertise routers "Preloaded with DD-WRT firmware."

Installation

Installation varies depending on which router you have. I use a Cisco/Linksys WRT160NL broadband router. This is a pretty nice little gadget: four Ethernet LAN ports, one WAN port, 8MB flash memory and 32MB RAM, MIMO, and a USB port for connecting to an external storage device, so it can act as a file or media server.

All routers on the supported list have detailed installation instructions—follow these to the letter. Do not improvise, and all will be well. You'll see many warnings that any interruption to the installation process will "brick" your router. Bricking means it won't boot, so you might as well use it as a doorstop. If you do brick your router, consult "Recover from a bad flash" in the DD-WRT wiki (see Related topics). It is possible to corrupt the software so thoroughly it cannot be re-flashed, and then it really is a brick, but in real life this is a rare event.

Web browsers don't always play nice, and you might run into some annoyances when you use the web GUI. When you make a successful configuration change the page should refresh automatically. If it goes blank then your changes weren't saved so you have to clear the browser cache, restart the browser, and try again.

Enable Boot Wait: Brick insurance

The default login is root and the default password is admin, and the default IP address of your router is 192.168.1.1. To open the DD-WRT web GUI, point a web browser on a neighboring PC to http://192.168.1.1. Change that default password right away on the Administration > Management page; every DD-WRT router ships with the same one, and anything on your LAN can reach the login page.

Before you do anything else, go to the Administration > Management page, and check that Boot Wait is enabled, as in Figure 1:

Figure 1. Always enable Boot Wait

This should be enabled by default. It creates a five-second delay at boot, so if your router ever becomes unbootable you have this little window of opportunity to re-flash the firmware. Consider this as your no-brick insurance.

Save versus Apply Settings versus Reboot Router

Every configuration page in the web GUI has Save and Apply Settings buttons at the bottom, and sometimes a Reboot Router button. The Save button saves your changes without applying them, so they won't be activated until the router restarts, or you click the Apply Settings button. Apply Settings saves and applies your changes immediately, and restarts services if necessary. The Reboot Router button is for changes that require a reboot—make sure you save them first.

Securely talking to your router

You can handle most of your administration chores through the DD-WRT web GUI, which is comprehensive and well-organized. Figure 2 shows what it looks like on my router.

Figure 2. The DD-WRT web GUI incorporates a wealth of configurations and status information

By default it allows HTTP, which sends your login and every configuration change across the LAN in clear text, so change this to HTTPS-only in Administration > Management > Web Access to encrypt your DD-WRT web administration. Click Apply Settings to save and activate your change immediately; you'll be kicked out of your existing session. Clear your browser cache, restart your browser, and then point it to https://192.168.1.1 (or whatever the IP address of your router is, if you changed it). The first time you do this you'll get a scary warning about the site certificate. It is a self-signed certificate issued in the name of NewMedia-NET GmbH, the DD-WRT company, so your browser cannot check it against any public certificate authority. Accept it permanently only while you are on a trusted LAN connection, since the same warning would appear if something else on the network were answering for the router; once the exception is stored, the browser will warn you again if the certificate ever changes. You can generate your own certificate and use your own certificate authority, which is a fun topic for another day.

You also can administer DD-WRT from the command line, and this gives you access to configuration options not supported by the web GUI. It's an extra door into your router if your web GUI fails. Telnet is enabled by default, while SSH is not. You can telnet in to your router this way, using the IP address of your own router:

$ telnet 192.168.1.1
DD-WRT login: root
Password:

The login is always root, regardless of what username you configured, while the password is your real password that you created. Type exit to close the telnet session. Telnet is all right while you get acquainted with DD-WRT, but because telnet is completely insecure you must disable it on a production router and use SSH instead. Go to Services > Services to do this, as in Figure 3:

Figure 3. Enable SSH, disable Telnet

Then click Apply Settings, and you should be able to log in through SSH. Again, the username is always root, and the password is your real password:

$ ssh root@192.168.1.1
DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH
Release: 08/07/10 (SVN revision: 14896)
root@192.168.1.1's password:
==========================================================
[DD-WRT ASCII-art banner]
DD-WRT v24-sp2 http://www.dd-wrt.com
==========================================================
BusyBox v1.13.4 (2010-08-07 05:06:30 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Want to tighten this up even more? Then set up public-key login and turn off password authentication on the router. This defeats brute-force password attacks, because nobody can log in without a copy of the private key. ("Password-less" refers to the router no longer accepting passwords, not to the key itself: protect the private key with a passphrase when ssh-keygen asks for one, because anyone who copies an unprotected key file owns your router.) The first step is to create a key pair on the Linux PC you'll log in from with the ssh-keygen command:

$ ssh-keygen -t rsa -C router1 -f ~/.ssh/linksys

This example creates an RSA key pair which I named linksys. The public key is linksys.pub, the private key is linksys, and both are stored in the ~/.ssh directory. This is the standard place to store SSH keys, though you can put yours wherever you want. Next, tell your SSH client to use this key for the router by adding a Host entry to ~/.ssh/config, your per-user client configuration. (/etc/ssh/ssh_config is the system-wide equivalent; a bare IdentityFile line there would offer this key to every host you connect to, and it applies to every user on the PC.)

Host 192.168.1.1
    IdentityFile ~/.ssh/linksys

The -C option creates a comment inside the public key file, which is a plain text file, which I use for identifying it in case I ever lose track. Now copy your new public key to DD-WRT in the field provided in the SSH section of Services > Services, and disable password logins as in Figure 4:

Figure 4. Copying a public SSH key to DD-WRT for public-key authentication

Click Save, and then Reboot Router, and that's all you need to do. If you have an SSH session open it will be closed, and when you log back in it shouldn't ask for a password. To paste in multiple keys, insert a line break between each one.

You can do this from the command-line, using the nvram command. Make sure your public key is all one unbroken line between single quotes. You can have spaces but no line breaks:

root@linksys:~# nvram set sshd_authorized_keys='ssh-rsa AAAAB3NzaC...89Suj router1'
root@linksys:~# nvram commit
root@linksys:~# reboot

You can also set multiple keys with nvram. They go in one single-quoted value with a line break between keys, the same rule as the GUI field; the ash shell keeps the newline inside the single quotes. Passing each key as a separate quoted word does not work, because nvram set takes a single name=value argument and silently ignores anything after it:

root@linksys:~# nvram set sshd_authorized_keys='ssh-rsa AAAAB3NzaC...89Suj router1
ssh-rsa AAAAB3NzaC... laptop'
root@linksys:~# nvram commit

Type this out first in a text editor so you can see what you're doing, and then copy and paste the whole thing onto your command line.
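Rather than typing that paste by hand, I prepare it on the admin PC. Here is an added example, not code from the article or from the DD-WRT project, that does so: a POSIX sh script which checks each OpenSSH .pub file (one line only, type ssh-rsa, a blob that really encodes an RSA key) and prints the nvram commands with the keys joined by line breaks, so a wrapped key or a wrong file is caught before it reaches the router. The file names and key comments in the usage are constructed; restricting the check to ssh-rsa is an assumption that matches the article's examples, adjust it if your router's SSH server accepts other key types.

```shell
#!/bin/sh
# Added example (not the article's code): assemble the sshd_authorized_keys
# value from OpenSSH .pub files on the admin PC and print the nvram commands
# to paste on the router. POSIX sh; no network access needed.

# Validate one .pub file and print its single key line.
# Assumption: only ssh-rsa keys are accepted (the article's examples are RSA).
check_pub_key() {
    file=$1
    # A key must be one line; a wrapped key is exactly the paste error the
    # article warns about, so refuse files with more than one line.
    n=$(wc -l < "$file" | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "error: $file has $n lines, a key must be a single line" >&2
        return 1
    fi
    line=$(head -n 1 "$file")
    set -- $line                      # split into type, blob, comment
    case "$1" in
        ssh-rsa) ;;
        *) echo "error: $file: unsupported key type '$1'" >&2; return 1 ;;
    esac
    # The blob is base64 of length-prefixed fields, and the first field is
    # the key type string, so every ssh-rsa blob starts with this prefix.
    case "$2" in
        AAAAB3NzaC1yc2E*) ;;
        *) echo "error: $file: blob is not an ssh-rsa key" >&2; return 1 ;;
    esac
    printf '%s\n' "$line"
}

# Join the checked keys with line breaks (the GUI field's rule) and print
# the commands. The value is single-quoted for the ash shell on the router,
# so a key comment that itself contains a single quote is refused.
emit_nvram_commands() {
    value=""
    for f in "$@"; do
        line=$(check_pub_key "$f") || return 1
        if [ -z "$value" ]; then
            value=$line
        else
            value="$value
$line"
        fi
    done
    case "$value" in
        *"'"*) echo "error: single quote inside a key comment" >&2; return 1 ;;
    esac
    printf "nvram set sshd_authorized_keys='%s'\n" "$value"
    printf 'nvram commit\n'
    printf 'reboot\n'
}

# Usage (constructed paths): sh make-keys.sh ~/.ssh/linksys.pub ~/.ssh/laptop.pub
[ $# -gt 0 ] && emit_nvram_commands "$@"
```

The output is meant to be pasted into the SSH or telnet session on the router exactly as printed; because it refuses to emit anything when a key fails a check, you cannot end up committing a truncated key and locking yourself out.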

nvram command

nvram has multiple meanings. It is short for non-volatile RAM, a special type of persistent memory that retains data when the power is off. The flash memory in your router is a type of nvram. The nvram command is for managing hardware settings, which are stored on the last block of the flash memory. This memory segment is often called "the nvram." Different versions of the nvram command include IBM, Cisco, Oracle, and Apple variations. The nvram command in DD-WRT is fairly simple as it only displays and changes the values assigned to variables, and deletes variables. Run it with no options to see options and syntax:

root@linksys:~# nvram
usage: nvram [get name] [set name=value] [unset name] [show]

nvram show displays all the settings on your router, and there are a lot of them. You can use less to break it down to a page at a time:

root@linksys:~# nvram show | less

Or look for a specific variable with grep , like this:

root@linksys:~# nvram show | grep ssh

Quick tip for free: If you accidentally disable the web interface but still have telnet or SSH, re-enable it this way:

root@linksys:~# nvram set http_enable=1
root@linksys:~# nvram commit
root@linksys:~# reboot

The change will be applied after reboot. Remember the boot_wait setting? The GUI won't let you change its length, but nvram will. First find out how long it is:

root@linksys:/etc# nvram show | grep wait
boot_wait=on
wait_time=5

I'm the nervous type, so I want it to be ten seconds:

root@linksys:/etc# nvram set wait_time=10
root@linksys:~# nvram commit

This is how you clear a variable of any value:

root@linksys:~# nvram set http_enable=""
root@linksys:~# nvram commit

If you don't want a particular change to survive a reboot omit nvram commit , which is a good tactic when you're experimenting because you can simply reboot to discard changes.

nvram unset [variable] deletes the variable entirely. The OpenWrt Wiki has a good nvram command reference, NVRAM usage on OpenWrt 'WhiteRussian' (see Related topics).
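Pulling those commands together, here is an added example, not code from the article or from DD-WRT, that audits a saved nvram show dump for the administration settings covered so far: telnet left on, HTTP still enabled, password logins still accepted, a key-only SSH setup with no keys pasted (a lockout), WAN-side management, and a missing or short boot wait. The http_enable, boot_wait, wait_time and sshd_authorized_keys names are the ones the article uses; telnetd_enable, sshd_enable, sshd_passwd_auth, https_enable and remote_management are assumed DD-WRT variable names, so check them against your own nvram show output. The sample dump is constructed.

```shell
#!/bin/sh
# Added example (not the article's code): audit an `nvram show` dump for
# the remote-administration settings discussed above. On the router:
#     nvram show > /tmp/nv.txt; . ./audit-nvram.sh; audit_nvram "$(cat /tmp/nv.txt)"
# http_enable, boot_wait, wait_time and sshd_authorized_keys are the names
# the article uses; telnetd_enable, sshd_enable, sshd_passwd_auth,
# https_enable and remote_management are assumed DD-WRT variable names.

# Constructed dump of a router in the article's out-of-the-box state.
SAMPLE_WEAK='http_enable=1
https_enable=0
telnetd_enable=1
sshd_enable=0
sshd_passwd_auth=1
sshd_authorized_keys=
remote_management=0
boot_wait=on
wait_time=5
lan_ipaddr=192.168.1.1'

# Value of one variable from the dump (first line only, so a multi-line
# sshd_authorized_keys value reads as its first key).
nv_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Print one finding per line; return 1 if there were any.
audit_nvram() {
    dump=$1
    findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    [ "$(nv_get "$dump" telnetd_enable)" = "1" ] && \
        note "FAIL telnetd_enable=1: passwords cross the LAN in clear text; disable telnet and use SSH"
    [ "$(nv_get "$dump" sshd_enable)" = "1" ] || \
        note "WARN sshd_enable!=1: no command-line door into the router if the web GUI fails"

    pwauth=$(nv_get "$dump" sshd_passwd_auth)
    keys=$(nv_get "$dump" sshd_authorized_keys)
    if [ "$pwauth" = "1" ]; then
        note "WARN sshd_passwd_auth=1: password logins are brute-forceable; paste a public key and turn them off"
    elif [ -z "$keys" ]; then
        note "FAIL sshd_passwd_auth=${pwauth:-unset} with empty sshd_authorized_keys: nobody can log in over SSH"
    fi

    http=$(nv_get "$dump" http_enable)
    https=$(nv_get "$dump" https_enable)
    if [ "$http" = "1" ] && [ "$https" != "1" ]; then
        note "FAIL http_enable=1 without https_enable=1: GUI logins travel in clear text; switch to HTTPS only"
    elif [ "$http" = "1" ]; then
        note "WARN http_enable=1 beside https_enable=1: the clear-text GUI is still reachable"
    fi

    [ "$(nv_get "$dump" remote_management)" = "1" ] && \
        note "FAIL remote_management=1: the GUI is exposed on the WAN side"
    [ "$(nv_get "$dump" boot_wait)" = "on" ] || \
        note "FAIL boot_wait is not on: no recovery window after a bad flash"

    wt=$(nv_get "$dump" wait_time)
    [ "${wt:-0}" -ge 5 ] 2>/dev/null || \
        note "WARN wait_time=${wt:-unset}: under five seconds is a tight window for re-flashing"

    [ "$findings" -eq 0 ]
}

# Stand-alone demo on the constructed dump.
audit_nvram "$SAMPLE_WEAK" || :
```

The lockout check is the one worth keeping even if you drop the rest: turning off password authentication with an empty key list is easy to do from the GUI in the wrong order, and after the reboot only the serial console or a reset will get you back in.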

Your last resort to clean up a bollixed configuration is to reset all your settings to the firmware defaults by pressing and holding the reset button on your router for 30 seconds and then rebooting it. This restores the DD-WRT defaults, and does not restore the original firmware as some people mistakenly believe.

Creating a second partition

The normal DD-WRT image occupies a 4MB partition even if your flash memory is 8MB or more. You can create a partition on that unused space and use it to store files. Use it mainly for data that is written rarely and read often, for example wireless hotspot splash and configuration pages, web pages, extra configuration files, and storage for ipkg, the Itsy Package Management System for embedded devices. Don't use it for files that generate a lot of writes like logfiles, because flash memory supports a limited number of writes and eventually fails. Modern flash memory is pretty durable, but it still has a finite write lifespan. You can see your existing filesystem with the good old df command:

root@linksys:/# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 4.0M      4.0M         0 100% /

My router has 8 MB flash, so where is the rest of it? It's just sitting quietly, waiting to be used. Go to Administration > Management and check JFFS2 > Enable and Clean JFFS2 > Enable. Click Apply Settings, then Reboot Router. When it comes back up you should see something like this:

root@linksys:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 4.0M      4.0M         0 100% /
/dev/mtdblock/3           2.3M    196.0K      2.1M   9% /jffs

JFFS2 is the Journalling Flash File System version 2, designed for flash storage media. Let's talk a bit about what kind of medium this flash memory is. It is a special device called Memory Technology Device, or MTD for short. It is not a block device like a hard drive and USB sticks, and it is not a character device like a keyboard or mouse. Block devices are organized in fixed-size sectors, like 512 and 1024 bytes. MTDs have eraseblocks of 128KB and bigger. Block devices do two things: read sector and write sector. MTDs do three things: read from eraseblock, write to eraseblock, and erase eraseblock.

Compact Flash, SD cards, and USB sticks are all MTDs deep down inside. But they look like block devices to your operating system because they have Flash Translation Layers (FTL) which emulate block devices on top of flash hardware. This FTL can be on the host computer, or on firmware on a hardware controller inside the device. If you sacrifice a USB stick (a noble sacrifice for the advancement of knowledge) and pry it open, chances are you'll see some NAND chips, which are the raw flash chips, and a microcontroller.

You need to know a few things about flash memory for your DD-WRT adventures. One, NAND eraseblocks are all or nothing—the whole block has to be erased before new data can be written. Two, Linux has an MTD subsystem, and an mtd command for performing basic tasks such as erasing or writing an image to the device. You can run the mtd command with no options on DD-WRT to see syntax and options. You'll encounter some how-tos that use the mtd command in the DD-WRT wiki, so now you know what it is. Three, nvram resides on the last eraseblock, and it is programmatically limited to 32KB no matter how large the eraseblock is.
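The kernel publishes this partition table in /proc/mtd, and reading it is the quickest way to answer "where is the rest of my 8MB?" from the df output above and to see the eraseblocks just described. Here is an added example, not code from the article or from DD-WRT, that parses a /proc/mtd dump in POSIX sh and reports each partition's size and eraseblock count. The table in SAMPLE_MTD is constructed for an 8MB part with 64KB eraseblocks, laid out so that the rootfs and jffs sizes match the article's df output; the partition names and order on a real router differ, so run it against your own /proc/mtd.

```shell
#!/bin/sh
# Added example (not the article's code): read the kernel's /proc/mtd table
# and show how each flash partition divides into eraseblocks. On the router:
#     mtd_report "$(cat /proc/mtd)"
# SAMPLE_MTD is constructed for an 8MB, 64KB-eraseblock layout that matches
# the article's df output; real routers differ.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00400000 00010000 "rootfs"
mtd3: 00250000 00010000 "jffs"
mtd4: 00140000 00010000 "kernel"
mtd5: 00010000 00010000 "nvram"
mtd6: 00010000 00010000 "art"'

# One line per partition: device, name, size in KB, eraseblock count and
# eraseblock size in KB. The sizes in /proc/mtd are hex; sh arithmetic
# accepts 0x constants. A here-document keeps the loop in the current shell.
mtd_report() {
    while read -r dev size erase name; do
        case "$dev" in mtd*) ;; *) continue ;; esac     # skip the header
        bytes=$((0x$size)); eb=$((0x$erase))
        name=${name#\"}; name=${name%\"}
        printf '%s %s %dKB %d eraseblocks of %dKB\n' \
            "${dev%:}" "$name" $((bytes / 1024)) $((bytes / eb)) $((eb / 1024))
    done <<EOF
$1
EOF
}

# Total flash in KB across all partitions.
mtd_total_kb() {
    total=0
    while read -r dev size erase name; do
        case "$dev" in mtd*) total=$((total + 0x$size)) ;; esac
    done <<EOF
$1
EOF
    echo $((total / 1024))
}

# Eraseblock size in KB of the named partition; fails if there is none.
# nvram occupies one eraseblock and is capped at 32KB, so anything above
# 32KB reported here is unused headroom, not extra nvram.
mtd_eraseblock_kb() {
    while read -r dev size erase name; do
        [ "$name" = "\"$2\"" ] && { echo $((0x$erase / 1024)); return 0; }
    done <<EOF
$1
EOF
    return 1
}

# Stand-alone demo on the constructed table.
mtd_report "$SAMPLE_MTD"
echo "total: $(mtd_total_kb "$SAMPLE_MTD")KB"
```

On the constructed table mtd3 reports 2368KB in 37 eraseblocks, which is the 2.3M jffs partition df showed on /dev/mtdblock/3; the mtdblock number and the mtdN line match, which is how you confirm which partition a how-to's mtd write command is about to erase before you run it.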

Command-line hints

These hints can guide you in your DD-WRT explorations:

- DD-WRT is built on BusyBox, the wildly popular embedded Linux toolkit. BusyBox contains stripped-down versions of the core Linux utilities. To save space there are no man pages, so to learn about the BusyBox commands, which are called applets, read man busybox on a regular Linux system or online (see Related topics). Run ls -l /bin, and likewise /sbin, /usr/bin, and the other executable binary directories, to see which commands are symlinked to BusyBox.

- DD-WRT uses the ash shell, which comes with BusyBox. Type builtin at the command line to see all the shell builtins.

- Just like big grownup Linuxes, you can read the /proc and /sys pseudo-filesystems to dig up hardware information, and read configuration files in /etc.
