Daniel Burrows: Installing OpenWRT on a Linksys WRT54GL v1.1

Posted by Tux De Luxe at 10:00 08/03/2010
Daniel Burrows: Installing OpenWRT on a Linksys WRT54GL v1.1: "

I finally got a few hours free this morning to check an item off my
home system administration checklist: upgrading the wireless router's
firmware to OpenWRT. There were a couple motivations for this,
including the fact that my SoundBridge Radio
couldn't maintain a connection to my firefly server using the
built-in firmware, and I had read that OpenWRT would work better.



Since this is posted on Planet Debian, I should mention why I didn't
use DebianWRT. The basic answer is this text at the top of the
DebianWRT homepage:




Currently the most common methods used to run Debian on these
systems is to install OpenWRT or a similar firmware, add disk space
either by USB storage or NFS, create a debian chroot by either
running cdebootstrap from inside OpenWRT or debootstrap --foreign on
a PC, and running Debian from this chroot. For example, instructions
for the WLHDD.




I'm not sure whether this is because DebianWRT is experimental, or
because its goal is to use routers as cheap general computers. Either
way, it sounds way too complicated and/or fragile for what I'm
interested in (i.e., a wireless router with better software). The
goal here is to get something that does a better job than the built-in
WRT firmware, but doesn't require too much tinkering to get working or
to maintain. I have plenty of outlets for my tinkering urges already.



Nothing here was exactly difficult, but it was hard to find all the
information I needed to get things working. Hopefully documenting the
steps I went through here will save someone else some time.



Step 1: acquire the firmware



This was trickier than you might think. If you click on the
download link at the OpenWRT web site, you end up at the
top of an FTP server populated with a vast quantity of stuff. Worse,
when you find the actual firmware images, you'll quickly discover that
there are piles and piles of them divided between sixteen directories,
and no guidance as to which one to pick. And picking the wrong one
will turn your beautiful router into a doorstop.



Luckily, the OpenWRT documentation contains a section called 'Getting
Started'. Unluckily, that section consists of the following text:




1.1 Getting started



1.1.1 Installation



1.1.2 Initial configuration



1.1.3 Failsafe mode




Whoops, someone forgot to execute on a TODO. :-)



Undeterred, I consulted the usual fallback reference, Google. It
pointed me at several references, some of which were hidden on other
parts of the OpenWRT site. Armed with these, I was able to determine
that:




  1. My WRT54GL v1.1 probably uses a Broadcom 5352 chipset.

  2. The correct firmware, according to multiple sources, is probably
    in the kamikaze top-level director, the latest version's
    subdirectory, and the bcrm-2.4 directory under the
    version (the link is to 8.09.2, which is current as of March 6,
    2010). Apparently the bcrm47xx directory doesn't have wireless
    support; it helpfully contains a file called
    NO-BROADCOM-WIRELESS to warn you off, but unhelpfully doesn't
    include any additional information in that file (like what exactly
    is broken or that you can find a working firmware in a sibling
    directory) ... oh well.

  3. The firmware file that you want is
    openwrt-wrt54g-squashfs.bin, even though it doesn't match the
    model number of the router. This directory could use a README
    file explaining which hardware is supported by each of the dozen
    or so firmware files it contains.



Step 2: install the firmware



After Step 1, this was a real relief. I just used the built-in
Linksys firmware installer, pointed it at the .bin file, and it went.



Step 3: configure the router



The installation guide I followed was pretty much silent about what to
do after I got the firmware on. Luckily, this is just a software
problem, meaning it's much more familiar territory for me.




  1. First things first: I checked that I could still get a DHCP lease.
    It worked.


  2. Armed with that, I tried telneting to the router. I used the
    resulting root prompt to set a password on the root account.


  3. I logged out and tried telneting in. Apparently the router is
    configured to disallow root logins over telnet if you don't have a
    password. Good for them (although why allow telnet at all?); oops
    for me.


  4. Luckily, an ssh server was installed by default. I like using
    keys to log in, so I tracked down the documentation on
    configuring the server to use public-key authentication;
    it turns out there's a single global key file named
    /etc/dropbear/authorized_keys that's exactly like OpenSSH's
    per-user authorized_keys file. No idea what would happen if I
    had multiple users, but I won't.


  5. The next obstacle: I didn't have an Internet connection. For some
    reason, my cable modem didn't want to give the router a DHCP
    lease. On the off-chance that it was remembering too much, I
    rebooted it and ran ifup wan. That fixed the problem. I still
    don't know why.


  6. Not a step, but a useful note: in the process of figuring the
    above out, I found readlog. It's basically dmesg for syslog
    files    ; it shows the most recent lines written to syslog. This
    is useful because there isn't a real syslog file, due to the fact
    that there would be no room to store it on the 54GL.


  7. Finally, I had to get wireless working. The documentation is very
    helpful when it comes to describing the syntax of the wireless
    configuration. Unfortunately, I read the list of encryption
    options and missed the section right below where their meanings
    are explained (although, to be honest, I might not have understood
    the implications of the explanation without the research I did
    anyway).




    option encryption none, wep, psk, psk2, wpa, wpa2




    I wanted WPA2 encryption, so I entered wpa2. And nothing
    worked. After a good hour of trying different options on the
    client, swapping software components in and out on the router,
    experimenting with the encryption key syntax, and crawling Google,
    I finally found my answer. If you just want WPA2 encryption, you
    must not use wpa2 as the encryption type. Instead, use
    psk2. It turns out out that wpa2 actually means use
    WPA2 and also use an external RADIUS server for
    authentication    . psk2 is the system you're familiar with
    from a typical consumer wireless router.




Step 4: enjoy



And with that, it works.



Unfortunately, contrary to what I wrote here originally, my Roku still
doesn't work. On the other hand, having a real Linux installation is
helpful for debugging it. Currently my suspicion is that the router
isn't passing multicast packets between the wired and wireless
interfaces (broadcast works fine, multicast doesn't). That said, it
seems like if I restart Firefly just before I start playing music, I
can play reasonably reliably -- as long as I don't stop, because if I
do, the Roku forgets that the music server is there. Either
way, I've spent about as much time fighting this as I can afford. :-/



One lingering worry I have is security; unlike Debian, which has both
a security mailing list and tools to inform me when I need to install
a security update, the OpenWRT firmware doesn't seem to have any
mechanism for distributing security notices. True, there is an
openwrt-security-announce list, but it
appears to be entirely unused, as is openwrt-announce. Something to
keep an eye on, then.



Also (file under note to self), I need to remember to verify
that the router isn't exposing services to the outside world. The
default iptables configuration is hideously complex; with just a
quick glance, it could be setting up a floral shop for all I can tell.
I'll need to test this empirically and maybe analyze the rules in more
depth.

"