Thursday, 17 November 2011

Getting past the GFW with the third-party router firmware DD-WRT

A VPN is an advanced feature that ordinary home routers cannot possibly support. With DD-WRT it is different: DD-WRT has VPN built in, and with a few simple settings you can turn your router into a VPN server.
Speaking of third-party router firmware, I have personally ruined two Buffalo G54S units while they were still under warranty (strictly speaking, the first one was bricked by flashing, the second one wore out). I have since replaced them with a newer G125 (half the RAM; Buffalo learned Linksys's dirty trick), but since it is out of warranty I have not flashed it.
The popular choices right now are DD-WRT, Tomato and OpenWrt. The first two are the most popular, and each has its own strengths.
DD-WRT is very strong at piggybacking on other networks (taking someone else's wireless signal, amplifying it through your own router and handing it on to your clients). See the supported-device list.
Tomato is stronger at QoS, and its interface is very responsive, so it is the better choice if bandwidth is tight!
Once your router runs one of these third-party firmwares, the benefit is that for under 300 yuan you get a router with the features of ones that cost thousands!
Of course, stability cannot compare with the official OS, so this is for people who like to tinker. The alonvpn VPN I mentioned in an earlier post as a GFW-circumvention tool finally comes in handy here.
A screenshot:
[Screenshot: VPN settings for getting past the GFW with third-party router firmware]
Server IP: the router's IP address
Client IP(s): the IP addresses for the computers that will use the VPN (make sure they do not overlap with the DHCP pool, or there may be conflicts)
CHAP-Secrets: fill in using the format username * password *
That is all the setup; go and enjoy!
As an aside, once the VPN is in place, people can use the VPN dial-up built into their operating system to connect to my router and we can play LAN games against each other!
This is a huge benefit for people living in shared dorms.
from: http://www.congoilublog.com/2009/04/%E7%94%A8%E7%AC%AC%E4%B8%89%E6%96%B9%E8%B7%AF%E7%94%B1%E5%9B%BA%E4%BB%B6%E7%BF%BB%E5%A2%99/
-----------------------------------------------------------------------
Setting up a VPN on DD-WRT

What is DD-WRT?
That is a long story. In short, just as a computer needs an operating system, so does a router, and some router manufacturers use a specially modified Linux as the OS for their products. The Linux kernel is released under the GPL, and under the GPL, if you modify and use GPL-licensed code, you must keep your modified code open and release it under the GPL when you redistribute it. This gave many people the opportunity to study the source code of such routers, and on that basis many "enhanced" router operating systems appeared. DD-WRT is one of the best of them.

DD-WRT has a great community, a group of remarkable nerds who turn ordinary electronics into delightful toys. This has nothing to do with ethnicity, but I do like that serious, precise, clever German spirit, and DD-WRT confirmed it for me: DD-WRT came from OpenWRT yet has developed more healthily, faster and better than the latter, which should say something.
OK, back to DD-WRT: if you have a router that DD-WRT supports, you should try turning it into the DD-WRT version. It's really fun!

What is a VPN?
I know jargon is always annoying, but VPN should not be unfamiliar to many of you. VPN stands for Virtual Private Network; it opens an encrypted "tunnel" that connects a computer outside a LAN to the inside of that LAN. For example, many companies' internal LANs cannot be reached from the outside WAN, but if the company has a VPN endpoint, you can use that tunnel to connect from home into the company LAN and fetch files, just as if you were sitting at a computer in the office.

How do you set it up?
The following assumes you already have a DD-WRT router. If you do not but want one, check the list of routers that can be flashed to DD-WRT (http://www.dd-wrt.com/wiki/index.php/Supported_Devices) to see whether yours is there.

The settings are:
    * Server IP: the IP of your router
    * Client IP(s): here you assign a range of IPs for the computers that connect to the router. It is best not to collide with the range DHCP hands out automatically. You can allocate from the same subnet, or set up a separate subnet for it.
    * CHAP-Secrets: set usernames and passwords here, in the format username * password *, one username/password pair per line.
Those few fields are all you need.

What can you use the VPN for?
What attracts me most is LAN gaming. I give my friends a username and password, they connect to my router using the VPN dial-up built into their OS, and once connected we are all on the same LAN, so StarCraft, CS, Warcraft and the like can all be played together.
---------------------------------------------------------------------------------------------------------------------------
Build your own GFW-bypassing router

Flash the router with DD-WRT + PPTP VPN + automatic switching between inside and outside the wall

1) You need a router that DD-WRT supports

Something like this: http://search.taobao.com/search?shopf=newsearch&q=dd-wrt

2) You need a PPTP VPN account that can reach overseas

To request a test account, e-mail eevpn.com@gmail.com with the subject VPN TEST

3) Follow this guide

http://code.google.com/p/autoddvpn/wiki/README

THAT'S IT. Your router now gets past the wall automatically, and every computer, phone... connected at home does too.

from: https://www.google.com/buzz/puff1984/91AuwXPvgi5/%E9%80%8F%E6%98%8E%E7%BF%BB%E5%A2%99-%E8%87%AA%E5%88%B6%E4%B8%80%E4%B8%AA%E7%BF%BB%E5%A2%99%E7%8C%AB-%E7%94%A8D
-----------------------------------
A GFW-bypassing router based on Tomato + OpenVPN with domestic/foreign traffic splitting
I have recently been researching a zero-skill way of getting past the wall. After much thought I decided the wireless router was the place to work on, and after more than half a month of debugging and testing it is done, and it works very well.
My hope is that once technically minded friends have mastered this, they can set up such routers in places that offer public WiFi; with the technical barrier gone, circumventing the wall would become an unstoppable trend.
My vision is that one day a coffee shop without uncensored WiFi will be embarrassed to greet its customers, and a hotel's GFW-bypassing router will be as standard as satellite TV (just as hotels get channels you cannot get at home).
There are many other benefits that I will not list one by one. Back to the topic: here is how I built my router.
==========Hardware and software required=========
1. One wireless AP router that can be flashed with Tomato 1.27vpn3.6; generally any router with 4 MB of flash will do. I am using a Linksys WRT54G2, the 8 MB flash version.
2. One VPN server abroad. You can buy a VPS and set up OpenVPN yourself; I have an earlier tutorial on setting up OpenVPN, and there are plenty online, so I will not repeat it here.
Tip: on some restricted networks, you can set the OpenVPN server's port to TCP 80 or 443.
3. Tomato 1.27vpn3.6 (download: http://tomatovpn.tomatomod.de/release/1.27vpn3.6/). Why not DD-WRT? Because DD-WRT's startup scripts are more cumbersome and harder to get started with.
4. OpenVPN 2.1.1. Both client and server must be this version, because earlier versions do not support the max-routes parameter or inline certificates, and max-routes is used later for the domestic/foreign split.
==========Building the router==========
1. Flash the router to Tomato 1.27vpn3.6 (the OpenVPN built into this version is 2.1.1, which meets our needs). (This post takes no responsibility for bricked routers, but I can offer technical support, although I am not that good either.)
2. Set up the startup scripts
Go to the router's admin interface, then Administration, then Scripts.
A. Set the Init script to load the tun module, which OpenVPN requires:
insmod /lib/modules/2.4.20/kernel/drivers/net/tun.o

B. Set up iptables forwarding, under the Firewall script. The sleep 10 waits for the module above to finish loading, otherwise it rushes ahead; the IP at the end is your LAN's address range.
sleep 10
iptables -t nat -A POSTROUTING -s 192.38.38.0/24 -j MASQUERADE
C. Start the OpenVPN connection, in the WAN Up script. Because Tomato scripts have a size limit, even the simplest OpenVPN + certificate configuration does not fit, so I used a small trick: download the files. The example uses two files: the first is the OpenVPN client conf file (explained in detail below), the second, suoluo, holds the username and password; if you do not want username/password authentication you can skip downloading it. There is a sleep after every step to make sure each command completes; set the time according to your router's speed, but I think the current sleep times are about right. The last command starts OpenVPN. If you do not want domestic/foreign traffic splitting you can stop reading here and go try it; if you do, read on.
sleep 20
cd /tmp
# the two download commands that fetch suoluo.conf and the suoluo password file into /tmp go here (the post does not give their URLs)
sleep 30
openvpn --config suoluo.conf
D. Other Tomato settings
QoS and so on, according to your own needs; I will not waste words on it here.
==========Split-routing configuration in OPENVPN.CONF==========
# Basic OpenVPN configuration
client
dev tun
proto udp
# a "remote <server> <port>" line is needed here; the post omits it
resolv-retry infinite
nobind
persist-key
persist-tun
reneg-sec 86400
auth-user-pass suoluo # username/password authentication; remove this line if you do not need it. By the way, suoluo is the file downloaded earlier. Its format is a pain: it needs an extra newline, i.e. the username on one line, the password on the next, and a blank line at the end. The official docs never mention this and I have no idea how I worked it out :-P
auth-retry interact
ns-cert-type server
comp-lzo
verb 3
max-routes 2000 # this is the parameter for the domestic/foreign route split. I set a maximum of 2000 entries; there are actually just over 940, the rest is headroom for future growth. These are all domestic IPs, so once this is added domestic traffic goes out directly instead of through the VPN, which keeps domestic speed up and reduces the load on the OpenVPN server. You can maintain the IP pool yourself; I built mine from the list at http://ftp.apnic.net/apnic/dbase/data/country-ipv4.lst, which is currently up to date.
#push_cn_routes
route 110.6.0.0 255.254.0.0 net_gateway 5
route 110.16.0.0 255.252.0.0 net_gateway 5
# ....... the post is too long; the section cut here is available as a download called "routes"
route 61.232.0.0 255.252.0.0 net_gateway 5
route 61.236.0.0 255.254.0.0 net_gateway 5
route 61.240.0.0 255.252.0.0 net_gateway 5
#push_chn_route
# below is the CA certificate, i.e. the contents of the ca.crt file generated on your server
<ca>
-----BEGIN CERTIFICATE-----
certificate contents
-----END CERTIFICATE-----
</ca>
# below is the user certificate, i.e. the contents of the client.crt file generated on your server, e.g. my suoluo.crt
<cert>
-----BEGIN CERTIFICATE-----
certificate contents
-----END CERTIFICATE-----
</cert>
# below is the user key, i.e. the contents of the client.key file generated on your server, e.g. my suoluo.key
<key>
-----BEGIN RSA PRIVATE KEY-----
key contents
-----END RSA PRIVATE KEY-----
</key>

key-direction 1
# below is the tls-auth key, i.e. the contents of the ta.key file generated on your server
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ta.key contents
-----END OpenVPN Static key V1-----
</tls-auth>

That's it, all done. If you use the traffic split, building the routing table takes about 5 minutes, so the router can get online about 5 minutes after boot; without the split, a bit over 2 minutes. Questions and experiences are welcome.
 
from: http://suoluo.org/2010/05/223/
----------------------------------------------------------------------------------------------

Building a super-cheap "freedom" router on OpenWrt

Only 60 yuan!!!!!!!!! For just 60 yuan you can get past the wall seamlessly!!!! Act now!!!!! (in the style of the Douban rant groups)
Those so-called GFW-bypassing routers, the so-called Laoshan routers, and that so-called Weizhong knock-off router (they are pretty greedy: a lousy RG100A sells for 360, plus several hundred a year in VPN fees) can all go home.
All you need now is to buy an RG100A-AA or DB120 router on Taobao (if the seller is decent it will probably already have the Chinese OpenWrt flashed). One in good condition is about 70-80 yuan on Taobao, a worn one 50-60.
Preparation:
1. One RG100A-AA router
2. One OpenVPN server or account (I recommend a VPS from rapidxen.net for OpenVPN: unlimited traffic, guaranteed fast; I can watch 480p on YouTube 24 hours a day on Beijing Unicom without stalling, but as it is a PR line it has fits now and then and recovers; lately the fits seem worse, so I am waiting to see. About 80 USD a year; split among 20 friends that is more than enough. Or use my purely non-profit OpenVPN at 50 a year, haha.)
3. Internet access
4. The OpenWrt firmware
Let's start:
Routers bought on Taobao usually come flashed with the Chinese Backfire 10.03.166 build made by the openwrt.org.cn site admin; if you use that version you can skip the network configuration section and go straight to the OpenVPN configuration.
1. Download the firmware
The latest OpenWrt firmware is Backfire 10.03.1-rc3; choose openwrt-RG100A_DB120-squashfs-cfe.bin from the listing below.
Download: http://downloads.openwrt.org/backfire/10.03.1-rc3/brcm63xx/
Recommended firmware: the Chinese Backfire 10.03.166 build by the openwrt.org.cn admin (if you use this version you can skip the network configuration)
Download: http://www.openwrt.org.cn/bbs/viewthread.php?tid=737
2. Update the router firmware
If it was already running OpenWrt, just use the firmware update.
Otherwise use the TTL-free update method:
Power off, hold the RESET button while powering on, and keep pinging 192.168.1.1 from your computer; once replies with TTL=100 appear, release RESET, open 192.168.1.1 in a browser, enter username telecomadmin and password nE7jA%5m, then upgrade. Because CFE versions differ, the following usernames and passwords are also possible:
Username: telecomadmin Password: nE7jA%5m
Username: admin Password: 8mCnC@bj
Username: bjcnchgw Password: 8mCnC@bj
Or the password is the same as the username.
3. Network configuration (skip if you flashed the 166 build)
First log in to 192.168.1.1 in a browser and click Administrator on the right to switch to administrator mode; SSH can only be enabled after you set the admin password.
SSH to 192.168.1.1
Edit the network config to add VLANs:
vim /etc/config/network
config interface loopback
option ifname   lo
option proto    static
option ipaddr   127.0.0.1
option netmask  255.0.0.0


config interface lan
option type     bridge
option ifname   eth1.0
option proto    static
option ipaddr   192.168.0.38
option netmask  255.255.255.0
option gateway 192.168.0.1
option dns 192.168.0.1
option nat      1


config interface wan
option ifname eth1.1
option proto dhcp


config switch eth1
option reset 1
option enable_vlan 1


config switch_vlan
option device eth1
option vlan 0
option ports "1 2 3 5*"


config switch_vlan
option device eth1
option vlan 1
option ports "0 5*"
Save the file and reboot.
This turns the router's LAN1 port into the WAN port; you can connect it to the ADSL modem or an upstream router, then set the IP through the web admin and make sure it can get online.
For wireless, if there are problems you can reset the wireless settings with this command over SSH and then configure it through the web admin again.

rm -f /etc/config/wireless; wifi detect > /etc/config/wireless
4. OpenVPN setup
Once you are sure it is online, install and configure OpenVPN. Super simple!!!!!!!
First update the package sources:
opkg update
Then install openvpn:
opkg install openvpn
This also pulls in the lzo compression library that OpenVPN needs.
Done... that's it... haha
The key part is still the OpenVPN client configuration file from my earlier router tutorial.
An OpenVPN setup usually comes with the files ca.crt, user.key, user.crt and user.ovpn; we need to merge these four files into one.
You can follow the file below; if you do not need the domestic/foreign split and want a global VPN, remove the route parameters from the config file.
Then run openvpn --config openvpn.conf and you are free to get past the wall.... (turn this into a script and put it in startup, and it connects automatically at boot; how sweet)
Wait....
There is one more crucial setting; if you do not have iptables you can install it with opkg install:
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
These can be added to /etc/firewall.user so you do not have to type them every time. The IP range above is the subnet below the router; change it according to your own LAN settings.
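To catch the mismatch the post warns about, here is an added check (not part of the original post or of OpenWrt) that reads a UCI /etc/config/network and a /etc/firewall.user and verifies that the MASQUERADE rule's -s subnet actually covers the LAN. Both sample files are constructed and reproduce the post's 192.168.0.x LAN beside a 192.168.1.0/24 rule.

```python
import ipaddress
import shlex

# Constructed sample of /etc/config/network with the LAN stanza from the post
# (ipaddr 192.168.0.38, netmask 255.255.255.0).
SAMPLE_NETWORK = """\
config interface lan
    option type     bridge
    option ifname   eth1.0
    option proto    static
    option ipaddr   192.168.0.38
    option netmask  255.255.255.0
    option gateway  192.168.0.1

config interface wan
    option ifname   eth1.1
    option proto    dhcp

config switch_vlan
    option device   eth1
    option vlan     0
    option ports    "1 2 3 5*"
"""

# Constructed sample of /etc/firewall.user with the two rules from the post.
# The -s subnet is 192.168.1.0/24 while the LAN above is 192.168.0.0/24:
# exactly the copy-paste mismatch the post warns about.
SAMPLE_FIREWALL_USER = """\
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
"""


def parse_uci_interfaces(text):
    """Minimal UCI reader: {name: {option: value}} for 'config interface' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # handles quoted values like "1 2 3 5*"
        if not tokens:
            continue
        if tokens[0] == "config":
            current = None
            if len(tokens) >= 3 and tokens[1] == "interface":
                current = sections.setdefault(tokens[2], {})
        elif tokens[0] == "option" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = tokens[2]
    return sections


def lan_network(sections):
    """The LAN subnet implied by ipaddr/netmask, e.g. 192.168.0.0/24."""
    lan = sections["lan"]
    return ipaddress.ip_interface(f"{lan['ipaddr']}/{lan['netmask']}").network


def masquerade_sources(text):
    """Source subnets (-s) of every nat POSTROUTING MASQUERADE rule in the file."""
    srcs = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if "MASQUERADE" in tokens and "POSTROUTING" in tokens and "-s" in tokens:
            srcs.append(ipaddress.ip_network(tokens[tokens.index("-s") + 1], strict=False))
    return srcs


def check_masquerade(network_cfg, firewall_user):
    """Findings as strings; an empty list means the NAT rule covers the LAN."""
    lan = lan_network(parse_uci_interfaces(network_cfg))
    srcs = masquerade_sources(firewall_user)
    findings = []
    if not srcs:
        findings.append("no POSTROUTING MASQUERADE rule with -s: LAN clients will not be NATed into tun0")
    for src in srcs:
        if not lan.subnet_of(src):
            findings.append(f"MASQUERADE source {src} does not cover LAN {lan}; clients on {lan} stay un-NATed")
    return findings


if __name__ == "__main__":
    for line in check_masquerade(SAMPLE_NETWORK, SAMPLE_FIREWALL_USER) or ["OK: NAT rule matches the LAN"]:
        print(line)
```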
==========Example split-routing configuration in OPENVPN.CONF==========
# Basic OpenVPN configuration
client
dev tun
proto udp
remote openvpn.suoluo.org
resolv-retry infinite
nobind
persist-key
persist-tun
reneg-sec 86400
auth-user-pass suoluo # username/password authentication; remove this line if you do not need it. By the way, suoluo is the file downloaded earlier. Its format is a pain: it needs an extra newline, i.e. the username on one line, the password on the next, and a blank line at the end. The official docs never mention this and I have no idea how I worked it out :-P
auth-retry interact
ns-cert-type server
comp-lzo
verb 3
max-routes 2000 # this is the parameter for the domestic/foreign route split. I set a maximum of 2000 entries; there are actually just over 940, the rest is headroom for future growth. These are all domestic IPs, so once this is added domestic traffic goes out directly instead of through the VPN, which keeps domestic speed up and reduces the load on the OpenVPN server. You can maintain the IP pool yourself; I built mine from the list at http://ftp.apnic.net/apnic/dbase/data/country-ipv4.lst, which is currently up to date.
#push_cn_routes
route 110.6.0.0 255.254.0.0 net_gateway 5
route 110.16.0.0 255.252.0.0 net_gateway 5
# ....... the post is too long; the section cut here is available as a download called "routes"
route 61.232.0.0 255.252.0.0 net_gateway 5
route 61.236.0.0 255.254.0.0 net_gateway 5
route 61.240.0.0 255.252.0.0 net_gateway 5
#push_chn_route
# below is the CA certificate, i.e. the contents of the ca.crt file generated on your server
<ca>
-----BEGIN CERTIFICATE-----
certificate contents
-----END CERTIFICATE-----
</ca>
# below is the user certificate, i.e. the contents of the client.crt file generated on your server, e.g. my suoluo.crt
<cert>
-----BEGIN CERTIFICATE-----
certificate contents
-----END CERTIFICATE-----
</cert>
# below is the user key, i.e. the contents of the client.key file generated on your server, e.g. my suoluo.key
<key>
-----BEGIN RSA PRIVATE KEY-----
key contents
-----END RSA PRIVATE KEY-----
</key>

key-direction 1
# below is the tls-auth key, i.e. the contents of the ta.key file generated on your server; it can be left out, depending on whether the server has tls-auth enabled
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ta.key contents
-----END OpenVPN Static key V1-----
</tls-auth>
Finally, there is a lot of software at http://downloads.openwrt.org/backfire/10.03.1-rc3/brcm63xx/packages/
that you can install and play with.
Oh, and dnsmasq is installed by default; be sure to enable it, as it can guard against GFW DNS poisoning.
A few more words:
I wrote the earlier router tutorials so that people would build their own. Later the autoddvpn project for DD-WRT (http://code.google.com/p/autoddvpn/) and that so-called Weizhong router appeared, and I was quite pleased and planned to stop tinkering and leave it for everyone to carry on; I had at least set things going. But the moment you got lazy, someone used this to make money.
I am not against making money from circumvention; there are plenty of VPN sellers on Taobao. But turning this router into a monopoly and profiteering is what I object to. What I have always advocated is that the more people take part, the less the Party can control these routers, because there is nothing to grab hold of. Once a single vendor like Weizhong has it all, the Party has a target and can act easily, harming not only themselves but possibly the people using their routers too.
I hear VPNs are no longer safe lately, so these days it is best to do it yourself. The tutorials are all clear; it only takes a little time. Ask me if you have questions.
With this, circumvention solutions for all three router firmwares, Tomato, DD-WRT and OpenWrt, are covered; take your pick.
from https://suoluo.org/2010/09/297/
----------------------------------------------------------------------------------
openvpn is also integrated into the Tomato and DD-WRT and open-wrt firmware that we've used to upgrade our routers into home network superstars.
----------------------------------------------------
http://lifehacker.com/5487500/five-best-vpn-tools
VPN software brings the security of a private network to an insecure network, and allows you to access private local networks from anywhere. As we've explained in the past, you can do things between computers on your local network you can't from out on the internet: like listen to a shared iTunes library or access files in shared folders. Virtual private network applications give you access to your computer from anywhere on the internet as if you were home on your local network. Earlier this week we asked you to share your favorite software for establishing and maintaining virtual private networks. We rounded up the votes, and now we're back with the five most popular VPN applications.
If you're new to the idea of virtual private networks, you can read up on the technical nitty-gritty at the Wikipedia entry for VPNs. Note: This Hive Five contains both VPN server applications (the apps that create virtual private networks on your local network so it's accessible from the outside world) and VPN client applications (the apps that connect to virtual private networks from the outside world). In many instances companies produce VPN servers, VPN clients, VPN servers with accompanying clients, or VPN clients that are designed to work with a variety of servers.

OpenVPN (Windows/Mac/Linux, Free)


OpenVPN is an open source VPN server that's easy to set up for use with open source VPN clients. You can easily export configuration files from OpenVPN to import into a variety of open source and commercial clients. OpenVPN is also integrated into several router firmware packages including popular DD-WRT, OpenWRT, and Tomato. The OpenVPN system isn't compatible with popular commercial VPN providers, but it provides an open source and free alternative for setting up VPNs to expensive and closed commercial models.

Cisco VPN (Windows/Mac/Linux, Variable Cost)

Cisco has a high market saturation in corporate and educational environments, and for many of you, any experience you've had with virtual private networks is through such exposure. The price to run a Cisco VPN is highly variable—and you can't even get a concrete number without a quote from the company—but you can, as an end user, download the free Cisco VPN client for Windows and Mac—though many readers complained about the lack of 64-bit support in the free Cisco client.

LogMeIn Hamachi (Windows/Mac/Linux, Free)


Hamachi's strongest attribute is its ease of use. If you've read some of the other entries in the Hive Five and realized that you don't want a contract for a corporate VPN or the hassle of configuring a bunch of routers with open-source firmware packages, and you just want to set up a simple virtual network between you and your friend, your phone, or your office, Hamachi offers nearly instant deployment. Install the Hamachi client on all the machines and devices you want to connect into your network and add them to your Hamachi VPN and you're done. It's dead simple. The downside, if you're concerned about it, is that your VPN isn't locally managed—it's centrally managed by Hamachi through their servers.

Shrew Soft (Windows/Linux, Free)


Shrew Soft offers a VPN that, while popular in its own right, received quite a boost when people started adopting Windows 7 64-bit in droves and found that Cisco wasn't in any hurry to release a 64-bit client to accommodate them. Shrew Soft works with a variety of VPN server protocols including IPsec, OpenSWAN, freeSWAN, and strongSWAN.

Windows Built-In VPN (Windows, Free)


Windows has a built-in VPN client. Surprised? Many people are. It's not a heavily advertised feature, but it covers many people's needs. Before exploring other client solutions, it's worth pulling up the quick launch box in the Windows start menu and typing "VPN" to start the configuration process. In Windows versions prior to Windows Vista, the built-in VPN client received a fair amount of criticism for lacking features and supported protocols. Since Vista and especially in the Windows 7 implementation, it's grown significantly and unless you need a feature or standard that isn't implemented you may not need to install anything at all.

An honorable mention goes out to the Mac OS X built-in VPN client. Have a VPN tip, trick, or application to share? Let's hear about it in the comments
-----------------------------------------------------------------------

A transparent GFW-bypassing router based on DD-WRT and OpenVPN


DD-WRT needs no introduction: a powerful wireless router firmware, known for its universal repeater mode.
OpenVPN is a software package for creating encrypted virtual private network tunnels.
A brief walkthrough of the basic build:
Preparation:
Router: mine is a Netgear 614 v6 bought on Taobao; mine has a JTAG header, so it cannot be bricked.
Firmware: since I have 8 MB of flash I flashed dd-wrt.v24-14471_NEWD_big.bin (which includes OpenVPN 2.1.1). Download the firmware yourself; it depends on the device, so I am not giving a link.
OpenVPN: I bought @yegle's OpenVPN service and it feels good.
Software steps:
1 After flashing the router, set up the "time service" on the Setup page and make sure the router's clock is correct, otherwise the OpenVPN connection will be affected.
My lousy school's client conflicts with this NTP service, so I set the clock manually with date.
One more step: enable SSH on the router under Services, Secure Shell.
2 Edit your OpenVPN configuration file; the route information needs to be added here, and it comes from chnroutes.
For adding the routes I am simply copying the chnroutes project's instructions; if anything is unclear, see http://code.google.com/p/chnroutes/wiki/Usage
This method applies to users of OpenVPN v2.1 or later, because OpenVPN v2.1 added a new parameter called max-routes; by setting it we can add more than 100 routes directly in the configuration file (server or client). The steps are:
  1. Download the chnroutes_openvpn_v2.1 file
  2. Run python chnroutes_openvpn_v2.1 on the command line; this generates a text file named routes.txt. Users who do not want to install Python can download that file directly from the project's downloads list; it is updated once a month.
  3. Open that file in your favourite text editor and paste its contents at the end of the OpenVPN configuration file
  4. Also add a line max-routes num at the top of the OpenVPN configuration file, where num is a number no smaller than the number of lines in routes.txt. In practice, since the server also pushes some routes, to be safe you can use the line count of routes.txt plus 50; for example, if routes.txt currently has 940 lines, you can set it to 1000: max-routes 1000
  5. After editing, reconnect OpenVPN and test whether it worked using the method described earlier
3 Do not use the OpenVPN settings built into the router's web interface; that thing is hard to describe.
In SSH or Telnet, enter iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE to change the iptables settings. Note: this is a very important step; do not copy blindly, check whether the LAN IP range applies to your own environment.
Put the OpenVPN configuration file anywhere via SCP (SSH); I put it directly under /tmp/root/. It is lost on power loss, but for someone like me who never turns the router off it makes no difference.
4 Command:
openvpn --daemon --config <path to the OpenVPN configuration file>
Watch the routing table (route) and process list (ps) to confirm the routes have been added, and that is it.
From now on traffic through this router is split: domestic destinations go via the domestic line as usual, foreign ones via the VPN (note: foreign destinations, not just blocked ones).
Finally no more fiddling with such-and-such proxy settings......
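The route generation that both the Tomato post's max-routes/APNIC list and the chnroutes steps above describe, as an added example that is not part of either post or of chnroutes: it turns APNIC delegated-format records into the route ... net_gateway lines, sizes max-routes the way chnroutes recommends, and shows which way a given destination will leave the router. The APNIC excerpt is constructed, and the classifier assumes the server pushes a default route.

```python
import ipaddress

# Constructed excerpt in the APNIC "delegated" format (registry|cc|type|start|value|date|status)
# that chnroutes-style scripts consume; the CN rows reproduce three prefixes from the posts
# (61.232.0.0/14, 61.236.0.0/15, 110.6.0.0/15). Header and summary rows are included
# because real files carry them too.
SAMPLE_APNIC = """\
2|apnic|20110414|12|19830101|20110413|+1000
apnic|*|ipv4|*|5|summary
apnic|CN|ipv4|61.232.0.0|262144|20001110|allocated
apnic|CN|ipv4|61.236.0.0|131072|20001110|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|110.6.0.0|131072|20090303|allocated
apnic|CN|ipv6|2001:da8::|32|20000411|allocated
"""


def parse_cn_blocks(text):
    """IPv4 networks allocated to CN. APNIC rows give a start address and a host count;
    a count that is not a power of two is split into proper CIDR blocks."""
    nets = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 5 or parts[1] != "CN" or parts[2] != "ipv4":
            continue
        start = ipaddress.IPv4Address(parts[3])
        last = start + int(parts[4]) - 1
        nets.extend(ipaddress.summarize_address_range(start, last))
    return nets


def openvpn_route_lines(nets, metric=5):
    """One 'route <net> <mask> net_gateway <metric>' line per block, as in the posts'
    configs: these destinations bypass the tunnel and leave via the local gateway."""
    return [f"route {n.network_address} {n.netmask} net_gateway {metric}" for n in nets]


def max_routes_value(nets, headroom=50):
    """max-routes must exceed the number of route lines plus whatever the server pushes;
    the chnroutes advice is line count + 50, rounded up (940 lines -> 1000)."""
    n = len(nets) + headroom
    return -(-n // 100) * 100


def exit_path(dst, nets):
    """Which way a destination leaves the router once the config is loaded: 'net_gateway'
    if it matches a bypass route, otherwise 'vpn' (assumes the server pushes a default route)."""
    addr = ipaddress.IPv4Address(dst)
    return "net_gateway" if any(addr in n for n in nets) else "vpn"


if __name__ == "__main__":
    cn = parse_cn_blocks(SAMPLE_APNIC)
    print(f"max-routes {max_routes_value(cn)}")
    print("\n".join(openvpn_route_lines(cn)))
    # A DNS resolver that falls inside a bypass block is queried outside the tunnel,
    # one reason the OpenWrt post insists on running dnsmasq against poisoning.
    for ip in ("61.233.1.1", "8.8.8.8"):
        print(ip, "->", exit_path(ip, cn))
```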
---------------------------------------------------------------------------------

Running a proxy on your own wireless router (HTTPS2Socks)

At school I can only reach the education network; public web pages have to go through the school's HTTP proxy, many pages cannot be viewed, and QQ and MSN cannot stay connected either.

I thought of a way and wrote a program to solve this.

HTTP proxies generally forward HTTPS requests straight through without filtering. A client program on the internal network acts as a SOCKS v4/v5 server and, using this fact, sends the SOCKS v4/v5 requests through the proxy as an HTTPS stream to the wireless router at home, which forwards them and returns the results. This way QQ/MSN and other internet software can be used where browsing is restricted. The principle is shown in the diagram below:

The home router runs DD-WRT v24 as its firmware, which can be regarded as a stripped-down Linux. Running a proxy/jump host on the router uses the bandwidth at home; it saves power, is green and is safe.

As long as you can view any https:// public web page at school, e.g. https://www.cib.com.cn, you can use this method to access the Internet.
 
About DD-WRT:

DD-WRT is an embedded Linux for wireless routers. It gives an ordinary home wireless router the features of commercial routers costing thousands of yuan, and for experts it even allows compiling your own programs and freely extending the router's functionality.
DD-WRT's origins go back to 2003, when Cisco/Linksys released the WRT54G wireless router supporting what was then the top speed of 54 Mbps. The same year, enthusiasts discovered that the WRT54G's IOS firmware was based on Linux (IOS is what Cisco calls the operating system of its network devices). A basic condition of using Linux as an operating system is that the source code must be made public. When this became known, Cisco at first refused to release the source, but under public pressure, in March 2003, Cisco released the WRT54G source code. This opened up a treasure trove, and numerous third-party firmwares based on that source appeared, of which DD-WRT is the most outstanding.

DD-WRT has many advantages: a friendly configuration interface with multi-language support (including Simplified Chinese); QoS bandwidth settings and QoS L7 filtering to optimise bandwidth and cap maximum upload and download speed and maximum connection count; it can block or accelerate BT and eDonkey downloads; it supports multiple client connection modes such as bridge, repeater and client; it supports several security mechanisms, including client WPA mode, VLANs and WPA2; it supports Oray (peanut shell) DDNS, which makes hosting a personal website easy; it even has a modified built-in BT download feature. And this powerful DD-WRT is completely free.
Of course, not every router can be flashed with DD-WRT. It runs a Linux system and needs fairly complete hardware support: routers that can currently be flashed with DD-WRT are all based on Broadcom CPUs, and there are requirements on RAM and on the flash that stores the firmware. Flash must be at least 4 MB; all WRT54GS models before v4.0 have 8 MB of flash, while some routers (including the v5.0 models of the WRT54G and WRT54GS) have only 2 MB. Note that both the standard (Standard Version) and mini (Mini Version) builds of DD-WRT need 4 MB of flash; routers with 2 MB can only use the micro (Micro Version) build.
Here I recommend a few classic wireless routers suitable for flashing DD-WRT; they are either cheap or top-performing, and all have the best compatibility: the Buffalo WHR G54s, Buffalo WHR G54s, Asus WL 500G Deluxe and Motorola WR850G, and of course the WRT54G models with 8 MB of flash.

List of wireless routers supported by DD-WRT

After the introduction above, a wireless router flashed with DD-WRT can be regarded as a small host running a stripped-down Linux. Hanging directly on the internet, it uses little power, works stably for long periods, is not afraid of online attacks and viruses, and raises no security worries, so it is well suited as a personal proxy server. Moreover, with DD-WRT flashed you can also install eDonkey and BT for unattended downloading.
Just find a wireless router that supports DD-WRT and flash the Chinese DD-WRT v24 build with the built-in proxy, and you can easily set up a proxy server.
Interested readers can pick up a wireless router pre-flashed with the Chinese DD-WRT on Taobao. Be sure to get the Chinese DD-WRT build: any router that can run the Chinese DD-WRT necessarily has 4 MB of flash, so firmware upgrades are easy.
Download the firmware from the link in this post and then upgrade. The DD-WRT firmware upgrade screen looks like this:
 
 
After flashing the router, connect it to your home ADSL or cable modem.


Open http://192.168.1.1 in IE on your computer; when the DD-WRT interface appears, choose Setup.


Enter your ADSL username and password.


After saving, you also need to register a DDNS service online and fill in the DDNS details under DD-WRT's DDNS page. This is mainly so that you can easily find the address of your home router from inside the school LAN.

Once the home router is set up, just run the jump program inside the LAN to link up with the home router and break through the LAN firewall restrictions. Steps:

1. Download the jump program iTube.exe. iTube is portable software that runs without installation; it has been tested and works under XP.

2. Set the access password for the router's jump service.

3. Configure iTube
There are two cases: if you browse through an HTTP proxy, fill in the HTTP proxy address/port/NT username/password etc.; if you do not go through a proxy, just fill in an arbitrary port:

4. After filling in the details, choose Apply. If you see the following message, the program has successfully linked up with the wireless router and you can use the SOCKS v4/v5 proxy service it provides!

Running a proxy/jump host on the router uses the bandwidth at home; it saves power, is green and is safe. So that's how it can be done.
from http://bbs.proxycn.com/read-htm-tid-266530.html
-----------------------------------------------------------

Using a VPN on several computers at once with a DD-WRT router

What is DD-WRT?
DD-WRT is firmware, available at www.dd-wrt.com, that lets you replace the current firmware on your router with a modified, feature-packed one.
Once that is done you have far more functionality on your router. For VPN, the most important feature is the ability to connect to your VPN directly from your router.
This is very popular with customers who want their whole home network on the VPN. It is also popular with Xbox and PS3 users who want to give their consoles an American IP.
As you can see from the graphic below, this is how it works:

Without DD-WRT, each computer requires its own VPN account:
DD-WRT settings:

--------------------------------------------------------------------------------------------------------
I recently picked up a DIR-600, reputedly the cheapest router that can run DD-WRT firmware, and this router cannot be bricked, so no need to worry about turning it into a brick. The hardware version I bought is B2, which supports DD-WRT perfectly. Here are the DD-WRT firmware files for the DIR-600:
dlink-dir600b-factory-webflash.bin
dir600b-revb-ddwrt-webflash.bin
Download both files. Change your local IP to 192.168.0.x and the gateway to 192.168.0.1, go to the router's upgrade page and flash dlink-dir600b-factory-webflash.bin. After two or three minutes, when it has finished, change the gateway and local IP to 192.168.1.x and flash dir600b-revb-ddwrt-webflash.bin from the DD-WRT web interface, and that is it. The DD-WRT interface has Chinese too; just choose it in the settings.
The DIR-600 is said to be unbrickable and can be flashed back to the official firmware at any time, so here is the download for the stock firmware too. This is the latest B2 stock firmware, the same as when it was new:
DIR-600_fw_revB_2-03B04_all_en_20100601.zip
After downloading and unpacking you get the firmware and a language pack. To flash back to the stock firmware, press the Reset pinhole on the back of the DIR-600 for about thirty seconds until the LED turns yellow and starts blinking, then open 192.168.0.1 and choose the downloaded stock firmware; it is flashed in a minute or so. Then go to the router's upgrade page and flash the Chinese language pack to get a Chinese interface. Very convenient.
DD-WRT really is an awesome firmware; I am now playing with wireless repeating. The DIR-600's support for that does not seem great, though, and I have not tested it yet. Used together with autoddvpn it is really sweet, roughly the same as the Weizhong routers being sold online, only not so expensive. The DIR-600 used to be 145 on Newegg and JD; a while ago JD dropped it to 125 and I grabbed one right away, only for it to drop to 99 just after shipping, and I could not even claim price protection. Such a tragedy. A very cost-effective router.
from http://aenes.com/archives/664.html
---------------------------------------------
http://www.dd-wrt.com/wiki/index.php/OpenVPN
--------------------------------------------------

Tomato DualWan

Tomato DualWAN turns routers that can run Tomato or DD-WRT firmware from single-WAN into dual-WAN routers, with no extra hardware: you just flash the Tomato DualWAN firmware. The second WAN port that appears after flashing Tomato DualWAN can be connected to a wired network or a wireless one, and dual-WAN mode supports bandwidth aggregation or smart routing.
Note: to work in dual-WAN mode you must have two lines (which can be your own line plus someone else's wireless network) or two broadband accounts; otherwise dual-WAN mode cannot work.
Besides the basic features of an ordinary router, a router flashed with Tomato DualWAN offers the following:
Bandwidth aggregation/load balancing: combine the bandwidth of two lines for fast downloads
Smart routing: automatically chooses the best line according to the ISP of the destination IP, speeding up access
QoS/per-IP rate limiting: allocates bandwidth sensibly
Real-time per-device traffic view: see each computer's traffic
ARP binding: stops unauthorised users from using the network
IPID protection against China Telecom's "Network Sharpshooter" detection
VPN (PPTP) server and client: joins offices in different locations into one LAN
NAT-PMP support for Apple (Mac OS X) (an alternative to UPnP)
Unattended BT downloading (router needs a USB port): let the router download your favourite games or films while you sleep or are at work, without leaving the computer on
Samba server (router needs a USB port): file sharing, so you can play films the router has downloaded directly on the PC
FTP server (router needs a USB port)
3G internet (router needs a USB port): plug in a USB 3G modem or a smartphone and the router becomes a 3G router, convenient for sharing internet on a team trip
Network announcements
First-time Tomato DualWAN users are advised to read the FAQ and user manual first
Project page: http://code.google.com/p/dualwan/
Downloads: http://code.google.com/p/dualwan/downloads/list
-------------------------------------------------------------------
Have you ever thought of doing the GFW circumvention on the router itself, so that every device downstream is automatically on an unwalled network? The answer is yes. This post is a shallow starting point for discussion; technical details are out of scope.
The most mature and stable way to get past the wall at present is a VPN, but almost no router on the market offers a VPN client. Fortunately there is a third-party router firmware called DD-WRT; by flashing we can upgrade our router's firmware to DD-WRT and gain many customised features, including VPN connectivity. From a practical standpoint, there are two VPN-based solutions for an unwalled network:
DD-WRT is an open-source router firmware based on Linux, offering VPN, OpenVPN, wireless repeating, QoS traffic control and even increased transmit power. You can also log in to DD-WRT via telnet or ssh and run commands or hack on it. Quite a few routers from TP-Link, D-Link, Buffalo, Cisco Linksys and others already support flashing DD-WRT; here is the detailed supported-device list.
The first solution is the technical one: you upgrade the router firmware yourself and configure autoddvpn:
Architecture: VPN + DD-WRT + autoddvpn
After upgrading the router to DD-WRT for VPN support you have a global VPN, but a global VPN has a problem: once the VPN is up, all traffic from downstream devices is routed over the VPN line, so even visiting domestic sites takes a detour through the US (taking the US as an example; strictly, wherever the VPN is). Wasting VPN traffic is the lesser issue; it also slows down domestic sites. The project that solves this annoyance is autoddvpn: all you need to do is log in to the router's admin page in a browser, add one command on the firewall page and save. The principle of autoddvpn is routing by the geographic attribute of the IP address: all mainland Chinese IP addresses go straight out the local gateway, everything else goes through the VPN tunnel.
Investment: a DD-WRT-capable home (wireless) router, around 200 yuan; a VPN, currently around 150 yuan per year.
The second solution is for the lazy: you just pay:
A domestic team has already integrated the whole circumvention package into a home router, offering a turnkey unwalled network: the Weizhong security router. You just buy their router and pay a yearly service fee; nothing else needs your attention. Worth noting is that besides home use, the Weizhong security router is also well suited to cafes or small companies.
Investment: the officially announced standard edition price is 360 yuan per unit, including one year of service.
-------------------------------------------------------------------------------------------------------------

Setup SSH on Your Router for Secure Web Access from Anywhere

Connecting to the internet from Wi-Fi hotspots, at work, or anywhere else away from home, exposes your data to unnecessary risks. You can easily configure your router to support a secure tunnel and shield your remote browser traffic—read on to see how.

What is and Why Set Up a Secure Tunnel?

You might be curious why you would even want to set up a secure tunnel from your devices to your home router and what benefits you would reap from such a project. Let’s lay out a couple different scenarios that involve you using the internet to illustrate the benefits of secure tunneling.
Scenario one: You’re at a coffee shop using your laptop to browse the internet through their free Wi-Fi connection. Data leaves your Wi-Fi modem, travels through the air unencrypted to the Wi-Fi node in the coffee shop, and then is passed on to the greater internet. During the transmission from your computer to the greater internet your data is wide open. Anyone with a Wi-Fi device in the area can sniff your data. It’s so painfully easy that a motivated 12 year old with a laptop and a copy of Firesheep could snatch up your credentials for all manner of things. It’s as though you’re in a room filled with English-only speakers, talking into a phone speaking Mandarin Chinese. The moment somebody who speaks Mandarin Chinese comes in (the Wi-Fi sniffer) your pseudo-privacy is shattered.
Scenario two: You’re at a coffee shop using your laptop to browse the internet through their free Wi-Fi connection again. This time you’ve established an encrypted tunnel between your laptop and your home router using SSH. Your traffic is routed through this tunnel directly from your laptop to your home router which is functioning as a proxy server. This pipeline is impenetrable to Wi-Fi sniffers who would see nothing but a garbled stream of encrypted data. No matter how shifty the establishment, how insecure the Wi-Fi connection, your data stays in the encrypted tunnel and only leaves it once it has reached your home internet connection and exits to the greater internet.
In scenario one you’re surfing wide open; in scenario two you can login to your bank or other private web sites with the same confidence you would from your home computer.
Although we used Wi-Fi in our example you could use the SSH tunnel to secure a hardline connection to, say, launch a browser on a remote network and punch a hole through the firewall to surf as freely as you would on your home connection.
Sounds good doesn’t it? It’s incredibly easy to set up so there’s no time like the present—you can have your SSH tunnel up and running within the hour.

What You’ll Need

There are many ways to setup an SSH tunnel to secure your web browsing. For this tutorial we’re focusing on setting up an SSH tunnel in the easiest possible way with the least amount of fuss for a user with a home router and Windows-based machines. To follow along with our tutorial you’ll need the following things:
  • A router running the Tomato or DD-WRT modified firmware.
  • An SSH client like PuTTY.
  • A SOCKS-compatible web browser like Firefox.
For our guide we’ll be using Tomato but the instructions are almost identical to the ones you would follow for DD-WRT so if you’re running DD-WRT feel free to follow along. If you don’t have modified firmware on your router check out our guide to installing DD-WRT and Tomato before proceeding.

Generating Keys for Our Encrypted Tunnel

Although it might seem odd to jump right to generating the keys before we even configure the SSH server, if we have the keys ready we’ll be able to configure the server in a single pass.
Download the full PuTTY pack and extract it to a folder of your choice. Inside the folder you'll find PUTTYGEN.EXE. Launch the application and click Key –> Generate key pair. You'll see a screen much like the one pictured above; move your mouse around to generate random data for the key creation process. Once the process has finished your PuTTY Key Generator window should look something like this; go ahead and enter a strong password:
Once you’ve plugged in a password, go ahead and click Save private key. Stash the resulting .PPK file somewhere safe. Copy and paste the contents of the “Public key for pasting…” box into a temporary TXT document for now.
If you plan on using multiple devices with your SSH server (such as a laptop, a netbook, and a smartphone) you need to generate key pairs for each device. Go ahead and generate, password, and save the additional key pairs you need now. Make sure you copy and paste each new public key into your temporary document.

Configuring Your Router for SSH

Both Tomato and DD-WRT have built-in SSH servers. This is awesome for two reasons. First, it used to be a huge pain to telnet into your router to manually install an SSH server and configure it. Second, because you’re running your SSH server on your router (which likely consumes less power than a light bulb), you never have to leave your main computer on just for a lightweight SSH server.
Open a web browser on a machine connected to your local network. Navigate to the web interface of your router; for our router—a Linksys WRT54G running Tomato—the address is http://192.168.1.1. Login to the web interface and then navigate to Administration –> SSH Daemon. There you need to check both Enable at Startup and Remote Access. You can change the remote port if you desire, but the only benefit to doing so is that it marginally obfuscates the reason the port is open if anyone port scans you. Uncheck Allow Password Login. We will not be using a password login to access the router from afar; we will be using a key pair.
Paste the public key(s) you generated in the last part of the tutorial into the Authorized Keys box. Each key should be its own entry separated by a line break. The first portion of the key ssh-rsa is very important. If you do not include it with each public key they will appear invalid to the SSH server.
Click Start Now and then scroll down to the bottom of the interface and click Save. At this point your SSH server is up and running.
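An added check (not from the original article) for the Authorized Keys box described above: it validates each pasted line the way the SSH server will, confirming that the leading key type is present and matches the type encoded inside the base64 blob, since a key pasted without its ssh-rsa prefix is rejected. The keys are toy values constructed in the script, not real PuTTYgen output.

```python
import base64
import struct


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """SSH wire-format mpint: big-endian, with a leading zero byte if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_ssh_rsa_public_line(e, n, comment="constructed"):
    """Build an authorized_keys line for a toy RSA public key (e, n). Constructed here so the
    example runs offline; a real line comes from PuTTYgen's 'Public key for pasting' box."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def blob_key_type(b64):
    """Key type stored inside a base64 key blob, or None if it is not a valid blob."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (length,) = struct.unpack(">I", raw[:4])
        if 4 + length > len(raw):
            return None
        return raw[4:4 + length].decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


def check_authorized_keys(text):
    """Validate the contents of the Authorized Keys box. Returns (valid_lines, problems)."""
    valid, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        inner = blob_key_type(parts[0])
        if inner is not None:
            # The whole line is a bare blob: the 'ssh-rsa' prefix was left off.
            problems.append(f"line {lineno}: key blob pasted without its '{inner}' prefix")
            continue
        declared = parts[0]
        inner = blob_key_type(parts[1]) if len(parts) > 1 else None
        if inner is None:
            problems.append(f"line {lineno}: second field is not a base64 SSH public key blob")
        elif inner != declared:
            problems.append(f"line {lineno}: declared type {declared} but blob contains {inner}")
        else:
            valid.append(line)
    return valid, problems


# Constructed sample box: one correct line, one pasted without 'ssh-rsa', one corrupted.
GOOD_LINE = make_ssh_rsa_public_line(65537, 0xC0FFEE1234567891, "laptop")
SAMPLE_BOX = "\n".join([GOOD_LINE, GOOD_LINE.split()[1], "ssh-rsa not-base64!! phone"])

if __name__ == "__main__":
    ok, bad = check_authorized_keys(SAMPLE_BOX)
    print(f"{len(ok)} valid line(s)")
    for problem in bad:
        print(problem)
```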

Configuring Your Remote Computer to Access Your SSH Server

This is where the magic happens. You’ve got a key pair, you’ve got a server up and running, but none of that is of any value unless you’re able to remotely connect from the field and tunnel into your router. Time to bust out our trusty net book running Windows 7 and set to work.
First, copy that PuTTY folder you created to your other computer (or simply download and extract it again). From here on all instructions are focused on your remote computer. If you ran the PuTTY Key Generator on your home computer make sure you've switched over to your mobile computer for the rest of the tutorial. Before you settle in you'll also need to make sure you have a copy of the .PPK file you created. Once you have PuTTY extracted and the .PPK in hand, we're ready to proceed.
Launch PuTTY. The first screen you'll see is the Session screen. Here you'll need to enter the IP address of your home internet connection. This is not the IP of your router on the local LAN; this is the IP of your modem/router as seen by the outside world. You can find it by looking at the main Status page in your router's web interface. Change the Port to 2222 (or whatever you substituted in the SSH Daemon configuration process). Make sure SSH is checked. Go ahead and give your session a name so that you can save it for future use. We titled ours Tomato SSH.
Navigate, via the left-hand pane, down to Connection –> Auth. Here you need to click the Browse button and select the .PPK file you saved and brought over to your remote machine.
While in the SSH sub-menu, continue down to SSH –> Tunnels. It is here that we are going to configure PuTTY to function as a proxy server for your mobile computer. Check both boxes under Port Forwarding. Below, in the Add new forwarded port section, enter 80 for the Source port and the IP address of your router for the Destination. Check Auto and Dynamic, then click Add.
Double check that an entry has appeared in the Forwarded Ports box. Navigate back to the Sessions section and click Save again to save all your configuration work. Now click Open. PuTTY will launch a terminal window. You may get a warning at this point indicating that the server's host key is not in the registry. Go ahead and confirm that you trust the host. If you're worried about it you can compare the fingerprint string it gives you in the warning message with the fingerprint of the key you generated by loading it up in PuTTY Key Generator. Once you've opened PuTTY and clicked through the warning you should see a screen that looks like this:
At the terminal you will only need to do two things. At the login prompt type root. At the passphrase prompt enter your RSA keyring password—this is the password you created a few minutes ago when you generated your key and not your router’s password. The router shell will load and you’re done at the command prompt. You’ve formed a secure connection between PuTTY and your home router. Now we need to instruct your applications how to access PuTTY.
Note: If you want to simplify the process at the price of slightly decreasing your security, you can generate a keypair without a password and set PuTTY to log in to the root account automatically (you can toggle this setting under Connection –> Data –> Auto Login). This reduces the PuTTY connection process to simply opening the app, loading the profile, and clicking Open.

Configuring Your Browser to Connect to PuTTY

At this point in the tutorial your server is up and running, your computer is connected to it, and only one step remains. You need to tell the important applications to use PuTTY as a proxy server. Any application that supports the SOCKS protocol can be linked to PuTTY—Firefox, mIRC, Thunderbird, and uTorrent, to name a few—if you’re unsure whether an application supports SOCKS, dig around in the options menus or consult the documentation. This is a critical element that shouldn’t be overlooked: your traffic is not routed through the PuTTY proxy by default; each application must be pointed at the SOCKS server. You could, for example, have a web browser where you turned on SOCKS and a web browser where you didn’t—both on the same machine—and one would encrypt your traffic and one wouldn’t.
For our purposes we want to secure our web browser, Firefox Portable, which is simple enough. The configuration process for Firefox translates to practically any application you’ll need to plug in SOCKS information for. Launch Firefox and navigate to Options –> Advanced –> Settings. From within the Connection Settings menu, select Manual proxy configuration and under SOCKS Host plug in 127.0.0.1—you’re connecting to the PuTTY application running on your local computer so you must put the local host IP, not the IP of your router as you’ve been putting in every slot so far. Set the port to 80, and click OK.
We have one tiny little tweak to apply before we’re all set. Firefox, by default, doesn’t route DNS requests through the proxy server. This means that your traffic will always be encrypted, but somebody snooping the connection would still see all your DNS requests. They’d know you were at Facebook.com or Gmail.com, but they wouldn’t be able to see anything else. If you want to route your DNS requests through the SOCKS proxy as well, you’ll need to turn it on.
Type about:config in the address bar, then click “I’ll be careful, I promise!” if you get a stern warning about how you can screw up your browser. Paste network.proxy.socks_remote_dns into the Filter: box and then right click on the entry for network.proxy.socks_remote_dns and Toggle it to True. From here out, both your browsing and your DNS requests will be sent through the SOCKS tunnel.
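Added example (not code from the How-To Geek article): what the network.proxy.socks_remote_dns toggle changes on the wire, in Python. With the toggle off, the client resolves the name itself and sends a SOCKS5 CONNECT carrying an IP address (ATYP 1), so the DNS query leaves over the untrusted Wi-Fi in the clear; with it on, the hostname travels inside the request (ATYP 3) and the SSH server at home resolves it. The resolver argument, the sample hostnames and the sample addresses are constructed for the demo.

```python
import ipaddress
import socket
import struct

# SOCKS5 constants (RFC 1928)
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_connect_request(host, port, remote_dns, resolver=socket.gethostbyname):
    """Return the SOCKS5 CONNECT request a client sends for host:port.

    remote_dns=True mirrors network.proxy.socks_remote_dns=true: the name is
    sent verbatim (ATYP 3) and the SSH server at home resolves it.
    remote_dns=False mirrors the Firefox default: the client resolves the name
    locally (a plaintext DNS query on the hotspot) and sends only the IP.
    `resolver` is a constructed hook so the demo runs offline.
    """
    try:
        addr = ipaddress.ip_address(host)  # user typed an IP literal
    except ValueError:
        addr = None
    if addr is None and not remote_dns:
        # Local resolution happens here, outside the tunnel: this is the leak.
        addr = ipaddress.ip_address(resolver(host))
    if addr is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = struct.pack("!BB", ATYP_DOMAIN, len(name)) + name
    elif addr.version == 4:
        body = struct.pack("!B", ATYP_IPV4) + addr.packed
    else:
        body = struct.pack("!B", ATYP_IPV6) + addr.packed
    # VER, CMD, RSV, then the address block, then the port in network order.
    return struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00) + body + struct.pack("!H", port)


def parse_connect_request(data):
    """Parse a SOCKS5 CONNECT request as the proxy end would see it.

    resolved_by_client is True when the request carries an IP literal, i.e.
    the client already knew the address: either it resolved the name itself
    (the DNS leak the page describes) or the user typed an IP directly.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    _ver, cmd, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if cmd != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(data) != end + 2:
        raise ValueError("truncated or oversized request")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"host": host, "port": port, "atyp": atyp,
            "resolved_by_client": atyp != ATYP_DOMAIN}


def count_client_resolved(requests):
    """Tally, over a list of captured CONNECT requests, how many skipped
    remote resolution; a proxy-side check that the toggle actually took."""
    return sum(1 for r in requests if parse_connect_request(r)["resolved_by_client"])


if __name__ == "__main__":
    fake = lambda name: "93.184.216.34"  # constructed answer, no real lookup
    leaky = build_connect_request("facebook.com", 443, remote_dns=False, resolver=fake)
    tunnelled = build_connect_request("facebook.com", 443, remote_dns=True)
    print(parse_connect_request(leaky))
    print(parse_connect_request(tunnelled))
    print("client-resolved:", count_client_resolved([leaky, tunnelled]))
```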
Although we’re configuring our browser for SSH-all-the-time, you may wish to easily toggle your settings. Firefox has a handy extension, FoxyProxy, that makes it super easy to toggle your proxy servers on and off. It supports tons of configuration options like switching between proxies based on the domain you’re on, the sites you’re visiting, etc. If you want to be able to easily and automatically turn your proxy service off based on whether you’re at home or away, for example, FoxyProxy has you covered. Chrome users will want to check out Proxy Switchy! for similar functionality.
Let’s see if everything worked as planned, shall we? To test things out we opened up two browsers: Chrome (seen on the left) with no tunnel and Firefox (seen on the right) freshly configured to use the tunnel.
On the left we see the IP address of the Wi-Fi node we’re connecting to and on the right, courtesy of our SSH tunnel, we see the IP address of our distant router. All Firefox traffic is being routed through the SSH server. Success!

Have a tip or trick for securing remote traffic? Use a SOCKS server/SSH with a particular app and love it? Need help figuring out how to encrypt your traffic? Let’s hear about it in the comments.

 
This article was originally written on 07/13/11 Tagged with: Other

Comments (41)

  1. Srivatsan Venkatesh
    1 question. Once I set everything up on the router, do I need the PC at home to be on, or is the server on the router itself?
  2. Jason Fitzpatrick
    The server is run by the embedded Linux within the router, as long as your broadband modem and router are on the only other component you need is a remote computer with PuTTY and a SOCKS-enabled application like Firefox.
  3. Dan Weston
    You should also look at the free (and portable) program called MyEnTunnel. It also runs through putty, but is slightly easier to configure and save to a USB drive. I’ve been using it for years.
  4. jasray
    Question mark on this one. Rather than go into a lengthy response, I honestly hope readers will research SSH servers and find out how many options they have. The tutorial here is much more complicated than setting up SSH needs to be. The best bet, so one doesn’t have to leave a machine on at home, is to use Hotspot Shield or some other free VPN service. In short, don’t go running out the door to purchase a Linksys router thinking Tomato and/or DDWRT are needed or that any port mentioned in the article is the only port which will work. (A lot to iron out to make this a viable tutorial, Jason.)
  5. Johann
    Good article – though why didn’t you show where to save the logon username in the putty session so you don’t have to type ‘root’ each time that you connect? Or show that if you’ve done a ‘normal’ putty install you can double-click your .ppk file to have it launched with pageant and prompting for password once but caching it for subsequent use?
    Also seeing as you’re effectively creating a SOCKS proxy it’d be good form to get people used to using the ‘correct’ default SOCKS port of 1080, not 80 which is obviously the HTTP default port and so could become confusing if users later want to expand their knowledge. You can obviously use anything but if you’re educating people, why not give them information worth learning and remembering?
    @jasray: Firstly this is ‘howtogeek’ where people enjoy learning how to do stuff themselves rather than just using an off the shelf product. Secondly setting up your own ssh server means you aren’t trusting your data to a third-party. Do you REALLY know Hotspot shield or other firms aren’t logging your activity, let alone monitoring it thoroughly? I read an article the other month where one of the free online PGP email services (where they kindly offer to ‘house’ your private key) was actually an NSA shill so worse than just using unencrypted mail!! Also, using this technique allows you to access services and data you have on your home network (I frequently access my home iTunes, wake-on-lan my PC and remote desktop to it etc.) which isn’t possible with Hotspot shield.
  6. Kevin
    Thanks Jason. I leave my router on 24/7, so I appreciate that with that “machine on at home” and these instructions I can make a viable SSH tunnel.
  7. Rod
    I wonder if I can access my NAS on my home network remotely.
  8. Jason Fitzpatrick
    @jasray: Complicated? It takes longer to read the article and download PuTTY than it does to actually configure everything. I spent more time taking the screenshots for the article than I did setting everything up. Furthermore, this tutorial has nothing to do with leaving a computer running at home as it runs off the router (you turn your router off when you leave the house?). I’ve been writing for a long time and fully expect criticism regarding anything I write but come on… this is a perfectly viable tutorial, it’s easy to do, and a significant portion of the readers won’t need to buy anything.
    @Rod: Can you run an SFTP or SCP server on your NAS? If not, here’s a guide to setting up Samba sharing through an SSH tunnel. It’s a bit of a hassle but doable: http://www.bitvise.com/file-sharing
  9. mark
    This is a good tutorial for setting up an SSH tunnel. Some people will complain it’s too complicated or it’s easier to do X, Y, and Z. If it’s too difficult to understand, this isn’t for you. If it’s so much easier to do it another way, then establish your own website and tell us about it.
    Anyone can criticize. It’s far more difficult to create or write something. Howtogeek is now what Lifehacker used to be and I thoroughly enjoy it.
  10. Jason Fitzpatrick
    @Mark: Thanks for the kind word! =)
    You don’t even have to establish your own website… if a How-To Geek reader feels like they have a superior way of doing something and is willing to take the time to write up a guide with screen shots and/or video there’s a very high probability of that write up ending up as a featured tip post here. We love reader submitted tips and tutorials!
  11. wt73
    Thanks, Jason. Great work. I love how-to’s like this. Regardless of whether it’s the “best” or not, it always leads me down a learning path to what will work best for me. I have DD-WRT and other than boost the tw a little, I have been eager to utilize its potential.
  12. Maksym Kozlenko
    Another option is to use some Internet connected server to use as a proxy via SSH tunnel.
    With Amazon EC2 you can get a free tier server which comes with 10Gb traffic, install Linux on it and use just the same way as you would use your home router. Connection speed will be faster, since it’s not hampered by your home ADSL connection uplink speed.
    People from outside US, using US based EC2 instances, can also use it to watch online videos from Hulu and other websites, which are blocked from use by foreign IP addresses.
  13. Hmm
    I’m still a bit confused. Does this mean after setting up a secure tunnel, the encrypted data is transferred to my home router and then the internet? And can be used on any Wi-Fi spot? And the Wi-Fi spot acts as an extender so that I can connect to my router to connect to the internet.
  14. Rod
    Thanks for the tip towards bitvise Jason, I really appreciate it.
  15. Murphy
    Instead of PuTTY you could use the “Bitvise Tunnelier”, where it is quite easy to set up all these tunnel settings. In the past I was using PuTTY, but I moved to Tunnelier since I found it.
    Also if somebody does not have such a Tomato router but has a Windows machine which is running at home, then Bitvise WinSSHD server might be a good companion to the Tunnelier. :)
  16. Jason
    @Jason, good article. Do you have any links or plan on an article for setting up an SSH server on WHS?
  17. Tim
    Are DNS requests through SOCKS automatically done w/ Chrome? Anyone know?
    I’ve always known you had to change it on FF, but I’m not sure how it works with Chrome
  18. Abhishek
    Would it not be a better option to use an online proxy server instead? Please correct me if I am wrong..
  19. Greg
    Hi Jason,
    You talked about mobile devices, any advice about Ipod3 touch/Iphones, is it possible? For a laptop, it seems pretty easy though. I’ll try it, many thanks to you!
  20. riverfest
    any quick tips on how to use this in combination with a dynamic DNS service? in other words if I hard code (in PuTTY) the dynamic IP my ISP hands out and it changes and I’m away from home, how can this work? thanks in advance
  21. rodmunch
    That is great, but what about for Mac users. I know part of what Putty does, you can do in terminal but what about key generation????
  22. Jason Fitzpatrick
    @Hmm: That’s correct; once you set things up as laid out in this guide… all your browser traffic (or traffic from any other SOCKS-enabled app you’re using) will travel inside an encrypted tunnel from your laptop or mobile device all the way to your router and then will enter the “open” internet just like it would if you were browsing from your house. Nobody between your laptop at the coffee shop and your router at home can touch the traffic.
    @Jason: I hadn’t… although I have a WHS and I leave it on nearly 24/7 (I use the Lights Out extension to shut it down in the middle of the night for a few hours to save power when I’m not awake) I liked the router solution better… less power, always on, quick to reboot and become active again if there is a power outage or such.
    @Tim: Chrome doesn’t have a separate SOCKS config like Firefox does; it uses the system wide proxy configuration by default. This means, unfortunately, that Chrome’s DNS resolution is as leaky as the entire system (which is quite leaky). If you’re interested in using Chrome and securing the DNS requests you might want to check out this thread at the Perfect Privacy forums: https://forum.perfect-privacy.com/showthread.php?t=702 regarding forcing Windows to route DNS requests through the tunnel.
    @Greg: Unfortunately it’s not easy with iOS but it *is* possible. Here’s a guide to setting things up for iOS: http://blog.c22.cc/2009/06/21/iphone-ssh-tunnel/ –you’ll need a jailbroken iOS device. Alternatively, Here’s an SSH tunnel tool for Android: https://market.android.com/details?id=org.sshtunnel&feature=search_result
    @Riverfest: You’ll need to set up your router to communicate with a Dynamic DNS service and then use the hostname of your DDNS service (PuTTY will accept both IP addresses and hostnames). So for example, after signing up for a DDNS service you might have a hostname like riverfest.someDDNSservice.com that always points to your home internet connection regardless of how many times your ISP changes your IP–you would put that hostname in the IP slot instead of your current IP address.
    You can read how to setup a DDNS service with DD-WRT here: http://www.dd-wrt.com/wiki/ind.....yn_-_HOWTO and for Tomato here: http://blog.dreamdevil.com/ind.....th-dyndns/
    from http://www.howtogeek.com/68061/setup-ssh-on-your-router-for-secure-web-access-from-anywhere
    -----------------------------------------------------------------------------------------
    related post: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/

    Connect to Your Home Network From Anywhere with OpenVPN and Tomato

    A few weeks ago we covered installing Tomato, an open-source router firmware, on your Linksys WRT54GL. Today we’ll be going over how to install OpenVPN alongside Tomato, and setting it up to access your home network from anywhere in the world!

    What is OpenVPN?


    A virtual private network (VPN) is a trusted, secure connection between one local area network (LAN) and another. Think of your router as the middle man between the networks that you’re connecting to. Both your computer and the OpenVPN server (your router in this case) “shake hands” using certificates that validate each other. Upon validation, both the client and server agree to trust each other and the client is then allowed access on the server’s network.
    Typically, VPN software and hardware cost a lot of money to implement. If you haven’t guessed it already, OpenVPN is an open-source VPN solution that is (drum roll) free. Tomato, alongside OpenVPN, is a perfect solution for those who want a secured connection between two networks without having to open their wallet. Of course, OpenVPN won’t work right out of the box. It takes a little bit of tweaking and configuring to get it just right. Not to worry though; we’re here to make that process easier for you, so grab yourself a warm cup of coffee and let’s get started.
    For more information about OpenVPN, visit the official What Is OpenVPN? page.

    Prerequisites

    This guide assumes that you are currently running Windows 7 on your PC and that you’re using an administrative account. If you’re a Mac or Linux user, this guide will give you an idea of how things work; however, you may have to do a little more research on your own to get things perfect. Also, we will be installing a special version of Tomato called TomatoUSB VPN on a Linksys WRT54GL version 1.1 router. To find out if your router is compatible with TomatoUSB, check out their Build Types page.
    The beginning of this guide assumes you have either:
    1. the original Linksys firmware installed on your router or
    2. the Tomato firmware we described in our last article
    Take note of the text above certain steps indicating whether it’s for Linksys firmware or Tomato firmware.

    Installing TomatoUSB

    In a previous article we discussed how to install the original Tomato v1.28 firmware from PolarCloud’s website. Unfortunately, that version of Tomato didn’t come with OpenVPN support, so we’ll be installing a newer version called TomatoUSB VPN.
    The first thing you’ll want to do is head over to the TomatoUSB homepage and click the Download Tomato USB link.

    Download VPN under the Kernel 2.4 (stable) section. Save the .rar file to your computer.

    You’ll need a program to extract the .rar file. We suggest using WinRAR since it’s free to try and easy to use. You can download yourself a copy of the free version on their website. After installing WinRAR, right click on the file you downloaded and click Extract Here. You should then see two files called CHANGELOG and tomato-NDUSB-1.28.8754-vpn3.6.trx.

    If you’re running Linksys firmware…

    Open up your browser and enter in your router’s IP address (default is 192.168.1.1). You’ll be prompted for a username and password. The defaults for a Linksys WRT54GL are “admin” and “admin”.

    Click the Administration tab at the top. Next, click Firmware Upgrade as seen below.
    Click the Browse button and navigate to the extracted TomatoUSB VPN files. Select the tomato-NDUSB-1.28.8754-vpn3.6.trx file, and click the Upgrade button in the web interface. Your router will start installing TomatoUSB VPN, which should take less than a minute to complete. After about a minute, open up a command prompt and type ipconfig /release to determine your router’s new IP address. Then type ipconfig /renew. The IP address to the right of Default Gateway… is your router’s IP address.
    Note: After installing Tomato go to Administration > Configuration and select “Erase all NVRAM…”.

    If you’re running Tomato firmware…

    Open up your browser and enter in your router’s IP address. We assume that if you installed Tomato, you know the IP address of your router. If you’re not sure, then it’s probably set to the default of 192.168.1.1. After, type in your username and password.

    Although it’s not required, you may want to backup your current Tomato configuration before upgrading to TomatoUSB VPN, just in case. To save your configuration, navigate to Administration > Configuration and click the Backup button. This will prompt you to save the .cfg file to your computer.

    Now it’s time to upgrade Tomato to TomatoUSB VPN. Click Upgrade in the left column and click the Choose File button. Navigate to the files we extracted earlier and choose the tomato-NDUSB-1.28.8754-vpn3.6.trx file. Then click the upgrade button.

    You’ll be asked to confirm the upgrade; just click OK.

    Your router will begin uploading the new firmware and will restart within a minute.

    It may have the same or a different IP address after it restarts. In our case, the router configuration was still the same, therefore our IP address was still the same. To determine your router’s new IP address, open up a command prompt and type ipconfig /release. Then type ipconfig /renew. The IP address to the right of Default Gateway… is your router’s address. If your configuration is set back to the defaults, go back to the Configuration page (Administration > Configuration) and click the Choose File button under Restore Configuration. Browse for the .cfg file you saved to your computer earlier and click the Restore button.

    Configuring OpenVPN

    Whether you had Linksys firmware or Tomato firmware installed, you should now have the new TomatoUSB VPN installed on your router. You’ll notice a few new menus in the left column including Web Usage, USB and NAS, and VPN Tunneling. For this guide, we’re only concerned with the VPN Tunneling menu, so go ahead and click VPN Tunneling. Keep this browser window open; we’ll be coming back to it shortly.

    Now let’s head over to OpenVPN’s Downloads page and download the OpenVPN Windows Installer. In this guide, we’ll be using the second latest version of OpenVPN, 2.1.4. The latest version (2.2.0) has a bug in it that would make this process even more complicated. The file we’re downloading will install the OpenVPN program that allows you to connect to your VPN network, so be sure to install this program on any other computers that you want to act as clients (we’ll be seeing how to do that later). Save the openvpn-2.1.4-install.exe file to your computer.
    Navigate to the OpenVPN file we just downloaded and double click it. This will begin the installation of OpenVPN on your computer. Run through the installer with all the defaults checked. During the installation, a dialog box will pop up asking to install a new virtual network adapter called TAP-Win32. Click the Install button.
    Now that you have OpenVPN installed on your computer, we have to start creating the certificates and keys to authenticate devices.

    Creating the Certificates and Keys

    Click the Windows Start button and navigate under Accessories. You’ll see the Command Prompt program. Right click on it and click Run as administrator.
    In the command prompt, type cd c:\Program Files (x86)\OpenVPN\easy-rsa if you’re running 64-bit Windows 7 as seen below. Type cd c:\Program Files\OpenVPN\easy-rsa if you’re running 32-bit Windows 7. Then hit Enter.
    Now type init-config and hit Enter to copy two files called vars.bat and openssl.cnf into the easy-rsa folder. Keep your command prompt up as we’ll be coming back to it shortly.
    Navigate to C:\Program Files (x86)\OpenVPN\easy-rsa (or C:\Program Files\OpenVPN\easy-rsa on 32-bit Windows 7) and right click on the file called vars.bat. Click Edit to open it up in Notepad. Alternatively, we recommend opening this file with Notepad++ as it formats the text in the file much better. You can download Notepad++ from their homepage.
    The bottom portion of the file is what we are concerned with. Starting at line 31, change the KEY_COUNTRY value, KEY_PROVINCE value, etc. to your country, province, etc. For example, we changed our province to “IL”, city to “Chicago”, org to “HowToGeek”, and email to our own email address. Also, if you’re running Windows 7 64-bit, change the HOME value in line 6 to %ProgramFiles(x86)%\OpenVPN\easy-rsa. Do not change this value if you’re running 32-bit Windows 7. Your file should look similar to ours below (with your respective values, of course). Save the file by overwriting it once you’re done editing.
    Go back to your command prompt and type vars and hit Enter. Then type clean-all and hit Enter. Finally, type build-ca and hit Enter.
    After executing the build-ca command, you will be prompted to enter in your Country Name, State, Locality, etc. Since we already set up these parameters in our vars.bat file, we can skip past these options by hitting Enter. But before you start slamming away at the Enter key, watch out for the Common Name parameter. You can enter anything in this parameter (i.e. your name); just make sure you enter something. This command will output two files (a Root CA certificate and a Root CA key) in the easy-rsa/keys folder.
    Now we’re going to build a key for a client. In the same command prompt type build-key client1. You can change “client1” to anything you’d like (i.e. Acer-Laptop). Just be sure to enter the same name as the Common Name when prompted. For example, when you run the command build-key Acer-Laptop, your Common Name should be “Acer-Laptop”. Run through all the defaults like the last step we did (except for Common Name, of course). However, at the end you will be asked to sign the certificate and to commit. Type “y” for both and hit Enter.
    Also, don’t worry if you received the “unable to write ‘random state’” error. I’ve noticed that your certificates still get made without a problem. This command will output two files (a Client1 Key and a Client1 Certificate) in the easy-rsa/keys folder. If you want to create another key for another client, repeat the previous step, but be sure to change the Common Name.
    The last certificate we’ll be generating is the server key. In the same command prompt, type build-key-server server. You can replace “server” at the end of the command with anything you’d like (i.e. HowToGeek-Server). As always, be sure to enter the same name as the Common Name when prompted. For example, when you run the command build-key-server HowToGeek-Server, your Common Name should be “HowToGeek-Server”. Hit Enter and run through all the defaults except Common Name. At the end, type “y” to sign the certificate and commit. This command will output two files (a Server Key and a Server Certificate) in the easy-rsa/keys folder.
    Now we have to generate the Diffie Hellman parameters. The Diffie Hellman protocol “allows two users to exchange a secret key over an insecure medium without any prior secrets”. You can read more about Diffie Hellman on RSA’s website.
    In the same command prompt type build-dh. This command will output one file (dh1024.pem) in the easy-rsa/keys folder.

    Creating the Configuration Files for the Client

    Before we edit any configuration files, we should set up a dynamic DNS service. Use this service if your ISP issues you a dynamic external IP address every so often. If you have a static external IP address, skip down to the next step.
    We suggest using DynDNS.com, a service that allows you to point a hostname (i.e. howtogeek.dyndns.org) to a dynamic IP address. It’s important for OpenVPN to always know your network’s public IP address, and by using DynDNS, OpenVPN will always know how to locate your network no matter what your public IP address is. Sign up for a free hostname and point it to your public IP address. Once you’ve signed up for the service, don’t forget to set up the auto-update service in Tomato under Basic > DDNS.
    Now back to configuring OpenVPN. In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\sample-config if you’re running 64-bit Windows 7 or C:\Program Files\OpenVPN\sample-config if you’re running 32-bit Windows 7. In this folder you will find three sample configuration files; we’re only concerned with the client.ovpn file.
    Right click on client.ovpn and open it with Notepad or Notepad++. You’ll notice your file will look like the picture below:
    However, we want our client.ovpn file to look similar to the picture below. Be sure to change the DynDNS hostname to your hostname in line 4 (or change it to your public IP address if you have a static one). Leave the port number at 1194, as it is the standard OpenVPN port. Also, be sure to change lines 11 and 12 to reflect the name of your client’s certificate file and key file. Save this as a new .ovpn file in the OpenVPN/config folder.
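    A check for the finished client.ovpn and the files it names, as an added example (not code from the guide or from OpenVPN): it parses the directives, confirms the remote host and port, the ca/cert/key lines and server-certificate verification, and that the referenced PEM files are present in the config folder. The sample file embedded in it is constructed to match the guide's settings; yourhost.dyndns.org is a placeholder.

```python
"""Sanity-check a client.ovpn and the ca/cert/key files it names (added example).

SAMPLE_CLIENT_OVPN is a constructed file in the shape the guide asks for;
'yourhost.dyndns.org' is a placeholder for your DynDNS hostname or public IP.
"""
import ipaddress
import os
from typing import Dict, List

SAMPLE_CLIENT_OVPN = """\
client
dev tun
proto udp
remote yourhost.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
verb 3
"""

# PEM type each referenced file must start with. Keys may be "RSA PRIVATE KEY"
# (what easy-rsa 2 writes) or the newer "PRIVATE KEY", so only that part is checked.
EXPECTED_PEM = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it appears with.

    Blank lines and '#'/';' comments are skipped. Inline <ca>...</ca> blocks
    are not used by the guide and are not handled here.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def _is_private_address(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname rather than an IP literal
        return False


def check_client_ovpn(text: str, expected_port: int = 1194) -> List[str]:
    """Return the problems found; an empty list means the file matches the guide."""
    d = parse_ovpn(text)
    problems: List[str] = []
    if "client" not in d:
        problems.append("missing 'client' directive")
    remotes = d.get("remote", [])
    if not remotes:
        problems.append("no 'remote' line: set it to your DynDNS hostname or static public IP")
    for args in remotes:
        host = args[0] if args else ""
        port = args[1] if len(args) > 1 else "1194"  # OpenVPN's default when omitted
        if host == "my-server-1":  # placeholder shipped in OpenVPN's sample client.ovpn
            problems.append("remote is still the sample placeholder 'my-server-1'")
        elif _is_private_address(host):
            problems.append(f"remote {host} is a private address; use your public hostname/IP")
        if not port.isdigit() or int(port) != expected_port:
            problems.append(f"remote port is {port}, expected {expected_port}")
    for directive in EXPECTED_PEM:
        if directive not in d:
            problems.append(f"missing '{directive}' line")
    # build-key-server marks the server certificate nsCertType=server. Without one
    # of these directives the client would accept any certificate signed by your CA,
    # including another client's, as the server.
    if "ns-cert-type" not in d and "remote-cert-tls" not in d:
        problems.append("no 'ns-cert-type server' (or 'remote-cert-tls server') line")
    return problems


def check_config_folder(text: str, folder: str) -> List[str]:
    """Confirm the ca/cert/key files the .ovpn names exist in `folder` (the
    OpenVPN config folder on the client) and carry the expected PEM header."""
    problems: List[str] = []
    for directive, pem_type in EXPECTED_PEM.items():
        for args in parse_ovpn(text).get(directive, []):
            if not args:
                problems.append(f"'{directive}' line has no file name")
                continue
            path = os.path.join(folder, args[0])
            if not os.path.isfile(path):
                problems.append(f"{args[0]} not found in {folder}")
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                first = fh.readline().strip()
            if not (first.startswith("-----BEGIN") and pem_type in first):
                problems.append(f"{args[0]} does not look like a PEM {pem_type}")
    return problems
```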

    Configuring Tomato’s VPN Tunneling

    The basic idea now is to copy the server certificates and keys we made earlier and paste them into the Tomato VPN server menus. Then we will check a few settings in Tomato, test the VPN connection, and then we’ll be able to wash our hands and call it a day!
    Open up a browser and navigate to your router. Click the VPN Tunneling menu in the left sidebar. Make sure Server1 and Basic are selected, too. Set up your settings exactly as they appear below. Click Save.
    Next, click the Advanced tab next to Basic. Just like before, make sure your settings are exactly as they appear below. Click Save.
    Our last step is pasting the keys and certificates we originally created. Open up the Keys tab next to Advanced. In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\easy-rsa\keys on 64-bit Windows 7 (or C:\Program Files\OpenVPN\easy-rsa\keys on 32-bit Windows 7). Open each corresponding file below (ca.crt, server.crt, server.key, and dh1024.pem) with Notepad or Notepad++ and copy the contents. Paste the contents in the corresponding boxes as seen below. Click Save and then click Start Now.
    Before we test our VPN connection, there’s one more thing we have to check inside of Tomato. Click Basic in the left hand column and then Time. Be sure that the Router Time is correct and Time Zone displays your current time zone. Set the NTP Time Server to your country.

    Setting Up an OpenVPN Client

    In this example we will be using a Windows 7 laptop as our client. The first thing you’ll want to do is install OpenVPN on your client like we did above in the first steps under Configuring OpenVPN. Then navigate to C:\Program Files\OpenVPN\config which is where we’ll be pasting our files.
    Now we have to go back on our original computer and collect a total of four files to copy over to our client laptop. Navigate to C:\Program Files (x86)\OpenVPN\easy-rsa\keys again and copy ca.crt, client1.crt, and client1.key. Paste these files in the client’s config folder.
    Finally, we need to copy one more file over. Navigate to C:\Program Files (x86)\OpenVPN\config and copy over the new client.ovpn file we created earlier. Paste this file in the client’s config folder also.

    Testing the OpenVPN Client

    On the client laptop, click the Windows Start button and navigate to All Programs > OpenVPN. Right click on the OpenVPN GUI file and click Run as administrator. Note that you must always run OpenVPN as an administrator in order for it to work properly. To permanently set the file to always run as administrator, right click the file and click Properties. Under the Compatibility tab check Run this program as an administrator.
    The OpenVPN GUI icon will appear next to the clock in the taskbar. Right click the icon and click Connect. Since we only have one .ovpn file in our config folder, OpenVPN will connect to that network by default.
    A dialog box will pop up displaying a connection log.
    Once you’re connected to the VPN, the OpenVPN icon in the taskbar will turn green and will display your virtual IP address.
    And that’s it! You now have a secured connection between your server and client’s network using OpenVPN and TomatoUSB. To further test the connection, try opening a browser on the client laptop and navigating to your Tomato router on the server’s network.
    ------------------------------------------------------------------------------------------------------------------

    Hack Attack: Turn your $60 router into a $600 router

    Of all the great DIY projects at this year's Maker Faire, the one project that really caught my eye involved converting a regular old $60 router into a powerful, highly configurable $600 router. The router has an interesting history, but all you really need to know is that the special sauce lies in embedding Linux in your router. I found this project especially attractive because: 1) It's easy, and 2) it's totally free.
    So when I got the chance, I dove into converting my own router. After a relatively simple firmware upgrade, you can boost your wireless signal, prioritize what programs get your precious bandwidth, and do lots of other simple or potentially much more complicated things to improve your computing experience. Today I'm going to walk you through upgrading your router's firmware to the powerful open source DD-WRT firmware.
    Update: For an alternative to DD-WRT with a simplified interface and fancy charts and graphs, check out our other guide to turning your $60 router into a user-friendly super router with Tomato.
    Update two: This is a rather old post at this point, and much has changed in the world of DD-WRT. For one, DD-WRT now supports considerably more devices, and since the installation procedure varies by device, I'd recommend the following: 1) Visit the DD-WRT wiki's list of supported devices, 2) searching for your device, and 3) if it's supported, following the DD-WRT installation notes for your device. I realize we're sending you off into the wild to fend for yourself, but we can't practically maintain instructions for all the different possibilities in this post. Good luck!

    What you'll need:

    1. One of the supported routers. I used a Linksys WRT54GL Wireless router that I picked up from Newegg, and the instructions that follow detail the upgrade process specifically for that router and its close siblings. If you're upgrading one of the other supported routers, you might want to look into instructions specific to your router. These instructions may generally work for other supported routers, but I'm not making any promises.
    2. The generic DD-WRT v23 SP1 mini firmware version located here.*
    3. The generic DD-WRT v23 SP1 standard firmware version located here.*
    *You'll be upgrading the firmware twice, first using the mini firmware, then using the standard.

    Upgrading your router to the DD-WRT firmware

    Check out this gallery for the detailed step-by-step upgrade with screenshots. When you're finished, come back here for some of my favorite tweaks.
    Update, October '07: Reader Josh Harris writes in:
    All the new WRT54G routers being sold now are v8, and the previous DD-WRT software didn't work on them. However, recent versions added support for the new v8 router— but it's a little more in depth.
    Got this to work on the WRT54G v8 (should work on 7 as well, just replace the files with the corresponding 7 version):
    First of all, use IE explorer. Firefox didn't work at all on this for me, even after install. Second, go to this page. Read the textfile carefully and follow its instructions. Two edits to the textfile:
    1. Make sure you go to command prompt and type ipconfig /all. Record the default gateway, the subnet mask, and the two DNS addresses. When you set the IP address manually on your desktop/laptop to 192.168.1.100 as per the instructions, you will need to set these 4 numbers as well.
    2. Don't forget when you do the tftp that you need to be in the folder that contains the downloaded dd-wrt.v24_micro_wrt54gv8.bin file (for example, if it is in C:\Downloads, type cd C:\Downloads).
    Lastly don't forget you need to be on a wire to the router, and download both vxworkskillerGv8.bin and dd-wrt.v24_micro_wrt54gv8.bin before you start. Following this procedure will install the micro version on your router.
    After this, switch your laptop/desktop back to receiving your IP address via DHCP rather than the manual configuration you set as per the instructions. You will be able to access the DD-WRT micro install via 192.168.1.1 with the login username root and the password admin. From here, you still need to install the DD-WRT standard.
    Unfortunately, you cannot go any farther than this with WRT54G v7 and v8 because Linksys downgraded the physical memory in these recent models. However, micro is still an improvement over the original Linksys firmware.

    Boost your wireless signal

    The first thing I did after I finished the firmware upgrade was give my wireless signal a much needed boost ("needed" in the sense any signal boosting that can be done needs to be done, right?). Doing so is trivial.
    Go to the Wireless tab, then to Advanced Settings. Find the entry labeled Xmit Power, which is set by default at a paltry 28mW, and can be set up to 251mW. To be honest, I don't know much about the science of the whole process, but I do know that 251 is WAY bigger than 28. However, you probably don't want to pump it up to 251mW right away.
    The DD-WRT manual suggests that a "safe increase of up to 70 would be suitable for most users." Anything too much above that and you'd be flirting with overheating your router and damaging the life of your router (though I've heard that many people have pushed it up to 100 or above). So go ahead and change your Xmit Power to 70 and click the Save Settings button at the bottom of the page.
    I can't measure for sure how the signal boost has improved things for me since I've just moved into this apartment, but I can say that the signal is full bars pretty much anywhere I go. How's that for scientific?

    Throttling your bandwidth by program

    While most routers treat one request for bandwidth the same as any other, your new $600 router is a step above. By setting up QoS (Quality of Service) rules, you can give priority to your interactive traffic (like VoIP, web browsing, or gaming) while throttling traffic that doesn't require a steady rate of bandwidth to function (like P2P programs).
    Doing so will ensure that even if your network gets clogged with lots of file sharing, you'll still have enough bandwidth left over to make all of your free SkypeOut phone calls. If you've got roommates who tend to sponge up a lot of bandwidth, you can even prioritize by IP address.

    What to do if you brick your router

    If, god forbid, while flashing your firmware you end up "bricking" your router, don't worry - all is not lost. The DD-WRT wiki (a great resource of all things DD-WRT) can help you recover from a bad flash.
    Of course, your router will handle securing your network, port forwarding, and all the other things your regular old router does.
    Obviously I've just scratched the surface here, so if you decide to try this out, there's a lot of potential for other things you can do. Any readers tricked out a router with DD-WRT or one of the other open source distros? Tell us what tweaks have worked for you in the comments or at tips at lifehacker.com.
    Adam Pash is an associate editor for Lifehacker who loves a good signal boost. His special feature Hack Attack appears every Tuesday on Lifehacker. Subscribe to the Hack Attack RSS feed to get new installments in your newsreader.

    Turn Your $60 Router into a User-Friendly Super-Router with Tomato



    A year-and-a-half ago, we showed you how to turn your $60 router into a highly configurable $600 router with DD-WRT, a free, open source firmware. Since then there's been a lot of development of open source firmwares, and today we're taking a look at my new favorite, a firmware called Tomato. Tomato does almost everything DD-WRT does—from Wi-Fi signal boosting to Quality of Service bandwidth allocation—in addition to offering a simplified interface chock-full of fancy charts and graphs. Sound good? Let's get started.

    Check If Your Router's Supported

    Before you go upgrading your firmware willy-nilly, be sure to check Tomato's list of supported devices. The router I'll be using is the very same router I used for the original DD-WRT guide, this Linksys WRT54GL router. Several of the Linksys WRT54G series routers are supported, but they aren't all, so make sure you check your model number. In addition to the pervasive Linksys router, Tomato will also install on some Buffalo, ASUS, and Microsoft routers.

    Upgrade Your Router to the Tomato Firmware

    So you've either ensured that your current router is supported or you've ordered a new cheap one off the internet? Then it's time to upgrade that router to Tomato. First, go download the latest Tomato firmware (as of this writing, that's version 1.13). You'll download a 7zip archive, so use your favorite unarchiver (may I suggest 7-Zip), and extract the contents to an easy-to-find folder on your desktop.
    Now you'll need to log into your current router to upgrade. This process may vary slightly depending on what router you're using and the firmware it's running, but for the most part it's very simple. You can go through the old DD-WRT step-by-step here if you're using a Linksys router with the default firmware (just replace DD-WRT with Tomato and quit after step 2). Below I'll describe the simple update process from DD-WRT to Tomato (which is virtually the same as it would be for any other router with one small difference).
    First, point your browser to 192.168.1.1/, the default admin page for your router. If your router has a username/password set, you'll need to enter it to continue. Next you need to navigate to the firmware upgrade section of your router's admin panel. In both DD-WRT and the default Linksys firmware, you'll click the Administration tab followed by the Firmware Upgrade tab. Now just click the Browse button and direct your router to the appropriate firmware file for your router in the folder you unzipped earlier.
    See the README file included in the Tomato_1_13 folder to determine which version you'll need to choose at this point. If you're using the same WRT54GL router as I am, pick the file named WRT54G_WRT54GL.bin. Now just click the upgrade button and wait. Be sure not to turn off your router during this upgrade.
    When it's finished, you're ready to start using Tomato. (Pretty simple, right?) Point your browser back to 192.168.1.1/ and log in with "admin" (without quotes) as both your username and password. If you upgraded from DD-WRT, this may not be working for you. If the login isn't working off the bat, you've got one more thing to do: perform a hard reset on your router. To do so, just find the little Reset button on the back of your router, then press and hold it for a few seconds. When your router comes back online, the "admin" username and password should work.

    Boost Your Wi-Fi Signal

    There's a lot you can do now that you're running Tomato on your router, but let's go straight to one of the sexiest tweaks supported by Tomato: Wi-Fi signal boosting. Just click on Advanced -> Wireless in the Tomato sidebar and find the entry labeled Transmit Power. The default transmit power is 42mW, but it's capable of transmitting at up to 251mW.
    Tomato is a little low on documentation on this subject (okay, so it's low on documentation all-around), but the DD-WRT documentation suggests that an increase of up to 70mW would be "suitable for most users." A boost much above that could cause heat issues and considerably decrease the life of your router.
    I can't attest to the certainty of damage beyond what the DD-WRT documentation says, but here is what I can tell you: I've been running my router with DD-WRT for over a year transmitting at 70mW, haven't seen any hiccups in performance and so far have seen no smoke. Even better, my Wi-Fi signal easily reaches to every corner of my apartment.

    Track Your Bandwidth Usage, Set Quality of Service Rules, and More

    From this point on, if there's something you want to do with your router, chances are Tomato can do it for you. In particular the bandwidth logging is both attractive and handy, allowing you to track bandwidth usage in real-time, over the last 24 hours, or with daily, weekly, or monthly reports.
    A few weeks back I showed you how to set up Quality of Service rules on your DD-WRT router to ensure you don't drop Skype calls, lag on Xbox Live, and generally get your bandwidth when and where you need it. Tomato does all the same while providing even more granular control over how much bandwidth goes where... and, like the bandwidth reports, it graphs it all.
    If you've assigned a domain name to your home server (like adam-lh.homeip.net), Tomato can send alerts to the service if you've got a dynamic IP address so that the domain will always point to your computer—even if your external IP address changes.
    For a few other worthwhile uses, check out these videos for setting up Tomato's Access Restriction rules (allows you to set up rules to block browsing of certain topics at certain times, for example), using the Bandwidth Monitor, and putting your router into Wireless Client mode.
    As I said above, documentation on Tomato is slim, but this Tomato wiki is a good place to start if you want to figure out a feature.

    So Which Is Better, Tomato or DD-WRT?

    After reading this, you may have noticed that Tomato shares a lot of features with DD-WRT; if you did, you're probably wondering which is better. Honestly, the two firmwares are both excellent—you won't go wrong running either. DD-WRT has a slightly more robust feature set and a bit more polish in the layout of the admin, but most features that you'll find in DD-WRT that are not in Tomato are features most home users will never use. Both do Quality of Service (in fact, we've already gone step-by-step through how to set up QoS in DD-WRT), though Tomato seems to do it a bit better; both can boost your Wi-Fi signal; and both will transform your router into something much better than it was before you started. At the moment I prefer Tomato for the simplicity of its layout, the excellent bandwidth monitoring tools, and of course, its attractive charts. If you're a DD-WRT or Tomato fan, let's hear which you prefer and why in the comments.
    from http://lifehacker.com/344765/turn-your-60-router-into-a-user+friendly-super+router-with-tomato
    ----------------------------------------------
    Update: See the discussion on Hacker News.
    This is one of those posts that is meant to save time for myself in the future when I’ll have to figure all of this out from scratch.
    I spend a lot of time in coffee shops and public places with unsecure wifi. Unsecure wifi scares the bejeesus out of me so I wanted to figure out a way to secure any traffic going through. It would also be nice to access things on my home network. It turns out there are a million different ways to do this and I found one that worked for me. Here were the constraints that I imposed.
    • It should be secure (duh !) for coffee-shop, public wifi browsing. This is not designed to hold up to connecting to DefCon/blackhat conference wifi.
    • It should work from anywhere in the world.
    • It shouldn’t require me to have any computing devices booted up and running at home apart from my wifi router running a DD-WRT build.
    • It should work on all my computing devices, especially on iOS.
    • It shouldn’t use any external VPN/SSH services. No good reason apart from the fact that I’m just masochistic about these things.
    If you don’t have these constraints, there are many different ways to do this. Here are some alternate options.

    Alternate paths

    • If you are only using laptops, you should just use SSH using the excellent instructions here. I still use this when I’m using my MBP.
    • If you’re ok with using an external service, you should use something like LogMeIn Hamachi, which is an excellent product and more secure than the setup I lay out below.
    • If you don’t need to use iOS, you should use OpenVPN instead. OpenVPN is way more secure but not supported by iOS out of the box (but jailbroken iOS will get you support).
    • If you’re ok with having a machine apart from your DD-WRT router running, there are several options. For example, there are tons of VPN servers that will let you set up a OpenVPN or a L2TP/PPTP server (both protocols supported by iOS out of the box). See this comparison of the various protocols.
    But if you happen to have this specific set of constraints as I do and like DIY hacks, read on.

    DO NOT SKIP - IMPORTANT - Security risks of using PPTP

    VPNs can be created using a multitude of protocols and the one we are going to use, PPTP, is the most insecure of the lot. Wait, what? Why are we picking the most insecure one if the whole purpose of the exercise is to make internet usage more secure? Worse, by using something insecure, we could let somebody get into our home network and rampage around. If you’re not going to use a long passphrase/password, you shouldn’t be doing this.
    Here’s why I picked PPTP and I believe using it with very long passwords/passphrases is acceptable.
    1. OpenVPN is arguably the most secure solution, but iOS doesn’t support it out of the box. iOS does support L2TP, but DD-WRT doesn’t support that. So we’re stuck with PPTP. If you’re willing to run a server at home, you should be using L2TP.
    2. PPTP’s security increases when using long passwords. The security attacks are typically dictionary based. So make sure you use a long password.
    3. And finally, chances are low that an attacker at a public wifi station is going to put in the effort to go after you. If that isn’t true, you’re in trouble.
    If you don’t understand what I’m talking about or if you don’t agree, you shouldn’t be doing this.

    END SECURITY SECTION

    Setting up your DD-WRT wifi router as a VPN server

    • If you don’t have DD-WRT installed on your wifi router, stop reading right now and go install it. It will not only give you all sorts of extra features you never knew wifi routers could do, it also boosts performance over most stock firmwares. In our case, we’ll use the VPN service.
    • Get the right version of DD-WRT installed. I have v24-sp2 installed but I believe anything over v24 should be fine.
    • Read the instructions on the DD-WRT wiki. This saved me a lot of headache and when I didn’t see bits (like the one on special characters in passwords, for example), I regretted it later.
    • Go to the Services -> VPN tab on your router’s administration page (which is typically at http://192.168.1.1 ). DD-WRT moves this UI around from version to version so you might need to hunt a little.
    • The wiki tells you what each of these settings mean but here’s what I used to get it working.
      PPTP Server -> Enable
      Broadcast support -> Enable
      Force MPPE Encryption -> Enable
      Server IP -> 192.168.1.1 (you can pick anything here, just remember to use this when you forward traffic a bit later)
      Client IP -> 192.168.1.110-120 ( you can use any valid range here)
      DNS1/DNS2 -> 8.8.8.8/8.8.4.4 (not using Google’s DNS also worked for me but others on the web have reported issues here)
      CHAP-Secrets -> * username * “password” *
      The format of the username/password line is critical. It is asterisk-space-username-space-asterisk-space-password enclosed by quotes-space-asterisk. If you don’t have special characters in your password, you can skip the quotes. If you have multiple usernames and passwords, just use the same format in a new line. REMEMBER - use a long password with special characters or you will be in trouble.
    Hit ‘Apply Settings’.
    • Now, you need to do a couple of things to work around some iOS and OSX quirks. The first is around DNS. Add the below as a startup command in the Administration->Commands tab.
      #!/bin/sh
      # pppd options that iOS/OSX clients need
      echo "nopcomp" >> /tmp/pptpd/options.pptpd
      echo "noaccomp" >> /tmp/pptpd/options.pptpd
      # restart pptpd so it picks up the amended options file
      kill `ps | grep pptp | cut -d ' ' -f 1`
      pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd
    
    • Run this command using Administration->Commands to force encryption (the DD-WRT wiki explains in detail what this does, if you want to understand it).
      sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd 
    • Go to Security->VPN Passthrough and make sure PPTP passthrough is enabled.
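The CHAP-Secrets format and the long-password advice above are easy to get wrong by hand. As an added example (not code from the original post), here is a small POSIX shell script that audits a saved copy of the CHAP-Secrets lines: it checks that each line has the `* user * "password" *` shape described above, that a password containing special characters is quoted, and that every password meets a minimum length. The sample entries, the temporary file name and the MIN_LEN policy value are assumptions.

```shell
#!/bin/sh
# Audit DD-WRT "CHAP-Secrets" lines ( * user * "password" * ) against the
# advice in the post above. Added example, not code from the original post;
# MIN_LEN is an assumed local policy and the sample file is constructed.

MIN_LEN=${MIN_LEN:-20}

# check_line LINE -> prints "ok USER", "weak USER", "unquoted USER" or
# "malformed"; returns 0 only for "ok"
check_line() {
  line=$1
  # the field layout the post describes: asterisk, user, asterisk, password, asterisk
  user=$(printf '%s\n' "$line" | sed -n 's/^\* \([^ ]*\) \* \(.*\) \*$/\1/p')
  pw=$(printf '%s\n' "$line" | sed -n 's/^\* \([^ ]*\) \* \(.*\) \*$/\2/p')
  if [ -z "$user" ]; then
    echo "malformed"
    return 1
  fi
  quoted=0
  case $pw in
    \"*\") quoted=1; pw=${pw#\"}; pw=${pw%\"} ;;
  esac
  # special characters are only safe inside quotes (see the post)
  if [ "$quoted" -eq 0 ]; then
    case $pw in
      *[!A-Za-z0-9]*) echo "unquoted $user"; return 1 ;;
    esac
  fi
  if [ "${#pw}" -lt "$MIN_LEN" ]; then
    echo "weak $user"
    return 1
  fi
  echo "ok $user"
}

# audit_file FILE -> one verdict per non-comment line; returns 1 if any failed
audit_file() {
  rc=0
  while IFS= read -r l || [ -n "$l" ]; do
    case $l in ''|'#'*) continue ;; esac
    check_line "$l" || rc=1
  done < "$1"
  return $rc
}

# write_sample FILE -> constructed sample entries (not from any real router)
write_sample() {
  cat > "$1" <<'EOF'
# user / password lines in the DD-WRT format
* alice * "c0rrect-horse-battery-staple!" *
* bob * short *
* carol * p@ss-word-with-specials-unquoted *
dave * nope *
EOF
}

SAMPLE=${TMPDIR:-/tmp}/chap-secrets.sample.$$
write_sample "$SAMPLE"
audit_file "$SAMPLE" || echo "audit found problems"
rm -f "$SAMPLE"
```

Paste the lines from the router's CHAP-Secrets box into a file and run `audit_file` on it; a non-zero exit means at least one entry is malformed, unquoted or shorter than the policy allows.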

    Setting up DynDNS

    The next step is to get this accessible from anywhere in the world. DD-WRT has built-in support for DynDNS which makes this easy.
    • Create an account on DynDNS. You’ll get a host-name, something of the form username.dyndns-server.com.
    • In DD-WRT, go to Setup->DDNS. Select DDNS service as DynDNS.org, enter your DynDNS username, password and hostname and make sure the status textarea doesn’t have any errors when you hit ‘Apply Settings’. If you type dig username.dyndns-server.com in a terminal (or use nslookup on Windows), you should now see your public IP.
    • Now comes the scary step - forwarding traffic from the outside world. We’re going to forward two ports only (one should be sufficient but some users report errors here). Go to the NAT/QoS->Port Forwarding tab and add the following entries. If you didn’t pick 192.168.1.1 before as the server IP address, you need to change that here.
      Application - vpn, Port from - 1723, Protocol - Both, IP Address - 192.168.1.1, Port To - 1723, Enabled - Check
      Application - vpn, Port from - 1792, Protocol - Both, IP Address - 192.168.1.1, Port To - 1792, Enabled - Check
    • Hit ‘Apply Settings’.
    • Reboot the router. I typically do this by pulling out the power cord and plugging it back in.

    Setting up OSX as a VPN Client

    At this point, you should have a functional VPN server. Let’s connect to it! I’m going to lay out the instructions for OSX and since Apple uses the same terminology, iOS setup is almost identical from inside the General Settings->Network UI. All other VPN clients should have a similar configuration experience as well.
    • Open up the ‘Network’ preferences pane in System Preferences.
    • Use the ’+’ button at the left bottom of the pane.
    • Pick VPN as the interface, PPTP as VPN Type and name it anything you want (I used ‘Home VPN’).
    • You should have a VPN interface created for you. Here, enter your DynDNS hostname in ‘Server Address’, your username that you entered in the CHAP Secrets section as ‘Account Name’. Press ‘Advanced…’ and check the option to send all traffic through this connection. Now, back in the main pane, press ‘Connect’. Enter the password you typed out back in the CHAP Secrets section and…
    • Voila! You are now connected to your own VPN server. If this actually worked on your first attempt, congratulations! You can now browse securely from anywhere in the world by channeling all traffic through your home network.

    If this didn’t work

    There are several things that could go wrong above. Here are some common debugging tasks:
    • Check the username, password format. This was the cause of much pain, especially around special characters.
    • Check the output at every step. For example, try connecting using 192.168.1.1 instead of the public hostname if you think DynDNS is the problem.
    • The DD-WRT forums are excellent. Search there and try posting there if you have an unresolved issue.
    • Of course, there’s always your favorite search engine to fall back on :).
    Happy VPNing.
    FROM http://sriramk.com/blog/2011/08/ddwrt-pptp-vpn.html
    --------------------------------------------------------------------------

    Setting up OpenVPN on OpenWRT with automatic, selective GFW bypass

    Network

    [Network topology diagram]
    1) On the NW300R, edit the OpenVPN client configuration as follows:
    cat /etc/config/openvpn
    config 'openvpn' 'client'
     option 'enable' '1'
     option 'client' '1'
     option 'dev' 'tun'
     option 'proto' 'udp'
     option 'keepalive' '10 120'
     option 'resolv_retry' 'infinite'
     option 'nobind' '1'
     option 'persist_key' '1'
     option 'persist_tun' '1'
     option 'comp_lzo' '1'
     option 'verb' '3'
     option 'tun_ipv6' '0'
     option 'remote' ' '
     option 'ca' '/etc/openvpn/client.ca'
     option 'cert' '/etc/openvpn/client.cert'
     option 'key' '/etc/openvpn/client.key'
     option 'max-routes' '3000'
    
    Note: on the server side it is best to set your_openvpn_port to something other than the default 1194, because in practice that port is unstable due to GFW monitoring.
    The OpenVPN CA certificate and related files (/etc/openvpn/client.ca etc.) have to be uploaded with scp.
    2) Start OpenVPN with /etc/init.d/openvpn start
    3) Run the route command to verify. Note that in the routing table below all external traffic goes through the VPN server, because the server pushes "redirect-gateway def1".
    root@OpenWrt2:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      192.168.1.1     255.255.255.255 UGH   0      0        0 br-lan
    10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
    10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
    192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
    default         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
    128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
    default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
    
    Alternatively, ifconfig shows that a new tun0 interface has appeared.
    At this point, ping 10.8.0.1 to confirm that the OpenVPN tunnel is up.
    4) Change the NW300R's DNS server settings so that DNS resolution cannot be poisoned; otherwise DNS queries go to 192.168.1.1, unprotected by the VPN.
    root@OpenWrt2:~# cat /etc/resolv.conf
    search lan
    nameserver 127.0.0.1
    
    root@OpenWrt2:~# cat /etc/config/dhcp
    config 'dnsmasq'
     option 'domainneeded' '1'
     option 'boguspriv' '1'
     option 'localise_queries' '1'
     option 'rebind_protection' '1'
     option 'rebind_localhost' '1'
     option 'local' '/lan/'
     option 'domain' 'lan'
     option 'expandhosts' '1'
     option 'readethers' '1'
     option 'leasefile' '/tmp/dhcp.leases'
     option 'resolvfile' '/etc/openvpn/resolv.conf'
    
    config 'dhcp' 'lan'
     option 'interface' 'lan'
     option 'ignore' '1'
    
    config 'dhcp' 'wan'
     option 'interface' 'wan'
     option 'ignore' '1'
    
    root@OpenWrt2:~# cat /etc/openvpn/resolv.conf
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    
    5) Set up smart routing
    This uses the chnroutes project: download the OpenVPN version, run it on a machine with Python to generate the latest routing rules, and upload the result to the router.
    The script generates two commands, vpnup and vpndown, which apply the routing-rule changes needed when OpenVPN starts and stops (the principle: route all Chinese IP ranges to 192.168.1.1).
    After running vpnup, listing the routing table with route shows more than 2000 extra rules...
    Now traceroute to one Chinese and one foreign IP:
    root@OpenWrt2:~# traceroute tao123.com
    traceroute to tao123.com (121.14.24.241), 30 hops max, 38 byte packets
     1  192.168.1.1 (192.168.1.1)  1.496 ms  1.322 ms  1.440 ms
     2  61.130.120.156 (61.130.120.156)  2.910 ms  2.218 ms  3.183 ms
     3  220.191.156.181 (220.191.156.181)  2.214 ms  2.136 ms  13.653 ms
     4  61.164.19.205 (61.164.19.205)  5.299 ms  2.298 ms  2.576 ms
     5  61.164.17.61 (61.164.17.61)  8.297 ms  7.966 ms  8.335 ms
     6  202.97.56.241 (202.97.56.241)  24.566 ms^C
    
    root@OpenWrt2:~# traceroute facebook.com
    traceroute to facebook.com (69.63.189.11), 30 hops max, 38 byte packets
     1  10.8.0.1 (10.8.0.1)  231.700 ms  210.645 ms  224.737 ms
     2  184.105.143.85 (184.105.143.85)  239.952 ms  259.713 ms  266.340 ms
     3  10gigabitethernet2-3.core1.fmt1.he.net (64.62.250.5)  273.158 ms  285.133 ms  285.376 ms
     4  10gigabitethernet1-1.core1.pao1.he.net (66.160.158.242)  284.708 ms  277.205 ms  277.986 ms
     5  paix.pr02.pao1.tfbnw.net (198.32.176.108)  275.467 ms  321.888 ms^C
    
    Notice that the first hop now takes the right route!
    6) Set up iptables
    iptables -I FORWARD -o br-lan -j ACCEPT                 # allow forwarding out of br-lan
    iptables -I FORWARD -o tun0 -j ACCEPT                   # allow forwarding out of tun0
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE    # SNAT traffic leaving via tun0
    7) Configure the clients
    Because DHCP is disabled on the NW300R (if it were enabled, the NW300R would need a different subnet such as 192.168.2.1, which in turn requires extra setup so that machines on the two subnets can reach each other), clients that connect via DHCP get 192.168.1.1 as both gateway and DNS, and so do not bypass the GFW automatically. Any device that should bypass it automatically needs its gateway and DNS set by hand to 192.168.1.2. If you only have one wireless router, of course, the problem does not arise. I have not yet found a good solution for the multiple-router case; advice from those who know better is welcome.
    from http://hugozhu.wordpress.com/2011/07/17/opwrt%E8%AE%BE%E7%BD%AEopenvpn%E5%B9%B6%E8%87%AA%E5%8A%A8%E7%BF%BB%E5%A2%99/
    --------------------------------------------------------------------------------------------------

    Setting up WDS on OpenWRT

    If you need several wireless routers at home joined into one LAN so that every connected machine (wired or wireless) can reach every other, WDS is the simplest way to configure it. Other wireless bridging methods exist, such as Client + AP (which requires two networks) and Bridged Client (Broadcom chipsets only); only WDS is discussed here.

    [WDS diagram]
    For WDS it is best to use routers with the same wireless chipset, because the vendors' WDS implementations are not all the same.
    OpenWRT is a powerful Linux-based open-source router operating system. Its wireless configuration lives in /etc/config/wireless.
    Suppose you have two routers, A and B: A connects to the internet over ADSL, and B connects to A over wireless.
    Suppose A's MAC address is aa:aa:aa:aa:aa:aa and B's is bb:bb:bb:bb:bb:bb.
    First set A's LAN IP to 192.168.1.1/24 with the DHCP server enabled; set B's LAN IP to 192.168.1.2/24 with gateway and DNS both 192.168.1.1, and be sure to disable B's DHCP server.

    A's /etc/config/wireless:
    config 'wifi-device' 'radio0'
     option 'type' 'mac80211'
     option 'macaddr' 'aa:aa:aa:aa:aa:aa'
     option 'hwmode' '11ng'
     list 'ht_capab' 'SHORT-GI-20'
     list 'ht_capab' 'SHORT-GI-40'
     list 'ht_capab' 'TX-STBC'
     list 'ht_capab' 'RX-STBC1'
     list 'ht_capab' 'DSSS_CCK-40'
     option 'channel' '3'
     option 'txpower' '20'
     option 'country' 'US'
     option 'htmode' 'HT20'
     option 'disabled' '0'
     option 'noscan' '1'
    
    config 'wifi-iface'
     option 'device' 'radio0'
     option 'mode' 'ap'
     option 'ssid' 'hugo'
     option 'wds' '1'
     option 'network' 'lan'
     option 'encryption' 'psk2'
     option 'key' 'password'
    

    B's /etc/config/wireless:
    config 'wifi-device' 'radio0'
     option 'type' 'mac80211'
     option 'macaddr' 'bb:bb:bb:bb:bb:bb'
     option 'hwmode' '11ng'
     list 'ht_capab' 'SHORT-GI-20'
     list 'ht_capab' 'SHORT-GI-40'
     list 'ht_capab' 'TX-STBC'
     list 'ht_capab' 'RX-STBC1'
     list 'ht_capab' 'DSSS_CCK-40'
     option 'channel' '3'
     option 'country' 'US'
     option 'txpower' '20'
     option 'htmode' 'HT20'
     option 'noscan' '1'
     option 'disabled' '0'
    
    config 'wifi-iface'
     option 'device' 'radio0'
     option 'ssid' 'hugo'
     option 'mode' 'sta'
     option 'wds' '1'
     option 'network' 'lan'
     option 'essid' 'aa:aa:aa:aa:aa:aa'
     option 'encryption' 'psk2'
     option 'key' 'password'
    
    config 'wifi-iface'
     option 'device' 'radio0'
     option 'mode' 'ap'
     option 'ssid' 'hugo2'
     option 'network' 'lan'
     option 'encryption' 'psk2'
     option 'key' 'password'
    
    After editing the config file, run the wifi command to apply it; that is basically all there is to it.
    Once configured, log in to A's OpenWRT web interface and check whether B's MAC address appears among the connected wireless clients. If it does not work, check the wireless encryption mode: relaying worked for me with WPA2 but not with WEP.
    from http://hugozhu.wordpress.com/2011/07/13/openwrt%E8%AE%BE%E7%BD%AEwds/
    --------------------------------------------------------------------------------------

    Running OpenWrt from a USB device with block-extroot


    1. Do I need this?
    If all you want from your OpenWrt device is basic internet access, you can skip the rest.
    Benefits of running OpenWrt from a USB device:
    You can install the many packages from OpenWrt's official repository (though there is no MySQL yet, annoyingly): P2P clients such as transmission-daemon and amule, web servers such as lighttpd/apache, FTP servers such as vsftpd, and so on, plus extra driver packages for webcams, USB sound cards, graphics cards and the like. optware can do part of this too, and most forum tutorials are based on optware.

    2. Required hardware and environment:
    1. A device that can run OpenWrt;
    2. with a USB port;
    3. a reasonably recent OpenWrt. I don't know how far back it works, but the current trunk (latest development build) and Backfire (latest stable) both do.

    3. Steps:
    1. Add USB storage support (skip this step if you already have it). Packages needed:
    kmod-usb-ohci, kmod-usb2, kmod-usb-uhci, kmod-usb-storage
    Notes:
    kmod-usb-ohci is for USB 1.1
    kmod-usb2 is for USB 2.0
    kmod-usb-uhci is for some Intel and VIA USB controllers
    (You may not need all three; devices that only support USB 1.1, such as the 7231-4P, should only need kmod-usb-ohci.)
    kmod-usb-storage is for USB mass-storage devices such as flash drives and USB hard disks.
    For beginners (I'm a beginner too, to be honest...), the exact commands:
    opkg update
    opkg install kmod-usb-storage kmod-usb-ohci kmod-usb2 kmod-usb-uhci
    2. Auto-mount USB storage and boot from it. Packages needed: block-mount and block-hotplug (for auto-mounting) and block-extroot (for booting from USB)
    opkg update
    opkg install block-mount block-hotplug block-extroot
    3. Install Linux filesystem support. There are many filesystems (ext2, ext3, ext4 and others); pick what you like, but I recommend the classic ext2/ext3. I ran into problems with ext4, and sure enough someone had reported that bug on the OpenWrt site. Also, under Linux, use fat32/ntfs as little as possible, or not at all.
    opkg install kmod-fs-ext3
    Note: without filesystem support the partition cannot be mounted.

    Some will ask why I didn't do it all with a single opkg install. You can, of course; I split it up to help beginners grasp the basic concepts of device drivers, feature packages and filesystem support under Linux.

    After the steps above, with OpenWrt's default settings a plugged-in flash drive is still not picked up: OpenWrt ships a default config template, but at this point auto-mounting is still disabled.

    4. Prepare the USB disk and copy the whole root filesystem. The following assumes a single flash drive:
    4.1 After the first three steps it is best to reboot the device, then plug in the flash drive (or USB hard disk).

    4.2 Prepare a Linux partition and filesystem on the drive. Package needed: e2fsprogs. Partitioning and formatting as ext2/ext3 on another system should work too.
    Partitioning is not covered here; the default single partition is fine. If you want several partitions, see other tutorials.
    opkg update
    opkg install e2fsprogs
    ls /dev/sd* should show sda and sda1 (one drive with one partition; with more drives you will see sdb, sdc, ...)

    4.3 Format the drive as ext2, ext3 or similar; ext3 is used as the example.
    Run on the command line:
    mkfs.ext3 /dev/sda1
    4.4 Copy everything under the root directory to the drive. Procedure: mount the device, then copy the files. With one drive: create a directory under /tmp (here "root"), bind-mount / onto it, mount the drive, and copy everything under /tmp/root to the drive.
    Text after "#" is a comment; when pasting the commands, leave it out.
    mount /dev/sda1 /mnt          # mount the drive's first partition on /mnt
    mkdir /tmp/root               # create a directory named root under /tmp
    mount -o bind / /tmp/root     # bind-mount the system root "/" onto /tmp/root
    cp /tmp/root/* /mnt -a        # copy everything under /tmp/root to /mnt, which is the drive
    umount /tmp/root              # unmount /tmp/root
    Edit /mnt/etc/config/banner and add a small marker so you can later tell whether you booted from the drive. (Optional.)
    vi /mnt/etc/config/banner
    I added one line: Boot from USB ROOT
    Note: there is also /etc/config/banner, the system default, which lives on the flash chip.

    4.5 Edit /etc/config/fstab. Again with one flash drive:
    Before (OpenWrt default):

    config mount
            option target        /home
            option device        /dev/sda1
            option fstype        ext3
            option options        rw,sync
            option enabled        0

    config swap
            option device        /dev/sda2
            option enabled        0

    After (note the changed enabled line and the added is_rootfs line):

    config mount
    #        option target        /home    this line doesn't matter; I usually remove it or comment it out with "#"
            option device        /dev/sda1
            option fstype        ext3
            option options        rw,sync
            option enabled        1
            option is_rootfs     1

    config swap
            option device        /dev/sda2
            option enabled        0

    5. How do I know I am running from USB?
    Method one: edit etc/config/banner on the drive and add a marker

    BusyBox v1.16.1 (2010-04-17 04:55:14 EDT) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

      _______                     ________        __
    |       |.-----.-----.-----.|  |  |  |.----.|  |_
    |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
    |_______||   __|_____|__|__||________||__|  |____|
              |__| W I R E L E S S   F R E E D O M
    KAMIKAZE (bleeding edge, r20950) ------------------
      * 10 oz Vodka       Shake well with ice and strain
      * 10 oz Triple sec  mixture into 10 shot glasses.
      * 10 oz lime juice  Salute!

           Boot from USB root!

    Method two: run df -h and check whether mini_fo:/overlay is mounted on '/' (the root).

    Filesystem                Size      Used Available Use% Mounted on
    /dev/root                 6.8M      5.6M      1.2M  82% /rom
    tmpfs                    30.3M    216.0K     30.1M   1% /tmp
    tmpfs                   512.0K         0    512.0K   0% /dev
    /dev/sdb1               118.6M     32.3M     80.2M  29% /overlay
    mini_fo:/overlay          6.8M      5.6M      1.2M  82% /
    /dev/sda1                36.7G     29.9G      4.9G  86% /mnt

    (This device has two USB storage devices attached.)

    Added 2 October 2010:
    If following this tutorial doesn't work, build your own OpenWrt image and include the packages above at build time.



    PS: most OpenWrt settings live under /etc/config/, and many are of the form option enable 0/1; flipping the 0/1 turns a feature off or on.
    ---------------------------------------------------------------------------------------------

    OpenWrt + OpenVPN


    Not long ago I picked up a Buffalo WZR-HP-G300NH, ditched the stock firmware for OpenWrt, and used it together with yegle's VPN; it works quite well.
    WZR-HP-G300NH hardware list (from OpenWrt):
    • Architecture: MIPS
    • Vendor: Atheros
    • CPU: Atheros AR9132
    • CPU Speed: 400 Mhz
    • Flash size: 32 MB
    • RAM: 64 MB
    • Network: 4×1
    • Wireless: Atheros AR9160 BB/MAC and AR9103 2.4 GHz 3×3 MIMO radio b/g/n
    • USB: Yes
    • Serial: Yes
    • JTAG: ?
    Advantages
    1. Several people can share the VPN.
    2. No need to start OpenVPN or another VPN client after every boot.
    3. yegle's VPN has no traffic cap.
    My network environment:
    A Netgear router is connected to the ADSL modem; the Buffalo router is connected to the Netgear router, and its IP address is in the Netgear's subnet.
    Netgear router IP: 192.168.1.1
    IP obtained by the Buffalo router via DHCP: 192.168.1.3
    Steps
    1. Reflash the router's firmware.
    Reference: http://wiki.openwrt.org/toh/buffalo/wzr-hp-g300h?s[]=wzr&s[]=hp
    PS: I simply followed that document.
    2. After installation, configure the system.
    a. Set the root password; once it is set, telnet login is no longer allowed.
    b. Set the WAN connection type; I chose automatic (DHCP).
    c. Once online, install packages. OpenVPN and iptables are required (see Appendix 1 for the list of packages I installed).
    3. Configure OpenVPN
    a. Enable the custom_config section (/etc/config/openvpn):
    config 'openvpn' 'custom_config'
    option 'config' '/etc/openvpn/vpn.conf'
    option 'enable' '1'
    config 'openvpn' 'sample_server'
    option 'port' '1194'
    option 'proto' 'udp'
    option 'dev' 'tun'
    option 'ca' '/etc/openvpn/ca.crt'
    option 'cert' '/etc/openvpn/server.crt'
    option 'key' '/etc/openvpn/server.key'
    option 'dh' '/etc/openvpn/dh1024.pem'
    option 'server' '10.8.0.0 255.255.255.0'
    option 'ifconfig_pool_persist' '/tmp/ipp.txt'
    option 'keepalive' '10 120'
    option 'comp_lzo' '1'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'status' '/tmp/openvpn-status.log'
    option 'verb' '3'
    config 'openvpn' 'sample_client'
    option 'client' '1'
    option 'dev' 'tun'
    option 'proto' 'udp'
    option 'resolv_retry' 'infinite'
    option 'nobind' '1'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'comp_lzo' '1'
    option 'verb' '3'
    list 'remote' 'xx.xx.xx.xx xxxx'
    list 'remote' 'xx.xx.xx.xx xxxx'
    PS: the sample_server and sample_client sections can be left alone; they are not used.
    b. Set up the OpenVPN connection config (/etc/openvpn/vpn.conf):
    This is simply the VPN provider's config file copied into place. Be sure to add the line below, otherwise OpenVPN asks for a password every time it starts.
    auth-user-pass /root/vpnpass.txt
    c. Password file (/root/vpnpass.txt): (the file has exactly two lines)
    username
    password
    4. Set up the routing table. If everything went through the VPN, access to domestic sites would slow down, so domestic traffic has to be pointed at the local gateway.
    There are far too many domestic IP ranges to do this by hand, so I rely on chnroutes; I won't go into it in detail, but its main job is to fetch the domestic IP ranges and insert them into the routing table. Installing Python on OpenWrt is a bit extravagant, so I generate the route file on a PC and convert it with awk into a shell script.
    My routing table before the change:
    root@OpenWrt:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
    192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
    Example of a route command:
    /sbin/route add -net 203.55.116.0 netmask 255.255.254.0 gw 192.168.1.1 metric 5
    I first use chnroutes_ovpn_linux to generate shroutes.txt.
    awk command:
    cat shroutes.txt |awk '{print $1 "  add -net "$2" netmask "$3" gw 192.168.1.1 metric "$5"}' > sh.txt
    The resulting sh.txt is an executable shell script.
    There is also another project, autoddvpn, aimed at dd-wrt; I haven't looked into it.
    5. Set up iptables
    After the VPN connection is up, run the following two commands and everything is done.
    iptables -I FORWARD -o tun1 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
    tun1 – the local VPN virtual interface
    192.168.10.0/24 – the local network
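Both this post (step 4, the awk one-liner) and the OpenWRT post above (step 5, vpnup/vpndown) turn a chnroutes list into route commands that send domestic prefixes to the local gateway while everything else goes through the tunnel. The POSIX shell script below is an added example, not code from either post or from the chnroutes project: it reads lines in the "route <net> <mask> net_gateway <metric>" shape the awk command expects, validates each address before emitting a command, and writes both a vpnup and a vpndown file. The sample list is constructed, and LOCAL_GW (the non-VPN gateway) and the output paths are assumptions.

```shell
#!/bin/sh
# Build the "vpnup"/"vpndown" route command files both posts above derive from
# a chnroutes route list, validating each line on the way. Added example, not
# code from either post or from the chnroutes project; the input lines mirror
# the "route <net> <mask> net_gateway <metric>" shape the posts feed to awk,
# and LOCAL_GW (the non-VPN gateway) is an assumption.

LOCAL_GW=${LOCAL_GW:-192.168.1.1}

# valid_ipv4 A.B.C.D -> 0 when it is four decimal octets in 0..255
valid_ipv4() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# gen_routes ACTION FILE -> one "/sbin/route ACTION -net ..." per valid line;
# ACTION is "add" (vpnup) or "del" (vpndown); bad lines go to stderr and are skipped
gen_routes() {
  action=$1
  while read -r kw net mask gw metric || [ -n "$kw" ]; do
    case $kw in ''|'#'*) continue ;; esac
    if [ "$kw" != route ] || ! valid_ipv4 "$net" || ! valid_ipv4 "$mask"; then
      echo "skipping malformed line: $kw $net $mask $gw $metric" >&2
      continue
    fi
    [ -n "$metric" ] || metric=5
    echo "/sbin/route $action -net $net netmask $mask gw $LOCAL_GW metric $metric"
  done < "$2"
}

# count_routes FILE -> how many route commands vpnup would run
count_routes() { gen_routes add "$1" 2>/dev/null | wc -l | tr -d ' '; }

# write_sample FILE -> constructed sample list (three prefixes plus one bad line)
write_sample() {
  cat > "$1" <<'EOF'
route 203.55.116.0 255.255.254.0 net_gateway 5
route 1.0.1.0 255.255.255.0 net_gateway 5
route 999.1.1.0 255.255.255.0 net_gateway 5
route 58.14.0.0 255.254.0.0 net_gateway 5
EOF
}

SAMPLE=${TMPDIR:-/tmp}/chnroutes.sample.$$
write_sample "$SAMPLE"
gen_routes add "$SAMPLE" > "${TMPDIR:-/tmp}/vpnup.sh"
gen_routes del "$SAMPLE" > "${TMPDIR:-/tmp}/vpndown.sh"
echo "$(count_routes "$SAMPLE") routes written to ${TMPDIR:-/tmp}/vpnup.sh and vpndown.sh"
rm -f "$SAMPLE"
```

Point `write_sample` at a real chnroutes output file instead of the constructed one, copy the two generated files to the router with scp, and run vpnup after the tunnel comes up and vpndown before it goes down; the validation step means a corrupted or truncated list cannot produce a route command with a garbage destination.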
    References
    [1] OpenWrt, https://openwrt.org/
    [2] OpenWrt Buffalo WZR-HP-G300NH Document, http://wiki.openwrt.org/toh/buffalo/wzr-hp-g300h?s[]=wzr&s[]=hp
    [3] Buffalo WZR-HP-G300NH, http://www.buffalotech.com/products/wireless/wireless-n-routers-access-points/airstation-high-power-n300-gigabit-wireless-router-ap-wzr-hp-g300nh/
    [4] http://www.tolaris.com/2010/09/01/openwrt-10-03-on-buffalo-wzr-hp-g300nh/
    [5] autoddvpn, http://code.google.com/p/autoddvpn/
    [6] chnroutes, http://code.google.com/p/chnroutes/
    Appendix 1
    root@OpenWrt:~# opkg list-installed
    base-files - 42-r20728
    busybox - 1.15.3-2
    crda - 1.1.0-2
    dnsmasq - 2.52-2
    dropbear - 0.52-4
    firewall - 1-10
    hotplug2 - 1.0-beta-1
    iptables - 1.4.6-2
    iptables-mod-conntrack - 1.4.6-2
    iptables-mod-nat - 1.4.6-2
    iw - 0.9.19-1
    kernel - 2.6.32.10-1
    kmod-ath - 2.6.32.10+2010-03-24-5
    kmod-ath9k - 2.6.32.10+2010-03-24-5
    kmod-button-hotplug - 2.6.32.10-1
    kmod-cfg80211 - 2.6.32.10+2010-03-24-5
    kmod-crc-ccitt - 2.6.32.10-1
    kmod-crypto-aes - 2.6.32.10-1
    kmod-crypto-arc4 - 2.6.32.10-1
    kmod-crypto-core - 2.6.32.10-1
    kmod-gre - 2.6.32.10-1
    kmod-input-core - 2.6.32.10-1
    kmod-input-gpio-buttons - 2.6.32.10-1
    kmod-input-polldev - 2.6.32.10-1
    kmod-ipt-conntrack - 2.6.32.10-1
    kmod-ipt-core - 2.6.32.10-1
    kmod-ipt-nat - 2.6.32.10-1
    kmod-ipt-nathelper - 2.6.32.10-1
    kmod-leds-gpio - 2.6.32.10-1
    kmod-mac80211 - 2.6.32.10+2010-03-24-5
    kmod-nls-base - 2.6.32.10-1
    kmod-ppp - 2.6.32.10-1
    kmod-pppoe - 2.6.32.10-1
    kmod-tun - 2.6.32.10-1
    kmod-usb-core - 2.6.32.10-1
    kmod-usb2 - 2.6.32.10-1
    libc - 0.9.30.1-42
    libgcc - 4.3.3+cs-42
    libiptc - 1.4.6-2
    liblua - 5.1.4-6
    liblzo - 2.03-3
    libnl-tiny - 0.1-1
    libopenssl - 0.9.8m-3
    libuci - 12012009.5-1
    libuci-lua - 12012009.5-1
    libxtables - 1.4.6-2
    lua - 5.1.4-6
    luci - 0.9.0-1
    luci-admin-core - 0.9.0-1
    luci-admin-full - 0.9.0-1
    luci-admin-mini - 0.9.0-1
    luci-app-firewall - 0.9.0-1
    luci-app-initmgr - 0.9.0-1
    luci-app-openvpn - 0.9.0-1
    luci-cbi - 0.9.0-1
    luci-core - 0.9.0-1
    luci-http - 0.9.0-1
    luci-i18n-english - 0.9.0-1
    luci-ipkg - 0.9.0-1
    luci-lmo - 0.9.0-1
    luci-nixio - 0.9.0-1
    luci-sgi-cgi - 0.9.0-1
    luci-sys - 0.9.0-1
    luci-theme-base - 0.9.0-1
    luci-theme-openwrt - 0.9.0-1
    luci-uci - 0.9.0-1
    luci-uvl - 0.9.0-1
    luci-web - 0.9.0-1
    mtd - 12
    openvpn - 2.1.1-1
    opkg - 513-2
    ppp - 2.4.4-5
    ppp-mod-pppoe - 2.4.4-5
    pptp - 1.6.0-6
    swconfig - 5
    uci - 12012009.5-1
    udevtrigger - 106-1
    uhttpd - 7
    unzip - 5.52-1
    wireless-tools - 29-4
    wpad-mini - 20100309-1
    zlib - 1.2.3-5
    from http://xtaoyumo.wordpress.com/2011/05/20/openwrt-openvpn/
    ------------------------------------------------------------------------------
    Reaching the modem through the router

    Usually, once a router sits between you and the modem, you can no longer open the modem's configuration page in a browser, because the router and the modem are normally in different subnets and the router runs in gateway (NAT) mode rather than router mode. If your router can run DD-WRT or Tomato, the following lets you "pass through" the router and reach the modem.
    DD-WRT:
    1. Assume the router's IP address is 192.168.1.1;
    2. assume the modem's IP address is 192.168.2.1;
    3. open the DD-WRT web interface and go to Administration > Commands;
    4. enter:
    ifconfig vlan1:0 192.168.2.2 netmask 255.255.255.0
    then click <Save Startup>
    5. enter:
    /usr/sbin/iptables -I POSTROUTING -t nat -o vlan1 -d 192.168.2.0/24 -j MASQUERADE
    then click <Save Firewall>
    Note: the IP range in the script depends only on the modem's subnet. In the example the modem's subnet is 192.168.2.X, so both subnet-related parameters in the script use 192.168.2.X; all that matters is that the router's and modem's subnets differ. That is the basic principle, and it applies equally to the Tomato method below.
    Tomato:
    1. Now assume the modem's IP address is 192.168.0.1; by the rule above, the router's IP address doesn't matter.
    2. Open the Tomato web interface and go to Administration / Scripts:
    Under Init or WAN Up enter:
    sleep 5
    ip addr add 192.168.0.13/24 dev $(nvram get wan_ifname) brd +
    Under Firewall enter:
    iptables -I POSTROUTING -t nat -o $(nvram get wan_ifname) -d 192.168.0.0/24 -j MASQUERADE
    3. Reboot the router.
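The note above gives the one rule that makes this recipe safe: the router's LAN subnet and the modem's subnet must differ, and the alias address has to sit inside the modem's subnet. As an added example (not code from the original post), this POSIX shell script checks those conditions before printing the two DD-WRT commands with the values filled in; /24 subnets and the vlan1 WAN interface name are assumptions, and the addresses are the post's own example values.

```shell
#!/bin/sh
# Check the "basic principle" in the note above before adding the alias and the
# NAT rule: the router's LAN subnet and the modem's subnet must differ, and the
# alias address must fall inside the modem's subnet. Added example, not from
# the original post; /24 subnets and the vlan1 WAN interface name are assumed.

# ip_to_int A.B.C.D -> the address as an integer
ip_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network IP PREFIXLEN -> integer network address of IP/PREFIXLEN
network() {
  echo $(( $(ip_to_int "$1") & ((0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF) ))
}

# same_subnet IP1 IP2 PREFIXLEN -> 0 when both lie in the same network
same_subnet() {
  [ "$(network "$1" "$3")" -eq "$(network "$2" "$3")" ]
}

# plan ROUTER_IP MODEM_IP ALIAS_IP WAN_IF -> prints the two commands from the
# DD-WRT recipe with the values filled in, or an error and exit status 1
plan() {
  router=$1 modem=$2 alias_ip=$3 wanif=$4
  if same_subnet "$router" "$modem" 24; then
    echo "error: router $router and modem $modem share a /24; change one of them"
    return 1
  fi
  if ! same_subnet "$modem" "$alias_ip" 24; then
    echo "error: alias $alias_ip is not in the modem's /24 ($modem)"
    return 1
  fi
  if [ "$alias_ip" = "$modem" ]; then
    echo "error: alias must not equal the modem's own address"
    return 1
  fi
  # dotted network address for the NAT rule's -d argument
  n=$(network "$modem" 24)
  subnet="$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).0/24"
  echo "ifconfig $wanif:0 $alias_ip netmask 255.255.255.0"
  echo "/usr/sbin/iptables -I POSTROUTING -t nat -o $wanif -d $subnet -j MASQUERADE"
}

plan 192.168.1.1 192.168.2.1 192.168.2.2 vlan1
```

Run `plan` with your own router, modem and alias addresses; only when it prints the two commands (rather than an error) should they be pasted into Save Startup and Save Firewall. The same subnet rule applies to the Tomato variant, which just uses `ip addr add` and `$(nvram get wan_ifname)` in place of the ifconfig alias and vlan1.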
    Added 2011-06-05, a hardware method that works with any router (untested):
    Put the modem and the router in the same subnet with different IP addresses, e.g. router 192.168.1.1 and modem 192.168.1.2. Make sure the router's DHCP range does not clash with the modem's IP (enable DHCP only on the modem or only on the router), and give the PC's network card an address in the same subnet.
    Cabling: modem to any LAN port of the router, the router's WAN port to one of its own LAN ports, PC to any LAN port of the router.
    Once the PC's IP is set, simply browse to the modem's IP. The downside is that you lose two usable LAN ports; the upside is direct access to the modem, and if your account allows multiple sessions the PC can also dial up directly.
    from http://www.quakemachinex.com/blog/?p=181
    -----------------------------------------------------------------
    Linksys WRT54G2 under Tomato: WPS and wireless LED settings

    For the wireless LED (WLED), telnet into the router and enter:
    nvram set wl0gpio0=8
    nvram commit
    reboot
    (wl0gpio0=8 means: wireless on, LED off but blinking on traffic; wireless off, LED solid on. This seems to be the Linksys and DD-WRT default. If set to 136, the LED is on when wireless is on, blinks on traffic, and is off when wireless is off, which is my current setting.)
    For the WPS light, i.e. the SES LED (call it the WPS LED or whatever; it's the light above the WPS button), add the following startup script:
    while sleep 1; do if [ "$(nvram get security_mode)" = "disabled" ]; then gpio disable 3; else gpio enable 3; fi; done &
    The effect: the light is green when wireless encryption is on and yellow when it is off.
    This one tormented me the longest. The key is the security_mode parameter: what you find online is almost always wl0_security_mode, but on my WRT54G2 that one stays psk2 no matter whether encryption is enabled, so the script never worked. By switching encryption on and off repeatedly and checking with nvram show|grep, I finally found the parameter that reflects the WRT54G2's encryption state.
    References:
    Security LED Script WRT300n v1.1
    WZR-G300N gpio
    Useful Scripts
    Linksys WRT54G2 V1 with DD-WRT (Fixing WPS lights)
    from http://www.quakemachinex.com/blog/?p=182
    --------------------------------------------------------------------------------------------
    Tuning DNSMASQ on Tomato

    Tomato's built-in DNS server, DNSMASQ, caches 150 entries by default, and the default settings do not defend against DNS-rebind attacks in the 127.0.0.1 range.

    Configure Tomato's DNS as shown in the figure above, and add the following custom options:
    ## Some Tweak
    cache-size=8192
    stop-dns-rebind
    log-async=5
    ## Additional DNS servers
    # Hong Kong BroadBand Network DNS servers
    server=203.80.96.10
    server=203.80.96.9
    # Huchison Whampoa DNS servers
    server=202.45.84.58
    server=202.45.84.59
    With this, the DNS Benchmark tool reports a fully safe local DNS server, and the DNS cache grows to 8192 entries. The added DNS servers are in Hong Kong and suit users in Guangzhou and Shenzhen; users elsewhere can substitute other server addresses.

    Enter killall -USR1 dnsmasq in a telnet console, then look in Tomato's log to see the query hit statistics for every DNS server.
    The above applies to TomatoUSB and the original Tomato. On Tomato Dualwan, remove the cache-size=8192 line: TD already has cache-size=512 built in, and setting it again causes an error that stops DNSMASQ from starting.
    To change cache-size on Tomato Dualwan, telnet into the router:

    nvram set dnsmasq_cachesize=1024
    nvram commit
    reboot
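The stop-dns-rebind option above exists because a public name that resolves to 127.0.0.1 or a private LAN address is the signature of a rebinding attack. As an added example (not code from the original post), this POSIX shell script scans a dnsmasq query log for exactly that pattern, so you can confirm from the log that the filter is doing its job or spot a resolver that is not filtering. The log lines are constructed in the "reply NAME is ADDR" shape that dnsmasq's log-queries output uses, and the local domain suffix is an assumption.

```shell
#!/bin/sh
# Spot DNS-rebind answers in a dnsmasq query log: a public name resolving to a
# loopback or RFC 1918 address is exactly what "stop-dns-rebind" is meant to
# block. Added example, not from the original post; the log lines below are
# constructed in the shape dnsmasq's log-queries output uses ("reply NAME is
# ADDR") and the local domain suffix is an assumption.

LOCAL_SUFFIX=${LOCAL_SUFFIX:-.lan}

# is_private ADDR -> 0 for 127/8, 10/8, 172.16/12, 192.168/16 and 0.0.0.0
is_private() {
  case $1 in
    127.*|10.*|192.168.*|0.0.0.0) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
      ;;
  esac
  return 1
}

# classify NAME ADDR -> "local" (name is ours), "rebind" or "ok"
classify() {
  case $1 in
    *"$LOCAL_SUFFIX"|localhost) echo local; return 0 ;;
  esac
  if is_private "$2"; then
    echo rebind
    return 1
  fi
  echo ok
}

# scan_log FILE -> prints "rebind NAME -> ADDR" for each suspicious A reply
scan_log() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in *" reply "*" is "*) ;; *) continue ;; esac
    rest=${line#* reply }
    name=${rest%% is *}
    addr=${rest##* is }
    case $addr in *[!0-9.]*) continue ;; esac   # skip <CNAME>, NXDOMAIN, IPv6
    if [ "$(classify "$name" "$addr")" = rebind ]; then
      echo "rebind $name -> $addr"
    fi
  done < "$1"
}

# count_rebinds FILE -> number of suspicious replies
count_rebinds() { scan_log "$1" | wc -l | tr -d ' '; }

# write_sample_log FILE -> constructed log lines, not from a real router
write_sample_log() {
  cat > "$1" <<'EOF'
dnsmasq[1234]: query[A] www.example.com from 192.168.1.100
dnsmasq[1234]: reply www.example.com is 93.184.216.34
dnsmasq[1234]: reply rebind-test.example.net is 127.0.0.1
dnsmasq[1234]: reply router.lan is 192.168.1.1
dnsmasq[1234]: reply rebind-test.example.org is 192.168.1.1
dnsmasq[1234]: reply www.example.com is <CNAME>
EOF
}

SAMPLE=${TMPDIR:-/tmp}/dnsmasq.sample.$$
write_sample_log "$SAMPLE"
scan_log "$SAMPLE"
rm -f "$SAMPLE"
```

With log-queries enabled on the router, run `scan_log` over the saved log; names under your own local suffix are expected to resolve to LAN addresses and are skipped, while anything else answering with a loopback or RFC 1918 address is reported. With stop-dns-rebind in place such answers should never appear at all.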

    from http://www.quakemachinex.com/blog/?p=173
    -----------------------------------------------------------------
    How to flash DD-WRT or Tomato third-party firmware onto a router

    Tomato is known for its stability, and that is far from its only merit: graphical traffic display, a very effective QoS (per-application priorities, commonly used to block BT, Thunder and the like, or at least keep them from disturbing web browsing and gaming), a hardware-info page added by the author of the Chinese edition (CPU frequency, RAM and flash size, wired and wireless NIC details), and, in the latest 1.11, scheduled reboots. More and more people are joining the Tomato camp!
    The method for flashing Tomato that circulates online looks complicated: flash DD-WRT first, telnet in and run nvram show | grep http_passwd to obtain the password, then flash Tomato, and so on. That scares off some people who would like to use Tomato...
    In fact, flashing Tomato is nowhere near that complicated. Here I describe how to flash Tomato quickly and simply in the situations most people are in. Are you ready? Let's go!
    First, make sure your device supports Tomato; if it doesn't, do not try. For the list of supported devices, see the previous article; if your model and hardware version appear in the list, congratulations, you can use Tomato.
    Download the latest Tomato Chinese edition. You usually get a file called image.7z (possibly image.rar, which extracts to image.7z). That is itself an archive and needs the latest WinRAR to extract; if your WinRAR cannot open image.7z, download the latest version. After extracting you get WRTSL54GS.bin, WRT54GSv4.bin, WRT54GS.bin, WRT54G.bin, WR850G.bin, tomato.trx and readme.htm. tomato.trx is the generic image that works on every device in the supported list, so that is the one we use.
    Because some firmwares only accept .bin files, rename tomato.trx to tomato.bin first.
    Flashing to Tomato is then described separately for each of the following situations.

    Important: upgrade firmware over a wired connection, not wireless, and never disconnect the network or the power during the upgrade.
    1. Flashing Tomato from stock firmware:
    First log in to the router. The default IP address is 192.168.1.1, username and password both admin; if you changed the router's IP or password, log in with your own settings. I describe the defaults here:
    Enter 192.168.1.1 in the browser, type admin in both fields of the prompt, and you are logged in.
    The WRT54GS stock firmware is used as the example in the screenshots below:

    [Figure 1.jpg]
    Click "Administration" in the red circle ("管理" in the WRT54G Chinese firmware),
    which brings up the next screen

    [Figure 2.jpg]
    Click "Firmware Upgrade" ("固件升级" in the WRT54G Chinese firmware) to open the upgrade page, click "Browse", and select the tomato.bin you just extracted, as below
    [Figure 3.jpg]

    Click "Upgrade" in the red circle ("升级" in the Chinese firmware), then wait for the Tomato Chinese edition to appear in front of you!

    Remember: when you flash directly from WRT54G/GS/GL stock firmware, the router keeps whatever IP address and password it had before! The username can be admin or root. (Both the stock firmware and Tomato store the password unencrypted, so the password survives the flash; there is no need for the detour via DD-WRT that circulates online, which only creates trouble!)
    In the left menu go to "Administration -> Configuration"; under "Restore Default Configuration" choose "Erase all data in NVRAM memory (thorough)" and click "OK",
    as shown below
    [Figure 5.jpg]

    When the erase completes, the following page appears:
    [Figure 6.jpg]
    Click the "Continue" button in the red circle and the router restores its defaults. Whatever the IP address and password were before, afterwards the IP is 192.168.1.1, the username admin or root, and the password admin; if "Continue" asks you to log in, enter those.
    Yes! Done! What, you want to know how to use it? That's outside the scope of this tutorial; explore it yourself or ask the experts online!


    2. Flashing from DD-WRT to Tomato
    DD-WRT came out early and is powerful; repeater mode and a VPN server are its biggest strengths, and at the time Tomato had no Chinese edition, so DD-WRT is the third-party firmware everyone knows. But its weaknesses are just as obvious: poor stability, an admin page that often becomes unreachable, and some features that simply don't work. That cost it a fair number of users' confidence, and since the Tomato Chinese edition appeared more people have joined the Tomato camp; I switched over from DD-WRT myself ^_^
    First, DD users who want to flash Tomato take note, especially those whose router has no reset button: you must read and follow this paragraph. If your DD login password is not admin, change it to admin before doing anything else! That is done in DD's "Administration -> Management".
    The reason: DD stores the password in encrypted (hashed) form, and admin hashed is the string bJz7PcC1rCRJQ. After flashing Tomato the username is admin or root, but the password is the string bJz7PcC1rCRJQ. That is why I ask you to change the DD admin password to admin.
    Then, in DD's "Administration - Firmware Upgrade", click "Browse", locate the folder where you extracted Tomato in the dialog, double-click tomato.bin, return to the DD page and click "Upgrade"
    [Figure dd1.jpg]

    After a successful upgrade the following page appears:
    [Figure dd2.jpg]
    Click "Continue" in the red circle and the Tomato login page appears. Enter admin or root as the username and the hash of "admin", bJz7PcC1rCRJQ, in the password box, click "OK", and Tomato is there in front of you! (On most devices with a hardware reset, if the password is wrong after flashing you can also reset to defaults with the reset button; all Linksys models support this.)
    Don't celebrate yet: the first thing to do after logging in to Tomato is to clear NVRAM. How? See the "Clearing NVRAM" part of situation 1 above.
    Situation 3: flashing from Buffalo stock firmware to Tomato
    Going from Buffalo stock firmware to Tomato requires uploading the firmware via TFTP; it is not described here, interested readers can work it out themselves.
    Addendum: to go back to stock firmware from Tomato, refer to situation 1; from DD-WRT, refer to situation 2!
    from http://www.diybl.com/course/6_system/linux/Linuxjs/2008813/135846.html
    -------------------------------------------------------------------------------------------
    Detailed procedure for flashing a router from DD-WRT to Tomato

    1. Preparation
    Note: upgrade firmware over a wired connection, not wireless, and never disconnect the network or the power during the upgrade.
    First, make sure your device supports Tomato; if not, do not try. Supported devices: Buffalo series: WHR-G54S, WHR-HP-G54, WZR-G54 series, WBR2-G54, WZR-RS-G54HP, WZR-HP-G54, WZR-RS-G54, WVR-G54-NF, WHR2-A54G54, WHR3-AG54
    Linksys series: WRT54G v1-v4, WRT54GS v1-v4, WRT54GL v1.x, WRTSL54GS
    Motorola series: WR850G
    FUJI: RT390W (the wireless module cannot be driven, but the model is recognised)
    Flashing from DD-WRT to Tomato
    First, anyone wanting to flash Tomato should take note, especially those whose router has no reset button: if your DD-WRT login password is not admin, change it to admin before continuing, in DD-WRT's "Administration -> Management". DD-WRT stores the password in encrypted (hashed) form, and admin hashed is bJz7PcC1rCRJQ. After flashing Tomato the username is admin or root, but the password is bJz7PcC1rCRJQ; that is why the DD admin password needs to be admin.
    If you don't want to change it, telnet in and retrieve the password first; otherwise you will find after flashing that the password no longer works.
    Reading the password manually: telnet into the router from a command prompt,
    run nvram show|grep http_pass to obtain the HTTP login password and note it down.
    Then clear NVRAM with:
    mtd -r erase nvram
    Press Enter; the router drops the connection. Wait for it to reboot.
    3. Log in to the router again and check whether the language is English. If it is, NVRAM was cleared successfully.
    2. Upgrade procedure
    In DD's "Administration - Firmware Upgrade" click "Browse", locate the folder where you extracted Tomato in the dialog, double-click tomato.bin (some firmwares only accept .bin files, so rename tomato.trx to tomato.bin first), return to the DD page and click "Upgrade".
    Wait patiently; the router reboots by itself and returns to the page. Click "Continue" and the Tomato login page appears. Enter admin or root as the username and the hash of "admin", bJz7PcC1rCRJQ, in the password box, click "OK", and Tomato is there in front of you! (On most devices with a hardware reset, if the password is wrong after flashing you can also reset to defaults with the reset button; all Linksys models support this.)
    Don't celebrate yet: the first thing to do after logging in to Tomato is to clear NVRAM. How? See "Clearing NVRAM" below.
    Clearing NVRAM:
    For the router to work stably you need to clear NVRAM after flashing Tomato. It is not complicated; Tomato provides the function.
    In the left menu, "Administration -> Configuration", under
    "Restore Default Configuration" choose "Erase all data in NVRAM memory (thorough)"; a warning appears, click "OK". Whatever the IP address and password were before, afterwards the IP is 192.168.1.1, the username admin or root, and the password admin
    Reboot when done, and remember to change the password first. After the reboot the WR850G's wireless LED no longer lights; restore it as follows:
    After clearing NVRAM on the WR850G, wireless works normally but the indicator LED stays off. The fix:
    telnet into the WR850G,
    enter nvram ren wl0gpio0 wl0gpio4
    run nvram commit
    run reboot
    After the router reboots the wireless LED is back to normal. OK

    Quoted from: Enshan WiFi forum
    Fixing the MAC addresses on a Motorola WR850G v2/v3 after flashing DD-WRT
    The Motorola WR850G v2 and v3 can now both run DD-WRT v24, with hardware reset-button support, but after a reset the LAN, WAN and wireless MAC addresses all become:
    LAN MAC 00:11:22:33:44:55
    WAN MAC 00:11:22:33:44:56
    Wireless MAC 00:11:22:33:44:57
    That doesn't matter for a single AP, but it is a problem when several APs are bridged or used as repeaters. There are two ways to fix it:
    1. Flash back to stock firmware, then to OpenWrt, clear NVRAM, and finally flash back to DD-WRT. That is tedious, so here is the second method.
    2.
    First, what the addresses involved mean:
    il0macaddr: the wireless MAC address
    et0macaddr: the LAN MAC address
    et1macaddr: the WAN MAC address
    lan_hwaddr: also the LAN MAC address
    wl_hwaddr: also the wireless MAC address
    wan_hwaddr: also the WAN MAC address
    wl0_hwaddr: also the wireless MAC address
    Under DD-WRT the Motorola MAC addresses must follow one rule:
    LAN MAC address
    Here is an example:
    00:0C:E5:4B:F2:85 can serve as the LAN MAC address
    00:0C:E5:4B:F2:86 can serve as the WAN MAC address
    00:0C:E5:4B:F2:87 can serve as the wireless MAC address
    Now the method:
    1. Open a DOS window in XP and type: telnet 192.168.1.1, then Enter. Here 192.168.1.1 is your AP's address; if you changed it, use the new one;
    2. username root, password admin; if you changed the username and password, use the new ones, otherwise use those;
    3. after entering the username and password, paste the commands below into the window one at a time and press Enter after each: 9 commands, 9 Enters. You can make up your own addresses as long as they follow the rule above:
    nvram set il0macaddr=00:0C:E5:4B:F2:87
    nvram set et0macaddr=00:0C:E5:4B:F2:85
    nvram set et1macaddr=00:0C:E5:4B:F2:86
    nvram set lan_hwaddr=00:0C:E5:4B:F2:85
    nvram set wl_hwaddr=00:0C:E5:4B:F2:87
    nvram set wan_hwaddr=00:0C:E5:4B:F2:86
    nvram set wl0_hwaddr=00:0C:E5:4B:F2:87
    nvram commit (after running this command, wait about 10 seconds before running the last one)
    reboot (this reboots the router; after the reboot its addresses will be the ones set above)
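    As an added example (not from the original post or the forum source), the POSIX shell script below checks a saved `nvram show` dump for two things described above: the password string that carries over into Tomato after a DD-WRT flash (the hashed value, as in the bJz7PcC1rCRJQ case), and whether the seven WR850G MAC variables follow the LAN, LAN+1, LAN+2 pattern of the example before the nvram set commands are pasted in. The sample dump is constructed from the post's example values; `nvram_get`, `tomato_password`, `mac_plus` and `check_mac_rule` are names chosen here.

```shell
# Added example, not from the original post: checks a saved `nvram show` dump
# (name=value lines) for which string Tomato will accept as the password after a
# DD-WRT -> Tomato flash, and whether the WR850G MAC variables follow LAN/LAN+1/LAN+2.

# nvram_get DUMP NAME: value of NAME in the dump (first match, empty if absent).
nvram_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# tomato_password DUMP: the exact string to type into Tomato after flashing.
# DD-WRT keeps http_passwd as a crypt(3) hash (13 chars of [./0-9A-Za-z]) and Tomato
# compares the stored value verbatim, so the hash itself becomes the password.
tomato_password() {
    pw=$(nvram_get "$1" http_passwd)
    [ -n "$pw" ] || { echo "http_passwd not found in dump" >&2; return 1; }
    if printf '%s\n' "$pw" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
        echo "crypt:$pw"          # e.g. admin -> crypt:bJz7PcC1rCRJQ
    else
        echo "plain:$pw"          # stored in the clear (stock Linksys style)
    fi
}

# mac_plus MAC N: MAC with its last octet increased by N (fails instead of wrapping).
mac_plus() {
    v=$(( 0x${1##*:} + $2 ))
    [ "$v" -le 255 ] || return 1
    printf '%s:%02X\n' "${1%:*}" "$v"
}

# check_mac_rule DUMP: et0macaddr is the LAN MAC; et1macaddr/wan_hwaddr must be
# LAN+1 and il0macaddr/wl_hwaddr/wl0_hwaddr LAN+2. Names the first bad variable.
check_mac_rule() {
    lan=$(nvram_get "$1" et0macaddr | tr 'a-f' 'A-F')
    printf '%s\n' "$lan" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' ||
        { echo "et0macaddr '$lan' is not a MAC address" >&2; return 1; }
    wan=$(mac_plus "$lan" 1) && wl=$(mac_plus "$lan" 2) || return 1
    for want in "lan_hwaddr=$lan" "et1macaddr=$wan" "wan_hwaddr=$wan" \
                "il0macaddr=$wl" "wl_hwaddr=$wl" "wl0_hwaddr=$wl"; do
        got=$(nvram_get "$1" "${want%%=*}" | tr 'a-f' 'A-F')
        [ "$got" = "${want#*=}" ] ||
            { echo "${want%%=*}=$got, expected ${want#*=}" >&2; return 1; }
    done
    echo "LAN=$lan WAN=$wan WLAN=$wl"
}

# Constructed sample dump built from the post's example values; on a real router
# you would capture it with `nvram show` over telnet before flashing.
SAMPLE=$(printf '%s\n' http_passwd=bJz7PcC1rCRJQ et0macaddr=00:0C:E5:4B:F2:85 \
    et1macaddr=00:0C:E5:4B:F2:86 il0macaddr=00:0C:E5:4B:F2:87 lan_hwaddr=00:0C:E5:4B:F2:85 \
    wan_hwaddr=00:0C:E5:4B:F2:86 wl_hwaddr=00:0C:E5:4B:F2:87 wl0_hwaddr=00:0C:E5:4B:F2:87)
tomato_password "$SAMPLE"   # crypt:bJz7PcC1rCRJQ
check_mac_rule "$SAMPLE"    # LAN=00:0C:E5:4B:F2:85 WAN=00:0C:E5:4B:F2:86 WLAN=00:0C:E5:4B:F2:87
```

    A dump whose wl0_hwaddr does not match LAN+2 makes check_mac_rule print the offending variable and return non-zero, so it can gate a script that pastes the nvram set commands.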
    Second scenario: flashing from the stock firmware of a Linksys WRT54G/GL/GS to Tomato
    First log in to the router. The default IP address is 192.168.1.1 and both the username and the password are admin; if you changed the router's IP or password, log in with your own settings. Here I'll use the defaults:
    Enter 192.168.1.1 in the browser, type admin in both fields of the login dialog, and you are logged in.
    Using the WRT54GS stock firmware as an example:
    Once in, click "Administration" ("管理" in the Chinese WRT54G firmware), then "Firmware Upgrade" ("固件升级" in the Chinese firmware) to reach the upgrade page. Click "Browse", go to the path where you extracted Tomato and select the tomato.bin from before, click "Upgrade" ("升级" in the Chinese firmware), and wait for the Chinese Tomato firmware to appear in front of you!
    Remember: when flashing directly from the WRT54G/GS/GL stock firmware, your router's original IP and password stay exactly as they were! The username can be admin or root! (Both the stock firmware and Tomato store the password unencrypted, so the password does not change after flashing. There is no need to flash DD-WRT first and then Tomato, as is widely claimed online; that only creates trouble for yourself!) Clearing NVRAM:
    For your router to work stably, you need to clear the NVRAM after flashing to Tomato. This is not complicated; Tomato provides the function, as described in the "Clearing NVRAM" section above.
    --------------------------------------------------------------------------------------------------
    A VPN router is actually a normal router whose firmware connects directly to a VPN service, so that every device connected to the router uses that VPN connection. You pay for one VPN connection while all the devices on the network share it. Saves money, eh?

    Although it is possible to flash your usual router (if it runs a variation of Linux) to turn it into a VPN router, I would suggest avoiding this, as it is quite complex and you might end up breaking a router that already works.

    Recently, a lot of companies have started to launch routers that can connect to VPN services directly without any hassle. This lets you route all the traffic on your network through the VPN server, thereby hiding the IP address of every device inside your network.

    Basic features of such VPN routers:

        Connect to any well-known VPN service on the Internet via a VPN tunnel from the router.
        Serve the VPN connection to the other devices in your network.
        Use the router's wireless network for the devices on your network.
        Configure everything yourself using the well-known open-source DD-WRT firmware, or use the pre-built firmware shipped with that specific VPN router.

    In the weeks to come I will review some of the most popular VPN routers around, to make your life easier. Then you will be able to choose from the best possible VPN routers.
