Code Blog

2016/03/29 - VPN, OpenWRT

I bought an old Netgear WNDR4300 router to play around with and install customised router firmware on. This makes it possible to add a lot of functions a consumer router wouldn't normally have, which can be quite useful, especially here in China where you have the Great Firewall to cope with.

There are several ready-made router firmware projects, "DD-WRT", "Tomato" and "OpenWRT" being the best known. OpenWRT is built on Linux (as are DD-WRT and Tomato) but comes with a modular design and a package-management system, which makes it possible to configure the system according to the user's needs.

The Netgear WNDR4300 was actually designed to run a version of OpenWRT as its stock firmware from the start, so it seems reasonable to assume that, having been designed for OpenWRT, it is also a good choice of router for trying out newer versions of OpenWRT. It is also one of the routers recommended for running OpenWRT, which was the reason I decided to buy this model.

Step 1: Download firmware for WNDR4300

The WNDR4300 has been made in different hardware versions, so the first step is to check which version it actually is (it was WNDR4300 version 1 in my case). OpenWRT firmware builds are available for many different platforms, depending on the CPU and other hardware. The documentation was a bit confusing, but after some research I found that the WNDR4300 has an Atheros AR9344 560MHz CPU and belongs to the "ar71xx" OpenWRT platform.

I downloaded the latest stable build, the 15.05.1 (Chaos Calmer) release:
https://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/nand/openwrt-15.05.1-ar71xx-nand-wndr4300-ubi-factory.img
There is also a SquashFS version available, which I think will save RAM on the device as the read-only part of the filesystem can be compressed, but I haven't tried that version. The WNDR4300 comes with 128 MB of flash and 128 MB of RAM, which should be quite OK. The OpenWRT website states that the smallest installation requires 4 MB of flash and 16 MB of RAM.

Step 2: Upload firmware to router

There are different ways to do this, but uploading by TFTP seems to be the recommended one. To do this, reset the router and put it in listening mode:

  1. Power off the router.
  2. Press the reset button and keep holding it down during power-up. Keep pressing reset until the power LED starts blinking green.
  3. The router is now running with IP 192.168.1.1 and is waiting for a firmware upload.
  4. Connect to a LAN port on the back of the router with a TP (Ethernet) cable (luckily I have my Macally USB-Ethernet converter for my MacBook).
  5. Set a static IP for the computer in the 192.168.1.x subnet (e.g. 192.168.1.2) and use 192.168.1.1 as the gateway.
  6. Upload the firmware to the router. I read somewhere that a long filename may cause problems, so I renamed the firmware file "openwrt-15.05.1-ar71xx-nand-wndr4300-ubi-factory.img" to "firmware.img".
    Run the following commands:
    tftp -e 192.168.1.1
    mode binary
    put firmware.img
    quit


Then wait for the power LED to turn solid green again. Go to http://192.168.1.1 in a web browser and set a new root password. Also set the correct timezone in the System -> System menu.

I also changed the local LAN IP to 192.168.2.1 in order not to interfere with my other router. The SSH settings under "Administration" need to be re-applied after updating the LAN IP (otherwise SSH is refused; I guess it still expects 192.168.1.1).

Step 3: Install packages

The next step is to install the "Shadowsocks" and "ChinaDNS" packages. Many online guides also list Redsocks2 in order to set up Shadowsocks as a transparent proxy, but the current version of Shadowsocks has transparent-proxy functionality built in, so Redsocks2 is not needed. Note that OpenWRT Shadowsocks comes in two versions, shadowsocks-libev and shadowsocks-libev-spec. I use the latter; it comes with a LuCI web interface and does not need Redsocks2.

Shadowsocks - SOCKS5 proxy client
ChinaDNS - DNS resolver (determines whether an IP is in China or not, avoids DNS pollution, etc.)

Use a terminal and ssh to log in to the router (the LAN IP set above):
ssh root@192.168.2.1

OpenWRT comes with the opkg package manager (an OpenWRT fork of ipkg) pre-installed. There is also a "Software" menu in the OpenWRT GUI that can be used to install packages.

opkg update
opkg install shadowsocks-libev-spec
opkg install ChinaDNS

The commands above may work (opkg downloads and installs the packages), but here I ran into a problem, because opkg couldn't find any prebuilt packages to install. I tried adding some custom package feeds, but since OpenWRT version 15.05 the package manager (opkg) checks signatures for all packages (which is a good thing), and unfortunately the repository that hosts Shadowsocks / ChinaDNS had no valid signatures!

It should be possible to change the configuration in /etc/opkg.conf from "option check_signature 1" to "option check_signature 0" to skip the signature check, but this didn't work for me for some reason (I later read a post saying that removing the line disables the signature check, whereas changing it to zero doesn't work).

Instead I installed them locally, which means I first had to download the packages manually and copy (scp) them over to the router.

The package files are available to download from:
http://openwrt-dist.sourceforge.net/releases/ar71xx/packages
http://openwrt-dist.sourceforge.net/releases/luci/packages

LuCI is the web user interface of OpenWRT. Each module has two packages: the actual software that runs on the router (built for ar71xx on this platform) and a corresponding LuCI GUI plugin.

shadowsocks-libev-spec_2.4.5-1_ar71xx.ipk
ChinaDNS_1.3.2-3_ar71xx.ipk

luci-app-shadowsocks-spec_1.3.8-1_all.ipk
luci-app-chinadns_1.3.8-1_all.ipk

Copy all the IPK packages over to the router's /tmp folder using scp:
scp *.ipk root@192.168.2.1:/tmp/

Then install all the packages on the router. I don't think the installation order makes any difference.
Each package is installed by running "opkg install packagename.ipk", giving the path the file was copied to:

opkg update
opkg install /tmp/ChinaDNS_1.3.2-3_ar71xx.ipk
and so on ...

While installing Shadowsocks I got an error message: "failed to find a module named nf_tproxy_core". I'm not sure what this means, but I read on a forum that a router reboot is enough to solve this problem. I haven't noticed any problems after rebooting (no errors/warnings in the kernel or system log files either).

Step 4: Configure software

  1. Enter your Shadowsocks server settings (server IP & port, password and encryption). The configuration is stored in /etc/config/shadowsocks.
  2. Update the "DHCP and DNS" settings, see the screenshots below. Two settings, "DNS forwardings" and "Ignore resolve file", need to be changed for ChinaDNS to work correctly.
  3. Turn on "UDP Forward" for Shadowsocks (this may not be available in older versions). I don't run the global "UDP-Relay Server" for Shadowsocks.

Shadowsocks uses port 1080 by default for its SOCKS5 proxy. The server IP & port, password and encryption method need to be filled in. I haven't used "One-time authentication"; I wasn't sure what this function was, but the Shadowsocks documentation says:

One-time authentication (shortened as OTA) is a new experimental feature designed to improve the security against CCA (Chosen-ciphertext attack). 

DNS uses the UDP protocol for lookups, and UDP traffic leaving China may get blocked (for example, Google's DNS servers are blocked). To avoid this, the UDP packets can be tunneled through a Shadowsocks TCP connection. Shadowsocks will listen on port 5300 for UDP packets and forward them to the public DNS server 8.8.4.4 (run by Google) on port 53, the standard port for DNS.

The bi-directional filter seems intended to resolve inconsistent IP addresses for CDN networks that have servers both in China and abroad. I haven't tried this yet, so I'm not sure when/how it helps.

I use the default settings for ChinaDNS. Regarding the upstream servers, 114.114.114.114 is a DNS server run by China Telecom (located in Nanjing, China) and 8.8.4.4 is Google's DNS server. The CHNRoute file is the list of IP subnets that ChinaDNS uses to determine whether an IP is in China or not.

ChinaDNS listens on port 5353 for incoming queries by default. Set "DNS forwardings" to 127.0.0.1#5353 unless you changed this value.

The "Ignore resolve file" setting needs to be turned on.
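The answer-selection rule that the CHNRoute list is used for, written out in Python as an added example (this is not ChinaDNS's own code): the Chinese upstream's answer is trusted only when the address it returns lies inside CHNRoute, otherwise the foreign upstream's answer, arriving through the Shadowsocks UDP tunnel, is used. The CHNRoute excerpt and the upstream replies are constructed for the demo, and the `bidirectional` flag is my assumption of how the bi-directional filter behaves (a foreign reply that points into China is dropped too).

```python
"""Added example: the answer-selection rule ChinaDNS applies, written out in
Python. Not ChinaDNS's code; the CHNRoute excerpt and upstream replies are
constructed for the demo."""
import ipaddress

# Constructed excerpt in the CHNRoute format (one CIDR per line, '#' comments).
# The real file lists thousands of Chinese prefixes; two suffice here.
CHNROUTE_SAMPLE = """\
# constructed sample, not the real CHNRoute list
36.110.0.0/15
114.114.0.0/16
"""


def load_chnroute(text):
    """Parse CIDR lines into ip_network objects, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_china(ip, nets):
    """True if the address falls inside any CHNRoute prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def choose_answer(china_reply, foreign_reply, nets, bidirectional=False):
    """Pick which upstream's A record to hand back to the client.

    china_reply / foreign_reply: the IP each upstream returned, or None when
    that upstream gave no usable reply (timed out, blocked, ...).

    Rule: the Chinese upstream's answer counts only if the address is inside
    CHNRoute; an answer pointing abroad is treated as polluted and dropped.
    Otherwise the foreign upstream's reply (arriving through the Shadowsocks
    UDP tunnel) is used. With bidirectional=True (assumed to mirror the
    "bi-directional filter" option) a foreign reply that points into China is
    dropped as well, so CDN names resolve from one side only.
    Returns (ip_or_None, reason).
    """
    if china_reply is not None and in_china(china_reply, nets):
        return china_reply, "chinese upstream answered with a CHNRoute address"
    if foreign_reply is not None:
        if bidirectional and in_china(foreign_reply, nets):
            return None, "foreign reply points into China; dropped by bi-directional filter"
        return foreign_reply, "chinese reply missing or outside CHNRoute; using foreign upstream"
    return None, "no trustworthy answer (client sees a timeout)"


def demo():
    """Run the rule over a few constructed query outcomes."""
    nets = load_chnroute(CHNROUTE_SAMPLE)
    cases = {
        # domestic site: Chinese resolver returns a Chinese address -> accepted
        "domestic": choose_answer("36.110.1.2", "36.110.1.2", nets),
        # blocked site: Chinese resolver returns a (polluted) foreign address,
        # the tunnelled foreign resolver returns the real one -> foreign wins
        "blocked": choose_answer("203.0.113.5", "198.51.100.7", nets),
        # tunnel down: only the polluted Chinese reply exists -> no answer
        "tunnel_down": choose_answer("203.0.113.5", None, nets),
    }
    for name, (ip, why) in cases.items():
        print(f"{name:12s} -> {ip!s:14s} ({why})")
    return cases


if __name__ == "__main__":
    demo()
```

The "tunnel_down" case is the one the tester script below exists for: when the Shadowsocks tunnel stops working, foreign names stop resolving at all rather than resolving to the polluted address, which is why a plain Chinese resolver is needed as the fallback probe.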

Extra stuff - tester script

Build a script that tests connectivity and automatically restarts Shadowsocks if the connection isn't working.
For this to work we first need to install wget (a wget is already present, but it is the stripped-down busybox version, which will not work with the script below):

opkg update
opkg install wget

Create the file /root/tester (make it executable with chmod 755) and add the script below:

#!/bin/sh
# Watchdog: a site behind the firewall unreachable while a domestic site is
# reachable means the proxy is broken, not the uplink, so restart Shadowsocks.
# Needs the full GNU wget; the busybox applet lacks --spider/--tries.
LOGTIME=$(date "+%Y-%m-%d %H:%M:%S")

if wget --spider --quiet --tries=1 --timeout=3 www.google.co.jp; then
    echo "[$LOGTIME] No Problem."
    exit 0
fi

if wget --spider --quiet --tries=1 --timeout=3 www.baidu.com; then
    echo "[$LOGTIME] Problem detected, restarting shadowsocks."
    /etc/init.d/shadowsocks restart
else
    echo "[$LOGTIME] Network Problem. Do nothing."
fi


*/10 * * * * /root/tester >> /var/log/shadowsocks_watchdog.log 2>&1
0 1 * * 7 echo "" > /var/log/shadowsocks_watchdog.log

Under Scheduled Tasks, set up cron jobs as in the two lines above. The first runs the tester script every 10 minutes to check the status and automatically restart Shadowsocks if it detects a problem; the second empties the log once a week. The log file is kept at /var/log/shadowsocks_watchdog.log.

Increase DNS lookup speed

Download the files listed in the table below from https://github.com/felixonmars/dnsmasq-china-list

accelerated-domains.china.conf - Faster lookup of China domains
bogus-nxdomain.china.conf - Certain China ISPs return unwanted redirects when a domain is not found
google.china.conf - Speed up access to Google servers in China

Create the folder /etc/dnsmasq.d and copy all the files to that folder.
Edit the dnsmasq configuration file /etc/dnsmasq.conf and add the line below so that everything in that folder is read:
conf-dir=/etc/dnsmasq.d
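Why these files speed things up, shown as an added Python example (not dnsmasq's code or the dnsmasq-china-list project's): the files consist of `server=/domain/upstream` lines, and dnsmasq forwards each query to the upstream of the longest matching domain suffix, so Chinese domains go straight to 114.114.114.114 instead of through ChinaDNS, while everything else still falls through to the default forwarding of 127.0.0.1#5353 set above. The `bogus-nxdomain=` lines turn an ISP's redirect address back into a proper NXDOMAIN. The config excerpt and names below are constructed for the demo.

```python
"""Added example: how dnsmasq applies the server=/domain/upstream and
bogus-nxdomain lines from the dnsmasq-china-list files. Not dnsmasq's code;
the config excerpt and query names are constructed for the demo."""

# Constructed excerpt in the format of accelerated-domains.china.conf and
# bogus-nxdomain.china.conf (not the real files, which hold thousands of lines).
CONF_SAMPLE = """\
# constructed sample, not the real dnsmasq-china-list files
server=/baidu.com/114.114.114.114
server=/qq.com/114.114.114.114
bogus-nxdomain=203.0.113.9
"""

# Where every other query goes in this setup: ChinaDNS on the router itself
# (the "DNS forwardings" value from the configuration above).
DEFAULT_UPSTREAM = "127.0.0.1#5353"


def parse_conf(text):
    """Return ({domain_suffix: upstream}, {bogus_nxdomain_ip, ...})."""
    servers, bogus = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "server" and value.startswith("/"):
            # server=/<domain>/<upstream>
            _, domain, upstream = value.split("/", 2)
            servers[domain.lower().strip(".")] = upstream
        elif key == "bogus-nxdomain":
            bogus.add(value)
    return servers, bogus


def upstream_for(name, servers, default=DEFAULT_UPSTREAM):
    """dnsmasq forwards a query to the server of the longest matching suffix.

    'www.baidu.com' is checked as 'www.baidu.com', then 'baidu.com', then
    'com'; the first hit wins, otherwise the default upstream is used."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in servers:
            return servers[suffix]
    return default


def filter_answer(ip, bogus):
    """A reply carrying a bogus-nxdomain address is turned back into NXDOMAIN
    (dnsmasq answers 'no such domain' instead of the ISP's redirect page)."""
    return None if ip in bogus else ip


def demo():
    """Route a few constructed names and filter two constructed answers."""
    servers, bogus = parse_conf(CONF_SAMPLE)
    routing = {
        "www.baidu.com": upstream_for("www.baidu.com", servers),    # straight to 114.114.114.114
        "mail.qq.com.": upstream_for("mail.qq.com.", servers),      # trailing dot handled
        "www.google.com": upstream_for("www.google.com", servers),  # falls through to ChinaDNS
    }
    answers = {
        "redirect": filter_answer("203.0.113.9", bogus),   # ISP redirect -> NXDOMAIN
        "genuine": filter_answer("198.51.100.7", bogus),
    }
    for name, where in routing.items():
        print(f"{name:16s} -> {where}")
    return routing, answers


if __name__ == "__main__":
    demo()
```

Note that the suffix match is exact per label, so "notbaidu.com" does not match the "baidu.com" entry and still goes to ChinaDNS; only real subdomains are short-circuited to the Chinese resolver.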