Hi!

Here is my configuration where wan is bridged to lan :
(replace XXXX)

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'XXXXX::/48'

config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'dhcp'
    option gateway 'XXXXXXX'
    option ip6assign '60'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 4 5 6'

Other interesting pieces they don't mention:
The OpenVPN service has actually been there all the time, but they have obviously enabled the GUI parts by adding an openvpn applet now. Comparing parts of the rootfs shows that the service always has been present:

bjorn@nemi:~/docs/hardware/linksys/wrt1900ac/stock$ ls -ld */etc/init.d/*openvpn*
drwxr-xr-x 2 root root  4096 Feb 24  2014 FW_WRT1900AC_1.1.7.159143/etc/init.d/openvpn
-r-xr-xr-x 1 root root 12225 Feb 24  2014 FW_WRT1900AC_1.1.7.159143/etc/init.d/service_openvpn.sh
drwxr-xr-x 2 root root  4096 Apr  5  2014 FW_WRT1900AC_1.1.7.160177/etc/init.d/openvpn
-r-xr-xr-x 1 root root 12225 Apr  5  2014 FW_WRT1900AC_1.1.7.160177/etc/init.d/service_openvpn.sh
drwxr-xr-x 2 root root  4096 Nov 20 19:04 FW_WRT1900AC_1.1.8.164461/etc/init.d/openvpn
-r-xr-xr-x 1 root root 12225 Nov 20 19:04 FW_WRT1900AC_1.1.8.164461/etc/init.d/service_openvpn.sh
drwxr-xr-x 2 root root  4096 Apr 22 02:59 FW_WRT1900AC_1.1.9.166760/etc/init.d/openvpn
-r-xr-xr-x 1 root root 19310 Apr 22 02:59 FW_WRT1900AC_1.1.9.166760/etc/init.d/service_openvpn.sh

But other (previously planned?) services have silently been removed:

bjorn@nemi:~/docs/hardware/linksys/wrt1900ac/stock$ ls -ld */etc/init.d/*freeradius*
-rwxr-xr-x 1 root root 6061 Feb 24  2014 FW_WRT1900AC_1.1.7.159143/etc/init.d/service_freeradius.sh
-rwxr-xr-x 1 root root 6061 Apr  5  2014 FW_WRT1900AC_1.1.7.160177/etc/init.d/service_freeradius.sh
-rwxr-xr-x 1 root root 6061 Nov 20 18:40 FW_WRT1900AC_1.1.8.164461/etc/init.d/service_freeradius.sh

Don't know what to read out of that.  It's also interesting to note that there are absolutely no news about wireless.  The stock driver is obviously "finished".

Other than this there doesn't seem to be much to be excited about. Except for the WRT1200AC icons in the network map of course.  I really missed those

Hi guys,

Just received a v1 of this router.
Should I send it back and ask for a v2?

I would definetely do that. Hardware wise, specs are a bit better compared to v1. Openwrt support is identical for both. So why not benefit from newer hardware especially when you can.

Hope this helps!

(Last edited by Nihilanth on 20 May 2015, 20:54)

if you want a fan then only v1 has one of those

JW0914 I appreciated your original post, though I do not appreciate your follow up, I have severe ADHD and Autisim, I used your original information and was able to get OpenVPN installed and the Luci component installed and got a connection at one point, although could not route traffic through it, you gave me a lot of information 80% which I don't believe applies to my situation making it very difficult for me to pull out what I needed, I am confused I don't believe I need to run an OpenVPN Server to get what I need working only the client.

When setting this up in LUCI I am presented with 6 options I am confused as to which of the 6 options I need to use to accomplish my goal, once I have selected the proper option I know all the settings that need to go into that option for VyprVPN but the 6 options are:

Client configuration for an Ethernet bridge VPN
Client configuration for a routed multi-client VPN
Simple client configuration for a routed point-to-point VPN
Server configuration for an Ethernet bridge VPN
Server configuration for a routed multi-client VPN
Simple cserver configuration for a routed point-to-point VPN

once I know which I should be using I know the settings for the VPN itself after that I know I need to change or add a firewall rule I prefer to do this in LUCI than through SSH as I am not as comfortable with that.

If the documentation provides which of these 6 options I need than I do not see it, again considering my disabilities when presented with an overwhelming amount of information especially a lot that does not apply is difficult for me to pick out what I need, I would still like to get this working but at this moment am taking a break to reduce my frustration level.

(Last edited by W4LNY on 20 May 2015, 22:31)

I thought that it had only a different CPU, slightly faster, without a fan.
That wouldn't convince me.
But the RAM that has been doubled...

I can't fault the vendor's website, he mentioned the 1.2 ghz CPU speed, so it's my mistake...

V2 Power Transformer is now a "Wall Wort" instead of V1 Inline "Laptop Style"

I didn't realize you were trying to do this all via luci, which I wouldn't recommend to anyone, as it's convoluted and far more difficult than it needs to be. (Although I have the openvpn luci app installed, it's only there as a quick reference to make sure it's running without errors at a quick glance.)

Do you know how to ssh into your router to use command line? If not, ssh is easy to do via PuTTY, by selecting the ssh circle, entering your router's LAN IP in the Host Name box, and the ssh port number into the port box (22 if left at default on your router).

I'm not sure if VyperVPN is a pay service or not, but if it is, it's far cheaper to setup your own OpenVPN server (which is free) on your router (and my hunch is it would be a faster connection speed as well if you have broadband).  It would help to have the information for VyperVPN (minus any security information, such as encryption keys, port numbers, and WAN IP), as I can research what options you need and then post them.

EDIT
Also, the VyperVPN config file I'm looking at is for the U.S. and has the option

tls-remote

in it and it is not safe to use that option if your ca has been signed by a third party issuer (such as VyperVPN).

I think this is what you're looking for, but if it's not, please let me know:

Routing all client traffic (including web-traffic) through the VPN

Overview

By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.

In certain cases this behavior might not be desirable -- you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing. While this type of VPN configuration will exact a performance penalty on the client, it gives the VPN administrator more control over security policies when a client is simultaneously connected to both the public internet and the VPN at the same time.

Implementation

Add the following directive to the server configuration file:

push "redirect-gateway def1"
If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:

push "redirect-gateway local def1"
Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.

On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0.

When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example:

push "dhcp-option DNS 10.8.0.1"
will configure Windows clients (or non-Windows clients with some extra server-side scripting) to use 10.8.0.1 as their DNS server. Any address which is reachable from clients may be used as the DNS server address.

Depending on your reasons for going with a pay for VPN service, it might serve your needs better to setup your own VPN server on the WRT 1900ac, as you would not only have full control over everything, its far more secure.  The security is more of an issue since you're needing to route all traffic through the VPN.  If you'd like to explore that, I'll give you my IM name so you don't have to wait longer to get everything setup. 

Setting up a server and client with OpenVPN is extremely simple and takes a relatively short amount of time to do (~15 - 20 min for an extremely simple setup, 30 - 45 for a more complex one). The Server is created via the server configs (like the one I posted on page 202), the client config is created (however I believe if you're looking to route all traffic through the VPN, and the VPN Server is also your router, client configs wouldn't be necessary... I'd have to research that to be certain, as I've never chosen to do that due to the speed constraints of ~15 mbps on a 65 mbps connection), the vpn interface is created with 4 or 5 commands, a few firewall rules are created, and you're up and running.

(Last edited by JW0914 on 21 May 2015, 03:13)

JW0914 Thanks you have restored my faith<G>

I don't mind paying a few bucks a month for the VyprVPN service, I choose that because my current home internet is the AT&T LTE network, which is using Carrier Grade NAT and the double NAT stops several apps and devices I have from working correctly, even with port forwarding setup on my router, I have an AT&T HomeBase device with a single Ethernet port that connects to the WAN port of my router I have several devices like an XBOX, that read strict NAT when on this connection, I also use several apps that do not work on it because they require certain ports to be open and they don't work with the Carrier Grade NAT, some of these apps are on my PC, and some are on my cell phone. On my VyprVPN account I have their NAT disabled which is an option, and I have verified that all my apps work correctly when using VyprVPN on the LTE connection at least from the PC so I am confident they will all work if I can get it working on the router. I also chose their service for speed, since I am using some speed sensitive apps like games speed is important to me and they seem to be recommended for gaming.

I do know how to SSH in but don't know my way around very much if I had specific things to cut and paste into the SSH session I can manage but can't stray far from a pre-defined script, in LUCI I found all the proper settings and seem to be able to make a connection to the service at one point.

VyprVPN settings for OpenVPN:

Remote VPN Server: us3.vyprvpn.com

Port: 1194
Tunnel Device: TUN
Tunnel Protocol: UDP
LZO Compression: Yes
resolv-retry infinite
keepalive 10 60
nobind
persist-key
persist-tun
persist-remote-ip
tls-remote us3.vyprvpn.com
auth-user-pass /tmp/auth.conf
comp-lzo
verb 3

I was able to create the correct username password file using vi, I also have a CA from them which I was able to load through LUCI.
I was able to do this in the LUCI GUI with your original posts using one of the three client connections in that list I posted earlier when I tried to connect it seemed to work but could get no traffic through it, I know at this point changes have to be made to the firewall and I believe networking portions but how to do it in LUCI wasn't fully clear from the materials you posted. This is where I am stuck.

Since we're on the topic of VPN's w/ OWRT, I also have a pay-for vpn service. Here's an additional how-to for anyone using PIA (privateinternetaccess.com) that went quite easily as a client.

http://blog.matthewurch.ca/?p=120#comment-17408

This is going to be a bit long, as I'm going to copy and paste from other sources and try to make it as streamlined as possible

Five things are needed to make a ssl vpn work: Certificates, Server Config (which doesn't apply to you), Client Config, VPN Interface creation, and Firewall rules to allow the VPN Traffic.

You already have the client config and certificate(s) provided by VyperVPN, so if you haven't already created the VPN interface, we need to do that via uci (it can just as easily be done via luci, however most of what we need to do is faster if done in uci):

Create the VPN interface:

uci set network.vpn0=interface ; uci set network.vpn0.ifname=tun0 ; uci set network.vpn0.proto=none

Allow OpenVPN tunnel utilization:

uci add firewall zone
uci set firewall.@zone[-1].name=VyperVPN
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn0
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'

Commit the changes:

uci commit network ; /etc/init.d/network reload ; uci commit firewall ; /etc/init.d/firewall reload

Now, we need to allow forwarding from vpn -> lan, vpn -> wan, lan -> vpn, and wan -> vpn (you can copy and paste; paste in vi via right click):

vi /etc/config/firewall

Add to the top:

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option family 'ipv4'
        option src '*'
        option dest_port '1194'
        option name 'Allow Inbound VyperVPN Traffic'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option name 'Allow Forwarded VyperVPN Traffic'
        option src '*'
        option dest '*'
        option dest_port '1194'
        option src_ip '*'

(The Inbound and Forwarding rules are TCP and UDP for troubleshooting purposes on my setup; however, since you're not running your own server, you can remove TCP.) 

Add to the bottom:

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'vpn'
        option src 'wan'

I'm not sure if the LAN forwarding configuration is correct to allow all traffic over the VPN, and I'd try only these two first VPN --> WAN, WAN --> VPN  then add the LAN interzone forwarding if there's an issue.  Since you're not using it to connect to devices on your LAN remotely, I don't think the LAN interzone forwarding is needed.

Save the changes via :wq then:

/etc/init.d/firewall restart

Please verify under "Traffic Rules" in LuCI the Inbound Rule is listed as "Accept Input" and the Forward Rule listed as "Accept forward"; if the latter is not, edit it and select "Any Zone" under Destination Zone.

By default, lan should already be forwarding to wan (wan should never be forwarded to anything other than the vpn).  These zone forwarding rules will show as colored boxes under the Network - General Settings - Zones; however, for wan, Input and Forward should still be listed as drop and Output as accept. To change the zone forwarding we put in place, click edit under Zone => Forwardings and at the bottom of the Zone Settings will be Inter-Zone Forwarding. 

I made a mistake in that redirect-gateway is only utilized in the server config.  For most options, the server and client configs must mirror one another (if you add udp to one, udp must be added to the other, or if you adjust the mtu value, the same must be mirrored in the other, etc.); however, there are certain options that are server or client specific and are not mutually exclusive.

I don't have a thorough understanding of NAT and how it's applied, nor have I ever configured a VPN to route all traffic through it, so the worse case scenario is we may have to post on the OpenVPN forum for more experienced help.  I think the above should get you up and running with all traffic being routed through the VPN, as it appears, if my assumption is correct, that you are missing the interface creation and firewall inbound and forwarding rules.  Make sure the first two rules are at the top of the firewall traffic rules list, as they must be processed first if all traffic is being sent and received over the VPN.

(Last edited by JW0914 on 22 May 2015, 05:58)

@bmork

Have you found a way to ssh into the official firmware?

nitroshift

That's not a significant upgrade :-)
Can someone confirm the RAM has in fact doubled in v2?
There's just one forum thread where I see this mentioned.

I'm trying to decide if it's worth the hassle to send it back, and I'm responsible for the shipping cost as well.

Not without installing additional software.  There doesn't appear to be any ssh daemon installed by default.

bjorn@nemi:~/docs/hardware/linksys/wrt1900ac/stock$ find -name ssh\*
./FW_WRT1900AC_1.1.8.164461/etc/l7-protocols/protocols/ssh.pat
./FW_WRT1900AC_1.1.7.160177/etc/l7-protocols/protocols/ssh.pat
./FW_WRT1900AC_1.1.7.160177/etc/l7-protocols/testing/data/ssh-2
./FW_WRT1900AC_1.1.7.160177/etc/l7-protocols/testing/data/ssh-5
./FW_WRT1900AC_1.1.7.160177/etc/l7-protocols/testing/data/ssh-4
./FW_WRT1900AC_1.1.7.160177/etc/l7-protocols/testing/data/ssh-3
./FW_WRT1900AC_1.1.7.160177/etc/l7-protocols/testing/data/ssh-1
./FW_WRT1900AC_1.1.7.160177/etc/l7-protocols/testing/data/ssh-6
./FW_WRT1900AC_1.1.9.166760/etc/l7-protocols/protocols/ssh.pat
./FW_WRT1900AC_1.1.7.159143/etc/l7-protocols/protocols/ssh.pat
./FW_WRT1900AC_1.1.7.159143/etc/l7-protocols/testing/data/ssh-2
./FW_WRT1900AC_1.1.7.159143/etc/l7-protocols/testing/data/ssh-5
./FW_WRT1900AC_1.1.7.159143/etc/l7-protocols/testing/data/ssh-4
./FW_WRT1900AC_1.1.7.159143/etc/l7-protocols/testing/data/ssh-3
./FW_WRT1900AC_1.1.7.159143/etc/l7-protocols/testing/data/ssh-1
./FW_WRT1900AC_1.1.7.159143/etc/l7-protocols/testing/data/ssh-6
bjorn@nemi:~/docs/hardware/linksys/wrt1900ac/stock$ find -name dropbear\*
./FW_WRT1900AC_1.1.8.164461/etc/dropbear_dss_host_key
./FW_WRT1900AC_1.1.8.164461/etc/dropbear_rsa_host_key
./FW_WRT1900AC_1.1.7.160177/etc/dropbear_dss_host_key
./FW_WRT1900AC_1.1.7.160177/etc/dropbear_rsa_host_key
./FW_WRT1900AC_1.1.9.166760/etc/dropbear_dss_host_key
./FW_WRT1900AC_1.1.9.166760/etc/dropbear_rsa_host_key
./FW_WRT1900AC_1.1.7.159143/etc/dropbear_dss_host_key
./FW_WRT1900AC_1.1.7.159143/etc/dropbear_rsa_host_key

Interesting to note that there are two dropbear host keys.  But I guess those are just leftovers from some test system.

(Last edited by bmork on 21 May 2015, 09:12)

@bmork

What additional software must be installed and how?

nitroshift

I'm not sure about ddr3, however I could have sworn I read that it has 256MB of flash

@JW0914

Flash is a different thing from RAM.

nitroshift

I didn't know that... what is flash memory then?

@JW0914

Think in terms of computers: flash is the hard-disk of the device (non-volatile memory) and RAM is RAM (volatile memory).

nitroshift

Thanks! =]

some kind of ssh daemon

I don't know how you would install it without a serial console, which makes the exercise rather pointless.  And why would you want to do something like that anyway?  The only reason for running stock firmware is...uhm, well... wanting to run stock firmware.  If you start messing with it, then it won'ẗ be stock firmware anymore, will it?

You are much better off running OpenWRT IMHO.  Then you can fix and tune it as you like, and even get your fixes merged and made available for the whole community.

@bmork

As OpenWRT doesn't support (yet at least) hardware acceleration and I have serial access, I only want to install transmission onto stock firmware.

nitroshift

(Last edited by nitroshift on 21 May 2015, 14:09)

I have no clue about serial, however, could a serial console be set up virtually if someone wanted to keep stock firmware and only add a couple of features?