The following lines were added (+) and removed (-):
''update note 8/9/2010: This guide is for the Asus WL-500g Premium version 1 which has the Broadcom 4704 (Broadcom 4318). Asus rereleased the WL-500gP with a slower chip that is not yet supported.'' nvram set wl0_mode="ap" (skip, default) nvram set wl0_mode="ap" (skip, default) nvram wl0_closed=0 (set to 1 to hide ssid) nvram wl0_closed=0 (set to 1 to hide ssid) nvram set wl0_radio=0 (disabled radio if you run 'wifi' afterwards) nvram set wl0_radio=0 (disabled radio if you run 'wifi' afterwards) wifi (command to apply changes) wifi (command to apply changes) nvram show (see the configuration) nvram show (see the configuration)'''incomplete, more to come...'''== DNS and DHCP ==The Asus WL-500gP has internal DHCP capabilities. Using the nvram option the Asus router own DHCP server can be enabled, however, to make the router respond to dns queries as a caching names server you should use dnsmasq instead.Disable the router dhcp server and enable dhcp assignment via dnsmasq. To use dnsmasq simply edit the following file: /etc/dnsmasq.conf I used dnsmasq.conf instead of nvram. I wiped the S60dnsmasq file and created my own. My init script for dnsmasq contains only the fillowing line: killall -9 dnsmasq ; dnsmasq -K -I vlan1My /etc/dnsmasq.conf contains the following: <nowiki># filter what we send upstream</nowiki> <nowiki>domain-needed</nowiki> <nowiki>bogus-priv</nowiki> <nowiki>filterwin2k</nowiki> <nowiki>localise-queries</nowiki> <nowiki></nowiki> <nowiki># allow /etc/hosts and dhcp lookups via *.lan</nowiki> <nowiki>local=/lan/</nowiki> <nowiki>domain=lan</nowiki> <nowiki>expand-hosts</nowiki> <nowiki>no-negcache</nowiki> <nowiki>resolv-file=/etc/resolv.conf</nowiki> <nowiki></nowiki> <nowiki># enable dhcp (start,end,netmask,leasetime)</nowiki> <nowiki>dhcp-authoritative</nowiki> <nowiki></nowiki> <nowiki># dhcp-range=[network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>]</nowiki> <nowiki>dhcp-range=lan,192.168.XX.100,192.168.XX.150,255.255.255.0,24h</nowiki> <nowiki>dhcp-range=wifi,192.168.XY.100,192.168.XY.105,255.255.255.0,2h</nowiki> <nowiki></nowiki> <nowiki>dhcp-leasefile=/var/dhcp.leases</nowiki> <nowiki></nowiki> <nowiki># use /etc/ethers for static hosts; same format as --dhcp-host</nowiki> <nowiki># <hwaddr> <ipaddr></nowiki> <nowiki>read-ethers</nowiki> <nowiki></nowiki> <nowiki># other useful options:</nowiki> <nowiki># default route(s): dhcp-option=3,192.168.1.1,192.168.1.2</nowiki> <nowiki># dns server(s): dhcp-option=6,192.168.1.1,192.168.1.2</nowiki> <nowiki>dhcp-option=6,64.21.192.5,64.21.192.6</nowiki>== Configuring dnsmasq to use different IP ranges for wired and wireless ==Firewall initialization by running a startup script in /etc/init.d Next it calls the user configuration file /etc/firewall.user To better understand the firewall rules I will document notes about them in this section.Starting with /etc/init.d/S35firewall== OpenVPN Installation and Configuration ==First, install the package and then generate a static key file /etc/static.key ipkg install openvpn mkdir /etc/openvpn openvpn --genkey --secret /etc/openvpn/wlan.keyOther guides advise the installation of openssl, lzo, and kmod-tun, however, I found them to already be installed. Allow OpenVPN connections from the Wifi to the LAN - rules need to be added to firewall.user. iptables -t nat -A prerouting_rule -i br0 -p udp --dport 1194 -j ACCEPT iptables -A input_rule -i br0 -p udp --dport 1194 -j ACCEPTThe tunneling module insmod tun echo "tun" >> /etc/modulesNow /etc/modules should look like this: wl tunCreate /etc/openvpn/wlan.conf dev tap0 proto udp port 1194 keepalive 10 120 ;comp-lzo status openvpn-status.log secret /etc/openvpn/wlan.key persist-key persist-tun verb 6 max-clients 10''note: I have tried "proto tcp-server" using tcp protocol. It is much slower than using udp. For some people udp won't work and therefore they have to use tcp.''Create /etc/openvpn/makebridge <nowiki>#!/bin/sh</nowiki> <nowiki>br="br0"</nowiki> <nowiki>tap="tap0"</nowiki> <nowiki>case "$1" in</nowiki> <nowiki> up)</nowiki> <nowiki> insmod tun</nowiki> <nowiki> for t in $tap; do</nowiki> <nowiki> openvpn --mktun --dev $t</nowiki> <nowiki> done</nowiki> <nowiki> for t in $tap; do</nowiki> <nowiki> brctl addif $br $t</nowiki> <nowiki> done</nowiki> <nowiki> for t in $tap; do</nowiki> <nowiki> ifconfig $t 0.0.0.0 promisc up</nowiki> <nowiki> done</nowiki> <nowiki> ;;</nowiki> <nowiki> down)</nowiki> <nowiki> for t in $tap; do</nowiki> <nowiki> ifconfig $t 0.0.0.0 down</nowiki> <nowiki> done</nowiki> <nowiki> for t in $tap; do</nowiki> <nowiki> brctl delif $br $t</nowiki> <nowiki> done</nowiki> <nowiki> for t in $tap; do</nowiki> <nowiki> openvpn --rmtun --dev $t</nowiki> <nowiki> done</nowiki> <nowiki> rmmod tun</nowiki> <nowiki> ;;</nowiki> <nowiki> *)</nowiki> <nowiki> echo "$0 {up|down}"</nowiki> <nowiki> ;;</nowiki> <nowiki>esac</nowiki>Create /etc/init.d/S65openvpn <nowiki>#!/bin/sh</nowiki> <nowiki>case "$1" in</nowiki> <nowiki> start)</nowiki> <nowiki> /etc/openvpn/makebridge up</nowiki> <nowiki> openvpn --daemon --config /etc/openvpn/wlan_roachnet.conf</nowiki> <nowiki> ;;</nowiki> <nowiki> restart)</nowiki> <nowiki> $0 stop</nowiki> <nowiki> sleep 3</nowiki> <nowiki> $0 start</nowiki> <nowiki> ;;</nowiki> <nowiki> reload)</nowiki> <nowiki> killall -SIGHUP openvpn</nowiki> <nowiki> ;;</nowiki> <nowiki> stop)</nowiki> <nowiki> killall openvpn</nowiki> <nowiki> /etc/openvpn/makebridge down</nowiki> <nowiki> ;;</nowiki> <nowiki>esac</nowiki>Execute permissions on file chmod a+x /etc/init.d/S65openvpnStart the OpenVPN and check out interfacesSome modifications to the iptables firewall /etc/firewall.user iptables -t nat -A prerouting_rule -i br1 -p udp --dport 1194 -j ACCEPT iptables -A input_rule -i br1 -p udp --dport 1194 -j ACCEPT== WPA Wireless Security ==Enable WPA Wireless Security (as opposed to WEP)# WiFi Protected Access (WPA) is the new security standard adopted by the WiFi Alliance consortium.# nas is the proprietary binary tool that sets up dynamic encryption (WEP/WPA) on the wireless device.To use WPA the NAS package must be installed. ipkg install nas nvram set wl0_auth_mode="" was wl0_auth_mode=open nvram set wl0_akm=psk was wl0_akm=none nvram set wl0_crypto=aes+tkip was wl0_crypto=tkip nvram set wl0_auth=0 was wl0_auth=0 nvram set wl0_wpa_psk=yoursecretp was wl0_wpa_psk=""''(replace yoursecretp with a password of your choice, I used something with letters, numbers, and symbols)'' nvram commitNote: I chose to use PSK instead of PSK2 because PSK2 is not supported on my WinXP laptop OOB without updating something (probably wifi related driver).The startup script for NAS has to be modified for our interface configuration. It defaults to br0, but with our setup our wifi is on br1. vi /etc/init.d/S41wpaReplace all references to br0 with br1. There should be two references.Line 7: brctl show 2>&- | grep "${real_ifname}" >&- 2>&- && ifname=br1line 86: [ "$ifname" = "br1" ] && exitWhen the NAS service is running, doing a ps ax should show the process: /usr/sbin/nas -P /var/run/nas.lan.pid -l br1 -H 34954 -i eth2 -A -m 4 -k yoursecretp -s icarus -w 6 -g 360 [[Category:WiFi]][[Category:Hacking]]