For Techies Only - Your Router can do Tricks: DD-WRT does Relakks

Posted on July 5th, 2007 by Reiner.
Categories: English, at Home, Computers.

How can you share your WiFi with your neighbors without being forced to spy on them - just in order to prove that it wasn’t you who put the new Harry Potter into the public domain by mistake?

This post does not offer a ready-to-use solution, but instead provides some work-in-progress material on how to set up a DD-WRT device (using a static public IP) so that it tunnels its WiFi through Relakks. Maybe someone more knowledgeable than me might turn this into a clickable option :-)

There are numerous projects on the net (Google returns 50 million hits for share wifi), some of which most certainly will fit your requirements (notably fon - WiFi for EveryOne) but will require you and your neighbors to join some kind of community. They don’t fit mine, because I just want to share my WiFi locally (you won’t be able to pick it up from the street) without any administrative burdens whatsoever.

Swedish Relakks offers tremendous value at moderate cost (€5 or $7.65 per month) and is easy to set up (see gHacks’ Relakks Revisited). There’s an in-depth review of Relakks on sharemywifi.com. But then, this only works for you and your PC, as your neighbours will continue to use your real internet connection.

Ok, so the tunnel must start from within your router.

Setting up DD-WRT to use a Relakks VPN as its default gateway turned out to be a real challenge. First attempts invariably failed, as Relakks used the very same public IP for connecting to their VPN server as for the far end gateway inside of the tunnel. Windows didn’t have any problems with this remarkable setup, but PPTP tried to route the physical connection through the tunnel itself. Relakks changed that a couple of months ago, but at the same time imposed another insurmountable barrier for DD-WRT by enforcing strong (i.e. 128 bit) encryption. DD-WRT was (and still is with all release versions) unable to use strong encryption due to defects within its Linux kernel. For half a year I had to switch to Findnot. They do not enforce any encryption policy, offer numerous connection options and local servers around the world, but they are more expensive and you won’t get a public IP from their VPN, so some applications refused to run properly with two NATs cascaded (one at Findnot, the other one inside DD-WRT).

By chance I learnt that, working towards v24 and v23 SP3, Brainslayer has updated the kernel and yes: current DD-WRT beta releases now successfully connect to Relakks - I used the dd-wrt.v23_std_nokaid_generic.bin dated 20-jun-07. I have to use the nokaid variant with my Linksys WRT54GL, because otherwise there’ll be no room left for the JFFS2 at all.

Here’s how:

  1. JFFS2 has to be enabled.
  2. Scripts have to be uploaded to jffs and the execute bit has to be set for the .sh files.
  3. The scripts have to be adapted to your network settings and Relakks account.
  4. In order to be activated on boot-up, nvram must be modified to start the main script. DD-WRT makes this particularly easy, just enter /jffs/bin/startvpn.sh into the Administration, Commands, Firewall box.
  5. For the SSID, use your email address or your telephone number, so people will know where to address their complaints and thanks to (in my case, a pair of theatre tickets from production staff that happened to use the flat of one of his friends to work in perfect seclusion).

You’ll find the scripts within relakks-dd-wrt-jffs.zip.

My scripts do have several shortcomings:

  1. They require a fixed gateway address (in my case, it’s the router provided by my ISP) and thus will work with static IPs only.
  2. They require a fixed VPN server address. Relakks now uses round-robin DNS for their VPN servers, so one of those IPs has to be chosen and put into the scripts instead.
  3. They are quite ugly - due to the fact that I’m anything but a Linux expert.
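Why the scripts need both addresses fixed, shown as an added example (it is not taken from relakks-dd-wrt-jffs.zip): the tunnel's own packets must be pinned to the physical gateway with a host route before the default route moves to the tunnel, and the last rules close an exposure a reader reports in the comments (the router's SSH and web admin reachable through the tunnel). The addresses, the interface names vlan1 and ppp0, and the admin ports 22 and 80 are assumptions; the script only prints the commands.

```shell
#!/bin/sh
# Added example (dry run): prints the commands instead of running them.
# Addresses and interface names are constructed placeholders.

is_ipv4() {
    # True only for a dotted-quad literal with octets 0-255.
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

tunnel_up_plan() {
    # $1 VPN server IP   $2 physical gateway IP
    # $3 WAN interface   $4 tunnel interface
    # A hostname is rejected: with round-robin DNS a second lookup may return
    # another server than the one pptp dialled, and the host route would miss.
    is_ipv4 "$1" || { echo "VPN server must be an IP literal: $1" >&2; return 1; }
    is_ipv4 "$2" || { echo "gateway must be an IP literal: $2" >&2; return 1; }
    # 1. Pin the encrypted PPTP traffic to the physical path, so the tunnel's
    #    own packets are never routed into the tunnel.
    echo "route add -host $1 gw $2 dev $3"
    # 2. Only then move the default route from the gateway to the tunnel.
    echo "route del default gw $2 dev $3"
    echo "route add default dev $4"
    # 3. Keep the router's own SSH and web admin (assumed default ports
    #    22 and 80) unreachable from the tunnel side.
    for port in 22 80; do
        echo "iptables -I INPUT -i $4 -p tcp --dport $port -j DROP"
    done
}

tunnel_down_plan() {
    # Reverse of tunnel_up_plan: restore the physical default route.
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    for port in 22 80; do
        echo "iptables -D INPUT -i $4 -p tcp --dport $port -j DROP"
    done
    echo "route del default dev $4"
    echo "route add default gw $2 dev $3"
    echo "route del -host $1 gw $2 dev $3"
}

# Constructed sample values (TEST-NET address for the VPN server).
tunnel_up_plan 203.0.113.10 192.168.0.1 vlan1 ppp0
```

Pipe the output to sh on the router only after checking it against `route -n` and the interface names your firmware actually uses.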

In order to document the (more precisely - my) state of affairs I’ll append a recent mail conversation here (names purposely mangled to preserve privacy):

On Sun, May 3, 2009 at 22:13, John Dow wrote:

You wrote some scripts to make a router with DD-WRT on it run all network traffic through Relakks, however, I can’t get it to work, and have a few questions. I would very much appreciate it if you could answer a few of them :-)

1. Where do I find my router’s primary gateway (I have a static IP, which I know, but that doesn’t seem to work)?
2. Do I use my userID or username?
3. “They require a fixed VPN server address. Relakks now uses round-robin DNS for their VPN servers, so one of those IPs has to be chosen and put into the scripts instead.” Where do I find the IP-addresses I need?

Sincerely Yours
John Doe

Hi John,

my primary goal to use Relakks was to allow for anonymous neighbors to surf the web without having to bother about legal actions emerging from potential illegal P2P use.

Due to stability reasons (and the costs incurred by Relakks) I no longer use Relakks but instead reverted to applying port filters.

re Gateway

The actual IP of the gateway is only known to your DSL-router and your ISP. So the most reliable choice is to ask your router for the IP of the gateway. With the one I’m using right now (D-Link DIR-655) the current gateway is displayed on its initial device info page.

If your router does not provide this information, it might be available by tracing the IP packets from your PC to the Internet. Note that - depending on the actual way your ISP configures its routers - the routers of your ISP might choose not to respond to trace requests.

If the DD-WRT that is to establish the VPN to Relakks is directly connected to your ISP (which I do not recommend), just do a tracert (Windows) or traceroute (Linux) to some public IP (e.g. www.ibm.com). Assuming minimal network topology (i.e. your PC is directly connected to your router), within that list, the first IP is the gateway that your DSL-router forwards all packets destined for the internet to.

Your current DSL-router might choose to respond to trace requests as well and thus appear as the first item on the list. So if either your public IP or the private IP of your DSL router (e.g. 192.168….) appears on top of the list, the IP of your gateway most probably appears on the second line of the list.

I do not recommend establishing the VPN to Relakks on the same router that connects to your ISP for the following reasons:

  • My Linksys would occasionally lock-up (about once a day), requiring a power cycle to restore operation
  • You’re no longer able to bypass the VPN to Relakks (e.g. for speeding up your own connections or to establish connections that cannot successfully pass through Relakks).
  • Even if Relakks were to offer 16+ MBit/s download speeds, due to the lack of processing power, current consumer devices (e.g. my Linksys WRT54GL) are not able to en- and decrypt more than 2-4 MBit/s (Relakks used to allow non-encrypted VPN-connections, but now enforces encryption regardless of the options set in your client).
  • Due to limitations of my scripts, the IP of the DD-WRT and the IP of its gateway must be fixed and known.

Instead, I advise using two routers with separate LANs and WLANs:

  1. One that connects to the Internet through your ISP. Any router you currently use is fine. No configuration changes are required.
  2. The DD-WRT that connects to Relakks. Just connect its WAN upstream port to your local LAN (i.e. the DSL-router) using plain fixed IPs (no PPPoE or the like). For this DD-WRT use an IP from your current LAN (e.g. 192.168.0.123) that should not conflict with the DHCP of your DSL router (otherwise a device connected to your LAN might be assigned the same IP as the router running DD-WRT - but due to several reasons beyond the scope of this mail, it’s quite unlikely). The gateway for the DD-WRT now remains stable, regardless of the ISP you use: DD-WRT now uses the private IP of your DSL-router within your LAN (e.g. 192.168.0.1) as its default gateway.
  3. You have to make sure, that both routers use different private subnets for the LANs (e.g. 192.168.0.* and 192.168.1.*). Otherwise your DD-WRT router trying to connect to Relakks might not be able to reach any public IP on the Internet at all.

re userID

Sorry, I no longer remember. Just try to establish the VPN from your PC as explained at Relakks. If that one works, it’s the one that will work for your DD-WRT as well, if any.

re fixed VPN server

Just use any one of the IPs the DNS resolves to. As far as I know, Relakks uses the round-robin just to implement a cost-effective way to load-balance their VPN servers.

A last word of caution: As I no longer use Relakks, I do not know, whether those scripts will still run with current versions of DD-WRT. They might not even be required at all, if DD-WRT now implements a handling for VPNs that is as stable and flexible as the one used by Windows (e.g. for the duration of the connection, set up a host route for the active connection to the VPN server using the physical interface that connects to the VPN server, and as well support default routes for the VPN).

Regards,

Reiner

17 comments.

none

Comment on October 16th, 2007.

Thank you!! After reading this post, I specifically bought a wrt54gl to run dd-wrt and use the relakks vpn on my router. I was sceptical at first because I couldn’t find any other posts supporting that it was possible, but after following your instructions, I am now writing this with a Swedish IP! You rock!

noone

Comment on January 6th, 2008.

Is it possible to use a gateway address which is double-natted? I connect to a local WISP and do not get a public IP. I get a private IP address (which is static) on my ‘internet side’. I further run another private subnet address range within my network. Private network->WISP (private IP’s)->public internet.

Reiner

Comment on January 6th, 2008.

Should be no problem to set up the wrt54gl within a private LAN, provided both your WISP and the device used to access the WISP allow PPTP to pass through to the wrt54gl and the wrt54gl uses a subnet different from your LAN that is connected to the WISP.

Ramification: The gateway IP used by the relakksing wrt54gl is of course the gateway for the local LAN. This wrt54gl neither bothers nor is aware of that the IP of the gateway is a private instead of a public one.

As yet, I haven’t tested this myself, but will do so within a month, as I’m about to give up my public subnet and revert to a single public IP instead - my relakksing wrt54gl will then move from the public Internet to behind a NAT router.

noone

Comment on January 6th, 2008.

Hi.
I read your reply. Yes, I realize I should have known the answer to my own question - Relakks works fine from a Windows XP workstation within my private subnet. XP(on relakks)->router->router->public internet. So passthrough is no problem. And it gets rid of the GW on a dynamic IP ‘problem’, although a blogger copied your how-to into German, and receives the comment ‘Just use a DynIP service’ and substitute the GW IP with the Dynamic DNS name.

My question is possibly simple: I get the ERROR
‘root@:/jffs/bin# /bin/sh: Can’t open’
when trying to issue the command
‘root@:/jffs/bin# ./vpn.sh’

I am using the 1GB SD card mod for my router, and the ‘mount --bind’ command to put the contents of /jffs folder on the card (JFFS must be turned on in the Web Admin page): Once you have correctly setup the SD mod, and turned on JFFS, add this to your startup commands:
mount --bind /mmc/jffs /jffs. See:
https://www.dd-wrt.com/wiki/index.php/SD/MMC_mod

Thus I have a RW area of about 900+MB on the router.

I have used www.fs-driver.org as directed (make sure to reboot after install, or you get bluescreen), to write the edited contents of the relakks-dd-wrt-jffs.zip to both /jffs/bin and /jffs/ppp. I used the ‘chmod 555 (or 111 or 777) vpn.sh’ on all the .sh files.

Still, I get this error ‘Can’t open’. However, I can ‘cat vpn.sh’ and it displays just fine. There is no file corruption.

What do you think?

noone

Comment on January 6th, 2008.

I think I got it. There are a bunch of ^M’s in the file when I open it with vi. I wish there was a better text editor in DD-wrt than VI…..
I’ll post back.

noone

Comment on January 6th, 2008.

I’m not sure if it works. Also tried commenting out the IP for VPNSERVER and replace it with the pptp.relakks.com.

I tried editing all the scripts and using 83.233.180.2 instead of pptp.relakks.com, and had the same problem. I also tried increasing the delay from 30 seconds to 90 seconds in vpn.sh, as sometimes relakks takes a while to connect (I’m just guessing here, if it’s correct to do this).

I have the same problem either way. I can ping a domain, such as google.com, and I get google.com (ip address)… from ping, so DNS is working. However, there are no ping responses. I must reboot the router (to turn off this script, kill the processes and remove the route commands?) to get it working again.

Relakks works fine from any one of my desktops.

Regards

noone

Comment on January 6th, 2008.

I should be more clear. Editing out the ^M’s of all the files, made the scripts and all ‘behave’ properly, no more ‘Can’t Open’ errors. However, as I outline above, I’m not sure if the scripts are working. There is really no feedback as to what is going on, except that traffic does not seem to go out or back, except DNS requests are working.

Reiner

Comment on January 6th, 2008.

Shame on me, I’ll fix the ^Ms right away. They may have been introduced into all those scripts while editing the scripts for download (e.g. remove passwords and IPs).

Re Testing: Don’t auto-start the scripts in the first place or just kill them later from console. Add debug to the vpn options, change to the vpn.sh dir and start ./vpn.sh from console window.

noone

Comment on January 7th, 2008.

The ^M’s come from editing the files in Windows programs (notepad for example). The easiest way to avoid the problem, if you want to edit your how-to above, is to include a link to https://www.dd-wrt.com/wiki/index.php/WinSCP. Otherwise specialized editors or conversion utilities must be used.

Re: testing, debug. I did exactly as you said now. I edited options.vpn, uncommented ‘debug’, and started vpn.sh. There is a pause and then the shell prompt returns. Absolutely no messages. Where does the debug output go? I thought it should display all info on the console. I’m also going to try this on my debian box and report back.

Reiner

Comment on January 7th, 2008.

Re ^M: I’ve updated the relakks-dd-wrt-jffs.zip and changed the line ends (all of the files within the zip had Windows line ends) to Unix style using Notepad++ (http://notepad-plus.sourceforge.net/uk/site.htm), which allows changing line ends at will. Yes, I’m using WinSCP for the wrt54gl, but I don’t want to spoil my IPs and passwords within my wrt54gl, so I copy the files and then edit the scripts using Windows.

Re debug: Shame on me, I forgot that one: You’ll have to enable the dump parameter as well in order to see anything interesting, see http://pptpclient.sourceforge.net/howto-diagnosis.phtml#debug.
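The line-end problem traced in the comments above, as an added example that is not part of the original post or its zip file: a check to run on a local copy of the scripts before uploading them to /jffs. It flags files containing carriage returns (the ^M seen in vi) and .sh files without the execute bit, then repairs both; the sample file is constructed.

```shell
#!/bin/sh
# Added example: check a local copy of the scripts before uploading to /jffs.

CR=$(printf '\r')   # the character vi shows as ^M

has_cr() {
    grep -q "$CR" "$1"
}

preflight() {
    # $1: directory holding the scripts. Prints one finding per line and
    # returns 1 if anything needs fixing.
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if has_cr "$f"; then echo "CRLF $f"; rc=1; fi
        case "$f" in
            *.sh) [ -x "$f" ] || { echo "NOEXEC $f"; rc=1; } ;;
        esac
    done
    return $rc
}

repair() {
    # Strip CRs in place and set the execute bit on .sh files.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if has_cr "$f"; then
            tmp="$f.tmp.$$"
            tr -d '\r' < "$f" > "$tmp" && cat "$tmp" > "$f"
            rm -f "$tmp"
        fi
        case "$f" in *.sh) chmod +x "$f" ;; esac
    done
}

demo() {
    # Constructed sample: a two-line script saved with Windows line ends.
    d=$(mktemp -d)
    printf '#!/bin/sh\r\necho up\r\n' > "$d/vpn.sh"
    preflight "$d" || echo "needs repair"
    repair "$d"
    preflight "$d" && echo "clean"
    rm -rf "$d"
}
demo
```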

Reiner

Comment on January 7th, 2008.

Re: vpn.sh exiting.

That looks as if pptp is unable to connect to Relakks. You’ll have to investigate using the debug dump output. I had to do so for days in order to find out that the release dd-wrt v23 can’t connect to relakks due to bugs within its Linux kernel. So it’s important to use a newer version (e.g. “wrt.v23_std_nokaid_generic.bin dated 20-jun-07”) and to disable stateful compression as well, because that’s still buggy.

And still another shortcoming within my scripts: You’ll have to use an IP for the Relakks PPTP server. A name may not work, as Relakks uses round-robin DNS that may return a different IP each time eventually causing the route commands to fail.

dj

Comment on January 22nd, 2008.

Thanks for this post and discussion. I’ve managed to connect to relakks and authenticate using the scripts in the zip, with the vpn.sh reporting:

local IP address 83.233.182.122
remote IP address 83.233.182.2

but I’ve got no internet once I’m connected to relakks through my router. As soon as I CTRL-C out of it, I’m back online. I feel like I’m so close, but something’s just not connecting properly. I have a feeling it’s the INTERNET or GATEWAY values in vpn-up.sh. Are these IP addresses, or aliases or what? It almost doesn’t seem to matter what I list them as, I still connect, but get no internet. Oh and I’m using a PPPoE connection.

Ofve

Comment on February 3rd, 2008.

This works great but it is exposing dd-wrt dropbear ssh and dd-wrt administration (http) ports to internet.

JP

Comment on August 4th, 2008.

Been trying to get this to work as well. I’m a bit confused however, by gateway address, do you mean the gateway IP address that my router normally obtains through DHCP from my ISP (what I see if I click Status -> WAN, look under Configuration Type and Gateway in DD-WRT v24)?

In order for this to work, I have to change from DHCP to Static IP for the router (under Setup -> Basic Setup), correct?

Problem is, the VPN connection seems to work just fine but I can’t access the Internet while it’s active. Have you tried doing this with DD-WRT v24? I’m using mini_generic v24 on a WRT54GL.

Thank you for putting together the zip files and the tutorial. These days there are many good reasons to be paranoid about surveillance. :)

J

Comment on March 28th, 2009.

Is there any firmware that doesn’t need any scripts to enable Relakks on dd-wrt, or is this the only way to get it to work?

Reiner

Comment on March 28th, 2009.

To be frank, I don’t know. Scripts were required a year ago or so, but as I have since given up using Relakks, I do not know, whether current DD-WRT versions are able to connect to Relakks. Not much of a help to you :-(

J

Comment on March 28th, 2009.

do you know if scripts work still? could you put together a How TO guide to mail me
