For Techies Only - Your Router can do Tricks: DD-WRT does Relakks

Posted on July 5th, 2007 by Reiner.
Categories: English, at Home, Computers.

How can you share your WiFi with your neighbors without being forced to spy on them - just in order to prove that it wasn’t you who put the new Harry Potter into the public domain by mistake?

This post does not offer a ready-to-use solution, but instead provides some work-in-progress material on how to set up a DD-WRT device (using a static public IP) so that it tunnels its WiFi through Relakks.  Maybe someone more knowledgeable than me might turn this into a clickable option :-)

There are numerous projects on the net (Google returns 50 million hits for share wifi), some of which most certainly will fit your requirements (notably fon - WiFi for EveryOne) but will require you and your neighbors to join some kind of community. They don’t fit mine, because I just want to share my WiFi locally (you won’t be able to pick it up from the street) without any administrative burdens whatsoever.

Swedish provider Relakks offers tremendous value at moderate cost (€5 or $7.65 per month) and is easy to set up (see gHacks’ Relakks Revisited). There’s an in-depth review of Relakks on sharemywifi.com. But then, this only works for you and your PC, as your neighbours will continue to use your real internet connection.

Ok, so the tunnel must start from within your router. 

Setting up DD-WRT to use a Relakks VPN as its default gateway turned out to be a real challenge. First attempts invariably failed, as Relakks used the very same public IP for connecting to their VPN server as for the far-end gateway inside the tunnel. Windows didn’t have any problems with this remarkable setup, but PPTP tried to route the physical connection through the tunnel itself. Relakks changed that a couple of months ago, but at the same time imposed another insurmountable barrier for DD-WRT by enforcing strong (i.e. 128 bit) encryption. DD-WRT was (and still is with all release versions) unable to use strong encryption due to defects within its Linux kernel. For half a year I had to switch to Findnot. They do not enforce any encryption policy and offer numerous connection options and local servers around the world, but they are more expensive and you won’t get a public IP from their VPN, so some applications refused to run properly with two NATs cascaded (one at Findnot, the other one inside DD-WRT).

By chance I learnt that, while working towards v24 and v23 SP3, Brainslayer has updated the kernel, and yes: current DD-WRT beta releases now successfully connect to Relakks - I used the dd-wrt.v23_std_nokaid_generic.bin dated 20-jun-07. I have to use the nokaid variant with my Linksys WRT54GL, because otherwise there’ll be no room left for the JFFS2 at all.

Here’s how:

  1. JFFS2 has to be enabled.
  2. Scripts have to be uploaded to jffs and the execute bit has to be set for the .sh files.
  3. The scripts have to be adapted to your network settings and Relakks account.
  4. In order to be activated on boot-up, nvram must be modified to start the main script. DD-WRT makes this particularly easy, just enter /jffs/bin/startvpn.sh into the Administration, Commands, Firewall box.
  5. For the SSID, use your email address or your telephone number, so people will know where to address their complaints and thanks to (in my case, a pair of theatre tickets from production staff that happened to use the flat of one of his friends to work in perfect seclusion).

You’ll find the scripts within relakks-dd-wrt-jffs.zip.

My scripts do have several shortcomings:

  1. They require a fixed gateway address (in my case, it’s the router provided by my ISP) and thus will work with static IPs only.
  2. They require a fixed VPN server address. Relakks now uses round-robin DNS for their VPN servers, so one of those IPs has to be chosen and put into the scripts instead.
  3. They are quite ugly - due to the fact that I’m all but a Linux expert. 
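
A pre-flight check for steps 2 and 3 and for shortcoming 2, which also catches the Windows line ends reported in the comments. This is an added example, not one of the scripts from the zip; it assumes the scripts end in .sh and set the server with a line of the form `VPNSERVER=<value>`.

```sh
#!/bin/sh
# Added example. Assumptions: scripts end in .sh and set the server with a
# line of the form VPNSERVER=<value>; the real zip may differ.
CR=$(printf '\r')

has_crlf() { grep -q "${CR}\$" "$1"; }            # any line ending in CR?

strip_cr() {                                      # rewrite in place, keep mode
    tr -d '\r' < "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

is_ipv4() {                                       # dotted quad, octets 0-255
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# preflight DIR: print one line per problem; exit status = number of problems
preflight() {
    dir=$1; problems=0
    for f in "$dir"/*.sh; do
        [ -f "$f" ] || continue
        if [ ! -x "$f" ]; then
            echo "NOEXEC  $f"; problems=$((problems + 1))
        fi
        if has_crlf "$f"; then
            echo "CRLF    $f"; problems=$((problems + 1))
        fi
        server=$(sed -n 's/^VPNSERVER=//p' "$f" | tr -d '"\r' | head -n 1)
        if [ -n "$server" ] && ! is_ipv4 "$server"; then
            echo "DNSNAME $f ($server)"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample: one clean script, one saved with Windows line ends.
demo=$(mktemp -d)
printf '#!/bin/sh\nVPNSERVER=83.233.180.2\n' > "$demo/vpn.sh"; chmod +x "$demo/vpn.sh"
printf '#!/bin/sh\r\nVPNSERVER=pptp.relakks.com\r\n' > "$demo/vpn-up.sh"
preflight "$demo" || echo "problems found: $?"
rm -rf "$demo"
```

Run `preflight` on the edited copy before uploading it to /jffs, and `strip_cr` on any file it flags as CRLF.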

14 comments.

none

Comment on October 16th, 2007.

Thank you!! After reading this post, I specifically bought a wrt54gl to run dd-wrt and use the relakks vpn on my router. I was sceptical at first because I couldn’t find any other posts supporting that it was possible, but after following your instructions, I am now writing this with a Swedish IP! You rock!

noone

Comment on January 6th, 2008.

Is it possible to use a gateway address which is double-natted? I connect to a local WISP and do not get a public IP. I get a private IP address (which is static) on my ‘internet side’. I further run another private subnet address range within my network. Private network->WISP (private IP’s)->public internet.

Reiner

Comment on January 6th, 2008.

Should be no problem to set up the wrt54gl within a private LAN, provided both your WISP and the device used to access the WISP allow PPTP to pass through to the wrt54gl and the wrt54gl uses a subnet different from your LAN that is connected to the WISP.

Ramification: The gateway IP used by the relakksing wrt54gl is of course the gateway for the local LAN. This wrt54gl neither bothers nor is aware of that the IP of the gateway is a private instead of a public one.

As yet, I haven’t tested this myself, but will do so within a month, as I’m about to give up my public subnet and revert to a single public IP instead - my relakksing wrt54gl will then move from the public Internet to behind a NAT router.

noone

Comment on January 6th, 2008.

Hi.
I read your reply. Yes, I realize I should have known the answer to my own question - Relakks works fine from a Windows XP workstation within my private subnet. XP(on relakks)->router->router->public internet. So passthrough is no problem. And it gets rid of the GW on a dynamic IP ‘problem’, although a blogger copied your how-to into German, and receives the comment ‘Just use a DynIP service’ and substitute the GW IP with the Dynamic DNS name.

My question is possibly simple: I get the ERROR
‘root@:/jffs/bin# /bin/sh: Can’t open’
when trying to issue the command
‘root@:/jffs/bin# ./vpn.sh’

I am using the 1GB SD card mod for my router, and the ‘mount --bind’ command to put the contents of /jffs folder on the card (JFFS must be turned on in the Web Admin page): Once you have correctly setup the SD mod, and turned on JFFS, add this to your startup commands:
mount --bind /mmc/jffs /jffs. See:
https://www.dd-wrt.com/wiki/index.php/SD/MMC_mod

Thus I have a RW area of about 900+MB on the router.

I have used www.fs-driver.org as directed (make sure to reboot after install, or you get bluescreen), to write the edited contents of the relakks-dd-wrt-jffs.zip to both /jffs/bin and /jffs/ppp. I used the ‘chmod 555 (or 111 or 777) vpn.sh’ on all the .sh files.

Still, I get this error ‘Can’t open’. However, I can ‘cat vpn.sh’ and it displays just fine. There is no file corruption.

What do you think?

noone

Comment on January 6th, 2008.

I think I got it. There are a bunch of ^M’s in the file when I open it with vi. I wish there was a better text editor in DD-wrt than VI…..
I’ll post back.

noone

Comment on January 6th, 2008.

I’m not sure if it works. Also tried commenting out the IP for VPNSERVER and replace it with the pptp.relakks.com.

I tried editing all the scripts and using 83.233.180.2 instead of pptp.relakks.com, and had the same problem. I also tried increasing the delay from 30 seconds to 90 seconds in vpn.sh, as sometimes relakks takes a while to connect (I’m just guessing here, if it’s correct to do this).

I have the same problem either way. I can ping a domain, such as google.com, and I get google.com (ip address)… from ping, so DNS is working. However, there are no ping responses. I must reboot the router (to turn off this script, kill the processes and remove the route commands?) to get it working again.

Relakks works fine from any one of my desktops.

Regards

noone

Comment on January 6th, 2008.

I should be more clear. Editing out the ^M’s of all the files, made the scripts and all ‘behave’ properly, no more ‘Can’t Open’ errors. However, as I outline above, I’m not sure if the scripts are working. There is really no feedback as to what is going on, except that traffic does not seem to go out or back, except DNS requests are working.

Reiner

Comment on January 6th, 2008.

Shame on me, I’ll fix the ^Ms right away. They may have been introduced into all those scripts while editing the scripts for download (e.g. remove passwords and IPs).

Re Testing: Don’t auto-start the scripts in the first place or just kill them later from console. Add debug to the vpn options, change to the vpn.sh dir and start ./vpn.sh from console window.

noone

Comment on January 7th, 2008.

The ^M’s come from editing the files in Windows programs (notepad for example). The easiest way to avoid the problem, if you want to edit your how-to above, is to include a link to https://www.dd-wrt.com/wiki/index.php/WinSCP. Otherwise specialized editors or conversion utilities must be used.

Re: testing, debug. I did exactly as you said now. I edited options.vpn, uncommented ‘debug’, and started vpn.sh. There is a pause and then the shell prompt returns. Absolutely no messages. Where does the debug output go? I thought it should display all info on the console. I’m also going to try this on my debian box and report back.

Reiner

Comment on January 7th, 2008.

Re ^M: I’ve updated the relakks-dd-wrt-jffs.zip and changed the line ends (all of the files within the zip had Windows line ends) to Unix style using Notepad++ (http://notepad-plus.sourceforge.net/uk/site.htm) which allows to change line ends at will. Yes, I’m using WinSCP for the wrt54gl, but I don’t want to spoil by IPs and passwords within my wrt54gl, so I copy the files and then edit the scripts using Windows.

Re debug: Shame on me, I forgot that one: You’ll have to enable the dump parameter as well in order to see anything interesting, see http://pptpclient.sourceforge.net/howto-diagnosis.phtml#debug.

Reiner

Comment on January 7th, 2008.

Re: vpn.sh exiting.

That looks as if pptp is unable to connect to Relakks. You’ll have to investigate using the debug dump output. I had to do so for days in order to find out that the release dd-wrt v23 can’t connect to relakks due to bugs within its Linux kernel. So it’s important to use a newer version (e.g. “wrt.v23_std_nokaid_generic.bin dated 20-jun-07”) and to disable stateful compression as well, because that’s still buggy.

And still another shortcoming within my scripts: You’ll have to use an IP for the Relakks PPTP server. A name may not work, as Relakks uses round-robin DNS that may return a different IP each time eventually causing the route commands to fail.

dj

Comment on January 22nd, 2008.

Thanks for this post and discussion. I’ve managed to connect to relakks and authenticate using the scripts in the zip, with the vpn.sh reporting:

local IP address 83.233.182.122
remote IP address 83.233.182.2

but I’ve got no internet once I’m connected to relakks through my router. As soon as I CTRL-C out of it, I’m back online. I feel like I’m so close, but something’s just not connecting properly. I have a feeling it’s the INTERNET or GATEWAY values in vpn-up.sh. Are these IP addresses, or aliases or what? It almost doesn’t seem to matter what I list them as, I still connect, but get no internet. Oh and I’m using a PPPoE connection.

Ofve

Comment on February 3rd, 2008.

This works great but it is exposing dd-wrt dropbear ssh and dd-wrt administration (http) ports to internet.
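
One way to close the exposure described in the comment above, as an added example that is not part of the original scripts or of this comment: drop connections arriving over the tunnel interface for the router's own admin ports. The interface name ppp0 and the ports 22 (dropbear) and 80 (web GUI) are assumptions; check them with `ifconfig` and `netstat -ltn` on the router.

```sh
#!/bin/sh
# Added example. Assumptions: tunnel interface ppp0, dropbear on 22, GUI on 80.
# Dry run by default: commands are printed. Set IPT=iptables on the router.
IPT=${IPT:-echo iptables}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# admin_rules IFACE PORT...: print one rule spec per port, no side effects
admin_rules() {
    iface=$1; shift
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 2 ;;
    esac
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
        echo "INPUT -i $iface -p tcp --dport $port -j DROP"
    done
}

# block_admin_ports IFACE PORT...: (re)insert each rule at the top of INPUT.
# Deleting first keeps the chain free of duplicates when the tunnel reconnects.
block_admin_ports() {
    specs=$(admin_rules "$@") || return 2
    echo "$specs" | while read -r spec; do
        [ -n "$spec" ] || continue
        $IPT -D $spec 2>/dev/null || true
        $IPT -I $spec || exit 1
    done
}

# Prints the four commands that would run for the assumed interface and ports.
block_admin_ports ppp0 22 80
```

The rules only filter traffic addressed to the router itself (INPUT chain); forwarded WiFi client traffic is unaffected.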

JP

Comment on August 4th, 2008.

Been trying to get this to work as well. I’m a bit confused however, by gateway address, do you mean the gateway IP address that my router normally obtains through DHCP from my ISP (what I see if I click Status -> WAN, look under Configuration Type and Gateway in DD-WRT v24)?

In order for this to work, I have to change from DHCP to Static IP for the router (under Setup -> Basic Setup), correct?

Problem is, the VPN connection seems to work just fine but I can’t access the Internet while it’s active. Have you tried doing this with DD-WRT v24? I’m using mini_generic v24 on a WRT54GL.

Thank you for putting together the zip files and the tutorial. These days there are many good reasons to be paranoid about surveillance. :)
