Custom firmware build for R7800

-O3 -pipe

Try building with -O2 instead as with the -O3 switch, the GCC will try to vectorize certain loops, translating them into auto generated NEON - which might not be favorable, as Neon is a shared unit with the VFP, and the context shift there is expensive - since a router isn't doing any media (audio/video playback), better not to use the Neon except when inlining the code -

GCC sometimes guesses wrong - but vfp4 is pretty nice ;)

Still, include the vfp4+neon, as it doesn't hurt, and neon will build as directed by the source code.

Good notes about this (and other things) inside ARM's documentation - Cortex-A Series Programming Guide (with A15, you want version 4.0 of that document at a minimum - search around the google, and it's out there).
 
sfx2000:

Probably you are right:



I tried not full FW, but only OpenSSL lib and util. Results are:

With “Cortex-A15” options:
Code:
compiler: arm-openwrt-linux-uclibcgnueabi-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/include -DNDEBUG -DTERMIOS -O3 -pipe -mcpu=cortex-a15 -mfpu=neon-vfpv4 -mtune=cortex-a15 -mfloat-abi=softfp -fhonour-copts -fpic -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              10128.63k    36545.39k    93454.51k   153856.34k   189498.22k
sha1             16474.96k    53733.59k   135326.65k   217987.34k   264574.29k
des cbc          26221.11k    27420.80k    27933.27k    28034.05k    28207.79k
des ede3         10142.87k    10337.56k    10384.90k    10445.48k    10455.72k
aes-128 cbc      72408.69k    82055.94k    86703.27k    87590.23k    87941.12k
aes-192 cbc      60969.95k    69711.85k    72732.07k    73784.32k    73160.02k
aes-256 cbc      55063.74k    61723.03k    64029.53k    64774.83k    64208.90k
sha256           23738.07k    57545.79k   105103.10k   133155.84k   144332.12k
sha512            8178.97k    32457.71k    48657.92k    67710.98k    76425.90k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.007161s 0.000150s    139.6   6688.2
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.001657s 0.001707s    603.6    585.7

With “Cortex-A9” options:
Code:
compiler: arm-openwrt-linux-uclibcgnueabi-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/include -DNDEBUG -DTERMIOS -O3 -pipe -mcpu=cortex-a9 -mfpu=neon-vfpv4 -mtune=cortex-a9 -mfloat-abi=softfp -fhonour-copts -fpic -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              10022.17k    41657.64k   102296.15k   164775.64k   198860.80k
sha1             13419.31k    43169.64k    97664.74k   210976.90k   265323.28k
des cbc          27856.06k    29065.88k    29455.36k    29668.26k    29955.41k
des ede3         10784.32k    10995.03k    11063.30k    11085.14k    11131.80k
aes-128 cbc      76241.89k    84184.15k    87586.90k    74547.20k    89189.00k
aes-192 cbc      64065.86k    71197.72k    73326.34k    74055.75k    74907.65k
aes-256 cbc      57941.90k    62713.00k    64122.88k    65218.83k    65892.17k
sha256           22869.00k    56828.15k   104521.22k   132966.91k   144001.71k
sha512            8096.11k    32368.51k    48547.67k    67888.46k    76414.98k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.007003s 0.000149s    142.8   6697.3
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.001627s 0.001647s    614.5    607.3

(We should compare mainly tests where no assembler acceleration is used e.g. to drop sha256 results from comparison, assembler is assembler, i.e. results will be the same)

OK, thanks. Will try to use “Cortex-A9” for next build.

Voxel.
This test is on the border of statistical error, some points are higher, some lower. Actually, according to my tests, I suspect it's close to no difference which mtune to use.
According to my googling, qca engineers suggest using mtune=krait if compiler supports it and cortex-a15 if not.
 
This test is on the border of statistical error, some points are higher, some lower. Actually, according to my tests, I suspect it's close to no difference which mtune to use.

With the libs and code paths - yes...

According to my googling, qca engineers suggest using mtune=krait if compiler supports it and cortex-a15 if not.

With Snapdragon LLVM - yes, krait is a specific build target - but it ain't ARM Cortex-A15

Don't confuse APQ with IPQ - they're different chips with different features and capabilities...

And I'm ex-QCOM by the way...
 
Will there be an update file to download?

If you mean that it is necessary to put somewhere this project into single archive file, available for download, I do not plan to do that. What for? GitHub allows to download the project in ZIP.

Voxel.
 
What I meant was, where are you going to put the finished *.img file when you do a new updated version of your FW?
 
Try building with -O2 instead as with the -O3 switch, the GCC will try to vectorize certain loops, translating them into auto generated NEON - which might not be favorable, as Neon is a shared unit with the VFP, and the context shift there is expensive - since a router isn't doing any media (audio/video playback), better not to use the Neon except when inlining the code -

GCC sometimes guesses wrong - but vfp4 is pretty nice ;)

I'd say, that -O2 at least is not better than -O3:


With “Cortex-A15”, -O3 options:
Code:
compiler: arm-openwrt-linux-uclibcgnueabi-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/include -DNDEBUG -DTERMIOS -O3 -pipe -mcpu=cortex-a15 -mfpu=neon-vfpv4 -mtune=cortex-a15 -mfloat-abi=softfp -fhonour-copts -fpic -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              10128.63k    36545.39k    93454.51k   153856.34k   189498.22k
sha1             16474.96k    53733.59k   135326.65k   217987.34k   264574.29k
des cbc          26221.11k    27420.80k    27933.27k    28034.05k    28207.79k
des ede3         10142.87k    10337.56k    10384.90k    10445.48k    10455.72k
aes-128 cbc      72408.69k    82055.94k    86703.27k    87590.23k    87941.12k
aes-192 cbc      60969.95k    69711.85k    72732.07k    73784.32k    73160.02k
aes-256 cbc      55063.74k    61723.03k    64029.53k    64774.83k    64208.90k
sha256           23738.07k    57545.79k   105103.10k   133155.84k   144332.12k
sha512            8178.97k    32457.71k    48657.92k    67710.98k    76425.90k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.007161s 0.000150s    139.6   6688.2
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.001657s 0.001707s    603.6    585.7

With “Cortex-A9”, -O3 options:
Code:
compiler: arm-openwrt-linux-uclibcgnueabi-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/include -DNDEBUG -DTERMIOS -O3 -pipe -mcpu=cortex-a9 -mfpu=neon-vfpv4 -mtune=cortex-a9 -mfloat-abi=softfp -fhonour-copts -fpic -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              10022.17k    41657.64k   102296.15k   164775.64k   198860.80k
sha1             13419.31k    43169.64k    97664.74k   210976.90k   265323.28k
des cbc          27856.06k    29065.88k    29455.36k    29668.26k    29955.41k
des ede3         10784.32k    10995.03k    11063.30k    11085.14k    11131.80k
aes-128 cbc      76241.89k    84184.15k    87586.90k    74547.20k    89189.00k
aes-192 cbc      64065.86k    71197.72k    73326.34k    74055.75k    74907.65k
aes-256 cbc      57941.90k    62713.00k    64122.88k    65218.83k    65892.17k
sha256           22869.00k    56828.15k   104521.22k   132966.91k   144001.71k
sha512            8096.11k    32368.51k    48547.67k    67888.46k    76414.98k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.007003s 0.000149s    142.8   6697.3
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.001627s 0.001647s    614.5    607.3

With “Cortex-A9”, -O2 options:
Code:
compiler: arm-openwrt-linux-uclibcgnueabi-gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/target-arm_uClibc-0.9.33.2_eabi/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/usr/include -I/home/voxel/Netgear/R7800-V1.0.2.21SF_gpl_src/staging_dir/toolchain-arm_gcc-4.8.5_uClibc-0.9.33.2_eabi/include -DNDEBUG -DTERMIOS -O2 -pipe -mcpu=cortex-a9 -mfpu=neon-vfpv4 -mtune=cortex-a9 -mfloat-abi=softfp -fhonour-copts -fpic -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              11445.51k    39866.42k   101187.93k   163333.46k   198471.06k
sha1             15799.80k    52445.83k   132858.01k   215165.95k   263763.29k
des cbc          27467.95k    28662.57k    29492.91k    29915.53k    29622.27k
des ede3         10675.16k    10978.46k    11037.87k    11108.17k    11070.12k
aes-128 cbc      72595.75k    79870.08k    84763.83k    85766.83k    85581.66k
aes-192 cbc      61778.84k    67680.64k    70656.00k    71640.06k    71223.82k
aes-256 cbc      56069.07k    60223.91k    63047.92k    63603.37k    63045.63k
sha256           21689.09k    54840.21k   102997.02k   131965.27k   143919.79k
sha512            8013.42k    31970.30k    48283.56k    67662.08k    76256.60k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.006979s 0.000148s    143.3   6750.1
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.001696s 0.001644s    589.6    608.2

(Again, we should compare mainly tests where no assembler acceleration is used e.g. to drop sha256 results from comparison, assembler is assembler, i.e. results will be the same)

Voxel.
 
What I meant was, where are you going to put the finished *.img file when you do a new updated version of your FW?

Yes, sure. I'll continue to create firmware versions (*.img) ready-to-flash. Putting in this thread the links for download.

Voxel.
 
Yes, sure. I'll continue to create firmware versions (*.img) ready-to-flash. Putting in this thread the links for download.
You might consider starting separate threads for each firmware revision, at least major ones. That way bug reports and discussion specific to each release can be more easily found.
 
You might consider starting separate threads for each firmware revision, at least major ones. That way bug reports and discussion specific to each release can be more easily found.

Plus, people rarely go through a 20+ pages thread before posting, so you often get the same question asked over and over again within the thread. With shorter threads, people are more likely to take the time to read them first.
 
You might consider starting separate threads for each firmware revision, at least major ones. That way bug reports and discussion specific to each release can be more easily found.

OK, right. Good idea. Thank you. I hope it will be not necessary to ask you for a help again to start a thread ;-)

Plus, people rarely go through a 20+ pages thread before posting, so you often get the same question asked over and over again within the thread. With shorter threads, people are more likely to take the time to read them first.

Yes, I agree. Eric, my respect. All of my ASUS routers were bought only because of your FW.

Voxel.
 
Yes, sure. I'll continue to create firmware versions (*.img) ready-to-flash. Putting in this thread the links for download.
Voxel.

Ok I understand, I thought you had already made some changes in the latest edition after all juggling with sfx2000.
Coding FW is none of my strengths, I'm just a simple networker who likes to be in the forefront of new technology.
 
To be clear to use your FW all I have to do is download the .img file and upload it to the router through the stock GUI same as I would a normal FW update. Also thanks for the FW you have provided. I have been wanting a better FW than stock.
I read the readme and it mainly describes enabling webcam use correct?
Thanks again
 
Plus, people rarely go through a 20+ pages thread before posting, so you often get the same question asked over and over again within the thread. With shorter threads, people are more likely to take the time to read them first.

@thiggins @RMerlin - completely agree here...

Had some off thread discussions with @Voxel - and I think we've found a way that works...

Eric - he might touch base with you - you're highly recommended...
 
Ok I understand, I thought you had already made some changes in the latest edition after all juggling with sfx2000.
Coding FW is none of my strengths, I'm just a simple networker who likes to be in the forefront of new technology.

You know, not so significant changes to release a new version right now. Increase in speed in about 1-2 per cents for some operations: you would not feel it. I prefer to pick up all changes such as closed security vulnerability, newer versions of key packages etc. Then put them all and new release. As a rule people dislike to flash newer version very often. Store/restore configs, etc. I’ll use of course what we got in as result of our discussion with sfx2000 in new version, but no release of this version right now.

To be clear to use your FW all I have to do is download the .img file and upload it to the router through the stock GUI same as I would a normal FW update. Also thanks for the FW you have provided. I have been wanting a better FW than stock.
I read the readme and it mainly describes enabling webcam use correct?
Thanks again

Thanks for your thanks ;-) The readme is for people who want to extend their router functionality using e.g. Entware and who are familiar with configuring a Linux machine from the console. E.g. I use my R7800 (additionally) for temperature monitoring in my country house and for video surveillance. I also used it in the past as an ownCloud server for me and my family.

Voxel.
 
For beginners: setting up a TUN VPN on the R7500 V1 router for phones etc...

This TUN VPN can only access the internet right now; it is for those who want to improve security on public WiFi or get through firewall blocking. If someone knows more about the uses, please share it. Thanks in advance. You can also use the firmware TAP VPN at the same time for more advanced uses. (If anyone knows how to run both TUN and TAP in Entware at the same time, please share it, thanks.)

This guide is not a step-by-step guide; it is a hint guide to help you move on and avoid some difficulties. I am not responsible if you brick your router; take your own risks.



Tested environment:

  • R7500 V1 with Voxel’s V1.0.1.12SF firmware
  • Entware-ng (Voxel’s second or 3x version)
  • iPhone 6S Plus
  • Windows 10 (on both TAP and TUN)


Issue found:

  • One instant messaging app on the iPhone cannot connect (it could be the security setup of the app)


Requirements

  • Basic command usage:
  • Windows: cd dir etc…
  • Linux: cd ls cp vi etc…
  • Please search for and study their usage first, and make sure you know how to use the vi command.

  • For how to flash the firmware and how to set up Entware-ng, please see Voxel’s readme and related posts.


1. Telnet and ssh
  • For how to telnet and ssh to the router, please see Voxel’s posts too. Normally you just need telnet; if you just use telnet, you can skip the ssh section. This is just to give an example of the command line for telnet and ssh.

  • For telnet, type the following command in the Windows terminal to log in after you enable telnet (with your router’s default settings. I have problems with the Windows command prompt; please use PuTTY or a Mac.)


telnet 192.168.1.1



  • For ssh, I will just explain how to do it on Mac OS.
  • First run the following commands in your Mac terminal to create the key:


ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys


  • Now just copy the file “authorized_keys” located at ~/.ssh/ to the router at /root/.ssh/ (by default the .ssh folder does not exist on the router; you can create it with the mkdir command). You can use Voxel’s setssh method to copy it to the router (see readme).

  • Now you can ssh to the router using the following command (with your router’s default settings):


ssh root@192.168.1.1



2. Entware package installation

  • Version: Voxel’s Entware-3x

  • This just covers how to install packages on the USB drive.

  • First copy entware-cortex-a15-3x.tar.gz to the root of the stick where you installed Entware, and run the following commands.
  • (The following commands do not work if Entware is running. You can delete the autorun folder in the root of your USB drive and restart your router, then untar entware-cortex-15-3x-initial.tar.gz using a similar command to reinstall Entware.)


cd /tmp/mnt/optware/
tar xof entware-cortex-a15-3x.tar.gz


  • Second, modify the opkg.conf file using the following command.


vi /tmp/mnt/optware/entware/etc/opkg.conf


  • The content needs to look like the following.

src/gz local file:///tmp/mnt/optware/cortex-a15
dest root /
dest ram /opt/tmp
lists_dir ext /opt/var/opkg-lists
option tmp_dir /opt/tmp


  • Run the following to update the list of available packages:


opkg update


  • Now you can install the package:


cd /tmp/mnt/optware/cortex-a15-3x/
opkg install openvpn-openssl_2.3.14-1_cortex-a15-3x.ipk



 
3. TUN VPN setup
  • Before you begin, please disable the firmware VPN first. (For how to do this, please see the Netgear support page; by default it is disabled.)

  • I highly suggest changing the default gateway to something other than 192.168.1.1 and 192.168.0.1, due to possible conflicts with your client network.

  • For how to create the keys for OpenVPN, please google it; there are a lot of resources. If you are lazy or something, you can just turn on the firmware VPN and copy them from /tmp/openvpn/ (the firmware VPN only uses dh1024.pem, but it is ok to use it. And there is no ta.key; you can go without it, with just a little bit less security.)
  • Place ca.crt dh2048.pem server.key server.crt ta.key in /tmp/mnt/optware/entware/etc/openvpn/


Server side

  • Create the OpenVPN server config file:

vi /tmp/mnt/optware/entware/etc/openvpn/openvpn.conf


  • It could look like the following:

port 1194
proto udp
dev tun
server 192.168.66.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "route 192.168.55.0 255.255.255.0"
push "redirect-gateway def1"
keepalive 10 120
dh /opt/etc/openvpn/dh2048.pem
ca /opt/etc/openvpn/ca.crt
cert /opt/etc/openvpn/server.crt
key /opt/etc/openvpn/server.key
tls-auth /opt/etc/openvpn/ta.key 0
cipher AES-256-CBC
#multi users
duplicate-cn
user nobody
persist-key
persist-tun
verb 4
log openvpn.log
comp-lzo


  • If you create separate client keys for each client or only have one client, delete the #multi users and duplicate-cn lines (duplicate-cn uses the same key for all users). If you do not have ta.key, delete tls-auth /opt/etc/openvpn/ta.key 0. In this example the default router gateway has been changed to 192.168.55.1 (you can change it in the GUI setup).


Client side

  • Create the client config file; you can use another program on Mac or Windows as you like. The router does not need it. You can change “client” in the file name to whatever you want.


vi /tmp/mnt/optware/entware/etc/openvpn/client.ovpn


  • It could look like the following:

remote your.mynetgear.com 1194
client
remote-cert-tls server
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
route-delay 30
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo


  • Please change your.mynetgear.com to your Dynamic DNS address or static IP address. If you do not have ta.key, delete tls-auth ta.key 1.

  • Copy your client.ovpn ca.crt client.crt client.key ta.key to your client.
  1. On Windows, the default location is c:\Program Files\OpenVPN\config\
  2. On iPhone, use iTunes, choose your device, choose Apps, under File Sharing choose the OpenVPN app, and drop the files into it. (If you have not installed OpenVPN, install it. The TUN version is free.)

4. Firewall setup

  • Open a hole for the VPN server, NAT the traffic, etc…
(Warning: this could brick your router. Everything you did before this could be done again, but maybe not this if you make any mistake.)


vi /usr/sbin/net-wall


  • It should look like this (add the lines at the bottom):

#!/bin/sh

if [ ! -f /tmp/modem ]; then
    /usr/sbin/net-wall-bin $*
else
    /usr/sbin/net-wall-bin -w eth2 $*
fi

if [ "$1" = "rule" ]; then
    # Check config file existence
    if [ -f /etc/netwall.conf ]; then
        config=/etc/netwall.conf
    elif [ -f /root/netwall-rules ]; then
        config=/root/netwall-rules
    else
        exit 0
    fi

    # Add own rules
    mv /tmp/netwall-rules /tmp/netwall-rules.tmp
    cat $config > /tmp/netwall-rules
    cat /tmp/netwall-rules.tmp >> /tmp/netwall-rules
    rm -f /tmp/netwall-rules.tmp
else
    # OpenVPN settings of iptables for TUN
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD -i tun0 -j ACCEPT
    iptables -I FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -o eth0 -j MASQUERADE
fi


  • Restart your router. It should be working now. If you alter any port or proto, they need to match on the server, the client, and the firewall rule.


Troubleshooting

  • Use the following to check if the VPN server is up:


/tmp/mnt/optware/entware/etc/init.d/S20openvpn check


  • Use the following to check if the TUN0 interface is up:


ifconfig


  • Use the following to check the detailed log of the VPN server:


cat /tmp/mnt/optware/entware/etc/openvpn/openvpn.log



5. Firmware TAP VPN
  • By default, Voxel’s firmware needs ca.crt dh2048.pem server.key server.crt to be added to /root/openvpn/; after this it can run when you turn it on in the GUI setup.

Troubleshooting

  • Use the following to check if the TAP0 interface is up:


ifconfig


  • Use the following to check the detailed log of the VPN server:


cat /tmp/openvpn_log



6. Solving the problem that the Entware VPN TUN0 interface is down when the firmware VPN is turned on


vi /tmp/mnt/optware/autorun/scripts/post-mount.sh


  • Modify it to look like the following:

#!/bin/sh

# Create symlinks to Entware
if [ -d /opt ]; then
    if [ ! -e /opt/bin ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/bin /opt/bin
        /bin/echo "Create link" > /tmp/entware.log
    fi

    if [ ! -e /opt/etc ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/etc /opt/etc
        /bin/echo "Create link" >> /tmp/entware.log
    fi

    if [ ! -e /opt/lib ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/lib /opt/lib
        /bin/echo "Create link" >> /tmp/entware.log
    fi

    if [ ! -e /opt/sbin ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/sbin /opt/sbin
        /bin/echo "Create link" >> /tmp/entware.log
    fi

    if [ ! -e /opt/share ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/share /opt/share
        /bin/echo "Create link" >> /tmp/entware.log
    fi

    if [ ! -e /opt/tmp ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/tmp /opt/tmp
        /bin/echo "Create link" >> /tmp/entware.log
    fi

    if [ ! -e /opt/usr ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/usr /opt/usr
        /bin/echo "Create link" >> /tmp/entware.log
    fi

    if [ ! -e /opt/var ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/var /opt/var
        /bin/echo "Create link" >> /tmp/entware.log
    fi

    if [ ! -e /opt/swap ]; then
        /bin/ln -sf /tmp/mnt/$1/entware/swap /opt/swap
        /bin/echo "Create link" >> /tmp/entware.log
    fi
else
    /bin/ln -sf /tmp/mnt/$1/entware /tmp/opt
fi

# Restart Entware-ng VPN
sleep 200
/tmp/mnt/optware/entware/etc/init.d/S20openvpn restart

# Start firmware VPN again
sleep 30
/etc/init.d/openvpn start


  • Both VPNs will be up about 5 minutes after turning on the router. I still could not find out exactly what problem causes it. If someone knows, please share it.


7. Finally, I want to thank Voxel for his great work and help. He gives us a chance to use more advanced features on the R7500. Thanks.
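
As an added example (not part of the post above or of Voxel's firmware), this shell script checks what the guide leaves to the reader: that port, proto and tunnel subnet agree across the server config, the client file and the firewall rules, and whether the server config uses the shared-certificate, no-ta.key or dh1024.pem options the guide mentions. The function names, the sample files and the `server-drift.conf` variant are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and sample
# files are assumptions; the samples are constructed from the guide's configs.

# Print the arguments of the first uncommented occurrence of a directive.
conf_get() {  # conf_get FILE KEYWORD
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# One finding per line for the options the guide treats as optional.
audit_server() {  # audit_server SERVER_CONF
    grep -q '^[[:space:]]*duplicate-cn' "$1" &&
        echo "duplicate-cn: all clients share one certificate"
    grep -q '^[[:space:]]*tls-auth[[:space:]]' "$1" ||
        echo "tls-auth: missing, no extra HMAC on control-channel packets"
    dh=$(conf_get "$1" dh)
    # Filename heuristic only; the real size is shown by
    # `openssl dhparam -in FILE -text -noout`.
    case $dh in
        *1024*) echo "dh: $dh looks like a 1024-bit group" ;;
    esac
    return 0
}

# Port, proto and tunnel subnet must agree on server, client and firewall.
check_match() {  # check_match SERVER_CONF CLIENT_OVPN FIREWALL_RULES
    s_port=$(conf_get "$1" port)
    s_proto=$(conf_get "$1" proto)
    s_net=$(conf_get "$1" server | awk '{ print $1 }')
    c_port=$(conf_get "$2" remote | awk '{ print $2 }')
    c_proto=$(conf_get "$2" proto)
    # OpenVPN defaults when a directive is absent: port 1194, proto udp.
    : "${s_port:=1194}" "${s_proto:=udp}" "${c_port:=1194}" "${c_proto:=udp}"
    [ "$c_port" = "$s_port" ] || echo "port: server $s_port, client $c_port"
    [ "$c_proto" = "$s_proto" ] || echo "proto: server $s_proto, client $c_proto"
    grep -Eq -- "-I INPUT .*-p $s_proto .*--dport $s_port .*-j ACCEPT" "$3" ||
        echo "firewall: no INPUT ACCEPT rule for $s_proto/$s_port"
    grep -Eq -- "POSTROUTING .*-s $s_net/[0-9]+ .*-j MASQUERADE" "$3" ||
        echo "firewall: no MASQUERADE rule for tunnel subnet $s_net"
    return 0
}

make_samples() {  # make_samples DIR ; constructed inputs modelled on the guide
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
server 192.168.66.0 255.255.255.0
dh /opt/etc/openvpn/dh2048.pem
tls-auth /opt/etc/openvpn/ta.key 0
#multi users
duplicate-cn
EOF
    # Variant: dh1024.pem copied from the firmware VPN, no ta.key,
    # and the port changed on the server only.
    cat > "$1/server-drift.conf" <<'EOF'
port 1195
proto udp
server 192.168.66.0 255.255.255.0
dh /opt/etc/openvpn/dh1024.pem
EOF
    cat > "$1/client.ovpn" <<'EOF'
remote your.mynetgear.com 1194
client
proto udp
tls-auth ta.key 1
EOF
    cat > "$1/net-wall" <<'EOF'
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -o eth0 -j MASQUERADE
EOF
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
echo "== guide config =="; audit_server "$SAMPLES/server.conf"
check_match "$SAMPLES/server.conf" "$SAMPLES/client.ovpn" "$SAMPLES/net-wall"
echo "== drifted config =="; audit_server "$SAMPLES/server-drift.conf"
check_match "$SAMPLES/server-drift.conf" "$SAMPLES/client.ovpn" "$SAMPLES/net-wall"
```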
 
