Monthly Archives: March 2014

OpenWRT, IPv6, VPN and Replacing WRT54GL

After having relied on the router my Internet provider has supplied me with for years, I decided to take back control over my LAN. There were a few factors that inspired me to put some effort into this:

  1. The announcement of the WRT1900AC could open up the door for a new generation of routers
  2. IPv6 is getting somewhere and I want to be able to play with it to learn – so I want IPv6 at home
  3. I want a VPN solution at home, for different reasons, but one of them is to be able to access the Internet more safely when using public Wifis, and another is to access services when I am abroad
  4. My Wifi at home (supplied by my router from my Internet provider) was not 100% stable

I ended up keeping my WRT54GL, installing OpenWRT 10.03.1 on it, and configuring it to provide VPN using PPTP and IPv6 using 6to4. I mostly followed documentation on the OpenWRT web page, but there were and are some issues.
Update 2014-04-12: Details about IPv6 using 6to4.

OpenWRT and WRT54GL
The WRT54GL is not supported by the most recent versions of OpenWRT, and the final release with good WRT54GL support was 10.03.1. Everything I write in this article applies to 10.03.1 (the brcm-2.4 edition, which runs a Linux 2.4 kernel; that matters for what the firewall can do).

OpenWRT is very nice. It used to be more hardcore compared to other router firmware. By that I mean that Tomato (and DD-WRT) are 100% Web-GUI-configurable, while OpenWRT was more dependent on the command line. Most things can now be handled using the Web-GUI. But don't attempt to get advanced things (like VPN/PPTP and IPv6) working without using the command line. If you don't feel comfortable with that, just stay with Tomato (which is very nice). This is for OpenWRT 10.03.1; perhaps more recent versions are more configurable without the command line.

For end-user needs in 2014, IPv6 is not needed. However, if you decide to play with it anyway, IPv6 is in some ways a simpler protocol than IPv4: not needing NAT (all your clients get real, globally routable addresses) takes away a lot of things that just happen to be complicated with IPv4. However, although NAT was never meant to provide security, it did so as a side effect: an unsolicited connection from the Internet has no inside host to be delivered to. With IPv6 every client is reachable, so you need to think about really firewalling incoming traffic to your network: the default should be to drop unsolicited inbound connections and open only what you want. Things like port forwarding are suddenly not needed, and neither is a VPN just to access internal resources (you would still want one for encryption on public Wifi); instead you punch exactly the holes you want in the firewall.

There is also no need for DHCP: the clients can autoconfigure themselves (stateless address autoconfiguration, SLAAC) from the prefix the router announces, and there are so many available addresses on each network that a conflict is very unlikely (and duplicate address detection catches one if it happens). But your IPv6 router must send router advertisements (on OpenWRT 10.03.1 that is radvd's job) so the clients know the network exists and which router to use as default gateway.

IPv6 – How to get it
How can you get IPv6 if your internet provider only provides IPv4? There are different transition mechanisms that you can use (that are designed just to give you IPv6 when you only have IPv4):

  • Teredo needs to be configured on each client computer separately, but requires nothing of the network (except that the firewall does not block the traffic). Teredo is the easiest way to access IPv6, but it gives you no IPv6 network. In Debian you just run apt-get install miredo (as root), that is all.
  • Tunnel brokers provide you IPv6 in a VPN fashion, much like there are VPN providers who give you an IP address in another country, or for anonymization purposes. You can set up the tunnel on a single client, or even better on your router. Your IPv4 router does not have to be your IPv6 router, so it is possible to configure for example a Raspberry Pi as an internal IPv6 router behind an (IPv4) NAT (use a tunnel type that runs over UDP, such as AYIYA, since a plain protocol-41 tunnel generally does not pass through NAT). A tunnel broker is probably the best and most reliable solution if you have real IPv6 needs. I haven't tried this, but I suggest starting with SixXS (which provides free tunnels).
  • 6to4 is a very elegant idea: your IPv6 /48 prefix is derived from your public IPv4 address (2002:WWXX:YYZZ::/48, where WW.XX.YY.ZZ is the IPv4 address in hex), and IPv6 packets are carried inside IPv4 (IP protocol 41) to and from an anycast relay (192.88.99.1), so no registration with anyone is needed. However, in practice it seems to be a not very popular transition mechanism (it is supposed to be fading). 6to4 requires that you have a real public IPv4 address (it may be dynamic, but then your IPv6 prefix changes with it). This is what I tried, and it works well for me.

Note, when you have IPv6 via a transition mechanism, your clients may still prefer to use IPv4 when accessing services that are available on IPv4 (which might be all the services you can possibly want to use). There are services to test IPv6.

IPv6 – 6to4 – OpenWRT 10.03.1 on WRT54GL
I followed these instructions (the 6to4 part). I ended up with firewall problems: the internal IPv6 worked, but I had problems accessing the rest of the world. I have not really stabilized my firewall scripts yet (they give some errors), but if you are not too paranoid, you can try to ACCEPT IPv6 FORWARD on lan (allowing IPv6 traffic from the Internet to your local network) and ACCEPT IPv4 INPUT on lan (allowing all IPv4 traffic from the Internet to get to your router).
Update 2014-04-12: Details about IPv6 using 6to4.
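Two of the points above, what 6to4 actually does with your IPv4 address and how to open the firewall for it without accepting everything, as an added example written for this page (it is not code from the original post and not OpenWRT's own firewall script). It derives the 2002::/48 prefix from the WAN IPv4 address, lets in only IP protocol 41 on the IPv4 side rather than all INPUT (a blanket ACCEPT would also expose the router's own ssh and web interface to the Internet), and on the IPv6 side forwards only traffic addressed to that prefix. The IPv6 rules are deliberately stateless, because the brcm-2.4 build runs a Linux 2.4 kernel whose ip6tables has no connection tracking. The interface names br-lan, eth0.1 and 6to4-wan, the RUN dry-run variable and the address 203.0.113.5 are assumptions.

```shell
#!/bin/sh
# Added example for OpenWRT 10.03.1 /etc/firewall.user; not the original post's code.
# Assumptions: LAN bridge br-lan, IPv4 WAN eth0.1, 6to4 tunnel interface 6to4-wan
# (override with LAN_IF/WAN_IF/TUN_IF). Set RUN=echo to print rules instead of applying.
LAN_IF=${LAN_IF:-br-lan}
WAN_IF=${WAN_IF:-eth0.1}
TUN_IF=${TUN_IF:-6to4-wan}
RUN=${RUN:-}

# 6to4 embeds the public IPv4 address W.X.Y.Z in the prefix 2002:WWXX:YYZZ::/48.
sixto4_prefix() {
    local oldifs
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    printf '2002:%02x%02x:%02x%02x::/48\n' "$1" "$2" "$3" "$4"
}

# The reverse: recover the IPv4 address embedded in a 2002::/16 address,
# handy when reading ip6tables log lines. Fails for non-6to4 addresses.
sixto4_embedded_v4() {
    local hi lo
    case "$1" in 2002:*) ;; *) echo "not a 6to4 address: $1" >&2; return 1 ;; esac
    hi=$(printf '%s' "$1" | cut -d: -f2)
    lo=$(printf '%s' "$1" | cut -d: -f3)
    hi=$((0x${hi:-0})); lo=$((0x${lo:-0}))
    printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
}

# Install the rules for the given public IPv4 address.
apply_6to4_firewall() {
    local prefix
    prefix=$(sixto4_prefix "$1")

    # IPv4 side: the tunnel is IPv6-in-IPv4, IP protocol 41. Only that needs to reach
    # the router from the Internet, not "all IPv4 INPUT". The source cannot be pinned
    # to the anycast relay 192.88.99.1: return packets come from whichever relay the
    # remote side happened to use.
    $RUN iptables -A input_rule -i "$WAN_IF" -p 41 -j ACCEPT

    # IPv6 side, stateless (no -m state: Linux 2.4 ip6tables cannot track connections).
    $RUN ip6tables -F FORWARD
    $RUN ip6tables -F INPUT
    $RUN ip6tables -P FORWARD DROP
    $RUN ip6tables -P INPUT DROP
    # LAN may go anywhere, but only with our own prefix as source (anti-spoofing).
    $RUN ip6tables -A FORWARD -i "$LAN_IF" -s "$prefix" -j ACCEPT
    # Inbound to the LAN: ICMPv6 (path MTU discovery depends on it), TCP packets that
    # are not connection openings (replies to LAN-initiated connections), and UDP to
    # ephemeral ports (DNS/NTP replies). Everything else is dropped: that is the
    # "really firewall incoming traffic" part. The open high UDP ports are the price
    # of statelessness; on a 2.6 kernel use -m state --state ESTABLISHED,RELATED instead.
    $RUN ip6tables -A FORWARD -i "$TUN_IF" -d "$prefix" -p icmpv6 -j ACCEPT
    $RUN ip6tables -A FORWARD -i "$TUN_IF" -d "$prefix" -p tcp ! --syn -j ACCEPT
    $RUN ip6tables -A FORWARD -i "$TUN_IF" -d "$prefix" -p udp --dport 1024:65535 -j ACCEPT
    # The router itself: everything from LAN and loopback, only replies from outside.
    $RUN ip6tables -A INPUT -i lo -j ACCEPT
    $RUN ip6tables -A INPUT -i "$LAN_IF" -j ACCEPT
    $RUN ip6tables -A INPUT -p icmpv6 -j ACCEPT
    $RUN ip6tables -A INPUT -p tcp ! --syn -j ACCEPT
    $RUN ip6tables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
}

# Example invocation: WAN_IP=203.0.113.5 (documentation address, constructed) sh 6to4-fw.sh
if [ -n "${WAN_IP:-}" ]; then
    apply_6to4_firewall "$WAN_IP"
fi
```

Run it first with RUN=echo to see what it would do; with WAN_IP=203.0.113.5 it derives the prefix 2002:cb00:7105::/48 and restricts every IPv6 rule to it, so a packet arriving on the tunnel for some other prefix (which the router should not be relaying anyway) is dropped by the FORWARD policy. When the public address changes, the script simply has to be rerun with the new one.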

VPN/PPTP – OpenWRT 10.03.1 on WRT54GL
First, before you set up a PPTP server and use it, consider the security problems with MS-CHAP-v2! The MS-CHAPv2 response is three DES encryptions of the same challenge hash under the user's NT password hash padded to 21 bytes, and the third DES key only contains two bytes of real key material, so recovering the NT hash from a single captured handshake costs one 2^56 DES key search, which is feasible offline (demonstrated in 2012 with a dedicated cracking service). Because the MPPE session keys are derived from that same NT hash, whoever breaks the handshake can also decrypt the whole tunnel, so PPTP gives you no confidentiality against someone who can capture the traffic, which is exactly the public-Wifi attacker. If you are aware of the risk and the threat, the advantages of VPN/PPTP are:

  • No need for certificates
  • Good client support

I followed these instructions. Again, I ended up with firewall problems, but found a solution. Try:

# In /etc/firewall.user (OpenWRT 10.03.1). "ppp+" matches every interface whose
# name begins with "ppp", i.e. the link pptpd creates for each connected client.
iptables -A input_rule -i ppp+ -j ACCEPT        # VPN clients may reach the router itself
iptables -A forwarding_rule -i ppp+ -j ACCEPT   # ...and be forwarded on to LAN/WAN
iptables -A forwarding_rule -o ppp+ -j ACCEPT   # ...and receive forwarded traffic
iptables -A output_rule -o ppp+ -j ACCEPT       # the router may talk to VPN clients

Now, the confusing part is the IP addresses of your VPN. Each VPN connection will get both a local and a remote IP address. And none of these will probably be on your LAN. And this is ok! There is a "localip" option for pptpd which is no longer supported, and I wasted some time trying to assign IP numbers. But the above firewall rules fixed everything if I just didn't think about IP numbers at all.
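The same four rules written more narrowly, plus the two things pptpd needs on the WAN and a check that the ppp+ wildcard does not also catch the WAN, as an added example (written for this page; not the post's code and not OpenWRT's). The important caveat is that "-i ppp+" matches any interface whose name starts with "ppp": if your WAN is PPPoE (interface names such as pppoe-wan), the blanket ACCEPT rules above open the router and the LAN to the whole Internet. The example therefore matches on the addresses pptpd hands out rather than on the interface alone. It assumes a client pool VPN_POOL (the constructed 10.10.10.0/29, standing in for the remoteip range in pptpd's configuration), br-lan and eth0.1 as LAN and WAN interfaces, the postrouting_rule chain of the 10.03.1 firewall, and a RUN variable for dry-running.

```shell
#!/bin/sh
# Added example for OpenWRT 10.03.1 /etc/firewall.user; not the original post's code.
# Assumptions: pptpd assigns client addresses from VPN_POOL (its remoteip range);
# LAN bridge br-lan, IPv4 WAN eth0.1. Set RUN=echo to print rules instead of applying.
VPN_POOL=${VPN_POOL:-10.10.10.0/29}
LAN_IF=${LAN_IF:-br-lan}
WAN_IF=${WAN_IF:-eth0.1}
RUN=${RUN:-}

# Warn when the WAN interface itself would be matched by "-i ppp+" (PPPoE WANs are
# typically named pppoe-wan). Returns 1 in that case so a caller can refuse to go on.
check_ppp_wildcard() {
    case "$1" in
        ppp*) echo "WARNING: WAN interface '$1' is also matched by -i ppp+" >&2; return 1 ;;
        *)    return 0 ;;
    esac
}

apply_pptp_firewall() {
    # PPTP from the Internet to pptpd on the router: the TCP/1723 control channel
    # and GRE (IP protocol 47) carrying the PPP frames.
    $RUN iptables -A input_rule -i "$WAN_IF" -p tcp --dport 1723 -j ACCEPT
    $RUN iptables -A input_rule -i "$WAN_IF" -p 47 -j ACCEPT

    # Trust the addresses pptpd hands out, not just any ppp interface.
    # VPN clients may talk to the router itself (DNS, ssh)...
    $RUN iptables -A input_rule -i ppp+ -s "$VPN_POOL" -j ACCEPT
    # ...and to the LAN, and LAN hosts may answer or initiate connections to them.
    $RUN iptables -A forwarding_rule -i ppp+ -s "$VPN_POOL" -o "$LAN_IF" -j ACCEPT
    $RUN iptables -A forwarding_rule -i "$LAN_IF" -o ppp+ -d "$VPN_POOL" -j ACCEPT
    # Clients that send all their traffic through the VPN (the public-Wifi use case)
    # also need the Internet; only replies are let back in.
    $RUN iptables -A forwarding_rule -i ppp+ -s "$VPN_POOL" -o "$WAN_IF" -j ACCEPT
    $RUN iptables -A forwarding_rule -i "$WAN_IF" -o ppp+ -d "$VPN_POOL" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The pool is not on the LAN subnet, so NAT it on the way out. Harmless if the
    # wan zone already masquerades everything leaving the WAN interface.
    $RUN iptables -t nat -A postrouting_rule -s "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
    # Nothing in output_rule: the router's own replies to clients are already allowed
    # by the default OUTPUT policy.
}

# Example invocation: APPLY=1 sh pptp-fw.sh (with RUN=echo to preview)
if [ "${APPLY:-0}" = 1 ]; then
    check_ppp_wildcard "$WAN_IF" || echo "continuing, but rules are restricted to $VPN_POOL" >&2
    apply_pptp_firewall
fi
```

The check is the part worth keeping even if you stay with the four original rules: look at the interface list on the router (ifconfig) and confirm that no interface other than the pptpd links starts with "ppp" before trusting the wildcard.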

Best router for OpenWRT
So, what happened to my WRT1900AC plans? Well, the WRT1900AC is not available yet, and I decided to play with my old WRT54GL to see how far I could get with it, and it turned out that for now it does everything I want it to.

OpenWRT has a long list of supported routers (they even have a buyers' guide). I did some research (only reading on the Internet) and it seems that TP-Link provides fine routers for OpenWRT, for example the WDR3600, WDR4300 (N750) or WR1043ND. TP-Link also seems to have a good Open Source policy. The N750 is probably what I would buy today, if I were to replace that WRT54GL.

So, what about that WRT1900AC? With a dual-core CPU, 256 MB of RAM, eSATA and a USB 3.0 port it is clearly a very capable router. And with 128 MB of flash storage, much more potent firmwares (or OpenWRT versions) are possible. But is it a good idea? Perhaps the router should only be a router, and other services (file server, print server, backup, SQL, web server) are better handled by something else (why not a Raspberry Pi), so as never to disturb the critical router function? I like OpenWRT for having a normal editable filesystem (compared to Tomato or DD-WRT) and packages instead of everything in one image. But 128 MB? Perhaps it would make more sense to just use an SD card and run Debian?

The WRT1900AC is expensive for being a router, and if it ends up providing no more value/function than the TP N750 mentioned above, what is the point? On the other hand it is not very much money – just expensive for a router. For now I will keep my WRT54GL, but the WRT1900AC is still tempting.

Streaming media on the Mac : Ace Player HD

There are many great reasons to use a Mac. Easy access to proprietary Windows software isn't one of them. Watching sports online usually involves one of a few technologies:

  • Flash: Works fine on a Mac
  • Sopcast: There is a native Mac client these days
  • Acestream: No native client available

As more and more events are being streamed using Acestream (free as in beer, for Windows), being able to take part in these streams would be great. And using Boot Camp and rebooting isn't really a viable option…

I was able to follow instructions on this web page to wrap Ace Player HD (itself wrapping VLC) using Winebottler to get it all to work. All the information is in the thread, but as it is spanning over many months, it isn’t quite clear what hints work and what hints did not. Below is a little summary of what I did to make it work on Mac OS X 10.9.1:

Follow this instruction post:

Winetricks were critical.

What you need:

  • Ace_Stream_Media (Ace Player HD 2.1.9 (VLC 2.0.5)). As pointed out in some posts, more recent versions DON'T work. Perhaps they do by now, but this combination did at least work fine.
  • WineBottlerCombo_1.7.11.dmg (the post suggests 1.7.9; I used 1.7.11 with no problems)

What you don’t need:

  • Registry hacks

Where I got stuck (and how I solved it)

  • Streams working fine, but the picture is very choppy (a few fps). Fixed by switching the video output to OpenGL in the VLC configuration.
  • Engine fails to start with some strange error: Reboot (yes…)


Final notes

When shutting down the app, you also need to exit the engine. You do this by right clicking the little “Windowsy” icon in your Menu bar, and choosing Quit. It will take 20 or so seconds before they all shut down (wine, wineserver processes).

TV on My Terms

Quite a few content providers of TV services market themselves with "TV på Dina Villkor" ("TV on Your Terms"). I don't like that. They are My terms if I have decided them. If the provider has decided the terms, they are Their terms.

So here come my terms:

  1. No lock-in period
  2. No notice period
  3. No encryption fee
  4. No encryption at all
  5. No "basic package" required in order to subscribe to "add-on packages" or "add-on channels"
  6. Being able to zap between all channels without paying for them, and start paying for a channel once I have watched it for 3 minutes
  7. Being able to pay only for the minutes or the programmes I watch
  8. A set-top box only if I want one myself
  9. HTML/standard streaming that works without proprietary software (Flash, Silverlight)
  10. Support for Apple TV and Chromecast
  11. Being able to use the service on several devices at once (and of course pay for what I watch, neither more nor less)
  12. Broad access to foreign national channels (e.g. BBC1, BBC2 and so on), not just the international variants (e.g. BBC World)
  13. Being able to save/subscribe to programmes to watch offline (like podcasts)
  14. Not paying for channels that are already advertising-funded
  15. The whole Play catalogue (the broadcasters' catch-up services) available as pay-per-view
  16. Being able to use the service when I am abroad

None of this is any stranger than my being able to walk into a restaurant, order only what I want, eat, pay, leave and never come back.

Or that I can go to a grocery store and buy a packet of sugar cubes without also having to buy filter coffee, boiled coffee, decaf, instant coffee, coffee beans and coffee pralines, or noodles or daily newspapers or kiosk paperbacks. Nor do I have to commit to buying more sugar over the next 24 months.