
# Router

## Router at the Network Socket

### Overview

The more WiFi networks there are at the dormitory, the worse the quality of each network gets. Think twice about whether you really need your own WiFi network.

• If you only want to connect several PCs to the network and don’t really need your own WiFi, you can use a switch (not a Nintendo Switch, of course).
• If you have a PC with LAN and WiFi, you can often activate a hotspot for your devices (e.g. for Windows (German)). (This only works as long as your PC is connected to our network. Unfortunately this method is not allowed on all operating systems for incomprehensible reasons. If it doesn’t work, you will get error messages saying that we don’t allow it.)
• In some places in the dormitory there is a rommelwood-WiFi which you can use. We’d like to provide the entire dormitory with this WiFi network, but we are currently facing political/organisational problems. To help us, please contact the Studentenwerk or RRZE and tell them why you need WiFi.
• If you have a laptop without a LAN port but with a USB port, you can use a USB network adapter.
• If you really need your own WiFi (for a mobile phone or gaming console), you will need a router that supports 802.1X authentication at the WAN port. These are mostly very expensive routers, or routers that are supported by OpenWrt (currently e.g. TP-Link WR940N and WR940ND Version 3). Attention! The newest TP-Link TL-WR841N is not (yet) supported in the latest Version 14!
• We can’t configure the router for every resident in this dormitory. We do our best! Please forgive us if we can’t manage to help you.

If you have experience with configuring OpenWRT and/or already have a router with one of these operating systems, you can try the manual tutorial at the bottom of the page.

### Router with OpenWRT

#### Caution

• First read everything, then proceed.
• Under special circumstances you can render your router useless; then only someone with knowledge can repair it.
• The operating system of your router will be replaced.
• At the moment we are building a new infrastructure, where there is no need for authentication. However, this is still in the works and will need some more time. Please be patient.

You need a router that is supported by OpenWRT. These are mainly from TP-Link, but other vendors like D-Link, Netgear etc. may also be supported. A list can be found at https://wiki.openwrt.org/toh/start. (Routers that are not fully supported are listed there as well.) At least one number should appear under “Supported Current Release”. Also check the router’s page. There you will also find which firmware fits your router and how to flash it with OpenWRT. See also the instructions below (for the TL-WR841N v13 use this link for now: https://rommelwood.de/media/uploads/openwrt/2018-05-31/).

If you have a supported router, you will be able to use the compiled images made by us. They should include everything you need. DO NOT download the images from OpenWRT; use ours instead.

## Normal way of setting up a clean TP-Link Router

### When you have installed OpenWRT, [continue here](#configure_openwrt).

Attention! Before you start, inform yourself very well! Read the text above and the OpenWRT Wiki for your model.

If you don't know what to do, ask us. But it would be nice if you try it yourself.

1. ### Download the OpenWRT Image for your router here

• Find out the model number of your router. You can find help here.
• The file names are to be read like this: [openwrt/lede]-[Chipset]-generic/tiny-[Router Modell]-v[Revision]-[Filesystem]-[factory / sysupgrade].bin
• Filesystem is always squashfs
• Chipset is most of the time ar71xx
• We need factory to flash from the original TP-Link software to OpenWRT; sysupgrade only works for updates from OpenWRT to OpenWRT
• Check twice that the download was complete and correct. Checksums are provided for this.
2. ### Connect the Router

• Plug in the router's power adapter and check that there is no loose connection and that the power supply is stable
• If the router has more than 2 LAN ports, connect the WAN port (most of the time coloured blue) to the network socket in your room with the LAN cable.
• Connect your PC/laptop to the router by LAN if possible (otherwise by WiFi), using a LAN port of the router if available (most of the time yellow).
• Power your router on
• You should get an IP address via DHCP, most of the time 192.168.0.x
• (For example, you can find it in CMD by typing ipconfig.)
• The IP address of your router will be 192.168.0.1
3. ### In your Browser open the Webinterface of your router

• Mostly the standard login data is admin and admin.
• If not, look on the bottom of your router or on the internet
5. ### Upload the OpenWRT image from step 1 as an update

• System Tools > Firmware Upgrade and then on Browse.
• Search for the file from step 1 on your computer and upload it

You should now be 100% sure that this is the right image for your router and that the download was correct and complete. Otherwise something could get destroyed.

Sometimes you will need to change the name of the image file; in that case there will be an error message. If this happens, look in the OpenWRT Wiki.
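The two things to be sure of before flashing (right image type, complete download) can be checked in a shell. This is an added example, not part of the dormitory's instructions; it assumes the published checksum list is in `sha256sum` format, which this page does not state, and `check_image` is a name chosen here.

```shell
#!/bin/sh
# Added example: pre-flash check for an OpenWrt image file.
# Assumption: the checksum list has lines "<sha256>  <file>" or "<sha256> *<file>".

# check_image IMAGE SUMS_FILE MODE
#   MODE is "factory" (stock TP-Link firmware -> OpenWrt)
#   or "sysupgrade" (OpenWrt -> OpenWrt).
# Prints one verdict line; returns 0 only if the image may be uploaded.
check_image() {
    image=$1; sums=$2; mode=$3
    name=$(basename "$image")

    [ -f "$image" ] || { echo "FAIL: $name not found"; return 1; }

    # The file name must carry the filesystem and the image type this flash needs.
    case "$name" in
        *-squashfs-"$mode".bin) ;;
        *) echo "FAIL: $name is not a squashfs $mode image"; return 1 ;;
    esac

    # Take the published hash for exactly this file name ("*" marks binary mode).
    expected=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "FAIL: no checksum listed for $name"; return 1; }

    # A truncated or altered download produces a different hash.
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: checksum mismatch for $name (download incomplete or altered)"
        return 1
    fi
    echo "OK: $name matches its published checksum"
}

# Stand-alone use: sh check_image.sh IMAGE SUMS_FILE factory|sysupgrade
if [ "$#" -eq 3 ]; then check_image "$@"; fi
```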

6. ### Flash the image

• Click on Upgrade.

Now the power supply mustn't be cut, or something may get destroyed!

7. ### Keep calm and keep waiting

• Now press OK.

Now the power supply mustn't be cut, or something may get destroyed!

If the network connection is cut, that isn't a problem.

8. ### Wait till the process is finished

Now the power supply mustn't be cut, or something may get destroyed!

If the network connection is cut, that isn't a problem.

9. ### After a reboot, OpenWRT should be installed

• Normally, at the beginning, only a LAN connection between PC and router is possible. (If necessary, unplug the WAN port.)
• OpenWRT most of the time uses different IP addresses:
• It will take a moment until your PC is reconnected.
• You should now get an IP address via DHCP, mostly 192.168.1.x
• You can find it in CMD by typing ipconfig.
• The router's IP address will then be 192.168.1.1
• In short: now type http://192.168.1.1/ in your browser
• If no web interface loads, it may be missing from the image. You can try to connect to the router by SSH or Telnet and install LuCI afterwards (with opkg install luci). Information can be found on the OpenWRT Wiki and on the internet.

• The standard login credentials are root and root.
11. ### Configure Settings

• System > System
12. ### General settings and time

• After a click on Sync with Browser the time should be somewhat accurate (it is important that the date is correct)
• Register some NTP servers. The following should work:
1. ntp0.rommelwood.de New and important!
2. use the default server, e.g. 2.openwrt.pool.ntp.org (or 0-3)
3. ntp2.fau.de (or ntp0-ntp3): not recommended! You will quickly reach the request rate limit!
• Timezone: Here Europe/Berlin is correct, even though some people prefer to live on American time ;)
• Hostname is optional: e.g. your rommel-username, your WLAN-name or the name of your stuffed animal (but don't use special characters)
• After that press Save & Apply

14. ### Remember the WAN Interface

• Look for the interface with the name WAN (or WAN6)
• Remember the name of the interface. Quite often it is eth0, eth1 or eth0.1
• in the picture it is eth1

16. ### 802.1X configuration

• Interface is the name of the WAN interface from the "Remember the WAN Interface" section (e.g. eth1)
• EAP-Method is TTLS
• Authentication is PAP
• If no CA certificate is set, the router cannot check which server it is logging in to, so you should never use the router anywhere else, otherwise your login is no longer secret! It's safer if you use this one here (right-click and "Save as..."). If you run into problems you can also skip installing the certificate.
• Identity is your Rommel-username (just like for the website)
• Password is your Rommel-password (just like for the website)
• after that press Save & Apply

19. ### WLAN Settings

• For Transmit Power, 0 dBm is normally enough (the higher the setting, the more you jam your neighbor's network and the more power your device uses).
• ESSID is the name of the network (creative names only ;)). Using the name of an already existing network in our dormitory is forbidden.
• Continue with Wireless Security
20. ### Wireless Security settings

• Encryption is WPA2PSK. Using no or other encryption methods will lead to the termination of your internet access and possible legal prosecution!
• Key is the password you would like for your WLAN (what you have to enter to connect to your router from e.g. your laptop or mobile phone). It must have a length of at least 8 characters and must not be guessable by others. If your password is insecure you might soon have unbidden guests using your internet access!
• Continue with Advanced Settings (above, marking is missing)

WLAN networks have to be encrypted using WPA2PSK. Using no or other encryption methods will lead to the termination of your internet access and possible legal prosecution!

A weak password is no password! You have to ensure that the password of your choosing is secure, otherwise you will face prosecution in case someone abuses your internet access!

21. ### Advanced WLAN settings

• Region is DE - Germany. Other wireless settings are illegal to use and will lead to prosecution from the radio authority (Funkaufsichtsbehörde)!
• Afterwards press Save & Apply

The WLAN settings have to be compliant with the regulations from the Bundesnetzagentur!

Even though no screenshot is available, it is of utmost importance that the region is set to DE - Germany.

22. ### Activate WLAN

• (after Save & Apply) click on Enable
23. ### Set router password

• click on Go to password configuration
• set a password of your choosing (input twice, will be needed for later configuration of the router)
• Afterwards click on Save & Apply
24. ### Try it out

• now you can connect your devices to your router
• Search for the WLAN name that you put in as ESSID. The password is the WPA2PSK Key
• Visit sites like:
• If everything works you've earned yourself a medal! Perhaps you would like to join our network-team? ;)

### Something doesn't work?

Before contacting us, try the following:

• Most problems arise because the router's local time is misconfigured. Make sure that everything is set up as detailed in the step “General settings and time”. Connect the router to your network outlet and restart it. After restarting, make sure that the time under Status > System > Local Time is correct.
• Make sure that you used the correct login credentials under “802.1X Config”. The best way to test your credentials is to try logging in to our website.
• It might take a long time for the router to authenticate itself. Let the router run for at least 2 hours.
• If your router has worked but doesn’t work anymore, follow the installation guide again.

### Details for Experts (AKA manual guide)

Most of the (cheap) routers don’t support 802.1X authentication.
Therefore installing OpenWRT, a free OS for routers with support for some Linux programs like wpad, is required to use 802.1X wired authentication. If you happen to have a router that supports 802.1X by default, you can skip the process.

You don’t necessarily have to use one of our images; you are free to compile your own or use an official image and perform the necessary changes yourself.

The reason why we compile images is that most routers only have about 4MB of flash memory, which certainly does not fit all available modules.

A few annotations to help configure your image:

• the firmware has to be based on 2.6, otherwise 802.1X will not work
• you have to activate DHCP (already the default setting)
• you do not need the web interface called LuCI; you can use ssh/telnet for the following commands

#### Let’s start:

• opkg remove wpad-mini
• opkg install wpad, or download the package manually at https://downloads.openwrt.org/releases/ (choose version, packages and architecture), copy it to the router via scp to /tmp/ and install it with opkg install /tmp/wpad...
• opkg install ntpclient or … (see previous step)
alternatively any other program for time synchronisation, as the time is needed to verify the TLS certificate
• paste the following to /etc/config/wpa_supplicant.conf:

```
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
# Wired interface: nothing to scan for
ap_scan=0
fast_reauth=1
network={
    key_mgmt=IEEE8021X
    eap=TTLS
    # Your Rommel username and password (placeholders, replace both)
    identity="YOUR_ROMMEL_USERNAME"
    password="YOUR_ROMMEL_PASSWORD"
    # CA used to verify the authentication server before the password is sent
    ca_cert="/etc/config/lets-encrypt-x3-cross-signed.pem"
    phase2="auth=PAP"
    priority=10
}
```

• download lets-encrypt-x3-cross-signed.pem from https://letsencrypt.org/certificates/ and copy it to /etc/config/lets-encrypt-x3-cross-signed.pem
• run uci get network.wan.ifname and paste the output to the location mentioned in the next step
• paste the following to /etc/init.d/rommelinternet (init script):

```
#!/bin/sh /etc/rc.common

START=10
STOP=15

# Replace eth1 with the output of "uci get network.wan.ifname"
WAN_IF="eth1"

start() {
    # Set the clock first: the TLS certificate check fails with a wrong date
    ntpclient -d -s -h ntp0.rommelwood.de
    wpa_supplicant -i "$WAN_IF" -D wired -c /etc/config/wpa_supplicant.conf -B -dd -t
}

stop() {
    killall wpa_supplicant
}
```

• chmod +x /etc/init.d/rommelinternet
• start WPA supplicant: /etc/init.d/rommelinternet start
• run on system startup: /etc/init.d/rommelinternet enable
• restart the WAN interface so that the router authenticates itself and gets a new IP: ifdown wan and ifup wan
• for the authentication part there is a graphical tool for LuCI: Openwrt 8021x gui
• Profit.
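An added example (not the network team's own script) that checks /etc/config/wpa_supplicant.conf from the list above before the supplicant is started: it flags missing credentials, a missing or unusable `ca_cert`, a config file readable by others, and a clock that was never set. The function names and the year floor of 2018 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint a wired 802.1X wpa_supplicant.conf (TTLS/PAP).

# conf_value FILE KEY: value of the first "KEY=value" line, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed 's/^"//; s/"$//'
}

# lint_supplicant_conf FILE: one finding per line; returns 0 only if there are none.
lint_supplicant_conf() {
    conf=$1; findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    [ "$(conf_value "$conf" key_mgmt)" = "IEEE8021X" ] || note "key_mgmt is not IEEE8021X"
    [ "$(conf_value "$conf" eap)" = "TTLS" ] || note "eap is not TTLS"
    [ -n "$(conf_value "$conf" identity)" ] || note "identity is missing"
    [ -n "$(conf_value "$conf" password)" ] || note "password is missing"

    # Without ca_cert the supplicant accepts any server certificate, so the PAP
    # password inside the TTLS tunnel goes to whoever answers on the WAN port.
    ca=$(conf_value "$conf" ca_cert)
    if [ -z "$ca" ]; then
        note "ca_cert is not set: the server is not verified"
    elif [ ! -s "$ca" ]; then
        note "ca_cert file $ca is missing or empty"
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        note "ca_cert file $ca is not a PEM certificate"
    fi

    # The file holds the account password in clear text: owner access only.
    case $(ls -ld "$conf" | cut -c5-10) in
        ------) ;;
        *) note "config is accessible to group/others: chmod 600 $conf" ;;
    esac

    # A router without a battery-backed clock boots with an old date, and
    # certificate validation then fails. 2018 is an assumed floor.
    [ "$(date +%Y)" -ge 2018 ] || note "system clock is not set: sync time first"

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh lint_supplicant.sh /etc/config/wpa_supplicant.conf
if [ "$#" -eq 1 ]; then lint_supplicant_conf "$1"; fi
```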

If you want to build an image yourself, you can download the config.seed from our website.