404 Tech Support

Configuring advanced functionality in the Ubiquiti EdgeRouter Lite

At the beginning of the month, I received my Ubiquiti EdgeRouter Lite. It's a powerful router built on Vyatta Core but lacks an easy-to-use user interface for the advanced functionality. The price point brings it into the consumer market, but having to use the SSH command line for anything beyond the basics makes it a niche product.

My first weekend learning about the EdgeRouter Lite and getting it configured for my home use, I stuck to the basics. I had one port configured for WAN as a DHCP client and another port configured for LAN with a DHCP server. It was certainly quite functional. It worked reliably but I wasn’t done with my wishlist of how I wanted it to operate. I wanted to rearrange the ports so that eth0 was WAN, eth1 was LAN, eth2 was WLAN with eth1 and eth2 being bridged. I also wanted to be able to send a wake-on-LAN magic packet to my computer to wake it up and then I wanted to be able to access the files from my NAS and remote desktop into my computer.

Ports

In version 1.3.0 of the ERL firmware, they introduced a wizard that makes setting up a typical SOHO network very easy. It configured the DHCP server and set eth0 to LAN1, eth1 to WAN, and eth2 to LAN2. I started with the configuration that the wizard created. I then exported the configuration as a backup so I could revert to something that worked. I extracted the config.boot file from the configuration backup and modified it to swap the interfaces around to my preference. I gave the bridge the subnet address settings and assigned eth1 and eth2 to the bridge. Once the config matched my minor change, I copied it back into the exported backup and reimported the configuration. I rebooted the router, rearranged the cables to match, and everything worked.

[bash]interfaces {
    bridge br0 {
        address 192.168.1.1/24
        aging 300
        hello-time 2
        max-age 20
        priority 0
        stp false
    }
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        bridge-group {
            bridge br0
        }
        description WLAN
        duplex auto
        speed auto
    }
    loopback lo {
    }
}[/bash]

VPN

In version 1.4.0 of the ERL firmware, they introduced new feature wizards, and one of them makes setting up port forwarding very easy. I could have forwarded the port for Remote Desktop and called it a day, but that would not have been very secure. Instead I took advantage of the ERL's ability to act as a VPN server. I created a PPTP VPN, then factory reset the router and created an L2TP VPN. The real trick to figuring out the VPN was dealing with the fact that I get a dynamic IP address from my ISP, so it may change. The instructions on the Ubiquiti wiki have a command where you set the outside address to a fixed IP. Instead, through the Vyatta documentation, I found another command that ties the VPN to the interface rather than to an address, so it follows whatever address the DHCP client obtains: set vpn pptp remote-access dhcp-interface eth0

PPTP

Upon SSHing into the router, enter configure and then these lines to configure the PPTP server. The client pool uses an IP range outside what the LAN DHCP server hands out. Two cautions before you commit: replace the sample username and password (and, for L2TP below, the pre-shared secret) with strong values, because they are written into the configuration and travel with every backup you export; and treat PPTP as a convenience rather than real protection, since its MS-CHAPv2 authentication has long been broken, which is a good reason to prefer the L2TP/IPsec setup below wherever your clients support it.

[bash]configure
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username wizard password toto
set vpn pptp remote-access client-ip-pool start 192.168.1.240
set vpn pptp remote-access client-ip-pool stop 192.168.1.250
set vpn pptp remote-access dhcp-interface eth0

#(optional) MTU and the DNS servers pushed to clients (Google's are 8.8.8.8 and 8.8.4.4)
set vpn pptp remote-access mtu 1024
set vpn pptp remote-access dns-servers server-1 8.8.8.8
set vpn pptp remote-access dns-servers server-2 8.8.4.4

commit
save
exit[/bash]

You will then need to add firewall exceptions that allow TCP traffic to destination port 1723 and GRE (protocol 47) traffic. Because the VPN terminates on the router itself, these rules belong in the ruleset attached to eth0 as local (WAN_LOCAL in the configuration above), not in the in ruleset that governs forwarded traffic.

L2TP

Alternatively, you can use L2TP over IPsec. I found this only worked if you used 0.0.0.0/0 as the allowed subnets (all subnets); it would balk if you tried to specify a subnet.

[bash]configure
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username wizard password toto
set vpn l2tp remote-access client-ip-pool start 192.168.2.10
set vpn l2tp remote-access client-ip-pool stop 192.168.2.20
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 5ecre7
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access dhcp-interface eth0

#(optional)
set vpn l2tp remote-access mtu 1024

commit
save
exit[/bash]

L2TP over IPsec requires four exceptions in the same local ruleset, all for traffic destined to the router:

IKE – UDP port 500
L2TP – UDP port 1701
ESP – protocol 50
NAT-T – UDP port 4500 (needed whenever a client sits behind NAT, which is the normal case for a phone on a carrier or hotel network)
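The firewall exceptions for both VPN types, written out as EdgeOS set commands. This is an added example, not the post's own commands or Ubiquiti's: it targets WAN_LOCAL because that is the ruleset the interfaces configuration above attaches to eth0 as firewall local, and the rule numbers, descriptions and script name are assumptions. Without arguments it only prints the commands for review; with apply it pushes them through Vyatta's vyatta-cfg-cmd-wrapper, the scriptable equivalent of configure, set, commit, save and exit, which has to run as a user in the router's admin group just like the interactive CLI. Rule 150 accepts UDP 1701 only when the packet arrived inside IPsec (ipsec match-ipsec), so the bare L2TP port stays closed to the Internet.

```shell
#!/bin/sh
# Added example (not from the original post): firewall exceptions for the
# PPTP and L2TP/IPsec servers on the router's own "local" ruleset.
# Rule numbers 100-150 and the descriptions are assumptions; pick numbers
# that are free in your ruleset and lower than any catch-all drop rule.

# PPTP: the TCP 1723 control channel plus GRE for the tunnel itself.
pptp_rules() {
  rs=$1
  cat <<EOF
set firewall name $rs rule 100 action accept
set firewall name $rs rule 100 description pptp-control
set firewall name $rs rule 100 protocol tcp
set firewall name $rs rule 100 destination port 1723
set firewall name $rs rule 110 action accept
set firewall name $rs rule 110 description pptp-gre
set firewall name $rs rule 110 protocol gre
EOF
}

# L2TP/IPsec: IKE, NAT-T, ESP, and L2TP itself. "ipsec match-ipsec" on
# rule 150 means UDP 1701 is only accepted when it was carried inside the
# IPsec tunnel, never as plain UDP from the Internet.
l2tp_rules() {
  rs=$1
  cat <<EOF
set firewall name $rs rule 120 action accept
set firewall name $rs rule 120 description ike
set firewall name $rs rule 120 protocol udp
set firewall name $rs rule 120 destination port 500
set firewall name $rs rule 130 action accept
set firewall name $rs rule 130 description nat-t
set firewall name $rs rule 130 protocol udp
set firewall name $rs rule 130 destination port 4500
set firewall name $rs rule 140 action accept
set firewall name $rs rule 140 description esp
set firewall name $rs rule 140 protocol esp
set firewall name $rs rule 150 action accept
set firewall name $rs rule 150 description l2tp
set firewall name $rs rule 150 protocol udp
set firewall name $rs rule 150 destination port 1701
set firewall name $rs rule 150 ipsec match-ipsec
EOF
}

# Push "set ..." lines from stdin through Vyatta's scripting wrapper, the
# non-interactive form of configure / set / commit / save / exit.
apply_rules() {
  w=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
  "$w" begin || return 1
  while read -r line; do
    # $line is left unquoted on purpose: each word is one config path element.
    "$w" $line || { "$w" end; return 1; }
  done
  if "$w" commit; then "$w" save; rc=$?; else rc=1; fi
  "$w" end
  return $rc
}

# Usage on the router:  sh vpn-fw.sh         (review the commands)
#                       sh vpn-fw.sh apply   (commit and save them)
ruleset=WAN_LOCAL
if [ "${1:-}" = apply ]; then
  { pptp_rules "$ruleset"; l2tp_rules "$ruleset"; } | apply_rules
else
  pptp_rules "$ruleset"
  l2tp_rules "$ruleset"
fi
```

If you only run one of the two VPN types, apply only the matching function; every accepted port is attack surface on the router itself, and PPTP's ports in particular have no business being open once you have moved to L2TP/IPsec.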

For Android, I found the app VPN Show provided a simple shortcut to get to the built-in VPN settings faster and start the connection.

Wake-On-Lan

Now that I had VPN configured on the router, I could connect to it no matter where I was. I set up the L2TP VPN under my Android network settings. Once connected, I can SSH into the router using the app JuiceSSH. From there I wanted to be able to send a magic packet from the router to the LAN to wake up my computer. To do this, I had to install the wakeonlan package on the router.

SSH into the router and add a repository, then run the commands necessary to install the wakeonlan package. The repositories below are Debian squeeze, the release the 1.x firmware of the time was built on; squeeze has long been end-of-life and its packages have moved to archive.debian.org, so adjust the URLs if you try this today and do not expect security updates from them. Packages installed with apt-get live in the firmware's root filesystem and are lost on a firmware upgrade, so keep these steps handy.

[bash]configure
set system package repository squeeze components 'main contrib non-free'
set system package repository squeeze distribution squeeze
set system package repository squeeze url http://http.us.debian.org/debian

set system package repository squeeze-security components main
set system package repository squeeze-security distribution squeeze/updates
set system package repository squeeze-security url http://security.debian.org
commit
save
exit

sudo apt-get update

sudo apt-get install wakeonlan[/bash]

Now, to wake up my computer: I connect to the router's VPN, SSH into the router using its private IP address, and send this command, replacing the address at the end with the MAC address of my computer's LAN interface. 192.168.1.255 is the broadcast address of the 192.168.1.0/24 bridge, so the packet reaches every port on the LAN side, which is why it is sent from the router rather than from the phone: a broadcast does not cross the VPN. I saved this command to a memo on my phone and just copy and paste it into the SSH terminal to send the WOL magic packet.

[bash]sudo wakeonlan -i 192.168.1.255 dw:3f:3e:4c:a7:c2[/bash]
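The wakeonlan package does nothing more than build a magic packet and broadcast it. The script below is an added example, not code from the post or from the wakeonlan project: it builds the same packet in plain POSIX shell so you can see exactly what goes on the wire, validates the MAC first (a typo such as a non-hex character is rejected instead of silently producing a packet nothing will answer), and can send it from any host on the LAN. The MAC, the broadcast address and the OpenBSD-style nc it sends with (the one whose -b flag permits broadcast) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build and send a Wake-on-LAN
# magic packet without the wakeonlan package. Addresses are placeholders.

# Reduce "aa:bb:cc:dd:ee:ff", "AA-BB-CC-DD-EE-FF" or "aabbccddeeff" to twelve
# lowercase hex digits; fail on anything else.
normalize_mac() {
  m=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
  case $m in
    ????????????) ;;            # exactly twelve characters
    *) return 1 ;;
  esac
  case $m in
    *[!0-9a-f]*) return 1 ;;    # something that is not a hex digit
  esac
  printf '%s' "$m"
}

# Emit one raw byte from two hex digits; the octal escape keeps this POSIX.
put_byte() {
  printf "\\$(printf '%03o' "0x$1")"
}

# The magic packet: 6 bytes of 0xFF, then the 6-byte MAC repeated 16 times,
# 102 bytes in all. The NIC matches this pattern anywhere in the frame, which
# is why it can simply be the payload of a UDP datagram.
magic_packet() {
  mac=$(normalize_mac "$1") || return 1
  i=0
  while [ "$i" -lt 6 ]; do put_byte ff; i=$((i + 1)); done
  i=0
  while [ "$i" -lt 16 ]; do
    j=1
    while [ "$j" -lt 12 ]; do
      put_byte "$(printf '%s' "$mac" | cut -c"$j"-"$((j + 1))")"
      j=$((j + 2))
    done
    i=$((i + 1))
  done
}

# Hex rendering of the packet, for inspection without sending anything.
magic_packet_hex() {
  magic_packet "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Send to the LAN's directed broadcast (192.168.1.255 for the 192.168.1.0/24
# bridge in the post) on UDP port 9. Run it on a host that is on that LAN or
# on the router itself; a broadcast is not routed across the VPN. Assumes the
# OpenBSD flavour of nc, where -b allows broadcast.
send_wol() {
  magic_packet "$1" | nc -u -b -w1 "${2:-192.168.1.255}" 9
}

# Usage: sh wol.sh 00:11:22:aa:bb:cc [broadcast-address]
if [ -n "${1:-}" ]; then
  send_wol "$1" "${2:-}"
fi
```

Check a MAC with magic_packet_hex before committing it to the memo: the output must be twelve f's followed by the twelve hex digits of the MAC sixteen times, and a malformed address yields nothing at all.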

Dynamic DNS

At this point, I was able to VPN to the router using the IP address I had received from my ISP. Since that could change, I wanted a dynamic DNS service to keep an easy-to-remember hostname pointed at my current address. The Dynamic DNS wiki entry is out of date: with the 1.3.0 firmware, afraid.org (freedns) support was added. It is free and I was already using it.

[bash]configure
set service dns dynamic interface eth0 service freedns host-name <host>
set service dns dynamic interface eth0 service freedns login <username>
set service dns dynamic interface eth0 service freedns password <password>
commit
save
exit[/bash]

After running through that, the dynamic DNS client keeps the hostname pointed at my home IP address. You can confirm when the last update went through from operational mode with show dns dynamic status.

Conclusions

With everything in place, I feel like I now have a pretty good setup. I can VPN to the dynamic DNS hostname I have set up. Once that VPN is connected, I can remote desktop into my computer using the Remote Desktop app for Android from Microsoft. If my computer is asleep or powered off, I can send a wake-on-LAN command to boot it up. I can also access the files on my NAS using the ES File Explorer file manager app. At the same time, my WAN is on eth0 (which seems more intuitive to me), my LAN is on eth1, and my WLAN is on eth2.