Setting up an R1510-4L 3G router in Australia
The setup is an R1510-4L router with a Telstra SIM card and Jasper web control. The goal is to set up the router on 3G and configure data allowances, etc.
Connect to it locally
- Plug into a computer and log in to 192.168.0.1. If you have another network gateway at this address and want to prioritise one (or if you later log in to the router via WiFi and want to do the same) then prioritise your network adaptors (sorry about the awful ads)
- If you change the DHCP settings, don’t forget (like me) to change the DHCP pool address too!
- Set up the WiFi (straightforward) and now you can WiFi to it.
Get the WWAN (Cellular / 4G) connected
- In theory the SIM should just connect and on Jasper you see “activated”; it can take a while.
- In practice I needed to change the APN in Interface>WWAN1 from Auto to “telstra.internet”
- System>Debug is good to watch to see it trying to activate.
- Interface>WWAN1 has an upload rate and data allowance setting
Security
- Turn off everything not required (e.g. ssh, telnet) and
- Using a VPN, ‘local’ appears to apply to the VPN (?)
- Telnet appears open and working AFTER disabling! A firmware upgrade and reboot did not fix this.
- Consider WiFi Access Control Lists
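Because the post found telnet still answering after it was disabled in the UI, the practical check is to probe the router's own management ports from the LAN and again from a VPN peer (the post notes that “local” seems to include the VPN). This is an added example, not something from the post or from Robustel; the port numbers are the standard ones and the router address is the 192.168.0.1 from the post.

```python
import socket

# Router address from the post; the service ports are the standard ones (assumed).
ROUTER_IP = "192.168.0.1"
CHECKS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}


def port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes.

    False on refusal, timeout or any other socket error (no route, DNS, ...),
    so a result of False means 'not reachable from here', not 'proven closed'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, checks, expected_off, timeout=2.0):
    """Return the names in expected_off whose port still accepts connections."""
    still_open = []
    for name, port in checks.items():
        if name in expected_off and port_open(host, port, timeout):
            still_open.append(name)
    return still_open


if __name__ == "__main__":
    # Services the post says were switched off; anything listed here is a leftover.
    leftovers = audit(ROUTER_IP, CHECKS, expected_off={"telnet", "ssh"})
    for name in leftovers:
        print(f"{name} still answers on {ROUTER_IP}:{CHECKS[name]} after being disabled")
    if not leftovers:
        print("telnet and ssh do not accept connections")
```

Run it once from a LAN/WiFi client and once from a machine on the VPN; if telnet is listed both times, the UI toggle is not actually closing the listener and the WiFi ACLs and VPN firewall rules are the only things standing in front of it.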
VPN (Open VPN)
We want the router to act as a client to a VPN server and hence be visible on the VPN. It was hard to get going.
On the router
Here are the files we need to update in the X509 tab.
- Root CA: ca.crt
- This is the Certification Authority (Public) Certificate, stored on my CA machine at pki/ca.crt
- Certificate File: client01.crt
- Client’s (i.e. router’s) (public) certificate
- Extract from client01.ovpn (created by ovpn). Starts with X509 “Certificate:” header, then has “-----BEGIN CERTIFICATE-----” <cert> and ends “-----END CERTIFICATE-----“.
- Maybe can automate extraction
- Private key: client01.key (SECRET!)
- Client’s (i.e. router’s) (private) key
- Extract from client01.ovpn (created by ovpn). Starts “-----BEGIN PRIVATE KEY-----“
- TLS-Auth: ta.key
- Available from CA machine.
- Contains “-----BEGIN OpenVPN Static key V1-----“
- PKCS#12 Certificate: client01.p12 - It’s not required
- Dunno what this does. Googled it.
- If required: goto the folder with all cert files and run:
openssl pkcs12 -export -in client01.crt -inkey client01.key -certfile ca.crt -name client01 -out client01.p12
- It’s a binary file
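The “maybe can automate extraction” note above is easy to act on: an inline .ovpn profile carries each file between `<ca>`, `<cert>`, `<key>` and `<tls-auth>` tags, and the cert section often starts with the human-readable “Certificate:” text dump before the PEM block, which the router's X509 tab does not want. The script below is an added example (not from the post or from Robustel) that keeps only the PEM part of each section and writes the four files named in the post; the sample profile is constructed with fake PEM bodies, not real keys.

```python
import re
from pathlib import Path

# Constructed sample inline profile; the PEM bodies are placeholders, not real key material.
SAMPLE_OVPN = """client
dev tun
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=client01
-----BEGIN CERTIFICATE-----
Y2xpZW50MDFjZXJ0Ym9keQ==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Y2xpZW50MDFrZXlib2R5
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Router X509 tab field -> (inline tag in the .ovpn, file name used in the post)
SECTIONS = {
    "Root CA": ("ca", "ca.crt"),
    "Certificate File": ("cert", "client01.crt"),
    "Private key": ("key", "client01.key"),
    "TLS-Auth": ("tls-auth", "ta.key"),
}

# One PEM block: BEGIN line through the matching END line (non-greedy, multi-line).
PEM_BLOCK = re.compile(r"-----BEGIN [^-]+-----.*?-----END [^-]+-----", re.S)


def extract_pem(profile: str, tag: str) -> str:
    """Return the PEM block inside <tag>...</tag>, dropping any text header before it."""
    section = re.search(rf"<{tag}>(.*?)</{tag}>", profile, re.S)
    if not section:
        raise ValueError(f"no <{tag}> section in profile")
    pem = PEM_BLOCK.search(section.group(1))
    if not pem:
        raise ValueError(f"<{tag}> section has no PEM block")
    return pem.group(0) + "\n"


def split_profile(profile: str) -> dict:
    """Map output file name -> PEM text for the four files the router's X509 tab needs."""
    return {fname: extract_pem(profile, tag) for tag, fname in SECTIONS.values()}


def write_files(profile: str, outdir: Path) -> list:
    """Write the four files; the private key and ta.key are created owner-read-only."""
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for fname, pem in split_profile(profile).items():
        path = outdir / fname
        path.write_text(pem)
        if fname.endswith(".key"):          # client01.key and ta.key are secrets
            path.chmod(0o600)
        written.append(path)
    return written


if __name__ == "__main__":
    for p in write_files(SAMPLE_OVPN, Path("router_certs")):
        print("wrote", p)
```

To use it on the real profile, replace `SAMPLE_OVPN` with `Path("client01.ovpn").read_text()`; the output files are what you upload in the X509 tab, and the two `.key` files are the ones to treat as secrets.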
Here are my client settings (not shown are defaults) in the OpenVPN tab:
- Mode: Client
- Auth Type: X509CA
- Encrypt: AES-256
- Auth Algo: SHA256
- Compression: OFF (1)
- Enable NAT: OFF
- Enable DNS O/R: OFF
- HMAC Firewall: ON (2)
- PKCS12: OFF
The ones marked (1) and (2) are not that obvious.
If you get errors start by looking at the “Certificate Files” (should be 4: ta.key, client.key, client.crt, ca.crt) and then check System>Debug.
- (1) ensure compression is also off at the server. Symptom was “unknown IP version=15” in the openvpn server log, indicating compression problems. Also not contactable even if connected.
- (2) symptom was “HMAC” errors in the openvpn server log
On the OpenVPN Server
Here are my server settings of import:
# This creates the HMAC firewall. I don't know what that is. But it works.
tls-auth ta.key 0
# I figure as long as server=client, we're good
cipher AES-256-CBC
auth SHA256
# I turn OFF compression to allow robustel routers to connect
# I think they run old VPN clients that don't understand it.
# My new clients can dynamically change (via the 'push') to match the server.
# At least, that's my guess...
# Note semi-colon is a comment (hence "off")
;compress lz4-v2
;push "compress lz4-v2"
# Old compression (non-push) also off.
;comp-lzo
- tls-auth ta.key 0 # This file is secret; this creates the HMAC firewall. I don’t know what this does.
- cipher AES-256-CBC
- auth SHA256
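The two footnotes above (compression and HMAC errors) both come down to the router and the server disagreeing on a directive, and the `;` comment convention makes it easy to misread what is actually active. The check below is an added example, not part of the post or of OpenVPN: it parses the server config the way OpenVPN treats leading `#`/`;` comments, derives the effective cipher/auth/compression/tls-auth state, and compares it with the router's OpenVPN tab values from the post. The mapping from the router's “Encrypt: AES-256” label to the `AES-256-CBC` cipher name is an assumption taken from the post's own pairing.

```python
# Constructed copy of the server-side directives shown in the post (comments trimmed).
SERVER_CONF = """\
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
"""

# Router OpenVPN tab values as listed in the post.
ROUTER = {"Encrypt": "AES-256", "Auth Algo": "SHA256",
          "Compression": "OFF", "HMAC Firewall": "ON"}

# Assumed: the router's "AES-256" label corresponds to the server's AES-256-CBC.
ENCRYPT_TO_CIPHER = {"AES-256": "AES-256-CBC"}


def parse_conf(text):
    """Return the active (directive, args) pairs.

    A line whose first non-blank character is '#' or ';' is a comment, which is
    why the ';compress' and ';comp-lzo' lines in the post are inactive.
    """
    active = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        active.append((name, args.strip()))
    return active


def server_view(directives):
    """Collapse the directives into the four things the router settings care about."""
    view = {"cipher": None, "auth": None, "tls_auth": False, "compression": "OFF"}
    for name, args in directives:
        if name == "cipher":
            view["cipher"] = args
        elif name == "auth":
            view["auth"] = args
        elif name == "tls-auth":
            view["tls_auth"] = True
        elif name in ("compress", "comp-lzo"):
            view["compression"] = "ON"
        elif name == "push" and ("compress" in args or "comp-lzo" in args):
            view["compression"] = "ON"      # pushed to clients, so they must understand it
    return view


def mismatches(server, router):
    """Human-readable list of disagreements; empty means the two sides line up."""
    issues = []
    if server["cipher"] != ENCRYPT_TO_CIPHER.get(router["Encrypt"]):
        issues.append(f"cipher: server {server['cipher']} vs router {router['Encrypt']}")
    if server["auth"] != router["Auth Algo"]:
        issues.append(f"auth: server {server['auth']} vs router {router['Auth Algo']}")
    if server["compression"] != router["Compression"]:
        issues.append(f"compression: server {server['compression']} vs router "
                      f"{router['Compression']} (expect 'unknown IP version' errors)")
    if server["tls_auth"] != (router["HMAC Firewall"] == "ON"):
        issues.append("tls-auth: only one side has it (expect HMAC errors)")
    return issues


def check(conf_text, router=ROUTER):
    return mismatches(server_view(parse_conf(conf_text)), router)


if __name__ == "__main__":
    for issue in check(SERVER_CONF) or ["server and router settings agree"]:
        print(issue)
```

Uncommenting `compress lz4-v2` on the server (or leaving `push "compress lz4-v2"` active) is exactly the case the post hit, and the checker reports it as a compression mismatch before you go hunting in System>Debug.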
Routing
Once on the VPN, we want to be able to access devices ‘behind’ the router. That is, devices on its WiFi subnet (192.168.0.*). For this application, it’s an IoT device on port 80.
Firstly, we can access the Robustel device’s web server on port 80 via the VPN (e.g. 10.8.0.23). That’s good.
Let’s RTFM here. We can make a static route, but it needs an IP (not hostname). How to set a static IP? On p41 of the manual it says set Interface>Lan>Edit>DHCP Advanced>Static Leases. I set my IoT device to 192.168.0.2 and it works ok.
One option is “Static Route” but I’m unsure how to configure it. Let’s try Network>Firewall>Port Mapping. I set all incoming (null) on port 81 to 192.168.0.2:80. And now we can browse to (e.g.) http://10.8.0.23:81 to see our IoT device.
Reducing idle data
- A resting router with an active openvpn seems to use a lot of data (5 Mb/hour = 100 Mb/day!)
- I increased ping and openvpn keep alive (60 ping : 600 failed)
- New test with computer disconnected and openvpn running
- RX:8224KiB TX:15511KiB ALL:23MiB @ 21:55
- RX:8489KiB TX:15762KiB ALL:23MiB @ 12:00 next day
- Hence 516kB/hour or ~1Mb/day or 26Mb/month
- More testing / reduction required
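Turning the two counter readings above into a monthly projection is the check worth repeating after each keepalive change. The snippet below is an added example, not from the post: it parses counter lines in the shape the post reports (the sample lines are constructed from the post's values), takes the 516 KiB difference over the 14h05m window, and scales it to a day and a 30-day month so it can be compared with whatever allowance is set under Interface>WWAN1 (the allowance value is a placeholder argument here, not a figure from the post).

```python
import re
from datetime import datetime, timedelta

# Constructed from the two readings in the post (idle router, OpenVPN up, PC disconnected).
SAMPLES = [
    "RX:8224KiB TX:15511KiB ALL:23MiB @ 21:55",
    "RX:8489KiB TX:15762KiB ALL:23MiB @ 12:00 next day",
]

LINE = re.compile(r"RX:(\d+)KiB TX:(\d+)KiB .*@ (\d\d):(\d\d)( next day)?")


def parse_sample(line, base=datetime(2000, 1, 1)):
    """Return (rx+tx in KiB, timestamp). 'next day' bumps the date by one."""
    m = LINE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unrecognised counter line: {line!r}")
    rx, tx, hh, mm, next_day = m.groups()
    when = base.replace(hour=int(hh), minute=int(mm))
    if next_day:
        when += timedelta(days=1)
    return int(rx) + int(tx), when


def idle_rate_kib_per_hour(samples):
    """Average KiB/hour between the first and last reading."""
    (b0, t0), (b1, t1) = parse_sample(samples[0]), parse_sample(samples[-1])
    hours = (t1 - t0).total_seconds() / 3600
    if hours <= 0 or b1 < b0:
        raise ValueError("readings must be in order and the counters must not reset")
    return (b1 - b0) / hours


def projection(samples, allowance_mib):
    """Scale the measured idle rate to a day and a 30-day month."""
    per_hour = idle_rate_kib_per_hour(samples)
    per_day = per_hour * 24
    per_month_mib = per_day * 30 / 1024
    return {
        "kib_per_hour": per_hour,
        "kib_per_day": per_day,
        "mib_per_month": per_month_mib,
        "share_of_allowance": per_month_mib / allowance_mib,
    }


if __name__ == "__main__":
    # Placeholder allowance; substitute the value configured in Interface>WWAN1.
    r = projection(SAMPLES, allowance_mib=1024)
    print(f"{r['kib_per_hour']:.1f} KiB/h, {r['kib_per_day']:.0f} KiB/day, "
          f"{r['mib_per_month']:.1f} MiB/month "
          f"({r['share_of_allowance']:.0%} of the allowance)")
```

The daily and monthly figures come out at roughly 0.9 MiB/day and 26 MiB/month, matching the post's ~1 Mb/day and 26 Mb/month; take readings over a longer window than one night before trusting the number, since a single OpenVPN renegotiation can skew a short sample.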