Linksys WRT1900ACS v2 is a great router. Apart from its great specs it has a very nice design in my opinion. But it’s really undermined by its stock firmware. It comes equipped with a Marvell Armada 1.6GHz dual-core embedded CPU, 512MB RAM, and great wireless networking capabilities. But these capabilities are barely utilized by the stock firmware. To unlock the potential of this router I decided to use DD-WRT. I have been using DD-WRT for many years now on many different routers and I believe it’s a great option.

Installing DD-WRT on Linksys WRT1900ACS v2

You can install either the recommended firmware from the DD-WRT Router Database or the latest beta from the ftp area. Of course using the beta has its pros and cons: you get the latest and greatest, but you may also encounter problems. You can always check for issues and solutions in the DD-WRT forum, and more specifically in the Marvell MVEBU based Hardware forum.

Alternative 1: Install the recommended firmware

  1. Navigate to the DD-WRT website and go to the Router Database.
  2. Type in your model number, in our case it’s WRT1900ACS v2 and select the supported version.
  3. Download the factory-to-ddwrt.bin file.
  4. Navigate to the Linksys administration UI (http://192.168.1.1) and perform a firmware upgrade using the new downloaded firmware.

Alternative 2: Install the latest beta firmware

  1. Navigate to the DD-WRT ftp beta area and navigate to the current year and latest release, e.g. /2017/11-16-2017-r33772/.
  2. Navigate to your model number, which in our case is linksys-wrt1900acsv2.
  3. Proceed as in Alternative 1, step 3.

Initial configuration of DD-WRT

Once the firmware is installed, you can connect to the router using the default SSID “dd-wrt” which by default is not secured. Navigate to http://192.168.1.1 and when prompted change the default username and password.

After install you will want to activate SSH connectivity to the router.

Navigate to Services–>Services

Secure Shell – SSHd: Enable
You can leave the rest of Secure Shell settings to default

Click Apply Settings

Navigate to Administration–>Management
Remote Access – SSH Management: Enable

Click Apply Settings

Establish an SSH connection to your router and test that it is working (the SSH user in DD-WRT is always root and the password is the router password you defined when you first accessed the router).

WAN Setup

My cable router/modem has DHCP enabled and uses the IP address 192.168.0.1. For my setup I want both the cable router/modem and my WRT1900ACS to act as DHCP servers, so I will use a different subnet for the WRT1900ACS (192.168.1.x).

Navigate to Setup–>Basic Setup

WAN Connection Type: Automatic Configuration-DHCP
Optional Settings: Use your preferred settings here, but I recommend disabling the Shortcut Forwarding Engine because it causes a few issues.
Network Setup – Router IP: 192.168.1.1 (This is the LAN IP your WRT1900ACS will use)
Network Setup – Subnet Mask: 255.255.255.0
Network Setup – Gateway: 0.0.0.0
Network Setup – Local DNS: 0.0.0.0
DHCP – DHCP Type: DHCP Server
DHCP – DHCP Server: Enable
DHCP – Start IP Address: 192.168.1.100 (depends on the number of IPs you want to serve)
DHCP – Static DNS x: 0.0.0.0 (with this setting your ISP’s DNS servers will be used; otherwise specify the ones you prefer)

You can leave the rest of the DHCP options as they are. It would be good at this point to also configure NTP.

Time Settings – NTP Client: Enable
Time Settings – Time Zone: Select your time zone
Time Settings – Server IP/Name: provide an NTP server (e.g. pool.ntp.org)

Click Apply Settings

Note: As both the cable router/modem and the WRT1900ACS have DHCP enabled, your WRT1900ACS will also be assigned an IP address in the 192.168.0.x subnet (e.g. 192.168.0.10). If you connect to your router’s network (over WiFi or an ethernet port) you can reach 192.168.1.1 for management. But you can also access the router management UI when you are connected to the cable router/modem network by browsing to 192.168.0.10.

Wireless Setup

The basic wireless settings have two default physical interfaces, ath0 (5GHz) and ath1 (2.4GHz). Let’s configure those. We will also configure two extra virtual interfaces, one per band, ath0.1 (5GHz) and ath1.1 (2.4GHz), which will later be used for VPN connectivity.

Navigate to Wireless–>Basic Settings

Physical Interface ath0 (5GHz)
Wireless Mode: AP
Wireless Network Mode: AC/N-Mixed
Channel Width: VHT80 (80 MHz)
Wireless Channel: Choose a wireless channel (e.g. 100; Auto is not a good option)
Extension Channel: Choose the extension channel (e.g. UU)
Wireless Network Name (SSID): DD-WRT-5G (name it at your own wish)

Check Advanced Settings

Network Configuration: Bridged

Physical Interface ath1 (2.4GHz)
Wireless Mode: AP
Wireless Network Mode: NG-Mixed
Channel Width: Wide HT40 (40 MHz)
Wireless Channel: Choose a wireless channel (e.g. 13; Auto is not a good option)
Extension Channel: Choose the extension channel (e.g. Lower)
Wireless Network Name (SSID): DD-WRT (name it at your own wish)

Click Apply Changes.

Note: In Advanced Settings, changing the Tx Power and Antenna Gain has no effect on this router as they are locked. Also make sure you choose the right Regulatory Domain to match your region, as this affects which wireless channels are available when you select a wireless channel.

Now let’s create the two extra virtual interfaces that we will later use for VPN connectivity.

Click Add virtual interface under ath0.

Virtual Interfaces ath0.1
Wireless Mode: AP
Wireless Network Name (SSID): DD-WRT-5G-VPN (name it at your own wish)
Wireless SSID Broadcast: Enable

Check ‘Advanced Settings’
Network Configuration: Bridged

Click Apply Changes.

Click ‘Add’ virtual interface under ath1.

Virtual Interfaces ath1.1
Wireless Mode: AP
Wireless Network Name (SSID): DD-WRT-VPN (name it at your own wish)
Wireless SSID Broadcast: Enable

Check ‘Advanced Settings’
Network Configuration: Bridged

Click Apply Changes.

Wireless Security

For each of the wireless interfaces (ath0, ath1, ath0.1 and ath1.1) configure your wireless security.

Note: You should use AES for maximum wireless speeds.

Navigate to Wireless–>Wireless Security

Wireless Security ath0
Security Mode: WPA2 Personal
WPA Algorithms: AES
WPA Shared Key: (Some strong passkey here)

Click Apply Changes.

Repeat for each of ath1, ath0.1 and ath1.1 interfaces.

Using different Subnets per SSID

Right now all connected devices (whether connected by ethernet port or WiFi) belong to the same 192.168.1.x subnet. We will create a new subnet for each of the WiFi SSIDs. This way all connections over the ethernet ports will belong to the 192.168.1.x subnet, while WiFi clients will belong to different subnets depending on the WiFi interface they are connected to. This gives you more control over your network (you can send specific subnets over the VPN while routing traffic normally for the others, you can isolate subnets from each other, etc.).

Networking Setup

Navigate to Setup–>Networking

We need to create a bridge for each one of the WiFi interfaces. You will already have the default br0, with STP (Spanning Tree Protocol) off.

Bridging
Click Add to add a new bridge and name it br1.
Turn off STP.

Click Apply Changes.

Assign to Bridge
Click Add, choose br1 and select the ath0 wireless interface from the drop-down.

Click Apply Changes.

Port Setup
Under “Network Configuration br1” enter the following.

Label: 5G (Choose anything you like here)
IP Address: 192.168.2.1 (gateway for new subnet)
Subnet Mask: 255.255.255.0

Click Apply Settings.

DHCPD
Click Add, choose “br1 – 5G” and set the start of the range at 128 (depends on how many clients you want to serve).

Click Apply Settings.

Note: You should now have wireless and internet connectivity from the new SSID and receive an IP address in the 192.168.2.128/28 range.

Repeat the same procedure for the rest of the WiFi interfaces:

For ath1 use 192.168.3.1 as IP Address and ‘2.5G’ for label

For ath0.1 use 192.168.4.1 as IP Address and ‘5G-VPN’ for label

For ath1.1 use 192.168.5.1 as IP Address and ‘2.5G-VPN’ for label

OpenVPN Setup

We will now configure the OpenVPN client with policy based routing.

Navigate to Services –>VPN

OpenVPN Client
Start OpenVPN Client: Enable
Server IP/Name: (Obtain this from your VPN provider)
Port: (Obtain this from your VPN provider)
Tunnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: AES-128 CBC
Hash Algorithm: SHA1 (Depending on VPN provider)
User Pass Authentication: Disable (This is for my VPN provider; other providers use this option)
Advanced Options: Enable
TLS Cipher: None or the one specified by your provider
LZO Compression: Yes (Depending on VPN provider)
NAT: Enable
Firewall Protection: Enable
IP Address: 192.168.1.1 (The router IP)

Additional Config
(Add here additional configuration provided by your VPN provider)

Policy based Routing
192.168.4.128/28 (This is our 5G VPN subnet configured above)
192.168.5.128/28 (This is our 2.5G VPN subnet configured above)

TLS Auth Key – PKCS12 Key – Static Key – CA Cert – Public Client Cert – Private Client Key
(Add here keys and/or Certificates provided by your VPN provider)

Note: With the above Policy based routing only the two subnets specified there will be routed over the VPN. You can use single IPs or subnets, each one on a new line.

OpenVPN Killswitch

One thing you want to avoid is traffic that is meant to be routed through the VPN leaking outside when the VPN is down. If you don’t mind that, then you don’t need any additional settings: when the VPN goes down, the VPN subnets will still have access to the internet.

But if you want to block the VPN subnets’ traffic when the VPN is down, you need to configure a killswitch in your firewall.

Navigate to Administration–>Commands

In the Command Shell, paste the firewall rules below into the Command box.

# Drop anything from the VPN subnets that is about to leave through the WAN interface instead of the tunnel
iptables -I FORWARD -s 192.168.4.128/28 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.5.128/28 -o $(nvram get wan_iface) -j DROP

Click Save Firewall

Note: You should test that the killswitch is working. You can disable the VPN and make sure that clients connected to the DD-WRT-5G-VPN and DD-WRT-VPN SSIDs have no internet connectivity anymore.
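To make the killswitch both re-runnable and verifiable, here is an added helper script (not part of the original post) that installs the two DROP rules above only when they are missing and includes the check the note asks for. It assumes DD-WRT’s BusyBox sh, the post’s two VPN subnets, and the WAN interface name coming from nvram get wan_iface.

```shell
#!/bin/sh
# Added example, not from the original post: OpenVPN killswitch helper for
# DD-WRT. Same DROP rules as the post, but each rule is inserted only if
# "iptables -C" reports it missing, so re-running the script never stacks
# duplicate rules, and check_killswitch verifies that every rule is present.
# Assumptions: the post's VPN subnets below; the WAN interface name is read
# from "nvram get wan_iface" on the router and passed in as the first argument.

VPN_SUBNETS="192.168.4.128/28 192.168.5.128/28"   # 5G-VPN and 2.5G-VPN

# Print one FORWARD rule spec per VPN subnet (the part after -I/-C/-D).
killswitch_rule_specs() {
    wan="$1"; shift
    for net in "$@"; do
        printf 'FORWARD -s %s -o %s -j DROP\n' "$net" "$wan"
    done
}

# Insert the DROP rules that are not there yet. Prints how many were added.
apply_killswitch() {
    wan="$1"; shift
    added=0
    for net in "$@"; do
        if ! iptables -C FORWARD -s "$net" -o "$wan" -j DROP 2>/dev/null; then
            iptables -I FORWARD -s "$net" -o "$wan" -j DROP && added=$((added + 1))
        fi
    done
    echo "$added"
}

# Succeed only if every VPN subnet still has its DROP rule in FORWARD.
check_killswitch() {
    wan="$1"; shift
    missing=0
    for net in "$@"; do
        iptables -C FORWARD -s "$net" -o "$wan" -j DROP 2>/dev/null \
            || { echo "missing killswitch rule for $net" >&2; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# On the router: "sh killswitch.sh apply" installs, "sh killswitch.sh check" verifies.
case "${1:-}" in
    apply) apply_killswitch "$(nvram get wan_iface)" $VPN_SUBNETS ;;
    check) check_killswitch "$(nvram get wan_iface)" $VPN_SUBNETS && echo "killswitch OK" ;;
esac
```

To use it from the Commands page instead, paste the functions and add a final line calling apply_killswitch "$(nvram get wan_iface)" $VPN_SUBNETS before clicking Save Firewall.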

OpenVPN DNS

If your VPN provider has its own DNS servers you may want to use those for the VPN traffic.

Navigate to Setup–>Networking

Scroll down to Port Setup and find the previously configured network configurations for the VPN bridges.

Forced DNS Redirection: Enable
Optional DNS Target: (DNS server IP address provided by your VPN provider)