Setting up SSH and OpenVPN on Netgear WNDR4300

Unknown to many, the official Netgear WNDR4300 firmware is based on OpenWrt. The procedure described here uses the OpenWrt repos to get OpenVPN up and running, and it also involves recompiling the official firmware. So this is certainly not for the faint-hearted, and it assumes a good knowledge of Linux.

Stock Firmware Info
The file /etc/banner on the router (I will explain later how to telnet to the router) shows that the stock firmware is based on OpenWrt Kamikaze (bleeding edge, r18571). Based on, the closest available stable release is Kamikaze 8.09.2 r18801, released in January 2010. Also, the presence of a file /lib/ in the stock firmware indicates that the arch is ar71xx.

Stock Firmware Compilation And Installation

  1. For stock firmware source compilation, it is recommended to use Ubuntu 10.04 (server edition) as the official firmware binary has been compiled on Ubuntu 10.04.1 (Server) with gcc 4.1.3. So, download and install Ubuntu 10.04 (you can use a VM as it is more convenient).
  2. After installing Ubuntu 10.04 for building the firmware, install build dependencies.
    $ sudo apt-get install gcc-4.1 g++-4.1 libncurses-dev zlib1g-dev gawk flex
    $ cd /usr/bin
    $ sudo ln -s gcc-4.1 gcc
    $ sudo ln -s g++-4.1 g++
    $ sudo ln -s gcc cc
  3. Netgear stock firmwares can be downloaded from Download and extract You will also need for the toolchain.
    $ unzip /path/to/
    $ bunzip2 WNDR4300-V1.0.1.42_gpl_src.tar.bz2
    $ tar -xvf WNDR4300-V1.0.1.42_gpl_src.tar
    $ ls
    wndr4300-GPL.git  wndr4300_gpl_source_list.txt  WNDR4300-V1.0.1.42_gpl_src.tar
  4. Add the init script wndr4300-GPL.git/target/linux/wndr4300/base-files/etc/init.d/startup with the content below:
    #!/bin/sh /etc/rc.common
    start() {
      if [ -x /jffs/ ]; then

    Also make the init script executable:

    $ chmod +x wndr4300-GPL.git/target/linux/wndr4300/base-files/etc/init.d/startup

    Now, you can write any commands in /jffs/ and they will be executed whenever the router boots up.

  5. Follow remaining instructions in to finish the build.
  6. The final image is "bin/WNDR4300-V1.0.1.42.img". Go to the Router Upgrade Page and upgrade to this newly built firmware.

Logging in to the router (using Telnet)
You can use the software at to telnet to the router. The instructions for doing this are pretty straightforward.

The OpenWrt wiki page also mentions other ways of accessing the telnet console, but I haven't tried them, as netgear-telnetenable worked like a charm.

Setting up ipkg

  1. wget, which is used by ipkg for downloading packages, is broken in the stock firmware. So, we need to download wget and dependent packages from and install them. However, as wget is broken, I didn't know how to download the packages directly to the router. So, I downloaded them to my laptop, started a tftp server on my laptop, logged into the router, and using the tftp client transferred and installed the packages.
    Setting up a tftp server is outside the scope of this tutorial, but it is quite easy and you will find many tutorials online on how to do it.

    $ python <IP> <MAC> <Username> <Password>
    BusyBox v1.4.2 (2013-12-26 18:08:07 UTC) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
      _______                     ________        __
     |       |.-----.-----.-----.|  |  |  |.----.|  |_
     |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
     |_______||   __|_____|__|__||________||__|  |____|
              |__| W I R E L E S S   F R E E D O M
     KAMIKAZE (bleeding edge, unknown) ------------------
      * 10 oz Vodka       Shake well with ice and strain
      * 10 oz Triple sec  mixture into 10 shot glasses.
      * 10 oz lime juice  Salute!
    root@WNDR4300:~# tftp -g -r libopenssl_0.9.8i-3.2_mips.ipk 
    root@WNDR4300:~# ipkg install libopenssl_0.9.8i-3.2_mips.ipk
    root@WNDR4300:~# tftp -g -r wget_1.11.4-1_mips.ipk 
    root@WNDR4300:~# ipkg install wget_1.11.4-1_mips.ipk
  2. Create /etc/ipkg.conf and update ipkg list.
    root@WNDR4300:~# echo -e "dest root /jffs\nsrc openwrt" > /etc/ipkg.conf
    root@WNDR4300:~# export PATH=/jffs/bin:/jffs/sbin:/jffs/usr/bin:/jffs/usr/sbin:$PATH
    root@WNDR4300:~# ipkg update

Installing SSH

  1. Now, you can install SSH from OpenWrt Kamikaze repos.
    root@WNDR4300:~# ipkg install openssh-server

    As a matter of fact, you can install any of the packages in and they should most probably work.

  2. Note that the binaries and libraries are installed to the /jffs partition and not /, because we configured this in /etc/ipkg.conf (dest root /jffs). We did this so that the files persist when the router reboots. To accommodate this, you have to modify /jffs/etc/init.d/sshd accordingly. Here is the modified script.
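    #!/bin/sh /etc/rc.common
    # Copyright (C) 2006
    start() {
            for type in rsa dsa; do {
                    # check for keys
                    # The key= line is missing from the page. This path is an assumption
                    # (same directory as sshd_config) and must match HostKey in sshd_config.
                    key=/jffs/etc/ssh/ssh_host_${type}_key
                    [ ! -f $key ] && {
                            # generate missing keys
                            [ -x /jffs/usr/bin/ssh-keygen ] && {
                                    /jffs/usr/bin/ssh-keygen -N '' -t $type -f $key 2>&- >&- && exec /etc/rc.common "$initscript" start
                            } &
                            exit 0
                    }
            }; done
            # privilege separation directory used by sshd
            mkdir -p /var/empty
            chmod 0700 /var/empty
            # use the sshd binary and config installed under /jffs
            /jffs/usr/sbin/sshd -f /jffs/etc/ssh/sshd_config
    }

    stop() {
            killall sshd
    }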
  3. To start OpenSSH server:

    root@WNDR4300:~# /jffs/etc/init.d/sshd start

Installing OpenVPN

  1. Install OpenVPN using ipkg
    root@WNDR4300:~# ipkg install openvpn
  2. Place your config file (e.g. amaram.vpn.conf) in the /jffs/etc/openvpn/ directory.
  3. For OpenVPN, I preferred to start it directly and avoid calling the openvpn init.d script.
    root@WNDR4300:~# LD_LIBRARY_PATH=/jffs/usr/lib /jffs/usr/sbin/openvpn --daemon --cd /jffs/etc/openvpn --config amaram.vpn.conf --log /tmp/openvpn.log
  4. You might need to modify iptables rules whenever openvpn starts. This can be achieved by passing the --route-up option to the openvpn binary, with the path of a script containing the firewall rules as its argument. The script is executed whenever a tunnel is established.
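
As an added example (not the author's script), a route-up hook for the OpenVPN client above could look like this. The LAN interface name br0, the rule set itself, and the availability of the iptables state match on the stock firmware are assumptions; rules are appended, so they only take effect if the firmware's own FORWARD rules do not match first.

```shell
#!/bin/sh
# Added example: route-up hook (not from the original post).
# OpenVPN exports "dev" (tunnel interface) and "script_type" to hook scripts.
# Assumption: the LAN bridge is br0; check with "ifconfig" on the router.
LAN_IF="${LAN_IF:-br0}"

# Accept only tunN/tapN so a malformed value never reaches iptables.
valid_dev() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]|tap[0-9]|tap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rule set, one iptables argument list per line.
vpn_rules() {
    valid_dev "$1" || return 1
    # LAN clients may open connections through the tunnel
    echo "-A FORWARD -i $LAN_IF -o $1 -j ACCEPT"
    # only replies to those connections may come back in
    echo "-A FORWARD -i $1 -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # anything else arriving from the tunnel is dropped
    echo "-A FORWARD -i $1 -j DROP"
    # hide LAN addresses behind the tunnel address
    echo "-t nat -A POSTROUTING -o $1 -j MASQUERADE"
}

# Apply the rules; each one is deleted first so reconnects do not stack duplicates.
apply_rules() {
    rules=$(vpn_rules "$1") || return 1
    echo "$rules" | while read -r rule; do
        iptables $(echo "$rule" | sed 's/-A /-D /') 2>/dev/null || true
        iptables $rule || exit 1
    done
}

# Run only when OpenVPN invokes the script as its route-up hook.
if [ "${script_type:-}" = "route-up" ]; then
    apply_rules "${dev:-}"
fi
```

Pass the script's path as the argument to --route-up on the openvpn command line. On OpenVPN 2.1 and later, user scripts only run when --script-security 2 is also given.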

Configuring the launch script
Finally, we have to write the /jffs/ script to automate setting up ipkg and starting the SSH and OpenVPN servers whenever the router reboots. Here is the content of the /jffs/ script that I am using:

# Set PATH
echo "export PATH=/jffs/bin:/jffs/sbin:/jffs/usr/bin:/jffs/usr/sbin:\$PATH" >> /etc/profile

echo "export LD_LIBRARY_PATH=/jffs/usr/lib" >> /etc/profile

# Setup ipkg
echo -e "dest root /jffs\nsrc openwrt" > /etc/ipkg.conf

# SSH authorized_keys
mkdir -p /tmp/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6emYnBS1NLG1j1HsuMb3X6nI0+jWrpRvjhBSuB9q4lOO4NpxNdgCiDd7+qoYGLd4fE7hy/GYN1TvXXuDtDZPnuIOg8XaRxZg5wSDZV0nRsDNKGH8NikGzvxGEI9KeqBNrl+iRLS/ipl0QRmLpNScwXWOW6h9eP+S7GaL6Y56YyL+uwuUg14ow2nA2YFYQKLRXM20EiEm4C419XknYHsIG16ix2AamrH1CGJrQCo0m6f1Kf5OUjX8gSQvaToaD2J5NFbdGfaykW/RvmQH+37PlVnfE24SVrZ0ylRHvnqMTgSE1ZQ54U/zAbRpwB3vpEQCdW/kNz/gLwzbUHW0yzEw+w== rahul@rahul-laptop" > /tmp/.ssh/authorized_keys

# Start SSH
/jffs/etc/init.d/sshd start

# Start openvpn
LD_LIBRARY_PATH=/jffs/usr/lib /jffs/usr/sbin/openvpn --daemon --cd /jffs/etc/openvpn --config amaram.vpn.conf --log /tmp/openvpn.log
