The compilation of text and illustrations for this manual has been undertaken with the greatest care. However, errors and omissions cannot be completely ruled out.
The publisher accepts absolutely no responsibility for incorrect information.
We reserve the right to make changes to this documentation and the products described herein at any time without prior notice.
Our document department will be pleased to assist you should you experience problems with this document.
Tel.: +49 (8703) 929-00
Fax: +49 (8703) 929-201
© 2023 TDT AG – Stefan Haunreiter
We wish you success and enjoyment
Your TDT Team
This documentation contains instructions that need to be complied with for the safety of the user and/or to prevent damage to the G4000.
As part of ongoing security testing TDT always strives to design its products as secure as possible and attaches great importance to compliance with current safety and quality standards during development and regular firmware updates.
Hereby, TDT declares that the telecommunication terminal equipment type G4000 is in compliance with Directive 2014/35/EU.
The full text of the EU declaration of conformity is available at the following internet address: download.tdt.de
The following accessories are included with the G4000 router:
On the front of the G4000 are located:
| Element | Description |
|---|---|
| eth3 | SFP cage, up to 1 Gbit/s. |
| eth0 - eth2 | 10/100/1000BaseT interface, RJ45/RJ48s. Automatic detection of speed and cable type (1:1 or crossed). |
| Console | 9-pole RS-232 configuration port (speed: 115200, 8N1). |
| USB | Deactivated by default. The USB 3.0 ports are intended for future applications (e.g. external logging, UPS management). |
| LCD Display | Displays status information and allows a reboot or factory reset to be performed. |
With the LCD display, the G4000 offers the possibility to read out status information and to perform a reboot or to restore the delivery state by a factory reset.
Navigation is carried out using the arrow keys to the right of the display.
ˆ Menu level up
ˇ Menu level down
› Submenu ascending
‹ Submenu descending
○ is used to confirm actions.
1.1 Uptime, date and time
1.2 Software version
1.3 Serial number
eth0: IPv4 address and subnet mask
eth1: IPv4 address and subnet mask
eth2: IPv4 address and subnet mask
eth3: IPv4 address and subnet mask
3.1 Perform Reboot
3.2 Factory Reset
| Element | Description |
|---|---|
| Power supply | Redundant power supply, two separate modules. |
| Button (red) | A power supply error is indicated acoustically. The signal can be acknowledged/deactivated with this push-button. |
Our TDT Expert Support Team provides assistance with all aspects of configuring your device and will be glad to help you analyze and solve problems that occur.
You can reach the support hotline Monday to Friday from 08:00 to 18:00 by telephone* at
+49 8703 929-112
or at any time by e-mail to
To ensure an optimal support process, we kindly ask you to provide additional support data with your request. The support data** can be generated on the page Help > TDT-Support.
* Except national bank holidays
** The support data file does not contain any confidential information like passwords or PIN codes.
Carefully open the transport packaging.
Take out the router by folding the cardboard flaps upwards and pulling out the device under the foil.
Only now connect the router to the power supply.
As soon as the initiation process is completed the router can be reached via IP.
By »factory default« the G4000 has the IP address 192.168.0.50, and the user is root. The password is individually generated for each router during the production process and printed on the nameplate.
Besides, IP addresses are also provided via DHCP in the standard configuration.
Here the range is defined from
| Setting | Value |
|---|---|
| Password: | Individually generated for each router (see nameplate). If no password is printed, it equals the serial number. |
In the delivery state, the G4000 has an individual password which can be found on the nameplate.
Nevertheless, it is highly recommended to assign an individual password before starting the configuration!
Before mounting the device, write down the password in order to retain access after a factory reset.
The router can be configured in two ways: via the web interface in a browser, which allows an easy configuration, or by connecting directly to the router via SSH or the serial console.
192.168.0.0/24 is required. For example,
192.168.0.1 with subnet mask
To get to the web interface of the G4000 via a browser, simply enter the IP address of the router in the address bar. In the delivery state the IP address of
lan is set to
192.168.0.50. The router is also further accessible via the name
Since the web interface can only be accessed via SSL,
https:// must be prepended before the IP address.
In the now appearing login window you authenticate yourself with the user name root and the corresponding password.
The router also provides a command line, which can be used to run analyses easily.
The shell can be reached via IP (SSH) or serially via the micro-USB port on the front of the G4000. In both cases access can be realized, for example, with the open source software PuTTY. Recommended PuTTY configurations can be found here
For SSH access you open PuTTY, enter the IP of the G4000 at the
Host Name (or IP address) and click the
Open-button. In the newly opened window, log on to the system with the user name
root and the corresponding password.
In a Linux environment access can be gained directly via the terminal by using the command
In order to access the G4000 via serial, a terminal program is required. The connection can also be established via PuTTY.
First connect the router with a micro-USB cable via the console port to the computer. The driver for the USB serial port should then be installed automatically.
Under Windows, the Device Manager can be used to find out which COM port is assigned. A USB serial port should appear there after successful installation.
The following chart shows the values that must be configured in the terminal program in addition to the COM port for the serial interface.
To get the login prompt, press the Enter key
↵ once. Afterwards you can log on to the system with the user
root and the corresponding password.
In the web interface – as long as no individual password has been assigned – a warning including a link to the
System > Administration page is displayed, where the password can be set.
Password is entered and is to be repeated via
Confirmation. Finally, the new password is accepted with
Save & Apply.
An SSH session or the serial console via micro-USB can also be used to change the password by calling the
One of the first steps after commissioning is usually to adapt the local IP address to the required environment.
In order to do this, go to the
Network > Interfaces menu, select the interface
lan and click on the
IPv4 address and the
IPv4 netmask used for the network are now entered in the new mask.
Optionally a separate
IPv4 broadcast IP deviating from the standard can be entered.
If IPv6 is required instead of IPv4 or if an IPv6 configuration is to be implemented additionally, the necessary settings are also executed here.
At the end of this page are parameters for DHCP, which runs at this interface by default.
If the DHCP server for this interface is to be deactivated, simply put a check mark at
To adjust the DHCP range, the smallest IP address to be assigned is given at
Start. In the delivery state
100 is assigned here.
1. Thus, in the default configuration
192.168.0.100 is the first IP address available for DHCP clients.
255.255.0.0, the number is incremented accordingly in 256 steps.
So if assuming the router IP of
10.10.10.254 with a netmask
255.255.0.0 and a start value of
610, the first address assigned via DHCP would be
Limit indicates the maximum number of IP addresses allowed by the DHCP server.
Limit can only specify the number of DHCP hosts.
In our example, if the DHCP limit is
200, the last possible IP would be
Network > DHCP and DNS.
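The Start/Limit arithmetic described above, as an added worked example that is not code from the manual or the router firmware. It assumes, as the text describes, that Start is an offset from the network address and Limit the number of hosts, and it additionally flags pools that exceed the subnet or contain the router's own address.

```python
"""Added worked example (not code from the TDT manual or the G4000 firmware):
how the DHCP 'Start' and 'Limit' values translate into concrete addresses.

Assumed semantics, as described in the manual: 'Start' is an offset counted
from the network address of the interface, so with a /16 netmask it may exceed
255 and rolls over into the next octet; 'Limit' is the number of hosts, so the
last address is first + limit - 1.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import Tuple


def dhcp_pool(router_ip: str, netmask: str, start: int, limit: int) -> Tuple[IPv4Address, IPv4Address]:
    """Return (first, last) address handed out for the given interface settings.

    Raises ValueError for pools that do not fit into the subnet or that would
    include the router's own address, both misconfigurations worth catching
    before Save & Apply.
    """
    if start < 1 or limit < 1:
        raise ValueError("start and limit must be positive")
    iface = IPv4Interface(f"{router_ip}/{netmask}")
    net = iface.network
    first = net.network_address + start   # offset counted from the network address
    last = first + (limit - 1)            # limit counts hosts, not the end address
    if last >= net.broadcast_address:
        raise ValueError(f"pool {first}-{last} does not fit into {net}")
    if first <= iface.ip <= last:
        raise ValueError(f"pool {first}-{last} contains the router address {iface.ip}")
    return first, last


def pool_contains(router_ip: str, netmask: str, start: int, limit: int, host: str) -> bool:
    """True if a (statically assigned) host address lies inside the dynamic pool."""
    first, last = dhcp_pool(router_ip, netmask, start, limit)
    return first <= IPv4Address(host) <= last


if __name__ == "__main__":
    # Delivery state: 192.168.0.50/24 with Start 100; the limit of 100 is a constructed value.
    print(dhcp_pool("192.168.0.50", "255.255.255.0", 100, 100))
    # The manual's /16 example: router 10.10.10.254, netmask 255.255.0.0, Start 610, Limit 200.
    print(dhcp_pool("10.10.10.254", "255.255.0.0", 610, 200))
```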
The G4000 provides various ways to set up an internet connection. One option is a DSL connection; alternatively, the WAN port can be used to implement various gateway connections or a connection via an external modem.
In the delivery state, all WAN interfaces are located in the firewall zone
External access to the router is not permitted by default.
In the default configuration, the router is equipped with a backup mechanism for the internet connection.
The order here is – from the highest priority to the lowest –
wan (Ethernet gateway connection) before
xdsl (DSL connection) before
xdsl (DSL connection) and
wwan (cellular) are not started by default.
The router actively sends ICMP packets to check the individual connection paths.
In order to set up an internet connection via a gateway which provides DHCP, generally no changes are necessary. The WAN port only needs to be connected to the corresponding gateway.
To permanently configure the IP address of the WAN interface to a static address, go to the menu
Network > Interfaces. By pressing
Edit at the
wan interface, the configuration dialog is opened.
Protocol is changed from
DHCP Client to
Static address and the change is confirmed by the button
IPv4 netmask, and the IP address of the gateway to be used at the
IPv4 gateway are set in the new mask.
In regard to the name resolution,
Use custom DNS servers requires an appropriate server.
Optionally a separate
IPv4 broadcast IP deviating from the standard can be entered.
If IPv6 is required instead of IPv4 or if an IPv6 configuration is to be performed additionally, the necessary settings are also executed here.
TDT routers are shipped with a zone-based firewall as standard.
In the delivery state all WAN interfaces are located in the firewall zone
External access to the router is not permitted by default.
Out of the zone
wan the access to local devices that are behind the G4000 is rejected.
Local interfaces are located in the zone
lan of the firewall.
This is not subject to any restrictions.
On the overview page of the firewall you will first find the option to set the behavior that applies for interfaces without a zone.
In the combined view of the firewall zones, the zones with their contained interfaces are displayed, as well as which forwardings into other zones are allowed. This describes the behavior when a data packet arrives at the router and is routed to another zone. An example would be a request from a client computer to a web server: the packet arrives at an interface of the zone
lan and is passed on to the zone
wan via a routing entry, that is, it is »forwarded«.
A port forwarding, as the name implies, is another example of a »forwarded packet«.
In addition, it defines how to handle packets that are directed to an IP address of the router (input) or that are generated by the router (output).
An outgoing »Masquerading«, a special form of the source NAT, can be created for the zone here by activating the function
Masquerading. This replaces the sender IP address with the address of the interface through which the data stream is sent to its destination.
MSS Correction function is used to determine the »Maximum Segment Size« for data packets to the respective destination. The method is also known as »Path MTU Discovery« and is mainly used for DSL connections, since there the maximum transmission unit (MTU) is usually smaller than the value of 1500 common in local networks.
Forwarding packets are rejected by default configuration unless they are port forwarding packets (DNAT).
If the access is to be restricted accordingly, this must be taken into account in the port forwarding rule.
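The zone behavior described above (input, output, forward and the special role of port forwards), as an added illustration that is not code from the manual or the G4000 firmware: a small model of the delivery-state policy, with the zone names lan and wan taken from the text and all addresses and rules constructed for the example.

```python
"""Added illustration (not code from the TDT manual or the G4000 firmware): a model
of the zone-based firewall defaults described above, tried out on constructed
packets. Zone names lan/wan and the policy follow the manual; all addresses and
rules are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    in_zone: Optional[str]  # zone of the receiving interface; None = generated by the router
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    external_zone: str
    proto: str
    external_port: int
    internal_ip: str
    internal_port: int
    allowed_sources: Optional[List[str]] = None  # restrict to defined senders if set


class ZoneFirewall:
    def __init__(self, networks: Dict[str, List[str]], router_ips: Dict[str, str]):
        # networks: zone -> prefixes reached through that zone; wan carries the default route
        self.networks = {z: [ip_network(n) for n in nets] for z, nets in networks.items()}
        self.router_ips = {z: ip_address(a) for z, a in router_ips.items()}
        self.forwardings: Dict[str, Set[str]] = {}  # source zone -> permitted destination zones
        self.input_allowed: Set[str] = set()        # zones allowed to reach the router itself
        self.port_forwards: List[PortForward] = []

    def zone_for(self, ip: str) -> str:
        addr = ip_address(ip)
        for zone, nets in self.networks.items():
            if any(addr in n for n in nets):
                return zone
        return "wan"  # everything else leaves via the default route

    def decide(self, pkt: Packet) -> str:
        dst = ip_address(pkt.dst)
        # 1. Port forwards (DNAT) match first and are accepted regardless of the zone
        #    forwarding policy, which is why a sender restriction belongs in the rule.
        for pf in self.port_forwards:
            if (pf.external_zone == pkt.in_zone and pf.proto == pkt.proto
                    and pf.external_port == pkt.dport
                    and dst == self.router_ips.get(pf.external_zone)):
                if pf.allowed_sources and pkt.src not in pf.allowed_sources:
                    return "REJECT (sender not permitted by port forward rule)"
                return f"DNAT -> {pf.internal_ip}:{pf.internal_port}"
        # 2. Output: packets generated by the router itself.
        if pkt.in_zone is None:
            return "ACCEPT output"
        # 3. Input: packets directed to one of the router's own addresses.
        if dst in self.router_ips.values():
            return "ACCEPT input" if pkt.in_zone in self.input_allowed else "REJECT input"
        # 4. Forward: routed into another zone, allowed only if the source zone permits it.
        dst_zone = self.zone_for(pkt.dst)
        if dst_zone in self.forwardings.get(pkt.in_zone, set()):
            return f"ACCEPT forward {pkt.in_zone} -> {dst_zone}"
        return f"REJECT forward {pkt.in_zone} -> {dst_zone}"


def default_policy() -> ZoneFirewall:
    """Delivery-state policy as described in the manual, with constructed addresses."""
    fw = ZoneFirewall(networks={"lan": ["192.168.0.0/24"], "wan": []},
                      router_ips={"lan": "192.168.0.50", "wan": "203.0.113.10"})
    fw.forwardings = {"lan": {"lan", "wan"}}  # lan is not subject to any restrictions
    fw.input_allowed = {"lan"}                # external access to the router not permitted
    return fw


if __name__ == "__main__":
    fw = default_policy()
    print(fw.decide(Packet("lan", "192.168.0.20", "198.51.100.7", "tcp", 443)))  # client -> web server
    print(fw.decide(Packet("wan", "198.51.100.7", "192.168.0.20", "tcp", 22)))   # outside -> local host
```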
Port forwardings can be set up quickly and easily under
Firewall > Port Forwards.
To do this the
name is specified for the port forwarding, the
Protocol is selected, the zone on which the requests arrive is picked under
External zone, and the addressed port is stated under
For the local side, the
Internal zone, destination,
Internal IP address and the
Internal port to be addressed to the target device are specified.
Add creates the rule with the specified parameters. To activate this rule press
Save & Apply to conclude.
Firewall > Traffic Rules, port releases can be managed.
Several predefined rules can be found here, some of which are not activated.
To activate or deactivate a rule as needed, a checkmark is set or removed in the
Activate column in the overview table and the change is made with
Save & Apply.
To allow access to a port of the G4000, a name for the rule has to be assigned in the area
open ports on the router, the
Protocol and the
External port have to be specified, and the rule is then created via
Now the newly created rule can be further limited by
Edit, for example to allow access only from a defined sender (
Among other things, the
Source zone, where the packet arrives at the router (the zone
wan is set here by default), and the
Destination zone can be adapted. When you create the rule using the
Open ports on the router routine, the
Destination zone is set to the value at
In order to change an incorrectly defined rule from
Accept input to
Accept forward, the
Destination zone is adapted to the desired zone.
In addition, a few more filters can also be set for the rule here.
Save & Apply puts the rule with the new change into effect and saves it.
If, however, a local network user is to be reached from outside, for example via port forwarding, a
New forward rule must be created.
This is added and opened immediately on the
Firewall > Traffic Rules page, specifying a rule-
Source zone – in this case
wan – and the
Destination zone – for the local devices according to
lan – using
Add and edit.... Here the
Destination port is specified.
Other filters are to be adjusted as already mentioned in »Open ports for access to the router«.
Save & Apply, the new rule is saved and activated immediately.
Dynamic DNS allows the G4000 to be reachable under the same hostname, even if the public IP address changes.
To set up a dynamic DNS update, go to the
Services > Dynamic DNS area. Here you have the option to add a new entry.
The first step is to set up the
Lookup Hostname and to select on the configuration page whether an IPv4 or an IPv6 address is to be updated.
DDNS service provider is picked, for example
dyntdt.de. If the service you are using has not yet been created, it can be prepared manually via the
-- custom -- option.
For this purpose, for example,
https://[USERNAME]:[PASSWORD]@www.dnshome.de/dyndns.php?ip=[IP] is specified for
Custom update-URL if https://www.dnshome.de is the provider.
How the update URL should look in particular can usually be found on the pages of the service provider.
After this the
Password are entered.
To transfer the data securely, it is recommended to enable
Use HTTP Secure and if the CA certificate is not present, to select
IGNORE for the
Path to CA-Certificate, otherwise the storage location.
Advanced Settings tab, the
IP address source to be updated is now selected. The default here is
Network and for
network it is
Save takes over the new settings.
Back on the overview page, the check mark is set to
Enabled and the settings are saved/activated via
Save & Apply.
A VPN is used to create another network over an existing one. Many different approaches are available for this purpose. In most cases, it is mistakenly assumed that a virtual private network is inevitably a secure data transmission and the transmission is secured by means of authentication and encryption. This is not necessarily the case.
Nowadays two different technologies are used for the implementation of a VPN:
These are used, for example, to link several company sites (site to site) or external / traveling employees (roadwarrior) to access (local) enterprise services.
The two approaches are briefly outlined below.
In addition, it should be mentioned here that the G4000 series routers contain the new VPN solution WireGuard as a further option. It offers, for example, modern cryptographic procedures and a simple configuration of cross-platform remote access from different terminal devices.
IPsec is the abbreviation for Internet Protocol Security. It enables a secure communication over potentially unsafe IP networks, e.g. the Internet.
In contrast to other encryption protocols, e.g. SSL, which is based on the transport layer, IPsec works directly on the internet layer of the TCP / IP protocol stack. This makes it transparent to applications.
IPsec uses two phases for connection negotiation.
In the first phase, encryption and authentication are negotiated (Internet Key Exchange = IKE). In this process secret keys are generated over several steps and an SA (security association) is negotiated, the so-called ISAKMP-SA or IKE-SA, where ISAKMP stands for Internet Security Association and Key Management Protocol.
The authentication is performed, for example, via pre-shared key (psk) or certificates (RSA or ECDSA).
In the second phase of the IPsec negotiation, Quick Mode is used. All communication in this phase is encrypted (protected by the IKE SA). Once again SAs are generated, which are used for the actual data exchange. In order to increase security, this »data SA« – usually referred to as IPsec-SA or CHILD_SA – contains no information from phase 1.
The data is transferred in one of two modes, transport mode or tunnel mode. For this purpose the methods Authentication Header (AH) and Encapsulating Security Payload (ESP) are available, whereby ESP is generally used.
AH is based on an additional header that follows the normal IP header. For ESP, the user data also contains a header that carries the Security Parameters Index (SPI). The presence of these headers is indicated by the protocol number in the IP header.
- Transport mode: only the packet contents are encrypted, the IP header is retained.
  - AH is based on an additional header that follows the normal IP header.
  - ESP encrypts the data of the packet, the IP header is retained.
- Tunnel mode: the original packet is encrypted and sent in a new packet.
  - AH creates a new IP packet containing an authentication header over the original packet.
  - ESP encrypts the complete IP packet and encapsulates the encrypted packet in a new packet.
In order to successfully establish an IPsec connection, a number of points have to be considered and clarified in advance:
- At least one side must be accessible via a public IP.
- Authentication and encryption parameters must be set.
- The networks / hosts to be connected must be known.
On the main side, the following ports and protocols are to be released or forwarded in the firewall:

| Port | Protocol | Description |
|---|---|---|
| (none) | ESP | Protocol for ESP (Encapsulating Security Payload) |
| 500 | UDP | Source and destination port for IKE (Internet Key Exchange) |
| 4500 | UDP | Required if the IPsec server is behind a NAT gateway or a masquerading firewall. |
The IPsec implementation strongSwan is used in current firmware versions. Detailed documentation and sample configurations can be found in the strongSwan Wiki.
OpenVPN is not an unsafe VPN solution, as the name might suggest. This simply expresses the fact that the source code is open and free of charge. The software is licensed under the GNU GPL and supports a variety of (modern) operating systems.
OpenVPN is used to set up virtual private networks over an encrypted TLS connection (Transport Layer Security, more widely known under the predecessor name SSL = Secure Sockets Layer). Authentication can be done via username / password, certificates or a static secret key.
A routed VPN (Layer 3) can be established with OpenVPN. In this case an encrypted tunnel is established between two virtual IP addresses of a subnet, the so-called transport network. For a tunnel between two endpoints this is a simple form of secure communication.
Only IP packets are routed via a VPN tunnel in the routing mode. Layer 2 data are not transferred. Particularly in the case of internet connections with low bandwidth or even traffic limitation this variant is to be preferred, since without the ethernet frames much less data are transmitted over the tunnel.
The variant of the Bridged-VPN offers the advantage of the complete tunneling of Ethernet frames (Layer 2). A client is fully transparently integrated and receives an IP address of the subnet there. Thus this mode also allows the use of alternative protocols such as IPX or supports the transmission of wake-on-LAN packets.
WireGuard is a very young technology to implement secure and powerful virtual private networks (VPNs) with little effort. It is an open source protocol and open source software that is intended to offer an alternative to established VPN solutions such as OpenVPN or IPsec.
WireGuard was developed with the aim of making VPNs easier and to offer an alternative to existing VPN solutions. The open source software and protocol compete with VPN technologies such as IPsec or OpenVPN. Compared to existing solutions, the configuration of VPN connections should be easier and faster.
WireGuard works with high performance on Layer 3 of the OSI layer model and supports both IPv4 and IPv6. The software is deliberately kept simple and clear. It only consists of approximately 4,000 lines of programming code. Other VPN solutions sometimes have several hundred thousand lines of source code. The new VPN alternative was developed by Jason A. Donenfeld. It is available for different platforms such as different Linux distributions, macOS, Android or iOS. On Linux systems, the code runs as a module in the kernel and achieves high performance. VPN providers such as Mullvad and AzireVPN have been offering the first services based on the new VPN solution since 2018.
The development phase of WireGuard has not yet been completed.
The WireGuard support will be merged into the Linux kernel 5.6.
The following goals were pursued when designing the VPN alternative:
WireGuard is characterized by its simplicity compared to the existing mostly very complex VPN solutions. The software offers fewer configuration options and is limited to the essentials. This makes the solution easy to use and its security easy to check. Possible weaknesses are easy to find in the manageable code. To achieve a high level of security when encrypting data, WireGuard uses modern cryptographic methods. VPN subscribers’ identities are linked to their public keys. Similar to SSH, connections are established by exchanging public keys. The architecture is based on the peer-to-peer model.
WireGuard uses various protocols to establish VPN connections and exchange data. The main protocols are:
The VPN solution is deliberately limited to the three basic functions for encrypted connections. The keys are exchanged in a handshake using Curve25519 with Elliptic Curve Diffie-Hellman (ECDHE). BLAKE2s serves as a universal hash function and generates, for example, keyed hash message authentication codes (HMAC) or derives keys with the HMAC-based key derivation function (HKDF). ChaCha20 and Poly1305 are responsible for the symmetric encryption and authentication of the exchanged data. In addition to the native support of IPv4 and IPv6, it is possible to encapsulate IPv4 in IPv6 and vice versa.
Linus Torvalds also showed himself to be a fervent supporter of the incorporation. As the Linux father confirmed in the course of the inclusion of network patches from the experimental branch of the kernel, he also sees the common alternatives as too cumbersome and too complicated. According to Torvalds, WireGuard is a work of art in direct comparison with the »horror of OpenVPN and IPsec«. »He therefore loves the implementation – even if it is not yet perfect – and would like it to be included in the kernel soon,« says Torvalds.
Source: Security Insider
The router offers various possibilities to manage configurations under
System > Backup / Flash Firmware.
To create a configuration backup, the button
Generate archive is pressed on the
Download backup page.
Now the configuration is packed and offered for download. If the browser is set to “Automatically save to the following folder”, the configuration is stored in the specified folder (in most browsers Downloads by default).
In doing so the file name is created according to the scheme
YYYY-MM-DD-backup HOSTNAME.tar.gz. If the browser asks before saving, the filename can be chosen as desired, but the ending
.tar.gz must be retained.
The configuration can be stored locally on the PC or in the server infrastructure after downloading.
A once created backup can be imported again – also on another, identical device – at any time.
To do this, the desired file is searched for locally in the
Restore backup section and restored using the
Upload archive... button. In the process the saved configuration is loaded and the changes are activated by a reboot.
The delivery state can be restored in various ways: via the web interface, via the command line, or by triggering it with the reset button.
The factory reset can also be triggered via the web interface on the menu page
System > Backup / Firmware Update in the
Restore delivery state section by pressing the
In order to restore the delivery state via command line use
firstboot and confirm the reset with
y (= yes).
An update of the router firmware can be carried out in the web interface in various ways: On the one hand via a manual upload of the firmware image and on the other hand online via the TDT Updateserver.
Write new firmware image section on the menu page
System > Backup / Flash Firmware, the file is selected on the local system using
Keep configuration is preselected by default. If the router is to start with factory settings after the update, the checkmark must be removed at this point.
The update process is started by pressing
At first the checksum is reviewed. If this is correct, the image can be flashed with
Proceed, but it is also possible to abort the process.
In the menu under
System > Online Firmware Update you can search for a newer, available software version on the TDT update server.
To do this, click on
Check for updates. The server is then prompted and the result is output accordingly.
If a new firmware image is available, you can import it directly from this page.
Here the checkmark
Keep Configuration is also checked by default. To start with the factory settings after the update, the checkmark must be removed at this point.
The process is started using
Flash image... under
Perform update. First the signature and then the checksum are reviewed here. If these are correct, the new firmware is flashed without further prompting.
In order to work optimally with the router in Windows environments, the following PuTTY settings are recommended.
Disable application keypad mode option is set under
Terminal > Features. This facilitates handling vi, for example, since the numeric keypad is thus usable.
Window menu, the value of
Lines of scrollback is set to
20000 lines to be able to scroll backwards.
In order to display the characters correctly, the character set should be set to
Window > Translation.
Since the color blue under PuTTY on black background is not optimally readable, it is recommended to change it. This is configured under
Window > Colors in
Select A Color to adjust for the color
ANSI Blue. The values corresponding to
Green are set to
Seconds between keepalives can be set to
Connection to maintain the SSH session.
Especially for slow connections, under
Connection > SSH you can set the checkbox for
Enable Compression to transfer the data compressed.
Finally, the serial communication can be configured. The values are set according to the following table via the menu
Connection > Serial.
Finally, the data is stored as a standard or as a separate profile under
Session. For this purpose, either the profile
Default Settings is marked or a separate session name is entered in the input field and saved with the button
| Link | Description |
|---|---|
| www.tdt.de | Official homepage of TDT AG |
| download.tdt.de | Download area on the official TDT homepage |
| OpenVPN | OpenVPN: official open-source page |
| PuTTY | PuTTY, an open-source SSH client |
| strongSwan | Official page about strongSwan IPsec |
| strongSwan Wiki | strongSwan IPsec: documentation and configuration examples |
| WireGuard | WireGuard®: the official web page |
| Security Insider: WireGuard | Security Insider: Definition – Was ist WireGuard® (German) |