The compilation of text and illustrations for this manual has been undertaken with the greatest care. However, errors and omissions cannot be completely ruled out.
The publisher accepts absolutely no responsibility for incorrect information.
We reserve the right to make changes to this documentation and the products described herein at any time without prior notice.
Our document department will be pleased to assist you should you experience problems with this document.
Tel.: +49 (8703) 929-00
Fax: +49 (8703) 929-201
© 2023 TDT AG – Stefan Haunreiter
We wish you success and enjoyment
Your TDT Team
This documentation contains instructions that need to be complied with for the safety of the user and/or to prevent damage to the VR2020-LD.
As part of its ongoing security testing, TDT strives to design its products to be as secure as possible and attaches great importance to compliance with current safety and quality standards during development and in regular firmware updates.
If the router contains a GSM modem and/or WLAN transmitter module, the following must also be considered:
The VPN router VR2020-LD, with VDSL/ADSL and cellular communications, is manufactured to the highest quality standards and, thanks to its flexibility, is well suited to establishing secure branch networks and to connecting mobile external sites.
The VR2020-LD offers high-speed internet access with an extremely high reliability through its intelligent backup management and the use of two SIM cards (Dual SIM support).
So that the router can operate on all modern xDSL connections, including all-IP, the VR2020-LD has an integrated DSL modem that supports the ADSL/ADSL2/ADSL2+ and VDSL/VDSL2 standards as well as VDSL2 vectoring.
The 2G, 3G and 4G (LTE, Long Term Evolution) radio connections are handled by a multiband modem that supports the LTE, HSPA+, HSDPA/HSUPA, UMTS, EDGE and GPRS standards.
The Ethernet WAN port allows any type of gateway connection to be implemented, as well as the use of external modems (e.g. SDSL, cable, FTTH).
Via a permanently established VPN tunnel, a VR2020-LD router can easily be integrated into a branch network or connected to a central office, and it is then directly reachable via private IP addressing.
In this case DynDNS is not required for access, but it can be set up at any time.
The fully implemented VPN standards IPsec and OpenVPN ensure a high level of security during data transmission. Authentication is performed either with stored certificates or with pre-shared keys, and the VPN router supports modern encryption algorithms such as AES with key lengths of up to 256 bits.
In terms of security, the integrated Trusted Platform Module (TPM) is also particularly noteworthy. It is used for the secure storage of secret keys: cryptographic keys can be generated, used and stored within the TPM, supported by its integrated random number generator (RNG), so that the key material does not have to be exposed to the operating system.
The Trusted Platform Module provides protection against both software attacks and hardware manipulation.
A configurable firewall is available to protect your network against attacks. It can be adapted to your individual needs by means of rules and scripts.
The VPN router can be configured comfortably – both locally and remotely – via the intuitive web interface. Experts can also manage the VR2020-LD via command line (SSH).
Automated remote configuration and maintenance via TDT ACS, an Auto-Configuration Server according to the TR-069 standard, as well as monitoring via a network management system such as Checkmk are available for use in branch networks.
Hereby, TDT declares that the radio equipment type VR2020-LD is in compliance with Directive 2014/53/EU.
The full text of the EU declaration of conformity is available at the following internet address: download.tdt.de
The following accessories are included with the VR2020-LD router:
On the front of the VR2020-LD router are arranged from left to right:
SIM card slot
LAN: link status of the LAN ports
WAN: link status of the WAN port
VPN: status of a VPN connection
Cellular: mobile radio connection status
Signal: mobile radio signal level
Micro-USB console port with integrated USB-to-serial adapter.
Alarm-LED to display important / critical events.
xDSL-LED for the status of the DSL connection
Power-LED as an indicator for an existing voltage supply
LAN LED
| State | Meaning |
|---|---|
| off | No LAN port has an active link. |
| on | At least one LAN port has an active link. |
| flashing | Data transfer via at least one LAN port. |

WAN LED
| State | Meaning |
|---|---|
| off | No link on the WAN port. |
| on | The WAN port has an active link. |
| flashing | Data transfer via the WAN port. |

Cellular LED
| State | Meaning |
|---|---|
| off | If the Signal LEDs are also off, the router is not registered on any mobile cell and has no signal in its own network. If any Signal LED is lit, the router is registered in the 2G network (GPRS / EDGE). |
| flashing | The router is registered in the mobile network and a 3G signal (UMTS / HSPA / HSPA+) is present. |
| on | The router is registered in a cell and the current technology is 4G (LTE). |

Signal LEDs
| LED | flashing | on |
|---|---|---|
| I | Registered on a mobile cell, signal level between 0% and 17%. | Signal level between 17% and 33%. |
| II | Signal level between 33% and 50%. | Signal level between 50% and 66%. |
| III | Signal level between 66% and 83%. | Signal level between 83% and 100%. |

xDSL LED
| State | Meaning |
|---|---|
| off | Not synchronized / no pilot tones. |
| on | The xDSL interface is successfully synchronized. |
| flashing | Data transmission via xDSL. |

Power LED
| State | Meaning |
|---|---|
| off | The router is not connected to the power supply. |
| Connection | Description |
|---|---|
| xDSL | RJ45/RJ48s socket for connecting the TAE socket (DSL line) to the router. |
| WAN | 10/100/1000BaseT interface, RJ45/RJ48s. Automatic detection of speed and cable type (1:1 or crossed). |
| GPS/GNSS | Optional connection for an antenna for position determination via a global navigation satellite system (GPS/GLONASS). |
| Serial | Optional serial interface in the form of a terminal strip (three-pole: Rx, Tx, GND). |
| LAN 1-4 | 10/100BaseT 4-port switch. The ports have their own MAC addresses, are auto-sensing and can be separated virtually (VLAN) as required. |
| USB (2x) | Deactivated by default. The USB ports are intended for future applications (e.g. external logging, UPS management). |
| Cellular MIMO | SMA socket for the second antenna / second antenna cable. |
| Cellular MAIN | Connection for the primary antenna / first antenna cable. This connection is mandatory. |
| Power | Wide-range voltage input 9 V to 30 V DC with coaxial power connector. Optionally available as a terminal strip. |
Our TDT Expert Support Team provides assistance with all aspects of configuring your device and will gladly help you analyze and solve any problems that occur.
You can reach the support hotline Monday to Friday from 08:00 to 18:00 by telephone* at
+49 8703 929-112
or at any time by e-mail to
To ensure an optimal support process, we kindly ask you to provide additional support data with your request. The support data** can be generated on the page Help > TDT-Support.
* Except national bank holidays
** The support data file does not contain any confidential information like passwords or PIN codes.
Carefully open the transport packaging.
Take out the router by folding the cardboard flaps upwards and pulling the device out from under the foil.
Only now connect the router to the power supply.
As soon as the start-up process is completed, the router can be reached via IP.
By »factory default« the VR2020-LD has the IP address 192.168.0.50 and the user name root. The password is generated individually for each router during production and printed on the nameplate.
In addition, IP addresses are provided via DHCP in the standard configuration.
Here the range is defined from
| Password: | Individually generated for each router (see nameplate). If no password is printed, it is identical to the serial number. |
In the delivery state the VR2020-LD has an individual password, which can be found on the nameplate.
Nevertheless, it is strongly recommended to assign your own password before starting the configuration, since the printed password is known to anyone with physical access to the device.
Before mounting the device, write down the nameplate password in order to retain access after a factory reset.
The router can be configured in two ways: via the web interface in a browser, which is the easiest option, or directly via SSH or the serial console.
For access, the configuring PC requires an IP address from the network 192.168.0.0/24, for example 192.168.0.1 with subnet mask 255.255.255.0.
To reach the web interface of the VR2020-LD, simply enter the IP address of the router in the address bar of a browser. In the delivery state the IP address of the interface lan is set to 192.168.0.50. The router is also accessible via the name
Since the web interface can only be accessed via HTTPS (TLS), https:// must be prepended to the IP address.
In the login window that appears, authenticate with the user name root and the corresponding password.
The router also provides a command line, which can be used for analyses.
The shell can be accessed via IP (SSH) or via the serial console on the micro-USB port on the front of the VR2020-LD. In both cases the open source software PuTTY can be used, for example. Recommended PuTTY configurations can be found here
For SSH access, open PuTTY, enter the IP address of the VR2020-LD under Host Name (or IP address) and click the Open button. In the newly opened window, log on to the system with the user name root and the corresponding password.
In a Linux environment, access is gained directly from the terminal with the command ssh root@192.168.0.50 (using the factory-default address).
To access the VR2020-LD via the serial console, a terminal program is required; the connection can also be established with PuTTY.
First connect the console port of the router to the computer with a micro-USB cable. The driver for the USB serial port should then be installed automatically.
Under Windows, the Device Manager can be used to find out which COM port is in use; a USB serial port appears there after successful installation.
The following chart shows the values that must be configured in the terminal program in addition to the COM port for the serial interface.
To get the login prompt, press the Enter key (↵) once. Then log on to the system with the user name root and the corresponding password.
In the web interface, as long as no individual password has been assigned, a warning is displayed with a link to the System > Administration page, where the password can be set.
The new password is entered under Password and repeated under Confirmation. Finally, the new password is accepted with Save & Apply.
An SSH session or a serial console session via micro-USB can also be used to change the password by calling the
One of the first steps after commissioning is usually to adapt the local IP address to the required environment.
To do this, go to the Network > Interfaces menu, select the interface lan and click on Edit.
The IPv4 address and the IPv4 netmask used for the network are entered in the new mask.
Optionally, a separate IPv4 broadcast IP deviating from the default can be entered.
If IPv6 is required instead of IPv4, or if an IPv6 configuration is to be implemented additionally, the necessary settings are also made here.
At the end of this page are the parameters for DHCP, which is active on this interface by default.
If the DHCP server for this interface is to be deactivated, simply put a check mark at
To adjust the DHCP range, the smallest IP address to be assigned is given at Start as an offset from the network address (not from the router's address). In the delivery state 100 is entered here; thus, in the default configuration, 192.168.0.100 is the first IP address available for DHCP clients.
With a larger network, for example a netmask of 255.255.0.0, the offset is counted across octet boundaries in steps of 256. So, assuming a router IP of 10.10.10.254 with a netmask of 255.255.0.0 and a start value of 610, the first address assigned via DHCP would be 10.10.2.98 (610 = 2 × 256 + 98).
Limit indicates the maximum number of IP addresses assigned by the DHCP server. Limit specifies the number of DHCP hosts, not the last address of the range.
In our example, with a DHCP limit of 200, the last possible IP would be 10.10.3.41 (offset 610 + 200 - 1 = 809 = 3 × 256 + 41). Make sure that the resulting range stays inside the subnet and does not include the router's own address.
Further DHCP and DNS settings can be found under Network > DHCP and DNS.
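As an added example (not part of the manual or of the router firmware), the following Python function reproduces the arithmetic of the Start and Limit fields described above: the pool begins at the network address plus Start and contains Limit addresses, so the offset runs across octet boundaries for netmasks shorter than 24 bits. It also performs the two checks a practitioner wants before saving: that the pool stays inside the subnet and that it does not contain the router's own address. The limit of 100 used for the delivery-state call is an assumed value; the manual states only the default start value.

```python
import ipaddress


def dhcp_range(router_ip: str, netmask: str, start: int, limit: int):
    """Compute the DHCP pool configured via the Start and Limit fields.

    Start is an offset from the network address (not from the router IP),
    Limit is the number of addresses handed out.  Returns (first, last) as
    dotted strings.  Raises ValueError when the pool would leave the subnet
    or overlap the router's own address, both of which cause address
    conflicts in the LAN.
    """
    iface = ipaddress.IPv4Interface(f"{router_ip}/{netmask}")
    net = iface.network
    if start < 1 or limit < 1:
        raise ValueError("start and limit must be positive")
    first = net.network_address + start
    last = net.network_address + start + limit - 1
    # The broadcast address may never be handed out to a client.
    if last >= net.broadcast_address:
        raise ValueError(f"pool {first}-{last} exceeds subnet {net}")
    if first <= iface.ip <= last:
        raise ValueError(f"router address {iface.ip} lies inside pool {first}-{last}")
    return str(first), str(last)


def show(router_ip: str, netmask: str, start: int, limit: int) -> None:
    """Print one configuration and the resulting range (demo helper)."""
    first, last = dhcp_range(router_ip, netmask, start, limit)
    print(f"{router_ip}/{netmask} start={start} limit={limit}: {first} - {last}")


if __name__ == "__main__":
    # Delivery state: start 100 (the limit of 100 is an assumed value)
    show("192.168.0.50", "255.255.255.0", 100, 100)
    # Example from the manual: 10.10.10.254/16, start 610, limit 200
    show("10.10.10.254", "255.255.0.0", 610, 200)
    # A pool that would overlap the router's own address is rejected
    try:
        show("192.168.0.50", "255.255.255.0", 40, 20)
    except ValueError as err:
        print("rejected:", err)
```

The function deliberately mirrors the web interface's semantics rather than asking for first and last address, so a configuration can be checked before it is entered; for the manual's /16 example it yields 10.10.2.98 to 10.10.3.41.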
The VR2020-LD allows each switch port to be separated. VLANs are used for this, and the configuration is done via the menu Network > Switch.
The procedure is presented below as an example. The goal is for the port LAN 1 to be used as interface wan2 and the port LAN 2 for a Guest Network (
To simplify the configuration, tables are used.
|VLAN ID||CPU (eth1)||LAN 1||LAN 2||LAN 3||LAN 4|
The new VLANs are inserted via the button Add. The VLAN IDs are entered and the attribute tagged is set for the internal port (CPU, eth1).
Each LAN interface can only be assigned the attribute
The VLAN ID range
4030 is reserved for internal purposes.
|VLAN ID||CPU (eth1)||LAN 1||LAN 2||LAN 3||LAN 4|
Save & Apply activates the configuration.
Afterwards the ports are configured under Network > Interfaces. A new interface is created with Add new interface....
On the configuration page a Name is given, and the newly created VLAN interface is specified under Cover the following interface.
After submitting the data via Send, the configuration is carried out as usual.
The VR2020-LD provides various ways to set up an internet connection: a DSL connection, mobile radio with MultiSIM support, and the WAN port, which can be used for various gateway connections or a connection via an external modem.
In the delivery state, all WAN interfaces are located in the firewall zone wan. External access to the router is not permitted by default.
The router is equipped with a backup system in the default configuration. The order, from the highest priority to the lowest, is wan (Ethernet gateway connection), then xdsl (DSL connection), then wwan (cellular).
The interfaces xdsl (DSL connection) and wwan (cellular) are not started by default.
The router actively sends ICMP packets to check the individual connection paths.
To establish an ADSL or VDSL connection, generally only the provider access data have to be entered.
This is done in the menu Network > Interfaces using the default xdsl interface. The configuration page is accessed via the Edit button.
On the page that now appears, the user name provided by the DSL provider is entered under PAP / CHAP username and the corresponding password under PAP / CHAP password.
Since the interface is not active by default, a checkmark is set at Bring up on boot so that the DSL connection is established after a system start.
The Save & Apply button saves the changes and (re-)establishes the connection.
In the delivery state, the VR2020-LD is prepared so that a mobile radio connection can be established quickly and simply using the SIM card in slot SIM1. The APN is preset to web.vodafone.de in the active SIM profile and no PIN is set.
If a Vodafone SIM card without a PIN query is used, the connection merely has to be started: set a checkmark at Bring up on boot under Network > Interfaces > wwan, and the connection setup is then initiated via the Save & Apply button.
Otherwise only a few steps are required to establish a connection.
The interface is configured on the menu page Network > Interfaces > wwan.
On the wwan Edit page, the SIM profile to be used is selected under SIM and the default SIM slot under Default SIM.
Pressing the Save & Apply button accepts the changes immediately and establishes the connection with the new parameters.
If the provider is not preconfigured or a PIN is required, this is configured at Network > Mobile Service under the tab SIM Profiles. In the SIM Configuration tab the PIN and, after a failed entry, also the PUK can be entered and verified. The PIN can also be changed here and the PIN request activated or deactivated; an active PIN request prevents a SIM card removed from the device from being used elsewhere without the PIN.
The VR2020-LD offers the possibility for the interface wwan to switch automatically between two provider SIM cards.
To switch on this function, which is deactivated in the delivery state, set the checkmark Activate DualSIM support on the configuration page Network > Interfaces > wwan. The feature Automatically establish/recover connection must be activated for this.
The recovery time specifies when the router automatically attempts to switch back from the backup to the standard SIM slot. If never is selected, the router remains on the backup connection until an error is detected.
The change is accepted with Save & Apply.
To change an existing SIM profile in the menu Network > Mobile Service > SIM Profiles, for example if the PIN request is activated, the PIN for the SIM card is entered in the corresponding profile.
If a user name and password are additionally required, the type of WWAN Authentication is specified and the access data are entered under PAP / CHAP username and PAP / CHAP password.
Allowed network modes can be defined for each SIM profile. It is also possible to set the PLMN (Public Land Mobile Network code), for example to actively prevent roaming onto foreign networks.
The configuration is saved with Save & Apply. To activate the changes, the wwan interface must be reconnected under Network > Interfaces.
To set up an internet connection via a gateway that provides DHCP, generally no changes are necessary; the WAN port is simply connected to the gateway.
To configure the WAN interface permanently with a static IP address, go to the menu Network > Interfaces and press Edit at the wan interface to open the configuration dialog.
The Protocol is changed from DHCP Client to Static address and the change is confirmed by the button provided for this purpose.
The IPv4 address, the IPv4 netmask and the address of the gateway to be used (IPv4 gateway) are then set in the new mask.
For name resolution, at least one DNS server must be entered under Use custom DNS servers.
Optionally, a separate IPv4 broadcast IP deviating from the default can be entered.
If IPv6 is required instead of IPv4, or if an IPv6 configuration is to be implemented additionally, the necessary settings are also made here.
TDT routers are shipped with a zone-based firewall as standard.
In the delivery state all WAN interfaces are located in the firewall zone wan. External access to the router is not permitted by default, and access from the zone wan to local devices behind the VR2020-LD is rejected.
Local interfaces are located in the zone lan of the firewall, which is not subject to any restrictions.
On the overview page of the firewall you first find the option to set the behavior that applies to interfaces without a zone.
The combined view of the firewall zones shows the zones with the interfaces they contain, as well as which forwardings into other zones are allowed. This describes the behavior when a packet arriving at the router is routed on into another zone. An example is a request from a client computer to a web server: the packet arrives on an interface of the zone lan and is passed on to the zone wan via a routing entry, i.e. it is »forwarded«.
A port forwarding, as the name implies, is another example of a »forwarded packet«.
In addition, the view defines how packets addressed to an IP address of the router (input) and packets generated by the router itself (output) are handled.
Outgoing »Masquerading«, a special form of source NAT, can be enabled for a zone here with the function Masquerading. It replaces the sender IP address with the address of the interface through which the data stream leaves towards its destination.
The MSS Correction function (MSS clamping) adjusts the TCP »Maximum Segment Size« advertised in passing connection setups to the MTU of the outgoing interface. It is mainly used for DSL connections, where the maximum transmission unit (MTU) is usually smaller than the 1500 bytes common in local networks and Path MTU Discovery does not always work reliably.
Forwarded packets are rejected in the default configuration unless they are port forwarding packets (DNAT).
Note that a port forwarding accepts connections from the entire external zone; if access is to be restricted to certain senders, this must be specified in the port forwarding rule itself.
Port forwardings can be set up quickly and easily under Firewall > Port Forwards.
To do this, a Name is specified for the port forwarding, the Protocol is selected, the zone on which the requests arrive is chosen under External zone, and the addressed port is stated under External port.
For the local side, the Internal zone, the Internal IP address of the destination and the Internal port to be addressed on the target device are specified.
With Add the rule is created with the specified parameters. To activate the rule, press Save & Apply.
Under Firewall > Traffic Rules, opened ports can be managed.
Several predefined rules can be found here, some of which are not activated.
To activate or deactivate a rule as needed, the checkmark in the Activate column of the overview table is set or removed, and the change is applied with Save & Apply.
To allow access to a port of the VR2020-LD itself, a name for the rule is assigned in the area Open ports on the router, the Protocol and the External port are specified, and the rule is created via Add.
The newly created rule can then be further restricted via Edit, for example to allow access only from a defined sender (
Among other things, the Source zone, where the packet arrives at the router (the zone wan is set here by default), and the Destination zone can be adapted. When you create the rule using the
Open ports on the router routine, the
Destination zone is set to the value at
To change an incorrectly defined rule from Accept input to Accept forward, the Destination zone is adapted to the desired zone.
A few more filters can also be set for the rule here.
Save & Apply saves the rule with the changes and puts it into effect.
If, however, a device in the local network is to be reached from outside, for example via port forwarding, a New forward rule must be created.
It is added on the Firewall > Traffic Rules page and opened immediately, specifying a rule name, the Source zone (in this case wan) and the Destination zone (lan for the local devices), using Add and edit.... Here the Destination port is specified.
Other filters are adjusted as already described under Open ports for access to the router.
With Save & Apply the new rule is saved and activated immediately.
Dynamic DNS allows the VR2020-LD to remain reachable under the same host name even if the public IP address changes.
To set up a dynamic DNS update, go to the Services > Dynamic DNS area, where a new entry can be added.
On the configuration page, first set the Lookup Hostname and select whether an IPv4 or an IPv6 address is to be updated.
Then the DDNS service provider is picked, for example dyntdt.de. If the service you are using is not yet listed, it can be set up manually via the -- custom -- option.
In that case, for example, https://[USERNAME]:[PASSWORD]@www.dnshome.de/dyndns.php?ip=[IP] is entered as Custom update-URL if https://www.dnshome.de is the provider.
The exact form of the update URL can usually be found on the pages of the service provider.
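The placeholders [USERNAME], [PASSWORD] and [IP] in such a template are substituted by the DDNS client before the update request is sent. The following Python snippet is an added example, not part of the manual or of the router firmware, of doing that substitution safely: credentials are percent-encoded so that characters such as @, : or / in a password cannot corrupt the URL, templates without https are rejected because the credentials would otherwise travel in cleartext, leftover unknown placeholders are detected, and a redaction helper produces a form of the URL that is safe to write to a log. The provider URL is the one quoted above; user name, password and IP address are made-up test values.

```python
import re
from urllib.parse import quote, urlsplit

# Template exactly as entered under "Custom update-URL" in the example above
TEMPLATE_DNSHOME = "https://[USERNAME]:[PASSWORD]@www.dnshome.de/dyndns.php?ip=[IP]"

# Any remaining token of the form [NAME] is a placeholder we did not know how to fill
PLACEHOLDER = re.compile(r"\[[A-Z0-9_]+\]")


def build_update_url(template: str, username: str, password: str, ip: str) -> str:
    """Fill a DynDNS update-URL template of the kind used in the web interface.

    Raises ValueError if the result does not use https (the credentials
    would be sent in cleartext and could be read on the path) or if an
    unknown placeholder remains unfilled.
    """
    url = (template
           .replace("[USERNAME]", quote(username, safe=""))
           .replace("[PASSWORD]", quote(password, safe=""))
           .replace("[IP]", quote(ip, safe=":.")))  # ':' kept for IPv6 literals
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"update URL must use https, got {parts.scheme!r}")
    leftover = PLACEHOLDER.findall(url)
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    return url


def redact_url(url: str) -> str:
    """Return the URL with the password replaced by *** so it can be logged."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return parts._replace(netloc=f"{parts.username}:***@{host}").geturl()


if __name__ == "__main__":
    # Constructed credentials; the password deliberately contains URL-special characters
    url = build_update_url(TEMPLATE_DNSHOME, "alice", "p@ss/w:rd", "203.0.113.7")
    print("request :", url)
    print("for log :", redact_url(url))
    try:
        build_update_url(TEMPLATE_DNSHOME.replace("https://", "http://"), "alice", "x", "203.0.113.7")
    except ValueError as err:
        print("rejected:", err)
```

Run stand-alone, the script prints the filled URL, its redacted form and the rejection of the http variant; the same checks apply to any provider template of this shape.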
After this the Username and Password are entered.
To transfer the data securely, it is recommended to enable Use HTTP Secure. Under Path to CA-Certificate the storage location of the CA certificate is entered; if it is not available, IGNORE can be selected, but the server certificate is then not validated, so the credentials could also be sent to a spoofed server.
In the Advanced Settings tab, the IP address source to be updated is now selected. The default here is
Network and for
network it is
Save takes over the new settings.
Back on the overview page, the checkmark is set at Enabled and the settings are saved and activated via Save & Apply.
A VPN creates another network on top of an existing one. Many different approaches are available for this purpose. It is often mistakenly assumed that a virtual private network is inevitably a secure data transmission, secured by means of authentication and encryption. This is not necessarily the case.
Nowadays two different technologies are used for the implementation of a VPN, IPsec and OpenVPN.
VPNs are used, for example, to link several company sites (site-to-site) or to connect external or travelling employees (road warrior) to (local) enterprise services.
The two approaches are briefly outlined below.
In addition, the VR2020 series routers contain the VPN solution WireGuard as a further option. It offers modern cryptographic procedures and a simple configuration of cross-platform remote access from different end devices.
IPsec is the abbreviation for Internet Protocol Security. It enables secure communication over potentially insecure IP networks such as the Internet.
Unlike encryption protocols that work on the transport layer, e.g. TLS (SSL), IPsec works directly on the internet layer of the TCP/IP protocol stack. This makes it transparent to applications.
IPsec uses two phases to negotiate a connection.
In the first phase (Internet Key Exchange, IKE) the peers authenticate each other, generate secret keys over several steps and negotiate a security association (SA), the so-called ISAKMP-SA or IKE-SA (ISAKMP stands for Internet Security Association and Key Management Protocol).
Authentication is performed, for example, via a pre-shared key (PSK) or via certificates (RSA or ECDSA).
In the second phase (Quick Mode in IKEv1, CREATE_CHILD_SA in IKEv2) all communication is already encrypted, protected by the IKE SA. Further SAs are negotiated here, which are used for the actual data exchange. This »data SA«, usually referred to as IPsec-SA or CHILD_SA, has its own keys; with Perfect Forward Secrecy they are derived from a fresh Diffie-Hellman exchange, so that the keys of the IKE SA alone do not allow the data traffic to be decrypted.
The data is transferred in one of two modes, transport or tunnel mode, using either the Authentication Header (AH) or the Encapsulating Security Payload (ESP); ESP is used as a rule.
AH inserts an additional header after the normal IP header. ESP likewise inserts a header that carries the Security Parameters Index (SPI). The presence of these headers is indicated by the protocol number in the IP header (50 for ESP, 51 for AH).
Transport mode: only the packet payload is protected, the original IP header is retained.
  AH: an additional authentication header follows the normal IP header.
  ESP: the payload of the packet is encrypted, the IP header is retained.
Tunnel mode: the original packet is encapsulated in a new packet.
  AH: a new IP packet is created containing an authentication header over the original packet.
  ESP: the complete original IP packet is encrypted and encapsulated in a new packet.
To successfully establish an IPsec connection, a number of points have to be considered and clarified in advance.
At least one side must be reachable via a public IP address.
Authentication and encryption parameters must be agreed.
The networks / hosts to be connected must be known.
On the central site (the responder), the following must be permitted or forwarded in the firewall:
| Port | Protocol | Purpose |
|---|---|---|
| - | ESP (IP protocol 50) | Encapsulating Security Payload, carries the protected data. |
| 500 | UDP | Source and destination port for IKE (Internet Key Exchange). |
| 4500 | UDP | NAT Traversal (NAT-T); required if one IPsec peer is behind a NAT gateway or a masquerading firewall. IKE and UDP-encapsulated ESP then use this port. |
The IPsec implementation strongSwan is used in current firmware versions. Detailed documentation and sample configurations can be found in the strongSwan Wiki.
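The two phases, the AH/ESP headers and the port table above together describe what the firewall of an IPsec peer (and any packet filter in between) has to let through. The following Python script is an added example, not part of the manual or of strongSwan: it builds a few constructed IPv4 packets and classifies each one as IKE (UDP 500), NAT-T traffic on UDP 4500 (distinguishing IKE with the non-ESP marker, UDP-encapsulated ESP and NAT keepalives), ESP (IP protocol 50) or AH (IP protocol 51), extracting the SPI where present. Addresses and SPIs are made-up test values; checksums are left at zero because the classifier does not need them.

```python
import struct

# IP protocol numbers and UDP ports relevant for IPsec (RFC 4302/4303, RFC 7296, RFC 3948)
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
PORT_IKE, PORT_NATT = 500, 4500


def _addr(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4 packet: 20-byte header, checksum left at zero."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         _addr(src), _addr(dst))
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left at zero) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify_ipsec(pkt: bytes):
    """Return a label for the IPsec component carried by an IPv4 packet,
    or None if the packet is not IPsec-related."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]

    if proto == PROTO_ESP and len(payload) >= 8:
        # ESP header: SPI (4 bytes), sequence number (4 bytes), then ciphertext
        (spi,) = struct.unpack("!I", payload[:4])
        return f"ESP spi=0x{spi:08x}"

    if proto == PROTO_AH and len(payload) >= 12:
        # AH header: next header, payload length, reserved (2), SPI, sequence, ICV
        (spi,) = struct.unpack("!I", payload[4:8])
        return f"AH spi=0x{spi:08x}"

    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if PORT_IKE in (sport, dport):
            return "IKE (UDP 500)"
        if PORT_NATT in (sport, dport):
            # RFC 3948: a single 0xFF byte is a NAT keepalive; four zero bytes
            # (the "non-ESP marker") precede IKE messages; anything else is ESP
            # in UDP, whose SPI is never zero.
            if data == b"\xff":
                return "NAT-T keepalive (UDP 4500)"
            if len(data) >= 4 and data[:4] == b"\x00\x00\x00\x00":
                return "IKE over NAT-T (UDP 4500, non-ESP marker)"
            if len(data) >= 8:
                (spi,) = struct.unpack("!I", data[:4])
                return f"UDP-encapsulated ESP spi=0x{spi:08x} (UDP 4500)"
    return None


def sample_packets():
    """Constructed test traffic between two made-up peers."""
    a, b = "203.0.113.10", "198.51.100.1"
    esp = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
    ah = struct.pack("!BBHII", 4, 4, 0, 0x00001234, 1) + b"\x00" * 12
    return {
        "ike": build_ipv4(PROTO_UDP, a, b, build_udp(PORT_IKE, PORT_IKE, b"\x00" * 28)),
        "ike_natt": build_ipv4(PROTO_UDP, a, b, build_udp(PORT_NATT, PORT_NATT, b"\x00" * 32)),
        "esp_udp": build_ipv4(PROTO_UDP, a, b, build_udp(PORT_NATT, PORT_NATT, esp)),
        "keepalive": build_ipv4(PROTO_UDP, a, b, build_udp(PORT_NATT, PORT_NATT, b"\xff")),
        "esp": build_ipv4(PROTO_ESP, a, b, esp),
        "ah": build_ipv4(PROTO_AH, a, b, ah),
        "tcp": build_ipv4(6, a, b, b"\x00" * 20),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:10s} -> {classify_ipsec(pkt)}")
```

A rule set that only opens UDP 500 and UDP 4500 but forgets IP protocol 50 will let the IKE negotiation succeed while the actual tunnel traffic is dropped; running captured packets through a classifier like this one shows which of the three components is missing.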
OpenVPN is not an insecure VPN solution, as the name might suggest. »Open« simply expresses the fact that the source code is open and free of charge. The software is licensed under the GNU GPL and supports a variety of (modern) operating systems.
OpenVPN sets up virtual private networks over an encrypted TLS connection (Transport Layer Security, more widely known under the name of its predecessor SSL, Secure Sockets Layer). Authentication can be done via user name / password, certificates or a static pre-shared key.
A routed VPN (Layer 3) can be established with the help of OpenVPN. In this case an encrypted tunnel is established between two addresses of a dedicated subnet, the so-called transfer network. This is a simple form of secure communication between two endpoints.
In routing mode only IP packets are transported through the VPN tunnel; Layer 2 data are not transferred. Particularly with low-bandwidth or volume-limited internet connections this variant is preferable, since without the Ethernet frames considerably less data is transmitted through the tunnel.
The bridged VPN variant offers the advantage of tunneling complete Ethernet frames (Layer 2). A client is integrated fully transparently and receives an IP address from the remote subnet. This mode therefore also allows the use of non-IP protocols such as IPX and supports the transmission of Wake-on-LAN packets.
WireGuard is a comparatively young technology for implementing secure and high-performance virtual private networks (VPNs) with little effort. It is an open source protocol and open source software intended as an alternative to established VPN solutions such as OpenVPN or IPsec.
WireGuard was developed with the aim of making VPNs simpler. Compared to existing solutions, the configuration of VPN connections is meant to be easier and faster.
WireGuard works on Layer 3 of the OSI model and supports both IPv4 and IPv6. The software is deliberately kept simple and clear; the original implementation consists of roughly 4,000 lines of code, whereas other VPN solutions sometimes run to several hundred thousand lines. WireGuard was developed by Jason A. Donenfeld and is available for various platforms such as Linux distributions, macOS, Android and iOS. On Linux the code runs as a kernel module and achieves high performance. VPN providers such as Mullvad and AzireVPN have offered services based on WireGuard since 2018.
WireGuard has been part of the mainline Linux kernel since version 5.6 (released in March 2020).
The following goals were pursued when designing the VPN alternative:
WireGuard is characterized by its simplicity compared to the mostly very complex existing VPN solutions. It offers few configuration options and is limited to the essentials, which makes it easy to use and its security easy to audit; possible weaknesses are easier to find in the manageable code base. To achieve a high level of security when encrypting data, WireGuard uses modern cryptographic methods. The identity of a VPN peer is its public key, and, similar to SSH, connections are established by exchanging public keys. The architecture follows the peer-to-peer model.
WireGuard uses a fixed set of cryptographic primitives to establish connections and exchange data; unlike IPsec or OpenVPN, no algorithms are negotiated between the peers. The main primitives are:
Keys are exchanged in a handshake using Curve25519 (elliptic-curve Diffie-Hellman). BLAKE2s serves as the hash function, for keyed hashing (HMAC) and for key derivation (HKDF). ChaCha20 together with Poly1305 (ChaCha20-Poly1305) provides the authenticated encryption of the transported data. In addition to native support for IPv4 and IPv6, IPv4 can be encapsulated in IPv6 and vice versa.
Linus Torvalds also showed himself to be a fervent supporter of the incorporation. As the Linux father confirmed in the course of including network patches from the experimental branch of the kernel, he too sees the common alternatives as too cumbersome and too complicated. According to Torvalds, WireGuard is a work of art in direct comparison with the »horror of OpenVPN and IPsec«. »He therefore loves the implementation, even if it is not yet perfect, and would like it to be included in the kernel soon,« says Torvalds.
Source: Security Insider
The router offers various possibilities to manage configurations under System > Backup / Flash Firmware.
To create a configuration backup, the Generate archive button is pressed on the Download backup page.
The configuration is then packed and offered for download. If the browser is set to “Automatically save to the following folder”, the configuration is stored in the specified folder (in most browsers the Downloads folder by default).
The file name is created according to the scheme YYYY-MM-DD-backup HOSTNAME.tar.gz. If the browser asks before saving, the file name can be chosen freely, but the .tar.gz ending must be retained.
The configuration can be stored locally on the PC or in the server infrastructure after downloading.
Once created, a backup can be imported again at any time, also on another, identical device.
To do this, the desired file is selected locally in the Restore backup section and restored using the Upload archive... button. The saved configuration is loaded and the changes are activated by a reboot.
The delivery state can be restored in three ways: via the web interface, via the command line, or via the reset button.
The factory reset can be triggered via the web interface on the menu page System > Backup / Firmware Update, in the Restore delivery state section, by pressing the
In order to restore the delivery state via the command line, run firstboot and confirm the reset with y (= yes).
An update of the router firmware can be carried out in the web interface in two ways: via a manual upload of the firmware image, or online via the TDT update server.
In the Write new firmware image section on the menu page System > Backup / Flash Firmware, the file is selected on the local system using
Keep configuration is preselected by default. If the router is to start with factory settings after the update, the checkmark must be removed at this point.
The update process is started by pressing
First the checksum is verified. If it is correct, the image can be flashed with Proceed; it is also possible to abort the process at this point.
In the menu under System > Online Firmware Update you can search for a newer software version on the TDT update server.
To do this, click on Check for updates. The server is queried and the result is displayed accordingly.
If a new firmware image is available, you can install it directly from this page.
Here, too, the Keep Configuration checkbox is checked by default. To start with the factory settings after the update, the checkmark must be removed at this point.
The process is started using Flash image... under Perform update. First the signature and then the checksum are verified. If both are correct, the new firmware is flashed without a further confirmation prompt.
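Added example, not TDT's own code: a small Python check that can be run on the PC before a file is uploaded to the router, so that a corrupted or tampered firmware image is caught before the router's own checksum review, and a configuration backup (see the backup section above) can be verified against the checksum recorded right after it was downloaded. It assumes a checksum file in the usual sha256sum format (one line per file); the file names and contents used in demo() are constructed placeholders.

```python
import hashlib
import hmac
import re

# One line per file in the format written by `sha256sum`: "<64 hex chars>  <file name>"
# (a '*' instead of the second space marks binary mode; both forms are accepted).
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Map file name -> expected hex digest; malformed lines are ignored."""
    sums = {}
    for raw in text.splitlines():
        m = SUMS_LINE.match(raw.rstrip("\r\n"))
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_download(name: str, data: bytes, sums_text: str) -> str:
    """Return 'ok', 'mismatch' or 'no-checksum' for a downloaded image or archive.
    Only 'ok' should be followed by an upload to the router."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return "no-checksum"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is the habit to keep for digest comparisons, even in a local check
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def backup_name_ok(name: str) -> bool:
    """A backup archive may be renamed freely, but must keep the .tar.gz ending."""
    return name.endswith(".tar.gz") and len(name) > len(".tar.gz")


def demo() -> dict[str, str]:
    """Constructed sample data: a firmware image and a backup archive with a matching
    checksum file, plus a tampered image and a file the checksum file does not list."""
    image = b"\x00" * 16 + b"constructed-firmware-image"
    backup = b"constructed-backup-archive"
    sums_text = (
        f"{hashlib.sha256(image).hexdigest()}  vr2020-ld-firmware.bin\n"
        f"{hashlib.sha256(backup).hexdigest()} *2023-01-01-backup-router.tar.gz\n"
        "not a checksum line\n"
    )
    return {
        "image": verify_download("vr2020-ld-firmware.bin", image, sums_text),
        "backup": verify_download("2023-01-01-backup-router.tar.gz", backup, sums_text),
        "tampered": verify_download("vr2020-ld-firmware.bin", image + b"x", sums_text),
        "unknown": verify_download("other.bin", image, sums_text),
    }


if __name__ == "__main__":
    for item, status in demo().items():
        print(f"{item}: {status}")
```

A result of "no-checksum" is treated as a failure rather than a pass on purpose: a file for which no reference value exists has not been verified, and the router's signature check on the online update path exists for exactly that reason.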
The DSL front end can be deactivated under System > Startup. For this purpose, search for the dsl_control process on the page and press the Disable button so that it is not loaded during a system startup.
To disable DSL during operation, the dsl_control process is stopped by clicking on
In order to work optimally with the router in Windows environments, the following PuTTY settings are recommended.
The Disable application keypad mode option is set under Terminal > Features. This makes working in vi easier, for example, since the numeric keypad then remains usable.
In the Window menu, the value of Lines of scrollback is set to 20000 lines to be able to scroll backwards.
In order to display the characters correctly, the appropriate character set should be selected under Window > Translation.
Since the color blue is hard to read on PuTTY's black background, it is recommended to change it. This is configured under Window > Colors: in Select A Color to adjust, choose ANSI Blue. The values corresponding to Green are set to
Under Connection, the value of Seconds between keepalives can be set in order to maintain the SSH session.
Especially for slow connections, under
Connection > SSH you can set the checkbox for
Enable Compression to transfer the data compressed.
Finally, the serial communication can be configured via the menu Connection > Serial. The values are set according to the following table.
The settings are then stored as the default or as a separate profile under Session. For this purpose, either the profile Default Settings is selected, or a separate session name is entered in the input field, and the settings are saved with the button
|Link|Description|
|---|---|
|www.tdt.de|Official homepage of TDT AG|
|download.tdt.de|Download area on the official TDT homepage|
|OpenVPN|OpenVPN: official open-source page|
|PuTTY|PuTTY, an open-source SSH client|
|strongSwan|Official page about strongSwan IPsec|
|strongSwan Wiki|strongSwan IPsec: documentation and configuration examples|
|WireGuard|WireGuard®: the official web page|
|Security Insider: WireGuard|Security Insider: Definition: What is WireGuard®? (German)|