Manual VR2020-LD

Version 2.0.0

Imprint

Liability

The compilation of text and illustrations for this manual has been undertaken with the greatest care. However, errors and omissions cannot be completely ruled out.

The publisher accepts absolutely no responsibility for incorrect information.

We reserve the right to make changes to this documentation and the products described herein at any time without prior notice.

Contact

Our document department will be pleased to assist you should you experience problems with this document.

Copyright

TDT AG
Siemensstraße 18
84051 Essenbach

Tel.: +49 (8703) 929-00
Fax: +49 (8703) 929-201

Web: www.tdt.de
Email: support@tdt.de

© 2020 TDT AG – Stefan Haunreiter



We wish you success and enjoyment
Your TDT Team

1 Safety instructions

This documentation contains instructions that need to be complied with for the safety of the user and/or to prevent damage to the VR2020-LD.

As part of ongoing security testing TDT always strives to design its products as secure as possible and attaches great importance to compliance with current safety and quality standards during development and regular firmware updates.

1.1 General safety instructions

1.2 Safety instructions for devices with cellular equipment

If the router contains a GSM modem and/or WLAN transmitter module, the following must also be considered:

2 Product information

2.1 Description VR2020-LD

The VPN router – VR2020-LD with VDSL / ADSL and cellular communications – is manufactured to the highest quality standards and is highly suitable for the establishment of secure branch networks as well as for the connection of mobile external sites due to its flexibility.

The VR2020-LD offers high-speed internet access with an extremely high reliability through its intelligent backup management and the use of two SIM cards (Dual SIM support).

In order for the router to operate on all modern xDSL connections, including all-IP, the VR2020-LD has an integrated DSL modem that supports the ADSL / ADSL2 / ADSL2+ and VDSL / VDSL2 standards as well as VDSL2 vectoring.
The 2G, 3G and 4G (LTE = Long Term Evolution) radio connections are handled by a multiband modem that supports the LTE, HSPA+, HSDPA / HSUPA, UMTS, EDGE and GPRS standards.

The ethernet WAN port allows you to implement any type of gateway connections, as well as the installation of external modems (e.g., SDSL, cable, FTTH).

Via a permanently built-in VPN tunnel, a VR2020-LD router can be easily integrated into a branch network, or connected to a central office, and is directly accessible via private IP addressing.

In this case, DynDNS is not required for access, but can be set up at any time.

The fully implemented VPN standards IPsec and OpenVPN ensure the highest level of security during data transmission. The authentication is optionally performed by stored certificates or pre-shared keys, while the VPN router supports all modern encryption algorithms such as AES with up to 256 bit key length.

In terms of security, the integrated Trusted Platform Module (TPM) is also particularly noteworthy which is used for the secure storage of secret keys. Cryptographic keys can be generated, used and safely stored within the TPM with the support of the integrated and safe random number generator (RNG).
The Trusted Platform Module provides both protection against software attacks as well as hardware manipulation.

A configurable high-security firewall is available to protect your network against attacks. This can be easily adapted to your individual needs by means of rules and scripts.

The VPN router can be configured comfortably – both locally and remotely – via the intuitive web interface. Experts can also manage the VR2020-LD via command line (SSH).

Automated remote configuration / maintenance via TDT ACS – an Auto-Configuration Server according to the TR-069 standard – as well as monitoring via a network management system such as Check_MK are available for use in branch networks.

2.2 EU declaration of conformity

Hereby, TDT declares that the radio equipment type VR2020-LD is in compliance with Directive 2014/53/EU.

The full text of the EU declaration of conformity is available at the following internet address: download.tdt.de

2.3 Package contents

The following accessories are included with the VR2020-LD router:

2.4 Front Side

On the front of the VR2020-LD router are arranged from left to right:

Warning!

  • To prevent damage to the device or the SIM card, said card is only to be inserted or removed in a voltage-free state!

2.4.1 LED status

LAN
off: No link on any of the LAN ports.
on: At least one LAN port has an active link.
flashing: Data transfer via at least one LAN port.
WAN
off: No link on the WAN port.
on: The WAN port has an active link.
flashing: Data transfer via the WAN port.
Cellular
off: If the signal LEDs are off as well, the router is not registered on any mobile cell and has no signal in its network. If any signal LED is on, the router is registered in the 2G network (GPRS / EDGE).
blinking: The router is registered in the mobile network and a 3G signal (UMTS / HSPA / HSPA+) is present.
on: The current technology is 4G (LTE) and the router is registered in a cell.
If all signal LEDs are off, the router is not registered in the cellular network or has no signal level at all.
Signal LEDs
LED blinking on
I blinking: Registered on a mobile cell, signal level between 0% and 17%. on: Signal level between 17% and 33%.
II blinking: Signal level between 33% and 50%. on: Signal level between 50% and 66%.
III blinking: Signal level between 66% and 83%. on: Signal level between 83% and 100%.
xDSL
off: Not synchronized / no pilot tones.
blinking: Synching / training phase.
on: The xDSL interface is successfully synchronized.
flashing: Data transmission via xDSL.
Power
off: Router is not connected to the power supply.
on: Voltage applied.

2.4.2 Reset button

Reset button actions
Duration Action
press briefly (<1 second) : Restarts the router.
press and hold (>5 seconds): Resets the device to its factory defaults.

2.5 Rear side

Connection overview
Connection Description
xDSL RJ45/RJ48s connection for linking the TAE socket to the router.
WAN 10/100/1000BaseT interface RJ45/RJ48s.
Features an automatic speed detection as well as the cable type (1:1 or crossed).
GPS/GNSS Optional connection for an antenna determining the position via a global navigation satellite system (GPS/GLONASS).
Serial Optional serial interface in the form of a clamping strip (triple-pole Rx, Tx, GND).
LAN 1-4 10/100BaseT 4-Port switch.
These ports have their own MAC addresses, are auto-sensing and can be separated virtually as required.
USB (2x) Deactivated by default.
The USB ports are intended for future applications (e.g. for external logging, UPS management).
Cellular MIMO SMA socket for the connection of the second antenna / second antenna cable.
Cellular MAIN Connection for the primary antenna / first antenna cable. This connection is mandatory.
Power Wide range voltage input 9V..30V DC with coaxial power connector. Optionally available as clamping strip.

3 TDT-Support

Our TDT Expert Support Team offers and provides assistance with all aspects concerning the configuration of your device. We will be glad to help you analyze and solve occurring problems.

You can reach the support hotline Monday to Friday from 08:00 to 18:00 by telephone* at

+49 8703 929-112

or at any time by e-mail to

support@tdt.de.

To ensure an optimal support process, we kindly ask you to provide additional support data with your request. The support data** may be generated using the page Help > TDT-Support.

* Except national bank holidays
** The support data file does not contain any confidential information like passwords or PIN codes.

4 First Steps

4.1 Initiation

Warning

  • To prevent damage to the device or the SIM card, said card is only to be inserted or removed in a voltage-free state!

Caution

  • To prevent damage caused by condensation the router must be brought to room temperature before it is supplied with voltage.
  • Therefore, the router should be taken out of the packaging about one hour before initiation.
  • In order to avoid damage to the device, handle with care.
  1. Carefully open the transport packaging.

  2. Take out the router by folding the cardboard flaps upwards and pulling out the device under the foil.

  3. Connect the necessary cables to the router (see Connection overview), for example:
    • Ethernet cable to the LAN-port.
    • Ethernet cable to the WAN-port.
    • TAE cable to the xDSL-socket.
    • Antenna cables for mobile radio at the designated ports.
  4. Only now connect the router to the power supply.

As soon as the initiation process is completed the router can be reached via IP.

Caution

  • It can take up to two minutes for the router to be reachable when booting the first time.

4.2 Login details and IP addresses

In the factory default state the VR2020-LD has the IP address 192.168.0.50 and the user name root. The password is generated individually for each router during production and printed on the nameplate.

Besides, IP addresses are also provided via DHCP in the standard configuration.

Here the range is defined from 192.168.0.100 to 192.168.0.250.

Login details and IP addresses in the delivery state
Parameter Value
IP address: 192.168.0.50
DNS name: tdt.router or VR2020-LD.lan
Username: root
Password: Individually generated for each router (see nameplate).
If no password is printed, the password is the serial number.

Warning

  • In the delivery state, the VR2020-LD has an individual password which can be found on the nameplate.

  • Nevertheless, it is highly recommended to assign an individual password before starting the configuration!

  • Before mounting the device, write down the password in order to retain access after a factory reset.

4.3 How to connect to the router?

The router can be configured in two ways: via the web interface, which allows easy configuration in a web browser, or by connecting directly to the router via SSH or the serial interface.

Caution

  • When trying to access the router via LAN the PC must be located in the same network as the router.

Note

  • IPs are provided via DHCP by default configuration.
  • If the IP address is not automatically obtained, an IP address from the range 192.168.0.0/24 is required. For example, 192.168.0.1 with subnet mask 255.255.255.0.

4.3.1 Access via the web interface

To reach the web interface of the VR2020-LD via a browser, simply enter the IP address of the router in the address bar. In the delivery state the IP address of the interface lan is set to 192.168.0.50. The router is also accessible via the name tdt.router.

Since the web interface can only be accessed via SSL, https:// must be prepended before the IP address.

Example:

https://tdt.router or https://192.168.0.50

In the now appearing login window you authenticate yourself with the user name root and the corresponding password.

Warning

4.3.2 Command line

The router also has a command line at its disposal that can be used to easily run analyses.

The shell can be accessed via IP or serial via the micro-USB port on the front of the VR2020-LD. In both cases access can be realized, for example, by using the open source software PuTTY. Recommended PuTTY configurations can be found here

4.3.2.1 Secure shell (SSH) via IP

For SSH access you open PuTTY, enter the IP of the VR2020-LD at the Host Name (or IP address) and click the Open-button. In the newly opened window, log on to the system with the user name root and the corresponding password.

In a Linux environment access can be gained directly via the terminal by using the command ssh root@192.168.0.50.

4.3.2.2 Serial via USB configuration port

In order to access the VR2020-LD via serial, a terminal program is required. The connection can also be established via PuTTY.

First connect the router with a micro-USB cable via the console port to the computer. The driver for the USB serial port should then be installed automatically.

When trying to find out which COM interface is used, the device manager can be utilized under Windows. A USB serial port should appear after successful installation.

The following chart shows the values that must be configured in the terminal program in addition to the COM port for the serial interface.

Parameter for the terminal program
Parameter Value
Speed (baud): 115200
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None

To get the login prompt, press the Enter key once. Afterwards you can log on to the system with the user root and the corresponding password.

5 Quick Start

5.1 Set/change password

Attention!

  • It is strongly recommended to set an individual password before starting the configuration!

In the web interface – as long as no individual password has been assigned – a warning including a link to the System > Administration page is displayed, where the password can be set.

Here the Password is entered and is to be repeated via Confirmation. Finally, the new password is accepted with Save & Apply.

An SSH session or the micro-USB configuration port can also be used to change the password by calling the passwd command.

Warning

  • A secure password should be chosen for your own safety!

5.2 Customize the LAN interface(s)

One of the first steps after commissioning is usually to adapt the local IP address to the required environment.

In order to do this, go to the Network > Interfaces menu, select the interface lan and click on the Edit button.

The IPv4 address and the IPv4 netmask used for the network are now entered in the form that opens.

Optionally a separate IPv4 broadcast IP deviating from the standard can be entered.

If IPv6 is required instead of IPv4 or if an IPv6 configuration is to be implemented additionally, the necessary settings are also executed here.

5.2.1 Customize DHCP-Server

At the end of this page are parameters for DHCP, which runs at this interface by default.

If the DHCP server for this interface is to be deactivated, simply put a check mark at Ignore interface.

To adjust the DHCP range, the smallest IP address to be assigned is given at Start. In the delivery state 100 is assigned here.

Note

  • It is counted starting from 1. Thus, in the default configuration 192.168.0.100 is the first IP address available for DHCP clients.
  • For larger networks, for example with a netmask of 255.255.0.0, the number is incremented accordingly in 256 steps.
  • An indication of the start IP is also possible in this field, which is easier for larger networks.

So, assuming the router IP 10.10.10.254 with the netmask 255.255.0.0 and a start value of 610, the first address assigned via DHCP would be 10.10.2.98.

The value Limit indicates the maximum number of IP addresses allowed by the DHCP server.

Note

  • The parameter Limit can only specify the number of DHCP hosts.

In our example, if the DHCP limit is 200, the last possible IP would be 10.10.3.41.
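The Start/Limit arithmetic above is easy to get wrong for netmasks wider than /24, because the Start value is an offset from the network address that carries into the higher octets. The following Python snippet is an added example (not part of the manual or the router firmware) that reproduces the manual's calculation, computes the inverse (which Start value yields a desired first address), checks that the pool stays inside the subnet, and flags a pool that would hand out the router's own address. The functions, names and sample values are assumptions for illustration.

```python
import ipaddress


def dhcp_pool(router_ip, netmask, start, limit):
    """Return (first, last) address handed out by the DHCP server.

    Start is an offset counted from 1 relative to the network address, so for a
    netmask such as 255.255.0.0 it carries into the third octet in steps of 256.
    Limit is the number of addresses in the pool.
    """
    net = ipaddress.IPv4Network(f"{router_ip}/{netmask}", strict=False)
    if start < 1 or limit < 1:
        raise ValueError("Start and Limit must both be at least 1")
    first = net.network_address + start
    last = net.network_address + start + limit - 1
    # The pool must stay inside the subnet and must not reach the broadcast address.
    if last >= net.broadcast_address:
        raise ValueError(f"pool {first}-{last} leaves the subnet {net}")
    return str(first), str(last)


def start_value_for(router_ip, netmask, first_ip):
    """Inverse calculation: the Start value that yields a given first pool address."""
    net = ipaddress.IPv4Network(f"{router_ip}/{netmask}", strict=False)
    ip = ipaddress.IPv4Address(first_ip)
    if ip not in net:
        raise ValueError(f"{ip} is not inside {net}")
    return int(ip) - int(net.network_address)


def pool_overlaps_router(router_ip, netmask, start, limit):
    """True if the router's own address lies inside the DHCP pool (a misconfiguration)."""
    first, last = dhcp_pool(router_ip, netmask, start, limit)
    router = ipaddress.IPv4Address(router_ip)
    return ipaddress.IPv4Address(first) <= router <= ipaddress.IPv4Address(last)


if __name__ == "__main__":
    # The manual's example: router 10.10.10.254/16, Start 610, Limit 200
    print(dhcp_pool("10.10.10.254", "255.255.0.0", 610, 200))
    print(start_value_for("10.10.10.254", "255.255.0.0", "10.10.2.98"))
```

Running the block prints the pool 10.10.2.98 to 10.10.3.41 and the Start value 610, matching the manual's example; entering a Start/Limit pair that runs past the end of the subnet raises an error instead of silently wrapping.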

Note

  • A static IP assignment via DHCP is configured under Network > DHCP and DNS.

5.2.2 Separate switch ports

The VR2020-LD provides the ability to separate each switch port. For this, VLANs are being used. The configuration is done via the menu Network > Switch.

Below the procedure is presented as an example. The goal is that the port LAN 1 is used as interface wan2 and the port LAN 2 is used for a Guest Network (lan_guest).

To simplify the configuration, tables are used.

Initial situation
VLAN ID CPU (eth1) LAN 1 LAN 2 LAN 3 LAN 4
1 tagged untagged untagged untagged untagged

The new VLANs are added via the button Add. The VLAN IDs 200 and 300 are used.

Attention

  • Always select tagged for the internal port CPU (eth1).

  • Each LAN interface can only be assigned the attribute untagged once.

  • The VLAN ID range 4020-4030 is reserved for internal purposes.

Configuration after adding the new VLANs
VLAN ID CPU (eth1) LAN 1 LAN 2 LAN 3 LAN 4
1 tagged off off untagged untagged
200 tagged untagged off off off
300 tagged off untagged off off

Click on Save & Apply to activate the configuration.
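The three rules in the Attention box (CPU port always tagged, each LAN port untagged at most once, IDs 4020-4030 reserved) are the ones that break switch configurations in practice. The following Python snippet is an added example, not part of the manual or the router's software, that encodes the target table from above as a dictionary and checks such a table against those rules before it is entered in the web interface. The dictionary layout, the validity range 1-4094 and the extra "port is a member of no VLAN" check are assumptions of this example.

```python
RESERVED_VLAN_IDS = range(4020, 4031)  # 4020-4030 inclusive, reserved for internal purposes
CPU_PORT = "CPU (eth1)"
LAN_PORTS = ("LAN 1", "LAN 2", "LAN 3", "LAN 4")

# The manual's target configuration: LAN 1 -> wan2 (VLAN 200), LAN 2 -> guest (VLAN 300),
# LAN 3 and LAN 4 remain in VLAN 1.
TARGET_SWITCH_CONFIG = {
    1:   {CPU_PORT: "tagged", "LAN 1": "off", "LAN 2": "off", "LAN 3": "untagged", "LAN 4": "untagged"},
    200: {CPU_PORT: "tagged", "LAN 1": "untagged", "LAN 2": "off", "LAN 3": "off", "LAN 4": "off"},
    300: {CPU_PORT: "tagged", "LAN 1": "off", "LAN 2": "untagged", "LAN 3": "off", "LAN 4": "off"},
}


def check_switch_config(config):
    """Return a list of rule violations; an empty list means the table is acceptable."""
    problems = []
    untagged_in = {port: [] for port in LAN_PORTS}
    for vid, ports in config.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: ID outside the valid range 1-4094")
        if vid in RESERVED_VLAN_IDS:
            problems.append(f"VLAN {vid}: ID lies in the reserved range 4020-4030")
        if ports.get(CPU_PORT) != "tagged":
            problems.append(f"VLAN {vid}: internal port {CPU_PORT} must be tagged")
        for port in LAN_PORTS:
            state = ports.get(port, "off")
            if state not in ("off", "tagged", "untagged"):
                problems.append(f"VLAN {vid}: {port} has unknown state {state!r}")
            if state == "untagged":
                untagged_in[port].append(vid)
    for port, vids in untagged_in.items():
        if len(vids) > 1:
            problems.append(f"{port}: untagged in more than one VLAN {vids}")
        tagged_somewhere = any(ports.get(port) == "tagged" for ports in config.values())
        if not vids and not tagged_somewhere:
            problems.append(f"{port}: member of no VLAN, the port would be unusable")
    return problems


if __name__ == "__main__":
    for line in check_switch_config(TARGET_SWITCH_CONFIG) or ["configuration OK"]:
        print(line)
```

Run against the manual's target table the check reports nothing; a table that puts LAN 1 untagged into two VLANs, leaves the CPU port untagged, or uses an ID from the reserved range produces one finding per violated rule.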

Afterwards the ports are configured under Network > Interfaces. A new interface is created with Add new interface ....

On the configuration page a Name will be given and at Cover the following interface the newly created VLAN interface is specified.

After sending the data via Send, the configuration is carried out as usual.

5.3 Establishing an internet connection

The VR2020-LD provides various ways to set up an internet connection. On the one hand, there is the possibility of a DSL connection, in addition mobile radio with MultiSIM support is available, and the WAN port can be used to implement various gateway connections or a connection via an external modem.

Note

  • In the delivery state, all WAN interfaces are located in the firewall zone wan.
    External access to the router is not permitted by default.

  • The router is equipped with a default backup system in the default configuration.
    The order here is – from the highest priority to the lowest – wan (Ethernet gateway connection) before xdsl (DSL connection) before wwan (cellular).

Warning

  • The interfaces xdsl (DSL connection) and wwan (cellular) are not started by default.

  • The router actively sends ICMP packets to check the individual connection paths.

5.3.1 Configure the DSL connection

In order to establish an ADSL or VDSL connection, generally only the provider access data have to be entered.

This is done in the menu Network > Interfaces using the default xdsl interface. The configuration page is accessed via the Edit button.

On the page that now appears, the user name provided by the DSL provider is entered under PAP / CHAP username and the corresponding password under PAP / CHAP password.

Since the interface is not active by default, a checkmark at Bring up on boot is set to establish the DSL connection after a system start.

The Save & Apply button saves the changes and (re)establishes the connection.

Note

  • Composition of the user name for Telekom (de) connections.
    AnschlusskennungZugangsnummerMitbenutzernummer@t-online.de
  • If there is an older “Zugangsnummer” (formerly T-Online number) that is not 12 digits long, a hash sign (#) must be entered between “Zugangsnummer” and “Mitbenutzernummer”.
  • In most cases, the “Mitbenutzernummer” is 0001.

5.3.2 Configure cellular

Attention

  • Insert or change SIM card(s) only if the VR2020-LD is disconnected from the power supply to prevent damage to the device or the SIM card.

In the delivery state, the VR2020-LD is prepared in such a way that a mobile radio connection can be established quickly and simply using the SIM card in slot SIM1. The APN is preset to web.vodafone.de in the active SIM profile and no PIN is set.

If a Vodafone SIM card without a PIN query is used, the connection must simply be started. In order to do this, set a checkmark at Bring up on boot under Network > Interfaces > wwan and the connection setup is then initiated via the Save & Apply button.

Otherwise only a few steps are required to establish a connection.

The configuration of the interface is carried out on the menu page network > interfaces > wwan.

On the wwan Edit page the SIM profile for SIM1 or SIM2 is selected, and the default SIM slot is chosen under Default SIM.

By pressing the Save & Apply button the changes will be accepted immediately and the connection will be established with the new parameters.

If the provider is not known or a PIN is required, this is configured at Network > Mobile Service under the tab SIM Profiles. In the SIM Configuration tab the PIN and in case of an error also the PUK can be verified. Moreover, the PIN can be changed here and the PIN request can be activated or deactivated.

5.3.2.1 MultiSIM support

The VR2020-LD offers the possibility for the interface wwan to automatically switch between two provider SIM cards.

This function is deactivated in the delivery state. To switch it on, set the checkmark Activate DualSIM support on the configuration page Network > Interfaces > wwan. This requires the feature Automatically establish/recover connection to be activated.

The recovery time specifies when to automatically attempt to switch back from the backup to the standard SIM slot. If never is selected at this point the router remains on the backup connection until an error is detected.

This change is accepted by Save & Apply.

5.3.2.2 Add/change SIM profiles

To change an existing SIM profile in the menu Network > Mobile > SIM Profiles, for example if the PIN request is activated, the PIN for the SIM card is entered for the corresponding profile.

If user name and password are additionally required, the type of WWAN Authentication is specified and these access data are specified under PAP / CHAP username and PAP / CHAP password.

The Allowed network modes can be defined here for each SIM profile. It is also possible to set the PLMN (Public Land Mobile Network Code), for example, in order to actively prevent roaming.

The configuration is saved by Save & Apply. To activate the changes, the wwan interface must be reconnected under Network > Interfaces.

5.3.3 Configuring a gateway connection

5.3.3.1 Connection setup via DHCP

In order to set up an internet connection via a gateway that provides DHCP, generally no changes are necessary. The WAN port only needs to be connected to the corresponding gateway.

5.3.3.2 Set WAN-IP to static

To permanently configure the IP address of the WAN interface to a static address, go to the menu Network > Interfaces. By pressing Edit at the wan interface, the configuration dialog is opened.

First, the Protocol is changed from DHCP Client to Static address and the change is confirmed by the button Switch protocol.

The IPv4 address, the IPv4 netmask and the IP address of the gateway to be used (IPv4 gateway) are set in the form that opens.

In regard to the name resolution, Use custom DNS servers requires an appropriate server.

Optionally a separate IPv4 broadcast IP deviating from the standard can be entered.

If IPv6 is required instead of IPv4 or if an IPv6 configuration is to be performed additionally, the necessary settings are also executed here.

5.4 Firewall Configuration

TDT routers are shipped with a zone-based firewall as standard.

Caution

  • In the delivery state all WAN interfaces are located in the firewall zone wan.

    External access to the router is not permitted by default.

    Out of the zone wan the access to local devices that are behind the VR2020-LD is rejected.

  • Local interfaces are located in the zone lan of the firewall.

    This is not subject to any restrictions.

On the overview page of the firewall you will first find the option to set the behavior that applies for interfaces without a zone.

In the combined view of the firewall zones, the zones with their contained interfaces are displayed, as well as which forwardings into other zones are allowed. This describes the behavior when a data packet arrives at the router and is routed to another zone. An example of this would be a request from a client computer to a web server: the packet arrives at an interface of the zone lan and is passed on to the zone wan via a routing entry, i.e. it is »forwarded«.

A port forwarding, as the name implies, is another example of a »forwarded packet«.

In addition, it defines how packets that are addressed to an IP address of the router (input) or that are generated by the router (output) are handled.

An outgoing »Masquerading«, a special form of the source NAT, can be created for the zone here by activating the function Masquerading. This replaces the sender IP address with the address of the interface through which the data stream is sent to its destination.

The MSS Correction function is used to determine the »Maximum Segment Size« for data packets to the respective destination. The method is also known as »Path MTU Discovery« and is mainly used for DSL connections, since here a maximum transmission unit (MTU) is usually smaller than the common 1500 in local networks.

5.4.1 Establish port forwarding

Caution

  • Forwarding packets are rejected by default configuration unless they are port forwarding packets (DNAT).

    If the access is to be restricted accordingly, this must be taken into account in the port forwarding rule.

Port forwardings can be set up quickly and easily under Firewall > Port Forwards.

To do this, a name is specified for the port forwarding, the Protocol is selected, the zone from which the requests arrive is picked under External zone, and the addressed port is stated under External port.

For the local side, the Internal zone, the destination Internal IP address and the Internal port to be addressed on the target device are specified.

Using Add the rule is created with the specified parameters. To activate this rule press Save & Apply to conclude.

5.4.2 Allow access to defined ports

Port releases can be managed under Firewall > Traffic Rules.

Here are several predefined rules to be found. These are partly not activated.

To activate or deactivate a rule as needed, a checkmark is set or removed in the Activate column in the overview table and the change is made with Save & Apply.

5.4.2.1 Open ports for access to the router

To allow access to a port of the VR2020-LD, a name for the rule has to be assigned in the area open ports on the router, the Protocol and respectively the External port have to be specified and the rule is then created via Add.

Now the newly created rule can be further limited by Edit, for example to allow access only from a defined sender (Source address).

Among other things, the Source zone, where the package arrives at the router (the zone wan is set here by default), and the Destination zone can be adapted. When you create the rule using the Open ports on the router routine, the Destination zone is set to the value at Device (input).

In order to change an incorrectly defined rule from Accept input to Accept forward, the Destination zone is adapted to the desired zone.

In addition, a few more filters can also be set for the rule here.

Save & Apply puts the rule with the new change into effect and saves it.

5.4.2.2 Access to devices behind the router

If, however, a local network user is to be reached from outside, for example via port forwarding, a New forward rule must be created.

The rule is added on the Firewall > Traffic Rules page and opened immediately via Add and edit..., specifying a rule Name, the Source zone (in this case wan) and the Destination zone (lan for the local devices). Here the Destination port is specified.

Other filters are - as already mentioned in Open ports for access to the router - to be adjusted.

With Save & Apply, the new rule is saved and activated immediately.

5.5 Set up dynamic DNS

Dynamic DNS allows the VR2020-LD to be reachable under the same hostname, even if the public IP address changes.

Warning

  • Since most mobile providers only distribute private IP addresses, access to the router usually does not work through wwan.

To set up a dynamic DNS update, go to the Services > Dynamic DNS area. Here you have the option to add a new entry.

The first step is to set up the Lookup Hostname on the configuration page and to select whether an IPv4 or IPv6 address is to be updated.

Afterwards the DDNS service provider is picked, for example dyntdt.de. If the service you are using has not yet been created, it can be prepared manually via the -- custom -- option.

For this purpose, for example, https://[USERNAME]:[PASSWORD]@www.dnshome.de/dyndns.php?ip=[IP] is specified for Custom update-URL if https://www.dnshome.de is the provider.

How the update URL should look in particular can usually be found on the pages of the service provider.

After this the Hostname/Domain, Username and Password are entered.

To transfer the data securely, it is recommended to enable Use HTTP Secure and if the CA certificate is not present, to select IGNORE for the Path to CA-Certificate, otherwise the storage location.

In the Advanced Settings tab, the IP address source to be updated is now selected. The default here is Network and for network it is lan.

Save takes over the new settings.

Back on the overview page, the check mark is set to Enabled and the settings are saved/activated via Save & Apply.
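The custom update URL contains the account credentials, which is why the manual recommends Use HTTP Secure. The following Python snippet is an added example (not part of the manual or the router's DDNS client) showing what a careful expansion of such a template looks like: the [USERNAME], [PASSWORD] and [IP] placeholders are filled in with percent-encoded credentials, an http:// template is refused, the address is checked against the selected IP version, and a second helper masks the password before the URL ends up in a log or a support file. The function names, the sample credentials and the documentation address are assumptions of this example; the template string is the one from the manual.

```python
import ipaddress
import re
from urllib.parse import quote


def build_update_url(template, username, password, ip, ip_version="ipv4"):
    """Expand the placeholders of a custom DDNS update URL.

    Credentials are percent-encoded so that ':' or '@' in a password cannot
    break the URL structure; only https templates are accepted, which mirrors
    the Use HTTP Secure setting; the address must match the selected IP version.
    """
    if not template.lower().startswith("https://"):
        raise ValueError("update URL must use https, otherwise the credentials travel in clear text")
    address = ipaddress.ip_address(ip)
    expected_version = {"ipv4": 4, "ipv6": 6}[ip_version]
    if address.version != expected_version:
        raise ValueError(f"{ip} is not an {ip_version} address")
    return (template.replace("[USERNAME]", quote(username, safe=""))
                    .replace("[PASSWORD]", quote(password, safe=""))
                    .replace("[IP]", str(address)))


def redact_password(url):
    """Mask the password part of user:password@host before the URL is logged."""
    return re.sub(r"://([^:/@]+):([^@/]*)@", r"://\1:***@", url)


if __name__ == "__main__":
    # Constructed sample values; the template is the manual's dnshome.de example.
    template = "https://[USERNAME]:[PASSWORD]@www.dnshome.de/dyndns.php?ip=[IP]"
    url = build_update_url(template, "alice", "p@ss:w", "203.0.113.7")
    print(redact_password(url))
```

The percent-encoding matters: a password containing '@' or ':' would otherwise be parsed as part of the host name, and the update would silently fail or go to the wrong host.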

6 Advanced Configuration

6.1 Virtual private network

A VPN is used to create another network over an existing one. Many different approaches are available for this purpose. In most cases, it is mistakenly assumed that a virtual private network is inevitably a secure data transmission and the transmission is secured by means of authentication and encryption. This is not necessarily the case.

Nowadays two different technologies are used for the implementation of a VPN:

These are used, for example, to link several company sites (site to site) or external / traveling employees (roadwarrior) to access (local) enterprise services.

The two approaches are briefly outlined below.

In addition, it should be mentioned here that the VR2020 series routers contain the new VPN solution WireGuard as a further option. This offers, for example, modern cryptographic procedures and a simple configuration of cross-platform remote access via different terminal devices.

6.1.1 IPsec

IPsec is the abbreviation for Internet Protocol Security. It enables a secure communication over potentially unsafe IP networks, e.g. the Internet.

In contrast to other encryption protocols, e.g. SSL, which is based on the transport layer, IPsec works directly on the internet layer of the TCP / IP protocol stack. This makes it transparent to applications.

IPsec uses two phases for connection negotiation.

6.1.1.1 Phase 1 – Key exchange

In the first phase, encryption and authentication are performed (Internet Key Exchange = IKE). In this process secret keys are generated over several steps and an SA (security association) is negotiated: the so-called ISAKMP-SA or IKE-SA, where ISAKMP stands for Internet Security Association and Key Management Protocol.

The authentication is performed, for example, via pre-shared key (psk) or certificates (RSA or ECDSA).

6.1.1.2 Phase 2 – Negotiation of the data exchange parameters

In the second phase of the IPsec negotiation, the Quick Mode is used. All communication in this phase is encrypted (protected by the IKE SA). Once again SAs are generated, which are used for the actual data exchange. In order to increase security, this »data SA« – usually referred to as IPsec-SA or CHILD_SA – contains no information from phase 1.

One of two modes is used to transfer the data: transport mode or tunnel mode. For this purpose, the methods Authentication Header (AH) and Encapsulating Security Payload (ESP) are available, whereby ESP is used as a rule.

AH is based on an additional header that follows the normal IP header. For ESP, the user data also contains a header that contains the Security Parameters Index (SPI). The existence of these headers is indicated by the transport protocol number in the IP header.

  • Transport mode only the packet contents are encrypted, the IP header is retained.

    • AH is based on an additional header that follows the normal IP header.

    • ESP encrypts the data of the packet, the IP header is retained.

  • Tunnel mode encrypts the original package and sends it in a new package.

    • AH creates a new IP packet containing an authentication header over the original package.

    • ESP encrypts the complete IP packet and encapsulates the encrypted packet into a new package.

      • PFS (Perfect Forward Secrecy) optionally provides additional protection of the data.

6.1.1.3 Conclusion

  • Widely supported by firewalls, gateways, servers and routers, and thus applicable almost everywhere.

6.1.1.4 Requirements

In order to successfully establish an IPsec connection, a number of points have to be considered / clarified in advance.

  • At least one of the two sides must be reachable via a public IP address; the other side can then initiate the connection, also from behind NAT.

  • Authentication and encryption parameters must be set.

  • The networks / hosts to be connected must be known.

  • On the side with the public IP address the following ports and protocols must be opened or forwarded in the firewall:

Port   Protocol   Description
-      ESP        IP protocol 50 (Encapsulating Security Payload); carries the protected data in tunnel and transport mode
500    UDP        Source and destination port for IKE (Internet Key Exchange)
4500   UDP        NAT traversal (NAT-T): IKE and UDP-encapsulated ESP; required if one of the two peers is behind a NAT gateway or a masquerading firewall

If AH is used instead of ESP, IP protocol 51 must be allowed in the same way.

6.1.1.5 Implementation

The IPsec implementation strongSwan is used in current firmware versions. Detailed documentation and sample configurations can be found in the strongSwan wiki.

6.1.2 OpenVPN

OpenVPN is not an insecure VPN solution, as the name might suggest; »open« simply expresses that the source code is open and free of charge. The software is licensed under the GNU GPL and supports a variety of (modern) operating systems.

OpenVPN sets up virtual private networks over an encrypted TLS connection (Transport Layer Security, still widely known under the name of its predecessor SSL = Secure Sockets Layer). Authentication can be done via username / password, certificates or a static pre-shared key.

6.1.2.1 Routing mode

A routed VPN (Layer 3) can be established with OpenVPN. In this case an encrypted tunnel is established between two virtual IP addresses of a dedicated subnet, the so-called transport network. For a tunnel between two peers this is a simple form of secure communication.

In routing mode only IP packets are routed through the VPN tunnel; Layer 2 data is not transferred. Particularly on internet connections with low bandwidth or a traffic limit this variant is preferable, since neither the Ethernet headers nor Layer 2 broadcast traffic are transmitted through the tunnel.

6.1.2.2 Bridge mode

The bridged VPN variant offers the advantage of completely tunnelling Ethernet frames (Layer 2). A client is integrated fully transparently into the remote network and receives an IP address from that subnet. This mode therefore also allows the use of non-IP protocols such as IPX and supports the transmission of Wake-on-LAN packets.

6.1.2.3 Conclusion

  • Only one port is required, which is also freely configurable (default: 1194).
  • Protocol freely selectable: TCP or UDP (default: UDP).
  • Two operating modes: routed and bridged.

6.1.3 WireGuard®

WireGuard is a very young technology for implementing secure and high-performance virtual private networks (VPNs) with little effort. It is an open source protocol and open source software, intended as an alternative to established VPN solutions such as OpenVPN or IPsec.

WireGuard was developed with the aim of making VPNs easier and to offer an alternative to existing VPN solutions. The open source software and protocol compete with VPN technologies such as IPsec or OpenVPN. Compared to existing solutions, the configuration of VPN connections should be easier and faster.

WireGuard works with high performance on Layer 3 of the OSI layer model and supports both IPv4 and IPv6. The software is deliberately kept simple and clear. It only consists of approximately 4,000 lines of programming code. Other VPN solutions sometimes have several hundred thousand lines of source code. The new VPN alternative was developed by Jason A. Donenfeld. It is available for different platforms such as different Linux distributions, macOS, Android or iOS. On Linux systems, the code runs as a module in the kernel and achieves high performance. VPN providers such as Mullvad and AzireVPN have been offering the first services based on the new VPN solution since 2018.

Note

  • The development phase of WireGuard has not yet been completed.

  • WireGuard support is included in the Linux kernel from version 5.6 onwards.

6.1.3.1 Design principles of WireGuard®

The following goals were pursued when designing the VPN alternative:

  • easy usability
  • high performance
  • high security through the use of current cryptographic procedures
  • manageable code with minimal attack surface
  • carefully thought-out overall concept

WireGuard is characterized by its simplicity compared to the existing, mostly very complex VPN solutions. The software offers fewer configuration options and is limited to the essentials. This makes the solution easy to use and its security easy to review; possible weaknesses are easier to find in the manageable code. To achieve a high level of security when encrypting data, WireGuard uses modern cryptographic methods. The identity of each VPN peer is its public key. Similar to SSH, connections are established by exchanging public keys. The architecture is based on the peer-to-peer model.

6.1.3.2 Used Protocols

WireGuard uses various protocols to establish VPN connections and exchange data. The main protocols are:

  • Curve25519 (X25519, ECDH with ephemeral keys) for key exchange
  • ChaCha20-Poly1305 (AEAD) for the encryption and authentication of the data packets
  • BLAKE2s for hashing, keyed hashing (HMAC) and key derivation (HKDF)
  • Curve25519 static key pairs for the authentication of peers (WireGuard does not use Ed25519 signatures; the static public key is the peer's identity)

The VPN solution is deliberately limited to the three basic functions of an encrypted connection: key exchange, encryption and authentication. The keys are exchanged in a handshake using Curve25519 with Elliptic Curve Diffie-Hellman (ECDHE). BLAKE2s serves as the universal hash function and is used, for example, for keyed hash message authentication codes (HMAC) and to derive keys with the HMAC-based key derivation function (HKDF). ChaCha20 and Poly1305 are responsible for the symmetric encryption and integrity protection of the exchanged data. In addition to native support of IPv4 and IPv6, IPv4 can be encapsulated in IPv6 and vice versa.
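The key-based identity and key agreement described above, as an added example that is not WireGuard's code and not the complete Noise_IK handshake: it implements X25519 from RFC 7748 with only the Python standard library (hashlib provides BLAKE2s but no Curve25519), derives both peers' public keys, shows that both sides reach the same shared secret, and turns it into one key per direction with an HKDF built on HMAC-BLAKE2s. The chaining-key label is an illustrative assumption; the two key pairs are the RFC 7748 test vectors, not keys from any real device.

```python
"""Peer identity and key agreement in the WireGuard style.

Added example for this manual; it is not WireGuard's code and it is not the
full Noise_IK handshake. It shows, with only Python's standard library, that a
peer's identity is its Curve25519 public key, that X25519 (RFC 7748) gives both
peers the same shared secret, and how an HKDF built on HMAC-BLAKE2s (the
construction WireGuard uses) turns that secret into one key per direction.
The chaining-key label and the two RFC 7748 test key pairs are fixed sample
values; real deployments generate fresh random private keys.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19          # field prime of Curve25519
A24 = 121665             # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication (Montgomery ladder, RFC 7748 section 5)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_private_key() -> bytes:
    """A fresh 32-byte private key, as `wg genkey` would produce."""
    return secrets.token_bytes(32)


def public_key(private: bytes) -> bytes:
    """The peer's identity: its public key, as `wg pubkey` derives it."""
    return x25519(private, BASEPOINT)


def hmac_blake2s(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.blake2s).digest()


def hkdf_blake2s(chaining_key: bytes, ikm: bytes, n: int) -> list:
    """HKDF with HMAC-BLAKE2s: extract with the chaining key as salt, then
    expand n 32-byte outputs, T(i) = HMAC(prk, T(i-1) || i)."""
    prk = hmac_blake2s(chaining_key, ikm)
    out, prev = [], b""
    for i in range(1, n + 1):
        prev = hmac_blake2s(prk, prev + bytes([i]))
        out.append(prev)
    return out


def derive_session_keys(my_private: bytes, peer_public: bytes, initiator: bool) -> tuple:
    """(send_key, recv_key) for this peer. Both peers obtain the same two keys
    from the shared secret; the initiator sends with the first and the
    responder with the second, which is the direction split WireGuard uses."""
    shared = x25519(my_private, peer_public)
    if shared == bytes(32):
        # All-zero output means the peer key was a low-order point; reject it,
        # as WireGuard does, instead of deriving keys from a predictable secret.
        raise ValueError("peer public key is a low-order point")
    # Sample label (assumption): WireGuard's real chaining key also mixes in
    # several DH results and the handshake messages.
    chaining_key = hashlib.blake2s(b"manual example chaining key").digest()
    k_initiator, k_responder = hkdf_blake2s(chaining_key, shared, 2)
    return (k_initiator, k_responder) if initiator else (k_responder, k_initiator)


# Test keys from RFC 7748 section 6.1 (sample values, never use them in production).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")

if __name__ == "__main__":
    print("identities match RFC 7748:",
          public_key(ALICE_PRIV) == ALICE_PUB and public_key(BOB_PRIV) == BOB_PUB)
    a_send, a_recv = derive_session_keys(ALICE_PRIV, BOB_PUB, initiator=True)
    b_send, b_recv = derive_session_keys(BOB_PRIV, ALICE_PUB, initiator=False)
    print("session keys agree:", a_send == b_recv and a_recv == b_send)
```

The point to take from the script is the one the section makes: nothing but the 32-byte public key is needed to identify a peer, so whoever holds a private key owns that identity, and a leaked key file on any peer must be rotated on every other peer's configuration.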

Linus Torvalds also showed himself to be a fervent supporter of the inclusion. As the Linux father confirmed in the course of the inclusion of network patches from the experimental branch of the kernel, he also sees the common alternatives as too cumbersome and too complicated. According to Torvalds, WireGuard is a work of art in direct comparison with the »horror of OpenVPN and IPsec«. He therefore loves the implementation, even if it is not yet perfect, and would like it to be included in the kernel soon.

Source: Security Insider

6.1.3.3 Conclusion

  • Modern, slim VPN protocol.
  • Simple configuration, because WireGuard is deliberately limited to the three basic functions of an encrypted connection: key exchange, encryption and authentication.
  • Fast failover when switching to a backup link, since WireGuard is not connection-oriented: a peer may change its endpoint address and the tunnel continues after the next handshake.
  • Available on almost all software platforms.
  • Simple auditability through short source code.
  • High security through state of the art cryptography.

7 Instructions and HowTos

7.1 Backup and restore configuration

The router offers various possibilities to manage configurations under System > Backup / Flash Firmware.

7.1.1 Create backup

To create a configuration backup, press the Generate archive button on the Download backup page.

The configuration is then packed and offered for download. If the browser is set to »Automatically save to the following folder«, the file is stored in that folder, by default Downloads in most browsers.

The file name follows the scheme YYYY-MM-DD-backup HOSTNAME.tar.gz. If the browser asks before saving, the file name can be chosen freely, but the extension .tar.gz must be retained.

After downloading, the configuration can be stored locally on the PC or in the server infrastructure. The archive contains the complete configuration, including VPN keys, pre-shared keys and passwords, so it must be stored with the same protection as those secrets (for example encrypted and with restricted access).

7.1.2 Import backup

A backup, once created, can be imported again at any time, also on another device of the same model.

To do this, select the file locally in the Restore backup section and restore it with the Upload archive... button. The saved configuration is loaded and the changes are activated by a reboot.

7.1.3 Restore the delivery state

The delivery state can be restored in three ways: via the web interface, via the command line, or via the reset button.

7.1.3.1 Web interface

The factory reset can be triggered via the web interface on the menu page System > Backup / Flash Firmware in the Restore delivery state section by pressing the Reset button.

7.1.3.2 Command line

To restore the delivery state via the command line, run the command firstboot and confirm the reset with y (= yes).

7.1.3.3 Reset button

By holding down the reset button on the front of the VR2020-LD for more than five seconds, the delivery state is loaded and the device reboots after the button is released.

7.2 Update Firmware

An update of the router firmware can be carried out in the web interface in two ways: by manually uploading a firmware image, or online via the TDT update server.

7.2.1 Offline Update

In the Write new firmware image section on the menu page System > Backup / Flash Firmware, the file is selected on the local system using the Image field.

The checkbox Keep configuration is preselected by default. If the router is to start with factory settings after the update, the checkmark must be removed at this point.

The update process is started by pressing Flash image....

First the checksum of the image is checked. If it is correct, the image can be flashed with Proceed; the process can also be aborted at this point. Unlike the online update, no signature is verified here, so an image for an offline update must be obtained directly from TDT and its checksum compared against a value obtained from TDT over a trusted channel before it is uploaded.
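As an added example (not TDT's code), the following Python script checks a downloaded image against a SHA-256 sum before it is uploaded for an offline update. It assumes the expected digest has been obtained from TDT over a trusted channel in the line format written by sha256sum; this manual does not describe such a checksum file, and the image and list in the script are constructed sample data, not a real VR2020-LD image.

```python
"""Check a downloaded firmware image against a published SHA-256 sum before
uploading it for an offline update.

Added example for this manual, not TDT's code. It assumes the expected digest
is obtained from TDT over a trusted channel in the line format written by
`sha256sum` ("<hex digest>  <file name>"); the image and list below are
constructed sample data, not a real VR2020-LD image.
"""
import hashlib
import hmac
import re

_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sums(text: str) -> dict:
    """Map file name -> lowercase hex digest; reject malformed lines loudly."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_of(data: bytes, chunk: int = 1 << 20) -> str:
    """Digest computed in chunks, as one would over a large image file."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_image(image: bytes, filename: str, sha256sums: str) -> bool:
    """True only if the image digest equals the published one (constant-time compare)."""
    expected = parse_sha256sums(sha256sums).get(filename)
    if expected is None:
        raise KeyError(f"{filename} is not listed in the checksum file")
    return hmac.compare_digest(sha256_of(image), expected)


# Constructed sample data: a fake image and a matching checksum list.
SAMPLE_NAME = "firmware-example.bin"
SAMPLE_IMAGE = b"VR2020-LD example image payload\n" * 4096
SAMPLE_SUMS = (
    f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest()}  {SAMPLE_NAME}\n"
    f"{'0' * 64}  other-example.bin\n"
)

if __name__ == "__main__":
    print("image matches published checksum:",
          verify_image(SAMPLE_IMAGE, SAMPLE_NAME, SAMPLE_SUMS))
```

A checksum only proves that the file is the one the checksum was computed for; it says nothing about who produced it. The digest therefore has to come from TDT itself, not from the same download location as the image, and a mismatch means the image must not be uploaded.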

7.2.2 Online Update

In the menu under System > Online Firmware Update you can search for a newer, available software version on the TDT update server.

To do this, click Check under Check for updates. The update server is then queried and the result is displayed.

If a new firmware image is available, you can import it directly from this page.

Here the checkmark Keep Configuration is also checked by default. To start with the factory settings after the update, the checkmark must be removed at this point.

The process is started using Flash image... under Perform update. First the signature and then the checksum of the downloaded image are checked. If both are correct, the new firmware is flashed without further confirmation.

8 Tips and tricks

8.1 Deactivate DSL

Note

  • To reduce the power consumption of the VR2020-LD, the DSL front end can be deactivated.

The DSL front end is deactivated under System > Startup: locate the dsl_control entry on that page and press the Disable button so that it is no longer started at system startup.

To deactivate DSL during operation, the dsl_control process is stopped by clicking Stop.

9 Appendix