The compilation of text and illustrations for this manual has been undertaken with the greatest care. However, errors and omissions cannot be completely ruled out.
The publisher accepts absolutely no responsibility for incorrect information.
We reserve the right to make changes to this documentation and the products described herein at any time without prior notice.
Our document department will be pleased to assist you should you experience problems with this document.
TDT AG
Siemensstraße 18
84051 Essenbach
Tel.: +49 (8703) 929-00
Fax: +49 (8703) 929-201
Web: www.tdt.de
Email: support@tdt.de
© 2021 TDT AG – Stefan Haunreiter
We wish you success and enjoyment
Your TDT Team
This documentation contains instructions that need to be complied with for the safety of the user and/or to prevent damage to the VR2020-LD.
As part of ongoing security testing, TDT always strives to design its products as securely as possible and attaches great importance to compliance with current safety and quality standards during development and regular firmware updates.
If the router contains a GSM modem and/or WLAN transmitter module, the following must also be considered:
The VPN router – VR2020-LD with VDSL / ADSL and cellular communications – is manufactured to the highest quality standards and is highly suitable for the establishment of secure branch networks as well as for the connection of mobile external sites due to its flexibility.
The VR2020-LD offers high-speed internet access with an extremely high reliability through its intelligent backup management and the use of two SIM cards (Dual SIM support).
In order for the router to operate on all modern xDSL connections, including all-IP, the VR2020-LD has an integrated DSL modem that supports the ADSL/ADSL2/ADSL2+ and VDSL/VDSL2 standards as well as VDSL2 vectoring.
The 2G, 3G and 4G (LTE = Long Term Evolution) radio connections are carried out via a multiband modem that handles the LTE, HSPA+, HSDPA/HSUPA, UMTS, EDGE and GPRS standards.
The Ethernet WAN port allows you to implement any type of gateway connection, as well as the connection of external modems (e.g., SDSL, cable, FTTH).
Via a permanently built-in VPN tunnel, a VR2020-LD router can be easily integrated into a branch network, or connected to a central office, and is directly accessible via private IP addressing.
In this case, DynDNS is not required for access, but can be set up at any time.
The fully implemented VPN standards IPsec and OpenVPN ensure the highest level of security during data transmission. Authentication is optionally performed by stored certificates or pre-shared keys, while the VPN router supports all modern encryption algorithms such as AES with up to 256 bit key length.
In terms of security, the integrated Trusted Platform Module (TPM) is also particularly noteworthy; it is used for the secure storage of secret keys. Cryptographic keys can be generated, used and safely stored within the TPM, supported by its integrated secure random number generator (RNG).
The Trusted Platform Module provides both protection against software attacks as well as hardware manipulation.
A configurable high-security firewall is available to protect your network against attacks. This can be easily adapted to your individual needs by means of rules and scripts.
The VPN router can be configured comfortably – both locally and remotely – via the intuitive web interface. Experts can also manage the VR2020-LD via command line (SSH).
Automated remote configuration / maintenance via TDT ACS – an Auto-Configuration Server according to the TR-069 standard – as well as monitoring via a network management system such as Check_MK are available for use in branch networks.
Hereby, TDT declares that the radio equipment type VR2020-LD is in compliance with Directive 2014/53/EU.
The full text of the EU declaration of conformity is available at the following internet address: download.tdt.de
The following accessories are included with the VR2020-LD router:
On the front of the VR2020-LD router are arranged from left to right:
SIM card slot SIM1
LAN-LED for the link status of the LAN ports
WAN-LED for the link status of the WAN ports
VPN-LED for the status of a VPN connection
Cellular-LED for the mobile radio connection status
Signal-LEDs for the mobile radio signal level
Micro-USB console port with integrated USB-to-serial adapter
Alarm-LED to display important / critical events
xDSL-LED for the status of the DSL connection
Power-LED as an indicator for an existing voltage supply
Reset button
Warning!
LAN | |
---|---|
off | No link existing on one of the LAN ports. |
on | At least one LAN port has an active link. |
flashing | Data transfer via at least one LAN port. |
WAN | |
---|---|
off | No link existing on one of the WAN ports. |
on | The WAN port has an active link. |
flashing | Data transfer via the WAN-Port. |
Cellular | |
---|---|
off | If the signal LEDs are off as well the router is not registered on any mobile cell and it has no signal in its own network. If any signal LED is on it is registered in the 2G network (GPRS / EDGE). |
blinking | The router is registered in the mobile network and a 3G signal (UMTS / HSPA / +) is present. |
on | The current technology is 4G (LTE) and the router is registered in a cell. |
Signal | blinking | on |
---|---|---|
I | Registered on a mobile cell. Signal level between 0% and 17%. | Signal level between 17% and 33%. |
II | Signal level between 33% and 50%. | Signal level between 50% and 66%. |
III | Signal level between 66% and 83%. | Signal level between 83% and 100%. |
xDSL | |
---|---|
off | Not synchronized/no pilot tones. |
blinking | Synching/training phase. |
on | The xDSL-interface is successfully synchronized. |
flashing | Data transmission via xDSL. |
Power | |
---|---|
off | Router is not connected to the power supply. |
on | Voltage applied. |
Connection | Description |
---|---|
xDSL | RJ45/RJ48s connection for linking the TAE socket to the router. |
WAN | 10/100/1000BaseT interface RJ45/RJ48s. Features automatic detection of the speed as well as the cable type (1:1 or crossed). |
GPS/GNSS | Optional connection for an antenna determining the position via a global navigation satellite system (GPS/GLONASS). |
Serial | Optional serial interface in the form of a clamping strip (triple-pole Rx, Tx, GND). |
LAN 1-4 | 10/100BaseT 4-Port switch. These ports have their own MAC addresses, are auto-sensing and can be separated virtually as required. |
USB (2x) | Deactivated by default. The USB ports are intended for future applications (e.g. for external logging, UPS management). |
Cellular MIMO | SMA socket for the connection of the second antenna / second antenna cable. |
Cellular MAIN | Connection for the primary antenna / first antenna cable. This connection is mandatory. |
Power | Wide range voltage input 9V..30V DC with coaxial power connector. Optionally available as clamping strip. |
Our TDT Expert Support Team offers and provides assistance with all aspects concerning the configuration of your device. We will be glad to help you analyze and solve occurring problems.
You can reach the support hotline Monday to Friday from 08:00 to 18:00 by telephone* at
+49 8703 929-112
or at any time by e-mail to
To ensure an optimal support process, we kindly ask you to provide additional support data with your request. The support data** may be generated using the page Help > TDT-Support.
* Except national bank holidays
** The support data file does not contain any confidential information like passwords or PIN codes.
Warning
Caution
Carefully open the transport packaging.
Take out the router by folding the cardboard flaps upwards and pulling out the device under the foil.
Only now connect the router to the power supply.
As soon as the initialization process is completed, the router can be reached via IP.
Caution
The VR2020-LD has the IP address 192.168.0.50 by »factory default«; the user is root. The password is individually generated for each router during the production process and printed on the nameplate.
In addition, IP addresses are provided via DHCP in the standard configuration. Here the range is defined from 192.168.0.100 to 192.168.0.250.
Parameter | Value |
---|---|
IP address: | 192.168.0.50 |
DNS name: | tdt.router or VR2020-LD.lan |
Username: | root |
Password: | Individually generated for each router (see nameplate). If no password is printed, it equals the serial number. |
Warning
In the delivery state, the VR2020-LD has an individual password which can be found on the nameplate.
Nevertheless, it is highly recommended to assign an individual password before starting the configuration!
Before mounting the device, write down the password in order to retain access after a factory reset.
The router can be configured in two ways: the web interface allows an easy configuration in the web browser, or you can connect directly to the router via SSH or the serial console.
Caution
Note
192.168.0.0/24 is required. For example, 192.168.0.1 with subnet mask 255.255.255.0.
To get to the web interface of the VR2020-LD via a browser, simply enter the IP address of the router in the address bar. In the delivery state the IP address of lan is set to 192.168.0.50. The router is also accessible via the name tdt.router.
Since the web interface can only be accessed via SSL, https:// must be prepended to the IP address.
Example:
https://tdt.router
or https://192.168.0.50
In the now appearing login window you authenticate yourself with the user name root and the corresponding password.
Warning
The router also provides a command line that can be used to easily run analyses.
The shell can be accessed via IP (SSH) or serially via the micro-USB port on the front of the VR2020-LD. In both cases access can be realized, for example, by using the open source software PuTTY. Recommended PuTTY configurations can be found here.
For SSH access you open PuTTY, enter the IP of the VR2020-LD at Host Name (or IP address) and click the Open button. In the newly opened window, log on to the system with the user name root and the corresponding password.
In a Linux environment access can be gained directly via the terminal by using the command ssh root@192.168.0.50.
In order to access the VR2020-LD via serial, a terminal program is required. The connection can also be established via PuTTY.
First connect the router with a micro-USB cable via the console port to the computer. The driver for the USB serial port should then be installed automatically.
When trying to find out which COM interface is used, the device manager can be utilized under Windows. A USB serial port should appear after successful installation.
The following chart shows the values that must be configured in the terminal program in addition to the COM port for the serial interface.
Parameter | Value |
---|---|
Speed (baud): | 115200 |
Data bits: | 8 |
Stop bits: | 1 |
Parity: | None |
Flow control: | None |
To get the login prompt, press the Enter key ↵ once. Afterwards you can log on to the system with the user root and the corresponding password.
Attention!
In the web interface – as long as no individual password has been assigned – a warning including a link to the System > Administration page is displayed, where the password can be set.
Here the Password is entered and repeated under Confirmation. Finally, the new password is accepted with Save & Apply.
An SSH session or the micro-USB console can be used to change the password by calling the passwd command.
Warning
One of the first steps after commissioning is usually to adapt the local IP address to the required environment.
In order to do this, go to the Network > Interfaces menu, select the interface lan and click on the Edit button.
The IPv4 address and the IPv4 netmask used for the network are now entered in the new mask.
Optionally a separate IPv4 broadcast IP deviating from the standard can be entered.
If IPv6 is required instead of IPv4 or if an IPv6 configuration is to be implemented additionally, the necessary settings are also executed here.
At the end of this page are parameters for DHCP, which runs on this interface by default.
If the DHCP server for this interface is to be deactivated, simply put a check mark at Ignore interface.
To adjust the DHCP range, the smallest IP address to be assigned is given at Start. In the delivery state 100 is assigned here.
Note
1. Thus, in the default configuration 192.168.0.100 is the first IP address available for DHCP clients.
255.255.0.0, the number is incremented accordingly in 256 steps. So, assuming a router IP of 10.10.10.254 with a netmask of 255.255.0.0 and a start value of 610, the first address assigned via DHCP would be 10.10.2.98.
The value Limit indicates the maximum number of IP addresses allowed by the DHCP server.
Note
Limit can only specify the number of DHCP hosts. In our example, if the DHCP limit is 200, the last possible IP would be 10.10.3.41.
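The Start/Limit arithmetic described above, as an added example that is not part of the TDT manual: Start is treated as an offset from the network address of the lan interface and Limit as a number of leases, and the helper refuses ranges that run past the subnet or contain the router's own address, which are the two mistakes a wrong offset typically produces.

```python
"""DHCP range arithmetic for the VR2020-LD lan interface.

Added example, not TDT code. Start is an offset counted from the network
address of the interface and Limit is the number of leases, which is exactly
how the manual's 10.10.10.254 / 255.255.0.0 example works out.
"""
import ipaddress


def dhcp_range(router_ip: str, netmask: str, start: int, limit: int) -> tuple[str, str]:
    """Return (first, last) lease address for the given Start/Limit values.

    Raises ValueError for ranges that would run past the subnet or swallow
    the router's own address; both are easy to produce by entering an offset
    that was meant for a different netmask.
    """
    if start < 1 or limit < 1:
        raise ValueError("Start and Limit must be at least 1")
    iface = ipaddress.IPv4Interface(f"{router_ip}/{netmask}")
    net = iface.network
    first = net.network_address + start   # offset counts across octets in 256 steps
    last = first + (limit - 1)             # Limit counts hosts, not an end address
    if last >= net.broadcast_address:
        raise ValueError(f"range {first}-{last} runs past {net}")
    if first <= iface.ip <= last:
        raise ValueError(f"router address {iface.ip} lies inside {first}-{last}")
    return str(first), str(last)


def start_for_first_address(router_ip: str, netmask: str, first_ip: str) -> int:
    """Inverse: the Start value that makes first_ip the first DHCP address."""
    iface = ipaddress.IPv4Interface(f"{router_ip}/{netmask}")
    first = ipaddress.IPv4Address(first_ip)
    if first not in iface.network:
        raise ValueError(f"{first} is not inside {iface.network}")
    return int(first) - int(iface.network.network_address)


if __name__ == "__main__":
    # The manual's worked example: offset 610 in a /16 lands on 10.10.2.98,
    # and 200 leases end at 10.10.3.41.
    print(dhcp_range("10.10.10.254", "255.255.0.0", 610, 200))
    # Factory default: Start 100 in 192.168.0.0/24 begins at 192.168.0.100.
    print(dhcp_range("192.168.0.50", "255.255.255.0", 100, 150))
```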
Note
Network > DHCP and DNS.
The VR2020-LD provides the ability to separate each switch port. For this, VLANs are used. The configuration is done via the menu Network > Switch.
Below the procedure is presented as an example. The goal is that the port LAN 1 is used as interface wan2 and the port LAN 2 is used for a guest network (lan_guest).
To simplify the configuration, tables are used.
VLAN ID | CPU (eth1) | LAN 1 | LAN 2 | LAN 3 | LAN 4 |
---|---|---|---|---|---|
1 | tagged | untagged | untagged | untagged | untagged |
The new VLANs are inserted via the button Add. VLAN IDs 200 and 300 are used.
Attention
Always select tagged for the internal port CPU (eth1).
Each LAN interface can only be assigned the attribute untagged once.
The VLAN ID range 4020-4030 is reserved for internal purposes.
VLAN ID | CPU (eth1) | LAN 1 | LAN 2 | LAN 3 | LAN 4 |
---|---|---|---|---|---|
1 | tagged | off | off | untagged | untagged |
200 | tagged | untagged | off | off | off |
300 | tagged | off | untagged | off | off |
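A consistency check for such a switch table, added here as an example and not part of the TDT manual: it encodes the three rules from the Attention box (CPU (eth1) tagged in every VLAN, each LAN port untagged at most once, IDs 4020-4030 reserved) and derives which network each port ends up in, so a table can be reviewed before Save & Apply. The table layout and port names are taken from the manual; the check itself is an assumption about how one would validate them.

```python
"""Consistency check for a VR2020-LD switch/VLAN table before Save & Apply.

Added example, not TDT code. It encodes the rules stated in the manual:
CPU (eth1) must be tagged in every VLAN, a LAN port may be untagged in at
most one VLAN, and VLAN IDs 4020-4030 are reserved for internal use.
"""
from __future__ import annotations

from collections import defaultdict

CPU = "CPU (eth1)"
LAN_PORTS = ("LAN 1", "LAN 2", "LAN 3", "LAN 4")
STATES = {"tagged", "untagged", "off"}
RESERVED = range(4020, 4031)   # 4020-4030 inclusive

# The manual's example: LAN 1 carries VLAN 200 (wan2), LAN 2 carries VLAN 300
# (lan_guest), LAN 3 and LAN 4 stay in VLAN 1.
EXAMPLE_TABLE = {
    1:   {CPU: "tagged", "LAN 1": "off", "LAN 2": "off", "LAN 3": "untagged", "LAN 4": "untagged"},
    200: {CPU: "tagged", "LAN 1": "untagged", "LAN 2": "off", "LAN 3": "off", "LAN 4": "off"},
    300: {CPU: "tagged", "LAN 1": "off", "LAN 2": "untagged", "LAN 3": "off", "LAN 4": "off"},
}


def check_vlan_table(table: dict[int, dict[str, str]]) -> list[str]:
    """Return the list of rule violations; an empty list means the table is acceptable."""
    problems: list[str] = []
    untagged_in: dict[str, list[int]] = defaultdict(list)   # port -> VLANs where it is untagged
    for vid, row in table.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: ID outside 1-4094")
        elif vid in RESERVED:
            problems.append(f"VLAN {vid}: ID lies in the reserved range 4020-4030")
        for port in (CPU,) + LAN_PORTS:
            state = row.get(port, "off")
            if state not in STATES:
                problems.append(f"VLAN {vid}: {port} has unknown state {state!r}")
        if row.get(CPU) != "tagged":
            problems.append(f"VLAN {vid}: {CPU} must be tagged")
        for port in LAN_PORTS:
            if row.get(port) == "untagged":
                untagged_in[port].append(vid)
    for port, vids in untagged_in.items():
        if len(vids) > 1:
            problems.append(f"{port}: untagged in more than one VLAN {sorted(vids)}")
    return problems


def port_assignment(table: dict[int, dict[str, str]]) -> dict[str, int | None]:
    """Map each LAN port to the VLAN it carries untagged (None if tagged-only or unused)."""
    assignment: dict[str, int | None] = {port: None for port in LAN_PORTS}
    for vid, row in table.items():
        for port in LAN_PORTS:
            if row.get(port) == "untagged":
                assignment[port] = vid
    return assignment


if __name__ == "__main__":
    print(check_vlan_table(EXAMPLE_TABLE))   # [] for the manual's table
    print(port_assignment(EXAMPLE_TABLE))    # LAN 1 -> 200, LAN 2 -> 300, LAN 3/4 -> 1
```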
Click on Save & Apply to activate the configuration.
Afterwards the ports are configured under Network > Interfaces. A new interface is created with Add new interface ....
On the configuration page a Name is given and at Cover the following interface the newly created VLAN interface is specified.
After submitting the data via Send, the configuration is carried out as usual.
The VR2020-LD provides various ways to set up an internet connection: a DSL connection, mobile radio with MultiSIM support, and the WAN port, which can be used for various gateway connections or a connection via an external modem.
Note
In the delivery state, all WAN interfaces are located in the firewall zone wan.
External access to the router is not permitted by default.
A backup system is active in the default configuration. The order here is – from the highest priority to the lowest – wan (Ethernet gateway connection) before xdsl (DSL connection) before wwan (cellular).
Warning
The interfaces xdsl (DSL connection) and wwan (cellular) are not started by default.
The router actively sends ICMP packets to check the individual connection paths.
In order to establish an ADSL or VDSL connection, generally only the provider access data have to be entered.
This is done in the menu Network > Interfaces using the default xdsl interface. The configuration page is accessed via the Edit button.
On the page that now appears, the user name provided by the DSL provider is entered under PAP / CHAP username and the corresponding password under PAP / CHAP password.
Since the interface is not active by default, a checkmark at Bring up on boot is set to establish the DSL connection after a system start.
The Save & Apply button is used to save the changes and set up the connection (anew).
Note
Anschlusskennung
Zugangsnummer
Mitbenutzernummer
@t-online.de
#
).0001.
Attention
In the delivery state, the VR2020-LD is prepared in such a way that a mobile radio connection can be established quickly and simply using the SIM card in slot SIM1. The APN is preset to web.vodafone.de in the active SIM profile and no PIN is set.
If a Vodafone SIM card without a PIN query is used, the connection must simply be started. In order to do this, set a checkmark at Bring up on boot under Network > Interfaces > wwan; the connection setup is then initiated via the Save & Apply button.
Otherwise only a few steps are required to establish a connection.
The configuration of the interface is carried out on the menu page Network > Interfaces > wwan.
On the wwan Edit page the SIM profile for SIM1 or SIM is selected and the Default SIM is selected for the default SIM slot.
By pressing the Save & Apply button the changes are accepted immediately and the connection is established with the new parameters.
If the provider is not known or a PIN is required, this is configured at Network > Mobile Service under the tab SIM Profiles. In the SIM Configuration tab the PIN and, in case of an error, also the PUK can be verified. Moreover, the PIN can be changed here and the PIN request can be activated or deactivated.
The VR2020-LD offers the possibility for the interface wwan to automatically switch between two provider SIM cards.
In order to switch on this function, which is deactivated in the delivery state, the checkmark Activate DualSIM support is set on the configuration page Network > Interfaces > wwan. For this, the feature Automatically establish/recover connection must be activated.
The recovery time specifies when to automatically attempt to switch back from the backup to the standard SIM slot. If never is selected at this point, the router remains on the backup connection until an error is detected.
This change is accepted by Save & Apply.
To change an existing SIM profile in the menu Network > Mobile > SIM Profiles, for example if the PIN request is activated, the PIN for the SIM card is entered for the corresponding profile.
If user name and password are additionally required, the type of WWAN Authentication is specified and these access data are entered under PAP / CHAP username and PAP / CHAP password.
The Allowed network modes can be defined here for each SIM profile. It is also possible to set the PLMN (Public Land Mobile Network Code), for example, in order to actively prevent roaming.
The configuration is saved by Save & Apply. To activate the changes, the wwan interface must be reconnected under Network > Interfaces.
In order to set up an internet connection via a gateway which provides DHCP, generally no changes are necessary. Only the WAN port has to be connected to the corresponding gateway.
To permanently configure the IP address of the WAN interface to a static address, go to the menu Network > Interfaces. By pressing Edit at the wan interface, the configuration dialog is opened.
First, the Protocol is changed from DHCP Client to Static address and the change is confirmed by the button Switch protocol.
The IPv4 address, IPv4 netmask, and the IP address of the gateway to be used at IPv4 gateway are set in the new mask.
For name resolution, Use custom DNS servers requires an appropriate server.
Optionally a separate IPv4 broadcast IP deviating from the standard can be entered.
If IPv6 is required instead of IPv4 or if an IPv6 configuration is to be performed additionally, the necessary settings are also executed here.
TDT routers are shipped with a zone-based firewall as standard.
Caution
In the delivery state all WAN interfaces are located in the firewall zone wan.
External access to the router is not permitted by default.
From the zone wan, access to local devices behind the VR2020-LD is rejected.
Local interfaces are located in the zone lan of the firewall. This zone is not subject to any restrictions.
On the overview page of the firewall you will first find the option to set the behavior that applies to interfaces without a zone.
In the combined view of the firewall zones, the zones with their contained interfaces are displayed, as well as which forwardings to other zones are allowed. This describes the behavior when a data packet arrives at the router and is routed to another zone. An example would be a request from a client computer to a web server: the packet arrives at an interface of the zone lan and is passed on to the zone wan via a routing entry, that is, »forwarded«.
A port forwarding, as the name implies, is another example of a »forwarded packet«.
In addition, it defines how to handle packets that are addressed to an IP address of the router (input) or that are generated by the router (output).
An outgoing »Masquerading«, a special form of source NAT, can be created for the zone here by activating the function Masquerading. This replaces the sender IP address with the address of the interface through which the data stream is sent to its destination.
The MSS Correction function is used to determine the »Maximum Segment Size« for data packets to the respective destination. The method is also known as »Path MTU Discovery« and is mainly used for DSL connections, since here the maximum transmission unit (MTU) is usually smaller than the common 1500 in local networks.
Caution
Forwarded packets are rejected in the default configuration unless they are port forwarding (DNAT) packets.
If such access is to be restricted, this must be taken into account in the port forwarding rule.
Port forwardings can be set up quickly and easily under Firewall > Port Forwards.
To do this the Name is specified for the port forwarding, the Protocol is selected, the zone on which the requests arrive is picked under External zone, and the addressed port is stated under External port.
For the local side, the Internal zone, the destination Internal IP address and the Internal port to be addressed on the target device are specified.
Using Add the rule is created with the specified parameters. To activate this rule, press Save & Apply to conclude.
Under Firewall > Traffic Rules the opening of ports can be managed.
Several predefined rules are to be found here. Some of these are not activated.
To activate or deactivate a rule as needed, a checkmark is set or removed in the Activate column of the overview table and the change is applied with Save & Apply.
To allow access to a port of the VR2020-LD, a name for the rule has to be assigned in the area Open ports on the router, the Protocol and the External port have to be specified, and the rule is then created via Add.
Now the newly created rule can be further limited via Edit, for example to allow access only from a defined sender (Source address).
Among other things, the Source zone, where the packet arrives at the router (the zone wan is set here by default), and the Destination zone can be adapted. When the rule is created using the Open ports on the router routine, the Destination zone is set to the value Device (input).
In order to change an incorrectly defined rule from Accept input to Accept forward, the Destination zone is adapted to the desired zone.
In addition, a few more filters can also be set for the rule here.
Save & Apply puts the rule with the new change into effect and saves it.
If, however, a device in the local network is to be reached from outside, for example via port forwarding, a New forward rule must be created.
This is added and opened immediately on the Firewall > Traffic Rules page, specifying a rule Name, the Source zone – in this case wan – and the Destination zone – lan for the local devices – using Add and edit.... Here the Destination port is specified.
Other filters are – as already mentioned under Open ports for access to the router – to be adjusted as needed.
With Save & Apply, the new rule is saved and activated immediately.
Dynamic DNS allows the VR2020-LD to be reachable under the same hostname, even if the public IP address changes.
Warning
wwan.
To set up a dynamic DNS update, go to the Services > Dynamic DNS area. Here you have the option to add a new entry.
The first step is to set up the Lookup Hostname and select whether to update an IPv4 or IPv6 address on the configuration page.
Afterwards the DDNS service provider is picked, for example dyntdt.de. If the service you are using has not yet been created, it can be prepared manually via the -- custom -- option.
For this purpose, for example, https://[USERNAME]:[PASSWORD]@www.dnshome.de/dyndns.php?ip=[IP] is specified as Custom update-URL if https://www.dnshome.de is the provider.
How the update URL should look in particular can usually be found on the pages of the service provider.
After this the Hostname/Domain, Username and Password are entered.
To transfer the data securely, it is recommended to enable Use HTTP Secure and, if the CA certificate is not present, to select IGNORE for the Path to CA-Certificate, otherwise the storage location.
In the Advanced Settings tab, the IP address source to be updated is now selected. The default here is Network, and for network it is lan.
Save takes over the new settings.
Back on the overview page, the check mark is set at Enabled and the settings are saved/activated via Save & Apply.
A VPN is used to create another network over an existing one. Many different approaches are available for this purpose. In most cases, it is mistakenly assumed that a virtual private network is inevitably a secure data transmission and the transmission is secured by means of authentication and encryption. This is not necessarily the case.
Nowadays two different technologies are used for the implementation of a VPN:
These are used, for example, to link several company sites (site to site) or external / traveling employees (roadwarrior) to access (local) enterprise services.
The two approaches are briefly outlined below.
In addition, it should be mentioned here that the VR2020 series routers contain the new VPN solution WireGuard as a further option. This offers, for example, modern cryptographic procedures and a simple configuration of cross-platform remote access via different terminal devices.
IPsec is the abbreviation for Internet Protocol Security. It enables a secure communication over potentially unsafe IP networks, e.g. the Internet.
In contrast to other encryption protocols, e.g. SSL, which is based on the transport layer, IPsec works directly on the internet layer of the TCP / IP protocol stack. This makes it transparent to applications.
IPsec uses two phases for connection negotiation.
In the first phase, encryption and authentication are performed (Internet Key Exchange = IKE). In this process secret keys are generated over several steps and an SA (security association) is negotiated, the so-called ISAKMP-SA or IKE-SA, where ISAKMP stands for Internet Security Association and Key Management Protocol.
The authentication is performed, for example, via pre-shared key (PSK) or certificates (RSA or ECDSA).
In the second phase of the IPsec negotiation, Quick Mode is used. All communication in this phase is encrypted (protected by the IKE SA). Once again SAs are generated, which are used for the actual data exchange. In order to increase security, this »data SA« – usually referred to as IPsec-SA or CHILD_SA – contains no information from phase 1.
One of two modes is used to transfer the data: transport or tunnel mode. For this purpose, the methods Authentication Header (AH) or Encapsulating Security Payload (ESP) are available, whereby ESP is generally used.
AH is based on an additional header that follows the normal IP header. For ESP, the user data also contains a header that contains the Security Parameters Index (SPI). The existence of these headers is indicated by the transport protocol number in the IP header.
Transport mode: only the packet contents are encrypted, the IP header is retained.
AH is based on an additional header that follows the normal IP header.
ESP encrypts the data of the packet, the IP header is retained.
Tunnel mode: the original packet is encrypted and sent in a new packet.
AH creates a new IP packet containing an authentication header over the original packet.
ESP encrypts the complete IP packet and encapsulates the encrypted packet into a new packet.
In order to successfully establish an IPsec connection, a number of points have to be considered / clarified in advance.
At least one side must be accessible via a public IP.
Authentication and encryption parameters must be set.
The networks / hosts to be connected must be known.
On the central site the following ports are to be released or forwarded in the firewall:
Port | Protocol | Description |
---|---|---|
– | ESP | Encapsulating Security Payload (IP protocol, no port) |
500 | UDP | Source and destination port for IKE (Internet Key Exchange) |
4500 | UDP | Required if the IPsec server is behind a NAT gateway or a masquerading firewall. |
The IPsec implementation strongSwan is used in current firmware versions. Detailed documentation and sample configurations can be found in the strongSwan Wiki.
OpenVPN is not an unsafe VPN solution, as the name might suggest. This simply expresses the fact that the source code is open and free of charge. The software is licensed under the GNU GPL and supports a variety of (modern) operating systems.
OpenVPN is used to set up virtual private networks over an encrypted TLS connection (Transport Layer Security, more widely known under the predecessor name SSL = Secure Sockets Layer). Authentication can be done via username / password, certificates or a static secret key.
A routed VPN (Layer 3) can be established with the help of OpenVPN. In this case an encrypted tunnel is established between two fictitious IP addresses of a subnetwork, the so-called transport network. This is a simple form of secure communication for establishing a tunnel between two peers.
Only IP packets are routed via a VPN tunnel in the routing mode. Layer 2 data are not transferred. Particularly in the case of internet connections with low bandwidth or even traffic limitation this variant is to be preferred, since without the ethernet frames much less data are transmitted over the tunnel.
The variant of the Bridged-VPN offers the advantage of the complete tunneling of Ethernet frames (Layer 2). A client is fully transparently integrated and receives an IP address of the subnet there. Thus this mode also allows the use of alternative protocols such as IPX or supports the transmission of wake-on-LAN packets.
WireGuard is a very young technology to implement secure and powerful virtual private networks (VPNs) with little effort. It is an open source protocol and open source software that is intended to offer an alternative to established VPN solutions such as OpenVPN or IPsec.
WireGuard was developed with the aim of making VPNs easier and to offer an alternative to existing VPN solutions. The open source software and protocol compete with VPN technologies such as IPsec or OpenVPN. Compared to existing solutions, the configuration of VPN connections should be easier and faster.
WireGuard works with high performance on Layer 3 of the OSI layer model and supports both IPv4 and IPv6. The software is deliberately kept simple and clear. It only consists of approximately 4,000 lines of programming code. Other VPN solutions sometimes have several hundred thousand lines of source code. The new VPN alternative was developed by Jason A. Donenfeld. It is available for different platforms such as different Linux distributions, macOS, Android or iOS. On Linux systems, the code runs as a module in the kernel and achieves high performance. VPN providers such as Mullvad and AzireVPN have been offering the first services based on the new VPN solution since 2018.
Note
The development phase of WireGuard has not yet been completed.
The WireGuard support will be merged into the Linux kernel 5.6.
The following goals were pursued when designing the VPN alternative:
WireGuard is characterized by its simplicity compared to the existing, mostly very complex VPN solutions. The software offers fewer configuration options and is limited to the essentials. This makes the solution easy to use and its security easy to audit; possible weaknesses are easy to find in the manageable code base. To achieve a high level of security when encrypting data, WireGuard uses modern cryptographic methods. The identities of VPN participants are linked to their public keys. Similar to SSH, connections are established by exchanging public keys. The architecture is based on the peer-to-peer model.
WireGuard uses various protocols to establish VPN connections and exchange data. The main protocols are:
The VPN solution is deliberately limited to the three basic functions for encrypted connections. The keys are exchanged in a handshake using Curve25519 with Elliptic Curve Diffie-Hellman (ECDHE). BLAKE2s serves as the universal hash function and generates, for example, keyed-hash message authentication codes (HMAC) or derives keys with the HMAC-based key derivation function (HKDF). ChaCha20 and Poly1305 are responsible for the symmetric encryption of the exchanged data. In addition to the native support of IPv4 and IPv6, it is possible to encapsulate IPv4 in IPv6 and vice versa.
Linus Torvalds has also shown himself to be a fervent supporter of its inclusion. When confirming the inclusion of network patches from the experimental branch of the kernel, the Linux father stated that he also sees the common alternatives as too cumbersome and too complicated. According to Torvalds, WireGuard is a work of art in direct comparison with the »horror of OpenVPN and IPsec«. »He therefore loves the implementation – even if it is not yet perfect – and would like it to be included in the kernel soon,« says Torvalds.
Source: Security Insider
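As an added illustration of the primitives named above (not code from the VR2020-LD firmware or from the WireGuard project), the following Python builds HKDF on HMAC-BLAKE2s and a keyed BLAKE2s MAC from the standard library and derives a separate key per direction from one shared secret. The shared secret passed in by the caller is a constructed placeholder for the Curve25519 Diffie-Hellman result, and the function names are this example's own.

```python
"""HKDF and keyed MAC on BLAKE2s, the primitives named in the WireGuard section.
Added illustration, not code from the VR2020-LD firmware or the WireGuard project.
The shared secret used by the caller is a constructed placeholder standing in for
the result of the Curve25519 Diffie-Hellman exchange described in the text."""
import hashlib
import hmac

HASH_LEN = 32  # BLAKE2s digest length in bytes


def hmac_blake2s(key: bytes, data: bytes) -> bytes:
    """HMAC over `data`, keyed with `key`, using BLAKE2s as the hash."""
    return hmac.new(key, data, hashlib.blake2s).digest()


def hkdf_blake2s(chaining_key: bytes, ikm: bytes, n: int) -> list:
    """HKDF extract-and-expand (RFC 5869) with HMAC-BLAKE2s.
    Returns `n` separate 32-byte keys from one input keying material, which is
    how a handshake turns a DH result into distinct sending and receiving keys
    instead of reusing one secret for both directions."""
    prk = hmac_blake2s(chaining_key, ikm)  # extract: salt is the chaining key
    outputs, prev = [], b""
    for i in range(1, n + 1):              # expand: T(i) = HMAC(prk, T(i-1) || i)
        prev = hmac_blake2s(prk, prev + bytes([i]))
        outputs.append(prev)
    return outputs


def mac_blake2s(key: bytes, data: bytes) -> bytes:
    """16-byte keyed BLAKE2s MAC; BLAKE2s takes the key natively."""
    return hashlib.blake2s(data, digest_size=16, key=key).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a forged tag leaks nothing via timing."""
    return hmac.compare_digest(mac_blake2s(key, data), tag)


def derive_session_keys(shared_secret: bytes) -> tuple:
    """Both peers run this on the same DH result and obtain the same pair; one
    side sends with the first key and receives with the second, the other side
    the reverse, so the two directions never share a key."""
    send_key, recv_key = hkdf_blake2s(bytes(HASH_LEN), shared_secret, 2)
    return send_key, recv_key
```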
The router offers various possibilities to manage configurations under System > Backup / Flash Firmware.
To create a configuration backup, press the Generate archive button on the Download backup page.
The configuration is then packed and offered for download. If the browser is set to “Automatically save to the following folder”, the configuration is stored in the specified folder (in most browsers Downloads by default).
The file name is created according to the scheme YYYY-MM-DD-backup HOSTNAME.tar.gz. If the browser asks before saving, the file name can be chosen as desired, but the extension .tar.gz must be retained.
After downloading, the configuration can be stored locally on the PC or in the server infrastructure.
A backup, once created, can be imported again at any time, also on another, identical device.
To do this, locate the desired file locally in the Restore backup section and restore it using the Upload archive... button. The saved configuration is loaded and the changes are activated by a reboot.
The delivery state can be restored in various ways: via the web interface, via the command line, or via the reset button.
The factory reset can also be triggered via the web interface on the menu page System > Backup / Firmware Update in the Restore delivery state section by pressing the Reset button.
To restore the delivery state via the command line, run firstboot and confirm the reset with y (= yes).
An update of the router firmware can be carried out in the web interface in two ways: via a manual upload of the firmware image, or online via the TDT update server.
In the Write new firmware image section on the menu page System > Backup / Flash Firmware, the file is selected on the local system using Image.
The checkbox Keep configuration is preselected by default. If the router is to start with factory settings after the update, the checkmark must be removed at this point.
The update process is started by pressing Flash image...
First the checksum is verified. If it is correct, the image can be flashed with Proceed; it is also possible to abort the process.
In the menu under System > Online Firmware Update you can search for a newer available software version on the TDT update server.
To do this, click Check next to Check for updates. The server is then queried and the result is displayed.
If a new firmware image is available, you can install it directly from this page.
Here, too, the checkbox Keep Configuration is checked by default. To start with the factory settings after the update, the checkmark must be removed at this point.
The process is started using Flash image... under Perform update. First the signature and then the checksum are verified. If both are correct, the new firmware is flashed without further prompting.
Note
The DSL front end can be deactivated under System > Startup. To do this, search for the dsl_control process on the page and press the Disable button so that it is not loaded during system startup.
To disable DSL during operation, the dsl_control process is stopped by clicking Stop.
In order to work optimally with the router in Windows environments, the following PuTTY settings are recommended.
The Disable application keypad mode option is set under Terminal > Features. This facilitates handling vi, for example, since the numeric keypad then remains usable.
In the Window menu, the value of Lines of scrollback is set to 20000 lines to be able to scroll back.
In order to display the characters correctly, the character set should be set to UTF-8 under Window > Translation.
Since the color blue on a black background is not easily readable in PuTTY, it is recommended to change it. This is configured under Window > Colors in Select A Color to adjust for the color ANSI Blue. The values for Red and Green are set to 54 and Blue to 216.
The parameter Seconds between keepalives can be set to 30 under Connection to keep the SSH session alive.
Especially for slow connections, the Enable Compression checkbox under Connection > SSH can be set to transfer the data compressed.
Lastly, the serial communication can be configured. The values are set according to the following table via the menu Connection > Serial.
Parameter | Value |
---|---|
Speed (baud): | 115200 |
Data bits: | 8 |
Stop bits: | 1 |
Parity: | None |
Flow control: | None |
Finally, the settings are stored as the default or as a separate profile under Session. For this purpose, either the profile Default Settings is selected or a separate session name is entered in the input field, and the settings are saved with the Save button.
Link | Description |
---|---|
www.tdt.de | Official homepage of TDT AG |
download.tdt.de | Download area on the official TDT homepage |
OpenVPN | OpenVPN: Official open-source page |
PuTTY | PuTTY, an open-source-SSH-client |
strongSwan | Official page about strongSwan IPsec |
strongSwan Wiki | strongSwan IPsec: Documentation and configuration examples |
WireGuard | WireGuard®: the official web page |
Security Insider: WireGuard | Security Insider: Definition – Was ist WireGuard® (German) |