Security operating system

for internet router

CISCO/LINKSYS WRVS4400N

download

OS

Linux 2.4.x

Features

  • for hardware model V1.0/1.1 - take a look at the bottom label of the WRV - no version number means version 1.0
  • improved security by an extended IPTABLES firewall architecture (protection against CISCO_VR_2014_01_10)
  • improved VPN security and stability at business level (based on OpenSwan version 2.6.36)
  • StableVPN : PC/MAC VPN client software for a small donation upon request; included is ImportCERT, a tool to import your own certificate for the VPN connection for stronger IPSEC tunnel encryption
  • true worldwide IPV6 support via the public and reliable tunnel brokers HURRICANE ELECTRIC and SIXXS, with GUI, for free
  • speed improvement of 10 % for WLAN and 20 % for WAN by system optimization
  • Support for the dynamic DNS provider OpenDNS.com for efficient web content filtering, domain blacklisting, spam protection and customizable illegal content blocking for the home and the small business office
  • improved FTP security : passive mode vulnerability removed
  • monthly security updates based on the open source community
  • For further details and HOWTOs write an e-mail with your firmware question to marketing@tytec.de (PGP)
  • Not vulnerable to ShellShock attacks (CVE-2014-6271) since the 1st release
  • Not vulnerable to the KRACK attack due to the customized WPA/WPA2/hostapd/wpa_supplicant implementation since version V27.27.9 (i.e. for 4 years)

IPV6 tunnel broker

Configuration tips

Power supply

  • Problem : the original CISCO / LINKSYS power adaptor does NOT provide galvanically isolated DC voltage to the WRVS, i.e. between the ethernet cable shielding (connected to the digital ground of the WRVS4400N electronics) and the AC earth wire a voltage of at least 80 VAC can be measured (see schematic for measurement details)
  • Impact : sporadic reboots or lock-ups in certain situations: perhaps during boot, under high workload due to many WLAN users on the WRVS, or at high ambient temperatures. The AC error voltage provides sufficient electrical current for a person to feel an electric shock !!!
  • Solution : use a power supply adaptor from a proven manufacturer with 12 Volt DC output voltage, at least 1,5 Amps output current and true galvanic isolation of the AC and DC power supply circuits (CLASS I). Don't trust company labels or the price of the power adaptor: do the voltage measurement. An old notebook power supply adapter from any company may do; they use true transformers with true galvanic isolation
  • Recommendation : FWA020012A-10B from ICCENERGY (formerly ELPAC)
  • Hardware affected : Rev. 1.0 / 1.1 / 2.0

Firewall management

  • Important recommendation for a minimum set of required firewall rules
  • Don't forget to add the final "DENY and LOG" rule for ANY interface (LAN or WAN or WLAN) from ANY IP address to ANY IP address (only firmware version C27.19 and above)
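A small first-match model of a firewall chain, added here as an example (it is not the firmware's own code) to show why the final catch-all "DENY and LOG" rule matters: a packet that matches no explicit rule falls through to the chain's default policy, and iptables built-in chains default to ACCEPT unless that policy is changed. The rule set, addresses and log line format are constructed for the example; connection tracking is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"  # matches any IPv4 address

@dataclass(frozen=True)
class Rule:
    iface: Optional[str]  # "LAN", "WAN", "WLAN" or None for ANY interface
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    action: str           # "ACCEPT" or "DROP"
    log: bool = False     # emit a log line when this rule matches

@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on
    src: str
    dst: str

def evaluate(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Walk the chain top to bottom like iptables: the first matching rule decides.
    If nothing matches, the chain's default policy applies (ACCEPT for iptables
    built-in chains), which is why a trailing catch-all DROP is required."""
    logs: List[str] = []
    for rule in rules:
        if rule.iface is not None and rule.iface != pkt.iface:
            continue
        if ip_address(pkt.src) not in ip_network(rule.src):
            continue
        if ip_address(pkt.dst) not in ip_network(rule.dst):
            continue
        if rule.log:
            logs.append(f"{rule.action} in={pkt.iface} src={pkt.src} dst={pkt.dst}")
        return rule.action, logs
    return policy, logs

# Constructed minimal rule set: hosts on the LAN may reach anything. A real set
# also needs an ESTABLISHED,RELATED accept rule before the final rule; conntrack
# state is deliberately left out of this model.
MINIMAL = [Rule("LAN", "192.168.1.0/24", ANY, "ACCEPT")]
# The recommended final rule: ANY interface, ANY source, ANY destination, logged.
FINAL_DENY_LOG = Rule(None, ANY, ANY, "DROP", log=True)

def verdict(pkt: Packet, with_final_rule: bool) -> Tuple[str, List[str]]:
    """Evaluate pkt against the minimal set, optionally closed by the DENY+LOG rule."""
    chain = MINIMAL + ([FINAL_DENY_LOG] if with_final_rule else [])
    return evaluate(chain, pkt)
```

An unsolicited packet from the WAN is accepted by the open-ended chain and only dropped (and logged) once the final rule is present.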

Wireless security

  • Create strong shared secrets with at least 63 chars - use this FREE crypto tool (Windows only)
  • On Mac and Linux use "openssl rand -base64 63 > shared_secret.txt"
  • Your wireless network may be attacked and wireless communication can be interrupted by radio jamming. Read this scientific white paper for protection hints and detection methods for locating the source of a radio jamming attack.
  • Your wireless network communication may be interrupted by an intruder with mobile gadgets
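Added example (not part of the page, the firmware or its tools): generating a WPA2-PSK passphrase that fits the 8 to 63 printable-ASCII limit of 802.11i, validating one, and deriving the 256-bit PMK from passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 rounds), which is the value hostapd and wpa_supplicant actually derive from the shared secret. One caveat on the command above: "openssl rand -base64 63" prints 84 base64 characters, 21 more than the 63-character WPA2 maximum, so its output must be cut to 63 characters before it is entered in the router; the helper at the end does that. The check uses the IEEE 802.11 Annex test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import secrets
import string

# Generator alphabet: printable ASCII letters, digits and punctuation. Space is
# printable too, but some clients trim it, so it is left out here.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_passphrase(length: int = 63) -> str:
    """Return a random WPA2 passphrase, 63 characters (the maximum) by default."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))

def is_valid_passphrase(passphrase: str) -> bool:
    """802.11i rule: 8 to 63 characters, each printable ASCII (0x20..0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    A captured 4-way handshake can be checked offline against candidate
    passphrases through exactly this function, so the passphrase's entropy is
    the only thing protecting the network once traffic has been recorded."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("invalid WPA2 passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def trim_openssl_output(b64: str) -> str:
    """'openssl rand -base64 63' prints 84 base64 characters; keep the first 63."""
    return b64.strip()[:63]

if __name__ == "__main__":
    psk = generate_passphrase()
    print(psk, len(psk))
    print(derive_pmk(psk, "MyWRVS4400N").hex())  # constructed SSID
```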

Certificate management

  • Install the TYTEC root certificates (for ECDHE-ECDSA-AES256-SHA SSL server encryption) in the trusted root certificate store
  • Connect to the router with the following address in your browser (IE, Mozilla): https://www.routerlogin.net
  • The HTTPS connection is encrypted with a 2048 bit key and the AES-256 cipher - a necessary precondition for secure remote management of the router
  • Install the certificate provided by the router in the certificate store on your computer

HURRICANE ELECTRIC

  • In the "IP Mode" pane enable 6to4
  • Disable in the "LAN" pane the options "DHCPv6" and "Router Advertisement"; the ipv6 daemon provides the needed functionality
  • Register a free tunnel from HURRICANE ELECTRIC - done in a few seconds, no approval necessary
  • Enter in the "IPV6 Broker" pane the information from HURRICANE ELECTRIC
  • Once the tunnel has been established successfully, the router will bring up the tunnel and update your router's IPv4 WAN address at HE automatically on the next boot, or manually via the config page
  • Very low packet latency ~40 ms (32 bytes) to GOOGLE IPV6
  • Now part of the "GOOGLE over IPv6 project" with an anycasted recursive caching nameserver for IPv6: 2001:470:20::2
  • You can now access GOOGLE mail (2001:4860:a003::53) and more GOOGLE features (2001:4860:a003::68) via IPv6 - faster and more reliable over the IPv6 network !!!

SIXXS

  • In the "IP Mode" pane enable 6to4
  • Disable in the "LAN" pane the options "DHCPv6" and "Router Advertisement"; the ipv6 daemon provides the needed functionality
  • Request a free tunnel and a free subnet from SIXXS
  • Enter in the "IPV6 Broker" pane the information received from SIXXS after approval - this may take a long time
  • Once the tunnel has been established successfully, the router will bring up the tunnel automatically on the next boot
  • Packet latency ~180 ms (32 bytes)

VPN - IPSEC

  • Create a free DYNDNS entry for your router (link)
  • Create a VPN user and a password (max 20 chars)
  • Install the StableVPN client software on your computer after a small donation
  • Create your own self-signed certificate for the WRV for stronger IPSEC tunnel encryption with either MakeCert.exe (Win) or OpenSSL (Mac, Lin)
  • Integrate with ImportCERT your own certificate (either self-signed or signed by a known CA) into the WRV for stronger IPSEC tunnel encryption
  • Select within StableVPN, from the secured Windows certificate store, your own certificate (protected by a simple password, a smartcard or a biometric check) to verify the VPN gateway
  • Export your router certificate (Export for client) to your computer and copy it into the QVPN install directory - set the name of the certificate to: WRVS4400N_Client.pem
  • Enter in the StableVPN software the DYNDNS name of your router
  • Check the IPSEC configuration of your PC with the integrated system check in StableVPN

FTP

  • Disable PASV mode in SAFARI, IE : the router will handle everything for you
  • LINUX users - enter the appropriate rules for PASV FTP mode into your router's IP based firewall rule table

Help

Client computer

  • You can connect with a Windows/Mac/Linux internet browser
  • Windows Vista users are able to configure a very strong SSL encryption cipher with these steps

Firmware

WRVS4400N (1.0/1.1)

NEW NEW NEW Version_C27.27.127 NEW NEW NEW

Release notes (DOC) Release notes (PDF)

Current Firmware

Version: C27.27.127

Changes

  • (russian) bullet-proof router security
  • Improved wireless speed with a stable 300 MBit on Win7 / Win8 and Linux (kernel >= 3.13.xx) with the Linksys WUSB6300 wireless notebook adapter (USB 3.0 or 2.0 HUB with external power supply required) : works perfectly for "OLD" laptops with slow WLAN adapters
  • Improved network throughput achieved by dramatically reduced latency for DMA transfers of network packets between LAN/WAN/WLAN
  • Improved wireless network security & connection stability - bullet-proofed
  • Improved wireless network throughput due to increased interrupt frequency
  • Disabled the SSL 2.0 & SSL 3.0 protocols for all router programs for protection against the POODLE vulnerability (CVE-2014-3566)
  • Upgrade to OpenSSL 0.9.8zc with fixed security advisories ( CVE-2010-4180, CVE-2010-4252, CVE-2010-3864, CVE-2010-0742, CVE-2010-0740 )
  • Added protection against MAC address spoofing for WLAN
  • DNSSEC with protection against phishing now supported via the static DNS server fields on the LAN setup page (validating resolver from your internet provider, e.g. COMCAST : DNS1: 75.75.75.75 and DNS2: 75.75.76.76)
  • Improved speed and security for the wireless client computer authentication procedure for Windows, Mac OS and Linux
  • Fixed a bug in the IP display on the port range forwarding page and the switch statistics page
  • VPN security bugfix for CVE-2009-2185 in OPENSWAN
  • OpenDNS.com daemon with all features for efficient blocking of fraudulent and illegal web content and spam - take a look at OpenDNS.com, you will be surprised - totally free for the home user and the family internet administrator (FIAR)
  • Based on an OpenDNS.com account, the DNS-O-Matic service automatically distributes changes of your WRV WAN IP to all dynamic DNS providers where you have DNS names registered, e.g. DynDns.com, NO-IP.com ...
  • When the DYNDNS provider is configured to OpenDNS.com, their static DNS servers are the first choice for DNS resolution requests from any PC in the WRV subnet
  • Upgrade for the new Hurricane Electric server - faster access to the IPv6 server
  • Solution for Openswan vulnerability reported in CVE-3380
  • Improved memory management
  • Improved DNS resolution speed

Next Firmware

Version: C27.27.127.1

Release date : March 27th

New Features

  • Added STEALTH mode for LAN / WLAN
  • Added Secure Admin control app for Stealth mode management
  • Added Remote wakeup for LAN devices (PC, MAC, Server)

Security++ device

  • NEWLY developed electronic circuitry for improved protection against special attack patterns for router hardware versions 1.0 - 2.0
  • Send in your router, we will add the electronic protection device and return the protected router
  • For a quote please send an e-mail to securitypp@tytec.de
  • Service currently only available in Germany

IPS - Database

Version 1.50

VPN Client

StableVPN

  • works on all hardware versions V1.0/1.1/2.0

  • works with the custom firmware as well as with the original Linksys/Cisco firmware

  • was proven in the scenario PC->NAT-Device (GW)->Internet->WRVS4400N->PC (NAS, Server, whatever). Any questions? Don't hesitate to ask!

PC (VISTA/Windows7/Windows8 32/64 Bit)

Stable VPN PC

Version 1.27.27.1 with strong RSA encryption based on individual certificates, NEW! NEW! NEW! now with SmartCard support Release notes

Strong encryption of sensitive configuration information, bundled with ImportCERT, a certificate import tool for the WRV which allows you to integrate your own self-signed organization certificate for HTTPS and VPN access

with 1 year e-mail support (WRV+VPN) for only 39 $

MAC (10.5.x Intel)

Stable VPN MAC

Version 1.27.1 Release notes

ask for a trial license with 1 year e-mail support (WRV+VPN)

for only 55 $

VPN Client mobile

Android Phone (Android 4.3 „Jelly Bean“)

Coming soon ...