The docs below once followed will setup a TPE-R1300 router using libreCMC 6.x for use with a ThinkPenguin USB 4G modem (TPE-USB4G2US) AND also provide the option of using the router as a wireless relay to another access point. All traffic passing through the router will be encrypted and sent over the wireless or cellular connection and through our PenguinVPN servers (subscription required). This configuration is compatible with access points using captive portals.
This documentation has been vetted on LibreCMC 6.5 OEM version w/ TPE-R1300 wireless router and a TPE-USB4G2US USB 4G modem. It assumes all required packages are already installed.
Note: These directions assume you have a clean router, if not reset the router using the reset button in System > Backup / Flash Firmware
1. Connect TPE-USB4G2US USB 4G modem, antennas, power, and an ethernet cable from the LAN port to an ethernet port on your computer
2. Open a web browser on the computer and go to https://192.168.10.1/
3. Click the Log in button
4. Click the Go to password configuration... button
5. Enter a password, the default that we use is 'none' without the quotes
6. Click the Save button
7. Go to Network > Interfaces
8. Click the Edit button for the LAN interface
9. Change the IPv4 address to 192.168.4.1
10. Click the Save button
11. Click the Save & Apply button
12. Click the Apply and keep settings button
13. Give the router 90 seconds to reboot
14. Go to the Network applet on the PC and disconnect, then reconnect, the router will issue you a new IP in the 192.168.4.x range
15. Open a browser on your PC and log in to the router at its new IP address: https://192.168.4.1
16. Go to Network > Wireless
17. Click the Scan button
18. Select the Join Network button for an access point you'd like to connect to
19. Enter a password for the access point (if one is required) into the WPA passphrase box
20. Click the Submit button
21. Click the Save button
22. Click the Save & Apply button
23. Go to Network > Interfaces
24. Click the Edit button for the wwan interface
24. Under the General Settings tab uncheck the box that says Bring up on boot
25. Click the Save button
26. Click the Save & Apply button
27. Click the Add new interface... button
28. In the Name box enter wwan0
29. In the Protocol drop down box select QMI Cellular
30. Click the Create interface button
31. Under the General Settings tab uncheck Bring up on boot
32. For Modem Device drop down / box select /dev/cdc-wdm0
33. In the APN box enter the APN for your cellular provider, example for AT&T it's broadband
34. Click the Save button
35. Click the Save & Apply button
36. Go to System > Reboot
37. Click the Perform reboot button
38. Give the router 90 seconds to reboot
39. Open a terminal on your PC and ssh into the router:
ssh root@192.168.4.1
40. Use the vi text editor to create a new script called 10-4g-down-wifi-up.sh, this will monitor for attempts to connect to an access point and call another script to apply any needed firewall rule changes automatically/bring up the VPN:
vi /etc/hotplug.d/iface/10-4g-down-wifi-up.sh
41. Hit the a key to enter edit mode
42. Copy and paste the following script:
#!/bin/sh
[ "$ACTION" = "ifup" ] || exit 0
case "$INTERFACE" in
wwan|wlan*|wlp*|radio*) ;;
*) exit 0 ;;
esac
# Use a temporary lock per interface (no persistent file)
LOCK="/tmp/wifi_up_${INTERFACE}_attempt"
# Avoid duplicate runs for same event (e.g., rapid triggers)
[ -f "$LOCK" ] && sleep 1 && [ -f "$LOCK" ] && exit 0
touch "$LOCK"
# Run script
/root/4g-down-wifi-up.sh
# Optional: Remove lock after short delay (not required, tmp cleared on reboot)
(sleep 5; rm -f "$LOCK") &
43. Save & exit text editor by hitting the escape key and typing in :wq! [enter]
44. Set the permissions for the 10-4g-down-wifi-up.sh script:
chmod +x /etc/hotplug.d/iface/10-4g-down-wifi-up.sh
45. Use the vi text editor to create a new script called 4g-down-wifi-up.sh, this will apply any needed firewall rule changes automatically, bring up the wifi, and call another script to connect to the VPN:
vi /root/4g-down-wifi-up.sh
46. Hit the a key to enter edit mode
47. Copy and paste the following script:
#!/bin/sh
#bring down the 4g modem
ubus call network.interface.wwan0 down
ubus call network.interface.WGINTERFACE down
# switch back to routing traffic through the wan
# this is for the firewall
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall
/etc/init.d/firewall restart
# Ensure the wireless interface is enabled and apply configuration
uci set wireless.radio0.disabled='0'
uci set wireless.wifinet1.disabled='0'
uci set wireless.wifinet2.disabled='0'
uci commit wireless
ubus call network.interface.wwan0 up
uci add_list dhcp.@dnsmasq[0].server='8.8.8.8'
uci commit dhcp
/etc/init.d/dnsmasq restart
# Bring up the VPN once internet access has been established
# this will give the user 3 minutes to get through any captive portals
# if general internet connectivity hasn't been established after
# 3 minutes this will also bring the wifi connection down
# to ensure the user isn't left thinking there is a VPN
# connected when there isn't
while true; do
if ping -c1 google.com >/dev/null 2>&1; then
/root/up-vpn.sh
break
fi
if [ $((SECONDS - start_time)) -ge 180 ]; then
wifi down
break
fi
sleep 4
done
48. Save & exit text editor by hitting the escape key and typing in :wq! [enter]
49. Set the permissions for the 4g-down-wifi-up.sh script
chmod +x /root/4g-down-wifi-up.sh
50. Use the vi text editor to create a new script called up-vpn.sh, this script brings up the VPN:
vi /root/up-vpn.sh
51. Hit the a key to enter edit mode
52. Copy and paste the following script:
#!/bin/sh
# Start the interface
ifup WGINTERFACE
sleep 10
uci set firewall.@forwarding[-1].dest='VPN'
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@zone[2].masq='1'
uci set firewall.@zone[2].mtu_fix='1'
uci commit firewall
/etc/init.d/firewall restart
53. Save & exit text editor by hitting the escape key and typing in :wq! [enter]
54. Set the permissions for the up-vpn.sh script:
chmod +x /root/up-vpn.sh
55. Go to Network > Wireless
56. Click the Restart button for radio0
57. Click the Save & Apply button
58. Go to Network > Interfaces
59. Click the Restart button for wwan
60. Click the Add new interface... button
61. In the Name box enter WGINTERFACE
62. Select WireGuard VPN from the Protocol drop down box
63. Click the Create interface button
64. Under the General Settings tab uncheck Bring up on boot
65. Copy the Private Key for your PenguinVPN subscription into the Private Key box
66. Copy the Public Key for your PenguinVPN subscription into the Public Key box
67. Copy over the Address to the IP Addresses box and click the + button
68. Click the Advanced Settings tab
69. Check the Force link box
70. Click on the Firewall Settings
71. For the Create / Assign firewall-zone drop down enter VPN in the custom field of the drop down and hit enter
72. Click the Peers tab
73. Click the Add peer button
74. In the Description box enter Europe
75. Copy the Public Key for your PenguinVPN subscription into the Public Key box
76. Copy the Private Key for your PenguinVPN subscription into the Private Key box
77. Copy the PresharedKey for your PenguinVPN subscription into the Preshared Key box
78. Copy the AllowedIPs for your PenguinVPN subscription into the Allowed IPs box
79. Check the box Route Allowed IPs
80. Enter europe.penguinvpn.com into the Endpoint Host box
81. Enter 1637 into the Endpoint Port box
82. Enter 25 into the Persistent Keep Alive box
83. Click the Save button
84. Click the Save button again
85. Click the Save & Apply button
86. Go to Network > Wireless
87. Click the Restart button next to radio0
88. Go to Status > WireGuard to and check that Latest Handshake shows a date/time
89. Use the vi text editor to create a new script called 10-cdc-wdm0, this script calls another to connect to the cellular service upon the USB 4G modem being connected:
vi /etc/hotplug.d/usb/10-cdc-wdm0
90. Hit the a key to enter edit mode
91. Copy and paste the following script:
#!/bin/sh
LOCK_FILE="/tmp/modem-finished-loading.txt"
STATE_FILE="/tmp/.modem_boot_state"
case "$ACTION" in
"add")
# Skip if already completed
[ -f "$LOCK_FILE" ] && exit 0
# Ensure 15s since last run
[ -f "$STATE_FILE" ] && {
elapsed=$(( $(date +%s) - $(cat "$STATE_FILE") ))
[ $elapsed -lt 15 ] && exit 0
}
date +%s > "$STATE_FILE"
sleep 10
date >> "$LOCK_FILE"
/root/on-usb-4g-modem-insert.sh
;;
"remove")
# Clean up all temporary and flag files
rm -f "$LOCK_FILE" "$STATE_FILE"
;;
esac
92. Save & exit text editor by hitting the escape key and typing in :wq! [enter]
93. Set the permissions for the 10-cdc-wdm0 script:
chmod +x /etc/hotplug.d/usb/10-cdc-wdm0
94. Use the vi text editor to create a new script called on-usb-4g-modem-insert.sh, this script connects to the cellular service, and then calls another script to bring the VPN up:
vi /root/on-usb-4g-modem-insert.sh
95. Hit the a key to enter edit mode
96. Copy and paste the following script:
#!/bin/sh
# bring down 4g and wifi and wireguard interfaces
ubus call network.interface.WGINTERFACE down
wifi down
ubus call network.interface.wwan0 down
# bring 4G modem up
ubus call network.interface.wwan0 up
uci add_list dhcp.@dnsmasq[0].server='2001:4860:4860::64'
# switch back to routing traffic through the wan
# this is for the firewall
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall
/etc/init.d/firewall restart
sleep 15
# bring up the VPN
/root/up-vpn.sh
92. Save & exit text editor by hitting the escape key and typing in :wq! [enter]
93. Set the permissions for the on-usb-4g-modem-insert.sh script:
chmod +x /root/on-usb-4g-modem-insert.sh
94. To clean up and make an archive of this for simplifying applying the configuration on multiple routers continue the directions here:
95. Go to Network > Interfaces
96. Click the Edit button for the WGINTERFACE
97. Click the Edit button under the Peers tab
98. Delete the Public Key from the Public Key box
99. Delete the Private Key from the Private Key box
100. Delete the Preshared Key from the Preshared Key box
101. Click the Save button
102. Open a terminal and ssh into the router:
ssh root@192.168.4.1
103. Use the vi text editor to edit /etc/config/network
vi /etc/config/network
104. Hit the a key to enter edit mode
105. Delete the option private_key line from the config interface 'WGINTERFACE' section
106. Delete the option public_key line from the config wireguard_WGINTERFACE section
107. Delete the option private_key line from the config wireguard_WGINTERFACE section
108. Delete the option preshared_key line from the config wireguard_WGINTERFACE section
109. Save & exit text editor by hitting the escape key and typing in :wq! [enter]
110. Use the vi text editor to edit /etc/config/wireless
vi /etc/config/wireless
111. Delete the whole config wifi-iface 'wifinet1' section
One last note: The Generate Archive button does not backup /root and does not back up /etc/hotplug.d so you'll have to download it, extract the archive, add these folders manually, then add the scripts, and then set the permissions to executable before creating a new tar.gz archive file. When a user restores the newly created archive it will extract the directories and scripts just fine and do so with the correct permissions (assuming you've set the scripts to executable as instructed).