I wanted to toggle my DD-WRT router radio (=WiFi) on and off with a gesture from my iPad (long pressing home button for instance), and with a shortcut key from Windows. This is possible with SSH, and you are not limited to only toggling the router radio on and off, you can run many other commands on SSH capable devices/applications.

To do this, you need to enable SSH on your device/application first (if it’s not already enabled). For DD-WRT this can be done via the web interface (at 192.168.1.1 by default) > administration (or services in v24) > services > secure shell > SSHd.

I cover iOS (8.1) and Windows (7) solutions, Android will be similar.

Note: in case of toggling the router radio (=WiFi) on and off from a mobile device, it’s clear that if you turn it off, you need a route to the router to turn it back on e.g. from another WiFi enabled router that has wired connection to the first router i.e. if you have a single router and you turn the WiFi off, you cannot turn it back on from a mobile device.

Security tips:

• You have already changed your router’s root password, right?
• For strong security (and passwordless login) you can consider using public key authentication for SSH login, and disable password login. This is covered in this post.
• Change default SSH port (22 for DD-WRT) to a random unconventional port greater than 1024 (and less than 65535) for added security. In DD-WRT routers this can be done via router control panel (accessed at 192.168.1.1 by default) > administration (or services in v24) > services > secure shell > port.

iOS (iPhone, iPad, …):

First you need a jailbroken device. You also need to install OpenSSH by Jay Freeman (saurik) from Cydia/Telesphoreo repository.

Security tips: 

• change your iOS ‘root’ and ‘mobile’ users password, especially if you install OpenSSH (this reduces the chance of unauthorized ssh  access to your iDevice).
• You can disable (inbound) ssh when you are not using it (again to prevent unauthorized ssh access). The section “Disabling SSH on iOS for enhanced security” below describes how to do that.

Let’s start with some easy stuff initially. Install a terminal. I use “iOS Terminal” by ichitaso from BigBoss repository, there are other alternatives like NewTerm & MobileTerminal as well. Now open the terminal app. To ssh to your router as root user run this (assuming your router ip is 192.168.1.1 and you’ve changed your SSH port to 11223):

ssh root@192.168.1.1 -p 11223

If everything goes right, you’ll be asked for root password, enter it (keep in mind that you’ll be asked for a confirmation as well when you ssh to a new device for the first time). This is the same password as router web GUI. After successfully logging in, you can run different commands. To test, you can run help command which lists built-in commands. Now to turn off radio (WiFi) you need to enter this line which has two commands:

stopservice nas; wl -i eth1 radio off

To turn radio back on (from another route or from a wired connection) you need these three commands:

stopservice nas
wl -i eth1 radio on
startservice nas

Public key authentication

To do the above procedure with a gesture from iOS we need to put everything in a single command which doesn’t need user interaction in the process. That being said, entering root password by the user becomes a problem here. As mentioned before to do passwordless login which is also more secure, we need to use public key authentication. And for this, we need to generate a pair of public/private key. You can do this with ssh-keygen command right from iOS terminal.

To use the latter type the command in terminal (exit the ssh if you are still in it by entering exit command), specify a name for the files, and leave the passphrase empty to make things easier. Let’s say you entered “key” as file name, two files will be created at /var/mobile, “key” (the private key) and “key.pub” (the public key). Open the key.pub file in a text editor (if you cannot do it on iOS transfer the file to a computer and use something like Notepad++) and copy what’s inside, then paste it in the router web interface > administration (or services in v24) > services > secure shell > authorized keys. Now, with this command you should be able to do automatic ssh login without password (If you can’t, it could be because of an issue that is explained further down in troubleshooting section):

ssh root@192.168.1.1 -p 11223 -i /var/mobile/key

Password login method is no longer needed, so you can turn it off for better security. To do this in DD-WRT go to router web interface > administration (or services in v24) > services > secure shell > password login, and select disable.

Finalizing

To embed the two commands required to turn off the radio into the ssh command, use the following:

ssh root@192.168.1.1 -p 11223 -i /var/mobile/key 'stopservice nas; wl -i eth1 radio off'

And for turning on:

ssh root@192.168.1.1 -p 11223 -i /var/mobile/key 'stopservice nas; wl -i eth1 radio on; startservice nas'

Finally, to assign these commands to a gesture in iOS, you need the following:

• “Activator” by Ryan Petrich, from BigBoss repository
• “Activate Command” by rjharris, from BigBoss repository

Just put the command in “Active Command” and assign a gesture to it in “Activator”.

Disabling SSH on iOS for enhanced security

As mentioned above in a security tip, you can disable (incoming) ssh on iOS when not in use for added security. A combination of the 3 following tweaks creates an easy to use toggle in your control center for enabling/disabling ssh:

• “Flipswitch” by rpetrich & A3Teawks, from BigBoss repository
• “SSH Toggle (Flipswitch)” by ichitaso, from BigBoss repository
• “FlipControlCenter” by Ryan Petrich, again from BigBoss repository

Perhaps it’s worth noting that this method does not actually disable ssh service, it just denies incoming requests, which is fine. That means you can still do ssh from iOS, you just can’t do ssh to iOS. So for doing the stuff in this post you can keep (inbound) ssh disabled on your iDevice. If for some reason you really want to stop the ssh service, you can do that by command line tools (not difficult to find).

---

Windows

To do ssh from windows you can use PuTTY. For public key authentication you can use the existing private key generated with ssh-keygen command, or you can generate a new pair of keys. To use the existing private key, transfer it (/var/mobile/key) to a computer, load it in PuTTYgen, and hit the button named ‘Save private key’ to save the key as a .ppk file which is PuTTY compatible. If you want to generate new keys, PuTTYgen can do that as well.

Now, open PuTTY. In Session section enter root@192.168.1.1 as “Host Name (or IP address)” and 11223 as port. Go to Connection > SSH > Auth > Authentication parameters > Private key file for authentication, and open your .ppk private key file (converted or newly generated). Come back to Session and save your session, let’s say you have saved it with the name ‘router’. You should be able to ssh to your router now with these settings without password (keep in mind that you’ll be asked for a confirmation as well when you ssh to a new device for the first time).

To feed commands, first create a txt file in the same folder as putty.exe (could normally be C:\Program Files (x86)\PuTTY in 64-bit versions of windows if you installed PuTTY by its exe installer) with your desired commands. I created a file named wifi_off.txt with the following commands:

stopservice nas
wl -i eth1 radio off

Next, open a command prompt, go to putty.exe path, and run the following:

putty.exe -load "router" -m wifi_off.txt

This should turn your WiFi off. Put the above command in a batch (.bat) file. Now whenever you want to turn off the WiFi, you just need to run the batch file. After having a batch file, you can use it in many scenarios. You can create a shortcut of it in the start menu, assign a shortcut key to it, put it in the startup, or schedule it to run whenever you want (when shutting down your PC for example). For turning on the WiFi you can create another batch file which calls another txt file with the commands below:

stopservice nas
wl -i eth1 radio on
startservice nas

---

Additional info

I covered iOS 8.1 and windows 7, you can achieve the same on Android by using similar tools.

I want to point out some more information next.

Troubleshooting

I mentioned that the ssh command may not work as expected, it may ask you for confirmation even after the first time ssh connection (which interrupts the automatic sequence of running commands), or it may not allow you to connect at all. This is a security feature to prevent man-in-the-middle attacks, but a changed router’s key fingerprint (resulted from a router reset and/or upgrade) can trigger this as well. In command line, these two switches combined can bypass this check:

-o UserKnownHostsFile=/dev/null

-o StrictHostKeyChecking=no

These switches used in a sample command:

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.1.1 -p 11223 -i /var/mobile/key 'stopservice nas; wl -i eth1 radio off'

Be careful as this approach makes you vulnerable to man-in-the-middle attacks, so if this a concern to you, you need to find another method.

More info on this here.

Right way to turn WiFi on/off on DD-WRT

You saw the commands for turning the radio on/off:

Off:

stopservice nas
wl -i eth1 radio off

On:

stopservice nas
wl -i eth1 radio on
startservice nas

You may ask why not using the wl command alone to do these, as it seems to be in charge of that. That’s not the proper way. You can turn the radio off with wl -i eth1 radio off, but then you are in a state that you cannot turn the radio back on with entering wl -i eth1 radio on. Although the radio status will be ‘Radio is On‘ in router web interface > status > wireless > wireless status > radio, you cannot connect to WiFi.

Additional reading

Telnet/SSH And The Command Line in DD-WRT