Khadas VIM as a router


I just got a VIM and I am trying to setup a router.
Let’s start simple, then we may add some fancy stuff:

1- get the wifi in AP mode (hostapd)
2- setup a local network with a dhcp server
3- route some packet…

With Vim_Ubuntu-server-16.04_Linux-4.9_V170604 points 1 and 2 are ok but when I try to use netfilter to start a NAT with:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

it fails. It seems the NAT support is not in the 4.9 kernel and trying the previous image (Vim_Ubuntu-server-16.04_V170515) it’s a no-go as hostapd too fails initializing the wlan0 interface.

Am I missing something? Any plan to release a kernel with a full netfilter (masquerading) support?

By the way, if this is of some interest for someone, I may write a short howto


Hi, Alex:

Kindly to do that, so other folks can follow your instructions and do more testing. (A good instruction can be publish at Khadas Docs )

We haven’t test the hostap on Ubuntu release yet, but I think we will do that before next build.



Ok, let’s go for a short howto.
This is just the start of the journey since right now, the best we could achieve is a switch, not a router.

Why we are doing this? Short answer: just for fun, long one… actually if the VIM provides enough bandwidth to be used on a DSL WAN then this could be a great base to build an OpenVPN endpoint without the CPU/RAM constraints from a typical consumer grade router.

Let’s set the goal: build a basic router with the WAN port on the VIM ethernet interface, the LAN port(s) will be supported by the VIM wireless interface operating in access point mode (AP).

From a logical point of view the LAN will operate on the 10.10.0.x address space and a local DHPCP server will manage the local clients. In order to route packets between the WAN interface and the LAN we need to use the linux kernel netfilter subsystem and specifically the NAT/masquerading function and this is the first problem we have to solve.

Assuming we can overcome this then it’s a matter of the bandwith we can achieve between LAN and WAN, if we are above 20-30 Mb/s then the whole thing becomes useful and we could integrate the VPN client and a firewall.

Last but not least, the credit for this fully goes to the thread at this link:

Let’s start.

First thing you want to install the Vim_Ubuntu-server-16.04_Linux-4.9_V170604 image, when done you need to connect the VIM ethernet port to a network with internet access and run these commands:

echo “auto eth0” >> /etc/network/interfaces
echo “iface eth0 inet dhcp” >> /etc/network/interfaces
/etc/init.d/networking restart

at this point you should have internet access on the VIM, you can test it pinging something, then we need some support packages:

apt update
apt upgrade
apt install openssh-server (this is optional but I just prefer to do the rest on my laptop on a remote ssh seession)
apt install man-db
apt install nano

now we need to enable some additional repository for the packages we actually need, you can use the editor “nano” you just installed so run:

nano /etc/apt/sources.list

in this file you want to uncomment (remove the # in the first column) the “universe” repositories (it’s in more than one line) where there are the packages we need for the next steps. When done save the file and run the following commands to reload the repositories and install everything:

apt update
apt upgrade
apt install iptables
apt install iw
apt install hostapd
apt install isc-dhcp-server

if everything is fine we are done, all the packages are installed and we can configure them.
To do so we need to edit some files, let’s go:

nano /etc/hostapd/hostapd.conf
and inside the file past this:


when activated this will open a WPA access point on the VIM broadcasting a “test” network you can join with passphrase 1234567890. To test the configuration run:

hostapd /etc/hostapd/hostapd.conf

and if you can see the test network then you can start it as a service with:

service hostapd restart

Right now the “test” netweork still lacks a dhcp server so if you attempt to join it then you will get an error.
Ok let’s fix this, edit this file:

nano /etc/default/isc-dhcp-server

and add this:


then edit this other file:

nano /etc/dhcp/dhcpd.conf

and at the end add this:

subnet netmask {
option domain-name-servers,;
option routers;

and then this one:

nano /etc/network/interfaces

at the end add this:

auto wlan0
iface wlan0 inet static

in order to activate the dhcp server you need to restart it with:

service isc-dhcp-server restart

and to check if everything is fine you can look at the syslog output running

journalctl -e

If you are still with me at this point you shold have (I can confirm I got it working):

  • the VIM ethernet (eth0) port connected to the internet
  • hostapd fully configured providing a WPA protected “test” WiFi network (passphrase 1234567890)
  • a dhcp server assigning client addresses on the range - and google/opendns dns servers

Now the only missing stuff should be this two commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

the first one tells the kernel to enable the routing and the second tells the kernel netfilter subsystem how to actually manage the routing between the LAN and the WAN (we need address translation since on the LAN we are using IPs from a not public range).

The problem here is that “iptables -t nat” fails complaing that the NAT is not available from the kernel.

I found another thread (Get Docker running on Khadas VIM) where it seems some netfiter stuff was not included in a previous VIM kernel image:

  • CONFIG_IP_NF_NAT: missing

Looking in the VIM filestem under /lib/modules/ I see very few modules are there. I do not have the full config file for the released VIM 4.9 kernel but at this point I understand this is how the kernel was configured.

Maybe @Gouwa has some additional infos here.

It would be great if someone can build a new kernel image with the full netfilter functions enabled and for the next official release this would be really appreciated.

In the meantime we are basically stuck. If you have any suggestion it is welcome


Hi, Alex:
Thanks for the instruction.

@numbqq please do test and confirm with this.



Hi alex24,

I try the kernel with CONFIG_IP_NF_NAT and CONFIG_NETFILTER_XT_MATCH_IPVS configured,command
‘iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE’ work well,and i can join the AP.


--- a/arch/arm64/configs/kvim_defconfig
+++ b/arch/arm64/configs/kvim_defconfig
@@ -69,6 +69,7 @@ CONFIG_IPV6_TUNNEL=y

And we will add this configuration in next release.



Using which network/netmask is eth0 itself being ‘connected to the internet’?
(a) Is it doing PPPOE via a modem that connects to the internet?
(b) Does it have a 192.168.c.d/24 -style address/subnet?
In case of (b) would it not be possible to bridge eth0 and wlan0?
Then you do not need NAT behind NAT and 2 DHCP servers (each one for each subnet).
In short, then you do not need


Hi guys,
first of all thanks for the support! It’s really a good news that you are going to include the NAT support in the next kernel.

@tasinofan Yes you are right the test setup we have is actually a DSL modem/router with a LAN on a 192.168.x.x/24 address space and the VIM ethernet port is on this LAN.

Since in the released 4.9 kernel the bridge module is there you can join the modem LAN and the VIM one quite easily, all you need is to stop the VIM DHCP server and do something such as:

ip addr flush dev eth0
ip addr flush dev wlan0
brctl addbr br0
brctl addif br0 eth0 wlan0
ip link set dev br0 up
dhclient br0

at this point the clients on the VIM wifi are managed by the DSL modem/router and the can reach the internet.

Unfortunately this does not suit the original goal of building a combo router/VPN client but we can use it as a way to test the VIM performances in AP mode.

On this topic I would add some info, the performance of the VIM wifi acting as AP are in several way surprising. On one hand it is a feature the VIM wifi can work out of the box with hostapd and, with the switch setup above, the bandwidth available to a client on the VIM wifi from is about 19-20 Mb/s vs. 23-24 Mb/s when the client is connected to the DSL AP wifi.

The performance drop seems to be related to a quite high ping time to the hostapd managed AP in the VIM. Let me explain, with a laptop connected as client to the VIM wifi in AP mode we have:

ping about 20 ms (average)
ping -f on the other hand reports a much faster 3-4 ms avg.

For reference, the same laptop connected as client to the DSL wifi gets an average ping time of 1-2 ms to the DSL wifi AP.

This results are interesting, the 20 ms ping is quite bad for a single hop, but this seems to change for the better when the traffic grows (the -f options “floods” the target with as much packets as possible).

On the internet some users are reporting similar issues (either on x86 and ARM) with hostapd and the suggested fix is to disable the wifi power save mode, this can be checked with:

iw dev wlan0 get power_save

the VIM reported it as enabled and it can be disabled with:

iw dev wlan0 set power_save off

unfortunately the poor performance for the “standard” ping was not much affected so we may need some specific knowledge about the AP6255.

Any suggestion is welcome and I hope someone can have a look on this when working on the next kernel


I have huge lag when using WiFi with mainline kernel, AP6255 is something what RPi3 uses to. There is discussion ongoing in linux-amlogic mailing list. So it could be related!

Heiner Kallweit:
Lagging is a quite frequent issue with WiFi and can have very different reasons.
I’m not sure we can blame the SDIO host driver for this in the case here.
E.g. RPi3 uses the same brcmfmac driver with other SDIO host driver and there
are also lot of complaints about poor Wifi performance.


Interesting, I see they are managing 40-50 Mb/s from the VIM wifi, that’s enough to be worth using this.

I made a little more testing and I can add a couple things:

-when the VIM/kernel 4.9 is connected as client to DSL AP above I have:

# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=11.0 ms
64 bytes from icmp_seq=2 ttl=64 time=10.8 ms
64 bytes from icmp_seq=3 ttl=64 time=14.9 ms
64 bytes from icmp_seq=4 ttl=64 time=11.3 ms
64 bytes from icmp_seq=5 ttl=64 time=13.6 ms
64 bytes from icmp_seq=6 ttl=64 time=11.9 ms
— ping statistics —
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 10.891/12.307/14.933/1.500 ms

-in this case ping -f reports a better but closer behaviour:

# ping -f
PING ( 56(84) bytes of data.
— ping statistics —
452 packets transmitted, 451 received, 0% packet loss, time 3621ms
rtt min/avg/max/mdev = 1.056/8.487/18.595/6.795 ms, pipe 2, ipg/ewma 8.029/7.988 ms

so it could either be a driver issue or an hw limit, I hope the guys working on the kernel development can improve this

-I tested the 5 GHz band on the VIM with hostapd/kernel 4.9 and it works. With the /etc/hostapd/hostapd.conf below and VIM bridging his wifi with the AP LAN a client on the VIM wifi reports the same bandwith from as it gets when connected to the DSL wifi (around 25 Mb/s)


so now it’s a matter of waiting for the next kernel release or use the one built by @numbqq
I am new to u-boot so excuse me for this question, can I update only the kernel image on the VIM without using the serial interface, mine is still in some post office…



I agree: if one wants to combine with some sort of (transparent?) VPN then double dhcp/nat might need a private 10.0/16 net behind a 192.168.c/24 one. But myself I think I want to go minimal way and just only provide access point functionality. I also feel VPN is end user responsability. Thanks for the hints howto bridge L2, I +/- knew already how. So I am now challenged to just build a minimal amlogic AP (perhaps gentoo). Client connects ISO L1 to WiFI, box bridges L2 to ethernet, and done. No ISO L3 (apart from preferably one IP address on eth for switch management) involved. Of course the device should (but linux can) do L2 spanning tree (and hopefully not be configured as root). I think in terms of required resources and performance, such simple device would be great.


khadas vim pro as a simple wifi hotspot with armbian-config

tested with an debian jessie image 20170531 by balbes150
and Armbian_5.27_S9xxx_Ubuntu_xenial_3.14.29_server_20170625.img
new images here

on Khadas Vim Pro (activated multiboot)
(to activate in factory android go to update settings and load autoupdate zip from sd card, copy kvim.dtb to root folder and rename it to dtb.img, if you do not rename the standard kernel is used. if satisfied move install to emmc with in /root directory.

connect usb keyboard and hdmi monitor or serial uart adapter.


create sudo user

sudo apt-get install ssh

now you can reboot and login. find ip number with advanced ip scanner or look into the client list of your dsl-router.


start armbian-config and set your time zone
(for proper line drawing, in putty go to settings/translations and iso latin character set)

setup wifi access point
a) disable wpa_supplicant

systemctl disable wpa_supplicant
systemctl mask wpa_supplicant.service
systemctl stop wpa_supplicant.service

b) activate ap mode driver
rmmod dhd
modprobe cfg80211 (not needed in ubuntu)
modprobe dhd op_mode=2

check if all is ok, else repeat b)

load driver during startup
echo "dhd" >> /etc/modules

(or git clone )

select hotspot (create wifi access point), select NAS or bridge, reboot and apply settings

change clear text password, ssid in /etc/hostapd.conf with

just in case, the working wifi drivers for AP6255 aka brcmfmac43455, unpack and copy to /lib/firmware/brcm/


Resolved :slight_smile: Was trying 4.9, ended up realizing an older version works just fine.