VPN build with Web GUI


as an openvpn server.

It doesn't work after a cold boot but works fine after rebooting from the Tomato GUI. The previous version, vpn2.0004, works fine with both a cold boot and a GUI reboot.

My init script is copied from your readme file.

Could you try moving the
Code:
sleep 10
/tmp/vpnup.sh server1
to the WAN up script (and trying higher sleep values if needed)?
 
With a WRT used as a client, what do I put in Static Key if I use a TLS system ... the dh.pem?
 
With a WRT used as a client, what do I put in Static Key if I use a TLS system ... the dh.pem?
If you use TLS, then you should only see the Static Key field if you have chosen "Additional HMAC authentication (tls-auth)". If you do not know what that is, you should probably uncheck that box and not have anything in the Static Key field.
 
Hey Sgt, I managed to get it working using an up script "ifconfig tap11 up";
then both server and client create the bridge and I can connect to all devices behind both routers :). Can you give me an easy setup to add a route to route all internet traffic over the correct WAN? And if I enable DHCP servers on both devices, will that give issues? Oh and where do I save my up script and route scripts so that they won't be deleted after reset :p
 
Hey Sgt, I managed to get it working using an up script "ifconfig tap11 up";
then both server and client create the bridge and I can connect to all devices behind both routers :).
That's really strange. My code performs that command automatically...
Can you give me an easy setup to add a route to route all internet traffic over the correct WAN?
Internet traffic should already be going over the local WAN (it takes extra setup to make internet-bound traffic go over the tunnel - or is that what you meant by "correct" WAN?).
And if I enable DHCP servers on both devices, will that give issues?
I think you may need to do a little extra iptables work to block the DHCP requests from crossing the tunnel. I haven't done this myself, so you may have better luck just googling it.
Oh and where do I save my up script and route scripts so that they won't be deleted after reset :p
You could try adding a
Code:
up /tmp/up.sh
line to the Custom Configuration section and generate a /tmp/up.sh in your init script that will be called whenever the connection is made.
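 
The arrangement described in the reply above, written out as an added example (this is not the mod's own code and not from the thread): an init-script fragment that regenerates /tmp/up.sh on every boot, since /tmp is tmpfs and is emptied by a reset, plus the two Custom Configuration lines that make OpenVPN call it. The bridge name br0 and the path /tmp/up.sh are assumptions; the `script-security 2` line is what the "OpenVPN 2.1 requires '--script-security 2'" NOTE that shows up in the logs later in this thread is asking for.

```shell
#!/bin/sh
# Added example, not part of the Tomato VPN mod. Paste into the Init script
# so that /tmp/up.sh exists again after every boot. Assumes the LAN bridge is
# br0 and that OpenVPN is told "up /tmp/up.sh" in its Custom Configuration.

UP_SCRIPT="${UP_SCRIPT:-/tmp/up.sh}"

# Write the up script to the path given in $1.
# OpenVPN runs it as: up.sh <dev> <tun_mtu> <link_mtu> <local> <remote> <init|restart>
# and also exports the interface name as $dev.
write_up_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
# Interface name comes from OpenVPN, as $1 or as the $dev environment variable
dev="${1:-$dev}"
# Put the tap on the LAN bridge; brctl complains if it is already a member,
# which happens on a restart of the same tunnel, so that error is ignored
brctl addif br0 "$dev" 2>/dev/null
# Bring it up without an address, like the bridge's other ports
ifconfig "$dev" 0.0.0.0 promisc up
EOF
  chmod 700 "$1"
}

# The lines to put in the VPN page's Custom Configuration box so that OpenVPN
# is allowed to run the script and does so on every (re)connect.
custom_config_lines() {
  printf '%s\n' 'script-security 2' "up $1"
}

write_up_script "$UP_SCRIPT"
custom_config_lines "$UP_SCRIPT"
```

The heredoc is quoted so `$dev` reaches the file unexpanded; the mode 700 keeps other local users from editing a script that OpenVPN runs as root.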
 
Yes, it really needs the up script or my tap device won't get listed under ifconfig and the tunnel won't work.
Anyway, I have both DHCP servers enabled and I will do some tests, but I think it will always accept the nearest DHCP server, thus setting the correct gateway. Because of this I don't need to change the route table of course :).
When I run into a situation where a device gets an IP from the remote DHCP server, I will look into blocking DHCP from the remote server with iptables.

Thanks for your help and nice mod :)
 
It appears that devices behind the routers do get DHCP traffic from the other routers. And setting up some iptables rules seems to be a huge issue on this matter. I googled a bit but only found other people with the same issue. Apparently the only easy method is using ebtables, which has been removed from Tomato :x
 
Internet traffic should already be going over the local WAN (it takes extra setup to make internet-bound traffic go over the tunnel - or is that what you meant by "correct" WAN?)

Can you maybe specify how to configure the client (iptables) to make all internet-bound traffic pass through the server?

Thanks and great job.
 
Can you maybe specify how to configure the client (iptables) to make all internet-bound traffic pass through the server?
Again, that's a configuration I've never desired, so I can't give you steps with certainty. However, the (experimental) redirect-gateway directive appears to do all of the legwork for that. The OpenVPN Manual has some specifics, but a search or the OpenVPN how-to (same site) might give you a step-by-step tutorial.
 
Roadkill to this Mod

Hi,

I posted this a couple weeks ago but never got a reply... Wanting to switch from Roadkill mod v1.19.1464 on my Buffalo WHR-G54s, to the latest SgtPepper VPN with Web GUI build, as it seems this is being more actively developed. A couple questions before I do...

1. Is this straightforward? Do I need to do anything in particular before switching (clear NVRAM?)
2. Will all my router settings be carried over?
3. Will I need to reconfigure my VPN settings?

I'm currently using static-key VPN with these scripts:

Firewall:

Code:
# let inbound OpenVPN traffic (UDP 444) through the router's own firewall
iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT

WAN UP:

Code:
cd /tmp
# create a persistent tap0 and bridge it into the LAN (br0), so VPN peers
# are layer-2 members of the local network
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
# write the pre-shared static key to tmpfs (key material removed for the post)
echo "
-----BEGIN OpenVPN Static key V1-----

<deleted for forum post>

-----END OpenVPN Static key V1-----

" > /tmp/static.key

sleep 5
# run the daemon through a symlink so it is easy to pick out in ps
ln -s /usr/sbin/openvpn /tmp/myvpn
# static-key tap server on UDP 444; keepalive 10 300 = ping every 10 s, restart after 300 s of silence
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 444 --cipher BF-CBC --proto udp --keepalive 10 300 --verb 3 --daemon

Client config:

Code:
dev tap0
# same pre-shared key file as the server
secret static.key
proto udp
remote <my ip address> 444
# ping every 10 s, restart the tunnel after 60 s of silence
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
# must match the server's --cipher
cipher BF-CBC
comp-lzo
verb 3
# accept the peer from a changing source address
float

It was so long ago I set it all up that I've forgotten what it all does! Thanks in advance for any help you can give...

Ben
 
You probably should clear NVRAM after the update, but it is not strictly required. You run a chance of having bizarre and hard to diagnose problems if you don't (this seems to be true of all Tomato-based upgrades).

You should be able to continue to use those same scripts if you'd like. Or, you can use the GUI, and it will do virtually the same thing for you.
 
You probably should clear NVRAM after the update, but it is not strictly required. You run a chance of having bizarre and hard to diagnose problems if you don't (this seems to be true of all Tomato-based upgrades).

If I clear NVRAM that will wipe ALL my router settings right? Hmmm... that's a lot of work restoring.
Is there any point to backup the config, erase NVRAM, then restore settings... or does that defeat the point of clearing NVRAM?
Thanks for your help... Ben
 
If I clear NVRAM that will wipe ALL my router settings right? Hmmm... that's a lot of work restoring.
Is there any point to backup the config, erase NVRAM, then restore settings... or does that defeat the point of clearing NVRAM?
Thanks for your help... Ben
Yah, unfortunately, that does defeat the point. You can, however, try running without clearing NVRAM. It's just that if you start running into bizarre problems, it's the first thing you should try to fix it.
 
Well, I took the plunge without clearing NVRAM and all seems fine :)

A couple questions though:

1. I deleted the WAN UP script I had from the roadkill mod, I assume this is unnecessary now (it seems to work fine without). Correct?

2. My old firewall script "iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT" - can I delete this also, is it dynamically created?

3. How can I add the option (I presume to client config, or can it be pushed?) to force ALL traffic from the client computer including normal internet traffic over the VPN?

4. How can I force DNS requests from the client computer to be sent to the Internal Caching DNS Forwarder of the Tomato router?

5. Finally, I'm seeing this in the router's logs every minute or so....

Jan 27 03:24:34 Tomato daemon.warn openvpn[521]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: LZO compression initialized
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: TUN/TAP device tap21 opened
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: TUN/TAP TX queue length set to 100
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Socket Buffers: R=[32767->65534] S=[32767->65534]
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: UDPv4 link local (bound): [undef]:444
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: UDPv4 link remote: [undef]
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Inactivity timeout (--ping-restart), restarting
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: TCP/UDP: Closing socket
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Closing TUN/TAP interface
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Restart pause, 2 second(s)


Any idea what this means, is it normal?

Thanks,

Ben
 
Well, I took the plunge without clearing NVRAM and all seems fine :)
Glad to hear it :smile: Keep an NVRAM clear in mind, though, in case weird stuff starts to happen.
1. I deleted the WAN UP script I had from the roadkill mod, I assume this is unnecessary now (it seems to work fine without). Correct?
If you are using the GUI, then yes, you shouldn't need anything in any of the scripts.
2. My old firewall script "iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT" - can I delete this also, is it dynamically created?
See above.
3. How can I add the option (I presume to client config, or can it be pushed?) to force ALL traffic from the client computer including normal internet traffic over the VPN?
I think this was answered in the post immediately before your first in this exchange. In short, I've never done it, but you should look into the redirect-gateway OpenVPN directive for your Custom Config (or the client config, I'm not sure).
4. How can I force DNS requests from the client computer to be sent to the Internal Caching DNS Forwarder of the Tomato router?
Can't help you there. It may come along with the redirect-gateway, though. Once you're establishing a connection, there is nothing unique to the router setup. You may have more luck with these types of questions on the OpenVPN IRC channel.
5. Finally, I'm seeing this in the router's logs every minute or so....
...
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Inactivity timeout (--ping-restart), restarting
...


Any idea what this means, is it normal?
It is normal in that several people are seeing it, but not normal in that it should be happening. It seems to have shown up after I upgraded the firmware from OpenVPN 2.1rc13 to 2.1rc15. I keep meaning to make a new release downgrading it back to 2.1rc13, but just know that as soon as I do, 2.1rc16 will come out and fix it...
On the plus side, it only seems to happen if the tunnel is inactive, and it reconnects automatically, so it should mostly go unnoticed aside from the log entries.
I am sick at the moment, but if a new OpenVPN version doesn't come out soon, I will release a new version with a downgraded openvpn.
 
3. How can I add the option (I presume to client config, or can it be pushed?) to force ALL traffic from the client computer including normal internet traffic over the VPN?

4. How can I force DNS requests from the client computer to be sent to the Internal Caching DNS Forwarder of the Tomato router?

I found the answer to my own question on this page:

http://manoftoday.wordpress.com/2006/12/03/openvpn-20-howto/

It suggests a way to push this from the server, which I haven't tried yet. I prefer to set it from the client so I can choose whether to do this or not on a case by case basis. I just created one OpenVPN client config with it, and one without. That way I can connect with all traffic over VPN, or not, by simply choosing the different config files. This is using this OpenVPN client:

http://openvpn.se/

The key is to add this line to the client config:

redirect-gateway def1

I checked (well, as far as I can tell) and all traffic, and DNS, is being routed over the VPN when I have this line in the config. If you did want to push this to all clients from the server, you'd add this to the custom config on the server:

push "redirect-gateway def1"

Hope this helps. Let me know if I've got anything about this wrong.

Ben
 
I prefer to set it from the client so I can choose whether to do this or not on a case by case basis. I just created one OpenVPN client config with it, and one without.

The key is to add this line to the client config:

redirect-gateway def1

I went about it the same way you did. Create 2 client config files.

However, I'm using different commands: route-gateway x.x.x.x and redirect-gateway, x.x.x.x being the IP address of the router.

I haven't tried redirect-gateway def1, but from the looks of it, it does the same thing.


My client config file:

client
dev tap

# fixed tunnel address for this client; nothing is pushed by the server
ifconfig 172.25.25.6 255.255.255.248

ca ca.crt
cert client1.crt
key client1.key

proto udp
# gateway for the redirected default route: the router's tunnel address
route-gateway 172.25.25.1
remote x.x.x.x 60250
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a server certificate marked for server use
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
float
# send everything, including internet-bound traffic, through the tunnel
redirect-gateway

I checked (well, as far as I can tell) and all traffic, and DNS, is being routed over the VPN when I have this line in the config.

You could run wireshark to sniff the traffic and see where your DNS requests are going to.



There's an option to push DNS to clients, although from reading the description of what it does, I don't think it's necessary.

When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need to handle them.

push "dhcp-option DNS 10.8.0.1"
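 
The two posts above suggest checking with wireshark where the traffic and the DNS queries actually go. As an added example (not from the thread, not part of the mod), the following script does that check on the client from the routing table and resolv.conf instead: it tells apart `redirect-gateway def1` (which adds 0.0.0.0/1 and 128.0.0.0/1 through the tunnel and leaves the original default route in place), plain `redirect-gateway` (which replaces the default route) and a split tunnel, and it reports whether the resolver in use is the one the server pushes with `push "dhcp-option DNS ..."`. The interface name tap0, the pushed DNS address 172.25.25.1 and the sample tables are constructed for the example; `--live` runs it against the real system.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomato mod. Checks, on the
# client, what redirect-gateway did to the default route and whether the
# pushed DNS server is in use. The functions take text so they can be run
# on the constructed samples below; --live reads `route -n` and
# /etc/resolv.conf. tap0 and 172.25.25.1 are assumptions.

# Classify a Linux routing table given as `route -n` output (8 columns:
# Destination Gateway Genmask Flags Metric Ref Use Iface). $2 = tunnel interface.
# Prints one of:
#   def1     - 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (redirect-gateway def1)
#   replaced - the 0.0.0.0/0 default route itself points at the tunnel
#   split    - internet-bound traffic still leaves over the local WAN
tunnel_route_state() {
  printf '%s\n' "$1" | awk -v dev="$2" '
    $1 == "0.0.0.0"   && $3 == "0.0.0.0"   && $8 == dev { whole = 1 }
    $1 == "0.0.0.0"   && $3 == "128.0.0.0" && $8 == dev { low = 1 }
    $1 == "128.0.0.0" && $3 == "128.0.0.0" && $8 == dev { high = 1 }
    END {
      if (low && high) print "def1"
      else if (whole)  print "replaced"
      else             print "split"
    }'
}

# Prints "yes" if the first nameserver in a resolv.conf text ($1) is the DNS
# address the server pushes ($2), else "no". The Windows client applies a
# pushed dhcp-option itself; on Linux an up script has to rewrite resolv.conf,
# otherwise queries keep going to the old resolver (through the tunnel, if
# def1 is in place, but not to the router's forwarder).
dns_is_pushed_resolver() {
  first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
  [ "$first" = "$2" ] && echo yes || echo no
}

# Constructed samples: a table after `redirect-gateway def1` over tap0, and
# the same host with a split tunnel. Tunnel subnet taken from the thread.
ROUTES_DEF1='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.25.25.1     128.0.0.0       UG    0      0        0 tap0
128.0.0.0       172.25.25.1     128.0.0.0       UG    0      0        0 tap0
172.25.25.0     0.0.0.0         255.255.255.248 U     0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

ROUTES_SPLIT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.25.25.0     0.0.0.0         255.255.255.248 U     0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

RESOLV_PUSHED='nameserver 172.25.25.1'
RESOLV_STALE='nameserver 192.168.1.1'

if [ "${1:-}" = "--live" ]; then
  echo "routes:   $(tunnel_route_state "$(route -n)" tap0)"
  echo "resolver: $(dns_is_pushed_resolver "$(cat /etc/resolv.conf)" 172.25.25.1)"
else
  echo "def1 sample:     $(tunnel_route_state "$ROUTES_DEF1" tap0)"
  echo "split sample:    $(tunnel_route_state "$ROUTES_SPLIT" tap0)"
  echo "stale resolver:  $(dns_is_pushed_resolver "$RESOLV_STALE" 172.25.25.1)"
fi
```

A "def1" result with a "no" on the resolver is the combination the earlier post describes: queries travel through the tunnel but are answered by whatever resolver the client had before, not by the router's DNS forwarder.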
 
Anyone know how to add username/password authentication with the GUI version? I sort of read up on it at the OpenVPN website, but with the GUI, I'm not sure where to begin. I'm still a Linux noob.
 