VPN build with Web GUI


I used 1.23vpn3001 and have a TAP/TCP/Static key setup. It works well, except that it seems the code
Code:
sleep 20
cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"

causes the VPN to be closed (TCP closed) if the VPN has already connected before. Why?

Sorry for my poor English.
 

That command certainly shouldn't cause dropped connections. I just tested it and the only thing that happens when it is triggered is a "VPN Server 1 already running..." message being printed to the syslog.

Can you expand more on what kind of problem you are seeing?
 
Normally, my router is "Listening for incoming TCP connection on [undef]:1863" and it does print the message "VPN Server 1 already running..." if there is no client-server connection. I just found in the syslog yesterday that it seems to have dropped the TCP-client to TCP-server connection every 30 minutes after the above message.

Because the TCP-client computer is in the UK, I will ask my friend later what the situation was yesterday. I don't think he closed the connection actively every 30 minutes and then made the connection again; maybe something is wrong with my VPN setup. I'll check again.

Thank you for your reply.
 
You want to use restart instead of start. This starts the VPN server only if it isn't already running currently.
You have it backwards. start only starts it if it isn't already running. restart always stops it and restarts it.

Why don't you try going without that cru command and see what happens. If the dropped connections still occur, you'll know it's something else. Several people have seen periodic connection restarts if no data is going across the tunnel. We have not been able to get to the bottom of why it is happening yet. However, it only seems to happen when the tunnel isn't actively being used, and it always immediately reconnects so other than extra entries in the syslog, it shouldn't be noticeable.

Can you post the entries in the syslog that occur periodically?
 
Yes, it is the same as I thought, and I have tried going without that cru command for more than 6 hours till now; the router works very well! Thanks for your great Tomato mod. Considering the net delay between the UK and China, so much Internet equipment is in the path, I guess maybe the cru command causes some other delay? There is "keepalive 15 60" on both sides (your VPN GUI and my client setup) now. Do you think I should make another test with "keepalive 15 120"? How do I change it in your VPN GUI?

Thank you again.
 
I guess maybe the cru command causes some other delay?
The cru command doesn't do anything unless the server is not running. I think your connection restarts were completely unrelated to the cru command. If you see them again, post the entries that show up in the syslog. If it is the same as what others have seen, it will only happen if you aren't sending data over the tunnel.
There is "keepalive 15 60" on both sides (your VPN GUI and my client setup) now. Do you think I should make another test with "keepalive 15 120"? How do I change it in your VPN GUI?
If you want to change the keepalive timeouts, you can just add that line to the Custom Configuration section in the GUI.
 
I just created a rule giving high priority to Port 1194, the port I use for VPN. Or you could give priority based on the LAN IP address of the VPN client (give it a static address)

1194 is the default port for the server to listen on, but does it then negotiate another port to use for the tunnel? If so, how do you prioritise that?
 
Hi.
I tried to connect to the VPN; it seems to have connected, but then I get this error:

Fri Apr 24 13:21:10 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Fri Apr 24 13:21:10 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Apr 24 13:21:10 2009 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Apr 24 13:21:10 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 24 13:21:10 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 24 13:21:10 2009 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Apr 24 13:21:10 2009 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Fri Apr 24 13:21:10 2009 Local Options hash (VER=V4): 'e1cabb67'
Fri Apr 24 13:21:10 2009 Expected Remote Options hash (VER=V4): 'f78928cd'
Fri Apr 24 13:21:10 2009 UDPv4 link local: [undef]
Fri Apr 24 13:21:10 2009 UDPv4 link remote: 89.212.xxx.xx:1193
Fri Apr 24 13:21:10 2009 TLS: Initial packet from 89.212.xxx.xx:1193, sid=f5abea64 492a2e0a
Fri Apr 24 13:21:11 2009 VERIFY OK: depth=1, /C=si/ST=si/L=ljubljana/O=dl/OU=it/CN=dl/emailAddress=janbocko@gmail.com
Fri Apr 24 13:21:11 2009 VERIFY OK: nsCertType=SERVER
Fri Apr 24 13:21:11 2009 VERIFY OK: depth=0, /C=si/ST=si/O=dl/OU=it/CN=dl/emailAddress=janbocko@gmail.com
Fri Apr 24 13:21:12 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 24 13:21:12 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 24 13:21:12 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 24 13:21:12 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 24 13:21:12 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Fri Apr 24 13:21:12 2009 [dl] Peer Connection Initiated with 89.212.xxx.xx:1193
Fri Apr 24 13:21:13 2009 SENT CONTROL [dl]: 'PUSH_REQUEST' (status=1)
Fri Apr 24 13:21:13 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.1,ping 15,ping-restart 60,ifconfig 192.168.1.142 255.255.255.0'
Fri Apr 24 13:21:13 2009 OPTIONS IMPORT: timers and/or timeouts modified
Fri Apr 24 13:21:13 2009 OPTIONS IMPORT: --ifconfig/up options modified
Fri Apr 24 13:21:13 2009 OPTIONS IMPORT: route options modified
Fri Apr 24 13:21:13 2009 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Fri Apr 24 13:21:13 2009 There is a problem in your selection of --ifconfig endpoints [local=192.168.1.142, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Fri Apr 24 13:21:13 2009 Exiting


My settings in client1.ovpn are:
dev tun
proto udp
dev-node openvpn
remote 89.212.xxx.xx 1193
tls-client
keepalive 15 120
verb 3
status openvpn-status.log
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key
ns-cert-type server
key-method 2
auth SHA1
cipher BF-CBC
pull
nobind

What did I do wrong?

Thanks for the help.
 
OK, now I've come around this issue. But when I'm connected through the VPN I cannot access the Internet through the router's external IP, and cannot ping or access any of my internal network. It's not an IP issue, since my external IP is 89.212.xxx.xxx and my internal IP is 192.168.1.145. The only issue I can see is that I have a subnet mask of 255.255.255.252, and I still don't know why I had to incorporate two IPs in the ifconfig line (I don't really know what it means). On my router I can see that I'm present, but my computer doesn't get a default gateway IP. Below is my .ovpn file if it helps:

dev tun
ifconfig 192.168.1.145 192.168.1.146
proto udp
#dev-node MyTAP
remote 89.212.xxx.xx 1193
tls-client
keepalive 15 120
verb 3
status openvpn-status.log
ca ca.crt
cert client-jan.crt
key client-jan.key
tls-auth ta.key
ns-cert-type server
key-method 2
auth SHA1
cipher BF-CBC
pull
nobind
comp-lzo
explicit-exit-notify 3
replay-window 60 15

Please help me with this issue.

Thanks in advance.
 
You shouldn't need that ifconfig line in the config file. It is likely masking your problem, not fixing it. Your problem appears on the surface to be either
  • The server is configured to use TAP, but the client is configured to use TUN.
  • You are using an OpenVPN client version that is 2½ years old. Please upgrade to 2.1rc15.
  • Both of the above
If you are unable to fix the problem based on that, please ssh/telnet to the router and provide the output of
Code:
cat /etc/openvpn/server1/config.ovpn
 
Hi.

What did I do wrong?

Thanks for the help.

Look at the last five lines of your error message. You seem to still have a bad ifconfig message of some sort on the server that is being "pushed" to the client. The client doesn't know what to do with the TAP ifconfig since it's running TUN.

The error messages are surprisingly good in this case
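A small checker for the failure shown in the log above, added here as an example (it is not the Tomato build's code or the author's): it parses the PUSH_REPLY control message, picks out the pushed ifconfig, and applies the /30 endpoint rule that the tun client complained about. The netmask heuristic is my own assumption, not OpenVPN's exact test.

```python
import ipaddress

# The PUSH_REPLY message as it appears in the log quoted in this thread.
PUSH_REPLY_FROM_LOG = ("PUSH_REPLY,route-gateway 192.168.1.1,ping 15,ping-restart 60,"
                       "ifconfig 192.168.1.142 255.255.255.0")


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into (option, args) pairs."""
    parts = msg.split(",")
    if not parts or parts[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    opts = []
    for item in parts[1:]:
        tokens = item.split()
        if tokens:
            opts.append((tokens[0], tokens[1:]))
    return opts


def looks_like_netmask(addr):
    """My heuristic (not OpenVPN's): contiguous 1-bits from the top, e.g. 255.255.255.0."""
    n = int(ipaddress.IPv4Address(addr))
    inv = n ^ 0xFFFFFFFF
    return n != 0 and (inv & (inv + 1)) == 0


def check_tun_ifconfig(local, remote):
    """Return 'ok' or a reason string for a tun-mode 'ifconfig local remote' pair.
    Rule from the log: both endpoints must be the two host addresses of one /30."""
    try:
        l, r = ipaddress.IPv4Address(local), ipaddress.IPv4Address(remote)
    except ipaddress.AddressValueError as e:
        return f"not an IPv4 address: {e}"
    if looks_like_netmask(remote):
        return f"remote {remote} looks like a netmask; tun mode wants a peer address"
    if l == r:
        return "local and remote are the same address"
    net = ipaddress.IPv4Network(f"{l}/30", strict=False)
    if r not in net:
        return f"{l} and {r} are not in the same /30"
    if net.network_address in (l, r) or net.broadcast_address in (l, r):
        return f"{l}/{r} must be the two host addresses of {net}"
    return "ok"


def check_push_reply(msg):
    """Find the pushed ifconfig (if any) and run the tun sanity check on it."""
    for opt, args in parse_push_reply(msg):
        if opt == "ifconfig" and len(args) == 2:
            return check_tun_ifconfig(*args)
    return "no ifconfig pushed"
```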
 
I've been trying to get my Tomato router to act as an OpenVPN client and route all traffic passing through it to the VPN for half a day now, but I can't seem to get it to work.
If anyone would have a spare minute to help me, I'd be most grateful.

My network is setup like this.
isp->ethernet->router1 (192.168.0.1)->ethernet->tomato router (wan ip 192.168.0.100, lan ip 192.168.1.250)
I can reach the Internet successfully through the Tomato router and have configured the OpenVPN client on it to connect to my VPN provider successfully (if I read the logs correctly, but at least I can connect to it and stay connected).

My current routing table looks like this:
Destination   Gateway       Subnet Mask     Metric  Interface
192.168.1.0   *             255.255.255.0   0       br0 (LAN)
192.168.0.0   *             255.255.255.0   0       vlan1 (WAN)
127.0.0.0     *             255.0.0.0       0       lo
default       192.168.0.1   0.0.0.0         0       vlan1 (WAN)
(And "Create NAT on tunnel" is enabled, perhaps that is of interest.)

And I've been trying to add different commands to the "custom configuration" box, such as:
"route-gateway 192.168.1.250
redirect-gateway"
which to me would seem to be able to do the trick, but apparently not.
If I understand correctly the "redirect-gateway" option is somewhat of a key to the problem, or doing some changes to the routing table and firewall, but I've been reading around and just can't figure out how to really use it.
Best regards,
 
And I've been trying to add different commands to the "custom configuration" box, such as:
"route-gateway 192.168.1.250
redirect-gateway"
which to me would seem to be able to do the trick, but apparently not.
If I understand correctly the "redirect-gateway" option is somewhat of a key to the problem
You're correct that redirect-gateway is the key. However, the route-gateway needs to have the IP address of the gateway on the server side of the tunnel.
 
I've gotten it to work now, a huge amount of thanks to you SgtPepperKSU, both for the help and your work with the vpn build!
 
About OpenVPN...
TS, can you add an auth-user-pass mechanism to your mod?
You can see it on the alonweb.com VPN service; it uses user-pass and a server certificate only. I can do it only if I enable jffs. It would be better if I could configure it from the client's web interface.
 

You can use the Custom Config section.
 
I need to specify a file for auth, for example
auth-user-pass /jffs/up.txt

up.txt, for example:
login
pass

Is it possible to do it without jffs?
 
Would you mind adding the SNMP function to the firmware? I have tried to compile your code with the snmp binary file. It seemed OK, but after one day lots of problems appeared and I can't access the web interface anymore.

Would you mind simply adding the binary file to your build? No GUI is needed, but if you have a GUI, it will be perfect!

You can get the binary here:
http://bok.xs4all.nl/downloads/snmpd.zip

I am using ND. Thank you in advance.
 