
Disabling NAT

Discussion in 'Tomato Firmware' started by tomatodude, Apr 26, 2009.

  1. tomatodude

    tomatodude Addicted to LI Member

    Dear all,

    I have a question please. I have the following setup.

    Modem ISP ---> TomatoFirmware 1.23 ( --> All my PCs and Devices
    v--> DD-WRT V24 (Mega) ( OpenVPN Server --> <Nothing>

    As you can see above my home's network Gateway ( is a Tomato Firmware 1.23 router that controls everything DHCP, QOS, Access Restrictions etc. The only thing I do not have on this router is the OpenVPN since the tomato firmware does not support this.

    In order to enable OpenVPN in my home network I had to put another router that runs DD-WRT firmware v.24 (Mega), and creates another subnet in my home LAN (

    This works fine, but the main problem with this setup is that every time I want to access my PCs and devices on my home LAN ( I have to tell my OpenVPN client to route all the traffic through my home network. This needs to be done since whenever I connect to the DD-WRT router through OpenVPN I only see that router's subnet ( and I am unable to see the subnet. But by routing my traffic through home, the traffic passes through the gateway and therefore it is possible to see the PCs and devices in that LAN. But the problem with this is that my home bandwidth is reduced substantially since everything that I am doing online has to pass through home.

    What I want to do is to somehow disable the NAT functionality on the DD-WRT router and use it as a simple VPN server. What I hope here is that whenever I connect to my home LAN I would get an IP from the subnet and therefore, if no NAT exists on the router, I would be able to access my PCs and devices without the need to route all my traffic through my home LAN.

    Thanks in advance,

  2. fyellin

    fyellin LI Guru Member

    There are several mods of Tomato v1.23 that include OpenVPN. I have been using the one described here for several months with no problems.
  3. tomatodude

    tomatodude Addicted to LI Member

    Hi fyellin,

    I am using Victek's mod 1.23. There are some features that I find useful there as well. Is there a mod with OpenVPN that is based on Victek's mod?


  4. fyellin

    fyellin LI Guru Member

    Sorry. I assumed that you were running vanilla Tomato, rather than running another mod. Victek or SgtPepperKSU can probably give you more information about the availability of a mod that has features from both of their mods.

    SgtPepperKSU has also been working on putting all the mods under a single source tree, so that you can pick and choose the features you want, and build your own. I don't know its current status.
  5. fyellin

    fyellin LI Guru Member

    I hope that SgtPepperKSU is following this thread, because he is more familiar with OpenVPN than I am.

    You ought to be able to put your DD-WRT behind your Tomato, and tell it that it is a "router" rather than a "gateway". You will need to tell the Tomato to forward all traffic on UDP 1194 (or whatever you use) to the OpenVPN machine.

    I'm sure there are some details I'm leaving out, but there is no reason that the machine running OpenVPN needs to be talking directly to the ISP, rather than just being another machine on your LAN.
  6. tomatodude

    tomatodude Addicted to LI Member

    Hi fyellin,

    Thanks a lot you are a great help. If I understand you well, what you are saying is that if I set the DD-WRT as "router" rather than a "gateway" I will be able to "see" the subnet when I connect from outside my home. Is this correct?


  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think it should work fine even with the router in "Gateway" mode, but since you don't really need a separate subnet, you may as well change it to "Router" mode (that way if you plug computers into the DD-WRT router someday, they'll be on the same subnet as everything else).

    Right now, you likely are able to send packets from across the VPN to the entire subnet (depending on the OpenVPN configuration and routing on the DD-WRT router), but the computers don't know where to send the return packets for their response. You will need to either place a NAT on the DD-WRT traffic (so it looks like it comes directly from the DD-WRT router) or add a route to your Tomato router (so the return traffic knows it needs to be routed through the DD-WRT router). I would suggest the latter.

    I can help you establish the rules needed for either method, but it would help tremendously if you provided the OpenVPN config from your DD-WRT router.

    FYI: if you place tags around ASCII diagrams (like what you drew in your first post), it keeps the spacing. I think fyellin fell into the same thing I did at first - it looked like you had both routers plugged directly into your modem.
  8. tomatodude

    tomatodude Addicted to LI Member

    Hi SgtPepperKSU,

    Thanks a lot for the reply. This is what I have on my DD-WRT router's startup script for OpenVPN.

    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 promisc up
    echo "
    # Tunnel options
    mode server       # Set OpenVPN major mode
    proto udp         # Setup the protocol (server)
    port ******       # TCP/UDP port number
    dev tap0          # TUN/TAP virtual network device
    keepalive 15 60   # Simplify the expression of --ping 
    daemon            # Become a daemon after all initialization
    verb 3            # Set output verbosity to n 
    comp-lzo          # Use fast LZO compression 
    # OpenVPN server mode options
    client-to-client  # tells OpenVPN to internally route client-to-client traffic 
    duplicate-cn      # Allow multiple clients with the same common name
    # TLS Mode Options
    tls-server        # Enable TLS and assume server role during TLS handshake 
    ca ca.crt         # Certificate authority (CA) file
    dh dh2048.pem     # File containing Diffie Hellman parameters 
    cert server.crt   # Local peer's signed certificate
    key server.key    # Local peer's private key 
    " > openvpn.conf
    echo "
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----END DH PARAMETERS-----
    " > dh2048.pem
    sleep 5
    cp /jffs/passfile.sh .
    #echo auth-user-pass-verify /tmp/passfile.sh via-file >>openvpn.conf
    ln -s /usr/sbin/openvpn /tmp/myvpn
    cp /jffs/openvpn.conf.backup /tmp/openvpn.conf
    /tmp/myvpn --config openvpn.conf >/dev/null 2>&1 &

    I think that the best choice for me will be to place a NAT route on either the Tomato or DD-WRT. But I am afraid that I do not know how to do that exactly. What is the main concept behind this idea? I tell the router to route all traffic that is designated for the subnet to router and back?
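As an added illustration of the two options SgtPepperKSU lays out (NAT on the DD-WRT router, or a static route on the Tomato router) together with the UDP port forward fyellin mentions, here is a small Busybox-style shell script. It is not from the thread or from either firmware project; every address, interface name and the port are placeholders I assumed because the thread's real addresses were not preserved (override them through the environment). By default it only prints the commands (DRY_RUN=1); on the router named in each function, DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example, not part of the thread. Shows the commands behind:
#   Option A: NAT on DD-WRT so return traffic comes back to the DD-WRT router.
#   Option B: a static route on Tomato so replies are routed to DD-WRT (preferred in the thread).
#   Plus: the UDP port forward on Tomato that makes DD-WRT reachable as a LAN host.
# All values below are ASSUMED placeholders; the real topology is not on the page.

DRY_RUN="${DRY_RUN:-1}"

TOMATO_LAN_NET="${TOMATO_LAN_NET:-192.168.1.0/24}"  # assumed: Tomato LAN where the PCs live
TOMATO_WAN_IF="${TOMATO_WAN_IF:-vlan1}"             # assumed: Tomato WAN interface
DDWRT_WAN_IP="${DDWRT_WAN_IP:-192.168.1.2}"         # assumed: DD-WRT's address on the Tomato LAN
DDWRT_WAN_IF="${DDWRT_WAN_IF:-vlan1}"               # assumed: DD-WRT WAN interface
DDWRT_LAN_NET="${DDWRT_LAN_NET:-192.168.2.0/24}"    # assumed: DD-WRT LAN; tap0 is bridged into br0, so VPN clients sit here
OVPN_PORT="${OVPN_PORT:-1194}"                      # the thread masks the port; 1194 is OpenVPN's default

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Convert a prefix length (e.g. 24) to a dotted mask; busybox route wants dotted masks.
mask_from_bits() {
    bits="$1"; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s' "$mask"
}

# Option A, run on DD-WRT: masquerade VPN/LAN traffic leaving towards the Tomato LAN.
# The PCs see DDWRT_WAN_IP as the source and reply to the DD-WRT router, which
# already knows its bridged clients. Host firewalls on the PCs need no extra rule.
nat_on_ddwrt() {
    run iptables -t nat -A POSTROUTING -s "$DDWRT_LAN_NET" -o "$DDWRT_WAN_IF" -j MASQUERADE
}

# Option B, run on Tomato (instead of A): route replies for the DD-WRT subnet via DD-WRT.
# No NAT, so the PCs see the real VPN client address; a host firewall on a PC must
# then permit DDWRT_LAN_NET. Tomato's Advanced > Routing page stores the same route.
route_on_tomato() {
    net="${DDWRT_LAN_NET%/*}"
    bits="${DDWRT_LAN_NET#*/}"
    run route add -net "$net" netmask "$(mask_from_bits "$bits")" gw "$DDWRT_WAN_IP"
}

# Run on Tomato in either case: forward the OpenVPN UDP port from the Internet to
# the DD-WRT router, which is now just another host on the LAN.
forward_vpn_port_on_tomato() {
    run iptables -t nat -A PREROUTING -i "$TOMATO_WAN_IF" -p udp --dport "$OVPN_PORT" \
        -j DNAT --to-destination "$DDWRT_WAN_IP"
    run iptables -A FORWARD -i "$TOMATO_WAN_IF" -p udp -d "$DDWRT_WAN_IP" --dport "$OVPN_PORT" -j ACCEPT
}

# Stand-alone run: print every command set (dry run by default).
if [ "$DRY_RUN" = "1" ]; then
    echo "# on DD-WRT (option A):";                nat_on_ddwrt
    echo "# on Tomato (option B, instead of A):";  route_on_tomato
    echo "# on Tomato (always):";                  forward_vpn_port_on_tomato
fi
```

Pick A or B, not both: with A the Tomato LAN only ever sees the DD-WRT router's address, with B it sees the individual VPN clients, which is more transparent for logging and per-host filtering but means the PCs' own firewalls must accept that subnet.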


