
E3000 TomatoUSB and OpenVPN, need help getting bi-directional to work

Discussion in 'Tomato Firmware' started by coinslots, Apr 20, 2011.

  1. coinslots

    coinslots Networkin' Nut Member

    I have been working on this for the past 2 days and cannot get it to work correctly. I have 2 sites connected through the VPN.

    I used the following guides to help me make the connection:

    http://todayguesswhat.blogspot.com/2011/03/quick-simple-vpn-setup-guide-using.html

    http://www.wasagacomputers.com/home...te-vpn-using-tomato-firmware-and-openvpn.html


    I have two brand new E3000s loaded from default with Victek's Tomato Firmware RAF1.28.8501 MIPSR2_RAF E3000 USB VPN.

    Lan1 (Client) - 192.168.2.1
    Lan2 (Server) - 192.168.1.1

    Both sites have static public IPs

    The VPN status is connected.

    The problem is that the client can ping and route to the server, but the server cannot ping the client or any IP on the client side.

    I need the VPN to be bi-directional.

    Server VPN config:
    Basic
    Start with WAN: [checked]
    Interface Type: TUN
    Protocol: UDP
    PORT: 1194 [added port forwarding to 192.168.1.1/server and 192.168.2.1/client]
    Firewall: Automatic
    Authorization mode: TLS
    Extra HMAC authorization (tls-auth): Disabled
    VPN subnet/mask: 10.8.0.0 255.255.255.0
    Advanced
    only Push LAN to clients is checked
    Keys
    Downloaded OpenVPN client and created the key files.
    Status
    Client List
    Common Name Real Address Virtual Address Bytes Received Bytes Sent Connected Since
    client [public IP]:20076 10.8.0.6 99038371 659227218 Tue Apr 19 00:47:06 2011
    Routing Table
    Virtual Address Common Name Real Address Last Ref
    10.8.0.6 client [public IP]:20076 Wed Apr 20 08:27:14 2011
    General Statistics
    Name Value
    Max bcast/mcast queue length 0

    Client VPN Config
    Basic
    Start with WAN: [checked]
    Interface Type: TUN
    Protocol: UDP
    Server Address/Port: [Server Public IP] 1194
    Firewall: Automatic
    Authorization mode: TLS
    Extra HMAC authorization (tls-auth): Disabled
    Create NAT on tunnel: [Checked]
    Advanced
    defaults
    Keys
    created with OpenVPN client
    Status
    Connected


    Added static route to Server:
    root@unknown:/tmp/home/root# route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.8.0.2

    to get:
    root@unknown:/tmp/home/root# netstat -r
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    x.10.8.0.2 * 255.255.255.255 UH 0 0 0 tun21
    x..200.177.112 * 255.255.255.248 U 0 0 0 vlan2
    192.168.2.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
    192.168.1.0 * 255.255.255.0 U 0 0 0 br0
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default x-200-177-113. 0.0.0.0 UG 0 0 0 vlan2
    root@unknown:/tmp/home/root#


    I have not added any routes to client side.
    Client routing table:

    root@unknown:/tmp/home/root# netstat -r
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    x.200.177.114 x-43-0-209.sta 255.255.255.255 UGH 0 0 0 vlan2
    10.8.0.5 * 255.255.255.255 UH 0 0 0 tun11
    x.43.0.209 * 255.255.255.255 UH 0 0 0 vlan2
    10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun11
    x.43.0.0 * 255.255.255.0 U 0 0 0 vlan2
    192.168.2.0 * 255.255.255.0 U 0 0 0 br0
    192.168.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default 10.8.0.5 128.0.0.0 UG 0 0 0 tun11
    128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun11
    default x-43-0-209.sta 0.0.0.0 UG 0 0 0 vlan2
    root@unknown:/tmp/home/root#


    I am stuck and any help would be appreciated.
    Thanks in advance.
     
  2. phones001

    phones001 Addicted to LI Member

    Same problem

    Did you ever get this resolved? I have the same one way VPN issue.
     
  3. Goggy

    Goggy Network Guru Member

    I had the same problems a few days ago. The solution is simple: on the VPN server router you have to activate the "client specific options" under the Advanced tab. Then activate "allow only these clients" and there you have to specify your client-side settings. As "Common Name" you MUST use the one you used to create the certificates; subnet and netmask are self-explanatory (in your case 192.168.2.0 and 255.255.255.0). Finally tick "PUSH" and "ENABLE", then add this "rule" and save it.
    I also have "allow Client <-> Client" enabled; I don't know if it is a "must".
    Restart the VPN on the server and the client and it should work as expected.

    PS: there is NO need for port forwardings or added routes; those may have counter-productive effects ...

    Greets

    PS2: sorry for my English ;-)
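For readers running a stock OpenVPN server rather than the Tomato GUI, Goggy's "client specific options" rule maps onto three plain OpenVPN directives that have to agree with each other: a server-level `route` for the remote LAN, an `iroute` in a client-config-dir file named after the client certificate's Common Name, and a `push "route ..."` for the server LAN. The script below is an added example, not code from the thread, from Tomato or from OpenVPN; the config text is constructed (using the thread's 192.168.1.0/24 and 192.168.2.0/24 subnets), and the function and variable names are mine. It lints such a setup and reports the mismatches that produce exactly the one-way symptom the original poster describes (a kernel route on the server with no matching `iroute`).

```python
"""
Added example: a small consistency check for a site-to-site OpenVPN server.
Tomato's "client specific options" rule (Common Name + subnet + PUSH) is,
on a plain OpenVPN server:
  1. `route <lan> <mask>`       - kernel sends packets for the remote LAN into tun
  2. `iroute <lan> <mask>`      - in ccd/<Common Name>, tells OpenVPN which
                                  client owns that LAN; without it the server
                                  has no client to deliver the packet to and drops it
  3. `push "route <srv-lan> <mask>"` - client learns the route to the server LAN
"""
import shlex

# Constructed sample config, not taken from the thread or from Tomato.
SERVER_CONF = """\
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
client-config-dir ccd
client-to-client
"""

# ccd/<common name>: the file name must equal the client certificate's CN.
CCD_FILES = {
    "client": "iroute 192.168.2.0 255.255.255.0\n",
}


def parse_directives(text):
    """Return a list of (directive, [args]) from OpenVPN-style config text.
    Quoted arguments such as push "route ..." stay one argument."""
    directives = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment in OpenVPN configs
        if not line:
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def lint_site_to_site(server_conf, ccd_files):
    """Check that every LAN behind a client is routable in both directions.
    Returns a list of problem strings; an empty list means the setup is consistent."""
    problems = []
    server = parse_directives(server_conf)
    routes = {tuple(args[:2]) for name, args in server if name == "route"}
    pushed = set()
    for name, args in server:
        if name == "push" and args:
            inner = args[0].split()
            if inner[:1] == ["route"] and len(inner) >= 3:
                pushed.add((inner[1], inner[2]))
    has_ccd = any(name == "client-config-dir" for name, _ in server)

    if not ccd_files:
        problems.append("no client-config-dir entries: server cannot map any LAN to a client")
    if ccd_files and not has_ccd:
        problems.append("client-config-dir is not set, so ccd files are never read")

    for cn, text in ccd_files.items():
        iroutes = {tuple(args[:2]) for name, args in parse_directives(text) if name == "iroute"}
        if not iroutes:
            problems.append(f"ccd/{cn}: no iroute, so packets for its LAN have no client to go to")
        for subnet in iroutes:
            if subnet not in routes:
                problems.append(f"ccd/{cn}: iroute {subnet[0]} {subnet[1]} has no matching server-level route")
    if not pushed:
        problems.append("no push route: the client side will not learn a route to the server LAN")
    return problems


if __name__ == "__main__":
    print("complete rule:", lint_site_to_site(SERVER_CONF, CCD_FILES) or "OK")
    # The thread's symptom: a route on the server but no per-client iroute.
    print("route only:", lint_site_to_site(SERVER_CONF, {"client": ""}))
```

The `route` directive alone (or a manual `route add` as in the first post) only gets packets as far as the tun interface; the `iroute` is what lets the OpenVPN process forward them to the right client session, which is why the GUI rule keyed on the certificate's Common Name fixes the return direction.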
     
