
Gaming over VPN

Discussion in 'Tomato Firmware' started by mrcanngo, Mar 17, 2010.

  1. mrcanngo

    mrcanngo Addicted to LI Member

    Hi,

    Using the following:

    2 WRT54GL routers with any tomato firmware
    2 Xbox 360s

    How would I set up a VPN that allowed the 2 Xboxes to see each other in different households?

    In my research, it seems that a VPN tunnel (site to site or routed) drops UDP Broadcasts, when sent across the VPN.

    Could someone help with some instructions on how to do this? I have searched the forums and web and couldn't find much help.

    I would preferably like to use SgtPepperKSU Mod firmware since it has a gui version of VPN.
     
  2. rhester72

    rhester72 Network Guru Member

    UDP broadcast works fine over a TAP-based tunnel, since it is a layer 2 (Ethernet) bridge. I would advise against trying to do it with a router-based VPN solution, though, because the encryption overhead tends to introduce a lot of latency and seriously restrict bandwidth due to the very small CPU in SoHo routers. A PC-based VPN solution will probably produce much better results.

    Rodney
     
  3. mrcanngo

    mrcanngo Addicted to LI Member

    If I wanted less encryption so that it wasn't so CPU intensive, could I do it any other way?

    I just want to be able to play xbox 360 from house to house. Maybe somehow segment the network in 2 so that my personal computers are on one subnet, and the xbox is on another?

    Thanks for the advice.
     
  4. rhester72

    rhester72 Network Guru Member

    The encryption used is already pretty light as these things go - software-based encryption on these tiny ARM CPUs is just problematic no matter how you slice it. :)

    I see your issue - you can't put a VPN client on the endpoint devices. The easiest solution is to connect the two routers over OpenVPN and see if the latency and bandwidth are acceptable - if so, you're done. If not, you could consider some type of man-in-the-middle construct using proxy PCs on each end to manage the OpenVPN tunnel and do some pretty hairy routing to allow the 360s to see each other's network...you're probably better off trying a site-to-site with Tomato first.

    Rodney
     
  5. mrcanngo

    mrcanngo Addicted to LI Member

    Thanks for the info. I will definitely try it out.

    Do you think having this router would help?

    Asus RT-N16 Broadcom4718@533.

    I got the info from the Tomato wiki supported devices section. As I understand it, it has a 533MHz processor as opposed to my 200MHz one in my WRT54GL. Would that be enough boost in power if the WRTs aren't strong enough?
     
  6. rhester72

    rhester72 Network Guru Member

    The RT-N16 is the modern-day weapon of choice for a lot of power users. In the ARM category, I'd say it's the best thing going right now. Whether it's enough, you'll have to tell us ;)

    Rodney
     
  7. mrcanngo

    mrcanngo Addicted to LI Member

    Looks like I'm going to have to give that a try.

    Btw, I'm just in the beginning stages of this project and have successfully bridged a site-to-site VPN using SgtPepperKSU mod firmware.

    Another friend wants to join in so I would have 2 clients and 1 server.

    Does this mod only accept a max of 1 client per server that is set up?

    When the second client connected, using TAP mode and static key, it looks like it connects but client 1's connection seems to have dropped.

    In the meantime, I created a second server on the same router and pointed the newest client to that. It seems to work, but that would mean that the WRT54GL router (acting as a server) can only support a max of 2 VPN client connections simultaneously.

    Is this true or did I do something wrong?
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Static key authentication only supports one client at a time. TLS authentication can do more.
     
  10. mrcanngo

    mrcanngo Addicted to LI Member

    When I try to do TLS authorization mode, I get an error when saving.

    "Invalid Netmask"

    Here is currently how network is setup:

    Server Router IP 192.168.8.1 with DHCP on with clients on that router getting 192.168.8.100/149

    Client 1 Router IP 192.168.8.2 with DHCP on with clients on router getting 192.168.8.10/49

    Client 2 Router IP 192.168.8.3 with DHCP on with clients on router getting 192.168.8.50/99

    All have a subnet mask of 255.255.255.0
    Gateways are 192.168.8.1/2/3 respectively.

    When I set it up this way with Static Key Auth mode, everything works well and each side is able to ping one another.

    Did I do something wrong?
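Checking an addressing plan like the one above before committing it to three routers, as an added example (Python; not code from the thread or from Tomato/TomatoVPN): with a TAP tunnel the LANs merge into one Ethernet segment, so every router must agree on the subnet and the DHCP pools must neither overlap nor hand out a router's own address. The router data is the plan posted above; the netmask test is an assumption about what the GUI's "Invalid Netmask" check requires (a contiguous mask).

```python
"""Sanity-check the addressing plan of a bridged (TAP) site-to-site VPN.

Added example; not code from the thread or from Tomato/TomatoVPN. With TAP the
LANs become one Ethernet segment, so every router must agree on the subnet and
the DHCP pools must neither overlap nor contain any router's own address.
"""
import ipaddress

# Addressing plan as posted in the thread: one server router, two client routers.
ROUTERS = [
    {"name": "server", "ip": "192.168.8.1", "mask": "255.255.255.0", "pool": (100, 149)},
    {"name": "client1", "ip": "192.168.8.2", "mask": "255.255.255.0", "pool": (10, 49)},
    {"name": "client2", "ip": "192.168.8.3", "mask": "255.255.255.0", "pool": (50, 99)},
]


def valid_netmask(mask):
    """True for a dotted-quad mask whose bits are contiguous ones then zeros.

    Assumption: the GUI's "Invalid Netmask" error reflects a test of this form.
    """
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    inverted = ~bits & 0xFFFFFFFF          # zero bits become ones
    return inverted & (inverted + 1) == 0  # contiguous run of ones plus 1 is a power of two


def pool_range(router):
    """Return (network, first pool address, last pool address) for a router."""
    net = ipaddress.IPv4Network(f"{router['ip']}/{router['mask']}", strict=False)
    base = int(net.network_address)
    lo, hi = router["pool"]
    return net, ipaddress.IPv4Address(base + lo), ipaddress.IPv4Address(base + hi)


def check_plan(routers):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    subnets = set()
    pools = []
    for r in routers:
        if not valid_netmask(r["mask"]):
            problems.append(f"{r['name']}: invalid netmask {r['mask']}")
            continue
        net, lo, hi = pool_range(r)
        subnets.add(net)
        if lo > hi:
            problems.append(f"{r['name']}: pool start is after pool end")
        # Pool ends must be usable hosts, not the network or broadcast address.
        for edge in (lo, hi):
            if edge not in net or edge in (net.network_address, net.broadcast_address):
                problems.append(f"{r['name']}: pool address {edge} is not a usable host in {net}")
        pools.append((r["name"], int(lo), int(hi)))
    if len(subnets) > 1:
        problems.append("routers disagree on the LAN subnet: " + ", ".join(sorted(map(str, subnets))))
    # One segment means every pool is seen by every client: pools must be disjoint
    # and must not hand out a router's static address.
    for i, (name_a, lo_a, hi_a) in enumerate(pools):
        for name_b, lo_b, hi_b in pools[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"DHCP pools of {name_a} and {name_b} overlap")
        for r in routers:
            if lo_a <= int(ipaddress.IPv4Address(r["ip"])) <= hi_a:
                problems.append(f"{name_a}'s pool contains router address {r['ip']}")
    return problems


if __name__ == "__main__":
    for line in check_plan(ROUTERS) or ["plan is consistent"]:
        print(line)
```

Running it against the posted plan reports no problems; moving one client to 192.168.9.x or letting its pool run into 100-149 is flagged, which is the kind of mistake that shows up later as a client getting an address from the wrong router.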
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I assume you're talking about getting that error on the server configuration pages. If it's in the clients', instead, please correct me.

    What do you have in the "VPN subnet/netmask" fields? Do you have "Manage Client-Specific Options" selected? If so, what do you have in the fields of that table?
     
  12. mrcanngo

    mrcanngo Addicted to LI Member

    Yes, you are right, I have this error on the VPN server side.

    I have left all settings at default besides the following:

    Server 1 Basic

    Interface TAP
    Protocol UDP
    Port 1194
    Firewall Automatic
    Auth TLS
    extra-HMAC Disabled
    Client address pool DHCP is checked

    Advanced

    All default values. Manage Client-Specific Options is unchecked.
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Somehow, your NVRAM settings must have been corrupted. After upgrading your firmware, did you erase NVRAM? Not doing so can often lead to these types of problems.

    However, you might be able to keep from doing that for now by temporarily switching from TAP to TUN so that the "netmask" field is visible. Make sure it has a valid netmask value before switching back to TAP. Repeat for both server tabs.
     
  14. mrcanngo

    mrcanngo Addicted to LI Member

    You're right, I didn't NVRAM clear it.

    I switched to TUN and saw the netmask field.

    I put 255.255.255.0 in it and saved... it still says invalid netmask.

    Time to clear NVRAM?
     
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Assuming you checked both server tabs, then yes. I think your best bet is an NVRAM clear and manual reconfigure (don't backup and restore the config).
     
  16. mrcanngo

    mrcanngo Addicted to LI Member

    Clearing the NVRAM thoroughly seemed to do the trick.

    But now I have a new problem.

    The client side of the VPN is always getting its DHCP address from the Server side VPN.

    I wanted each router to DHCP addresses by themselves.

    I noticed that traffic on the client side is also now being routed through the VPN.

    I just did a quick check of "what's my IP" from the client side and noticed that it showed the server side's IP.

    Does all this change when changing from Static Key to a TLS key?
     
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It doesn't have anything to do with TLS vs Static key. It is due to using TAP. DHCP uses broadcast messages, and TAP forwards broadcast messages. Since you have multiple routers seeing the DHCP broadcast messages, it's really just the first one to respond that wins. If the gaming you do doesn't rely on broadcast messages, I would suggest having the different routers use different LAN subnets and use TUN. If you do need the broadcast messages for your gaming, then you'll have to find some way to keep these particular broadcast messages (or their responses) from going over the tunnel using iptables.
     
  18. mrcanngo

    mrcanngo Addicted to LI Member

    I switched back to static key and for some reason, the clients always get their proper IPs from the router on their side.

    Yes, the games I need require broadcast messages.

    I've tried this multiple times now, and have found that enabling a static key allows each router to assign DHCP properly. Maybe it has something to do with load on the router?

    For whatever reason, it works exactly as I need it with static keys.

    The only problem is that I might want to add more clients one day and TLS seems to be the only way I can do this.

    What is the proper procedure for making this site-to-site VPN work properly? How/where are the iptables you speak of, and what must I do to assign them to ignore DHCP broadcasts from one another?
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, I wonder if it would work if you just added the following to the Dnsmasq custom configuration section (Advanced->DHCP/DNS, not in the VPN section) on each router:

    Code:
    no-dhcp-interface=tun21

    On the clients, replace 21 with 11 (assuming you're using server 1 and client 1, respectively).

    Also, be sure that the "Redirect Internet Traffic" options are disabled on all the routers in their VPN configs.
     
  20. mrcanngo

    mrcanngo Addicted to LI Member

    Actually, I'm using 1 server and 3, possibly 4, clients. I tried the command you specified and I think it "sorta" worked. A few computers are always getting the proper IP range and a few don't. I'm doing this all remotely and perhaps the ones that aren't getting the proper IP range need to be rebooted. I don't know for sure till I can get to them.

    How did you know that tun11 is the correct tunnel to enter? Can I check it somewhere to confirm I blocked the right tun?

    Also, the OpenVPN how-to instructed how to make up to 3 client certificates and keys, but how do I go about making a 4th? Is that even possible/handleable?

    Thanks for all the help so far!
     
  21. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I made the assumption that you're still just using TomatoVPN routers as the clients and that the DHCP servers for each LAN are running on said routers. Is that correct?

    In TomatoVPN, the TUN/TAP interface names are fixed:

    tun21 (or tap21): Server 1
    tun22 (or tap22): Server 2
    tun11 (or tap11): Client 1
    tun12 (or tap12): Client 2

    As I mentioned, I assumed you were using the Server 1 and Client 1 tabs. If you're using Server 2 or Client 2, you'll need to adjust the dnsmasq directive.

    Sure, you can make as many as you want.
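The interface table above and the dnsmasq directive from the earlier reply, combined into a small helper as an added example (Python; not code from the thread or from TomatoVPN): it derives the fixed TomatoVPN interface name for a given tab and mode, emits the matching no-dhcp-interface line for the Advanced->DHCP/DNS custom configuration, and checks that name against an ifconfig listing, which is one way to answer the "can I confirm I blocked the right tun?" question above. The ifconfig output in the block is constructed sample text; on a router you would feed it the real output.

```python
"""Derive and verify the dnsmasq no-dhcp-interface line for a TomatoVPN router.

Added example; not code from the thread or from TomatoVPN. Interface names
follow the fixed scheme quoted in the thread: Server N -> tun2N/tap2N,
Client N -> tun1N/tap1N.
"""
import re

TAB_PREFIX = {"server": "2", "client": "1"}  # the second digit is the tab number


def vpn_iface(role, tab, mode="tun"):
    """Fixed TomatoVPN interface name, e.g. ("server", 1, "tap") -> "tap21"."""
    if role not in TAB_PREFIX or tab not in (1, 2) or mode not in ("tun", "tap"):
        raise ValueError("role is server/client, tab is 1 or 2, mode is tun or tap")
    return f"{mode}{TAB_PREFIX[role]}{tab}"


def dnsmasq_directive(role, tab, mode="tun"):
    """Line for the Advanced->DHCP/DNS custom config that keeps local DHCP off the tunnel."""
    return f"no-dhcp-interface={vpn_iface(role, tab, mode)}"


def tunnel_interfaces(ifconfig_output):
    """Names of tun*/tap* interfaces present in an 'ifconfig' listing."""
    return set(re.findall(r"^(t(?:un|ap)\d+)\s", ifconfig_output, re.MULTILINE))


def directive_matches_router(role, tab, mode, ifconfig_output):
    """True when the interface named in the directive exists on this router.

    A directive naming tun11 on a router whose tunnel is tap11 silently does
    nothing, so the mode must match the VPN tab's Interface setting.
    """
    return vpn_iface(role, tab, mode) in tunnel_interfaces(ifconfig_output)


# Constructed sample: a client router with the Client 1 tab running in TAP mode.
SAMPLE_IFCONFIG = """\
br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.8.2  Bcast:192.168.8.255  Mask:255.255.255.0
tap11     Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
vlan1     Link encap:Ethernet  HWaddr 00:11:22:33:44:56
"""

if __name__ == "__main__":
    print("server router :", dnsmasq_directive("server", 1, "tap"))
    # Every client router uses its own Client 1 tab, so they all get the same name.
    print("client routers:", dnsmasq_directive("client", 1, "tap"))
    print("tap11 present :", directive_matches_router("client", 1, "tap", SAMPLE_IFCONFIG))
    print("tun11 present :", directive_matches_router("client", 1, "tun", SAMPLE_IFCONFIG))
```

With the sample listing, the TAP directive checks out and the TUN one does not, which is exactly the mismatch to look for when a router keeps answering DHCP across the tunnel despite the custom config line.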
     
