
Help setting up VPN

Discussion in 'Tomato Firmware' started by rs232, Aug 28, 2009.

  1. rs232

    rs232 Network Guru Member

    Hi, I have 2x tomato running on buffalo hardware at different sites.
    I've installed 1.25vpn3.4 on both routers and I'm now trying to set up a connection between the 2.

    I have a problem as one of the 2 routers doesn't hold some of the information when I press start now
    e.g. If I set a server on this router pressing "start now" will clean the local endpoint address

    whereas if I set this router as a client it does the same with the VPN port.

    I'm not quite sure what the problem is but I suspect it could be the hardware. I re-flashed the firmware but it still has the same problem. Is it possible to clean the openvpn config on the router using ssh?

    Any other advice?

    Thanks!
    rs232
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you didn't do an NVRAM clear (thorough) after upgrading, you really should.

    If you really want to reset the VPN settings only, you can ssh in and run
    Code:
    nvram set <variable>="<value>"
    for each setting found here, followed by a
    Code:
    nvram commit
     
  3. rs232

    rs232 Network Guru Member

    Done, thanks! Cleaning the NVRAM was a good idea. I'm now trying to have routing working properly.

    Where do I add a static routing now?
    I do have the route add -net... commands for each device, but I'm not quite sure where the best place to put these is.

    Thanks again!!!!
    rs232
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Under Advanced(from left navbar, not on VPN page)->Routing
     
  5. rs232

    rs232 Network Guru Member

    Yes, the problem is that here I need to specify an output interface together with the gateway. The only options available are LAN and WAN but not TUN11.
    Same thing for RIP in case I wanted to use that instead.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can generate an "up" script in the router's Init script, then add "up /path/to/script" in the custom config section of the vpn pages. You won't directly be able to use the "accept DNS options" option on the VPN client router, but if you want that functionality, you can call my script from yours.
     
  7. rs232

    rs232 Network Guru Member

    Sorry for the ignorance, but where can I save the script in the tomato filesystem?
     
  8. rhester72

    rhester72 Network Guru Member

    CIFS mount, jffs mount, recreate it each time via init script in /tmp...

    Rodney
     
  9. rs232

    rs232 Network Guru Member

    Thanks for the quick reply.
    This is what I did:

    Under VPN Tunneling/advance/custom config
    Code:
    up /tmp/addroute.sh
    Under Administration/scripts/init
    Code:
    echo "/sbin/route add -net 10.10.9.0 netmask 255.255.255.0 gw 10.10.1.213" > /tmp/addroute.sh  && chmod 777 /tmp/addroute.sh
    The VPN doesn't come up on its own now. Is the syntax
    up /tmp/addroute.sh

    correct?
     
  10. rs232

    rs232 Network Guru Member

    if I add
    Code:
    up /tmp/addroute.sh
    to the VPN custom config, the VPN is not starting. I press "start now" but it doesn't work. The log says:

    Code:
    Sep 22 15:46:13 213w daemon.warn openvpn[626]: openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text or man page for
    Sep 22 15:46:13 213w daemon.err openvpn[626]: script failed: external program fork failed
    Sep 22 15:46:13 213w daemon.notice openvpn[626]: Exiting
    
    

    Thanks for reading!
    rs232
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Before the "up" line, add
    Code:
    script-security 2
     
  12. rs232

    rs232 Network Guru Member

    Thanks for the reply, it still doesn't work and here is the full log related to openvpn:

    Code:
    Sep 22 18:54:01 213w user.info kernel: device tun21 entered promiscuous mode
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    Sep 22 18:54:01 213w daemon.warn openvpn[423]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: LZO compression initialized
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: TUN/TAP device tun21 opened
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: TUN/TAP TX queue length set to 100
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: /sbin/ifconfig tun21 10.10.1.213 pointopoint 10.10.1.36 mtu 1500
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: /tmp/addroute.sh tun21 1500 1561 10.10.1.213 10.10.1.36 init
    Sep 22 18:54:01 213w daemon.err openvpn[423]: script failed: could not execute external program
    Sep 22 18:54:01 213w daemon.notice openvpn[423]: Exiting
    Sep 22 18:54:01 213w user.info init[1]: VPN_LOG_ERROR: 732: Starting VPN instance failed...
    
    Here the content of my addroute.sh file
    Code:
    # ls -la /tmp/addroute.sh
    -rwxrwxrwx    1 root     root           69 Jan  1  1970 /tmp/addroute.sh
    # more addroute.sh
    /sbin/route add -net 10.10.9.0 netmask 255.255.255.0 gw 10.10.1.213
    
    The problem seems to be the
    up /tmp/addroute.sh
    in the custom config as if I remove it and run the script manually it works fine.
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It would seem the /sbin/route call is returning error.

    However, I think all you need is
    Code:
    route 10.10.9.0 255.255.255.0
    to your custom config.
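    For readers who still need an "up" script (posts 6, 9 and 12), the following is an added example, not code from this thread or from the Tomato/TomatoVPN project. OpenVPN executes the script directly via execve() with the arguments visible in the post 12 log (tun_dev tun_mtu link_mtu local_ip remote_ip init), so the script needs a #!/bin/sh line, must be executable (0755 is enough), and should use the fifth argument (the remote endpoint, 10.10.1.36 in the log) as the gateway, which is what OpenVPN's own generated route in post 14 does; the remote LAN 10.10.9.0/24 is taken from the thread, and REMOTE_LAN/REMOTE_MASK/build_route_cmd are names chosen for this example.

    ```shell
    #!/bin/sh
    # Added example: OpenVPN "up" script for a Tomato router.
    # Intended to be written to /tmp/addroute.sh by the Init script and
    # installed with chmod 755; OpenVPN calls it via execve(), so the
    # shebang line above is required.  OpenVPN passes:
    #   $1 tun_dev  $2 tun_mtu  $3 link_mtu  $4 local_ip  $5 remote_ip  $6 init|restart
    # Assumed values: remote site's LAN as seen from this router.
    REMOTE_LAN="${REMOTE_LAN:-10.10.9.0}"
    REMOTE_MASK="${REMOTE_MASK:-255.255.255.0}"

    # Build the route command from OpenVPN's positional arguments and print
    # it.  The gateway is the *remote* tunnel endpoint ($5), and the route is
    # pinned to the tun device so it cannot leak onto LAN/WAN.  Returns 1 on
    # missing arguments so OpenVPN logs "script failed" instead of silently
    # installing a bogus route.
    build_route_cmd() {
        dev="$1"
        remote_ip="$5"
        [ -n "$dev" ] && [ -n "$remote_ip" ] || return 1
        printf '/sbin/route add -net %s netmask %s gw %s dev %s\n' \
            "$REMOTE_LAN" "$REMOTE_MASK" "$remote_ip" "$dev"
    }

    # Only act when invoked by OpenVPN (at least 5 arguments); sourcing the
    # file without arguments, e.g. for testing, leaves the routing table alone.
    if [ "$#" -ge 5 ]; then
        cmd=$(build_route_cmd "$@") || { echo "addroute: bad arguments" >&2; exit 1; }
        # A non-zero exit here propagates to OpenVPN as "script failed".
        $cmd || exit 1
    fi
    ```

    With script-security 2 set before the up line, a failure in this script aborts the tunnel start rather than leaving it half-configured.
    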
     
  14. rs232

    rs232 Network Guru Member

    I followed the advice, removed everything from custom config and added the

    route network mask

    on both server and client

    This is now the error log on the server:

    Code:
    Sep 22 21:09:27 213w user.info kernel: device tun21 entered promiscuous mode
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    Sep 22 21:09:27 213w daemon.warn openvpn[477]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: Static Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: Static Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: LZO compression initialized
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: TUN/TAP device tun21 opened
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: TUN/TAP TX queue length set to 100
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: /sbin/ifconfig tun21 10.10.1.213 pointopoint 10.10.1.36 mtu 1500
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.10.1.36
    Sep 22 21:09:27 213w daemon.notice openvpn[477]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
    Sep 22 21:09:27 213w daemon.notice openvpn[483]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Sep 22 21:09:27 213w daemon.notice openvpn[483]: UDPv4 link local (bound): [undef]:1194
    Sep 22 21:09:27 213w daemon.notice openvpn[483]: UDPv4 link remote: [undef]
    Sep 22 21:09:32 213w daemon.err openvpn[483]: event_wait : Interrupted system call (code=4)
    
    And on the client:

    Code:
    Sep 22 21:06:27 36k daemon.err openvpn[120]: event_wait : Interrupted system call (code=4)
    Sep 22 21:06:30 36k daemon.info dnsmasq[124]: DHCPINFORM(br0) 192.168.1.99 00:1d:e0:83:79:59 
    Sep 22 21:06:30 36k daemon.info dnsmasq[124]: DHCPACK(br0) 192.168.1.99 00:1d:e0:83:79:59 Gateway
    Sep 22 21:07:04 36k cron.err crond[94]: time disparity of 20894166 minutes detected
    Sep 22 21:07:07 36k daemon.err openvpn[120]: event_wait : Interrupted system call (code=4)
    
     
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great. No errors now. Or was there something wrong in the client logs beyond what you provided? (They don't show anything to do with connecting to the VPN.)
     
  16. rs232

    rs232 Network Guru Member

    Ok, this is the score:

    Adding only
    route X.X.X.X M.M.M.M
    as a custom config (nothing else), both server and client are running fine, but I don't get any routing.
    The server is connected to 10.10.9.0, while the client is connected to 192.168.1.0
    So on the server side I add
    Code:
    network 192.168.1.0 255.255.255.0
    where on the client side:
    Code:
    network 10.10.9.0 255.255.255.0
    Along with this, I can tell you that a ping from inside either LAN works through the router up to the local IP of the VPN, but not to the endpoint.
    Basically the p2p link has the 10.10.1.0 network (213 on the server side, 36 on the client)
    So if within the LAN on the server side I ping 10.10.1.213 it works, but a ping to 10.10.1.36 does not.

    Not sure this can help the troubleshooting but these 2 are the status page of the VPN on

    Server:

    Code:
    Name	Value
    TUN/TAP read bytes	0
    TUN/TAP write bytes	0
    TCP/UDP read bytes	0
    TCP/UDP write bytes	0
    Auth read bytes	0
    pre-compress bytes	0
    post-compress bytes	0
    pre-decompress bytes	0
    post-decompress bytes	0
    Client:

    Code:
    Name	Value
    TUN/TAP read bytes	180
    TUN/TAP write bytes	0
    TCP/UDP read bytes	0
    TCP/UDP write bytes	348
    Auth read bytes	0
    From the config:
    TUN
    UDP
    Auth: static
    compression: disabled
    port: 1194
    firewall: automatic
    Respond to DNS enable on the server
    NAT disabled on the client
    Redirect Internet traffic disabled on the client

    I have to be honest, I'm getting lost now. This was working this afternoon; I've only been playing with the custom config, but even after removing everything and using the old addroute.sh script it's not working any more. Do you think it's worth resetting to factory defaults and starting from scratch?
     
  17. rs232

    rs232 Network Guru Member

    It is working now!
    I did remove all the config manually from client and server (even the server 2 and client 2!)
    Rebooted, re-created from scratch and now it works.
    I'm very happy about that, but I admit this wasn't straightforward :)
    I think a tomatoVPN mini howto would help other users as I guess the questions are always the same :)

    I just need to ask an additional question. What is this "Respond to DNS" doing exactly?
    I'd like machines in the 2 LANs to call each other by name... I know this is outside the VPN topic, but is there any dnsmasq custom config (or something else) to add static hosts to the internal DNS?
     
  18. rs232

    rs232 Network Guru Member

    Found!
    Still I have to define an internal domain this way but it does work!

    http://ponderer.org/tomato_firmware

    My original idea was to have the local tomato query the remote tomato before asking the ISP DNS. This way there would be no need to maintain a static configuration on any device, but maybe this is not possible yet...

    I know I'm asking and answering questions to myself, but I thought this could be helpful to other users

    Thanks for all the help!
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm glad you got it working!

    In case you haven't figured it out on your own yet, the "Respond to DNS" configures the Dnsmasq process running on the router to respond to DNS requests coming from the tunnel (by default it only listens on the LAN bridge).

    Selecting the "push" and "accept" (strict) DNS options should do what you want with it trying the VPN server for DNS before trying the ISP DNS.
     
  20. rs232

    rs232 Network Guru Member

    Interesting, does this push/accept go into the VPN or DNSMASQ custom config?
    I've found something in the OpenVPN documentation so I guess it's the first one.
    Is this the right syntax?

    Code:
    push dhcp-option DNS 10.10.1.213
    accept dhcp-option DNS 10.10.1.36
    Also I guess I would need these parameters on both sides...
     
  21. rs232

    rs232 Network Guru Member

    Another question:
    Will the VPN work if the Tomato VPN client is connecting to the Internet behind a NAT and there is no port mapping facility available?
    I should try really, but before I mess up the configuration I'm asking instead!

    I know, that really sounds like I'm using the wireless connection of my neighbour, lol :smile:
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There are GUI options to select for this, so no custom config is necessary.

    And, yes, the VPN client should work behind a non-port-forwarded NAT. Only the server needs that.
     
  23. rs232

    rs232 Network Guru Member

    Great, thanks for the quick answer.
    An additional topic is QoS over the tunnel. Is this supported?
    I guess it's just a matter of applying the config to tunxx rather than ethx,
    but I understand the implications of the current GUI behind that...
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unfortunately, I've never attempted QoS over the tunnel. If you try it, report back!
     