
Help! Tomato 1.28 VPN troubleshooting required

Discussion in 'Tomato Firmware' started by pants, Jan 28, 2011.

  1. pants

    pants Networkin' Nut Member

    Hi,

    First I need to give a thanks to pmason for his road-warrior VPN how-to found here:
    http://www.linksysinfo.org/forums/showthread.php?t=64765

    Unfortunately it does not work perfectly for my scenario, which would probably be considered a miracle by some if it did. One person's network scenario is rarely the same as the next person's.

    I need help troubleshooting. My goal is to be able to reach my home pc while away from home. I have access to my own DSL internet connection as well as the wi-fi connection from the network upstairs from the cable company. This I thought would be ideal for setup and testing purposes.

    I read the OpenVPN HowTo as suggested and using pmason's guide I believe I am close to success. My home computer is using Ubuntu 10.10 as is my laptop. My home computer also has Windows 7, but I would prefer to use Ubuntu for this experiment.

    My Asus WL-520GU has Tomato Firmware v1.28.8754 ND USB vpn3.6. At this point, all IP addresses are dynamic coming from this router. 192.168.168.1 - 192.168.168.254 is the range.

    The wi-fi enabled router upstairs is a Linksys WRT54GS with stock firmware as I do not have access to it. IP addresses are the default range 192.168.1.1 and assigned dynamically.

    I have been Googling like crazy to help with this issue I'm having, but some of my most basic queries have not been answered. I apologize for the stupid questions that are about to follow......

    1st - Can someone tell me what is my server? My home computer or the Tomato-based router? I assume client1 is my laptop. Does my home computer need OpenVPN installed and is it where I generate my certificates? Does my laptop need OpenVPN installed too?

    2nd - If my home computer is the server, what exactly do I need the OpenVPN firmware on my router for?

    3rd - In pmason's HowTo, the first picture of his Tomato VPN setup shows the keys being pasted into server2. Is that correct? My server 2 "keys" tab does not contain a space to paste a static key. Further down pmason's guide, the settings have been configured for server1. I'm confused, server 1 or server 2 or both?

    All other settings have been configured according to pmason's guide. Since he was using a Windows client, the config file included the "dev-node OpenVPN" parameter. I understand that because I am using Linux, this parameter is not required so I removed it.

    So, moving forward from here what info should I post in order to receive further guidance from all the Tomato/OpenVPN gurus here?

    Many thanks,
    pants
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can have the server on the home computer or on a router, either way (but you don't need it on both). If you have it on the router, it would be easier to have remote access to the entire LAN. If all you want access to is the one computer and it is usually turned on, it may be easier to just install the OpenVPN server on that computer.

    If you do use OpenVPN on the router, you'll have to have OpenVPN installed somewhere to generate the keys (that bit is left out of the firmware to save space), but you're already wanting OpenVPN on the client laptop anyway, so that will work for that.

    Does the computer you want remote access to use the Tomato router as its default gateway, or is it just on the same LAN as your computer?
     
  3. pants

    pants Networkin' Nut Member

    Thanks for the response SgtPepperKSU. You asked:

    Does the computer you want remote access to use the Tomato router as its default gateway, or is it just on the same LAN as your computer?

    The home computer I wish remote access to uses the Tomato router as its default gateway. My LAN consists of DSL modem -> Tomato router -> home computer, various xboxes, my brother's pc and that's about it. Nothing too complex. The home computer I wish to access currently has a static IP address.

    The laptop is currently using a dynamic IP from the upstairs Linksys router which I can not change any settings on. The default gateway is 192.168.1.1 as it contains the stock Linksys firmware and configuration. It uses a different ISP than me and right now is acting as though I was out of town for "proof of concept" purposes. It is a simple cable modem -> linksys router -> pc setup. It is an unsecured wireless network that I have access to if I need it.

    When I attempt to use the laptop to connect to the router using the terminal commands I receive the following output:

    pants@Tiny:~$ cd /etc/openvpn
    pants@Tiny:/etc/openvpn$ openvpn client1.conf
    Thu Jan 27 21:33:09 2011 OpenVPN 2.1.4 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Nov 5 2010
    Thu Jan 27 21:33:09 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Jan 27 21:33:09 2011 WARNING: file 'client1.key' is group or others accessible
    Thu Jan 27 21:33:09 2011 WARNING: file 'ta.key' is group or others accessible
    Thu Jan 27 21:33:09 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Thu Jan 27 21:33:09 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jan 27 21:33:09 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jan 27 21:33:09 2011 LZO compression initialized
    Thu Jan 27 21:33:09 2011 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Thu Jan 27 21:33:09 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
    Thu Jan 27 21:33:10 2011 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Thu Jan 27 21:33:10 2011 Local Options hash (VER=V4): '48527533'
    Thu Jan 27 21:33:10 2011 Expected Remote Options hash (VER=V4): '44bd8b5e'
    Thu Jan 27 21:33:10 2011 UDPv4 link local: [undef]
    Thu Jan 27 21:33:10 2011 UDPv4 link remote: 66.183.40.35:1194
    Thu Jan 27 21:33:10 2011 TLS: Initial packet from 66.183.40.35:1194, sid=2ca5691e eefdc08c
    Thu Jan 27 21:33:13 2011 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Pants/CN=Pants_CA/emailAddress=ajaggers@telus.net
    Thu Jan 27 21:33:13 2011 VERIFY OK: nsCertType=SERVER
    Thu Jan 27 21:33:13 2011 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Pants/CN=pants/emailAddress=ajaggers@telus.net
    Thu Jan 27 21:33:18 2011 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Jan 27 21:33:18 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jan 27 21:33:18 2011 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Jan 27 21:33:18 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jan 27 21:33:18 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Thu Jan 27 21:33:18 2011 [pants] Peer Connection Initiated with 66.183.40.35:1194
    Thu Jan 27 21:33:20 2011 SENT CONTROL [pants]: 'PUSH_REQUEST' (status=1)
    Thu Jan 27 21:33:20 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.168.254,route-gateway 192.168.168.254,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60'
    Thu Jan 27 21:33:20 2011 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Jan 27 21:33:20 2011 OPTIONS IMPORT: route options modified
    Thu Jan 27 21:33:20 2011 OPTIONS IMPORT: route-related options modified
    Thu Jan 27 21:33:20 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Jan 27 21:33:20 2011 ROUTE default_gateway=192.168.1.1
    Thu Jan 27 21:33:20 2011 Note: Cannot ioctl TUNSETIFF tap: Operation not permitted (errno=1)
    Thu Jan 27 21:33:20 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Thu Jan 27 21:33:20 2011 Cannot allocate TUN/TAP dev dynamically
    Thu Jan 27 21:33:20 2011 Exiting

    Sorry if I don't need all the output above, but it shows exactly what I have been trying.
    In my opening post, I asked about the server1/server2 tabs in Tomato. My configuration only is entered into the server1 tab. Is there output from the Tomato router that will aid in resolving this?

    Thanks,
    pants
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    In order to set up the interfaces in Ubuntu, OpenVPN will need some escalated privileges. You could run OpenVPN with sudo (if your user has sudo rights) and add some commands to the client config to keep from running unsecurely as root. However, the Network Manager integration with OpenVPN is really slick. Install the network-manager-openvpn-gnome package, then setup your VPN through network manager. Then, whenever you want to connect, you just click on the network indicator/notification applet and select your VPN.

    I've used the OpenVPN, vpnc, and OpenConnect VPN network manager plugins (for connecting to different types of VPN, of course) to great effect. I suggest you do the same if you're on a platform that supports it (Ubuntu does). Much more convenient than setting things up and running manually.
     
  5. sultanoswing

    sultanoswing Addicted to LI Member

    I have had problems with Network Manager not 'seeing' the key files when using its GUI to locate their paths.

    Solved that one by importing the configuration from the ovpn.conf file with the paths, of course, specified in the conf.

    But in general, Network Manager makes the connection from a laptop into the Tomato-hosted VPN, very straight forward. As another FYI, you won't properly be able to test your VPN connectivity from within the LAN - you'll have to connect in from the WAN (I pulled out hair before figuring this out!).

    The "unable to allocate TAP/TUN" message indicates, as above, that you don't have permissions. You can run the tun as a daemon or startup service (check your distro's documentation), or use Network Manager.

    I have a similar setup to yours and it works very well, running the VPN on the router.
     
  6. pants

    pants Networkin' Nut Member

    Well I finally got it working. Thanks for the advice and patience. As it turns out, I was struggling with permissions on my Ubuntu laptop and to remedy that situation (I'm a little green with Linux) I installed WinXP with OpenVPN and the GUI on the laptop. Worked right away while using the laptop on the cable ISP from upstairs to my DSL ISP LAN downstairs. Easy-peasy. For my next trick, I shall attempt to get Ubuntu and my permissions issues sorted out and the VPN up and running.

    Again, I thank you for your help and guidance.

    Pants
     
  7. pants

    pants Networkin' Nut Member

    Ok, same laptop, same certificates, same config file, but while using Ubuntu the VPN is not successful. First issue, is the permissions issue as above...."unable to allocate TAP/TUN". Now, I should be able to use the network-manager-openvpn-gnome package to setup and manage this VPN connection, but I seem to be doing something wrong.

    I used the "import" function to import my client1.conf parameters, checked the box "Available to all users" and placed all keys and certificates into the /etc/openvpn folder. My user account gets the "unable to allocate TAP/TUN" error still. I thought the "available to all users" check box elevated the permissions for my user account but it doesn't seem to be the case.

    So I thought I'd be clever and try with the root account. Same imported config, same "Available to all users" option checked. Still does not work. This time the terminal log looks like this:

    root@tiny:~# cd /etc/openvpn
    root@tiny:/etc/openvpn# openvpn client1.conf
    Sun Jan 30 11:13:19 2011 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
    Sun Jan 30 11:13:19 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sun Jan 30 11:13:19 2011 WARNING: file '/etc/openvpn/client1.key' is group or others accessible
    Sun Jan 30 11:13:19 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
    Sun Jan 30 11:13:19 2011 WARNING: file 'ta.key' is group or others accessible
    Sun Jan 30 11:13:19 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Sun Jan 30 11:13:19 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Jan 30 11:13:19 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Jan 30 11:13:19 2011 LZO compression initialized
    Sun Jan 30 11:13:19 2011 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Sun Jan 30 11:13:19 2011 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Sun Jan 30 11:13:19 2011 Local Options hash (VER=V4): '48527533'
    Sun Jan 30 11:13:19 2011 Expected Remote Options hash (VER=V4): '44bd8b5e'
    Sun Jan 30 11:13:19 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
    Sun Jan 30 11:13:19 2011 UDPv4 link local: [undef]
    Sun Jan 30 11:13:19 2011 UDPv4 link remote: [AF_INET]66.183.46.55:1194
    Sun Jan 30 11:13:19 2011 TLS: Initial packet from [AF_INET]66.183.46.55:1194, sid=e58a50d5 880f043d
    Sun Jan 30 11:13:20 2011 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Home/CN=Home_CA/emailAddress=ajaggers@telus.net
    Sun Jan 30 11:13:20 2011 VERIFY OK: nsCertType=SERVER
    Sun Jan 30 11:13:20 2011 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Home/CN=tomato/emailAddress=ajaggers@telus.net
    Sun Jan 30 11:13:20 2011 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sun Jan 30 11:13:20 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Jan 30 11:13:20 2011 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sun Jan 30 11:13:20 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Jan 30 11:13:20 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sun Jan 30 11:13:20 2011 [tomato] Peer Connection Initiated with [AF_INET]66.183.46.55:1194
    Sun Jan 30 11:13:23 2011 SENT CONTROL [tomato]: 'PUSH_REQUEST' (status=1)
    Sun Jan 30 11:13:23 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.168.254,route-gateway 192.168.168.254,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60'
    Sun Jan 30 11:13:23 2011 OPTIONS IMPORT: timers and/or timeouts modified
    Sun Jan 30 11:13:23 2011 OPTIONS IMPORT: route options modified
    Sun Jan 30 11:13:23 2011 OPTIONS IMPORT: route-related options modified
    Sun Jan 30 11:13:23 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sun Jan 30 11:13:23 2011 ROUTE default_gateway=192.168.1.1
    Sun Jan 30 11:13:23 2011 TUN/TAP device tap2 opened
    Sun Jan 30 11:13:23 2011 TUN/TAP TX queue length set to 100
    Sun Jan 30 11:13:23 2011 /sbin/route add -net 66.183.46.55 netmask 255.255.255.255 gw 192.168.1.1
    SIOCADDRT: File exists
    Sun Jan 30 11:13:23 2011 ERROR: Linux route add command failed: external program exited with error status: 7
    Sun Jan 30 11:13:23 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.168.254
    SIOCADDRT: No such process
    Sun Jan 30 11:13:23 2011 ERROR: Linux route add command failed: external program exited with error status: 7
    Sun Jan 30 11:13:23 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.168.254
    SIOCADDRT: No such process
    Sun Jan 30 11:13:23 2011 ERROR: Linux route add command failed: external program exited with error status: 7
    Sun Jan 30 11:13:23 2011 Initialization Sequence Completed
    ^CSun Jan 30 11:13:28 2011 event_wait : Interrupted system call (code=4)
    Sun Jan 30 11:13:28 2011 SIGTERM received, sending exit notification to peer
    Sun Jan 30 11:13:32 2011 TCP/UDP: Closing socket
    Sun Jan 30 11:13:32 2011 /sbin/route del -net 66.183.46.55 netmask 255.255.255.255
    Sun Jan 30 11:13:32 2011 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
    SIOCDELRT: No such process
    Sun Jan 30 11:13:32 2011 ERROR: Linux route delete command failed: external program exited with error status: 7
    Sun Jan 30 11:13:32 2011 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
    SIOCDELRT: No such process
    Sun Jan 30 11:13:32 2011 ERROR: Linux route delete command failed: external program exited with error status: 7
    Sun Jan 30 11:13:32 2011 Closing TUN/TAP interface
    Sun Jan 30 11:13:32 2011 SIGTERM[soft,exit-with-notification] received, process exiting
    root@tiny:/etc/openvpn#


    The Network Manager method of connecting simply says "vpn connection failed". The imported config file is as follows:

    dev tap
    proto udp
    remote pants.dyndns.tv 1194
    tls-client
    keepalive 15 120
    verb 3
    mute-replay-warnings
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client1.crt
    key /etc/openvpn/client1.key
    tls-auth /etc/openvpn/ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    pull
    nobind
    explicit-exit-notify 3
    comp-lzo

    I have made one change to the config file from Windows. I removed "dev-node OpenVPN" as I understand this is not necessary for Linux, as well as saving the file as client1.conf.

    Again, any expertise getting this to work is greatly appreciated. I know the obvious choice is "use Windows if it works" but I am really trying to migrate to Linux.

    Thanks,
    Pants
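    Both terminal logs in this thread warn that client1.key and ta.key are "group or others accessible". The check below is an added example, not code from the thread or from OpenVPN: it reads the secret-file directives out of a client config like the one posted above (the config text is a constructed copy, with the path to ta.key under /etc/openvpn), reports any referenced key file that is readable by group or others, and tightens the mode to 0600. The root parameter, which remaps the absolute paths into a scratch directory, is purely a convenience for running it offline; inline <key> blocks are not handled.

```python
import os
import stat
import tempfile

# Constructed copy of the client config posted in the thread.
CLIENT_CONF = """\
dev tap
proto udp
remote pants.dyndns.tv 1194
tls-client
keepalive 15 120
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
tls-auth /etc/openvpn/ta.key 1
ns-cert-type server
cipher AES-256-CBC
pull
nobind
comp-lzo
"""

# Directives whose first argument is a file holding secret material.
# ca and cert are public and may stay world-readable, so they are left out.
SECRET_DIRECTIVES = {"key", "tls-auth", "secret", "tls-crypt"}


def secret_files(conf_text, root=None):
    """Return the secret-file paths named in an OpenVPN config.

    root (optional, for offline testing) remaps '/etc/openvpn/x' to '<root>/etc/openvpn/x'.
    """
    paths = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        parts = line.split()
        if parts[0] in SECRET_DIRECTIVES and len(parts) >= 2:
            path = parts[1]  # e.g. 'tls-auth <file> 1': the file is the first argument
            if root is not None:
                path = os.path.join(root, path.lstrip("/"))
            paths.append(path)
    return paths


def group_or_others_accessible(path):
    """True when any group/other permission bit is set, which is what OpenVPN warns about."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_key_permissions(conf_text, root=None):
    """Return warnings in the same wording OpenVPN uses, one per over-permissive key file."""
    return [
        f"file '{p}' is group or others accessible"
        for p in secret_files(conf_text, root)
        if os.path.exists(p) and group_or_others_accessible(p)
    ]


def lock_down(paths):
    """Restrict each existing key file to owner read/write only (mode 0600)."""
    for p in paths:
        if os.path.exists(p):
            os.chmod(p, 0o600)


def demo():
    """Create constructed key files with loose modes, then show the check before and after fixing.

    Returns (warnings_before, warnings_after).
    """
    with tempfile.TemporaryDirectory() as root:
        keydir = os.path.join(root, "etc", "openvpn")
        os.makedirs(keydir)
        for name in ("client1.key", "ta.key"):
            path = os.path.join(keydir, name)
            with open(path, "w") as fh:
                fh.write("-----BEGIN CONSTRUCTED PLACEHOLDER KEY-----\n")
            os.chmod(path, 0o644)  # the loose mode that triggers OpenVPN's warning
        before = check_key_permissions(CLIENT_CONF, root)
        lock_down(secret_files(CLIENT_CONF, root))
        after = check_key_permissions(CLIENT_CONF, root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

    Run it as root (or on a copy of the files) against the real /etc/openvpn directory by calling check_key_permissions(open("/etc/openvpn/client1.conf").read()) without a root argument; the warning disappears from the OpenVPN log once the key files are 0600.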
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've never tried using the "import" or "available to all users" options. If I were you, I'd try just setting it up manually in Network Manager. There aren't that many options to go through.

    Then again, I've never used TAP with Network Manager, either. That could also be a factor.

    But, the errors you're getting are different than before. It doesn't appear to be a permissions problem now. A quick Google seems to indicate you'd get that error if the routes it is trying to add already exist. You aren't using the same subnet for the client and the server, are you (that also goes for testing it from within the server subnet)? Also, you don't already have a tunnel open when you try to use Network Manager, right?
     
  9. pants

    pants Networkin' Nut Member

    Ok, the router and internet connection I'm using to pretend I am away from home is using the Linksys default IP address scheme of 192.168.1.1 for the router's LAN IP, 192.168.1.100 - 192.168.1.200 for the DHCP pool. My laptop's address is usually 192.168.1.117. The WAN IP is 24.*.*.*. There are no other routers attached to that network, only DHCP client PCs, Macs, and various smart phones.

    The router and internet connection I'm using in my home is the Tomato VPN router and a different ISP from the laptop's connection. My home computer has an IP address of 192.168.168.1. This is the computer I wish to reach while away from home. The router's LAN IP address is 192.168.168.254 and its WAN IP is 64.*.*.*. There are no other routers on this LAN either, only DHCP client computers.

    I'm very rusty regarding subnets & routing so I'm not sure if either of these are in the same subnet or not. Like I mentioned, this exact configuration works with Windows, just not with Ubuntu.

    I'm not sure about your last question either.....how would I have a tunnel open when I try to use Network Manager? I simply turn on the laptop, go to Network Manager, select VPN Connections, and select client1 to try to connect.

    I have done some Googling and found this: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/330833

    It appears to be an Ubuntu bug website. The topic is "NetworkManager always overwrites default route when connecting to OpenVPN network". And from the reading I did and the poor understanding I have, it looks like Network Manager OpenVPN has some bugs, but even using the terminal to start OpenVPN doesn't work so I'm confused.

    It appears that "daniel" found a workaround in his post from the url above:

    I got around this problem by adding a route on the IPv4 tab when editing the VPN connection. The route I added was

    address: 172.x.y.0
    netmask: 255.255.255.0
    gateway: 172.x.y.117
    metric: 1000

    I also selected "ignore automatically obtained routes" and "use this connection only for resources on this network". The gateway was the remote open VPN server's private IP address. I'm also using a TAP device. The open VPN server gives the client an address in its pool of addresses.

    Regards,
    Daniel


    I have tried several combinations, but I cannot get his workaround to work. What should my entry look like to try his workaround?

    address: 192.168.168.0
    netmask: 255.255.255.0
    gateway: 192.168.168.254
    metric: 1000

    Or something else?

    Thanks. I will keep trying to work through this until I get it right.

    Pants
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you try connecting from the command line (without Network Manager) using sudo? That way we can make sure things are okay before figuring out what problem you're having with Network Manager.
     
  11. pants

    pants Networkin' Nut Member

    When I use the sudo openvpn client1.conf command I get the same result as using the root account.

    pants@tiny:/etc/openvpn$ sudo openvpn client1.conf
    [sudo] password for pants:
    Mon Jan 31 08:11:29 2011 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
    Mon Jan 31 08:11:29 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Jan 31 08:11:29 2011 WARNING: file '/etc/openvpn/client1.key' is group or others accessible
    Mon Jan 31 08:11:29 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
    Mon Jan 31 08:11:30 2011 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
    Mon Jan 31 08:11:30 2011 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
    Mon Jan 31 08:11:30 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Jan 31 08:11:30 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Jan 31 08:11:30 2011 LZO compression initialized
    Mon Jan 31 08:11:30 2011 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Mon Jan 31 08:11:30 2011 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Jan 31 08:11:30 2011 Local Options hash (VER=V4): '48527533'
    Mon Jan 31 08:11:30 2011 Expected Remote Options hash (VER=V4): '44bd8b5e'
    Mon Jan 31 08:11:30 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
    Mon Jan 31 08:11:30 2011 UDPv4 link local: [undef]
    Mon Jan 31 08:11:30 2011 UDPv4 link remote: [AF_INET]66.183.46.55:1194
    Mon Jan 31 08:11:30 2011 TLS: Initial packet from [AF_INET]66.183.46.55:1194, sid=b2cc62e4 44a1ffbe
    Mon Jan 31 08:11:32 2011 VERIFY OK: depth=1, /C=CA/ST=BC/L=Vancouver/O=Home/CN=Home_CA/emailAddress=ajaggers@telus.net
    Mon Jan 31 08:11:32 2011 VERIFY OK: nsCertType=SERVER
    Mon Jan 31 08:11:32 2011 VERIFY OK: depth=0, /C=CA/ST=BC/L=Vancouver/O=Home/CN=tomato/emailAddress=ajaggers@telus.net
    Mon Jan 31 08:11:38 2011 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Mon Jan 31 08:11:38 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Jan 31 08:11:38 2011 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Mon Jan 31 08:11:38 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Jan 31 08:11:38 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Mon Jan 31 08:11:38 2011 [tomato] Peer Connection Initiated with [AF_INET]66.183.46.55:1194
    Mon Jan 31 08:11:40 2011 SENT CONTROL [tomato]: 'PUSH_REQUEST' (status=1)
    Mon Jan 31 08:11:40 2011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.168.254,route-gateway 192.168.168.254,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60'
    Mon Jan 31 08:11:40 2011 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Jan 31 08:11:40 2011 OPTIONS IMPORT: route options modified
    Mon Jan 31 08:11:40 2011 OPTIONS IMPORT: route-related options modified
    Mon Jan 31 08:11:40 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Mon Jan 31 08:11:40 2011 ROUTE default_gateway=192.168.1.1
    Mon Jan 31 08:11:40 2011 TUN/TAP device tap1 opened
    Mon Jan 31 08:11:40 2011 TUN/TAP TX queue length set to 100
    Mon Jan 31 08:11:40 2011 /sbin/route add -net 66.183.46.55 netmask 255.255.255.255 gw 192.168.1.1
    SIOCADDRT: File exists
    Mon Jan 31 08:11:40 2011 ERROR: Linux route add command failed: external program exited with error status: 7
    Mon Jan 31 08:11:40 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.168.254
    SIOCADDRT: No such process
    Mon Jan 31 08:11:40 2011 ERROR: Linux route add command failed: external program exited with error status: 7
    Mon Jan 31 08:11:40 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.168.254
    SIOCADDRT: No such process
    Mon Jan 31 08:11:40 2011 ERROR: Linux route add command failed: external program exited with error status: 7
    Mon Jan 31 08:11:40 2011 Initialization Sequence Completed

    It then loops and tries again until I stop it.
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you post your routing table before trying to connect (route -n)?
     
  13. pants

    pants Networkin' Nut Member

    Routing table pre-connection:

    pants@tiny:~$ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    66.183.46.55 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan1
    192.168.1.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan1
    169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan1
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan1
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think I can explain all those error messages:
    Code:
    Mon Jan 31 08:11:40 2011 /sbin/route add -net 66.183.46.55 netmask 255.255.255.255 gw 192.168.1.1
    SIOCADDRT: File exists
    That route already exists. Fine, no problem.
    Code:
    Mon Jan 31 08:11:40 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.168.254
    SIOCADDRT: No such process
    This route says to use 192.168.168.254 as a gateway, but we don't have a route to 192.168.168.254.
    Code:
    Mon Jan 31 08:11:40 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.168.254
    SIOCADDRT: No such process
    When OpenVPN set up the TAP device it should have assigned it an IP address, which should have set up routes for 192.168.168.0/24.
    You don't have your server configured as TUN with your clients using TAP, do you? That may work in Windows due to a quirk in how they implement TAP and TUN, but it certainly wouldn't work in Linux (or any other operating system with real TAP and TUN).

    If you do have the server set up as TAP, what do you have configured for "Client address pool"?
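    The route errors SgtPepperKSU explains here, and the subnet question pants could not answer two posts earlier, can both be reproduced offline with the routing table and pushed routes quoted in this thread. The script below is an added example, not code from the thread or from OpenVPN: it models the kernel's two refusals in a simplified way ("File exists" when a route with the same destination and mask is already present, "No such process" when the gateway is not covered by any connected route), shows that the pushed routes through 192.168.168.254 cannot be installed until the TAP device has an address on 192.168.168.0/24, and checks that the two LANs do not overlap. The client address 192.168.168.50 is a constructed placeholder for whatever the server's pool hands out.

```python
import ipaddress

# Constructed from the 'route -n' output pants posted before connecting:
# (destination, genmask, gateway, iface). Gateway 0.0.0.0 means a connected route.
PRE_CONNECT_ROUTES = [
    ("66.183.46.55", "255.255.255.255", "192.168.1.1", "wlan1"),
    ("192.168.1.0", "255.255.255.0", "0.0.0.0", "wlan1"),
    ("169.254.0.0", "255.255.0.0", "0.0.0.0", "wlan1"),
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "wlan1"),
]

# The three 'route add' commands OpenVPN ran, taken from the posted log:
# (destination, netmask, gateway).
PUSHED_ROUTES = [
    ("66.183.46.55", "255.255.255.255", "192.168.1.1"),
    ("0.0.0.0", "128.0.0.0", "192.168.168.254"),
    ("128.0.0.0", "128.0.0.0", "192.168.168.254"),
]

HOME_LAN = "192.168.168.0/24"    # behind the Tomato router
REMOTE_LAN = "192.168.1.0/24"    # the upstairs Linksys network the laptop sits on


def net(dst, mask):
    """Build a network from dotted destination + dotted mask, as 'route' prints them."""
    return ipaddress.ip_network(f"{dst}/{mask}", strict=False)


def gateway_on_link(table, gw):
    """A gateway is usable only if a connected route (gateway 0.0.0.0) covers it."""
    gw = ipaddress.ip_address(gw)
    return any(gateway == "0.0.0.0" and gw in net(dst, mask)
               for dst, mask, gateway, _iface in table)


def simulate_route_add(table, dst, mask, gw):
    """Return the error string 'route add' would print, or None on success.

    Simplified model of the kernel checks: it ignores metrics and does not
    distinguish the several reasons Linux can reject a route beyond these two.
    """
    target = net(dst, mask)
    if any(net(d, m) == target for d, m, _g, _i in table):
        return "SIOCADDRT: File exists"
    if gw != "0.0.0.0" and not gateway_on_link(table, gw):
        return "SIOCADDRT: No such process"
    return None


def with_tap_address(table, addr, mask, iface="tap1"):
    """Model the connected route the kernel adds once the TAP device gets an address."""
    connected = net(addr, mask)
    return table + [(str(connected.network_address), mask, "0.0.0.0", iface)]


def check_pushed_routes(table):
    """Result of each pushed 'route add' against the given table (None = success)."""
    return [simulate_route_add(table, d, m, g) for d, m, g in PUSHED_ROUTES]


def same_subnet(a, b):
    """True when the two prefixes overlap, the condition SgtPepperKSU asked about."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


if __name__ == "__main__":
    print("LANs overlap:", same_subnet(HOME_LAN, REMOTE_LAN))
    print("without TAP address:", check_pushed_routes(PRE_CONNECT_ROUTES))
    fixed = with_tap_address(PRE_CONNECT_ROUTES, "192.168.168.50", "255.255.255.0")
    print("with TAP address:   ", check_pushed_routes(fixed))
```

    Without the TAP address the model yields exactly the three messages in the log; with it, only the harmless "File exists" for the already-present host route remains, which is why the fix lies in the server's address-pool setting rather than in the client's routes.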
     
  15. pants

    pants Networkin' Nut Member

    My tomato router page VPN Server Configuration -> Server1 -> Basic is currently configured like this:

    Interface Type: TAP
    Client address pool: DHCP box is checked.
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try unchecking the DHCP box. The DHCP feature is relatively new to OpenVPN, and I've found it to be a bit flaky at times.
     
  17. pants

    pants Networkin' Nut Member

    I'm sure you've heard this before, but you were right :)

    I unchecked the DHCP box and can connect using the terminal command sudo openvpn client1.conf. I thought using DHCP would make things easier.....

    Network manager doesn't work though. Just says failed, connection attempt timed out. I tried manually inputting the config into NM, and tried using the import feature. Both result in connection attempt timed out.

    Any thoughts?
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, the logs will hopefully tell us what's up. Before starting it up, run the following from a terminal:
    Code:
    tail -n 0 -f /var/log/syslog
    Then paste the output from when you try to connect.
     
  19. pants

    pants Networkin' Nut Member

    Hmmm, the strangest thing is happening.......

    When I reboot, the VPN automatically starts and connects perfectly. The only problem is I don't want it to auto start.

    Because it auto starts I can't even use your code.

    Even more of an issue, I don't know how to stop it without unplugging the wifi adapter....lol.
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Network Manager autoconnects? There is a "Connect Automatically" setting in the VPN settings. Also, there is a "Disconnect VPN" under the network manager icon.
     
  21. pants

    pants Networkin' Nut Member

    Yes, it appears the Network Manager seems to autoconnect. The 'connect automatically' box is not checked. If it is checked it seems to connect as well.

    And, the "disconnect VPN" option is greyed out and does not allow me to disconnect.

    I checked for these settings too, and messed with them before posting. Apparently something is not quite right, but hey, at least it connects. :)

    When I remove the network-manager-openvpn-gnome package in Synaptic, this behaviour does not occur. But then again, that is the behaviour I would expect when the package isn't installed.

    Network Manager does auto-start my wifi connection; could that be somehow forcing the VPN to auto-start too?

    Gotta say, this did make me laugh! I have nothing but problems for 3 days trying to connect and now I can't make it disconnect....so funny. Gotta have a sense of humour about it....just gotta.


    BTW, just used network manager to disable auto-start on wifi connection, rebooted, and both the wifi and the VPN did not start up. But then I connected to the wifi network and bam! the VPN auto-started too. How can I separate the two?
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm sorry, but I have no idea. I've never had that happen. You'll probably have to ask somebody with more knowledge of Network Manager than my "I've used it and it works great for me."
     
  23. pants

    pants Networkin' Nut Member

    No worries. I'm going to live with it as is for now. I've got a much better understanding of how it works and can move forward from here. Thank you very much for your efforts. If I sort out the network manager I will post my solution.

    Many thanks SgtPepperKSU,
    Pants
     
