Looking for OpenVPN Site to Site How To...

Discussion in 'Tomato Firmware' started by PGalati, May 10, 2013.

  1. PGalati

    PGalati Network Guru Member

    Is there a tutorial on how to create a site to site openvpn connection using 2 or more tomato routers? All of the documentation I have found seems to use the scenario of a computer being the client.

    Is it possible to create multiple VLANS and have only one of the VLANS tunneled while the other does not? So depending on which SSID I connect to will reflect on what network services are available to the device.

  2. quihong

    quihong Networkin' Nut Member

  3. PGalati

    PGalati Network Guru Member

    Is it possible to configure openvpn to accept a client that may have its IP address change from time to time? I would like to carry the client router with me and connect to any public network and create the tunnel from there. In your tutorial you have the client using a public address. Maybe site to site is not necessarily what I am looking for. The client should see everything inside the server's network, but the clients on the server's side do not necessarily need to see behind the client's network.

    Thanks for any additional advice you may have.
  4. gfunkdave

    gfunkdave LI Guru Member

    OpenVPN shouldn't care what the client's IP is.

    There have been many threads here on this very topic (OpenVPN between two Tomato routers). Search for them. Lots of how-tos.
  5. quihong

    quihong Networkin' Nut Member

    My tutorial states you need two public IP address to keep things simple. In addition, that was how I tested it.

    Technically, an OpenVPN client can connect to OpenVPN servers behind a NAT. Basically the client doesn't require a public IP address.

    Give it a try. All it will cost you is 30 minutes :)
  6. PGalati

    PGalati Network Guru Member

    Quihong, I currently do not have a router with a USB port to follow your directions step by step. I am currently using a pair of WRT54GL's for this solution.

    I downloaded and installed the OpenVPN client for Windows from openvpn's web site. I could not find any clue as to what version either link was. I downloaded and installed the version that did not require the .net framework. After doing so, I began what seemed to be a straightforward tutorial on generating the necessary certs. Immediately realizing that the directory I was supposed to see didn't exist, I assume that I should download easy-rsa from github. Really? The link sure seems self explanatory. After downloading the whole thing, I start to replicate the directories that did not get created when the openvpn client software was installed. I modify the Vars.bat file as needed. I run vars.bat, good. I run clean-all, error file not found. openssl 1.0.0 was not in the same folder with the rest of the windows stuff. ok, moved that. rerun vars, good there. rerun clean-all, no errors this time. run build.ca, openssl error message. Is it really necessary to cobble this stuff together to generate a few text files?
  7. Malitiacurt

    Malitiacurt Networkin' Nut Member

    You want the community downloads. It's the open-source version that provides the stuff required to make the certificates.

    The one you linked is the client used for their company's VPN service. It's really bad how they've named things and confuses most new users.

    I followed this guide last time I set up OpenVPN on my tomato routers. And no, you don't need a public IP for the OpenVPN client. I have a router with OpenVPN client as a tunneler/proxy when I'm travelling and no, it doesn't need a 'public' IP at all. (Plus it makes it much easier than setting up SSH tunneling for every device I want to hook up.)

  8. quihong

    quihong Networkin' Nut Member

  9. Malitiacurt

    Malitiacurt Networkin' Nut Member

    I just looked through quihong's tutorial. I think the howtogeek one is slightly easier. You generate the certificates on a computer instead of on the router itself.

    I installed openvpn 2.x on my laptop and generated the certificates there. Should work fine on a WRT54GL, I recently installed Shibby's 107 MiniVPN on an M10 which has no USB and 4MB flash just like the 54GL. It has just enough space for the certificates/keys on the NVRAM (32kB) and RAM shouldn't be an issue (M10 has 32MB ram but atm it's only using 12MB anyways so that shouldn't matter for the 54GL).
  10. PGalati

    PGalati Network Guru Member

    @quihong, I apologize if I discounted your tutorial. It is a great tutorial if the hardware is applicable. I do plan on purchasing some newer routers that contain USB ports and may revisit your tutorial. Thanks for your contributions to this thread and the Tomato community.

    @Malitiacurt, thanks for the explanation and the link for the openvpn software to generate the certs, that worked much better. I successfully generated the keys and have successfully applied them to a server and client router and they connect.

    Using this scenario, once the routers are configured and connected, would I be able to stream iTunes from a shared library across the VPN, meaning could I be on the same subnet as the iTunes computer?
  11. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Should be able to yes. Same subnet requires TAP though, and I used TUN in my configurations so I'm unsure how to make it work properly. I can get pinging and filesharing through TUN across my devices on different subnets, both from VPN-client to VPN-server and vice versa. (To enable server to client, had to add the common name and subnet of the VPN-client for the server to properly route IP requests for that subnet).

    Oh, also make sure you add access to the other subnet to your firewall on your computer. I forgot to do that and it was driving me nuts during testing on why I couldn't access the server from the client for my new setup.
  12. quihong

    quihong Networkin' Nut Member

    @PGalati, no problem. Because of your post, I now realize the documented requirements for the tutorial are a little bit too restrictive - only the OpenVPN server router needs a public IP address, and the client router can run plain old Tomato versus requiring TomatoUSB.

    @malitiacurt, you really think it's easier to generate the certificates on a computer versus the OpenVPN server itself, in this case the router?
  13. philess

    philess Networkin' Nut Member

    As Malitiacurt said, such things would require you being in the same subnet, thus using TAP instead of TUN.

    You can take a look at mDNSresponder, search for it here on the forum. It could help accessing the shared iTunes library from a different subnet. Same with using Airplay etc.

    I personally just install the Logitechmediaserver on the computer with the iTunes library (Win or Mac), add the library to it and then I can access it through the Webinterface or different Apps, regardless if same subnet or not.

    Generating the certificates on a computer rather than the router makes no real difference. It's just that the computer is obviously faster when creating the keys... But in total, makes no difference. And I don't think it's really easier. Just once you have your keys, make a good backup of them so you don't have to do it all over again when you flash a new firmware on the router etc. I personally like the Howtogeek tutorial too.
  14. PGalati

    PGalati Network Guru Member

    Update. I now have all the needed certs generated and the client and server from an authentication standpoint are communicating. I am having trouble accessing content from the server side though. Here is what I can and cannot see:

    Client router is at work and Server router is at home, both are running Shibby VPN 108 K24 on WRT54GLs. Client computers on either side of the VPN can access the internet without trouble.

    MacBook running Airport Utility on client side CAN manage Airport Expresses located on server side. iTunes CAN see Airport Expresses as eligible Airplay devices, but when I select an Airplay device, it fails to connect after about 15 seconds indicating there is a network error.

    MacBook running iTunes on client side can see HomeShare iTunes on Server side and see its library contents. iTunes is currently pulling down Movie Poster artwork. An iPhone on the client side errors trying to connect to the same Homeshare located on the server side.

    MacBook on client side cannot ping any known devices located on server side. MacBook on client side cannot connect to Mac Mini located on server side using afp://

    MacBook on client CAN see and add Airprint Bonjour advertised printer located on server side.

    Will post configs soon. Anything obvious in the meantime?
  15. philess

    philess Networkin' Nut Member

    I suppose you have enabled "Push LAN to Clients" on the OpenVPN server? Try manually adding a route in the LAN Access menu, from the MacBook client to the Mac Mini in the other network and back. How are all your IP ranges set up?
  16. PGalati

    PGalati Network Guru Member

    Attached are the screen shots that I believe are relevant to this discussion.

    I am unable to do any LAN Access modifications because I only have 1 active interface on the client router, br0. The router tells me it needs 2 interfaces for it to work.

    Push LAN to Clients I believe is active probably under a different name
    Client Router DHCP - -
    Server DHCP - -

    MacBook on client side can stream music from iTunes Sharing on server side but iPhone times out. Not sure what the difference would be between the two.


  17. philess

    philess Networkin' Nut Member

    Hmm, looks ok to me so far. Your WebUI looks a bit different than mine though. Can you please post the contents of your server's openvpn config that is in use? "/etc/openvpn/server1/config.ovpn" should do, maybe a bit different path. It should show the config that is generated by the WebUI with your custom config appended below. Same for the client then.
  18. PGalati

    PGalati Network Guru Member

    Unfortunately I am not sure how to obtain that info from the router. Researching that now. Will post when I can gather that data.
  19. PGalati

    PGalati Network Guru Member

    Well, apparently I can't seem to get the syntax correct for the system command screen or telnet to cat the config.ovpn files. Am I right that in Shibby they are located in the /usr/sbin/openvpn/ directory? Truth be told, I am not a very good command line operator.

    It seems that I am not able to achieve a completely functional same subnet tap vpn connection via the gui, only partial, which seems odd to me. The computer running iTunes on the client side can see and stream music and videos from the home share iTunes located on the server side. I can also manage from the client side the 2 airport express devices that are located on the server side of the vpn via the airport utility. For whatever reason the iphone connected to the same client router cannot stream. The progress wheel loads halfway and times out. I cannot ping anything from the client side to the server side or vice versa.

    I have tried a multitude of different configuration choices to try and find the right combo. I assume I should expect the clients on the client side to obtain a local DHCP address, 10.0.0.x in this case, while the server side is 10.0.1.x. Interestingly enough, I could have sworn at one point I made a change to the config, renewed the DHCP lease, and obtained a 10.0.1.x address despite being on the client side of the vpn. It seemed that at that point, I was no longer able to communicate with the client router. I had to power cycle the router with the WAN port disconnected so the client would not make a connection to the server and inherit whatever config that caused it to behave that way. Unfortunately I did not document what that config looked like.

    Still plugging away.
  20. Bird333

    Bird333 Network Guru Member

    Just thinking out loud here, but isn't it necessary to have server and client running on both routers? Maybe you mentioned it and I just missed it.
  21. PGalati

    PGalati Network Guru Member

    All of the directions and howto's that I have read mention nothing about repeating the process in reverse. The main router only runs the server module and the roamer router only runs the client module. If you were to create a larger 3+ vpn network then there may be a situation where the router is playing server to a client and being a client to another server in the chain.

    If that is the case, then how would the home router be able to connect as a client back to the roamer server if the IP address is not immediately known or if a double NAT takes place and port 1194 is not open?
  22. philess

    philess Networkin' Nut Member

  23. Bird333

    Bird333 Network Guru Member

    Well how does the 'server' router's clients connect to the 'client' router? It seems there would only be a 'one-way street' so to speak.
  24. philess

    philess Networkin' Nut Member

    Client-Server connection works both ways, routing. And that's why you should/must have different subnets on both sides. Not using 192.168.1.x on both sides.
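As an added illustration of the point made in the two posts above (different subnets on each side, and the server needing the client's common name and subnet before it can route back into the client LAN), here is a minimal routed TUN site-to-site pair. This is constructed example configuration, not anything generated by Tomato or posted by the thread participants; the tunnel range 10.8.0.0/24, the client common name `roamer`, the server hostname `home.example.net` and the certificate file names are assumptions. The LAN ranges follow the thread: 10.0.1.0/24 at home (server) and 10.0.0.0/24 at the roaming (client) site.

```conf
# --- Server router (home, LAN 10.0.1.0/24) ---
# Constructed example; in Tomato most of these lines correspond to fields on the
# VPN Server "Basic"/"Advanced" tabs, the rest go in the custom configuration box.
port 1194
proto udp
dev tun21
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Tunnel address pool (assumed); the server takes 10.8.0.1, clients get 10.8.0.x
server 10.8.0.0 255.255.255.0
keepalive 15 60
# Same effect as "Push LAN to clients": tells the client how to reach the home LAN
push "route 10.0.1.0 255.255.255.0"
# Return path: kernel route for the client's LAN via the tunnel ...
route 10.0.0.0 255.255.255.0
# ... plus a per-client directory so OpenVPN knows WHICH client owns that LAN
client-config-dir ccd

# --- Server: file ccd/roamer (file name must equal the client cert's common name) ---
# iroute is OpenVPN-internal routing; without it, packets for 10.0.0.0/24 reach
# the tun interface but the daemon does not know which client to hand them to.
iroute 10.0.0.0 255.255.255.0

# --- Client router (roaming site, LAN 10.0.0.0/24) ---
# The client needs no public IP and no open port: it dials out to the server.
client
dev tun11
proto udp
remote home.example.net 1194
# Keep retrying when the client moves between networks and its address changes
resolv-retry infinite
nobind
ca ca.crt
cert roamer.crt
key roamer.key
keepalive 15 60
```

Two things this pair shows that the posts only hint at: the client never needs an inbound port, so NAT or a changing public address on the roaming side does not matter; and both `route` (kernel) and `iroute` (OpenVPN) are needed on the server before hosts at home can reach the roaming LAN. Bridged same-subnet setups (TAP) drop all of the routing lines and instead bridge the tap interface into br0 on both routers, which is the option philess and Malitiacurt refer to for same-subnet services like iTunes sharing.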
  25. PGalati

    PGalati Network Guru Member

    Update: I am not sure if this is expected behavior or not. I was able to create a config using only the Basic and Advanced tabs of the VPN Server and Client screens that somehow caused the laptop located on the client side to obtain a DHCP address from the Server's DHCP pool. After obtaining that, I was then able to stream music and videos from both the laptop and the iphone from an iTunes share. However, even though I obtained an IP address from the server's DHCP server, I did not obtain a router address or DNS. Because of that, I was not able to access the internet or the client side router's GUI since it was on a different subnet. I believe that I had to force the laptop to take on a static address which allowed me to enter a router address and DNS manually. I am not sure if that allowed me to gain access to the internet though.

    Is it possible I would run into similar difficulties if I attempted to use the PPTP server and client? I don't anticipate this being an always on solution but would like to be secure if possible. Is PPTP vulnerable enough to not recommend?

  26. evilsabc

    evilsabc Reformed Router Member

    Anyone have an idea why I can ping certain hosts from the server side but not every host, and I can't ping any host on the client side... My setup uses TUN; my server IP is and my client IP is . The connection is made and the routes seem ok, but I can't understand what's wrong ....

    Here is the route from client site * 0 tun11 * 0 vlan2 (WAN) 0 tun11 * 0 br0 (LAN) * 0 vlan2 (WAN) 0 tun11 * 0 lo
    default 0 vlan2 (WAN)

    And here is the route from the server side

    Destination Gateway / Next Hop Subnet Mask Metric Interface * 0 vlan2 (WAN) * 0 tun21 * 0 vlan2 (WAN) * 0 br0 (LAN) 0 tun21 0 tun21 * 0 lo
    default 0 vlan2 (WAN)

    Thanks for your help