
Looking for Site to Site VPN Tutorial or some help - Tomato VPN

Discussion in 'Tomato Firmware' started by graymen2, Mar 4, 2010.

  1. graymen2

    graymen2 Addicted to LI Member

    Hello,

    I am looking for a site to site vpn tutorial using the Tomato VPN build. I've googled around and searched this forum but haven't been able to find a simple tutorial. Plenty of tutorials on client to site, but nothing easy to follow and specific to the Tomato VPN gui.

    My setup is fairly basic. I got two Tomato VPN routers, one at my house and another at my brother's. I would like to connect the two networks together. I am using 192.168.100.x and he is using 192.168.1.x. Would love to be able to route traffic between the two networks so that we can hit each other's file shares seamlessly. We are both using dynamic dns.

    I assume one of us needs to be the client and the other the server. So I went ahead and configured his router as the server.

    So his VPN server configuration is:
    Start with WAN (Checked) - I have no idea what this means
    Interface Type = TUN
    Protocol = UDP
    Port = 1195
    Firewall = Automatic
    Authorization Key = Static Key
    Local/remote endpoint addresses = 10.8.0.1/10.8.0.2

    Regarding the static key, I shouldn't have to put anything in the "Keys" tab correct? The VPN Server would use the static.key file generated in the /etc/openvpn folder correct?

    On my side, I set up the client as follows:
    Start with WAN (Checked)
    Interface Type = TUN
    Protocol = UDP
    Server Address Port = DYNDNS:1195
    Firewall = Automatic
    Authorization Key = Static Key
    Create NAT on Tunnel = Not checked (I don't want out traffic NATed)
    Local/remote endpoint addresses = 10.8.0.2/10.8.0.1
    Under the "Keys" Tab, I cut/pasted in the content of the static.key file found on his router under /etc/openvpn/server1.

    I believe the tunnel is working. From my router using the Tools->Ping I am able to ping the vpn tunnel end point addresses (10.8.0.1/10.8.0.2). The ping also returns from his router. So I think I am close.

    What doesn't work is the routing. I can't ping his router's IP Address (192.168.1.1). I tried setting up the static route under Advanced->Routing, but wasn't sure what to put for the gateway. Also the Interface dropdown only allows me to pick LAN or WAN, and I am thinking I need to pick the tunnel interface (tun11).

    Any help is greatly appreciated.

    EDIT - I just realized from reading the DD-WRT site to site VPN wiki that it's normal that I can't ping his router. It is set up not to respond! Duh. I still can't ping the other devices. So I still need some help setting up the route using the correct interface (not WAN/LAN)
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That means the VPN server will automatically start whenever his internet connection is active. Otherwise, you'd have to start it manually in the GUI each time.
    ??? There shouldn't be any static.key file "generated". You should have to enter keys in both routers (for static key mode, they would need to be the same).
    If you stick with Static key mode, you can add the routes in the Custom Configuration section of the client and server. HOWEVER, the far easier way would be to use TLS instead of static key. Once you generate the certificates and keys (see the howto link in the GUI on the keys tab), the proper routes are automatically sent from the server to the client. To be able to remove the NAT option on the client, you just need to fill in the Client-specific options table on the server. See here.
     
  3. graymen2

    graymen2 Addicted to LI Member

    Thanks for the reply.

    Sorry about the confusion on the static.key file being "generated". The static.key file is created from what is cut/paste into the "keys" tab. I generated the key from my workstation and pasted it into the keys tab and got confused (the content of the static.keys file in the /etc/openvpn/server1 is the same as what is in the keys tab.)

    I tried adding the route command in the Custom Configuration section, but got a strange error message in the logs.

    What I have in the Custom Config - "route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.1"

    What I saw in the logs:

    RESOLVE: Cannot resolve host address: add: [HOST_NOT_FOUND] The specified host is unknown.
    OpenVPN ROUTE: failed to parse/resolve route for host/network: add

    Strange because if I run the command via the command line via ssh, it runs fine and the route is added properly even with the correct tunnel interface.

    Thanks for the recommendation on TLS versus static key. I'll read up on it and will give it a try tomorrow. Thanks again


     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I still recommend you go with TLS, but if you stick with static-key, you got the errors because the route commands are not the same as you would use at the shell. See the OpenVPN manpage for syntax (search for --route). In short, the custom config entry should just be:
    route 192.168.1.0 255.255.255.0
    and you'll need to put a route in the other router as well.
    That is, of course, unless you go with TLS, where you won't need any custom config at all.
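    Both ends of the static-key tunnel this thread describes, written out as plain OpenVPN configuration so the two sides can be read together. This is an added example, not the poster's config or what Tomato generates; Tomato builds the dev/proto/port/secret/ifconfig lines from the GUI fields, so only the `route` line belongs in each router's Custom Configuration box. The dynamic DNS hostname is a placeholder.

    ```conf
    # --- Server end: brother's router, LAN 192.168.1.0/24 ---
    dev tun
    proto udp
    port 1195
    secret static.key            # same shared key pasted into the Keys tab on both routers
    ifconfig 10.8.0.1 10.8.0.2   # local / remote tunnel endpoint addresses
    # Custom Configuration on the server: the client's LAN lies beyond 10.8.0.2
    route 192.168.100.0 255.255.255.0

    # --- Client end: poster's router, LAN 192.168.100.0/24 ---
    dev tun
    proto udp
    remote BROTHER-DDNS-HOSTNAME.example 1195   # placeholder for the DynDNS name
    secret static.key
    ifconfig 10.8.0.2 10.8.0.1
    # Custom Configuration on the client: the server's LAN lies beyond 10.8.0.1
    route 192.168.1.0 255.255.255.0
    # Not "route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.1":
    # OpenVPN's --route takes <network> <netmask> [gateway], so the shell
    # form makes it treat "add" as a hostname, which is the RESOLVE error
    # quoted above. With a point-to-point tun ifconfig, the gateway defaults
    # to the remote endpoint, so it can be left off.
    ```

    With different LAN subnets on each side, as here, no NAT on the tunnel is needed and hosts on either LAN can be reached by their real addresses once both routes are in place.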
     
  5. graymen2

    graymen2 Addicted to LI Member

    Thank you for the correct route command. That did it. I still plan on looking into TLS though.

    A couple of additional questions...

    Is the tunnel connection maintained? Or does it close and come back up depending on whether there is traffic?

    Are there any advantages/disadvantages to which end should be the client versus the server?

    What's a recommended solution for getting name resolution to work across the vpn tunnel?

    Thanks again
     
