
Make router VPN gateway

Discussion in 'Tomato Firmware' started by animorph, Mar 20, 2009.

  1. animorph

    animorph Addicted to LI Member

    I've been trying to figure out how to make my tomato router work as a vpn gateway for a few days now with no luck. I want to be able to connect to the router while I'm away, and surf the internet through it. I don't need to access anything on my network.

    The only thing I was able to do was setup a vpn tunnel server on my desktop with a proxy server (Apache) running on it. Is there any way to get openvpn configured on my router, so that I don't have to use this setup? The VPN would connect fine, but nothing would happen when I tried browsing the internet. All the traffic was being sent through the proxy, and I saw that when I typed a URL, it would get translated into the real address through the proxy server (using TCPview), but nothing would happen after that.

    Thanks for your help
     
  2. bigclaw

    bigclaw Network Guru Member

    Look up redirect-gateway. You either specify it in your client config or push it through your server config.

    If all you want to do is surf the web through your home Internet connection while on the road, VPN is overkill. You can enable the SSH server on your router and create a dynamic SSH tunnel locally as a proxy that your browsers can use.

    I do so with Firefox, the FoxyProxy plugin (to make switching back and forth really easy), and PuTTY.
     
  3. animorph

    animorph Addicted to LI Member

    Will my DNS queries be sent through the SSH proxy if I set it up this way?


    I already have that command active, here is my router configuration:

    tls-server
    push "redirect-gateway"
    persist-key
    persist-tun
    fragment 1500
    key-method 2
    auth SHA1
    user nobody
    group nobody
    mute 20

    Thank you
     
  4. bigclaw

    bigclaw Network Guru Member

    DNS queries are often resolved locally even if you use a proxy or VPN connection. If you are using Firefox, it at least allows you to configure it. Type "about:config" without quotes in the address bar, and the setting you need to change is network.proxy.socks_remote_dns. Flip it to true.
     
  5. animorph

    animorph Addicted to LI Member

    My DNS queries are resolved over at the VPN gateway with my current setup, that is why I used the redirect-gateway option. I was monitoring all my connections with TCPview to make sure of it.
     
  6. jza80

    jza80 Network Guru Member

    Tomato with OpenVPN mod:

    http://www.linksysinfo.org/forums/showthread.php?t=59416

    Most things that use TCP can be tunneled over SSH. I don't know about UDP though.

    DNS uses UDP port 53.


    As for redirect-gateway in OpenVPN, you may also need route-gateway x.x.x.x, where x.x.x.x = IP address of your router.

    I don't use redirect-gateway on the server (router) as I prefer to put it into the client config and have a choice of transparent tunnel or split tunnel. I have 2 client config files, one with redirect-gateway and one without.

    The client side gives an error if I just put in redirect-gateway without a route-gateway x.x.x.x.
     
  7. animorph

    animorph Addicted to LI Member

    Thanks for the suggestion jza80, but it isn't working with route-gateway... I already have the vpn version of tomato, it's great.

    The tomato firewall must be blocking something... or there is something wrong with the routes, because I have the same config on my desktop, which I can access from the outside with port forwarding on the router. I can connect, but I can't ping... I'm stumped. :wall:

    ... :drinking:
     
  8. jza80

    jza80 Network Guru Member

    Does the client show the routes coming up?

    You should see something like: c:\windows\system32\route add blah blah blah

    Another check you can do is on the client itself after you make the VPN connection. From a command prompt use: netstat -r or route print to see the routing table.


    Hmm...

    I assume that the connection is successful and the virtual adapter on the client has a valid ip address, subnet mask, and gateway (if redirect-gateway is used)?

    I don't know what would be causing ping to not work. You could try running wireshark on both ends (client and server) and see where the pings are failing.
     
  9. animorph

    animorph Addicted to LI Member

    130.x.x.x is the vpn host.
    10.28.81.0 is the VPN subnet.
    192.168.17.0 is the subnet of my home network.
    The address of the network my laptop is on will depend where I go (office, coffee shop etc).


    I hope this helps: my openvpn client log:

    Sat Mar 21 09:24:53 2009 OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008
    Sat Mar 21 09:24:53 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Mar 21 09:24:54 2009 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sat Mar 21 09:24:54 2009 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
    Sat Mar 21 09:24:54 2009 Local Options hash (VER=V4): '3514370b'
    Sat Mar 21 09:24:54 2009 Expected Remote Options hash (VER=V4): '239669a8'
    Sat Mar 21 09:24:54 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Sat Mar 21 09:24:54 2009 UDPv4 link local: [undef]
    Sat Mar 21 09:24:54 2009 UDPv4 link remote: 130.x.x.x:1194
    Sat Mar 21 09:24:54 2009 TLS: Initial packet from 130.x.x.x::1194, sid=4305e47a af266571
    Sat Mar 21 09:24:55 2009 VERIFY OK: depth=1, /C=CA/ST=CA/L=CA/O=none/CN=vpn-ca/emailAddress=mail@host.domain
    Sat Mar 21 09:24:55 2009 VERIFY OK: nsCertType=SERVER
    Sat Mar 21 09:24:55 2009 VERIFY OK: depth=0, /C=CA/ST=CA/O=none/CN=WRT54GL/emailAddress=mail@host.domain
    Sat Mar 21 09:24:57 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Mar 21 09:24:57 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Mar 21 09:24:57 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Mar 21 09:24:57 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Mar 21 09:24:57 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Sat Mar 21 09:24:57 2009 [WRT54GL] Peer Connection Initiated with 130.x.x.x:1194
    Sat Mar 21 09:24:58 2009 SENT CONTROL [WRT54GL]: 'PUSH_REQUEST' (status=1)
    Sat Mar 21 09:24:58 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.17.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.28.81.1,dhcp-option WINS 10.28.81.1,route-gateway 10.28.81.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.28.81.2 255.255.255.0'
    Sat Mar 21 09:24:58 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Mar 21 09:24:58 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Mar 21 09:24:58 2009 OPTIONS IMPORT: route options modified
    Sat Mar 21 09:24:58 2009 OPTIONS IMPORT: route-related options modified
    Sat Mar 21 09:24:58 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Mar 21 09:24:58 2009 ROUTE default_gateway=192.168.1.1
    Sat Mar 21 09:24:58 2009 TAP-WIN32 device [openvpn] opened: \\.\Global\{975D6663-0316-4384-A2D5-591D9E8EA565}.tap
    Sat Mar 21 09:24:58 2009 TAP-Win32 Driver Version 9.4
    Sat Mar 21 09:24:58 2009 TAP-Win32 MTU=1500
    Sat Mar 21 09:24:58 2009 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.28.81.0/10.28.81.2/255.255.255.0 [SUCCEEDED]
    Sat Mar 21 09:24:58 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.28.81.2/255.255.255.0 on interface {975D6663-0316-4384-A2D5-591D9E8EA565} [DHCP-serv: 10.28.81.254, lease-time: 31536000]
    Sat Mar 21 09:24:58 2009 Successful ARP Flush on interface [4] {975D6663-0316-4384-A2D5-591D9E8EA565}
    Sat Mar 21 09:25:03 2009 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
    Sat Mar 21 09:25:03 2009 C:\WINDOWS\system32\route.exe ADD 130.x.x.x MASK 255.255.255.255 192.168.1.1
    Sat Mar 21 09:25:03 2009 Route addition via IPAPI succeeded [adaptive]
    Sat Mar 21 09:25:03 2009 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 192.168.1.1
    Sat Mar 21 09:25:03 2009 Route deletion via IPAPI succeeded [adaptive]
    Sat Mar 21 09:25:03 2009 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.28.81.1
    Sat Mar 21 09:25:03 2009 Route addition via IPAPI succeeded [adaptive]
    Sat Mar 21 09:25:03 2009 C:\WINDOWS\system32\route.exe ADD 192.168.17.0 MASK 255.255.255.0 10.28.81.1
    Sat Mar 21 09:25:03 2009 Route addition via IPAPI succeeded [adaptive]
    Sat Mar 21 09:25:03 2009 Initialization Sequence Completed

    My current router config (firewall rules set to automatic, hmac disabled because it doesn't work):

    tls-server
    topology subnet
    server 10.28.81.0 255.255.255.0
    push redirect-gateway
    push "dhcp-option DNS 10.28.81.1"
    push "dhcp-option WINS 10.28.81.1"
    proto udp
    key-method 2
    comp-lzo
    keepalive 15 120
    verb 3
    fragment 1500
    persist-key
    persist-tun
    auth SHA1

    client config:

    dev tun
    dev-node openvpn
    remote 130.x.x.x 1194
    proto udp
    tls-client
    keepalive 15 120
    verb 3
    status openvpn-status.log
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    key-method 2
    auth SHA1
    pull
    nobind

    I am not sure what to look for in the routing table. The VPN subnet IPs come up, along with the subnet for my network. I tried the VPN configuration with few options, and with all the options in these configurations, with no success. I really think it is a problem with routing or a missing rule the tomato firewall has not added.
     
  10. animorph

    animorph Addicted to LI Member

    Wait, there is one thing I don't have on my router configuration that I have on my desktop. I set up my server to run in unprivileged mode like it says here: http://openvpn.net/index.php/documentation/howto.html#security. You can go to the section "Unprivileged mode (Linux only)". Would this make a difference to make it work? I mean, this is only an extra feature.
     
  11. jza80

    jza80 Network Guru Member

    From what I see in the client log, the routes look good. Although I do see some things that are questionable.

    1. ROUTE default_gateway=192.168.1.1

    You don't have 192.168.1.x anywhere on your network.

    The line below shows that it doesn't matter as there is no route (delete) to 192.168.1.1 from any/any.

    C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 192.168.1.1


    2. C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.28.81.1

    any/any to gateway of VPN subnet


    3. C:\WINDOWS\system32\route.exe ADD 192.168.17.0 MASK 255.255.255.0 10.28.81.1

    Destination = LAN subnet. Gateway = gateway of VPN subnet


    # 2 and 3 are okay, but # 1 is questionable.

    In a previous post you said ping does not work, is that with this setup? Are you able to access anything on the 192.168.17.0 sub from the client?


    I've never used a TUN setup. I use TAP and the client gets an IP address on the same subnet as my LAN.
     
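    The route check jza80 walks through above, as an added example that is not part of the thread: it parses the PUSH_REPLY and route.exe lines from the quoted client log and confirms that the default route was replaced by the route-gateway the server pushed, that the VPN server keeps a host route via the old gateway, and that every pushed LAN route points at the tunnel gateway. The log excerpt is constructed from the lines in post 9 (130.x.x.x kept as the poster's placeholder).

```python
import re

# Constructed excerpt of the OpenVPN 2.1 client log quoted in post 9.
LOG = r"""
PUSH: Received control message: 'PUSH_REPLY,route 192.168.17.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.28.81.1,route-gateway 10.28.81.1,topology subnet,ifconfig 10.28.81.2 255.255.255.0'
ROUTE default_gateway=192.168.1.1
C:\WINDOWS\system32\route.exe ADD 130.x.x.x MASK 255.255.255.255 192.168.1.1
C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 192.168.1.1
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.28.81.1
C:\WINDOWS\system32\route.exe ADD 192.168.17.0 MASK 255.255.255.0 10.28.81.1
"""

ROUTE_RE = re.compile(r"route\.exe (ADD|DELETE) (\S+) MASK (\S+) (\S+)")


def parse_push_reply(log):
    """Return the pushed options as (name, argument) pairs; 'route' may repeat."""
    body = re.search(r"PUSH_REPLY,([^']*)'", log).group(1)
    return [tuple(item.partition(" ")[::2]) for item in body.split(",")]


def parse_routes(log):
    """Return every route.exe action as (action, destination, mask, gateway)."""
    return ROUTE_RE.findall(log)


def check_redirect_gateway(log, vpn_server):
    """Verify that redirect-gateway produced the routing table the server pushed."""
    opts = parse_push_reply(log)
    routes = parse_routes(log)
    vpn_gw = dict(opts).get("route-gateway")  # 10.28.81.1 in the quoted log
    old_gw = re.search(r"default_gateway=(\S+)", log).group(1)
    result = {
        # the server actually pushed redirect-gateway
        "redirect_pushed": any(n == "redirect-gateway" for n, _ in opts),
        # host route to the VPN server stays on the physical gateway (no loop)
        "server_host_route": ("ADD", vpn_server, "255.255.255.255", old_gw) in routes,
        # old default route dropped, new default route via the tunnel gateway
        "old_default_removed": ("DELETE", "0.0.0.0", "0.0.0.0", old_gw) in routes,
        "new_default_via_vpn": ("ADD", "0.0.0.0", "0.0.0.0", vpn_gw) in routes,
    }
    # every pushed 'route NET MASK' must also land on the tunnel gateway
    for name, arg in opts:
        if name == "route":
            net, mask = arg.split()
            result["route_" + net] = ("ADD", net, mask, vpn_gw) in routes
    return result


if __name__ == "__main__":
    for name, ok in check_redirect_gateway(LOG, "130.x.x.x").items():
        print(f"{name:22s} {'ok' if ok else 'MISSING'}")
```

    Every check passes on the quoted log, which agrees with jza80's reading that the client routes are fine; what this cannot see is the router side (whether Tomato forwards and NATs traffic from the 10.28.81.0/24 tunnel subnet out the WAN), which is where a capture on both ends, as suggested in post 8, would show the pings stopping.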
  12. animorph

    animorph Addicted to LI Member

    The lan I was on and accessing the internet with was on the 192.168.1.0 subnet, and the router was 192.168.1.1.

    So this was my situation:

    laptop (192.168.1.116) ---> Router (192.168.1.1) -----> Internet ------> My Home router with tomato-vpn (IP addr: 130.x.x.x, Lan subnet 192.168.17.0, VPN subnet 10.28.81.0).

    I tried both tap and tun, and neither works. When I have tap on, I get assigned a LAN IP as well. But I cannot contact anyone on the network, or the VPN host. I don't know if this is right, but the LAN IP address I get with tap does not show when you go to the Tomato Status/Device List page.
     
