
More than 3 VPN tunnels with full routing between server and client networks

Discussion in 'Tomato Firmware' started by tenskwatawa, Aug 15, 2011.

  1. tenskwatawa

    tenskwatawa Networkin' Nut Member

    Hello,
    I have a question regarding VPN and several tunnels configured on it. My router is an Asus RT-N16.
    On it I have set up a VPN server on UDP TUN with "Allow Only These Clients" enabled, and below it I have listed the Common Names of the client networks to which the server should route. All routing works nicely, including internal routing: I have access to the clients from the server network and from the client networks to the server network. However, the problem comes when I want to add client number four.
    The configuration is stored nicely in the ccd folder, but the server no longer starts. When I try to start it, in the log I see
    user.info kernel: device tun21 entered promiscuous mode

    If I simply remove the fourth client, everything works again.
    I would be grateful for any tips. I want to have more than 3 VPN tunnels with full routing between all networks.
    Best regards
    tenskwatawa
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Is that all you see in the logs when you try to start up the server? Or were there other messages as well?

    With all four setup, what does the "bytes used, bytes free" part of "nvram show" (run from telnet/ssh) say?

    When you upgraded to your current version of firmware, did you do a (thorough) nvram erase?
     
  3. tenskwatawa

    tenskwatawa Networkin' Nut Member

    No, only this one:
    Aug 16 08:35:15 TecumsehRoot user.info kernel: device tun21 entered promiscuous mode

    5181 bytes used, 7587 bytes free.

    Yes
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you run the following from an ssh/telnet shell and try again (no reboot between running the command and starting the server)?
    Code:
    nvram set vpn_debug=2
     
  5. tenskwatawa

    tenskwatawa Networkin' Nut Member

    My procedure and logs:

    1. Stopped VPN Server, added fourth client, started VPN Server, logs:

    Code:
    Aug 17 09:25:49 TecumsehRoot user.info init[1]: VPN_LOG_INFO: 487: VPN GUI server backend starting...
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 577: Writing config file
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 670: CCD: enabled: 1
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 681: CCD: Common name: BRBHome
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 693: CCD: Route: 192.168.2.0 255.255.255.0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 708: CCD: Push: 0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 716: CCD leftover: 0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 670: CCD: enabled: 1
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 681: CCD: Common name: Aquila
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 693: CCD: Route: 192.168.10.0 255.255.255.0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 708: CCD: Push: 0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 716: CCD leftover: 0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 670: CCD: enabled: 1
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 681: CCD: Common name: BRB
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 693: CCD: Route: 192.168.4.0 255.255.255.0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 708: CCD: Push: 0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 716: CCD leftover: 0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 670: CCD: enabled: 1
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 681: CCD: Common name: KaliszHome
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 693: CCD: Route: 192.168.6.0 255.255.255.0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 708: CCD: Push: 0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 716: CCD leftover: 0
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 721: CCD processing complete
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 778: Done writing config file
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 781: Writing certs/keys
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 842: Done writing certs/keys
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_INFO: 845: Starting OpenVPN: /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 853: Done starting openvpn
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 860: Creating firewall rules
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 883: Done creating firewall rules
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 886: Running firewall rules
    Aug 17 09:25:50 TecumsehRoot user.info kernel: device tun21 entered promiscuous mode
    Aug 17 09:25:50 TecumsehRoot daemon.err miniupnpd[703]: addnatrule() : iptc_commit() error : Resource temporarily unavailable
    Aug 17 09:25:50 TecumsehRoot daemon.err miniupnpd[703]: Failed to add NAT-PMP 5881 udp->192.168.0.12:5881 'NAT-PMP 1276769'
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 891: Done running firewall rules
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 898: Adding cron job
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 907: Done adding cron job
    Aug 17 09:25:50 TecumsehRoot user.info init[1]: VPN_LOG_INFO: 910: VPN GUI server backend complete.
    
    2. After that I disabled the "Enable NAT-PMP" option and repeated everything from point 1. Logs:

    Code:
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_INFO: 487: VPN GUI server backend starting...
    Aug 17 09:38:46 TecumsehRoot user.info kernel: device tun21 entered promiscuous mode
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 577: Writing config file
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 670: CCD: enabled: 1
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 681: CCD: Common name: BRBHome
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 693: CCD: Route: 192.168.2.0 255.255.255.0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 708: CCD: Push: 0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 716: CCD leftover: 0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 670: CCD: enabled: 1
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 681: CCD: Common name: Aquila
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 693: CCD: Route: 192.168.10.0 255.255.255.0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 708: CCD: Push: 0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 716: CCD leftover: 0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 670: CCD: enabled: 1
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 681: CCD: Common name: BRB
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 693: CCD: Route: 192.168.4.0 255.255.255.0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 708: CCD: Push: 0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 716: CCD leftover: 0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 670: CCD: enabled: 1
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 681: CCD: Common name: KaliszHome
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 693: CCD: Route: 192.168.6.0 255.255.255.0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 708: CCD: Push: 0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 716: CCD leftover: 0
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 721: CCD processing complete
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 778: Done writing config file
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 781: Writing certs/keys
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 842: Done writing certs/keys
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_INFO: 845: Starting OpenVPN: /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 853: Done starting openvpn
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 860: Creating firewall rules
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 883: Done creating firewall rules
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 886: Running firewall rules
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 891: Done running firewall rules
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 898: Adding cron job
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_EXTRA: 907: Done adding cron job
    Aug 17 09:38:46 TecumsehRoot user.info init[1]: VPN_LOG_INFO: 910: VPN GUI server backend complete.
    But the VPN server doesn't work.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting. It looks like my code is running clear through to completion, including being told by the system that OpenVPN started successfully, but OpenVPN is never actually started.

    I know it's not what you want to hear, but the only things I can think of are NVRAM full (you've already pretty much ruled that out), memory full, or NVRAM corruption. If you could check on the free memory (you could run "free" after "starting" the server to see), then all I have left is to do another thorough NVRAM wipe and set it up again (no restore).
     
  7. tenskwatawa

    tenskwatawa Networkin' Nut Member

    OK! Thank you very much for your help and good work!
    I will try clearing NVRAM and will configure my router from the beginning.
    br
    Piotr
     
  8. tenskwatawa

    tenskwatawa Networkin' Nut Member

    Hi again,
    I have tested again during the weekend the configuration of more than 3 VPN tunnels with full routing between server and client networks.
    I made a backup of my router and after that I chose to clear NVRAM.
    After the restart I re-configured all of my VPN tunnels and I had the same issue: three clients work but no more than three.
    I have even tested other firmware on my Asus RT-N16 (dual WAN build 534), with the same problem.
    br
    Piotr
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What if you just uncheck the "Enabled" checkbox next to the fourth entry? Still have the problem, or does that make it work (for the other 3)?
     
  10. tenskwatawa

    tenskwatawa Networkin' Nut Member

    No, even with the "Enabled" checkbox unchecked, the same issue.
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Took a look back at the code, and it only works if the ccd_val nvram variable (which stores the client-specific options for all the entries) is less than 128 characters long. You're probably going over that limit. To fix it, the 128 number would have to be increased, or that section of code would need to be completely reworked to remove the limitation altogether (wouldn't be terribly hard). I never liked that code anyway, so I'm leaning toward the latter.

    The only way to get this working for you will be compiling the firmware with a fix in it. The quickest way to get that would be to download and compile the sources yourself (changing the "#define BUF_SIZE 128" to "#define BUF_SIZE 256" in release/src/router/rc/vpn.c). If that isn't feasible, shoot me an email at tomatovpn@keithmoyer.com; I can spin a build for you sometime (no guarantee on timeliness, but I'd try to fit it in sooner than later).

    Sorry this limitation has been causing you this headache, and that I didn't recognize what was causing it sooner. :(
     
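The limitation described in the last post, shown as an added example (this is not Tomato's vpn.c and not SgtPepperKSU's code). It stages the ccd_val nvram string in a 128-byte array the way the post describes and then parses the same string in place with per-field bounds instead of a whole-value limit. The record format `enabled<cn<subnet<netmask<push>` is an assumption reconstructed from the fields the debug log prints (enabled, Common name, Route, Push); the sample values are constructed from the four Common Names and routes in the log above, and the real nvram encoding may differ. Under that assumed format the three working clients total 110 bytes and the fourth pushes the string to 151, which is why entry number four, even when disabled, breaks the start (consistent with post 10: a disabled entry is still present in the string).

```c
/* Added example, not Tomato firmware code. Demonstrates a fixed BUF_SIZE
 * staging copy of an nvram value rejecting a four-entry ccd_val, versus a
 * bounded in-place parser that only limits each field.
 * ASSUMPTION: record format "enabled<cn<subnet<netmask<push>" per client;
 * the real vpn.c encoding may differ. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  128   /* the limit named in the thread */
#define MAX_CCD   16
#define FIELD_MAX 32

struct ccd_entry {
    int  enabled;
    char cn[FIELD_MAX];
    char subnet[FIELD_MAX];
    char netmask[FIELD_MAX];
    int  push;
};

/* Constructed sample values using the CNs and routes from the log above. */
static const char THREE_CLIENTS[] =
    "1<BRBHome<192.168.2.0<255.255.255.0<0>"
    "1<Aquila<192.168.10.0<255.255.255.0<0>"
    "1<BRB<192.168.4.0<255.255.255.0<0>";
static const char FOUR_CLIENTS[] =
    "1<BRBHome<192.168.2.0<255.255.255.0<0>"
    "1<Aquila<192.168.10.0<255.255.255.0<0>"
    "1<BRB<192.168.4.0<255.255.255.0<0>"
    "1<KaliszHome<192.168.6.0<255.255.255.0<0>";

/* Scratch output used by main() and by callers that want the parsed rows. */
struct ccd_entry parsed[MAX_CCD];

/* Copy one delim-terminated field into dst with a bound. Returns the pointer
 * past the delimiter, or NULL if the field is missing, empty or too long. */
static const char *take_field(const char *p, char delim, char *dst, size_t dstlen)
{
    const char *end = strchr(p, delim);
    if (end == NULL || end == p || (size_t)(end - p) >= dstlen)
        return NULL;
    memcpy(dst, p, (size_t)(end - p));
    dst[end - p] = '\0';
    return end + 1;
}

/* Parse straight from the nvram value: no intermediate buffer, so the total
 * length of ccd_val is irrelevant; only per-field and per-entry limits apply.
 * Returns the number of entries, or -1 on a malformed value or overflow. */
int parse_ccd(const char *val, struct ccd_entry *out, int max)
{
    int n = 0;
    char num[FIELD_MAX];
    const char *p = val;
    while (*p != '\0') {
        if (n >= max) return -1;
        struct ccd_entry *e = &out[n];
        if ((p = take_field(p, '<', num, sizeof num)) == NULL) return -1;
        e->enabled = (num[0] == '1');
        if ((p = take_field(p, '<', e->cn, sizeof e->cn)) == NULL) return -1;
        if ((p = take_field(p, '<', e->subnet, sizeof e->subnet)) == NULL) return -1;
        if ((p = take_field(p, '<', e->netmask, sizeof e->netmask)) == NULL) return -1;
        if ((p = take_field(p, '>', num, sizeof num)) == NULL) return -1;
        e->push = (num[0] == '1');
        n++;
    }
    return n;
}

/* The pattern that bites in the thread: stage the whole value in a BUF_SIZE
 * array first. Rejecting oversize input (instead of strcpy'ing it) keeps the
 * copy memory-safe, but it is still why the fourth client never starts. */
int parse_ccd_fixed(const char *val, struct ccd_entry *out, int max)
{
    char buf[BUF_SIZE];
    if (strlen(val) >= sizeof buf)   /* 151 bytes for four clients: rejected */
        return -1;
    strcpy(buf, val);
    return parse_ccd(buf, out, max);
}

int main(void)
{
    printf("3 clients: %zu bytes, fixed=%d bounded=%d\n", strlen(THREE_CLIENTS),
           parse_ccd_fixed(THREE_CLIENTS, parsed, MAX_CCD),
           parse_ccd(THREE_CLIENTS, parsed, MAX_CCD));
    printf("4 clients: %zu bytes, fixed=%d bounded=%d\n", strlen(FOUR_CLIENTS),
           parse_ccd_fixed(FOUR_CLIENTS, parsed, MAX_CCD),
           parse_ccd(FOUR_CLIENTS, parsed, MAX_CCD));
    return 0;
}
```

Before rebuilding firmware, the quick check on the router is the length of the stored value itself: `nvram get vpn_server1_ccd_val | wc -c` from the telnet/ssh shell (the `vpn_server1_` prefix on the variable name is an assumption; the thread only names it ccd_val). A count at or above 128 reproduces the condition the post describes, and shortening Common Names is a stopgap that works without recompiling, since the limit is on the total encoded length rather than on the number of clients.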
