
My working Roadwarrior OpenVPN TAP setup and howto

Discussion in 'Tomato Firmware' started by pmason, Jul 4, 2010.

  1. pmason

    pmason Networkin' Nut Member

    I want to share with you my working OpenVPN TAP setup and the steps I took along the way as I learned. I was a total noob four months ago and I know how steep the learning curve is. I hope you can benefit from seeing my configuration.

    This is a host-to-LAN VPN setup. In my case I'm accessing my home LAN from my netbook as I travel. Internet traffic is routed through the VPN.

    I must state my gratitude to SgtPepperKSU (Keith Moyer) for developing TomatoVPN and for his patience as he has personally helped me and many others on these forums. You can donate to him at the above link.

    I tried the configurations and instructions found in this thread: http://www.linksysinfo.org/forums/showthread.php?t=61253 but was not able to make them work. You can read through my problems and solutions in that thread or just read below for the solution.

    I recommend reading the OpenVPN HowTo FIRST.

    You need to download and install OpenVPN from the Downloads Page. Find the install instructions in the OpenVPN HowTo.

    Before I post my configuration screenshots and client.ovpn, you will need to generate your own keys. Just follow the instructions found in the OpenVPN HowTo exactly in order to generate all the necessary keys. It doesn't take long.

    IMPORTANT: One additional step needed is to use the command
    Code:
    openvpn --genkey --secret ta.key
    For the following steps you need to open each of the files with notepad (for windows) and copy and paste the text starting with "-----BEGIN" into the following fields in the "Keys" tab of TomatoVPN:


    ta.key into the "Static Key" field
    ca.crt into the "Certificate Authority" field
    server.crt into the "Server Certificate" field
    server.key into the "Server Key" field
    dh1024.pem into the "Diffie Hellman parameters" field

    Now copy the following keys to a folder on your first client pc:
    ta.key
    ca.crt
    client1.key
    client1.crt

    With the keys loaded on the TomatoVPN server and the client, let's now create our config files.

    Open up notepad in Windows and copy and paste the following text:
    Code:
    dev tap
    proto udp
    dev-node OpenVPN
    remote YOUR.PUBLIC.IP 1194
    tls-client
    keepalive 15 120
    verb 3
    mute-replay-warnings
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    pull
    nobind
    show-net-up
    explicit-exit-notify 3
    comp-lzo
    add your public IP or dyndns.com address in place of "YOUR.PUBLIC.IP". Click "File", then "Save As...", then input "client1.ovpn" (including the quotation marks) in the "File name" field. Select "All Files" in the "Save as type" dropdown box and save the file to the newly created keys folder on your first client.

    Now configure Server1 on TomatoVPN as I have here:


    Click the "Start Now" button.

    If you're interested in seeing the server.ovpn file the TomatoVPN gui generates, here's mine:
    Code:
    daemon
    server-bridge
    proto udp
    port 1194
    dev tap21
    cipher AES-256-CBC
    comp-lzo yes
    keepalive 15 60
    verb 3
    push "dhcp-option DNS 192.168.7.1"
    push "route-gateway 192.168.7.1"
    push "redirect-gateway def1"
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    Then connect to a different network with your client PC and run client1.ovpn. You can right click the file and click "start OpenVPN on this config file" to start it.

    Additional notes:
    1. It's a good idea to choose a less common IP for your TomatoVPN router. Choose something like 192.168.94.1 instead of the common 192.168.1.1
    2. If you're using dyndns on your Tomato router (it's in the Basic tab under DDNS), make sure it's showing "update successful" next to "Last Result" and that the displayed IP is correct.
    3. If your client will access the server through a proxy server that blocks UDP, choose TCP instead and update the client1.ovpn along with Server1.
    4. If you don't want to direct internet traffic through the VPN, uncheck "direct clients to redirect internet traffic".
    5. For more information on the TomatoVPN gui, see SgtPepperKSU's post.

    I'm a newbie, so if I've made errors here please let me know so I can update this post. I just hope I can help someone who is just starting out. If you hit a wall and get errors you don't understand, post up your network setup, client log, client.ovpn, and screenshots of your TomatoVPN VPN tabs.
     
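The "Keys" tab step above is where a first-time setup most often goes wrong: a file pasted into the wrong field, or the human-readable dump that easy-rsa puts above the "-----BEGIN" line pasted along with the block. The following is an added example for this thread, not code from pmason's post, from TomatoVPN or from OpenVPN. It reads each generated file, confirms the PEM label matches the field the post assigns to that file (ta.key must be an OpenVPN static key, server.key a private key, dh1024.pem DH parameters), checks that ta.key has the 16 lines of 32 hex digits that `openvpn --genkey --secret` produces, and returns exactly the block that belongs in the field. All sample file contents are constructed placeholders, not real key material.

```python
"""Checks for the key material pasted into the TomatoVPN "Keys" tab.

Added example for this thread; not code from pmason's post, TomatoVPN or
OpenVPN. Sample file contents are constructed placeholders, not real keys.
"""
import re

# Field in the "Keys" tab each easy-rsa output goes into (field names as in the
# post) and the PEM label(s) that file is expected to carry.
EXPECTED = {
    "ta.key":     ("Static Key",                {"OpenVPN Static key V1"}),
    "ca.crt":     ("Certificate Authority",     {"CERTIFICATE"}),
    "server.crt": ("Server Certificate",        {"CERTIFICATE"}),
    "server.key": ("Server Key",                {"RSA PRIVATE KEY", "PRIVATE KEY"}),
    "dh1024.pem": ("Diffie Hellman parameters", {"DH PARAMETERS"}),
}

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Za-z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

def pem_blocks(text):
    """Return [(label, body, full_block)] for every PEM block in text.

    easy-rsa writes a text dump above the "-----BEGIN" line of each .crt; only
    the block itself belongs in the GUI field, hence "copy from -----BEGIN"."""
    return [(m.group("label"), m.group("body"), m.group(0))
            for m in PEM_BLOCK.finditer(text)]

def static_key_problems(body):
    """openvpn --genkey --secret writes a 2048-bit key as 16 lines of 32 hex digits."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    problems = []
    if len(lines) != 16:
        problems.append("static key has %d data lines, expected 16" % len(lines))
    if any(not re.fullmatch(r"[0-9a-fA-F]{32}", ln) for ln in lines):
        problems.append("a static key line is not 32 hex digits")
    return problems

def paste_text(filename, text):
    """Return (field_name, text_to_paste) for one generated file, or raise
    ValueError explaining why the file must not go into that field."""
    if filename not in EXPECTED:
        raise ValueError("%s is not one of the five server-side files" % filename)
    field, labels = EXPECTED[filename]
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        raise ValueError("%s: expected one PEM block, found %d" % (filename, len(blocks)))
    label, body, block = blocks[0]
    if label not in labels:
        raise ValueError("%s carries '%s', not %s; it does not belong in the %s field"
                         % (filename, label, "/".join(sorted(labels)), field))
    if filename == "ta.key" and static_key_problems(body):
        raise ValueError("%s: %s" % (filename, "; ".join(static_key_problems(body))))
    return field, block

def accepted(filename, text):
    """True if paste_text() accepts this file for its field."""
    try:
        paste_text(filename, text)
        return True
    except ValueError:
        return False

# Constructed samples (placeholders, not real keys). SAMPLE_CA_CRT carries the
# kind of text dump easy-rsa puts above the PEM block.
SAMPLE_TA_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "".join("%032x\n" % (0x0123456789abcdef0123456789abcdef ^ i) for i in range(16))
    + "-----END OpenVPN Static key V1-----\n"
)
SAMPLE_CA_CRT = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBxzCCAXACAQAwDQYJKoZIhvcNAQEFBQAwADAeFw0xMDA3MDQwMDAwMDBaFw0y\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_SERVER_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, text in (("ta.key", SAMPLE_TA_KEY), ("ca.crt", SAMPLE_CA_CRT),
                       ("server.key", SAMPLE_SERVER_KEY)):
        field, block = paste_text(name, text)
        print("%-10s -> %-25s %s" % (name, field, block.splitlines()[0]))
    try:  # the mistake these checks exist for: the private key pasted as the CA
        paste_text("ca.crt", SAMPLE_SERVER_KEY)
    except ValueError as err:
        print("rejected:", err)
```

Both ca.crt and server.crt carry the same "CERTIFICATE" label, so this check cannot tell them apart by content alone; it relies on the filename for those two and catches the remaining mix-ups (a key or DH file in a certificate field, a certificate in the Static Key field, or a static key that is not what `--genkey` produced).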
  2. Dagger

    Dagger Networkin' Nut Member

    Very good... This should help a lot of people get their OpenVPN up and running...
     
  3. fbazsa

    fbazsa Networkin' Nut Member

    It's great thank you very much!!!

    Do you have any idea how I can reach the maximum speed via VPN? I tried to change the encryption to AES-128-CBC, but there wasn't any significant difference.
     
  4. TikiG

    TikiG Networkin' Nut Member

    Thank you (and the others who helped you) for providing the excellent directions. This is not easy for most people and the instructions are quite good!

    I do want to add a few comments. These are based on my experience; YMMV.

    1.) If you have Windows 7 64 bit, the key generation instructions provided on OpenVPNHowTo are not going to work. You have to rename the path to include the (x86) in the vars.bat file. I did find instructions for this on a "How to Geek" article. http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router

    I recommend following the instructions in the sequence that they provide. This article is also helpful if you need general assistance making the keys.

    2.) Do not forget to make the ta.key using the command line, openvpn --genkey --secret ta.key , note that it is saved in the "easy-rsa folder", not the "key folder". (At least in my case it was...)

    3.) Make sure you rename your Tap-Win32 Adapter to OpenVPN, the virtual adapter is located in your Windows Network Connections. (If you don't you will get an error that the Tap-Win32 OpenVPN cannot be found.)

    Again thanks for your time and others who helped you as well.

    TikiG
     
  5. lancethepants

    lancethepants Network Guru Member

    As long as you don't explicitly specify the tap adapter in the config file (i.e., take out 'dev-node OpenVPN'), it will automatically find a suitable adapter (if it exists) and use that. Then you don't have to rename the Tap adapter.
     
  6. TikiG

    TikiG Networkin' Nut Member

    In testing further, my install is not redirecting client traffic as it should. Where can you find/see the gui generated server.ovpn file?

    Any suggestions or changes recommended? I am configured the same as the original post.

    TikiG
     
  7. lancethepants

    lancethepants Network Guru Member


    /tmp/etc/openvpn/server1/config.ovpn
     
  8. TikiG

    TikiG Networkin' Nut Member

    Here is my server config...

    # Automatically generated configuration
    daemon
    server-bridge 192.168.1.1 255.255.255.0 192.168.1.25 192.168.1.35
    proto udp
    port 50002
    dev tap21
    cipher AES-256-CBC
    comp-lzo yes
    keepalive 15 60
    verb 3
    client-config-dir ccd
    client-to-client
    push "dhcp-option DNS 192.168.1.1"
    push "route-gateway 192.168.1.1"
    push "redirect-gateway def1"
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status

    # Custom Configuration

    -----------------------------------------------------

    I did notice that when I do an ipconfig on the OpenVPN adapter it does not list a default gateway (it's blank), so it's not getting pushed???
    It does show the DNS server in the adapter, 192.168.1.1 (correct for my scenario).

    I'm using OpenVPN v 2.1.4, Gui v 1.0.3

    -----------------------------------------------------

    My client config...

    dev tap
    proto udp
    dev-node OpenVPN
    remote **.**.**.** 50002
    tls-client
    keepalive 15 120
    verb 3
    mute-replay-warnings
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    pull
    nobind
    show-net-up
    explicit-exit-notify 3
    comp-lzo

    -----------------------------------------------------

    Ideas to try?

    Thanks,

    TikiG
     
  9. lancethepants

    lancethepants Network Guru Member

    I think you need to change 'tls-client' to just plain 'client'.

    --client A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to:
    pull
    tls-client

    --pull This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options (note that the --pull option is implied by --client ).
    In particular, --pull allows the server to push routes to the client, so you should not use --pull or --client in situations where you don't trust the server to have control over the client's routing table.
     
  10. TikiG

    TikiG Networkin' Nut Member

    Fixed.

    Updated my Open VPN to 2.2.2, opened read me file...

    ---------------------------

    IMPORTANT NOTE FOR WINDOWS VISTA/7 USERS
    Note that on Windows Vista, you will need to run the OpenVPN
    GUI with administrator privileges, so that it can add routes
    to the routing table that are pulled from the OpenVPN server.
    You can do this by right-clicking on the OpenVPN GUI
    desktop icon, and selecting "Run as administrator".
    -----------------------------

    This made a difference. Ran the GUI as administrator and it works now. ipconfig still shows no gateway listed (blank), but it is routing all traffic over the VPN.

    My final config has the 'tls-client'.

    As an experiment, it appears to work with 'tls-client' changed to 'client' and the later 'pull' removed as well...

    -TikiG

    Note:
    Win 7 application config setting "always run as admin" every time:
    http://technet.microsoft.com/en-us/magazine/ff431742.aspx
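The last few posts come down to whether the client and server configs agree with each other: same dev type, proto and port, same cipher, comp-lzo on both ends, tls-auth with direction 0 on the server and 1 on the client, and, per lancethepants' quote from the man page, a client that actually pulls (`client`, or `tls-client` plus `pull`) so that the pushed `redirect-gateway def1` and DNS options take effect. The following is an added example for this thread, not code from the posts, from TomatoVPN or from OpenVPN: it parses the two configs copied from pmason's first post (YOUR.PUBLIC.IP is the post's own placeholder) and reports every mismatch it knows about, including the tls-client-without-pull case TikiG hit.

```python
"""Consistency check between a client .ovpn and the TomatoVPN-generated
server config. Added example for this thread; not code from the posts,
TomatoVPN or OpenVPN. Both configs below are copied from the first post."""
import shlex

SERVER_OVPN = """\
daemon
server-bridge
proto udp
port 1194
dev tap21
cipher AES-256-CBC
comp-lzo yes
keepalive 15 60
verb 3
push "dhcp-option DNS 192.168.7.1"
push "route-gateway 192.168.7.1"
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
"""

CLIENT_OVPN = """\
dev tap
proto udp
dev-node OpenVPN
remote YOUR.PUBLIC.IP 1194
tls-client
keepalive 15 120
verb 3
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
pull
nobind
show-net-up
explicit-exit-notify 3
comp-lzo
"""

def parse(text):
    """Parse an OpenVPN config into {directive: [args, ...]}; repeated
    directives such as push are collected in order. Comments start with # or ;."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def first(conf, name, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    return conf[name][0] if name in conf else default

def dev_type(conf):
    """'tap' or 'tun', from 'dev-type tap', 'dev tap21' or 'dev tap0'."""
    return (first(conf, "dev-type") or first(conf, "dev") or [""])[0][:3]

def proto_family(conf):
    """Collapse tcp-server / tcp-client to 'tcp' so both ends compare equal."""
    return (first(conf, "proto") or ["udp"])[0].split("-")[0]

def check_pair(server, client):
    """Return a list of mismatches; empty means the pair agrees on everything
    this check knows about."""
    s, c = parse(server), parse(client)
    out = []
    if dev_type(s) != dev_type(c):
        out.append("dev type differs: server %s, client %s" % (dev_type(s), dev_type(c)))
    if proto_family(s) != proto_family(c):
        out.append("proto differs (server %s, client %s); change both ends together"
                   % (proto_family(s), proto_family(c)))
    remote = first(c, "remote", [])
    if not remote:
        out.append("client has no remote line")
    elif (remote[1:2] or ["1194"])[0] != first(s, "port", ["1194"])[0]:
        out.append("client dials port %s but server listens on %s"
                   % ((remote[1:2] or ["1194"])[0], first(s, "port", ["1194"])[0]))
    if first(s, "cipher") != first(c, "cipher"):
        out.append("cipher differs: %s vs %s" % (first(s, "cipher"), first(c, "cipher")))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("comp-lzo is set on one side only; both ends must agree")
    # tls-auth on both ends, key direction 0 on the server and 1 on the client
    # (or omitted on both for a bidirectional key).
    s_ta, c_ta = first(s, "tls-auth"), first(c, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        out.append("tls-auth is set on one side only")
    elif s_ta and (s_ta[1:2], c_ta[1:2]) not in (([], []), (["0"], ["1"])):
        out.append("tls-auth key direction must be 0 on the server and 1 on the client")
    # Pushed options (redirect-gateway, DNS) only apply if the client pulls:
    # 'client' implies 'tls-client' plus 'pull'; 'tls-client' alone does not pull.
    if "push" in s and not ("client" in c or "pull" in c):
        out.append("server pushes options but client has neither 'client' nor 'pull'")
    if "client" not in c and "tls-client" not in c:
        out.append("client is missing 'client' (or 'tls-client')")
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        out.append("client does not check the server certificate's role "
                   "(ns-cert-type server or remote-cert-tls server)")
    return out

# The configuration TikiG started with: tls-client without pull.
CLIENT_NO_PULL = CLIENT_OVPN.replace("\npull\n", "\n")

if __name__ == "__main__":
    print("first post's pair:", check_pair(SERVER_OVPN, CLIENT_OVPN) or "consistent")
    print("tls-client without pull:", check_pair(SERVER_OVPN, CLIENT_NO_PULL))
```

On the blank default gateway TikiG saw: `redirect-gateway def1` works by pushing two routes, 0.0.0.0/1 and 128.0.0.0/1, via the VPN gateway rather than replacing the adapter's default gateway, so ipconfig showing no gateway on the TAP adapter while all traffic goes through the tunnel is the expected result, not a fault. The check above does not inspect routing state; it only confirms that the client is configured to accept what the server pushes.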
     
  11. lancethepants

    lancethepants Network Guru Member

    Ah, I missed that you had pull in your config too.
     
  12. pksml

    pksml Connected Client Member

    Great tutorial! I just migrated from DD-WRT to Victek's Tomato build. VPN is a necessity for me to keep Tomato on my router, and this tutorial gave me what I needed to get it working! I had to change two little things in my client.ovpn file. I took out the dev-node line and changed the first line from tap to tap0. Thanks so much for this tutorial, pmason!
     
