1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Need help on DHCP and OpenVPN

Discussion in 'Tomato Firmware' started by zgep, Jun 17, 2009.

  1. zgep

    zgep Addicted to LI Member

    Hi there!

    I switched from dd-wrt to tomato a few days ago and I'm relly blown away. It never even occured to me a webinterface that responsive and requireing so few restarts was possible!

    Anyway, since I enjoy it that much I want to make the most of it. ATM I'm looking for a solution to a specific DHCP-problem. What I want is this:

    There's only laptops in my LAN/WLAN. They are connected to the router via WLAN (cause it's convenient) and via wire (cause transfering a 20GB+ C:-backup over WLAN sucks) but never(!) at the same time.

    I want to be able to stuff like "ping <hostname>" and "net use <drive> \\<hostname>\<share>". The problem is, as you might already have guessed, when one of the laptops connects via wire rather than wlan it has a different MAC. So I can't use static leases, because the laptops would still get different IPs/Hostnames depending on how they connect to the network.

    Basically I want to run something like a real DNS-Server on the router resolving the hostnames to dynamic local IP-Addresses.
    Well, how do I do that?

    Here's some of the settings I'm using that might be related:
    hostname of the router is zgep
    domain of the router is lan
    all laptops run windows xp or windows 7 rc and have quite simple hostnames (only upper- and lower-case letters, no spaces or numbers or whatnot)

    Feel free to ask anything you think is relevant to find a solution!

    Something else: I'm using this mod: http://tomatovpn.keithmoyer.com/2009/06/125vpn33-release.html
    Can anyone point me to a step-by-step-tutorial on how to set up the openvpn-server? I allready got all the certificates and keys (including a server-tls-key) cause I had it all running on my dd-wrt (which was a real pain setting up by the way, and WAY unreliable and unstable. It was indeed the reason I switched to tomato in the first place because someone told me there are better openvpn-tomato-builds).

    I apreciate your help,
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This has been brought up a few times, and I don't think (someone correct me if I'm wrong) anyone's come up with anything other than giving a different static-DHCP lease (name and IP) to the laptop when wired vs wireless (eg keith-laptop and keith-laptop-wired in my case).

    However: Beginning with dnsmasq 2.46 (Just released this last november and is included in the Tomato/TomatoVPN version you are using), it appears dnsmasq can handle exactly the behavior you (and I) want.
    I would guess it can be achieved by not setting up static DHCP through the Static DHCP settings in Tomato, but rather through the Dnsmasq Custom Config section. If you need help forming such a statement, let me know (don't have time at the moment, but can look come up with one later).

    EDIT: Curiosity got the best of me. The manpage had an example:
    Would assign to the MAC addresses 11:22:33:44:55:66 and 12:34:56:78:90:12. Note that this will be unstable if both are connected at once (but you already said that wouldn't be the case).

    To match Tomato functionality, you'll also want to add
    echo hostname >> /etc/hosts.dnsmasq
    killall -SIGHUP dnsmasq
    to the WAN-Up script (Administration->Scripts).

    Now that you have the certificates, you're almost done! I recommend using TUN, UDP, and TLS. After those are selected (and they should be the defaults), just copy the contents of your certificate files to the appropriate fields in the Keys tab. That's it! You should be able to connect after that.

    If you are setting up a site-to-site VPN (router on both ends), you'll either need to set up the Client-Specific Options section (Advanced tab) on the server router with the client's commonname and LAN subnet or select the NAT checkbox (Basic tab) on the client router (the latter doesn't allow the server LAN machines to initiate connections to the client LAN machines, however).

    If you have more questions, let me know.
  3. zgep

    zgep Addicted to LI Member

    cool! I'll definitly try that, but not before tomorrow.
    If I get that right the echo would simply add the hostname to the dns-table so it can be looked up. But why do I need the killall?

    Thx for your help Pepper!
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Pretty much right on the echo. It makes it so that the DNS name is resolvable even when the client doesn't have an active DHCP lease. Even without that line, it would be resolvable with an active lease (but, at the DNS name specified by the client during DHCP negotiation - not necessary the same as what you put in the echo/Tomato GUI).

    The killall sends a message to Dnsmasq that tells it to re-read the hosts file. The -SIGHUP is a special message that doesn't actually kill the process (it just so happens that dnsmasq uses this to trigger the re-read behavior), despite the name of the command... :wink:
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    FYI: I just gave this a try, and it works exactly as advertised:exclimation:

    I'll try to think of a way to incorporate it nicely into the GUI, and, if I'm happy with it, I'll send it to Jon for possible inclusion in Tomato.
  6. zgep

    zgep Addicted to LI Member

    Hello again,

    I finally got around to spend some time w/ my router and the dhcp thing works like a charm! Thx again for your help pepper!

    Maybe I'll find some more spare time later today to set up openvpn :biggrin:

    cu around and thank you!
  7. Vezado

    Vezado Addicted to LI Member

    Couldn't you just force the MAC of the wireless card to be the same as the LAN card in the driver properties, or vice-versa?

    Also, take a look at DeltaCopy, rsync for windows. It will make those big backups over wifi much faster.
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I would think that that would cause a lot more problems if you accidentally did connect both at the same time.

    I tried connecting both at the same time on my laptop with this¹, and it worked quite well. After plugging/unplugging the ethernet cable (with wireless connected) there was only about a 5 second window before my internet connection resumed.

    EDIT: ¹ this being the dnsmasq method, not MAC cloning.
  9. Vezado

    Vezado Addicted to LI Member

    Good point.

    Also, it would be better using the new dnsmasq feature since it could be all done from the router without messing with the machines. I hope you can convince Jon to add this into a future release. BTW, is it possible to prioritize the MACs instead of handing the IP to the most recent? It sounds like someone who accidently toggled wifi while connected via ethernet would lose the ethernet connection.

    @zgep- here's the guide i used to get OpenVPN up and running. Very useful.
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    In my experiment yesterday, I found that with both connected, the router takes about 5 seconds to "learn" which one is active. My laptop (Ubuntu 9.04) keeps both connections active, but places the default route on the ethernet connection when available. Unplugging the ethernet cable, the default route is moved to the wireless interface, and (without a new DHCP request) the router's ARP table is correctly changed to the new MAC address within 5 seconds. Further tests could be more conclusive, but I think this points to it not just going to the most recently connected interface, but rather the active one. Of course, it's possible that accidentally toggling wireless while connected with ethernet could make you lose connectivity for a short time (5-10 seconds), but I think that's reasonable. And, of course, if you are actively using both interfaces, all bets are off.
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think I've worked out all of the kinks with this (one IP for multiple MAC addresses). My patch is available here (raw).

    I will send it to Jon to see if he wants to include it in regular Tomato.

Share This Page