1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Need help setting up simple site to site VPN

Discussion in 'Tomato Firmware' started by QSxx, Dec 12, 2013.

  1. QSxx

    QSxx LI Guru Member

    As the title says, I need help setting up (Open) VPN bridge between two networks.

    I have two routers. One is RT-N16 (running latest VLAN Toastman) and the other is WRT54G v2 (also running latest K2.4 Toastman). RT-N16 is server with LAN ip range 10.1.1.1/24 and WRT is client with range 10.1.2.1/24. My goal is to have two networks "see" each other so I can browse computers on both side from either side (most importantly NAS which is on RT-N16 side). And if old LAN games work (Warcraft 3, Starcraft, BOTF, Unreal Tournament etc etc) it's an added bonus - they should.

    Everything it done according to tutorials. I created certificates, keys for both routers. I've set up dyndns since i don't have fixed WAN IPs. Client connects to server but other than that, it doesn't really work. Logs aren't of much help since i'm only getting bytecount and similar stuff from it.

    On server side, under advanced tab i tried enabling Push LAN to clients with no success. When i try to enable Manage Client-Specific Options and enable Allow Client <-> Client with custom route subnet 10.1.1.0 / 255.255.255.0 (push is ticked) - server crashes and halts router, sometimes even resulting in nvram reset.

    I would therefore ask if there is a kind soul to provide an insight to my problem... What am i doing wrong, and can it be done otherwise if it's possible at all...

    P.S. I followed mostly this guide and several similar ones: http://www.wasagacomputers.com/home...te-vpn-using-tomato-firmware-and-openvpn.html

    Thank you!
     
  2. quihong

    quihong Serious Server Member

  3. QSxx

    QSxx LI Guru Member

    Yep, skipped part about key creation since i already had them. Otherwise, I tried yours too. Btw when i follow your tutorial, routes never get pushed to client (Server / Status / Routing table) - only shows 10.8.0.6 as virtual address... I tried rebooting both servers and clients several times. And internet access dies on client, but router remains accessible from outside (luckily i enabled that, otherwise i would be lookin' at another reset).
     
  4. quihong

    quihong Serious Server Member

    The tutorial is solid and been tested by multiple people, plus I have a video to prove it works.

    My recommendation would be to follow it exactly as is from start to finish with a NVRAM reset prior on both routers. It's a 23 minute process from start to completion.

    One common mistake (I made it myself when with my first site to site vpn), is that the "Common Name" matters, so you need to make sure its correct and consistent.

    Maybe you want to share some screenshot of your configuration and issue.
     
  5. QSxx

    QSxx LI Guru Member

    IF Common Name has to be identical to router name or even hostname in Basic / Identification then it makes sense to recreate certificates/keys.

    In any case, I will try to follow your tutorial to the letter to identify potential mistakes - will post my results here (aldo I'm quite sure, there were no mistakes but i'm only human)
     
  6. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Sounds like the setup is correct (you can connect and ping the openvpn server from a connected client) but you're incorrectly creating the routes for connected clients.

    The 'Common Name' is the name YOU set when you created the keys, it has nothing to do with the router name/hostname.

    Since you said your RTN16 is the server with subnet 10.1.1.1/24, under the 'Allow these clients' you need to add the route for your client, not server. So add your WRT's Common Name, with subnet 10.1.2.1/24 and push it.
     
    Last edited: Dec 14, 2013
  7. QSxx

    QSxx LI Guru Member

    Yes, that might be the issue - i'm pushing client subnet... but not Common Name... let's try that (yes... i'm obviously blind, stupid and can't RTFM)
     
  8. QSxx

    QSxx LI Guru Member

    Okay just to update my own thread:

    Qui - i encountered some errors following your tutorial (mostly because it wouldn't pick up proper openssl after installing entware and packages), it worked nevertheless with existing keys i had before so i could skip entire part about generating keys. i will however reduce key to 1024bit since it takes forever to handshake when client connects

    Malitiacurt - you were right, it was typo in Common Name (that's why i was so sure i configured it correctly) - works flawlessly now and routes get pushed properly as soon as client connects

    Now for the final question - is windows network discovery possible over VPN?

    I know VPN insists on different subnets for server and client and creates one of it's own too... Since i have server and client networks pretty close one to another (10.1.1.1/10.1.2.1) - would it work if i specified 255.255.252.0 as subnet mask (that should theoretically make windows look everywhere from 10.1.0.1 to 10.1.3.254)?


    P.S. VERY IMPORTANT

    On server side - DO NOT ATTEMPT TO KEEP KEYS IN WEBGUI PART as it will max out NVRAM space and result in partial or complete loss nvram data

    UPDATE - Switching from TUN to TAP actually solved all my "problems". I now have fully functional VPN bridge between two networks that see each other and can browse each other without a hickup. TAP also appears to be working better than TUN in terms of speed but also router load.

    Will update this post as testing continues
     
    Last edited: Dec 15, 2013
  9. quihong

    quihong Serious Server Member

    Thanks for the feedback. I have the following line to address the openssl issue you mentioned (did it not work)?

    #update PATH to pick up correct openssl (save a reboot)
    #correct = /opt/bin/openssl
    PATH=/opt/bin:$PATH

    Glad to hear you got you VPN working.
     
  10. QSxx

    QSxx LI Guru Member

    Nope... it still goes looking for the original install folder - fails with error. I will provide you with exact error message soon (not at home ATM; holidays, family, and so on...)
     

Share This Page