
Need some help setting up a VPN Using TomatoVPN 1.27vpn3.6 Please!

Discussion in 'Tomato Firmware' started by ep1centre, Feb 10, 2012.

  1. ep1centre

    ep1centre Networkin' Nut Member

    Hi there,


    I know I'm only new here, but I have been a long-term user of the awesome Tomato f/w. I've always been able to find out how to do everything I need networking-wise, but for the first time I feel I may have gone in over my head.


    For the past few days I have searched everywhere for answers and read a lot about VPNs in general, as well as how to set one up using TomatoVPN, but sometimes I end up reading things which, to be honest, I don't fully understand. So I may even have read the answers to what I need without being able to understand them, which is why I've come here: I was hoping some of you may be able to dumb some things down a bit in order to help me get this working.




    The scenario is as follows:


    I run my business (Site2) and as such I have files there which it would be nice to access at home (Site1), and vice versa. To make things more complicated, I'm not always at home; sometimes I'm at my partner's house (Site3). So what I would like to create is a VPN between those 3 points so that any site is accessible from another.


    I would also like it to behave like a normal LAN, so if you need to browse a machine, you just go to Network Places and literally just browse for it.




    Hardware Specs/Setup:


    Site1 - All Linux (Ubuntu) PCs Android Phone & Tablet
    (Home) Router - WRT54GS (V1.1) Running TomatoVPN (VPN Server)


    Site2 - All Kinds of machines, tablets, phones & OSs
    (Work) Router - WRT54GS (V1.1) Running TomatoVPN (VPN Client 1)


    Site3 - Currently not part of the mix as I am still trying to get the VPN set up between the other 2.




    I have the error logs for both the VPN server and client, and looking at them it seems to indicate problems with the certificates and keys I generated (it is possible, as I couldn't seem to do it properly using Terminal, so I installed a program called gnoMint which seems to do the same job but has a GUI).


    Despite the problem with the keys/certificates, I also tried to use Shared Key for authentication and I still get errors in the logs. Basically I can't seem to get the service started; every time I click "Start Now", on either the server or the client, it just displays the following message in the "Status" tab: "Client is not running or status could not be read.".


    If you'd like to see the logs let me know, I didn't post them up because I didn't want to flood the thread.


    Can anybody shed some light on this?


    Thank you in advance for any help.
     
  2. kthaddock

    kthaddock Network Guru Member

  3. ep1centre

    ep1centre Networkin' Nut Member

    Thank you for your quick reply; that is the guide I used to set it all up to begin with. It's a great guide, but unfortunately I haven't got access to a Windows machine at the moment to create the certificates/keys. Besides, it seems my problems will still persist, since I can't seem to get the service running for love nor money!

    Also, on a side note, I have tried erasing the NVRAM and setting everything back up from scratch.
     
  4. kthaddock

    kthaddock Network Guru Member

  5. ep1centre

    ep1centre Networkin' Nut Member

    Nice one - I'm cool with that. Can you please shed some light on the naming convention though, to help me pick the right file?

    I'm thinking that either of the below are right but I'm not sure which:




    tomato-WRT54GS-1.28.7632.3-Toastman-IPT-ND-VPN.bin


    tomato-WRT54GS-1.28.7632.3-Toastman-VLAN-IPT-ND-VPN.bin

    Out of curiosity what does "IPT" and "ND" Stand for and what's the difference between the normal TomatoVPN and Toastman's version?
     
  6. kthaddock

    kthaddock Network Guru Member

    No, I can't, because I don't use them. I use RT-N builds. Maybe some other user can help you with that.
     
  7. ep1centre

    ep1centre Networkin' Nut Member

    Right then, I installed the following version:
    tomato-WRT54GS-1.28.7632.3-Toastman-IPT-ND-VPN.bin

    After installing, I set it all up again (using the same certificates I had before) and I got the following output in the client log file:

    Feb 10 14:59:36 unknown user.info init[1]: VPN_LOG_ERROR: 155: Adding tunnel interface to bridge failed...
    Feb 10 14:59:36 unknown user.info kernel: br0: port 3(tap11) entering disabled state
    Feb 10 14:59:36 unknown user.info kernel: br0: port 3(tap11) entering disabled state
    Feb 10 15:00:02 unknown syslog.info root: -- MARK --
     
  8. ep1centre

    ep1centre Networkin' Nut Member

    So... I got hold of a Windows machine, followed the guide recommended earlier and recreated all my CAs/keys without any apparent issues, then re-checked all my settings and copy/pasted all the CAs/keys into the right places, saved, pressed "Start Now" and nothing...

    This is what I got in the logs:

    Feb 10 18:06:47 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Feb 10 18:06:47 unknown user.info kernel: device tap11 entered promiscuous mode
    Feb 10 18:06:47 unknown user.info kernel: br0: port 3(tap11) entering learning state
    Feb 10 18:06:47 unknown user.info kernel: br0: port 3(tap11) entering forwarding state
    Feb 10 18:06:47 unknown user.info kernel: br0: topology change detected, propagating
    Feb 10 18:06:47 unknown daemon.notice openvpn[943]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 3 2012
    Feb 10 18:06:47 unknown daemon.warn openvpn[943]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 10 18:06:47 unknown daemon.warn openvpn[943]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Feb 10 18:06:47 unknown daemon.err openvpn[943]: Cannot load certificate file client.crt: error:0906D06C:lib(9):func(109):reason(108): error:140AD009:lib(20):func(173):reason(9)
    Feb 10 18:06:47 unknown daemon.notice openvpn[943]: Exiting

    I'm off home now to try things on the server end to see if its any different there.
     
  9. ep1centre

    ep1centre Networkin' Nut Member

    And after endless pissing around with this, as usual with networking, it was one small, daft, seemingly insignificant mistake...

    ... as opposed to what those guides tell you, you ABSOLUTELY DO NEED to copy -----BEGIN PRIVATE KEY----- & -----END PRIVATE KEY----- as well as -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----, or else the server/client processes error and won't start. It seems daft now that I never thought of it earlier...
     
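The OpenSSL error quoted in the previous post (0906D06C is the PEM routines' PEM_read_bio "no start line" error) is exactly what OpenVPN reports when the pasted material lacks its BEGIN/END armour lines, so the fix above matches the log. As an added example (not from the thread, and not Tomato or OpenVPN code), here is a small Python check to run over exported certificate and key text before pasting it into the Tomato UI: it confirms the armour lines are present, that the body is valid base64, and that the decoded bytes form one complete DER SEQUENCE, so a partial copy is caught too. The sample inputs are constructed stand-ins, not real key material.

```python
import base64
import binascii
import re

# Constructed stand-in for a DER certificate: an outer SEQUENCE whose length
# header (0x82 0x01 0x0A = 266 content bytes) matches its zero padding.
# Not real key material.
DER_STUB = bytes([0x30, 0x82, 0x01, 0x0A]) + b"\x00" * 266
B64_BODY = base64.encodebytes(DER_STUB).decode()

GOOD_CERT = "-----BEGIN CERTIFICATE-----\n" + B64_BODY + "-----END CERTIFICATE-----\n"
BARE_BODY = B64_BODY                       # only the base64 lines were copied
TRUNCATED = ("-----BEGIN CERTIFICATE-----\n"
             + base64.encodebytes(DER_STUB[:200]).decode()
             + "-----END CERTIFICATE-----\n")  # armour present, body cut short

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_sequence_length(der):
    """Total length of the outer DER SEQUENCE (tag + length + content), or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text, expected_labels):
    """Return (True, label) if text holds one well-formed PEM block of an
    expected type, else (False, reason). Checks run in the order OpenSSL
    would reject the input: no start line, then bad base64, then bad DER."""
    m = PEM_BLOCK.search(text)
    if not m:
        return False, "no start line: BEGIN/END armour lines are missing"
    label, body = m.group(1), m.group(2)
    if label not in expected_labels:
        return False, "unexpected block type %r" % label
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return False, "body is not valid base64"
    declared = der_sequence_length(der)
    if declared is None or declared != len(der):
        return False, ("decoded body is not a complete DER SEQUENCE "
                       "(declared %s, got %d bytes)" % (declared, len(der)))
    return True, label


if __name__ == "__main__":
    for name, text in (("good", GOOD_CERT), ("bare", BARE_BODY), ("truncated", TRUNCATED)):
        print(name, check_pem(text, CERT_LABELS))
```

Run it with the client's `client.crt` and `client.key` contents (the key against `KEY_LABELS`); anything other than `(True, label)` is something OpenVPN will also refuse to load. The DER length check only looks at the outer SEQUENCE header, which is enough to catch a truncated paste without a full ASN.1 parser.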
  10. ep1centre

    ep1centre Networkin' Nut Member

    Today I got to work and set up the client end of the VPN and it connected - brilliant! (I thought). So I set about seeing what I could access on my home network from work, but to my surprise the network browser identifies a few machines but won't let me access them.

    I can't seem to access anything on my home network no matter what i do.

    I am somewhat confused as to what some settings do. Under OpenVPN Client > Basic > "Server is on the same subnet" - does that option refer to the subnet, i.e. the LAN both at home and at work, or the WAN subnet mask?
     
  11. kthaddock

    kthaddock Network Guru Member

    Are you using TAP or TUN?
    TAP (Level 2 network) device is a virtual ethernet adapter, while a TUN (Level 3 network with NAT) device is a virtual point-to-point IP link.

    - Can you ping 192.168.1.1?
    - Can you ping other computers, 192.168.1.?
    - What have you flipped in in Basic and Advanced setting ?
     
  12. ep1centre

    ep1centre Networkin' Nut Member

    I'm using TAP; from what I understand that is the method that will most closely resemble an actual LAN, even though it spans various physical sites.

    I am currently physically at the client site and I can ping everything on this side of the network (192.168.20.xxx), but I can't seem to ping anything on the server side of the network (192.168.10.xxx).

    The settings on the client side are as follows.

    ______
    Basic
    ----------
    Start with WAN -(ticked)
    Interface Type - (TAP)
    Protocol - (UDP)
    Server Address/Port - (mydomain.com) (1194)
    Firewall - (Auto)
    Auth Mode - (TLS)
    Username/Password Authentication - (unticked)
    Extra HMAC authorization (tls-auth) - (Disabled)
    Server is on the same subnet - (unticked)

    _________
    Advanced
    ---------------
    Poll interval - 0
    Redirect Internet traffic - unticked
    Accept DNS configuration - disabled
    Encryption cipher - Use Default
    Compression - Adaptive
    TLS Renegotiation Time - (-1)
    Connection retry - 30
    Verify server certificate (tls-remote) - unticked

    Thanks for helping. I'm sure it's going to be something daft, but you know what it's like: when you look at something wrong for long enough it starts looking right.
     
  13. ep1centre

    ep1centre Networkin' Nut Member

    And there we go, about that simple mistake: basically I read somewhere to set my IP address range differently between sites to avoid DHCP conflicts, and so I had set the range at home in the 192.168.10.xxx range and at work in the 192.168.20.xxx range, not realizing of course that what they meant by a different range was something like 192.168.1.100 to 192.168.1.149 at home (server side) and 192.168.1.150 to 192.168.1.199 on the Client 1 side, and so on and so forth...

    Everything appears to work fine even if somewhat slower than I expected.

    If there's any settings I should try for speed improvement please let me know.

    Thank you so much for all the help.
     
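The lesson in the post above is specific to a bridged (TAP) setup: the tunnel joins both LANs into one broadcast domain, so every site must sit in the same subnet, each router needs its own distinct address, and the DHCP pools must not overlap (with routed TUN, by contrast, each site keeps its own subnet and routes are exchanged instead). As an added example, not from the thread or from Tomato, the Python below checks an addressing plan for exactly those conditions, using the two plans the post describes as constructed input. It does not check anything about the tunnel itself; even a plan that passes still has two DHCP servers listening on one bridged segment.

```python
import ipaddress

# Constructed site plans. BROKEN is the first attempt described in the post
# (a different /24 at each site); WORKING is the arrangement it arrived at
# (one /24, distinct router addresses, non-overlapping DHCP pools).
BROKEN = [
    {"name": "home (server)", "lan": "192.168.10.0/24", "router": "192.168.10.1",
     "dhcp": ("192.168.10.100", "192.168.10.149")},
    {"name": "work (client 1)", "lan": "192.168.20.0/24", "router": "192.168.20.1",
     "dhcp": ("192.168.20.100", "192.168.20.149")},
]
WORKING = [
    {"name": "home (server)", "lan": "192.168.1.0/24", "router": "192.168.1.1",
     "dhcp": ("192.168.1.100", "192.168.1.149")},
    {"name": "work (client 1)", "lan": "192.168.1.0/24", "router": "192.168.1.2",
     "dhcp": ("192.168.1.150", "192.168.1.199")},
]


def check_bridged_plan(sites):
    """Return a list of problems that would break a bridged (TAP) site-to-site
    VPN between the given sites. An empty list means the plan is consistent."""
    problems = []

    # 1. One broadcast domain means one subnet for everybody.
    nets = {ipaddress.ip_network(s["lan"], strict=False) for s in sites}
    if len(nets) != 1:
        problems.append("sites are on different subnets: %s"
                        % ", ".join(str(n) for n in sorted(nets)))

    routers = {}   # router address -> site name
    pools = []     # (site name, (first, last)) per DHCP pool
    for s in sites:
        net = ipaddress.ip_network(s["lan"], strict=False)
        router = ipaddress.ip_address(s["router"])
        lo, hi = (ipaddress.ip_address(a) for a in s["dhcp"])

        # 2. Two routers answering on the same address would fight each other.
        if router in routers:
            problems.append("%s and %s both use router address %s"
                            % (routers[router], s["name"], router))
        routers[router] = s["name"]

        # 3. Each pool must be a sane range inside the site's own subnet.
        if lo > hi or lo not in net or hi not in net:
            problems.append("%s: DHCP pool %s-%s is not inside %s"
                            % (s["name"], lo, hi, net))

        # 4. Pools must be disjoint, or both servers may hand out one address.
        for other, (olo, ohi) in pools:
            if lo <= ohi and olo <= hi:
                problems.append("%s DHCP pool overlaps %s" % (s["name"], other))
        pools.append((s["name"], (lo, hi)))

    # 5. No router address may fall inside any pool.
    for router, name in routers.items():
        for other, (olo, ohi) in pools:
            if olo <= router <= ohi:
                problems.append("router %s (%s) lies inside %s DHCP pool"
                                % (router, name, other))
    return problems


if __name__ == "__main__":
    for label, plan in (("BROKEN", BROKEN), ("WORKING", WORKING)):
        print(label, check_bridged_plan(plan) or "ok")
```

Adding Site3 later is a matter of appending one more dict with a third router address and a third disjoint pool; the same checks apply.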
  14. kthaddock

    kthaddock Network Guru Member

  15. ep1centre

    ep1centre Networkin' Nut Member

    I've fine-tuned those options like you said, but though things are working I am having some trouble with DHCP, because the routers on either end seem to be assigning IP addresses to devices on the other (e.g. the router at work assigns an IP address to a device at home and vice versa). So I decided to do some searching around and found a thread on this forum which you had actually posted on, with the following custom configuration:

    ebtables -A INPUT --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A INPUT --in-interface tapX --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tapX --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tapX --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP


    Now I figured this was to copy and paste on the server side of things. I don't know if it did much for my DHCP problem, but it certainly cut my access to the client site for sure. Any ideas on how I can stop this happening? Is this a by-product of me using TAP instead of TUN?
     
  16. kthaddock

    kthaddock Network Guru Member

    These rules only work for a TAP interface: "TAP (Level 2 network) device is a virtual ethernet adapter", the same as a "computer".
    If you use TAP then you have to decide which side you put it on, tap11 or tap21 if you follow the guide.
     
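The four ebtables rules quoted two posts up match only IPv4 UDP with source or destination port 67 or 68 (DHCP) on the named TAP interface, and nothing else, so on their own they should not cut ordinary file-sharing traffic. The `tapX` in them is a placeholder: the client log earlier in this thread shows the OpenVPN client's interface as `tap11`, and that real name is what the rules need. As an added example (not from the thread, not Tomato code), the Python below generates the rules for a given interface, refuses the placeholder, and runs a small matcher over constructed frames to show what they do and do not affect. The matcher is a simplification of ebtables (first matching rule wins, IPv4 frames assumed, other chains ignored), and `eth1` as the name of a local LAN port is an assumption for the sample frames only.

```python
import re

# The rules quoted in the post, with the interface left as a placeholder.
RULE_TEMPLATE = """\
ebtables -A INPUT --in-interface {tap} --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface {tap} --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface {tap} --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface {tap} --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
"""


def dhcp_isolation_rules(tap_if):
    """Return the rule lines for a real TAP interface name (e.g. tap11).
    The tapX placeholder from the guide is rejected rather than copied."""
    if not re.fullmatch(r"tap\d+", tap_if):
        raise ValueError("expected a real TAP interface name such as tap11, got %r" % tap_if)
    return RULE_TEMPLATE.format(tap=tap_if).splitlines()


def _parse(rule):
    """Pull chain, target and the matchers we simulate out of one rule line."""
    t = rule.split()
    r = {"chain": t[t.index("-A") + 1], "target": t[t.index("-j") + 1]}
    for flag, key in (("--in-interface", "in"), ("--out-interface", "out"),
                      ("--ip-protocol", "proto"),
                      ("--ip-destination-port", "dport"), ("--ip-source-port", "sport")):
        if flag in t:
            r[key] = t[t.index(flag) + 1]
    return r


def _port_in(spec, port):
    """True if port lies in an ebtables port spec, '67' or '67:68'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def would_drop(rules, chain, in_if, out_if, proto, sport, dport):
    """Simulate one IPv4 frame against the rules: True if a DROP rule in the
    given chain matches it. Interface matchers compare names only, so a rule
    written for a non-existent interface simply never matches."""
    for rule in rules:
        r = _parse(rule)
        if r["chain"] != chain or r["target"] != "DROP":
            continue
        if "in" in r and r["in"] != in_if:
            continue
        if "out" in r and r["out"] != out_if:
            continue
        if "proto" in r and r["proto"] != proto:
            continue
        if "dport" in r and not _port_in(r["dport"], dport):
            continue
        if "sport" in r and not _port_in(r["sport"], sport):
            continue
        return True
    return False


if __name__ == "__main__":
    rules = dhcp_isolation_rules("tap11")
    print("\n".join(rules))
    # Constructed frames: a DHCP discover arriving over the tunnel, a local
    # discover about to leave through it, and SMB traffic through the tunnel.
    print("remote discover to this router:", would_drop(rules, "INPUT", "tap11", None, "udp", 68, 67))
    print("local discover into tunnel:   ", would_drop(rules, "FORWARD", "eth1", "tap11", "udp", 68, 67))
    print("SMB into tunnel:              ", would_drop(rules, "FORWARD", "eth1", "tap11", "tcp", 50000, 445))
```

Note what the FORWARD rules cover: they only match frames leaving through the tunnel, so a DHCP offer arriving from the other site is not stopped by them on the receiving router. Each router therefore keeps its own clients' DHCP from crossing the bridge, which is why the rules belong on whichever side (or both) whose clients must not be served by the remote router.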
  17. RonV

    RonV Network Guru Member

    I think the toughest thing is understanding the differences in TAP vs. TUN configuration and capabilites. The How To Geek article is ok but is lacking in explaining the mechanics of the configurations. It's a good starting point. Maybe we need to get a good "pinned" thread on VPN configuration here?
     
  18. ep1centre

    ep1centre Networkin' Nut Member

    TAP11/TAP21 is new to me... I only have TUN/TAP as choices, no TAP11/TAP21.

    When I added those rules I did have it set as TAP, but they made me lose connection with the client site as soon as I pressed "Save".

    I then (now) decided to try TUN to see the differences. Unfortunately I must have done something wrong and I have now lost connection with the client router, so I am unable to revert the settings - I guess I must wait until tomorrow when I go into work so I can log in locally and check my settings again. So frustrating... All I did was change the interface from TAP to TUN on both routers, and to make it even more frustrating it even shows as being connected in the VPN server list and I can ping the virtual VPN adapter's IP address, but nothing further than that, which means I just cannot log in to the remote router.
     
  19. ep1centre

    ep1centre Networkin' Nut Member

    @RonV - I totally agree. I consider myself fairly able to deal with network problems and to understand generally how things work, but I've spent hours on this TAP and TUN subject and I am still somewhat at a loss as to what exactly the advantages and disadvantages of each are.


    Edit: It is also near impossible to find a guide that talks about setting up a VPN between 2 routers (in my case 2 routers running Tomato), and whilst it's fairly intuitive to do the client side of a router, it'd be reassuring if there was a guide talking about best practices for such a setup, as normally the guides always talk about 1 router as the server and a PC or laptop as the client.
     
  20. kthaddock

    kthaddock Network Guru Member
