need some help with OpenVPN on Tomato firmware

Discussion in 'Tomato Firmware' started by LeSilverFox, Feb 2, 2013.

  1. LeSilverFox

    LeSilverFox Network Guru Member

    I cannot get my OpenVPN setup working properly - I need some help and advice. I have been searching this site, and I managed to get certain things up and running, but I am still short of some knowledge.
    Objective: remotely connect to my home setup and access all hosts running on the home network. Also, redirect my internet traffic to my home ADSL exit point.
    I got the certificates sorted and I can bring up the OpenVPN tunnel connecting to the home server. Once connected, from the client I can surf the web and all traffic goes through my VPN tunnel and exits at home. This I verified. I cannot, however, ping any of the hosts on the server-side LAN. I can ping 192.168.1.1, although I am not sure if this is the home router or the one at the remote site.

    here's my setup:
    home router: E4200 v1 running Toastman tomato-E4200USB-NVRAM60K-1.28.0500.5 MIPSR2Toastman-RT-N-VPN
    server setup:
    interface: tun
    protocol: udp
    port 1194
    firewall: automatic
    author: tis
    vpn subnet:10.8.0.0 - 255.255.255.0
    push LAN to clients = checked
    respond to DNS = checked

    server side LAN: 192.168.1.0

    Client: macbook pro running viscosity as the VPN client, connected to internet via stock standard linksys router.
    client config file:
    client
    remote xxxx.dyndns.org 1194
    tls-client
    dhcp-option DNS 8.8.8.8
    dhcp-option DNS 8.8.4.4

    proto udp
    dev tun

    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    comp-lzo
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server

    float
    verb 4

    How do I get access to the hosts sitting on my home LAN? What additional configuration do I need to make to succeed?
    Please do offer some advice here, I've been banging my head over this for many days!!!

    PS: in my desperation I tried changing the interface from tun to tap (on the server and client), hoping that would put me into the same LAN segment and access would be easier. Still the same thing: the tunnel comes up but I cannot ping any of the hosts on the LAN.

    Many thanks in advance for any help !
     
  2. gfunkdave

    gfunkdave LI Guru Member

    If you can't ping something on the remote network using only its IP, then your VPN tunnel is not actually connected. Check your logs on the router and in your client to find the error, and get back to us.
     
  3. LeSilverFox

    LeSilverFox Network Guru Member

    gfunkdave, thanks for coming back.

    I tried with different clients (Tunnelblick and Viscosity) and both clients report back that the tunnel is connected and I have the 10.8.0.6 IP address, which is what it should be.

    Anyway, here's the server log of the connection. I can't get the client log right now, this may take a day or so. I'm hopeful that the server log may give some clues...

    Thanks for helping :)
    Feb 3 17:31:20 unknown daemon.notice openvpn[866]: MULTI: multi_create_instance called
    Feb 3 17:31:20 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 Re-using SSL/TLS context
    Feb 3 17:31:20 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 LZO compression initialized
    Feb 3 17:31:20 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 3 17:31:20 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 3 17:31:20 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 TLS: Initial packet from 78.100.53.5:22437, sid=4f069479 e4c70fa9
    Feb 3 17:31:26 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 VERIFY OK: depth=1, /C=AU/ST=WA/L=Perth/O=LSFHOME/OU=foxVPN/CN=OpenVPN-CA/name=foxVPN/emailAddress=removed email address
    Feb 3 17:31:26 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 VERIFY OK: depth=0, /C=AU/ST=WA/L=Perth/O=LSFHOME/OU=foxVPN/CN=Client1/name=foxVPN/emailAddress=removed email address
    Feb 3 17:31:26 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 3 17:31:26 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 3 17:31:26 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 3 17:31:26 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 3 17:31:29 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Feb 3 17:31:29 unknown daemon.notice openvpn[866]: 78.100.53.5:22437 [Client1] Peer Connection Initiated with 78.100.53.5:22437
    Feb 3 17:31:29 unknown daemon.notice openvpn[866]: Client1/78.100.53.5:22437 MULTI: Learn: 10.8.0.6 -> Client1/78.100.53.5:22437
    Feb 3 17:31:29 unknown daemon.notice openvpn[866]: Client1/78.100.53.5:22437 MULTI: primary virtual IP for Client1/78.100.53.5:22437: 10.8.0.6
    Feb 3 17:31:34 unknown daemon.notice openvpn[866]: Client1/78.100.53.5:22437 PUSH: Received control message: 'PUSH_REQUEST'
    Feb 3 17:31:34 unknown daemon.notice openvpn[866]: Client1/78.100.53.5:22437 SENT CONTROL [Client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)


     
  4. gfunkdave

    gfunkdave LI Guru Member

    And you still can't ping 192.168.1.1? All seems fine with your log.

    Ensure your client is correctly set to accept the LAN push? I really don't know.
     
  5. 00_ren

    00_ren Serious Server Member

    Is there a particular reason you used TUN vs TAP? As if you had used TAP you would have an issue with routing. As TAP creates an Ethernet bridge with your local network, you wouldn't have an issue with routing.
     
  6. LeSilverFox

    LeSilverFox Network Guru Member

    :gfunkdave - I think I mentioned in my original post that I can ping 192.168.1.1 - but none of the other hosts on the same segment. And none of the hosts can ping the remote PC connecting to the VPN tunnel.

    :00_ren - I tried TAP but didn't help.

    Later today I will do a ping trace and will post the result - maybe that will help.
     
  7. Bird333

    Bird333 Network Guru Member

    I don't know but it sounds like you have a routing issue. Try to make rules that allow traffic between your lan and vpn subnets.
     
  8. LeSilverFox

    LeSilverFox Network Guru Member

    Finally success :) After nearly two weeks of going nuts over not being able to resolve this.

    My issue was with the client configuration file itself - I used an editor on the Mac that inserted 'strange' line breaks and other characters. And the OpenVPN client application I used on the Mac did not complain at all - it just took whatever it could understand.
    So yesterday I borrowed a Windows laptop to try to connect from that by using the OpenVPN client on Win7. This was when I had to open my config file with plain old "Notepad.exe" and realized the problem. After recreating the file it all went fine. Moved everything back to OS X and it's going just fine.

    Thanks for the help I received from here :) , it confirmed to me the server was running fine and made me dig at the client.
    I am a happy camper with the Toastman firmware - many thanks to all who contributed to make it happen.
     
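A small checker for the failure mode found in the last post, added here as an example (not code from the thread or from Tomato/OpenVPN): it flags CR line endings, a byte-order mark, non-breaking spaces and "smart" quotes that a GUI editor can slip into a .ovpn file and that a client may silently swallow, and it normalizes the file to plain ASCII with LF endings. The sample config is constructed for the demonstration.

```python
# Constructed sample: looks fine in a Mac editor, but carries a UTF-8 BOM,
# CRLF endings, a non-breaking space in "dev tun" and curly quotes.
SAMPLE_CONFIG = (
    "\ufeffclient\r\n"
    "remote xxxx.dyndns.org 1194\r\n"
    "dev\u00a0tun\r\n"
    "ca \u201cca.crt\u201d\r\n"
    "verb 4\r\n"
)

SUSPECT_CHARS = {
    "\ufeff": "UTF-8 byte-order mark",
    "\u00a0": "non-breaking space",
    "\u200b": "zero-width space",
    "\u201c": "left smart quote", "\u201d": "right smart quote",
    "\u2018": "left smart apostrophe", "\u2019": "right smart apostrophe",
    "\u2013": "en dash", "\u2014": "em dash",
}

def lint_openvpn_config(text):
    """Return (line_no, message) findings; line_no 0 means a file-level finding."""
    findings = []
    if "\r" in text:
        findings.append((0, "CR line endings present (file was saved as CRLF or CR)"))
    normalized = text.replace("\r\n", "\n").replace("\r", "\n")
    for no, line in enumerate(normalized.split("\n"), 1):
        for ch in line:
            if ch in SUSPECT_CHARS:
                findings.append((no, f"{SUSPECT_CHARS[ch]} (U+{ord(ch):04X})"))
            elif ord(ch) > 0x7E or (ord(ch) < 0x20 and ch != "\t"):
                findings.append((no, f"non-printable or non-ASCII character U+{ord(ch):04X}"))
    return findings

def clean_openvpn_config(text):
    """Normalize to LF endings, drop BOM/zero-width chars, straighten quotes."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = text.replace("\ufeff", "").replace("\u200b", "").replace("\u00a0", " ")
    for ch in "\u201c\u201d":
        text = text.replace(ch, '"')
    for ch in "\u2018\u2019":
        text = text.replace(ch, "'")
    return text

if __name__ == "__main__":
    for no, msg in lint_openvpn_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
    print(clean_openvpn_config(SAMPLE_CONFIG), end="")
```

Run it against the real client.ovpn by reading the file with `open(path, encoding="utf-8").read()` in place of SAMPLE_CONFIG; an empty findings list means the file contains nothing the client could misread.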