
OpenVPN functionality

Discussion in 'Tomato Firmware' started by Delta221, Sep 20, 2009.

  1. Delta221

    Delta221 Addicted to LI Member

    Why does TAP mode with static key authorization mode require both the client and server to have the same subnet, when running the OpenVPN client? I am curious because I have always known this to be the opposite.

    Second, I wanted to run static key with one-way HMAC. It needs the following string in the server config:
    secret static.key 0
    How can I do this? When starting a server, "secret static.key" is automatically provided in the server configuration.

    Thank you
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It shouldn't require it, unless you're going to bridge the interface.
    Have you tried adding it to your custom configuration? I don't know if it'll override the other "secret" line. I wasn't aware of that option. Perhaps I'll add it to a future version.
  3. Delta221

    Delta221 Addicted to LI Member

    I also run an openvpn server on my router, and the clients which connect from the internet are all on different LAN subnets (such as x.x.3.0, x.x.50.0). Is it different when running a client from a TomatoVPN router? I imagine it is more difficult, though I assumed it was still possible.

    I'm trying to set up a client in TAP mode right now. When unchecking the "Server is on the same subnet" box, two additional rows come up:
    Create NAT on tunnel, Tunnel address/netmask. Am I supposed to set the remote LAN subnet in the tunnel address row, different from my own? When I do, and try to save, it tells me my address is invalid.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You need to put the IP that this client will use, not the subnet.
  5. Delta221

    Delta221 Addicted to LI Member

    Thanks for the information. We are on two different subnets and it appears to be working very well. At first it was not connecting; I was able to fix it after recalling the changes with comp-lzo and the GUI between build 3.3 (which is on the server router) and 3.4 (my router as client).

    Is there a way to make sure nothing gets sent over the link unless it is directed? I just used an online bandwidth tester and my down/upstream is still the same, so I'm guessing no data is being redirected (as I unchecked the redirect box), or else my download speed would be much, much lower... Traceroute doesn't show the VPN server either. How can I make sure DNS is not being sent over? My /etc/resolv.dnsmasq is still the same. Is there anything else I should check?

    Also, the server's network has been pushed to me OK, though the server's network can't see my network. I have tried adding a route to the server configuration, though it does not work. What else should I add?

    Thanks for your help.
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, that's it. Without checking the DNS and/or redirect options, it won't be going through the tunnel.
    TAP+Static-key is the worst combination as far as ease of administration for this type of thing. That's why I always suggest people use TUN+TLS unless they have a specific reason not to.

    But, what it comes down to is unchecking the NAT checkbox on the client, and adding the route to the server.
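Concrete configs for what posts 2 and 6 describe (the `secret static.key 0` direction line, and a server-side `route` with NAT switched off on the client so the server's LAN can reach the client's LAN), as an added example that is not from the thread, from Tomato or from the OpenVPN project. The hostname, subnets, tunnel addresses and file names are assumptions for illustration; the checks at the end catch the mismatches that make a static-key tunnel fail to come up.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato/OpenVPN: writes a
# matching server/client pair of OpenVPN static-key configs with an explicit
# key direction plus a site-to-site route, then checks the pair for the
# mismatches that break static-key tunnels. Hostname, subnets, tunnel
# addresses and file names are assumptions for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate the shared key once and copy it to both ends out of band:
#   openvpn --genkey --secret static.key

write_configs() {
    # Server end (assumed LAN 192.168.3.0/24): key direction 0.
    cat > "$WORKDIR/server.conf" <<'EOF'
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret static.key 0
# let the server's LAN reach the client's LAN (assumed 192.168.50.0/24);
# the client must not NAT its LAN behind the tunnel address for this to work
route 192.168.50.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
EOF
    # Client end: the mirror image, key direction 1.
    cat > "$WORKDIR/client.conf" <<'EOF'
dev tun
proto udp
remote vpn.example.net 1194
ifconfig 10.8.0.2 10.8.0.1
secret static.key 1
route 192.168.3.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
EOF
}

# Print the direction argument of the last "secret" line in a config
# ("none" when the line carries no direction or is absent).
secret_direction() {
    awk 'BEGIN { d = "none" } $1 == "secret" { d = ($3 == "" ? "none" : $3) } END { print d }' "$1"
}

# Check a server/client pair: directions must be 0/1 (or omitted on both),
# the dev type must match, and comp-lzo must be on or off on both ends.
# Prints "ok" and returns 0, or prints the first mismatch and returns 1.
check_pair() {
    s="$1"; c="$2"
    sdir=$(secret_direction "$s"); cdir=$(secret_direction "$c")
    case "$sdir/$cdir" in
        0/1|1/0|none/none) ;;
        *) echo "key direction mismatch: server=$sdir client=$cdir"; return 1 ;;
    esac
    sdev=$(awk '$1 == "dev" { print $2 }' "$s")
    cdev=$(awk '$1 == "dev" { print $2 }' "$c")
    [ "$sdev" = "$cdev" ] || { echo "dev mismatch: server=$sdev client=$cdev"; return 1; }
    sl=$(grep -c '^comp-lzo' "$s" || true)
    cl=$(grep -c '^comp-lzo' "$c" || true)
    [ "$sl" = "$cl" ] || { echo "comp-lzo mismatch: server=$sl client=$cl"; return 1; }
    echo ok
}

write_configs
check_pair "$WORKDIR/server.conf" "$WORKDIR/client.conf"
```

The direction argument makes OpenVPN use different halves of the 2048-bit static key for each direction's cipher and HMAC keys instead of the same keys both ways, which is the "one-way HMAC" the first post asks about; the two ends must then use opposite directions, or neither, which is what `check_pair` verifies. In the Tomato GUI the line can go into the custom configuration box as post 2 suggests; OpenVPN 2.1 and later also accept a separate `key-direction 0` line that does not repeat `secret`, but whether the firmware's bundled OpenVPN is new enough for that is an assumption to check on the router.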
  7. Delta221

    Delta221 Addicted to LI Member

    To make things simple, I changed both subnets to the same, and all appears to be working... Weird behaviour from wifi clients who use both networks, so I will restrict every wifi client to its own router.

  8. Delta221

    Delta221 Addicted to LI Member

  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting! Thanks for posting a link. I had no idea about concatenating two static key files together.
