
OpenVPN Server on TomatoUSB firmware [Help]

Discussion in 'Tomato Firmware' started by Dr Strangelove, Sep 8, 2011.

  1. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    I'm attempting to configure an OpenVPN server on a Linksys E4200 with Toastman TomatoUSB firmware.

    My goals are to use a Linksys E4200 gateway with Tomato firmware as an OpenVPN server and have a Notebook using a Win7 client connect to my local LAN using the OpenVPN server on my E4200 router.

    Then, using this as a model, extend that service to my Android smart phone using a VPN client.

    This means creating a VPN to my local home network and allowing access to my local home NAS.

    Local LAN 172.16.64.0/24

    Local WAN 172.17.64.252/30

    NAS IP 172.16.64.10 (My NAS which is what I want to connect to and use)

    Router IP 172.16.64.254 (My E4200 gateway router)

    Have a dyndns name set up, and the ADSL2 modem sees the port being passed (NAT) as does the E4200. This is only via IP port test thus far.

    I have the following VPN Tunnel server configuration:

    Basic

    Start with WAN: Yes
    Interface Type: TUN
    Protocol: UDP
    Port: 1194
    Firewall Automatic: Automatic
    Authorization Mode: TLS
    Extra HMAC authorization (tls-auth): Disable
    VPN subnet/netmask: 172.16.63.0/24

    Advanced

    Poll Interval: 0 (in minutes, 0 to disable)
    Push LAN to clients: Yes
    Direct clients to redirect Internet traffic : n/a
    Respond to DNS : Yes
    Advertise DNS to clients: Yes
    Encryption cipher: AES-128-CBC
    Compression: Adaptive
    TLS Renegotiation Time: -1 (in seconds, -1 for default)
    Manage Client-Specific Options: n/a

    I have created the Key certification information as per OpenVPN instructions for a server, with the addition of three client key certificates.

    Now then, my first hurdle is that my OpenVPN client on Win7 is asking for a Username and Password.

    Where would I define that?

    Is this because I haven't pre-configured the client with client key certificate?

    Never done this before, but guess you knew that. :)

    Thanks for any help and hopefully I won't make this too painful.

    Just trying to avoid having to buy an OpenVPN book, as blogs and four-paragraph OpenVPN examples start with "configure your OpenVPN server, now that you have your server configured you should be able to connect..." etc.
     
  2. EOC_Jason

    EOC_Jason Networkin' Nut Member

    What OpenVPN client are you using? I've successfully used the one from: http://openvpn.net/index.php/open-source/downloads.html (Make sure you downloaded the community / open source version and NOT their commercial version)... Configuring it might be a little more difficult, I believe you have to edit the openvpn.conf file and put in all your settings, but clients aren't too difficult.

    Oh yes, one last note. On the Win7 client, be sure you start the OpenVPN client in "Run As Administrator"... Otherwise it can't add the necessary routes when it connects.

    I'll try to dig up my settings and more info for you later, but hopefully this will lead you in the right direction. I bet you downloaded the wrong OpenVPN software. ;)
     
  3. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    Thank you for your reply. Thought I may be flamed for attempting to be spoon-fed. :D

    Yes, the link you have provided is the one I'm using.
    And yes, I am aware of the administrator rights, but it's always good to be reminded.

    Just re-doing all my certificates again as I may have 'muffed' the previous ones.
    I have moved the 'client1' key certificates as I may be having 64bit path issues... maybe
     
  4. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Okay, here's how my config goes on my Win7 machine with the OpenVPN client...

    Start -> All Programs -> OpenVPN -> Shortcuts -> OpenVPN Configuration File Directory

    A window should popup with the directory C:\Program Files\OpenVPN\config

    Put all your certs/keys in that directory, naming them as appropriate... Mine are as follows:

    - ca.crt
    - client.crt
    - client.key
    - dh.pem
    - ta.key

    Create your client.ovpn file in that directory too... Here's what my file looks like:

    It's just a minimal config, and it worked for me so I didn't do any more tinkering.

    Now for the fun part...

    Right-Click -> Run As Administrator on the "OpenVPN GUI" (Should be installed by default on your desktop)

    A little icon should appear in the task tray... right click on it and choose "Connect". A window should pop up logging the progress of the connection. If it all works then that will disappear and a balloon will pop up saying you have connected and your vpn IP is x.x.x.x

    Good Luck! If it doesn't work then post back and we can start to do some debugging. ;)
     
  5. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    Dude, you're like Santa's like helper. Way cool. Thank you very much for your help.

    My problem was ... well, let's face it, I had no idea what I was doing. But hey, I'm almost there now.

    I had "Program Files" instead of "Program Files (x86)" in my client1.ovpn file on my client notebook. Doh!!!!!

    But now I can connect (or at least my OpenVPN GUI says I'm connected and the E4200 logging says my connection has been VERIFY OK). Now I just have to work out how to connect to my NAS :confused:

    When I check the Linksys E4200 router log file, I see a lot of IPv6 errors

    Sep 9 05:17:33 unknown daemon.warn openvpn[28629]: client1/nnn.227.nnn.nnn:54748 Need IPv6 code in mroute_extract_addr_from_packet
    Sep 9 05:17:33 unknown daemon.warn openvpn[28629]: client1/nnn.227.nnn.nnn:54748 Need IPv6 code in mroute_extract_addr_from_packet
    Sep 9 05:17:36 unknown daemon.warn openvpn[28629]: client1/nnn.227.nnn.nnn:54748 Need IPv6 code in mroute_extract_addr_from_packet
    Sep 9 05:17:36 unknown daemon.warn openvpn[28629]: client1/nnn.227.nnn.nnn:54748 Need IPv6 code in mroute_extract_addr_from_packet

    Not using IPv6, but maybe I left something switched on somewhere. Or it's an indicator I've mis-configured something.

    Just before I managed to connect I found the following URL which mirrors my config also to the letter... Doh! where was it when I needed it.

    http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
     
  6. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I *think* there are some separate IPv6 configuration lines for OpenVPN, however those errors look (to me at least) like certain IPv6 features weren't compiled into the OpenVPN build on the router....

    Now that you are connected, you should be able to connect to your NAS via its IP...

    \\172.16.64.10\share ???

    If you can't access your network where the OpenVPN server is, you might be missing some push statements (i.e. your client doesn't get the routes to your server network).
     
  7. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    True, we've both turned a page in the book and it's the same page. :)

    So ... routing.

    The routing table shows the IP network, but doesn't give me the next hop. I thought I'd be able to http://172.16.64.254/ onto the router.

    -----------------------------------------------------
    Fri Sep 09 06:31:05 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
    Fri Sep 09 06:31:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Sep 09 06:31:05 2011 LZO compression initialized
    Fri Sep 09 06:31:05 2011 UDPv4 link local: [undef]
    Fri Sep 09 06:31:05 2011 UDPv4 link remote: 209.51.75.139:1194
    Fri Sep 09 06:31:08 2011 [server] Peer Connection Initiated with 209.51.75.139:1194
    Fri Sep 09 06:31:10 2011 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{E546ED5D-77FD-4B0E-96BA-698756F81F9A}.tap
    Fri Sep 09 06:31:10 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.63.6/255.255.255.252 on interface {E546ED5D-77FD-4B0E-96BA-698756F81F9A} [DHCP-serv: 172.16.63.5, lease-time: 31536000]
    Fri Sep 09 06:31:15 2011 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=33]
    The requested operation requires elevation.
    Fri Sep 09 06:31:15 2011 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Fri Sep 09 06:31:15 2011 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=33]
    The requested operation requires elevation.
    Fri Sep 09 06:31:15 2011 ERROR: Windows route add command failed [adaptive]: returned error code 1
    Fri Sep 09 06:31:15 2011 Initialization Sequence Completed
    ---------------------------------------------------------------

    The login process in the client OpenVPN GUI does indicate routing errors.

    In my client1.ovpn I have the following:

    #This is the IP address scheme and subnet of your normal network your server is on. Your router would usually be 192.168.1.1
    route 172.16.64.0 255.255.255.0 vpn_gateway 3

    I wasn't sure about the vpn_gateway 3 in the route statement as it's not of my doing, but I did enter my local LAN my IP network just in case there was some magic at work.

    Just seems I'm not getting from network 172.16.63.4/30 to network 172.16.64.0/2

    Current Routing Table

    Destination     Gateway/Next Hop   Subnet Mask       Metric   Interface
    172.17.64.253   *                  255.255.255.255   0        vlan2 (WAN)
    172.16.63.2     *                  255.255.255.255   0        tun21
    172.17.64.252   *                  255.255.255.252   0        vlan2 (WAN)
    172.16.63.0     172.16.63.2        255.255.255.0     0        tun21
    172.16.64.0     *                  255.255.255.0     0        br0 (LAN)
    127.0.0.0       *                  255.0.0.0         0        lo
    default         172.17.64.253      0.0.0.0           0        vlan2 (WAN)

    Miscellaneous

    Mode: Gateway
    RIPv1 & v2: Disabled
    Efficient Multicast Forwarding: n/a
    DHCP routes: Yes
    Spanning-Tree Protocol: n/a
    --------------------

    It seems like there are two networks in play in the 172.16.63.0 network range, 172.16.63.0/30 and 172.16.63.4/30, both on interface tun21.

    Is it standard to put in a static route to the local LAN if one is not using a routing protocol?
    Not that keen on RIP even when it's version 2 with VLSM.
     
  8. kthaddock

    kthaddock Network Guru Member

    Do I need to generate this key, "tls-auth ta.key", at the same time as the other server keys, or is this a stand-alone key?

    # For extra security beyond that provided
    # by SSL/TLS, create an "HMAC firewall"
    # to help block DoS attacks and UDP port flooding.
    #
    # Generate with:
    # openvpn --genkey --secret ta.key
    #
    # The server and each client must have
    # a copy of this key.
    # The second parameter should be '0'
    # on the server and '1' on the clients.
    ;tls-auth ta.key 0 # This file is secret
     
  9. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I believe it's a stand alone key... It just needs to be the same on both the server & clients...
     
  10. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Dr. Strangelove - Did you right-click on the OpenVPN GUI icon and "run as administrator"? I believe you will get that error on Windows vista/7 if you don't....

    If that doesn't solve it...

    Do you have any push / route statements in the server config?

    Also, look in the VPN docs for "iroute" and "client-config-dir"
     
  11. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    Yerp, remember how I said, I know all about Administrator rights... Well, anyway, after I enabled the OpenVPN GUI as Administrator... there are no more Routing denied messages. ;)

    Fri Sep 09 11:59:48 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
    Fri Sep 09 11:59:48 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Sep 09 11:59:48 2011 LZO compression initialized
    Fri Sep 09 11:59:50 2011 UDPv4 link local: [undef]
    Fri Sep 09 11:59:50 2011 UDPv4 link remote: 209.51.75.139:1194
    Fri Sep 09 11:59:52 2011 [server] Peer Connection Initiated with 122.59.75.139:1194
    Fri Sep 09 11:59:55 2011 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{E546ED5D-77FD-4B0E-96BA-698756F81F9A}.tap
    Fri Sep 09 11:59:55 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.63.6/255.255.255.252 on interface {E546ED5D-77FD-4B0E-96BA-698756F81F9A} [DHCP-serv: 172.16.63.5, lease-time: 31536000]
    Fri Sep 09 11:59:55 2011 Successful ARP Flush on interface [33] {E546ED5D-77FD-4B0E-96BA-698756F81F9A}
    Fri Sep 09 12:00:00 2011 Initialization Sequence Completed

    Still can't get to the NAS yet, but still early days and more to read and look at and learn.
    As I just installed Toastman TomatoUSB-VPN firmware on a router for the first time a few days ago and I've never installed an OpenVPN server/client, I may need to take a few hours to review where I'm at and look at the routing information EOC_Jason has provided.

    Thanks again EOC_Jason, you've really been a boon and a wealth of information. ... I may be back. :D

    Update - All good. Think I'm going insane in the left brain. My NAS had some very clever IP network access lists. And yes you guessed it, it didn't include IP network 172.16.63.0/24

    So there was no additional routing required, in general access should be dynamically available (excluding access-lists/firewalls)

    My Windows7 library folders on my Notebook are now available both inside and from outside(internet) of my local LAN environment.
    For those interested, I use Zorn Software Win7 Library Tool to bind my NAS folders into the Win7 library structure via symbolic links. Works well on a stable NAS with fair/good bandwidth.

    OK. Now it's all working I have a template to work from.

    Anybody enabled a VPN on a Sony Ericsson X10i and attached to a QNAP NAS (With correct access-list) via an OpenVPN server on a Linksys E4200 router with TomatoUSB firmware?
    Just thought I be cheeky and ask... you never know.:D

    Update II - Android mobile phones generally only support IPSec and thus without a functional OpenVPN application an Android mobile is stuck without support in conjunction with a Tomato firmware VPN router.
     
  12. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Glad you got it working... Hopefully it wasn't too terribly difficult of an ordeal for ya... ;)

    VPNs are great for accessing remote networks, just don't expect super throughput with home routers, they simply don't have the CPU power.
     
  13. lancethepants

    lancethepants Network Guru Member

    If you're brave enough to root your phone, you can try out "OpenVPN Installer" and "OpenVPN Settings", both found in the Android Market. I've installed it with success on my phone, but your mileage may vary. I actually use CyanogenMod, a custom Android ROM, which conveniently has it built into the OS. I don't see any Sony supported devices for CyanogenMod, but there could possibly be other derivatives too.
     
  14. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    Yes, I saw OpenVPN on the Android app store and noted the rooted only for some features.
    I have an 'FTP' hole punched through my modem and router using NAT and PAT on known IP addresses. It's not pretty but gives my Android phone the required access.
    For completeness and security a VPN would be nice, but the rest of my Sony Ericsson X10i v2.3.3 does everything I require at the moment.
    And given my heart was in my mouth from just upgrading from Android v2.1 to v2.3 on supported firmware, I don't think I could handle rooting my phone (at the moment anyway).

    But thanks for investigating the option and at least we know it works on some phones.
     
  15. molnart

    molnart Networkin' Nut Member

    any word on making the OpenVPN client work?

    I have successfully set up a server on both of my routers and I can connect to them with the Windows OpenVPN client. However, when I attempt to start the OpenVPN client on the router, I immediately lose internet connection and the router becomes unresponsive (no ping reply). This happens on both of my routers. Basically what I did was enter the correct server address, choose the encryption type according to the server setting and enter all the certificates and the key. Do I need to tinker with the rest of the settings as well?
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    OpenVPN client in the firmware should work fine. You'll have to tinker with the other settings if they don't match the server already...
     
  17. EOC_Jason

    EOC_Jason Networkin' Nut Member

    +1 that it should work...

    Check your logfile as OpenVPN is pretty verbose in connections / configuration issues... You can also look at the configuration it generates from the GUI if you go to /tmp/etc/openvpn/...
     
  18. molnart

    molnart Networkin' Nut Member

    I am unable to check any logs, as I immediately lose connection to the router after attempting to start the client. I have double-checked the settings, everything on the client side seems to match the server settings. I have found a good tutorial on how to set up the server with a Windows client, do you happen to know about something like that for the in-router client? Maybe it could help more....
     
  19. EOC_Jason

    EOC_Jason Networkin' Nut Member

    My client is a WRT54GS running DD-WRT... I can post up both my server & client configs a little later today.
     
  20. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Okay, here's my settings (I'm using routed method):

    Network with the VPN Server: 192.168.88.0
    Network with the VPN Client: 192.168.10.0

    Server Settings in Tomato:
    - Start with WAN
    - TUN
    - UDP
    - Port 1194
    - Firewall: Automatic
    - Authorization Mode: TLS
    - tls-auth: Incoming (0)
    - VPN Subnet / Netmask: 10.10.10.0 / 255.255.255.0

    - Push Lan To Clients - Check
    - Compression - Disabled
    - Manage Client-Specific Options - Check
    - Allow Client<->Client - Check
    (In the table now visible from checking above box)
    -- client1 / 192.168.10.0 / 255.255.255.0

    Custom Config:
    ca /tmp/mnt/sda/openvpn/ca.crt
    cert /tmp/mnt/sda/openvpn/server.crt
    key /tmp/mnt/sda/openvpn/server.key
    dh /tmp/mnt/sda/openvpn/dh2048.pem
    tls-auth /tmp/mnt/sda/openvpn/ta.key 0
    ifconfig-pool-persist /tmp/mnt/sda/openvpn/ipp.txt
    ping-timer-rem
    persist-key
    persist-tun

    (Note: I have my certs/keys on a USB flash drive. You can also store them on a JFFS partition if you have room. I wouldn't store them in NVRAM as they eat a lot of space.) For the most part Tomato does an excellent job generating config files, firewall settings, routing, etc... You can lookup in the OpenVPN manual what the extra options do if you don't know.

    Client running DD-WRT:

    client
    dev tun0
    proto udp
    remote you.servername.org 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    mute 5
    ca /jffs/openvpn/ca.crt
    cert /jffs/openvpn/client1.crt
    key /jffs/openvpn/client1.key
    tls-auth /jffs/openvpn/ta.key 1
    tls-client
    ns-cert-type server
    remote-cert-tls server
    verb 3
    daemon
    float
     
  21. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    To debug your issue, be sure to remove any redirect-gateway ("Redirect Internet" in GUI) business. Get everything else working first before you try to add that. If you still lose connection, it's likely that you have a subnet conflict somewhere. All of the subnets must be unique unless you're explicitly bridging them. I recommend against doing that, but since I don't know your configuration, I don't know if that's what you're trying to do or not.
     
  22. molnart

    molnart Networkin' Nut Member

    Hi, I am using the settings as seen on the screenshots. Both of my routers are on the same subnet and their IP is 192.168.1.1, but I guess that shouldn't be the problem given the VPN subnet setting.... Any attempt to start the VPN client crashes the router...

    (Attached screenshots: server_basic.png, server_advanced.png, client_basic.png, client_advanced.png)
     
  23. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That actually is a problem. They need to be on different subnets when using TUN.
     
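    A sanity check for the routed (TUN) setup EOC_Jason posted (#20), the tls-auth direction question (#8/#9) and SgtPepperKSU's point that both routers must sit on distinct subnets (#21/#23), added here as an example and not code from Tomato, OpenVPN or anyone in the thread. It assumes you paste in the config text Tomato generates under /tmp/etc/openvpn/ together with the LAN subnets behind each router; the sample configs in the block are constructed, modelled on the values in the thread.

```python
"""Sanity checks for a routed (TUN) OpenVPN link between two routers.

Added example for this thread (not Tomato/OpenVPN code).  Reports the three
mistakes the thread ran into: identical LAN subnets on both routers (which
took molnart's client router offline), tls-auth direction not being 0 on
the server / 1 on the client, and a client LAN listed for client-specific
options without a matching iroute.
"""
import ipaddress


def parse_directives(conf):
    """Yield (directive, args) from OpenVPN config text; '#' and ';' start comments."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def tls_auth_direction(conf):
    """Key-direction argument of tls-auth (0 or 1); None if absent or not given."""
    for directive, args in parse_directives(conf):
        if directive == "tls-auth" and len(args) > 1 and args[1] in ("0", "1"):
            return int(args[1])
    return None


def to_network(text):
    """Accept 'a.b.c.d/24' or OpenVPN-style 'a.b.c.d m.m.m.m'."""
    return ipaddress.ip_network(text.strip().replace(" ", "/"), strict=False)


def subnet_conflicts(named):
    """named: {label: subnet text}. Return conflicts between any two subnets."""
    nets = {label: to_network(s) for label, s in named.items()}
    labels = list(nets)
    problems = []
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a] == nets[b]:
                problems.append(f"{a} and {b} are both {nets[a]}; TUN needs distinct subnets")
            elif nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def check_site_to_site(server_conf, client_conf, server_lan, vpn_subnet, client_lans, ccd):
    """client_lans: {client name: its LAN}; ccd: {client name: client-config-dir file text}."""
    problems = subnet_conflicts({"server LAN": server_lan, "VPN subnet": vpn_subnet,
                                 **{f"LAN of {c}": lan for c, lan in client_lans.items()}})
    s_dir, c_dir = tls_auth_direction(server_conf), tls_auth_direction(client_conf)
    if (s_dir, c_dir) != (0, 1):
        problems.append(f"tls-auth direction is {s_dir} on server, {c_dir} on client; expected 0 and 1")
    for client, lan in client_lans.items():
        iroutes = [to_network(" ".join(args))
                   for d, args in parse_directives(ccd.get(client, "")) if d == "iroute"]
        if to_network(lan) not in iroutes:
            problems.append(f"no iroute for {lan} in the client-config-dir file of {client}")
    return problems


# Constructed sample, modelled on EOC_Jason's post: server LAN 192.168.88.0/24,
# client1's LAN 192.168.10.0/24, VPN pool 10.10.10.0/24, tls-auth 0 / 1.
SERVER_CONF = """
server 10.10.10.0 255.255.255.0
client-config-dir ccd
tls-auth /tmp/mnt/sda/openvpn/ta.key 0
push "route 192.168.88.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
"""
CLIENT_CONF = "client\ndev tun0\ntls-auth /jffs/openvpn/ta.key 1   # 1 on clients\n"
CCD = {"client1": "iroute 192.168.10.0 255.255.255.0\n"}

if __name__ == "__main__":
    good = check_site_to_site(SERVER_CONF, CLIENT_CONF, "192.168.88.0/24", "10.10.10.0/24",
                              {"client1": "192.168.10.0/24"}, CCD)
    # molnart's case: both routers on 192.168.1.0/24, no tls-auth, no iroute.
    bad = check_site_to_site("server 10.8.0.0 255.255.255.0", "client", "192.168.1.0/24",
                             "10.8.0.0/24", {"client1": "192.168.1.0/24"}, {})
    print("good:", good or "no problems")
    print("bad:", *bad, sep="\n  ")
```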
  24. molnart

    molnart Networkin' Nut Member

    Thanks for the tip, putting the server on a different subnet solved the problem of the crash. Now I have the server and client running and connected, but there is one remaining issue: I still can't see the files shared on the server on the client (in the network neighborhood).

    When looking in the server logs i see the following message:
    Code:
    Sep 28 19:22:01 RT-N16 daemon.err nmbd[2629]: There is already a domain master browser at IP 192.168.1.1 for workgroup WORKGROUP registered on subnet UNICAST_SUBNET.
    The server is on the 192.168.0.1 subnet, the client on 192.168.1.1

    Thanks again
     
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Using TUN, the computers won't show up directly in Network Neighborhood. This is because discovery of other computers in your "neighborhood" relies on broadcast communication, which doesn't span subnets. You can still access the windows shares by going directly to that computer, though (eg, "//192.168.1.108/"). I believe you can also set up a WINS server to make computers show up in your network neighborhood across subnets, but that's probably overkill for your situation.

    Alternatively, you could use TAP and have both sides on the same subnet (but using none of the same addresses!). But, beware! This brings a whole set of new, harder-to-conquer, problems.

    The easiest way is to accept that if the computer is not locally on your subnet, it's not in your "neighborhood". You can still access and connect to that computer just the same, but it won't be listed in the list of computers in Network Neighborhood.

    Make sense?
     
  26. molnart

    molnart Networkin' Nut Member

    I don't want to access the shares on a computer connected to the server, but the shares on the server itself (attached USB drive). So the IP address is the IP address of the server (192.168.0.1), which takes me to the web UI and not the file shares.
     
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think I understand the question. Everything ip-based should work. Could you describe your network topology (addresses and subnets)?
     
  28. molnart

    molnart Networkin' Nut Member

    OK, so it looks like the following:

    Server:
    Asus RT-N16 on 192.168.0.1 with the following devices connected:
    - 80 GB USB HDD (the one i want to access)
    - a notebook on 192.168.0.20

    Client:
    Asus WL-500gP on 192.168.1.1
    - connected desktop on 192.168.1.20

    I want to access the share on the server from the desktop connected to the client. Now, as I can't see anything in the net neighborhood, I assumed I need to enter the IP of the server (192.168.0.1) to see the share. I also assume that if I wanted to access the shares on the notebook connected to the client, I would need to enter its address (192.168.0.20). But entering 192.168.0.1 takes me to the Tomato web interface instead of the file share.
     
  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You assumed right. You'll need to enter the IP addresses. But, it sounds like you're trying to visit it as a web page, so it's opening the data provided by the web server running at that IP address.

    Notice the format I provided before; to get to the shares at 192.168.0.1, you'll enter "\\192.168.0.20\". I'm guessing you went to a web browser and entered something like "http://192.168.0.20/".

    You can enter that in Start->Run, Windows Explorer, or even Internet Explorer I believe (pretty much anywhere that can open a folder). You can even set it up in "My Network Places" so you don't have to type it in every time.

    Make sense?
     
  30. ppmoore

    ppmoore Reformed Router Member

    Excellent thread. Lots of hints here.

    I have one extra question. What can you do if access to the windows share you are trying to open across the VPN tunnel is protected with a password? Is there any way to get access to the share. I get the pop-up window
    "Windows cannot access \\192.168.101.100\home-video
    You do not have permission to access \\192.168.101.100\home-video. Contact your network administrator..."

    I'm trying to get access from a domain-based Windows7 computer at work, to a workgroup-based Windows7 computer attached to my home LAN behind my tomato-based router.

    Many thanks
     
  31. bhall7

    bhall7 Addicted to LI Member

    Sometimes, you can map a network drive letter and there is an option that allows you to connect using a different set of credentials. Try that and see if that helps. Sometimes, if it's a workgroup machine, you'll have to enter the username as MACHINENAME\username.
     
