
OpenVPN Server2 Fail (w/workaround) on Shibby 1.28

Discussion in 'Tomato Firmware' started by soapee01, Jan 24, 2013.

  1. soapee01

    soapee01 Networkin' Nut Member

    This may only apply to the Asus RT-N16, and maybe there's already a proper fix somewhere...

    It is possible to have two servers running. For one client, we configured server1 as a tap server for the WAN with 2 other Tomato routers as clients, and server2 as a tun server for remote clients (who do not get access to the WAN; besides, TAP is a pain to configure on Windows anyhow).

    Unfortunately, the settings do not configure properly for server2. Namely, the server certificate is not saved, no matter how many times you enter it, and the custom configuration is not saved either. Consequently the openvpn.conf file doesn't get the cert server.crt line. Here's a procedure that I thought I'd share in case it helps somebody else as a workaround. A USB flash drive is required (jffs seems to break the WAN for me; no idea why). I did look over the code, but not being very well versed with nvram settings or the Tomato source code itself, nothing jumped out at me...


    The server certificate is saved in /opt/openvpn/server2.crt (flash drive). The cru command, added as a WAN Up script in the Tomato GUI, sets a cron job that calls the script /opt/openvpn/fix_server2.sh every minute. Once the script sees that OpenVPN is available, it changes the configuration and starts OpenVPN server2. Then it deletes the cron job so it shouldn't waste any further resources.

    If OpenVPN server2 ever crashes, you will have to reboot the router. I'm about out of nvram, so I'm saving that for other stuff instead of another cron job to monitor it.

    Administration -> Scripts -> WAN Up
    Add the following to the end:
#fix openvpn server2
cru a fixvpnserver2 "*/1 * * * * /opt/openvpn/fix_server2.sh"
    Open an ssh terminal to the router, and paste the following into the terminal (the heredoc delimiter is quoted so that nothing inside the script is expanded while the file is written, and the closing DELIM line must start in column 0):
mkdir -p /opt/openvpn
cat > /opt/openvpn/fix_server2.sh <<'DELIM'
#!/bin/sh
#location: /opt/openvpn/fix_server2.sh
#cron echo "*/1 * * * * /opt/openvpn/fix_server2.sh #fixvpn#" >> /tmp/var/spool/cron/crontabs/root
#add to cron
#add the next line to your wan startup script... minus the #
# cru a fixvpnserver2 "*/1 * * * * /opt/openvpn/fix_server2.sh"
#openvpn2 is busted.  won't save server cert connection.
#manually added via ssh, does not persist.  Also server2 config.ovpn will
#not show link to server cert.
if [ -e /etc/openvpn/server2/config.ovpn ]; then
        #openvpn has started. let's set up server2
        if grep "cert server.crt" /etc/openvpn/server2/config.ovpn > /dev/null; then
                echo "server2 openvpn settings have already been fixed."
                logger "[/opt/openvpn/fix_server2.sh] server2 openvpn settings have already been fixed."
        else
                echo "cert server.crt" >> /etc/openvpn/server2/config.ovpn
                #every tweak seems to remove server.crt as well.
                cp /opt/openvpn/server2.crt /etc/openvpn/server2/server.crt
                logger "[/opt/openvpn/fix_server2.sh] server2 openvpn settings have BEEN CORRECTED."
                echo "server2 openvpn settings have been CORRECTED."
                /etc/openvpn/vpnserver2 --cd /etc/openvpn/server2 --config config.ovpn
        fi
        #delete the cronjob (in either case, so it does not keep firing every minute).
        cru d fixvpnserver2
fi
DELIM
chmod 700 /opt/openvpn/fix_server2.sh
    Now you need to save the server certificate that was generated wherever you configure OpenVPN certs and keys. In an ssh session, paste your certificate into the following file (use i to get to insert mode, and right-click in PuTTY to paste):
vi /opt/openvpn/server2.crt
    Reboot your router. The VPN interface should be available after about 2 minutes.
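    The fix script above only greps for one line. As an added example (not code from the post or from Tomato), here is a pre-start check that generalizes that idea: before launching a server with --cd DIR --config config.ovpn, confirm that each file-referencing directive is present and that the file it names exists relative to the --cd directory. The directive list (ca, cert, key, dh) is an assumption for this check; the demo config at the bottom is constructed to reproduce the thread's symptom (no cert line) and never touches /etc/openvpn.

```sh
#!/bin/sh
# Added example, not from the original post or the Tomato firmware.
# check_openvpn_files CONFIG DIR
#   Prints one line per problem. Returns 0 when every directive in the
#   assumed list is present and its file exists, 1 if any problem was
#   found, 2 if CONFIG itself is unreadable.
check_openvpn_files() {
    conf="$1"; dir="$2"; rc=0
    [ -r "$conf" ] || { echo "config not readable: $conf"; return 2; }
    for d in ca cert key dh; do
        # first line whose first word is the directive (commented lines start
        # with '#', so they never match); take its argument
        f=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$f" ]; then
            echo "missing directive: $d"
            rc=1
            continue
        fi
        # relative paths are resolved against the --cd directory
        case "$f" in
            /*) p="$f" ;;
            *)  p="$dir/$f" ;;
        esac
        if [ ! -f "$p" ]; then
            echo "$d refers to missing file: $p"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed config: ca, key and dh are present, cert is not.
demo_dir=$(mktemp -d)
printf 'port 1194\nproto udp\ndev tun\nca ca.crt\nkey server.key\ndh dh.pem\n' > "$demo_dir/config.ovpn"
touch "$demo_dir/ca.crt" "$demo_dir/server.key" "$demo_dir/dh.pem"
check_openvpn_files "$demo_dir/config.ovpn" "$demo_dir"   # prints: missing directive: cert
echo "exit status: $?"
rm -rf "$demo_dir"
```

    Run it as `check_openvpn_files /etc/openvpn/server2/config.ovpn /etc/openvpn/server2 || exit 1` in front of the vpnserver2 line to refuse to start a server whose material is incomplete, instead of discovering it from OpenVPN's own error later.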
  2. gfunkdave

    gfunkdave LI Guru Member

    Probably running out of NVRAM.
  3. soapee01

    soapee01 Networkin' Nut Member

    Very probable. The next logical question is why certs are stored in nvram and not flash. My server.crt is 3.9k, the key is 887 bytes, the ca.crt 1224 bytes, and dh is 245. Total is 6,246 bytes (times 2). That's an awful lot of wasted space when you're limited to 32k.
  4. jerrm

    jerrm Network Guru Member

    The only method Tomato has for writing to flash on demand is jffs, which has to be manually enabled, and even then may not be usable in some build/router combos.

    The GUI for the most part tries to keep everything in nvram because it is the only universally available storage. For the most part this is a good choice, but certs are one area that cry out for custom paths to be an option. It could be as simple as checking whether the entered value is a valid file and, if so, using it.
  5. cerberii

    cerberii New Member Member

    Don't listen to this guy. He's crazy. No need to set up some crazy script. Set in advanced options:

    ca /opt/openvpn/ca.crt
    ETC ETC..
    No need to put certs in nvram.
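    Both jerrm's suggestion (treat the entered value as a file path when it is one) and cerberii's workaround (point the ca/cert/key directives at files on the flash drive from the custom config) come down to the same decision. As an added example, not code from Tomato or from anyone in this thread, here is a small POSIX sh helper that makes that decision for one GUI field: if the value is an existing readable file, it is used as the path; if it looks like inline PEM text, it is written to a staging file with a restrictive mode and that path is used; anything else is rejected. The staging directory and the sample PEM body are assumptions constructed for the demo (the sample is not a real certificate).

```sh
#!/bin/sh
# Added example, not from Tomato or the original thread.
# Staging directory for inline material (assumption; override via environment).
STAGE_DIR="${STAGE_DIR:-/tmp/openvpn-stage}"

# is_pem_text VALUE -> 0 if VALUE carries a PEM block, 1 otherwise
is_pem_text() {
    case "$1" in
        *"-----BEGIN "*"-----END "*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_directive NAME VALUE
#   Prints "NAME PATH" where PATH is VALUE itself when VALUE is an existing
#   readable file, or a staging file VALUE's PEM text was written to.
#   Prints nothing and returns 1 when VALUE is neither.
cert_directive() {
    name="$1"; value="$2"
    if [ -f "$value" ] && [ -r "$value" ]; then
        printf '%s %s\n' "$name" "$value"
        return 0
    fi
    if is_pem_text "$value"; then
        mkdir -p "$STAGE_DIR" || return 1
        out="$STAGE_DIR/$name.pem"
        # write key material with mode 0600 from the start (umask only
        # affects the subshell)
        ( umask 077; printf '%s\n' "$value" > "$out" ) || return 1
        printf '%s %s\n' "$name" "$out"
        return 0
    fi
    return 1
}

# Constructed sample: PEM-shaped text, deliberately not a real certificate.
SAMPLE_CA='-----BEGIN CERTIFICATE-----
CONSTRUCTEDSAMPLENOTAREALCERTIFICATE
-----END CERTIFICATE-----'

# Demo: a path that exists is passed through; inline text gets staged.
cert_directive ca /etc/hosts            # prints: ca /etc/hosts
cert_directive ca "$SAMPLE_CA"          # prints: ca /tmp/openvpn-stage/ca.pem
cert_directive ca "not a file, not PEM" || echo "rejected"
```

    The same function serves cerberii's layout unchanged: with the certificate already at /opt/openvpn/ca.crt, `cert_directive ca /opt/openvpn/ca.crt` simply emits that directive, and no copy of the material has to live in nvram.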
