Out of NVRAM on RT-N16 Shibby build

Discussion in 'Tomato Firmware' started by Braveheart7, Dec 4, 2013.

  1. Braveheart7

    Braveheart7 Reformed Router Member

    Experts,

    Please forgive me if this has been addressed before. I have been researching the web on this prior to posting this. I have an RT-N16 running Tomato Firmware 1.28.0000 MIPSR2-114 K26 USB AIO Shibby Build. I have also tried other versions of Shibby's build and run into the same issue. After a period of time, I get messages saying I am out of NVRAM. I have 8 wired clients and up to 10 wifi clients at any given time. I also use OpenVPN server and client with this setup. Can you guys tell me what I need to do to avoid this issue?

    BTW, whenever I clear NVRAM and start fresh I am not loading a previous config file. I have been setting it all up again from scratch.
     
  2. kthaddock

    kthaddock Network Guru Member

    Just put your client/server certs in usb-memory, then you have plenty of space.

     
    Last edited: Dec 4, 2013
    philess and Braveheart7 like this.
  3. Braveheart7

    Braveheart7 Reformed Router Member

    Thanks. Can you give me some steps for that? I assume this means I need a flash drive plugged into the back of the router.
     
  4. jerrm

    jerrm Network Guru Member

    With an RT-N16 you should have enough useable flash to enable JFFS and not need USB. Just enable JFFS from the Administration menu and store the files under the /jffs folder. Warning though - jffs has to be disabled and erased anytime you upgrade firmware, so keep a backup.
     
    Braveheart7 likes this.
  5. Braveheart7

    Braveheart7 Reformed Router Member

    OK. Thanks for sharing that. I suppose the USB method would still maintain them during a flash or nvram reset?

    On a side note... I am setting up a WRT54GL with tomato+vpn on that for a friend. I assume the jffs will not be possible. I know it does not have USB. Guess I am wondering how he will not run into the same issue.
     
  6. kthaddock

    kthaddock Network Guru Member

    Putting your certs in JFFS is not recommended due to limited lifetime in ram, read/write. You can replace usb memory but you can't replace ram memory.
     
  7. jerrm

    jerrm Network Guru Member

    Sorry, but that is being paranoid. Worrying about wearing out flash for a minimal and essentially read only application is nonsense. The chips are rated for tens to hundreds of thousands of cycles.

    Even cutting the low end number in half to 5000 cycles and ignoring wear leveling, he could change keys daily and still have 10+ years of life. Any number of components are likely to wear out first.

    I wouldn't save my multi-megabyte, multiple writes per second logs to jffs, but wearing the flash out will not be an issue for anything mostly static like key storage.
     
    Goggy likes this.
  8. jerrm

    jerrm Network Guru Member

    Yes - that and more capacity (if you need it) are the biggest advantages of USB. Disadvantage: if the router is not physically secure, someone can pull the USB drive and copy the data. Probably not an issue for a home router.
     
  9. Braveheart7

    Braveheart7 Reformed Router Member

    OK. I understand the validity of storing them in JFFS or USB. And I understand the cons of each. Thanks guys!

    What I do not understand is how to access those spaces to store the files?

    KTHaddock - I can connect a usb stick to the back and have tomato mount it. But what do I do from there? Is there any other config in tomato I need to do? Or do I just browse to my usb stick and drop the files in the root of it and start my openvpn server? I doubt it is that easy.

    Jerrm - On a windows 7 client, how do I access the jffs space so I can place the files there?

    Thanks guys for the tips, knowledge, and assistance!
     
  10. Goggy

    Goggy Network Guru Member

    One way (my preferred way) is to connect via WinSCP using scp as protocol. SSH Daemon (Administration / Admin Access) has to be enabled - imho on shibby-builds it's enabled by default ...
     
    jerrm likes this.
  11. jerrm

    jerrm Network Guru Member

    Agree WinSCP is probably easiest/preferred. You could also enable ftp or samba. Or for keys, just "echo" the text to a file under Tools->System or the command line.
     
  12. quihong

    quihong Serious Server Member

  13. mstombs

    mstombs Network Guru Member

    We have discussed the poor cfe config Asus used to only allocate 32kB for NVRAM in the N16 many times. They managed to increase it to 64kB in the N66u eventually - but it's likely both write 128kB on each NVRAM commit.

    I prefer a cheap external USB stick; it has the advantage that it survives firmware upgrades, whereas a jffs partition gets trashed if the new firmware is bigger than the previous.

    Discussions with easytomato (on RT-N16) point out that use of internal jffs would be better for security - but what we really need is a decent size jffs located well away from firmware that can be autocreated if not exist but preserved on firmware upgrades.
     
  14. Almaz

    Almaz Serious Server Member

    Another option: you can always download them using the "wget" command into RAM, of which you have more than plenty. Put them on FTP, DropBox, a website or anywhere else. Also, for security reasons you can always encrypt them and decrypt them on the router. Plenty of options.
     
  15. leandroong

    leandroong Addicted to LI Member

    In my RT-N56U, padavan fw, there is an "Automatic I/O RAM Caches Reclaim:" option, for which you can select from 3 options:
    1. 70% RAM
    2. 50% RAM
    3. none

    I set mine to 70% RAM. Maybe something like this is missing in tomato FW
     
  16. Braveheart7

    Braveheart7 Reformed Router Member

    Forgive my late reply... I have had some major health issues in my family. And the holidays... I'm sure y'all understand.

    So I am trying to do the USB method. (Please bear in mind I was brainwashed with Windows and have very little, self-taught Linux experience.)


    Here is my attempt at setting the USB method up. Please correct my mistakes...


    • I formatted a 2gb usb stick in Windows as FAT32. In the root of the stick I created an openvpn/server directory.
    • I then copied my ca.crt, dh1024.pem, "my-server".crt, and "my-server".key onto the stick in the Openvpn\Server directory. I do not have a "ta.key" file. And I was not using a "ta.key" file before.
    • I then plugged in my usb to the back of the router and went to the USB and NAS page in Tomato
    • At the bottom of the page it says:
    Attached Devices

    Type=Storage

    Host=1

    Description=SanDisk U3 Cruzer Micro Partition 'sda1' vfat (1,955.79 MB / 1,955.75 MB free) is mounted on /tmp/mnt/sda1

    Mounted?=Yes

    • Then I scrolled up to the section titled “Run after mounting” and entered the following:

    ca /mnt/openvpn/server/ca.crt

    dh /mnt/openvpn/server/dh1024.pem

    cert /mnt/openvpn/server/your-server.crt

    key /mnt/openvpn/server/your-server.key

    • After that, I went to start the server and it will not start.

    Obviously I am not getting it. Can someone please help me learn this better?
     
  17. kthaddock

    kthaddock Network Guru Member

    What openvpn message did you get in the log file?

    This must be in Custom config in openvpn server.
     
    Braveheart7 likes this.
  18. Braveheart7

    Braveheart7 Reformed Router Member

    When I try to start it says: Server is not running or status could not be read

    I have this in the custom config exactly as it is shown below (except for the x's that have my custom name)
    ca /mnt/openvpn/server/ca.crt
    dh /mnt/openvpn/server/dh1024.pem
    cert /mnt/openvpn/server/XXXXXXXXX-Server.crt
    key /mnt/openvpn/server/XXXXXXXXX-Server.key

    Here is the last 25 lines in the log:
    Jan 7 17:31:17 unknown user.notice kernel: klogd: exiting
    Jan 7 17:31:17 unknown syslog.info syslogd exiting
    Jan 7 17:31:39 unknown syslog.info syslogd started: BusyBox v1.21.1
    Jan 7 17:31:39 unknown user.notice kernel: klogd started: BusyBox v1.21.1 (2013-10-19 11:20:13 CEST)
    Jan 7 17:33:05 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jan 7 17:33:05 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jan 7 17:34:04 unknown user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Jan 7 17:34:04 unknown user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Jan 7 17:34:04 unknown user.info kernel: device tap21 entered promiscuous mode
    Jan 7 17:34:04 unknown user.info kernel: br0: port 3(tap21) entering forwarding state
    Jan 7 17:34:04 unknown daemon.notice openvpn[21195]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 19 2013
    Jan 7 17:34:04 unknown daemon.warn openvpn[21195]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
    Jan 7 17:34:04 unknown daemon.err openvpn[21195]: Cannot open /mnt/openvpn/server/dh1024.pem for DH parameters: error:02001002:lib(2):func(1):reason(2): error:2006D080:lib(32):func(109):reason(128)
    Jan 7 17:34:04 unknown daemon.notice openvpn[21195]: Exiting due to fatal error
    Jan 7 17:36:20 unknown user.info init[1]: VPN_LOG_ERROR: 603: Adding tunnel interface to bridge failed...
    Jan 7 17:36:20 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jan 7 17:36:20 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jan 7 17:36:54 unknown user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Jan 7 17:36:54 unknown user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Jan 7 17:36:54 unknown daemon.notice openvpn[21262]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 19 2013
    Jan 7 17:36:54 unknown daemon.warn openvpn[21262]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
    Jan 7 17:36:54 unknown daemon.err openvpn[21262]: Cannot open /mnt/openvpn/server/dh1024.pem for DH parameters: error:02001002:lib(2):func(1):reason(2): error:2006D080:lib(32):func(109):reason(128)
    Jan 7 17:36:54 unknown daemon.notice openvpn[21262]: Exiting due to fatal error
    Jan 7 17:36:54 unknown user.info kernel: device tap21 entered promiscuous mode
    Jan 7 17:36:54 unknown user.info kernel: br0: port 3(tap21) entering forwarding state

    Did I set up the USB wrong? Should the custom config just start with /mnt or just mnt? Not sure what I've done wrong.

    Thanks for the help.
     
  19. gfunkdave

    gfunkdave LI Guru Member

    If the stick is mounted in /tmp/mnt/sda1 then in VPN Tunneling->Advanced for the relevant server/client you need:

    ca /mnt/sda1/openvpn/server/ca.crt
    dh /mnt/sda1/openvpn/server/dh1024.pem
    cert /mnt/sda1/openvpn/server/your-server.crt
    key /mnt/sda1/openvpn/server/your-server.key

    In other words, don't forget the sda1. :)
     
    Braveheart7 likes this.
  20. Braveheart7

    Braveheart7 Reformed Router Member

    Thanks! I hope this helps someone else besides just me.

    Tomato says: Description=SanDisk U3 Cruzer Micro Partition 'sda1' vfat (1,955.79 MB / 1,955.75 MB free) is mounted on /tmp/mnt/sda1

    So should I also add the /tmp?
     
  21. Mate Rigo

    Mate Rigo Serious Server Member

    Yes, and you may also need to set permissions on them. But we'll come back to that if this step didn't work out.

    Edit: here is a similar thread: http://www.linksysinfo.org/index.php?threads/nvram-32k-size-error-with-openvpn-use-jffs.36950/

    To chmod your files, go to Tools/System menu on the tomato admin page, and write:
    chmod -R 755 /tmp/mnt/sda1/openvpn/
    Then click on the execute button.

    Assuming, of course, that your files are located there.
    To see if they really are there, do this:
    cat /tmp/mnt/sda1/openvpn/ca.crt
    After clicking on execute, you should see a dump of the file below the execute button.
     
    Last edited: Jan 8, 2014
    Braveheart7 likes this.
  22. leandroong

    leandroong Addicted to LI Member

    I suggest that you reformat and use ext3 and label your sandisk, instead of relying on sda1, which is not fixed.

    Sample label: "sandisk". To refer to your harddisk, you may omit /tmp and just use /mnt/sandisk.
     
    Braveheart7 likes this.
  23. Braveheart7

    Braveheart7 Reformed Router Member

    OK Guys. Here is what I have done:

    I created a LinuxMint VM and re-partitioned my usb to EXT3 in gparted. I then labeled it as "OpenVpnUSB". Then I created a folder under that called "openvpn". Then I copied my files as suggested above to that folder.

    I then inserted my new usb stick into my RT-N16

    I logged into Tomato and went to USB and NAS and this is what it sees: SanDisk U3 Cruzer Micro
    Partition 'OpenVpnUSB' ext3 (1,928.99 MB / 1,894.07 MB free) is mounted on /tmp/mnt/OpenVpnUSB

    I then changed my custom config in openvpn to this:

    ca mnt/OpenVpnUSB/openvpn/server/ca.crt
    dh mnt/OpenVpnUSB/openvpn/server/dh1024.pem
    cert mnt/OpenVpnUSB/openvpn/server/"my server".crt
    key mnt/OpenVpnUSB/openvpn/server/"my server".key

    After saving all of this I tried to start the VPN server and it would not start. I tried rebooting the router and the vpn still will not start. So then I tried to follow Mate Rigo's instructions to test the filesystem from within Tomato.

    When I run:

    chmod -R 755 /mnt/OpenVpnUSB/openvpn/ - I see nothing after clicking on Execute
    or
    cat /mnt/OpenVpnUSB/openvpn/ca.crt - I get a message saying: "cat: can't open '/mnt/OpenVpnUSB/openvpn/ca.crt': No such file or director"

    So what am I doing wrong?
     
  24. koitsu

    koitsu Network Guru Member

    You won't see anything when executing chmod unless there's an error. No output = the command did what you told it. That's how *IX systems work (or are supposed to work). The lack of error there implies there is some part of the pathname convention that exists (don't ask me why; I'm not going to spend a week diagnosing this. This is a lot easier to do using the CLI than it is the GUI).

    The error you get from cat seems quite clear: there is indeed no such file or directory with that pathname. Let me quote your own words and from there you should be able to see where your mistake lies (with the path). Look very closely:

    Hopefully you can figure out the mistake. The same goes for your OpenVPN configuration file.
     
    Braveheart7 likes this.
  25. Braveheart7

    Braveheart7 Reformed Router Member


    koitsu - That helped. Almost there...

    I changed to:

    chmod -R 755 /mnt/OpenVpnUSB/openvpn/server/ &
    cat /mnt/OpenVpnUSB/openvpn/server/ca.crt
    Both commands worked.
    I am able to run cat on all 4 files successfully.

    I am closer now thanks!

    But I still cannot get the vpn to start.
     
  26. kthaddock

    kthaddock Network Guru Member

    From what I can see in your log, your dh1024.pem file seems to have some problem.
    Check if it contains a CR at the end of each line. Use e.g. Notepad++ to check.

     
    Braveheart7 likes this.
  27. Braveheart7

    Braveheart7 Reformed Router Member

    OK. I was considering re-creating my keys anyway. So I will do that and report back.
     
  28. kthaddock

    kthaddock Network Guru Member

    Braveheart7 likes this.
  29. Braveheart7

    Braveheart7 Reformed Router Member

    Thanks. That is the exact guide I used before and am using now. I set it all back up from scratch. Created new certs, config files, etc. Also placed them onto the ext3 usb drive and mounted within Tomato. I then ran the chmod command and nothing came back which tells me it was successful. Then I ran the cat command and all 4 files showed output. I've also rebooted the router. Still, OpenVPN will not start. Here is the log:

    Jan 16 16:20:28 unknown user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Jan 16 16:20:28 unknown user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Jan 16 16:20:28 unknown user.info kernel: device tap21 entered promiscuous mode
    Jan 16 16:20:29 unknown user.info kernel: br0: port 3(tap21) entering forwarding state
    Jan 16 16:20:29 unknown daemon.notice openvpn[1221]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 19 2013
    Jan 16 16:20:29 unknown daemon.warn openvpn[1221]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
    Jan 16 16:20:29 unknown daemon.err openvpn[1221]: Cannot open mnt/OpenVpnUSB/openvpn/server/dh1024.pem for DH parameters: error:02001002:lib(2):func(1):reason(2): error:2006D080:lib(32):func(109):reason(128)
    Jan 16 16:20:29 unknown daemon.notice openvpn[1221]: Exiting due to fatal error

    Not sure what else to do. The dh1024.pem file is a newly created file and it opens fine when using cat. I'm running Shibby build Tomato Firmware 1.28.0000 MIPSR2-114 K26 USB AIO

    Any idea what else I can do?
     
  30. gfunkdave

    gfunkdave LI Guru Member

    You're missing the leading / in front of the file path.
     
    Braveheart7 likes this.
  31. Braveheart7

    Braveheart7 Reformed Router Member

    Duh! I've already been burned by path-ing once. And now I did it again. Thanks! Up and running now. :)
     
    Last edited: Jan 16, 2014
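
The path, line-ending and permission problems worked through in this thread can be checked before starting the server. The script below is an added example, not code from any poster or from Tomato: `check_ovpn_paths` and `demo` are names made up here, and it assumes the custom-config lines have been saved to a file such as the hypothetical /tmp/custom.conf.

```shell
#!/bin/sh
# Added example, not from the thread: lint the ca/dh/cert/key lines of an
# OpenVPN custom config. Prints one finding per problem; returns 0 if clean.
check_ovpn_paths() {
    conf=$1; rc=0; cr=$(printf '\r')
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            ca|dh|cert|key) ;;
            *) continue ;;                      # not a file directive
        esac
        case $path in
            /*) ;;
            *)  echo "$directive: $path is relative, add the leading /"
                rc=1; continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$directive: $path not found, compare it with the mount point"
            rc=1; continue
        fi
        if grep -q "$cr" "$path"; then          # file saved with CRLF
            echo "$directive: $path has CR line endings"
            rc=1
        fi
        # OpenVPN warns when a private key is group or others accessible.
        if [ "$directive" = key ] &&
           [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "key: $path is accessible to group/others, chmod 600 it"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Constructed sample: a temp directory stands in for /tmp/mnt/OpenVpnUSB.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/openvpn/server" || return 1
    s=$d/openvpn/server
    echo "constructed CA" > "$s/ca.crt"
    printf 'constructed DH\r\n' > "$s/dh1024.pem"
    echo "constructed key" > "$s/server.key"
    chmod 755 "$s/server.key"
    cat > "$d/custom.conf" <<EOF
ca $d/openvpn/ca.crt
dh $s/dh1024.pem
cert ${s#/}/server.crt
key $s/server.key
EOF
    check_ovpn_paths "$d/custom.conf"; status=$?
    rm -rf "$d"
    return $status
}
demo || true
```

The constructed config trips all four checks: a directory missing from the ca path, a CRLF dh file, a cert path without the leading /, and a key left at mode 755. On a vfat stick the mode bits come from mount options rather than the files, so the key check is only meaningful on a filesystem such as ext3 or JFFS.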
