
Quick and dirty VPN server HOWTO!!

Discussion in 'Tomato Firmware' started by Delta221, Apr 10, 2009.

  1. Delta221

    Delta221 Addicted to LI Member

    **The HowTo has been updated to provide instruction on the latest version of TomatoVPN (1.25VPN3.4).**

    Thanks to SgtPepperKSU, we have a version of Tomato with OpenVPN!!!!
    You can find it here: http://tomatovpn.keithmoyer.com/

    I tried to get an openvpn server running for hours, and hours, and hours... With some help, I finally got it up and running. I have compiled a really quick and dirty howto based on my experience, and I included the easy-rsa scripts which I manually edited so you can generate keys quickly. I have provided these scripts because they did not work out of the box for me. You should first go through the process at the bottom of the key generation section, to see if you require them or not.

    I have OpenVPN for windows installed at D:\openvpn and I recommend you do the same to get everything working without modification.

    I am no expert, and I recommend you read the openvpn manual for more options to use with openvpn. My config will create a UDP tunnel, and redirect all traffic through the VPN server (it is supposed to redirect DNS queries too). Play around with the options once you have it up and running and enjoy!

    Thanks again SgtPepperKSU :thumbup:

    **See post # 4 for the HOWTO.**
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Might I suggest you move your how-to to your top post in this thread, instead of placing it in the middle of your support thread? Might be easier to find.

    Also, to keep from having to go line-to-line through the batch files you posted (which by the way you can wrap in
    Code:
    ...
    tags to make it clearer where they start/end), what have you changed from the original easy-rsa scripts and why? Did they not work for you in some way?
     
  3. Delta221

    Delta221 Addicted to LI Member

    When I first installed openvpn, the default settings in the easy-rsa scripts were not working that well, so I made some small adjustments. I added the path of the file directories, made the default key size 2048 bits, created a new bat file to generate secret keys, and changed some of the personal info (location, city, etc). I also changed the certificate validity from 10 years to 3 years.
     
  4. Delta221

    Delta221 Addicted to LI Member

    **Updated on Oct 13, 2009 for latest version: 1.25VPN3.4
    Previous updates: Added build-key-pass.bat to generate client keys which are encrypted and password protected.**

    I have compiled a quick and easy HowTo based on my experience with TomatoVPN. Don't be intimidated by the length of this post, most of it is stuff you have to paste into notepad.

    - If you don't want to edit/adjust any of the files I have pasted below(I recommend this), install openvpn to D:\openvpn.
    - I recommend users change their router's subnet to something uncommon, it will help you avoid difficulties with TAP setups. Log in to your router, go to Basic --> Network, change your ip address range to something odd like 192.168.188.100 - 192.168.188.150, and change your router address to the same .188 range. Click save, unplug your ethernet cable (Or disconnect your wifi connection) and plug it back in to ensure everything gets updated. If you have static DHCP on, you might have to update your static entries as well.

    If you already know how to generate your own key files, skip the GENERATING KEY FILES section and go down to the TOMATO VPN SETUP section.


    GENERATING KEY FILES:

    - Make a backup copy of the original files in your openvpn/easy-rsa folder, you may wish to restore them in the future.
    If you have it installed somewhere else, edit the program locations accordingly. Try to install it somewhere with a short path, and try to avoid folders containing spaces (e.g. Program Files) unless you know how to write them in 8.3 format (e.g. progra~1).
    - My files will generate 2048 bit keys. If you want larger or smaller keys, edit the "default_bits" field in the openssl.cnf.sample file and "set KEY_SIZE" in the vars.bat.sample file.

    Let's begin:

    1. Open a command prompt shell in windows, by going to Start --> Run --> type "cmd" and hit enter.

    2. Go to the folder where you have openvpn installed, and enter the easy-rsa folder.

    3. Copy the text below for each file as is, paste it into notepad, and then save it as the filename specified in the easy-rsa folder. There are 9 files in total.

    1. Filename: build-ca.bat

    @echo off
    cd %HOME%
    rem build a cert authority valid for three years, starting now
    openssl req -days 1097 -nodes -new -x509 -sha1 -keyout D:\\OpenVPN\\easy-rsa\\keys\\ca.key -out D:\\OpenVPN\\easy-rsa\\keys\\ca.crt -config %KEY_CONFIG%

    2. Filename: build-dh.bat

    @echo off
    cd %HOME%
    rem build a dh file for the server side
    openssl dhparam -out D:\\OpenVPN\\easy-rsa\\keys\\dh%KEY_SIZE%.pem %KEY_SIZE%

    3. Filename: build-key.bat (To generate client keys with no password protection)

    @echo off
    cd %HOME%
    rem build a request for a cert that will be valid for three years
    openssl req -days 1097 -nodes -new -sha1 -keyout D:\\OpenVPN\\easy-rsa\\keys\\%1.key -out D:\\OpenVPN\\easy-rsa\\keys\\%1.csr -config %KEY_CONFIG%
    rem sign the cert request with our ca, creating a cert/key pair
    openssl ca -days 1097 -md sha1 -out D:\\OpenVPN\\easy-rsa\\keys\\%1.crt -in D:\\OpenVPN\\easy-rsa\\keys\\%1.csr -config %KEY_CONFIG%
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q D:\\OpenVPN\\easy-rsa\\keys\\*.old

    4. Filename: build-key-pass.bat (To generate client keys with password protection)

    @echo off
    cd %HOME%
    rem no -nodes here: openssl prompts for a passphrase and writes an encrypted private key
    openssl req -days 1097 -new -sha1 -keyout D:\\OpenVPN\\easy-rsa\\keys\\%1.key -out D:\\OpenVPN\\easy-rsa\\keys\\%1.csr -config %KEY_CONFIG%
    rem re-encrypt the key with AES-256 (asks for the current passphrase, then for a new one)
    openssl rsa -in D:\\OpenVPN\\easy-rsa\\keys\\%1.key -out D:\\OpenVPN\\easy-rsa\\keys\\%1.key -aes256
    rem sign the request with the CA; use this for client keys only, the server key on the router must stay unencrypted
    openssl ca -days 1097 -md sha1 -out D:\\OpenVPN\\easy-rsa\\keys\\%1.crt -in D:\\OpenVPN\\easy-rsa\\keys\\%1.csr -config %KEY_CONFIG%
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q D:\\OpenVPN\\easy-rsa\\keys\\*.old

    5. Filename: build-key-server.bat

    @echo off
    cd %HOME%
    rem build a request for a cert that will be valid for three years
    openssl req -days 1097 -nodes -new -sha1 -keyout D:\\OpenVPN\\easy-rsa\\keys\\%1.key -out D:\\OpenVPN\\easy-rsa\\keys\\%1.csr -config %KEY_CONFIG%
    rem sign the cert request with our ca, creating a cert/key pair
    openssl ca -days 1097 -md sha1 -out D:\\OpenVPN\\easy-rsa\\keys\\%1.crt -in D:\\OpenVPN\\easy-rsa\\keys\\%1.csr -extensions server -config %KEY_CONFIG%
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q D:\\OpenVPN\\easy-rsa\\keys\\*.old

    6. Filename: clean-all.bat

    @echo off
    rem run vars first; it sets HOME to the easy-rsa folder
    cd %HOME%
    rem delete the KEY_DIR and any subdirs quietly
    rmdir /s /q D:\OpenVPN\easy-rsa\keys
    rem make a new KEY_DIR
    mkdir D:\OpenVPN\easy-rsa\keys
    rem copy in a fresh index file so we begin with an empty database
    copy index.txt.start D:\OpenVPN\easy-rsa\keys\index.txt
    rem copy in a fresh serial file so we begin generating keys at index 01
    rem (the trailing dot makes cmd create "serial" with no extension)
    copy serial.start D:\OpenVPN\easy-rsa\keys\serial.

    7. Filename: openssl.cnf.sample (big file)

    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #

    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME = D:\\OpenVPN\\easy-rsa\\
    RANDFILE = D:\\OpenVPN\\easy-rsa\\.rnd

    # Extra OBJECT IDENTIFIER info:
    #oid_file = D:\\OpenVPN\\easy-rsa\\.oid
    oid_section = new_oids

    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions =
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)

    [ new_oids ]

    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6

    ####################################################################
    [ ca ]
    default_ca = CA_default # The default ca section

    ####################################################################
    [ CA_default ]

    dir = D:\\OpenVPN\\easy-rsa\\keys # Where everything is kept
    certs = D:\\OpenVPN\\easy-rsa\\keys # Where the issued certs are kept
    crl_dir = D:\\OpenVPN\\easy-rsa\\keys # Where the issued crl are kept
    database = D:\\OpenVPN\\easy-rsa\\keys\\index.txt # database index file.
    new_certs_dir = D:\\OpenVPN\\easy-rsa\\keys # default place for new certs.

    certificate = D:\\OpenVPN\\easy-rsa\\keys\\ca.crt # The CA certificate
    serial = D:\\OpenVPN\\easy-rsa\\keys\\serial # The current serial number
    crl = D:\\OpenVPN\\easy-rsa\\keys\\crl.pem # The current CRL
    private_key = D:\\OpenVPN\\easy-rsa\\keys\\ca.key # The private key
    RANDFILE = D:\\OpenVPN\\easy-rsa\\keys\\.rand # private random number file

    x509_extensions = usr_cert # The extensions to add to the cert

    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crl_extensions = crl_ext

    default_days = 1097 # how long to certify for
    default_crl_days= 30 # how long before next CRL
    default_md = sha1 # which md to use.
    preserve = no # keep passed DN ordering

    # A few different ways of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :)
    policy = policy_match

    # For the CA policy
    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    ####################################################################
    [ req ]
    default_bits = 2048
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes
    x509_extensions = v3_ca # The extensions to add to the self signed cert

    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret

    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix : PrintableString, BMPString.
    # utf8only: only UTF8Strings.
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
    # so use this option with caution!
    string_mask = nombstr

    # req_extensions = v3_req # The extensions to add to a certificate request

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = $ENV::KEY_COUNTRY
    countryName_min = 2
    countryName_max = 2

    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = $ENV::KEY_PROVINCE

    localityName = Locality Name (eg, city)
    localityName_default = $ENV::KEY_CITY

    0.organizationName = Organization Name (eg, company)
    0.organizationName_default = $ENV::KEY_ORG

    # we can do this but it is not needed normally :)
    #1.organizationName = Second Organization Name (eg, company)
    #1.organizationName_default = World Wide Web Pty Ltd

    organizationalUnitName = Organizational Unit Name (eg, section)
    #organizationalUnitName_default =

    commonName = Common Name (eg, your name or your server\'s hostname)
    commonName_max = 64

    emailAddress = Email Address
    emailAddress_default = $ENV::KEY_EMAIL
    emailAddress_max = 40

    # SET-ex3 = SET extension number 3

    [ req_attributes ]
    challengePassword = A challenge password
    challengePassword_min = 4
    challengePassword_max = 20

    unstructuredName = An optional company name

    [ usr_cert ]

    # These extensions are added when 'ca' signs a request.

    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.

    basicConstraints=CA:FALSE

    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.

    # This is OK for an SSL server.
    # nsCertType = server

    # For an object signing certificate this would be used.
    # nsCertType = objsign

    # For normal client use this is typical
    # nsCertType = client, email

    # and for everything including object signing:
    # nsCertType = client, email, objsign

    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    # This will be displayed in Netscape's comment listbox.
    nsComment = "OpenSSL Generated Certificate"

    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always

    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy

    # Copy subject details
    # issuerAltName=issuer:copy

    #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName

    [ server ]

    # JY ADDED -- Make a cert with nsCertType set to "server"
    basicConstraints=CA:FALSE
    nsCertType = server
    nsComment = "OpenSSL Generated Server Certificate"
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always

    [ v3_req ]

    # Extensions to add to a certificate request

    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    [ v3_ca ]


    # Extensions for a typical CA


    # PKIX recommendation.

    subjectKeyIdentifier=hash

    authorityKeyIdentifier=keyid:always,issuer:always

    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true

    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as a test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign

    # Some might want this also
    # nsCertType = sslCA, emailCA

    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy

    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF

    [ crl_ext ]

    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always

    8. Filename: vars.bat.sample

    @echo off
    rem Edit this variable to point to
    rem the openssl.cnf file included
    rem with easy-rsa.

    set HOME=D:\\OpenVPN\\easy-rsa
    set KEY_CONFIG=openssl.cnf

    rem Edit this variable to point to
    rem your soon-to-be-created key
    rem directory.
    rem
    rem WARNING: clean-all will do
    rem a rm -rf on this directory
    rem so make sure you define
    rem it correctly!
    set KEY_DIR=keys

    rem 2048-bit keys (the default in these files).
    rem Larger sizes slow down TLS negotiation
    rem performance as well as the one-time DH
    rem parms generation process.
    set KEY_SIZE=2048

    rem These are the default values for fields
    rem which will be placed in the certificate.
    rem Change these to reflect your site.
    rem Don't leave any of these parms blank.

    set KEY_COUNTRY=CA
    set KEY_PROVINCE=CA
    set KEY_CITY=CA
    set KEY_ORG=none
    set KEY_EMAIL=mail@host.domain

    9. Filename: secret.bat

    rem generate the 2048-bit tls-auth static key; it goes into the router's Static Key box and onto every client
    start D:\OpenVPN\bin\openvpn --genkey --secret D:\OpenVPN\easy-rsa\keys\ta.key


    Very quick instructions on generating files. Run all of these commands from the command prompt window you opened up. If this doesn't work, follow the instructions on the openvpn howto: http://openvpn.net/index.php/documentation/howto.html#pki

    1. init-config
    2. vars
    3. clean-all
    4. build-ca
    5. build-key-server server (Common name must be server)
    6. build-key clientname (Each client certificate must be named differently, the client name you use MUST be used as the Common Name) *If you want to password protect your client keys use --> build-key-pass clientname
    7. build-dh
    8. secret

    All of the generated files will be in the openvpn/easy-rsa/keys folder.


    TOMATOVPN TUN SERVER SETUP:

    Copy the options in my setup below, and then paste your keys in the correct box. Save your settings after completing each screen:

    [IMG]

    [IMG]

    - Notice the line listing client1, with subnet 192.168.1.0. Creating an entry in this table is not mandatory. This line is intended to allow the users on the server network to access the client, and computers on the client network. If you do not know what the client subnet will be, leave it blank, and the client network will not be made accessible to the server network. The server network is made accessible to clients, when the box "Push LAN to clients" is checked off. Pushing the server network to clients will work if there is no entry in the client table.


    COPYING YOUR KEYS:

    [IMG]

    FYI: Copy (DO NOT CUT) the contents of the files into the boxes; keep copying them until you have successfully saved the keys, to prevent loss:

    - TA.KEY goes into the STATIC KEY box

    -When you ran build-ca, you would have generated a certificate file (.crt) - Paste the contents of ca.crt into the Certificate Authority box.

    -when you ran build-key-server server - Paste the server.crt file in the Server Certificate box, and the server.key file in the Server Key box

    - when you ran build-dh, it would have generated a file called dh2048.pem (if you used my config) - paste the contents into the Diffie-Hellman parameters box.

    MAKE SURE you click on the "Save" button in the lower right of the page to save all of the settings, and keys. Now you can launch the server! Click on "Start Now".

    *To have the router periodically check if the VPN is running and restart it if it has stopped, access the Administration --> Scheduler section in Tomato. Enable one of the custom rules, and select the frequency you want it to run from the dropdown (i.e. 30 minutes).
    - If you configured openvpn in the Server1 tab in the VPN Tunneling menu, In the command box, simply enter: service vpnserver1 start
    - If you configured openvpn in the Server2 tab in the VPN Tunneling menu, In the command box, simply enter: service vpnserver2 start


    What you need on your client machine connecting to your VPN Server:

    1. Copy these files from the keys directory (4 files) which were generated into a folder on your client machine. I recommend you create a folder called d:\openvpn\config and just put everything there. That way, when you run Openvpn gui, you can just left click on the icon and click "connect"...

    -The ca.crt file you pasted in the Certificate Authority box earlier on
    -The ta.key file
    - Your client certificate (client name.crt) and client name.key file (These were generated with build-key, or build-key-pass, and were not pasted on the vpn server page)

    2. Create a client config file. Just copy the text below and save it as whatever.ovpn on your client machine, in the same folder as the 4 files. Change YOUR_IP_ADDRESS to your router's WAN ip address, and CLIENT_NAME to whatever you named your client (no spaces: OpenVPN splits each config line on whitespace, so a file name containing a space would have to be quoted). One last thing. When you install openvpn, it installs a new network (Tap adaptor). Go to Control Panel --> Network connections, and rename it to openvpn

    dev tun
    proto udp
    # the TAP-Windows adapter you renamed above
    dev-node openvpn
    # router WAN address and the port configured in the server tab
    remote YOUR_IP_ADDRESS 55555
    tls-client
    keepalive 15 120
    verb 3
    ca ca.crt
    cert CLIENT_NAME.crt
    key CLIENT_NAME.key
    # the optional direction number (0/1) must be the opposite of the server's, or omitted on both sides
    tls-auth ta.key
    # checks the nsCertType=server extension set by the [server] section above; later OpenVPN
    # versions replace this option with "remote-cert-tls server", which needs keyUsage and
    # extendedKeyUsage=serverAuth in the server certificate instead
    ns-cert-type server
    # must match the cipher selected on the server
    cipher AES-256-CBC
    pull
    nobind
    explicit-exit-notify 3
    topology subnet

    3. Open the config file with OpenVPN GUI, or left click on the .ovpn file and select "start OpenVPN on this config file"


    TOMATOVPN TAP SERVER SETUP:

    1. To generate keys, see the "GENERATING KEY FILES" section above if you need instruction on how to generate keys. Proceed to next section to configure your VPN server settings.


    CONFIGURE VPN SERVER SETTINGS:

    Copy the options in my setup below, and then paste your keys in the correct box. Save your settings after completing each screen:

    [IMG]
    [IMG]

    To copy your keys into the KEYS tab of your router configuration, see the "COPYING YOUR KEYS" section and the photo right above it for instructions on copying your keys.

    *To have the router periodically check if the VPN is running and restart it if it has stopped, access the Administration --> Scheduler section in Tomato. Enable one of the custom rules, and select the frequency you want it to run from the dropdown (i.e. 30 minutes).
    - If you configured openvpn in the Server1 tab in the VPN Tunneling menu, In the command box, simply enter: service vpnserver1 start
    - If you configured openvpn in the Server2 tab in the VPN Tunneling menu, In the command box, simply enter: service vpnserver2 start


    TAP CLIENT CONFIGURATION:
    What you need on your client machine connecting to your VPN Server:

    1. Copy these files from the keys directory (4 files) which were generated into a folder on your client machine. I recommend you create a folder called d:\openvpn\config and just put everything there. That way, when you run Openvpn gui, you can just left click on the icon and click "connect"...

    -The ca.crt file you pasted in the Certificate Authority box earlier on
    -The ta.key file
    - Your client certificate (client.crt) and client.key file (These were generated with build-key, and were not pasted on the vpn server page)

    2. Create a client config file. Just copy the text below and save it as whatever.ovpn on your client machine, in the same folder as the 4 files. Change YOUR_IP_ADDRESS to your router's WAN ip address, and CLIENT_NAME to whatever you named your client (no spaces: OpenVPN splits each config line on whitespace, so a file name containing a space would have to be quoted). One last thing. When you install openvpn, it installs a new network (Tap adaptor). Go to Control Panel --> Network connections, and rename it to openvpn

    dev tap
    proto udp
    # the TAP-Windows adapter you renamed above
    dev-node openvpn
    # router WAN address and the port configured in the server tab
    remote YOUR_IP_ADDRESS 29946
    tls-client
    keepalive 15 120
    verb 3
    ca ca.crt
    cert CLIENT_NAME.crt
    key CLIENT_NAME.key
    # direction 1 pairs with a server that uses direction 0; omit the number on both sides if the server has none
    tls-auth ta.key 1
    # checks the nsCertType=server extension in the server certificate; later OpenVPN versions use "remote-cert-tls server" instead
    ns-cert-type server
    # must match the cipher selected on the server
    cipher AES-256-CBC
    pull
    nobind
    explicit-exit-notify 3
    # compression and fragment must be enabled on both server and client, or the tunnel will not pass traffic
    comp-lzo
    fragment 1500

    3. Open the config file with OpenVPN GUI, or left click on the .ovpn file and select "start OpenVPN on this config file"
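
The batch files above do the job on Windows, but the same PKI can be built and, more importantly, checked with plain openssl commands. The script below is an added example, not part of the original post or of TomatoVPN: it builds the CA, a server certificate carrying the nsCertType=server extension from the [server] section, and one client certificate, then verifies that the chain validates, that only the server certificate is marked as a server, and that each key matches its certificate (a check the post never shows). Assumptions: the output directory, the subject fields (copied from vars.bat.sample), SHA-256 instead of the SHA-1 the 2009 scripts used, keyUsage/extendedKeyUsage added so the certificates also satisfy OpenVPN's later "remote-cert-tls" check, and signing with "openssl x509 -req" instead of "openssl ca", so no index.txt/serial database is involved.

```shell
#!/bin/sh
# Added example (not the post's batch files): build the same PKI with plain
# openssl commands on Linux/macOS. Assumptions: output directory, subject
# fields (from vars.bat.sample), SHA-256 instead of SHA-1, and
# "openssl x509 -req" signing instead of "openssl ca" (no index/serial files).
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"    # assumed location; the post uses easy-rsa\keys
DAYS=1097                             # three years, as in the post's scripts
SUBJ_BASE="/C=CA/ST=CA/L=CA/O=none"   # values from vars.bat.sample

write_ext_config() {
    # Extension sections equivalent to [v3_ca], [server] and [usr_cert] in the
    # post's openssl.cnf.sample. keyUsage/extendedKeyUsage are added so the
    # certs also satisfy "remote-cert-tls", the successor of "ns-cert-type".
    cat > "$PKI_DIR/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
}

build_ca() {
    # build-ca.bat: self-signed CA. The key is unencrypted like the original,
    # so keep it off the router and off every client.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days "$DAYS" \
        -config "$PKI_DIR/ext.cnf" -subj "$SUBJ_BASE/CN=ca" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

issue_cert() {
    # build-key-server.bat / build-key.bat: $1 becomes the Common Name (the
    # post requires "server" for the server), $2 picks the extension section.
    name=$1; section=$2
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$PKI_DIR/ext.cnf" -subj "$SUBJ_BASE/CN=$name" \
        -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$DAYS" -in "$PKI_DIR/$name.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/ext.cnf" -extensions "$section" \
        -out "$PKI_DIR/$name.crt" 2>/dev/null
    rm -f "$PKI_DIR/$name.csr"
}

build_dh() {
    # build-dh.bat; takes a minute or more, so it is off by default below
    openssl dhparam -out "$PKI_DIR/dh2048.pem" 2048 2>/dev/null
}

build_ta() {
    # secret.bat; OpenVPN 2.5+ spells this "openvpn --genkey secret ta.key"
    openvpn --genkey --secret "$PKI_DIR/ta.key"
}

verify_pki() {
    # Both leaf certs chain to ca.crt, only the server cert carries
    # nsCertType=server (what "ns-cert-type server" in the client config
    # tests), and each private key matches its certificate.
    openssl verify -CAfile "$PKI_DIR/ca.crt" \
        "$PKI_DIR/server.crt" "$PKI_DIR/client1.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$PKI_DIR/server.crt" -noout -text | grep -q 'SSL Server' || return 1
    if openssl x509 -in "$PKI_DIR/client1.crt" -noout -text | grep -q 'SSL Server'; then
        return 1
    fi
    for n in server client1; do
        [ "$(openssl x509 -in "$PKI_DIR/$n.crt" -noout -pubkey)" = \
          "$(openssl pkey -in "$PKI_DIR/$n.key" -pubout)" ] || return 1
    done
    return 0
}

mkdir -p "$PKI_DIR"
write_ext_config
build_ca
issue_cert server server    # server.crt / server.key go into the router's boxes
issue_cert client1 client   # client1.crt / client1.key go onto one client machine
if [ "${BUILD_DH:-0}" = 1 ]; then build_dh; fi
if command -v openvpn >/dev/null 2>&1; then build_ta; fi
verify_pki && echo "PKI OK in $PKI_DIR"
```

Run it with BUILD_DH=1 to also produce dh2048.pem for the Diffie-Hellman box. Because the certificates are signed with "openssl x509 -req", there is no index.txt to revoke against; if you need "openssl ca -revoke" and a CRL later, keep using the post's openssl.cnf and "openssl ca" for signing.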
     
  5. ir2lazy

    ir2lazy Addicted to LI Member

    Thanks for the instructions. Made it alot easier for me to set mines up.

    I do however have a question about redirect all traffic through the VPN server. I used an external connection outside of my home network and turned on wireshark to monitor my traffic when connected to the VPN. I can tell traffic is routed through the VPN because i don't see HTTP traffic, but I still see DNS traffic going through the normal gateway and not redirected to/from VPN.
     
  6. Delta221

    Delta221 Addicted to LI Member

    hmm... try taking out "bypass-dns" and add a separate line:

    push "dhcp-option DNS 10.10.0.1"

    Replace 10.10.0.1 with the ip of your vpn server (x.x.x.1). Let me know if this works.
     
  7. Delta221

    Delta221 Addicted to LI Member

    This issue has been fixed in 1.23vpn3.2 release which has just been released. There is now a box under the Advanced menu, "Respond to DNS" which you can enable.
     
  8. dragon042

    dragon042 Guest

    Thank you very much for this tutorial/howto!~ It definitely cleared up a LOT of questions for me as I set up my first OpenVPN server. ^_^ It saved a lot of time for me too! You really are a lifesaver. =)

    I have a couple questions though. And please forgive me, I'm a VPN newb, but I am trying very hard to learn! So please bear with me.

    I'm still a bit confused about what the "Direct clients to redirect Internet traffic" and "Respond to DNS" options do in the VPN server configuration tab. Can you explain this to me please?
     
  9. kenyloveg

    kenyloveg LI Guru Member

    Hi, Delta221
    I did follow your TAP part of procedure. I'm getting failed to start vpnserver at "persist key", which reported by syslog at line 26 of config.ovpn.
    Code:
    Jul  8 22:06:56 ? daemon.err openvpn[2728]: Options error: Unrecognized option or missing parameter(s) in config.ovpn:26: persist (2.1_rc15)
    I can connect to server from Windows client if I just omit "persist key" and "persist TUN". What did I miss, or what could happen if these 2 lines are omitted?
    And I'm testing site to site connection by Tomato OpenVPN MOD, I'd like to know how to fill corresponding setting in CLIENT->Advanced->Custom Configuration column. Like "replay-window", explicit-exit-notify, etc...
    Thanks in advance.
     
  10. kenyloveg

    kenyloveg LI Guru Member

    Well, I might figure it out. persist key means "openvpn will not re-read the keys on a restart", and persist tun means "Keeps tun/tap devices up when openvpn is restarted".
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's not "persist key" and "persist TUN". It's "persist-key" and "persist-tun". I imagine that's all that was wrong.
     
  12. joris1977

    joris1977 Addicted to LI Member

    Ok I am new to openvpn, so excuse me if this is a stupid question: but does this mean I can or have to remove

    push redirect-gateway
    push "dhcp-option DNS 10.10.0.1"

    from the custom options in tomato's openvpn if I enable 'respond to dns'

    Thanks a lot for this howto!
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    "Respond to DNS" replaces the "interface" line in your "Dnsmasq Custom Configuration" field, and "Advertise DNS to clients" replaces the dhcp-option line in your VPN custom config. The "Direct clients to redirect Internet traffic" option replaces your redirect-gateway line.
     
  14. Delta221

    Delta221 Addicted to LI Member

    My answer depends on which version of TomatoVPN you have installed, because there have been changes since 1.25VPN3.2.

    To answer your question directly, no, if you check off Respond to DNS, those two lines should not be eliminated. The Respond to DNS checkbox was implemented to help DNS requests get through the VPN tunnel or firewall, I don't exactly remember which.

    If you have the latest version, 1.25VPN3.4, there are 2 new checkboxes in the server config which eliminate the need for manually entering:

    push redirect-gateway
    push "dhcp-option DNS 10.10.0.1"

    To eliminate line 1, check off the checkbox "Direct clients to redirect Internet traffic". To eliminate the need for line 2, check off the box: "Advertise DNS to clients" Using the checkboxes is recommended, at least until you learn how to get your server up and running, and you learn what the different OpenVPN configuration options do.

    Thanks for posting, I will try updating this HowTo in the next few days.
     
  15. joris1977

    joris1977 Addicted to LI Member

    Thank you both for the fast replies. I am running the latest version and will change my configuration

    BTW OpenVPN is working really nice. Internet is a bit slow but that seems logical, because I have 1 MBit upload on my adsl line at home.

    Since I am mostly using my laptop on open hotspots. It is good that i will have a more secure connection in the future. Very nice I could do this with an old WRT54G v2! :thumbup:
     
  16. Delta221

    Delta221 Addicted to LI Member

    The HowTo has been updated. Feel free to make any suggestions... Enjoy!
     
  17. wiiw

    wiiw Addicted to LI Member

    When I setup everything to TAP (TUN worked), I did not get an IP via DHCP.

    The fix (for TAP):

    On router; Set "Compression" to "Adaptive"
    In "Custom Configuration", delete "fragment 1500"

    In the configuration file (*.ovpn) add; comp-lzo

    It worked for me, and I got my IP via DHCP :biggrin:

    PS: THANKS FOR YOUR HowTo, Delta221!
     
  18. Delta221

    Delta221 Addicted to LI Member

    Did you try enabling compression on the server, and entering the line:
    comp-lzo on the client? This is what I had in the previous config, you shouldn't need to delete any of the custom settings. Some are meant to enhance security and optimize performance.

    I'm glad you found the howto's useful. I will update them.
     
  19. wiiw

    wiiw Addicted to LI Member

    Yes, with the compression enabled and the "fragment" removed it worked. If I did not make these two changes, then I didn't get an IP.
     
  20. Delta221

    Delta221 Addicted to LI Member

    That's probably because I forgot to put fragment 1500 in the client config file! It has to be in both server and client config files... I have corrected this. Thank you very much for pointing out these errors! All should be good now.
     
  21. wiiw

    wiiw Addicted to LI Member

    I added back the fragment 1500 to both sides and it works, THANKS!
    Should I change Compression from Adaptive to Enabled, as on your picture?

    PS: I know that TUN worked, but the client file hasn't fragment 1500 in it and Compression enabled - is that OK?
     
  22. gawd0wns

    gawd0wns LI Guru Member

    Fragment 1500 is a completely different function from compression. You can have one, both, or neither enabled. If you enable either of these functions on the server, be sure to add them to the client configuration or they will not work. Some functions are intended to be run on the server only, and some have to be placed in the server and client config files.

    In response to your question, see which works better for you. I personally leave compression disabled, since I have a lot of stuff running on my router, and want to keep CPU usage as low as I can.

    OpenVPN has a ton of functions, you can read up on all of them, and what they do in the OpenVPN manual:

    http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html

    To see the server configuration file(s) on your router, you can login through telnet or ssh (if you have it enabled) to your router, and type the following in the shell prompt: cat /etc/openvpn/server1/config.ovpn (if you have Server 1 running) or cat /etc/openvpn/server2/config.ovpn (If you have server 2 running).
     
  23. wiiw

    wiiw Addicted to LI Member

    Thanks for the info!
     
  24. wiiw

    wiiw Addicted to LI Member

    Should I also add this to the client config file (*.ovpn), as stated at http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html:

    persist-tun
    persist-key
    ;group nobody
    ;user nobody
    ;mute-replay-warnings

    or is it OK for it to be only on the server (except for ;mute-replay-warnings) AND should I remove the <;>, because aren't the commands then only comments, so non-functional?

    Should I also change (add quotes) on the server to this command:
    push "route-gateway dhcp"
    or with IP
    push "route-gateway ROUTER_IP"
     
  25. agidi

    agidi LI Guru Member

    Newbie here.

    I followed the above instructions, but sadly I can't get the router's server to start. I'm getting this in the log files.

    Jun 15 09:30:48 router user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Jun 15 09:30:48 router user.info kernel: device tun21 entered promiscuous mode
    Jun 15 09:30:48 router daemon.notice openvpn[3316]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Dec 20 2009
    Jun 15 09:30:48 router daemon.warn openvpn[3316]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jun 15 09:30:52 router daemon.notice openvpn[3316]: Diffie-Hellman initialized with 2048 bit key
    Jun 15 09:30:52 router daemon.err openvpn[3316]: Cannot load certificate file server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jun 15 09:30:52 router daemon.notice openvpn[3316]: Exiting
    Jun 15 09:30:52 router user.info init[1]: VPN_LOG_ERROR: 788: Starting VPN instance failed...

    I do not know what it means. All pointers, suggestions are appreciated.
    thanks
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It looks like the server certificate was entered incorrectly. Make sure that there is a "-----BEGIN CERTIFICATE-----" line, a "-----END CERTIFICATE-----" line, and certificate data in between.
     
  27. agidi

    agidi LI Guru Member

    Hi, what an honor, SgtPepper himself. :)

    Well mine actually reads -----BEGIN CERTIFICATE REQUEST-----
    You can see the screenshot:
    http://screencast.com/t/OTFiNzA1N

    Did I paste in the wrong string?
    thanks for the prompt reply, much appreciated
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep, you pasted the server.csr file (Certificate Signing Request) instead of the server.crt (Certificate) file.

    Easy mistake to make, and you're not the first to make it.

    BTW, you may want to regenerate all of the certificates now that you've posted the bulk of them to the internet. :wink:
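The "no start line" error above and the CSR-for-certificate mix-up that caused it are both things a quick check of the pasted text would catch before the router ever tries to start. The script below is an added example, not code from the thread or from TomatoVPN: it finds the PEM block(s) in whatever is about to go into a GUI field, checks that the base64 decodes to a DER SEQUENCE, and tells you whether you are holding a certificate, a signing request or a private key. The sample blobs are constructed; their body is a five-byte hand-built DER value standing in for a real certificate body, so the check is structural only.

```python
"""Added example (not from the thread): sanity-check a PEM blob before pasting it
into the Tomato VPN GUI. Catches the mistakes seen in this thread: a CSR pasted
where the certificate belongs, a private key in the certificate field, a missing
END line, or base64 that does not decode. Sample blobs are constructed; the body
is a tiny hand-built DER SEQUENCE, not a real certificate."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

# DER: SEQUENCE { INTEGER 1 } -- stands in for a real certificate body (constructed)
_TINY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# easy-rsa/openssl ca write a human-readable dump before the PEM; OpenVPN ignores it, and so do we.
GOOD_CERT = f"Certificate:\n    Data: (text dump, ignored)\n-----BEGIN CERTIFICATE-----\n{_TINY}\n-----END CERTIFICATE-----\n"
CSR_PASTE = f"-----BEGIN CERTIFICATE REQUEST-----\n{_TINY}\n-----END CERTIFICATE REQUEST-----\n"
KEY_PASTE = f"-----BEGIN RSA PRIVATE KEY-----\n{_TINY}\n-----END RSA PRIVATE KEY-----\n"
TRUNCATED = f"-----BEGIN CERTIFICATE-----\n{_TINY}\n"            # END line lost in the paste
GARBAGE_B64 = "-----BEGIN CERTIFICATE-----\n!!!notbase64!!!\n-----END CERTIFICATE-----\n"


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text.
    Raises ValueError if a block's body is not valid base64 or not DER."""
    found = []
    for m in PEM_RE.finditer(text):
        label = m.group("label")
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except Exception as exc:
            raise ValueError(f"{label}: body is not valid base64 ({exc})")
        if not der or der[0] != 0x30:   # X.509 certs, CSRs and keys all start with a SEQUENCE tag
            raise ValueError(f"{label}: decoded data is not a DER SEQUENCE")
        found.append((label, der))
    return found


def check_field(text, expect):
    """Validate text destined for one GUI field. expect is 'CERTIFICATE' (ca.crt,
    server.crt) or 'PRIVATE KEY' (server.key). Returns 'ok' or a plain-English reason."""
    blocks = pem_blocks(text)
    if not blocks:
        if "-----BEGIN" in text and "-----END" not in text:
            return "missing -----END----- line"
        return "no PEM block found (OpenVPN logs 'PEM routines:PEM_read_bio:no start line')"
    labels = [lbl for lbl, _ in blocks]
    is_key = any(lbl.endswith("PRIVATE KEY") for lbl in labels)
    if expect == "CERTIFICATE":
        if "CERTIFICATE REQUEST" in labels:
            return "this is a certificate signing request (server.csr); paste server.crt instead"
        if is_key:
            return "this is a private key, not a certificate"
        if "CERTIFICATE" not in labels:
            return f"expected a CERTIFICATE block, found {labels}"
    elif expect == "PRIVATE KEY" and not is_key:
        return "no private key block found"
    return "ok"


if __name__ == "__main__":
    for name, blob in [("good", GOOD_CERT), ("csr", CSR_PASTE), ("key", KEY_PASTE), ("cut", TRUNCATED)]:
        print(name, "->", check_field(blob, "CERTIFICATE"))
```

This only checks that the paste is the right kind of object and decodes; it does not verify the certificate. For that, on the machine where you generated the keys, `openssl x509 -in server.crt -noout -subject -dates` and `openssl verify -CAfile ca.crt server.crt` are the checks to run before pasting.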
     
  29. agidi

    agidi LI Guru Member

    Dear Gurus.
    True, I had pasted the wrong one. Thanks.

    I regenerated keys and got the server working. (I think)

    Then I went to WRT54GL#2 and set it up as a client, and started it.
    It says it connects, I can see it connect on the server.

    The server has 192.168.1.0. The client has 192.168.2.0.

    When I ping 192.168.1.54 (live PC on the server LAN) FROM the client side, I can't reach it.
    I don't need to send internet traffic, just be able to reach IPs on both LANs.

    My settings:
    Server Side
    Network Basic http://screencast.com/t/M2NjNzMwY2Mt
    Basic http://screencast.com/t/ODcyOTM0MjY
    Advanced http://screencast.com/t/ZDFhZmI0
    Status http://screencast.com/t/YTYzMjcwOTYt

    Client Side
    Network Basic http://screencast.com/t/MWZiOGJjNTMt
    Basic http://screencast.com/t/MTIxNmY3
    Advanced http://screencast.com/t/ZTBmYTM4ZTgt
    Status http://screencast.com/t/YjA0MGUyOWMt

    Can this be done? Join 3 locations Server ClientA ClientB all using WRT54GLs?
    All pointers and suggestions are welcome; I'm losing my hair here. :(

    thanks!
     
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You should start by removing everything you have in the custom configuration sections, and see how it goes.

    What you want to do is very possible. If you want access to the client LANs everywhere, not just the server LAN (the fact that you have client<->client selected leads me to believe that's the case), you'll need to fill in the client-specific options table and remove the NAT option from the clients. However, I'd suggest getting things working just accessing the server LAN from the clients before you make that change.
     
  31. pmason

    pmason Networkin' Nut Member

    First of all, thank you SO MUCH SgtPepperKSU for putting this all together! And thank you Delta for posting your configuration, seeing working configs is SO helpful to noobs like me.

    I have an Asus RT-N16 router with Tomato Firmware v1.27.9047 MIPSR2-beta15 K26 USB vpn3.6. I'm using an AT&T ADSL modem for WAN. Behind the Asus router I have one LAN client (desktop) and multiple wireless clients (netbooks). I have upnp enabled and I have a Samba share set up for a USB hard drive.

    My goal is to set up a road warrior style VPN to give me access to my home network AND to redirect internet traffic through my home router from wherever I am in the world. If possible, I would like to give clients the ability to choose whether internet traffic is redirected.

    I've tried more configurations than I can remember to set this up, using both TAP and TUN. I have been able to access my home LAN for a while with the configs I tried but never figured out how to redirect internet traffic over the VPN no matter what I did.

    When I found this thread I tossed out my old configuration and followed Delta's instructions exactly, creating both the TAP and TUN interfaces on server1 and server2 of my home router. I have had to finesse and tweak a bit and I'm still not able to make it work. I'm asking for help because I don't know why I'm having the problems I have now.



    I am able to connect to my home router from my neighbor's wifi but internet traffic is only redirected intermittently. Visits to www.whatismyipaddress.com showed my IP as fluctuating between my neighbor's public IP (99.xxx.xxx.xx) and my home router's public IP (76.xxx.xxx.xx). I was only able to ping my home router (192.168.7.1) when my public IP showed 76.xxx.xxx.xx.

    So redirection seems to be flipping off and on and I don't know why. Here's my config:

    My home network:
    192.168.7.0 255.255.255.0
    RT-N16 tomato router: 192.168.7.1

    Neighbor's wifi:
    192.168.1.0 255.255.255.0
    neighbor's router: 192.168.1.254

    Code:
    Fri Jun 18 14:30:09 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
    Fri Jun 18 14:30:09 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Jun 18 14:30:10 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Fri Jun 18 14:30:10 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Jun 18 14:30:11 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Jun 18 14:30:11 2010 LZO compression initialized
    Fri Jun 18 14:30:11 2010 Control Channel MTU parms [ L:1594 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Fri Jun 18 14:30:38 2010 RESOLVE: Cannot resolve host address: xxxx.gotdns.com:[NO_DATA] The requested name is valid but does not have an IP address.
    Fri Jun 18 14:30:38 2010 Data Channel MTU parms [ L:1594 D:1450 EF:62 EB:135 ET:32 EL:0 AF:3/1 ]
    Fri Jun 18 14:30:38 2010 Fragmentation MTU parms [ L:1594 D:1500 EF:61 EB:135 ET:33 EL:0 AF:3/1 ]
    Fri Jun 18 14:30:38 2010 Local Options hash (VER=V4): '812c5995'
    Fri Jun 18 14:30:38 2010 Expected Remote Options hash (VER=V4): 'b524e983'
    Fri Jun 18 14:31:01 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Fri Jun 18 14:31:01 2010 UDPv4 link local: [undef]
    Fri Jun 18 14:31:01 2010 UDPv4 link remote: 76.xxx.xxx.xx:1194
    Fri Jun 18 14:31:01 2010 TLS: Initial packet from 76.xxx.xxx.xxx:1194, sid=a0eab717 4e88479e
    Fri Jun 18 14:31:05 2010 VERIFY OK: depth=1, /C=US/ST=TX/L=Dallas/O=OpenVPN/CN=OpenVPN-TX/emailAddress=xx@yahoo.com
    Fri Jun 18 14:31:06 2010 VERIFY OK: nsCertType=SERVER
    Fri Jun 18 14:31:06 2010 VERIFY OK: depth=0, /C=US/ST=TX/O=OpenVPN/CN=server/emailAddress=xx@yahoo.com
    Fri Jun 18 14:31:07 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Fri Jun 18 14:31:07 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Jun 18 14:31:07 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Fri Jun 18 14:31:07 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Jun 18 14:31:07 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Fri Jun 18 14:31:07 2010 [server] Peer Connection Initiated with 76.xxx.xxx.xx:1194
    Fri Jun 18 14:31:10 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Fri Jun 18 14:31:10 2010 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.7.1,route-gateway 192.168.7.1,redirect-gateway def1,route-gateway 192.168.1.254,route-gateway dhcp,ping 10,ping-restart 60'
    Fri Jun 18 14:31:10 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Jun 18 14:31:10 2010 OPTIONS IMPORT: route options modified
    Fri Jun 18 14:31:10 2010 OPTIONS IMPORT: route-related options modified
    Fri Jun 18 14:31:10 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Fri Jun 18 14:31:10 2010 ROUTE: default_gateway=UNDEF
    Fri Jun 18 14:31:10 2010 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{763D8EFF-D1AD-4FD8-A3CA-6B768xxA3CE}.tap
    Fri Jun 18 14:31:10 2010 TAP-Win32 Driver Version 9.6
    Fri Jun 18 14:31:10 2010 TAP-Win32 MTU=1500
    Fri Jun 18 14:31:10 2010 Successful ARP Flush on interface [16] {763D8EFF-D1AD-4FD8-A3CA-A6B768xxA3CE}
    Fri Jun 18 14:31:15 2010 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
    Fri Jun 18 14:31:15 2010 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
    Fri Jun 18 14:31:15 2010 Initialization Sequence Completed
    And my client.ovpn file:

    Code:
    dev tap
    proto udp
    dev-node OpenVPN
    remote xxxx.gotdns.com 1194
    tls-client
    keepalive 15 120
    verb 3
    mute-replay-warnings
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    pull
    nobind
    explicit-exit-notify 3
    comp-lzo
    fragment 1500
    I've played with the custom configuration details quite a bit. One question I have is what to do with "push route-gateway xxx.xxx.xxx.xx". As you can see, I tried using the neighbor's router's address and it worked partially.

    What am I doing wrong?
     
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Get rid of it :wink:

    A few things:
    1. Get rid of that route-gateway line. The firmware already takes care of it (as the server router's LAN IP). Putting the neighbor's address in there is what's causing the intermittent problems.
    2. persist-key and persist-tun are already in the auto-generated config. Take those out, too.
    3. The auto-generated config has "keepalive 15 60". Unless you have a specific reason for 10 instead of 15, take that out.
    4. Unless you specifically need the fragment line, get rid of it.
    5. In short, you shouldn't need anything in the custom config
    6. Selecting the client-specific options and client-to-client doesn't do anything if you don't fill out the table. But, since you're just connecting PC clients, not whole subnets, you don't need those options at all.

    Give that a shot and provide the logs and routing table from the client while it is connected.
     
  33. pmason

    pmason Networkin' Nut Member

    Keith, thanks! That appears to have worked on the TAP setup.

    Now for the TUN setup problems...

    I have the same setup I described two posts up but server2 is using TUN. I followed the instructions in the first post in this thread. I've been able to connect to the router (as you can see in the router status screenshot below) and I've even routed internet traffic through the VPN. However, I have been unable to ping any computer behind the router and unable to see network resources in windows explorer.

    Since I'm assigning the 10.10.10.0 subnet, how do I ping my home office computer (192.168.7.3 behind the RT-N16 tomato router)? I understand that TUN works differently than TAP, but I'm not sure what additional steps I need to take to be able to access my LAN. Heck, I don't even know what I'm supposed to ping to test it out. Is my home office computer now 10.10.10.3? Or do I have to edit the routing table?

    Here is my setup:
    My home network:
    192.168.7.0 255.255.255.0
    RT-N16 tomato router: 192.168.7.1

    Neighbor's wifi:
    192.168.1.0 255.255.255.0
    neighbor's router: 192.168.1.254

    Client .ovpn:
    Code:
    dev tun
    proto udp
    dev-node OpenVPN
    remote xxxx.gotdns.com 1195
    tls-client
    keepalive 15 120
    resolv-retry infinite
    verb 3
    mute-replay-warnings
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    # comp-lzo
    pull
    nobind
    explicit-exit-notify 3
    # topology subnet

    Yes, I've tried it both ways, making sure to also adjust the client config each time.

    Code:
    Wed Jun 23 23:05:15 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
    Wed Jun 23 23:05:15 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Jun 23 23:05:16 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Wed Jun 23 23:05:16 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jun 23 23:05:16 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jun 23 23:05:16 2010 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Wed Jun 23 23:05:38 2010 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Wed Jun 23 23:05:38 2010 Local Options hash (VER=V4): 'ed844052'
    Wed Jun 23 23:05:38 2010 Expected Remote Options hash (VER=V4): '8a244582'
    Wed Jun 23 23:05:38 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed Jun 23 23:05:38 2010 UDPv4 link local: [undef]
    Wed Jun 23 23:05:38 2010 UDPv4 link remote: 76.xxx.xxx.xx:1195
    Wed Jun 23 23:05:38 2010 TLS: Initial packet from 76.xxx.xxx.xx:1195, sid=3f263d20 845b0e97
    Wed Jun 23 23:05:39 2010 VERIFY OK: depth=1, /C=US/ST=TX/L=Dallas/O=OpenVPN/CN=OpenVPN-TX/emailAddress=xxxx@yahoo.com
    Wed Jun 23 23:05:39 2010 VERIFY OK: nsCertType=SERVER
    Wed Jun 23 23:05:39 2010 VERIFY OK: depth=0, /C=US/ST=TX/O=OpenVPN/CN=server/emailAddress=xxxx@yahoo.com
    Wed Jun 23 23:05:40 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Jun 23 23:05:40 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jun 23 23:05:40 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Jun 23 23:05:40 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jun 23 23:05:40 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Wed Jun 23 23:05:40 2010 [server] Peer Connection Initiated with 76.xxxx.xxxx.xx:1195
    Wed Jun 23 23:05:42 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Wed Jun 23 23:05:42 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.7.0 255.255.255.0,dhcp-option DNS 192.168.7.1,redirect-gateway def1,route 10.10.10.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5'
    Wed Jun 23 23:05:42 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Jun 23 23:05:42 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Jun 23 23:05:42 2010 OPTIONS IMPORT: route options modified
    Wed Jun 23 23:05:42 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Jun 23 23:05:42 2010 ROUTE default_gateway=192.168.1.254
    Wed Jun 23 23:05:43 2010 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{763D8EFF-D1AD-4FD8-A3CA-A6B768C4A3CE}.tap
    Wed Jun 23 23:05:43 2010 TAP-Win32 Driver Version 9.6
    Wed Jun 23 23:05:43 2010 TAP-Win32 MTU=1500
    Wed Jun 23 23:05:43 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {763D8EFF-D1AD-4FD8-A3CA-A6B768C4A3CE} [DHCP-serv: 10.10.10.5, lease-time: 31536000]
    Wed Jun 23 23:05:43 2010 Successful ARP Flush on interface [16] {763D8EFF-D1AD-4FD8-A3CA-A6B768C4A3CE}
    Wed Jun 23 23:05:46 2010 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
    Wed Jun 23 23:05:49 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:05:49 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:05:54 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:05:54 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:05:55 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:05:55 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:05:56 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:05:56 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:05:57 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:05:57 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:05:58 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:05:58 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:05:59 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:06:00 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:06:01 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:06:01 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:06:02 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:06:02 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:06:03 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:06:03 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:06:05 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:06:05 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:06:06 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:06:06 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:06:07 2010 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Jun 23 23:06:07 2010 Route: Waiting for TUN/TAP interface to come up...
    Wed Jun 23 23:06:09 2010 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
    Wed Jun 23 23:06:09 2010 C:\WINDOWS\system32\route.exe ADD 76.xxx.xxx.xx MASK 255.255.255.255 192.168.1.254
    Wed Jun 23 23:06:09 2010 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=15]
    Wed Jun 23 23:06:09 2010 Route addition via IPAPI failed [adaptive]
    Wed Jun 23 23:06:09 2010 Route addition fallback to route.exe
    The route addition failed: The object already exists.
    
    Wed Jun 23 23:06:09 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.10.10.5
    Wed Jun 23 23:06:09 2010 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=16]
    Wed Jun 23 23:06:09 2010 Route addition via IPAPI failed [adaptive]
    Wed Jun 23 23:06:09 2010 Route addition fallback to route.exe
     OK!
    Wed Jun 23 23:06:09 2010 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.10.10.5
    Wed Jun 23 23:06:09 2010 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=16]
    Wed Jun 23 23:06:09 2010 Route addition via IPAPI failed [adaptive]
    Wed Jun 23 23:06:09 2010 Route addition fallback to route.exe
     OK!
    Wed Jun 23 23:06:09 2010 C:\WINDOWS\system32\route.exe ADD 192.168.7.0 MASK 255.255.255.0 10.10.10.5
    Wed Jun 23 23:06:09 2010 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=16]
    Wed Jun 23 23:06:09 2010 Route addition via IPAPI failed [adaptive]
    Wed Jun 23 23:06:09 2010 Route addition fallback to route.exe
     OK!
    Wed Jun 23 23:06:10 2010 C:\WINDOWS\system32\route.exe ADD 10.10.10.0 MASK 255.255.255.0 10.10.10.5
    Wed Jun 23 23:06:10 2010 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=16]
    Wed Jun 23 23:06:10 2010 Route addition via IPAPI failed [adaptive]
    Wed Jun 23 23:06:10 2010 Route addition fallback to route.exe
     OK!
    Wed Jun 23 23:06:10 2010 Initialization Sequence Completed
     
  34. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You should use the version without the custom configuration.

    One thing to note: You should only fill in the subnet and netmask in the client-specific options table if your client will be routing between its LAN and the VPN (allowing other computers on the client LAN to use the VPN connection).

    You should be using the server LAN computers' actual IP addresses on the server subnet (192.168.7.X). The "Push LAN to clients" option lets the VPN clients know how to route things properly.
     
  35. pmason

    pmason Networkin' Nut Member

    Good to know, I've removed that line.

    Do I understand that with the config I have above (the version without the custom stuff) I should be able to reach my home office computer at 192.168.7.2 from my neighbor's wifi over the VPN? Can I leave the subnet field as 10.10.10.0 in the "Basic" tab?

    Or are you saying I need to have 192.168.7.0 in the subnet field like this:

    When I do that my home network goes down and I can no longer access the router from my home network computers. With that config my client was issued 192.168.7.6 which is a static IP of one of my home network computers. DHCP range on the RT-N16 is 192.168.7.10-100. Not sure why it issued the 192.168.7.6 IP to the client.

    I am so close! I can route internet traffic over the VPN but I can't ping any of the server side computers still.
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, the VPN subnet still needs to be different from both the client and server subnets. It should be left as 10.10.10.0. Having two segments with the same subnet will definitely screw things up.

    What I'm saying is that the server sends directives to the client telling it, "Hey client, if you ever want to send anything to the 192.168.7.0/24 subnet, send it with me (the VPN server's address on the VPN subnet) as the gateway (still addressed to that 192.168.7.x device) and I'll forward it on to it". If you're on the client and try to connect to anything on the server LAN (using the device's address on the server LAN - not an address on the VPN subnet), it should automatically know it has to send it over the VPN and do so.
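The explanation above (server pushes `route 192.168.7.0 255.255.255.0` and `redirect-gateway def1`, the client then sends anything for 192.168.7.x to the server's VPN address as the gateway) can be checked against a client's own routing table. The script below is an added example, not code from the thread: it parses `route print`-style rows, picks the route a destination would take (longest prefix, then lowest metric), and flags entries whose gateway is not reachable on the interface they point at, which is what leftover `route-gateway` pushes and stale sessions leave behind. The table is constructed, modelled on the Windows output in the thread, with the documentation address 198.51.100.43 standing in for the server's masked public IP.

```python
"""Added example (not from the thread): decide which route a Windows client takes
for a destination after OpenVPN pushed 'route 192.168.7.0 255.255.255.0' and
'redirect-gateway def1', and flag stale rows whose gateway is off-subnet for the
interface they name. ROUTE_TABLE is constructed, modelled on the 'route print'
output posted in this thread; 198.51.100.43 stands in for the masked server IP."""
import ipaddress

# interface address -> its on-link network (from ipconfig: TAP 10.10.10.6/30, Wi-Fi 192.168.1.75/24)
INTERFACES = {
    "10.10.10.6": ipaddress.ip_network("10.10.10.4/30"),
    "192.168.1.75": ipaddress.ip_network("192.168.1.0/24"),
}

# constructed excerpt: destination, netmask, gateway, interface, metric
ROUTE_TABLE = """\
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.75     40
          0.0.0.0        128.0.0.0       10.10.10.5       10.10.10.6     30
          0.0.0.0        128.0.0.0       10.10.10.5     192.168.1.75     41
         10.10.10.0    255.255.255.0       10.10.10.5       10.10.10.6     30
         10.10.10.4  255.255.255.252         On-link        10.10.10.6    286
      198.51.100.43  255.255.255.255    192.168.1.254     192.168.1.75     40
          128.0.0.0        128.0.0.0       10.10.10.5       10.10.10.6     30
        192.168.1.0    255.255.255.0         On-link      192.168.1.75    296
        192.168.7.0    255.255.255.0       10.10.10.1       10.10.10.6     30
        192.168.7.0    255.255.255.0       10.10.10.5     192.168.1.75     41
        192.168.7.0    255.255.255.0       10.10.10.5       10.10.10.6     30
"""


def parse_routes(text):
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface, metric = line.split()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": None if gw == "On-link" else ipaddress.ip_address(gw),
            "iface": ipaddress.ip_address(iface),
            "metric": int(metric),
        })
    return routes


def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric; ties keep table order.
    redirect-gateway def1 works because 0.0.0.0/1 and 128.0.0.0/1 outrank the /0
    default without deleting it, while the /32 host route to the server's public IP
    keeps the encrypted UDP itself going out the physical interface."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r["net"]]
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def bogus_routes(routes, interfaces):
    """Rows whose gateway is not on the named interface's own subnet can never carry
    traffic (the host cannot ARP for that gateway there); they are leftovers."""
    return [r for r in routes
            if r["gateway"] is not None and r["gateway"] not in interfaces[str(r["iface"])]]


def clean_routes(routes, interfaces):
    bad = bogus_routes(routes, interfaces)
    return [r for r in routes if r not in bad]


if __name__ == "__main__":
    rt = parse_routes(ROUTE_TABLE)
    for r in bogus_routes(rt, INTERFACES):
        print("stale:", r["net"], "via", r["gateway"], "on", r["iface"])
    good = clean_routes(rt, INTERFACES)
    for dst in ("192.168.7.3", "8.8.8.8", "198.51.100.43", "192.168.1.254"):
        r = lookup(good, dst)
        print(dst, "->", "on-link" if r["gateway"] is None else f"via {r['gateway']}", "if", r["iface"])
```

With the stale rows present, the lookup for 192.168.7.3 ties on prefix and metric and the first /24 entry (gateway 10.10.10.1, which does not exist on the 10.10.10.4/30 link) wins, so the ping goes nowhere even though the tunnel is up; after the three off-subnet rows are dropped, the same lookup lands on 10.10.10.5 over the TAP interface, exactly the behaviour described above.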
     
  37. pmason

    pmason Networkin' Nut Member

    Okay, so maybe something is screwed up with my routes. I am consistently able to forward internet traffic, but I have never been able to ping anything behind the server from the client, or vice versa.

    Here's my admin tab (other tabs are as they were before):

    Here is my routing table:

    Code:
    Windows IP Configuration
    
    
    Ethernet adapter OpenVPN:
    
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::f938:a7a6:83fa:6718%16
       IPv4 Address. . . . . . . . . . . : 10.10.10.6
       Subnet Mask . . . . . . . . . . . : 255.255.255.252
       Default Gateway . . . . . . . . . :
    
    Wireless LAN adapter Wireless Network Connection:
    
       Connection-specific DNS Suffix  . : gateway.2wire.net
       Link-local IPv6 Address . . . . . : fe80::47fe:5db9:ab4e:f587%15
       IPv4 Address. . . . . . . . . . . : 192.168.1.75
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.254
    
    Ethernet adapter Local Area Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    
    Tunnel adapter isatap.gateway.2wire.net:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : gateway.2wire.net
    
    Tunnel adapter Local Area Connection* 15:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    
    Tunnel adapter isatap.{763D8EFF-D1AD-4FD8-A3CA-A6B768C4A3CE}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    
    Tunnel adapter isatap.{DA839737-15EE-4769-AF2F-403673F70872}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    
    Tunnel adapter 6TO4 Adapter:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    
    C:\Users\Bryan Smith>route print
    ===========================================================================
    Interface List
     16...00 ff 76 4d 77 ff ......TAP-Win32 Adapter V9
     15...00 16 eb a3 3a a0 ......Intel(R) WiFi Link 5350
     11...00 23 54 a1 86 0a ......Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller(NDIS6.20)
      1...........................Software Loopback Interface 1
     24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     25...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
     26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
     21...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.75     40
              0.0.0.0        128.0.0.0       10.10.10.1       10.10.10.6     30
              0.0.0.0        128.0.0.0       10.10.10.5     192.168.1.75     41
              0.0.0.0        128.0.0.0      192.168.7.1     192.168.1.75     41
              0.0.0.0        128.0.0.0       10.10.10.5       10.10.10.6     30
           10.10.10.0    255.255.255.0       10.10.10.5     192.168.1.75     41
           10.10.10.0    255.255.255.0       10.10.10.5       10.10.10.6     30
           10.10.10.1  255.255.255.255       10.10.10.5       10.10.10.6     30
           10.10.10.4  255.255.255.252         On-link        10.10.10.6    286
           10.10.10.6  255.255.255.255         On-link        10.10.10.6    286
           10.10.10.7  255.255.255.255         On-link        10.10.10.6    286
        76.xxx.xxx.43  255.255.255.255      192.168.7.1     192.168.1.75     40
        76.xxx.xxx.43  255.255.255.255      192.168.7.1       10.10.10.6     31
       99.xxx.xxx.133  255.255.255.255    192.168.1.254     192.168.1.75     40
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0       10.10.10.1       10.10.10.6     30
            128.0.0.0        128.0.0.0       10.10.10.5     192.168.1.75     41
            128.0.0.0        128.0.0.0      192.168.7.1     192.168.1.75     41
            128.0.0.0        128.0.0.0       10.10.10.5       10.10.10.6     30
          192.168.1.0    255.255.255.0         On-link      192.168.1.75    296
         192.168.1.75  255.255.255.255         On-link      192.168.1.75    296
        192.168.1.255  255.255.255.255         On-link      192.168.1.75    296
          192.168.6.1  255.255.255.255      192.168.6.5       10.10.10.6     30
          192.168.7.0    255.255.255.0       10.10.10.1       10.10.10.6     30
          192.168.7.0    255.255.255.0       10.10.10.5     192.168.1.75     41
          192.168.7.0    255.255.255.0       10.10.10.5       10.10.10.6     30
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link        10.10.10.6    286
            224.0.0.0        240.0.0.0         On-link      192.168.1.75    296
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link        10.10.10.6    286
      255.255.255.255  255.255.255.255         On-link      192.168.1.75    296
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0          5.0.0.1  Default
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     25     58 ::/0                     On-link
      1    306 ::1/128                  On-link
     25     58 2001::/32                On-link
     25    306 2001:0:4137:9e74:1476:31a1:9c4a:3b7a/128
                                        On-link
     16    286 fe80::/64                On-link
     15    296 fe80::/64                On-link
     25    306 fe80::/64                On-link
     26    296 fe80::5efe:10.10.10.6/128
                                        On-link
     25    306 fe80::1476:31a1:9c4a:3b7a/128
                                        On-link
     15    296 fe80::48fe:5db9:ab3e:f587/128
                                        On-link
     16    286 fe80::f938:a9a3:83fa:6718/128
                                        On-link
      1    306 ff00::/8                 On-link
     16    286 ff00::/8                 On-link
     15    296 ff00::/8                 On-link
     25    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    And here is my latest client log:

    Code:
    Thu Jun 24 14:49:44 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
    Thu Jun 24 14:49:44 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Jun 24 14:49:45 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Thu Jun 24 14:49:45 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jun 24 14:49:45 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jun 24 14:49:45 2010 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Thu Jun 24 14:50:05 2010 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Thu Jun 24 14:50:05 2010 Local Options hash (VER=V4): 'ed844052'
    Thu Jun 24 14:50:05 2010 Expected Remote Options hash (VER=V4): '8a244582'
    Thu Jun 24 14:50:05 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Thu Jun 24 14:50:05 2010 UDPv4 link local: [undef]
    Thu Jun 24 14:50:05 2010 UDPv4 link remote: 76.xxx.xxx.133:1195
    Thu Jun 24 14:50:05 2010 TLS: Initial packet from 76.xxx.xxx.133:1195, sid=1eb96b7d 2c85e6b1
    Thu Jun 24 14:50:06 2010 VERIFY OK: depth=1, /C=US/ST=TX/L=Dallas/O=OpenVPN/CN=OpenVPN-TX/emailAddress=xxxx@yahoo.com
    Thu Jun 24 14:50:06 2010 VERIFY OK: nsCertType=SERVER
    Thu Jun 24 14:50:06 2010 VERIFY OK: depth=0, /C=US/ST=TX/O=OpenVPN/CN=server/emailAddress=xxxx@yahoo.com
    Thu Jun 24 14:50:07 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Jun 24 14:50:07 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jun 24 14:50:07 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Jun 24 14:50:07 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jun 24 14:50:07 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Thu Jun 24 14:50:07 2010 [server] Peer Connection Initiated with 76.xxx.xxx.133:1195
    Thu Jun 24 14:50:09 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Thu Jun 24 14:50:10 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.7.0 255.255.255.0,dhcp-option DNS 192.168.7.1,redirect-gateway def1,route 10.10.10.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5'
    Thu Jun 24 14:50:10 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Jun 24 14:50:10 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Jun 24 14:50:10 2010 OPTIONS IMPORT: route options modified
    Thu Jun 24 14:50:10 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Jun 24 14:50:10 2010 ROUTE default_gateway=192.168.1.254
    Thu Jun 24 14:50:10 2010 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{763D8EFF-D1AD-4FD8-A3CA-A6B768C4A3CE}.tap
    Thu Jun 24 14:50:10 2010 TAP-Win32 Driver Version 9.6
    Thu Jun 24 14:50:10 2010 TAP-Win32 MTU=1500
    Thu Jun 24 14:50:10 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {763D8EFF-D1AD-4FD8-A3CA-A6B768C4A3CE} [DHCP-serv: 10.10.10.5, lease-time: 31536000]
    Thu Jun 24 14:50:10 2010 Successful ARP Flush on interface [16] {763D8EFF-D1AD-4FD8-A3CA-A6B768C4A3CE}
    Thu Jun 24 14:50:15 2010 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
    Thu Jun 24 14:50:15 2010 C:\WINDOWS\system32\route.exe ADD 76.xxx.xxx.133 MASK 255.255.255.255 192.168.1.254
    Thu Jun 24 14:50:15 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=40 and dwForwardType=4
    Thu Jun 24 14:50:15 2010 Route addition via IPAPI succeeded [adaptive]
    Thu Jun 24 14:50:15 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.10.10.5
    Thu Jun 24 14:50:15 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Thu Jun 24 14:50:15 2010 Route addition via IPAPI succeeded [adaptive]
    Thu Jun 24 14:50:15 2010 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.10.10.5
    Thu Jun 24 14:50:15 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Thu Jun 24 14:50:16 2010 Route addition via IPAPI succeeded [adaptive]
    Thu Jun 24 14:50:16 2010 C:\WINDOWS\system32\route.exe ADD 192.168.7.0 MASK 255.255.255.0 10.10.10.5
    Thu Jun 24 14:50:16 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Thu Jun 24 14:50:16 2010 Route addition via IPAPI succeeded [adaptive]
    Thu Jun 24 14:50:16 2010 C:\WINDOWS\system32\route.exe ADD 10.10.10.0 MASK 255.255.255.0 10.10.10.5
    Thu Jun 24 14:50:16 2010 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=16]
    Thu Jun 24 14:50:16 2010 Route addition via IPAPI failed [adaptive]
    Thu Jun 24 14:50:16 2010 Route addition fallback to route.exe
    The route addition failed: The object already exists.
    
    Thu Jun 24 14:50:16 2010 Initialization Sequence Completed
    What should I be focusing on here? Just so I don't miss something, when I try to ping my home office computer from the client over the vpn, I'm typing
    Code:
    ping 192.168.7.2
    If I were to ping the client from a computer behind the server, would I type
    Code:
    ping 10.10.10.6
    ?

    Neither of those commands gives me anything.

    I noticed that under my "OpenVPN" network connection above, I have no default gateway listed. Should 10.10.10.1 be the default gateway for that connection?
     
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Exactly right on both accounts.

    Yes, your routing looks odd. For some reason, for each route being added via OpenVPN, your computer is adding three (one is the correct one, one is on the right interface but wrong gateway, and another is the wrong interface altogether). I don't know why that is, but, from your logs, it seems OpenVPN is passing them off to your OS correctly, so it would be an OS issue.

    You might try uncommenting "topology subnet" on the server (and possibly the client as well, but I think it will get pushed there automatically) to see if it works around this Windows bug.

    By the way, what version of Windows are you running?
     
  39. pmason

    pmason Networkin' Nut Member

    I'm running Windows 7.

    I rebooted, fired up the same .ovpn with topology subnet on the client and server configs and the routing tables look different. I still couldn't ping anything.

    Code:
     ===========================================================================
    Interface List
     16...00 ff 76 xx xx ff ......TAP-Win32 Adapter V9
     15...00 16 eb xx xx a0 ......Intel(R) WiFi Link 5350
     11...00 23 54 xx xx 0a ......Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller(NDIS6.20)
      1...........................Software Loopback Interface 1
     25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     26...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     21...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.75     40
              0.0.0.0        128.0.0.0       10.10.10.5       10.10.10.2     30
              0.0.0.0        128.0.0.0       10.10.10.1       10.10.10.2     30
           10.10.10.0    255.255.255.0       10.10.10.5       10.10.10.2     30
           10.10.10.2  255.255.255.255         On-link        10.10.10.2    286
       99.xxx.xxx.133  255.255.255.255    192.168.1.254     192.168.1.75     40
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0       10.10.10.5       10.10.10.2     30
            128.0.0.0        128.0.0.0       10.10.10.1       10.10.10.2     30
          192.168.1.0    255.255.255.0         On-link      192.168.1.75    296
         192.168.1.75  255.255.255.255         On-link      192.168.1.75    296
        192.168.1.255  255.255.255.255         On-link      192.168.1.75    296
          192.168.7.0    255.255.255.0       10.10.10.5       10.10.10.2     30
          192.168.7.0    255.255.255.0       10.10.10.1       10.10.10.2     30
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link        10.10.10.2    286
            224.0.0.0        240.0.0.0         On-link      192.168.1.75    296
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link        10.10.10.2    286
      255.255.255.255  255.255.255.255         On-link      192.168.1.75    296
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0          5.0.0.1  Default
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     26     58 ::/0                     On-link
      1    306 ::1/128                  On-link
     26     58 2001::/32                On-link
     26    306 2001:0:4137:9e74:1c95:xxxx:9c4a:3b7a/128
                                        On-link
     16    286 fe80::/64                On-link
     15    296 fe80::/64                On-link
     26    306 fe80::/64                On-link
     24    296 fe80::5efe:10.10.10.2/128
                                        On-link
     26    306 fe80::1c95:2e69:xxxx:3b7a/128
                                        On-link
     15    296 fe80::48fe:5db9:xxxx:f587/128
                                        On-link
     16    286 fe80::f938:a9a6:xxxx:6718/128
                                        On-link
      1    306 ff00::/8                 On-link
     26    306 ff00::/8                 On-link
     16    286 ff00::/8                 On-link
     15    296 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    I then manually specified the IP, subnet, and default gateway for the OpenVPN network connection, using my current IP from the server status tab (10.10.10.2) and the server IP of 192.168.7.1. I am now able to ping a computer behind the server from the client. I could not ping the client (10.10.10.2) from that PC, but I could ping the server at 10.10.10.1.

    So is there something that needs to be specified further regarding default gateways?

    Bridging network connections didn't help, at least the way I tried it.
     
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You definitely shouldn't bridge the connections when using TUN. Just to try something, does it work if you delete all of the routes with 10.10.10.1 as the gateway (those are the problem)?
     
  41. pmason

    pmason Networkin' Nut Member

    Delete them from the client routing table? Or from the VPN server? I would have to read up on editing the routes manually if from the client routing table.

    Is something like "route delete 10.10.10.*" on the client what you're talking about?
     
  42. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I was talking about on the client, just to be sure I'm correct on what the problem is.

    The command would be of the form:
    Code:
    route delete 192.168.7.0 MASK 255.255.255.0 10.10.10.1
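
    A way to find the doubled routes SgtPepperKSU describes without reading the table by eye. This is an added example, not code from the thread or from TomatoVPN: it parses the IPv4 "Active Routes" section of Windows `route print` output, groups next-hop entries by destination and netmask, and renders `route delete` commands in the form given above for every gateway other than the tunnel peer you pass in. The sample table is constructed from the client table posted above, with the public address replaced by the documentation address 203.0.113.133.

```python
"""Spot destinations that carry more than one gateway in a Windows 'route print'
table, as in the tables posted above, and render the matching 'route delete'
commands. Added example; the sample table is constructed from the client table
above with the public address replaced by the documentation address 203.0.113.133."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the client table posted above.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.75     40
          0.0.0.0        128.0.0.0       10.10.10.5       10.10.10.2     30
          0.0.0.0        128.0.0.0       10.10.10.1       10.10.10.2     30
       10.10.10.0    255.255.255.0       10.10.10.5       10.10.10.2     30
       10.10.10.2  255.255.255.255         On-link        10.10.10.2    286
    203.0.113.133  255.255.255.255    192.168.1.254     192.168.1.75     40
        128.0.0.0        128.0.0.0       10.10.10.5       10.10.10.2     30
        128.0.0.0        128.0.0.0       10.10.10.1       10.10.10.2     30
      192.168.1.0    255.255.255.0         On-link      192.168.1.75    296
      192.168.7.0    255.255.255.0       10.10.10.5       10.10.10.2     30
      192.168.7.0    255.255.255.0       10.10.10.1       10.10.10.2     30
===========================================================================
Persistent Routes:
  None
"""

# One 'Active Routes' line: dest, netmask, gateway (IP or On-link), interface IP, metric
ROUTE_LINE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<gw>\S+)\s+(?P<iface>\d+\.\d+\.\d+\.\d+)\s+(?P<metric>\d+)\s*$"
)


def parse_ipv4_routes(text):
    """Return (dest, mask, gateway, interface, metric) tuples from the IPv4
    'Active Routes' section; the interface list and the IPv6 table are skipped."""
    routes = []
    in_ipv4 = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "IPv4 Route Table":
            in_ipv4 = True
            continue
        if stripped == "IPv6 Route Table":
            in_ipv4 = False
        if not in_ipv4:
            continue
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        # ipaddress rejects malformed quads and a netmask that is not contiguous
        ipaddress.IPv4Network((m["dest"], m["mask"]), strict=False)
        routes.append((m["dest"], m["mask"], m["gw"], m["iface"], int(m["metric"])))
    return routes


def duplicate_gateway_routes(routes, keep_gateway):
    """Group next-hop routes by (dest, mask). Where one destination has several
    gateways, return the entries whose gateway is not keep_gateway (the tunnel
    peer the server pushed, 10.10.10.5 in the client log above)."""
    by_dest = defaultdict(list)
    for r in routes:
        if r[2] != "On-link":
            by_dest[(r[0], r[1])].append(r)
    stray = []
    for entries in by_dest.values():
        if len({e[2] for e in entries}) > 1:
            stray.extend(e for e in entries if e[2] != keep_gateway)
    return stray


def route_delete_commands(routes, keep_gateway):
    """Render the cleanup commands in the 'route delete DEST MASK NETMASK GW' form."""
    return [f"route delete {d} MASK {m} {gw}"
            for d, m, gw, _, _ in duplicate_gateway_routes(routes, keep_gateway)]


if __name__ == "__main__":
    table = parse_ipv4_routes(SAMPLE_ROUTE_PRINT)
    for cmd in route_delete_commands(table, "10.10.10.5"):
        print(cmd)
```

    Feed it the output of `route print` and the peer address from the client's `ifconfig` line; it only reports destinations that really have two different next hops, so the ordinary On-link and default entries are left alone.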
     
  43. pmason

    pmason Networkin' Nut Member

    I haven't determined if using the route delete command has been what has helped or not, but a couple times I have gotten the TUN adapter working enough that I can see my home LAN, and even access the USB drive on the RT-N16, but I can't actually browse any of the computers behind the home router. It's pretty slow discovering the LAN resources too.

    I've tried what seems like several dozen modifications on the last configuration I posted and no luck.
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Discovering of (some) LAN resources and browsing to computers in Network Neighborhood will not work as if you were on the same LAN when using TUN. They use broadcast messages, which do not traverse the tunnel. However, you can still browse the computers' network resources by specifying its IP or name (//<iporname>/).
     
  45. Dagger

    Dagger Networkin' Nut Member

    If you got your client connected to your home LAN using TAP, then why are you trying to setup TUN?

    TUN is best for point-to-point... one router to another router, or one computer to another computer (server). TAP is best for host-to-LAN... remote computer to home network.

    Getting host-to-LAN functionality with a point-to-point topology requires extra routing effort on part of the remote client and the OpenVPN server.

    Using TCP vs UDP depends on the expected environment of your remote client. If there is a chance the remote client might be connecting to the OpenVPN server from behind a proxy, then use TCP. A lot of proxies block UDP.

    When using TCP, UDP traffic from the remote client to the home network will still function as normal... it is just encapsulated in a TCP packet when transmitted through the tunnel. The OpenVPN server unpacks the encapsulated UDP packet and dumps it on the home network so the UDP traffic appears to be generated locally. This is why broadcast-dependent protocols work with TAP (i.e. Network Neighborhood).

    Using TCP incurs some additional packet overhead, but it is negligible and you won't notice it.... and TCP will give you the best chance at connecting through a proxy.
     
  46. Dagger

    Dagger Networkin' Nut Member

    Based on the metric for those routes (30), I think they are being injected by OpenVPN. Could it be because of the redundant "topology subnet" directive since the --server directive expands into code that also adds routes? See the following for reference:

    Code:
    --server network netmask
        A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.
    
        For example, --server 10.8.0.0 255.255.255.0 expands as follows:
    
         mode server
         tls-server
         push "topology [topology]"
    
         if dev tun AND (topology == net30 OR topology == p2p):
           ifconfig 10.8.0.1 10.8.0.2
           if !nopool:
             ifconfig-pool 10.8.0.4 10.8.0.251
           route 10.8.0.0 255.255.255.0
           if client-to-client:
             push "route 10.8.0.0 255.255.255.0"
           else if topology == net30:
             push "route 10.8.0.1"
    
         if dev tap OR (dev tun AND topology == subnet):
           ifconfig 10.8.0.1 255.255.255.0
           if !nopool:
             ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
           push "route-gateway 10.8.0.1"
    
        Don't use --server if you are ethernet bridging(TAP). Use --server-bridge instead.
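
    The expansion quoted above as a runnable function, so the net30 and subnet branches can be compared on the thread's own 10.10.10.0/24. This is an added example, not OpenVPN's code: it follows the man-page pseudocode; the pool bounds (broadcast minus 4 for net30, broadcast minus 1 for subnet) are inferred from the 10.8.0.0/24 example and are an assumption, as is the /30 carving in `net30_client_endpoints`.

```python
"""Expand OpenVPN's --server helper directive into the options it stands for,
following the man-page pseudocode quoted above. Added example, not OpenVPN's
own code. Assumptions: pool end is broadcast-4 for net30 and broadcast-1 for
subnet (inferred from the 10.8.0.0/24 example), and net30 hands each client
a /30 from the pool start upward."""
import ipaddress


def _addr(n):
    return str(ipaddress.IPv4Address(n))


def expand_server(network, netmask, topology="net30", dev="tun",
                  nopool=False, client_to_client=False):
    """Return the option lines that --server network netmask expands to."""
    net = ipaddress.IPv4Network((network, netmask), strict=True)
    base = int(net.network_address)
    bcast = int(net.broadcast_address)
    opts = ["mode server", "tls-server", f'push "topology {topology}"']

    if dev == "tun" and topology in ("net30", "p2p"):
        # Server endpoint is .1, its point-to-point peer is .2
        opts.append(f"ifconfig {_addr(base + 1)} {_addr(base + 2)}")
        if not nopool:
            opts.append(f"ifconfig-pool {_addr(base + 4)} {_addr(bcast - 4)}")
        opts.append(f"route {net.network_address} {net.netmask}")
        if client_to_client:
            opts.append(f'push "route {net.network_address} {net.netmask}"')
        elif topology == "net30":
            opts.append(f'push "route {_addr(base + 1)}"')
    elif dev == "tap" or (dev == "tun" and topology == "subnet"):
        # One flat subnet: server is .1, clients get .2 up to broadcast-1,
        # and the pushed route-gateway is the server's .1 address
        opts.append(f"ifconfig {_addr(base + 1)} {net.netmask}")
        if not nopool:
            opts.append(f"ifconfig-pool {_addr(base + 2)} {_addr(bcast - 1)} {net.netmask}")
        opts.append(f'push "route-gateway {_addr(base + 1)}"')
    else:
        raise ValueError(f"unsupported dev/topology combination: {dev}/{topology}")
    return opts


def net30_client_endpoints(network, netmask, client_index):
    """Under net30 each client takes a /30 out of the pool: the client address is
    the third address of its block and the server-side endpoint the second, which
    is what 'ifconfig 10.10.10.6 10.10.10.5' in the client log above means."""
    net = ipaddress.IPv4Network((network, netmask), strict=True)
    block = int(net.network_address) + 4 + 4 * client_index
    if block + 3 > int(net.broadcast_address) - 4:
        raise ValueError("address pool exhausted")
    return _addr(block + 2), _addr(block + 1)


if __name__ == "__main__":
    for topo in ("net30", "subnet"):
        print(f"--server 10.10.10.0 255.255.255.0 with topology {topo}:")
        for line in expand_server("10.10.10.0", "255.255.255.0", topo, client_to_client=True):
            print("   ", line)
    print("first net30 client (client, server-side):",
          net30_client_endpoints("10.10.10.0", "255.255.255.0", 0))
```

    With client-to-client on, the net30 branch pushes `route 10.10.10.0 255.255.255.0`, which is the entry visible in the PUSH_REPLY of the client log above, and the first client is handed 10.10.10.6/10.10.10.5 as that log shows. Switching to subnet replaces the per-client peer with a pushed `route-gateway 10.10.10.1`, which is the route-gateway difference Dagger points at.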
     
  47. pmason

    pmason Networkin' Nut Member

    My goal is to set up a VPN to access my home LAN (and Windows Home Server in the future), but another important goal is to learn Virtual Private Networking. I can't leave "well enough" alone, I have to keep fooling with stuff until I understand it.

    I really appreciate the resource that these forums are. It's unbelievable to me that I'm able to get my noob questions answered by Mr. TomatoVPN himself (Keith Moyer) and other very knowledgeable and experienced people. The internets are so great!

    Would IPv6 TUN support allow me to make this point to multipoint setup work? Would IPv6 support allow the TUN server to specify routes as if iroute directive were used and routes specified manually for the home LAN clients? I'm interested in the work of Gert Döring over on http://www.greenie.net/ipv6/openvpn.html and wondering if IPv6 support will make point to multipoint TUN a better choice in the future.
     
  48. Dagger

    Dagger Networkin' Nut Member

    Fair enough... I can't think of a better reason.

    I'm not familiar at all yet with IPv6, so I can't help you there. I can tell you that what you're thinking of is not a point-to-multipoint VPN. Regardless of whether you are using TUN or TAP, there are only two tunnel endpoints... the road warrior and the OpenVPN server. An example of a point-to-multipoint tunnel would be a VPN between multiple branch offices... LA, New York, Dallas, and Denver for example. Each branch office would have an endpoint in the tunnel and all endpoints would be in the same subnet. Each branch office would likely communicate directly to any other branch office without going through a central HUB (also called a MESH).

    The distinction you are trying to make is the difference between Layer 2 and Layer 3. With TUN, traffic from the remote client to the home network has to be routed because the subnet between the remote client and the OpenVPN server is different than the subnet on the home LAN. With TAP, traffic from the remote client to the home network does not need to be routed because the remote client appears to be on the same subnet as the home network. Packets from the remote client to the home network are encapsulated inside internet packets... the OpenVPN server opens up these internet packets and dumps the remote client's packets on the home network as if they were generated locally. So even with TAP, the tunnel ends at the OpenVPN server and does not "extend" to the home LAN clients.

    I often call Layer 2 encapsulated tunnels host-to-LAN and Layer 3 tunnels point-to-point... but technically they are both point-to-point.
     
  49. pmason

    pmason Networkin' Nut Member

    Since I will have multiple clients connecting to the OpenVPN TAP server, won't I have a point-to-multipoint VPN since clients are assigned IPs by the server and are therefore accessible to other clients?
     
  50. Dagger

    Dagger Networkin' Nut Member

    Using TAP, all of the remote clients and the local LAN clients would be in the same subnet (Layer 2 Broadcast Domain). This is accomplished with a hybrid tunnel topology with the OpenVPN server having a point-to-multipoint tunnel with the clients, but the clients have a point-to-point tunnel with the OpenVPN server.

    By default the remote clients will not be able to communicate with each other, but you can use the client-to-client (?) directive on the server to allow remote clients to "see" each other by bouncing through the OpenVPN server.

    With a true point-to-multipoint topology each endpoint would have a tunnel to each of the other endpoints. Imagine a square with a router (endpoint) in each corner... now imagine lines connecting each of the corners diagonally... each side and each diagonal represents a tunnel. Usually there would be a unique subnet or network behind each router.

    The important distinction to be made for our purposes in regard to using OpenVPN with Tomato is between Layer 2 and Layer 3. TUN implements a connection at Layer 3 and TAP implements a connection at Layer 2. Layer 3 (TUN) is best for connecting one host to another host... one router to another router, or your road warrior laptop to your office computer for example. Layer 2 (TAP) is best for connecting remote hosts to a private network (hence Virtual Private Network)... your road warrior laptop to your office LAN for example.

    Because we have our OpenVPN server running on our home routers, as opposed to running on a host somewhere in our home LAN, TAP is most often the best way to go because most likely you are wanting to remotely connect to your home network. If you want to connect your home network to your brother's network in another state, TUN between your router and his router would be the way to go.
     
  51. Jo Claes

    Jo Claes Networkin' Nut Member

    Hi,

    I've just installed my first site-to-site routed vpn based on agidi's configuration and SgtPepperKSU's remarks.

    Everything is working fine except the fact that from the server side I can't ping or resolve any client PC or other device / from the client side I don't have any problems.

    What I did:
    I have an internet router (172.31.255.2) and connected both my 'server' (WAN IP 172.31.255.30) and my 'client' (WAN IP 172.31.255.29) to it, so the 172.31.255.0 range is acting as 'the internet' for my VPN routers.

    My server is on 192.168.0.254, subnet 255.255.255.0. My client is on 192.168.1.1, subnet 255.255.255.0.

    Tracert results from inside the 'client-network' :
    1 1 ms 2 ms 1 ms unknown [192.168.1.1]
    2 7 ms 5 ms 5 ms 10.10.10.1
    3 7 ms 6 ms 6 ms portable [192.168.0.115]

    when i perform a tracert from inside the 'server-network ' :
    1 1 ms 1 ms 2 ms unknown [192.168.0.254]
    2 4 ms 1 ms 1 ms 172.31.255.2
    3 21 ms 20 ms 20 ms 1.40-183-91.adsl-static.isp.belgacom.be [91.183.40.1]
    4 21 ms 27 ms 21 ms 30.241-183-91.adsl-static.isp.belgacom.be [91.183.241.30]
    5 25 ms 21 ms 22 ms ae-14-1000.ibrstr1.isp.belgacom.be [91.183.246.111]

    So it looks like my 'server-network' does not have any knowledge of the 'client-network' and it tries to find the answer on the real internet...

    Can someone help me out?
     
  52. Goggy

    Goggy Network Guru Member

    OpenVPN-Server -> Server -> Advanced -> Manage Client-Specific Options - there you will find the solution.
    Define your client LAN there: subnet 192.168.1.0, netmask 255.255.255.0 (don't forget to tick "enable" and "push"). The Common Name must be identical to the one you used when generating the client certificate. Lastly, activate "Allow Client<->Client" ...

    Sorry for my English :D
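
    Why the server-side tracert above heads out to the ISP, as a small routing model. This is an added example, not Tomato's or OpenVPN's code: a longest-prefix-match lookup over the server router's table before and after the client LAN is added, followed by OpenVPN's own internal step. Goggy's client-specific entry is, in OpenVPN terms, an `iroute 192.168.1.0 255.255.255.0` tied to that client's Common Name (and, with push ticked, a `push "route ..."` so other clients learn it); the server's kernel also needs a route for 192.168.1.0/24 into the tun device (OpenVPN's `route` directive), which is why both stages appear below. The interface names `br0`, `tun` and `wan` and the client Common Name `site-b` are illustrative assumptions; the addresses are those in Jo Claes' post.

```python
"""Model of the server-side forwarding decision for the site-to-site case above.
Added example (not Tomato's or OpenVPN's code); interface names and the client
Common Name are illustrative, the addresses come from the post."""
import ipaddress


def lookup(table, dst):
    """Longest-prefix match: return (prefix, target) of the most specific entry
    containing dst, or None. table is a list of (prefix, target) tuples."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, target in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


# Kernel routing table of the 'server' router (192.168.0.254) as the post
# describes it: LAN on br0, tunnel on tun, WAN gateway 172.31.255.2.
# Constructed from the post; the interface names are assumptions.
KERNEL_BEFORE = [
    ("192.168.0.0/24", "br0"),
    ("10.10.10.0/24", "tun"),
    ("172.31.255.0/24", "wan"),
    ("0.0.0.0/0", "172.31.255.2"),
]
# What OpenVPN's 'route 192.168.1.0 255.255.255.0' adds on the server side.
KERNEL_AFTER = KERNEL_BEFORE + [("192.168.1.0/24", "tun")]
# What the client-specific entry (iroute) adds inside OpenVPN: which client
# Common Name owns the subnet. 'site-b' is a placeholder. (Real OpenVPN also
# knows each client's own tunnel address; that is left out of this model.)
IROUTES = [("192.168.1.0/24", "site-b")]


def forward(kernel_table, iroute_table, dst):
    """Two-stage decision: the kernel picks the next hop; if that is the tun
    device, OpenVPN then needs an iroute to know which client owns dst."""
    hop = lookup(kernel_table, dst)
    if hop is None:
        return "no route"
    if hop[1] != "tun":
        return f"via {hop[1]}"
    owner = lookup(iroute_table, dst)
    if owner is None:
        return "into tun, but OpenVPN has no iroute for it"
    return f"into tun, to client {owner[1]}"


if __name__ == "__main__":
    cases = ((KERNEL_BEFORE, [], "before"),
             (KERNEL_AFTER, [], "route only"),
             (KERNEL_AFTER, IROUTES, "route + iroute"))
    for table, iroutes, label in cases:
        print(f"{label:15} 192.168.1.20 -> {forward(table, iroutes, '192.168.1.20')}")
```

    The first case reproduces the tracert in the post: with no entry for 192.168.1.0/24 the only match is the default route, so the packet leaves via 172.31.255.2. The second case shows why a kernel route alone is not enough for OpenVPN in server mode, and the third is the state Goggy's client-specific option produces.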
     
