Quick free nvram questions

Discussion in 'Tomato Firmware' started by sultanoswing, Mar 28, 2010.

  1. sultanoswing

    sultanoswing Addicted to LI Member

    I've just come back to Tomato from dd-wrt. My main use is openVPN, using TLS certificates, so I'm using the TomatoVPN mod (ver. 1.27). All is running well.

    Running "nvram show | grep free" from an ssh terminal shows just 295 bytes free.

    On dd-wrt with a similar setup I had around 1500 bytes free.

    1) Should I be concerned about the low free nvram?

    2) Is there a facility in Tomato, as in dd-wrt, to 'apply settings' without committing to nvram?

    Thanks!
     
  2. mstombs

    mstombs Network Guru Member

    There is a setting in Administration -> Debugging to "avoid doing an nvram commit", which does reduce writing to flash, useful when doing a lot of changes - you can decide (on same web gui page) when to do the commit.

    I would be a bit concerned about that low free - can you store things on jffs? Not sure how well tomato handles overfilling nvram - some versions of firmware brick!
     
  3. sultanoswing

    sultanoswing Addicted to LI Member

    Ta.

    I've enabled JFFS and formatted it, but how can I shift stuff out of nvram space onto it?

    I've also checked the "don't commit to nvram" button and will get around to trying to move some stuff tomorrow. Wondering if the best way is to save the backup, then do a reset, then reload the backup file. Hmmmm.

    Am up to 310 bytes free now.
     
  4. mstombs

    mstombs Network Guru Member

    I suggest you post in the VPN mod thread, in the early days many external files were needed, now they are auto generated by the web gui, but I'm sure there is a syntax to store certs (with plenty of comments) on /jffs/ and just refer to them from the web gui custom config boxes.

    It is easy to move init and firewall scripts, by creating executable shell scripts on /jffs/ (I recommend winscp and notepad++ to create unix line ending files) and just referring to them in the Tomato config, i.e.

    /jffs/myfirewall.sh
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, that thread is so long, I think it's better to have new topics rather than adding to that.
    Hmmm, the files have always been auto-generated in my builds, so there's not a direct way to do that. However, in the last couple of releases, I made a change that could have a side effect of allowing this. The change makes it so that if you leave a cert/key field blank, the directives referring to those are left out of the config. So, you can just leave the certs you want on JFFS empty in the GUI and add the proper directives (e.g., ca /jffs/ca.crt) to the custom config section.
     
  6. sultanoswing

    sultanoswing Addicted to LI Member

    Brilliant... just what I was after, and similar to how dd-wrt handles things. I'll get around to it in the next few days and report back.

    As I use Arch linux, the Unix-endings won't be a problem, but it's good to know the location (/jffs/) to 'scp' the files via ssh.
     
  7. sultanoswing

    sultanoswing Addicted to LI Member

    No dice.

    I set up the custom config with the following:
    dh /jffs/dh.pem
    ca /jffs/ca.crt
    cert /jffs/server.crt
    key /jffs/server.key
    tls-auth /jffs/ta.key 0

    Then used /bin/vi via a putty ssh login to the router to copy and paste the relevant certificates and dh.pem, thus creating each file in the /jffs/ partition. VPNserver didn't start.

    Oh well - it's now running fine again using the GUI, and because I haven't committed any settings to nvram, I now have 16209 bytes free (FWIW).
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No reason it shouldn't work. Did you get an error in the router logs?
     
  9. mstombs

    mstombs Network Guru Member

    - Sorry must have been thinking of roadkill's older mod!

    There is a potential issue with /jffs/ - if router not shut down correctly data can be lost, on other devices sometimes the "sync" command works, sometimes the partition has to be umounted. Are the files still there?
     
  10. sultanoswing

    sultanoswing Addicted to LI Member

    I'm going away for the weekend, so need my VPN - but will have another crack at it next week & report back. The only downside with the 'don't commit to nvram' approach is that rebooting the router loses everything! Maybe I'll commit everything except the certificates, so the jffs will be most useful if/when I get it working!

    Anyway, merry Easter all.
     
  11. sultanoswing

    sultanoswing Addicted to LI Member

    Yup!! All is working!!

    I had mispasted the certificates. I'd used gedit to copy the text, then pasted into each certificate on /jffs/ using /bin/vi *filename*. What I had missed was that each certificate was messed up, starting with:

    Code:
    N CERTIFICATE-----
    QIWDdTCCAt7TawIBAgIJA etc. etc.
    
    rather than

    Code:
    -----BEGIN CERTIFICATE-----
    QIWDdTCCAt7TAwIBAgIJA etc. etc.
    
    Having corrected the certificate headers, openVPN is now running using certs on the jffs partition. Sweet!

    I've just committed the nvram, and it's showing:

    Code:
    584 entries    12296 bytes used     20472 bytes free
    
    I love it when a plan comes together :)
     
  12. mstombs

    mstombs Network Guru Member

    HaHa, vi waited for the first "i" to insert!, but good result.
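
A pre-flight check for the failure found in this thread, added here as an example and not part of any post: it confirms that a certificate or key file copied to /jffs/ still has an intact, matching BEGIN/END pair and Unix line endings before OpenVPN is pointed at it. The function name `check_pem` and the sample files are constructed for illustration, and the script assumes the router's shell provides `grep`, `awk` and `mktemp`.

```sh
#!/bin/sh
# Added example: verify PEM framing of files pasted or copied onto /jffs/.
# check_pem FILE prints a verdict and returns 0 only if the framing is intact.
check_pem() {
    f=$1
    [ -r "$f" ] || { echo "$f: missing or unreadable"; return 1; }

    # Files written by Windows editors may carry CR line endings.
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: contains CR (DOS) line endings"
        return 1
    fi

    # Comment or text lines may precede the block (ta.key starts with '#'
    # lines), so search for the first complete BEGIN line, remember its
    # label, and require an END line carrying the same label after it.
    awk '
        /^-----BEGIN [A-Za-z0-9 ]+-----$/ && !label {
            label = substr($0, 12, length($0) - 16); next
        }
        label && $0 == "-----END " label "-----" { ok = 1 }
        END { exit !ok }
    ' "$f" || { echo "$f: no intact BEGIN/END pair"; return 1; }

    echo "$f: ok"
}

# Constructed samples: one intact file and one with the truncated first
# line described in the thread. The base64 body is a placeholder.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$tmp/good.crt"
printf '%s\n' 'N CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$tmp/bad.crt"

check_pem "$tmp/good.crt"
check_pem "$tmp/bad.crt" || echo "fix this file before starting the VPN server"
```

On the router, the same function can be run over the five files named in the custom config above (dh.pem, ca.crt, server.crt, server.key, ta.key) under /jffs/.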
     
