
Selective VPN With Tomato

Discussion in 'Tomato Firmware' started by KraftDinner, Jul 28, 2009.

  1. KraftDinner

    KraftDinner Addicted to LI Member

    I've got a quick question about options with VPN in Tomato. Can Tomato allow selective VPN? To illustrate, imagine I have an app on port 8000 that I do not want to run through a VPN service that I already have set up, and on another port, say 9000, I have an app that needs to run through the VPN. Is this possible? Or is there some other method by which Tomato could do this? Any help would be greatly appreciated.

    I'm wanting to setup my network on a VPN service that I will be buying. The only thing is they only offer 50GB bandwidth per month, and I only need parts of my internet traffic running through it anyways.

    Thanks again to whoever replies,
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, I'm going to assume you are talking about TomatoVPN. If you aren't, please correct me.

    It could be possible using the iptables "ROUTE" target. I've offered to help people experiment with this a couple of times, but I don't think they ever replied.

    If you're interested in some experimentation, please reply with an example of how you want things divided up and your routing table while connected to the VPN. I think I know how to get it to work, so it hopefully won't take much experimentation.
  3. baldrickturnip

    baldrickturnip LI Guru Member

    The VPN service that you are buying? Unless they are running an OpenVPN server, the Tomato OpenVPN client will not be able to connect.

  4. KraftDinner

    KraftDinner Addicted to LI Member

    I'm certain that the service will work because they list two firmwares that they support, Tomato and DD-WRT. To maybe answer some questions that don't need to be asked, this is the service I am talking about.

    Thank you for your concern though.
  5. KraftDinner

    KraftDinner Addicted to LI Member

    I had no idea that there was a specific TomatoVPN firmware. I had just assumed that it was rolled into one because the VPN service website doesn't say to download TomatoVPN, but just Tomato. Since I cannot go on the VPN site because of my work filter I can't double check that either. I will have to look later tonight.
  6. rhester72

    rhester72 Network Guru Member

    Looks like they host the VPN server/gateway and you install a standard OpenVPN client on your workstation - this has nothing to do with Tomato or DD-WRT (or any router firmware), since it's really just passing UDP traffic through. In that sense, all network gear is "compatible".

  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, they specifically mention TomatoVPN (by a different name):
    Besides, even if their only instructions were for an OpenVPN client on the workstation, it could be run on the router to have the entire LAN on the VPN instead of just the single workstation.
  8. rhester72

    rhester72 Network Guru Member

    I can't imagine why that would be necessary unless they intend to use TomatoVPN as a client (which, all other things being equal, makes less sense to me than having the client on a workstation and simply using a static route to "expose" the VLAN to the rest of the LAN).

    *shrugs* Whatever works for folks. =)

  9. KraftDinner

    KraftDinner Addicted to LI Member

    So all I would have to do is create a static route in my regular router in order to accomplish what I want?
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    As long as your workstation is always on, connected to the VPN, and is capable of IP traffic forwarding, then, yes, you can have your entire LAN use the VPN through that workstation. TomatoVPN basically places that workstation on the router itself (since it is always on; plus, it simplifies the routing).

    However, this says nothing about having different ports either use or not use the VPN. That would need to be configured on your router, and I don't know how to do that on your router (unless it is Tomato or another linux-based router that you can add iptables ROUTE rules to).
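    The port-based split that SgtPepperKSU sketches in posts 2 and 10 (send one port through the tunnel, leave the rest on the normal WAN) can be done without the iptables "ROUTE" target, which is an add-on extension rather than part of stock iptables. The script below is an added example, not code from this thread or from the Tomato project: it uses the standard Linux mechanism instead, marking matching packets in the mangle table and sending marked packets to a separate routing table whose default route is the tunnel. It assumes the OpenVPN client interface is named tun11 and the LAN bridge br0 (both typical on Tomato, but set VPN_IF/LAN_IF if yours differ), that iptables has the mangle table with the MARK target, and that the iproute2 `ip` command is present. DRY_RUN=1 (the default) only prints the commands so you can review them before applying.

```shell
#!/bin/sh
# Added example: selective (per-port) VPN routing with fwmark + policy routing.
# Not from the forum thread or the Tomato project; interface names, table
# number and mark value below are assumptions, adjust them for your router.

VPN_IF="${VPN_IF:-tun11}"   # assumed OpenVPN client interface on Tomato
LAN_IF="${LAN_IF:-br0}"     # assumed LAN bridge
MARK="${MARK:-0x1}"         # fwmark placed on packets that must use the VPN
TABLE="${TABLE:-100}"       # routing table whose default route is the tunnel
DRY_RUN="${DRY_RUN:-1}"     # 1 = print commands only, 0 = execute them

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_rules PORT...: emit (or apply) the rules that push traffic from the
# LAN to the given destination ports through the VPN, everything else stays
# on the normal WAN default route.
build_rules() {
    # Separate routing table: marked packets get the tunnel as default route.
    run ip route add default dev "$VPN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache

    # Mark new LAN-originated packets for each selected destination port.
    for port in "$@"; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
            --dport "$port" -j MARK --set-mark "$MARK"
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p udp \
            --dport "$port" -j MARK --set-mark "$MARK"
    done

    # Source-NAT the tunnel side so replies return through the tunnel;
    # conntrack then maps them back to the LAN host.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Usage for the scenario in the thread: port 9000 via VPN, port 8000 untouched.
build_rules 9000
```

After applying with DRY_RUN=0, `iptables -t mangle -L PREROUTING -v -n` shows packet counters on the MARK rules and `ip rule show` lists the fwmark rule, which is the quickest way to confirm traffic is actually being classified. Anything not marked (including port 8000) never touches table 100 and keeps using the WAN route, and the tunnel's own routing table is not consulted for it. Note that the OpenVPN client must be started without letting it replace the main default route (no `redirect-gateway`), otherwise all traffic would go through the tunnel regardless of these rules.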
  11. rhester72

    rhester72 Network Guru Member

    This is absolutely true, of course, but the terrific performance hit from the relatively slow CPU is a deal-breaker for me...throughput is cut to less than 50% of wire speed because of the encryption overhead being handled on the router (which in turn also impacts everything else on the router).

    I know it works (I used to do this all the time on OpenWRT), and you're right, configuration is simpler - but for me personally, the convenience doesn't outweigh the performance drawbacks across the board.

    Your mileage may vary. =)

  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Absolutely, having the OpenVPN client/server on the router is not ideal for all situations. People need to weigh the performance gain vs the power costs and any other trade-offs that occur. I'm certainly not offended when people choose the non-TomatoVPN path, and I've helped them set it up as you've described on this forum before.
  13. KraftDinner

    KraftDinner Addicted to LI Member

    Well yes that is what I want. I need this to happen on the router and I will be using Tomato for it. Given what you just said, I think I should be able to figure out the rest on my own, I think.

    Thanks for your help in decrypting my request.
  14. baldrickturnip

    baldrickturnip LI Guru Member

    Any numbers to go with the processor and encryption limiting the throughput?

    The WAN is a 100 Mbit NIC, so say with all the traffic going over a VPN tunnel, what would be an educated guess at what the processor (at a normal 200 MHz) will max out at for throughput?

    Just to add another query: does it make a difference how many TCP/UDP connections the tunnel is handling, or is that overhead taken by the machines outside the tunnel at both ends?
  15. rhester72

    rhester72 Network Guru Member

    I was able to saturate the CPU on a WRT54GS with a 1.5mbit uplink using OpenVPN on the router. 100mbit is simply unthinkable to encrypt on a 200MHz MIPS.

    The number of connections increases memory footprint, not CPU. CPU is only involved in actually moving packets, so packet rate (more so than bitrate) is what is impacted. Thus, using OpenVPN on the router, normal non-tunneled TCP streams can be negatively impacted by use of OpenVPN, since they are all competing for the same resource (CPU).

  16. KraftDinner

    KraftDinner Addicted to LI Member

    So what sort of impact does this have on my setup? I'm not planning on running any heavy connections through the VPN, just web browsing (no video) and a couple of devices that communicate small amounts over the internet (I'm talking about a 200-page document's worth of data every month). So I'm guessing this won't have an adverse effect on my regular net traffic, but am I wrong?

    My guess would be that my heavy traffic would hinder the VPN traffic before anything, but then I'll just have to play with QoS for that case.
  17. rhester72

    rhester72 Network Guru Member

    In your specific usage case, running the VPN client directly on the router should be inconsequential.

  18. jz2000

    jz2000 Addicted to LI Member

  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member
