1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Simple VPN Setup Help Needed : Tomato Firmware v1.27.8747 VPN 3.6

Discussion in 'Tomato Firmware' started by Aquafire, Jul 2, 2010.

  1. Aquafire

    Aquafire LI Guru Member

    Hi All,

    I am running Tomato Firmware v1.27.8747 ND USB vpn3.6 on Linksys WRTSL54GS running in PPoE mode, connected to a bridged DSL Modem.

    The DynDNS service is configured on the router so it updates the domain name with the WAN IP whenever needed.

    I can reach the standard configuration page and other services on my home network via respective port forwardings (i.e, Downloader, Webcams etc).

    Running on Windows 7 Ultimate (32-Bit) I am trying to connect to my home router (via VPN) from the office to use internet browsing for the blocked sites.

    The aim is to use my home router would be used as DNS / DHCP / Gateway for all outgoing internet requests once the VPN connection is established. So please also mention which settings/parameters to declare in my server and client config files.

    I have tried to follow the guide at http://www.linksysinfo.org/forums/showthread.php?t=61253 but this is a bit complicated, as it needs to generte certificates / key / certification authority in order to move forward and same settings are to copied individually to each client.

    I have read some basic information about the parameters to be configured from here

    Since in my setup for now there would be only one server and one client, I decided to go through the more simpler way of having a static key.

    The internal LAN IP address of my router is as follows :

    From whatever I could understand I have done the following basic settings in the VPN Server 1 :

    I did generate a standard static key using the option available in the OpenVPN menu as follows :

    which puts a "key.txt" file in the folder "C:\Program Files\OpenVPN\config".

    I have opened the "key.txt" file and copied the contents to the following window in the router settings


    For the client side configuration, I did read a couple of guides on the internet, also tried to use the sample.opvn file provided with the OpenVPN installation.

    Whatever I could understand based on my desired setup I have made the trimmed down client config file(saved as home.opvn) as follows

    I want to use the "TAP" mode since I need to access my home network windows share, as if I am connected directly to the network, hence the bridged mode.

    I select the protocol as TCP connection, because I might be behind a corporate proxy server when trying to connect to my home network via VPN.

    You can guide if my understanding of the above options is correct and they are set accordingly.

    However whenever I try to run this Home.Ovpn, I always see the following error box, with one or varying errors.


    I am unable to understand that when I have not used tlsserver or tlsclient then why is it showing this message. I am simply trying to use the static key.

    I have tried using the options "key" or "secret" in line no 8 of the configuration file, with giving the full directory path (with double slashes \\) , but all in vain, I still could not get past the error.

    The client configuration at the office (from where I am trying to connect), via a wireless connection to a DSL modem is as follows :

    I would really appreciate if someone could read and guide as to what could be wrong.

    It would be really nice that a very basic beginner's How-To using static key is posted by any of the experienced members here.

    Thanks for your replies.
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The line "client" implies "tls-client".

    Also, you can't "push" anything when using static key mode, so that line in your server config does nothing. Further, "client" implies "pull", so that was redundant, but you can't "pull" when using static key either.

    Currently, your setup (once the above is resolved) would connect, but not route internet traffic over the tunnel at all or provide access to your LAN. This can be accomplished by putting directives in your client config that are specific to your server LAN setup, but the easiest way to accomplish what you want is to use TLS (where all of the needed settings are pushed from the server to the client).
  3. Aquafire

    Aquafire LI Guru Member

    Thanks for the reply and analyses.

    But how to do what you have guided.

    I mean what should I write instead of the word "Client" on client-side config file. Should i remove it or replace it with something else, similarly should I remove push and pull directives from the client and server side only.

    Based on your advice I did edit the client config as follows:
    However when now it is connecting it is showing me the following errors as appended in the connection log:

    Can you help me with that.

    Also if you say that no internet traffic routing will take place and I need to use TLS, then can you guide an easy way to use TLS. Possible a step wise/screen shot guide so being a newbie I make sure I dont get lost along the way.

    Thanks again.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, just remove all those lines.
    You have the encryption cipher set to "none" on the server, but left the client with the default. This mismatch leaves them unable to communicate. I suggest changing the server back to default.

    You don't need to use TLS. It's just much, much simpler to setup and maintain. There is a link to a HOWTO on generating certificates on the Keys tab (the link changes depending on which method you currently have selected, so select TLS, then click on the HOWTO link).
  5. Aquafire

    Aquafire LI Guru Member

    Ok I have set the following value in the client configuration :

    and now I can connect the my home network.

    I can browse the local lan via Network Neighbourhood and can see my home machine windows share and can browse them similarly as if I am directly connected.

    However I can see that all my internet browsing is NOT done through my home router connection. I can see and have verfied (by running mywanip.com) that all internet browsing is still done through the local office wireless connection and hence not redirected and served by the home router (as it was supposed to be via this VPN connection)

    Please guide me how to achieve a working VPN connection while make the following possible :

    1. Connect to the home LAN like a local PC, to be able to directly access Windows share (by writing \\MACHINE_NAME in the run command windows)

    2. All internet traffic redirected and served by the home router connected via VPN. So the home router acts as the main Gateway, DNS and DHCP server. In other words browsing the internet like the machine is directly connected to the router when in the home environment.

    I am confused, do i need to use TLS or not. Where are these how-to links which you are mentioning about. Can you post the links instead and an easy how-to which describes to use TLS in case I need it.

    Thanks for your support.
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I did. The easiest way is to use TLS.
    It can be done with static key, but is much easier with TLS. That's why I'm suggesting you use it. Like I said before, the HOWTO link is in the GUI on the Keys tab.
  7. Aquafire

    Aquafire LI Guru Member

    Is there a How-to about configuring it with TLS.

    The how-to link in the Tomato GUI opens this web-page


    which is just a how-to about the static key and I have almost followed it correctly, but still I am not able to get my internet browsing re-directed to my home router/server.

    Please remember I am trying to use VPN in "TAP" mode with "TCP" protocol while the how-to guide at the above link is for "TUN" mode with "UDP" protocol. Will it make any difference for the commands I have to write.

    Can you please re-check all the settings and IP addresses I have mentioned in my very first post and can possible identify any conflicting / misfit parameters which need adjustment.

    Thanks for support.
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Like I originally said, the HOWTO link changes depending on the mode currently selected. So, to get to the TLS How-to, you need to select TLS then click on the HOWTO link. Since this is somehow turning into a difficult task, I'll go ahead and connect to my home network and open my GUI to get that link for you:

    [size=-5]For help generating keys, refer to the OpenVPN HOWTO.[/size]

    Once you're using TLS, there will be options like "Direct clients to redirect Internet traffic", "Respond to DNS", and "Advertise DNS to clients" that do what you want by simply clicking on checkboxes.

    It isn't a matter of conflicting or misfit parameters that are keeping you from browsing the internet over the tunnel. You just haven't told it that that is what you want to do (the primary purpose of a VPN is to create a trusted, secure channel between two devices over an untrusted network - browsing the Internet is just a bonus feature that happens to be easy to tack on). With TLS, that configuration is all done on the server (which I've provided GUI options for all the things you want to do).
  9. Aquafire

    Aquafire LI Guru Member


    Will try working with it and will post results.

    All the best to me ;-)
  10. Dagger

    Dagger Networkin' Nut Member

    You were really close when you were able to browse your home network shares. Go back to that configuration and in the client config file include "redirect-gateway def1" and possibly "route-gateway dhcp" ('dhcp' or the LAN IP of your home router)... set it manually instead of trying to pull it from the server.

    I recommend against setting the cipher to none... your tunnel may not be encrypted... I'm not sure.

    For what you're trying to do I would use TAP/TCP as well...
  11. Aquafire

    Aquafire LI Guru Member


    I tried following all the steps from the "How-To" at, by issuing commands and generating the CA, Server and Client Key/Certificates.

    [size=-5] HOWTO.[/size]

    Then I followed the steps mentioned at


    in order to input and copy these certificate/key values to the VPN section of tomato.

    The screen shots are as below :




    The client config file at my side is as follows :

    Now when i try to connect to the VPN, it connects and assigns me an address of (mention to the first screen shot, to be honest I dont understand which IP address is this, I just followed from the mentioned post by Delta221)

    However I am still not able to browse internet and or network shares at my home LAN.

    I cannot find out what might be missing now. I just followed your suggestion of having a TLS connection with the checkboxes ticked for "Direct clients to redirect Internet traffic", "Respond to DNS", and "Advertise DNS to clients".

    Can it be something to do with my remote client IP configuration, my Home LAN IP configuration, and my VPN IP settings.

    My home LAN IP settings (where VPN server is running)

    My remote cilent settings (As I am consultant at various client sites, they can can change and vary based on my location. It can be a fixed or dynamic IP. With or without proxy, currently they are on a fixed IP/DNS setup)


    Does this affects I would have to reconfigure the VPN server settings or method (TAP/TUN) everytime ?

    The VPN server settings (as followed from the post)

    Any ideas what could be conflicting now ?

  12. Dagger

    Dagger Networkin' Nut Member

    For your goals you want to use TAP/TCP... not TUN/UDP.

    Your encryption cipher is still set to none on the server and client, best left as default.

    In client config, tls-client and pull, are implied by "client"... so aren't needed if you just have "client". But the way you have it works...

    Your client picked up because you assigned the network to the VPN tunnel... so the server side of the tunnel is and the client side of the tunnel is But you you really want is an ethernet bridge from your client to the home network, not a point-to-point tunnel. So use TAP/TCP. With a tunnel your client has to be ROUTED from the VPN network to your home network.

    It appears that your client's LAN and your home LAN are using the same private network ( it's best to give your home network a range that is not likely going to be used at one of your client sites. Obviously is the most common network range you are going to be seeing... so give your home network something like
  13. Aquafire

    Aquafire LI Guru Member


    Now its getting confusing to the best..:)

    In the post


    SgtPepperKSU has written as follows :

    apparently he think that my intended goals as mentioned

    can be met by using TLS in TUN/UDP mode and you are just saying the opposite.

    I am at a loss now (of course with my limited understanding) as what to do and how to make it work.

    Rescue needed.
  14. Dagger

    Dagger Networkin' Nut Member

    I am not saying the opposite. He is saying TLS is easier to configure if you want your client to direct all traffic through the VPN rather than static key. I am saying that TAP/TCP is what you want to use rather than TUN/UDP. One has nothing to do with the other.

    He is saying that TLS is easier because when you select TLS in the Tomato GUI additional check boxes will appear that allow you to choose whether or not your clients will direct all traffic through the VPN. The same can be accomplished with static key, but the GUI does not give you the check box... you have to add the directive manually to the client config file.

    You were extremely close when you were able to access your home network and browse Network Neighborhood. I think you were just missing the "redirect-gateway def1" and "route-gateway dhcp" directives in the client config file. These can be pushed from the server, if using the TLS option and check the appropriate box in the Tomato GUI... which is why he said TLS would be easier to configure.

    Because you've generated the certs and keys... stick with TLS and just switch to TAP/TCP (or UDP if you don't forsee connecting to your VPN server from behind a proxy).
  15. Aquafire

    Aquafire LI Guru Member


    Then I would try using TAP/TCP with TLS as recommended by you.

    As per your recommendation I have changed my home LAN network to .

    So apparently then it should not conflict with any incoming client connections from networks right.?

    Should I leave then the VPN network to Otherwise what does the VPN Start and End point IP address mean and what should I assign over there. Do they need to be from an exclusive range as well other than the Server or Client LANs (like 192.168.x.x/24) . How are they used in building the VPN connection. Sorry for too many question, just want to clear my concepts for these.

    As you recommended I only need to to enter the following exactly in the client config file if using the static KEY:

    Otherwise the same can be done by appropriate checkboxes if using TLS.

    Sounds good. I will give it a try tomorrow and will post the results.

    How can I particularly check if along with local LAN browsing, my internet access if also redirected via the Home LAN gateway and internet connection. Any particular idea.

    Also suggest any specific directive to be able to optimize the VPN speed when using a dial up DSL (1Mbps/2Mbps) internet connection on both client and server side. Assume the client machines are connected wirelessly while the server is wired directly with the router wired to the DSL modem.

    Thanks for your help.
  16. Dagger

    Dagger Networkin' Nut Member


    TAP should connect your client to your home network via Layer 2. So your VPN client should receive an IP address from your router the same as a local client on your home network. So, in your case, your VPN client should receive an IP via DHCP in the range.

    redirect-gateway, yes...
    route-gateway dhcp (or home gateway IP, i.e. route-gateway might not be needed... then again, it might :)

    You can check to see what the "internet" thinks your IP address is via a site such as http://www.hashemian.com/whoami/ Your IP should be seen as the WAN IP of your home router. You could also try a trace route via command line to see what path you are taking (i.e. c:\>tracert, the first hop should be your home network's gateway.

    OpenVPN is already tweaked pretty well... just keep in mind that if all traffic is routed through your home network, your clients DOWNLOAD speed is limited by your home routers UPLOAD speed. So if you're at a client site with a 12Mb download speed and your home internet service is 2Mb DOWN / 512Kb UP... then your VPN download speed will be 512Kb.
  17. Aquafire

    Aquafire LI Guru Member

    Thank You Very Much,

    With the valuable help and expert guidance from Dagger and SgtPepperKSU, I am now able to get my VPN set up as TAP/TCP.

    It is running in TLS with all the relevant generated based on the default openVPN settings. All the settings are explained in this thread in various posts as they were fine tuned and tweaked/modified every time based on the touble shooting help i was getting. Still have to try it behind my coporate proxy but I hope it will work.

    So if anyone wants to setup the VPN using these settings to be able to :

    1. Browse Home LAN as a direct connected client.
    2. Redirect and get the internet served by the home router/gateway .

    then you can use a similar setup.

    Thank you once again for the excellent work done to share with the community at large for the common benefit.

  18. kojigushi

    kojigushi Networkin' Nut Member

    can you please post a how to that wraps up all the correct settings.
    thank you
  19. Dagger

    Dagger Networkin' Nut Member

Share This Page