
Simultaneous OpenVPN client/server bricks the router

Discussion in 'Tomato Firmware' started by gfunkdave, May 6, 2012.

  1. gfunkdave

    gfunkdave LI Guru Member

    Just discovered that when an OpenVPN client is running on the router, setting it to run an OpenVPN server at the same time will brick the router and require a 30/30/30 reset.

    I noticed something was fishy when I was setting up the server and it wouldn't let me type in any port. The default of 1194 was blank, so I typed in 1195. I kept getting Javascript popups that I'd entered an invalid value, and that the value must be between -1 and some very large number. Rebooting the router resulted in its becoming unresponsive.

    This is on an RT-N16 running Toastman 1.28.7498 MIPSR2-Toastman-RT K26 USB VPN.
     
  2. Goggy

    Goggy Network Guru Member

    I'm almost sure you are running out of NVRAM space ...
    Server and client run fine together.
     
  3. gfunkdave

    gfunkdave LI Guru Member

    Isn't NVRAM used to store settings? Why would that matter for running VPN?
     
  4. rs232

    rs232 Network Guru Member

    It matters because what you think has been stored (a setting) actually hasn't been. So the VPN process runs with missing or, even worse, bad parameters, and this makes it fail.

    Keep an eye on the administration configuration page to see how many K you have left.
     
  5. gfunkdave

    gfunkdave LI Guru Member

    Ah, thanks...that makes more sense (though it still seems odd to me). I can't easily test it, since the router in question is remote and I don't want to bug my parents with resetting and reloading configuration.

    So a router with 60k of NVRAM would probably be OK then?
     
  6. rs232

    rs232 Network Guru Member

    I've been running a few Tomato routers with 32K for a few years now. I strongly believe that 32K is more than enough for most users.
    One thing I can advise is:
    - do an erase/upgrade of the router whenever you have the chance (since you have experienced this problem)
    - never upgrade the firmware in the future without erasing the NVRAM
    - do not install firmware with features you're sure you'll never use, e.g. NoCat or BitTorrent, just to name a few. More features mean more NVRAM needed.
    - any information you put into Administration/Scripts is stored in NVRAM. My workaround for this is to save scripts on external storage such as CIFS or USB. This way you can just call the external script from e.g. Administration/Scripts/Init. E.g. if you use the adblock script, it will use a huge amount of NVRAM, as the script itself is more or less 50 lines!

    P.S. I administer my parents' router too ;-) I used DDNS and have opened the administration page to the WAN on HTTPS only. It works like a charm.

    HTH
    rs232
     
  7. gfunkdave

    gfunkdave LI Guru Member

    Thanks for the help. I will try erasing NVRAM some day when I'm at their house and have nothing else to do. :)

    I keep remote HTTP/S turned off and instead use SSH with key-based authentication, and password auth disabled. Perhaps I'm paranoid... :)
     
  8. occamsrazor

    occamsrazor Network Guru Member

    I had a similar problem when I had an Asus WL500GPv2 set up with two VPN servers and one VPN client. Only one was ever running at a time, but the multiple certificates/keys for each take up a lot of space in NVRAM, to the point where it was maxing out the NVRAM and causing major problems with settings getting overwritten and generally messed up.
    Switching to an E3000 with 60K NVRAM fixed all that, with lots of NVRAM room left over. As "rs232" said above, if you don't want to switch routers, you can move the certificate files away from the VPN setup page (i.e. being stored in NVRAM) to actual files in e.g. JFFS or a USB drive or CIFS share, which get read at each startup. I never did it myself but believe there is a thread on the forum somewhere that explains how to do it.
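As an added example (not from any poster in this thread, nor from the Tomato project), the following POSIX shell helper puts numbers on what rs232 and occamsrazor describe above: it reads the output of `nvram show` and estimates how many bytes each variable occupies, so the vpn_* certificate/key blobs and the Administration/Scripts content show up at the top of the list, and it pulls the "left" figure out of the summary line so a script can warn before the router runs dry. The per-entry accounting (name, '=', value, NUL terminator), the exact `nvram show` output format and the sample data are assumptions made for the example; check them against your own build.

```shell
#!/bin/sh
# nvram_usage.sh -- added example, not code from the thread or from Tomato.
# Estimates how many bytes each variable costs in NVRAM from the output of
# "nvram show", so you can see which entries (typically the vpn_* certificate
# and key blobs, and Administration/Scripts content) are eating the space.
#
# Assumptions made here:
#  * each NVRAM entry is stored as "name=value" plus a NUL terminator, so one
#    entry costs len(name) + len(value) + 2 bytes ('=' and the terminator);
#  * "nvram show" prints "name=value" lines to stdout, with multi-line values
#    (PEM certificates, scripts) continued on following lines, and a summary
#    "size: N bytes (M left)" line to stderr. Verify both on your own build.

# Print "<bytes> <name>" for every entry read from stdin (nvram show output).
# A continuation line that itself looks like "name=value" (possible inside a
# stored script) would be counted as a new entry; that is a known limitation.
nvram_entry_sizes() {
    awk '
    function flush() {
        if (name != "") printf "%d %s\n", length(name) + length(value) + 2, name
    }
    match($0, /^[A-Za-z0-9_.]+=/) {
        flush()
        name  = substr($0, 1, RLENGTH - 1)
        value = substr($0, RLENGTH + 1)
        next
    }
    { value = value "\n" $0 }
    END { flush() }'
}

# Total estimated bytes of all entries on stdin.
nvram_total_bytes() {
    nvram_entry_sizes | awk '{ s += $1 } END { print s + 0 }'
}

# The N biggest consumers (default 10), largest first.
nvram_top() {
    nvram_entry_sizes | sort -rn | head -n "${1:-10}"
}

# Extract the "left" figure from the stderr summary line, e.g.
#   nvram show 2>&1 >/dev/null | nvram_left_bytes
nvram_left_bytes() {
    sed -n 's/^size: [0-9]* bytes (\([0-9]*\) left).*/\1/p'
}

# Constructed sample of nvram show output for the demo below; the certificate
# body is fake filler, not a real certificate.
SAMPLE_NVRAM='lan_ipaddr=192.168.1.1
vpn_server1_port=1195
vpn_server1_ca=-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----'

# Usage:
#   sh nvram_usage.sh demo                              # analyse the sample
#   nvram show 2>/dev/null | sh nvram_usage.sh pipe 5   # top 5 real consumers
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_NVRAM" | nvram_top 3 ;;
    pipe) nvram_top "${2:-10}" ;;
esac
```

On a 32K router, pipe the real `nvram show` output through `nvram_top` before enabling a second OpenVPN instance: if the existing vpn_* entries already account for most of the space, the new instance's keys and settings will not fit, which matches the symptom gfunkdave describes (fields that refuse to save, then an unresponsive router after reboot).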
     
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    I'd stay away from JFFS if possible, simply because the internal flash has a write limit that will come back and bite you eventually. Moving things to a USB drive allows you to easily change it out in the event of failure, and with some flash drives, they don't even stick out.

    I've had one router in a public space for months and despite everyone and their mother shoving it around to peer at it, nobody has removed the USB drive. It looks like part of the router, unless you're really observant and notice the 2nd USB port it mostly blocks. If someone steals it or the router, every student will lose wireless internet access, and so far nobody's been enough of a dick to steal the $35 router or the $15 USB drive on it.
     
  10. gfunkdave

    gfunkdave LI Guru Member

    Interesting ideas, thanks. I wound up just creating a three-way VPN. So my connection from my house to my parents' goes through my dad's office. Latency is still only 80 ms, and so it's fast enough for my purposes.
     
  11. rs232

    rs232 Network Guru Member

    I see where you're coming from. I think this is quite difficult and unreliable to achieve with the current VPN implementation of Tomato. The farthest I got with this was to have the same route (same mask) with different metrics. The big issue is when one of the tunnels goes down, Tomato thinks it's still up.
    Can I suggest you spend time making a one-way VPN reliable instead? If you solve the NVRAM issue, trust me, it is very stable and reconnects automatically if for whatever reason it goes down.
     
