
Toastman firmware VPN setup help

Discussion in 'Tomato Firmware' started by Jedis, Mar 23, 2012.

  1. Jedis

    Jedis LI Guru Member

    Hello,

    I am using "Tomato Firmware v1.28.7633 .2-Toastman-VALN-IPT-ND ND VPN". I followed the instructions below to set up a VPN server on my home router, and the client on a family member's LAN. The client connects initially, but disconnects soon after. I cannot seem to ping from the server's LAN to the client's LAN.

    http://www.serverwatch.com/tutorial...Up-a-VPN-Server-on-a-Tomato-Router-Part-1.htm
    http://www.serverwatch.com/tutorial...Up-a-VPN-Server-on-a-Tomato-Router-Part-2.htm

    Any ideas why this is not working? I want the VPN tunnel to be seamless and not require any software on the client side, thus I followed that part of the instructions. Here is the log from the client side:

    Code:
    Mar 23 01:15:30 RT-0013107D4005 daemon.notice openvpn[902]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Mar 14 2012
    Mar 23 01:15:30 RT-0013107D4005 daemon.warn openvpn[902]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Mar 23 01:15:30 RT-0013107D4005 daemon.warn openvpn[902]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mar 23 01:15:30 RT-0013107D4005 daemon.notice openvpn[902]: Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 23 01:15:30 RT-0013107D4005 daemon.notice openvpn[902]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
    Mar 23 01:15:30 RT-0013107D4005 daemon.notice openvpn[908]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Mar 23 01:15:30 RT-0013107D4005 daemon.notice openvpn[908]: UDPv4 link local: [undef]
    Mar 23 01:15:30 RT-0013107D4005 daemon.notice openvpn[908]: UDPv4 link remote: 1.2.3.4:10456
    Mar 23 01:15:30 RT-0013107D4005 daemon.notice openvpn[908]: TLS: Initial packet from 1.2.3.4:10456, sid=10b06bf5 ea029693
    Mar 23 01:15:31 RT-0013107D4005 daemon.notice openvpn[908]: VERIFY OK: depth=1, /C=US/ST=CA/L=SanDiego/O=Server123/OU=Server123/CN=Server123/name=Server123/emailAddress=noneya@Server123.net
    Mar 23 01:15:31 RT-0013107D4005 daemon.notice openvpn[908]: VERIFY OK: depth=0, /C=US/ST=CA/L=SanDiego/O=Server123/OU=Server123/CN=Server123/name=Server123/emailAddress=noneya@Server123.net
    Mar 23 01:15:33 RT-0013107D4005 daemon.notice openvpn[908]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 23 01:15:33 RT-0013107D4005 daemon.notice openvpn[908]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 23 01:15:33 RT-0013107D4005 daemon.notice openvpn[908]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 23 01:15:33 RT-0013107D4005 daemon.notice openvpn[908]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 23 01:15:33 RT-0013107D4005 daemon.notice openvpn[908]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Mar 23 01:15:33 RT-0013107D4005 daemon.notice openvpn[908]: [Server123] Peer Connection Initiated with 1.2.3.4:10456
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: SENT CONTROL [Server123]: 'PUSH_REQUEST' (status=1)
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.1,ping 15,ping-restart 60,ifconfig 192.168.1.200 255.255.255.0'
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: OPTIONS IMPORT: timers and/or timeouts modified
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: OPTIONS IMPORT: --ifconfig/up options modified
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: OPTIONS IMPORT: route-related options modified
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Mar 23 01:15:36 RT-0013107D4005 daemon.warn openvpn[908]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warnin
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: TUN/TAP device tun11 opened
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: TUN/TAP TX queue length set to 100
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: /sbin/ifconfig tun11 192.168.1.200 pointopoint 255.255.255.0 mtu 1500
    Mar 23 01:15:36 RT-0013107D4005 daemon.err openvpn[908]: Linux ifconfig failed: external program exited with error status: 1
    Mar 23 01:15:36 RT-0013107D4005 daemon.notice openvpn[908]: Exiting
    
     
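An added triage script (not from this thread, and not part of Tomato or OpenVPN) that reads a client-side OpenVPN log like the one above and names the two problems visible in it: the server pushed `ifconfig <ip> <netmask>` to a client running in point-to-point `tun` mode, so the client's `ifconfig tun11 ... pointopoint 255.255.255.0` failed and OpenVPN exited; and the client is not verifying the server certificate at all. The sample log lines are constructed, modelled on the excerpt in the post.

```python
import re

# Constructed sample, modelled on the client log in the thread (hostname shortened).
SAMPLE_LOG = """\
Mar 23 01:15:30 rt daemon.warn openvpn[902]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mar 23 01:15:36 rt daemon.notice openvpn[908]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.1,ping 15,ping-restart 60,ifconfig 192.168.1.200 255.255.255.0'
Mar 23 01:15:36 rt daemon.notice openvpn[908]: /sbin/ifconfig tun11 192.168.1.200 pointopoint 255.255.255.0 mtu 1500
Mar 23 01:15:36 rt daemon.err openvpn[908]: Linux ifconfig failed: external program exited with error status: 1
"""

PUSH_RE = re.compile(r"PUSH_REPLY,(?P<opts>.*)'")


def looks_like_netmask(addr: str) -> bool:
    """True if the dotted quad is a contiguous run of 1-bits followed by 0-bits (e.g. 255.255.255.0)."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return False
    bits = "".join(f"{int(p):08b}" for p in parts)
    return bits[0] == "1" and "01" not in bits


def parse_push_reply(line: str) -> dict:
    """Split a PUSH_REPLY log line into {option_name: [args]}; returns {} for other lines."""
    m = PUSH_RE.search(line)
    if not m:
        return {}
    opts = {}
    for item in m.group("opts").split(","):
        if not item.strip():
            continue
        name, *args = item.strip().split()
        opts[name] = args
    return opts


def triage(log_text: str) -> list:
    """Return human-readable findings for the failure pattern seen in the thread."""
    findings = []
    for line in log_text.splitlines():
        if "No server certificate verification method" in line:
            findings.append("client never checks the server certificate; the tunnel is open to MITM")
        ifc = parse_push_reply(line).get("ifconfig", [])
        if len(ifc) == 2 and looks_like_netmask(ifc[1]):
            findings.append(f"pushed 'ifconfig {ifc[0]} {ifc[1]}': second argument is a netmask, "
                            "but a point-to-point tun client expects a peer address")
        if "Linux ifconfig failed" in line:
            findings.append("tun interface setup failed, so OpenVPN exits right after the handshake")
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed sample yields the three findings in order; the same function can be pointed at a full syslog capture from the client router.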
  2. Jedis

    Jedis LI Guru Member

    The server's log is being spammed with:
    Code:
    Mar 23 01:30:05 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:08 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:10 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:12 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:14 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:16 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:16 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:16 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:16 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:16 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:16 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:18 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:21 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:22 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Mar 23 01:30:24 RT-0013107D400E daemon.err openvpn[671]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
     
  3. PBandJ

    PBandJ Networkin' Nut Member

    Google is your friend. Search for that error message and you shall find a discussion about it in the OpenVPN forum.
     
  4. Jedis

    Jedis LI Guru Member

    I did, but didn't have much luck.

    Client:
    client1.png
    client2.png

    Server:
    server1.png
    server2.png
     
  5. kthaddock

    kthaddock Network Guru Member

  6. Jedis

    Jedis LI Guru Member

    Thanks. Changing the client to TAP got them to connect.

    From what I have been reading, TAP is better than TUN, when wanting to play LAN games via linked networks? Basically, I want to bridge the two networks together, to be able to share all resources (printers, shares, pingable to everyone on either end, and LAN games).

    When it's set to TAP, I do not have the option to change the subnet - that option is only there when it's set to TUN.

    Do you know what the default cipher is? Should I switch it to something else?
     
  7. kthaddock

    kthaddock Network Guru Member

    Yes, TUN is a layer 3 network (with NAT) and TAP is layer 2 network (without NAT).
    A TAP device is a virtual ethernet adapter, while a TUN device is a virtual point-to-point IP link.
    More complex encryption consumes more CPU power. Use "AES-128-CBC"; that is enough.
    Why do you need another subnet?

    kthaddock
     
  8. Jedis

    Jedis LI Guru Member

    Thanks. I was responding to your comment in red about the subnet. I don't need one :)

    Do I need to add routes to make devices pingable on both sides? I was able to add a network printer and successfully printed a test page, so I know it is working. I just need to get computers to be able to ping each other. Should I set the firewall on the VPN server to External only, to get devices pingable to each other? How can I ping the remote router over the VPN?

    Also, my home LAN is the 192.168.1.* range and the remote LAN is the 192.168.2.* range. I have static DHCP leases setup for most devices on their respective router. The remote printer's IP is 192.168.2.20, but when I added it, Windows shows it as 192.168.1.20. The client address pool range on the VPN server is set to 192.168.1.200 - 192.168.1.205. I am assuming that devices with a static DHCP entry will ignore that, and get assigned the 192.168.1.* address over the VPN, which would explain why the IP is different on the printer? So, I just need to ensure that on either router, no two devices have the same last octet?
     
  9. Jedis

    Jedis LI Guru Member

    I tried changing the firewall setting, without much luck. After reading, I don't think that will help make devices pingable to each other.

    I'm not quite sure what else to try at this point.
     
  10. Jedis

    Jedis LI Guru Member

    I'm still having issues.

    I have "Redirect internet traffic" unchecked on the client, and "Direct clients to redirect Internet traffic" unchecked on the server. However, when I turn on the VPN on the client router, all of the client devices are getting the public IP of the server and traffic is being redirected.

    Also, devices are still not pingable. I've run out of things to try. Most guides I have found consist of using the OpenVPN client on the individual computers, or they consist of using TUN and then setting up routes to make devices pingable. I was under the impression this was not needed with TAP.
     
