
Tomato 1.23 VPN - Bridge Connection + WEP + trying to secure internet access with VPN.

Discussion in 'Tomato Firmware' started by lipin, Apr 10, 2009.

  1. lipin

    lipin Addicted to LI Member

    Hello,
    My goal is to secure an internet WEP bridge connection by using VPN access. I have a WRT54GL + Tomato VPN (working as server) and a Belkin 7230-4 v6000 bridged together; unfortunately I am not able to force any encryption other than WEP. My idea was to push all traffic from my PC this way.

    PC(VPN Client) -> Belkin -> WDS Bridge (WEP) -> Linksys (VPN Server) -> Internet
    (1 client is wired to Linksys using LAN)

    But I don't know how to configure the VPN (routing?) to allow internet traffic through.

    MAC PC: 11:11:11 ….
    MAC Belkin 22:22:22 ….
    MAC Linkys 33:33:33 ….
    MAC from virtual card created by OpenVPN: 44:44:44….

    1. Wired client is getting its IP & internet access from the DHCP server.
    2. Wireless client is getting its IP from Static DHCP - 192.168.1.120 (MAC – 11:11:11…)
    3. After OpenVPN connects to the router VPN, a new device is created (in the router) and gets IP 192.168.1.147 (MAC – 44:44:44…)
    4. I am using Access Restriction to block all internet traffic except the PC wired directly to the router and the VPN device (MAC – 44:44:44…) (a kind of security in case someone is able to hack WEP on my Belkin and connect with a fake MAC)
    5. I added in Server 1 -> Advanced -> Custom Configuration
    push "redirect-gateway local"

    Result:
    I can connect to the VPN but I cannot surf the internet. In Vista I see a message that my VPN is local and I can't surf the internet.

    It would be great if someone is able to help me with this problem.

    My second question: is there a better way to block wifi internet traffic than my Access Restriction rule?

    Greetings
    Lipin

    PS.
    And no, I don't want to use SSH :/ too much effort configuring, and not everything works through a proxy.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, I think it would be a lot simpler if you could just use a better wireless encryption, such as WPA(2)/AES, and skip the VPN altogether.

    But, if that's not possible, could you provide the actual error message you mention and the output of "route print" on your client?
     
  3. lipin

    lipin Addicted to LI Member


    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.120 25
    0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.147 30
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    169.254.0.0 255.255.0.0 On-link 192.168.1.147 30
    169.254.255.255 255.255.255.255 On-link 192.168.1.147 286
    192.168.1.0 255.255.255.0 On-link 192.168.1.120 281
    192.168.1.0 255.255.255.0 On-link 192.168.1.147 286
    192.168.1.120 255.255.255.255 On-link 192.168.1.120 281
    192.168.1.147 255.255.255.255 On-link 192.168.1.147 286
    192.168.1.255 255.255.255.255 On-link 192.168.1.120 281
    192.168.1.255 255.255.255.255 On-link 192.168.1.147 286
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 192.168.1.120 281
    224.0.0.0 240.0.0.0 On-link 192.168.1.147 286
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 192.168.1.120 281
    255.255.255.255 255.255.255.255 On-link 192.168.1.147 286
    ===========================================================================
    Persistent Routes:
    Network Address Netmask Gateway Address Metric
    0.0.0.0 0.0.0.0 5.0.0.1 Default
    ===========================================================================


    This is my routing table from Vista. And the error, hmm, no error; I see in Network and Sharing Center that the VPN card connection is local only.
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm guessing you're using TAP? Try using TUN.
     
  5. lipin

    lipin Addicted to LI Member

    Yes, I tried TAP.
    Here is my try with TUN, unfortunately no success :-(.

    Server:
    all fields default static key.

    Client config:
    dev tun
    proto tcp-client
    remote 192.168.1.1 1194
    ifconfig 10.8.0.2 10.8.0.1
    comp-lzo
    secret static.key
    route-gateway 192.168.1.1
    redirect-gateway

    I can ping the server at 10.0.0.1. Internet doesn't work.

    My route tables:
    (linksys)
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.8.0.2 * 255.255.255.255 UH 0 0 0 tun21
    192.168.1.0 * 255.255.255.0 U 0 0 0 br0
    xx.xx.126.0 * 255.255.254.0 U 0 0 0 vlan1
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default static-ip-xx-xx 0.0.0.0 UG 0 0 0 vlan1
    (windows)
    ===========================================================================
    Interface List
    19 ...00 ff de 86 de 60 ...... TAP-Win32 Adapter V9
    9 ...00 1c bf 5f ea 5c ...... Intel(R) PRO/Wireless 3945ABG Network Connection
    1 ........................... Software Loopback Interface 1
    18 ...00 00 00 00 00 00 00 e0 isatap.{11FED438-DA21-42CA-83F3-A66B1D77E9E4}
    21 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
    ===========================================================================
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.120 25
    10.8.0.0 255.255.255.252 On-link 10.8.0.2 286
    10.8.0.2 255.255.255.255 On-link 10.8.0.2 286
    10.8.0.3 255.255.255.255 On-link 10.8.0.2 286
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    169.254.0.0 255.255.0.0 On-link 10.8.0.2 30
    169.254.255.255 255.255.255.255 On-link 10.8.0.2 286
    192.168.1.0 255.255.255.0 On-link 192.168.1.120 281
    192.168.1.120 255.255.255.255 On-link 192.168.1.120 281
    192.168.1.255 255.255.255.255 On-link 192.168.1.120 281
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 192.168.1.120 281
    224.0.0.0 240.0.0.0 On-link 10.8.0.2 286
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 192.168.1.120 281
    255.255.255.255 255.255.255.255 On-link 10.8.0.2 286
    ===========================================================================
    Persistent Routes:
    Network Address Netmask Gateway Address Metric
    0.0.0.0 0.0.0.0 5.0.0.1 Default
    ===========================================================================
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, there are definitely problems with the routing table. To get the internet-bound traffic to go over the tunnel, try adding "def1" to the end of your "route-gateway" line. That will add a default route to your client that should send all non-LAN traffic over the tunnel.

    Sending LAN traffic over the tunnel is a completely different ballgame. Since your router is still going to have to keep a non-tunnel LAN router in order to send the VPN traffic, it's not nearly as simple. Before we delve into that arena, let me know if it is sufficient to just send internet-bound traffic over the tunnel.
     
  7. lipin

    lipin Addicted to LI Member

    def1 (creates route tables same as above), dhcp-bypass, push "dhcp-option DNS 10.8.0.1" did not help.

    In the Windows connection status the DHCP server is 10.8.0.1 but the default gateway and DNS server are empty. (VPN adapter)

    I don't care about LAN traffic, I just want to secure my wifi connection. The Tomato is in my friend's house and he is sharing internet with me. I have the Belkin router working as a bridge (used as a kind of signal boost) to let me surf the internet in my flat. For a test I blocked my static IP (from the Linksys, with Access Restriction), then I make a connection with VPN with route-gateway and get IP 10.8.0.2 (non-blocked, VPN adapter), but still I can't go outside local.

    Securing the router should work like that: someone spoofs my MAC, decrypts WEP and connects to my router, but still he can't go outside the router without using the VPN with the proper key. On the router side all wifi MACs are blocked so no one can get an IP. All internet traffic is secured by OpenVPN.

    I am not really an IT guru :( and after reading many howtos nothing seems to work.
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For some reason the routes aren't getting added to your client correctly. You are getting a strange 169.254.0.0 route, but no default route. Have you tried it without "local" on your redirect-gateway directive? I've never used that option, and I'm not entirely clear what it is supposed to do as far as routing.
     
  9. lipin

    lipin Addicted to LI Member

    Ok, thanks for the reply. I noticed with tracert that 10.8.0.1 is not the VPN but is going somewhere outside to the ISP. So I changed the default VPN IP to 172.16.130.1 (server) & 172.16.130.2 (client). Now tracert goes directly to 172.16.130.1. As for the option local, I don't use it anymore; I suppose I tried all combinations, def1, dhcp-server etc. IMO there is something wrong with routing or Windows settings. My new route tables:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.120 25
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    169.254.0.0 255.255.0.0 On-link 172.16.130.2 30
    169.254.255.255 255.255.255.255 On-link 172.16.130.2 286
    172.16.130.0 255.255.255.252 On-link 172.16.130.2 286
    172.16.130.2 255.255.255.255 On-link 172.16.130.2 286
    172.16.130.3 255.255.255.255 On-link 172.16.130.2 286
    192.168.1.0 255.255.255.0 On-link 192.168.1.120 281
    192.168.1.120 255.255.255.255 On-link 192.168.1.120 281
    192.168.1.255 255.255.255.255 On-link 192.168.1.120 281
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 172.16.130.2 286
    224.0.0.0 240.0.0.0 On-link 192.168.1.120 281
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 172.16.130.2 286
    255.255.255.255 255.255.255.255 On-link 192.168.1.120 281
    ===========================================================================
    linksys
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    172.16.130.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun21
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    xx.xx.126.0 0.0.0.0 255.255.254.0 U 0 0 0 vlan1
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 xx.xx.126.1 0.0.0.0 UG 0 0 0 vlan1

    When I do tracert google.com it is always using 192.168.1.1, not 172.16.130.2 as it is supposed to.

    Edit: After deleting route 169.254.0.0 - no effect.
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, the problem is that there needs to be a 0.0.0.0 route using the 172.16.130.2 interface and 172.16.130.1 as the gateway. And, that route is supposed to be getting added by the redirect-gateway directive.
    I would suggest you hop on to the OpenVPN IRC channel and see if you can get help there. Of course, check back here and let us know if you get anywhere.
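
    As an added illustration, not from this thread and not Tomato's or OpenVPN's code: a small Python script that parses the Windows "route print" table posted in post 9, resolves where a public address is sent (via 192.168.1.1 on the wireless interface, which is exactly what the tracert shows), and then adds the two /1 routes that "redirect-gateway def1" is supposed to install. The tunnel gateway 172.16.130.1 and interface 172.16.130.2 used for the added routes are assumptions taken from the tunnel addresses in the thread; the route table text is copied from post 9 and embedded as a constant. It also goes slightly beyond the thread by showing why def1 is preferred over overwriting the default route: the /1 routes beat 0.0.0.0/0 by prefix length, while LAN and tunnel-endpoint traffic keeps its more specific on-link routes.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Route table text copied from post 9 of the thread (lipin's Vista client).
ROUTE_PRINT_POST9 = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.120 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 172.16.130.2 30
169.254.255.255 255.255.255.255 On-link 172.16.130.2 286
172.16.130.0 255.255.255.252 On-link 172.16.130.2 286
172.16.130.2 255.255.255.255 On-link 172.16.130.2 286
172.16.130.3 255.255.255.255 On-link 172.16.130.2 286
192.168.1.0 255.255.255.0 On-link 192.168.1.120 281
192.168.1.120 255.255.255.255 On-link 192.168.1.120 281
192.168.1.255 255.255.255.255 On-link 192.168.1.120 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.16.130.2 286
224.0.0.0 240.0.0.0 On-link 192.168.1.120 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.16.130.2 286
255.255.255.255 255.255.255.255 On-link 192.168.1.120 281
===========================================================================
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None means "On-link" (directly connected)
    interface: str          # interface address as shown by route print
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' section of Windows `route print` output."""
    routes: List[Route] = []
    in_active = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith("Persistent Routes:"):
            break  # persistent routes are not consulted for forwarding here
        if not in_active or line.startswith("=") or line.startswith("Network Destination"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue  # skip anything that is not a dest/mask/gw/iface/metric row
        dest, mask, gw, iface, metric = parts
        routes.append(Route(
            ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            None if gw == "On-link" else gw,
            iface,
            int(metric),
        ))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def def1_routes(vpn_gateway: str, vpn_interface: str, metric: int = 1) -> List[Route]:
    """The two /1 routes 'redirect-gateway def1' adds (assumed gateway/interface)."""
    return [
        Route(ipaddress.IPv4Network("0.0.0.0/1"), vpn_gateway, vpn_interface, metric),
        Route(ipaddress.IPv4Network("128.0.0.0/1"), vpn_gateway, vpn_interface, metric),
    ]


def default_uses_tunnel(routes: List[Route], tunnel_interface: str) -> bool:
    """True if a public address (8.8.8.8, constructed probe) leaves via the tunnel."""
    r = lookup(routes, "8.8.8.8")
    return r is not None and r.interface == tunnel_interface


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_POST9)
    print("as posted:", lookup(table, "8.8.8.8"))
    fixed = table + def1_routes("172.16.130.1", "172.16.130.2")
    print("with def1:", lookup(fixed, "8.8.8.8"))
    print("LAN still on-link:", lookup(fixed, "192.168.1.1"))
```

    Running it against the posted table reports the default via 192.168.1.1 on 192.168.1.120 and no tunnel route at all, which matches the tracert in post 9. After the two /1 routes are added the same lookup picks the tunnel, while 192.168.1.1 (the VPN server, on the LAN /24) and 172.16.130.1 (the tunnel endpoint, on the /30) stay on their on-link routes, so the tunnel's own carrier traffic is never sent into the tunnel.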
     
  11. lipin

    lipin Addicted to LI Member

    I gave up, I couldn't see hope. I didn't find useful help on IRC (1st time on IRC and I made a small war hehe). Currently setting up an SSH tunnel and configuring all programs for the SOCKS server. Next time when I am at home I will try to figure out this magic and put info in here if successful. Thanks SgtPepperKSU for the great mod and help.

    Greetings
    Lipin
     
  12. maistc07

    maistc07 Guest

    I have a very similar problem, but maybe you can figure out the problem in my case. I also have a connection which gets lost after some seconds. But I get an IP from the server.

     