Tomato Mod v1.19.1464 with OpenVPN/Tomato Mod v1.21.TEST-v5 with OpenVPN-GUI,SDMMC,IP/MAC

Discussion in 'Tomato Firmware' started by roadkill, Jun 4, 2007.

  1. roadkill

    roadkill Super Moderator Staff Member Member

    Tomato Mod v1.07.1040 - Binary
    Tomato Mod v1.07.1040 - Source Code

    this is a small upgrade: IPTables quota extension/kernel module
    Tomato Mod v1.07.1041 with OpenVPN and IPtables quota - Binary
    I won't be posting sources for v1.07.1041; get v1.07.1042 instead

    a few small things added, little code cleanup
    Tomato Mod v1.07.1042 - Binary
    Tomato Mod v1.07.1042 - Source Code

    source code for v1.09.1181 includes Linksys v4.30.11US/Tomato OFFICIAL v1.09.1180/Roadkill OpenVPN Mod
    Tomato Mod v1.09.1181 - Binary
    Tomato Mod v1.09.1181 - Source Code

    source code for v1.10.1189 includes Linksys v4.30.11US/Tomato OFFICIAL v1.10.1188/Roadkill OpenVPN Mod
    Tomato Mod v1.10.1189 - Binary
    Tomato Mod v1.10.1189 - Source Code
    Tomato Mod v1.10.1190 VPN/SerialMod - Binary

    Tomato Mod v1.11.1218 - Binary
    Source code for this version will not be published due to lack of webspace; use 1.11.1219
    I upgraded OpenVPN to v2.1rc4 and LibLZO to v2.02; the serial add-on is still included.

    Tomato Mod v1.11.1219 - Binary
    Tomato Mod v1.11.1219 - Source Code
    added mgetty v1.1.35 due to request of u3gyxap

    Tomato Mod v1.14.1290 - Binary
    Tomato Mod VPN/SERIAL flavor v1.14.1290 - Binary
    Tomato Mod v1.14.1290 - Source Code

    TomatoMod 1.14.1291 - Binary
    TomatoMod VPN/SERIAL flavor 1.14.1291 - Binary
    Tomato Mod v1.14.1291 - Source Code

    TomatoMod 1.16.1374 - Binary
    TomatoMod VPN/SERIAL flavor 1.16.1374 - Binary <- u3gyxap, this is what you're looking for :grin:
    Tomato Mod v1.16.1374 - Source Code


    TomatoMod 1.19.1464 - Binary - This is the version with only the OpenVPN 2.1rc7 add-on and a few changes; it should be rock solid.

    TomatoMod 1.21 *TEST VERSION 5* - This is a new test version; it is only half baked, for those who want to try.
    LZO 2.03
    OpenVPN v2.1rc13 + Management
    VPN GUI Interface
    SD/MMC GUI Interface with switchable gpio
    SFTP-Server
    QoS Limit
    App Limit
    Arp Binding
    IPID Adjust

    This build is no longer maintained, I advise everyone to move to SgtPepper's Build
    If you are interested in custom software you can contact me, I'm online most of the time

    :grin:
     
  2. roadkill

    roadkill Super Moderator Staff Member Member

    vpn scripts for the lazy...

    WRT54G VPN Server


    WRT54G VPN Client

    this was ripped from dd-wrt wiki and should work the same way for Tomato VPN implementation.
    I put the script in Wan Up and insmod tun.o in init after sleep 5 or something.
    this was initially made for Site-to-Site VPN connection should work with a computer too.
    I'm looking for a VPN Activity SES LED script; if anyone has an idea, I've got something half done.

    after some pondering on the led script I've come up with this...


    :grin:
     
  3. _splat_

    _splat_ LI Guru Member

    It works !!! :drinking:

    A big THANK YOU to roadkill for this great mod! :thumbups:

    It took a while for me to configure OpenVPN because I had never used it before :biggrin:

    Here is a short howto on how I got it working:

    My Setup:
    Network at Home with LAN and WLAN clients connected to a WRT54g.
    I wanted an OpenVPN server on my WRT to connect from my (WinXP) PC at work to my home network.
    My Home IP-Range is 192.168.0.***
    I'm using a dyndns address because my Internet IP changes with each reconnect of my router.
    I am only using a static key for the client. It makes the configuration very simple :biggrin:

    With a static Key only 1 client can access the openvpn server !!
    For multiclient you have to use the cert and key files! See the instructions later in this post


    On The Windows PC:
    1. Install OpenVPN on the Windows machine (openvpn-2.1_rc4)

    2. Start -> Programs -> OpenVPN -> Generate a static OpenVPN Key

    3. Go to the OpenVPN installation directory, open the directory "config", you will see a file named key.txt
    This is the Key for the Client and for the Server. You need the same key on both machines!!

    4. Rename key.txt to static.key

    5. Create a file Home.ovpn in the same directory (you can name it what you want, but it has to be *.ovpn)

    6. Open the .ovpn file with an editor and paste this into the file:
    Code:
    dev tap0
    ifconfig 192.168.0.102 255.255.255.0
    secret static.key
    proto udp
    remote mydynamicip.dyndns.org 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float
    The second line says what IP the remote client will get in the router's network. All my home PCs have the IP 192.168.0.***, so I chose a free IP on my home network (in my example 192.168.0.102).

    The line beginning with "remote" is the address to connect to your router from the internet, followed by the port (1194 in my example).

    The PC needs to be in a different IP range on its own network than the IP range of the home network.
    Example:
    At work my PC has the IP 192.168.1.2
    This is another IP-Range than 192.168.0.*** at Home.

    7. Save the file.

    On the Router:
    1. Install this Tomato Mod :biggrin:

    2. Router -> Administration -> Scripts
    Add this to the Init Script:
    Code:
    sleep 5
    insmod tun.o
    -> Save

    3. Add this to the Firewall Script:
    Code:
    iptables -I INPUT 1 -p udp  --dport 1194 -j ACCEPT
    (I am using port 1194 for my openvpn connection, you can use another port instead but have to change it on all other configurations)
    -> Save

    4. Add this to the WAN-UP script:
    Code:
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    echo "
    -----BEGIN OpenVPN Static key V1-----
    
    INSERT THE CONTENT OF YOUR STATIC.KEY FILE HERE !!!!!!!!!!!!!!!
    
    -----END OpenVPN Static key V1-----
    
    " > /tmp/static.key
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --cipher BF-CBC --proto udp --keepalive 10 60 --verb 3 --daemon
    
    Don't forget to insert the content of the static.key file !!!
    -> Save

    You should reboot your router now.

    Start OpenVPN GUI on the Windows PC and connect with the created openvpn config.
    Now you have a working OpenVPN connection :)

    Hope i could help some users configuring OpenVPN. And please report if you have had success with this howto :)

    greets

    Splat`

    --------------------------------------------------------------------------------------------------------------------

    Instruction for using OpenVPN with multiple clients. (after some requests ;) )

    On a Windows PC (the Client, we use it to create the certificate):
    1. Install OpenVPN on the Windows machine

    2. For multiple Clients we need server and client certificates and keys.
    There are many manuals online how to do that.
    Here is one of them: http://www.runpcrun.com/howtoopenvpn

    Please do the following steps of this manual:
    - Set up a Certificate Authority (CA)
    - Set up server key and certificate

    leave the DOS-Box opened...

    3. Now we create the keys for the clients


    vars.bat
    build-key client1
    build-key client2
    build-key client3

    ...

    You can name the clients what you want...

    3. Copy the client1.crt, client1.key, and ca.crt to the config directory.
    Do the same for all other clients (For the second client copy: client2.crt, client2.key and ca.crt)

    4. Create a file Home.ovpn in the "config" directory (you can name it what you want, but it has to be *.ovpn)
    Code:
    client
    dev tap
    
    ifconfig 192.168.0.102 255.255.255.0
    
    ca ca.crt
    cert client1.crt
    key client1.key
    
    proto udp
    remote your.homeip.net 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    cipher BF-CBC
    comp-lzo
    verb 3
    float
    This should be all steps on the Client PC.


    On the Router:

    1. Install this Tomato Mod

    2. Router -> Administration -> Scripts
    Add this to the Init Script:
    Code:
    sleep 5
    insmod tun.o
    
    -> Save

    3. Add this to the Firewall Script:
    Code:
    iptables -I INPUT 1 -p udp  --dport 1194 -j ACCEPT
    
    (I am using port 1194 for my openvpn connection, you can use another port instead but have to change it on all other configurations)
    -> Save

    4. Add this to the WAN-UP script:

    Code:
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    # Tunnel options
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    # OpenVPN server mode options
    client-to-client
    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    
    Insert content of ca.crt here !!!!!!
    
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    
    Insert content of server .key here !!!!!! (named widged.key on the linked manual)
    
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    
    Insert content of the server .crt here !!!!!! (named widged.crt on the linked manual)
    
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    
    Insert content of dh1024.pem here !!!!!!
    
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    
    
    -> Save

    You should reboot your router now.

    Start OpenVPN GUI on the Windows PC and connect with the created openvpn config.
    Now you have a working OpenVPN connection

    Please report errors in this manual
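
Added example, not part of the thread and not roadkill's or OpenVPN's code: a small linter for the settings that recur in the configs posted here (BF-CBC, static `secret` keys, `dh1024.pem`, `comp-lzo`, `ns-cert-type`), which are now considered weak or are deprecated in current OpenVPN. It accepts a config file or an `openvpn --opt ...` command line; the finding codes, the sample file names and `ta.key` are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag dated crypto settings in an OpenVPN
# config file or an "openvpn --opt value ..." command line.
# The finding codes (WEAK-CIPHER, ...) are labels invented for this example.

audit_ovpn_conf() {
    # $1: file to check. Prints one "CODE: detail" line per finding.
    awk '
    function finding(code, msg) { print code ": " msg }
    function check(line,    w, opt, arg) {
        if (split(line, w) == 0) return
        opt = w[1]; arg = w[2]
        sub(/^--/, "", opt)
        if (opt == "cipher" && arg ~ /^(BF|DES|RC2|CAST5)-/)
            finding("WEAK-CIPHER", arg " has a 64-bit block; use an AES cipher")
        else if (opt == "secret")
            finding("STATIC-KEY", "one shared key, no forward secrecy; use TLS mode")
        else if (opt == "dh" && arg ~ /1024/)
            finding("WEAK-DH", arg " looks like 1024-bit parameters; use 2048 or more")
        else if (opt == "comp-lzo" || opt == "compress")
            finding("COMPRESSION", opt " can leak plaintext through packet sizes")
        else if (opt == "ns-cert-type") {
            peer_check = 1
            finding("DEPRECATED", "ns-cert-type; newer builds use remote-cert-tls " arg)
        }
        else if (opt == "remote-cert-tls") peer_check = 1
        else if (opt == "client" || opt == "tls-client") { is_client = 1; tls = 1 }
        else if (opt == "tls-server") tls = 1
        else if (opt == "tls-auth" || opt == "tls-crypt") hmac = 1
    }
    {
        # A command line is split into one directive per " --" separated segment.
        n = split($0, seg, / +--/)
        for (i = 1; i <= n; i++) check(seg[i])
    }
    END {
        if (is_client && !peer_check)
            finding("NO-SERVER-CHECK", "client accepts any cert signed by the CA as server")
        if (tls && !hmac)
            finding("NO-TLS-AUTH", "handshake packets carry no HMAC; add tls-auth")
    }
    ' "$1"
}

write_samples() {
    # $1: directory. Constructed samples that mirror configs posted in the thread,
    # plus a constructed hardened client config (ta.key is a hypothetical name).
    cat > "$1/server.conf" <<'EOF'
mode server
proto udp
port 1194
dev tap0
comp-lzo
# TLS Mode Options
tls-server
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
EOF
    cat > "$1/wanup.cmd" <<'EOF'
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --cipher BF-CBC --proto udp --keepalive 10 60 --verb 3 --daemon
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tap
ca ca.crt
cert client1.crt
key client1.key
remote your.homeip.net 1194
ns-cert-type server
cipher BF-CBC
comp-lzo
EOF
    cat > "$1/hardened.ovpn" <<'EOF'
client
dev tap
ca ca.crt
cert client1.crt
key client1.key
remote your.homeip.net 1194
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
for f in server.conf wanup.cmd client.ovpn hardened.ovpn; do
    echo "== $f"
    audit_ovpn_conf "$demo/$f"
done
rm -rf "$demo"
```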
     
  4. roadkill

    roadkill Super Moderator Staff Member Member

    Looking into OpenSwan

    I'm looking into integrating OpenSwan or FreeSwan before the OpenVPN GUI due to some requests, and because the GUI takes so damn long.
    If any of you have any experience in GUI design in Tomato, I'd love the help, because I've never done it and I'm not skilled in JavaScript, so if I do it myself it might take a while.
     
  5. roadkill

    roadkill Super Moderator Staff Member Member

  6. jochen

    jochen LI Guru Member

    Is it possible to connect the router to a PPTP server like Relakks or Secureix with this OpenVPN mod?
     
  7. roadkill

    roadkill Super Moderator Staff Member Member

    AFAIK OpenVPN (2.0.9) currently does not support PPTP tunnels
     
  8. fineghal

    fineghal Addicted to LI Member

    Speeds

    What kind of CPU usage can I expect with file transfers via VPN? Will this impact QoS?
     
  9. roadkill

    roadkill Super Moderator Staff Member Member

    Depends on how you classify VPN in QoS. I'm getting very decent file transfer speed; since OpenVPN has LZMA compression on the tunnel, it's very efficient...
    The best way to test speed is to try, because my line speed is obviously not the same as yours... :grin:
     
  10. azeari

    azeari Addicted to LI Member

    heh tt sounds rather cool! i've always been keeping openwrt in mind cuz of the vpn support, but i love tomato's gui and ability to change settings without a reboot (=

    many thanks! i'll upgrade from my 1.04 when i have time :p
     
  11. zveroslav

    zveroslav Addicted to LI Member

    hi there :)
    about openvpn and cpu usage...

    I tested my wrt54gl (with tomato openvpn mod) as a client connecting to openvpn linux server (at my office).

    after little tweaking it worked fine but the speed is way, way low for me :( I couldn't go any higher than 270 KB/s with CPU usage maxed out.

    When I connect the vpn from my windows machine which is behind the router, I get speeds over 2MB/s limited only by the ISP speed. I tried switching to different compression - DES-EDE3-CBC instead of the blowfish but it performed worse. Also tried tcp instead of udp... same.
    My internet is through PPPoE having a mtu of 1492. I thought that the tun0 having a mtu of 1500 was a reason of the slow speed so I tried forcing a mtu of 1492 to the vpn tunnel as well... still the same speed...

    Is there something else I missed?
     
  12. azeari

    azeari Addicted to LI Member

    heh got a qn. how do i generate my own certificates? >_<
     
  13. zveroslav

    zveroslav Addicted to LI Member

    I generated mine on the server and then copy/paste into the script.
     
  14. azeari

    azeari Addicted to LI Member

    ok i finally got it running after LOTs and LOTs of tweaking.

    1. i didn't know how to generate e certs on the server since the openssl doesn't allow the ca option to sign the certs, so i did it on my laptop
    2. Windows Vista Woes!
    I am unable to access the keys directory
    Apparently the OpenSSL included with OpenVPN doesn't play nice with Vista. Found this page that explained everything.
    http://www.justincarmony.com/blog/windows-vista/2007/02/22/openvpn-server-on-vista-32-bit-machine/
    3. Ran into more roadblocks when openvpn refused to initialize when i changed the protocol to tcp. solved by using tcp-server instead
    4. Guess what.. my certificates were somehow invalid. Regenerating them solved the problem
    5. ERROR: --dev tun also requires --ifconfig
    added a ifconfig 10.0.0.1 10.0.0.2 line to the client config file to solve this
    I'm not sure of the implications though.. so if someone could elaborate a lil (=
    6. Now tinkering with push to try tunneling connections through the tomato (= i'd appreciate some help here too ^^

    Phew.. that took me awhile. I just hate it when i bump into error after error.. and the windows vista error had me stumped for a couple hrs.

    I guess i'll take a break from it now (= shall continue tomorrow
     
  15. docinthebox

    docinthebox Addicted to LI Member

    Hope Tomato will be ported to a more powerful router such as WRT350N or the new WHR-G125.

    Might also consider the Asus WL500gP which is already supported.
     
  16. fineghal

    fineghal Addicted to LI Member

    Script error

    I tried using the script posted, complete with all the requisite keys, and I keep getting a too long "Maximum allowed is 4096 bytes." Any suggestions?
     
  17. roadkill

    roadkill Super Moderator Staff Member Member

    you have one key which is longer than 4096 bytes, try generating the keys again
    or you could be forgetting a " somewhere.
    :grin:
     
  18. _splat_

    _splat_ LI Guru Member

    I got the same problem.
    You have to delete the comments in the script (all behind the # in a line and the # itself)

    My script looks like this (i have deleted my keys for this posting ;) ):
    Code:
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    # Tunnel options
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    # OpenVPN server mode options
    client-to-client
    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
     
  19. azeari

    azeari Addicted to LI Member

    oh i think i know what he means.. its nth to do with the keys and certs but with the startup scripts

    1 solution is to put all the certificate parameters into the init script, after the sleep 5 and the insmod tun.o, and put the openvpn configurations in the wanup script.

    The other solution(that i used) is to enable jffs2, put e certs and configuration files there (ca.crt, server.crt, server.key, dh1024.pem and openvpn.conf), change the path in the config to point to /jffs/ca.crt and so on, and do myvpn --config /jffs/openvpn.conf instead
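
Added example, not from the thread: a preflight for the file-based approach described above, with certs and keys kept as files (for example under /jffs) so the WAN-up script stays below the 4096-byte limit quoted in the error. It checks the script size, that each PEM file has one matching BEGIN/END pair with real content rather than placeholder text, and that `server.key` is not accessible to group or other; the function names, finding codes and `wanup.txt` are hypothetical, and the sample files are constructed stand-ins, not key material.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for the file-based layout
# (certs and keys as files, short WAN-up script that only starts OpenVPN).

SCRIPT_LIMIT=4096   # byte limit quoted in the error message in this thread

script_fits() {
    # $1: file with the text to paste into a Tomato script box.
    [ "$(( $(wc -c < "$1") ))" -le "$SCRIPT_LIMIT" ]
}

pem_ok() {
    # $1: PEM-style file. True when it holds exactly one BEGIN/END pair with
    # matching labels and only base64/hex lines in between. Blank lines and
    # CRLF line endings (files generated on Windows) are tolerated.
    awk '
    { sub(/\r$/, "") }
    /^-----BEGIN [A-Za-z0-9 ]+-----$/ {
        if (inblk) bad = 1
        inblk = 1; body = 0; blocks++; label = substr($0, 12); next
    }
    /^-----END [A-Za-z0-9 ]+-----$/ {
        if (!inblk || !body || substr($0, 10) != label) bad = 1
        inblk = 0; next
    }
    inblk && $0 ~ "^[A-Za-z0-9+/=]+$" { body++; next }
    inblk && $0 !~ "^[ \t]*$" { bad = 1 }
    END { exit ((bad || inblk || blocks != 1) ? 1 : 0) }
    ' "$1"
}

is_private() {
    # $1: file. True when group and other have no permission bits set.
    case $(ls -ld "$1") in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

preflight() {
    # $1: directory with the cert/key files named in the thread's openvpn.conf.
    # $2: file holding the WAN-up script text.
    # Prints one line per problem and returns non-zero if there was any.
    problems=0
    if ! script_fits "$2"; then
        echo "SCRIPT-TOO-LONG: $(basename "$2") is over $SCRIPT_LIMIT bytes"
        problems=$((problems + 1))
    fi
    for f in ca.crt server.crt server.key dh1024.pem; do
        if ! pem_ok "$1/$f"; then
            echo "BAD-PEM: $f is missing, truncated or still holds placeholder text"
            problems=$((problems + 1))
        fi
    done
    if [ -e "$1/server.key" ] && ! is_private "$1/server.key"; then
        echo "KEY-READABLE: server.key is accessible to group or other; chmod 600"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

make_sample() {
    # $1: empty directory. Writes constructed stand-ins (not real key material),
    # with CRLF line endings as a Windows-generated file would have.
    for pair in "ca.crt:CERTIFICATE" "server.crt:CERTIFICATE" \
                "server.key:RSA PRIVATE KEY" "dh1024.pem:DH PARAMETERS"; do
        label=${pair#*:}
        printf '%s\r\n' "-----BEGIN $label-----" "Q09OU1RSVUNURUQ=" \
            "-----END $label-----" > "$1/${pair%%:*}"
    done
    chmod 600 "$1/server.key"
    echo "/tmp/myvpn --config /jffs/openvpn.conf" > "$1/wanup.txt"
}

work=$(mktemp -d)
make_sample "$work"
preflight "$work" "$work/wanup.txt" && echo "preflight clean"
# Reintroduce two failure modes: a loose key mode and an unfilled placeholder.
chmod 644 "$work/server.key"
printf '%s\n' "-----BEGIN CERTIFICATE-----" "Insert content of ca.crt here !!!!!!" \
    "-----END CERTIFICATE-----" > "$work/ca.crt"
preflight "$work" "$work/wanup.txt" || echo "preflight failed"
rm -rf "$work"
```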
     
  20. djr747

    djr747 Guest

    First off, thanks Roadkill!!! This is exactly what I was looking for to link a remote office to our pfsense firewall. Here is the code I used to get it working for me as a client of the pfsense box, with both sides having access to each other's segments. I have also included a grep/kill command to clean up the old tunnel and create a new one on WAN up. If anyone uses pfsense and wants that side of the config, let me know.

    Init script
    Code:
    sleep 5
    insmod tun.o

    Firewall Script
    Code:
    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -j ACCEPT

    Wan Up Script
    Code:
    cd /tmp
    openvpn --mktun --dev tun0
    brctl addif br0 tun0
    ifconfig tun0 0.0.0.0 promisc up
    ps | grep myvpn | grep ./ | awk '{print "kill "$1}' | sh

    echo "
    -----BEGIN OpenVPN Static key V1-----
    "Insert your key"
    -----END OpenVPN Static key V1-----

    " > /tmp/static.key

    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    ./myvpn --dev tun0 --secret /tmp/static.key --port 1194 --cipher RC2-CBC --proto udp --keepalive 10 60 --verb 3 --ifconfig 192.168.100.2 192.168.100.1 --route 192.168.0.0 255.255.255.0 --remote remote.hostname.com 1194 --comp-lzo --daemon
     
  21. DervMan

    DervMan Addicted to LI Member





    I'm having problems with the downloaded file, it's showing as 6KB which I assume is too small? I'm asking the question as I'm unable to extract the contents of the file.

    Can I get the file from elsewhere?

    Thanks
     
  22. Int15

    Int15 LI Guru Member

    I just tried the link and got a file of 3.02 MB (3,170,978 bytes).

    -Int15
     
  23. DervMan

    DervMan Addicted to LI Member

    Thanks, it is working now.
     
  24. roadkill

    roadkill Super Moderator Staff Member Member

    you can PM me with your e-mail address and get the complete file in case there are still problems.
     
  25. DervMan

    DervMan Addicted to LI Member

    Hi Roadkill

    I have my two wrt's running your modded firmware and have a site to site vpn running :)

    Many thanks for your efforts with this firmware.
     
  26. roadkill

    roadkill Super Moderator Staff Member Member

    I did it because I needed that solution for myself, running exactly that site2site VPN,
    and I didn't want to depend on dd-wrt due to flaky stability...
    I hope you like the Mod. I included the Victek Mod source base as well so you could have maximum features.
    I also teamed up with Victek to create a GUI and per-MAC-address statistics; I hope it will be finished soon.
    :grin:
     
  27. DervMan

    DervMan Addicted to LI Member

    I don't even know what the Victek mod is!!

    I'll start googling....
     
  28. roadkill

    roadkill Super Moderator Staff Member Member

  29. kameleon

    kameleon Addicted to LI Member

    so this is able to be setup as a wrt to wrt vpn correct? I need this to connect our 2 offices together. :) I will start reading up now.

    Also how hard would it be to make this work with multiple WAN's? I am looking to add a redundant connection through my main wrt54gs and need to know if this will still work with that. Thanks in advance.
     
  30. roadkill

    roadkill Super Moderator Staff Member Member

  31. kameleon

    kameleon Addicted to LI Member

    Thank you. I have already checked out the round robin load equilization and the other backup type connection. I was just wondering if it would work with your mod and all. I will give it a try. Thanks!
     
  32. roadkill

    roadkill Super Moderator Staff Member Member

    It should; all the firmwares are basically the same. Some use the Linksys code base and some use OpenWRT as the code base, but they are all the same.
    Kamikaze, however, is a whole different thing. I personally hope Tomato will evolve into a GUI mod similar to X-WRT; then we could have all the features with no drawbacks.
    :grin:
     
  33. fineghal

    fineghal Addicted to LI Member

    I was just checking my logs and got a weird error:

    unknown daemon.err openvpn[7527]: TCP/UDP: Socket bind failed on local address [undef]:39773: Address already in use
    unknown daemon.notice openvpn[7527]: Exiting

    unknown daemon.err openvpn[19025]: TCP/UDP: Socket bind failed on local address [undef]:39773: Address already in use
    unknown daemon.notice openvpn[19025]: Exiting

    I'm using the posted script and have my vpn port forwarded internally to the router. It was formerly UDP, and I just switched it to TCP/UDP.

    Any ideas?
     
  34. roadkill

    roadkill Super Moderator Staff Member Member

    try to add the following
    replace udp/tcp and port number to match your configuration
     
  35. kameleon

    kameleon Addicted to LI Member

    I must say....
    THIS ROCKS!!!!!!!



    I am using the exact instructions posted by _splat_ in this post:
    http://www.linksysinfo.org/forums/showpost.php?p=302642&postcount=3

    Now to see if I can get that dual wan stuff working on it. :)

    The compression is good. Before I would have to run 256 colors on my vnc connections just because the full color was unusable. Now I can use the full color setting and not be TOO lagged.

    The router cpu utilization under my normal working conditions never really hits over 5%. Now I will test that fully later with some file transfers.
     
  36. voxabox

    voxabox Addicted to LI Member

    uhm, just dl'ed the 3 files, they tested OK with 7z, but
    I tried to unzip it and ended up with 'Tomato_1.07.1040VPN-Source'
    how do I uncompress it?
    TIA,
    v
     
  37. roadkill

    roadkill Super Moderator Staff Member Member

    it's a tar.bz2 like Tomato's sourcecode
    :grin:
     
  38. voxabox

    voxabox Addicted to LI Member

    not a bz2 file!

    uhm, something wrong with my download?

    ok, tell me if I did this wrong
    downloaded the 3 files,
    extracted the 'Tomato_1.07.1040VPN-Source' with 7zip (windows)
    moved the file into linux
    rename it to 'Tomato_1.07.1040VPN-Source.tar.bz2'
    tar -xjvf Tomato_1.07.1040VPN-Source.tar.bz2

    TIA,
    v
     
  39. roadkill

    roadkill Super Moderator Staff Member Member

    pm me your e-mail I'll send you mine
    btw sorry for that
     
  40. LakeSolon

    LakeSolon Addicted to LI Member

    Sooo, how's that GUI coming? =)
     
  41. roadkill

    roadkill Super Moderator Staff Member Member

    I'm afraid I'm lost in the dark because of my lack of JavaScript skills ...
    help will be much appreciated.
     
  42. zajad

    zajad Guest

    Hey roadkill ..
    First: Thank you for the great work!
    Second: OpenVPN works great for me but I wish you add "AES-256-CBC"-Support for OpenSSL. Is there a way?
    For the moment DES encrypt my data but I miss AES.
     
  43. ikarusx3

    ikarusx3 Addicted to LI Member

    so, at last some little comment from me...

    i also liked vpn in dd-wrt but since trying tomato im totally into that firmware and now having a great openvpn server rocks. everything worked almost instantly, created a 10-client-CA certificate and its very stable.

    thanks again for this build.

    now i'm going to try to add mmc card support to this, dunno what this will end with ;) but its the last thing i need for this great firmware to be perfect.
     
  44. roadkill

    roadkill Super Moderator Staff Member Member

    I'll have a look into my source tree maybe I can do it...
     
  45. azeari

    azeari Addicted to LI Member

    actually all thats needed for the gui is probably a button to enable, disable openvpn, a textbox to fill in the .conf info. i think :p
    the tap0 already appears in the bandwidth graph
     
  46. roadkill

    roadkill Super Moderator Staff Member Member

    I wanted to include mesh vpn mode also
    :grin:
     
  47. Overflow-ar

    Overflow-ar Addicted to LI Member

    I would be glad to help with JavaScript coding :) , but got my schedule full for the next 10 days :frown1:
     
  48. SeeingWhite

    SeeingWhite LI Guru Member

    Any update to a possible openVPN GUI?
     
  49. roadkill

    roadkill Super Moderator Staff Member Member

    Soon....

    :grin:
     
  50. Ugoff85

    Ugoff85 Addicted to LI Member

    Buffalo??

    Does anyone know or tested if this will work on a Buffalo WHR-G54S?? I've got two that have tomato installed, one is at my house, the other at my condo, I want to do server-server (ie router-router) would this be possible??

    cheers!
     
  51. azeari

    azeari Addicted to LI Member

    this will work on any router out there that already supports tomato (=
     
  52. jockel

    jockel Addicted to LI Member

    Hi splat,
    your instructions worked fine for me, thank you for those explanations!
    ...except one step I do not understand:
    I think you are referring here to the Tomato router who is carrying the OpenVPN
    server/scripts and who is doing the connection to www?
    If I set this port forwarding in this very router, then I can not connect from
    outside. If I do not set it, everything works fine!
    Or, do you have a second router to do the www connection "in front" of
    your Tomato-VPN router, and you set this forwarding there?

    Regards
    Jockel
     
  53. _splat_

    _splat_ LI Guru Member

    I only own one router :)
    If I remember correctly, my OpenVPN clients were not able to connect to the OpenVPN server on my router until I had set this port forwarding...

    But i have tested it again a few minutes ago. It works perfect without this portforwarding. I will remove the useless instruction. Thank you :)
     
  54. roadkill

    roadkill Super Moderator Staff Member Member

    because the port forwarding rule opens up the port on the router and routes it to itself
    you can just add the following to the firewall script
    Code:
    /usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    
    of course you need to change it to match whatever port and protocol you use.

    :grin:
     
  55. cearum

    cearum Addicted to LI Member

    It appears that my VPN connection is working. Thanks to all of you who did the hard work! However, It also appears that the itunes shares are not finding their way over to me. Is there something that I can do to help ensure that those make their way over to me? I have the server running on my router. Any help would be appreciated since this is a new area for me. Thanks!
     
  56. roadkill

    roadkill Super Moderator Staff Member Member

    iTunes shares use UPnP; you need to disable the UPnP service on the OpenVPN client in order to use the remote (OpenVPN server) UPnP gateway.
     
  57. roadkill

    roadkill Super Moderator Staff Member Member

    I haven't forgotten you I'm working on it with some other features...
     
  58. lespaa

    lespaa LI Guru Member

    site-site openvpn

    does this openvpn version support the ability to connect a tunnel where both router endpoints are behind a NAT device? If so, I'll drop the WRV200 and learn linux in the WRT world.
     
  59. roadkill

    roadkill Super Moderator Staff Member Member

    what you are referring to is called site2site vpn and it doesn't really matter if it's behind NAT or not, the router "knows" that in order to reach a certain address range it needs to pass through a second gateway which is the vpn tunnel.
     
  60. lespaa

    lespaa LI Guru Member

    wow, that was a quick response. In clarification I'd like to make sure my scenario should work before banging my head in hours of configuration like I did with other devices. I'd like to connect two tomato devices together with a vpn tunnel, but both of those devices are behind other NAT routers. It looks to me like I've seen that openVPN can go through NAT devices, but I'd just like to make sure :) Thanks.
     
  61. roadkill

    roadkill Super Moderator Staff Member Member

    site2site vpn will merge both networks into one
    the client vpn tunnel will receive dhcp from the vpn server
     
  62. lespaa

    lespaa LI Guru Member

    sweet. thanks for your work with this firmware and communication. I'll get digging.
     
  63. roadkill

    roadkill Super Moderator Staff Member Member

    not too complicated...
    if you have problems you can post it here, my response time isn't that bad :grin:
     
  64. digitalgeek

    digitalgeek LI Guru Member

    Guys, is it possible with your OpenVPN to not allow access to local wireless users to have access to network resources (including the internet) without first logging into the VPN? This would be a wireless device associated with the access point?

    I have been discussing a theory where, instead of using WEP/WPA or any encryption, we require logging into the VPN...?
     
  65. roadkill

    roadkill Super Moderator Staff Member Member

    you can set default wireless users an invalid gateway and use the vpn as the internet access gateway, I think I'll check if it's possible..
     
  66. bilu

    bilu Addicted to LI Member

    Hi,

    Does the included wget has SSL support? I'm asking since libssl is included and it could help in a non-VPN related issue from another thread.

    Thanks in advance,
    Bruno
     
  67. roadkill

    roadkill Super Moderator Staff Member Member

    I guess I could add it since all the related libraries exists, give me a few days...
    :grin:

    Follow up:
    I checked, and wget is supplied by BusyBox, which doesn't support SSL. The only way to achieve SSL support is to
    either recompile wget from an external source or use curl along with several other libraries.
    There is, however, a port of curl for Mipsel; you could get those three libraries to compile in Tomato...
    curl - 7.14.0-1
    libcurl - 7.14.0-1
    libopenssl - 0.9.7i-1
     
  68. cearum

    cearum Addicted to LI Member

    I have another problem now. It appears that I can't get my wireless to work. Whenever I go to the Basic -> Network page it says it's on, however, it isn't broadcasting my ssid. That's not too big, but whenever I try to enable it, it just doesn't enable. I tried connecting to the non-broadcasted ssid with WPA enabled and that didn't work either. The only thing that did work was connecting to the non-broadcasted without any security enabled. What are your suggestions to my problem? I have friend come over and I would like to enable the broadcasting and use it with some protection.
     
  69. cearum

    cearum Addicted to LI Member

    I decided to try some more things. For some reason, when I have WPA/WPA2 personal enabled it won't broadcast my SSID. WEP does work, but screw WEP. WPA seems to be the culprit. It turns out the problem is Tomato.

    EDIT: I reflashed with the regular firmware and it still doesn't work.
     
  70. azeari

    azeari Addicted to LI Member

    usual problem here is "Please clear your nvram to defaults"

    if the problem still exists, check your logs for any weird errors, and possibly file a bug report
     
  71. dontbotherme

    dontbotherme LI Guru Member

    Thank you for this great mod, it's working very well over here and I am going to use it heavily in the next few days ...

    One more question remains:

    Mertech provides a GUI User Manager for OpenVPN servers, which I really would like to use (see http://www.mertech.com.au/mertech-products-openvpnusermanager.aspx).

    It's very simple to configure. Only insert in the init:

    Code:
    management IP Port (echoed pw.txt)
    and you are able to use the nice GUI. However, it's not working, even with the echoed PW, and I think it's because openvpn management is not compiled into your build, is it? I receive:

    Code:
    Sep 23 01:40:15  daemon.err openvpn[230]: Options error: Unrecognized option or missing parameter(s) in openvpn.conf:12: management (2.0.9)
    Thank you for your help.
     
  72. roadkill

    roadkill Super Moderator Staff Member Member

    I'm working on a new build, if it'll be possible in the existing space limitations I'll add that feature.
     
  73. dontbotherme

    dontbotherme LI Guru Member

    Hello

    Thanks for the ultra fast answer and your ongoing work. Unfortunately I won't be able to flash it to my router then, as I will study abroad very soon, but that's not a problem. But now I know why it didn't work last night (after 2 hours of trial & error :))

    Keep up the good work and again thank you.
     
  74. jboy

    jboy Guest

    memory leak?

    Hi,

    Does anyone know if there is a memory leak in Tomato with OpenVPN? I have noticed that the free memory on my WRT54GL has been steadily decreasing since I installed the version with OpenVPN. Since rebooting last night the free memory has decreased from 8,316 KB to 7,618 KB.

    FWIW, I have Tomato configured to show buffers as free memory. I have Open VPN configured to act as a VPN server only.
     
  75. lespaa

    lespaa LI Guru Member

    VPN Routing Configuration Help Request

    I currently have a test setup with two of these very nice VPN routers (192.168.22.1/24, 192.168.20.1/24) talking to one another across the subnet of a third non-VPN router simulating the internet (192.168.1.1/24). I am not a Linux person yet and I wasn't able to correctly decipher the guides online for my desired scenario. I don't adequately know the difference between tap/tun, and the ifconfig and connection type settings. What I would like best would be a routed solution on two different routers' subnets that can each access the internet via their own WAN/DHCP, but could resolve NetBIOS names across the VPN for file sharing etc. I'd also like to be able to access both routers from one end, or both if possible. Could you help me change my scripts to do this?

    Here are the current scripts that I've pieced together. The keys referenced are created in the Init scripts.

    Firewall on both sides
    Code:
    iptables -I INPUT 1 -p udp  --dport 1194 -j ACCEPT
    
    Server WANUP 192.168.20.1(local) 192.168.1.40(WAN)
    Code:
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    # Tunnel options
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    # OpenVPN server mode options
    client-to-client
    duplicate-cn
    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert phxrouter.crt
    key phxrouter.key
    " > openvpn.conf
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    
    Client WANUP 192.168.22.1(local) 192.168.1.44(WAN)
    Code:
    insmod tun.o
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn
    ./myvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    sleep 5
    
    echo "
    client
    dev tap0
    ifconfig 192.168.20.66 255.255.255.0
    proto udp
    remote 192.168.1.40 1194
    keepalive 15 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    " > /tmp/client.conf
    
    sleep 5
    
    ./myvpn --config client.conf
    
    It took me a few minutes to figure out that DHCP had to be turned off at the client subnet router, then all DHCP recipients on both routers received one of the server subnet addresses. I couldn't connect to the web interface or ping the 192.168.20.66 or the 192.168.22.1 addresses for the client router. I would prefer for one location not to be dependent on the other being present for internet access, but I'd like to access all areas when both are up. Any help would be much appreciated. Thanks.
     
  76. dougisfunny

    dougisfunny Addicted to LI Member

    try something like this
    Found that on the following page, and while it is a win32 page it might do the trick.
    http://openvpn.net/INSTALL-win32.html
     
  77. roadkill

    roadkill Super Moderator Staff Member Member

    I've done the required modifications but I'll need some feedback on OpenVPN management functionality..

    :grin:
     
  78. dontbotherme

    dontbotherme LI Guru Member

    Hi there Roadkill,

    I have just been informed by a buddy that you put a new version online and I couldn't believe my eyes. Two modifications I required and both are included. Did you compile the new version especially for me? :)

    I am very glad and going to flash it to my router now. I will inform you about the new management function.

    Should report to you in a few hours at the latest.

    Thanks again for your great work and effort for the community. ;-)
     
  79. dontbotherme

    dontbotherme LI Guru Member

    Code:
    Oct  1 10:24:45  daemon.notice openvpn[271]: MANAGEMENT: TCP Socket listening on 192.168.1.1:5555
    Oct  1 10:10:27  daemon.notice openvpn[283]: Initialization Sequence Completed
    
    Works like a charm, see screenshot attached.

    Thanks for the great work buddy. :) Hope more users are reporting good feedback to you.
     

  80. roadkill

    roadkill Super Moderator Staff Member Member

    well it was time for an upgrade, so I wicked a few features off the todo list
    :grin:
     
  81. dontbotherme

    dontbotherme LI Guru Member

    Thanks.

    Could you check the tomato update? I receive an error when using custom DDNS.

    Under http://www.polarcloud.com/tomato_109 there's a fix from yesterday reporting about it. Can't use my script anymore ...

    Code:
    
    Custom URL: http://www.xxx.com/xxx.php?myip=@IP
    (Use @IP for the current IP address)
    
    01.10.2007 11:08:01:
    Invalid parameter (url).
    (2/3: Automatically retrying in 21 minutes)
    
     
  82. roadkill

    roadkill Super Moderator Staff Member Member

    I did the merge already, it should work. I tested it with IE7, since that was the fix: Jon removed one comma from the URL
     
  83. dontbotherme

    dontbotherme LI Guru Member

    Damn, contacted tomato modder directly, but I only receive errors when trying to update the IP with the script.

    Ahhhhh, let's check again and wait for e-mail answer ...

    Definitely a problem with 1.09 and the new DDNS. Works with 1.07 flawlessly.
     
  84. roadkill

    roadkill Super Moderator Staff Member Member

    what ddns supplier are you using?
     
  85. dontbotherme

    dontbotherme LI Guru Member

    Own script, which receives the IP and writes it to a txt, which then is displayed in a blog. Seems to be a problem with the "@" in the custom URL. You can enter anything, but when @ is included, the invalid path comes up.

    Hmm, will stay on 1.07 until this is resolved, however your 1.09 worked really like a charm.
     
  86. roadkill

    roadkill Super Moderator Staff Member Member

    try %40 instead of @
     
  87. dontbotherme

    dontbotherme LI Guru Member

    Wow, at first I thought it worked, but it's not delivering the IP, it's sending @IP as the text result then. I think the new DDNS has mixed up the custom URL update.

    Dunno, has to be the code itself. Hmm, very strange ...
     
  88. roadkill

    roadkill Super Moderator Staff Member Member

    you can PM me the script I can have a look later
    btw I just discovered I got a bug with IE7 :'( << bug is patched - IE is working now :) ...but I still hate IE
     
  89. dontbotherme

    dontbotherme LI Guru Member

    Great, script is on its way, but I think the variable @IP doesn't exist anymore.
     
  90. dontbotherme

    dontbotherme LI Guru Member

    Sent you a PM with the updated bin from Jon. Have a look please, as he thinks he may have found the problem.
     
  91. devilkin

    devilkin Addicted to LI Member

    First off, thanks for this mod. I had been looking for openvpn on tomato ever since I came from dd-wrt :)

    Everything works here; using tun. I had to split the script evenly over init and wanup; it kept nagging about a 4k limit for scripts.

    init script:
    Code:
    sleep 5
    insmod tun.o
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn
    sleep 5
    
    echo "
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    " > /tmp/ca.crt
    
    wan up script:
    Code:
    echo "
    remote xxx.xxx.xxx.xxx
    dev tun
    port 50033
    mlock
    nice -15
    link-mtu 1492
    tun-ipv6
    client
    ca ca.crt
    cert client.crt
    key client.key
    comp-lzo
    ifconfig xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    persist-key
    persist-tun
    keepalive 5 30
    passtos
    verb 3
    " > /tmp/client.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    " > /tmp/client.crt
    
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    " > /tmp/client.key
    chmod 600 /tmp/client.key
    
    ./myvpn --config client.conf
    
     
  92. roadkill

    roadkill Super Moderator Staff Member Member

    Init/Firewall scripts were enlarged to 8K for the OpenVPN script

    Server:

    Init Script
    Code:
    sleep 5
    insmod tun.o
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    cd /tmp
    
    echo "
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    
    client-to-client
    duplicate-cn
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    INSERT YOUR ca.crt HERE
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    INSERT YOUR server.key HERE
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    INSERT YOUR server.crt HERE
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    INSERT YOUR dh1024.pem HERE
    -----END DH PARAMETERS-----
    " > dh1024.pem
    ln -s /usr/sbin/openvpn /tmp/myvpn
    
    Firewall Script
    Code:
    iptables -I INPUT 1 -p udp  --dport 1194 -j ACCEPT
    WanUp Script
    Code:
    sleep 5
    /tmp/myvpn --config openvpn.conf
    
    Client:

    Init Script
    Code:
    sleep 5
    insmod tun.o
    cd /tmp
    # create the symlink first: the next line calls ./myvpn from /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn
    ./myvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    client
    dev tap0
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    comp-lzo
    verb 0
    " > /tmp/client.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    INSERT YOUR ca.crt HERE
    -----END CERTIFICATE-----
    " > /tmp/ca.crt
    
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    INSERT YOUR client.key HERE
    -----END RSA PRIVATE KEY-----
    " > /tmp/client.key
    chmod 600 /tmp/client.key
    
    echo "
    -----BEGIN CERTIFICATE-----
    INSERT YOUR client.crt HERE
    -----END CERTIFICATE-----
    " > /tmp/client.crt
    
    WanUp Script:
    Code:
    ./myvpn --config client.conf
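
Added example, not part of any post or of the mod: a POSIX shell/awk check for the settings that recur in the configs and logs above (dh1024.pem, duplicate-cn, a management listener on the LAN address, a client config with no ns-cert-type server line, no tls-auth). The function names, the sample configs, ta.key and 192.0.2.10 are constructed for illustration, and the DH check only guesses the key size from the file name.

```shell
# Added example: lint an OpenVPN config read on stdin.
# Prints one "CODE: explanation" line per finding.
audit_openvpn_conf() {
    awk '
    { sub(/[#;].*/, "") }                      # drop comments
    NF == 0 { next }
    $1 == "client" || $1 == "tls-client" { is_client = 1 }
    ($1 == "ns-cert-type" || $1 == "remote-cert-tls") && $2 == "server" { verifies = 1 }
    $1 == "tls-auth" { hmac = 1 }
    $1 == "duplicate-cn" { print "DUPLICATE_CN: one certificate may be used by many clients at once" }
    # Heuristic: key size is guessed from the file name, as in dh1024.pem.
    $1 == "dh" && $2 ~ /(512|768|1024)/ { print "WEAK_DH: " $2 " suggests DH parameters of 1024 bits or less" }
    $1 == "management" && $3 != "unix" {
        if ($2 != "127.0.0.1" && $2 != "localhost") print "MGMT_EXPOSED: management listens on " $2 ":" $3 ", not loopback"
        if (NF < 4) print "MGMT_NO_PASSWORD: management has no password file"
    }
    END {
        if (is_client && !verifies) print "NO_SERVER_VERIFY: client does not check that the peer holds a server certificate"
        if (!hmac) print "NO_TLS_AUTH: no tls-auth key to reject unauthenticated packets"
    }'
}

# Constructed sample: server options from the thread plus the management
# listener seen in the log (192.168.1.1:5555), with no password file.
sample_server_conf() {
    cat <<'EOF'
mode server
port 1194
dev tap0
comp-lzo
duplicate-cn     # shared certificate
tls-server
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
management 192.168.1.1 5555
EOF
}

# Constructed sample: a client config with no ns-cert-type/remote-cert-tls line.
sample_client_conf() {
    printf '%s\n' client 'dev tun' 'remote 192.0.2.10 1194' 'ca ca.crt' \
        'cert client.crt' 'key client.key' 'tls-auth ta.key 1'
}

sample_server_conf | audit_openvpn_conf
sample_client_conf | audit_openvpn_conf
```

To check a real file on the router, feed it on stdin, for example `audit_openvpn_conf < /tmp/openvpn.conf`.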
     
  93. devilkin

    devilkin Addicted to LI Member

    Then this clearly didn't take on my box. Do you have to do a full clear of the settings before this becomes active?

    Whenever I enter more than 4k in the boxes and try to save, the popup comes up (blabla max 4k) and nothing happens.
     
  94. roadkill

    roadkill Super Moderator Staff Member Member

    My mistake, I'll add the change; you can get the new file in 30 minutes

    Followup: file updated
     
  95. devilkin

    devilkin Addicted to LI Member

    Thanks ;)
     
  96. roadkill

    roadkill Super Moderator Staff Member Member

    sure
    :grin:
     
  97. D_Reimer

    D_Reimer Addicted to LI Member

    Must be doing something wrong here.

    I've set everything up according to _splat's post over at post #3
    http://www.linksysinfo.org/forums/showpost.php?p=302642&postcount=3

    On a remote connection with a local IP of 192.168.2.10, I'm attempting to connect to this OpenVPN mod on my WRT54GL that has a local IP range of 192.168.1.xxx.

    Although OpenVPN GUI says that I have connected and have been assigned an IP of 192.168.1.108, the TAP adapter v8 doesn't actually pull an IP address. I'm just getting a 169 address at the moment with no packets sent or received. The VPN connection doesn't show up as a device in Device List in Tomato either.

    Any idea what I did wrong? Thanks in advance
     
  98. roadkill

    roadkill Super Moderator Staff Member Member

    post your scripts without the keys
     
  99. D_Reimer

    D_Reimer Addicted to LI Member

    Same as _splat's basically. That's all the scripts I had set up
     
  100. roadkill

    roadkill Super Moderator Staff Member Member

    I would recommend, for a start, using the config file method.
    you could be missing a - on one of the switches...
     
