
Tomato Mod v1.19.1464 with OpenVPN/Tomato Mod v1.21.TEST-v5 with OpenVPN-GUI,SDMMC,IP/MAC

Discussion in 'Tomato Firmware' started by roadkill, Jun 4, 2007.

  1. humba

    humba Network Guru Member

    I'm getting a
    Code:
    The field "script_init" is invalid. Please report this problem.
    error when trying to save my script. If I take out one of the certificates, the file gets below 4k and saving is no problem but of course then I won't be able to connect via VPN.
    Could it be that the file with the 8kb limit was not yet uploaded? The firmware I loaded for my WRT54GL was WRT54G.bin dated October 3rd 18:45:55 and has a size of 3'036'160 bytes.
     
  2. roadkill

    roadkill Super Moderator Staff Member Member

  3. humba

    humba Network Guru Member

    It's working now :)

    Just one question..

    myvpn --management <my router's lan ip> <port> pass.txt

    results in
     
  4. dopee

    dopee LI Guru Member

    Hello,
    I've got two (possibly stupid) questions:
    First, why is that mod not working for me, did I miss something?
    And second, is it possible to assign the IP addresses via DHCP to the clients instead of writing them to the config file like ifconfig 192.168.x.y 255.255.255.0?
    regards,
    dopee
     
  5. humba

    humba Network Guru Member

    It might be helpful if you provided some details about your problem. E.g. don't automatically start openvpn in the wanup script, but ssh into the router, and start it manually and report any output you get.
    If you are referring to the management thing, you have my own post with questions right above yours, which should give you an idea what to try (management 192.168.1.1 7505 in the config file brings up the management thingie for me.. I just don't have any password protection).

    The readme file that comes with the modified firmware lists a config which imho should result in clients getting an IP address from the DHCP server running on the router - I have a similar config (though taken from my dd-wrt and thus it comes from the dd-wrt wiki), and I get IPs assigned by my router.

    @edit: I may have spoken prematurely.. using the same config file for server and client as I have been using for dd-wrt 24 RC2 and above, my notebook doesn't get an IP address from my Tomato, whereas this works like a charm on dd-wrt.
     
  6. roadkill

    roadkill Super Moderator Staff Member Member

    you have to change your dhcp mask so the addresses won't overlap...
    :grin:
     
  7. humba

    humba Network Guru Member

    Could you elaborate on that?

    Just so that we're on the same page, here's my openvpn server config file:
    Code:
    # Tunnel options
    mode server       # Set OpenVPN major mode
    proto udp         # Setup the protocol (server)
    port 1194         # TCP/UDP port number
    dev tap0          # TUN/TAP virtual network device
    keepalive 15 60   # Simplify the expression of --ping 
    daemon            # Become a daemon after all initialization
    verb 3            # Set output verbosity to n 
    comp-lzo          # Use fast LZO compression 
    
    # OpenVPN server mode options
    client-to-client  # tells OpenVPN to internally route client-to-client traffic 
    duplicate-cn      # Allow multiple clients with the same common name
    
    # TLS Mode Options
    tls-server        # Enable TLS and assume server role during TLS handshake 
    ca ca.crt         # Certificate authority (CA) file
    dh dh1024.pem     # File containing Diffie Hellman parameters 
    cert server.crt   # Local peer's signed certificate
    key server.key    # Local peer's private key 
    
    #Management interface (no password file given, so any LAN host that can reach 192.168.1.1:7505 gets an unauthenticated control channel)
    management 192.168.1.1 7505
    And here's how I create the tap interface:

    Code:
    insmod tun.o                       # load the TUN/TAP driver (kernel 2.4 module)
    cd /tmp
    openvpn --mktun --dev tap0         # create a persistent tap0
    brctl addif br0 tap0               # make it a port of the LAN bridge
    ifconfig tap0 0.0.0.0 promisc up   # no address of its own; br0 carries the LAN IP
    Besides the insmod line, it's the same as on my dd-wrt (and notably, I'm not using openvpn to assign IP addresses), where I also made no changes to the dhcp - since I'm bridging the LAN (using a tap and not tun interface), once the tunnel is up, the remote machine should be "on the lan" and thus all services available to the lan should be available, including dhcp. Even if I manually assign an IP address to the openvpn interface on the notebook (which of course isn't connected to the lan for these tests.. I'm using an umts data card which has a completely different address than anything used in my internal network) which is part of my internal address range (but not the range assigned by my dhcp), I'm unable to get any kind of service working.. I see packets going out the virtual interface, but there's not a peep coming back.
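
    The bring-up sequence above, as an added example rather than humba's own script: the same four steps, written so that a Tomato init/wanup script can run them repeatedly without a second insmod error or tap0 being added to br0 twice. It assumes the names from the post (tun.o, br0, tap0), that brctl and ifconfig are on the path, and that it runs as root; RUN=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not humba's script: idempotent tap0 bring-up for a bridged
# OpenVPN server on Tomato. Assumptions (mine): kernel 2.4 module tun.o, LAN
# bridge br0, VPN interface tap0, brctl/ifconfig on the path, running as root.
# Set RUN=echo to print the commands instead of executing them.

RUN=${RUN:-}
TAP=${TAP:-tap0}
BRIDGE=${BRIDGE:-br0}

# 0 (true) if the interface already exists.
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# Print the ports of bridge $1 from "brctl show" output read on stdin.
# Parsed from brctl because kernel 2.4 has no /sys/class/net/<br>/brif:
# a bridge's first line has 4 fields (name, id, STP, first port), each
# further port of the same bridge is a line with a single field.
bridge_ports() {
    awk -v b="$1" '
        NR > 1 && NF > 1 { br = $1 }
        NR > 1 && br == b && (NF == 4 || NF == 1) { print $NF }'
}

# 0 (true) if interface $2 is already a port of bridge $1.
bridge_has_port() {
    brctl show 2>/dev/null | bridge_ports "$1" | grep -qx "$2"
}

setup_tap_bridge() {
    tap=$1; br=$2
    # tun.o may already be loaded; a failing insmod must not abort the script.
    $RUN insmod tun.o 2>/dev/null || true
    iface_exists "$tap" || $RUN openvpn --mktun --dev "$tap"
    bridge_has_port "$br" "$tap" || $RUN brctl addif "$br" "$tap"
    # The tap carries no address of its own; br0 holds the LAN IP.
    $RUN ifconfig "$tap" 0.0.0.0 promisc up
}

# Run for real on the router (brctl present) or when dry-running with RUN=echo.
if [ -n "$RUN" ] || command -v brctl >/dev/null 2>&1; then
    setup_tap_bridge "$TAP" "$BRIDGE"
fi
```

    The checks are what make the difference on a reboot or a repeated wanup: a second openvpn --mktun on an existing tap0 and a second brctl addif both fail, and with the plain four-line version that failure is silent until you notice clients connect but never see the LAN.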
     
  8. Toxic

    Toxic Administrator Staff Member

  9. humba

    humba Network Guru Member

    @toxic: are you sure you posted in the right thread... IE seems to have very little to do with openvpn ;)
     
  10. cgondo

    cgondo Network Guru Member

    I tried to use the 1 client option from my Win XP machine and it works. For some reason, using the same static key etc from the Windows Vista machine does not work.

    It seems that it is connecting to the Server but timed out by closing the TCP/UDP socket.

    Any idea if this is Vista Business particular?

    Thanks
     
  11. u3gyxap

    u3gyxap Network Guru Member

    Bug found with v1.09.1181
    Administration --> Configuration --> Restore Default Configuration.
    Unable to proceed with restoring defaults or erasing nvram. Confirm dialog window does not appear.
     
  12. roadkill

    roadkill Super Moderator Staff Member Member

    I'm Looking into it...
    >Bug Fixed - admin-config.asp patched
     
  13. u3gyxap

    u3gyxap Network Guru Member

    10x, it is working fine.
     
  14. roadkill

    roadkill Super Moderator Staff Member Member

    Yes I know, it was a small javascript error...
    :grin:
     
  15. alinpa

    alinpa LI Guru Member

    Hello Roadkill,
    You did a great job and we appreciate it. Thank you! :)
    I want to ask you if it's possible to also introduce support for the mmc mod (mmc.o).
    My WRT54GL is SD modded, but Tomato doesn't have support for this and I think it would be nice to have support for this too.
    Cheers!
     
  16. roadkill

    roadkill Super Moderator Staff Member Member

    It's currently being worked on, I'm trying to make it available for next release.
     
  17. jwchk

    jwchk Network Guru Member

    It works great!!

    Thank you very much to Roadkill!!!
     
  18. xworm

    xworm LI Guru Member

    Works with the Moto WR850G?

    I've noticed Jon provides a firmware specially for the WR850G; I think that is because the WR850G has some differences from the Linksys WRT54G series, and therefore some modifications had to be made to the original firmware designed for the WRT54G.
    So I wonder: should this VPN firmware be modified to match the WR850G, or is it already OK for all routers supported by the official Tomato firmware?
     
  19. Sunspark

    Sunspark LI Guru Member

    To the best of my knowledge, already ok.. The individual firmwares are for bootstrap reasons from a factory firmware.. after tomato is installed, then any image can be used to upgrade, according to the readme.
    VPN is software, so it doesn't require 'router specific' images because it doesn't deal with changing bootstraps, and it is a tomato being installed on top of tomato, so.. it's fine.

    That said, since I don't need it right this second, I'm going to wait till all the bugs are hammered out of this, and hoping that it'll get a fancy GUI, and maybe even eventual integration into the official. That'll catch some real eyes.
     
  20. xworm

    xworm LI Guru Member

    Does it mean that I can flash any router-tailored Tomato (the firmware for the WRT54GS, for example) on the WR850G just after I load the WR850G-tailored Tomato?

    I understand VPN isn't "router specific", but what I'm worrying about is: as a whole package, maybe roadkill's VPN firmware has some "router specific" limitation like the official tomato release.
     
  21. roadkill

    roadkill Super Moderator Staff Member Member

    should work on any Tomato supported router
     
  22. humba

    humba Network Guru Member

    @roadkill.. sorry to bug you again, but could you elaborate on
    I'm really hoping to avoid descending into all the details of openvpn at this point.. dd-wrt was a breeze there (well, almost, you have to combine the various wiki pages and forum posts to get the complete picture). As you can see from my openvpn server config file, I'm not assigning any IP addresses via openvpn and the virtual interface is bridged to the LAN.
     
  23. roadkill

    roadkill Super Moderator Staff Member Member

    the dhcp server netmask should be configured with no overlapping addresses.
    e.g. client 192.168.1.100-150, server 192.168.1.151-200
    or different netmasks e.g. client 172.16.1.1-100 server 192.168.1.1-100
    and then IP addresses can be assigned via openvpn with no problems.

    another possible way is to change the dhcp range from 192.168.1.1-100 to 192.168.1.254-154
    by entering a custom dnsmasq configuration
    Code:
    dhcp-range=192.168.1.254,192.168.1.154,255.255.255.0,12h
    dhcp-authoritative
    strict-order
    
     
  24. humba

    humba Network Guru Member

    Umm.. I'm sorry to be so thick..
    What do you mean by
    I have one DHCP server on the Tomato with one dhcp range: 192.168.1.100-150.
    Are you referring to openvpn's ability to act as a dhcp server and give out IP addresses on its own - would that be the server range you mentioned?

    If so, how come my config allows me to get a dhcp from the router's dhcp server on dd-wrt without needing to set up dhcp on openvpn but not on tomato?
    If not, I'm completely dumbstruck..

    For reference, here's the client config I'm using
    Code:
    client
    remote mypublicip
    resolv-retry infinite
    port 1194
    dev tap
    proto udp
    comp-lzo
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    route-gateway 192.168.1.1
    redirect-gateway
    nobind
    verb 3
     
  25. roadkill

    roadkill Super Moderator Staff Member Member

    I was referring to dhcp server range
     
  26. humba

    humba Network Guru Member

    Hmm.. I don't know what it is.. I'm unable to follow what you're saying :(
    You mentioned a DHCP client and server range. In a single subnet scenario, wouldn't there be one dhcp server with one IP address, handing out a range of addresses (the dhcp client range). What is the dhcp server range?
    Would you mind posting your working openvpn client & server config files and any custom dnsmasq settings you might have.. perhaps in looking at them I will finally understand what you mean, or at least can try to replicate a working setup even if it means making changes to my current environment.
     
  27. roadkill

    roadkill Super Moderator Staff Member Member

  28. humba

    humba Network Guru Member

    Ahh.. I think I realize now where we missed each other. Your second link refers to a site to site VPN. What I am trying to do is have a remote client (PC) roaming the Internet who wants to connect to my home network (so this).

    I do have two routers (both WRT54GL) at home each with its own public IP address. Router one serves the internal subnet 192.168.1.0/24 and runs Tomato 1.09 with your VPN mod. Router two serves the internal subnet 192.168.2.0/24 and runs dd-wrt v24 RC3 vpn edition.

    I have set up my dd-wrt router according to the manual I linked to earlier in this post. I have posted my openvpn client and server configuration here - it works just fine (note that I have to change the "route-gateway 192.168.1.1" line to "route-gateway 192.168.2.1" to connect to the dd-wrt router and of course change the public IP).

    Now I'm using the exact same server and client config file (minus the public IP and internal router IP of course) on my tomato. openvpn is running on the router, I can connect to it from a machine outside my network, but I don't get any traffic through the tunnel, starting with the dhcp request. So, since the configuration is the same, as is the DHCP server config (on the dd-wrt I have the same 50 address range, it just is in the 192.168.2.0 net), I figure it should work on both routers.

    Naturally, I have also opened the appropriate port in the firewall script of both routers:
    Code:
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    So you see.. identical configurations, yet one works and the other doesn't for no apparent reason.
     
  29. roadkill

    roadkill Super Moderator Staff Member Member

    different SSL/LZO/OpenVPN versions, or time zones that don't match;
    it will be more productive to telnet/ssh into your client router and initiate vpn connection manually so you could see the log...
     
  30. humba

    humba Network Guru Member

    I checked the clock on both router and notebook.. it's the same (and timezones are configured the same).

    Will report back on what openvpn dumps on the tomato when attempting a connection and check version numbers.
     
  31. scaredwitless

    scaredwitless LI Guru Member

    I've been banging my head against the wall all morning on this problem! I couldn't figure out why it wasn't generating the CRT file, realized that error message probably had something to do with it and finally decided it probably wasn't playing nice with Vista somehow. Did a google search on the error and it brought me straight back to your post. Glad I've not gone completely insane.... Unfortunately that link you gave is throwing up a 404... So is there a solution to this problem? Or could you point me in the right direction to finding the solution myself? I'd be eternally grateful. But on that note were I to generate the CRTs on a XP machine and just copy them over to my laptop Vista's openVPN config directory would that get me past the problem or would I just encounter another one down the line?

    Thanks much appreciated. And Roadkill thanks for all your work on this! AND Splat thanks for your tutorial!
     
  32. roadkill

    roadkill Super Moderator Staff Member Member

    OpenVPN on Vista howto
    eternally grateful you said :wink1:
     
  33. xworm

    xworm LI Guru Member

    Success on WR850G V2

    Thanks,

    for 1st step, the VPN tomato works well with WR850G, I upgrade it from official Moto 6.1.4

    I'll try to setup the VPN server later.
     
  34. humba

    humba Network Guru Member

    alright.. I started openvpn on both routers manually and copied out every output.. same thing for the client and I have zipped it all up. On the server side, it's pretty much the same. The only difference is the line indicating that the management interface is up on the tomato, plus a line indicating that the connection was successfully brought up

    Code:
    Tue Oct  9 21:53:01 2007 myip:port [client1] Peer Connection Initiated with myip:port
    On the client side I see that the client cannot get an ip address when connecting to the router running tomato. I have scrubbed all public IP addresses, hashes and certificate information from the logs.
     

    Attached Files:

  35. kameleon

    kameleon LI Guru Member

    How well does this work with a dynamic IP on the "server" side? Supposedly I have a dynamic IP address with my home internet connection but it has not changed in many months. I still have a dynamic dns type account just in case. I was just wondering what I put in for the IPs if I were to swap to this kind of multiple connection setup.
     
  36. roadkill

    roadkill Super Moderator Staff Member Member

    the dynamic ip address...
     
  37. kameleon

    kameleon LI Guru Member

    so I just put the hostname like whatever.dyndns.com right? I must be having a slow day. lol
     
  38. roadkill

    roadkill Super Moderator Staff Member Member

    yeah exactly like that :clap2:
     
  39. roadkill

    roadkill Super Moderator Staff Member Member

    could you elaborate on the client pc ?
    OS/OpenVPN version?
    set verb 5 or 6 while saving the log
     
  40. scaredwitless

    scaredwitless LI Guru Member

    Thanks Roadkill for the link on Vista with OpenWRT. I'm still having issues. The link you gave is a little dated. I've been searching and I think this link is the most common solution repeated over and over: https://sales.hotspotvpn.com/helpdesk/issue_view.asp?ID=2153&CATE=0

    So that I think solves the problem of running openVPN on a Vista machine (which frankly I didn't know was a problem because I hadn't gotten that far yet). But I still have not been able to find the solution to being able to generate the certificate under Vista... Should I just give up on that and find myself an XP machine to do it on?

    Anyway soo, if anyone has gotten everything to fully work under Vista, I would LOVE to hear your experience and what you did to smooth it all.

    I'm trying to get this all setup on my WRT54GS and Vista laptop because in a weeks time I'm flying across the country for surgery and i'd like to be able to access my home network resources while I'm in recovery. So again thanks. And really I mean it Roadkill, you're doing excellent work on top of Jon's already excellent work. I think you should consider setting up your own paypal donations account I'm sure some would contribute. :)
     
  41. roadkill

    roadkill Super Moderator Staff Member Member

    thought about it but Jon deserves all the credit; I haven't done anything but add a few packages and integrate some sources that were sent to me.
    I wouldn't offend Jon with that kind of action, I think it's his work we should be thanking him for :smile1:.
    maybe in the long run I'll do a project of my own but the time for that is still far away from public release.
    thanks for the support.

    :grin:
     
  42. humba

    humba Network Guru Member

    WinXP and OpenVPN 2.0.9 (I believe the version number is on both server and client log).

    Will do the whole thing again with a higher log level when I don't fall almost asleep.
     
  43. scaredwitless

    scaredwitless LI Guru Member

    Okay I finally got everything working! This is very excellent.

    I never got the key/certificate route working. I even tried generating the certificates on an XP machine. I got much farther along in the process but when it came to generating the certificates for the individual PCs, I'd get an error message and it would create the certificate file, but the file would be empty and 0 bytes--So really I have no idea what was going on there.

    But I am running out of time to get this setup so I decided to scale back on my ambitions and fall back to the 1 PC static key setup option. That went much smoother I was able to do everything on Vista just fine, and after following the directions from the link I posted earlier, the OpenVPN-GUI ran just fine. (basically you have to run as administrator and add a couple extra lines to the config file).

    Anyway after that openVPN connected to my router on the first try! I'm really excited to have this setup, it will make things a lot easier to go about when I'm away from home.

    Splat, I followed your excellent guide to the T, and it worked perfectly for me (well in static key mode anyway, haha)--Thanks so much for that. You made it quite easy to do.

    And it need not be said again, but thanks Roadkill for making it all possible!
    (PS I do understand your feelings about the donation thing, and I applaud your feelings on the matter, because yes Jon certainly does deserve as much thanks as he can get for this firmware!)
     
  44. azeari

    azeari LI Guru Member

    i have it working on vista anyway. lots of issues yes i know, i had to manually upgrade the SSL package included with openvpn to the latest beta version to get pathing working on vista. this is in addition to already using the latest openvpn beta since the routeadd API was changed in vista, and resolved in the beta. a couple more issues i can't remember. feel free to ask me if you need any help or if you want a sample config. I've gotten both routing and bridging modes to work
     
  45. cgondo

    cgondo Network Guru Member

    Hi Azeari,

    So the problem is with Vista? I loaded the beta version of OpenVPN and while I do have the same setting with my XP, I can not connect using the simplest set up (static key).

    Any help/guide will be much appreciated
     
  46. azeari

    azeari LI Guru Member

    alright, the problems you'll get using vista are these

    1. Weird errors while trying to generate certificates (get the beta openssl)
    2. Route add failures (get the beta openvpn)

    In your case, i think its to do with the configuration. i haven't tried out static key configs yet so i'm not sure what could go wrong in your setup. If you don't mind, attach a copy of your config files so we can take a look (=
     
  47. cgondo

    cgondo Network Guru Member

    Thanks Azeari

    But I don't think it is the config file. The thing is that the same config works with the Windows XP machine but the Vista one just doesn't work. I'll post the config when I have the chance. Thanks
     
  48. scaredwitless

    scaredwitless LI Guru Member

    Did you try doing the steps for the Vista solution in the link I posted earlier?
    https://sales.hotspotvpn.com/helpdesk/issue_view.asp?ID=2153&CATE=0

    I don't know if the steps are necessary as I did them before I even tried running the openVPN gui. But I can say mine works good on Vista, I'm using the latest beta of openVPN and the solutions listed in that link.
     
  49. humba

    humba Network Guru Member

    @roadkill.. I do not know what happened.. but now that I finally found some time to do more testing, I find that all of a sudden it works. The only thing remaining is reboot the router and see if it still works after that.

    @edit: of course it won't work :( I've attached traces with verbosity 6 on both sides. I don't see anything pertinent though, and there are a few warnings which are just bogus.

    E.g.
    Tue Oct 16 22:09:50 2007 us=262789 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo' (comp-lzo is part of my server config file)
    same for
    WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tap'
    proto and tls-server.

    P.S. I switched to tcp in the meantime, hence the different port. I had tcp working though before the reboot.
     

    Attached Files:

  50. roadkill

    roadkill Super Moderator Staff Member Member

    thanks I'll look at the logs
    @humba is it possible you have a different TZ set? They both must be time synchronized.

    Client
    Server
    The time is a bit off, I noticed nothing special besides that but I'll go through it again tomorrow.
     
  51. azeari

    azeari LI Guru Member

    i think the problem lies here
    Since the route delete 0.0.0.0 has already been executed earlier, you'd be left with no internet connection whatsoever after that.

    Well the error says "route gateway is not reachable on any active network adapters" so perhaps the push route command shouldn't be pushing 192.168.1.1 there.

    Just a qn: do you happen to be using push "redirect gateway"? didn't see it appear in the config files posted earlier, or maybe i missed it.

    Also, i tend to specify the client ip pool in the server configs (=
     
  52. humba

    humba Network Guru Member

    I believe the time offset is due to the router synchronizing more frequently than the PC - doesn't windows only synchronize once every week or even once every month? I see this quite often that despite having a time server configured, machine time can vary (I run a bunch of machines hosting virtual machines at work.. and they always have small clock discrepancies even though they all use the same time server - unless I manually trigger a time resynch).

    @azeari: that log entry just means one thing: the virtual interface has no IP address when openvpn tries to push the route. At the point when it tries to do this, the interface IP is still undetermined. It should be something like 192.168.1.1xx, and then you have no problem adding the route. Unfortunately I didn't keep the log from the successful connection or you'd see how the route addition was successful then.

    No.. it's part of the client config file:

    Code:
    client
    remote mydyndns
    resolv-retry infinite
    port 443
    dev tap
    proto tcp-client
    comp-lzo
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    route-gateway 192.168.1.1
    redirect-gateway
    nobind
    verb 3
     
  53. humba

    humba Network Guru Member

    I'd rather have Tomato's DHCP take care of everything, but just in case.. would you mind sharing your server config? I guess I could give openvpn's dhcp a shot and see if it changes anything.
     
  54. lboregard

    lboregard LI Guru Member

    Share Tomato/OpenVPN QOS settings

    hello everyone,

    i'm wondering if someone could please share their qos settings for openvpn. i'm currently getting decent speeds, but i think it can be optimized with qos.

    not sure how to do it, since it's an incoming connection and tomato works better with outbound qos.

    great firmware and great mod !

    thanks in advance
     
  55. roadkill

    roadkill Super Moderator Staff Member Member

    depends on your working conditions.. I usually classify QOS to a high priority after dns queries and I'm getting reasonable 2500/250 20-40MS on a site2site VPN with no P2P.
    what bandwidth speed are you using?
     
  56. lboregard

    lboregard LI Guru Member

    did you mean classify "VPN" ?

    what rule do you use ? port-based ?

    I have 800k down and about 128k up. i've read about optimizing upload bandwidth, and i will check into it this weekend.
     
  57. roadkill

    roadkill Super Moderator Staff Member Member

    yes I classify it by port
     
  58. occamsrazor

    occamsrazor Network Guru Member

    I've been using Tomato for a few months on a WHR-G54s and love it. I wanted the OpenVPN and have now managed to get it working via the "static key" method helpfully posted by Splat on page 1 of this thread. Thanks to everyone involved. I have a question about IP ranges though:

    The PC needs to have another IP range on his own Network, than the IP-Range of the Home-Network.
    Example:
    At work my PC has the IP 192.168.1.2
    This is another IP-Range than 192.168.0.*** at Home.


    My home network is 192.168.0.x
    My office network is 10.11.x.x
    but I also use a lot of internet cafes whose ranges vary

    I initially tested it from *within my home wireless network* using this config:

    ifconfig 192.168.0.102 255.255.255.0

    but the OpenVPN client hung with:

    Fri Oct 19 13:30:37 2007 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Fri Oct 19 13:30:37 2007 Route: Waiting for TUN/TAP interface to come up...


    and it wouldn't connect, so I changed the .ovpn file to:

    ifconfig 192.168.1.102 255.255.255.0

    ...and it connected fine. My question therefore is if I'm going to be connected from a variety of networks, what is the best way to set this up. Once connected remotely I would like to be able to access my home machines via their local IP address i.e. 192.168.0.2 etc

    Thanks in advance for your help, sorry if these are dumb questions, and thanks again to all who've contributed to making this firmware work...

    Regards,

    Ben
     
  59. _splat_

    _splat_ Network Guru Member

    All the clients are getting a 192.168.0.* address if connected to the router. You can access each client with the 192.168.0.* IPs from all other clients and your home network. It doesn't matter what IP range you are using on your client's network, but it can NOT be 192.168.0.*

    If you are connecting from within your Home-Network to the OpenVPN server, there will be a routing conflict.
    There is already a route on your PC for the destination 192.168.0.*, and now the OpenVPN client tries to create another route for this destination...

    This is the reason why you need another IP-Range on your clients than on your OpenVPN network.

    Edit: It should be possible to dynamically set the client IPs via DHCP. But I don't know how to do that with OpenVPN because I like static IPs ;)
     
  60. occamsrazor

    occamsrazor Network Guru Member

    Thanks for the advice...

    All the clients are getting a 192.168.0.* address if connected to the router. You can access each client with the 192.168.0.* IPs from all other clients and your home network. It doesn't matter what IP range you are using on your client's network, but it can NOT be 192.168.0.*

    OK... I think I get it, sort of... Assuming my home network is 192.168.0.* then if I need to connect from a cafe also using 192.168.0.* addresses then I would have to change ifconfig to something like 192.168.1.102 right?

    But if I do that then can I still access my home devices via their 192.168.0.* addresses? And if I set ifconfig to 192.168.1.102 does my router see my remote client device as having 192.168.1.102 or a 192.168.0.* address? So does it matter at all what ifconfig is set to so long as it doesn't conflict with the client network?

    Sorry for all the questions... :)

    Ben

    PS - What Windows OpenVPN GUI client do you recommend? I've been using this one - http://openvpn.se/ - and it seems fine, just wondering if there is anything better.
     
  61. _splat_

    _splat_ Network Guru Member

    No, because you still have the same subnet on your cafe-Network and on your home network.
     
  62. humba

    humba Network Guru Member

    I figured out how to make openvpn assign IP addresses from my subnet on its own by adding
    Code:
    server-bridge 192.168.1.1 255.255.255.0 192.168.1.90 192.168.1.95
    to my openvpn.conf.

    Now the connection comes up and the tap interface on the client gets an IP address, but there's no traffic coming into the LAN segment. That would also explain the problems I'm having without that line in the config file - since no traffic gets to br0, the virtual interface on the client can try as long as it wants to get an IP address via DHCP.
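
    The address-plan rules raised in this thread, as an added example that is not code from any of the posts: a pre-flight check a router's busybox shell can run before the config goes live. It covers roadkill's point in post 23 (the dnsmasq dhcp-range pool and the OpenVPN server-bridge pool must both sit inside the LAN subnet and must not overlap) and _splat_'s point in post 59 (the network the remote client sits on must not be the same subnet as the home LAN). The addresses used as sample input are the ones quoted above; the function names and the reversed-range handling are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the address plan of a
# bridged (TAP) OpenVPN setup. Pure POSIX sh arithmetic, no external tools, so
# it also runs on the router itself.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET MASK: 0 (true) if IP lies inside NET/MASK.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Print "lo hi" as integers in ascending order, so a pool written high-to-low
# (as in the dhcp-range line quoted earlier) is treated like any other.
norm_range() {
    lo=$(ip2int "$1"); hi=$(ip2int "$2")
    if [ "$lo" -gt "$hi" ]; then echo "$hi $lo"; else echo "$lo $hi"; fi
}

# ranges_overlap LO1 HI1 LO2 HI2 (integers): 0 (true) if they share an address.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_bridge_plan LAN_IP NETMASK DHCP_START DHCP_END POOL_START POOL_END
# DHCP_* is the dnsmasq dhcp-range, POOL_* the server-bridge pool.
# Returns 0 when the plan is consistent, 1 otherwise, and prints why.
check_bridge_plan() {
    lan=$1; mask=$2
    for a in "$3" "$4" "$5" "$6"; do
        in_subnet "$a" "$lan" "$mask" || { echo "$a is outside $lan/$mask"; return 1; }
    done
    set -- $(norm_range "$3" "$4") $(norm_range "$5" "$6")
    if ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "dnsmasq pool and server-bridge pool overlap"; return 1
    fi
    echo "address plan ok"
}

# client_lan_clashes CLIENT_NET CLIENT_MASK HOME_NET HOME_MASK: 0 (true) when
# the two networks overlap, i.e. the client would hold two routes for the
# home LAN's addresses and the bridged VPN cannot work from that network.
client_lan_clashes() {
    in_subnet "$3" "$1" "$2" || in_subnet "$1" "$3" "$4"
}

# Sample input: the values quoted in the thread.
check_bridge_plan 192.168.1.1 255.255.255.0 192.168.1.154 192.168.1.254 192.168.1.90 192.168.1.95
check_bridge_plan 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.150 192.168.1.140 192.168.1.160 || true
if client_lan_clashes 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0; then
    echo "client LAN is the same subnet as the home LAN: renumber one side"
fi
```

    The check is arithmetic only: a plan that passes can still fail the way humba describes above, with the tap up and addressed but no frames reaching br0, which the bridge script and the firewall have to answer for.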
     
  63. occamsrazor

    occamsrazor Network Guru Member

    I removed the ifconfig line entirely from the client config, and now when I connect remotely the router's DHCP server assigns the OpenVPN client a DHCP address. Then by checking the admin pages' device list whilst connected I was able to fix a static DHCP address based on the mac address reported. I'm not really sure if this is the best way to get DHCP addresses, but it seems to work :)

    Following on from my previous points about IP address ranges, so is it the case that if I'm in a client network with 192.168.0.* addressing, and my home network is the same, then there is no way I can access my home network devices (without changing my home network addressing which isn't viable)?

    Thanks,

    Ben
     
  64. lbento

    lbento LI Guru Member

    I would like to replace my dd-wrt firmware with tomato VPN but I need the ebtables module to block the dhcp requests from each end so that I don't get clients from one end assigned an IP address and gateway address from the other end. I installed the ebtables module under dd-wrt but I cannot do it with tomato. Can anyone help me with this? Thank you in advance.
     
  65. roadkill

    roadkill Super Moderator Staff Member Member

    I think I can help you with that... do you have a preferred version?
    lbento: send me your e-mail in PM I'll send you a test version in a day or two.
     
  66. lbento

    lbento LI Guru Member

    Roadkill, thank you in advance for your prompt help.
    A preferred version of tomato firmware? No, I don't have a preferred version (only a stable one that works ;-) ). As I said earlier I have an openvpn bridge between two linksys wrt54gs v1.1 routers with dd-wrt 2.3 sp2. From what I've read in this thread I can use both the startup and firewall scripts that I use with dd-wrt 2.3 sp2, except the ebtables ones:

    startup script:
    /sbin/insmod ebtables
    /sbin/insmod ebtable_filter
    /sbin/insmod /jffs/lib/modules/2.4.30/ebt_ip.o

    firewall script:
    /usr/sbin/ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

    The reason that i want to drop the dd-wrt configuration is because i believe that the tomato firmware project is a more open and free one.
    Thank you in advance.
     
  67. roadkill

    roadkill Super Moderator Staff Member Member

    /sbin/insmod /jffs/lib/modules/2.4.30/ebt_ip.o
    I can include that extension as a module so you won't have to enable jffs...
     
  68. lbento

    lbento LI Guru Member

    please do!
    Thank you so much!
     
  69. roadkill

    roadkill Super Moderator Staff Member Member

    please PM me your e-mail, so I could send a test build...
     
  70. roadkill

    roadkill Super Moderator Staff Member Member

    I will probably release this evening; the program already compiles, what's left is only the symbol stripping routines...
    if anyone here needs special extension/module support please notify me so I can add it.
     
  71. rela

    rela LI Guru Member

    Error:

    Oct 21 18:33:52 daemon.notice openvpn[224]: 127.257.585.xxx:2049 [client4] Peer Connection Initiated with 127.257.585.xxx:2049
    Oct 21 18:33:52 daemon.err openvpn[224]: client4/127.257.585.xxx:2049 MULTI: no dynamic or static remote --ifconfig address is available for client4/127.257.585.xxx:2049
    Oct 21 18:33:53 daemon.notice openvpn[224]: client4/127.257.585.xxx:2049 PUSH: Received control message: 'PUSH_REQUEST'
    Oct 21 18:33:53 daemon.notice openvpn[224]: client4/127.257.585.xxx:2049 SENT CONTROL [client4]: 'PUSH_REPLY,ping 15,ping-restart 60' (status=1)
    Oct 21 18:33:54 daemon.notice openvpn[224]: client4/127.257.585.xxx:2049 MULTI: Learn: 00:18:39:d4:c3:7a -> client4/127.257.585.xxx:2049
    Oct 21 18:33:55 daemon.notice openvpn[224]: client4/127.257.585.xxx:2049 MULTI: Learn: 00:1b:f4:22:e4:b9 -> client4/127.257.585.xxx:2049
    Oct 21 18:35:05 daemon.notice openvpn[224]: client4/217.243.47.10:2050 [client4] Inactivity timeout (--ping-restart), restarting
    Oct 21 18:35:05 daemon.notice openvpn[224]: client4/217.243.47.10:2050 SIGUSR1[soft,ping-restart] received, client-instance restarting


    client conf linksys
    ----
    tls-client
    dev tap0
    proto udp
    remote xxxxxx.dyn.org 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /jffs/ca.crt
    key /jffs/client4.key
    cert /jffs/client4.crt
    ns-cert-type server
    comp-lzo
    verb 3
    ----
    init script
    ----
    sleep 5
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config /jffs/openvpn.conf
    ---



    srv linksys
    ---
    # Tunnel options
    mode server # Set OpenVPN major mode
    proto udp # Setup the protocol (server)
    port 1194 # TCP/UDP port number
    dev tap0 # TUN/TAP virtual network device
    keepalive 15 60 # Simplify the expression of --ping
    daemon # Become a daemon after all initialization
    verb 3 # Set output verbosity to n
    comp-lzo # Use fast LZO compression

    # OpenVPN server mode options
    client-to-client # tells OpenVPN to internally route client-to-client traffic
    duplicate-cn # Allow multiple clients with the same common name

    # TLS Mode Options
    tls-server # Enable TLS and assume server role during TLS handshake
    ca /jffs/ca.crt # Certificate authority (CA) file
    dh /jffs/dh1024.pem # File containing Diffie Hellman parameters
    cert /jffs/server.crt # Local peer's signed certificate
    key /jffs/server.key # Local peer's private key
    ---

    init
    ---
    sleep 5
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config /jffs/openvpn.conf
    ---


    but somehow the error always comes up at the beginning; does anyone know where the mistake is?
    I have already been connected with other clients.

    regards, rela
     
  72. roadkill

    roadkill Super Moderator Staff Member Member

    sorry, I don't understand german
     
  73. JohnnyO

    JohnnyO Network Guru Member

    Here is what Babelfish translated:

    From:

    but somehow the error always comes up at the beginning; does anyone know where the mistake is?
    I have already been connected with other clients.

    To:

    but always the error comes somehow, white one where the error is because of the beginning? with others clients were already connected.
     
  74. roadkill

    roadkill Super Moderator Staff Member Member

    Google Translate gives out:
    But somehow always comes at the beginning of the error, one knows where the error is?
    Bin with other clients have been connected.

    but it's still not readable.
     
  75. rela

    rela LI Guru Member

    hi! Sorry i'll translate it.

    those are my config files, and at the beginning of the connection there's an error. I can see the error text in the log file of my router. Now I'm asking here where I have to change something in my config to get connected to my router.

    other clients work with the router (server) that I'm connected to, but router to router it doesn't work :/

    greetz rela
     
  76. lbento

    lbento LI Guru Member

    Have you opened port 1194 in the server router?

    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
     
  77. roadkill

    roadkill Super Moderator Staff Member Member

    check the location of the keys again, or more likely you have overlapping addresses (same netmask in source and destination)...
     
  78. u3gyxap

    u3gyxap Network Guru Member

    roadkill, is it possible to include few binaries in the mod, to support serial console via modem? What I believe is needed is:
    setserial
    stty
    mgetty
    These are available via "ipkg install" in openwrt. I can mail them to you if you like.
    I have a nice serial mod, with 2 serial ports, but I am unable to set up the second port.
     
  79. roadkill

    roadkill Super Moderator Staff Member Member

    depends on the size, but send me the links and I'll take care of it; since I'm now working on the ebtables add-on I guess I can add a few more binaries.
     
  80. u3gyxap

    u3gyxap Network Guru Member

  81. roadkill

    roadkill Super Moderator Staff Member Member

    I prefer to compile them from source that way I can strip unused stuff...
     
  82. u3gyxap

    u3gyxap Network Guru Member

  83. roadkill

    roadkill Super Moderator Staff Member Member

    10x
    :grin:
     
  84. mstombs

    mstombs Network Guru Member

    Can you tell me what version of gcc Tomato should use? I had to edit 1 Makefile (mksquashfs) to remove a "-Wno-pointer-sign" flag that my system compiler didn't understand to complete a Tomato build. It seems as though this is a gcc >v4 flag; I appear to have 3.4.6, and the resulting bins are a bit smaller than official Tomato (no changes), so I have no intention of flashing... I haven't checked for other errors in the build log yet!
     
  85. roadkill

    roadkill Super Moderator Staff Member Member

    the recommended cross-compiling platform is gcc 3.4.6. I had a rough time creating a toolchain with a newer version, although I know there is a size difference between the compilers. Tomato uses 3.2.3, same as Linksys's firmware version 4.11.30.
    BTW if you would like to share your toolchain I'd love that...
     
  86. mstombs

    mstombs Network Guru Member

    My Toolchain? - I thought I was using the Linksys cross-compiler one for everything except the build tools! Or do you mean the path - I only added the last 2 items as per README?

    Code:
    /usr/local/sbin:/usr/sbin:/sbin::/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/opt/bin:/usr/local/games:/usr/lib/java/bin:/usr/lib/java/jre/bin:/opt/kde/bin:/usr/lib/qt/bin:/opt/seamonkey/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/brcm/hndtools-mipsel-uclibc/bin:/opt/brcm/hndtools-mipsel-linux/bin

    I have an old pentium PC with a single CD distro called vectorlinux

    Vector Linux 5.8 SOHO Beta 1 Feb-22-2007 on Linux 2.6.20

    (its now out of beta, and I have the final version on a dodgy disk, so never upgraded - their new version beta uses gcc-4.1.2)

    I don't recall adding any tools manually, the distro can build its own kernel sources, for example, and has ssh/ samba so I can use it remotely - I was looking for squashfs-lzma at the time, but was never able to mount firmware filesystems and I later found unsquashfs tools which were more use. There's a lot of stuff in my /bin , some of which got there by accident - path error on creating a firmware filesystem!

    I've built and run firmwares for my adsl modem, have also built but never run Linksys WAG200G, Netgear DM111P from their GPL source without much difficulty so something must be OK with the 'make' command!
     
  87. roadkill

    roadkill Super Moderator Staff Member Member

    I tried creating my own cross compiling toolchain from scratch with all sources from svn and fought with it for a week until 1.10 came out, since then I haven't had much time to make modifications...
     
  88. u3gyxap

    u3gyxap Network Guru Member

    No, thank YOU! :)
     
  89. mstombs

    mstombs Network Guru Member

    best of luck with cross-compilers, that's scary stuff - I see that mipsel is not well supported by automatic tools http://www.kegel.com/crosstool/crosstool-0.43/buildlogs/ which explains why I have HardHat/Montavista, Broadcom, Linksys/ Acorp chains on my disk - built by someone-else!
     
  90. rela

    rela LI Guru Member

    yes, opened on both routers

    and the keys are in the correct folder /jffs/

    greetz rela
     
  91. existenz

    existenz Guest

    does anyone know what this error means?

    Oct 27 23:52:45 router daemon.warn openvpn[347]: WARNING: file '/jffs/server.key' is group or others accessible
     
  92. roadkill

    roadkill Super Moderator Staff Member Member

    please post your config and a copy of ls -al /jffs
    you can also try chmod 600 server.key
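The two log excerpts in this thread (rela's "no dynamic or static remote --ifconfig address" error above, and existenz's "group or others accessible" warning just before this post) are the kind of lines worth catching automatically on a router syslog. The scanner below is an added example, not code from the thread or from the Tomato project; its sample log is constructed to mirror the quoted lines with RFC 5737 documentation addresses in place of the posters' real ones, and the advice strings restate what the thread itself concluded (add a server-bridge pool for bridged clients, chmod 600 the private key, check port 1194 and overlapping subnets).

```python
import re

# Constructed log excerpt modelled on the lines quoted in this thread; the
# addresses are documentation addresses (RFC 5737), not the posters' real ones.
SAMPLE_LOG = """\
Oct 21 18:33:52 daemon.notice openvpn[224]: 203.0.113.7:2049 [client4] Peer Connection Initiated with 203.0.113.7:2049
Oct 21 18:33:52 daemon.err openvpn[224]: client4/203.0.113.7:2049 MULTI: no dynamic or static remote --ifconfig address is available for client4/203.0.113.7:2049
Oct 21 18:33:53 daemon.notice openvpn[224]: client4/203.0.113.7:2049 PUSH: Received control message: 'PUSH_REQUEST'
Oct 21 18:35:05 daemon.notice openvpn[224]: client4/203.0.113.7:2050 [client4] Inactivity timeout (--ping-restart), restarting
Oct 27 23:52:45 router daemon.warn openvpn[347]: WARNING: file '/jffs/server.key' is group or others accessible
Oct 27 23:52:46 router cron.info crond[120]: USER root pid 351 cmd /tmp/myvpn
"""

# The hostname field is present on some lines and absent on others in the
# quoted logs, so anchor on the "openvpn[pid]:" token rather than on position.
OPENVPN_MSG = re.compile(r"openvpn\[\d+\]: (?P<msg>.*)$")

# (pattern, finding code, what to do about it). Named groups in the pattern
# are substituted into the advice text.
CHECKS = [
    (re.compile(r"no dynamic or static remote --ifconfig address is available for (?P<who>\S+)"),
     "no-address-pool",
     "server has no address to hand {who}; in bridged (tap) mode add a "
     "server-bridge line to the server config"),
    (re.compile(r"WARNING: file '(?P<path>[^']+)' is group or others accessible"),
     "key-readable-by-others",
     "private key {path} is readable by other users; chmod 600 {path}"),
    (re.compile(r"(?P<who>\S+) \[\S+\] Inactivity timeout \(--ping-restart\)"),
     "ping-restart",
     "{who} stopped answering keepalives; check that UDP 1194 is open on the "
     "server router and that the two LAN subnets do not overlap"),
]


def scan_openvpn_log(text):
    """Return (line_number, code, advice) for every openvpn line matching a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = OPENVPN_MSG.search(line)
        if not m:
            continue  # another daemon's line; the syslog is shared
        msg = m.group("msg")
        for pattern, code, advice in CHECKS:
            hit = pattern.search(msg)
            if hit:
                findings.append((lineno, code, advice.format(**hit.groupdict())))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for lineno, code, advice in scan_openvpn_log(SAMPLE_LOG):
        print(f"line {lineno}: {code}: {advice}")
```

On the router itself the same checks could be run over `/var/log/messages` (or `logread` output) with any interpreter available; the patterns are the part that matters, and they match on the message text only, so the differing syslog prefixes on these routers do not break them.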
     
  93. roadkill

    roadkill Super Moderator Staff Member Member

  94. u3gyxap

    u3gyxap Network Guru Member

    OK, even better.
     
  95. roadkill

    roadkill Super Moderator Staff Member Member

    could you please PM me your e-mail so I can send you a test build.
    >>never mind tested it myself... it works
    Link Added Here
     
  96. u3gyxap

    u3gyxap Network Guru Member

    PM sent anyway :)
     
  97. ng12345

    ng12345 LI Guru Member

    Hi,

    new to this forum -- switched from dd-wrt to tomato just this evening and really appreciate the working and speedy QoS. I saw this mod and I am really interested in getting OpenVPN working. I just read through the whole thread and learned a lot, but have a little different scenario than what I've read about so far.

    If possible, I want to do 2 site-to-site vpns. That is router A is the vpn server and router B and router C have independent internet connections and each forms a site to site with router A (B & C do not need to communicate with each other). All 3 routers serve DHCP to their respective clients.

    As I understand it, I can not use the static key method since that only works with 1 link, so instead I will have to issue certificates using a certificate authority for each "client."

    Is there any code (outside of what is in your templates) that I need to add so B and C communicate with A?

    currently the DHCP servers are set up like this -
    Router A: 192.168.0.100-192.168.0.150/255.255.255.0
    Router B: 192.168.1.100-192.168.1.150/255.255.255.0
    Router C: 192.168.2.100-192.168.2.150/255.255.255.0

    Do these need to be altered in any way (should they all have different ranges on the 192.168.0.x range?)?

    Thanks for all your help

    Also -- do I need to have ebtables set up to ensure the dhcp servers don't get all mangled up?

    Another link/guide I found (for OpenWRT):
    http://www.linux.com/feature/58336
     
  98. roadkill

    roadkill Super Moderator Staff Member Member

    Dropping DHCP packets using iptables sounds like a good idea...

    Yes that is correct.

    I would first try with the standard template but you may have to add routes for each router's scope if you'll use the same netmask.

    you can do it on any range/netmask you want as long as the IP addresses are not overlapping; if you choose a different netmask the tap device is simply used as a bridge.
    I personally think it would be cleaner to have
    A 10.0.0.X/255.0.0.0,B 172.16.0.X/255.255.0.0,C 192.168.1.X/255.255.255.0

    you're most welcome!

    I use IPtables for that but an ebtables add on has been requested and I'm working on it.
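The thread keeps coming back to two address questions: whether the LANs on each side of a bridged tunnel overlap (_splat_'s cafe/home answer in post 61 and occamsrazor's question in post 63, ng12345's three-router plan just above and roadkill's 10/172.16/192.168 alternative), and how to pick the pool in humba's `server-bridge` line (post 62) so it lies inside the LAN but outside the router's own DHCP range. The checker below is an added example, not code from any poster or from the Tomato project; the site tables are constructed from the values quoted in the thread, and it generalises humba's single case into a validator for any server-bridge pool.

```python
import ipaddress

# Constructed from the thread's own examples: ng12345's three routers, roadkill's
# suggested alternative, and the cafe/home case from posts 61 and 63.
SITES_AS_POSTED = {
    "Router A": "192.168.0.0/255.255.255.0",
    "Router B": "192.168.1.0/255.255.255.0",
    "Router C": "192.168.2.0/255.255.255.0",
}
SITES_SUGGESTED = {
    "Router A": "10.0.0.0/255.0.0.0",
    "Router B": "172.16.0.0/255.255.0.0",
    "Router C": "192.168.1.0/255.255.255.0",
}
CAFE_AND_HOME = {
    "cafe": "192.168.0.0/24",
    "home": "192.168.0.0/24",
}


def overlapping_sites(sites):
    """Return sorted (name_a, name_b) pairs whose LAN subnets overlap.
    Any overlap means hosts on a bridged tunnel cannot tell the two LANs apart,
    which is why the cafe/home case in the thread cannot work without renumbering."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_bridge_pool(lan_cidr, dhcp_range, pool_range):
    """Validate a server-bridge address pool against the LAN subnet and the
    router's own DHCP range. Returns a list of problems; empty means usable."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in pool_range)
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in dhcp_range)
    problems = []
    if pool_lo > pool_hi:
        problems.append(f"pool start {pool_lo} is after pool end {pool_hi}")
    for addr in (pool_lo, pool_hi):
        if addr not in lan:
            problems.append(f"{addr} is not inside {lan}")
    # Two inclusive ranges overlap when each starts before the other ends.
    if pool_lo <= dhcp_hi and dhcp_lo <= pool_hi:
        problems.append("pool overlaps the router's DHCP range; "
                        "two hosts could be handed the same address")
    return problems


def server_bridge_directive(gateway, lan_cidr, dhcp_range, pool_range):
    """Build the server-bridge line for openvpn.conf, or raise ValueError
    listing the problems found with the pool."""
    problems = check_bridge_pool(lan_cidr, dhcp_range, pool_range)
    if problems:
        raise ValueError("; ".join(problems))
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return f"server-bridge {gateway} {lan.netmask} {pool_range[0]} {pool_range[1]}"


if __name__ == "__main__":
    print("as posted:", overlapping_sites(SITES_AS_POSTED) or "no overlap")
    print("suggested:", overlapping_sites(SITES_SUGGESTED) or "no overlap")
    print("cafe/home:", overlapping_sites(CAFE_AND_HOME) or "no overlap")
    # humba's line from post 62, checked against Router B's DHCP range.
    print(server_bridge_directive("192.168.1.1", "192.168.1.0/24",
                                  ("192.168.1.100", "192.168.1.150"),
                                  ("192.168.1.90", "192.168.1.95")))
```

The overlap check is the same one roadkill applies by hand in the next reply ("as long as the ip addresses are not overlapping"); running it over all sites at once catches the case where two remote sites clash with each other even though each is fine against the server.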
     
  99. ng12345

    ng12345 LI Guru Member

    Excuse my ignorance, but what would the iptables code look like -- where would it go?

    Is it just this code?
     
  100. roadkill

    roadkill Super Moderator Staff Member Member

    life is about ever evolving :grin: and for dropping dhcp packets I think this will do
    Code:
    iptables -I INPUT $(expr $(iptables -L INPUT|wc -l) - 2) -i $(nvram get lan_ifname) -p udp --dport 67:68 --sport 67:68 -j DROP
    and if you want to drop the packets from TAP you do it like this
    Code:
    iptables -A INPUT -p UDP -i tap0 -d 255.255.255.255 --destination-port 67:68 -j DROP
    iptables -A FORWARD -p UDP -i tap0 -d 255.255.255.255 --destination-port 67:68 -j DROP
    # OUTPUT matches on the outgoing interface (-o); iptables rejects -i in this chain
    iptables -A OUTPUT -p UDP -o tap0 -d 255.255.255.255 --destination-port 67:68 -j DROP
    but u3gyxap has much better knowledge of iptables than me.
     