
Tomato Mod v1.19.1464 with OpenVPN/Tomato Mod v1.21.TEST-v5 with OpenVPN-GUI,SDMMC,IP/MAC

Discussion in 'Tomato Firmware' started by roadkill, Jun 4, 2007.

  1. roadkill

    roadkill Super Moderator Staff Member Member

    could please post the output anyway so I can assume the reason...
     
  2. Trunkz

    Trunkz LI Guru Member

    Traceroute 195.178.106.225 from computer:

    Code:
    buntas-macbook:~ Bunta$ traceroute 195.178.106.225
    traceroute to 195.178.106.225 (195.178.106.225), 64 hops max, 40 byte packets
     1  195.178.106.225 (195.178.106.225)  2.582 ms  0.779 ms  0.549 ms
    
    Traceroute from router (via SSH):

    Code:
    # traceroute 195.178.106.225
    traceroute to 195.178.106.225 (195.178.106.225), 30 hops max, 38 byte packets
     1  195.178.106.225 (195.178.106.225)  0.939 ms  1.317 ms  0.683 ms
    That's it =/
     
  3. roadkill

    roadkill Super Moderator Staff Member Member

    this is the ip of the openvpn server it was different in the configuration...
     
  4. dougisfunny

    dougisfunny LI Guru Member

    Not sure if this will be helpful, but I have two routers bridged together using these confs

    Server
    Code:
    echo "
    # Tunnel options
    mode server
    proto udp
    port 1195
    dev tap1
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    # OpenVPN server mode options
    server-bridge 192.168.5.1 255.255.255.0 192.168.5.50 192.168.5.99
    route 10.10.10.0 255.255.255.0 192.168.5.50
    client-to-client
    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    Client

    Code:
    echo "
    client
    dev tap1
    ifconfig 192.168.5.50 192.168.5.1
    route 192.168.5.0 255.255.255.0
    proto udp
    remote <myremote>.dyndns.org 1195
    resolv-retry infinite
    nobind
    user nobody
    group nobody
    persist-key
    persist-tun
    ca cacl.crt
    cert routercl.crt
    key routercl.key
    ns-cert-type server
    comp-lzo
    verb 3
    mute 20
    " > routercl.conf
    I found that I had to manually add the route command in there otherwise they wouldn't work properly
     
  5. roadkill

    roadkill Super Moderator Staff Member Member

    route add -host 195.178.106.139 dev br0?
     
  6. Trunkz

    Trunkz LI Guru Member

    I tried that command, got an error:

    Code:
    # route add -net 195.178.106.139 dev br0
    route: SIOC[ADD|DEL]RT: Invalid argument
    
     
  7. roadkill

    roadkill Super Moderator Staff Member Member

    try with host and would it be possible to post server config?
     
  8. Trunkz

    Trunkz LI Guru Member

    Tried it with host, same error. I can't get the server config, due to the server not actually being mine. (I pay for the VPN service.) All I need is to basically use the server's internet connection. I can connect to it fine from OpenVPN (GUI) on Windows and use its internet connection without any real problems. I'll post the .conf file from the OpenVPN on Windows:

    Code:
    remote 195.178.106.139 # tree load: 0
    remote 66.90.117.9 # birdie load: 1 
    auth-user-pass 
    client 
    ca ca.crt 
    cert trunkz.crt 
    key trunkz.key 
    dev tap0 
    topology subnet 
    ns-cert-type server 
    proto tcp 
    port 443 
    nobind 
    persist-key 
    persist-tun 
    ping 15 
    ping-restart 45 
    ping-timer-rem 
    tls-client 
    pull
    comp-lzo  
    http-proxy cache.lsbu.ac.uk 8080
    verb 3
    
    It's exactly the same in my script, so I don't see why it's not working. Here is the log from OpenVPN (GUI) when it connects to the VPN on Windows:

    Code:
    Sat Dec 08 09:30:40 2007 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
    Sat Dec 08 09:30:40 2007 LZO compression initialized
    Sat Dec 08 09:30:40 2007 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Sat Dec 08 09:30:40 2007 RESOLVE: NOTE: cache.lsbu.ac.uk resolves to 4 addresses, choosing one by random
    Sat Dec 08 09:30:40 2007 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Sat Dec 08 09:30:40 2007 Local Options hash (VER=V4): '69109d17'
    Sat Dec 08 09:30:40 2007 Expected Remote Options hash (VER=V4): 'c0103fa8'
    Sat Dec 08 09:30:40 2007 Attempting to establish TCP connection with 136.148.0.181:8080
    Sat Dec 08 09:30:40 2007 TCP connection established with 136.148.0.181:8080
    Sat Dec 08 09:30:40 2007 Send to HTTP proxy: 'CONNECT 195.178.106.139:443 HTTP/1.0'
    Sat Dec 08 09:30:41 2007 HTTP proxy returned: 'HTTP/1.0 200 Connection established'
    Sat Dec 08 09:30:43 2007 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Sat Dec 08 09:30:43 2007 TCPv4_CLIENT link local: [undef]
    Sat Dec 08 09:30:43 2007 TCPv4_CLIENT link remote: 136.148.0.181:8080
    Sat Dec 08 09:30:43 2007 TLS: Initial packet from 136.148.0.181:8080, sid=7688e9fc 077b52d3
    Sat Dec 08 09:30:43 2007 VERIFY OK: depth=1, /C=../ST=../L=./O=../CN=.._CA/emailAddress=..
    Sat Dec 08 09:30:43 2007 VERIFY OK: nsCertType=SERVER
    Sat Dec 08 09:30:43 2007 VERIFY OK: depth=0, /C=../ST=../L=./O=../CN=tree/emailAddress=..
    Sat Dec 08 09:30:44 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Dec 08 09:30:44 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Dec 08 09:30:44 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Dec 08 09:30:44 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Dec 08 09:30:44 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Dec 08 09:30:44 2007 [tree] Peer Connection Initiated with 136.148.0.181:8080
    Sat Dec 08 09:30:45 2007 SENT CONTROL [tree]: 'PUSH_REQUEST' (status=1)
    Sat Dec 08 09:30:45 2007 PUSH: Received control message: 'PUSH_REPLY,route-gateway 195.178.106.1,redirect-gateway def1,dhcp-option DNS  195.178.106.162,dhcp-option DOMAIN tree.vpntunnel.co.uk,topology subnet,ping 10,ping-restart 40,ifconfig 195.178.106.225 255.255.255.0'
    Sat Dec 08 09:30:45 2007 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Dec 08 09:30:45 2007 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Dec 08 09:30:45 2007 OPTIONS IMPORT: route options modified
    Sat Dec 08 09:30:45 2007 OPTIONS IMPORT: route-related options modified
    Sat Dec 08 09:30:45 2007 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Dec 08 09:30:45 2007 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{1A8BC259-3EED-4BBC-9A22-D2A39C6F27E5}.tap
    Sat Dec 08 09:30:45 2007 TAP-Win32 Driver Version 9.3 
    Sat Dec 08 09:30:45 2007 TAP-Win32 MTU=1500
    Sat Dec 08 09:30:45 2007 Set TAP-Win32 TUN subnet mode network/local/netmask = 195.178.106.0/195.178.106.225/255.255.255.0 [SUCCEEDED]
    Sat Dec 08 09:30:45 2007 Notified TAP-Win32 driver to set a DHCP IP/netmask of 195.178.106.225/255.255.255.0 on interface {1A8BC259-3EED-4BBC-9A22-D2A39C6F27E5} [DHCP-serv: 195.178.106.254, lease-time: 31536000]
    Sat Dec 08 09:30:45 2007 Successful ARP Flush on interface [3] {1A8BC259-3EED-4BBC-9A22-D2A39C6F27E5}
    Sat Dec 08 09:30:50 2007 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
    Sat Dec 08 09:30:50 2007 route ADD 136.148.0.181 MASK 255.255.255.255 192.168.249.2
    Sat Dec 08 09:30:50 2007 Route addition via IPAPI succeeded [adaptive]
    Sat Dec 08 09:30:50 2007 route ADD 0.0.0.0 MASK 128.0.0.0 195.178.106.1
    Sat Dec 08 09:30:50 2007 Route addition via IPAPI succeeded [adaptive]
    Sat Dec 08 09:30:50 2007 route ADD 128.0.0.0 MASK 128.0.0.0 195.178.106.1
    Sat Dec 08 09:30:50 2007 Route addition via IPAPI succeeded [adaptive]
    Sat Dec 08 09:30:50 2007 Initialization Sequence Completed
    
     
  9. roadkill

    roadkill Super Moderator Staff Member Member

    you know you could probably load your windows config onto the one in the router right?
    simply use the conf as the config on the router it works on windows...
     
  10. Trunkz

    Trunkz LI Guru Member

    I am using my windows one =/
     
  11. roadkill

    roadkill Super Moderator Staff Member Member

    topology subnet parameter wasn't in your config
    protocol defined in your config is udp and the port is 1194 as well as the pull parameter

    Code:
    remote 195.178.106.139 # tree load: 0
    remote 66.90.117.9 # birdie load: 1 
    auth-user-pass 
    client 
    ca ca.crt 
    cert trunkz.crt 
    key trunkz.key 
    dev tap0 
    topology subnet 
    ns-cert-type server 
    proto tcp 
    port 443 
    nobind 
    persist-key 
    persist-tun 
    ping 15 
    ping-restart 45 
    ping-timer-rem 
    tls-client 
    pull
    comp-lzo  
    http-proxy cache.lsbu.ac.uk 8080
    verb 3
    
    the only common thing with your windows config is probably certificates/IPs... :knock:
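The mismatch roadkill spotted by eye in post #11 (router copy on udp/1194 without `topology subnet` and `pull`, Windows copy on tcp/443 through the proxy) is the kind of thing a small script finds faster than a reader. The following is an added example, not code from the thread or from the Tomato mod: it parses two OpenVPN client configs the way OpenVPN reads them (one directive per line, `#` comments stripped, repeated `remote` lines allowed) and lists every directive that differs, flagging the ones that decide whether a session can be set up at all. `WINDOWS_CONF` is the working config posted above; `ROUTER_CONF` is a constructed reconstruction of the router copy as roadkill described it, since that copy was never posted verbatim. Inline `<ca>...</ca>` blocks are not handled; the configs in this thread reference files.

```python
"""Compare two OpenVPN client configs and list the directives that differ.

Added example, not from the thread or the Tomato mod. WINDOWS_CONF is the
working Windows .ovpn from the thread; ROUTER_CONF is a constructed
reconstruction of the router copy as described in post #11.
"""
from collections import defaultdict

# Directives that decide whether the tunnel can come up at all; a mismatch
# here explains "works on Windows, silently fails on the router".
TRANSPORT_DIRECTIVES = {
    "proto", "port", "remote", "dev", "topology", "pull", "http-proxy",
    "client", "tls-client", "cipher", "auth-user-pass", "ns-cert-type",
}

# Reference: the working Windows config posted in the thread.
WINDOWS_CONF = """\
remote 195.178.106.139 # tree load: 0
remote 66.90.117.9 # birdie load: 1
auth-user-pass
client
ca ca.crt
cert trunkz.crt
key trunkz.key
dev tap0
topology subnet
ns-cert-type server
proto tcp
port 443
nobind
persist-key
persist-tun
ping 15
ping-restart 45
ping-timer-rem
tls-client
pull
comp-lzo
http-proxy cache.lsbu.ac.uk 8080
verb 3
"""

# Constructed (assumption): the router copy as roadkill described it in
# post #11 -- udp/1194, no 'topology subnet', no 'pull'.
ROUTER_CONF = (
    WINDOWS_CONF.replace("proto tcp", "proto udp")
    .replace("port 443", "port 1194")
    .replace("topology subnet\n", "")
    .replace("pull\n", "")
)


def parse_openvpn_config(text):
    """Return {directive: [arg-list, ...]} the way OpenVPN reads a config file:
    one directive per line, '#' starts a comment (also inline), ';' at line
    start is a comment, and a directive such as 'remote' may repeat."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        directives[parts[0]].append(parts[1:])
    return directives


def compare_openvpn_configs(reference, candidate):
    """Return sorted (directive, ref_values, cand_values, transport_relevant)
    tuples for every directive missing on one side or carrying different args."""
    ref, cand = parse_openvpn_config(reference), parse_openvpn_config(candidate)
    findings = []
    for name in sorted(set(ref) | set(cand)):
        ref_vals = sorted(" ".join(a) for a in ref.get(name, []))
        cand_vals = sorted(" ".join(a) for a in cand.get(name, []))
        if ref_vals != cand_vals:
            findings.append((name, ref_vals, cand_vals, name in TRANSPORT_DIRECTIVES))
    return findings


def transport_mismatches(reference, candidate):
    """Names of the differing directives that affect transport or session setup."""
    return [f[0] for f in compare_openvpn_configs(reference, candidate) if f[3]]


if __name__ == "__main__":
    for name, ref_vals, cand_vals, hot in compare_openvpn_configs(WINDOWS_CONF, ROUTER_CONF):
        flag = "TRANSPORT" if hot else "other"
        print(f"{flag:9} {name}: reference={ref_vals or '(absent)'} "
              f"candidate={cand_vals or '(absent)'}")
```

Run it and the four transport-relevant differences (`port`, `proto`, `pull`, `topology`) come out first; anything in the "other" bucket (verb, ping timers) can differ without stopping the handshake. Because the reference is the config that is known to work, the output is a to-do list for the router copy rather than a guess.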
     
  12. Trunkz

    Trunkz LI Guru Member

  13. roadkill

    roadkill Super Moderator Staff Member Member

    you have a username/password authentication when you connect from the gui right?
    use auth-user-pass /tmp/auth and put username and password in the first two lines in /tmp/auth
    you can also use auth-retry interact in your config, so OpenVPN will prompt you for username and password if verification fails.
     
  14. Trunkz

    Trunkz LI Guru Member

    I tried what you said, doesn't seem to change the situation either. Any chance you can make a build of tomato with tcpdump? At least then we can see where all the lovely packets are going, and if the routing is actually working. Tcpdump itself has one dependency, and that's libpcap. I've listed both sources (obtained from openwrt):

    tcpdump: http://downloads.openwrt.org/sources/tcpdump-3.9.8.tar.gz
    libpcap: http://downloads.openwrt.org/sources/libpcap-0.9.4.tar.gz

    Appreciate it.

    (I tried running things over CIFS, but tcpdump kept complaining that it needed libpcap, even though the libpcap files were in the same directory as tcpdump..)
     
  15. roadkill

    roadkill Super Moderator Staff Member Member

    export LDPATH=/cifs1:LD_LIBRARY_PATH=/cifs1:LD=/cifs1 will make it run from cifs...
     
  16. K1nslayer

    K1nslayer LI Guru Member

    VPN mod for 1.13?

    Hey are we going to get an updated version of 1.13 with OpenVPN added? Please? :)

    -K1nslayer
     
  17. kameleon

    kameleon LI Guru Member

    I agree.... Please.... ;)

    Maybe with the dnsmasq tftp option compiled in. :-D
     
  18. roadkill

    roadkill Super Moderator Staff Member Member

    update to 1.13 is on the way...
     
  19. Leeoniya

    Leeoniya LI Guru Member

    was wondering if we'll see any progress on MMC mod, OpenVPN and/or VLAN GUI config capabilities in this upcoming 1.13 release?

    thanks,
    Leon
     
  20. roadkill

    roadkill Super Moderator Staff Member Member

    MMC mod implementation is in final GUI stages :grin:
     
  21. TheGIZ

    TheGIZ Network Guru Member

    Looking forward to it... and as always... thanks for all your efforts!
     
  22. kameleon

    kameleon LI Guru Member

    Quick question for roadkill and/or splat_.... I am about to re-setup my openvpn setup. Before I followed splat_'s directions in post #3 to a T for the single client and static key. It worked. Now I will have multiple different clients. I will have at least 2 WRT54G clients, a winblows client, and a linux laptop client. The directions splat_ has for the multiple clients look like they are just for winblows or "non-router" clients. And roadkill's post #2 is just for router clients it appears. What would be the best way to set this up? I have followed the directions splat_ has in post #3 to a T for creating all the client1 through "howevermany" .crt and .key files so that much is done.

    Also I need the remote router clients to be able to do their own DHCP stuff. That shouldn't be a problem as long as I assign the client router an IP that is outside the DHCP range. Right?

    And lastly I am having to upgrade from my trusty old 1.07 tomato.... so going to the latest and greatest 1.13 would be cool *hint* ;)
     
  23. roadkill

    roadkill Super Moderator Staff Member Member

    I'm planning to finish it up for the weekend but I don't really have time so maybe I'll just do a quick VPN only build...

    as for your question OpenVPN confs are the same for all operating systems
    which means the same set of instructions can be used for ANY platform.
    well for most of the options ...
     
  24. kameleon

    kameleon LI Guru Member

    Ok. Running 1.11.1219 and trying to set up for the multiple clients. Following the stuff I should put in the wanup script I get this when going to save: "The field "script_wanup" is invalid. Please report this problem."

    All I have in the wanup script is:
    Code:
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    # Tunnel options
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    # OpenVPN server mode options
    client-to-client
    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    
    I inserted the content of ca.crt here
    
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    
    I inserted the content of server (widget) .key here 
    
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    
    I inserted the content of the widget.crt here but only from within the begin to end sections.
    
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    
    I inserted the content of my dh1024.pem here 
    
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    Any ideas?

    Oh and that is fine on the 1.13. No rush. I just thank you for the addition to the community. ;)
     
  25. roadkill

    roadkill Super Moderator Staff Member Member

    I just had a problem with pppoe and 1.13 on my production router,
    I think I'll wait a few more days because something is wrong with it
    still stuck on connecting with pppoe from time to time...
    setting MTU manually fixed it :wall:
     
  26. roadkill

    roadkill Super Moderator Staff Member Member

    Init Script
    Code:
    sleep 5
    insmod tun.o
    ln -s /usr/sbin/openvpn /tmp/myvpn
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    client-to-client
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    
    I inserted the content of ca.crt here
    
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    
    I inserted the content of server (widget) .key here 
    
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    
    I inserted the content of the widget.crt here but only from within the begin to end sections.
    
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    
    I inserted the content of my dh1024.pem here 
    
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    Firewall Script
    Code:
    killall openvpn && killall myvpn
    ifconfig tap0 0.0.0.0 promisc down && sleep 5 && ifconfig tap0 0.0.0.0 promisc up
    /tmp/myvpn --config openvpn.conf
    
     
  27. kameleon

    kameleon LI Guru Member

    It took that. I guess I was putting it in the wrong place. oops. :) Now I will see tonight if a client can connect. Thanks for the help.
     
  28. elkabong33

    elkabong33 LI Guru Member

    Hello Everyone,

    Sorry if you saw a similar thread started by me; however, I am just taking RoadKill's advice to post my issue here instead.

    This is my Setup:

    Buffalo WHR-HP-G54 running Tomato 1.11.1219 OpenVpn Mod >> ADSL Modem >> Internet >> Untangle (OpenVPN) Server

    1. My LAN is on 192.168.1.0 network
    2. The Untangle (OpenVPN) Server is on a Public IP and distributes IPs from the 172.16.16.0 pool to VPN Clients.

    However, I am unable to ping or connect to any other addresses via the tunnel.

    My Untangle OpenVPN server has provided me with the certificates and conf file.

    The contents of the .conf file which is automatically sent by the Untangle (OpenVPN) Server are here:

    # OpenVPN(v2.0) configuration script

    client
    proto udp
    resolv-retry 20
    keepalive 10 120
    nobind
    mute-replay-warnings
    ns-cert-type server
    cipher AES-128-CBC
    comp-lzo
    verb 2
    persist-key
    persist-tun
    verb 1
    tls-exit
    dev tun0
    cert untangle-vpn/myrouter1.crt
    key untangle-vpn/myrouter1.key
    ca untangle-vpn/server1-ca.crt
    remote trina.myserver.net 1194
    (The real hostname has been changed for security reasons)

    Can somebody please point me in the right direction?

    Thanks in advance.
     
  29. roadkill

    roadkill Super Moderator Staff Member Member

    Like I previously said I think AES is not supported and will not work.
    change cipher AES-128-CBC to cipher BF-CBC which I know that works.
    if that doesn't help run the vpn on the router from the shell and post the log.
     
  30. elkabong33

    elkabong33 LI Guru Member

    Roadkill,

    I don't think it is possible to change that because the openvpn config file is automatically generated by the untangle server. However, I started a thread over on the www.untangle.com site to find out if it can be done.

    Is there a work around in the VPN Mod?
     
  31. roadkill

    roadkill Super Moderator Staff Member Member

    yes AES could be added...this has been previously requested.
     
  32. elkabong33

    elkabong33 LI Guru Member

    Or maybe adding AES to the latest Official Tomato v1.13.1252 might even be better.
    Any idea of the time scales for this?

    regards

    Elkabong33
     
  33. roadkill

    roadkill Super Moderator Staff Member Member

    give me a couple of days maybe I'll include it with OpenVPN Mod v1.13
     
  34. TheGIZ

    TheGIZ Network Guru Member

    having trouble switching to certificates.

    The field "script_wanup" is invalid. Please report the problem.

    I have been trying to switch my vpn config from static key to certificates. I have cut and pasted all the things requested. As soon as I add in all the things I get the error.

    Any help would be great.
     
  35. P()G()

    P()G() Guest

    I agree with elkabong33
    AES support with new version 1.13.1252 will be great !
    Currently, I can't use your Tomato mod :
    Code:
    Cipher algorithm 'AES-256-CBC' not found (OpenSSL)
    Tryin' to connect with a distant site using this Cipher (can't change the Cipher...).


    PoGo, waiting for your update ^^
     
  36. TheGIZ

    TheGIZ Network Guru Member

    Would it help if I posted the text file I tried to load to the wan_up script?
     
  37. occamsrazor

    occamsrazor Network Guru Member

    Strange logs

    Hi,

    I'm running v1.11.1218 with OpenVPN using static keys, and have noticed some strange logging going on:


    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: LZO compression initialized
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: TUN/TAP device tap0 opened
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: TUN/TAP TX queue length set to 100
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: UDPv4 link local (bound): [undef]:1194
    Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: UDPv4 link remote: [undef]
    Dec 18 19:56:31 Tomato daemon.notice openvpn[326]: Inactivity timeout (--ping-restart), restarting
    Dec 18 19:56:31 Tomato daemon.notice openvpn[326]: TCP/UDP: Closing socket
    Dec 18 19:56:31 Tomato daemon.notice openvpn[326]: Closing TUN/TAP interface
    Dec 18 19:56:31 Tomato daemon.notice openvpn[326]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec 18 19:56:31 Tomato daemon.notice openvpn[326]: Restart pause, 2 second(s)

    This gets repeated over and over again about every minute.

    Any ideas what's the problem?

    Thanks,

    Ben
     
  38. elkabong33

    elkabong33 LI Guru Member

    Hello Roadkill,

    Any news regarding the new Tomato Mod v1.13 with OpenVPN + AES?
     
  39. TheGIZ

    TheGIZ Network Guru Member

    Finally figured out certificates!!! Thanks for all the help in the first few posts of this thread.
     
  40. devilkin

    devilkin LI Guru Member

    I've used AES on dd-wrt before - the WRT54G isn't powerful enough to keep up high throughput over such a link.

    So do keep that in mind if you want to transfer a lot of data over the AES openvpn tunnel :)
     
  41. Kris404

    Kris404 LI Guru Member

    Same messages in my log. I'm using the single client static key method. Is this normal?

    I tried TCP, but it's not working.

    Besides, if I either Renew/Release the WAN in 'Overview', I get the follow:

    Kris

    Edit: additional TCP log
     
  42. Kris404

    Kris404 LI Guru Member

    Update: I figured it out. I had earlier put my VoIP router in the DMZ which was causing the problem. I guess you would have to do explicit port-forwarding of the OpenVPN port to the router (192.168.x.1) if there is any host in your DMZ.

    Kris
     
  43. occamsrazor

    occamsrazor Network Guru Member

    Kris, could you elaborate a bit more?
    I don't have any DMZ on my network.
    Are you saying I should port-forward the OpenVPN ports on the router back to itself?
    Cheers,
    Ben
     
  44. Kris404

    Kris404 LI Guru Member

    Sorry, I should have been clearer. UDP didn't work for me (Comcast?) so I tried TCP and port-forwarded my 25000 port to the router itself (192.168.0.1)

    Firewall script:
    Code:
    iptables -I INPUT 1 -p tcp  --dport 25000 -j ACCEPT
    
    Wanup Script:
    Code:
    /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 25000 --cipher BF-CBC --proto tcp-server --keepalive 10 60 --verb 3 --daemon
    
    .ovpn file:
    Code:
    proto tcp-client
    
    This setup works for me, it didn't lose the connection for 11 hours, until I rebooted that is.

    But the port in use problem still persists after a WAN DHCP Release/Renewal.

    Kris
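The log loop occamsrazor posted in post #37 (`UDPv4 link remote: [undef]` followed every minute by `Inactivity timeout (--ping-restart), restarting`) and the cause Kris404 found in post #42 (a DMZ host swallowing the OpenVPN port, fixed with an explicit port forward to the router) make a good detection rule: a listener that keeps restarting on `--ping-restart` while its link remote stays `[undef]` and no `Peer Connection Initiated` line ever appears has not received a single packet, so the place to look is WAN-side port forwarding, not keys or ciphers. The script below is an added example, not code from the thread; the log lines in it are constructed in the syslog format Tomato showed above (two restart cycles modelled on occamsrazor's excerpt, plus a healthy run with an assumed peer address from the documentation range), and the PIDs are assumed.

```python
"""Spot the OpenVPN 'ping-restart' loop from post #37 in syslog output.

Added example, not from the thread. Log samples are constructed in Tomato's
syslog format; PIDs and the peer address 203.0.113.7 are assumptions.
Rule: restarts on --ping-restart with link remote still [undef] and no
'Peer Connection Initiated' means no packet ever reached the listener.
"""
import re

RESTART_MARK = "Inactivity timeout (--ping-restart)"
PEER_MARK = "Peer Connection Initiated"   # logged in both static-key and TLS mode
REMOTE_UNDEF = re.compile(r"link remote: \[undef\]")
PID = re.compile(r"openvpn\[(\d+)\]")

# Constructed: two restart cycles, modelled on occamsrazor's excerpt.
LOOP_LOG = """\
Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: UDPv4 link local (bound): [undef]:1194
Dec 18 19:55:31 Tomato daemon.notice openvpn[326]: UDPv4 link remote: [undef]
Dec 18 19:56:31 Tomato daemon.notice openvpn[326]: Inactivity timeout (--ping-restart), restarting
Dec 18 19:56:31 Tomato daemon.notice openvpn[326]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 18 19:56:33 Tomato daemon.notice openvpn[326]: UDPv4 link local (bound): [undef]:1194
Dec 18 19:56:33 Tomato daemon.notice openvpn[326]: UDPv4 link remote: [undef]
Dec 18 19:57:33 Tomato daemon.notice openvpn[326]: Inactivity timeout (--ping-restart), restarting
Dec 18 19:57:33 Tomato daemon.notice openvpn[326]: SIGUSR1[soft,ping-restart] received, process restarting
"""

# Constructed: a listener that did receive its peer (address assumed).
HEALTHY_LOG = """\
Dec 18 20:01:02 Tomato daemon.notice openvpn[412]: UDPv4 link local (bound): [undef]:1194
Dec 18 20:01:02 Tomato daemon.notice openvpn[412]: UDPv4 link remote: [undef]
Dec 18 20:01:09 Tomato daemon.notice openvpn[412]: Peer Connection Initiated with 203.0.113.7:1194
Dec 18 20:01:09 Tomato daemon.notice openvpn[412]: Initialization Sequence Completed
"""


def analyse_openvpn_log(text):
    """Per openvpn PID: restart count, peer-initiated count, and whether the
    remote end was still [undef] the last time the link was reported."""
    stats = {}
    for line in text.splitlines():
        m = PID.search(line)
        if not m:
            continue   # not an openvpn line
        s = stats.setdefault(m.group(1),
                             {"restarts": 0, "peer_up": 0, "remote_undef": False})
        if RESTART_MARK in line:
            s["restarts"] += 1
        elif PEER_MARK in line:
            s["peer_up"] += 1
            s["remote_undef"] = False   # we now know who the peer is
        elif REMOTE_UNDEF.search(line):
            s["remote_undef"] = True    # listening side, no --remote, nothing heard yet
    return stats


def diagnose(stats, min_restarts=2):
    """Map per-PID stats to a finding string."""
    findings = {}
    for pid, s in stats.items():
        if s["peer_up"]:
            findings[pid] = "ok"                           # at least one peer got through
        elif s["restarts"] >= min_restarts and s["remote_undef"]:
            # No packet ever arrived: check the WAN-side port forward / DMZ
            # before touching keys or ciphers (post #42's cause).
            findings[pid] = "no-peer-reaches-listener"
        elif s["restarts"] >= min_restarts:
            findings[pid] = "peer-lost"                    # had a remote, then silence
        else:
            findings[pid] = "insufficient-data"
    return findings


if __name__ == "__main__":
    for label, log in (("loop", LOOP_LOG), ("healthy", HEALTHY_LOG)):
        print(label, diagnose(analyse_openvpn_log(log)))
```

Point it at `/var/log/messages` (`cat /var/log/messages` as roadkill asks for elsewhere in the thread) and the per-PID verdict separates "nobody is reaching the listener" from "the peer went away", which need different fixes. The `Initialization Sequence Completed` line is deliberately not treated as proof of a peer, because in static-key mode OpenVPN prints it at startup before any packet has arrived.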
     
  45. Leeoniya

    Leeoniya LI Guru Member

    roadkill, any progress on v1.13 release?
     
  46. FRiC

    FRiC LI Guru Member

    This is my VPN setup, in case it could be useful to someone in the future. The two sides of the VPN are 192.168.1.x and 192.168.2.x. Any computers on either side can connect to any other computer on the other side. Both sides are using dynamic DNS and PPPoE. If the PPPoE disconnects and reconnects or if there's any setting changes in the router, the tunnel comes back automatically.

    Init script:
    Code:
    sleep 5
    insmod tun.o
    
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn
    ./myvpn --mktun --dev tun0
    
    ifconfig tun0 10.0.100.1 netmask 255.255.255.252 promisc up
    route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.100.2
    
    echo "
    dev tun0
    proto udp
    port 1194
    persist-tun
    persist-key
    keepalive 10 60
    daemon
    verb 3
    comp-lzo
    secret static.key
    " > openvpn.conf
    
    echo "
    -----BEGIN OpenVPN Static key V1-----
    [snip]
    -----END OpenVPN Static key V1-----
    " > static.key
    
    ./myvpn --config openvpn.conf --remote [remote].dyndns.org --resolv-retry infinite
    
    Firewall script:
    Code:
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    The other side has identical settings except the subnet numbers are reversed and the myvpn line just says ./myvpn --config openvpn.conf. I put the name of the remote site outside of the config file so the config file can be the same on both sides, and if I want to reverse the server/client roles I can easily do that on the last line of the script.
     
  47. FRiC

    FRiC LI Guru Member

    Oh, and the reason I want to reverse the server/client roles is because currently I'm running a Linksys WRT54GL (server) and an ASUS WL-500gP (client). I seem to be able to get faster throughput when sending data from the server side to the client side. I don't know yet if it's due to the hardware, or if that's how the tunnel works. I have 2xLinksys and 2xASUS, so that's something I'll be trying out in the next few days. My Internet is ADSL 5120/512.
     
  48. treamy

    treamy Guest

  49. roadkill

    roadkill Super Moderator Staff Member Member

    when I'll have the time to make a new version I'll insert this into my todo list...
    I'm currently way over my head with some projects (Kamikaze/NetWRT/and such) so I really don't have enough time to make a new build, add new features, but the source is available...
     
  50. roadkill

    roadkill Super Moderator Staff Member Member

    I need beta testers for 1.13 and more specifically users with SD/MMC Mod and maybe later I'll add Buffalo WHR-G125 devices support.
    if you're willing PM me.
     
  51. drelkata

    drelkata LI Guru Member

    yes yes yes ..you come back ..hip-hip aaaa.
    :clap::clap::clap::clap::clap:
     
  52. humba

    humba Network Guru Member

    Could it be that the 4K script limit was somehow reintroduced? I just installed the latest version on three routers at work and I get the dreaded "The field "script_wanup" is invalid. Please report this problem" error again when attempting to save a script that is > 4KB.

    That's using WRT54G_WRT54GL.bin dated Nov 11 21:12 on a WRT54GL v1.1
     
  53. roadkill

    roadkill Super Moderator Staff Member Member

    don't worry guys we're in the final stages of 1.13... and I got that damn script limit patched already...
     
  54. roadkill

    roadkill Super Moderator Staff Member Member

    Version update at last!
     
  55. Kiwi8

    Kiwi8 LI Guru Member

    Haha roadkill, I think u might as well integrate your latest VPN changes in 1.13 into 1.14 and release the 1.14 VPN version instead. :)
     
  56. Toxic

    Toxic Administrator Staff Member

    give him a chance to download it. it's only just been released!
     
  57. u3gyxap

    u3gyxap Network Guru Member

    Does it have mgetty?
    1.11 mod does, and it works so great!!
     
  58. roadkill

    roadkill Super Moderator Staff Member Member

    in 1.13/1.14 I built a config menu for options you can compile whatever flavor you want from source.
    1.14 Binary and Source to be released today... :grin:
     
  59. Nox997

    Nox997 LI Guru Member

    Tomato Mod 1.13 - no https-Access?

    Hello!

    I just upgraded from 1.11 to 1.13 Tomato Mod, I have NOT cleared NVRAM as I wanted to keep the settings.

    In the Log-File, I get the following errors when turning on https-Access:

    How can I fix this?
     
  60. Elbart

    Elbart LI Guru Member

    We are not worthy!
     
  61. ikarusx3

    ikarusx3 LI Guru Member

    Hi there, at first thanks for all the effort you put into this. I tried your new mod mainly because of the added mmc support, since I had such a mod made for dd-wrt a long time ago.
    So I inserted a 1-partition, ext2-formatted SD card, hit enable, "restarting some services" appeared and after that it got reset. Nothing happened, no log output, nothing...

    No idea what could be the problem.

    Okay, after some problems with testing the dd-wrt sd/mmc function, I flashed dd-wrt v24RC5 and the mmc mod is working like a charm.
    So the problem seems to be with your implementation.
    My mod's GPIO config:
    DI - GPIO2
    CLK - GPIO5
    D0 - GPIO7
    CS - GPIO1

    Reverted back to standard-1.14 until upgrade / squashfs issue solved, will happily beta-test new vpn/mmc mod versions.

    greetings
     
  62. elkabong33

    elkabong33 LI Guru Member

    I have just installed the 1.14 version and getting a similar error "Init script is too long. The maximum size allowed is 4096 bytes".
     
  63. humba

    humba Network Guru Member

    @elkabong33 : as a workaround, I've split the wanup script - put the whole echo dumpjob code (echo " .....) into the startup script, so that your wanup script only contains the code starting with insmod tun.o.
     
  64. elkabong33

    elkabong33 LI Guru Member

    Humba,

    That is also what I did and got the same error!
     
  65. roadkill

    roadkill Super Moderator Staff Member Member

    I took the file link offline until I'll fix those issues.
     
  66. roadkill

    roadkill Super Moderator Staff Member Member

  67. Leeoniya

    Leeoniya LI Guru Member

    tried to do ext3 partition 1 and got this error:
    which logs do I check? where?

    Code:
    Jan 19 00:40:01  user.info init[1]: Started fsck
    Jan 19 00:40:01  user.info init[1]: fsck completed
    Jan 19 00:40:01  user.info init[1]: notice: Error mounting MMC. Check the logs to see if they contain more details about this error.
    
     
  68. roadkill

    roadkill Super Moderator Staff Member Member


    Okay
    try putting in the command manually
    Code:
    modprobe mmc
    and manually mount /dev/mmc/disc0/partX at /mmc mount point
    I don't have the mmc mod so I can't test it...

    also try posting the result of
    Code:
    nvram show | grep mmc
    so we may see what's really going on..
     
  69. ikarusx3

    ikarusx3 LI Guru Member

    Code:
    Jan 19 15:15:13  user.info init[1]: Started fsck
    Jan 19 15:15:13  user.info init[1]: fsck completed
    Jan 19 15:15:13  user.info init[1]: notice: Error mounting MMC. Check the logs to see if they contain more details about this error.
    trying ext2-formatted card (64MB-MMC) with ext2 / fat/fat32-formatted (256MB-SD) with vfat gave same results


    nvram show | grep mmc:
    Code:
    # nvram show | grep mmc
    mmc_exec_mount=
    mmc_exec_umount=
    mmc_fs_partition=1
    mmc_fs_type=vfat
    mmc_on=1
    no /mmc dir in /dev:
    Code:
    # cd /dev
    # ls
    console   kmem      mtd       nvram     pts       tts
    cua       log       mtdblock  port      pty       tty
    full      mem       net       ppp       random    urandom
    gpio      misc      null      ptmx      root      zero
     
  70. roadkill

    roadkill Super Moderator Staff Member Member

  71. ikarusx3

    ikarusx3 LI Guru Member

    Code:
    # modprobe mmc
    # modprobe ext2
    #
    no log output...
     
  72. roadkill

    roadkill Super Moderator Staff Member Member

    please post
    Code:
    cat /var/log/messages
    /dev/mmc exists?
     
  73. ikarusx3

    ikarusx3 LI Guru Member

    i had tail -f /var/log/messages running while modprobe'ing and there was no new output.

    no /dev/mmc...
     
  74. roadkill

    roadkill Super Moderator Staff Member Member

    I think I'll have to mod my router in order to make this thing work...
     
  75. ikarusx3

    ikarusx3 LI Guru Member

  76. AngusB

    AngusB LI Guru Member

  77. TheGIZ

    TheGIZ Network Guru Member

    I upgraded to 1.13 with VPN and need to report a bug.

    I access my router through SSL HTTP using the default port of 443. (https://) Since the update to 1.13 I can not access it via https from an outside IP.
     
  78. drelkata

    drelkata LI Guru Member

    TheGIZ, what is the port that openvpn is running on?
     
  79. roadkill

    roadkill Super Moderator Staff Member Member

    v1.13 was scrapped because of a few compatibility issues; please upgrade to 1.14.1290

    Regretfully EBtables is not included yet.
     
  80. TheGIZ

    TheGIZ Network Guru Member

    Just tried upgrading and I get a "jffs2 is in use please disable it and reboot the router" or something to that effect. Then I can not upgrade. I have tried it 3 times now. But I am remote and VPN'ing back to my computer and using RDP.

    I am using a Buffalo HP router.

    "JFFS2 is currently in use. Since an upgrade may overwrite the JFFS2 partition, please backup the contents, disable JFFS2, then reboot the router "
     
  81. roadkill

    roadkill Super Moderator Staff Member Member

    you can't run the upgrade from the web interface you need to use the TFTP method.
    if you can't use the TFTP method and you are familiar with MTD you can telnet/ssh into the router and manually run mtd-write.
     
  82. TheGIZ

    TheGIZ Network Guru Member

    Default 1194
     
  83. TheGIZ

    TheGIZ Network Guru Member

    Forgive my stupidity...

    Is that the method I initially used when converting from default Buffalo to Tomato?

    I can telnet; could you tell me the command?

    Thanks for all the help BTW...
     
  84. drelkata

    drelkata LI Guru Member

    listen to roadkill
     
  85. TheGIZ

    TheGIZ Network Guru Member

    Jffs is not enabled when I look under administration --> jffs2

    And I get the above error.
     
  86. roadkill

    roadkill Super Moderator Staff Member Member

    your jffs is not enabled.
    the upgrade program which runs through the web interface uses a check which verifies the existence of the jffs partition using a hard coded squashfs 2.1 signature.
    now I upgraded Tomato to squashfs 3.0, so the upgrade fails the check and gives out an error message.
    use the TFTP method or mtd-write from the telnet/ssh interface to bypass the check.
     
  87. TheGIZ

    TheGIZ Network Guru Member

    I really appreciate the help. Could you tell me the procedure of how to do this via telnet?

    I have the trx file on my desktop.
    I have RDP to home via the openvpn.
     
  88. roadkill

    roadkill Super Moderator Staff Member Member

    wget the trx file into the router
    Code:
    mtd-write -i <file> linux
    in White Russian it is
    Code:
    mtd -e linux -r write <filename> linux
    which means erase "linux" part and then write <filename> on it
    but Tomato has the two programs separated so I think you should start with write so you won't kill your router...
     
  89. TheGIZ

    TheGIZ Network Guru Member

    I moved it to my C directory..

    So If I use putty...

    mtd-write -i C:\tomato.trx linux

    mtd -e linux -r write C:\tomato.trx linux

    Is that right?

    Is that all I have to do?

    Not looking to brick the router if I can avoid it...
     
  90. roadkill

    roadkill Super Moderator Staff Member Member

    no you have to WinSCP it into the router
    the TFTP way is less dangerous, as I gather you have a Buffalo unit, which isn't really as forgiving as Linksys when it comes to a bad flash...
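
Before the mtd-write step roadkill describes (wget the .trx onto the router, then `mtd-write -i <file> linux`), it is worth confirming that the file on the router is a complete image, because an image that was cut short in transfer is written to flash just as readily as a good one. The script below is an added example, not code from the thread or from Tomato. It assumes the Broadcom TRX container format, in which bytes 0-3 are the ASCII magic "HDR0" and bytes 4-7 hold the little-endian total file length; the function names are mine, and the flash step is never run automatically.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomato: sanity-check a .trx image
# before handing it to mtd-write. Assumed TRX layout: "HDR0" magic at offset 0,
# little-endian 32-bit total length at offset 4.

# Return 0 if FILE ($1) begins with the TRX magic, 1 otherwise.
trx_has_magic() {
    [ -r "$1" ] || return 1
    [ "$(head -c 4 "$1")" = "HDR0" ]
}

# Return 0 if the header's length field equals the real file size. This is the
# check that catches a download that stopped early (or picked up trailing junk).
trx_length_matches() {
    f=$1
    # od prints the four length bytes as unsigned decimals; assemble them
    # little-endian by hand so the result is the same on a big-endian router.
    set -- $(od -An -t u1 -j 4 -N 4 "$f")
    [ $# -eq 4 ] || return 1
    hdr_len=$(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    actual=$(wc -c < "$f" | tr -d ' ')
    [ "$hdr_len" -eq "$actual" ]
}

# Write the image only after both checks pass. Not called from this file;
# mtd-write is the Tomato tool roadkill names, and "linux" is the partition he names.
flash_trx() {
    img=$1
    trx_has_magic "$img"      || { echo "refusing: $img is not a TRX image" >&2; return 1; }
    trx_length_matches "$img" || { echo "refusing: $img is truncated or has trailing data" >&2; return 1; }
    mtd-write -i "$img" linux
}
```

Usage on the router would be `flash_trx /tmp/tomato.trx`; if either check refuses, fetch the file again (and compare its size with the download page) rather than proceeding. Note that this only protects against a damaged transfer, not against the wrong image for the hardware, which is one reason roadkill prefers the TFTP path on a Buffalo unit.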
     
  91. roadkill

    roadkill Super Moderator Staff Member Member

    @Victek: very good!
    what I have left is making AES work :grin:
     
  92. AngusB

    AngusB LI Guru Member

    Any chance for EBtables in the future or did you run into some problems. As with most of the similar requests, I am trying to filter out DHCP in a wide area bridged configuration. Without it there seems to be a race condition on bootup where the remote DHCP becomes reachable and responds before the local DNSMASQ begins to serve up its local IP addresses. IPTABLES commands seem to have no effect on the bridged traffic.

    Perhaps I can have OPENVPN take on DHCP duties and turn off the router's built-in DHCP server altogether. Any thoughts? I will investigate some more...

     
  93. starry

    starry Guest

    I installed latest tomatomod(v1.14.1290 CRC32:53BA8414) on my Buffalo WHR-HP-G54.
    and tried to enable openvpn, but I got "The field "script_wanup" is invalid." error...
    Is there a 4096-byte limit in this version?
     
  94. roadkill

    roadkill Super Moderator Staff Member Member

    I can resize the wan up script also...
    and since I need to release a patch to mmc and OpenSSL with AES
    it is possible
     
  95. TheGIZ

    TheGIZ Network Guru Member

    Thanks for all the help. Just used the TFTP method and I am back online.

    Had to set router back to 192.168.11.1 and set default passwords. But it took the update.

    After that the router did not want to hand out IP addresses or be accessed at 192.168.1.1.

    Hit the reset button on the router (Buffalo) and it came back up.

    Loaded in my cfg file which I had saved beforehand, and all seems well.
    Should I not have used the CFG file and just reentered all my settings into the GUI again?

    Once again... thanks for all the help.
     
  96. roadkill

    roadkill Super Moderator Staff Member Member

    sure, could you check that script size thing? I made a change there...
     
  97. regular

    regular LI Guru Member

    I am using FW 1.14.1290 on my WRT54GL. I am also using windows vista with the latest version of openvpn and the gui.

    I followed the scripts from _splat_ on post 3 to setup openvpn on my network, but I modified my client config to be like this:

    dev tap0
    ifconfig 192.168.1.125 255.255.255.0
    secret static.key
    proto udp
    remote x.x.x.x 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float

    I have also tried adding these lines to no avail:
    route-gateway 192.168.1.1
    redirect-gateway
    route-method exe
    route-delay 2

    I can connect to my home network and grab shared files etc. while I'm on the school's wireless network. However, I cannot connect to the internet through my home network. I'm wondering what steps I need to take to route all my traffic through the wan port instead of through the school's connection, so I can ensure my web browsing, etc. will be more secure. I have also tried bridging the school wireless connection along with the openvpn connection, and that doesn't work either.

    I have read through all 40 pages of this thread and couldn't find anything on this subject.
     
  98. kacheng

    kacheng LI Guru Member

    TCP 443

    Hi all,

    I'm having troubles trying to connect from a laptop windows client to a home WRT54G server using TCP. I'm using Tomato 1.14.

    This is a typical 'roadwarrior' style configuration. The client will be behind a (potentially) restrictive firewall that changes day-to-day as the client is constantly connecting to different internet providers.

    The configuration files can't be too far off, because I can connect using UDP 1194. However, UDP 1194 is not always open in every environment.

    When I change the options in the server config, firewall config, and client config to use TCP 1194 or TCP 443, I get:
    TCP: connect to 99.233.130.146:443 failed, will try again in 5 seconds

    If it helps at all, I do not believe that I have 443 being used by anything else (no webservers running, but how can I check?).
    Also, I've found that connecting to the WRT54G via the remote access port 8080 also doesn't seem to work (why would that be?).
    Do TUN vs TAP make a difference? I understand TAP to be better for 'roadwarrior' configuration.

    Any ideas would be appreciated!
    Thanks

    My configs are here:

    Code:
    sleep 5
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    mode server
    float
    proto tcp
    port 443
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    
    client-to-client
    duplicate-cn
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf 
    
    
    
    Code:
    
    /usr/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
    
    
    Code:
    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    float
    
    # Show network routing table after client is connected.
    ;show-net-up
    
    # redirect all internet requests through VPN
    ;redirect-gateway def1
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tap
    ;dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    proto tcp
    ;proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote MYHOMESERVER  443
    ;remote MYHOMESERVER  1194
    ;remote MYHOMESERVER 443
    ;remote MYHOMESERVER 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert user1.crt
    key user1.key
    
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher BF-CBC        # Blowfish (default)
    ;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    
    # Set log file verbosity.
    verb 9
    
    # Silence repeating messages
    mute 20
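
kacheng asks how to check whether port 443 is already taken on the router; TheGIZ's earlier post on this page shows the router's own HTTPS admin interface listening on that same port, so a clash between it and an OpenVPN server on TCP 443 is a plausible explanation for "connect ... failed". The script below is an added example, not code from the thread or from Tomato: it reads /proc/net/tcp, which a BusyBox system exposes even when netstat is not built in, and lists the ports in LISTEN state (st column 0A). The sample table is constructed for offline use and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: list TCP listeners from /proc/net/tcp so a
# port clash (for example the HTTPS admin page already on 443) can be spotted
# before pointing an OpenVPN server at that port.

# Constructed sample of /proc/net/tcp: local_address is hex IP:port, st 0A is LISTEN.
# Rows 0-2 listen on 443 (01BB), 22 (0016) and 8080 (1F90); row 3 is an
# established connection on port 80 and must not be reported.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
   3: C0A80101:0050 C0A80164:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 20 4 30 10 -1
EOF
}

# Print every LISTEN port from a /proc/net/tcp-formatted FILE ($1, default the
# real file), as sorted decimal numbers, one per line.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" {
        split($2, a, ":")
        # convert the hex port by hand; strtonum() is not POSIX awk
        n = 0; h = toupper(a[2])
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        print n
    }' "${1:-/proc/net/tcp}" | sort -n | uniq
}

# Return 0 if PORT ($1) already has a listener in FILE ($2, default /proc/net/tcp).
port_in_use() {
    listening_ports "${2:-/proc/net/tcp}" | grep -qx "$1"
}
```

On the router, `listening_ports` with no argument reads the live table; `port_in_use 443 && echo "443 is taken"` is the one-line check kacheng wanted. If 443 is in use by the web admin interface, either move that interface to another port or run OpenVPN on a port nothing else binds, and remember that the iptables ACCEPT rule in the firewall script must match whichever port is finally chosen.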
    
    
     
  99. wolf3d

    wolf3d Guest

    I have the same problem as you, and the router model is WRT54G V2.0. :frown:
    Can you show in more detail how to re-flash it?
    I tried to use tftp2.exe to flash but it was not successful.

    Anyone can use me? Thanks for all.
     
  100. ikarusx3

    ikarusx3 LI Guru Member

    solution in http://www.linksysinfo.org/forums/showthread.php?t=56339 worked fine for me. It took a few tries but finally worked well.

    :)
     
