
Tomato Mod v1.19.1464 with OpenVPN/Tomato Mod v1.21.TEST-v5 with OpenVPN-GUI,SDMMC,IP/MAC

Discussion in 'Tomato Firmware' started by roadkill, Jun 4, 2007.

  1. humba

    humba Network Guru Member

    @kacheng : are you sure openvpn is running in the tcp scenario (ssh into the router, do a ps and check if the myvpn process is running)? I've had it happen to me a bunch of times that I thought I had it all worked out, but openvpn would immediately exit due to a configuration problem or port that is already in use.
     
  2. bagu

    bagu Network Guru Member

    I don't know if it's possible to have a MAC-based forward?

    The goal is to make a forward only if both the IP AND MAC match.

    Example:
    forward port 80 only for 86.112.31.225 AND/OR (possibility to have the choice between AND and OR) MAC 00:00:ff:11:22:33 on port 8080
     
  3. ikarusx3

    ikarusx3 LI Guru Member

    Don't know why you would need both to match since MAC filtering is pretty restrictive...

    Could be realized through iptables:
    Code:
    iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source 00:12:34:56:78:90 -j ACCEPT
     
  4. kacheng

    kacheng LI Guru Member

    @humba

    Thanks for the tip. Looks like OpenVPN is failing to start. However, there are no errors when I try to manually start myvpn.

    Code:
    # cd /tmp
    # ls
    ca.crt          home            openvpn.conf    server.crt
    dh1024.pem      mnt             script_fire.sh  server.key
    etc             myvpn           script_init.sh  var
    # myvpn --config openvpn.conf
    #
    
    Now, how can I troubleshoot this?

    So
    UDP 1194 works.
    TCP 443 doesn't work.
    TCP 1194 doesn't work.

    Here's the results of ps:
    Code:
    # ps
      PID  Uid        VSZ Stat Command
        1 root       1716 S   init noinitrd
        2 root            SW  [keventd]
        3 root            RWN [ksoftirqd_CPU0]
        4 root            SW  [kswapd]
        5 root            SW  [bdflush]
        6 root            SW  [kupdated]
        7 root            SW  [mtdblockd]
       39 root       1688 S   buttons
       82 root       2004 S   syslogd -m 60 -L -s 50
       85 root       1992 S   klogd
       91 root       2016 S   crond -l 9
       97 root       1244 S   rstats
      109 nobody      856 S   dnsmasq
      181 root       1608 S   upnp -D -L br0 -W vlan1 -I 60 -A 180
      259 root       2008 S   udhcpc -i vlan1 -s dhcpc-event -a -H firebreathingdra
      649 root       1644 S   httpd
      654 root       1520 S   dropbear -p 22
      655 root       1584 S   dropbear -p 22
      657 root       2032 S   -sh
      659 root       2016 R   ps
    #
    
    Thanks again for your help!
     
  5. ikarusx3

    ikarusx3 LI Guru Member

    hey kacheng,

    I would first try absolute rather than relative paths to your certificates etc.:
    Code:
    ca /tmp/ca.crt
    dh /tmp/dh1024.pem
    cert /tmp/server.crt
    key /tmp/server.key
    That could be the reason it's possible to start openvpn when it is started manually from /tmp.

    Also, check which ports are used by which application:
    Code:
    netstat -an
     
  6. kacheng

    kacheng LI Guru Member

    @ikarusx3

    Great ideas, thanks.

    Setting the certificates to absolute paths didn't seem to help. I rebooted the router and tried to connect again and it failed.

    It doesn't seem that much has changed.

    Code:
    # ps
      PID  Uid        VSZ Stat Command
        1 root       1712 S   init noinitrd
        2 root            SW  [keventd]
        3 root            RWN [ksoftirqd_CPU0]
        4 root            SW  [kswapd]
        5 root            SW  [bdflush]
        6 root            SW  [kupdated]
        7 root            SW  [mtdblockd]
       39 root       1688 S   buttons
       84 root       2004 S   syslogd -m 60 -L -s 50
       87 root       1992 S   klogd
       90 root       1520 S   dropbear -p 22
       94 root       2008 S   crond -l 9
       98 root       1244 S   rstats
      109 root       1644 S   httpd
      115 nobody      824 S   dnsmasq
      185 root       1604 S   upnp -D -L br0 -W vlan1 -I 60 -A 180
      274 root       2008 S   udhcpc -i vlan1 -s dhcpc-event -a -H firebreathingdra
      342 root       1584 S   dropbear -p 22
      343 root       2032 S   -sh
      350 root       2016 R   ps
    # netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:5431            0.0.0.0:*               LISTEN
    tcp        0    132 192.168.1.1:22          192.168.1.114:1820      ESTABLISHED
    udp        0      0 0.0.0.0:2048            0.0.0.0:*
    udp        0      0 0.0.0.0:53              0.0.0.0:*
    udp        0      0 0.0.0.0:67              0.0.0.0:*
    udp        0      0 0.0.0.0:1900            0.0.0.0:*
    raw        0      0 0.0.0.0:255             0.0.0.0:*               7
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  6      [ ]         DGRAM                       371 /dev/log
    unix  2      [ ]         DGRAM                       816
    unix  2      [ ]         DGRAM                       498
    unix  2      [ ]         DGRAM                       414
    unix  2      [ ]         DGRAM                       375
    #
    
    
     
  7. kacheng

    kacheng LI Guru Member

    I'm not positive that myvpn is starting manually.
    There's no error message, but the ps and netstat -an results don't show a myvpn entry.

    Code:
    # myvpn --config openvpn.conf
    # ps
      PID  Uid        VSZ Stat Command
        1 root       1712 S   init noinitrd
        2 root            SW  [keventd]
        3 root            RWN [ksoftirqd_CPU0]
        4 root            SW  [kswapd]
        5 root            SW  [bdflush]
        6 root            SW  [kupdated]
        7 root            SW  [mtdblockd]
       39 root       1688 S   buttons
       84 root       2004 S   syslogd -m 60 -L -s 50
       87 root       1992 S   klogd
       90 root       1520 S   dropbear -p 22
       94 root       2008 S   crond -l 9
       98 root       1244 S   rstats
      109 root       1644 S   httpd
      115 nobody      824 S   dnsmasq
      185 root       1604 S   upnp -D -L br0 -W vlan1 -I 60 -A 180
      274 root       2008 S   udhcpc -i vlan1 -s dhcpc-event -a -H firebreathingdra
      342 root       1584 S   dropbear -p 22
      343 root       2032 S   -sh
      358 root       2016 R   ps
    # netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:5431            0.0.0.0:*               LISTEN
    tcp        0    132 192.168.1.1:22          192.168.1.114:1820      ESTABLISHED
    udp        0      0 0.0.0.0:2048            0.0.0.0:*
    udp        0      0 0.0.0.0:53              0.0.0.0:*
    udp        0      0 0.0.0.0:67              0.0.0.0:*
    udp        0      0 0.0.0.0:1900            0.0.0.0:*
    raw        0      0 0.0.0.0:255             0.0.0.0:*               7
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  6      [ ]         DGRAM                       371 /dev/log
    unix  2      [ ]         DGRAM                       816
    unix  2      [ ]         DGRAM                       498
    unix  2      [ ]         DGRAM                       414
    unix  2      [ ]         DGRAM                       375
    #
    
     
  8. ikarusx3

    ikarusx3 LI Guru Member

    The openvpn configuration must not be
    Code:
    proto tcp
    but
    Code:
    proto tcp-server
    Additionally, openvpn does not accept running on ports below 1025, so if you need to connect through, let's say, 443, you need to forward external 443 to an internal openvpn port > 1025.

    For any other info, check the logs for output; best is to run a second terminal with
    Code:
    tail -f /var/log/messages
    to get live syslog output.
     
  9. bagu

    bagu Network Guru Member

    Thanks for the tips.

    But the goal is to have a web-based interface to make advanced restrictions on outside-to-inside forwards... Just because, as I see on the front page, I can suggest features.

    I want both MAC and IP match to allow forwarding 3306 port from outside to inside.
     
  10. kacheng

    kacheng LI Guru Member

    @ikarusx3

    Thanks!

    proto tcp-server seems to work!
    I must have copied that from an OpenVPN config for an older version of OpenVPN.

    I did not have to do any port forwarding. As I understand it OpenVPN 2.0+ can operate on 443 without probs and OpenVPN 2.1+ can even port share with an https server using the port-share servername 443 directive.

    I'll test it from the office tomorrow.

    Thanks!
     
  11. kacheng

    kacheng LI Guru Member

    @ikarusx3

    Your sharp eyes solved my problem. Connecting from the office (all ports blocked except 443 and 80) works now.

    Thanks!
     
  12. elkabong33

    elkabong33 LI Guru Member

    Hello Roadkill,

    Any news on the AES as yet?
     
  13. roadkill

    roadkill Super Moderator Staff Member Member

    Well, I can compile AES with OpenSSL 0.9.8g, BUT the libfoo routines don't work for that version.
    I'm looking into it; I can compile it already, but the build becomes very large (3.5mb) without libfoo...
     
  14. TheGIZ

    TheGIZ Network Guru Member

    Roadkill... With Tomato downgrading the version of Busybox for 1.15... is there going to be a change for Tomato OpenVPN Mod 1.14? Or, more to the point, is a change needed?
     
  15. roadkill

    roadkill Super Moderator Staff Member Member

    I think there is no need for a change, but if you have any issues I can make it;
    maybe simply choosing the stable version of busybox instead of going back.
     
  16. mstombs

    mstombs Network Guru Member

    Phoenix for the AG241 is also using busybox 1.9.0; stock 1.14 didn't attempt to do the dhcp renewals for me, and the log mark isn't working either. Do these work in this mod?
     
  17. PJMDS

    PJMDS LI Guru Member

    I can't use the SD card with your mod; the SD worked with DD-WRT months ago. The log shows:

    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_hardware_init: initializing GPIOs
    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_card_init: the period of a 380KHz frequency lasts 524 CPU cycles
    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_card_init: powering card on. sending 80 CLK
    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_card_init: 80 CLK sent in 44012 CPU cycles
    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_card_init: resetting card (CMD0)
    Jan 1 00:00:06 unknown user.warn kernel: [FATAL] mm
    Jan 1 00:00:06 unknown user.info kernel: c_card_init: invalid response from card: 00 found, waiting for 01
    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_card_init: the period of a 380KHz frequency lasts 524 CPU cycles
    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_card_init: powering card on. sending 80 CLK
    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_card_init: 80 CLK sent in 43648 CPU cycles
    Jan 1 00:00:06 unknown user.warn kernel: [INFO] mmc_card_init: resetting card (CMD0)
    Jan 1 00:00:06 unknown user.warn kernel: [FATAL] mmc_card_init: invalid response from card: 00 found, waiting for 01
    Jan 1 00:00:06 unknown user.warn kernel: [ERROR] mmc_init: got an error calling mmc_card_init: 01
    Jan 1 00:00:06 unknown user.warn kernel: [ERROR] mmc_check_media: change detected but was not able to initialize new card: ffffffff


    After enabling the SD card and saving, the power LED starts blinking and the SES button keeps changing color very slowly (white, yellow, white, ...), any idea why this happens?
     
  18. roadkill

    roadkill Super Moderator Staff Member Member

    SES gpio point...
    Try with another card and see if you get the same result.
    DD-WRT uses the SD/MMC legacy module, which is a little different; maybe I can implant it too to improve compatibility.
     
  19. PJMDS

    PJMDS LI Guru Member

    I cannot change the card :( it might damage it because it's soldered and glued inside the router. Please add the legacy module when you have time; thank you very much and best regards :)
     
  20. roadkill

    roadkill Super Moderator Staff Member Member

    will do...
     
  21. robert112

    robert112 LI Guru Member

    Dropbear is a bit too limited. Openssh would be a much better option. Mostly for reverse tunnels and the ability to establish a VPN using TUN/TAP
     
  22. humba

    humba Network Guru Member

    Isn't the whole point of having openvpn in the firmware so you can use openvpn in client mode to connect to the openvpn daemon in server mode running on your router? And with all the things you can do with openvpn (and the help of iptables in certain instances), I don't see any application that would require anything else - you can't beat fully transparent access to the net you're connecting to.
     
  23. dontbotherme

    dontbotherme Network Guru Member

    Thanks a lot for your work, but I have a problem tunnelling my inet traffic to my VPN clients. OpenVPN can establish a tunnel, but I don't receive any packets from the server. I'm using the following server and client.conf.

    For a better comprehension:

    Router with Tomato OpenVPN Mod IP: 192.168.2.1
    The Port 1194 is forwarded, and the routing settings are also set.

    Destination     Gateway        Subnet Mask        Metric   Interface   Description
    192.168.10.0    192.168.2.1    255.255.255.252    0        LAN         OPENVPN

    My friend is also using this config etc., but he is using an NSLU2, and it's working.

    Any Ideas?
     

  24. roadkill

    roadkill Super Moderator Staff Member Member

    There's no point publishing the config and censoring everything; please move to verb 8 and repost the log.
     
  25. dontbotherme

    dontbotherme Network Guru Member

  26. elkabong33

    elkabong33 LI Guru Member

    I think 3.5Mb would be OK because dd-wrt's is about 3.6Mb and seems to work okay but I think I prefer Tomato!
     
  27. humba

    humba Network Guru Member

    I have a few questions with regard to that config and what you posted:

    Do you mean he's using his slug to connect to your router, or that he has a slug configured and connects to it using his own client PC? If it's the latter, any chance he could temporarily create a client for you for trial purposes so you know there's nothing wrong with OpenVPN on the client box?

    Then

    local 192.168.2.1

    Makes openvpn listen on the local interface 192.168.2.1 which I assume is the local IP of your router (and thus the IP of br0)

    server 192.168.10.0 255.255.255.128

    Does the following:

    Assigns the IP 192.168.10.1/25 to tap0 (which is different from the IP of br0.. so now you have an interface within a different subnet connected to the same physical bridge, but you haven't defined any routing in between, so nothing will pass between 192.168.10.x and 192.168.2.x).

    It will also do the following
    Assign IP 192.168.10.x addresses so your client gets an IP address from openvpn and not the dhcp server already running on the tomato (I don't really see the point in openvpn giving out IPs in a bridged config.. after all bridged is supposed to be transparent so why not have one dhcp handle it all?)

    Then you have

    push "dhcp-option DNS 192.168.2.1"

    Which tells the client to use 192.168.2.1 as DNS server..
    and
    push "redirect-gateway def1"

    what's def1?
    (and while we're at it, what's up with vpn_gateway in the client config?)

    Now I assume you want to use your tomato as default gateway.. so def1 would be 192.168.2.1.. so your DNS packets go through the tunnel and end up on the bridge, and the dhcp may even try to reply (not sure about that as I don't know the components), but it has no route to the net 192.168.10.x.. so nothing will get back. Likewise for any traffic that's supposed to go to your net..

    Finally, in the client config you have

    route 192.168.2.0 255.255.255.0 vpn_gateway 3

    Apart from the vpn_gateway that I already mentioned.. there's no point in adding routes from client and server.. you already push the default gateway to the client upon connection.. so all the traffic will be routed through your tomato anyway.

    @edit: if you want to work with different subnets, I think you should use tun mode - bridge mode is meant for something else (see the documentation).
     
  28. roadkill

    roadkill Super Moderator Staff Member Member

    If I could make libfoo work it would be much smaller...
     
  29. dontbotherme

    dontbotherme Network Guru Member

    Hi Humba,
    thanks for your reply :)

    My friend has a slug and he is running an OpenVPN server. His config is so far running and stable! So I put his config on my tomato and thought this would be enough :). (I certainly changed some variables.)

    His first problem before getting OpenVPN on the debian slug working was that he wasn't using this command: "echo "1" > /proc/sys/net/ipv4/ip_forward". But now, after adding this small command, everything is working. We can play some games over his VPN, I can use his Internet connection etc. And that is all I would like to have, but using my tomato instead of an NSLU2 :)

    Back to my tomato config:
    I reconfigured a little part and my friend can now connect to my VPN, but he still can't use my Internet connection either. What did I miss here? It can only be a routing problem!?

    I attached the new server and client config and a picture of my Advanced Routing settings.
     

  30. humba

    humba Network Guru Member

    If you're not going to correct the part that I wrote about (tap => bridged => don't use another subnet for openvpn), then at least explain in detail what you want to do and what this is about with the 192.168.2 and 192.168.10 networks.. (and as a little help.. if you want machines connected via vpn be in the 192.168.10.x subnet and locally connected clients to be in the 192.168.2.x subnet then you are most definitely looking at a tunnel interface and not a bridge interface and should follow the instructions on how to set up the tun interface on this wiki page.)

    You also have duplicate lines in your server configuration:

    keepalive 15 60
    keepalive 10 60

    And I have some doubts about other stuff.. e.g. you select the blowfish cipher but that's the default so specifying it is redundant (and as I said, specifying the local IP address as listening address is redundant too.. tap0 is bridged to the untagged part of the switch so nothing ever goes out vlan1 anyway.. so unless you have different internal subnets there's no point in specifying a listening address).

    Last but not least.. forget that it works for your friend.. the Slug is a different animal and you don't know what he might have done with iptables and routing (and I assume the slug is behind his router which makes it even more different from running openvpn directly on your router). Instead, first figure out exactly what you want to do (network topology is a crucial part of that), then build it from scratch following the examples in the dd-wrt wiki and don't try to go headfirst through a wall (like using a bridged interface and then try to force it to route something - using a tap interface means you are directly connected to your 192.168.2.x network... if you want 192.168.10.x for VPN clients.. use tun - and I know I'm repeating myself but I cannot stress the importance of this difference enough).
     
  31. occamsrazor

    occamsrazor Network Guru Member

  32. bigl2

    bigl2 LI Guru Member

    Hello,

    I'm currently running the latest Tomato with OpenVPN (1.14.1291) and have configured it with a static key. Everything works as expected fresh after a reboot and the client can connect to my router. But after a few hours without a connection the myvpn process dies, so nobody can connect. When I start it again from the console it works again without problems until the next few hours. Has anybody had such problems? What can I do to prevent it?
     
  33. FRiC

    FRiC LI Guru Member

    Do the logs show anything?
     
  34. bigl2

    bigl2 LI Guru Member

    Here is the output. As you can see, the server restarts every 60 seconds:

     
  35. bigl2

    bigl2 LI Guru Member

    I discovered what should be added to the server config to remove the 60-second restarting. My static key config is from the third post in this thread and has the parameter --keepalive 10 60. So after 60 seconds with no link it restarts the server.

    But after consulting the Static Key Mini-HOWTO on the OpenVPN site I discovered that I need the --ping-timer-rem parameter. As the OpenVPN 2.1 manual says:

    Now my server works without restarting every minute - time will show if it will work longer with it.

    UPDATE: With --ping-timer-rem the myvpn process has been rock-solid for 2 days :)
     
  36. peckec

    peckec LI Guru Member

    Hello!

    Is there a way to turn off the "SES/AOSS Button" completely?

    I'm using an SD card, and if there is some I/O on the SD card then tomato thinks that someone is pressing the SES button.

    Right now I have set all the "When Pushed For..." choices to "Do nothing", but I think there is still a process monitoring this button.

    If you have default settings on the "Buttons/Led" page it will randomly toggle your wireless radio off and on.
     
  37. roadkill

    roadkill Super Moderator Staff Member Member

    my guess would be killall buttons ... :grin:
     
  38. peckec

    peckec LI Guru Member

    Thanks, I'll put it into the init script :)
    I was hoping there is a nicer way to do it...
     
  39. elkabong33

    elkabong33 LI Guru Member

    My Routed VPN configuration

    Hello All,

    Firstly, many thanks to Jon for this great Tomato Firmware and Roadkill for the excellent Mod!

    I noticed that many of you are using bridged (tap) mode and people like myself are using routed (tun) mode, so this is just a guide to complement Roadkill's instructions at the beginning of the thread.

    My configuration is currently working on a Buffalo WHR-HR-G54 router.

    Requirements
    You will need to have your own OpenVPN server set up either on another router or using a standalone server like I did.

    1. On the Router copy this script into the Administration >> Scripts >> Init. I was never able to get this to work in the WanUP section.

    Client Configuration

    You can find a more detailed explanation of the different commands here:
    http://www.openvpn.net/index.php/documentation/manuals/openvpn-21.html

    When I used the default configuration at the beginning of the thread I was able to connect to the VPN but devices on the LAN behind the VPN weren't able to connect to the internet. I tried dd-wrt and that worked, then I tried OpenWrt and couldn't get that to work either. The difference was the dd-wrt was using the route-up and route-down scripts, so I implemented the route-up and route-down in mine with success.

    2. Click Save

    3. Add this script to Administration >> Firewall

    I am using the default UDP port 1194 for OpenVPN, but feel free to change it to whatever you like.

    4. Click Save

    5. Reboot your router and you should have a VPN connection with internet behind the tunnel.

    Please be aware that the above was just a guide to complement Roadkill's instructions at the beginning of the thread.

    This script works great for me and I even made VoIP calls through the tunnel with no problem. From my firewall I also have an SNAT to an external IP, which correctly shows up when I go to http://www.whatismyip.com.

    Connecting to a server behind the tunnel needs your help!
    I am able to connect to my router's web interface on the public IP. However, I have a server (192.168.1.2) behind the VPN on the network 192.168.1.0 255.255.255.0 that I am trying to connect to using port 8001. I have redirected port 8001 to port 80 on 192.168.1.2 in the router under Port Forwarding >> Basic, but I am not able to connect to it. Maybe I have overlooked something, but this works fine outside of the VPN and I need to be able to connect to it inside of the tunnel.

    Any feedback would be greatly appreciated.

    Enjoy!

    El Kabong.
     
  40. humba

    humba Network Guru Member

    The way I understand it, the port forwarding works by adding certain iptables rules to allow communication between

    wan-ip:outside port <-> specified-lan-ip:inside port

    Your tun0 interface is bridged onto br0, which is on the LAN side of your router.. so the port mapping you have defined (on the openvpn server I presume.. network diagrams always help if you want to talk about a routed scenario) won't come into play.
     
  41. HarshReality

    HarshReality Network Guru Member

    OK, so VPN or no.. which of all those links has the SDMod support? Been waiting for this for some time now and would love to finalize it.

    **Already have the mod installed, I just dumped another popular firmware for Tomato rock solid stability.

    Scratch that, found it. Some issues mounting BUT if it works like the other mods I will have to format outside the box and then try. Will let you know if that is the case or not.

    ***Scratch that: 2 cards, both formatted outside the unit, reset config and enabled, and mount fails on both. Logs and dmesg yield nothing about mmc at all. Tell me what you need and I'll get it (hreality@gmail.com). Might need a feature similar to another firmware.. where you can manually set the GPIO numbers for CS, D0, D1 & CLK

    Also, not too fond of the green on black etc. but would love to see a "Red Tomato" then I can have the office red and the livingroom/xbox green :)
     
  42. HarshReality

    HarshReality Network Guru Member

    Separate note: Is there a complete tutorial on compiling your own build of this? If so I'd love to see it, as I have a few projects I'd like to try out.
     
  43. PeterT

    PeterT Network Guru Member

    What would be nice is someone creating a VMWare image of a complete, working environment that could be used for building firmware...
     
  44. HarshReality

    HarshReality Network Guru Member

    It 'could' be done but there are a few things missing.
    1. I have yet to see a complete dum-dum how-to guide for compiling.
    2. The size of a VM env. would be the OS etc., which could be HUGE
    3. Hosting for such a thing (bandwidth considerations etc.)
     
  45. mstombs

    mstombs Network Guru Member

    I haven't tried to compile Roadkill's mod, but first you need to be able to compile the Linksys firmware, then Tomato, and then the Tomato mod. The tricky step is having a Linux environment with all the right tools installed in the expected places; then building the firmware is easy!

    If you have a spare old PC I can recommend a single CD distro called VectorLinux VL5.8-SOHO-final.iso - which doesn't need any extras installed to be able to build firmwares (it also can recompile its own kernel from included sources). VL 5.9 didn't work for me, as it uses a later version of gcc/make. I tried a few others but gave up as too tricky to configure. The above VL 5.8 install has ssh/samba so doesn't need a keyboard/monitor - but my P3-560 is a bit slow...
     
  46. HarshReality

    HarshReality Network Guru Member

    OK, this is definitely a start in the right direction. Now if we have an idiot's guide to compile and then add the tomato mod we will be 3/4 of the way there.
     
  47. roadkill

    roadkill Super Moderator Staff Member Member

    Okay, I think I can provide some assistance with it on Ubuntu/Debian:
    Code:
    sudo apt-get install build-essential bison flex
    and you should be able to compile the Linksys source.
     
  48. Victek

    Victek Network Guru Member

  49. devilkin

    devilkin LI Guru Member

    Any possibility for 1.16+openvpn?

    :) :)
     
  50. adex

    adex LI Guru Member

    Hello,

    Is there any way to detach serial port 0 (/dev/tts/0) from the console (terminal, BusyBox....)??? In OpenWRT there is an inittab file where I can comment out one line and the console is detached. But OpenWRT is not stable on my Linksys WRT54GL.

    PS Tomato RULZ!!!
     
  51. PacoBell

    PacoBell Network Guru Member

    Ooh! I second that motion heartily!
     
  52. HarshReality

    HarshReality Network Guru Member

    I'm sure RK is upgrading his local as it becomes available, once his current reaches a level of stability. Me.. just waiting for my SD card to work LOL
     
  53. ikarusx3

    ikarusx3 LI Guru Member

    what router do you use? sdmod in my WRT54GL is working like a charm...
     
  54. HarshReality

    HarshReality Network Guru Member

    WRT54G v2.2

    It's something about the GPIO pin settings.. I had to use non-defaults when I used WRT (sorry I said a bad word). The current one, I think 1.4 on the front page, refused to mount or format; an external format still failed mounting.
     
  55. ikarusx3

    ikarusx3 LI Guru Member

    Why don't you change it to the standard gpio settings?

    Just change the soldering and you should be fine. Autodetection worked for me. If you want I can try to figure out my gpio assignments.
     
  56. xworm

    xworm LI Guru Member

    Confused with version

    I'm a newbie; can anyone tell me the difference between "TomatoMod 1.14.1291 - Binary" and "TomatoMod VPN/SERIAL flavor 1.14.1291 - Binary"?

    Only the latter one supports VPN/Serial?

    Thanks
     
  57. ikarusx3

    ikarusx3 LI Guru Member

    No, I think VPN is included with both builds, but the serial mod only in the latter one.
     
  58. HarshReality

    HarshReality Network Guru Member

    Because the pinout on the board for the 2.2 was different (per the OpenWRT wiki). When I get a chance I'll give mine a confirmation look and see what I can see. It has been a while since I actually went in and messed with the hardware side.

    Ref: http://wiki.openwrt.org/OpenWrtDocs/Customizing/Hardware/MMC
     
  59. FidgetyRat

    FidgetyRat LI Guru Member

    Edit:

    Got the card to be recognized, but it's not automatically formatting. I'm going to have to format it outside the router I guess..

    I'm using:
    CS 7
    DI 2
    DO 4
    CLK 3

    Turns out I soldered GPIO 2 and 3 on the wrong side of the LEDs.
     
  60. HarshReality

    HarshReality Network Guru Member

    Out of curiosity what are your pin settings (GPIO)?
    I'm using: DI=5, D0=4, CLK=3, CS=7
     
  61. elkabong33

    elkabong33 LI Guru Member

    Let me explain further:

    It appears that when my VPN is connected I am not able to access my router's web interface or ssh from its public IP. However, I can access the web interface and ssh through the VPN tunnel. I can also connect to any other device that is on the LAN behind the tunnel.

    This is my setup:

    DSL Modem <> [PUBLIC IP] WHR-HR-G54 192.168.1.1[LAN] & 172.16.8.29[VPN]) >> (192.168.1.0/24) LAN

    Router Config
    PUBLIC IP = 1.2.3.4
    VPN IP = 172.16.8.29
    LAN IP = 192.168.1.1

    Local access: http 8080
    Remote access: https

    Firewall Script
    Code:
    iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
    iptables -A INPUT -p udp --dport 1804 -j ACCEPT
    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -j ACCEPT
    iptables -A OUTPUT -o tun0 -j ACCEPT
    iptables -A FORWARD -o tun0 -j ACCEPT

    With this setup I am able to access any device on the LAN once I am connected to the VPN.

    I need to be able to connect to the web interface of the device on internal IP 192.168.1.2 and I have set up forwarding for port 80 below.

    PORT FORWARDING
    TCP 8001 >> 80 >> 192.168.1.2

    Any ideas please?

    El Kabong
     
  62. roadkill

    roadkill Super Moderator Staff Member Member

    guys, I'll post 1.16 soon; it's already done. I also upgraded busybox to version 191 and located the bug which caused all the dhcp client issues from version 1.13+. It's now working perfectly. I'll post it within a week :grin:
     
  63. humba

    humba Network Guru Member

    Code:
    TCP 8001 >> 80 >> 192.168.1.2
    That (on the WHR-HR-G54 I presume) would allow you to access the device with IP 192.168.1.2 on port 80 by accessing http://your-public-ip:8001/ from outside your network.

    You still didn't mention the rest of the network diagram.. what's on the other side of the VPN and where are you making these tests from?
     
  64. elkabong33

    elkabong33 LI Guru Member

    Humba,

    Please see attached my impression of a network diagram. I hope you are able to get the idea here nevertheless.

    regards,

    Elkabong
     

  65. humba

    humba Network Guru Member

    That drawing makes it a lot easier to understand.

    So as I said, your setup doesn't really get you where you want to go.. what you should be able to do now is access http://1.2.3.4:8001 and that should get you to your VoIP device. The port forwarding always forwards ports between the WAN (VLAN1) and LAN (br0).. you want tun0 to br0 and you cannot do that via the web GUI.

    Some questions: Do you have routing and firewalls properly set up on all locations (your PC client needs to know the routes to access machines on the branch office LAN, your server needs to route between the two VPN tunnels)? Did you check out the routed branch office example in the DD-WRT Wiki? It mentions how you set this all up.

    Also, I'm wondering.. what exactly do you want to expose to your PC client? Just access to the VoIP device on that single port and nothing else (that's going to involve quite some configuration.. the openvpn site has an example on how to set up different clients with different permissions.. it's quite a PITA since openvpn alone cannot do user management.. you need to resort to special IP ranges and iptables commands to get this done) or would it be okay to simply expose the ip range of the branch office?
     
  66. FidgetyRat

    FidgetyRat LI Guru Member

    Just an update to my post about SD/MMC on the previous page.

    Confirming the mod works fine with my WRT54GL using the GPIO configuration I posted towards the bottom of the previous page.

    So nice to have all my custom software, configs, etc. be within the router rather than dependent on a cifs link.
     
  67. elkabong33

    elkabong33 LI Guru Member

    I am not able to access the router's web interface outside the tunnel on http://1.2.3.4:8080 or https://1.2.3.4 either, even though that is enabled for remote access, but I can through the tunnel. My concern is that since the router is in a "very" remote location (5,000 miles away) I need to be able to access it should the vpn go down.

    When I create an ssh tunnel and then connect via that tunnel as a proxy with Firefox or IE, I can access the web interface of the Voip Gateway, but I am not able to do so via the vpn or via the router's public IP, example http://1.2.3.4:8001

    I can connect to the router once my Laptop is connected to the VPN as well. I even have a public IP assigned to the router using SNAT on the OpenVPN Server which works as well.

    My PC is being used to manage the devices on the remote site. As I mentioned before I am able to access the router on 172.16.8.29 once my Laptop is connected to the VPN. However I believe the problem may be Tomato's firewall configuration but I am not 100% sure.

    Is Tomato's firewall enabled to block everything by default? See my script below:

    Firewall Script
    Code:
    iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
    iptables -A INPUT -p udp --dport 1804 -j ACCEPT
    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -j ACCEPT
    iptables -A OUTPUT -o tun0 -j ACCEPT
    iptables -A FORWARD -o tun0 -j ACCEPT

    regards,

    Elkabong
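    The tun0-to-br0 case humba describes (the GUI port forward only covers WAN to LAN) and the blanket `-i tun0 -j ACCEPT` lines in the firewall script above, as an added example that is not code from this thread or from Tomato: a Firewall Script fragment that admits VPN clients only to the router's management ports and performs the "TCP 8001 >> 80 >> 192.168.1.2" translation for traffic arriving on the tunnel. Interface names br0/tun0, ports 8080, 2222 and 8001 and the LAN host 192.168.1.2 are taken from the posts; the `IPT=echo` dry-run switch is an assumption of this example, not a Tomato feature.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomato): tun0 -> br0 rules for a
# Tomato-style Firewall Script. Values below come from the posts above
# (management on 8080/tcp and 2222/tcp, LAN host 192.168.1.2:80 reached as
# port 8001); anything else is an assumption for this example.
# Set IPT=echo to dry-run: the rules are printed instead of installed.

VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-br0}"
MGMT_HTTP="${MGMT_HTTP:-8080}"
MGMT_SSH="${MGMT_SSH:-2222}"
FWD_PORT="${FWD_PORT:-8001}"
LAN_HOST="${LAN_HOST:-192.168.1.2}"
LAN_PORT="${LAN_PORT:-80}"

add_vpn_rules() {
    ipt="${IPT:-iptables}"   # resolved at call time so IPT=echo gives a dry run

    # Router management from VPN clients: only the two service ports, instead of
    # the blanket "-i tun0 -j ACCEPT" that also exposes every other listener.
    # -I puts the rule ahead of whatever the stock chain already holds.
    "$ipt" -I INPUT 1 -i "$VPN_IF" -p tcp --dport "$MGMT_HTTP" -j ACCEPT
    "$ipt" -I INPUT 1 -i "$VPN_IF" -p tcp --dport "$MGMT_SSH" -j ACCEPT

    # VPN clients may open connections into the LAN; the LAN only answers them.
    "$ipt" -I FORWARD 1 -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    "$ipt" -I FORWARD 1 -i "$LAN_IF" -o "$VPN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The GUI port forward ("TCP 8001 >> 80 >> 192.168.1.2") only applies to WAN.
    # This is the same translation for traffic arriving on the tunnel.
    "$ipt" -t nat -I PREROUTING 1 -i "$VPN_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$LAN_HOST:$LAN_PORT"
}

# Run this file with --dry-run to print the rules without touching the firewall;
# in the Firewall Script itself just call add_vpn_rules.
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo add_vpn_rules
fi
```

    A VPN client then reaches the LAN device as http://172.16.8.29:8001 (the router's tunnel address from the post) rather than through the public IP, and the router itself only answers the two management ports on tun0.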
     
  68. HarshReality

    HarshReality Network Guru Member


    I didn't make use of a GPIO 2 as there was no mention of one for the 2.2.... guess Ima have to take a chance and do some poking around and see if I can actually find a 2 instead of my 5
     
  69. roadkill

    roadkill Super Moderator Staff Member Member

    TomatoMod 1.16.1374 is HERE
     
  70. FidgetyRat

    FidgetyRat LI Guru Member

    Use of GPIO 2 is typically limited to just the WRT54GL because for some reason they removed GPIO 5 from the board on this model. So technically your configuration would be considered "standard" and ours is the freak.

    I admit, some sort of support for choosing your own GPIO configuration should be supplied.

    But, since this does work with 2, maybe soldering a toggle switch between 2 and 5 might help for any future problems. Then you can just switch from one to the other without desoldering.

    Edit:

    Roadkill, any chance to clean up the original post? It's starting to get quite confusing for some people. There seem to be different versions floating around and we can't figure out what functionality is in what file.

    For example,
    TomatoMod 1.16.1374 - Binary
    TomatoMod VPN/SERIAL flavor 1.16.1374

    Of these two versions, do both contain all the same mod packages with the exception of the second one also containing the VPN/Serial mod? Or is the second only VPN/Serial, etc.?

    Also, the bulleted sections seem to have different versions of busybox than what you mentioned earlier.

    Thanks, I've been the "in-between" for some other forums interested in your work and even I'm getting confused now.
     
  71. roadkill

    roadkill Super Moderator Staff Member Member

    well, builds that are marked with the SerialMod have Setrial, Nanocom and Mgetty added to them; otherwise they are the same.
     
  72. FidgetyRat

    FidgetyRat LI Guru Member

    Last clarification:

    Does that include VPN as well, or is the VPN only included in the VPN/Serial version? I only ask because I'm trying to keep everything as minimal as possible since all I really need is the SD and VPN mods. The rest just takes up space.

    Thanks.
     
  73. CBR900

    CBR900 LI Guru Member

    Does TomatoMod 1.16.1374 - Binary enable USB connection in Asus WL-500Gp?
     
  74. drelkata

    drelkata LI Guru Member

    I upgraded to Tomato Mod v1.16.1374 with OpenVPN, SD/MMC Support,
    but in the web interface there is no NVRAM Show item in the tools menu?!?! Is this removed in the last version (v1.16.1374)?
     
  75. Victek

    Victek Network Guru Member

  76. roadkill

    roadkill Super Moderator Staff Member Member

    Yes SerialMod is bundled with VPN/SDMMC as well

    Victek, drelkata: I added the NVramshow link to the tree on the left side, please download the firmware again.
     
  77. occamsrazor

    occamsrazor Network Guru Member

    Firstly, Roadkill thanks for the update....

    Also, I asked this before but never found an answer, I'm currently running v1.11.1218 with OpenVPN, and sRelay installed as per this post:

    http://www.linksysinfo.org/forums/showthread.php?t=55755&highlight=srelay

    If I upgrade to the latest version will I have to re-install sRelay, or will it remain installed?
    And the OpenVPN settings/scripts/keys?

    I'm just wondering if this is a one-click upgrade, or if there are certain things I need to back up first and then re-install... and if so what.

    Many thanks,

    Ben
     
  78. roadkill

    roadkill Super Moderator Staff Member Member

    if it is installed on jffs2 you'll have to reinstall
     
  79. tstrike2000

    tstrike2000 Network Guru Member

    A really nice set of features you've added in the last several releases of Tomato. I was curious if USB support perhaps might be added in future releases.
     
  80. roadkill

    roadkill Super Moderator Staff Member Member

    usb support can be made available Victek got something brewing I'm hoping to integrate it :grin:
     
  81. tstrike2000

    tstrike2000 Network Guru Member

    Cool stuff you guys are doing with it. Thanks to you and Jon and the rest of the people who make routing life easier for the rest of us.
     
  82. HarshReality

    HarshReality Network Guru Member

    I'm not going to even begin hoping this is pertaining to the WRT54G.. if I got a USB drive hooked to the thing it would be ON.

    How goes the Legacy for the SD RK?
     
  83. roadkill

    roadkill Super Moderator Staff Member Member

    I think I'll do a gpio switch
     
  84. FidgetyRat

    FidgetyRat LI Guru Member

    Do you mean a physical switch like I suggested? or are you switching the GPIO settings in the build?


    That would make me sad since my board completely lacks GPIO5 :(
     
  85. Leeoniya

    Leeoniya LI Guru Member

    @roadkill, did you have any plans for making a GUI for creating vlans, openvpn options.

    if you'd like, I can make the xhtml/js form for OpenVPN config, perhaps with selectable common config presets.

    Leon
     
  86. roadkill

    roadkill Super Moderator Staff Member Member

    Yes that would be great
     
  87. peckec

    peckec LI Guru Member

    Firstly, thanks for the great job ...

    I've upgraded my router to 1.16.1374, but I've got a problem.
    The new version lacks the ext2 module, so I'm unable to mount my sd card.

    @roadkill, maybe you can add it?

    Thanks
     
  88. roadkill

    roadkill Super Moderator Staff Member Member

    Mmmmm that shouldn't have happened...
    I'll upload a fix tomorrow..
     
  89. HarshReality

    HarshReality Network Guru Member

    Hmmm... sweet!
     
  90. srouquette

    srouquette Network Guru Member

    is it possible to push DHCP IP address to VPN client ?
    how can I see connected clients ?
     
  91. srouquette

    srouquette Network Guru Member

    I'm lost ^^;
    I read everything in this thread, but I couldn't find an answer for my problem.
    I have 2 networks with 192.168.1.* addresses (home and work), but I don't want to bridge them.
    One of them has the VPN server, and I'd like to create a new network (like 10.8.0.*) when I connect to it.
    I can connect 2 computers to the VPN, but I have a problem reaching each computer.

    I made a few modifications to the Init script:
    Code:
    # load the tun driver and create the tunnel interface before OpenVPN starts
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tun0
    ifconfig tun0 10.42.0.1 netmask 255.255.255.0 promisc up

    # write the server config to /tmp; ca.crt, dh1024.pem, server.crt and
    # server.key are expected in the same directory
    echo "
    # Tunnel options
    server 10.42.0.0 255.255.255.0
    proto udp
    port 1194
    dev tun0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo

    # OpenVPN server mode options
    client-to-client
    duplicate-cn

    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf

    firewall:
    Code:
    # open the OpenVPN port on the WAN side, then let tunnel traffic in and through
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -j ACCEPT
    iptables -A OUTPUT -o tun0 -j ACCEPT
    iptables -A FORWARD -o tun0 -j ACCEPT

    I tried to read the OpenVPN FAQ, but I didn't fully grasp the TAP/TUN thing, so maybe my conf is wrong.

    Windows gets this IP: 10.42.0.102/255.255.255.252
    And Ubuntu gets this: 10.42.0.106/255.255.255.255

    The problem seems to be the mask, but I don't know how I should set the IP in the server.
    Windows can ping Ubuntu, but Ubuntu can't ping Windows.
    And each one can ping the server.

    I also tried that in openvpn.conf : push "route 10.42.0.0 255.255.255.0"
    But it didn't improve the situation.

    can someone help me please ? :)
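    The two addresses reported above (a Windows client at 10.42.0.102/255.255.255.252 and an Ubuntu client at 10.42.0.106/255.255.255.255) are what OpenVPN's default "net30" topology produces for `server 10.42.0.0 255.255.255.0`, so the differing masks are the expected shape of that topology rather than a misconfiguration. As an added example that is not code from this thread or from OpenVPN, the script below works out the /30 arithmetic: the /30 allocation rule is OpenVPN's documented net30 behaviour; restricting the pool to a /24 (only the last octet moves) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): the address arithmetic
# behind OpenVPN's default "net30" topology, which is what
# "server 10.42.0.0 255.255.255.0" uses when no "topology" line is given.
# The pool is cut into /30 blocks: block 0 is the server's own (.1 server,
# .2 peer), and client N gets block N+1, taking the block's 2nd host as its
# own address and the 1st host as the endpoint it talks to. Windows reports
# the /30 netmask; Linux shows the same pair as a point-to-point /32.
# Assumption of this example: the pool is a /24, so only the last octet moves.

POOL_BASE="${POOL_BASE:-10.42.0}"   # first three octets of the "server" pool

# net30_client N: what client number N (0 = first client) is given.
net30_client() {
    n="$1"
    start=$(( (n + 1) * 4 ))        # block 0 (.0-.3) belongs to the server
    if [ "$start" -gt 252 ]; then
        echo "pool exhausted: a /24 net30 pool holds at most 63 clients" >&2
        return 1
    fi
    echo "client=$POOL_BASE.$((start + 2)) peer=$POOL_BASE.$((start + 1)) mask=255.255.255.252"
}

# net30_explain IP: for an address seen on a client, print its /30, the peer
# address the client must use, and whether it sits in the client slot.
net30_explain() {
    ip="$1"
    last="${ip##*.}"
    base="${ip%.*}"
    start=$(( last / 4 * 4 ))       # round down to the /30 boundary
    if [ "$last" -eq $((start + 2)) ]; then
        slot=client
    else
        slot=server-side
    fi
    echo "block=$base.$start/30 peer=$base.$((start + 1)) slot=$slot"
}

# The two addresses reported in the post above (constructed from the post):
for seen in 10.42.0.102 10.42.0.106; do
    net30_explain "$seen"
done
```

    Both clients therefore hold consistent addresses in their own /30, and traffic between them always passes through the server (which `client-to-client` in the config above permits), so the mask difference on its own does not explain one-way pings. A single flat /24 with the same mask on every client needs `topology subnet`, which exists from OpenVPN 2.1 onwards; whether it is usable depends on the OpenVPN version built into this firmware.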
     
  92. FRiC

    FRiC LI Guru Member

    Change your home network.
     
  93. roadkill

    roadkill Super Moderator Staff Member Member

    I updated the binary and the source code today to include the missing fs modules you can re download
    everything should work as expected, also I want to know if the dhcp issues have been really fixed now
    please post feedback if you have any troubles.
    RK
    :grin:
     
  94. srouquette

    srouquette Network Guru Member

    will it work with something like 192.168.50.* if the work network stays at 192.168.1.*?
    or should I move to 172.16.* or 10.*?
     
  95. FRiC

    FRiC LI Guru Member

    You can use whatever you want, as long as the two sides are not the same. I assume you can't change your office network. :p
     
  96. srouquette

    srouquette Network Guru Member

    yes I can, and I changed it :)
     
  97. FidgetyRat

    FidgetyRat LI Guru Member

    Roadkill, Thanks for updating the original post. Much more clear now. Looking good.

    When upgrading from the previous version to the new 1.16 version, will a saved configuration file be compatible? Do I need to flush nvram?

    I realise I'll have to copy any extra stuff I added before flashing, but since I have all that residing on the SD card, it shouldn't make too much of an impact.
     
  98. roadkill

    roadkill Super Moderator Staff Member Member

    NVram should be compatible with the previous version.
    I'm not sure about the config file, but I think it should also be compatible.
     
  99. peckec

    peckec LI Guru Member

    Thanks for the update.
    Fs modules are ok now:). But there is still a little problem:

    I can mount the SD card only from the command line.
    Nothing happens if I enable it from the GUI.

    To be sure I erased nvram and tried again.
    I also downgraded to 1.14.1291 and there it worked well.

    So right now I had to put the insmod and mount commands in the init script.
     
  100. occamsrazor

    occamsrazor Network Guru Member

    Has anyone tried using OpenVPN on port 443? I have OpenVPN with static key working fine on port 1194, but when I change the port number in the settings (firewall script, wan up script, and client OpenVPN config) to 443, and make sure the https admin access is something different than 443, I get the following error from my OpenVPN client:

    Code:
    Tue Mar 11 19:01:58 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

    Any ideas? Thanks...

    Ben

    PS - I'd like to use 443 because some places I've been (hotels etc) were blocking non-standard ports.
     
