
Tomato Mod v1.19.1464 with OpenVPN/Tomato Mod v1.21.TEST-v5 with OpenVPN-GUI,SDMMC,IP/MAC

Discussion in 'Tomato Firmware' started by roadkill, Jun 4, 2007.

  1. HighTechDad

    HighTechDad Addicted to LI Member

  2. srouquette

    srouquette Network Guru Member

    Put the openvpn.conf and key creation in the Init tab (you don't need to create these files each time your WAN comes up); that will do the trick.
     
  3. HighTechDad

    HighTechDad Addicted to LI Member

    So are you saying putting all of this:

    Code:
    insmod tun.o                        # load the TUN/TAP driver
    cd /tmp                             # config and keys live in RAM
    openvpn --mktun --dev tap0          # create a persistent tap interface
    brctl addif br0 tap0                # bridge it onto the LAN
    ifconfig tap0 0.0.0.0 promisc up
    
    # server config; relative file names resolve against the current directory
    echo "
    # Tunnel options
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    # OpenVPN server mode options
    client-to-client
    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    # CA certificate
    echo "
    -----BEGIN CERTIFICATE-----
    
    Insert content of ca.crt here !!!!!!
    
    -----END CERTIFICATE-----
    " > ca.crt
    # server private key; readable by root only
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    
    Insert content of server .key here !!!!!! (named widged.key on the linked manual)
    
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    # server certificate
    echo "
    -----BEGIN CERTIFICATE-----
    
    Insert content of the server .crt here !!!!!! (named widged.crt on the linked manual)
    
    -----END CERTIFICATE-----
    " > server.crt
    # Diffie-Hellman parameters
    echo "
    -----BEGIN DH PARAMETERS-----
    
    Insert content of dh1024.pem here !!!!!!
    
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    into the init script and this:
    Code:
    sleep 5
    cd /tmp                             # so openvpn.conf and the key files are found
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    
    into the WAN Up section?

    I'm thinking my keys are potentially too long, too, and I might have to regenerate them.

    Sorry for the dumb questions.
     
  4. srouquette

    srouquette Network Guru Member

    You can leave this in the WAN Up too (I thought it might work in the Init, but I had some problems before, so...).
    The Init tab has been increased from 4096 to 8192, so you'll be able to store your keys in it.
    The config file and keys won't change over time, so it's safe to put them in Init.
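The Init/WAN Up split suggested in the two posts above, as an added example; this is not code from the thread or from the Tomato mod. The Init-side helpers write the config and the four PEM files so that they are never readable by other users, and the WAN Up-side start refuses to run OpenVPN while any of those files is still a template placeholder (such as the "Insert content of ca.crt here" lines) or has loose permissions. The directory /tmp/openvpn, the file names and the PEM bodies in the self-test are assumptions and constructed data, not real key material.

```shell
#!/bin/sh
# Added example, not code from the thread or the Tomato mod: helpers for the
# Init tab (write config and key material) and the WAN Up tab (start OpenVPN).
# Each tab runs as its own script, so the functions must be pasted into both.
# VPN_DIR and the file names are assumptions.

VPN_DIR="${VPN_DIR:-/tmp/openvpn}"

# write_pem FILE MARKER BODY: write "-----BEGIN MARKER-----", BODY and
# "-----END MARKER-----" with mode 0600 from the moment the file is created.
write_pem() {
    _file=$1; _marker=$2; _body=$3
    mkdir -p "$(dirname "$_file")"
    _old=$(umask); umask 077
    {
        printf '%s\n' "-----BEGIN $_marker-----"
        printf '%s\n' "$_body"
        printf '%s\n' "-----END $_marker-----"
    } > "$_file"
    umask "$_old"
    chmod 600 "$_file"        # also tightens a file that already existed
}

# check_pem FILE MARKER: succeed only if FILE is mode 0600, has exactly one
# BEGIN and one END line for MARKER (single-block files only), and a non-empty
# body made solely of base64/hex lines. A template placeholder such as
# "Insert content of ca.crt here !!!!!!" fails the body test.
check_pem() {
    _file=$1; _marker=$2
    [ -f "$_file" ] || { echo "check_pem: $_file is missing" >&2; return 1; }
    _mode=$(ls -ld "$_file" | cut -c1-10)        # busybox and GNU ls agree here
    [ "$_mode" = "-rw-------" ] || { echo "check_pem: $_file is $_mode, want -rw-------" >&2; return 1; }
    _counts=$(awk -v m="$_marker" '
        $0 == "-----BEGIN " m "-----" { inside = 1; markers++; next }
        $0 == "-----END " m "-----"   { inside = 0; markers++; next }
        inside { body++; if ($0 !~ "^[A-Za-z0-9+/=]+$") bad++ }
        END { printf "%d %d %d\n", markers + 0, body + 0, bad + 0 }' "$_file")
    set -- $_counts                               # $1 markers, $2 body lines, $3 bad lines
    [ "$1" -eq 2 ] || { echo "check_pem: $_file lacks BEGIN/END $_marker lines" >&2; return 1; }
    [ "$2" -gt 0 ] || { echo "check_pem: $_file has an empty body" >&2; return 1; }
    [ "$3" -eq 0 ] || { echo "check_pem: $_file has $3 non-PEM line(s); template placeholder left in?" >&2; return 1; }
}

# write_server_conf DIR: the bridged (tap) server config from the thread.
# Relative file names resolve against DIR because start_openvpn passes --cd.
write_server_conf() {
    _dir=$1
    mkdir -p "$_dir"
    _old=$(umask); umask 077
    cat > "$_dir/openvpn.conf" <<'EOF'
mode server
tls-server
proto udp
port 1194
dev tap0
client-to-client
keepalive 15 60
comp-lzo
verb 3
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
EOF
    umask "$_old"
}

# verify_material DIR: every file the config references must pass check_pem.
verify_material() {
    _dir=$1; _rc=0
    check_pem "$_dir/ca.crt"     CERTIFICATE       || _rc=1
    check_pem "$_dir/server.crt" CERTIFICATE       || _rc=1
    check_pem "$_dir/server.key" "RSA PRIVATE KEY" || _rc=1
    check_pem "$_dir/dh1024.pem" "DH PARAMETERS"   || _rc=1
    return $_rc
}

# start_openvpn DIR (WAN Up tab): never start on bad material, replace an
# instance left over from an earlier WAN Up run, then daemonize.
start_openvpn() {
    _dir=$1
    verify_material "$_dir" || { echo "start_openvpn: refusing to start" >&2; return 1; }
    killall -q openvpn 2>/dev/null
    openvpn --cd "$_dir" --config openvpn.conf --daemon
}

# Self-test on a scratch directory with constructed bodies (not real keys).
demo=$(mktemp -d "${TMPDIR:-/tmp}/vpndemo.XXXXXX")
write_pem "$demo/ca.crt"  CERTIFICATE "MIIBszCCARygAwIBAgIBATANBgkqhkiG9w0BAQUFADA="
write_pem "$demo/bad.crt" CERTIFICATE "Insert content of ca.crt here !!!!!!"
check_pem "$demo/ca.crt"  CERTIFICATE && echo "ca.crt: ok"
check_pem "$demo/bad.crt" CERTIFICATE 2>/dev/null || echo "bad.crt: rejected"
rm -rf "$demo"
```

In the Init tab, paste the functions, then call write_server_conf "$VPN_DIR" and one write_pem per file with the real PEM body; in the WAN Up tab, paste the functions again and call start_openvpn "$VPN_DIR". Blank lines inside a PEM body are rejected on purpose; the blank lines the echo templates put before BEGIN and after END sit outside the markers and are ignored.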
     
  5. jyavenard

    jyavenard Network Guru Member

    I thought I had answered, but for some reason my post is gone.

    I'm not a Web GUI person, plus it doesn't interest me technically. I've put all the pieces together to provide all the low-level code required. Adding a GUI interface is trivial, as all the infrastructure code is there.

    BTW, I have updated the code to use Tomato 1.19 as a base.
    The binary firmware is provided, and a patch file for the 1.18 code (with VPN):
    http://avenard.org/wrt54-tomato/
     
  6. valnar

    valnar Network Guru Member

    Is that just PPTP client, or server as well? Your readme did not mention server.

    Robert
     
  7. jyavenard

    jyavenard Network Guru Member

    Currently, the binary only contains the PPTP client.
    But the source contains the server as well and it can be quite easily compiled in.

    As I don't need it, I didn't bother compiling it in... but it ain't difficult.
     
  8. VoipDeamon

    VoipDeamon Addicted to LI Member

    Greetings everyone!

    I'm trying to locate the original Tomato 1.16 source, pre-OpenVPN, but it's no longer available on the tomato site, and the author is unresponsive.

    Is there a link to this package?
    If it's not publicly available, but someone has the file, I would appreciate a copy, and I can even host it.

    Thank you!
     
  9. zmahomedy

    zmahomedy LI Guru Member

    OpenVPN MOD TOMATO .. WRT54GL crashes

    Hi

    I've been trying to set up OpenVPN on Tomato with the Tomato mod firmware 1.16.

    I have the OpenVPN server and clients running with no problems on my regular Linux boxes; however, when running the client script in the Tomato firmware it crashes every time.

    It makes the connection to the server and assigns the virtual IP address, however I can't ping the client (Tomato box). It then crashes after a few secs (box becomes unresponsive).

    Here is the script that I am using:

    Code:
    insmod tun.o                        # load the TUN/TAP driver
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn  # run the client under a distinct name
    sleep 5
    
    # routed (tun) client config; file names are resolved relative to /tmp
    echo "
    client
    dev tun0
    proto udp
    remote 192.168.1.110 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    comp-lzo
    verb 3
    " > /tmp/client.conf
    
    # CA certificate
    echo "
    -----BEGIN CERTIFICATE-----
    entered ca.crt
    -----END CERTIFICATE-----
    " > /tmp/ca.crt
    
    # client private key; readable by root only
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    entered client.key
    -----END RSA PRIVATE KEY-----
    " > /tmp/client.key
    chmod 600 /tmp/client.key
    
    # client certificate
    echo "
    -----BEGIN CERTIFICATE-----
    entered client.crt
    -----END CERTIFICATE-----
    " > /tmp/client.crt
    
    ./myvpn --config client.conf
    
    Any ideas?

    zakir
     
  10. roadkill

    roadkill Super Moderator Staff Member Member

    I think posting the log will be a good idea...
     
  11. xaric

    xaric Addicted to LI Member

    It would be very nice if you supported the new ND version of Tomato. :)

    thanks!
     
  12. roadkill

    roadkill Super Moderator Staff Member Member

    v1.19 will support the ND version as well, I'm still testing it..
     
  13. zmahomedy

    zmahomedy LI Guru Member

    RE: OpenVPN MOD TOMATO WRTGL Crashes

    Hi

    I had the OpenVPN box crash on me every time; however, when I got home I
    retested the mod on another box with no problems at all. Will need to retest the box at work to see what happens.

    2) Does anyone know if there is an RP-PPPoE module with Tomato? I need to run multiple PPPoE connections and I believe it works with the RP-PPPoE module. If it is not included, what are my options?

    zakir
     
  14. HighTechDad

    HighTechDad Addicted to LI Member

    Do we have an ETA on the next release? Roadkill, on my blog you mentioned very soon (as in this week). How goes it all?
     
  15. roadkill

    roadkill Super Moderator Staff Member Member

    I got a test build if you want to play...
     
  16. HighTechDad

    HighTechDad Addicted to LI Member

    How stable is it? What is the feature set? How close to being released is it? I am intrigued but don't want to brick my main router with an alpha. :cool: Can't wait though! :biggrin:
     
  17. roadkill

    roadkill Super Moderator Staff Member Member

    Based on official Tomato v1.19, added/updated
    BusyBox 1.10.2
    OpenVPN v2.1_rc7
    Lzo2 v2.03
    SD/MMC with Module Selection via GUI
    Jhash patch for kernel (aka speedmod)
    GUI Addons Qos Limiter,App Limiter,Arp Binding,Toolbox
    and more :grin:
     
  18. srouquette

    srouquette Network Guru Member

    wow, looks great :)
     
  19. FRiC

    FRiC LI Guru Member

    Let me know if you need another tester. I have a number of routers for testing, and just got a Buffalo WHR-HP-G54 yesterday for testing.
     
  20. HighTechDad

    HighTechDad Addicted to LI Member

    I can't wait. Sounds great! When's it coming?
     
  21. somms

    somms Network Guru Member

    Hmm... the thread is no longer stickied at the top...

    Those with newer-generation Linksys Pre-N routers may want to look at DD-WRT for OpenVPN support...
     
  22. LLigetfa

    LLigetfa LI Guru Member

  23. HarshReality

    HarshReality Network Guru Member

    RK... how goes the Legacy setting so I can manually set GPIO pins? I'm still itching to get my card going :)
     
  24. roadkill

    roadkill Super Moderator Staff Member Member

    actually I need a test subject ... you want to try?
     
  25. HighTechDad

    HighTechDad Addicted to LI Member

    Any ETA on the new release...or should I just say BUMP? Anyone tested the new version?
     
  26. HarshReality

    HarshReality Network Guru Member

    I'm game.. always game actually >: )
     
  27. ubergoober

    ubergoober Guest

    I've got a WRT54GL with your 1.16 mod running and have successfully gotten OpenVPN working. If the beta version is pretty stable, I'd like to give it a try.
     
  28. rv1234

    rv1234 Guest

    Same here. I only need openvpn and none of the other mods...
     
  29. FRiC

    FRiC LI Guru Member

    Me too. It would be nice if there could be an "only OpenVPN" mod. :p
     
  30. jwchk

    jwchk Network Guru Member

    I will vote for an "OpenVPN only" mod :)
     
  31. TheGIZ

    TheGIZ Network Guru Member

    Use my OpenVPN mod every day. Thanks as always.
     
  32. adeej

    adeej Addicted to LI Member

    openvpn on the router in access point mode

    Dear all,
    this is my first post, but I read a lot of discussions in the forum.

    I have a main router with an ADSL connection and a second router (Buffalo WHR-G54S) that I use as an access point with Tomato Mod v1.16.1374 with OpenVPN.


    Is it possible to configure OpenVPN on the router in access point mode?
    On the second router the WAN is disabled.

    If it is possible, what is the working configuration?

    Thanks in advance
     
  33. matthiaz

    matthiaz Network Guru Member

    Should work. Install openvpn mod, port forward 1194/udp to that router, configure, be happy.
     
  34. adeej

    adeej Addicted to LI Member

    Router 1 (ADSL) -> forward 1194 to router 2: ok
    LAN 192.168.x.1

    Router 2 (access point mode, WAN disabled)
    LAN 192.168.x.10

    Init script
    **********
    sleep 5
    insmod tun.o                        # load the TUN/TAP driver


    Firewall script
    **********
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT   # let OpenVPN clients reach the router


    WAN script
    **********
    cd /tmp
    openvpn --mktun --dev tap0          # persistent tap interface, bridged onto the LAN
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    echo "
    -----BEGIN OpenVPN Static key V1-----

    MY STATIC.KEY

    -----END OpenVPN Static key V1-----

    " > /tmp/static.key
    chmod 600 /tmp/static.key           # the pre-shared key must not be world-readable

    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    # point-to-point static-key server; the client brings its own ifconfig
    /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --cipher BF-CBC --proto udp --keepalive 10 60 --verb 3 --daemon


    Client
    **********
    dev tap0
    # address on the bridged LAN of router 2
    ifconfig 192.168.x.11 255.255.255.0
    secret static.key
    proto udp
    remote mydynamicip.dyndns.org 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float

    In access point mode it doesn't work.

    If I set the second router to router mode, OpenVPN works fine. Clearly I change the subnet on the client in router mode (WAN of second router 192.168.x.10, LAN of second router 192.168.y.1, client 192.168.y.11).

    Any suggestions?
     
  35. chent

    chent Addicted to LI Member

    Hi there,

    Thank you very much for this tip, it works like a charm between two small networks that I support.

    I have a question if anybody can help... using FRiC's setup between two routers, I can ping hosts from either side; however, I cannot connect to Windows shares in the form of \\ip.address.

    Is this because I am using TUN rather than TAP?

    Thanks!

    PP
     
  36. FRiC

    FRiC LI Guru Member

    I'm glad my settings were useful to someone. :)

    But I have no problem using Windows shares between my two networks by IP address (or by name). I have Windows 2000 Server on both sides and a number of other devices (Buffalo NAS) sharing files; I also have users pulling data off SQL Servers from the remote side. Not very fast, since my uplink is only 512K, but it all seems to work without any problems.
     
  37. chent

    chent Addicted to LI Member

    Hi there gang,

    I was wondering if some of the more experienced users of OpenVPN could assist with a problem we seem to be experiencing.

    I used the setup compliments of FRiC on his post here, exactly as shown in the post.

    Everything seems to be working fine and dandy from my perspective, however some phone system vendors are trying to set up a VoIP trunk between the phone systems (BCM 50) at each site, and they are experiencing issues getting the phones to ring at each end.

    They seem to think that it's the VPN. Through my (limited, I suppose) testing, I can ping all devices across the tunnel, and I ran a VoIP link test from a PC on either end with no issues, so this is leading me to believe it may be their problem, not mine.

    I guess my first question would be, in this type of configuration, is there any possibility of some traffic/ports getting blocked or discarded? I'm not sure about the protocols/ports used by the BCM phone system for their implementation of SIP/VoIP, but through my experience with Asterisk it must be UDP.

    As a test, I'm going to set up a VMware box with asterisk at one end and a phone at the other to see the how it works out.

    Aside from this, are there any other tests I can run to verify that there is full communication across the tunnel?

    I really appreciate any tips and input!

    Thanks,

    PP
     
  38. roadkill

    roadkill Super Moderator Staff Member Member

    VOIP using asterisk works fine...
    you need to have two or more ports forwarded from the outside IP depending on your config
     
  39. chent

    chent Addicted to LI Member

    Thanks for the reply, roadkill... I'm curious to know why ports would have to be forwarded from the outside IP if I'm going to attempt to run an extension over the tunnel... or are you referring to the open ports required for an external extension or SIP provider?

    Thanks,

    PP
     
  40. HighTechDad

    HighTechDad Addicted to LI Member

    My usual question. Roadkill do you have a time estimate for the release of the next outstanding version?
     
  41. gregg098

    gregg098 LI Guru Member

    I am having the same issue as adeej. I have three WRT54GL's, all with Tomato. One of them has the latest VPN version. One is the main router, the other two are wired to the main one with DHCP off, WAN disabled, in Router mode.

    They are 192.168.1.1 Main
    and .2 and .3 are the others. 192.168.1.3 has the VPN version, so I forwarded UDP port 443 to the .3 router.


    I followed the setup on this post:

    http://www.linksysinfo.org/forums/showpost.php?p=302642&postcount=3

    I adjusted for port 443 and my ip ranges accordingly.

    When I try to connect with OPENVPN, I get this error:

    Mon Jun 16 05:19:00 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)


    I had this setup working on DD-WRT before and recently switched to Tomato. My old config and this config give the same results. Is there something special I need to do to have a VPN server in this setup?
     
  42. TheGIZ

    TheGIZ Network Guru Member

    Weren't you just supposed to forward port 1194 to the .3 unit? You put the script on the 3rd unit too right?
     
  43. The Master

    The Master LI Guru Member

    Hello Roadkill,

    Nice FW you have here.
    You said a few pages back that you are working on a new version with "switchable" GPIO? Is this right??
    With which version of "how to" do I have to make the SD mod? Or do all sorts of "how to" I found on Google and co. work?!

    And is there a "release date" for the new version... sorry for that question, but I need a newer version higher than 1.16 because of the "Fixed PPPoE connect on demand."
    But no hurry, I have to make the mod first :D :D... I will better wait 1-xx months and it will WORK.

    I wish you a nice weekend and happy modding the FW.

    best wishes

    PS: My first Post i give to Your NICE FW :)
    pps: and my first edit in this forum
     
  44. gregg098

    gregg098 LI Guru Member

    I followed the post for the single-client instructions, except I used port 443 and UDP instead of TCP.
    On the main router, I port forwarded 443 UDP to the .3 router. Then I get the error message when connecting. I've since put DD-WRT on the .3 router (the other two are still Tomato), and VPN works great. Would love to Tomato it all around, but I couldn't find anything that I was doing wrong.
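For the second-router case adeej and gregg098 describe (WAN disabled, OpenVPN reached through the main router's port forward), as an added example that is not code from the thread: the whole sequence lives in the Init tab and polls for br0 before creating and bridging tap0, instead of depending on the WAN Up tab. This rests on an assumption the thread does not state, namely that Tomato does not run the WAN Up script while the WAN is disabled; the config directory and the 60-second wait are assumptions as well, and the /proc/net/dev snapshot in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: start OpenVPN from the Init tab
# alone on a router whose WAN is disabled. Assumption: with the WAN disabled
# the WAN Up script never fires, so Init has to wait for br0 and the tun
# driver itself. VPN_DIR is an assumption.

VPN_DIR="${VPN_DIR:-/tmp/openvpn}"

# iface_present NAME [NETDEV]: true once NAME is listed in /proc/net/dev
# (available on Tomato's 2.4 kernel as well as on current kernels).
iface_present() {
    grep -q "^ *$1:" "${2:-/proc/net/dev}"
}

# wait_for_iface NAME TIMEOUT_SECONDS [NETDEV]: poll once a second; 1 on timeout
wait_for_iface() {
    _name=$1; _left=$2; _dev=${3:-/proc/net/dev}
    while ! iface_present "$_name" "$_dev"; do
        [ "$_left" -gt 0 ] || { echo "wait_for_iface: $_name never appeared" >&2; return 1; }
        _left=$((_left - 1))
        sleep 1
    done
}

# openvpn_running: true if an openvpn process already exists (busybox pidof)
openvpn_running() {
    pidof openvpn >/dev/null 2>&1
}

# bring_up_vpn DIR: the Init-tab sequence for the bridged (tap) server used
# in the thread; waits for br0, creates tap0 only once, starts openvpn only once.
bring_up_vpn() {
    _dir=$1
    wait_for_iface br0 60 || return 1
    insmod tun.o 2>/dev/null            # already loaded on a rerun; ignore the error
    if ! iface_present tap0; then
        openvpn --mktun --dev tap0
        brctl addif br0 tap0
        ifconfig tap0 0.0.0.0 promisc up
    fi
    if openvpn_running; then
        echo "bring_up_vpn: openvpn is already running" >&2
        return 0
    fi
    openvpn --cd "$_dir" --config openvpn.conf --daemon
}

# Demonstration on a constructed /proc/net/dev snapshot (not a live system).
demo=$(mktemp "${TMPDIR:-/tmp}/netdev.XXXXXX")
printf '    lo: 0 0\n   br0: 12 3\n' > "$demo"
wait_for_iface br0 5 "$demo" && echo "br0 present"
wait_for_iface tap0 0 "$demo" 2>/dev/null || echo "tap0 absent (as expected before --mktun)"
rm -f "$demo"
```

On the router the Init tab would end with bring_up_vpn "$VPN_DIR" after the config and key files have been written, and the firewall tab still needs the iptables INPUT rule for UDP 1194 (or whichever port the main router forwards) exactly as in the posts above.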
     
  45. drelkata

    drelkata LI Guru Member

    Checking for a new version........ there is nothing on the table :confused::confused:
     
  46. srouquette

    srouquette Network Guru Member

    Is there some problem with 1.19?
    Why is the release on standby?
     
  47. User Name

    User Name Guest

    I've used my old PIII as OpenVPN server and now I want to change to my WRT54GL.
    Home network is 192.168.1.x: 192.168.1.1 router, 192.168.1.2-10 PC, Mac, notebook etc.
    I want to connect from inside as well as from outside (hotel etc.). I've used Splat's instructions in #3 and different ports, but the clients show:

    Sat Jun 28 10:19:00 2008 UDPv4 link local (bound): [undef]:1194
    Sat Jun 28 10:19:00 2008 UDPv4 link remote: 123.456.789.000:1194

    What am I doing wrong? I think the problem is that I call xxx.dyndns.org from inside the network. How can I fix it so that I always have the same client config?

    Firewall:
    Code:
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    
    WAN Up:
    Code:
    insmod tun.o                        # load the TUN/TAP driver
    cd /tmp
    openvpn --mktun --dev tap0          # persistent tap interface, bridged onto the LAN
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    killall -q openvpn                  # stop an instance left from a previous WAN up
    
    echo "
    
    # Tunnel options
    dev tap0
    proto udp
    port 1194
    mode server
    comp-lzo
    
    # OpenVPN server mode options
    daemon
    ifconfig 10.0.0.1 255.255.255.0
    ifconfig-pool 10.0.0.2 10.0.0.10
    client-to-client
    keepalive 15 60
    
    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    
    verb 3
    
    " > openvpn.conf
    
    sleep 10
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    
    Init:
    Code:
    sleep 5
    insmod tun.o
    
    and certificates...
    
    Windows client.ovpn
    Code:
    client
    dev tap
    proto udp
    remote xxx.dyndns.org
    
    port 1194
    tls-client
    comp-lzo
    
    # ns-cert-type was deprecated in OpenVPN 2.4 in favour of "remote-cert-tls server"
    ns-cert-type server
    
    ca ca.crt
    cert client.crt
    key client.key
    
    verb 3
    
     
  48. roadkill

    roadkill Super Moderator Staff Member Member

    yes, it's too damn big and I don't have the time to finish it..
     
  49. srouquette

    srouquette Network Guru Member

    ok, thanks for the feedback, I won't bitch again :)
     
  50. roadkill

    roadkill Super Moderator Staff Member Member

    you can bitch it won't help :grin:, but I can send you a test version if you want...
     
  51. jkondas

    jkondas Addicted to LI Member

    Hello roadkill,

    I've been using your mod for a long time (some routers are still running the 1.07 version; it is rock solid :)). I'd love to see a version of 1.19 with no bells and whistles, only the original Tomato plus the OpenVPN addon (personally I don't use the management extension either). I think adding the new features means much work and makes the release process sluggish. Also, they can make the router less stable because of the memory used and the bigger code...

    What's your, and other users' opinion about this?

    I did not think about recompiling it for myself till now, but the original Tomato is moving forward fast, and I'd love to run the fresh one with OpenVPN...
     
  52. occamsrazor

    occamsrazor Network Guru Member

    I'm with jkondas... Tomato seems to be moving forward, but we OpenVPN users are getting left behind a bit. I'm running v1.16.1374 with OpenVPN.

    I totally understand that this work must take up a huge amount of time for those kind enough to do it, and it's something I don't have the skills to do myself so am appreciative of those who do the hard work for us, but I just need Tomato + OpenVPN without all the extras so if keeping to that would speed up the upgrade process, I'm all for it. Either way, thanks to Roadkill and all others who help make Tomato a great firmware.

    PS - jkondas - what's the management extension you're talking of?
     
  53. jkondas

    jkondas Addicted to LI Member

    It's an API-like thing that can be used to control OpenVPN by an external program over the network.
     
  54. roadkill

    roadkill Super Moderator Staff Member Member

    I'll do a simple build...
    give me a few days
     
  55. xaric

    xaric Addicted to LI Member

    GREAT! :) :dance:
     
  56. FRiC

    FRiC LI Guru Member

    I'm looking forward to this too. :biggrin:
     
  57. patos

    patos Network Guru Member

    By creating simple OpenVPN mods you will probably satisfy 98% of your users; the other 2% can surely wait until you have time to test their extra needs.

    Thanks for all the effort and for this wonderful mod.

    Is there any chance your project could be merged into mainstream Tomato, perhaps with a nice web-interface?
     
  58. ng12345

    ng12345 LI Guru Member

    roadkill - thanks for all of your efforts -- looking forward to the new release

    i'm definitely in the same boat as recent posters in wanting the base tomato + openVPN
     
  59. jkondas

    jkondas Addicted to LI Member

    IMHO, I don't think this would be a good idea, because of Tomato's "lean and simple" design. The less code in the original release, the less problems... :) I suppose only ~2% of us, Tomato users need the OpenVPN functionality, and people using the stock firmware shouldn't be forced to have needless add-ons.
     
  60. jkondas

    jkondas Addicted to LI Member

    This is great news! :)
    Personally I would be very happy to have the source too. Or maybe some diffs from the original release. Thanks! :cool:
     
  61. roadkill

    roadkill Super Moderator Staff Member Member

    Done!
    :drinking:
     
  62. FRiC

    FRiC LI Guru Member

    Thanks!! :hubba:
     
  63. srouquette

    srouquette Network Guru Member

    OpenVPN doesn't seem to start.
    In WAN UP, I have:
    Code:
    insmod tun.o                        # load the TUN/TAP driver
    cd /tmp
    openvpn --mktun --dev tap0          # persistent tap interface, bridged onto the LAN
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf    # openvpn.conf and the key files are expected in /tmp
    
    It worked with 1.16, but now it does nothing (or logs nothing at least, and nothing can connect to the VPN).
    Any ideas?

    The AdBlock script (with the hosts file) works, so WAN UP is called.
     
  64. DanRogl

    DanRogl Addicted to LI Member

    Router to Router VPN

    I've got a WRT54GL running Tomato 1.16 with VPN etc., and I can connect using a Windows PC with no problems. I've also got a WRT54GS running Tomato 1.16 with VPN that I'd like to use as a client, in a different location using its own WAN connection. Both are on the same ISP network and ping between them is less than 30ms; they both use the same time settings in Tomato, but the WRT54GS seems to take a while to sync (which would cause an auth error?) so the VPN doesn't work. :-(

    Server Log:

    Code:
    Jul  5 08:26:42  daemon.err openvpn[350]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Jul  5 08:26:42  daemon.err openvpn[350]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Jul  5 08:27:51  daemon.notice openvpn[350]: x.x.x.x:1025 TLS: new session incoming connection from x.x.x.x:1025
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 VERIFY OK: depth=1, /C=UK/ST=NY/L=Home/O=Whatever/CN=home_router/Email=mail@whatever.lol
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 VERIFY OK: depth=0, /C=UK/ST=NY/O=Whatever/CN=remote_router/Email=mail@whatever.lol
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 TLS: tls_multi_process: untrusted session promoted to trusted
    Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Jul  5 08:27:57  daemon.notice openvpn[350]: x.x.x.x:1025 PUSH: Received control message: 'PUSH_REQUEST'
    Jul  5 08:27:57  daemon.notice openvpn[350]: x.x.x.x:1025 SENT CONTROL [UNDEF]: 'PUSH_REPLY,ping 15,ping-restart 60' (status=1)
    Client Log:

    Code:
    Jul  5 08:27:16  user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Jul  5 08:27:43  cron.warn crond[90]: time disparity of 20254060 minutes detected
    
    I'll post the scripts I'm using when I get a chance, tho they are hardly changed from the suggested ones on the forum. If anyone can spot anything obvious that I could try that'd be ace!
     
  65. ng12345

    ng12345 LI Guru Member


    I tried using the bare essentials build and had the same problem, so I downgraded back to 1.16. If you telnet in and execute those commands on the 1.19 bare essentials build, it says libssl could not be found (when creating tap0).
     
  66. roadkill

    roadkill Super Moderator Staff Member Member

    I saw the error; I'll release a fix in a few hours (hopefully).
    In the meantime I've taken the release offline.

     
  67. ng12345

    ng12345 LI Guru Member

    I'm actually having this same problem -- the Windows client connects to the server router perfectly fine, but site-to-site won't work and I get that cron error -- in the client log, OpenVPN doesn't even start (beyond creating a tap0)! I also tried manually starting it through a telnet prompt, but the bridge doesn't work.

    I will post my client script below -- it is the same as what was shown in the template in the first post. Also, I noticed that for some reason a tap1 interface on the client was also created (it showed up in bandwidth).

    client init script
    Code:
    sleep 5
    insmod tun.o                        # load the TUN/TAP driver
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn
    ./myvpn --mktun --dev tap0          # persistent tap interface, bridged onto the LAN
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    # bridged (tap) client config; verb 9 gives maximum log detail
    echo "
    client
    dev tap
    ca ca.crt
    cert test.crt
    key test.key
    proto udp
    remote xxx.xxx.xxx.xxx
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    verb 9
    " > openvpn.conf
    echo "" > ca.crt                    # certificate and key contents omitted here
    
    echo "" > test.key
    chmod 600 test.key
    
    echo "" > test.crt
    
    client wanup
    Code:
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    cd /tmp                             # relative file names in openvpn.conf resolve here
    ./myvpn --config openvpn.conf
    
    client log
    Code:
    Dec 31 19:00:14 unknown user.info kernel: device tap0 entered promiscuous mode
    Dec 31 19:00:14 unknown user.info kernel: br0: port 3(tap0) entering learning state
    Dec 31 19:00:14 unknown user.info kernel: br0: port 3(tap0) entering forwarding state
    Dec 31 19:00:14 unknown user.info kernel: br0: topology change detected, propagating
    Jul  5 02:31:07 unknown cron.warn crond[90]: time disparity of 20253990 minutes detected
    
     
  68. srouquette

    srouquette Network Guru Member

    thanks for the quick feedback :)
     
  69. roadkill

    roadkill Super Moderator Staff Member Member

  70. xaric

    xaric Addicted to LI Member

    Dear roadkill

    Thank you for the 1.19 ND version.
    My WHR-G125 doesn't like the VPN ND version. It doesn't want to boot anymore... :-(
     
  71. roadkill

    roadkill Super Moderator Staff Member Member

    Sorry to hear that..
     
  72. jkondas

    jkondas Addicted to LI Member

    Big thanks for the custom build, roadkill! :)

    The new one seems to run okay for me. There was just a slight problem: it failed to load the hosts.dnsmasq file (permission denied), so local authoritative DNS resolution didn't work, but I suppose it's not TomatoMod specific, and it went away with a reboot.

    I'm a bit sorry not to see the source downloadable. :frown:
     
  73. ng12345

    ng12345 LI Guru Member

    Using the new 1.19 -- site to site is still giving me some issues.

    I am using the same subnet for both sites now (to start off simple).
    Site A (server):
    router 192.168.0.1
    server 192.168.0.254
    dhcp 192.168.0.100-149

    Site B (client):
    router 192.168.0.2
    dhcp 192.168.0.150-199

    I am using the scripts that roadkill posted in his first post;
    I'm not getting the cron error now that I put the two sites on the same subnet, but I still cannot ping or trace from one site to the other (on the routers or on computers behind them).

    It looks like a tunnel of some sort is functional -- both routers have been on for 24h and this morning I saw this in the server log:
    Code:
    ...  TLS: tls_process: killed expiring key
    Jul  6 10:59:13  daemon.notice openvpn[396]: xxx.xxx.xxx.xxx:2049 TLS: soft reset sec=0 bytes=299869/0 pkts=1938/0
    Jul  6 10:59:16  daemon.notice openvpn[396]: xxx.xxx.xxx.xxx:2049 VERIFY OK: depth=1, [removed cert info]
    Jul  6 10:59:16  daemon.notice openvpn[396]: xxx.xxx.xxx.xxx:2049 VERIFY OK: depth=0, [removed cert info]
    Jul  6 10:59:17  daemon.notice openvpn[396]: xxx.xxx.xxx.xxx:2049 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul  6 10:59:17  daemon.notice openvpn[396]: xxx.xxx.xxx.xxx:2049 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  6 10:59:17  daemon.notice openvpn[396]: xxx.xxx.xxx.xxx:2049 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul  6 10:59:17  daemon.notice openvpn[396]: xxx.xxx.xxx.xxx:2049 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  6 10:59:17  daemon.notice openvpn[396]: xxx.xxx.xxx.xxx:2049 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    
    Both firewall scripts have the following line:
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

    Is there anything else that I need to do to get the VPN operational?

    Also, I'm still seeing a tap0 and tap1 on the client side, though I only create one virtual interface in the code (as far as I can tell).

    thanks in advance for any help
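The server logs quoted in this post and in DanRogl's post above both show what the 2008-era defaults negotiated: BF-CBC on the data channel, HMAC-SHA1, a 3DES TLS cipher and 1024-bit RSA. As an added example that is not code from the thread, here is a small audit that scans an OpenVPN syslog file for those parameters so a practitioner can check a running tunnel before trusting it. The sample lines at the bottom are constructed, modelled on the posted logs, not copied from a live router; the "Diffie-Hellman initialized with N bit key" line is the server's own start-up message, which the posts do not show.

```shell
#!/bin/sh
# Added example, not code from the thread: scan OpenVPN syslog output like the
# server logs quoted above and report what the 2008-era defaults negotiated:
# Blowfish or 3DES (64-bit block ciphers), HMAC-SHA1, and RSA or DH keys
# shorter than 2048 bits. The sample lines at the bottom are constructed.

# audit_openvpn_log FILE: print one "WEAK ..." line per finding; return 1 if any.
audit_openvpn_log() {
    _log=$1; _weak=0
    # data channel cipher, e.g. "Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key"
    for _c in $(sed -n "s/.*Data Channel [A-Za-z]*: Cipher '\([^']*\)'.*/\1/p" "$_log" | sort -u); do
        case $_c in
            BF-*|DES-*|CAST5-*|RC2-*)
                echo "WEAK data channel cipher $_c has a 64-bit block; use AES-256-GCM or AES-256-CBC"
                _weak=1 ;;
        esac
    done
    # data channel HMAC, e.g. "Using 160 bit message hash 'SHA1' for HMAC authentication"
    if grep -q "message hash 'SHA1' for HMAC" "$_log"; then
        echo "WEAK data channel HMAC is SHA1; set 'auth SHA256' on both ends"
        _weak=1
    fi
    # control channel, e.g. "Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA"
    if grep -q "Control Channel: .*DES-CBC3" "$_log"; then
        echo "WEAK control channel negotiated 3DES; restrict it with 'tls-cipher'"
        _weak=1
    fi
    for _bits in $(sed -n 's/.*Control Channel: .* \([0-9][0-9]*\) bit RSA.*/\1/p' "$_log" | sort -un); do
        if [ "$_bits" -lt 2048 ]; then
            echo "WEAK ${_bits}-bit RSA certificate; reissue CA, server and client certs with 2048 bits or more"
            _weak=1
        fi
    done
    # server start-up line, e.g. "Diffie-Hellman initialized with 1024 bit key"
    for _bits in $(sed -n 's/.*Diffie-Hellman initialized with \([0-9][0-9]*\) bit key.*/\1/p' "$_log" | sort -un); do
        if [ "$_bits" -lt 2048 ]; then
            echo "WEAK ${_bits}-bit DH parameters; regenerate them with 2048 bits or more"
            _weak=1
        fi
    done
    return $_weak
}

# weak_count FILE: number of findings, as a plain integer on stdout
weak_count() {
    audit_openvpn_log "$1" | grep -c '^WEAK' || true
}

# Constructed sample, modelled on the server log posted above (not real data).
SAMPLE_LOG=$(mktemp "${TMPDIR:-/tmp}/ovpnlog.XXXXXX")
cat > "$SAMPLE_LOG" <<'EOF'
Jul  5 08:26:40  daemon.notice openvpn[350]: Diffie-Hellman initialized with 1024 bit key
Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul  5 08:27:55  daemon.notice openvpn[350]: x.x.x.x:1025 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
EOF
audit_openvpn_log "$SAMPLE_LOG" || echo "$(weak_count "$SAMPLE_LOG") weak parameter(s) in sample log"
rm -f "$SAMPLE_LOG"
```

On the router the log is whatever the Tomato syslog writes (the posts above show it as the "daemon.notice openvpn[...]" lines), so the function can be pointed at that file directly; on the constructed sample it reports five findings.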
     
  74. roadkill

    roadkill Super Moderator Staff Member Member

    It will be when I'm done with it.
    Like all my releases
     
  75. jkondas

    jkondas Addicted to LI Member

    Sorry, I thought the essentials build was done. :eek:
     
  76. occamsrazor

    occamsrazor Network Guru Member

    Just FYI... "TomatoMod ND 1.19.1464 - Binary" build (recompiled version) left my WHR-G54S unbootable.... Fortunately I was able to reflash it to the 1.16 version via TFTP.
     
  77. darkwish2

    darkwish2 Guest

    Same here, the 1.19 ND version bricked my router. I was able to recover by TFTP. The 1.19 non ND, VPN only version works fine though.
     
  78. jwchk

    jwchk Network Guru Member

    Flashed my WHR-HP-G54 with "TomatoMod 1.19.1464 - Binary" build (recompiled version) non ND works fine.
     
  79. kulmegil

    kulmegil Network Guru Member

    The 1.19 ND version also bricked my WRT54GL... had to do my very first router debrick via the TFTP quick guide ;)
     
  80. occamsrazor

    occamsrazor Network Guru Member

    Reflashed it with the 1.19 non-ND, VPN-only version; works fine....
     
  81. Dragon2611

    Dragon2611 LI Guru Member

    Heres a slight varient of the client config.

    Code:
    dev tap0
    secret static.key
    proto udp
    route-gateway 192.168.2.1
    remote myip 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float
    redirect-gateway

    I've found whilst playing around that by taking the ifconfig line out, the VPN starts up without assigning the VPN adaptor an IP address... BUT what then happens is, once the VPN is up, the DHCP server in the router does it instead :cool:

    Route-gateway 192.168.2.1 (replace the IP with your router's INTERNAL IP) manually sets the gateway IP. While this will be set by DHCP fine, if it's not set prior to the VPN coming up the redirect-gateway will fail. You only need this line if you plan to do a redirect-gateway.

    Redirect-gateway tells OpenVPN to replace the default route so that all traffic (inc. internet) gets sent via the VPN.

    This works fine on XP with the current stable release of OpenVPN; not sure about Vista, haven't tried it yet.

    Tested the client config by connecting a laptop running XP to a HSDPA modem, then OpenVPN'd to my WRT54GL and checked my external IP via whatsmyip.

    It correctly showed the external IP of my home broadband line :biggrin:
     
  82. occamsrazor

    occamsrazor Network Guru Member

    I also leave out the ifconfig line in order to get a DHCP address, it works fine. Once connected you can even assign a DHCP-served static IP based on the MAC address of the virtual tun/tap adapter.

    About the route-gateway then redirect-gateway commands.... Are you saying if you do this absolutely ALL traffic will be routed over the OpenVPN tunnel? This could be pretty handy for applications that don't support manual proxy configuration, simply to know for sure that all traffic is going over the VPN, or just to avoid having to configure applications back and forth.

    At the moment I use the "QuickProxy" add-on for Firefox but this is a neater solution. What happens when the OpenVPN tunnel is disconnected? Does it automatically release traffic back to the normal internet gateway?

    The only thing I find occasionally annoying about OpenVPN is that the remote LAN needs to be using a different IP addressing scheme to your home LAN - if you're in an internet cafe with 192.168.0.x addresses, and your home network uses the same addressing scheme, then it won't connect (if I recollect correctly).
     
  83. Dragon2611

    Dragon2611 LI Guru Member

    It does on XP although I seem to recall last time I played with OpenVPN on a Vista x64 machine it failed to set the gateway correctly for some reason :thumbdown: but that could have been the config I was using at the time.

    I'm pretty sure it does reset the gateway on disconnect, but I will have to wait until I try it again to be sure.

    I use it when I connect via my HSDPA modem so I can use my instant messenger etc. (it's not supposed to be blocked anyway, but for some reason it signs in then drops out if I try using it via the mobile network).

    Only downside to routing everything over the VPN is of course your browsing would then be limited to the speed of the slowest connection (in most cases, if the Tomato router was on a home connection, probably the upstream speed of your home line).
     
  84. kspare

    kspare Computer Guy Staff Member Member

    Has anyone gotten this working with a Cisco router or a Cisco PIX? We don't use OpenSSL; we prefer IPsec with a static key using aes-256-sha or md5.

    Any help would be appreciated!
     
  85. chent

    chent Addicted to LI Member

    Just a quick followup on this issue... we removed the Tomato routers and replaced them with 2 Linksys BEFVP41 routers as per the phone vendor's request. Once the tunnel was established the VoIP trunk worked as expected, no issues placing calls across the tunnel. I would like to know if anybody out there might have an idea why this didn't work with Tomato/OpenVPN... any insight would be greatly appreciated!

    Thanks,

    PP
     
  86. kevanj

    kevanj LI Guru Member

    Sorry, OpenVPN is not an IPSEC VPN.

    Quoted from Wikipedia:
    "OpenVPN is...........not compatible with IPsec or any other VPN package."

    You would have to switch from IPSEC to SSL.
     
  87. srouquette

    srouquette Network Guru Member

    and a week later, tomato 1.20 ^^;
     
  88. devilkin

    devilkin LI Guru Member

    The -ND, does this mean support for eg the WRT150N? *hopes*

    edit: nevermind, it's the buffalo etc.
     
  89. besonen

    besonen LI Guru Member

    what is the difference between the "vpn-sdmmc" and "vpn-serialmod" releases?

    what's the difference between the 1.16.1374 releases and the 1.19.1464 "OnlyEssentials" release?

    what's the difference between the "OnlyEssentials" and "Extended" releases?
     
  90. azeari

    azeari LI Guru Member

    sdmmc = SDMMC mod included, to support users who wish to expand their router's flash memory by those means
    serialmod = errmm.. serial mod included? For those who wish to add JTAG and stuff, I'm guessing

    dunno abt the rest (=

    Would like to ask what's the diff with the New Drivers build too (=
     
  91. melonhead

    melonhead Guest

    This link is broken...
     
  92. roadkill

    roadkill Super Moderator Staff Member Member

    Link Fixed

     
  93. robert112

    robert112 LI Guru Member

    I have tried off and on to get OpenVPN working the past 2 years but for some reason it just won't work. The tutorials have been followed exactly and still nothing. I can connect if I forward the VPN port back to the router, but only if I'm on the local network. Remote/outside connections won't go through.. just restarts indefinitely.

    WanUP conf: http://pastebin.com/m66c5850d
    OpenVPN log: http://pastebin.com/m6aa73202 :confused:
     
  94. roadkill

    roadkill Super Moderator Staff Member Member

    try verifying the TimeZone data is the same - it must be the same for the tunnel to work.
    and add
    Code:
    chmod 600 /tmp/client.key

    It can also solve your issue.
    When posting a log next time, set the verb parameter to 8 so you have a more detailed log.
     
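    A small linter for the client-config pitfalls that come up in post #81 (redirect-gateway needing route-gateway on a tap device, and the BF-CBC cipher the logs show) and post #94 (the key file that must be chmod 600). This is an added example, not code from Tomato or from any poster in this thread; the sample config is constructed and the key file name is hypothetical.

```python
"""Check an OpenVPN client config for the pitfalls discussed in this thread.
Added example, not Tomato or poster code; sample config is constructed."""
import os

# Constructed sample in the shape of the static-key client config above.
SAMPLE_CONF = """\
dev tap0
secret static.key
proto udp
# route-gateway: the router's LAN address, needed before redirect-gateway
route-gateway 192.168.2.1
remote myip 1194
cipher BF-CBC
redirect-gateway
"""

def parse_conf(text):
    """Map each option name to its argument list; skip # and ; comment lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            key, *args = line.split()
            opts[key] = args
    return opts

def key_modes(opts, base_dir):
    """st_mode of each private key file named in the config that exists on disk."""
    names = [opts[o][0] for o in ("secret", "key") if o in opts]
    paths = {n: os.path.join(base_dir, n) for n in names}
    return {n: os.stat(p).st_mode for n, p in paths.items() if os.path.exists(p)}

def lint(opts, modes=None):
    """Return warnings; modes is {key file: st_mode}, e.g. from key_modes()."""
    warnings = []
    dev = opts.get("dev", [""])[0]
    if "redirect-gateway" in opts and dev.startswith("tap") \
            and "route-gateway" not in opts:
        warnings.append("redirect-gateway on a tap device needs "
                        "route-gateway set before the tunnel comes up")
    if opts.get("cipher", [""])[0].upper() == "BF-CBC":
        warnings.append("cipher BF-CBC has a 64-bit block; prefer AES-256-GCM")
    for name, mode in (modes or {}).items():
        if mode & 0o077:  # group/other bits set: key readable by non-owner
            warnings.append(f"{name} is mode {mode & 0o777:o}; chmod 600 it")
    return warnings

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for w in lint(conf, key_modes(conf, ".")):
        print("WARNING:", w)
```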
  95. ipse

    ipse LI Guru Member

    Just a quick note to say THANK YOU to roadkill and _splat_ for the code and detailed tutorial!!!!!!
    Worked fine for me from the first attempt. Only issue I had was that I didn't realize that the connection gets dropped on inactivity...a continuous ping in the background solved that.

    Awesome....keep up the good work.
     
  96. ipse

    ipse LI Guru Member

    DNS querries?

    Oh...one question though: even if I set the client (XP) to acquire an IP address, default route and DNS via DHCP (which it does fine), the DNS query still goes outside the OpenVPN tunnel as well!
    This kind of defeats the purpose of sending traffic over the tunnel only (if the default route has changed correctly).
    Any suggestion to avoid DNS queries going outside the tunnel? At this time I see them on both LAN and TAPI (virtual, OpenVPN) interfaces.

    Thanks

    BTW I do have

    route-gateway 192.168.0.1
    redirect-gateway

    in my client config, as the OpenVPN manual seems to suggest.
    I've also checked and tried
    http://support.microsoft.com/kb/311218 - it does not make a difference.
     
  97. ipse

    ipse LI Guru Member

    Nevermind...fixed the problem with a good reboot :)
    It was indeed the "caveat" described in the Microsoft article:
    http://support.microsoft.com/kb/311218

    That plus I had to disable NBT (NetBIOS over TCP) and subsequently WINS to avoid same name query being sent over the LAN not just to the DNS server.
    Seems to be working now....
     
  98. ipse

    ipse LI Guru Member

    link-mtu?

    I'll shut up after this question :)

    Did you guys see the need to change the link-mtu parameter to 1492 if the router is on DSL (PPPoE)? The default is 1500.

    The log entry seems to indicate that some headers are already accounted for and subtracted:

    Fri Jul 18 09:48:53 2008 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1415)

    Thanks
     
  99. ipse

    ipse LI Guru Member

    Logs?

    Because of the timeouts, the OpenVPN daemon is restarted every 60 sec...this pollutes the logs big time.
    Is there any way to avoid the restart other than changing the timeout?

    [EDIT] Dang, I missed post #435 which talks about

    --ping-timer-rem

    seems to fix the problem but causes the following 60 errors (1/sec) after I disconnect the client:

    Jul 19 11:29:59 router daemon.err openvpn[318]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)

    Anyhoo....better than before.

    Back to the MTU question...please? Anyone? MTU=1492 from PPPoE...advice?

    Thanks
     
  100. FRiC

    FRiC LI Guru Member

    Hmm, I use site-to-site VPN over PPPoE and didn't have to set MTU. Does it make a difference?
     