
Tomato Mod v1.19.1464 with OpenVPN/Tomato Mod v1.21.TEST-v5 with OpenVPN-GUI,SDMMC,IP/MAC

Discussion in 'Tomato Firmware' started by roadkill, Jun 4, 2007.

  1. ipse

    ipse LI Guru Member

    @FRiC
    I don't see the difference...was just hoping to avoid more fragmentation. But it's bound to happen anyways, since MTU is 1500 on all interfaces other than WAN and OpenVPN.
     
  2. ng12345

    ng12345 LI Guru Member

    Hey everyone,

    I have read through the 70 pages here and I can't find a script that will make my site to site vpn work. Using roadkill's server and client side scripts and _splat_'s tutorial, I can get a single client to connect to the vpn server fine; but I can not get the two routers to connect to each other.

    I was wondering if anyone was able to get the site to site bridge working and if so if they could paste their client and server scripts.

    I am trying to connect two routers on two different subnets, and right now I can't ping across the vpn, and the client log (on verb 9) keeps showing something similar to this:
    Code:
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]: UDPv4 WRITE [357] to xxx.xxx.xxx.xxx: P_DATA_V1 kid=0 DATA 056da604 1122b10b 4beac4bc 85ee6e2f 09694311 cf9b6f83 91ebc649 efeaeef[more...]
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]: UDPv4 write returned 357
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]:  event_wait returned 2
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]: UDPv4 read returned 77
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]: UDPv4 READ [77] from xxx.xxx.xxx.xxx: P_DATA_V1 kid=0 DATA 9a764255 5fcee21d b773b3e9 2220efe8 4dfd753b 6b5bb805 d581328e 5e09fd5[more...]
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]:  event_wait returned 1
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]:  write to TUN/TAP returned 42
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]:  event_wait returned 1
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]:  read from TUN/TAP returned 380
    Jul 20 11:19:01 tomato daemon.notice openvpn[341]:  event_wait returned 1
    
     
  3. roadkill

    roadkill Super Moderator Staff Member Member

    Server Side
    Init Script
    Code:
    insmod tun.o
    sleep 2
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    client-to-client
    duplicate-cn
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > ca.crt
    
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    
    Firewall Script
    Code:
    /usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    Client Side
    Init Script
    Code:
    insmod tun.o
    sleep 5
    cd /tmp
    ln -s /usr/sbin/openvpn /tmp/myvpn
    ./myvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    sleep 5
    
    echo "
    client
    dev tap0
    proto udp
    remote <vpn-server-external-ip> <vpn server external port (default 1194)>
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    comp-lzo
    verb 3
    " > /tmp/client.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > /tmp/ca.crt
    
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    " > /tmp/client.key
    chmod 600 /tmp/client.key
    
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > /tmp/client.crt
    
    ./myvpn --config client.conf
    
    This script is working at one of my sites so I know it's working.
     
  4. ng12345

    ng12345 LI Guru Member

    Thanks for the quick reply -- these are the exact scripts that I am using and I am unable to ping across the network or connect to any clients from one side to the other. I remember reading in a previous post that you were using routers that were on the same subnet. Does anything need to be modified if I am bridging two different subnets?

    I get similar logs on both sides (server and client) with lots of UDP reads and writes, but no packets sent and neither side can see the other. Additionally, it does note that a connection was initialized, but I can't send anything through it. After telnetting to both routers, I see that neither tap interface has an ip address assigned it.

    Like I said, using these scripts, I can get a single laptop/desktop client to connect -- but I can't get it to work with the two routers; so I don't think there is anything wrong with my server side script at the least.

    Thanks for your help.

    EDIT: the scripts and the vpn works when I put the two routers on the same subnet -- does anyone know what modifications I would need to make to get it working on different subnets?
     
  5. roadkill

    roadkill Super Moderator Staff Member Member

    Client Init Script
     
  6. besonen

    besonen LI Guru Member

    tap and tun

    are "tap" and "tun" acronyms?
     
  7. mopsi

    mopsi Guest

    TLS common name problem

    Hello everybody,

    first of all many thanks to roadkill for this great Mod.:)

    I have one annoying problem. I'm using the client-config-dir option to specify a directory where openvpn can find configuration files for each client. Openvpn determines the required file with the common name of the certificate of the client.
    This can be used for 'fixed' ip addresses for the clients. I like it because it keeps the openvpn config file on the clients simpler, i.e. I can use the same config for each client and only have to replace the certificate and key files on the clients.

    The problem is that openvpn on the Mod does not retrieve the common name from the certificate, so openvpn cannot determine the correct configuration file.
    On PCs with an openvpn server I get the following message in the log:
    openvpn[238]: nn.nn.nn.nn:1194 [<common name>] Peer Connection Initiated with nn.nn.nn.nn:1194

    On my router with the Mod it says:
    openvpn[238]: nn.nn.nn.nn:1194 [] Peer Connection Initiated with nn.nn.nn.nn:1194

    But I can see the common name on the VERIFY messages in the log.

    Does anyone experience a similar problem or knows help?

    Thanks,
    Mopsi
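Added example, not code from any post in this thread: a small checker for the symptom mopsi describes. It reads OpenVPN 2.0/2.1-style server log lines, takes the CN from the depth=0 "VERIFY OK" line of each peer and compares it with the name in brackets on the "Peer Connection Initiated" line. An empty or mismatching name means client-config-dir cannot find the per-client file. The log lines embedded below are constructed for the example (the addresses and CNs are made up); only the line format follows what the thread quotes.

```python
import re

# Constructed sample log in the format quoted in the thread (not a real capture).
# Peer 203.0.113.10 verified a certificate with CN=siteA but the connection
# summary reports an empty name, which is exactly the symptom mopsi describes.
SAMPLE_LOG = """\
openvpn[238]: 203.0.113.10:1194 VERIFY OK: depth=1, /C=US/ST=OR/O=example/CN=example-ca/emailAddress=ca@example.com
openvpn[238]: 203.0.113.10:1194 VERIFY OK: depth=0, /C=US/ST=OR/O=example/CN=siteA/emailAddress=a@example.com
openvpn[238]: 203.0.113.10:1194 [] Peer Connection Initiated with 203.0.113.10:1194
openvpn[238]: 198.51.100.7:49152 VERIFY OK: depth=1, /C=US/ST=OR/O=example/CN=example-ca/emailAddress=ca@example.com
openvpn[238]: 198.51.100.7:49152 VERIFY OK: depth=0, /C=US/ST=OR/O=example/CN=siteB/emailAddress=b@example.com
openvpn[238]: 198.51.100.7:49152 [siteB] Peer Connection Initiated with 198.51.100.7:49152
"""

# "<ip>:<port> VERIFY OK: depth=N, <subject>"  (subject is slash-separated, no spaces)
VERIFY_RE = re.compile(
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) VERIFY OK: depth=(?P<depth>\d+), (?P<subject>\S+)")
# "<ip>:<port> [<common name>] Peer Connection Initiated with ..."
INIT_RE = re.compile(
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) \[(?P<cn>[^\]]*)\] Peer Connection Initiated")


def cn_from_subject(subject):
    """Pull the CN out of the slash-separated subject that OpenVPN 2.0/2.1 logs."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return ""


def audit(log_text):
    """Return {peer: (cn_from_leaf_certificate, cn_reported_at_connect)}.

    Only depth=0 (the client's own certificate) is used; depth=1 is the CA.
    """
    verified = {}
    results = {}
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m and m.group("depth") == "0":
            verified[m.group("peer")] = cn_from_subject(m.group("subject"))
            continue
        m = INIT_RE.search(line)
        if m:
            peer = m.group("peer")
            results[peer] = (verified.get(peer, ""), m.group("cn"))
    return results


def problems(log_text):
    """List (peer, reason) for peers whose reported CN is empty or wrong."""
    out = []
    for peer, (leaf_cn, reported_cn) in audit(log_text).items():
        if reported_cn == "":
            out.append((peer, "empty common name; client-config-dir lookup will fail"))
        elif reported_cn != leaf_cn:
            out.append((peer, f"reported CN {reported_cn!r} != certificate CN {leaf_cn!r}"))
    return out


if __name__ == "__main__":
    for peer, why in problems(SAMPLE_LOG):
        print(peer, why)
```

Run it against the real server log (the lines from the router's syslog) instead of SAMPLE_LOG; any peer listed by problems() will never match a file under client-config-dir, whatever that file is called.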
     
  8. besonen

    besonen LI Guru Member

    is this true for just site2site configurations? or also 'openvpn client' -> tomato router connections?

    also, it's just the date/time data that needs to be identical, correct (iow, it's not necessary to retrieve the "correct" date/time from the tomato router)?
     
  9. ipse

    ipse LI Guru Member

  10. roadkill

    roadkill Super Moderator Staff Member Member

    I think that every connection that uses temporal verification needs it.
    and "correct" is not a good term... TZ data must be the same (e.g. GMT+3)
     
  11. besonen

    besonen LI Guru Member

  12. advnet

    advnet Addicted to LI Member

    Hi

    I am new to this VPN using Tomato so please forgive my stupidity. I have a linksys AM200 modem with a WRT54GL running Tomato. I want to create 2 types of VPN connections. The first into my Windows XP PC at home to either take it over via VNC. The other is to create a VPN into a Windows server 2003 with mapped drives so that I can use applications like Pastel account and access the data on the server. I want to do this using Tomato and pref. openvpn.

    The first thing i want to know is do I need to make any changes on the AM200 modem. Do I need to setup Dyndns on the AM200 or on the WRT54GL? I have read your solutions above but need some help to start with. Also do I need to have WRT54GL on both sites or can any PC anywhere with a ADSL or 3G connection running openvpn client software on them make the connection?

    Thanks a lot.
     
  13. besonen

    besonen LI Guru Member

    so you think that the serialmod fw is a super-set of the sdmmc fw (iow, all sdmmc fw mods are part of the serialmod fw)?
     
  14. besonen

    besonen LI Guru Member

    i don't know how you could have possibly missed that post :)

    seriously, at 700+ posts this thread has become difficult to mine for data.

    does anyone else think it's time for roadkill's mod to have its own sub-forum?

    does anyone know the linksysinfo.org/forums admin(s)? if so, do you think they would be amenable to creating a sub-forum for roadkill's mod?


    -- david
     
  15. besonen

    besonen LI Guru Member

    done!

    i've just completed reading every post in this 700+ post thread, whew.

    on to setting up an openvpn test-bed.

    thank you roadkill for all of the effort you've put into creating, maintaining, and supporting this mod.
     
  16. jza80

    jza80 Network Guru Member

    Since both ends are on different subnets, I believe that you need to specify a route on both ends. It's under advanced --> routing.


    Example
    ----------

    Server end: 10.0.0.0/24
    Client end: 192.168.1.0/24

    IP address of server WRT: 10.0.0.1
    IP address of client WRT: 192.168.1.1


    Server end, advanced --> routing.

    Destination: 192.168.1.0
    Gateway: 10.0.0.1
    Subnet Mask: 255.255.255.0
    Metric: 1
    Interface: LAN



    Client end, advanced --> routing.

    Destination: 10.0.0.0
    Gateway: 192.168.1.1
    Subnet Mask: 255.255.255.0
    Metric: 1
    Interface: LAN





    You may also need to add this to your server config file:

    # Advertise the server's network to connecting clients
    push "route 10.0.0.0 255.255.255.0"

    # Route server-side traffic bound for the client network
    route 192.168.1.0 255.255.255.0
     
  17. jza80

    jza80 Network Guru Member


    1. Is the AM200 modem just a modem? If it does nat and/or firewalling, you want to disable it otherwise you're going to run into issues with double nat'ing and whatnot.

    Basically you want the modem to function just as a modem and the WRT to do the routing / nat / firewall.

    2. If you need dyndns, I would set it up on the WRT.

    3. Just a PC with openvpn client and a WRT. No need for a WRT at both sites.

    4. Is the windows 2003 server at your house or somewhere else?


    After you get openvpn installed and setup properly, you can tunnel VNC over it to access your XP computer at home.
     
  18. advnet

    advnet Addicted to LI Member

    Hi

    This is my setup:

    AM200 Modem with IP 192.168.2.1
    The NAT and DMZ has been enabled on it, no firewall. If I disable NAT here, I lose internet connectivity via the WRT - I could be mistaken with this as I see it's taking my WRT a bit of time to pick up an internet connection via the modem.

    My WRT54GL

    Tomato 1.9 with the VPN mod loaded
    WAN IP 192.168.2.2
    LAN IP 192.168.1.1
    I have the scripts as per Splat's config.
    Im using a Static Key just to see if I can get it to work first
    Under Port Forwarding Basic I have UDP, 1194 ext, 1194 int, IP 192.168.1.1

    On my win xp laptop
    OpenVPN client
    Static key file
    config file has an ifconfig of 192.168.1.20
    i have been trying to connect through a 3g connection. When it gets to my dyndns ip address it just sits there then gives a timeout. I notice that in the log files it says
    peer connection initiated with (my 3g ip address):3693

    Please can someone help me.
     
  19. mstombs

    mstombs Network Guru Member

    If you can use pppoe you should setup the AM200 in full bridge mode and enter the username:password on the WRT54GL. If pppoa mode you either run in double nat +dmz (as it looks like you are trying) or enable "half-bridge" modem on the AM200 which will pass on the WAN IP to the WRT54GL.
     
  20. advnet

    advnet Addicted to LI Member

    Ok I tested the connection from my office through my ADSL line and it works fine. When I try to connect using a 3G modem on my laptop I have a problem. Any clues?

    Thanks
     
  21. roadkill

    roadkill Super Moderator Staff Member Member

    I assume the 3G is NATed and/or Restricted check with your ISP
     
  22. jza80

    jza80 Network Guru Member

    Weird.

    How is the IP assigned to you by your ISP? Static, dhcp, pppoe, or pppoa?

    Have you tried placing the modem in bridge mode, so that it functions just as a modem without any nat / dmz / firewall? The WRT would need to make the connection if you're using pppoe or pppoa.

    You shouldn't have to port forward.

    This placed in the firewall script takes care of it: iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
     
  23. ng12345

    ng12345 LI Guru Member

    Trying roadkill's suggestion did not work (changing ifconfig 0.0.0.0 to a valid ip on the server site's network) -- also these additional changes did not fix the issue either.

    EDIT: got it working with a static key using a tun configuration (after doing some research I found that a tap configuration is not efficient with different subnets and dhcp) -- now I just have to fix the routing problems I'm having with the PKI config and I'll post configs for anyone else -- I think the main page should show both tap and tun configs for reference.
     
  24. wasaab

    wasaab Guest

    I was wondering if there is an update to your firmware with VPN support. I have a Buffalo WHR-G125 router and I tried using OpenVPN but it is not working for me. I am using the ND version. It tells me openvpn: can't load library '/home/ofer/tomato/release/src/router/openssl/libssl.so'. Any help to remedy this would be greatly appreciated. I was wondering also how you would go about adding extra packages to this firmware if possible? Thanks in advance and great work with the firmware roadkill!
     
  25. ng12345

    ng12345 LI Guru Member

    finally working!

    after lots of effort and googling -- i finally got the script working;

    turned out I needed to put a masquerade line into my firewall in order for computers behind the client wrt to connect to computers behind the server wrt (otherwise they got dropped with a bad source error).

    In case anyone else needs a site-to-site tun that works here is the full code; it is pretty similar to the sample configs on the openvpn site, but they don't tell you how the firewall code should look; see below; additionally this script allows multiple clients to connect to the server without needing additional openvpn instances running

    Server script:
    Code:
    server 10.9.0.0 255.255.255.0 #tls-server no longer needed since the above line automatically assumes that
    dev tun # no need for mktun or ifconfig outside of the script anymore
    ca /jffs/ca.crt
    cert /jffs/server.crt
    key /jffs/server.key
    dh /jffs/dh1024.pem
    comp-lzo
    port 1194  # this is default and redundant
    proto udp # this is default and redundant
    verb 3 # probably also redundant
    daemon
    keepalive 10 60
    client-config-dir ccd
    ifconfig-pool-persist ipp.txt #ensures that when client disconnects and reconnects it gets the same ip
    route 192.168.4.0 255.255.255.0 #route of client network
    push "route 192.168.0.0 255.255.255.0" #pushes route to server network to clients
    float #ip address of client can change
    
    in directory ccd, there is a file called test (common name of client in certificate) with a single line:
    Code:
    iroute 192.168.4.0 255.255.255.0
    
    Client Script:
    Code:
    
    client
    dev tun
    ns-cert-type server #prevents MITM attacks (need to build server key with build-key-server)
    ca /jffs/ca.crt
    cert /jffs/test.crt
    key /jffs/test.key
    comp-lzo
    port 1194 #redundant
    proto udp #redundant
    verb 3 #probably redundant
    daemon
    remote XYZ.DNS.COM
    resolv-retry infinite
    nobind #allows use of dynamic port to connect
    float #allows server ip address to change -- is necessary if using ddns service
    keepalive 10 60 #don't know if i need this line on both sides
    
    Firewall Script (same on both sides except for the network in last three lines):
    Code:
    iptables -I FORWARD -i br+ -o tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -o br+ -j ACCEPT
    iptables -A INPUT -i tun+ -p icmp -j ACCEPT
    iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
    # the network in the next three lines is the LAN behind *this* router and
    # its mask must match the one given to route/iroute (/24 here); a /16 on
    # 192.168.4.0 is silently widened by iptables to 192.168.0.0/16, which
    # also covers the server LAN
    iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o tun+ -j MASQUERADE
    iptables -A FORWARD -s 192.168.4.0/24 -o tun+ -j ACCEPT
    iptables -A FORWARD -d 192.168.4.0/24 -m state --state ESTABLISHED,RELATED -i tun+ -j ACCEPT
    # don't know if the last two lines are necessary
    
    scripts, keys and certificates are stored in a jffs2 partition on the router and the init script requires 4 lines:
    Code:
    insmod tun.o
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config /jffs/openvpn.conf
    

    If you guys see any room for improvement in the scripts that would be great!
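Added example, not code from any post in this thread: a generator for the pieces that make the routed (tun) site-to-site setup above work, the server's route lines, the per-CN ccd files with iroute (the mechanism mopsi and ng12345 both rely on) and the per-router firewall lines. It runs on the admin workstation, not on the router, and its main job is to refuse the mistakes that are easy to make by hand: a prefix with host bits set (192.168.4.0/16), and site networks that overlap the server LAN or the tunnel pool. The site names and networks in SITES are assumptions for the example; the rule that characters outside a safe set in a CN are replaced by "_" for the ccd file name is also an assumption, not something the thread states.

```python
import ipaddress
import re

# Constructed site table for illustration. These CNs and networks are
# assumptions, not the sites discussed in the thread. The key is the CN in
# the client's certificate, which is also the name of its ccd file.
SERVER_LAN = "192.168.0.0/24"
TUNNEL_NET = "10.9.0.0/24"
SITES = {
    "test": "192.168.4.0/24",
    "branch 2": "192.168.5.0/24",
}


def is_valid_prefix(cidr):
    """True only when the host bits are zero; 192.168.4.0/16 is rejected."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def _nm(cidr):
    """CIDR -> 'network netmask', the form route/iroute/push route expect."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def ccd_name(cn):
    """File name looked up under client-config-dir. Assumption (not from the
    thread): characters outside a conservative safe set become '_', so a CN
    containing a space needs a file name with an underscore."""
    return re.sub(r"[^A-Za-z0-9_.@-]", "_", cn)


def validate(server_lan, tunnel, sites):
    """Raise ValueError on a sloppy prefix or on any overlap between the server
    LAN, the tunnel pool and the site networks; return the parsed networks."""
    named = {"server LAN": server_lan, "tunnel": tunnel}
    named.update({f"site {cn}": cidr for cn, cidr in sites.items()})
    parsed = {}
    for name, cidr in named.items():
        if not is_valid_prefix(cidr):
            raise ValueError(f"{name}: {cidr} has host bits set")
        parsed[name] = ipaddress.ip_network(cidr)
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                raise ValueError(f"{a} {parsed[a]} overlaps {b} {parsed[b]}")
    return parsed


def server_conf_lines(server_lan, sites):
    """'route' sends each site network into the tun device from the kernel's
    point of view; the pushed route tells every client how to reach the server
    LAN. The matching iroute (ccd_files) is still needed, because OpenVPN
    itself must know which connected client owns that network."""
    lines = [f'push "route {_nm(server_lan)}"']
    lines += [f"route {_nm(cidr)}" for cidr in sites.values()]
    return lines


def ccd_files(sites):
    """{ccd file name: file contents}; iroute binds the site network to the CN."""
    return {ccd_name(cn): f"iroute {_nm(cidr)}\n" for cn, cidr in sites.items()}


def firewall_lines(local_lan):
    """Rules for one router; local_lan is the LAN behind *this* router."""
    n = ipaddress.ip_network(local_lan, strict=True)
    return [
        "iptables -I FORWARD -i br+ -o tun+ -j ACCEPT",
        "iptables -I FORWARD -i tun+ -o br+ -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -s {n} -o tun+ -j MASQUERADE",
    ]


if __name__ == "__main__":
    validate(SERVER_LAN, TUNNEL_NET, SITES)
    print("\n".join(server_conf_lines(SERVER_LAN, SITES)))
    for name, body in ccd_files(SITES).items():
        print(f"ccd/{name}: {body.strip()}")
    print("\n".join(firewall_lines(SITES["test"])))
```

validate() is deliberately strict: ipaddress.ip_network(..., strict=True) is what turns "192.168.4.0/16" into an error instead of a rule that quietly covers the whole 192.168.0.0/16, and the overlap check catches the case where a remote site was given the same 192.168.1.0/24 as the server LAN, which no amount of route/iroute will fix.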
     
  26. besonen

    besonen LI Guru Member

    tap and tun are not acronyms.

    tap = a 'network tap'
    tun = a 'network tunnel'
     
  27. besonen

    besonen LI Guru Member

    Kaminsky's DNS exploit

    i hate to ask for another simple build only one month after the last one was released but it's pretty important--the details:

    dnsmasq 2.43 was released to patch Kaminsky's DNS exploit. unfortunately there were a number of bugs in this release. dnsmasq 2.44 was then released 9 days later but this too had problems. dnsmasq 2.45 was released a few hours later and this version seems stable (folks have been using it for two weeks without a single problem report).

    roadkill, could we please get a simple build with tomato 1.21 (which includes dnsmasq 2.45)?


    --
    for reference:

    [Dnsmasq-discuss] dnsmasq version 2.43 released.
    http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002183.html
    This release includes the fixes needed to secure dnsmasq
    against the security problems described in CERT VU#800113
    http://www.kb.cert.org/vuls/id/800113

    [Dnsmasq-discuss] dnsmasq 2.44 available.
    http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002214.html
    This is a stability release. It fixes crash problems in 2.43.

    [Dnsmasq-discuss] dnsmasq 2.45 released.
    http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002225.html
    This fixes a regression in 2.44 which breaks DNS unless min-port is set.

    Tomato 1.21
    http://www.polarcloud.com/tomato_121
    Updated dnsmasq 2.45.
    --
     
  28. besonen

    besonen LI Guru Member

    the above steps only need to be performed on one computer, correct?



    and these steps need to be performed on each client with the openvpn client software installed, correct?

    in other words, for a client that was not used for setting up the CA, all the necessary configuration files will simply be copied from the computer that was used to setup the CA (including the specific "build-key" files*). and then this client will be ready to function properly?

    * what are the minimum set of files that are necessary for a client to function properly, just the "build-key" files?


    thanks,
    david
    --
    P.S.
    and _splat_, thank you very much for this walk-through, it's been most helpful
     
  29. azeari

    azeari LI Guru Member

    * minimum set of files would be using secret keys, but I guess I'm too lazy to go over that =p

    anyway perform the above steps but you have to copy the appropriate files over to the router or put them in the config as per the instructions, and on a computer with openvpn installed (you have to run them in the easy-rsa folder where openvpn is installed too)
     
  30. besonen

    besonen LI Guru Member

    and in the meantime how can i manually update to dnsmasq 2.45?
     
  31. besonen

    besonen LI Guru Member

    everything up until this point works fine.



    this next step is where i encountered my first trouble.

    build-key.bat outputs *.crt, *.csr and *.key files. the problem is that all the "*.crt" files are empty (zero bytes)--i'm assuming there should be data in the *.crt files?

    build-key.bat did generate an error message--see the build-key.bat out below. does anyone have any ideas as to why this error message may have been generated?


    here's an example of the build-key.bat output:

    --
    C:\Program Files\OpenVPN\easy-rsa>build-key client-1
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    ....++++++
    ......++++++
    writing new private key to 'keys\client-1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [OR]:
    Locality Name (eg, city) [xxxxxxx]:
    Organization Name (eg, company) [yyyyyyyyyyyyyyyyyyy]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:zzzzzzzz
    Email Address [username@example.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from openssl.cnf
    Loading 'screen' into random state - done
    DEBUG[load_index]: unique_subject = "yes"
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'US'
    stateOrProvinceName :PRINTABLE:'OR'
    localityName :PRINTABLE:'xxxxxxx'
    organizationName :PRINTABLE:'yyyyyyyyyyyyyyyyyyy'
    commonName :PRINTABLE:'zzzzzzzz'
    emailAddress :IA5STRING:'username@example.com'
    Certificate is to be certified until Aug 2 09:36:19 2018 GMT (3650 days)
    Sign the certificate? [y/n]:y
    failed to update database
    TXT_DB error number 2
    Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
    --
     
  32. besonen

    besonen LI Guru Member


    i figured out what the problem was.

    i was using an identical commonName for all of the keys i generated. when i generated a key with a unique commonName everything worked fine.

    my misunderstanding was that i thought that the commonName variable needed to be identical (i.e., common) to all of the keys i was generating.


    -- david
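Added example, not code from any post in this thread: the database that "failed to update" in the build-key output above is the CA's index.txt (easy-rsa keeps it under keys/). This script parses a constructed copy of that file and reports which subjects would collide before build-key is run, so the clash besonen hit with repeated common names shows up as a pre-check rather than as "TXT_DB error number 2". The rows in SAMPLE_INDEX are made up for the example; the column layout is OpenSSL's.

```python
# Constructed sample of an OpenSSL CA database (easy-rsa's keys/index.txt);
# names, serials and dates are made up. Columns are tab-separated: status
# (V valid, R revoked, E expired), expiry, revocation date, serial, file
# name, subject DN.
SAMPLE_INDEX = (
    "V\t180802093619Z\t\t01\tunknown\t/C=US/ST=OR/O=example/CN=server/emailAddress=admin@example.com\n"
    "V\t180802093619Z\t\t02\tunknown\t/C=US/ST=OR/O=example/CN=client-1/emailAddress=admin@example.com\n"
    "R\t180802093619Z\t080901120000Z\t03\tunknown\t/C=US/ST=OR/O=example/CN=client-2/emailAddress=admin@example.com\n"
)


def parse_index(text):
    """Return one dict per row; a malformed row raises instead of being skipped,
    because a silently ignored row would hide exactly the collision we look for."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revoked, serial, _fname, subject = fields
        rows.append({"status": status, "expiry": expiry, "revoked": revoked,
                     "serial": serial, "subject": subject})
    return rows


def cn_of(subject):
    """CN component of a slash-separated DN, or '' if there is none."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return ""


def blocking_serials(text, subject):
    """Serials of still-valid (status V) rows with exactly this subject DN.

    With unique_subject = yes (the default that the DEBUG line above shows)
    the CA tool indexes only V rows by subject and refuses to insert a second
    one with the same DN. Revoked or expired rows therefore do not block.
    """
    return [r["serial"] for r in parse_index(text)
            if r["status"] == "V" and r["subject"] == subject]


def valid_common_names(text):
    """CNs that currently hold a valid certificate. Each connecting client
    needs its own CN when the server uses client-config-dir or does not set
    duplicate-cn, so this doubles as the list of names ccd must cover."""
    return sorted(cn_of(r["subject"]) for r in parse_index(text) if r["status"] == "V")


if __name__ == "__main__":
    dn = "/C=US/ST=OR/O=example/CN=client-1/emailAddress=admin@example.com"
    print("would collide with serial(s):", blocking_serials(SAMPLE_INDEX, dn))
    print("valid CNs:", valid_common_names(SAMPLE_INDEX))
```

Point blocking_serials() at the real keys/index.txt with the DN you are about to enter at the prompts; a non-empty result is the signing failure from the post, caught before the CSR and empty .crt are written.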
     
  33. 2647-4EG

    2647-4EG LI Guru Member

    Hi @all,

    I'd like to know if my setup is ok and secure.

    Three things in advance:

    * roadkill, thanks a lot for the openvnp-mod. _splat_, thanks for your howto.
    * I did not read all the 74 pages of this thread. Anyway, I hope that I've covered the important bits, though...
    * I'm a total n00b regarding all that network stuff. :(

    I've used _splat_'s howto (static key) to set up my openvnp. That worked fine: I had access to my network from abroad immediately. :)

    But I still wasn't able to connect to the Internet through my openvnc (TAP-Win32 Adapter). Since the openvnc is encrypted, I reckon that it is a lot more secure than direct access to the internet via an unencrypted and unreliable WLAN-connection. It is, isn't it?

    Somehow Google helped me out: I've added these two lines to my notebook's ...\OpenVPN\config\home.opnv :

    Code:
    route-gateway 192.168.25.49 [that's my router's internal IP]
    redirect-gateway
    Finally I've added my tomato-router's internal IP and my provider's DNS-Server as static DNS servers to the "TAP-Win32-Adapter" config in XP.

    Now it appears that with this configuration all the internet traffic from my notebook is safely encrypted and being "tunneled" right through my tomato-router at home. At least http://www.heise.de/netze/tools/ip/ now shows an IP which belongs to my DSL-provider, even when I'm not at home.

    I'd really appreciate some comments regarding my configuration. Is it junk or can I feel safe with it?
     
  34. jza80

    jza80 Network Guru Member

    The route-gateway and redirect-gateway commands tunnel all traffic thru the OpenVPN tunnel.

    Without these 2 commands you'd have a split tunnel (VPN and local network).



    P.S. It's OpenVPN, not openvnp or openvnc.
     
  35. besonen

    besonen LI Guru Member


    is the "ifconfig 192.168.0.102 255.255.255.0" command used to set the ip address of the openvpn client once it connects to the openvpn server?

    shouldn't the dnsmasq dhcp server be able to assign an ip address to an openvpn client after it connects to the openvpn server?


    -- david
     
  36. jza80

    jza80 Network Guru Member

    Yes.

    1. dnsmasq and dhcp are 2 different things.

    2. Yes, the server (router) can assign an IP address to the client. To have it do this, delete the ifconfig line. The router has to be setup to do DHCP on the LAN though.
     
  37. besonen

    besonen LI Guru Member

    thank you!

    i've been hunting for the answer unsuccessfully, so your reply is greatly appreciated.



    dnsmasq can provide dhcp service. i've just assumed that this is how tomato offers dhcp service. is there another dhcp server included with tomato?



    great.



    thanks again,
    david
     
  38. 2647-4EG

    2647-4EG LI Guru Member

    @jza80: Thanks for your answer! "Split tunnel" was the magic word: I googled for it and now I understand a lot better what's going on.
    Ouch... I must have been quite excited, when I finally had things running. ;)
     
  39. jza80

    jza80 Network Guru Member


    Hmm... I've always thought of it as 2 different things.

    DNS = domain name server / service
    DHCP = dynamic host configuration protocol


    Under Advanced --> DHCP / DNS. The only thing in there is reduce packet size for DHCP client (WAN).

    Theres also DHCP under Basic --> Network --> LAN section --> DHCP Server (check box).




    Why DHCP is listed in 2 different places, I don't know. But DHCP for LAN is configured under Basic --> Network --> LAN section.

    You may be correct about dnsmasq, but I always thought it was 2 different things. The way Tomato is setup, it seems like it's 2 different things too.
     
  40. azeari

    azeari LI Guru Member

    actually, dnsmasq is the tomato dhcp SERVER (= so they are one and the same

    the dhcp CLIENT for tomato is udhcp though

    just thought i cleared a lil stuff up
     
  41. besonen

    besonen LI Guru Member

    does "you don't need to create these files" literally mean files are being created? i thought the scripts were simply setting values in ram?
     
  42. besonen

    besonen LI Guru Member

    NVRam not working

    i'm using Tomato Mod v1.19.1464 with OpenVPN on a WRT54GL v1.1.

    when i select the 'NVRAM Show' link nothing is displayed.

    here's all that is output:

    --
    Tomato
    Version1.19
    WRT54GL
    NVRam contants
    --


    how do i go about trouble-shooting this problem?
     
  43. besonen

    besonen LI Guru Member

    almost working

    i've successfully setup and established an openvpn client/server connection with a win xp sp2 client and a 'WRT54GL v1.1 Tomato Mod v1.19.1464 with OpenVPN' server.

    the setup procedure i followed was for a multi-client configuration.

    i am unable to get a second client working.

    on the second client (another win xp sp2 system) i installed the openvpn software and copied these files (from the first machine) to the config directory (on the second machine):

    - client2.crt
    - client2.key
    - ca.crt
    - Home2.ovpn


    problem:

    on the second computer, when i start the 'OpenVPN GUI' and then right-click on the system tray icon, i am missing the "connect" option in the pop-up dialog box.

    the only options i'm presented with are:
    - Proxy Settings
    - About
    - Exit


    question, after generating keys for the second client on the first machine, and then copying these keys to the second computer, shouldn't i then be able to connect to the vpn? iow, can i generate keys for one computer on a different computer? and if i do this, do i then need to do anything to the second installation of openvpn in addition to copying the keys to the config directory?



    thanks for any help,
    david
     
  44. jsauve

    jsauve LI Guru Member

    It sounds to me like OVPN simply isn't picking up on the config file for some reason. Even if you had the settings in the config file screwed up, the OVPN client should still be able to acknowledge that you have a config file in the directory. Sure it's in the right place?
     
  45. amel0815

    amel0815 Guest

    Hi guys

    I'm using Debian Lenny on my laptop. I want to establish a VPN connection to my home network.

    I installed the Tomato MOD on my WRT54G v3.1. It works fine.
    Unfortunately I'm not able to connect to it with my laptop. I followed the instructions for the one client configuration. I don't know how to set up OpenVPN client on my laptop.
    I have installed OpenVPN and the OpenVPN plugin for Network-Manager. If it's possible, I want to use Network-Manager with the plugin.

    Maybe someone here is a more advanced Linux user than I am and is able to help me.

    BTW: This thread is loooooong. Maybe someone can put the How-To's into a separate thread. I think this would be a lot easier. And it would be nice if someone adds an instruction for Linux users.

    And of course:
    Many thanks to you Roadkill, for this fine piece of software :)
     
  46. jsauve

    jsauve LI Guru Member

    Roadkill,

    Any chance that a 1.21 version is in the works? I see that 1.20 released on the same day in July that the last version of your mod became available. I love OpenVPN and configured it extensively in DD-WRT, but I'm more of a Tomato fan. Hope to see a new version soon! Thanks for the great mod!

    - Joe
     
  47. jsauve

    jsauve LI Guru Member

    Roadkill,

    Another idea for future versions: perhaps including ebtables? It would mean that a little extra bulk would be onboard for all those that never use it. But most anyone interested in this firmware is so because of their interest in VPNs. For those not familiar, ebtables is similar to iptables, but does its job on bridged tap interfaces. Very useful for blocking specific types of traffic on a bridged tunnel link, like DHCP, for example. If you're running a site-to-site bridged VPN, you probably don't want clients at either end to be assigned an IP from the server at the other side of the tunnel. Or maybe you do! ;) But, I don't.

    Just a suggestion.

    - Joe
     
  48. wooden

    wooden Guest

    Roadkill,

    In my opinion there is only one thing that your firmware lacks: the possibility to do policy routing. "Advanced router" and "Policy Routing" options in the kernel must be checked to do so, and the Tomato kernel is compiled without them. I need this functionality to make a few hosts from my network use the openvpn host as gateway (so I need routing based on source IP address).
     
  49. roadkill

    roadkill Super Moderator Staff Member Member

    I'll try to include it next release.. depends on the increase in size though..
     
  50. jsauve

    jsauve LI Guru Member

    Is that in response to my ebtables suggestion, or wooden's comment?

    P.S. If I had the time or the know-how, I'd do it myself. I can compile linux, but most of my time is spent on web development, so a bunch of the linux dev stuff is over my head, especially when it comes to a highly specialized package like this one for the WRT's.

    As a side note, I'll be using this in conjunction with a 1.5 mile wifi link I'm shooting across a lake. That's just so I can get DSL at my location. I currently pay $50/month for a 256kbps connection 'cause it's the best I can get. :frown: I have a neighbor that's going to host the DSL demarc at her place so I can shoot the service to my place. Wheeee!!!! The 1.5Mbps will be paltry compared to an urban connection, but it's better than what I have.

    Once again, thanks for the great work!

    - Joe
     
  51. hrts

    hrts LI Guru Member

    Hi. Currently I am using 1.16 and I want to move/upgrade to 1.19.
    I've read all pages from 67 (where 1.19 was rebuilt) to this one and I saw no info regarding the upgrade. I have the following questions:

    Are the backups (old one done in 1.16) usable under 1.19?
    Do OpenVPN cfg files (and firewall and init cfg files) need changes?

    Thank you!

    PS: has anybody done this upgrade already?
     
  52. srouquette

    srouquette Network Guru Member

    yes, I did the upgrade on 2 WRT54GL 1.1 and didn't have any problems.
    I didn't need to backup the config, just upgrade, then the router will reboot, and you'll have a new 1.19 tomato router.
     
  53. ffbadkill

    ffbadkill LI Guru Member

    Does the ND version support the G125, or is the new driver only for the old model?
     
  54. prowler1968

    prowler1968 Network Guru Member

    I am interested in a VPN solution to reach my Tomato at home - if I install the Open VPN mod of Tomato, can I use a VPN (TheGreenBow) to connect to the router via IPSec instead of installing OpenVPN client on the PC?

    Also, how would this be configured in the router if this is possible? Are there any plans to put a GUI version of the VPN on the router - I have also used the Linksys BEFSX41 VPN endpoint and this is a very easy configuration between it and TheGreenBow client, especially using a GUI configuration screen.
     
  55. ng12345

    ng12345 LI Guru Member

    openvpn uses ssl for its vpn so i don't think it is compatible with other protocols (like ipsec)
     
  56. prowler1968

    prowler1968 Network Guru Member

    Thanks.

    If OpenVPN uses SSL, are there any other mods of Tomato that use the standard IPSec VPN? Or, is there a way to bridge my home network so my computer (work) sees my home network?
     
  57. jyavenard

    jyavenard Network Guru Member

  58. prowler1968

    prowler1968 Network Guru Member

    @jyavenard

    Thanks for the links - I don't think this is what I was looking for as this mod connects to a server, and I am looking to have my work PC act as the client to a Tomato VPN server. I am looking to find something that would allow the WRT54 to be a VPN endpoint (like the BEFSX41) so I can attach to my home network via an IPSec tunnel.
     
  59. jamesvan

    jamesvan Addicted to LI Member

    I don't know of any build for these routers that supports IPsec.

    IPsec is not recommended anyway unless you already have experience with working IPsec configurations. It can be incredibly difficult to make work and has some notable problems (dynamic IPs, NAT incompatibility, non-UDP non-TCP dependencies).

    (you were fortunate it worked readily with TGB and the BEFSX41. Windows has IPsec built in, yet I have never found anyone who said they were able to do IPsec with it without resorting to TGB)

    If it is possible to install OpenVPN on the work/client machine then that is the recommended route. I think the security is comparable and you are far more likely to succeed in spite of hostile or poorly-designed firewalls, routers and proxy servers.
     
  60. prowler1968

    prowler1968 Network Guru Member

    @jamesvan

    Thanks for your input - You're correct that I could not get the XP IPSec tunnel to connect and had to resort to a third party VPN Client. I would not have a work restriction preventing me from installing the openvpn client at work.

    This is an extremely big thread - as far as configuration, does the HOW TO on page one of the thread (from a very early version) continue to be the correct way to configure the router and client? As I am only looking to configure one client into the router, the instructions seem pretty straight forward for this type of set up.

    EDIT - As I am a person who knows basically NOTHING about Linux, I felt I would be more comfortable with a GUI type of VPN configuration in the router.
     
  61. jyavenard

    jyavenard Network Guru Member

    I'll look at compiling the pptp daemon at some stage ...
     
  62. jamesvan

    jamesvan Addicted to LI Member

    I think that OpenVPN is a better solution in most cases because it can be used in far more restrictive environments than PPTP.

    PPTP needs to be able to pass GRE packets which won't work in some places, whereas OpenVPN uses either UDP or TCP. I suspect OpenVPN can be used from anywhere HTTPS web pages can be accessed, even through a proxy. PPTP on the other hand won't work from some hotels or jobs that don't forward GRE.

    The advantage to PPTP is that there's a client in almost every system made for the last few years. And if your job has policies against installing foreign software on work systems, especially foreign software that initiates network connections, then a built-in PPTP client might be safer just in case you get called on the carpet to explain strange network activity...
     
  63. bigclaw

    bigclaw Network Guru Member

    Count me in as a new user of this mod. Very cool! Effortless to set up, and everything worked as expected. I took the advice in some of the later posts to not specify an IP for my client PC in the config file. DHCP worked just fine.
     
  64. kacheng

    kacheng LI Guru Member

    Can't ping LAN

    Hi,
    I'm having a problem with my configuration. I seem to be able to connect from my laptop from an external IP to my home server and get an OpenVPN IP (usually 192.168.1.130), but I can't ping/connect to any computers on the home LAN.

    Do I have a configuration error in my scripts?
    Here they are if that helps.
    Let me know if you need any log files to check over.

    tomato server firewall script
    Code:
    # Allow port 443 connections to OpenVPN server
    /usr/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
    
    tomato server init script
    Code:
    sleep 5
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    port 443
    proto tcp
    dev tap0
    ca /tmp/ca.crt
    cert /tmp/server.crt
    key /tmp/server.key
    dh /tmp/dh2048.pem
    server 192.168.1.128 255.255.255.128
    ifconfig-pool-persist /tmp/ipp.txt
    ;push \"route 192.168.1.0 255.255.255.0\"
    ;push \"route-gateway 192.168.1.1\"
    ;push \"dhcp-option DNS 192.168.1.1\"
    ;push \"dhcp-option WINS 192.168.1.1\"
    ;push \"redirect-gateway\"
    client-to-client
    keepalive 10 120
    ;tls-auth /tmp/ta.key 0
    ;cipher AES-256-CBC
    comp-lzo
    max-clients 2
    ;user nobody
    ;group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    mute 20
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    ***
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    ***
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    ***
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    ***
    -----END DH PARAMETERS-----
    " > dh2048.pem
    echo "
    -----BEGIN OpenVPN Static key V1-----
    ***
    -----END OpenVPN Static key V1-----
    " > ta.key
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    
    client.ovpn
    Code:
    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tap
    ;dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    proto tcp
    ;proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote myserver.dyndns.org 443
    ;remote my-server-2 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert kacheng.crt
    key kacheng.key
    
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher AES-256-CBC
    ;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    
    # Set log file verbosity.
    verb 3
    
    # Silence repeating messages
    mute 20
    
    It all seems bog standard and in accordance with the sample config files?
     
  65. srouquette

    srouquette Network Guru Member

    you have to put some stuff in WanUP script (due to time synchronisation) like:
    Code:
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    
     
  66. jamesvan

    jamesvan Addicted to LI Member

    kacheng may need more firewall rules to allow data in and out of the tunnel?

    Code:
    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
    iptables -I INPUT -i tun+ -j ACCEPT
    iptables -I FORWARD -i br+ -o tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -o br+ -j ACCEPT
    
     
  67. kacheng

    kacheng LI Guru Member

    srouquette,

    I've got these directives in the init script already.
    Do you want me to duplicate them? Or just move them to WanUP?
    The tutorial samples seem to have them in the init section?

    Thanks,
    K.



     
  68. kacheng

    kacheng LI Guru Member

    jamesvan,

    I've had this working in the past without those extra firewall rules, but I'll try them and let you know how it goes.

    K.


     
  69. ng12345

    ng12345 LI Guru Member

    are you able to get the ifconfig-pool-persist to work?

    i've put it in my server config and it creates an ipp.txt file in the folder i designated but it is always an empty file and the clients keep changing ip addresses -- so it doesn't seem to be working.

    also i can't seem to get any of the commands with client-config-dir to work (i.e. the user-specific scripts are identified but the commands don't run on the client) --> neither iroute nor ifconfig-push seem to do anything
     
  70. kacheng

    kacheng LI Guru Member

    jamesvan,
    Adding more firewall rules didn't help me at all.

    I'm using the tap adapter, so I tried
    Code:
    /usr/sbin/iptables -I INPUT -i tap+ -j ACCEPT
    /usr/sbin/iptables -I FORWARD -i br+ -o tap+ -j ACCEPT
    /usr/sbin/iptables -I FORWARD -i tap+ -o br+ -j ACCEPT
    
    and also these rules which I found on the OpenVPN website
    Code:
    /usr/sbin/iptables -A INPUT -i tap0 -j ACCEPT
    /usr/sbin/iptables -A INPUT -i br0 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -i br0 -j ACCEPT
    


    srouquette,
    Moving those directives to the WanUp section killed my ability to connect at all. i changed it back.


    Do I have something funny in my configuration? Do I need to push routes? I thought that you don't if you are using the tap device.

    Can anyone post their working config files?

    Thanks
     
  71. srouquette

    srouquette Network Guru Member

    yes, you had to move it to wanUP script.
    sorry if it didn't work for you :-/
     
  72. ng12345

    ng12345 LI Guru Member

    I use a tun interface and my config is posted already (somewhere between page 72 and here)

    The firewall stuff can be kept in the firewall tab and work just fine. Given that openvpn is providing a valid ip address, the problem is not the openvpn config, but most likely the routing/firewall from the client computer to the openvpn server.

    my firewall script looks like yours except I added a couple lines to specifically allow icmp packets -- since those are blocked by the router -- this way you can ping the router directly and determine if the problem is routing to the router or routing behind the router.
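    The rule sets traded in the last few posts differ by device type, and the difference is not cosmetic. The following is an added example, not code from any post in this thread: it builds the Tomato firewall-script rules for an OpenVPN server from the device name, protocol and port, and only prints the iptables commands unless IPT is set to iptables on the router. The helper names, the tun0/tap0 sample arguments and the LAN bridge name br0 are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build the iptables rules a
# Tomato firewall script needs for an OpenVPN server, picking the rule set
# from the device type. IPT defaults to "echo", so the script only prints
# the commands; on the router set IPT=iptables to apply them.

IPT=${IPT:-echo}

# tunnel_if DEV -> interface wildcard matching every device of that type
tunnel_if() {
  case "$1" in
    tun*) echo 'tun+' ;;
    tap*) echo 'tap+' ;;
    *) echo "unknown device type: $1" >&2; return 1 ;;
  esac
}

# vpn_rules DEV PROTO PORT LAN_IF -> one iptables argument list per line
vpn_rules() {
  _if=$(tunnel_if "$1") || return 1
  # the OpenVPN port itself, inserted at the top of INPUT so it is not
  # shadowed by the WAN drop rules Tomato installs
  echo "-I INPUT 1 -p $2 --dport $3 -j ACCEPT"
  case "$_if" in
    tun+)
      # routed mode: the tunnel is an interface of its own, so the router
      # must accept what it wants to answer (ping, ssh, web admin) and
      # forward between the tunnel and the LAN bridge
      echo "-I INPUT -i $_if -p icmp -j ACCEPT"
      echo "-I INPUT -i $_if -p tcp --dport 22 -j ACCEPT"
      echo "-I INPUT -i $_if -p tcp --dport 80 -j ACCEPT"
      echo "-I FORWARD -i $4 -o $_if -j ACCEPT"
      echo "-I FORWARD -i $_if -o $4 -j ACCEPT"
      ;;
    tap+)
      # bridged mode: tap0 is a member of the LAN bridge, so iptables sees
      # the clients' packets arriving on $4, not on tap0, and the existing
      # LAN rules already cover them; "-i tap+" rules would match nothing
      ;;
  esac
}

# apply_rules DEV PROTO PORT LAN_IF -> feed each rule to $IPT
apply_rules() {
  vpn_rules "$@" | while read -r _rule; do
    # word splitting of $_rule is intended: each word is one iptables argument
    $IPT $_rule
  done
}

# a routed tun server on udp/1194 (as in jamesvan's rules above) ...
apply_rules tun0 udp 1194 br0
# ... and a bridged tap server on tcp/443 (as in kacheng's setup)
apply_rules tap0 tcp 443 br0
```

    Run as-is it prints twelve words per rule and changes nothing; the tap case deliberately emits only the port rule, because once tap0 is enslaved to br0 the tunnel traffic is LAN traffic as far as iptables is concerned.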
     
  73. kacheng

    kacheng LI Guru Member

    ng12345,

    Thanks, I added the ICMP firewall rules with no result.
    Code:
    /usr/sbin/iptables -A INPUT -i tap+ -p icmp -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o tap+ -p icmp -j ACCEPT
    
    My router is on 192.168.1.1. It hands out DHCP to 192.168.1.100-127.
    OpenVPN takes 129.168.1.128. It gives me 192.168.1.130 or 131.

    The tomato router does not see 192.168.1.130 as a connected device, nor can it ping 192.168.1.130.

    From my 'connected' laptop, I cannot ping 192.168.1.1, 192.168.1.128, only 192.168.1.130 (i.e. localhost).

    I thought the advantage of tap was to reduce the configuration needed regarding routes that need to be pushed etc. Is that correct? If not what advantage is that over tun? I thought tap is preferred for the 'roadwarrior' type configuration (laptop connecting from many various locations), where tun is preferred for permanent 'bridged' configurations. Is that correct?

    Thanks.
     
  74. ng12345

    ng12345 LI Guru Member

    Actually I have been posting over in the openvpn-users list to get some of my openvpn questions answered and the feeling over there is that tun is in fact more efficient (but requires more configuration). Tap is actually used for "bridging" in the technical sense, but you are right, I think more people use that for temporary connections. The reason you have to add the icmp packet rule is because the routers by default ignore ping requests -- but this should not affect pinging any other ip in the lan.

    I'm really confused by your setup -- you have openvpn serving dhcp in the same subnet as your router (both on the same physical segment?)?

    The correct way of doing it is (if you want to use tap) to have your server router and client router on the same subnet, and have openvpn serving out a different subnet.

    so server lan will have ips 192.168.1.1 (router) and 192.168.1.100-120
    and client lan will have ips 192.168.1.2 (router) and 192.168.1.121-140
    and the openvpn configuration on the server will have a line:
    server 10.32.1.0 255.255.255.0 (so all clients will receive a vpn address from this subnet)
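    To check an address plan like the one ng12345 describes, here is an added example (not code from the thread) that does the subnet arithmetic in plain sh: whether the OpenVPN pool collides with the router's DHCP range, and whether the pool lies inside the LAN subnet or on a separate one. The function names are the example's own; the addresses are the ones quoted in the posts above plus one constructed mistake, and the pool is taken as the whole host range of the "server" subnet, which over-approximates what OpenVPN actually hands out, so a "clear" verdict is conservative.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an OpenVPN address pool
# against the router's LAN: does the pool collide with the DHCP range, and
# does it sit inside the LAN subnet or on a separate one?
# Sample addresses below are the ones quoted in the posts above.

# ip2int A.B.C.D -> the address as one integer (needs a 64-bit shell
# arithmetic, which dash and bash provide)
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_bounds NET MASK -> "network broadcast" as integers
net_bounds() {
  _n=$(ip2int "$1"); _m=$(ip2int "$2")
  echo "$(( _n & _m )) $(( _n | (~_m & 0xFFFFFFFF) ))"
}

# check_pool_vs_dhcp POOL_NET POOL_MASK DHCP_LO DHCP_HI -> overlap|clear
# The pool is taken as every host address of the "server" subnet, a superset
# of what OpenVPN really assigns, so "clear" errs on the safe side.
check_pool_vs_dhcp() {
  set -- $(net_bounds "$1" "$2") "$3" "$4"
  _first=$(( $1 + 1 )); _last=$(( $2 - 1 ))
  _lo=$(ip2int "$3"); _hi=$(ip2int "$4")
  if [ "$_first" -le "$_hi" ] && [ "$_last" -ge "$_lo" ]; then
    echo overlap
  else
    echo clear
  fi
}

# pool_position POOL_NET POOL_MASK LAN_NET LAN_MASK -> inside|outside|straddles
pool_position() {
  set -- $(net_bounds "$1" "$2") $(net_bounds "$3" "$4")
  if [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]; then
    echo inside      # a pool carved out of the LAN subnet
  elif [ "$2" -lt "$3" ] || [ "$1" -gt "$4" ]; then
    echo outside     # a separate subnet, as in the 10.32.1.0 example above
  else
    echo straddles   # partly in, partly out: wrong in either design
  fi
}

# report POOL_NET POOL_MASK LAN_NET LAN_MASK DHCP_LO DHCP_HI -> one summary line
report() {
  echo "pool $1/$2 is $(pool_position "$1" "$2" "$3" "$4") LAN $3/$4; against DHCP $5-$6: $(check_pool_vs_dhcp "$1" "$2" "$5" "$6")"
}

# kacheng's layout: LAN 192.168.1.0/24, DHCP .100-.127, pool 192.168.1.128/25
report 192.168.1.128 255.255.255.128 192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.127
# ng12345's suggestion: pool on its own subnet
report 10.32.1.0 255.255.255.0 192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.120
# constructed mistake: pool equal to the whole LAN subnet
report 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.127
```

    The three report lines show the two layouts discussed above as "inside ... clear" and "outside ... clear", and the constructed case as "overlap"; run the functions with your own router, DHCP and "server" values to check a plan before flashing it into a script.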
     
  75. wukaijie

    wukaijie Guest

    i followed the setup tutorial posted by roadkill, but my client cannot communicate with the server, like the following.

    how can i check if my server is running correctly?

    Code:
    Wed Sep 03 22:33:14 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Wed Sep 03 22:33:14 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Wed Sep 03 22:33:14 2008 WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Wed Sep 03 22:33:14 2008 LZO compression initialized
    Wed Sep 03 22:33:14 2008 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Sep 03 22:33:14 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Wed Sep 03 22:33:14 2008 Local Options hash (VER=V4): 'd79ca330'
    Wed Sep 03 22:33:14 2008 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Wed Sep 03 22:33:14 2008 UDPv4 link local: [undef]
    Wed Sep 03 22:33:14 2008 UDPv4 link remote: 24.14.52.46:1194
    Wed Sep 03 22:34:14 2008 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Wed Sep 03 22:34:14 2008 TCP/UDP: Closing socket
    Wed Sep 03 22:34:14 2008 SIGUSR1[soft,ping-restart] received, process restarting
    Wed Sep 03 22:34:14 2008 Restart pause, 2 second(s)
     
  76. sshanky

    sshanky Addicted to LI Member

    Send all traffic through VPN

    Hi!

    I finally got my connection script to work! But, my intention is to use OpenVPN from public hotspots to ensure privacy and prevent packet sniffing. After connecting, I checked my IP number (at www.whatismyip.com), and it was still the local IP, not my home IP where the router I'm connecting to is located.

    How can I ensure that all traffic goes through the VPN whenever I am connected? Is this even possible? I guess with the current script, only traffic destined for my home network will go through the vpn, right?

    Thanks a lot! Here is the script I used:
    Code:
    dev tap0
    ifconfig 192.168.21.160 255.255.255.0 # my home network is on 192.168.21.x
    secret static.key
    proto udp
    remote my.dynamic.domain 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float
     
  77. 2647-4EG

    2647-4EG LI Guru Member

    Hi, I had exactly the same problem. This should also work for you. Hope that helps!
     
  78. sshanky

    sshanky Addicted to LI Member

    Thanks...I did have those two lines in my config, but I hadn't assigned static info to the network connection. Now, how can we really be sure? I was at a public wifi location today and connected fine to the vpn, saw my home ip number when I checked. But, it was one of those hotspots where you have to agree with their terms, and their splash page showed up even though the vpn was active. Not sure if I understand why, but it would appear that that traffic was making it to me even from their local lan, despite my vpn being connected.
     
  79. jsauve

    jsauve LI Guru Member

    Perhaps try running through a port in the dynamic/private range instead, like 53446 or something. 1194 MIGHT be blocked at a public hotspot. Make sure to open it up on your firewall as well as specifying it in the script.

    Please post results...I'm curious. ;)
     
  80. VeNT

    VeNT Addicted to LI Member

    just a quick Q
    to do this will I have to re-install Tomato?
     
  81. jsauve

    jsauve LI Guru Member

    To vent:

    Yes, but most settings will survive the re-flash, I believe.
     
  82. VeNT

    VeNT Addicted to LI Member

    hmm, I'll have to wait till it gets quiet in the office (hahaha) as we can't deal with downtime.
     
  83. jsauve

    jsauve LI Guru Member

    If you'd like to minimize any downtime issues, do a config backup. Then you can always flash back to the current version and restore all settings if the 1.19 VPN flavor doesn't work out.
     
  84. VeNT

    VeNT Addicted to LI Member

    I'm running 1.21, is that an issue?
     
  85. jsauve

    jsauve LI Guru Member

    Shouldn't be a problem. I've downgraded to 1.19 from 1.21 without issue.
     
  86. VeNT

    VeNT Addicted to LI Member

    any reason for 1.19 rather than 1.21?
     
  87. jsauve

    jsauve LI Guru Member

    Well, this thread is all about the VPN-modified version of Tomato. The most recent version that contains VPN capabilities is 1.19. At this time, there is no VPN-modified 1.21 version.

    This means, presumably, that the most recent VPN-modified version also contains the DNS vulnerability that 1.21 does not. BTW, it should be noted that vulnerability was not specific to the firmware, but to the entire DNS specification itself. Basically any operating system in the world that utilizes DNS was affected, and most have now been patched, including Tomato 1.21. The VPN-modified version MAY have been patched by its creator, Roadkill, but I'm not sure. Not really that big of a deal anyway.
     
  88. mandrzej

    mandrzej LI Guru Member

    How to persist an IP address for a client?
    
    I have OpenVPN with multiple clients. Each time a client connects to the VPN it gets a different IP. Is it possible to keep the IP address for a client?
     
  89. jsauve

    jsauve LI Guru Member

    I believe openvpn is using the same dhcp service that is configurable via the web interface. You ought to be able to set static leases, just like any other machine. If it works, please post the results!
     
  90. mandrzej

    mandrzej LI Guru Member

    My openvpn.conf (on linksys):

    Code:
    port 1190
    proto tcp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    server 10.9.1.0 255.255.255.0
    ifconfig-pool-persist /tmp/ipp.txt
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    tls-server
    management localhost 7505
    verb 5
    
    client's conf:
    
    Code:
    client
    proto tcp
    dev tun
    remote xxx.xxxx.xxx.xxx 1190
    #ifconfig-push 10.9.1.10  (ifconfig-push is a server-side per-client directive, meant for a client-config-dir file, and has no effect in a client config)
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    comp-lzo
    verb 3
    
    1. connect - client get 10.9.1.6
    2. connect - 10.9.1.10
    etc.
    
    every time this same client gets another IP. What is wrong?
     
  91. humba

    humba Network Guru Member

    From the manpage on the subject of ifconfig-pool-persist:

    And for ifconfig-push

    And then I recalled reading an example of a config with different access permissions for different users.. and those permissions being based on IP addresses that are associated with different accounts. You can find that example in the howto by searching for "Configuring client-specific rules and access policies"
     
  92. adeej

    adeej Addicted to LI Member

    I have the same problem:
    my config is similar, I set ipp.txt and client-config-dir on jffs.
    ipp.txt is created but it is always empty, and the personal settings in ccd don't work.
    
    The client gets a different IP address every time.
    The same config on dd-wrt works fine.
    I tried with tomato 1.19 and 1.16 without success.
    Did someone use successfully ipp.txt and client-config-dir on tomato?
     
  93. adeej

    adeej Addicted to LI Member

    I can confirm, after many tests, that "client-config-dir" and "ifconfig-pool-persist" do not seem to work on Tomato VPN Mod.
    
    OpenVPN on Tomato VPN Mod does not retrieve the common name from the certificate and searches for config options in the ccd/DEFAULT file.
     
  94. hrts

    hrts LI Guru Member

    I've just moved from 1.16 to 1.19. Very quick and very clean upgrade.
    I've noticed in openvpn.log file some error messages that request to push a route/redirect the gateway or use ifconfig - never had such errors under 1.16. I've added the redirect gateway toward the Tomato internal IP and the error messages do not appear anymore.
    Is it mandatory to have this default route defined through ifconfig or using redirect gateway?

    Beside that, everything is working as usual: no problems at all.
     
  95. skyanvi1

    skyanvi1 Addicted to LI Member

    Multiple instance (udp and tcp) RoadWarrior setup (using tun):

    The idea here is to maximize the availability of the VPN for roadWarrior configurations, since there is a ~30% throughput penalty (my tests...) when using tcp however some networks block udp. I have this running using 2 vpn instances on the same TomatoRouter (WRT54GLv1.1).

    Is there a way to do this using just one openVpn instance?

    My Configuration:
    (based on ng12345's clientRouter to serverRouter config. post 725)
    Firmware: TomatoMod_ND_1.19.1464-OnlyEssentials
    RoadWarrior Setup: (openVpnClient)LapTop - Lan1(Don't Care) - WhateverRouter - Internet - (WAN address)TomatoServerRtr - Lan2(192.168.1.0) - PC2

    Enable jffs2 before you start; you may need to format... (Administration -> jffs2)

    Init Script (Administration -> Scripts -> Init):
    Code:
    insmod tun.o
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config /jffs/openvpnudp.conf
    /tmp/myvpn --config /jffs/openvpntcp.conf
    
    Firewall Script (Administration -> Scripts -> Firewall):
    Code:
    # Open WAN ports for openVpn:
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT 1 -p tcp --dport 1195 -j ACCEPT
    
    #these lines allow access to the lan behind the server
    iptables -I FORWARD -i br+ -o tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -o br+ -j ACCEPT
    
    #allow ping of the router from the tunnel
    iptables -A INPUT -i tun+ -p icmp -j ACCEPT
    iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
    
    #allow ssh and web router administration through the tunnel
    iptables -A INPUT -i tun+ -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i tun+ -p tcp --dport 80 -j ACCEPT
    
    #required for access to windows XP shares...
    iptables -t nat -A POSTROUTING -s  10.4.4.0/24 -o br0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s  10.4.5.0/24 -o br0 -j MASQUERADE
    
    WAN Up Script (Administration -> Scripts -> WAN Up): Not Used!


    Now Login using telnet or ssh and execute the following commands:

    Code:
    echo "
    dev tun
    proto udp
    port 1194
    server 10.4.4.0 255.255.255.0 #tls-server no longer needed since the above line automatically assumes that
    ca /jffs/keys/ca.crt
    cert /jffs/keys/server.crt
    key /jffs/keys/server.key
    dh /jffs/keys/dh1024.pem
    comp-lzo
    verb 3
    daemon
    keepalive 10 60
    client-config-dir /jffs/ccd #absolute path, a relative one is resolved against the daemon's working directory, which the init script does not set
    ifconfig-pool-persist /jffs/ippudp.txt #ensures that when client disconnects and reconnects it gets the same ip (one file per instance)
    push \"route 192.168.1.0 255.255.255.0\" #pushes route to tomatoRtr subnetwork to Clients, the backslashes keep the quotes inside the outer echo string
    float #ip address of client can change
    " > /jffs/openvpnudp.conf
    
    echo "
    dev tun
    proto tcp
    port 1195
    server 10.4.5.0 255.255.255.0
    ca /jffs/keys/ca.crt
    cert /jffs/keys/server.crt
    key /jffs/keys/server.key
    dh /jffs/keys/dh1024.pem
    comp-lzo
    verb 3
    daemon
    keepalive 10 60
    client-config-dir /jffs/ccd #this is not used may be able to be removed...
    ifconfig-pool-persist /jffs/ipptcp.txt #ensures that when client disconnects and reconnects it gets the same ip (one file per instance)
    push \"route 192.168.1.0 255.255.255.0\" #pushes route to tomatoRtr subnetwork to Clients, the backslashes keep the quotes inside the outer echo string
    float #ip address of client can change
    " > /jffs/openvpntcp.conf
    
    
    mkdir /jffs/keys
    chmod 700 /jffs/keys #a directory needs the execute bit to be entered, so 700 rather than 600
    
    echo "
    -----BEGIN CERTIFICATE-----
    Insert certificate auth cert here.
    -----END CERTIFICATE-----
    " > /jffs/keys/ca.crt
    
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    Insert server key here.
    -----END RSA PRIVATE KEY-----
    " > /jffs/keys/server.key
    
    chmod 600 /jffs/keys/server.key
    
    echo "
    -----BEGIN CERTIFICATE-----
    Insert server certificate here.
    -----END CERTIFICATE-----
    " > /jffs/keys/server.crt
    
    echo "
    -----BEGIN DH PARAMETERS-----
    Insert DH parameters here.
    -----END DH PARAMETERS-----
    " > /jffs/keys/dh1024.pem
    
    Client Configuration on RoadWarrior LapTop for udp connect:
    Code:
    client
    dev tun
    port 1194 
    proto udp 
    remote xxx.xxx.xxx.xxx #TomatoVPN Router's WAN address
    ns-cert-type server # I don't remember doing this but it works...
    ca ca.crt
    cert client.crt
    key client.key
    comp-lzo
    verb 3
    resolv-retry infinite
    nobind #allows use of dynamic port to connect
    float #allows server ip address to change -- is necessary if using ddns service
    keepalive 10 60 #don't know if i need this line on both sides
    

    Client Configuration on RoadWarrior LapTop for tcp connect:
    Code:
    client
    dev tun
    port 1195 
    proto tcp 
    remote xxx.xxx.xxx.xxx #TomatoVPN Router's WAN address
    ns-cert-type server # I don't remember doing this but it works...
    ca ca.crt
    cert client.crt
    key client.key
    comp-lzo
    verb 3
    resolv-retry infinite
    nobind #allows use of dynamic port to connect
    float #allows server ip address to change -- is necessary if using ddns service
    keepalive 10 60 #don't know if i need this line on both sides
    
    Note:
    I haven't tried to watch the same port for both protocols.
    
    Useful ssh commands (for me so I don't forget...):
    actively watch log: tail -f /var/log/messages
    output contents of a file/script: cat <path>
    view the firewall: iptables -L -v
    
    Local lan throughput (using DHCP WAN) 200Mhz:
    udp -> ~360 KBs
    tcp -> ~260 KBs
    
    I think I can do away with the client config directory but this works for now.
    
    Edit:
    Added Masquerade lines for access to windows shares. SAMBA (incidentally also my WINS server) works fine over openVPN without the lines, while Windows XP requires the computers to be on the same subnet (I think) for access to the shared folders. Without Masquerade I was able to connect to the computer but no shared folders would appear in the file browser.
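    Writing two instance configs with echo "..." is easy to get wrong: unescaped quotes around the push argument, file names that OpenVPN resolves relative to whatever directory the init script happened to be in, and one ipp.txt shared by two daemons. The following is an added example, not skyanvi1's script: it writes the udp and tcp instance configs from one function using a quoted here-document and then lints the result. WORKDIR (a temporary directory standing in for /jffs), the function names and the bad.conf counter-example are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not skyanvi1's script: write the udp and tcp server
# instance configs from one function and lint the result. A here-document
# is used instead of echo "...", so the push "..." lines keep their quotes
# without escaping. WORKDIR stands in for /jffs on the router; here it is a
# temporary directory so the script runs anywhere.

WORKDIR=${WORKDIR:-$(mktemp -d)}
mkdir -p "$WORKDIR/keys"

# write_instance NAME PROTO PORT SUBNET -> path of the config written
# Every file name is absolute and each instance gets its own pool-persist
# file, so the two daemons never share state.
write_instance() {
  cat > "$WORKDIR/openvpn$1.conf" <<EOF
dev tun
proto $2
port $3
server $4 255.255.255.0
ca $WORKDIR/keys/ca.crt
cert $WORKDIR/keys/server.crt
key $WORKDIR/keys/server.key
dh $WORKDIR/keys/dh1024.pem
comp-lzo
verb 3
daemon
keepalive 10 60
ifconfig-pool-persist $WORKDIR/ipp$1.txt
push "route 192.168.1.0 255.255.255.0"
float
EOF
  echo "$WORKDIR/openvpn$1.conf"
}

# lint_conf FILE -> one line per finding, nothing when the file is clean
lint_conf() {
  # a push argument has to be a single quoted token
  grep -E '^push +[^"'"'"']' "$1" | sed 's/^/unquoted push: /'
  # file names should be absolute: OpenVPN resolves relative ones against
  # the working directory it was started from, which an init script does not set
  grep -E '^(ca|cert|key|dh|ifconfig-pool-persist|client-config-dir|status) +[^/]' "$1" \
    | sed 's/^/relative path: /'
  return 0
}

# instances_distinct FILE... -> ok, or conflict when two instances share a
# proto/port pair or a server subnet
instances_distinct() {
  for _f in "$@"; do
    awk '$1=="proto"{p=$2} $1=="port"{q=$2} $1=="server"{n=$2} END{print p"/"q, n}' "$_f"
  done | awk '{ if (seen_ep[$1]++ || seen_net[$2]++) bad=1 }
              END { print (bad ? "conflict" : "ok") }'
}

UDP=$(write_instance udp udp 1194 10.4.4.0)
TCP=$(write_instance tcp tcp 1195 10.4.5.0)
lint_conf "$UDP"; lint_conf "$TCP"      # prints nothing: both are clean
instances_distinct "$UDP" "$TCP"        # ok

# constructed counter-example carrying the two mistakes the linter looks for
BAD="$WORKDIR/bad.conf"
printf '%s\n' 'push route 192.168.1.0 255.255.255.0' 'ifconfig-pool-persist ipp.txt' > "$BAD"
lint_conf "$BAD"
```

    On the router, set WORKDIR=/jffs before running it, and keep the here-document variant rather than echo: anything between the EOF markers is copied literally except for $WORKDIR, so the push line never needs backslashes.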
     
  96. bigclaw

    bigclaw Network Guru Member

    Just curious. Any updates to bring this wonderful mod up to 1.21?
     
  97. rossiza

    rossiza Guest

    I am new to Tomato; I used dd-wrt vpn up to now. Upgraded to 1.19.1464 today - looks nice and works faster. However I do not see any VPN options in the GUI. Looks like official 1.19. Am I missing something? And what is this tomato.trx file in the binary package?
    Thank you for your help.
     
  98. bigclaw

    bigclaw Network Guru Member

    See post #3 by _splat_.
     
  99. ng12345

    ng12345 LI Guru Member

    I am glad other users are noticing this -- I posted on this thread about this problem nearly a month ago. It seems to be a firmware-specific issue, since the client-config command works fine in OpenVPN built on Linux. I wasn't sure what you meant by your last statement -- but the config does in fact read the DEFAULT file (but none of the common-name files).

    Also, OpenVPN has a preference system -- it looks at the client config first and then at ipp.txt (neither of which works in Tomato + OpenVPN).

    Do you know of any way of getting the current firmware to retrieve the common name?

    If not, do you know of another way to identify individual clients?
     
  100. tastyfish

    tastyfish Addicted to LI Member

    Remote access and Internet tunneling, don't know what to do!

    EDIT---Solution found, see bottom of post! :biggrin:

    Hello,

    I am trying to set up a Tomato/OpenVPN configuration that will allow me to access both my LAN from the road AND tunnel internet through my home connection.

    I am trying to do this using TAP but I'm having some trouble. I have the OpenVPN server portion working, and I can connect to it successfully using my laptop from the Internet, but nothing else from there. I can't ping anything on the LAN, and I can't ping the laptop from a computer on the LAN.

    I am new to this sort of routing so I don't know what I've omitted or done wrong. I've read many pages of this thread but have not found the answer. I'm not sure where to go from here.

    Server config in Init script:

    Code:
    insmod tun.o                  # load the TUN/TAP driver
    cd /tmp                       # config, certs and keys live here
    openvpn --mktun --dev tap0    # create a persistent tap0
    brctl addif br0 tap0          # attach it to the LAN bridge
    ifconfig tap0 0.0.0.0 promisc up
    
    # The inner double quotes must be escaped (\"): unescaped, they end the
    # echo string and OpenVPN is handed an unquoted "push redirect-gateway def1".
    echo "
    mode server
    proto tcp
    port 1194
    dev tap0
    push \"redirect-gateway def1\"
    push \"route 192.168.1.0 255.255.255.0\"
    push \"dhcp-option DNS 192.168.1.1\"
    push \"dhcp-option DOMAIN local\"
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    
    server-bridge 192.168.1.1 255.255.255.0 192.168.1.231 192.168.1.240
    
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    << certs and keys are echoed to files here >>
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    Client config:
    Code:
    client
    dev tap
    pull
    
    << cert files specified here >>
    
    proto tcp
    
    remote XXX.XXX.XXX.XXX
    port 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    verb 3
    float
    
    comp-lzo
    Firewall init:
    Code:
    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
    
    I know that TCP is slower than UDP; I would use UDP were it not for the fact that I am sometimes using wifi that does not even allow UDP through.

    As I said before, I can connect to the OpenVPN server and do not get any errors in the server logs or the client window. I think I am missing something very simple with bridging or routing because I am a total newbie when it comes to Linux routing.

    Thanks in advance... :)

    EDIT FOR SOLUTION:

    Well, wouldn't you know it, I solved the problem! I'd been fumbling around with this thing on and off for a while, but today was the first time I actually telnetted into the router... Turns out brctl wasn't doing what it was supposed to! (I guess the interface wasn't up yet?) I put a "sleep 5" before the brctl line and all is well.

    I will leave this post as it is as an example for anyone else who has this problem. If you're banging your head against the wall, try it!
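    Added example, not tastyfish's script: an Init fragment in the same style that handles the two things that bit the post above. Instead of a fixed "sleep 5" it polls until br0 is actually up before creating tap0 and adding it to the bridge, then verifies the bridge membership; and it writes the server config with a quoted heredoc, so the double quotes around each push argument reach OpenVPN intact (inside echo "..." they terminate the shell string). Interface names (br0, tap0), the /tmp working directory and the 192.168.1.0/24 addressing are taken from the post; the 30 and 10 second timeouts are assumptions, and the certificates are assumed to be written to /tmp by the rest of the Init script as in the original.

```sh
#!/bin/sh
# Added example (not the poster's code): bring up an OpenVPN TAP bridge on a
# Tomato-style router only once the interfaces exist, rather than sleeping.
# br0/tap0 and the 192.168.1.0/24 values come from the post; timeouts are
# assumptions.

# wait_for TIMEOUT_SECONDS COMMAND...: run COMMAND once a second until it
# succeeds; return 1 if it has not succeeded within TIMEOUT_SECONDS.
wait_for() {
    timeout="$1"; shift
    while [ "$timeout" -gt 0 ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        timeout=$((timeout - 1))
        sleep 1
    done
    return 1
}

# iface_up NAME: true when NAME exists and carries the UP flag
# (ifconfig is what the router's busybox provides).
iface_up() {
    ifconfig "$1" 2>/dev/null | grep -qw UP
}

# bridge_has IFACE: true when brctl lists IFACE as a member of br0.
bridge_has() {
    brctl show br0 2>/dev/null | grep -qw "$1"
}

# write_server_conf FILE: the post's server config. A quoted heredoc
# ('EOF') keeps the double quotes around push arguments literal.
write_server_conf() {
    cat > "$1" <<'EOF'
mode server
proto tcp
port 1194
dev tap0
push "redirect-gateway def1"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN local"
keepalive 15 60
daemon
verb 3
comp-lzo
server-bridge 192.168.1.1 255.255.255.0 192.168.1.231 192.168.1.240
tls-server
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
EOF
}

# setup_tap_bridge: what the Init script would call on the router.
setup_tap_bridge() {
    insmod tun.o
    cd /tmp || return 1
    # The race in the post: br0 may not be up yet when Init runs.
    wait_for 30 iface_up br0 || { echo "br0 never came up" >&2; return 1; }
    openvpn --mktun --dev tap0
    ifconfig tap0 0.0.0.0 promisc up
    wait_for 10 iface_up tap0 || { echo "tap0 never came up" >&2; return 1; }
    brctl addif br0 tap0
    # Verify rather than assume: this is the step that silently failed.
    bridge_has tap0 || { echo "tap0 not in br0" >&2; return 1; }
    write_server_conf /tmp/openvpn.conf
    openvpn --config /tmp/openvpn.conf   # ca/cert/key/dh are relative to /tmp
}

# Stand-alone demo of the poller with commands that need no router.
wait_for 3 true  && echo "wait_for: immediate success reported"
wait_for 1 false || echo "wait_for: timeout reported"
```

    On the router, replace the hand-written init block with a call to setup_tap_bridge; if br0 still is not up after 30 seconds the script reports that instead of leaving an unbridged tap0 behind, which is exactly the silent failure the post describes.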
     

Share This Page