Tomato OpenVPN Server behind another Router w/NAT

Discussion in 'Tomato Firmware' started by aeonone, Sep 2, 2011.

  1. aeonone

    aeonone Network Guru Member

    Just wondering how the Tomato OpenVPN server would work behind another router w/NAT?

    Should I be using it as a "Gateway" or a "Router" in this setup (in the routing tab)? If I switch from Gateway to Router does that mean the OpenVPN server will stop listening to requests since it expects a connection to be made from the WAN port instead of the LAN?

    My main router will assign IP addresses, so I should disable DHCP on the Tomato router.

    Also, how will the OpenVPN start assigning IP addresses if I use TAP? Should I let the Main router or OpenVPN handle the assignment of IPs?

    I'm puzzled at how to setup the portforwarding on the Tomato OpenVPN?

    Any help is greatly appreciated!
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It should be able to work in either gateway or router mode.

    If you go with router mode, don't have DHCP enabled.

    It will give out IP addresses the same as always: Either using a block of addresses you provide or by letting the DHCP server decide.

    You shouldn't need to do any port forwarding on the TomatoVPN router. But, you'll need to forward the VPN port on the router that your TomatoVPN router is behind.
    aeonone likes this.
  3. aeonone

    aeonone Network Guru Member

    Ok I tried it in Router mode. I connected a wire to the WAN port, it grabs an IP via DHCP. Disabled the DHCP on the LAN side. Set the LAN internal network address to the same as the main router.

    I port mapped through my main router to the Tomato Router's VPN port. I have connected successfully from an outside IP to the OpenVPN server behind my main router.

It seems as though when I connect this way, the Tomato Router has its own network which the OpenVPN assigns an IP in this range, but it's not related to the main router's network, even though they are the same network. Could this be because I connected through the WAN port into the OpenVPN server? The WAN to LAN (on the Tomato Router) is still treating those two networks as distinct unrelated networks?

    Not sure if that made any sense, I'm a little confused myself. :)
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You definitely don't want to do it that way. If you want the two to be on the same subnet, just plug into a LAN port (in the GUI you can even disable the WAN and turn that port into an extra LAN port).
    aeonone likes this.
  5. aeonone

    aeonone Network Guru Member

    I also have tried connecting my main router to the LAN port and it appears OpenVPN doesn't listen on the LAN interface. Only WAN.

    Where can I SSH into on the Tomato Router to access the OpenVPN server configuration?

    Is another solution to try using a different network than on both?
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, the OpenVPN instance does listen on the LAN, too.

    But, yes, if you plug into the WAN port, you definitely want to use different subnets on each.
    aeonone likes this.
  7. aeonone

    aeonone Network Guru Member

    I've made progress! Almost there!

    Thank you for the suggestion of using a different subnet. I am able to ping and access machines from the connected VPN client to the main network.

    Using hostnames doesn't work though (e.g. instead of using \\MACHINE_NAME I have to use

    Is there something else I've missed? I've enabled the ICMP ping on the firewall on the Tomato Router, but it doesn't appear to do anything.
  8. wetwilly

    wetwilly LI Guru Member

    This applies to the WAN side and it does what it should. Responds to ICMP queries for the WAN interface.
    aeonone likes this.
  9. aeonone

    aeonone Network Guru Member

    I've connected my Tomato router through my WAN port to my main router. I still can't ping it. It grabs an IP via DHCP from my main router.

    EDIT: I did some routing on my main router (not sure if it did anything) and Ping appears to be working. -___- Spoke too soon I guess.
  10. aeonone

    aeonone Network Guru Member

    I'm still not able to use Hostnames when trying to access the main LAN. Is it because I'm doing NAT twice?
  11. EOC_Jason

    EOC_Jason Networkin' Nut Member

    A couple comments...

    First, your "VPN Subnet" needs to be totally different from any subnets of your main/client networks. Many people skip over this and can't figure out why their openvpn doesn't work. As you said, your local LAN was, but you also assigned the VPN subnet the same... Easiest to change the VPN subnet to something else and all should be good.

    Second, hostname resolution like you are trying to do in Windows (i.e. \\hostname\share) is via NetBIOS, which doesn't route over subnets. Likewise you have separate DNS servers at your server location and client(s) location, so the clients have no idea what hosts are at the server location.

    Solutions... I don't remember the commands, but I believe you can push your server DNS to the clients... Or, easier thing if you have a Samba server is to enable WINS resolution, and either add the IP of the WINS server to your Tomato DHCP config or manually add it in the Windows TCP/IP adapter settings. Lastly, you can always edit your Windows hosts file to add the hostname/IP of the machines.

    I know some builds of Tomato have Samba... I don't know if they can do WINS too or not (I would assume so)...
    aeonone likes this.
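To make the NetBIOS point above concrete, here is an added Python example (not code from this thread, from Windows or from Tomato) that builds a NetBIOS Name Service name query the way a Windows client does when it resolves \\MACHINE_NAME: first as the subnet broadcast that no router forwards, then as the unicast lookup a client sends once it has a WINS server. The hostname, the client and server addresses, the WINS address and the transaction IDs are all made up for illustration; the packet layout follows RFC 1001/1002.

```python
"""Added example: build a NetBIOS Name Service (NBNS, RFC 1001/1002) name
query and show why broadcast name resolution stops at the subnet edge while a
WINS lookup does not. Not code from the thread or from Tomato; the names and
addresses below are constructed for illustration. Runs offline."""
import ipaddress
import struct

NBNS_PORT = 137          # NetBIOS Name Service, UDP
QTYPE_NB = 0x0020        # NetBIOS general name service resource record
QCLASS_IN = 0x0001
FLAG_RD = 0x0100         # NM_FLAGS: recursion desired (set in every name query)
FLAG_B = 0x0010          # NM_FLAGS: broadcast/multicast flag


def encode_netbios_name(name: str, suffix: int = 0x20) -> str:
    """RFC 1001 'first-level' encoding: upper-case the name, cut it to 15 bytes,
    space-pad it and append a one-byte suffix (0x20 = file server service,
    0x00 = workstation); each byte is split into two nibbles and each nibble is
    written as the letter 'A' + nibble, giving 32 letters."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> tuple:
    """Reverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(name: str, trn_id: int, broadcast: bool) -> bytes:
    """NBNS NAME QUERY REQUEST: 12-byte header plus one question.
    OPCODE=0 (query); NM_FLAGS carries RD and, for the broadcast form, B."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"\x20" + encode_netbios_name(name).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def query_destination(client_ip: str, wins_ip: str = None) -> tuple:
    """Where the query goes: with no WINS server configured the client
    broadcasts to its own subnet, which a router never forwards; with a WINS
    server it sends a unicast UDP datagram that is routed like any other.
    Returns (destination, port, is_broadcast)."""
    iface = ipaddress.ip_interface(client_ip)
    if wins_ip is None:
        return str(iface.network.broadcast_address), NBNS_PORT, True
    return str(ipaddress.ip_address(wins_ip)), NBNS_PORT, False


def broadcast_reaches(client_ip: str, target_ip: str) -> bool:
    """True only if the target shares the client's broadcast domain."""
    return ipaddress.ip_address(target_ip) in ipaddress.ip_interface(client_ip).network


if __name__ == "__main__":
    # Constructed addresses: VPN client on 10.8.0.6/24, file server on the main LAN.
    client, server, wins = "10.8.0.6/24", "192.168.1.20", "192.168.1.1"
    dst, port, is_bcast = query_destination(client)
    pkt = build_name_query("FILESERVER", 0x1234, broadcast=is_bcast)
    print(f"broadcast query -> {dst}:{port} ({len(pkt)} bytes), "
          f"reaches {server}: {broadcast_reaches(client, server)}")
    dst, port, is_bcast = query_destination(client, wins_ip=wins)
    pkt = build_name_query("FILESERVER", 0x1235, broadcast=is_bcast)
    print(f"WINS query      -> {dst}:{port}, "
          f"NM_FLAGS=0x{struct.unpack('>H', pkt[2:4])[0]:04x}")
```

The flags word is the tell when you look at this in a capture: 0x0110 (RD and B set) is the broadcast form that dies at the VPN client's subnet boundary, 0x0100 is the unicast form a WINS server answers from across the tunnel.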
  12. aeonone

    aeonone Network Guru Member

    Thanks for educating me on the Hostname situation. I had no idea it was NetBIOS that was doing it.

    What DNS server should I be pushing to the clients? It should be the main router's DNS servers right?

    I ended up using the Host file method, but I was looking for something more permanent. Looks like I'll have to see if my Samba does the WINS. Thanks for the suggestion!

    Seems like I'm just a few steps away from getting this to 100% done. Thank you everyone for contributing towards this thread. Hopefully it will help whoever else comes this way.

    I'll continue to post my status if I find anything new.
  13. EOC_Jason

    EOC_Jason Networkin' Nut Member

    You know, I just realized you didn't say if you were using TAP or TUN for your VPN...

    Pushing your main router's DNS to the client networks is what I was talking about, however it could have undesirable effects depending on how the networks are configured.

    WINS is probably the easiest and most transparent way. Besides the usual samba config, to enable it as a WINS server all you need is the line:

    wins support = yes
  14. aeonone

    aeonone Network Guru Member

    :) First post, fourth paragraph in the middle. I wasn't explicitly explicit. Plus I should have made it one of the first or second things I mentioned. :) EDIT: It's TAP. (haha I just posted without answering)

    I've tried pushing stuff before and it messed it up. That's why I'll try anything before doing it that way.

    Is this Samba WINS section in the Samba Server? The Advanced (the long page on the web administration) page/screen?

    After I set that up, I can just point my Tomato router to use that WINS IP address?

    Thanks again!
  15. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I finally got a chance to check my tomato config... Go to this page:

    USB and NAS -> File Sharing

    There's actually a checkbox to enable WINS Server... how nifty... ;)

    Now you just have to tell your clients to use the Tomato router IP as the WINS server. If you can configure your DHCP server to include the WINS IP then that makes it the easiest and most transparent. Otherwise you will have to go to your adapter config (assuming Windows), advanced button, and add the WINS IP manually on the machines.

    FYI, I don't use TAP, I use TUN... The reason being that with a bridged network you are going to get a lot more cross-traffic (broadcast and such, as you have found out)...
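Pulling the thread's recommendations together, here is an added Python example (not code from the thread or from Tomato firmware) that checks the three address blocks involved, the main LAN behind the upstream router, the VPN address range and the remote client's home LAN, for the overlap EOC_Jason warns about, and then prints the dnsmasq lines for Tomato's dnsmasq custom configuration field (DHCP option 44 = WINS server, option 46 = NetBIOS node type), the OpenVPN push directives that hand the same servers to VPN clients, and the single port forward needed on the upstream router. The subnets, the Tomato WAN address, the DNS and WINS addresses and UDP port 1194 are assumed values.

```python
"""Added example: sanity-check the subnets of a Tomato OpenVPN server behind
another NAT router and emit the DHCP / OpenVPN lines that distribute the WINS
and DNS servers. Not from the thread or from Tomato; all addresses are
constructed for illustration."""
import ipaddress
from itertools import combinations


def find_overlaps(nets: dict) -> list:
    """Return the pairs of named networks that overlap (should be empty)."""
    parsed = {n: ipaddress.ip_network(v, strict=False) for n, v in nets.items()}
    return [(a, b) for a, b in combinations(parsed, 2) if parsed[a].overlaps(parsed[b])]


def dnsmasq_wins_options(wins_ip: str) -> list:
    """dnsmasq lines for Tomato's dnsmasq custom configuration box:
    DHCP option 44 is the NetBIOS name server list, option 46 the node type
    (8 = H-node: ask WINS first, fall back to broadcast)."""
    ipaddress.ip_address(wins_ip)  # raises ValueError on junk input
    return [f"dhcp-option=44,{wins_ip}", "dhcp-option=46,8"]


def openvpn_push_options(dns_ip: str, wins_ip: str) -> list:
    """OpenVPN server directives that hand DNS and WINS to connecting clients
    (the Windows client applies both; other clients need an up script)."""
    for ip in (dns_ip, wins_ip):
        ipaddress.ip_address(ip)
    return [f'push "dhcp-option DNS {dns_ip}"', f'push "dhcp-option WINS {wins_ip}"']


def upstream_forward(public_port: int, tomato_wan_ip: str, vpn_port: int = 1194) -> str:
    """The one forward the thread says is needed: on the *upstream* router,
    UDP public_port -> Tomato's WAN address:vpn_port. Nothing on Tomato itself."""
    ipaddress.ip_address(tomato_wan_ip)
    return f"udp {public_port} -> {tomato_wan_ip}:{vpn_port}"


def plan(nets: dict, tomato_wan_ip: str, dns_ip: str, wins_ip: str) -> list:
    """Refuse to produce a config if any two address blocks overlap."""
    bad = find_overlaps(nets)
    if bad:
        raise ValueError(f"overlapping subnets: {bad}")
    return ([f"# upstream router: {upstream_forward(1194, tomato_wan_ip)}"]
            + dnsmasq_wins_options(wins_ip) + openvpn_push_options(dns_ip, wins_ip))


if __name__ == "__main__":
    # Constructed addresses: 192.168.1.0/24 main LAN, 192.168.2.0/24 Tomato LAN /
    # VPN range, 192.168.0.0/24 a typical remote client's home LAN. WINS is the
    # Tomato router itself, DNS is the main router.
    ok = {"main_lan": "192.168.1.0/24", "vpn": "192.168.2.0/24", "client_lan": "192.168.0.0/24"}
    for line in plan(ok, tomato_wan_ip="192.168.1.50", dns_ip="192.168.1.1", wins_ip="192.168.2.1"):
        print(line)
    # The mistake from earlier in the thread: VPN range equal to the main LAN.
    print(find_overlaps({"main_lan": "192.168.1.0/24", "vpn": "192.168.1.0/24"}))
```

Run it with the overlapping dictionary and `plan()` raises before emitting anything, which is the behaviour you want from any script that writes router config: the overlap check is the part that catches the double-NAT mistake discussed above, the rest is just the lines to paste.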