
Tomato & OpenVPN

Discussion in 'Tomato Firmware' started by moscito, Nov 16, 2011.

  1. moscito

    moscito Networkin' Nut Member

    Hello,

    I installed Tomato v1.27 on my WRT54GS router with the OpenVPN plugin.
    I set up the VPN configuration and the VPN connection works, as you can see in the log file:

    Code:
    Nov 16 23:43:41 ? daemon.warn openvpn[1724]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Nov 16 23:43:41 ? daemon.warn openvpn[1724]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: Re-using SSL/TLS context
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: LZO compression initialized
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: Control Channel MTU parms [ L:1562 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Nov 16 23:43:41 ? daemon.err openvpn[1724]: RESOLVE: NOTE: nl.gigabit.perfect-privacy.com resolves to 2 addresses, choosing one by random
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: Data Channel MTU parms [ L:1562 D:1300 EF:62 EB:135 ET:0 EL:0 AF:3/1 ]
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: Fragmentation MTU parms [ L:1562 D:1300 EF:61 EB:135 ET:1 EL:0 AF:3/1 ]
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: UDPv4 link local: [undef]
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: UDPv4 link remote: 213.163.64.43:1149
    Nov 16 23:43:41 ? daemon.notice openvpn[1724]: TLS: Initial packet from 213.163.64.43:1149, sid=6c7b846a f5cfc44e
    Nov 16 23:43:41 ? daemon.warn openvpn[1724]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Nov 16 23:43:42 ? daemon.notice openvpn[1724]: VERIFY OK: depth=1, /C=NL/ST=North_Holland/L=Amsterdam/O=PP_Internet_Services/CN=OpenVPN-CA/Email=admin@perfect-privacy.com
    Nov 16 23:43:42 ? daemon.notice openvpn[1724]: VERIFY OK: depth=0, /C=NL/ST=North_Holland/L=Amsterdam/O=PP_Internet_Services/CN=server/Email=admin@perfect-privacy.com
    
    The problem is that the VPN connection works, but I surf with my real IP. What can I do so that the whole traffic is encrypted over the VPN tunnel?

    I also want to set up firewall rules:

    Iptables:
    -----------

    Code:
    ## Set tun device to act as default connection to the Internet.
    ## Notice the -o tun+. This indicates that it is looking for outbound packets on tun+
    iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE
    
    ## Accept all outgoing traffic to the Internet via the tun device
    iptables -I OUTPUT -o tun+ -j ACCEPT
    
    ## Allow all outgoing forwarding connections
    iptables -I FORWARD -o tun+ -j ACCEPT
    
    ## Allow only ESTABLISHED incoming packets.
    ## I guess this is for normal web browsing as you establish a connection first via a HTTP request
    iptables -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    ## Allow all incoming forwarded connections through the tun interface
    iptables -I FORWARD -i tun+ -j ACCEPT
    
    ## Defining specific routes
    iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 40066 -j DNAT --to 192.168.1.102
    Firewall rules:
    -----------------

    Code:
    config rule
    option src lan
    option src_ip 192.168.1.100
    option dest wan
    option proto tcp
    option target REJECT
    
    # UDP
    config rule
    option src lan
    option src_ip 192.168.1.100
    option dest wan
    option proto udp
    option target REJECT
    In which file do I need to enter the iptables and firewall rules? I can't connect to the router with PuTTY (I have set the SSH button in Administration); I can only connect with WinSCP.

    best regards

    moscito
     
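    The log in the post above carries three OpenVPN warnings that are easy to miss between the VERIFY OK lines: no server certificate verification method, a password that may be cached in memory, and a script-security level that lets the config call scripts. The script below is an added example (not code from the thread, from Tomato or from OpenVPN) that checks a client config for those three settings and pulls the server CN out of a log so it can be pinned with verify-x509-name. The two config files and the hostname vpn.example.net are constructed for the demo; the three log lines are copied from the first post.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenVPN client config for the
# three things the router log in the first post warns about, and extract the
# server CN from a log so it can be pinned. Sample configs are constructed;
# the sample log lines are the ones from the first post.

# audit_ovpn_config FILE -> one finding per line on stdout; exit 1 if any.
audit_ovpn_config() {
    cfg="$1"
    findings=0
    # "No server certificate verification method has been enabled": without
    # one, the client accepts any certificate the CA signed, including another
    # client's, so anyone holding a client cert can impersonate the server.
    # tls-remote is the pre-2.3 spelling of verify-x509-name, ns-cert-type the
    # pre-2.1 spelling of remote-cert-tls; all four are accepted here.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|ns-cert-type[[:space:]]+server|verify-x509-name[[:space:]]|tls-remote[[:space:]])' "$cfg"; then
        echo "missing server verification: add 'remote-cert-tls server' (and pin the CN)"
        findings=$((findings + 1))
    fi
    # "this configuration may cache passwords in memory"
    if grep -Eq '^[[:space:]]*auth-user-pass' "$cfg" && ! grep -Eq '^[[:space:]]*auth-nocache' "$cfg"; then
        echo "auth-user-pass without auth-nocache: password stays in process memory"
        findings=$((findings + 1))
    fi
    # "the current --script-security setting may allow this configuration to
    # call user-defined scripts"
    if grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]' "$cfg"; then
        echo "script-security >= 2: directives in this config may execute external scripts"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# server_cn_from_log FILE -> CN of the leaf (depth=0) certificate the client
# accepted, taken from the "VERIFY OK: depth=0" line. Use it as
# 'verify-x509-name <CN> name' (or 'tls-remote <CN>' on older builds).
server_cn_from_log() {
    grep 'VERIFY OK: depth=0' "$1" | sed -n 's/.*\/CN=\([^/]*\).*/\1/p' | head -n 1
}

# Constructed demo inputs (not real configs); vpn.example.net is a placeholder.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG" "$SAMPLE_LOG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1149
ca ca.crt
cert client.crt
key client.key
auth-user-pass
script-security 2
comp-lzo
EOF
cat >"$HARD_CFG" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1149
ca ca.crt
cert client.crt
key client.key
auth-user-pass
auth-nocache
remote-cert-tls server
verify-x509-name server name
comp-lzo
EOF
# Log lines copied from the first post of the thread.
cat >"$SAMPLE_LOG" <<'EOF'
Nov 16 23:43:41 ? daemon.warn openvpn[1724]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 16 23:43:42 ? daemon.notice openvpn[1724]: VERIFY OK: depth=1, /C=NL/ST=North_Holland/L=Amsterdam/O=PP_Internet_Services/CN=OpenVPN-CA/Email=admin@perfect-privacy.com
Nov 16 23:43:42 ? daemon.notice openvpn[1724]: VERIFY OK: depth=0, /C=NL/ST=North_Holland/L=Amsterdam/O=PP_Internet_Services/CN=server/Email=admin@perfect-privacy.com
EOF

echo "weak config:";     audit_ovpn_config "$WEAK_CFG" || true
echo "hardened config:"; audit_ovpn_config "$HARD_CFG" && echo "  no findings"
echo "server CN to pin: $(server_cn_from_log "$SAMPLE_LOG")"
```

    remote-cert-tls server requires the server certificate to carry the TLS server extended key usage, so a client certificate issued by the same CA can no longer stand in for the server; pinning the CN on top of that narrows it to the one server you expect. Nothing in the audit depends on Tomato: the same checks apply to the Windows client config the later posts compare against.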
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Select the "redirect internet traffic" checkbox.

    I think you're confused, though. iptables is the firewall. Enter your iptables commands in the admin->scripts->firewall section of the GUI. Your other stuff, I believe, is specific to OpenWrt and doesn't apply to Tomato.

    With Tomato, you don't put stuff in a file. You configure it in the GUI.
     
  3. moscito

    moscito Networkin' Nut Member

    Hello,

    Thanks for your response. I have already set the option you describe, but it doesn't work for me.
    OK, I will set up the iptables rules in the GUI, but is it possible to block all traffic if the VPN connection breaks?

    Thanks

    regards

    moscito
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First get rid of all of those iptables rules and see if it works for you. Then, if it does, add them back and debug them.

    You could block all non-VPN traffic with a single iptables rule, but get your tunnel working first.
     
  5. lancethepants

    lancethepants Network Guru Member

    Could there be something done in "updown.sh" to remove and restore routes to prevent any traffic from leaving the router except over the VPN? Or perhaps create a custom updown script that will do it and place it in the custom config section.
     
  6. moscito

    moscito Networkin' Nut Member

    Hello,

    I have flashed the firmware again on my router (all iptables rules are deleted), but the connection does not work for me. It connects, but the internet traffic goes out with my real IP.
    What can I do?

    regards
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What version of firmware are you running and where did you get it?
     
  8. moscito

    moscito Networkin' Nut Member

  9. moscito

    moscito Networkin' Nut Member

    Hello,
    Now it works with v1.28 USB Edition. v1.28 adds the route automatically.
    How can I set up the firewall so that all traffic is blocked if the VPN connection breaks?

    The speed is very slow; I only get 2 Mbit, but if I connect to the server with Windows OpenVPN I get 6 Mbit. Is the processor of the WRT54GS too weak?

    regards
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, that's a limitation of the processor.

    Try adding this to the firewall script:
    Code:
    iptables -t filter -I wanout -d ! <vpn server> -j DROP
    replacing "<vpn server>" with the ip or dns name of your VPN server.
     
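    SgtPepperKSU's one-line rule above is the whole kill switch. The script below is an added example (not code from the thread or from Tomato) that wraps that rule in a small firewall-script generator, keeps the tun forwarding rules next to it, and simulates the resulting chain order so that the effect of -I (each new rule lands above the previous ones) is visible before anything touches the router. The chain name wanout is taken from the thread; that it is Tomato's LAN-to-WAN FORWARD sub-chain, and the address 203.0.113.10, are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: generate (and
# optionally apply) a kill switch for Tomato's firewall script.
# Assumptions: "wanout" is the FORWARD sub-chain Tomato uses for LAN->WAN
# traffic (the name comes from the thread); 203.0.113.10 stands in for the
# VPN server address. "! -d" is current iptables syntax; the iptables on a
# 2011 Tomato build wanted "-d !" as written in the post.

VPN_SERVER="${VPN_SERVER:-203.0.113.10}"

# killswitch_rules SERVER -> prints the iptables commands, one per line.
# The DROP lives in wanout, so LAN hosts cannot leave via the real WAN
# except towards the VPN server, while the router's own OpenVPN process
# (OUTPUT chain, not wanout) can still build the tunnel. The tun rules are
# the forwarding/NAT that tunnel-bound traffic needs; they are harmless if
# "redirect internet traffic" already added equivalents.
killswitch_rules() {
    srv="$1"
    printf '%s\n' \
        "iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE" \
        "iptables -I FORWARD -o tun+ -j ACCEPT" \
        "iptables -I FORWARD -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -I wanout ! -d $srv -j DROP"
}

# simulate_chain CHAIN  (commands on stdin) -> final rule order for CHAIN.
# -I inserts at position 1 and -A appends, so the order in which a script
# emits -I rules is the reverse of the order the kernel evaluates them.
simulate_chain() {
    chain="$1"
    result=""
    while IFS= read -r cmd; do
        case "$cmd" in
            *" -I $chain "*) result="$cmd
$result" ;;
            *" -A $chain "*) result="$result
$cmd" ;;
        esac
    done
    printf '%s\n' "$result" | sed '/^$/d'
}

case "${1:-}" in
    --apply)
        # Real run: needs root on the router; each rule is echoed as executed.
        killswitch_rules "$VPN_SERVER" | sh -x
        ;;
    *)
        echo "# rules to paste into Administration -> Scripts -> Firewall"
        killswitch_rules "$VPN_SERVER"
        echo "# evaluation order in FORWARD after insertion:"
        killswitch_rules "$VPN_SERVER" | simulate_chain FORWARD
        ;;
esac
```

    Paste the printed rules into Administration -> Scripts -> Firewall (they are re-applied whenever Tomato rebuilds the firewall, unlike anything done from updown.sh), or run the script with --apply from the router shell. Two caveats a practitioner would check: a hostname in -d is resolved once, when the rule is inserted, and iptables adds one rule per address it gets back (the log in the first post shows the server name resolving to two), so a fixed IP is more robust than a name; and wanout only covers forwarded LAN traffic, so the router's own dnsmasq can still forward LAN DNS queries over the WAN while the tunnel is down, which leaks names even though the browsing traffic itself is blocked.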
  11. moscito

    moscito Networkin' Nut Member

    hello,

    I have tested the iptables command, but it doesn't work for me. If I interrupt the VPN connection, I surf with my original IP. It doesn't block the traffic.

    regards
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Make sure you've typed it correctly. It would block any LAN->Internet traffic, except to the VPN server. Try typing it at the ssh/telnet shell to make sure there aren't syntax errors.
     
  13. moscito

    moscito Networkin' Nut Member

    Hello,
    Thanks for your help. I tested it with an SSH client and there was no syntax error. Now it works for me, but I think I will change to PPTP VPN because I only get 200 kB/s if I use OpenVPN.

    regards
    moscito
     
