
Tomato RAF, site-to-site-(Open)VPN and Radius

Discussion in 'Tomato Firmware' started by plgvie, Jul 5, 2013.

    plgvie (Reformed Router Member)

    Although it's not really a Tomato-related problem but more due to a totally unskilled me, I hope you might help me out anyway:

    I've set up a generally very well working bidirectional VPN-connection between two sites:
    City*): Asus RT-N99U with Tomato RAF = OpenVPN-Server
    Lake**): Linksys E4200 with Tomato RAF = OpenVPN-Client

    As on both sites there are several WiFi-APs (mostly Linksys E4200, E3000 and some WRT54GL all "tomatoed", WPA/WPA2 Enterprise) and we need access for fluctuating visitors, I've set up a Radius Server in order to simplify user-administration.

    At my first attempts people could only connect to APs located at the same (VPN) side as the Radius-server. After some research I found someone with a similar problem and the following solution: "... Turned out that we had to NAT traffic from AP to Radius and then enter local gateway of radius box as a radius client."
    So I set up 10.8.1.0/24 as Client and from that moment onward it has been working, but unfortunately only from one (the wrong) side: If the Radius***)-Server is situated at the VPN-Client side, all users can connect to all APs. If the Radius****)-Server is located at the VPN-Server side and a user wants to connect to an AP situated on the VPN-client site, he seems to get authenticated (Log: "Auth ok") but receives a "no connection possible".

    I'd prefer to have the Radius at the VPN-Server-site due to the fact that there are much more APs and the connection speed to the client site (rural, recreational area) is rather poor.

    Perhaps I'm just missing the "we had to NAT traffic from AP to Radius" from the above mentioned idea, but I've no idea how to do that, or whatever else I've done wrong, so I'd be very grateful for all hints and help to achieve the goal.

    Many thanks in advance
    Peter


    That's the setup so far:

    *) VPN-Server site:
    Start with WAN +
    Interface Type TUN
    Protocol UDP
    Port 1194
    Firewall Auto
    Authorization Mode TLS
    VPN subnet/netmask 10.8.1.0 / 255.255.255.0
    Push LAN to clients +
    Allow Client<->Client +
    Enable Common Name Subnet Netmask Push
    Router-am-See 192.168.30.0 255.255.255.0
    Status:

    Common Name Real Address Virtual Address Bytes Received Bytes Sent Connected Since Connected Since (time_t)
    Router-am-See yy.yyy.yy.105:53400 10.8.1.6 23889336 76165747 Mon Jul 1 16:38:40 2013 1372689520

    Routing Table
    Virtual Address Common Name Real Address Last Ref
    192.168.30.0/24 Router-am-See yy.yyy.yy.105:53400 Mon Jul 1 16:38:41 2013
    10.8.1.6 Router-am-See yy.yyy.yy.105:53400 Mon Jul 1 18:00:00 2013
    192.168.30.72C Router-am-See yy.yyy.yy.105:53400 Mon Jul 1 18:35:25 2013

    Current Routing Table
    Destination Gateway / Next Hop Subnet Mask Metric Interface
    xx.xxx.xxx.1 * 255.255.255.255 0 vlan2 (WAN)
    10.8.1.2 * 255.255.255.255 0 tun21
    192.168.30.0 10.8.1.2 255.255.255.0 0 tun21
    192.168.3.0 * 255.255.255.0 0 br0 (LAN)
    10.8.1.0 10.8.1.2 255.255.255.0 0 tun21
    xx.xxx.xxx.0 * 255.255.255.0 0 vlan2 (WAN)
    127.0.0.0 * 255.0.0.0 0 lo
    default xx.xxx.xxx.1 0.0.0.0 0 vlan2 (WAN)



    **) VPN-Client-Site:

    Start with WAN +
    Interface Type TUN
    Protocol UDP
    Server Address IP/Port yy.yyy.yyy.67:1194
    Firewall Auto
    Authorization Mode TLS
    Username/Password Authentication
    Extra HMAC authorization (tls-auth)
    Create NAT on tunnel -

    General Statistics
    Name Value
    TUN/TAP read bytes 23459026
    TUN/TAP write bytes 73550464
    TCP/UDP read bytes 76094917
    TCP/UDP write bytes 25376305
    Auth read bytes 73556832
    pre-compress bytes 2000527
    post-compress bytes 2008226
    pre-decompress bytes 40469
    post-decompress bytes 54800

    Current Routing Table
    Destination Gateway / Next Hop Subnet Mask Metric Interface
    10.8.1.5 * 255.255.255.255 0 tun11
    yy.yyy.yy.105 * 255.255.255.255 0 ppp0 (WAN)
    10.0.0.138 * 255.255.255.255 0 vlan2 (MAN)
    192.168.30.0 * 255.255.255.0 0 br0 (LAN)
    192.168.3.0 10.8.1.5 255.255.255.0 0 tun11
    10.0.0.0 * 255.255.255.0 0 vlan2 (MAN)
    10.8.1.0 10.8.1.5 255.255.255.0 0 tun11
    127.0.0.0 * 255.0.0.0 0 lo
    default yy.yyy.yy.205 0.0.0.0 0 ppp0 (WAN)
    default 10.0.0.138 0.0.0.0 1 vlan2 (MAN)


    Radius Server
    ***) Qnap239 with Clients 192.168.0.0/16 and 10.8.1.0/24 at VPN-Client site
    ****) Qnap259 with Clients 192.168.0.0/16 and 10.8.1.0/24 at VPN-Server site
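Added example (not part of the post): a small Python model of the two routing tables and the RADIUS client list quoted above. It does a longest-prefix lookup for the RADIUS request (AP to server) and the reply (server to AP) on each side and checks whether the source address the RADIUS server sees falls inside its client entries; the AP and RADIUS host addresses are made up for illustration, and the optional `nat_src` models the "NAT traffic from AP to Radius" idea, where the server would see the tunnel address instead of the AP's LAN address.

```python
import ipaddress

# Routing tables transcribed from the post; WAN host routes omitted.
# Entry: (destination network, next hop or None if on-link, interface).
SERVER_ROUTES = [  # City side, OpenVPN server (tun21)
    ("10.8.1.2/32", None, "tun21"),
    ("192.168.30.0/24", "10.8.1.2", "tun21"),
    ("192.168.3.0/24", None, "br0"),
    ("10.8.1.0/24", "10.8.1.2", "tun21"),
    ("0.0.0.0/0", "xx.xxx.xxx.1 (redacted in post)", "vlan2"),
]
CLIENT_ROUTES = [  # Lake side, OpenVPN client (tun11)
    ("10.8.1.5/32", None, "tun11"),
    ("192.168.30.0/24", None, "br0"),
    ("192.168.3.0/24", "10.8.1.5", "tun11"),
    ("10.0.0.0/24", None, "vlan2"),
    ("10.8.1.0/24", "10.8.1.5", "tun11"),
    ("0.0.0.0/0", "yy.yyy.yy.205 (redacted in post)", "ppp0"),
]
# RADIUS client entries configured on the QNAP, as stated in the post.
RADIUS_CLIENTS = ["192.168.0.0/16", "10.8.1.0/24"]


def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, interface) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, via, iface)
    return None if best is None else (best[1], best[2])


def trace_radius_exchange(ap_ip, radius_ip, ap_side_routes, radius_side_routes, nat_src=None):
    """Route the request (AP -> RADIUS) on the AP's router and the reply
    (RADIUS -> AP) on the RADIUS side, and check the source the server sees
    against the RADIUS client list. nat_src is the post-NAT source, if any."""
    seen_src = nat_src or ap_ip
    accepted = any(ipaddress.ip_address(seen_src) in ipaddress.ip_network(c)
                   for c in RADIUS_CLIENTS)
    return {
        "request": lookup(ap_side_routes, radius_ip),
        "reply": lookup(radius_side_routes, seen_src),
        "client_accepted": accepted,
    }


if __name__ == "__main__":
    # Failing case from the post: RADIUS at the server site, AP at the client site.
    print(trace_radius_exchange("192.168.30.20", "192.168.3.10", CLIENT_ROUTES, SERVER_ROUTES))
```

Both directions resolve to the tunnel interfaces and the AP's LAN address already matches 192.168.0.0/16, which agrees with the "Auth ok" in the log; the model does not cover what happens after authentication succeeds.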