Tomato RAF, site-to-site-(Open)VPN and Radius

Discussion in 'Tomato Firmware' started by plgvie, Jul 5, 2013.

  1. plgvie

    plgvie Networkin' Nut Member

    Although it's not really a Tomato-related problem but more due to a totally unskilled me, I hope you might help me out anyway:

    I've set up a generally very well working bidirectional VPN-connection between two sites:
    City*): Asus RT-N99U with Tomato RAF = OpenVPN-Server
    Lake**): Linksys E4200 with Tomato RAF = OpenVPN-Client

    As on both sites there are several WiFi-APs (mostly Linksys E4200, E3000 and some WRT54GL all "tomatoed", WPA/WPA2 Enterprise) and we need access for fluctuating visitors, I've set up a Radius Server in order to simplify user-administration.

    At my first attempts people could only connect to APs located at the same (VPN) side as the Radius-server. After some research I found someone with a similar problem and the following solution: "... Turned out that we had to NAT traffic from AP to Radius and then enter local gateway of radius box as a radius client."
    So I set that up as Client, and from that moment onward it has been working, but unfortunately only from one (the wrong) side: If the Radius***)-Server is situated at the VPN-Client side, all users can connect to all APs. If the Radius****)-Server is located at the VPN-Server side and a user wants to connect to an AP situated on the VPN-client site, he seems to get authenticated (Log: "Auth ok") but receives a "no connection possible".

    I'd prefer to have the Radius at the VPN-Server-site due to the fact that there are much more APs and the connection speed to the client site (rural, recreational area) is rather poor.

    Perhaps I'm just missing the "we had to NAT traffic from AP to Radius" from the above mentioned idea, but I've no idea how to do that, or whatever else I've done wrong, so I'd be very grateful for all hints and help to achieve the goal.

    Many thanks in advance

    That's the setup so far:

    *) VPN-Server site:
    Start with WAN +
    Interface Type TUN
    Protocol UDP
    Port 1194
    Firewall Auto
    Authorization Mode TLS
    VPN subnet/netmask /
    Push LAN to clients +
    Allow Client<->Client +
    Enable Common Name Subnet Netmask Push

    Common Name Real Address Virtual Address Bytes Received Bytes Sent Connected Since Connected Since (time_t)
    Router-am-See yy.yyy.yy.105:53400 23889336 76165747 Mon Jul 1 16:38:40 2013 1372689520

    Routing Table
    Virtual Address Common Name Real Address Last Ref Router-am-See yy.yyy.yy.105:53400 Mon Jul 1 16:38:41 2013 Router-am-See yy.yyy.yy.105:53400 Mon Jul 1 18:00:00 2013 Router-am-See yy.yyy.yy.105:53400 Mon Jul 1 18:35:25 2013

    Current Routing Table
    Destination Gateway / Next Hop Subnet Mask Metric Interface * 0 vlan2 (WAN) * 0 tun21 0 tun21 * 0 br0 (LAN) 0 tun21 * 0 vlan2 (WAN) * 0 lo
    default 0 vlan2 (WAN)

    **) VPN-Client-Site:

    Start with WAN +
    Interface Type TUN
    Protocol UDP
    Server Address IP/Port yy.yyy.yyy.67:1194
    Firewall Auto
    Authorization Mode TLS
    Username/Password Authentication
    Extra HMAC authorization (tls-auth)
    Create NAT on tunnel -

    General Statistics
    Name Value
    TUN/TAP read bytes 23459026
    TUN/TAP write bytes 73550464
    TCP/UDP read bytes 76094917
    TCP/UDP write bytes 25376305
    Auth read bytes 73556832
    pre-compress bytes 2000527
    post-compress bytes 2008226
    pre-decompress bytes 40469
    post-decompress bytes 54800

    Current Routing Table
    Destination Gateway / Next Hop Subnet Mask Metric Interface * 0 tun11
    yy.yyy.yy.105 * 0 ppp0 (WAN) * 0 vlan2 (MAN) * 0 br0 (LAN) 0 tun11 * 0 vlan2 (MAN) 0 tun11 * 0 lo
    default yy.yyy.yy.205 0 ppp0 (WAN)
    default 1 vlan2 (MAN)

    Radius Server
    ***) Qnap239 with Clients and at VPN-Client site
    ****) Qnap259 with Clients and at VPN-Server site
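The "NAT traffic from AP to Radius" step quoted in the post is, on Tomato, an iptables rule in the router's Firewall script. The following is an added example, not something from the original poster or from the Tomato project: it source-NATs only RADIUS traffic (UDP 1812 for authentication, 1813 for accounting) that leaves the VPN-client router through its tunnel, so the RADIUS server on the far side sees a single client address, namely this router's tunnel endpoint, which is then the address to register as a RADIUS client on the server. The interface name `tun11` is taken from the post's client-side routing table; the LAN subnet and RADIUS server address are placeholders, and the helper names are hypothetical. Whether this alone resolves the "Auth ok" but "no connection possible" behaviour is not established by the thread; the rule merely makes the AP-to-RADIUS path unambiguous and limits the NAT to that one flow rather than NAT-ing the whole tunnel.

```shell
#!/bin/sh
# Added example for a Tomato "Firewall" script on the OpenVPN-client router.
# All three values below are assumptions; adjust them to the real network.
TUN_IF="${TUN_IF:-tun11}"                  # tunnel interface seen in the post's routing table
LAN_NET="${LAN_NET:-192.168.2.0/24}"       # placeholder: LAN where the APs live
RADIUS_IP="${RADIUS_IP:-192.168.1.10}"     # placeholder: RADIUS server on the far side

# Build the POSTROUTING rule body for one RADIUS port.
# Only the two well-known RADIUS ports are accepted, so a typo cannot
# accidentally masquerade unrelated traffic across the tunnel.
radius_nat_rule() {
    port="$1"
    case "$port" in
        1812|1813) ;;
        *) echo "unsupported RADIUS port: $port" >&2; return 1 ;;
    esac
    printf '%s\n' "-o $TUN_IF -p udp -s $LAN_NET -d $RADIUS_IP --dport $port -j MASQUERADE"
}

# Apply both rules idempotently: check with -C first so re-running the
# Firewall script (Tomato runs it on every WAN up) does not stack duplicates.
apply_radius_nat() {
    for p in 1812 1813; do
        rule=$(radius_nat_rule "$p") || return 1
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        iptables -t nat -C POSTROUTING $rule 2>/dev/null \
            || iptables -t nat -A POSTROUTING $rule
    done
}

# Only touch the kernel when actually running on the router as root;
# otherwise the functions are just defined (e.g. when sourcing this file).
if [ "${APPLY_RADIUS_NAT:-0}" = "1" ] && command -v iptables >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
    apply_radius_nat
fi
```

Usage on the router: paste the block into Administration > Scripts > Firewall with `APPLY_RADIUS_NAT=1` set at the top, then confirm with `iptables -t nat -L POSTROUTING -v -n` that the two rules exist and that their packet counters increase when a client authenticates at an AP on this side. On the RADIUS server, the client entry to add is the tunnel address of this router (the `Virtual Address` column of the server's OpenVPN status page), with the same shared secret the APs use; because the traffic still travels inside the TLS-protected tunnel, the RADIUS shared secret is not exposed on the WAN.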