Tomato VPN Client Configuration Problem...

Discussion in 'Tomato Firmware' started by acfc81, Oct 27, 2009.

  1. acfc81

    acfc81 Addicted to LI Member

    Hi, I am trying to configure my WRT54G flashed with the modded VPN-enabled firmware but am not able to use the internet after starting the VPN client...I have recently paid for a VPN service and received 2 certificate files (1 user certificate and the other should be a CA one) and 1 user key file along with 2 OVPN files. The VPN provider provides support for using these files with the OpenVPN client on a local machine but there wasn't any support for configuring a router with a built-in VPN client. I have tried my best to mix and match the details included in the mentioned files to their corresponding fields on my router's VPN Client Configuration page but am still not able to use the internet after starting the VPN Client. Are there any guides available for the VPN Client Configuration page or can anyone help me out? My apologies for sounding a bit dumb but I am a newbie with regards to VPN and would really appreciate some help... :wall: ...Thanks in advance! :)
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can SSH/telnet to the router, output the contents of /etc/openvpn/client1/config.ovpn, and compare with the provided ovpn files.

    You should have the NAT checkbox on the client configuration checked, if you don't already.
     
  3. acfc81

    acfc81 Addicted to LI Member

    Hi...I executed the ls command and received 'ls: /etc/openvpn/client1/: No such file or directory' via SSH...It seems that the client1 directory does not exist..Am I typing the wrong commands as I am unfamiliar with SSH and Telnet commands in BusyBox..still picking my way through the commands via the BusyBox online documentation...
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, I meant to mention that you have to have the client started when you look at the config file (it doesn't have to actually connect).
     
  5. acfc81

    acfc81 Addicted to LI Member

    Right...understood...I am not home at the moment so will try it out later...However, how do I actually open the config file for viewing via SSH / Telnet? Sorry for the newbie question again... :-S ...And yes I did have the NAT checkbox checked all along...Thanks again...
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Code:
    cat /etc/openvpn/client1/config.ovpn
     
  7. acfc81

    acfc81 Addicted to LI Member

    Hi...Thanks for the help...I have managed to view the contents of config.ovpn on my router and have compared them against the ovpn file provided to me by my VPN provider and have found a few differences. The config.ovpn file from my router contains the following:
    # Automatically generated configuration
    daemon
    client
    dev tun11
    proto udp
    remote 94.23.114.100 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    comp-lzo no
    cipher none
    verb 3
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status

    # Custom Configuration

    The ovpn file sent by my VPN provider contains the following:
    client
    dev tun
    proto udp
    cipher none

    # Server List
    remote 94.23.114.100 1194

    resolv-retry infinite
    nobind

    persist-key
    persist-tun

    ns-cert-type server

    verb 1

    mute 20

    ca ca.crt
    cert pri-user.crt
    key pri-user.key

    I notice that the differences are the verb 1, mute 20 and comp-lzo no settings...I have tried changing the settings on the client configuration page but still get disconnected from the internet every time I start the VPN client with these settings. Am I putting the wrong settings here? I have Firewall = Automatic, Authorization Mode = TLS, Extra HMAC authorization (tls-auth) = Disabled, Create NAT on tunnel checked, Redirect Internet traffic checked, Accept DNS configuration checked, Encryption cipher = none, Compression = Disabled, Connection retry = -1, Custom Configuration = blank and all the relevant crt and key files in place. The Certificate Authority and Client Certificate contain the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- of each respective file while the Client Key contains the contents between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----...Are there any additional settings that need to be in place or have I done something really dumb here? :-S ... Thanks again...
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    When you are connected, can you ping IP addresses (eg, 64.233.169.105) from connected computers? From the router itself? Can you ping DNS names (eg, google.com) from connected computers? From the router itself?
    Can you post the router logs from when you try to connect?
     
  9. acfc81

    acfc81 Addicted to LI Member

    Hi...My router logs upon VPN connection are detailed below:
    Oct 29 00:04:45 Router daemon.notice openvpn[393]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jul 9 2009
    Oct 29 00:04:45 Router daemon.warn openvpn[393]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 29 00:04:45 Router daemon.warn openvpn[393]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 29 00:04:46 Router daemon.notice openvpn[393]: LZO compression initialized
    Oct 29 00:04:46 Router daemon.notice openvpn[393]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Oct 29 00:04:46 Router daemon.notice openvpn[393]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Oct 29 00:04:46 Router daemon.notice openvpn[397]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Oct 29 00:04:46 Router daemon.notice openvpn[397]: UDPv4 link local: [undef]
    Oct 29 00:04:46 Router daemon.notice openvpn[397]: UDPv4 link remote: 94.23.114.100:1194
    Oct 29 00:04:46 Router daemon.notice openvpn[397]: TLS: Initial packet from 94.23.114.100:1194, sid=f4c395d1 b08b552f
    Oct 29 00:04:48 Router daemon.notice openvpn[397]: VERIFY OK: depth=1, /C=MY/ST=WP/L=KualaLumpur/O=VPNService/OU=CertAuth/CN=VPN-Server/Email=admin.gar@gmail.com
    Oct 29 00:04:48 Router daemon.notice openvpn[397]: VERIFY OK: depth=0, /C=MY/ST=WP/O=VPNService/CN=server/Email=admin.gar@gmail.com
    Oct 29 00:04:49 Router daemon.err openvpn[397]: event_wait : Interrupted system call (code=4)
    Oct 29 00:04:54 Router daemon.notice openvpn[397]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 29 00:04:54 Router daemon.notice openvpn[397]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 29 00:04:54 Router daemon.notice openvpn[397]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 29 00:04:54 Router daemon.notice openvpn[397]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 29 00:04:54 Router daemon.notice openvpn[397]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Oct 29 00:04:54 Router daemon.notice openvpn[397]: [server] Peer Connection Initiated with 94.23.114.100:1194
    Oct 29 00:04:55 Router daemon.notice openvpn[397]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,ping 20,ping-restart 60,ifconfig 10.10.11.6 10.10.11.5'
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: OPTIONS IMPORT: timers and/or timeouts modified
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: OPTIONS IMPORT: --ifconfig/up options modified
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: OPTIONS IMPORT: route options modified
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: TUN/TAP device tun11 opened
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: TUN/TAP TX queue length set to 100
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: /sbin/ifconfig tun11 10.10.11.6 pointopoint 10.10.11.5 mtu 1500
    Oct 29 00:04:56 Router daemon.notice openvpn[397]: updown.sh tun11 1500 1542 10.10.11.6 10.10.11.5 init
    Oct 29 00:04:57 Router daemon.info dnsmasq[101]: exiting on receipt of SIGTERM
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: started, version 2.49 cachesize 150
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-TFTP
    Oct 29 00:04:57 Router daemon.info dnsmasq-dhcp[423]: DHCP, IP range 192.168.2.1 -- 192.168.2.1, lease time 7d
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: reading /etc/resolv.dnsmasq
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: using nameserver 202.188.0.182#53
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: using nameserver 202.188.1.5#53
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: using nameserver 202.188.0.133#53
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: using nameserver 208.67.222.222#53
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: read /etc/hosts - 0 addresses
    Oct 29 00:04:57 Router daemon.info dnsmasq[423]: read /etc/hosts.dnsmasq - 14 addresses
    Oct 29 00:04:58 Router daemon.notice openvpn[397]: /sbin/route add -net 94.23.114.100 netmask 255.255.255.255 gw 219.93.218.177
    Oct 29 00:04:58 Router daemon.notice openvpn[397]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.10.11.5
    Oct 29 00:04:58 Router daemon.notice openvpn[397]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.10.11.5
    Oct 29 00:04:58 Router daemon.notice openvpn[397]: Initialization Sequence Completed
    Oct 29 00:05:56 Router daemon.notice openvpn[397]: [server] Inactivity timeout (--ping-restart), restarting
    Oct 29 00:05:56 Router daemon.notice openvpn[397]: TCP/UDP: Closing socket
    Oct 29 00:05:56 Router daemon.notice openvpn[397]: SIGUSR1[soft,ping-restart] received, process restarting
    Oct 29 00:05:56 Router daemon.notice openvpn[397]: Restart pause, 2 second(s)
    Oct 29 00:05:58 Router daemon.warn openvpn[397]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 29 00:05:58 Router daemon.warn openvpn[397]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 29 00:05:58 Router daemon.notice openvpn[397]: Re-using SSL/TLS context
    Oct 29 00:05:58 Router daemon.notice openvpn[397]: LZO compression initialized
    Oct 29 00:05:58 Router daemon.notice openvpn[397]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Oct 29 00:05:58 Router daemon.notice openvpn[397]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Oct 29 00:05:58 Router daemon.notice openvpn[397]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Oct 29 00:05:58 Router daemon.notice openvpn[397]: UDPv4 link local: [undef]
    Oct 29 00:05:58 Router daemon.notice openvpn[397]: UDPv4 link remote: 94.23.114.100:1194
    Oct 29 00:05:58 Router daemon.notice openvpn[397]: TLS: Initial packet from 94.23.114.100:1194, sid=c6f35dd6 82b84c09
    Oct 29 00:05:59 Router daemon.notice openvpn[397]: VERIFY OK: depth=1, /C=MY/ST=WP/L=KualaLumpur/O=VPNService/OU=CertAuth/CN=VPN-Server/Email=admin.gar@gmail.com
    Oct 29 00:05:59 Router daemon.notice openvpn[397]: VERIFY OK: depth=0, /C=MY/ST=WP/O=VPNService/CN=server/Email=admin.gar@gmail.com
    Oct 29 00:06:04 Router daemon.notice openvpn[397]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 29 00:06:04 Router daemon.notice openvpn[397]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 29 00:06:04 Router daemon.notice openvpn[397]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 29 00:06:04 Router daemon.notice openvpn[397]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 29 00:06:04 Router daemon.notice openvpn[397]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Oct 29 00:06:04 Router daemon.notice openvpn[397]: [server] Peer Connection Initiated with 94.23.114.100:1194
    Oct 29 00:06:05 Router daemon.notice openvpn[397]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Oct 29 00:06:05 Router daemon.notice openvpn[397]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,ping 20,ping-restart 60,ifconfig 10.10.11.6 10.10.11.5'
    Oct 29 00:06:05 Router daemon.notice openvpn[397]: OPTIONS IMPORT: timers and/or timeouts modified
    Oct 29 00:06:05 Router daemon.notice openvpn[397]: OPTIONS IMPORT: --ifconfig/up options modified
    Oct 29 00:06:05 Router daemon.notice openvpn[397]: OPTIONS IMPORT: route options modified
    Oct 29 00:06:05 Router daemon.notice openvpn[397]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Oct 29 00:06:05 Router daemon.notice openvpn[397]: Preserving previous TUN/TAP instance: tun11
    Oct 29 00:06:05 Router daemon.notice openvpn[397]: Initialization Sequence Completed
    Oct 29 00:06:11 Router daemon.err openvpn[397]: event_wait : Interrupted system call (code=4)
    Oct 29 00:06:17 Router daemon.err openvpn[397]: event_wait : Interrupted system call (code=4)
    Oct 29 00:06:21 Router daemon.info dnsmasq-dhcp[423]: DHCPINFORM(br0) 192.168.2.255 00:21:70:8b:e8:26
    Oct 29 00:06:21 Router daemon.info dnsmasq-dhcp[423]: DHCPACK(br0) 192.168.2.255 00:21:70:8b:e8:26 PC-PC

    I can't ping either IP addresses or DNS names from my PC or from the router itself... Thanks again for all your help!
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Can you ping 10.10.11.5? What if you try to traceroute it and the IP previously given?
    Can you provide the routing table when the client is connected (webGUI->advanced->routing)?
     
  11. acfc81

    acfc81 Addicted to LI Member

    Hi...I can't ping 10.10.11.5 or 64.233.169.105 and trace returns no results for both the IPs when I run them both from the router...My routing table when connected is as follows:

    Destination     Gateway         Subnet Mask      Metric  Interface
    219.93.218.177  *               255.255.255.255  0       ppp0
    94.23.114.100   219.93.218.177  255.255.255.255  0       ppp0
    10.10.11.5      *               255.255.255.255  0       tun11
    192.168.2.0     *               255.255.255.0    0       br0 (LAN)
    127.0.0.0       *               255.0.0.0        0       lo
    default         10.10.11.5      128.0.0.0        0       tun11
    128.0.0.0       10.10.11.5      128.0.0.0        0       tun11
    default         219.93.218.177  0.0.0.0          0       ppp0
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That looks fine. Could you provide the output of
    Code:
    iptables -vnL -t nat
    ?
     
  13. acfc81

    acfc81 Addicted to LI Member

    Hi...iptables -vnL -t nat returns:

    # iptables -vnL -t nat
    Chain PREROUTING (policy ACCEPT 16445 packets, 1797K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP 0 -- ppp+ * 0.0.0.0/0 192.168.2.0/24
    23 1472 DNAT icmp -- * * 0.0.0.0/0 60.48.180.206 to:192.168.2.1

    Chain POSTROUTING (policy ACCEPT 899 packets, 61484 bytes)
    pkts bytes target prot opt in out source destination
    52 2956 MASQUERADE 0 -- * tun11 192.168.2.0/24 0.0.0.0/0
    7261 706K MASQUERADE 0 -- * ppp+ 0.0.0.0/0 0.0.0.0/0
    471 33236 MASQUERADE 0 -- * br0 192.168.2.0/24 192.168.2.0/24

    Chain OUTPUT (policy ACCEPT 2733 packets, 184K bytes)
    pkts bytes target prot opt in out source destination
    #

    Thanks again! :)
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Everything looks fine. What version of firmware are you using?
     
  15. acfc81

    acfc81 Addicted to LI Member

    Hi...I am using Tomato Firmware v1.25.8515...Are there any other settings that may be causing the VPN connection to fail? When I run the OpenVPN software from my machine, the VPN connection succeeds but whenever I start the VPN client on the router, the internet connection fails...Could the settings that I have in my DHCP / DNS Server section of the router have any effect? I have Use Internal Caching DNS Forwarder checked, Use Received DNS With Static DNS checked, Intercept DNS Port (UDP 53) unchecked, Maximum Active DHCP Leases = 255, Static Lease Time = Infinite, Dnsmasq Custom Configuration = strict-order and Reduce Packet Size unchecked. Would I also need to put any additional settings on my Port Forwarding section or even any proxy settings on my physical machine? Thanks again!
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't know what version of the VPN GUI v1.25.8515 uses (which mod is that?). How many options does your "Compression" drop-down box have? There should be "Disabled", "None", "Enabled", and "Adaptive". If it is missing a "None" option (even though you want to select "Disabled"), your version is too old and won't work with your VPN provider.
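    The diagnosis above (and the side-by-side config comparison earlier in the thread) can be checked mechanically. The following is an added example, not code from the thread or from the Tomato project: it diffs the data-channel directives of the two configs and measures the "handshake succeeds, then ping-restart" gap in the router log. The directive list and the log heuristic are the editor's own; the sample configs and log lines are constructed from the ones quoted in the thread.

```python
"""Added example, not from the thread or the Tomato project: compare the
router's generated OpenVPN client config with the provider's .ovpn and flag
data-channel mismatches, then check a router log for the 'TLS completes but
nothing flows' signature. Directive list and log heuristic are the editor's;
sample inputs are constructed from the configs and log quoted in the thread."""
from datetime import datetime

# Both peers must agree on these or TLS succeeds yet every data packet is
# dropped. 'comp-lzo no' still prepends the compression framing byte, so a
# peer with no comp-lzo line at all (the GUI's "None") is NOT equivalent.
DATA_CHANNEL = ("proto", "cipher", "auth", "comp-lzo", "tls-auth")

def parse_ovpn(text):
    """Map directive -> argument string, skipping comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, arg = line.partition(" ")
            opts[name] = arg.strip()
    return opts

def data_channel_mismatches(router_cfg, provider_cfg):
    """[(directive, router_value, provider_value)] where values differ;
    None marks a directive that is absent on that side."""
    r, p = parse_ovpn(router_cfg), parse_ovpn(provider_cfg)
    return [(d, r.get(d), p.get(d)) for d in DATA_CHANNEL if r.get(d) != p.get(d)]

def silent_tunnel_seconds(log_lines):
    """Seconds between 'Initialization Sequence Completed' and the first
    --ping-restart timeout, or None. A handshake that succeeds and then
    times out with no traffic is the classic mismatch symptom."""
    started = None
    for line in log_lines:
        try:                       # syslog prefix: 'Oct 29 00:04:58 ...'
            t = datetime.strptime(line.split()[2], "%H:%M:%S")
        except (IndexError, ValueError):
            continue
        if "Initialization Sequence Completed" in line:
            started = t
        elif "--ping-restart" in line and started is not None:
            return int((t - started).total_seconds())
    return None

# Constructed from the two configs and the log quoted in the thread.
ROUTER_CFG = "daemon\nclient\ndev tun11\nproto udp\nremote 94.23.114.100 1194\ncomp-lzo no\ncipher none\nca ca.crt\n"
PROVIDER_CFG = "client\ndev tun\nproto udp\ncipher none\n# Server List\nremote 94.23.114.100 1194\nns-cert-type server\nca ca.crt\n"
ROUTER_LOG = [
    "Oct 29 00:04:58 Router daemon.notice openvpn[397]: Initialization Sequence Completed",
    "Oct 29 00:05:56 Router daemon.notice openvpn[397]: [server] Inactivity timeout (--ping-restart), restarting",
]

if __name__ == "__main__":
    print(data_channel_mismatches(ROUTER_CFG, PROVIDER_CFG))  # [('comp-lzo', 'no', None)]
    print(silent_tunnel_seconds(ROUTER_LOG))                  # 58
```

    The only data-channel difference it reports is the router's explicit `comp-lzo no` against the provider's absence of any compression directive, which matches the log's "LZO compression initialized" line followed by a ping-restart 58 seconds after the tunnel came up.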
     
  17. acfc81

    acfc81 Addicted to LI Member

    Hi...I am specifically using Tomato Version 1.25.8515 .5 RAF ND Thor MOD...My Compression dropdown list only has Enabled, Disabled and Adaptive...yikes...I suppose I would need to upgrade my firmware?? :-(
     
  18. acfc81

    acfc81 Addicted to LI Member

    Hi...I am curious as to what version of the firmware I should be upgrading to, as the latest Thor mod is Tomato 1.25.8515 .7 v6 which uses vpn 3.3, which is the same as the vpn version that I am currently using based on the About page on my router (OpenVPN & Interface v3.3 (Keith Moyer's implementation))?...Apart from that, I am currently using OpenVPN 2.1 RC19 on my local machine to connect and there are no issues with this...Thanks!
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It will need to be something with vpn3.4 included. If Thor hasn't included that in any of his builds, then his mod won't work with this VPN provider.
     
  20. acfc81

    acfc81 Addicted to LI Member

    Hi...Thanks so much for the advice...It looks like I will either have to wait for an updated firmware from Thor or choose to use another mod of the Tomato firmware... :)
     