
Tomato VPN connection is established but cannot ping

Discussion in 'Tomato Firmware' started by jgoo, Jan 13, 2010.

  1. jgoo

    jgoo Addicted to LI Member

    Hi Everyone,

    I need some help.

    I'm brand new to the Tomato firmware. I'm running a test environment (that needs to go production), with 2 Linksys WRT54GL routers that are both running the TomatoVPN 1.25vpn3.4 firmware.

    They're both on public IPs for the WAN connection.
    Router A has the 192.168.10.0 subnet behind it (with my test server)
    Router B has the 192.168.9.0 subnet behind it (with my test laptop)

    The only change I made to the default settings was to use TAP instead of TUN.

    I've used the OpenVPN software to generate CA, Server, and Client Certificates & Keys. The VPN tunnel establishes just fine. Both routers say the VPN tunnel is connected.

    But when I try to ping from my laptop to my server, I get a request timed out. I am also not able to remote desktop or access any of the file shares.

    When I try to ping using the tools on Router B to any 192.168.10.x address (including the internal address of Router A), it doesn't work either.

    Can someone please tell me what I'm missing or doing wrong?

    I really appreciate it!
     
  2. TurtleFang

    TurtleFang Addicted to LI Member

    Any reason why you're using TAP with two different subnets?

    Think you should use TUN, and push the routes.

    Do your logs show the remote routes getting pushed across?

    Hope this helps,
    -TurtleFang
     
  3. jgoo

    jgoo Addicted to LI Member

    Well, I thought that I needed to use TAP for Windows File Sharing & RDP.

    I tried using TUN instead, specifying the VPN subnet as 192.168.9.0/24.

    Now, from my laptop on the 192.168.9.0 subnet, I am able to ping the inside interface of Router A on the 192.168.10.0 subnet (192.168.10.254). But I am still not able to ping the address of my server (192.168.10.2).

    I tried adding a static route on my laptop:
    route add 192.168.10.0 mask 255.255.255.0 192.168.10.254
    But it still didn't work.

    I am also not able to ping the server from the ping tools on Router B.

    Am I still missing something?
     
  4. jgoo

    jgoo Addicted to LI Member

    Here are the last 25 logs on Router A (the server side):

    Jan 14 17:31:19 unknown daemon.notice openvpn[1516]: UDPv4 link local (bound): [undef]:1194
    Jan 14 17:31:19 unknown daemon.notice openvpn[1516]: UDPv4 link remote: [undef]
    Jan 14 17:31:19 unknown daemon.notice openvpn[1516]: MULTI: multi_init called, r=256 v=256
    Jan 14 17:31:19 unknown daemon.notice openvpn[1516]: IFCONFIG POOL: base=192.168.8.4 size=62
    Jan 14 17:31:19 unknown daemon.notice openvpn[1516]: Initialization Sequence Completed
    Jan 14 17:31:24 unknown daemon.err openvpn[1516]: event_wait : Interrupted system call (code=4)
    Jan 14 17:31:57 unknown daemon.notice openvpn[1516]: MULTI: multi_create_instance called
    Jan 14 17:31:57 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Re-using SSL/TLS context
    Jan 14 17:31:57 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 LZO compression initialized
    Jan 14 17:31:57 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jan 14 17:31:57 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan 14 17:31:57 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 TLS: Initial packet from 72.253.42.131:2050, sid=cdac5a7a dc5077af
    Jan 14 17:31:59 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 VERIFY OK: depth=1, /C=US/ST=HI/L=Honolulu/O=TomatoVPN/OU=OpihiNet/CN=OpihiVPN/Email=jgoo@opihinet.com
    Jan 14 17:31:59 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 VERIFY OK: depth=0, /C=US/ST=HI/O=TomatoVPN/OU=OpihiNet/CN=Client1/Email=jgoo@opihinet.com
    Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 [Client1] Peer Connection Initiated with 72.253.42.131:2050
    Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: Client1/72.253.42.131:2050 MULTI: Learn: 192.168.8.6 -> Client1/72.253.42.131:2050
    Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: Client1/72.253.42.131:2050 MULTI: primary virtual IP for Client1/72.253.42.131:2050: 192.168.8.6
    Jan 14 17:32:01 unknown daemon.notice openvpn[1516]: Client1/72.253.42.131:2050 PUSH: Received control message: 'PUSH_REQUEST'
    Jan 14 17:32:01 unknown daemon.notice openvpn[1516]: Client1/72.253.42.131:2050 SENT CONTROL [Client1]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 192.168.8.1,topology net30,ping 15,ping-restart 60,ifconfig 192.168.8.6 192.168.8.5' (status=1)
    Jan 14 17:32:06 unknown daemon.err openvpn[1516]: event_wait : Interrupted system call
     
  5. jgoo

    jgoo Addicted to LI Member

    Well, I finally got it to work!!

    What I did was put it back on TAP (Both Routers), and put both the server side and the client side on the SAME subnet (192.168.10.0), and turned off NATing.

    So essentially the VPN tunnel is just a big bridged network now, which works fine for me anyway. I don't need separate subnets. Although I am curious as to why it didn't work with TUN on separate subnets. This should be good enough to deploy to my client.
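
Added example, not code from this thread or from the Tomato/OpenVPN projects: a Python script that reads OpenVPN server log lines in the format of the Router A excerpt in post 4, extracts what the server pushed to the client and what the data channel negotiated, and checks the point post 5 is curious about. With TUN and two different LAN subnets, the pushed `route 192.168.10.0 255.255.255.0` only covers the direction from Router B's LAN to Router A's LAN; for replies from hosts behind Router A to get back into the tunnel, Router A also needs a kernel `route` for 192.168.9.0/24 plus an `iroute` for that LAN in the client's ccd entry. The sample log lines are copied from post 4; the two server-side config texts are constructed for illustration, since the thread never shows Router A's configuration.

```python
"""Parse an OpenVPN server log (format as in the Router A excerpt) and check a
TUN site-to-site setup for routes in both directions.  Added example, not code
from the thread or from the Tomato/OpenVPN projects."""
import ipaddress
import re

# Sample input: lines copied from the Router A log posted in the thread.
SAMPLE_LOG = """\
Jan 14 17:31:59 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 VERIFY OK: depth=1, /C=US/ST=HI/L=Honolulu/O=TomatoVPN/OU=OpihiNet/CN=OpihiVPN/Email=jgoo@opihinet.com
Jan 14 17:31:59 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 VERIFY OK: depth=0, /C=US/ST=HI/O=TomatoVPN/OU=OpihiNet/CN=Client1/Email=jgoo@opihinet.com
Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 14 17:32:00 unknown daemon.notice openvpn[1516]: 72.253.42.131:2050 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Jan 14 17:32:01 unknown daemon.notice openvpn[1516]: Client1/72.253.42.131:2050 SENT CONTROL [Client1]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 192.168.8.1,topology net30,ping 15,ping-restart 60,ifconfig 192.168.8.6 192.168.8.5' (status=1)
"""

# Constructed (the thread never shows Router A's config): what the pushed
# options in the log imply the server had, with no return route to Router B's LAN.
ROUTER_A_CONFIG_AS_LOGGED = """\
server 192.168.8.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
"""

# Constructed: the same server with the return path added.  The 'iroute' line
# belongs in the per-client file ccd/Client1; it is shown inline here.
ROUTER_A_CONFIG_SITE_TO_SITE = """\
server 192.168.8.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
route 192.168.9.0 255.255.255.0     # kernel: send 192.168.9.0/24 into the tun device
client-config-dir ccd
# ccd/Client1:
iroute 192.168.9.0 255.255.255.0    # openvpn: 192.168.9.0/24 lives behind Client1
"""

PUSH_RE = re.compile(r"SENT CONTROL \[(?P<client>[^\]]+)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")
CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher '(?P<cipher>[^']+)' initialized with (?P<bits>\d+) bit key")
CONTROL_RE = re.compile(r"Control Channel: .*?, (?P<rsa>\d+) bit RSA")
VERIFY_RE = re.compile(r"VERIFY OK: depth=(?P<depth>\d+), .*?/CN=(?P<cn>[^/]+)")


def parse_log(text):
    """Pull per-client PUSH_REPLY options, negotiated crypto and verified CNs."""
    info = {"push": {}, "cipher": None, "rsa_bits": None, "chain": {}}
    for line in text.splitlines():
        if m := PUSH_RE.search(line):
            info["push"][m["client"]] = m["opts"].split(",")
        elif m := CIPHER_RE.search(line):
            info["cipher"] = (m["cipher"], int(m["bits"]))
        elif m := CONTROL_RE.search(line):
            info["rsa_bits"] = int(m["rsa"])
        elif m := VERIFY_RE.search(line):
            info["chain"][int(m["depth"])] = m["cn"]
    return info


def option_networks(options, keyword):
    """Networks named by 'route'/'iroute' options ('#' comments stripped).
    A missing netmask is a host route (255.255.255.255), as OpenVPN reads it."""
    nets = []
    for opt in options:
        parts = opt.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == keyword:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def site_to_site_findings(pushed_options, server_config, server_lan, client_lan):
    """What is missing for traffic to flow both ways through a TUN tunnel."""
    server_lan = ipaddress.ip_network(server_lan)
    client_lan = ipaddress.ip_network(client_lan)
    findings = []
    # Direction 1, client LAN -> server LAN: the client needs a route for the
    # server's LAN via the tunnel; that is what the pushed 'route' provides.
    if not any(n.supernet_of(server_lan) for n in option_networks(pushed_options, "route")):
        findings.append(f"client was not pushed a route to {server_lan}")
    # Direction 2, server LAN -> client LAN: replies need a kernel route into the
    # tun device ('route') AND OpenVPN's own mapping of that LAN to the client
    # ('iroute'); with the kernel route but no iroute, OpenVPN drops the packets.
    cfg = server_config.splitlines()
    if client_lan not in option_networks(cfg, "route"):
        findings.append(f"server has no 'route {client_lan}': its kernel will not send that LAN into the tunnel")
    if client_lan not in option_networks(cfg, "iroute"):
        findings.append(f"server has no 'iroute {client_lan}' for this client: OpenVPN will not forward that LAN to it")
    return findings


def crypto_findings(info):
    """Flag negotiated parameters that are below current recommendations."""
    findings = []
    if info["cipher"] and info["cipher"][0].upper().startswith("BF-"):
        findings.append(f"data channel cipher {info['cipher'][0]}: Blowfish has a 64-bit block size")
    if info["rsa_bits"] and info["rsa_bits"] < 2048:
        findings.append(f"{info['rsa_bits']}-bit RSA is below the 2048-bit minimum recommended today")
    return findings


if __name__ == "__main__":
    info = parse_log(SAMPLE_LOG)
    for name, cfg in (("as logged", ROUTER_A_CONFIG_AS_LOGGED), ("site-to-site", ROUTER_A_CONFIG_SITE_TO_SITE)):
        print(name, site_to_site_findings(info["push"]["Client1"], cfg, "192.168.10.0/24", "192.168.9.0/24"))
    print(crypto_findings(info))
```

Run as-is it reports two findings against the as-logged config (no `route` and no `iroute` for 192.168.9.0/24) and none against the site-to-site one. The checks cover only the two routers: the host at 192.168.10.2 must also send its replies to Router A (default gateway 192.168.10.254 or a static route), and its host firewall must accept traffic from outside 192.168.10.0/24; the thread does not establish either of those. `crypto_findings` flags the BF-CBC data channel and 1024-bit RSA visible in the log, which were OpenVPN's defaults at the time but are below what is recommended today.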
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member
