
TomatoVPN Connected - Client Cannot Get to Internet

Discussion in 'Tomato Firmware' started by jgoo, Jan 27, 2010.

  1. jgoo

    jgoo Addicted to LI Member

    Hi Everyone,

    I've just deployed the TomatoVPN 1.25vpn3 on Linksys WRT54GL routers for one of my clients. I am using TAP (rather than TUN), since everything is on the same subnet.
    The computers at Site A are 192.168.1.50 - .53.
    The computer at Site B is 192.168.1.201
    Router A is 192.168.1.1
    Router B is 192.168.1.254
    Under the VPN tab on Router A, I define the client address range as 192.168.1.201-.210


    The VPN tunnel establishes correctly according to the routers on both ends.

    However, when the tunnel is established, the client computer (at site B) cannot surf the Internet! In fact, it cannot even ping the router!

    As soon as I turn off the VPN, the client computer is able to connect to the Internet again. So something in the VPN config must be interfering with Internet routing, but I can't find anything to explain why.

    The "Redirect Internet Traffic" checkbox on the Advanced tab is NOT checked.

    Can anyone tell me what I'm doing wrong?
     
  2. dougisfunny

    dougisfunny LI Guru Member

    I would guess it would be from confusion of where the gateway is.
    What are the route tables?
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try changing the client address range to an unused range. If it ended up with the same IP address on both interfaces and they didn't both go where it expected, it could very well confuse it.

    Are you using Static Key or TLS?

    But, I agree with dougisfunny. The most useful information is what the routing table looks like on the client when it is connected. On Windows, that can be gathered by running "route print" from a command prompt.
     
  4. jgoo

    jgoo Addicted to LI Member

    Okay, I changed the client range to: 192.168.1.210 - .219

    That seems to have done the trick. The client seems to be able to connect to the Internet now, and is still able to access the main site.

    I was confused, I thought since it said "Client Range", that the range needed to match whatever range was at the client site. But I guess this creates conflicts and they actually shouldn't overlap?
     
  5. jgoo

    jgoo Addicted to LI Member

    Thanks for your help guys.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad it's working.

    The "Client Address Pool" is the range of addresses that will be given to the VPN interface on the clients. Note that this refers to the actual VPN client, not any computers that are on a network beyond that client (if client is a router). Also note that this refers to the actual VPN interface, and it's up to the client to decide how it wants to relate that to existing network devices (which may have different IP addresses or may be bridged into a single virtual device, etc).

    I really do need to get around to making a setting-by-setting description blog post. However, in the meantime, there's this slightly out-of-date forum post.
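
Added example, not part of any post in this thread and not TomatoVPN code: a pre-deployment check that flags addresses already in use on the bridged subnet that fall inside a proposed client address range. The function names and host labels are hypothetical; the addresses and both ranges are the ones quoted in the thread.

```python
import ipaddress

def parse_range(text):
    """Parse 'A.B.C.D-.E' or 'A.B.C.D - A.B.C.E' into (first, last)."""
    start_s, end_s = (part.strip() for part in text.split("-", 1))
    first = ipaddress.IPv4Address(start_s)
    if end_s.startswith("."):
        # Shorthand as written in the thread: only the last octet is given.
        end_s = start_s.rsplit(".", 1)[0] + end_s
    last = ipaddress.IPv4Address(end_s)
    if last < first:
        raise ValueError(f"range end {last} is below start {first}")
    return first, last

def pool_conflicts(pool_text, in_use):
    """Return {label: address} for every known host inside the range."""
    first, last = parse_range(pool_text)
    hits = {}
    for label, addr in in_use.items():
        ip = ipaddress.IPv4Address(addr)
        if first <= ip <= last:
            hits[label] = str(ip)
    return hits

# Addresses quoted in the first post (labels are hypothetical).
IN_USE = {
    "Router A": "192.168.1.1",
    "Router B": "192.168.1.254",
    "Site A PC 1": "192.168.1.50",
    "Site A PC 2": "192.168.1.51",
    "Site A PC 3": "192.168.1.52",
    "Site A PC 4": "192.168.1.53",
    "Site B PC": "192.168.1.201",
}

if __name__ == "__main__":
    # The original range and the range that resolved the problem.
    for pool in ("192.168.1.201-.210", "192.168.1.210 - .219"):
        hits = pool_conflicts(pool, IN_USE)
        status = "conflicts: " + ", ".join(
            f"{k} ({v})" for k, v in hits.items()) if hits else "no conflicts"
        print(f"{pool}: {status}")
```
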
     
