
TomatoVPN LAN to LAN Bridge Inside of LAN?

Discussion in 'Tomato Firmware' started by Sean L, Jan 18, 2012.

  1. Sean L

    Sean L Networkin' Nut Member

    Hello,

    I'm new to Tomato and TomatoVPN and have little LAN experience outside of setting up Airport base stations.

    I've currently got an Apple Airport Extreme connected to my cable modem and acting as my router (192.168.1.1) handing out IP addresses from 192.168.1.2-192.168.1.150 in Texas.

    I'd like to set up a Linksys WRT54GL as a TomatoVPN server to bridge my main LAN in Texas with a LAN in Oklahoma.

    The LAN in Oklahoma would have a WRT54GL as a TomatoVPN client connected to a DSL modem.

    My desired end state is computers on both LANs can interact with each other as if they were on the same LAN. From what little reading I've done, I think the VPN server would have to support tap in order to allow things like an iPad on one LAN to control or view content on a DirecTV DVR or TiVo on the other LAN.

    Can I bridge these two LANs while keeping the Apple Airport Extreme as the router that is connected to the cable modem in Texas?

    Thanks!
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't use either type of device, but after a quick google, I don't see any reason you would need a bridged VPN. What led you to that requirement?

    It should be possible to create a bridged or routed VPN leaving the Airport in place. You would, however, need a VPN server/client on the LAN and the ability to add routes to the Airport.
     
  3. Sean L

    Sean L Networkin' Nut Member

    Both devices (TiVo and DirecTV DVR) require your devices to be on the same subnet in order to allow access to view stored content. I believe that a tap VPN (?) will pass the multicast messages whereas some other types will not.

    So, could the WRT54GL operate as the VPN server within the Airport's network (say, 192.168.1.1 to 192.168.1.150) on the Texas side? Would it just get its IP address from the Airport? Then, would the client WRT54GL in Oklahoma provide IP addresses in the same subnet, but starting just after the range of the Texas Airport (say 192.168.1.151 and up)?

    Do you know of any good tutorials for setting something like this up for a noob?

    Thanks!
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think multicast works fine over TUN, but broadcast definitely does not. Things are much cleaner if you can use TUN, but sometimes you can't.

    I would think you could just disable the WAN and DHCP server on your WRT54GL server router, give it a static LAN address, plug a LAN port into the Airport LAN, and set up the VPN server like normal. The tunnel would be bridged to the Airport LAN and all of the clients would receive addresses via Airport DHCP (or out of a pool if that's what you'd rather).
     
  5. Sean L

    Sean L Networkin' Nut Member

    Is using TAP more difficult to configure, or does it just put more of a strain on the network(s) by broadcasting more stuff?

    That sounds perfect!

    Thanks again,

    Sean
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    TAP is slightly less efficient, but probably not problematically so. When I say that things are cleaner with TUN, it's because it keeps subnets as a meaningful concept.

    With TUN, if an address is in subnet X (e.g., the local LAN), it follows route X' (e.g., direct). If an address is in subnet Y (e.g., the remote LAN), it follows route Y' (e.g., the VPN). This is how networking was meant to work.

    With TAP, everything is in the same subnet so you can't know how it should be routed until/unless the VPN server/client sees the traffic and passes it through. Thus, you have to make sure that the VPN server/client gets to see all traffic that could possibly need to go over the tunnel. With TUN, this is done by adding a route for the remote subnet using the VPN server/client as the gateway. With TAP, you just have to be sure your VPN server/client is located in the network topology such that all traffic passes by it by happenstance.
     
  7. Sean L

    Sean L Networkin' Nut Member

    Thank you, that clears a lot up.

    I've set up the two WRT54GL routers as follows:

    Server:

    Cable Modem -> Airport Extreme (router 192.168.1.1) -> WRT54GL (192.168.1.151)
    The Airport hands out DHCP addresses in the range 192.168.1.2 - 192.168.1.150

    Screenshots:




    Client:
    Hotel router -> WRT54GL (router with internal address 192.168.1.152)
    This WRT54GL hands out IPs in the range 192.168.1.160 - 192.168.1.179
    I probably shouldn't have it set up as a router inside the hotel LAN, but I'll be deploying it as a router connected to a DSL modem and want to test its internal configuration.

    Screenshots:


    And here are the logs. (Note: the Server can ping devices on the LAN that it is on, but not the internet, so the time doesn't update, although the time zones are both set to US Central.)

    Server:

    Code:
    Jan  1 14:06:55 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 write UDPv4 []: Network is unreachable (code=128)
    Jan  1 14:06:56 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 write UDPv4 []: Network is unreachable (code=128)
    Jan  1 14:06:57 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jan  1 14:06:57 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 TLS Error: TLS handshake failed
    Jan  1 14:06:57 ? daemon.notice openvpn[125]: [TomatoVPN Client External IP]:36803 SIGUSR1[soft,tls-error] received, client-instance restarting
    Jan  1 14:06:59 ? daemon.notice openvpn[125]: MULTI: multi_create_instance called
    Jan  1 14:06:59 ? daemon.notice openvpn[125]: [TomatoVPN Client External IP]:36803 Re-using SSL/TLS context
    Jan  1 14:06:59 ? daemon.notice openvpn[125]: [TomatoVPN Client External IP]:36803 LZO compression initialized
    Jan  1 14:06:59 ? daemon.notice openvpn[125]: [TomatoVPN Client External IP]:36803 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jan  1 14:06:59 ? daemon.notice openvpn[125]: [TomatoVPN Client External IP]:36803 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan  1 14:06:59 ? daemon.notice openvpn[125]: [TomatoVPN Client External IP]:36803 TLS: Initial packet from [TomatoVPN Client External IP]:36803, sid=daaa6911 493099b1
    Jan  1 14:06:59 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 write UDPv4 []: Network is unreachable (code=128)
    Jan  1 14:07:01 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 write UDPv4 []: Network is unreachable (code=128)
    Jan  1 14:07:01 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 write UDPv4 []: Network is unreachable (code=128)
    Jan  1 14:07:03 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 write UDPv4 []: Network is unreachable (code=128)
    Jan  1 14:07:03 ? daemon.err openvpn[125]: [TomatoVPN Client External IP]:36803 write UDPv4 []: Network is unreachable (code=128)
    client:

    Thanks again!

    Sean
    Sent from my iPad
     
  8. Sean L

    Sean L Networkin' Nut Member

    Sorry about the last post, I had remoted in to my Mac at home to post it and the graphics got garbled.

    The graphics with the red background are from the server, those in blue from the client machine.
     


  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It looks like you have the server router set up to use DHCP for its WAN, but don't have it connected to anything. For your setup, I think you'll want to disable the WAN and configure it to use 192.168.1.1 as its default gateway.
     
  10. Sean L

    Sean L Networkin' Nut Member

    Thanks again, I disabled the WAN port (it wasn't connected anyway) on the Server. Here's what the logs look like now:


    Server:

    Jan 3 17:41:57 ? user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Jan 3 17:41:58 ? user.info kernel: device tap21 entered promiscuous mode
    Jan 3 17:41:58 ? user.info kernel: br0: port 3(tap21) entering learning state
    Jan 3 17:41:58 ? user.info kernel: br0: port 3(tap21) entering forwarding state
    Jan 3 17:41:58 ? user.info kernel: br0: topology change detected, propagating
    Jan 3 17:41:58 ? daemon.notice openvpn[9604]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jan 31 2010
    Jan 3 17:41:58 ? daemon.warn openvpn[9604]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
    Jan 3 17:41:58 ? daemon.warn openvpn[9604]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 3 17:41:58 ? daemon.notice openvpn[9604]: Diffie-Hellman initialized with 1024 bit key
    Jan 3 17:41:58 ? daemon.notice openvpn[9604]: TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jan 3 17:41:58 ? daemon.notice openvpn[9604]: TUN/TAP device tap21 opened
    Jan 3 17:41:58 ? daemon.notice openvpn[9604]: TUN/TAP TX queue length set to 100
    Jan 3 17:41:58 ? daemon.notice openvpn[9604]: Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 3 17:41:58 ? daemon.notice openvpn[9608]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 3 17:41:58 ? daemon.notice openvpn[9608]: UDPv4 link local (bound): [undef]:1194
    Jan 3 17:41:58 ? daemon.notice openvpn[9608]: UDPv4 link remote: [undef]
    Jan 3 17:41:58 ? daemon.notice openvpn[9608]: MULTI: multi_init called, r=256 v=256
    Jan 3 17:41:58 ? daemon.notice openvpn[9608]: IFCONFIG POOL: base=192.168.1.152 size=28
    Jan 3 17:41:58 ? daemon.notice openvpn[9608]: Initialization Sequence Completed


    ...And the client log (the last line is cut off, but lists the remote link showing the Server's external IP and port) which shows the client end of the VPN restarting every few seconds:
     


  11. Sean L

    Sean L Networkin' Nut Member

    It's working! I didn't realize the router's address wasn't listed anymore on the Server after I disabled the WAN port. Once I added it back in the connection picked right up.

    Thanks this is awesome!

    Cheers,

    Sean
     
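    The working bridged setup the thread arrives at (server WRT54GL with WAN disabled, static address 192.168.1.151 and default gateway 192.168.1.1 on the Airport LAN; client WRT54GL in Oklahoma with its TAP bridged to br0), written out as the equivalent OpenVPN server and client directives. This is an added example, not the poster's settings or the configuration Tomato generates from its GUI; the pool 192.168.1.180-189, the certificate file names and SERVER_EXTERNAL_IP are assumptions. The pool is chosen disjoint from the Airport's DHCP range (.2-.150) and from the client router's own address and DHCP range (.152, .160-.179), unlike the base=192.168.1.152 size=28 pool shown in the server log, so no two devices on the bridged LAN can be handed the same address.

```conf
# ---- Texas WRT54GL: OpenVPN server, TAP bridged to the Airport LAN ----
# (added example; assumes the addresses from the thread and the pool below)
port 1194
proto udp
dev tap
# server-bridge <gateway> <netmask> <pool-start> <pool-end>
# The gateway is the Airport (192.168.1.1); the pool must not overlap any
# DHCP range on either side of the bridge. With TAP both sites share one
# subnet, so the Airport needs no added route; with TUN you would instead
# give the remote LAN its own subnet and push a route for it via this box.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.180 192.168.1.189
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem        # assumed 2048-bit parameters instead of the 1024-bit key in the log
tls-auth ta.key 0    # HMAC on the control channel: unauthenticated UDP is dropped before TLS
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

# ---- Oklahoma WRT54GL: OpenVPN client, TAP bridged to its br0 ----
client
dev tap
proto udp
remote SERVER_EXTERNAL_IP 1194   # placeholder for the Texas public address
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server   # reject a peer certificate not issued as a server cert
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
```

    In Tomato the "Bridge TAP with br0" option performs the bridging that the `server-bridge` directive assumes; the 192.168.1.151 address and 192.168.1.1 gateway come from the router's Basic > Network page rather than from this file.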
  12. Sean L

    Sean L Networkin' Nut Member

    I'm having trouble reaching a computer on the client LAN from outside the LAN. I've got port forwarding set up to forward port 80 to the computer's internal IP. Inside the LAN I can connect just fine from my iPhone. If I turn off WiFi on my iPhone and try to connect via the cell connection I am unable to bring up the web site.

    Port forwarding seems pretty straightforward, I used Both, port 80 (external), internal port blank, 192.168.1.165

    Any thoughts?

    Thanks!
     
