
TomatoVPN limited to four tunnels?

Discussion in 'Tomato Firmware' started by luv2chill, Jan 24, 2011.

  1. luv2chill

    luv2chill Network Guru Member

    Hi all,

    Apologies if this has been asked and answered before--I tried some google-fu and searched here but came up empty.

    I'm looking at replacing a hub and spoke VPN setup that currently uses a Linksys RV016 as the hub and various IPSec VPN routers (Linksys and Sonicwall, mainly) as the spokes.

    OpenVPN looks good, and the fact that it's been incorporated into the GUI of Tomato is even better (thanks SgtPepperKSU!). But from the screenshots I've seen, it looks like there are only spots to populate two server connections and two client connections. Therefore it looks like the maximum number of defined site-to-site tunnels that can be handled is four (by acting as a server for two of them and as the client for the other two).

    My first question is am I correct in that assumption? Or is it one of those things where if you define two servers or clients an additional tab will appear for Server 3, Client 3, etc?

    Second of all, is that limitation arbitrary or does the limited horsepower of today's consumer routers not allow for more than four simultaneous tunnels without going to their knees?

    Thirdly, if it's not necessarily a CPU/Memory issue (certainly there are some Tomato-compatible routers with better specs) then are there any workarounds to allow for more defined tunnels? I suppose by setting them up using CLI and bypassing the GUI? Are there any plans to enhance TomatoVPN by allowing more tunnels in the GUI?

    For my case, I don't think I would ever need more than two or three tunnels set up at once, but would like to have about nine or ten configured so that they can be set up/torn down on demand when I need to access LAN resources on one of the spokes. So even if the hardware wouldn't be able to handle more than a few simultaneous tunnels, that wouldn't necessarily be a problem for me as I would only have a few up at any given time.

    If anyone can shed some light on this I would greatly appreciate your comments, tips, etc.
  2. dougisfunny

    dougisfunny LI Guru Member

    The way I configure my network is one 'hub' vpn server and all the others connect to that as clients, and they route to each other through the hub.

    But anyway, there is only so much storage space for configs and whatnot, which is one reason there aren't more configs in the UI. Another being that the router can't handle more.

    Besides, in the situations you're describing you might be better off setting up a VPN client on a computer if it has to connect to so many different servers.
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The limit is based mostly on the available NVRAM space. Even as it is, there have been people that run into nasty problems when they've exhausted NVRAM due to just a couple of VPN configurations + QoS.

    As you guessed, these routers really can't handle more than 1 or 2 simultaneous tunnels, but that by itself wouldn't stop you from configuring multiple and only running 1 or 2 at once. However, the GUI only supports what you see (because of NVRAM), so if you want more, you'll have to configure them manually with config/keys/certs on a network share.

    While the NVRAM limitation isn't one I can avoid, I didn't really think of it as that bad. My thought was that anyone with enough know-how to set up a situation where more than 2 is needed would have enough know-how to do it without the GUI.
  4. rs232

    rs232 Network Guru Member

    for the 3rd server look at this example WAN-UP script:

    # firewall script for the third server; Tomato keeps the GUI-managed
    # servers' firewall scripts in /etc/openvpn/fw as well (/etc -> /tmp/etc)
    mkdir -p /tmp/etc/openvpn/fw
    cd /tmp/etc/openvpn/fw
    echo "/usr/sbin/iptables -t nat -I PREROUTING -p udp --dport 1195 -j ACCEPT
    /usr/sbin/iptables -I INPUT -p udp --dport 1195 -j ACCEPT
    /usr/sbin/iptables -I INPUT -i tun23 -j ACCEPT
    /usr/sbin/iptables -I FORWARD -i tun23 -j ACCEPT" > server3-fw.sh
    chmod 755 server3-fw.sh
    # apply the rules now instead of waiting for the next firewall restart
    sh server3-fw.sh
    mkdir -p /tmp/etc/openvpn/server3
    cd /tmp/etc/openvpn
    # symlink so the process shows up as vpnserver3, like the GUI-managed servers
    ln -sf /usr/sbin/openvpn vpnserver3
    cd /tmp/etc/openvpn/server3
    # static-key mode is point-to-point, so the config needs the two tunnel
    # endpoint addresses; 10.8.3.1/10.8.3.2 are example values, pick ones that
    # do not collide with server1/server2
    echo "daemon
    proto udp
    port 1195
    dev tun23
    ifconfig 10.8.3.1 10.8.3.2
    cipher AES-128-CBC
    keepalive 15 60
    verb 3
    secret static.key
    status-version 2
    status status
    script-security 2
    persist-tun" > /tmp/etc/openvpn/server3/config.ovpn
    chmod 600 /tmp/etc/openvpn/server3/config.ovpn
    # give the GUI-managed server1 time to write its key before copying it
    sleep 5
    cp /etc/openvpn/server1/static.key /etc/openvpn/server3/
    chmod 600 /etc/openvpn/server3/static.key
    /etc/openvpn/vpnserver3 --cd /etc/openvpn/server3 --config config.ovpn
    NOTE: this will use the same key as server1, but it can be easily modified.

  5. rs232

    rs232 Network Guru Member

    SgtPepperKSU, is there any chance of changing the code to save OpenVPN keys/config to a custom path (e.g. CIFS / USB)?

    I guess this shouldn't take long... so that the multiple server/client tab could be easily implemented afterwards.

  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can already have your keys/certs on a custom path. Just don't fill in the fields and add a "ca /path/to/ca.crt" (or whatever) in the custom config.

    Unfortunately, with the way things are organized in Tomato, all the NVRAM variables need to be initialized (in a hardcoded fashion) at compile time. To have a variable number of servers/clients would take a very large rewrite, leaving only a single variable for each field that would contain a delimited list of values for each of the clients/servers.

    Maybe someday...
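Putting rs232's hand-built third server and SgtPepperKSU's point about keys on a custom path together: the script below is an added example, not Tomato's code or either poster's, that generates the config, firewall script and start script for an extra static-key tunnel under a base directory on a USB stick or CIFS mount (the /mnt/usb/openvpn path, the 10.8.x.x tunnel addresses, ports and tun device names in the usage line are assumptions). Unlike the copy-server1's-key shortcut, it insists on a separate key per tunnel, keeps key and config at mode 600 rather than 777, and records a pidfile so a tunnel can be torn down on demand, which is what the original poster wanted.

```shell
#!/bin/sh
# Added example (not Tomato's own code): build the files for an extra OpenVPN
# static-key tunnel outside the TomatoVPN GUI, keeping config and key on a
# mounted share or USB stick so nothing new goes into NVRAM.
# Assumed layout under BASE (e.g. /mnt/usb/openvpn or a CIFS mount):
#   BASE/keys/serverN.key      one static key per tunnel (no reuse of server1's key)
#   BASE/serverN/config.ovpn   OpenVPN config with absolute paths
#   BASE/fw/serverN-fw.sh      iptables rules for this tunnel's port and tun device
#   BASE/serverN/start.sh      launch command; writes a pidfile for on-demand teardown
# The /usr/sbin/openvpn and /usr/sbin/iptables paths match the thread's script.

gen_key() {
    # Create a fresh static key at $1 (mode 0600) if an openvpn binary is available.
    key=$1
    [ -f "$key" ] && return 0
    mkdir -p "$(dirname "$key")"
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$key" && chmod 600 "$key"
    else
        echo "no openvpn binary: run 'openvpn --genkey --secret $key' on a trusted host" >&2
        return 1
    fi
}

make_tunnel() {
    # $1 BASE  $2 index  $3 UDP port  $4 tun device  $5 local tunnel IP  $6 remote tunnel IP
    base=$1; n=$2; port=$3; dev=$4; local_ip=$5; remote_ip=$6
    dir=$base/server$n
    key=$base/keys/server$n.key
    # Refuse to emit a config that points at a key which does not exist yet.
    [ -f "$key" ] || { echo "missing key $key (run gen_key first)" >&2; return 1; }
    mkdir -p "$dir" "$base/fw"
    chmod 700 "$dir" "$base/keys"

    # Point-to-point static-key server. ifconfig is what makes the tunnel usable;
    # writepid lets the tunnel be stopped later without hunting for the process.
    cat > "$dir/config.ovpn" <<EOF
daemon vpnserver$n
proto udp
port $port
dev $dev
ifconfig $local_ip $remote_ip
secret $key
cipher AES-128-CBC
keepalive 15 60
persist-tun
persist-key
status $dir/status 10
writepid $dir/pid
verb 3
EOF

    # Firewall rules mirror what the thread uses for the extra server: open the
    # listening port and accept traffic arriving on the tunnel interface. The
    # FORWARD rule trusts everything from the peer; narrow it with -s <spoke LAN>
    # if the hub should only reach specific networks.
    cat > "$base/fw/server$n-fw.sh" <<EOF
#!/bin/sh
/usr/sbin/iptables -t nat -I PREROUTING -p udp --dport $port -j ACCEPT
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
/usr/sbin/iptables -I INPUT -i $dev -j ACCEPT
/usr/sbin/iptables -I FORWARD -i $dev -j ACCEPT
EOF

    # Start script: apply the rules, then launch. Stop with: kill $(cat BASE/serverN/pid)
    cat > "$dir/start.sh" <<EOF
#!/bin/sh
sh $base/fw/server$n-fw.sh
exec /usr/sbin/openvpn --cd $dir --config $dir/config.ovpn
EOF
    chmod 600 "$dir/config.ovpn"
    chmod 700 "$dir/start.sh" "$base/fw/server$n-fw.sh"
}

# Command-line use on the router, e.g. from a WAN-UP script (assumed values):
#   sh mkvpn.sh /mnt/usb/openvpn 3 1195 tun23 10.8.3.1 10.8.3.2
if [ $# -eq 6 ]; then
    gen_key "$1/keys/server$2.key" && make_tunnel "$@"
fi
```

Run it once per extra tunnel with a distinct index, port and tun device, then start or stop a given tunnel with its start.sh and pidfile as needed; the generated files live entirely on the share, so NVRAM usage does not change no matter how many tunnels are defined.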
