
TomatoVPN - problem connecting to OpenVPN Access Server

Discussion in 'Tomato Firmware' started by Dave Finley, Jul 25, 2011.

  1. Dave Finley

    Dave Finley Networkin' Nut Member

    I'm trying to connect my router TomatoVPN v1.27vpn3.6.4b664ba6 to an OpenVPN Access Server that is set up on a VPS. I can connect fine using the OpenVPN client for Windows along with a user name and password.

    I've done the following:
    VPN Tunneling\Client\Basic
    Start with WAN = Yes
    Interface Type = TUN
    Protocol=TCP
    Server Address/Port = set to values setup on the server
    Firewall=Automatic
    Authorization Mode = TLS
    Extra-HMAC Auth = Disabled
    Create NAT on Tunnel = No

    VPN Tunneling\Client\Advanced
    Poll Interval = 4
    Redirect Internet traffic = No
    Accept DNS config = Disabled
    Encryption cipher = Use Default
    Compression = Adaptive
    TLS Renegotiation Time = -1
    Connection Retry = 30
    Custom Config
    auth-user-pass /tmp/vpnlogin.txt
    script-security 3

    The file vpnlogin.txt contains two lines: the first is the user name and the second is the password.

    VPN Tunneling\Client\Keys

    I copied the text for the keys for the Certificate Authority, Client Certificate and Client Key from the client.ovpn file I downloaded from the OpenVPN Access Server.

    I also added the following to the Static Routing Table (under Advanced):

    Destination: 5.5.10.1
    Gateway: 192.168.10.1 (this is the IP of the Tomato router)
    Subnet Mask: 255.255.255.0
    Metric: 0
    Interface: LAN

    If I go to the VPN Client Status, the tunnel seems to be running, but all the read / write byte values are 0, even if I refresh.

    If I try to ping 5.5.10.1 from Windows, it times out.

    If I view the Tomato log, I see:
    Jul 25 14:36:51 unknown daemon.warn openvpn[3214]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jul 25 14:36:51 unknown daemon.warn openvpn[3214]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 25 14:36:51 unknown daemon.notice openvpn[3214]: Re-using SSL/TLS context
    Jul 25 14:36:51 unknown daemon.notice openvpn[3214]: LZO compression initialized
    Jul 25 14:36:51 unknown daemon.notice openvpn[3214]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Jul 25 14:36:51 unknown daemon.notice openvpn[3214]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul 25 14:36:51 unknown daemon.notice openvpn[3214]: Attempting to establish TCP connection with XX.XXX.XXX.XX:1194 [nonblock]
    Jul 25 14:36:52 unknown daemon.notice openvpn[3214]: TCP connection established with XX.XXX.XXX.XX:1194
    Jul 25 14:36:52 unknown daemon.notice openvpn[3214]: Socket Buffers: R=[43689->65534] S=[16384->65534]
    Jul 25 14:36:52 unknown daemon.notice openvpn[3214]: TCPv4_CLIENT link local: [undef]
    Jul 25 14:36:52 unknown daemon.notice openvpn[3214]: TCPv4_CLIENT link remote: XX.XXX.XXX.XX:1194
    Jul 25 14:36:52 unknown daemon.err openvpn[3214]: Connection reset, restarting [0]
    Any help would be appreciated.
    Thanks,
    Dave
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What's the config you used on the Windows client look like?
     
  3. Dave Finley

    Dave Finley Networkin' Nut Member

    client
    setenv SERVER_POLL_TIMEOUT 4
    nobind
    remote XX.XXX.XXX.XX 1194 udp
    remote XX.XXX.XXX.XX 1194 tcp
    dev tun
    dev-type tun
    ns-cert-type server
    reneg-sec 604800
    sndbuf 100000
    rcvbuf 100000
    auth-user-pass
    auth-retry interact
    # NOTE: LZO commands are pushed by the Access Server at connect time.
    # NOTE: The below line doesn't disable LZO.
    comp-lzo no
    verb 3
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You have compression set to "Adaptive", but it looks like (based on the working config) that it needs to be set to "None". Give that a shot.
     
  5. Dave Finley

    Dave Finley Networkin' Nut Member

    I changed compression to none, but it didn't help. I also powered off / powered on the router, just in case, but that didn't help either.

    Here's what I get in the log:
    Jul 27 09:23:19 unknown daemon.warn openvpn[510]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jul 27 09:23:19 unknown daemon.warn openvpn[510]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 27 09:23:19 unknown daemon.notice openvpn[510]: Re-using SSL/TLS context
    Jul 27 09:23:19 unknown daemon.notice openvpn[510]: LZO compression initialized
    Jul 27 09:23:19 unknown daemon.notice openvpn[510]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Jul 27 09:23:19 unknown daemon.notice openvpn[510]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul 27 09:23:19 unknown daemon.notice openvpn[510]: Attempting to establish TCP connection with XX.XXX.XXX.XX:1194 [nonblock]
    Jul 27 09:23:20 unknown daemon.notice openvpn[510]: TCP connection established with XX.XXX.XXX.XX:1194
    Jul 27 09:23:20 unknown daemon.notice openvpn[510]: Socket Buffers: R=[43689->65534] S=[16384->65534]
    Jul 27 09:23:20 unknown daemon.notice openvpn[510]: TCPv4_CLIENT link local: [undef]
    Jul 27 09:23:20 unknown daemon.notice openvpn[510]: TCPv4_CLIENT link remote: XX.XXX.XXX.XX:1194
    Jul 27 09:23:20 unknown daemon.err openvpn[510]: Connection reset, restarting [0]
    Jul 27 09:23:20 unknown daemon.notice openvpn[510]: TCP/UDP: Closing socket
    Jul 27 09:23:20 unknown daemon.notice openvpn[510]: SIGUSR1[soft,connection-reset] received, process restarting
    Jul 27 09:23:20 unknown daemon.notice openvpn[510]: Restart pause, 5 second(s)

    Do you think I should try upgrading my router to TomatoUSB 1.28 to see if that makes a difference?

    Thanks,
    Dave
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The Windows config file looks like the server supports both TCP and UDP. Try changing to UDP - it's more reliable.

    You don't, by chance, have access to the server logs, do you? They would probably shine quite a bit of light on what's going on...
     
  7. Dave Finley

    Dave Finley Networkin' Nut Member

    UDP did not make a difference.

    The server log doesn't show anything for the VPN service for today from when I tried to connect to it from Tomato.

    Thanks,
    Dave
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If it shows nothing at all, it's not your config that's the problem (unless you entered the wrong server IP/port). You need to make sure there is no firewall issue on the server. If the config was just wrong, it would have something in the logs.
     
  9. Dave Finley

    Dave Finley Networkin' Nut Member

    Sorry - I was looking at the log in the OpenVPN web admin, not the proper log file.

    I'm getting this error over and over again:
    2011-08-02 22:02:41-0700 [-] OVPN 10 OUT: 'Tue Aug 2 22:02:41 2011 TLS Error: cannot locate HMAC in incoming packet from XXX.XX.XX.XXX:1042'

    Thanks,
    Dave
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You have "Extra HMAC authorization (tls-auth)" disabled, but it looks like your server is expecting it to be enabled (with a static key entered on the keys tab). Without knowing your server configuration, I can't say for sure which "enabled" setting to use, but it's probably "Outgoing (1)".
     
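An added example (not from the thread or the Tomato project): a small Python script that reads an Access Server client.ovpn like the one in post 3 and derives the Tomato VPN client GUI settings discussed in this thread, including the tls-auth key direction behind the "cannot locate HMAC" error. The sample .ovpn is constructed with placeholder key material; the Tomato field labels are taken from the thread, and the key-direction default of 1 is an assumption following the guess above.

```python
import re

# Constructed sample in the shape of the Access Server client.ovpn from
# post 3, extended with an inline tls-auth block (placeholder key material).
SAMPLE_OVPN = """client
nobind
remote XX.XXX.XXX.XX 1194 udp
remote XX.XXX.XXX.XX 1194 tcp
dev tun
ns-cert-type server
auth-user-pass
comp-lzo no
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-MATERIAL
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_ovpn(text):
    """Return (options, inline_blocks) parsed from an OpenVPN config file."""
    opts, blocks, cur = {}, {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)  # <tls-auth> ... </tls-auth>
        if m:
            cur = None if m.group(1) else m.group(2)
            blocks.setdefault(m.group(2), [])
            continue
        if cur:
            blocks[cur].append(line)
            continue
        key, *args = line.split()
        opts.setdefault(key, []).append(args)       # an option may repeat (remote)
    return opts, blocks

def tomato_settings(text):
    """Map the .ovpn to the Tomato VPN client fields named in this thread."""
    opts, blocks = parse_ovpn(text)
    s = {}
    protos = {a[2] for a in opts.get("remote", []) if len(a) > 2}
    s["Protocol"] = "UDP" if "udp" in protos else "TCP"       # post 6: prefer UDP
    lzo = opts.get("comp-lzo", [["no"]])[0]
    s["Compression"] = "None" if lzo == ["no"] else "Adaptive"  # post 4
    ta = opts.get("tls-auth", [[]])[0]                          # "tls-auth ta.key 1" form
    if "tls-auth" in blocks or ta:
        # Direction 1 is the thread's guess for an Access Server client (assumption).
        kd = ta[1] if len(ta) > 1 else opts.get("key-direction", [["1"]])[0][0]
        s["Extra HMAC authorization"] = {"0": "Incoming (0)", "1": "Outgoing (1)"}.get(kd, "Bidirectional")
    else:
        s["Extra HMAC authorization"] = "Disabled"              # post 10's missing piece
    # Without this the Tomato log prints the "No server certificate verification" MITM warning.
    s["Server cert check"] = "ns-cert-type server" if "ns-cert-type" in opts else "MISSING"
    return s
```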
  11. Dave Finley

    Dave Finley Networkin' Nut Member

    That worked great - thanks a lot.

    I have a further question: It seems that the IP the router gets varies depending on if other users are logged in. Sometimes it starts with 5.5.10, sometimes it's 5.5.11 etc. When this happens the database server is also accessible at a different address, e.g. 5.5.11.1 or 5.5.12.1. The router also seems to be jumping from address to address for no reason. How do I lock it into one particular address?

    Thanks,
    Dave
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If your server is configured properly with a client-config-dir, you should need to address anything by its VPN-provided IP. The VPN server should "automagically" set up the routes so that you address them by their local LAN IPs. Then, it isn't an issue that the VPN-provided IP changes.

    However, if, for some reason, that's not an option, you can configure the server to provide certain IPs to certain clients. However, that also requires client-config-dir (or the more complicated client-connect script). So, before going into that solution, is there a reason you can't just use the device's local LAN IP? Since you originally said you don't have "Create NAT on tunnel" selected, I assume the server already has some sort of client-specific routing in place.

    EDIT: To clarify: Ideally, in a TLS/TUN config, the VPN IPs should only be an artifact of the internal routing between LANs. As far as any attached devices are concerned, traffic originates on one LAN and "somehow" finds its way to the other LAN.
     