Discussion in 'Tomato Firmware' started by p3300, May 28, 2009.

  1. p3300

    p3300 Addicted to LI Member


    I want to create a highly secure site2site vpn connection.

    Asus 500GP v1, tomatovpn-ND-1.23vpn3.2.7, static ISP IP
    Linksys WRT54GL, tomatovpn-ND-1.23vpn3.2.7, static ISP IP

    This special tomato firmware has a vpn web gui, but I have no plan what I have to do. :confused:

    I hope you can help me. :)

  2. Low-WRT

    Low-WRT LI Guru Member

  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Out of curiosity, where are you getting your TomatoVPN binaries? The official version is just 1.23vpn3.2, 1.23vpn3.2.49fb2c51 if you include the build number. Or is the .7 just a typo?

    The first thing you need to do is generate your certificates. This needs to be done on a separate computer (ie, not directly on the routers) that has OpenVPN installed. Directions on how to do this can be found here.

    After that, you just need to put the right certificates and keys in the right fields in the GUI, add an entry in the Client-Specific options on the VPN server router. Then you should be good to go! Of course, if you have further questions, feel free to ask.

    One thing to note is that the best way to do it is to have the two router LANs on different subnets. For example, on my setup I have the server router as on its LAN with the client routers as and on their LANs.
  4. p3300

    p3300 Addicted to LI Member

    thanks for the quick response.

    firmware version .7 was just a copy/paste failure :redface:

    Tomorrow I will test the following config:

    Interface Type: TAP
    Protocol UDP
    Port 1194
    Firewall Auto
    Authorization Mode static key

    Respond to DNS :?
    Encryption cipher :?
    Compression: ?

    Client1: configured like server1

    Can you tell me something about the "advanced" options?
    What do Respond to DNS, Encryption cipher and Compression mean?
    What is the best advanced configuration?

  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I would recommend TUN over TAP, and TLS over static-key. It makes things run much more cleanly and easier to maintain - there's just a few extra certificates to generate during setup (which is what is outlined in the link I gave).

    Respond to DNS allows computers (or routers) connected via the VPN to use it as their DNS server. If you don't plan to send internet-bound traffic over the tunnel, then you don't need to worry about it.

    Encryption cipher is what algorithm is actually used to encrypt the traffic going over the tunnel. The default should be fine.

    Compression attempts to intelligently squish the traffic before it goes over the tunnel (and unsquish it on the other end) so that the overall bandwidth used is less. I recommend "Adaptive" as I think that tries to see if the compression is helping and automatically disables it if it isn't.

    If you use TLS (which I strongly recommend), then there'll be another option on the advanced page of the server, "Configure Client-Specific options". This is where you can enter a bit of information on the client and automagically have a full bi-directional site-to-site.
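    The procedure SgtPepperKSU sketches in posts 3 and 5 (certificates generated off-router, TUN plus TLS, one Client-Specific options row per client router, non-overlapping LANs) maps onto a handful of OpenVPN 2.x directives, and the config p3300 lists in post 4 is the same thing with TUN and TLS swapped in. The script below is an added example, not code from the thread or from the Tomato project: it generates the certificates with plain openssl, writes the server and client files that the GUI fields boil down to (the field-to-directive mapping is my reading of the GUI, and the addresses 192.168.1.0/24, 192.168.2.0/24, 10.8.0.0/24, 203.0.113.10 and the client CN "site2" are all assumed), and then checks the four things that most often break a site-to-site silently. The `remote-cert-tls server` line needs OpenVPN 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomato): a routed (TUN), TLS
# site-to-site layout as OpenVPN files. All addresses and names are assumed.
set -eu

SERVER_WAN=203.0.113.10      # server router's static ISP address (assumed)
SERVER_LAN=192.168.1.0       # LAN behind the server router (assumed)
CLIENT_LAN=192.168.2.0       # LAN behind the client router (assumed)
MASK=255.255.255.0
TUNNEL=10.8.0.0              # tunnel network handed out by "server" (assumed)
CLIENT_CN=site2              # CN of the client router's certificate (assumed)

# Step 1: certificates, made off-router. The PEM text of ca.crt, server.crt,
# server.key, site2.crt and site2.key is what gets pasted into the GUI.
# The EKU values let each side check the other's role (remote-cert-tls).
gen_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=site2site-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for pair in "server:serverAuth" "$CLIENT_CN:clientAuth"; do
    name=${pair%%:*}; eku=${pair#*:}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$eku" >"$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 3650 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  done
}
# The server also needs DH parameters; separate because 2048-bit takes a while.
gen_dh() { openssl dhparam -out "$1/dh.pem" 2048 2>/dev/null; }

# Step 2: server router. Basic page -> dev/proto/port/tls-server, Advanced
# page -> cipher/compression, the Client-Specific options row (CN site2,
# subnet 192.168.2.0/24) -> route + client-config-dir + iroute.
write_server_config() {
  dir=$1
  cat >"$dir/server.conf" <<EOF
dev tun
proto udp
port 1194
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server $TUNNEL $MASK
cipher AES-128-CBC
comp-lzo adaptive
keepalive 10 120
# kernel route: packets for the remote LAN go into the tunnel...
route $CLIENT_LAN $MASK
# ...and the ccd entry says which client session owns that LAN
client-config-dir ccd
# let the client router reach this side's LAN
push "route $SERVER_LAN $MASK"
EOF
  mkdir -p "$dir/ccd"
  # File name must equal the client certificate's CN or iroute is never applied.
  printf 'iroute %s %s\n' "$CLIENT_LAN" "$MASK" >"$dir/ccd/$CLIENT_CN"
}

# Step 3: client router, "configured like server1" but connecting outbound.
write_client_config() {
  dir=$1
  cat >"$dir/client.conf" <<EOF
client
dev tun
proto udp
remote $SERVER_WAN 1194
nobind
ca ca.crt
cert $CLIENT_CN.crt
key $CLIENT_CN.key
cipher AES-128-CBC
comp-lzo adaptive
# refuse a peer whose cert was not issued for server use (stops a client cert
# from impersonating the server)
remote-cert-tls server
EOF
}

# Step 4: checks for what silently breaks a site-to-site: overlapping LANs,
# a client cert the CA did not sign, a ccd file not named after the CN,
# an iroute with no matching kernel route on the server.
check_site_to_site() {
  dir=$1
  [ "$SERVER_LAN" != "$CLIENT_LAN" ] || return 1
  openssl verify -CAfile "$dir/ca.crt" "$dir/$CLIENT_CN.crt" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/$CLIENT_CN.crt" \
       | sed 's/^subject=//' | tr -d ' ')
  [ "$cn" = "CN=$CLIENT_CN" ] || return 1
  [ -f "$dir/ccd/$CLIENT_CN" ] || return 1
  while read -r kw net mask; do
    [ "$kw" = iroute ] || continue
    grep -q "^route $net $mask\$" "$dir/server.conf" || return 1
  done <"$dir/ccd/$CLIENT_CN"
}

# Stand-alone usage: sh s2s.sh run ./s2s
if [ "${1:-}" = run ]; then
  out=${2:-./s2s}
  gen_pki "$out"; write_server_config "$out"; write_client_config "$out"
  if check_site_to_site "$out"; then echo "layout in $out is consistent"; else echo "FAIL" >&2; exit 1; fi
fi
```

    Run `gen_dh` once before starting the server. Adding a second client router is one more certificate with its own CN, one more `ccd/<CN>` file with an `iroute` for its LAN, a matching `route` line on the server, and a `push "route ..."` for the new LAN if the other sites should reach it too.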
  6. Delta221

    Delta221 Addicted to LI Member

  7. fyellin

    fyellin LI Guru Member

    I'm curious why you recommend TUN over TAP.

    In my case, I have a laptop running VPN. Using TAP, my computer thinks it's on my home network. It automatically discovers the local file servers and printers. Other machines on my home network see me. I don't get the same nice behavior from TUN.

    Obviously there are advantages to TUN if I want to join together two separate networks. But is there advantage to TUN if the goal is just one laptop?