
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, I was wanting to set up a VPN between my parents and myself for off-site backup purposes, and I knew a non-GUI solution wouldn't cut it for them. So, I wrote one!

    I really just did this out of my own necessity, so I'm not sure if anybody is interested. But, here goes nothing!

    For the uninitiated, a VPN (Virtual Private Network) is a secure connection between two places that is sent encrypted over another network (most of the time this is the internet). By putting this on your router, you can have access to your LAN from anywhere with an internet connection (presuming you have the proper credentials). Or, if you place it on two routers, you can effectively bridge the two LANs together, making it appear to the LAN computers that it is one big LAN.

    Features:
    • Based on Tomato 1.27 (ND also available)
    • OpenVPN 2.1.1 is compiled in and fully integrated as a system service.
    • LZO 2.0.3 is compiled in for VPN compression option
    • Two separately configurable instances each of clients and servers can be configured in the GUI
    • TLS (optionally with static key HMAC authentication) and static-key encryption are supported
    • Custom configuration field is added to the end of the dynamically generated config file
    • UDP and TCP protocols supported
    • TAP and TUN style tunnels supported
    • Site-to-site tunnels without any custom configuration
    • Status tabs displaying connected clients, VPN routes, and/or statistics.
    • Sets up and tears down (including module insertion/removal) interfaces as appropriate to save memory
    • Automatically adds and removes firewall rules as needed.
    • Option to automatically start server/client with router
    • Option to redirect Internet traffic over tunnel
    • Options to accept/push DNS options.
    • Encryption cipher settings are available.
    • Client address allocation is handled via GUI.
    • Added capability to use hostnames in the access restrictions page (unrelated to VPN, but I wanted it)
    • and more...
    All config, key, and cert files are generated in /etc/openvpn at run time, so you can take a look at them if you're curious/concerned. If you find something wrong with the generated files, let me know.

    Now, Roadkill's VPN mod seemed to have a lot of changes that I wasn't interested in, so I started from scratch. If there is a feature he's added that you can convince me would be useful enough, I may add it.

    If there are any more common/useful configuration options that you would like to see added to the GUI, again, just let me know.

    Releases and useful information are now tracked at the TomatoVPN blog.

    If you would like to be notified of new releases, you can subscribe to the TomatoVPN Blog's RSS feed (releases only).

    A quick description of the settings can be found here. It is not guaranteed to be current, but I'll try to keep updating it as changes are made.

    An issue tracker has been set up at GitHub. However, if you're not sure it's really a bug, discuss it in this forum first.

    Let me know what you think!
  2. roadkill

    roadkill Super Moderator Staff Member Member

    Looks like a job well done, but I'm afraid the download link is dead...
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, it's back up. I forgot to turn off sleep mode on my computer before going to sleep. It should stay up now.

    And, I just added a MediaFire link to the file as well.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Roadkill,

    I meant to mention: This was just 4-5 days of spare-time development, so I'm not feeling territorial or defensive. If you would like to add the changes to your build, I'd be open to it.
  5. CBR900

    CBR900 Addicted to LI Member

    @SgtPepperKSU

    What you are doing looks great.

    Could you add usb support to read/write files to usb flash memory/HDD.

    10x
  6. roadkill

    roadkill Super Moderator Staff Member Member

    Yes I think I'd like that, will you post source code?
  7. Davka

    Davka Addicted to LI Member

    My wish :D is to implement your VPN solution in TrzepakoTomato. It has USB support and some optimizations. Maybe you could get in contact with wdca, the TrzepakoTomato author?

    Anyway, big thanks for your work :D
  8. fyellin

    fyellin Addicted to LI Member

    Do I need to clear nvram in order to use this mod? Or can it be loaded on top of an existing vanilla Tomato configuration?

    (I'd hate to have to redo my entire configuration, if I can avoid it.)
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There are a lot of new NVRAM options, but you should be okay not clearing it. Of course, the usual disclaimers apply. And, if you do run into any unusual problems, try clearing it (and let me know).

    For what it's worth, I never cleared my NVRAM during the development.
  10. der_Kief

    der_Kief Super Moderator Staff Member Member

    Hi,

    Shall I put this in the modifications sticky? :biggrin:

    der_Kief
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Go for it. Seems that would be appropriate. :smile:
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'll get the sources all cleaned up and ready for distribution soon. But, as I'll be out of town for a bit, it will not be until sometime next week. I'll see if I can't quickly hammer out an automatic firewall solution as well.
  13. roadkill

    roadkill Super Moderator Staff Member Member

    Great, Thanks
  14. der_Kief

    der_Kief Super Moderator Staff Member Member

    OK. I put it in the "sticky" and also in the "poll" section. Let's see :wink:

    der_Kief
  15. Victek

    Victek Network Guru Member

    My thought is, any mod should be attached with the source code in order to be identified and shared to improve Tomato. No sources, no sticky. It's a GPL must.:rolleyes:
  16. der_Kief

    der_Kief Super Moderator Staff Member Member

    Come on Victek, don't be so fussy :biggrin:

    der_Kief
  17. Victek

    Victek Network Guru Member

    :halo: I remember what the guys took me the first time I posted the mod ... :rolleyes: anyway... welcome to the forum and as usual don't expect money but a lot of questions and also my congratulations for the job :biggrin:

    BTW.. Where is the source code? :biggrin:
  18. qubo

    qubo Networkin' Nut Member

    sounds good

    Maybe I will give the VPN a try, nice. Could you add a bandwidth limiter? Per IP/MAC?
  19. der_Kief

    der_Kief Super Moderator Staff Member Member

    Try robsons script generator, found in the download section here @ Linksysinfo !

    der_Kief
  20. ng12345

    ng12345 Addicted to LI Member

    This is pretty awesome!

    I will be trying this out soon

    I know one of the problems with roadkill's build was that it didn't support client-config-dir --> has anyone tried that command in their configs with this build? I will try and post in a bit.
  21. 123456

    123456 LI Guru Member

    Hi, could you add USB? Thanks
  22. Toxic

    Toxic Administrator Staff Member

    He may be fussy, but I have already been approached once about GPL violations on this site.

    SgtPepperKSU, could you please either show a link for the changes to your source code, the full code, or make the code available on request of an individual.

    Thanks.
  23. humba

    humba LI Guru Member

    He already said that he'd post the source code this week. I suppose that's acceptable; after all, when you request the source code, there's no obligation for a speedy delivery.

    Now imagine this mod together with Victec's.. yummie..
  24. fyellin

    fyellin Addicted to LI Member

    Is there documentation somewhere that describes how to configure VPN? I have four laptops that I'd like to give access to my local network.
  25. roadkill

    roadkill Super Moderator Staff Member Member

  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    :rolleyes: I'm back in town and I'll get the sources up soon. And, as I stated this as soon as someone asked for the source, I don't think there's a problem there. Also, I don't think I made any changes to GPL code anyway...

    edit: I take that back, I had to add a #include "ping.h" to an openVPN file to get it to compile. The rest is not GPLed.
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.21vpn0087

    Okay, version 1.21vpn0087 is now released.

    You can download both the binaries and the source here.

    For those wanting to use the source, be sure to read the README file included in the source archive.

    Changes from 1.21vpn0086
    • To further clean up resources, the configuration and status files are deleted upon stopping a client/server.
      • If you want it to leave those files, set vpn_debug="1" in nvram

    Known limitations:
    • You still need to add the iptables command (see first post) to make the server port visible on the WAN. I just haven't had time to look into this yet.
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    In response to the requests for USB support in my VPN builds, I'm afraid I am going to decline. I don't have the hardware to test it. If there were another mod that had this feature completed¹, I may consider offering a separate build with those changes included. But, in that case, I suppose it would make as much sense for the author of that build to include my changes instead.

    ¹ My definition of complete (such that I would consider including it) consists of relatively bug-free code with a working, user-friendly GUI.
  29. adeej

    adeej Networkin' Nut Member

    basic tomato vpn mod

    Hi SgtPepperKSU, Roadkill
    first of all thank you for the great work...

    I have a question:

    Is it possible to generate a basic Tomato VPN Mod version without the web GUI and other mods?
    If it is not possible, could you write a little "how to", step by step? I don't have enough skill to re-compile the source code, but with a "how to" I can try.

    I think many users like me need the original Tomato version + VPN working 100%.

    I use config files on the jffs partition, and unfortunately "client-config-dir" and "ifconfig-pool-persist" seem not to work on Roadkill's VPN Mod.

    Thanks in advance
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, the only things besides the GUI and firmware integration I've included are LZO (for VPN compression) and OpenVPN. The GUI and firmware integration should not affect stability and you are free to not use them. The WebGUI provides a custom configuration section that is appended to the config file, or you can just use openvpn directly from ssh/telnet/scripts.
    Well, if you really want to make your own, here is what you can do.
    1. Start with the Tomato source (follow the instructions in the Tomato README)
    2. Download LZO and OpenVPN
    3. Place the LZO and OpenVPN sources in release/src/router
    4. Configure those two sources with the desired options (using the configure executable included; use the --help option for usage information).
    5. Add LZO and OpenVPN to the release/src/router/Makefile (see the patch file in my source archive for the changes needed there)
    6. Compile Tomato.
    If you need more detail, I can expound where needed.

    That's the goal of my builds, and why I am not including other modifications so far.

    I don't know what is keeping those options from working with Roadkill's version, but perhaps more time should be spent understanding why before proceeding. It would be a shame to go through that work only to have the same problem. And, besides, if it is something simple to get working, I'm sure roadkill (and I, if it isn't working in mine) would be glad to make the changes to get it to work.
  31. diggyz

    diggyz Networkin' Nut Member

    I just registered on the forum to say thanks for the build. It was just what i was looking for. Keep up the good work.
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No problem. Like I originally said, this was mainly just to satisfy my own need. I'm just glad there's someone else who finds it useful.

    Be sure to let me know if you run into any problems, or if there are non-site-specific rules you are having to enter into the custom configuration field: it may be a candidate for inclusion in the GUI.
  33. Raere

    Raere LI Guru Member

    I'm a complete VPN newb, but I'm assuming you can set the router as a server and have a computer be a client if you're roaming on a foreign network, right? That's what I'd like to use VPN for, but I could never get roadkill's build to work for me.

    If this is the case, could anyone write up a quick how-to? That'd be extremely helpful, and I'm sure I'm not the only one.
  34. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's actually the way I've been using it lately.

    The simplest way for a small VPN (one server, few clients) is static key encryption.

    On the router:
    • Interface Type: tap (tun would require you set up routes manually)
    • Port: 1194 (or whatever you want)
    • Protocol: UDP (TCP if you'll be going through an http proxy on the client side)
    • Encryption Mode: Static Key
    • Custom Configuration: Shouldn't need anything unless you want special routing, etc
    • Server Key: Paste in your static key here (see below)
    On the client (something similar to):
    Code:
    dev tap
    proto udp
    remote <router-WAN-IP> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    secret static.key
    comp-lzo
    verb 3
    To generate your static key, simply run
    Code:
    openvpn --genkey --secret static.key
    on the client.

    If you run into problems, have a look at the log on the client. If that appears to be attempting a connection and failing, have a look at the router's system log (Status->logs in the GUI) for lines that contain "openvpn".

    Let me know how it goes!
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    FYI: Sometime in the near future I'll be working on a new build with an updated OpenSSL in order to support the AES cipher with OpenVPN. If anybody has noticed any needed changes to the GUI, now would be a good time to say so to get it included in that build. :smile:

    - Keith
  36. humba

    humba LI Guru Member

    Support for the openvpn management interface including the definition of the keyfile might be something worth putting into the gui. And if you can go the extra mile and actually expose the management interface (so have a list of connected clients with connection time, data transferred, bandwidth used and the ability to disconnect them).

    Furthermore I was thinking what you need two server or client instances for, and besides exposing the same service on two ports using different protocols, I figure you'd be most likely dealing with site to site stuff..and that opens a whole can of worms on topics like subnetting. The device is perfectly capable of handling multiple subnets including the routing in between if needed, as well as dhcp but nothing like that is exposed in a gui.
    Similarly, you could imagine using multiple tunnels to connect to different networks and expose them on different ports on the router (I have a bunch of routers configured like that) which brings us to vlans, and which in turn could bring us back to subnetting.
    And both topics also lead to firewalling and the lack of on-device management thereof.

    I realize I've gone really far with that, but I suppose many of those topics will come up when you start dealing with VPN tunnels.
  37. diggyz

    diggyz Networkin' Nut Member

    I installed the OpenVPN firmware on 2 routers

    One client, one server. After starting them both I checked the logs and it says
    unknown daemon.notice openvpn[1934]: UDPv4 link remote: xx.xxx.xxx.xx:20456
    unknown daemon.notice openvpn[1934]: Peer Connection Initiated with xx.xxx.xxx.xx:20456
    unknown daemon.notice openvpn[1934]: Initialization Sequence Completed

    What's next? I can't see or ping the other network.
    Mine is 192.168.0.* and the other network is 192.168.1.*
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Please post all of the openvpn entry from your log on the client side.

    Also, did you add the iptables entries in your firewall script?
  39. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Perhaps down the line. For now, there is a server<1|2>.status file that is updated every minute in the /etc/openvpn folder with connected client information (including connection time and data transferred). No way to disconnect individual clients, however.

    That's the reason I added the two servers. I have an occasional client that is behind an http proxy (TCP) but want to run the site-to-site connections as UDP. The two clients are because I have two remote sites to site-to-site to my own.
    The GUI as it is today is for pretty simple setups. If you're getting into more complicated scenarios, you probably have the know-how to use the "Custom Configuration" section in concert with the various scripts.
    Though, if you wrote a patch to enable all of that in the GUI, I'd definitely consider incorporating it :smile:
  40. SplendiD

    SplendiD Networkin' Nut Member

    Wireless stops working

    I'm kind of new to both Tomato firmware and OpenVPN. I used DD-WRT for the past six months and it worked great, but now I'd like to access my home network from work via VPN. I couldn't get it working on DD-WRT, so I decided to give Tomato a go, but the same thing happens when I'm activating the VPN server.

    The wireless network goes dead.. What could I be doing wrong?

    I got a Linksys WRT54GL v1.1 and it's working great except for this.

    Any suggestions?
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That certainly is odd. Could you post any messages in your router log from around the time this happens?
    What do you mean by "dead", do connections just get dropped? Does the radio get disabled altogether? Does the wireless light on the front of your router turn off? If you turn off the VPN server, does the wireless come back? So, in general, more information would be helpful.
  42. diggyz

    diggyz Networkin' Nut Member

    Here is the log from the vpn client
    I added iptables -I INPUT 1 -p udp --dport 20456 -j ACCEPT on the server as well

    Oct 16 19:44:16 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Oct 16 19:44:16 unknown user.info kernel: device tap11 entered promiscuous mode
    Oct 16 19:44:16 unknown user.info kernel: br0: port 3(tap11) entering learning state
    Oct 16 19:44:16 unknown user.info kernel: br0: port 3(tap11) entering forwarding state
    Oct 16 19:44:16 unknown user.info kernel: br0: topology change detected, propagating
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: OpenVPN 2.1_rc12 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Oct 5 2008
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: LZO compression initialized
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: TUN/TAP device tap11 opened
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: TUN/TAP TX queue length set to 100
    Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Oct 16 19:44:16 unknown daemon.notice openvpn[1934]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Oct 16 19:44:16 unknown daemon.notice openvpn[1934]: UDPv4 link local: [undef]
    Oct 16 19:44:16 unknown daemon.notice openvpn[1934]: UDPv4 link remote: xx.xx.xxx.xxx:20456
    Oct 16 19:44:17 unknown daemon.notice openvpn[1934]: Peer Connection Initiated with xx.xx.xx.xxx:20456
    Oct 16 19:44:18 unknown daemon.notice openvpn[1934]: Initialization Sequence Completed
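Post 34 says to troubleshoot by looking at the client log and then at the router's system log for lines containing "openvpn"; the log above is exactly that kind of output. The following is an added example, not part of the TomatoVPN build or any post in this thread: it filters a Tomato syslog dump down to the openvpn entries and reports whether the tunnel completed, on which device, and with which static-key cipher/HMAC settings. The sample lines are constructed from the log above with the peer replaced by a documentation address, and the second sample uses the "Authenticate/Decrypt packet error" message OpenVPN logs when the static keys on the two ends differ.

```python
"""Summarise the openvpn[...] entries in a Tomato syslog dump (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the client log posted in the thread;
# 203.0.113.10 is a documentation address, not a real router.
GOOD_LOG = """\
Oct 16 19:44:16 unknown user.info kernel: device tap11 entered promiscuous mode
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: OpenVPN 2.1_rc12 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Oct 5 2008
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: TUN/TAP device tap11 opened
Oct 16 19:44:16 unknown daemon.notice openvpn[1934]: UDPv4 link remote: 203.0.113.10:20456
Oct 16 19:44:17 unknown daemon.notice openvpn[1934]: Peer Connection Initiated with 203.0.113.10:20456
Oct 16 19:44:18 unknown daemon.notice openvpn[1934]: Initialization Sequence Completed
"""

# Constructed sample of a static-key mismatch: the UDP link comes up, but every
# packet fails HMAC verification and the tunnel never completes.
BAD_KEY_LOG = """\
Oct 16 20:01:02 unknown daemon.notice openvpn[2101]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 16 20:01:02 unknown daemon.notice openvpn[2101]: TUN/TAP device tap11 opened
Oct 16 20:01:02 unknown daemon.notice openvpn[2103]: UDPv4 link remote: 203.0.113.10:20456
Oct 16 20:01:03 unknown daemon.notice openvpn[2103]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 16 20:01:05 unknown daemon.notice openvpn[2103]: Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

OPENVPN_LINE = re.compile(r"openvpn\[(\d+)\]: (.*)$")
PATTERNS = {
    "version": re.compile(r"^OpenVPN (\S+) "),
    "cipher": re.compile(r"Cipher '([^']+)' initialized with (\d+) bit key"),
    "hmac": re.compile(r"Using (\d+) bit message hash '([^']+)' for HMAC"),
    "device": re.compile(r"TUN/TAP device (\S+) opened"),
    "remote": re.compile(r"(?:UDP|TCP)v4 link remote: (\S+)"),
}

# 64-bit block ciphers; flagged so the reader knows to move to AES once the
# build's OpenSSL supports it (see post 35).
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}


@dataclass
class VpnSession:
    pids: List[int] = field(default_factory=list)
    version: Optional[str] = None
    cipher: Optional[str] = None
    key_bits: Optional[int] = None
    hmac: Optional[str] = None
    hmac_bits: Optional[int] = None
    device: Optional[str] = None
    remote: Optional[str] = None
    link_up: bool = False
    completed: bool = False
    auth_errors: int = 0


def parse_openvpn_log(text: str) -> VpnSession:
    """Keep only the openvpn[...] syslog lines and fold them into one summary."""
    s = VpnSession()
    for line in text.splitlines():
        m = OPENVPN_LINE.search(line)
        if not m:
            continue  # kernel/bridge lines: not what post 34 asks us to look at
        pid, msg = int(m.group(1)), m.group(2)
        if pid not in s.pids:
            s.pids.append(pid)
        if (v := PATTERNS["version"].search(msg)):
            s.version = v.group(1)
        elif (c := PATTERNS["cipher"].search(msg)):
            s.cipher, s.key_bits = c.group(1), int(c.group(2))
        elif (h := PATTERNS["hmac"].search(msg)):
            s.hmac_bits, s.hmac = int(h.group(1)), h.group(2)
        elif (d := PATTERNS["device"].search(msg)):
            s.device = d.group(1)
        elif (r := PATTERNS["remote"].search(msg)):
            s.remote, s.link_up = r.group(1), True
        elif "Initialization Sequence Completed" in msg:
            s.completed = True
        elif "Authenticate/Decrypt packet error" in msg:
            s.auth_errors += 1
    return s


def assess(s: VpnSession) -> List[str]:
    """Turn the summary into the findings a reader of the log would want."""
    findings = []
    if not s.pids:
        return ["no openvpn entries in log: is the client/server started?"]
    if s.completed:
        findings.append(f"tunnel up on {s.device} to {s.remote}")
    elif s.link_up:
        findings.append(f"link to {s.remote} but no 'Initialization Sequence Completed'")
    else:
        findings.append("no link to remote: check WAN reachability and the server's iptables ACCEPT rule")
    if s.auth_errors:
        findings.append(f"{s.auth_errors} HMAC failures: static key differs between client and server")
    if s.cipher in SMALL_BLOCK_CIPHERS:
        findings.append(f"{s.cipher} is a 64-bit block cipher; prefer AES once the build supports it")
    return findings


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad key", BAD_KEY_LOG)):
        print(name, "->", assess(parse_openvpn_log(log)))
```

Note that a log like the one above, which reaches "Initialization Sequence Completed", rules out key and reachability problems; what remains is the bridging and routing discussed in the following posts.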
  43. SplendiD

    SplendiD Networkin' Nut Member

    Solved wireless problem

    I still don't know what caused it, but when I erased all NVRAM memory under "Administration/Restore Default Configuration/Erase all data in NVRAM memory (thorough)" and just went through every setting again, it started working. Strange..

    Thanks for the great work!
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmm, that all looks pretty good. Does the client show up in the server's device list? Can you SSH to each and capture an ifconfig? And, to be sure, you are pinging from client-side to server-side, right? From a PC or from the router?
  45. diggyz

    diggyz Networkin' Nut Member

    Tried pinging from both router and clients. No luck.
    Nope, it doesn't show up in the device list.
    I'm not using DHCP btw, if that matters. Guess not.


    br0 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B4
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:4666588 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8310411 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:383147872 (365.3 MiB) TX bytes:3325544824 (3.0 GiB)

    eth0 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B4
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:12883789 errors:0 dropped:0 overruns:0 frame:0
    TX packets:12628953 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:3862912149 (3.5 GiB) TX bytes:3614370190 (3.3 GiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B4
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:149595 errors:0 dropped:0 overruns:0 frame:8677081
    TX packets:405594 errors:375 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:20266945 (19.3 MiB) TX bytes:204897256 (195.4 MiB)
    Interrupt:2 Base address:0x2000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:250 errors:0 dropped:0 overruns:0 frame:0
    TX packets:250 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:32446 (31.6 KiB) TX bytes:32446 (31.6 KiB)

    tap11 Link encap:Ethernet HWaddr 00:FF:D8:2C:71:72
    UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:19 errors:0 dropped:0 overruns:0 frame:0
    TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:2141 (2.0 KiB) TX bytes:25564 (24.9 KiB)

    vlan0 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B4
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:4574241 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8197300 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:389369797 (371.3 MiB) TX bytes:3181109855 (2.9 GiB)

    vlan1 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B5
    inet addr:<hidden> Bcast:81.233.4.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:8309548 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4431653 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:3241634150 (3.0 GiB) TX bytes:433260335 (413.1 MiB)


    ifconfig from my client
  46. diggyz

    diggyz Networkin' Nut Member

    br0 Link encap:Ethernet HWaddr 00:18:39:C5:CF:D8
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:44439 errors:0 dropped:0 overruns:0 frame:0
    TX packets:59778 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:8391190 (8.0 MiB) TX bytes:58493885 (55.7 MiB)

    eth0 Link encap:Ethernet HWaddr 00:18:39:C5:CF:D8
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:93701 errors:0 dropped:0 overruns:0 frame:0
    TX packets:97820 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:60630133 (57.8 MiB) TX bytes:67784660 (64.6 MiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:18:39:C5:CF:DA
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:78726
    TX packets:773 errors:832 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:216515 (211.4 KiB)
    Interrupt:2 Base address:0x5000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:1352 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1352 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:83623 (81.6 KiB) TX bytes:83623 (81.6 KiB)

    tap21 Link encap:Ethernet HWaddr 00:FF:DF:16:F0:0B
    UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:4 errors:0 dropped:0 overruns:0 frame:0
    TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:519 (519.0 B) TX bytes:1856 (1.8 KiB)

    vlan0 Link encap:Ethernet HWaddr 00:18:39:C5:CF:D8
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:573 errors:0 dropped:0 overruns:0 frame:0
    TX packets:756 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:150213 (146.6 KiB) TX bytes:872673 (852.2 KiB)

    vlan1 Link encap:Ethernet HWaddr 00:12:93:1D:DC:C9
    inet addr:<hidden> Bcast:82.183.178.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1114 errors:0 dropped:0 overruns:0 frame:0
    TX packets:979 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:916920 (895.4 KiB) TX bytes:369457 (360.7 KiB)

    ifconfig from server


    Do i need to route add or something like that?
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's probably the key thing right there. I think I accidentally made that assumption when I generated the OpenVPN configuration files. Try adding
    Code:
    ifconfig 192.168.1.75 255.255.255.0
    to your client Custom Configuration, replacing the IP address as appropriate.

    Let me know how it goes; one way or another, I should be automatically setting things up in this situation.

    EDIT: I just disabled DHCP on my server-side and reconnected. Saw the same symptoms as you, and the ifconfig line fixed it. Hopefully, that's all that was wrong for you.
  48. diggyz

    diggyz Networkin' Nut Member

    I did like you said.
    192.168.1.0 * 255.255.255.0 0 tap11 was added under routing in the client



    In the client log file this was new:
    Oct 16 23:13:59 unknown daemon.notice openvpn[2868]: /sbin/ifconfig tap11 192.168.1.75 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255


    I can't ping though, and nothing different under the device list.

    EDIT: br0 00:FF:20:EB:11:34 192.168.1.75 is listed under device list on the server now
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, I'm not completely sure what is going on here. Could you try running the following on the client side (via ssh)?
    Code:
    brctl delif br0 tap11
    Then try pinging the server side from the client's ssh session.
  50. diggyz

    diggyz Networkin' Nut Member

    brctl delif br0 tap11 on the client side..
    Yes, it works after that line.
    What was wrong?

    Can't ping the server side from my client though, only from the router.

    tap11 00:18:39:C5:CF:D8 192.168.1.1
    is showing on the client's device list now also =)
  51. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, now we just need to bridge the VPN connection over to your LAN, but adding it to the br0 bridge didn't seem to work...

    I am not an iptables expert, but try some combination of the following in the client side firewall script (probably either just the first two, just the last, or all three):
    Code:
    iptables -A INPUT -i br+ -j ACCEPT
    iptables -A FORWARD -i br+ -j ACCEPT
    iptables -I FORWARD -i br+ -o tap+ -j ACCEPT
    edit:

    even if some combination of the above works, try this (all three):
    Code:
    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT
    edit2:

    One more thing to try. In fact, try this one first. Add the tunnel back to the bridge (without any of the above iptables commands):
    Code:
    brctl addif br0 tap0
    and try running
    Code:
    route add -net 192.168.1.0/24 dev br0
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Also, could a forum moderator perhaps split out this exchange between diggyz and me into a new topic? (posts 37, 38, 42, 44-52) Title: "VPN GUI site-to-site"?

    Thanks!
  53. diggyz

    diggyz Networkin' Nut Member

    I'm gonna try that when I'm coming home today.
    brctl addif br0 tap0 should be tap11 in my case, right?
    When I'm setting up the VPN from the router GUI interface, is the tap interface added to the bridge then? On some routers I get tap11 and on others I get tap20; is it randomly generated?
  54. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes sorry, good catch.
  55. diggyz

    diggyz Networkin' Nut Member

    After adding the tunnel to the bridge it stops working again

    brctl addif br0 tap11

    If I do brctl del br0 tap11 on the client, I can ping the server router from the client router.
    If I do brctl del br0 tap21 on the server router as well, then I can't ping anymore.

    If I delete the tunnel from the bridge on the server router but leave it connected on the client router,
    only the server router can ping the client router..
    If that makes any sense? =)
  56. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Did you try the route add command after adding the tap interface back into the bridge?

    And, I think we have the server side how we want it, all of the fiddling should be done on the client side.
  57. diggyz

    diggyz Networkin' Nut Member

    Yes, I did the route add command as well, no luck.
    I tried connecting with the VPN Windows client to the server router, works just fine.. well, there is no routing involved..
    Router-router works fine as well, it's when bridging it :[

    EDIT: if I don't remove the tunnel from the bridge [leave it default] and ping the server router, I don't get any answer
    but
    br0 00:FF:EF:E8:05:BC 192.168.1.75
    is coming up on the server router's devices list
  58. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Have you had a chance to try the iptables commands (with and without the interface removed from the bridge)?

    Sorry for all of the trial and error here; I haven't had a chance to try a site-to-site yet. I should have access to one of my remote sites before too long, and I will try and hammer this out myself then. But, if we get it worked out now, all the better!
  59. diggyz

    diggyz Networkin' Nut Member

    Yeah, I tried iptables -vL before and after removing the interface..
    Nothing changed :(
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That just lists the iptables rules. I was referring to the iptables commands in post 51. But, if you've also tried those, I'm afraid I'll just be grasping at straws. You may try to search the web for bridged site-to-site OpenVPN how-tos to see if you find a combination of things that work. That's all I would be doing from here.

    If you do find something that works, let me know and I'll incorporate it into a build. I'll see if I can get access to a remote router sooner than later so I can try some of this out myself.
  61. diggyz

    diggyz Networkin' Nut Member

  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That how-to uses "Routed" (TUN) not "Bridged" (TAP) devices. If TUN is acceptable for you (only IP traffic can cross it, if I understand correctly), you may try setting both client and server to TUN and placing the route commands in the custom configuration section. TUN setups don't have any bridging involved, so it may solve the problem. I was trying to get TAP to work because there's no reason why it shouldn't.

    The push commands on the server are the same thing as putting it (without the push keyword) on the client. And, we already tried that.

    Like I said, though, I'll try getting a setup going that I can play with to get this figured out, but that will likely be at least a couple of days. :frown:
  63. diggyz

    diggyz Networkin' Nut Member

  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That page is why I had you try the route add command first in post 51. It seems they got things working doing pretty much the same things as us...

    There is another site that I already put Tomato on a while back that I will be visiting tonight. I will see if I can throw my VPN build on there. If so I'll be able to experiment as early as tomorrow.
  65. humba

    humba LI Guru Member

    If Tomato ran ASP.NET I'd probably invest the time to learn iptables better, but as it is, it's not really my cup of tea.
    If you ever entertain the notion of adding the GUI, I've done some VLAN and multiple DHCP server stuff, so at least there I have some know-how to help you get started.
  66. sunjon

    sunjon LI Guru Member

    Firstly, thanks for making the GUI version of this mod.
    I've had the TAP version up and running - site-to-site, but ran into a few DHCP/DNS niggles, with everything being broadcast over one subnet. So, I reconfigured to the TUN option - which is giving me 90% of the functionality I wanted.

    With TUN, the main thing I'm missing now is the ability to communicate with machines behind the client, caused by the CCD options not working.

    Is there any word on why the client-config-dir and ifconfig-pool-persist ipp.txt are not working on Tomato firmware (posts suggest roadkill's version suffered from the same issue)?
    ifconfig-pool and ccd-exclusive seem also not to work, but they're less important (to me).

    Also, a small note: I think the 'Duplicate-CN' setting in the server config should be left to be set by the user. Had the CCD options worked, having duplicate-CN set would have conflicted with my settings.
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you share how you got site-to-site TAP working? I've been unsuccessful in trying to get diggyz up-and-running in that regard.

    I haven't tried client-config-dir yet, but I can't think of a reason they wouldn't work (I completely trust that they don't, I just can't think of why). Do you get error messages in your logs when you try to use it?

    I'll change that to an option in future releases. Thanks for the feedback!
  68. sunjon

    sunjon LI Guru Member

    Alright. This is from my less than reliable memory, so apologies if there are any errors :). Most of this config is taken care of by scripts on the GUI version (i.e. VPN mode, protocol, port etc. are all set to what you've entered in the UI, and the other necessary config parameters will be created automatically).

    ETHERNET TAP BRIDGE CONFIGURATION

    Router #1 - VPN Server
    On the server end of the tunnel, leave everything as it is by default:
    device == TAP
    port == 1194
    protocol == UDP
    encryption == TLS

    Fill in the appropriate key/certs.
    Nothing needs to be entered in 'Custom configuration', the following is optional:
    Code:
    #Following lines optional, but can improve tunnel stability
    persist-key
    persist-tun
    
    You will need to add the following rule to the (administration->scripts->)firewall, to allow incoming VPN connections:
    Code:
    iptables -I INPUT 1 -p udp  --dport 1194 -j ACCEPT

    Router #2 - VPN Client
    Again, very little needed here that isn't setup by default. Enter the server address in the GUI, then put the following in custom configuration:
    Code:
    # Set aaa.bbb.ccc.ddd to any free IP on the server's network.
    # Select something outside the scope of the server's DHCP pool.
    ifconfig aaa.bbb.ccc.ddd 255.255.255.0
    
    Enter your client key/cert details.

    One extra step I did take, is that once the client had connected and was visible in device list, I'd take the MAC address and assign it a static ip in the 'Static DHCP' section.

    That's it! I can't remember it being any more complicated than that for me, no special routing/firewall rules were needed as it is acting literally like an Ethernet switch.

    The problems I had with this setup were as follows: my work (server) had the IP range 192.168.99.0/24 and my home network (client) had the IP range 192.168.1.0/24. Both routers had DHCP enabled, as both routers needed to tend to their own networks when the tunnel wasn't in use. When additional clients connected to the VPN, the router that allocated the new client an IP, and therefore the client's IP/subnet, seemed random - whichever router happened to get there first. I could have perhaps tied this down with some additional routing for ports 67/68, or there are perhaps dnsmasq parameters that would take care of this.


    TUN configuration - CCD problems
    I'll keep my TUN config out of this post for clarity, but a note on the CCD issue:
    Code:
    client-config-dir ccd            - these files are never read/executed.
    ifconfig-pool-persist ipp.txt    - no entries are ever made to this file.
    ifconfig-pool                    - doesn't seem to work - doesn't set the scope of the VPN's DHCP
    ccd-exclusive                    - works, but as it enforces non working CCD, the server has no way then to allocate IP's.
    
    CCD is needed primarily for static VPN ips, and to configure routes back to the clients with the 'iroute' parameter. Getting everything to work with firewall rules alone gets complicated.


    ** EDIT:
    Okay, I checked the logs:
    Code:
    Oct 19 22:49:29 unknown daemon.warn openvpn[687]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    Oct 19 22:49:29 unknown daemon.warn openvpn[687]: WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
    
    This is after setting vpn_debug=1 in nvram (committing & rebooting) and removing the duplicate-cn line in server1.ovpn. Any manual edits to the server config file are overwritten by the defaults + GUI custom config entries when restarting the service through either the GUI or command line.

    Cheers, let me know if you need anymore info.

    Sunjon
  69. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, that's all I was thinking it would take. But, alas, we've tried that with diggyz without positive results. I have a remote router to experiment with now, so perhaps I'll be able to get to the bottom of it.

    Where did you create ccd? You should try giving the absolute path to it (i.e. /etc/openvpn/ccd, if that's where it is). Same thing with ipp.txt. I guess to make things easier for the custom config section, I could use "--cd /etc/openvpn" in my openvpn call to make everything look there by default.

    I have already made the changes in my local builds to have duplicate-cn be optional. In the meantime, though, you can hand-edit the ovpn file to get rid of that entry. However, you should use
    Code:
    /etc/openvpn/vpnserver1 --config /etc/openvpn/server1.ovpn
    instead to start it so that it will not regenerate the config file.

    I'll try and get a build out in the next couple of days that will fix the duplicate-cn directive as optional. I didn't realize it would conflict with other options before.
  70. cmdr-flatus

    cmdr-flatus Guest

    I cannot get this to work with static keys configuration. I get the following error on the client:

    Mon Oct 20 15:34:43 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Mon Oct 20 15:34:43 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Mon Oct 20 15:34:43 2008 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{3A69CFF8-0CE2-4334-9E75-AB95247C0ECE}.tap
    Mon Oct 20 15:34:43 2008 Successful ARP Flush on interface [65541] {3A69CFF8-0CE2-4334-9E75-AB95247C0ECE}
    Mon Oct 20 15:34:43 2008 UDPv4 link local (bound): [undef]:1194
    Mon Oct 20 15:34:43 2008 UDPv4 link remote: 1.2.3.4:1194
    Mon Oct 20 15:34:50 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
    Mon Oct 20 15:34:54 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

    Client config is simple and as follows:

    remote my.host.name (changed from the real one)
    dev tap
    secret static.key

    The remote is set up very simply and with settings like the above. I also added a line to the firewall script to make a hole for port 1194.

    any pointers?

    Thanks! flatulently,
    commander flatus
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, so I have something working. Try running this on each router (substituting ip addresses for the ones on the other router):
    Code:
    ifconfig br0 promisc up
    route add 192.168.1.1 dev br0
    route add -net 192.168.1.0/24 gw 192.168.1.1 dev br0
    This is with the tunnel interface still bridged.

    Seems so simple, yet we didn't try using the opposing router as a gateway to the rest of the network... Let me know if it works for you, too.
  72. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, I think that error code indicates a firewall problem, not a VPN problem. Make sure you are using the same port number on the server, firewall script, and client (and you should probably explicitly name a port rather than rely on defaults there). Also, the same goes for protocol (both that it needs to be the same in all three places and that you should specify it on the client).

    Also, I don't think it's even getting this far, but you should specify comp-lzo in your client config. I'll probably change that to an option for the next release (don't know why I didn't to begin with), but for now the server is set up to use LZO compression on the VPN link.

    Try those things. If you are still having a problem, post back (in a new thread, this one is getting a bit crowded) with your settings on both sides and logs from both sides. Also, if one of the above works, please post a little note back saying which it was so if somebody else gets the same error, they will know a possible solution.
  73. jacgl

    jacgl Networkin' Nut Member

    Hi,
    Thank you for your great work. As I want to connect 3 routers using tun(s) into a "family" network, I am interested in Sunjon's conclusions (client-config-dir seems to be important). Currently, I do not have devices in place to do the experiment myself.
    Have you considered adding a tls-auth key to the GUI? I believe I am not paranoid, but from the HOWTO it looks like the security is much better with it (DoS attacks, port flooding and scanning). Anyway, I hope it is still possible to add the key in the Init Script.

    Cheers,
    Jacek
  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unless you want to do some manual configuration/testing, I'd hold off for one of the next (hopefully, the next) released builds, as there are site-to-site issues I'm working out yet.

    Well, then you'll be happy to know that Sunjon found that client-config-dir is working fine!

    I'll keep that in mind for possible future additions. In the meantime, though, there shouldn't be any reason you couldn't generate the file in the Init Script and add the tls-auth directive in the Custom Configuration section.
  75. diggyz

    diggyz Networkin' Nut Member

    I did what you said and now it's working great =) thanks a lot for taking your time.
    I was thinking about the gateway as well but didn't know how to add it correctly.
    Is this something you can include in the build in some way?
  76. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad it works, and there wasn't some other change I had made and couldn't remember :wink:

    I'll definitely get something in a build to get this to work automatically. However, I think the "right" way would be to add the routes in the openvpn config file, and I'll experiment on getting that working properly.
  77. powersquad

    powersquad Networkin' Nut Member

    can you please write a guide on how to use the VPN function and set it up on windows xp/windows vista using your build? really like to test out the VPN function....
  78. rameshb_v

    rameshb_v Networkin' Nut Member

    Yup.. A Guide would be great...
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    After I get this next release out, there won't be as much need for a guide. I'll write something up then, though.
  80. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.21vpn1.0016

    Version 1.21vpn1.0016

    NOTICE: I found a bug when using the TCP protocol with a VPN server. Please download 1.21vpn1.0017 instead.

    You can download the binaries and source from here.

    For those wanting to use the source, be sure to read the README file included in the source archive.

    Changes from 1.21vpn0087
    • Firewall entries (both external and internal) are automatically added and removed
    • Site-to-site TAP and TUN work with no custom configuration
      • TUN site-to-site only allows client->server communication (not vice versa, see below) unless you add client-config-dir or client-connect scripts.
    • Compression settings can be changed via GUI.
    • Encryption cipher can be chosen via GUI (sorry, no AES yet, as site-to-site updates trumped upgrading OpenSSL)
    • Client address allocation handled in GUI.
    • duplicate-cn and client-to-client no longer autogenerated in config file
      • You can still add them to Custom Configuration if you need them
      • They don't do any good without some custom config anyway

    The TUN (or TAP across different subnets) tunnels are only client->server (server LAN can't see client LAN) without Custom Configuration because a NAT is set up on the client side (optional via GUI). Without this NAT, the server side would need to have configuration settings specific to each client. If I did this automatically, it would be difficult to add your own settings in this manner on top of it. So I felt this was a good compromise. You can either a) set up two tunnels one each way or b) set up a client-config-dir setup.

    Known limitations:
    • None that I am aware of. If you find some, let me know.

    Sorry this update took so long. It took me a little while to settle on a compromise with what to do about automatic configuration of tunnels connecting different subnets. Also, since my day job is also firmware development, some days it is hard to convince myself to spend my free time doing it as well.

    Let me know what you think, and what can be improved. :smile:
  81. peyton

    peyton Networkin' Nut Member

  82. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    From there:
    Sorry about that. I saw your question, but got busy and assumed someone in that thread would have answered.

    As you can see from the OpenVPN HOWTO on generating certificates, you just need to generate it using the same set of tools used to generate your certificates. Assuming you used the easy-rsa utilities that come with OpenVPN, you just need to run the "build-dh" executable.

    That's it. It will generate your Diffie Hellman parameters for you.
  83. peyton

    peyton Networkin' Nut Member

    Thanks you.
    Now it inits, I just have another problem.

    I don't really know what that's caused by.
    In my firewall script I put "iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT"
    Interface type is set as default (tap) and I didn't change the port (1194). :confused:
  84. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Your signature says you are running 1.21.0013. Since you obviously have OpenVPN included, I assume this either isn't correct or it is different VPN build. So, I'm not sure how much help I'll be able to give, but I'll try.

    Please open a new thread, and include more of your log file (is there anything about failing to create a TAP interface before the OpenVPN entries?), and we'll see if we can straighten it out.
  85. sunjon

    sunjon LI Guru Member

    Could you list exactly which firewall rules are set? I've a few manually set rules for my tunnel, and would like to remove any duplicates.

    Thanks for the update, much appreciated as always.

    The GUI is looking comprehensive and my TUN setup is working fine, with only a few lines for CCD in my custom config. So no immediate improvements spring to mind. I did try a different config parameter today though - "client-connect", which failed to work (and stopped the server from running). It's used to run scripts on the router when clients connect (duh!), similar to the "up" and "down" parameters that can also be set.

    This appears in the logs when any of these script running parameters are set:
    Code:
    openvpn_execve: external program may not be called due to setting of --script-security level
    script failed: external program fork failed
    
    This post explains that running these scripts is disabled in current builds of OpenVPN, and that to enable them you have to set a flag when compiling.

    On a separate note, do you have any advice to offer on how I'd go about including samba-server (running as a WINS server) in my Tomato setup? It's 'related' in that it would solve my shared folder over TUN VPN issues that I mentioned here.
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    While the server/client is running, you can ssh/telnet to the router and there will be a (server|client)[12]-fw.sh file that contains the iptables rules that were applied. On stopping the service, the -A and -I entries are turned to -D and the file is re-executed to remove the rules. If the vpn_debug nvram option is set, that file (with -Ds) will remain.

    I had seen the client-connect option and thought it looked like a good alternative to client-config-dir (since you can also use it to dynamically add server options on client connect). I had not tried it, though, and didn't realize it needed a special option at source configuration time. I will research that some and weigh any pros/cons on adding that flag for the next release. Thanks for bringing that to my attention.

    While I probably won't include it in this build, it may be interesting for another custom Tomato version (probably not by me, though, as my routers don't have external storage attached). The general steps would be
    1. Download samba sources
    2. Configure sources for mips and any other non-default options you'd want
    3. Add sources to tomato source tree and add it to the appropriate makefile
    That's pretty much it. Of course, it's the unexpected complications that could possibly make it difficult.
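    An added example (my own code, not the VPN build's -fw.sh and not code posted by anyone in this thread) that ties together the manual firewall rule from post 68, the optional client-side NAT described in the 1.21vpn1.0016 release notes, and the add-then-rewrite-to-delete teardown described in the post above. The function names, the interface names tun11 (tunnel) and br0 (LAN), and the exact rule set are my assumptions; the rules are printed rather than executed so the script runs anywhere, and on the router you would pipe the output to sh.

```shell
#!/bin/sh
# Added example, not the Tomato VPN build's own -fw.sh: print the iptables
# rules one OpenVPN instance needs, and derive the matching teardown commands
# by rewriting -A/-I into -D, as the build's (server|client)[12]-fw.sh does.
# Assumed: function names, interface names tun11 (tunnel) and br0 (LAN).

# vpn_fw_rules PROTO PORT TUNIF LANIF NAT
# NAT=1 adds the client-side masquerade from the 1.21vpn1.0016 notes, which
# lets the client LAN reach the server LAN with no per-client server config.
vpn_fw_rules() {
    proto=$1; port=$2; tunif=$3; lanif=$4; nat=$5
    # external: accept the tunnel's packets on the WAN side
    echo "iptables -I INPUT 1 -p $proto --dport $port -j ACCEPT"
    # internal: allow tunnel <-> LAN forwarding for a routed (TUN) tunnel
    echo "iptables -I FORWARD 1 -i $tunif -o $lanif -j ACCEPT"
    echo "iptables -I FORWARD 1 -i $lanif -o $tunif -j ACCEPT"
    if [ "$nat" = 1 ]; then
        echo "iptables -t nat -A POSTROUTING -o $tunif -j MASQUERADE"
    fi
}

# fw_teardown: read rule lines on stdin, print the delete form of each.
# "-A CHAIN" becomes "-D CHAIN". "-I CHAIN N" becomes "-D CHAIN" with the
# position dropped: "-D CHAIN N" would delete whatever rule currently sits
# at position N, which need not be the rule we inserted.
fw_teardown() {
    sed -e 's/ -A \([A-Za-z_]*\)/ -D \1/' \
        -e 's/ -I \([A-Za-z_]*\) [0-9][0-9]*/ -D \1/' \
        -e 's/ -I \([A-Za-z_]*\)/ -D \1/'
}

# Stand-alone demo: show the up and down rule sets for a UDP/1194 server
# instance with the client NAT enabled. Pipe either set to sh to apply it.
echo "# up"
vpn_fw_rules udp 1194 tun11 br0 1
echo "# down"
vpn_fw_rules udp 1194 tun11 br0 1 | fw_teardown
```

    The point of dropping the position argument when building the -D form is that rule numbers are not stable: once other services have inserted their own rules, the rule at position 1 is usually no longer the one this instance added, so deleting by specification rather than by number is the safe choice. For a bridged TAP tunnel, as sunjon found in post 68, only the INPUT rule is needed.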
  87. diggyz

    diggyz Networkin' Nut Member

    I tried the new build and connected together my 2 routers
    Same problem again, i cant ping the other network.
    It doesn't look like it adds the gateway for the other machine and vice versa..
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What settings did you use?
  89. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.21vpn1.0017

    Version 1.21vpn1.0017

    You can download the binaries and source from here.

    For those wanting to use the source, be sure to read the README file included in the source archive.

    Changes from 1.21vpn1.0016
    • Fixed a bug when using TCP with a vpn server
    • See above link to 1.21vpn1.0016 for changes from previous release

    Known limitations:
    • None that I am aware of. If you find some, let me know.
  90. diggyz

    diggyz Networkin' Nut Member

    I used TAP,
    static key with compression default.
    The only custom command I used was ifconfig 192.168.0.85 255.255.255.0 to get an IP address.
  91. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are your two endpoints on the same subnet? Did you check the box saying they were on the same subnet? If not, did you check the box to add a NAT?

    EDIT: Oh, if you're still having a problem, please start a new thread. This one is getting long and crowded.
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For those who use Static Key authentication, I've created a test build that has a more complete solution for that case.

    It can be downloaded here: 1.21vpn1.9018.

    If no more bugs are found in the near future, I'll roll out the next release.
  93. VeNT

    VeNT Networkin' Nut Member

    so all I need to do to get this running is re-flash my router with the bin file?
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Pretty much. Once you do, there will be a "VPN Tunneling" section in the web GUI for configurations.

    However, there have been a couple of reports of problems with wireless if you don't clear NVRAM after flashing. So, if you start having strange problems, you should do a thorough NVRAM clear and reconfigure.
  95. ng12345

    ng12345 Addicted to LI Member

    Great build!

    Had a quick question -- how are you testing your firmware out? I want to try compiling the firmware myself (would like to combine your mod with the speedmod), but I don't want to risk bricking my router unnecessarily. I searched the forums and google and saw a little bit about a program called bosch -- but it seems pretty complicated to just setup the env. would love to know how you set up your test environment.

    Also - a quick note and a tad nitpicky - certificate is misspelled in "Certifate Authority" in your VPN tunneling GUI (I noticed it a while ago but it's not fixed in 0017)

    Another small quirk -- the server address field is character-limited -- however OpenVPN supports name resolution (i.e. the use of DDNS addresses) and I can't fit my address in that spot
  96. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    By flashing my router! :wink: Unfortunately, I don't know of an artificial environment that would be able to adequately test all of the needed aspects.

    Thanks for that, I knew there was bound to be some little things like that.

    I already fixed that in the test build. It will be included in the next release (along with the typo fixes, and static key address management).

    Thanks again for pointing these out!
  97. ng12345

    ng12345 Addicted to LI Member

    Thanks for your quick response.

    I just noted something else that was missing from the config window (for me).

    I use the tls-auth command (which is an additional handshake at the beginning) and it requires a static key (in addition to the certificate keys). Unfortunately with your gui, I can't add the static key in if I want to; do you think it would be possible to add a box for the tls-auth key and an option for authorization with TLS + Auth key

    my config requires per client:
    ca.crt
    client.crt
    client.key
    -and-
    static.key (a static key that serves as the tls-authorization)

    If you aren't planning on adding this command to the gui, is there a way I can paste the key into the custom config so it creates it for me?
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I should be able to add that. Currently, I reuse the same data for both server key and static key to save creating even more nvram variables. But, since that seems like a reasonable feature, I'll go ahead and divorce the two.

    But, in the meantime, you can add
    Code:
    echo "<paste static key>" > /tmp/tls-static.key
    to the init script (Admin-Scripts) and
    Code:
    tls-auth /tmp/tls-static.key
    to your Custom Configuration.
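    As an added example (mine, not code from the build or from this thread), here is a shell version of the Init Script step above that avoids leaving the key world-readable in /tmp and sanity-checks the file before the Custom Configuration refers to it. The function names and the path /tmp/tls-static.key are assumptions on my part, the key the script writes is a constructed placeholder and not a real key, and the direction argument (0 on the server, 1 on the client) follows the OpenVPN HOWTO convention rather than anything the GUI build does.

```shell
#!/bin/sh
# Added example, not from the VPN build: install a tls-auth key from the
# Init Script without leaving it world-readable, and check that the file
# looks like an OpenVPN static key before the Custom Configuration uses it.
# Assumed: function names, the path /tmp/tls-static.key. The key produced by
# demo_key is a CONSTRUCTED placeholder; make a real one with
#   openvpn --genkey --secret ta.key

# write_tls_key PATH: read key text on stdin, create PATH with mode 0600.
# The umask is set in a subshell so it does not leak into the rest of the
# init script.
write_tls_key() {
    ( umask 077; rm -f "$1"; cat > "$1" )
    chmod 600 "$1"
}

# check_tls_key PATH: 0 if PATH has the V1 markers and exactly 16 lines of
# 32 hex digits between them (512 hex digits = 2048-bit key), else 1.
check_tls_key() {
    f=$1
    [ -f "$f" ] || return 1
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" || return 1
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" || return 1
    n=$(grep -c '^[0-9a-f]\{32\}$' "$f" || true)
    [ "$n" -eq 16 ]
}

# tls_auth_directive ROLE PATH: the line to paste into Custom Configuration.
# The direction argument follows the OpenVPN HOWTO convention: 0 on the
# server, 1 on the client, so each side HMACs with a different key half.
tls_auth_directive() {
    case $1 in
        server) echo "tls-auth $2 0" ;;
        client) echo "tls-auth $2 1" ;;
        *)      return 1 ;;
    esac
}

# demo_key: a placeholder in the static key file layout (NOT a real key;
# the hex lines are derived from a counter so the example runs offline).
demo_key() {
    echo '# 2048 bit OpenVPN static key (constructed placeholder)'
    echo '-----BEGIN OpenVPN Static key V1-----'
    i=1
    while [ "$i" -le 16 ]; do
        printf '%032x\n' $((i * 48879))
        i=$((i + 1))
    done
    echo '-----END OpenVPN Static key V1-----'
}

# Stand-alone demo, the shape of what would go in the Init Script:
demo_key | write_tls_key /tmp/tls-static.key
check_tls_key /tmp/tls-static.key && echo "tls-auth key installed"
tls_auth_directive server /tmp/tls-static.key
```

    In the Init Script you would replace demo_key with a heredoc holding the real key; the 0600 mode matters because /tmp on the router is readable by anything else running there, and a leaked tls-auth key removes exactly the port-scanning and DoS protection the directive is meant to add.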
  99. ng12345

    ng12345 Addicted to LI Member

    Thanks for replying again and would appreciate that feature.

    One quick question -- can nvram variables easily be edited through telnet or sh (outside of using the nvram set command)? Something that would allow me to use vi or another editor?
  100. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    They cannot be "edited" per se, but you can display an nvram variable with
    Code:
    nvram get <nvram variable name>
    and set it with
    Code:
    nvram set <nvram variable name>="<new value>"
    nvram commit          # this makes it survive a reboot
