Well, I was wanting to set up a VPN between my parents and myself for off-site backup purposes, and I knew a non-GUI solution wouldn't cut it for them. So, I wrote one! I really just did this out of my own necessity, so I'm not sure if anybody is interested. But, here goes nothing! For the uninitiated, a VPN (Virtual Private Network) is a secure connection between two places that is sent encrypted over another network (most of the time this is the internet). By putting this on your router, you can have access to your LAN from anywhere with an internet connection (presuming you have the proper credentials). Or, if you place it on two routers, you can effectively bridge the two LANs together, making it appear to the LAN computers that it is one big LAN.

Features:
- Based on Tomato 1.27 (ND also available)
- OpenVPN 2.1.1 is compiled in and fully integrated as a system service
- LZO 2.0.3 is compiled in for the VPN compression option
- Two separately configurable instances each of clients and servers can be configured in the GUI
- TLS (optionally with static key HMAC authentication) and static-key encryption are supported
- Custom configuration field is added to the end of the dynamically generated config file
- UDP and TCP protocols supported
- TAP and TUN style tunnels supported
- Site-to-site tunnels without any custom configuration
- Status tabs displaying connected clients, VPN routes, and/or statistics
- Sets up and tears down (including module insertion/removal) interfaces as appropriate to save memory
- Automatically adds and removes firewall rules as needed
- Option to automatically start server/client with router
- Option to redirect Internet traffic over tunnel
- Options to accept/push DNS options
- Encryption cipher settings are available
- Client address allocation is handled via GUI
- Added capability to use hostnames in the access restrictions page (unrelated to VPN, but I wanted it)
- and more...
All config, key, and cert files are generated in /etc/openvpn at run time, so you can take a look at them if you're curious/concerned. If you find something wrong with the generated files, let me know. Now, Roadkill's VPN mod seemed to have a lot of changes that I wasn't interested in, so I started from scratch. If there is a feature he's added that you can convince me would be useful enough, I may add it. If there are any more common/useful configuration options that you would like to see added to the GUI, again, just let me know. Releases and useful information are now tracked at the TomatoVPN blog. If you would like to be notified of new releases, you can subscribe to the TomatoVPN Blog's RSS feed (releases only). A quick description of the settings can be found here. It is not guaranteed to be current, but I'll try to keep updating it as changes are made. An issue tracker has been set up at GitHub. However, if you're not sure it's really a bug, discuss it in this forum first. Let me know what you think!
Sorry, it's back up. I forgot to turn off sleep mode on my computer before going to sleep. It should stay up now. And, I just added a MediaFire link to the file as well.
Roadkill, I meant to mention: This was just 4-5 days of spare-time development, so I'm not feeling territorial or defensive. If you would like to add the changes to your build, I'd be open to it.
@SgtPepperKSU what you are doing looks great. Could you add USB support to read/write files to USB flash memory/HDD? 10x
My wish is to implement your VPN solution in TrzepakoTomato. It has USB support and some optimizations. Maybe you could get in contact with wdca, the TrzepakoTomato author? Anyway, big thanks for your work
Do I need to clear nvram in order to use this mod? Or can it be loaded on top of an existing vanilla Tomato configuration? (I'd hate to have to redo my entire configuration, if I can avoid it.)
There are a lot of new NVRAM options, but you should be okay not clearing it. Of course, the usual disclaimers apply. And, if you do run into any unusual problems, try clearing it (and let me know). For what it's worth, I never cleared my NVRAM during the development.
I'll get the sources all cleaned up and ready for distribution soon. But, as I'll be out of town for a bit, it will not be until sometime next week. I'll see if I can't quickly hammer out an automatic firewall solution as well.
My thought is, any mod should be attached with the source code in order to be identified and shared to improve Tomato. No sources, no stick. It's a GPL must.
:halo: I remember what the guys took me the first time I posted the mod ... anyway... welcome to the forum and as usual don't expect money but a lot of questions and also my congratulations for the job :biggrin: BTW.. Where is the source code? :biggrin:
Sounds good, maybe I will give the VPN a try, nice. Could you add a bandwidth limiter? Per IP/MAC?
This is pretty awesome! I will be trying this out soon I know one of the problems with roadkill's build was that it didn't support client-config-dir --> has anyone tried that command in their configs with this build? I will try and post in a bit.
He may be fussy, but I have already been approached once already about GPL violations on this site. SgtPepperKSU, could you please either show a link for the changes of your source code, the full code, or make the code available on request of an individual. Thanks.
He already said that he'd post the source code this week.. I suppose that's acceptable.. after all when you request the source code, there's no obligation for a speedy delivery. Now imagine this mod together with Victec's.. yummie..
Is there documentation somewhere that describes how to configure VPN? I have four laptops that I'd like to give access to my local network.
I'm back in town and I'll get the sources up soon. And, as I stated this as soon as someone asked for the source, I don't think there's a problem there. Also, I don't think I made any changes to GPL code anyway... edit: I take that back, I had to add a #include "ping.h" to an openVPN file to get it to compile. The rest is not GPLed.
1.21vpn0087

Okay, version 1.21vpn0087 is now released. You can download both the binaries and the source here. For those wanting to use the source, be sure to read the README file included in the source archive.

Changes from 1.21vpn0086:
To further clean up resources, the configuration and status files are deleted upon stopping a client/server. If you want it to leave those files, set vpn_debug="1" in nvram.

Known limitations: You still need to add the iptables command (see first post) to make the server port visible on the WAN. I just haven't had time to look into this yet.
In response to the requests for USB support in my VPN builds, I'm afraid I am going to decline. I don't have the hardware to test it. If there were another mod that had this feature completed¹, I may consider offering a separate build with those changes included. But, in that case, I suppose it would make as much sense for the author of that build to include my changes instead.

¹ My definition of complete (such that I would consider including it) consists of relatively bug-free code with a working, user-friendly GUI.
basic tomato vpn mod

Hi SgtPepperKSU, Roadkill, first of all thank you for the great work... I have a question: is it possible to generate a basic Tomato VPN Mod version without web GUI and other mods? If it is not possible, could you write a little "how to" step by step? I don't have enough skill to re-compile the source code, but with a "how to" I can try. I think many users like me need the original Tomato version + VPN working 100%. I use config files on the jffs partition and unfortunately "client-config-dir" and "ifconfig-pool-persist" seem not to be working on Roadkill's VPN Mod. Thanks in advance
Well, the only things besides the GUI and firmware integration I've included are LZO (for VPN compression) and OpenVPN. The GUI and firmware integration should not affect stability and you are free to not use them. The WebGUI provides a custom configuration section that is appended to the config file, or you can just use openvpn directly from ssh/telnet/scripts.

Well, if you really want to make your own, here is what you can do:
1. Start with the Tomato source (follow the instructions in the Tomato README)
2. Download LZO and OpenVPN
3. Place the LZO and OpenVPN sources in release/src/router
4. Configure those two sources with the desired options (using the configure executable included; use the --help option for usage information)
5. Add LZO and OpenVPN to the release/src/router/Makefile (see the patch file in my source archive for the changes needed there)
6. Compile Tomato
If you need more detail, I can expound where needed.

That's the goal of my builds, and why I am not including other modifications so far. I don't know what is keeping those options from working with Roadkill's version, but perhaps more time should be spent understanding why before proceeding. It would be a shame to go through that work only to have the same problem. And, besides, if it is something simple to get working, I'm sure roadkill (and I, if it isn't working in mine) would be glad to make the changes to get it to work.
I just registered on the forum to say thanks for the build. It was just what i was looking for. Keep up the good work.
No problem. Like I originally said, this was mainly just to satisfy my own need. I'm just glad there's someone else who finds it useful. Be sure to let me know if you run into any problems, or if there are non-site-specific rules you are having to enter into the custom configuration field: it may be a candidate for inclusion in the GUI.
I'm a complete VPN newb, but I'm assuming you can set the router as a server and have a computer be a client if you're roaming on a foreign network, right? That's what I'd like to use VPN for, but I could never get roadkill's build to work for me. If this is the case, could anyone write up a quick how-to? That'd be extremely helpful, and I'm sure I'm not the only one.
That's actually the way I've been using it lately. The simplest way for a small VPN (one server, few clients) is static key encryption.

On the router:
Interface Type: tap (tun would require you to set up routes manually)
Port: 1194 (or whatever you want)
Protocol: UDP (TCP if you'll be going through an http proxy on the client side)
Encryption Mode: Static Key
Custom Configuration: Shouldn't need anything unless you want special routing, etc.
Server Key: Paste in your static key here (see below)

On the client (something similar to):
Code:
dev tap
proto udp
remote <router-WAN-IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
secret static.key
comp-lzo
verb 3

To generate your static key, simply run
Code:
openvpn --genkey --secret static.key
on the client. If you run into problems, have a look at the log on the client. If that appears to be attempting a connection and failing, have a look at the router's system log (Status->Logs in the GUI) for lines that contain "openvpn". Let me know how it goes!
FYI: Sometime in the near future I'll be working on a new build with an updated OpenSSL in order to support the AES cipher with OpenVPN. If anybody has noticed any needed changes to the GUI, now would be a good time to say so to get it included in that build. :smile: - Keith
Support for the openvpn management interface including the definition of the keyfile might be something worth putting into the gui. And if you can go the extra mile and actually expose the management interface (so have a list of connected clients with connection time, data transferred, bandwidth used and the ability to disconnect them). Furthermore I was thinking what you need two server or client instances for, and besides exposing the same service on two ports using different protocols, I figure you'd be most likely dealing with site to site stuff..and that opens a whole can of worms on topics like subnetting. The device is perfectly capable of handling multiple subnets including the routing in between if needed, as well as dhcp but nothing like that is exposed in a gui. Similarly, you could imagine using multiple tunnels to connect to different networks and expose them on different ports on the router (I have a bunch of routers configured like that) which brings us to vlans, and which in turn could bring us back to subnetting. And both topics also lead to firewalling and that lack for an on device management thereof. I realize I've gone really far with that, but I suppose many of those topics will come up when you start dealing with VPN tunnels.
I installed the OpenVPN firmware on 2 routers, one client, one server. After starting them both I checked the logs and it says
unknown daemon.notice openvpn[1934]: UDPv4 link remote: xx.xxx.xxx.xx:20456
unknown daemon.notice openvpn[1934]: Peer Connection Initiated with xx.xxx.xxx.xx:20456
unknown daemon.notice openvpn[1934]: Initialization Sequence Completed
What's next? I can't see or ping the other network. Mine is 192.168.0.* and the other network is 192.168.1.*
Please post all of the openvpn entry from your log on the client side. Also, did you add the iptables entries in your firewall script?
Perhaps down the line. For now, there is a server<1|2>.status file that is updated every minute in the /etc/openvpn folder with connected client information (including connection time and data transferred). No way to disconnect an individual client, however. That's the reason I added the two servers. I have an occasional client that is behind an http proxy (TCP) but want to run the site-to-site connections as UDP. The two clients is because I have two remote sites to site-to-site to my own. The GUI as it is today is for pretty simple setups. If you're getting into more complicated scenarios, you probably have the know-how to use the "Custom Configuration" section in concert with the various scripts. Though, if you wrote a patch to enable all of that in the GUI, I'd definitely consider incorporating it :smile:
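Reading that status file, as an added example that is not part of the original post or the TomatoVPN build: it parses the version-1 format OpenVPN 2.1 writes by default (the sample contents below are constructed) and reports connection time, bytes transferred, and which connected clients have not sent anything through the tunnel yet.

```python
"""Parse an OpenVPN 2.1 server status file (the server<1|2>.status file this
thread mentions) into per-client records.  Example code written for this
thread, not part of TomatoVPN; the sample status contents are constructed."""
from datetime import datetime

# Constructed sample in OpenVPN's default (version 1) status format.  In tap
# mode the ROUTING TABLE holds MAC addresses learned from client frames; in
# tun mode it holds the client's virtual IP and any iroute networks.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sun Oct 19 22:50:00 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop1,203.0.113.7:53422,184213,3321098,Sun Oct 19 21:14:05 2008
site-b,198.51.100.9:1194,9982171,41200334,Sat Oct 18 07:02:44 2008
client-router,192.0.2.33:20456,3104,2980,Sun Oct 19 22:30:11 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,laptop1,203.0.113.7:53422,Sun Oct 19 22:49:58 2008
192.168.1.0/24,site-b,198.51.100.9:1194,Sun Oct 19 22:49:59 2008
10.8.0.6,site-b,198.51.100.9:1194,Sun Oct 19 22:49:59 2008
GLOBAL STATS
Max bcast/mcast queue length,2
END
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime()-style stamps OpenVPN writes


def _parse_time(text):
    return datetime.strptime(text.strip(), TIME_FMT)


def parse_status(text):
    """Return {'updated': datetime, 'clients': {common_name: record}}.

    Each record carries the CLIENT LIST fields plus a list of
    (virtual address, last ref) tuples from the ROUTING TABLE."""
    updated, clients, section = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
        elif line == "ROUTING TABLE":
            section = "routes"
        elif line == "GLOBAL STATS":
            section = "stats"
        elif line == "END":
            break
        elif line.startswith("Updated,"):
            updated = _parse_time(line.split(",", 1)[1])
        elif section == "clients" and not line.startswith("Common Name,"):
            cn, real, rx, tx, since = line.split(",")
            clients[cn] = {
                "real_address": real,
                "bytes_received": int(rx),
                "bytes_sent": int(tx),
                "connected_since": _parse_time(since),
                "routes": [],
            }
        elif section == "routes" and not line.startswith("Virtual Address,"):
            vaddr, cn, _real, last_ref = line.split(",")
            if cn in clients:
                clients[cn]["routes"].append((vaddr, _parse_time(last_ref)))
    return {"updated": updated, "clients": clients}


def connected_seconds(status, cn):
    """Seconds the client had been connected when the file was written."""
    rec = status["clients"][cn]
    return int((status["updated"] - rec["connected_since"]).total_seconds())


def silent_clients(status, max_idle_seconds=120):
    """Clients that completed the handshake but from which the server has
    seen no traffic lately: no ROUTING TABLE entry at all (in tap mode the
    MAC is only learned once a frame arrives), or every Last Ref older than
    max_idle_seconds.  This is the 'Initialization Sequence Completed but I
    can't ping anything' state from the thread: tunnel up, nothing in it."""
    result = []
    for cn, rec in status["clients"].items():
        refs = [last_ref for _, last_ref in rec["routes"]]
        if not refs:
            result.append(cn)
            continue
        idle = (status["updated"] - max(refs)).total_seconds()
        if idle > max_idle_seconds:
            result.append(cn)
    return sorted(result)


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS)
    for name, rec in st["clients"].items():
        print(name, rec["real_address"], connected_seconds(st, name), "s",
              rec["bytes_received"], "in", rec["bytes_sent"], "out")
    print("silent:", silent_clients(st))
```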
Wireless stops working

I'm kind of new to both Tomato firmware and OpenVPN. I used DD-WRT for the past six months and it worked great, but now I'd like to access my home network from work via VPN. I couldn't get it working on DD-WRT, so I decided to give Tomato a go, but the same thing happens when I'm activating the VPN server. The wireless network goes dead.. What could I be doing wrong? I got a Linksys WRT54GL v1.1 and it's working great except for this. Any suggestions?
That certainly is odd. Could you post any messages in your router log from around the time this happens? What do you mean by "dead", do connections just get dropped? Does the radio get disabled altogether? Does the wireless light on the front of your router turn off? If you turn off the VPN server, does the wireless come back? So, in general, more information would be helpful.
Here is the log from the VPN client. I added
iptables -I INPUT 1 -p udp --dport 20456 -j ACCEPT
on the server as well.

Oct 16 19:44:16 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Oct 16 19:44:16 unknown user.info kernel: device tap11 entered promiscuous mode
Oct 16 19:44:16 unknown user.info kernel: br0: port 3(tap11) entering learning state
Oct 16 19:44:16 unknown user.info kernel: br0: port 3(tap11) entering forwarding state
Oct 16 19:44:16 unknown user.info kernel: br0: topology change detected, propagating
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: OpenVPN 2.1_rc12 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Oct 5 2008
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: LZO compression initialized
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: TUN/TAP device tap11 opened
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: TUN/TAP TX queue length set to 100
Oct 16 19:44:16 unknown daemon.notice openvpn[1932]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Oct 16 19:44:16 unknown daemon.notice openvpn[1934]: Socket Buffers: R=[65535->131070] S=[65535->131070]
Oct 16 19:44:16 unknown daemon.notice openvpn[1934]: UDPv4 link local: [undef]
Oct 16 19:44:16 unknown daemon.notice openvpn[1934]: UDPv4 link remote: xx.xx.xxx.xxx:20456
Oct 16 19:44:17 unknown daemon.notice openvpn[1934]: Peer Connection Initiated with xx.xx.xx.xxx:20456
Oct 16 19:44:18 unknown daemon.notice openvpn[1934]: Initialization Sequence Completed
Solved wireless problem

I still don't know what caused it, but when I erased all NVRAM memory under "Administration/Restore Default Configuration/Erase all data in NVRAM memory (thorough)" and just went through every setting again it started working. Strange.. Thanks for the great work!
Hmm, that all looks pretty good. Does the client show up in the server's device list? Can you SSH to each and capture an ifconfig? And, to be sure, you are pinging from client-side to server-side, right? From a PC or from the router?
Tried pinging from both router and clients, no luck. Nope, it doesn't show up in the device list. I'm not using DHCP btw, if that matters; guess not.

br0 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B4
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:4666588 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8310411 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:383147872 (365.3 MiB) TX bytes:3325544824 (3.0 GiB)

eth0 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B4
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:12883789 errors:0 dropped:0 overruns:0 frame:0
    TX packets:12628953 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:3862912149 (3.5 GiB) TX bytes:3614370190 (3.3 GiB)
    Interrupt:4 Base address:0x1000

eth1 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B4
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:149595 errors:0 dropped:0 overruns:0 frame:8677081
    TX packets:405594 errors:375 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:20266945 (19.3 MiB) TX bytes:204897256 (195.4 MiB)
    Interrupt:2 Base address:0x2000

lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:250 errors:0 dropped:0 overruns:0 frame:0
    TX packets:250 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:32446 (31.6 KiB) TX bytes:32446 (31.6 KiB)

tap11 Link encap:Ethernet HWaddr 00:FF8:2C:71:72
    UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:19 errors:0 dropped:0 overruns:0 frame:0
    TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:2141 (2.0 KiB) TX bytes:25564 (24.9 KiB)

vlan0 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B4
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:4574241 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8197300 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:389369797 (371.3 MiB) TX bytes:3181109855 (2.9 GiB)

vlan1 Link encap:Ethernet HWaddr 00:1B:FC:E9:19:B5
    inet addr:<hidden> Bcast:81.233.4.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:8309548 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4431653 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:3241634150 (3.0 GiB) TX bytes:433260335 (413.1 MiB)

ifconfig from my client
br0 Link encap:Ethernet HWaddr 00:18:39:C5:CF8
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:44439 errors:0 dropped:0 overruns:0 frame:0
    TX packets:59778 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:8391190 (8.0 MiB) TX bytes:58493885 (55.7 MiB)

eth0 Link encap:Ethernet HWaddr 00:18:39:C5:CF8
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:93701 errors:0 dropped:0 overruns:0 frame:0
    TX packets:97820 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:60630133 (57.8 MiB) TX bytes:67784660 (64.6 MiB)
    Interrupt:4 Base address:0x1000

eth1 Link encap:Ethernet HWaddr 00:18:39:C5:CFA
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:78726
    TX packets:773 errors:832 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:216515 (211.4 KiB)
    Interrupt:2 Base address:0x5000

lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:1352 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1352 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:83623 (81.6 KiB) TX bytes:83623 (81.6 KiB)

tap21 Link encap:Ethernet HWaddr 00:FFF:16:F0:0B
    UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:4 errors:0 dropped:0 overruns:0 frame:0
    TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:519 (519.0 B) TX bytes:1856 (1.8 KiB)

vlan0 Link encap:Ethernet HWaddr 00:18:39:C5:CF8
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:573 errors:0 dropped:0 overruns:0 frame:0
    TX packets:756 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:150213 (146.6 KiB) TX bytes:872673 (852.2 KiB)

vlan1 Link encap:Ethernet HWaddr 00:12:93:1DC:C9
    inet addr:<hidden> Bcast:82.183.178.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1114 errors:0 dropped:0 overruns:0 frame:0
    TX packets:979 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:916920 (895.4 KiB) TX bytes:369457 (360.7 KiB)

ifconfig from server

Do I need to route add or something like that?
That's probably the key thing right there. I think I accidentally made that assumption when I generate the OpenVPN configuration files. Try adding Code: ifconfig 192.168.1.75 255.255.255.0 to your client Custom Configuration, replacing the IP address as appropriate. Let me know how it goes; one way or another, I should be automatically setting things up in this situation. EDIT: I just disabled DHCP on my server-side and reconnected. Saw the same symptoms as you, and the ifconfig line fixed it. Hopefully, that's all that was wrong for you.
I did like you said. 192.168.1.0 * 255.255.255.0 0 tap11 was added under routing in the client. In the client log file this was new:
Oct 16 23:13:59 unknown daemon.notice openvpn[2868]: /sbin/ifconfig tap11 192.168.1.75 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255
I can't ping though, and nothing different under the device list. EDIT: br0 00:FF:20:EB:11:34 192.168.1.75 is listed under the device list on the server now
Hmmm, I'm not completely sure what is going on here. Could you try running the following on the client side (via ssh)?
Code:
brctl delif br0 tap11
Then try pinging the server side from the client's ssh session.
brctl delif br0 tap11 on the client side.. Yes, it works after that line. What was wrong? Can't ping the server side from my client though, only from the router. tap11 00:18:39:C5:CF8 192.168.1.1 is showing on the client's device list now also =)
Well, now we just need to bridge the VPN connection over to your LAN, but adding it to the br0 bridge didn't seem to work... I am not an iptables expert, but try some combination of the following on the client side firewall script (probably either just the first two, just the last, or all three):
Code:
iptables -A INPUT -i br+ -j ACCEPT
iptables -A FORWARD -i br+ -j ACCEPT
iptables -I FORWARD -i br+ -o tap+ -j ACCEPT

edit: even if some combination of the above works, try this (all three):
Code:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

edit2: One more thing to try. In fact, try this one first. Add the tunnel back to the bridge (without any of the above iptables commands):
Code:
brctl addif br0 tap0
and try running
Code:
route add -net 192.168.1.0/24 dev br0
Also, could a forum moderator perhaps split out this exchange between diggyz and me into a new topic? (posts 37, 38, 42, 44-52) Title: "VPN GUI site-to-site"? Thanks!
I'm gonna try that when I'm coming home today. brctl addif br0 tap0, should be tap11 in my case, right? When I'm setting up the VPN from the router GUI interface, is the tap interface added to the bridge then? On some routers I get tap11 and on others I get tap20, is it randomly generated?
After adding the tunnel to the bridge it stops working again: brctl addif br0 tap11. If I do brctl del br0 tap11 on the client, I can ping the server router from the client router. If I do brctl del br0 tap21 on the server router as well, then I can't ping anymore. If I del the tunnel from the bridge on the server router but leave it connected on the client router, only the server router can ping the client router.. if that makes any sense? =)
Did you try the route add command after adding the tap interface back into the bridge? And, I think we have the server side how we want it, all of the fiddling should be done on the client side.
Yes, I did the route add command as well, no luck. I tried connecting with the VPN Windows client to the server router, works just fine.. well, there is no routing involved.. router-router works fine as well, it's when bridging it :[ EDIT: if I don't remove the tunnel from the bridge [leave it default] and ping the server router, I don't get any answer but br0 00:FF:EF:E8:05:BC 192.168.1.75 is coming up on the server router's devices list
Have you had a chance to try the iptables commands (with and without the interface removed from the bridge)? Sorry for all of the trial and error here; I haven't had a chance to try a site-to-site yet. I should have access to one of my remote sites before too long, and I will try and hammer this out myself then. But, if we get it worked out now, all the better!
That just lists the iptables rules. I was referring to the iptables commands in post 51. But, if you've also tried those, I'm afraid I'll just be grasping at straws. You may try to search the web for bridged site-to-site OpenVPN how-tos to see if you find a combination of things that work. That's all I would be doing from here. If you do find something that works, let me know and I'll incorporate it into a build. I'll see if I can get access to a remote router sooner than later so I can try some of this out myself.
Hmm, is there nothing more with the route command I need to change? Like the default route? Some people used the push command in their configs: push route 192.168.1.0 255.255.255.0 EDIT: http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers I found that site, maybe you can see something that's not in your conf
That how-to uses "Routed" (TUN) not "Bridged" (TAP) devices. If TUN is acceptable for you (only IP traffic can cross it, if I understand correctly), you may try setting both client and server to TUN and placing the route commands in the custom configuration section. TUN setups don't have any bridging involved, so it may solve the problem. I was trying to get TAP to work because there's no reason why it shouldn't. The push commands on the server are the same thing as putting it (without the push keyword) on the client. And, we already tried that. Like I said, though, I'll try getting a setup going that I can play with to get this figured out, but that will likely be at least a couple of days. :frown:
http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_Bridged_VPN_Between_Two_Routers Hmm, there is a guide, but I can't find anything special
That page is why I had you try the route add command first in post 51. It seems they got things working doing pretty much the same things as us... There is another site that I already put Tomato on a while back that I will be visiting tonight. I will see if I can throw my VPN build on there. If so I'll be able to experiment as early as tomorrow.
if tomato ran asp.net I'd probably invest the time to learn iptables better but as it is, it's not really my cup of tea. If you ever entertain the notion of adding the gui, I've done some vlan and multiple dhcp server stuff so at least there I have some knowhow to help you get started.
Firstly, thanks for making the GUI version of this mod. I've had the TAP version up and running - site-to-site, but ran into a few DHCP/DNS niggles, with everything being broadcast over one subnet. So, I reconfigured to the TUN option - which is giving me 90% of the functionality I wanted. With TUN, the main thing I'm missing now is the ability to communicate with machines behind the client, caused by the CCD options not working. Is there any word on why the client-config-dir and ifconfig-pool-persist ipp.txt are not working on Tomato firmware (posts suggest roadkill's version suffered from the same issue)? ifconfig-pool and ccd-exclusive seem also not to work, but they're less important (to me). Also, a small note: I think the 'Duplicate-CN' setting in the server config should be left to be set by the user. Had the CCD options worked, having duplicate-CN set would have conflicted with my settings.
Could you share how you got site-to-site TAP working? I've been unsuccessful in trying to get diggyz up-and-running in that regard. I haven't tried client-config-dir yet, but I can't think of a reason they wouldn't work (completely trust that they don't, just can't think of why). Do you get error messages in your logs when you try to use it? I'll change that to an option in future releases. Thanks for the feedback!
Alright. This is from my less than reliable memory, so apologies if there are any errors. Most of this config is taken care of by scripts on the GUI version (i.e. VPN mode, protocol, port etc. are all set to what you've entered in the UI, and the other necessary config parameters will be created automatically).

ETHERNET TAP BRIDGE CONFIGURATION

Router #1 - VPN Server
On the server end of the tunnel, leave everything as it is by default:
device == TAP
port == 1194
protocol == UDP
encryption == TLS
Fill in the appropriate key/certs. Nothing needs to be entered in 'Custom configuration'; the following is optional:
Code:
#Following lines optional, but can improve tunnel stability
persist-key
persist-tun
You will need to add the following rule to the (administration->scripts->) firewall, to allow incoming VPN connections:
Code:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

Router #2 - VPN Client
Again, very little is needed here that isn't set up by default. Enter the server address in the GUI, then put the following in custom configuration:
Code:
# Set aaa.bbb.ccc.ddd to any free IP on the server's network.
# Select something outside the scope of the server's DHCP pool.
ifconfig aaa.bbb.ccc.ddd 255.255.255.0
Enter your client key/cert details. One extra step I did take is that once the client had connected and was visible in the device list, I'd take the MAC address and assign it a static IP in the 'Static DHCP' section.

That's it! I can't remember it being any more complicated than that for me; no special routing/firewall rules were needed as it is acting literally like an Ethernet switch.

The problems I had with this setup were as follows: my work (server) had the IP range 192.168.99.0/24 and my home network (client) had the IP range 192.168.1.0/24. Both routers had DHCP enabled, as both routers needed to tend to their own networks when the tunnel wasn't in use. When additional clients connected to the VPN, the router that allocated the new client an IP, and therefore the client's IP/subnet, seemed random - whichever router happened to get there first. I could have perhaps tied this down with some additional routing for ports 67/68, or there are perhaps DNSmasq parameters that would take care of this.

TUN configuration - CCD problems
I'll keep my TUN config out of this post for clarity, but a note on the CCD issue:
Code:
client-config-dir ccd - these files are never read/executed.
ifconfig-pool-persist ipp.txt - no entries are ever made to this file.
ifconfig-pool - doesn't seem to work - doesn't set the scope of the VPN's DHCP
ccd-exclusive - works, but as it enforces non-working CCD, the server has no way then to allocate IPs.
CCD is needed primarily for static VPN IPs, and to configure routes back to the clients with the 'iroute' parameter. Getting everything to work with firewall rules alone gets complicated.

** EDIT: Okay, I checked the logs:
Code:
Oct 19 22:49:29 unknown daemon.warn openvpn[687]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Oct 19 22:49:29 unknown daemon.warn openvpn[687]: WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
This is after setting vpn_debug=1 in nvram (committing & rebooting) and removing the duplicate-cn line in server1.ovpn. Any manual edits to the server config file are overwritten by the defaults + GUI custom config entries when restarting the service through either the GUI or command line. Cheers, let me know if you need any more info. Sunjon
Hmmm, that's all I was thinking it would take. But, alas, we've tried that with diggyz without positive results. I have a remote router to experiment with now, so perhaps I'll be able to get to the bottom of it.

Where did you create ccd? You should try giving the absolute path to it (ie /etc/openvpn/ccd, if that's where it is). Same thing with ipp.txt. I guess to make things easier for the custom config section, I could use "--cd /etc/openvpn" in my openvpn call to make everything look there by default.

I have already made the changes in my local builds to have duplicate-cn be optional. In the meantime, though, you can hand-edit the ovpn file to get rid of that entry. However, you should use
Code:
    /etc/openvpn/vncserver1 --config /etc/openvpn/server1.ovpn
instead to start it so that it will not regenerate the config file.

I'll try and get a build out in the next couple of days that will fix the duplicate-cn directive as optional. I didn't realize it would conflict with other options before.
I cannot get this to work with static keys configuration. I get the following error on the client:
    Mon Oct 20 15:34:43 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Mon Oct 20 15:34:43 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Mon Oct 20 15:34:43 2008 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{3A69CFF8-0CE2-4334-9E75-AB95247C0ECE}.tap
    Mon Oct 20 15:34:43 2008 Successful ARP Flush on interface [65541] {3A69CFF8-0CE2-4334-9E75-AB95247C0ECE}
    Mon Oct 20 15:34:43 2008 UDPv4 link local (bound): [undef]:1194
    Mon Oct 20 15:34:43 2008 UDPv4 link remote: 1.2.3.4:1194
    Mon Oct 20 15:34:50 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
    Mon Oct 20 15:34:54 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

The client config is simple and as follows:
    remote my.host.name (changed from the real one)
    dev tap
    secret static.key

The remote is set up very simply and with settings like the above. I also added a line to the firewall script to make a hole for port 1194. Any pointers? Thanks!

flatulently, commander flatus
Okay, so I have something working. Try running this on each router (substituting IP addresses for the ones on the other router):
Code:
    ifconfig br0 promisc up
    route add 192.168.1.1 dev br0
    route add -net 192.168.1.0/24 gw 192.168.1.1 dev br0

This is with the tunnel interface still bridged. Seems so simple, yet we didn't try using the opposing router as a gateway to the rest of the network... Let me know if it works for you, too.
Well, I think that error code indicates a firewall problem, not a VPN problem. Make sure you are using the same port number on the server, firewall script, and client (and you should probably explicitly name a port rather than rely on defaults there). Also, the same goes for protocol (both that it needs to be the same in all three places and that you should specify it on the client). Also, I don't think it's even getting this far, but you should specify comp-lzo in your client config. I'll probably change that to an option for the next release (don't know why I didn't to begin with), but for now the server is set up to use LZO compression on the VPN link. Try those things. If you are still having a problem, post back (in a new thread, this one is getting a bit crowded) with your settings on both sides and logs from both sides. Also, if one of the above works, please post a little note back saying which it was so if somebody else gets the same error, they will know a possible solution.
Hi, Thank you for your great work. As I want to connect 3 routers using tun(s) into a "family" network, I am interested in Sunjon's conclusions (client-config-dir seems to be important). Currently, I do not have devices in place to do the experiment myself. Have you considered adding the tls-auth key to the GUI? I believe I am not paranoid, but from the HOWTO it looks like the security is much better with it (DoS attacks, port flooding and scanning). Anyway, I hope it is still possible to add the key in the Init Script. Cheers, Jacek
Unless you want to do some manual configuration/testing, I'd hold off for one of the next (hopefully, the next) released builds, as there are site-to-site issues I'm working out yet. Well, then you'll be happy to know that Sunjon found that client-config-dir is working fine! I'll keep that in mind for possible future additions. In the meantime, though, there shouldn't be any reason you couldn't generate the file in the Init Script and add the tls-auth directive in the Custom Configuration section.
I did what I said and now it's working great =) Thanks a lot for taking your time. I was thinking about the gateway as well but didn't know how to add it correctly. Is this something you can include in the build in some way?
Glad it works, and there wasn't some other change I had made and couldn't remember :wink: I'll definitely get something in a build to get this to work automatically. However, I think the "right" way would be to add the routes in the openvpn config file, and I'll experiment on getting that working properly.
can you please write a guide on how to use the VPN function and set it up on windows xp/windows vista using your build? really like to test out the VPN function....
After I get this next release out, there won't be as much need for a guide. I'll write something up then, though.
1.21vpn1.0016

Version 1.21vpn1.0016

NOTICE: I found a bug when using the TCP protocol with a VPN server. Please download 1.21vpn1.0017 instead.

You can download the binaries and source from here. For those wanting to use the source, be sure to read the README file included in the source archive.

Changes from 1.21vpn0087
- Firewall entries (both external and internal) are automatically added and removed
- Site-to-site TAP and TUN work with no custom configuration
  - TUN site-to-site only allows client->server communication (not vice versa, see below) unless you add client-config-dir or client-connect scripts.
- Compression settings can be changed via GUI.
- Encryption cipher can be chosen via GUI (sorry, no AES yet, as site-to-site updates trumped upgrading OpenSSL)
- Client address allocation handled in GUI.
- duplicate-cn and client-to-client no longer autogenerated in config file
  - You can still add them to Custom Configuration if you need them
  - They don't do any good without some custom config anyway

The TUN (or TAP across different subnets) tunnels are only client->server (server LAN can't see client LAN) without Custom Configuration because a NAT is set up on the client side (optional via GUI). Without this NAT, the server side would need to have configuration settings specific to each client. If I did this automatically, it would be difficult to add your own settings in this manner on top of it. So I felt this was a good compromise. You can either a) set up two tunnels, one each way, or b) set up a client-config-dir setup.

Known limitations:
- None that I am aware of. If you find some, let me know.

Sorry this update took so long. It took me a little while to settle on a compromise with what to do about automatic configuration of tunnels connecting different subnets. Also, since my day job is also firmware development, some days it is hard to convince myself to spend my free time doing it as well. Let me know what you think, and what can be improved. :smile:
Sorry to post it there but all the vpn tomato's firmware use the same openvpn and i still don't have a clue. http://www.linksysinfo.org/forums/showpost.php?p=334029&postcount=99
From there: Sorry about that. I saw your question, but got busy and assumed someone in that thread would have answered. As you can see from the OpenVPN HOWTO on generating certificates, you just need to generate it using the same set of tools used to generate your certificates. Assuming you used the easy-rsa utilities that come with OpenVPN, you just need to run the "build-dh" executable. That's it. It will generate your Diffie Hellman parameters for you.
Thank you. Now it inits, I just have another problem. I don't really know what that's caused by. In my firewall script I put "iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT". Internet type is set as default (tap) and I didn't change the port (1194).
Your signature says you are running 1.21.0013. Since you obviously have OpenVPN included, I assume this either isn't correct or it is different VPN build. So, I'm not sure how much help I'll be able to give, but I'll try. Please open a new thread, and include more of your log file (is there anything about failing to create a TAP interface before the OpenVPN entries?), and we'll see if we can straighten it out.
Could you list exactly which firewall rules are set? I've a few manually set rules for my tunnel, and would like to remove any duplicates.

Thanks for the update, much appreciated as always. The GUI is looking comprehensive and my TUN setup is working fine, with only a few lines for CCD in my custom config. So no immediate improvements spring to mind.

I did try a different config parameter today though - "client-connect", which failed to work (and stopped the server from running). It's used to run scripts on the router when clients connect (duh!), similar to the "up" and "down" parameters that can also be set. This appears in the logs when any of these script running parameters are set:
Code:
    openvpn_execve: external program may not be called due to setting of --script-security level
    script failed: external program fork failed

This post explains that running these scripts is disabled in current builds of openVPN, and that to enable them you have to set a flag when compiling.

On a separate note, do you have any advice to offer on how I'd go about including samba-server (running as a WINS server) in my tomato setup. It's 'related' in that it would solve my shared folder over TUN VPN issues that I mentioned here.
While the server/client is running, you can ssh/telnet to the router and there will be a (server|client)[12]-fw.sh file that contains the iptables rules that were applied. On stopping the service, the -A and -I entries are turned to -D and the file is re-executed to remove the rules. If the vpn_debug nvram option is set, that file (with -Ds) will remain.

I had seen the client-connect option and thought it looked like a good alternative to client-config-dir (since you can also use it to dynamically add server options on client connect). I had not tried it, though, and didn't realize it needed a special option at source configuration time. I will research that some and weigh any pros/cons on adding that flag for the next release. Thanks for bringing that to my attention.

While I probably won't include it in this build, it may be interesting for another custom tomato version (probably not by me, though, as my routers don't have external storage attached). The general steps would be:
- Download samba sources
- Configure sources for mips and any other non-default options you'd want
- Add sources to tomato source tree and add it to the appropriate makefile

That's pretty much it. Of course, it's the unexpected complications that could possibly make it difficult.
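The apply/teardown rewrite described above (turning the -A and -I entries of the -fw.sh file into -D and re-running it), as an added shell example that is not TomatoVPN's own script; the rule lines and the tapX interface name are constructed samples, and the first rule is the one given earlier in this thread.

```shell
#!/bin/sh
# Constructed sample of a VPN firewall apply-script: one iptables rule per line.
# Only the first rule is from the thread; the others (and "tapX") are made up.
APPLY_RULES='iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -i tapX -j ACCEPT
iptables -A FORWARD -o tapX -j ACCEPT'

# Convert one apply rule to its delete counterpart.
# -D takes either a rule number or a rule specification, never both, so the
# insert position that follows -I is dropped and the rule is deleted by match.
fw_delete_rule() {
    printf '%s\n' "$1" | sed \
        -e 's/^iptables -I \([A-Za-z0-9_]*\) [0-9][0-9]* /iptables -D \1 /' \
        -e 's/^iptables -A \([A-Za-z0-9_]*\) /iptables -D \1 /'
}

# Convert a whole apply script (one rule per line) into a teardown script.
fw_teardown_script() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        if [ -n "$rule" ]; then
            fw_delete_rule "$rule"
        fi
    done
}

# Sanity check before re-executing: a teardown script must contain no
# -I/-A rules, otherwise re-running it would add ACCEPT rules instead of
# removing them (a stale open VPN port is the failure mode to avoid).
fw_teardown_ok() {
    ! printf '%s\n' "$1" | grep -q -- '-[IA] '
}

# Show the generated teardown script for the sample above.
fw_teardown_script "$APPLY_RULES"
```

On a router you would also check the live table afterwards (iptables -L INPUT -n --line-numbers) to confirm the VPN ACCEPT rules are really gone.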
I tried the new build and connected together my 2 routers. Same problem again, I can't ping the other network. It doesn't look like it adds the gateway for the other machine and vice versa..
1.21vpn1.0017

Version 1.21vpn1.0017

You can download the binaries and source from here. For those wanting to use the source, be sure to read the README file included in the source archive.

Changes from 1.21vpn1.0016
- Fixed a bug when using TCP with a vpn server
- See above link to 1.21vpn1.0016 for changes from previous release

Known limitations:
- None that I am aware of. If you find some, let me know.
I used TAP static key with compression default. The only custom command I used was ifconfig 192.168.0.85 255.255.255.0 to get an IP addr.
Are your two endpoints on the same subnet? Did you check the box saying they were on the same subnet? If not, did you check the box to add a NAT? EDIT: Oh, if you're still having a problem, please start a new thread. This one is getting long and crowded.
For those who use Static Key authentication, I've created a test build that has a more complete solution for that case. It can be downloaded here: 1.21vpn1.9018. If no more bugs are found in the near future, I'll roll out the next release.
Pretty much. Once you do, there will be a "VPN Tunneling" section in the web GUI for configurations. However, there have been a couple of reports of problems with wireless if you don't clear NVRAM after flashing. So, if you start having strange problems, you should do a thorough NVRAM clear and reconfigure.
Great build! Had a quick question -- how are you testing your firmware out? I want to try compiling the firmware myself (would like to combine your mod with the speedmod), but I don't want to risk bricking my router unnecessarily. I searched the forums and google and saw a little bit about a program called bosch -- but it seems pretty complicated to just set up the env. Would love to know how you set up your test environment. Also - a quick note and a tad nitpicky - certificate is misspelled in "Certifate Authority" in your vpn tunneling gui (I noticed it a while ago but not fixed in 0017). Another small quirk -- the server address field is character limited -- however openvpn supports name resolution (i.e. the use of ddns addresses) and I can't fit my address in that spot.
By flashing my router! :wink: Unfortunately, I don't know of an artificial environment that would be able to adequately test all of the needed aspects. Thanks for that, I knew there was bound to be some little things like that. I already fixed that in the test build. It will be included in the next release (along with the typo fixes, and static key address management). Thanks again for pointing these out!
Thanks for your quick response. I just noted something else that was missing from the config window (for me). I use the tls-auth command (which is an additional handshake at the beginning) and it requires a static key (in addition to the certificate keys). Unfortunately with your gui, I can't add the static key in if I want to; do you think it would be possible to add a box for the tls-auth key and an option for authorization with TLS + Auth key my config requires per client: ca.crt client.crt client.key -and- static.key (a static key that serves as the tls-authorization) If you aren't planning on adding this command to the gui, is there a way I can paste the key into the custom config so it creates it for me?
I should be able to add that. Currently, I reuse the same data for both server key and static key to save creating even more nvram variables. But, since that seems like a reasonable feature, I'll go ahead and divorce the two. But, in the meantime, you can add
Code:
    echo "<paste static key>" > /tmp/tls-static.key
to the init script (Admin-Scripts) and
Code:
    tls-auth /tmp/tls-static.key
to your Custom Configuration.
Thanks for replying again and would appreciate that feature. One quick question -- can nvram variables easily be edited through telnet or sh (outside of using the nvram set command)? Something that would allow me to use vi or another editor?
They cannot be "edited" per se, but you can display an nvram variable with
Code:
    nvram get <nvram variable name>
and set it with
Code:
    nvram set <nvram variable name>="<new value>"
    nvram commit
(the commit makes it survive a reboot)