
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. i1135t

    i1135t Network Guru Member

    Ok, now routes are being added correctly even after it reconnects. Thanks, that problem was bugging me for a while. I'm wondering if I could add an IPtable rule to allow ICMP/UDP packets through from my TUN interface to troubleshoot the idle disconnect problem. How would I go about that? Would this work for inserting this into my firewall script?
    Code:
    iptables -A INPUT -i tun21 -j ACCEPT
    iptables -A FORWARD -i tun21 -j ACCEPT
    I saw this on your other post here:
    Code:
    http://www.linksysinfo.org/forums/showpost.php?p=344570&postcount=14
    I'm sorry I don't know much about iptables...
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Those rules are exactly what is added when you choose "Automatic" for the firewall setting (except they are now -I rather than -A). That's why I'm not sure what could be going wrong. I suppose you could try adding a rule for icmp specifically:
    Code:
    iptables -I INPUT -i tun21 -p icmp -j ACCEPT
    But, since I can already ping over the tunnels, I'm pretty sure it's already getting through with the rules mentioned before.

    For some reason, though, the keep-alive "pings" (quoted because I don't even know that they really use icmp pings) are not completing successfully. And, I don't know enough about how OpenVPN handles them internally to be able to debug further than I have. :sad:
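As an added example, not code from the thread or from the TomatoVPN build itself: a firewall-script fragment that installs the two tunnel rules with -I rather than -A, as the post says the "Automatic" setting does, and skips any rule that is already present so a reconnect does not stack duplicates. The interface name tun21 comes from the thread; `iptables -C` (not present in every 2009-era busybox build) and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not TomatoVPN's own firewall script.
# Inserts (-I) ACCEPT rules for the tunnel interface at the head of INPUT and
# FORWARD, skipping rules that are already installed. Assumptions: the
# interface is tun21 (from the thread); `iptables -C` is available; DRY_RUN=1
# prints the commands instead of running them.

TUN_IF="${TUN_IF:-tun21}"

# run_ipt ARGS... : run iptables, or print the command when DRY_RUN is set
run_ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# rule_present CHAIN RULE... : true when the rule is already in the chain
rule_present() {
    if [ -n "$DRY_RUN" ]; then
        return 1            # dry run: pretend nothing is installed yet
    fi
    iptables -C "$@" 2>/dev/null
}

# add_rule CHAIN RULE... : insert at the head of CHAIN unless already present
add_rule() {
    rule_present "$@" || run_ipt -I "$@"
}

vpn_firewall_rules() {
    # Traffic from the tunnel to the router itself (pings, DNS, the GUI)
    add_rule INPUT -i "$TUN_IF" -j ACCEPT
    # Traffic from the tunnel that the router forwards on to the LAN
    add_rule FORWARD -i "$TUN_IF" -j ACCEPT
    # Narrower variant discussed in the thread, ICMP only, for troubleshooting:
    # add_rule INPUT -i "$TUN_IF" -p icmp -j ACCEPT
}

# Usage: sh vpn-fw.sh dry-run   (show the commands)   or   sh vpn-fw.sh apply
case "${1:-}" in
    apply)   vpn_firewall_rules ;;
    dry-run) DRY_RUN=1; vpn_firewall_rules ;;
esac
```

Run it with `dry-run` first to see exactly what would be inserted; -I puts the rules ahead of Tomato's own DROP rules, which is why the thread moved from -A to -I.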
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Fair enough. If the sites need to have the same subnet, then you do, indeed, need to use TAP. Though, ideally, the sites would have been placed on different subnets from the beginning (not that it's feasible to change now). Having ambiguous routing (multiple interfaces with the same subnet) just seems error-prone (but, through very careful use and planning, I'm sure it can be fine).
    Yeah, it sounds like GUI-configurable VLANs would be a help for quite a few people. If that happens, I'll certainly update the VPN GUI to integrate with it.

    I just had a thought, though. You could write an up script that is run whenever the TAP device is up that removes it from the br0 bridge and adds it to your desired VLAN. If that's the only deviation from the existing GUI behavior that you need, I think it'd be pretty simple to do.
     
  4. i1135t

    i1135t Network Guru Member

    Well, it looks like that iptable rule didn't affect it at all. It was worth a try though. I will just switch over to TCP for now and see how that goes with the idling issue.
     
  5. occamsrazor

    occamsrazor Network Guru Member

    i1135t & SgtPepper,

This is probably an unrelated long shot, but... I was having some similar problems with a Mac OS X VPN client, Viscosity, connecting to a commercial VPN provider, and then losing all network activity on disconnect, including internet. Somehow I fixed the problem (some checkbox in the app, but I'm not sure what I did). I mention it only because while looking for answers I came across this, which may or may not be of help...

    http://www.viscosityvpn.com/support/?section=faq&supportid=15

    Sorry if this is unrelated, but just thought I'd mention it.
     
  6. baldrickturnip

    baldrickturnip LI Guru Member

    I had a VPN server stop on Current Version: 1.23vpn2.0005

    error message in the logs was

    Code:
    May 20 12:26:35 unknown daemon.err openvpn[23558]: 3129client2/10.31.29.1:4802 write UDPv4 []: No buffer space available (code=132)
    
     
  7. occamsrazor

    occamsrazor Network Guru Member

    SgtPepper, A question... I have my TomatoVPN server running on Port 1194 for remote access purposes. I also use a VPN client on a LAN machine behind the router, when at home, to connect through the router (but not to it) to a commercial VPN provider also using port 1194. When I'm doing that there are no remote clients connected to the TomatoVPN server, but it is running.

    Do you think that is likely to be problematic? I've just been having some weird but unrepeatable problems with the LAN machine's networking and wondered if this is possibly the cause. I guess I could just change the TomatoVPN server port.... but wondered if this immediately struck you as something that would be a problem.
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Having the same port for both shouldn't be a problem. When your LAN machine is connected to the VPN provider, the local port used to receive response packets on the router will not be 1194.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Looks like your router just ran out of memory. I'm afraid the best you can do is run a cron job (like in the README) to restart the server if it fails.
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The problem i1135t was having was on a reconnect, not a disconnect, but I think we solved it anyway. It could very well have been caused by something similar (his internet connection could very well pass through a subnet that is the same as his remote LAN), but I don't think the same remedy would work (resetting the network connection).

    Thanks for the thought, though. It was certainly at least partially related.
     
  11. i1135t

    i1135t Network Guru Member

occamsrazor, thanks for the suggestion, but that is not the case. I am on the 10.x.x.x at home, and at work, on the 192.168.x.x subnet. That's the very reason why I am on the 10.x.x.x at home. Most private networks are set up on the 192.168.x.x these days, so the chances of being on the same subnet on the outside and at home are minimized.

    I just tested my TCP VPN connection and it appears to be stable, at 1+ hours, so it does appear to be that UDP packets are only affected when idling. I will just use TCP for now, even though it's not recommended encapsulating TCP packets within TCP packets, as it hinders network performance, but at least it's stable. Thanks anyways guys...

    Oh, I fixed that problem of not being able to connect to any of my network devices after renegotiating the connection by adding (push "route 10.x.x.x") to my server custom config. That fixed the issue of my Windows VPN connections adding an invalid route statement to another interface. It still adds it sometimes, but with the correct one there as well, it's a non-issue now.
     
  12. i1135t

    i1135t Network Guru Member

    OK, I finally figured out why my Windows boxes were not tunneling my DNS requests through my VPN connection. This explains it all..

    http://support.microsoft.com/default.aspx?scid=kb;en-us;311218

I also had to make the following change for it to truly work:

    1. Go to CONTROL PANEL --> NETWORK CONNECTIONS
    2. Go to ADVANCED --> ADVANCED SETTINGS
    3. Move "Remote Access Connections" to the very top, with your TUN/TAP second in line.
    4. Reboot and it should now work perfectly.

    FYI, note that with every change in adapter (adding/removing), you have to go back into the registry and update that setting again. I don't think MS is planning to fix this bug at all, but good to know how to fix it. It was bugging me for a while. :)

    -- EDIT --

    OK, looks like I spoke a little too early. Hopefully this setting will finally keep this change permanent. I also had to change a reg key somewhere else as well.

    Code:
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\**MY TUN Adapter**\
    I changed "DefaultGatewayMetric" from blank to "1".

    We will see if this finally sticks... sigh!?
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good catch! I hadn't heard about that Windows bug (or even noticed those settings :blush:) before. That workaround will probably be very useful to many people (it could probably explain the problems at least a few people have had).

    Off-topic #1: Damn Windows... so many bugs... I moved to Ubuntu on my main laptop about a year ago (only used it for tinkering before), and now I'd really hate to go back. Just having to be in Windows at work for long enough to VNC into a Solaris machine (where I do my real work) seems painful now that I'm spending so much time on Linux...

    You mention having to redo this every time you add/remove an adapter. But, does it need to be done if you disable one? If the only reason you're removing and adding the OpenVPN adapters is because of the annoying tray icon that appears when it is disconnected, I've found disabling it does just as well. And, unless you need more than one simultaneous TAP/TUN connection, then just leaving the one in place should be fine.

    Off-topic #2: ... (or Text) instead of
    Code:
    ...
    can be used on this forum to make links clickable :wink:
     
  14. i1135t

    i1135t Network Guru Member

Yes, I used to be a Windows-only user, but now I am in Ubuntu for most of the time when I am at work and at home. It's my preferred OS now.. mainly Ubuntu. I never knew it would grow on me, but it has and now I am forever changed...

    I haven't tried disabling it yet, but will have to try it and see if that's the case.

    Hehe, I haven't coded HTML in years, so I forgot about all the programming language. :)
     
  15. Low-WRT

    Low-WRT LI Guru Member

    This is correct, right?
    Code:
    cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep, that would check if the server is running every 30 minutes.
     
  17. dvd-guy

    dvd-guy Guest

    Any 1.25 love?
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I wanted to implement a few features that I've worked out the logistics of in my head before making the next release, but I've been really busy lately and haven't had any time to work on actually implementing them. I found some time last night and implemented a couple of them - with one to go (smaller than either of the other two, btw). After I do that (today?), I'll need to do some testing and work out any bugs. But, expect a 1.25 based release "soon".

    Out of curiosity, was there something in particular in 1.24/1.25 that you were wanting? It looked like a pretty incremental update to me.
     
  19. humba

    humba Network Guru Member

    Does brctl really work properly if you leave interfaces up? IIRC I had to take down the vlans to bridge tap interfaces to them. I'd anticipate issues when you try to unbridge and rebridge an active tap interface.

    any chance something like a gui for subnetting or a gui for firewall rules? ;)
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just started a TAP server, and while it was running (not connected, though), I removed it and readded it from br0 with brctl. What kind of issues were you expecting?
    (no sarcasm, I really want to know what issues you were expecting because I might just not be looking for them in the right place)
     
  21. dougisfunny

    dougisfunny LI Guru Member

    So, I have looked quickly through about the last 10 pages of posts, but I can't find what I'm looking for. I would assume it has been covered though. So my situation since I'm having problems finding the solution....

I'm in a hotel, and I have a wrt with me, and it is connected as a client to a more secure network at my office. I want to know how to route the internet traffic from my laptop through my router's tunnel to my work. You mentioned routing traffic through the tunnel on your road map as an addition to the gui, so until that is done, what can I add to my custom config?

    Thanks!
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, that feature should be in the next release (hopefully in the next few days), but for now it should just be
    Code:
    route-gateway <server LAN gateway IP>
    redirect-gateway def1
    in the client config.
     
  23. gregg098

    gregg098 LI Guru Member

I've posted about this before and never really found an answer. Maybe someone can help.

I'm using the 3.0001 VPN version on my WRT54GL and have OpenVPN 2.1_rc15 on my XP laptop.

    On the router for the server, I have the following settings:

    Interface Type: TAP
    Protocol: UDP
    Port: 1195
    Firewall: Automatic
    Authorization: TLS
    HMAC: Disabled
    DHCP Checked

    All other tabs have defaults and the keys tab has all the proper keys.

    My client config is as follows:
Now, it connects perfectly, but then I can't do anything. Every web page I go to just times out. I tried to leave out the last two lines to make it just a simple VPN connection, and I get the same results.

If I change the server to TCP, then my config to "proto tcp-client", everything works great, just really slow. I know UDP is the preferred VPN protocol, I just can't figure out what I'm doing wrong and why identical UDP and TCP connections work differently.

I've had this issue for a long time and have upgraded multiple versions of both router firmware and computer software. When I upgrade my router, I always clear the NVRAM and start from scratch so I don't think it's a random variable leftover from another version.

    Anyone have any ideas?
     
  24. humba

    humba Network Guru Member

    Let me dig up the original vlan/openvpn scripts and get back to you (by now I've converted everything to static vlans so my current scripts no longer contain the bringing interfaces up/down parts).
     
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.25vpn3.3 release

    Release 1.25vpn3.3 is now available.

    The major new features include AES cipher (thanks fyellin!), automatic redirect gateway options, and automatic DNS options (push DNS to clients, and accept DNS options on clients).

    Let me know if you have any problems - especially with the new features: I think I have the major kinks out, but I only thoroughly tested with TLS+TUN.
     
  26. Vezado

    Vezado Addicted to LI Member

    Wow, that was fast... Thanks for all your hard work on this. I will give it a test this weekend.

    Is the AES cipher a little more cpu intensive btw?
     
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, there's a good chance AES is slower than blowfish (the default). However, it seems on some hardware it's actually faster. It would be interesting for someone to benchmark the two...
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just realized that the use of the redirect options may not be entirely clear. To clarify: You don't need to select the option on both the client and server to get it to work. Selecting it in the client should redirect Internet-bound traffic regardless of what is set on the server, and selecting it in the server should redirect all clients' Internet-bound traffic as long as they don't configure specifically to reverse it.
     
  29. fyellin

    fyellin LI Guru Member

Wikipedia has a self-contradictory paragraph on the speed of BF vs AES. The first sentence seems to indicate that AES is faster, while the second and third seem to indicate that although BF is faster, AES is more likely to improve in speed.

    The main reason I had for wanting AES is that it is a national standard. It is possibly the most studied cipher in history and no serious flaws have been found. The NSA lets it be used for secret documents. BlowFish probably has no flaws, and I fully respect its creator, but it hasn't been studied nearly as much.

It's worth noting OpenSSL has assembly language implementations for both AES and BF on the x86, and both claim significant improvements over the gcc-generated code. Tomato could gain from a MIPS-assembly implementation.
     
  30. fyellin

    fyellin LI Guru Member

    I recompiled the "openssl" application to include the "speed" command. Here is the output I got:

    Code:
    The 'numbers' are in 1000s of bytes per second processed.
    type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    blowfish cbc      2753.76k     3504.49k     3556.34k     3580.92k     3456.69k
    aes128 cbc         920.04k     1939.76k     1980.94k     1981.47k     1939.05k
    aes192 cbc         824.55k     1708.19k     1726.53k     1714.85k     1699.49k
    aes256 cbc         712.45k     1494.59k     1520.52k     1513.17k     1489.45k
    So yes, it appears that AES is about half the speed of blowfish for large block sizes. Slower on small block sizes (because its minimum block size is 16 bytes).

    I haven't tried a long download using VPN to see if encryption/decryption is the actual bottleneck, though.
     
  31. kisenberg

    kisenberg Addicted to LI Member

    I found this: http://wiki.openvpn.eu/index.php/Geschwindigkeitstest
     
  32. Vezado

    Vezado Addicted to LI Member

Wow, that's a pretty massive difference. I assumed it would be a little slower but not by that much. It might be worth adding a warning in the GUI, especially for those expecting to have many VPN clients connecting at the same time. I wish OpenVPN would add support for Twofish; it's very light on the CPU and the creator of Blowfish advises users to switch (link).

    thanks for checking the speeds.
     
  33. fyellin

    fyellin LI Guru Member

    The problem with twofish, I hate to say, is that it's mostly a niche market. This cipher was in an international competition to be named the Advanced Encryption Standard (AES) and lost to Rijndael. The selection criteria were security, speed, and ease of implementation across a wide variety of platforms. Rijndael beat Twofish and three other finalists by a fairly large margin and earned the right to be named AES. Even Schneier was happy with the final choice.

    I should also note that these speed tests do not include initial key setup. Key setup is known to be particularly slow on blowfish, so I suspect it's also slow on twofish. You could change keys every ten seconds in AES and barely notice the difference, while Blowfish would slow down horribly.

    For my personal VPN? I'm not running a heavily loaded network. Nor do I suspect that there's anything of much value for someone to steal: my concern is hackers breaking in for the fun of it rather than looking for something. I'll probably switch to AES-128, but be on the lookout for signs of slowdown.
     
  34. fyellin

    fyellin LI Guru Member

    For comparison, here are the numbers when I run the same command on a Linux/x86.
    Code:
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    blowfish cbc     79383.41k    84204.80k    84454.57k    86600.50k    86774.31k
    aes-128 cbc     115732.98k   124604.48k   125447.46k   127702.08k   127425.33k
    aes-192 cbc     103292.97k   105422.13k   109484.93k   111216.78k   111199.43k
    aes-256 cbc      92887.16k    97286.53k    99807.17k    98443.86k    97784.01k
    Note that
    1. In this newer version of OpenSSL, the 8-byte test is replaced with a 16-byte test, which is a little bit fairer to AES
    2. All three key sizes of AES are faster than BF.
    3. Both algorithms use handwritten assembly language. I'm tempted to recompile openssl without the assembly language, and see how the two compare.
    In any case, I suspect that both AES and BF would work better on the tomato if their low-level key setup, encryption, and decryption were written in assembly. Do I remember my MIPS assembly from fifteen years ago?
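As an added example, not code from the thread: a small script that pulls the per-cipher throughput out of an `openssl speed` table like the two posted above (the router run and the x86 run) and reports AES throughput relative to Blowfish, so the comparison is a number rather than a read-by-eye. The sample tables are the figures quoted in the thread; the column layout (cipher name first, five block sizes, values in KB/s with a trailing "k") is the standard `openssl speed` format. Running the benchmark yourself is shown only as a usage comment, since the legacy bf-cbc entry may be absent on newer OpenSSL builds.

```shell
#!/bin/sh
# Added example, not from the thread: read an `openssl speed` table and compare
# AES throughput against Blowfish at the largest block size.
# Input format assumed: the standard `openssl speed` table, cipher name in
# column 1, five block-size columns, numbers in KB/s with a trailing "k".
export LC_ALL=C   # keep awk's decimal point a "." regardless of locale

# Sample input: the router figures quoted in the thread (8192-byte column last)
ROUTER_TABLE='type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc      2753.76k     3504.49k     3556.34k     3580.92k     3456.69k
aes128 cbc         920.04k     1939.76k     1980.94k     1981.47k     1939.05k
aes192 cbc         824.55k     1708.19k     1726.53k     1714.85k     1699.49k
aes256 cbc         712.45k     1494.59k     1520.52k     1513.17k     1489.45k'

# Sample input: the Linux/x86 figures quoted in the thread (newer OpenSSL naming)
X86_TABLE='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     79383.41k    84204.80k    84454.57k    86600.50k    86774.31k
aes-128 cbc     115732.98k   124604.48k   125447.46k   127702.08k   127425.33k
aes-192 cbc     103292.97k   105422.13k   109484.93k   111216.78k   111199.43k
aes-256 cbc      92887.16k    97286.53k    99807.17k    98443.86k    97784.01k'

# speed_of TABLE NAME : largest-block throughput (KB/s) of the row whose first
# word is NAME ("blowfish", "aes128", "aes-128", ...), trailing "k" stripped
speed_of() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { sub(/k$/, "", $NF); print $NF }'
}

# ratio TABLE NAME : throughput of NAME divided by Blowfish, two decimals
ratio() {
    aes=$(speed_of "$1" "$2")
    bf=$(speed_of "$1" blowfish)
    awk -v a="$aes" -v b="$bf" 'BEGIN { printf "%.2f\n", a / b }'
}

# report TABLE : one line per AES row: name, KB/s, and ratio to Blowfish
report() {
    printf '%s\n' "$1" | awk '$1 ~ /^aes/ { print $1 }' | while read -r name; do
        echo "$name $(speed_of "$1" "$name")k $(ratio "$1" "$name")x blowfish"
    done
}

# Usage: `openssl speed bf-cbc aes-128-cbc aes-256-cbc` produces a table in this
# layout on your own hardware; paste it into a variable and call report on it.
report "$ROUTER_TABLE"
report "$X86_TABLE"
```

On the router figures this gives AES-128 at about 0.56x Blowfish and AES-256 at about 0.43x, while on the x86 run AES-128 comes out at about 1.47x, which is the reversal the two posts describe.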
     
  35. gawd0wns

    gawd0wns LI Guru Member

Great work for adding the AES cipher, and keeping the TomatoVPN project going. --My ISP only allows a 30kb/s upload rate, so I probably won't notice any slowdowns :)

    I'm just curious; how important are TLS ciphers in the whole negotiation process? Should they be updated as well to DHE-RSA-AES256, or whatever is out there, or are they safe enough as they are?

    Edit: OpenVPN 2.1rc17 is out! :)
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For the record, I've recompiled TomatoVPN-ND with the newer ND driver from the 1.25 release of Tomato (previously it was the ND driver from 1.23, but the core from 1.25) and uploaded it to the download site.

    If you want to check, 1.25vpn3.3.4a23693f(ND) is the old version and 1.25vpn3.3.4a25d7c7(ND) is the new one.
     
  37. opt1m4l

    opt1m4l Addicted to LI Member

    SgtPepperKSU: I'd love to see an implementation of PPTP or L2TP. The iPhone does not support OpenVPN at the moment, so this mod doesn't work for me...
     
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

Just a bit ago, I noticed an area where the new "Accept DNS configuration" client option has room for improvement.

    I noticed that, mysteriously, my DNS requests suddenly started not going through the VPN tunnel. After some debugging, I realized that on the first request after restarting dnsmasq, it "simultaneously" issues the request to all nameserver entries in the resolv.dnsmasq file. Then, it seems it chooses whichever one responds first for all subsequent requests. If the VPN tunnel is a bit slow for whatever reason, it could very well not be the first to respond.

This came as a surprise to me since the rules of operation for resolv files are to use them in the order they appear, only going down the list if you don't get a response. In my "Accept DNS configuration" implementation, I exploited that fact by leaving the existing DNS servers in there just in case the tunnel goes down (it will just move on to the other DNS servers). It appears this isn't a good assumption with dnsmasq.

    After a bit of research, I found you can disable this optimization by adding "strict-order" to the dnsmasq config file. If it is very important to you to have the DNS requests go over the tunnel, I suggest you add that to your Dnsmasq Custom configuration (Advanced->DHCP/DNS) until I implement a suitable fix (keep reading).

    However, for the next release (not saying that'll be soon), I plan to change the "Accept DNS configuration" checkbox to a dropdown box with the following options:
    • Disabled
      • This is obvious
    • Relaxed
      • This will be the current behavior - it'll add the VPN DNS to (the beginning of) the list of servers, but won't guarantee its use
    • Strict
      • This will add strict-order to the configuration while the tunnel is up (I have an idea on how this might be possible - but haven't tested it). The VPN tunnel should always be used unless it isn't available.
    • Exclusive
      • The only server(s) in the list will be the VPN server(s). If the tunnel stops responding, you're SOL until either it comes back or OpenVPN calls the down script, but you're guaranteed your DNS queries aren't going over the non-VPN connection.

    Sound good? Any comments?
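As an added example, not TomatoVPN's own "Accept DNS configuration" implementation: an OpenVPN client up/down handler that builds the dnsmasq resolv file in the three non-disabled modes proposed above. It relies on OpenVPN's documented behaviour of exporting each pushed option to the up script as a `foreign_option_N` environment variable (for example `foreign_option_1="dhcp-option DNS 10.8.0.1"`). The file paths, the dnsmasq include file and the `service dnsmasq restart` command are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not TomatoVPN's own up/down script. OpenVPN client handler
# implementing the three DNS modes proposed in the post:
#   relaxed   - pushed DNS first, existing servers kept as fallback (dnsmasq may
#               still prefer whichever server answers fastest)
#   strict    - same list plus "strict-order", so dnsmasq tries them in order
#   exclusive - pushed DNS only; the non-VPN servers are never queried
# OpenVPN hands pushed options to the up script as foreign_option_N, e.g.
# foreign_option_1="dhcp-option DNS 10.8.0.1". All paths below and the restart
# command are assumptions for illustration.

RESOLV_OUT="${RESOLV_OUT:-/etc/resolv.dnsmasq}"      # file dnsmasq reads (assumed)
WAN_RESOLV="${WAN_RESOLV:-/etc/resolv.conf}"         # ISP servers (assumed)
DNSMASQ_EXTRA="${DNSMASQ_EXTRA:-/etc/dnsmasq.vpn}"   # included from dnsmasq.conf (assumed)
DNS_MODE="${DNS_MODE:-strict}"

# pushed_dns : print every address from a pushed "dhcp-option DNS <addr>"
pushed_dns() {
    env | sed -n 's/^foreign_option_[0-9]*=dhcp-option DNS \(.*\)$/\1/p'
}

# build_resolv MODE OUT WANFILE ADDR... : write OUT and the dnsmasq include
build_resolv() {
    mode="$1"; out="$2"; wan="$3"; shift 3
    : > "$out"
    for a in "$@"; do
        echo "nameserver $a" >> "$out"        # VPN servers go first
    done
    if [ "$mode" != exclusive ] && [ -r "$wan" ]; then
        grep '^nameserver' "$wan" >> "$out" || true   # keep ISP servers as fallback
    fi
    if [ "$mode" = strict ]; then
        echo strict-order > "$DNSMASQ_EXTRA"  # honour list order instead of fastest reply
    else
        : > "$DNSMASQ_EXTRA"
    fi
}

# vpn_up : run by OpenVPN (--up) once the tunnel is established
vpn_up() {
    set -- $(pushed_dns)
    [ $# -gt 0 ] || return 0                  # nothing pushed: leave DNS alone
    cp "$RESOLV_OUT" "$RESOLV_OUT.pre-vpn" 2>/dev/null || true
    build_resolv "$DNS_MODE" "$RESOLV_OUT" "$WAN_RESOLV" "$@"
    service dnsmasq restart                   # assumed restart command
}

# vpn_down : run by OpenVPN (--down); put the pre-tunnel file back
vpn_down() {
    [ -f "$RESOLV_OUT.pre-vpn" ] && mv "$RESOLV_OUT.pre-vpn" "$RESOLV_OUT"
    : > "$DNSMASQ_EXTRA"
    service dnsmasq restart
}

# OpenVPN client config (paths assumed):
#   script-security 2
#   up   /jffs/vpn-dns.sh up
#   down /jffs/vpn-dns.sh down
case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

In exclusive mode the fallback servers are deliberately never written, which is the "SOL until the tunnel comes back" trade-off the post describes; in strict mode the include file carrying `strict-order` only exists while the tunnel is up, so the dnsmasq default behaviour returns once the down script runs.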
     
  39. gawd0wns

    gawd0wns LI Guru Member

    I think it is an option many users (myself included) have trouble with, so I think it is a good idea. One thing about this though, I noticed I was having problems when I installed OpenVPN 2.1rc17 with my settings, but when I rolled back to rc15, everything worked as it was. If you upgraded to rc17, I recommend you try rolling back to rc15 and see if it works properly.

    I personally believe additional options in the tick boxes or drop down menu should be for options which are essential for the operation of the OpenVPN server or client, or for options which are heavily used by users. Having said that, I think your work has grown to a point where it might be a good idea to start compiling a manual to explain all of the features. I'm afraid new users might get confused or overwhelmed by the options, and won't know what to do. I'd gladly volunteer some of my spare time to write up something explaining server configurations, though I really suck at client configs on the router. I'm not an expert by any means, and I would need help with related things like firewall rules, or dnsmasq.
     
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

I'm glad someone said they thought it was a good idea, since I finished its implementation earlier today (though, still untested). :smile:
    I agree. I don't see many more options showing up now. Any not-oft-used options should be able to be configured manually in the custom configuration sections.

    I plan on adding a quick start how-to and a settings guide to the blog, but haven't gotten around to it yet. Now that I don't have anything in mind for any more new features, I should be able to get to it soon. A while back, though, I posted a settings summary in this thread (linked to from the first post and blog). I haven't updated it in the last couple of releases, but I'll try to do that soon, too. That can be used in the meantime before I get something proper up on the blog.
     
  41. Delta221

    Delta221 Addicted to LI Member

  42. gawd0wns

    gawd0wns LI Guru Member

    SgtPepperKSU, would you consider upgrading the TLS-ciphers for future releases?
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    TLS is only used in OpenVPN for the initial authentication, not to encrypt any of the data going over the tunnel. So, it doesn't seem too much of a priority to upgrade it. Plus, I don't know enough about TLS ciphers to care much about the differences. If someone ports upgraded ciphers to our version of OpenSSL (or upgrades OpenSSL), I'd certainly consider including it, though.
     
  44. i1135t

    i1135t Network Guru Member

Sounds great... but I haven't had a problem with my VPN DNS queries on my Linux boxes so far. I think I also solved the Windows VPN DNS routing issues, so it appears to be working 100% all the time for me (keeping my fingers crossed). But something like this would be great as it gives us more options to configure our tunnels, so I see it as a plus. Great work SgtPepper ...
     
  45. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yeah, I didn't have any problems with it either in my testing before release, but it seems non-deterministic and gets more likely to not tunnel DNS if your tunnel slows for whatever reason.

    Also note, this was with DNS queries going over the tunnel and internet traffic not going over the tunnel (this can be useful to resolve host names on the remote LAN). The same problem could occur with internet traffic being tunneled (DNS traffic may still be tunneled, but it would be to the wrong DNS server), but I think it would be less likely.
     
  46. i1135t

    i1135t Network Guru Member

    Cool, that would be great if it would work that way. It would save lots of bandwidth as well as increase speed and throughput without any DNS blocks. That would be a great feature to add onto your build.
     
  47. mony

    mony Guest

Hi. I have a speed related question. I can't transfer faster (at best) than 350kb/s with WRT54G v2.2 + tomatovpn 1.25/3.3 as client. My "server side" is a linux server running gentoo. If I use my laptop (behind the same router) to use openvpn directly from the server, I get speed 2 to 2.5MB/s (basically the limit of wifi g), but if "the termination" of the vpn is done by the WRT54G the speed is 300-350kb/s. All this with blowfish enc. I tried aes, but as I expected the results were worse. The tunnel is configured with tun + ssl certs + static routing tables (I can see the network behind gentoo, and from the network behind gentoo I can see the one behind wrt...) over udp (tried tcp but no change). Is this the maximum traffic that the router can handle or is there a problem? How can I optimise it?
PS. Tried +/- lzo. No change.
PS2. Sorry for my bad English :)
     
  48. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That very well could be the limit for the router due to its small CPU. I've never done any speed testing, though, so I can't say for sure.
     
  49. baldrickturnip

    baldrickturnip LI Guru Member

    your work is much appreciated SgtPepperKSU

    the script to place in the init

    does this work with all versions of your GUI - as I have some much older ones running which I cannot upgrade as yet
     
  50. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    How much older? If it is 1.23vpn3.0000 or newer, adding that line should be fine. If it is older than that, you should use the commands in those release READMEs.
     
  51. dorkiedoode

    dorkiedoode Addicted to LI Member

    hey, is anyone able do download the newest version? doesn't seem to be working for me.
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What happens when you try to download it? I just downloaded tomatovpn-ND-1.25vpn3.3.7z and tomatovpn-ND-1.25vpn3.3.7z.sig. They completed successfully and quickly with the .sig file successfully verifying the .7z file.
     
  53. dorkiedoode

    dorkiedoode Addicted to LI Member

Hi, I'm trying to download TomatoVPN Source and it would not work. Looks like it's trying to connect to it but could not. I used 3 different browsers. As of now when I click on TomatoVPN Source it takes about a minute for the download to appear and it is slowly downloading. How big is this file? Took me 10 mins for 10mb lol.
     
  54. Low-WRT

    Low-WRT LI Guru Member

    I just downloaded all 4 files...no problem at all.
     
  55. dorkiedoode

    dorkiedoode Addicted to LI Member

    ahh i'm not sure whats wrong. so i left it there and i downloaded 113mb already...
     
  56. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The source is large (it contains a linux kernel, uClibc, gcc cross-compiler, plus the source of a lot of applications). It is probably quicker to download the Linksys source, Tomato-fy it (follow directions with Tomato source), then apply the patch for TomatoVPN. That should give you the same result, without having to wait for the git site to serve up the whole thing. Or, best yet, use git to clone the repository and checkout the tomatovpn branch.

    And, just to be sure: you are wanting to compile the firmware, right? You don't need the source just to run it.
     
  57. i1135t

    i1135t Network Guru Member

    Hi, I just upgraded to teddy's latest USB mod that includes your newest VPN mod. I see you have two new options "Advertise DNS to clients" and "Direct clients to redirect internet traffic". Are these the equivalent to "push dhcp-option DNS" and "push redirect-gateway def1" in the server custom config or are they new features?
     
  58. dorkiedoode

    dorkiedoode Addicted to LI Member

    thank you! i got it to work now. i am noob as you can see. really appreciate your work though :thumbup:
     
  59. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's pretty much what those do. It also handles the "push route-gateway" stuff when needed, too (I think that might be why so many people had trouble with redirect-gateway. I found that it actively screws things up for TUN, but is needed for TAP).

    I also added an "Accept DNS configuration" to the client pages. That one is the hardest to reproduce with a custom configuration script because it has up/down scripts and interoperates with dnsmasq in multiple ways.
     
  60. dorkiedoode

    dorkiedoode Addicted to LI Member

  61. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Look in the router's log (Status->Logs) and look to see what kind of error it is reporting.

Also, I recommend using TUN, which is not what that guide uses (edit: apparently, it has directions for both). It is also a bit out of date as many of the options he has in the Custom Configuration box are built in to the GUI now. Finally, there should be no need to edit the easy-rsa utilities (except vars.bat) like is done there. Just follow the instructions here to generate your certificates, then copy them to the applicable fields in the GUI, select TUN/TLS/UDP (should be the defaults), and (if you are doing a site-to-site - if you will just have PCs connecting, don't worry about this) either fill in the Client-Specific Options on the server or check the NAT option on the client. There should be no needed configuration beyond that.
     
  62. Delta221

    Delta221 Addicted to LI Member

    The guide has instructions for both TUN and TAP interfaces. Post your configuration here please.
     
  63. dorkiedoode

    dorkiedoode Addicted to LI Member

    Hi, so I followed the guide to generate my certificate and keys. I posted them in VPN Tunneling > Server > Keys. My configs are TUN, UDP, 1194 (forwarded already), TLS, and everything else is at default. After entering my keys I get "Server is not running or status could not be read" status.

    This is what I get from my log:

    Jun 11 17:01:37 unknown user.info kernel: device tun21 entered promiscuous mode
    Jun 11 17:01:37 unknown daemon.notice openvpn[1611]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jun 11 17:01:37 unknown daemon.warn openvpn[1611]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jun 11 17:01:38 unknown daemon.notice openvpn[1611]: Diffie-Hellman initialized with 1024 bit key
    Jun 11 17:01:38 unknown daemon.err openvpn[1611]: Cannot load certificate file server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jun 11 17:01:38 unknown daemon.notice openvpn[1611]: Exiting
    Jun 11 17:01:38 unknown user.info init[1]: VPN_LOG_ERROR: 719: Starting VPN instance failed...
     
  64. Delta221

    Delta221 Addicted to LI Member

    Did you experience any errors or anything unusual in the generation process?

    Remember, you have to run build-ca.bat first. When you generate the server and client certificates, there are two questions to sign the certificates at the end of each process. Answer Yes to both of them.

    When you open server.crt with notepad, everything has to be copied in as it is with no changes. Just highlight it all, and paste it in. Don't make any changes to the copied text at all.

    The certificate generation should look like this (the Common Name has to be 'server'):
     
  65. dorkiedoode

    dorkiedoode Addicted to LI Member

    Hi, I'll write out exactly how I did it.
    Installed OpenVPN to x:

    cd x:\openvpn\easy-rsa
    init-config
    vars
    clean-all
    build-ca (did not ask me to sign here)
    common name= openvpn
    build-key-server server
    common name= server
    yes
    yes
    *The only error I'm getting is: unable to write 'random state'
    build-key client1
    common name=client1
    Same error: unable to write 'random state'
    build-dh

     
  66. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That means the server certificate you put in the "Server Certificate" field is not valid. It should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----" and must include those lines. Is that what you have there?

    All of the fields on the key page need a "BEGIN" and an "END" line, and you cannot leave any of them empty.
     
  67. dorkiedoode

    dorkiedoode Addicted to LI Member

    Hi, yes, everything has a begin and an end.
    For the server certificate it begins with "-----BEGIN CERTIFICATE REQUESTS-----"
    and ends with "-----END CERTIFICATE REQUESTS-----"

    I copied and pasted it exactly as it was in the txt files into all of them.
     
  68. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's the problem. Something must have gone wrong during your certificate generation (it should not be a certificate request, it should be a certificate).

    Please try to uninstall/reinstall OpenVPN on your computer and just use the official OpenVPN How-to I posted a couple of times (don't edit the scripts like in Delta221's how-to). Then make sure you use the files that the how-to indicates.
     
  69. dorkiedoode

    dorkiedoode Addicted to LI Member

    Hey, ok, I will give it one more try. This is about my 5th time reinstalling and making new keys :thumbup:.
     
  70. dorkiedoode

    dorkiedoode Addicted to LI Member

    Ok, I'm still getting the same error. Err, if this helps, I'm running Windows 7 x64.
     
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've never tried to run these scripts on Windows 7 before. Try copying the entire easy-rsa folder into your user directory (on your Desktop, for example) before running them. There may be a weird permissions problem.

    And, just to be sure, you are using the server.crt file, right?
     
  72. dorkiedoode

    dorkiedoode Addicted to LI Member

    Yup, I am using server.crt. I guess I can install Windows XP as a virtual machine. I'll get to it. Thanks for the help.

    Edited: I just tried installing and creating the keys on Windows XP Professional and am still getting BEGIN CERTIFICATE REQUEST. Hmm, am I missing a step to get it signed?
     
  73. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Here is a sample run I just did on a Windows XP Professional system:
    Code:
    C:\Program Files\OpenVPN\easy-rsa>init-config
    
    C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
            1 file(s) copied.
    
    C:\Program Files\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
            1 file(s) copied.
    
    C:\Program Files\OpenVPN\easy-rsa>notepad vars.bat
    <edited the last block of variables>
    C:\Program Files\OpenVPN\easy-rsa>vars
    
    C:\Program Files\OpenVPN\easy-rsa>clean-all
            1 file(s) copied.
            1 file(s) copied.
    
    C:\Program Files\OpenVPN\easy-rsa>build-ca
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    ..........................................++++++
    ..............................++++++
    writing new private key to 'keys\ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [ST]:
    Locality Name (eg, city) [MyCity]:
    Organization Name (eg, company) [MyOrg]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:cacn
    Email Address [vpn@example.com]:
    
    C:\Program Files\OpenVPN\easy-rsa>build-key-server server
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .....................++++++
    ..................++++++
    writing new private key to 'keys\server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [ST]:
    Locality Name (eg, city) [MyCity]:
    Organization Name (eg, company) [MyOrg]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [vpn@example.com]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Using configuration from openssl.cnf
    Loading 'screen' into random state - done
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'ST'
    localityName          :PRINTABLE:'MyCity'
    organizationName      :PRINTABLE:'MyOrg'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:'vpn@example.com'
    Certificate is to be certified until Jun 10 15:03:00 2019 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
    C:\Program Files\OpenVPN\easy-rsa>build-key client
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .................++++++
    ......................................................++++++
    writing new private key to 'keys\client.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [ST]:
    Locality Name (eg, city) [MyCity]:
    Organization Name (eg, company) [MyOrg]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:client
    Email Address [vpn@example.com]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Using configuration from openssl.cnf
    Loading 'screen' into random state - done
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'ST'
    localityName          :PRINTABLE:'MyCity'
    organizationName      :PRINTABLE:'MyOrg'
    commonName            :PRINTABLE:'client'
    emailAddress          :IA5STRING:'vpn@example.com'
    Certificate is to be certified until Jun 10 15:04:00 2019 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
    C:\Program Files\OpenVPN\easy-rsa>build-dh
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    .....................+..............................................+................................................+..
    .................................................+.+...+.....+..........................................................
    ...........+........................................+...................................................................
    ...........+............................................................................................................
    ...+......................+..............+..................................+...........................................
    .......................................+................................................................................
    ........................+.......+.......................................................................................
    ...............................+.........................................+.....................................+........
    ............................+......+..................................+.............+.+..........+....+.................
    ..........+.............................................................................................................
    ....................................+............+.+...............+...............................................+....
    .......................+................................................................................................
    ........................................................................................................................
    ...........................+................................................+....+.......+..............................
    ........+........................+............................+.............................................+...........
    .................+..............................................................................+.......................
    ........+................+..+.............................................................+.............................
    ...........+.....................+..........................................................+........+..................
    .....................+..........+......................+...+.........+................+.................................
    .......................................+................................................................................
    ............+..............................................++*++*++*
    
    C:\Program Files\OpenVPN\easy-rsa>cd keys
    
    C:\Program Files\OpenVPN\easy-rsa\keys>dir
     Volume in drive C has no label.
     Volume Serial Number is 5C78-A5AA
    
     Directory of C:\Program Files\OpenVPN\easy-rsa\keys
    
    06/12/2009  10:06 AM    <DIR>          .
    06/12/2009  10:06 AM    <DIR>          ..
    06/12/2009  10:04 AM             3,514 01.pem
    06/12/2009  10:04 AM             3,411 02.pem
    06/12/2009  10:03 AM             1,147 ca.crt
    06/12/2009  10:03 AM               887 ca.key
    06/12/2009  10:04 AM             3,411 client.crt
    06/12/2009  10:04 AM               655 client.csr
    06/12/2009  10:04 AM               887 client.key
    06/12/2009  10:06 AM               245 dh1024.pem
    06/12/2009  10:04 AM               174 index.txt
    06/12/2009  10:04 AM                21 index.txt.attr
    06/12/2009  10:04 AM                 3 serial
    06/12/2009  10:04 AM             3,514 server.crt
    06/12/2009  10:03 AM               655 server.csr
    06/12/2009  10:03 AM               887 server.key
                  14 File(s)         19,411 bytes
                   2 Dir(s)  205,391,163,392 bytes free
    C:\Program Files\OpenVPN\easy-rsa\keys>cat client.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, ST=ST, L=MyCity, O=MyOrg, CN=cacn/emailAddress=vpn@example.com
            Validity
                Not Before: Jun 12 15:04:00 2009 GMT
                Not After : Jun 10 15:04:00 2019 GMT
            Subject: C=US, ST=ST, O=MyOrg, CN=client/emailAddress=vpn@example.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:bd:a9:34:69:38:3b:b6:8c:a8:20:20:10:30:0d:
                        44:16:1f:8d:12:1f:69:61:eb:26:0c:28:ba:0f:44:
                        e9:b8:f2:db:37:5b:2c:93:48:c3:a1:9c:80:0f:56:
                        fd:21:2e:2e:de:cb:c1:f6:b9:a5:13:8a:d9:4b:4e:
                        f4:4f:f2:33:5c:29:70:aa:9b:b8:8c:10:9a:82:bc:
                        dd:4e:94:ec:a5:81:0a:48:75:4e:8b:67:63:e0:18:
                        d4:42:74:f7:09:1b:23:04:53:85:0f:8a:1b:dd:6c:
                        3a:94:9d:09:67:18:2a:25:b6:b3:38:32:99:22:d1:
                        61:dc:f6:91:a3:50:f3:03:65
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    CB:A1:64:BE:61:67:84:C3:E0:AC:53:44:B5:9A:8D:95:D2:DD:5F:9E
                X509v3 Authority Key Identifier:
                    keyid:A8:52:24:D9:11:A7:09:0B:B3:A8:BF:56:99:63:87:41:85:AC:AF:31
                    DirName:/C=US/ST=ST/L=MyCity/O=MyOrg/CN=cacn/emailAddress=vpn@example.com
                    serial:AF:6D:75:24:5B:34:82:86
    
        Signature Algorithm: md5WithRSAEncryption
            72:f2:fe:7a:92:f6:78:84:fa:c3:17:0c:d7:de:08:bd:c5:c3:
            ec:da:58:31:82:84:2b:c8:49:9b:ec:2b:a3:b5:9b:93:c0:4d:
            f9:88:e5:06:a0:10:2f:7d:76:9c:6d:87:17:35:45:31:64:da:
            04:19:4f:eb:85:92:91:ac:bf:5e:d2:59:6d:ac:8d:5b:a5:2d:
            26:b9:30:bd:7b:a1:11:8c:2b:58:fc:b5:61:94:e2:1d:76:86:
            34:29:8e:fa:7d:63:b3:e5:79:66:a1:25:a2:fb:e4:28:33:e7:
            89:d0:64:52:9a:e8:3c:2c:a9:54:a8:6a:43:43:d0:0c:40:f7:
            c2:17
    -----BEGIN CERTIFICATE-----
    MIIDNjCCAp+gAwIBAgIBAjANBgkqhkiG9w0BAQQFADBqMQswCQYDVQQGEwJVUzEL
    MAkGA1UECBMCU1QxDzANBgNVBAcTBk15Q2l0eTEOMAwGA1UEChMFTXlPcmcxDTAL
    BgNVBAMTBGNhY24xHjAcBgkqhkiG9w0BCQEWD3ZwbkBleGFtcGxlLmNvbTAeFw0w
    OTA2MTIxNTA0MzhaFw0xOTA2MTAxNTA0MzhaMFsxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJTVDEOMAwGA1UEChMFTXlPcmcxDzANBgNVBAMTBmNsaWVudDEeMBwGCSqG
    SIb3DQEJARYPdnBuQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
    iQKBgQC9qTRpODu2jKggIBAwDUQWH40SH2lh6yYMKLoPROm48ts3WyyTSMOhnIAP
    Vv0hLi7ey8H2uaUTitlLTvRP8jNcKXCqm7iMEJqCvN1OlOylgQpIdU6LZ2PgGNRC
    dPcJGyMEU4UPihvdbDqUnQlnGColtrM4Mpki0WHc9pGjUPMDZQIDAQABo4H6MIH3
    MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
    cnRpZmljYXRlMB0GA1UdDgQWBBTLoWS+YWeEw+CsU0S1mo2V0t1fnjCBnAYDVR0j
    BIGUMIGRgBSoUiTZEacJC7Oov1aZY4dBhayvMaFupGwwajELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAlNUMQ8wDQYDVQQHEwZNeUNpdHkxDjAMBgNVBAoTBU15T3JnMQ0w
    CwYDVQQDEwRjYWNuMR4wHAYJKoZIhvcNAQkBFg92cG5AZXhhbXBsZS5jb22CCQCv
    bXUkWzSChjANBgkqhkiG9w0BAQQFAAOBgQBy8v56kvZ4hPrDFwzX3gi9xcPs2lgx
    goQryEmb7CujtZuTwE35iOUGoBAvfXacbYcXNUUxZNoEGU/rhZKRrL9e0lltrI1b
    pS0muTC9e6ERjCtY/LVhlOIddoY0KY76fWOz5XlmoSWi++QoM+eJ0GRSmug8LKlU
    qGpDQ9AMQPfCFw==
    -----END CERTIFICATE-----
    
    C:\Program Files\OpenVPN\easy-rsa\keys>
    Note that all the junk before "-----BEGIN CERTIFICATE-----" isn't necessary, but shouldn't hurt anything (besides using up NVRAM space), in the VPN GUI field.

    Check to see if your process is different.

    EDIT: I just noticed that the server.csr file is of the form you describe. You're sure you're using the .crt file, not the .csr file?
     
  74. Delta221

    Delta221 Addicted to LI Member

    You should not be getting that "unable to load random state" error. I don't see anything wrong with the way you are generating certificates, my certificates all have ---BEGIN CERTIFICATE and --END Certificate. Though you have to paste ALL of the text in the server.crt file as it is, not just the section below --BEGIN CERTIFICATE---.

    I read somewhere that you have to run openvpn with admin privileges in Windows 7, try granting openssl.exe admin privileges as well.

    I had problems with the newer version of openvpn, try an older one. I'm using 2.1rc15 and it works fine.

    Test out the certificates I attached and see if you get the same error, I generated them with the .bat files on the howto page.
     

  75. dorkiedoode

    dorkiedoode Addicted to LI Member

    Sorry, but I'm not sure what you mean by using server.CRT? All I did was copy the keys from server.CSR into Tomato.
     
  76. dorkiedoode

    dorkiedoode Addicted to LI Member

    I just downloaded your file and it did not work. Same error =\. I uninstalled my previous r17 and installed the r15 that you suggested, running it in VISTA mode with ADMINISTRATION RIGHTS, but no luck. I still get the error, "unable to write random state"

    Code:
    C:\Program Files (x86)\OpenVPN\easy-rsa>init-config
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
            1 file(s) copied.
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
            1 file(s) copied.
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>vars
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>clean-all
    The system cannot find the path specified.
            1 file(s) copied.
            1 file(s) copied.
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>build-ca
    The system cannot find the path specified.
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .......................++++++
    ....++++++
    unable to write 'random state'
    writing new private key to 'keys\ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [SanFrancisco]:
    Organization Name (eg, company) [OpenVPN]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:openvpn
    Email Address [mail@host.domain]:
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>build-key-server server
    The system cannot find the path specified.
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    ...........++++++
    ............++++++
    unable to write 'random state'
    writing new private key to 'keys\server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [SanFrancisco]:
    Organization Name (eg, company) [OpenVPN]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:server
    Email Address [mail@host.domain]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:14756
    An optional company name []:
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Using configuration from openssl.cnf
    Loading 'screen' into random state - done
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'CA'
    localityName          :PRINTABLE:'SanFrancisco'
    organizationName      :PRINTABLE:'OpenVPN'
    commonName            :PRINTABLE:'server'
    emailAddress          :IA5STRING:'mail@host.domain'
    Certificate is to be certified until Jun 10 15:43:00 2019 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>build-key client1
    The system cannot find the path specified.
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .....................................++++++
    .............++++++
    unable to write 'random state'
    writing new private key to 'keys\client1.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [SanFrancisco]:
    Organization Name (eg, company) [OpenVPN]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:client1
    Email Address [mail@host.domain]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:1475
    An optional company name []:
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Using configuration from openssl.cnf
    Loading 'screen' into random state - done
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'CA'
    localityName          :PRINTABLE:'SanFrancisco'
    organizationName      :PRINTABLE:'OpenVPN'
    commonName            :PRINTABLE:'client1'
    emailAddress          :IA5STRING:'mail@host.domain'
    Certificate is to be certified until Jun 10 15:43:00 2019 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>build-dh
    The system cannot find the path specified.
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ................................................................................
    ................................................................................
    ................................................................................
    ..................................................+.............................
    ................................................++*++*++*
    unable to write 'random state'
    
    C:\Program Files (x86)\OpenVPN\easy-rsa>
    
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's the problem. server.CSR is not the right file to use. There should be a server.CRT as well. THAT is what needs to be used.

    CRT = Certificate
    CSR = Certificate signing request
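    The .crt-versus-.csr mix-up above, and the BEGIN/END rule from earlier in the thread, can be checked before anything is pasted into the router. This is an added example, not code from this thread, Tomato or OpenVPN; the GUI field names and the short PEM bodies in it are constructed for the example. It applies the same first test OpenSSL applies (is there a "-----BEGIN <type>-----" line of the type the field needs; failing that is the "no start line" error in the log above) and names the signing-request mistake explicitly.

```python
"""Checks for text pasted into the Tomato VPN GUI key fields.

Added example, not code from this thread, Tomato or OpenVPN.  OpenSSL's
"PEM_read_bio:no start line" error seen in the router log means it found
no "-----BEGIN <type>-----" line of the type it wanted; in the thread the
cause was pasting server.csr (a signing request) instead of server.crt.
"""
import base64
import binascii
import re

# One regex for any PEM block; text before BEGIN (the readable dump that
# "cat client.crt" printed in the thread) is simply skipped, as OpenSSL does.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Assumed GUI field names -> PEM labels that belong in them.  Keys may be
# PKCS#1 ("RSA PRIVATE KEY") or PKCS#8 ("PRIVATE KEY").
EXPECTED = {
    "Certificate Authority": {"CERTIFICATE"},
    "Server Certificate": {"CERTIFICATE"},
    "Server Key": {"RSA PRIVATE KEY", "PRIVATE KEY"},
    "Diffie Hellman parameters": {"DH PARAMETERS"},
}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text.
    der_bytes is b"" when the base64 body does not decode."""
    found = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            der = b""
        found.append((label, der))
    return found


def check_field(field, text):
    """Return "ok" or a one-line explanation of what is wrong with the
    text pasted into one GUI field."""
    text = text.strip()
    if not text:
        return "empty: every field on the key page needs a BEGIN and an END line"
    blocks = pem_blocks(text)
    if not blocks:
        # This is the state that makes OpenSSL report "no start line".
        if "-----BEGIN" in text:
            return "BEGIN line present but no matching END line"
        return "no '-----BEGIN ...-----' line found (this is not PEM text)"
    label, der = blocks[0]
    if "CERTIFICATE REQUEST" in label and "CERTIFICATE" in EXPECTED[field]:
        return "this is a signing request (.csr); paste the signed .crt file"
    if label not in EXPECTED[field]:
        return f"wrong block type '{label}' for field '{field}'"
    # Every DER object here (certificate, key, DH params) starts with SEQUENCE.
    if not der or der[0] != 0x30:
        return "base64 body is corrupt (does not decode to a DER SEQUENCE)"
    return "ok"


def check_fields(values):
    """Check a dict of {field: pasted text}; returns {field: verdict}."""
    return {field: check_field(field, text) for field, text in values.items()}


# Constructed samples: the base64 is a 5-byte DER SEQUENCE, not a real
# certificate, which is enough to exercise the structural checks.
CRT_SAMPLE = ("-----BEGIN CERTIFICATE-----\nMAMCAQE=\n"
              "-----END CERTIFICATE-----\n")
CSR_SAMPLE = ("-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQE=\n"
              "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for field, verdict in check_fields({
        "Certificate Authority": CRT_SAMPLE,
        "Server Certificate": CSR_SAMPLE,   # the mistake made in the thread
        "Server Key": "",
    }).items():
        print(f"{field}: {verdict}")
```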
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That error isn't what is keeping your config from working. However, a Google search turned up that setting the RANDFILE environment variable to a file you have write access to will make the error go away.
     
  79. dorkiedoode

    dorkiedoode Addicted to LI Member

    It works!! I made the mistake with the Certificate Authority as well. Yes!! Thank you! I never knew we could open certificates with Notepad. First time, first time.

    Edited: got the client to connect, but they can't surf the internet.
     
  80. scooter32

    scooter32 Addicted to LI Member

    Speed drops after upgrade

    Not sure if this is the right place to post, so please let me know if it should go elsewhere.

    One of the reasons I moved away from ddwrt is that I had these strange problems. I'm a little old school, and still use usenet for my downloads (through giganews). The problem I had with ddwrt was after some amount of time or some amount of data, the connection to giganews would start to slow down, trickle then stop all together. The only way to fix it was to stop the application and restart. I tried all the usual things, changing ports, authentication, other routers (standard firmware and open), downloading from work.

    I upgraded to tomato and it fixed the problem. Last night I upgraded from 1.23vpn2.0006 to 1.25.vpn3.3. The problem has now returned.

    Any ideas where to start troubleshooting?

    This is with a WRT54G V1. I've also had the same issue with a V4 router. Right now I've reverted back to 1.23 and all is fine.

    Thanks,

    Scott
     
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    A few thoughts:
    • The first thing I would try is Tomato (non-VPN) 1.25. There have been people reporting problems with that version in general, and if the problem goes away/persists it would imply it isn't/is the VPN changes that are causing your problem.
    • Next, I have to check if you did a thorough NVRAM erase after the upgrade. All sorts of bizarre, often subtle problems seem to pop up with Tomato upgrades if NVRAM isn't wiped afterwards. I suspect there is something not-quite-right in the nvram mechanism used in Tomato, but I've never dug into it.
    • You could try lowering the maximum number of connections (Advanced->Conntrack / Netfilter).
    • When you're having the problem log in to the Tomato GUI (can you?) and check the router CPU load, free memory, and current number of connections.

    Other than that, I'm not sure what to have you check.
     
  82. scooter32

    scooter32 Addicted to LI Member

    Excellent, thanks for the reply. I'll start the tests and post the results.
    I didn't do a complete NVRAM erase after the upgrade, so that could also be affecting things. I'll also try the other suggestions.

    I have complete GUI or CLI access, so I can easily check memory and load when this happens.

    Thanks again for the reply, I've got some work to do ;)

    Scott
     
  83. anik

    anik Addicted to LI Member

    Questions from Tomato newbie

    I have some questions regarding your build of Tomato and VPN in general. Even if you can't answer all of these, an answer to any one would be helpful. Please keep in mind that it's taken me close to a MONTH to get VPN tunneling to even work, so I'm not by any means an expert at this stuff.

    We are using an Asus WL-520gu as an OpenVPN CLIENT. We want anything plugged into the router to be tunneled through the VPN server.

    Questions are in order of importance - #1 is the most important:

    Question #1: When the tunnel is running and I go to Advanced | Routing, the last three entries in the routing table are this:

    Code:
    default     10.8.0.9     128.0.0.0  0  tun11
    128.0.0.0   10.8.0.9     128.0.0.0  0  tun11
    default     192.168.1.1  0.0.0.0    0  vlan1 (WAN)


    Why are there TWO default routes and more to the point, why is the netmask on the first tunnel 128.0.0.0? Shouldn't it be 0.0.0.0? I can't see anything in my configuration that would cause that!

    Question #2: We want a device plugged into the router to use the VPN tunnel only. If the server is unavailable we absolutely do NOT want the traffic to go through the local Internet connection. The problem that occurs is that if the server is unreachable for any reason and the router loses power momentarily and then reboots, it attempts to connect to the VPN server but if it cannot, it simply allows traffic to flow out the normal Internet connection. This is absolutely unacceptable - if a device is plugged into a port on the router and a tunnel cannot be established then the ONLY thing we want it to be able to reach is other devices on the local network (including the router configuration pages), but not ANYTHING on the Internet. I understand that the router itself has to be able to connect to the Internet to establish the tunnel in the first place, but how can we keep devices that are plugged into the router from accessing the Internet if the tunnel isn't up?

    Question 2a: Would you consider adding a checkbox in your next firmware release that would make it easy to establish that mode of operation?

    Question 3: While I can live without this, it would be nice to be able to "split" router ports - that is to say, force anything plugged into ports 1 or 2 to use the tunnel, or anything plugged into ports 3 or 4 to use the local connection. Ideally I wish there were a GUI page in the VPN Client configuration that would have priority dropdowns. Say (just for example):

    Port 1 priority: 1st 2nd 3rd (these are dropdowns)
    (Repeat for each available router port)

    Where the choices under each dropdown would be as follows:

    VPN Client 1
    VPN Client 2
    Local Internet Connection
    No Route


    So for each port you could specify which VPN client you want to use first, and which as backups, but if you don't want backups you could restrict it to one route only. So for example:

    VPN Client 1 | Local Internet Connection | No Route

    Would behave as it seems to be doing now (when only one client is enabled)

    VPN Client 2 | No Route | No Route

    Would force that port to use VPN Client 2 only - if that tunnel is not available that port would only permit local net connections

    Local Internet Connection | No Route | No Route

    Would force that port to use the local connection, even if a VPN tunnel were available

    No Route | No Route | No Route

    Would mean anything plugged into that port could ONLY access other devices on the LAN, but could not under any circumstances get to the Internet.

    So the question is - can you tell me how I can emulate that functionality with the existing firmware, in particular specifying that a particular router port can ONLY use a particular VPN tunnel, or can ONLY use the local Internet connection regardless of whether a VPN tunnel is available? (Of course if a new version was available that actually had that settings page I'd download it in a heartbeat!)

    Thanks for any answers you can provide, they will be much appreciated.
     
  84. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Each of the tun11 routes cause one half of the 0.0.0.0 subnet to go over the tunnel, so together they are the same thing as:
    default 10.8.0.9 0.0.0.0 0 tun11
    The reason is so that the existing route can be left there (but be overridden) while the tunnel is running.
    Try adding the following to your WAN up script:
    Code:
    route del -net 0.0.0.0
    route add -host `nvram get vpn_client1_addr` gw `nvram get wan_gateway`
    That should make it so the only address that can be accessed over the internet is the vpn server.

    If you really need it to be per port or per IP, there may be a way, but it would be more complicated...
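    As an added example, not code from the thread or from the Tomato firmware, a small Python model of longest-prefix-match route selection over the entries anik posted: it shows why the two tun11 half-routes win over the WAN default that is left in place, and what the WAN-up script above leaves reachable with the tunnel up and with it down. The VPN server address 203.0.113.5 is a constructed placeholder.

```python
"""Longest-prefix-match model of the routing table quoted in the thread.
Added example, not from the thread or the firmware.  The VPN server
address 203.0.113.5 is a constructed placeholder; connected LAN routes
are omitted because the post did not list them."""
from ipaddress import ip_address, ip_network


def lookup(table, dst):
    """Return (gateway, iface) of the most specific route for dst, or None."""
    dst = ip_address(dst)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else best[1:]


def tunnel_up_table():
    # Advanced | Routing as posted: WAN default plus the two tun11 halves.
    return [
        (ip_network("0.0.0.0/0"),   "192.168.1.1", "vlan1"),  # WAN default
        (ip_network("0.0.0.0/1"),   "10.8.0.9",    "tun11"),  # lower half
        (ip_network("128.0.0.0/1"), "10.8.0.9",    "tun11"),  # upper half
    ]


def apply_kill_switch(table, vpn_server, wan_gateway):
    """Model of the WAN-up script: 'route del -net 0.0.0.0' followed by
    'route add -host <vpn server> gw <wan gateway>' on the WAN interface."""
    table = [r for r in table if r[0].prefixlen != 0]
    table.append((ip_network(vpn_server + "/32"), wan_gateway, "vlan1"))
    return table


def tunnel_down(table):
    """OpenVPN withdraws its two half-routes when the tunnel drops."""
    return [r for r in table if r[2] != "tun11"]


if __name__ == "__main__":
    # Without the kill switch, a dropped tunnel leaks traffic to the WAN.
    print(lookup(tunnel_down(tunnel_up_table()), "8.8.8.8"))  # vlan1
    up = apply_kill_switch(tunnel_up_table(), "203.0.113.5", "192.168.1.1")
    print(lookup(up, "8.8.8.8"))        # tun11: still tunneled
    print(lookup(up, "203.0.113.5"))    # vlan1: VPN server reached directly
    down = tunnel_down(up)
    print(lookup(down, "8.8.8.8"))      # None: no route, LAN-only
    print(lookup(down, "203.0.113.5"))  # vlan1: router can still reconnect
```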
     
  85. anik

    anik Addicted to LI Member

    Thanks VERY much, that was the ticket! But I still have questions... :)

    Thanks, I'm not familiar enough with networking to have realized what you were doing there. Now it makes perfect sense!

    That's fantastic… that does EXACTLY what we need. Thank you VERY much!

    The only reason I brought it up was because it would save us from having to use two routers back-to-back, one for the unrestricted access needed by one PC and one other device, and the other (the one running your firmware) for the devices that need to use the tunnel. Running two routers isn't that big a deal, it just falls into the category of "it would be nice if you didn't have to." Plus, when we were trying to get this to work using DD-WRT (unsuccessfully, which is why we wound up trying Tomato, which is a joy to use by comparison), it did appear as though had we got this working, there is a way to assign individual ports on the router - since we never got that far I can't really give you specifics, I just recall that there was a page that looked like it might be useful for the purpose. If it didn't work any better than their OpenVPN client, we'd probably never have gotten that to work either.

    I do have one more question related to VPN usage, and two somewhat less related questions, if you or anyone might know the answer offhand:

    First, other than the settings in the VPN client itself, are there any other settings in the Tomato configuration pages that you'd advise changing from the defaults for best possible operation?

    Second is there a really good page anywhere that explains (in terms a newbie can understand) how to set up Tomato's QoS? For example, if we were to plug a hardware VoIP adapter into one of the ports, how could we make sure its packets get priority going through the tunnel? I did find the page at http://www.linksysinfo.org/forums/showthread.php?t=55874 which seems like a good start, but I was just wondering if there's a better page that actually explains how to set up QoS, particularly with regard to traffic going through a VPN.

    And for a completely unrelated question - is it possible to install Midnight Commander under your firmware on an Asus WL-520GU that does NOT have any extra memory added? I found that the ipkg command seems to work but if you try to actually do anything with it, you get the error /usr/sbin/ipkg: line 1160: can't open /etc/ipkg.conf: no such file. And also I'm not sure if there's enough free memory to do an install… typing df show that /dev/root has 2496 blocks used out of 2496 (100% use), which can't be right, can it? And it doesn't show any other memory, which seems a bit odd. I'm a bit confused by this. We had originally tried teddy bear's firmware but I was told yours has better OpenVPN support so we switched, but for some reason I'm thinking when we were running his, it showed a lot more free memory on the Asus, so I'm not really understanding what's happening there (did I mention I'm NOT a Linux expert?).

    Anyway, thanks much for your assistance, it is very much appreciated!
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The settings in DD-WRT are probably related to VLANs, of which there is no GUI configuration in Tomato. Several people have come up with use-cases where they need or want VLANs. It would be nice if it were added to Tomato, but I have no experience with VLANs, so I haven't taken it on myself. That said, it is still possible in Tomato as is, but not through the Web GUI. Try searching this forum for VLAN to see if you find anything useful if you want to go down that road.
    Nothing comes to mind.
    This thread by Toastman seems to summarize QoS pretty well. I have to admit that I've never actually set up QoS in Tomato, so I probably won't be of much help.
    Actually, the VPN support in teddy_bear's USB+VPN builds is the stuff in my builds added into his, so the VPN support should be just as good there. There isn't much room to install stuff on the fly without having a USB drive attached to install it to, but, again, I don't have any experience with that and can't really help.
     
  87. anik

    anik Addicted to LI Member

    That's okay, I appreciate the help so far. I went back to teddy_bear's simply because his build does include the USB support, now that I realize that his build includes your mods. When I re-flashed it appears that everything just worked, even though I did not do an NVRAM erase - hope I'm not living on the edge by not doing that. Strangely, in his it appears that extra memory is enabled by default - df shows this:

    Code:
    Filesystem  1K-blocks  Used  Available  Use%  Mounted on
    /dev/root        3200  3200          0  100%  /
    tmpfs            7216   196       7020    3%  /tmp

    … but the ipkg command doesn't appear to be enabled at all. Strange.

    Anyway, thanks again!
     
  88. kameleon

    kameleon LI Guru Member

    SgtPepperKSU: quick question (I hope)...

    I am running your mod on a WRT54G-TM and have the VPN setup and working. BUT... I don't want ALL traffic to route through the VPN. Only stuff that is on a few /19's we have here at work. Here is my server config from the router

    Code:
    # Automatically generated configuration
    daemon
    server-bridge
    proto udp
    port 1194
    dev tap21
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "dhcp-option DOMAIN XXXXXXX.com"
    push "dhcp-option DNS xxx.xxx.xxx.101"
    push "route-gateway xxx.xxx.xxx.101"
    push "redirect-gateway def1"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    # Custom Configuration The 2 /19's I need to be accessible (they are public IP's... I just replaced them with these addresses.)
    push "route 192.137.0.0 255.255.0.0"
    push "route 192.148.0.0 255.255.0.0"
    
    I am figuring I need to remove the 'push "redirect-gateway def1"' line and replace it with something else but currently it works mostly like this. If I need to explain more please let me know. Thanks in advance!
     
  89. kameleon

    kameleon LI Guru Member

    Anyone have an idea?
     
  90. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, I didn't see your previous message.

    If you don't want all internet traffic to go over the tunnel, you need to not choose the "Direct clients to redirect Internet traffic" option :wink:. Instead just add (uncensored, of course):
    Code:
    push "route-gateway xxx.xxx.xxx.101"
    to your custom config (before your other routes).
     
  91. kameleon

    kameleon LI Guru Member

    It can't be that easy!!! LOL

    I am trying that now. ;)
     
  92. Troy

    Troy Addicted to LI Member

    Is there a way to specify the client's crt on the server side?

    I.e. in the way most openvpn tutorials are done.

    Or otherwise, is there any tutorial to set up a TLS auth system?
     
  93. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't understand what you're asking. Based on your second question, I assume you're talking about Static Key authentication. In that case, the certificates used are the same on the server and client.
    http://openvpn.net/index.php/open-source/documentation/howto.html#pki
     
  94. kameleon

    kameleon LI Guru Member

    Well.... it wasn't that easy. I added that (push "route-gateway xxx.xxx.xxx.101") you mentioned but now x-lite is acting weird... one way audio like it was on the TUN connection. I got it working fine on the TAP with a static public IP being assigned but now the boss wants more... not all the traffic going through the VPN. The main thing I need is for anything on the "192.148.0.0" and "192.137.0.0" networks to go across the vpn but nothing else. How should that be accomplished? I know I am missing something easy. I have pored over the openvpn documentation for 2 days now and must be missing it.
     
  95. Troy

    Troy Addicted to LI Member

    SgtPepperKSU thanks for your response,

    Atm, a so-called pre-shared VPN is to generate RSA private/public pairs for server and clients on the server, and then, while already having the keys on the server, give the client pairs and ca.crt to the clients. That way the server already has the client public certificate.

    I will read through the link, thank you.


    Edit :

    reading the link you posted, the server is TomatoVPN, and I cannot generate keys there, only input the CA.crt and the server key pair + dh.
    They do say about possibility to avoid that by a signing authority, but I would rather prefer the paranoid method of generating on one side and then giving them away on the usb stick.

    If it is not possible to achieve through GUI, how would I go about doing that through console?
     
  96. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm not sure what you mean by "x-lite is acting weird... one way audio like it was on the TUN connection".

    Let me try and lay out what you want. Just correct me if I'm wrong:
    Code:
           Site A   <-----VPN----->  Site B
          Subnet X                  Subnet X
              ^
              | Locally routed
              |-------------
              |            |
              v            v
          Subnet Y      Subnet Z
    
    You want Site B to send traffic over the VPN to X, Y, and Z at Site A.

    Access to subnet X should occur automatically with TAP, and the two routes you added should tell it to route Y and Z over the tunnel as well. Since it doesn't work, I assume this isn't your configuration... What do I have wrong?

    EDIT: No matter what your answer is, I'll probably need the routing table from each VPN router when they're connected (Advanced->Routing), so you may as well grab that for your reply.
     
  97. kameleon

    kameleon LI Guru Member

    Well... let's see if I can get this right... lol

    Before I go too in-depth would it be easier if I pm/email you or wanna carry it out on the board?
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    On the board would be fine, but you might want to start a new thread.
     
  99. kameleon

    kameleon LI Guru Member

    Composing new thread now. Thanks!
     
  100. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The two choices with OpenVPN are:
    • Static Key: the same certificates/keys are used on both endpoints
    • TLS: All of the certificates/keys are generated in one place (preferably not on any endpoint) and distributed to the server and clients. The server does not need a copy of the client certificates.
    You can't generate the keys/certs on the router at all (at least not easily, the needed scripts aren't included in the firmware). You need to install OpenVPN on a stand-alone computer and generate the certificates there following the howto I provided. Then, you can distribute the certificates however you'd like.
     