VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. kameleon

    kameleon LI Guru Member

  2. Troy

    Troy Addicted to LI Member

    Thanks! I got it working, partially, at least it connects, but I am getting

    write to TUN/TAP : Invalid argument (code=22)

    constantly.
    tomatovpn is rc16, client vpn is rc18.
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm not sure what'd cause that. Are you seeing it on the client or server? Is everything working okay otherwise? Perhaps try installing rc16 on client?
     
  4. Troy

    Troy Addicted to LI Member

    I can't seem to find rc16 anywhere, the spam is on the client, but I do not have any way to test it yet, since the client is a laptop with ethernet + wifi, and openvpn adds the interrupt only to ethernet for some reason...
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can get rc16 by just changing the 8 to a 6 in the download link :smile:

    http://openvpn.net/release/openvpn-2.1_rc16-install.exe
     
  6. Troy

    Troy Addicted to LI Member

    Got the error fixed, make sure that both client and server have the tap-tap or tun-tun, but not tap-tun.

    Still trying to get it working, I can connect, but it disconnects in a matter of seconds:

    TomatoVPN config :
    TAP
    TCP
    1194
    Automatic
    TLS
    Incoming(0)
    DHCP

    Advanced :
    Direct clients to route the traffic
    DNS
    Advertise DNS
    AES-256-CBC
    Disabled compression
    Manage client specific
    Allow clients to see each other
    keepalive 10 120
    all 5 key fields filled in.


    Client :
    client
    dev tap
    proto tcp
    tls-auth ta.key 1
    remote EXTERNAL IP 1194
    float
    resolv-retry infinite
    nobind
    cipher AES-256-CBC
    persist-key
    persist-tun
    keepalive 5 120
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    verb 3


    Server log says: Connection reset, restarting [0]
    Client says the same thing, but without any obvious errors.

    Before it was also giving me the SIGUSR1[soft,tls-error] received, client-instance restarting in server log.

    Thanks for the help!
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sounds like you likely have a problem with your certificates.

    What are the 5 lines before that message (even if they don't seem relevant)?
     
  8. Troy

    Troy Addicted to LI Member

    The problem is, internally, from the local network, I can connect with exactly the same parameters (and certificates), without any errors. I am trying to set up a VPN for one of my friends, so that he can access the internet through my IP.

    i.e. Client > internet > router > internet. Does not work
    but Client > LAN > router > internet does work.

    There are no network conflicts as far as I understand; it's a bit of a trouble asking for the log, since he is new with MAC and does not even know how to take a screenshot.

    If this doesn't help, I will try to get more info tomorrow.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try changing from TCP to UDP or changing the port. One of your ISPs could be blocking things.
     
  10. remarks

    remarks LI Guru Member

    I have a quick question:

    I am using this VPN build with the "VPN Client" connecting to a paid OpenVPN server (In China = enforced censorship).

    How do I allow one device (VOIP Device) on my network to connect to the internet without going through the VPN gateway?

    I am connecting to my ISP using PPPoE with a dynamic IP address and my LAN device has a private static IP.

    Code:
     
    daemon
    client
    dev tun11
    proto udp
    remote vpnserver 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    comp-lzo adaptive
    cipher BF-CBC
    verb 3
    script-security 2
    up updown.sh
    down updown.sh
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status
    
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Generally speaking, I think having one device routed differently than others would require VLAN configuration, of which I have no knowledge.

    HOWEVER, since it is just a VOIP appliance, and it probably only contacts one IP (or a set of IPs), it should be pretty easy.

    First, you'll need to determine what the addresses are for your VOIP servers, then add
    Code:
    route add -host <IP Address> gw `nvram get wan_gateway` dev `nvram get wan_ifname`
    to your WAN Up script. This will add an explicit route to use the WAN for your VOIP.
     
  12. Bukkit

    Bukkit Addicted to LI Member

    First, thanks for your great Tomato mod.

    I successfully configured an ovpn client connection on my tomato that connects to my ovpn-server (with certificates).

    Also I tried to set up a server on my tomato so that I could connect from the internet into my home network (roadwarrior setup with PSK), but that failed. Don't know why, the client just can't connect (no useful log on server and client).
    I gave it up and want to try it another time. But I really can't delete/clear my server-config in Tomato. Could you add an option like that?

    I also want to suggest an option to import ovpn settings from a config file.
    Maybe through uploading of that config-file or copy+paste into a textbox.
    Would be a nice feature, wouldn't it?

    The next point I want to suggest is to make the read/write/compressed bytes in the Status page human readable (convert to kByte/mByte/gByte).

    A nice documentation of the TomatoVPN specific options would be nice and helpful, wouldn't it? (Something like http://de.wikibooks.org/wiki/Tomato_(Firmware))


    I think huge threads like this are really bad for searching for specific problems (or other information).
    Could you post important stuff that would be of interest to a wide range of users of your VPN mod on your blog website (http://tomatovpn.keithmoyer.com/)?
    Like basic and working vpn-configs, hints and stuff.
    Would be very kind.

    -----------------------------
    Edit:

    Exporting of the vpn-settings into ovpn-config file format would also be awesome. :)
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Can't you just change the settings to how you want them and put your new certificates in? Having the GUI have a concept of resetting or default values would be a major change with very little benefit.
    Generating the settings from a config file would be very complicated and very error-prone. There are lots of settings possible with OpenVPN and I'd have to somehow keep track of conflicts and compatibility. Besides, if you already have a config file, you're free to not use the GUI and use the openvpn binary compiled into the firmware.
    I don't generate these statistics. The OpenVPN program generates them and I just parse the file and place them in a table.
    Yes, I plan to put something on the blog. In the meantime, see the one I already wrote up in this forum (link in first post).
    That's the whole idea behind the blog. There will eventually be a couple of howtos and a feature guide. If things pop up here that I think would be beneficial there, I'll make a post.
    That is more possible than importing, but still would require a redesign. Again, I don't think this would be very useful and can already be grabbed via telnet/ssh while the tunnel is running.
     
  14. anik

    anik Addicted to LI Member

    VPN tunnel operation question

    I was asked this question today and don't know the answer, so thought I'd ask here. Let's say you have a tunnel set up this way:

    (Client side) Devices to be tunneled <--> Tomato router (OpenVPN client) <--> primary router (Tomato router in DMZ on this router) <--> Cable modem <--> Internet <--> Cable Modem <--> Router <--> OpenVPN Server (Server side)

    We have it set up so that anything connected to the Tomato router on the client side can access anything on the LAN on the server side. Also, anything on the LAN on the server side can connect to anything that is plugged into the Tomato router, or to the Tomato router itself, by going to the direct IP address that the Tomato router hands out (or, in the case of the Tomato router, the router's on-net address - that is, if the router is handing out addresses in the 192.168.2.x range, we can get to the Tomato router's web interface from the server side of the tunnel by going to 192.168.2.1).

    So far, so good. But then the question came up, is there any way from the server side to get to the web interface of the OTHER router (the primary router that sits between the Tomato router and the cable modem on the client side). Bear in mind that the only connection to THAT router is via the Tomato router's WAN port, and it's my belief that only the LAN ports are tunneled and therefore anything behind the WAN port (on the primary router's LAN, including that router itself) would be inaccessible from the tunnel.

    Let's say for the sake of argument that the LAN on the server side has addresses in the 192.168.0.x range, that the LAN on the client side that is managed by the primary router has addresses in the 192.168.1.x range, and that the Tomato router is handing out addresses in the 192.168.2.x range. My guess is that when the tunnel is operational, a computer at 192.168.0.2 can connect to the Tomato router at 192.168.2.1, but cannot connect to the primary client-side router at 192.168.1.1, correct? What would happen if, for example, a ping packet came through the tunnel addressed to 192.168.1.1? Would the tomato router just drop it on the floor, or would it send it back out the WAN port to the primary router?

    If my assumption (that it would drop the packets on the floor) are correct, my question then becomes, is there any way from within the Tomato router's interface to overcome that limitation?

    I'm sorry if this is simple networking stuff but I'm not that good at this sort of thing, and my mind just isn't able to fathom how a CLIENT might reroute packets at its end (if that is indeed what needs to happen). I get that the server can do it; that's part of it's job (I'd guess), but can it also happen at the client end?
     
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You should be able to connect to that router just fine (if you push a route to the client with the primary router's LAN subnet so that it knows to try to send the packets over the tunnel - that or use redirect-gateway). The packets will come in on the tomato LAN and get NATed to the other LAN. The router you're trying to get to will see it just as if the Tomato router itself is accessing it.
     
  16. anik

    anik Addicted to LI Member

    Thanks, but apparently something isn't working right. At the server side we are using push redirect-gateway and also an "up" script that includes route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.2 tun0, and if I type "route" at the server it shows

    192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0

    So it is supposedly pushing the packets through the tunnel. At the client end, it shows this in the routing table:

    192.168.1.0 * 255.255.255.0 0 vlan1 (WAN)

    But if I ping 192.168.1.1 from the server (or try to browse to it) I get no response. No idea why, though.

    Also, if I SSH into the router, from there I can ping any of the addresses on any of the subnets (including 192.168.0.1 and 192.168.1.1), so the problem isn't that the client router running Tomato can't "see" both of the other routers. I'm wondering now if the problem is that the router at 192.168.1.1 doesn't know that it's supposed to send packets destined for the 192.168.0.x subnet to the Tomato router at 192.168.2.1, and that's why pings aren't working???

    EDIT: Could it be an iptables issue? On the Tomato router it shows this:

    Code:
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere
    DROP       0    --  anywhere             192.168.1.100
    DROP       0    --  anywhere             anywhere            state INVALID
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
    shlimit    tcp  --  anywhere             anywhere            tcp dpt:telnet state NEW
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             Tomato              tcp dpt:https
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere            state INVALID
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    wanin      0    --  anywhere             anywhere
    wanout     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain shlimit (2 references)
    target     prot opt source               destination
               0    --  anywhere             anywhere            recent: SET name: shlimit side: source
    DROP       0    --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source
    
    Chain wanin (1 references)
    target     prot opt source               destination
    
    Chain wanout (1 references)
    target     prot opt source               destination

    (192.168.1.100 is the address of the Tomato router on the local subnet at the client end)

    I'm just wondering if some rules would need to be added to allow traffic to pass from the local subnet at the client end back to the local subnet at the server end).
     
  17. Bukkit

    Bukkit Addicted to LI Member

    I have my roadwarrior2net-tunnel working now.

    But when I'm not connected it regularly restarts because of Inactivity timeout.
    Code:
    Jul  3 12:19:58 Tomate daemon.warn openvpn[13191]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: LZO compression initialized
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: TUN/TAP device tun21 opened
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: TUN/TAP TX queue length set to 100
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: /sbin/ifconfig tun21 10.2.0.1 pointopoint 10.2.0.2 mtu 1500
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: UDPv4 link local (bound): [undef]:1194
    Jul  3 12:19:58 Tomate daemon.notice openvpn[13191]: UDPv4 link remote: [undef]
    Jul  3 12:20:58 Tomate daemon.notice openvpn[13191]: Inactivity timeout (--ping-restart), restarting
    Jul  3 12:20:58 Tomate daemon.notice openvpn[13191]: TCP/UDP: Closing socket
    Jul  3 12:20:58 Tomate daemon.notice openvpn[13191]: Closing TUN/TAP interface
    Jul  3 12:20:58 Tomate daemon.notice openvpn[13191]: /sbin/ifconfig tun21 0.0.0.0
    Jul  3 12:20:58 Tomate daemon.notice openvpn[13191]: SIGUSR1[soft,ping-restart] received, process restarting
    Jul  3 12:20:58 Tomate daemon.notice openvpn[13191]: Restart pause, 2 second(s)
    TomatoVPN config:
    Code:
    # Automatically generated configuration
    daemon
    ifconfig 10.2.0.1 10.2.0.2
    proto udp
    port 1194
    dev tun21
    comp-lzo yes
    keepalive 15 60
    verb 3
    secret static.key
    status-version 2
    status status
    
    # Custom Configuration
    mode p2p
    client-config (openvpn portable 2.1_rc7)
    Code:
    mode p2p
    proto udp
    dev tun
    remote <my-home-dyndns> 1194
    resolv-retry infinite
    
    ifconfig 10.2.0.2 10.2.0.1         # Local IP <-> Remote IP
    route 192.168.0.0 255.255.255.0 10.2.0.1
    secret static.key
    
    ping 10
    ping-restart 60
    ping-timer-rem
    
    comp-lzo yes
    
    verb 2
    It doesn't hurt, but I think it's useless and a pure resource-waste/log-flooding.
    Is there a config-option to stop that?
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unfortunately, I haven't been able to determine what causes the timeouts or how to stop them. I can't reproduce it, and no one that has has been willing to try and get help from the OpenVPN folks at their IRC channel. Would you be willing to do this and post their determination?
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Rather than using an up script, you just push a route. If you run a traceroute from the client side to the desired subnet, what does it show?

    The other subnet shouldn't need to know about any of this as the connection gets NATed.
     
  20. anik

    anik Addicted to LI Member

    While you were posting this I was editing my previous post, so you may not have seen my comments about iptables. Anyway, I'm not sure what you mean by "push a route" and how that would differ from what we are doing now. On the server side we are doing this (note the server is NOT running on a Tomato router, but rather on a Linux box using Webmin and the OpenVPN + CA Webmin module - this is what's in the "Additional Configurations" section):

    push "route 192.168.0.0 255.255.255.0"
    push "route default 0.0.0.0"
    push redirect-gateway
    push "dhcp-option WINS 192.168.0.50"
    script-security 2 system

    Anyway, if I run a traceroute from the Tomato router to the router on the server side of the tunnel it works normally:

    # traceroute 192.168.0.1
    traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 38 byte packets
    1 10.8.0.1 (10.8.0.1) 75.106 ms 74.257 ms 71.293 ms
    2 192.168.0.1 (192.168.0.1) 73.836 ms 74.534 ms 75.605 ms

    One interesting thing I discovered is that I can ping the primary router (192.168.2.1) on the client side from Tomato, but a traceroute fails! I don't understand that, but then there's not much about this that I do understand.

    Oh, and if I try a tracert to 192.168.0.1 from a Windows box connected to the primary router at the client side it fails totally - nothing but asterisks.

    Sorry that I just don't "get" this stuff!
     
  21. Incidentflux

    Incidentflux Addicted to LI Member

    Will this mod work with commercial VPN providers like WiTopia (http://wiki.witopia.net)? I'm planning on connecting to WiTopia's personal VPN service (OpenVPN/SSL).

    So a SIP ATA (Analog telephony adapter) will work freely, since SIP is blocked in the UAE.

    Update:

    Successfully flashed my Buffalo WHR-HP-G54 (Buffalo WHR-HP-G54-5-EU) from the standard 1.19 version, using the 'Upgrade' option from the web interface.

    Noticed the Total / Free Memory drops from 14.19 MB / 2,980.00 KB (20.51%) to 14.19 MB / 396.00 KB (2.73%) after starting the VPN client config from the web interface. Is it supposed to get so low?


    ##############################################
    # Configuration file for use with #
    # WiTopia.Net's personalVPN service #
    # #
    # Please do not modify this file unless #
    # instructed to by WiTopia.Net support staff #
    ##############################################

    client
    dev tun <--- Interface Type
    proto udp
    remote zzz.zzz.zzz 1194
    resolv-retry infinite
    nobind
    mssfix 1400
    persist-key
    persist-tun
    mute-replay-warnings
    ns-cert-type server
    cipher BF-CBC
    comp-lzo <--- Compression 'Adaptive'?
    verb 3
    mute 20
    ca "C:\\Program Files\\OpenVPN\\config\\ca.crt" <--- Certificate Authority

    ### The following lines were added by the My Certificate Wizard.
    key "C:\\Program Files\\OpenVPN\\config\\zzz.key" <--- Client Key
    cert "C:\\Program Files\\OpenVPN\\config\\zzz.crt" <--- Client Certificate
    ### ---


    Think I'm missing something, "Client is not running or status could not be read". I think I need to enable some more options like 'nsCert' or whichever corresponding missing options from the config file.

    They're running DD-WRT...

    Cloakbox Changing Gateways
    http://wiki.witopia.net/wiki/Cloakbox_Changing_Gateways

    Renewing Cloakbox
    http://wiki.witopia.net/wiki/Renewing_Cloakbox
     
  22. ng12345

    ng12345 LI Guru Member

    Hey SgtPepperKSU,

    I just wanted to say thanks for creating a great mod to Tomato. Your OpenVPN mod has definitely come a long way since you began, and it is a great out of the box solution.

    When I first started with OpenVPN on a WRT54G (more than a year ago), I was on this forum a lot trying to learn the ins and outs of iptables, subnets, linux bash to try and get my 3 sites connected seamlessly. I probably put in a good 40 to 50 hours over a few weeks trying out different versions, poring over configuration files, and testing and retesting to get a working solution. I remember spending endless hours trying to get client configs to work, only to determine in the end that my compiled version did not support it.

    I just upgraded all of my routers to your latest firmware, and I can't believe how easy it was to set up the VPN. It probably took me a total of 10 minutes to create an almost zero config setup. I got rid of my old firewall scripts, most of my custom config, my jffs containing client config files, and everything worked! To my surprise, it actually worked better than my previous config did! I can now access the tomato web settings across subnets (something that wasn't working before).

    This solution is not only, in my opinion, as secure as commercial versions, but also is saving my company quite a bundle in IT administration and proprietary licensing for me to accomplish the same task. I now have 5 sites interconnected and multiple remote clients -- all with no issues.

    So, thank you!
     
  23. ng12345

    ng12345 LI Guru Member

    I am pretty sure you are not supposed to have "push route default 0.0.0.0"

    If you want the client to see the server you push the server's subnet to the client
    If you want the server to see the client you route the client's subnet on the server

    Also you need a client configuration file that lets the server know the internal subnet of the client, using the iroute command
    http://openvpn.net/index.php/open-source/documentation/howto.html#scope

    That describes the config file and parameters.

    Lastly, I think you will need to have the correct forwarding of packets for different subnets in your firewall script. As my previous post indicates, I was able to successfully ping and share files across the vpn using my script, but could not open the tomato web gui through it. SgtPepperKSU's automatic script did the trick for me. So I don't know the correct config there.
     
  24. Vezado

    Vezado Addicted to LI Member

    Agreed completely! SgtPepperKSU, your support for members in this forum and your contributions to the Tomato firmware have been outstanding. You are a shining example of what open source can be and I'm extremely appreciative of your efforts and work with this community. Thank you so much.
     
  25. anik

    anik Addicted to LI Member

    Correct - that was causing issues I wasn't even aware of until today. Don't know where I got that but it's gone now - good catch!

    THAT'S the thing I forgot (not the file itself, but to add another line to it). I had one of those for the subnet of the Tomato router, but not for the subnet behind the router that I was trying to reach. Dang, you're good! :thumbup:

    Actually I discovered that the one other thing I had to do was expand the scope of a netmask in my etc/hosts.allow file (from 255.255.255.0 to 255.255.0.0) - apparently until I did that, the server machine wouldn't pass on (some) packets from the distant end.

    Anyway, it's working now and I'm not even going to breathe on it! :biggrin:

    But one thing I have noticed: If the SERVER goes down and then comes back up, the Tomato router will not reconnect until someone reboots it. I wish there were some way to ping the server (via the tunnel) every 5 minutes or so, and if it can't connect, try restarting the VPN client, until it is able to reconnect.
     
  26. ng12345

    ng12345 LI Guru Member

    Actually there is; it is on your client configuration side
    you put in the following two commands:

    Code:
    keepalive 10 120
    resolv-retry infinite
    
    The first command tells the client to check if the connection is alive every 10 seconds, and assume it is not if there is no reply for 120 seconds. It then attempts a reconnect.

    The second command tells the client to attempt an infinite number of reconnects until it connects to the server (good if you expect extended downtime).

    I have updated firmware, edited configs, and rebooted the server router, and my connections come back up automatically

    As an aside, I thought of a feature that could be beneficial:
    to have a way to download the OpenVPN config file from the gui -- this way we could transport/back it up if we need to. I know there would be some redundancy with the "backup tomato configuration" option under administration, but this would be good for strictly openvpn purposes (especially if we could download it in a .format usable with a stand alone/linux instance of OpenVPN).
     
  27. anik

    anik Addicted to LI Member

    Okay, I went to the Tomato VPN client configuration, Advanced tab, and pasted those two lines to the Custom Configuration field, and clicked Save. And, unfortunately, the client tried to restart then and there, causing total loss of connectivity, and of course there's no one there to reboot the thing.

    One suggestion I might have is to have a way that when you are making changes remotely, you can do it without restarting the server so you have a chance to look at the configuration file to see if things look as you think they should, before committing the changes (and then can do an actual reboot if you think that might be necessary)!

    (Alternate suggestion: A timed reboot page — think of the self-destruct in the Star Trek series — you enable it and in five minutes it will reboot the router unless you specifically go back and cancel it, giving you some safety if you think something you're about to do might just "hang" the router).

    Anyway, did I do it wrong, or is it just going to need one more manual reboot before it will work? EDIT: It did come back up after a reboot, at least. But when looking at the automatically generated part of the client1 config.ovpn file vs. the custom configuration, it seems there is a slight conflict:

    Code:
    # Automatically generated configuration
    daemon
    client
    dev tun11
    proto udp
    remote my.server.com 1194
    resolv-retry 30  <-- NOTE
    nobind
    persist-key
    persist-tun
    comp-lzo adaptive
    cipher DES-CBC
    redirect-gateway def1
    verb 3
    script-security 2
    up updown.sh
    down updown.sh
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status
    
    # Custom Configuration
    keepalive 10 120
    resolv-retry infinite <-- NOTE
    I wonder which one takes precedence? It appears that the first one is generated by the "Connection retry" field under the advanced settings - if I change that to -1 and then remove the resolv-retry from the custom configuration it comes out a bit saner:

    Code:
    # Automatically generated configuration
    daemon
    client
    dev tun11
    proto udp
    remote my.server.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    comp-lzo adaptive
    cipher DES-CBC
    redirect-gateway def1
    verb 3
    script-security 2
    up updown.sh
    down updown.sh
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status
    
    # Custom Configuration
    keepalive 10 120
    Anyway, thanks for the suggestion!
     
  28. ng12345

    ng12345 LI Guru Member

    My apologies; I forgot you were using this mod; I thought you said somewhere above you were using a different router without this firmware (and in looking back, it looks like that was a different person).

    If you are using this mod; the resolv-retry is the Connection retry field, as you figured out.

    After you made this change, did the reconnect work correctly? I actually do not have the keepalive command in my custom script and it still reconnects fine (I guess resolv-retry is the only thing you need). In my pre-Tomato OpenVPN gui days, I used both those commands to achieve the same result.

    My custom script is:
    Code:
    ns-cert-type server   ; extra security check
    nobind ;allows client to connect at a random port
    float ;allows client to change ip addresses during connection 
    ;(i.e. my sites have dynamic ips from the isp)
    


    BTW, how do you access the gui generated ovpn?

    Also to get around the remote user issue; I use logmein (similar to tightvnc) on a client computer behind the router. This way as long as the internet connection wasn't fooled around with, I always have backup access to my router (key when fiddling with VPN scripts remotely).
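The "which one takes precedence" question a few posts up (resolv-retry appearing in both the generated block and the custom block) can be checked mechanically rather than by eye. The Python below is an added example, not code from the thread or from TomatoVPN: it parses the post's config (embedded here as a constructed sample), lists directives that occur more than once with different arguments, and flags the DES-CBC and BF-CBC ciphers that appear in this thread as weak (56-bit key and 64-bit block respectively). That the last occurrence of a scalar option wins is an assumption about OpenVPN's parser made here, not something the thread confirms; the REPEATABLE set and the WEAK_CIPHERS list are likewise mine.

```python
# Added example: duplicate-directive check for an OpenVPN client config.
# Not TomatoVPN code; the sample below is constructed from the post above.

WEAK_CIPHERS = {"DES-CBC", "BF-CBC"}  # 56-bit key / 64-bit block ciphers

# Directives that may legitimately appear several times in one config.
REPEATABLE = {"push", "route", "remote", "dhcp-option", "iroute", "route-ipv6"}

SAMPLE_CONFIG = """\
# Automatically generated configuration
daemon
client
dev tun11
proto udp
remote my.server.com 1194
resolv-retry 30
nobind
persist-key
persist-tun
comp-lzo adaptive
cipher DES-CBC
redirect-gateway def1
verb 3
script-security 2
up updown.sh
down updown.sh

# Custom Configuration
keepalive 10 120
resolv-retry infinite
"""


def parse_directives(text):
    """Return [(lineno, directive, args), ...] for every non-comment line.

    OpenVPN starts a comment at any token beginning with '#' or ';', so a
    trailing comment such as 'nobind ;random port' is dropped as well.
    """
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            out.append((lineno, tokens[0], tuple(tokens[1:])))
    return out


def find_conflicts(text):
    """Map directive -> [(lineno, args), ...] for non-repeatable directives
    that occur more than once with differing arguments."""
    seen = {}
    for lineno, name, args in parse_directives(text):
        seen.setdefault(name, []).append((lineno, args))
    return {name: occ for name, occ in seen.items()
            if name not in REPEATABLE and len({a for _, a in occ}) > 1}


def effective_value(text, directive):
    """Assumption (not stated in the thread): OpenVPN overwrites a scalar
    option each time it parses it, so the last occurrence in file order wins."""
    value = None
    for _, name, args in parse_directives(text):
        if name == directive:
            value = args
    return value


def weak_cipher(text):
    """Return the configured cipher name if it is on the weak list, else None."""
    cipher = effective_value(text, "cipher")
    if cipher and cipher[0].upper() in WEAK_CIPHERS:
        return cipher[0]
    return None


if __name__ == "__main__":
    for name, occ in find_conflicts(SAMPLE_CONFIG).items():
        where = ", ".join("line %d: %s" % (ln, " ".join(a)) for ln, a in occ)
        eff = " ".join(effective_value(SAMPLE_CONFIG, name))
        print("conflict: %s (%s) -> effective: %s" % (name, where, eff))
    bad = weak_cipher(SAMPLE_CONFIG)
    if bad:
        print("weak cipher configured: %s" % bad)
```

Run against the file pulled from /tmp/etc/openvpn/client1/config.ovpn (as described later in the thread) by replacing SAMPLE_CONFIG with its contents; the conflict report points at the "Connection retry" field as the place to fix, which is the same conclusion the post reached by hand.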
     
  29. anik

    anik Addicted to LI Member

    I'm not 100% sure it works yet, because it's one of those situations where I can't just keep trying to break it to see if it will come back up, but hopefully I'll know soon enough. The VPN thing is a good idea, but not workable in this particular situation. As for how I get in to see the files, I FTP in - you get to the FTP server setup under the USB and NAS selection in the left-hand menu, then FTP server. I enabled it for LAN only (it will work through the tunnel), disabled anonymous access, and allowed the super-user to connect - strangely, the user name is admin even though in other places it's root. I also put just a forward slash in the public and private root directory fields, and save the configuration.

    I can then FTP in (on a Mac there's actually a way to make FTP servers appear in Finder, so it's pretty transparent operation) and then pull the .ovpn file into a text editor for viewing. The file itself is in /tmp/etc/openvpn/client1/config.ovpn (also aliased from /etc/openvpn/client1/config.ovpn).

    There may be better ways to do it (under Windows you can use WinSCP, which works quite well to view the file structure as long as you can SSH in) but it's something I do so seldom that I'm not going to spend a lot of time looking for a better way.

    One caveat, I'm actually using teddy_bear's build, so things might be a bit different on your build (not the VPN stuff, but maybe in other parts of the interface), but this seems like the better place to get info on the VPN stuff.
     
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm glad you've had such a good experience with it! When I started with this, it was just a proof-of-concept that I thought may be useful to me and I wasn't even sure if anybody else would even be interested in it. The level of use I've seen out of it has completely blown me away.

    By the way, I've been out of town the last several days, and I really appreciate you posting help in this thread while I was away. Thanks!
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    As I just said in my last reply, I've been on vacation the last four days (brewery tour of Colorado - tried/critiqued 96 different microbrews :biggrin:). In fact, my posts a couple of days ago were from my cell phone while my buddies needed some "downtime" (light-weights!). My first pass over this thread looks like everything is wrapped up. So, if I've overlooked an outstanding issue that could use my attention, please re-post it and I'll do my best. :smile:
     
  32. baldrickturnip

    baldrickturnip LI Guru Member

    you have made running an OpenVPN server on a cheap low power always connected device very easy - and you can see the demand

    I am very thankful for your effort
     
  33. Incidentflux

    Incidentflux Addicted to LI Member

    Thanks for your most excellent work SgtPepperKSU!

    But I can't get my commercial VPN provider to run on the router. Please help?

    Details here:
    http://www.linksysinfo.org/forums/showpost.php?p=348306&postcount=1021
     
  34. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It should work fine with commercial OpenVPN providers.

    A drop in free memory is pretty normal. If you ssh/telnet to the router and run
    Code:
    cat /proc/meminfo
    You'll see that the memory is just being used as cache (if the memory is needed by something it can be reused, so it isn't really "taken").

    Can you post the router logs from around the time you attempt to start the client? It usually gives some clue as to what is wrong.

    Oh, and I think you'll need Compression->Enabled instead of Adaptive.
     
  35. Vezado

    Vezado Addicted to LI Member

    Yeah, I'm stuck in Thailand with a bunch of lousy lagers and you're enjoying a Colorado brewfest. Can you fix this?

    Just kidding, hope you enjoyed your trip.
     
  36. Incidentflux

    Incidentflux Addicted to LI Member

    Compression has been 'Enabled'. I also noticed on WiTopia's 'Cloakbox' screenshot, they had a checkbox for 'nsCert'. How do I go about enabling that? I even copy-pasted the OpenVPN config file (minus the path to the certs/key) in the advanced section.

    Logs will show my lame attempts at trying to get it connected.

    Code:
    Jul  6 04:38:55 ? daemon.notice openvpn[2310]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 04:38:55 ? daemon.warn openvpn[2310]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 04:38:55 ? daemon.err openvpn[2310]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 04:38:55 ? daemon.notice openvpn[2310]: Exiting
    Jul  6 04:38:55 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Jul  6 04:39:22 ? daemon.notice openvpn[2331]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 04:39:22 ? daemon.warn openvpn[2331]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 04:39:22 ? daemon.err openvpn[2331]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 04:39:22 ? daemon.notice openvpn[2331]: Exiting
    Jul  6 04:39:22 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Jul  6 04:39:30 ? daemon.notice openvpn[2351]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 04:39:30 ? daemon.warn openvpn[2351]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 04:39:30 ? daemon.err openvpn[2351]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 04:39:30 ? daemon.notice openvpn[2351]: Exiting
    Jul  6 04:39:30 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Jul  6 04:39:36 ? daemon.notice openvpn[2367]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 04:39:36 ? daemon.warn openvpn[2367]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 04:39:36 ? daemon.err openvpn[2367]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 04:39:36 ? daemon.notice openvpn[2367]: Exiting
    Jul  6 04:39:36 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Jul  6 04:39:42 ? daemon.notice openvpn[2383]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 04:39:42 ? daemon.warn openvpn[2383]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 04:39:42 ? daemon.err openvpn[2383]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 04:39:42 ? daemon.notice openvpn[2383]: Exiting
    Jul  6 04:39:42 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Code:
    Jul  6 20:36:47 ? daemon.notice openvpn[2703]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 20:36:47 ? daemon.warn openvpn[2703]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 20:36:47 ? daemon.err openvpn[2703]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 20:36:47 ? daemon.notice openvpn[2703]: Exiting
    Jul  6 20:36:47 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Jul  6 20:36:55 ? daemon.notice openvpn[2719]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 20:36:55 ? daemon.warn openvpn[2719]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 20:36:55 ? daemon.err openvpn[2719]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 20:36:55 ? daemon.notice openvpn[2719]: Exiting
    Jul  6 20:36:55 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Jul  6 20:37:01 ? daemon.notice openvpn[2735]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 20:37:01 ? daemon.warn openvpn[2735]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 20:37:01 ? daemon.err openvpn[2735]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 20:37:01 ? daemon.notice openvpn[2735]: Exiting
    Jul  6 20:37:01 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Jul  6 20:37:10 ? daemon.notice openvpn[2751]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 20:37:10 ? daemon.warn openvpn[2751]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 20:37:10 ? daemon.err openvpn[2751]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 20:37:10 ? daemon.notice openvpn[2751]: Exiting
    Jul  6 20:37:10 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    Jul  6 20:40:51 ? user.warn kernel: nvram_commit(): init
    Jul  6 20:40:53 ? user.warn kernel: nvram_commit(): end
    Jul  6 20:41:00 ? daemon.notice openvpn[2791]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul  6 20:41:00 ? daemon.warn openvpn[2791]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Jul  6 20:41:00 ? daemon.warn openvpn[2791]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  6 20:41:00 ? daemon.err openvpn[2791]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos
    Jul  6 20:41:00 ? daemon.notice openvpn[2791]: Exiting
    Jul  6 20:41:00 ? user.info init[1]: VPN_LOG_ERROR: 281: Starting OpenVPN failed...
    
     
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    To emulate the "nsCert" checkbox, just add
    Code:
    ns-cert-type server
    to the custom configuration (don't just copy everything, that could cause problems). However, that line should not be necessary and doesn't affect the operation of the tunnel (it just slightly enforces that you are connecting to a VPN server that is using a certificate explicitly designated as for a server).

    The logs show what the problem is: the client certificate you entered is invalid. It should have both a -----BEGIN CERTIFICATE----- and a -----END CERTIFICATE----- line (with the actual certificate data in between).
     
  38. Incidentflux

    Incidentflux Addicted to LI Member

    It worked! You sir are awesome!

    The certificate wasn't copy pasted properly, although it was the same cert. By the way Compression works either way 'Enabled' or 'Adaptive'. You're right about the 'ns-cert-type server' it works either way as well.

    I just have one usability comment about the interface. Perhaps I was the only one who got this impression about the 'Start Now' button. I thought I had to click on each Start Now, like it was a unique start button for each service tab, to bring up the entire connection. Maybe leaving just one button on the status page would be enough. Just a thought...

    Now I just need to figure out how to create a VLAN and route OpenVPN's Internet traffic to clients only within that VLAN which would be a SIP ATA for VOIP and another computer.
     
  39. ng12345

    ng12345 LI Guru Member


    Here is a step by step on how to do it in dd-wrt. It is not much different for tomato, since there is no good gui to actually carry out the commands. In reading the forum post, it looks like Step 1 and Step 2 do the same thing, and since tomato does not have a vlan page, just start at step 2 --

    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1160

    I think one of the mods does have a vlan gui in place; but i can't remember which one it was.
     
  40. Bukkit

    Bukkit Addicted to LI Member

    I read that mode p2p is mainly for persistent tunnels. Could be a reason why it always restarts when the peer is not connected.

    I actually don't want to use TLS with Certificates, this is oversized for two peers.

    I did not check "Start with Router" but after I manually stopped the server, it will be restarted after a time.
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    People have been seeing the restarts with clients connected, too (but, I think only when no data is going across). This should not happen.
    TLS does more than allow you to have multiple clients. Being able to push directives from server to client makes for much cleaner solutions.
    This should not be the case unless you've added something to restart it. Did you add anything to your init (or firewall/WAN up) script?
     
  42. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    just a quick question, where is the portal to the site-to-site openvpn guide? I remember it should reside in this long thread...
     
  43. Bukkit

    Bukkit Addicted to LI Member

    No my Administration-> Scripts are empty.
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't believe there is one, but it could be simplified to the following:

    1. Generate certificates and enter them in the GUI
    2. Set the basic settings as desired (I recommend TUN/TLS/UDP)
    3. Fill in the Client-specific options table with the client LAN information, and uncheck the NAT option on the client
    4. Connect away, that's it.
     
  45. mferrigno

    mferrigno LI Guru Member

    Upgrade Questions

    Hi - I recently attempted upgrading from roadkill 1.19 to your latest Build 1.25vpn3.3 and have several questions.

    My requirements are as follows. Single external laptop VPN into home router.

    Previously with roadkill this worked fine, after the upgrade VPN failed.

    My previous config with roadkill:
    On Router
    Init
    sleep 5
    insmod tun.o

    Firewall
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

    Wan Up
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    echo "
    -----BEGIN OpenVPN Static key V1-----

    -----END OpenVPN Static key V1-----

    " > /tmp/static.key

    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --cipher BF-CBC --proto udp --keepalive 10 60 --verb 3 --daemon

    OpenVPN Config
    dev tap0
    ifconfig 192.168.1.77 255.255.255.0
    secret static.key
    proto udp
    remote {homeIP} 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float

    ---------------------
    Initially after upgrading Build 1.25vpn3.3 I removed the scripts and used the GUI.

    Under the GUI tab for Server 1 I
    Interface Type TAP
    Protocol UDP
    Port 1194
    Firewall Automatic
    Authorization Mode StaticKey

    In Keys I entered the static key.

    After this I hit the start now button, I noticed that after doing this there was no change in Status "Server is not running or status could not be read." Is this normal operation?

    I tried connecting remotely with no success, after that I tried entering my original scripts with no success.

    Any recommendations?

    Thank you
     
  46. baldrickturnip

    baldrickturnip LI Guru Member

    if your server will not start it helps to see the logs with the relevant entries - copy and paste them into a code box here

    when you hit the start button and the server is running it changes to a stop button
     
  47. mferrigno

    mferrigno LI Guru Member

    What is the best way to view the logs?
     
  48. mferrigno

    mferrigno LI Guru Member

    Jul 7 10:13:27 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Jul 7 10:13:27 unknown user.info kernel: device tap21 entered promiscuous mode
    Jul 7 10:13:27 unknown user.info kernel: br0: port 3(tap21) entering learning state
    Jul 7 10:13:27 unknown user.info kernel: br0: port 3(tap21) entering forwarding state
    Jul 7 10:13:27 unknown user.info kernel: br0: topology change detected, propagating
    Jul 7 10:13:27 unknown daemon.notice openvpn[436]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul 7 10:13:27 unknown daemon.warn openvpn[436]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jul 7 10:13:27 unknown daemon.err openvpn[436]: Insufficient key material or header text not found found in file 'static.key' (0/128/256 bytes found/min/max)
    Jul 7 10:13:27 unknown daemon.notice openvpn[436]: Exiting
    Jul 7 10:13:27 unknown user.info init[1]: VPN_LOG_ERROR: 719: Starting VPN instance failed...
    Jul 7 10:13:28 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jul 7 10:13:28 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jul 7 10:13:35 unknown user.info kernel: device tap21 entered promiscuous mode
    Jul 7 10:13:36 unknown user.info kernel: br0: port 3(tap21) entering learning state
    Jul 7 10:13:36 unknown user.info kernel: br0: port 3(tap21) entering forwarding state
    Jul 7 10:13:36 unknown user.info kernel: br0: topology change detected, propagating
    Jul 7 10:13:36 unknown daemon.notice openvpn[458]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul 7 10:13:36 unknown daemon.warn openvpn[458]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jul 7 10:13:36 unknown daemon.err openvpn[458]: Insufficient key material or header text not found found in file 'static.key' (0/128/256 bytes found/min/max)
    Jul 7 10:13:36 unknown daemon.notice openvpn[458]: Exiting
    Jul 7 10:13:36 unknown user.info init[1]: VPN_LOG_ERROR: 719: Starting VPN instance failed...
    Jul 7 10:13:36 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jul 7 10:13:36 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jul 7 10:13:45 unknown user.info kernel: device tap21 entered promiscuous mode
    Jul 7 10:13:45 unknown user.info kernel: br0: port 3(tap21) entering learning state
    Jul 7 10:13:45 unknown user.info kernel: br0: port 3(tap21) entering forwarding state
    Jul 7 10:13:45 unknown user.info kernel: br0: topology change detected, propagating
    Jul 7 10:13:45 unknown daemon.notice openvpn[476]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul 7 10:13:45 unknown daemon.warn openvpn[476]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jul 7 10:13:45 unknown daemon.err openvpn[476]: Insufficient key material or header text not found found in file 'static.key' (0/128/256 bytes found/min/max)
    Jul 7 10:13:45 unknown daemon.notice openvpn[476]: Exiting
    Jul 7 10:13:45 unknown user.info init[1]: VPN_LOG_ERROR: 719: Starting VPN instance failed...
    Jul 7 10:13:45 unknown user.info kernel: br0: port 3(tap21) entering disabled state
    Jul 7 10:13:45 unknown user.info kernel: br0: port 3(tap21) entering disabled state
     
  49. mferrigno

    mferrigno LI Guru Member

    I found the problem.

    Under the Keys tab on the router I didn't add the following. Guess it needs that.

    -----BEGIN OpenVPN Static key V1-----


    -----END OpenVPN Static key V1-----

    Sorry for the bother.
     
  50. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The static key you entered is invalid. Please double check what you have there. It needs to have a start line and an end line with the key data between.
     
  51. Incidentflux

    Incidentflux Addicted to LI Member

    mferrigno,

    Get rid of any blank spaces before and after the keys.
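    Both certificate errors in this thread (the "no start line" failure in post 37 and the "Insufficient key material or header text not found" failure in posts 48-51) come from key material pasted into the GUI without its BEGIN/END lines or with stray whitespace. Below is an added checker, not part of Tomato or TomatoVPN, that you can run on the text before pasting it. The sample certificate and static key it contains are constructed (a 5-byte DER SEQUENCE and a repeating hex pattern), and the 128/256-byte limits are taken from the OpenVPN error quoted in post 48.

```python
"""Check pasted OpenVPN key material before handing it to the router.

Added example, not part of Tomato or TomatoVPN. It reproduces the two
failure modes seen in this thread: a client.crt pasted without its
-----BEGIN/END CERTIFICATE----- lines ("no start line") and a static.key
pasted without its header and footer or with stray whitespace
("Insufficient key material or header text not found").
"""
import base64
import binascii
import re

CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
CERT_END = "-----END CERTIFICATE-----"
STATIC_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
STATIC_END = "-----END OpenVPN Static key V1-----"
# Limits taken from the OpenVPN error quoted in this thread:
# "(0/128/256 bytes found/min/max)".
STATIC_KEY_MIN_BYTES = 128
STATIC_KEY_MAX_BYTES = 256


def _block_body(text, begin, end):
    """Return the non-blank lines between `begin` and `end`, or None if
    either marker is missing. Every line is stripped, so spaces pasted
    before or after the markers do not matter."""
    lines = [ln.strip() for ln in text.splitlines()]
    if begin not in lines or end not in lines:
        return None
    body = lines[lines.index(begin) + 1:lines.index(end)]
    # '#' comment lines are legal inside an OpenVPN static key file.
    return [ln for ln in body if ln and not ln.startswith("#")]


def check_certificate(text):
    """Validate a PEM certificate block. Returns (ok, message)."""
    body = _block_body(text, CERT_BEGIN, CERT_END)
    if body is None:
        return False, "missing BEGIN/END CERTIFICATE lines"
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64"
    # A DER-encoded X.509 certificate always starts with an ASN.1 SEQUENCE
    # tag (0x30); anything else is not a certificate.
    if not der or der[0] != 0x30:
        return False, "decoded data is not a DER certificate"
    return True, "%d bytes of DER" % len(der)


def check_static_key(text):
    """Validate an OpenVPN static key (--secret) file. Returns (ok, message)."""
    body = _block_body(text, STATIC_BEGIN, STATIC_END)
    if body is None:
        return False, "missing BEGIN/END OpenVPN Static key V1 lines"
    hexdata = "".join(body)
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata) or len(hexdata) % 2:
        return False, "key body is not hex"
    nbytes = len(hexdata) // 2
    if not STATIC_KEY_MIN_BYTES <= nbytes <= STATIC_KEY_MAX_BYTES:
        return False, "%d bytes found, need %d-%d" % (
            nbytes, STATIC_KEY_MIN_BYTES, STATIC_KEY_MAX_BYTES)
    return True, "%d-byte static key" % nbytes


# Constructed samples (not real keys): a 5-byte DER SEQUENCE and a
# 256-byte key made of a repeating hex pattern, 16 lines of 32 hex digits.
SAMPLE_CERT = "\n".join([CERT_BEGIN, "MAMCAQE=", CERT_END])
SAMPLE_STATIC_KEY = "\n".join(
    [STATIC_BEGIN] + ["0123456789abcdef" * 2] * 16 + [STATIC_END])


if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT))
    print(check_certificate("MAMCAQE="))          # pasted without markers
    print(check_static_key(SAMPLE_STATIC_KEY))
    print(check_static_key("0123456789abcdef" * 32))
```

    The DER check is deliberately shallow (just the leading SEQUENCE tag); it catches the case of a key or something else pasted into the certificate field, while leaving full parsing to OpenVPN/OpenSSL.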
     
  52. besonen

    besonen LI Guru Member

    tomato 1.25 responsive issue(s)

    SgtPepperKSU, have you noticed the same tomato 1.25 responsiveness issue(s) that thor2002ro mentions:

    http://www.linksysinfo.org/forums/showpost.php?p=348309&postcount=148 :

    I was planning on testing your mod and was wondering whether I should go with Build 1.25vpn3.3 or 1.23vpn3.2.



    thanks,
    david
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I have not noticed anything like that. If I were you, I'd go with 1.25vpn3.3 and only revert to 1.23vpn3.2 if you run into troubles (if they seem VPN related be sure to let me know - though, I haven't had any such reports yet).
     
  54. dorkiedoode

    dorkiedoode Addicted to LI Member

    Hi, so the past few weeks I've been working on getting VPN to work. I didn't want to ask any questions until I tried to solve it myself but I am BEAT! I definitely have no idea how to work this VPN. The server is up and running with the basic TLS/UDP. I left the original port 1194 forwarded as well. I also checked Direct clients to redirect Internet traffic, Respond to DNS, Advertise DNS to clients (I believe this allows all traffic to go thru my network?).

    For my client config i have the follow:

    client
    dev tun
    proto udp
    remote myipaddress 1194
    ;resolv-retry infinite
    ;nobind
    persist-key
    persist-tun
    ;comp-lzo adaptive
    ;cipher BF-CBC
    verb 3
    script-security 2
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    ;status status
    ns-cert-type server

    I have no idea what some of those are as I just got it off the internet. Now I am able to connect to my network but once I am connected I could not surf the net. Can anyone help me get this running with just the basics? I just want to be able to access my secure network anywhere and route all traffic to my network so it could be secure, that's all! I'm pretty sure this is a piece of cake for some but I can't seem to get it to work.
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Is the server also configured as TUN? What subnet does the server LAN and client machine use?

    Could you post your VPN log from the client? It could have a clue as to what is wrong.

    Also, try to (from the client):
    • ping the server router's LAN IP
    • ping a server LAN computer
    • nslookup www.google.com
    • ping 74.125.95.99
    • traceroute 74.125.95.99
     
  56. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Sorry to bother you again :wink:
    --------------------------------------------------------------------------------
    Tomato VPN Server
    IP 192.168.10.1/255.255.255.0

    Setting under "VPN Tunneling->Server 1->Basic"
    Start with Router checked
    Interface Type
    Protocol UDP
    Port 45646
    Firewall Automatic
    Authorization Mode TLS
    Extra HMAC authorization Incoming (0)
    Client address pool checked DHCP

    Setting under "VPN Tunneling->Server 1->Advanced"
    Direct clients to redirect Internet traffic unchecked
    Respond to DNS unchecked
    Encryption cipher BF-CBC
    Compression Disabled
    Manage Client-Specific Options unchecked
    Custom Configuration
    auth SHA1
    key-method 2
    route-gateway 192.168.10.1
    push redirect-gateway
    push "dhcp-option DNS 192.168.10.1"
    replay-window 60 15
    #persist key
    #persist tun
    group nobody
    user nobody
    --------------------------------------------------------------------------------
    Tomato VPN Client 192.168.30.1/255.255.255.0

    Setting under "VPN Tunneling->Client 1->Basic"
    Start with Router checked
    Interface Type TAP
    Protocol UDP
    Server Address/Port xxxx.xxxx.xxxx 45646
    Firewall Automatic
    Authorization Mode TLS
    Extra HMAC authorization Outgoing
    Server is on the same subnet checked

    Setting under "VPN Tunneling->Client 1->Advanced"
    Redirect Internet traffic Gateway unchecked
    Accept DNS configuration unchecked
    Encryption cipher BF-CBC
    Compression Disabled
    Connection retry 30
    Custom Configuration pull
    --------------------------------------------------------------------------------

    The problem is client can connect to server side, but virtual address in status is empty.
    Code:
    Wed Jul 08 22:51:46 2009 SENT CONTROL [xxx.xxx.xxx]: 'PUSH_REQUEST' (status=1)
    Wed Jul 08 22:51:47 2009 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 192.168.10.1,route-gateway dhcp,ping 15,ping-restart 60'
    Wed Jul 08 22:51:47 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Jul 08 22:51:47 2009 OPTIONS IMPORT: route options modified
    Wed Jul 08 22:51:47 2009 OPTIONS IMPORT: route-related options modified
    Wed Jul 08 22:51:47 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Jul 08 22:51:47 2009 ROUTE default_gateway=192.168.30.1
    Wed Jul 08 22:51:47 2009 TAP-WIN32 device [ZGQC] opened: \\.\Global\{531CE697-4755-4AEF-A2A1-C344582726F4}.tap
    Wed Jul 08 22:51:47 2009 TAP-Win32 Driver Version 9.4 
    Wed Jul 08 22:51:47 2009 TAP-Win32 MTU=1500
    Wed Jul 08 22:51:47 2009 Successful ARP Flush on interface [30] {531CE697-4755-4AEF-A2A1-C344582726F4}
    Wed Jul 08 22:51:52 2009 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
    Wed Jul 08 22:51:52 2009 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
    Wed Jul 08 22:51:52 2009 Initialization Sequence Completed
    Another question is I always get failed to start vpnservice, log indicate that "persist key" and "persist tun" caused the problem, how can I get them to work?

    Thanks for your kindly help.
     
  57. kenyloveg

    kenyloveg LI Guru Member

    I was wondering if server and client are not on same subnet (one is 192.168.10.1, and another is 192.168.30.1) would cause the problem?
     
  58. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    On the server: "auth SHA1" and "key-method 2" don't do anything (those values are the defaults), so just get rid of those. Rather than doing the route-gateway, redirect-gateway, and dhcp-option manually, why don't you use the GUI options that do the same thing? However, the problem there is that you need to push the route-gateway, not just have it execute on the server. The replay-window is close enough to the defaults (64 15) that I'd say to get rid of that as well unless you specifically need a value of 60.

    On the client: "pull" is also redundant and already part of the auto-generated configuration.
    Add hyphens like I said in the other thread :wink: However, those are already automatically generated and don't need to be in the custom configuration.

    So, in short, get rid of everything you put in custom configuration except maybe the user and group lines (which are of arguably little benefit on a router).
     
  59. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, you did check "Server is on the same subnet" on the client, so, yeah, it will cause problems :wink:

    If you are using two subnets, just use TUN and your life will be much simpler (TAP has no benefits if using two subnets, and TUN has much less headache).
     
  60. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I did what you said to remove everything in Custom Configuration but user/group on server. But I've no idea of which GUI to enable redirect gateway. I checked my TAP device, it always get blank gateway address.

    PS: I've changed to TUN as you advised.
     
  61. kenyloveg

    kenyloveg LI Guru Member

    Almost forgot that I've been using firewall script:
    Code:
    iptables -D FORWARD -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT
    iptables -A wanout -i br0 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
    iptables -A wanout -i br0 -m mac --mac-source 66:77:88:29:00:11 -j ACCEPT
    iptables -A wanout -i br0 -d www.microsoft.com -j ACCEPT
    iptables -A wanout -i br0 -d www.eset.com -j ACCEPT
    iptables -A wanout -i br0 -d 121.198.84.229 -j ACCEPT
    iptables -A wanout -i br0 -d 124.74.201.70 -j ACCEPT
    iptables -A wanout -i br0 -d 222.173.188.36 -j ACCEPT
    iptables -A wanout -i br0 -d 124.238.254.31 -j ACCEPT
    iptables -A wanout -i br0 -d 61.191.55.141 -j ACCEPT
    iptables -A wanout -i br0 -d 222.186.11.191 -j ACCEPT
    iptables -A wanout -i br0 -d 221.130.197.253 -j ACCEPT
    iptables -A wanout -i br0 -d windowsupdate.microsoft.com -j ACCEPT
    iptables -A wanout -i br0 -d update.microsoft.com -j ACCEPT
    iptables -A wanout -i br0 -p udp --dport 8000 -j ACCEPT
    iptables -A wanout -i br0 -p tcp --dport 443 -j ACCEPT
    iptables -A wanout -i br0 -j DROP
    would this affect inbound/outbound OpenVPN packages?
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    "Direct clients to redirect Internet traffic" pushes a redirect-gateway (and route-gateway, if needed) to the client. Checking "Respond to DNS" and "Advertise DNS to Clients" enables the router to respond to DNS over the tunnel and pushes a dhcp-option DNS to the client.
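    To see why the TAP setup in post 56 ended with "unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing" while the later TUN/net30 setup works, it helps to walk through what the client does with the pushed options. The script below is an added example (not from the thread, Tomato or OpenVPN) that parses a PUSH_REPLY log line the way the client log prints it and predicts the routes the client will add. The two sample lines are modelled on the ones quoted in this thread; the server IP 203.0.113.10 and the local default gateways are constructed placeholders.

```python
"""Work out what an OpenVPN client will do with a pushed PUSH_REPLY.

Added example, not from the thread, Tomato, or OpenVPN itself. The two
sample replies are modelled on the logs quoted in this thread: the TAP
server's reply that left the client with no VPN gateway, and the later
TUN/net30 reply that produced the route.exe additions in the client log.
The server IP and the local default gateways are constructed.
"""
import ipaddress

# Constructed log lines, modelled on the ones in this thread.
TAP_REPLY = ("Wed Jul 08 22:51:47 2009 PUSH: Received control message: "
             "'PUSH_REPLY,redirect-gateway,dhcp-option DNS 192.168.10.1,"
             "route-gateway dhcp,ping 15,ping-restart 60'")
TUN_REPLY = ("Thu Jul 09 17:36:37 2009 PUSH: Received control message: "
             "'PUSH_REPLY,route 192.168.10.0 255.255.255.0,redirect-gateway def1,"
             "route 172.16.0.1,topology net30,ping 15,ping-restart 60,"
             "ifconfig 172.16.0.6 172.16.0.5'")


def parse_push_reply(line):
    """Split the quoted PUSH_REPLY option list into (name, args) tuples.
    Works on both the client's 'Received control message' line and the
    server's 'SENT CONTROL' line, which quote the same string."""
    start = line.index("'PUSH_REPLY,") + len("'PUSH_REPLY,")
    end = line.index("'", start)
    options = []
    for opt in line[start:end].split(","):
        parts = opt.split()
        options.append((parts[0], parts[1:]))
    return options


def vpn_gateway(options):
    """Next hop the client will use for pushed routes: an explicit
    --route-gateway address wins; otherwise the --ifconfig peer address
    (the net30 point-to-point remote). 'route-gateway dhcp' supplies no
    address, which is what the TAP reply above ran into."""
    gw = None
    for name, args in options:
        if name == "route-gateway" and args and args[0] != "dhcp":
            return args[0]
        if name == "ifconfig" and len(args) == 2:
            gw = args[1]
    return gw


def predict_routes(options, local_default_gw, server_ip):
    """Return (routes, warnings); each route is (network, gateway)."""
    gw = vpn_gateway(options)
    routes, warnings = [], []
    redirect = [args for name, args in options if name == "redirect-gateway"]
    if redirect:
        if gw is None:
            warnings.append("unable to redirect default gateway: no "
                            "--route-gateway address or --ifconfig pushed")
        else:
            # Pin the tunnel endpoint to the old default route so the
            # encrypted traffic itself is not sent into the tunnel.
            routes.append((server_ip + "/32", local_default_gw))
            if "def1" in redirect[0]:
                # def1 overrides the default route with two /1s rather
                # than deleting it; easier to undo on disconnect.
                routes.append(("0.0.0.0/1", gw))
                routes.append(("128.0.0.0/1", gw))
            else:
                routes.append(("0.0.0.0/0", gw))
    for name, args in options:
        if name != "route":
            continue
        if gw is None:
            warnings.append("cannot add route %s: no VPN gateway" % " ".join(args))
            continue
        # 'route host' means a /32; 'route net mask' a network.
        spec = args[0] + "/" + (args[1] if len(args) > 1 else "32")
        routes.append((str(ipaddress.ip_network(spec, strict=False)), gw))
    return routes, warnings


if __name__ == "__main__":
    for label, line, lan_gw in (("TAP", TAP_REPLY, "192.168.30.1"),
                                ("TUN", TUN_REPLY, "192.168.1.1")):
        routes, warnings = predict_routes(parse_push_reply(line), lan_gw, "203.0.113.10")
        print(label, routes, warnings)
```

    For the TUN reply the predicted list is the same five additions the client log shows (host route to the server via the LAN gateway, the two /1 routes, the 192.168.10.0/24 LAN route and the 172.16.0.1/32 host route, all via 172.16.0.5); for the TAP reply nothing is installed and the warning matches the NOTE in the log.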
     
  63. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think it would.
     
  64. dorkiedoode

    dorkiedoode Addicted to LI Member

    Hi, thanks for responding. Yes I am using TUN/TLS/UDP. My server lan subnet is 192.168.1.1/255.255.255.0. My computer is on 192.168.1.101.

    Client: IP= 10.0.0.245, external IP: 64.183.115.146


    As of now I am using the library internet to test out my vpn and here is the log from my laptop when I am connected

    I tried all the commands that you requested and I get request time out on all
     
  65. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try changing your VPN subnet to 172.16.0.0/255.255.255.0 instead of 10.8.0.0/255.255.255.0. I've seen lots of people who have problems with OpenVPN and Vista if they use a 10.X.X.X subnet for both LAN and VPN (even if the two subnets are properly separate). I suspect there is a bug in Windows with regard to this.
     
  66. dorkiedoode

    dorkiedoode Addicted to LI Member

    I changed 10.8.0.0 to 172.16.0.0 and I am unable to connect to VPN.

     
  67. dorkiedoode

    dorkiedoode Addicted to LI Member

    Hmm, I searched and it seems to have something to do with the time.
     
  68. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Any errors in the server log?

    The 172.16.0.0 subnet may also be in use where you are testing. Try 192.168.243.0/255.255.255.0 instead (random choice in one of the private IP spaces).

    That, or there could be a problem with your TLS certificates. Double check that there are no errors in the server log and make sure the router and client have the same time (and time zone).

    EDIT: I see you beat me to the second option there. Definitely fix that up and see if it works.
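    The subnet advice in posts 65 and 68 (move the tunnel off 10.8.0.0/24 when the client LAN is also 10.x, and off 172.16.0.0/24 if the network you are testing from uses it) can be checked mechanically before you pick an address pool. The script below is an added example, not TomatoVPN code; the scenario it runs is constructed from post 64 (server LAN 192.168.1.0/24, client on 10.0.0.0/24), and the assumption that the library's network is 172.16.0.0/24 is added only to show the second rejection.

```python
"""Choose a VPN tunnel subnet that does not collide with either end.

Added example; not TomatoVPN code. It mechanises the advice given in
this thread: move the tunnel off 10.8.0.0/24 when the client LAN is also
a 10.x network, and off 172.16.0.0/24 when the network you are testing
from uses it, falling back to something like 192.168.243.0/24.
"""
import ipaddress

TEN_SLASH_8 = ipaddress.ip_network("10.0.0.0/8")

# Candidate tunnel subnets, in order of preference (the three that come
# up in this thread).
DEFAULT_CANDIDATES = ("10.8.0.0/24", "172.16.0.0/24", "192.168.243.0/24")


def _net(spec):
    """Accept either a network ('192.168.1.0/24') or a host address with
    its mask ('192.168.1.101/24') and return the enclosing network."""
    return ipaddress.ip_network(spec, strict=False)


def conflicts(candidate, in_use):
    """Return the in-use networks that overlap `candidate`."""
    cand = _net(candidate)
    return [str(_net(n)) for n in in_use if cand.overlaps(_net(n))]


def shares_ten_with(candidate, in_use):
    """True when both the candidate and some in-use network sit inside
    10.0.0.0/8: the combination reported in this thread as troublesome
    on Vista even when the two /24s are disjoint."""
    cand = _net(candidate)
    if not cand.subnet_of(TEN_SLASH_8):
        return False
    return any(_net(n).subnet_of(TEN_SLASH_8) for n in in_use)


def choose_vpn_subnet(in_use, candidates=DEFAULT_CANDIDATES, avoid_shared_ten=True):
    """First candidate that overlaps nothing in `in_use` (and, when
    avoid_shared_ten is set, does not share 10/8 with anything in use).
    Returns None when every candidate is ruled out."""
    for cand in candidates:
        if conflicts(cand, in_use):
            continue
        if avoid_shared_ten and shares_ten_with(cand, in_use):
            continue
        return cand
    return None


if __name__ == "__main__":
    # Constructed scenario: server LAN 192.168.1.0/24, client sitting on
    # 10.0.0.0/24 at a library; the library's 172.16.0.0/24 is an
    # assumption added to show the second rejection.
    in_use = ["192.168.1.101/24", "10.0.0.245/24", "172.16.0.0/24"]
    for cand in DEFAULT_CANDIDATES:
        print(cand, "overlaps", conflicts(cand, in_use),
              "shares 10/8:", shares_ten_with(cand, in_use))
    print("use", choose_vpn_subnet(in_use))
```

    Feed `in_use` with every network the client must still reach while connected (its own LAN, the server LAN, any routes you push); a tunnel pool that overlaps any of them silently steals traffic from that network, which is a harder failure to spot than a tunnel that simply does not come up.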
     
  69. dorkiedoode

    dorkiedoode Addicted to LI Member

    So after messing around with it for a bit, I got some errors to go away. Now I am able to connect but still no internet.
    Server
    client
     
  70. Incidentflux

    Incidentflux Addicted to LI Member

  71. kenyloveg

    kenyloveg LI Guru Member

    The IPv4 gateway is still blank on my windows client, here goes part of the server log
    Code:
    Jul  9 17:36:41 ? daemon.notice openvpn[3977]: FREELANCER/58.41.87.39:65472 PUSH: Received control message: 'PUSH_REQUEST'
    Jul  9 17:36:41 ? daemon.notice openvpn[3977]: FREELANCER/58.41.87.39:65472 SENT CONTROL [FREELANCER]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,redirect-gateway def1,route 172.16.0.1,topology net30,ping 15,ping-restart 60,ifconfig 172.16.0.6 172.16.0.5' (status=1
    
    and part of client log
    Code:
    Thu Jul 09 17:36:36 2009 [zgqc.3322.org] Peer Connection Initiated with 222.69.93.135:45646
    Thu Jul 09 17:36:37 2009 SENT CONTROL [xx.xx.xx.xx]: 'PUSH_REQUEST' (status=1)
    Thu Jul 09 17:36:37 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,redirect-gateway def1,route 172.16.0.1,topology net30,ping 15,ping-restart 60,ifconfig 172.16.0.6 172.16.0.5'
    Thu Jul 09 17:36:37 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Jul 09 17:36:37 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Jul 09 17:36:37 2009 OPTIONS IMPORT: route options modified
    Thu Jul 09 17:36:37 2009 ROUTE default_gateway=192.168.1.1
    Thu Jul 09 17:36:37 2009 TAP-WIN32 device [ZGQC] opened: \\.\Global\{531CE697-4755-4AEF-A2A1-C344582726F4}.tap
    Thu Jul 09 17:36:37 2009 TAP-Win32 Driver Version 9.4 
    Thu Jul 09 17:36:37 2009 TAP-Win32 MTU=1500
    Thu Jul 09 17:36:37 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.0.6/255.255.255.252 on interface {531CE697-4755-4AEF-A2A1-C344582726F4} [DHCP-serv: 172.16.0.5, lease-time: 31536000]
    Thu Jul 09 17:36:37 2009 Successful ARP Flush on interface [29] {531CE697-4755-4AEF-A2A1-C344582726F4}
    Thu Jul 09 17:36:42 2009 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
    Thu Jul 09 17:36:42 2009 C:\WINDOWS\system32\route.exe ADD xx.xx.xx.xx MASK 255.255.255.255 192.168.1.1
    Thu Jul 09 17:36:42 2009 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Thu Jul 09 17:36:42 2009 Route addition via IPAPI succeeded [adaptive]
    Thu Jul 09 17:36:42 2009 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.16.0.5
    Thu Jul 09 17:36:42 2009 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Thu Jul 09 17:36:42 2009 Route addition via IPAPI succeeded [adaptive]
    Thu Jul 09 17:36:42 2009 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.16.0.5
    Thu Jul 09 17:36:42 2009 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Thu Jul 09 17:36:42 2009 Route addition via IPAPI succeeded [adaptive]
    Thu Jul 09 17:36:42 2009 C:\WINDOWS\system32\route.exe ADD 192.168.10.0 MASK 255.255.255.0 172.16.0.5
    Thu Jul 09 17:36:42 2009 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Thu Jul 09 17:36:42 2009 Route addition via IPAPI succeeded [adaptive]
    Thu Jul 09 17:36:42 2009 C:\WINDOWS\system32\route.exe ADD 172.16.0.1 MASK 255.255.255.255 172.16.0.5
    Thu Jul 09 17:36:42 2009 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Thu Jul 09 17:36:42 2009 Route addition via IPAPI succeeded [adaptive]
    Thu Jul 09 17:36:42 2009 Initialization Sequence Completed
    client configurations
    Code:
    client
    pull
    tls-client
    dev tun
    proto udp
    remote xx.xx.xx.xx 45646
    nobind
    auth SHA1
    key-method 2
    ca ca.crt
    cert client_huwei.crt
    key client_huwei.key
    ns-cert-type server
    tls-auth ta.key 1
    cipher BF-CBC
    status openvpn-status.log
    verb 3
    explicit-exit-notify 3
    keepalive 15 120
     
  72. kenyloveg

    kenyloveg LI Guru Member

    And errors on client logs
    Code:
    Thu Jul 09 17:38:22 2009 write to TUN/TAP  [State=AT0c Err=[c:\src\21\tap-win32\tapdrvr.c/2268] #O=2 Tx=[10,0] Rx=[0,7] IrpQ=[1,1,16] PktQ=[0,1,64]]: The data area passed to a system call is too small. (code=122)
    This happens to be a known issue between Vista and OpenVPN?
    I'm running latest windows client.
     
  73. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Well, I figured out how to fix my problem now.
    After changing some settings on the server:
    Compression from Disable/Enable to Adaptive
    on windows client:
    client (identify client or server)
    dev tun (TAP)
    proto udp
    remote xx.xx.xx.xx
    port 45646
    nobind (IP address will be released if not in use)
    persist-tun
    persist-key
    tls-auth ta.key 1
    ca ca.crt
    cert client.crt
    key client.key
    dh dh2048.pem (this line is added, looks like handshake could speed up by this)
    cipher BF-CBC
    status openvpn-status.log
    verb 6 (this will increase details in logs, higher is more detailed)
    comp-lzo (added in case server side is Adaptive/Enabled, Adaptive works great but Enable really slow, and it should fix "The data area passed to a system call is too small")
    keepalive 15 120

    The option "pull" is pulled out, this might cause the gateway problem.
     
  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad to hear it!
    "pull" is already part of the "client" directive, so you were including it twice before. You'd think OpenVPN would ignore the second one, but I guess not.
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What about all the pinging, nslookups, and traceroutes I had you try before? Does any of that work (can you ping the server router, server LAN computers, internet by IP, etc)?

    Can you post the routing table from both the server and client?
     
  76. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    How do I let the VPN client's internet traffic go through its own WAN, not the VPN's WAN? Would simply unchecking "Direct clients to redirect Internet traffic" work?
    And how do I make NetBIOS/WINS work, to contact devices on the server's LAN by typing a name instead of an IP address? Should TAP be chosen?
    These two options in the GUI are not explained on your site http://tomatovpn.keithmoyer.com nor in the quick start http://www.linksysinfo.org/forums/showpost.php?p=334426; can you add them to the quick description of the settings?
    Hope my questions don't bother you again^_^. And thank you again.
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep, as long as the client doesn't have a redirect-gateway directive in its own config.
    You don't need netbios or WINS to do that. The "Accept DNS requests" and "Advertise DNS" options should take care of that.

    However, if you really want to get WINS working, I can't help you. I've never set that up. Good luck! If you figure something out, post back here.

    EDIT: I forgot how long it's been since my last release (keep thinking 1.26 shouldn't be far off). You may also need to add "strict-order" to your DNSMasq custom configuration to get the DNS stuff to work reliably. This has already been fixed in the development versions I've been using for quite a while, so that won't be necessary in the next release.
     
  78. kenyloveg

    kenyloveg LI Guru Member

    Ok, I'll try it to see if it works.
    Another question is about client-to-client option:
    Code:
    If you fill in the subnet and netmask of the client, your server LAN will be able to communicate with your client LAN whenever it's connected (be sure not to choose the NAT option on the client router).
    Does "whenever it's connected" mean whenever the client connects to the server through the VPN (the client's router should already be connected to the server through the VPN tunnel)? Would "Tracking / NAT Helpers" under "Advanced" influence the NAT option on the VPN client tab?

    I used to run the dualwan MOD on 3 Tomato routers (all connected by the PPTP protocol), but devices inside the dualwan MOD can't establish a PPTP connection to another site (PPTP in "Tracking / NAT Helpers" must be disabled to make PPTP site-to-site work). Another reason is security, so I turned to your MOD. Everything is flawless, except the client software. It'll be perfect if IPSEC VPN over L2TP is available in the near future.:thumbup:
    After all the experimental tests are done, I may create a quick start guide for newbies like me:hearts:
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    "whenever it's connected" means whenever the VPN client (this would be the client-side router) is connected. All it does is say "I know this client has this subnet behind it, so whenever it is connected, I'll route traffic destined for that subnet over the VPN to that client (and it will know what to do with it)".
    No, they shouldn't have any influence on each other. The NAT option on the VPN client tab just makes the entire LAN behind that client look like one machine. That's fine if you just want to allow the client side to contact the server side, but the server side can't contact the client-side LAN because they all look the same (they all look like the router). Does that make sense?
     
  80. anik

    anik Addicted to LI Member

    Here, let me fix that for you...
    Not that I don't appreciate it - I was hoping someone would do that sooner or later. But you really shouldn't say that you are "writing" something when for the most part you're simply posting a translation of the German page, without at least giving credit to the source at http://de.wikibooks.org/wiki/Tomato_(Firmware) (for the Wikibooks page). Unless, of course, you are multi-lingual and you are the author of the original German language page, in which case I apologize in advance.
     
  81. Incidentflux

    Incidentflux Addicted to LI Member

    Oh! "Writing" meant others contributing, I was hoping to encourage people to add to those articles, since search engine results favor Wikipedia and it'll look more organized for new users.

    I never claimed or implied the Wikibooks article was my work. I (MMuzammils) did however resurrect the Wikipedia article, after it was deleted and redirected to the Linksys page. But it's not that useful compared to the Wikibooks one.

    http://en.wikipedia.org/w/index.php?title=Tomato_(firmware)&action=history

    You can look at the respective Wikibooks article's history to see who did what, if you want to know who wrote the bulk of them. Although the whole point is moot since Wikipedia licenses allow copying between wikis.

    History
    http://en.wikibooks.org/w/index.php?title=Tomato_(firmware)&limit=500&action=history

    http://de.wikibooks.org/w/index.php?title=Tomato_(Firmware)&limit=500&action=history
     
  82. ng12345

    ng12345 LI Guru Member

    Good to know -- I would like this functionality, and will try the DNS request feature. Could you explain in more detail what these options do? I would like to have this functionality on a computer that is connecting as a roaming client through the Windows OpenVPN package, and want to know if this is an OpenVPN option or a routing table option.

    If you are interested in WINS, I have successfully done it on the 1.19 VPN iteration (before the GUI was in play) -- it requires running a WINS server, usually behind your VPN server, and pushing that to the clients. It works, but I was using Win 2k3 as my WINS server, and I don't think the WINS server implementation is all that stable.

    As an example:

    VPN server subnet: 192.168.1.0
    WINS server: 192.168.1.25
    client server subnet: 192.168.2.0

    I would then put this in my server OpenVPN config:
    Code:
    push "dhcp-option WINS 192.168.1.25"

    Also, another feature that would be nice, would be a text box/nvram variable for the revocation file crl.pem; I think it would require minimal coding to the current construct, but would save people who need to revoke certificates from creating a jffs or storing the pem file on a network computer
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    "Accept DNS requests" just changes the Dnsmasq configuration on the router to accept DNS requests from the VPN interface. "Advertise DNS" just pushes a "dhcp-option DNS" directive to the clients to let them know that there is a DNS server on the server side. It works fine on Windows clients with no further configuration either end.
    Good to know. I might add that to the GUI in future versions.
     
  84. Incidentflux

    Incidentflux Addicted to LI Member

    I did a thorough NVRAM erase and now, status shows much more free memory, earlier it was dropping down to about 3% free and up to 7-9% upon stopping the VPN. But now at stopping its up to 14.19 MB / 1,848.00 KB (12.72%) and 14.19 MB / 1,292.00 KB (8.89%) while in use.

    Hope this info comes in handy for the FAQ.
     
  85. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I'm able to link 3 routers via your MOD now, but something is abnormal.
    Here is the configuration:

    Server1 (Router A)
    Code:
    # Automatically generated configuration
    daemon
    server 192.168.100.0 255.255.255.0
    proto udp
    port 45646
    dev tun21
    cipher BF-CBC
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route 192.168.10.0 255.255.255.0"
    client-config-dir ccd
    client-to-client
    push "dhcp-option DNS 192.168.10.1"
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    # Custom Configuration
    group nobody
    user nobody

    Client1 (Router B)

    Code:
    # Automatically generated configuration
    daemon
    client
    dev tun11
    proto udp
    remote xxxx.xxxx.org 45646
    resolv-retry 30
    nobind
    persist-key
    persist-tun
    comp-lzo adaptive
    cipher BF-CBC
    verb 3
    script-security 2
    up updown.sh
    down updown.sh
    tls-auth static.key 1
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status
    
    # Custom Configuration
    group nobody
    user nobody
    
    Client2 (Router C)
    Same as Client1

    Client3 (Windows PC, behind Router B or Router D)
    Code:
    client
    dev tun
    proto udp
    remote xxxx.xxxx.xxx
    port 45646
    nobind
    persist-tun
    persist-key
    tls-auth ta.key 1
    ca ca.crt
    cert client_huwei.crt
    key client_huwei.key
    dh dh2048.pem
    cipher BF-CBC
    verb 3
    comp-lzo adaptive
    keepalive 15 120
    status openvpn-status.log
    The problem is Client3 can access devices behind Router A, but devices behind Router B/C cannot.

    And the logs on Router A/B/C keep getting the errors below.
    Code:
    daemon.err openvpn[122]: event_wait : Interrupted system call (code=4)
    
    Thanks for your help.
     
  86. Bukkit

    Bukkit Addicted to LI Member

    In my /var/spool/cron/crontabs/root is this line:
    Code:
    */30 * * * * service vpnserver1 start #CheckVPNServer#
    Was that added by TomatoVPN?
    Can I remove it? And do I need to reload crontab or something like that after removing it?
     
  87. x-demon

    x-demon Addicted to LI Member

    I got the following error on the router:
    Code:
    Jul 15 16:14:21 home daemon.notice openvpn[11261]: h0m3.x-demon.org/192.168.1.6:52445 SENT CONTROL [h0m3.x-demon.org]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.2,route-gateway 192.168.1.2,redirect-gateway def1,route 192.168.1.0 255.255.255.0,redirect-gateway def1,route-gat
    Jul 15 16:14:22 home daemon.err openvpn[11261]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)

    and on the client:
    Code:
    failed to parse/resolve default gateway: dhcp

    Config:
    TAP. UDP. HMAC disabled. TLS auth. DHCP binding.

    Code:
    script-security 2
    route-gateway 192.168.0.2
    push "route 192.168.1.0 255.255.255.0"
    push "redirect-gateway def1"
    replay-window 60 15
    persist-key
    persist-tun
    group nobody
    user nobody
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That isn't added by TomatoVPN. Did you add an entry like that to your Init script? Just remove it from there and reboot.
     
  89. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Make sure you are using a recent version of OpenVPN client.

    I'll assume that last bit of stuff you provided is what you have in your Custom Configuration (that seems to agree with the bit of log you provided). Get rid of all of that besides possibly the group and user line - the route and route-gateway lines you have don't make sense, and should be set up in the GUI anyway. What IP addresses do the server router and client (router?) have?
     
  90. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What LAN subnets are each of the routers using? Have you configured them in your Client-Specific Options?

    That's not an error. That's just the GUI telling OpenVPN to refresh the stats so it can display them.
     
  91. Bukkit

    Bukkit Addicted to LI Member

    I added it once to my init script, but removed it after the last upgrade. I didn't reboot since then (now 31 days uptime). Can't I remove that line from the file?
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you want to remove it for the current boot:
    Code:
    cru d CheckVPNServer
     
  93. Bukkit

    Bukkit Addicted to LI Member

    Thanks, SgtPepperKSU
     
  94. kenyloveg

    kenyloveg LI Guru Member

    Router A is 192.168.10.1
    Router B is 192.168.20.1
    Router C is 192.168.30.1
    And the subnet mask is the same for all: 255.255.255.0
     
  95. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    And have you configured them all in the Client-specific options section of the server?

    Can routers B and C, themselves, ping devices behind router A?
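    The "I know this client has this subnet behind it" behaviour SgtPepperKSU describes above, applied to kenyloveg's three-router layout, as an added example that is not the thread's or TomatoVPN's own code. On a hand-written OpenVPN server that behaviour is the client-config-dir + iroute pairing: a ccd file per client common name holding "iroute subnet mask", a matching "route" line in the server config, and a pushed "route" so the other sites (with client-to-client) learn it too; that this is what the GUI's client-specific subnet field generates is an assumption. The subnets are the ones posted above; the common names router-b and router-c are constructed placeholders, as is the ccd directory path.

```shell
#!/bin/sh
# Added example (not from the thread or TomatoVPN). Generates the three
# pieces that let a server route a client-side LAN over the tunnel:
#   ccd/<common name>:  iroute <subnet> <mask>        which client owns the LAN
#   server config:      route  <subnet> <mask>        kernel route into the tun device
#                       push "route <subnet> <mask>"  other sites learn it (client-to-client)
# Constructed site list: the subnets are kenyloveg's, the common names are
# placeholders (they must match the CN in each router's client certificate).
SITES='router-b 192.168.20.0 255.255.255.0
router-c 192.168.30.0 255.255.255.0'

# True when subnet is the network address for mask (192.168.20.0/255.255.255.0),
# false for a host address such as 192.168.20.1: route/iroute accept either,
# but a host address then matches nothing the other sites actually send.
is_network_address() {
  oldifs=$IFS
  IFS=.
  set -- $1 $2
  IFS=$oldifs
  [ $# -eq 8 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  [ $(($1 & $5)) -eq "$1" ] && [ $(($2 & $6)) -eq "$2" ] &&
  [ $(($3 & $7)) -eq "$3" ] && [ $(($4 & $8)) -eq "$4" ]
}

# Contents of ccd/<cn> for one site (args: cn subnet mask).
# Refuses a malformed subnet so a bad entry cannot be written silently.
ccd_entry() {
  is_network_address "$2" "$3" || return 1
  printf 'iroute %s %s\n' "$2" "$3"
}

# Server-side directives for every site read from stdin ("cn subnet mask").
server_routes() {
  while read -r cn subnet mask; do
    [ -n "$cn" ] || continue
    is_network_address "$subnet" "$mask" ||
      { echo "bad subnet for $cn: $subnet/$mask" >&2; return 1; }
    printf 'route %s %s\n' "$subnet" "$mask"
    printf 'push "route %s %s"\n' "$subnet" "$mask"
  done
}

# Write one ccd file per site into dir (placeholder path; use whatever
# directory the server's client-config-dir line names).
write_ccd_dir() {
  mkdir -p "$1" || return 1
  printf '%s\n' "$SITES" | while read -r cn subnet mask; do
    [ -n "$cn" ] || continue
    ccd_entry "$cn" "$subnet" "$mask" > "$1/$cn" || return 1
  done
}

# Print the directives to append to the server configuration.
printf '%s\n' "$SITES" | server_routes
```

    Run it on a machine with the router's ccd directory mounted, or copy the printed route/push lines into the server's Custom Configuration; without the ccd iroute line the server has a kernel route but no idea which tunnel client should receive the traffic, which gives exactly the "Client3 reaches Router A but not B/C" symptom.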
     
  96. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Would you tell me how to get the "common name" string from existing keys?
    I do not remember which one I entered...
    Thanks.
     
  97. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    They show up in the server log when the client connects, or from a computer with openssl:
    Code:
    openssl verify certificatefile.crt
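    Both places SgtPepperKSU points at, worked through as an added example that is not part of the original post: OpenVPN prefixes its per-client server log messages with "CN/peer-ip:port" (the format visible in the logs posted earlier in this thread), and the certificate file carries the CN in its subject. The sample log lines are constructed from the ones posted above; the cert_cn helper needs the openssl binary and is not exercised by the parser run at the end.

```shell
#!/bin/sh
# Added example (not from the thread): recover OpenVPN client common names
#  1. from the server log, where per-client lines start "<CN>/<ip>:<port>";
#  2. from the certificate file with openssl x509 ("openssl verify" also echoes
#     the subject, but only as part of reporting its verification result).

# Constructed sample log, modelled on the server log lines posted in this thread.
sample_log() {
  cat <<'EOF'
Jul  9 17:36:41 ? daemon.notice openvpn[3977]: FREELANCER/58.41.87.39:65472 PUSH: Received control message: 'PUSH_REQUEST'
Jul  9 17:36:41 ? daemon.notice openvpn[3977]: FREELANCER/58.41.87.39:65472 SENT CONTROL [FREELANCER]: 'PUSH_REPLY,topology net30' (status=1)
Jul 15 16:14:21 home daemon.notice openvpn[11261]: h0m3.x-demon.org/192.168.1.6:52445 SENT CONTROL [h0m3.x-demon.org]: 'PUSH_REPLY,redirect-gateway def1'
Jul 15 16:14:22 home daemon.err openvpn[11261]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
EOF
}

# Read an OpenVPN server log on stdin; print "CN peer-ip" once per client.
# Lines without the CN/ip:port prefix (daemon-level errors) are skipped.
log_client_cns() {
  sed -n 's|^.*openvpn\[[0-9][0-9]*\]: \([^ /]*\)/\([0-9.]*\):[0-9][0-9]* .*$|\1 \2|p' \
    | LC_ALL=C sort -u
}

# Print the CN of a PEM certificate file, e.g.: cert_cn client.crt
# (requires the openssl binary; not run by the self-check below).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *CN=//p'
}

# Usage: list every client seen in the sample log.
sample_log | log_client_cns
```

    Pointing log_client_cns at the real log (for example the output of the router's logread) gives one line per client that has connected, which is also a cheap way to notice a common name you did not issue.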
     
  98. andlil

    andlil Addicted to LI Member

    Problem with pushing redirect gateway

    Hi!

    I have OpenVPN running on a server but I want it running on Tomato. Using all my certs etc. I configured OpenVPN on Tomato as follows:

    Router is 192.168.1.1 255.255.255.0

    Basic:
    Start with router: yes
    Interface: TAP
    Protocol: UDP
    Port: 443
    Firewall: Auto
    Auth: TLS
    Extra hmac: Disabled
    Client Address pool: DHCP

    Advanced:
    Direct clients to redirect: yes
    Respond to DNS: yes
    Advertise DNS: yes
    Encryption: Default
    Compression: Adaptive
    Manage client specific: no
    Custom config: <blank>

    My client config is this:
    Code:
    client
    dev tap
    proto udp
    remote xxxxx.ath.cx 443  
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca "D:\\Program\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    cert "D:\\Program\\OpenVPN\\easy-rsa\\keys\\bearmicro.crt" 
    key "D:\\Program\\OpenVPN\\easy-rsa\\keys\\bearmicro.key"  
    ns-cert-type server
    comp-lzo
    verb 3
    When I connect everything works fine, I can ping the router but the default gateway is not changed/redirected.

    Code:
    Fri Jul 17 10:34:32 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
    Fri Jul 17 10:34:32 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Fri Jul 17 10:34:32 2009 LZO compression initialized
    Fri Jul 17 10:34:32 2009 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Fri Jul 17 10:34:32 2009 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Fri Jul 17 10:34:32 2009 Local Options hash (VER=V4): 'd79ca330'
    Fri Jul 17 10:34:32 2009 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Fri Jul 17 10:34:32 2009 UDPv4 link local: [undef]
    Fri Jul 17 10:34:32 2009 UDPv4 link remote: 79.xxx.xxx.xxx:443
    Fri Jul 17 10:34:32 2009 TLS: Initial packet from 79.xxx.xxx.xxx:443, sid=f816bb70 ba03459e
    Fri Jul 17 10:34:35 2009 VERIFY OK: depth=1, /C=SE/ST=Skane/L=Helsingborg/O=Anders_Liljeberg/CN=wxserver/emailAddress=
    Fri Jul 17 10:34:35 2009 VERIFY OK: nsCertType=SERVER
    Fri Jul 17 10:34:35 2009 VERIFY OK: depth=0, /C=SE/ST=Skane/O=Anders_Liljeberg/CN=server/emailAddress=
    Fri Jul 17 10:34:36 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Jul 17 10:34:36 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Jul 17 10:34:36 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Jul 17 10:34:36 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Jul 17 10:34:36 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Fri Jul 17 10:34:36 2009 [server] Peer Connection Initiated with 79.xxx.xxx.xxx:443
    Fri Jul 17 10:34:37 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Fri Jul 17 10:34:37 2009 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN lan,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.1,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60'
    Fri Jul 17 10:34:37 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Jul 17 10:34:37 2009 OPTIONS IMPORT: route options modified
    Fri Jul 17 10:34:37 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Fri Jul 17 10:34:37 2009 RESOLVE: Cannot resolve host address: dhcp: [HOST_NOT_FOUND] The specified host is unknown.
    Fri Jul 17 10:34:37 2009 OpenVPN ROUTE: failed to parse/resolve default gateway: dhcp
    Fri Jul 17 10:34:37 2009 TAP-WIN32 device [NULL] opened: \\.\Global\{CBE86A95-CB99-4001-850F-42A06583849D}.tap
    Fri Jul 17 10:34:37 2009 TAP-Win32 Driver Version 8.4 
    Fri Jul 17 10:34:37 2009 TAP-Win32 MTU=1500
    Fri Jul 17 10:34:37 2009 Successful ARP Flush on interface [3] {CBE86A95-CB99-4001-850F-42A06583849D}
    Fri Jul 17 10:34:37 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Fri Jul 17 10:34:37 2009 Route: Waiting for TUN/TAP interface to come up...
    Fri Jul 17 10:34:38 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Fri Jul 17 10:34:38 2009 Route: Waiting for TUN/TAP interface to come up...
    Fri Jul 17 10:34:39 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Fri Jul 17 10:34:39 2009 Route: Waiting for TUN/TAP interface to come up...
    Fri Jul 17 10:34:40 2009 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
    Fri Jul 17 10:34:40 2009 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
    Fri Jul 17 10:34:40 2009 Initialization Sequence Completed
    Why, oh why, do I get both "route-gateway 192.168.1.1" and "route-gateway dhcp", the last one seems to break everything....

    Any help appreciated!


    //A

    Edit: Apparently if I change the Client address pool from DHCP to the standard 192.168.1.50-55, the push of the gateway works.
     
  99. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, you are using a very old OpenVPN client version that doesn't understand "route-gateway dhcp". But, as you already figured out, you can explicitly give the IP range and it won't send that particular directive.

    For moderately current clients, pushing the route-gateway twice doesn't cause a problem (and it fixed some problems), but I should probably clean things up. The reason I needed to do that in the first place might not even be there any more (the route-gateway dhcp directive first appeared pretty much when I started making this mod, and all the kinks may not have been worked out yet).
     
  100. andlil

    andlil Addicted to LI Member

    Thanks for your prompt answer, I upgraded my client (hey, presto, going to openvpn.net gives me a newer client with gui than openvpn.se where I used to go before :oops:)

    This has to be the best version of tomato there is, I was tempted to the dark side of dd-wrt but I have seen the light.

    //A
     
