
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I'm restarting all over again to generate a new set of keys.
    But I met some problems when I ran
    Code:
    C:\Program Files\OpenVPN\bin\openvpn --genkey --secret C:\Program Files\OpenVPN\easy-rsa\keys\ta.key
    it shows
    Code:
    Options error: unknown key direction 'files\openvpn\easy-rsa\keys\ta.key' -- must be
    '0' or '1'

    But I can get ta.key at c:\program files\openvpn\bin after I type C:\Program Files\OpenVPN\bin\openvpn --genkey --secret ta.key

    But with this key, I keep getting a TLS Auth error
    Code:
    daemon.err openvpn[648]: 61.173.xxx.xxx:1025 TLS Auth Error: --client-config-dir authentication failed for common name 'weiqinlu' file='ccd/weiqinlu'
    
    And I'm quite sure 'weiqinlu' is the exact common name.

    Thanks.
     
  2. occamsrazor

    occamsrazor Network Guru Member

    I've been away for a while and recently flashed my router to use Thor's All-in-One mod, which contains the OpenVPN with web GUI components. I haven't kept up with the recent changes I'm afraid, but wanted to check what scripts were still necessary if I'm using the "start with Router" function of the vpn server. Do I still need either of these manually entered in the scripts, or are they now redundant?

    (init script)
    Code:
    cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"
    
    (WAN UP script)
    Code:
    sleep 20
    service vpnserver1 start
    
     
  3. i1135t

    i1135t Network Guru Member

    Code:
    sleep 20
    service vpnserver1 start
    
    I don't think this is needed anymore if you have the checkbox, "Start with router" for VPNServer1 checked off as it does the same thing.
    Code:
    cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"
    
    You can keep this if you plan on having the router check itself every 30 minutes to see if VPNserver1 is running and start it if it's not.
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Since there is a space in that path, you have to put quotes around it. Otherwise, the shell passes it as two different arguments "C:\Program" and "Files\OpenVPN\easy-rsa\keys\ta.key".
    Then there is a problem with your certificates.

    Did you follow the openvpn how-to for generating the regular TLS certs/keys? Have you tried it without the "Extra HMAC authentication" (tls-auth)?
     
  5. dotnetguru

    dotnetguru Addicted to LI Member

    I am experiencing frequent disconnects in VPN client mode running the 1.25vpn3.3 firmware. The router is configured to connect to a VPN service provider. The VPN works for the first 5 minutes after boot and then disconnects. When it disconnects I see event_wait : Interrupted system call (code=4). Below is the log. Any idea what I am missing?

    I had dd-wrt on this router before and didn't have this issue.

    Thanks for your help

    Jul 13 19:36:13 AceVPN daemon.notice openvpn[508]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on May 31 2009
    Jul 13 19:36:13 AceVPN daemon.warn openvpn[508]: WARNING: file '/tmp/openvpn-client1-userpass.conf' is group or others accessible
    Jul 13 19:36:13 AceVPN daemon.warn openvpn[508]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 13 19:36:13 AceVPN daemon.notice openvpn[508]: LZO compression initialized
    Jul 13 19:36:13 AceVPN daemon.notice openvpn[508]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jul 13 19:36:13 AceVPN daemon.notice openvpn[508]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul 13 19:36:13 AceVPN daemon.notice openvpn[512]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jul 13 19:36:13 AceVPN daemon.notice openvpn[512]: UDPv4 link local: [undef]
    Jul 13 19:36:13 AceVPN daemon.notice openvpn[512]: UDPv4 link remote: 94.23.114.100:443
    Jul 13 19:36:14 AceVPN daemon.notice openvpn[512]: TLS: Initial packet from 94.23.114.100:443, sid=d785c39d ff1456b6
    Jul 13 19:36:16 AceVPN daemon.notice openvpn[512]: VERIFY OK: depth=1, /C=AV/ST=AceVPN.com/L=AceVPN.com/O=Ace_VPN/CN=acevpn-ca/Email=me@myhost.mydomain
    Jul 13 19:36:16 AceVPN daemon.notice openvpn[512]: VERIFY OK: nsCertType=SERVER
    Jul 13 19:36:16 AceVPN daemon.notice openvpn[512]: VERIFY OK: depth=0, /C=AV/ST=AceVPN.com/L=AceVPN.com/O=Ace_VPN/CN=acevpn-server/Email=me@myhost.mydomain
    Jul 13 19:36:17 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
    Jul 13 19:36:30 AceVPN daemon.notice openvpn[512]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul 13 19:36:30 AceVPN daemon.notice openvpn[512]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 13 19:36:30 AceVPN daemon.notice openvpn[512]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul 13 19:36:30 AceVPN daemon.notice openvpn[512]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 13 19:36:30 AceVPN daemon.notice openvpn[512]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Jul 13 19:36:30 AceVPN daemon.notice openvpn[512]: [acevpn-server] Peer Connection Initiated with 94.23.114.100:443
    Jul 13 19:36:31 AceVPN daemon.notice openvpn[512]: SENT CONTROL [acevpn-server]: 'PUSH_REQUEST' (status=1)
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 60,dhcp-option DNS 213.186.33.99,dhcp-option DNS 10.8.12.1 255.255.255.0,dhcp-option WINS 10.8.12.1,redirect-gateway def1,route 10.8.12.1,topology net30,pin
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: OPTIONS IMPORT: --ifconfig/up options modified
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: OPTIONS IMPORT: route options modified
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: TUN/TAP device tun11 opened
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: TUN/TAP TX queue length set to 100
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: /sbin/ifconfig tun11 10.8.12.50 pointopoint 10.8.12.49 mtu 1500
    Jul 13 19:36:32 AceVPN daemon.notice openvpn[512]: updown.sh tun11 1500 1542 10.8.12.50 10.8.12.49 init
    Jul 13 19:36:33 AceVPN daemon.info dnsmasq[116]: exiting on receipt of SIGTERM
    Jul 13 19:36:33 AceVPN daemon.info dnsmasq[543]: started, version 2.47 cachesize 150
    Jul 13 19:36:33 AceVPN daemon.info dnsmasq[543]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N no-TFTP
    Jul 13 19:36:33 AceVPN daemon.info dnsmasq[543]: DHCP, IP range 192.168.2.10 -- 192.168.2.20, lease time 1d
    Jul 13 19:36:33 AceVPN daemon.info dnsmasq[543]: reading /etc/resolv.dnsmasq
    Jul 13 19:36:33 AceVPN daemon.info dnsmasq[543]: using nameserver 10.8.12.1#53
    Jul 13 19:36:33 AceVPN daemon.info dnsmasq[543]: read /etc/hosts - 0 addresses
    Jul 13 19:36:33 AceVPN daemon.info dnsmasq[543]: read /etc/hosts.dnsmasq - 1 addresses
    Jul 13 19:36:33 AceVPN daemon.notice openvpn[512]: /sbin/route add -net 94.23.114.100 netmask 255.255.255.255 gw 192.168.100.1
    Jul 13 19:36:33 AceVPN daemon.notice openvpn[512]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.12.49
    Jul 13 19:36:33 AceVPN daemon.notice openvpn[512]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.12.49
    Jul 13 19:36:33 AceVPN daemon.notice openvpn[512]: /sbin/route add -net 10.8.12.1 netmask 255.255.255.255 gw 10.8.12.49
    Jul 13 19:36:33 AceVPN daemon.notice openvpn[512]: Initialization Sequence Completed
    Jul 13 19:36:35 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
    Jul 13 19:36:40 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
    Jul 13 19:36:43 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
    Jul 13 19:36:46 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
    Jul 13 19:36:48 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
    Jul 13 19:36:50 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
    Jul 13 19:36:52 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
    Jul 13 19:36:53 AceVPN daemon.err openvpn[512]: event_wait : Interrupted system call (code=4)
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The event_wait is not an error, it is just you refreshing the status in the web GUI. There is nothing to indicate a problem (or that you disconnected) in this log. In what way did you come to that conclusion?
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    At a second glance, I think it is probably more likely that you selected "Allow Only These Clients", but didn't put that Common Name in the table. Please double check this.
     
  8. dotnetguru

    dotnetguru Addicted to LI Member

    Thanks for the quick reply. The external IP reverts back to my ISP IP instead of the VPN provider's. If I hit the "Start" button again it works for 5 mins and then disconnects. I am confused.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think there is any disconnecting going on; your traffic just isn't being routed over the tunnel anymore. If you reload the web GUI VPN page while it isn't working, does the button say "Stop Now" or "Start Now"?

    Please post your routing table (Advanced->Routing) both while it is working and after it stops working.
     
  10. humba

    humba Network Guru Member

    To get back to this... how do you suggest getting such a script in there? Don't you bring up the tun/tap interface only when you're about to create a connection? Thus trying to mess with it at that point would be cause for disaster (trying to take the interface down when there's activity fails for starters.. plus it would kill the openvpn session)

    How about an option to bind the vpn client/server to a vlan id that can be specified in the gui?
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't have any idea. I know nothing about VLANs.
    As I said before, I'd be happy to add VLAN-related GUI options as soon as VLANs are configurable via the GUI.
     
  12. i1135t

    i1135t Network Guru Member

    SgtPepper, is there a way for dnsmasq, or whatever process, to "share" the DNS port with a VPNserver? I get this error when I try to use port 53 (UDP & TCP) for one of the VPN servers.
    Code:
    Jul 20 14:25:48 tomato daemon.err openvpn[1564]: TCP/UDP: Socket bind failed on local address [undef]:53: Address already in use
    Jul 20 14:25:48 tomato daemon.notice openvpn[1564]: Exiting
    Jul 20 14:25:48 tomato user.info init[1]: VPN_LOG_ERROR: 719: Starting VPN instance failed...
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Take a look at the "port-share" directive. It was designed to share a port with an HTTPS server, but they indicate it could work with others as well.
    Code:
    port-share localhost 5353
    However, as you can tell, this would mean running your DNS server on port 5353. To do this, add the following to the dnsmasq custom configuration:
    Code:
    port=5353
    Then, as long as the VPN server is running, both DNS clients and VPN clients can connect to port 53.

    Having both actually attached to the same port is not possible.
     
  14. occamsrazor

    occamsrazor Network Guru Member


    There's a "port-share" command in OpenVPN 2.1, but I don't know if it'll work with DNS port 53:

    "--port-share host port
    When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. "

    http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html

    Can I ask what you're trying to do? I'm assuming the purpose is to allow VPN tunnels over very restrictive networks that block other ports. If so I've been interested in this for some time and would love to hear if you get it working.
    There are also some other efforts to tunnel traffic directly over the DNS and/or ICMP protocols, which has the benefit of working even if the network intercepts DNS and directs it to its own DNS server (from what I understand), though these options look too complicated for me.

    http://thomer.com/howtos/nstx.html
    http://thomer.com/icmptx/
    http://www.cs.uit.no/~daniels/PingTunnel/
     
  15. i1135t

    i1135t Network Guru Member

    When I added "port=5353" to my dnsmasq config, I lost all DNS resolving, so I don't know if that will work. So I removed it, then I tried adding "port-share localhost 5353" to my VPN custom config and I get this error:
    Code:
    Jul 20 17:32:00 tomato daemon.err openvpn[537]: Options error: --port-share only works in TCP server mode (--proto tcp-server)
    Jul 20 17:32:00 tomato daemon.warn openvpn[537]: Use --help for more information.
    Jul 20 17:32:00 tomato user.info init[1]: VPN_LOG_ERROR: 719: Starting VPN instance failed...
    
    It seems it won't work with udp packets.

    What I was trying to do was configure one of my VPN servers to use port 53 udp. So when I am at a hotspot that hosts a DNS server that allows forwarding DNS request to other DNS servers, I could essentially use my home VPN server to proxy my data without having to subscribe/authenticate to the service. I was just testing to see if it was possible. I was reading about the ICMPTX and NSTX stuff and came across this, but I cannot get it to set up properly because of this issue. :(
     
  16. dotnetguru

    dotnetguru Addicted to LI Member

    Strangely, it's not disconnecting today. Don't know why it was doing that the last few days.

    One more question: is it possible to route only certain devices through the VPN, say by MAC address or IP?

    Thanks SgtPepperKSU for all your help.
     
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It may be possible using some iptables trickery with the ROUTE target, but I haven't tried anything like that. If you want to be a guinea pig, start a new thread and we'll see if we can figure something out. :smile:
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yeah, like I said before, the VPN server would have to be running (with a working port-share) for the DNS server to be reachable on port 53.
    Bummer.
    You could still have your VPN server listen on a different port, but port forward external port 53 to it.

    Set the VPN "Firewall" setting (Basic Tab) to custom, and add the following to your firewall script:
    Code:
    iptables -t nat -I PREROUTING -p `nvram get vpn_server1_proto` -i `nvram get wan_ifname` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`:`nvram get vpn_server1_port`
    iptables -I INPUT -p udp --dport `nvram get vpn_server1_port` -j ACCEPT
    iptables -I INPUT -i `nvram get vpn_server1_if`21 -j ACCEPT
    iptables -I FORWARD -i `nvram get vpn_server1_if`21 -j ACCEPT
    
    Note that I haven't tested this at all, but it should work okay (unless there is a typo, etc).
     
  19. DeathWolf

    DeathWolf Network Guru Member

    Is there any way with this firmware to easily add routing of only specific destinations/sources through the vpn?
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Destinations - absolutely. Just add "route example.com" in your client configuration.
    Sources - See two posts above yours. It may be possible, but it'll take a little experimentation.
     
  21. Noodle

    Noodle Addicted to LI Member

    Sorry if this question has been answered already, but I cannot find it anywhere.

    I just switched from dd-wrt to tomato with openvpn. It works fine except openvpn.
    The problem is:
    If I use "Route" mode (TUN), from the remote client I can ping the router (both the VPN subnet address and the LAN address), but nothing else inside the LAN. From both the router and a workstation inside the LAN, I can ping the remote client. I checked the route table on the remote client and it looks fine; I also made sure it's not a firewall issue. (Remote client running Windows 7)
    If I use "Bridge" mode (TAP), everything works fine.

    So it looks like the router is not forwarding requests from the VPN subnet to the LAN subnet? What else can I do to make TUN work?

    Thanks a lot

    Noodle
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For TUN, you must have two different subnets on each LAN (and both distinct from the VPN subnet). Is that the case in your setup?

    Could you post the routing table for the client and the router?
     
  23. Noodle

    Noodle Addicted to LI Member

    Yes, I have different subnets for the LAN and the remote workstation. I'm not able to post the routing table now, but I can describe the setting:
    LAN subnet: 192.168.193.0/255.255.255.0
    VPN subnet: 192.168.195.0/255.255.255.0
    My workstation is in: 172.16.2.0/255.255.0.0
    The workstation gets address 192.168.195.2; the gateway for 192.168.193.0/255.255.255.0 has been set to 192.168.195.1.
    The workstation was able to ping 192.168.195.2, 192.168.195.1 and 192.168.193.1, but cannot ping 192.168.193.5.
    I can ping 192.168.195.2 from both 192.168.193.1 and 192.168.193.5.
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I suspect that what is happening is that your (Windows? Vista?) client is sending packets over the tunnel as if they are coming from its LAN IP instead of its VPN IP. When this happens the router doesn't know how to route the return traffic (as far as it knows, the only address across the tunnel is the VPN IP).

    If this is the case, this Windows bug can be worked around by adding an entry in the "Client-specific options" table (Advanced tab) with the client's subnet info. The router will then know that subnet exists across the tunnel to that client and will route the proper traffic across it.

    This has been seen by several people with their Windows (I want to say it's been all Vista, but I'm not sure about that) clients, and the above fixed it for them.
     
  25. Noodle

    Noodle Addicted to LI Member

    Thanks for your response. It turns out that "Quick and dirty VPN server HOWTO!!" misled me. After I removed "topology subnet" and "push redirect-gateway", it works fine now. Especially "topology subnet": I don't know what it does yet, but it caused my issue.

    Thanks again.

    Noodle
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting. I wonder if the other folks that had this problem also had "topology subnet" in the custom configuration and just didn't share that fact.

    For most people, there should be no need to have anything in the Custom Configuration section at all. Some of the items that Delta221 has in there are/were already generated by the GUI, others have since become configurable via the GUI (since not everyone will want them), others are not needed, and yet others don't do anything at all.

    The easiest way to get going with a basic configuration is just to create your certificates using the how-to on the OpenVPN site, copy them to the web GUI, and start it up.
     
  27. Noodle

    Noodle Addicted to LI Member

    Without any custom configuration, it will not work, because of the gateway. I had to put two lines into the custom configuration:
    route-gateway 192.168.195.1
    push "dhcp-option DNS 192.168.195.1"
    Because my remote client gets IP address 192.168.195.6 and sets the gateway and DNS to 192.168.195.5. I checked the network, and there is no 192.168.195.5 at all. I don't know where this 192.168.195.5 comes from. So by adding these two lines, I get it to set the gateway and DNS to 192.168.195.1, which made it work.

    And the interesting part is: even after I add these two lines, "route print" still shows the gateway is 192.168.195.5, and it works. Don't know why?

    route print contains:
    192.168.193.0 255.255.255.0 192.168.195.5 192.168.195.6 30
    192.168.195.1 255.255.255.255 192.168.195.5 192.168.195.6 30

    But tracert 192.168.193.5 gives me:
    Tracing route to 192.168.193.5 over a maximum of 30 hops

    1 23 ms 27 ms 33 ms 192.168.195.1
    2 22 ms 23 ms 22 ms 192.168.193.5
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There are DNS options in the Advanced tab of the GUI. You should not need those lines in Custom Configuration. If it doesn't, please post the routing tables without those lines.
    That's just the way OpenVPN works (by default), and it is not a problem. Each client has a tunnel on its own /30 subnet and the OpenVPN server has an IP on each (the server's IP on that client's subnet is 192.168.193.5 here).
     
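As an added worked example (not from the thread or from Tomato's own code), the net30 arithmetic behind the addresses Noodle saw: with `topology net30`, OpenVPN's `--server` helper keeps the first /30 of the VPN subnet for its own tun endpoint and hands each client the next /30, so a client at 192.168.195.6 has 192.168.195.5 as its server-side peer. The `route print` row format is assumed to be Windows' destination/netmask/gateway/interface/metric.

```python
"""Work out OpenVPN 'topology net30' addressing for a VPN subnet (added example)."""
import ipaddress


def net30_blocks(vpn_subnet):
    """Yield (block, low_host, high_host) for every /30 carved out of vpn_subnet.

    Under topology net30 the --server helper uses the first /30 for the
    server's own tun endpoint (low = server, high = its point-to-point
    remote) and assigns clients the following /30s in order
    (low = server-side peer, high = the client's address).
    """
    net = ipaddress.ip_network(vpn_subnet, strict=True)
    for block in net.subnets(new_prefix=30):
        low, high = block.hosts()  # a /30 has exactly two usable hosts
        yield block, low, high


def client_endpoints(vpn_subnet, client_ip):
    """Return (server_side_peer, client_ip, block) as strings for a client address.

    Raises ValueError if the address is outside the subnet or is not the
    client slot of its /30 (for example an address in the server's own block).
    """
    ip = ipaddress.ip_address(client_ip)
    for index, (block, low, high) in enumerate(net30_blocks(vpn_subnet)):
        if ip not in block:
            continue
        if index == 0 or ip != high:
            raise ValueError(f"{ip} is not a client address under net30 (block {block})")
        return str(low), str(high), str(block)
    raise ValueError(f"{ip} is not inside {vpn_subnet}")


def check_route_gateway(vpn_subnet, route_line):
    """Check one 'route print' row: destination netmask gateway interface metric.

    Returns True when the gateway is the server-side peer of the /30 that the
    interface address belongs to; that is what a working net30 client shows,
    even though that peer address is never reachable on its own.
    """
    _dest, _mask, gateway, interface, _metric = route_line.split()
    server_peer, _client, _block = client_endpoints(vpn_subnet, interface)
    return gateway == server_peer


if __name__ == "__main__":
    # Values from Noodle's posts: VPN subnet 192.168.195.0/24, client got .6
    print(client_endpoints("192.168.195.0/24", "192.168.195.6"))
    print(check_route_gateway("192.168.195.0/24",
                              "192.168.193.0 255.255.255.0 192.168.195.5 192.168.195.6 30"))
```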
  29. Noodle

    Noodle Addicted to LI Member

    Yes, you are right, I don't need to specify anything in the custom configuration part. I only need to check "Respond to DNS" and "Advertise DNS to clients" in the "Advanced" tab.
     
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad you got it working!
     
  31. i1135t

    i1135t Network Guru Member

    Thanks but I don't think this will work. I have tried numerous changes on the firewall settings, iptables, config changes and still no luck. I will have to research a little more before attempting again. :(
     
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It certainly should work. All we're doing is a simple port forward (that's the first line; the last three lines are just what the GUI would generate to open the actual tunnel if the firewall setting were "Automatic").

    Could you add the iptables entries (either through the shell, or via the script+reboot), and run the following from the ssh/telnet shell?
    Code:
    service firewall restart
    <attempt to connect to VPN server from WAN>
    iptables -t nat -vL
    
    If you're wanting to contact the VPN server from the LAN on port 53 (as opposed to the VPN GUI configured port), you'll need to change "-i `nvram get wan_ifname`" to "-d `nvram get wan_ipaddr`", though. The first solution I provided would have you connecting to port 1194(or whatever you have configured in the GUI) from the LAN and port 53 from the WAN.
     
  33. i1135t

    i1135t Network Guru Member

    Ok, here it is:
    Code:
    root@tomato:/tmp/home/root# iptables -t nat -vL
    Chain PREROUTING (policy ACCEPT 712 packets, 86334 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       udp  --  vlan1  any     anywhere             anywhere            udp dpt:domain to:10.1.1.1:443 
       30  1440 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https 
        0     0 DROP       0    --  vlan1  any     anywhere             10.1.1.0/24         
        0     0 DNAT       udp  --  any    any     10.1.1.0/24         !10.1.1.0/24         udp dpt:domain to:10.1.1.1 
        0     0 DNAT       icmp --  any    any     anywhere             mywanip to:10.1.1.1 
       23  1132 DNAT       tcp  --  any    any     anywhere             mywanip tcp dpt:30000 to:10.1.1.2 
        0     0 DNAT       tcp  --  any    any     anywhere             mywanip tcp dpt:33333 to:10.1.1.2 
        0     0 DNAT       tcp  --  any    any     anywhere             mywanip tcp dpts:28000:28100 to:10.1.1.2 
        0     0 DNAT       tcp  --  any    any     anywhere             mywanip tcp dpt:30001 to:10.1.1.3 
        0     0 DNAT       tcp  --  any    any     anywhere             mywanip tcp dpt:30002 to:10.1.1.7 
      308 40808 upnp       0    --  any    any     anywhere             mywanip
    
    Chain POSTROUTING (policy ACCEPT 326 packets, 40648 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 SNAT       tcp  --  any    any     10.1.1.0/24          AMDxp.home.lan      tcp dpt:30000 to:mywanip
        0     0 SNAT       tcp  --  any    any     10.1.1.0/24          AMDxp.home.lan      tcp dpt:33333 to:mywanip
        0     0 SNAT       tcp  --  any    any     10.1.1.0/24          AMDxp.home.lan      tcp dpts:28000:28100 to:mywanip
        0     0 SNAT       tcp  --  any    any     10.1.1.0/24          Yangz7.home.lan     tcp dpt:30001 to:mywanip
        0     0 SNAT       tcp  --  any    any     10.1.1.0/24          YangzUbuntu.home.lan tcp dpt:30002 to:mywanip
      729 76349 MASQUERADE  0    --  any    vlan1   anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT 44 packets, 3297 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:3658 to:10.1.1.5:3658 
        0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:30000 to:10.1.1.2:30000 
      301 38979 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:30000 to:10.1.1.2:30000 
    
    If I am reading it correctly, your first iptables line is forwarding all DNS 53 UDP traffic to my router IP at 443? What will happen to my legitimate DNS requests?

    What I was trying to do was OpenVPN through port 53 UDP, but after thinking about it, I can't do it with just having that as the only open resource if all other ports/authentication were unavailable. I was testing it here at work, since we have a Cisco VLAN available for guests who want to be able to access the internet after authenticating, but still be off our "internal" network. I could do nslookup fine, so I was figuring it might be possible to forward my OpenVPN requests through that port, but I don't think that will work, since the DNS may not know how to forward the request other than DNS-specific packets.
     
  34. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The iptables output you provided indicates that there was no request for UDP port 53 from the WAN. Are you sure that's what you were trying?
    It redirects all UDP port 53 traffic coming from the WAN. Your normal DNS requests will be coming from the LAN.
    I'm not sure I followed all of that, but here is what the iptables rules I provided attempt to do: When accessed from the WAN, UDP port 53 is OpenVPN, not DNS; when accessed from the LAN, UDP port 53 is DNS, not OpenVPN. Is this what you're going for?

    Having two processes on the same port on the same interface is not possible (without the port-share feature, which only works for TCP).
     
  35. i1135t

    i1135t Network Guru Member

    What I was trying to do was to see if OpenVPN could bypass the "Hotspot" authentication by tunneling through port 53 UDP. I guess it's possible, but I guess I don't really understand the concept of how some people are using that port with OpenVPN to bypass hotspots that allow DNS forwarding without having to authenticate. Again, this is purely for testing, so I hope that no one will think of this as something illegal, which it could be construed as.

    Look at this code:
    Code:
        0     0 DNAT       udp  --  vlan1  any     anywhere             anywhere            udp dpt:domain to:10.1.1.1:443
    What does the "domain to" field mean? And why is it forwarding to 443 on my router IP? Shouldn't it be forwarding to my TUN VPN Server1 IP? The IP 10.1.1.1 is not my TUN adapter.
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    My guess is that those hotspots allow unrestricted access to any server for UDP port 53 (their authentication scheme probably requires some DNS requests to work before actually authenticating). If you have your OpenVPN server on that port, then they'll let it through (thinking that it is DNS traffic) and you'll be able to use it without the hotspot's "authentication".
    It's not "domain to". The dpt field is the destination port. The value for that field is "domain" (ie, DNS, 53). The "to" field is what the traffic is being redirected to. That should be your router's LAN address and OpenVPN port. By default, OpenVPN binds to all interfaces, so there is no reason to use the TUN interface (though, I suppose that might work, too).

    The iptables output you provided before shows no attempts to connect to UDP port 53 from the WAN. Did you try to make such a connection?

    It's not my place to judge :wink: You asked a perfectly valid technical question (how to have OpenVPN listen on a WAN port already in use on the LAN, ie 53), and I'm just trying to help with an answer.
     
  37. i1135t

    i1135t Network Guru Member

    Yes, I did make a connection using port 443 UDP, which I assume was to be kept the same? I connected after issuing "service firewall restart" within ssh. Let me try again and repost.

    -- EDIT --

    OK, something is probably wrong, the packet count increased minimally (from 0 to 3), as well as bytes, while I was browsing the web through numerous sites on the connection. I can verify that it's tunneling properly because I am not getting DNS blocks, which would be if I was going outbound through the other gateway. Hmm...
     
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, to test this you need to be making a connection from the WAN on UDP port 53. Connecting from the LAN on UDP port 443 should also work, but it does nothing to test the redirection.
     
  39. i1135t

    i1135t Network Guru Member

    Ok, I cannot connect through port 53 UDP... this is all I get:
    Code:
    Wed Jul 22 16:27:21 2009 OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008
    Wed Jul 22 16:27:21 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Jul 22 16:27:24 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Jul 22 16:27:25 2009 Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Wed Jul 22 16:27:25 2009 LZO compression initialized
    Wed Jul 22 16:27:25 2009 UDPv4 link local: [undef]
    Wed Jul 22 16:27:25 2009 UDPv4 link remote: 68.x.x.x:53
    Wed Jul 22 16:28:25 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Jul 22 16:28:25 2009 TLS Error: TLS handshake failed
    Wed Jul 22 16:28:25 2009 SIGUSR1[soft,tls-error] received, process restarting
    Wed Jul 22 16:28:27 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Jul 22 16:28:27 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Jul 22 16:28:27 2009 Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Wed Jul 22 16:28:27 2009 LZO compression initialized
    Wed Jul 22 16:28:27 2009 UDPv4 link local: [undef]
    Wed Jul 22 16:28:27 2009 UDPv4 link remote: 68.x.x.x:53
    Wed Jul 22 16:29:27 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Jul 22 16:29:27 2009 TLS Error: TLS handshake failed
    Wed Jul 22 16:29:27 2009 SIGUSR1[soft,tls-error] received, process restarting
    Wed Jul 22 16:29:29 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Jul 22 16:29:29 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Jul 22 16:29:29 2009 Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Wed Jul 22 16:29:29 2009 LZO compression initialized
    Wed Jul 22 16:29:29 2009 UDPv4 link local: [undef]
    Wed Jul 22 16:29:29 2009 UDPv4 link remote: 68.x.x.x:53
    Wed Jul 22 16:30:29 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Jul 22 16:30:29 2009 TLS Error: TLS handshake failed
    Wed Jul 22 16:30:29 2009 SIGUSR1[soft,tls-error] received, process restarting
    Wed Jul 22 16:30:31 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Jul 22 16:30:31 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Jul 22 16:30:31 2009 Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Wed Jul 22 16:30:31 2009 LZO compression initialized
    Wed Jul 22 16:30:31 2009 UDPv4 link local: [undef]
    Wed Jul 22 16:30:31 2009 UDPv4 link remote: 68.x.x.x:53
    Wed Jul 22 16:30:52 2009 SIGTERM[hard,] received, process exiting
    
    So I guess it doesn't work... it could be that my workplace firewall filters out irrelevant outbound data on that port, but I can't confirm.
     
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can confirm with the iptables output I had you get before. It will show if there was any attempt at port 53 UDP traffic from the WAN.
     
  41. i1135t

    i1135t Network Guru Member

    I looked at the packet count and it was showing little or no increase for the PREROUTING chain that we DNATted... is that the one you were talking about?
     
  42. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, if the pkts column for the first DNAT line in PREROUTING (the one we added) did not increase then the requests are not reaching the router at all. Either where you are trying to connect from or your ISP is blocking or redirecting the requests.

    It might still work from the hotspots you are referring to, but it is not directly testable from your current location.

    If it is the connection where you are attempting to connect from that is the problem and they only mess with port 53, you could try using a completely different port (just change the 53 in the iptables rule I gave you). That way you could test if the router is set up correctly. Then you could change it back to 53 and be pretty confident that everything is set up to work (but if the hotspot or your router ISP mess with port 53, you'd still be SOL).
     
  43. i1135t

    i1135t Network Guru Member

    OK, looks like it's not our firewall at work. I changed the --dport to 80 on my script, rebooted, and changed my config, and it still won't connect. I know that port is not blocked. Any thoughts?
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    And is the first line of the iptables output increasing when you try to connect?

    My suggestion would be to find a port that works from your work without the iptables commands I gave and with the VPN firewall setting to "Automatic". Then we can rule out any outside firewalls.
     
  45. i1135t

    i1135t Network Guru Member

    OK, well I verified that port 80 UDP is not firewalled at work. I disabled the iptables rules, reset my VPN to 80 UDP with firewall to "auto" and tested connection and it worked fine.

    I re-enabled everything and re-tested and still cannot connect through that same port. I did notice that I was getting one packet increase per one retry of the VPN connection for the PREROUTING chain that we set up. So it looks like it is hitting that chain, just not doing anything else after that....
     
  46. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, good. Then we at least have a place to start now. At least if you mean that the rule we added to the PREROUTING chain is incrementing each time.

    <I find time to go try this myself here>

    I'm not so sure this is possible anymore. Using the rules I originally posted, everything forwarded correctly and VPN connections were correctly initiated. However, the TLS negotiation failed to take place. I suspect the conversation must be something like
    1. Client contacts Server on port X
    2. Router forwards port X to port Y (where the VPN server is listening)
    3. Server responds with "Let's perform TLS negotiation on port Y"
    4. Client attempts to use port Y
    5. Router doesn't know to allow port Y traffic through, so connection times out
    In short, the OpenVPN communication must include port information that overrides what port was initially used to initiate the connection.

    This being the case, I would say that it is not possible to have OpenVPN listen on different ports on LAN vs WAN. Thus, it is not possible to have OpenVPN listen on the DNS port on the WAN while not listening on the DNS port on the LAN (since you want the DNS server there).

    The only option left would be to have your LAN DNS communication occur on a different port (and have the OpenVPN server on port 53 on both interfaces). I don't know how, or even if, it is possible to configure this in different operating systems.
     
  47. i1135t

    i1135t Network Guru Member

    Well, I appreciate you trying to help. It was a nice idea and a nice attempt. If I have time in the future, I will play around with it a bit more and see if I could get it to work. Thanks anyways...
     
  48. Andy22

    Andy22 Addicted to LI Member

    tls-cipher DHE-RSA-AES256-SHA

    My VPN provider has the line "tls-cipher DHE-RSA-AES256-SHA" in the config file I got, but it's not supported by TomatoVPN.

    Can I simply use another of the listed ciphers, or do I need to look for a version that supports those tls-ciphers? If so, any advice?
    I'm running a WRT54GL with the latest TomatoVPN.

    thx for any advice.
     
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The server is likely configured with a list of allowable TLS ciphers. The server and client then negotiate on what cipher they will use. Have you tried to connect without specifying a tls-cipher directive in the Custom Configuration box?

    If that doesn't work, then your server has limited things to only TLS ciphers that this firmware doesn't currently support.

    I don't have a lot of knowledge of the different ciphers themselves. If fyellin reads this message, maybe he could comment on how hard it would be to enable AES TLS ciphers (he backported AES as a regular cipher for us, and reimplemented it in assembly for performance boosts).
     
  50. Andy22

    Andy22 Addicted to LI Member

    Thx for the reply, I'm trying to get this running now for 3 days without any luck :(
    Yes, I already tried leaving the line out and using one of the supported ciphers shown via "openvpn --show-tls"; none of them work.


    Main problem: every single WRT54GL 1.1 compatible VPN firmware I try has something missing that I need to connect to my VPN provider.

    Here are the devil lines of hell that drive me crazy:

    auth RSA-RIPEMD160
    cipher AES-256-CBC
    tls-cipher DHE-RSA-AES256-SHA
    ns-cert-type server

    Keys/Certs I need to be able to copy/upload/install:
    tls-auth ta.key 1
    ca ca.crt
    cert mycert.crt
    key mykey.key

    My finding so far:

    DD-WRT (dd-wrt.v24_vpn_generic.bin):
    Doesn't support "RSA-RIPEMD160", and only supports 3 out of the 4 certs I need to add.

    TomatoVPN (Tomato_RAF_1.25.8515 ND .7_snmp_vpn_v6.trx and normal 1.25vpn3.3):
    Doesn't support "DHE-RSA-AES256-SHA", and is also missing a cert.

    OpenWRT (vpn build):
    Doesn't support "DHE-RSA-AES256-SHA" or "RSA-RIPEMD160" (can't remember which), and is also the hardest to set up if you aren't a Linux guru.


    Extra notes:

    ALL VPN builds use an OpenVPN version that allows autologin via "auth-user-pass filename", but none of them allow an easy configuration via the web interface. So I always have to enable JFFS, copy the keys/login file to the router via SCP and try to tinker with the openvpn config script manually.
    It would be MUCH more user friendly to add a login/pw field and create an autologin file automatically.

    Only Tomato has a nice and easy way to directly add additional parameters that combine with the parameters the web interface knows about.

    So if anyone knows a way to get this running or knows a firmware version that supports all the ciphers/auth methods, pls help.

    PS: I already asked my VPN provider if they could change one or two of the unsupported ciphers/auth methods, but they would have to set this up specially for me and it costs quite some extra bucks.

    So plz can some1 help me?
     
  51. rhester72

    rhester72 Network Guru Member

    My recommendation would be to have your VPN endpoint on a machine instead of the router, which should give you all the flexibility you need.

    Rodney
     
  52. Andy22

    Andy22 Addicted to LI Member

    I started this already while I'm waiting for the various WRT router help threads to get a reply.

    But um yeah... again more problems than "flexibility". I had an HP thin client T5520 lying around and grabbed a D-Link USB network adapter DIR-100. So I have an 800MHz VIA Eden CPU, 128MB RAM and 64MB flash.

    I already got a flash stick booting correctly using Ploplinux and I can dd using:
    "dd if=filename of=/dev/hda"

    But I really want a user-friendly web interface in the end, and I am also looking for a ready-to-install/copy image that gives me some out-of-the-box experience.

    I checked all the existing Linux "router/firewall" distros and am trying to get the better-looking ones to install and boot, but I get more and more frustrated atm.

    I tried OpenWrt x86, DD-WRT x86, pfSense, eBox, m0n0wall and some others.
    Only m0n0wall was able to boot and got me to the setup screen, but it doesn't seem to support the USB D-Link adapter, or even the built-in VIA Rhine II.

    All other distros that I copy directly to the flash via dd simply stop at
    "Grub, loading please wait"...

    Any help would be welcome; mainly I want a Tomato-like distro that supports OpenVPN. I don't need any advanced features, just a simple router + OpenVPN and a web interface that is understandable.
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You're quite correct about DHE-RSA-AES256-SHA.

    But, all of those keys/certs are supported via the GUI. Just select "TLS" from the "Authorization Mode" dropdown and "Outgoing (1)" from the "Extra HMAC authorization (tls-auth)" dropdown. The "Keys" tab will then have four boxes to input keys/certs (in the same order you have listed, even).

    Like I said before, fyellin already added AES support to TomatoVPN's OpenSSL. It may be possible to make use of that for TLS ciphers as well, rather than just the normal cipher as it is today. I'll look into it.
     
  54. fyellin

    fyellin LI Guru Member

    I'm not sure what you mean by "also missing a cert".

    You are right about Tomato not currently having DHE-RSA-AES256-SHA. This is a part of the code I'm not completely familiar with. Tomato certainly has each of the pieces. I'm just not completely sure how to fit the pieces together.

    I suspect that involves adding a copy of lines to openssl/ssl/s3_lib.c, and perhaps some hacking elsewhere to make sure all the pieces are right. Unfortunately, I wouldn't have any way of knowing whether the code was right or not.
     
  55. Andy22

    Andy22 Addicted to LI Member

    The missing cert was wrong; the other firmwares don't have TLS cipher support and are missing this field in the config.

    I'm also happy to do the testing if it somehow compiles and looks OK.
     
  56. df9517

    df9517 Addicted to LI Member

    Hello all.

    I live in China and need a vpn: I would like my tomatovpn to be constantly connected to the vpn for all internet traffic.

    I have signed up to a standard VPN connection at anonine.se and the VPN setup for a VPN client in XP was all standard, I didn't even have to change a single setting. Therefore I assume that TomatoVPN (on a Buffalo WHR-HP-G54) will work perfectly.

    So my question is: is there any simple how-to guide on how to configure TomatoVPN as a standard PPTP VPN client with login? I have googled around and finally I found this huge thread.

    Thanks in advance.
     
  57. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    TomatoVPN doesn't work as a PPTP client: only OpenVPN for the time-being.
     
  58. df9517

    df9517 Addicted to LI Member

    OK got it. Thanks for quick reply.
     
  59. occamsrazor

    occamsrazor Network Guru Member

  60. Bukkit

    Bukkit Addicted to LI Member

    port-share

    Hi openvpn-fans,

    Has anyone successfully used the port-share option from OpenVPN on the TomatoVPN router?

    I want to reach OpenVPN and the Tomato web GUI at port 445.
     
  61. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, port-share seems to work just fine.

    If I remember right, just
    1. set the VPN server to port 445
    2. Set the web gui admin access to https internal on a different port (no external access)
    3. add "port-share localhost <admin port>" to the VPN server custom config
     
  62. swae

    swae Guest

    Keep Losing VPN Connection

    Router: Linksys WRT54GL v:1.1
    Firmware: tomatovpn-1.25vpn3.3

    Problem:

    Using a Linksys router with TomatoVPN, but my connection keeps dropping at random times. I have one VoIP adapter connected to it.

    Here is my sys log:
    Any help with resolving this issue will be appreciated...
     
  63. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    My guess? You have "user nobody" and/or "group nobody" in your custom config, but your "auth-user-pass" file is not readable by "nobody". When you use that directive, the file is re-read every time TLS is renegotiated (every hour by default). Try removing the user and group lines.
     
  64. dotnetguru

    dotnetguru Addicted to LI Member

    I have seen this error quite a few times. I don't have the nobody user or group in the config. My provider uses username and password, and in the custom configuration I have
    Code:
    auth-user-pass /tmp/client1-pass.conf
    script-security 3
    
    and in the init script I create /tmp/client1-pass.conf. It works for a few minutes and then openvpn exits with the error

    Code:
    Jul 28 19:46:03 unknown daemon.err openvpn[118]: ERROR: could not read Auth username from stdin
    Jul 28 19:46:03 unknown daemon.notice openvpn[118]: Exiting
    
    Any ideas?
     
  65. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm afraid not. The user/pass file was obviously read correctly the first time, but fails upon TLS renegotiation. The only reason I could think of for this was if permissions had changed. Since that isn't the case, I don't know what could be wrong.

    My suggestion would be to get on the #openvpn IRC channel (on irc.freenode.net) and ask for help. Be sure to post back what you find out (especially if there's something I need to change in the firmware).
     
  66. dotnetguru

    dotnetguru Addicted to LI Member

    I tried on the IRC channel and didn't get a single reply. I tried the same config on dd-wrt router and it works fine but I like your build better. I really wish this could be fixed.
    Thanks for your help.
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That sucks. I've sometimes had to wait a while and ask again, but I've always gotten a response.
    You used the exact same config as what is at /etc/openvpn/client1/config.ovpn? What version of OpenVPN do they use?
    I'd be glad to if we can figure out what is wrong.
     
  68. fyellin

    fyellin LI Guru Member

    I was just looking at the source code in openvpn/misc.c, and this certainly is a mystery. Particularly if the tunnel is working for a while and then stops working. According to the code and the documentation:

    1) The username and password are only read once and cached, unless flags are added specifically saying not to cache them. So even if they did change user and group to "nobody", it should work anyway.

    2) I'm surprised by the error message "Could not read ... from stdin". There seems no obvious reason for the code to read the username from a file the first time, and from stdin later. If the file got deleted or were unreadable, you'd have a different error message.

    Is there anything else in the logs regarding OpenVPN that looks the least bit suspicious? How long does it take before it fails? You're positive it's running just fine before the failure?
     
  69. dotnetguru

    dotnetguru Addicted to LI Member

    I had auth-nocache in the config. I took it out and am trying it again. It passed one TLS renegotiation. Yes, I am positive it's running before the failure.

    Edit: Passed 2nd TLS negotiation.
     
  70. dotnetguru

    dotnetguru Addicted to LI Member

    I used the configuration I have on the Tomato router except auth-nocache. It sounds like this line could be the culprit. I am using dd-wrt v24 sp1. It's running 2.1 rc7.
     
  71. gawd0wns

    gawd0wns LI Guru Member

    I don't know how to solve your problem specifically, but I will propose an alternative to server based password authentication. It all depends on what you use your VPN for, how much control you have over it, and how easy it is for you to make changes.

    You can use the build-key-pass easy-rsa script to encrypt and password protect your client key, so that your client will be prompted for the password before a connection attempt is made. If the password is entered successfully, the cert is decrypted and the connection proceeds, otherwise it does not attempt to connect. Your password can be stored in memory so that you don't have to re-enter it every hour at every TLS negotiation, by adding auth-nocache to the client config. You will have to enter it the first time you connect to get the ball rolling; if you disconnect from the machine and start a new session, you have to manually re-enter it again. I'm sure you can design a script to handle this if you really wanted.

    What are the advantages of this? Your problem is solved :), and the server config is simpler. Since you are on a VPN and distributing certs, you probably know who you are giving the certs to, if anyone else other than yourself.

    The downside is that someone can try to brute force the password protecting your client key if they ever obtained it (or your server, in your current case). I use this method; my VPN consists of my router, and my laptop which I only use when I travel. If my laptop got stolen, I would know about it immediately and have plenty of time to take action before the possibility of having my key broken... And even if it was broken, my router has nothing of value stored on it.. I'd have already lost a laptop, so a VPN compromise would be the least of my worries.

    If you are using this in a corporate environment, it will probably not be appropriate... I don't think the build-key-pass server script is included with openvpn anymore, luckily, a forum member posted one a while back which you can adapt for your own use:
    Search for "build-key-pass.bat" if you don't see it.

    http://www.linksysinfo.org/forums/showthread.php?t=61253&highlight=quick+dirty
     
  72. dotnetguru

    dotnetguru Addicted to LI Member

    It's working great now. Looks like auth-nocache was the culprit. Thanks everyone for helping.
     
  73. joosty

    joosty Addicted to LI Member

    TomatoVPN: connection reset

    I'm having trouble connecting to a VPN service called unblockvpn from my Linksys WRT54GL v1.1, running the Tomato 1.25vpn3.3 release. It's giving me a "connection reset", while if I try (with the same settings and files) from an Ubuntu Jaunty machine (same home network), it connects fine.

    Any help is greatly appreciated.

    This is the output of openvpn, started on the command line via telnet connection:

    Code:
    Enter Auth Username:theUsername
    Enter Auth Password:
    Mon Aug  3 19:49:42 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Aug  3 19:49:42 2009 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Mon Aug  3 19:49:42 2009 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
    Mon Aug  3 19:49:42 2009 Attempting to establish TCP connection with 81.0.217.77:80 [nonblock]
    Mon Aug  3 19:49:43 2009 TCP connection established with 81.0.217.77:80
    Mon Aug  3 19:49:43 2009 Socket Buffers: R=[43689->65534] S=[16384->65534]
    Mon Aug  3 19:49:43 2009 TCPv4_CLIENT link local: [undef]
    Mon Aug  3 19:49:43 2009 TCPv4_CLIENT link remote: 81.0.217.77:80
    Mon Aug  3 19:49:43 2009 TLS: Initial packet from 81.0.217.77:80, sid=5c47b12e 29c72189
    Mon Aug  3 19:49:43 2009 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Mon Aug  3 19:49:44 2009 VERIFY OK: depth=1, /C=CZ/O=UnblockVPN.com/CN=UnblockVPN.com
    Mon Aug  3 19:49:44 2009 VERIFY OK: nsCertType=SERVER
    Mon Aug  3 19:49:44 2009 VERIFY OK: depth=0, /C=CZ/O=UnblockVPN.com/CN=eu.unblockvpn.com/Email=info@unblockvpn.com
    Mon Aug  3 19:49:52 2009 Connection reset, restarting [0]
    Mon Aug  3 19:49:52 2009 TCP/UDP: Closing socket
    Mon Aug  3 19:49:52 2009 SIGUSR1[soft,connection-reset] received, process restarting
    Mon Aug  3 19:49:52 2009 Restart pause, 10 second(s)
    The config file:

    Code:
    # cat unblockvpn.ovpn
    proto tcp-client
    
    remote eu.finevpn.com 80 # non-standard port for OpenVPN, you can also use port 443 if it is better for you
    dev tap
    
    nobind
    persist-key
    
    tls-client
    ca unblockvpn-ca.pem # Root certificate in the same directory as this configuration file.
    ns-cert-type server
    
    verb 3
    
    cipher AES-256-CBC
    auth SHA1
    pull
    
    auth-user-pass
    
    #redirect all traffic through openVPN tunnel
    redirect-gateway
    
    #if connection is terminated, it will attempt to connect without prompting for username and pass
    auth-retry nointeract
     
  74. fyellin

    fyellin LI Guru Member

    "auth-user-pass" says that that openvpn is supposed to be asking you for a user name and password. Are you getting a chance to enter this information?
     
  75. joosty

    joosty Addicted to LI Member

    Yes I am, first two lines of the output. I'm entering user+pass. That's not the problem.
     
  76. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think that message is indicative of the server rejecting your certificates. Please ensure you have them copied to the router properly.
     
  77. joosty

    joosty Addicted to LI Member

    I had the same thought, so I opened a telnet session to the Linksys, logged in as root:
    Code:
    cd /tmp/home/root
    wget http://unblockvpn.com/data/unblockvpn-ovpn-2009-04-06.zip
    unzip unblockvpn-ovpn-2009-04-06.zip
    openvpn --config unblockvpn.ovpn
    Same error is reproduced. On a Ubuntu Jaunty box similar steps work fine. So I don't think the certificate can be the problem, can it?

    Contents of zipfile:
    Code:
    unblockvpn-ca.pem
    unblockvpn.ovpn
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just tried the same steps and got the same result when I gave a bogus username/password. Try adding
    Code:
    echo -e "MyUserName\nMyPassword" > userpass.txt
    sed -i 's/auth-user-pass/auth-user-pass userpass.txt/' unblockvpn.ovpn
    to your steps before calling openvpn (of course, replacing your user name and password).
    This will put your username and password in a text file for openvpn to read, instead of getting it from the command line.
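    A worked version of the credentials-file step just above and of the two pitfalls from the dotnetguru subthread (the "user nobody"/"group nobody" permissions guess in post 63 and the auth-nocache finding in posts 69-72), as an added example of my own, not code from the thread or from TomatoVPN. It writes the auth-user-pass file with owner-only permissions and then lints a client config for both conditions. The file names, the config contents and the assumption that a relative credentials path is taken relative to the config file's directory are mine (OpenVPN itself resolves relative paths against its working directory or --cd).

```sh
#!/bin/sh
# Added example, not from the thread or TomatoVPN: create an OpenVPN
# auth-user-pass credentials file safely and lint a client config for the two
# failure modes discussed in this thread:
#   * "user nobody"/"group nobody" plus a credentials file the unprivileged
#     user cannot read (the file is re-read at every TLS renegotiation)
#   * "auth-nocache" plus "auth-user-pass <file>" (as the thread found, the
#     cached credentials are purged and the renegotiation then fails with
#     "could not read Auth username from stdin")
# Paths and config contents below are constructed for the example.

# write_userpass FILE USER PASS
# printf instead of "echo -e": -e is not portable across /bin/sh flavours.
# umask 077 makes the file owner-only from the moment it is created, so the
# password is never world-readable, not even briefly.
write_userpass() {
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# lint_ovpn CONFIG
# Prints one WARN line per finding and returns the number of findings
# (0 = clean). Only the file form of auth-user-pass is checked.
lint_ovpn() {
    _cfg=$1
    _n=0
    _cred=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$_cfg")
    if [ -z "$_cred" ]; then
        return 0    # credentials are prompted for interactively: nothing to check
    fi
    # Assumption for this example: a relative path is taken relative to the
    # config file's directory (OpenVPN uses its working directory or --cd).
    case "$_cred" in
        /*) _path=$_cred ;;
        *)  _path="$(dirname "$_cfg")/$_cred" ;;
    esac

    if grep -Eq '^[[:space:]]*auth-nocache([[:space:]]|$)' "$_cfg"; then
        echo "WARN: auth-nocache together with 'auth-user-pass $_cred':" \
             "credentials are purged after the first handshake and the" \
             "renegotiation will fail; drop auth-nocache or the file"
        _n=$((_n + 1))
    fi

    if [ ! -r "$_path" ]; then
        echo "WARN: credentials file $_path is missing or unreadable"
        _n=$((_n + 1))
    elif grep -Eq '^[[:space:]]*(user|group)[[:space:]]+nobody([[:space:]]|$)' "$_cfg"; then
        # After the privilege drop only "nobody" reads the file. An owner-only
        # file (mode 600, owned by root) is then unreadable at renegotiation.
        # ls -ld is used because stat's flags differ between GNU and BSD.
        _perm=$(ls -ld "$_path" | cut -c1-10)
        case "$_perm" in
            ???????r??) : ;;   # others may read it: the privilege drop is harmless
            *) echo "WARN: user/group nobody cannot read $_path ($_perm);" \
                    "chown it to nobody or remove the user/group directives"
               _n=$((_n + 1)) ;;
        esac
    fi
    return $_n
}
```

    Run `lint_ovpn /path/to/client.ovpn` before starting the daemon; a non-zero exit status means at least one of the two conditions was found, and the WARN lines say which. The world-readable case is reported as harmless only with respect to the renegotiation failure; a password file that anyone on the box can read is still something to avoid, which is why the chown suggestion comes first.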
     
  79. joosty

    joosty Addicted to LI Member

    I already tried both ways multiple times, entering my details manually, and also in a file. Same error always. You'd say that I'm making a mistake somewhere, but like I mentioned before, another Linux machine works fine with the same credentials. I'll probably just give up on this service and try a different one. They do offer free 3 day trial accounts though, I'd be very interested to see if anyone else is able to connect using the openvpn included with this firmware...
     
  80. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What version of OpenVPN was on that other linux machine? It's possible, I suppose, that their service is incompatible with the version included in the firmware.
     
  81. joosty

    joosty Addicted to LI Member

    The Ubuntu box uses the one from the stable jaunty repository, I think it's 2.1 rc11. Anyway, their service should work with rc16, I asked.
     
  82. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry it's taking me so long to get this update out. I just found some time this evening, but my laptop locked up right in the middle of a merge (ext4 bug) and it corrupted my git repository. I'm working to get past that (and have had some luck), then I'll be ready to release...
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.25vpn3.4 release

    1.25vpn3.4 is now ready for download. There are quite a few changes here, and I think I included all of the requests that I agreed to. If I forgot anything, please remind me.

    Anyway, hop on over to the blog post to see the changes or to download. For a full changelog, see the git shortlog.
     
  84. Badster

    Badster Addicted to LI Member

    Excellent, can't wait to try it out with my StrongVPN OpenVPN account. Thank you for your work.
     
  85. Theblueraja

    Theblueraja Network Guru Member

    Snap, Will be giving this a bash tonight.
     
  86. scooter32

    scooter32 Addicted to LI Member

    Question on routing/port forwarding with vpn

    Howdy all, is it possible to do a port forward to a host connected via a vpn?

    I'm successfully routing port XX from outside to an internal host, that isn't connected via a vpn.

    I have another host connecting via the vpn that I would like to forward port YY. So it would go from internet, linksys device, vpn, vpn_host.

    thanks
     
  87. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't see why not.
     
  88. scooter32

    scooter32 Addicted to LI Member

    I started tinkering last night and I think it boils down to an issue of routing.

    When the remote host connects via the vpn, its default route is still the one that comes along with eth0 on the local network. So packets can get there, but they don't know how to get back. Since I'm really only interested in a single port (at the moment), I found this and started experimenting

    http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

    You could, of course, just change the default route, but I don't think that is optimal.

    I haven't had much success yet, but I haven't spent too much time.
    I'll report back what I do find. Thanks for the reply.

    Scott
     
  89. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think a simpler way would be to create an SNAT or MASQUERADE on the traffic as it comes through the router and is forwarded. That way, the destination device will think that's where the traffic originated from, and will route the response back. The router then de-NATifies it, and all is well.

    Try adding the following to your firewall script:
    Code:
    iptables -t nat -A POSTROUTING -p <protocol> --dport <port being forwarded to>  -d <computer IP> -j SNAT --to-source `nvram get lan_ipaddr`
    EDIT: I just tried this and it works. Let me know how it goes for you.

    This might be something I can get working automatically in future releases.
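    The forwarding-plus-SNAT scheme from the post above, written out as a small script with input validation, as an added example of my own rather than code from the thread or from TomatoVPN. The function names, the DRY_RUN switch and the sample addresses (10.8.0.6 for the VPN-connected host, 192.168.1.1 for the router's LAN address) are constructed for the example. On Tomato the DNAT and FORWARD rules are what the Port Forwarding page already creates; the SNAT rule is the one piece you add by hand, and the script includes all three only so that the whole path is visible in one place.

```sh
#!/bin/sh
# Added example, not from the thread or TomatoVPN: build the netfilter rules
# that forward a WAN port to a host that is reachable only through the VPN
# tunnel, following the scheme described in the post above. Three rules:
#   1. PREROUTING DNAT   rewrite the destination to the VPN host (the ordinary
#                        port forward; Tomato's Port Forwarding page makes it)
#   2. FORWARD ACCEPT    let the rewritten packet through the filter table
#   3. POSTROUTING SNAT  rewrite the *source* to the router's LAN address, so
#                        the VPN host (whose default route does not point back
#                        into the tunnel) answers the router, which un-NATs it
# The SNAT match is deliberately narrow (one protocol, one port, one host):
# every other flow keeps its real source address, so the VPN host's own logs
# and firewall still see who actually connected.
# Function names, the DRY_RUN switch and all addresses here are constructed.

valid_proto() { case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac; }

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    _ip=$1
    _save=$IFS; IFS=.; set -- $_ip; IFS=$_save
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Echo the rule when DRY_RUN=1, otherwise execute it.
_run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# forward_to_vpn_host PROTO WAN_PORT VPN_HOST_IP [HOST_PORT] [LAN_IP]
# HOST_PORT defaults to WAN_PORT. LAN_IP defaults to `nvram get lan_ipaddr`,
# which exists on Tomato; on any other box pass it explicitly.
forward_to_vpn_host() {
    _proto=$1; _wport=$2; _host=$3; _hport=${4:-$2}
    if [ -n "$5" ]; then _lan=$5; else _lan=$(nvram get lan_ipaddr 2>/dev/null || true); fi

    valid_proto "$_proto" || { echo "proto must be tcp or udp (--dport needs it): $_proto" >&2; return 1; }
    valid_port "$_wport"  || { echo "bad WAN port: $_wport" >&2; return 1; }
    valid_port "$_hport"  || { echo "bad host port: $_hport" >&2; return 1; }
    valid_ipv4 "$_host"   || { echo "bad VPN host address: $_host" >&2; return 1; }
    valid_ipv4 "$_lan"    || { echo "LAN address unknown; pass it as the 5th argument" >&2; return 1; }

    _run iptables -t nat -A PREROUTING -p "$_proto" --dport "$_wport" \
         -j DNAT --to-destination "$_host:$_hport"
    _run iptables -A FORWARD -p "$_proto" -d "$_host" --dport "$_hport" -j ACCEPT
    _run iptables -t nat -A POSTROUTING -p "$_proto" -d "$_host" --dport "$_hport" \
         -j SNAT --to-source "$_lan"
}

# Example run (prints the rules; drop DRY_RUN=1 on the router to apply them):
# DRY_RUN=1 forward_to_vpn_host tcp 2222 10.8.0.6 22 192.168.1.1
```

    The validation matters more than it looks: `--dport` is only meaningful with `-p tcp` or `-p udp`, and a typo in the host address or an empty LAN address would otherwise produce a rule that SNATs far more than the one flow you intended. The price of the SNAT is that the VPN host sees every forwarded connection as coming from the router, so keep connection logging on the router if you need to know the real origin.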
     
  90. scooter32

    scooter32 Addicted to LI Member

    WOW. That was SO much easier than what I was trying.
    It works great. Thanks for the quick verification too.

    Scott
     
  91. regular

    regular LI Guru Member

    Question from an OpenVPN newbie

    I'm trying to set up a VPN for me to route my traffic through and access home LAN files when I'm on the road on public wireless hotspots.

    http://www.linksysinfo.org/forums/showpost.php?p=333525&postcount=34

    Would these directions let me do that? Would I have to add any routing directions or push gateway etc.?
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Things have changed a lot since I made that post. I now recommend using UDP, TUN, and TLS. Just click the link on the "Keys" tab for directions on how to generate them. There are check boxes to push the gateway directives, etc. If you have specific questions, let me know.
     
  93. regular

    regular LI Guru Member

    I installed it and have selected TUN, UDP, and TLS with bi-directional HMAC. Subnet is 10.10.0.0 with subnet mask 255.255.255.0.

    Under advanced I have Push LAN to clients, Direct clients to redirect Internet traffic, and Respond to DNS checked. Advertise DNS is unchecked. Encryption cipher is aes-128-cbc. Compression is enabled. Allow Client<->Client is enabled.

    Keys are all generated as per the howto. I have renamed my Tap32 adapter name to openvpn.

    My client config is:
    dev tun
    proto udp
    dev-node openvpn
    remote xxx.xxx 40000
    tls-client
    keepalive 15 120
    verb 3
    status openvpn-status.log
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key
    ns-cert-type server
    key-method 2
    auth SHA1
    cipher AES-128-CBC
    pull
    nobind
    comp-lzo
    explicit-exit-notify 3
    replay-window 60 15
    topology subnet

    The IP of my home LAN router is 172.16.0.1. I was connected to a friend's wifi router to test this out. My only problem at the moment is that I can't access file shares on my LAN. Traffic is successfully being redirected and I'm amazed how easy you made it to set up. If I could get any pointers to get the file sharing to work, then that's all I need.

    I am using Windows XP and Vista on my LAN. Normally I can just access the other files by opening Network Places or manually typing in the IP of the computer or NAS, i.e. \\172.16.0.111 etc. I am able to ping my router at 172.16.0.1 though, but nothing else on the LAN.
     
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, try removing the "topology subnet" from the client config. There is a bug in Windows where it sends the wrong source IP in the traffic when contacting the remote LAN. There has been some correlation with people having "topology subnet". If that doesn't work, we can try to work around it in other ways.
     
  95. regular

    regular LI Guru Member

    Thanks that seems to have done the trick.

    Thanks for making this awesome mod. I've tried the other text-based non-GUI mods with OpenVPN and Tomato, but yours made setting a VPN up a breeze.
     
  96. Gobbla

    Gobbla Addicted to LI Member

    Hello,
    I have been trying to search the web for hours and hours for a step by step guide of getting this mod to work, without any luck. The client reports that he gets a connection, but he can't actually reach (or ping etc) anything on my network. Does anybody know what might be causing this?

    Also, does anybody know of an up-to-date HOWTO for configuring this mod?

    This is my configuration:

    ROUTER:
    Router IP Address 192.168.1.1
    Subnet Mask 255.255.255.0
    DHCP 192.168.1.100 - 192.168.1.149

    SERVER:
    Interface Type TUN
    Protocol UDP
    Port 1194
    Firewall Automatic
    Authorization Mode Static Key
    Local/remote endpoint addresses 10.8.0.1 10.8.0.2
    Encryption cipher Use Default
    Compression Enabled
    Custom Configuration "Blank"

    One thing I think is weird is that these fields got copy-pasted when I marked my config on the router, but I can't see them in the GUI:
    Extra HMAC authorization (tls-auth)
    VPN subnet/netmask
    Client address pool DHCP -


    CLIENT:
    Interface Type TUN
    Protocol UDP
    Server Address/Port 192.168.1.1 1194
    Firewall Automatic
    Authorization Mode Static Key
    Local/remote endpoint addresses 10.8.0.2 10.8.0.1
    Encryption cipher Use Default
    Compression Enabled
    Connection retry (in seconds; -1 for infinite) 30
    Custom Configuration "Blank"



    One thing I think is weird is that these fields got copy-pasted when I marked my config on the router, but I can't see them in the GUI:
    Extra HMAC authorization (tls-auth)
    Server is on the same subnet Warning: Cannot bridge distinct subnets. Defaulting to routed mode.
    Create NAT on tunnel Routes must be configured manually.
    Tunnel address/netmask


    ovpn-file:
    dev tap0
    ifconfig 10.8.0.2 255.255.255.0
    secret static.key
    proto udp
    remote "my external ip" 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float

    I am not sure how to see what version of the VPN-mod you have, but I have Tomato Version 1.23 if that helps.
     
  97. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, you can't copy your config file to the router and have the GUI pick it up, you have to configure it in the GUI.
    TAP and TUN are two different things and you have to use just one. You mention both.

    Try configuring both in the GUI, and trying to connect, then see how you fare.
     
  98. Gobbla

    Gobbla Addicted to LI Member

    Can I just edit dev tap0 to dev tun0? I'm not sure what this command does, I just copied it from some forum.
    Not sure what you mean with the GUI/copy thing, I have configured everything in the GUI... But when I marked the text in the GUI and pasted it in here, I actually got text that is not visible in the GUI.
     
  99. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    So is your client another TomatoVPN router or a computer? If it is a computer, then you don't need to worry about the Client section in the GUI. If it is a TomatoVPN router, then you shouldn't be dealing with an ovpn file at all. For now, I'll assume the former.

    You can just change the "tap0" to "tun", and you should also change the "ifconfig 10.8.0.2 255.255.255.0" to "ifconfig 10.8.0.2 10.8.0.1". If you continue to have problems, we'll start debugging.
     
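The two fixes suggested in this thread (post 94: drop "topology subnet" on a Windows client; post 99: a static-key client must use the same interface type as the server, and a TUN point-to-point ifconfig takes local and peer addresses rather than a netmask) can be checked mechanically before a client is handed a config. The script below is an added example written for this thread, not code from Tomato, TomatoVPN or OpenVPN. The sample .ovpn and the server-side GUI values are constructed from what was posted above; the hostname in the `remote` line is a placeholder.

```python
"""Sanity-check a TomatoVPN static-key client .ovpn against the server's GUI settings.

Added example for this thread; not part of Tomato or OpenVPN. The sample config and
the server settings are constructed from the values posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the client .ovpn as posted (dev tap0 while the server is TUN).
SAMPLE_OVPN = """\
dev tap0
ifconfig 10.8.0.2 255.255.255.0
secret static.key
proto udp
remote vpn.example.invalid 1194
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC
comp-lzo
verb 3
float
"""

# Constructed: the server-side GUI values from the post (TUN, endpoints 10.8.0.1 / 10.8.0.2).
SERVER_SETTINGS = {"interface": "tun", "local": "10.8.0.1", "remote": "10.8.0.2"}

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_ovpn(text: str) -> List[Tuple[str, List[str]]]:
    """Split an OpenVPN config into (directive, args) pairs; lines starting with '#' or ';' are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def is_netmask(value: str) -> bool:
    """True for a contiguous dotted-quad mask such as 255.255.255.0, False for a host address."""
    m = IPV4.match(value)
    if not m:
        return False
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return False
    bits = "".join(f"{o:08b}" for o in octets)
    return "01" not in bits  # a mask is a run of ones followed only by zeros


def check_client_config(text: str, server: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the client config matches the server."""
    findings: List[str] = []
    cfg: Dict[str, List[str]] = {}
    for name, args in parse_ovpn(text):
        cfg[name] = args  # for these single-valued directives the last occurrence wins
    dev = cfg.get("dev", [""])[0]
    dev_type = dev.rstrip("0123456789")  # tap0 -> tap, tun -> tun
    if dev_type not in ("tun", "tap"):
        findings.append(f"dev '{dev}' is neither tun nor tap")
        return findings
    if dev_type != server["interface"]:
        findings.append(f"client uses dev {dev_type} but the server interface type is {server['interface']}")
    ifc = cfg.get("ifconfig", [])
    if len(ifc) != 2:
        findings.append("ifconfig needs exactly two arguments")
    elif server["interface"] == "tun":
        # TUN without 'topology subnet' is point-to-point: ifconfig <local> <peer>
        if is_netmask(ifc[1]):
            findings.append(f"ifconfig second argument '{ifc[1]}' is a netmask; "
                            f"in TUN point-to-point mode it must be the peer address {server['local']}")
        else:
            if ifc[0] != server["remote"]:
                findings.append(f"ifconfig local address {ifc[0]} is not the server's remote endpoint {server['remote']}")
            if ifc[1] != server["local"]:
                findings.append(f"ifconfig peer address {ifc[1]} is not the server's local endpoint {server['local']}")
    elif not is_netmask(ifc[1]):  # TAP: ifconfig <local> <netmask>
        findings.append(f"ifconfig second argument '{ifc[1]}' is not a netmask, which TAP mode requires")
    if cfg.get("topology", [None])[0] == "subnet":
        findings.append("topology subnet present; the thread reports Windows clients sending the wrong "
                        "source address with it, try removing it first")
    if "secret" in cfg and "remote" not in cfg:
        findings.append("static-key client has no 'remote' directive")
    return findings


def fix_client_config(text: str, server: Dict[str, str]) -> str:
    """Rewrite dev/ifconfig to match the server, as post 99 suggests (tap0 -> tun, netmask -> peer)."""
    lines = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "dev":
            lines.append(f"dev {server['interface']}")
        elif parts and parts[0] == "ifconfig" and server["interface"] == "tun":
            lines.append(f"ifconfig {server['remote']} {server['local']}")
        else:
            lines.append(raw)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in check_client_config(SAMPLE_OVPN, SERVER_SETTINGS):
        print("finding:", finding)
    print(fix_client_config(SAMPLE_OVPN, SERVER_SETTINGS))
```

Run against the posted config it reports two findings (TAP client against a TUN server, and a netmask where the peer address belongs); the rewritten config with `dev tun` and `ifconfig 10.8.0.2 10.8.0.1` passes clean. The netmask test is what distinguishes the two ifconfig forms: a contiguous mask has no 0-bit followed by a 1-bit, while a host address like 10.8.0.1 does.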
  100. Incidentflux

    Incidentflux Addicted to LI Member

    SgtPepperKSU,

    In your opinion is there any technical benefit in offering TomatoVPN with Speedmod?
     
