
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. i1135t

    i1135t Network Guru Member

    SgtPepper, in your new mod, you cannot have two VPN Servers running on the same port, with one UDP and one TCP. In your previous version, I could without any problems. Just wanted to see if it was something you implemented or part of the new OpenVPN version. Anyways, looks good. Will test it and see how it performs.
     
  2. besonen

    besonen LI Guru Member

    router-to-router vpn connection

    i'd like to use this firmware to setup a router-to-router vpn connection. are there any nuances of which i need to be aware that are documented in this 1200 post thread?

    humongous threads are hell. if i had the time i would setup a dedicated forum for this firmware so that information could more easily be shared. does anyone else have the juice to do this? i'd happily contribute financially to see this happen.


    thanks,
    david
     
  3. Gobbla

    Gobbla Addicted to LI Member

    My client is a computer. I did implement your change suggestions, but I still don't seem to be able to reach anything within my network. Are you supposed to add custom routes in the custom config to be able to "see" your network on the VPN connection? Thanks for your help so far.
    EDIT: Tried adding route-gateway 192.168.1.1, still cannot ping this IP.
     
  4. besonen

    besonen LI Guru Member

    simultaneous duplicate certificate usage

    is it possible to use the same openvpn certificate on multiple computers simultaneously?


    thanks,
    david
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No. OpenVPN doesn't work that way. Sorry.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I thought the important bits of Speedmod were incorporated into Tomato. Am I wrong?
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I didn't do anything relevant to that. If it has changed, it's probably in OpenVPN.
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just use TLS & TUN, and fill out the "Client-specific options" section on the server config. There shouldn't be any nuances besides that.

    I've tried to make the GUI user-friendly enough to not require anyone to have to read through this thread.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    With the tunnel connected, capture the routing table on the router and on the client. Also, see if there is anything suspicious in either's logs.
     
  10. gawd0wns

    gawd0wns LI Guru Member

    besonen, the duplicate-cn option might be what you are looking for. Add it to your server config and try it out.
     
  11. flor1n

    flor1n Addicted to LI Member

    Hi all,

    First of all thank you SgtPepper for great tomato mod,

    Second I have a quick question (would be great to get the answer today as I'm leaving tomorrow):

    I want to set the OpenVPN server to listen on UDP port 53, but I cannot seem to make it work; it always conflicts with dnsmasq. I also tried setting OpenVPN to listen on UDP port 1194 and then forwarding external port 53 to internal 1194, but that did not work either.

    The purpose of this, as you may have figured out, is to get internet access at hotspots where they allow DNS traffic.
    Thank you in advance!
     
  12. gawd0wns

    gawd0wns LI Guru Member

    OpenVPN has one of the best manuals around, make sure to bookmark it:

    "--port-share host port
    When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh.

    Not implemented on Windows. "

    **Note: When adding any of the options to your server-config.ovpn (the custom configuration box in tomato), make sure to exclude the first two dashes --> --port-share will be written as port-share in the config box.

    http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html

    There are many useful HowTO's on the site.
     
  13. flor1n

    flor1n Addicted to LI Member

    Thanks for the useful information you gave me gawd0wns, but the problem is that I'm trying to run the OpenVPN server on UDP port 53, not TCP, so --port-share host port is not an option.
     
  14. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I've been using some free VPN services (e.g. UltraVPN) nowadays. These services are implemented as customized OpenVPN setup packages, which only need you to enter your account name and password when you click connect. I'd like to know how to make your MOD work this way? It would be easy for noob users and simplify the setup procedure...
    Thank you and have a good day.
     
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've tried to help people get that exact thing working before, but, alas, it does not appear to be possible. It appears OpenVPN has to be listening on the same port internally and externally, and you can't have it listening to UDP 53 internally due to DNS. So, UDP port 53 is out.
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, you could use client-cert-not-required and user-auth-pass to accomplish that. See the OpenVPN manual for details. However, you should know that that would be much less secure.
     
  17. fyellin

    fyellin LI Guru Member

    My solution has been to run two OpenVPN servers, one on UDP/1194 and the other on TCP/1194. I use the UDP port whenever possible, but the TCP port is available for cafe hotspots and hotel rooms.
     
  18. ntest7

    ntest7 Network Guru Member

    Seems like many of the hotspots I've used are extremely restricted; they allow ONLY ports 80 & 443 and nothing else. Kinda silly if you ask me...

    Anyway, nothing is better than OpenVPN on tcp/443 to get out of a restricted hotspot. I've never had that blocked.

    If you use https management on your tomato, set it to something other than port 443, and let OpenVPN forward it for you with the --port-share option.

    If you really need port 53 for some reason, you'll likely need to turn off dnsmasq and add another server for local DNS.
     
  19. flor1n

    flor1n Addicted to LI Member

    ntest7, I could live without dnsmasq, but I've tried stopping it manually by issuing kill PID (after checking the box "do not restart dnsmasq if it dies") and then running OpenVPN on port 53, but OpenVPN still has some issues with this, and though it starts, it cannot work.
     
  20. besonen

    besonen LI Guru Member

    thanks gawd0wns.
     
  21. ntest7

    ntest7 Network Guru Member

    Maybe you can leave dnsmasq running but disable its DNS functions. You can add
    port=0
    to the Advanced>DHCP/DNS>dnsmasq custom settings box for that.

    The man page is here for additional settings to try
    http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

    So what's the big deal with port 53 anyway? Seems like there are better choices.
     
  22. Gobbla

    Gobbla Addicted to LI Member

    I'm not sure I'm clear on what commands I should run. Are you on IRC?
     
  23. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can get the routing table for the router in the Web GUI (Advanced->Routing). For a Windows computer, you can get the routing table with "route print".

    The logs for the router are under "logs" and on the Windows client they should pop up in a window when you connect (also available via the tray icon, I believe).
     
  24. flor1n

    flor1n Addicted to LI Member

    With this I am able to start the OpenVPN server on UDP port 53, but no success because it is still not working and outputs an error in the log file:
     
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's not an error, that's just the status updating in the web GUI.

    You'll have to provide more details as to what you mean by "isn't working". Are the clients not able to initiate a connection, not able to complete connecting, something else?
     
  26. ahunor

    ahunor Addicted to LI Member

    Can't set up vpn

    Greetings

    I've been trying all day long and googling, but couldn't set up VPN with tomato 1.25vpn3.4.
    I'm using, or at least want to: TAP over TCP. Generated the keys as I should, no HMAC authentication, still, to no avail.
    I always get status=1 error messages and the connection is interrupted.
    error log at pastebin

    This is in config.ovpn :
    Code:
    daemon
    server-bridge 192.168.1.1 255.255.255.0 192.168.1.50 192.168.1.55
    proto tcp-server
    port 1194
    dev tap21
    cipher AES-256-CFB
    comp-lzo yes
    reneg-sec 30
    keepalive 15 60
    verb 3
    client-config-dir ccd
    client-to-client
    push "route-gateway 192.168.1.1"
    push "redirect-gateway def1"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    For connection I've used the NetworkManager's VPN plugin in gnome, which is essentially:
    Code:
    /usr/sbin/openvpn --remote _address_ --comp-lzo --nobind --dev tap --proto tcp-client --port 1194 --cipher AES-256-CFB --auth none --syslog nm-openvpn --script-security 2 --up /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --route-noexec --client --ca /ca.crt --cert raziel.crt --key raziel.key
    
    Can you help please, because I've tried to solve it but to no avail. Thanks.

    EDIT: It worked like a charm just the day after without changing anything, I don't really know how; somewhere, somehow, something must have been cached.
     
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Start with the basics and try to make a connection, then worry about adding the rest. Get rid of the "redirect gateway" stuff, the custom cipher, compression, etc. Also, I don't know if the the "auth none" in the client configuration is compatible with the (default) "auth sha1" from the server configuration.
     
  28. besonen

    besonen LI Guru Member

    file i/o and performance

    recently i started running rsnapshot (a perl backup script that uses rsync) over an openvpn connection. this backup routine is processing 60,000+ files daily (this may be "no-big-deal" but it's the most significant i/o i've attempted to move across an openvpn link).

    today i noticed a new networking lag and was wondering about the possibility of tomato/openvpn becoming overwhelmed in some way that might be affecting general *non-vpn* tomato performance. does anyone have any tomato/openvpn stress-testing (deliberate or not) info they could share?


    thanks,
    david
     
  29. albundy118

    albundy118 Addicted to LI Member

    SD/MMC Mod

    Hi,

    not sure about the effort, but would it be possible to integrate the MMC mod? I would also be happy if only the modules for mmc & ext2-fs were available in the image; the rest I could do by scripts.

    Thanks in advance
    cheers
    Florian
     
  30. chuckj

    chuckj Addicted to LI Member

    Server cannot ping client on routed VPN.

    Using 2 Wrt54GLs which also serve as internet gateways, I have a 1.25/3.4 GUI VPN joining two subnets. I used as many of the default settings as I could:

    TUN, UDP 1194, Static Key, Auto Firewall, 10.8.0.1/2, NAT on client side.
    Firewall is default, routing is default.


    I can ping the server endpoint(10.8.0.1) from the Client side, but cannot ping the Client endpoint(10.8.0.2) from the Server side. Is there some option I can set to have the VPN act as a bidirectional router between my two subnets?

    It appears to be a client issue since the GUI VPN Server connected to a DDWrt OpenVPN client worked fine in both directions.

    Another question - I have to add the command

    route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.1

    to the client to enable routing from the client subnet. Is there an OpenVPN up script I can put this command into? If so, where is it?

    Thank you!
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Your routing would work automatically if you used TLS instead of static key. Have you considered using that?
     
  32. chuckj

    chuckj Addicted to LI Member

    I did not know that. I will try TLS - thanks!
     
  33. ahunor

    ahunor Addicted to LI Member

    Greetings

    I use a WRT54GL with tomato1.25vpn3.4 and the following config :
    Code:
    daemon
    server-bridge 192.168.1.1 255.255.255.0 192.168.1.10 192.168.1.15
    proto tcp-server
    port 443
    dev tap21
    cipher AES-256-CBC
    comp-lzo yes
    reneg-sec 30
    keepalive 15 60
    verb 3
    client-config-dir ccd
    client-to-client
    push "dhcp-option DNS 192.168.1.1"
    push "route-gateway 192.168.1.1"
    push "redirect-gateway def1"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    Everything works great and fine, but I don't know if it's normal that the CPU when using the tunnel doesn't peak at 100%, max 40-50, and the throughput is roughly 100KB/s.
    So I see that the bottleneck is not the CPU, not the upload / upload speeds, what is it then?
    Thanks.
     
  34. tecumseh

    tecumseh Addicted to LI Member

    Routing only requested to specific tcp port

    Hi all
    I have Tomato Firmware v1.25vpn3.4.4a8380cb on two Linksys WRT54GL routers.
    Router A 192.168.0.0/24 works as a VPN Client (TUN/TLS)
    Router B 192.168.1.0/24 works as a VPN Server (TUN/TLS)
    All works fine: ping between networks and all network services.
    I have forwarded one external Internet IP address from the VPN Client network via the VPN Server gateway.
    I added route xx.xx.xx.xx 255.255.255.255 in the Custom Configuration on the VPN Client. And it works perfectly.
    All internet traffic from net A to that IP address goes via the VPN server.
    Now I will forward only TCP port 25 from net A via the VPN server - is that possible? How?
    Please help
    Best regards
     
  35. XMoA

    XMoA Addicted to LI Member

    Dec 31 17:17:30 unknown daemon.warn openvpn[844]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Dec 31 17:17:30 unknown daemon.err openvpn[844]: Cannot load DH parameters from dh.pem: error:0906D06C:pEM routines:pEM_read_bio:no start line


    Hi all,

    Noob to this vpn firmware, I've tried to follow the HowTo tutorial to generate the keys, which I've pasted in the Keys tab, but when I start I get the errors mentioned above.

    Can someone help me. I've tried to look in this thread but it's too huge...

    Thank you in advance
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Your "Diffie Hellman parameters" field is not valid. It should have a "-----BEGIN DH PARAMETERS-----" line, a "-----END DH PARAMETERS-----" line, and base64 text (numbers, letters, +, and /) between.
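A small checker for the format SgtPepperKSU describes, added here as an example rather than anything from the firmware or the thread: it reports the same "no start line" condition OpenSSL logs when the BEGIN marker is missing, validates the base64 body, and decodes the DER to confirm it really holds the two integers (p and g) of a DH parameter block. The make_dh_pem helper only builds test input and is an assumption of this example; the p it wraps is not checked for primality.

```python
import base64
import re

# The two marker lines OpenVPN (via OpenSSL's PEM reader) looks for. When the
# pasted text does not start with the BEGIN line, OpenSSL logs "no start line".
BEGIN_MARKER = "-----BEGIN DH PARAMETERS-----"
END_MARKER = "-----END DH PARAMETERS-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    """DER INTEGER (two's complement, so a leading 0x00 is added when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def make_dh_pem(p, g):
    """Build test input only: PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }.
    Constructed for this example; p is NOT verified to be a safe prime."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN_MARKER] + lines + [END_MARKER]) + "\n"


def _tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value bytes, position after the value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def check_dh_pem(text):
    """Return (ok, detail). ok is True only for one well-formed DH PARAMETERS block;
    detail names the first problem found, or the size of p on success."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN_MARKER:
        return False, "no start line: text does not begin with " + BEGIN_MARKER
    if lines[-1] != END_MARKER:
        return False, "missing " + END_MARKER
    body = lines[1:-1]
    if not body:
        return False, "nothing between the BEGIN and END lines"
    for i, ln in enumerate(body, start=2):
        if not B64_LINE.match(ln):
            return False, "line %d is not base64 (only A-Z a-z 0-9 + / = allowed)" % i
    try:
        der = base64.b64decode("".join(body), validate=True)
        tag, seq, end = _tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False, "decoded data is not a single DER SEQUENCE"
        tag_p, p_bytes, pos = _tlv(seq, 0)
        tag_g, g_bytes, pos = _tlv(seq, pos)
    except (ValueError, IndexError) as exc:
        return False, "cannot decode DER: %s" % exc
    if tag_p != 0x02 or tag_g != 0x02 or pos != len(seq):
        return False, "SEQUENCE does not contain exactly INTEGER p, INTEGER g"
    p = int.from_bytes(p_bytes, "big")
    return True, "DH parameters with a %d-bit prime" % p.bit_length()


if __name__ == "__main__":
    # A certificate pasted into the DH field reproduces the "no start line" error.
    print(check_dh_pem("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----"))
    print(check_dh_pem(make_dh_pem((1 << 2047) | 1, 2)))
```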
     
  37. martinqiu

    martinqiu Addicted to LI Member

    What do they mean?
     
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's just the status being refreshed in the web GUI.
     
  39. chuckj

    chuckj Addicted to LI Member

    I tried TLS, the result was much the same as with the static key. I can access the Server subnet from the Client subnet, but I cannot access the Client subnet from the Server subnet.

    I have disabled the GUI VPN and used static key Init and Firewall scripts to get VPN routing between the two subnets. The scripts are simple, nothing too fancy.

    I can post my scripts if the VPN GUI has a known problem routing between
    subnets. Otherwise, the cause is some fluke in my setup, though it is pretty much as default as you can get. I like the VPN GUI and am willing to help debug it if that is desired.

    Thank you, SgtPepperKSU, for an OpenVPN build of Tomato!
     
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    In order to access the client subnet from the server subnet, you have to uncheck the "NAT" option on the client router and give the server router an idea as to the subnet behind the client router. The easiest way to do the latter is by setting up the "Client-specific options" section on the server VPN settings. That is only available for TLS, though. For static key, you'll need to set up routes manually in the custom config section.

    For what it's worth, I have an always connected (zero problems) site-to-site (plus occasional individual clients) connection using TUN/UDP/TLS (with client-specific options table filled in) and nothing in my custom configuration fields. The routing is handled in both directions automatically by the GUI.
     
  41. Andy22

    Andy22 Addicted to LI Member

    OpenVPN was designed for UDP transfer mainly; u can try to switch to "proto UDP" or u can try switching to routed, non-bridged mode with a TUN device.

    The cpu in the WRT54GL with AES should max out at around 400kb/s, there was also a speedtest in the net using multiple configurations on the WRT54GL, just google for it.
     
  42. XMoA

    XMoA Addicted to LI Member

    hello

    I have a new question:

    using default setting TUN/TLS/UDP:

    I have a router vpn server with IP = 192.168.40.1
    vpn subnet 10.8.0.0 netmask 255.255.255.0
    xbox360 IP is 192.168.40.120

    my friend client router vpn client with IP = 192.168.20.1
    vpn subnet 10.8.0.0 netmask 255.255.255.0
    xbox360 IP is 192.168.20.130

    vpn is working (he can access my routers config)
    but how can we make that our xbox can see each other with system link

    thank you very much for help
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think XBox System Link uses broadcast messages (I've never used it, just going off a quick google search) to find the other Xboxes. There may be a way to replicate broadcasts across different subnets, but it would probably be simpler, in your case, to use TAP and have everything on the same subnet (you'll have to work out with him which IP addresses each of you can use to keep from having conflicts).

    If there is a way to get System Link to work over subnet boundaries, hopefully somebody will speak up.
     
  44. XMoA

    XMoA Addicted to LI Member


    ok I tried to set up TAP but doesn't seem to work


    my router vpn server with IP = 192.168.40.1
    dhcp enabled

    my friends vpn client IP set up to 192.168.40.2
    everything else default but he cannot even access my router 192.168.40.1 this time

    how do I set up on the same subnet... can you maybe give me an example of how to set the IPs
     
  45. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The IPs seem fine. Can you give a run down of your settings?
     
  46. mlebl1h

    mlebl1h Guest

    SOCKS proxy via VPN?

    I have a VPN connection from my work computer to my tomato router working very well. Now I'd like to find an easy way to make the tomato router open a SOCKS proxy on a router port like 8080.

    First some background: For large downloads, I want to be able to use the corporate connection to the internet, but for personal use, I would like to send internet traffic through my home tomato router. I can do this now by routing all non-local traffic through the VPN tunnel to my router, but what I'd really like is to have Internet Explorer use the corporate proxy, and have Firefox and other select programs go through my VPN connection to the tomato router, but preferably without making the VPN tunnel the default route for all network connections. I thought a good way to achieve this would be to have tomato open a port like 8080 on the router, listening as a SOCKS proxy. I know I could tunnel via ssh from my work computer, but why bother with Putty when I already have a working OpenVPN connection to my tomato router? I'd like to be able to just have 192.168.1.1:8080 be my SOCKS proxy.

    A friend suggested that if I add an ssh to localhost in a tomato router script, I can have an open SOCKS proxy. If this sounds reasonable, where would I put the ssh command (in which tomato script), something like the following:

    ssh -D 8080 root@localhost

    Does this sound reasonable, or is there an easier way to create an open proxy on the router?

    Thanks in advance for any suggestions!
     
  47. chuckj

    chuckj Addicted to LI Member

    Thanks for the additional info, my results are the same, client can ping server, server cannot access client.

    Here is my setup-
    Client:
    subnet is 192.168.4.0 mask 255.255.255.0
    WRT54GL running 1.25Vpn3.4.7 is also gateway to static IP internet.
    Client1-Basic starts with router, TUN/UDP 1194/TLS with server IP correct.
    Firewall is Auto, Extra HMAC Disabled, Create NAT unchecked.
    Client1-Advanced is all defaults - Redirect Internet unchecked, Accept DNS disabled, etc.
    Client1 keys all set.

    Server:
    subnet is 192.168.1.0 mask 255.255.255.0
    WRT54GL running 1.25Vpn3.4.7 is also gateway to static IP internet.
    Server1-Basic starts with router, TUN/UDP 1194/TLS.
    Firewall is Auto, Extra HMAC Disabled, VPN subnet 10.8.0.0, 255.255.255.0
    Server1-Advanced-Push LAN to clients is checked, Direct clients and respond DSN are unchecked. Defaults for cipher,compression and TLS time.
    Manage Client-Specific Options is checked, Allow client-client and Allow only these clients are both unchecked.
    Enabled 1 Client XXX Subnet 192.168.4.0, Netmask 255.255.255.0, tried push both checked and unchecked.

    Server1-Keys are set.

    RESULTS:
    VPN is connected, VPN Server1 shows this under Status tab-
    Client List:
    client1 <ClientIP>:2051 10.8.0.6 27127Recv 27091Sent
    Routing Table:
    10.8.0.6 client1 <clientIP>:2051

    Server routing table shows these routes to tun21:
    10.8.0.2 ** 255.255.255.255
    192.168.4.0 10.8.0.2 255.255.255.0
    10.8.0.0 ** 255.255.255.0

    From server, I can ping 10.8.0.6, but not gateway 10.8.0.2.
    As I said Client can ping Server subnet, Server cannot ping Client subnet.

    Am I being naive somewhere with the VPN settings?
    Any ideas what I have done wrong??

    Thanks!!
     
  48. chuckj

    chuckj Addicted to LI Member

    Saw this comment from http://theorum.net/blog/?p=22 which is a page giving a setup for a routed TLS VPN:

    This comment does not make sense, perhaps the line should read:
    Routing from the server subnet (192.168.1.x) to the client subnet (192.168.2.x) does **NOT** work correctly if the server is in daemon mode.
     
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You won't be able to ping 10.8.0.2. What about 10.8.0.6? If you log into the server router, can you ping 10.8.0.6 or the client subnet from there?

    The only way I can think of that would make it so you can ping one direction and not the other is a NAT. Can you provide the output of
    Code:
    iptables -t nat -nvL
    on each router?
     
  50. chuckj

    chuckj Addicted to LI Member

    Problem solved, my apologies for being naive.

    On the server, under VPN-Server1-Advanced-Client Specific Options,
    the client Common Name must match the client name used for the TLS client certificate and key.

    In retrospect, that is obvious...

    Thanks again!
     
  51. XMoA

    XMoA Addicted to LI Member

    my server router ip = 192.168.40.1
    IP Address Range = 192.168.40.0 - 192.168.40.149
    my laptop ip = 192.168.40.123
    VPN server config: TAP, UDP, PORT, Firewall: auto, TLS, Extra HMAC = disabled, Client address pool = DHCP


    my friends client router ip = 192.168.40.2
    IP Address Range = 192.168.40.150 - 192.168.40.200
    his pc ip = 192.168.40.180
    VPN client config = TAP, UDP, my public IP, Firewall: auto, TLS, Extra HMAC = disabled, Create NAT on Tunnel = ON

    vpn server is started and his router is also connected but he can't access my router or ping it

    with TUN it worked
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Can you ping the server router from the client router itself?
     
  53. forprivate

    forprivate Guest

    Thanks for your great work. Your mod is so powerful in terms of VPN!

    Is it possible to implement 4-6 OpenVPN server and client instances?

    Also, is it possible to add PPTP server function? This is particularly useful for WinXP client because there is no need to install any software on the the client machine, just give them the login and password.
     
  54. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think these routers would have the horsepower to run that many...
    It's something I've considered, but would need to find the time to do it. It would have very little in common with what I've done, so it would mostly be starting from scratch.
     
  55. das_mus

    das_mus Addicted to LI Member

    hi,
    first of all thanks for this awesome mod, it works perfectly for me! I've been using dd-wrt for a few months and it took me tens of hours to set up a vpn-server for it. With this mod I set it up in about 10 minutes! :)

    I am just wondering about the "Response to DNS" option. I'm using a bridged interface and if this option is unchecked, it responds to DNS anyway.

    I also think I know why that is:
    In /etc/dnsmasq.conf interface=br0 is set by default; if "Response to DNS" is checked, interface=tap21 is added to /etc/dnsmasq.conf. But when using a bridged interface, tap21 is part of br0 anyway and will therefore respond to DNS queries, right?
    I don't think this is a problem, I just noticed it and wanted to let you know! :)

    Another thing: If the clients get their IP address and their DNS server via DHCP, is there even a point in setting "Advertise DNS to clients"? Because I didn't set it, and when using redirect-gateway the client will use the VPN server as the primary DNS server just fine (tested on Windows 7 RC with the latest OpenVPN version). I'm not sure about this one, so I'm just asking. ;)

    anyway, thanks again for this awesome mod and keep up the good work :)
     
  56. gawd0wns

    gawd0wns LI Guru Member

    TAP will not work because you and your friend have the same network subnet (192.168.40.x). THEY MUST BE DIFFERENT. When you run on tap, the entire subnet is pushed to the client, and an ip from the host network is assigned to the client. This will create a conflict and break everything if they are the same. Tell your client to change to subnet 192.168.41.XXX. TUN works between two individual points, so it can work within the same subnet.

    After you change that, quickly run through the following. If compression is enabled on the host, ensure you have 'comp-lzo yes' in the client config. If it is disabled, ensure you have 'comp-lzo no' in the client config. I'm not sure what to put if you specify adaptive compression.

    Next, push DNS settings to the client. Create this line in your host config:
    push dhcp-option DNS 192.168.40.1
     
  57. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good points. Those settings were meant for TUN and shouldn't be available for TAP (since they don't do much of anything). I'll try to remember to make them not visible if TAP is selected for the next version.
     
  58. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Quite the opposite. TAP is meant to work with the subnet being the same on each endpoint, and TUN is meant to work with them being different on each endpoint (though is not strictly necessary unless you want access to the server subnet).

    Also, he should worry about getting pinging to work before messing around with DNS. In fact, I doubt he'd even want to push DNS at all for what he needs. But, if he did, there's a GUI option for it and no need to add a line to the custom config.
     
  59. bokken

    bokken Addicted to LI Member

    routing problem?

    Firstly, thanks for a great mod. Really is appreciated.

    I started going through this thread and although I have found some extremely useful info/help my problem seems to be unique.

    I currently have 2 tomatoed WRT54GL's running in separate countries

    My settings are as follows:

    Server
    LAN Subnet - 192.168.1.0/24
    Start with Router - Checked
    Interface Type - TUN
    Protocol - TCP
    Port - 1194
    Firewall - Auto
    Authorization Mode - Static Key
    Local/remote endpoint addresses - 172.16.1.1 172.16.1.2

    Client
    LAN Subnet - 192.168.0.0/24
    Start with Router - Checked
    Interface Type - TUN
    Protocol - TCP
    Server Address/Port - Server_IP 1194
    Firewall - Auto
    Authorization Mode - Static Key
    Create NAT on tunnel - checked
    Local/remote endpoint addresses - 172.16.1.2 172.16.1.1


    Essentially the setup is as simple as can be.

    I can ping the remote endpoint addresses from each router with no problems (i.e. server can ping 172.16.1.2 and client can ping 172.16.1.1).

    The problem is I can't seem to get the routing working properly, regardless of my routing setup.

    Currently the routing tables look like the following:

    Server
    # route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    172.16.1.2 * 255.255.255.255 UH 0 0 0 tun21
    xx.xxx.xxx.xx * 255.255.255.248 U 0 0 0 vlan1
    192.168.1.0 * 255.255.255.0 U 0 0 0 br0
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default xx.xxx.xxx.xx 0.0.0.0 UG 0 0 0 vlan1
    #

    Client
    # route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    172.16.1.1 * 255.255.255.255 UH 0 0 0 tun11
    xx.xxx.xxx.xx * 255.255.255.248 U 0 0 0 vlan1
    192.168.0.0 * 255.255.255.0 U 0 0 0 br0
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default xx.xxx.xxx.xx 0.0.0.0 UG 0 0 0 vlan1

    I need to make sure the 192.168.1.0/24 subnet can get to the 192.168.0.0/24 subnet and vice versa.

    Now normally I would assume you would add a route on the server (and vice versa) such as

    # route add 192.168.0.0/24 dev tun21
    route: netmask 000000ff and host route conflict

    But as you can see, it doesn't let me as it gives me the error message. I cannot see a conflict but maybe I am reading it wrong.

    The whole reason for this setup is because the country I am in at the moment restricts VoIP. I need to route all VoIP traffic to the client router in Australia.

    So the traffic flow would be

    VoIP-ATA (192.168.1.x) -> Server -> VPN (172.16.1.x) -> Client (192.168.0.x) -> Internet -> Client -> VPN -> Server -> VoIP-ATA

    I tried to put as much info as possible into this post, but please let me know if I missed something. I hope its clear enough.

    Is there anything glaringly obvious that I am missing?

    Thanks in advance.
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First let me point out that if you used TLS instead of static key, the firmware would take care of those routes for you.

    However, the problem with your route command is just syntax. Try:
    Code:
    route add -net 192.168.0.0 netmask 255.255.255.0 dev tun21
     
  61. bokken

    bokken Addicted to LI Member

    routing still

    OK, thanks for that.

    I wiped out the previous config and am now using TLS.

    The VPN seems to come up fine (can see counters incrementing)

    Server reports the following:

    Common Name Real Address Virtual Address Bytes Received Bytes Sent Connected Since
    UNDEF client_public_IP:2049 28 48 Tue Sep 8 06:31:32 2009

    Client show steady increase in counters.

    The routing table on the server looks as below:

    # route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    172.16.1.2 * 255.255.255.255 UH 0 0 0 tun21
    87.200.115.16 * 255.255.255.248 U 0 0 0 vlan1
    192.168.1.0 * 255.255.255.0 U 0 0 0 br0
    172.16.1.0 172.16.1.2 255.255.255.0 UG 0 0 0 tun21
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default 87.200.115.17 0.0.0.0 UG 0 0 0 vlan1
    # ping 172.16.1.2
    PING 172.16.1.2 (172.16.1.2): 56 data bytes

    --- 172.16.1.2 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss

    As you can see I can't ping the client router.

    The client router shows no sign of the tunnelled interface (routing table shows WAN, LAN and loopback only) and obviously I cannot ping the servers IP.

    Where am I going wrong? Sorry for being a newbie.

    Thanks in advance.

    edit - for clarity, I am using UDP/TLS/TUN. Everything else is left as default (except the ip range which is 172.16.1.x/24).

    edit2 - I just noticed the counters increment to about 1000 or so and then reset to 0 and start again rising to about 1000. Perhaps the tunnel isn't coming up after all.

    edit3 - here is the output of /var/log/messages

    Sep 8 06:49:36 netscreen daemon.err openvpn[803]: 211.30.121.103:2051 TLS Error: Unroutable control packet received from 211.30.121.103:2051 (si=3 op=P_CONTROL_V1)
    Sep 8 06:49:37 netscreen daemon.err openvpn[803]: 211.30.121.103:2051 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sep 8 06:49:37 netscreen daemon.err openvpn[803]: 211.30.121.103:2051 TLS Error: TLS handshake failed
    Sep 8 06:49:37 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 SIGUSR1[soft,tls-error] received, client-instance restarting
    Sep 8 06:49:38 netscreen daemon.notice openvpn[803]: MULTI: multi_create_instance called
    Sep 8 06:49:38 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 Re-using SSL/TLS context
    Sep 8 06:49:38 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 LZO compression initialized
    Sep 8 06:49:38 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sep 8 06:49:38 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sep 8 06:49:38 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 TLS: Initial packet from 211.30.121.103:2051, sid=9d36b80a d440feb3
    Sep 8 06:49:38 netscreen daemon.err openvpn[803]: 211.30.121.103:2051 TLS Error: Unroutable control packet received from 211.30.121.103:2051 (si=3 op=P_CONTROL_V1)
    Sep 8 06:49:39 netscreen daemon.err openvpn[803]: 211.30.121.103:2051 TLS Error: Unroutable control packet received from 211.30.121.103:2051 (si=3 op=P_CONTROL_V1)
    <snip>
    Sep 8 06:49:56 netscreen daemon.err openvpn[803]: 211.30.121.103:2051 write UDPv4 []: No buffer space available (code=132)
    Sep 8 06:49:56 netscreen daemon.err openvpn[803]: 211.30.121.103:2051 write UDPv4 []: No buffer space available (code=132)
    Sep 8 06:49:59 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 TLS: new session incoming connection from 211.30.121.103:2051
    Sep 8 06:49:59 netscreen daemon.err openvpn[803]: 211.30.121.103:2051 TLS Error: reading acknowledgement record from packet
    Sep 8 06:50:00 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 TLS: new session incoming connection from 211.30.121.103:2051
    Sep 8 06:50:01 netscreen daemon.notice openvpn[803]: 211.30.121.103:2051 TLS: new session incoming connection from 211.30.121.103:2051

    I have just called my router netscreen, it is a WRT54GL with tomato 1.25vpn3.4

    edit 4 - I have just changed the MTU on both routers to 1340 as I was suspecting an MSS problem. This seems to have reduced the log messages to the following.

    Server
    # tail /var/log/messages
    Sep 8 07:01:20 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:01:20 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:01:23 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:01:25 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:01:25 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:02:01 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:02:03 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:02:03 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:02:03 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    Sep 8 07:02:03 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 write UDPv4 []: No buffer space available (code=132)
    <snip>
    # tail /var/log/messages
    Sep 8 07:05:32 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet
    Sep 8 07:05:32 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet
    Sep 8 07:05:33 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet
    Sep 8 07:05:33 netscreen daemon.notice openvpn[803]: 211.30.121.103:2054 TLS: new session incoming connection from 211.30.121.103:2054
    Sep 8 07:05:33 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet
    Sep 8 07:05:37 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet
    Sep 8 07:05:39 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet
    Sep 8 07:05:39 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet
    Sep 8 07:05:39 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet
    Sep 8 07:05:40 netscreen daemon.err openvpn[803]: 211.30.121.103:2054 TLS Error: reading acknowledgement record from packet


    Client
    # tail /var/log/messages
    Sep 8 13:02:15 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:15 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:15 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:15 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:16 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:16 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:16 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:28 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:29 gwmum daemon.err openvpn[817]: TLS Error: Unroutable control packet received from 87.200.115.19:1194 (si=3 op=P_CONTROL_V1)
    Sep 8 13:02:40 gwmum daemon.notice openvpn[817]: TLS: Initial packet from 87.200.115.19:1194, sid=0fcecf37 bd287d54
    <snip>
    Sep 8 13:06:16 gwmum daemon.notice openvpn[817]: Restart pause, 2 second(s)
    Sep 8 13:06:18 gwmum daemon.warn openvpn[817]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sep 8 13:06:18 gwmum daemon.warn openvpn[817]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sep 8 13:06:18 gwmum daemon.notice openvpn[817]: Re-using SSL/TLS context
    Sep 8 13:06:18 gwmum daemon.notice openvpn[817]: LZO compression initialized
    Sep 8 13:06:18 gwmum daemon.notice openvpn[817]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sep 8 13:06:18 gwmum daemon.notice openvpn[817]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sep 8 13:06:18 gwmum daemon.notice openvpn[817]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Sep 8 13:06:18 gwmum daemon.notice openvpn[817]: UDPv4 link local: [undef]
    Sep 8 13:06:18 gwmum daemon.notice openvpn[817]: UDPv4 link remote: 87.200.115.19:1194

    Sorry for the extraordinarily long post :biggrin:
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For two-way communication you need to fill out the "Manage client-specific options" table in the VPN server router with the LAN details of the various clients. Then you should make sure to uncheck the "NAT" checkbox on the client.

    Then the LANs should be able to see each other fine. If you still have problems after making those settings, we'll see if we can figure something out.
     
  63. bokken

    bokken Addicted to LI Member

    OK, so I did as instructed. Still no luck. Strangely, when I added the subnets it crashed the router (I had to do a factory default). This was whether I clicked "Push" or not.

    Putting in specific hosts stopped this from happening.

    /var/log/messages below

    Server
    Sep 8 17:22:01 unknown daemon.warn httpd[317]: Invalid ID '' from 192.168.1.125 for /tomato.cgi
    Sep 8 17:22:01 unknown authpriv.info dropbear[318]: Child connection from 192.168.1.125:44806
    Sep 8 17:22:05 unknown authpriv.notice dropbear[318]: password auth succeeded for 'root' from 192.168.1.125:44806
    Sep 8 17:22:19 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Sep 8 17:22:21 unknown user.info kernel: device tun21 entered promiscuous mode
    Sep 8 17:22:21 unknown daemon.notice openvpn[363]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    Sep 8 17:22:21 unknown daemon.warn openvpn[363]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: Diffie-Hellman initialized with 1024 bit key
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: TUN/TAP device tun21 opened
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: TUN/TAP TX queue length set to 100
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: /sbin/ifconfig tun21 172.16.1.1 pointopoint 172.16.1.2 mtu 1500
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: /sbin/route add -net 192.168.0.1 netmask 255.255.255.255 gw 172.16.1.2
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: /sbin/route add -net 192.168.1.1 netmask 255.255.255.0 gw 172.16.1.2
    Sep 8 17:22:22 unknown daemon.warn openvpn[363]: ERROR: Linux route add command failed: external program exited with error status: 1
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: /sbin/route add -net 172.16.1.0 netmask 255.255.255.0 gw 172.16.1.2
    Sep 8 17:22:22 unknown daemon.notice openvpn[363]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sep 8 17:22:22 unknown daemon.notice openvpn[371]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Sep 8 17:22:22 unknown daemon.notice openvpn[371]: UDPv4 link local (bound): [undef]:1194
    Sep 8 17:22:22 unknown daemon.notice openvpn[371]: UDPv4 link remote: [undef]
    Sep 8 17:22:22 unknown daemon.notice openvpn[371]: MULTI: multi_init called, r=256 v=256
    Sep 8 17:22:22 unknown daemon.notice openvpn[371]: IFCONFIG POOL: base=172.16.1.4 size=62
    Sep 8 17:22:22 unknown daemon.notice openvpn[371]: Initialization Sequence Completed
    Sep 8 17:22:25 unknown daemon.err openvpn[371]: event_wait : Interrupted system call (code=4)
    Sep 8 17:22:45 unknown cron.err crond[89]: time disparity of 20873242 minutes detected


    Client
    Sep 8 17:02:58 gwmum daemon.notice openvpn[1325]: Closing TUN/TAP interface
    Sep 8 17:02:58 gwmum daemon.notice openvpn[1325]: /sbin/ifconfig tun11 0.0.0.0
    Sep 8 17:02:58 gwmum daemon.notice openvpn[1325]: SIGTERM[soft,auth-failure] received, process exiting
    Sep 8 17:09:34 gwmum daemon.info dnsmasq[988]: DHCPINFORM(br0) 192.168.0.136 00:21:27:ff:8f:cb
    Sep 8 17:09:34 gwmum daemon.info dnsmasq[988]: DHCPACK(br0) 192.168.0.136 00:21:27:ff:8f:cb butter
    Sep 8 17:13:48 gwmum daemon.notice openvpn[1380]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    Sep 8 17:13:48 gwmum daemon.warn openvpn[1380]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sep 8 17:13:48 gwmum daemon.warn openvpn[1380]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sep 8 17:13:49 gwmum daemon.notice openvpn[1380]: LZO compression initialized
    Sep 8 17:13:49 gwmum daemon.notice openvpn[1380]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sep 8 17:13:49 gwmum daemon.notice openvpn[1380]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sep 8 17:13:49 gwmum daemon.notice openvpn[1384]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Sep 8 17:13:49 gwmum daemon.notice openvpn[1384]: UDPv4 link local: [undef]
    Sep 8 17:13:49 gwmum daemon.notice openvpn[1384]: UDPv4 link remote: 87.200.115.19:1194
    Sep 8 17:13:50 gwmum daemon.notice openvpn[1384]: TLS: Initial packet from 87.200.115.19:1194, sid=face8174 a8e8faa9
    Sep 8 17:13:52 gwmum daemon.err openvpn[1384]: event_wait : Interrupted system call (code=4)
    Sep 8 17:14:07 gwmum daemon.notice openvpn[1384]: VERIFY OK: depth=1, /C=AU/ST=NSW/L=Sydney/O=muslim/CN=openvpn/Email=omar@omarabas.com
    Sep 8 17:14:07 gwmum daemon.notice openvpn[1384]: VERIFY OK: depth=0, /C=AU/ST=NSW/O=muslim/CN=server/Email=omar@omarabas.com
    Sep 8 17:14:24 gwmum daemon.notice openvpn[1384]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sep 8 17:14:24 gwmum daemon.notice openvpn[1384]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 8 17:14:24 gwmum daemon.notice openvpn[1384]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sep 8 17:14:24 gwmum daemon.notice openvpn[1384]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 8 17:14:24 gwmum daemon.notice openvpn[1384]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Sep 8 17:14:24 gwmum daemon.notice openvpn[1384]: [server] Peer Connection Initiated with 87.200.115.19:1194
    Sep 8 17:14:25 gwmum daemon.notice openvpn[1384]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sep 8 17:14:27 gwmum daemon.notice openvpn[1384]: AUTH: Received AUTH_FAILED control message
    Sep 8 17:14:27 gwmum daemon.notice openvpn[1384]: TCP/UDP: Closing socket
    Sep 8 17:14:27 gwmum daemon.notice openvpn[1384]: SIGTERM[soft,auth-failure] received, process exiting
    Sep 8 17:24:25 gwmum auth.info login[1394]: root login on 'pts/0'
    #


    thanks again.

    note - the vpn doesn't seem to come up anymore. The server side doesn't show any connections
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It looks like things aren't right in your client-specific options table. Could you respond with what you put there?
     
  65. bokken

    bokken Addicted to LI Member

    There are two entries.

    192.168.0.0/24 and 192.168.1.0/24. The problem is, if I put it in like that, it crashes and is unrecoverable except through factory defaults.

    There are two entries, 192.168.0.1/24 and 192.168.1.1/24

    When I put the routes in like this it doesn't crash the router although it's obvious that something is wrong. I stumbled across this because I hit the save button early.

    Even if I remove both of those routes and put only specific hosts (192.168.0.1/32 and 192.168.1.1/32) it still doesn't work.

    Thanks for your help so far, it really is appreciated.
     
  66. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You're having problems because you're putting the server subnet in the client-specific table. This is causing 192.168.1.0/24 traffic to go over the tunnel, when you want it going over the LAN. Just put the client subnet in the client-specific table (being sure to use the commonname from the client's TLS certificate) and you should be fine.
     
  67. das_mus

    das_mus Addicted to LI Member

    hi,
    I just bought a second WRT54GL and wanted to set up a client on it, which is connecting to another WRT54GL running an OpenVPN server.

    Both routers have the subnet 10.17.24.0/24.
    The router that is running the server is 10.17.24.254. The router that is running the client has 10.17.24.252.

    I can connect just fine (log shows no errors), but I simply couldn't ping the server, let alone the clients behind it.

    After some trial-and-error I found out that everything works fine as soon as I ssh into the router and type "ifconfig tap11 up". Seems like tap11 is down after the OpenVPN connection has been established.

    Is this a bug or am I simply doing something wrong? :confused:
     
  68. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, that is odd. Do you have the "Server is on the same subnet" checkbox selected? Can you provide the output of ifconfig when it is in the non-working state?
     
  69. das_mus

    das_mus Addicted to LI Member

    yes, "Server is on the same subnet" is checked.

    Code:
    br0        Link encap:Ethernet  HWaddr 00:25:9C:2B:92:8B  
               inet addr:10.17.24.252  Bcast:10.17.24.255  Mask:255.255.255.0
               UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
               RX packets:13884 errors:0 dropped:0 overruns:0 frame:0
               TX packets:10382 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0 
               RX bytes:2400904 (2.2 MiB)  TX bytes:6893351 (6.5 MiB)
    
    eth0       Link encap:Ethernet  HWaddr 00:25:9C:2B:92:8B  
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:19436 errors:0 dropped:0 overruns:0 frame:0
               TX packets:17880 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100 
               RX bytes:8363873 (7.9 MiB)  TX bytes:6020907 (5.7 MiB)
               Interrupt:4 Base address:0x1000 
    
    eth1       Link encap:Ethernet  HWaddr 00:25:9C:2B:92:8D  
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:2179 errors:0 dropped:0 overruns:0 frame:4510
               TX packets:3022 errors:293 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100 
               RX bytes:189296 (184.8 KiB)  TX bytes:3323892 (3.1 MiB)
               Interrupt:2 Base address:0x5000 
    
    lo         Link encap:Local Loopback  
               inet addr:127.0.0.1  Mask:255.0.0.0
               UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
               RX packets:34 errors:0 dropped:0 overruns:0 frame:0
               TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0 
               RX bytes:2712 (2.6 KiB)  TX bytes:2712 (2.6 KiB)
    
    vlan0      Link encap:Ethernet  HWaddr 00:25:9C:2B:92:8B  
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:10020 errors:0 dropped:0 overruns:0 frame:0
               TX packets:8775 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0 
               RX bytes:1667867 (1.5 MiB)  TX bytes:4260386 (4.0 MiB)
    
    vlan1      Link encap:Ethernet  HWaddr 00:25:9C:2B:92:8C  
               inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.xx  Mask:255.255.248.0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:9416 errors:0 dropped:0 overruns:0 frame:0
               TX packets:9105 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0 
               RX bytes:6346158 (6.0 MiB)  TX bytes:1760521 (1.6 MiB)
    
    edit: obviously, tap11 is not displayed because it is down. "ifconfig tap11" outputs the following:
    Code:
    tap11      Link encap:Ethernet  HWaddr 00:FF:1F:DE:94:8E  
               BROADCAST MULTICAST  MTU:1500  Metric:1
               RX packets:9 errors:0 dropped:0 overruns:0 frame:0
               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100 
               RX bytes:1011 (1011.0 B)  TX bytes:0 (0.0 B)
    
     
  70. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    And, what does it do if instead of bringing up tap11 directly, you run:
    Code:
    brctl addif br0 tap11
    ifconfig br0 promisc up
    This is what the firmware does, so if there is an error message there it would hopefully explain what's going wrong.
     
  71. das_mus

    das_mus Addicted to LI Member

    "brctl addif br0 tap11" outputs "device tap11 is already a member of a bridge; can't enslave it to bridge br0.".
    "ifconfig br0 promisc up" does nothing, it still doesn't work. Seems like bringing up br0 does not automatically bring up its interfaces (including tap11). I have a ping on the server running in the background and I see a response immediately after I type "ifconfig tap11 up".
     
  72. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, I know this used to work, so I wonder if the updated busybox in the last version of Tomato changed this behavior. I specifically remember originally trying to bring up the tap device directly, but having to change it to bringing up the bridge. Maybe I was working around a bug that they fixed...

    In any case, I'll play around with it and fix it in the next release.

    In the meantime, you can add
    Code:
    echo "ifconfig tap11 up" > /tmp/tap11up.sh
    to your init script and
    Code:
    up /tmp/tap11up.sh
    to your custom config (as long as you aren't using the "Accept DNS" option - if you are, we'll need to do it a little different).
     
  73. das_mus

    das_mus Addicted to LI Member

    thx, looking forward to seeing a fixed version soon. :)
     
  74. das_mus

    das_mus Addicted to LI Member

    hi, it's me again. :biggrin:

    my site-to-site VPN is working fine so far with the "ifconfig tap11 up" workaround, there is just one problem: I now have 2 DHCP servers in my network - the Tomato router running the OpenVPN server and the router running the client. Can I somehow prevent DHCP packets from going through the VPN tunnel, so that all PCs get their IP only from their local DHCP server?
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's one of the biggest reasons I always tell people to use TUN (with different subnets) rather than TAP unless it is explicitly needed.

    I don't know off-hand how to prevent that, but I'm pretty sure Google should turn some things up for you.
     
  76. Delta221

    Delta221 Addicted to LI Member

    Maybe a firewall rule could be added to the router hosting your device to block outgoing DHCP requests? If successful, you could put in the same rule on the other router, to contain its own DHCP requests from reaching your server/client.

    I'm not great with iptables, but I'll see if I can hash something out.. I'm running a TAP+static key setup between two routers and I am seeing the same thing. For now, setting the IP and gateway addresses manually on your clients could help ensure no unintended traffic will be forwarded over the tunnel.
     
  77. das_mus

    das_mus Addicted to LI Member

    DHCP seems to be using UDP 67/68. I'm not really familiar with iptables, but shouldn't it be possible to simply block those ports on the TAP interface?
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, probably. I've just never tried it.

    Completely untested, but I think the following might work (replace tap21 with tap11 (or tap22 or tap12) as appropriate):
    Code:
    iptables -t nat -I PREROUTING -i tap21 -p udp --dport 67:68 -j DROP
    
    You might also try changing PREROUTING to POSTROUTING and -i to -o to try and catch them before they go over the tunnel instead of after.
     
  79. Delta221

    Delta221 Addicted to LI Member

    I'd love to try it... Though one of my routers is offline :(...Let me know if it works das_mus!
     
  80. das_mus

    das_mus Addicted to LI Member

    I disabled the DHCP-Server on the OpenVPN-Client for testing. Then I tried both commands on the OpenVPN-Server via SSH, but it responded to DHCP-requests anyway...so no, it didn't work. :(
    Code:
    iptables -t nat -I PREROUTING -i tap21 -p udp --dport 67:68 -j DROP
    iptables -t nat -I POSTROUTING -o tap21 -p udp --dport 67:68 -j DROP
    edit:
    I also tried to add the following to Advanced -> DHCP/DNS -> Custom Configuration.
    Code:
    no-dhcp-interface=tap21
    This tells dnsmasq to not listen to DHCP-requests on tap21. But that doesn't work either, probably because it is still listening on br0, which tap21 is a part of.
     
  81. Delta221

    Delta221 Addicted to LI Member

    I've decided to try establishing a TUN/TLS connection. The machines on the client LAN can access the machines on the server LAN, however, the client subnet is not visible to anyone on the OpenVPN server LAN, or to the server. How to solve this?

    I put "route 100.100.100.0 255.255.255.0" into the server configuration, and ran
    "route add -net 100.100.100.0 netmask 255.255.255.0 gw 10.8.0.2 dev tun21" though I cannot connect to anyone on the client subnet.

    I also tried placing a file(named after the common name of my client) in the ccd folder with iroute x.x.x.x 255.255.255.0 and it did not work either.

    I also tried enabling client specific options, and put in the client subnet in the list, with enable checked off, it did not work. When I checked off push, my client router froze. I also tried push "route 100.100.100.0 255.255.255.0" in my client configuration, but it did not succeed as well... I knew you could not push to a server, but tried anyway.

    Which piece of the puzzle am I missing? When I uncheck "Create NAT" in the client config, I am no longer able to access the server subnet, so I have to leave it checked.
     
  82. peter_m

    peter_m Addicted to LI Member

    Just to be sure I don't brick anything, can the "1.25vpn3.4" run on the WRT54GL v1.1 ?

    Peter
     
  83. Delta221

    Delta221 Addicted to LI Member

    Yes. I am running Tomato on a WRT54GL 1.1
     
  84. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    To get server LAN -> client LAN communication, you need to do two things. Uncheck the NAT box on the client and fill in the client-specific options table on the server. Be absolutely sure, though, that you put the correct CommonName in the table (the CommonName used to create the client TLS certificate), or it won't work. You won't need to use "push" unless you want the different clients to see each other.
     
  85. Delta221

    Delta221 Addicted to LI Member

    I'm 100% sure it is the same. What I find odd is that the client LAN subnet does appear in the server's routing table after the connection is established, though it still does not work.

    I can ping 10.8.0.2 (the client router), but I cannot ping 192.168.2.1 (the client router), or reach anyone on 192.168.2.*.

    My server config is simple:

    replay-window 60 15
    chroot /tmp/openvpn/
    fragment 1500
    keepalive 10 120
    group nobody
    user nobody
    persist-key
    persist-tun
    ;client-config-dir /tmp/openvpn/ccd
    route 192.168.2.0 255.255.255.0

    So so close... I'm wondering if the client router needs an "Accept DNS option" or something else I have to set?... Though my firewall does not show any reject DNS attempts.
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, DNS isn't needed at all for this.

    Can you post the server logs for when the client connects (using the client-specific options table)? It should have lines similar to
    Code:
    Sep 24 11:17:17 router daemon.notice openvpn[12938]: <CommonName>/<Client IP>:1038 MULTI: internal route 192.168.2.0/24 -> <CommonName>/<Client IP>:1038
    Sep 24 11:17:17 router daemon.notice openvpn[12938]: <CommonName>/<Client IP>:1038 MULTI: Learn: 192.168.2.0/24 -> <CommonName>/<Client IP>:1038
    
     
  87. Delta221

    Delta221 Addicted to LI Member

    Only one of those lines is present in the log:

    daemon.notice openvpn[488]: MULTI: Learn: 10.8.0.6 -> client/xx.xx.xx.152:2050
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That is how it would be if the client-specific options entry wasn't being triggered.

    Could you post the output of
    Code:
    cat /etc/openvpn/server1/config.ovpn
    ls /etc/openvpn/server1/ccd/*
    cat /etc/openvpn/server1/ccd/*
    
    along with the "VERIFY OK" lines from your server log when the client connects?
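    The diagnostic above (match the CN from the "VERIFY OK: depth=0" line against the client-specific entry, then look for the "MULTI: internal route" / "Learn:" lines for the client's subnet) can be automated. The following is an added example, not code from the firmware or from anyone in this thread: it reads OpenVPN server log lines and reports which of the three states the server is in. The sample lines are constructed from the patterns quoted in the thread, with 203.0.113.10 standing in for the client's public address.

```python
"""Did the client-specific options (the iroute) for a client actually fire?

Added example, not code from the Tomato firmware or the thread. It scans
OpenVPN server log lines for the client's certificate CN and for the routes
the server learned for that CN, and returns one of three diagnoses.
"""
import re
from typing import Dict, List

# Certificate CN of the connecting client (depth=0 is the client cert, depth=1 the CA).
VERIFY_RE = re.compile(r"VERIFY OK: depth=0, (?P<dn>\S+)")
CN_RE = re.compile(r"/CN=(?P<cn>[^/]+)")
# Routes the server attributes to a client: iroute from the ccd file, or a learned address.
IROUTE_RE = re.compile(r"MULTI: internal route (?P<dst>\S+) -> (?P<cn>[^/ ]+)/")
LEARN_RE = re.compile(r"MULTI: Learn: (?P<dst>\S+) -> (?P<cn>[^/ ]+)/")


def analyse(lines: List[str], expected_cn: str, expected_subnet: str) -> Dict[str, object]:
    """Compare what the log shows against the CN and subnet entered in the table."""
    verified_cns: List[str] = []
    routes: Dict[str, set] = {}
    for line in lines:
        m = VERIFY_RE.search(line)
        if m:
            cn = CN_RE.search(m.group("dn"))
            if cn:
                verified_cns.append(cn.group("cn"))
        for rx in (IROUTE_RE, LEARN_RE):
            m = rx.search(line)
            if m:
                routes.setdefault(m.group("cn"), set()).add(m.group("dst"))

    cn_verified = expected_cn in verified_cns
    iroute_applied = expected_subnet in routes.get(expected_cn, set())
    if not cn_verified:
        diagnosis = ("certificate CN does not match the client-specific entry; "
                     f"CNs seen: {sorted(set(verified_cns)) or 'none'}")
    elif not iroute_applied:
        diagnosis = ("CN matched but no internal route was learned; check that "
                     "client-config-dir is reachable (a chroot can hide it) and the entry is enabled")
    else:
        diagnosis = "ok"
    return {"cn_verified": cn_verified, "iroute_applied": iroute_applied,
            "verified_cns": verified_cns, "routes": routes, "diagnosis": diagnosis}


# Constructed sample logs following the line formats quoted in the thread.
PREFIX = "Sep 24 11:17:17 router daemon.notice openvpn[12938]: client/203.0.113.10:1038 "
GOOD_LOG = [
    PREFIX + "VERIFY OK: depth=1, /C=CA/ST=CA/L=CA/O=none/CN=Certificate_Authority/Email=mail@host.domain",
    PREFIX + "VERIFY OK: depth=0, /C=CA/ST=CA/O=none/CN=client/Email=mail@host.domain",
    PREFIX + "MULTI: Learn: 10.8.0.6 -> client/203.0.113.10:1038",
    PREFIX + "MULTI: internal route 192.168.2.0/24 -> client/203.0.113.10:1038",
    PREFIX + "MULTI: Learn: 192.168.2.0/24 -> client/203.0.113.10:1038",
]
# CN verified, tunnel address learned, but the ccd entry never applied.
NO_IROUTE_LOG = GOOD_LOG[:3]
# Client certificate issued to a different CN ("laptop-old" is a constructed name).
CN_MISMATCH_LOG = [GOOD_LOG[0]] + [l.replace("client", "laptop-old") for l in GOOD_LOG[1:3]]

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("no iroute", NO_IROUTE_LOG), ("cn mismatch", CN_MISMATCH_LOG)):
        print(f"{name}: {analyse(log, 'client', '192.168.2.0/24')['diagnosis']}")
```

    Run against a real log with `grep openvpn /var/log/messages` piped in, the "no iroute" state is exactly the symptom described two posts back: one Learn line for the tunnel address and nothing for the LAN subnet.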
     
  89. Delta221

    Delta221 Addicted to LI Member

    # Automatically generated configuration
    daemon
    server 10.8.0.0 255.255.255.0
    proto udp
    port 5000
    dev tun21
    cipher BF-CBC
    comp-lzo no
    keepalive 15 60
    verb 3
    push "route 192.168.1.0 255.255.255.0"
    client-config-dir ccd
    client-to-client
    route 192.168.2.0 255.255.255.0
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status

    # Custom Configuration
    auth SHA1
    replay-window 60 15
    chroot /tmp/openvpn/
    fragment 1500
    keepalive 10 120
    group nobody
    user nobody
    persist-key
    persist-tun
    #

    # cd /etc/openvpn/server1/ccd
    #ls
    client
    # cat client
    iroute 192.168.2.0 255.255.255.0


    daemon.notice openvpn[1446]: client/xx.xx.10.82:2051 VERIFY OK: depth=1, /C=CA/ST=CA/L=CA/O=none/CN=Certificate_Authority/Email=mail@host.domain

    daemon.notice openvpn[1446]: client/xx.xx.10.82:2051 VERIFY OK: depth=0, /C=CA/ST=CA/O=none/CN=client/Email=mail@host.domain


    Destination Gateway Subnet Mask Metric Interface
    10.8.0.2 * 255.255.255.255 0 tun21
    192.168.2.0 10.8.0.2 255.255.255.0 0 tun21
    10.8.0.0 10.8.0.2 255.255.255.0 0 tun21
    192.168.1.0 * 255.255.255.0 0 br0 (LAN)
    xx.xx.10.0 * 255.255.254.0 0 vlan1 (WAN)
    127.0.0.0 * 255.0.0.0 0 lo
    default xx.xx.10.1 0.0.0.0 0 vlan1 (WAN)

    Strangely, my client is assigned the address 10.8.0.6, and not 10.8.0.2.
     


  90. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try getting rid of the chroot line. You're limiting OpenVPN to the /tmp/openvpn directory, so it can't get to the /etc/openvpn/server1/ccd directory when it needs to (when the client connects).
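    The configuration mistakes diagnosed in this thread can be caught before the tunnel is brought up: a client-specific entry that covers the server's own LAN (post #66), an entry with host bits set such as 192.168.0.1/24 (post #65), and a chroot that moves the client-config-dir lookup away from /etc/openvpn/server1/ccd (the post above). The following Python check is an added example, not code from the Tomato firmware or from anyone here; the subnets are the ones discussed in the thread, the entry lists are constructed, and the chroot model assumes what OpenVPN's chroot handling does, namely a chdir to "/" right after chroot(). It also renders the `-net`/`netmask` form of the route command that the router accepted earlier.

```python
"""Config sanity checks for a Tomato/OpenVPN site-to-site server.

Added example; not code from the firmware or from the thread. Subnets are the
ones discussed above (server LAN 192.168.1.0/24, client LAN 192.168.0.0/24,
tunnel 172.16.1.0/24); the entry lists passed in are constructed.
"""
import ipaddress
import posixpath
from typing import List, Optional, Tuple


def check_client_subnets(server_lan: str, tunnel: str,
                         entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, problem) for each client-specific entry that must not be there.

    An iroute tells the server to send that subnet's traffic down the tunnel, so
    the server's own LAN and the tunnel range are never valid entries, and an
    address with host bits set is not a network at all.
    """
    lan = ipaddress.ip_network(server_lan)
    tun = ipaddress.ip_network(tunnel)
    problems = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)  # rejects 192.168.0.1/24
        except ValueError:
            problems.append((entry, "host bits set; use the network address"))
            continue
        if net.overlaps(lan):
            problems.append((entry, "overlaps the server's own LAN"))
        elif net.overlaps(tun):
            problems.append((entry, "overlaps the tunnel subnet"))
    return problems


def effective_ccd_path(client_config_dir: str, cwd: str,
                       chroot: Optional[str] = None) -> str:
    """Where client-config-dir is resolved when a client connects.

    Without chroot a relative path hangs off the directory OpenVPN was started
    in. OpenVPN changes directory to "/" right after chroot(), so with chroot
    both a relative and an absolute path end up underneath the chroot directory.
    """
    if chroot is None:
        return posixpath.normpath(posixpath.join(cwd, client_config_dir))
    root = posixpath.normpath(chroot)
    return posixpath.normpath(posixpath.join(root, client_config_dir.lstrip("/")))


def ccd_hidden_by_chroot(client_config_dir: str, cwd: str, chroot: Optional[str]) -> bool:
    """True when chroot moves the ccd lookup away from where the files were written."""
    return (effective_ccd_path(client_config_dir, cwd, chroot)
            != effective_ccd_path(client_config_dir, cwd, None))


def route_add_command(subnet: str, dev: str) -> str:
    """Render the -net/netmask form that the router's BusyBox route accepted."""
    net = ipaddress.ip_network(subnet, strict=True)
    return f"route add -net {net.network_address} netmask {net.netmask} dev {dev}"


if __name__ == "__main__":
    # Constructed entries reproducing the attempts made in the thread.
    for entry, why in check_client_subnets("192.168.1.0/24", "172.16.1.0/24",
                                           ["192.168.0.0/24", "192.168.1.0/24", "192.168.0.1/24"]):
        print(f"bad entry {entry}: {why}")
    print("ccd resolved to", effective_ccd_path("ccd", "/etc/openvpn/server1", "/tmp/openvpn/"))
    print(route_add_command("192.168.0.0/24", "tun21"))
```

    With `chroot /tmp/openvpn/` in the custom config, the ccd lookup lands in /tmp/openvpn/ccd while the firmware writes the files to /etc/openvpn/server1/ccd, which is why the iroute is never applied even though the CN matches.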
     
  91. occamsrazor

    occamsrazor Network Guru Member

    I saw on the forum of an OpenVPN client I use, the following statement:

    ....the latest version of OpenVPN (version 2.1rc19). The OpenVPN team changed how the redirect-gateway flag functions: it now requires an argument to be specified. If none is specified, the command is ignored, and hence all traffic will not go through your VPN connection.
    If you are running your own OpenVPN server you should update it so it pushes out the command "redirect-gateway def1" instead of just "redirect-gateway" (which will no longer work with newer versions of OpenVPN)


    Is this taken care of automatically by the "Direct clients to redirect Internet traffic" checkbox, or does the updated command (with def1) need to be set manually?

    Just want to be sure... thanks...
     
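The two pitfalls above (SgtPepperKSU's point that a `chroot` makes the relative `client-config-dir` unreachable when a client connects, and the `redirect-gateway` push that newer clients ignore without `def1`) are both things a static check over the server directory can catch before a client ever connects. The script below is an added example written for this page; it is not part of the Tomato VPN build or of OpenVPN. It parses a config in the format Delta221 pasted (`config.ovpn` plus the files under `ccd/`), and reports: a `chroot` that leaves the ccd directory outside the new root, a `route` to a client LAN with no matching `iroute` in any ccd file, a pushed `redirect-gateway` without flags, a single-value directive set twice (the posted config has `keepalive` in both the generated and custom sections), and a 64-bit block cipher such as `BF-CBC`. The embedded `SAMPLE_CONFIG` and `SAMPLE_CCD` are constructed for the example (they add a second `route` and a bare `redirect-gateway` push that the original post does not have); `lint_dir` is a hypothetical helper for running the same checks against a real `/etc/openvpn/server1`.

```python
"""Static checks for a Tomato-style OpenVPN server directory (config.ovpn + ccd/).

Added example for this thread; not code from the Tomato VPN build or OpenVPN.
"""
import os
import shlex

# Constructed sample: mirrors the posted config but adds a second `route`
# and a bare `redirect-gateway` push so every check has something to find.
SAMPLE_CONFIG = """\
# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 5000
dev tun21
cipher BF-CBC
keepalive 15 60
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway"
client-config-dir ccd
client-to-client
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
# Custom Configuration
chroot /tmp/openvpn/
keepalive 10 120
user nobody
group nobody
"""
# Constructed ccd/ directory: one per-client file, as in the post.
SAMPLE_CCD = {"client": "iroute 192.168.2.0 255.255.255.0\n"}

WEAK_64BIT_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
SINGLE_VALUE = {"keepalive", "cipher", "port", "proto", "dev", "chroot", "verb"}


def parse_directives(text):
    """Return [(name, [args])] in file order; '#'/';' comment lines and blanks dropped.
    Inline <ca>...</ca> blocks are not handled (Tomato writes those to files)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route ..." as one argument
        out.append((parts[0], parts[1:]))
    return out


def check_chroot_vs_ccd(directives):
    """ccd files are opened per client-connect, i.e. after chroot()/chdir('/'),
    so the directory must exist at that path inside the new root."""
    chroot = next((a[0] for n, a in directives if n == "chroot" and a), None)
    ccd = next((a[0] for n, a in directives if n == "client-config-dir" and a), None)
    if not chroot or not ccd:
        return []
    root = os.path.normpath(chroot)
    inside = os.path.normpath(os.path.join(root, ccd.lstrip("/")))
    return [f"client-config-dir {ccd}: after chroot {root} OpenVPN looks for it at "
            f"{inside}; files under the config directory are unreachable"]


def check_iroute_coverage(directives, ccd_files):
    """Site-to-site: each `route` for a client LAN needs an `iroute` in a ccd file,
    otherwise the kernel hands packets to tun but OpenVPN has no client for them."""
    routes = {tuple(a[:2]) for n, a in directives if n == "route" and len(a) >= 2}
    iroutes = set()
    for body in ccd_files.values():
        for n, a in parse_directives(body):
            if n == "iroute" and len(a) >= 2:
                iroutes.add(tuple(a[:2]))
    return [f"route {net} {mask} has no matching iroute in any ccd file"
            for net, mask in sorted(routes - iroutes)]


def check_redirect_gateway(directives):
    """A pushed `redirect-gateway` with no flags is ignored by 2.1rc19+ clients."""
    return [f'push "{a[0]}": no flags; push "redirect-gateway def1" instead'
            for n, a in directives
            if n == "push" and a and a[0].split() == ["redirect-gateway"]]


def check_duplicates(directives):
    seen, notes = {}, []
    for n, a in directives:
        if n in SINGLE_VALUE:
            if n in seen:
                notes.append(f"{n}: set twice ({' '.join(seen[n])} then {' '.join(a)}); "
                             "the later line takes effect")
            seen[n] = a
    return notes


def check_cipher(directives):
    return [f"cipher {a[0]}: 64-bit block cipher; prefer AES-128-CBC or AES-256-CBC"
            for n, a in directives if n == "cipher" and a and a[0].upper() in WEAK_64BIT_CIPHERS]


def lint(config_text, ccd_files):
    d = parse_directives(config_text)
    findings = []
    for check in (check_chroot_vs_ccd, check_redirect_gateway, check_duplicates, check_cipher):
        findings += check(d)
    return findings + check_iroute_coverage(d, ccd_files)


def lint_dir(path):
    """Hypothetical helper: run the checks on a real directory such as /etc/openvpn/server1."""
    with open(os.path.join(path, "config.ovpn")) as f:
        cfg = f.read()
    ccd_dir, ccd = os.path.join(path, "ccd"), {}
    if os.path.isdir(ccd_dir):
        for name in os.listdir(ccd_dir):
            with open(os.path.join(ccd_dir, name)) as f:
                ccd[name] = f.read()
    return lint(cfg, ccd)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, SAMPLE_CCD):
        print("WARN:", finding)
```

On the router itself the ccd check is the one that matters most: with `chroot /tmp/openvpn/` the `iroute` file is never read, so the kernel route `192.168.2.0 -> 10.8.0.2` exists but OpenVPN drops the packets, which is exactly the "VERIFY OK but can't reach the remote LAN" symptom in the post above.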
  92. dvd-guy

    dvd-guy Guest

    Is there a GUI option for WINS? I don't see it.
     
  93. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's built in to the DNS options. If you have a WINS server IP set up in the server router, then selecting "Advertise DNS to clients" will send WINS along with the rest of the DNS stuff. If you then have "Accept DNS configuration" enabled on the client, it will accept the WINS setting from the server, and it will be as if you had entered that IP on the client (until it disconnects, of course).
     
  94. peter_m

    peter_m Addicted to LI Member

    I am not talking about plain jane Tomato, but SgtPepperKSU's flavor of Tomato with "VPN build with Web GUI" version 1.25vpn3.4 ... Does it run on WRT54GL?

    The reason I am being anal about this detail is I think I might have read it requires more flash memory or RAM than what the WRT54GL has... I hope I am wrong but I need to be sure.

    Thanks
    Peter
     
  95. Delta221

    Delta221 Addicted to LI Member

  96. Delta221

    Delta221 Addicted to LI Member

    Found the problem with my previous post. One of the routers was running tomatoVPN 3.3, after updating it, everything worked.

    Thanks for all of your help.
     
  97. jacgl

    jacgl Addicted to LI Member

    Hi,
    first of all, thank you for this fantastic GUI, it really helps.
    Two problems I discovered while playing with your mod and WRT54GL:

    -I use 2048bit keys; when I tried to configure a 2nd server, Tomato refused to write the proper config. Server crt was always empty. I tried several times, and the only way to manage was shortening all keys/crts to just the lines between BEGIN-END. Is it a lack of nvram area for keys? Better to use 1024bit keys?

    -The combination of server running, and client (of course connected to another server) with "Create NAT on tunnel" checked leads to a router hang. Router behaves strangely when the OpenVPN config is written (empty fields), and after reboot it definitely stops responding. I had to reset to defaults with the reset key to recover. Tested on two routers...

    Jacek
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    My guess is you're running into NVRAM and memory limits, respectively.
     
  99. toolbox

    toolbox Addicted to LI Member

    What does the "Direct clients to redirect Internet traffic" setting do? If I check mark it, does it mean all the client's internet traffic will route through the router via VPN before it goes out?
     
  100. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It tells the clients to do that, yes. They can still do some maneuvering on their end to avoid it. But, without deliberate effort, their internet traffic will route through the router via VPN when that option is selected.
     
