
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. Delta221

    Delta221 Addicted to LI Member

    While playing around and trying to get my config to work, I noticed something which might require a fix.

    When making a change to the server config while it is running, and hitting save, the server would stop and start back up again with the changes.

    When making a change on the client while running, I noticed the client would save the change and simply stop, requiring me to manually start the client up again (or wait until the scheduled "service vpnclient1 start" command was executed).

    It made things difficult to work with, I hope it can be solved.

    And a quick question before I go. After a while, on my server router, I notice a third line appears in the Status tab of my server (see line 3). I noticed this after I started running with persist-tun... I think this started showing up after I restarted my server router. What does it mean? Is it something to worry about?

    Virtual Address CN Real Address Last Ref
    10.8.0.6 user xx.xx.xx.xx:3065 Tue Sep 29 16:06:37 2009
    192.168.1.0/24 user xx.xx.xx.xx:3065 Tue Sep 29 16:06:37 2009
    192.168.1.1C user xx.xx.xx.xx:3065 Tue Sep 29 17:33:31 2009

    Thank you, and congratulations on having 100,000+ visits to the thread :thumbup:
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Odd. I'll see if I can find a reason why that would be.

    That's just OpenVPN learning about a particular machine on the client LAN because it sent traffic over it (it just happens to be the client router here).
     
  3. Delta221

    Delta221 Addicted to LI Member

    Thanks :)

    Just a heads-up... OpenVPN 2.1_rc20 is out. It looks like there are some significant changes/additions:


    Source: http://openvpn.net/index.php/open-source/documentation/change-log/71-21-change-log.html
     
  4. Bukkit

    Bukkit Addicted to LI Member

    I have had some strange behavior since yesterday. The port field of my VPN server1 became empty. I can re-enter the port number and save, but when I start the server it fails with "bad port : 0".
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That is strange. Try
    Code:
    nvram set vpn_server1_port=1194
    nvram commit
    from telnet/ssh.
     
  6. Bukkit

    Bukkit Addicted to LI Member

    I did, and went to the VPN server page. The port field was empty.

    I copied all my configs from the server 1 field to the server 2 field and wanted to press save. A message appeared saying I have to enter a port. I entered 443 in the server 1 port field and pressed save.
    Now the config is saved and I can start VPN server 1.

    Weird
     
  7. CypherBit

    CypherBit Network Guru Member

    TomatoVPN simultaneous connections

    I'm just wondering how many users/clients can a simple WRT54GL support simultaneously through VPN? That is if bandwidth isn't an issue.

    Does anyone have any experience in this area? I'm considering an implementation of this for a couple of customers but am not quite sure the limited specifications of the WRT54GL will take it.

    Is there another TomatoVPN friendly router that would be better suited for this?
     
  8. ipse

    ipse LI Guru Member

    Is there anyone out there using this build as a client for alonweb.com?
    Looking for suggestions on how to set it up as I keep getting these error messages:

    Oct 11 01:21:34 somerouter daemon.notice openvpn[32018]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    Oct 11 01:21:34 somerouter daemon.warn openvpn[32018]: WARNING: file '/jffs/au.txt' is group or others accessible
    Oct 11 01:21:34 somerouter daemon.warn openvpn[32018]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 11 01:21:34 somerouter daemon.warn openvpn[32018]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Oct 11 01:21:34 somerouter daemon.warn openvpn[32018]: Cannot load private key file client.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 eos
    Oct 11 01:21:34 somerouter daemon.err openvpn[32018]: Error: private key password verification failed
    Oct 11 01:21:34 somerouter daemon.notice openvpn[32018]: Exiting
    Oct 11 01:21:34 somerouter user.info init[1]: VPN_LOG_ERROR: 286: Starting OpenVPN failed...

    I populated the CA section and set it to TUN...looks like I'm missing something. The site requires authentication for which I provided u/p via a file.

    Thanks!

    PS I verified the credentials using the Windows client and it works fine.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The web GUI doesn't yet support password-only authentication. It only currently supports certificate/key-based authentication.
     
  10. ipse

    ipse LI Guru Member

    Thanks for the quick reply SgtPepperKSU (BTW: I LOVE your OpenVPN mod of Tomato...been using it for more than a year now).
    Was I misled by an earlier post indicating that u/p authentication works if the credentials are stored in a file?

    I have this line in custom settings:
    auth-user-pass /jffs/au.txt <<<<stored u/p in this file

    Cheers
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That makes it so that user/pass is used in addition to the certificates. I'll look into making it an option in the future.
     
  12. ipse

    ipse LI Guru Member

    Thanks! Looking forward to testing it ;)
     
  13. Paul

    Paul Addicted to LI Member

    Hello,

    TomatoVPN is by far the best firmware for OpenVPN I have seen. Thanks for your efforts.

    I am having some difficulties and would be grateful for some help.....

    The objective: plug a WRT54GL into any other ADSL router, and a computer or IP phone into the WRT54GL. The 54GL should auto-connect to one of the many OpenVPN privacy services.

    Important: OpenVPN should be used exclusively - if the VPN connection at the server end gets dropped, nothing should go out except OpenVPN reconnecting (maybe to the second OpenVPN connection if the first is down?). Also, double important, no DNS leaks - all dns lookups should go through the VPN server to its supplied dns address.

    I have so far managed to get the Username / Password working. Certificates are OK, but then get hung up with a 60 second TLS authentication handshake error. The internet keeps working but not through the VPN.

    The current adsl router is 192.168.1.254, the Linksys is given 192.168.1.65 ( .254 for gateway and dns) and I've set the WRT54GL to 192.168.3.1 The service I'm trying to connect to is www.perfect-privacy.com , here is their supplied ovpn:

    client
    dev tun
    remote steinsel.perfect-privacy.com 1149
    proto udp
    tun-mtu 1500
    fragment 1300
    mssfix
    float
    reneg-sec 86400
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    route-method exe
    route-delay 2
    ca stca.crt ;comment out if using pkcs12
    cert stclient.crt ;comment out if using pkcs12
    key stclient.key ;comment out if using pkcs12
    ###########################################################
    ## Specify a PKCS #12 file containing local private ##
    ## key, local certificate, and root CA certificate. ##
    ## This option can be used instead of ca, cert, and key. ##
    ## To use the PKCS #12 X.509 certificate instead of ##
    ## the ca, cert, and key files, uncomment the line below ##
    ## and comment the ca, cert, and key lines out. ##
    ## ##
    ## pkcs12 stclient.p12 ##
    ## ##
    ###########################################################
    tls-auth stta.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 4
    ns-cert-type server
    auth-user-pass password.txt
    inactive 604800
    ping 5
    ping-restart 60



    Here is my TomatoVPN solution for Username / Password:

    Copy this:

    echo USERNAME> /tmp/password.txt
    echo PASSWORD>> /tmp/password.txt

    to Administration<Script>Init


    and this:

    --script-security 2
    auth-user-pass /tmp/password.txt

    to Client>Advanced>Custom config




    And finally here is the error I'm getting:

    Oct 14 22:16:58 PIP daemon.err openvpn[338]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 22:16:58 PIP daemon.err openvpn[338]: TLS Error: TLS handshake failed
    Oct 14 22:16:58 PIP daemon.notice openvpn[338]: TCP/UDP: Closing socket
    Oct 14 22:16:58 PIP daemon.notice openvpn[338]: SIGUSR1[hard,tls-error] received, process restarting
    Oct 14 22:16:58 PIP daemon.notice openvpn[338]: Restart pause, 2 second(s)
    Oct 14 22:17:00 PIP daemon.warn openvpn[338]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: Re-using SSL/TLS context
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: LZO compression initialized
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: UDPv4 link local: [undef]
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: UDPv4 link remote: 212.117.160.22:1149
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: TLS: Initial packet from 212.117.160.22:1149, sid=4ea25468 fa0fa5e2
    Oct 14 22:17:00 PIP daemon.warn openvpn[338]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: VERIFY OK: depth=1, /C=LU/ST=Luxembourg/L=Steinsel/O=PP_Internet_Services/CN=OpenVPN-CA/Email=admin@perfect-privacy.com
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: VERIFY OK: nsCertType=SERVER
    Oct 14 22:17:00 PIP daemon.notice openvpn[338]: VERIFY OK: depth=0, /C=LU/ST=Luxembourg/L=Steinsel/O=PP_Internet_Services/CN=server/Email=admin@perfect-privacy.com
    Oct 14 22:18:04 PIP daemon.err openvpn[338]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 22:18:04 PIP daemon.err openvpn[338]: TLS Error: TLS handshake failed
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, drop the "--" on the front of your line in the custom config. They are only used on the command line when calling OpenVPN.
    You might try adding "fragment 1300", "tun-mtu 1500", and increase the "TLS Renegotiation Time" to 86400 to better match the provided client config.
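Two details from the posts above that are easy to get wrong, shown as an added example (my code, not the firmware's and not any poster's): writing the auth-user-pass file so that it is private from the moment it exists (ipse's log shows OpenVPN's "group or others accessible" warning, which is exactly what a plain `echo >` under the default umask produces), and normalising a custom-config fragment so that command-line style `--` prefixes are stripped, since directives in a config file or the GUI's custom field take no dashes. Paths and credential values are placeholders.

```python
"""Added example (not from the thread or TomatoVPN): create the
auth-user-pass credential file with mode 0600 and normalise a
custom-config fragment. Paths and credentials are placeholders."""
import os
import stat
import tempfile


def write_auth_file(path, username, password):
    """Write 'username\\npassword\\n' with mode 0600 from the first byte.

    os.open(..., 0o600) creates the file already private, so there is no
    window in which it is world-readable. A plain 'echo USER > file' under
    the default umask yields 0644, which triggers OpenVPN's
    "group or others accessible" warning.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{password}\n")
    os.chmod(path, 0o600)  # in case the file pre-existed with wider perms
    return path


def auth_file_is_private(path):
    """The same test OpenVPN applies: no group or other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def normalize_custom_config(text):
    """Strip the leading '--' that belongs only on the command line, drop
    blank lines and comments, and return one directive per line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("--"):
            line = line[2:]
        out.append(line)
    return "\n".join(out)


def demo():
    """Exercise both helpers in a scratch directory; return what the
    checks found so the result can be inspected programmatically."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "password.txt")
    write_auth_file(good, "USERNAME", "PASSWORD")  # placeholder creds
    leaky = os.path.join(d, "leaky.txt")
    with open(leaky, "w") as fh:  # what 'echo >' gives you by default
        fh.write("USERNAME\nPASSWORD\n")
    os.chmod(leaky, 0o644)
    return {
        "private": auth_file_is_private(good),
        "leaky_private": auth_file_is_private(leaky),
        "content": open(good).read(),
        "config": normalize_custom_config(
            "--script-security 2\nauth-user-pass /tmp/password.txt\n"),
    }


if __name__ == "__main__":
    print(demo())
```

On the router itself, where only the busybox shell is available, the equivalent is to put `umask 077` in the Init script before the `echo` lines, so the file is created 0600 rather than chmod'ed afterwards.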
     
  15. Paul

    Paul Addicted to LI Member

    Thanks. I have done both, but still the same TLS error.

    Is it possible the cipher AES-256-CBC is not fully implemented yet? The logs are hanging just before the cipher data channel.

    Or, maybe the firewall doesn't like 1149 instead of 1194? I couldn't find a way to turn the firewall off.

    Anyway, here is the complete custom configuration I have entered:

    tun-mtu 1500
    fragment 1300
    mssfix
    float
    nobind
    persist-key
    persist-tun
    tls-auth static.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 4
    ns-cert-type server
    script-security 2
    auth-user-pass /tmp/password.txt
    inactive 604800
    ping 5
     
  16. Relax Preppy

    Relax Preppy Addicted to LI Member

    I can connect to the VPN server but I'm unable to pass any traffic...

    home network (behind VPN server): 10.10.10.0 255.255.255.0

    remote network: 192.168.1.0 255.255.255.0

    server config:
    Start with Router - checked
    Interface Type - tun
    Protocol - udp
    Port - 443
    Firewall - auto
    Authorization Mode - tls
    Extra HMAC authorization - disabled
    VPN subnet/netmask - 10.11.12.0 255.255.255.0

    client:
    client
    tls-client
    keepalive 10 120
    dev tun
    proto udp
    remote xxxxxxx.getmyip.com 443
    float
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 4
    mute-replay-warnings

    log file:

    Sun Oct 18 17:34:49 2009 us=640000 OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008
    Sun Oct 18 17:34:49 2009 us=640000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sun Oct 18 17:34:49 2009 us=968000 LZO compression initialized
    Sun Oct 18 17:34:49 2009 us=968000 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun Oct 18 17:34:50 2009 us=562000 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Sun Oct 18 17:34:50 2009 us=562000 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
    Sun Oct 18 17:34:50 2009 us=562000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
    Sun Oct 18 17:34:50 2009 us=562000 Local Options hash (VER=V4): '22188c5b'
    Sun Oct 18 17:34:50 2009 us=562000 Expected Remote Options hash (VER=V4): 'a8f55717'
    Sun Oct 18 17:34:50 2009 us=562000 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Sun Oct 18 17:34:50 2009 us=562000 UDPv4 link local: [undef]
    Sun Oct 18 17:34:50 2009 us=562000 UDPv4 link remote: 75.74.156.150:443
    Sun Oct 18 17:34:50 2009 us=796000 TLS: Initial packet from 75.74.156.150:443, sid=2ceaab95 83d1d6c2
    Sun Oct 18 17:34:52 2009 us=937000 VERIFY OK: depth=1, /C=US/ST=FL/L=LighthousePoint/O=bobo/OU=bobo/emailAddress=xxxxx@gmail.com
    Sun Oct 18 17:34:52 2009 us=937000 VERIFY OK: nsCertType=SERVER
    Sun Oct 18 17:34:52 2009 us=937000 VERIFY OK: depth=0, /C=US/ST=FL/O=bobo/CN=server/emailAddress=relaxpreppy@gmail.com
    Sun Oct 18 17:34:56 2009 us=62000 NOTE: Options consistency check may be skewed by version differences
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1558'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 256'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
    Sun Oct 18 17:34:56 2009 us=62000 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
    Sun Oct 18 17:34:56 2009 us=62000 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sun Oct 18 17:34:56 2009 us=62000 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Oct 18 17:34:56 2009 us=62000 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sun Oct 18 17:34:56 2009 us=62000 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Oct 18 17:34:56 2009 us=62000 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Sun Oct 18 17:34:56 2009 us=62000 [server] Peer Connection Initiated with 75.74.156.150:443
    Sun Oct 18 17:34:57 2009 us=93000 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sun Oct 18 17:34:57 2009 us=421000 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 10.11.12.1,topology net30,ping 15,ping-restart 60,ifconfig 10.11.12.6 10.11.12.5'
    Sun Oct 18 17:34:57 2009 us=421000 OPTIONS IMPORT: timers and/or timeouts modified
    Sun Oct 18 17:34:57 2009 us=421000 OPTIONS IMPORT: --ifconfig/up options modified
    Sun Oct 18 17:34:57 2009 us=421000 OPTIONS IMPORT: route options modified
    Sun Oct 18 17:34:57 2009 us=437000 ROUTE default_gateway=192.168.1.1
    Sun Oct 18 17:34:57 2009 us=453000 TAP-WIN32 device [Local Area Connection 6] opened: \\.\Global\{9F6AF4FA-8861-4CFF-B680-5398DFF6DA79}.tap
    Sun Oct 18 17:34:57 2009 us=453000 TAP-Win32 Driver Version 9.4
    Sun Oct 18 17:34:57 2009 us=453000 TAP-Win32 MTU=1500
    Sun Oct 18 17:34:57 2009 us=453000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.11.12.6/255.255.255.252 on interface {9F6AF4FA-8861-4CFF-B680-5398DFF6DA79} [DHCP-serv: 10.11.12.5, lease-time: 31536000]
    Sun Oct 18 17:34:57 2009 us=453000 Successful ARP Flush on interface [4] {9F6AF4FA-8861-4CFF-B680-5398DFF6DA79}
    Sun Oct 18 17:35:02 2009 us=484000 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Sun Oct 18 17:35:02 2009 us=500000 C:\WINDOWS\system32\route.exe ADD 10.10.10.0 MASK 255.255.255.0 10.11.12.5
    Sun Oct 18 17:35:02 2009 us=500000 Route addition via IPAPI succeeded [adaptive]
    Sun Oct 18 17:35:02 2009 us=515000 C:\WINDOWS\system32\route.exe ADD 10.11.12.1 MASK 255.255.255.255 10.11.12.5
    Sun Oct 18 17:35:02 2009 us=515000 Route addition via IPAPI succeeded [adaptive]
    Sun Oct 18 17:35:02 2009 us=515000 Initialization Sequence Completed
    Sun Oct 18 17:35:12 2009 us=281000 Authenticate/Decrypt packet error: cipher final failed
    Sun Oct 18 17:35:26 2009 us=843000 Authenticate/Decrypt packet error: cipher final failed
    Sun Oct 18 17:35:41 2009 us=984000 Authenticate/Decrypt packet error: cipher final failed
     
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Windows seems to have a hard time with multiple subnets in the 10.x.x.x range. Try changing one of them to 172.22.x.x.
     
  18. Paul

    Paul Addicted to LI Member

    Is it OK for the Static key entry to be used for the TLS auth key also, (normally ta.key or something)? Or, should I put a ..ta.key in the router somewhere?
     
  19. Relax Preppy

    Relax Preppy Addicted to LI Member

    I changed my VPN subnet to 172.17.17.0/24

    so home network behind router = 10.10.10.0/24
    VPN network = 172.17.17.0/24
    remote network = 192.168.1.0/24

    I can connect and get an IP but still can't ping... this is from /var/log/messages

    Oct 19 22:30:44 ? daemon.notice openvpn[6705]: 75.251.134.131:1389 [client] Peer Connection Initiated with 75.251.134.131:1389
    Oct 19 22:30:44 ? daemon.notice openvpn[6705]: client/75.251.134.131:1389 MULTI: Learn: 172.17.17.6 -> client/75.251.134.131:1389
    Oct 19 22:30:44 ? daemon.notice openvpn[6705]: client/75.251.134.131:1389 MULTI: primary virtual IP for client/75.251.134.131:1389: 172.17.17.6
    Oct 19 22:30:46 ? daemon.notice openvpn[6705]: client/75.251.134.131:1389 PUSH: Received control message: 'PUSH_REQUEST'
    Oct 19 22:30:46 ? daemon.notice openvpn[6705]: client/75.251.134.131:1389 SENT CONTROL [client]: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 172.17.17.1,topology net30,ping 15,ping-restart 60,ifconfig 172.17.17.6 172.17.17.5' (status=1)
    Oct 19 22:31:01 ? daemon.err openvpn[6705]: client/75.251.134.131:1389 Authenticate/Decrypt packet error: cipher final failed
    Oct 19 22:31:06 ? daemon.err openvpn[6705]: client/75.251.134.131:1389 Authenticate/Decrypt packet error: cipher final failed
    Oct 19 22:31:11 ? daemon.err openvpn[6705]: client/75.251.134.131:1389 Authenticate/Decrypt packet error: cipher final failed
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Select "Extra HMAC authorization (tls-auth)" option. There will then be a static key input on the keys page.
     
  21. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Do you have the same cipher configured on both ends?
     
  22. Relax Preppy

    Relax Preppy Addicted to LI Member

    Don't know how I missed that... I vi'ed into /etc/openvpn/server1.ovpn and added the AES line, but when I checked again it wasn't there. So I just removed it and now it works.
     
  23. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The config is rebuilt each time. There is an "Encryption cipher" option in the GUI to control it.
     
  24. Relax Preppy

    Relax Preppy Addicted to LI Member

    thanks

    I love this FW and OpenVPN...
     
  25. TheGIZ

    TheGIZ Network Guru Member

    A few months ago I asked if I upgraded from Roadkill to your mod if the VPN in Scripts would still work.

    I was told that if I updated to 1.23 then the GUI was optional and that my VPN would still work. Well it did work.

    Yesterday I tried upgrading to 1.25 and my TLS based VPN stopped working. I tried the standard and ND version and both would not allow me to connect.

    I just flashed 1.23 back on and my VPN is operational again.

    Is there a step by step somewhere with screen shots of how to take my old config out of scripts and put it in the GUI and have it work?

    Also when I change it will I need to change my config file?

    Thanks for the firmware and any help.
     
  26. DanRogl

    DanRogl Addicted to LI Member

    Anyone on Google wave, search for id:w+BcsaWyGkB for a tomatoVPN discussion wave.
     
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The only thing that could have made it not work is the newer version of OpenVPN being used in the later version of TomatoVPN. Maybe it'd be as simple as upgrading the version of OpenVPN client being used?

    To move to using the GUI, I would suggest just changing the GUI settings (and entering certificates) as best as you can to match your config (if it says UDP in the config, select UDP from the GUI, etc). Then start the server, telnet/ssh to the router, and look at the contents of /etc/openvpn/server1/config.ovpn . If there are important differences, see if there is a GUI option that sounds related. If not, add that line to the custom configuration field. Then, make sure it works.
     
  28. kazon

    kazon Addicted to LI Member

    Is anyone using this (by the way superb) firmware with ivacy.com ? (Here are their settings explained: http://ivacy.com/en/doc/user/setup/winxp_openvpn and they offer free test accounts)
    But it isn't working for me - maybe someone is using it already?!
     
  29. Paul

    Paul Addicted to LI Member

    I think you are having the same problem as me with perfect-privacy. It is something to do with the TLS handshake.

    Check on the logs and see if it hangs with a TLS handshake error after 60 seconds.

    The only reason for this online I have found is to do with the firewall settings, but I'm not really sure.

    Also, do you need to put a username / password in? I have got that working - look at my first post a page or two back.
     
  30. ghostknife

    ghostknife Addicted to LI Member

    Witopia

    Hi there,
    Just wanted to ask if anybody knows if Witopia ssl vpn service does or doesn't work at all?
    There are a few posts back on p.33/103(?) but no answer if they ever actually got it working or not. Till now I've only used teddy_bear USB mod but he also includes SgtPepperKSU in an alternative build which i'd like to use for this VPN setup. I asked them if they could ship cloakbox (or supply firmware :)) to Australia and they said no. Mainly I want one solution to access TV/Video services in US/UK (BBC, Hulu, etc.) which is what they provide at a reasonable price.

    Thanks.
     
  31. kazon

    kazon Addicted to LI Member

    I'd be switching to perfect-privacy if it would be working there without any problems - is your setup now working?

    For me using ivacy.com username/password is working (using init script), tls is working, the connection is established but:
    -the status counters are increasing, but TUN/TAP write bytes remains at 0
    -error messages in the logfile saying: daemon.err openvpn[XXX]: event_wait : Interrupted system call (code=4)
     
  32. Paul

    Paul Addicted to LI Member

    No, I'm still not working - I've tried everything I know. It works fine with the Windows OpenVPN client, same computer/router.

    None of the other firmware options are any good either, only x-wrt snapshot version has TLS hmac extra authentication but its bloated and buggy - not even default gateway works. There is a working solution here : https://forum.perfect-privacy.com/showthread.php?t=1019 but I don't want a hard coded solution, I want a plug in solution that will work anywhere. This version is so lean and simple, I'll wait and hope the next version works.

    When you say connection is established, do you mean the VPN starts up or do you mean the logs show certificates, TLS authentication and everything OK?

    On mine everything looks connected, but like yours, zero bytes, and the logs show as I posted earlier.

    Maybe post the logs and SgtPepper or someone might be able to help...


    P.S. make sure you have "ns-cert-type server" in the custom config, and compression may need to be either adaptive or enabled (1)
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's not an error. That's just you refreshing the status in the GUI.

    Have you selected to redirect internet traffic over the tunnel? If you don't, and you aren't contacting one of their servers directly, then the byte counts won't increase, because you aren't sending any traffic that should go over the tunnel.
     
  34. ezhik

    ezhik Addicted to LI Member

    I'd like to try this out, but just unsure of the first step. Would I be correct in thinking I can flash the router with 'code.bin' from the 'Result' folder from the downloaded file 'tomato-tomatovpn-1.25vpn3.4.tar.gz', or do I have to compile my own firmware 'bin' file somehow?

    I can see earlier releases available as flashable firmware file, but not the latest, I know it must be me! Am I missing something obvious?
     
  35. kazon

    kazon Addicted to LI Member

    Yes, Redirect Internet is ticked.
    I've noticed that I get "TLS Error: TLS handshake failed" now as well.
    But I'm quite sure that this was working before when I had the "tls-auth /tmp/ivacy-tls.key 1" (generated from init) before.
    But in both scenarios I get these error messages:
    unknown daemon.err openvpn[XX]: event_wait : Interrupted system call (code=4)
    And no traffic is being redirected.

    Here are my settings - hopefully I have only done a stupid obvious mistake.
    (comments are in brackets)

    Thanks for your help.

    ========================================

    Basic:

    Interface Type TUN
    Protocol UDP
    Server Address/Port openvpn.ivacy.com 1194
    Firewall Automatic
    Authorization Mode TLS
    Extra HMAC authorization (tls-auth) Bi-directional
    Create NAT on tunnel ticked

    Advanced:

    Redirect Internet ticked
    Accept DNS configuration Disabled (can someone explain this to me - Strict/Exclusive will be DNS-leak-safe?)
    Encryption cipher Use Default
    Compression Enabled
    TLS Renegotiation Time 30
    Connection retry 30

    Custom Configuration:
    client
    dev tun
    proto udp
    remote openvpn.ivacy.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    verb 3
    auth-user-pass /tmp/openvpn-password.txt (generated using Administration->Init)
    redirect-gateway
    script-security 3
    reneg-sec 0
    (duplication of automatic added entries?)
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The event_wait is not an error. It is just you updating the status in the GUI.

    If you needed to use "1" for tls-auth before, you still need to use that when using the GUI. Select "Outgoing (1)" in the tls-auth drop-down box, not Bi-directional.
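Both of the fixes above (the missing cipher line in Relax Preppy's server config, and the tls-auth key direction that has to be 1 on one side and 0 on the other) are the kind of thing a quick config diff catches before the tunnel is even started. The checker below is an added example, my code rather than anything from the thread or from TomatoVPN: it parses a client .ovpn and the router's generated config.ovpn and reports the settings that must agree. The two configs at the bottom are constructed for illustration, and the cipher/auth defaults assumed when a directive is absent (BF-CBC, SHA1) are OpenVPN 2.1's.

```python
"""Added example (not from the thread or TomatoVPN): compare a client
.ovpn with the server's config.ovpn and report the settings that must
match. Sample configs are constructed; defaults are OpenVPN 2.1's."""

# OpenVPN 2.1 defaults applied when a directive is absent on one side.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "proto": "udp"}
MUST_MATCH = ("dev", "proto", "cipher", "auth")


def parse_ovpn(text):
    """Return {directive: [args]}; a bare flag maps to []."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name = parts[0][2:] if parts[0].startswith("--") else parts[0]
        conf[name] = parts[1:]
    return conf


def value(conf, key):
    """First argument of a directive, or the OpenVPN default if absent."""
    args = conf.get(key)
    if args is None:
        return DEFAULTS.get(key)
    return args[0] if args else None


def tls_auth_direction(conf):
    """None = no tls-auth; 'bi' = bidirectional key; else '0' or '1'."""
    args = conf.get("tls-auth")
    if args is None:
        return None
    if conf.get("key-direction"):
        return conf["key-direction"][0]
    return args[1] if len(args) > 1 else "bi"


def compare(client_text, server_text):
    """List the mismatches that let a tunnel connect but drop every packet
    ('cipher final failed') or never finish the handshake (tls-auth)."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    problems = []
    for key in MUST_MATCH:
        cv, sv = value(c, key), value(s, key)
        if cv != sv:
            problems.append(f"{key}: client={cv} server={sv}")
    if ("comp-lzo" in c) != ("comp-lzo" in s):
        problems.append("comp-lzo: enabled on one side only")
    cd, sd = tls_auth_direction(c), tls_auth_direction(s)
    if (cd is None) != (sd is None):
        problems.append("tls-auth: enabled on one side only; the other "
                        "side's packets fail the HMAC check and the TLS "
                        "handshake times out")
    elif cd is not None and (cd, sd) not in {("bi", "bi"), ("0", "1"), ("1", "0")}:
        problems.append(f"tls-auth direction: client={cd} server={sd} "
                        "(need 1/0, 0/1, or bidirectional on both)")
    return problems


# Constructed sample: the client pins AES-256-CBC, the router-generated
# server config has no cipher line (so BF-CBC), as in the exchange above.
CLIENT = """\
client
dev tun
proto udp
remote vpn.example.net 443   # placeholder hostname
tls-auth static.key 1
cipher AES-256-CBC
comp-lzo
ns-cert-type server
"""

SERVER = """\
# stand-in for /etc/openvpn/server1/config.ovpn
dev tun
proto udp
port 443
tls-auth static.key 0
comp-lzo
"""

if __name__ == "__main__":
    for p in compare(CLIENT, SERVER):
        print("MISMATCH", p)
```

Since the router rebuilds config.ovpn from the GUI on every start, run this against the generated file under /etc/openvpn/server1/ rather than against anything you edited by hand.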
     
  37. Paul

    Paul Addicted to LI Member

  38. koham

    koham Addicted to LI Member

    Hello.

    I've just installed the 1.25vpn firmware.
    Thanks a lot for that work and possibility.
    Is there any tutorial online in order to set up a vpn with that gui please ?
     
  39. Hudogriz

    Hudogriz Guest

    Hi all!

    I've been a Tomato user for years now on my WRT54GL 1.1. Awesome firmware!
    I just recently found out about the VPN mod. I used the WRT54G_WRT54GL.bin from the 1.25vpn3.4 release to upgrade the router and cleared NVRAM.
    After the upgrade I made the VPN keys and left the router VPN adjustments on default. When trying to connect to VPN (directly with the server and client in LAN), I got the "TLS handshake error after 60 seconds" error.

    Already tried to change the ports, protocols,... no good. Before I go Telnet/SSH, is it possible to test the VPN tunnel in LAN? BTW: keys and certs were already tested on my other VPN server-client setup.

    Please help :)
     
  40. kazon

    kazon Addicted to LI Member

    Sorry, Outgoing (1) was selected before - too much testing!
    Now again it connects but I can't ping/access anything.
    I can only ping 1.2.112.107.

    Maybe the logfiles helps:

    Code:
    ...:13 unknown user.warn kernel: nvram_commit(): init
    ...:14 unknown user.warn kernel: nvram_commit(): end
    ...:27 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    ...:29 unknown daemon.notice openvpn[333]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    ...:29 unknown daemon.warn openvpn[333]: WARNING: file '/tmp/openvpn-password.txt' is group or others accessible
    ...:29 unknown daemon.warn openvpn[333]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    ...:29 unknown daemon.notice openvpn[333]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    ...:29 unknown daemon.notice openvpn[333]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    ...:29 unknown daemon.notice openvpn[333]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    ...:29 unknown daemon.notice openvpn[333]: LZO compression initialized
    ...:29 unknown daemon.notice openvpn[333]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    ...:31 unknown daemon.err openvpn[333]: RESOLVE: NOTE: openvpn.ivacy.com resolves to 3 addresses, choosing one by random
    ...:31 unknown daemon.notice openvpn[333]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    ...:31 unknown daemon.notice openvpn[337]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    ...:31 unknown daemon.notice openvpn[337]: UDPv4 link local: [undef]
    ...:31 unknown daemon.notice openvpn[337]: UDPv4 link remote: 85.249.223.30:1194
    ...:31 unknown daemon.notice openvpn[337]: TLS: Initial packet from 85.249.223.30:1194, sid=*removed*
    ...:31 unknown daemon.warn openvpn[337]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    ...:32 unknown daemon.notice openvpn[337]: VERIFY OK: depth=1, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=ivacy.com_CA/Email=admin@ivacy.com
    ...:32 unknown daemon.notice openvpn[337]: VERIFY OK: nsCertType=SERVER
    ...:32 unknown daemon.notice openvpn[337]: VERIFY OK: depth=0, /C=RU/ST=MR/L=Moscow/O=ivacy.com/CN=openvpn.ivacy.com/Email=admin@ivacy.com
    ...:40 unknown daemon.notice openvpn[337]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    ...:40 unknown daemon.notice openvpn[337]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    ...:40 unknown daemon.notice openvpn[337]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    ...:40 unknown daemon.notice openvpn[337]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    ...:40 unknown daemon.notice openvpn[337]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
    ...:40 unknown daemon.notice openvpn[337]: [openvpn.ivacy.com] Peer Connection Initiated with 85.249.223.30:1194
    ...:41 unknown daemon.notice openvpn[337]: SENT CONTROL [openvpn.ivacy.com]: 'PUSH_REQUEST' (status=1)
    ...:42 unknown daemon.notice openvpn[337]: PUSH: Received control message: 'PUSH_REPLY,route 1.0.0.0 255.0.0.0,dhcp-option DNS 1.254.2.2,dhcp-option DNS 1.254.2.3,dhcp-option DOMAIN vpn,explicit-exit-notify 2,route-gateway 1.2.112.1,topology subnet,ping 10,ping-re
    ...:42 unknown daemon.err openvpn[337]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: explicit-exit-notify (2.1_rc19)
    ...:42 unknown daemon.notice openvpn[337]: OPTIONS IMPORT: timers and/or timeouts modified
    ...:42 unknown daemon.notice openvpn[337]: OPTIONS IMPORT: --ifconfig/up options modified
    ...:42 unknown daemon.notice openvpn[337]: OPTIONS IMPORT: route options modified
    ...:42 unknown daemon.notice openvpn[337]: OPTIONS IMPORT: route-related options modified
    ...:42 unknown daemon.notice openvpn[337]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    ...:42 unknown daemon.notice openvpn[337]: TUN/TAP device tun0 opened
    ...:42 unknown daemon.notice openvpn[337]: TUN/TAP TX queue length set to 100
    ...:42 unknown daemon.notice openvpn[337]: /sbin/ifconfig tun0 1.2.112.107 netmask 255.255.252.0 mtu 1500 broadcast 1.2.115.255
    ...:42 unknown daemon.notice openvpn[337]: /sbin/route add -net 85.249.223.30 netmask 255.255.255.255 gw 192.168.1.1
    ...:42 unknown daemon.notice openvpn[337]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 1.2.112.1
    ...:42 unknown daemon.notice openvpn[337]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 1.2.112.1
    ...:42 unknown daemon.notice openvpn[337]: /sbin/route add -net 1.0.0.0 netmask 255.0.0.0 gw 1.2.112.1
    ...:42 unknown daemon.notice openvpn[337]: Initialization Sequence Completed
    
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What about from the router itself? Can you ping other IP addresses?
     
  42. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sure, it can be tested from the LAN. Just use the router LAN address rather than the WAN address when connecting.
     
  43. kazon

    kazon Addicted to LI Member

    In this setup I can't ping 1.2.112.1.
    But I can ping 1.2.112.107, 85.249.223.30, 192.168.1.1 and the router.
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Do you still have all those duplicated entries in your custom configuration? You should try getting rid of them.
    When the client is running, telnet/ssh to the router and run
    Code:
    cat /etc/openvpn/client1/config.ovpn
    This will show you the config being used. Remove any duplicates from your custom config, and identify any differences in the automatically generated section from what you want it to be.
     
  45. Paul

    Paul Addicted to LI Member

    If you use Windows - I found the easiest way to go into the router is with a program called WinSCP from http://winscp.net/eng/index.php . It has ssh or scp and then you can browse the router in a window like explorer.
     
  46. ipse

    ipse LI Guru Member

    Please keep us in mind for the next release...I tried so many ways of connecting to a free OpenVPN server or even to a PPTP one and it's so obvious that all the solutions in place make use of an interactive GUI (Windoze/Linux/Mac).

    There has to be a router based solution - it can be done as AceVPN demonstrates on their website...they only have it for the PAID service.
    I noticed that they provide 3 files: crt + ca + key - which seems to be what I'm missing with alonweb where I only have the certificate. Not an issue in Windows, but won't work with my Tomato...as you know.

    Probably it's time to start reading a bit on security while waiting for a new version.

    :flowers:
     
  47. Paul

    Paul Addicted to LI Member

    It should work with alonweb - have you tried just putting junk in the key and cert sections that you don't need, set TCP, disable TLS, use default encryption, use port 443, compression enabled (or else adaptive)? Use nl.alonweb.com for Euro server or fl.alonweb.com for Panama.

    Then for your username and password -

    Copy this putting in your own details:

    echo USERNAME> /tmp/password.txt
    echo PASSWORD>> /tmp/password.txt

    to Administration<Script>Init


    and this:

    script-security 2
    auth-user-pass /tmp/password.txt


    to Client>Advanced>Custom config



    Here is alonweb configuration:

    client
    dev tun
    proto tcp
    remote gw.alonweb.com 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    ca alonweb.crt
    comp-lzo
    verb 3
    auth-user-pass
    redirect-gateway
     
  48. kazon

    kazon Addicted to LI Member

    Thank you! :)
    One step further! Removing all the duplicates did help.
    Now I can connect to the VPN, traffic is redirected.

    But next problems:
    -after a couple of seconds I get the error message "TLS: soft reset" and the connection stops
    -dns leakage - what do I have to select/change to remove all dns servers but the ones from the vpn provider? I tried "strict" and "exclusive"; with both settings the VPN DNS servers are only added in addition to the normal ones
     
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    How are you checking the DNS settings? "exclusive" should use only the VPN provided DNS servers.

    Try changing "TLS Renegotiation Time" to 0 for the soft reset.
     
  50. ipse

    ipse LI Guru Member



    Thanks Paul...can't wait to get home and try...I do remember though that for kicks I put the CA file in all the fields (since I did not have a key file)...

    Cheers...I will report back.

    /EDIT

    No go...when in Static key mode or Custom (the 2 alternatives to TLS), I always have conflicting options: see logs

    1) Custom

    First I had pull option in custom cfg, then removed it

    Oct 30 16:35:15 router daemon.err openvpn[4532]: Options error: --auth-user-pass requires --pull
    Oct 30 16:35:15 router daemon.warn openvpn[4532]: Use --help for more information.
    Oct 30 16:35:15 router user.info init[1]: VPN_LOG_ERROR: 286: Starting OpenVPN failed...
    Oct 30 16:36:12 router daemon.err openvpn[4605]: Options error: Parameter --pull can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
    Oct 30 16:36:12 router daemon.warn openvpn[4605]: Use --help for more information.
    Oct 30 16:36:12 router user.info init[1]: VPN_LOG_ERROR: 286: Starting OpenVPN failed...


    2) Static key

    With Static key I am asked to provide the local and remote endpoints...the WAN IP and Alonweb IP won't work.
    The setup is tailored towards using OpenVPN to join 2 private networks over a WAN link...not quite the same as what I'm trying to do :(


    It looks to me that TLS is needed to negotiate the authentication (esp in this case of u/p)...that's why the other 2 alternatives won't work.
    I read some stuff about this type of "SSL (aka TLS) VPNs" they have their own quirks.

    help?
     
  51. Paul

    Paul Addicted to LI Member

  52. kazon

    kazon Addicted to LI Member

    :smile:
    Changing the Time to 0 solved this problem!

    I have selected "exclusive" and have checked on the page Paul suggested as well:
    https://www.dns-oarc.net/oarc/services/dnsentropy

    192.168.1.1 I don't want to see here:
    Code:
    # cat /etc/resolv.conf
    nameserver 127.0.0.1
    # cat /etc/resolv.dnsmasq
    nameserver 1.254.2.2
    nameserver 1.254.2.3
    search vpn
    
    nameserver 192.168.1.1
    The router itself is configured as a DHCP client.
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting. That last line shouldn't be there when exclusive is selected. Could you post the output of the following while the client is connected?
    Code:
    nvram get vpn_client1_adns
    cat /etc/openvpn/dns/client1.resolv
     
  54. kazon

    kazon Addicted to LI Member

    Here you go:
    Code:
    # nvram get vpn_client1_adns
    3
    # cat /etc/openvpn/dns/client1.resolv
    nameserver 1.254.2.2
    nameserver 1.254.2.3
    search vpn
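    As an added illustration (not code from the firmware or from anyone in the thread) of the leak kazon is seeing: with "Exclusive" selected, /etc/resolv.dnsmasq should contain only the nameservers OpenVPN pushed, which the firmware writes to /etc/openvpn/dns/client1.resolv. The check below compares the two files and flags any extra nameserver, such as the 192.168.1.1 line above; the sample files are constructed from the output posted in the thread.

```shell
#!/bin/sh
# Added example: compare the live dnsmasq resolver list against the
# VPN-pushed list and report any nameserver that is not VPN-provided.
# Assumed paths on the router (from the thread): /etc/resolv.dnsmasq and
# /etc/openvpn/dns/client1.resolv.

# Print the nameserver addresses found in a resolv-style file, one per line.
nameservers_in() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if every nameserver in the live file ($1) also appears in the
# VPN-pushed file ($2); print the extra ones and return 1 otherwise.
dns_leak_check() {
    live=$1 vpn=$2 leaked=0
    for ns in $(nameservers_in "$live"); do
        if ! nameservers_in "$vpn" | grep -qx "$ns"; then
            echo "leak: $ns is not a VPN-provided nameserver"
            leaked=1
        fi
    done
    return $leaked
}

# Constructed sample files reproducing kazon's posted output; returns 1
# because 192.168.1.1 is present in resolv.dnsmasq but not in client1.resolv.
demo() {
    d=$(mktemp -d)
    printf 'nameserver 1.254.2.2\nnameserver 1.254.2.3\nsearch vpn\n\nnameserver 192.168.1.1\n' > "$d/resolv.dnsmasq"
    printf 'nameserver 1.254.2.2\nnameserver 1.254.2.3\nsearch vpn\n' > "$d/client1.resolv"
    dns_leak_check "$d/resolv.dnsmasq" "$d/client1.resolv"
    rc=$?
    rm -rf "$d"
    return $rc
}

# On the router, while the client is connected:
# dns_leak_check /etc/resolv.dnsmasq /etc/openvpn/dns/client1.resolv
```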
     
  55. Raganook

    Raganook Addicted to LI Member

    So I've never set up anything like this, and I've gotten SO close to completion, and ultimately am stuck. I have the VPN setup on my tomato-enabled router (WRT54GL), and the client setup on a single computer in my office.

    I want my entire office LAN to have access to the LAN behind my tomato-enabled router. The openVPN client (currently just on one PC) can connect to the server, and I can even ping every computer behind the tomato router. However, no matter what I do, I can't get any of those computers to "appear"; meaning, in windows 7, when I go to my network computers, I see all my office LAN, but cannot see any computers in tomato's LAN, which means I can't actually access/share files. Even though I can ping the darn things :(

    More info:

    *I have all firewalls disabled
    *No anti-virus running
    *Latest version of TomatoVPN
    *Office LAN is 192.168.0.X, Tomato LAN is 172.16.0.X
    *OS's on various computers range from Windows XP, Vista, 7 and Buffalo NAS

    Specific configuration:
    (Basic)
    Start With Router
    TUN
    UDP
    1194
    Firewall Automatic
    TLS
    Extra HMAC disabled
    subnet 10.8.0.0, 255.255.255.0

    (advanced)
    I have "push land to clients" checked
    Respond to DNS
    Advertise DNS to clients

    On clientside, I have:
    client
    dev tun
    dev-node MyTap
    proto udp
    remote (myip) 1194
    ;remote-random
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    What on earth am I missing? Why can't the computers "see" each other, even though they can all ping each other?

    Any help would be appreciated!

    In case this is useful, here is the server log:
    Code:
    Wed Nov 11 15:50:20 2009 OpenVPN 2.1_rc20 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Oct  1 2009
    Wed Nov 11 15:50:20 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Nov 11 15:50:20 2009 LZO compression initialized
    Wed Nov 11 15:50:20 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Nov 11 15:50:20 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Nov 11 15:50:20 2009 Local Options hash (VER=V4): '41690919'
    Wed Nov 11 15:50:20 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Wed Nov 11 15:50:20 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed Nov 11 15:50:20 2009 UDPv4 link local: [undef]
    Wed Nov 11 15:50:20 2009 UDPv4 link remote: 29.28.172.239:1194
    Wed Nov 11 15:50:20 2009 TLS: Initial packet from 29.28.172.239:1194, sid=1d14d8c5 63eea276
    Wed Nov 11 15:50:21 2009 VERIFY OK: depth=1, /C=US/ST=CA/L=LosAngeles/O=OpenVPN/CN=LauferManagement/emailAddress=Mail@Domainname.com
    Wed Nov 11 15:50:21 2009 VERIFY OK: nsCertType=SERVER
    Wed Nov 11 15:50:21 2009 VERIFY OK: depth=0, /C=US/ST=CA/O=OpenVPN/CN=server/emailAddress=Mail@Domainname.com
    Wed Nov 11 15:50:22 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Nov 11 15:50:22 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Nov 11 15:50:22 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Nov 11 15:50:22 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Nov 11 15:50:22 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Wed Nov 11 15:50:22 2009 [server] Peer Connection Initiated with 24.24.172.239:1194
    Wed Nov 11 15:50:24 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Wed Nov 11 15:50:24 2009 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.255.0,dhcp-option DNS 172.16.0.1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5'
    Wed Nov 11 15:50:24 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Nov 11 15:50:24 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Nov 11 15:50:24 2009 OPTIONS IMPORT: route options modified
    Wed Nov 11 15:50:24 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Nov 11 15:50:24 2009 ROUTE default_gateway=192.168.1.1
    Wed Nov 11 15:50:24 2009 TAP-WIN32 device [MyTap] opened: \\.\Global\{39B5DE35-8074-4810-906A-861E3496B270}.tap
    Wed Nov 11 15:50:24 2009 TAP-Win32 Driver Version 9.6 
    Wed Nov 11 15:50:24 2009 TAP-Win32 MTU=1500
    Wed Nov 11 15:50:24 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {39B5DE35-8074-4810-906A-861E3496B270} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
    Wed Nov 11 15:50:24 2009 Successful ARP Flush on interface [23] {39B5DE35-8074-4810-906A-861E3496B270}
    Wed Nov 11 15:50:29 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Wed Nov 11 15:50:29 2009 C:\WINDOWS\system32\route.exe ADD 172.16.0.0 MASK 255.255.255.0 10.8.0.5
    Wed Nov 11 15:50:29 2009 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Wed Nov 11 15:50:29 2009 Route addition via IPAPI succeeded [adaptive]
    Wed Nov 11 15:50:29 2009 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
    Wed Nov 11 15:50:29 2009 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Wed Nov 11 15:50:29 2009 Route addition via IPAPI succeeded [adaptive]
    Wed Nov 11 15:50:29 2009 Initialization Sequence Completed
    
     
  56. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's the way Windows file sharing works. You can only browse network neighborhood to find computers on the same subnet. You should be able to get to your computer by going to the address (windows explorer, or start->run) \\ip-address\ .
     
  57. Raganook

    Raganook Addicted to LI Member

    Thanks so much. I can definitely access the different computers via IP address in an elevated command prompt!

    So is this as seamless as I can get it? There is no means of getting Windows 7 to actually add the other subnet into its network center/get the Tomato-side LAN to also join the subnet used for the VPN?
     
  58. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You could use TAP mode, have them use the same subnet, and bridge the two interfaces together on your Windows machine. However, then you have to deal with additional complications - multiple DHCP servers (one on each side) conflicting, etc.
     
  59. Raganook

    Raganook Addicted to LI Member

    Right I do see, I'd either have to go all static or something, but it would ultimately be headaches.

    OK, so I'll stick with just making shortcuts for the other users.

    Last question (Thanks again for your prompt responses): I'm now struggling in my efforts to have the other networked computers able to ping my Tomato LAN through the one client I have set up.

    I enabled IP forwarding, and again have all firewalls disabled.
    *The client PC can ping all Tomato-LAN computers
    *The Tomato-LAN computers can only ping the client, and only by its VPN subnet and not its DHCP-given LAN.
    *No other office computers can ping the Tomato-LAN

    I'm trying to figure it out (and breaking/unbreaking all kinds of stuff in the process :p), but advice would be appreciated.
    Edit: I did my best, but I'm stuck. I tried adding static routes and various scripts I found in different FAQs, but whenever I perform tracert, neither end can arrive (except, of course, the client PC and any host PC)
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You have two options. You can create a NAT on the client computer so that the entire client-LAN's traffic appears as coming from the client computer, or you can teach the server router about the client-LAN. The first way would depend on the client operating system and setup. The second way is as simple as selecting "Manage Client-Specific Options" on the server router and filling in the table with the client's VPN CommonName (from when you created the VPN client certificate) and client-LAN subnet/netmask information.

    Either way, though, you'll need to teach the client-LAN how to reach Tomato-LAN. This is usually done by creating a static route on the client-LAN's gateway/router (you'd add an entry saying "To access <Tomato-LAN subnet/netmask> use <client-PC> as the gateway"). Otherwise, the client-LAN won't even know to involve your client-PC in the communication at all.
     
  61. Raganook

    Raganook Addicted to LI Member

    I'm trying this right now (the second option). Should I check the box that says "push" next to the fields for client subnet mask/ip?

    Edit: I've established the static route on my client-router (Destination: Host LAN's IP+mask, Gateway: specific DHCP-assigned IP of client PC), and entered the information as you specified, both with and without "push" checked. Whenever a host-pc attempts a traceroute to a random computer's IP in the host-LAN, it pings the client-router twice and then dies.

    Edit2: The problem I'm now encountering is definitely with the non-tomato router. I set up the static route properly (I think, it's as I wrote above), but the traceroute always ends up hitting the non-tomato router twice, never forwarding the packets to the client-pc. Unless I'm missing something, once the static route is set up properly, when I try to traceroute from a client-pc-lan computer, it should go router>client-pc>vpn>tomato-lan.

    Thanks for all the help, I can't believe what I've even done so far is possible.
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The push option only matters if you have multiple VPN clients. That would advertise the client-LAN to all of the connected clients.

    Your understanding is correct. Once you add a static route on your non-Tomato router to use your VPN client (its local LAN IP address) for the Tomato router's subnet (note, not IP address) and netmask, all attempts to send traffic to the Tomato router's LAN should be sent to your VPN client PC - which should know how to handle it.

    To test if you have your VPN client PC set up correctly, try configuring one of your other LAN computers to use it as its default gateway. If you can then access the Tomato router's LAN, then the problem is indeed in your non-Tomato router.
     
  63. Raganook

    Raganook Addicted to LI Member

    Using your test, I've found my router refuses to allow any static route to use a gateway of a different device on the same subnet. No matter what I enter (say 192.168.1.5), it will ALWAYS push the traffic to the router's LAN IP (192.168.1.1).

    That answers that. You've been amazingly helpful and clear, considering I knew nothing about any of this two days ago and I understand what you're saying. Thanks a ton.

    Edit: Actions speak louder. I hope my donation is in some way helpful.
     
  64. DragonCooler

    DragonCooler Addicted to LI Member

    Having trouble with the basics

    EDIT/// I finally got connected, it was changing the router from custom to automatic. But the problem I am having now is generating a CA. I don't want to use the static key (only because from what I read, only 1 person can use it at a time). Where on earth in tomato do I generate a cert? Also is there a way to use the router's default gateway when connecting remotely? Currently when I am connected I am using my non home network gateway. I'm pretty sure this is needed for secure browsing.

    I have been running tomato for a long time now, but have been desperately wanting VPN. I flashed the firmware with 1.25vpn3.4 release to my WRT54GL. I see the Tunneling option and have tried everything I can to get this stuff to work. I followed the mini howto at:
    http://blog.johnso.org/2009/08/how-to-setup-openvpn-in-tomato.html

    I am able to get what I think is a successful connection using the static key. Here is my log from the client:

    Thu Nov 12 17:23:38 2009 Successful ARP Flush on interface [22] {90A31622-2605-4AF7-95D0-XXXXXXXXX}
    Thu Nov 12 17:23:38 2009 UDPv4 link local (bound): [undef]:1194
    Thu Nov 12 17:23:38 2009 UDPv4 link remote: 71.x.x.x:1194 (IP masked)

    I take it this means I am connected. But my problem is, I can't ping or access any computers on my network. What am I missing from my configs?

    Here is the router:

    # Automatically generated configuration
    daemon
    proto udp
    port 1194
    dev tap21
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    secret static.key
    status-version 2
    status status
    # Custom Configuration

    Here is the client:

    remote foo.bar (masked for security)
    port 1194
    dev tap
    secret static.key
    proto udp
    comp-lzo
    route-gateway 192.168.1.1
    redirect-gateway
    float

    I have tried reading up and down these forums and googling, but I can't figure it out for the life of me. And here I thought I was a computer/networking guru!! LOL

    Please please help!
     
  65. Raganook

    Raganook Addicted to LI Member

    I think I can actually answer that -

    you can't generate a cert in Tomato. Use the openvpn tools to do it. It's detailed here.

    That's how I did it, works great :)
     
  66. ipse

    ipse LI Guru Member

    How to PREVENT Internet traffic from going outside the tunnel?

    Question for you SgtPepper:

    I'm happily running your mod on 2 routers with no issues...but although on the router running the OpenVPN client I have "Redirect Internet traffic" option checked, when the tunnel is down, the traffic simply goes out to the public Internet.
    Is there a way to prevent this? After all this is why I have redirected my traffic - to avoid exposing it.

    Thanks!
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Raganook is exactly right. The tools for generating certificates are not included in the firmware. You need to install OpenVPN on a computer and use the tools in the easy-rsa directory. The Keys tab in the firmware GUI should have a link to directions at the top.
    All you should need to do is redirect-gateway on the client or select the redirect gateway option on the server (once you change to TLS). When you go to TLS, add "client" to your client config, and get rid of the route-gateway and redirect-gateway lines. The firmware will push all that out to the client as needed.
     
  68. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, that was by design, but I guess I should have an option not to do that. Try to add "redirect-gateway" to your client custom config. Hopefully that will override the "redirect-gateway def1" that my firmware puts in there (the def1 specifically leaves the original default gateway in place so that if the VPN goes down, your internet won't go down). If not, we might be able to work out an up script that can do it.
     
  69. ipse

    ipse LI Guru Member

    Thanks for the quick reply..."redirect-gateway" didn't do it.
    The client can still surf with the VPN down.

    I realize that this is not the standard use of your mod, but if you can offer a script to disable traffic while the tunnel is down it would be perfect.

    Cheers!
     
  70. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Do you use the DNS options in the client GUI?
     
  71. ipse

    ipse LI Guru Member

    It's set to "exclusive" and from what I can tell when the tunnel is up it only uses what the server provides...which is what I want.
    When the tunnel is down, I provide a couple of free DNS servers in the WAN config.

    BTW...this is the AceVPN service - if it rings a bell or makes a difference.

    Thanks

    /EDIT: Actually you gave me an idea...to point the DHCP clients behind the OpenVPN client router to itself for DNS. This way I hope when the tunnel is down, there won't be any way to resolve the names. At least it would take care of surfing by name... not by IP.
    In the Advance Options ->DHCP/DNS, I set it to "Use received DNS with static DNS" and DNS caching and intercept is ON (I just changed it to ON and it seems to work...).

    Think this might work?

    /EDIT ...nope, I somehow still get a valid DNS. I'm suspecting that the OpenVPN client - which is also a wireless client of the first router- is getting it from it.
     
  72. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I was only asking because it will make a difference on how the up script looks. I'll try to come up with something a bit later.
     
  73. kazon

    kazon Addicted to LI Member

    @SgtPepperKSU Any idea what the reason for the DNS leaking is?

     
  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    All I can think of is NVRAM funkiness causing it to not act as "Exclusive". Did you erase NVRAM (thorough) after upgrading?
     
  75. DragonCooler

    DragonCooler Addicted to LI Member

    Guys it was your little nudge of "it doesn't do it on the router" that really got me thinking and figuring it out. Thank you!!! I got everything working perfectly!!

    I ran into a problem generating certs. It would generate the first client, but error out on every one thereafter saying it couldn't find the *.old. I dug some more and found something that wasn't in any tutorial. Your common name CAN NOT MATCH any other clients' or certs' COMMON NAMES. After that, it was smooth sailing.

    Thank you everyone once again!
     
  76. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    How about this in your WAN-up script:
    Code:
    route add -host `nvram get vpn_client1_addr` gw `nvram get wan_gateway`
    route del default
    
    This should make it so the only address you can contact is the VPN server.
     
  77. ipse

    ipse LI Guru Member

    Thanks!!! I'll give it a try and report back.

    So far, cooking the DNS has blocked surfing by name, but I'm thinking that once the tunnel is up, an FQDN name gets resolved then cached.
    This means that if the tunnel goes down, traffic will go on the public Internet based on the dnsmasq cache entry...I don't know how long it takes to expire or if it's flushed when the tunnel goes down (I assume not).

    Paranoia...paranoia :)

    /EDIT That didn't work :(

    Dec 31 19:02:08 unknown daemon.err openvpn[250]: TLS Error: Unroutable control packet received from x.x.x.x:443 (si=3 op=P_CONTROL_V1)
    Dec 31 19:02:08 unknown daemon.err openvpn[250]: TLS Error: Unroutable control packet received from x.x.x.x:443 (si=3 op=P_ACK_V1)

    I checked the routing table on the router and your suggested change took...I do have a route for the OpenVPN svr and NO default.
    The error makes no sense since there is a route for that IP...nonetheless, restoring the old config fixes the problem.
    I thought I understood routing :)
    The router was rebooted after the change...so it can't be some cookie leftover...Somehow this must be related to TLS nego and not pure routing.
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Is there anything just before the unroutable control packet messages?

    EDIT: You might also try adding a
    Code:
    route add default gw <some random LAN IP not assigned to any computer>
    Just in case openvpn freaks out if there is no default route.
     
  79. ipse

    ipse LI Guru Member

    Nothing jumps out as wrong before the error...

    Dec 31 19:08:20 unknown daemon.warn openvpn[303]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 31 19:08:20 unknown daemon.notice openvpn[303]: Re-using SSL/TLS context
    Dec 31 19:08:20 unknown daemon.notice openvpn[303]: LZO compression initialized
    Dec 31 19:08:20 unknown daemon.warn openvpn[303]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1450)
    Dec 31 19:08:20 unknown daemon.notice openvpn[303]: Control Channel MTU parms [ L:1492 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Dec 31 19:08:20 unknown daemon.notice openvpn[303]: Data Channel MTU parms [ L:1492 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Dec 31 19:08:20 unknown daemon.notice openvpn[303]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Dec 31 19:08:20 unknown daemon.notice openvpn[303]: UDPv4 link local: [undef]
    Dec 31 19:08:20 unknown daemon.notice openvpn[303]: UDPv4 link remote: x.x.x.x:443
    Dec 31 19:08:20 unknown daemon.err openvpn[303]: event_wait : Interrupted system call (code=4)
    Dec 31 19:08:20 unknown daemon.err openvpn[303]: TLS Error: Unroutable control packet received from x.x.x.x:443 (si=3 op=P_ACK_V1)
    Dec 31 19:08:21 unknown daemon.err openvpn[303]: TLS Error: Unroutable control packet received from x.x.x.x:443 (si=3 op=P_CONTROL_V1)

    I added a bogus default that would be replaced by the one provided by the server and didn't make a difference.
    Thanks...

    /EDIT: Oh, I noticed when it's working, when the tunnel goes down, it deletes the route to the OpenVPN server (which is always added as part of the tunnel estab)


    ...UP...

    Nov 15 00:53:56 unknown daemon.notice openvpn[320]: /sbin/route add -net x.x.x.x netmask 255.255.255.255 gw 192.168.x.1

    ....down.....

    Nov 15 00:56:44 unknown daemon.notice openvpn[320]: TCP/UDP: Closing socket
    Nov 15 00:56:44 unknown daemon.notice openvpn[320]: /sbin/route del -net 10.x.x.1 netmask 255.255.255.255
    Nov 15 00:56:44 unknown daemon.notice openvpn[320]: /sbin/route del -net x.x.x.x netmask 255.255.255.255
    Nov 15 00:56:44 unknown daemon.notice openvpn[320]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
    Nov 15 00:56:44 unknown daemon.notice openvpn[320]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
    Nov 15 00:56:44 unknown daemon.notice openvpn[320]: Closing TUN/TAP interface


    So the Wan-Up script route will be gone when the tunnel bounces for any reason.
     
  80. ipse

    ipse LI Guru Member

    Weird...I found the cause for the "unroutable packets": the time on the router HAS to be synchronized with the OpenVPN server.
    Because of my DNS changes, it was unable to run ntpd to get time...I had to put in a fixed IP (for now).
    Lots to learn about OpenVPN :)

    Now, back to the route problem hahahahaha....
     
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Let's change it to a bit more general route
    Code:
    route add -net <VPN server, first three octets>.0 netmask 255.255.255.0 gw `nvram get wan_gateway`
    
    instead of the other route add.

    That should survive any meddling OpenVPN does.

    The date is the usual cause of the unroutable packets error, but it seemed weird that it only occurred after changing the routes. I forgot that you rebooted your router, and it wouldn't be able to set the date. You'll probably want to add an explicit route to the NTP server in the WAN-UP script as well.
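    The WAN-up "tunnel only" script discussed in posts 76 and 81, written out as an added example (not SgtPepperKSU's firmware code): it keeps a /24 route to the VPN server (so OpenVPN's own route deletions on tunnel teardown do not remove it) and a host route to the NTP server, then drops the default route. The nvram variables vpn_client1_addr and wan_gateway are the ones named in the thread; NTP_SERVER_IP is a placeholder to fill in, and the value of vpn_client1_addr is assumed to be an IP address, not a hostname.

```shell
#!/bin/sh
# Added example for the Tomato router's busybox sh; not from the firmware.
# Generates the route commands first so they can be reviewed, then applies them.

# Turn a dotted-quad IP into its /24 network address ("a.b.c.0").
# Returns 1 for anything that is not four dotted numbers, e.g. a hostname
# (resolve it to an IP first; nvram vpn_client1_addr may hold a hostname).
subnet24() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    printf '%s.%s.%s.0\n' "$1" "$2" "$3"
}

# Print the route commands, one per line:
#   $1 = VPN server IP, $2 = WAN gateway, $3 = NTP server IP.
tunnel_only_routes() {
    vpn_addr=$1 wan_gw=$2 ntp_ip=$3
    net=$(subnet24 "$vpn_addr") || {
        echo "vpn address is not an IP: $vpn_addr" >&2
        return 1
    }
    # /24 instead of a host route: survives OpenVPN's "route del -net <server>"
    printf 'route add -net %s netmask 255.255.255.0 gw %s\n' "$net" "$wan_gw"
    # keep NTP reachable, otherwise the clock never syncs and TLS fails
    printf 'route add -host %s gw %s\n' "$ntp_ip" "$wan_gw"
    # everything else has nowhere to go until the tunnel's redirect-gateway is up
    printf 'route del default\n'
}

# Apply on the router from Administration > Scripts > WAN Up.
# NTP_SERVER_IP is a placeholder; replace it with the NTP server IP you use.
apply_tunnel_only() {
    tunnel_only_routes "$(nvram get vpn_client1_addr)" "$(nvram get wan_gateway)" "NTP_SERVER_IP" |
    while read -r cmd; do
        echo "$cmd"
        eval "$cmd"
    done
}
```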
     
  82. Cevan

    Cevan Addicted to LI Member

    Where can I find the binary of the ND build of 1.25vpn3.4?

    Thx
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Links are in the first post.
     
  84. Cevan

    Cevan Addicted to LI Member

    Is tomatovpn-ND-1.25vpn3.4 a valid build for WRT54GL ?
     
  85. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    yes.
     
  86. ipse

    ipse LI Guru Member

    Makes sense...I'll give it a try when I get home. I will have to add quite a few subnets since there is more than one server I can connect to.
    At least by tweaking DNS and setting cache to zero I stopped browsing by name when the tunnel is down.

    Thanks for your advice.
     
  87. ipse

    ipse LI Guru Member

    Running it happily on my GL since the day it came out. I deviated for 2 days (two!) to DD-WRT....came running back as fast as I could :)
    Now I have another WRT54G v3 running the same load...both stable.
     
  88. geckobros

    geckobros Addicted to LI Member

    SGT,
    This worked great and reading through this thread helped a lot.

    -- thank you
     
  89. zSoc

    zSoc Addicted to LI Member

    Hi all
    Could you help me guys?
    I've just set up the VPN by this manual: http://blog.johnso.org/2009/08/how-to-setup-openvpn-in-tomato.html
    The client is my laptop, with OpenVPN software installed, Windows (7).
    On my home wifi network (with the server router), the VPN works, but from another network it starts connecting, then stops:

    Fri Nov 20 00:37:58 2009 OpenVPN 2.1_rc20 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Oct 1 2009
    Fri Nov 20 00:37:58 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Nov 20 00:37:58 2009 LZO compression initialized
    Fri Nov 20 00:37:58 2009 TAP-WIN32 device [VPN] opened: \\.\Global\{552D2451-8DAA-4A4F-B679-890EACA17173}.tap
    Fri Nov 20 00:37:58 2009 UDPv4 link local (bound): [undef]:1195
    Fri Nov 20 00:37:58 2009 UDPv4 link remote: 80.99.69.24:1195

    Where is the problem?:S
     
  90. baldrickturnip

    baldrickturnip LI Guru Member

    the next line should read
    initial packet received

    so I would be looking to see if you have the external internet facing address correct in your config file and check that the port is forwarded correctly to the VPN server.
     
  91. ipse

    ipse LI Guru Member

    ...and it does! The problem though is that OpenVPN picks the "fake" gw (the one you suggested after deleting the "normal" gw) and tries to use that to send packets to the OpenVPN server :)

    x.x.x.x 192.168.3.254 255.255.255.255 0 br0 (LAN)
    ............^^^FAKE def gw

    I'll try again without default gw...I have all my VPN servers, NTP servers added as static routes...it should work

    /EDIT...so far so good, it looks OK. Thanks for all suggestions SgtPepper. I will stop messing with the routers now :) (no one believes me, right?)

    /EDIT2 Spoke too soon: once the tunnel goes down there is no gw to be served to the DHCP clients. While the tunnel still establishes, the clients can't surf. Back to the drawing board.
     
  92. geckobros

    geckobros Addicted to LI Member

    In "VPN Tunneling" on your router, change your firewall setting from "Custom" to "Automatic". Save. Reboot. Try your VPN connection again.
     
  93. zSoc

    zSoc Addicted to LI Member

    It worked, thank you very much.
     
  94. geckobros

    geckobros Addicted to LI Member

    You are welcome.
     
  95. kazon

    kazon Addicted to LI Member

    Yes, I deleted it completely.
    In the meantime I reinstalled it on another (thoroughly NVRAM-erased) router - exactly the same problem - DNS leaking. :(

    Can anyone guide me to the "fastest" TomatoVPN-compatible router? The WRT54GS/L I'm using seem to reach their maximum quite quickly.
     
  96. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good news. I just tracked down a bug that could cause "Exclusive" accept DNS option not to work exclusively. It should be fixed in the next release.
     
  97. ipse

    ipse LI Guru Member

    Is there a way to specify a route bound to an interface? In this case it's tricky since the one I need would be tun11, the tunnel interface that does NOT exist when the tunnel is down.
    I could not set this up manually.

    I'm getting frustrated to see that all the precautions we take to build a VPN tunnel are negated the minute the tunnel goes down and obviously there is a default route through the public interface.
    I realize that most of the users of this mod use OpenVPN to connect remote LANs, but I'm also certain I'm not the only one using an OpenVPN public service to tunnel all/some of my Internet traffic.

    IIRC DD-WRT allows one to create virtual interfaces...would it be possible to use this to statically define the tun11 if and create a default static route based on that?

    I'm open to any suggestions....esp now that I don't have a lot of hair left :)
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Maybe instead of trying to tackle this problem with routing, we should use the firewall.

    Code:
    iptables -t filter -I FORWARD -d ! <VPN server IP> -o vlan1 -j DROP
    
     
  99. ipse

    ipse LI Guru Member

    You Sir are tireless :)
    I need to tweak your suggestion since I have set the server to random (a list of 4 IPs) for redundancy.

    For now I found a solution (stupid me, I ignored I actually have 2 routers) by blocking some ports on the main router (the OpenVPN client is on the secondary one).
    At least this guarantees that in the absence of the tunnel, the "unwanted" traffic will be dropped if outside the tunnel.

    A few things that would really end the tribulation (and the pestering in this forum :) ) would be:

    - kickstart the tunnel upon receiving traffic from a given MAC/IP or even better, channel traffic from only one IP through it (this would work in a "normal" OpenVPN setup, not sure about my setup)
    - tweak dnsmasq to serve a DIFFERENT DNS to a certain MAC (I read the dnsmasq man and this does not seem possible)
    - have traffic from one MAC/IP go outside the tunnel (the problem is that only the source IP would be known, not the destination - src is an Internet Radio device). The reason being that it generates a lot of traffic which for now it's chewing my monthly VPN quota

    I still hope that the next version of your mod will have the ability to use GUI to enter a user/pass without expecting a key or certificate (can't remember now what this TLS mode is called).

    Cheers...and many thanks for sticking with me.
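    As an added example (not code from the thread or the TomatoVPN mod), here is a WAN-Up script that combines the /24 route from post 81 with the firewall idea from post 98, extended to the list of several servers and the one device allowed outside the tunnel that post 99 asks for. Server, gateway and host addresses are constructed placeholders, the WAN interface is assumed to be vlan1, and setting IPT=echo ROUTE=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread or the TomatoVPN mod.
# WAN-Up script: keep a /24 route to each VPN server via the WAN gateway
# (survives OpenVPN's "route del -net <server> netmask 255.255.255.255" on
# teardown) and drop any forwarded traffic leaving the WAN interface that is
# not headed to a VPN server, except from one host allowed to bypass the tunnel.
# Router-originated traffic (the OpenVPN client, ntpd) is OUTPUT, not FORWARD,
# so it is unaffected. All addresses below are constructed placeholders.

VPN_SERVERS="${VPN_SERVERS:-198.51.100.10 198.51.100.11 203.0.113.5 203.0.113.6}"
BYPASS_HOST="${BYPASS_HOST:-192.168.1.50}"   # e.g. the Internet radio device
WAN_IF="${WAN_IF:-vlan1}"
IPT="${IPT:-iptables}"                       # set IPT=echo to dry-run
ROUTE="${ROUTE:-route}"                      # set ROUTE=echo to dry-run

wan_gateway() {
    # On the router this is `nvram get wan_gateway`; the fallback keeps the
    # script runnable off-router (placeholder gateway).
    if command -v nvram >/dev/null 2>&1; then nvram get wan_gateway
    else echo "${WAN_GW:-192.168.3.254}"; fi
}

# One route per distinct /24, so two servers in the same subnet do not
# produce a duplicate "route add" (which would fail on the second call).
add_vpn_routes() {
    gw=$(wan_gateway)
    nets=$(for ip in $VPN_SERVERS; do echo "$ip" | sed 's/\.[0-9]*$/.0/'; done | sort -u)
    for net in $nets; do
        $ROUTE add -net "$net" netmask 255.255.255.0 gw "$gw"
    done
}

# Kill switch in its own chain so re-running WAN-Up re-applies it idempotently.
apply_killswitch() {
    $IPT -t filter -N VPN_GUARD 2>/dev/null
    $IPT -t filter -F VPN_GUARD
    for ip in $VPN_SERVERS; do
        $IPT -t filter -A VPN_GUARD -d "$ip" -j RETURN
    done
    $IPT -t filter -A VPN_GUARD -s "$BYPASS_HOST" -j RETURN
    $IPT -t filter -A VPN_GUARD -j DROP
    # Delete any earlier hook before inserting, so repeated runs do not stack
    # rules (works on old iptables builds that lack -C).
    $IPT -t filter -D FORWARD -o "$WAN_IF" -j VPN_GUARD 2>/dev/null
    $IPT -t filter -I FORWARD -o "$WAN_IF" -j VPN_GUARD
}

if [ "${1:-}" = "apply" ]; then add_vpn_routes; apply_killswitch; fi
```

    On the router, run it as `sh wanup.sh apply` (or call both functions at the end of the WAN-Up script); LAN clients can then only reach the VPN servers directly while the tunnel is down, which also stops their DNS queries from leaking out vlan1.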
     
  100. Paul

    Paul Addicted to LI Member

    Ipse - you are certainly not the only one using VPN services. In fact, the moment TomatoVPN works easily for these services, I imagine it will have hundreds more users at least.

    There's a post over at perfect-privacy also, about using the firewall to block the internet when the VPN goes down - https://forum.perfect-privacy.com/showthread.php?p=6363#post6363 Don't know if it will help, or if Sarge's solution has already sorted it:

    " What i noticed was:
    If the Open Vpn Server doesn't work, you are automatically connected with your original IP to the internet. This could be dangerous. But if you change a few things in the firewall config you can block all outgoing connections over the wan port:

    /etc/config/firewall:

    ### EXAMPLE CONFIG SECTIONS
    # do not allow a specific ip to access wan
    # TCP
    config rule
        option src lan
        option src_ip 192.168.1.100
        option dest wan
        option proto tcp
        option target REJECT

    # UDP (each rule needs its own "config rule" section header)
    config rule
        option src lan
        option src_ip 192.168.1.100
        option dest wan
        option proto udp
        option target REJECT

    Now all tcp/udp packages are blocked for 192.168.1.100 over wan port.
    If the OpenVPN doesn't work, you do not go via your original IP to the internet.
    If you want to add more devices copy the same and change the ip.

    best regards

    sangul "​
     