
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. MelechRic

    MelechRic LI Guru Member

    First off: Thank you, SgtPepperKSU. This is an awesome modification to a product I didn't think could be improved.

    I had everything up and running in a little under two days using this thread and the openvpn.org guides. It seems to be working flawlessly and I couldn't be happier.

    I don't have any complaints. All I have is a question. Currently I'm using TCP/TAP and DHCP to assign addresses when a client connects. When I look in my device list I see the client but I also see several MAC addresses with assigned IPs that I don't recognize. OUI lookup also fails on them. I assume that these are the virtual NICs that are created as part of the openvpn tunnels.

    Is this right or should I be concerned?

    Thanks again for a great mod and your tireless support!
     
  2. ipse

    ipse LI Guru Member

    Awesome...thanks for the suggestions.
    Like I said, for now I rely on a second router (connected to Internet) to filter out the "unwanted" traffic, but of course the ultimate goal is to rely on the OpenVPN client to do it automagically.
    I'll try the firewall changes and report back on results.

    Cheers!

    PS As much as I like AceVPN at this point, nothing beats "free" :) so if I could get to use some other service, I'd be even happier...
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I haven't used TAP much myself. What kind of IP addresses are you seeing?
     
  4. MelechRic

    MelechRic LI Guru Member

    They are all in the valid DHCP range that I've set up on dnsmasq. I'm actually connected right now through the openvpn while I'm up at my in-laws' house. What I see is that there is a DHCP address assigned to a MAC that isn't one I normally recognize. When I try to use tomato's OUI lookup the MAC is not found.

    I suspect that the openvpn software I'm using in Mac OS X creates a TAP interface with a software MAC that is random in nature. This would make sense as the device is essentially a virtual NIC. I've set up the lease on any assigned address to expire in 60 minutes. I'll do some more testing to make sure that they do.

    I think I was more concerned with the 3-4 that seemed to be lying around in the devices list. They may have been a result of my few days of configuration on the openvpn service. My old lease time was set to 1440 minutes which could explain why they were still there for so long. A reboot cleared them out of the list.

    I'm going to try and read up a bit more on the tun/tap implementation in Mac OS X to see if my theory is true.

    Thanks for taking the time to reply.
     
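Added example (not code from the thread, from Tomato, or from OpenVPN): a small audit of a dnsmasq lease table that separates the kind of entries discussed above. Software-generated MAC addresses are marked with the locally administered bit (bit 1 of the first octet), which is also why a vendor OUI lookup fails on them; leases past their expiry that are still listed are flagged as stale. The lease lines, the lease format (`<expiry-epoch> <mac> <ip> <hostname> <client-id>`, as Tomato's dnsmasq writes it) and the two-entry OUI table are constructed for the example.

```python
"""Flag dnsmasq leases that belong to virtual/random NICs rather than physical hosts.

Added example for this thread, not code from the Tomato firmware or from any poster.
Assumes Tomato's dnsmasq lease format: "<expiry-epoch> <mac> <ip> <hostname> <client-id>".
The lease lines and the OUI table below are constructed for the example.
"""
import re

# Constructed sample lease table: two physical hosts and two addresses handed out
# over the TAP tunnel to OpenVPN peers.
SAMPLE_LEASES = """\
1260000000 00:1b:63:aa:bb:cc 192.168.1.20 laptop-osx 01:00:1b:63:aa:bb:cc
1260000300 00:1e:c2:11:22:33 192.168.1.21 desktop-win32 *
1260000600 2a:7f:0c:de:ad:01 192.168.1.150 * *
1260000900 00:ff:12:34:56:78 192.168.1.151 * *
"""

# Stand-in for Tomato's OUI lookup (assumption: only these two prefixes are "known").
KNOWN_OUI = {"00:1b:63": "Apple", "00:1e:c2": "Apple"}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


def parse_leases(text):
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        expiry, mac, ip, host, _cid = m.groups()
        leases.append({"expiry": int(expiry), "mac": mac.lower(), "ip": ip, "host": host})
    return leases


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set: the address was generated
    by software rather than burned in by a NIC vendor, so an OUI lookup cannot succeed."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def classify(mac):
    if is_locally_administered(mac):
        return "locally administered (virtual or randomised NIC)"
    vendor = KNOWN_OUI.get(mac[:8])
    if vendor:
        return "vendor " + vendor
    return "unknown OUI (investigate)"


def audit(text, now):
    """Classify every lease and mark the ones already past expiry at time `now`."""
    report = []
    for lease in parse_leases(text):
        report.append({
            "ip": lease["ip"],
            "mac": lease["mac"],
            "kind": classify(lease["mac"]),
            "expired": lease["expiry"] < now,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LEASES, now=1260000500):
        flag = " (expired, should age out)" if row["expired"] else ""
        print("%-15s %s %s%s" % (row["ip"], row["mac"], row["kind"], flag))
```

On a Tomato box the real table lives in dnsmasq's lease file; an address that is neither locally administered nor in the OUI table is the one worth chasing, since it is neither a tunnel endpoint nor a device you recognise.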
  5. ipse

    ipse LI Guru Member

    @Paul: I'm not sure if those firewall rules are for Tomato...they don't follow the usual syntax ("iptables blah...").
    Just for kicks I added them and although I got no log error regarding syntax, there is no filtering done for the chosen src address.
    Are you saying you're using these rules with Tomato? They seem to work on OpenWRT...

    Thanks

    /EDIT: yeah, the rules have to be converted to iptables options...working on that.
    //EDIT: should be something like this:
    Code:
    iptables -I FORWARD -p udp -o wan -s 192.168.x.100/24 -j REJECT
    iptables -I FORWARD -p tcp -o wan -s 192.168.x.100/24 -j REJECT

    This should do it...but now I'm thinking that unless I keep my DNS setup (no available server unless the tunnel is up), the DNS requests from the machine I'm trying to block will actually be either sent directly to the DNS server (that's easy to block) or worse, forwarded by the router itself (it seems to be the case when I add a DNS server in the basic network config, besides the router itself). That I can't block without affecting all the machines on the LAN.
    I'm about to give up...obviously no solution can cover ALL the combinations.

    ///EDIT...I got the fw rules wrong...unless I smarten up, the rule does not drop the source traffic, I see it dropped in the main router.
     
  6. Paul

    Paul Addicted to LI Member

    ipse,

    It was just mentioned on that thread after I mentioned TomatoVPN and some other router options, but maybe it is just for dd-wrt.

    Keep up the good work - but I am waiting for the next tomatovpn release....
     
  7. ipse

    ipse LI Guru Member

    HELP...lost mgmt

    Guys...I managed to screw up something and now I cannot manage the second router (OpenVPN client in wireless client mode) from the LAN of the main router (AP, connected to Internet).

    /EDIT: fixed....
     
  8. daplumber

    daplumber Addicted to LI Member

    UN-urgent: move to 1.26?

    I'm very happy with this mod, it's working perfectly for me, and it's incredibly useful so a big "Thank You!"

    Just wondering: Any plans/timeline on moving to 1.26 as a base?
     
  9. EntityPacket

    EntityPacket LI Guru Member

    Going all the way back to the user who was having the problem entering his port number. I am encountering the same problem. Trying the nvram commands doesn't seem to work. I do a 'nvram show' and don't see 'vpn_server1_port'. However, I do see 'vpn_server2_port=1194'.

    I tried moving all my keys and everything to server2 since it has the port number. When I tried to save everything the subnet mask value (on server2) is now showing up blank like the port number was on server1. The port number on server1 is still missing. A 'nvram show' now shows the 'vpn_server2_nm' line missing (strange enough it was there before I moved my configs over to server2). Is there a way to clear out only the VPN configurations and start over?
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes/"when it's done" :wink:
     
  11. occamsrazor

    occamsrazor Network Guru Member

    Which one are you using? There's Tunnelblick (free), Viscosity (paid), and Shimo (paid). If you don't need the extra (non-OpenVPN related) features of Shimo and don't mind paying the $9, then I've found Viscosity to be the best in my opinion. They have a 30-day trial if you want to test.
    Edit: Sorry I realise that doesn't answer your question, just thought it might be useful....
     
  12. EntityPacket

    EntityPacket LI Guru Member


    I think I found my own problem. Getting rid of the extra keys/settings I no longer need seems to have cleared up this issue. For example, at first I was playing with a static key setup, then I switched to using TLS. My static key was still entered in the GUI if you switch from TLS to static... Clearing out all the GUI forms back to default then entering my information fixed this.
     
  13. MelechRic

    MelechRic LI Guru Member

    I switched over to Viscosity and haven't seen the issue again. I suspect that Tunnelblick is still a work in progress. Ever since the switch the issue seems to have resolved itself.

    I'm also using the openvpn-gui for win32 and that works fine as well.
     
  14. fryfrog

    fryfrog Network Guru Member

    I was wondering if there were any plans for a 1.27 version of this?
     
  15. daplumber

    daplumber Addicted to LI Member

    Er, make that 1.27 and counting...

    I call Bug Roundup!
     
  16. Chrissss

    Chrissss Guest

    Like http://www.linksysinfo.org/forums/showpost.php?p=354761&postcount=1389 i followed http://blog.johnso.org/2009/08/how-to-setup-openvpn-in-tomato.html to set up OpenVPN with Tomato. I followed his hints and i end up with...

    Code:
    Thu Dec 03 18:44:22 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
    Thu Dec 03 18:44:22 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Thu Dec 03 18:44:22 2009 LZO compression initialized
    Thu Dec 03 18:44:22 2009 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{952E9070-A4C8-4025-B5A3-F83CDD2804EE}.tap
    Thu Dec 03 18:44:22 2009 Successful ARP Flush on interface [19] {952E9070-A4C8-4025-B5A3-F83CDD2804EE}
    Thu Dec 03 18:44:22 2009 UDPv4 link local (bound): [undef]:1194
    Thu Dec 03 18:44:22 2009 UDPv4 link remote: 88.67.254.11:443
    ...too. The connection can't be established. I have to change the port of my vpn server to 443 since on the client side i have a strict firewall which blocks everything besides port 80 (over a proxy) and 443.

    But for me it doesn't help to switch to the automatic firewall settings, it doesn't matter what i choose here.

    Can you help me out?

    Thanks
    Christoph
     
  17. strike

    strike Addicted to LI Member

    Looking at setting up a new router with this mod for a colleague who needs VPN.

    Hoping to get some recommendations...I am currently considering the following:

    1. Buffalo WHR-HP-G54
    2. Asus WL-500G V2
    3. Linksys WRT54GL

    Looks like it will work with any of these. Any recommendations / experiences with this mod and these routers?
     
  18. gawd0wns

    gawd0wns LI Guru Member

    OpenVPN 2.1.0 has been released ;)
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well crap. Just last night I compiled in all the changes I wanted in the next release, hoping to test them this weekend. This included a last minute check to the OpenVPN site to make sure there hadn't been another release. Why couldn't they have done this a day sooner :wink:

    Though, I guess it's good they're finally out of their perpetual RC state.
     
  20. strike

    strike Addicted to LI Member

    Or would you all recommend the WRT54G-TM over them all?
    http://cgi.ebay.com/NEW-T-Mobile-Ho...wItemQQptZCOMP_EN_Routers?hash=item518f059980
     
  21. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Speaking of testing the next release, is there any interest from anyone in testing a pre-release version (I haven't done any testing yet besides making sure it compiles)? I'm especially interested if you were someone I told I'd fix your issue in the next release.

    Here's a brief list of what I included (from memory, not at home now):
    • Option to not leave existing default gateway in place when tunnel is created
      • Should make the internet unreachable when tunnel is down
    • Don't add the cert/key lines to the config if the fields are empty
      • Should make it possible to have client configs with nothing but user/pass as credentials
      • I haven't added user/pass fields to the GUI, but the custom config necessary shouldn't be hard
      • I've considered adding user/pass to the client GUI (not server), but so far haven't come up with a way that I'm satisfied with
    • Fix Exclusive accept DNS mode
    • Upgrade to Tomato 1.27
    • Upgrade to OpenVPN 2.1rc22 (will update to 2.1 final before release)
      • I don't think there were any functional changes, but the round version number would be nice
    • Merged in all the AES updates
    • Made the vpngui branch not depend on the openssl-AES branch. If mods including vpngui want AES they'll need to manually merge it themselves.
      • the gui will automatically pick up the new cipher options, though
      • This was mainly so that if the AES changes are incompatible with another mod (like recently with the updated kernel), they can easily be left out
    • Something else. I know there was at least one more thing directly in the VPN GUI that I changed, but I can't remember it...
     
  22. jinx

    jinx Addicted to LI Member

    Does your firewall also allow UDP traffic over port 443?
     
  23. rs232

    rs232 Network Guru Member

    I have 2 tomato VPN connected between each other.
    VPN works fine with static key.

    I would now like to connect from Internet to either of the 2 router using the windows openvpn software.

    I did try 1000 configs on my laptop but I'm stuck with this error:

    Code:
    Options error: specify only one of --tls-server, --tls-client, or --secret
    Use --help for more information.
    
    And this is the content of the file on my windows box (real host removed)
    Code:
    ## acme.ovpn ##
    client
    dev tun
    proto udp
    remote myhost 1195
    ifconfig 10.10.3.1 10.10.3.213
    resolv-retry 30
    nobind
    persist-key
    persist-tun
    cipher AES-128-CBC
    verb 3
    secret static.key
    status-version 2
    status status

    Any help on how to troubleshoot this?
    thanks!
    rs232
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Get rid of "client". That is for TLS. With static key, there really isn't a notion of "server" or "client", just the initiator and target.
     
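Added example (not from the thread, from Tomato, or from OpenVPN's own source): a small config linter that reproduces the options check behind the error quoted above. Per the OpenVPN manual the `client` helper directive expands to `tls-client` plus `pull`, so a file that also carries `secret` ends up naming two of the three mutually exclusive modes. The config text is a constructed copy of the posted one; the linter only expands `client`, treats whole lines starting with `#` or `;` as comments, and assumes no inline `<ca>`-style blocks.

```python
"""Detect the OpenVPN 2.x mode conflict
"specify only one of --tls-server, --tls-client, or --secret" in a config file.

Added example, not code from the thread, the Tomato firmware or OpenVPN itself.
Assumptions: only the "client" helper is expanded (client == tls-client + pull, as the
OpenVPN manual states); comment lines start with '#' or ';'; no inline <tag> blocks.
"""

# Constructed copy of the kind of config posted above, real host removed.
BROKEN_CONFIG = """\
client
dev tun
proto udp
remote myhost 1195
ifconfig 10.10.3.1 10.10.3.213
resolv-retry 30
nobind
persist-key
persist-tun
cipher AES-128-CBC
verb 3
secret static.key
"""

MODE_DIRECTIVES = ("tls-server", "tls-client", "secret")
# Helper directives that are shorthand for other options (only "client" handled here).
HELPERS = {"client": ["tls-client", "pull"]}
TLS_ONLY = ("client", "tls-client", "tls-server")


def parse_config(text):
    """Return [(directive, [args...])] for every non-comment line; a leading '--' is tolerated."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0].lstrip("-"), parts[1:]))
    return entries


def expand(entries):
    """Replace helper directives by the options they stand for."""
    out = []
    for directive, args in entries:
        for alias in HELPERS.get(directive, [directive]):
            out.append((alias, args if alias == directive else []))
    return out


def mode_conflict(entries):
    """Sorted list of the mutually exclusive mode directives present after expansion."""
    present = {d for d, _ in expand(entries)}
    return sorted(present & set(MODE_DIRECTIVES))


def lint(text):
    found = mode_conflict(parse_config(text))
    if len(found) > 1:
        return ["specify only one of --tls-server, --tls-client, or --secret (found: %s)"
                % ", ".join(found)]
    return []


def fix_static_key(text):
    """For a static-key peer (has 'secret'), drop the TLS-only directives and return the
    corrected config text; anything else is returned unchanged."""
    entries = parse_config(text)
    if not any(d == "secret" for d, _ in entries):
        return text
    keep = [(d, a) for d, a in entries if d not in TLS_ONLY]
    return "\n".join(" ".join([d] + a) for d, a in keep) + "\n"


if __name__ == "__main__":
    print("\n".join(lint(BROKEN_CONFIG)) or "no mode conflict")
    print(fix_static_key(BROKEN_CONFIG))
```

The fix is exactly the one given in the reply: with `secret` there is no client/server role, so `client` (and with it `tls-client` and `pull`) has no business in the file.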
  25. rs232

    rs232 Network Guru Member

    Excellent, thank you sooooo much! :)

    Just another question, is it possible to add additional VPN server config tab on tomato? Ideally I would need 3 server configurations.

    Thanks for reading
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm afraid not. NVRAM space is limited, and putting certificates in multiple tabs uses up a lot of it.
     
  27. rs232

    rs232 Network Guru Member

    I see, same for static keys?
    That's what I'm using btw but I understand the issue...
     
  28. TurtleFang

    TurtleFang Addicted to LI Member

    Then you're asking for a reduced SSLVPN config feature set to allow 3 servers?

    That would make it less likely to be implemented on the released images, as others depend on certificate based configs.

    Hope this helps,
    -TurtleFang
     
  29. gawd0wns

    gawd0wns LI Guru Member

    SgtPepperKSU, I hate to say it, but OpenVPN 2.1.1 has been released :))

    The change made may not be relevant:

    2009.12.11 -- Version 2.1.1

    * Fixed some breakage in openvpn.spec (which is required to build an
    RPM distribution) where it was referencing a non-existent
    subdirectory in the tarball, causing it to fail (patch from
    David Sommerseth).

    Happy Holidays everyone!
     
  30. dizziness

    dizziness Guest

    Oh, and Tomato 1.27. :)
     
  31. i1135t

    i1135t Network Guru Member

    Hi SgtPepper, I just noticed this error showing up in the log when going into the VPN GUI on the router. I'm not sure if it's VPN server1 or server2 though..
    Code:
    tomato daemon.err openvpn[156]: event_wait : Interrupted system call (code=4)
    
    Any clues..? I cannot test the VPN right now, but both servers appear to be up and running...

    Oh, I am running Teddy's 1.25 USB mod w/ vpn 3.4... thanks!
     
  32. gawd0wns

    gawd0wns LI Guru Member

    If you go to page 134 of this thread, you will get your answer to that question:

    "The event_wait is not an error. It is just you updating the status in the GUI."
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, that question has come up a lot. I can't blame people for not finding it in this thread, though. It's so long that I don't expect anyone to read through it.

    In fact, it's been asked so many times, I've made a change to the OpenVPN source to get rid of that message in the next release.
     
  34. ipse

    ipse LI Guru Member

    Hahahaha...always aiming to please the customer ;)

    Thanks!
     
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, so I realize it's getting pretty ridiculous with how long I've been taking to make a new release. I found some time a bit back to do some development of new features/fixes, but haven't had any time to do the testing I usually do.

    So, here's my proposal: I've gone ahead and uploaded a 1.27vpn3.5 release, but I haven't so much as loaded it onto a router. The changes I authored are pretty small and I don't include any changes to the kernel, so there should be no risk of bricking a router. The worst that could happen is that the VPN pages or functions won't work and a downgrade would be necessary.

    If just the basics can be verified (GUI is functional, tunnel can be established), I'll announce the release with some disclaimers (and eventually remove the disclaimers if no issues come up).

    Are there any willing testers out there?
     
  36. ntest7

    ntest7 Network Guru Member

    OK, I'll bite.

    WRT54GL Upgrading from 1.25vpn3.4
    Flashed OK, router rebooted OK, WIFI works.

    Oops, VPN Server page is blank -- The "VPN Server" heading is there, but just a blank box underneath. Left-side menu is OK. VPN Client pages look normal.

    Didn't check to see if VPN is working.

    Flashed back to 1.25vpn3.4, VPN server page back to normal.
     
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Thank you very much for loading the build.

    I think I see what the problem is. One stray ' in the page that was recently added by mistake. Damn.

    I'm pulling the build back down until I can fix this (and, hopefully, do some basic testing).
     
  38. gawd0wns

    gawd0wns LI Guru Member

    Seeing as how you are doing most of the work by yourself, I can understand it can take a little bit longer. I don't think anyone is complaining.

    Thanks for your hard work.
     
  39. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Normally, it hasn't been a problem finding some time for this. I've just been unusually short on free time away from work lately (and some other things than this get higher priority to fill that time). I'm hopeful that will change some soon.
     
  40. MelechRic

    MelechRic LI Guru Member

    You've really outdone yourself over the life of this project. Your support for "customer" issues is really amazing. I think I speak for most people on this forum when I say that we appreciate all your hard work and are more than willing to wait for you.

    As a software engineer I completely understand the free time issue. Work can consume you (and also evaporate your desire to work on software outside of work). If you put family into the mix it's a whole other ball game.

    Happy Holidays! and best wishes in the New Year.

    P.S. PM me if you want another beta tester for non-kernel changes. (I've only got one router so bricking it would be sad, but I'm happy to beta test with any gui and userspace changes.)
     
  41. Incidentflux

    Incidentflux Addicted to LI Member

    I sincerely and strongly agree!
     
  42. rs232

    rs232 Network Guru Member

    How about saving VPN config in a network share (CIFS)?
     
  43. ipse

    ipse LI Guru Member

    Hear Hear!!!! I'm not a brown nose, but I do work in support and I can tell the difference a quick and competent response makes for any customer.

    Thanks and have Merry Christmas and Happy New Year!!!!
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, let's try this again. I've uploaded updated binaries to the download site.

    This time, I've at least loaded it onto a router and checked that the GUI was functional.

    If there are any willing testers, I'd be very appreciative. I'd especially like to hear if TAP client configurations work.
     
  45. oversky

    oversky LI Guru Member

    I want to set up openvpn because the public AP has no wireless security and the ports are not opened for P2P networks.
    Now, the openvpn client can connect to the vpn server. So I believe the issue of the wireless security is solved. However, the ports are not opened yet for bittorrent and emule.

    I have installed SgtPepperKSU tomatovpn-1.25vpn3.4.

    My network configuration is as following:

    Laptop -> AP2 -> Public AP -> Internet -> AP1 -> Internet

    AP1(openvpn server)
    Public IP: 111.222.333.444
    Private IP: 192.168.0.1

    Public AP
    Public IP: 555.666.777.888
    Private IP: 192.168.1.254

    AP2(openvpn client): logging into Public AP in wireless client mode
    WAN IP: 192.168.1.10
    Private IP: 192.168.2.1

    Laptop:
    Private IP: 192.168.2.2



    I tried the following setup for openvpn

    AP1(openvpn server)
    Start with router: v
    Interface Type: TUN
    Protocol: TCP
    Port: 1194
    Firewall: Automatic
    Authorization Mode: Static Key
    Local/remote endpoint: 10.8.0.1 10.8.0.2
    Respond to DNS: v
    Paste Static Key and save
    Port Forwarding:
    DMZ: 192.168.0.1 (Do I need this?)

    AP2(Openvpn client)
    Start with router: v
    Interface Type: TUN
    Protocol: TCP
    Server Address/Port 111.222.333.444 1194
    Firewall: Automatic
    Authorization Mode: Static Key
    Create NAT on tunnel: v
    Local/remote endpoint: 10.8.0.2 10.8.0.1
    Redirect Internet traffic: v
    Paste Static Key and save
    Port Forwarding:
    DMZ: 192.168.2.2

    Do I have correct port forwarding setup? Is TUN suitable for this?
     
  46. jvro

    jvro Addicted to LI Member

    Tried it out but I continuously have this error written to my log after the upgrade:

    write UDPv4 []: No buffer space available (code=132)

    There seems to be a memory problem all of a sudden?

    /John
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting...

    I've uploaded a new 1.27vpn3.4 binary (updated OpenVPN and Tomato, but none of my other changes) to the same location. Could you try that and see if it's better?

    Also, are you using AES, by chance?
     
  48. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try it without the DMZ settings.
     
  49. TurtleFang

    TurtleFang Addicted to LI Member

    Hi,

    I'm willing to try it out on my TM but I don't see a ND image in that tomatovpn-1.27vpn3.4.7z file.

    Also, in that new 7z file what are the additional .bin files? For example, tomatovpn-ND-1.25vpn3.4 only has one .trx file. But I see the follow images in tomatovpn-1.27vpn3.4.7z:
    tomato.trx
    WR850G.bin
    WRT54GS.bin
    WRT54GSv4.bin
    WRT54G_WRT54GL.bin
    WRTSL54GS.bin

    I've got tomatovpn-ND-1.25vpn3.4 running right now and have a client that I connect with. I can try it out tonight, just want to clarify on the right image for a ND device.

    Here is the output of my TM as to which wl0_corerev I have:
    Code:
    Tomato v1.25vpn3.4
    
    
    BusyBox v1.14.0 (2009-08-12 21:41:53 CDT) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    # nvram get wl0_corerev
    9
    # 
    
    Thanks,
    -TurtleFang
     
  50. oversky

    oversky LI Guru Member

    Thanks for your reply. I disabled DMZ on both client and server, but port checker still reports error.

     
  51. jvro

    jvro Addicted to LI Member

    Hi. Just tried the new image and now I get this instead (not able to connect now):

    openvpn[370]: read udpv4 [econnrefused]: connection refused (code=146)

    Yes, I guess I am using AES (I'm using the default there).
     
  52. jvro

    jvro Addicted to LI Member

    Hi again.

    About an hour after the reconnecting I can see from my log that it connected like it should, and from my log the connection seems to have been stable since :)

    UPDATE:

    Just checked my log again and the original error (no bufferspace available) is still happening. Not quite as often but still quite often.

    /John
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting.

    Just to clarify. You said that you were using AES, but also that you were using the default. AES is not the default, blowfish is. Am I correct that you are not using AES? I only mention it because there were some AES changes since the last release, and if you are using it, it could be a direction to look in.

    I really appreciate your willingness to test these builds. I think next I'll make a build without the newer OpenVPN version. As long as you aren't using AES, that's the most likely cause of the problem.
     
  54. jvro

    jvro Addicted to LI Member

    Actually I just went back to my previous build to try that out and after a while I started getting the same error, so maybe it has been there all along?

    I'm going to try AES instead and see if that helps. Also the error is reported by the client on the server router, as it seems.
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, if it isn't a regression from a previous release, I think I'll rebuild (unfortunately, I deleted them) and repost 1.27vpn3.5 with everything in it.
     
  56. rastoma

    rastoma Guest

    can't connect with Windows VPN

    Sorry for being a newb, but I have tried searching and the search function is awful here. And there are well over 100+ pages to sift through on this one thread.

    I have gotten the VPN server running on my router.

    But I cannot make a VPN connection to the router using Windows VPN client.

    I have tried the ridiculous opensource openvpn client for Windows and it fails under Windows 7.

    Is there no way to use a client certificate using the Windows VPN client?

    Any suggestions please?
     
  57. toolbox

    toolbox Addicted to LI Member

    I am a newbie as well and I am able to use openvpn client under Win 7 with helps from this thread. You may want to provide more details how you can't connect so people can give you some tips.
     
  58. xppx99

    xppx99 Addicted to LI Member

    Hi there!

    First of all, and because I'm a recent member of this great community, I would like to thank SgtPepperKSU for this great work! I've been using dd-wrt for the past 2 years and had never given any credit to tomato firmware until I tried it... Very simple, and the best of all, very very functional. Now I'm using tedy_bear USB version with integration of SgtPepperKSU VPN version, and it works way better than my previous dd-wrt setup! Thanks!

    I have a small problem though: when clients are not connected to the server (tomato router), openvpn is always restarting every 2 seconds, as can be seen in the quoted log

    Code:
    Dec 22 17:40:20 asus daemon.notice openvpn[165]: Restart pause, 2 second(s)
    Dec 22 17:40:22 asus daemon.warn openvpn[165]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: LZO compression initialized
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: TUN/TAP device tap21 opened
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: TUN/TAP TX queue length set to 100
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: Socket Buffers: R=[108544->131072] S=[108544->131072]
    Dec 22 17:40:22 asus daemon.notice openvpn[165]: UDPv4 link local (bound): [undef]:1194
    Dec 22 17:41:22 asus daemon.notice openvpn[165]: Inactivity timeout (--ping-restart), restarting
    Dec 22 17:41:22 asus daemon.notice openvpn[165]: TCP/UDP: Closing socket
    Dec 22 17:41:22 asus daemon.notice openvpn[165]: Closing TUN/TAP interface
    Dec 22 17:41:22 asus daemon.notice openvpn[165]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec 22 17:41:22 asus daemon.notice openvpn[165]: Restart pause, 2 second(s)
    Dec 22 17:41:24 asus daemon.warn openvpn[165]: NOTE: OpenVPN 2.1 requires '--......
    repeated above log....
    ......
    Dec 22 17:42:24 asus daemon.notice openvpn[165]: Restart pause, 2 second(s)
    ......
    
    I would like to know what is causing this. I use a "TAP+Static.key" combination with no custom configuration.

    Thanks
     
  59. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It looks like it is restarting every 1 minute + 2 seconds to me. It is happening due to the keepalive (which by default will restart if the tunnel is non-responsive for 60 seconds. Though, I don't think it is supposed to do this when there is no client connected...
    Try adding
    Code:
    keepalive 60 86400
    to up that to every 1 day instead. I guess I should consider making the keepalive tunable(including disable) via the GUI.
     
  60. xppx99

    xppx99 Addicted to LI Member

    Thanks, it worked. I added "keepalive 60 86400" in the "Advance->custom configuration" setting and it works.
     
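Added example (not code from the thread, from Tomato, or from OpenVPN): detection logic that measures the restart cadence in syslog lines of the kind quoted above, so the "every 2 seconds" impression can be checked against what the daemon actually does. It pairs each `SIGUSR1[soft,<reason>]` line with the preceding `UDPv4 link local (bound)` line to recover how long the socket sat idle before `--ping-restart` fired, and reports the period between restarts (idle time plus the 2-second restart pause). The log lines are constructed in the format the thread shows; the year-less syslog timestamps are parsed as-is, so a log that crosses New Year would need the year supplied.

```python
"""Measure OpenVPN restart cadence from syslog lines to spot a --ping-restart loop.

Added example; not code from the Tomato firmware or from any poster. The log lines
below are constructed in the format the thread shows (Tomato syslog, OpenVPN 2.1).
Assumption: syslog stamps carry no year, so intervals across a year boundary are wrong.
"""
import re
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
Dec 22 17:40:20 asus daemon.notice openvpn[165]: Restart pause, 2 second(s)
Dec 22 17:40:22 asus daemon.notice openvpn[165]: TUN/TAP device tap21 opened
Dec 22 17:40:22 asus daemon.notice openvpn[165]: UDPv4 link local (bound): [undef]:1194
Dec 22 17:41:22 asus daemon.notice openvpn[165]: Inactivity timeout (--ping-restart), restarting
Dec 22 17:41:22 asus daemon.notice openvpn[165]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 22 17:41:22 asus daemon.notice openvpn[165]: Restart pause, 2 second(s)
Dec 22 17:41:24 asus daemon.notice openvpn[165]: TUN/TAP device tap21 opened
Dec 22 17:41:24 asus daemon.notice openvpn[165]: UDPv4 link local (bound): [undef]:1194
Dec 22 17:42:24 asus daemon.notice openvpn[165]: Inactivity timeout (--ping-restart), restarting
Dec 22 17:42:24 asus daemon.notice openvpn[165]: SIGUSR1[soft,ping-restart] received, process restarting
Dec 22 17:42:24 asus daemon.notice openvpn[165]: Restart pause, 2 second(s)
Dec 22 17:42:26 asus daemon.notice openvpn[165]: UDPv4 link local (bound): [undef]:1194
Dec 22 17:43:26 asus daemon.notice openvpn[165]: Inactivity timeout (--ping-restart), restarting
Dec 22 17:43:26 asus daemon.notice openvpn[165]: SIGUSR1[soft,ping-restart] received, process restarting
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ openvpn\[(\d+)\]: (.*)$")
SIG_RE = re.compile(r"SIG\w+\[(?:soft|hard),([^\]]+)\] received")


def parse(text):
    """Return [(timestamp, pid, message)] for every openvpn syslog line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less, see module doc
        events.append((ts, int(m.group(2)), m.group(3)))
    return events


def restarts(events):
    """One entry per process restart: when it happened, the reason OpenVPN names in the
    signal line, and how long the socket had been up without peer traffic."""
    out, bound_at = [], None
    for ts, pid, msg in events:
        if "link local (bound)" in msg:
            bound_at = ts
        m = SIG_RE.search(msg)
        if m:
            idle = (ts - bound_at).total_seconds() if bound_at else None
            out.append({"at": ts, "pid": pid, "reason": m.group(1), "idle_seconds": idle})
            bound_at = None
    return out


def diagnose(text, min_restarts=2):
    """Report whether the daemon is cycling on --ping-restart and at what cadence."""
    rs = restarts(parse(text))
    pr = [r for r in rs if r["reason"] == "ping-restart" and r["idle_seconds"] is not None]
    if len(pr) < min_restarts:
        return {"ping_restart_loop": False, "restarts": len(rs)}
    periods = [(b["at"] - a["at"]).total_seconds() for a, b in zip(pr, pr[1:])]
    return {
        "ping_restart_loop": True,
        "restarts": len(rs),
        "ping_restart_seconds": median(r["idle_seconds"] for r in pr),  # the --ping-restart value
        "period_seconds": median(periods),  # idle time + restart pause
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample this yields an idle time of 60 seconds and a period of 62, matching the "1 minute + 2 seconds" reading in the reply; after `keepalive 60 86400` the idle figure should climb to a day.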
  61. sauce

    sauce Network Guru Member

    Amazing modification. Works flawlessly. I have my WRT54GS set up with a pre-shared key and no NAT to establish a site-to-site tunnel through the internet to another office. The GUI is perfect.

    DD-WRT's VPN build sucks compared to this. I tried it first because I had a device that Tomato doesn't support. I ended up going out and buying a Tomato-compatible device just to try this build. I'm glad I did.

    I'm having trouble getting OpenVPN to work automatically upon restart though. I have to manually stop/start the process. Maybe that "Restart with router" function needs a longer sleep time. I may have to disable it and use a custom script to start it instead.
     
  62. Vikster

    Vikster Addicted to LI Member

    This mod is so much simpler than rolling out a dedicated server for VPN.

    I have successfully set up a tun vpn and can connect from all machines on the client side to all the machines on the server side. I would like to do the same in reverse, i.e. machines on the server side can ping machines on the client side - is this possible in tun mode or do I have to go for tap?

    Thanks again for a great mod!

    Vik
     
  63. strike

    strike Addicted to LI Member

    Loaded up the current version, tomatovpn-1.25vpn3.4 on a WRT54G-TM and have gotten everything working so far.
    VPN with multiple clients, TUN, TLS, with AES.

    Very nice!

    But, can someone tell me if that is the right firmware for the TM? Should I be using the ND version?

    Thanks,
    Strike

    btw - I have also done the CFE DD-WRT update prior to loading the tomatovpn build.

    edit - corerev is 9, so ND it is...
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Very possible :smile:
     
  65. Low-WRT

    Low-WRT LI Guru Member

    Is this normal? It looks like vpn is restarting every minute:
    Code:
    Dec 26 22:57:12 unknown daemon.warn openvpn[116]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    
    Code:
    Dec 26 22:57:10 unknown daemon.notice openvpn[116]: TCP/UDP: Closing socket
    Dec 26 22:57:10 unknown daemon.notice openvpn[116]: Closing TUN/TAP interface
    Dec 26 22:57:10 unknown daemon.notice openvpn[116]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec 26 22:57:10 unknown daemon.notice openvpn[116]: Restart pause, 2 second(s)
    Dec 26 22:57:12 unknown daemon.warn openvpn[116]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: LZO compression initialized
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: TUN/TAP device tap21 opened
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: TUN/TAP TX queue length set to 100
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: UDPv4 link local (bound): [undef]:1194
    Dec 26 22:57:12 unknown daemon.notice openvpn[116]: UDPv4 link remote: [undef]
    Dec 26 22:58:12 unknown daemon.notice openvpn[116]: Inactivity timeout (--ping-restart), restarting
    Dec 26 22:58:12 unknown daemon.notice openvpn[116]: TCP/UDP: Closing socket
    Dec 26 22:58:12 unknown daemon.notice openvpn[116]: Closing TUN/TAP interface
    Dec 26 22:58:12 unknown daemon.notice openvpn[116]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec 26 22:58:12 unknown daemon.notice openvpn[116]: Restart pause, 2 second(s)
    Dec 26 22:58:14 unknown daemon.warn openvpn[116]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: LZO compression initialized
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: TUN/TAP device tap21 opened
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: TUN/TAP TX queue length set to 100
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: UDPv4 link local (bound): [undef]:1194
    Dec 26 22:58:14 unknown daemon.notice openvpn[116]: UDPv4 link remote: [undef]
    Dec 26 22:59:14 unknown daemon.notice openvpn[116]: Inactivity timeout (--ping-restart), restarting
    Dec 26 22:59:14 unknown daemon.notice openvpn[116]: TCP/UDP: Closing socket
    Dec 26 22:59:14 unknown daemon.notice openvpn[116]: Closing TUN/TAP interface
    Dec 26 22:59:14 unknown daemon.notice openvpn[116]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec 26 22:59:14 unknown daemon.notice openvpn[116]: Restart pause, 2 second(s)
    Dec 26 22:59:16 unknown daemon.warn openvpn[116]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: LZO compression initialized
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: TUN/TAP device tap21 opened
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: TUN/TAP TX queue length set to 100
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: UDPv4 link local (bound): [undef]:1194
    Dec 26 22:59:16 unknown daemon.notice openvpn[116]: UDPv4 link remote: [undef]
    
     
  66. TurtleFang

    TurtleFang Addicted to LI Member

  67. Vikster

    Vikster Addicted to LI Member

    That works brilliantly - thank you!! Much easier than sifting through 147 pages.

    Vik
     
  68. Low-WRT

    Low-WRT LI Guru Member

  69. gawd0wns

    gawd0wns LI Guru Member

    Hmm... I just got an idea on how to organize all the information in this thread. I think we have more than enough to create a FAQ/sticky, possibly here (as der _Kief has done) or the tomato wikibooks page, or both, and lock this thread.

    What do you all think?
     
  70. tomtom

    tomtom Addicted to LI Member

    Simple VPN design and other questions

    I have a remote site where I have a few devices, one of which is a Logitech Squeezebox (SB). I want to connect the SB back to the main site via VPN. The SB itself does not have a vpn client so I am considering doing this with my Tomato routers (WRT54GS).

    I have been using Tomato for several years and it has been rock stable, which is a requirement since the remote site may not be visited for months at a time and there is a weather station that needs reliable connectivity. Is Tomato with this mod as stable as Tomato alone? I was thinking of using the latest version tomatovpn-1.27vpn3.5.7.

    My two sites are currently using the same internal address scheme (192.168.0/24) and there are overlapping addresses. Is there a way to direct just traffic to/from the SB into a VPN tunnel whilst keeping the current address scheme? Or will I need to re-address my remote site devices and keep the SB at the remote site as 192.168.0/24 (not a big deal since it is only a few devices)?

    I assume I would set up a TUN with static key as I will only have this one site connected in, is that correct?

    Thanks
     
  71. techmanblues

    techmanblues Network Guru Member

    VPN newbie help

    I have been reading these posts and feel comfortable enough to try out Tomato with VPN. Here is my current setup. I have a home office and a work office. The work office has a static IP account through Comcast and the home is dynamic via ATT DSL (I am thinking of upgrading to Comcast as well with dynamic IP). At work there is a file server running XP Pro. At home there is also a file server that is a NAS box from Synology. I want these two file servers to be able to sync their data via rsync. The Synology box supports rsync and I believe there is an rsync client/server for XP.

    So the plan is to flash the current WRT54GL v1.1 stock firmware with TomatoVPN 1.25vpn3.4. This is my first foray into VPN. Is there a guide out there that shows me step by step? What is the ND version of the Tomato VPN anyway?

    Thanks for any help provided.
     
  72. groosh

    groosh Addicted to LI Member

    openvpn 2.1.1?

    Just curious what version of openvpn is in the 1.27vpn3.5 drop uploaded on December 21, 2009.
     
  73. ladiabla

    ladiabla Addicted to LI Member

    re: Groosh
    I was confused for several minutes, as neither the release blog nor these community support forums listed a December release for this mod... although I just found that Dec 2009 build now.

    FYI: The previous build of the Sgt Pepper mod (v.1.25vpn3.4 from Aug 2009) states in its release blog entry that OpenVPN was upgraded to v.2.1rc19. However, I imagine you read that info already, since you were resourceful enough to find this much more recent build, for which I find no direct public link, nor announcement on either the mod's release blog or here in the community/support forums.

    Which leads me to ask the mod developer why that is.

    * Has this Dec 2009 build not been determined to be ready for public "consumption"?
    * Is this unlisted Dec 2009 build for testers only?
    * OR... perhaps the issue is more simply that the release blog's maintainer has been too busy over the holidays to create a new entry announcing this latest build [v.127vpn3.5]...
    * Would the developer care to comment?

    -- an eager VPN beaver
     
  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.27vpn3.5 isn't ready yet, but the December build had OpenVPN 2.1.1. It's been posted for people to test. With the limited testing I've done, there appears to be an issue with static key and routed VPNs. I suspect the OpenVPN upgrade as the culprit.
     
  75. zurk

    zurk Addicted to LI Member

    I run a Tomato 1.25 stable VPN build on one network (TAP) and on another I put this 1.27 build. Connecting to the 1.25 with the 1.27 as client (the 1.27 is also running a TAP server with VPN) I get the following errors and it does not work:

    Dec 31 16:00:12 test cron.err crond[94]: crond (busybox 1.14.4) started, log level 8
    Dec 31 16:00:13 test daemon.info httpd[104]: Generating SSL certificate...
    Dec 31 16:00:13 test user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Dec 31 16:00:16 test user.info kernel: device tap21 entered promiscuous mode
    Dec 31 16:00:16 test user.info kernel: br0: port 3(tap21) entering listening state
    Dec 31 16:00:16 test user.info kernel: br0: port 3(tap21) entering learning state
    Dec 31 16:00:16 test user.info kernel: br0: port 3(tap21) entering forwarding state
    Dec 31 16:00:16 test user.info kernel: br0: topology change detected, propagating
    Dec 31 16:00:16 test daemon.notice openvpn[121]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Dec 20 2009
    Dec 31 16:00:17 test daemon.warn openvpn[121]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
    Dec 31 16:00:17 test daemon.warn openvpn[121]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Dec 31 16:00:18 test daemon.notice openvpn[121]: Diffie-Hellman initialized with 1024 bit key
    Dec 31 16:00:18 test daemon.notice openvpn[121]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Dec 31 16:00:18 test daemon.notice openvpn[121]: TUN/TAP device tap21 opened
    Dec 31 16:00:18 test daemon.notice openvpn[121]: TUN/TAP TX queue length set to 100
    Dec 31 16:00:18 test daemon.notice openvpn[121]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Dec 31 16:00:18 test daemon.notice openvpn[125]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Dec 31 16:00:18 test daemon.notice openvpn[125]: UDPv4 link local (bound): [undef]:1194
    Dec 31 16:00:18 test daemon.notice openvpn[125]: UDPv4 link remote: [undef]
    Dec 31 16:00:18 test daemon.notice openvpn[125]: MULTI: multi_init called, r=256 v=256
    Dec 31 16:00:18 test daemon.notice openvpn[125]: Initialization Sequence Completed
    Dec 31 16:00:19 test user.info init[1]: Tomato 1.27vpn3.5.4b2eeca4
    Dec 31 16:00:19 test user.info init[1]: Linksys WRT54G/GS/GL
    Dec 31 16:00:19 test daemon.info dnsmasq[88]: reading /etc/resolv.dnsmasq
    Dec 31 16:00:19 test daemon.info dnsmasq[88]: using nameserver 4.2.2.1#53
    Dec 31 16:00:19 test daemon.info dnsmasq[88]: using nameserver 4.2.2.2#53
    Dec 31 16:00:19 test daemon.info dnsmasq[88]: using nameserver 8.8.8.8#53
    Dec 31 16:00:19 test daemon.info dnsmasq[88]: exiting on receipt of SIGTERM
    Dec 31 16:00:19 test daemon.info dnsmasq[133]: started, version 2.51 cachesize 150
    Dec 31 16:00:19 test daemon.info dnsmasq[133]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-scripts no-TFTP
    Dec 31 16:00:19 test daemon.warn dnsmasq[133]: warning: interface tap21 does not currently exist
    Dec 31 16:00:19 test daemon.info dnsmasq-dhcp[133]: DHCP, IP range 192.168.100.100 -- 192.168.100.199, lease time 1d
    Dec 31 16:00:19 test daemon.info dnsmasq[133]: reading /etc/resolv.dnsmasq
    Dec 31 16:00:19 test daemon.info dnsmasq[133]: using nameserver 4.2.2.1#53
    Dec 31 16:00:19 test daemon.info dnsmasq[133]: using nameserver 4.2.2.2#53
    Dec 31 16:00:19 test daemon.info dnsmasq[133]: using nameserver 8.8.8.8#53
    Dec 31 16:00:19 test daemon.info dnsmasq[133]: read /etc/hosts - 0 addresses
    Dec 31 16:00:19 test daemon.info dnsmasq[133]: read /etc/hosts.dnsmasq - 1 addresses
    Dec 31 16:00:19 test user.info kernel: ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/
    Dec 31 16:00:20 test user.info rcheck[147]: Time not yet set. Only "all day, everyday" restrictions will be activated.
    Dec 31 16:00:22 test user.info kernel: device br0 entered promiscuous mode
    Jan 1 14:30:12 test user.info ntpc[192]: Time Updated: Fri, 01 Jan 2010 14:30:12 -0800 [+1262384990s]
    Jan 1 14:30:16 test user.info kernel: vlan1: add 01:00:5e:00:00:01 mcast address to master interface
    Jan 1 14:30:17 test user.info kernel: vlan1: add 01:00:5e:00:00:09 mcast address to master interface
    Jan 1 14:30:51 test cron.err crond[94]: time disparity of 21039750 minutes detected
    Jan 1 14:32:56 test user.info kernel: device tap11 entered promiscuous mode
    Jan 1 14:32:56 test user.info kernel: br0: port 4(tap11) entering listening state
    Jan 1 14:32:56 test user.info kernel: br0: port 4(tap11) entering learning state
    Jan 1 14:32:56 test user.info kernel: br0: port 4(tap11) entering forwarding state
    Jan 1 14:32:56 test user.info kernel: br0: topology change detected, propagating
    Jan 1 14:32:56 test daemon.notice openvpn[454]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Dec 20 2009
    Jan 1 14:32:56 test daemon.warn openvpn[454]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 1 14:32:56 test daemon.warn openvpn[454]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 1 14:32:56 test daemon.notice openvpn[454]: LZO compression initialized
    Jan 1 14:32:56 test daemon.notice openvpn[454]: Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jan 1 14:32:56 test daemon.notice openvpn[454]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 1 14:32:56 test daemon.notice openvpn[458]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 1 14:32:56 test daemon.notice openvpn[458]: UDPv4 link local: [undef]
    Jan 1 14:32:56 test daemon.notice openvpn[458]: UDPv4 link remote: xx.xx.xx.xx:1194
    Jan 1 14:32:56 test daemon.notice openvpn[458]: TLS: Initial packet from xx.xx.xx.xx:1194, sid=9364bbcf 0d04cf04
    Jan 1 14:32:57 test daemon.notice openvpn[458]: VERIFY OK: depth=1, /C=CA/OU=IT/CN=network/Email=xx@xxx.com
    Jan 1 14:32:57 test daemon.notice openvpn[458]: VERIFY OK: depth=0, /C=CA/OU=IT/CN=server/Email=xx@xxx.com
    Jan 1 14:32:59 test daemon.notice openvpn[458]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 1 14:32:59 test daemon.notice openvpn[458]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 1 14:32:59 test daemon.notice openvpn[458]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 1 14:32:59 test daemon.notice openvpn[458]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 1 14:32:59 test daemon.notice openvpn[458]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Jan 1 14:32:59 test daemon.notice openvpn[458]: [server] Peer Connection Initiated with xx.xx.xx.xx:1194
    Jan 1 14:33:01 test daemon.notice openvpn[458]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Jan 1 14:33:01 test daemon.notice openvpn[458]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN xxx.com,dhcp-option DNS 192.168.0.1,route-gateway 192.168.0.1,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60'
    Jan 1 14:33:01 test daemon.notice openvpn[458]: OPTIONS IMPORT: timers and/or timeouts modified
    Jan 1 14:33:01 test daemon.notice openvpn[458]: OPTIONS IMPORT: route options modified
    Jan 1 14:33:01 test daemon.notice openvpn[458]: OPTIONS IMPORT: route-related options modified
    Jan 1 14:33:01 test daemon.notice openvpn[458]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jan 1 14:33:01 test daemon.notice openvpn[458]: TUN/TAP device tap11 opened
    Jan 1 14:33:01 test daemon.notice openvpn[458]: TUN/TAP TX queue length set to 100
    Jan 1 14:33:01 test daemon.notice openvpn[458]: /sbin/route add -net xx.xx.xx.xx netmask 255.255.255.255 gw xxx.xxx.xxx.xxx
    Jan 1 14:33:01 test daemon.notice openvpn[458]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.0.1
    Jan 1 14:33:01 test daemon.warn openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 1
    Jan 1 14:33:01 test daemon.notice openvpn[458]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.0.1
    Jan 1 14:33:01 test daemon.warn openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 1
    Jan 1 14:33:01 test daemon.notice openvpn[458]: Initialization Sequence Completed
    Jan 1 14:35:42 test daemon.notice openvpn[458]: TCP/UDP: Closing socket
    Jan 1 14:35:42 test daemon.notice openvpn[458]: /sbin/route del -net xx.xx.xx.xx netmask 255.255.255.255
    Jan 1 14:35:42 test daemon.notice openvpn[458]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
    Jan 1 14:35:42 test daemon.warn openvpn[458]: ERROR: Linux route delete command failed: external program exited with error status: 1
    Jan 1 14:35:42 test daemon.notice openvpn[458]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
    Jan 1 14:35:42 test daemon.warn openvpn[458]: ERROR: Linux route delete command failed: external program exited with error status: 1
    Jan 1 14:35:42 test daemon.notice openvpn[458]: Closing TUN/TAP interface
    Jan 1 14:35:42 test daemon.notice openvpn[458]: SIGTERM[hard,] received, process exiting
    Jan 1 14:35:42 test user.info kernel: br0: port 4(tap11) entering disabled state
    Jan 1 14:35:42 test user.info kernel: br0: port 4(tap11) entering disabled state

    Also, read packets show up as 0; all the rest look good. Chances are it's a firewall issue.
     
  76. zurk

    zurk Addicted to LI Member

    Also, after 48 hours I had scheduled a reconnect with my PPPoE provider. 1.27 refused to allow me to browse the web (but DNS queries and pings and traceroutes went through). Skype was also blocked. A reboot fixed it. Might have a firewall issue.
     
  77. baldrickturnip

    baldrickturnip LI Guru Member

    the normal upgrade path for 54GLs - admin , upgrade ,browse for firmware , upgrade.
    just remember to clear NVRAM after the upgrade.

    as you have a static IP at the office I would use the 54GL at that end as the server and use the 54GL at home as the client.

    the best option is to use the 54GL to control the modem at each end , though port forwarding ( port 1194 by default ) still works fine.

    download openVPN+GUI for windows to your windows machine and install.

    navigate to /program files/openvpn/easyrsa/ and open the readme.txt - you can also edit your vars.bat file here with notepad when instructed to

    then open a prompt - start, run, cmd - and navigate to your /program files/openvpn/easyrsa/ directory.

    follow the instructions in the readme file by typing the commands in the CLI box and all the keys and certs will be created in a directory keys ( though you can name it what you want in the vars.bat file ).

    when you run build-ca it will produce a ca.crt and ca.key file
    the ca.crt will be needed on both the servers and clients

    when you run build-dh it will produce a dh1024.pem file
    the dh1024 will be needed on the server

    when you run build-key-server <machine name> ( give a machine name ) it will produce a <machine name>.crt and <machine name>.key file which will be needed by your server

    when you run build-key <machine name> ( I also add -client1 etc. ) it will produce
    <machine name>.crt and <machine name>.key for client machines.

    run build-key to produce certs and keys for as many clients as you wish to use with the server. I normally do 5 clients.

    so I end up with myVPNservername-client1.crt and .key for client 1 to client5 in the keys directory.


    connect to your server 54GL , go to vpn tunneling , server - basic

    tick start with router
    interface type - tap
    protocol - udp
    client address pool - you can use the DHCP server on your server network to assign an IP to the clients that connect but I set aside a small pool of IPs outside the DHCP server range to assign to the clients when they connect.

    in advanced , tick manage client specific options and tick client to client

    in keys open the cert , key and dh files with notepad and copy and paste from ----- begin cert to end cert ----- into the relevant boxes.

    save , and click on start now back at the basic tab. - if the box changes to stop now it indicates your VPN server has successfully started.

    then connect to the 54GL that will be the client and go to vpntunneling , client 1

    tick start with router
    interface type - TAP
    protocol - UDP
    server address - your office static IP

    client 1 - keys

    open your client1 crt , key and ca.crt files with notepad and copy and paste the relevant bits into their respective boxes.

    save . - start now.

    you will need to make sure port 1194 of your vpn server 54GL is available to the internet and your winXP file server is behind the server 54GL.

    you will need to make sure your NAS is behind your client 54GL.

    hope that makes some sort of sense.

    I have meant to do a nice tutorial with screen grabs for this but always seem to be in a rush when I am setting up a new VPN server :D
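    The CA / server / client certificate procedure above, redone as an added shell example of my own (plain openssl rather than the easy-rsa batch files baldrickturnip uses; not code from this thread or from the mod). It produces the same files the Tomato key boxes want, verifies each cert against the CA before you paste anything, and marks the server cert with the serverAuth extendedKeyUsage so a client can add `remote-cert-tls server`; that is the check OpenVPN is complaining about in zurk's log line "No server certificate verification method has been enabled", and without it any valid client cert could be used to impersonate the server. The output directory, validity period, subject prefix and the CN values are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread and not easy-rsa: CA, server and client
# certs with plain openssl, each verified against the CA, and the server cert
# carrying extendedKeyUsage=serverAuth so clients can use `remote-cert-tls server`.
set -e
OUT=${OUT:-./keys}                   # assumed output dir, like easy-rsa's "keys"
DAYS=${DAYS:-3650}                   # assumed validity
SUBJ_BASE=${SUBJ_BASE:-/C=US/OU=IT}  # assumed; easy-rsa takes these from vars

# make_ca : self-signed CA. ca.crt goes to every server and client; ca.key to none.
# A private config file is used so the result does not depend on the system openssl.cnf.
make_ca() {
  mkdir -p "$OUT"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$OUT/openssl.cnf"
  openssl req -x509 -config "$OUT/openssl.cnf" -newkey rsa:2048 -nodes -days "$DAYS" \
    -subj "$SUBJ_BASE/CN=vpn-ca" -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
  chmod 600 "$OUT/ca.key"
}

# make_cert NAME ROLE : ROLE is "server" or "client". The extendedKeyUsage is
# what tells them apart, so a leaked client cert cannot be replayed as a server.
make_cert() {
  name=$1 role=$2
  case $role in
    server) eku=serverAuth ku=digitalSignature,keyEncipherment ;;
    client) eku=clientAuth ku=digitalSignature ;;
    *) echo "make_cert: role must be server or client" >&2; return 1 ;;
  esac
  openssl req -new -config "$OUT/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "$SUBJ_BASE/CN=$name" -keyout "$OUT/$name.key" -out "$OUT/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,%s\nextendedKeyUsage=%s\n' "$ku" "$eku" \
    > "$OUT/$name.ext"
  openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days "$DAYS" -extfile "$OUT/$name.ext" -out "$OUT/$name.crt" 2>/dev/null
  chmod 600 "$OUT/$name.key"
  rm -f "$OUT/$name.csr" "$OUT/$name.ext"
}

# verify_cert NAME : 0 only if NAME.crt chains to ca.crt (run before pasting into Tomato)
verify_cert() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/$1.crt" >/dev/null 2>&1
}

# cert_role NAME : server, client or unknown, read back from the signed cert's EKU
cert_role() {
  txt=$(openssl x509 -in "$OUT/$1.crt" -noout -text)
  case $txt in
    *"TLS Web Server Authentication"*) echo server ;;
    *"TLS Web Client Authentication"*) echo client ;;
    *) echo unknown ;;
  esac
}

# Usage: sh mkcerts.sh myVPNservername myVPNservername-client1 myVPNservername-client2
if [ $# -gt 0 ]; then
  make_ca
  make_cert "$1" server; shift
  for c in "$@"; do make_cert "$c" client; done
  for f in "$OUT"/*.crt; do
    n=${f##*/}; n=${n%.crt}
    [ "$n" = ca ] || verify_cert "$n" && echo "$n: $(cert_role "$n") OK"
  done
fi
```

The DH parameters the server tab also wants are not certificates, so they are not generated here; `openssl dhparam -out dh2048.pem 2048` is the equivalent of build-dh (the thread uses 1024 bits, which is the minimum worth using today). On the client side, if your build exposes a custom configuration box, `remote-cert-tls server` is the line that makes the client refuse any peer whose cert lacks the serverAuth EKU.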
     
  78. techmanblues

    techmanblues Network Guru Member

    Thank you so much for the instruction!

    Would this situation work with VPN? Sorry for being a noob here.

    Because I only want a particular PC (the file server) at work to be a member of the VPN network and not the rest of the PCs, this file server has 2 NICs.

    NIC#1 is 192.168.1.x/24
    NIC#2 is 192.168.2.x/24.

    The network at work is currently at 192.168.1.x/24.

    NIC#2 is plugged into the WRT54GL-TMVPN that is configured as 192.168.2.1/24 on its LAN side. The office has a Comcast modem that can assign 2 public static IPs with one currently being used for the other non-VPN router that is connected to the other PCs. I will assign the remaining second public IP to the WAN side of the WRT54GL-TMVPN from the same modem. The NIC#2 will be connected to this VPN router.

    OK, so can this setup work? The rationale is I do not want the other PCs to be part of this VPN except the file server in question. None of these PCs need to be connected to remotely so there is no need for them to have any VPN service.

    Alternatively, wouldn't it be easier to install the OpenVPN software on the file server at work and skip the WRT54GL-TMVPN altogether? That is, I will tell the OpenVPN software to use the NIC#2 as the NIC to communicate with VPN to the outside world and ignore the NIC#1. The reason I like to use the 54GL-TMVPN is I may in the future have another PC at work join the VPN. Therefore all I have to do is plug this PC into the tomato router and it's done. No need to install OpenVPN on this second PC.
     
  79. baldrickturnip

    baldrickturnip LI Guru Member

    ok - run the server at home on a 54GL and use dyndns to update as its IP changes.

    on the windows machine at the office , install openvpn+gui , generate your certs and keys and put a copy of the cert authority , client cert and client key in the openvpn/config directory and copy client.ovpn from the sample-config dir to the config dir. rename client.ovpn to <machine name>.ovpn and open it with notepad. edit the ovpn config to set it to TAP , change the server to your dyndns address and port , and rename the ca.crt , client.crt and client.key to what you have in your config dir. save.

    then the windows machine should be able to connect as a client to the openVPN server at your home and with client to client enabled you should have bidirectional comms between it and the NAS
     
  80. toolbox

    toolbox Addicted to LI Member

    As reported by others, the start/stop state of VPN does not seem to be kept between restarts. In my case, I have been running tomato-1.27-NDU SB-8741-vpn3.4 for almost a month on an Asus WL-520gU. After each restart, I have to go in and restart the VPN. I don't recall I needed to do that with the previous version of the firmware. Is there a script I can add so it will "kick start it" if it doesn't start by itself at router restart?
    Thanks.
     
  81. Low-WRT

    Low-WRT LI Guru Member

    This may help you:
     
  82. ladiabla

    ladiabla Addicted to LI Member

    re: SgtPepperKSU
    Thanks for your quick response! Much appreciated.
    I look forward trying your mod's new release when its ready.

    -Kym
     
  83. tomtom

    tomtom Addicted to LI Member

    Me too. Sgt Pepper: Any idea when v.127vpn3.5 build might be ready?
    Thanks
     
  84. anik

    anik Addicted to LI Member

    This is probably something really simple, but it eludes me. For some reason, it seems that other devices on the "WAN" side of the local network can't see or connect to the Tomato router. In this case, the WAN specs are as follows:

    Connection Type: DHCP
    IP Address: 192.168.10.100
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.10.1
    DNS: 192.168.10.1
    MTU: 1500

    The problem is, if I go to another computer on the 192.168.10.x network and try to ping 192.168.10.100, I get no response at all. Someone said I should try an "arp -a -N 192.168.10.100" command, and this is what I got:

    $ arp -a -N 192.168.10.100
    arp: -N not yet supported.
    ? (192.168.10.100) at xx:xx:xx:xx:xx:xx [ether] on eth0

    (Where xx:xx:xx:xx:xx:xx IS the correct MAC address of the Tomato router).

    But if I do a PING...

    $ ping 192.168.10.100
    PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
    ^C
    --- 192.168.10.100 ping statistics ---
    12 packets transmitted, 0 received, 100% packet loss, time 11043ms

    It's NOT an issue with not being able to ping anything on the local network… for example, if I do this (ping a different device on the local network):

    $ ping 192.168.10.2
    PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
    64 bytes from 192.168.10.2: icmp_seq=1 ttl=250 time=0.863 ms
    64 bytes from 192.168.10.2: icmp_seq=2 ttl=250 time=0.812 ms
    64 bytes from 192.168.10.2: icmp_seq=3 ttl=250 time=1.02 ms
    64 bytes from 192.168.10.2: icmp_seq=4 ttl=250 time=0.847 ms
    64 bytes from 192.168.10.2: icmp_seq=5 ttl=250 time=1.01 ms
    ^C
    --- 192.168.10.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4015ms
    rtt min/avg/max/mdev = 0.812/0.911/1.026/0.094 ms

    … then it works fine. So it's only the Tomato Router on 192.168.0.100 that is non-responsive.

    One other point, if I SSH into the Tomato router itself (from the opposite end of the VPN tunnel) then it can ping itself:

    # ping 192.168.10.100
    PING 192.168.10.100 (192.168.10.100): 56 data bytes
    64 bytes from 192.168.10.100: seq=0 ttl=64 time=1.323 ms
    64 bytes from 192.168.10.100: seq=1 ttl=64 time=0.879 ms
    64 bytes from 192.168.10.100: seq=2 ttl=64 time=0.899 ms
    64 bytes from 192.168.10.100: seq=3 ttl=64 time=0.881 ms
    64 bytes from 192.168.10.100: seq=4 ttl=64 time=0.875 ms

    --- 192.168.10.100 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 0.875/0.971/1.323 ms

    … so it's not an issue with ping not working (at least I don't think so).

    One other point: If, while I am ssh'd into the Tomato router from the opposite side of the tunnel, I do this:

    # iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere
    DROP 0 -- anywhere 192.168.10.100
    DROP 0 -- anywhere anywhere state INVALID
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
    shlimit tcp -- anywhere anywhere tcp dpt:telnet state NEW
    ACCEPT 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere
    ACCEPT tcp -- anywhere Tomato tcp dpt:https

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere
    DROP 0 -- anywhere anywhere state INVALID
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    wanin 0 -- anywhere anywhere
    wanout 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain shlimit (2 references)
    target prot opt source destination
    0 -- anywhere anywhere recent: SET name: shlimit side: source
    DROP 0 -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source

    Chain wanin (1 references)
    target prot opt source destination

    Chain wanout (1 references)
    target prot opt source destination

    … the above is the output that I get. I do NOT understand much of anything about iptables and in particular, I don't know if this line…

    DROP 0 -- anywhere 192.168.10.100

    … is the one causing this problem. But if it is, I have no idea how it got set that way. If anyone could shed any light on this subject, I'd much appreciate it!
     
  85. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The default setting for Tomato is not to respond to pings from WAN. There is a setting to change that in Advanced->Firewall.
     
  86. anik

    anik Addicted to LI Member

    SgtPepperKSU, thanks for the quick response. That is half the battle. Now here's where I was really going with this. What I want to do is route traffic from selected devices on the WAN side of the Tomato router to the subnet on the opposite side of the VPN tunnel. As a simple example, if I have a Linux-based device on 192.168.10.3 (remember the WAN side of the Tomato router is 192.168.10.100) and I want to access just a couple of devices on the other side of the tunnel (say at 192.168.0.7 and 192.168.0.8) it would SEEM like I should be able to do this at the Linux device at 192.168.10.3:

    $ sudo route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.10.100 eth0

    After that, if I enter the route command on that device, I get this:

    $ route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.0.0 192.168.10.100 255.255.255.0 UG 0 0 0 eth0
    192.168.10.0 * 255.255.255.0 U 1 0 0 eth0
    link-local * 255.255.0.0 U 1000 0 0 eth0
    default 192.168.10.1 0.0.0.0 UG 0 0 0 eth0

    … so it would SEEM that any traffic destined for the 192.168.0.x subnet (on the other side of the tunnel) should go through. But…

    $ ping 192.168.0.8
    PING 192.168.0.8 (192.168.0.8) 56(84) bytes of data.
    ^C
    --- 192.168.0.8 ping statistics ---
    6 packets transmitted, 0 received, 100% packet loss, time 5016ms

    BUT if I issue the exact same PING command from the Tomato router itself...

    # ping 192.168.0.8
    PING 192.168.0.8 (192.168.0.8): 56 data bytes
    64 bytes from 192.168.0.8: seq=0 ttl=249 time=74.883 ms
    64 bytes from 192.168.0.8: seq=1 ttl=249 time=70.263 ms
    64 bytes from 192.168.0.8: seq=2 ttl=249 time=70.287 ms

    --- 192.168.0.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 70.263/71.811/74.883 ms

    Here are the firewall settings in the Tomato router:

    Respond to ICMP ping (checked, to enable pings)
    Allow multicast (NOT checked)
    NAT Loopback (Forwarded Only)
    Enable SYN cookies (NOT checked)
    NAT Target (MASQUERADE)

    Do I need to change anything else there, or is there some other issue?

    Note that I can go through the tunnel in the reverse direction just fine - from the opposite end I can connect to anything in the 192.168.10.x network range. I'm just wanting it to work from the Tomato router end to the opposite end of the tunnel, but ONLY for traffic to the 192.168.0.x network, and for machines on the WAN side of the Tomato Router. Things connected to the LAN side of the router can connect to the 192.168.0.x network just fine, but those devices would also connect to the Internet through the tunnel if they had any 'net traffic. For devices on the WAN side of the Tomato router, we only want them to use the tunnel for traffic to the 192.168.0.x subnet, and that's it (hope this isn't too confusing)! Is that even possible?
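    Before touching the router's firewall it is worth confirming what the host itself does with the packet. The Python script below is an added example, not code from this thread or from Tomato; it parses the `route` output quoted above (reproduced here as constructed sample input) and performs the same longest-prefix match the kernel does. 192.168.0.8 resolves to the Tomato router at 192.168.10.100 on eth0, so the host is already handing the packet to the right place and the 100% loss has to be explained further along the path.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample input: the `route` output quoted in the post above.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     192.168.10.100  255.255.255.0   UG    0      0        0 eth0
192.168.10.0    *               255.255.255.0   U     1      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.10.1    0.0.0.0         UG    0      0        0 eth0
"""

# Symbolic destinations that `route` prints in place of addresses.
SYMBOLIC = {"default": "0.0.0.0", "link-local": "169.254.0.0"}


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    metric: int
    iface: str


def parse_routes(text: str) -> List[Route]:
    """Parse the table printed by net-tools `route` into Route entries."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title line and the column header.
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        network = ipaddress.IPv4Network((SYMBOLIC.get(dest, dest), mask), strict=False)
        gateway = None if gw == "*" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric as tie-breaker (what the kernel does)."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: List[Route], destination: str) -> str:
    """Human-readable next hop: 'via <gw> dev <iface>' or 'directly on <iface>'."""
    route = lookup(routes, destination)
    if route is None:
        return "unreachable (no matching route)"
    if route.gateway is None:
        return f"directly on {route.iface}"
    return f"via {route.gateway} dev {route.iface}"


if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    for dst in ("192.168.0.8", "192.168.10.3", "8.8.8.8"):
        print(f"{dst:15} -> {next_hop(table, dst)}")
```

    Run it against the output of `route` on the host in question; if the destination resolves to the expected gateway but the pings still time out, the drop is happening on that gateway (its forwarding or NAT rules) or beyond, not on the host.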
     
  87. anik

    anik Addicted to LI Member

    P.S. If you saw the above message in the first ten minutes or so after I posted it, you probably couldn't read it. It's fixed now, but I forgot you can't use square brackets in a post or it eats all the linefeeds! Sorry.
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, to do that you'll need to open a hole for it in the firewall. I think the following in your router firewall script should do it:
    Code:
    iptables -t nat -I PREROUTING  -s 192.168.10.3 -d 192.168.0.0/24 -j ACCEPT
    iptables -t filter -A wanin -s 192.168.10.3 -d 192.168.0.0/24 -j ACCEPT
    The first allows it to even be considered for routing, the second allows it to be forwarded from WAN to VPN.

    EDIT: Also, the other end of the VPN doesn't know about the 192.168.10.0/24 subnet, so it won't know how to send the reply packets back. Unless it is redirecting all of its internet-bound traffic over the tunnel, you'll need to add a route on the VPN-client router telling it to use the VPN-server as a gateway for that subnet. If the VPN client isn't also the default gateway for 192.168.0.7-8 (i.e., you're not using TomatoVPN as the VPN client or the network topology is complex), a couple of routes will need to be added, but it's doable.

    EDIT2: ugh. You'll also need to open up the firewall to allow the return traffic to be forwarded from VPN to WAN (there's already a rule for LAN to WAN, so I forgot about this):
    Code:
    iptables -t filter -A wanout -s 192.168.0.0/24 -d 192.168.10.3 -j ACCEPT
     
  89. baldrickturnip

    baldrickturnip LI Guru Member

    Would it be easier to set up a VPN client on the 192.168.10.3 device to connect to the VPN server on 192.168.1.100, tick client-to-client, and then the 10.3 will see all devices on the VPN subnet, and vice versa?

    Good to see you back Keith, hope you had a good holiday.
     
  90. anik

    anik Addicted to LI Member

    SgtPepperKSU, thanks for your help. I would never have figured out the iptables stuff! It worked great, although I did open it up for the entire subnet rather than just a single machine:

    iptables -t nat -I PREROUTING -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
    iptables -t filter -A wanin -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
    iptables -t filter -A wanout -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT

    A couple of notes for anyone else trying this - here are sample route statements (note these do NOT survive a reboot; I haven't figured that part out) for a Mac and for a Linux box, to make them pass traffic for the 192.168.0.x net through the Tomato router at 192.168.10.100:

    Mac OS X: sudo route add -net 192.168.0.0 -netmask 255.255.255.0 192.168.10.100
    Linux: sudo route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.10.100 eth0

    Also on a Mac, if you want to see a share on the other network, use Finder's "Go" menu and enter the machine on the other network in this form (using the correct IP address, not the one shown, and yes, the :139 is sometimes important):
    smb://192.168.0.2:139

    Thanks again for the help!
     
  91. bobapoka

    bobapoka Addicted to LI Member

    VPN established, but won't route

    Hello, trying to get communication between 2 sites.

    LAN on server site - 192.168.96.0/24, server is a CentOS PC
    LAN on client site - 192.168.30.0/24, client is Tomato on an Asus 520gu

    The VPN seems to be up, but somehow I don't see any traffic originating from the Tomato router. Below are the status and config; can someone advise what I did wrong?

    Just want to add, I had the exact same setup working fine with the same CentOS server and a pfSense box as client - but it's not working using Tomato as the client...


    - status from tomato router, vpn client side -
    Name                    Value
    TUN/TAP read bytes      1443
    TUN/TAP write bytes     0        <<<<<<<<< always 0
    TCP/UDP read bytes      3848
    TCP/UDP write bytes     4584
    Auth read bytes         0
    pre-compress bytes      0
    post-compress bytes     0
    pre-decompress bytes    0
    post-decompress bytes   0


    Current Routing Table
    Destination      Gateway          Subnet Mask       Metric  Interface
    x.x.x.x          *                255.255.255.255   0       ppp0
    192.168.200.21   *                255.255.255.255   0       tun11
    192.168.200.0    192.168.200.21   255.255.255.224   0       tun11
    192.168.96.0     192.168.200.21   255.255.255.0     0       tun11
    192.168.30.0     *                255.255.255.0     0       br0 (LAN)
    127.0.0.0        *                255.0.0.0         0       lo
    default          x.x.x.x          0.0.0.0           0       ppp0


    // config on tomato, openvpn client //
    root@tomato:/tmp/etc/openvpn/client1# more config.ovpn
    # Automatically generated configuration
    daemon
    client
    dev tun11
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    resolv-retry 30
    nobind
    persist-key
    persist-tun
    comp-lzo no
    verb 3
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status

    # Custom Configuration
    keepalive 10 30
    float
    tun-mtu 1450
    mssfix 1400


    // openvpn server config //
    root@pbx:/etc/openvpn $ more server.conf
    port 1194
    proto udp
    dev tun
    tun-mtu 1450
    mssfix 1400
    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/server.crt
    key easy-rsa/keys/server.key
    dh easy-rsa/keys/dh1024.pem
    server 192.168.200.0 255.255.255.224
    ifconfig-pool-persist ipp.txt
    push "route 192.168.96.0 255.255.255.0"
    client-config-dir ccd
    route 192.168.30.0 255.255.255.0
    client-to-client
    push "route 192.168.30.0 255.255.255.0"
    keepalive 30 120
    #comp-lzo
    max-clients 5
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log-append openvpn.log
    verb 4
    management localhost 7505
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, I'll assume you have your client-config-dir set up correctly with the proper routes for the client LAN, or you have the NAT selection on the client router. If you don't have either of these, it will not work.

    When you say "I don't see any traffic originated from the tomato router", are you expecting internet-bound traffic to be sent over the tunnel (you don't have that option selected) or just traffic bound for the server LAN?
     
  93. bobapoka

    bobapoka Addicted to LI Member

    hello SgtPepperKSU, thanks for the reply.

    Yes, I think I do have the LAN segment for the client side specified, as shown below. I've also attached the status log from the server.
    And no internet traffic is involved, just the traffic bound for the server LAN.

    pfsense is just the common name I am using for the Tomato Asus 520gu.

    Do you see any issue with my setup?


    root@pbx:/etc/openvpn/ccd $ ls
    pfsense

    root@pbx:/etc/openvpn/ccd $ more pfsense
    iroute 192.168.30.0 255.255.255.0

    root@pbx:/etc/openvpn $ more openvpn-status.log
    OpenVPN CLIENT LIST
    Updated,Wed Jan 13 09:01:18 2010
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    user1,xxx.xxx.xxx.xxx:1420,60036,142230,Wed Jan 13 08:55:50 2010
    pfsense,xxx.xxx.xxx.xxx:2063,43124295,1194403,Tue Jan 12 22:52:24 2010
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    192.168.30.0/24,pfsense,xxx.xxx.xxx.xxx:2063,Tue Jan 12 22:52:26 2010 <<<< lan segment for client side
    192.168.200.18,user1,xxx.xxx.xxx.xxx:1420,Wed Jan 13 09:01:08 2010
    192.168.200.22,pfsense,xxx.xxx.xxx.xxx:2063,Tue Jan 12 22:52:26 2010 <<<< vpn ip addr assigned
    GLOBAL STATS
    Max bcast/mcast queue length,1
    END
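    The status file posted above is OpenVPN's version 1 CSV layout (what a plain `status openvpn-status.log` line produces when no `status-version` is set). The Python script below is an added example, not code from this thread or from OpenVPN; it parses that layout into one record per common name and answers the question being asked here, namely whether the server's internal routing table carries the client's LAN behind that common name. The sample input reproduces the posted file with constructed documentation-range addresses in place of the masked ones.

```python
import csv
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the posted status log with the masked real addresses
# replaced by documentation-range (TEST-NET) addresses.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Wed Jan 13 09:01:18 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user1,198.51.100.10:1420,60036,142230,Wed Jan 13 08:55:50 2010
pfsense,203.0.113.5:2063,43124295,1194403,Tue Jan 12 22:52:24 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.30.0/24,pfsense,203.0.113.5:2063,Tue Jan 12 22:52:26 2010
192.168.200.18,user1,198.51.100.10:1420,Wed Jan 13 09:01:08 2010
192.168.200.22,pfsense,203.0.113.5:2063,Tue Jan 12 22:52:26 2010
GLOBAL STATS
Max bcast/mcast queue length,1
END
"""


@dataclass
class Client:
    real_address: str
    bytes_received: int = 0
    bytes_sent: int = 0
    connected_since: str = ""
    virtual_addresses: List[str] = field(default_factory=list)  # tunnel IPs
    lan_routes: List[str] = field(default_factory=list)  # iroute networks (have a /prefix)


SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS")
COLUMN_HEADERS = ("Common Name", "Virtual Address")


def parse_status_v1(text: str) -> Dict[str, Client]:
    """Parse OpenVPN status-version 1 output into {common_name: Client}."""
    clients: Dict[str, Client] = {}
    section = None
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        head = row[0]
        if head in SECTION_HEADERS:
            section = head
            continue
        if head in ("END", "Updated") or head in COLUMN_HEADERS:
            continue
        if section == "OpenVPN CLIENT LIST" and len(row) >= 5:
            name, real, rx, tx, since = row[:5]
            clients[name] = Client(real, int(rx), int(tx), since)
        elif section == "ROUTING TABLE" and len(row) >= 4:
            vaddr, name, real, _last_ref = row[:4]
            client = clients.setdefault(name, Client(real))
            # Networks learned via iroute carry a prefix; plain tunnel IPs do not.
            (client.lan_routes if "/" in vaddr else client.virtual_addresses).append(vaddr)
    return clients


def has_lan_route(clients: Dict[str, Client], common_name: str, lan: str) -> bool:
    """True if the server's OpenVPN routing table has `lan` behind `common_name`."""
    client = clients.get(common_name)
    return client is not None and lan in client.lan_routes


if __name__ == "__main__":
    table = parse_status_v1(STATUS_LOG)
    for name, c in table.items():
        print(f"{name}: tunnel {c.virtual_addresses}, LANs {c.lan_routes}")
    print("pfsense LAN known:", has_lan_route(table, "pfsense", "192.168.30.0/24"))
```

    A hit from `has_lan_route` only proves the OpenVPN-internal table (the iroute). The kernel's own route for that LAN and the far end's routing and firewall are separate things to check, which is the distinction drawn later in this thread.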
     
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think you might need a "route" line along with your "iroute" line to put the client subnet in the system routing table, instead of just the OpenVPN internal routing table.
     
  95. bobapoka

    bobapoka Addicted to LI Member

    Thanks again for the reply.

    Do you mean like this? I just tried it and I don't see any changes (restarted the openvpn process on both ends).

    'route 192.168.30.0 255.255.255.0' is already added into the server.conf on the server side.


    root@pbx:/etc/openvpn/ccd $ more pfsense
    iroute 192.168.30.0 255.255.255.0
    route 192.168.30.0 255.255.255.0


    root@pbx:/etc/openvpn/ccd $ netstat -r
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.200.2   *               255.255.255.255 UH        0 0          0 tun0
    192.168.200.0   192.168.200.2   255.255.255.224 UG        0 0          0 tun0
    192.168.96.0    *               255.255.255.0   U         0 0          0 eth0
    192.168.30.0    192.168.200.2   255.255.255.0   UG        0 0          0 tun0
    169.254.0.0     *               255.255.0.0     U         0 0          0 eth0
    default         192.168.96.1    0.0.0.0         UG        0 0          0 eth0
     
  96. bobapoka

    bobapoka Addicted to LI Member

    Still trying to get it to work... Today I noticed I am getting a lot of warning messages on the server side when trying to connect to the Tomato router.

    Do the warning messages matter? The config files look identical to me....


    // log from server //
    Thu Jan 14 16:34:59 2010 us=395847 pfsense/xx.xx.xx.xx:2052 TLS: new session incoming connection from xx.xx.xx.xx:2052
    Thu Jan 14 16:35:00 2010 us=580491 pfsense/xx.xx.xx.xx:2052 VERIFY OK: ...
    Thu Jan 14 16:35:00 2010 us=580768 pfsense/xx.xx.xx.xx:2052 VERIFY OK: ...
    Thu Jan 14 16:35:00 2010 us=635499 pfsense/xx.xx.xx.xx:2052 NOTE: Options consistency check may be skewed by version differences
    Thu Jan 14 16:35:00 2010 us=635529 pfsense/xx.xx.xx.xx:2052 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
    Thu Jan 14 16:35:00 2010 us=635550 pfsense/xx.xx.xx.xx:2052 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
    Thu Jan 14 16:35:00 2010 us=635571 pfsense/xx.xx.xx.xx:2052 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1491'
    Thu Jan 14 16:35:00 2010 us=635590 pfsense/xx.xx.xx.xx:2052 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1450'
    Thu Jan 14 16:35:00 2010 us=635610 pfsense/xx.xx.xx.xx:2052 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
    Thu Jan 14 16:35:00 2010 us=635629 pfsense/xx.xx.xx.xx:2052 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
    Thu Jan 14 16:35:00 2010 us=635648 pfsense/xx.xx.xx.xx:2052 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
    Thu Jan 14 16:35:00 2010 us=635669 pfsense/xx.xx.xx.xx:2052 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
    Thu Jan 14 16:35:00 2010 us=635689 pfsense/xx.xx.xx.xx:2052 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
    Thu Jan 14 16:35:00 2010 us=635708 pfsense/xx.xx.xx.xx:2052 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
    Thu Jan 14 16:35:00 2010 us=636016 pfsense/xx.xx.xx.xx:2052 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Jan 14 16:35:00 2010 us=636038 pfsense/xx.xx.xx.xx:2052 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jan 14 16:35:00 2010 us=636122 pfsense/xx.xx.xx.xx:2052 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Jan 14 16:35:00 2010 us=636142 pfsense/xx.xx.xx.xx:2052 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jan 14 16:35:00 2010 us=636202 pfsense/xx.xx.xx.xx:2052 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
    Thu Jan 14 16:35:00 2010 us=636388 pfsense/xx.xx.xx.xx:2052 TLS: tls_multi_process: untrusted session promoted to trusted
    Thu Jan 14 16:35:00 2010 us=678570 pfsense/xx.xx.xx.xx:2052 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Thu Jan 14 16:35:01 2010 us=868588 pfsense/xx.xx.xx.xx:2052 PUSH: Received control message: 'PUSH_REQUEST'
    Thu Jan 14 16:35:01 2010 us=868684 pfsense/xx.xx.xx.xx:2052 SENT CONTROL [pfsense]: 'PUSH_REPLY,route 192.168.96.0 255.255.255.0,route 192.168.200.0 255.255.255.224,ping 30,ping-restart 120,ifconfig 192.168.200.22 192.168.200.21' (status=1)
    Thu Jan 14 16:39:55 2010 us=573250 pfsense/xx.xx.xx.xx:2052 [pfsense] Inactivity timeout (--ping-restart), restarting
    Thu Jan 14 16:39:55 2010 us=573296 pfsense/xx.xx.xx.xx:2052 SIGUSR1[soft,ping-restart] received, client-instance restarting


    // log from tomato //
    Jan 14 16:34:59 pfsense daemon.warn openvpn[112]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: Re-using SSL/TLS context
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: LZO compression initialized
    Jan 14 16:34:59 pfsense daemon.warn openvpn[112]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1450)
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: Control Channel MTU parms [ L:1492 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: Data Channel MTU parms [ L:1492 D:1400 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: UDPv4 link local: [undef]
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: UDPv4 link remote: yy.yy.yy.yy:1181
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: TLS: Initial packet from yy.yy.yy.yy:1181, sid=ab057317 1d5c0feb
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: VERIFY OK: ...
    Jan 14 16:34:59 pfsense daemon.notice openvpn[112]: VERIFY OK: ...
    Jan 14 16:35:00 pfsense daemon.notice openvpn[112]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 14 16:35:00 pfsense daemon.notice openvpn[112]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 14 16:35:00 pfsense daemon.notice openvpn[112]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 14 16:35:00 pfsense daemon.notice openvpn[112]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 14 16:35:00 pfsense daemon.notice openvpn[112]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Jan 14 16:35:00 pfsense daemon.notice openvpn[112]: [mypbx_anh] Peer Connection Initiated with yy.yy.yy.yy:1181
    Jan 14 16:35:02 pfsense daemon.notice openvpn[112]: SENT CONTROL [mypbx_anh]: 'PUSH_REQUEST' (status=1)
    Jan 14 16:35:02 pfsense daemon.notice openvpn[112]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.96.0 255.255.255.0,route 192.168.200.0 255.255.255.224,ping 30,ping-restart 120,ifconfig 192.168.200.22 192.168.200.21'
    Jan 14 16:35:02 pfsense daemon.notice openvpn[112]: OPTIONS IMPORT: timers and/or timeouts modified
    Jan 14 16:35:02 pfsense daemon.notice openvpn[112]: OPTIONS IMPORT: --ifconfig/up options modified
    Jan 14 16:35:02 pfsense daemon.notice openvpn[112]: OPTIONS IMPORT: route options modified
    Jan 14 16:35:02 pfsense daemon.notice openvpn[112]: Preserving previous TUN/TAP instance: tun11
    Jan 14 16:35:02 pfsense daemon.notice openvpn[112]: Initialization Sequence Completed
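    Read one line at a time, the server log above is mostly noise; for triage what matters is which options differ per peer and whether the tunnel is being torn down. The Python script below is an added example, not code from this thread or from OpenVPN: it folds the options-consistency WARNING lines into one digest per common name and counts `--ping-restart` events. The sample log reproduces the posted server lines with the masked address replaced by a constructed documentation-range address.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

# Constructed sample: the posted server log, masked address replaced by TEST-NET.
SERVER_LOG = """\
Thu Jan 14 16:34:59 2010 us=395847 pfsense/203.0.113.5:2052 TLS: new session incoming connection from 203.0.113.5:2052
Thu Jan 14 16:35:00 2010 us=635499 pfsense/203.0.113.5:2052 NOTE: Options consistency check may be skewed by version differences
Thu Jan 14 16:35:00 2010 us=635529 pfsense/203.0.113.5:2052 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Thu Jan 14 16:35:00 2010 us=635550 pfsense/203.0.113.5:2052 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Thu Jan 14 16:35:00 2010 us=635571 pfsense/203.0.113.5:2052 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1491'
Thu Jan 14 16:35:00 2010 us=635590 pfsense/203.0.113.5:2052 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1450'
Thu Jan 14 16:35:00 2010 us=635610 pfsense/203.0.113.5:2052 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Thu Jan 14 16:35:00 2010 us=635629 pfsense/203.0.113.5:2052 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Thu Jan 14 16:35:00 2010 us=635648 pfsense/203.0.113.5:2052 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Thu Jan 14 16:35:00 2010 us=635669 pfsense/203.0.113.5:2052 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Thu Jan 14 16:35:00 2010 us=635689 pfsense/203.0.113.5:2052 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Thu Jan 14 16:35:00 2010 us=635708 pfsense/203.0.113.5:2052 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Thu Jan 14 16:35:00 2010 us=636388 pfsense/203.0.113.5:2052 TLS: tls_multi_process: untrusted session promoted to trusted
Thu Jan 14 16:39:55 2010 us=573250 pfsense/203.0.113.5:2052 [pfsense] Inactivity timeout (--ping-restart), restarting
Thu Jan 14 16:39:55 2010 us=573296 pfsense/203.0.113.5:2052 SIGUSR1[soft,ping-restart] received, client-instance restarting
"""

# "Thu Jan 14 16:35:00 2010 us=635529 <cn>/<ip>:<port> <message>"
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} us=\d+ (?P<cn>[^/\s]+)/(?P<addr>\S+) (?P<msg>.*)$"
)
MISSING_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is present in local config but missing in remote config, local='(?P<local>[^']*)'"
)
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
PING_RESTART = "Inactivity timeout (--ping-restart)"
SKEWED = "Options consistency check may be skewed"


@dataclass
class PeerReport:
    real_address: str
    missing_remote: Dict[str, str] = field(default_factory=dict)  # opt -> local value
    inconsistent: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # opt -> (local, remote)
    ping_restarts: int = 0
    skewed_check: bool = False  # server said the comparison may be unreliable


def analyze(lines: Iterable[str]) -> Dict[str, PeerReport]:
    """Fold per-peer OpenVPN server log lines into one PeerReport per common name."""
    reports: Dict[str, PeerReport] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a peer prefix (startup messages etc.)
        report = reports.setdefault(m["cn"], PeerReport(m["addr"]))
        msg = m["msg"]
        w = MISSING_RE.search(msg)
        if w:
            report.missing_remote[w["opt"]] = w["local"]
            continue
        w = INCONSISTENT_RE.search(msg)
        if w:
            report.inconsistent[w["opt"]] = (w["local"], w["remote"])
            continue
        if PING_RESTART in msg:
            report.ping_restarts += 1
        elif SKEWED in msg:
            report.skewed_check = True
    return reports


def summarize(report: PeerReport) -> str:
    """One-line digest of a PeerReport."""
    parts = [f"{len(report.missing_remote)} option(s) missing on remote",
             f"{len(report.inconsistent)} inconsistent",
             f"{report.ping_restarts} ping-restart(s)"]
    if report.skewed_check:
        parts.append("consistency check flagged as possibly skewed")
    return "; ".join(parts)


if __name__ == "__main__":
    for cn, rep in analyze(SERVER_LOG.splitlines()).items():
        print(f"{cn} ({rep.real_address}): {summarize(rep)}")
        for opt, (local, remote) in rep.inconsistent.items():
            print(f"  {opt}: local={local!r} remote={remote!r}")
```

    The digest keeps the server's own caveat visible: when the remote side reports `version V0 UNDEF`, the "missing in remote config" list says the comparison could not be made rather than that each of those options is actually absent on the client, so the ping-restart count is the more reliable signal that the data channel is not passing traffic.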
     
  97. jmcgee

    jmcgee Guest

    which version for Buffalo WHR-G54S

    I would like to gain VPN access to my home network, but I'm confused about which version to upgrade to on my Buffalo WHR-G54S.

    There are 5 different versions of binaries in the tomatovpn-1.25vpn3.4 file, and none match my model number. I just don't want to brick the thing.

    Edit: I figured out it was tomato.trx. Never mind.
     
  98. rviteri

    rviteri Addicted to LI Member

    Hi, great work on this mod; it works very, very well. I've been using it for a few months for routing different networks.

    Is it possible to release a version with ebtables compiled into the kernel?

    It would be most desirable to block DHCP and other broadcast traffic through the tunnel; this way it would be possible to have local DHCP servers serving different IP ranges within the same subnet, and still be able to use services that rely on broadcast traffic.
     
  99. koham

    koham Addicted to LI Member

    Hi.

    I'm trying to set up a VPN with TomatoVPN, but I can't generate a certificate.
    I've followed the OpenVPN howto, but I can't find the easy-rsa or build-ca tools on my router through SSH access.

    The howto says to look for them in /usr/share/... but there is no /usr/share folder in the folder tree.
    So, where can I find them in order to generate the certificate?
    Do I have to create it on another computer and then copy the created /etc/openvpn file to the router?

    Thanks.
     
  100. baldrickturnip

    baldrickturnip LI Guru Member

    You do the generation of certs, keys, and DH params on your computer.

    If you install OpenVPN on a Windows machine there will be an easy-rsa folder in C:\program files\openvpn.
     
