VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. koham

    koham Addicted to LI Member

    Ok, I thought my Linksys would be the OpenVPN server and offer me the possibility to connect to all the computers of my LAN which are behind it.

    So, I have to install and set up an OpenVPN server on the computer I want to connect to (in my LAN), and TomatoVPN will just help me to set up my Linksys in order to make that VPN connection possible, right?

    Sorry if that seems a basic question to some of you, but it will help me to have a clear answer about it.

    Thanks a lot.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, your router will still be the OpenVPN server. It's just that the tools for generating the keys are not included in the firmware. You just need to install OpenVPN, use the easy-rsa tools to generate keys, copy them to the router GUI, then you're free to uninstall OpenVPN.
     
  3. ahunor

    ahunor Addicted to LI Member

    EDIT: A few seconds too late, SgtPepperKSU answered it already.
     
  4. rviteri

    rviteri Addicted to LI Member

    Any ideas about ebtables?
     
  5. koham

    koham Addicted to LI Member

    That's awesome, thanks a lot !
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I won't be adding it, but would pick it up if it made it into Tomato. In fact, it was in a release or two, but caused enough problems that it was pulled back out...
     
  7. groosh

    groosh Addicted to LI Member

    Just curious if there is a newer test build that I could run... right now I have not had any problems, in my setup, with the code you posted late December.

    Thank you again for all of your work.
     
  8. Bukkit

    Bukkit Addicted to LI Member

    Hi,

    it's just time to say thanks for this stable firmware.

    I'm using
    Code:
    Tomato Firmware v1.25vpn3.4.4a8380cb
    and it's running fine:
    Code:
    Uptime	88 days, 17:48:34
    I have configured an openvpn server and a client.

    The OpenVPN client reconnects every day (after my forced IP change from the ISP) to my Internet server and the tunnel route is always ready to use. Can't remember right now when I had to fix, restart or change anything on either of the systems.

    My openvpn Server allows me to connect from work into my home-network.
    The same here: it always works.

    Good work!
     
  9. baldrickturnip

    baldrickturnip LI Guru Member

    When I start/stop a VPN client or server I am seeing the wifi drop off.

    Is this normal? I am seeing this in the device list as all the devices come back to the list.
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Do the devices actually see a drop off? Depending on your settings the dnsmasq service can be restarted, which may clear them out of the device list. However, that doesn't mean that they are being disconnected.
     
  11. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Like Bukkit said, I've also been running your MOD without problems for a couple of months.
    Now I'm trying to set up an OpenVPN Server<->Client between your MOD and the latest DD-WRT preSP2 build. Do you have any experience setting up the DD-WRT VPN build? I'd like to keep your Route/DHCP push/DNS redirect/Firewall customization on DD-WRT, but how to?
    Thanks in advance, and I can't wait for you to announce the 1.27 MOD......
     
  12. baldrickturnip

    baldrickturnip LI Guru Member

    thanks - that could explain it

    I am not on site and unable to physically test it. I had just noticed it when I was making some changes.
     
  13. rs232

    rs232 Network Guru Member

    I appreciate the fact that the GUI is restricted to 2 server and 2 client configs, but on one of my routers I just need 3 server configs with no client config at all.
    I'm not asking to change the GUI for me :) but can anybody direct me on how to have a third server process running on my router?

    What I did so far is:
    1) cd /tmp/etc/openvpn
    2) created file fw/server3-fw.sh with the right port number
    3) Created server3 directory into
    4) Created server3/config.ovpn, static.key
    5) Created symbolic link between /tmp/etc/openvpn/server3 and /usr/sbin/openvpn

    I guess I can achieve the steps above automatically with a (long!) init script :)

    Would this work, and how do I start the server3 process?



    BTW I've been using version 3.5 and so far it has been working very well.

    Thanks!
    rs232
     
  14. koham

    koham Addicted to LI Member

    Hello.

    So, I've been able to set up the VPN and it works fine!

    Just a question: where are the OpenVPN configuration and key files stored on my router?

    For example, I'm testing the configuration, and I can't access my VPN anymore, so I would like to connect to it through SSH and modify the conf file directly, but I can't find it on my root.

    Is the only access to it through the Tomato web page?

    Thanks.
     
  15. TurtleFang

    TurtleFang Addicted to LI Member

    /etc/openvpn

    There is a separate directory for each server and a "fw" directory with the script generated to update your iptables.

    Hope this helps,
    -TurtleFang
     
  16. koham

    koham Addicted to LI Member

    Yes, of course.. stupid question.
    Thanks !
     
  17. koham

    koham Addicted to LI Member

    Hi again

    I do have a few more questions about TomatoVPN, OpenVPN and security:

    - After I've created the keys, and after I've copied the needed ones to the server and the client, what do I do with the other files? Do I have to keep them for later? Or can I just delete them if they won't be used?
    (eg : 0*.pem, *.csr, index.txt*, serial*)

    - What would be the right file permissions for the client keys? (For now, I've put them in /etc/openvpn/keys/ with root.root and 600), but could they be in /home/user/.openvpn with 644, for example?

    Thanks !
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The remaining files would be needed to create additional keys in the future that are compatible with the ones you just created. If you won't need that (for instance, if you're okay recreating all of them when you need a new one), then you're free to delete them.
    In TomatoVPN, you shouldn't need to be messing with the files directly. Paste the contents of the files into the GUI. If you're referring to a PC client or server, then you can put them wherever you want - just so long as the config file points to them correctly.
     
  19. tomtom

    tomtom Addicted to LI Member

    I see there is a new drop today. Does this mean it is ready...?
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.27vpn3.5 release blog post :biggrin:

    As I mention in the blog, I want to apologize for the delay of this release. Since it was so long, there may have been features that I said I'd include then forgot about. If that's the case, please definitely let me know.

    Hopefully, this release works out well for everyone. :smile:
     
  21. dougisfunny

    dougisfunny LI Guru Member

    You said it would do the dishes and windows, I don't see that in the change log.
     
  22. kazon

    kazon Addicted to LI Member

    This version is working much better for me - no more DNS leaking using VPN (as a client)!

    Thanks for your efforts!
     
  23. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    We don't deserve your apology, what you delivered is more than we expected...
    I'll test your new build and report any problems I meet. Thanks again for your great MOD.
     
  24. Raganook

    Raganook Addicted to LI Member

    Hey, long time no question. Thanks again, by the way, I've now set up a total of 4 routers with TomatoVPN.

    I can TUN and TAP now with no problem (thanks to your seemingly limitless patience), but there is something I want to know:

    I have a TUN VPN from home<-> office. I only actually need the office to see ONE device at home, and I would really rather have the home not be able to see anything but ONE device at work. Both sides are equipped with TomatoVPN-enabled routers, with Home hosting.

    Is there some way to "block" devices from joining the VPN, or the inverse, only allow certain device/mac addresses to join?

    Thanks in advance!
     
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The "Firewall" setting "Automatic" opens up the tunnel completely. You'll want to set it to "External Only" on the server and "Custom" on the client, then define your own firewall rules for traffic going over the tunnel.

    Off-the-cuff attempt:
    Code:
    iptables -I INPUT -i tun21 -j ACCEPT
    iptables -I FORWARD -i tun21 -s <ip1> -d <ip2> -j ACCEPT
    
    Place this on both routers in the firewall script. On the client-side, change tun21 to tun11. On each side, ip1 is the ip address of the remote device and ip2 is the ip address of the local device (so they will swap positions between client and server).

    The first rule allows anybody on the remote end to contact the local router itself. The second explicitly allows a certain remote device to access a certain local device. All other traffic will be blocked.
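As an added example (not SgtPepperKSU's code or anything from the TomatoVPN build), a small POSIX shell helper that emits the two rules above for either end of the link, validates the addresses first, and shows how ip1 and ip2 trade places between the server and client routers; it assumes tun21/tun11 as stated above and only prints, it applies nothing.

```shell
#!/bin/sh
# Added example (not SgtPepperKSU's code): generate the "External Only" /
# "Custom" tunnel rules from the post for either end of a TomatoVPN
# site-to-site link. Assumes tun21 is the server-side tunnel interface and
# tun11 the client-side one, as stated above. Nothing is applied; the
# output is meant to be pasted into the router's firewall script.

# Accept only a dotted-quad IPv4 address, so a typo cannot become a
# wildcard that opens the tunnel wider than intended.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# $1 = server|client, $2 = remote device (ip1), $3 = local device (ip2).
tunnel_rules() {
    side=$1; remote=$2; local_ip=$3
    case "$side" in
        server) ifname=tun21 ;;
        client) ifname=tun11 ;;
        *) echo "usage: tunnel_rules server|client REMOTE_IP LOCAL_IP" >&2; return 2 ;;
    esac
    valid_ipv4 "$remote"   || { echo "bad remote address: $remote" >&2; return 2; }
    valid_ipv4 "$local_ip" || { echo "bad local address: $local_ip" >&2; return 2; }
    # Anyone on the far end may talk to this router itself.
    echo "iptables -I INPUT -i $ifname -j ACCEPT"
    # Exactly one remote device may reach exactly one local device; nothing
    # else arriving on the tunnel is accepted for forwarding.
    echo "iptables -I FORWARD -i $ifname -s $remote -d $local_ip -j ACCEPT"
}

# Both ends of the home(server) <-> office(client) setup from the question:
# the same pair of addresses, swapped, because "remote" and "local" trade
# places when you move to the other router.
site_to_site_rules() {
    home_dev=$1; office_dev=$2
    echo "# home router (server side)"
    tunnel_rules server "$office_dev" "$home_dev" || return $?
    echo "# office router (client side)"
    tunnel_rules client "$home_dev" "$office_dev" || return $?
}
```

Run `site_to_site_rules HOME_DEVICE OFFICE_DEVICE` and paste each half into the matching router's firewall script.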
     
  26. groosh

    groosh Addicted to LI Member

    thank you for the latest drop, working good so far.
     
  27. tastyfish

    tastyfish Addicted to LI Member

    Hi there! Thanks for this mod, it works really well and I've been using it for a long time now! But there seems to be a bug in this release: when "Direct clients to redirect Internet traffic" is set with the option "Yes, leave default gateway intact" the output in the config.ovpn file has a typo:

    Where it should say
    Code:
    push "redirect-gateway def1"
    it instead says
    Code:
    push "redirect-gatewaydef1"
    (The space between "redirect-gateway" and "def1" is missing.)

    I have used the custom configuration box to add the correct line to my configuration manually but other users may have trouble. Thanks again for the great mod! :)
     
  28. jyavenard

    jyavenard Network Guru Member

    Weird, cause the code is correct:
    fprintf(fp, "redirect-gateway%s\n", nvi>1? "": " def1");
     
  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    He's referring to the server config where, indeed, there is a bug (the space was accidentally left out).

    Thanks for letting me know. I'll fix it and post new binaries.
     
  30. Low-WRT

    Low-WRT LI Guru Member

    Just checked my logs...VPN seems to be constantly restarting. I just updated to 1.27 from 1.25. This definitely wasn't happening before.
    Code:
    Jan 31 08:10:26 unknown daemon.warn openvpn[242]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: LZO compression initialized
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: TUN/TAP device tap21 opened
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: TUN/TAP TX queue length set to 100
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: UDPv4 link local (bound): [undef]:1194
    Jan 31 08:10:26 unknown daemon.notice openvpn[242]: UDPv4 link remote: [undef]
    Jan 31 08:11:26 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
    Jan 31 08:11:26 unknown daemon.notice openvpn[242]: TCP/UDP: Closing socket
    Jan 31 08:11:26 unknown daemon.notice openvpn[242]: Closing TUN/TAP interface
    Jan 31 08:11:26 unknown daemon.notice openvpn[242]: SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 08:11:26 unknown daemon.notice openvpn[242]: Restart pause, 2 second(s)
    Jan 31 08:11:28 unknown daemon.warn openvpn[242]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: LZO compression initialized
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: TUN/TAP device tap21 opened
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: TUN/TAP TX queue length set to 100
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: UDPv4 link local (bound): [undef]:1194
    Jan 31 08:11:28 unknown daemon.notice openvpn[242]: UDPv4 link remote: [undef]
    Jan 31 08:12:29 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
    Jan 31 08:12:29 unknown daemon.notice openvpn[242]: TCP/UDP: Closing socket
    Jan 31 08:12:29 unknown daemon.notice openvpn[242]: Closing TUN/TAP interface
    Jan 31 08:12:29 unknown daemon.notice openvpn[242]: SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 08:12:29 unknown daemon.notice openvpn[242]: Restart pause, 2 second(s)
    Jan 31 08:12:31 unknown daemon.warn openvpn[242]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: LZO compression initialized
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: TUN/TAP device tap21 opened
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: TUN/TAP TX queue length set to 100
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: UDPv4 link local (bound): [undef]:1194
    Jan 31 08:12:31 unknown daemon.notice openvpn[242]: UDPv4 link remote: [undef]
    Jan 31 08:13:31 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
    Jan 31 08:13:31 unknown daemon.notice openvpn[242]: TCP/UDP: Closing socket
    Jan 31 08:13:31 unknown daemon.notice openvpn[242]: Closing TUN/TAP interface
    Jan 31 08:13:31 unknown daemon.notice openvpn[242]: SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 08:13:31 unknown daemon.notice openvpn[242]: Restart pause, 2 second(s)
    Jan 31 08:13:33 unknown daemon.warn openvpn[242]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: LZO compression initialized
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: TUN/TAP device tap21 opened
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: TUN/TAP TX queue length set to 100
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: UDPv4 link local (bound): [undef]:1194
    Jan 31 08:13:33 unknown daemon.notice openvpn[242]: UDPv4 link remote: [undef]
    Jan 31 08:14:33 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
    Jan 31 08:14:33 unknown daemon.notice openvpn[242]: TCP/UDP: Closing socket
    Jan 31 08:14:33 unknown daemon.notice openvpn[242]: Closing TUN/TAP interface
    Jan 31 08:14:33 unknown daemon.notice openvpn[242]: SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 08:14:33 unknown daemon.notice openvpn[242]: Restart pause, 2 second(s)
    Jan 31 08:14:35 unknown daemon.warn openvpn[242]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: LZO compression initialized
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: TUN/TAP device tap21 opened
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: TUN/TAP TX queue length set to 100
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: UDPv4 link local (bound): [undef]:1194
    Jan 31 08:14:35 unknown daemon.notice openvpn[242]: UDPv4 link remote: [undef]
    Jan 31 08:15:35 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
    Jan 31 08:15:35 unknown daemon.notice openvpn[242]: TCP/UDP: Closing socket
    Jan 31 08:15:35 unknown daemon.notice openvpn[242]: Closing TUN/TAP interface
    Jan 31 08:15:35 unknown daemon.notice openvpn[242]: SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 08:15:35 unknown daemon.notice openvpn[242]: Restart pause, 2 second(s)
    Jan 31 08:15:37 unknown daemon.warn openvpn[242]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: LZO compression initialized
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: TUN/TAP device tap21 opened
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: TUN/TAP TX queue length set to 100
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: UDPv4 link local (bound): [undef]:1194
    Jan 31 08:15:37 unknown daemon.notice openvpn[242]: UDPv4 link remote: [undef]
    
    NEVERMIND--I added "keepalive 60 86400" and now everything is fine. Odd, I don't know how that got taken out.
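An added example, not part of Low-WRT's post or the firmware: a shell/awk check that flags this kind of ping-restart loop in a syslog dump, plus a grep for whether a config sets keepalive or ping-restart at all. The sample log lines are constructed after the pattern above.

```shell
#!/bin/sh
# Added example (not Low-WRT's or the firmware's code): spot the restart
# loop shown in the log above, where an OpenVPN instance that never sees a
# peer hits --ping-restart every minute and bounces forever.
# Assumes syslog-style lines "Mon DD HH:MM:SS host ... openvpn[PID]: ..."
# from a single day (the clock arithmetic wraps once at midnight).

# Read a log on stdin; print one line per PID that restarted on
# "--ping-restart" at least $1 times (default 3, minimum 2), with the
# spread of the intervals between restarts. Exit 0 if any loop was found,
# 1 otherwise.
find_ping_restart_loops() {
    thr=${1:-3}
    [ "$thr" -ge 2 ] 2>/dev/null || thr=2
    awk -v thr="$thr" '
        /openvpn\[[0-9]+\]: Inactivity timeout \(--ping-restart\)/ {
            pid = $0; sub(/.*openvpn\[/, "", pid); sub(/\].*/, "", pid)
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            if (pid in last) {
                gap = now - last[pid]; if (gap < 0) gap += 86400
                if (!(pid in lo) || gap < lo[pid]) lo[pid] = gap
                if (gap > hi[pid]) hi[pid] = gap
            }
            last[pid] = now; seen[pid]++
        }
        END {
            found = 0
            for (pid in seen) if (seen[pid] >= thr) {
                found = 1
                printf "pid %s: %d ping-restarts, %d-%ds apart\n", pid, seen[pid], lo[pid], hi[pid]
            }
            exit found ? 0 : 1
        }'
}

# Does an OpenVPN config file set the timeout explicitly? The fix in the
# post was to put "keepalive 60 86400" back into the server config.
has_keepalive() {
    grep -Eq '^[[:space:]]*(keepalive|ping-restart)[[:space:]]+[0-9]' "$1"
}

# Constructed sample, abridged from the pattern in the post: PID 242 never
# sees a peer and restarts every ~62 s; PID 311 restarts once, then connects.
sample_log() {
    cat <<'EOF'
Jan 31 08:10:26 unknown daemon.notice openvpn[242]: UDPv4 link remote: [undef]
Jan 31 08:11:26 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
Jan 31 08:11:26 unknown daemon.notice openvpn[242]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 31 08:12:29 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
Jan 31 08:13:31 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
Jan 31 08:14:33 unknown daemon.notice openvpn[242]: Inactivity timeout (--ping-restart), restarting
Jan 31 08:20:00 unknown daemon.notice openvpn[311]: Inactivity timeout (--ping-restart), restarting
Jan 31 08:21:05 unknown daemon.notice openvpn[311]: Peer Connection Initiated with [AF_INET]192.0.2.10:1194
EOF
}
```

On the router, `find_ping_restart_loops 3 < /var/log/messages` gives the same one-line verdict for the real log.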
     
  31. d3v4

    d3v4 Addicted to LI Member

    Hi! Thanks for this mod. I've used it for weeks now, but after upgrading to the latest version I have a problem with OpenVPN stopping after a WAN reconnect, but not being restarted.

    The "Start with WAN" option is checked, but OpenVPN is only started after a reconnect, if it wasn't running before the disconnect. If it was running before the disconnect, it just stops after the reconnect:

    Code:
    daemon.notice openvpn[1902]: TCP/UDP: Closing socket
    daemon.notice openvpn[1902]: Closing TUN/TAP interface
    daemon.notice openvpn[1902]: /sbin/ifconfig tun21 0.0.0.0
    daemon.notice openvpn[1902]: SIGTERM[hard,] received, process exiting
     
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you ssh/telnet to your router, run
    Code:
    nvram set vpn_debug=2
    Then provide the VPN_LOG_* lines in your log?
     
  33. d3v4

    d3v4 Addicted to LI Member


    1. Disconnect/Reconnect while OpenVPN is not running.
    Code:
    Jan 31 17:52:00 charon user.info init[1]: VPN_LOG_EXTRA: 1055: Adding server 1 interface to dns config
    Jan 31 17:52:07 charon user.info init[1]: VPN_LOG_EXTRA: 1055: Adding server 1 interface to dns config
    Jan 31 17:52:21 charon user.info init[1]: VPN_LOG_EXTRA: 1055: Adding server 1 interface to dns config
    Jan 31 17:52:28 charon user.info ip-up[2540]: VPN_LOG_INFO: 971: Starting servers (eas): 1,
    Jan 31 17:52:28 charon user.info ip-up[2540]: VPN_LOG_INFO: 985: Starting server 1 (eas)
    Jan 31 17:52:29 charon user.info ip-up[2540]: VPN_LOG_INFO: 459: VPN GUI server backend starting...
    Jan 31 17:52:29 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 550: Writing config file
    Jan 31 17:52:29 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 751: Done writing config file
    Jan 31 17:52:29 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 754: Writing certs/keys
    Jan 31 17:52:29 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 815: Done writing certs/keys
    Jan 31 17:52:29 charon user.info ip-up[2540]: VPN_LOG_INFO: 818: Starting OpenVPN: /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
    Jan 31 17:52:30 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 826: Done starting openvpn
    Jan 31 17:52:30 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 833: Creating firewall rules
    Jan 31 17:52:30 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 856: Done creating firewall rules
    Jan 31 17:52:30 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 859: Running firewall rules
    Jan 31 17:52:30 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 864: Done running firewall rules
    Jan 31 17:52:30 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 871: Adding cron job
    Jan 31 17:52:30 charon user.info ip-up[2540]: VPN_LOG_EXTRA: 880: Done adding cron job
    Jan 31 17:52:30 charon user.info ip-up[2540]: VPN_LOG_INFO: 883: VPN GUI server backend complete.
    2. Disconnect/Reconnect while OpenVPN is already running.
    Code:
    Jan 31 17:56:42 charon user.info init[1]: VPN_LOG_EXTRA: 1055: Adding server 1 interface to dns config
    Jan 31 17:56:55 charon user.info init[1]: VPN_LOG_EXTRA: 1055: Adding server 1 interface to dns config
    Jan 31 17:57:10 charon user.info init[1]: VPN_LOG_EXTRA: 1055: Adding server 1 interface to dns config
    Jan 31 17:57:12 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 1022: Beginning all firewall scripts...
    Jan 31 17:57:12 charon user.info ip-up[2906]: VPN_LOG_INFO: 1028: Running firewall script: server1-fw.sh
    Jan 31 17:57:12 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 1034: Done with all firewall scripts...
    Jan 31 17:57:17 charon user.info ip-up[2906]: VPN_LOG_INFO: 971: Starting servers (eas): 1,
    Jan 31 17:57:17 charon user.info ip-up[2906]: VPN_LOG_INFO: 980: Stopping server 1 (eas)
    Jan 31 17:57:17 charon user.info ip-up[2906]: VPN_LOG_INFO: 892: Stopping VPN GUI server backend.
    Jan 31 17:57:17 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 895: Removing cron job
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 902: Done removing cron job
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 905: Removing firewall rules.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 918: Done removing firewall rules.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 921: Stopping OpenVPN server.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 924: OpenVPN server stopped.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 927: Removing VPN device.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 935: VPN device removed.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 941: Removing generated files.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 950: Done removing generated files.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 956: Killing OpenVPN client.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_EXTRA: 959: OpenVPN server killed.
    Jan 31 17:57:18 charon user.info ip-up[2906]: VPN_LOG_INFO: 961: VPN GUI server backend stopped.
     
  34. jyavenard

    jyavenard Network Guru Member

    Hi there..

    In the list of mods I've sent you, I have fixed this issue...

    When the WAN link goes down, OpenVPN isn't stopped.
    So I added a function stop_vpn_eas called when the WAN is down. So when the WAN restarts, OpenVPN is restarted.
     
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Thanks. I've fixed the bug and will be making a new release in short order.
     
  36. jyavenard

    jyavenard Network Guru Member

    OpenVPN with username/password authentication support.

    Hi

    I've posted in another thread on the matter.
    http://www.avenard.org/wrt54-tomato/tomato-127vpn4.0.beta3.zip

    It's a merge of my previous firmware (with PPTP/snmp support) and this great OpenVPN one.

    Added a few fixes here and there, as well as user/password authentication support (client side only).

    Also added some features like the ability to test the server certificate common name (check http://openvpn.net/index.php/open-source/documentation/howto.html#secnotes)

    Edit: Beta3 with 3.6 fixes
     
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

  38. d3v4

    d3v4 Addicted to LI Member

    Thanks, works great!
     
  39. Raganook

    Raganook Addicted to LI Member

    I tried this and neither end could see anything. I now understand that it's got nothing to do with your firmware, just everything to do with me not knowing anything about firewall scripting. Thanks for the help :)
     
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you could ssh/telnet to your routers and do the following (with the rules I already provided in place), I'm sure we could find the firewall rules you need:
    1. On both routers:
      Code:
      service firewall restart
    2. Attempt whatever you're trying to do that isn't working
    3. On both routers, run the following and provide the output:
      Code:
      iptables -t mangle -nvL; iptables -t nat -nvL; iptables -t filter -nvL
     
  41. kenyloveg

    kenyloveg LI Guru Member

    Thanks for your sharing.
     
  42. Tordenflesk

    Tordenflesk Addicted to LI Member

    Any chance of a tutorial for a doofus like me?
    The only problem I see is the remote machine running x64 Win7, which I haven't found a compatible client for. Also, what do I paste in the different fields? Do I just open the certificates, select all and paste it in?
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    From what I've read, version 2.1.1 from the OpenVPN site works on Windows 7 64-bit.

    Simply copying/pasting the entire contents of the certificate/key files will work, however a couple of them might have more content than you need. All you really need to paste into the GUI is the stuff between (and including) the "-----BEGIN ...-----" and "-----END ...-----" lines.
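As an added example (not from the thread or the TomatoVPN sources), a shell helper that extracts exactly the BEGIN...END block from an easy-rsa output file and checks that the block type fits the GUI field it is headed for; the sample files it writes are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread or the TomatoVPN sources): pull the
# "-----BEGIN ...----- / -----END ...-----" block out of a key file before
# pasting it into the GUI, and check that its type fits the target field.
# easy-rsa .crt files carry a human-readable dump above the PEM block; the
# GUI only needs the block itself.

# Print the first PEM block of type $1 (e.g. CERTIFICATE) in file $2,
# BEGIN and END lines included. Exit 1 if no such block exists.
pem_block() {
    awk -v want="$1" '
        /^-----BEGIN .*-----$/ {
            t = $0; sub(/^-----BEGIN /, "", t); sub(/-----$/, "", t)
            if (t == want) inblk = 1
        }
        inblk { print }
        inblk && /^-----END / { done = 1; exit }
        END { exit done ? 0 : 1 }' "$2"
}

# List the block types found in file $1, one per line, in file order.
pem_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Does the first block in file $2 fit GUI field $1?
#   ca | cert -> a CERTIFICATE       key    -> some kind of PRIVATE KEY
#   dh        -> DH PARAMETERS       static -> OpenVPN Static key V1
field_ok() {
    first=$(pem_types "$2" | head -n 1)
    case "$1" in
        ca|cert) [ "$first" = "CERTIFICATE" ] ;;
        key)     case "$first" in *"PRIVATE KEY") true ;; *) false ;; esac ;;
        dh)      [ "$first" = "DH PARAMETERS" ] ;;
        static)  [ "$first" = "OpenVPN Static key V1" ] ;;
        *)       echo "unknown field: $1" >&2; false ;;
    esac
}

# Constructed sample files (placeholder bodies, not real key material),
# laid out the way easy-rsa 2 writes them, into directory $1.
write_samples() {
    cat > "$1/server.crt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=example-ca   (constructed text dump above the block)
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-BODY-NOT-REAL
-----END CERTIFICATE-----
EOF
    cat > "$1/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-KEY-BODY-NOT-REAL
-----END RSA PRIVATE KEY-----
EOF
    cat > "$1/dh1024.pem" <<'EOF'
-----BEGIN DH PARAMETERS-----
PLACEHOLDER-DH-BODY-NOT-REAL
-----END DH PARAMETERS-----
EOF
}
```

`pem_block CERTIFICATE ca.crt` prints exactly what belongs in the Certificate Authority box; `field_ok ca ca.key` fails, which is the mix-up the check is there to catch.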
     
  44. Tordenflesk

    Tordenflesk Addicted to LI Member

    So I paste:
    ca.key in Certificate Authority
    .crt in Server Certificate
    .key in Server key
    and dh1024.pem in Diffie Hellman parameters

    Then I do approximately the same thing on the client on my work machine, and I should be able to connect?
     
  45. gawd0wns

    gawd0wns LI Guru Member

    I find that when I have a VPN tun connection setup between two routers, I can no longer resolve LAN IP addresses from one network to the other after about a week or two of inactivity/non-use. I can connect to the linked router from one end to the other using the VPN address (i.e. 10.8.0.6), though no clients can be reached until I disconnect the client router, and reboot the server router.

    Any ideas on how to get this working again without rebooting?

    Thanks
     
  46. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Odd. Have you checked to see if the routing tables are still correct? Besides stopping then restarting the server/client, I'm afraid I don't have any ideas. Once the tunnel is set up, my code stays out of the way, so it sounds like a problem in OpenVPN itself.
     
  47. gawd0wns

    gawd0wns LI Guru Member

    Yes, I did check the routing tables for changes, though no changes were made. I think it has something to do with the server, since disconnecting and reconnecting a client had no effect.
     
  48. DrCain

    DrCain Addicted to LI Member

    I finally got my DNS over VPN issues solved. Instead of having OpenVPN push DNS servers to the clients, I set up dnsmasq to use a separate nameserver for internal DNS.
    Like so:
    server=/int.example.com/192.168.1.1@192.168.2.1
     
  49. CorneliousJD

    CorneliousJD Guest

    Any news or estimated release date on the Username/Pass authentication release? This will be extremely helpful in my workplace.
     
  50. rs232

    rs232 Network Guru Member

    Is there any chance to have auto-channel included in this wonderful mod? :)
    My neighbours are driving me crazy; they seem to have nothing to do other than change their channel all the time :-(
     
  51. pendetim

    pendetim Addicted to LI Member

    Thanks to SgtPepperKSU

    First and foremost, many thanks to you, SgtPepperKSU, for this labor. It has to be a labor of love based on the passion you have shown since the first release almost 2 1/2 years ago!

    Being a complete NOOB, I have been lurking for a few weeks trying to learn as much as possible about the VPN build. Finally last week I took the plunge and loaded 1.25vpn3.4. After a few false starts I have the server working (!) on 2 WRT54Gs; one a GL and the other a V4 model. So far connecting from my laptop client to either of them has been solid. I have done the OpenVPN client on Win2K and Win 7 64 bit laptops.

    One observation is that when I tried to flash the WRT54GL using FF 3.5.7 or IE8 it kept failing. When I switched to IE tab in FF all was well. Just a random observation.

    To make life really simple I am using TAP and a static key which gives me stable connection from the client laptop to either of the WRT54Gs. So far so good.

    Now I want to do something a little more advanced, (yea can't leave well enough alone).

    I want to set up one of the WRT54Gs as a client and the other as a server and have them connected all the time. There are tabs in the WRT54G build that show parameters for a client so I assume by filling in the boxes, I can make the client on the WRT54G call the server on the other WRT54 and they will stay connected until told to drop. This should be easy.

    Where it gets more complicated is while these two boxes are connected, I want to be able to also connect with my laptop to either one of them and be on the combined network. Everything is on different subnets, WRT54GL is 192.168.3.1, WRT54V4 is 192.168.0.10, Laptop is whatever I am handed.

    So.... First I tried to add the duplicates-cn command in the advanced tab of the server. The WRT54G protested saying I needed to run the --mode-server command also. When I added the mode-server command it was not happy either. Is the duplicates-cn command supported with static keys and TAP?

    Since that duplicates-cn does not seem to work, could I setup the second server tab and (using UDP 1195), connect to server 2 while Server 1 is running? Will this combine the networks? Can Server 2 use the same static key as Server1? Can static keys be named static1.key and static2.key if I need different keys.

    Also, can a client and server be connected and running simultaneously on the same WRT54GL?

    I know I probably could generate and use the more complicated TLS keys if needed. If I have to do this, do I need unique sets of TLS keys on all the servers my laptop will be connecting to or can I copy the same server keys to all servers and use a single set of keys on the laptop?

    Thanks for any insight and help on this.

    Tim

    Here is a cut and paste from the time when I added the duplicates-cn to the running server:

    Feb 6 19:45:08 ? daemon.info dnsmasq[2464]: read /etc/hosts - 0 addresses
    Feb 6 19:45:08 ? daemon.info dnsmasq[2464]: read /etc/hosts.dnsmasq - 0 addresses
    Feb 6 19:45:08 ? cron.err crond[2468]: crond (busybox 1.14.0) started, log level 9
    Feb 6 19:45:08 ? user.info init[1]: Tomato 1.25vpn3.4.4a8380cb
    Feb 6 19:45:08 ? user.info init[1]: Linksys WRT54G/GS/GL
    Feb 6 20:00:01 ? syslog.info root: -- MARK --
    Feb 6 20:21:56 ? user.warn kernel: nvram_commit(): init
    Feb 6 20:21:58 ? user.warn kernel: nvram_commit(): end
    Feb 6 20:21:59 ? daemon.err openvpn[1214]: event_wait : Interrupted system call (code=4)
    Feb 6 20:21:59 ? daemon.notice openvpn[1214]: TCP/UDP: Closing socket
    Feb 6 20:21:59 ? daemon.notice openvpn[1214]: Closing TUN/TAP interface
    Feb 6 20:21:59 ? daemon.notice openvpn[1214]: SIGTERM[hard,] received, process exiting
    Feb 6 20:21:59 ? user.info kernel: br0: port 3(tap21) entering disabled state
    Feb 6 20:21:59 ? user.info kernel: br0: port 3(tap21) entering disabled state
    Feb 6 20:22:00 ? user.info kernel: device tap21 entered promiscuous mode
    Feb 6 20:22:00 ? user.info kernel: br0: port 3(tap21) entering learning state
    Feb 6 20:22:00 ? user.info kernel: br0: port 3(tap21) entering forwarding state
    Feb 6 20:22:00 ? user.info kernel: br0: topology change detected, propagating
    Feb 6 20:22:00 ? daemon.err openvpn[3791]: Options error: --duplicate-cn requires --mode server
    Feb 6 20:22:00 ? daemon.warn openvpn[3791]: Use --help for more information.
    Feb 6 20:22:00 ? user.info init[1]: VPN_LOG_ERROR: 732: Starting VPN instance failed...
    Feb 6 20:22:00 ? user.info kernel: br0: port 3(tap21) entering disabled state
    Feb 6 20:22:00 ? user.info kernel: br0: port 3(tap21) entering disabled state
    Feb 6 20:22:48 ? user.warn kernel: nvram_commit(): init
    Feb 6 20:22:50 ? user.warn kernel: nvram_commit(): end
    Feb 6 20:23:03 ? user.info kernel: device tap21 entered promiscuous mode
    Feb 6 20:23:03 ? user.info kernel: br0: port 3(tap21) entering learning state
    Feb 6 20:23:03 ? user.info kernel: br0: port 3(tap21) entering forwarding state
    Feb 6 20:23:03 ? user.info kernel: br0: topology change detected, propagating
    Feb 6 20:23:03 ? daemon.notice openvpn[3824]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    Feb 6 20:23:03 ? daemon.warn openvpn[3824]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Feb 6 20:23:03 ? daemon.notice openvpn[3824]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 6 20:23:03 ? daemon.notice openvpn[3824]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
     
  52. cenc

    cenc Addicted to LI Member

    port error messages

    Total newbie to vpn, but not tomato. Everything though looks like it is going good so far, but... I think I have a bug in one of the packages.

    Using two tomato routers, and I keep running into an error related to the port field in the GUI setting up the server or client on one of the routers.

    Everything works fine on the tomatovpn-1.27vpn3.6 flashed to a GL, but on my Buffalo router I can neither enter the port nor the ip / domain of the server or client fields without getting errors. The only difference I can find is the tomato.trx package I used to flash the Buffalo router with. I have tried all kinds of mixes of settings, and none will work. I have however entered the exact same settings on the GL, and they worked perfectly and both the server and client started without a problem. So, I believe I have all the right settings.

    On the Buffalo in the server configuration, I have tried it in almost every mode to get it to enter the port number and it either goes blank on saving or complains about an invalid port or netmask. I have tried some different browsers also with no luck. I don't think it is a browser glitch.

    Feb 8 02:49:53 sgc user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Feb 8 02:49:53 sgc user.info kernel: device tun22 entered promiscuous mode
    Feb 8 02:49:53 sgc daemon.err openvpn[402]: Options error: Parameter renegotiate_seconds can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
    Feb 8 02:49:53 sgc daemon.warn openvpn[402]: Use --help for more information.
    Feb 8 02:49:53 sgc user.info init[1]: VPN_LOG_ERROR: 822: Starting VPN instance failed...
    Feb 8 02:58:10 sgc user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Feb 8 02:58:10 sgc user.info kernel: device tap21 entered promiscuous mode
    Feb 8 02:58:10 sgc user.info kernel: br0: port 3(tap21) entering learning state
    Feb 8 02:58:10 sgc user.info kernel: br0: port 3(tap21) entering forwarding state
    Feb 8 02:58:10 sgc user.info kernel: br0: topology change detected, propagating
    Feb 8 02:58:10 sgc daemon.err openvpn[467]: Options error: Bad port number: 0
    Feb 8 02:58:10 sgc daemon.warn openvpn[467]: Use --help for more information.
    Feb 8 02:58:10 sgc user.info init[1]: VPN_LOG_ERROR: 822: Starting VPN instance failed...
    Feb 8 02:58:11 sgc user.info kernel: br0: port 3(tap21) entering disabled state
    Feb 8 02:58:11 sgc user.info kernel: br0: port 3(tap21) entering disabled state
     
  53. cenc

    cenc Addicted to LI Member

    Trying to set up the bad router as a client:

    type tap
    protocol udp
    server address port domainname 1194
    firewall automatic
    static key
    server on the same subnet checked.

    It complains about the IP address being invalid, even though it is a no-ip domain name. If I enter a ip, I get the same complaint.

    When I switch to Tun, however it will keep the domain, and not complain about it; but, still will not start the client.
     
  54. cenc

    cenc Addicted to LI Member

    javascript

    It seems like a javascript error, as in other modes I will have the same problem of not being able to enter data in to certain fields (and have it keep the data through a save).
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try to erase NVRAM (thorough) from Administration/Configuration in the GUI. This is recommended after any upgrade, as occasionally weird things like this can happen when you don't.
     
  56. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can have a client and server running at the same time on a router, but I don't know how well that would work with TAP with everything on the same subnet. It would really be better if you just had one server, then had the client router and any client PCs connect to just it.

    Also, if you're going to have multiple clients, you really should use TLS rather than static-key. Static-key authentication is meant for just one connection at a time.
     
  57. pendetim

    pendetim Addicted to LI Member

    Ok I will try to generate TLS keys and start over.

    Here is what I need to do once I do that:

    Location 1: openVPN/Tomato 1.2.5 build 3.4 on a WRT54GL with IP of 192.168.0.10. This will be the server. It is inside my LAN with port 1195 forwarded to it

    Location 2: open VPN/Tomato 1.25 build 3.4 on a WRT54GV4 with an IP of 192.168.3.1. This will be the client and is also the router connected to the cable company's modem.

    Laptop Win7 64 bit in the wild. Or when it is on the LAN at location 1 or 2 it will be assigned an IP by the local DHCP server.

    Both Location 1 and 2 use DYNDNS to track public IPs.

    What I want to do is have location 2 connect to location 1 and stay connected and be able to share/browse location (1/2) to location (2/1) and the laptop be able to see both LANs when in the wild or on either LAN.

    I have tried TAP and TUN on the server/client and combinations of NAT etc with little success. Using existing static keys I can connect and see the laptop being assigned an IP in the remote site but I can not seem to be able to ping or connect to anything on the remote site.

    I did see a post way back where some one was trying to do what I am trying but could not sort out how it was resolved.

    Until I can generate the TLS keys I want to try with static keys.


    So in BASIC for the client:
    TUN
    UDP1195
    Firewall Auto
    Key Static ( for now till I change )
    Create NAT Checked ( what does routes must be configured manually mean and where do I do this???)
    Local/Remote Endpoints? What goes here?

    ADVANCED:
    Redirect not checked
    adaptive
    Connection retry 30

    custom:
    keepalive 10 60
    ping-timer-rem
    float

    On the SERVER Side:
    TUN
    UDP 1195
    Static
    Local Remote endpoints ( what goes here? )
    ( do not see a NAT box on this page?)

    ADVANCED
    Respond to DNS checked
    Adaptive

    Custom:
    keepalive 10 60
    ping-timer-rem
    float

    So what goes in the local/remote endpoints boxes? and what else am I missing?

    Tim
     
  58. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Using static-key mode complicates things because the server can't push any information to the client like it can with TLS. That's why it requires more information to be entered (endpoints) and throws up warning about routing.

    If you're going to stick with static-key, the endpoints are two addresses on the same, unique subnet (not the same as any subnet you already use at any site). The local endpoint is the one that will be used on this router while the remote endpoint is the one that will be expected to be used on the other router (they need to flip positions between server and client). This is so it knows how to talk to the other end of the tunnel. The default values are 10.8.0.1 and 10.8.0.2 (switched on client), and as long as that doesn't conflict with any subnet you're already using, it should be fine.

    Creating a NAT on the client makes everything on the client's subnet appear as if it was coming from the client router itself, rather than distinct machines. This means that the server doesn't need to know anything about the client subnet, but it also means that, while the client subnet can initiate communication with the server subnet, the server subnet cannot initiate communication with the client subnet (in much the same way that people on the internet cannot initiate communication with your LAN computers - without setting up forwarding, etc). If you don't select NAT, then you have to teach the server router about the client subnet. This can be done by adding routing information to the custom configuration section. See the OpenVPN manual for the "--route" command (when entered in the custom config section, drop the leading "--").

    However, this is much, much, easier using TLS. The endpoint information is pushed to the client automatically. Also, if you fill in the Client Specific options table in the server (only possible with TLS), the routing is handled automatically as well.

    Static-key is okay for small deployments where just one simultaneous client is needed and it is a single PC (no network behind it). Anything more complicated than that is just begging you to use TLS. It takes a couple more steps to generate certificates, but it saves a ton of headache in setup and maintenance.
     
  59. pendetim

    pendetim Addicted to LI Member

    Thanks for your patience. :) I will be setting up TLS keys today.

    So if I understand you correctly using TLS, the server sets a VPNSubnet mask of 10.8.0.0/255.255.255.0. and this is magically pushed to all clients when they connect?

    On the client when I use TLS and do not select NAT ( since I want to browse both directions) do I then have to somehow configure the routes??? Or do manual route configurations go away when I use TLS ?

    Will the laptop, when on a Foreign network, be able to see machines connected to the client router?

    Tim
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep.
    Filling in the Client-specific options section on the server takes care of all of the routing.
    Yes, as long as you set it up that way in the Client-specific options table (select "Allow Client<->Client" and "push" for the client router entry).

    Now, when you say you want to "browse" both directions, what do you mean? Using TUN (which I still recommend), you will not be able to browse in Windows' Network Neighborhood to find a computer. However, you will be able to contact any of the computers directly (including browsing their Windows shares via //<ip address>/). This is because of how windows sharing works (it has to be on the same subnet to "discover" the other computers in the "neighborhood"). I think this point may be moot, though, if you have a WINS server configured. If you don't rely on which computers show up in "Network Neighborhood" (which I've always found to be spotty even without a VPN involved), then you can completely ignore this last paragraph.
     
  61. pendetim

    pendetim Addicted to LI Member


    Thanks for the help, now some more questions. I really am unfamiliar with this stuff, Sorry to be a pest.

    On the server configuration page, Using TUN/TLS on basic settings enables some options on the advanced page I do not understand.

    I DO want Push Lan to clients.
    Do I want to respond to DNS?
    Do I want to Advertise DNS?
    I DO want to manage client specific options
    I DO want to enable client<-> client
    The next line is a bit confusing to me.
    "allow only these clients" "enable" "Common Name" "Subnet" "Netmask" "push"

    If I put an entry in this series of boxes, will this only allow clients matching these parameters to connect? How would that work with my laptop in an internet cafe where the subnet @ the NIC could be anything? Or are we talking a different subnet than the NIC is assigned?

    On the client basic page, TUN using TLS with NAT "off" gives a message saying routes must be configured manually. Can this be ignored with TUN/TLS on the server with the server enabling client-client ?


    Tim
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you want the connected clients to use the VPN server as their DNS server, then select both of these. If not, don't (they will continue to use whatever DNS they were already using).
    With "Allow only these clients" selected, only the clients in the table can connect. If a client with a different CommonName tries to connect, it will be rejected. Note that this isn't required to use the table. If you don't want to limit the connected clients to ones listed in the table, you're free to not select this and just fill in the entries that need subnet/netmask info.

    Be sure to fill in the CommonName exactly as it was used in creation of the client certificates. Otherwise, it won't match and the entry in the table won't be used. For devices that don't have a network behind them (they're not another router, or they are a router with a NAT - like your laptop), simply don't fill in the subnet and netmask fields. For devices that have a network behind them (a router with no NAT on the VPN client interface - like your client router), fill in the LAN subnet/netmask. If you want to advertise this network to other clients, select "push".
    Your routes are being "configured manually" by filling in the table on the server, so you're fine. The warning is just to let people know that things will not work unless that (or equivalent) is done.
     
  63. jabberwock

    jabberwock Addicted to LI Member

    VPN established but cannot reach server-side LAN

    Thanks for keeping such awesome forum going!

    I am trying to expand the scope of the VPN to include additional machines on the server subnet (192.168.1.0/24). I understand I need to advertise the 192 subnet to VPN clients. I inserted a push directive in config.ovpn but it isn't working. Any inputs will be greatly appreciated!

    Here is my server config:

    # Automatically generated configuration
    daemon
    ifconfig 10.8.0.1 10.8.0.2
    proto udp
    port 1194
    dev tun21
    keepalive 15 60
    verb 3
    secret static.key
    status-version 2
    status status

    # Custom Configuration
    push "route 192.168.1.0 255.255.255.0"#

    -Jackson
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can't push anything when using static-key mode. You'll have to enter it on the client configs or use TLS.
     
  65. pendetim

    pendetim Addicted to LI Member

    Tried to set up following your advice and still no luck with VPN. I created the TLS keys and got the server and client running. When I am on the client's network I can connect to the server but nothing else on the server side. A ping to any device except the server on the server's network fails also.
    When I am on the server side, I can connect to nothing on the client side.

    A dumb question: the VPNserver WRT54G is connected to my LAN using the lan port on the WRT54GL that is acting as the VPN server. Is this the correct port to use or should I use the WAN port?????

    vpn server is 192.168.0.10. Gateway is 192.168.0.18 and this box hands out DHCP for the 192.168.0.0 subnet

    Here are my Server basic settings:
    Start with Router checked
    Interface Type TUN
    Protocol UDP
    Server Address/Port DYNDNS 1195
    Firewall Auto
    Authorization Mode TLS
    Extra HMAC authorization No
    VPN Subnet 10.8.0.0 255.255.255.0

    Advanced:

    Push LAN to clients yes
    Direct clients to
    redirect Internet traffic no
    Respond to DNS no
    Advertise DNS to clients no
    Encryption cipher default
    Compression adaptive
    TLS Renegotiation Time (in seconds, -1 for default)
    Manage Client-Specific Options
    Allow Client<->Client yes
    Allow Only These Clients not checked


    enable client1 192.168.3.0 255.255.255.0 push checked

    Custom : keepalive 10 60
    ping-timer-rem
    float


    For the client: on a router with lan address of 192.168.3.1

    TUN
    UDP
    DYNDNS address 1195
    Firewall auto
    Auth TLS
    Extra HMAC NO
    Create NAT No

    Advanced:
    Redirect No
    Accept DNS no
    Encrypt default
    compression adaptive
    tls timer -1
    connection retry 30


    custom:
    keepalive 10 60
    ping-timer-rem
    float


    Here is a sample from my client log on a restart. It is seeing the server, as the WAN ip address of the far end is there:

    Feb 8 21:58:32 unknown daemon.notice openvpn[507]: Closing TUN/TAP interface
    Feb 8 21:58:32 unknown daemon.notice openvpn[507]: /sbin/ifconfig tun12 0.0.0.0
    Feb 8 21:58:33 unknown daemon.notice openvpn[507]: SIGTERM[hard,] received, process exiting
    Feb 8 21:58:58 unknown daemon.notice openvpn[540]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    Feb 8 21:58:58 unknown daemon.warn openvpn[540]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 8 21:58:58 unknown daemon.warn openvpn[540]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Feb 8 21:58:58 unknown daemon.notice openvpn[540]: LZO compression initialized
    Feb 8 21:58:58 unknown daemon.notice openvpn[540]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 8 21:58:58 unknown daemon.notice openvpn[540]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 8 21:58:58 unknown daemon.notice openvpn[544]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Feb 8 21:58:58 unknown daemon.notice openvpn[544]: UDPv4 link local: [undef]
    Feb 8 21:58:58 unknown daemon.notice openvpn[544]: UDPv4 link remote: 138.89.135.108:1195
    Feb 8 21:58:58 unknown daemon.err openvpn[544]: TLS Error: local/remote TLS keys are out of sync: 138.89.135.xxx:1195 [0]
    Feb 8 21:58:58 unknown daemon.notice openvpn[544]: TLS: Initial packet from 138.89.135.xxx:1195, sid=d91d6e7e dd3256ac
    Feb 8 21:59:00 unknown daemon.notice openvpn[544]: VERIFY OK: depth=1, /C=US/ST=NJ/L=Allamuchy/O=OpenVPN/CN=Tr/Email=@gmail.com
    Feb 8 21:59:00 unknown daemon.notice openvpn[544]: VERIFY OK: depth=0, /C=US/ST=NJ/O=OpenVPN/CN=server/Email=@gmail.com
    Feb 8 21:59:02 unknown daemon.notice openvpn[544]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 8 21:59:02 unknown daemon.notice openvpn[544]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 8 21:59:02 unknown daemon.notice openvpn[544]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 8 21:59:02 unknown daemon.notice openvpn[544]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 8 21:59:02 unknown daemon.notice openvpn[544]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Feb 8 21:59:02 unknown daemon.notice openvpn[544]: [server] Peer Connection Initiated with 138.89.135.108:1195
    Feb 8 21:59:02 unknown daemon.err openvpn[544]: event_wait : Interrupted system call (code=4)
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5'
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: OPTIONS IMPORT: route options modified
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: TUN/TAP device tun12 opened
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: TUN/TAP TX queue length set to 100
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: /sbin/ifconfig tun12 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.5
    Feb 8 21:59:03 unknown daemon.notice openvpn[544]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
    Feb 8 21:59:04 unknown daemon.notice openvpn[544]: Initialization Sequence Completed


    Here is the server on a restart:

    Feb 8 22:00:01 ? syslog.info root: -- MARK --
    Feb 8 22:04:56 ? daemon.err openvpn[447]: event_wait : Interrupted system call (code=4)
    Feb 8 22:04:56 ? daemon.notice openvpn[447]: TCP/UDP: Closing socket
    Feb 8 22:04:56 ? daemon.notice openvpn[447]: /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
    Feb 8 22:04:56 ? daemon.notice openvpn[447]: /sbin/route del -net 192.168.3.0 netmask 255.255.255.0
    Feb 8 22:04:56 ? daemon.notice openvpn[447]: Closing TUN/TAP interface
    Feb 8 22:04:56 ? daemon.notice openvpn[447]: /sbin/ifconfig tun22 0.0.0.0
    Feb 8 22:04:56 ? daemon.notice openvpn[447]: SIGTERM[hard,] received, process exiting
    Feb 8 22:05:08 ? user.info kernel: device tun22 entered promiscuous mode
    Feb 8 22:05:08 ? daemon.notice openvpn[1781]: OpenVPN 2.1_rc19 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Aug 12 2009
    Feb 8 22:05:08 ? daemon.warn openvpn[1781]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes t
    Feb 8 22:05:08 ? daemon.warn openvpn[1781]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Feb 8 22:05:08 ? daemon.notice openvpn[1781]: Diffie-Hellman initialized with 1024 bit key
    Feb 8 22:05:08 ? daemon.notice openvpn[1781]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 8 22:05:08 ? daemon.notice openvpn[1781]: TUN/TAP device tun22 opened
    Feb 8 22:05:08 ? daemon.notice openvpn[1781]: TUN/TAP TX queue length set to 100
    Feb 8 22:05:08 ? daemon.notice openvpn[1781]: /sbin/ifconfig tun22 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Feb 8 22:05:08 ? daemon.notice openvpn[1781]: /sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 10.8.0.2
    Feb 8 22:05:08 ? daemon.notice openvpn[1781]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Feb 8 22:05:09 ? daemon.notice openvpn[1781]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 8 22:05:09 ? daemon.notice openvpn[1788]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Feb 8 22:05:09 ? daemon.notice openvpn[1788]: UDPv4 link local (bound): [undef]:1195
    Feb 8 22:05:09 ? daemon.notice openvpn[1788]: UDPv4 link remote: [undef]
    Feb 8 22:05:09 ? daemon.notice openvpn[1788]: MULTI: multi_init called, r=256 v=256
    Feb 8 22:05:09 ? daemon.notice openvpn[1788]: IFCONFIG POOL: base=10.8.0.4 size=62
    Feb 8 22:05:09 ? daemon.notice openvpn[1788]: Initialization Sequence Completed
    Feb 8 22:05:13 ? daemon.err openvpn[1788]: event_wait : Interrupted system call (code=4)


    What am I missing???
     
  66. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Your server subnet needs to know where to find the client subnet. You will have to add a static route on the gateway router that says to use 192.168.0.10 as the gateway for the client subnet. Since you have separate VPN server and gateway, the firmware can't do this part automatically.
     
  67. Thux

    Thux Addicted to LI Member

    Hello!

    First of all, I want to thank you for this great build!

    I have a little problem with TLS authentication. I wanted my clients and server to use keys and certificates, and the only mode that allows this is to have TLS activated as Auth Method.

    After all the config and many tries I couldn't connect and I don't know exactly what I did wrong.

    So here is my config:

    On the server I have:

    Code:
    # Automatically generated configuration
    daemon
    server 10.30.0.0 255.255.255.0
    proto udp
    port 13794
    dev tun22
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route 192.168.123.0 255.255.255.0"
    push "dhcp-option DNS 192.168.123.1"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status

    on the client:

    Code:
    client
    dev tun
    proto udp
    remote my.site.org 13794
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    # So, I should have a ta.key?
    ;tls-auth ta.key 1

    comp-lzo
    verb 3
    # Down here are some options I have tried and none works
    remote-cert-tls server
    #tls-remote Router
    #ns-cert-type client

    So, if I need a ta.key where should I put it on the server? I didn't see any options for a ta.key there.

    Thank you!
     
  68. pendetim

    pendetim Addicted to LI Member

    Thanks SgtPepperKSU!:thumbup: that makes sense. So if I understand you correctly: in my gateway router I would set a static route that sends anything that is asking for (192.168.3.0 255.255.255.0) to 192.168.0.10 which in turn would go in/out on 192.168.0.18 ( my gateway ). This plan will work to connect to the tomato client and devices on the other end with an IP in the range of 192.168.3.0 .

    When I connect from my laptop in the wild, it will have a variety of LAN addresses. Is there a clever solution to this?

    Thanks for your patience with a NOOB.

    Tim
     
  69. jabberwock

    jabberwock Addicted to LI Member

    Thanks SgtPepperKSU! I'll give that a try.

    A follow on question, I can not seem to save the changes I made to \etc\openvpn\server1-fw.sh when I ssh to the router directly, even after "nvram commit". (The only way I managed to save was via the web front end.) What am I doing wrong?

    Again, your input is greatly appreciated!

    -Jackson
     
  70. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Pretty much, yeah. The devices on your 192.168.0.0/24 LAN won't know anything about the VPN, so they'll be sending everything to their gateway (.18). That gateway will then forward anything VPN bound (192.168.3.0/24) to the VPN client router (.10). From there, the VPN client router will have all of the proper routing in place to know to send it over the tunnel (which will be encrypted traffic going over its gateway, .18).
    One thing I'm not sure of, though, is if the VPN client sending return traffic directly back to the LAN computers instead of through the gateway will be a problem. I suspect it will be (the LAN computers will be sending traffic to .18 and getting responses from .10 - which will probably be seen as invalid). You will probably need to modify the routing on the VPN client to always use the gateway instead of directly contacting LAN devices. I know I've successfully worked through this exact situation with somebody before - I'll try and look that up.
    When your laptop is connected, it will receive an IP address on its TUN interface. That is what it should be identified as when communicating over the VPN. You can direct your gateway to also point the VPN subnet to the VPN client just as you are the remote LAN subnet.
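    To make the static-route fix and the asymmetric return path from the two posts above concrete, here is an added Python model (not from the thread or TomatoVPN) that traces a packet through per-device routing tables. The topology is constructed from pendetim's posts; the ISP next hops and the simplified tunnel addresses 10.8.0.1 (server) / 10.8.0.2 (client) are assumptions.

```python
"""Trace forward and return paths between pendetim's two LANs. Added example, not
from the thread. Constructed topology: LAN 192.168.0.0/24 with gateway .18 and the
Tomato VPN server at .10; remote LAN 192.168.3.0/24 behind the client router .1;
tunnel ends simplified to 10.8.0.1 (server) and 10.8.0.2 (client)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[str]]  # (destination, next hop); None = on-link
Device = Dict[str, list]                              # {"addrs": [...], "routes": [...]}


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def build_topology(gateway_static_route: bool) -> Dict[str, Device]:
    """Per-device routing tables. With gateway_static_route=False the gateway knows
    nothing about 192.168.3.0/24, which is pendetim's original situation."""
    gateway_routes: List[Route] = [(net("192.168.0.0/24"), None),
                                   (net("0.0.0.0/0"), "203.0.113.1")]  # constructed ISP hop
    if gateway_static_route:
        # The fix from post #66: hand the client subnet to the VPN server router.
        gateway_routes.insert(1, (net("192.168.3.0/24"), "192.168.0.10"))
    return {
        "lan-host": {"addrs": ["192.168.0.50"],
                     "routes": [(net("192.168.0.0/24"), None),
                                (net("0.0.0.0/0"), "192.168.0.18")]},
        "gateway": {"addrs": ["192.168.0.18"], "routes": gateway_routes},
        "vpn-server": {"addrs": ["192.168.0.10", "10.8.0.1"],
                       "routes": [(net("192.168.0.0/24"), None),
                                  (net("10.8.0.0/24"), "10.8.0.2"),
                                  (net("192.168.3.0/24"), "10.8.0.2"),  # client-specific table
                                  (net("0.0.0.0/0"), "192.168.0.18")]},
        "client-router": {"addrs": ["192.168.3.1", "10.8.0.2"],
                          "routes": [(net("192.168.3.0/24"), None),
                                     (net("10.8.0.0/24"), "10.8.0.1"),
                                     (net("192.168.0.0/24"), "10.8.0.1"),  # pushed by server
                                     (net("0.0.0.0/0"), "198.51.100.1")]},  # constructed ISP hop
        "remote-host": {"addrs": ["192.168.3.20"],
                        "routes": [(net("192.168.3.0/24"), None),
                                   (net("0.0.0.0/0"), "192.168.3.1")]},
    }


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the kernel chooses a route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for entry in routes:
        if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def owner_of(devices: Dict[str, Device], ip: str) -> Optional[str]:
    for name, dev in devices.items():
        if ip in dev["addrs"]:
            return name
    return None


def trace(devices: Dict[str, Device], src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a packet from device `src` to IP `dst`; returns the devices crossed.
    The last element is a '<...>' marker when the packet cannot be delivered."""
    path, cur = [src], src
    for _ in range(max_hops):
        if dst in devices[cur]["addrs"]:
            return path
        hit = lookup(devices[cur]["routes"], dst)
        if hit is None:
            return path + ["<no route>"]
        next_ip = dst if hit[1] is None else hit[1]
        nxt = owner_of(devices, next_ip)
        if nxt is None:
            return path + [f"<unreachable via {next_ip}>"]
        path.append(nxt)
        cur = nxt
    return path + ["<loop>"]


def path_is_symmetric(forward: List[str], reverse: List[str]) -> bool:
    """True when the reply retraces the request; False is the asymmetry post #70 warns about."""
    return forward == list(reversed(reverse))


if __name__ == "__main__":
    for fixed in (False, True):
        topo = build_topology(fixed)
        fwd = trace(topo, "lan-host", "192.168.3.20")
        rev = trace(topo, "remote-host", "192.168.0.50")
        print(f"gateway static route={fixed}: LAN->remote {fwd}")
        print(f"    remote->LAN {rev}  symmetric={path_is_symmetric(fwd, rev)}")
```

    Without the static route the forward trace dies at the gateway's ISP hop; with it the request goes LAN host, gateway, VPN server, client router, but the reply comes back via the VPN server straight to the LAN host, bypassing the gateway, which is the path the post above says may be seen as invalid.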
     
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think this post is the end result of the discussion I was referring to. You should probably try it first without the iptables rule he used, though. Hopefully, that sort of thing isn't necessary for this to work.
     
  72. pendetim

    pendetim Addicted to LI Member

    YESSSSSSSSSSSSSSSSS ! Adding the static route worked! My most grateful thanks to you SgtPepperKSU for the patience and help you showed a poor lost soul.

    Tim
     
  73. Thux

    Thux Addicted to LI Member

  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Neither your client nor server is configured to use tls-auth (ta.key), so you're fine there. The first thing that jumps out at me is that your comp-lzo lines are mismatched. You either need to change the compression setting on the server or change the client line to match the server.

    If that doesn't work, more details on what isn't working and server/client logs from the relevant timeframe would help.
     
  75. gawd0wns

    gawd0wns LI Guru Member

    When there is a ';' in front of a line in the openvpn configuration, the line is ignored, as if it is not there at all.

    The "Static Key" box will be activated only when you set "Extra HMAC authorization (tls-auth)" to a setting other than disabled, then you will need enter a static key in the keys window generated by the command: openvpn --genkey --secret ta.key

    I see a problem with your client config:
    comp-lzo is in the client config but not in the server config, either remove it, or add it to both config files.
     
  76. Thux

    Thux Addicted to LI Member

    I know that ; comments the line out. I don't want just a simple secret.key; I need the server and client to use certificates and keys. And to do that I've seen that only when TLS is chosen as Auth Method am I able to use certificates and keys.

    The problem is that the client can't connect to the server because of the TLS and how can I overcome it?
    As far as I read about TLS it is required that the server should have a ta.key but from the admin gui -> keys I couldn't see any box for a ta.key.

    L.E.: I'm gonna try adjusting the comp parameter and I'll get back to you! Thanks!
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    How are you determining that it is failing due to authentication (TLS)? From logs?
    tls-auth (ta.key) is not required for TLS. It is an additional, optional layer of authentication before TLS negotiation is started. It is mainly used because it is lower overhead than full TLS authentication, so it can weed out most of the bad attempts before using all the resources normally needed to do so. It's really only useful if you're expecting enough failed authorization attempts to slow down the router. It is configurable in the GUI, though, if you enable it in the Basic tab (incoming vs outgoing needs to be complementary with the client - either both need to be disabled/bi-directional or the 0-1 values need to be opposite).
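The gating effect SgtPepperKSU describes, as an added toy model that is not part of the thread or of OpenVPN's code: every control packet carries an HMAC keyed from the shared static key, so a server drops packets from anyone without the key before it spends anything on a TLS handshake. The packet layout (a 20-byte HMAC-SHA1 tag prepended to the payload), the split of the 2048-bit key into two halves, and the payload string are this model's assumptions, not OpenVPN's wire format; what it does reproduce is the direction rule from the post: both peers bidirectional, or 0 against 1.

```python
"""Toy model of the tls-auth pre-check.  Constructed illustration only: the
tag placement, key split and payload are assumptions, not OpenVPN's format."""
import hashlib
import hmac
import os

KEY_BYTES = 256                         # 2048 bits, the size 'openvpn --genkey --secret ta.key' writes
TAG_LEN = hashlib.sha1().digest_size    # 20-byte HMAC-SHA1 tag (assumed layout: tag || payload)


def generate_static_key():
    """Constructed stand-in for ta.key."""
    return os.urandom(KEY_BYTES)


def hmac_keys(static_key, direction):
    """Return (send_key, recv_key) for one peer.

    None -> bidirectional: one half signs and verifies in both directions.
    0 / 1 -> directional: sign with one half, verify with the other, so the
    two peers must be configured with opposite values.  Splitting the key at
    its midpoint is this model's assumption.
    """
    a, b = static_key[:KEY_BYTES // 2], static_key[KEY_BYTES // 2:]
    if direction is None:
        return a, a
    if direction == 0:
        return a, b
    if direction == 1:
        return b, a
    raise ValueError("direction must be None, 0 or 1")


class Peer:
    def __init__(self, static_key, direction):
        self.send_key, self.recv_key = hmac_keys(static_key, direction)
        self.handshakes_started = 0   # the expensive work we were willing to do

    def seal(self, payload: bytes) -> bytes:
        """Prepend the HMAC tag computed with our send key."""
        return hmac.new(self.send_key, payload, hashlib.sha1).digest() + payload

    def accept(self, packet: bytes) -> bool:
        """Cheap gate: check the tag; only a valid one 'starts' TLS."""
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.recv_key, payload, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return False               # dropped silently, no TLS state allocated
        self.handshakes_started += 1   # a real server would begin the TLS handshake here
        return True


def run_scenarios():
    """Exercise the configurations discussed in the thread.

    Returns scenario -> (server accepted the packet, handshakes the server started).
    """
    key = generate_static_key()
    hello = b"client hello (constructed payload)"
    results = {}
    for name, srv_dir, cli_dir, cli_key in [
            ("opposite directions", 0, 1, key),
            ("both bidirectional", None, None, key),
            ("same direction (misconfigured)", 0, 0, key),
            ("no key (unauthenticated stranger)", 0, 1, generate_static_key()),
    ]:
        server = Peer(key, srv_dir)
        client = Peer(cli_key, cli_dir)
        accepted = server.accept(client.seal(hello))
        results[name] = (accepted, server.handshakes_started)
    return results


if __name__ == "__main__":
    for scenario, (accepted, started) in run_scenarios().items():
        print(f"{scenario:36s} accepted={accepted} handshakes_started={started}")
```

The two rejected cases cost the server one HMAC computation and nothing else, which is the whole point of the option: the TLS handshake counter stays at zero for packets that fail the tag check.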
     
  78. Thux

    Thux Addicted to LI Member

    Ok, here is the log:

    - from the server:

    cat status

    TITLE,OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jan 31 2010
    TIME,Wed Feb 10 18:22:46 2010,1265818966
    HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
    CLIENT_LIST,UNDEF,192.168.123.103:41921,,210,494,Wed Feb 10 18:22:14 2010,1265818934
    HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
    GLOBAL_STATS,Max bcast/mcast queue length,0
    END

    -from client:

    openvpn /etc/openvpn/client.conf

    Wed Feb 10 18:22:00 2010 OpenVPN 2.1_rc20 x86_64-mandriva-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 6 2009
    Wed Feb 10 18:22:00 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Feb 10 18:22:00 2010 LZO compression initialized
    Wed Feb 10 18:22:00 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Feb 10 18:22:00 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Feb 10 18:22:00 2010 Local Options hash (VER=V4): '41690919'
    Wed Feb 10 18:22:00 2010 Expected Remote Options hash (VER=V4): '530fdded'
    Wed Feb 10 18:22:00 2010 Socket Buffers: R=[129024->131072] S=[129024->131072]
    Wed Feb 10 18:22:00 2010 UDPv4 link local: [undef]
    Wed Feb 10 18:22:00 2010 UDPv4 link remote: <ip>:13794
    Wed Feb 10 18:23:00 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Feb 10 18:23:00 2010 TLS Error: TLS handshake failed
    Wed Feb 10 18:23:00 2010 TCP/UDP: Closing socket
    Wed Feb 10 18:23:00 2010 SIGUSR1[soft,tls-error] received, process restarting
    Wed Feb 10 18:23:00 2010 Restart pause, 2 second(s)

    HMAC option is "disabled" on the server.
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The logs on the server will show in the syslog, available in the GUI under status(not VPN status, but in the main navigation)->logs.
    From the client logs, this could just as well be a connectivity problem (blocked ports, etc). I'll need to see if anything occurs at all on the server when the client tries to connect.
     
  80. Thux

    Thux Addicted to LI Member

    Feb 10 19:22:16 router daemon.notice openvpn[27222]: MULTI: multi_create_instance called
    Feb 10 19:22:16 router daemon.notice openvpn[27222]: 192.168.123.103:57743 Re-using SSL/TLS context
    Feb 10 19:22:16 router daemon.notice openvpn[27222]: 192.168.123.103:57743 LZO compression initialized
    Feb 10 19:22:16 router daemon.notice openvpn[27222]: 192.168.123.103:57743 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 10 19:22:16 router daemon.notice openvpn[27222]: 192.168.123.103:57743 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 10 19:22:16 router daemon.notice openvpn[27222]: 192.168.123.103:57743 TLS: Initial packet from 192.168.143.103:57743, sid=e8f0e78e 67367221

    and after 1 min:

    Feb 10 19:23:16 router daemon.err openvpn[27222]: 192.168.123.103:57743 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Feb 10 19:23:16 router daemon.err openvpn[27222]: 192.168.123.103:57743 TLS Error: TLS handshake failed
    Feb 10 19:23:16 router daemon.notice openvpn[27222]: 192.168.123.103:57743 SIGUSR1[soft,tls-error] received, client-instance restarting
     
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I notice that 192.168.123.103 and 192.168.143.103 are shown as IPs. There should only be one IP in those places. Is this due to you redacting the IP addresses for privacy and mistyping? If not, there may be a problem there.

    It looks like the TLS authorization isn't failing; it isn't even attempted. Try changing UDP vs TCP and/or a different port number.
     
  82. Thux

    Thux Addicted to LI Member

    Thank you very much for your answers and patience! Now it works! It was the firewall on the client...
     
  83. Paul

    Paul Addicted to LI Member

    For those who are asking for username/password here is an easy way - just put your own username and password to replace where I have put them in caps:

    Copy this:

    Code:
    echo USERNAME > /tmp/password.txt
    echo PASSWORD >> /tmp/password.txt
    to Administration>Script>Init


    and this:

    Code:
    --script-security 2
    auth-user-pass /tmp/password.txt
    to Client>Advanced>Custom config
     
  84. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Thanks for posting this. I've provided it before, but there has seemed to be an increase in interest lately.

    However, I don't think the script-security line is needed. But, if it is needed, the "--" needs to be dropped from the front.
     
  85. Thux

    Thux Addicted to LI Member

    Just to give a feedback, I've tested my connection from two machines on different networks and different OSes (linux and windows) and both work fine.

    I have just one little problem left: my ISP gave me a USB modem stick which I'm using with my laptop when I'm traveling, but somehow the connection is very much "firewalled", so that anyone trying to access my laptop on tcp/80 for example can't. Also tcp/25 is closed, but I don't mind very much. The problem is that I can't establish a VPN connection with my router back home.
    Weird thing, the client tries to connect to the server, the server on the router sees the attempt but (this is what I suspect) when the server tries to send back replies to my client(laptop) it fails because of my internet connection which is somehow blocked by my "dear" ISP.

    Can I do something about that on my side? Some configs or something?

    To give you a bit more info about what's happening here's the log from the server:

    Feb 10 22:57:22 router daemon.notice openvpn[29811]: MULTI: multi_create_instance called
    Feb 10 22:57:22 router daemon.notice openvpn[29811]: 86.122.33.5:39526 Re-using SSL/TLS context
    Feb 10 22:57:22 router daemon.notice openvpn[29811]: 86.122.33.5:39526 LZO compression initialized
    Feb 10 22:57:22 router daemon.notice openvpn[29811]: 86.122.33.5:39526 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 10 22:57:22 router daemon.notice openvpn[29811]: 86.122.33.5:39526 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 10 22:57:22 router daemon.notice openvpn[29811]: 86.122.33.5:39526 TLS: Initial packet from 86.122.33.5:39526, sid=862641e0 97a906f7

    and here's what my client says:

    Wed Feb 10 23:01:31 2010 OpenVPN 2.1_rc20 x86_64-mandriva-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 6 2009
    Wed Feb 10 23:01:31 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Wed Feb 10 23:01:31 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Feb 10 23:01:31 2010 LZO compression initialized
    Wed Feb 10 23:01:31 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Feb 10 23:01:32 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Feb 10 23:01:32 2010 Local Options hash (VER=V4): '41690919'
    Wed Feb 10 23:01:32 2010 Expected Remote Options hash (VER=V4): '530fdded'
    Wed Feb 10 23:01:32 2010 Socket Buffers: R=[129024->131072] S=[129024->131072]
    Wed Feb 10 23:01:32 2010 UDPv4 link local: [undef]
    Wed Feb 10 23:01:32 2010 UDPv4 link remote: 79.114.107.219:1194
    Wed Feb 10 23:02:32 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Feb 10 23:02:32 2010 TLS Error: TLS handshake failed
    Wed Feb 10 23:02:32 2010 TCP/UDP: Closing socket
    Wed Feb 10 23:02:32 2010 SIGUSR1[soft,tls-error] received, process restarting
    Wed Feb 10 23:02:32 2010 Restart pause, 2 second(s)

    and in the Status -> Client List on the server I can see this:

    UNDEF 86.122.33.5:44709 126 294 Wed Feb 10 23:00:42 2010

    P.S.: Just to be clear, there is no problem with the firewall on my server or my client. The only firewall left would be the one of my ISP....

    Thank you in advance for your answers!
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Only thing I can think of would be to try changing TCP vs UDP or the port number (try using common ports like 80 or 443). Since you narrowed it down to your ISP blocking things, it's really just a guessing game from here... :frown:
     
  87. Thux

    Thux Addicted to LI Member

    Thank you a thousand times! :thumbup: :flowers:

    Just switched to TCP and everything is fine!

    Wed Feb 10 23:29:59 2010 OpenVPN 2.1_rc20 x86_64-mandriva-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 6 2009
    Wed Feb 10 23:29:59 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Wed Feb 10 23:29:59 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Feb 10 23:29:59 2010 LZO compression initialized
    Wed Feb 10 23:29:59 2010 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Wed Feb 10 23:29:59 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Feb 10 23:29:59 2010 Local Options hash (VER=V4): '69109d17'
    Wed Feb 10 23:29:59 2010 Expected Remote Options hash (VER=V4): 'c0103fa8'
    Wed Feb 10 23:29:59 2010 Attempting to establish TCP connection with 79.114.107.219:1194 [nonblock]
    Wed Feb 10 23:30:00 2010 TCP connection established with 79.114.107.219:1194
    Wed Feb 10 23:30:00 2010 Socket Buffers: R=[87380->131072] S=[16384->131072]
    Wed Feb 10 23:30:00 2010 TCPv4_CLIENT link local: [undef]
    Wed Feb 10 23:30:00 2010 TCPv4_CLIENT link remote: 79.114.107.219:1194
    Wed Feb 10 23:30:00 2010 TLS: Initial packet from 79.114.107.219:1194, sid=84d5fdb7 9fd37827
    Wed Feb 10 23:30:02 2010 VERIFY OK: depth=1, /C=RO/ST=Blah/L=BlahBlah/O=Blabla/CN=Blablabla/emailAddress=bla@gmail.com
    Wed Feb 10 23:30:02 2010 VERIFY OK: depth=0, /C=RO/ST=Blah/L=BlahBlah/O=Blabla/CN=Blablabla/emailAddress=bla@gmail.com
    Wed Feb 10 23:30:05 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Feb 10 23:30:05 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Feb 10 23:30:05 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Feb 10 23:30:05 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Feb 10 23:30:05 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Wed Feb 10 23:30:05 2010 [Cerber] Peer Connection Initiated with 79.114.107.219:1194
    Wed Feb 10 23:30:07 2010 SENT CONTROL [Cerber]: 'PUSH_REQUEST' (status=1)
    Wed Feb 10 23:30:07 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.123.0 255.255.255.0,dhcp-option DNS 192.168.123.1,redirect-gateway def1,route 10.30.0.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.30.0.6 10.30.0.5'
    Wed Feb 10 23:30:07 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Feb 10 23:30:07 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Feb 10 23:30:07 2010 OPTIONS IMPORT: route options modified
    Wed Feb 10 23:30:07 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Feb 10 23:30:07 2010 ROUTE: default_gateway=UNDEF
    Wed Feb 10 23:30:07 2010 TUN/TAP device tun0 opened
    Wed Feb 10 23:30:07 2010 TUN/TAP TX queue length set to 100
    Wed Feb 10 23:30:07 2010 /sbin/ifconfig tun0 10.30.0.6 pointopoint 10.30.0.5 mtu 1500
    Wed Feb 10 23:30:07 2010 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
    Wed Feb 10 23:30:07 2010 /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.30.0.5
    Wed Feb 10 23:30:07 2010 /sbin/route add -net 10.30.0.0 netmask 255.255.255.0 gw 10.30.0.5
    Wed Feb 10 23:30:07 2010 Initialization Sequence Completed

    Now I have to figure out how to redirect the connection so that the client "goes out" on the internet through the vpn server. I've checked the "Direct clients to redirect Internet traffic" option on the server but I don't know yet what and if I have to put something in the config file of the client also.
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You already have the needed line in your client config (the "client" line implies "pull" which accepts the "redirect-gateway" from the server). However there seems to be an error when it tries to do so (see the log line I left when I quoted your post).

    I have never seen that error before. Are you, by chance, testing this while still connected to the server's LAN? A quick google shows that is the most common cause.
     
  89. Thux

    Thux Addicted to LI Member

    Uhm, no, I'm not connected to the LAN with the server, my only connection is through the USB modem stick. I've now restarted the server to be sure and that Note still shows up. If it helps I'm going to paste below the config on my client:

    client
    dev tun
    proto tcp
    remote my.dns.net 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    comp-lzo yes
    verb 3
    float

    and on the server i have:

    daemon
    server 10.30.0.0 255.255.255.0
    proto tcp-server
    port 1194
    dev tun21
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route 192.168.123.0 255.255.255.0"
    client-config-dir ccd
    client-to-client
    push "dhcp-option DNS 192.168.123.1"
    push "redirect-gateway def1"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
     
  90. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Can you provide your routing table both before and after you connect? On windows, this is "route print" from a command prompt and on linux it is "route -n".

    Also, what operating system are you using (if Windows, what version)? Are you running OpenVPN with administrative/superuser privileges?
     
  91. Thux

    Thux Addicted to LI Member

    My OS is Linux (Mandriva)

    route -n before the vpn connection:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.64.64.64     0.0.0.0         255.255.255.255 UH    25     0        0 ppp0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         0.0.0.0         0.0.0.0         U     25     0        0 ppp0

    and after:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.64.64.64     0.0.0.0         255.255.255.255 UH    25     0        0 ppp0
    10.30.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    10.30.0.0       10.30.0.5       255.255.255.0   UG    0      0        0 tun0
    192.168.123.0   10.30.0.5       255.255.255.0   UG    0      0        0 tun0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         0.0.0.0         0.0.0.0         U     25     0        0 ppp0

    ppp0 is the connection of my usb modem and the vpn connection is started as root!
     
  92. pendetim

    pendetim Addicted to LI Member

    Just got my TLS working on a pair of WRT54G's. I have had static keys going for a few days and could not leave well enough alone. :wink:
    I have set up Server 1 which uses a 2048 bit static key and server 2 which is using TLS. This has also been working but now I want to try TLS auth. When I enable the TLS-auth on the server the static key box comes up on the keys page but it is prefilled in with the static.key I used on Server 1. When I enable TLS-auth on the client and put this key in the static key box, I cannot connect. Client and server are set bidirectional.

    If I generate a ta.key for this and put values in static boxes on server and client , will this overwrite the 2048 bit key for server 1?

    In other words can I have a ta.key and static.key on the same box?


    Tim
     
  93. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, no wonder. You have no default gateway at all. That is a very peculiar network setup.

    I think you're going to have to set up an up script to set up your routes. Something like:
    Code:
    #!/bin/sh
    route add -host $remote_1 gw 0.0.0.0 dev ppp0
    route add -net 0.0.0.0/1 gw $route_vpn_gateway dev tun0
    route add -net 128.0.0.0/1 gw $route_vpn_gateway dev tun0
    
    then in the custom config:
    Code:
    script-security 2
    up <path/to/up-script.sh>
    This is just off the top of my head and completely untested.
     
  94. Thux

    Thux Addicted to LI Member

    It doesn't work:

    This is what happens:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.64.64.64     0.0.0.0         255.255.255.255 UH    25     0        0 ppp0
    10.30.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    10.30.0.0       10.30.0.5       255.255.255.0   UG    0      0        0 tun0
    192.168.143.0   10.30.0.5       255.255.255.0   UG    0      0        0 tun0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         10.30.0.5       128.0.0.0       UG    0      0        0 tun0
    128.0.0.0       10.30.0.5       128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         0.0.0.0         0.0.0.0         U     25     0        0 ppp0
    the client still gives me that notice about the gateway and I can't ping the server or get out on the internet
     
  95. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, it did exactly what I was trying to get it to do (as long as 10.64.64.64 is the VPN server). Could you ping anything over the tunnel before we did this?
     
  96. Thux

    Thux Addicted to LI Member

    10.64.64.64 is the gateway of my ppp0 connection

    the vpn server is 10.30.0.1 or 192.168.123.1
    my client's vpn ip is 10.30.0.6

    and yes, before I've added that script I could ping or ssh any machine from my network (the ones with the ip 192.168.123.xxx)
     
  97. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, I see. I didn't notice that address in the "before" routing table. It seems the first route command didn't take.

    Try this instead (apparently explicitly saying 0.0.0.0 as a gateway is an error, but leaving it out implies 0.0.0.0):
    Code:
    #!/bin/sh
    # $remote_1, $dev and $route_vpn_gateway are exported by OpenVPN to --up scripts.
    # Host route for the server over the modem link; no 'gw', the ppp0 default has none.
    route add -host $remote_1 dev ppp0
    # Two /1 routes beat the /0 default (what 'redirect-gateway def1' does itself).
    route add -net 0.0.0.0/1 gw $route_vpn_gateway dev $dev
    route add -net 128.0.0.0/1 gw $route_vpn_gateway dev $dev
    
    If that doesn't work add the following line to the script, and post the contents of /tmp/openvpn-env after using it.
    Code:
    echo "$remote_1,$dev,$route_vpn_gateway" > /tmp/openvpn-env
    By the way, what's making your situation so weird is that your routing table basically says "Just toss anything over this interface, and it will find its way to its destination" instead of the usual "If you're contacting anything not on my subnet, send it to X host, who will route it to its destination". OpenVPN expects the latter and tries to figure out X for use in its own routes. So, since it gets confused, we're doing the same thing it would if it had understood your situation.
     
  98. Thux

    Thux Addicted to LI Member

    It works! :biggrin:

    After the vpn connection was up I've done a traceroute to google and it showed that the requests go through the cable connection (vpn server).

    Code:
    traceroute to google.com (74.125.87.104), 30 hops max, 60 byte packets
     1  10.30.0.1 (10.30.0.1)  139.620 ms  399.778 ms  399.797 ms
     2  10.0.0.1 (10.0.0.1)  399.805 ms  399.828 ms  399.836 ms
     3  10.128.4.17 (10.128.4.17)  399.843 ms  399.855 ms  399.860 m
    ....etc....
    Also, I've checked on a site which displays your IP and it showed the IP of my cable connection.

    Still, the Notice keeps on showing up when I'm connecting the vpn:

    openvpn /etc/openvpn/client.conf
    Thu Feb 11 17:31:52 2010 OpenVPN 2.1_rc20 x86_64-mandriva-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 6 2009
    Thu Feb 11 17:31:52 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Thu Feb 11 17:31:52 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Feb 11 17:31:52 2010 LZO compression initialized
    Thu Feb 11 17:31:52 2010 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Thu Feb 11 17:31:54 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Thu Feb 11 17:31:54 2010 Local Options hash (VER=V4): '69109d17'
    Thu Feb 11 17:31:54 2010 Expected Remote Options hash (VER=V4): 'c0103fa8'
    Thu Feb 11 17:31:54 2010 Attempting to establish TCP connection with 79.114.92.105:1194 [nonblock]
    Thu Feb 11 17:31:55 2010 TCP connection established with 79.114.92.105:1194
    Thu Feb 11 17:31:55 2010 Socket Buffers: R=[87380->131072] S=[16384->131072]
    Thu Feb 11 17:31:55 2010 TCPv4_CLIENT link local: [undef]
    Thu Feb 11 17:31:55 2010 TCPv4_CLIENT link remote: 79.114.92.105:1194
    Thu Feb 11 17:31:55 2010 TLS: Initial packet from 79.114.92.105:1194, sid=cc178f15 a5d83274
    Thu Feb 11 17:31:57 2010 VERIFY OK: depth=1, /C=RO/ST=Bla/L=Blabla/O=Blahh/CN=Blah/emailAddress=bla@gmail.com
    Thu Feb 11 17:31:57 2010 VERIFY OK: depth=0, /C=RO/ST=Bla/L=Blabla/O=Blahh/CN=Blah/emailAddress=bla@gmail.com
    Thu Feb 11 17:32:02 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Feb 11 17:32:02 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Feb 11 17:32:02 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Feb 11 17:32:02 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Feb 11 17:32:02 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Thu Feb 11 17:32:02 2010 [Router] Peer Connection Initiated with 79.114.92.105:1194
    Thu Feb 11 17:32:04 2010 SENT CONTROL [Router]: 'PUSH_REQUEST' (status=1)
    Thu Feb 11 17:32:04 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.123.0 255.255.255.0,redirect-gateway def1,route 10.30.0.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.30.0.6 10.30.0.5'
    Thu Feb 11 17:32:04 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Feb 11 17:32:04 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Feb 11 17:32:04 2010 OPTIONS IMPORT: route options modified
    Thu Feb 11 17:32:04 2010 ROUTE: default_gateway=UNDEF
    Thu Feb 11 17:32:04 2010 TUN/TAP device tun0 opened
    Thu Feb 11 17:32:04 2010 TUN/TAP TX queue length set to 100
    Thu Feb 11 17:32:04 2010 /sbin/ifconfig tun0 10.30.0.6 pointopoint 10.30.0.5 mtu 1500
    Thu Feb 11 17:32:04 2010 up-script.sh tun0 1500 1544 10.30.0.6 10.30.0.5 init
    Thu Feb 11 17:32:05 2010 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
    Thu Feb 11 17:32:05 2010 /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.30.0.5
    Thu Feb 11 17:32:05 2010 /sbin/route add -net 10.30.0.0 netmask 255.255.255.0 gw 10.30.0.5
    Thu Feb 11 17:32:05 2010 Initialization Sequence Completed

    the route -n shows like this _before_ the vpn connection is up:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.64.64.64     0.0.0.0         255.255.255.255 UH    25     0        0 ppp0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         0.0.0.0         0.0.0.0         U     25     0        0 ppp0
    and after:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.64.64.64     0.0.0.0         255.255.255.255 UH    25     0        0 ppp0
    79.114.92.105   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    10.30.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    10.30.0.0       10.30.0.5       255.255.255.0   UG    0      0        0 tun0
    192.168.123.0   10.30.0.5       255.255.255.0   UG    0      0        0 tun0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         10.30.0.5       128.0.0.0       UG    0      0        0 tun0
    128.0.0.0       10.30.0.5       128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         0.0.0.0         0.0.0.0         U     25     0        0 ppp0
    and this is the output of /tmp/openvpn-env:

    Code:
    my.dns.net,tun0,10.30.0.5
    A funny thing, my usb modem stick connection kinda sucks and I'm losing packets (I've noticed that on pings). It can't be because of the routing, or could it?

    One last question, how could I configure the vpn-server/router so that I can serve web from a machine connected to the vpn server?

    I mean something like this:

    webserver <---vpn-connection---> router(vpn-server)<------>internet

    I've tried to forward the port 80 of the ip of my vpn connected web server but it doesn't work. I think I have to route something...

    Thank you!
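SgtPepperKSU's explanation of why the routing table confused OpenVPN, and the difference between the first up script (post 94, host route missing) and the working one above, as an added worked example that is not part of the thread or of OpenVPN: parse `route -n` output, find the default route, spell out the three routes `redirect-gateway def1` needs, and check the table for the loop the host route prevents (the VPN server's own address being sent into the tunnel). The three tables are copied from the posts above; the longest-prefix lookup is a plain reimplementation for illustration.

```python
"""From 'route -n' output, work out what OpenVPN's 'redirect-gateway def1'
needs and check for the loop the host route prevents.  Added illustration,
not part of the thread or of OpenVPN; tables are copied from the posts above."""
import ipaddress

# Before connecting: the default route has no gateway, only ppp0
# (what OpenVPN logs as 'default_gateway=UNDEF').
ROUTE_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    25     0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     25     0        0 ppp0
"""
# First up-script attempt: /1 routes present, host route for the server missing.
ROUTE_FAILED = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    25     0        0 ppp0
10.30.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.30.0.0       10.30.0.5       255.255.255.0   UG    0      0        0 tun0
192.168.143.0   10.30.0.5       255.255.255.0   UG    0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.30.0.5       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.30.0.5       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U     25     0        0 ppp0
"""
# Working version: a /32 for the server's public address pinned to ppp0.
ROUTE_OK = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    25     0        0 ppp0
79.114.92.105   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.30.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.30.0.0       10.30.0.5       255.255.255.0   UG    0      0        0 tun0
192.168.123.0   10.30.0.5       255.255.255.0   UG    0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.30.0.5       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.30.0.5       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U     25     0        0 ppp0
"""


def parse_route_n(text):
    """Turn 'route -n' output into dicts carrying an ipaddress network."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":
            continue                       # title line and header row
        dest, gw, mask, flags, metric, _ref, _use, iface = cols
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gw": gw, "flags": flags,
                       "metric": int(metric), "iface": iface})
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties; returns (iface, gateway)."""
    addr = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if addr in r["net"]),
               key=lambda r: (r["net"].prefixlen, -r["metric"]), default=None)
    return None if best is None else (best["iface"], best["gw"])


def default_gateway(routes):
    """(gateway, iface) of the /0 route; gateway is None when the route is
    interface-only, the case OpenVPN reports as default_gateway=UNDEF."""
    for r in routes:
        if r["net"].prefixlen == 0:
            return (r["gw"] if "G" in r["flags"] else None), r["iface"]
    return None, None


def def1_routes(routes, server_ip, vpn_gateway, tun_dev):
    """The three routes behind 'redirect-gateway def1', as the up script in
    the thread spells them out; the host route has no 'gw' when UNDEF."""
    gw, iface = default_gateway(routes)
    if iface is None:
        raise RuntimeError("no default route at all; nothing to redirect")
    via = "" if gw is None else f" gw {gw}"
    return [f"route add -host {server_ip}{via} dev {iface}",
            f"route add -net 0.0.0.0/1 gw {vpn_gateway} dev {tun_dev}",
            f"route add -net 128.0.0.0/1 gw {vpn_gateway} dev {tun_dev}"]


def tunnel_loops(routes, server_ip, tun_dev):
    """True if packets to the VPN server itself would go into the tunnel,
    which is exactly what the /32 host route exists to prevent."""
    hit = lookup(routes, server_ip)
    return hit is not None and hit[0] == tun_dev


if __name__ == "__main__":
    for cmd in def1_routes(parse_route_n(ROUTE_BEFORE), "79.114.92.105", "10.30.0.5", "tun0"):
        print(cmd)
    print("loop, first script :", tunnel_loops(parse_route_n(ROUTE_FAILED), "79.114.92.105", "tun0"))
    print("loop, working script:", tunnel_loops(parse_route_n(ROUTE_OK), "79.114.92.105", "tun0"))
```

Running it against the "before" table yields the same three commands as the working up script, and `tunnel_loops` is the check worth keeping: with the first script's table the server's public address matches `0.0.0.0/1` on tun0 and the tunnel would try to carry its own transport, while the working table sends it out over ppp0 and everything else over the tunnel.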
     
  99. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad to hear it!
    Yeah, you'll still get the warning. It's just saying it couldn't set up the redirection itself. But, since we're doing it manually, you can ignore the message in the log.
    Probably just quality of connection in general, not due to the routing. Though, I've never seen routing like that before...
    The routing should already be fine as long as you are forwarding the port on the router to the VPN IP of the webserver. Where are you attempting to access the webserver from? I don't think it will work from the VPN client itself without adding additional NATing to the router.
     
  100. Thux

    Thux Addicted to LI Member

    I'm accessing the webserver from the internet; I want anyone to be able to connect to the webserver via the router (vpn-server) when the webserver is connected via vpn.
     
