
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. Guzel

    Guzel Network Guru Member

    I get this:
    nc: can't connect to remote host (74.125.67.106): No route to host

    IP Trace is working, tried www.google.com
    10.8.0.1
    vpn.xxxx.xxx
    xxx.xxx.xx

    I haven't added any FW scripts; in the vpn.cl settings I have the FW on Auto.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    From the router via ssh/telnet, could you provide the output of
    Code:
    route -n
    ?

    If there is no route, then it would affect all ports equally.
     
  3. Guzel

    Guzel Network Guru Member

    This is with vpn.client on:
    Destination Gateway Genmask Flags Metric Ref Use Iface
    217.10.xx.xx 77.105.xxx.xx 255.255.255.255 UGH 0 0 0 vlan2
    80.67.14.xx 77.105.xxx.xx 255.255.255.255 UGH 0 0 0 vlan2
    77.105.xxx.xx 0.0.0.0 255.255.255.255 UH 0 0 0 vlan2
    217.10.xx.xx 77.105.xxx.xx 255.255.255.255 UGH 0 0 0 vlan2
    10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun11
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    77.105.xxx.x 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun11
    128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun11
    0.0.0.0 77.105.xxx.xx 0.0.0.0 UG 0 0 0 vlan2

    This is with no vpn.cl:
    Destination Gateway Genmask Flags Metric Ref Use Iface
    217.10.xx.xx 77.105.xxx.xx 255.255.255.255 UGH 0 0 0 vlan2
    77.105.xxx.xx 0.0.0.0 255.255.255.255 UH 0 0 0 vlan2
    217.10.xx.xx 77.105.xxx.xx 255.255.255.255 UGH 0 0 0 vlan2
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    77.105.xxx.x 0.0.0.0 255.255.255.0 U 0 0 0 vlan2
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 77.105.xxx.xx 0.0.0.0 UG 0 0 0 vlan2
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, that looks fine. I don't know why it was reporting there was no route to the host. There definitely is. Perhaps there is something screwy with the updated kernel with respect to routing. In that case, I can't help you and you'll have to check with the people familiar with those builds.
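To show why the table posted above really does contain a route to 74.125.67.106, here is an added example (not from the thread or the firmware) that parses `route -n` output and performs the same longest-prefix match the kernel does. The sample table is the "vpn.client on" table from above with the masked octets replaced by made-up placeholder values so that it parses.

```python
import ipaddress

# Constructed sample: the "vpn.client on" table from the post above, with the
# masked octets (xx) replaced by made-up placeholder values so that it parses.
ROUTE_N_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.10.1.1      77.105.1.1      255.255.255.255 UGH   0      0        0 vlan2
80.67.14.1      77.105.1.1      255.255.255.255 UGH   0      0        0 vlan2
77.105.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun11
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
77.105.1.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun11
0.0.0.0         77.105.1.1      0.0.0.0         UG    0      0        0 vlan2
"""


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue  # title line, blank line, etc.
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts[:8]
        try:
            # Destination plus dotted Genmask, e.g. 0.0.0.0/128.0.0.0 -> 0.0.0.0/1
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # the "Destination Gateway Genmask ..." header line
        routes.append((net, gw, flags, iface))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific matching entry wins, exactly as
    the kernel chooses a route (metrics are all 0 here, so no tie-break)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def def1_redirect(routes):
    """Return (gateway, iface) when the table carries the 0.0.0.0/1 and
    128.0.0.0/1 pair that OpenVPN's `redirect-gateway def1` installs: together
    they cover every address and beat the /0 default without deleting it."""
    halves = {}
    for net, gw, _flags, iface in routes:
        if net.prefixlen == 1:
            halves[int(net.network_address)] = (gw, iface)
    lower = halves.get(0)
    upper = halves.get(int(ipaddress.ip_address("128.0.0.0")))
    if lower is not None and lower == upper:
        return lower
    return None


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for target in ("74.125.67.106", "217.10.1.1", "192.168.1.50"):
        net, gw, flags, iface = lookup(table, target)
        print(f"{target:15} -> {net} via {gw} dev {iface} ({flags})")
    print("redirect-gateway def1 in effect:", def1_redirect(table))
```

The host routes (UGH, /32) to the VPN server and DNS addresses still win over the /1 pair, which is what keeps the tunnel's own outer packets off the tunnel.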
     
  5. teddy_bear

    teddy_bear Network Guru Member

    Guzel,
    Is this the same problem you solved by turning off the Broadcom "fast NAT", or something else?
     
  6. Guzel

    Guzel Network Guru Member

    SgtPepperKSU
    Thanks for your help m8,
    Can I use the TAB config setting on tomato.vpn?

    teddy_bear
    Yes, but with fast NAT on it didn't work at all, no vpn.server, no vpn.client.
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm afraid I don't understand what you're asking... :blush:
     
  8. Orkvonmork

    Orkvonmork Networkin' Nut Member

    Hi,

    I need some help. I can't get the VPN running. My VPN client says that I am connected to the router, and my computer shows up in the router status. But no data is going through the connection. I can't even reach my router: can't ping it, and no telnet/ssh access.

    Here is my configuration
    [configuration screenshots not preserved]

    My client config is this:
    Code:
    client
    remote my.dyndns.org 1195
    ca /path/to/cert/ca.crt
    cert /path/to/1stclient.crt
    key /path/to/1stclient.key
    dev tun
    proto udp
    nobind
    auth-nocache
    script-security 2
    persist-key
    persist-tun
    user openvpn
    group openvpn
    
    Can someone please help me?
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What's your goal? Currently you have it configured to not send client Internet-bound traffic over the tunnel ("Direct clients to redirect Internet traffic") or provide access to the server LAN ("Push LAN to clients"). For different use-cases, it could make sense to select one or both of those options, but I can't think of a time you would want neither (unless you're doing something manually in the custom config, which you aren't).

    Also, just to check: the 10.10.10.0/24 subnet is not used anywhere else in your network topology, right? (i.e., it is unique to the VPN - the server LAN, the client LAN, and any network segment visible to either use other subnets).
     
  10. karog

    karog Networkin' Nut Member

    Why the port forward? The VPN gets packets on 1195 yet you forward that port to 192.168.1.10. Lose the port forward.
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good point. I completely missed that last image.
     
  12. Orkvonmork

    Orkvonmork Networkin' Nut Member

    Thanks for your quick reply.

    My goal is pretty simple.
    If my notebook is connected to a public wi-fi spot it should make an encrypted connection to my router at home and use my home IP for surfing.

    Now I tried some setups with "Direct clients to redirect Internet traffic = ON/OFF" and "Push LAN to clients =ON/OFF" but still got the problem.

    And I deleted the port forwarding. Why did I do the port forwarding? Because in some tutorials they say that you should forward the VPN port to the server IP, I guess.

    What setup do you suggest?

    One more thing I should mention:
    My Network looks like this.
    [network diagram not preserved]
    Router A is the router for the whole house. Router B is just for me.
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You definitely need to select "Direct clients to redirect Internet traffic", and it wouldn't hurt to add the "Push LAN to clients". You should select those, connect, and provide the routing table for both the server and the client.
     
  14. karog

    karog Networkin' Nut Member

    Yes, you might have mentioned that :)

    So was the port forward on Router A forwarding the 1195 packets to Router B which has the VPN? Is 192.168.1.10 the IP of Router B? If so, then the port forward makes more sense. Your previous message gave no hint you were giving configuration from two different routers.

    How is Router B connected to Router A? Are both running Tomato? Is Router B an Access Point + WDS? Or what?
     
  15. karog

    karog Networkin' Nut Member

    Doesn't that depend on what the client wants to do? In some cases yes. But in some I prefer to let the client make the decision. The client config can contain:

    redirect-gateway

    if it wants to redirect all traffic through the VPN and not include it if it doesn't. When I connect to my home VPN from some public place I want to redirect all traffic. But when I connect from home to my father's VPN I don't. Then I just want to direct only traffic to his LAN over the VPN.

    So I don't want the VPN server making this decision for me. I want to do it at the client.
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I was just going off what he'd said so far. Of course, he could add the directive to the client config manually. However, it seems the whole point of the VPN server here is to provide redirected Internet access - so it seemed easier to click a checkbox rather than worrying about configuring one or more config files manually.
     
  17. Orkvonmork

    Orkvonmork Networkin' Nut Member

    Thanks for your help!

    • Router A is Accesspoint for wifi A
    • Router B is Accesspoint for wifi B
    • Both are running Tomato
    • Router B is connected to router A via cable (Powerline Communication (PLC))
    • My PC is connected to Router B via cable. Wifi is only used with the netbook and mobile.

    I checked/unchecked "Push LAN to clients" and "Direct clients to redirect Internet traffic" in all possible ways, no positive result.

    I can't even ping my router when VPN is on. When I disable VPN I can check the status.

    [screenshot not preserved]

    I will try in the next days to log into the VPN from another network.
     
  18. karog

    karog Networkin' Nut Member

    removed by author for mistaken assumption
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Not so; it is listening on all interfaces. In fact many people use TomatoVPN only connected via LAN (WAN disabled).

    From what he's said, I'd guess that he wants all things specific to him limited to router B, with router A only having to worry about things that affect the LAN at large. That seems reasonable to me. There's no real difference between running the VPN server "directly" connected to the Internet and running it behind one additional router (other than the need for a port forward on A).

    As I said before, the best bit of information you can provide is the routing tables from the server and client when the tunnel is connected (with those options turned on). If you provide that information, it will hopefully be easy to see what's going wrong.
     
  20. Orkvonmork

    Orkvonmork Networkin' Nut Member

    Right!

    It is on the WAN port but "Use WAN port for LAN" is checked

    Right again. And yes, I can ping with VPN off.

    Router B is my own router, and I can make some experiments with it. Router A is the family/house router. But I just set up the VPN on Router A and will try to connect to it from outside the network tomorrow.

    The client connection is the network-manager in Ubuntu.


    Will report tomorrow or friday.

    Thanks again!
     
  21. karog

    karog Networkin' Nut Member

    I sit corrected. My bad. Thanks.
     
  22. Stach

    Stach Network Guru Member

    Unable to Connect

    I am an Untangle Gateway user trying to switch back to Tomato. One thing that I feared giving up was OpenVPN, so I was very excited to see this addition to the base Tomato.

    I used the guide to generate all my keys/certs and have the OpenVPN server up and running on my TomatoVPN gateway. However, when I try to connect from my Windows laptop remotely, the OpenVPN client log shows the following (I also get the same message when trying to connect from my LAN as well):

    Thu Jun 17 05:37:13 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
    Thu Jun 17 05:37:13 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Jun 17 05:37:14 2010 Control Channel Authentication: using 'Tomato/ta.key' as a OpenVPN static key file
    Thu Jun 17 05:37:14 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jun 17 05:37:14 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Jun 17 05:37:14 2010 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Thu Jun 17 05:37:14 2010 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Thu Jun 17 05:37:14 2010 Local Options hash (VER=V4): 'a1cd95fb'
    Thu Jun 17 05:37:14 2010 Expected Remote Options hash (VER=V4): '6b4b9437'
    Thu Jun 17 05:37:14 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Thu Jun 17 05:37:14 2010 UDPv4 link local: [undef]
    Thu Jun 17 05:37:14 2010 UDPv4 link remote: X.X.X.X:1194
    Thu Jun 17 05:38:14 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu Jun 17 05:38:14 2010 TLS Error: TLS handshake failed
    Thu Jun 17 05:38:14 2010 TCP/UDP: Closing socket
    Thu Jun 17 05:38:14 2010 SIGUSR1[soft,tls-error] received, process restarting
    Thu Jun 17 05:38:14 2010 Restart pause, 2 second(s)


    My home subnet is 192.168.1.0/24 and I told TomatoVPN to use 192.169.1.0/24 for the VPN subnet (I tried 192.168.11.0/24, but it didn't like that), as my work uses 10.0.0.0/8 internally for networking...anything wrong with that?

    Any ideas as to what I'm missing?

    Thanks in advance!
    Stachu

    Any ideas as to what is failing?
     
  23. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Does anything at all show up in the server logs?

    Assuming you're using TUN, all that's important is that the VPN subnet is unique (not the same as the client or server subnets or any subnet visible to the client or server).
     
  24. Stach

    Stach Network Guru Member

    SgtPepperKSU, thanks for the reply. My configuration is the following:
    Interface Type: TUN
    Protocol: UDP
    Port: 1194
    Firewall: Automatic
    Auth Mode: TLS
    Extra HMAC: Incoming (0)
    VPN Subnet: 192.169.1.0 / 255.255.255.0

    Below is what I am seeing in my Tomato logs (before and after some reconfig changes)...is one of my keys/certs bad because of the "HMAC authentication failed" message?
    Should I reboot the Tomato router?

    Jun 17 04:24:20 unknown daemon.err openvpn[456]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Jun 17 04:24:20 unknown daemon.err openvpn[456]: TLS Error: incoming packet authentication failed from 192.168.1.23:63699
    Jun 17 04:42:15 unknown user.warn kernel: nvram_commit(): init
    Jun 17 04:42:17 unknown user.warn kernel: nvram_commit(): end
    Jun 17 04:42:18 unknown daemon.notice openvpn[456]: TCP/UDP: Closing socket
    Jun 17 04:42:18 unknown daemon.notice openvpn[456]: /sbin/route del -net 192.169.1.0 netmask 255.255.255.0
    Jun 17 04:42:18 unknown daemon.notice openvpn[456]: Closing TUN/TAP interface
    Jun 17 04:42:18 unknown daemon.notice openvpn[456]: /sbin/ifconfig tun21 0.0.0.0
    Jun 17 04:42:18 unknown daemon.notice openvpn[456]: SIGTERM[hard,] received, process exiting
    Jun 17 04:42:19 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Jun 17 04:42:19 unknown user.info kernel: device tun21 entered promiscuous mode
    Jun 17 04:42:19 unknown daemon.notice openvpn[810]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jan 31 2010
    Jun 17 04:42:19 unknown daemon.warn openvpn[810]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: Diffie-Hellman initialized with 2048 bit key
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: TLS-Auth MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: TUN/TAP device tun21 opened
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: TUN/TAP TX queue length set to 100
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: /sbin/ifconfig tun21 192.169.1.1 netmask 255.255.255.0 mtu 1500 broadcast 192.169.1.255
    Jun 17 04:42:22 unknown daemon.notice openvpn[810]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Jun 17 04:42:22 unknown daemon.notice openvpn[815]: GID set to nobody
    Jun 17 04:42:22 unknown daemon.notice openvpn[815]: UID set to nobody
    Jun 17 04:42:22 unknown daemon.notice openvpn[815]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Jun 17 04:42:22 unknown daemon.notice openvpn[815]: UDPv4 link local (bound): [undef]:1194
    Jun 17 04:42:22 unknown daemon.notice openvpn[815]: UDPv4 link remote: [undef]
    Jun 17 04:42:22 unknown daemon.notice openvpn[815]: MULTI: multi_init called, r=256 v=256
    Jun 17 04:42:22 unknown daemon.notice openvpn[815]: IFCONFIG POOL: base=192.169.1.2 size=252
    Jun 17 04:42:22 unknown daemon.notice openvpn[815]: Initialization Sequence Completed
    Jun 17 05:00:01 unknown syslog.info root: -- MARK --
    Jun 17 05:04:26 unknown daemon.err openvpn[815]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Jun 17 05:04:26 unknown daemon.err openvpn[815]: TLS Error: incoming packet authentication failed from 159.xx.xx.xx:42468

    Also, here's my client config file:

    # OpenVPN(v2.0) configuration script
    dev tun
    proto udp
    dev-node openvpn
    remote 192.168.1.1 1194
    tls-client
    keepalive 15 120
    verb 3
    ca Tomato/ca.crt
    cert Tomato/client1.crt
    key Tomato/client1.key
    tls-auth Tomato/ta.key
    ns-cert-type server
    cipher AES-256-CBC
    pull
    nobind
    explicit-exit-notify 3
     
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You're likely getting the errors because your tls-auth configuration on the client isn't compatible with what you have on the server. On the server, you selected "Incoming(0)", but on the client you configured the equivalent of "Bi-directional". You either need to add " 1" to the end of the tls-auth line in your client config (to indicate "Outgoing(1)"), or change your server configuration to "Bi-directional" for "Extra HMAC authorization (tls-auth)".

    BTW, 192.169.x.x is not available for private use. Those are real public IP addresses. The only addresses available for private use are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Chances are you'll never experience an issue due to that, but it's considered bad form.
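The two checks in the reply above, the tls-auth direction pairing between the Tomato GUI setting and the client's `tls-auth` line, and the rule that the VPN subnet be RFC 1918 space that overlaps neither LAN (from the earlier reply about TUN), as an added example that is not code from the thread or the firmware. The server settings and client config lines are constructed to mirror what was posted above; the LAN list is an assumption.

```python
import ipaddress

# Constructed server-side settings mirroring the GUI fields quoted above:
# "Extra HMAC: Incoming (0)" and "VPN Subnet: 192.169.1.0 / 255.255.255.0".
SERVER = {"hmac": "incoming", "vpn_subnet": "192.169.1.0/255.255.255.0"}

# Constructed client config, the relevant lines from the config posted above.
CLIENT_CONF = """\
dev tun
proto udp
remote 192.168.1.1 1194
tls-client
ca Tomato/ca.crt
cert Tomato/client1.crt
key Tomato/client1.key
tls-auth Tomato/ta.key
pull
nobind
"""

# Assumed LANs visible to either end (home LAN and the work 10/8 mentioned above).
LANS = ["192.168.1.0/24", "10.0.0.0/8"]

# RFC 1918 private ranges, the only ones the reply above says are usable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Tomato GUI tls-auth setting -> direction the *client* side must use.
# Server "Incoming (0)" requires client "Outgoing (1)" and vice versa.
REQUIRED_CLIENT_DIRECTION = {
    "disabled": None,
    "bidirectional": "bidirectional",
    "incoming": 1,
    "outgoing": 0,
}


def client_tls_auth_direction(conf):
    """None if the client has no tls-auth, 'bidirectional' if tls-auth has no
    direction, else the integer direction. A separate 'key-direction' line
    (used with inline keys) counts as the direction too."""
    has_tls_auth = False
    direction = None
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "tls-auth":
            has_tls_auth = True
            if len(parts) >= 3 and parts[2] in ("0", "1"):
                direction = int(parts[2])
        elif parts[0] == "key-direction" and len(parts) == 2 and parts[1] in ("0", "1"):
            direction = int(parts[1])
    if not has_tls_auth:
        return None
    return "bidirectional" if direction is None else direction


def check_tls_auth(server_setting, client_conf):
    """Return a list of problems (empty when the two sides are compatible)."""
    want = REQUIRED_CLIENT_DIRECTION[server_setting]
    have = client_tls_auth_direction(client_conf)
    if want == have:
        return []
    return [f"tls-auth mismatch: server '{server_setting}' needs client {want!r}, client has {have!r}"]


def check_vpn_subnet(vpn_subnet, lans):
    """Flag a VPN subnet that is not RFC 1918 or that overlaps a LAN on either end."""
    net = ipaddress.ip_network(vpn_subnet, strict=False)
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not RFC 1918 private space")
    for lan in lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if net.overlaps(lan_net):
            problems.append(f"{net} overlaps {lan_net}")
    return problems


def audit(server, client_conf, lans):
    return check_tls_auth(server["hmac"], client_conf) + check_vpn_subnet(server["vpn_subnet"], lans)


if __name__ == "__main__":
    for problem in audit(SERVER, CLIENT_CONF, LANS):
        print("PROBLEM:", problem)
```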
     
  26. Stach

    Stach Network Guru Member

    Thank you!

    Thank you SgtPepperKSU, you nailed it yet again....everything is working GREAT!

    -Stach
     
  27. CypherBit

    CypherBit Network Guru Member

    redirect-gateway def1

    I'm having problems with redirecting all WAN traffic through my connection...some of the time. In my client config I have: redirect-gateway def1
    I'm using Tomato Firmware v1.25vpn3.3.4a23156e (doubt an upgrade would help?) and at times when I connect (the connection is usually ADSL) I don't get my home IP, but the one I'm connecting from.

    Someone else connecting through a different connection at the same time with the exact same config, client version doesn't have that problem (these roles/problems are frequently reversed).

    I experimented with changing the options on the server:
    - Direct clients to redirect Internet traffic
    - Respond to DNS
    - Advertise DNS to clients

    without much success.

    What could be causing this? How could I possibly resolve it? I need my home IP once I connect so that I can easily send e-mails (relaying is usually blocked). Another thing I should probably mention, while I connect just fine, I at times (always when I don't get my home WAN IP) can't even RDP to my desktop although I get a local IP (I am connected).

    Any assistance would be greatly appreciated.
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you provide client logs and routing table from when you are connected?
     
  29. CypherBit

    CypherBit Network Guru Member

    Since I'm not entirely sure when I'll be able to reproduce this issue (it usually happens when I'm abroad travelling) I can currently only provide the logs from the server:
    Code:
    Jun 19 16:38:15 unknown daemon.notice openvpn[109]: MULTI: multi_create_instance called
    Jun 19 16:38:15 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 Re-using SSL/TLS context
    Jun 19 16:38:15 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 LZO compression initialized
    Jun 19 16:38:15 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Jun 19 16:38:15 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Jun 19 16:38:15 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 TLS: Initial packet from 83.131.75.135:49783, sid=cf80a312 ebf3ffaa
    Jun 19 16:38:18 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 VERIFY OK: depth=1, /C=SI/ST=SI/L=City/O=CypherBit/CN=CypherBit-CA/Email=client@gmail.com
    Jun 19 16:38:18 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 VERIFY OK: depth=0, /C=SI/ST=SI/O=CypherBit/CN=client1/Email=client1@gmail.com
    Jun 19 16:38:19 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jun 19 16:38:19 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 19 16:38:19 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jun 19 16:38:19 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 19 16:38:19 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Jun 19 16:38:19 unknown daemon.notice openvpn[109]: 83.131.75.135:49783 [client1] Peer Connection Initiated with 83.131.75.135:49783
    Jun 19 16:38:20 unknown daemon.notice openvpn[109]: client1/83.131.75.135:49783 PUSH: Received control message: 'PUSH_REQUEST'
    Jun 19 16:38:20 unknown daemon.notice openvpn[109]: client1/83.131.75.135:49783 SENT CONTROL [client1]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.1,redirect-gateway def1,route-gateway 192.168.1.1,ping 15,ping-restart 60,ifconfig 192.168.1.50 255.255.255.0
    Hope that's enough so you can at least point me in the right direction.

    BTW I just changed my server VPN port to 443...I was thinking if that could perhaps be a problem, but it seems unlikely since the client does connect.
    Another thought I'm having: could the fact that we're both (my home server and the network I'm connecting from) on a 192.168.1.x network be the problem?
     
  30. karog

    karog Networkin' Nut Member

    I have just started to use tls-auth and I have set my server as incoming (0) and my client as outgoing (1). Reading the man page for openvpn it appears to me that using a direction parameter (4 keys) is better than bidirectional (2 keys).

    It also seems to me that it does not matter which, the server or the client, is set to incoming and which to outgoing as long as they are opposite of each other. Is my understanding correct?
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That depends. Are you using TAP or TUN? If you're using TUN, or using TAP and you aren't bridging your client connections, then that certainly would cause an issue.
     
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The tls-auth key(s) are only used for authentication before allowing regular TLS authentication. The purpose of it is not to add security, but to save resources when people try to authenticate who shouldn't be (regular TLS authentication takes more resources than that of the tls-auth key). So, more keys is not really better.

    Also, it's the difference between 1 key and 2 keys (not 2 and 4). Only the HMAC portions are used; the data is encrypted using other means.

    You are correct, though, that it doesn't really matter which has 1 and which has 0, as long as they are opposite (or neither uses direction).
     
  33. pendetim

    pendetim Addicted to LI Member

    I just added a second TLS client to my network using a WRT54GL for both clients and the server. The Server is build 1.27 and clients are 1.25.

    I had to manually add the route 192.168.7.0 to the server on the advanced page before I could pass any data. There were no errors in the log files, it just did not have a route. I don't recall having to do this to get the 192.168.3.0 connection to work. Would I have had to manually add the 192.168.3.0 route?
    Basic configuration is:
    TUN
    UDP
    Autofirewall
    TLS
    and Bi-Directional

    A question on compression: currently I am using adaptive on both clients and the server. Can I get any better data transfer performance by changing to "enabled" or "none" or "disabled"?

    Thanks,
    Tim
     
  34. CypherBit

    CypherBit Network Guru Member

    I'm using TAP (please let me know if further details are needed.).

    I'd just like to add that I could even cope with not having my WAN IP when I connect from outside of my home, but I *need* to be able to RDP to my computers, which I'm currently unable to do (somehow this issue always comes up when my WAN IP doesn't reflect my home one).
     
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you fill out the client-specific options table, you don't have to add any routes to the custom configuration.

    I don't have any numbers on that. You'll have to try it yourself and see what performs better. If you do, please report back so others can benefit.
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Like I mentioned before, if you use TAP with the same subnet on each end, you have to bridge your client connections. Are you bridging your TAP interface to your Ethernet interface on the client?
     
  37. CypherBit

    CypherBit Network Guru Member

    SgtPepperKSU many thanks for your patience.

    It appears I've had a lot of luck so far when connecting, since I've never bridged my connections and it worked most of the time. Just to confirm by bridging you mean this (the only difference in my case being that I'm connecting through Wireless Network Connection as opposed to a Local Area Connections): http://www.pavelec.net/adam/openvpn/bridge/ ?
     
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, that's correct. Note, you only need to do this if the server and client subnets are the same.
     
  39. CypherBit

    CypherBit Network Guru Member

    Thanks so much, I'll keep this in mind the next time I'm faced with problems.
     
  40. 7700741

    7700741 Networkin' Nut Member

    There a lot of new NVRAM options, but you should be okay not clearing it
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This is the first sentence from one of my posts on the first page of this thread (missing word and all). Is this some kind of precursor to spam, building up the post count first?
     
  42. williamthrilliam

    williamthrilliam Networkin' Nut Member

    Ok, I apologize in advance if this has been posted as I'm sure this is not a unique case. I really did try to search and read through this forum.

    It's simple. What I want is to be able to mount a samba share (from Ubuntu) on to a Windows Server. I want to achieve this through a TUN using two TomatoVPN routers.

    My Setup:
    All defaults for TUN except I have the static key.

    I can ping from both routers; server can ping to 10.8.0.2 and the client can ping to 10.8.0.1. Awesome, it works! Not so fast.

    Now how do I get my Windows machine(server side) to connect to my samba share (client side)? I can't just get it by going to //10.8.0.2/192.168.x.xxx/Sambashare?

    PS. I don't want them to be on the same subnet. I'm trying to back up office stuff to my home and don't want everyone "discovering" my devices in my house over TAP.
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The easiest way to have access to the server LAN from the client (or client LAN) is to use TLS. The firmware then has an option (enabled by default) for "push LAN to clients". With that set, the clients can simply go to //<sambaserverip>/Sambashare. If you also want access to the client LAN from the server (or server LAN), also fill in the client-specific options table and disable the "NAT" option on the client.
     
  44. williamthrilliam

    williamthrilliam Networkin' Nut Member

    Diffie Hellman

    Ok I'm all good with the certificates except for the Diffie Hellman parameters. I used tinyca to make the certificates, how can I create the diffie hellman parameters?
     
  45. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    On the Keys tab in the GUI, there is a link to a How-to on generating the certificates. Note: those instructions need to be carried out on a separate computer with OpenVPN installed, not on the router itself (the scripts for certificate generation are not included to save space).
     
  46. williamthrilliam

    williamthrilliam Networkin' Nut Member

    FTP

    How about if I have an FTP server on the client end I want to connect to from the server? If using TUN with a static key, what route/port forward would I have to set up from 10.8.0.1 to 10.8.0.2 and then have the client router forward that request on to 192.168.x.xxx:21?
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you use TLS, that'd be taken care of that automatically.

    However, using static key mode, you'd need to add
    Code:
    route 192.168.x.0 255.255.255.0
    (replace x as appropriate) to your client custom config.
     
  48. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, so I haven't found any time to work on this mod in a while, but am hoping to get back to it. However, it's been long enough since the last release that I'm sure I've said "I'll include that in the next release" several times now, but the search function on this forum isn't helping me find them at all.

    I had implemented some of the smaller items as they came up, but I've lost my local git repository so I lost my changes.

    So, if anyone has anything I've told them (or remember me telling someone else) I'd add in the next release, please post it here.
     
  49. Guzel

    Guzel Network Guru Member

    Hi SgtPepperKSU
    I have a problem with PPTP client, wnr3500l beta16.
    It drops the connection after 1 hour; here is my log:

    Jun 27 11:18:36 unknown user.info redial[856]: Started. Time: 30
    Jun 27 11:18:36 unknown daemon.info pptp[857]: Plugin pptp.so loaded.
    Jun 27 11:18:36 unknown daemon.info pptp[857]: PPTP plugin version 0.8.4 compiled for pppd-2.4.5, linux-2.6.22.19
    Jun 27 11:18:36 unknown daemon.notice pptp[859]: pppd 2.4.5 started by root, uid 0
    Jun 27 11:18:37 unknown daemon.info pptp[859]: Using interface ppp0
    Jun 27 11:18:37 unknown daemon.notice pptp[859]: Connect: ppp0 <--> pptp (vpn.xxxxxxx.xxt)
    Jun 27 11:18:39 unknown daemon.info pptp[859]: CHAP authentication succeeded: Welcome
    Jun 27 11:18:39 unknown daemon.notice pptp[859]: CHAP authentication succeeded
    Jun 27 11:18:39 unknown daemon.err pptp[859]: not replacing existing default route via 77.105.xxx.xxx
    Jun 27 11:18:39 unknown daemon.notice pptp[859]: local IP address 188.126.xx.xx
    Jun 27 11:18:39 unknown daemon.notice pptp[859]: remote IP address 188.126.xx.xx
    Jun 27 11:18:39 unknown daemon.notice pptp[859]: primary DNS address 80.67.x.x
    Jun 27 11:18:39 unknown daemon.notice pptp[859]: secondary DNS address 91.213.xxx.x
    Jun 27 11:18:39 unknown daemon.info dnsmasq[812]: reading /etc/resolv.dnsmasq
    Jun 27 11:18:39 unknown daemon.info dnsmasq[812]: using nameserver 91.213.xxx.x#53
    Jun 27 11:18:39 unknown daemon.info dnsmasq[812]: using nameserver 80.67.x.x#53
    Jun 27 11:18:39 unknown daemon.info dnsmasq[812]: exiting on receipt of SIGTERM
    Jun 27 11:18:39 unknown daemon.info dnsmasq[869]: started, version 2.55 cachesize 150
    Jun 27 11:18:39 unknown daemon.info dnsmasq[869]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-scripts TFTP
    Jun 27 11:18:39 unknown daemon.info dnsmasq-dhcp[869]: DHCP, IP range 192.168.1.100 -- 192.168.1.149, lease time 1d
    Jun 27 11:18:39 unknown daemon.info dnsmasq[869]: reading /etc/resolv.dnsmasq
    Jun 27 11:18:39 unknown daemon.info dnsmasq[869]: using nameserver 91.213.xxx.x#53
    Jun 27 11:18:39 unknown daemon.info dnsmasq[869]: using nameserver 80.67.x.x#53
    Jun 27 11:18:39 unknown daemon.info dnsmasq[869]: read /etc/hosts - 2 addresses
    Jun 27 11:18:39 unknown daemon.info dnsmasq[869]: read /etc/hosts.dnsmasq - 1 addresses
    Jun 27 12:00:01 unknown syslog.info root: -- MARK --
    Jun 27 12:17:38 unknown daemon.info dnsmasq[869]: reading /etc/resolv.dnsmasq
    Jun 27 12:17:38 unknown daemon.info dnsmasq[869]: using nameserver 217.10.xx.xx#53
    Jun 27 12:17:38 unknown daemon.info dnsmasq[869]: using nameserver 217.10.xx.xx#53
    Jun 27 12:17:38 unknown daemon.info dnsmasq[869]: exiting on receipt of SIGTERM
    Jun 27 12:17:38 unknown daemon.info dnsmasq[1768]: started, version 2.55 cachesize 150
    Jun 27 12:17:38 unknown daemon.info dnsmasq[1768]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-scripts TFTP
    Jun 27 12:17:38 unknown daemon.info dnsmasq-dhcp[1768]: DHCP, IP range 192.168.1.100 -- 192.168.1.149, lease time 1d
    Jun 27 12:17:38 unknown daemon.info dnsmasq[1768]: reading /etc/resolv.dnsmasq
    Jun 27 12:17:38 unknown daemon.info dnsmasq[1768]: using nameserver 217.10.xx.xx#53
    Jun 27 12:17:38 unknown daemon.info dnsmasq[1768]: using nameserver 217.10.xx.xx#53
    Jun 27 12:17:38 unknown daemon.info dnsmasq[1768]: read /etc/hosts - 2 addresses
    Jun 27 12:17:38 unknown daemon.info dnsmasq[1768]: read /etc/hosts.dnsmasq - 1 addresses

    It's the same problem with beta10, b11, b14, b15.
    Thanks
     
  50. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't include PPTP client in my mod. You'll need to talk to whoever created your firmware.
     
  51. wycf

    wycf Network Guru Member

    Love this version and have been using it for a long time. Very solid! Thanks.

    Quick question: Can this OpenVPN GUI version of Tomato run on ASUS RT-N16 router?
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Not my releases, but teddy_bear makes releases that include my changes and runs on the RT-N16.
     
  53. williamthrilliam

    williamthrilliam Networkin' Nut Member

    Well, I can't connect from the server network to the client network's ftp. Both are on different subnets, i.e. the server is on 192.168.1.1 and the client is on 192.168.2.1. I added 192.168.2.10 255.255.255.0 to my client custom config. The ftp server, on the client side, is at 192.168.2.10. Is this all correct, or am I missing something?

    Again, using TUN static key. The routers will ping each other at 10.8.0.1 and 10.8.0.2, but that's about all I can get them to do.

    I really appreciate all your help thus far :)
     
  54. williamthrilliam

    williamthrilliam Networkin' Nut Member

    Oh, and what I'm trying to accomplish is access the ftp from the server side network to the client using ftp://10.8.0.2.
     
  55. williamthrilliam

    williamthrilliam Networkin' Nut Member

    I figured it out!!!! WOOOOOOOOO! hahah. On the client side, I had to add the SERVER side subnet to the custom config. Then on the server side, I had to add the client side subnet to the custom config. Then on the server side I could go straight to the client side subnet at ftp://192.168.2.1. Thanks again!!!!
     
  56. williamthrilliam

    williamthrilliam Networkin' Nut Member

    Does this mean I ran out of memory?

    Code:
    Jul  9 07:54:26 unknown daemon.notice openvpn[4097]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jan 31 2010
    Jul  9 07:54:26 unknown daemon.warn openvpn[4097]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jul  9 07:54:26 unknown daemon.notice openvpn[4097]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul  9 07:54:26 unknown daemon.notice openvpn[4097]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  9 07:54:26 unknown daemon.notice openvpn[4097]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul  9 07:54:26 unknown daemon.notice openvpn[4097]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  9 07:54:26 unknown daemon.notice openvpn[4097]: LZO compression initialized
    Jul  9 14:54:26 unknown daemon.warn openvpn[4097]: Note: Cannot open TUN/TAP dev /dev/net/tun: Too many open files (errno=24)
    Jul  9 14:54:26 unknown daemon.notice openvpn[4097]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Jul  9 14:54:26 unknown daemon.err openvpn[4097]: Cannot open TUN/TAP dev /dev/tun21: Too many open files (errno=24)
    Jul  9 14:54:26 unknown daemon.notice openvpn[4097]: Exiting
    Jul  9 07:54:26 unknown user.info init[1]: VPN_LOG_ERROR: 822: Starting VPN instance failed...
     
  57. rhester72

    rhester72 Network Guru Member

    No, you exceeded the NOFILES ulimit. Unfortunately, I don't know how to increase it such that the built-in OpenVPN script will honor it.

    Rodney
     
  58. Dagger

    Dagger Networkin' Nut Member

    Why aren't you using TAP? Much easier...
     
  59. williamthrilliam

    williamthrilliam Networkin' Nut Member

    Well, it wasn't working. And now that I think of it, this is why it wasn't working. I gave up and went to TUN because at least it connected and stayed up. Over TAP it just won't even start. I rebooted the router and it seems to be fine right now, but I wonder when it will kick off. I really do think it's a memory issue; it's a first-gen WRT54G and in the status it showed about 1.5% free memory. I may just go get another WRT54GL and see if that fixes my problem.
     
  60. rhester72

    rhester72 Network Guru Member

    Enable Debug/Count cache memory and buffers as free memory. There's no way in the world the router was still functioning with only 1.5% free RAM.

    Rodney
     
  61. wycf

    wycf Network Guru Member

    VPN failed?

    I was using WRT54GL with TomatoVPN GUI for quite a long time without any problem.

    Then today I got my new Asus RT-N16 installed. I loaded Teddy_Bear's MOD:
    Tomato Firmware v1.27.9047 MIPSR2-beta16 K26 USB vpn3.6

    On the OpenVPN Client config, I just copied and pasted all the settings from my WRT54GL to the new RT-N16. Everything is exactly the same, or at least I believe so.

    Then I saw OpenVPN connect to my office OpenVPN server. I can ping any IP on the remote side. BUT I just can't browse our internal web site over http. The Samba connection also failed.

    Here is the log from Tomato:
    Code:
    Jul 10 15:31:13 TeddyBear user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Jul 10 15:31:13 TeddyBear user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1161]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2010
    Jul 10 15:31:13 TeddyBear daemon.warn openvpn[1161]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Jul 10 15:31:13 TeddyBear daemon.warn openvpn[1161]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1161]: LZO compression initialized
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1161]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1161]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: Socket Buffers: R=[112640->131072] S=[112640->131072]
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: UDPv4 link local: [undef]
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: UDPv4 link remote: 24.xxx.xxx.xxx:1194
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: TLS: Initial packet from 24.xxx.xx.xxx:1194, sid=92a72082 07a3e54f
    Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: VERIFY OK: depth=1, /C=CA/ST=BC/L=DELTA/O=XXXXXXXXX/CN=openvpn-gateway2/Email=admin@XXXXXXXX.com
    Jul 10 15:31:14 TeddyBear daemon.notice openvpn[1165]: VERIFY OK: depth=0, /C=CA/ST=BC/O=XXXXXXXXXXXXXX/CN=openvpn-gateway2/Email=admin@XXXXXXXXXX.com
    Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
    Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: [openvpn-gateway2] Peer Connection Initiated with 24.xxx.xxx.xxx:1194
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: SENT CONTROL [openvpn-gateway2]: 'PUSH_REQUEST' (status=1)
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option WINS 192.168.123.30,route 192.168.123.0 255.255.255.0,route 192.168.25.0 255.255.255.0,route 10.66.77.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.66.77.6 10.66.77.5'
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: OPTIONS IMPORT: --ifconfig/up options modified
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: OPTIONS IMPORT: route options modified
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: TUN/TAP device tun11 opened
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: TUN/TAP TX queue length set to 100
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: /sbin/ifconfig tun11 10.66.77.6 pointopoint 10.66.77.5 mtu 1500
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.66.77.5
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: /sbin/route add -net 192.168.25.0 netmask 255.255.255.0 gw 10.66.77.5
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: /sbin/route add -net 10.66.77.0 netmask 255.255.255.0 gw 10.66.77.5
    Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: Initialization Sequence Completed
    
    How can I troubleshoot this problem? I tried to ssh into the router and found the crt and key files, but I didn't find the client configuration file.

    Please help. Thanks a lot!
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just to double check: can you ping the server(s) that run the website and Samba server?

    The client config file is at /etc/openvpn/client1/config.ovpn. You could compare that to the one on the old router to see if there are any differences.

    Can you telnet to port 80 on the webserver? If you connect to the router and run
    Code:
    iptables -t filter -nvL; iptables -t nat -nvL; iptables -t mangle -nvL
    , what does it show?
     
  63. wycf

    wycf Network Guru Member

    Thank you SgtPepperKSU for help.

    I did those tests following your instructions:
    1. Yes, I can ping the http/samba server. But telnet failed to connect.
    Code:
    telnet 192.168.123.39 80
    2. Compared the config.ovpn files and found they are the same except for one line:
    Old WRT54GL
    Code:
    dev tun12
    RT-N16
    Code:
    dev tun11
    3. iptables -t filter -nvL; iptables -t nat -nvL; iptables -t mangle -nvL
    Code:
    
    root@TeddyBear:/tmp/home/root# iptables -t filter -nvL; iptables -t nat -nvL; iptables -t mangle -nvL
    Chain INPUT (policy DROP 222 packets, 115K bytes)
     pkts bytes target     prot opt in     out     source               destination
        1    52 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  br0    *       0.0.0.0/0            206.116.xxx.xxx
        1    44 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
     1492  315K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
      333 35276 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
        1    60 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33534
       37  1184 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
       21  1096 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
       29  3094 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
      255 98303 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
        0     0 upnp       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 2166 packets, 1133K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4         udp
    
    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination
    Chain PREROUTING (policy ACCEPT 538 packets, 137K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  vlan2  *       0.0.0.0/0            10.11.22.0/24
        0     0 DNAT       icmp --  *      *       0.0.0.0/0            206.116.xxx.xxx     to:10.11.22.1
      222  115K upnp       all  --  *      *       0.0.0.0/0            206.116.xxx.xxx
    
    Chain POSTROUTING (policy ACCEPT 15 packets, 3335 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  *      tun11   10.11.22.0/24        0.0.0.0/0
       63  4055 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 56 packets, 5888 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination
    Chain PREROUTING (policy ACCEPT 2407 packets, 572K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain INPUT (policy ACCEPT 2114 packets, 470K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy ACCEPT 255 packets, 98303 bytes)
     pkts bytes target     prot opt in     out     source               destination
       29  3094 QOSO       all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 2168 packets, 1135K bytes)
     pkts bytes target     prot opt in     out     source               destination
      512  127K QOSO       all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    
    Chain POSTROUTING (policy ACCEPT 2473 packets, 1238K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain QOSO (2 references)
     pkts bytes target     prot opt in     out     source               destination
      541  130K BCOUNT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
      541  130K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00
       23  1203 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport dports 80,443 bcount --range 0:524287 CONNMARK set-return 0x2/0xff
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport dports 80,443 bcount --range 524288+ CONNMARK set-return 0x4/0xff
       37  2351 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 bcount --range 0:2047 CONNMARK set-return 0x1/0xff
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 bcount --range 0:2047 CONNMARK set-return 0x1/0xff
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 bcount --range 2048+ CONNMARK set-return 0x5/0xff
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 bcount --range 2048+ CONNMARK set-return 0x5/0xff
      463  123K CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 CONNMARK set-return 0x5/0xff
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 CONNMARK set-return 0x5/0xff
       18  4008 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK set-return 0x4
    
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, I don't see anything there that would cause your problem. Can you try the port 80 telnet from the router itself?
    Note: when you connect, it won't give any output until you type a command, such as
    Code:
    GET /index.html
     
  65. wycf

    wycf Network Guru Member

    I just did an nvram clean again and re-configured the OpenVPN client. It's still the same.

    I tried telnet again from the router:
    Code:
    root@TeddyBear:/tmp/home/root# telnet 192.168.123.39 80
    GET /index
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /index was not found on this server.</p>
    <hr>
    <address>Apache/2.2.6 (Fedora) Server at 192.168.123.39 Port 80</address>
    </body></html>
    Connection closed by foreign host
    
    I got this 404, which means telnet to port 80 on our web server got connected. But browsing from IE/Firefox still times out.
     
  66. wycf

    wycf Network Guru Member

    update:

    It's Monday, and I came to the office, checked our OpenVPN server log and found lots of this:
    Code:
    Mon Jul 12 11:45:48 2010 us=575558 openvpn-sgi/206.116.xxx.xxx:42052 MULTI: bad source address from client [206.116.xxx.xxx], packet dropped
    Last night I flashed the Non-USB MOD (K26 build 47) from TeddyBear and OpenVPN is still not working.


    update @ 1:10PM PST
    Here is the log from the OpenVPN server when my router at home tries to connect:
    Code:
    Mon Jul 12 13:05:31 2010 us=326899 MULTI: multi_create_instance called
    Mon Jul 12 13:05:31 2010 us=326958 206.116.xxx.xxx:15688 Re-using SSL/TLS context
    Mon Jul 12 13:05:31 2010 us=326977 206.116.xxx.xxx:15688 LZO compression initialized
    Mon Jul 12 13:05:31 2010 us=327055 206.116.xxx.xxx:15688 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mon Jul 12 13:05:31 2010 us=327074 206.116.xxx.xxx:15688 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mon Jul 12 13:05:31 2010 us=327114 206.116.xxx.xxx:15688 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Mon Jul 12 13:05:31 2010 us=327128 206.116.xxx.xxx:15688 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Mon Jul 12 13:05:31 2010 us=327151 206.116.xxx.xxx:15688 Local Options hash (VER=V4): '530fdded'
    Mon Jul 12 13:05:31 2010 us=327172 206.116.xxx.xxx:15688 Expected Remote Options hash (VER=V4): '41690919'
    Mon Jul 12 13:05:31 2010 us=327236 206.116.xxx.xxx:15688 TLS: Initial packet from 206.116.xxx.xxx:15688, sid=93e2756d 19f5a1bf
    Mon Jul 12 13:05:34 2010 us=98730 206.116.xxx.xxx:15688 CRL CHECK OK: /C=CA/ST=BC/L=DELTA/O=mycompany/CN=openvpn-gateway/emailAddress=admin@mycompany.com
    Mon Jul 12 13:05:34 2010 us=98782 206.116.xxx.xxx:15688 VERIFY OK: depth=1, /C=CA/ST=BC/L=DELTA/O=mycompany/CN=openvpn-gateway2/emailAddress=admin@mycompany.com
    Mon Jul 12 13:05:34 2010 us=99187 206.116.xxx.xxx:15688 CRL CHECK OK: /C=CA/ST=BC/O=mycompany/CN=openvpn-sgi/emailAddress=admin@mycompany.com
    Mon Jul 12 13:05:34 2010 us=99227 206.116.xxx.xxx:15688 VERIFY OK: depth=0, /C=CA/ST=BC/O=mycompany/CN=openvpn-sgi/emailAddress=admin@mycompany.com
    Mon Jul 12 13:05:34 2010 us=193195 206.116.xxx.xxx:15688 NOTE: Options consistency check may be skewed by version differences
    Mon Jul 12 13:05:34 2010 us=193222 206.116.xxx.xxx:15688 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
    Mon Jul 12 13:05:34 2010 us=193241 206.116.xxx.xxx:15688 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
    Mon Jul 12 13:05:34 2010 us=193258 206.116.xxx.xxx:15688 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
    Mon Jul 12 13:05:34 2010 us=193275 206.116.xxx.xxx:15688 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
    Mon Jul 12 13:05:34 2010 us=193291 206.116.xxx.xxx:15688 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
    Mon Jul 12 13:05:34 2010 us=193308 206.116.xxx.xxx:15688 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Mon Jul 12 13:05:34 2010 us=193324 206.116.xxx.xxx:15688 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
    Mon Jul 12 13:05:34 2010 us=193340 206.116.xxx.xxx:15688 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
    Mon Jul 12 13:05:34 2010 us=193356 206.116.xxx.xxx:15688 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
    Mon Jul 12 13:05:34 2010 us=193373 206.116.xxx.xxx:15688 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
    Mon Jul 12 13:05:34 2010 us=193389 206.116.xxx.xxx:15688 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
    Mon Jul 12 13:05:34 2010 us=193622 206.116.xxx.xxx:15688 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Jul 12 13:05:34 2010 us=193641 206.116.xxx.xxx:15688 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Jul 12 13:05:34 2010 us=193725 206.116.xxx.xxx:15688 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Jul 12 13:05:34 2010 us=193741 206.116.xxx.xxx:15688 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Jul 12 13:05:34 2010 us=225900 206.116.xxx.xxx:15688 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
    Mon Jul 12 13:05:34 2010 us=225930 206.116.xxx.xxx:15688 [openvpn-sgi] Peer Connection Initiated with 206.116.xxx.xxx:15688
    Mon Jul 12 13:05:34 2010 us=226014 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: Learn: 10.66.77.6 -> openvpn-sgi/206.116.xxx.xxx:15688
    Mon Jul 12 13:05:34 2010 us=226033 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: primary virtual IP for openvpn-sgi/206.116.xxx.xxx:15688: 10.66.77.6
    Mon Jul 12 13:05:36 2010 us=270038 openvpn-sgi/206.116.xxx.xxx:15688 PUSH: Received control message: 'PUSH_REQUEST'
    Mon Jul 12 13:05:36 2010 us=270109 openvpn-sgi/206.116.xxx.xxx:15688 SENT CONTROL [openvpn-sgi]: 'PUSH_REPLY,dhcp-option WINS 192.168.123.30,route 192.168.123.0 255.255.255.0,route 192.168.25.0 255.255.255.0,route 10.66.77.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.66.77.6 10.66.77.5' (status=1)
    Mon Jul 12 13:05:36 2010 us=562332 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
    Mon Jul 12 13:05:36 2010 us=710416 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
    Mon Jul 12 13:05:40 2010 us=710702 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
    
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Your client is incorrectly using its LAN address instead of its VPN address as the source of the packets. The VPN server doesn't know anything about their LAN, so things fail.

    I'm guessing it was a Windows client, as I've seen people report this bug before. If you know what the LAN looks like where this client connects from, you can fill out the client-specific options table for them. Otherwise, you'll need to find a solution to this Windows bug (not even a Windows OpenVPN bug, as far as I can tell), and I don't know what that is.
     
  68. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmmm, there's definitely a firewall problem, but I'm not seeing what it is. To help track it down, you can run the following on the router:
    Code:
    service firewall restart
    then try to telnet from the PC to the web server. Then run the following on the router
    Code:
    iptables -t mangle -nvL; iptables -t nat -nvL; iptables -t filter -nvL
    The counters should give us some idea of what rules are getting invoked.
     
  69. wycf

    wycf Network Guru Member

    Here is the result:

    Code:
    root@TeddyBear:/tmp/home/root# iptables -t mangle -nvL; iptables -t nat -nvL; iptables -t filter -nvL
    Chain PREROUTING (policy ACCEPT 157 packets, 27459 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain INPUT (policy ACCEPT 160 packets, 23575 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 21 packets, 9399 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 122 packets, 15491 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 178 packets, 29269 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    Chain PREROUTING (policy ACCEPT 19 packets, 1702 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  vlan2  *       0.0.0.0/0            10.11.22.0/24       
        0     0 DNAT       icmp --  *      *       0.0.0.0/0            206.116.xxx.xxx     to:10.11.22.1 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     tcp dpt:8080 to:10.11.22.1:80 
        2   160 DNAT       tcp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     tcp dpt:2222 to:10.11.22.1:22 
        1    81 DNAT       udp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     udp dpts:10000:20000 to:10.11.22.77 
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     udp dpt:5060 to:10.11.22.77 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     tcp dpt:24700 to:10.11.22.77:22 
       11   462 upnp       all  --  *      *       0.0.0.0/0            206.116.xxx.xxx     
    
    Chain POSTROUTING (policy ACCEPT 6 packets, 526 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 MASQUERADE  all  --  *      tun11   10.11.22.0/24        0.0.0.0/0           
        0     0 SNAT       udp  --  *      *       10.11.22.0/24        10.11.22.77         udp dpts:10000:20000 to:206.116.xxx.xxx 
        0     0 SNAT       udp  --  *      *       10.11.22.0/24        10.11.22.77         udp dpt:5060 to:206.116.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.11.22.0/24        10.11.22.77         tcp dpt:22 to:206.116.xxx.xxx 
        7  1318 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 10 packets, 744 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    Chain INPUT (policy DROP 20 packets, 5196 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  br0    *       0.0.0.0/0            206.116.xxx.xxx     
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
      103 12791 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        7   253 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
        1    60 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33534 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.11.22.1          tcp dpt:80 
        2   160 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.11.22.1          tcp dpt:22 
        2    64 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
       10  4955 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        1    81 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
        5  2399 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           
        9  3855 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
        0     0 upnp       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 126 packets, 18819 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4         udp 
        1    81 ACCEPT     udp  --  *      *       0.0.0.0/0            10.11.22.77         udp dpts:10000:20000 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.11.22.77         udp dpt:5060 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.11.22.77         tcp dpt:22 
    
    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    root@TeddyBear:/tmp/home/root# 
    
     
  70. wycf

    wycf Network Guru Member

    Well, that client you saw in the log file, IP 10.11.22.92, is a Linksys SPA941 VoIP phone. It keeps sending registration requests via the OpenVPN tunnel to our office (we have an Asterisk server in the office subnet). So it's not a Windows client.

    Anyway, I see your point about that "client is incorrectly using its LAN address instead of its VPN address as the source of the packets". But I don't know what went wrong. All I did was put the same configuration on the RT-N16 router. Also, why does the ping work? -- ICMP packets seem to go through all the routes and come back correctly.
     
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just noticed something. In your logs, there is mention of dev type tun, but things appear as though the VPN subnet and the local subnet are the same.

    Are you using TUN or TAP? If you're using TUN, are all segments (local, remote, and VPN) on unique subnets?
     
  72. wycf

    wycf Network Guru Member

    I am using TUN.
    My home network is 10.11.22.0/24
    Office Subnet: 192.168.123.0/24
    VPN Subnet: 10.66.77.0/24

    Nothing has changed. My WRT54GL running your OpenVPN GUI MOD works fine. We also have clients running on different OSes (WinXP, Vista, Win7, Ubuntu, Mac OS X, DD-WRT). If the TeddyBear MOD just includes your VPN part, then it should work.
     
  73. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I had looked at the iptables output wrong earlier. I'm really not seeing what's wrong. However, if things were working, the following counter should have been incrementing:
    Code:
    Chain INPUT (policy DROP 20 packets, 5196 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0           
    The only other thing I can think to try is to place logging rules in the iptables tables to see where things go awry. You can do this by adding the following to the firewall script (replacing <dstaddr> with the IP address of the server you're trying to reach).
    Code:
    iptables -t mangle -I PREROUTING -d <dstaddr> -j LOG --prefix=MPI
    iptables -t mangle -A PREROUTING -d <dstaddr> -j LOG --prefix=MPA
    iptables -t nat -I PREROUTING -d <dstaddr> -j LOG --prefix=NPI
    iptables -t nat -A PREROUTING -d <dstaddr> -j LOG --prefix=NPA
    iptables -t filter -I FORWARD -d <dstaddr> -j LOG --prefix=FFI
    iptables -t filter -I FORWARD -d <dstaddr> -j LOG --prefix=FFA
    iptables -t nat -I POSTROUTING -d <dstaddr> -j LOG --prefix=NOI
    iptables -t nat -A POSTROUTING -d <dstaddr> -j LOG --prefix=NOA
    iptables -t mangle -I POSTROUTING -d <dstaddr> -j LOG --prefix=MOI
    iptables -t mangle -A POSTROUTING -d <dstaddr> -j LOG --prefix=MOA
    This will place messages in the router's log at the beginning and end of each of the tables that we'd expect the packets to traverse.
     
  74. wycf

    wycf Network Guru Member

    Just reporting back that I tried to log the iptables with the above instructions, replaced <dstaddr> with 192.168.123.39 -- a web server in our office subnet -- then, after the VPN connected, I started a browser to access http://192.168.123.39. The router reboots instantly!

    I repeated the above test with a fresh installation of the new firmware and OpenVPN. Same result.
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Terribly sorry. I mistyped. They should be
    --log-prefix label
    not
    --prefix=label
     
  76. wycf

    wycf Network Guru Member

    I took my RT-N16 with me to the office and tested it again. Something must be wrong!

    Here is the setup:
    Code:
    notebook (WinXP) <--->RT-N16(TeddyBearVPN)<--->SonicWall Router<--->INTERNET<--->WRT54GL(TomatoVPN GUI, VPN Server)<--->SPA941 Phone (IP 10.11.22.92, web server on port 80)
    IP address:
    notebook: 192.168.1.138
    RT-N16 LAN: 192.168.1.1
    RT-N16 WAN: 192.168.123.186
    SonicWall LAN:192.168.123.254
    SonicWall WAN:24.207.xxx.xxx
    WRT54GL WAN: 206.116.xxx.xxx
    WRT54GL LAN: 10.11.22.1
    SPA941: 10.11.22.92

    Some observation:
    1. OpenVPN connected. I can see that from RT-N16 tomato log.

    2. From my notebook (XP), ping 10.11.22.92 works.

    3. From my notebook (XP), a trace route to 10.11.22.92 shows:
    Code:
    Tracing route to 10.11.22.92 over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  unknown [192.168.1.1]
      2    39 ms    38 ms    38 ms  10.88.0.1
      3    42 ms    43 ms    42 ms  10.11.22.92
    Trace complete.
    4. From my notebook (XP), using IE/Firefox to access http://10.11.22.92, in about 10 seconds the router RT-N16 rebooted! The PWR LED went off for about 1 sec and turned on again. The Tomato log shows it just restarted.

    5. I put the following in the firewall script:
    Code:
    iptables -t mangle -I PREROUTING -d 10.11.22.92 -j LOG --log-prefix MPI
    iptables -t mangle -A PREROUTING -d 10.11.22.92 -j LOG --log-prefix MPA
    iptables -t nat -I PREROUTING -d 10.11.22.92 -j LOG --log-prefix NPI
    iptables -t nat -A PREROUTING -d 10.11.22.92 -j LOG --log-prefix NPA
    iptables -t filter -I FORWARD -d 10.11.22.92 -j LOG --log-prefix FFI
    iptables -t filter -I FORWARD -d 10.11.22.92 -j LOG --log-prefix FFA
    iptables -t nat -I POSTROUTING -d 10.11.22.92 -j LOG --log-prefix NOI
    iptables -t nat -A POSTROUTING -d 10.11.22.92 -j LOG --log-prefix NOA
    iptables -t mangle -I POSTROUTING -d 10.11.22.92 -j LOG --log-prefix MOI
    iptables -t mangle -A POSTROUTING -d 10.11.22.92 -j LOG --log-prefix MOA
    when I ping 10.11.22.92, the log shows:
    Code:
    Jul 13 14:00:23 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
    Jul 13 14:00:23 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
    Jul 13 14:00:23 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
    Jul 13 14:00:23 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
    Jul 13 14:00:23 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
    Jul 13 14:00:23 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
    Jul 13 14:00:23 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
    Jul 13 14:00:23 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
    Jul 13 14:00:24 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
    Jul 13 14:00:24 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
    Jul 13 14:00:24 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
    Jul 13 14:00:24 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
    Jul 13 14:00:24 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
    Jul 13 14:00:24 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
    Jul 13 14:00:24 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
    Jul 13 14:00:24 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
    Jul 13 14:00:25 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
    Jul 13 14:00:25 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
    Jul 13 14:00:25 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
    Jul 13 14:00:25 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
    Jul 13 14:00:25 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
    Jul 13 14:00:25 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
    Jul 13 14:00:25 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
    Jul 13 14:00:25 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
    Jul 13 14:00:26 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
    Jul 13 14:00:26 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
    Jul 13 14:00:26 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
    Jul 13 14:00:26 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
    Jul 13 14:00:26 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
    Jul 13 14:00:26 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
    Jul 13 14:00:26 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
    Jul 13 14:00:26 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
    
    I cannot get the log for the HTTP request since the router keeps rebooting.

    With the same setup, using my desktop PC (Ubuntu) connected to our office LAN directly (no RT-N16), and firing up the OpenVPN client to connect back to my home, everything works.

    I am not sure whether this is an OpenVPN/firewall problem or a firmware problem. I didn't notice the automatic reboot until last night. In my previous post I reported it as "timed out", but actually it was the router rebooting.

    SgtPepperKSU, thanks for all the help. If you need me to test further, I'll do it and report back. (BTW, am I the only one reporting this kind of problem?)

    I may try to set up DD-WRT VPN on this to see how it works. But I really LIKED Tomato!
     
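The trace rules from posts 73 and 76 emit one kernel LOG line per table hook, and the only sensible way to read them is to group the lines by packet. The following is an added example, not code from this thread or from the Tomato/TeddyBear firmware, that does that grouping in Python: it parses `--log-prefix LABEL` lines (without a trailing space the label is glued to `IN=`, hence `MPIIN=br0` in the log above), keys each line on source, destination and IP header ID, and reports the order of hooks each packet hit, the hooks that never fired, the egress interface and the TTL drop between PREROUTING and FORWARD. The sample input is the eight entries for IP ID 4602 copied from the log posted above; the expected hook order is my assumption for a LAN-to-tunnel forwarded packet with all ten rules installed, and the function names are mine. On those lines it shows FFA logged before FFI, which is what you get when both FORWARD rules are added with `-I` (each new rule lands on top of the chain, as in the rules posted above), and no NOI/NOA entry at all.

```python
import re

# Hooks the ten trace rules from the thread should log, in the order a packet
# forwarded from the LAN into the tunnel is expected to traverse them
# (assumption: all ten LOG rules installed, --log-prefix as corrected in the thread).
EXPECTED_FORWARD_PATH = ["MPI", "MPA", "NPI", "NPA", "FFI", "FFA", "MOI", "MOA", "NOI", "NOA"]

# --log-prefix LABEL without a trailing space glues the label to "IN=", so the
# kernel line reads "kernel: MPIIN=br0 OUT= ..." rather than "kernel: MPI IN=...".
LOG_RE = re.compile(r"kernel:\s+(?P<stage>[A-Z]{3})IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s+(?P<rest>.*)$")

# The eight entries for IP ID 4602, copied from the log posted above in this thread.
SAMPLE_LOG = [
    "Jul 13 14:00:23 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416",
    "Jul 13 14:00:23 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416",
    "Jul 13 14:00:23 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416",
    "Jul 13 14:00:23 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416",
    "Jul 13 14:00:23 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416",
    "Jul 13 14:00:23 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416",
    "Jul 13 14:00:23 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416",
    "Jul 13 14:00:23 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416",
]


def parse_line(line):
    """Return the fields we care about from one LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    # The IP header ID comes before PROTO=; on ICMP lines a second "ID=" (the echo ID)
    # follows, so take the first match explicitly instead of building a dict of fields.
    ip_id = re.search(r"\bID=(\d+)", rest)
    ttl = re.search(r"\bTTL=(\d+)", rest)
    src = re.search(r"\bSRC=(\S+)", rest)
    dst = re.search(r"\bDST=(\S+)", rest)
    if not (ip_id and ttl and src and dst):
        return None
    return {"stage": m.group("stage"), "in": m.group("in"), "out": m.group("out"),
            "ip_id": int(ip_id.group(1)), "ttl": int(ttl.group(1)),
            "src": src.group(1), "dst": dst.group(1)}


def trace_packets(lines):
    """Group LOG lines per packet (src, dst, IP ID) and summarise the path each one took."""
    per_packet = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_packet.setdefault((rec["src"], rec["dst"], rec["ip_id"]), []).append(rec)
    report = {}
    for key, recs in per_packet.items():
        stages = [r["stage"] for r in recs]
        ranks = [EXPECTED_FORWARD_PATH.index(s) for s in stages if s in EXPECTED_FORWARD_PATH]
        report[key] = {
            "stages": stages,
            "missing": [s for s in EXPECTED_FORWARD_PATH if s not in stages],
            # True when a later hook logged before an earlier one, e.g. FFA before FFI
            # when both FORWARD rules were inserted with -I instead of -I then -A.
            "out_of_order": ranks != sorted(ranks),
            "ttl_drop": recs[0]["ttl"] - recs[-1]["ttl"],
            "egress": next((r["out"] for r in recs if r["out"]), ""),
        }
    return report


def format_report(report):
    """Render the per-packet summary as text for reading on the router or a workstation."""
    out = []
    for (src, dst, ip_id), info in report.items():
        out.append("%s -> %s id=%d via %s: %s" % (src, dst, ip_id, info["egress"] or "?",
                                                  " ".join(info["stages"])))
        if info["missing"]:
            out.append("  never logged at: %s" % ", ".join(info["missing"]))
        if info["out_of_order"]:
            out.append("  hooks fired out of the expected order (check -I vs -A on the rules)")
        out.append("  TTL decremented by %d between first and last hook" % info["ttl_drop"])
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(trace_packets(SAMPLE_LOG)))
```

To use it on a live router, paste the relevant `kernel:` lines from the Tomato log into `SAMPLE_LOG` or feed `trace_packets()` the lines of a saved syslog; packets that stop short of MOA/NOA, or that never show an egress interface, are the ones to look at.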
  77. wycf

    wycf Network Guru Member

    Quick update:

    Don't take me wrong, I like Tomato. But this time I flashed DD-WRT (DD-WRT v24-sp2 (04/23/10) mega - build 14311) and it seems to work fine, including VPN.

    I'll test it further when I get home to see if my router can connect back to my office.

    So I'll watch closely and wait for TeddyBear to release the next version.
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Very strange! The reboots definitely put a different spin on it. I really have no idea what would be causing that. No wonder I couldn't see anything wrong with the firewall rules. I haven't heard any other reports of such a thing. You might mention it in one of the teddy_bear threads, though, to see if anyone else has heard of it. It's likely specific to the K26 builds.
     
  79. wycf

    wycf Network Guru Member

    I am using DD-WRT for now. Hope we can see a new release of TB soon.

    And I just found someone already reported the bug:
    http://tomatousb.org/forum/t-249586/openvpn-chrashes-router

    Thank you SgtPepperKSU for all your great work and help. Cheers!
     
  80. Elanzer

    Elanzer Addicted to LI Member

    I've recently set up a VPN with 2 ASUS RT-N16 routers that connects 2 offices together from city to city. The goal was simply to get them all on the same workgroup for easy file sharing and such between both offices, as if they were local. The VPN is set up as TAP over UDP, nothing too special for configuration - basically followed a simple guide on a blog (http://blog.johnso.org/2009/08/how-to-setup-openvpn-in-tomato.html)

    There's a configuration problem somewhere though; ever since I've put in the 2 routers with the VPN setup, both offices' internet connections bog down to a snail's pace intermittently. Judging by speed tests on the remote VPN client out of town, it seems that sometimes (but not always?) the VPN client might actually be using the VPN server as an internet gateway - sometimes the upload and download bandwidth speed test results for the client router are almost identical to the VPN server's upload bandwidth. It doesn't seem to ALWAYS happen though, as in I can sometimes get full speed on the VPN client side without any performance issues.

    It's my second time setting up a VPN with Tomato, the first with a site-to-site between 2 routers, so I've probably missed a crucial setting somewhere that's utterly facepalm-worthy.

    Any tips?
     
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The only strength of using TAP is also its biggest difficulty. TAP connections allow broadcast messages to traverse the tunnel. This is what allows computers on the remote side of the tunnel to appear in "Network Neighborhood", etc. However, DHCP also uses broadcast messages. So, if a device asks for a DHCP server, both the local and remote DHCP servers will respond. Whichever response is received first wins.

    Aside from that fact, you should ensure that the "Redirect Internet Traffic" checkboxes are not selected on either the client or server.
     
  82. Elanzer

    Elanzer Addicted to LI Member

    Well, it looks like the default setting for "redirect internet traffic" isn't checked and it's disabled on the server, so it shouldn't be checked on the client - I can't check yet, I don't have VNC access on the client side and it's a 3-hour drive away, so I don't have any readily available local access.

    Even just trying to access the local server via VNC from home is getting ridiculous with its constant disconnections, but it's currently 1:20am and both offices have long since been closed - there should be no real activity over the VPN. When I stop the VPN server service my VNC client doesn't have disconnect issues and everything performs as expected; when I restart the VPN service the VNC client disconnects every minute or even less. I'm beginning to think this isn't a bandwidth issue, but a problem with the routers or firmware. The client firmware is about half a year old now, so I can try updating it; I've already updated the server firmware. I don't believe the VPN connection has ALWAYS had this performance issue, so it's getting pretty hard to troubleshoot.
     
  83. Zedsnar

    Zedsnar Networkin' Nut Member

    Hey Guys.

    I'm a trainee and I need some help with my project: creating a site-to-site VPN connection.
    The aim of my project is to connect a complete home network with the network of a soccer club. I have to use two WRT54GL routers with TomatoVPN (at the moment Tomato Firmware v1.27vpn3.6.4b664ba6 is in use).

    To simulate it first, I've created two networks and connected the routers directly from WAN interface to WAN interface with a crossover cable.

    1. router network configuration (LAN):
    ip: 192.168.1.1
    subnet: 255.255.255.0

    1. router WAN:
    ip: 10.20.204.5
    subnet: 255.255.0.0
    gateway: 10.20.254.254

    2. router network configuration (LAN):
    ip: 192.168.2.1
    subnet: 255.255.255.0

    2. router WAN:
    ip: 10.20.254.254
    subnet: 255.255.0.0
    gateway: 10.20.204.5

    My question:
    which configuration do I have to do under "VPN Tunneling", and what else do I have to do (OpenVPN? Port forwarding?)?
    At the moment I use a static key, which I created with OpenVPN.

    All my tries were flops, and I don't know how to search for mistakes because it's my first time with VPN and I'm a newbie in networking, too.

    I hope I haven't forgotten important information, and my English isn't worth much^^

    Greetz
    Zedsnar
     
  84. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can start with how you have the VPN settings configured and expanding on what isn't working.
     
  85. Zedsnar

    Zedsnar Networkin' Nut Member

    I've tried many different configurations. In general I've started server and client and don't get a connection / can't ping the other network, only the VPN tunnel.

    I'm not at work, but I'll try to remember one configuration...

    1. router as Server:
    interface type: TAP
    protocol: UDP
    Port: 1194
    firewall: custom
    Authorization Mode: static key

    2. router as client:
    interface type: TAP
    protocol: UDP
    server address/port: 10.20.254.254 1194
    firewall: custom
    authorization mode: static key
    tunnel: 10.8.0.1 255.255.0.0

    I believe that was one of my tests.
    If I start it, I can ping 10.8.0.1 and it seems to me (as a newbie) that a tunnel opened (because I can't start one with Windows), but it doesn't find the right destination.

    I also tried two servers, or TUN, or authorization mode certificates...
    Do you want further configurations I tried (if I can remember them^^)?

    Thanks for your help
    greetz Zedsnar
     
  86. Lothsahn

    Lothsahn Addicted to LI Member

    Problem setting up VPN...

    1) The first thing to do is figure out if you want TAP or TUN. Generally, TUN is recommended. TAP can create problems with DHCP.

    The advantage of TAP is that both networks are completely merged, so all broadcasts go to all devices, while in TUN networking mode, only direct communications are sent.


    2) It seems weird that your VPN server is 10.x.x.x. 10.* is a reserved subnet for internal networks. Is your VPN server actually at 10.*? You should be using the external IP address for the VPN server, not the internal.

    For instance, if your network looks like this:
    Internet->72.45.32.212 <Tomato VPN Server> 10.20.254.254 -> Internal network

    Then your client should be connecting to 72.45.32.212, not 10.20.254.254.



    I would change to TUN mode instead of TAP and make sure that your client IP address is correct. Do you have anything under "custom configuration" in Tomato for the client or the server?
     
  87. Zedsnar

    Zedsnar Networkin' Nut Member

    I only used 10.8.0.1 because TomatoVPN suggests it.
    I will try your way.

    For my own understanding: is the virtual VPN server, which I start, like a device with two IP interfaces... one 10.20.254.254 and one 72.45.32.212 (e.g.)?

    What do you mean by custom configuration? I don't know this tab/option in "VPN Tunneling". In Advanced I don't do anything... only keys, naturally.

    Thanks for your advice.
    For further instructions: I'll be here and read/comment, and on Monday morning, when I'm at work again, I'll try all of it :)
    Do I have to do more configuration (e.g. port forwarding)?

    greetz
    Zedsnar
     
  88. pmason

    pmason Networkin' Nut Member

    I ran mtu-test in my client config file using the latest teddy bear build with VPN and got the following message:

    Code:
    NOTE: failed to empirically measure MTU (requires OpenVPN 1.5 or higher at other end of connection).
    
    I have openvpn 2.1.1 on the client.

    What version of OpenVPN is on the latest teddy bear with VPN firmware?
     
  89. Lothsahn

    Lothsahn Addicted to LI Member

    VPN trouble...

    The router has two IP addresses (WAN and LAN). Your clients should specify the WAN (in my example, 72.45.32.212).

    Custom configuration is under vpn tunneling->server->advanced in 1.27vpn3.5. What version are you using?
     
  90. Zedsnar

    Zedsnar Networkin' Nut Member

    Now at work I see the custom configuration... no, I don't use it. Do I have to?
    I'm using Tomato Firmware v1.27vpn3.6.4b664ba6.

    Let's start the configuration again... :)
     
  91. Zedsnar

    Zedsnar Networkin' Nut Member

    I've talked to my instructor again...

    I think I have to use TAP, because both networks have to be like the same network... so broadcasts also have to go to every PC (e.g.)
     
  92. Dagger

    Dagger Networkin' Nut Member

    If using TAP, the client router will need to bridge the OpenVPN TAP interface with its LAN interface. I'm not sure how to do that on Tomato. I think it's done on the OpenVPN server when using TAP by the server-bridge directive.

    You might find this interesting:

    http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html#scope
     
  93. Zedsnar

    Zedsnar Networkin' Nut Member

    One more day with many tries and no result. :frown:

    Let's see whether what I want to do is possible...

    1) I configure the 1st router -> server
    2) I configure the 2nd router -> client
    3) I start both and the VPN tunnel works

    Is this right or is it too easy? Do I have to do more?

    The question still stands: which configuration do I have to do?
    For instance, I don't know what I have to write in "tunnel address/netmask" and what I have to do about "Warning: Cannot bridge distinct subnets. Defaulting to routed mode." (shown if I don't check "Server is on same subnet").

    Thanks for your help.
    I have the feeling that I haven't seen the right way although it isn't that difficult... :frown:
     
  94. Dagger

    Dagger Networkin' Nut Member

    Did you see this at the link I posted?

    ====
    Including multiple machines on the client side when using a bridged VPN (dev tap)

    This requires a more complex setup (maybe not more complex in practice, but more complicated to explain in detail):

    * You must bridge the client TAP interface with the LAN-connected NIC on the client.
    * You must manually set the IP/netmask of the TAP interface on the client.
    * You must configure client-side machines to use an IP/netmask that is inside of the bridged subnet, possibly by querying a DHCP server on the OpenVPN server side of the VPN.
    ====

    The key points here are:
    1) You have to bridge the TAP interface with the LAN interface on the client Tomato.
    2) Once the client Tomato has the local LAN bridged with the server Tomato's LAN, the client Tomato's hosts will need to either be assigned IPs in the server Tomato's LAN or get DHCP via the server Tomato's LAN. Meaning, do not use the DHCP configuration on the client Tomato LAN. Technically the TAP interface on the client Tomato is the only host on that LAN... which is why it needs to be manually assigned an IP.

    As far as bridging the TAP interface with the LAN interface on the client Tomato... I haven't looked into that so I don't know the specifics of how to do it... but I'm sure it can be done.
     
  95. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It does it automatically if you select "Server is on the same subnet".
     
  96. Dagger

    Dagger Networkin' Nut Member

    I thought that was used when the client and the server are on the same network (i.e. not separated by the internet cloud). I thought it generated the "redirect-gateway local" directive on the client so that a static route isn't created where it's not needed.

    Outside of a test environment, I don't see a client Tomato being on the same subnet as the server Tomato.

    Am I confused?
     
  97. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Nope. It's only visible/applicable for TAP and controls whether it is added to the LAN bridge or has its own IP address.

    I would expect almost all TAP setups to share a subnet. Note that this is referring to a common logical subnet address space, not any kind of physical co-location.
     
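SgtPepperKSU's question in post 71 (for TUN, are the local, remote and VPN segments on unique subnets?) and the opposite requirement for bridged TAP in post 97 (both sites share one logical subnet, otherwise you get the "Cannot bridge distinct subnets" warning Zedsnar ran into) are both mechanical checks worth running before touching the router. The following is an added example, not code from this thread or from the firmware, that performs them with Python's `ipaddress` module and accepts either CIDR or the "address netmask" form the Tomato GUI uses. The function names, the optional list of WAN subnets (included because Zedsnar's test bench puts 10.20.0.0/16 on the WAN side, which must not collide with the tunnel either) and the assumption that the RT-N16 test in post 76 used a /24 VPN subnet around 10.88.0.1 are mine.

```python
import ipaddress


def to_network(spec):
    """Accept '10.66.77.0/24' or 'address netmask' as typed into the Tomato GUI
    (e.g. '10.8.0.1 255.255.0.0') and normalise it to the containing network."""
    parts = spec.split()
    if len(parts) == 2:
        spec = "%s/%s" % (parts[0], parts[1])
    return ipaddress.ip_network(spec, strict=False)


def check_routed_plan(local_lan, remote_lan, vpn_subnet, wan_subnets=()):
    """TUN (routed) mode: every segment the router routes between must be a distinct
    subnet, otherwise the kernel cannot tell a local destination from one behind the
    tunnel. Returns the (name, name) pairs that overlap; an empty list means OK."""
    segments = {"local LAN": to_network(local_lan),
                "remote LAN": to_network(remote_lan),
                "VPN subnet": to_network(vpn_subnet)}
    for n, wan in enumerate(wan_subnets, 1):
        segments["WAN %d" % n] = to_network(wan)
    names = list(segments)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if segments[a].overlaps(segments[b])]


def check_bridged_plan(server_lan, client_lan, client_tap_ip=None, server_lan_ip=None):
    """TAP (bridged) mode: both sites form one logical subnet and the client's TAP
    interface gets a manually assigned address inside it. Returns a list of
    human-readable problems; an empty list means the plan can be bridged."""
    srv, cli = to_network(server_lan), to_network(client_lan)
    problems = []
    if srv != cli:
        problems.append("client LAN %s and server LAN %s are distinct subnets and "
                        "cannot be bridged into one segment" % (cli, srv))
    if client_tap_ip is not None:
        tap = ipaddress.ip_address(client_tap_ip)
        if tap not in srv:
            problems.append("client TAP address %s is outside the bridged subnet %s" % (tap, srv))
        elif server_lan_ip is not None and tap == ipaddress.ip_address(server_lan_ip):
            problems.append("client TAP address %s collides with the server's LAN address" % tap)
    return problems


if __name__ == "__main__":
    # wycf's routed plan from post 72: home LAN, office LAN, VPN subnet
    print("wycf (TUN):", check_routed_plan("10.11.22.0/24", "192.168.123.0/24", "10.66.77.0/24") or "OK")
    # Zedsnar's test bench from posts 83 and 85: two LANs, a /16 tunnel, /16 WAN link
    print("Zedsnar (TUN):", check_routed_plan("192.168.1.0/24", "192.168.2.0/24",
                                              "10.8.0.1 255.255.0.0",
                                              ["10.20.204.5 255.255.0.0"]) or "OK")
    # The same two LANs bridged with TAP: they are distinct subnets, so bridging fails
    print("Zedsnar (TAP):", check_bridged_plan("192.168.1.0/24", "192.168.2.0/24") or "OK")
```

Run it with the four or five subnets of your own plan; for TAP, the fix for a non-empty result is to renumber the client site into the server's LAN subnet (and stop the client's DHCP server, as Dagger notes), not to leave "Server is on same subnet" unchecked and let OpenVPN fall back to routed mode.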
  98. pmason

    pmason Networkin' Nut Member

    How do I figure out what OpenVPN version Tomato VPN comes with?
     
  99. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you're using the most recent version, it is 2.1.1. However, it is also displayed on the status tab of active connections and can be viewed from the command line as well.
     
  100. pmason

    pmason Networkin' Nut Member

    Is there anything I need to do in order to make mtu-test work then? This is the error I receive when I use it:

    Code:
    NOTE: failed to empirically measure MTU (requires OpenVPN 1.5 or higher at other end of connection).
     