
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Another test version:

    This one
    • Adds tls-auth input!
    • Does a better job of cleaning up resources if starting up the server fails
    • Fixed "certifate" typo :wink:
    • Switched to 7zip compression on download file, so it is much, much smaller
    • From the last test build:
      • Address field lengthened to 32 characters
      • Static key mode site-to-site improvements

    Download it here.

    If you find problems, especially regressions, be sure to let me know! There's probably enough changes there to warrant a full release, so I'll make a release if no bugs are found in the near future.
     
  2. ng12345

    ng12345 LI Guru Member

    EDIT: just realized that you create an ovpn file that I can directly edit through SSH

    EDIT: quick bug in your latest release, you didn't add a 1 to the end of the "tls-auth" line in the config, so it doesn't work (I had to manually edit the ovpn and add it in); I don't know about the server side script

    also for TUN, I couldn't connect to computers behind the server router until I changed your client side firewall script to below (also added icmp for ping):

    Code:
    #!/bin/sh
    iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD -i br+ -o tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -o br+ -j ACCEPT
    iptables -I INPUT -i tun+ -p icmp -j ACCEPT
    iptables -I OUTPUT -o tun+ -p icmp -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.x.y/16 -o tun+ -j MASQUERADE
    iptables -A FORWARD -s 192.168.x.y/16 -o tun+ -j ACCEPT
    iptables -A FORWARD -d 192.168.x.y/16 -m state --state ESTABLISHED,RELATED -i tun+ -j ACCEPT
    
    as a last note, your config currently adds a number to the tun interface you create (for example, dev tun2); you don't need the # and it actually is cleaner without the number because you also don't have to initialize the connection first (openvpn does it for you) -- this is the config file I usually use for tun site to site:
    Code:
    daemon
    client
    dev tun 
    remote xyz.xyz.xyz.xyz 1194
    resolv-retry infinite
    nobind
    #persist-key
    #persist-tun
    comp-lzo #don't need a yes here
    cipher bf-cbc
    verb 4
    tls-auth client1-static.key 1
    ca client1-ca.crt
    cert client1.crt
    key client1.key
    
    # Custom Configuration
    ns-cert-type server
    float

    Thanks for the great work!

    -- EDIT: I was also thinking about a possible solution to a TUN two-way site to site (via the gui). The real issue is creating a gui for the client-configs; I was wondering if you could use an approach similar to what is used for port forwarding and reserving dhcp leases in the current gui where you would have two columns:

    Client Common Name | Client Config Script

    and the ability to add/edit/etc as we need

    This would be a little easier than using jffs as well as the gui
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Not so much a bug, as room for an additional feature. The 0 or 1 is an optional parameter specifying direction. Leaving it off means bi-directional (which I thought would be the most common). I'll add in the option to change it in the GUI.
    Odd, it worked for me. I'll have to do more experimenting, I guess.
    But I am creating and removing multiple interfaces. In order to be sure I'm deleting the correct one that was used, I need to specify the one that was used. And, I don't believe that would work for TAP anyway, and this keeps things more consistent.
    That's the general idea of what I've been picturing in my head. However, creating the GUI isn't the only obstacle. If I auto-generate a client-connect or client-config-dir, then the user wouldn't be able to specify their own as well. Perhaps in a future release I'll settle on an acceptable compromise. It's definitely churning in the back of my mind. :smile:
     
  4. powersquad

    powersquad Addicted to LI Member

    I asked for it before. I understand what VPN is but can you please post a screenshotted guide of your build on how to set it up with Win XP or Win Vista. Which settings do what and what to enter in which VPN option in your tomato mod. Really like to use VPN but I am confused as to where to even start.
     
  5. adeej

    adeej Addicted to LI Member

    openvpn init error

    I am using Tomato 1.21vpn1.0017 (without using graphic gui).

    I create jffs partition.

    I put in /jffs/openvpn the following vpn files:
    Code:
    ca.crt
    dh1024.pem
    key.txt
    server.conf
    server.crt
    server.key

    server.conf:
    Code:
    dev tun0
    mode server
    proto udp
    port 1194
    server 10.9.8.0 255.255.255.0
    client-to-client
    max-clients 10
    client-config-dir /jffs/openvpn/ccd/
    ifconfig-pool-persist /jffs/openvpn/ipp.txt
    daemon
    persist-key
    persist-tun
    comp-lzo
    keepalive 10 120
    verb 5
    
    cipher BF-CBC
    tls-auth /jffs/openvpn/key.txt 0
    ca /jffs/openvpn/ca.crt
    dh /jffs/openvpn/dh1024.pem
    cert /jffs/openvpn/server.crt
    key /jffs/openvpn/server.key

    in administration - scripts - init:
    Code:
    sleep 5
    /tmp/myvpn --mktun --dev tun0
    ln -s /usr/sbin/openvpn /tmp/myvpn
    
    # Initiate the tunnel
    sleep 5
    /tmp/myvpn --config /jffs/openvpn/server.conf

    in administration - scripts - firewall:
    Code:
    iptables -I INPUT 1 -p udp  --dport 1194 -j ACCEPT
    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -j ACCEPT

    but when the router starts, openvpn doesn't work

    Code:
    Nov  3 15:22:56 unknown daemon.notice openvpn[267]: OpenVPN 2.1_rc12 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Oct 29 2008
    Nov  3 15:22:57 unknown daemon.notice openvpn[267]: Diffie-Hellman initialized with 1024 bit key
    Nov  3 15:22:57 unknown daemon.warn openvpn[267]: WARNING: file '/jffs/openvpn/server.key' is group or others accessible
    Nov  3 15:22:57 unknown daemon.warn openvpn[267]: WARNING: file '/jffs/openvpn/key.txt' is group or others accessible
    Nov  3 15:22:57 unknown daemon.notice openvpn[267]: Control Channel Authentication: using '/jffs/openvpn/key.txt' as a OpenVPN static key file
    Nov  3 15:22:57 unknown daemon.notice openvpn[267]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov  3 15:22:57 unknown daemon.notice openvpn[267]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov  3 15:22:57 unknown daemon.notice openvpn[267]: TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Nov  3 15:22:57 unknown daemon.warn openvpn[267]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
    Nov  3 15:22:57 unknown daemon.notice openvpn[267]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Nov  3 15:22:57 unknown daemon.err openvpn[267]: Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
    Nov  3 15:22:57 unknown daemon.notice openvpn[267]: Exiting

    on dd-wrt the same config works fine
    what is wrong?
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    you need to add the tun module:
    Code:
    modprobe tun
    before you can create a tap/tun interface.

    My build only loads it into memory as needed to conserve resources.
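
The start-up order from the reply above, together with a fix for the two "group or others accessible" warnings in the posted log, as an added example that is not part of the original posts or the firmware. The function names are hypothetical; the paths are the ones from the question.

```shell
#!/bin/sh
# Added example: pre-flight for a hand-written OpenVPN start-up script.
# Function names are hypothetical; paths come from the question above.

# is_private FILE: succeeds when FILE has no group/other permission bits.
is_private() {
    # "ls -ld" prints a mode string such as -rw-r--r--; characters 5-10
    # hold the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# loose_keys FILE...: print every existing file that group/others can access.
loose_keys() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        is_private "$f" || echo "$f"
    done
}

# lock_keys FILE...: chmod 600 the loose files, then re-check, because chmod
# has no effect on filesystems that do not store Unix modes.
lock_keys() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        is_private "$f" || chmod 600 "$f" || return 1
    done
    [ -z "$(loose_keys "$@")" ]
}

# start_server: keys locked down first, tun module loaded before any
# tun/tap device is created. Needs root on the router.
start_server() {
    dir=/jffs/openvpn
    lock_keys "$dir/server.key" "$dir/key.txt" || {
        echo "private key material is still group/other accessible" >&2
        return 1
    }
    modprobe tun || return 1
    openvpn --mktun --dev tun0 || return 1
    openvpn --config "$dir/server.conf"
}

# Invoke as "sh thisfile start" from the init script.
if [ "${1:-}" = start ]; then
    start_server
fi
```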
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    A good place to start would be the OpenVPN HowTo. But, here is a quick summary of the different settings:
    • Server
      • Interface Type:
        • See here for deciding which to use
        • TAP: "Bridged". This creates a virtual device that is treated like an additional ethernet card, only the "ethernet cable" is the VPN tunnel
        • TUN: "Routed". Creates a Point-to-Point device.
      • Protocol
        • TCP: Use this if you know you have to, or if your tunnel is going to need to go through a HTTP proxy
        • UDP: Otherwise, use this
      • Port: port that the server will listen on
      • Firewall
        • Automatic: the firmware will automatically open the firewall for incoming connections and the VPN tunnel
        • External only: the firmware will only open the firewall for incoming connections
        • Custom: the firmware won't generate any firewall rules
      • Authorization mode
        • TLS: This is the more powerful option, but it takes a bit more work generating certificates. Must use this to have multiple clients.
          • See here for generating certificates
        • Static Key: A bit simpler to generate keys, but not scalable
          • See here for information on static key mode
        • Custom: I won't auto-generate any authorization settings, you do it yourself in the Custom Configuration section
      • Use extra HMAC authorization (TLS only): When using TLS, the server has to negotiate with the client before knowing if they are legit or not. This uses resources. Using this setting will add a pre-shared static key to use to be able to reject bogus traffic before wasting any time on it
      • Client Address Pool (TAP+TLS only): IP range to assign to clients. If DHCP is selected, an address will be assigned out of the normal LAN DHCP range.
      • VPN subnet/netmask (TUN+TLS only): Subnet and netmask to use for tunnel, must be different from the subnet used on server and all clients
      • Use extra HMAC authorization: see above. Setting must be complementary to server setting (Incoming on server = Outgoing on client)
      • Local/remote endpoint addresses (TUN+Static Key only): Addresses to use for local endpoint and what to look for as remote endpoint (must be on the same subnet as each other, but a different subnet than both client and server)
      • Encryption cipher: The actual encryption algorithm. If you don't care, just leave it as Default: BF-CBC will be used
      • Compression: compresses VPN traffic if enabled. Adaptive mode will dynamically decide as it goes along whether or not to compress (some traffic is actually more efficient uncompressed)
      • Custom Configuration: your place to add any settings I didn't put in the GUI
      • The remaining fields are various keys and certificates (see links above on how to generate them)
    • Client
      • Interface type: must be same as server
      • Protocol: must be same as server
      • Server address/port: address of server and port number it is listening on
      • Firewall
        • Automatic: the firmware will automatically open the firewall for incoming connections and the VPN tunnel
        • Custom: the firmware won't generate any firewall rules
      • Authorization Mode: must be same as server
      • Server is on same subnet (TAP only): If the client and server are on the same subnet, this will bridge them together
      • Create NAT on tunnel (TUN or TAP with different subnets): Creates a NAT on the client end of the tunnel. This makes all traffic look like it is coming from the tunnel endpoint, and saves us from having to manually set up routing
      • Tunnel address/netmask (TAP+Static key only): address to use as the client side tunnel endpoint. Must be a free address on server subnet. Netmask is the netmask on the server LAN
      • Local/remote tunnel endpoints (TUN+Static Key only): use the same addresses as you used on the server, only reversed
      • Encryption cipher: must be same as server
      • Compression: Must be same as server
      • Connection retry: how long to retry resolving the server address before giving up
      • Custom Configuration: your place to add settings I didn't put in the GUI
      • The remaining fields are for various keys and certificates, see above links on generating them
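
The "must be same as server" and complementary tls-auth rules from the summary above, turned into a check over a server and a client config file. This is an added example, not code from the firmware or its author; the helper names and `bad-client.ovpn` are constructed, and the other two samples are trimmed from configs posted earlier in this thread.

```shell
#!/bin/sh
# Added example: check that an OpenVPN server/client config pair agree on the
# settings the summary above says must match. Helper names are hypothetical.

# field FILE DIRECTIVE N: print word N of the first DIRECTIVE line
# (N=0 is the directive itself), ignoring comments; nothing if absent.
field() {
    awk -v d="$2" -v n="$3" '
        { sub(/[ \t]*#.*$/, "") }
        $1 == d { print $(n + 1); exit }
    ' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: print one line per mismatch;
# returns 0 when the pair is consistent, 1 otherwise.
check_pair() {
    srv=$1; cli=$2; bad=0

    # Interface type: tun0 / tap22 on one side must meet tun / tap on the other.
    s=$(field "$srv" dev 1 | sed 's/[0-9]*$//')
    c=$(field "$cli" dev 1 | sed 's/[0-9]*$//')
    [ "$s" = "$c" ] || { echo "dev: server=$s client=$c"; bad=1; }

    # Protocol: udp when omitted; tcp-server pairs with tcp-client.
    s=$(field "$srv" proto 1 | sed 's/-server$//'); s=${s:-udp}
    c=$(field "$cli" proto 1 | sed 's/-client$//'); c=${c:-udp}
    [ "$s" = "$c" ] || { echo "proto: server=$s client=$c"; bad=1; }

    # Cipher: compared case-insensitively (the posts write both bf-cbc and
    # BF-CBC); BF-CBC is the default named in the summary above.
    s=$(field "$srv" cipher 1 | tr 'a-z' 'A-Z'); s=${s:-BF-CBC}
    c=$(field "$cli" cipher 1 | tr 'a-z' 'A-Z'); c=${c:-BF-CBC}
    [ "$s" = "$c" ] || { echo "cipher: server=$s client=$c"; bad=1; }

    # Compression: comp-lzo has to be present on both sides or on neither.
    s=$(field "$srv" comp-lzo 0); s=${s:+present}; s=${s:-absent}
    c=$(field "$cli" comp-lzo 0); c=${c:+present}; c=${c:-absent}
    [ "$s" = "$c" ] || { echo "comp-lzo: server=$s client=$c"; bad=1; }

    # tls-auth: both or neither; direction omitted on both (bi-directional)
    # or complementary (0 on one side, 1 on the other).
    s=$(field "$srv" tls-auth 0); s=${s:+present}; s=${s:-absent}
    c=$(field "$cli" tls-auth 0); c=${c:+present}; c=${c:-absent}
    sdir=$(field "$srv" tls-auth 2); cdir=$(field "$cli" tls-auth 2)
    if [ "$s" != "$c" ]; then
        echo "tls-auth: server=$s client=$c"; bad=1
    else
        case "$sdir:$cdir" in
            :|0:1|1:0) ;;
            *) echo "tls-auth direction: server=${sdir:-none} client=${cdir:-none}"; bad=1 ;;
        esac
    fi
    return $bad
}

# write_samples DIR: server.conf and client.ovpn are trimmed from configs
# posted in this thread; bad-client.ovpn is constructed for the example.
write_samples() {
    cat > "$1/server.conf" <<'EOF'
dev tun0
proto udp
comp-lzo
cipher BF-CBC
tls-auth /jffs/openvpn/key.txt 0
EOF
    cat > "$1/client.ovpn" <<'EOF'
dev tun
comp-lzo #don't need a yes here
cipher bf-cbc
tls-auth client1-static.key 1
EOF
    cat > "$1/bad-client.ovpn" <<'EOF'
dev tap
proto tcp-client
cipher bf-cbc
tls-auth client1-static.key 0
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_pair "$tmp/server.conf" "$tmp/client.ovpn" && echo "pair 1: consistent"
check_pair "$tmp/server.conf" "$tmp/bad-client.ovpn" || echo "pair 2: fix the lines above"
rm -rf "$tmp"
```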
     
  8. ng12345

    ng12345 LI Guru Member

    My fault; didn't realize it was optional -- way I read it was that it was 0 on server and 1 on client. I'll try removing the number from all my sites and see what happens.

    I apologize if I am critiquing too much -- since I set up my site with roadkill's mod first, I'm trying to wedge a gui over my currently existing script instead of starting anew with your gui. The firewall script I pasted was exactly the one that I use on the server (using roadkill's mod) -- so I don't know if that is part of the issue.

    Thanks for all your comments!
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No problem. I was actually considering adding an option for that parameter, but didn't get to it by the time I posted that test build. It definitely should be an option if I'm going to include tls-auth.
    Not at all! I really appreciate it. Without people posting suggestions and problems, progress would be slow.
    A perfectly reasonable approach. If you have a reasonable configuration, it should be possible to do it using the GUI. If not, there's a problem I need to fix.
    Like I said, the auto-generated firewall rules seem to work for me. So, if you could try adding and removing your rules one at a time from the shell (with the tunnel running) to see what it is that is lacking, I would appreciate it. That way maybe we can figure out what is different, and when/if I should autogenerate those firewall rules.

    Thanks!
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I really appreciate all of the comments I've received.

    Here is another test build:

    Build 1.21vpn1.9036 can be downloaded here.

    This will hopefully be the last test build before the next release.

    Changes in this test build:
    • tls-auth now has directional options
    • Cleanup on startup failure is now added to client instances as well
    • Fixed static key files not getting cleaned up
    • From previous test builds:
      • Adds tls-auth input!
      • Does a better job of cleaning up resources if starting up the server fails
      • Fixed "certifate" typo :wink:
      • Switched to 7zip compression on download file, so it is much, much smaller
      • Address field lengthened to 32 characters
      • Static key mode site-to-site improvements
     
  11. K1nslayer

    K1nslayer LI Guru Member

    Thanks and FYI

    First off, thanks for this. This is the one thing that's been missing from Tomato.

    FYI in the previous test build the TLS setting didn't seem to stick if you set it to off and saved the page. Might just be lack of testing, but that's what I saw.

    On another note... as a future feature, it would be nice to have the ability to use OpenVPN to connect two routers via wireless. Meaning that all the wireless traffic would be encrypted. Sure it would mean less total throughput, but the added security would be nice.

    Anyway thanks again.
    -K1nslayer
     
  12. K1nslayer

    K1nslayer LI Guru Member

    Version?

    Sorry, I forgot to mention this. Is there a reason this mod isn't compiled with OpenVPN v2.1rc13? The notes on the first page say it's using rc12.
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad you find it useful!
    Could you clarify what the "previous version" and "TLS setting" that you mention are? If you are referring to 1.21vpn1.9027 and the HMAC authentication option, I did notice that the setting was not being read from nvram properly when displaying the page (the setting was being saved and used properly, though). It is fixed in the latest test build. If you are referring to something else, please let me know so I can look into it.
    Interesting idea. And, with compression enabled, it could actually mean more throughput (especially if you just use compression, no encryption). I gave away my second router a bit back, so I can't try it myself, but I think it may already be possible. If you connect router 2 to router 1 via Wireless Client mode, then create a VPN from router 2 (client) to router 1 (server). It might just work. You could even use the redirect-gateway directive (which I see making it to the GUI sometime, but not until I test it) to have all internet traffic go through the tunnel, too. I'm intrigued, let me know if you try it. :smile:
    2.1rc12 was the latest when I made my first release, and the changelog indicated that the only changes were the version of OpenSSL bundled with the windows installer (not relevant), copyright changes (not functional), and a small change to the management interface (which I don't use). Plus, with how rapidly rc10 through rc13 were released, I thought it wouldn't be long before the next was released. If there's a relevant improvement in 2.1rc13 that I'm not aware of, let me know and I'll update.
     
  14. humba

    humba Network Guru Member

    I suspect compression will matter very little given the cpu constraints. I only get a couple mbit/s through a site to site vpn running on our gbit network at work (the only 100mbit links are from each router to the switch).
     
  15. illopel

    illopel Network Guru Member

    Hi,

    thanks for this great build, using it on my gateway for vpn access!
    But, could it be, that your firmware causes this issue?
    I have a second router (WRT54G) connected to the first router in bridge mode.
    The second router is not running your build but plain tomato and SSL remote access starts without problems.
    On the first router your firmware is installed and SSL won't start...

    Greetings,
    Till
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Responding in that thread...
     
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.21vpn2.0001

    Version 1.21vpn2.0001

    You can download the binaries and source from here.

    For those wanting to use the source, be sure to read the README file included in the source archive.

    Changes from 1.21vpn1.0017
    • Static Key mode site-to-site now doesn't need any custom configuration
    • Adds tls-auth support (both directional and bi-directional)
    • Resources are now properly cleaned up if a client or server fails to start
    • Fixed typos and GUI bugs
    • Server address field lengthened to 32 bytes from 16
    • Download file is now a 7zip file and, as such, is about one sixth the size

    Known limitations:
    • None that I am aware of. If you find some, let me know.

    I went ahead and tested site-to-site for all combinations of UDP/TCP, TAP/TUN, and TLS/TLS+Static/Static (with the exception of TUN w/ Static Key mode[1]). All work with zero custom configurations!

    [1] This mode is particularly difficult because with TUN there is no bridging and with Static Key mode you can't push information to the clients.

    Let me know what you think, and what can be improved. :smile:
     
  18. Johnno74

    Johnno74 Network Guru Member

    Hi,

    Can anyone confirm the HTTPs port sharing function of OpenVPN works in this firmware?

    if it does, that would ROCK! I was going to put openVPN on my server at home, then I noticed the port sharing isn't implemented on windows.... But if it was running on my router that would be even more ideal

    Cheers
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I had never heard of that feature, but I just tried it....and it worked! That's a really cool feature. Thanks for bringing it to my attention.
     
  20. Johnno74

    Johnno74 Network Guru Member

    Thanks SgtPepperKSU!

    Port sharing is definitely really cool. Where I work blocks SSL that isn't on port 443, but I still want to have SSL for my webmail etc.

    I'll be trying out your firmware tonight!
     
  21. dadaniel

    dadaniel Network Guru Member

    I noticed there must be a huge memory-leak in this version.

    1. look at the free RAM space
    2. open the VPN page
    3. look at the free RAM space

    I have memory loss of about 50%
    And that WITHOUT enabling VPN
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you run top from the shell while you do that, you'll notice that the memory is just being used as cache, not leaked. My understanding is that memory would be reclaimed when needed.
     
  23. dadaniel

    dadaniel Network Guru Member

    Thanks for the fast response and sorry for the double-post

    Maybe you are right, but WHY does this effect not appear when browsing through other pages?
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Probably due to the large number of nvram variables being read (incidentally, did you already have keys/certs in the configuration when you loaded in the page?).

    I'll do some experimentation some time to make sure I understand exactly what's causing it.
     
  25. dadaniel

    dadaniel Network Guru Member

    No, all fields are blank at the moment
     
  26. baldrickturnip

    baldrickturnip LI Guru Member

    I have flashed my 54GL with the VPN GUI mod , cleared the NVRAM and then go to the VPN tunneling and on server 1 clicked on the start now button.

    where and how do I create the keys/certs/authority ?

    I read the openVPN how to and then created a telnet session with the 54GL

    cd /
    ls
    cd etc
    ls
    cd openvpn

    and there is nothing there ?

    where do I go , what command or file needs to be executed and what needs to be copied and pasted into the VPN configuration boxes ?

    am I making some basic mistakes - probably :D
    can some one point me in a direction ? thanks



     
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You will have to download openvpn to another computer and generate the keys there. The utilities needed are not on the router itself. Then you will be able to follow the OpenVPN howto.
     
  28. weav

    weav Addicted to LI Member

    Can't get vpnserver2 to startup from Init script..??

    Probably my ignorance showing here.. :biggrin:

    I added the following line (only line actually) in my init script but I do not see OpenVPN starting when I check the log.. I have to manually hit the start button on the server 2 tab.

    service vpnserver2 start <--- this does not start the service?!?!

    Am I doing something wrong? I really want OpenVPN to start whenever my router reboots/drops power.

    Thanks for the awesome job on the firmware! I am running your latest version v1.21vpn2.0001.

    Any way to view the ovpn config file your gui creates for the server or client? I would imagine it's in the router somewhere.. ?? I am wanting to see if my custom entries are overlapping with what you are creating.

    edit: nevermind the question on the ovpn config... found it.. and cp'd it to my cifs1 share to check it out!

    # Automatically generated configuration
    daemon
    server-bridge 192.168.1.1 255.255.255.0 192.168.1.222 192.168.1.226
    proto tcp-server
    port 443
    dev tap22
    comp-lzo yes
    keepalive 15 60
    verb 3
    ca server2-ca.crt
    dh server2-dh.pem
    cert server2.crt
    key server2.key
    status-version 2
    status server2.status

    # Custom Configuration
    tls-server
    proto tcp-server
    mode server
    push "route-gateway 192.168.1.1"
    push "dhcp-option DNS 192.168.1.1"
    client-to-client
    keepalive 15 60
    #verb 3
    #daemon

    A few overlaps! Time to tidy up my custom commands!!

    Excellent work again!!



    Regards,
    Weav
     
  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You probably need to add a delay before that line:
    Code:
    sleep 10
    You can try different values (in seconds) to see what is needed.
     
  30. weav

    weav Addicted to LI Member


    That's the ticket! Problem solved!! :biggrin:

    Thanks again for the firmware and the help!
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, and there may be more overlaps there than you realize. The server-bridge line already performs the "mode server", the route-gateway push, and the tls-server lines. The only ones there you should need in your custom config are the dhcp-option push and the client-to-client lines.
    Just an FYI in case you didn't already realize that.
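
The overlap check described in the last few posts, as an added example that is not part of the original posts or the firmware: it tags each active line of the custom section against the generated part and against what the reply above says `server-bridge` already performs. The function names are hypothetical and the sample is the config posted above.

```shell
#!/bin/sh
# Added example: classify each line of the "# Custom Configuration" section of
# a GUI-generated OpenVPN config. Function names are hypothetical.

# classify_custom [FILE]: print "<tag>: <line>" for every active custom line
# (reads stdin when FILE is omitted).
#   implied   - already performed by server-bridge, per the reply above
#   duplicate - same directive and arguments as an auto-generated line
#   conflict  - same directive as an auto-generated line, different arguments
#   keep      - not covered by the generated part
classify_custom() {
    awk '
        /^# Custom Configuration/ { custom = 1; next }
        { sub(/[ \t]*#.*$/, "") }            # drop comments such as "#verb 3"
        NF == 0 { next }
        {
            $1 = $1                          # normalise spacing
            key = $1
            if ($1 == "push") {              # key pushes by the pushed option
                key = $2; gsub(/"/, "", key); key = "push " key
            }
        }
        !custom {
            auto[key] = $0
            if ($1 == "server-bridge") bridge = 1
            next
        }
        {
            if (bridge && (key == "tls-server" || $0 == "mode server" || key == "push route-gateway"))
                tag = "implied"
            else if (!(key in auto))
                tag = "keep"
            else if (auto[key] == $0)
                tag = "duplicate"
            else
                tag = "conflict"
            print tag ": " $0
        }
    ' "$@"
}

# sample_config: the generated file posted earlier in this thread.
sample_config() {
    cat <<'EOF'
# Automatically generated configuration
daemon
server-bridge 192.168.1.1 255.255.255.0 192.168.1.222 192.168.1.226
proto tcp-server
port 443
dev tap22
comp-lzo yes
keepalive 15 60
verb 3
ca server2-ca.crt
dh server2-dh.pem
cert server2.crt
key server2.key
status-version 2
status server2.status

# Custom Configuration
tls-server
proto tcp-server
mode server
push "route-gateway 192.168.1.1"
push "dhcp-option DNS 192.168.1.1"
client-to-client
keepalive 15 60
#verb 3
#daemon
EOF
}

sample_config | classify_custom
```

Only the two lines tagged `keep` are left for the custom section, which matches the reply above.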
     
  32. MrSVT

    MrSVT LI Guru Member

    Weird problem

    Just so you know. I tried this tomato mod (ver 1.21vpn1.0017) and I'm testing on a second WRT54GL, which I use like a simple switch. I'm setting it up on 192.168.2.x segment with WAN disabled. I also set the router's IP address on 192.168.2.7 with wireless disabled. Whenever I do this, I lose the web interface. To bring it back, I press the reset button for more than 5 secs. I also tried clearing the NVRAM but it didn't help to fix the problem. Roadkill's mod works well with my settings (WAN disabled). My $0.02.
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's interesting. Roadkill includes my changes, but I don't know if he has the latest (does the GUI look the same in his - fields in the same order?). If not, then it might be something to do with the automatic firewall rules. I must admit I didn't try with WAN disabled. Can you still connect via SSH after starting the server? If so, could you try running
    Code:
    iptables -Lv
    route -n
    before and after starting it?

    Also, are you using TAP or TUN? Have you tried both?
     
  34. MrSVT

    MrSVT LI Guru Member

    Yes I can.

    I will try later this week-end, right now I have Roadkill's version, I need to reflash it. I will let you know soon.

    VPN wasn't setup yet. I believe it's when I changed the segment and or I disabled the WAN because I was doing both on same time. I will try to test the iptables sometimes this week-end.

    Thanks for the quick answer.
     
  35. MrSVT

    MrSVT LI Guru Member

    Hi! I just tried again.

    - I didn't tell you the truth, I'm using 1.21vpn2.0001.
    - I can not connect to my router in anyway (Web GUI, telnet or ssh).

    Now, more observations:
    - The router is still working properly using the settings I put. I just can't access it anymore.
    - The router is using the settings I've put in.
    - I tried to put the commands (mentioned before) in the init script but it didn't change anything.

    I will now try to change one setting at a time....
     
  36. MrSVT

    MrSVT LI Guru Member

    More testing done. Whenever I switch to WAN disable, I can't access tomato's Web GUI but I CAN access the router using telnet. Here is the result of the commands you asked:

    before


    # iptables -Lv
    iptables: No chain/target/match by that name
    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo


    after


    # iptables -Lv
    iptables: No chain/target/match by that name
    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    #



    I'm also attaching a picture of my settings just before hitting the save button.
     

  37. Thyrael

    Thyrael Addicted to LI Member

    I would say *thank you* to you SgtPepperKSU for that really nice mod. I'm using the 1.21vpn2.0001 version and it works really well with a TLS server configuration. Thank you very much for all your work. :thumbup: :thumbups: :rockon:
     
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, I misunderstood before. I thought you had all those settings in place and when you started the VPN server, it stopped working.

    This is even more odd, since if you haven't run a vpn client and/or server since the last reboot, none of my code should be run and it should behave just like vanilla tomato. Are you sure you erased nvram (thorough) after flashing to this build (even if coming from roadkill's mod)?

    And, I made a mistake in the commands I gave you to run. The 'L' and the 'v' in the iptables command need to be reversed, but you can probably just drop the v altogether.

    Also, if you continue to have trouble, it would probably be better if you opened a new thread so we don't clutter this one up unnecessarily.
     
  39. baldrickturnip

    baldrickturnip LI Guru Member

    I have 2 54GL's flashed with the VPN GUI mod with one set up to be server and one as client
    I followed the OpenVPN how to and generated certificate Authority , server , client and DH certs and keys and copied/pasted from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- into the GUI boxes and saved

    both the server and client will start but I get the errors below - googling the error said it was a time issue with the validity of the certs so I changed the time on both 54GL's but still the error occurs


    server log
    daemon.err openvpn[425]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)

    client log
    unknown daemon.err openvpn[15727]: TLS Error: Unroutable control packet received from 220.255.x.x:1194 (si=3 op=P_CONTROL_V1)

    any ideas as to what I might be doing wrong here ?
     
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Did you also check the time zones on each? They must be the same. Also, are you using TAP or TUN?
     
  41. baldrickturnip

    baldrickturnip LI Guru Member

    Time zones are identical and I am using TAP.

    In the client .crt file there is quite a lot of information before the -----BEGIN CERTIFICATE----- . It seems to be the only .crt file with this - does this information need to be used somewhere ?


    and I am not sure if it makes a difference but the WRT54GL that is set up as the Client is running as a wireless client connected to the modem/AP that is connected to the outside world.
     
  42. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The information before the -----BEGIN CERTIFICATE----- isn't needed.

    Are the two routers on the same subnet? Do you have the box checked for the same subnet on the client?
     
  43. baldrickturnip

    baldrickturnip LI Guru Member

    I unchecked the box for same subnet and the client now seems to connect

    Code:
    Nov 17 16:47:31 unknown daemon.notice openvpn[17886]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Nov 17 16:47:31 unknown daemon.notice openvpn[17886]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Nov 17 16:47:31 unknown daemon.notice openvpn[17886]: UDPv4 link local: [undef]
    Nov 17 16:47:31 unknown daemon.notice openvpn[17886]: UDPv4 link remote: 220.255.xxx.xxx:1194
    
    but no joy from a device behind the client router pinging a device behind the server router. do I have to map static routes to the TAP interface ?
     
  44. dopee

    dopee LI Guru Member

    When I set the wireless mode to wireless ethernet bridge, the webinterface was not available anymore. Although the box seemed to do his job.
    Flashing back to the official tomato version resolved the problem. Can anybody else reproduce this?
     
  45. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Not if the two routers are on the same subnet? Are they? And, if so, have you ensured there are no conflicting addresses?
     
  46. baldrickturnip

    baldrickturnip LI Guru Member

    the server router LAN is 10.168.222.x and the client router LAN is 192.168.2.x

    the client pool on the server is 10.168.222.211 to 220 which does not conflict with anything.

    should I be able to ping the server LAN address with the ping client on the tomato GUI client router ? as I cannot.
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Since you are on separate subnets and have control over both endpoints, I would suggest using TUN. You might try using that.

    But, first, could you run
    Code:
    route -n
    on each router and post the information here?
     
  48. baldrickturnip

    baldrickturnip LI Guru Member

    this is from the client end

    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1

    I will have to wait until tomorrow to get the server end
    though this is its routing table from the GUI

    Destination Gateway Subnet Mask Metric Interface
    220.255.112.1 * 255.255.255.255 0 ppp0
    10.168.222.0 * 255.255.255.0 0 br0 (LAN)
    127.0.0.0 * 255.0.0.0 0 lo
    default 220.255.112.1 0.0.0.0 0 ppp0

    and one static route

    Destination Gateway Subnet Mask Metric Interface Description
    192.168.222.0 10.168.222.12 255.255.255.0 0 LAN
     
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm responding in a new thread here.
     
  50. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.22vpn2.0002

    Version 1.22vpn2.0002

    You can download the binaries and source from here.

    For those wanting to use the source, be sure to read the README file.

    This is just a small incremental update (as far as the VPN GUI is concerned). It mostly just pulls in the updated Tomato version.

    Changes from 1.21vpn2.0001
    • Updated to Tomato 1.22 baseline [1]
    • Cleaned up OpenVPN and LZO installation
      • Updated to 2.1rc13 (no functional difference I know of)

    Known limitations:
    • None that I am aware of. If you find some, let me know.

    [1] I've changed over to using git for source control, so updating to Tomato 1.22 was just a matter of a single git rebase command :smile:. Also as part of moving to git, my sources are now just a single (zipped) patch file - be sure to read the README if you plan to use the source.

    Let me know what you think, and what can be improved. :smile:
     
  51. occamsrazor

    occamsrazor Network Guru Member

    Hi,

    Firstly thanks for all the continued work. I've been using the Roadkill mod for over a year on a Buffalo WHR-G54s at home, and connecting to it remotely from my laptop.

    I haven't run this mod yet, but am keen to try. I've read through both threads as much as I can, but am somewhat confused as to where each is now in terms of features/functionality.

    Could someone explain to me in relatively simple terms the main differences between this mod and the Roadkill one in terms of features/functionality?

    I'm not needing to do site-to-site, only client to router vpn, and don't have any usb or sd/mmc functionality on my router.

    Thanks,

    Ben
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Roadkill includes my changes in his build, so I can see where that would get confusing. So, pretty much Roadkill's mod is the VPN GUI from here, some QOS features from Viktec's mod, and some additions having to do with added serial ports and SD memory (and few other things). If all you want is Tomato+VPN, this build is probably the best fit. If you specifically want any of the other features in Roadkill's mod, go with that. There is also the TrzepakoTomato mod, which also includes my changes, that adds some USB support (I don't know which Buffalo routers have USB ports, so this may not be relevant).

    Clear as mud?
     
  53. bigclaw

    bigclaw Network Guru Member

    Hi SgtPepperKSU, thanks for the mod. Is the mod considered stable at this point? I'm currently using Roadkill's old 1.19 version but I only need Tomato+VPN, so I'd like to give yours a try.

    I'm currently using a static key file, so the setup should be pretty simple.
     
  54. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I would say the last few releases have been very stable. Aside from the issue with having the VPN client router in Wireless Client Mode that we're currently investigating (the VPN NAT doesn't work in that case), I am not aware of any issues.

    As far as the back-end goes, static key is more complicated than TLS. This is because routing information cannot be pushed from server to client. If you are also using TUN, then you will have to manually configure routes. However, if you are using TAP and either have the same subnet on both routers or are okay with a layer of NATing, static key is fine without any custom configuration. Though, I suppose you realized all that since you are already using router-based VPN.
     
  55. occamsrazor

    occamsrazor Network Guru Member

    Thanks for that explanation, much appreciated....
     
  56. bigclaw

    bigclaw Network Guru Member

    Actually I'm not using the site-to-site feature at this point at all. My usage involves a single laptop (from work or public hot spot) connecting to the router at home so that I have access to my home network.

    In this case, I should paste the static key in the "server" portion of the VPN GUI, right?
     
  57. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, you'll want to use the server configuration for your setup. But, TUN+Static Key would still require custom routing even if you're not doing a site-to-site. TAP should work fine, though.
     
  58. bigclaw

    bigclaw Network Guru Member

    Thanks!

    Here's my current ovpn config file, which should be good to go?

    Code:
    dev tap0
    secret static.key
    proto udp
    route-gateway 192.168.1.1
    remote [my_home_ip] 1194
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float
    
     
  59. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep, just as long as the local network your laptop is on isn't also 192.168.1.0/24, you'll be fine! And, you shouldn't need the route-gateway line in your config, but it doesn't hurt.
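
The overlap condition in the reply above (the laptop's local network must not also be 192.168.1.0/24) can be checked against a routing table before the tunnel is brought up. This is an added example, not part of the original post or of the firmware; the function names are hypothetical, and the sample input is the client-side `route -n` output posted earlier in this thread.

```shell
#!/bin/sh
# Added example: list directly connected networks that overlap a remote
# subnet, reading `route -n` output on stdin. Function names are hypothetical.

# Dotted quad -> integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1                     # split on dots into $1..$4 (function-local)
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Two networks overlap when they agree on every bit covered by both masks.
nets_overlap() {                  # usage: nets_overlap NET1 MASK1 NET2 MASK2
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & $m )) -eq $(( $(ip2int "$3") & $m )) ]
}

# Print "iface dest/mask" for every connected route that overlaps NET/MASK.
route_conflicts() {               # usage: route -n | route_conflicts NET MASK
    while read -r dest gw mask flags metric ref use iface; do
        case $dest in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;   # a route entry
            *) continue ;;                    # header lines
        esac
        [ "$gw" = 0.0.0.0 ] || continue       # only directly connected networks
        [ "$mask" != 0.0.0.0 ] || continue    # ignore a default route
        if nets_overlap "$dest" "$mask" "$1" "$2"; then
            echo "$iface $dest/$mask"
        fi
    done
    return 0
}

# Sample input: the client router's routing table as posted in this thread.
sample_routes() {
cat <<'EOF'
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
EOF
}

# On a live system: route -n | route_conflicts 192.168.1.0 255.255.255.0
```

Run against the posted table, the 10.168.222.0/24 server LAN produces no output, while 192.168.1.0/24 is reported on eth1, the WAN side of that client router.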
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just did a little experimenting, and the memory is cached (not leaked - it will be reclaimed as needed) because loading the page runs the following command:
    Code:
    openvpn --show-ciphers
    Running this command from the SSH shell has the same effect. It is nothing to worry about.
     
  61. jimmo04

    jimmo04 LI Guru Member

    When I paste my Server Certificate (file server1.crt) in the Server Certificate textbox, its background turns yellow and the tooltip shows this error message:

    Invalid length. Please reduce the length to 1392 characters or less.

    My server1.crt is 1414 characters long. Why is mine longer than normal? :)
     
  62. baldrickturnip

    baldrickturnip LI Guru Member

    you only need to paste from --------BEGIN CERTIFICATE ------- to ------END CERTIFICATE------
     
  63. jimmo04

    jimmo04 LI Guru Member

    That's what I do... from the first - of the BEGIN to the last - of the END.
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Is there anything before the -----BEGIN.. line? Anything before that isn't needed. If not, I'd like to know how you generated your certificate - I may need to make the field longer.
     
  65. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Ah, I see I'm late to the party :wink: I opened up several tabs and got distracted before coming back to this one...

    I guess I need to make that field longer. In the meantime, you can bypass the length check by ssh/telneting to the router and running
    Code:
    nvram set vpn_server1_crt="<paste certificate>"
    nvram commit
    Do this after configuring the rest of the page. Then you'll be able to start the server from the GUI (or the shell or scripts), but you won't be able to make changes to the other settings without shortening that field first.

    I'd still like to know how you generated the certificate out of curiosity.
     
  66. jimmo04

    jimmo04 LI Guru Member

    Thanks. I tried using the SSH command line to set the nvram variable... However, it seems it won't let me type a command that is so long at once on the same command line. It just blocks!

    I don't really remember the exact details on how I generated the certificate. However it was on a Linux machine using a completely different version. Maybe that's the problem. It's 1,414 characters long including the BEGIN and END statements.
     
  67. jimmo04

    jimmo04 LI Guru Member

    It was some time ago... I used the easy-rsa script that was included with openvpn 2.0.9.
     
  68. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It doesn't need to be all on one line. Just copy the whole thing (including line breaks) and
    Code:
    nvram set vpn_server1_crt="<paste>"
    nvram commit
    The paste can span multiple lines before you get to the close quote. That is, assuming there are line breaks. Mine is twenty-some lines long with fifty-some characters per line.
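
Both points from this exchange, dropping everything outside the BEGIN/END lines and comparing the result with the 1392-character limit from the error message, can be checked on the machine that holds the certificate before falling back to `nvram set`. This is an added example, not part of the original posts or of the firmware; the function names are hypothetical, the sample file is constructed, and counting each line break as one character is an assumption about how the GUI measures the field.

```shell
#!/bin/sh
# Added example: trim a certificate file to its PEM block and compare the
# length with the GUI limit quoted in the thread. Names are hypothetical.

GUI_LIMIT=1392   # from the error message quoted in the thread

# Print only the first BEGIN..END CERTIFICATE block, without CRs or the
# human-readable text that may precede it.
pem_block() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblk = 1 }
        inblk { print }
        /^-----END CERTIFICATE-----$/ { if (inblk) exit }
    '
}

# Characters in the block, line breaks included, trailing newline excluded
# (assumption: this approximates what the GUI field counts).
pem_length() {
    block=$(pem_block "$1")
    echo "${#block}"
}

# 0 = fits the GUI field, 1 = longer than the limit, 2 = no complete block.
check_cert() {
    block=$(pem_block "$1")
    case $block in
        "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----") ;;
        *) return 2 ;;
    esac
    [ "${#block}" -le "$GUI_LIMIT" ] || return 1
    return 0
}

# Constructed sample: text header plus a dummy body, not a real certificate.
sample_cert() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
EOF
}

# Command-line use: sh thisfile server1.crt
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    rc=0; check_cert "$1" || rc=$?
    case $rc in
        0) echo "fits: $(pem_length "$1") of $GUI_LIMIT characters" ;;
        1) echo "too long ($(pem_length "$1")): set vpn_server1_crt with nvram set" ;;
        2) echo "no complete certificate block found" ;;
    esac
fi
```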
     
  69. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    In fact, here's a quick build with the certificate fields increased in length:

    1.22vpn2.9003
     
  70. kamatschka

    kamatschka Network Guru Member

    So is it possible to connect 2 LinksysWRTs over VPN?

    I wanted to connect my router over VPN with the router of a friend of mine. So is it then possible to use this VPN connection like a normal LAN connection? Is it possible to see each other in "Network" and communicate (games, data transfer, etc.) with each other?


    Thanks in Advance...
     
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep, that's the idea! :smile:
    You will only be able to browse Network Neighborhood type windows if you use TAP and both networks are on the same subnet (you'll be sharing that subnet, so be sure not to have conflicting IP assignments).
    Even if you don't go that route, you will be able to open their network shares (by specifying ip address manually), transfer files, and play games. It's just broadcast traffic (traffic not destined for a particular IP) that won't get routed over the VPN without extra work (if it's even possible).

    Currently, the only automatic configuration is client->server only (server LAN can't see client LAN), but if you decide you want client<->server connections, I can help you add the custom configuration necessary. Or, there are many howtos floating around the 'net.
     
  72. kamatschka

    kamatschka Network Guru Member

    Thank you for your help...

    So with this solution I can browse the shared folders/Files either from Server to client or from client to Server if I type the IP manually in the Explorer?


    So I'm really new to this and I would appreciate it if you could post a link to a HowTo or something for the "Client<->Server" solution with tomato or OpenWRT ....

    Thank you in advance...
     
  73. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes that's right. You can just go to Start->Run and type in \\<ip address>\ and browse their shared files from there (or do the same from within explorer).

    If you use TAP and share a subnet, then this build handles client<->server communication without any need for custom configuration. If you don't want to share a subnet, then what you need to do will depend on whether you use static key or TLS mode.

    I haven't tried it, but I think here is all you have to do (substituting values as appropriate):

    For Static Key mode, add
    Code:
    route other_subnet other_netmask
    iroute  other_subnet other_netmask
    (the iroute might not be necessary) to the custom configuration on each router

    For TLS mode, add
    Code:
    mkdir /tmp/ccd
    echo "iroute other_subnet other_netmask" > /tmp/ccd/other_commonname
    to the init script section on the server and
    Code:
    client-config-dir /tmp/ccd
    route other_subnet other_netmask
    to the custom config section on the server.

    I'll probably give this a try some time in the next couple of days. If anyone else has done it, feel free to chime in.

    EDIT: Oh, and with either Static Key or TLS you'll want to uncheck the NAT checkbox on the client if you're setting up the routes manually like shown above.
     
  74. bigclaw

    bigclaw Network Guru Member

    If I wish to achieve:

    Code:
    TAP
    Same subnet
    client <-> server
    
    Should I do the following, as an example?

    Code:
    Router 1 (server): 192.168.1.1
    DHCP range: 192.168.1.100 - 192.168.1.150
    TAP
    UDP
    static key
    
    Router 2 (client): 192.168.1.2
    DHCP range: 192.168.1.151 - 192.168.1.200
    TAP
    UDP
    same static key
    
    Will this allow the server and the client resources see one other without limitations? Thanks.
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, a site-to-site should be seamless in that environment.
     
  76. kisenberg

    kisenberg Addicted to LI Member

    I have a problem with this mod and iptables. Changes in Port Forwarding are saved in the Web-GUI, but they don't work. I looked into the IPTABLE-dump. The changes are not inside. Also changes in admin port take no effect in the iptables.
     
  77. baldrickturnip

    baldrickturnip LI Guru Member

    I am noticing that problem also.

    the port forwarding changes are not working even though it shows changed in the web GUI

    also the static routing , even when removed via the GUI and saved it is still in the routing table.

    I tried a reboot , but no change.
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.22vpn2.0004

    Version 1.22vpn2.0004

    You can download the binaries and source from here.

    For those wanting to use the source, be sure to read the README file.

    Sorry for the short release cycle here. The bug in 1.22vpn2.0002 shouldn't have gotten past my testing, but I must have made a small change part way through my testing that caused it.

    Changes from 1.22vpn2.0002
    • Fixed automatic firewall generation.
      • This should fix the loss of admin access problem.
      • This should fix the port forwarding not working problem.
      • For what it's worth, I haven't been able to recreate the SSL problem with this build. But, since the root cause of that isn't known for sure, I can't call it "fixed". If you still see it, let me know.

    Known limitations:
    • None that I am aware of. If you find some, let me know.

    Let me know what you think, and what can be improved. :smile:
     
  79. bigclaw

    bigclaw Network Guru Member

    I don't see any binaries in there...
     
  80. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, the "_source" was added to the wrong two files. The .7z was the binaries, not the source. I've renamed them.
     
  81. DJClean

    DJClean LI Guru Member

    Ok...

    Simple question since I'm interested in this.

    Can I just flash it over my current tomato 1.21 to 1.22 with VPN?

    Because when I tried it a few days ago I flashed it and my WRT54GL refused to work anymore.

    So basically it was sort of bricked, debricked with tftp and reset nvram.

    Or should I have reset the NVRAM after I flashed it from 1.21 to 1.22 with vpn?
     
  82. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's always a good idea to clear nvram after upgrading, but not strictly necessary.

    When you say it "refused to work", what do you mean? Could you just not get to the admin interface (do you use http or https?), or did it stop providing wireless and/or dhcp addresses? If it is the former, it could just have been the bug fixed in 1.22vpn2.0004.
     
  83. fyellin

    fyellin LI Guru Member

    Will AES be available as a cipher mode anytime soon? Blowfish is so last millennium. :)

    Obviously not in the least bit urgent.
     
  84. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I have OpenSSL 0.9.8i through the tomato build process (including libfoo.pl for those that care) and installed on the router, but it fails at run-time when it actually does encryption with missing __divdi3 and __moddi3 (64-bit divide and multiply) symbols. Apparently, these are supposed to be provided by libgcc, but modifying libc to include that doesn't fix it. I am working on resolving this issue.

    Hopefully, I'll have that straightened out soon and OpenVPN will automatically pick up all the new ciphers. For a little while now, I've been more focused on other items. But, I haven't forgotten about it :smile:
     
  85. fyellin

    fyellin LI Guru Member

    This is particularly strange because
    • AES is a 32-bit algorithm, not a 64-bit one.
    • AES doesn't use multiply or divide
    • The router has to already have AES built in, since it implements WPA/AES
    Must be some initialization code somewhere that has changed.

    Thanks for the quick response.
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, I think it was blowing up when using blowfish. I don't think I even got around to trying AES.

    And, I haven't found a way to have OpenSSL use the AES hardware on the router yet, so it would be done in software (unlike AES w/ wireless), at least initially.

    EDIT: Just compiled it again and loaded it on the router. It does the same for AES:
    Code:
    # openssl
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    OpenSSL> aes-128-cbc
    enter aes-128-cbc encryption password:*** Unresolved: __umoddi3
    
     
  87. DJClean

    DJClean LI Guru Member

    Well.. let's see... installed the firmware

    Looked at router after reboot

    The lan ports were working fine (was planning for the future with the VPN since of changing ISP and such)

    But couldn't enter the webinterface via http or access the router by ssh.

    The power led was going on/off/on/off/etc...

    So basically, well, it didn't want to work on me :)

    We tried TFTP with old firmware still did the same until we did a hard NVRam reset on the router itself with the nifty little reset button. Since it could've been possible tomato settings stopping linksys firmware from working. :)
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you haven't yet, you should give the newer version a try. It was probably just the bug that was fixed in 1.22vpn2.0004. And, if you are upgrading from linksys firmware, you should definitely clear nvram after the upgrade.
     
  89. DJClean

    DJClean LI Guru Member

    Well did the reset now.

    But won't test your new version now.

    1. I'll get a brother bashing in on me if it fails.
    2. All shops are closed at 0:30 this time in The Netherlands ;)

    PS: Running the Tomato 1.22 now so :) not running linksys firmware after we tried tomato i banned that firmware from my harddisk and WRT54GL but it was unstoppable to TFTP :)
     
  90. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I registered in the forum to thank you for your great release.
    I'm also wondering how to configure openvpn so that I can connect without using the openvpn client, e.g. with the Vista/XP default connection manager?
    Or does openvpn only work with the openvpn client?
    Thank you and have a good day.
     
  91. baldrickturnip

    baldrickturnip LI Guru Member

    thanks SgtPepperKSU - ( is this also your nick on /. ?)

    I put the new version on and it seems to have fixed the port forwarding but I cannot test the static routing at the moment.

    In the next day I will flash the unit I have configured as the wifi client and test to see if the issues there have been resolved also.
     
  92. ntest7

    ntest7 Network Guru Member

    OpenVPN only connects to OpenVPN.
    There is an "official" OpenVPN for Windows.
    http://openvpn.net
    I suggest using version 2.1 (right now version 2.1rc15 - a release candidate, but works well on Vista)
     
  93. turbo53

    turbo53 Network Guru Member

    Simple question about this mod. I just got an iPhone 3G. The phone supports VPN using L2TP, PPTP and IPSec. Will this mod enable the iPhone to set up a VPN connection to my network?

    Thanks in advance.
     
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The answer to both is the same. As ntest7 mentioned, only the OpenVPN client can connect to an OpenVPN connection (Network Manager in Linux connects extremely smoothly, but it uses openvpn in the backend).
     
  95. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Indeed, it is. I'm surprised anyone recognized it. I hardly ever post there.
    Glad it's working now!
     
  96. kenyloveg

    kenyloveg LI Guru Member

    Well, looks like I misunderstood openvpn.
    Is there another way to set up a VPN server in Tomato that makes systems without an openvpn client (Symbian OS, iPhone...) also work? Can MPPE, dkms, pptpd packages be compiled and work?
    Thanks.
     
  97. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I really don't have any experience setting up a VPN server with anything other than OpenVPN, so I'm afraid I can't be of much help. You could do an internet search on the different types of VPN that your phone supports to find what can be installed on linux, though.
     
  98. ng12345

    ng12345 LI Guru Member

    thanks for all of your fantastic work;

    I noticed in your latest build you fixed something that was causing loss of admin access -- I actually lost admin access to my router and I was wondering what the best way to restore that would be -- do I need to tftp to the router and reflash?

    on another note -- I noticed openvpn 2.1rc15 is out -- I don't know if any of the changes affect implementation -- though there are a couple of new options implemented -- any hopes of updating soon?

    as an aside, I wish openvpn would post a roadmap or something -- I have been waiting for 2.1 to come out for more than 2 months and holding off upgrading all my routers; anyone know when the final release is supposed to come about?
     
  99. ntest7

    ntest7 Network Guru Member

    Your best bet is a build with pptp built in already. I don't know of a stable tomato version for that, you might look at dd-wrt - their v24sp1 works quite well.
     
  100. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I found unplugging and replugging got me admin access back. Otherwise, tftp is probably the easiest way.
    I already have it updated in my local builds, so it will be updated whenever I next release.
    I feel the same way. I kept the build at rc12 after rc13 since I thought I'd wait for more significant changes to come in. And, sure enough, as soon as I updated it to rc13 they released rc14 and rc15...
    Personally, I don't think they should be calling them release candidates if they're going to release so many of them, adding features along the way.
     
