Another test version: This one

- Adds tls-auth input!
- Does a better job of cleaning up resources if starting up the server fails
- Fixed "certifate" typo :wink:
- Switched to 7zip compression on download file, so it is much, much smaller

From the last test build:

- Address field lengthened to 32 characters
- Static key mode site-to-site improvements

Download it here. If you find problems, especially regressions, be sure to let me know! There's probably enough changes there to warrant a full release, so I'll make a release if no bugs are found in the near future.
EDIT: just realized that you create an ovpn file that I can directly edit through SSH

EDIT: quick bug in your latest release, you didn't add a 1 to the end of the "tls-auth" line in the config, so it doesn't work (I had to manually edit the ovpn and add it in); I don't know about the server side script

also for TUN, I couldn't connect to computers behind the server router until I changed your client side firewall script to below (also added icmp for ping):

Code:
#!/bin/sh
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br+ -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -o br+ -j ACCEPT
iptables -I INPUT -i tun+ -p icmp -j ACCEPT
iptables -I OUTPUT -o tun+ -p icmp -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.x.y/16 -o tun+ -j MASQUERADE
iptables -A FORWARD -s 192.168.x.y/16 -o tun+ -j ACCEPT
iptables -A FORWARD -d 192.168.x.y/16 -m state --state ESTABLISHED,RELATED -i tun+ -j ACCEPT

as a last note, your config currently adds a number to the tun interface you create (for example, dev tun2); you don't need the # and it actually is cleaner without the number because you also don't have to initialize the connection first (openvpn does it for you) -- this is the config file I usually use for tun site to site:

Code:
daemon
client
dev tun
remote xyz.xyz.xyz.xyz 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
comp-lzo #don't need a yes here
cipher bf-cbc
verb 4
tls-auth client1-static.key 1
ca client1-ca.crt
cert client1.crt
key client1.key
# Custom Configuration
ns-cert-type server
float

thanks for the great work! -- EDIT: I was also thinking about a possible solution to a TUN two-way site to site (via the gui).
The real issue is creating a gui for the client-configs; I was wondering if you could use an approach similar to what is used for port forwarding and reserving dhcp leases in the current gui, where you would have two columns (Client Common Name, Client Config Script) and the ability to add/edit/etc as we need. This would be a little easier than using jffs as well as the gui.
Not so much a bug, as room for an additional feature. The 0 or 1 is an optional parameter specifying direction. Leaving it off means bi-directional (which I thought would be the most common). I'll add in the option to change it in the GUI. Odd, it worked for me. I'll have to do more experimenting, I guess. But I am creating and removing multiple interfaces. In order to be sure I'm deleting the correct one that was used, I need to specify the one that was used. And, I don't believe that would work for TAP anyway, and this keeps things more consistent. That's the general idea of what I've been picturing in my head. However, creating the GUI isn't the only obstacle. If I auto-generate a client-connect or client-config-dir, then the user wouldn't be able to specify their own as well. Perhaps in a future release I'll settle on an acceptable compromise. It's definitely churning in the back of my mind. :smile:
I asked for it before. I understand what VPN is but can you please post a screenshotted guide of your build on how to set it up with Win XP or Win Vista. Which settings do what and what to enter in which VPN option in your tomato mod. Really like to use VPN but I am confused as to where to even start.
openvpn init error

I am using Tomato 1.21vpn1.0017 (without using graphic gui). I create jffs partition. I put in /jffs/openvpn the following vpn files:

Code:
ca.crt
dh1024.pem
key.txt
server.conf
server.crt
server.key

server.conf:

Code:
dev tun0
mode server
proto udp
port 1194
server 10.9.8.0 255.255.255.0
client-to-client
max-clients 10
client-config-dir /jffs/openvpn/ccd/
ifconfig-pool-persist /jffs/openvpn/ipp.txt
daemon
persist-key
persist-tun
comp-lzo
keepalive 10 120
verb 5
cipher BF-CBC
tls-auth /jffs/openvpn/key.txt 0
ca /jffs/openvpn/ca.crt
dh /jffs/openvpn/dh1024.pem
cert /jffs/openvpn/server.crt
key /jffs/openvpn/server.key

in administration - scripts - init:

Code:
sleep 5
# the symlink must exist before /tmp/myvpn can be run
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --mktun --dev tun0
# Initiate the tunnel
sleep 5
/tmp/myvpn --config /jffs/openvpn/server.conf

in administration - scripts - firewall:

Code:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT

but when the router starts, openvpn doesn't work

Code:
Nov 3 15:22:56 unknown daemon.notice openvpn[267]: OpenVPN 2.1_rc12 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Oct 29 2008
Nov 3 15:22:57 unknown daemon.notice openvpn[267]: Diffie-Hellman initialized with 1024 bit key
Nov 3 15:22:57 unknown daemon.warn openvpn[267]: WARNING: file '/jffs/openvpn/server.key' is group or others accessible
Nov 3 15:22:57 unknown daemon.warn openvpn[267]: WARNING: file '/jffs/openvpn/key.txt' is group or others accessible
Nov 3 15:22:57 unknown daemon.notice openvpn[267]: Control Channel Authentication: using '/jffs/openvpn/key.txt' as a OpenVPN static key file
Nov 3 15:22:57 unknown daemon.notice openvpn[267]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 3 15:22:57 unknown daemon.notice openvpn[267]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 3 15:22:57 unknown daemon.notice openvpn[267]: TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Nov 3 15:22:57 unknown daemon.warn openvpn[267]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Nov 3 15:22:57 unknown daemon.notice openvpn[267]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Nov 3 15:22:57 unknown daemon.err openvpn[267]: Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
Nov 3 15:22:57 unknown daemon.notice openvpn[267]: Exiting

on dd-wrt the same config works fine

what is wrong?
you need to add the tun module:

Code:
modprobe tun

before you can create a tap/tun interface. My build only loads it into memory as needed to conserve resources.
A good place to start would be the OpenVPN HowTo. But, here is a quick summary of the different settings:

Server
- Interface Type: See here for deciding which to use
  - TAP: "Bridged". This creates a virtual device that is treated like an additional ethernet card, only the "ethernet cable" is the VPN tunnel
  - TUN: "Routed". Creates a Point-to-Point device.
- Protocol
  - TCP: Use this if you know you have to, or if your tunnel is going to need to go through a HTTP proxy
  - UDP: Otherwise, use this
- Port: port that the server will listen on
- Firewall
  - Automatic: the firmware will automatically open the firewall for incoming connections and the VPN tunnel
  - External only: the firmware will only open the firewall for incoming connections
  - Custom: the firmware won't generate any firewall rules
- Authorization mode
  - TLS: This is the more powerful option, but it takes a bit more work generating certificates. Must use this to have multiple clients. See here for generating certificates
  - Static Key: A bit simpler to generate keys, but not scalable. See here for information on static key mode
  - Custom: I won't auto-generate any authorization settings, you do it yourself in the Custom Configuration section
- Use extra HMAC authorization (TLS only): When using TLS, the server has to negotiate with the client before knowing if they are legit or not. This uses resources. Using this setting will add a pre-shared static key to use to be able to reject bogus traffic before wasting any time on it
- Client Address Pool (TAP+TLS only): IP range to assign to clients. If DHCP is selected, an address will be assigned out of the normal LAN DHCP range.
- VPN subnet/netmask (TUN+TLS only): Subnet and netmask to use for tunnel, must be different from the subnet used on server and all clients
- Use extra HMAC authorization: see above. Setting must be complementary to server setting (Incoming on server = Outgoing on client)
- Local/remote endpoint addresses (TUN+Static Key only): Addresses to use for local endpoint and what to look for as remote endpoint (must be on the same subnet as each other, but a different subnet than both client and server)
- Encryption cipher: The actual encryption algorithm. If you don't care, just leave it as Default: BF-CBC will be used
- Compression: compresses VPN traffic if enabled. Adaptive mode will dynamically decide as it goes along whether or not to compress (some traffic is actually more efficient uncompressed)
- Custom Configuration: your place to add any settings I didn't put in the GUI
- The remaining fields are various keys and certificates (see links above on how to generate them)

Client
- Interface type: must be same as server
- Protocol: must be same as server
- Server address/port: address of server and port number it is listening on
- Firewall
  - Automatic: the firmware will automatically open the firewall for incoming connections and the VPN tunnel
  - Custom: the firmware won't generate any firewall rules
- Authorization Mode: must be same as server
- Server is on same subnet (TAP only): If the client and server are on the same subnet, this will bridge them together
- Create NAT on tunnel (TUN or TAP with different subnets): Creates a NAT on the client end of the tunnel. This makes all traffic look like it is coming from the tunnel endpoint, and saves us from having to manually set up routing
- Tunnel address/netmask (TAP+Static key only): address to use as the client side tunnel endpoint. Must be a free address on server subnet. Netmask is the netmask on the server LAN
- Local/remote tunnel endpoints (TUN+Static Key only): use the same addresses as you used on the server, only reversed
- Encryption cipher: must be same as server
- Compression: Must be same as server
- Connection retry: how long to retry resolving the server address before giving up
- Custom Configuration: your place to add settings I didn't put in the GUI
- The remaining fields are for various keys and certificates, see above links on generating them
My fault; didn't realize it was optional -- the way I read it was that it was 0 on server and 1 on client. I'll try removing the number from all my sites and see what happens. I apologize if I am critiquing too much -- since I set up my site with roadkill's mod first, I'm trying to wedge a gui over my currently existing script instead of starting anew with your gui. The firewall script I pasted was exactly the one that I use on the server (using roadkill's mod) -- so I don't know if that is part of the issue. Thanks for all your comments!
No problem. I was actually considering adding an option for that parameter, but didn't get to it by the time I posted that test build. It definitely should be an option if I'm going to include tls-auth. Not at all! I really appreciate it. Without people posting suggestions and problems, progress would be slow. A perfectly reasonable approach. If you have a reasonable configuration, it should be possible to do it using the GUI. If not, there's a problem I need to fix. Like I said, the auto-generated firewall rules seem to work for me. So, if you could try adding and removing your rules one at a time from the shell (with the tunnel running) to see what it is that is lacking, I would appreciate it. That way maybe we can figure out what is different, and when/if I should autogenerate those firewall rules. Thanks!
I really appreciate all of the comments I've received. Here is another test build: Build 1.21vpn1.9036 can be downloaded here. This will hopefully be the last test build before the next release.

Changes in this test build:
- tls-auth now has directional options
- Cleanup on startup failure is now added to client instances as well
- Fixed static key files not getting cleaned up

From previous test builds:
- Adds tls-auth input!
- Does a better job of cleaning up resources if starting up the server fails
- Fixed "certifate" typo :wink:
- Switched to 7zip compression on download file, so it is much, much smaller
- Address field lengthened to 32 characters
- Static key mode site-to-site improvements
Thanks and FYI First off, thanks for this. This is the one thing that's been missing from Tomato. FYI in the previous test build the TLS setting didn't seem to stick if you set it to off and saved the page. Might just be lack of testing, but that's what I saw. On another note... as a future feature, it would be nice to have the ability to use OpenVPN to connect two routers via wireless. Meaning that all the wireless traffic would be encrypted. Sure it would mean less total throughput, but the added security would be nice. Anyway thanks again. -K1nslayer
Version? Sorry, I forgot to mention this. Is there a reason this mod isn't compiled with OpenVPN v2.1rc13? The notes on the first page say it's using rc12.
Glad you find it useful! Could you clarify what the "previous version" and "TLS setting" that you mention are? If you are referring to 1.21vpn1.9027 and the HMAC authentication option, I did notice that the setting was not being read from nvram properly when displaying the page (the setting was being saved and used properly, though). It is fixed in the latest test build. If you are referring to something else, please let me know so I can look into it. Interesting idea. And, with compression enabled, it could actually mean more throughput (especially if you just use compression, no encryption). I gave away my second router a bit back, so I can't try it myself, but I think it may already be possible. If you connect router 2 to router 1 via Wireless Client mode, then create a VPN from router 2 (client) to router 1 (server). It might just work. You could even use the redirect-gateway directive (which I see making it to the GUI sometime, but not until I test it) to have all internet traffic go through the tunnel, too. I'm intrigued, let me know if you try it. :smile: 2.1rc12 was the latest when I made my first release, and the changelog indicated that the only changes were the version of OpenSSL bundled with the windows installer (not relevant), copyright changes (not functional), and a small change to the management interface (which I don't use). Plus, with how rapidly rc10 through rc13 were released, I thought it wouldn't be long before the next was released. If there's a relevant improvement in 2.1rc13 that I'm not aware of, let me know and I'll update.
I suspect compression will matter very little given the cpu constraints. I only get a couple mbit/s through a site to site vpn running on our gbit network at work (the only 100mbit links are from each router to the switch).
Hi, thanks for this great build, using it on my gateway for vpn access! But, could it be that your firmware causes this issue? I have a second router (WRT54G) connected to the first router in bridge mode. The second router is not running your build but plain tomato and SSL remote access starts without problems. On the first router your firmware is installed and SSL won't start... Greetings, Till
1.21vpn2.0001

Version 1.21vpn2.0001

You can download the binaries and source from here. For those wanting to use the source, be sure to read the README file included in the source archive.

Changes from 1.21vpn1.0017
- Static Key mode site-to-site now doesn't need any custom configuration
- Adds tls-auth support (both directional and bi-directional)
- Resources are now properly cleaned up if a client or server fails to start
- Fixed typos and GUI bugs
- Server address field lengthened to 32 bytes from 16
- Download file is now a 7zip file and, as such, is about one sixth the size

Known limitations: None that I am aware of. If you find some, let me know.

I went ahead and tested site-to-site for all combinations of UDP/TCP, TAP/TUN, and TLS/TLS+Static/Static (with the exception of TUN w/ Static Key mode [1]). All work with zero custom configurations!

[1] This mode is particularly difficult because with TUN there is no bridging and with Static Key mode you can't push information to the clients.

Let me know what you think, and what can be improved. :smile:
Hi, Can anyone confirm the HTTPs port sharing function of OpenVPN works in this firmware? if it does, that would ROCK! I was going to put openVPN on my server at home, then I noticed the port sharing isn't implemented on windows.... But if it was running on my router that would be even more ideal Cheers
I had never heard of that feature, but I just tried it....and it worked! That's a really cool feature. Thanks for bringing it to my attention.
Thanks SgtPepperKSU! Port sharing is definitely really cool. Where I work blocks SSL that isn't on port 443, but I still want to have SSL for my webmail etc. I'll be trying out your firmware tonight!
I noticed there must be a huge memory-leak in this version.
1. look at the free RAM space
2. open the VPN page
3. look at the free RAM space
I have memory loss of about 50%. And that WITHOUT enabling VPN
If you run top from the shell while you do that, you'll notice that the memory is just being used as cache, not leaked. My understanding is that memory would be reclaimed when needed.
Thanks for the fast response and sorry for the double-post Maybe you are right, but WHY does this effect not appear when browsing through other pages?
Probably due to the large number of nvram variables being read (incidentally, did you already have keys/certs in the configuration when you loaded in the page?). I'll do some experimentation some time to make sure I understand exactly what's causing it.
I have flashed my 54GL with the VPN GUI mod, cleared the NVRAM and then go to the VPN tunneling and on server 1 clicked on the start now button. Where and how do I create the keys/certs/authority? I read the openVPN how to and then created a telnet session with the 54GL:

cd /
ls
cd etc
ls
cd openvpn

and there is nothing there? Where do I go, what command or file needs to be executed and what needs to be copied and pasted into the VPN configuration boxes? Am I making some basic mistakes - probably. Can someone point me in a direction? Thanks
You will have to download openvpn to another computer and generate the keys there. The utilities needed are not on the router itself. Then you will be able to follow the OpenVPN howto.
Can't get vpnserver2 to startup from Init script..??

Probably my ignorance showing here.. :biggrin: I added the following line (only line actually) in my init script but I do not see OpenVPN starting when I check the log.. I have to manually hit the start button on the server 2 tab.

service vpnserver2 start <--- this does not start the service?!?!

Am I doing something wrong? I really want OpenVPN to start whenever my router reboots/drops power. Thanks for the awesome job on the firmware! I am running your latest version v1.21vpn2.0001.

Any way to view the ovpn config file your gui creates for the server or client? I would imagine it's in the router somewhere.. ?? I am wanting to see if my custom entries are overlapping with what you are creating.

edit: nevermind the question on the ovpn config... found it.. and cp'd it to my cifs1 share to check it out!

# Automatically generated configuration
daemon
server-bridge 192.168.1.1 255.255.255.0 192.168.1.222 192.168.1.226
proto tcp-server
port 443
dev tap22
comp-lzo yes
keepalive 15 60
verb 3
ca server2-ca.crt
dh server2-dh.pem
cert server2.crt
key server2.key
status-version 2
status server2.status

# Custom Configuration
tls-server
proto tcp-server
mode server
push "route-gateway 192.168.1.1"
push "dhcp-option DNS 192.168.1.1"
client-to-client
keepalive 15 60
#verb 3
#daemon

A few overlaps! Time to tidy up my custom commands!! Excellent work again!!

Regards,
Weav
You probably need to add a delay before that line:

Code:
sleep 10

You can try different values (in seconds) to see what is needed.
Oh, and there may be more overlaps there than you realize. The server-bridge line already performs the "mode server", the route-gateway push, and the tls-server lines. The only ones there you should need in your custom config are the dhcp-option push and the client-to-client lines. Just an FYI in case you didn't already realize that.
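As an added illustration of the overlap check described in the two posts above (this is not code from the thread or from the firmware), the following POSIX shell script reads a generated server config, lists every directive that appears more than once, and lists the custom lines that the server-bridge helper directive already expands to (mode server, tls-server, push "route-gateway"). The sample config is constructed from the one posted above.

```shell
#!/bin/sh
# Added example: find redundant directives in an OpenVPN config that mixes
# the GUI's auto-generated section with a hand-written custom section.

# Constructed sample, modelled on the generated + custom config posted above.
SAMPLE_CONF='# Automatically generated configuration
daemon
server-bridge 192.168.1.1 255.255.255.0 192.168.1.222 192.168.1.226
proto tcp-server
port 443
dev tap22
comp-lzo yes
keepalive 15 60
verb 3
ca server2-ca.crt
dh server2-dh.pem
cert server2.crt
key server2.key
status-version 2
status server2.status
# Custom Configuration
tls-server
proto tcp-server
mode server
push "route-gateway 192.168.1.1"
push "dhcp-option DNS 192.168.1.1"
client-to-client
keepalive 15 60
#verb 3
#daemon'

# Print each directive that occurs more than once, one per line, sorted.
# Comment lines (# or ;) and blank lines are ignored. "push" is keyed on its
# first argument so that different push options are not counted as duplicates.
duplicate_directives() {
    printf '%s\n' "$1" |
    awk '
        { gsub("\"", "") }                          # strip quotes around push args
        /^[ \t]*#/ || /^[ \t]*;/ || NF == 0 { next }
        {
            key = $1
            if (key == "push") key = "push " $2
            count[key]++
        }
        END { for (k in count) if (count[k] > 1) print k }
    ' | sort
}

# If the config contains a server-bridge line, print the custom directives it
# already implies. Per the OpenVPN manual, server-bridge is a helper that
# expands to "mode server", "tls-server", an ifconfig-pool and
# push "route-gateway <gw>", so writing those again is redundant.
implied_by_server_bridge() {
    printf '%s\n' "$1" |
    awk '
        { gsub("\"", "") }
        /^[ \t]*#/ || /^[ \t]*;/ || NF == 0 { next }
        $1 == "server-bridge" { bridged = 1 }
        $1 == "mode" && $2 == "server" { seen["mode server"] = 1 }
        $1 == "tls-server" { seen["tls-server"] = 1 }
        $1 == "push" && $2 == "route-gateway" { seen["push route-gateway"] = 1 }
        END { if (bridged) for (k in seen) print k }
    ' | sort
}

# Report on the sample when run directly (the functions are also usable on a
# file: duplicate_directives "$(cat /path/to/server.conf)").
echo "Duplicated directives:"
duplicate_directives "$SAMPLE_CONF"
echo "Already implied by server-bridge:"
implied_by_server_bridge "$SAMPLE_CONF"
```

On the router the generated file can be fed in with `duplicate_directives "$(cat <path of the generated config>)"`; the report for the sample is "keepalive, proto" and "mode server, push route-gateway, tls-server", matching the reply above.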
Weird problem Just so you know. I tried this tomato mod (ver 1.21vpn1.0017) and I'm testing on a second WRT54GL, which I use like a simple switch. I'm setting it up on 192.168.2.x segment with WAN disabled. I also set the router's IP address on 192.168.2.7 with wireless disabled. Whenever I do this, I lose the web interface. To bring it back, I press the reset button for more than 5 secs. I also tried clearing the NVRAM but it didn't help to fix the problem. Roadkill's mod works well with my settings (WAN disabled). My $0.02.
That's interesting. Roadkill includes my changes, but I don't know if he has the latest (does the GUI look the same in his - fields in the same order?). If not, then it might be something to do with the automatic firewall rules. I must admit I didn't try with WAN disabled. Can you still connect via SSH after starting the server? If so, could you try running

Code:
iptables -Lv
route -n

before and after starting it? Also, are you using TAP or TUN? Have you tried both?
Yes I can. I will try later this week-end, right now I have Roadkill's version, I need to reflash it. I will let you know soon. VPN wasn't setup yet. I believe it's when I changed the segment and or I disabled the WAN because I was doing both on same time. I will try to test the iptables sometimes this week-end. Thanks for the quick answer.
Hi! I just tried again.
- I didn't tell you the truth, I'm using 1.21vpn2.0001.
- I can not connect to my router in any way (Web GUI, telnet or ssh).

Now, more observations:
- The router is still working properly using the settings I put. I just can't access it anymore.
- The router is using the settings I've put in.
- I tried to put the commands (mentioned before) in the init script but it didn't change anything.

I will now try to change one setting at a time....
More testing done. Whenever I switch to WAN disable, I can't access tomato's Web GUI but I CAN access the router using telnet. Here is the result of the commands you asked:

before
# iptables -Lv
iptables: No chain/target/match by that name
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

after
# iptables -Lv
iptables: No chain/target/match by that name
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
#

I'm also attaching a picture of my settings just before hitting the save button.
I would say *thank you* to you SgtPepperKSU for that really nice mod. I'm using the 1.21vpn2.0001 version and it works really well with a TLS server configuration. Thank you very much for all your work. :thumbup: :thumbups: :rockon:
Oh, I misunderstood before. I thought you had all those settings in place and when you started the VPN server, it stopped working. This is even more odd, since if you haven't run a vpn client and/or server since the last reboot, none of my code should be run and it should behave just like vanilla tomato. Are you sure you erased nvram (thorough) after flashing to this build (even if coming from roadkill's mod)? And, I made a mistake in the commands I gave you to run. The 'L' and the 'v' in the iptables command need to be reversed, but you can probably just drop the v altogether. Also, if you continue to have trouble, it would probably be better if you opened a new thread so we don't clutter this one up unnecessarily.
I have 2 54GL's flashed with the VPN GUI mod with one set up to be server and one as client. I followed the OpenVPN how to and generated certificate Authority, server, client and DH certs and keys and copied/pasted from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- into the GUI boxes and saved. Both the server and client will start but I get the errors below - googling the error said it was a time issue with the validity of the certs so I changed the time on both 54GL's but still the error occurs

server log
daemon.err openvpn[425]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)

client log
unknown daemon.err openvpn[15727]: TLS Error: Unroutable control packet received from 220.255.x.x:1194 (si=3 op=P_CONTROL_V1)

any ideas as to what I might be doing wrong here ?
Time zones are identical and I am using TAP. In the client .crt file there is quite a lot of information before the -----BEGIN CERTIFICATE----- . It seems to be the only .crt file with this - does this information need to be used somewhere ? and I am not sure if it makes a difference but the WRT54GL that is set up as the Client is running as a wireless client connected to the modem/AP that is connected to the outside world.
The information before the -----BEGIN CERTIFICATE----- isn't needed. Are the two routers on the same subnet? Do you have the box checked for the same subnet on the client?
I unchecked the box for same subnet and the client now seems to connect

Code:
Nov 17 16:47:31 unknown daemon.notice openvpn[17886]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 17 16:47:31 unknown daemon.notice openvpn[17886]: Socket Buffers: R=[32767->65534] S=[32767->65534]
Nov 17 16:47:31 unknown daemon.notice openvpn[17886]: UDPv4 link local: [undef]
Nov 17 16:47:31 unknown daemon.notice openvpn[17886]: UDPv4 link remote: 220.255.xxx.xxx:1194

but no joy from a device behind the client router pinging a device behind the server router. Do I have to map static routes to the TAP interface ?
When I set the wireless mode to wireless ethernet bridge, the webinterface was not available anymore. Although the box seemed to do his job. Flashing back to the official tomato version resolved the problem. Can anybody else reproduce this?
Not if the two routers are on the same subnet? Are they? And, if so, have you ensured there are no conflicting addresses?
the server router LAN is 10.168.222.x and the client router LAN is 192.168.2.x the client pool on the server is 10.168.222.211 to 220 which does not conflict with anything. should I be able to ping the server LAN address with the ping client on the tomato GUI client router ? as I cannot.
Since you are on separate subnets and have control over both endpoints, I would suggest using TUN. You might try using that. But, first, could you run

Code:
route -n

on each router and post the information here?
this is from the client end

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

I will have to wait until tomorrow to get the server end, though this is its routing table from the GUI

Destination    Gateway        Subnet Mask      Metric Interface
220.255.112.1  *              255.255.255.255  0      ppp0
10.168.222.0   *              255.255.255.0    0      br0 (LAN)
127.0.0.0      *              255.0.0.0        0      lo
default        220.255.112.1  0.0.0.0          0      ppp0

and one static route

Destination    Gateway        Subnet Mask    Metric Interface Description
192.168.222.0  10.168.222.12  255.255.255.0  0      LAN
1.22vpn2.0002

Version 1.22vpn2.0002

You can download the binaries and source from here. For those wanting to use the source, be sure to read the README file. This is just a small incremental update (as far as the VPN GUI is concerned). It mostly just pulls in the updated Tomato version.

Changes from 1.21vpn2.0001
- Updated to Tomato 1.22 baseline [1]
- Cleaned up OpenVPN and LZO installation
- Updated to 2.1rc13 (no functional difference I know of)

Known limitations: None that I am aware of. If you find some, let me know.

[1] I've changed over to using git for source control, so updating to Tomato 1.22 was just a matter of a single git rebase command :smile:. Also as part of moving to git, my sources are now just a single (zipped) patch file - be sure to read the README if you plan to use the source.

Let me know what you think, and what can be improved. :smile:
Hi, Firstly thanks for all the continued work. I've been using the Roadkill mod for over a year on a Buffalo WHR-G54s at home, and connecting to it remotely from my laptop. I haven't run this mod yet, but am keen to try. I've read through both threads as much as I can, but am somewhat confused as to where each is now in terms of features/functionality. Could someone explain to me in relatively simple terms the main differences between this mod and the Roadkill one in terms of features/functionality? I'm not needing to do site-to-site, only client to router vpn, and don't have any usb or sd/mmc functionality on my router. Thanks, Ben
Roadkill includes my changes in his build, so I can see where that would get confusing. So, pretty much Roadkill's mod is the VPN GUI from here, some QOS features from Viktec's mod, and some additions having to do with added serial ports and SD memory (and few other things). If all you want is Tomato+VPN, this build is probably the best fit. If you specifically want any of the other features in Roadkill's mod, go with that. There is also the TrzepakoTomato mod, which also includes my changes, that adds some USB support (I don't know which Buffalo routers have USB ports, so this may not be relevant). Clear as mud?
Hi SgtPepperKSU, thanks for the mod. Is the mod considered stable at this point? I'm currently using Roadkill's old 1.19 version but I only need Tomato+VPN, so I'd like to give yours a try. I'm currently using a static key file, so the setup should be pretty simple.
I would say the last few releases have been very stable. Aside from the issue with having the VPN client router in Wireless Client Mode that we're currently investigating (the VPN NAT doesn't work in that case), I am not aware of any issues. As far as the back-end goes, static key is more complicated than TLS. This is because routing information cannot be pushed from server to client. If you are also using TUN, then you will have to manually configure routes. However, if you are using TAP and either have the same subnet on both routers or are okay with a layer of NATing, static key is fine without any custom configuration. Though, I suppose you realized all that since you are already using router-based VPN.
Actually I'm not using the site-to-site feature at this point at all. My usage involves a single laptop (from work or public hot spot) connecting to the router at home so that I have access to my home network. In this case, I should paste the static key in the "server" portion of the VPN GUI, right?
Yes, you'll want to use the server configuration for your setup. But, TUN+Static Key would still require custom routing even if you're not doing a site-to-site. TAP should work fine, though.
Thanks! Here's my current ovpn config file, which should be good to go?

Code:
dev tap0
secret static.key
proto udp
route-gateway 192.168.1.1
remote [my_home_ip] 1194
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC
comp-lzo
verb 3
float
Yep, just as long as the local network your laptop is on isn't also 192.168.1.0/24, you'll be fine! And, you shouldn't need the route-gateway line in your config, but it doesn't hurt.
I just did a little experimenting, and the memory is cached (not leaked - it will be reclaimed as needed) because loading the page runs the following command:

Code:
openvpn --show-ciphers

Running this command from the SSH shell has the same effect. It is nothing to worry about.
When I paste my Server Certificate (file server1.crt) in the Server Certificate textbox, its background turns yellow and the tooltip shows this error message: Invalid length. Please reduce the length to 1392 characters or less. My server1.crt is 1414 characters long. Why is mine longer than normal?
Is there anything before the -----BEGIN.. line? Anything before that isn't needed. If not, I'd like to know how you generated your certificate - I may need to make the field longer.
Ah, I see I'm late to the party :wink: I opened up several tabs and got distracted before coming back to this one... I guess I need to make that field longer. In the meantime, you can bypass the length check by ssh/telnetting to the router and running
Code:
nvram set vpn_server1_crt="<paste certificate>"
nvram commit
Do this after configuring the rest of the page. Then you'll be able to start the server from the GUI (or the shell or scripts), but you won't be able to make changes to the other settings without shortening that field first. I'd still like to know how you generated the certificate out of curiosity.
Thanks. I tried using the SSH command line to set the nvram variable... However, it seems it won't let me type a command that is so long at once on the same command line. It just blocks! I don't really remember the exact details on how I generated the certificate. However it was on a Linux machine using a completely different version. Maybe that's the problem. It's 1,414 characters long including the BEGIN and END statements.
It doesn't need to be all on one line. Just copy the whole thing (including line breaks) and
Code:
nvram set vpn_server1_crt="<paste>"
nvram commit
The paste can span multiple lines before you get to the close quote. That is, assuming there are line breaks. Mine is twenty-some lines long with fifty-some characters per line.
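A small shell helper for the certificate-length problem discussed above, added here as an example rather than code from the mod or from any poster: it keeps only the PEM block of a .crt file (dropping any human-readable dump such as the one "openssl x509 -text" or easy-rsa writes before the -----BEGIN line), checks the trimmed block against the 1392-character field limit quoted in the thread, and prints the nvram commands for review. The function names and the constructed sample file are this example's assumptions; the nvram variable name vpn_server1_crt is the one given above.

```shell
#!/bin/sh
# Added example (not the mod's code): trim a certificate file to its PEM block
# and check that the result fits the GUI field limit quoted in the thread.

# Print only the lines from -----BEGIN CERTIFICATE----- through
# -----END CERTIFICATE-----; anything before BEGIN is not needed by OpenVPN.
pem_only() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1"
}

# Size of the trimmed block in bytes, line breaks included (tr strips the
# leading blanks some wc implementations print).
pem_length() {
    pem_only "$1" | wc -c | tr -d ' '
}

# Succeed (exit 0) when the trimmed block fits the field; the limit defaults
# to the 1392 characters reported by the GUI tooltip above.
fits_field() {
    [ "$(pem_length "$1")" -le "${2:-1392}" ]
}

# Emit the two nvram commands suggested above, with the trimmed block inlined,
# so they can be reviewed before being pasted into an ssh session on the router.
nvram_commands() {
    printf 'nvram set vpn_server1_crt="%s"\n' "$(pem_only "$1")"
    printf 'nvram commit\n'
}

# Constructed sample (not a real certificate): a text dump followed by a PEM
# block, the layout that pushes a .crt past the field limit.
demo() {
    f=$(mktemp)
    printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n' > "$f"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedSampleOnly' \
        '-----END CERTIFICATE-----' >> "$f"
    fits_field "$f" && nvram_commands "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

demo
```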
So is it possible to connect 2 Linksys WRTs over VPN? I wanted to connect my router over VPN with the router of a friend of mine. So is it then possible to use this VPN connection like a normal LAN connection? Is it possible to see each other in "Network" and communicate (games, data transfer, etc.) with each other? Thanks in advance...
Yep, that's the idea! :smile: You will only be able to browse Network Neighborhood type windows if you use TAP and both networks are on the same subnet (you'll be sharing that subnet, so be sure not to have conflicting IP assignments). Even if you don't go that route, you will be able to open their network shares (by specifying ip address manually), transfer files, and play games. It's just broadcast traffic (traffic not destined for a particular IP) that won't get routed over the VPN without extra work (if it's even possible). Currently, the only automatic configuration is client->server only (server LAN can't see client LAN), but if you decide you want client<->server connections, I can help you add the custom configuration necessary. Or, there are many howtos floating around the 'net.
Thank you for your help... So with this solution I can browse the shared folders/files either from server to client or from client to server if I type the IP manually in Explorer? I'm really new to this and I would appreciate it if you could post a link to a HowTo or something for the "Client<->Server" solution with Tomato or OpenWRT.... Thank you in advance...
Yes that's right. You can just go to Start->Run and type in \\<ip address>\ and browse their shared files from there (or do the same from within Explorer). If you use TAP and share a subnet, then this build handles client<->server communication without any need for custom configuration. If you don't want to share a subnet, then what you need to do will depend on whether you use static key or TLS mode. I haven't tried it, but I think this is all you have to do (substituting values as appropriate):

For Static Key mode, add
Code:
route other_subnet other_netmask
iroute other_subnet other_netmask
(the iroute might not be necessary) to the custom configuration on each router.

For TLS mode, add
Code:
mkdir /tmp/ccd
echo "iroute other_subnet other_netmask" > /tmp/ccd/other_commonname
to the init script section on the server and
Code:
client-config-dir /tmp/ccd
route other_subnet other_netmask
to the custom config section on the server.

I'll probably give this a try some time in the next couple of days. If anyone else has done it, feel free to chime in.

EDIT: Oh, and with either Static Key or TLS you'll want to uncheck the NAT checkbox on the client if you're setting up the routes manually like shown above.
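The TLS-mode recipe above (a ccd directory on the server plus client-config-dir and route lines), wrapped as an added shell example that is not code from the mod or from the poster: it derives the per-client iroute files and the server's custom-config lines from one peer list, so route and iroute cannot drift apart, and refuses malformed addresses or common names that would escape the ccd directory. The function names and the constructed sample peers are this example's assumptions; the demo writes to a temporary directory rather than /tmp/ccd.

```shell
#!/bin/sh
# Added example (not the mod's code): generate the TLS-mode site-to-site pieces
# described above from a peer list of "<common_name> <subnet> <netmask>" lines.

# Accept only a dotted quad with every octet in 0..255; return 1 otherwise.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Reject the whole list if any entry is malformed, so a typo cannot leave the
# server with a half-written directory. A common name becomes a file name, so
# it must not contain "/" or be "." or ".." (it would land outside the ccd dir).
valid_peers() {
    while read -r cn subnet mask; do
        [ -n "$cn" ] || continue
        case "$cn" in */*|.|..) return 1 ;; esac
        is_ipv4 "$subnet" && is_ipv4 "$mask" || return 1
    done <<EOF
$1
EOF
}

# Init-script part: one file per client common name holding its iroute line.
write_ccd() {
    valid_peers "$2" || return 1
    mkdir -p "$1"
    while read -r cn subnet mask; do
        [ -n "$cn" ] || continue
        echo "iroute $subnet $mask" > "$1/$cn"
    done <<EOF
$2
EOF
}

# Custom-config part for the server: the ccd directive plus one route per peer.
server_custom_config() {
    echo "client-config-dir $1"
    while read -r cn subnet mask; do
        [ -n "$cn" ] && echo "route $subnet $mask"
    done <<EOF
$2
EOF
}

# Constructed sample peers; common names must match the clients' certificate CNs.
SAMPLE_PEERS='client1 192.168.2.0 255.255.255.0
client2 10.8.10.0 255.255.255.0'
```

Calling write_ccd "/tmp/ccd" "$SAMPLE_PEERS" on the server corresponds to the mkdir/echo lines above, and server_custom_config "/tmp/ccd" "$SAMPLE_PEERS" prints the lines for the custom config section.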
If I wish to achieve:
Code:
TAP
Same subnet
client <-> server
Should I do the following, as an example?
Code:
Router 1 (server): 192.168.1.1
DHCP range: 192.168.1.100 - 192.168.1.150
TAP
UDP
static key

Router 2 (client): 192.168.1.2
DHCP range: 192.168.1.151 - 192.168.1.200
TAP
UDP
same static key
Will this allow the server and the client resources to see one another without limitations? Thanks.
I have a problem with this mod and iptables. Changes in Port Forwarding are saved in the Web-GUI, but they don't work. I looked into the IPTABLE-dump. The changes are not inside. Also changes in admin port take no effect in the iptables.
I am noticing that problem also. The port forwarding changes are not working even though it shows changed in the web GUI. Also the static routing: even when removed via the GUI and saved, it is still in the routing table. I tried a reboot, but no change.
Version 1.22vpn2.0004

You can download the binaries and source from here. For those wanting to use the source, be sure to read the README file.

Sorry for the short release cycle here. The bug in 1.22vpn2.0002 shouldn't have gotten past my testing, but I must have made a small change part way through my testing that caused it.

Changes from 1.22vpn2.0002:
- Fixed automatic firewall generation.
  - This should fix the loss of admin access problem.
  - This should fix the port forwarding not working problem.

For what it's worth, I haven't been able to recreate the SSL problem with this build. But, since the root cause of that isn't known for sure, I can't call it "fixed". If you still see it, let me know.

Known limitations: None that I am aware of. If you find some, let me know.

Let me know what you think, and what can be improved. :smile:
Sorry, the "_source" was added to the wrong two files. The .7z was the binaries, not the source. I've renamed them.
Ok... Simple question since I'm interested in this. Can I just flash it over my current Tomato 1.21 to 1.22 with VPN? Because when I tried it a few days ago, I flashed it and my WRT54GL refused to work anymore. So basically it was sort of bricked; debricked with tftp and reset nvram. Or should I have reset the NVRAM after I flashed it from 1.21 to 1.22 with VPN?
It's always a good idea to clear nvram after upgrading, but not strictly necessary. When you say it "refused to work", what do you mean? Could you just not get to the admin interface (do you use http or https?), or did it stop providing wireless and/or dhcp addresses? If it is the former, it could just have been the bug fixed in 1.22vpn2.0004.
Will AES be available as a cipher mode anytime soon? Blowfish is so last millennium. Obviously not in the least bit urgent.
I have OpenSSL 0.9.8i through the tomato build process (including libfoo.pl for those that care) and installed on the router, but it fails at run-time when it actually does encryption with missing __divdi3 and __moddi3 (64-bit divide and multiply) symbols. Apparently, these are supposed to be provided by libgcc, but modifying libc to include that doesn't fix it. I am working on resolving this issue. Hopefully, I'll have that straightened out soon and OpenVPN will automatically pick up all the new ciphers. For a little while now, I've been more focused on other items. But, I haven't forgotten about it :smile:
This is particularly strange because AES is a 32-bit algorithm, not a 64-bit one. AES doesn't use multiply or divide. The router has to already have AES built in, since it implements WPA/AES. Must be some initialization code somewhere that has changed. Thanks for the quick response.
Actually, I think it was blowing up when using blowfish. I don't think I even got around to trying AES. And, I haven't found a way to have OpenSSL use the AES hardware on the router yet, so it would be done in software (unlike AES w/ wireless), at least initially.

EDIT: Just compiled it again and loaded it on the router. It does the same for AES:
Code:
# openssl
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL> aes-128-cbc
enter aes-128-cbc encryption password:***
Unresolved: __umoddi3
Well.. let's see... Installed the firmware, looked at the router after reboot. The LAN ports were working fine (was planning for the future with the VPN because of changing ISP and such), but I couldn't enter the web interface via http or access the router by ssh. The power LED was going on/off/on/off/etc... So basically it didn't want to work for me. We tried TFTP with old firmware; it still did the same until we did a hard NVRAM reset on the router itself with the nifty little reset button, since it could've been possible Tomato settings stopping the Linksys firmware from working.
If you haven't yet, you should give the newer version a try. It was probably just the bug that was fixed in 1.22vpn2.0004. And, if you are upgrading from linksys firmware, you should definitely clear nvram after the upgrade.
Well, did the reset now. But I won't test your new version now. 1. I'll get a brother bashing in on me if it fails. 2. All shops are closed at 0:30 this time in The Netherlands. PS: Running Tomato 1.22 now, so not running Linksys firmware. After we tried Tomato I banned that firmware from my hard disk and WRT54GL, but it was unstoppable to TFTP.
Hi, SgtPepperKSU. I registered in the forum to thank you for your great release. I'm also wondering how to configure OpenVPN so that I can connect without using the OpenVPN client, like the Vista/XP default connection manager. Or does OpenVPN only work with the OpenVPN client? Thank you and have a good day.
thanks SgtPepperKSU - ( is this also your nick on /. ?) I put the new version on and it seems to have fixed the port forwarding but I cannot test the static routing at the moment. In the next day I will flash the unit I have configured as the wifi client and test to see if the issues there have been resolved also.
OpenVPN only connects to OpenVPN. There is an "official" OpenVPN for Windows. http://openvpn.net I suggest using version 2.1 (right now version 2.1rc15 - a release candidate, but works well on Vista)
Simple question about this mod. I just got an iPhone 3G. The phone supports VPN using L2TP, PPTP and IPSec. Will this mod enable the iPhone to set up a VPN connection to my network? Thanks in advance.
The answer to both is the same. As ntest2 mentioned, only the OpenVPN client can connect to an OpenVPN connection (Network Manager in Linux connects extremely smoothly, but it uses openvpn in the backend).
Well, looks like I misunderstood OpenVPN. Is there another way to set up a VPN server in Tomato that lets systems without an OpenVPN client (Symbian OS, iPhone...) also work? Can the MPPE, dkms, pptpd packages be compiled and work? Thanks.
I really don't have any experience setting up a VPN server with anything other than OpenVPN, so I'm afraid I can't be of much help. You could do an internet search on the different types of VPN that your phone supports to find what can be installed on linux, though.
Thanks for all of your fantastic work. I noticed in your latest build you fixed something that was causing loss of admin access. I actually lost admin access to my router and I was wondering what the best way to restore that would be. Do I need to tftp to the router and reflash? On another note, I noticed OpenVPN 2.1rc15 is out. I don't know if any of the changes affect implementation, though there are a couple of new options implemented. Any hopes of updating soon? As an aside, I wish OpenVPN would post a roadmap or something. I have been waiting for 2.1 to come out for more than 2 months and holding off upgrading all my routers. Anyone know when the final release is supposed to come about?
Your best bet is a build with pptp built in already. I don't know of a stable tomato version for that, you might look at dd-wrt - their v24sp1 works quite well.
I found unplugging and replugging got me admin access back. Otherwise, tftp is probably the easiest way. I already have it updated in my local builds, so it will be updated whenever I next release. I feel the same way. I kept the build at rc12 after rc13 since I thought I'd wait for more significant changes to come in. And, sure enough, as soon as I updated it to rc13 they released rc14 and rc15... Personally, I don't think they should be calling them release candidates if they're going to release so many of them, adding features along the way.