
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. Elanzer

    Elanzer Addicted to LI Member

    I think I may have figured out the problem with my router to router bridged VPN configuration. It seems the RT-N16's CPU could not deal with the compression at all, as soon as I disabled it the VNC disconnections all stopped and I can use the VPN back and forth with no noticeable performance penalty (thanks to QoS).

    Problem was not bandwidth at all, just the CPU being pinned momentarily which was causing connections to drop, I think.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It won't work without reconfiguring the source and recompiling. I configured it with "--enable-small" to get a smaller executable size. One of the things OpenVPN gets rid of to get this smaller size is the MTU test.
     
  3. Zedsnar

    Zedsnar Networkin' Nut Member

    I saw and read it.
    It's only a little bit difficult to understand everything and to know what to do if English isn't your first language, but naturally I'll try to do the right steps.

    Maybe an example configuration would help.
     
  4. Elanzer

    Elanzer Addicted to LI Member

    Never mind - the problem still exists: it is still dropping all connections on both client and server side when the VPN connection is running, though it seems to happen on the client side far more often (10 times client side drops to server). VNC and a few test downloads of Debian ISOs dropped connection all at the same time.

    I'm not seeing anything abnormal in the logs on the server-router side, but on the client one I'm continually seeing this:

    Code:
    .warn kernel: WARNING: at net/8021q/vlan_dev.c:351 vlan_dev_hard_header()
    Jul 19 23:27:52 Tomato user.warn kernel: Call Trace:
    Jul 19 23:27:52 Tomato user.warn kernel: [<8000e384>] dump_stack+0x8/0x34
    Jul 19 23:27:52 Tomato user.warn kernel: [<801ffa00>] vlan_dev_hard_header+0x1ec/0x20c
    Jul 19 23:27:52 Tomato user.warn kernel: [<80170c84>] neigh_connected_output+0x84/0xd8
    Jul 19 23:27:52 Tomato user.warn kernel: [<801ef6f8>] bcm_fast_path+0x158/0x200
    Jul 19 23:27:52 Tomato user.warn kernel: [<8018f9d4>] nf_hook_slow+0x1ac/0x1b4
    Jul 19 23:27:52 Tomato user.warn kernel: [<801a45e0>] ip_rcv+0x3e8/0x720
    Jul 19 23:27:52 Tomato user.warn kernel: [<801f92e4>] br_pass_frame_up+0x8c/0x98
    Jul 19 23:27:52 Tomato user.warn kernel: [<801f93c8>] br_handle_frame_finish+0xd8/0x158
    Jul 19 23:27:52 Tomato user.warn kernel: [<801f95ec>] br_handle_frame+0x1a4/0x268
    Jul 19 23:27:52 Tomato user.warn kernel: [<8007a52c>] sys_write+0x58/0xa8
    Jul 19 23:27:52 Tomato user.warn kernel: [<8000ff24>] stack_done+0x20/0x3c

    Nearly every few minutes with the VPN connection initiated I am seeing this flooding the log. Any ideas?
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Looks like the kernel bridge code isn't able to handle things for some reason. That'd be Linux 2.6-specific, so you'll need to talk to somebody in the teddy_bear K26 threads (or forum, since he has a separate one now).
     
  6. vientito

    vientito Networkin' Nut Member

    routing IP in other domain

    Hello, I am posting this here hoping that anyone who has in-depth knowledge about OpenVPN and routing could shed some light on this. I have been using a VPN server behind a LAN gateway (they are not all in one). The server exists on a LAN network of 192.168.7.0/255.255.248.0 and the client exists on 192.168.3.1, also behind its own gateway router. My assigned virtual addresses for the tunnel are in the range of 10.8.0.*.

    My setup allows me to ping between client and server machine so far.

    I have not been able to ping from client machine to server network other than the server itself. This is probably routing issue.

    I am going to present an extract here from openvpn.com - a HOWTO document.

    "Including multiple machines on the server side when using a routed VPN (dev tun)

    Once the VPN is operational in a point-to-point capacity between client and server, it may be desirable to expand the scope of the VPN so that clients can reach multiple machines on the server network, rather than only the server machine itself.

    For the purpose of this example, we will assume that the server-side LAN uses a subnet of 10.66.0.0/24 and the VPN IP address pool uses 10.8.0.0/24 as cited in the server directive in the OpenVPN server configuration file.

    First, you must advertise the 10.66.0.0/24 subnet to VPN clients as being accessible through the VPN. This can easily be done with the following server-side config file directive:

    push "route 10.66.0.0 255.255.255.0"

    Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."


    The last paragraph is vital to me since it looks like the route back to the client has to be known for packets to travel back. HOWEVER, I got stuck at this: isn't an IP address only allowed in the same subnet? If I got a 10.8.0.* address flowing in a 192.168.7.* network, isn't that already violating some root principle of how routing works? If I don't want to implement NAT to convert incoming tunnel packets, how could I actually make this happen? I have set up proxy-arp on both tun and eth on the server machine, but I think that may only be able to take care of the 192.168.3.* subnet. But something like 10.8.0.* moving around within the server network seems impossible. So what does the extract try to say? Is it possible at all?
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's very possible. Having routes to addresses outside your subnet is a fundamental part of networking; it doesn't violate anything. For instance, Google's address isn't on your subnet, and you route to that just fine (I assume).

    The basics you'll need:
    • You need to tell the client how to reach the server LAN. To do this, you can push the server subnet to the clients, telling them to use the VPN to contact the server LAN. Sounds like you don't have any problem with that part.
    • You need to tell the server LAN how to reach the client. This will be done on the server LAN's default gateway device. You need to add a route, saying to route traffic to the VPN subnet differently than other traffic, using the VPN server as the gateway.

    If you want the server and server LAN to also have access to the client LAN, you can use the client LAN subnet instead of the VPN subnet in the gateway device's route. But, you'll also need to set up client-config-dir directives for the client (in the server config) to do that.
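As an added illustration of the point made above (example code, not from the thread or from TomatoVPN): a tiny longest-prefix-match route lookup in POSIX sh, showing why a 10.8.0.x destination is perfectly routable from the 192.168.7.0/21 server LAN once its gateway has the extra route. Addresses are taken from the thread, except the OpenVPN server's LAN address (192.168.7.10), the client LAN prefix (192.168.3.0/24) and the upstream hop (203.0.113.1), which are assumed.

```shell
#!/bin/sh
# Added example: longest-prefix-match lookup over the server LAN gateway's routing
# table. Not TomatoVPN code; 192.168.7.10, 192.168.3.0/24 and 203.0.113.1 are assumed.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> integer netmask.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# The gateway's table as "prefix,nexthop" entries: its own LAN is on-link, the VPN
# pool and the client LAN are sent to the OpenVPN server (the second bullet above),
# and everything else goes upstream.
ROUTES="192.168.7.0/21,onlink 10.8.0.0/24,192.168.7.10 192.168.3.0/24,192.168.7.10 0.0.0.0/0,203.0.113.1"

# Print the next hop for destination $1: the matching entry with the longest prefix wins,
# so a destination never has to be "in the same subnet" as the router to be reachable.
lookup() {
    dst=$(ip2int "$1"); best_len=-1; best_hop=none
    for entry in $ROUTES; do
        prefix=${entry%,*}; hop=${entry#*,}
        net=$(ip2int "${prefix%/*}"); len=${prefix#*/}
        mask=$(prefix2mask "$len")
        if [ $(( dst & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_hop=$hop
        fi
    done
    echo "$best_hop"
}

# Constructed destinations: a server LAN host, a VPN client, a client LAN host, the internet.
for d in 192.168.7.200 10.8.0.5 192.168.3.4 198.51.100.1; do
    echo "$d -> $(lookup "$d")"
done
```

Note that 192.168.3.0/24 lies inside 192.168.7.0/21 (which spans 192.168.0.0 to 192.168.7.255), so only the longer /24 entry keeps the client LAN distinct from the server LAN; overlapping LANs like this are worth checking before suspecting firewalls.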
     
  8. Dagger

    Dagger Networkin' Nut Member

    When you want to access a VPN server's LAN and not only the VPN server itself, it is easier and better if you use TAP instead of TUN.

    Also, even though your VPN virtual interface has a 10.8.0.* address... it is the physical LAN interface (with the 192.168.7.* IP) that is putting packets on the network. Your VPN packets are being encapsulated inside of the LAN packets. So the physical LAN interface is the only interface using the local LAN.
     
  9. vientito

    vientito Networkin' Nut Member

    vpn client route table

    I checked the routing on my TomatoVPN router and happened to find a route to my VPN server on the WAN interface. It has that very IP address. It is placed as the third item - I guess it will catch the outgoing packets that form the VPN connection ahead of all other routes, which is good. But I have a question: what happens when my server IP address changes and my client has detected that, thus effecting a restart? A new IP address would have to replace that entry in that table, I suppose. Will this process be automatic? I mean, could I assume tidy housekeeping if somehow that IP address has been updated?
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep :smile:
     
  11. vientito

    vientito Networkin' Nut Member

    getting close, just one more

    After a day of work and help from you, I have managed to ping through to the server network and reach the internet too! However, something is still bugging me. I could ping over to the client router with both the virtual address and also the client gateway local address. But that's it. I could not reach the Vista machine that is plugged into the client gateway. But that Vista machine could reach the internet by using the server LAN's connection to the outside world. If packets can freely exchange across, I could not understand how come I still could not ping that Vista machine. I have already disabled the firewall on that Vista machine. But one thing I am not sure of is whether there are some settings I need to be aware of in the Tomato software. I have since checked the firewall settings under Advanced: "respond to ICMP ping" is checked and NAT loopback is disabled; the rest are all unchecked. There do not seem to be any settings to turn off the firewall completely in Tomato. Any advice?

    I have a feeling that it has to do with the firewall but don't know where else to search.
     
  12. vientito

    vientito Networkin' Nut Member

    Please ignore my previous post. I found the problem. I overlooked that in Vista the firewall setting was not off. I thought it was, but looking closely it was not turned off. Once off, everything is pingable.
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! Glad you got it working.
     
  14. Dagger

    Dagger Networkin' Nut Member

    Cool.... could you post your final working config?
     
  15. vientito

    vientito Networkin' Nut Member

    A little poking around

    I fired up Wireshark in my local and remote environments to observe the packets. Two things I have since noted:

    (a) once in a while an NTP packet is being sent from the client over to the server LAN (which is fully explainable by the fact that I set the option to redirect internet traffic to the server side)
    (b) absence of noticeable name resolution packets before all kinds of net activities

    I have explicitly disabled DNS by the server and only use name resolution on the client side. I have looked through the manpage on dnsmasq but still don't seem to stumble upon any sort of UDP packets on my client-side LAN. Any clue as to why that might be?

    I have noted also the importance of synchronization of time between the server and client. DD-WRT claims that it is essential that before the VPN starts, the NTP server has to be outside of my VPN. I am not yet grasping the significance of that. Isn't time always synchronized in these special centres? Whether I use a local NTP or a remote NTP, why does it matter (they all give the same UTC)? Also, could the fact that my NTP packet goes over to the server side after initialization have any impact on the tunnel in the long run?
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you've told it to route internet traffic (default route) over the VPN, then anything that doesn't have a separate route set up will be sent over the VPN - including DNS. If you want DNS to remain local, then you'll have to set up routes to the DNS servers that bypass the VPN. All you disabled on the server was the server itself responding to DNS requests - it has nothing to do with allowing DNS requests to traverse the tunnel.

    I imagine all they meant is that you have to be sure both the server and client are able to synchronize their time before you initiate the connection. It shouldn't matter if the NTP requests are going over the tunnel once it's established, as the NTP protocol has provisions for any type of delay.
     
  17. vientito

    vientito Networkin' Nut Member

    Thanks again. What exactly happens during a connection cutoff? I suppose all that redirection of internet traffic ceases at that point and DNS lookup will come back on the client side again? If not, I imagine it would be hard to re-establish the connection.
     
  18. Elanzer

    Elanzer Addicted to LI Member

    Alright, so I replaced those RT-N16s with some WRT54GLs to avoid that crash/VPN instability issue I was having that might have been related to kernel 2.6, and flashed it up with your latest build.

    Now I'm still getting the same type of instability, but it appears different in the logs - I fired up a few big file transfers over the VPN, along with some web downloads to test stability, seeing everything was going fine I closed my VNC connection. Came back a couple hours later completely unable to connect to the client side via VNC, but server side worked. Both my web download and VPN file transfers were terminated on both sides, I disabled the VPN service on the server router and suddenly I could connect to the client side again by VNC.


    Checked the logs, this is what I see spammed:

    Code:
    daemon.err openvpn[4556]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Pretty much happened every second in a loop until I killed the VPN server on the server side. After restarting the VPN server service it reconnected fine. Any idea what's going on? I have the port manually forwarded, of course.

    I noticed the free memory on the WRT54GLs is kind of low (less than 1mb), is this normal?

    edit: have also tried with TCP instead of UDP for the TAP connection, ended up with the same type of results, the server-side dropping my http download and VNC connections until I disabled VPN on the client side - weirdly enough the VPN file transfer was still going on the client side without complaint though.

    It looks like it can happen to both sides; whichever side decides to drop its connections, I can't do anything until I disable the VPN service on the side that does still work.
     
  19. Amuro

    Amuro Addicted to LI Member

    Hello,

    My ISP gives me an .ovpn configuration file that needs only my password to connect. It actually works with tunnelblick (an open vpn client).

    Is there a way to 'load' this file in the Tomato VPN client interface? Is this a feature you may consider?

    Seems simple enough, use a config file to connect. We can produce config files to connect 2 networks using x.x.x.x ip range or other settings that may need minimal changes to work...

    Thanks.

    -AM
     
  20. vientito

    vientito Networkin' Nut Member

    Looks like I am able to answer my own question after reading the documentation closely. If and when the tunnel is cut, basically the call to redirect-gateway would revert all its initial setup steps, hence restoring the original default gateway. Now the client will have a chance to re-establish the connection by sending packets out via the original gateway. So no worry about the collapsed tunnel. Things will still work.
     
  21. ElZar

    ElZar Addicted to LI Member

    Connect on WAN

    Hi SgtPepperKSU.

    Houston we have a Problem :)

    We're using a WRT54GL with your TomatoMOD. The option "Connect on WAN" for the OVPN client is enabled and works fine if you reboot the router. But we have a dynamic DSL connection at this location, which reconnects every 24 hours. After the 24h reconnect, the OVPN won't start up again until they reboot the router (I think manually starting the VPN would also work, but these guys are not very familiar with "IT stuff", so they simply dis/reconnect the power plug).

    Any Ideas? THX :)

    *Edit* I will post some Logs tomorrow, because there are only Logs after the Reboot this morning.
     
  22. rhester72

    rhester72 Network Guru Member

    As a short-term fix, why not just set Tomato to auto-reboot every 24 hours?

    Rodney
     
  23. ElZar

    ElZar Addicted to LI Member

    Didn't think about that, but it should also do the trick. Even if it's not the best solution, it is a solution :) Thanks.
     
  24. karog

    karog Networkin' Nut Member

    If it only reconnects every 24 hours and only fails after 24 reconnects, why not reboot just once a week rather than every day? Or 10 or 20 days?
     
  25. kenyloveg

    kenyloveg LI Guru Member

    Does anybody have experience with RouterOS and this great MOD?
    I just purchased a RouterBoard, trying to create OpenVPN channels between RouterOS and the Tomato VPN MOD. The RB493 acts as an OpenVPN server (shame it doesn't support UDP yet), and Tomato as clients (I got 3 of them). My main concern is I don't know if SgtPepperKSU's GUI implementations are part of OpenVPN features or not...
    I'd appreciate it if anyone could tell me how to deal with it. Thanks and have a good day.
     
  26. dougisfunny

    dougisfunny LI Guru Member

    I doubt there's an easy way to do this, but just in case I'm missing something obvious....

    Here's the scenario:
    5 locations linked together over VPN, the central VPN server at Office A where many of our internal servers are. Client-specific configurations are used, routes are handed out beautifully. Works like a champ.

    Problem: Internet at Office A goes down- Offices B-E can no longer talk to each other.

    Solution: Have a secondary remote line in the custom configuration that will connect Offices C-E to a backup server at B. Offices B-E can talk to each other yay!

    Secondary problem: (Which is the one I'm asking for a solution to) Office A comes back up, Office B client connects automatically to Office A and can talk to it just fine. Offices C-E are still connected to B, but can't talk to office A through Office B.

    Is there some way I could easily configure the server at office b to push the route to office a the client picks up from the remote vpn to the clients at office C-E?
     
  27. zurk

    zurk Addicted to LI Member

    Code:
    /bin/ping -c 1 www.google.com > /dev/null; if [[ $? != 0 ]]; then /sbin/reboot; fi
    or
    Code:
    echo -e "POST /cgi/b/info/restart/?be=0&l0=0&l1=0&tid=RESTART HTTP/1.0\nAuthorization: Basic AUTH_GOES_HERE\nContent-Length: 7\n\n0=17&1=" | telnet 192.168.0.1 80
     
  28. vientito

    vientito Networkin' Nut Member

    bypass-dhcp effect on tomatovpn client?

    Does the bypass-dhcp option under redirect-gateway have any effect on the TomatoVPN client?
     
  29. Raganook

    Raganook Addicted to LI Member

    Hi...me again.

    I've been trying to figure this out on my own and not bother you, but I'm stumped.

    I have two tomato VPN routers, the host (172.16.0.X) and the client (192.168.0.X).

    The Client can access computers on the host LAN just by going to "Run" and doing a "\\172.16.0.X", no problem...

    ...but no computers on the host-side can access ANY of the LAN resources on the client-side. What am I missing? =/

    Edit: Should probably give more details

    TUN, both firewalls on "automatic", no custom scripting or firewall rules in place, "create nat on tunnel" is checked

    EDIT2: I have found This post of yours and am trying to figure this out

    EDIT3: It says to uncheck "NAT on tunnel", but the second I do, the client loses connection to the host. So I added a common name ("client1") in the host first, filled in the subnet of the client (192.168.1.0) and checked "Push". That kills everything so that neither network can see each other.

    EDIT4: Ok, I got it :). I'm leaving this all up in case someone else down the road is as confused as I was.

    First, in the Server config, I added all the relevant info and checked "push" and "enable" (that enable checkbox actually escaped me for a quick minute). Then, in the client, I disabled NAT on tunnel. Once BOTH things are done, bidirectional VPN complete :)
     
  30. ladysman

    ladysman LI Guru Member

    I wanted to thank SGT for the great VPN build (I'm using Teddy's Beta 19 for the Asus RT-N16). I was using this a while back but was changing firmwares so much, I just never set it up again. I have it working just fine.

    I really want to use it for a secure connection to home, but how do I access folders and files on Windows or Mac? I tried connecting to my Windows machine but I couldn't get it to connect. The laptop is on XP and the machines I want to connect to are Windows 7 (mainly) and Mac OS X.

    Thanks!
     
  31. Technobabbler

    Technobabbler Networkin' Nut Member

    So this past weekend I got ambitious and finally set up a site to site bidirectional vpn using tomatovpn, tls and 2 x WRT54GL routers. I had trouble finding a howto that actually covered all of the topics I wanted and had to dig around for the answers. So I figured I would document my experience in the hopes of helping others. Take a look and tell me what you think.

    http://www.wasagacomputers.com/home...te-vpn-using-tomato-firmware-and-openvpn.html
     
  32. rs232

    rs232 Network Guru Member

    How do I specify the route metric for a destination to be reached via the tunnel?
    Code:
    route XXXX MMMM
    in the client/server config works fine, but I can't find a way to add a metric to it.

    Any tip?
    Cheers
     
  33. Dagger

    Dagger Networkin' Nut Member

    The metric is defined at the interface level... in windows at least. You can adjust the default metric for the virtual interface by going to "Network Connections"... right-click the TAP-Win32 interface and select "Properties"... Select the TCP/IP Protocol and click the "Properties" button... at the bottom of the General tab click the "Advanced" button... at the bottom of the IP Settings tab uncheck "Automatic metric" and enter the metric that you want the OpenVPN interface to have.

    That's how I've done it in XP...
     
  34. rs232

    rs232 Network Guru Member

    Thanks, but I'm actually using 2 TomatoVPN installations. One client and one server...
    So the interfaces are tun21 and tun11. Having said that, I would really need a metric per destination.

    Thanks!
     
  35. rs232

    rs232 Network Guru Member

    Found!
    In OpenVPN terminology the destination interface (no matter what OS) is always referred to as: vpn_gateway

    So answering my own question:
    Code:
    route 10.10.0.0 255.255.255.0 vpn_gateway 101

    Note: the Tomato (Linux) default metric is 0 and anything from 255 on is considered unreachable (as it is supposed to be!), whereas in Windows the default is 100 and you can (un)happily set up a metric of e.g. 300. :rolleyes:
     
  36. vientito

    vientito Networkin' Nut Member

    NTP time server address add-in

    I follow this

    Code:
    route add -host `nvram get vpn_client1_addr` gw `nvram get wan_gateway`

    to add a route for the VPN remote server address,

    but how do I get at the 3 NTP server addresses?

    How are the variables named, so I could specify them in the WAN bootup script?
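An added example covering both the DNS point SgtPepperKSU makes above (with redirect-gateway, anything without its own route goes through the tunnel) and the NTP question just asked; this is not TomatoVPN code and not from the thread. It is a "WAN Up" script that pins host routes for the VPN server, the DNS servers and the NTP servers to the ISP gateway. The nvram names vpn_client1_addr and wan_gateway come from the post above; wan_dns and ntp_server are assumed names for space-separated lists, and busybox nslookup/route are assumed to be available.

```shell
#!/bin/sh
# Added example (not TomatoVPN's own code): keep the VPN endpoint, DNS and NTP
# reachable via the ISP link even while redirect-gateway sends everything else
# through the tunnel. Assumed nvram names: wan_dns, ntp_server.
ROUTE=${ROUTE:-route}   # set ROUTE=echo to dry-run and just print the commands

# Print the IPv4 address(es) for a hostname using busybox nslookup, or echo the
# argument unchanged when it is already a dotted-quad address.
resolve_host() {
    case "$1" in
        *[!0-9.]*)
            # The answer section follows the "Name:" line; the first "Address"
            # lines before it describe the resolver itself, so skip them.
            nslookup "$1" 2>/dev/null | sed -n '/^Name:/,$p' \
                | grep -E '^Address' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' ;;
        *)
            echo "$1" ;;
    esac
}

# Add a host route via gateway $2 for every entry in $1 (space-separated hosts/IPs).
pin_hosts_to_gateway() {
    gw=$2
    for h in $1; do
        for ip in $(resolve_host "$h"); do
            $ROUTE add -host "$ip" gw "$gw"
        done
    done
}

# Only act when running on the router (nvram exists there); elsewhere the
# functions above can be sourced and exercised with ROUTE=echo.
if command -v nvram >/dev/null 2>&1; then
    GW=$(nvram get wan_gateway)
    pin_hosts_to_gateway "$(nvram get vpn_client1_addr)" "$GW"   # VPN server
    pin_hosts_to_gateway "$(nvram get wan_dns)" "$GW"            # ISP DNS servers
    pin_hosts_to_gateway "$(nvram get ntp_server)" "$GW"         # NTP servers
fi
```

Resolving the NTP hostnames here happens before the tunnel is up, which is exactly when the WAN Up script runs; if a pool hostname later resolves to a different address, that address will not be pinned until the script runs again.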
     
  37. dbt78

    dbt78 Networkin' Nut Member

    Hi SgtPepperKSU,

    On the advice of teddy_bear I would like to submit a problem that I encountered creating a VPN tunnel:
    I wanted to try OpenVPN with my RT-N16 (Tomato v1.28.9049 MIPSR2 vpn3.6-beta19-K26), in client mode, with a free public TCP OpenVPN TUN server:

    http://bb.s6n.org/viewtopic.php?id=81

    I have a serious problem with a permanent "soft connection-reset".
    I wonder what I could have forgotten... and I would be grateful if you could give me some help.
    NB: Sorry for this long post, but I wanted to expose everything.

    ca.crt: --> copied directly into the interface of tomato ( Client1—> Keys —> Certificate Authority )
    Code:
    -----BEGIN CERTIFICATE-----
     ,,,
    -----END CERTIFICATE-----
    
    log :
    Code:
    Aug 27 21:17:10 RT-N16 daemon.notice openvpn[2165]: TCPv4_CLIENT link local: [undef]
    Aug 27 21:17:10 RT-N16 daemon.notice openvpn[2165]: TCPv4_CLIENT link remote: 88.191.121.143:443
    Aug 27 21:17:10 RT-N16 daemon.notice openvpn[2165]: TLS: Initial packet from 88.191.121.143:443, sid=34dde935 23f814f2
    Aug 27 21:17:10 RT-N16 daemon.warn openvpn[2165]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Aug 27 21:17:10 RT-N16 daemon.err openvpn[2165]: Connection reset, restarting [0]
    Aug 27 21:17:10 RT-N16 daemon.notice openvpn[2165]: TCP/UDP: Closing socket
    Aug 27 21:17:10 RT-N16 daemon.notice openvpn[2165]: SIGUSR1[soft,connection-reset] received, process restarting
    Aug 27 21:17:10 RT-N16 daemon.notice openvpn[2165]: Restart pause, 5 second(s)
    Aug 27 21:17:15 RT-N16 daemon.warn openvpn[2165]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 27 21:17:15 RT-N16 daemon.notice openvpn[2165]: Re-using SSL/TLS context
    Aug 27 21:17:15 RT-N16 daemon.notice openvpn[2165]: LZO compression initialized
    Aug 27 21:17:15 RT-N16 daemon.notice openvpn[2165]: Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Aug 27 21:17:15 RT-N16 daemon.notice openvpn[2165]: TCP/UDP: Preserving recently used remote address: xx.xxx.xxx.xxx:443
    Aug 27 21:17:15 RT-N16 daemon.notice openvpn[2165]: Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
    Aug 27 21:17:15 RT-N16 daemon.notice openvpn[2165]: Attempting to establish TCP connection with xx.xxx.xxx.xxx:443 [nonblock]
    Aug 27 21:17:16 RT-N16 daemon.notice openvpn[2165]: TCP connection established with xx.xxx.xxx.xxx:443
    Aug 27 21:17:16 RT-N16 daemon.notice openvpn[2165]: Socket Buffers: R=[87380->131072] S=[16384->131072]
    Aug 27 21:17:16 RT-N16 daemon.notice openvpn[2165]: TCPv4_CLIENT link local: [undef]
    Aug 27 21:17:16 RT-N16 daemon.notice openvpn[2165]: TCPv4_CLIENT link remote: xx.xxx.xxx.xxx:443
    Aug 27 21:17:16 RT-N16 daemon.notice openvpn[2165]: TLS: Initial packet from xx.xxx.xxx.xxx:443, sid=59e86c32 4f0f3aed
    Aug 27 21:17:16 RT-N16 daemon.warn openvpn[2165]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Aug 27 21:17:16 RT-N16 daemon.err openvpn[2165]: Connection reset, restarting [0]
    Aug 27 21:17:16 RT-N16 daemon.notice openvpn[2165]: TCP/UDP: Closing socket
    Aug 27 21:17:16 RT-N16 daemon.notice openvpn[2165]: SIGUSR1[soft,connection-reset] received, process restarting
    Aug 27 21:17:16 RT-N16 daemon.notice openvpn[2165]: Restart pause, 5 second(s)
    
    Settings in Client1-->Basic :
    Code:
    Interface Type : TUN
    Protocol : TCP
    Server Adress/Port : [IP of the free server] 443
    Firewall : Automatic
    Authorization Mode : TLS
    Extra HMAC authorization (tls-auth) ; Disabled
    Create NAT on tunnel : no
    
    Settings in Client1-->Advanced :
    Code:
    Accept DNS configuration : strict
    Encryption cipher : AES-256-CBC
    Compression : Enabled
    
    my Custom configuration : (Client1 —> advanced —> custom configuration) :
    Code:
    client
    dev tun
    proto tcp
    remote xxx.xxx.xxx.xxx 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    persist-remote-ip
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    mute-replay-warnings
    ;ca arethusa-ca.crt
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    mute 20
    auth-user-pass /tmp/client1-userpass
    redirect-gateway def1 bypass-dhcp
    
    init script (in administration—> scripts) :
    Code:
    echo 'xxxxxxxxxx
    yyyyyyyyy' > /tmp/client1-userpass
    
    and firewall script :
    Code:
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
    
     
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For starters, you should try it without any of that stuff in the Custom Config section (except the auth-user-pass line) and without the firewall script. All that stuff is just repeating things you have configured in the GUI, and it could be causing something weird to happen.
     
  39. dbt78

    dbt78 Networkin' Nut Member

    Thanks for your reply. OK, I left only the auth-user-pass line in the Custom Config section and rebooted the router, with the same problem.
    Now, I can see a new warning message in the log:
    Code:
     daemon.warn openvpn[699]: WARNING: No server certificate verification method has been enabled.

    Edit 1: I just read this Thread: http://www.linksysinfo.org/forums/showthread.php?t=63197#post354174
    it is written: "I tried SgtPepper's OpenVPN (which I'm currently running) but it does not implement the user/pwd authentication without the use of a key. May get this one day, but for now no dice."
    --> Is there now this option ? I think my problem could come from it ..
     
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you want this warning to go away, you can re-add the ns-cert-type server line to the custom config.
    user/pwd authentication is not built in to the GUI yet, but what you've done in the custom config/init scripts is all you need to get that working.

    One thing I've noticed is that you have "Create NAT on tunnel" unchecked. You need to have that checked unless the server has a special configuration for your LAN (which they won't for a free service like this). I have a feeling this is where your problem is.

    You also don't mention what you have for "Redirect Internet traffic". You'll want that checked.
     
  41. dbt78

    dbt78 Networkin' Nut Member

    Now I checked "Create NAT on tunnel". "Redirect Internet traffic" was already checked.
    It always disconnects... very curious!

    I read a little of their docs for setup on DD-WRT and OpenWrt, and I see nothing special in their config: http://bb.s6n.org/viewforum.php?id=4
     
  42. toolbox

    toolbox Addicted to LI Member

    I am running into an odd problem with OpenVPN recently. I have had OpenVPN running for several months now and have all internet traffic on my laptop routed through my ASUS router (OpenVPN server). It worked fine until now. Now my internet browsers work fine but not Windows Live Mail (2010 Beta). When the OpenVPN client is active, I can't check e-mails and receive the following message:
    Unable to send or receive messages for the Hotmail (***account name***) account.

    Server Error: 0x80048848
    Server: 'http://mail.services.live.com/DeltaSync_v2.0.0/Sync.aspx'
    Windows Live Mail Error ID: 0x80048848

    Google 0x80048848 yields nothing. Is there something on the router I can check?
    Thanks.
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm afraid not. It sounds like the error is coming from your Windows Live Mail account. You should check with them for support.
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Another thing that I see that's different is that their config specifies "comp-lzo", which lines up with selecting "Compression: Adaptive" (not Enabled like you have it) in the TomatoVPN GUI. Give that a shot.
     
  45. dbt78

    dbt78 Networkin' Nut Member

    (Argh..) Unfortunately , with compression set to "Adaptive" in the gui, I get the same result.

    Edit 1:
    I saw in nvram for client1 that vpn_client1_remote=10.8.0.1
    This is not what I configured in the gui

    Code:
    vpn_client1_addr=freetun.s6n.com
    vpn_client1_adns=2
    vpn_client1_bridge=1
    vpn_client1_ca=-----BEGIN CERTIFICATE-----  MIIESDCCAzCgAwIBAgIJAKe19ZcHzEc/MA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV  BAYTAkFRMRMwEQYDVQQIEwpBbnRhcmN0aWNhMRUwEwYDVQQHEwxNb3VudCBWaW5z  b24xDDAKBgNVBAoTA1M2TjEPMA0GA1UEAxMGUzZOIENBMRswGQYJKoZIhvcNAQkB  Fgxyb290QHM2bi5vcmcwHhcNMDkwNzA3MTYzNTM1WhcNMjkwNzAyMTYzNTM1WjB1  MQswCQYDVQQGEwJBUTETMBEGA1UECBMKQW50YXJjdGljYTEVMBMGA1UEBxMMTW91  bnQgVmluc29uMQwwCgYDVQQKEwNTNk4xDzANBgNVBAMTBlM2TiBDQTEbMBkGCSqG  SIb3DQEJARYMcm9vdEBzNm4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB  CgKCAQEAvjDtAjYziD4dSXXR+y/HOF3qaylJqZfa7TJabnfC4bcC7/z8LU/aSgo9  SbDa6Sh/Kn3CHmNyu6QTSz8GkokqSLC91/3OrKM+XlR8H57I9PFZNFswTZEnkxqA  vQyoklrPOUmN120nIKQoIN2+pCctD/a9klTmTxTly4JeSiaf4t+H1DfKlM0q8FD/  avBYiWRWqEOUY9ChEweKKdITFdy9Zz8Vh5J7AYlnzZfmalOyCubK1A+nuD7mCjZl  OWPe/BG0sAnXUnDUEgCBC5fiTfp851ZkScHoQb9SVHqE3iw7o8CR9RZWCUsnxPsC  GJrIzZ2S9hbI9DopZ7CpU6qIRfFLMwIDAQABo4HaMIHXMB0GA1UdDgQWBBSY2HUT  D8BXjpiHTAUN6HN8DNj6pTCBpwYDVR0jBIGfMIGcgBSY2HUTD8BXjpiHTAUN6HN8  DNj6paF5pHcwdTELMAkGA1UEBhMCQVExEzARBgNVBAgTCkFudGFyY3RpY2ExFTAT  BgNVBAcTDE1vdW50IFZpbnNvbjEMMAoGA1UEChMDUzZOMQ8wDQYDVQQDEwZTNk4g  Q0ExGzAZBgkqhkiG9w0BCQEWDHJvb3RAczZuLm9yZ4IJAKe19ZcHzEc/MAwGA1Ud  EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBALkQ2H/znwBNWL+1V+F1T2hYZtC/  clbtKJjR5URHFDIy1eTaijOUIArJJIpFb+MeWdi5WensNj8RqFgH6ah8eiaNMoIV  bUxMyGnakqFWbiS3L1nBEVC0npiLXkrvCQimHgZvo3EmeyhBs7zznsCoxDXq8nUm  CvrFvtgEUPz4Cnn2FCr4TjPt5pgjJ3CznYpf9QOwpM40mT0dYKB/ceGTzsGuh3ao  2OYmap0IvJ0WNOteVMNpK+wbvJB11a+qpF/bx2wjcDkZe76hE7CCtJM5YWjIMDRr  nzzUUqoklinTWlEqCfGavkYEl6ktcjapCnOJtV1zAQNa/Ek4THpWQo/vqU8=  -----END CERTIFICATE-----  
    vpn_client1_cipher=AES-256-CBC
    vpn_client1_comp=adaptive
    vpn_client1_crt=
    vpn_client1_crypt=tls
    vpn_client1_custom=ns-cert-type server  auth-user-pass /tmp/client1-userpass
    vpn_client1_firewall=auto
    vpn_client1_gw=
    vpn_client1_hmac=-1
    vpn_client1_if=tun
    vpn_client1_key=
    vpn_client1_local=10.8.0.2
    vpn_client1_nat=1
    vpn_client1_nm=255.255.255.0
    vpn_client1_poll=0
    vpn_client1_port=443
    vpn_client1_proto=tcp-client
    vpn_client1_remote=10.8.0.1
    vpn_client1_reneg=-1
    vpn_client1_retry=30
    vpn_client1_rg=0
    vpn_client1_rgw=1
    vpn_client1_static=
    
     
  46. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm not seeing anything off-hand that's wrong.

    Something you can try:
    • Create a .ovpn file with the exact contents that the VPN service specifies and launch openvpn manually from the router shell. This will tell you if it's a problem with the configuration.

    That's because you didn't configure that variable (didn't need to - it doesn't apply to your configuration). vpn_client1_addr still has the server's address.
     
  47. dbt78

    dbt78 Networkin' Nut Member

    Yes, it's a good idea. I will test when my router is not in production.
    I will provide the results.
    Thank you very much for all the help you give!
     
  48. srouquette

    srouquette Network Guru Member

    @SgtPepperKSU: I have a little question :)
    Will you update your mod, or do you recommend using another mod?
    I'm not in a hurry to update my firmware, your mod works really great, but I saw another mod pop up with VPN support, and now there's the 1.28 firmware, so I was wondering...
     
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I will update it. I've just been extremely busy in "real life" lately. :)
     
  50. srouquette

    srouquette Network Guru Member

    Thank you :)
    No problem, I wasn't sure if you wanted to continue your mod.
    Take your time ;)
     
  51. dbt78

    dbt78 Networkin' Nut Member

    Some news...
    I tried openvpn in shell mode, with the provider's conf, and I still get the same error: (SIGUSR1[soft,connection-reset] received, process restarting)
    I also tried with some additional parameters:

    - ping-restart 30
    - tun-mtu 1300


    Something is wrong! Provider? Firmware? I will drop my RT-N16 and experiment with Ubuntu or W7 in client mode, with the same conf file...
     
  52. dbt78

    dbt78 Networkin' Nut Member

    Edit: With the Windows client (OpenVPN 2.1.1) --> all is OK

    Code:
    Tue Aug 31 20:34:20 2010 LZO compression initialized
    Tue Aug 31 20:34:20 2010 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Tue Aug 31 20:34:21 2010 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Aug 31 20:34:21 2010 Local Options hash (VER=V4): '958c5492'
    Tue Aug 31 20:34:21 2010 Expected Remote Options hash (VER=V4): '79ef4284'
    Tue Aug 31 20:34:21 2010 Attempting to establish TCP connection with 88.191.121.143:443
    Tue Aug 31 20:34:21 2010 TCP connection established with 88.191.121.143:443
    Tue Aug 31 20:34:21 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Aug 31 20:34:21 2010 TCPv4_CLIENT link local: [undef]
    Tue Aug 31 20:34:21 2010 TCPv4_CLIENT link remote: 88.191.121.143:443
    Tue Aug 31 20:34:21 2010 TLS: Initial packet from 88.191.121.143:443, sid=b4e134e6 42f9ae27
    Tue Aug 31 20:34:21 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Aug 31 20:34:21 2010 VERIFY OK: depth=1, /C=AQ/ST=Antarctica/L=Mount_Vinson/O=S6N/CN=S6N_CA/emailAddress=root@s6n.org
    Tue Aug 31 20:34:21 2010 VERIFY OK: nsCertType=SERVER
    Tue Aug 31 20:34:21 2010 VERIFY OK: depth=0, /C=AQ/ST=Antarctica/L=Mount_Vinson/O=S6N/CN=free.tunsrv.s6n.net/emailAddress=root@s6n.org
    Tue Aug 31 20:34:22 2010 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Tue Aug 31 20:34:22 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Aug 31 20:34:22 2010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Tue Aug 31 20:34:22 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Aug 31 20:34:22 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Tue Aug 31 20:34:22 2010 [free.tunsrv.s6n.net] Peer Connection Initiated with 88.191.121.143:443
    Tue Aug 31 20:34:24 2010 SENT CONTROL [free.tunsrv.s6n.net]: 'PUSH_REQUEST' (status=1)
    Tue Aug 31 20:34:24 2010 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.10.10,dhcp-option DNS 8.8.8.8,route 10.17.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.17.0.38 10.17.0.37'
    Tue Aug 31 20:34:24 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Aug 31 20:34:24 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Aug 31 20:34:24 2010 OPTIONS IMPORT: route options modified
    Tue Aug 31 20:34:24 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue Aug 31 20:34:25 2010 ROUTE default_gateway=192.168.2.254
    Tue Aug 31 20:34:25 2010 TAP-WIN32 device [Connexion au réseau local 4] opened: \\.\Global\{95C9A6BC-523C-482D-9E85-7134C9DC4D81}.tap
    Tue Aug 31 20:34:25 2010 TAP-Win32 Driver Version 9.6 
    Tue Aug 31 20:34:25 2010 TAP-Win32 MTU=1500
    Tue Aug 31 20:34:25 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.17.0.38/255.255.255.252 on interface {95C9A6BC-523C-482D-9E85-7134C9DC4D81} [DHCP-serv: 10.17.0.37, lease-time: 31536000]
    Tue Aug 31 20:34:25 2010 Successful ARP Flush on interface [32] {95C9A6BC-523C-482D-9E85-7134C9DC4D81}
    Tue Aug 31 20:34:30 2010 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
    Tue Aug 31 20:34:30 2010 C:\WINDOWS\system32\route.exe ADD 88.191.121.143 MASK 255.255.255.255 192.168.2.254
    Tue Aug 31 20:34:30 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
    Tue Aug 31 20:34:30 2010 Route addition via IPAPI succeeded [adaptive]
    Tue Aug 31 20:34:30 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.17.0.37
    Tue Aug 31 20:34:30 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Tue Aug 31 20:34:30 2010 Route addition via IPAPI succeeded [adaptive]
    Tue Aug 31 20:34:30 2010 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.17.0.37
    Tue Aug 31 20:34:30 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Tue Aug 31 20:34:30 2010 Route addition via IPAPI succeeded [adaptive]
    Tue Aug 31 20:34:30 2010 C:\WINDOWS\system32\route.exe ADD 10.17.0.1 MASK 255.255.255.255 10.17.0.37
    Tue Aug 31 20:34:30 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Tue Aug 31 20:34:30 2010 Route addition via IPAPI succeeded [adaptive]
    Tue Aug 31 20:34:30 2010 Initialization Sequence Completed
    With the router (shell)
    --> It seems stuck at the "VERIFY depth" sequence
    Code:
    root@RT-N16:/tmp# cat log.txt
    Tue Aug 31 20:44:49 2010 OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug  1 2010
    Tue Aug 31 20:44:49 2010 WARNING: file '/tmp/client1-userpass' is group or others accessible
    Tue Aug 31 20:44:49 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Tue Aug 31 20:44:49 2010 LZO compression initialized
    Tue Aug 31 20:44:49 2010 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Tue Aug 31 20:44:49 2010 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Aug 31 20:44:49 2010 Attempting to establish TCP connection with 88.191.121.143:443 [nonblock]
    Tue Aug 31 20:44:50 2010 TCP connection established with 88.191.121.143:443
    Tue Aug 31 20:44:50 2010 Socket Buffers: R=[87380->131072] S=[16384->131072]
    Tue Aug 31 20:44:50 2010 TCPv4_CLIENT link local: [undef]
    Tue Aug 31 20:44:50 2010 TCPv4_CLIENT link remote: 88.191.121.143:443
    Tue Aug 31 20:44:50 2010 TLS: Initial packet from 88.191.121.143:443, sid=8c9a05ff c84848dc
    Tue Aug 31 20:44:50 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Aug 31 20:44:50 2010 Connection reset, restarting [0]
    Tue Aug 31 20:44:50 2010 TCP/UDP: Closing socket
    Tue Aug 31 20:44:50 2010 SIGUSR1[soft,connection-reset] received, process restarting
    Tue Aug 31 20:44:50 2010 Restart pause, 5 second(s)
    Tue Aug 31 20:44:55 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Tue Aug 31 20:44:55 2010 Re-using SSL/TLS context
    Tue Aug 31 20:44:55 2010 LZO compression initialized
    Tue Aug 31 20:44:55 2010 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Tue Aug 31 20:44:55 2010 TCP/UDP: Preserving recently used remote address: 88.191.121.143:443
    Tue Aug 31 20:44:55 2010 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Aug 31 20:44:55 2010 Attempting to establish TCP connection with 88.191.121.143:443 [nonblock]
    Tue Aug 31 20:44:56 2010 TCP connection established with 88.191.121.143:443
    Tue Aug 31 20:44:56 2010 Socket Buffers: R=[87380->131072] S=[16384->131072]
    Tue Aug 31 20:44:56 2010 TCPv4_CLIENT link local: [undef]
    Tue Aug 31 20:44:56 2010 TCPv4_CLIENT link remote: 88.191.121.143:443
    Tue Aug 31 20:44:56 2010 TLS: Initial packet from 88.191.121.143:443, sid=a5e5ee30 26a4752b
    Tue Aug 31 20:44:56 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Aug 31 20:44:56 2010 Connection reset, restarting [0]
    Tue Aug 31 20:44:56 2010 TCP/UDP: Closing socket
    Tue Aug 31 20:44:56 2010 SIGUSR1[soft,connection-reset] received, process restarting
    Tue Aug 31 20:44:56 2010 Restart pause, 5 second(s)
    
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sounds like the certificate authority certificate isn't validating. Are you sure it's being copied to the router properly and is pointed to by the ovpn file?
     
  54. dbt78

    dbt78 Networkin' Nut Member

    Yes, I've checked the contents of the certificate several times, and if I do not point to the ".ovpn" and the "ca.crt", I get a message in the log.
    I think it may be a problem with the implementation of the encryption cipher: AES-CBC-256.
    If you have a moment, you can try "arethusa-free" on your router: http://www.megaupload.com/?d=JWS1VIBH
    I don't see an issue on my side with TomatoVPN.
     
  55. rs232

    rs232 Network Guru Member

    I've already posted this in another thread (possibly the wrong one) :)
    Is there any chance to see TomatoVPN updated to tomato 1.28 core and openVPN 2.1.3?

    Thanks
     
  56. beneee

    beneee Networkin' Nut Member

    Hi,

    a question. I have one Tomato router for my normal Internet. Now I want to have one PC in a VPN, and the other PCs not. I now have a second Tomato router that the PC which should be in the VPN is connected to. I installed the Tomato VPN mod. The connection is established, but the PC cannot get to the Internet when the VPN client is on. The VPN is not from the first Tomato router; it is from an Internet service.

    Tomato 1: 192.168.1.1 / WAN: DHCP Cable Modem
    Tomato 2: 192.168.2.1 / WAN: Static IP 192.168.1.201

    What am I doing wrong, or is it not possible? I have a VPN connection but no Internet; that is my problem. Please help me.
     
  57. srouquette

    srouquette Network Guru Member

    @rs232: yes, he will update it.
     
  58. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, very possible. Care to share a bit about your VPN configuration?
     
  59. beneee

    beneee Networkin' Nut Member

    Hi,

    sure. It is a VPN service from surfonym; OpenVPN and PPTP are possible. I set up the OpenVPN client on the second Tomato (WRT54GL). No special options; I set redirect Internet traffic and NAT rules etc. I can see in the GUI that the connection is established, and I checked /var/log/messages and there too the connection is established.

    Do you need any other information?

    Router 1: Netgear WNR 3500L with Tomato mod from the forum here:
    Cable modem, WAN to DHCP, router IP 192.168.1.1

    Router 2: Linksys WRT54GL with your VPN mod:
    WAN set to static IP, 192.168.1.117, and router IP to 192.168.2.1. I also tested router IP 192.168.1.201, and I also tested WAN to DHCP.
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    TAP vs TUN? TLS vs Static? Custom config entries? If TLS, do the logs show routes being pushed to you? Are any of these routes in the 192.168.1.0/24 or 192.168.2.0/24 space?
     
  61. beneee

    beneee Networkin' Nut Member

    Hi,

    here are my settings, installed a fresh Tomato VPN build:
    WRT54GL: 192.168.2.1 / WAN DHCP

    OpenVPN Client Settings:
    Interface: TUN
    Protocol: TCP
    Server Address and Port: vpn.xxx.net Port 443
    Firewall: Automatic
    Authorization Mode: TLS
    Create NAT on Tunnel: Yes
    Redirect Internet Traffic: Yes
    Accept DNS: disabled
    Nothing in Custom Configuration
    The certificate is pasted into the Keys section.

    Sample Config from the Provider if it helps:
    Code:
    client
    auth-user-pass
    dev tun
    proto tcp
    remote openvpn.surfonym.com 443
    remote-random
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    verb 3
    mute 20
    ca surfonym-ca.crt
    remote-cert-tls server
    ; if you do NOT want ALL traffic through openvpn, REMOVE this line!
    redirect-gateway def1
    ; for windows XP, remove the line above and use this one instead:
    ;redirect-gateway
    
    And now I started the VPN, looking via telnet at /var/log/messages:
    Code:
    Sep  9 14:42:37 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Sep  9 14:42:39 unknown daemon.notice openvpn[530]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Mar  1 2010
    Sep  9 14:42:39 unknown daemon.warn openvpn[530]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm
    Sep  9 14:42:39 unknown daemon.warn openvpn[530]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sep  9 14:42:39 unknown daemon.notice openvpn[530]: LZO compression initialized
    Sep  9 14:42:39 unknown daemon.notice openvpn[530]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Sep  9 14:42:39 unknown daemon.notice openvpn[530]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Sep  9 14:42:39 unknown daemon.notice openvpn[534]: Attempting to establish TCP connection with 78.40.213.198:443 [nonblock]
    Sep  9 14:42:40 unknown daemon.notice openvpn[534]: TCP connection established with 78.40.213.198:443
    Sep  9 14:42:40 unknown daemon.notice openvpn[534]: Socket Buffers: R=[43689->65534] S=[16384->65534]
    Sep  9 14:42:40 unknown daemon.notice openvpn[534]: TCPv4_CLIENT link local: [undef]
    Sep  9 14:42:40 unknown daemon.notice openvpn[534]: TCPv4_CLIENT link remote: 78.40.213.198:443
    Sep  9 14:42:40 unknown daemon.notice openvpn[534]: TLS: Initial packet from 78.40.213.198:443, sid=32dbdd85 aee2324f
    Sep  9 14:42:40 unknown daemon.warn openvpn[534]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sep  9 14:42:41 unknown daemon.notice openvpn[534]: VERIFY OK: depth=1, /C=AT/ST=Austria/L=Vienna/O=SurfoNym/OU=Certificate_Authority/CN=SurfoNym/Email=office@
    Sep  9 14:42:41 unknown daemon.notice openvpn[534]: VERIFY OK: depth=0, /C=AT/ST=Austria/L=Vienna/O=SurfoNym/O=f92229a9c920b8edda0c4ec880d8e83b/OU=SurfoNym/CN=
    Sep  9 14:42:42 unknown daemon.notice openvpn[534]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sep  9 14:42:42 unknown daemon.notice openvpn[534]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep  9 14:42:42 unknown daemon.notice openvpn[534]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sep  9 14:42:42 unknown daemon.notice openvpn[534]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep  9 14:42:42 unknown daemon.notice openvpn[534]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Sep  9 14:42:42 unknown daemon.notice openvpn[534]: [openvpn.surfonym.com] Peer Connection Initiated with 78.40.213.198:443
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: SENT CONTROL [openvpn.surfonym.com]: 'PUSH_REQUEST' (status=1)
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 195.149.115.5,dhcp-option DNS 8.8.8.8,route 10.
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: OPTIONS IMPORT: timers and/or timeouts modified
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: OPTIONS IMPORT: --ifconfig/up options modified
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: OPTIONS IMPORT: route options modified
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: TUN/TAP device tun11 opened
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: TUN/TAP TX queue length set to 100
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: /sbin/ifconfig tun11 10.7.11.38 pointopoint 10.7.11.37 mtu 1500
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: /sbin/route add -net 78.40.213.198 netmask 255.255.255.255 gw 192.168.1.1
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.11.37
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.11.37
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: /sbin/route add -net 10.7.11.1 netmask 255.255.255.255 gw 10.7.11.37
    Sep  9 14:42:44 unknown daemon.notice openvpn[534]: Initialization Sequence Completed
    
    And that's it, no more Internet on the PCs that are connected to the WRT54GL. Can you help me? :)
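    The log above and the SIGUSR1 reset loop posted earlier in the thread are both being read by eye. An added example (not TomatoVPN or OpenVPN code) that reads an OpenVPN client log in either the syslog or the foreground-run format and reports how far the handshake got and which of the warnings seen in those logs are present; the sample lines are constructed after the posted logs, with placeholder hosts.

```python
"""Triage an OpenVPN client log: how far the TLS handshake got, whether the
tunnel came up, and which known warnings appear.  Added example; samples are constructed."""
import re

# Strip the syslog prefix of a daemon run ("... openvpn[534]: ") or the plain
# timestamp of a foreground run ("Tue Aug 31 20:44:49 2010 ").
_PREFIX = re.compile(
    r"^(?:\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+ openvpn\[\d+\]: "
    r"|\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} )"
)
_VERIFY = re.compile(r"^VERIFY OK: depth=(\d+), (.+)$")
_CN = re.compile(r"/CN=([^/]+)")

# Message fragment -> (finding key, note).  Each message appears in a log posted
# in this thread, and each fix is an option the thread itself mentions.
_WARNINGS = {
    "No server certificate verification method has been enabled": (
        "no_server_cert_check",
        "client never checks that the peer holds a server certificate: "
        "add 'remote-cert-tls server' (older configs: 'ns-cert-type server')",
    ),
    "may cache passwords in memory": (
        "password_cached",
        "credentials stay in process memory: add 'auth-nocache'",
    ),
    "is group or others accessible": (
        "userpass_world_readable",
        "the auth-user-pass file is readable by other users: chmod 600 it",
    ),
}


def parse_openvpn_log(text):
    """Summarise one client log (a string, one entry per line)."""
    summary = {
        "verify_depths": [],   # depths of VERIFY OK lines, in order seen
        "peer_cn": None,       # CN of the depth=0 (server) certificate
        "resets": 0,           # 'Connection reset, restarting' events
        "completed": False,    # 'Initialization Sequence Completed' seen
        "warnings": {},        # finding key -> note
    }
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.strip())
        m = _VERIFY.match(line)
        if m:
            depth = int(m.group(1))
            summary["verify_depths"].append(depth)
            cn = _CN.search(m.group(2))
            if depth == 0 and cn:
                summary["peer_cn"] = cn.group(1)
        elif line.startswith("Connection reset, restarting"):
            summary["resets"] += 1
        elif line.startswith("Initialization Sequence Completed"):
            summary["completed"] = True
        for needle, (key, note) in _WARNINGS.items():
            if needle in line:
                summary["warnings"][key] = note
    return summary


def triage(summary):
    """Turn a summary into plain-language findings, tunnel state first."""
    findings = []
    if summary["resets"] and not summary["verify_depths"]:
        findings.append(
            "connection reset %d time(s) before any VERIFY line: the server "
            "dropped the session during the TLS handshake, so check that the CA "
            "certificate reached the client intact and that the cipher and TLS "
            "settings match the provider's config" % summary["resets"])
    elif summary["completed"]:
        findings.append("tunnel came up; server certificate CN=%s" % summary["peer_cn"])
    elif summary["verify_depths"]:
        findings.append("certificates verified but the tunnel never completed")
    findings.extend(summary["warnings"].values())
    return findings


# Constructed sample in syslog form, modelled on the router log posted above.
SAMPLE_LOG = """\
Sep  9 14:42:39 unknown daemon.warn openvpn[530]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm
Sep  9 14:42:40 unknown daemon.warn openvpn[534]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep  9 14:42:41 unknown daemon.notice openvpn[534]: VERIFY OK: depth=1, /C=AT/O=ExampleVPN/CN=ExampleVPN CA
Sep  9 14:42:41 unknown daemon.notice openvpn[534]: VERIFY OK: depth=0, /C=AT/O=ExampleVPN/CN=vpn.example.net
Sep  9 14:42:44 unknown daemon.notice openvpn[534]: Initialization Sequence Completed
"""

# Constructed sample of a foreground run that loops on connection resets.
SAMPLE_RESET_LOOP = """\
Tue Aug 31 20:44:49 2010 WARNING: file '/tmp/client1-userpass' is group or others accessible
Tue Aug 31 20:44:50 2010 TCP connection established with 192.0.2.10:443
Tue Aug 31 20:44:50 2010 Connection reset, restarting [0]
Tue Aug 31 20:44:56 2010 Connection reset, restarting [0]
"""

if __name__ == "__main__":
    for log in (SAMPLE_LOG, SAMPLE_RESET_LOOP):
        for finding in triage(parse_openvpn_log(log)):
            print("-", finding)
```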
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm.
    From the connected PCs, can you ping google.com or 74.125.227.19? What about from the router telnet shell? Can you provide the routing table on the connected PC (for windows "route print")? On the router ("route -n")?
     
  63. beneee

    beneee Networkin' Nut Member

    Hi,

    No ping from telnet and no ping from the connected PCs. This is the output from route print:
    Code:
    IPv4-Routentabelle
    ===========================================================================
    Aktive Routen:
         Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
              0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.3     20
            127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
            127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
      127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
          192.168.2.0    255.255.255.0   Auf Verbindung       192.168.2.3    276
          192.168.2.3  255.255.255.255   Auf Verbindung       192.168.2.3    276
        192.168.2.255  255.255.255.255   Auf Verbindung       192.168.2.3    276
        192.168.145.0    255.255.255.0   Auf Verbindung     192.168.145.1    276
        192.168.145.1  255.255.255.255   Auf Verbindung     192.168.145.1    276
      192.168.145.255  255.255.255.255   Auf Verbindung     192.168.145.1    276
        192.168.152.0    255.255.255.0   Auf Verbindung     192.168.152.1    276
        192.168.152.1  255.255.255.255   Auf Verbindung     192.168.152.1    276
      192.168.152.255  255.255.255.255   Auf Verbindung     192.168.152.1    276
            224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
            224.0.0.0        240.0.0.0   Auf Verbindung     192.168.152.1    276
            224.0.0.0        240.0.0.0   Auf Verbindung     192.168.145.1    276
            224.0.0.0        240.0.0.0   Auf Verbindung       192.168.2.3    276
      255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
      255.255.255.255  255.255.255.255   Auf Verbindung     192.168.152.1    276
      255.255.255.255  255.255.255.255   Auf Verbindung     192.168.145.1    276
      255.255.255.255  255.255.255.255   Auf Verbindung       192.168.2.3    276
    ===========================================================================
    Ständige Routen:
      Keine
    
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What about the other parts of my questions? (routing table from router, pinging IP address vs pinging hostname)
     
  65. dewdman42

    dewdman42 Network Guru Member

    Is TomatoVPN what I need? I travel out of the USA frequently and often have problems connecting to some websites such as hulu and fancast that do not allow access from outside the USA. Is there a way to set up TomatoVPN such that I can tunnel through my home internet connection from abroad in order to access those sites? I don't particularly care about accessing machines on my LAN per se, it might be a nice side benefit, but mainly I just want to be able to access the sites that normally only allow access from within the USA. Possible with TomatoVPN? Would I need to do anything special to set that up?
     
  66. rhester72

    rhester72 Network Guru Member

    Proxying streaming video is probably not going to work very well/at all unless you have a *VERY* fast uplink on your home connection in the US (read: fiber). In that event, a combination of an OpenVPN tunnel and srelay should do the trick, allowing for SOCKS proxy through your browser to your home network. A similar question was asked (and answered) a few posts back.

    Rodney
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Also, you don't need OpenVPN or srelay to have your Tomato router act as a secure SOCKS proxy. If you set up a dynamic tunnel on an SSH login to your router (available on stock Tomato), it acts as a SOCKS proxy that can be configured in your browser. I do this all the time. But, as with the OpenVPN+srelay approach (as rhester mentioned), you're likely not going to have enough bandwidth available to have good results. This is not only due to upstream bandwidth, but also because these routers are pretty low powered and they can't encrypt this much data very fast.
     
  68. beneee

    beneee Networkin' Nut Member

    Pinging address not working
    Pinging hostname not working

    Router route -n:
    Code:
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.7.11.1       10.7.11.37      255.255.255.255 UGH   0      0        0 tun11
    10.7.11.37      0.0.0.0         255.255.255.255 UH    0      0        0 tun11
    78.40.213.198   192.168.1.1     255.255.255.255 UGH   0      0        0 vlan1
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         10.7.11.37      128.0.0.0       UG    0      0        0 tun11
    128.0.0.0       10.7.11.37      128.0.0.0       UG    0      0        0 tun11
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan1
    #
    
    Code:
    # ping google.com
    PING google.com (74.125.39.105): 56 data bytes
    
    --- google.com ping statistics ---
    2 packets transmitted, 0 packets received, 100% packet loss
    
    Code:
    # ping 74.125.227.19
    PING 74.125.227.19 (74.125.227.19): 56 data bytes
    
    --- 74.125.227.19 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
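
    An added example (not Tomato or OpenVPN code) that answers the question asked above, which way a given destination goes, from the `route -n` dump in this post rather than by reading the table by eye. The lookup follows the kernel's longest-prefix rule, and a second check recognises the 0.0.0.0/1 + 128.0.0.0/1 pair that `redirect-gateway def1` installs; the table below is the one posted above, reproduced as the sample input.

```python
"""Longest-prefix lookup over `route -n` output.  Added example, not Tomato or
OpenVPN code; the routing table is the one posted in this thread."""
import ipaddress

ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.7.11.1       10.7.11.37      255.255.255.255 UGH   0      0        0 tun11
10.7.11.37      0.0.0.0         255.255.255.255 UH    0      0        0 tun11
78.40.213.198   192.168.1.1     255.255.255.255 UGH   0      0        0 vlan1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.7.11.37      128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.7.11.37      128.0.0.0       UG    0      0        0 tun11
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan1
"""


def parse_route_n(text):
    """Parse `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have 8 columns and start with a dotted-quad destination;
        # the two header lines and any shell prompt are skipped.
        if len(parts) != 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        routes.append({
            # ipaddress accepts a dotted netmask after the slash.
            "network": ipaddress.ip_network("%s/%s" % (dest, mask), strict=False),
            "gateway": None if gw == "0.0.0.0" else ipaddress.ip_address(gw),
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, destination):
    """Return (iface, gateway or None) for destination: longest prefix wins,
    lowest metric breaks ties, None if no route matches."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return best["iface"], best["gateway"]


def def1_redirect(routes):
    """Return the (iface, gateway) that the 'redirect-gateway def1' pair points
    at, or None when the pair is absent or split.

    def1 mode adds 0.0.0.0/1 and 128.0.0.0/1 instead of replacing the real
    default route: the two halves win every lookup on prefix length, while the
    original default stays in the table for the VPN endpoint's own host route."""
    halves = {
        str(r["network"]): (r["iface"], r["gateway"])
        for r in routes if r["network"].prefixlen == 1
    }
    low, high = halves.get("0.0.0.0/1"), halves.get("128.0.0.0/1")
    return low if low is not None and low == high else None


def explain(routes, destination):
    """One-line description of where a destination is sent."""
    hop = lookup(routes, destination)
    if hop is None:
        return "%s: no route" % destination
    iface, gw = hop
    return "%s -> %s via %s" % (destination, iface, gw or "link")


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    print("def1 redirect active:", def1_redirect(table))
    for dst in ("74.125.227.19", "78.40.213.198", "192.168.2.3", "10.7.11.1"):
        print(explain(table, dst))
```

    With this table the public ping target is sent into tun11, while only the VPN endpoint itself is routed out through vlan1; that is what the def1 pair is designed to do.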
    
     
  69. dewdman42

    dewdman42 Network Guru Member

    Understood about the low-power Linksys. Well, it's worth a try anyway. I will mess around with the SOCKS stuff then. If nothing else, I would still like to be able to get to general websites that are sometimes blocked overseas, so I could do that with the SOCKS thing, right? No need for VPN. I guess the only reason I might want to try OpenVPN would be to use a Samba share from outside my LAN, but generally I don't need to do that.

    Anyway, thanks for the tip about SOCKS. Generally, if it's not in the Tomato web GUI, it's probably over my head, but I'll see what I can figure out. So if there is no VPN encryption, just pure SOCKS, that would be too slow too, you think?
     
  70. karog

    karog Networkin' Nut Member

    To do the SOCKS thing, you just use the -D localport switch when you ssh to the router (e.g. ssh -D 4321 myrouter.dyndns.org) and then set up a proxy using localhost as the host and localport as the port. If you use Firefox, get the FoxyProxy add-on, define a proxy in its options using localhost and the port you used after the -D (make sure to choose one above 1024, e.g. 4321) and name the proxy. You can then easily enable the named proxy when you want to use it and disable it when you don't.

    With a vpn the data is encrypted by the vpn and with ssh it is encrypted by ssh. This SOCKS/proxy approach is good for general things like web sites and other relatively low bandwidth things on your router. Or you can use the vpn if you want to do more on your local network.

    If you want to stream video, that may or may not be too much strain on the low power router whether the encryption is vpn or ssh although I suspect ssh demands a bit less. I cross-compiled HDHomerun's software for my ASUS RT-N16 and tried to record SD and HD video on it. The HD crapped out after about 15 secs though it recorded that 15 secs just fine while it pinned the cpu. The SD recorded fine for several minutes before I stopped it because even though it was working, it too pinned the router cpu and I didn't want to burn it up.

    I have 2 Mbps upload and I have vpn'd to my LAN TAP/bridged and watched HD on my SlingBox. The SlingBox does adaptive bandwidth management so the HD was not as good as on my LAN but it was still pretty damn good on my 1440x900 MacBook Pro screen.

    An alternative if you want to do video is if you have a host on your LAN that is linux or OS X or other that has an sshd that can do the socks thing. Then you can just port forward the ssh port to the host and let it do the work. You still need enough upload bandwidth however.

    Finally, you are not stuck with one approach or the other. You can choose on a case by case basis.
     
  71. dewdman42

    dewdman42 Network Guru Member

    In case anyone is wondering, I came to Starbucks to test this out on my Mac laptop. Set up SSH on the Linksys. Then started ssh on the Mac using Blowfish encryption. Configured the Mac to go to the local proxy server and voilà, it worked. Went to an IP port checker website and it was reporting my home IP addr. Good so far; went to fancast and played an HD video right before my eyes, so I guess the Linksys can handle whatever encryption it is doing with Blowfish well enough to handle the HD, and apparently the bandwidth at home is good enough to deal with the traffic too. So I think I'll be set now when I'm abroad without having to resort to using a VPN service, which I don't trust.

    Anyway, thanks for the pointers, and sorry for the slightly off-topic bandwidth since this is not really a VPN situation. If I have any problems with the Linksys crapping out on the encryption, I will set up an SSH daemon on my home XP box. Hope I can avoid that, but it sounds like it would not be too much trouble.
     
  72. dewdman42

    dewdman42 Network Guru Member

    I may have spoken too soon. When setting up an SSH tunnel for the purposes of getting out to the net as mentioned before, it seems that port-forwards to my own LAN are not possible. In other words, the tunnel can forward everything through my router out to the world, but can't forward back to itself through the port forwarding mechanism. I can't seem to get to any of my port forwarded resources when the ssh/socks tunnel is in place.

    Does anyone know anything about this, maybe there is some config info I need.

    Perhaps this is a reason to have to use the full VPN solution?
     
  73. dewdman42

    dewdman42 Network Guru Member

    For kicks I installed Tomato VPN to try it out. Using an OS X client with the Viscosity OpenVPN client. I have tried both tun and tap, and in both cases I am able to establish a VPN session with my home router, and I'm able to continue surfing the web, presumably it's being routed through the VPN. However, the real reason for using this is to access a shared folder on my XP box that is on my LAN. However, I can't seem to see it or connect to it. What is the special magic to see shared Windows file servers on my LAN with this VPN?
     
  74. TheGIZ

    TheGIZ Network Guru Member

    Well, it's been 6 months since I tried to update. Had some time today, and more of the same.

    I had been using a TLS OpenVPN under RoadKill's firmware. When Sgt. Pepper took over I was able to keep my VPN in the scripts and it just kept on working. Once I went past Tomato 123... it stopped working. So I have kept my router at firmware 123.

    In looking at the last time I got some directions from Pepper I was told to just cut and paste my certs and set the interface as TAP. Then there was a quick post about Allow Client <---> Client. I have done all this and I don't get anything.

    The VPN GUI says that the server is not running. I cannot force it to start either. When I try to connect I just get establishing connection... that's it. No connection reset or anything. Odd.
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Does anything show up in the router logs?
     
  76. TheGIZ

    TheGIZ Network Guru Member

    Didn't have the starts and ends in the certificate blocks. Fixed now. Thanks. (I feel like a microbe at the moment.)
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Haha, don't worry about it. Glad you got it working.
     
  78. potatoMasher

    potatoMasher Networkin' Nut Member

    Hi, I recently got TomatoVPN working on my router (BTW, thanks for the work put into this mod, it's great) and I have several computers hooked up to the router, and an Xbox. I was wondering, is there a way to make the Xbox bypass the VPN and access the Internet directly through my ISP (I have tried playing online through the VPN but the overhead of the tunnel makes playing unbearable)?

    Other question:

    Is it possible to use the button in front of the router (the one that says "Cisco Systems" in the WRT54GL) to toggle the VPN tunnel on/off?

    Thanks in advance. : )
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This is a common request, but nobody has gotten it working.

    Sure. Administration->Buttons. The script you'll want is something like:
    Code:
    if ps | grep -v grep | grep vpnclient1
    then
      service vpnclient1 stop
    else
      service vpnclient1 start
    fi
     
  80. potatoMasher

    potatoMasher Networkin' Nut Member

    Too bad it's not possible at the moment to route the traffic outside the VPN, but thanks to the script I can turn off/on the tunnel when needed.

    In the first line of the script it should be "vpnclient1" instead of "vpnclient 1".

    Thanks for your help. :)
     
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, that's very possible. But, so far no one's gotten it working to selectively change the default gateway to be over the VPN or not for individual connected devices.
    Whoops. Sorry for the typo. Hope it didn't waste much of your time to figure it out. I'll fix it in my previous post, in case anyone else uses it.
     
  82. occamsrazor

    occamsrazor Network Guru Member

    I've been running an OpenVPN TAP tunnel for ages on SgtPepper's firmware, then Teddybear's, and now Victek's.
    Recently I found a working OpenVPN client for the iPhone but the problem is it only supports TUN, not TAP.
    My thinking was the only way to get around this would be to create a second VPN server using TUN.... yeah?
    If so how would I duplicate my TAP settings (see attached screenshots) to get a TUN tunnel that works in the same way on Server 2? FYI, it is only ever me that connects remotely.
    Also, what I don't understand about TUN is it seems to give out addresses different from the normal DHCP range.... would I still be able to connect to internal resources via their LAN address?
    Sorry for the dumb questions, I've been using OpenVPN for a while but never with TUN.... Thanks...
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1. Change TAP to TUN
    2. Done :)
    Yes, you would. When you connect, an extra route is added to the client that tells it where to find your server's LAN. The only differences would be:
    • Broadcast messages (DHCP, Network Neighborhood*, some gaming discovery, etc) won't go across a TUN tunnel
    • Your client will get an address on a different subnet (but that address will be reachable by your LAN and vice versa).

    * When I say Network Neighborhood won't work, I just mean discovering computers in Network Neighborhood only. You can still enter //<ip address>/ into explorer or the Run dialog and get to the computer's shares.
     
  84. occamsrazor

    occamsrazor Network Guru Member

    Hmm... doh! Yes, that worked. When I tried it like that before I had lots of problems with it accepting the VPN subnet settings, saying they were illegal, but now I think that may have been due to a full NVRAM that happened coincidentally around the same time.
    Anyway, I can successfully create a TUN tunnel now from my laptop, but when I try to access any LAN resource, e.g. a local machine, or even the Tomato router itself, all via LAN IP address, it doesn't work. Perhaps there's something in the logs....

    Here is the server log:
    Code:
    Sep 20 16:39:29 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 TLS: Initial packet from [**clientIP**]:52015, sid=f20eea4b 345541fe
    Sep 20 16:39:39 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 VERIFY OK: depth=1, /C=US/ST=myname/L=myname/O=myname.dyndns.org/OU=myname/CN=myname-ca/Email=myname@dyndns.org
    Sep 20 16:39:39 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 VERIFY OK: depth=0, /C=US/ST=myname/O=myname.dyndns.org/OU=myname/CN=laptop/Email=myname@dyndns.org
    Sep 20 16:39:40 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sep 20 16:39:40 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 20 16:39:40 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sep 20 16:39:40 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 20 16:39:40 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Sep 20 16:39:40 Tomato daemon.notice openvpn[3274]: [**clientIP**]:52015 [laptop] Peer Connection Initiated with [**clientIP**]:52015
    Sep 20 16:39:40 Tomato daemon.notice openvpn[3274]: laptop/[**clientIP**]:52015 MULTI: Learn: 10.8.0.6 -> laptop/[**clientIP**]:52015
    Sep 20 16:39:40 Tomato daemon.notice openvpn[3274]: laptop/[**clientIP**]:52015 MULTI: primary virtual IP for laptop/[**clientIP**]:52015: 10.8.0.6
    Sep 20 16:39:42 Tomato daemon.notice openvpn[3274]: laptop/[**clientIP**]:52015 PUSH: Received control message: 'PUSH_REQUEST'
    Sep 20 16:39:42 Tomato daemon.notice openvpn[3274]: laptop/[**clientIP**]:52015 SENT CONTROL [laptop]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DOMAIN mydomain,dhcp-option DNS 192.168.0.1,redirect-gateway def1,route 10.8.0.0 255.255.255.0,topology net30,ping 15,
    
    Here is the client log
    Code:
    Mon Sep 20 16:39:27 2010: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mon Sep 20 16:39:27 2010: LZO compression initialized
    Mon Sep 20 16:39:27 2010: Attempting to establish TCP connection with [**serverIP**]:1195 [nonblock]
    Mon Sep 20 16:39:28 2010: TCP connection established with [**serverIP**]:1195
    Mon Sep 20 16:39:28 2010: TCPv4_CLIENT link local: [undef]
    Mon Sep 20 16:39:28 2010: TCPv4_CLIENT link remote: [**serverIP**]:1195
    Mon Sep 20 16:39:40 2010: [server] Peer Connection Initiated with [**serverIP**]:1195
    Mon Sep 20 16:39:42 2010: TUN/TAP device /dev/tun0 opened
    Mon Sep 20 16:39:42 2010: /sbin/ifconfig tun0 delete
    Mon Sep 20 16:39:42 2010: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
    Mon Sep 20 16:39:42 2010: /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
    Mon Sep 20 16:39:42 2010: /Applications/3rd Party/Viscosity.app/Contents/Resources/dnsup.py tun0 1500 1544 10.8.0.6 10.8.0.5 init
    Mon Sep 20 16:40:03 2010: Initialization Sequence Completed
    
     
  85. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't see anything about routes being added in the client logs. Can you post the client config?
     
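    One way to check what SgtPepperKSU is asking about, as an added example that is not from the thread or from TomatoVPN's own code: it reads the server's PUSH_REPLY for "route" options and the client log for the "route add" commands the client actually ran, so a LAN route that was pushed but never installed shows up as (pushed=True, applied=False). The sample log lines are constructed, modelled on the excerpts posted above; the second client log adds a route line to show the healthy case.

```python
import re
import ipaddress

# Constructed sample logs modelled on the thread's excerpts; addresses are placeholders.
SERVER_LOG = (
    "Sep 20 16:39:42 Tomato daemon.notice openvpn[3274]: laptop/[clientIP]:52015 "
    "SENT CONTROL [laptop]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,"
    "dhcp-option DNS 192.168.0.1,redirect-gateway def1,route 10.8.0.0 255.255.255.0,"
    "topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5'\n"
)
CLIENT_LOG_NO_ROUTES = (
    "Mon Sep 20 16:39:42 2010: /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up\n"
    "Mon Sep 20 16:40:03 2010: Initialization Sequence Completed\n"
)
CLIENT_LOG_WITH_ROUTES = CLIENT_LOG_NO_ROUTES + (
    "Mon Sep 20 16:39:42 2010: /sbin/route add -net 192.168.0.0 10.8.0.5 255.255.255.0\n"
)

def pushed_routes(server_log):
    """Networks the server offered via 'route <net> <mask>' options in PUSH_REPLY lines."""
    nets = []
    for line in server_log.splitlines():
        m = re.search(r"PUSH_REPLY,([^']*)", line)
        if not m:
            continue
        for opt in m.group(1).split(","):
            parts = opt.strip().split()
            if len(parts) == 3 and parts[0] == "route":
                nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def applied_routes(client_log):
    """Networks the client actually installed, taken from the 'route add' commands it logged."""
    nets = []
    for line in client_log.splitlines():
        bsd = re.search(r"route add -net (\S+) \S+ (\S+)", line)  # macOS/BSD: dest gw mask
        lnx = re.search(r"ip route add (\S+) via ", line)         # Linux: dest/prefix via gw
        if bsd:
            nets.append(ipaddress.ip_network(f"{bsd.group(1)}/{bsd.group(2)}", strict=False))
        elif lnx:
            nets.append(ipaddress.ip_network(lnx.group(1), strict=False))
    return nets

def lan_route_status(server_log, client_log, lan_cidr):
    """(pushed, applied): did the server push a route covering lan_cidr, and did the client add it?"""
    lan = ipaddress.ip_network(lan_cidr)
    pushed = any(lan.subnet_of(n) for n in pushed_routes(server_log))
    applied = any(lan.subnet_of(n) for n in applied_routes(client_log))
    return pushed, applied
```

    A (True, False) result points at the client side (e.g. a config that does not pull the pushed options), while (False, False) means the server never pushed the LAN route in the first place.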
  86. potatoMasher

    potatoMasher Networkin' Nut Member

    I have another doubt related to the VPN.

    I have tested the router's firewall with GRC's ShieldsUP! test when the tunnel is up and every time it fails the test saying that most ports are closed (not stealth) and some are open. When I shut the tunnel and rerun the test, the router passes the test successfully.

    I have tried OpenVPN clients for Windows 7 and MacOS 10.6 and in both systems when the tunnel is up they pass the test (all ports are invisible).

    When the VPN is up in the router does it bypass the firewall rules? Is there a way to fix this?

    Sorry for so many questions, but I am concerned about the implications of running the OpenVPN client directly on the router.

    Thanks.
     
  87. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    By default, TomatoVPN (as a client) just opens up the firewall on the tunnel. This is to emulate the VPN being on the local LAN (what VPNs were designed for). However, the firewall is still fully in place for the WAN of the router.

    If you're using the VPN to connect to an untrusted VPN server that may not be firewalling you from the Internet, you may want to set up your own firewall rules for the VPN. To do this, change the "Firewall" setting to "Custom" and add your rules for opening specific ports to the router's Firewall script.
     
  88. sbabolat

    sbabolat Guest

    Hi,

    I just started looking into a VPN so that I can access securely my home server from outside.

    While I tried to read all the posts, there are more than 200 pages :)

    I have Tomato 1.27 running. I was wondering how to easily install and set up TomatoVPN.

    Do I install it on top of Tomato? Does it keep Tomato or replace it (but with some addons)?

    How do I set it up in the simplest way possible (one connection/client)? What do I need to connect to it?
    Thanks!
     
  89. gijs73

    gijs73 LI Guru Member

    Hi, I have been struggling to configure a Site-to-Site VPN using TAP. I am not sure I understand how to configure the bridging and having read swathes of this thread I am no clearer. I have started a new post here:
    http://www.linksysinfo.org/forums/showthread.php?p=368684

    hopefully this will help anyone with the same problems as me, basically windows GUI clients connect fine but pinging from either Tomato router times out.

    Additionally, I would like to take this moment to thank the developers and everyone in the community for making such great firmware available!
     
  90. srouquette

    srouquette Network Guru Member

    I have some errors in my log, what's the problem?
    Code:
    82.65.37.39:2052 write UDPv4 []: No buffer space available (code=132)
    82.65.37.39:2052 TLS Error: reading acknowledgement record from packet
    
    Is it an "Out of Memory" problem?
    I still have 1MB left on the status page (WRT54GL).

    edit:
    Code:
    Oct 14 13:11:57 unknown daemon.err openvpn[434]: 82.65.37.39:2052 TLS Error: TLS handshake failed
    Oct 14 13:11:57 unknown daemon.notice openvpn[434]: 82.65.37.39:2052 SIGUSR1[soft,tls-error] received, client-instance restarting
    Oct 14 13:11:58 unknown daemon.notice openvpn[434]: MULTI: multi_create_instance called
    Oct 14 13:11:58 unknown daemon.notice openvpn[434]: 82.65.37.39:2052 Re-using SSL/TLS context
    Oct 14 13:11:58 unknown daemon.notice openvpn[434]: 82.65.37.39:2052 LZO compression initialized
    Oct 14 13:11:58 unknown daemon.notice openvpn[434]: 82.65.37.39:2052 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Oct 14 13:11:58 unknown daemon.notice openvpn[434]: 82.65.37.39:2052 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Oct 14 13:11:58 unknown daemon.notice openvpn[434]: 82.65.37.39:2052 TLS: Initial packet from 82.65.37.39:2052, sid=6633860c c2b7d648
    Oct 14 13:11:58 unknown daemon.err openvpn[434]: 82.65.37.39:2052 TLS Error: Unroutable control packet received from 82.65.37.39:2052 (si=3 op=P_CONTROL_V1)
    Oct 14 13:11:58 unknown daemon.err openvpn[434]: 82.65.37.39:2052 TLS Error: Unroutable control packet received from 82.65.37.39:2052 (si=3 op=P_ACK_V1)
    Oct 14 13:11:59 unknown daemon.err openvpn[434]: 82.65.37.39:2052 TLS Error: Unroutable control packet received from 82.65.37.39:2052 (si=3 op=P_CONTROL_V1)
    
    I've been receiving these errors since I tried to update to TomatoUSB k24 NoUSB VPN.

    edit2:
    ok, problem found.
    It happens when I try to use Toastman QoS: http://tomatousb.org/tut:easy-toastman-qos-setup
    Is there a way to see how much nvram's left?
    What is the limit for a WRT54GL?
     
  91. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Code:
    nvram show
    from ssh/telnet. At the end, it will tell you how much is used and free.
     
  92. srouquette

    srouquette Network Guru Member

    ok thanks.
    10k left, and Toastman's QoS is only 1.5k.
    Do you have an idea why this happened?
     
  93. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Why what happened? 10k remaining is plenty.
     
  94. srouquette

    srouquette Network Guru Member

  95. SgtPepperKSU

    SgtPepperKSU Network Guru Member

  96. rs232

    rs232 Network Guru Member

    A quick question,
    Has the
    Code:
    keepalive 15 60 
    been hardcoded in the config?
    I'm asking as no matter what keepalive XX YY I use in my advanced/custom config page, I'll always get keepalive 15 60 written in the config.ovpn file.

    This "may be" fine for always on VPN but not for road warriors as this will try to restart the tunnel (server/tomato side) every 60 seconds even if the road warrior client is not connected.

    Besides this, may I ask what the "poll interval" translates to in OpenVPN configuration terminology?


    Thanks!
     
  97. Toastman

    Toastman Super Moderator Staff Member Member

    srouquette, did you try clearing your NVRAM and re-entering config? This is just the sort of thing that happens when NVRAM has become corrupted for some reason.
     
  98. srouquette

    srouquette Network Guru Member

    At first, I tried to use the "batch" to set the QoS rules automatically, but it didn't work well. So I entered them manually. It works better but I still have some trouble sometimes...

    nvram show = 7300 bytes
    free memory (Count cache memory and buffers as free memory) = 3400kB
     
  99. quinezhu

    quinezhu Addicted to LI Member

    I have been using v1.27vpn3.6.4b664ba6 for half a year and it's very stable except for one small problem. That is, after I set up the 3rd VPN tunnel (four in total) the router's nvram seems to collapse, and then I have to restore the default settings.

    Of course two VPN tunnels are enough for me. I just guess the problem may be related to too many things on the script settings page of my router.
     
  100. DanRogl

    DanRogl Addicted to LI Member

    CallServe Routing, VPN fails after end of call.

    I have an annoying issue that causes the TUN VPN I use for my folks to access a VoIP service run by CallServe to appear to fail. I actually have a 3 router setup, all running 1.27vpn3.6.4b664ba6, 1 server (UK) and 2 clients (remote), and the connection between the three usually runs flawlessly.

    Anyway, the first call works ok, and I can see the traffic being passed over the VPN, but after that call ends the VPN appears to die. The server is still up as the other client is still connected, but the client using the VoIP service needs to be rebooted before the VPN will establish a connection again. Traffic counters don't show the correct info either, usually 0 for all and then about 50 bytes sent on TCP/UDP write bytes, and that's it.

    Has anyone had an issue like this before, or is there something I'm missing?

    Server Config: (screenshot)

    Client Config: (screenshot)
     