
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. ng12345

    ng12345 LI Guru Member

    Sorry to ask a question that has likely been posted before. I spent 15 minutes searching through the thread and couldn't find an easy answer.

    When the firewall is set to "automatic" what rules does it put into place?

    I have a site-to-site VPN in place, so client-to-client is enabled and I need the client to see behind the server and the server to see behind the client.


    Right now TomatoVPN is working great at all 5 sites, but I don't think the router's performance is up to par on the server side. I am moving the OpenVPN server to a dedicated box behind a Tomato router and was hoping to use the firewall rules that your firmware puts in place.
     
  2. haarp

    haarp LI Guru Member

    I'm about to flash my WRT54GL with this. My plan is to set up a VPN to access my local server from anywhere with a Laptop. OpenVPN nicely integrated into the web GUI? Count me in! I hope this makes my quest easier as someone who never set up a VPN before. Anything I should know or keep in mind?

    A few questions before I flash: Can we expect a version based on 1.28 soon? It has some changes from 1.27 that I wouldn't want to miss :)

    Also, what are the chances of other nice GUI patches finding their way into this? I for one would really enjoy the ability to overclock the router from the GUI (I think this is possible in Victek's mod). Or what about Speedmod?

    And finally: What is the impact on CPU load when using VPN on the WRT54GL? I can imagine that encryption taxes it quite a lot.
     
  3. srouquette

    srouquette Network Guru Member

  4. haarp

    haarp LI Guru Member

    Oh, this looks interesting! Thanks!
    I only see ND versions though. I thought they weren't compatible with my good ol' 54GL? The compatibility table on that site lists it as compatible. Is that true? Can I use the kernel 2.4 NoUSB VPN build with the 54GL?
     
  5. srouquette

    srouquette Network Guru Member

    yep, that's what I use, same router :)
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Code:
    # Let the VPN listening port through: ACCEPT in nat/PREROUTING keeps it out of any
    # port-forward (DNAT) rules, then the filter rule lets it reach the router itself
    iptables -t nat -I PREROUTING -p <protocol> --dport <port> -j ACCEPT
    iptables -t filter -I INPUT -p <protocol> --dport <port> -j ACCEPT
    # Trust traffic arriving on the tunnel interface, both to the router and through it
    iptables -t filter -I INPUT -i <vpninterface> -j ACCEPT
    iptables -t filter -I FORWARD -i <vpninterface> -j ACCEPT
    
     
  7. Toastman

    Toastman Super Moderator Staff Member Member

    The GL likes the ND versions. Just go ahead!
     
  8. WoKa

    WoKa Networkin' Nut Member

    VPN troubles

    Hi all,

    First, thanks for all the info and answers on this forum that made it possible for me to build my first VPN with Tomato.

    At the beginning it was hard to learn all the concepts but, reading some posts, it seems that finally my VPN works well... I only have a few problems that I hope you can help me with.

    My configuration is this:

    (Note: I don't have VPN over the internet; in my country there is a big network called "Guifi.net" that provides interconnection between houses and other services)

    TomatoVPN Server:
    Public IP: 10.138.138.25
    Private IP: 192.168.10.40

    TomatoVPN Client1:
    Public IP: 10.138.33.25
    Private IP: 192.168.20.50

    TomatoVPN Client2:
    Public IP: (I don't remember exactly now)
    Private IP: 192.168.30.30

    Basically I have two questions:

    1. Client1 and Client2 have two different subnets, is that correct? Or do I only need the same subnet for all clients, like only 192.168.20.x? (I tried with the same one but had problems with that, so I suppose they need different subnets)

    2. With the VPN running, I can ping the client from the server (192.168.20.50), or ping the server from the client (192.168.10.40). I can ping both with the VPN internal IP too, like 10.8.0.1 (server) and 10.8.0.6 (client).
    The problem is when I try to ping from the server to another router connected to the client VPN router. Is it a firewall problem or a VPN configuration problem?
    If it is a firewall problem, I read just above this sentence:

    -------
    iptables -t nat -I PREROUTING -p <protocol> --dport <port> -j ACCEPT
    iptables -t filter -I INPUT -p <protocol> --dport <port> -j ACCEPT
    iptables -t filter -I INPUT -i <vpninterface> -j ACCEPT
    iptables -t filter -I FORWARD -i <vpninterface> -j ACCEPT
    -------

    Is that the solution? In which router do I need to put these lines, and where?

    Thanks in advance
    WoKa

    (sorry if my english is bad, I'm from Catalonia)
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are you using TAP or TUN? If you're using TUN (recommended), they must be on separate subnets.

    If you have the server and clients "Firewall" setting as "Automatic", it shouldn't be a firewall problem.

    First, I'll assume you're using TLS, not static key, since static key won't work for what you want to do.

    Do you have "Create NAT on tunnel" selected on the client? Do you have the client-specific options table filled out with the client subnet information on the server?
     
  10. WoKa

    WoKa Networkin' Nut Member

    more info...

    Hi SgtPepperKSU,

    Thanks for answering.

    Here you have more info about my configuration:

    I use TUN with TLS.

    Firewall rules are in automatic.

    On the client side I have "Create LAN on tunnel" disabled, and on the server side I have the client-to-client box checked (enabled) with these entries:

    On / CommonName / Subnet / Mask / Push
    Marked / client1..... / 192.168.20.0 / 255.255.255.0 / Marked
    Marked / client2..... / 192.168.30.0 / 255.255.255.0 / Marked

    One question: what is the importance of "CommonName"? Should it be the same as the one I typed when creating the client keys, or can it be different?

    Thanks in advance,
    WoKa
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It is very important that the CommonName matches the name you used when you created the client keys. That is how it knows what routes to set up. If they didn't match, you'd see exactly the problems you describe.
     
  12. WoKa

    WoKa Networkin' Nut Member

    common name

    Well, I put the same common name in the table, but I'm not sure if it's EXACTLY the same. Is there any option to see the common name created in the keys?

    Anyway, I'm able to ping between the server and client routers; the problem is that I can't ping from the server VPN router to another router, different from the client VPN router, on the client side.

    Example:

    ROUTER INTERNET(1) -- ROUTER VPN SERVER(2) < --- > ROUTER VPN CLIENT(3) -- ROUTER (4)

    I'm on the server side and can ping router 2 and 3 but not 4; that's the problem.

    On the client side I only tried to ping router 2 and it works.

    Thanks for your patience,
    WoKa
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep, that sounds exactly like you have the CommonNames wrong. They must be exact. The easiest way would probably be to look at the server logs when the client connects. Or on the "status" tab of the server after the client connects.
     
  14. WoKa

    WoKa Networkin' Nut Member

    common name

    Ok, I'm going to do some tests tomorrow (now it's 0:20 here :))

    By the way, I uploaded a screen capture of the status on the server; check whether it's all correct when you can.

    Thanks for all, you're so great!
    Regards.
     


  15. WoKa

    WoKa Networkin' Nut Member

    common names are ok

    Just now I opened the client certificates with Notepad and can see the common name exactly.

    It's well configured, so what's the problem?

    Thanks
    WoKa.
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Can you post the server and client logs from when the client connects?
     
  17. WoKa

    WoKa Networkin' Nut Member

    logs

    I've just returned from the server and client houses and here are the logs:

    Server log after 5 minutes of reboot
    Log from client2 after reboot
    Log from Client3 after reboot
    I put a screen capture of server status too.


    I noticed that the logs from the clients are different... but I checked every option in the client routers and they are identical.

    One curiosity: what does the "C" at the end of the IP in the server status mean?

    Thanks for all,
    Regards.
    WoKa
     


  18. sleepymatt

    sleepymatt Addicted to LI Member

    Hello!

    Just a few quick questions. I am running vanilla Tomato 1.27 on an Asus WL-520GU.

    1st question: In the 7z archive I see there are multiple files ... would I use the tomato.trx to flash?

    2nd Question: Can I just do a standard upgrade from the tomato admin or do I need to do a 30/30/30 reset of the device before flashing? Also, after the flash does a 30/30/30 reset need to be done?

    Thanks,
    Matt
     
  19. rhester72

    rhester72 Network Guru Member

    1. Yes.
    2. In my experience, coming from vanilla, you'll be fine, especially if you have a complex configuration in place already. I'd upgrade, and if you encounter difficult-to-explain issues afterwards, a thorough NVRAM erase from within the Administration menu should suffice in lieu of a 30/30/30.

    Rodney
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Client3 is not asking the server to push the routes to it. There's no reason why this should happen if you have it configured the same as Client2. As rhester72 just implied in his reply to sleepymatt, upgrading without erasing NVRAM can sometimes cause "difficult-to-explain issues". I would recommend erasing NVRAM (Administration->Configuration->Restore Default Configuration->thorough) and configuring that router from scratch.

    Have you tried testing connectivity from Client2? Client3 isn't working because of the issue above, but it seems Client2 has the routes set up correctly.
     
  21. WoKa

    WoKa Networkin' Nut Member

    Ok. These routers have been used before for other things, so it's possible that they need a configuration reset. I remember having issues with the server and client2... I had to do a reset to factory defaults and then reconfigure again and they worked better; so I'll do the same with client3. What is better, NVRAM clear or reset to factory defaults?

    I tried to connect from a PC on the server side to a PC on the client2 side and it seems to work. I typed \\192.168.20.112\ in the "Run" dialog and it asked me for user/pass (both have Windows 7). I'm very happy with that :biggrin:

    Thanks a lot!
    Regards,
    WoKa.
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    "Erase all data in NVRAM memory (thorough)" is the best option. It erases "everything", and the defaults are set on the next boot.

    Glad to hear it. Hopefully, the NVRAM erase clears up your problems.
     
  23. sleepymatt

    sleepymatt Addicted to LI Member

    Well this whole process was a lot easier than I thought it was going to be. Thanks for all your hard work SgtPepper.

    One question though. I am able to access network drives, view the admin page on the router etc from the client computer ... so everything is working fine in that aspect which is what I want.

    But let's say that I'm at an internet cafe and want to do something I would like secured... such as checking gmail over http. How would I go about sending my internet traffic through the VPN? As far as I can see (doing a whatsmyip.org) ... internet traffic is being routed through the local connection. Is there some sort of setting in the config file that says send internet traffic through the VPN?

    Edit: Also, I just noticed the router seems to be running very low on ram. Is this normal/OK? 14.19 MB / 460.00 KB (3.17%)

    Thanks,
    Matt
     
  24. Toastman

    Toastman Super Moderator Staff Member Member

    You may need to check this box in ADMIN-DEBUG page "Count cache memory and buffers as free memory".
     
  25. peyton

    peyton LI Guru Member

    Hi there,

    I've just tested the VPN option with 2 different servers in 2 different cities. I've just got 1 problem... I can't get more than 0.8 Mbps down and 0.6 Mbps up for both. The 3 connections (including mine) are 15 Mbps+.

    Could we optimize the VPN to get more? I've already disabled compression and I use the default for encryption.

    Thanks.

    PS: I use it to share the connection and test via browser through speedtest.net
     
  26. WoKa

    WoKa Networkin' Nut Member

    internet and VPN

    Hi again SgtPepper,

    Clearing NVRAM worked well for client3. Now I'm able to ping both clients and connect to shared folders; thanks for the help.

    This weekend I finally got an internet connection and now I'm trying to share it with the clients, with no success.
    I tried to set up some routes and change some settings but can't get VPN and internet at the same time.

    In the TomatoVPN Server router, if I put 192.168.10.10 as the gateway (in Basic/Network), the VPN works (192.168.10.10 is the IP of the antenna I use to connect with the other clients), but there is no internet access.
    If I put 192.168.10.1 (the IP of my ADSL router) as the gateway, I can get internet through the TomatoVPN Server router (on the server side), but then the VPN does not work.

    What is the way to configure the TomatoVPN Server router to get VPN + internet?

    Thanks a lot!
    Regards,
    WoKa.
     
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep, it's
    Code:
    redirect-gateway def1
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You might play with the MTU and fragmentation settings (not in the GUI, see the openvpn manpages or google).
     
  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you describe your topology a bit more? I'm not sure I understand.

    However, here's what I think you're saying: You have "TomatoVPN Server" behind another private subnet that has a) an ADSL router to connect to the Internet and b) another server and/or router that's connected (possibly indirectly) to your VPN clients but not the Internet. So, your VPN clients are not accessing the VPN server from over the Internet?

    If all that is true, you should have static routes in your TomatoVPN server router (not in the VPN configuration, just in the Advanced->Routing page) that tell the router to use the other server/router for certain subnets.

    As a starter, you should make sure you have connectivity to the clients and the Internet at the same time before worrying about the VPN.
     
  30. WoKa

    WoKa Networkin' Nut Member

    topology

    "So, your VPN clients are not accessing the VPN server from over the Internet?"
    Exactly. No internet access is needed to connect to the VPN; all VPN routers connect through the Guifi network (www.guifi.net).

    I tried some things in the "Advanced-Routing" page but no success. I tried this:

    Destination / Gateway / Subnet mask
    192.168.10.1 / 0.0.0.0 / 255.255.255.0
    192.168.10.10 / 10.0.0.0 / 255.255.255.224

    I'm confused with this :rolleyes:

    Another question: guifi.net uses the 10.0.0.0 subnet and the VPN uses 10.8.0.0... can that be a conflict?


    Here is the topology...
     


  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The routes you need are to the client routers (their WAN IP), using 192.168.10.10 as the gateway. From what I understand, your router has absolutely no idea that the clients need to be reached someway else than its default gateway.

    Since your VPN subnet is more specific (guifi uses the entire /8, and your VPN uses a /24), things would probably work. However, if there is a guifi address that happens to fall in your VPN /24 subnet, you won't be able to reach it (your router will assume it's a VPN address). Regardless of whether or not it would work, it'd be much, much cleaner to have a distinct subnet for your VPN (eg 172.16.123.0/255.255.255.0). Just be sure to pick a range that is set aside for private use (and isn't already used in another private network you're attached to, like 10.0.0.0).
     
  32. WoKa

    WoKa Networkin' Nut Member

    So...something like that:

    Destination / Gateway / Subnet mask
    10.138.33.5 / 192.168.10.10 / 255.255.255.0
    10.138.33.73 / 192.168.10.10 / 255.255.255.0

    (10.138.33.5 and 10.138.33.73 are clients WAN IP)


    Next time I'll change the 10.8.0.0 subnet to 172.16.123.0, thanks.
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The subnet mask only needs to be 255.255.255.255 if you're adding specific hosts (not a subnet). However, given how you've described your topology, you could add a 10.0.0.0/192.168.10.10/255.0.0.0 route to cover anything in guifi (including your two clients, so this one route would cover your needs), if you wanted to.
     
  34. WoKa

    WoKa Networkin' Nut Member

    Nice!

    Ok, this is to send internet to the clients, but my problem at this moment is on the server side.
    If I put 192.168.10.10 as the gateway in Basic/Network settings, the VPN tunnel works but I can't get internet access.
    If I put 192.168.10.1 as the gateway, I can surf the internet but then I can't ping the VPN clients.
    I need to have both things before sending internet to the clients... is it routes?


    By the way, I want to thank you for the patience you're showing; if you come here let me know, I owe you a few beers :wink:
     
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yeah, definitely don't do that. When you do that, you're telling your router that it needs to send traffic to 192.168.10.10 to get to the Internet.
    This is the gateway you want set. You want everything, unless otherwise specified, to go to your ADSL modem. The "otherwise specified"? That's what the routes I'm talking about are for. They say "If I need to talk to a device on this subnet, use this gateway instead of the default gateway".

    Have you tried any of the static routes (on the server) we've talked about (either the two specific to your client routers, or the one that covers all of guifi)? It will not work without it.
     
  36. WoKa

    WoKa Networkin' Nut Member

    yeah

    Solved.

    I went to the server house now and tried the route you talked about, then changed 192.168.10.10 to 192.168.10.1 in the gateway, and I have pings to the VPN clients and internet. Fantastic!

    Now I'm trying to send internet to the clients; I can't ping the internet from a client yet...

    THANKS A LOT!
    Regards,
    WoKa.
     
  37. sleepymatt

    sleepymatt Addicted to LI Member

    Hey,

    Perfect that worked! Thanks!

    What do you guys think about running VoIP over VPN? I have an Asterisk server running and would like to connect a remote computer through the VPN to the Asterisk server to make phone calls.

    Is this something a WRT54GL can handle? I am currently using the default encryption. I currently have 60KB/sec upload but if I need to I could upgrade to 120KB/sec. Are there any settings I should change? Codecs? Better ways of achieving this, maybe by using another router to handle VPN only rather than using one router to handle all traffic? The VPN would only be handling 1 call at a time as the other calls would be waiting on hold. Using the G.711 (ulaw) codec the call uses ~25KB/sec transmit and 20KB/sec receive. Could the VPN handle this??

    Thanks so much!
    Matt
     
  38. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unfortunately, I think it's fairly likely that the hardware won't be able to keep up. But, the only way to know what bandwidth your configuration will provide is to try it out.
     
  39. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Do you have either "Direct clients to redirect Internet traffic" selected on the server or "Redirect Internet traffic" selected on the clients?
     
  40. WoKa

    WoKa Networkin' Nut Member

    internet...

    I have these enabled in the VPN Server:

    Push LAN to clients
    Direct clients to redirect internet traffic
    Respond to DNS
    Advertise DNS to clients

    (All checked)


    I tried different things on the VPN client side but no success, playing with the "Redirect internet traffic" and "Accept DNS configuration" options on the client side, but I can't ping the internet...

    ...on the server side ALL works perfectly, I can access the internet, internet through the proxy (Guifi) and can ping the clients.

    Is it possible that I need to put these lines somewhere in the firewall?
    (If yes, on the server or client side? And to be sure, exactly where?)

    iptables -t nat -I PREROUTING -p UDP --dport 1194 -j ACCEPT
    iptables -t filter -I INPUT -p UDP --dport 1194 -j ACCEPT
    iptables -t filter -I INPUT -i tun+ -j ACCEPT
    iptables -t filter -I FORWARD -i tun+ -j ACCEPT

    Thanks...this is the last step I hope :smile:
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You shouldn't need any firewall commands if you have your firewall settings set to "Automatic".

    Filling in the "client-specific options" table on the server would have been sufficient if your VPN server router was also creating a NAT on the WAN connection (connected to ADSL router). However, looking at the IP addresses in your topology diagram again, I see it's likely there is no NAT there.

    You will either need to create that NAT (connect the ADSL router to the WAN port on the VPN server router and have the VPN server router in "gateway" mode) or set up routes on the ADSL router that tell it where to find your clients' subnets (using your VPN server router's IP as the gateway). The first option is probably simpler. Can your ADSL router be configured in "bridge mode" so you don't have two NATs? (don't ask me technicals about bridge mode, I don't have ADSL and have only heard others suggest it)

    EDIT: For clarification, this is needed because your Internet return traffic doesn't know where to go to get back to your client subnets. As it comes back in to your ADSL router, it needs to know that this traffic needs to go through the VPN server router to reach those addresses (at which point the VPN server router will decide to send it over the VPN). If there is a NAT on the VPN server router's connection to the Internet, it will hide all of this by making each packet appear as though it came from (and should be returned to) him. Once he gets the response, he modifies the destination back to the proper address and sends it on its way.
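The routing decisions SgtPepperKSU walks through in posts #31, #33, #35 and #41 (why the ADSL router must be the default gateway with a separate static route for guifi, why a VPN subnet inside 10.0.0.0/8 swallows guifi hosts, and why Internet replies to a client-side LAN never come back without NAT or a route on the ADSL router) can be replayed with a toy longest-prefix-match table. This is an added example, not code from the thread or from TomatoVPN; it uses only Python's standard ipaddress module. The addresses are the ones WoKa posted; client2's tunnel peer address, the "isp" next hop and 8.8.8.8 as a stand-in Internet host are assumptions.

```python
import ipaddress


class RouteTable:
    """Minimal forwarding table: the most specific matching prefix wins,
    which is how the router's kernel decides where a packet goes."""

    def __init__(self):
        self.routes = []  # (network, next hop, interface)

    def add(self, prefix, via, iface):
        self.routes.append((ipaddress.ip_network(prefix), via, iface))

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if ip in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return None if best is None else (best[1], best[2])


def server_router(default_gw, vpn_net="10.8.0.0/24"):
    """WoKa's TomatoVPN Server router. Its LAN (192.168.10.0/24) holds both the
    ADSL router (.1) and the guifi antenna (.10). The two client LANs are reached
    over tun0 once the client-specific options table is filled in; client1's
    peer address (10.8.0.6) is from the thread, client2's is assumed."""
    net = ipaddress.ip_network(vpn_net)
    t = RouteTable()
    t.add("192.168.10.0/24", "connected", "br0")
    t.add(vpn_net, "connected", "tun0")
    t.add("192.168.20.0/24", str(net[6]), "tun0")    # LAN behind client1
    t.add("192.168.30.0/24", str(net[10]), "tun0")   # LAN behind client2 (assumed peer)
    t.add("0.0.0.0/0", default_gw, "br0")            # the Basic/Network gateway
    return t


def with_guifi_route(table):
    """Post #33: one static route covers all of guifi (10.0.0.0/8), the client
    routers' WAN addresses included, via the antenna instead of the default."""
    table.add("10.0.0.0/8", "192.168.10.10", "br0")
    return table


def adsl_router(extra_routes=()):
    """The ADSL router knows its own LAN and the Internet ("isp" is a placeholder
    for the provider-side hop) and nothing else unless a route is added."""
    t = RouteTable()
    t.add("192.168.10.0/24", "connected", "eth0")
    t.add("0.0.0.0/0", "isp", "ppp0")
    for prefix, via in extra_routes:
        t.add(prefix, via, "eth0")
    return t


def reply_reaches_client(adsl, reply_dst):
    """Post #41: an Internet reply arriving at the ADSL router only gets back to a
    client-side LAN if the ADSL router has a route for it that points at the VPN
    server router; otherwise the reply leaves toward the ISP and is lost."""
    via, _ = adsl.lookup(reply_dst)
    return via != "isp"


if __name__ == "__main__":
    wrong = server_router("192.168.10.10")  # antenna as default gateway (post #34)
    print("default=antenna, Internet host ->", wrong.lookup("8.8.8.8"))
    fixed = with_guifi_route(server_router("192.168.10.1"))
    print("default=ADSL + guifi route, client1 WAN ->", fixed.lookup("10.138.33.25"))
    print("default=ADSL + guifi route, Internet host ->", fixed.lookup("8.8.8.8"))
    # Post #31's caveat: with the VPN on 10.8.0.0/24, a guifi host in that range
    # is swallowed by the more specific tunnel route.
    print("guifi host 10.8.0.5, VPN on 10.8.0.0/24 ->", fixed.lookup("10.8.0.5"))
    renum = with_guifi_route(server_router("192.168.10.1", "172.16.123.0/24"))
    print("guifi host 10.8.0.5, VPN on 172.16.123.0/24 ->", renum.lookup("10.8.0.5"))
    # Post #41: reply to a client LAN host without NAT, after SNAT, with a static route.
    print("reply to 192.168.20.112, plain ->",
          reply_reaches_client(adsl_router(), "192.168.20.112"))
    print("reply after SNAT to 192.168.10.40 ->",
          reply_reaches_client(adsl_router(), "192.168.10.40"))
    print("reply with route on ADSL router ->",
          reply_reaches_client(adsl_router([("192.168.20.0/24", "192.168.10.40")]),
                               "192.168.20.112"))
```

With the antenna as default gateway every Internet-bound packet goes to guifi, which is the symptom in post #34; with the ADSL router as default and the single 10.0.0.0/8 route added, both the client WAN addresses and the Internet resolve correctly. The 10.8.0.5 probe is post #31's warning made concrete: the /24 tunnel route beats the /8 guifi route, so that guifi host is unreachable until the VPN is renumbered out of 10.0.0.0/8. The last three calls are post #41: a reply addressed to 192.168.20.112 is unknown to the ADSL router and leaves toward the ISP; SNAT on the VPN server router (so the reply is addressed to 192.168.10.40) or a static route for 192.168.20.0/24 via 192.168.10.40 on the ADSL router both fix it, and the NAT option is the one that keeps the client LANs invisible to anything beyond the VPN server router.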
     
  42. WoKa

    WoKa Networkin' Nut Member

    It works! But I have another problem

    Well...

    I tried different things and finally... enabling dynamic routing in the ADSL router (on the eth and ppp interfaces) it works.
    Now I can ping the internet (ex: www.google.com) from the client VPN router; but it seems that the configuration is not pushed to the client PC. From the client PC I can't ping the internet :frown:

    This is what I have on the client side:

    (The VPN Client router has WDS+AP enabled)

    VPN Client Router (1) connected via WiFi to a PS3 (2).
    VPN Client Router (1) connected via WDS to another WRT54GL router (3) with Tomato firmware. This last one is connected via ethernet to the client PC (4).

    I can ping from 1 to the internet, but can't ping from 2, 3 or 4 to the internet.

    [Note: I put the route 10.0.0.0 (destination) / 192.168.20.1 (gateway) / 255.0.0.0 (mask) in the VPN Client router too, so now it can access the server, clients and guifi; it only needs internet]

    If you need, I can upload client's log later...

    Thanks in advance,
    Regards,
    WoKa.
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    See my last reply. The symptoms you mention match the problem I was describing.
     
  44. windozer

    windozer Networkin' Nut Member

    Router#2 to access hulu etc.

    Thanks for making this super firmware, because I don't think it gets any easier than this. Learning to configure it was pretty easy from this thread.
    Because I'm not an expert I need some help to understand what I'm doing wrong with my Tomato GUI. I can't access the net unless I stop the VPN client.

    I have version tomatovpn-1.27vpn3.6.7z on router#2 (192.168.2.1), which has a static WAN IP (192.168.1.20) on the main router.
    My main goal is to let devices connected to router#2 have access to hulu etc.



    VPN provider's config
    Code:
    client
    dev tun
    fast-io
    persist-key
    persist-tun
    nobind
    remote vpn.blackvpn.com 1194
    pull
    comp-lzo
    tls-client
    tls-remote server
    ns-cert-type server
    tls-auth ssl/ta.key 1
    ca ssl/ca.crt
    cipher AES-256-CBC
    verb 3
    mute 10
    auth-user-pass

    VPN Client custom config and INIT
    VPN Client 1>Basic> tun,udp,FW-auto, Auth mode-custom

    VPN Client 1>Advanced>Custom Config>
    Code:
    client
    dev tun0
    fast-io
    persist-key
    persist-tun
    nobind
    remote vpn.blackvpn.com 1194
    pull
    comp-lzo
    tls-client
    tls-remote server
    ns-cert-type server
    tls-auth /tmp/ta.key 1
    ca /tmp/ca.crt
    cipher AES-256-CBC
    script-security 3
    verb 3
    mute 10
    keepalive 10 120
    auth-user-pass /tmp/blackvpnuserpass
    Init
    Code:
    echo 'abcdefg
    1234567' > /tmp/blackvpnuserpass
    
    echo '-----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----' > /tmp/ca.crt
    
    echo '#
    # 2048 bit OpenVPN static key
    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----' > /tmp/ta.key
    
    
    Tomato log
    Code:
    Jan  1 04:00:13 unknown user.warn kernel: ip_conntrack version 2.1 (8092 buckets, 4096 max) - 368 bytes per conntrack
    Jan  1 04:00:13 unknown user.warn kernel: ip_tables: (C) 2000-2002 Netfilter core team
    Jan  1 04:00:13 unknown user.info kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    Jan  1 04:00:13 unknown user.info kernel: NET4: Ethernet Bridge 008 for NET4.0
    Jan  1 04:00:13 unknown user.alert kernel: 802.1Q VLAN Support v1.7 Ben Greear <greearb@candelatech.com>
    Jan  1 04:00:13 unknown user.alert kernel: All bugs added by David S. Miller <davem@redhat.com>
    Jan  1 04:00:13 unknown user.warn kernel: VFS: Mounted root (squashfs filesystem) readonly.
    Jan  1 04:00:13 unknown user.info kernel: Mounted devfs on /dev
    Jan  1 04:00:13 unknown user.info kernel: Freeing unused kernel memory: 64k freed
    Jan  1 04:00:13 unknown user.warn kernel: Algorithmics/MIPS FPU Emulator v1.5
    Jan  1 04:00:13 unknown user.warn kernel: ip_conntrack_pptp version 1.9 loaded
    Jan  1 04:00:13 unknown user.warn kernel: ip_nat_pptp version 1.5 loaded
    Jan  1 04:00:13 unknown user.warn kernel: ip_conntrack_rtsp v0.01 loading
    Jan  1 04:00:13 unknown user.warn kernel: ip_nat_rtsp v0.01 loading
    Jan  1 04:00:13 unknown user.warn kernel: eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.38.0
    Jan  1 04:00:13 unknown user.warn kernel: eth1: Broadcom BCM4320 802.11 Wireless Controller 3.90.38.0
    Jan  1 04:00:13 unknown user.warn kernel: tomato_ct.c [Jan 31 2010 21:44:26]
    Jan  1 04:00:13 unknown user.info kernel: vlan0: dev_set_promiscuity(master, 1)
    Jan  1 04:00:13 unknown user.info kernel: device eth0 entered promiscuous mode
    Jan  1 04:00:13 unknown user.info kernel: device vlan0 entered promiscuous mode
    Jan  1 04:00:13 unknown user.info kernel: device eth1 entered promiscuous mode
    Jan  1 04:00:13 unknown user.info kernel: br0: port 2(eth1) entering learning state
    Jan  1 04:00:13 unknown user.info kernel: br0: port 1(vlan0) entering learning state
    Jan  1 04:00:13 unknown user.warn kernel: vlan1: Setting MAC address to  00 16 b6 d9 d4 c6.
    Jan  1 04:00:13 unknown user.info kernel: vlan1: add 01:00:5e:00:00:01 mcast address to master interface
    Jan  1 04:00:13 unknown user.info kernel: br0: port 2(eth1) entering forwarding state
    Jan  1 04:00:13 unknown user.info kernel: br0: topology change detected, propagating
    Jan  1 04:00:13 unknown user.info kernel: br0: port 1(vlan0) entering forwarding state
    Jan  1 04:00:13 unknown user.info kernel: br0: topology change detected, propagating
    Jan  1 04:00:13 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Jan  1 04:00:14 unknown daemon.info dnsmasq[233]: started, version 2.51 cachesize 150
    Jan  1 04:00:14 unknown daemon.info dnsmasq[233]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-scripts no-TFTP
    Jan  1 04:00:14 unknown daemon.info dnsmasq-dhcp[233]: DHCP, IP range 192.168.2.100 -- 192.168.2.149, lease time 1d
    Jan  1 04:00:14 unknown daemon.info dnsmasq[233]: reading /etc/resolv.dnsmasq
    Jan  1 04:00:14 unknown daemon.info dnsmasq[233]: using nameserver 192.168.1.1#53
    Jan  1 04:00:14 unknown daemon.info dnsmasq[233]: read /etc/hosts - 0 addresses
    Jan  1 04:00:14 unknown daemon.info dnsmasq[233]: read /etc/hosts.dnsmasq - 1 addresses
    Jan  1 04:00:14 unknown user.info init[1]: Tomato 1.27vpn3.6.4b664ba6
    Jan  1 04:00:14 unknown cron.err crond[237]: crond (busybox 1.14.4) started, log level 9
    Jan  1 04:00:14 unknown user.info init[1]: Linksys WRT54G/GS/GL
    Jan  1 04:00:15 unknown daemon.warn openvpn[212]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Jan  1 04:00:15 unknown daemon.warn openvpn[212]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan  1 04:00:15 unknown daemon.notice openvpn[212]: Re-using SSL/TLS context
    Jan  1 04:00:15 unknown daemon.notice openvpn[212]: LZO compression initialized
    Jan  1 04:00:15 unknown daemon.notice openvpn[212]: Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Jan  1 04:00:15 unknown daemon.err openvpn[212]: RESOLVE: NOTE: vpn.blackvpn.com resolves to 2 addresses, choosing one by random
    Jan  1 04:00:15 unknown daemon.notice openvpn[212]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan  1 04:00:15 unknown daemon.notice openvpn[212]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan  1 04:00:15 unknown daemon.notice openvpn[212]: UDPv4 link local: [undef]
    Jan  1 04:00:15 unknown daemon.notice openvpn[212]: UDPv4 link remote: 208.100.1.26:1194
    Jan  1 04:00:15 unknown daemon.notice openvpn[212]: TLS: Initial packet from 208.100.1.26:1194, sid=b1869ef5 4e191e2b
    Jan  1 04:00:15 unknown daemon.warn openvpn[212]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jan  1 04:00:17 unknown daemon.err openvpn[212]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=NL/ST=NL/L=Amsterdam/O=blackVPN/CN=blackVPN_CA/Email=staff@blackvpn.com
    Jan  1 04:00:17 unknown daemon.err openvpn[212]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Jan  1 04:00:17 unknown daemon.err openvpn[212]: TLS Error: TLS object -> incoming plaintext read error
    Jan  1 04:00:17 unknown daemon.err openvpn[212]: TLS Error: TLS handshake failed
    Jan  1 04:00:17 unknown daemon.notice openvpn[212]: TCP/UDP: Closing socket
    Jan  1 04:00:17 unknown daemon.notice openvpn[212]: SIGUSR1[soft,tls-error] received, process restarting
    Jan  1 04:00:17 unknown daemon.notice openvpn[212]: Restart pause, 2 second(s)
    Nov 28 12:28:53 unknown daemon.warn openvpn[212]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Nov 28 12:28:53 unknown daemon.warn openvpn[212]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Nov 28 12:28:53 unknown daemon.notice openvpn[212]: Re-using SSL/TLS context
    Nov 28 12:28:53 unknown daemon.notice openvpn[212]: LZO compression initialized
    Nov 28 12:28:53 unknown daemon.notice openvpn[212]: Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Nov 28 12:28:53 unknown daemon.err openvpn[212]: RESOLVE: NOTE: vpn.blackvpn.com resolves to 2 addresses, choosing one by random
    Nov 28 12:28:53 unknown daemon.notice openvpn[212]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Nov 28 12:28:53 unknown daemon.notice openvpn[212]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Nov 28 12:28:53 unknown daemon.notice openvpn[212]: UDPv4 link local: [undef]
    Nov 28 12:28:53 unknown daemon.notice openvpn[212]: UDPv4 link remote: 208.100.1.26:1194
    Nov 28 12:28:54 unknown daemon.notice openvpn[212]: TLS: Initial packet from 208.100.1.26:1194, sid=905e9425 e93cd73c
    Nov 28 12:28:54 unknown daemon.warn openvpn[212]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Nov 28 12:28:56 unknown daemon.notice openvpn[212]: VERIFY OK: depth=1, /C=NL/ST=NL/L=Amsterdam/O=blackVPN/CN=blackVPN_CA/Email=staff@blackvpn.com
    Nov 28 12:28:56 unknown daemon.notice openvpn[212]: VERIFY OK: nsCertType=SERVER
    Nov 28 12:28:56 unknown daemon.notice openvpn[212]: VERIFY X509NAME OK: /C=NL/ST=NL/L=Amsterdam/O=blackVPN/CN=server/Email=staff@blackvpn.com
    Nov 28 12:28:56 unknown daemon.notice openvpn[212]: VERIFY OK: depth=0, /C=NL/ST=NL/L=Amsterdam/O=blackVPN/CN=server/Email=staff@blackvpn.com
    Nov 28 12:29:17 unknown daemon.notice openvpn[212]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Nov 28 12:29:17 unknown daemon.notice openvpn[212]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 28 12:29:17 unknown daemon.notice openvpn[212]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Nov 28 12:29:17 unknown daemon.notice openvpn[212]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Nov 28 12:29:17 unknown daemon.notice openvpn[212]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
    Nov 28 12:29:17 unknown daemon.notice openvpn[212]: [server] Peer Connection Initiated with 208.100.1.26:1194
    Nov 28 12:29:19 unknown daemon.notice openvpn[212]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Nov 28 12:29:24 unknown daemon.notice openvpn[212]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Nov 28 12:29:29 unknown daemon.notice openvpn[212]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 172.16.24.1,route 172.16.24.1,topology net30,ping 10,ping-restart 60,ifconfig 172.16.24.198 172.16.24.197'
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: OPTIONS IMPORT: timers and/or timeouts modified
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: OPTIONS IMPORT: --ifconfig/up options modified
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: OPTIONS IMPORT: route options modified
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: TUN/TAP device tun0 opened
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: TUN/TAP TX queue length set to 100
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: /sbin/ifconfig tun0 172.16.24.198 pointopoint 172.16.24.197 mtu 1500
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: /sbin/route add -net 208.100.1.26 netmask 255.255.255.255 gw 192.168.1.1
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.16.24.197
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.16.24.197
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: /sbin/route add -net 172.16.24.1 netmask 255.255.255.255 gw 172.16.24.197
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: Initialization Sequence Completed
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 172.16.24.1,route 172.16.24.1,topology net30,ping 10,ping-restart 60,ifconfig 172.16.24.198 172.16.24.197'
    Nov 28 12:29:30 unknown daemon.notice openvpn[212]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 172.16.24.1,route 172.16.24.1,topology net30,ping 10,ping-restart 60,ifconfig 172.16.24.198 172.16.24.197'
    Nov 28 12:29:35 unknown cron.err crond[237]: time disparity of 21515549 minutes detected
    
    Routing table
    Current Routing Table
    Destination   Gateway       Subnet Mask     Metric  Interface
    172.16.24.197 *             255.255.255.255 0       tun0
    172.16.24.1   172.16.24.197 255.255.255.255 0       tun0
    208.100.1.26  192.168.1.1   255.255.255.255 0       vlan1 (WAN)
    192.168.2.0   *             255.255.255.0   0       br0 (LAN)
    192.168.1.0   *             255.255.255.0   0       vlan1 (WAN)
    127.0.0.0     *             255.0.0.0       0       lo
    default       172.16.24.197 128.0.0.0       0       tun0
    128.0.0.0     172.16.24.197 128.0.0.0       0       tun0
    default       192.168.1.1   0.0.0.0         0       vlan1 (WAN)
    PS: I read from a tomato-friendly blog-post that "main thing you want to make sure is that there is never an entry of default (or 0.0.0.0) in the destination column that goes to any interface other than a tunnel" (source).
     
  45. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think the problem is that you're specifying tun0 in the custom config (and lots of other stuff) instead of letting the VPN GUI make any decisions on its own.

    My recommendation would be to use the VPN GUI to configure your VPN instead of how you did it.


    Select TLS instead of Custom.

    Get rid of both of those lines, the GUI takes care of it.
    I've never used that option, but you can leave it if you want it.
    Get rid of those, the VPN GUI does that for you.
    Get rid of this, and enter the address/port in the GUI on the Basic tab.
    This is a worthless line (even if you weren't using the GUI, it'd be worthless) since "pull" is implied by "client". You should get rid of it.
    Get rid of this line, and make sure Compression: Adaptive is selected in the GUI.
    This is a worthless line (even if you weren't using the GUI, it'd be worthless) since "tls-client" is implied by "client". You should get rid of it.
    You can leave those. They just help verify that you're connected to the right server, but don't affect the connection otherwise.
    Get rid of this line, and select Extra HMAC authorization (tls-auth): Outgoing(1) in the GUI.
    Get rid of that line. The GUI takes care of it
    Get rid of that line and select AES-256-CBC as the encryption cipher in the GUI.
    Get rid of those. The GUI takes care of it.
    Leave that one.
    Leave that bit.
    Get rid of that part and put the ca.crt certificate in the Certificate Authority field and the ta.key in the Static Key field on the Keys tab of the GUI.

    Well, they were just wrong... :tongue:
     
  46. WoKa

    WoKa Networkin' Nut Member

    finally got internet on clients...

    Hi SgtPepper,

    Sorry, but these days I could not test what you told me... finally, on the weekend, I tried deleting the "dynamic routes" in the ADSL router and making them manually as you described, and then it WORKS WELL!

    The VPN client router sends internet to the clients (PC, PS3, laptop, ...), I can access PC shared folders remotely and got the guifi connection too; it's FANTASTIC!

    One last thing, and sorry about that... there is a lot of information in forums and threads, but you really helped me so much to solve all my doubts, so...

    It's a performance question. Server and client are connected with 5 GHz wireless antennas (A mode) that can theoretically reach 54 Mbps. I don't expect this bandwidth, but at least 10 Mbps, yes. (BTW, my internet line is 10Mb/800Kb.)
    When I test, internet on the client's side is only 1-2 Mbps.
    If I try to copy one file (2 GB) from a PC on the client side to the server's PC, I get about ~2 Mbps (between 0.5 and 3 Mbps).

    Can I boost performance in some way?

    Note: I read some things and these are my doubts:

    I read about NetBIOS traffic and that it consumes a lot of bandwidth, but I think it's disabled in my case; how can I be sure?

    I read that encryption algorithms have their limits, but that limit is more than the speed I get. I don't think this is the problem.

    I suppose that the "compression parameters" can make some difference in speed; what's the best option? I tested with the "Disable" and "Enable" modes and the results are similar.

    I don't know if this changes the speed, but right now I have the VPN client and server routers with gateway mode enabled. Can I now put them in router mode (both sides), because I already have routes in the ADSL router?

    I read something about MTU too; do you have a link for more information?


    Is there any other parameter to check?


    Thanks in advance,
    WoKa
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I have not done much research into increasing the bandwidth across the tunnel, so I can't tell you much. Anything I could tell you would pretty much just be me googling (which you can do).

    However, it seems most likely to me that the bottleneck is the router hardware trying to keep up with the encryption. If disabling encryption isn't an option (it usually isn't), then there isn't much you can do besides upgrading hardware. Picking a lightweight encryption cipher would help, and I think that BF-CBC is the lightest (and is the default).

    Other than that, all I can tell you is "Good luck"!
     
  48. karog

    karog Networkin' Nut Member

    You can run a bandwidth test with encryption turned off and turned on to test this hypothesis. At least you will then know if encryption is in fact the culprit rather than just guessing.
     
  49. windozer

    windozer Networkin' Nut Member

    It just worked

    Dear SgtPepperKSU
    I simply removed the lines and set up the GUI options exactly like you mentioned, and it worked right off the bat.
    Muchos gratias, Shukriya, Kap kun kaap, Danki, Merci, Thank you!!
     
  50. jwbrown77

    jwbrown77 Networkin' Nut Member

    DNS Issues

    Hi,

    I've setup the OpenVPN module in Tomato USB (build 54) successfully, but I am unable to get the router (Asus RT-N16) to resolve DNS names with my remote corporate DNS server.

    General VPN connectivity works from both the router and internal PCs. DNS works on the internal client with my corporate DNS server:

    C:\>nslookup
    Default Server: ROUTER
    Address: 192.168.8.1

    > server 192.168.254.252
    Default Server: [192.168.254.252]
    Address: 192.168.254.252

    > hostname.xxx.com
    Server: [192.168.254.252]
    Address: 192.168.254.252

    Name: hostname.xxx.com
    Address: 192.168.254.251
    (WORKS)

    ******

    But the router itself is unable to query the same IP for DNS entries:

    nslookup hostname.xxx.com 192.168.254.252
    Server: 192.168.254.252
    Address 1: 192.168.254.252

    nslookup: can't resolve 'hostname.xxx.com'
    (NOT WORKING)

    ******

    But the router itself *can* ping the remote host (192.168.254.252) and connect to other services such as SSH.

    I have done tcpdumps on both ends and have found that the remote server is attempting to return the correct DNS response, but for some reason it's not making it back to the client side router (firewall maybe?)

    Generated config below:

    # Automatically generated configuration
    daemon
    client
    dev tun11
    proto udp
    remote vpn.xxx.com 11945
    resolv-retry 30
    nobind
    persist-key
    persist-tun
    comp-lzo yes
    cipher AES-256-CBC
    verb 3
    tls-auth static.key 1
    ca ca.crt
    cert client.crt
    key client.key
    status-version 2
    status status

    # Custom Configuration
    link-mtu 1558
    auth-user-pass /opt/openvpn/openvpn.pass
    ns-cert-type server

    "Firewall" is set to "Automatic"
    "Redirect Internet Traffic" is "Disabled"

    ******

    I'm stumped. Any assistance would be appreciated.

    Thanks in advance.
     
  51. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, the tunnel firewall should be wide open if you chose Automatic. I take it you have the NAT checkbox selected?

    Can you tell what source address is associated with the packet from the client to the server (or the destination on the return packet)?
     
  52. jwbrown77

    jwbrown77 Networkin' Nut Member

    Yes, "Create NAT on tunnel" is checked.

    Odd, I thought I was seeing DNS traffic go out over the tun adapter straight from the router, but now I am unable to recreate it.

    Here is an example of SSH traffic to said IP address (WORKS):

    root@ROUTER:/tmp/home/root# tcpdump -n -i tun11 dst 192.168.254.252
    tcpdump: WARNING: can't create rx ring on packet socket 3: 99-Protocol not available
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun11, link-type RAW (Raw IP), capture size 68 bytes
    21:00:58.729174 IP 10.5.10.113.16620 > 192.168.254.252.22: Flags , seq 868579909, win 5840, options [mss 1460,sackOK,TS val 7951171 ecr 0,nop,wscale 2], length 0
    21:00:58.743383 IP 10.5.10.113.16620 > 192.168.254.252.22: Flags [.], ack 919516866, win 1460, options [nop,nop,TS val 7951172 ecr 757483818], length 0
    21:00:58.745182 IP 10.5.10.113.16620 > 192.168.254.252.22: Flags [P.], ack 1, win 1460, options [nop,nop,TS val 7951172 ecr 757483818], length 23
    21:00:58.784845 IP 10.5.10.113.16620 > 192.168.254.252.22: Flags [.], ack 41, win 1460, options [nop,nop,TS val 7951176 ecr 757483859], length 0
    etc...

    ******

    I get no traffic to that IP or to port 53 on the tun adapter when I'm trying the following:

    nslookup hostname.xxx.com 192.168.254.252

    Here's the tcpdump I'm running:

    root@ROUTER:/tmp/home/root# tcpdump -n -i tun11 dst 192.168.254.252

    I can see DNS requests go to Google's DNS over WAN if I try the same command with a valid hostname, IP 8.8.8.8, and using the WAN interface instead of the VPN interface.

    *******

    Doesn't even seem to be sending the DNS request out over the tun adapter. So odd though because ping/ssh works.

    Thanks again for the help.
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member


    One thing to note is that the nslookup in stock Tomato (I'm not sure about TomatoUSB) doesn't use the second parameter (the DNS server) and always uses the configured DNS server. Do you have the router configured to use the DNS server over the tunnel?

    Does the VPN server push a DNS server to the clients? If so, you can use the "Accept DNS configuration" options to automatically setup DNS using the directives from the server.
     
  54. jwbrown77

    jwbrown77 Networkin' Nut Member

    Really? I noticed that the nslookup isn't BIND's version (guess it's Busybox's?). But the parameters indicated the second argument is the DNS server to query.

    Yes the VPN server pushes the DNS option. What DNS server setting would you recommend I use in the Client configuration? I couldn't find any documentation that indicated how each option behaves. The ones I tried didn't seem to work.

    Ultimately I was actually hoping to add a custom dnsmasq entry to query all xxx.com entries from my corporate server and everything else through Google's DNS, but although I found the right config for dnsmasq, it wasn't able to query the corporate server at all.

    I'm at work at the moment, but I can play around with the settings some more tonight.

    Thanks.
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Again, I don't know if it's different in TomatoUSB, but in stock Tomato nslookup seems to ignore the server parameter, despite the usage information.
    Disabled = Ignore pushed DNS directives
    Relaxed = Add it to the top of dnsmasq's DNS server list. With how dnsmasq works, there's no guarantee it will be used unless the other servers don't respond (it tries them all and uses the one that responds the quickest the first time).
    Strict = Add it to the top of dnsmasq's DNS server list and instruct it to use them in that order. It will only fall back to others in the list if the current one fails to return anything.
    Exclusive = Replace dnsmasq's DNS server list with the pushed server(s).

    You seem to know what you're doing and are doing everything right to debug this, so I'm really just grasping at straws. It might be interesting to try the following experiment (I know it's not what you want in the end, just to create a controlled test):
    1. Use an IP instead of a DNS name for the VPN server address
    2. Configure the router to use the desired DNS server (even though it can't talk to it yet)
    3. Connect the VPN
    4. Attempt DNS resolution
    5. Capture packets and inspect src/dest addresses for query and response
     
  56. jwbrown77

    jwbrown77 Networkin' Nut Member

    Ok, thanks for the info on the DNS options (sounds like "Strict" is what I want, but "Exclusive" might help me debug) and the tips at the end. I will try anything at this point.

    If the nslookup utility is ignoring the server parameter, then my guess is that my attempts to query the internal corporate hostnames are just going out over the WAN and using Google's DNS server, which will obviously not work.

    I'll take a look at the ipkg package list and maybe I can find nslookup or dig from BIND? Who knows.

    Thanks again.
     
  57. jwbrown77

    jwbrown77 Networkin' Nut Member

    Follow up: I was able to telnet into my home router from work and I found the bind package on ipkg and installed it. BIND's nslookup does work with my corporate DNS server.

    I also searched Google for Busybox's nslookup and you're right, I guess it's a known issue that the server parameter doesn't work. No wonder I was banging my head on it.

    I'm going to try the different DNS options again tonight and I will let you know. Thanks for the assistance.
     
  58. WRobertE

    WRobertE Addicted to LI Member

    Interaction between VPN Keepalive directive and UDP Conntrack Timeout

    First, SgtPepperKSU's VPN add-on for Tomato makes it a breeze to implement a VPN network. A truly fantastic piece of work.

    I'm running Victek's Tomato RAF 1.28.8525 ND + VPN firmware.

    I have 2 WRT54G-TM routers with one set up as the VPN server and the other set up as the VPN client. I basically wanted to link 2 remote LANs together to enable bi-directional file sharing. Screen prints showing my setup are attached.

    Periodically in the client's router log, I would see entries like this:

    user.warn kernel: DROP IN=vlan1 ... SRC=<VPN_SERVER_IP> DST=<VPN_CLIENT_IP> ... PROTO=UDP SPT=1194 DPT=1025 LEN=61

    I've come to the conclusion that these log messages occur due to an interaction between the settings on the VPN keepalive directive and the settings for the UDP conntrack timeout.

    Basically, it seems that if the first parameter of the keepalive directive is greater than the UDP conntrack timeout, the connection tracking on the client side for the UDP VPN session expires before the next ping is received from the VPN server. In this case, VPN pings from the server are rejected (hence the user.warn kernel DROPs in the log) until the next ping is generated from the client, which then re-establishes the UDP conntrack.

    The Tomato default is 10 seconds for the UDP timeouts but the default for the VPN keepalive is 15 60. So, periodically port 1194 UDP messages from the server will be rejected.

    When I updated the UDP timeouts to 20 seconds, the rejected port 1194 UDP messages from the VPN server no longer occur.

    I'm wondering if anyone else has observed this same behavior?

    Thanks in advance.
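    Added example (not from the thread or from the firmware): a small C model of the keepalive/conntrack timing described in the post above. It assumes a single UDP conntrack timeout as the post does, that both peers ping every "keepalive" interval, and that the server's pings are shifted from the client's by a fixed offset; the function names are made up for the illustration.

```c
#include <stdio.h>

/* Model of the interaction described above. Both peers send a keepalive
 * ping every `ping` seconds (the first argument of "keepalive"). Every
 * packet the client sends creates or refreshes its conntrack entry for
 * the UDP flow; a packet from the server is only let in (and only
 * refreshes the entry) while that entry has been idle for at most
 * `udp_timeout` seconds, otherwise the firewall drops it. The server's
 * pings arrive `offset` seconds after the client's (0 <= offset < ping).
 * Returns the number of server pings dropped within `duration` seconds,
 * or -1 for nonsensical arguments. */
int dropped_server_pings(int ping, int udp_timeout, int offset, int duration)
{
    int dropped = 0;
    int last_seen = -1;              /* -1: no conntrack entry yet */
    int next_client = 0;             /* client pings at 0, ping, 2*ping, ... */
    int next_server = offset;        /* server pings at offset, offset+ping, ... */

    if (ping <= 0 || udp_timeout < 0 || offset < 0 || offset >= ping)
        return -1;

    while (next_client < duration || next_server < duration) {
        if (next_client <= next_server) {
            last_seen = next_client;                 /* outbound: entry (re)created */
            next_client += ping;
        } else {
            if (last_seen < 0 || next_server - last_seen > udp_timeout)
                dropped++;                           /* entry expired: kernel DROP */
            else
                last_seen = next_server;             /* inbound matched: refreshed */
            next_server += ping;
        }
    }
    return dropped;
}

/* The condition the post arrives at: a server ping is only guaranteed to
 * find a live entry if the ping interval does not exceed the UDP timeout. */
int keepalive_fits_timeout(int ping, int udp_timeout)
{
    return ping <= udp_timeout;
}

int main(void)
{
    /* The three configurations discussed in the thread, server pings offset 12 s */
    struct { int ping, timeout; const char *label; } cases[] = {
        { 15, 10, "keepalive 15 60, UDP timeout 10 (defaults)" },
        { 15, 20, "keepalive 15 60, UDP timeout 20" },
        {  5, 10, "keepalive 5 60,  UDP timeout 10" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-42s %2d server pings dropped in 300 s, fits=%d\n",
               cases[i].label,
               dropped_server_pings(cases[i].ping, cases[i].timeout,
                                    12 % cases[i].ping, 300),
               keepalive_fits_timeout(cases[i].ping, cases[i].timeout));
    return 0;
}
```

    Whether a given server ping lands inside or outside the timeout window depends on the offset, which is why the drops show up only periodically in a real log.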
     


  59. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting. I've not seen this behavior, but I don't usually have drop logging enabled.

    Could you try putting the UDP timeout back to how it was and putting "keepalive 5 60" in your VPN custom config (if I remember correctly, a second keepalive statement will override the first)?

    If we can confirm what you're saying is what's actually happening (it makes sense to me, I didn't realize the default UDP timeout was 10 seconds), I'll change the keepalive to be less than 10 (probably expose it in the GUI, which I'm currently redesigning anyway).
     
  60. WRobertE

    WRobertE Addicted to LI Member

    OK...I've made the changes and restarted the server and client. I'll watch the client log and report back in a bit.

    By the way, I also sent you a private message about something else.
     
  61. WRobertE

    WRobertE Addicted to LI Member

    Followup: Interaction between VPN Keepalive directive and UDP Conntrack Timeout

    OK... it's been about an hour since I made the keepalive and UDP timeout changes and I haven't seen the user.warn kernel: DROP IN=vlan1 ... SRC=<VPN_SERVER_IP> DST=<VPN_CLIENT_IP> ... PROTO=UDP SPT=1194 DPT=1025 type of log messages mentioned previously.

    A couple of other things led me to my prior conclusion about the keepalive / UDP timeout interaction.

    First, in a prior effort to eliminate the DROP log messages, I switched from UDP to TCP and noticed the DROP ... SPT=1194 messages disappeared. Conntrack defaults for TCP are greater than for UDP so it makes sense that the issue would go away under TCP.

    Second, I also noticed that I could attempt to map a network drive from the server side's LAN to a PC on the client side LAN and the operation would fail, and then I could try it again shortly afterward and it would succeed. Drive mappings initiated from a PC on the client LAN to a PC on the server LAN would always succeed.

    I came to the conclusion that this might also be a byproduct of the timing nature of the keepalive / UDP conntrack interaction. For example, sometimes the client would know about the server if the UDP conntrack was still active and other times it wouldn't if the previous UDP conntrack had already expired. So, network mapping attempts would therefore be intermittently successful, which is what I experienced.

    That's the theory anyways.
     
  62. jwbrown77

    jwbrown77 Networkin' Nut Member

    I tried your steps on the bottom and no change. I did find something though: It's *only* my corporate domain that won't resolve, any attempts to resolve hosts on that domain fail immediately. Regular hosts (e.g. www.google.com) do resolve with my corporate DNS server configured as the only DNS server in the Basic settings.

    I've included some tcpdumps below. I noticed that outgoing requests for my corporate domain look different than regular hostnames. I don't understand why that is.

    ******

    Tomato USB Router

    tcpdump -vv -n -i tun11 dst 192.188.254.252 or src 192.168.254.252 or dst port 53
    tcpdump: WARNING: can't create rx ring on packet socket 3: 99-Protocol not available
    tcpdump: listening on tun11, link-type RAW (Raw IP), capture size 68 bytes
    18:26:44.104439 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 73)
    10.5.10.113.38232 > 192.168.254.252.53: 64837+[|domain]
    18:26:44.121370 IP (tos 0x0, ttl 64, id 63024, offset 0, flags [none], proto UDP (17), length 89)
    192.168.254.252.53 > 10.5.10.113.38232: 64837* q:[|domain]
    18:26:44.129093 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 73)
    10.5.10.113.36045 > 192.168.254.252.53: 64526+[|domain]
    18:26:44.143403 IP (tos 0x0, ttl 64, id 16726, offset 0, flags [none], proto UDP (17), length 89)
    192.168.254.252.53 > 10.5.10.113.36045: 64526 q:[|domain]

    ******

    Corporate DNS Server (Return information *does* have full domain name in tcpdump)

    tcpdump -vv -n -i tun0 src 10.5.10.113 or dst 10.5.10.113
    tcpdump: listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
    18:26:44.785875 IP (tos 0x0, ttl 64, id 63024, offset 0, flags [none], proto UDP (17), length 89) 192.168.254.252.53 > 10.5.10.113.38232: [udp sum ok] 64837* q: A? hostname.xxx.com. 1/0/0 hostname.xxx.com. A 192.168.254.251 (61)
    18:26:44.808084 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 73) 10.5.10.113.36045 > 192.168.254.252.53: [udp sum ok] 64526+ A? hostname.xxx.com. (45)
    18:26:44.808263 IP (tos 0x0, ttl 64, id 16726, offset 0, flags [none], proto UDP (17), length 89) 192.168.254.252.53 > 10.5.10.113.36045: [udp sum ok] 64526 q: A? hostname.xxx.com. 1/0/0 hostname.xxx.com. A 192.168.254.251 (61)

    ******

    Working Query With Normal Domain

    18:22:55.359901 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 61)
    10.5.10.113.59338 > 192.168.254.252.53: [udp sum ok] 39599+ A? mail.google.com. (33)
    18:22:55.396242 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 61)
    10.5.10.113.53429 > 192.168.254.252.53: [udp sum ok] 38495+ AAAA? mail.google.com. (33)

    (Notice how for this query it looks like "A? mail.google.com" instead of "[|domain]"?)

    ******

    I have to be missing something if it's working since:

    1. Queries with BIND's nslookup directly from the router using the corporate server works correctly for all domain names.

    2. Internal clients can use the corp. dns server directly successfully for all domain names.

    3. All domains but the corp domain work using corp dns server and hardcoded dnsmasq server entry.

    I don't get what I'm missing though since I'm not trying anything special with the config. :(
     
  63. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm sorry, but I'm also out of ideas. It may just be that your DNS server creates a response that busybox's nslookup does not handle correctly.

    For clarification, when you say "internal clients" do you mean devices directly on the corporate intranet or devices on your router's LAN? Does DNS resolution work for devices on your router's LAN?
     
  64. jwbrown77

    jwbrown77 Networkin' Nut Member

    It works for devices on my router's LAN.

    I have a Windows 7 client on my router's LAN that uses my Tomato USB router as its default DNS server (handed out by the router's DHCP server): 192.168.8.1

    If I query DNS entries through the default (Tomato), then domain hosts on my corporate domain name cannot be resolved. However, if I switch the DNS server in nslookup directly (server 192.168.254.252), then resolution works fine for all domains, including the corporate domain.

    Really stumped.
     
  65. jwbrown77

    jwbrown77 Networkin' Nut Member

    ARGH! I found the solution!

    According to this page:

    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=77523

    dnsmasq is now employing an option "stop-dns-rebind" that blocks querying upstream DNS servers that reside on reserved private IP address space (like mine).

    I added the following to Advanced->DHCP/DNS:

    rebind-domain-ok=/xxx.com/

    That makes it ignore the "stop-dns-rebind" option for the specified domain name, which fixes the issue.

    Just as an FYI to anyone that might want to do this in the future; I wanted to keep querying public DNS servers for all domains other than my corporate domain. I added another entry to Advanced->DHCP/DNS that allows me to query only my corporate domain with my corporate internal DNS server:

    server=/xxx.com/192.168.254.244

    SgtPepperKSU: Thanks for writing this terrific software and bearing with me. Hopefully this exercise won't be for naught if at least one other person is helped by all of this.

    Thanks again.
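    Added example, not from the thread or from dnsmasq itself: a C model of what the two config lines above do. dnsmasq's stop-dns-rebind rejects upstream answers that point into private address space (the corporate host's 192.168.254.251 answer in the tcpdumps), rebind-domain-ok exempts the listed domains, and server=/domain/ip steers just that domain to the given resolver. The private-range list, the 8.8.8.8 default and all function names are assumptions for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The two dnsmasq lines from the post, as a constructed config table */
struct domain_server { const char *domain; const char *server; };
static const struct domain_server DOMAIN_SERVERS[] = {
    { "xxx.com", "192.168.254.244" },   /* server=/xxx.com/192.168.254.244 */
};
static const char *REBIND_OK[] = { "xxx.com" };    /* rebind-domain-ok=/xxx.com/ */
static const char *DEFAULT_UPSTREAM = "8.8.8.8";   /* public resolver named in the thread (assumed default) */

/* Dotted quad to host-order integer; 0 on malformed input */
static int parse_ipv4(const char *s, unsigned *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Ranges stop-dns-rebind refuses in answers (assumed: RFC 1918, loopback,
 * link-local; real dnsmasq checks a few more) */
int is_private_ipv4(const char *ip)
{
    unsigned v;
    if (!parse_ipv4(ip, &v))
        return 0;
    return (v >> 24) == 10         /* 10.0.0.0/8     */
        || (v >> 20) == 0xAC1      /* 172.16.0.0/12  */
        || (v >> 16) == 0xC0A8     /* 192.168.0.0/16 */
        || (v >> 24) == 127        /* 127.0.0.0/8    */
        || (v >> 16) == 0xA9FE;    /* 169.254.0.0/16 */
}

/* 1 if name is domain itself or a subdomain of it (case-insensitive,
 * trailing dot ignored); "evilxxx.com" does not match "xxx.com" */
static int in_domain(const char *name, const char *domain)
{
    size_t nl = strlen(name), dl = strlen(domain);
    if (nl && name[nl - 1] == '.')
        nl--;
    if (dl == 0 || dl > nl)
        return 0;
    for (size_t i = 0; i < dl; i++)
        if (tolower((unsigned char)name[nl - dl + i]) != tolower((unsigned char)domain[i]))
            return 0;
    return dl == nl || name[nl - dl - 1] == '.';
}

/* Upstream chosen for a query: the longest matching server=/domain/ entry,
 * otherwise the default resolver */
const char *upstream_for(const char *name)
{
    const char *best = DEFAULT_UPSTREAM;
    size_t best_len = 0;
    for (size_t i = 0; i < sizeof DOMAIN_SERVERS / sizeof DOMAIN_SERVERS[0]; i++) {
        size_t dl = strlen(DOMAIN_SERVERS[i].domain);
        if (in_domain(name, DOMAIN_SERVERS[i].domain) && dl > best_len) {
            best = DOMAIN_SERVERS[i].server;
            best_len = dl;
        }
    }
    return best;
}

/* With stop-dns-rebind on, is an answer of `ip` for `name` handed to the
 * client? Private answers are dropped unless `name` falls under one of the
 * `nok` rebind-domain-ok entries in `ok`. The check exists so that a
 * browser on the LAN cannot be pointed at internal hosts by outside DNS. */
int answer_allowed(const char *name, const char *ip, const char **ok, size_t nok)
{
    if (!is_private_ipv4(ip))
        return 1;
    for (size_t i = 0; i < nok; i++)
        if (in_domain(name, ok[i]))
            return 1;
    return 0;
}

int main(void)
{
    const char *name = "hostname.xxx.com", *ip = "192.168.254.251";
    printf("%s -> upstream %s\n", name, upstream_for(name));
    printf("answer %s without rebind-domain-ok: %s\n", ip,
           answer_allowed(name, ip, NULL, 0) ? "passed" : "dropped");
    printf("answer %s with rebind-domain-ok=/xxx.com/: %s\n", ip,
           answer_allowed(name, ip, REBIND_OK, 1) ? "passed" : "dropped");
    return 0;
}
```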
     
  66. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, thank you for posting the solution. If nothing else, we both learned something new about dnsmasq. :smile:
     
  67. bashy

    bashy Network Guru Member

    So I've managed to set up my WRT54GS v4 and Tomato with Witopia's VPN service and it's working smoothly. Only thing I noticed was the fact that when I use the OpenVPN software client on my Windows laptop along with the connection to my ISP, I get much higher speeds to the same speedtest server compared to using OpenVPN on my Linksys router and testing on the same speedtest server (software VPN client on the laptop obviously disabled).

    My guess is that the laptop is able to process the VPN faster as it's a much more powerful unit than the Linksys router!!!!!

    If so, how much of a difference would it make if I upgrade to new, more powerful routers?
     
  68. tcsoft

    tcsoft Addicted to LI Member

    Will this build ever be updated to 1.28?
    Where can I find the source for the 1.27vpn3.6 release? I want to rebuild an image with HAVE_SCRIPT enabled in DNSMASQ to use the "dhcp-script" configuration option! This would be very useful for WOL, i.e. waking up a server when a client joins the network!!
    thanks
     
  69. SgtPepperKSU

    SgtPepperKSU Network Guru Member

  70. tcsoft

    tcsoft Addicted to LI Member

  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

  72. dougisfunny

    dougisfunny LI Guru Member

    I don't know if anyone else has noticed this, but if you configure vpn clients such that the
    vpn_server1_ccd_val is more than 188 characters, it causes a failure. If you save it with the config being longer than 'allowed' while the VPN is off, and try to start the VPN, it fails. If you save it while the VPN is started, it seems to just crash the router.
    Examples:
    Works:
    1<site1router<192.168.11.0<255.255.255.0<1>1<site2router<192.168.12.0<255.255.255.0<1>1<site3<10.11.2.0<255.255.255.0<1>1<s4<192.168.51.0<255.255.255.0<1>1<s<192.168.16.0<255.255.255.0<1>
    Breaks:
    1<site1router<192.168.11.0<255.255.255.0<1>1<site2router<192.168.12.0<255.255.255.0<1>1<site3<10.11.2.0<255.255.255.0<1>1<s4<192.168.51.0<255.255.255.0<1>1<s5<192.168.16.0<255.255.255.0<1>

    I notice that 96 is the size of the buffer that value gets read into. 192 being 2*96, figure a control character or two for line termination and you're right about 188 as a limit.
     
  73. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, the size of the buffer is 128, but that is still too small considering there is no max on the length of this variable (aside from running out of NVRAM space). Once you go over that, it'll start overwriting other variables. Many wouldn't be a problem, as they aren't set until after that point, but 191 must be where you start to overwrite something important. I'll work out a way to do it without reading the whole variable into a buffer at all (not use the dreadful strtok, which I should have avoided anyway).

    Thanks for reporting this.
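    Added illustration of the bug discussed in the two posts above; this is not the firmware's code. It shows the fixed-buffer-plus-strtok pattern beside a parser that walks the NVRAM string in place, using the record format from dougisfunny's examples (fields separated by '<', records closed by '>'); the 128-byte size comes from SgtPepperKSU's reply, and the struct and function names are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One record of the vpn_server1_ccd_val format shown in the thread:
 * enabled '<' common name '<' subnet '<' netmask '<' push, closed by '>' */
#define FIELD_MAX 64
struct ccd_rec {
    int  enabled;
    char cn[FIELD_MAX];
    char subnet[FIELD_MAX];
    char netmask[FIELD_MAX];
    int  push;
};

/* Constructed sample: the "Breaks" value from the report, 188 characters */
static const char SAMPLE_CCD[] =
    "1<site1router<192.168.11.0<255.255.255.0<1>"
    "1<site2router<192.168.12.0<255.255.255.0<1>"
    "1<site3<10.11.2.0<255.255.255.0<1>"
    "1<s4<192.168.51.0<255.255.255.0<1>"
    "1<s5<192.168.16.0<255.255.255.0<1>";

/* The fragile pattern: copy the whole NVRAM value into a 128-byte stack
 * buffer and tokenise it with strtok. Nothing bounds the value except
 * NVRAM itself, so a long value overruns the buffer and clobbers whatever
 * sits next to it. This demo adds the missing length check and returns -1
 * where the unchecked copy would have corrupted memory. */
int ccd_count_fixed_buffer(const char *val)
{
    char buf[128];
    int n = 0;
    if (strlen(val) >= sizeof buf)
        return -1;                       /* would overflow: refuse instead */
    strcpy(buf, val);
    for (char *rec = strtok(buf, ">"); rec; rec = strtok(NULL, ">"))
        n++;
    return n;
}

/* Copy one field (at most outsz-1 bytes; longer fields are truncated, never
 * overflowed) and return a pointer just past its delimiter. A field also
 * ends at the record terminator '>' or at the end of the string. */
static const char *take_field(const char *p, char delim, char *out, size_t outsz)
{
    size_t n = 0;
    while (*p && *p != delim && *p != '>') {
        if (n + 1 < outsz)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return (*p == delim) ? p + 1 : p;
}

/* Walk the value in place instead of copying it, so its length no longer
 * matters. Returns the record count, or -1 if a record lacks a common name
 * or subnet. If `out` is non-NULL and record index `want` exists, it is
 * copied to *out. */
int ccd_parse(const char *val, int want, struct ccd_rec *out)
{
    const char *p = val;
    int count = 0;
    while (*p) {
        struct ccd_rec r;
        char num[FIELD_MAX];
        p = take_field(p, '<', num, sizeof num);       r.enabled = atoi(num);
        p = take_field(p, '<', r.cn, sizeof r.cn);
        p = take_field(p, '<', r.subnet, sizeof r.subnet);
        p = take_field(p, '<', r.netmask, sizeof r.netmask);
        p = take_field(p, '>', num, sizeof num);       r.push = atoi(num);
        if (r.cn[0] == '\0' || r.subnet[0] == '\0')
            return -1;
        if (out && count == want)
            *out = r;
        count++;
    }
    return count;
}

/* 1 if record `idx` exists and carries the given common name and subnet */
int ccd_record_is(const char *val, int idx, const char *cn, const char *subnet)
{
    struct ccd_rec r;
    if (idx < 0 || ccd_parse(val, idx, &r) <= idx)
        return 0;
    return strcmp(r.cn, cn) == 0 && strcmp(r.subnet, subnet) == 0;
}

int main(void)
{
    struct ccd_rec r;
    int n = ccd_parse(SAMPLE_CCD, -1, NULL);
    printf("fixed buffer : %d (−1 = value too long for 128 bytes)\n",
           ccd_count_fixed_buffer(SAMPLE_CCD));
    printf("in-place walk: %d records\n", n);
    for (int i = 0; i < n; i++) {
        ccd_parse(SAMPLE_CCD, i, &r);
        printf("  enabled=%d %s %s/%s push=%d\n",
               r.enabled, r.cn, r.subnet, r.netmask, r.push);
    }
    return 0;
}
```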
     
  74. dougisfunny

    dougisfunny LI Guru Member

  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    My thought on this has always been that the number of people that would be confused by the existence of such a field would far outweigh the number of people who would make use of it. And, those people that would use it are, by and large, going to be knowledgeable enough to create the file in the init script and add the crl-verify line to the custom config.

    However, the next version will have a reorganized GUI, so maybe it could fit in better without confusion then. If I don't include it in the next version, and you still think it should be there, ask again; my opinion on it may have changed. :smile:
     
  76. avataruy

    avataruy Guest

    Hi! I have an ASUS RT-N10 with Tomato 1.28.

    I've configured it as an OpenVPN Client.

    I wish to forward all LAN traffic through the vpn.

    The thing is I can create the tunnel and traffic from the router goes through the VPN, BUT I can't ping or surf the web from any computer connected to the LAN.

    If I set the firewall to Automatic on the Tomato GUI, I can ping everything from a LAN computer.

    But if I try to open a webpage, the tunnel goes down.

    What could be happening?
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'll assume you mean WAN, not LAN.
    Yes, if you don't let the GUI open up your firewall and don't do it yourself, you'll be firewalled. :wink:
    Does anything show up in the router logs when this happens?
     
  78. tcsoft

    tcsoft Addicted to LI Member

    Worked fine. But I failed at integrating lzo+openvpn into the source, so I'm stuck. Thanks anyway!
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm not quite sure I follow...

    If you pull the tomatovpn or tomatovpn-ND branches using git, you'll have the full source, including openvpn and lzo.
     
  80. tcsoft

    tcsoft Addicted to LI Member

    Hm, maybe I've done something wrong in the checkout. I'll check it and report back ;)

    edit:
    thanks! got it ;)
     
  81. tmpid

    tmpid Networkin' Nut Member

    If I try to use the ping and/or ping-restart options in the Custom Configuration, the server won't start. Does anyone have a clue? Thanks.
     
  82. rs232

    rs232 Network Guru Member

    SgtPepperKSU, I've noticed that your nvram keys are called:

    vpn_client1....
    vpn_client2....
    vpn_server1....
    vpn_server....

    Considering nvram is precious, how about changing it to:

    vc1...
    vc2...
    vs1...
    vs2...

    This way you save at least 8 chars per key defined; currently you use 115 keys, which would make a saving of 920 chars and 1840 bytes!

    my 2 cents
    rs232
     
  83. tmpid

    tmpid Networkin' Nut Member

    I tried to start the openvpn server using the console command line with the --ping option. The server started and ran fine. It just won't start with the ping option in the GUI Custom Configuration. Another thing I noticed was that the server won't start with the shared key method, while it ran fine if started from the console. TLS Authorization Mode works fine with the GUI though.

    I am using teddybear Build 54. NVRAM is clean with 15.5KB left. Did anyone experience the same issue, or would anyone mind giving it a try? Thanks.
     
  84. Stach

    Stach Network Guru Member

    Connect with iPhone to OpenVPN

    I've been a Tomato user for several years and switched to TomatoVPN about 9 months ago and it has been running flawlessly. I can connect via OpenVPN from my Windows laptop and access anything remotely. I would like to be able to do the same from my Jailbroken iPhone (iOS 4.2.1) and I have tried setting up the SBSettings OpenVPN toggle manually (using the same files that work on my Windows laptop), but it doesn't work (I have tried renaming my ovpn file to both client.ovpn and conf.ovpn).
    Has anyone had success connecting with an iPhone to your TomatoVPN? If so, any tips on what OpenVPN features are supported? Below is my conf.ovpn file; let me know if you see anything that needs to be changed. I have also been thinking about trying GuizmoVPN on the iPhone, but it doesn't sound like it wants all 4 of my key files. Has anybody had success with GuizmoVPN? Thanks in advance for your replies and help! -Stach

    # OpenVPN(v2.0) configuration script

    tls-client
    dev tun
    proto udp
    dev-node openvpn
    remote <Ip.Address> 1195
    keepalive 15 120
    verb 3
    ca ca.crt
    cert Stach-iPhone.crt
    key Stach-iPhone.key
    tls-auth ta.key 1
    ns-cert-type server
    cipher AES-256-CBC
    pull
    nobind
    explicit-exit-notify 3
    log tun.log
     
  85. nonono

    nonono Networkin' Nut Member

    http-proxy authentication

    Apologies if this has already been answered, but I've been looking for 20 min....

    I want to use this Tomato GUI VPN as a client from inside my work network. When I set up openvpn on a WinXP machine, I am able to go through the web proxy with the command

    http-proxy 10.0.0.1 80 proxy.txt basic

    and then have my web proxy user name and password in the text file proxy.txt

    How do I do this here? Could I include the same line in the custom configuration and somehow have the proxy.txt file created each time I reboot the tomato router? Or is there a better way?
     
  86. nonono

    nonono Networkin' Nut Member

    http-proxy authentication

    I am trying to set up my Asus 520gu to serve as an OpenVPN client from within my company's network. All connections out have to go through the company's http proxy server.

    I have been successful using a WinXP machine as the client, by using the line:

    http-proxy 10.0.0.1 80 c:\\@data\\Security\\openvpn\\proxy.txt basic

    Is something like this possible within Tomato's GUI VPN? Should I create a start-up script that creates the file proxy.txt each time the unit boots? Is there a more elegant solution for authenticating (user/pass) through an http proxy?

    Thanks!
     
  87. Cefur

    Cefur Networkin' Nut Member

    Not receiving IP

    I have the following problem. I have set up a client on my router (TomatoUSB 1.28 latest). Everything seems to start OK, but I do not get an IP. Here is the troublesome part.
    This is from the log.
    Code:
    SENT CONTROL [xx.yy.zz]: 'PUSH_REQUEST' (status=1)
    PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway dhcp'
    OPTIONS IMPORT: route options modified
    OPTIONS IMPORT: route-related options modified
    TUN/TAP device tap12 opened
    This is the return of ifconfig (after the client is started):
    Code:
    tap12      Link encap:Ethernet  HWaddr 00:AA:BB:CC:DD:EE
               UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    So as I see it, I do not get my inet addr ...
    I am assuming that I am missing a setting on my client to make it work.

    Any ideas would be helpful and much appreciated. Thanks.
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Using TAP in bridged mode, you'll just be using your existing IP address (you won't have a separate one on tap12 since it's bridged with your router's LAN interface).
     
  89. Cefur

    Cefur Networkin' Nut Member

    So this is why it works if I have the client on a PC but not on the router.
    Since obviously I am no expert, do you have any suggestions (server or client wise) to make it work on the router?

    Btw. my other client, which connects to some other "non-dhcp" openvpn server (in PUSH_REPLY I get "dhcp-option DNS xx,route-gateway yy,ifconfig blabla") works just fine with the same client settings.
     
  90. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are your server router and client router on the same subnet (but different addresses)? If not, then you have to either use TUN or don't select "Server is on the same subnet" on the client.
     
  91. Cefur

    Cefur Networkin' Nut Member

    To answer your questions:
    - no they are not on the same subnet
    - I have already unchecked "Server is on the same subnet"

    But I have made a little progress. I used dhcpcd to acquire IP etc. from my "dhcp" openvpn server. This works just fine with one problem. There are many default routes added (and also one 128.0.0.0). So when I delete them everything works as it should (or at least seems to, this is where I stopped last night). I am guessing that I will have to uncheck "Create NAT ..." and write a script to get all the needed information to create needed routes. Or is there any other solution?

    Second question I have is ... I noticed that you do not support "auth-user-pass". Any special reason for that?
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The "DHCP" feature of OpenVPN is relatively new and I've found it to be quite flaky (it's been the source of many people's problems). Try not using that.
    If you don't need server->client communication (all you need is for the client to be able to initiate connections), then using the NAT option should be fine.
    Time. I have plans to add it. When I developed the VPN GUI, I had the use case of remote site access in mind, not connecting to a commercial VPN provider for internet access.
     
  93. toolbox

    toolbox Addicted to LI Member

    I thought I had the setup running perfectly but noticed I am no longer able to access my PCs on my network remotely. I am very sure it used to work, but I have forgotten whether I have made changes to OpenVPN or not; the only thing I know now is that my remote client's internet traffic is still being routed through the router before going out. What is the procedure to determine why I can't access my machines remotely?
    Thanks.
     
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The routing tables from the server and the client should give a good idea.
     
  95. toolbox

    toolbox Addicted to LI Member

    Maybe a stupid question. Do I need to forward the port I use for OpenVPN to the router?
     
  96. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You don't need to do any port forwarding on the TomatoVPN router itself. If there is another router in front of it, it will need to have the port forwarded to the TomatoVPN router.
     
  97. toolbox

    toolbox Addicted to LI Member

    I have no clue what I am supposed to look at. The output of my router (server?)'s route -n is (I changed my IP address to xx.xx.xxx):
    Code:
    route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun21
    xx.xxx.xxx.1    0.0.0.0         255.255.255.255 UH    0      0        0 vlan1
    10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.16.0    192.168.1.22    255.255.255.0   UG    0      0        0 br0
    xx.xxx.xxx.0    0.0.0.0         255.255.252.0   U     0      0        0 vlan1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         xx.xxx.xxx.1    0.0.0.0         UG    0      0        0 vlan1
    
    Output of my laptop's netstat -ns:
    Code:
    Interface List
     17...xx xx xx xx xx xx ......TAP-Win32 Adapter V9
     15...xx xx xx xx xx xx .....Bluetooth Device (Personal Area Network)
     11...xx xx xx xx xx xx ......Atheros AR5B93 Wireless Network Adapter
     10...xx xx xx xx xx xx ......Atheros AR8132 PCI-E Fast Ethernet Controller (NDIS 6.20)
      1...........................Software Loopback Interface 1
     16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
     19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.195     25
              0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     30
             10.0.0.0    255.255.255.0         On-link        10.0.0.195    281
           10.0.0.195  255.255.255.255         On-link        10.0.0.195    281
           10.0.0.255  255.255.255.255         On-link        10.0.0.195    281
             10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     30
             10.8.0.4  255.255.255.252         On-link          10.8.0.6    286
             10.8.0.6  255.255.255.255         On-link          10.8.0.6    286
             10.8.0.7  255.255.255.255         On-link          10.8.0.6    286
        xx.xxx.xxx.67  255.255.255.255         10.0.0.1       10.0.0.195     25
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     30
          192.168.1.0    255.255.255.0         10.8.0.5         10.8.0.6     30
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link          10.8.0.6    286
            224.0.0.0        240.0.0.0         On-link        10.0.0.195    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link          10.8.0.6    286
      255.255.255.255  255.255.255.255         On-link        10.0.0.195    281
    
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    One thing I've noticed when helping other people is that Windows seems to get confused when there is more than one 10.x.x.x network, even if the subnets don't overlap. Try changing your VPN subnet to 172.22.123.0/255.255.255.0
     
  99. toolbox

    toolbox Addicted to LI Member

    Thanks. That did it.
     
  100. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've given that advice several times, but can't remember getting any direct confirmation that it fixed it. I've gotten "I changed X, Y, and Z, and it started working" (with X being my 10.x.x.x advice), and I've had people just not show back up after I gave that advice (which I assumed meant it was fixed). Good to know for sure that it's been good advice...

    So, thanks for reporting back. :smile:
     