Routing not right on client.... I have two wrt54's running 1.27vpn3.6. One wrt is set up as a 'server', the other as a 'client'. I've got it to a point where the tunnel comes up and I can ping the 'tun' IPs. However, PCs on the client side can't ping any device on the server side. If I add a route manually to the client wrt everything works!

The Server side is 172.16.1.0/24
The Client side is 172.16.0.0/24

Server config.ovpn
Code:
# Automatically generated configuration
daemon
ifconfig 10.0.1.1 10.0.1.2
proto tcp-server
port 1194
dev tun21
comp-lzo adaptive
keepalive 15 60
verb 3
secret static.key
status-version 2
status status

Client config.ovpn
Code:
# more config.ovpn
# Automatically generated configuration
daemon
dev tun11
proto tcp-client
remote xxxxyyyy.homelinux.net 1194
ifconfig 10.0.1.2 10.0.1.1
resolv-retry 30
nobind
persist-key
persist-tun
comp-lzo adaptive
verb 3
secret static.key
status-version 2
status status
# Custom Configuration

Here's the (working) routing table on the client wrt with the manually added route (public IPs changed)
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun11
192.168.2.0     172.16.0.114    255.255.255.0   UG    2      0        0 br0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 tun11
1.2.3.0         0.0.0.0         255.255.252.0   U     0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.4         0.0.0.0         UG    0      0        0 vlan1
#

Here's the client routing table in its 'not working' state.
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun11
192.168.2.0     172.16.0.114    255.255.255.0   UG    2      0        0 br0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
1.2.3.0         0.0.0.0         255.255.252.0   U     0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.4         0.0.0.0         UG    0      0        0 vlan1
#

I have 'Create NAT on tunnel' enabled.
Any thoughts why the 172.16.1.0/24 route isn't being added to the client wrt routing table when the VPN comes up?
This is why your GUI had a "Routes must be configured manually" comment show up with your configuration. Using static key mode, the client has no way of knowing what the server subnet looks like. If you had used TLS, the server would have pushed that information to the client.
Ahh, I didn't realise it related to the type of VPN. When I first hit this issue I added the following to 'WAN up' on the client side:
route add -net 172.16.1.0 netmask 255.255.255.0 dev tun11
This worked for a while, but after the VPN had been up for a good four hours the route which had been added at boot by the 'WAN up' was removed. I'm guessing that the tunnel had dropped due to inactivity, at which point the routing entry was removed. Any thoughts/comments re the disappearing route?
Anyone else with the 'routing' problem: here's a simple fix. Don't use the 'WAN up' script, as the routing entry will be dropped if the VPN tunnel goes down. Instead, add a route entry for the remote network in 'VPN Tunneling' > 'Server/Client' > 'Advanced'. You'll need to add this on both the server and client routers. So in my case the Server end had
Code:
route 172.16.0.0 255.255.255.0
and the Client end had
Code:
route 172.16.1.0 255.255.255.0
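A check for the situation described in the static-key posts above (no route is pushed, so the remote LAN is only reachable if a `route` directive adds it, and a script-added route vanishes when the tunnel flaps). This is an added example, not code from the thread; the routing tables are copied from the first post (public addresses already replaced there with 1.2.3.x), and the function names are mine. It also flags the case where the route exists but points at the wrong interface.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses `route -n` output and
# reports whether the remote LAN is routed over the tun interface, is
# missing, or is routed via some other interface.

# route_iface TABLE NET MASK: print the interface carrying NET/MASK
# (prints nothing when the kernel has no such route).
route_iface() {
    printf '%s\n' "$1" | awk -v net="$2" -v mask="$3" '
        $1 == net && $3 == mask { print $NF; exit }'
}

# check_remote_lan TABLE NET MASK IFACE -> 0 ok, 1 missing, 2 wrong interface
check_remote_lan() {
    iface=$(route_iface "$1" "$2" "$3")
    case "$iface" in
        "$4") echo "ok: $2/$3 is routed via $4"; return 0 ;;
        "")   echo "MISSING: no route for $2/$3; add 'route $2 $3' to the VPN Advanced config on both routers"; return 1 ;;
        *)    echo "WRONG IFACE: $2/$3 is routed via $iface, not $4"; return 2 ;;
    esac
}

# Constructed copy of the "not working" client table from the post.
NOT_WORKING='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun11
192.168.2.0     172.16.0.114    255.255.255.0   UG    2      0        0 br0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
1.2.3.0         0.0.0.0         255.255.252.0   U     0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.4         0.0.0.0         UG    0      0        0 vlan1'

# The working table is the same plus the manually added tun11 route.
WORKING="$NOT_WORKING
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 tun11"

# On the router itself you would call:
#   check_remote_lan "$(route -n)" 172.16.1.0 255.255.255.0 tun11
demo() {
    check_remote_lan "$WORKING"     172.16.1.0 255.255.255.0 tun11
    check_remote_lan "$NOT_WORKING" 172.16.1.0 255.255.255.0 tun11 || true
}
demo
```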
Short question: in a "Dual-TomatoVPN-Config", should it be possible to ping (and access) the server from the client and vice versa? I've set up such a config and currently it's only working in one direction: Client --> Server. In the opposite direction I can't do anything over the VPN... It's a standard TUN/UDP/TLS setup over the WebIF with no special settings etc... Thx! Greets Goggy
trying to connect 2 networks... Here is the current situation: I have a bunch of networked and shared PCs at the office behind a Tomato router. I have a bunch of PCs at home networked and shared behind a Tomato router. I managed to have the routers VPN each other. I was under the understanding this would allow me to access the office network's shared hard drives from home, but I cannot. And I am stumped. I am sorry, I know I am basically asking for spoon feeding, but any help is appreciated. I took screenshots of both routers. Red is server (Office) and blue is client (home). Thank you again.
Under the settings for the Office router (Server 1 -> Advanced), the subnet you specified doesn't seem correct to me. Shouldn't that be 192.168.0.0 instead of 192.168.0.100? You might also consider changing the encryption cipher from AES-128-CBC to BF-CBC. From what I've read, Blowfish (BF) provides higher performance than AES and is still very secure. I'd be interested to hear what performance difference you find between these two encryption cipher choices. More about it here: http://www.linksysinfo.org/forums/archive/index.php/t-59416-p-38.html
It would also help to have a description of what isn't working. Are you just trying to browse to the computers in "Network Neighborhood"? Resolving host names to ip addresses? Pinging ip addresses from the client LAN? Pinging ip addresses from the client router?
I am thinking about installing the Tomato VPN build on an Asus RT-16N router. This router has USB ports that I would also like to use for an attached HDD to back stuff up with.
1. Any "gotchas" putting Tomato VPN on an Asus? Which version is most stable?
2. Is there any stable Tomato VPN build that supports the USB functionality?
TIA.. Tim
TomatoVPN itself doesn't support the USB functionality, but TomatoUSB does (thus, the name). It provides a large number of different builds, some of which include all of the VPN additions I've made in TomatoVPN. Open source, ftw. See the links below for specifics, but you'll want the "Kernel 2.6 (experimental) for MIPSR2 Routers" -> "VPN" build from the download page.
TomatoUSB download page
TomatoUSB home page
Matrix of which builds have which features.
Explanation of which build type you need.
EDIT: Oh, and as far as I know, the Asus RT-N16 is well supported by TomatoUSB.
Okay, so it's become apparent that time to work on this won't fall into my lap like it used to (my life has changed a lot in the last couple years). However, I am going to consciously start setting aside time to work on this. Over time, there have been several things that I said I'd try to get into the next release. However, enough time has gone by that I'm finding it difficult to track them all down. I've created a TomatoVPN issue tracker at GitHub, and I'd really appreciate it if people started using it to let me know what I need to work on. I've already got a few things in my local code repo, but I know there are others I should tackle before starting regression testing for a release. Thanks!
I got the OpenVPN + USB build 1.28 running on my Asus RT-16N. After a week or so it just stopped connecting to the remote client and did not show anything specific in the logs. A power cycle seemed to get it going again. I probably need to do an NVRAM clear just to wipe out all the poking I did before I got it running; however, I don't want to lose the configuration. If I make a backup of the configuration using the router's menu system, then do an NVRAM clear, can I use the configuration restore function to get back my working configuration? I assume so but just want to check, just in case. Thanks, Tim
If you restore the normal saved config it is exactly the same as not having erased NVRAM. Use this method, it'll save you a lot of time if you need to grab some config details but not import the junk. http://www.linksysinfo.org/forums/showpost.php?p=362345&postcount=221
I am running tomato v1.28.9054 MIPSR2-beta K26 USB vpn3.6 Server on an Asus RT-16N and am seeing really poor performance. For example, when I connect to the client, oftentimes the connection takes 15-20 seconds to establish itself. When I do a Ping /t to the client, it will time out as "unreachable" two or three times exactly every 30 seconds. Trying to connect to the Asus RT-16N over the LAN can take 10 seconds when the VPN is connected. When the VPN server is running but not connected, connection seems fine. CPU load is always showing as 0. I have 2 boxes running the VPN client. One is a WRT54GL with v1.25vpn3.4.4a8380cb and the other is the Asus. Both are inside my LAN and connect to the outside world through Static Routes and Open Ports from my Draytek router. It is not the remote connection, as when I switch to the WRT54GL with 1.25, things are smooth and the client responds to the ping all day long. In the Asus the only fancy thing I am doing is to use the service vpnserver1 start and service vpnserver2 start to start server 1 and 2 when I reboot. I am not using the USB function in this build. Under the advanced VPN server tab I have the following custom configuration:
keepalive 10 60
ping-timer-rem
float
;duplicate-cn
Anyone have any idea what is going on here? It seems this new, fancy, fast, memory-filled router can't hold a candle to the old WRT54GL. Am I using the wrong build? Should I be looking at a 1.27 or a 1.25 build?
This really isn't normal, so you need to begin a process of elimination if you want to find out what is causing this. Erase NVRAM, set up the router with minimal config, and see if speed is restored. Then add one thing at a time, test, etc. until you find the cause. Then after that, you may find something wrong. (Hopefully). Also, 9054 is quite an old build; many odd bugs and updates since then. You *may* find that using a newer build fixes your problem; if it does, then you needn't waste your time looking for the cause.
Thanks, Toastman Would you recommend this one as a newer build? tomato-K26USB-1.28.7483MIPSR2-Toastman-RT-VPN.trx Can I use the Tomato upgrade function to upgrade or should I use the "Asus" upgrade method?
Use the tomato method. Erase NVRAM and reconfigure from scratch. This method should help you: http://www.linksysinfo.org/forums/showpost.php?p=362345&postcount=221
Thanks, Would you suggest the tomato-K26USB-1.28.7483MIPSR2-Toastman-RT-VPN.trx as a more recent and less buggy version?
Hi, Guys, I have a problem: my site-to-site connection is interrupted sometimes. I guess this was caused by (from system log):
Code:
TLS: tls_process: killed expiring key
This log happens every hour. What should I configure to make the connection continuous once the tunnel is up? Thanks and have a good day.
The "killed expiring key" message is normal. TLS uses asymmetric keys to authenticate initially, then uses that to negotiate temporary symmetric keys to actually use from there on (because it's less resource intensive). You can adjust how often they expire, but it's expected to be somewhat short. Are there any other messages that happen when you have problems?
Code:
Sep 29 14:22:42 WL-500GP daemon.notice openvpn[675]: ABCD-EF/123.123.123.123:41902 TLS: tls_process: killed expiring key
Sep 29 14:22:49 WL-500GP daemon.notice openvpn[675]: ABCD-EF/123.123.123.123:41902 TLS: soft reset sec=0 bytes=13140486/0 pkts=34096/0
This soft reset does not happen on another router; the 2 client routers have the same ovpn configurations except the keys. Any ideas? Thx
The expiring key and soft-reset are both expected. Not sure why you aren't seeing it on the other config. There really aren't any other messages? You can always disable the renegotiation with
Code:
reneg-sec 0
Hi, I have spent the better part of the past week googling and trying everything I find for the weird problem I am experiencing with OpenVPN on Tomato v1.28.0407 MIPSR2-Toastman-VLAN-RT K26 USB VPN. Most of the things I have tried have come from this forum here, and I hope it is the right place to post this odd issue: I am using a Cisco/Linksys E4200 as a LAN/WAN router and OpenVPN client to connect to an OpenVPN server at my colocation.

The basic facts:
LAN: 192.168.0.1/24
Datacenter: 10.54.73.0/24
Tun11: inet addr:172.16.18.38 P-t-P:172.16.18.37

I can get it to connect, encryption works fine. From the router I can ping the hosts on the server network, but I am unable to connect to anything (ssh, mstsc, etc), ping, or see the network on the far side from the LAN. My guess is that I have some route issue; however, I have added routes and nothing appropriate seems to help. The VPN Server that I am connecting to has the following configuration:

--Remote VPN Server Config--
local RE.DA.CT.ED #IP Removed for my comfort.
port 5008
proto udp
dev tun
ca ca.crt
cert my.crt
key my.key
dh dh2048.pem
server 172.16.18.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.50.73.0 255.255.255.0"
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
comp-lzo
max-clients 50
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
---END---

My Local Client is configured as such:

--Local VPN Client Basic Page--
Start with WAN [X]
Interface Type [ TUN ]
Protocol [UDP]
Server Address/Port: RE.DA.CT.ED:5008 #changed for my comfort
Firewall [AUTOMATIC]
Authorization Mode [TLS] #works with both TLS and static key
Extra HMAC authorization (tls-auth) [Bi-Directional] # this seems to work best.
Create NAT on tunnel (Routes must be configured manually.) #unchecked, as I want routed, not NAT (I think)
---END---

--Local VPN Client Advanced Page--
client
script-security 2
resolv-retry infinite
nobind
persist-key
persist-tun
ca /path/toca.crt
cert /path/to/office-router.crt
key /path/to/office-router.key
ns-cert-type server
tls-auth /path/to/ta.key 1
verb 5
---END---

--BEGIN /var/log/messages--
Oct 26 15:15:33 gw user.info kernel: tun: Universal TUN/TAP device driver, 1.6
Oct 26 15:15:33 gw user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Oct 26 15:15:33 gw daemon.notice openvpn[2152]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 10 2011
Oct 26 15:15:33 gw daemon.warn openvpn[2152]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 26 15:15:33 gw daemon.notice openvpn[2152]: Control Channel Authentication: using '/path/to/ta.key' as a OpenVPN static key file
Oct 26 15:15:33 gw daemon.notice openvpn[2152]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 26 15:15:33 gw daemon.notice openvpn[2152]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 26 15:15:33 gw daemon.notice openvpn[2152]: LZO compression initialized
Oct 26 15:15:33 gw daemon.notice openvpn[2152]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Oct 26 15:15:33 gw daemon.notice openvpn[2152]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Oct 26 15:15:33 gw daemon.notice openvpn[2159]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Oct 26 15:15:33 gw daemon.notice openvpn[2159]: UDPv4 link local: [undef]
Oct 26 15:15:33 gw daemon.notice openvpn[2159]: UDPv4 link remote: RE.DA.CT.ED:5008
Oct 26 15:15:33 gw daemon.notice openvpn[2159]: TLS: Initial packet from RE.DA.CT.ED:5008, sid=8bf08c1b f3c1b640
Oct 26 15:15:33 gw daemon.notice openvpn[2159]: VERIFY OK: depth=1, /C=SE/ST=NA/L=NA/O=my/CN=CA/emailAddress=me@my.com
Oct 26 15:15:33 gw daemon.notice openvpn[2159]: VERIFY OK: nsCertType=SERVER
Oct 26 15:15:33 gw daemon.notice openvpn[2159]: VERIFY OK: depth=0, /C=SE/ST=NA/O=my/CN=my/emailAddress=me@my.com
Oct 26 15:15:35 gw daemon.notice openvpn[2159]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 26 15:15:35 gw daemon.notice openvpn[2159]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 26 15:15:35 gw daemon.notice openvpn[2159]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 26 15:15:35 gw daemon.notice openvpn[2159]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 26 15:15:35 gw daemon.notice openvpn[2159]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Oct 26 15:15:35 gw daemon.notice openvpn[2159]: [my] Peer Connection Initiated with RE.DA.CT.ED:5008
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: SENT CONTROL [my]: 'PUSH_REQUEST' (status=1)
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: PUSH: Received control message: 'PUSH_REPLY,route 10.50.73.0 255.255.255.0,route 172.16.18.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.18.38 172.16.18.37'
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: OPTIONS IMPORT: route options modified
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: TUN/TAP device tun11 opened
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: TUN/TAP TX queue length set to 100
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: /sbin/ifconfig tun11 172.16.18.38 pointopoint 172.16.18.37 mtu 1500
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: updown.sh tun11 1500 1542 172.16.18.38 172.16.18.37 init
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: /sbin/route add -net 10.50.73.0 netmask 255.255.255.0 gw 172.16.18.37
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: /sbin/route add -net 172.16.18.1 netmask 255.255.255.255 gw 172.16.18.37
Oct 26 15:15:37 gw daemon.notice openvpn[2159]: Initialization Sequence Completed
---END---

--Routing Table--
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.18.1     172.16.18.37    255.255.255.255 UGH   0      0        0 tun11
172.16.18.37    *               255.255.255.255 UH    0      0        0 tun11
206.66.66.1     *               255.255.255.255 UH    0      0        0 vlan2
10.50.73.0      172.16.18.37    255.255.255.0   UG    0      0        0 tun11
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
213.113.64.0    *               255.255.254.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         ua-213-113-64-1 0.0.0.0         UG    0      0        0 vlan2
---END---

What can I do to make this work? Why is "Oct 26 15:15:33 gw daemon.notice openvpn[2159]: UDPv4 link local: [undef]" undefined? Thanks!
I have used this guide to get it to work: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
You either need to select NAT on the client or configure routes on the server for the client (using client-config-dir). The former will give your client LAN access to the server LAN, and the latter will do that plus give your server LAN access to your client LAN.
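A consistency check for the second option above (routes on the server via client-config-dir). This is an added example, not code from the thread or from TomatoVPN: on the server, each client LAN needs both a `route` line in the server config (kernel route into the tun device) and an `iroute` line in that client's ccd file (so OpenVPN knows which connected client owns the LAN); one without the other leaves the tunnel one-way or dead. The subnets reuse the thread's addressing, and the file layout, CN `client-router` and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from TomatoVPN. Cross-checks
# 'route' lines in an OpenVPN server config against 'iroute' lines in the
# client-config-dir files and reports any entry missing its partner.

# Escape the dots in a dotted-quad so grep -E matches it literally.
re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# ccd_mismatches SERVER_CONF CCD_DIR: one line per mismatch, nothing if ok.
ccd_mismatches() {
    conf=$1; ccd=$2
    # every iroute must have a matching kernel 'route' in the server config
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        awk -v cn="${f##*/}" '$1 == "iroute" { print cn, $2, $3 }' "$f"
    done | while read -r cn net mask; do
        grep -Eq "^[[:space:]]*route[[:space:]]+$(re "$net")[[:space:]]+$(re "$mask")([[:space:]]|$)" "$conf" ||
            echo "ccd/$cn: iroute $net $mask has no matching 'route' in $(basename "$conf")"
    done
    # every 'route' should be claimed by some client's iroute (a route to
    # something that is not a client LAN shows up here too; worth a look)
    awk '$1 == "route" { print $2, $3 }' "$conf" | while read -r net mask; do
        grep -Eqs "^[[:space:]]*iroute[[:space:]]+$(re "$net")[[:space:]]+$(re "$mask")([[:space:]]|$)" "$ccd"/* ||
            echo "$(basename "$conf"): route $net $mask is not claimed by any ccd iroute"
    done
}

# check_ccd SERVER_CONF CCD_DIR -> 0 when consistent, 1 (with report) otherwise
check_ccd() {
    out=$(ccd_mismatches "$1" "$2")
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
    echo "ok: route/iroute pairs are consistent"
}

# make_demo DIR GOOD|BAD: constructed server.conf + ccd/ using the thread's
# subnets (server LAN 172.16.1.0/24, client-router LAN 172.16.0.0/24).
make_demo() {
    mkdir -p "$1/ccd"
    cat >"$1/server.conf" <<'EOF'
server 10.0.1.0 255.255.255.0
client-config-dir ccd
push "route 172.16.1.0 255.255.255.0"
route 172.16.0.0 255.255.255.0
EOF
    printf 'iroute 172.16.0.0 255.255.255.0\n' >"$1/ccd/client-router"
    # BAD: a second LAN routed in the kernel but claimed by no client
    [ "$2" = BAD ] && echo 'route 192.168.50.0 255.255.255.0' >>"$1/server.conf"
    return 0
}

# Usage on a real server: check_ccd /etc/openvpn/server.conf /etc/openvpn/ccd
demo() {
    d=$(mktemp -d)
    make_demo "$d/good" GOOD; check_ccd "$d/good/server.conf" "$d/good/ccd"
    make_demo "$d/bad" BAD;   check_ccd "$d/bad/server.conf" "$d/bad/ccd" || true
    rm -rf "$d"
}
demo
```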
Hi Toastman, Can you offer some expert advice, please? I just got an Asus RT-N12 that I am trying to install Tomato + OpenVPN into. I have used 2 Toastman builds and can't seem to make it work. The router seems to accept the firmware but it never stops the slow power light flashing, indicating it is still trying to accept new firmware. If I upload the Asus stock firmware all is well. I power off, press the reset button until the power light slow flashes, upload using the Asus recovery utility, it goes through the steps, seems to complete, but the slow power flash never stops. I have tried the latest Toastman Tomato-K26-1.28.7486.4MIPS2-RT-nousb+vpn.trx and the next older build, Tomato-K26-1.28.7486.3MIPS2-RT-nousb+vpn.trx, downloaded from the 4share site. Am I using the correct files? Any ideas?
I originally had two posts here trying to figure out how to solve two problems I couldn't find anywhere else. I figured them both out before I got responses. Instead of the long posts, here is a consolidated post with the problems and solutions.

Problem 1 - A generic TUN VPN between two Tomato VPN routers is established fine, but neither side can ping/communicate with Windows 7 PCs.
Solution - Windows 7 firewall needs to be configured to allow the VPN in. I don't know if there is a way to specify MAC address/port or something very specific, but how I did it is:
Code:
Client PC Firewall Setup
Under scope, remote IP, add "IP/subnet", type: xxx.xxx.xxx.0/24
Where xxx is your VPN subnet
Code:
Server PC Firewall Setup
Under scope, remote IP, add "IP/subnet", type: xxx.xxx.xxx.0/24
Enter your Tomato VPN Client Router subnet if you are only doing router-to-router.
Enter your VPN subnet if you're using OpenVPN instead of tomato.
Enter both if you are using both (aka a laptop that's sometimes home, sometimes on the go).

Problem 2 - After adding user/password auth to the VPN using this conversation with Dagger/Pepper, the Tomato VPN Router needs to be able to "enter" a user/password when connecting.
Solution - (using modified info from here): Client Tomato router uses configuration as per the Dagger/Pepper conversation, but instead of auth-user-pass, writes "auth-user-pass /tmp/openvpn-client1-userpass.conf". Client Tomato router adds the following init script:
Code:
# username on line 1, password on line 2 (the format auth-user-pass reads)
printf 'USER\nPASSWORD\n' > /tmp/openvpn-client1-userpass.conf
You need to have the user and password in a file (each on a separate line) on the router and specify "auth-user-pass /path/to/file" in the client VPN custom config. You can have that file be on JFFS, CIFS, or generate it in your Init script by echoing it to a file.
Hi! I am looking for a solution to be able to use 255.255.255.255 broadcast between OpenVPN server and clients. Guys, has anybody here already been able to do that? I tried the TAP-UDP bridge way without success. My clients are WinXP and Win7 users. On WinXP, if they set a bridge between the OpenVPN and internet adapters then they were able to use it. Is there any other solution?
Hi, I tried to read this long post but lost in the middle.... Anyway, I have a problem which I posted at: http://www.linksysinfo.org/index.php?threads/openvpn-client-cant-resolve-dns.37076/#post-180289 please help. Thanks.
Any chance we could get a GUI for policy-based VPN? Something that would allow us to direct only certain IP addresses or only certain ports (80, etc.) through the VPN and allow all other traffic to pass unmolested.
Hello! I'm trying to set up an OpenVPN connection (provider: perfect-privacy) but until now I have no success :-(. The VPN connection works, but as soon as the tunnel is up my INet is dead. Here is my config: There is some data flow but the counter for "tun/tap write bytes" stays on 0. Anyone any idea? Thx in advance!
No one has an idea? In the meantime I tried to set up my own OpenVPN server on a VPS. Same as with perfect-privacy. Connecting with the PC directly, everything works as expected. Connecting the LAN via the router, nothing works anymore. Would the routing table be helpful? Thx!
First, thanks SgtPepperKSU and all who made it possible to get VPN up and running so easily. One question I wonder about is if it's normal for the restart and boot time to take so much longer now? I have a WL-520gu, and it's running tomato-NDUSB-1.28.8754-vpn3.6. I have the most basic configuration: check Start with WAN, TAP, Automatic for Firewall, Static Key, and "keepalive 60 86400" in Advanced Custom Configuration. When I first clicked on "Start Now", for about the next 3 minutes the router froze and did not respond to ping. If I save other changes, the router would also freeze for about 3 minutes. A reboot now takes about 10 minutes before it would respond to ping. Afterwards, everything works fine and OpenVPN client on PC works great. A restart used to come back quickly, and a reboot used to take less than one minute. I do not see anything abnormal in the log (nothing is logged after the normal first minute in a reboot), so I wonder what is going on during the 3 or 9 minutes that makes the router completely unresponsive? Especially if you also have a WL-520gu, do you experience the same? Is there a solution to the long restart and boot time?
Hi, I am using the OpenVPN server and on top of the key authentication, I would like to use username/password to increase the security. However, there is no GUI in the OpenVPN Server tab to add any user like in the PPTP Server tab. I used the following tutorial to add user authentication and it worked perfectly (search for auth-user-pass-verify for the relevant code), except this is all command line... The Tutorial (add .html at the end of the link and remove the spaces): todayguesswhat.blogspot.com / 2011/03/quick-simple-vpn-setup-guide-using What would you think of grabbing the same GUI as PPTP Server to handle the users and adding it into the OpenVPN Server tab as well, with the previous logic in? Thanks in advance.