SgtPepperKSU Is your build ND version, or if not how to enable Vegas? WRT54GS V1 here, nvram get wl0corerev=7 Thanks.
Thanks to you and SgtPepper for the responses. I really want to stay with Tomato so I guess I'll live without the iPhone interface for now.
I have not been building ND versions, but I guess I could start. And, I have done nothing special to enable TCP Vegas, so I assume it would not work.
Thank you. I'll be waiting for your ND build :halo: And I'll start to check the possibility of mppe, dkms stuff.
Thanks, SgtPepperKSU. The actual mod works great. How is it possible to start OpenVPN after a reboot automatically and even after it dies?
Hmmm, maybe something along the lines of (in your init script):
Code:
#Generate vpnup.sh
echo "#!/bin/sh
killall -0 vpn\$1 2> /dev/null
if [ \$? != 0 ]
then
logger \"\$0: Starting vpn\$1\"
service vpn\$1 start
else
logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
fi
" > /tmp/vpnup.sh
# Make vpnup.sh executable
chmod +x /tmp/vpnup.sh
# Schedule vpnup.sh to run every 30 minutes
cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
# Wait 10 seconds and run vpnup.sh once
sleep 10
/tmp/vpnup.sh server1
This will check if Server 1 is running every 30 minutes and start it if it isn't. You can adjust the time interval by changing the 30 in the cru line or replace the server1 with client1, client2, or server2 if appropriate.
I've asked SgtPepperKSU to add a README file to the distribution. The answer to your question is in the first post of this thread, but it tends to get forgotten there. In Administration>Scripts>Init, add the line Code: service vpnserver1 start replacing vpnserver1 with vpnserver2, vpnclient1, or vpnclient2 as appropriate. Some users have reported needing a "sleep 10" beforehand
Actually, that will just start it once. If it dies for some reason, you would have to manually restart it. In the post above yours (probably while you were responding), I posted a script to check it every 30 minutes and start it if necessary. I will add both methods to the README for the next release.
In bridge mode, clients should get their network information by DHCP from the Tomato box. So, I try to use the directive "server-bridge" without any parameters. But that is not possible, because "server-bridge" is already set by the web GUI, which needs start and end IP addresses. I suggest generating a plain "server-bridge" entry in the conf if no IP addresses are entered in the GUI.
I use a "keepalive 15 60" in my custom-config. Now, I'm discovering in the generated conf, that a "keepalive 15 60" is already inside. May it be possible to show the generated config as an non-editable textfield in the web-GUI, to prevent double-configs? For the option "verb" I suggest a select-field.
Good suggestion. I'll add a checkbox for DHCP. Somehow I missed that that directive could be called without parameters, or I would have already done so.
SgtPepperKSU, I think your work has been great so far, but in looking at this thread and the constant change in your GUI in each revision, something came to mind. In my opinion the idea behind a GUI is to make it more visually appealing to configure the different settings. OpenVPN has a ton of settings and parameters, and in looking through the available commands, it doesn't seem to lend itself very well to a complete GUI package (without overwhelming the user). Your GUI already has one-click configs for a variety of OpenVPN connections, which I think is exactly what the novice end user wants. For someone who is more interested in specific options (such as client config directories, ipp tables, whatnot), it makes more sense to me to be able to directly edit the config file, and to do so through the Tomato web interface is welcome. I think it would be easier for you and for the more advanced users to be able to see the .conf file directly through the asp page. Maybe if one of the templates was "custom config" and it used the custom config text box as the whole config (ignoring the rest of the boxes and pre-hashed config lines). This way hardcoded changes in the GUI would not affect users updating from one version of your mod to the next. Just some thoughts -- hopefully that made sense and didn't seem like I was rambling. Thanks for all your work.
I think I have just about reached the limit on the amount of settings automatically configured via the GUI. After I add some kind of input for routes to achieve two-way connections, it will probably just be maintenance type changes from then on. Anything more (unless a compelling argument is made), will need to be set up via the Custom Config section. I don't have any intention of making it a complete GUI package for all OpenVPN options (in fact, I took out a couple of options that were of limited use after the first couple releases) I think almost any of the options can still be used in the Custom Config section along with the automatically generated config (including client config directories, etc). The target audience for the GUI was people setting up a VPN choosing the features they want, not trying to match a particular config file. My thought was that if you just want to use a specific config file, it can about as easily be entered into the init script (like was done with roadkill's mod before I made the GUI). I will consider an option to only use the Custom Config section (and not auto-generate anything), though. Thanks for your feedback!
Can we be so blessed as to expect a VPN GUI version that incorporates the offical (test) Tomato build that has TCP Vegas? Please..please?
Not until there are sources available (probably not until it becomes Tomato 1.23). But, shortly after that happens, I'll release an update.
Version 1.22vpn2.0005
You can download the binaries and source from here. This release includes a README file with a couple of init scripts for automatically starting the VPN. For those wanting to use the source, be sure to read the COPYING file.
Changes from 1.22vpn2.0004:
Fixed "Unable to start SSL" error.
Added DHCP option for assigning VPN addresses for TAP+TLS server. If enabled, this assigns an address out of the normal LAN DHCP range. If disabled, it assigns an address out of the given range.
Removed length restrictions on the text area fields (certificates, keys, etc.)
Updated to OpenVPN 2.1rc15
Known limitations: None that I am aware of. If you find some, let me know.
Let me know what you think, and what can be improved. :smile:
After I upgraded my router (WRT54GL v1.1) from 1.22vpn2.0004 to 1.22vpn2.0005 it shows 1.21vpn2.0005 as the installed version? edit: same thing when I'm doing a "clear NVRAM" before and also after the upgrade.
Probably just a typo on my part. The only vpn2.0005 build I've made is based on 1.22. I'll rebuild when I get home to get the right number in there.
I've replaced the build with one that shows the correct version number. That is the only change, so I'm leaving it at 2.0005. Sorry if it caused any confusion.
I will when/if they are included in a Tomato release. It looks like TCP Vegas will be in the next Tomato release, but not Speedmod as far as I know.
uber cool. thanks. I remember someone mentioned Vegas and Speedmod has already been incorporated into the latest Tomato testbuild. Looking forward to it. great work, sir. :halo:
SgtPepperKSU, I know you fixed the issue with the port forwarding rules not happening after being saved, but it seems the static routing did not get fixed. I can create a static route (Advanced-->Routing) and save, but it does not show up in the routing table. Last time I got it to work by doing an nvram wipe and reinstalling the config - but I would rather not.
Have you tried regular Tomato 1.22? I just loaded that on my router and am seeing the same problem. I think it may be a problem upstream from me. I may do some in-depth debugging on this, but I can't guarantee it will be soon due to the upcoming holidays and a general lack of time.
Thanks. I went the nvram wipe route to get the route to show up in the table. A tracert showed it was routing to the static route I'd set to the second router, but I was not getting a reply from the WAN side of the second router with a forwarded port until I changed the gateway address on the unit I was trying to contact, which defeated the purpose of the static route. I have had this working before but I cannot remember - it might have been Tomato 1.21. Could the recent dnsmasq implementation be a cause of these issues?
Hm, Interesting. Any idea if I could load this over 1.19 with the openvpn mod of roadkill without having to reconfigure everything?
Could? Sure. Should? Probably not. It's always a good idea to clear nvram after an upgrade, or you might run across difficult to diagnose problems. But, there is no more risk than upgrading vanilla Tomato versions.
Version 1.23vpn2.0005
You can download the binaries from here. Source is available at the Git repository. Be sure to read the COPYING file if you plan to use/distribute the sources.
Direct links:
Patch from Tomato-1.23
TomatoVPN Source
TomatoVPN-ND Source
Changes from 1.22vpn2.0005:
Updated to Tomato 1.23 baseline (Tomato changelog here)
Known limitations: None that I am aware of. If you find some, let me know.
Let me know what you think, and what can be improved. :smile:
Hi, SgtPepperKSU. Any plans to implement OpenSWAN? Roadkill says he won't have time to do it; I hope someone can do this. I'm currently using jyavenard's PPTP server MOD. But an IPSec VPN server would be the best, I thought. Thanks.
As a matter of fact, in the last few days, I decided it would be "nice" to incorporate both PPTP and OpenSwan into the VPN GUI. But, it would be a low priority, and I probably wouldn't have time to even consider it until after the holidays. But, yes, it is on my self-wishlist.
FYI, I updated successfully the server from Roadkill's to yours Next week, I'll update the client. Thanks for your work
many thanks. it works on my WRT54GS v1 And is it possible to show vpn clients of router mode (TUN) in Device List? :biggrin:
The init script "service vpnserver1 start" not working? I need to click the "Start Now" button to start vpn server1 each time I reboot the router
If you're going to put it in wan up, it would probably be better to use "restart" rather than "start". That way, if one is already running, you won't end up with multiple instances.
It works only the first time, then it's not working anymore. I cannot see anything about "openvpn" in the log. I use the router inside the LAN and so disable the WAN, so I cannot use the WAN Up script.
What do you mean by "it works only the first time"? It should behave the same every time you reboot since a reboot clears out anything that happened during the previous boot.
If the WAN is disabled, the Init Script "service vpnserver1 start" will not work. If I just put all the settings in the Init Script like Roadkill's mod, the router refuses to save a script exceeding 4096 characters. So what can I do?
I'm not sure I completely understand what you're saying. Do you have a very long init script, and it's exceeded 4096 characters in length? What else do you have in that script? You might consider saving that script as a shell executable file in your /jffs directory, and then just execute the script in your init.
If you have used Roadkill's mod before, you will know that all crt/key files will be put in the Init Script and it will exceed the 4096 size. There is no VPN GUI for Roadkill's old build. Is there any way to start the "service vpnserver1" at the Init Script with the "WAN disabled"? I guess the openvpn will be initialized when the WAN comes up; if the WAN is disabled, the Init Script "service vpnserver1 start" will not work. Hope SgtPepperKSU will fix this soon.
I'm not sure yet what it is I would need to fix. I've never tried it with the WAN disabled, but off-hand, I don't see a reason it wouldn't work. If you post here the script you used with Roadkill's mod, I'll see what is different from what my GUI does. It may be that I need to do a special check for the WAN disabled case.
EDIT: You could also try telnet/sshing to the router and running
Code:
nvram set vpn_debug="1"
nvram commit
and trying it again. This should print a message to the log showing what part of the process isn't working.
While I would be interested in why it isn't working for you to put a simple start command in your init script, you seem to be in a hurry to get it up and running. Your best bet would be to use the script in the README file instead. That script periodically checks to see if the server is up, and starts it if not. Looking at that script again just now, I would replace "service vpn\$1 start" with "service vpn\$1 restart", though, for the reasons given in the previous post. For easier reference, the script is (paste into init script):
Code:
## Start VPN init script
#Generate vpnup.sh
echo "#!/bin/sh
killall -0 vpn\$1 2> /dev/null
if [ \$? != 0 ]
then
logger \"\$0: Starting vpn\$1\"
service vpn\$1 restart
else
logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
fi
" > /tmp/vpnup.sh
# Make vpnup.sh executable
chmod +x /tmp/vpnup.sh
# Schedule vpnup.sh to run every 30 minutes
cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
# Wait 10 seconds and run vpnup.sh once
sleep 10
/tmp/vpnup.sh server1
## End VPN init script
However, if the button in the GUI starts it okay, then I really think you just need to increase the sleep time before the "service vpnserver1 start" that you've already been trying (try 15, 20, or even 30).
Is there a particular reason that people don't like using /jffs for files that need to be re-created at each reboot? I keep on seeing large "cat"s in people's init files, which seems kind of ugly. My original solution was to store all the files I needed individually in /jffs, and just copy each of them to their required target location in init. Then I came up with the better solution of creating a single tar ball of all my files, and then issuing in my init script the command
tar -x -f /jffs/files.tar -C /
Adding more files or changing files is just updating the tar file. My current tar ball contains the already mentioned /tmp/vpnup.sh, root/.profile to add some personalization to the shell, and lots of stuff for /var/wwwext. Of course, either the tar file or the files from which the tar file is created should be backed up elsewhere. I have my files on a mirror directory in /cifs1/tomato.
I did it that way in the README simply because it is "easier" for the user. Just copy here, paste there. I figured anyone with knowledge enough to easily do it with jffs/cifs (not that is hard), could do it just fine without my guidance (as you have done).
Oh.. I tried sleep 20 and it is working now Thank you very much for your help!!!!!! I'm very happy with my router now
I added: service vpnserver1 start To my Init script as stated on the first page of this thread, but my server does not start automatically. I can get everything to work just fine, but I have to manually start the server via the button on the tunnel page. After a reboot, my logs show no reference to openvpn. What am I doing wrong?
Since the answer "add 'sleep 20' to the beginning of your init script" seems to appear so often. . . . At what point in router start up does the init script get run? What's going on in those first twenty seconds that stops vpnserver and many other services from running? Anyone know?
The Init script is executed almost the first thing when the router is booting up - before the network is initialized and before any other services are started. I had to add a 40 sec sleep in front of my script to wait for the network and NTP time sync. Alternatively you can move your code to the WAN Up script - it runs after the network is set up, but before other services are started - so you still may need to add some delay, but probably not that long... But I'm not sure whether or not the WAN Up script will run again if your WAN connection is restarted. You should assume it will, though, and use caution to not execute some things that should only be executed once.
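The 30-minute watchdog script posted earlier in the thread and the boot-order question just above (why a fixed "sleep 20" is needed) can be handled together. The following is an added example written for this thread, not the README script from SgtPepperKSU's mod: it writes the watchdog with a quoted heredoc (so none of the backslash escapes of the echo version are needed and a missed escape cannot silently mangle the generated file), uses "restart" as recommended above, and replaces the fixed sleep with a bounded wait for the LAN bridge to come up. It assumes the Tomato/busybox commands the thread names (service, cru, logger, killall -0, pidof) and that busybox ifconfig prints "inet addr" once br0 is configured; whether it goes in Init or WAN Up is still the reader's choice.

```shell
#!/bin/sh
# Added example for this thread (not the README script from SgtPepperKSU's mod).
# Assumes the Tomato/busybox commands the thread names: service, cru, logger,
# killall -0 and pidof, plus busybox ifconfig printing "inet addr" for br0.

# gen_vpnup OUTFILE: write the watchdog script and make it executable.
# A quoted heredoc ('EOF') keeps $ and " literal, so no backslash escaping
# is needed and a missed escape cannot silently break the generated file.
gen_vpnup() {
    cat > "$1" <<'EOF'
#!/bin/sh
# usage: vpnup.sh server1|server2|client1|client2
name="vpn$1"
if killall -0 "$name" 2>/dev/null; then
    logger "$0: $name already running: $(pidof "$name")"
else
    logger "$0: starting $name"
    # "restart" rather than "start": never leaves two instances running
    service "$name" restart
fi
EOF
    chmod +x "$1"
}

# wait_for "COMMAND" SECONDS: poll COMMAND once a second until it succeeds
# or SECONDS elapse. Returns 0 on success, 1 on timeout. This replaces a
# fixed "sleep 20" whose right value differs from router to router.
wait_for() {
    n=0
    until sh -c "$1" >/dev/null 2>&1; do
        n=$((n + 1))
        [ "$n" -ge "$2" ] && return 1
        sleep 1
    done
    return 0
}

# install_watchdog INSTANCE MINUTES: the part that goes in the init script.
install_watchdog() {
    gen_vpnup /tmp/vpnup.sh
    # run the check every MINUTES minutes (cru is Tomato's cron helper)
    cru a "CheckVPN$1" "*/$2 * * * * /tmp/vpnup.sh $1"
    # wait at most 60 s for the LAN bridge to be configured, then run once
    wait_for "ifconfig br0 | grep -q 'inet addr'" 60 || logger "$0: br0 not up after 60s, trying anyway"
    /tmp/vpnup.sh "$1"
}

# Example init-script usage (constructed): install_watchdog server1 30
```

The `wait_for` condition is the piece to adapt: on a router with the WAN disabled (the case discussed above), waiting for br0 rather than for a WAN address is what makes the first run succeed.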
I am trying to use the "1.23vpn2.0005" version of this firmware to get a VPN up from work to my home and I am having a problem. I am not new to OpenVPN, but I am new to this version of the Tomato firmware. I have tried two different setups without success:
1. TLS with tls-auth
2. Static Key mode
I can see my client come in and start negotiation with the VPN server, but I can never fully connect. With the TLS option I just get what appears to be a timeout and with the static key I see the router trying to get my client an IP address, but it never does get it. Any thoughts or help would be appreciated. Here are some logs of what I see:
TLS Mode
----------
Code:
Dec 23 07:39:52 WRT54G daemon.notice openvpn[3912]: MULTI: multi_init called, r=256 v=256
Dec 23 07:39:52 WRT54G daemon.notice openvpn[3912]: Initialization Sequence Completed
Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: MULTI: multi_create_instance called
Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 Re-using SSL/TLS context
Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 LZO compression initialized
Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 Control Channel MTU parms...
Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 Data Channel MTU parms...
Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 TLS: Initial packet from XXX.XXX.XXX.XXX:63943, sid=XXX XXX
Dec 23 07:41:15 WRT54G daemon.err openvpn[3912]: XXX.XXX.XXX.XXX:63943 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 23 07:41:15 WRT54G daemon.err openvpn[3912]: XXX.XXX.XXX.XXX:63943 TLS Error: TLS handshake failed
Dec 23 07:41:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 SIGUSR1[soft,tls-error] received, client-instance restarting
Static Key Mode
----------------
Code:
Dec 23 07:38:05 WRT54G daemon.notice openvpn[3851]: Peer Connection Initiated with XXX.XXX.XXX.XXX:64466
Dec 23 07:38:05 WRT54G daemon.notice openvpn[3851]: Replay-window backtrack occurred [1]
Dec 23 07:38:06 WRT54G daemon.notice openvpn[3851]: Initialization Sequence Completed
Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPDISCOVER(br0) XX:XX:XX:XX:XX:XX
Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPOFFER(br0) 192.168.X.X XX:XX:XX:XX:XX:XX
Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPDISCOVER(br0) XX:XX:XX:XX:XX:XX
Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPOFFER(br0) 192.168.X.X XX:XX:XX:XX:XX:XX
Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPDISCOVER(br0) XX:XX:XX:XX:XX:XX
Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPOFFER(br0) 192.168.X.X XX:XX:XX:XX:XX:XX
Dec 23 07:38:24 WRT54G daemon.info dnsmasq[2755]: DHCPDISCOVER(br0) XX:XX:XX:XX:XX:XX
Dec 23 07:38:24 WRT54G daemon.info dnsmasq[2755]: DHCPOFFER(br0) 192.168.X.X XX:XX:XX:XX:XX:XX
Again...neither mode actually fully connects. The Static mode at least starts up the TAP network adapter on my Vista client, but it never gets an IP address. Are there some options that I am missing that I need? Thanks for any assistance.
I'd need to know what settings you have set and what client config you are using to help. Provide those (preferably in a new thread), and we'll see what we can figure out.
New thread is here: http://www.linksysinfo.org/forums/showthread.php?t=60296 I will be posting my settings and config shortly...Thanks!
Can you please help me link two networks together at different location. Using your vpn mod, both running Tomato 1.23 with your vpn mod. Each network as its own isp. Thank you
There should be several examples in this thread. If you have specific questions, reply back with those and we'll figure it out.
tomatovpn-1.23vpn2.0005 there is still a problem with static routes not being added to the routing table on save
And it still appears to be a problem in vanilla tomato (at least in my testing). If you find otherwise, let me know. Otherwise, it should probably be reported to Jon.
OK - I will post it in the 1.23 thread. Another question, though: I have 2 networks linked via the internet and 54GLs, with one running the VPN client and the other the VPN server. Both networks are in 10.8.8.x. I can talk to all machines on both sides from both sides. But when I connect from outside to the server I cannot see the machines behind the client 54GL, though I can see all machines behind the server 54GL - I can VNC to a machine behind the server 54GL and then contact all machines behind the client 54GL? Hope that makes some sense, and are you able to tell me what I am doing incorrectly? Thanks.
First, I'm assuming you are using TLS authentication since I don't think you can get in your situation via static key mode. Also, I'm assuming TAP since it is the simplest way to get in your described situation. If either of these are incorrect, let me know. I think all you need to do is add "client-to-client" to your Custom Configuration. Without this, OpenVPN doesn't let clients "see" each other for security reasons.
Yes, TAP, UDP and TLS. What code is needed in custom config to allow client-to-client? And can the client which other clients can see be specified?
Just "client-to-client". Though, I've never tried it. I don't know if it's possible to have it only "share" one client with everyone with TAP. But, it should be possible with TUN (or TAP in bridged mode).
I have a very long domain name so it won't fit in the Server Address. I am using an IP address now. I would like to see this field be extended in the next release. Thanks for this great product. HAPPY NEW YEAR!
Done! I've made the changes, and the length restriction will be completely removed on that field in the next release. In the meantime, you should be able to enter it manually from the shell with
Code:
nvram set vpn_server1_addr="verylonghostname.goeshere.example.com"
nvram commit
I noticed that I couldn't get the access restrictions to work on this version. is there something that I am missing -- i created two separate restrictions (1 by ip and another by mac) to specifically block the internet for one computer during the night.
I'm afraid I've never used access restrictions. Could you try temporarily flashing back to normal Tomato (no nvram clear) and trying it again? If it does then work, then it's likely there is a real problem and I'll look into it when I get time. If it still doesn't work, then it is either a bug in Tomato or a problem in nvram. To test the latter, you'll need to do a nvram clear :frown: (and it would be useful to try it on both builds). By the way, did you do a nvram clear when you last upgraded?
))) very good, thanks a lot for this mod! I am currently trying to convert my (working) config for Roadkill's mod to this mod. When I start openvpn, I can't browse any more. I have to stop the openvpn service on my client Windows PC in order to regain access to the router and the internet. The OpenVPN connection gets established, by the way, but somehow my routing seems to get broken. I have tried a lot of things/options. Does anyone have a hint for me what's wrong with the following config?
#WEB Gui: (Auth Mode set to "custom")
#port 1194
#proto udp
#dev tun
max-clients 5
mode server
tls-server
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool 10.8.0.4 10.8.0.24
float
comp-lzo
push "resolv-retry infinite"
push "ping 20"
push "ping-restart 180"
persist-key
persist-tun
verb 2
daemon
ca /tmp/ca.crt
dh /tmp/dh1024.pem
cert /tmp/server.crt
key /tmp/server.key
Hi, SgtPepperKSU and all gurus Happy New Year!:biggrin: I'm still waiting someone could enable OpenSwan support on Tomato, which should be the perfect solution for VPN connection (without client and secure). I wish it would be available this year.:thumbup:
This forum seems to have had problems, two posts are missing. For the record, SgtPepper asked me to post the full config, so here's my server1.ovpn (Auth Mode set to "custom"):
# Automatically generated configuration
daemon
proto udp
port 1194
dev tun21
comp-lzo yes
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
status-version 2
status server1.status
# Custom Configuration
max-clients 5
mode server
tls-server
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool 10.8.0.4 10.8.0.24
float
comp-lzo
push "resolv-retry infinite"
push "ping 20"
push "ping-restart 180"
persist-key
persist-tun
verb 2
ca /tmp/ca.crt
dh /tmp/dh1024.pem
cert /tmp/server.crt
key /tmp/server.key
I think the ' push "route 192.168.1.0 255.255.255.0" ' line in the automatically generated part is causing the problem. If I manually delete the pushed route on the client side, I can use my web browser again. Why is this line added? Is there any way to delete/disable this line? Maybe a "full custom config" option would be nice, where you could specify all parameters yourself.
That line is there so that the clients can see the computers on the server LAN. I think the problem is that your two networks have the same subnet. This will _not_ work properly unless you use TAP w/ bridging. Try to change one of them to 192.168.0.0/24 or 192.168.2.0/24. My thought on a full custom config was that if you wanted that, you may as well just use the init script to generate it. But, there have been a few requests for it, so I may consider it.
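The diagnosis above (the same 192.168.1.0/24 on both ends, so the pushed route shadows the client's own LAN) can be checked mechanically before a route is pushed. What follows is an added example for this thread, not part of the mod or of OpenVPN: POSIX sh functions that decide whether two IPv4 networks overlap and only emit the push directive when they do not. The addresses are constructed sample values, and the mod does not expose a hook where the server config is generated, so where this check would run is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the mod): detect the overlapping-subnet
# problem before pushing "route <lan> <mask>" to VPN clients. When the client's
# own LAN is the same /24 as the server LAN, the pushed route captures the
# client's local traffic (the "can't browse once the tunnel is up" symptom).
# All addresses below are constructed sample values.

# ip2int A.B.C.D -> unsigned 32-bit integer. Runs in a subshell so the IFS
# change does not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# network IP MASK -> network address of IP under MASK, as an integer.
network() {
    echo $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# subnets_overlap IP1 MASK1 IP2 MASK2
# Returns 0 (true) when the two networks share any address: two networks
# overlap exactly when both prefixes agree under the shorter of the two masks.
subnets_overlap() {
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))   # the less specific mask
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# check_push_route SERVER_LAN SERVER_MASK CLIENT_LAN CLIENT_MASK
# Prints the push directive when it is safe; otherwise warns on stderr and
# returns 1 so a config generator can refuse to emit the conflicting route.
check_push_route() {
    if subnets_overlap "$1" "$2" "$3" "$4"; then
        echo "WARNING: server LAN $1/$2 overlaps client LAN $3/$4; renumber one side (or use TAP with bridging)" >&2
        return 1
    fi
    echo "push \"route $1 $2\""
}

# Usage (constructed): check_push_route 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
```

The overlap test is the general one (it also catches a /16 client LAN that contains the server /24), not only the identical-/24 case seen in this thread.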
Yes, the two subnets are the same. I generated a config for openvpn manually in the init script as proposed. Just omitted that route line and everything works now. I want the computers connected via openvpn to be unaware of the rest of the network, just an isolated openvpn net, so to speak. Am using this setup to remotely administer two stores in different locations. And CCD finally works now, too. Now I don't have to find out the IP addresses of these computers any more each time I want to log on. Great buy, this WRT54 router, I simply love it! Thanks again very much for your great mod and your help! I am fine now, but maybe if you just incorporated an option to toggle the route command on/off it would be helpful for other people in my opinion.
Perhaps if I understood better the use-case where that kind of option would be useful... Is it that you want only one computer on the server LAN to be visible (and you add a route to it manually)? If this is the case (which I have the feeling it isn't), then it would be probably more appropriate to run the OpenVPN server on that computer. I'm sorry if I'm being dense, but I'm just not picturing a situation where the VPN would be useful without that route. Obviously, there is one or you wouldn't be asking for it, but I just haven't been able to come up with such a scenario. If you could explain a little more what your situation is, perhaps I'd understand better. EDIT: To explain further, no communication is possible between any LAN computer and a client (in either direction) without that route. So, the client would only be able to see the router, and only the router could see the clients. And, I can't think of when that would be useful (aside from router administration, but SSH or HTTPS would be better suited).
I'm going to be on vacation for the next week, so I will be unable to answer questions during that time. I will, however, try to catch up on things upon my return.
Could someone post a screenshot of the VPN Web GUI page? I'd like to have a look before trying it out... currently running roadkill's mod. Thanks, Ben
I have been using Roadkill's mod for a while now. It seems that his branch is going to go away as he seems to have moved on to OpenWrt. Is there a step by step for converting my TLS scripts for Roadkill's Mod to pluggin them into the UI for this Mod? My scripts are based on post #2 http://www.linksysinfo.org/forums/showthread.php?t=53233
This ought to work just fine as is. Though SgtPepperKSU's mod provides a GUI, you're under no obligation to use it.
I have a couple of questions, as I am completely new to VPN's. I just flashed with Sgtpepper's mod, and I am looking to set up a VPN so that outside PC's can connect to my home computer (I am running Gentoo Linux on my machine which is sitting behind a WRT54GL with Tomato+VPN). I have read the tutorial in this thread and I am not clear on a couple of things. 1) If I want to use my home machine/router as the VPN server, do I need to install OpenVPN on my Gentoo machine? I was under the impression that this Tomato mod builds OpenVPN right into the router, thus making my router act as the VPN server. Therefore, I won't need OpenVPN on the PC itself, or am I wrong? 2) If I don't need openVPN on my computer, then what directory in the Tomato shell do I need to go to generate the keys? The OpenVPN official tutorial is written under the assumption that one is using the standard OpenVPN installed on a PC. I can't seem to find the location in the router shell to generate keys (this is the reason I am asking question 1). 3) Is it possible to treat a VPN connection like an FTP server? In other words, is it possible to only allow certain directories for browsing, etc?
1) You don't need OpenVPN on your computer if you are running it on the router. 2) Unfortunately, the router can't generate the keys. So the real answer to #1 is that you do need a copy of OpenVPN running somewhere, but just enough to generate the keys, and then copy and paste them into the router's GUI. 3) I don't think so.
Actually, to this last question; you can set permissions etc but it is kinda complicated. If you go to the openvpn site they talk about how you can set a username and password for vpn connections when logging in and use that to set permissions. also you can link your openvpn setup with ldap/active directory and it will import the permissions from there. i have not done this myself-- i only know that it is possible as indicated by openvpn documentation
Wanting to switch from Roadkill mod v1.19.1464 to the latest SgtPepper VPN with Web GUI build. A couple questions...
1. Is this straightforward? Do I need to do anything in particular before upgrading (NVRAM?)
2. Will all my Router settings be carried over?
3. Will I need to reconfigure my VPN settings? I'm currently using static-key VPN with these scripts:
Firewall:
iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT
WAN UP:
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
-----BEGIN OpenVPN Static key V1-----
<deleted for forum post>
-----END OpenVPN Static key V1-----
" > /tmp/static.key
sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 444 --cipher BF-CBC --proto udp --keepalive 10 300 --verb 3 --daemon
Client config:
dev tap0
secret static.key
proto udp
remote <my ip address> 444
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC
comp-lzo
verb 3
float
It was so long ago I set it all up that I've forgotten what it all does! Thanks in advance for any help you can give... Ben
Hi there. I hope you can help me. I'm trying to set up VPN. First I created certificates with openvpn on my linux machine: http://openvpn.net/index.php/documentation/howto.html#pki After this I copied the keys from ca.cert, server.cert, server.key and dh1024.pem (in this order) into the webgui, made the other configs and clicked "Start Now", now it looks like this: http://img187.imageshack.us/img187/5773/vpnii4.jpg I also opened the port in iptables: Administration/Scripts/Firewall ->
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
Last but not least I made a config file for my linux openvpn client:
Code:
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.13.13 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert Client1.crt
key Client1.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 4

# Silence repeating messages
;mute 20
Now I copied the ca.crt, Client1.crt and Client1.key to the same directory as the client.conf file and started openvpn in the console with "openvpn --config client.conf".
Now I'm trying to connect from my local LAN to the router and I'm getting this error message:
Code:
sudo openvpn --config client.conf
Sat Jan 10 18:45:03 2009 us=620200 Current Parameter Settings:
Sat Jan 10 18:45:03 2009 us=620349 config = 'client.conf'
Sat Jan 10 18:45:03 2009 us=620375 mode = 0
Sat Jan 10 18:45:03 2009 us=620397 persist_config = DISABLED
Sat Jan 10 18:45:03 2009 us=620417 persist_mode = 1
Sat Jan 10 18:45:03 2009 us=620454 show_ciphers = DISABLED
Sat Jan 10 18:45:03 2009 us=620491 show_digests = DISABLED
Sat Jan 10 18:45:03 2009 us=620513 show_engines = DISABLED
Sat Jan 10 18:45:03 2009 us=620533 genkey = DISABLED
Sat Jan 10 18:45:03 2009 us=620552 key_pass_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=620574 show_tls_ciphers = DISABLED
Sat Jan 10 18:45:03 2009 us=620594 proto = 0
Sat Jan 10 18:45:03 2009 us=620613 local = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=620637 remote_list[0] = {'192.168.13.13', 1194}
Sat Jan 10 18:45:03 2009 us=620661 remote_random = DISABLED
Sat Jan 10 18:45:03 2009 us=620681 local_port = 0
Sat Jan 10 18:45:03 2009 us=620700 remote_port = 1194
Sat Jan 10 18:45:03 2009 us=620719 remote_float = DISABLED
Sat Jan 10 18:45:03 2009 us=620751 ipchange = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=620783 bind_defined = DISABLED
Sat Jan 10 18:45:03 2009 us=620814 bind_local = DISABLED
Sat Jan 10 18:45:03 2009 us=620845 dev = 'tun'
Sat Jan 10 18:45:03 2009 us=620876 dev_type = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=620907 dev_node = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=620938 lladdr = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=620970 topology = 1
Sat Jan 10 18:45:03 2009 us=621000 tun_ipv6 = DISABLED
Sat Jan 10 18:45:03 2009 us=621031 ifconfig_local = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=621063 ifconfig_remote_netmask = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=621094 ifconfig_noexec = DISABLED
Sat Jan 10 18:45:03 2009 us=621125 ifconfig_nowarn = DISABLED
Sat Jan 10 18:45:03 2009 us=621155 shaper = 0
Sat Jan 10 18:45:03 2009 us=621186 tun_mtu = 1500
Sat Jan 10 18:45:03 2009 us=621207 tun_mtu_defined = ENABLED
Sat Jan 10 18:45:03 2009 us=621226 link_mtu = 1500
Sat Jan 10 18:45:03 2009 us=621245 link_mtu_defined = DISABLED
Sat Jan 10 18:45:03 2009 us=621263 tun_mtu_extra = 0
Sat Jan 10 18:45:03 2009 us=621283 tun_mtu_extra_defined = DISABLED
Sat Jan 10 18:45:03 2009 us=621301 fragment = 0
Sat Jan 10 18:45:03 2009 us=621332 mtu_discover_type = -1
Sat Jan 10 18:45:03 2009 us=621363 mtu_test = 0
Sat Jan 10 18:45:03 2009 us=621393 mlock = DISABLED
Sat Jan 10 18:45:03 2009 us=621432 keepalive_ping = 0
Sat Jan 10 18:45:03 2009 us=621452 keepalive_timeout = 0
Sat Jan 10 18:45:03 2009 us=621474 inactivity_timeout = 0
Sat Jan 10 18:45:03 2009 us=621493 ping_send_timeout = 0
Sat Jan 10 18:45:03 2009 us=621519 ping_rec_timeout = 120
Sat Jan 10 18:45:03 2009 us=621550 ping_rec_timeout_action = 2
Sat Jan 10 18:45:03 2009 us=621581 ping_timer_remote = DISABLED
Sat Jan 10 18:45:03 2009 us=621612 remap_sigusr1 = 0
Sat Jan 10 18:45:03 2009 us=621643 explicit_exit_notification = 0
Sat Jan 10 18:45:03 2009 us=621674 persist_tun = ENABLED
Sat Jan 10 18:45:03 2009 us=621705 persist_local_ip = DISABLED
Sat Jan 10 18:45:03 2009 us=621736 persist_remote_ip = DISABLED
Sat Jan 10 18:45:03 2009 us=621767 persist_key = ENABLED
Sat Jan 10 18:45:03 2009 us=621798 mssfix = 1450
Sat Jan 10 18:45:03 2009 us=621829 passtos = DISABLED
Sat Jan 10 18:45:03 2009 us=621861 resolve_retry_seconds = 1000000000
Sat Jan 10 18:45:03 2009 us=621892 connect_retry_seconds = 5
Sat Jan 10 18:45:03 2009 us=621935 connect_timeout = 10
Sat Jan 10 18:45:03 2009 us=621955 connect_retry_max = 0
Sat Jan 10 18:45:03 2009 us=621973 username = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=621995 groupname = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622013 chroot_dir = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622036 cd_dir = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622054 writepid = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622081 up_script = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622112 down_script = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622143 down_pre = DISABLED
Sat Jan 10 18:45:03 2009 us=622174 up_restart = DISABLED
Sat Jan 10 18:45:03 2009 us=622204 up_delay = DISABLED
Sat Jan 10 18:45:03 2009 us=622223 daemon = DISABLED
Sat Jan 10 18:45:03 2009 us=622241 inetd = 0
Sat Jan 10 18:45:03 2009 us=622259 log = DISABLED
Sat Jan 10 18:45:03 2009 us=622276 suppress_timestamps = DISABLED
Sat Jan 10 18:45:03 2009 us=622294 nice = 0
Sat Jan 10 18:45:03 2009 us=622312 verbosity = 4
Sat Jan 10 18:45:03 2009 us=622329 mute = 0
Sat Jan 10 18:45:03 2009 us=622346 gremlin = 0
Sat Jan 10 18:45:03 2009 us=622364 status_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622382 status_file_version = 1
Sat Jan 10 18:45:03 2009 us=622399 status_file_update_freq = 60
Sat Jan 10 18:45:03 2009 us=622417 occ = ENABLED
Sat Jan 10 18:45:03 2009 us=622435 rcvbuf = 65536
Sat Jan 10 18:45:03 2009 us=622523 sndbuf = 65536
Sat Jan 10 18:45:03 2009 us=622545 sockflags = 0
Sat Jan 10 18:45:03 2009 us=622563 socks_proxy_server = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622581 socks_proxy_port = 0
Sat Jan 10 18:45:03 2009 us=622599 socks_proxy_retry = DISABLED
Sat Jan 10 18:45:03 2009 us=622617 fast_io = DISABLED
Sat Jan 10 18:45:03 2009 us=622634 lzo = 7
Sat Jan 10 18:45:03 2009 us=622651 route_script = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622669 route_default_gateway = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622688 route_default_metric = 0
Sat Jan 10 18:45:03 2009 us=622706 route_noexec = DISABLED
Sat Jan 10 18:45:03 2009 us=622723 route_delay = 0
Sat Jan 10 18:45:03 2009 us=622741 route_delay_window = 30
Sat Jan 10 18:45:03 2009 us=622759 route_delay_defined = DISABLED
Sat Jan 10 18:45:03 2009 us=622777 route_nopull = DISABLED
Sat Jan 10 18:45:03 2009 us=622795 management_addr = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622813 management_port = 0
Sat Jan 10 18:45:03 2009 us=622831 management_user_pass = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622850 management_log_history_cache = 250
Sat Jan 10 18:45:03 2009 us=622868 management_echo_buffer_size = 100
Sat Jan 10 18:45:03 2009 us=622887 management_query_passwords = DISABLED
Sat Jan 10 18:45:03 2009 us=622905 management_hold = DISABLED
Sat Jan 10 18:45:03 2009 us=622924 management_client = DISABLED
Sat Jan 10 18:45:03 2009 us=622942 management_signal = DISABLED
Sat Jan 10 18:45:03 2009 us=622960 management_forget_disconnect = DISABLED
Sat Jan 10 18:45:03 2009 us=622979 management_write_peer_info_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=622999 shared_secret_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=623018 key_direction = 0
Sat Jan 10 18:45:03 2009 us=623036 ciphername_defined = ENABLED
Sat Jan 10 18:45:03 2009 us=623055 ciphername = 'BF-CBC'
Sat Jan 10 18:45:03 2009 us=623074 authname_defined = ENABLED
Sat Jan 10 18:45:03 2009 us=623092 authname = 'SHA1'
Sat Jan 10 18:45:03 2009 us=623110 keysize = 0
Sat Jan 10 18:45:03 2009 us=623128 engine = DISABLED
Sat Jan 10 18:45:03 2009 us=623146 replay = ENABLED
Sat Jan 10 18:45:03 2009 us=623165 mute_replay_warnings = DISABLED
Sat Jan 10 18:45:03 2009 us=623183 replay_window = 64
Sat Jan 10 18:45:03 2009 us=623201 replay_time = 15
Sat Jan 10 18:45:03 2009 us=623219 packet_id_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=623237 use_iv = ENABLED
Sat Jan 10 18:45:03 2009 us=623255 test_crypto = DISABLED
Sat Jan 10 18:45:03 2009 us=623273 tls_server = DISABLED
Sat Jan 10 18:45:03 2009 us=623291 tls_client = ENABLED
Sat Jan 10 18:45:03 2009 us=623309 key_method = 2
Sat Jan 10 18:45:03 2009 us=623327 ca_file = 'ca.crt'
Sat Jan 10 18:45:03 2009 us=623346 ca_path = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=623364 dh_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=623382 cert_file = 'Client1.crt'
Sat Jan 10 18:45:03 2009 us=623401 priv_key_file = 'Client1.key'
Sat Jan 10 18:45:03 2009 us=623419 pkcs12_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=623437 cipher_list = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=623456 tls_verify = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=623474 tls_remote = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=633511 crl_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=633533 ns_cert_type = 0
Sat Jan 10 18:45:03 2009 us=633552 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633570 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633588 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633606 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633624 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633641 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633658 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633675 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633693 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633711 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633728 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633746 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633764 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633781 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633799 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633816 remote_cert_ku[i] = 0
Sat Jan 10 18:45:03 2009 us=633835 remote_cert_eku = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=633853 tls_timeout = 2
Sat Jan 10 18:45:03 2009 us=633872 renegotiate_bytes = 0
Sat Jan 10 18:45:03 2009 us=633890 renegotiate_packets = 0
Sat Jan 10 18:45:03 2009 us=633908 renegotiate_seconds = 3600
Sat Jan 10 18:45:03 2009 us=633926 handshake_window = 60
Sat Jan 10 18:45:03 2009 us=633944 transition_window = 3600
Sat Jan 10 18:45:03 2009 us=633962 single_session = DISABLED
Sat Jan 10 18:45:03 2009 us=633979 tls_exit = DISABLED
Sat Jan 10 18:45:03 2009 us=633997 tls_auth_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=634041 server_network = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634064 server_netmask = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634085 server_bridge_ip = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634105 server_bridge_netmask = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634126 server_bridge_pool_start = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634147 server_bridge_pool_end = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634166 ifconfig_pool_defined = DISABLED
Sat Jan 10 18:45:03 2009 us=634186 ifconfig_pool_start = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634207 ifconfig_pool_end = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634227 ifconfig_pool_netmask = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634246 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=634264 ifconfig_pool_persist_refresh_freq = 600
Sat Jan 10 18:45:03 2009 us=634283 n_bcast_buf = 256
Sat Jan 10 18:45:03 2009 us=634301 tcp_queue_limit = 64
Sat Jan 10 18:45:03 2009 us=634319 real_hash_size = 256
Sat Jan 10 18:45:03 2009 us=634337 virtual_hash_size = 256
Sat Jan 10 18:45:03 2009 us=634356 client_connect_script = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=634374 learn_address_script = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=634392 client_disconnect_script = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=634410 client_config_dir = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=634428 ccd_exclusive = DISABLED
Sat Jan 10 18:45:03 2009 us=634447 tmp_dir = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=634465 push_ifconfig_defined = DISABLED
Sat Jan 10 18:45:03 2009 us=634486 push_ifconfig_local = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634506 push_ifconfig_remote_netmask = 0.0.0.0
Sat Jan 10 18:45:03 2009 us=634525 enable_c2c = DISABLED
Sat Jan 10 18:45:03 2009 us=634543 duplicate_cn = DISABLED
Sat Jan 10 18:45:03 2009 us=634561 cf_max = 0
Sat Jan 10 18:45:03 2009 us=634580 cf_per = 0
Sat Jan 10 18:45:03 2009 us=634598 max_clients = 1024
Sat Jan 10 18:45:03 2009 us=634616 max_routes_per_client = 256
Sat Jan 10 18:45:03 2009 us=634634 client_cert_not_required = DISABLED
Sat Jan 10 18:45:03 2009 us=634653 username_as_common_name = DISABLED
Sat Jan 10 18:45:03 2009 us=634671 auth_user_pass_verify_script = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=634690 auth_user_pass_verify_script_via_file = DISABLED
Sat Jan 10 18:45:03 2009 us=639243 port_share_host = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=639281 port_share_port = 0
Sat Jan 10 18:45:03 2009 us=639303 client = ENABLED
Sat Jan 10 18:45:03 2009 us=639323 pull = ENABLED
Sat Jan 10 18:45:03 2009 us=639343 auth_user_pass_file = '[UNDEF]'
Sat Jan 10 18:45:03 2009 us=639371 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008
Sat Jan 10 18:45:03 2009 us=639468 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 10 18:45:03 2009 us=640970 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Sat Jan 10 18:45:03 2009 us=742525 LZO compression initialized
Sat Jan 10 18:45:03 2009 us=742683 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jan 10 18:45:03 2009 us=742752 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jan 10 18:45:03 2009 us=742783 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jan 10 18:45:03 2009 us=742796 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jan 10 18:45:03 2009 us=742821 Local Options hash (VER=V4): '41690919'
Sat Jan 10 18:45:03 2009 us=742838 Expected Remote Options hash (VER=V4): '530fdded'
Sat Jan 10 18:45:03 2009 us=742863 Socket Buffers: R=[111616->131072] S=[111616->131072]
Sat Jan 10 18:45:03 2009 us=742880 UDPv4 link local: [undef]
Sat Jan 10 18:45:03 2009 us=742893 UDPv4 link remote: 192.168.13.13:1194
Sat Jan 10 18:45:03 2009 us=743636 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sat Jan 10 18:45:08 2009 us=685086 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Any ideas what's wrong with my config? THX 4 your help.
A couple of random things.
1) You don't need to do iptables when using SgtPepperKSU's mod. It does it for you automatically.
2) The first line of the config file is certainly wrong. The line "service vpnserver1 start" belongs in a startup script, not here.
The jpeg makes it look like "persist-key" and "persist-tun" have an extra space in them, but that may just be an artifact. Are you seeing anything in the router log file? It's possible that one or more bad options may prohibit the server from starting.
Thanks for your help, but there are still some problems. I deleted the "service start" from custom scripts (the spaces are only in the picture). I also deleted the iptables config. The server starts now. I edited some things in the client config and it looks like this now:
Code:
client
dev tun
proto udp
remote 192.168.13.13 13171
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Client2.crt
key Client2.key
ns-cert-type server
comp-lzo
verb 4
float
keepalive 10 60
When I start up openvpn, I'm getting this output: Attachment-Zip-File: log-auth-off.txt
I think the connection is working until it times out? This is the router log: Attachment-Zip-File: log-auth-off-router.txt
I was able to connect to IPs in the internet (i.e. Google http://66.249.93.99), but not to the DNS names. I think this is a second problem and may be solved with the proper routing config?
Furthermore I tried to use TLS-Auth. I made an extra auth key with "openvpn --genkey --secret ta.key", set the auth mode to "bi-directional", copied the key to "static key" on my router and added "tls-auth ta.key 1" to the client.conf. The ta.key file is in the same dir as the other crt files. When I'm trying to connect, I get this output: Attachment-Zip-File: log-auth.txt
The router log says TLS-Error: Attachment-Zip-File: log-auth-router.txt
I hope you can help me again, THX :>
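As an added example (not code from this thread, from SgtPepperKSU's mod, or from OpenVPN itself), here is a small POSIX shell lint for a client config that flags the three settings the last few posts touch: the missing server-certificate check that produces the "No server certificate verification method has been enabled" warning in the client log above, the data cipher left at OpenVPN's BF-CBC default, and a tls-auth key direction that disagrees with the server's mode. OpenVPN requires either no direction on both ends (what the mod's GUI calls bi-directional) or direction 0 on the server with direction 1 on the client; `tls-auth ta.key 1` against a bi-directional server key cannot authenticate the handshake. The function names (`lint_client_conf`, `lint_count`, `write_samples`), the server-mode labels `none`/`bidir`/`0`, and the two sample configs are all constructed here; the file names and addresses are reused from the thread only as placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, the mod or OpenVPN: a lint for an
# OpenVPN 2.1-era client config. It understands only the directives it checks.

# Print the config with comments ("#" or ";" to end of line) and blank lines removed.
active_lines() {
    sed -e 's/[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# lint_client_conf CONF SERVER_TLS_AUTH_MODE
#   SERVER_TLS_AUTH_MODE describes how the router was set up (constructed labels):
#   "none" = no tls-auth, "bidir" = key used without a direction (the GUI's
#   bi-directional), "0" = key used with direction 0.
# Prints one finding per line; always returns 0 so callers can count the lines.
lint_client_conf() {
    conf="$1"
    srv="$2"
    lines=$(active_lines "$conf")

    # 1. Server certificate verification. Without it any certificate signed by the
    #    CA, including another client's, is accepted as the server (the WARNING
    #    OpenVPN prints at startup).
    if ! printf '%s\n' "$lines" | grep -Eq '^(ns-cert-type|remote-cert-tls)[[:space:]]+server$'; then
        echo "WEAK: no server certificate verification; add 'remote-cert-tls server' (or 'ns-cert-type server' with an easy-rsa build-key-server certificate)"
    fi

    # 2. Data-channel cipher. OpenVPN's default is BF-CBC, a 64-bit block cipher.
    cipher=$(printf '%s\n' "$lines" | awk '$1 == "cipher" { print $2 }' | tail -n 1)
    case "${cipher:-BF-CBC}" in
        BF-CBC|bf-cbc|DES-*|des-*)
            echo "WEAK: cipher '${cipher:-BF-CBC (default)}' has a 64-bit block; set 'cipher AES-256-CBC' on both ends" ;;
    esac

    # 3. tls-auth presence and key direction versus the server's mode.
    ta=$(printf '%s\n' "$lines" | awk '$1 == "tls-auth" { print ($3 == "" ? "nodir" : $3) }' | tail -n 1)
    case "$srv:${ta:-absent}" in
        none:absent)
            echo "WEAK: no tls-auth; an HMAC key on the control channel lets the server drop unauthenticated handshakes before any TLS work" ;;
        bidir:absent|0:absent)
            echo "MISMATCH: server uses tls-auth but the client config has no tls-auth line" ;;
        bidir:nodir|0:1)
            ;;  # consistent: both without a direction, or server 0 / client 1
        none:*)
            echo "MISMATCH: client has tls-auth but the server does not" ;;
        bidir:*)
            echo "MISMATCH: server key is bi-directional, so the client line must be 'tls-auth ta.key' with no direction" ;;
        0:*)
            echo "MISMATCH: server uses direction 0, so the client line must be 'tls-auth ta.key 1'" ;;
        *)
            echo "MISMATCH: unknown server tls-auth mode '$srv'" ;;
    esac
    return 0
}

# Number of findings, as a plain integer.
lint_count() {
    lint_client_conf "$@" | wc -l | tr -d ' '
}

# Write two constructed sample configs into a temp dir and print its path.
write_samples() {
    dir=$(mktemp -d)
    # Shaped like the thread's first client config plus the later tls-auth line:
    # no server-cert check, default cipher, direction 1 against a bi-directional key.
    cat > "$dir/weak.conf" <<'EOF'
client
dev tun
proto udp
remote 192.168.13.13 13171
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Client2.crt
key Client2.key
;ns-cert-type server
comp-lzo
verb 4
tls-auth ta.key 1
EOF
    # The same config with the three weak spots corrected (server must use direction 0).
    cat > "$dir/hardened.conf" <<'EOF'
client
dev tun
proto udp
remote 192.168.13.13 13171
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Client2.crt
key Client2.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 4
tls-auth ta.key 1
EOF
    echo "$dir"
}

# Run the lint against the constructed samples when executed directly.
d=$(write_samples)
lint_client_conf "$d/weak.conf" bidir
lint_client_conf "$d/hardened.conf" 0
```

Run against the weak sample with the server in bi-directional mode it reports three findings; the hardened sample against a direction-0 server reports none. The server-mode argument is the one thing the lint cannot read from the client file, so it has to be told how the router side was configured.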