
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. kenyloveg

    kenyloveg LI Guru Member

    SgtPepperKSU
    Is your build the ND version, or if not, how do I enable Vegas?
    WRT54GS V1 here, nvram get wl0corerev=7
    Thanks.
     
  2. turbo53

    turbo53 Network Guru Member

    Thanks to you and SgtPepper for the responses. I really want to stay with Tomato so I guess I'll live without the iPhone interface for now.
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I have not been building ND versions, but I guess I could start. And, I have done nothing special to enable TCP Vegas, so I assume it would not work.
     
  4. kenyloveg

    kenyloveg LI Guru Member

    Thank you.
    I'll be waiting for your ND build :halo:
    And I'll start to check the possibility of mppe, dkms stuff.
     
  5. kisenberg

    kisenberg Addicted to LI Member

    Thanks, SgtPepperKSU.
    The actual mod works great. How is it possible to start OpenVPN after a reboot automatically and even after it dies?
     
  6. bigclaw

    bigclaw Network Guru Member

    It doesn't right now?
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, maybe something along the lines of (in your init script):
    Code:
    #Generate vpnup.sh
    echo "#!/bin/sh
    killall -0 vpn\$1 2> /dev/null
    if [ \$? != 0 ]
    then
    logger \"\$0: Starting vpn\$1\"
    service vpn\$1 start
    else
    logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
    fi
    " > /tmp/vpnup.sh
    # Make vpnup.sh executable
    chmod +x /tmp/vpnup.sh
    # Schedule vpnup.sh to run every 30 minutes
    cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    This will check if Server 1 is running every 30 minutes and start it if it isn't.
    You can adjust the time interval by changing the 30 in the cru line or replace the server1 with client1, client2, or server2 if appropriate.
     
  8. fyellin

    fyellin LI Guru Member

    I've asked SgtPepperKSU to add a README file to the distribution. The answer to your question is in the first post of this thread, but it tends to get forgotten there.

    In Administration>Scripts>Init, add the line
    Code:
    service vpnserver1 start
    replacing vpnserver1 with vpnserver2, vpnclient1, or vpnclient2 as appropriate.

    Some users have reported needing a "sleep 10" beforehand.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, that will just start it once. If it dies for some reason, you would have to manually restart it. In the post above yours (probably while you were responding), I posted a script to check it every 30 minutes and start it if necessary. I will add both methods to the README for the next release.
     
  10. kisenberg

    kisenberg Addicted to LI Member

    In bridge mode, clients should get their network information by DHCP from the Tomato box. So, I tried to use the directive "server-bridge" without any parameters. But that is not possible, because "server-bridge" is already set by the Web GUI, which needs start and end IP addresses.
    I suggest generating a plain "server-bridge" entry in the conf if no IP addresses are entered in the GUI.
     
  11. kisenberg

    kisenberg Addicted to LI Member

    I use a "keepalive 15 60" in my custom config. Now I'm discovering in the generated conf that a "keepalive 15 60" is already inside. Might it be possible to show the generated config as a non-editable text field in the web GUI, to prevent double configs? For the option "verb" I suggest a select field.
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good suggestion. I'll add a checkbox for DHCP. Somehow I missed that that directive could be called without parameters, or I would have already done so.
     
  13. ng12345

    ng12345 LI Guru Member

    sgtpepperksu,

    I think your work has been great so far, but in looking at this thread and the constant change in your gui in each revision, something came to mind.

    In my opinion the idea behind a gui is to make it more visually appealing to configure the different settings. Openvpn has a ton of settings and parameters, and in looking through the available commands, it doesn't seem to lend itself very well to a complete gui package (without overwhelming the user). Your gui already has one click configs for a variety of openvpn connections, which I think is exactly what the novice end-user wants.

    For someone who is more interested in specific options (such as client config directories, ipp tables, whatnot), it makes more sense to me to be able to directly edit the config file, and to do so through the Tomato web interface is welcome. I think it would be easier for you and for the more advanced users to be able to see the .conf file directly through the asp page. Maybe if one of the templates was "custom config" and it used the custom config text box as the whole config (ignoring the rest of the boxes and pre-hashed config lines). This way hardcoded changes in the GUI would not affect users updating from one version of your mod to the next.

    Just some thoughts -- hopefully that made sense and didn't seem like I was rambling.

    Thanks for all your work.
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think I have just about reached the limit on the amount of settings automatically configured via the GUI. After I add some kind of input for routes to achieve two-way connections, it will probably just be maintenance type changes from then on. Anything more (unless a compelling argument is made) will need to be set up via the Custom Config section. I don't have any intention of making it a complete GUI package for all OpenVPN options (in fact, I took out a couple of options that were of limited use after the first couple of releases).

    I think almost any of the options can still be used in the Custom Config section along with the automatically generated config (including client config directories, etc). The target audience for the GUI was people setting up a VPN choosing the features they want, not trying to match a particular config file. My thought was that if you just want to use a specific config file, it can about as easily be entered into the init script (like was done with roadkill's mod before I made the GUI). I will consider an option to only use the Custom Config section (and not auto-generate anything), though.

    Thanks for your feedback!
     
  15. bigclaw

    bigclaw Network Guru Member

    Can we be so blessed as to expect a VPN GUI version that incorporates the official (test) Tomato build that has TCP Vegas? Please..please? :)
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Not until there are sources available (probably not until it becomes Tomato 1.23). But, shortly after that happens, I'll release an update.
     
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.22vpn2.0005

    Version 1.22vpn2.0005

    You can download the binaries and source from here.

    This release includes a README file with a couple of init scripts for automatically starting the VPN. For those wanting to use the source, be sure to read the COPYING file.

    Changes from 1.22vpn2.0004
    • Fixed "Unable to start SSL" error.
    • Added DHCP option for assigning VPN addresses for TAP+TLS server
      • If enabled, this assigns an address out of the normal LAN DHCP range. If disabled, it assigns an address out of the given range
    • Removed length restrictions on the text area fields (certificates, keys, etc)
    • Updated to OpenVPN 2.1rc15

    Known limitations:
    • None that I am aware of. If you find some, let me know.

    Let me know what you think, and what can be improved. :smile:
     
  18. Thyrael

    Thyrael Addicted to LI Member

    After I upgraded my router (WRT54GL v1.1) from 1.22vpn2.0004 to 1.22vpn2.0005, it shows 1.21vpn2.0005 as the installed version?

    edit:
    Same thing when I'm doing a "clear NVRAM" before and also after the upgrade.
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Probably just a typo on my part. The only vpn2.0005 build I've made is based on 1.22. I'll rebuild when I get home to get the right number in there.
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've replaced the build with one that shows the correct version number. That is the only change, so I'm leaving it at 2.0005. Sorry if it caused any confusion.
     
  21. Thyrael

    Thyrael Addicted to LI Member

    thank you m8 :) :cool:
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There is now also a ND version at the same download location.
     
  23. darthboy

    darthboy LI Guru Member

    Any plans to include TCP Vegas and Speedmod?
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I will when/if they are included in a Tomato release. It looks like TCP Vegas will be in the next Tomato release, but not Speedmod as far as I know.
     
  25. darthboy

    darthboy LI Guru Member

    Uber cool, thanks. I remember someone mentioned Vegas and Speedmod have already been incorporated into the latest Tomato test build. Looking forward to it.

    great work, sir. :halo:
     
  26. baldrickturnip

    baldrickturnip LI Guru Member

    SgtPepperKSU

    I know you fixed the issue with the port forwarding rules not happening after being saved, but it seems the static routing did not get fixed.

    I can create a static route (Advanced-->Routing) and save, but it does not show up in the routing table.

    Last time I got it to work by doing an nvram wipe and reinstalling the config, but I would rather not :)
     
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Have you tried regular Tomato 1.22? I just loaded that on my router and am seeing the same problem. I think it may be a problem upstream from me.

    I may do some in-depth debugging on this, but I can't guarantee it will be soon due to the upcoming holidays and a general lack of time.
     
  28. baldrickturnip

    baldrickturnip LI Guru Member

    Thanks.

    I went the nvram wipe route to get the route to show up in the table.

    A tracert showed it was routing to the static route I'd set to the second router, but I was not getting a reply from the WAN side of the second router with a forwarded port until I changed the gateway address on the unit I was trying to contact, which defeated the purpose of the static route :(

    I have had this working before but I cannot remember - it might have been Tomato 1.21.

    Could the recent dnsmasq implementation be a cause of these issues?
     
  29. devilkin

    devilkin LI Guru Member

    Hm, Interesting.

    Any idea if I could load this over 1.19 with the openvpn mod of roadkill without having to reconfigure everything?
     
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could? Sure.
    Should? Probably not. It's always a good idea to clear nvram after an upgrade, or you might run across difficult to diagnose problems. But, there is no more risk than upgrading vanilla Tomato versions.
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

  32. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Any plans to implement OpenSWAN?
    Roadkill says he won't have time to do it; I hope someone can do this.
    I'm currently using jyavenard's PPTP server MOD. But an IPsec VPN server would be the best, I thought.
    Thanks.
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    As a matter of fact, in the last few days, I decided it would be "nice" to incorporate both PPTP and OpenSwan into the VPN GUI. But, it would be a low priority, and I probably wouldn't have time to even consider it until after the holidays.

    But, yes, it is on my self-wishlist.
     
  34. srouquette

    srouquette Network Guru Member

    FYI, I successfully updated the server from Roadkill's to yours :)
    Next week, I'll update the client.

    Thanks for your work :)
     
  35. quinezhu

    quinezhu Addicted to LI Member

    Many thanks. It works on my WRT54GS v1 :)

    And is it possible to show vpn clients of router mode (TUN) in Device List? :biggrin:
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Most likely not, but I'll look into it.
     
  37. jwchk

    jwchk Network Guru Member

    The init script "service vpnserver1 start" isn't working?
    I need to click the "Start Now" button to start vpn server1 each time I reboot the router.
     
  38. fyellin

    fyellin LI Guru Member

    Try putting "sleep 5" or "sleep 10" on the line before.
     
  39. jwchk

    jwchk Network Guru Member

    It works only once, but is not working most of the time :(
     
  40. fyellin

    fyellin LI Guru Member

    When it doesn't work, is there anything interesting in your log?
     
  41. srouquette

    srouquette Network Guru Member

    Instead of Init, put it in WAN Up (and with sleep 10 before).
     
  42. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you're going to put it in wan up, it would probably be better to use "restart" rather than "start". That way, if one is already running, you won't end up with multiple instances.
     
  43. jwchk

    jwchk Network Guru Member

    It works only the first time, then not anymore.
    I cannot see anything about "openvpn" in the log.
    I use the router inside the LAN and so disable the WAN, so I cannot use the WAN Up script.
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What do you mean by "it works only the first time"? It should behave the same every time you reboot since a reboot clears out anything that happened during the previous boot.
     
  45. jwchk

    jwchk Network Guru Member

    Maybe it never worked... I will try to clear nvram and try again.
     
  46. jwchk

    jwchk Network Guru Member

    If the WAN is disabled, the Init Script "service vpnserver1 start" will not work.
    If I just put all the settings in the Init Script like Roadkill's mod, the router refuses to save a script exceeding 4096.
    So what can I do?
     
  47. fyellin

    fyellin LI Guru Member

    I'm not sure I completely understand what you're saying. Do you have a very long init script, and it's exceeded 4096 characters in length? What else do you have in that script?

    You might consider saving that script as a shell executable file in your /jffs directory, and then just execute the script in your init.
     
  48. jwchk

    jwchk Network Guru Member

    If you have used Roadkill's mod before, you will know that all crt/key files will be put in the Init Script and it will exceed the 4096 size. There is no VPN GUI for Roadkill's old build.

    Is there any way to start the "service vpnserver1" at the Init Script with the WAN disabled?

    I guess the openvpn will be initialized when the WAN comes up; if the WAN is disabled, the Init Script "service vpnserver1 start" will not work.

    Hope SgtPepperKSU will fix this soon :(
     
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm not sure yet what it is I would need to fix. I've never tried it with the WAN disabled, but off-hand, I don't see a reason it wouldn't work. If you post here the script you used with Roadkill's mod, I'll see what is different from what my GUI does. It may be that I need to do a special check for the WAN disabled case.

    EDIT: You could also try telnet/sshing to the router and running
    Code:
    nvram set vpn_debug="1"
    nvram commit
    and trying it again. This should print a message to the log showing what part of the process isn't working.
     
  50. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    While I would be interested in why it isn't working for you to put a simple start command in your init script, you seem to be in a hurry to get it up and running. Your best bet would be to use the script in the README file instead. That script periodically checks to see if the server is up, and starts it if not.

    Looking at that script again just now, I would replace "service vpn\$1 start" with "service vpn\$1 restart", though, for the reasons given in the previous post.

    For easier reference, the script is (paste into init script):
    Code:
    ## Start VPN init script
    #Generate vpnup.sh
    echo "#!/bin/sh
    killall -0 vpn\$1 2> /dev/null
    if [ \$? != 0 ]
    then
    logger \"\$0: Starting vpn\$1\"
    service vpn\$1 restart
    else
    logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
    fi
    " > /tmp/vpnup.sh
    # Make vpnup.sh executable
    chmod +x /tmp/vpnup.sh
    # Schedule vpnup.sh to run every 30 minutes
    cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    ## End VPN init script
    
    However, if the button in the GUI starts it okay, then I really think you just need to increase the sleep time before the "service vpnserver1 start" that you've already been trying (try 15, 20, or even 30).
     
  51. fyellin

    fyellin LI Guru Member

    Is there a particular reason that people don't like using /jffs for files that need to be re-created at each reboot? I keep on seeing large "cat"s in people's init files, which seems kind of ugly.

    My original solution was to store all the files I needed individually in /jffs, and just copy each of them to their required target location in init.

    Then I came up with the better solution of creating a single tar ball of all my files, and then issuing in my init script the command
    tar -x -f /jffs/files.tar -C /
    Adding more files or changing files is just updating the tar file.

    My current tar ball contains the already mentioned /tmp/vpnup.sh, root/.profile to add some personalization to the shell, and lots of stuff for /var/wwwext.

    Of course, either the tar file or the files from which the tar file is created should be backed up elsewhere. I have my files on a mirror directory in /cifs1/tomato.
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I did it that way in the README simply because it is "easier" for the user. Just copy here, paste there. I figured anyone with knowledge enough to easily do it with jffs/cifs (not that is hard), could do it just fine without my guidance (as you have done).
     
  53. jwchk

    jwchk Network Guru Member

    Oh... I tried sleep 20 and it is working now.
    Thank you very much for your help!!!!!!
    I'm very happy with my router now :)
     
  54. quinezhu

    quinezhu Addicted to LI Member

    What router are you using?
     
  55. jwchk

    jwchk Network Guru Member

    Buffalo HP-G54
     
  56. gregg098

    gregg098 LI Guru Member

    I added:
    Code:
    service vpnserver1 start
    to my Init script as stated on the first page of this thread, but my server does not start automatically. I can get everything to work just fine, but I have to manually start the server via the button on the tunnel page. After a reboot, my logs show no reference to openvpn. What am I doing wrong?
     
  57. fyellin

    fyellin LI Guru Member

    Try adding "sleep 10" or "sleep 20" on the line before. (Some have reported needing "sleep 30".)
     
  58. gregg098

    gregg098 LI Guru Member

    Sleep 20 did the trick. Thanks.
     
  59. fyellin

    fyellin LI Guru Member

    Since the answer "add 'sleep 20' to the beginning of your init script" seems to appear so often. . . .

    At what point in router start up does the init script get run? What's going on in those first twenty seconds that stops vpnserver and many other services from running?

    Anyone know?
     
  60. teddy_bear

    teddy_bear Network Guru Member

    The Init script is executed almost first thing when the router is booting up - before the network is initialized and before any other services are started. I had to add a 40 sec sleep in front of my script to wait for the network and NTP time sync.

    Alternatively you can move your code to the WAN Up script - it runs after the network is set up, but before other services are started - so you still may need to add some delay, but probably not that long... But I'm not sure whether or not the WAN Up script will run again if your WAN connection is restarted. You should assume it will, though, and use caution to not execute things that should only be executed once.
     
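    The recurring "sleep 20" fix is a guess at how long the network takes to come up. The following is an added example (not from the mod, its README, or any poster in this thread) that polls for readiness instead and then issues the "restart" suggested earlier; it assumes Busybox ifconfig output containing "inet addr:" and the "service vpnserver1 restart" command used in this thread.

```shell
#!/bin/sh
# Added example: wait for a condition instead of a fixed "sleep 20" before
# starting the VPN from the Tomato Init script. Not part of the mod or README.

# log MSG: syslog via logger when available (as on the router), else stderr.
log() {
    logger "$0: $*" 2>/dev/null || echo "$0: $*" >&2
}

# wait_for_cmd CMD TIMEOUT [INTERVAL]
# Re-run the shell snippet CMD every INTERVAL seconds (default 2) until it
# exits 0 or TIMEOUT seconds have passed. Returns 0 on success, 1 on timeout.
wait_for_cmd() {
    cmd=$1; timeout=$2; interval=${3:-2}
    elapsed=0
    while ! eval "$cmd" >/dev/null 2>&1; do
        if [ "$elapsed" -ge "$timeout" ]; then
            log "timed out after ${timeout}s waiting for: $cmd"
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 0
}

# iface_has_addr IFACE: true once the interface carries an IPv4 address.
# Assumption: Busybox ifconfig prints "inet addr:" (as it does on Tomato).
iface_has_addr() {
    ifconfig "$1" 2>/dev/null | grep -q 'inet addr:'
}

# start_vpn NAME [IFACE] [TIMEOUT]
# Wait for IFACE (default br0, the LAN bridge) to be addressed, then
# (re)start vpnNAME. "restart" is used so that a second invocation, e.g.
# from WAN Up, cannot leave two instances running.
start_vpn() {
    name=$1; iface=${2:-br0}; timeout=${3:-60}
    if wait_for_cmd "iface_has_addr $iface" "$timeout" 2; then
        log "$iface is up, restarting vpn$name"
        service "vpn$name" restart
    else
        log "giving up on vpn$name"
        return 1
    fi
}

# Typical use from Administration > Scripts > Init (server1 as in this thread):
#   start_vpn server1 br0 60
```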
  61. peridoc

    peridoc Addicted to LI Member

    I am trying to use the "1.23vpn2.0005" version of this firmware to get a VPN up from work to my home and I am having a problem. I am not new to OpenVPN, but I am new to this version of the tomato firmware. I have tried two different setups without success:

    1. TLS with tls-auth
    2. Static Key mode

    I can see my client come in and start negotiation with the VPN server, but I can never fully connect. With the TLS option I just get what appears to be a timeout, and with the static key I see the router trying to get my client an IP address, but it never does get it. Any thoughts or help would be appreciated. Here are some logs of what I see:

    TLS Mode
    ----------
    Code:
    Dec 23 07:39:52 WRT54G daemon.notice openvpn[3912]: MULTI: multi_init called, r=256 v=256
    Dec 23 07:39:52 WRT54G daemon.notice openvpn[3912]: Initialization Sequence Completed
    Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: MULTI: multi_create_instance called
    Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 Re-using SSL/TLS context
    Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 LZO compression initialized
    Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 Control Channel MTU parms...
    Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 Data Channel MTU parms...
    Dec 23 07:40:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 TLS: Initial packet from XXX.XXX.XXX.XXX:63943, sid=XXX XXX
    Dec 23 07:41:15 WRT54G daemon.err openvpn[3912]: XXX.XXX.XXX.XXX:63943 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Dec 23 07:41:15 WRT54G daemon.err openvpn[3912]: XXX.XXX.XXX.XXX:63943 TLS Error: TLS handshake failed
    Dec 23 07:41:15 WRT54G daemon.notice openvpn[3912]: XXX.XXX.XXX.XXX:63943 SIGUSR1[soft,tls-error] received, client-instance restarting
    Static Key Mode
    ----------------
    Code:
    Dec 23 07:38:05 WRT54G daemon.notice openvpn[3851]: Peer Connection Initiated with XXX.XXX.XXX.XXX:64466
    Dec 23 07:38:05 WRT54G daemon.notice openvpn[3851]: Replay-window backtrack occurred [1]
    Dec 23 07:38:06 WRT54G daemon.notice openvpn[3851]: Initialization Sequence Completed
    Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPDISCOVER(br0) XX:XX:XX:XX:XX:XX 
    Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPOFFER(br0) 192.168.X.X XX:XX:XX:XX:XX:XX 
    Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPDISCOVER(br0) XX:XX:XX:XX:XX:XX 
    Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPOFFER(br0) 192.168.X.X XX:XX:XX:XX:XX:XX 
    Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPDISCOVER(br0) XX:XX:XX:XX:XX:XX 
    Dec 23 07:38:08 WRT54G daemon.info dnsmasq[2755]: DHCPOFFER(br0) 192.168.X.X XX:XX:XX:XX:XX:XX 
    Dec 23 07:38:24 WRT54G daemon.info dnsmasq[2755]: DHCPDISCOVER(br0) XX:XX:XX:XX:XX:XX 
    Dec 23 07:38:24 WRT54G daemon.info dnsmasq[2755]: DHCPOFFER(br0) 192.168.X.X XX:XX:XX:XX:XX:XX
    Again...neither mode actually fully connects. The Static mode at least starts up the TAP network adapter on my Vista client, but it never gets an IP address. Are there some options that I am missing that I need? Thanks for any assistance.
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'd need to know what settings you have set and what client config you are using to help. Provide those (preferably in a new thread), and we'll see what we can figure out.
     
  63. peridoc

    peridoc Addicted to LI Member

    New thread is here: http://www.linksysinfo.org/forums/showthread.php?t=60296

    I will be posting my settings and config shortly...Thanks!
     
  64. elec999

    elec999 Addicted to LI Member

    Can you please help me link two networks together at different locations, using your vpn mod? Both are running Tomato 1.23 with your vpn mod. Each network has its own ISP.
    Thank you
     
  65. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There should be several examples in this thread. If you have specific questions, reply back with those and we'll figure it out.
     
  66. kevanj

    kevanj LI Guru Member

    Download links appear to be down

    :( !!
     
  67. baldrickturnip

    baldrickturnip LI Guru Member

    tomatovpn-1.23vpn2.0005

    there is still a problem with static routes not being added to the routing table on save
     
  68. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What links are appearing down? They look like they are up right now to me.
     
  69. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    And it still appears to be a problem in vanilla tomato (at least in my testing). If you find otherwise, let me know. Otherwise, it should probably be reported to Jon.
     
  70. baldrickturnip

    baldrickturnip LI Guru Member

    OK - I will post it in the 1.23 thread.

    Another question though:

    I have 2 networks linked via the internet and 54GLs, with one running the VPN client and the other the VPN server.
    Both networks are in 10.8.8.x. I can talk to all machines on both sides from both sides. But when I connect from outside to the server I cannot see the machines behind the client 54GL, though I can see all machines behind the server 54GL - I can VNC to a machine behind the server 54GL and then contact all machines behind the client 54GL?
    Hope that makes some sense; are you able to tell me what I am doing incorrectly?

    Thanks
     
  71. kevanj

    kevanj LI Guru Member

    Yep they are good....seems I can't get to mediafire.com from my office network....
     
  72. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, I'm assuming you are using TLS authentication since I don't think you can get in your situation via static key mode. Also, I'm assuming TAP since it is the simplest way to get in your described situation. If either of these are incorrect, let me know.

    I think all you need to do is add "client-to-client" to your Custom Configuration. Without this, OpenVPN doesn't let clients "see" each other for security reasons.
     
  73. baldrickturnip

    baldrickturnip LI Guru Member

    Yes, TAP, UDP and TLS.

    What code is needed in custom config to allow client-to-client?

    And can the client which other clients can see be specified?
     
  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just "client-to-client". Though, I've never tried it.

    I don't know if it's possible to have it only "share" one client with everyone with TAP. But, it should be possible with TUN (or TAP in bridged mode).
     
  75. wycf

    wycf Network Guru Member

    I have a very long domain name so it won't fit in the Server Address. I am using the IP address now.

    I would like to see this field extended in the next release.

    Thanks for this great product.

    HAPPY NEW YEAR!
     
  76. baldrickturnip

    baldrickturnip LI Guru Member

    client-to-client in the custom field worked fine

    thanks
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Done! I've made the changes, and the length restriction will be completely removed on that field in the next release. In the meantime, you should be able to enter it manually from the shell with
    Code:
    nvram set vpn_server1_addr="verylonghostname.goeshere.example.com"
    nvram commit
     
  78. ng12345

    ng12345 LI Guru Member

    I noticed that I couldn't get the access restrictions to work on this version.

    Is there something that I am missing? I created two separate restrictions (1 by IP and another by MAC) to specifically block the internet for one computer during the night.
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm afraid I've never used access restrictions. Could you try temporarily flashing back to normal Tomato (no nvram clear) and trying it again?
    If it does then work, then it's likely there is a real problem and I'll look into it when I get time.
    If it still doesn't work, then it is either a bug in Tomato or a problem in nvram. To test the latter, you'll need to do a nvram clear :frown: (and it would be useful to try it on both builds).

    By the way, did you do a nvram clear when you last upgraded?
     
  80. bladecgn

    bladecgn LI Guru Member

    Does client-config-dir work with this firmware mod? I need to assign fixed IP to my clients.
     
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, it does.
     
  82. bladecgn

    bladecgn LI Guru Member

    :)))) very good, thanks a lot for this mod!

    I am currently trying to convert my (working) config for Roadkill's mod to this mod.

    When I start openvpn, I can't browse any more. I have to stop the openvpn service on my client Windows PC in order to regain access to the router and the internet. OpenVPN connections get established, by the way, but somehow my routing seems to get broken.

    I have tried a lot of things/options. Does anyone have a hint for me what's wrong with the following config?

    #WEB Gui: (Auth Mode set to "custom")
    #port 1194
    #proto udp
    #dev tun
    max-clients 5
    mode server
    tls-server
    ifconfig 10.8.0.1 10.8.0.2
    ifconfig-pool 10.8.0.4 10.8.0.24
    float
    comp-lzo
    push "resolv-retry infinite"
    push "ping 20"
    push "ping-restart 180"
    persist-key
    persist-tun
    verb 2
    daemon
    ca /tmp/ca.crt
    dh /tmp/dh1024.pem
    cert /tmp/server.crt
    key /tmp/server.key
     
  83. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU and all gurus
    Happy New Year! :biggrin:
    I'm still waiting for someone to enable OpenSwan support on Tomato, which should be the perfect solution for VPN connections (no client needed, and secure).
    I wish it would be available this year. :thumbup:
     
  84. bladecgn

    bladecgn LI Guru Member

    This forum seems to have had problems, two posts are missing. For the record, SgtPepper asked me to post the full config, so here's my server1.ovpn
    (Auth Mode set to "custom"):

    # Automatically generated configuration
    daemon
    proto udp
    port 1194
    dev tun21
    comp-lzo yes
    keepalive 15 60
    verb 3
    push "route 192.168.1.0 255.255.255.0"
    status-version 2
    status server1.status

    # Custom Configuration
    max-clients 5
    mode server
    tls-server
    ifconfig 10.8.0.1 10.8.0.2
    ifconfig-pool 10.8.0.4 10.8.0.24
    float
    comp-lzo
    push "resolv-retry infinite"
    push "ping 20"
    push "ping-restart 180"
    persist-key
    persist-tun
    verb 2
    ca /tmp/ca.crt
    dh /tmp/dh1024.pem
    cert /tmp/server.crt
    key /tmp/server.key

    I think the ' push "route 192.168.1.0 255.255.255.0" ' line in the automatically generated part is causing the problem. If I manually delete the pushed route on the client side, I can use my webbrowser again.

    Why is this line added? Is there any way to delete/disable this line?
    Maybe a "full custom config" option would be nice, where you could specify all parameters yourself.
     
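    The generated configuration above writes a "status-version 2" file ("status server1.status"), which is the cheapest way to answer the earlier question about seeing which VPN clients are connected. The following is an added example, not part of the mod, that reads such a file with awk; the status file's location on the router and the 2.1-era column order are assumptions, and the sample file is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: list the clients connected to the mod's OpenVPN server by
# reading the "status-version 2" file the generated config writes
# ("status server1.status"). Not part of the mod; the file's location on the
# router is an assumption (the path is relative to OpenVPN's working dir).

# vpn_clients STATUSFILE: one line per connected client,
# "common_name virtual_address real_address".
vpn_clients() {
    awk -F',' '$1 == "CLIENT_LIST" { print $2, $4, $3 }' "$1"
}

# vpn_client_count STATUSFILE: number of connected clients.
vpn_client_count() {
    awk -F',' '$1 == "CLIENT_LIST" { n++ } END { print n + 0 }' "$1"
}

# vpn_client_connected STATUSFILE CN: exit 0 if certificate CN is connected.
vpn_client_connected() {
    awk -F',' -v cn="$2" \
        '$1 == "CLIENT_LIST" && $2 == cn { found = 1 } END { exit !found }' "$1"
}

# vpn_stale_clients STATUSFILE SECONDS: common names whose routing-table
# entry was last refreshed more than SECONDS before the file's TIME stamp,
# i.e. idle peers that keepalive has not yet reaped.
vpn_stale_clients() {
    awk -F',' -v max="$2" '
        $1 == "TIME"          { now = $3 }
        $1 == "ROUTING_TABLE" { if (now - $6 > max) print $3 }' "$1"
}

# write_sample_status PATH: write a constructed status-version 2 file using
# the OpenVPN 2.1 column order (not a real capture; documentation addresses).
write_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN 2.1_rc15 mipsel-linux [SSL] [LZO2] [EPOLL]
TIME,Tue Dec 23 07:45:00 2008,1230018300
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,store1,198.51.100.7:63943,10.8.0.6,10240,20480,Tue Dec 23 07:40:15 2008,1230018015
CLIENT_LIST,store2,203.0.113.9:1194,10.8.0.10,512,1024,Tue Dec 23 07:41:02 2008,1230018062
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,store1,198.51.100.7:63943,Tue Dec 23 07:44:55 2008,1230018295
ROUTING_TABLE,10.8.0.10,store2,203.0.113.9:1194,Tue Dec 23 07:41:30 2008,1230018090
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
}

# Stand-alone demo on the constructed file ("sh script.sh demo"); on the
# router, point the functions at the real status file instead.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_status "$tmp"
    echo "connected: $(vpn_client_count "$tmp")"
    vpn_clients "$tmp"
    echo "idle > 120s: $(vpn_stale_clients "$tmp" 120)"
    rm -f "$tmp"
fi
```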
  85. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That line is there so that the clients can see the computers on the server LAN. I think the problem is that your two networks have the same subnet. This will _not_ work properly unless you use TAP w/ bridging. Try to change one of them to 192.168.0.0/24 or 192.168.2.0/24.

    My thought on a full custom config was that if you wanted that, you may as well just use the init script to generate it. But, there have been a few requests for it, so I may consider it.
     
  86. bladecgn

    bladecgn LI Guru Member

    Yes, the two subnets are the same. I generated a config for openvpn manually in the init script as proposed.

    Just omitted that route line and everything works now. I want the computers connected via openvpn be unaware of the rest of the network, just an isolated openvpn net, so to speak.

    Am using this setup to remotely administer two stores in different locations. And CCD finally works now, too. Now I don't have to find out the IP addresses of these computers any more each time I want to log on. Great buy, this WRT54 router, I simply love it!

    Thanks again very much for your great mod and your help!

    I am fine now, but maybe if you just incorporated an option to toggle the route command on/off it would be helpful for other people in my opinion.
     
  87. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Perhaps if I understood better the use-case where that kind of option would be useful...

    Is it that you want only one computer on the server LAN to be visible (and you add a route to it manually)? If this is the case (which I have the feeling it isn't), then it would be probably more appropriate to run the OpenVPN server on that computer.

    I'm sorry if I'm being dense, but I'm just not picturing a situation where the VPN would be useful without that route. Obviously, there is one or you wouldn't be asking for it, but I just haven't been able to come up with such a scenario. If you could explain a little more what your situation is, perhaps I'd understand better.

    EDIT: To explain further, no communication is possible between any LAN computer and a client (in either direction) without that route. So, the client would only be able to see the router, and only the router could see the clients. And, I can't think of when that would be useful (aside from router administration, but SSH or HTTPS would be better suited).
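    As an added example (not from this thread, and not the Tomato VPN build's own code), here is what SgtPepperKSU's suggestion of generating the server config from the init script looks like when the LAN route push is made optional. subnets_overlap is the check behind the diagnosis above: pushing a route to 192.168.1.0/24 cannot work for a client whose own LAN is also 192.168.1.0/24, so the script leaves the route out (and logs why) when the remote LAN is known to collide. SERVER_LAN, REMOTE_LAN, TUN_NET, the /tmp/server1.ovpn path and the `run` argument are assumptions for the demo; everything else mirrors the directives already shown in this thread.

```shell
#!/bin/sh
# Added example (not from this thread, not the Tomato VPN build's own code):
# build the OpenVPN server config from the Tomato init script with the LAN
# route push made optional, plus a subnet-overlap check so the route is not
# pushed to a site whose LAN uses the same prefix as ours.
# Variable names, paths and the tunnel network are assumptions.

SERVER_LAN="192.168.1.0/24"   # this router's LAN (assumed)
REMOTE_LAN="192.168.1.0/24"   # LAN behind the client, if known; leave empty to skip the check
TUN_NET="10.8.0.0 255.255.255.0"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INT -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# plen2mask N -> netmask as an integer (N = 0..32)
plen2mask() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# subnets_overlap A/n B/m -> true when the two prefixes share any address
subnets_overlap() {
    a=$(ip2int "${1%/*}"); am=$(plen2mask "${1#*/}")
    b=$(ip2int "${2%/*}"); bm=$(plen2mask "${2#*/}")
    # compare both network addresses under the less specific of the two masks
    if [ "$am" -lt "$bm" ]; then m=$am; else m=$bm; fi
    [ $(( a & m )) -eq $(( b & m )) ]
}

# cidr2route A.B.C.D/n -> "NETWORK NETMASK", the form OpenVPN's route option takes
cidr2route() {
    m=$(plen2mask "${1#*/}")
    echo "$(int2ip $(( $(ip2int "${1%/*}") & m ))) $(int2ip "$m")"
}

# push_lan_route -> prints 1 if the LAN route should be pushed, 0 if the remote
# LAN is known to collide with ours (then renumber one side or use TAP with
# bridging; pushing the route would not help)
push_lan_route() {
    if [ -n "$REMOTE_LAN" ] && subnets_overlap "$SERVER_LAN" "$REMOTE_LAN"; then
        echo "$SERVER_LAN collides with remote LAN $REMOTE_LAN; not pushing LAN route" >&2
        echo 0
    else
        echo 1
    fi
}

# gen_server_conf FILE PUSH: PUSH=1 pushes the LAN route, PUSH=0 leaves clients
# isolated from the LAN (they still reach the router itself over the tunnel)
gen_server_conf() {
    {
        echo "daemon"
        echo "proto udp"
        echo "port 1194"
        echo "dev tun21"
        echo "server $TUN_NET"   # implies mode server, tls-server, ifconfig and the address pool
        echo "keepalive 15 60"
        echo "persist-key"
        echo "persist-tun"
        echo "comp-lzo"
        echo "verb 3"
        echo "ca /tmp/ca.crt"
        echo "dh /tmp/dh1024.pem"
        echo "cert /tmp/server.crt"
        echo "key /tmp/server.key"
        if [ "$2" = 1 ]; then
            echo "push \"route $(cidr2route "$SERVER_LAN")\""
        fi
    } > "$1"
}

# On the router, from the init script:  sh gen-ovpn.sh run
if [ "${1:-}" = run ]; then
    gen_server_conf /tmp/server1.ovpn "$(push_lan_route)"
    openvpn --config /tmp/server1.ovpn
fi
```

    The `server` line replaces the separate mode server / tls-server / ifconfig / ifconfig-pool lines in the config posted above; OpenVPN expands it to the same thing. Set REMOTE_LAN to the client side's LAN when you know it (the two-store setup), or leave it empty and the route is always pushed.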
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm going to be on vacation for the next week, so I will be unable to answer questions during that time. I will, however, try to catch up on things upon my return.
     
  89. occamsrazor

    occamsrazor Network Guru Member

    Could someone post a screenshot of the VPN Web GUI page?
    I'd like to have a look before trying it out... currently running roadkill's mod.
    Thanks,
    Ben
     
  90. baldrickturnip

    baldrickturnip LI Guru Member

    this is just the server - 2 servers and 2 clients available

     
  91. occamsrazor

    occamsrazor Network Guru Member

    Super... many thanks...
     
  92. TheGIZ

    TheGIZ Network Guru Member

    I have been using Roadkill's mod for a while now. It seems that his branch is going to go away as he seems to have moved on to OpenWrt.

    Is there a step-by-step for converting my TLS scripts for Roadkill's mod to plugging them into the UI for this mod?

    My scripts are based on post #2
    http://www.linksysinfo.org/forums/showthread.php?t=53233
     
  93. fyellin

    fyellin LI Guru Member

    This ought to work just fine as is. Though SgtPepperKSU's mod provides a GUI, you're under no obligation to use it.
     
  94. GreenThumb

    GreenThumb Addicted to LI Member

    I have a couple of questions, as I am completely new to VPNs.

    I just flashed with SgtPepper's mod, and I am looking to set up a VPN so that outside PCs can connect to my home computer (I am running Gentoo Linux on my machine which is sitting behind a WRT54GL with Tomato+VPN). I have read the tutorial in this thread and I am not clear on a couple of things.

    1) If I want to use my home machine/router as the VPN server, do I need to install OpenVPN on my Gentoo machine? I was under the impression that this Tomato mod builds OpenVPN right into the router, thus making my router act as the VPN server. Therefore, I won't need OpenVPN on the PC itself, or am I wrong?

    2) If I don't need openVPN on my computer, then what directory in the Tomato shell do I need to go to generate the keys? The OpenVPN official tutorial is written under the assumption that one is using the standard OpenVPN installed on a PC. I can't seem to find the location in the router shell to generate keys (this is the reason I am asking question 1).

    3) Is it possible to treat a VPN connection like an FTP server? In other words, is it possible to only allow certain directories for browsing, etc?
     
  95. fyellin

    fyellin LI Guru Member

    1) You don't need OpenVPN on your computer if you are running it on the router

    2) Unfortunately, the router can't generate the keys. So the real answer to #1 is that you do need a copy of OpenVPN running somewhere, but just enough to generate the keys, and then copy and paste them into the router's GUI.

    3) I don't think so.
     
  96. ng12345

    ng12345 LI Guru Member


    Actually, to this last question: you can set permissions etc., but it is kind of complicated. If you go to the OpenVPN site they talk about how you can set a username and password for VPN connections when logging in and use that to set permissions. Also you can link your OpenVPN setup with LDAP/Active Directory and it will import the permissions from there.

    I have not done this myself; I only know that it is possible, as indicated by the OpenVPN documentation.
     
  97. occamsrazor

    occamsrazor Network Guru Member

    Wanting to switch from Roadkill mod v1.19.1464, to the latest SgtPepper VPN with Web GUI build. A couple questions...

    1. Is this straightforward? Do I need to do anything in particular before upgrading (NVRAM?)
    2. Will all my Router settings be carried over?
    3. Will I need to reconfigure my VPN settings?

    I'm currently using static-key VPN with these scripts:

    Firewall:

    iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT

    WAN UP:

    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    echo "
    -----BEGIN OpenVPN Static key V1-----

    <deleted for forum post>

    -----END OpenVPN Static key V1-----

    " > /tmp/static.key

    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 444 --cipher BF-CBC --proto udp --keepalive 10 300 --verb 3 --daemon

    Client config:

    dev tap0
    secret static.key
    proto udp
    remote <my ip address> 444
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float

    It was so long ago I set it all up that I've forgotten what it all does! Thanks in advance for any help you can give...

    Ben
     
  98. ElZar

    ElZar Addicted to LI Member

    Hi there.

    I hope you can help me. I'm trying to set up VPN.

    First I created certificates with openvpn on my linux machine:
    http://openvpn.net/index.php/documentation/howto.html#pki

    After this I copied the keys from ca.cert, server.cert, server.key and dh1024.pem (in this order) into the web GUI, made the other configs and clicked "Start Now"; now it looks like this:
    http://img187.imageshack.us/img187/5773/vpnii4.jpg

    I also opened the port in iptables:
    Administration/Scripts/Firewall -> iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

    Last but not least, I made a config file for my Linux OpenVPN client:

    Code:
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote 192.168.13.13 1194
    ;remote my-server-2 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert Client1.crt
    key Client1.key
    
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ;ns-cert-type server
    
    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo
    
    # Set log file verbosity.
    verb 4
    
    # Silence repeating messages
    ;mute 20
    Now I copied ca.crt, Client1.crt and Client1.key to the same directory as the client.conf file and started openvpn in the console with "openvpn --config client.conf".

    Now I'm trying to connect from my local LAN to the router and I'm getting this error message:

    Code:
    sudo openvpn --config client.conf
    Sat Jan 10 18:45:03 2009 us=620200 Current Parameter Settings:
    Sat Jan 10 18:45:03 2009 us=620349   config = 'client.conf'
    Sat Jan 10 18:45:03 2009 us=620375   mode = 0
    Sat Jan 10 18:45:03 2009 us=620397   persist_config = DISABLED
    Sat Jan 10 18:45:03 2009 us=620417   persist_mode = 1
    Sat Jan 10 18:45:03 2009 us=620454   show_ciphers = DISABLED
    Sat Jan 10 18:45:03 2009 us=620491   show_digests = DISABLED
    Sat Jan 10 18:45:03 2009 us=620513   show_engines = DISABLED
    Sat Jan 10 18:45:03 2009 us=620533   genkey = DISABLED
    Sat Jan 10 18:45:03 2009 us=620552   key_pass_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=620574   show_tls_ciphers = DISABLED
    Sat Jan 10 18:45:03 2009 us=620594   proto = 0
    Sat Jan 10 18:45:03 2009 us=620613   local = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=620637   remote_list[0] = {'192.168.13.13', 1194}
    Sat Jan 10 18:45:03 2009 us=620661   remote_random = DISABLED
    Sat Jan 10 18:45:03 2009 us=620681   local_port = 0
    Sat Jan 10 18:45:03 2009 us=620700   remote_port = 1194
    Sat Jan 10 18:45:03 2009 us=620719   remote_float = DISABLED
    Sat Jan 10 18:45:03 2009 us=620751   ipchange = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=620783   bind_defined = DISABLED
    Sat Jan 10 18:45:03 2009 us=620814   bind_local = DISABLED
    Sat Jan 10 18:45:03 2009 us=620845   dev = 'tun'
    Sat Jan 10 18:45:03 2009 us=620876   dev_type = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=620907   dev_node = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=620938   lladdr = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=620970   topology = 1
    Sat Jan 10 18:45:03 2009 us=621000   tun_ipv6 = DISABLED
    Sat Jan 10 18:45:03 2009 us=621031   ifconfig_local = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=621063   ifconfig_remote_netmask = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=621094   ifconfig_noexec = DISABLED
    Sat Jan 10 18:45:03 2009 us=621125   ifconfig_nowarn = DISABLED
    Sat Jan 10 18:45:03 2009 us=621155   shaper = 0
    Sat Jan 10 18:45:03 2009 us=621186   tun_mtu = 1500
    Sat Jan 10 18:45:03 2009 us=621207   tun_mtu_defined = ENABLED
    Sat Jan 10 18:45:03 2009 us=621226   link_mtu = 1500
    Sat Jan 10 18:45:03 2009 us=621245   link_mtu_defined = DISABLED
    Sat Jan 10 18:45:03 2009 us=621263   tun_mtu_extra = 0
    Sat Jan 10 18:45:03 2009 us=621283   tun_mtu_extra_defined = DISABLED
    Sat Jan 10 18:45:03 2009 us=621301   fragment = 0
    Sat Jan 10 18:45:03 2009 us=621332   mtu_discover_type = -1
    Sat Jan 10 18:45:03 2009 us=621363   mtu_test = 0
    Sat Jan 10 18:45:03 2009 us=621393   mlock = DISABLED
    Sat Jan 10 18:45:03 2009 us=621432   keepalive_ping = 0
    Sat Jan 10 18:45:03 2009 us=621452   keepalive_timeout = 0
    Sat Jan 10 18:45:03 2009 us=621474   inactivity_timeout = 0
    Sat Jan 10 18:45:03 2009 us=621493   ping_send_timeout = 0
    Sat Jan 10 18:45:03 2009 us=621519   ping_rec_timeout = 120
    Sat Jan 10 18:45:03 2009 us=621550   ping_rec_timeout_action = 2
    Sat Jan 10 18:45:03 2009 us=621581   ping_timer_remote = DISABLED
    Sat Jan 10 18:45:03 2009 us=621612   remap_sigusr1 = 0
    Sat Jan 10 18:45:03 2009 us=621643   explicit_exit_notification = 0
    Sat Jan 10 18:45:03 2009 us=621674   persist_tun = ENABLED
    Sat Jan 10 18:45:03 2009 us=621705   persist_local_ip = DISABLED
    Sat Jan 10 18:45:03 2009 us=621736   persist_remote_ip = DISABLED
    Sat Jan 10 18:45:03 2009 us=621767   persist_key = ENABLED
    Sat Jan 10 18:45:03 2009 us=621798   mssfix = 1450
    Sat Jan 10 18:45:03 2009 us=621829   passtos = DISABLED
    Sat Jan 10 18:45:03 2009 us=621861   resolve_retry_seconds = 1000000000
    Sat Jan 10 18:45:03 2009 us=621892   connect_retry_seconds = 5
    Sat Jan 10 18:45:03 2009 us=621935   connect_timeout = 10
    Sat Jan 10 18:45:03 2009 us=621955   connect_retry_max = 0
    Sat Jan 10 18:45:03 2009 us=621973   username = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=621995   groupname = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622013   chroot_dir = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622036   cd_dir = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622054   writepid = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622081   up_script = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622112   down_script = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622143   down_pre = DISABLED
    Sat Jan 10 18:45:03 2009 us=622174   up_restart = DISABLED
    Sat Jan 10 18:45:03 2009 us=622204   up_delay = DISABLED
    Sat Jan 10 18:45:03 2009 us=622223   daemon = DISABLED
    Sat Jan 10 18:45:03 2009 us=622241   inetd = 0
    Sat Jan 10 18:45:03 2009 us=622259   log = DISABLED
    Sat Jan 10 18:45:03 2009 us=622276   suppress_timestamps = DISABLED
    Sat Jan 10 18:45:03 2009 us=622294   nice = 0
    Sat Jan 10 18:45:03 2009 us=622312   verbosity = 4
    Sat Jan 10 18:45:03 2009 us=622329   mute = 0
    Sat Jan 10 18:45:03 2009 us=622346   gremlin = 0
    Sat Jan 10 18:45:03 2009 us=622364   status_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622382   status_file_version = 1
    Sat Jan 10 18:45:03 2009 us=622399   status_file_update_freq = 60
    Sat Jan 10 18:45:03 2009 us=622417   occ = ENABLED
    Sat Jan 10 18:45:03 2009 us=622435   rcvbuf = 65536
    Sat Jan 10 18:45:03 2009 us=622523   sndbuf = 65536
    Sat Jan 10 18:45:03 2009 us=622545   sockflags = 0
    Sat Jan 10 18:45:03 2009 us=622563   socks_proxy_server = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622581   socks_proxy_port = 0
    Sat Jan 10 18:45:03 2009 us=622599   socks_proxy_retry = DISABLED
    Sat Jan 10 18:45:03 2009 us=622617   fast_io = DISABLED
    Sat Jan 10 18:45:03 2009 us=622634   lzo = 7
    Sat Jan 10 18:45:03 2009 us=622651   route_script = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622669   route_default_gateway = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622688   route_default_metric = 0
    Sat Jan 10 18:45:03 2009 us=622706   route_noexec = DISABLED
    Sat Jan 10 18:45:03 2009 us=622723   route_delay = 0
    Sat Jan 10 18:45:03 2009 us=622741   route_delay_window = 30
    Sat Jan 10 18:45:03 2009 us=622759   route_delay_defined = DISABLED
    Sat Jan 10 18:45:03 2009 us=622777   route_nopull = DISABLED
    Sat Jan 10 18:45:03 2009 us=622795   management_addr = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622813   management_port = 0
    Sat Jan 10 18:45:03 2009 us=622831   management_user_pass = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622850   management_log_history_cache = 250
    Sat Jan 10 18:45:03 2009 us=622868   management_echo_buffer_size = 100
    Sat Jan 10 18:45:03 2009 us=622887   management_query_passwords = DISABLED
    Sat Jan 10 18:45:03 2009 us=622905   management_hold = DISABLED
    Sat Jan 10 18:45:03 2009 us=622924   management_client = DISABLED
    Sat Jan 10 18:45:03 2009 us=622942   management_signal = DISABLED
    Sat Jan 10 18:45:03 2009 us=622960   management_forget_disconnect = DISABLED
    Sat Jan 10 18:45:03 2009 us=622979   management_write_peer_info_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=622999   shared_secret_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=623018   key_direction = 0
    Sat Jan 10 18:45:03 2009 us=623036   ciphername_defined = ENABLED
    Sat Jan 10 18:45:03 2009 us=623055   ciphername = 'BF-CBC'
    Sat Jan 10 18:45:03 2009 us=623074   authname_defined = ENABLED
    Sat Jan 10 18:45:03 2009 us=623092   authname = 'SHA1'
    Sat Jan 10 18:45:03 2009 us=623110   keysize = 0
    Sat Jan 10 18:45:03 2009 us=623128   engine = DISABLED
    Sat Jan 10 18:45:03 2009 us=623146   replay = ENABLED
    Sat Jan 10 18:45:03 2009 us=623165   mute_replay_warnings = DISABLED
    Sat Jan 10 18:45:03 2009 us=623183   replay_window = 64
    Sat Jan 10 18:45:03 2009 us=623201   replay_time = 15
    Sat Jan 10 18:45:03 2009 us=623219   packet_id_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=623237   use_iv = ENABLED
    Sat Jan 10 18:45:03 2009 us=623255   test_crypto = DISABLED
    Sat Jan 10 18:45:03 2009 us=623273   tls_server = DISABLED
    Sat Jan 10 18:45:03 2009 us=623291   tls_client = ENABLED
    Sat Jan 10 18:45:03 2009 us=623309   key_method = 2
    Sat Jan 10 18:45:03 2009 us=623327   ca_file = 'ca.crt'
    Sat Jan 10 18:45:03 2009 us=623346   ca_path = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=623364   dh_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=623382   cert_file = 'Client1.crt'
    Sat Jan 10 18:45:03 2009 us=623401   priv_key_file = 'Client1.key'
    Sat Jan 10 18:45:03 2009 us=623419   pkcs12_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=623437   cipher_list = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=623456   tls_verify = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=623474   tls_remote = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=633511   crl_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=633533   ns_cert_type = 0
    Sat Jan 10 18:45:03 2009 us=633552   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633570   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633588   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633606   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633624   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633641   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633658   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633675   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633693   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633711   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633728   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633746   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633764   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633781   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633799   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633816   remote_cert_ku[i] = 0
    Sat Jan 10 18:45:03 2009 us=633835   remote_cert_eku = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=633853   tls_timeout = 2
    Sat Jan 10 18:45:03 2009 us=633872   renegotiate_bytes = 0
    Sat Jan 10 18:45:03 2009 us=633890   renegotiate_packets = 0
    Sat Jan 10 18:45:03 2009 us=633908   renegotiate_seconds = 3600
    Sat Jan 10 18:45:03 2009 us=633926   handshake_window = 60
    Sat Jan 10 18:45:03 2009 us=633944   transition_window = 3600
    Sat Jan 10 18:45:03 2009 us=633962   single_session = DISABLED
    Sat Jan 10 18:45:03 2009 us=633979   tls_exit = DISABLED
    Sat Jan 10 18:45:03 2009 us=633997   tls_auth_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=634041   server_network = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634064   server_netmask = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634085   server_bridge_ip = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634105   server_bridge_netmask = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634126   server_bridge_pool_start = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634147   server_bridge_pool_end = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634166   ifconfig_pool_defined = DISABLED
    Sat Jan 10 18:45:03 2009 us=634186   ifconfig_pool_start = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634207   ifconfig_pool_end = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634227   ifconfig_pool_netmask = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634246   ifconfig_pool_persist_filename = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=634264   ifconfig_pool_persist_refresh_freq = 600
    Sat Jan 10 18:45:03 2009 us=634283   n_bcast_buf = 256
    Sat Jan 10 18:45:03 2009 us=634301   tcp_queue_limit = 64
    Sat Jan 10 18:45:03 2009 us=634319   real_hash_size = 256
    Sat Jan 10 18:45:03 2009 us=634337   virtual_hash_size = 256
    Sat Jan 10 18:45:03 2009 us=634356   client_connect_script = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=634374   learn_address_script = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=634392   client_disconnect_script = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=634410   client_config_dir = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=634428   ccd_exclusive = DISABLED
    Sat Jan 10 18:45:03 2009 us=634447   tmp_dir = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=634465   push_ifconfig_defined = DISABLED
    Sat Jan 10 18:45:03 2009 us=634486   push_ifconfig_local = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634506   push_ifconfig_remote_netmask = 0.0.0.0
    Sat Jan 10 18:45:03 2009 us=634525   enable_c2c = DISABLED
    Sat Jan 10 18:45:03 2009 us=634543   duplicate_cn = DISABLED
    Sat Jan 10 18:45:03 2009 us=634561   cf_max = 0
    Sat Jan 10 18:45:03 2009 us=634580   cf_per = 0
    Sat Jan 10 18:45:03 2009 us=634598   max_clients = 1024
    Sat Jan 10 18:45:03 2009 us=634616   max_routes_per_client = 256
    Sat Jan 10 18:45:03 2009 us=634634   client_cert_not_required = DISABLED
    Sat Jan 10 18:45:03 2009 us=634653   username_as_common_name = DISABLED
    Sat Jan 10 18:45:03 2009 us=634671   auth_user_pass_verify_script = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=634690   auth_user_pass_verify_script_via_file = DISABLED
    Sat Jan 10 18:45:03 2009 us=639243   port_share_host = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=639281   port_share_port = 0
    Sat Jan 10 18:45:03 2009 us=639303   client = ENABLED
    Sat Jan 10 18:45:03 2009 us=639323   pull = ENABLED
    Sat Jan 10 18:45:03 2009 us=639343   auth_user_pass_file = '[UNDEF]'
    Sat Jan 10 18:45:03 2009 us=639371 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008
    Sat Jan 10 18:45:03 2009 us=639468 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Sat Jan 10 18:45:03 2009 us=640970 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
    Sat Jan 10 18:45:03 2009 us=742525 LZO compression initialized
    Sat Jan 10 18:45:03 2009 us=742683 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sat Jan 10 18:45:03 2009 us=742752 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sat Jan 10 18:45:03 2009 us=742783 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Sat Jan 10 18:45:03 2009 us=742796 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Sat Jan 10 18:45:03 2009 us=742821 Local Options hash (VER=V4): '41690919'
    Sat Jan 10 18:45:03 2009 us=742838 Expected Remote Options hash (VER=V4): '530fdded'
    Sat Jan 10 18:45:03 2009 us=742863 Socket Buffers: R=[111616->131072] S=[111616->131072]
    Sat Jan 10 18:45:03 2009 us=742880 UDPv4 link local: [undef]
    Sat Jan 10 18:45:03 2009 us=742893 UDPv4 link remote: 192.168.13.13:1194
    Sat Jan 10 18:45:03 2009 us=743636 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Sat Jan 10 18:45:08 2009 us=685086 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Any ideas what's wrong with my config?
    Thanks for your help.
     
  99. fyellin

    fyellin LI Guru Member

    A couple of random things.

    1) You don't need to do iptables when using SgtPepperKSU's mod. It does it for you automatically.

    2) The first line of the config file is certainly wrong. The line "service vpnserver1 start" belongs in a start-up script, not here. The JPEG makes it look like "persist-key" and "persist-tun" have an extra space in them, but that may just be an artifact.

    Are you seeing anything in the router log file? It's possible that one or more bad options may prohibit the server from starting.
     
  100. ElZar

    ElZar Addicted to LI Member

    Thanks for your help, but there are still some problems.
    I deleted the "service start" from custom scripts (the spaces are only in the picture). I also deleted the iptables config. The server starts now.

    I edited some things in the client config and it looks like this now:

    Code:
    client
    dev tun
    proto udp
    remote 192.168.13.13 13171
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert Client2.crt
    key Client2.key
    ns-cert-type server
    comp-lzo
    verb 4
    float
    keepalive 10 60

    when I startup openvpn, I'm getting this output:
    Attachment-Zip-File: log-auth-off.txt

    I think the connection is working until it times out?
    This is the router-log:
    Attachment-Zip-File: log-auth-off-router.txt

    I was able to connect to IPs on the internet (e.g. Google, http://66.249.93.99), but not to the DNS names.
    I think this is a second problem and may be solved with the proper routing config?

    Furthermore I tried to use TLS-Auth. I made an extra auth key with "openvpn --genkey --secret ta.key", set the auth mode to "bi-directional", copied the key to "static key" on my router and added "tls-auth ta.key 1" to the client.conf. The ta.key file is in the same directory as the other .crt files.

    When I'm trying to connect, I get this output:
    Attachment-Zip-File: log-auth.txt

    The router log says TLS error:
    Attachment-Zip-File: log-auth-router.txt

    I hope you can help me again. Thanks :>
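    An added example, not from this thread and not part of the mod, that checks a client config like the two ElZar posted before you try to connect. It looks for the two things the logs in this thread point at: the "No server certificate verification method has been enabled" warning (without ns-cert-type server or remote-cert-tls server, any holder of a client certificate from the same CA can pose as the server), and a tls-auth key direction that does not match the server's, which makes OpenVPN drop every handshake packet as a bad HMAC and shows up as TLS errors on both ends. The SERVER_TA argument, the function names, the sample configs and the `demo` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from this thread, not the Tomato VPN build's own code):
# pre-flight lint for an OpenVPN client config. Only the config text is
# inspected; nothing connects. Sample configs below are constructed.

# has REGEX: true if the comment-stripped config held in $cfg has a matching line
has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }

# lint_client_conf FILE SERVER_TA
#   SERVER_TA describes the server's tls-auth line:
#     0      server has 'tls-auth ta.key 0'  -> client must use direction 1
#     bidir  server has 'tls-auth ta.key'    -> client must omit the direction
#     none   server has no tls-auth          -> client must not use it either
# Prints one finding per line; exit status 0 only when nothing was found.
lint_client_conf() {
    cfg=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")
    server_ta=$2
    n=0

    has '^[[:space:]]*client([[:space:]]|$)' \
        || { echo "missing 'client': routes and options pushed by the server are not pulled"; n=$((n+1)); }
    has '^[[:space:]]*remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' \
        || { echo "'remote HOST PORT' missing or has no port"; n=$((n+1)); }
    for d in ca cert key; do
        has "^[[:space:]]*$d[[:space:]]+" \
            || { echo "missing '$d' (TLS mode needs ca, cert and key; 'secret' is static-key mode)"; n=$((n+1)); }
    done

    # Server authentication: without this, anyone holding a certificate signed
    # by the same CA (i.e. any other client) can impersonate the server.
    has '^[[:space:]]*(ns-cert-type|remote-cert-tls)[[:space:]]+server([[:space:]]|$)' \
        || { echo "no server certificate check: add 'ns-cert-type server' (or 'remote-cert-tls server')"; n=$((n+1)); }

    # tls-auth direction: the HMAC key halves are selected by direction, so a
    # mismatch means the server rejects every packet of the handshake.
    dir=$(printf '%s\n' "$cfg" | awk '$1=="tls-auth"{print $3; exit}')
    [ -n "$dir" ] || dir=$(printf '%s\n' "$cfg" | awk '$1=="key-direction"{print $2; exit}')
    if has '^[[:space:]]*tls-auth[[:space:]]+'; then
        case "$server_ta" in
            0)     [ "$dir" = 1 ] || { echo "server uses 'tls-auth KEY 0'; client must use 'tls-auth ta.key 1'"; n=$((n+1)); } ;;
            bidir) [ -z "$dir" ]  || { echo "server uses a bidirectional tls-auth key; drop the direction (use 'tls-auth ta.key')"; n=$((n+1)); } ;;
            none)  echo "client has tls-auth but the server does not; remove it or enable it on the server"; n=$((n+1)) ;;
        esac
    elif [ "$server_ta" != none ]; then
        echo "server requires tls-auth but the client config has none"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample 1: server check commented out, tls-auth without a direction
write_sample_weak() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 192.168.13.13 1194
nobind
persist-key
persist-tun
ca ca.crt
cert Client1.crt
key Client1.key
;ns-cert-type server
tls-auth ta.key
comp-lzo
verb 4
EOF
}

# Constructed sample 2: server check on, client side of a server 'tls-auth ta.key 0'
write_sample_ok() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 192.168.13.13 13171
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Client2.crt
key Client2.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
EOF
}

# Run with:  sh lint-ovpn.sh demo
if [ "${1:-}" = demo ]; then
    t=$(mktemp)
    write_sample_weak "$t"; echo "== weak sample, server tls-auth direction 0"; lint_client_conf "$t" 0
    write_sample_ok "$t";   echo "== ok sample, server bidirectional key";      lint_client_conf "$t" bidir
    rm -f "$t"
fi
```

    Two practical notes: the direction argument only matters when the server's key has one, so a Tomato server set to the bidirectional mode pairs with a plain `tls-auth ta.key` on the client, while a server line ending in 0 pairs with 1 on the client; and `ns-cert-type server` only works if the server certificate was built with that extension (easy-rsa's build-key-server does this), otherwise the client rejects the genuine server too.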
     
