
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. skyanvi1

    skyanvi1 Addicted to LI Member

    quinezhu,
    I too am attempting to get this to work.

    1. Have you tried to restart the entire service on Wan reconnect?
    i.e. (in Wan up Script)
    Code:
    sleep 20
    service vpnserver1 restart
    
    2. We may be seeing a race condition where some other script is waiting a certain period of time to update the firewall after the Wan comes up?
    I am currently locked out due to this issue and will attempt to debug as well when I get access to the router.
     
  2. quinezhu

    quinezhu Addicted to LI Member

    I'm using the sample init script from SgtPepperKSU's readme file.
    Code:
    ## Start VPN init script
    #Generate vpnup.sh
    echo "#!/bin/sh
    killall -0 vpn\$1 2> /dev/null
    if [ \$? != 0 ]
    then
    logger \"\$0: Starting vpn\$1\"
    service vpn\$1 start
    else
    logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
    fi
    " > /tmp/vpnup.sh
    # Make vpnup.sh executable
    chmod +x /tmp/vpnup.sh
    # Schedule vpnup.sh to run every 30 minutes
    cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    ## End VPN init script
    and if you don't want to add iptables -I INPUT 1 -p udp --dport ???? -j ACCEPT
    manually in the Firewall script, you'll have to move the last three lines above (the comment, the sleep 10 and the single vpnup.sh run, same function as you coded) to the WAN Up script for the reason in SgtPepperKSU's post #394. Of course, your own Firewall script will not apply in this case.


    Now I leave the entire sample in Init script and add iptables -I INPUT 1 -p udp --dport ???? -j ACCEPT manually in Firewall script, and avoid reboot in GUI as far as possible. Almost everything is OK. And also I'm looking forward to SgtPepperKSU's next release, then I will not worry about my router's automatic warm reboot occasionally any more.

    As for the PPPoE reconnect killing the default firewall rules (in /etc/openvpn/server1-fw.sh), it will not affect you if you have added them manually in the Firewall script.
     
  3. skyanvi1

    skyanvi1 Addicted to LI Member

    quinezhu,

    Well, vpnup.sh only checks to see if the service is running... if it is, it does nothing but print out a line saying it is already running:
    Code:
    Feb  5 23:16:57 unknown user.notice root: /tmp/vpnup.sh: vpnserver1 already running: 478
    Since a cold boot works and a warm restart does not, my idea is that forcing a restart of the VPN service and then applying any custom iptables scripts may fix the issue [Edit: on WAN Up].
     
  4. quinezhu

    quinezhu Addicted to LI Member

    It does not only print out a line saying already running, because of this code in the sample:
    Code:
    # Schedule vpnup.sh to run every 30 minutes
    cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"

    Thanks. But I don't think so, because vpnup.sh in the WAN Up script works like the command service vpnserver1 restart.
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, putting a "service vpnserver1 restart" in the WAN-UP script should go ahead and apply the firewall rules at that time. Note that this will only be necessary until the next release, when you can change it back to vpnup.sh.

    And, it isn't that the tomato FIREWALL script will not apply after doing this. Just that the firewall rules I add automatically give full access for the LAN to the VPN tunnel, so if you have custom rules to give limited access, they will be overridden. Firewall rules unrelated to VPN should still work fine.
     
  6. skyanvi1

    skyanvi1 Addicted to LI Member

    I can confirm that the "service vpnserver1 restart" in the WAN-UP script works to allow the VPN to survive a WAN reconnect.

    Question: Is there a way to detect that OpenVPN is hung, i.e. a cron'd attempt at an internal client connection and, on failure, kill the server and restart it?

    Two suggestions for the next build:
    1. A GUI way to reset all fields in a server. (I managed to get an invalid netmask error that would not let me change any settings. I even went so far as manually clearing settings using nvram set. Eventually I had to do a full NVRAM erase to regain control.)

    2. A single page that will show status of and allow enable/disable of vpn servers.
     
  7. skyanvi1

    skyanvi1 Addicted to LI Member

    Update: to ensure the VPN server (and auto-added firewall rules) survive firewall or WAN restarts, the "service vpnserver1 restart" will need to be added to both the WAN Up and the Firewall scripts.
     
  8. quinezhu

    quinezhu Addicted to LI Member

    That means, corresponding to the debug messages in post #397,
    Code:
    Feb  5 23:16:35 unknown daemon.notice pppoe[557]: Connected.
    ...
    Feb  5 23:16:39 unknown user.info ip-up[562]: VPN DEBUG: 595: Running firewall script:
    Feb  5 23:16:39 unknown user.info ip-up[562]: VPN DEBUG: 596: server1-fw.sh
    
    the firewall script works while server1-fw.sh doesn't work during a WAN restart. So you will have to add "service vpnserver1 restart" to the Firewall script too; then the auto-added firewall rules will run.

    Just like what I described in post #402.
     
  9. quinezhu

    quinezhu Addicted to LI Member

    You are right. Sorry for misunderstanding it in post #404.


    Sorry, I misunderstood the warm restart (on WAN Up) as the warm reboot. Actually there are two separate issues:
    • the custom firewall rules will be overridden by the default ones if you reboot in the GUI (warm reboot), or if you start vpnserver in the WAN Up script on a cold reboot. So a cold boot (with vpnserver started in the Init script) works and a warm reboot does not (whether vpnserver is started in the Init or the WAN Up script).
    • a PPPoE-to-WAN restart (warm restart) will kill the default firewall rules. It will not affect you if you have added them manually in the Firewall script, or if you also put "service vpnserver1 restart" in the Firewall script like you did.
     
  10. redcow

    redcow LI Guru Member

    Hi, I want to force all traffic to go through the vpn tunnel:

    My Router IP (DNS+DHCP+VPN) 192.168.0.1
    my client pc: 192.168.0.7 (wlan), (and 192.168.0.80+ for vpn)

    server:

    client:


    But it does not work :/, dns queries work, but no traffic, probably something messed up with the routing table? because gateway/dns ip etc are correct.


    log:

    [edit]
    I added a static route "destination (192.168.0.0) gateway (192.168.0.1) interface (wan)"; now it works, but I'm not sure if that's the "right" solution or only a dirty one, and whether I should better fix my OpenVPN config?
    [/edit]
     
  11. skyanvi1

    skyanvi1 Addicted to LI Member

    When setting up a VPN you will want to pick an obscure IP range, definitely not the standard 192.168.0.0/24, since the two endpoints should not be on the same subnet. And eventually, if not already, you will try to VPN out of a network using the standard 192.168.0.0/24.
    I would recommend e.g.:
    Server Lan: 10.8.x.0/24
    Client Lan: Usually you have no control
    VPN Lan: 10.8.y.0/24 Where x != y and between 0 and 255

    redirecting the gateway can still be problematic esp. with windows.
     
  12. redcow

    redcow LI Guru Member

    I changed my config:

    Is there some error?

    I'm connecting through wireless, if I'm connecting through openvpn and trying to use internet, it doesn't work.

    wireless client ip: 192.168.0.7
    router(vpn+gateway+wireless): 192.168.0.1

    vpn ip: 10.8.0.10
    VPN gateway should be 10.8.0.1 but I cannot reach it :/


    82.xy is my external IP I'm getting through an ADSL modem (connected through Ethernet).

    Do I need an extra route? I tried to set 10.8.0.0 as destination and 192.168.0.1 as gateway, and to forward traffic through "iptables -I FORWARD -i br0 -o tapxy -j ACCEPT"


    current status:

    I'm able to reach 192.168.0.x network, but cannot reach 10.0.8.1, ping 10.0.8.50 works (vpn client ip), inet does not work, without redirect-gateway+push route it does work. The windows client shows ip: 10.8.0.50, subnet 255.255.255.0, dhcp server 10.8.0.0, but the gateway address is empty, is that normal?

    many thanks.
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You're going to need to take a step back and tell me what your setup is like. On which end of the tunnel are you using my build? What devices are showing the various output you've provided? When you talk about a windows client, is it behind a router that is connected to the VPN or is it connecting to the VPN directly? What are the subnets on each end of the tunnel? etc.
     
  14. quinezhu

    quinezhu Addicted to LI Member

    I've got a Belkin 7231 router with USB 1.1 support which I want to use mainly as a print server. Is it possible to add USB support like in the following thread? :biggrin:
    http://www.linksysinfo.org/forums/showthread.php?t=60185

    I found the capacity of jffs on my 7231 with vpn2.0005 is too small (only 440KB) for me to upload the usb driver later.
     
  15. wernert

    wernert Guest

    Differences in Roadkill's and SgtPepperKSU VPN-versions?

    First a big 'thumbs up' for Roadkill and SgtPepperKSU, for their work on VPN on the linksys.

    I've been using Roadkill's firmware but never got the VPN working on my WRT45GL. Probably my fault, but I'm gonna try SgtPepperKSU version.

    In one of the first pages of this thread, SgtPepperKSU wrote that he didn't need the changes that Roadkill made to the Tomato firmware, which motivated him to add his own GUI.

    Is there somewhere a description of the (VPN?) differences between the two versions? I'm curious to know this, in order to see if I will gain or lose functions or stability by switching to SgtPepperKSU's firmware.
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There shouldn't be any substantial differences in VPN capabilities. I was referring to things like the serial port and SD mods that he had added.
     
  17. redcow

    redcow LI Guru Member

    @SgtPepperKSU thanks for your help, I know how annoying it is to answer configuration questions.


    My current setup:


    ADSL Modem (192.168.1.2) --> Linksys (192.168.0.1, Tomato Wireless+VPN Server+etc) --> wireless client 1 (192.168.0.2), wireless client 2 (192.168.0.3) etc.

    Wireless client:
    Code:
    WinXP SP3
    IP: 192.168.0.7 (static dhcp)
    subnet mask: 255.255.255.0
    standard gateway: 192.168.0.1
    dhcp-server 192.168.0.1
    dns: 192.168.0.1
    
    routing table before vpn connect:
    Code:
              0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.7	  25
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
          192.168.0.0    255.255.255.0      192.168.0.7     192.168.0.7	  25
          192.168.0.7  255.255.255.255        127.0.0.1       127.0.0.1	  25
        192.168.0.255  255.255.255.255      192.168.0.7     192.168.0.7	  25
            224.0.0.0        240.0.0.0      192.168.0.7     192.168.0.7	  25
      255.255.255.255  255.255.255.255      192.168.0.7               2	  1
      255.255.255.255  255.255.255.255      192.168.0.7     192.168.0.7	  1
      255.255.255.255  255.255.255.255      192.168.0.7               4	  1
    standardgateway:       192.168.0.1
    

    linksys router:
    Code:
    Wireless:WPA/WP2
    DHCP range: 192.168.0.2 - 192.168.0.49
    IP: 192.168.0.1
    Subnet mask: 255.255.255.0
    WAN Internet: DHCP (gets the ip from the modem dhcp server)
    
    routing table (before vpn, standard routing table): (xx is censored internet ip address)

    Code:
    Kernel IP routing table
    
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    87.xx.xx.x      *               255.255.255.0   U     0      0        0 vlan1
    192.168.0.0     *               255.255.255.0   U     0      0        0 br0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         hostxx-xx-dyn 0.0.0.0         UG    0      0        0 vlan1
    

    Openvpn server config:
    Code:
    # Automatically generated configuration
    daemon
    server-bridge
    proto udp
    port 1194
    dev tap21
    comp-lzo yes
    keepalive 15 60
    verb 3
    ca server1-ca.crt
    dh server1-dh.pem
    cert server1.crt
    key server1.key
    status-version 2
    status server1.status
    
    # Custom Configuration
    keepalive 15 60 
    mssfix
    float
    resolv-retry infinite
    tun-mtu 1500
    push "redirect-gateway local def1"
    client-to-client
    ifconfig-pool-persist ipp.txt
    server-bridge 10.8.0.1 255.255.255.0 10.8.0.50 10.8.0.100
    #push "route 10.8.0.0 255.255.255.255" # Push client back to server
    #push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    ifconfig 10.8.0.1 255.255.255.0
    
    openvpn client config:
    Code:
    client
    dev tap
    dev-node home-vpn
    proto udp
    remote xy 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    ca ca.crt
    cert quork-laptop.crt
    key quork-laptop.key
    ns-cert-type server
    comp-lzo
    verb 3
    
    # Silence repeating messages
    ;mute 20
    
    pull
    mssfix
    float
    tun-mtu 1500
    
    route 0.0.0.0 10.8.0.0
    route 10.8.0.0 192.168.0.0
    
    the routing table on the wireless client after openvpn connect:

    Code:
              0.0.0.0         10.8.0.0         10.8.0.1       10.8.0.50	  1
              0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.7	  25
             10.8.0.0    255.255.255.0        10.8.0.50       10.8.0.50	  30
             10.8.0.0  255.255.255.255         10.8.0.1       10.8.0.50	  1
            10.8.0.50  255.255.255.255        127.0.0.1       127.0.0.1	  30
       10.255.255.255  255.255.255.255        10.8.0.50       10.8.0.50	  30
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
          192.168.0.0    255.255.255.0      192.168.0.7     192.168.0.7	  25
          192.168.0.7  255.255.255.255        127.0.0.1       127.0.0.1	  25
        192.168.0.255  255.255.255.255      192.168.0.7     192.168.0.7	  25
            224.0.0.0        240.0.0.0        10.8.0.50       10.8.0.50	  30
            224.0.0.0        240.0.0.0      192.168.0.7     192.168.0.7	  25
      255.255.255.255  255.255.255.255        10.8.0.50               2	  1
      255.255.255.255  255.255.255.255        10.8.0.50       10.8.0.50	  1
      255.255.255.255  255.255.255.255      192.168.0.7     192.168.0.7	  1
    standardgateway:          10.8.0.1
    
    static route on linksys router
    Code:
    destination: 10.8.0.0 , gateway 192.168.0.1, subnetmask 255.255.255.0, interface lan
    
    forwarding is enabled:
    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    

    I have no clue what else I should try. I played around a lot with the routing table and iptables; forwarding regarding iptables should work, no firewalls are enabled, dunno :frown:


    What I want to achieve is that the entire LAN/internet traffic goes through the OpenVPN tunnel (Linksys router), and that I can use the tunnel with the wireless clients and from outside the network. I want to reach the 192.168.0.x network to connect to other wireless clients. That's it :/


    At the moment it's really a mess. With the static route (set on the Linksys router) I'm able to tunnel my internet traffic through the VPN, but the server can't reach 10.8.0.50 etc. Maybe somebody can tell me the correct routing/config settings in order to set it up correctly.

    thanks

    Sorry for so much text.
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I can't say whether it is all that is wrong, but these don't look right.

    Maybe this is what you're trying for with those?
    Code:
    route 0.0.0.0 0.0.0.0 10.8.0.1
    route 10.8.0.0 255.255.255.0 192.168.0.1
    Though, that second one shouldn't be needed.

    If you're wanting all traffic to cross the VPN, I think it'd be simpler to try to get redirect-gateway to work.
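Two of the problems in the posts above are mechanical: the client config's route lines put an address where OpenVPN expects a netmask (this post), and the client and server sat on the same 192.168.0.0/24 (post 11). The added Python script below, which is not from this thread or from TomatoVPN, checks a config for both; SAMPLE_CONFIG is a constructed sample built from the values pasted above, and the gateway keyword set and the server-bridge pool check are assumptions of mine, not something the thread states.

```python
"""Sanity checks for the OpenVPN settings discussed in this thread.

OpenVPN wants 'route <network> <netmask> [gateway]', and the LANs on both
ends plus the VPN pool must be distinct subnets.  Both checks live here.
"""
import ipaddress
import re

# Constructed sample: the client's two malformed route lines, a valid pushed
# route, a commented-out route, and the server's bridge pool from above.
SAMPLE_CONFIG = """\
server-bridge 10.8.0.1 255.255.255.0 10.8.0.50 10.8.0.100
push "redirect-gateway local def1"
route 0.0.0.0 10.8.0.0
route 10.8.0.0 192.168.0.0
push "route 192.168.0.0 255.255.255.0"
#push "route 10.8.0.0 255.255.255.255"   # commented out, so ignored
"""

# Keywords OpenVPN accepts in place of a gateway address in 'route'
# (assumption: this set is what the author of this example knows of).
GATEWAY_KEYWORDS = {"vpn_gateway", "net_gateway", "remote_host"}


def valid_netmask(mask):
    """True when mask is a contiguous IPv4 netmask (ones followed by zeros)."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    inv = (~bits) & 0xFFFFFFFF          # zero bits become ones: must be 2**k - 1
    return inv & (inv + 1) == 0


def _is_address(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def check_route_lines(config):
    """Return (line number, line, problem) for every malformed route directive."""
    problems = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r'^(?:push\s+"route\s+([^"]*)"|route\s+(.*))$', line)
        if not m:
            continue
        args = (m.group(1) or m.group(2)).split()
        if len(args) < 2:
            problems.append((lineno, line, "need <network> <netmask> [gateway]"))
        elif not _is_address(args[0]):
            problems.append((lineno, line, "network %s is not an address" % args[0]))
        elif not valid_netmask(args[1]):
            problems.append((lineno, line,
                             "%s is not a netmask; the second argument must be one" % args[1]))
        elif len(args) > 2 and not (_is_address(args[2]) or args[2] in GATEWAY_KEYWORDS):
            problems.append((lineno, line, "gateway %s is not an address" % args[2]))
    return problems


def overlap_report(server_lan, vpn_subnet, client_lans):
    """Pairs of networks that overlap.  Any hit means a client cannot tell
    local from remote (post 11's rule: LANs and the VPN pool must differ)."""
    nets = {"server LAN": ipaddress.IPv4Network(server_lan),
            "VPN": ipaddress.IPv4Network(vpn_subnet)}
    for n, lan in enumerate(client_lans, 1):
        nets["client LAN %d" % n] = ipaddress.IPv4Network(lan)
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def server_bridge_ok(line):
    """Check 'server-bridge <gateway> <netmask> <pool-start> <pool-end>':
    pool inside the subnet, start <= end, gateway outside the pool."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "server-bridge" or not valid_netmask(parts[2]):
        return False
    try:
        gw, start, end = (ipaddress.IPv4Address(p) for p in (parts[1], parts[3], parts[4]))
        subnet = ipaddress.IPv4Network("%s/%s" % (gw, parts[2]), strict=False)
    except ValueError:
        return False
    return start in subnet and end in subnet and start <= end and not start <= gw <= end


if __name__ == "__main__":
    for lineno, line, why in check_route_lines(SAMPLE_CONFIG):
        print("line %d: %s  <- %s" % (lineno, line, why))
    print("overlaps:", overlap_report("192.168.0.0/24", "10.8.0.0/24",
                                      ["192.168.0.0/24", "10.10.188.0/22"]))
    print("server-bridge ok:", server_bridge_ok(SAMPLE_CONFIG.splitlines()[0]))
```

Run against the sample, it flags lines 3 and 4 and reports that the first client LAN collides with the server LAN, while the later 10.10.188.0/22 network does not.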
     
  19. redcow

    redcow LI Guru Member

    redirect-gateway works, but only if I use the VPN tunnel within the network (connected to the Linksys router via wireless), but I can't ping the VPN client (10.8.0.50) from the server (Linksys); vice versa it works (from the wireless client). I tried to connect to my VPN from outside the LAN and it doesn't work :/ The gateway is set etc., but I can't ping the VPN server, nor reach any website:

    wireless client route within the new network
    Code:
              Destination   Genmask          Gateway       device      use
              0.0.0.0        128.0.0.0         10.8.0.1       10.8.0.50	  1
              0.0.0.0          0.0.0.0         10.8.0.1       10.8.0.50	  1
              0.0.0.0          0.0.0.0    10.10.191.254   10.10.191.250	  25
             10.8.0.0    255.255.255.0        10.8.0.50       10.8.0.50	  30
            10.8.0.50  255.255.255.255        127.0.0.1       127.0.0.1	  30
          10.10.188.0    255.255.252.0    10.10.191.250   10.10.191.250	  25
        10.10.191.250  255.255.255.255        127.0.0.1       127.0.0.1	  25
       10.255.255.255  255.255.255.255        10.8.0.50       10.8.0.50	  30
       10.255.255.255  255.255.255.255    10.10.191.250   10.10.191.250	  25
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1	  1
            128.0.0.0        128.0.0.0         10.8.0.1       10.8.0.50	  1
            224.0.0.0        240.0.0.0        10.8.0.50       10.8.0.50	  30
            224.0.0.0        240.0.0.0    10.10.191.250   10.10.191.250	  25
      255.255.255.255  255.255.255.255        10.8.0.50               2	  1
      255.255.255.255  255.255.255.255        10.8.0.50       10.8.0.50	  1
      255.255.255.255  255.255.255.255    10.10.191.250   10.10.191.250	  1
    standardgateway:          10.8.0.1
    
    Code:
    my vpn gateway: 10.8.0.1
    local wireless client ip: 10.10.191.250
    local subnet mask: 255.255.252.0
    local standard gateway: 10.10.191.254
    

    client log:
    Code:
    Wed Feb 11 11:22:47 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.50/255.255.255.0 on interface {557A9CBB-E9E2-4925-8A1A-9398755F0191} [DHCP-serv: 10.8.0.0, lease-time: 31536000]
    Wed Feb 11 11:22:47 2009 Successful ARP Flush on interface [4] {557A9CBB-E9E2-4925-8A1A-9398755F0191}
    Wed Feb 11 11:22:52 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Wed Feb 11 11:22:52 2009 Route: Waiting for TUN/TAP interface to come up...
    [15x times]
    Wed Feb 11 11:23:22 2009 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
    Wed Feb 11 11:23:22 2009 Route addition via IPAPI succeeded [adaptive]
    Wed Feb 11 11:23:22 2009 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
    Wed Feb 11 11:23:22 2009 Route addition via IPAPI succeeded [adaptive]
    Wed Feb 11 11:23:22 2009 WARNING: potential route subnet conflict between local LAN [10.10.188.0/255.255.252.0] and remote VPN [0.0.0.0/0.0.0.0]
    Wed Feb 11 11:23:22 2009 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.1
    Wed Feb 11 11:23:22 2009 Route addition via IPAPI succeeded [adaptive]
    Wed Feb 11 11:23:22 2009 WARNING: potential route subnet conflict between local LAN [10.8.0.0/255.255.255.0] and remote VPN [10.8.0.0/255.255.255.0]
    Wed Feb 11 11:23:22 2009 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 192.168.0.1
    Wed Feb 11 11:23:22 2009 Warning: route gateway is not reachable on any active network adapters: 192.168.0.1
    Wed Feb 11 11:23:22 2009 Route addition via IPAPI failed [adaptive]
    Wed Feb 11 11:23:22 2009 Route addition fallback to route.exe
    SYSTEM ROUTING TABLE
    0.0.0.0 128.0.0.0 10.8.0.1 p=0 i=4 t=4 pr=3 a=0 h=0 m=1/-1/-1/-1/-1
    0.0.0.0 0.0.0.0 10.8.0.1 p=0 i=4 t=4 pr=3 a=0 h=0 m=1/-1/-1/-1/-1
    0.0.0.0 0.0.0.0 10.10.191.254 p=0 i=3 t=4 pr=3 a=7122 h=0 m=25/-1/-1/-1/-1
    10.8.0.0 255.255.255.0 10.8.0.50 p=0 i=4 t=3 pr=2 a=29 h=0 m=30/-1/-1/-1/-1
    10.8.0.50 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=29 h=0 m=30/-1/-1/-1/-1
    10.10.188.0 255.255.252.0 10.10.191.250 p=0 i=3 t=3 pr=2 a=7124 h=0 m=25/-1/-1/-1/-1
    10.10.191.250 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=7124 h=0 m=25/-1/-1/-1/-1
    10.255.255.255 255.255.255.255 10.8.0.50 p=0 i=4 t=3 pr=2 a=29 h=0 m=30/-1/-1/-1/-1
    10.255.255.255 255.255.255.255 10.10.191.250 p=0 i=3 t=3 pr=2 a=7124 h=0 m=25/-1/-1/-1/-1
    127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=75748 h=0 m=1/-1/-1/-1/-1
    128.0.0.0 128.0.0.0 10.8.0.1 p=0 i=4 t=4 pr=3 a=0 h=0 m=1/-1/-1/-1/-1
    224.0.0.0 240.0.0.0 10.8.0.50 p=0 i=4 t=3 pr=2 a=29 h=0 m=30/-1/-1/-1/-1
    224.0.0.0 240.0.0.0 10.10.191.250 p=0 i=3 t=3 pr=2 a=7124 h=0 m=25/-1/-1/-1/-1
    255.255.255.255 255.255.255.255 10.8.0.50 p=0 i=2 t=3 pr=2 a=75748 h=0 m=1/-1/-1/-1/-1
    255.255.255.255 255.255.255.255 10.8.0.50 p=0 i=4 t=3 pr=2 a=75748 h=0 m=1/-1/-1/-1/-1
    255.255.255.255 255.255.255.255 10.10.191.250 p=0 i=3 t=3 pr=2 a=75748 h=0 m=1/-1/-1/-1/-1
    [...]
    
    Do I need to set for every network I want to connect from new different routes? Shouldn't it be enough to specify the correct routes to the vpn server?

    thx
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You shouldn't need to manually add any routes at all. I'm afraid at this point, though, you'd be better off getting help from the OpenVPN people if you continue to have problems.
     
  21. humba

    humba Network Guru Member

    I've been getting gray hairs from this. I set up a site-to-site VPN over the Internet yesterday. I've tested the same setup in the lab (and had it running for 2 months without problems) so it was up and running in no time. It's a simple TAP setup, and the LAN side of each router is in the same subnet. A W2K3 server in the remote site serves as DHCP server.
    If I connect my machine behind the tunnel, it gets an IP and can communicate just fine. 1-2 hours later, communication suddenly stops (the time can vary; sometimes it's less than an hour, sometimes more than 2 hours). If I connect another machine, it has full connectivity. I can still do a DHCP refresh/renew on my box but other than that I only get as far as the router on my end. SSHing into the router reveals that the link is still up, there are no errors whatsoever (even in verb 6 mode; I checked both sides) and I can still ping or telnet through the tunnel, so the tunnel is definitely up. Using Wireshark I determined that packets from my machine definitely don't make it into the remote location's part of the subnet anymore. I even went as far as to boot my machine - no luck there either.

    If I tear down the tunnel and restart (regardless of which side), the whole thing begins anew: full communication for 1-2 hours, then nothing but DHCP anymore. Since not even simple pings make it to the remote side anymore, I suspect the router on my side (the server) somehow messes up, though that's weird since I have the same setup bridging two subnets in the same office working for 2 months without interruption. Here's the server config:
    Code:
    mode server
    proto tcp-server
    port 443
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    client-to-client
    duplicate-cn
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    And client

    Code:
    client
    daemon
    dev tap0
    proto tcp-client
    remote ip-server 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    keepalive 10 60
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    comp-lzo
    verb 3
    Of course I can simply telnet into the local router and restart openvpn but I'd really like to avoid that and have a stable tunnel that everybody can use.
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sounds beyond me to troubleshoot. Once the tunnel is established, it's out of my hands and up to OpenVPN - and nothing is coming to mind right off that could be going wrong there. I would suggest getting help from the OpenVPN folks on their IRC channel or mailing list.
     
  23. humba

    humba Network Guru Member

    I figured it's something obscure. I actually had two tunnels on the client (one site-to-site over the corporate LAN to bridge the lab to my desk). For now I terminated the first tunnel (the one I know always works), removed the second tap and used the first tap to connect to the remote site; we'll see where that gets us. I connected an IP phone last night, and sure enough it also had the issue this morning (and it communicates with UDP only), so it's protocol and device agnostic.
     
  24. redcow

    redcow LI Guru Member

    I solved my VPN problem. I used "redirect-gateway local def1" to redirect the entire traffic through the VPN tunnel, but the parameter "local" works only if the VPN server is in the same subnet; if you want to use the VPN tunnel from outside you have to remove "local". Moreover I removed all the "route" entries in the config, as in bridge mode they are normally not needed, only if you want to reach a subnet behind the VPN server or for some other specific settings. I had to add on my Linksys router a static route from 10.8.0.0 -> 192.168.0.1 (gateway); now everything works, thanks again for the great firmware :)
     
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! I'm glad you got it working!
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.23vpn2.0006

    Version 1.23vpn2.0006

    You can download the binaries from here.

    There has been some trouble downloading the following files from the main download location, so here are a couple of mirrors.
    tomatovpn-1.23vpn2.0006.7z or tomatovpn-1.23vpn2.0006.7z
    tomatovpn-ND-1.23vpn2.0006.7z or tomatovpn-ND-1.23vpn2.0006.7z


    Source is available at the Git repository. Be sure to read the COPYING file if you plan to use/distribute the sources.
    Direct links: Patch from Tomato-1.23 TomatoVPN Source TomatoVPN-ND Source

    Changes from 1.23vpn2.0005
    • Removed length restrictions for server address
    • Fixed the automatic firewall rules problem
    • Made the automatic firewall rules optional in GUI
    • Downgraded OpenVPN from 2.1rc15 to 2.1rc13
      • This will hopefully fix people's problems with keepalive timeouts and protocol-specific problems
      • If anyone still experiences these problems, be sure to let me know.
      • I wanted to wait for 2.1rc16 but I've been waiting for nearly 2 months. I figured giving up and downgrading is the best way to "cause" a new OpenVPN release :wink:
    • Various code cleanups

    Known limitations:
    • None that I am aware of. If you find some, let me know.

    Let me know what you think, and what can be improved. :smile:
     
  27. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Also, if you would like to be notified of new releases, you can subscribe to the TomatoVPN RSS feed on the GIT repository site. I will typically only push changes to that branch when I'm making a release. It will also give you a list of changes made in that release (all git commits will be listed, not just releases).

    That way, you wouldn't have to keep checking this thread periodically to check for releases.
     
  28. albundy118

    albundy118 Addicted to LI Member

    Hello,

    first of all many thanks for that nice Tomato mod, that is what I was looking for.
    But I almost go crazy with OpenVPN. I have 2 Linksys routers with your mod, one of them already on version 0006. On both I have already configured a server session using TLS mode to connect with a laptop.
    But I also want to run another OpenVPN session between both routers using a static key and no route propagation (using ripd instead), but the connection somehow doesn't want to establish. I already know that I can connect with my laptop to the server session I wanted to use for router-to-router, so I can almost be sure there is no issue in the server config.
    The client session starts as it should, but then nothing happens on the server (also checked with verb 15).
    Sorry, I used the search in this thread but didn't find a problem like that, and before I post every config part maybe somebody can tell me what's necessary for troubleshooting.
    Btw, earlier I used the Tomato mod by roadkill which also includes the VPN GUI and everything works fine (related to OpenVPN) but that one was still based on Tomato 1.21 and I wanted to use the latest one.

    Thanks in advance
    Florian
     
  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm sorry, but I don't know anything about that. If you think it could be relevant to your problem, I probably won't be of much use.
    So, does the client router's log look the same both with the server running and with it not running? There are absolutely no entries in the server log when you try to connect? Did you try this same configuration with roadkill's firmware? When you connect with your laptop (and it works) are you outside of the LAN?

    You'll probably need to tell me what settings you are using on both ends of the tunnel, though.
     
  30. gawd0wns

    gawd0wns LI Guru Member

    Which rules are added when the "Automatic" and "External Only," options are selected? I am assuming the "custom" rules selection does not add anything for you.
     
  31. cabexas

    cabexas LI Guru Member

    Hello,

    first of all, thank you for developing this firmware for us.

    Now, my problem. I'm trying to configure a connection to my work via VPN.
    Actually, I have OpenVPN GUI installed on my Vista laptop to do all my work, but I would like not to install OpenVPN on all the computers in the house to connect to work.
    So I'm trying to configure my WRT54GL with this firmware.
    I've configured the VPN client via the web GUI. When I start the VPN, I get the error below:

    Code:
    Feb 16 15:07:58 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Feb 16 15:07:59 unknown daemon.notice openvpn[891]: OpenVPN 2.1_rc13 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Feb 16 2009
    Feb 16 15:07:59 unknown daemon.warn openvpn[891]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Feb 16 15:07:59 unknown daemon.warn openvpn[891]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Feb 16 15:07:59 unknown daemon.warn openvpn[891]: Cannot load private key file client1.key: error:0906A068:PEM routines:PEM_do_header:bad password read: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 eos
    Feb 16 15:07:59 unknown daemon.err openvpn[891]: Error: private key password verification failed
    Feb 16 15:07:59 unknown daemon.notice openvpn[891]: Exiting
    
    This is the configuration that is working on my laptop with OpenVPN that I'm trying to configure on Tomato:
    Code:
    client
    dev tun
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca vpnqueluz.crt
    cert rfmorais.crt
    key rfmorais.key
    comp-lzo
    verb 3
    
    When I enter the router via SSH, in /etc/openvpn I have got no files.
    Shouldn't my VPN configuration files be there?

    What am I doing wrong?

    Thank you
     
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm guessing that when you connect with the OpenVPN client on your laptop that it asks you for a password. Is that right? The router GUI has no (practical) way of interactively asking you for your password, and I haven't added a place to enter one yet. Try adding
    Code:
    askpass /tmp/vpnpwfile
    to your custom config and adding
    Code:
    echo "yourpasswordhere" > /tmp/vpnpwfile
    to your init script (and reboot the router so the init script will run).
    Hopefully that will take care of it for you. Let me know either way, though, so I will know for sure how people should deal with key files that are password protected (if that is indeed what you have).
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I try to keep this post (as linked from the first post in this thread) updated with an explanation of the different settings.

    In short: "External Only" only opens the chosen port on the WAN interface to allow incoming connections to the OpenVPN server. "Automatic" also opens up the VPN tunnel to your LAN. "Custom" does neither. For the client, "Automatic" just opens up the VPN tunnel to the LAN and there isn't an "External Only" option since the WAN firewall doesn't need to be opened for clients.
     
  34. cabexas

    cabexas LI Guru Member

    Hello,

    thank you for your reply. You're right, I need to input a password, and with your directions I can now connect the VPN to my work.

    But now I can't ping any work computer.

    This is my routing:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.85.5.94      *               255.255.255.255 UH    0      0        0 tun11
    172.20.30.0     *               255.255.255.0   U     0      0        0 br0
    81.84.124.0     *               255.255.254.0   U     0      0        0 vlan1
    10.85.0.0       10.85.5.94      255.255.0.0     UG    0      0        0 tun11
    172.16.0.0      10.85.5.94      255.255.0.0     UG    0      0        0 tun11
    10.0.0.0        10.85.5.94      255.0.0.0       UG    0      0        0 tun11
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         a81-84-125-254. 0.0.0.0         UG    0      0        0 vlan1
    
    and this is my ifconfig:
    Code:
    br0        Link encap:Ethernet  HWaddr 00:16:B6:D9:67:51
               inet addr:172.20.30.1  Bcast:172.20.30.255  Mask:255.255.255.0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:16513 errors:0 dropped:0 overruns:0 frame:0
               TX packets:30217 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:1533707 (1.4 MiB)  TX bytes:41975502 (40.0 MiB)
    
    eth0       Link encap:Ethernet  HWaddr 00:16:B6:D9:67:51
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:51654 errors:0 dropped:0 overruns:0 frame:0
               TX packets:46825 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:44498451 (42.4 MiB)  TX bytes:43872131 (41.8 MiB)
               Interrupt:4 Base address:0x1000
    
    eth1       Link encap:Ethernet  HWaddr 00:16:B6:D9:67:53
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:0 errors:0 dropped:0 overruns:0 frame:42
               TX packets:0 errors:35 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
               Interrupt:2 Base address:0x5000
    
    lo         Link encap:Local Loopback
               inet addr:127.0.0.1  Mask:255.0.0.0
               UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
               RX packets:38 errors:0 dropped:0 overruns:0 frame:0
               TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:3409 (3.3 KiB)  TX bytes:3409 (3.3 KiB)
    
    tun11      Link encap:Point-to-Point Protocol
               inet addr:10.85.5.93  P-t-P:10.85.5.94  Mask:255.255.255.255
               UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:100
               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    vlan0      Link encap:Ethernet  HWaddr 00:16:B6:D9:67:51
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:16514 errors:0 dropped:0 overruns:0 frame:0
               TX packets:30217 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:1599809 (1.5 MiB)  TX bytes:42096370 (40.1 MiB)
    
    vlan1      Link encap:Ethernet  HWaddr 00:16:B6:D9:67:52
               inet addr:81.84.125.163  Bcast:81.84.125.255  Mask:255.255.254.0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:35135 errors:0 dropped:0 overruns:0 frame:0
               TX packets:16608 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:0
               RX bytes:41968620 (40.0 MiB)  TX bytes:1775761 (1.6 MiB)
    and my iptables:
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       0    --  anywhere             xxxxxxxxxxxxxxxxxxxxxxxxx
    DROP       0    --  anywhere             anywhere            state INVALID
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             unknown             tcp dpt:webcache
    ACCEPT     tcp  --  anywhere             unknown             tcp dpt:ssh
    ACCEPT     0    --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere            state INVALID
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    wanin      0    --  anywhere             anywhere
    wanout     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    upnp       0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain upnp (1 references)
    target     prot opt source               destination
    
    Chain wanin (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             Homeserver          tcp dpt:xxxx
    ACCEPT     tcp  --  anywhere             Homeserver          tcp dpt:xxxx
    
    Chain wanout (1 references)
    target     prot opt source               destination
    
    I know very little about routing and iptables. Maybe I need to add some rules to iptables in order to connect to work computers?

    Thank you
     
  35. occamsrazor

    occamsrazor Network Guru Member

    Hi,

    I saw you took down the binaries of 1.23vpn2.0006 from post #426, but they are now back up. Does this mean it's now considered OK to upgrade? If so...

    I was involved with you and "quinezhu" in a long discussion about the automatic firewall rules seemingly not getting applied, and other weirdness... can you clarify, under the new version firmware, what I should be putting in the init and firewall scripts?

    For example, is it now considered necessary or unnecessary to put this in the init script:

    Code:
    sleep 20
    service vpnserver1 start
    
    ## Start VPN init script
    #Generate vpnup.sh
    echo "#!/bin/sh
    killall -0 vpn\$1 2> /dev/null
    if [ \$? != 0 ]
    then
    logger \"\$0: Starting vpn\$1\"
    service vpn\$1 start
    else
    logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
    fi
    " > /tmp/vpnup.sh
    # Make vpnup.sh executable
    chmod +x /tmp/vpnup.sh
    # Schedule vpnup.sh to run every 30 minutes
    cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    ## End VPN init script
    
    ...and this in the firewall script (using 444 as example for your vpn port number):

    Code:
    iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT
    
    Thanks!
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are these work computers on the 172.16.0.0/16 subnet?
    If so, it appears it should work. Try pinging these computers from the router shell.
    If not, it doesn't look like your work VPN server is pushing out routes properly. You'll need to add a
    Code:
    route <work_subnet> <subnet_mask>
    to your Custom Config.

    Also, you do have the "NAT" checkbox checked, right?
     
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, everything seems to be fine. After I posted the binaries the first time, some additional testing resulted in unexpected results. It turned out to be due to a last minute typo that I fixed and reposted the binaries. Nobody had yet downloaded them, so I kept the same version number.
    With this release, I updated the README with my recommendation on where to place things in the different scripts. You can just have the "service vpnserver1 start" line in your init script, but a cleaner solution would be to remove the
    Code:
    sleep 20
    service vpnserver1 start
    and move the
    Code:
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    to the WAN Up script. You shouldn't need the line in the firewall script at all.
     
  38. cabexas

    cabexas LI Guru Member

    Hello,

    My work subnet isn't 172.16.0.0/16 but 10.85.0.0/16, which is also in the routing table.
    I don't know why the subnet 172.16.0.0/16 appears in the routing table.

    Yes, I've checked the NAT box in the GUI.

    Thank you
     
  39. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Odd. If the work subnet is 10.85.0.0/16, then I wonder if the VPN subnet is the 10.0.0.0/8 route that is in there. That would be very strange since they usually don't overlap. When you connect with your laptop, what address is the VPN device assigned?

    Could you go ahead and try pinging the work addresses from the router shell?
     
  40. cabexas

    cabexas LI Guru Member

    Hi,

    My mistake. After all, my laptop adds all those routes too.

    This is the routing table from my laptop connected with the OpenVPN software:
    Code:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      172.20.30.1    172.20.30.100     25
             10.0.0.0        255.0.0.0       10.85.5.94       10.85.5.93     31
            10.85.0.0      255.255.0.0       10.85.5.94       10.85.5.93     31
           10.85.5.92  255.255.255.252         On-link        10.85.5.93    286
           10.85.5.93  255.255.255.255         On-link        10.85.5.93    286
           10.85.5.95  255.255.255.255         On-link        10.85.5.93    286
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.16.0.0      255.255.0.0       10.85.5.94       10.85.5.93     31
          172.20.30.0    255.255.255.0         On-link     172.20.30.100    281
        172.20.30.100  255.255.255.255         On-link     172.20.30.100    281
        172.20.30.255  255.255.255.255         On-link     172.20.30.100    281
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link        10.85.5.93    286
            224.0.0.0        240.0.0.0         On-link     172.20.30.100    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link        10.85.5.93    286
      255.255.255.255  255.255.255.255         On-link     172.20.30.100    281
    ===========================================================================
    and this is my ipconfig

    Code:
       
    Ethernet adapter Local Area Connection 2:
    Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : TAP-Win32 Adapter V9
       Physical Address. . . . . . . . . : 00-FF-10-B0-C3-00
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::884a:debe:4f72:2425%19(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.85.5.93(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.252
       Lease Obtained. . . . . . . . . . : terça-feira, 17 de Fevereiro de 2009 19:21:52
       Lease Expires . . . . . . . . . . : quarta-feira, 17 de Fevereiro de 2010 19:21:52
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 10.85.5.94
       DNS Servers . . . . . . . . . . . : 10.80.0.50
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Wireless LAN adapter Wireless Network Connection:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
       Physical Address. . . . . . . . . : 00-1D-E0-5A-5C-19
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::b159:22ff:a807:3a74%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.20.30.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : terça-feira, 17 de Fevereiro de 2009 19:14:31
       Lease Expires . . . . . . . . . . : quarta-feira, 18 de Fevereiro de 2009 19:14:31
       Default Gateway . . . . . . . . . : 172.20.30.1
       DHCP Server . . . . . . . . . . . : 172.20.30.1
       DNS Servers . . . . . . . . . . . : 172.20.30.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    
    the log of my laptop when openvpn connects:
    Code:
    Tue Feb 17 19:21:50 2009 PUSH: Received control message: 'PUSH_REPLY,route 10.85.0.0 255.255.0.0,ping 20,ping-restart 180,dhcp-option DNS 10.80.0.50,route 10.0.0.0 255.0.0.0,route 172.16.0.0 255.255.0.0,ifconfig 10.85.5.93 10.85.5.94'
    Tue Feb 17 19:21:50 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Tue Feb 17 19:21:50 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Tue Feb 17 19:21:50 2009 OPTIONS IMPORT: route options modified
    Tue Feb 17 19:21:50 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue Feb 17 19:21:50 2009 ROUTE default_gateway=172.20.30.1
    Tue Feb 17 19:21:51 2009 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{10B0C300-33D3-4EDF-A307-1465C7085061}.tap
    Tue Feb 17 19:21:51 2009 TAP-Win32 Driver Version 9.4 
    Tue Feb 17 19:21:51 2009 TAP-Win32 MTU=1500
    Tue Feb 17 19:21:51 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.85.5.93/255.255.255.252 on interface {10B0C300-33D3-4EDF-A307-1465C7085061} [DHCP-serv: 10.85.5.94, lease-time: 31536000]
    Tue Feb 17 19:21:51 2009 Successful ARP Flush on interface [19] {10B0C300-33D3-4EDF-A307-1465C7085061}
    Tue Feb 17 19:21:53 2009 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Tue Feb 17 19:21:53 2009 C:\WINDOWS\system32\route.exe ADD 10.85.0.0 MASK 255.255.0.0 10.85.5.94
    Tue Feb 17 19:21:53 2009 C:\WINDOWS\system32\route.exe ADD 10.0.0.0 MASK 255.0.0.0 10.85.5.94
    Tue Feb 17 19:21:53 2009 C:\WINDOWS\system32\route.exe ADD 172.16.0.0 MASK 255.255.0.0 10.85.5.94
    Tue Feb 17 19:21:53 2009 Initialization Sequence Completed
    It seems to me that the setup is the same.

    If I ping a machine from the router shell, I get this:
    ping: bad address 'des.dc.iol.pt'

    If I ping from my laptop connected with the OpenVPN software, I get a reply.

    Any ideas?

    Thank you so much for all the help
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Have you tried to ping an ip address on the work LAN? It could be that the routes are fine (and as you say, they seem the same as the working configuration), but DNS isn't quite right.

    If pinging the address that belongs to des.dc.iol.pt works, but nslookup des.dc.iol.pt fails, then we'll need to start looking into DNS. I've never set up a DNS over OpenVPN setup before, so I'll be learning as well.
     
  42. cabexas

    cabexas LI Guru Member

    Hi,

    I was just doing that.

    I can ping an IP address, but if I use the name of the server it doesn't resolve, so it's a problem with DNS, I think.

    I'm trying to resolve it; if anyone knows something about it, please help me.

    Thank you SgtPepperKSU for all the help
     
  43. redcow

    redcow LI Guru Member

    Is it normal to have only a 640KB jffs2 partition on my Linksys WRT54GL 1.1? I remember I once had >1MB (on another build)?
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, I've researched DNS options over OpenVPN a little, and it seems that pushing DHCP options (such as DNS) from VPN server to clients is only supported natively for Windows clients.

    However, it can be accomplished by writing custom up and down scripts. I've written (not tested) the following that I believe would work on the router.

    Init script (requires router reboot):
    Code:
    echo "#!/bin/sh
    mv /etc/resolv.dnsmasq /etc/resolv.dnsmasq.orig
    
    for OPTION in \`set | egrep 'foreign_option_[[:digit:]]+ *=' | cut -d\"=\" -f 1\`
    do
      if [ \"\`eval echo \\\\\\\$\\\$OPTION | grep DNS | wc -w\`\" -ne \"0\" ]; then
        eval echo \\\$\$OPTION | sed -e 's/dhcp-option DNS/nameserver/g' >> /etc/resolv.dnsmasq
      fi
      if [ \"\`eval echo \\\\\\\$\\\$OPTION | grep DOMAIN | wc -w\`\" != \"0\" ]; then
        eval echo \\\$\$OPTION | sed -e 's/dhcp-option DOMAIN/search/g' >> /etc/resolv.dnsmasq
      fi
    done
    if [ ! -f /etc/resolv.dnsmasq ]; then mv /etc/resolv.dnsmasq.orig /etc/resolv.dnsmasq; fi
    " > /tmp/up.sh
    chmod +x /tmp/up.sh
    
    echo "#!/bin/sh
    if [ -f /etc/resolv.dnsmasq.orig ]; then mv /etc/resolv.dnsmasq.orig /etc/resolv.dnsmasq; fi
    " > /tmp/down.sh
    chmod +x /tmp/down.sh
    Custom Config:
    Code:
    up /tmp/up.sh
    down /tmp/down.sh
    If you try this, definitely let me know how it goes.
     
  45. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's what I'm seeing as well. I'm afraid adding software uses space. What build were you seeing >1MB with?
     
  46. cabexas

    cabexas LI Guru Member

    I don't understand what these scripts do, but I will give it a try anyway.

    I've put the first script to build the shell scripts in the init script, and indeed they are created.

    The 2 lines that I should put in the VPN client custom configuration give me an error:
    Code:
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: PUSH: Received control message: 'PUSH_REPLY,route 10.85.0.0 255.255.0.0,ping 20,ping-restart 180,dhcp-option DNS 10.80.0.50,route 10.0.0.0 255.0.0.0,route 172.16.0.0 255.255.0.0,ifconfig 10.85.5.93 10.85.5.94'
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: OPTIONS IMPORT: route options modified
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: TUN/TAP device tun11 opened
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: TUN/TAP TX queue length set to 100
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: /sbin/ifconfig tun11 10.85.5.93 pointopoint 10.85.5.94 mtu 1500
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: /tmp/up.sh tun11 1500 1542 10.85.5.93 10.85.5.94 init
    Feb 17 23:24:24 unknown daemon.warn openvpn[418]: openvpn_execve: external program may not be called due to setting of --script-security level
    Feb 17 23:24:24 unknown daemon.err openvpn[418]: script failed: external program fork failed
    Feb 17 23:24:24 unknown daemon.notice openvpn[418]: Exiting
    Feb 17 23:25:05 unknown user.warn kernel: nvram_commit(): init
    Feb 17 23:25:07 unknown user.warn kernel: nvram_commit(): end
    Feb 17 23:25:09 unknown daemon.err openvpn[433]: Options error: Unrecognized option or missing parameter(s) in client1.ovpn:19: /tmp/up.sh (2.1_rc13)
    Feb 17 23:25:09 unknown daemon.warn openvpn[433]: Use --help for more information.
    after this error, the vpn is down.
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Ah, you will also have to add
    Code:
    script-security 2
    It is a new-ish setting to OpenVPN where the default doesn't allow the running of scripts such as the ones we're creating.

    And, I'm sorry about not explaining what the scripts do. On non-Windows systems, the DHCP options that are natively set on Windows are set into environment variables (foreign_option_*) instead. That is done so you can do something with them yourself in an up script (as I'm attempting to do). The script grabs all of the foreign_option_* variables that are set, checks them to see if they're options my script recognizes (I think I've covered the only 2 cases that will appear), translates them to the proper form for dnsmasq, and puts them in resolv.dnsmasq (where DNS entries live). The down script just puts the old settings back.
     
  48. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay. Further research and testing has led me to believe I'm on the right track. Even if it isn't what your problem is (I think/hope it will fix things for you, though), I'm convinced it is something that can be useful to someone.

    So..... (this is a more complete, cleaned up version of what I posted before)

    To accept DHCP options from the VPN server (like DNS or DOMAIN settings), add the following to the Custom Config on the client:
    Code:
    script-security 2
    up up.sh
    down down.sh
    Then, you have an option of one of the following:
    • If you want to use the VPN server's DNS rules first, and the existing rules if that fails, add the following to your INIT script:
      Code:
      mkdir /etc/openvpn
      echo "#!/bin/sh
      for OPTION in \`set | egrep 'foreign_option_[[:digit:]]+ *=' | cut -d\"=\" -f 1\`; do
        if [ \"\`eval echo \\\\\\\$\\\$OPTION | grep DNS | wc -w\`\" -ne \"0\" ]; then
          sed -i /etc/resolv.dnsmasq -e \"1i \`eval echo \\\\\\\$\\\$OPTION | sed -e 's/dhcp-option DNS/nameserver/g'\` # VPN \$1\"
        fi
        if [ \"\`eval echo \\\\\\\$\\\$OPTION | grep DOMAIN | wc -w\`\" != \"0\" ]; then
          sed -i /etc/resolv.dnsmasq -e \"1i \`eval echo \\\\\\\$\\\$OPTION | sed -e 's/dhcp-option DOMAIN/search/g'\` # VPN \$1\"
        fi
      done
      " > /etc/openvpn/up.sh
      chmod +x /etc/openvpn/up.sh
      echo "#!/bin/sh
      sed -i /etc/resolv.dnsmasq -e \"/# VPN \$1/d\"
      " > /etc/openvpn/down.sh
      chmod +x /etc/openvpn/down.sh
      
    • If you want to use the existing DNS rules first, and the VPN server's rules if that fails, add the following to your INIT script:
      Code:
      mkdir /etc/openvpn
      echo "#!/bin/sh
      for OPTION in \`set | egrep 'foreign_option_[[:digit:]]+ *=' | cut -d\"=\" -f 1\`; do
        if [ \"\`eval echo \\\\\\\$\\\$OPTION | grep DNS | wc -w\`\" -ne \"0\" ]; then
          echo \"\`eval echo \\\\\\\$\\\$OPTION | sed -e 's/dhcp-option DNS/nameserver/g'\` # VPN \$1\" >> /etc/resolv.dnsmasq
        fi
        if [ \"\`eval echo \\\\\\\$\\\$OPTION | grep DOMAIN | wc -w\`\" != \"0\" ]; then
          echo \"\`eval echo \\\\\\\$\\\$OPTION | sed -e 's/dhcp-option DOMAIN/search/g'\` # VPN \$1\" >> /etc/resolv.dnsmasq
        fi
      done
      " > /etc/openvpn/up.sh
      chmod +x /etc/openvpn/up.sh
      echo "#!/bin/sh
      sed -i /etc/resolv.dnsmasq -e \"/# VPN \$1/d\"
      " > /etc/openvpn/down.sh
      chmod +x /etc/openvpn/down.sh
      

    If anyone uses this method, please post with the results.
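The same foreign_option_* translation that the up/down scripts in this post and the previous one perform, rewritten as an added example for this thread (it is not SgtPepperKSU's script and not part of the firmware): each line it adds is tagged "# VPN <device>" so the down side removes exactly those lines, both orderings (VPN DNS first or last) are supported, and the dnsmasq reload is the "killall -SIGHUP dnsmasq" used later in the thread. The resolver file path, the foreign_option values and the addresses below are constructed test inputs.

```shell
#!/bin/sh
# Added example for this thread, not SgtPepperKSU's script: translate the
# foreign_option_N variables OpenVPN exports to its --up script into
# resolv.dnsmasq lines tagged "# VPN <dev>", and strip them again on --down.
# The resolver file path is a parameter so the functions can be exercised on a
# constructed file instead of the router's real /etc/resolv.dnsmasq.

# Print one resolver line per recognised pushed option, tagged with the tunnel
# device. OpenVPN numbers foreign_option_1, foreign_option_2, ... contiguously,
# so walking upward until an unset one is found covers them all.
vpn_dns_lines() {
    dev="$1"
    i=1
    while :; do
        eval "opt=\${foreign_option_$i}"      # value of foreign_option_N (empty if unset)
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#"dhcp-option DNS "} # VPN $dev" ;;
            "dhcp-option DOMAIN "*) echo "search ${opt#"dhcp-option DOMAIN "} # VPN $dev" ;;
            *) ;;                               # WINS and other pushed options are ignored
        esac
        i=$((i + 1))
    done
}

# Insert the VPN resolvers into file $1 for device $2; $3 is "first" (VPN DNS
# tried first, the first INIT variant) or "last" (the second INIT variant).
vpn_dns_up() {
    resolv="$1"; dev="$2"; where="${3:-first}"
    lines=$(vpn_dns_lines "$dev")
    [ -n "$lines" ] || return 0               # nothing pushed: leave the file alone
    if [ "$where" = first ]; then
        { printf '%s\n' "$lines"; cat "$resolv"; } > "$resolv.tmp"
    else
        { cat "$resolv"; printf '%s\n' "$lines"; } > "$resolv.tmp"
    fi
    mv "$resolv.tmp" "$resolv"
}

# Remove exactly the lines tagged for device $2 from file $1, leaving everything
# else (including another tunnel's entries) untouched.
vpn_dns_down() {
    resolv="$1"; dev="$2"
    grep -v "# VPN $dev\$" "$resolv" > "$resolv.tmp" || true   # grep -v exits 1 if nothing is left
    mv "$resolv.tmp" "$resolv"
}

# dnsmasq re-reads resolv.dnsmasq on SIGHUP. A real up/down script would call
# this after editing the file; it does nothing where dnsmasq is not running.
vpn_dns_reload() {
    if pidof dnsmasq >/dev/null 2>&1; then killall -HUP dnsmasq; fi
}

# Stand-alone demonstration on constructed data (sample addresses, not real).
demo() {
    dir=$(mktemp -d)
    printf 'nameserver 212.113.164.55\nnameserver 212.113.164.54\n' > "$dir/resolv.dnsmasq"
    foreign_option_1='dhcp-option DNS 10.80.0.50'       # shaped like the PUSH_REPLY in the logs
    foreign_option_2='dhcp-option DOMAIN corp.example'  # constructed domain
    vpn_dns_up "$dir/resolv.dnsmasq" tun11 first
    echo "--- after up:";   cat "$dir/resolv.dnsmasq"
    vpn_dns_down "$dir/resolv.dnsmasq" tun11
    echo "--- after down:"; cat "$dir/resolv.dnsmasq"
    rm -rf "$dir"
}
demo
```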
     
  49. Duffman19

    Duffman19 Addicted to LI Member

    Hi guys, I'm wondering if you can help me. I want to get the VPN working on my router but I'm having an issue that I can't figure out. I'm a complete Linux noob so be nice :D

    Right, I've installed the firmware and set the interface type to TAP, the protocol to UDP, the port to default and set it to static key.

    The encryption is set to default and the compression is enabled. I've then pasted in a static key which I generated using the generate key option from a Windows installation of OpenVPN... however I get the following error in my log when I try to start the VPN service...

    Feb 18 08:23:12 Duff user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Feb 18 08:23:12 Duff user.info kernel: device tap21 entered promiscuous mode
    Feb 18 08:23:12 Duff user.info kernel: br0: port 3(tap21) entering learning state
    Feb 18 08:23:12 Duff user.info kernel: br0: port 3(tap21) entering forwarding state
    Feb 18 08:23:12 Duff user.info kernel: br0: topology change detected, propagating
    Feb 18 08:23:12 Duff daemon.notice openvpn[6103]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Dec 14 2008
    Feb 18 08:23:12 Duff daemon.warn openvpn[6103]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Feb 18 08:23:12 Duff daemon.err openvpn[6103]: Insufficient key material or header text not found found in file 'server1-static.key' (0/128/256 bytes found/min/max)
    Feb 18 08:23:12 Duff daemon.notice openvpn[6103]: Exiting
    Feb 18 08:23:12 Duff user.info kernel: br0: port 3(tap21) entering disabled state
    Feb 18 08:23:12 Duff user.info kernel: br0: port 3(tap21) entering disabled state

    The error suggests something is wrong with the static key? I'm sure it's something simple but most of the stuff on this thread and on the openvpn site is over my head :(

    Thanks
    Steve
     
  50. cabexas

    cabexas LI Guru Member

    Hello again,

    SgtPepperKSU, you are on the right track.

    I've tried your suggestion, using my DNS first and the VPN's if that fails, and the first time I tried it, it worked. Then I rebooted my router, and it never worked again...

    I also tried using the VPN DNS first, but without success.
    It's really strange that it only worked once.

    Here is my log:

    Code:
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: PUSH: Received control message: 'PUSH_REPLY,route 10.85.0.0 255.255.0.0,ping 20,ping-restart 180,dhcp-option DNS 10.80.0.50,route 10.0.0.0 255.0.0.0,route 172.16.0.0 255.255.0.0,ifconfig 10.85.5.93 10.85.5.94'
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: OPTIONS IMPORT: route options modified
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: TUN/TAP device tun11 opened
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: TUN/TAP TX queue length set to 100
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: /sbin/ifconfig tun11 10.85.5.93 pointopoint 10.85.5.94 mtu 1500
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: up.sh tun11 1500 1542 10.85.5.93 10.85.5.94 init
    Feb 18 09:44:10 unknown daemon.notice openvpn[391]: /sbin/route add -net 10.85.0.0 netmask 255.255.0.0 gw 10.85.5.94
    Feb 18 09:44:10 unknown daemon.info dnsmasq[146]: reading /etc/resolv.dnsmasq
    Feb 18 09:44:10 unknown daemon.info dnsmasq[146]: using nameserver 212.113.164.47#53
    Feb 18 09:44:10 unknown daemon.info dnsmasq[146]: using nameserver 212.113.164.54#53
    Feb 18 09:44:10 unknown daemon.info dnsmasq[146]: using nameserver 212.113.164.55#53
    Feb 18 09:44:10 unknown daemon.info dnsmasq[146]: using nameserver 10.80.0.50#53
    Feb 18 09:44:11 unknown daemon.notice openvpn[391]: /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.85.5.94
    Feb 18 09:44:11 unknown daemon.notice openvpn[391]: /sbin/route add -net 172.16.0.0 netmask 255.255.0.0 gw 10.85.5.94
    
    It seems to me that everything is ok. Any ideas?
     
  51. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Can you check the contents of /etc/resolv.dnsmasq while the VPN is connected? You can redact the actual IP addresses if you'd like. I'm really just interested in the presence of lines with "# VPN" comments and lines without it.
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Be sure that when you paste the static key into the GUI, you include everything between (and including) the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines. Does the key that you have entered match what I've described?
     
  53. superchc

    superchc Addicted to LI Member

    Brother, I find that your new version of Tomato with OpenVPN is released. Do you think you will include snmpd in your next version? VPN with monitoring tools is perfect!
     
  54. cabexas

    cabexas LI Guru Member

    Hello,

    Looking at the log, I can see that /etc/resolv.dnsmasq contains all the DNS servers, but I will check it again.

    Right now I'm at work and can't access the router, but when I get home I will tell you how it goes.

    Thanks a lot :thumbup:
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't know anything about SNMP, so I wouldn't know what features would be desirable or have the ability/desire to test it. If someone else were to create a branch in the git repository that implements SNMP on Tomato, it would be trivial to merge the two.
     
  56. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For what it is worth, I have had a tunnel running (routed, UDP, TLS) for a couple of days now with no keepalive timeouts using 1.23vpn2.0006. It seems the downgrade to OpenVPN-2.1rc13 has fixed that issue (at least for me).

    If anyone sees differently, let me know.
     
  57. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Also, I've finally gotten around to trying my previous suggestion (as linked to in the original post) on how to achieve a two-way site-to-site configuration.

    It worked like a charm, so I thought I'd recap here what I did.
    NOTE: this is for TLS only. I have not tested my suggestion for two-way site-to-site Static-Key mode. If anyone else has, let me know.

    In my server router's INIT script, I added
    Code:
    mkdir /etc/openvpn
    mkdir /etc/openvpn/ccd
    
    echo "iroute <subnet1> <netmask1>" > /etc/openvpn/ccd/<commonname1>
    echo "iroute <subnet2> <netmask2>" > /etc/openvpn/ccd/<commonname2>
    
    In my server's custom config I added
    Code:
    client-config-dir ccd
    route <subnet1> <netmask1>
    route <subnet2> <netmask2>
    
    If you want the clients to be able to "see" each other, just add the following to the server's Custom Config:
    Code:
    client-to-client
    push "route <subnet1> <netmask1>"
    push "route <subnet2> <netmask2>"
    
    Now that I've tested this configuration, I plan to implement it (optionally) in the GUI when I find time to do so.
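    As an added example (my own, not SgtPepperKSU's code or part of the build), here is a POSIX shell script that generates the ccd/iroute files and the matching server Custom Config lines for the two-way site-to-site TLS setup in this post. The site names, subnets and the CCD_DIR path are constructed placeholders (on the router the directory would be /etc/openvpn/ccd as above). It goes slightly beyond the post by checking that each common name is safe to use as a file name, since OpenVPN looks up the ccd file by the client certificate's CN.

```shell
#!/bin/sh
# Added example, not SgtPepperKSU's code: build the client-config-dir entries and
# the server Custom Config lines for a two-way site-to-site TLS setup.
# Site names, subnets and CCD_DIR are constructed placeholders.

# One site per line: "<commonname> <subnet> <netmask>" (constructed sample).
SITES='site1 10.10.1.0 255.255.255.0
site2 10.10.2.0 255.255.255.0'

# The ccd file name is the client certificate's common name, so only accept
# names that are safe as plain file names (no slashes, spaces or dot-dirs).
valid_cn() {
    case "$1" in
        ''|.|..|*/*|*' '*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Dotted-quad check with every octet in 0..255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# write_ccd DIR: write one "iroute <subnet> <netmask>" file per site into DIR.
# Stops and returns non-zero at the first invalid entry.
write_ccd() {
    mkdir -p "$1" || return 1
    printf '%s\n' "$SITES" | while read -r cn subnet mask; do
        [ -n "$cn" ] || continue
        if ! valid_cn "$cn" || ! valid_ipv4 "$subnet" || ! valid_ipv4 "$mask"; then
            echo "write_ccd: rejected entry '$cn $subnet $mask'" >&2
            exit 1    # leaves the pipeline subshell; write_ccd returns its status
        fi
        printf 'iroute %s %s\n' "$subnet" "$mask" > "$1/$cn"
    done
}

# server_config [c2c]: print the lines for the server's Custom Config. With the
# argument "c2c" also add client-to-client and push every site route to the clients.
server_config() {
    echo "client-config-dir ccd"
    printf '%s\n' "$SITES" | while read -r cn subnet mask; do
        [ -n "$cn" ] || continue
        printf 'route %s %s\n' "$subnet" "$mask"
    done
    if [ "$1" = c2c ]; then
        echo "client-to-client"
        printf '%s\n' "$SITES" | while read -r cn subnet mask; do
            [ -n "$cn" ] || continue
            printf 'push "route %s %s"\n' "$subnet" "$mask"
        done
    fi
}

# Stand-alone run: build the ccd tree in CCD_DIR (placeholder path) and print the config.
CCD_DIR=${CCD_DIR:-/tmp/openvpn-ccd-example}
write_ccd "$CCD_DIR" && server_config c2c
```

    On the router you would run write_ccd against /etc/openvpn/ccd from the Init script and paste the printed lines into the server's Custom Config; drop the c2c argument if the client sites should not see each other.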
     
  58. cabexas

    cabexas LI Guru Member


    Here it is:
    Code:
    cat /etc/resolv.dnsmasq
    nameserver 212.113.164.55
    nameserver 212.113.164.54
    nameserver 212.113.164.47
    nameserver 10.xxx.xxx.xxx # VPN tun11
    
     
  59. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, I can't give you more direction, but could you play around with the contents of that file some? Try removing and/or reordering the entries, performing the following commands between each change:
    Code:
    killall -SIGHUP dnsmasq
    nslookup des.dc.iol.pt
    
    The first command tells dnsmasq to clear its cache and reload the resolv.dnsmasq file, and the nslookup does a simple DNS lookup. If you can find a way to get it to consistently work, I'll be able to change the script to match.

    It could be something simple like dnsmasq only reads the first 3 nameserver entries, or my # VPN... comment is screwing things up - I'm just not sure.

    Let me know how it goes.
     
  60. cabexas

    cabexas LI Guru Member

    I was doing some quick tests when I remembered to try your first script (the one below) again to see if it worked. And it works... The /etc/resolv.dnsmasq has only one line, which is my VPN DNS!

    Before reverting to your first script, I tried changing resolv.dnsmasq and restarting dnsmasq, but without success.

    For me, I think this is enough; maybe it's not the best solution, but it works for me. :)

    Thank you all
     
  61. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That was going to be my next suggestion :smile: I was trying to avoid going back to that script, though, since it will only work with a single VPN client running. The other two would work with multiple clients running.

    I guess I'll have to brush up on dnsmasq to determine what needs to be done to get the later scripts doing what needs to be done.

    Glad it's working for you, though. You probably aren't concurrently connecting with two clients, but be mindful that that script may cause odd DNS behavior if you do.
     
  62. cabexas

    cabexas LI Guru Member

    Hello,

    I'm only using one client, so that's no problem for me.
    Meanwhile, I was surfing the net and reading about dnsmasq.
    In the man page, I found an option that may be useful, which is:

    I will try that when I get home, but I don't know where the dnsmasq configuration file is. I will search for it and try that option, but I'm not sure if that can resolve my problem.

    Thanks
     
  63. quinezhu

    quinezhu Addicted to LI Member

    Thanks a lot, it solved my problem. :)
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! Glad to hear it.
     
  65. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just thought of one more thing I'd like you to try. Could you try one of the later two scripts I provided, replacing all instances of /etc/resolv.dnsmasq with /etc/resolv.conf? Before I was trying to insert the new DNS entries into the router's internal caching DNS server, but this change will make it bypass that altogether for the VPN DNS.
     
  66. gregg098

    gregg098 LI Guru Member



    Well, I finally got a chance to try this version out and I'm still having the same problems with UDP connections.

    This is my connection log:
    On my router, I have Server 1 as TCP, Server 2 as UDP. Both are TAP, Firewall: Automatic, TLS, HMAC disabled, DHCP, default encryption cipher, compression enabled and the same exact keys.

    My client script looks like this:

    The TCP version (the only change is udp to tcp-client) works perfectly. UDP gives me what it says above. Any ideas? I've cleared the NVRAM, tried static keys, and all sorts of things, but I ALWAYS get that same error for UDP connections no matter what version I try.

    Thanks.
     
  67. occamsrazor

    occamsrazor Network Guru Member

    Has anyone actually used the "ND" version of this mod on a Buffalo WHR-G54s? Last time I tried the ND drivers with the roadkill mod it almost bricked my router, but am just wondering if they should in theory work, or whether I'm best sticking without them.
     
  68. humba

    humba Network Guru Member

    If that's really true then it's no wonder it ain't working. First, I'm wondering if you can really run two instances on the same port but different protocols, and then there's the little matter of using the same tap interface twice, which definitely doesn't work (ran into this problem just last week..).

    And of course, server logs should be looked at as well.. and why are you using a 2.09 OpenVPN client but a 2.1 OpenVPN server?

    @SgtPepperKSU: Seems I managed to fix my problem.. I removed one tap interface (the one I added to have a connection over the Internet) and used the previous tap interface for the connection over the Internet. The tunnel still started acting a bit funny after several hours, but the guys on the OpenVPN mailing list pointed out you should do UDP whenever possible, so I switched to UDP (port 53 so I could connect from outside despite the firewall) and the tunnel has been running stable since then.
     
  69. gregg098

    gregg098 LI Guru Member


    This was how I tested the new version. Disabling the TCP server had no effect. I had tried to setup the UDP server this way by itself since the first VPN GUI Tomato came out.

    Do you have a suggested config for UDP that differs from mine?

    EDIT: I just installed a 2.1 client and I still get the same results. I'm stumped on this.
     
  70. humba

    humba Network Guru Member

    Well.. for starters I'd really look at the server side logs.. see if the device gets any packets at all, and what it does with them.
     
  71. gregg098

    gregg098 LI Guru Member

    OK, so I got a UDP connection to work. I can't use port 443, no matter whether the TCP server is set up or not. And second, I added "float" to the client config.

    I guess that will work for now. I can connect to the TCP server from work since TCP 443 is the only route I can go, then UDP from everywhere else.

    Thanks for all the help.
     
  72. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad you figured something out. So UDP port 443 doesn't work from anywhere (not just from work)?
     
  73. humba

    humba Network Guru Member

    By the way.. for my workplace I also have to deal with some port limitations, but I found that UDP 53 (that's the port for DNS queries) was open.. whereas TCP 443 soon has to go through a proxy with domain authentication (not that OpenVPN cannot handle that, but you need to use a separate file that contains the credentials for the proxy, and then I don't trust the proxy not to slow things down).
    Unless you are forced to use only internal DNS servers, UDP 53 is a viable alternative to TCP 443.
     
  74. gregg098

    gregg098 LI Guru Member

    You are correct. UDP port 443 does not work for me at all. I have no port forwards or anything else that would take precedence over that port.

    Just playing around, I found something interesting. Whether the VPN server is set for port 443 or not, I get the same Connection reset by peer error. I discovered this by accident when trying different ports. I stopped the server, changed the port to 112, saved, started the server, then tried to connect and got the same message. The problem is that I forgot to change my client config to 1123. It still said 443. Changing the client port to 443 connected with no problems on UDP.

    I then tried a router reboot with the server set to start on UDP port 1123. Same thing. If I set my client to any other port, it doesn't connect at all. 443 still tries to connect it seems, but I get the connection reset by peer. Any ideas?
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Port 443 is the default port for HTTPS traffic. You don't happen to have remote access to the web GUI set to HTTPS, do you?
     
  76. gregg098

    gregg098 LI Guru Member

    No I do not. I access the GUI via SSH or VPN over port 80.
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, if you don't have HTTPS enabled (over either WAN or LAN), then I don't have any more ideas. :frown:
     
  78. gregg098

    gregg098 LI Guru Member

    So with all my playing around, I apparently fixed the problem. How? No idea. But connections to UDP port 443 now work. I can't figure out anything I did differently from before, but it works.

    Thank you all for the help.
     
  79. besonen

    besonen LI Guru Member

  80. quinezhu

    quinezhu Addicted to LI Member

    I've made a Linksys WRT54GS v1 a vpnclient in router mode. It has run OK for the past several days, except that the vpnclient sometimes displays a strange GUI (it restores to the normal display after I switch between some GUIs repeatedly); also the machine behind the router works fine.

    (Screenshots attached to the post, not preserved here: "strange GUI_1-2", "strange GUI_1", "normal GUI".)


    But today the machine failed to surf even though the router's WAN status was OK, and then I found it couldn't ping the router and vice versa, even after a cold reboot. The machine's connection status (including IP, subnet mask, default gateway, DHCP, DNS and WINS server) was OK. I tried to add a new machine to the vpnclient network but it still failed, even though the router had assigned an IP to it in the Device List of the GUI.

    It will restore to work normally after I stop the vpnclient in GUI, and malfunction again after I start it. :confused:
     

  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Those extra fields that are showing up should be hidden/visible based on the other settings. What browser are you using? If it has a javascript error console, could you look there when you load the page to see if any errors show up?
    I don't think I understand what you're saying is wrong here. Is it that the VPN tunnel apparently went down? If so, could you check the router logs to see if anything relevant appeared?
     
  82. quinezhu

    quinezhu Addicted to LI Member

    I'm using IE6; where do I find the javascript error console?


    The VPN tunnel is OK, but it makes the LAN behind the router only appear "connected", so I have to stop it. Right now the router is not at hand; I'll check the log tomorrow.
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    IE6 doesn't appear to have a console.
    Make sure in your "Internet Options"->"Advanced", the "Display a notification about every script error" option is selected, and see if an error pops up when you load the page (with the display problems).
     
  84. jza80

    jza80 Network Guru Member

    I'm currently using roadkill vpn mod (1.19.1464). If I want to move to your mod, is there anything I need to change in my server config?

    I read your post about the settings, but I'm confused as to what I need to put into the gui and what goes in custom.


    My current config looks like this. It's a client (laptop) to server (router) config.

    init:

    sleep 5
    insmod tun.o



    firewall:

    iptables -I INPUT 1 -p udp --dport 60250 -j ACCEPT



    WAN up:

    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up

    echo "
    mode server
    proto udp
    port 60250
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo

    client-to-client

    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf

    echo "
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----

    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----

    -----END DH PARAMETERS-----
    " > dh1024.pem

    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
     
  85. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you don't want to use the GUI, everything should work just how you have it. However, you would also have the option to use the GUI.
    For your setup, everything would be configurable via the GUI. You wouldn't need anything in the Custom Config section (client-to-client is not available via the GUI, but I don't think it's doing anything for you anyway).

    The only custom stuff you should need is if you want the VPN to start automatically on router reboot, and that is covered in the README.
     
  86. quinezhu

    quinezhu Addicted to LI Member

    THX~ I checked it and found that no errors popped up before the VPN Client GUI displayed the extra fields, with the characters <input type='button' value='Save' id='sav at the bottom instead of the "Save" and "Cancel" buttons.

    Sometimes errors pop up when entering the VPN Client GUI, and finally the GUI displays normally without the extra fields.

    Btw, I've found the reason why the LAN behind the vpnclient router only appears "connected". I forgot to specify an iroute command in the client-config-dir on the vpnserver, which resulted in a wrong route within the vpnclient network. :redface:
     

  87. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It sounds to me like some of the page data is being dropped somewhere along the way. Could you look at the page source (and save it somewhere) on the different times you load the page (and get different results) to see if the source is changing? I think you'll find that some of the text is disappearing. If that's the case, I'm not sure what to do about it... When was the last time you performed an NVRAM (thorough) clear?

    Glad you found the solution :smile:
     
  88. quinezhu

    quinezhu Addicted to LI Member

    I did a 30-second reset-button hold before upgrading to 1.23vpn2.0006; that should be an NVRAM clear? :confused: As for the text disappearing, it may be caused by the way I SSHed to the vpnclient router remotely. I'll check it locally next time.
     
  89. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For future reference, it is actually more helpful to do an NVRAM clear after upgrading (though, I guess it doesn't hurt to do it before).

    Though, viewing the page over an SSH tunnel is a more likely suspect for your troubles.
     
  90. quinezhu

    quinezhu Addicted to LI Member

    Also, I started vpnserver1 on this router with a static key. My WM phone works fine as a vpnclient to it. But I found a recurring error in the log when no vpnclient is logged on, which I'm afraid is occupying too much RAM.

    Code:
    Feb 25 00:24:26 unknown daemon.notice openvpn[448]: UDPv4 link local (bound): [undef]:xxxx
    Feb 25 00:24:26 unknown daemon.notice openvpn[448]: UDPv4 link remote: [undef]
    Feb 25 00:25:26 unknown daemon.notice openvpn[448]: Inactivity timeout (--ping-restart), restarting
    Feb 25 00:25:26 unknown daemon.notice openvpn[448]: TCP/UDP: Closing socket
    Feb 25 00:25:26 unknown daemon.notice openvpn[448]: Closing TUN/TAP interface
    Feb 25 00:25:26 unknown daemon.notice openvpn[448]: SIGUSR1[soft,ping-restart] received, process restarting
    Feb 25 00:25:26 unknown daemon.notice openvpn[448]: Restart pause, 2 second(s)
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: LZO compression initialized
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: TUN/TAP device tap21 opened
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: TUN/TAP TX queue length set to 100
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: UDPv4 link local (bound): [undef]:xxxx
    Feb 25 00:25:28 unknown daemon.notice openvpn[448]: UDPv4 link remote: [undef]
    Feb 25 00:25:52 unknown daemon.notice openvpn[448]: Peer Connection Initiated with x.x.x.x:x
    Feb 25 00:25:53 unknown daemon.notice openvpn[448]: Initialization Sequence Completed
    Feb 25 00:26:03 unknown daemon.info dnsmasq[141]: DHCPDISCOVER(br0) xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:03 unknown daemon.info dnsmasq[141]: DHCPOFFER(br0) 192.168.1.7 xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:03 unknown daemon.info dnsmasq[141]: DHCPDISCOVER(br0) xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:03 unknown daemon.info dnsmasq[141]: DHCPOFFER(br0) 192.168.1.7 xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:03 unknown daemon.info dnsmasq[141]: DHCPDISCOVER(br0) xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:03 unknown daemon.info dnsmasq[141]: DHCPOFFER(br0) 192.168.1.7 xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:06 unknown daemon.info dnsmasq[141]: DHCPDISCOVER(br0) xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:06 unknown daemon.info dnsmasq[141]: DHCPOFFER(br0) 192.168.1.7 xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:07 unknown daemon.info dnsmasq[141]: DHCPREQUEST(br0) 192.168.1.7 xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:07 unknown daemon.info dnsmasq[141]: DHCPACK(br0) 192.168.1.7 xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:08 unknown daemon.info dnsmasq[141]: DHCPREQUEST(br0) 192.168.1.7 xx:xx:xx:xx:xx:xx 
    Feb 25 00:26:08 unknown daemon.info dnsmasq[141]: DHCPACK(br0) 192.168.1.7 xx:xx:xx:xx:xx:xx 
    Feb 25 00:30:25 unknown daemon.notice openvpn[448]: Inactivity timeout (--ping-restart), restarting
    Feb 25 00:30:25 unknown daemon.notice openvpn[448]: TCP/UDP: Closing socket
    Feb 25 00:30:25 unknown daemon.notice openvpn[448]: Closing TUN/TAP interface
    Feb 25 00:30:25 unknown daemon.notice openvpn[448]: SIGUSR1[soft,ping-restart] received, process restarting
    Feb 25 00:30:25 unknown daemon.notice openvpn[448]: Restart pause, 2 second(s)
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: LZO compression initialized
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: TUN/TAP device tap21 opened
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: TUN/TAP TX queue length set to 100
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: UDPv4 link local (bound): [undef]:xxxx
    Feb 25 00:30:27 unknown daemon.notice openvpn[448]: UDPv4 link remote: [undef]
    Feb 25 00:31:27 unknown daemon.notice openvpn[448]: Inactivity timeout (--ping-restart), restarting
    Client config file on my WM phone
    Code:
    dev tap0
    secret "\\Program Files\\OpenVPN\\config\\key.txt"
    proto udp
    remote x.x.x xxxx
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float
    Server config file
    Code:
    # Automatically generated configuration
    daemon
    proto udp
    port xxxx
    dev tap21
    comp-lzo yes
    keepalive 15 60
    verb 3
    secret server1-static.key
    status-version 2
    status server1.status
    
    # Custom Configuration
    
     
  91. quinezhu

    quinezhu Addicted to LI Member

    Yes, I recall that I did the NVRAM clear before and after the upgrade.
     
  92. occamsrazor

    occamsrazor Network Guru Member

    Hi, trying to upgrade to the latest binary, but I am unable to download the file "tomatovpn-1.23vpn2.0006.7z" from the Mediafire link in the first post. I can download the other files (ND version, docs, etc) but not this one; the download just hangs... Is it just me? Thanks...
     
  93. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just tried it, and it hung for me as well. I show a lot of people have downloaded it, though, so I think it is just a temporary problem. Please check back later. If it is still acting up later when I get home from work, I'll post an alternate link.
     
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm surprised to see those inactivity timeouts. I have not been able to recreate them since I downgraded OpenVPN in this last release. :confused:

    When you say "no vpnclient logged on", do you mean there is no client connected at the time, or that there is a client connected but it has been connected for a while? If it is the latter, those messages are just due to the inactivity timeout.
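    To tell the two cases apart from the router log itself, here is an added example (my own, not from this thread or the build) that summarises "ping-restart" cycles in a syslog excerpt: a restart with no "Peer Connection Initiated" since the previous one is an idle cycle, while a restart after a peer had connected means a live client dropped. The sample lines are constructed to match the layout of the log quinezhu posted above (the port and peer address are placeholders).

```shell
#!/bin/sh
# Added example, not from the thread: classify OpenVPN ping-restart cycles in a
# syslog excerpt. Sample lines below are constructed; port and peer are placeholders.
SAMPLE_LOG='Feb 25 00:25:26 unknown daemon.notice openvpn[448]: Inactivity timeout (--ping-restart), restarting
Feb 25 00:25:28 unknown daemon.notice openvpn[448]: UDPv4 link local (bound): [undef]:1194
Feb 25 00:25:52 unknown daemon.notice openvpn[448]: Peer Connection Initiated with 198.51.100.7:40001
Feb 25 00:25:53 unknown daemon.notice openvpn[448]: Initialization Sequence Completed
Feb 25 00:30:25 unknown daemon.notice openvpn[448]: Inactivity timeout (--ping-restart), restarting
Feb 25 00:30:27 unknown daemon.notice openvpn[448]: UDPv4 link local (bound): [undef]:1194
Feb 25 00:31:27 unknown daemon.notice openvpn[448]: Inactivity timeout (--ping-restart), restarting'

# restart_summary: read a syslog excerpt on stdin and print one line:
#   idle=<restarts with no peer since the previous restart>
#   after_peer=<restarts that followed a client connection>
#   last_gap=<seconds between the last two restarts>
restart_summary() {
    awk '
        # syslog field 3 is HH:MM:SS; convert it to seconds since midnight
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /openvpn\[/ && /Peer Connection Initiated/ { peer = 1 }
        /openvpn\[/ && /Inactivity timeout \(--ping-restart\)/ {
            now = secs($3)
            if (peer) after++; else idle++
            if (seen) gap = now - last
            last = now; seen = 1
            peer = 0
        }
        END { printf "idle=%d after_peer=%d last_gap=%d\n", idle + 0, after + 0, gap + 0 }
    '
}

# Convenience wrapper that runs the summary over the constructed sample.
sample_summary() {
    printf '%s\n' "$SAMPLE_LOG" | restart_summary
}

sample_summary
```

    On the router you would feed it the real log instead, for example the output of logread piped into restart_summary. An idle gap of about 62 seconds is the 60-second ping-restart timeout from "keepalive 15 60" plus the 2-second restart pause, i.e. the harmless cycle described here; a growing after_peer count is the number worth investigating.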
     
  95. scooter32

    scooter32 Addicted to LI Member


    I'm still having issues with the download. I've been trying for the past 4 hours.

    Thanks
     
  96. SgtPepperKSU

    SgtPepperKSU Network Guru Member

  97. patos

    patos Network Guru Member

    Sorry if this was already asked, but how can I see the configuration files? Where are they stored? /tmp/openvpn is empty.
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    /etc/openvpn
    They will only be present while the tunnel is running.
     
  99. occamsrazor

    occamsrazor Network Guru Member

    Hi, I finally managed to upgrade to v1.23vpn2.0006. All seems to be fine though I haven't had time to test the vpn aspects remotely. Regarding the scripts, are you saying the "cleaner" solution would be to have this (and only this) as scripts:

    Init:

    Code:
    ## Start VPN init script
    #Generate vpnup.sh
    echo "#!/bin/sh
    killall -0 vpn\$1 2> /dev/null
    if [ \$? != 0 ]
    then
    logger \"\$0: Starting vpn\$1\"
    service vpn\$1 start
    else
    logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
    fi
    " > /tmp/vpnup.sh
    # Make vpnup.sh executable
    chmod +x /tmp/vpnup.sh
    # Schedule vpnup.sh to run every 30 minutes
    cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    ## End VPN init script
    
    WAN UP:

    Code:
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    (do I have it in both scripts or only the WAN UP?)

    ...and NOT have this in either:

    Code:
    sleep 20
    service vpnserver1 start
    Is that correct? Thanks...
     
  100. scooter32

    scooter32 Addicted to LI Member
