
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You got it right. Also, the last bit in the init script isn't necessary (just in the WAN up script).
     
  2. gregg098

    gregg098 LI Guru Member

    I ran into another problem with my VPN setup that has stumped me.

    I have two VPN servers set up on my WRT54GL with Tomato and VPN GUI.
    The first is TCP on port 443. I want this connection for use when I'm at work.
    The second is UDP port 444. I want to use this for other reasons.

    I am using the following OpenVPN scripts to connect:

    Change UDP to TCP-CLIENT and 444 to 443 for the TCP version. Both servers are setup the exact same with the exception of the port and protocol.

    Now, when I connect to the TCP server, I browse the web like normal, with traffic originating from my IP wherever I'm at, but have access to my local LAN (router, computers, etc.). This works perfectly. This is all I want most of the time. I don't need to redirect all traffic.

    But, if I disconnect and connect to the UDP server, it connects OK but I can't connect to any web pages, not even my router. I've looked over both pages of server settings and they are exactly the same. I've put the client configs side by side and they are the same (except port and protocol). I'm stumped. Why doesn't the UDP connection work?

    To make things weirder, I have two more client configs to redirect all traffic through the VPN. Basically I just added this to the end of the configs:

    Now, BOTH the UDP and TCP connections work perfectly. So, why won't the UDP connection work that doesn't redirect all traffic? Are my client configs messed up somewhere?

    I appreciate any help.
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't know why your problems are limited to just UDP, but you could try replacing your first three lines with just
    Code:
    client
    .
    If you want to debug further, could you post your routing table and dns server list on the client? If you're not sure how to do that, I'll need to know the operating instructions before I can give instructions.
     
  4. ng12345

    ng12345 LI Guru Member


    A quick note: by putting the service line in the WAN up script, will you run into issues if, let's say, the WAN goes down for 1 minute? Wouldn't you end up with 2 instances of the VPN server running?
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's why I've always discouraged doing that. If you don't want to use the vpnup.sh script, then service vpnserver1 restart should be used.

    Though, I've been meaning to add logic to the start code to check if an instance is already running and do nothing if so. If I make that change, then using start (instead of restart), may even be preferable (since it would kind of act like the vpnup.sh script does now).
     
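    The start guard SgtPepperKSU describes above, written out as an added example (not code from his build): a "start" that does nothing when an instance is already recorded, so re-running it from a WAN up script cannot spawn a second server. The pidfile path, config path and the use of OpenVPN's --writepid are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Tomato VPN GUI build: an idempotent
# "start" for the OpenVPN server so that re-running it (e.g. from a WAN up
# script after a short WAN outage) does not launch a second instance.
# Assumptions (not from the thread): OpenVPN records its pid via --writepid
# in $PIDFILE and the server config lives at $CONFIG.

PIDFILE="${PIDFILE:-/var/run/vpnserver1.pid}"
CONFIG="${CONFIG:-/etc/openvpn/vpnserver1.conf}"

# Print the pid stored in pidfile $1 and return 0 only when the file exists
# and its first line is purely numeric; return 1 for anything else.
read_pid() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "$pid"
}

# Return 0 if the pid in pidfile $1 belongs to a live process.
# A missing, empty, non-numeric or stale pidfile all count as "not running",
# so a leftover file from a crash cannot block the next start.
pid_alive() {
    pid=$(read_pid "$1") || return 1
    kill -0 "$pid" 2>/dev/null
}

# Idempotent start: launch OpenVPN only if no live instance is recorded.
# Returns 0 both when it starts the daemon and when one is already running.
start_vpnserver() {
    if pid_alive "$PIDFILE"; then
        echo "vpnserver1 already running (pid $(read_pid "$PIDFILE")), nothing to do"
        return 0
    fi
    rm -f "$PIDFILE"   # discard a stale pidfile before starting
    openvpn --config "$CONFIG" --daemon --writepid "$PIDFILE"
}

# Stop the recorded instance (if any) and remove the pidfile.
stop_vpnserver() {
    if pid_alive "$PIDFILE"; then
        kill "$(read_pid "$PIDFILE")"
    fi
    rm -f "$PIDFILE"
}

# "restart" keeps its old meaning: always tear down, then bring up.
case "${1:-}" in
    start)   start_vpnserver ;;
    stop)    stop_vpnserver ;;
    restart) stop_vpnserver; start_vpnserver ;;
esac
```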
  6. severus

    severus Guest

    Is this a Client or a Server Error?

    Morning =),
    I installed your latest VPN mod and generated all the certs.
    The system starts without errors.

    Code:
    Feb 26 18:52:47 maingate user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Feb 26 18:52:49 maingate user.info kernel: device tap21 entered promiscuous mode
    Feb 26 18:52:49 maingate user.info kernel: br0: port 3(tap21) entering listening state
    Feb 26 18:52:49 maingate user.info kernel: br0: port 3(tap21) entering learning state
    Feb 26 18:52:49 maingate user.info kernel: br0: port 3(tap21) entering forwarding state
    Feb 26 18:52:49 maingate user.info kernel: br0: topology change detected, propagating
    Feb 26 18:52:49 maingate daemon.notice openvpn[391]: OpenVPN 2.1_rc13 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Feb 16 2009
    Feb 26 18:52:49 maingate daemon.warn openvpn[391]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
    Feb 26 18:52:50 maingate daemon.notice openvpn[391]: Diffie-Hellman initialized with 1024 bit key
    Feb 26 18:52:50 maingate daemon.notice openvpn[391]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 26 18:52:50 maingate daemon.notice openvpn[391]: TUN/TAP device tap21 opened
    Feb 26 18:52:50 maingate daemon.notice openvpn[391]: TUN/TAP TX queue length set to 100
    Feb 26 18:52:50 maingate daemon.notice openvpn[391]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Feb 26 18:52:50 maingate daemon.notice openvpn[395]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Feb 26 18:52:50 maingate daemon.notice openvpn[395]: UDPv4 link local (bound): [undef]:1194
    Feb 26 18:52:50 maingate daemon.notice openvpn[395]: UDPv4 link remote: [undef]
    Feb 26 18:52:50 maingate daemon.notice openvpn[395]: MULTI: multi_init called, r=256 v=256
    Feb 26 18:52:50 maingate daemon.notice openvpn[395]: IFCONFIG POOL: base=172.0.1.100 size=10
    Feb 26 18:52:50 maingate daemon.notice openvpn[395]: Initialization Sequence Completed
    Feb 26 18:53:34 maingate daemon.info dnsmasq[122]: DHCPREQUEST(br0) 172.0.0.105 00:1e:52:6f:fe:ee 
    Feb 26 18:53:34 maingate daemon.info dnsmasq[122]: DHCPACK(br0) 172.0.0.105 00:1e:52:6f:fe:ee nebukatneza
    OK, and now I'm trying to connect and the client hangs up...

    Code:
    Feb 26 18:57:40 maingate daemon.notice openvpn[395]: MULTI: multi_create_instance called
    Feb 26 18:57:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49236 Re-using SSL/TLS context
    Feb 26 18:57:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49236 LZO compression initialized
    Feb 26 18:57:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49236 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 26 18:57:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49236 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Feb 26 18:57:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49236 TLS: Initial packet from 172.0.0.105:49236, sid=08d068a4 71d1a7dc
    
    So I kill the client and get these lines in the log:

    Code:
    Feb 26 18:58:40 maingate daemon.err openvpn[395]: 172.0.0.105:49236 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Feb 26 18:58:40 maingate daemon.err openvpn[395]: 172.0.0.105:49236 TLS Error: TLS handshake failed
    Feb 26 18:58:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49236 SIGUSR1[soft,tls-error] received, client-instance restarting
    Feb 26 18:58:40 maingate daemon.notice openvpn[395]: MULTI: multi_create_instance called
    Feb 26 18:58:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49237 Re-using SSL/TLS context
    Feb 26 18:58:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49237 LZO compression initialized
    Feb 26 18:58:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49237 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb 26 18:58:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49237 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Feb 26 18:58:40 maingate daemon.notice openvpn[395]: 172.0.0.105:49237 TLS: Initial packet from 172.0.0.105:49237, sid=67bc8f06 2dd40b2d
    
    Can anybody help me,...?
    Thanks
    Severus
     
  7. humba

    humba Network Guru Member

    Are those just server logs? If so, where are the client logs?
     
  8. gregg098

    gregg098 LI Guru Member

    I changed the first few lines to "client" and tried again and it works. I just don't understand it enough to know why... but it does!

    Thanks!
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Code:
    client
    is equivalent to
    Code:
    pull
    tls-client
    The pull accepts routes and various options that are pushed from the server. You could probably put back the ns-cert-type and float directives if you need them.
     
  10. albundy118

    albundy118 Addicted to LI Member

    hi ,

    Finally I took some time again to troubleshoot my problem :confused: After some time I found out it was just the "keepalive 10 120" in the client config (it was missing before). However, this is still strange to me, because without that statement it seemed that no connection would be established.
    But anyway, this is really the best web GUI for OpenVPN on my Linksys router I ever saw.

    Now another question for the OpenVPN gurus... I want to have per user/client iptables rules.
    For example: when I connect to my remote networks I want to be connected to the whole network, but if I let someone else connect I don't want to give him connectivity to the whole network. How can I differentiate several users/clients and create scripts to apply iptables rules? Is this possible??

    cheers
    florian
     
  11. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Would you release a user guide with some examples?
    I don't think most people can get a clear picture of openvpn deployment after looking into more than 500 threads, at least for me-_-".
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm glad you got it working. I don't have any ideas as to why the keepalive would be necessary to make a connection.

    You can use the client-connect directive to run a custom script. In that script, you can run any command you like (including iptables) based on the $common_name environment variable. It will be run immediately after client authentication.
     
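    The per-client iptables approach SgtPepperKSU outlines above, as an added example (not code from the Tomato VPN GUI build or from albundy118's setup): one script used for both client-connect and client-disconnect that picks a rule set from $common_name and inserts or deletes FORWARD rules for that client's tunnel address. The interface name tun21, the LAN 192.168.1.0/24, the host 192.168.1.10 and the CN names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Tomato VPN GUI build: an OpenVPN
# client-connect / client-disconnect script that applies per-client FORWARD
# rules keyed on the certificate common name ($common_name).
# Assumptions (not from the thread): the server's tunnel interface is tun21,
# the LAN behind the router is 192.168.1.0/24, and "restricted" clients may
# reach only the single host 192.168.1.10. OpenVPN exports common_name,
# ifconfig_pool_remote_ip and script_type to the script's environment.
#
# Server custom config (both directives point at this file):
#   script-security 2
#   client-connect    /jffs/vpn-acl.sh
#   client-disconnect /jffs/vpn-acl.sh

VPN_IF="${VPN_IF:-tun21}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
RESTRICTED_HOST="${RESTRICTED_HOST:-192.168.1.10}"
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES="echo iptables" to dry-run

# Map a CN to an access class with a fixed allow-list. The CN is only ever
# compared against literal patterns, never expanded as a command, and any CN
# not listed falls into "deny", so a newly issued cert gets nothing by default.
access_class() {
    case "$1" in
        florian|admin-laptop) echo full ;;
        guest-*)              echo restricted ;;
        *)                    echo deny ;;
    esac
}

# Print the rules for one client, one per line, as "<target> <destination>",
# in the order they must appear in the chain. $1 = common name.
rules_for_client() {
    case "$(access_class "$1")" in
        full)
            echo "ACCEPT $LAN_NET" ;;
        restricted)
            echo "ACCEPT $RESTRICTED_HOST"
            echo "DROP $LAN_NET" ;;
        *)
            echo "DROP $LAN_NET" ;;
    esac
}

# Insert (-I) or delete (-D) the client's rules. On insert the n-th rule goes
# to position n, so the printed order is preserved and the client-specific
# rules sit ahead of any general tun->LAN accept already in FORWARD. Rules
# match on the client's pool address, so they affect only that tunnel peer.
# $1 = -I or -D, $2 = common name, $3 = client's tunnel IP
apply_rules() {
    op="$1"; cn="$2"; ip="$3"
    n=1
    rules_for_client "$cn" | while read -r target dest; do
        if [ "$op" = "-I" ]; then
            $IPTABLES -I FORWARD "$n" -i "$VPN_IF" -s "$ip" -d "$dest" -j "$target"
        else
            $IPTABLES -D FORWARD -i "$VPN_IF" -s "$ip" -d "$dest" -j "$target"
        fi
        n=$((n + 1))
    done
}

# OpenVPN tells the script which hook it is running via $script_type.
case "${script_type:-}" in
    client-connect)    apply_rules -I "$common_name" "$ifconfig_pool_remote_ip" ;;
    client-disconnect) apply_rules -D "$common_name" "$ifconfig_pool_remote_ip" ;;
esac
```

The disconnect hook removes exactly the rules the connect hook added, so a pool address handed to the next client does not inherit the previous client's access.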
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    At the end of the first post in this thread, there is a link to another post by me that I keep up to date with descriptions of all the settings. But, perhaps it would be worthwhile to take screenshots of a working setup and post them as a dual-purpose how-to/preview...
     
  14. albundy118

    albundy118 Addicted to LI Member

    Cool, this sounds good. I'll give it a try when I have more time and check the OpenVPN man page.
    Another request... is it possible to make OpenVPN start automatically after reboot? It would be cool to have a checkbox to select autorun. I didn't check the sources of your Tomato mod yet, so I'm not sure if it's possible or not.
    BTW, I can still remember some post in that thread talking about using dnsmasq to connect different domains' DNS servers. I have used that for several years already and it works perfectly. You only need to assign different domains and put the statement server=/domain2/192.168.xxx.xxx in the config, and dnsmasq will forward DNS requests ending with domain2 to the other one. If using tun devices with OpenVPN it's also necessary to put interface=tunx in the config.

    cheers florian
     
  15. scooter32

    scooter32 Addicted to LI Member

    Thanks for this great mod!

    I installed this the other night right over my default
    tomato install and it is working great. I used my openvpn
    configs from my regular FC10 openvpn install and was up
    and running in about 10 minutes!

    Scott
     
  16. occamsrazor

    occamsrazor Network Guru Member

    Hi SgtPepper,

    I am currently experimenting with the NeoRouter mod discussed in this thread:

    http://www.linksysinfo.org/forums/showthread.php?t=60852

    It has some pretty cool features that I am still trying out, but it does not have the "raw vpn"-type functionality that simply gives you a LAN IP remotely that you can use just as if you were connected at home.

    So I was thinking - why not have both? I don't see the source code for the NeoRouter/Tomato mod available, only a .trx file used to flash. I was therefore wondering whether you thought it might be possible to start with the NeoRouter mod of Tomato 1.23 (presumably the same as vanilla 1.23 but with extra files) and then add the openvpn-specific-files from your mod via WinSCP just by copying them into the relevant folders?

    Would that work? Is it possible? Or might there be a better way to combine the two?

    Sorry I'm still a beginner when it comes to actual programming/compiling etc....
     
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Getting openvpn (and LZO) on there that way would probably work, but the GUI and integration as a system service - not so much.
     
  18. occamsrazor

    occamsrazor Network Guru Member

    I figured just copying the files had to be too easy to actually work!
    Thanks anyway...
     
  19. skyanvi1

    skyanvi1 Addicted to LI Member

    redirect-gateway all but DNS
    I am currently running two simultaneous VPN servers (on different ports) on an Asus WL-500gP v2: one server allows access to the subnet behind the router. The second uses the redirect-gateway option to (supposedly) push all traffic through the router to the server's LAN and WAN. I only connect to one server at a time. The redirect-gateway option works perfectly, or so I thought... until I monitored my client tap interface with Wireshark... No DNS queries were being returned across the VPN. On failure my Windows client was taking up the slack and using my client-side DNS, pushing unencrypted traffic over the client network. I see the attempt in the Wireshark logs but no response from the router. I attempted to add the MASQUERADE option to iptables, however it appears not to work (like it does on a full-blown Linux box). Am I missing something?
    i.e. what is the difference between NAT Loopback: Forwarded Only and All?
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've never used redirect-gateway, so I can't really help much in debugging your problem. At this point I don't think it's anything router-specific, so you may have better luck searching the internet at large. And, I don't think the NAT loopback setting is relevant here at all.
     
  21. skyanvi1

    skyanvi1 Addicted to LI Member

    pushing DNS options through VPN tunnel solved! (yes I'm still doing the dance...)

    After poking around the dnsmasq.conf file I discovered the interface parameter. When a VPN tunnel is created and local server DNS options are pushed to the client, the local dnsmasq server will need to either be told to listen on the new interface to respond to DNS queries OR be tricked (i.e. using the MASQUERADE option in iptables, which I couldn't get working on this Linux distro).

    Adding the following to the Dnsmasq custom configuration page of Tomato allowed DNS passthrough to the VPN server router on server 1:
    Code:
    interface=tun21
    
    Wireshark now shows me all dns queries being served through the tomato router. I haven't tested it out but I am hoping this will also resolve the hosts on the server lan so I am no longer accessing everything by ip.

    Once again thanks, SgtPepperKSU, for the mod.
     
  22. schweinc

    schweinc Network Guru Member

    Static Key Error?

    Noob here,

    Successfully created keys and certs and input into Tomato. Config is TAP, UDP, 1194, Auto, TLS, Bi-directional, DHCP, Use Default, and Enabled. After Starting the log shows an error for the Static Key. Assumed it wasn't required since the plan is one server w/ multiple clients. Question is do I need a static key as well or am I missing something (be nice). Thanks in advance for great firmware. Pig

    Code:
    Mar 1 21:14:09 MSHOME user.warn kernel: nvram_commit(): init
    Mar 1 21:14:11 MSHOME user.warn kernel: nvram_commit(): end
    Mar 1 21:14:20 MSHOME user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Mar 1 21:14:20 MSHOME user.info kernel: device tap21 entered promiscuous mode
    Mar 1 21:14:20 MSHOME user.info kernel: br0: port 3(tap21) entering learning state
    Mar 1 21:14:20 MSHOME user.info kernel: br0: port 3(tap21) entering forwarding state
    Mar 1 21:14:20 MSHOME user.info kernel: br0: topology change detected, propagating
    Mar 1 21:14:20 MSHOME daemon.notice openvpn[1348]: OpenVPN 2.1_rc13 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Feb 16 2009
    Mar 1 21:14:20 MSHOME daemon.warn openvpn[1348]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
    Mar 1 21:14:20 MSHOME daemon.notice openvpn[1348]: Diffie-Hellman initialized with 1024 bit key
    Mar 1 21:14:20 MSHOME daemon.err openvpn[1348]: Passphrase file 'server1-static.key' is too small (must have at least 8 characters)
    Mar 1 21:14:20 MSHOME daemon.notice openvpn[1348]: Exiting
    Mar 1 21:14:20 MSHOME user.info kernel: br0: port 3(tap21) entering disabled state
    Mar 1 21:14:21 MSHOME user.info kernel: br0: port 3(tap21) entering disabled state
     
  23. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I finally figured out why there will be no Openswan support on BCM47xx devices.
    The current 2.4 kernel lacks IPsec support -_- so sad...
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's only needed if you want it to be. Change the Extra HMAC Authentication setting to Disabled, and you won't need a static key.
     
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The Openswan site seems to indicate it has a kernel patch to provide the needed support to the 2.4 kernel. I haven't done any work to making it happen, but it doesn't seem to me that door is shut.
     
  26. kenyloveg

    kenyloveg LI Guru Member

    lol
    Thanks for your information.
    Even Kamikaze only supports openswan in the 2.6 kernel build, while strongswan 2.8 is in 2.4 Kamikaze. The good news is you have noticed it, which means I'm not hopeless......
     
  27. ramasule

    ramasule Addicted to LI Member

    Hello,

    First thanks road and pepper.


    I have an SME Server VPN. My clients work and can connect; the server is in bridged mode.

    I wanted to get my router to connect now so I don't have 4 guys from one location all using their OpenVPN GUI, instead just plugging in and going.

    Anyways, I have tried both the roadkill and now the pepper one and they have the same problem.

    I can connect to my VPN no problem; here are my server and client logs.


    Server SME openvpn - bridge mode
    Code:
    Mon Mar  2 16:22:55 2009 MULTI: multi_create_instance called
    Mon Mar  2 16:22:55 2009 96.52.184.138:1025 Re-using SSL/TLS context
    Mon Mar  2 16:22:55 2009 96.52.184.138:1025 LZO compression initialized
    Mon Mar  2 16:22:55 2009 96.52.184.138:1025 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Mon Mar  2 16:22:55 2009 96.52.184.138:1025 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Mar  2 16:22:55 2009 96.52.184.138:1025 Local Options hash (VER=V4): '360696c5'
    Mon Mar  2 16:22:55 2009 96.52.184.138:1025 Expected Remote Options hash (VER=V4): '13a273ba'
    Mon Mar  2 16:22:55 2009 96.52.184.138:1025 TLS: Initial packet from 96.52.184.138:1025, sid=31c19efc 7f06cfe5
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 CRL CHECK OK: /C=CA/ST=Canada/L=Edmonton/O=Home/OU=vpn/CN=sme-openvpn-bridge/emailAddress=admin@mail.dirkinthedark.kicks-ass.net
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 VERIFY OK: depth=1, /C=CA/ST=Canada/L=Edmonton/O=Home/OU=vpn/CN=sme-openvpn-bridge/emailAddress=admin@mail.dirkinthedark.kicks-ass.net
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 CRL CHECK OK: /C=CA/ST=Canada/O=Home/OU=vpn/CN=VPNRouter1/emailAddress=admin@mail.dirkinthedark.kicks-ass.net
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 VERIFY OK: depth=0, /C=CA/ST=Canada/O=Home/OU=vpn/CN=VPNRouter1/emailAddress=admin@mail.dirkinthedark.kicks-ass.net
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Mon Mar  2 16:22:58 2009 96.52.184.138:1025 [VPNRouter1] Peer Connection Initiated with 96.52.184.138:1025
    Mon Mar  2 16:22:58 2009 VPNRouter1/96.52.184.138:1025 OPTIONS IMPORT: reading client specific options from: ccd-bridge/VPNRouter1
    Mon Mar  2 16:22:59 2009 VPNRouter1/96.52.184.138:1025 PUSH: Received control message: 'PUSH_REQUEST'
    Mon Mar  2 16:22:59 2009 VPNRouter1/96.52.184.138:1025 SENT CONTROL [VPNRouter1]: 'PUSH_REPLY,ping 10,ping-restart 120,dhcp-option DOMAIN dirkinthedark.kicks-ass.net,dhcp-option DNS 192.168.1.2,dhcp-option WINS 192.168.1.2,redirect-gateway,route-gateway 192.168.1.2,ping 10,ping-restart 120,ifconfig 192.168.1.11 255.255.255.0' (status=1)
    Mon Mar  2 16:23:01 2009 VPNRouter1/96.52.184.138:1025 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
    Mon Mar  2 16:23:03 2009 VPNRouter1/96.52.184.138:1025 MULTI: Learn: 00:13:10:9a:67:2b -> VPNRouter1/96.52.184.138:1025
    Mon Mar  2 16:23:20 2009 VPNRouter1/96.52.184.138:1025 MULTI: Learn: 00:50:8d:d5:ee:e0 -> VPNRouter1/96.52.184.138:1025
    Mon Mar  2 16:26:32 2009 VPNRouter1/96.52.184.138:1025 MULTI: Learn: 00:ff:e5:ad:4f:ee -> VPNRouter1/96.52.184.138:1025
    Mon Mar  2 16:26:37 2009 VPNRouter1/96.52.184.138:1025 NOTE: failed to empirically measure MTU (requires OpenVPN 1.5 or higher at other end of connection).
    Mon Mar  2 16:27:54 2009 VPNRouter1/96.52.184.138:1025 MULTI: Learn: 00:13:e8:10:80:c1 -> VPNRouter1/96.52.184.138:1025
    
    It also states vpnrouter1 is a valid client in its client table


    here is my client log

    Client
    Code:
    Mar  2 15:22:54 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Mar  2 15:22:54 unknown user.info kernel: device tap11 entered promiscuous mode
    Mar  2 15:22:54 unknown daemon.notice openvpn[5103]: OpenVPN 2.1_rc13 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Feb 16 2009
    Mar  2 15:22:54 unknown daemon.warn openvpn[5103]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Mar  2 15:22:54 unknown daemon.notice openvpn[5103]: Control Channel Authentication: using 'client1-static.key' as a OpenVPN static key file
    Mar  2 15:22:54 unknown daemon.notice openvpn[5103]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar  2 15:22:54 unknown daemon.notice openvpn[5103]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar  2 15:22:54 unknown daemon.notice openvpn[5103]: LZO compression initialized
    Mar  2 15:22:54 unknown daemon.notice openvpn[5103]: Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Mar  2 15:22:54 unknown daemon.notice openvpn[5103]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mar  2 15:22:54 unknown daemon.notice openvpn[5107]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Mar  2 15:22:54 unknown daemon.notice openvpn[5107]: UDPv4 link local: [undef]
    Mar  2 15:22:54 unknown daemon.notice openvpn[5107]: UDPv4 link remote: 96.52.180.137:1194
    Mar  2 15:22:54 unknown daemon.notice openvpn[5107]: TLS: Initial packet from 96.52.180.137:1194, sid=6682a786 1a5d9e75
    Mar  2 15:22:54 unknown daemon.notice openvpn[5107]: VERIFY OK: depth=1, /C=CA/ST=Canada/L=Edmonton/O=Home/OU=vpn/CN=sme-openvpn-bridge/Email=admin@mail.dirkinthedark.kicks-ass.net
    Mar  2 15:22:54 unknown daemon.notice openvpn[5107]: VERIFY OK: depth=0, /C=CA/ST=Canada/O=Home/OU=vpn/CN=server/Email=admin@mail.dirkinthedark.kicks-ass.net
    Mar  2 15:22:56 unknown user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:f1:e7:76:5d:08:00:45:00:01:52 SRC=96.52.160.1 DST=255.255.255.255 LEN=338 TOS=0x00 PREC=0x00 TTL=255 ID=16161 PROTO=UDP SPT=67 DPT=68 LEN=318 
    Mar  2 15:22:57 unknown daemon.notice openvpn[5107]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar  2 15:22:57 unknown daemon.notice openvpn[5107]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar  2 15:22:57 unknown daemon.notice openvpn[5107]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar  2 15:22:57 unknown daemon.notice openvpn[5107]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar  2 15:22:57 unknown daemon.notice openvpn[5107]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Mar  2 15:22:57 unknown daemon.notice openvpn[5107]: [server] Peer Connection Initiated with 96.52.180.137:1194
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,dhcp-option DOMAIN dirkinthedark.kicks-ass.net,dhcp-option DNS 192.168.1.2,dhcp-option WINS 192.168.1.2,redirect-gateway,route-gateway 192.168.1.2,ping
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: OPTIONS IMPORT: timers and/or timeouts modified
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: OPTIONS IMPORT: --ifconfig/up options modified
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: OPTIONS IMPORT: route options modified
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: OPTIONS IMPORT: route-related options modified
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: TUN/TAP device tap11 opened
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: TUN/TAP TX queue length set to 100
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: /sbin/ifconfig tap11 192.168.1.11 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255
    Mar  2 15:22:59 unknown user.info kernel: br0: port 3(tap11) entering learning state
    Mar  2 15:22:59 unknown user.info kernel: br0: port 3(tap11) entering forwarding state
    Mar  2 15:22:59 unknown user.info kernel: br0: topology change detected, propagating
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: /sbin/route add -net 96.52.180.137 netmask 255.255.255.255 gw 96.52.184.1
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.1.2
    Mar  2 15:22:59 unknown daemon.notice openvpn[5107]: Initialization Sequence Completed
    
    I cannot ping 192.168.1.2 (VPN server) from 192.168.1.11 (VPN client) and as such no traffic is going through (I have gateway redirect on).

    Any ideas?

    Thank you
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Please provide the output of
    Code:
    route -n
    on the client router.
     
  29. ramasule

    ramasule Addicted to LI Member

    Code:
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    96.52.180.137   96.52.184.1     255.255.255.255 UGH   0      0        0 vlan1
    192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 tap11
    96.52.184.0     0.0.0.0         255.255.252.0   U     0      0        0 vlan1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.1.2     0.0.0.0         UG    0      0        0 tap11
    
    96.52.180.137 is public ip for my router which has the sme openvpn server on it
    96.52.184.138 is my vpnclient tomato router
    192.168.1.2 is my sme box
     
  30. elec999

    elec999 Addicted to LI Member

    I'll pay $10 to whoever can log in to my two routers and link my two networks via VPN.
    Thank you
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That looks fine. And you have the Server is on Same Subnet option unselected and the NAT option selected on the client router? That should be enough to have it working.

    Also, if you have a choice, you may consider using TUN. Since you're already connected distinct subnets, it's probably more appropriate.
     
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think you need to pay anyone. If you load the build on each router and go through the settings, I think you'll find it to not be overwhelming.
     
  33. elec999

    elec999 Addicted to LI Member

    I loaded this build on both routers. But I feel stupid, can't figure this out. I followed the guide.
    Thank you
     
  34. elec999

    elec999 Addicted to LI Member

    Both of my routers, at different locations, use 192.168.8.1 IPs. Is that not going to work?
    My server router seems fine now. My client router shows
    Mar 3 23:44:57 unknown daemon.err openvpn[463]: Cannot open file key file 'static.key': No such file or directory (errno=2)
    Thank you
     
  35. ramasule

    ramasule Addicted to LI Member

    It was the different subnets and DHCP server; it's working well now, thanks pepper.

    Also would TAP be more efficient in this case?
     
  36. ramasule

    ramasule Addicted to LI Member

    elec999
    It looks like you turned on the tls-auth option without providing a static key.
    Where it says Extra HMAC authorization (tls-auth), set that to Disabled or provide a key.
    Tell me what you get next.
     
  37. ramasule

    ramasule Addicted to LI Member

    Also, Pepper:
    I was using mode 4 on my SME box, which is username/password and certificates.
    Can you tell me how I could add this in / could you build the OpenVPN mod with
    --enable-password-save compiled
    and then write in the script to write to a file on init?

    Anyways thanks again pepper.
     
  38. elec999

    elec999 Addicted to LI Member

    I took off the custom config, set both routers back to 192.168.8.1 IPs. And now it works. My two routers are linked together. WORKS 100%. Should I turn off DHCP on one of my routers?

    EDIT Just realized with the VPN enabled my whole INTERNET speed is lowered to my download speed. So basically all my traffic is going through my server router, any way to avoid this.
    Thank you
     
  39. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    @elec999: Don't feel discouraged. If you post what settings you have on each router, we can debug any problems you may have. For what it's worth, unless you have specific reasons to do otherwise, I recommend using TUN, UDP, TLS, and having the routers be on different subnets.

    Also, the two routers should not have the same ip address. That could be why you're seeing what you're seeing. If you are going to use TUN mode (which I recommend) you should place them on separate subnets (ie 192.168.0.1 and 192.168.1.1).
     
  40. Loco_Turkey

    Loco_Turkey Guest

    Hi guys,

    I had a problem configuring OpenVPN in Tomato in router mode (TUN).

    The bridge (TAP) mode is working fine:

    INIT
    Code:
    sleep 5
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    mode server 
    proto udp 
    port 1194 
    dev tap0 
    keepalive 15 60 
    daemon 
    verb 3 
    comp-lzo 
    
    client-to-client 
    duplicate-cn 
    
    tls-server 
    ca ca.crt 
    dh dh1024.pem 
    cert server.crt 
    key server.key 
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    

    FIREWALL

    Code:
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    I tried with
    Code:
    sleep 5
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tun0
    brctl addif br0 tun0
    ifconfig tun 0 0.0.0.0 promisc up
    
    echo "
    mode server 
    proto udp 
    port 1194 
    dev tap0 
    keepalive 15 60 
    daemon 
    verb 3 
    comp-lzo 
    server 10.8.0.0 255.255.255.0
    
    client-to-client 
    duplicate-cn 
    
    tls-server 
    ca ca.crt 
    dh dh1024.pem 
    cert server.crt 
    key server.key 
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    -----END DH PARAMETERS-----
    " > dh1024.pem
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    BUT it's not working :frown:

    Thanks for help!
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    OpenVPN in my builds should already be built with that option. You just need to add
    Code:
    auth-user-pass /tmp/vpnpass
    to your custom config and
    Code:
    echo "yourusername
    yourpassword" > /tmp/vpnpass
    to your init script.

    Oh, and I don't think TAP would be more efficient. You're already doing routing, and that is what TUN is designed for. TAP's advantage is being able to send non-IP traffic, but that is only possible if linking two like subnets - which you are not.
     
  42. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's probably because your config file is still saying tap0, while you created tun0. If you want to do tun instead of tap, replace all occurrences of tap0 with tun0 (not just tun like you did in ifconfig, either). Also, you don't need the brctl line for tun.
     
  43. elec999

    elec999 Addicted to LI Member

    Do I need to enter any custom configs?
    I set my client router on 192.168.16.1/255.255.0.0
    On both client/server
    I set to TUN/UDP/TLS, extra HMAC Auth is disabled. Under client/server key I put in my OpenVPN generated key. The client side seems fine now, but on the server I get
    Mar 4 11:58:11 unknown daemon.notice openvpn[1159]: OpenVPN 2.1_rc13 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Feb 16 2009
    Mar 4 11:58:11 unknown daemon.err openvpn[1159]: Cannot load DH parameters from server1-dh.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
    Mar 4 11:58:11 unknown daemon.notice openvpn[1159]: Exiting
    Could someone help me figure this out? Do I need to add any extra lines in the configs? Doing TAP on both ends worked, but my connection was slowed down to my max upload speed.
    Thank you
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It still looks like you have your routers on the same subnet. That is likely confusing the routing. Be sure to put them on separate subnets.
    The error shown indicates you have not entered valid contents in the DH Parameters field. You need to put there the contents of the dh1024.pem file that you created when you generated your keys. If you don't have one, make sure you followed the steps found here.
    You should not need anything in the custom config section for now.
     
  45. jza80

    jza80 Network Guru Member

    I agree with SgtPepperKSU. By setting your IP/subnet mask to 192.168.16.1 255.255.0.0 (/16), the IP address range is 192.168.0.0 - 192.168.255.255. I highly doubt you need 65,534 usable IPs.

    I'd change the subnet mask to 255.255.255.0 (/24) or smaller. Use different subnets on each end, for example: 192.168.1.0 255.255.255.0 (192.168.1.0/24) and 192.168.2.0 255.255.255.0 (192.168.2.0/24).
     
  46. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I'm able to connect to my server and surf the web through the VPN server without problems on the client. But I can't access devices inside the VPN server's LAN (not even Tomato's web interface, and pinging them gets no response). Would you tell me what would most likely cause this?
    I'm using the same subnet as the server's.
    Client 192.168.1.9/10
    Server 192.168.1.1
    Router 192.168.1.1
    NAS inside the Router's LAN 192.168.1.2
    Here is the configuration in the web GUI:
    Interface Type TUN
    Protocol UDP
    Port 1194
    Firewall Automatic
    Authorization Mode Static Key
    Local/remote endpoint addresses 192.168.1.9 192.168.1.10
    Encryption cipher Use Default
    Compression Adaptive

    Also it looks like there is a bug: if you drag to copy the text in the "VPN Server 1" web GUI, the contents below come up while not shown in the GUI:
    Extra HMAC authorization (tls-auth)
    VPN subnet/netmask
    Client address pool DHCP -
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Your problem is almost certainly that you are using the same subnet on both ends of the tunnel. Change one of them and you'll probably be okay.
    Those settings are present but not visible (since you are using static key authentication they are not relevant). If it would be considered a bug, I think it would be in your browser.
     
  48. jza80

    jza80 Network Guru Member

    Finally got around to updating my router to your latest build. I was using roadkill vpn mod 1.19.1464.

    I ignored the GUI and copied/pasted the scripts I was using from the roadkill vpn mod. Everything works just like it did before, except with a newer version of Tomato and OpenVPN. :)

    While I was at it, I also upgraded the client software to OpenVPN 2.1_rc15.
     
  49. bigclaw

    bigclaw Network Guru Member

    Not cool, man. Back up the config file and start migrating everything to the GUI. :smile:
     
  50. xworm

    xworm LI Guru Member

    Is it possible to launch OpenVPN automatically when the router boots up?
     
  51. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    What would you recommend I input in "Local/remote endpoint addresses"?
    After I changed the subnet to others, I always get "Fri Mar 06 16:55:01 2009 There is a problem in your selection of --ifconfig endpoints [local=192.168.0.5, remote=192.168.0.1]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info."

    And running "openvpn --show-valid-subnets" in the ssh terminal shows invalid command.

    Here is my server1.ovpn file on WHR2-G54

    # Automatically generated configuration
    daemon
    ifconfig 192.168.0.1 192.168.0.5
    proto udp
    port 1194
    dev tun21
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route 192.168.1.0 255.255.255.0"
    secret server1-static.key
    status-version 2
    status server1.status

    # Custom Configuration

    And WHR2-G54.ovpn on windows client

    remote myremoteddns
    port 1194
    dev tun
    ifconfig 192.168.0.5 192.168.0.1
    secret key.txt
    ping-restart 60
    ping 15
    comp-lzo
    verb 3
    mute 10

    Thanks in advance.
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    See the README
     
  53. kenyloveg

    kenyloveg LI Guru Member

    And I'd like to know whether there would be any conflicts like
    "A"
    00:12:34:56:78:90 is set to 192.168.1.4 in static DHCP/ARP binding
    00:12:34:56:78:90 is set to 192.168.1.4 in VPN client
    (I've tried this; 00:12:34:56:78:90 can't access the internet or the router's web GUI but can access devices inside the LAN like 192.168.1.2)
    "B"
    00:12:34:56:78:90 is set to 192.168.1.4 in static DHCP/ARP binding
    00:12:34:56:78:90 is set to 192.168.1.9 in VPN client
     
  54. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I would recommend 10.8.0.1 and 10.8.0.2
    Note that these are not in the same subnet as either LAN.
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    See above reply. The IP addresses used are on a different subnet, so there are no conflicts.
     
  56. jza80

    jza80 Network Guru Member

    If it ain't broke, I'm not fixing it. :)

    I look at the GUI as another option to configure OpenVPN.


    The IPs/subnet mask is invalid. Don't ask why it's invalid though, as it would require a long explanation on IP addressing and subnetting. :)

    With a subnet mask of 255.255.255.252 (/30), you have 2 usable IPs per subnet/network.

    So using your IPs (192.168.0.x) as an example, you'd have this:

    192.168.0.0 (network) 192.168.0.1 - 192.168.0.2 (usable) 192.168.0.3 (broadcast)
    192.168.0.4 (network) 192.168.0.5 - 192.168.0.6 (usable) 192.168.0.7 (broadcast)
    192.168.0.8 (network) 192.168.0.9 - 192.168.0.10 (usable) 192.168.0.11 (broadcast)

    etc... etc...

    Network address and broadcast address are not usable.

    As you can see, 192.168.0.1/30 and 192.168.0.5/30 are on different subnets.
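    The /30 arithmetic above, together with the endpoint rule from the error message kenyloveg quoted (the two --ifconfig addresses must be distinct usable hosts of the same 255.255.255.252 block) and the "keep the endpoints out of both LANs" advice, worked through with Python's standard ipaddress module. This is an added example, not code from the thread or from the Tomato build; the function names are mine and the addresses are the ones from the posts plus constructed samples.

```python
import ipaddress

# Added example (not from the thread): /30 blocks, the endpoint check that explains
# the "--ifconfig endpoints" error, and a check that the tunnel endpoints do not sit
# inside either router's LAN. Addresses come from the posts or are constructed.

P2P_PREFIX = 30  # 255.255.255.252: 4 addresses per block, 2 of them usable


def p2p_block(addr: str) -> ipaddress.IPv4Network:
    """Return the /30 block containing addr (strict=False masks off the host bits)."""
    return ipaddress.ip_network(f"{addr}/{P2P_PREFIX}", strict=False)


def describe_block(net: ipaddress.IPv4Network) -> dict:
    """Network, usable hosts and broadcast of one /30, one row of jza80's table."""
    return {
        "network": str(net.network_address),
        "usable": [str(h) for h in net.hosts()],  # hosts() skips network+broadcast
        "broadcast": str(net.broadcast_address),
    }


def enumerate_blocks(first: str, count: int) -> list:
    """The first `count` consecutive /30 blocks starting at the block holding `first`."""
    net = p2p_block(first)
    rows = []
    for _ in range(count):
        rows.append(describe_block(net))
        net = ipaddress.ip_network(f"{net.broadcast_address + 1}/{P2P_PREFIX}")
    return rows


def valid_tun_endpoints(local: str, remote: str) -> bool:
    """The rule from the client error: both endpoints must be distinct usable
    addresses inside the same 255.255.255.252 subnet."""
    usable = {str(h) for h in p2p_block(local).hosts()}
    return local != remote and local in usable and remote in usable


def endpoints_clear_of_lans(endpoints, lans) -> bool:
    """True when no tunnel endpoint falls inside any of the LAN subnets given."""
    lan_nets = [ipaddress.ip_network(lan) for lan in lans]
    return not any(ipaddress.ip_address(e) in n for e in endpoints for n in lan_nets)


if __name__ == "__main__":
    for row in enumerate_blocks("192.168.0.0", 3):
        print(row)
    print(valid_tun_endpoints("192.168.0.1", "192.168.0.5"))  # different /30s
    print(valid_tun_endpoints("10.8.0.1", "10.8.0.2"))        # same /30, both usable
    print(endpoints_clear_of_lans(["10.8.0.1", "10.8.0.2"],
                                  ["192.168.1.0/24", "192.168.2.0/24"]))
```

    Run as written it prints the three rows of the table above, then False for the 192.168.0.1/192.168.0.5 pair (they straddle the 192.168.0.3 broadcast and 192.168.0.4 network addresses), True for 10.8.0.1/10.8.0.2, and True for the LAN check that motivates choosing an endpoint pair outside both routers' subnets.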
     
  57. kenyloveg

    kenyloveg LI Guru Member

    Hi, Guys
    Well, after I changed the Local/Remote endpoint addresses to 10.8.0.1/10.8.0.2, I can surf the web and access the router's web interface through 10.8.0.1. But I can't access devices (by ping, web GUI, Samba) inside the router's LAN; do I have to add a routing table entry?
     
  58. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, using Static-key mode, you have to set up the routes manually (TLS pushes it out to the clients automatically). That is why the warning message is shown on the client when using this mode. Place the following in the Custom Config on each router:
    Code:
    route 192.168.1.0 255.255.255.0
    Replacing 192.168.1.0 with the subnet on the opposite router.

    This is one of the things I plan to add to the GUI, so in future releases you may not need to do this step.
     
  59. xworm

    xworm LI Guru Member

    I'm a newbie, but where is the "README"? In the source tar package? On openvpn.net? In the router?

    Could you please give me a little clue? Thanks
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Alongside the binaries where you download them, in the source tar-ball, or on the git repository (link is direct to view the readme). Take your pick. I guess with this release it could be possible to miss it if you went straight to the mirrors.

    For what it's worth, I've made changes that have "service vpnserver1 start" check if the server is already running before doing anything else (and the client equivalent). This makes it behave like the vpnup.sh from the readme. So, for the next release that script won't be needed.
     
  61. occamsrazor

    occamsrazor Network Guru Member

    I'm looking to use a commercial VPN service (they use OpenVPN), that I'd like my Tomato router to connect to as a client.
    Assuming I can get it setup and working, are there ways to define which traffic goes over the VPN tunnel and which goes straight out to the internet? I'm looking to be able to filter it so traffic to www.domain1.com, www.domain2.com, etc goes over the VPN but everything else goes over the internet.
    Is this possible? (I don't have the service yet so can't test...)
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Absolutely. You just need to add a route for each one in the Custom Config section. I've done exactly that before.
     
  63. occamsrazor

    occamsrazor Network Guru Member

    Thanks... I'll give it a try when I subscribe to the service.

    BTW... I found a genuinely free OpenVPN provider, based in the Netherlands. It has some limitations so I'm not going to end up using it primarily, but it has been quite useful to test with:

    http://alonweb.com/

    I managed to get it up and working fine with my Windows OpenVPN client, but was unable to with the client in Tomato. They provide you with two files: a certificate file and an OpenVPN .ovpn config file. The config file contains:

    Code:
    client
    dev tun
    proto tcp
    remote <domain name address> 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    ca alonweb.crt
    auth-user-pass
    comp-lzo
    verb 3
    redirect-gateway
    

    I configured the Tomato VPN client with TUN, TCP, host, 443, TLS, etc. but was unable to get it to work. The problem seems to be the "auth-user-pass" - their server requires you to enter a user/pass each time, which you can do with the Windows client (a popup window asks you) but not with the "headless" Tomato router. I think I was getting some kind of "stdin" error in the Tomato logs. Or maybe I was just putting the cert file in the wrong box.

    I'd read about reading the user/pass from a text file, but could not get that to work either. It's not a big deal as I'm not planning to use them, but was interested if there's a workaround.

    On another note, a sort of feature request that I've no idea how difficult it would be to implement..... It would be really great to have some kind of indication as to whether the vpnserver in Tomato is running or not. I'm thinking a kind of traffic-light icon with a colour indication along the lines of "Server Off", "Server On" or "Server On, Client connected". The latter could show some details about the client e.g. local IP, remote IP, etc.

    Would be pretty handy....
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The OpenVPN site is down, so I can't go check the manual to be sure, but I think you just need to provide a file that contains your username and password on separate lines after the auth-user-pass directive (you can generate this file in the init script). I know I recently provided the exact syntax to someone else in this thread but don't have time to search for it at the moment. You may do a search on this thread to see if you can find.

    You may also have to choose Custom for Authorization mode and put the auth-user-pass <filename> and ca <filename> in the Custom Config section.

    Hope you get it working...
     
  65. xworm

    xworm LI Guru Member



    I've been trying to download the source tar, but it seems larger than I expected, so I stopped it. Maybe I shouldn't give it up. :)

    anyway, thanks, the link is what i want.
     
  66. xworm

    xworm LI Guru Member

    another question

    what i want is a server with following conf:
    #------------------
    proto tcp-server
    port 8080
    dev tap0
    mode server
    tls-server
    ca ca.crt
    tls-auth ta.key 0
    dh dh1024.pem
    key VPN-Server.key
    cert VPN-Server.crt
    ifconfig 192.168.0.1 255.255.255.0
    keepalive 10 120
    user nobody
    group nobody
    persist-key
    persist-tun
    comp-lzo
    verb 4
    #-------------------
    I don't want the server to push any info to the client; I want the client to define its IP/DNS/route itself. And the above conf works fine for me.



    and I've made following choice in GUI:
    --------------
    Interface type : TAP
    Protocol: TCP
    Port:8080
    Firewall:Automatic
    Authorization Mode:TLS
    Extra HMAC authorization (tls-auth): incoming (0)
    Client Address Pool: 192.168.0.50 - 192.168.0.55
    Encryption cipher: Use Default
    Compression:Enabled
    ------------------------

    with custom configuration like:
    #------------------
    ifconfig 192.168.0.1 255.255.255.0
    user nobody
    group nobody
    persist-key
    persist-tun
    verb 4
    #--------------------------



    but the above GUI conf won't work, and gives an error message in the log like:
    Mar 9 08:59:04 VPN-Server daemon.err openvpn[10518]: Options error: --server-bridge IP addresses 192.168.1.1 and 192.168.0.50 are not in the same 255.255.255.0 subnet

    192.168.1.1 is the router's LAN IP, it seems the "ifconfig 192.168.0.1 255.255.255.0" in custom conf doesn't work.

    Any ideas? Thanks
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you want the router to have an ip address of 192.168.0.1, set it that way in Basic->Network rather than trying to do it with the VPN config. Changing the LAN IP address of the router when you start the VPN server sounds like a bad (and odd) idea.

    You shouldn't need the ifconfig line (or the persist-* or user/group lines; plus, verb 3 is the default, unless you really want the more verbose logs, you don't need that line either).
     
  68. xworm

    xworm LI Guru Member

    Maybe I haven't described it clearly.
    I want the router's subnet to be 192.168.1.0/24, while the tap0 (or tap21 in this firmware) is 192.168.0.0/24. I don't want them in the same subnet.

    BTW, why isn't user/group necessary? I think this will lead to lower privilege on the openvpn process, which is considered somewhat safer.
     
  69. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    My GUI automatically adds the TAP interface to the LAN bridge. If you want it to be separate, I suggest using TUN as TAP won't give you any benefit if you aren't bridging. If you for some reason need to use TAP, but use it like TUN (which is what you're doing), you'll have to do so outside of the GUI. Sorry.
     
  70. ramasule

    ramasule Addicted to LI Member

    Hey I'm back after pulling my hair out :p
    I have OpenVPN to my sme server working.
    Then I had it working with the routers to my sme server.
    Now that I've redone my router and switched sites I cannot connect to my sme OpenVPN anymore.
    My computer's OpenVPN GUI can still connect so I am totally stumped.
    It fails on the TLS authentication

    Code:
    Mar  9 17:17:38 unknown daemon.notice openvpn[345]: TLS: Initial packet from *REMOVED BY ME*, sid=f0a3558c 71722b9c
    Mar  9 17:17:39 unknown daemon.notice openvpn[345]: VERIFY OK: depth=1, *REMOVED BY ME*
    Mar  9 17:17:39 unknown daemon.notice openvpn[345]: VERIFY OK: nsCertType=SERVER
    Mar  9 17:17:39 unknown daemon.notice openvpn[345]: VERIFY X509NAME OK: *REMOVED BY ME*
    Mar  9 17:17:39 unknown daemon.notice openvpn[345]: VERIFY OK: depth=0, *REMOVED BY ME*
    Mar  9 17:18:58 unknown daemon.err openvpn[345]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar  9 17:18:58 unknown daemon.err openvpn[345]: TLS Error: TLS handshake failed
    Mar  9 17:18:58 unknown daemon.notice openvpn[345]: TCP/UDP: Closing socket
    Mar  9 17:18:58 unknown daemon.notice openvpn[345]: SIGUSR1[soft,tls-error] received, process restarting
    here is the server and TLS packet
    Code:
    Mon Mar  9 17:18:58 2009 us=720615 *Removed by me*:35041 TLS: Initial packet from *Removed by me*:35041, sid=5e494202 468609b6
    
    I can't seem to get past this now.

    The time on my server and router matches so I don't know what else it could be.

    Thanks for your time,

    Derek L
     
  71. ramasule

    ramasule Addicted to LI Member

    You can look at roadkill's code here; it sort of works :p
    Code:
    # Poll the VPN interface once a second and drive the amber LED from its byte counters.
    # Interface name: tap0 in the roadkill mod; the GUI build uses tap21/tun21 instead.
    IFACE=tap0
    PXFER=""
    while sleep 1; do
        # test grep's exit status directly; the original stored its (empty) output in I
        # and then ran "if I=0", which is an assignment and is always true
        if ifconfig "$IFACE" 2>/dev/null | grep -q 'UP'; then
            XFER=`ifconfig "$IFACE" | grep bytes`
            if [ "$XFER" != "$PXFER" ]; then
                led amb on      # counters moved since last second: traffic on the tunnel
                PXFER=$XFER
            else
                led amb off
            fi
        else
            led amb off         # interface down or absent
            led white off
        fi
    done &   # background the loop so the WAN-up script itself can finish
    
    Put it in your Administration WAN-up script.
    It will turn the Cisco Systems light amber when the VPN is on.
     
  72. ramasule

    ramasule Addicted to LI Member

    I hate you tls
     
  73. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I'm able to establish TUN+TLS, and my client can access devices behind the VPN server. But I can't surf the web through the VPN tunnel; DNS won't resolve.
    Check out the feature below introduced by OpenWrt:
    http://wiki.openwrt.org/OpenVPNDNS
    Can you port this feature to your mod? I just think it would be helpful rather than configuring dnsmasq again.
    Thank you and have a good day.
     
  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm not sure that does what you think it does. All that does is makes the VPN clients resolvable on the server LAN using commonname.vpn.<yourrouterdomain>.

    So, are you saying that DNS doesn't work at all when your VPN tunnel is connected? You can't surf the web at all, or it just doesn't go through the VPN?
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    @ramasule: Only thing I can think of at the moment is to try TCP and/or other ports. Something may be getting blocked.
     
  76. ramasule

    ramasule Addicted to LI Member

    That's what I thought.

    Don't you have to have gateway redirect on if you want to surf through your VPN to your external server?

    I've tried this setup lots of times and every time I have had no problem with the DNS when it was able to establish a tunnel.
     
  77. bigclaw

    bigclaw Network Guru Member

    Finally bit the bullet and upgraded my RoadKill mod to this one. The upgrade was effortless. I think it took longer to re-enter all my static DHCP settings than re-enabling VPN with the new, shiny GUI.

    Now I have the latest QoS, Vegas, and VPN w/ GUI. Life is good. :)

    Excellent job, SgtPepperKSU, and thanks a lot!
     
  78. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    I can't surf the web at all. I want the VPN server to be my gateway and router, which means I can surf the web through the VPN and access devices behind the router (VPN server). How can I make it happen? BTW, I went through the OpenVPN handbook but found no clue.
    Thank you.
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The redirect-gateway option is needed to send web-bound traffic over the tunnel. Is this what you are using? If so, ssh/telnet to the router and provide the output of
    Code:
    route -n;ifconfig
     
  80. kenyloveg

    kenyloveg LI Guru Member

    # route -n;ifconfig
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun21
    58.41.84.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 58.41.84.1 0.0.0.0 UG 0 0 0 ppp0
    br0 Link encap:Ethernet HWaddr 00:07:40:00:00:00
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:76262657 errors:0 dropped:0 overruns:0 frame:0
    TX packets:72297210 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:1561467898 (1.4 GiB) TX bytes:722942970 (689.4 MiB)

    eth0 Link encap:Ethernet HWaddr 00:07:40:00:00:00
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:77044823 errors:3 dropped:0 overruns:2 frame:2
    TX packets:72324321 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:403624440 (384.9 MiB) TX bytes:134275744 (128.0 MiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:07:40:00:00:01
    UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
    RX packets:72456653 errors:21 dropped:0 overruns:19 frame:19
    TX packets:76170352 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:1630966635 (1.5 GiB) TX bytes:3092285472 (2.8 GiB)
    Interrupt:5 Base address:0x2000

    eth2 Link encap:Ethernet HWaddr 00:07:40:00:00:02
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1279802 errors:0 dropped:0 overruns:0 frame:14581995
    TX packets:2165881 errors:468 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:326332906 (311.2 MiB) TX bytes:2734444520 (2.5 GiB)
    Interrupt:2 Base address:0x2000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:747 errors:0 dropped:0 overruns:0 frame:0
    TX packets:747 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:60144 (58.7 KiB) TX bytes:60144 (58.7 KiB)

    ppp0 Link encap:Point-to-Point Protocol
    inet addr:58.41.87.222 P-t-P:58.41.84.1 Mask:255.255.255.255
    UP POINTOPOINT RUNNING MULTICAST MTU:1492 Metric:1
    RX packets:72426578 errors:0 dropped:0 overruns:0 frame:0
    TX packets:76140277 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:4040918103 (3.7 GiB) TX bytes:1416297078 (1.3 GiB)

    tun21 Link encap:Point-to-Point Protocol
    inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:30693 errors:0 dropped:0 overruns:0 frame:0
    TX packets:42697 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:2964308 (2.8 MiB) TX bytes:43233023 (41.2 MiB)

    Thank you for helping me out:hearts:
     
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Routing table looks correct... if you are not using the redirect-gateway OpenVPN option. As mentioned before, this is what tells the router to send all the traffic over the tunnel. If you have not already, please add the following to your Custom Config section:
    Code:
    redirect-gateway def1
    Not a problem. :smile:
     
  82. kenyloveg

    kenyloveg LI Guru Member

    Well, SgtPepperKSU
    I got the following message in syslog.
    Mar 12 00:19:23 ? user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Mar 12 00:19:24 ? user.info kernel: device tun21 entered promiscuous mode
    Mar 12 00:19:24 ? daemon.err openvpn[29485]: Options error: --redirect-gateway cannot be used with --mode server (however --push "redirect-gateway" is fine)
    Mar 12 00:19:24 ? daemon.warn openvpn[29485]: Use --help for more information.

    Excuse me for bothering you again.
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, I thought you were configuring your client. redirect-gateway goes in the client config (or push "redirect-gateway" in the server config, as stated in the error message). Is it the clients or the server that can't browse the internet when the VPN is connected? Whichever isn't working is where I need to see the routing information.
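    The failures quoted in this thread (the "no start line" DH error in post 43, redirect-gateway placed in a server config in post 82, and auth-user-pass prompting on stdin on a headless router or reading a malformed two-line file in posts 41 and 63) can all be caught before OpenVPN is even started. The following is an added example, not code from the thread or from the Tomato or OpenVPN projects: a small pre-flight check over the config text and the files the GUI fields are written to. It assumes file contents are handed in as a dict rather than read from /tmp; the file names other than server1-dh.pem and /tmp/vpnpass (both from the thread) are constructed, as are the PEM bodies, which are placeholders rather than key material.

```python
import re

# Added example (not from the thread): lint an OpenVPN config plus the contents of
# the files it references, catching the errors quoted in this thread before openvpn
# runs. "Files" are a dict {name: contents}, so nothing under /tmp is touched.

PEM_LABELS = {  # PEM label expected for each file directive (key: PKCS#1 or PKCS#8)
    "ca": ("CERTIFICATE",),
    "cert": ("CERTIFICATE",),
    "key": ("RSA PRIVATE KEY", "PRIVATE KEY"),
    "dh": ("DH PARAMETERS",),
}


def parse_config(text):
    """Split an OpenVPN config into (directive, argument-string) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def pem_has_armour(data, labels):
    """True if data holds a BEGIN/END pair for one of the labels, each starting its own
    line. A leading space (a paste artefact) already makes OpenSSL say 'no start line'."""
    for label in labels:
        begin = re.search(rf"^-----BEGIN {re.escape(label)}-----\s*$", data, re.M)
        end = re.search(rf"^-----END {re.escape(label)}-----\s*$", data, re.M)
        if begin and end and begin.start() < end.start():
            return True
    return False


def lint(config_text, files):
    """Return a list of problem strings; an empty list means the config passed."""
    problems = []
    entries = parse_config(config_text)
    names = {d for d, _ in entries}
    is_server = ("mode", "server") in entries or bool(names & {"server", "server-bridge"})
    for directive, arg in entries:
        if directive in PEM_LABELS:
            data = files.get(arg)
            if data is None:
                problems.append(f"{directive}: file '{arg}' was never written")
            elif not pem_has_armour(data, PEM_LABELS[directive]):
                problems.append(f"{directive}: '{arg}' has no PEM start line "
                                f"(expected -----BEGIN {PEM_LABELS[directive][0]}-----)")
        elif directive == "redirect-gateway" and is_server:
            problems.append('redirect-gateway cannot be used with mode server; '
                            'use push "redirect-gateway def1" on the server instead')
        elif directive == "auth-user-pass":
            if not arg:
                problems.append("auth-user-pass without a file name prompts on stdin, "
                                "which a headless router cannot answer")
            else:
                lines = [l for l in files.get(arg, "").splitlines() if l.strip()]
                if len(lines) != 2:
                    problems.append(f"auth-user-pass: '{arg}' must hold exactly two lines "
                                    f"(username, then password), found {len(lines)}")
    return problems


# Constructed sample inputs; the PEM bodies are placeholders, not real key material.
GOOD_DH = "-----BEGIN DH PARAMETERS-----\nplaceholder-body\n-----END DH PARAMETERS-----\n"
GOOD_CERT = "-----BEGIN CERTIFICATE-----\nplaceholder-body\n-----END CERTIFICATE-----\n"
GOOD_KEY = "-----BEGIN RSA PRIVATE KEY-----\nplaceholder-body\n-----END RSA PRIVATE KEY-----\n"
SERVER_CONF = """# Automatically generated configuration
server 10.8.0.0 255.255.255.0
dev tun21
ca server1-ca.crt
dh server1-dh.pem
cert server1.crt
key server1.key
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
"""
FILES_OK = {"server1-ca.crt": GOOD_CERT, "server1-dh.pem": GOOD_DH,
            "server1.crt": GOOD_CERT, "server1.key": GOOD_KEY}


def check_examples():
    """Run lint over the good config and over each failure quoted in the thread."""
    client_conf = "client\ndev tun\nauth-user-pass /tmp/vpnpass\n"
    return {
        "good": lint(SERVER_CONF, FILES_OK),
        "empty_dh": lint(SERVER_CONF, dict(FILES_OK, **{"server1-dh.pem": "\n"})),
        "bad_redirect": lint(SERVER_CONF + "redirect-gateway def1\n", FILES_OK),
        "prompt": lint("client\ndev tun\nauth-user-pass\n", {}),
        "one_line_pass": lint(client_conf, {"/tmp/vpnpass": "yourusername\n"}),
        "two_line_pass": lint(client_conf, {"/tmp/vpnpass": "yourusername\nyourpassword\n"}),
    }
```

    The "good" case passes because the server pushes redirect-gateway to its clients rather than applying it to itself; the "empty_dh" case reproduces the condition behind elec999's error, and the "prompt" case is the headless-router situation occamsrazor ran into with the downloaded .ovpn file. The PEM check only verifies the armour lines, which is exactly what "no start line" complains about; it does not validate the base64 body.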
     
  84. Chilling_Silence

    Chilling_Silence Addicted to LI Member

    Absolutely brilliant stuff! Having used the DD-WRT -vpn builds a few times, I must say I found this firmware so much nicer to set up as a client and as a server! It was quick to get it set up and working well; thank you very much for all your work done adding OpenVPN to this already brilliant firmware! :)

    Loving the ability to be a client on two VPNs at once, that's definitely going to come in handy in the near future!

    Two thumbs up from me! :thumbup: :thumbup:
     
  85. bigclaw

    bigclaw Network Guru Member

    Hmm, I think I'm still getting these restarts with the latest build, every minute:

    Code:
    Mar 12 14:32:20 unknown daemon.notice openvpn[145]: Inactivity timeout (--ping-restart), restarting
    Mar 12 14:32:20 unknown daemon.notice openvpn[145]: TCP/UDP: Closing socket
    Mar 12 14:32:20 unknown daemon.notice openvpn[145]: Closing TUN/TAP interface
    Mar 12 14:32:20 unknown daemon.notice openvpn[145]: SIGUSR1[soft,ping-restart] received, process restarting
    Mar 12 14:32:20 unknown daemon.notice openvpn[145]: Restart pause, 2 second(s)
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: LZO compression initialized
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: TUN/TAP device tap21 opened
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: TUN/TAP TX queue length set to 100
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: UDPv4 link local (bound): [undef]:1194
    Mar 12 14:32:22 unknown daemon.notice openvpn[145]: UDPv4 link remote: [undef]
    
    My current VPN setup:
    Code:
    TAP
    UDP
    Port: 1194
    Firewall: Automatic
    Authorization Mode: Static Key
    Encryption cipher: BF-CBC
    Compression: Enabled
    
    Let me know if you want any more details of my setup.

    Update: this bug report implies that OpenVPN does soft-restart itself periodically when UDP is used. I guess the question is why we didn't see these log entries before?
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think it is UDP specific. When I was seeing them (previous release), I was using TCP (through an http proxy). And, with the current release, I'm not seeing them, though I am using client-config-dir to have two-way LAN-to-LAN access. Since it is still happening with this release, and I've stopped seeing it when I moved to client-config-dir, it makes me think that it has something to do with the NAT firewall command I run on the client when that checkbox is set.

    Could you try unchecking that box and see what happens? Your client LAN will no longer be able to communicate over the tunnel, but you can check connectivity by using ping, nslookup, and traceroute from the client router shell.
     
  87. bigclaw

    bigclaw Network Guru Member

    I'm not running a site-to-site VPN, so I don't even use the client config on the Tomato router. I have server1 up, and my laptop dials in from work when needed. That's why it's weird; OpenVPN is apparently saying that it needs to restart because there is no activity. Well, there is no activity because no client is connected. Duh...

    I figure it may have to do with UDP being a connection-less protocol? But that shouldn't prevent OpenVPN from keeping its own state information about current connections...

    What I can do is switch to TCP for the time being and verify the warnings are or aren't there.
     
  88. bigclaw

    bigclaw Network Guru Member

    Just verified that TCP doesn't soft-restart; UDP soft-restarts (and generates those annoying log entries) based on the keepalive timeout value when no client is connected. When a client is connected, UDP doesn't soft-restart, presumably because the keepalive pings are succeeding.

    I put "keepalive 15 120" in Custom Configuration so that OpenVPN restarts every 2 minutes now. :)
     
  89. Chilling_Silence

    Chilling_Silence Addicted to LI Member

    I'm currently hosting OpenVPN on a box, and wanted the Tomato router to join.

    I'm positive that when I first tested it, it was connected, but now it doesn't seem to be, and I'm getting a *ton* of log entries (I think this is different to the previous poster though)
    Code:
    20090313-112918 delete  10.179.0.70
    20090313-112919 add     10.179.0.70     rTomatoRouter1
    20090313-112936 delete  10.179.0.70
    20090313-112937 add     10.179.0.70     rTomatoRouter1
    20090313-112952 delete  10.179.0.70
    20090313-112956 add     10.179.0.70     rTomatoRouter1
    20090313-113009 delete  10.179.0.70
    20090313-113016 add     10.179.0.70     rTomatoRouter1
    20090313-113026 delete  10.179.0.70
    20090313-113035 add     10.179.0.70     rTomatoRouter1
    20090313-113054 update  10.179.0.70     rTomatoRouter1
    20090313-113113 update  10.179.0.70     rTomatoRouter1
    20090313-113132 update  10.179.0.70     rTomatoRouter1
    20090313-113151 update  10.179.0.70     rTomatoRouter1
    20090313-113209 update  10.179.0.70     rTomatoRouter1
    20090313-113227 update  10.179.0.70     rTomatoRouter1
    20090313-113247 update  10.179.0.70     rTomatoRouter1
    20090313-113306 update  10.179.0.70     rTomatoRouter1
    20090313-113324 delete  10.179.0.70
    20090313-113325 add     10.179.0.70     rTomatoRouter1
    20090313-113341 delete  10.179.0.70
    20090313-113344 add     10.179.0.70     rTomatoRouter1
    20090313-113358 delete  10.179.0.70
    20090313-113402 add     10.179.0.70     rTomatoRouter1
    20090313-113415 delete  10.179.0.70
    20090313-113420 add     10.179.0.70     rTomatoRouter1
    I currently have approx. 15 other boxes connected to it just fine; it's just this one that's playing up, and I'm not entirely sure why...
    Server config:
    Code:
    port                    1194
    proto                   tcp-server
    dev                     tun7
    
    tls-server
    cipher                  aes-256-cbc
    ca                      /etc/openvpn/cvnet/keys/ca.crt
    cert                    /etc/openvpn/cvnet/keys/vpn.crt
    key                     /etc/openvpn/cvnet/keys/vpn.key
    dh                      /etc/openvpn/cvnet/keys/dh1024.pem
    client-to-client
    mssfix                  1200
    comp-lzo                yes
    keepalive               7 20
    ping-timer-rem
    server                  10.179.0.0 255.255.252.0
    ifconfig-pool-persist   /etc/openvpn/cvnet/pool-vc1.csv
    client-config-dir       /etc/openvpn/cvnet/configs
    learn-address           /etc/openvpn/cvnet/scripts/route-event
    route-up                "route add -net 10.179.0.0/22 tun7"
    push                    "route 10.179.0.0 255.255.252.0"
    I don't have direct access to the client config I used on the router right now (I'm at work, will post the exact config I used shortly), but here's what most of the clients look like; I just tried to mirror this using the GUI:
    Code:
    port		1194
    proto		tcp-client
    dev		tun
    remote	X.X.X.X (Removed for privacy reasons)
    tls-client
    cipher		aes-256-cbc
    ca		ca.crt
    cert		client15.crt
    key		client15.key
    ns-cert-type	server
    comp-lzo	yes
    pull
    Any ideas why I can't ping from the VPN server to the Tomato client, yet I can for all the others?
    Code:
    # ping 10.179.0.38 -c 2
    PING 10.179.0.38 (10.179.0.38) 56(84) bytes of data.
    64 bytes from 10.179.0.38: icmp_seq=1 ttl=64 time=30.3 ms
    64 bytes from 10.179.0.38: icmp_seq=2 ttl=64 time=18.8 ms
    
    --- 10.179.0.38 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 18.835/24.602/30.369/5.767 ms
    
    # ping 10.179.0.70 -c 2
    PING 10.179.0.70 (10.179.0.70) 56(84) bytes of data.
    
    --- 10.179.0.70 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1007ms
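The add/delete churn in that learn-address log is worth measuring rather than eyeballing. Here is an added example (not Tomato or OpenVPN code) that parses lines in the `YYYYMMDD-HHMMSS op address [cn]` format shown above, pairs each `add` with the next `delete` for the same address, and flags clients whose sessions are repeatedly short-lived. OpenVPN passes the operation, the address and (for add/update) the common name to the `learn-address` script; the timestamp column and the 60 s / 3-session thresholds are assumptions of this example, and the sample log is the one posted above.

```python
"""Spot a flapping VPN client in learn-address script output.

Added example for this thread (not Tomato/OpenVPN code).  OpenVPN calls the
learn-address script with operation (add/update/delete), address and, for
add/update, the client's common name; the log layout assumed here,
``YYYYMMDD-HHMMSS op address [cn]``, matches the lines posted above.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Copied from the post above.
SAMPLE_LOG = """\
20090313-112918 delete  10.179.0.70
20090313-112919 add     10.179.0.70     rTomatoRouter1
20090313-112936 delete  10.179.0.70
20090313-112937 add     10.179.0.70     rTomatoRouter1
20090313-112952 delete  10.179.0.70
20090313-112956 add     10.179.0.70     rTomatoRouter1
20090313-113009 delete  10.179.0.70
20090313-113016 add     10.179.0.70     rTomatoRouter1
20090313-113026 delete  10.179.0.70
20090313-113035 add     10.179.0.70     rTomatoRouter1
20090313-113054 update  10.179.0.70     rTomatoRouter1
20090313-113113 update  10.179.0.70     rTomatoRouter1
20090313-113132 update  10.179.0.70     rTomatoRouter1
20090313-113151 update  10.179.0.70     rTomatoRouter1
20090313-113209 update  10.179.0.70     rTomatoRouter1
20090313-113227 update  10.179.0.70     rTomatoRouter1
20090313-113247 update  10.179.0.70     rTomatoRouter1
20090313-113306 update  10.179.0.70     rTomatoRouter1
20090313-113324 delete  10.179.0.70
20090313-113325 add     10.179.0.70     rTomatoRouter1
20090313-113341 delete  10.179.0.70
20090313-113344 add     10.179.0.70     rTomatoRouter1
20090313-113358 delete  10.179.0.70
20090313-113402 add     10.179.0.70     rTomatoRouter1
20090313-113415 delete  10.179.0.70
20090313-113420 add     10.179.0.70     rTomatoRouter1
"""


def parse_events(text):
    """Return (timestamp, op, address, cn-or-None) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y%m%d-%H%M%S")
        cn = parts[3] if len(parts) > 3 else None   # delete carries no cn
        events.append((ts, parts[1], parts[2], cn))
    return events


def summarize(events):
    """Per address: the length in seconds of every add..delete session, plus
    a count of each operation seen."""
    open_since = {}
    sessions = defaultdict(list)
    ops = defaultdict(Counter)
    for ts, op, addr, _cn in sorted(events, key=lambda e: e[0]):
        ops[addr][op] += 1
        if op == "add":
            open_since[addr] = ts
        elif op == "delete" and addr in open_since:
            sessions[addr].append((ts - open_since.pop(addr)).total_seconds())
    return sessions, ops


def flapping_clients(events, short=60, min_short=3):
    """Addresses with at least `min_short` sessions shorter than `short` seconds."""
    sessions, ops = summarize(events)
    report = {}
    for addr, secs in sessions.items():
        short_ones = [s for s in secs if s < short]
        if len(short_ones) >= min_short:
            report[addr] = {
                "sessions": len(secs),
                "short_sessions": len(short_ones),
                "shortest_s": min(secs),
                "longest_s": max(secs),
                "updates": ops[addr]["update"],
            }
    return report


if __name__ == "__main__":
    for addr, info in flapping_clients(parse_events(SAMPLE_LOG)).items():
        print(addr, info)
```

On the posted log this reports eight completed sessions for 10.179.0.70, seven of them between 10 and 17 seconds long, with one longer stretch (169 s) during which the address was only re-learned (`update`) rather than dropped.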
     
  90. Ezrem

    Ezrem LI Guru Member

    Can someone post a step by step guide of exactly what they did to set up a TLS VPN?

    I'm configuring a new router for my parents, and want to be able to VPN in to troubleshoot issues. I have been trying to figure this out, slowly wading through this thread, but am not having much luck.

    I installed OpenVPN on my XP box, generated certificates and keys, pasted them into the VPN configuration and can start the VPN service, but for the life of me, I cannot connect.

    I saw something about running modprobe tun at the command line, so I did that as well.

    Is there more I must do? When I try to connect, here is what I get in my logs:
    Dec 31 19:59:40 routername daemon.notice openvpn[13256]: MULTI: multi_create_instance called
    Dec 31 19:59:40 routername daemon.notice openvpn[13256]: 192.168.0.10:53404 Re-using SSL/TLS context
    Dec 31 19:59:40 routername daemon.notice openvpn[13256]: 192.168.0.10:53404 LZO compression initialized
    Dec 31 19:59:40 routername daemon.notice openvpn[13256]: 192.168.0.10:53404 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Dec 31 19:59:40 routername daemon.notice openvpn[13256]: 192.168.0.10:53404 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Dec 31 19:59:40 routername daemon.notice openvpn[13256]: 192.168.0.10:53404 TLS: Initial packet from 192.168.0.10:53404, sid=aadaaeb0 0fce3cea
    Dec 31 19:59:41 routername daemon.err openvpn[13256]: 192.168.0.10:53404 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=US/ST=State/L=City/O=Corp/CN=servername/Email=email@gmail.com
    Dec 31 19:59:41 routername daemon.err openvpn[13256]: 192.168.0.10:53404 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Dec 31 19:59:41 routername daemon.err openvpn[13256]: 192.168.0.10:53404 TLS Error: TLS object -> incoming plaintext read error
    Dec 31 19:59:41 routername daemon.err openvpn[13256]: 192.168.0.10:53404 TLS Error: TLS handshake failed
    Dec 31 19:59:41 routername daemon.notice openvpn[13256]: 192.168.0.10:53404 SIGUSR1[soft,tls-error] received, client-instance restarting

    I have replaced personal info in here with generic stuff: State/City/Corp/email, etc.
     
  91. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That error indicates that the time embedded in the certificate that you generated is in the future. That could be because either your router or the computer you generated the certificates on has the wrong time. Please check that and try again.
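An added example (not Tomato or OpenVPN code) of the check described here: parse `VERIFY ERROR` lines like the one in the log two posts up into depth, reason and CN, mark the reasons that are clock-related, and compare a certificate's validity window, in the format `openssl x509 -noout -dates` prints, against the verifying host's clock. Depth 0 is the peer's own certificate and depth 1 the certificate that issued it, so the posted error concerns the CA certificate. The log line is copied from the post; the certificate dates and the router clock value are constructed (the log's own `Dec 31 19:59` timestamps are a hint to check the router clock first).

```python
"""Triage OpenVPN TLS verification failures caused by clock skew.

Added example for this thread, not Tomato or OpenVPN code.  The sample
log line is copied from the thread; certificate dates and the router
clock are constructed values.
"""
import re
from datetime import datetime, timezone

# OpenSSL's X509 verify error strings that depend on the local clock.
CLOCK_REASONS = {"certificate is not yet valid", "certificate has expired"}

VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<reason>[^:]+): (?P<subject>\S+)")
CN_RE = re.compile(r"/CN=([^/]+)")

SAMPLE_LOG = (
    "Dec 31 19:59:41 routername daemon.err openvpn[13256]: 192.168.0.10:53404 "
    "VERIFY ERROR: depth=1, error=certificate is not yet valid: "
    "/C=US/ST=State/L=City/O=Corp/CN=servername/Email=email@gmail.com\n"
    "Dec 31 19:59:41 routername daemon.err openvpn[13256]: 192.168.0.10:53404 "
    "TLS Error: TLS handshake failed\n"
)

# Constructed router clock: a device whose time has not been set.
ROUTER_CLOCK = datetime(2008, 12, 31, 19, 59, 40, tzinfo=timezone.utc)
# Constructed validity window, as 'openssl x509 -noout -dates' would print it.
NOT_BEFORE = "Mar 10 12:00:00 2009 GMT"
NOT_AFTER = "Mar  8 12:00:00 2019 GMT"


def parse_verify_errors(log):
    """Pull depth, reason and CN out of every VERIFY ERROR line in the log."""
    found = []
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        reason = m["reason"].strip()
        cn = CN_RE.search(m["subject"])
        found.append({
            "depth": int(m["depth"]),        # 0 = peer cert, 1 = its issuer, ...
            "reason": reason,
            "cn": cn.group(1) if cn else None,
            "clock_related": reason in CLOCK_REASONS,
        })
    return found


def parse_openssl_date(text):
    """'Mar 10 12:00:00 2009 GMT' -> timezone-aware UTC datetime."""
    naive = datetime.strptime(text.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def check_validity(not_before, not_after, now):
    """Compare a validity window with the verifier's clock.  Returns
    (verdict, seconds): how far the clock is outside the window, or 0."""
    nb, na = parse_openssl_date(not_before), parse_openssl_date(not_after)
    if now < nb:
        return "not yet valid", int((nb - now).total_seconds())
    if now > na:
        return "expired", int((now - na).total_seconds())
    return "valid", 0


def triage(log, not_before, not_after, now):
    """Join each verify error with the local clock check, so a 'not yet valid'
    error that coincides with a clock earlier than notBefore points at the
    clock rather than at the certificate."""
    verdict, delta = check_validity(not_before, not_after, now)
    return [dict(e, clock_verdict=verdict, clock_delta_s=delta)
            for e in parse_verify_errors(log)]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG, NOT_BEFORE, NOT_AFTER, ROUTER_CLOCK):
        print(entry)
```

Run against the constructed values, the verdict is "not yet valid" with the clock roughly 69 days behind `notBefore`; the same certificate checked with a correctly set clock in mid-2009 reports "valid".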
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you provide the output of
    Code:
    route -n; iptables -vL
    on the router with the tunnel connected?
     
  93. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    So, it's only happening for you when there are no clients connected? I don't know that I ever checked if it was (soft) restarting while idle, but it definitely was when a client was connected. There has to be some underlying firewall problem, but I just can't think of what to try differently.

    I guess I should make the keepalive parameters tunable in the GUI...
     
  94. Chilling_Silence

    Chilling_Silence Addicted to LI Member

    It wouldn't have anything to do with the fact that I'm using aes-256-cbc as my cipher, would it? I can't see it in the supported cipher list in the GUI.

    Here's the output of that command, as requested.
    192.168.178.X is the LAN / WLAN of the Tomato router
    192.168.1.1 is the IP of the DSL Router (WAN Interface)
    10.179.0.1 is the VPN

    Code:
    Tomato v1.23vpn2.0006
    
    BusyBox v1.12.3 (2009-02-16 02:58:04 CST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    # route -n; iptables -vL
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan1
    Chain INPUT (policy DROP 8 packets, 292 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
        0     0 DROP       0    --  any    any     anywhere             anywhere
            state INVALID
      283 44090 ACCEPT     0    --  any    any     anywhere             anywhere
            state RELATED,ESTABLISHED
      155 28622 ACCEPT     0    --  br0    any     anywhere             anywhere
    
        0     0 ACCEPT     0    --  lo     any     anywhere             anywhere
    
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
        0     0 ACCEPT     0    --  br0    br0     anywhere             anywhere
    
        0     0 DROP       0    --  any    any     anywhere             anywhere
            state INVALID
      561 27164 TCPMSS     tcp  --  any    any     anywhere             anywhere
            tcp flags:SYN,RST/SYN tcpmss match 1261:65535 TCPMSS set 1260
    10239 7137K L7in       0    --  vlan1  any     anywhere             anywhere
    
    19414 9866K ACCEPT     0    --  any    any     anywhere             anywhere
            state RELATED,ESTABLISHED
       15   756 wanin      0    --  vlan1  any     anywhere             anywhere
    
      506 30386 wanout     0    --  any    vlan1   anywhere             anywhere
    
      506 30386 ACCEPT     0    --  br0    any     anywhere             anywhere
    
       15   756 upnp       0    --  vlan1  any     anywhere             anywhere
    
    
    Chain OUTPUT (policy ACCEPT 503 packets, 177K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain L7in (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
        0     0 RETURN     0    --  any    any     anywhere             anywhere
            LAYER7 l7proto httpvideo
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
        0     0 ACCEPT     udp  --  any    any     anywhere             caseylaptop
            udp dpt:16258
    
       15   756 ACCEPT     tcp  --  any    any     anywhere             192.168.178.8
            tcp dpt:12609
        0     0 ACCEPT     udp  --  any    any     anywhere             192.168.178.8
            udp dpt:12609
    
    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination
    
    
    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination
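A way to read that `route -n; iptables -vL` dump mechanically, as an added example (not Tomato code): parse the routing table, do a longest-prefix lookup for an address in the VPN subnet, and list which tunnel interfaces have routes or appear in firewall rules. The posted routing table and a subset of the posted INPUT chain are reused as sample input; the healthy variant with a `tun11` route is constructed (interface name assumed), and the VPN subnet 10.179.0.0/22 is the one from the server config earlier in the thread.

```python
"""Decide from ``route -n`` and ``iptables -vL`` output whether a VPN subnet
is reachable through a tunnel interface at all.

Added example for this thread, not Tomato code.  The posted routing table
and INPUT chain are reused as sample input; the healthy variant with tun11
is constructed.
"""
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# route -n output copied from the post above.
POSTED_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan1
"""

# A subset of the posted INPUT chain.
POSTED_IPTABLES = """\
Chain INPUT (policy DROP 8 packets, 292 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  any    any     anywhere             anywhere
  155 28622 ACCEPT     0    --  br0    any     anywhere             anywhere
    0     0 ACCEPT     0    --  lo     any     anywhere             anywhere
"""

# Constructed: the same router with the tunnel up on tun11 (name assumed)
# and an INPUT rule that admits traffic from it.
HEALTHY_ROUTES = POSTED_ROUTES + \
    "10.179.0.0      0.0.0.0         255.255.252.0   U     0      0        0 tun11\n"
HEALTHY_IPTABLES = POSTED_IPTABLES + \
    "    0     0 ACCEPT     0    --  tun11  any     anywhere             anywhere\n"


def parse_route_table(text):
    """Parse the 8-column ``route -n`` listing; header and banner lines are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 8 and IPV4.match(cols[0]) and IPV4.match(cols[2]):
            dest, gw, mask, flags, _metric, _ref, _use, iface = cols
            routes.append({
                "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                "gateway": gw, "flags": flags, "iface": iface,
            })
    return routes


def lookup(routes, address):
    """Longest-prefix match, the way the kernel picks a route."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r["network"]]
    return max(matches, key=lambda r: r["network"].prefixlen, default=None)


def interfaces_in_rules(iptables_text):
    """Interface names from the in/out columns of ``iptables -vL`` rule rows
    (pkts bytes target prot opt in out source destination)."""
    seen = set()
    for line in iptables_text.splitlines():
        cols = line.split()
        if len(cols) >= 9 and cols[4] == "--":
            seen.update((cols[5], cols[6]))
    seen.discard("any")
    return seen


def tunnel_check(route_text, iptables_text, vpn_subnet):
    """Summarise whether vpn_subnet would actually leave through a tunnel."""
    routes = parse_route_table(route_text)
    net = ipaddress.ip_network(vpn_subnet)
    hit = lookup(routes, str(net.network_address + 1))
    is_tunnel = lambda name: name.startswith(("tun", "tap"))
    return {
        "tunnel_interfaces_with_routes": sorted({r["iface"] for r in routes if is_tunnel(r["iface"])}),
        "vpn_subnet_exits_via": hit["iface"] if hit else None,
        "vpn_subnet_uses_default_route": bool(hit) and hit["network"].prefixlen == 0,
        "tunnel_interfaces_in_firewall": sorted(i for i in interfaces_in_rules(iptables_text) if is_tunnel(i)),
    }


if __name__ == "__main__":
    print("posted :", tunnel_check(POSTED_ROUTES, POSTED_IPTABLES, "10.179.0.0/22"))
    print("healthy:", tunnel_check(HEALTHY_ROUTES, HEALTHY_IPTABLES, "10.179.0.0/22"))
```

On the posted table the lookup for 10.179.0.1 lands on the default route via vlan1 and no tun/tap interface appears in either the routes or the rules, which is what a tunnel that never came up looks like from the routing side; the constructed healthy table sends the same address out tun11.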
     
  95. Frittenschmied

    Frittenschmied Addicted to LI Member

    Nice mod, thank you.

    Is it possible to add fprobe for netflow-monitoring to your mod? I tried the kamikaze-binaries, but it ends in a segfault. :frown:

    http://fprobe.sourceforge.net/
     
  96. bigclaw

    bigclaw Network Guru Member

    If you look at the bug report I quoted, they were saying that the Ubuntu OpenVPN wrapper does not handle OpenVPN UDP soft-restarts correctly. In other words, the bug report was not against OpenVPN itself. The wording implies that these UDP soft-restarts are almost expected.

    I don't think there's an urgent need for that. If anybody wants to override the default 1 minute interval, they can do what I did and have one extra line in Custom Configuration. Besides, changing keepalive values doesn't eliminate the problem anyway.
     
  97. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Spot on. Using AES as the cipher is not supported. The VPN GUI auto-queries to see what ciphers are supported whenever the page is loaded, but the version of OpenSSL that is in Tomato doesn't support AES. All attempts at upgrading OpenSSL have so far failed. It is still something on the roadmap, though.
     
  98. Chilling_Silence

    Chilling_Silence Addicted to LI Member

    That's a bit of a bugger; serves me right for not sticking to the default encryption scheme ;)

    Oh well, I'm sure it's something I can get around. Cheers for the info; really appreciate all the work putting OpenVPN in with Tomato, seriously cool stuff!!!
     
  99. patos

    patos Network Guru Member

    Hi!

    I have configured both a client and a server. Is it normal that the client's interface (tap11) won't show in the 24-hour graph? For the record: I did not bridge tap11 with br0 (tap21 is bridged). Could that be it? How can I include tap11 in the 24-hour graph anyhow?

    Btw, no problem on the Realtime Graph...
     
  100. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    How long have you waited? The 24-hour graph should pick it up eventually.

    I did no work to get these interfaces in the graphs. Tomato just picks up all interfaces that are there.
     