
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. patos

    patos Network Guru Member

    That was my first thought, but after some days running tap11 is still not there :-(
     
  2. Chilling_Silence

    Chilling_Silence Addicted to LI Member

    Just thought I'd make another quick post and say thanks!

    I've set up another server on a VPS elsewhere hosting OpenVPN using the default bf-cbc cipher, this one's UDP instead of TCP, and it's working brilliantly!
    No fuss, no messing around, just chucked the keys into the Router and I'm away laughing!
    The Real-time & 24-hour bandwidth graph picked it up immediately (Mind you there's no traffic showing because it's only had <2KB/s vs the 8mbps of the WAN port).
    I'm absolutely stoked, thank you so very much for all the work of putting the firmware together, not to mention all the help you are to the members posting in this thread!
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    New Blog + 1.23vpn3.0000

    This post is to announce two things.

    First, since this thread has gotten so long, I started a blog where I will post new releases and bits of useful information from this forum. So far, I don't have a lot of information there, but it's enough put together to start using it to announce releases. There are RSS/atom feeds that can be used to be notified of future posts.

    Second, a new version, 1.23vpn3.0000, is now released. Please see the blog post for details.

    The release has quite a lot of changes in it and the GUI code is more complicated, so perhaps it would be best to treat this as a testing release until a little time has gone by. This will give people a chance to post problems, if they exist.

    The biggest changes that people should notice are:
    • The GUI is now divided into sections, to cut down on clutter
    • The server status file is now read (via AJAX), parsed, and displayed - this gives quite a bit of useful information
    • Client-specific options (client-config-dir) are now configurable via the GUI. Please let me know if you have problems with this.
    • "service vpnserver1 start" will now behave like the old vpnup.sh script I provided (checks to see if it is already started before doing anything).

    Let me know how it goes (whether good or bad).
     
  4. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Can you upload your newest build to somewhere else?
    I can't access Mediafire or your new blog site.
    Thanks.
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Mirrors:
    tomatovpn-ND-1.23vpn3.0000.7z
    tomatovpn-1.23vpn3.0000.7z

    Are you behind a restrictive firewall and/or proxy? The blog is hosted by Blogger/blogspot/Google, so there's nothing strange there. Everything looks to be up and working to me.

    Is anyone else having problems?
     
  6. kenyloveg

    kenyloveg LI Guru Member

    Excuse me that I'm behind the greatest wall (GFW):redface:
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No problem. I thought that might be it. I just wanted to make sure there wasn't a wider spread problem.

    By the way, do you have a preferred file upload/sharing provider that you have access to?
     
  8. occamsrazor

    occamsrazor Network Guru Member

    So we can replace the 20-ish lines of code establishing the vpnup.sh in the init script, with just "service vpnserver1 start"?

    Thanks for your continued hard work and the new blog...
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, depending on how you want it to behave.

    If you want the VPN server to start up just when the router starts, place
    Code:
    service vpnserver1 start
    in the init script (probably with a "sleep" delay).

    If you want the VPN server to be sure the server is up whenever the WAN comes up (at router boot and on WAN reconnect), instead place it in the WAN Up script.

    If you want to periodically (every 30 minutes in this example) check if the server is up also place
    Code:
    cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"
    in the init script.

    But, whichever way you go, you shouldn't need the lines that generate or call the vpnup.sh script anymore.

    As with the vpnup.sh script, this will print a message to the syslog if the server is already running. However, I refactored the logging in this release as well, and these messages can be avoided (though, I recommend leaving them) by turning down the debug level with this in your init script (or run from the shell and committed)
    Code:
    nvram set vpn_debug="-1"
    Sounds like a good candidate for a blog post...
     
  10. occamsrazor

    occamsrazor Network Guru Member

    Thanks SgtPepper... I'll give it a try tonight. Glad to see this build continuing to develop...
    One other thought I had, don't know how many people would find it useful, or how much work it would be. But I was thinking, as this is a VPN build, whether it might be useful to add a PPTP client such as that found in this mod:

    http://www.linksysinfo.org/forums/showthread.php?t=58883

    ...to give extra options. Or maybe not, was just a thought...
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That is something I have considered, and it may happen in a future version.
     
  12. ratchet

    ratchet Addicted to LI Member

    SgtPepperKSU, I realize you have been inundated with questions in this monumental thread and apologize for yet another. I'd spent about a year periodically attempting to wake my desktop over the internet with my laptop using a magic packet while visiting my children. I'd resigned myself to the fact that because of ARP release shortly after PC shutdown it couldn't be accomplished. Then I ran into a thread on the AnandTech forum and, with help from poster engineer, Tomato and this script:
    sleep 5
    ip neigh change 192.168.1.254 lladdr 01:02:03:04:05:06 nud permanent dev br0
    ip neigh add 192.168.1.254 lladdr 01:02:03:04:05:06 nud permanent dev br0

    Success, and with TeamViewer I can check the house temperature with a web cam and anything else I want to control remotely. However, I believe leaving a port open is not secure (although the chance of an intrusion is minimal). I believe I've read where waking remotely can be accomplished securely with a server. So my question is, can your firmware be used to wake the desktop via WRT54GS as the server and then use TeamViewer? Should your answer be yes prepare yourself for the "how" question. Thank You!
     
  13. occamsrazor

    occamsrazor Network Guru Member

    Just to report updated it all fine, and the new GUI looks very nice and more conveniently laid out. The status info in particular is nice to have. Thanks!
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, let me rephrase what I think you're asking - if I'm off let me know.
    You are using software (TeamViewer) that listens on a port for incoming connections. You'd like to connect to that port without port-forwarding it to the internet (where it can be seen by anyone).

    Yes, that can be accomplished using a VPN (and, thus, this build). You would generate keys via OpenVPN on a computer, enter settings for the VPN server in this firmware's GUI (including the keys generated), and configure an OpenVPN client with the same settings. Then, when you connect the client, you will be able to communicate with any computer on the LAN securely.

    That said, since you are only needing to connect to a single port on a single computer, it would probably be easier to use the port-tunneling features of SSH. You can use the regular Tomato firmware for that, too.
    Just enable Remote SSH in Tomato.
    If you are on Windows, I would suggest PuTTY as your SSH client.
    In PuTTY, when you create a session, there is a Connection->SSH->Tunnels section where you can create a "Local" port forward. Enter your software's port in "Source port" and "<lanip>:<sameport>" as the destination, replacing those with the desired desktop's IP and the software's port.
    After you connect, it is as if the software were running on the client computer itself! You can then access it at localhost:<portnumber>.

    For bonus points, you could generate SSH keys and disable password login to be even more secure. This would give you pretty equivalent security on your communication as with a VPN.

    That might seem complicated, but I think it'd be easier than setting up a VPN just for this. Give setting it up a try, and if you have questions start a new topic here with a title of "SSH port tunneling help" or similar.
     
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Thanks for the update, and I'm glad you like the changes.

    Anybody else try the latest release? There have been a lot of downloads, but I bet there are people waiting until I remove the "testing" disclaimer before upgrading. Has anyone run into any problems with the GUI and/or Client-specific server options (I'm especially interested in the latter since it had significant backend changes as well as GUI)?
     
  16. bigclaw

    bigclaw Network Guru Member

    I'm not sure whether this has been discussed, but I'd like to submit an enhancement request--get rid of the init script requirement and have an "Enable at startup" checkbox for VPN, just like that of the SSH server under Administration|Admin Access.

    I hope it's not hard to implement. Then this will truly be a GUI solution.
     
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That should be doable now that I've made the changes to the start command. I'll probably add that option in the next release (but probably won't make a release just for that).
     
  18. ratchet

    ratchet Addicted to LI Member

    Well not exactly. I send the magic packet, my external ip and mac address to a port I have the router set to port forward to. This wakes the pc. TeamViewer (free for personal use) is enabled to start on the host. Then I start a TV session with the laptop. All of this TV does on its own. Really the only thing I have to do is enter a password to connect to the desktop (host) once I wake it. But really, I'm not going to worry about it because the present system works fine and I also believe I've read where cable ISPs pretty much can prevent most drive by attacks. I just thought if your firmware was easy to configure I'd try it that way. Thank you again!
    http://www.teamviewer.com/index.aspx
     
  19. fyellin

    fyellin LI Guru Member

    Works just fine for me. Some old problems seem to have disappeared. :thumbup: GUI works well, but I don't use the client-specific server options. If I run into any problems, I'll be sure to let you know.

    I do suggest, in the future, that you make announcements like this as a new thread. This thread is getting pretty long.
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, so everything to do with TeamViewer is how you want it (it sets up its own port forwarding via upnp), and you just want to not have to have a permanent port forward for waking the computer up?

    In that case you could use the same SSH method I described before, replacing the port numbers with whatever you need. All it does is make a local port on the SSH client computer automatically forward (over secure SSH) to an address on your LAN. You can use it to secure any port forward.

    If I'm off again, let me know...
     
  21. bigclaw

    bigclaw Network Guru Member

    So presently you use Wake-on-WAN to wake your computer up and then use TeamViewer to establish a remote session between your laptop on the road and your PC at home. Is that correct?

    If so, what are you trying to accomplish additionally (by using this VPN firmware)? I looked at TeamViewer briefly; it seems to provide encryption already. Are you trying to secure the Wake-on-WAN process then?

    It's actually a pretty low risk operation already because there is no password involved. A hacker intercepting your Wake-on-WAN request would know your public IP and the MAC address of your home PC. There's not much they can do except maybe wake the computer up from time to time, assuming the home PC itself is secure, of course.

    I use a dynamic SSH tunnel as a proxy for Firefox on my laptop at work. That way I can log into the router admin page at home and issue a WOL right there. That way, no WAKE-ON-WAN needs to occur, and you can get rid of the port-forward established for that purpose. Even simpler is to enable SSL remote admin. Then you don't need any third-party applications to WOL a PC, but I very much prefer SSH in general.
     
  22. bigclaw

    bigclaw Network Guru Member

    That's not entirely true. You should be able to port-forward to the broadcast address of your LAN; then ARP cache expiration shouldn't be an issue. The broadcast address of a home LAN is usually 192.168.1.255 (replace 192.168.1. with your subnet of course). That way every PC will get your WOL request, but only the PC with the correct MAC address will respond to the request.

    I remember somebody was claiming that having a static DHCP entry linking the MAC address to the IP address should also work around the ARP issue. I don't have any experience with that.

    Anyway, if you simply wish to get rid of the port-forward for good, see my previous post.
     
  23. ratchet

    ratchet Addicted to LI Member

    bigclaw and SgtPepperKSU, thanks for the replies. bigclaw, you make a good point about security risk or lack thereof. Given that I'm 61 with limited skills I guess I'll go with "If it ain't broke, don't fix it!" Hell, like I said, it took a year to get this system to work.
     
  24. redcow

    redcow LI Guru Member

    just upgraded to the new version, everything works great, the gui upgrade is really nice :)
     
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay. I think there have been enough downloads with no reports of problems that I'm going to remove my previous "testing" disclaimer, so...

    TomatoVPN 1.23vpn3.0000 is ready for mass consumption. Follow that link and download/flash away!
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I also just realized that I haven't spelled out the benefits of using the client-specific options introduced in this release, so I've made a post about it on the blog.

    Summary:
     
  27. dalamarek

    dalamarek Guest

    Hello.

    Great work SgtPepperKSU. Thank you for your hard work.

    Is there any tutorial on how to configure and start the VPN server in your mod? I suppose that on all Linux systems the steps are the same, but maybe someone could point me to a site with a nice tutorial for setting up a VPN server on Tomato.

    I tried to find something in those 63 pages but this is too hard for me, so I'm hoping someone could help.
     
  28. dougisfunny

    dougisfunny LI Guru Member

    I had a feature request, and I don't know if it has been mentioned before, as there are way too many pages to read for that.

    But anyway, if it would be possible to have a check box for each of the VPNs to "Enable at Startup" like the SSH server for the router. Such that it doesn't go off the last remembered state, but the check box on startup.

    Like I said, it's not a big deal, just I was switching from using roadkill's mod to this mod on a remote router, and I was VPNed into it, I set up the server, and then deleted the scripts from the Admin scripts, and rebooted. In this situation, the Enable at Startup would have allowed a seamless change where now I have to wait for someone from there to come back online.
     
  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, that's been requested (most recently just a dozen posts ago), and it's planned for the next release.
    However, with any of the releases, you could have just placed a "sleep 10;service vpnserver1 start" in your init script (as suggested in the README), and your transition would have been seamless as you describe.
     
  30. dougisfunny

    dougisfunny LI Guru Member

    I started reading the thread from the beginning forward, not the end backward before I gave that up.
    As for the readme... that would imply I read the readme files that go with things..... which I didn't since it wasn't in the 7z file and the mediafire download service is obnoxious.

    On that note, do you get any stats on how much bandwidth gets used on that? I'd be willing to donate some web space as a mirror if you can keep it under a couple terabytes per month.
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No worries. It wasn't meant as criticism, just an FYI that might help others considering doing the same as you.
    Another user actually just provided some space that I will use for future releases. Thanks for the offer, though.
     
  32. dougisfunny

    dougisfunny LI Guru Member

    Maybe I'll read the read me next time around then ;)
     
  33. srouquette

    srouquette Network Guru Member

    I updated from vpn 2.0005, and now I have this error:
    Code:
    daemon.err openvpn[556]: event_wait : Interrupted system call (code=4)
    
    the Tomato client doesn't seem to connect (it's still on 2.0005); do you have an idea where the problem is?
    I only updated the firmware, I didn't change any option yet.
     
  34. movd

    movd Guest

    Hey guys, I just installed the VPN Mod and nearly got it to work.
    But my clients don't get an IP assigned via DHCP.
    I want to run my server in Bridged Mode.

    My Server Config:
    [screenshot of the server config, not preserved]

    My Client Config:
    Code:
    dev tap
    remote *myhost*
    tls-client
    ca ca.crt
    cert client1.crt
    key client1.key
    port 1194
    comp-lzo
    verb 0
    mute 10
    When typing "ifconfig tap0" in the Terminal, it looks like this:
    Code:
    ifconfig tap0
    tap0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    	ether ce:d0:c0:cd:2e:52 
    	open (pid 1818)
    
    I'm running Mac OS X with Tunnelblick.
    Awesome job with this Mod, never got this far with DD-WRT! Looks like it's just a final step for me to get it done.

    EDIT:

    Just solved my problem!
    I had to create a shell script which tells Tunnelblick to directly set tap0 to DHCP.

    Found it here http://www.dd-wrt.com/phpBB2/viewtopic.php?t=5058&highlight=openvpn+mac+clients
     
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That is not an error. That will appear whenever the server status is refreshed in the GUI (including when the page is first loaded) because I'm sending a signal to the openvpn process to get it to update the status file.

    You'll need to find the real error message before I can help debug.
     
  36. Ezrem

    Ezrem LI Guru Member

    I loaded 1.23vpn3.0000 on my router, installed my keys.

    When I first tried to connect, my client did nothing but time out. A little research caused me to believe the port wasn't open on the firewall, so I manually opened it.

    Next, I get the following messages when trying to connect:

    This message comes from Viscosity, an OSX OpenVPN client: Tue Mar 24 16:17:48 2009: TCP/UDP: Incoming packet rejected from [redacted]:1024[2]

    This message comes from Tunnelblick, another client: Tue 03/24/09 04:16 PM: expected peer address: [redacted]:1194 (allow this incoming source address/port by removing --remote or adding --float)

    I even tried disabling my OSX firewall for testing. No dice.
     
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What port are you trying to use? Are you sure the port setting is the same in the server and all clients? Could you try to use another port (it could be getting blocked)?
     
  38. fyellin

    fyellin LI Guru Member

    I've got two servers set up on my router, one running UDP and one running TCP, with the same parameters (but a different DHCP range). I've noticed that lots of hot spots and hotels block UDP, when they don't block TCP. You might want to try TCP to see if you have better luck.

    I've also had difficulty running VPN from within the LAN that I'm trying to connect to. I had to go to a nearby Starbucks to make sure everything was set up correctly. (I'd use ssh tunneling to modify settings on my router, as necessary)
     
  39. dougisfunny

    dougisfunny LI Guru Member

    So I was wondering, with the new client specific options, is it possible to use TAP for a full bidirectional site to site VPN? I'm having issues getting that going.
     
  40. dougisfunny

    dougisfunny LI Guru Member

    Also, I noticed an interesting idiosyncrasy, which may be intended. If a VPN Server is running, you aren't allowed to edit the client specific options, except to delete them on either of the VPN servers. So if you are VPNed into a router, you can't configure the other VPN to use client specific options, even if that one is disabled.
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If each end of the tunnel shares a subnet, then you shouldn't need the client-specific options to achieve bidirectional site-to-site. If the subnets aren't the same, then sure, this would help - but you should consider using TUN instead.
     
  42. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That is definitely not intended and is not something I'm seeing. What browser are you using? If you reload the page, does it work? I suppose there could be something to do with the server status display that is conflicting with the table. But, again, I'm not seeing that behavior here, so I'll need you to do a lot of the debugging.

    EDIT: I just thought of an experiment to try. Have the server stopped, open the GUI, and ensure that the table is functional. Then ssh/telnet into the router and start the server (service vpnserver1 start). Don't reload the page, but go to the status tab and hit refresh. Does the table become dysfunctional again?
     
  43. philr

    philr Addicted to LI Member

    OpenVPN client attempts to connect to DMZ host when enabled

    First and foremost: SgtPepperKSU - thank you for this excellent mod of the Tomato firmware.

    The only issue I am having is when I put a host in the DMZ (my Nintendo Wii) and enable the DMZ the OpenVPN client is always directed to the DMZ host instead of the OpenVPN server. I have SSH and HTTPS enabled for remote access while I troubleshoot my setup. Neither of those is redirected to the DMZ host when enabled.

    IP info:
    Linksys AP: 192.168.1.1
    DMZ: 192.168.1.10

    What I have noticed in iptables is that the automatic firewall rule generated by the mod is an any to any rule on port 1194. (output truncated for readability)
    # iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT udp -- anywhere anywhere udp dpt:1194
    ACCEPT tcp -- anywhere *router*.dyndns.org tcp dpt:https
    ACCEPT tcp -- anywhere *router*.dyndns.org tcp dpt:ssh
    ...

    Is there a way to make the rule to only allow the OpenVPN connection(s) to the router's public IP address (like the HTTPS and SSH) instead of any to any?

    I've turned up Connection Logging to show accepted connections.

    When the DMZ is enabled this is what I see in the logs for the OpenVPN connection:

    Mar 25 10:33:23 *router* user.warn kernel: ACCEPT IN=vlan1 OUT=br0 SRC=2.2.2.2 DST=172.23.1.10 LEN=42 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=1775 DPT=1194 LEN=22

    and the OpenVPN client never connects.

    When I disable the DMZ this is what I see in the logs:

    Mar 25 10:36:15 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 Re-using SSL/TLS context
    Mar 25 10:36:15 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 LZO compression initialized
    Mar 25 10:36:15 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 25 10:36:15 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mar 25 10:36:15 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 TLS: Initial packet from 2.2.2.2:4863, sid=bf15f896 57dbe261
    Mar 25 10:36:16 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 VERIFY OK: depth=1, /C=US/ST=ST/L=City/O=PhilR/CN=*router*.dyndns.org/Email=user@domain.com
    Mar 25 10:36:16 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 VERIFY OK: depth=0, /C=US/ST=ST/O=PhilR/CN=client5/Email=user@domain.com
    Mar 25 10:36:17 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 25 10:36:17 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 25 10:36:17 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 25 10:36:17 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 25 10:36:17 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Mar 25 10:36:17 *router* daemon.notice openvpn[600]: 2.2.2.2:4863 [client5] Peer Connection Initiated with 2.2.2.2:4863
    Mar 25 10:36:19 *router* daemon.notice openvpn[600]: client5/2.2.2.2:4863 PUSH: Received control message: 'PUSH_REQUEST'
    Mar 25 10:36:19 *router* daemon.notice openvpn[600]: client5/2.2.2.2:4863 SENT CONTROL [client5]: 'PUSH_REPLY,route-gateway 172.23.1.1,ping 15,ping-restart 60,ifconfig 172.23.1.9 255.255.255.240' (status=1)
    Mar 25 10:36:19 *router* daemon.notice openvpn[600]: client5/2.2.2.2:4863 MULTI: Learn: 76:b8:54:be:1d:11 -> client5/2.2.2.2:4863

    and the OpenVPN client connects.

    I'm guessing this is the nature of the DMZ feature. If so, is there any work around so that I can have a host in the DMZ and be able to OpenVPN?

    Thanks.

    Phil
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I had not considered or tested that situation. :oops: Sounds like I need to change the iptables rules that my code generates. I'll look into the rules that are used for remote SSH and try and do similar.

    Unfortunately, I can't think of any way for you to reasonably workaround this in the meantime. I made the unfortunate choice to have the VPN firewall rules run _after_ the Firewall script entered in the GUI, so you can't even override it there...
    I suppose you could start the server, SSH/telnet to the router, change the rules in /etc/openvpn/server1-fw.sh (I think you may need to just add a "-d <lan_ip>" to the rule), and restart the firewall (service firewall restart). This should fix it until the next time the VPN server is started (such as a router reboot).

    Sorry for any inconvenience this has caused.
     
  45. philr

    philr Addicted to LI Member

    It has not been an inconvenience. It has been a great learning experience for me.

    I tried editing the /etc/openvpn/server1-fw.sh script, restarting the firewall (it then has an any to *router*.dyndns.org) and my OpenVPN client cannot connect at all to the server.

    I enabled connection logging for "blocked by firewall" and this is what I see:
    Mar 25 12:31:17 *router* user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=2.2.2.2 DST=*MY_PUBLIC_IP* LEN=42 TOS=0x00 PREC=0x40 TTL=55 ID=0 DF PROTO=UDP SPT=39388 DPT=1194 LEN=22

    Somehow the DST needs to be the IP of my router (192.168.1.1) and not the public IP.

    This is a line from the log with connection logging enabled for "allowed by firewall":
    Mar 25 12:40:58 *router* user.warn kernel: ACCEPT IN=ppp0 OUT= MAC= SRC=2.2.2.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x40 TTL=55 ID=48943 DF PROTO=TCP SPT=47096 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0038BAD70000000001030305)

    Notice that the DST is the internal address of the router, not the public address?

    I have no idea how the remote HTTPS and SSH work properly as I do not have any port forwards enabled for those.

    If you need something else to assist you please let me know.

    Phil
     
  46. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Did you try changing the "-d <lan_ip>" to "-d <wan_ip>"? If that doesn't work you could leave that line as <lan_ip> and add a line similar to
    Code:
    iptables -A PREROUTING -p udp -d `nvram get wan_ipaddr` --dport 1194 -j DNAT --to-destination `nvram get lan_ipaddr`:1194
    No guarantees, though, as I'm learning as I go along as well. However, I think those two lines are how the router does it with SSH.
     
  47. dougisfunny

    dougisfunny LI Guru Member

    I've tried it in IE and Firefox, I'll try your experiment when I get back from dinner.
     
  48. dougisfunny

    dougisfunny LI Guru Member

    I tried your experiment, and doing service vpnserver1 start and hitting refresh on the status page does disable the ability to add/edit client-specific entries.
     
  49. dougisfunny

    dougisfunny LI Guru Member

    Also tried it on a fresh install where I erased the nvram, in Firefox and Safari and I got the same behavior.
     
  50. fyellin

    fyellin LI Guru Member

    I confirmed a similar problem. I ssh'ed to my router and logged into the GUI using a tunnel. When neither server was running, I could easily change client options. Once I started server1 (using the GUI), the "add" button would no longer work for either server.
     
  51. dougisfunny

    dougisfunny LI Guru Member

    You'll also notice that if you had one already there and click to edit it, it won't let you hit OK.
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Thanks guys. From your descriptions, I was able to find the problem. I simply forgot to declare a javascript variable as local in the status parsing code and it overrode a global prototype. The fix is simple, and I'll see what I can do about getting an updated release some time in the next few days.
     
  53. dougisfunny

    dougisfunny LI Guru Member

    I'm good at breaking things.
     
  54. philr

    philr Addicted to LI Member

    I tried changing the <lan_ip> to <wan_ip> and that worked.

    Adding the other line did not. I get the error as indicated below.
    # iptables -A PREROUTING -p udp -d 2.2.2.2 --dport 1194 -j DNAT --to-destination 192.168.1.1:1194
    iptables: No chain/target/match by that name

    What I find interesting is that when I use the <lan_ip> the rule in the firewall is
    ACCEPT udp -- anywhere *router*.dyndns.org udp dpt:1194
    ACCEPT tcp -- anywhere *router*.dyndns.org tcp dpt:https
    ACCEPT tcp -- anywhere *router*.dyndns.org tcp dpt:ssh

    and when I use the <wan_ip> the rule in the firewall is
    ACCEPT udp -- anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net udp dpt:1194
    ACCEPT tcp -- anywhere *router*.dyndns.org tcp dpt:https
    ACCEPT tcp -- anywhere *router*.dyndns.org tcp dpt:ssh

    If you figure something out great. I wish I could help you more but I have no clue as how to look at the source code and figure anything out.

    Thanks again for all your great work with this firmware and your assistance is truly appreciated.

    Phil
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The only reason that prerouting dnat is used is because the port numbers can be different on WAN vs LAN access for SSH, telnet, and web admin. Since the port number is the same for VPN, it shouldn't be necessary and I'm not going to take time to debug why it didn't work. Especially since it worked fine just adding a -d <wan_ip> to the other rule.

    The reason why the rules look different is because the other rules use the LAN ip instead of the WAN ip.

    I hope to make a release in the next few days, and I'll try to get this fix in there.
     
  56. philr

    philr Addicted to LI Member

    I understand why the rules look different but I guess what I don't understand is that the dyndns.org IP address should be the same as the <wan_ip>. That is what I use to connect by HTTPS and SSH.

    Truly the problem is getting the OpenVPN connection to the server when the DMZ is enabled. (Which still does not work with the updated firewall rule using the <wan_ip>. It still sends the OpenVPN connection to whatever IP is listed as being the DMZ host.)

    Somewhere in the code it knows to send the remote HTTPS and SSH to the router/ap. Could it be because they are using different WAN ports (8080 and 2222) and redirecting to the LAN ports (443 and 22) and the code is doing something automagically?
     
  57. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, when you said "I tried changing the <lan_ip> to <wan_ip> and that worked", I thought you meant that it worked like you wanted it to. What did you mean by it worked?

    I'll try and get the rules to work like with SSH.
     
  58. philr

    philr Addicted to LI Member

    Sorry. I should have been more clear.

    It worked as in that instead of having an any to any connection it is an any to host firewall rule which is preferable. I actually forgot to turn the DMZ back on (hence my second post about it not working with the DMZ on).

    If there is anything I can do to try and help figure it out please let me know.
     
  59. Ezrem

    Ezrem LI Guru Member

    I ended up downgrading to 1.23vpn2.0006, which would let me connect.

    One of my routers is now working swimmingly. A second at another site gives this:

    Thu Mar 26 15:45:23 2009: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Thu Mar 26 15:45:23 2009: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Mar 26 15:45:23 2009: LZO compression initialized
    Thu Mar 26 15:45:26 2009: Attempting to establish TCP connection with [redacted]:1194 [nonblock]
    Thu Mar 26 15:45:27 2009: TCP connection established with [redacted]:1194
    Thu Mar 26 15:45:27 2009: TCPv4_CLIENT link local: [undef]
    Thu Mar 26 15:45:27 2009: TCPv4_CLIENT link remote: [redacted]:1194
    Thu Mar 26 15:45:33 2009: [bigbasslures] Peer Connection Initiated with [redacted]:1194
    Thu Mar 26 15:45:35 2009: WARNING: Since you are using --dev tap
    Thu Mar 26 15:45:35 2009: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Thu Mar 26 15:45:35 2009: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
    Thu Mar 26 15:45:35 2009: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Thu Mar 26 15:45:35 2009: OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.8.0.1
    Thu Mar 26 15:45:35 2009: TUN/TAP device /dev/tap0 opened
    Thu Mar 26 15:45:35 2009: /sbin/ifconfig tap0 delete
    Thu Mar 26 15:45:35 2009: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
    Thu Mar 26 15:45:35 2009: /sbin/ifconfig tap0 10.8.0.6 netmask 10.8.0.5 mtu 1500 up
    Thu Mar 26 15:45:35 2009: /Applications/Viscosity.app/Contents/Resources/dnsup.py tap0 1500 1576 10.8.0.6 10.8.0.5 init
    Thu Mar 26 15:45:35 2009: Initialization Sequence Completed

    Both connections are configured identically on my laptop in Viscosity, an OpenVPN GUI front-end.
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Strange. The only relevant difference was that I reupgraded from OpenVPN 2.1rc13 to OpenVPN 2.1rc15.

    Well, I would have to think something is different between the two routers. Have you tried adding a route-gateway directive as the error suggests?
     
  61. Ezrem

    Ezrem LI Guru Member

    I would have done so happily, if I had any idea what the gateway should be... :)
     
  62. Ezrem

    Ezrem LI Guru Member

    I should mention, there are differences between the routers, but not differences that should matter:

    One is a Linksys WRT54GL, one is an ASUS WL-520GU.
    The Linksys has QoS enabled, the ASUS does not.
    The Linksys has wireless disabled, the ASUS does not.
     
  63. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try adding this to the client config:
    Code:
    route-gateway <server_lan_ip>
    And, just to double-check: you did clear nvram after you upgraded to 1.23vpn3.0000, right?
     
  64. Ezrem

    Ezrem LI Guru Member

    Tried that, testing with both the actual LAN IP and 10.8.0.1. No go either time. The message about not having a gateway doesn't pop up, though!
     
  65. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Wait. You were using TAP, right? Where are you getting 10.8.0.1 if it isn't the LAN IP of the router?
    Could you provide the output of
    Code:
    route -n
    on your laptop after you're connected?
     
  66. Ezrem

    Ezrem LI Guru Member

    Yes, using TAP. Are you missing some arguments in that command line? route -n doesn't return anything.

    Do you perhaps mean a netstat -r?
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    However you get the routing table on your client. I don't have a Mac.
     
  68. Ezrem

    Ezrem LI Guru Member

    First, the working router
    Code:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.70.1       UGSc       17      102    en1
    10.8.0.1/32        10.8.0.5           UGSc        0        0   tun0
    10.8.0.5           10.8.0.6           UH          2        0   tun0
    169.254            link#6             UCS         0        0    en1
    172.16.129/24      link#8             UC          2        0 vmnet8
    172.16.129.128     0:c:29:82:90:f0    UHLW        0        0 vmnet8   1093
    172.16.129.255     ff:ff:ff:ff:ff:ff  UHLWb       0        9 vmnet8
    192.168.0          10.8.0.5           UGSc        0        0   tun0
    192.168.70         link#6             UCS         2        0    en1
    192.168.70.1       0:18:fe:27:ad:a9   UHLW       16        8    en1    447
    192.168.70.255     ff:ff:ff:ff:ff:ff  UHLWb       0        9    en1
    192.168.203        link#9             UC          1        0 vmnet1
    192.168.203.255    ff:ff:ff:ff:ff:ff  UHLWb       0        9 vmnet1
    
    Second, the broken one
    Code:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.70.1       UGSc       10      109    en1
    10.8.0.4&0xa080005 link#12            UC          0        0   tap0
    169.254            link#6             UCS         0        0    en1
    172.16.129/24      link#8             UC          1        0 vmnet8
    172.16.129.255     ff:ff:ff:ff:ff:ff  UHLWb       1        3 vmnet8
    192.168.70         link#6             UCS         2        0    en1
    192.168.70.1       0:18:fe:27:ad:a9   UHLW        1        0    en1   1197
    192.168.70.115     2o7.net            UHS         0        0    lo0
    192.168.203        link#9             UC          1        0 vmnet1
    192.168.203.255    ff:ff:ff:ff:ff:ff  UHLWb       0        1 vmnet1
    
    The 10.8.0.4&0xa080005 business is very confusing to me.
     
  69. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, you said you had them configured the same, but it appears one is using TAP and the other TUN. If TAP vs TUN is mismatched between client and server it can cause strange things (and it certainly won't work right). Could you double check that?

    By the way, unless you have a specific need for TAP I suggest TUN.
     
  70. Ezrem

    Ezrem LI Guru Member

    Agh, I was tinkering, sorry. Flipped the broken one to TAP at both ends just to test to see if I could get any further.

    The actual routes:

    Code:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    0/1                10.8.1.5           UGSc        0        0   tun0
    default            192.168.70.1       UGSc       18      145    en1
    10.8/29            10.8.0.5           UGSc        0        0    en1
    10.8.1.1/32        10.8.1.5           UGSc        0        0   tun0
    10.8.1.5           10.8.1.6           UH          6        0   tun0
    67.148.108.23/32   192.168.70.1       UGSc        1        8    en1
    128.0/1            10.8.1.5           UGSc        2        0   tun0
    169.254            link#6             UCS         0        0    en1
    172.16.129/24      link#8             UC          2        0 vmnet8
    172.16.129.128     0:c:29:82:90:f0    UHLW        0        0 vmnet8   1087
    172.16.129.255     ff:ff:ff:ff:ff:ff  UHLWb       0        6 vmnet8
    192.168.1          10.8.1.5           UGSc        0        0   tun0
    192.168.70         link#6             UCS         2        0    en1
    192.168.70.1       0:18:fe:27:ad:a9   UHLW        2        0    en1    940
    192.168.70.255     ff:ff:ff:ff:ff:ff  UHLWb       1        8    en1
    192.168.203        link#9             UC          1        0 vmnet1
    192.168.203.255    ff:ff:ff:ff:ff:ff  UHLWb       0        6 vmnet1
    
    And now, miraculously, it's working! I must have had one end or the other set wrong every time, but I really can't believe that I'd do that. Do I ever feel sheepish now.
     
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! I'm glad it's working. But, just to clarify, those routes show you're using TUN.
     
  72. Ezrem

    Ezrem LI Guru Member

    Yep! TUN is what I wanted all along.

    Thanks for the great mod.
     
  73. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think I found what was wrong with the iptables command, could you start the server and try running (I assume UDP on port 1194 here):
    Code:
    iptables -D INPUT -p udp --dport 1194 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp -d `nvram get wan_ipaddr` --dport 1194 -j DNAT --to-destination `nvram get lan_ipaddr`:1194
    iptables -I INPUT -p udp -d `nvram get lan_ipaddr` --dport 1194 -j ACCEPT  
    
    (just from the shell, not modifying the scripts).

    I think this should make it just like SSH/telnet/web-admin. I hope you (or someone else willing to test) are able to test this. I'd like to fix this in the next release, and I'd like to do that in the next couple days.
     
  74. philr

    philr Addicted to LI Member


    I can add those three (3) lines without an issue and when I iptables -L I get:
    # iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT udp -- anywhere *router*.dyndns.org udp dpt:1194

    However I still cannot connect. It is still trying to send it to whatever host I have enabled in the DMZ.

    Is there a way to use a different port on the WAN and forward it to the router on 1194?
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    To have it listen to a different external port, just change the --dport to another port (you'll either need to delete the rules you already tried or reboot before you can test this). However, I don't see how that would fix anything.
    Could you compare the rules for ssh and vpn with
    Code:
    iptables -t nat -vL;iptables -vL
    to see if there are differences?
     
  76. philr

    philr Addicted to LI Member

    This is the _entire_ output from the commands (public IP and DDNS changed for security):
    # iptables -t nat -vL;iptables -vL
    Chain PREROUTING (policy ACCEPT 39 packets, 5750 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP 0 -- ppp+ any anywhere 192.168.1.0/27
    0 0 DNAT icmp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net to:192.168.1.1
    0 0 DNAT tcp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net tcp dpt:webcache to:192.168.1.1:443
    0 0 DNAT tcp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net tcp dpt:2222 to:192.168.1.1:22
    0 0 upnp 0 -- ppp+ any anywhere anywhere
    0 0 DNAT 0 -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net to:192.168.1.10
    0 0 DNAT udp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net udp dpt:1194 to:192.168.1.1:1194

    Chain POSTROUTING (policy ACCEPT 11 packets, 3168 bytes)
    pkts bytes target prot opt in out source destination
    28 1438 MASQUERADE 0 -- any ppp+ anywhere anywhere

    Chain OUTPUT (policy ACCEPT 16 packets, 3502 bytes)
    pkts bytes target prot opt in out source destination

    Chain upnp (1 references)
    pkts bytes target prot opt in out source destination
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- any any anywhere *router*.dyndns.org udp dpt:1194
    0 0 DROP 0 -- br0 any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net
    0 0 DROP 0 -- any any anywhere anywhere state INVALID
    272 20851 ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
    85 28350 ACCEPT 0 -- br0 any anywhere anywhere
    2 142 ACCEPT 0 -- lo any anywhere anywhere
    0 0 logaccept tcp -- any any anywhere *router*.dyndns.org tcp dpt:https
    0 0 logaccept tcp -- any any anywhere *router*.dyndns.org tcp dpt:ssh
    0 0 ACCEPT 0 -- tap21 any anywhere anywhere

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT 0 -- br0 br0 anywhere anywhere
    0 0 DROP 0 -- any any anywhere anywhere state INVALID
    69 3312 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1453:65535 TCPMSS set 1452
    67 3621 ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 wanin 0 -- ppp+ any anywhere anywhere
    67 3216 wanout 0 -- any ppp+ anywhere anywhere
    67 3216 ACCEPT 0 -- br0 any anywhere anywhere
    0 0 upnp 0 -- ppp+ any anywhere anywhere
    0 0 logaccept 0 -- any br0 anywhere Wii.dyndns.org
    0 0 ACCEPT 0 -- tap21 any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 268 packets, 55403 bytes)
    pkts bytes target prot opt in out source destination

    Chain logaccept (3 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG 0 -- any any anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-options ip-options prefix `ACCEPT '
    0 0 ACCEPT 0 -- any any anywhere anywhere

    Chain upnp (1 references)
    pkts bytes target prot opt in out source destination

    Chain wanin (1 references)
    pkts bytes target prot opt in out source destination

    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination
    #
     
  77. philr

    philr Addicted to LI Member

    I was looking at the logs and noticed the following:

    *** This is my OpenVPN client trying to connect the VPNServer on the router
    Mar 30 09:25:24 *router* user.warn kernel: ACCEPT IN=ppp0 OUT=br0 SRC=2.2.2.2 DST=192.168.1.10 LEN=42 TOS=0x00 PREC=0x40 TTL=54 ID=0 DF PROTO=UDP SPT=17516 DPT=1194 LEN=22
    *** This is my Firefox client connecting to the webserver of the router
    Mar 30 09:25:37 *router* user.warn kernel: ACCEPT IN=ppp0 OUT= MAC= SRC=2.2.2.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x40 TTL=55 ID=22081 DF PROTO=TCP SPT=18156 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A001131500000000001030305)

    Notice on the OpenVPN redirection the OUT=br0 and on the web redirection the OUT=

    I have tried using TCP instead of UDP. Does not seem to make a difference.
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you try changing the -A to a -I? Then the vpn rule should show up at the top of the PREROUTING table, rather than at the bottom (after what appears to be the DMZ rule).
     
  79. philr

    philr Addicted to LI Member

    iptables -D INPUT -p udp --dport 1194 -j ACCEPT
    iptables -t nat -I PREROUTING -p udp -d 2.2.2.2 --dport 1194 -j DNAT --to-destination 192.168.1.1:1194
    iptables -I INPUT -p udp -d 192.168.1.1 --dport 1194 -j ACCEPT

    # iptables -t nat -vL;iptables -vL
    Chain PREROUTING (policy ACCEPT 3 packets, 144 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net udp dpt:1194 to:192.168.1.1:1194
    0 0 DROP 0 -- ppp+ any anywhere 192.168.1.0/27
    0 0 DNAT icmp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net to:192.168.1.1
    0 0 DNAT tcp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net tcp dpt:webcache to:192.168.1.1:443
    0 0 DNAT tcp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net tcp dpt:2222 to:192.168.1.1:22
    2 96 upnp 0 -- ppp+ any anywhere anywhere

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    1 48 MASQUERADE 0 -- any ppp+ anywhere anywhere

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain upnp (1 references)
    pkts bytes target prot opt in out source destination
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- any any anywhere *router*.dyndns.org udp dpt:1194
    0 0 DROP 0 -- br0 any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net
    0 0 logdrop 0 -- any any anywhere anywhere state INVALID
    56 4226 ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT 0 -- br0 any anywhere anywhere
    1 72 ACCEPT 0 -- lo any anywhere anywhere
    0 0 logaccept tcp -- any any anywhere *router*.dyndns.org tcp dpt:https
    0 0 logaccept tcp -- any any anywhere *router*.dyndns.org tcp dpt:ssh
    2 96 logdrop 0 -- any any anywhere anywhere
    0 0 ACCEPT 0 -- tap21 any anywhere anywhere

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT 0 -- br0 br0 anywhere anywhere
    0 0 DROP 0 -- any any anywhere anywhere state INVALID
    2 96 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1453:65535 TCPMSS set 1452
    0 0 ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 wanin 0 -- ppp+ any anywhere anywhere
    2 96 wanout 0 -- any ppp+ anywhere anywhere
    2 96 ACCEPT 0 -- br0 any anywhere anywhere
    0 0 upnp 0 -- ppp+ any anywhere anywhere
    0 0 ACCEPT 0 -- tap21 any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 54 packets, 8638 bytes)
    pkts bytes target prot opt in out source destination

    Chain logaccept (2 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG 0 -- any any anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-options ip-options prefix `ACCEPT '
    0 0 ACCEPT 0 -- any any anywhere anywhere

    Chain logdrop (2 references)
    pkts bytes target prot opt in out source destination
    2 96 LOG 0 -- any any anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-options ip-options prefix `DROP '
    2 96 DROP 0 -- any any anywhere anywhere

    Chain logreject (0 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG 0 -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level warning tcp-options ip-options prefix `REJECT '
    0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset

    Chain upnp (1 references)
    pkts bytes target prot opt in out source destination

    Chain wanin (1 references)
    pkts bytes target prot opt in out source destination

    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination
    #


    *** WITH DMZ ENABLED ***
    Mar 30 12:12:55 *router* daemon.notice openvpn[5562]: 3.3.3.3:21067 Re-using SSL/TLS context
    Mar 30 12:12:55 *router* daemon.notice openvpn[5562]: 3.3.3.3:21067 LZO compression initialized
    Mar 30 12:12:55 *router* daemon.notice openvpn[5562]: 3.3.3.3:21067 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 12:12:55 *router* daemon.notice openvpn[5562]: 3.3.3.3:21067 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mar 30 12:12:55 *router* daemon.notice openvpn[5562]: 3.3.3.3:21067 TLS: Initial packet from 3.3.3.3:21067, sid=b910c06e c168575d
    Mar 30 12:13:55 *router* daemon.err openvpn[5562]: 3.3.3.3:21067 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 30 12:13:55 *router* daemon.err openvpn[5562]: 3.3.3.3:21067 TLS Error: TLS handshake failed
    Mar 30 12:13:55 *router* daemon.notice openvpn[5562]: 3.3.3.3:21067 SIGUSR1[soft,tls-error] received, client-instance restarting

    *** WITH DMZ DISABLED ***
    Mar 30 12:16:01 *router* daemon.notice openvpn[5562]: MULTI: multi_create_instance called
    Mar 30 12:16:01 *router* daemon.notice openvpn[5562]: 3.3.3.3:23609 Re-using SSL/TLS context
    Mar 30 12:16:01 *router* daemon.notice openvpn[5562]: 3.3.3.3:23609 LZO compression initialized
    Mar 30 12:16:01 *router* daemon.notice openvpn[5562]: 3.3.3.3:23609 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 12:16:01 *router* daemon.notice openvpn[5562]: 3.3.3.3:23609 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mar 30 12:16:01 *router* daemon.notice openvpn[5562]: 3.3.3.3:23609 TLS: Initial packet from 3.3.3.3:23609, sid=2533ec15 ac8fcefa
    Mar 30 12:17:01 *router* daemon.err openvpn[5562]: 3.3.3.3:23609 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 30 12:17:01 *router* daemon.err openvpn[5562]: 3.3.3.3:23609 TLS Error: TLS handshake failed
    Mar 30 12:17:01 *router* daemon.notice openvpn[5562]: 3.3.3.3:23609 SIGUSR1[soft,tls-error] received, client-instance restarting


    Definitely making progress. However with these three rules the OpenVPN client does not connect even when the DMZ is disabled.
     
  80. bigclaw

    bigclaw Network Guru Member

    Hi, sorry if this has been answered somewhere, but with the latest build (3000), what do I have to do to periodically restart the VPN server? Is a custom script still needed to be scheduled?

    Thanks.
     
  81. fyellin

    fyellin LI Guru Member

    With newer builds, you can use
    service vpnserver1 start
    which will start VPN Server 1 if it is not currently running. You can also use this command in a cron job, e.g.
    cru a CheckVpnServer "*/30 * * * * service vpnserver1 start"

    to check your server every thirty minutes. Obviously use whichever of vpnserver1, vpnserver2, vpnclient1, vpnclient2 is appropriate.
     
  82. jiml

    jiml Addicted to LI Member

    Ok, I have read through a bunch of pages. I have read a lot of the openvpn documentation but I am still having trouble getting a simple setup done.

    I want to setup the openvpn on my router to accept clients and have all traffic flow over the VPN. Here is my setup.

    Tomato running the latest with openvpn gui.

    Server Config in the GUI:

    TAP
    UDP
    80
    Firewall Automatic
    TLS
    disabled
    DHCP checked

    I have tried to connect from a mac using Viscosity and the openvpn gui on windows. Both systems are able to connect (receive an ip) but no traffic flows over the VPN.

    What setting am I missing on the server side and client side? Since viscosity has a setting to send all the traffic over the VPN, I assume I am missing something on the server side. But for windows what do I need to put in the client config to get all the traffic to flow over the VPN?

    I appreciate any help you can provide.
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Two more things to try (even if the first one works, please try both):
    • Same as the last try, but with
      Code:
      local br0
      in your Custom Configuration
    • Place
      Code:
      iptables -t nat -I INPUT -p udp --dport 1194 -j ACCEPT
      in your Firewall script, change the firewall setting of the VPN server to "Custom" and reboot the router (starting the server after it reboots)?

    The first is to test if OpenVPN is getting confused by us NATing between two interfaces that it is listening on. The second attempts to get rid of the NATing altogether by trying to get the original firewall rule in before the DMZ rule.
     
  84. philr

    philr Addicted to LI Member

    Neither of the commands work:
    When I do the local br0 in the custom configuration I get in the log:
    Mar 30 16:00:33 *router* daemon.err openvpn[5902]: RESOLVE: Cannot resolve host address: br0: [HOST_NOT_FOUND] The specified host is unknown.

    The firewall command does not add anything to iptables. When I try from the command line I get an error.
    # iptables -t nat -I INPUT -p udp --dport 1194 -j ACCEPT
    iptables: No chain/target/match by that name
     
  85. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Doh!
    Let's try that again:
    1. Code:
      local 192.168.1.1
    2. Code:
      iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
     
  86. ng12345

    ng12345 LI Guru Member

    it is unfortunate that so much of this thread is devoted to troubleshooting -- I guess there is an inverse relationship between how many features/ how open a software is and how easy it is to use / set up. It is really great that SgtPepperKSU is willing to donate so much time to this project.

    I was looking for dual-wan support within tomato and stumbled across this thread:
    http://www.linksysinfo.org/forums/showthread.php?t=60917&highlight=dual+wan&page=3

    looks like some guys in china have put together a mod that allows for 2 wan's. there is documentation of this in dd-wrt already.

    I was wondering if you, sgtpepper, have looked at these implementations and thought about putting it into your firmware (or at least getting it into the git repository)?

    * seems like it would be crucial to those using tomato + openvpn in a business environment (load balancing / internet redundancy) *
     
  87. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's why I created the blog. To strip out the support and just have what might be interesting to a wider audience. Eventually, I'll put a quick-start guide, etc, I just haven't gotten around to it yet.
    Unfortunately, I have not looked into that. I personally don't have the need for dual internet connections, so it wouldn't make much sense to buy another one just to do testing of a feature I won't use. If someone else were to get it into the repository, though, it would be trivial to make a combined build (either me or someone else).
     
  88. baldrickturnip

    baldrickturnip LI Guru Member

    if you want to put a wiki in with your blog I will add my procedure that I use to set up the server and clients - the least I could do after your sterling efforts with the VPN GUI mod which I appreciate.
     
  89. philr

    philr Addicted to LI Member

    My apologies for not being able to test this more quickly yesterday afternoon or evening.

    When I add the local 192.168.1.1 and the three (3) iptables updates after vpnserver1 starts I can successfully connect to the OpenVPN server.

    Three (3) iptables rules added after vpnserver1 starts:
    iptables -D INPUT -p udp --dport 1194 -j ACCEPT
    iptables -t nat -I PREROUTING -p udp -d 2.2.2.2 --dport 1194 -j DNAT --to-destination 192.168.1.1:1194
    iptables -I INPUT -p udp -d 192.168.1.1 --dport 1194 -j ACCEPT

    I didn't post the output of iptables -t nat -vL;iptables -vL as they are the same (as far as I can tell) as before we added the local 192.168.1.1

    The change I noticed by adding local 192.168.1.1 is when the OpenVPN server starts it is bound to an IP instead of being [undef]
    Mar 31 09:00:40 *router* daemon.notice openvpn[226]: UDPv4 link local (bound): 192.168.1.1:1194

    ***
    As for the second test of the custom firewall configuration I was not sure if you wanted me to test with the local 192.168.1.1 in the custom configuration or not.
     
  90. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good. We at least have that solution to fall back on then. However, the second one would be much cleaner (no NAT). It is completely independent of any of the other things we've tried, so:
    • Nothing in Custom Config
    • VPN firewall setting: Custom
    • Firewall script:
      Code:
      iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
      iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    • Reboot and start server
    Could you also try with just the first rule in the firewall script? I don't know if both are necessary. I'm no iptables expert and am trying to pick this up as I go along.

    I really appreciate all of the debugging you're doing. When I started making my custom builds, I started off trying to match roadkill's firewall/VPN configuration and evaluated/changed as I saw appropriate. I think this is the last bit that I haven't looked into to see if it needed improving.
     
  91. philr

    philr Addicted to LI Member

    Nothing in OpenVPN custom configuration
    Firewall set to Custom
    iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    Logfile
    Nothing in it

    Can successfully connect (if I just use the first line I cannot connect - I get the following in my logfile
    Mar 31 09:50:46 *router* user.warn kernel: DROP IN=vlan1 OUT= MAC=00:e0:b8:bf:21:e5:00:01:5c:24:91:c2:08:00:45:20:00:2a SRC=<my.ip.at.work> DST=<my.wan.ip.at.home> LEN=42 TOS=0x00 PREC=0x20 TTL=49 ID=0 DF PROTO=UDP SPT=60518 DPT=1194 LEN=22 )

    # iptables -t nat -vL;iptables -vL
    Chain PREROUTING (policy ACCEPT 25 packets, 5399 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
    0 0 DROP 0 -- ppp+ any anywhere 192.168.1.0/27
    0 0 DNAT icmp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net to:192.168.1.1
    11 660 DNAT tcp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net tcp dpt:webcache to:192.168.1.1:443
    1 60 DNAT tcp -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net tcp dpt:2222 to:192.168.1.1:22
    2 96 upnp 0 -- ppp+ any anywhere anywhere
    2 96 DNAT 0 -- any any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net to:192.168.1.10

    Chain POSTROUTING (policy ACCEPT 5 packets, 778 bytes)
    pkts bytes target prot opt in out source destination
    19 1103 MASQUERADE 0 -- any ppp+ anywhere anywhere

    Chain OUTPUT (policy ACCEPT 11 packets, 1257 bytes)
    pkts bytes target prot opt in out source destination

    Chain upnp (1 references)
    pkts bytes target prot opt in out source destination
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
    0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
    0 0 DROP 0 -- br0 any anywhere adsl-2-2-2-2.dsl.dytnoh.sbcglobal.net
    0 0 DROP 0 -- any any anywhere anywhere state INVALID
    188 25966 ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
    64 20311 ACCEPT 0 -- br0 any anywhere anywhere
    1 74 ACCEPT 0 -- lo any anywhere anywhere
    11 660 ACCEPT tcp -- any any anywhere *router*.dyndns.org tcp dpt:https
    1 60 ACCEPT tcp -- any any anywhere *router*.dyndns.org tcp dpt:ssh

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT 0 -- br0 br0 anywhere anywhere
    0 0 DROP 0 -- any any anywhere anywhere state INVALID
    25 1200 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1453:65535 TCPMSS set 1452
    120 21469 ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
    6 288 wanin 0 -- ppp+ any anywhere anywhere
    24 1152 wanout 0 -- any ppp+ anywhere anywhere
    24 1152 ACCEPT 0 -- br0 any anywhere anywhere
    6 288 upnp 0 -- ppp+ any anywhere anywhere
    6 288 ACCEPT 0 -- any br0 anywhere Wii.dyndns.org

    Chain OUTPUT (policy ACCEPT 311 packets, 143K bytes)
    pkts bytes target prot opt in out source destination

    Chain upnp (1 references)
    pkts bytes target prot opt in out source destination

    Chain wanin (1 references)
    pkts bytes target prot opt in out source destination

    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! It seems all I need to do is add the PREROUTING line to the firewall rules (the INPUT line is what I am already generating).

    Thank you for all your help in debugging. I think I have all the information I need. For now, you can change the vpn firewall setting back to "Automatic" and leave just the PREROUTING...ACCEPT line in your firewall script. That should get everything working for you. In the next release, you will no longer need the PREROUTING line.
     
  93. philr

    philr Addicted to LI Member

    You are very welcome. THANK YOU for working with me on this.

    I tried your suggestion of setting the firewall back to automatic and removing the 2nd line from the firewall script. Works great. I am able to connect with and without the DMZ enabled.
     
  94. MiBz

    MiBz Network Guru Member

    Keith, thanks for all your hard work.
    I installed 1.23vpn3.0000 fw this week-end, created the certs and set it up.
    Seems to be working well so far.

    Need some help though. I can't seem to get Server 1 to auto start on a reboot.

    I added
    sleep 10
    service vpnserver1 start
    in the init script, but it doesn't seem to work.
    I still have to start it manually. Nothing in the logs either.

    Also, is it normal that my clients get an IP like 10.8.0.6/255.255.255.252 subnet when the tun server config is set up for 10.8.0.0/255.255.255.0?

    Thanks again.
     
  95. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try placing it in the WAN Up script. By the way, the next version will have an option in the GUI to auto-start.
    That's normal. See here for an explanation of why it uses that subnet for each client.
     
  96. MiBz

    MiBz Network Guru Member

    Great, I guess I'll wait for the next version. Are you expecting to release it soon?
    I'd rather not put it in the WAN Up script if possible, to avoid having a second instance start up if the WAN connection is dropped momentarily.

    Thanks for the link on the /30 subnet. At least I know it's working the way it's supposed to.

    At first it was really slow and choppy. Quite disappointing compared to the previous PPTP setup. Then it hit me to look at Tomato's QoS classification. Sure enough, it was classified as lowest (default) priority. Fixed that up quickly.

    Thanks again. Great work and very much appreciated.
     
  97. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I was going to try and hurry out a release when it looked as though there was a non-starter for people with DMZs. However, we came up with a pretty simple workaround to get that going until the next release, so I'm not in a hurry any more. That said, it will probably be sometime in the next week.
    Starting with 1.23vpn3.0000, that command checks if the server/client is already running before it does anything. So, if it is already running when the WAN comes back up, nothing happens and you don't have duplicate instances.
    You could probably also get it working in the init script by increasing the delay (try 20 or 30, instead of 10), but WAN up is probably better.
     
  98. baldrickturnip

    baldrickturnip LI Guru Member

    I have

    sleep 30
    service vpnserver1 restart

    in the WAN up

    and also at around 1-2am everyday with the scheduler I have it do the same
    service vpnserver1 restart
     
  99. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unless you really want the server to stop and restart each time, you can change those to "service vpnserver1 start" (assuming you're on 1.23vpn3.0000). When that is run, it checks if the server is running, and if not, starts it up.
     
  100. MiBz

    MiBz Network Guru Member

    Wow next week is pretty quick. That's terrific and after all it's not really anything urgent.

    Thanks, I didn't realize that. With your blessing I just added to the WAN Up as:
    sleep 30
    service vpnserver1 start

    Hey, in passing I noticed that on your 'readme' the cron job command is somewhat reversed, where vpnserver1 is at the end?

    cru a CheckVPNServer "*/30 * * * * service start vpnserver1
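An added example (not from the Tomato VPN build or from any post in this thread) of the "start only if not already running" guard that SgtPepperKSU says the 1.23vpn3.0000 start command performs, written as a small WAN Up / scheduler helper so a momentary WAN drop cannot spawn a second vpnserver1 instance; the pidfile path and the START_CMD indirection are assumptions, and the closing comment shows the cru line with the word order MiBz points out.

```shell
#!/bin/sh
# Added example, not from the Tomato VPN build or this thread's scripts.
# Idempotent "start if not running" helper for the WAN Up script and the
# scheduler, so a brief WAN drop cannot spawn a second vpnserver1 instance.
# Assumptions: the server leaves a pidfile at PIDFILE (path is hypothetical),
# and the real start command is whatever START_CMD holds.

PIDFILE="${PIDFILE:-/var/run/vpnserver1.pid}"
START_CMD="${START_CMD:-service vpnserver1 start}"

# Returns 0 if PIDFILE names a live process, 1 if it is missing, empty or stale.
vpn_is_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE" 2>/dev/null)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Start the server only when it is not running; prints what happened so the
# outcome is visible in the log when this runs from cron.
vpn_start_once() {
    if vpn_is_running; then
        echo "already-running"
        return 0
    fi
    $START_CMD && echo "started"
}

# WAN Up script body (same shape as the sleep/start pair used in the thread):
#   sleep 30
#   vpn_start_once
# Scheduler entry, with the argument order the readme had reversed:
#   cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"
```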
     
