
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Thanks for pointing out that typo. I'll make sure I fix it for the next release.
     
  2. occamsrazor

    occamsrazor Network Guru Member

    Couple of TLS questions...

    I've been running the OpenVPN mods for a while.... using static-key authorization. I remotely connect to my router from two different machines, but never simultaneously, and it's all worked fine.
    But the recent addition of "Client<->Client" connectivity in the last build has got me thinking maybe I should use TLS instead; it seems to be "better".

    1. What are the advantages for a single user (but with a couple of remote machines) in using TLS rather than static-key?

    2. I know I saw a guide on how to set up TLS, but can't find it now, and remember being quite daunted by the setup and certificate/authority generation procedure. Can anyone recommend an easy TLS setup guide or post to look at?

    Thanks....
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    TLS has a clear notion of server vs client, and as such, can push options from the server to the clients. For instance, you have to enter subnet information into the client for Static Key mode, but it is pushed out automatically in TLS mode.

    The OpenVPN HOWTO has a pretty good tutorial for generating everything.
     
  4. occamsrazor

    occamsrazor Network Guru Member

    Cool... I have the TLS all working now. It was certainly more complicated than setting up the static-key system, but I can now see it allows greater flexibility.
    Just using the sample client config at the moment, will see if there's options worth tweaking later, e.g. forcing or not-forcing all traffic and DNS over the tunnel (I like to have both options) after a long crawl through this thread...

    Re: the typo in the readme noticed above, which is correct "service vpnserver1 start" or "service start vpnserver1"?

    Thanks as always....
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Code:
    service vpnserver1 start
    is correct.
     
  6. occamsrazor

    occamsrazor Network Guru Member

    Thanks...

    A question re: the new client-to-client functionality...

    Once both remote clients are authenticated to the tomato openvpn router, if a data transfer is made from client1 to client2, does the tunneled data traffic go client1 > router > client2, or does it go peer-to-peer directly i.e. client1 > client2 ?
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unfortunately, it goes client1->router->client2. That's just the way OpenVPN works. Unless you set up a tunnel directly between the two.
     
  8. baldrickturnip

    baldrickturnip LI Guru Member

    is it a better option to use restart ?
     
  9. occamsrazor

    occamsrazor Network Guru Member

    That's a shame... but frankly not a big deal for me, I doubt I'd use it much, but find it all quite interesting. That was why I was quite keen to try out the NeoRouter software:

    http://www.linksysinfo.org/forums/showthread.php?t=60852&highlight=neorouter

    ...as it does direct P2P transfers, which is pretty cool.

    On the other hand it didn't provide "real" vpn-type access to the home LAN, unless you installed clients on every single machine (and of course not other devices), which is my primary need, so I came back to your mod, which overall is the best I've used.

    While I'm here, did you have any further thoughts on the possibility of adding PPTP client functionality (I mentioned this previously, but don't know if any others would find this useful). Just that many commercial VPN providers only support PPTP (and/or it's cheaper than their OpenVPN offerings).

    Also just wondering if you have any plans to incorporate features from any of the other mods, or whether you prefer to keep it "clean".

    As always, thank you for all your hard work and active development of this great mod. Cheers.
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Only if you want it to stop the server every time. 'start' checks if it is already running and does nothing if it is, starting it if it isn't.
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's still in the back of my mind as a "wish-list" item, but I've made no effort to that effect so far.
    There may be an odd thing here or there I pull in, but generally not. If those features are in the git repository, it should be fairly simple for someone to merge them together, though.
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.23vpn3.0001

    For those that don't follow the blog, TomatoVPN 1.23vpn3.0001 is ready for downloading.

    Sorry it took me so long to finish it up. I had all of the changes that anybody would care about finished a couple of weeks ago, but wanted to get a backend cleanup (client/server files now are in their own sub-directories) in before making this release - and I had a hard time finding the time/motivation to get it done.

    Anyway, the biggest thing that you'll notice is that there is an option to auto-start the client/server on router boot. Let me know if you have any problems.
     
  13. occamsrazor

    occamsrazor Network Guru Member

    Upgraded fine. "Start with Server" option is a nice addition... Does this mean we no longer need to have this code in the WAN UP script?

    Code:
    sleep 10
    service vpnserver1 start
    
    ...and am I right in saying if we want to periodically check the server is running (and restart if needed) we should still have this in the init script?

    Code:
    cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"
    
    Thanks again for your continued updates....
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You're completely correct on both counts.
     
  15. ir2lazy

    ir2lazy Addicted to LI Member

    I seem to have a problem with VPN staying on. Even with the check code below in the init script, the VPN server still shuts down every few hours. I have to click "Start Now" in the VPN tab to turn it on again.

    Code:
    cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Is there anything in the logs showing an error when the server shuts down?

    Also, can you ssh/telnet to the router and provide the output of
    Code:
    cru l
    (that's a lowercase 'L')?
     
  17. ir2lazy

    ir2lazy Addicted to LI Member

    cru l output
    Code:
    17 1,5,9,13,17,21 * * * ntpsync --cron #ntpsync#
    12 18 2 5 * ddns-update 0 force #ddnsf0#
    0 * * * * logger -p syslog.info -- -- MARK -- #syslogdmark#
    
    I'll keep an eye out when the VPN server stops and post the logs. What I do notice is a lot of "daemon.notice openvpn" spamming my logs; not sure if it's supposed to do that. Also I am receiving the following warnings/errors:

    Code:
    Apr 13 07:31:29 ? daemon.warn openvpn[1509]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Apr 13 07:30:31 ? daemon.err openvpn[1509]: event_wait : Interrupted system call (code=4)
    
    
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, so the cron entry isn't getting added. Try adding a delay (sleep 20) before the cru command in your init script.

    You can ignore the messages. The first is just a warning because they changed some behavior in OpenVPN 2.1, but it isn't relevant to your situation. The second will show up whenever the server status is updated in the GUI.
     
  19. occamsrazor

    occamsrazor Network Guru Member

    I have a weird problem I can't seem to fix.... My setup is now TLS with Certificate Authority and two clients, a laptop and desktop both at my work. Both connect absolutely fine.

    I want each to get given the same IP address each time. For both I have fixed the IP address they are given by the mac address of their TAP adapter in the Static DHCP options page.

    My General pool of DHCP is 192.168.0.2 to 192.168.0.150
    I already have LAN machines with static DHCP on addresses up to 192.168.0.8
    I assigned 192.168.0.100 to the remote laptop and 192.168.0.101 to the remote desktop

    The remote laptop always gets .100, but the remote desktop always gets 192.168.0.9 (the first available DHCP address) instead of .101
    I've checked and double-checked the static DHCP list, even deleted then re-added the mac address of the remote desktop's TAP adapter directly from the "Device list" while it's connected via vpn.... yet still it never gets the .101 address

    Any ideas?
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm afraid not many. Does the syslog show any DHCP negotiation messages when the client connects? It sounds like OpenVPN is using the router's DHCP fine, but for some reason the router isn't settling on the right address.
     
  21. occamsrazor

    occamsrazor Network Guru Member

    I finally fixed the dhcp problem (been bugging me for months). Poring through the logs I discovered the only difference was slightly different versions of the OpenVPN client - the laptop was 2.1rc7 while the desktop was 2.1beta7, so I upgraded the desktop to the latest 2.1rc15... and now I get the .101 address correctly... must've been some kind of bug with the older version, either that or just the process of re-installing the TAP adapter.
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    2.1beta7 is about 3½ years old, so it doesn't surprise me that it worked differently. Unfortunately, OpenVPN uses the terms beta and rc very loosely and there has been much in the way of development and new features along the way.

    Anyway, I'm glad you resolved your issue!
     
  23. occamsrazor

    occamsrazor Network Guru Member

  24. ir2lazy

    ir2lazy Addicted to LI Member

    So far so good, the server is still running. Thanks!
     
  25. Mojonba

    Mojonba Network Guru Member

    Hey guys,

    I currently have a Tomato VPN server at home which works perfectly and is set up the following way. Router is at 192.168.105.1, set up with TAP & TLS & DHCP. Clients connect with the OpenVPN client and receive a 192.168.105.x IP. I recently bought another WRT and would like to set it up at work in client mode with my home server, in order to eliminate clients connecting individually and to take advantage, if possible, of server-client comm. What would be the best way to configure this? TUN/TAP? In my case it is possible to set both sites in the 192.168.105.x subnet if it makes configuration any easier. I use my VPN primarily for Windows file/printer sharing and I would like to maintain the flexibility of connecting with the OpenVPN client from anywhere as well.

    Thanks
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For site-to-site, I prefer to use TUN as it's much more clear-cut what you need to do. With TAP, you have to deal with peculiarities with DHCP requests crossing (or not) the tunnel.

    The only downside is that only IP routable traffic will go across the tunnel. This means you will not be able to browse network neighborhood to find computers on the other end of the tunnel, but you can still access the shares via //<ip-address>/. But, it can be done either way.
     
  27. i1135t

    i1135t Network Guru Member

    Help anyone, I have setup my VPN to connect to my home network from work. It connects fine without errors, but I cannot ping any of my home LAN computers, nor can I surf through my home gateway (my work has limited access to internet).

    I am using TUN / CA / multi-client setup and it works fine. Am I supposed to add a route statement as well to my router? How do I do that? I have set up my VPN subnet to 10.2.2.x mask 255.255.255.0 and my LAN subnet is 10.1.1.x mask 255.255.255.0. I want to keep them on different subnet because it's easier to differentiate and good for learning some network stuff.

    When I connect from work, I get an IP in the 10.2.2.x subnet, but the gateway is 10.2.2.6, which I assume is set automatically by my VPN? I thought that adding custom DNS servers from my home setting on my VPN server to forward to my clients would allow me to surf with unrestricted access, but no luck. I get the DNS servers correctly after connecting, but my route statements are messed up. Pls look here (I x'd out the public IPs):

    Code:
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0        128.0.0.0         10.2.2.5        10.2.2.6       1
              0.0.0.0          0.0.0.0   192.168.150.40  192.168.150.146      10
             10.1.1.0    255.255.255.0         10.2.2.5        10.2.2.6       1
             10.2.2.0    255.255.255.0         10.2.2.5        10.2.2.6       1
             10.2.2.4  255.255.255.252         10.2.2.6        10.2.2.6       30
             10.2.2.6  255.255.255.255        127.0.0.1       127.0.0.1       30
       10.255.255.255  255.255.255.255         10.2.2.6        10.2.2.6       30
             66.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
             66.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
             67.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
             67.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
             67.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
             68.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
             72.x.x.x  255.255.255.255   192.168.150.40  192.168.150.146      1
             72.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
            128.0.0.0        128.0.0.0         10.2.2.5        10.2.2.6       1
        192.168.148.0    255.255.252.0  192.168.150.146  192.168.150.146      10
      192.168.150.146  255.255.255.255        127.0.0.1       127.0.0.1       10
      192.168.150.255  255.255.255.255  192.168.150.146  192.168.150.146      10
            216.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
            216.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
            224.0.0.0        240.0.0.0         10.2.2.6        10.2.2.6       30
            224.0.0.0        240.0.0.0  192.168.150.146  192.168.150.146      10
      255.255.255.255  255.255.255.255         10.2.2.6        10.2.2.6       1
      255.255.255.255  255.255.255.255  192.168.150.146  192.168.150.146      1
    Default Gateway:          10.2.2.5
    ===========================================================================
    Persistent Routes:
      None
    
    However I cannot ping any of my home IPs in the 10.1.1.x subnet nor can I surf through my home connection. All my DNS queries still go through my work DNS & gateway. Anyone have any ideas? Basically I want my VPN connection (10.2.2.x) to be on a separate subnet from my home LAN subnet (10.1.1.x) but still be able to communicate with each other, and still give me the ability to have my traffic go through my home gateway, so I can surf freely.

    Also, how do I setup my VPN connections to prompt for a password, should someone get their hands on my certs/keys? Thanks!!
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Operating system? Client configuration? Custom server configuration? You'll need to provide some details on your setup before I can help debug it.

    To browse your home network, you shouldn't need anything in the Custom Config section on the router. The routing should be set up automatically.
     
  29. i1135t

    i1135t Network Guru Member

    I will post my VPN Server custom config when I get home from work in about an hour. Now by wiping my custom config on the VPN Server, how will my clients know which DNS servers to contact? Through my route statements?

    I am running Windows XP Pro at work and my client config is:

    Code:
    dev tun
    proto udp
    remote x.x.x.x 1194
    resolv-retry infinite
    tls-client
    keepalive 10 120
    verb 3
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth static.key
    ns-cert-type server
    key-method 2
    auth SHA1
    cipher BF-CBC
    pull
    nobind
    comp-lzo
    float
    explicit-exit-notify 3
     
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    They won't, but let's get the routing working first. Then we'll worry about DNS.
     
  31. i1135t

    i1135t Network Guru Member

    Here is my VPN server config:
    Code:
    push route 10.1.1.0 255.255.255.0
    push redirect-gateway def1 bypass-dhcp
    route-gateway 10.1.1.1
    push dhcp-option DNS 68.x.x.x
    push dhcp-option DNS 68.x.x.x
    push dhcp-option DNS 68.x.x.x
    keepalive 10 120
    persist-key
    persist-tun

    I forgot to mention that I was able to ping my router before when I was at work, but only my router... when I didn't have this line in my server config:

    route-gateway 10.1.1.1

    I added that line when I was at work and saved it, but then after that, I couldn't ping it anymore.
     
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try getting rid of all of that and posting the routing table on your client.
     
  33. i1135t

    i1135t Network Guru Member

    OK, well, if I need to do that at work, then it will have to wait till tomorrow. Right now, I have it set up at home for me to connect out, then back in.

    Here is my routing table for my home desktop running Windows XP also.

    Code:
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.1.1.1        10.1.1.2       10
             10.1.1.0    255.255.255.0         10.1.1.2        10.1.1.2       10
             10.1.1.0    255.255.255.0         10.2.2.5        10.2.2.6       1
             10.1.1.2  255.255.255.255        127.0.0.1       127.0.0.1       10
             10.2.2.0    255.255.255.0         10.2.2.5        10.2.2.6       1
             10.2.2.4  255.255.255.252         10.2.2.6        10.2.2.6       30
             10.2.2.6  255.255.255.255        127.0.0.1       127.0.0.1       30
       10.255.255.255  255.255.255.255         10.1.1.2        10.1.1.2       10
       10.255.255.255  255.255.255.255         10.2.2.6        10.2.2.6       30
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
            224.0.0.0        240.0.0.0         10.1.1.2        10.1.1.2       10
            224.0.0.0        240.0.0.0         10.2.2.6        10.2.2.6       30
      255.255.255.255  255.255.255.255         10.1.1.2        10.1.1.2       1
      255.255.255.255  255.255.255.255         10.2.2.6        10.2.2.6       1
    Default Gateway:          10.1.1.1
    ===========================================================================
    Persistent Routes:
      None

    BTW, I cannot get out to the internet at all when I am connected to the VPN.
     

  34. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Strange, because it shouldn't affect your internet traffic at all. Could you connect to your router via ssh/telnet and post the contents of /etc/openvpn/server1/config.ovpn? Also anything that shows up in the syslog when the client connects. Also, the client logs when it connects.
     
  35. i1135t

    i1135t Network Guru Member

    Here is what I have in my logs:

    Code:
    Apr 14 18:00:02 tomato user.info rcheck[5399]: Activating rule 1
    Apr 14 18:08:50 tomato daemon.err openvpn[3299]: event_wait : Interrupted system call (code=4)
    Apr 14 18:08:50 tomato daemon.notice openvpn[3299]: TCP/UDP: Closing socket
    Apr 14 18:08:50 tomato daemon.notice openvpn[3299]: /sbin/route del -net 10.2.2.0 netmask 255.255.255.0
    Apr 14 18:08:50 tomato daemon.notice openvpn[3299]: Closing TUN/TAP interface
    Apr 14 18:08:50 tomato daemon.notice openvpn[3299]: /sbin/ifconfig tun21 0.0.0.0
    Apr 14 18:08:50 tomato daemon.notice openvpn[3299]: SIGTERM[hard,] received, process exiting
    Apr 14 18:08:51 tomato user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Apr 14 18:08:51 tomato user.info kernel: device tun21 entered promiscuous mode
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Apr 13 2009
    Apr 14 18:08:51 tomato daemon.warn openvpn[5424]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: Diffie-Hellman initialized with 1024 bit key
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: TUN/TAP device tun21 opened
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: TUN/TAP TX queue length set to 100
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: /sbin/ifconfig tun21 10.2.2.1 pointopoint 10.2.2.2 mtu 1500
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: /sbin/route add -net 10.2.2.0 netmask 255.255.255.0 gw 10.2.2.2
    Apr 14 18:08:51 tomato daemon.notice openvpn[5424]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Apr 14 18:08:51 tomato daemon.notice openvpn[5430]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Apr 14 18:08:51 tomato daemon.notice openvpn[5430]: UDPv4 link local (bound): [undef]:1194
    Apr 14 18:08:51 tomato daemon.notice openvpn[5430]: UDPv4 link remote: [undef]
    Apr 14 18:08:51 tomato daemon.notice openvpn[5430]: MULTI: multi_init called, r=256 v=256
    Apr 14 18:08:51 tomato daemon.notice openvpn[5430]: IFCONFIG POOL: base=10.2.2.4 size=62
    Apr 14 18:08:51 tomato daemon.notice openvpn[5430]: Initialization Sequence Completed
    Apr 14 18:08:56 tomato daemon.err openvpn[5430]: event_wait : Interrupted system call (code=4)
    Apr 14 18:08:56 tomato daemon.notice openvpn[5430]: TCP/UDP: Closing socket
    Apr 14 18:08:56 tomato daemon.notice openvpn[5430]: /sbin/route del -net 10.2.2.0 netmask 255.255.255.0
    Apr 14 18:08:56 tomato daemon.notice openvpn[5430]: Closing TUN/TAP interface
    Apr 14 18:08:56 tomato daemon.notice openvpn[5430]: /sbin/ifconfig tun21 0.0.0.0
    Apr 14 18:08:56 tomato daemon.notice openvpn[5430]: SIGTERM[hard,] received, process exiting
    Apr 14 18:09:01 tomato cron.err crond[106]: USER root pid 5460 cmd ddns-update 0
    Apr 14 18:09:18 tomato user.info rcheck[5518]: Activating rule 1
    Apr 14 18:09:28 tomato user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Apr 14 18:09:28 tomato user.info kernel: device tun21 entered promiscuous mode
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Apr 13 2009
    Apr 14 18:09:28 tomato daemon.warn openvpn[5545]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: Diffie-Hellman initialized with 1024 bit key
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: TUN/TAP device tun21 opened
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: TUN/TAP TX queue length set to 100
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: /sbin/ifconfig tun21 10.2.2.1 pointopoint 10.2.2.2 mtu 1500
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: /sbin/route add -net 10.2.2.0 netmask 255.255.255.0 gw 10.2.2.2
    Apr 14 18:09:28 tomato daemon.notice openvpn[5545]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Apr 14 18:09:29 tomato daemon.notice openvpn[5551]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Apr 14 18:09:29 tomato daemon.notice openvpn[5551]: UDPv4 link local (bound): [undef]:1194
    Apr 14 18:09:29 tomato daemon.notice openvpn[5551]: UDPv4 link remote: [undef]
    Apr 14 18:09:29 tomato daemon.notice openvpn[5551]: MULTI: multi_init called, r=256 v=256
    Apr 14 18:09:29 tomato daemon.notice openvpn[5551]: IFCONFIG POOL: base=10.2.2.4 size=62
    Apr 14 18:09:29 tomato daemon.notice openvpn[5551]: Initialization Sequence Completed
    Apr 14 18:09:32 tomato daemon.err openvpn[5551]: event_wait : Interrupted system call (code=4)
    Apr 14 18:11:35 tomato daemon.notice openvpn[5551]: MULTI: multi_create_instance called
    Apr 14 18:11:35 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 Re-using SSL/TLS context
    Apr 14 18:11:35 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 LZO compression initialized
    Apr 14 18:11:35 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Apr 14 18:11:35 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Apr 14 18:11:35 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 TLS: Initial packet from 10.1.1.2:1623, sid=8148a9fc f4167650
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 VERIFY OK: depth=1, /C=US/ST=XX/L=XX/O=XX/CN=X.X.X.X/Email=X@X.X
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 VERIFY OK: depth=0, /C=US/ST=XX/O=XX/CN=client1/Email=X@X.X
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: 10.1.1.2:1623 [client1] Peer Connection Initiated with 10.1.1.2:1623
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:1623 MULTI: Learn: 10.2.2.6 -> client1/10.1.1.2:1623
    Apr 14 18:11:36 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:1623 MULTI: primary virtual IP for client1/10.1.1.2:1623: 10.2.2.6
    Apr 14 18:11:37 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:1623 PUSH: Received control message: 'PUSH_REQUEST'
    Apr 14 18:11:37 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:1623 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,route 10.2.2.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.2.2.6 10.2.2.5' (status=1)
    Apr 14 18:13:39 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:1623 [client1] Inactivity timeout (--ping-restart), restarting
    Apr 14 18:13:39 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:1623 SIGUSR1[soft,ping-restart] received, client-instance restarting
    Apr 14 18:15:01 tomato cron.err crond[106]: USER root pid 5558 cmd rcheck --cron
    Apr 14 18:16:11 tomato daemon.notice openvpn[5551]: MULTI: multi_create_instance called
    Apr 14 18:16:11 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 Re-using SSL/TLS context
    Apr 14 18:16:11 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 LZO compression initialized
    Apr 14 18:16:11 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Apr 14 18:16:11 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Apr 14 18:16:11 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 TLS: Initial packet from 10.1.1.2:2037, sid=19cf6771 fa91ea4a
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 VERIFY OK: depth=1, /C=US/ST=XX/L=X/O=X/CN=X.X.X.X/Email=X@X.X
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 VERIFY OK: depth=0, /C=US/ST=XX/O=X/CN=client1/Email=X@X.X
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: 10.1.1.2:2037 [client1] Peer Connection Initiated with 10.1.1.2:2037
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:2037 MULTI: Learn: 10.2.2.6 -> client1/10.1.1.2:2037
    Apr 14 18:16:12 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:2037 MULTI: primary virtual IP for client1/10.1.1.2:2037: 10.2.2.6
    Apr 14 18:16:13 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:2037 PUSH: Received control message: 'PUSH_REQUEST'
    Apr 14 18:16:13 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:2037 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,route 10.2.2.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.2.2.6 10.2.2.5' (status=1)
    Apr 14 18:17:14 tomato daemon.err openvpn[5551]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Apr 14 18:17:29 tomato daemon.err openvpn[5551]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Apr 14 18:17:44 tomato daemon.err openvpn[5551]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Apr 14 18:17:59 tomato daemon.err openvpn[5551]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
    Apr 14 18:18:13 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:2037 [client1] Inactivity timeout (--ping-restart), restarting
    Apr 14 18:18:13 tomato daemon.notice openvpn[5551]: client1/10.1.1.2:2037 SIGUSR1[soft,ping-restart] received, client-instance restarting
    Apr 14 18:20:01 tomato cron.err crond[106]: USER root pid 5560 cmd ddns-update 0
    Apr 14 18:27:12 tomato auth.info login[5605]: root login on 'pts/0'
    Apr 14 18:30:00 tomato authpriv.info dropbear[5618]: Child connection from 10.1.1.2:3440
    Apr 14 18:30:00 tomato authpriv.notice dropbear[5618]: password auth succeeded for 'root' from 10.1.1.2:3440
    Apr 14 18:30:01 tomato cron.err crond[106]: USER root pid 5634 cmd rcheck --cron
    Apr 14 18:30:55 tomato authpriv.info dropbear[5618]: exit after auth (root): Exited normally
    Apr 14 18:31:01 tomato cron.err crond[106]: USER root pid 5718 cmd ddns-update 0
    
    And here is what is in my vpnserver1/config.ovpn

    Code:
    # Automatically generated configuration
    daemon
    server 10.2.2.0 255.255.255.0
    proto udp
    port 1194
    dev tun21
    cipher BF-CBC
    comp-lzo yes
    keepalive 15 60
    verb 3
    push "route 10.1.1.0 255.255.255.0"
    client-config-dir ccd
    client-to-client
    tls-auth static.key
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    # Custom Configuration
    
    Damn, I knew there was something strange happening... look at this... when I log into my router using IE8, I see something different from when I log into it using FF3. WTF?!?!
     

    Attached Files: ff.jpg, ie.jpg
  36. i1135t

    i1135t Network Guru Member

    Sorry SgtPepper, I cleared my NVRAM and redid everything from scratch. Basically same goals as before, but all that I changed was that I set a password when I created the certs/keys and changed the protocol from UDP to TCP. I also tried to remove some client config settings that maybe were not necessary. Here is my new client config:

    Code:
    dev tun
    proto tcp
    remote x.x.x.x 1194
    resolv-retry infinite
    tls-client
    keepalive 10 120
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth static.key
    ns-cert-type server
    key-method 2
    auth SHA1
    nobind
    comp-lzo
    float
    
    Here is my new server config:

    Code:
    # Automatically generated configuration
    daemon
    server 10.2.2.0 255.255.255.0
    proto tcp-server
    port 1194
    dev tun21
    comp-lzo yes
    keepalive 15 60
    verb 3
    push "route 10.1.1.0 255.255.255.0"
    client-config-dir ccd
    client-to-client
    tls-auth static.key
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    
    # Custom Configuration
    
    I will try again at work tomorrow and post results. Thanks for helping!
     
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Change "tls-client" to just "client". Otherwise the correct routes won't be sent from the server.

    I don't have IE8 and haven't tested on it, so that is probably a bug in the GUI (or IE8 - need to work around it either way). Does IE8 have any kind of error console? I know in previous versions of IE, there is a setting to display a pop-up on any javascript errors. Could you check if there is a similar setting in IE8 to see what's going wrong?

    Something else you might try is using a much different subnet for your LAN (e.g. 192.168.1.0/24 for LAN, 10.8.0.0/24 for the VPN). For some reason your OS is setting up 10.x.x.x routes that conflict. That may be your whole problem.
     
  38. qq6r

    qq6r Addicted to LI Member

    Hi, I have a problem when using VPN:
    server 192.168.1.1, VPN address 10.8.0.1
    client 192.168.1.67, gateway 192.168.1.1
    The client gets VPN address 10.8.0.x when connected to the server, but couldn't ping the VPN server or access the LAN or the Internet at the same time. I looked at the client's log and found this message:
    WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]

    and I checked the client's route table:

    192.168.1.0 255.255.255.0 在链路上 192.168.1.67 276
    192.168.1.0 255.255.255.0 10.8.0.9 10.8.0.10 30

    There is a conflict between the two rules, so I checked the config of the VPN server:
    daemon
    server 10.8.0.0 255.255.255.0
    proto udp
    port 1194
    dev tun21
    comp-lzo yes
    keepalive 15 60
    verb 3
    push "route 192.168.1.0 255.255.255.0"
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status

    # Custom Configuration
    max-clients 10
    client-to-client
    duplicate-cn

    I saw the line push "route 192.168.1.0 255.255.255.0" in the config; it seems the router adds it automatically. I thought this is the problem, but how could I correct it?
    Here is my client config:
    client
    dev tun
    proto udp
    remote 192.168.1.1 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    comp-lzo
    verb 3
     
  39. jza80

    jza80 Network Guru Member

    Server LAN and client LAN are on the same subnet (192.168.1.0/24). Change one of them, so that it's on a different subnet.

    Routing is screwed up. You have 2 gateways to the same destination (192.168.1.0/24).
     
  40. qq6r

    qq6r Addicted to LI Member

    The line 192.168.1.0 255.255.255.0 在链路上 192.168.1.67 276 already existed before the client connects to the server; the line 192.168.1.0 255.255.255.0 10.8.0.9 10.8.0.10 30 is added after the client has connected to the server, so that causes the conflict.

    vpn subnet 10.8.0.0/24
    local subnet 192.168.1.0/24

    There is no conflict in fact; I think the server shouldn't push "route 192.168.1.0 255.255.255.0" where the OpenVPN server and client are on the same subnet.
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The conflict is between the LAN your client is on and the server LAN. They cannot be on the same subnet. Change your server router's LAN IP to 192.168.0.1 (or something other than 192.168.1.x) and you won't get the conflict.
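An added example, not code from this thread or from the Tomato VPN mod, of the check that produces the "potential route subnet conflict" warning qq6r saw: it pulls the VPN pool and every pushed route out of a server config and compares them against the client's LAN with Python's ipaddress module. The server config text is the one qq6r posted; the client LAN strings (the original 192.168.1.x LAN and the renumbered 192.168.0.x one) are constructed sample values.

```python
import ipaddress
import re

# qq6r's server config from the post above (only the lines that matter here).
SERVER_CONFIG = """\
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
push "route 192.168.1.0 255.255.255.0"
client-to-client
"""

_SERVER = re.compile(r'^\s*server\s+(\S+)\s+(\S+)', re.M)
_PUSH_ROUTE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', re.M)


def tunnel_networks(config):
    """Networks a client will route into the tunnel: the VPN pool from the
    'server' line plus every network pushed with push "route ...".
    ip_network accepts netmask notation (a.b.c.d/255.255.255.0) directly."""
    nets = []
    m = _SERVER.search(config)
    if m:
        nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    for addr, mask in _PUSH_ROUTE.findall(config):
        nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return nets


def lan_conflicts(config, client_lan):
    """Tunnel networks that overlap the client's own LAN. Any hit means the
    client ends up with two routes to the same destination, one on-link and
    one via the tunnel, which is exactly the warning in qq6r's client log."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [net for net in tunnel_networks(config) if net.overlaps(lan)]


def pool_conflicts(config):
    """Overlaps among the tunnel networks themselves, e.g. a VPN pool chosen
    inside the server LAN (the 10.x.x.x clash SgtPepperKSU mentions above)."""
    nets = tunnel_networks(config)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed client LANs: the one qq6r had, and the renumbered one.
    for lan in ("192.168.1.67/24", "192.168.0.67/24"):
        print(lan, "->", [str(n) for n in lan_conflicts(SERVER_CONFIG, lan)])
```

Run it against a server config and the client's LAN before handing out a client profile; an empty list from both functions is what you want. The same check applied to the pushed routes against the server LAN catches the reverse case (VPN pool inside the server LAN) that SgtPepperKSU warns about.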
     
  42. i1135t

    i1135t Network Guru Member

    Yeah, that was strange, but sorry I uninstalled IE8 so I can't check that out for you. Looks to me like IE8 is still "beta" regardless of what Microsoft says.

    Well, I made the change and it connects fine. I could ping my LAN computers, but only the wired connections, including my router, so that's good. I cannot ping any of my wireless computers? Is it supposed to be like that? Also, I still cannot surf through my home gateway.

    Here is my route statement:

    Code:
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0   192.168.150.40  192.168.150.146      10
             10.1.1.0    255.255.255.0         10.2.2.5        10.2.2.6       1
             10.2.2.0    255.255.255.0         10.2.2.5        10.2.2.6       1
             10.2.2.4  255.255.255.252         10.2.2.6        10.2.2.6       30
             10.2.2.6  255.255.255.255        127.0.0.1       127.0.0.1       30
       10.255.255.255  255.255.255.255         10.2.2.6        10.2.2.6       30
        63.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        64.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
       66.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        67.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        67.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        67.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
       72.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        192.168.148.0    255.255.252.0  192.168.150.146  192.168.150.146      10
      192.168.150.146  255.255.255.255        127.0.0.1       127.0.0.1       10
      192.168.150.255  255.255.255.255  192.168.150.146  192.168.150.146      10
          199.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        208.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        208.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        208.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        208.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        209.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
      216.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
      216.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
      216.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
            224.0.0.0        240.0.0.0         10.2.2.6        10.2.2.6       30
            224.0.0.0        240.0.0.0  192.168.150.146  192.168.150.146      10
      255.255.255.255  255.255.255.255         10.2.2.6        10.2.2.6       1
      255.255.255.255  255.255.255.255  192.168.150.146  192.168.150.146      1
    Default Gateway:    192.168.150.40
    ===========================================================================
    Persistent Routes:
      None
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It should be able to ping anything you can ping from your LAN. Can you ping them there?
    We haven't configured that yet. Try adding just
    Code:
    push "redirect-gateway def1"
    to your Custom Config section. It will probably not send DNS over the tunnel still, though.
     
  44. i1135t

    i1135t Network Guru Member

    I am pretty sure I could ping my wireless computers when I am at home. I will have to double check that later.

    OK, made the change to my Custom Config and looks like my default gateway has been updated, but still getting blocked. Here is my new route statement:

    Code:
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0        128.0.0.0         10.2.2.5        10.2.2.6       1
              0.0.0.0          0.0.0.0   192.168.150.40  192.168.150.146      10
             10.1.1.0    255.255.255.0         10.2.2.5        10.2.2.6       1
             10.1.1.3  255.255.255.255   192.168.150.20  192.168.150.146      1
             10.2.2.0    255.255.255.0         10.2.2.5        10.2.2.6       1
             10.2.2.4  255.255.255.252         10.2.2.6        10.2.2.6       30
             10.2.2.6  255.255.255.255        127.0.0.1       127.0.0.1       30
       10.255.255.255  255.255.255.255         10.2.2.6        10.2.2.6       30
        63.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        67.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
       69.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
       72.x.x.x  255.255.255.255   192.168.150.40  192.168.150.146      1
       72.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
         74.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
         74.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
         74.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        74.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
            128.0.0.0        128.0.0.0         10.2.2.5        10.2.2.6       1
        192.168.148.0    255.255.252.0  192.168.150.146  192.168.150.146      10
      192.168.150.146  255.255.255.255        127.0.0.1       127.0.0.1       10
      192.168.150.255  255.255.255.255  192.168.150.146  192.168.150.146      10
          199.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
          199.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
       206.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        208.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        208.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        208.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
        208.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
      216.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
      216.x.x.x  255.255.255.255   192.168.150.20  192.168.150.146      1
            224.0.0.0        240.0.0.0         10.2.2.6        10.2.2.6       30
            224.0.0.0        240.0.0.0  192.168.150.146  192.168.150.146      10
      255.255.255.255  255.255.255.255         10.2.2.6        10.2.2.6       1
      255.255.255.255  255.255.255.255  192.168.150.146  192.168.150.146      1
    Default Gateway:          10.2.2.5
    ===========================================================================
    Persistent Routes:
      None
    Do I need to add in custom DNS servers now? If so, should I add my home gateway (10.1.1.1) as my DNS server or my home WAN DNS servers? What is the proper syntax?
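An added example, not code from this thread, that shows what the route table above means: it parses Windows "route print" rows, does the longest-prefix lookup the OS does, and checks for the two /1 routes that push "redirect-gateway def1" installs. def1 never removes the original 0.0.0.0/0 default; it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which are more specific and therefore win, while the /32 host route for the VPN server's address stays on the physical gateway so the tunnel does not route its own packets into itself. The ROUTE_PRINT constants are constructed excerpts of i1135t's two tables.

```python
import ipaddress

# Constructed excerpt of i1135t's "route print" output after the server
# started pushing "redirect-gateway def1" (only the rows needed here).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0        128.0.0.0         10.2.2.5        10.2.2.6       1
          0.0.0.0          0.0.0.0   192.168.150.40  192.168.150.146      10
         10.1.1.0    255.255.255.0         10.2.2.5        10.2.2.6       1
         10.1.1.3  255.255.255.255   192.168.150.20  192.168.150.146      1
         10.2.2.0    255.255.255.0         10.2.2.5        10.2.2.6       1
        128.0.0.0        128.0.0.0         10.2.2.5        10.2.2.6       1
    192.168.148.0    255.255.252.0  192.168.150.146  192.168.150.146      10
Default Gateway:          10.2.2.5
"""

# Constructed excerpt of the earlier table, before def1 was pushed.
ROUTE_PRINT_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.150.40  192.168.150.146      10
         10.1.1.0    255.255.255.0         10.2.2.5        10.2.2.6       1
         10.2.2.0    255.255.255.0         10.2.2.5        10.2.2.6       1
    192.168.148.0    255.255.252.0  192.168.150.146  192.168.150.146      10
Default Gateway:    192.168.150.40
"""


def parse_routes(text):
    """Parse the 'Active Routes' rows of Windows 'route print' output into
    (network, gateway, interface, metric) tuples. Header and footer lines do
    not have five fields (or do not parse as addresses) and are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            routes.append((
                ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False),
                ipaddress.ip_address(parts[2]),
                ipaddress.ip_address(parts[3]),
                int(parts[4]),
            ))
        except ValueError:
            continue
    return routes


def next_hop(routes, destination):
    """Longest-prefix match with the metric as tie-break, which is how the
    Windows stack picks a route. Returns (matched network, gateway) or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gw, _iface, metric in routes:
        if dst in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, net, gw)
    return (best[1], best[2]) if best else None


def has_def1_override(routes, vpn_gateway):
    """True when both halves of the address space (0.0.0.0/1 and 128.0.0.0/1)
    point at the VPN gateway, i.e. redirect-gateway def1 has taken effect."""
    gw = ipaddress.ip_address(vpn_gateway)
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    present = {net for net, g, _i, _m in routes if net in halves and g == gw}
    return present == halves


if __name__ == "__main__":
    for label, text in (("before", ROUTE_PRINT_BEFORE), ("after", ROUTE_PRINT)):
        routes = parse_routes(text)
        print(label, "def1:", has_def1_override(routes, "10.2.2.5"),
              "74.125.45.100 via", next_hop(routes, "74.125.45.100"))
```

With the "after" table, a public address such as 74.125.45.100 resolves to 0.0.0.0/1 via 10.2.2.5 (the tunnel), while 10.1.1.3 still resolves to its /32 via 192.168.150.20; with the "before" table the same lookup falls through to 0.0.0.0/0 via the office gateway. That is the step 4 ("Default route") check from SgtPepperKSU's list, done from the route table instead of a traceroute.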
     
  45. qq6r

    qq6r Addicted to LI Member

    I changed it as you said and the problem was solved, but I wonder why the config of the server contains the line push "192.168.1.0 255.255.255.0"?

    thx for your reply
     
  46. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It contains that line so you can access the server LAN.
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What do you mean by "blocked"? What does it show if you run
    Code:
    tracert 74.125.45.100
    on your client (traceroute to google)?
    I was wanting to get things working one step at a time to see where the problem lies:
    1. VPN connection
    2. VPN route
    3. Server LAN route
    4. Default route
    5. DNS
    If the default route isn't working properly, we should get that straightened away before getting distracted by DNS.

    If the above traceroute doesn't work try running
    Code:
    route add 10.2.2.5 mask 255.255.255.255 10.2.2.6
    on the client and trying the traceroute again.

    If the traceroute does work (without the above route add), then we can try adding DNS by including
    Code:
    push "dhcp-option DNS 10.1.1.1"
    in your server custom config.
     
  48. i1135t

    i1135t Network Guru Member

    At my workplace, we have OpenDNS for filtering websites. I cannot access some sites that are blocked.

    My tracert with VPN connected is:

    Code:
    C:\Program Files\Windows Resource Kits\Tools>tracert google.com
    
    Tracing route to google.com [74.125.45.100]
    over a maximum of 30 hops:
    
      1   189 ms   208 ms   251 ms  10.2.2.1
      2   108 ms   114 ms   110 ms  10.1.184.1
      3    69 ms   206 ms    95 ms  68.9.9.85
      4    82 ms   113 ms   117 ms  ip68-9-7-128.ri.ri.cox.net [68.9.7.128]
      5    88 ms   125 ms   124 ms  provdsrj01-ge500.0.rd.ri.cox.net [68.9.14.113]
      6   171 ms   130 ms   131 ms  nyrkbbrj02-ae0.0.r2.ny.cox.net [68.1.0.253]
      7   131 ms    67 ms   108 ms  209.85.255.68
      8   107 ms   245 ms   120 ms  209.85.251.9
      9   158 ms   172 ms   109 ms  72.14.232.213
     10   136 ms   150 ms   121 ms  209.85.253.137
     11   131 ms   184 ms   218 ms  yx-in-f100.google.com [74.125.45.100]
    
    Trace complete.
    So it appears that traffic is working fine because it is going though my home connection in traceroute.

    I also added that route and still no go. Cleared browser cache and DNS cache each time and still not working. Also, added Custom DNS servers for 10.1.1.1 and WAN DNS servers on two separate occasions and still no luck.

    What I don't get is why my HTTP traffic is still coming back to me as blocked through OpenDNS? I remember reading somewhere before that I need srelay or something of that nature? Is that true?
     
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, so it seems the default route is working fine. Now, we just need to get DNS working. What does the output of
    Code:
    nslookup google.com
    return (after adding the dhcp-option line and connecting the client)?
     
  50. i1135t

    i1135t Network Guru Member

    Added dhcp-option DNS 10.1.1.1 and reconnected and did nslookup:

    Code:
    C:\Program Files\Windows Resource Kits\Tools>nslookup google.com
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 10.1.1.1: Timed out
    Server:  x.x.local
    Address:  192.168.150.35
    
    Non-authoritative answer:
    Name:    google.com
    Addresses:  74.125.67.100, 74.125.45.100, 209.85.171.100
    -- EDIT --

    I changed the dhcp-option from 10.1.1.1 to my three WAN DNS servers and got this:

    Code:
    C:\Program Files\Windows Resource Kits\Tools>nslookup google.com
    Server:  cdns2.cox.net
    Address:  68.105.28.12
    
    Non-authoritative answer:
    Name:    google.com
    Addresses:  209.85.171.100, 74.125.45.100, 74.125.67.100
    So it looks like with this setup the name server lookup works and I can surf now... THANK YOU SgtPepper!!! Now all I need to get working is my password prompt when connecting through VPN and pinging my wireless computers at home, then I should be all set. Thanks again!!

    How do I get the password prompt to come up when connecting through VPN? I tried creating it when I made the CA/client certs & keys but it didn't prompt me when I connected...?
     
  51. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It is acting like there is no DNS server running on the router. Do you have "Use Internal Caching DNS Forwarder" disabled in Advanced->DHCP/DNS? I guess I should have checked with you on that. I assumed it was enabled.
    If normal DHCP clients (connected directly on the LAN) get those as their DNS servers (as opposed to the router itself), then you did exactly right.
    When you generate your client key, use build-key-pass rather than build-key. This will password protect your client key and require you to enter a password before the key can be used. If you would rather the server prompt the client for a password, we can do that, too, but it will involve storing the correct password in plain text on the router. I would suggest password protecting the key instead (the user must enter a password before connecting either way).

    EDIT: I just realized that through some bug, the windows installer doesn't create a build-key-pass.bat file. You can create it yourself, though, by just copying the build-key.bat file and removing "-nodes ".
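An added example, not from this thread or the easy-rsa scripts, for checking what the build-key / build-key-pass difference actually produces. In openssl req, -nodes means "no DES": the private key is written unencrypted, which is why the stock build-key.bat gives a key that never prompts; drop the flag and openssl asks for a passphrase and writes an encrypted key. The function below classifies a PEM key file so you can audit the client keys you hand out. The PEM fragments are constructed (header lines only, with placeholder bodies), and the PKCS#8 "ENCRYPTED PRIVATE KEY" form is included because newer openssl releases write that instead of the legacy Proc-Type header.

```python
import re

# Constructed PEM fragments: headers are real, bodies are placeholders.
KEY_NODES = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...PLACEHOLDER...
-----END RSA PRIVATE KEY-----
"""

KEY_LEGACY_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

...PLACEHOLDER...
-----END RSA PRIVATE KEY-----
"""

KEY_PKCS8_ENCRYPTED = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0w...PLACEHOLDER...
-----END ENCRYPTED PRIVATE KEY-----
"""


def key_protection(pem):
    """Classify a PEM private key as 'pkcs8-encrypted', 'legacy-encrypted'
    (openssl's Proc-Type/DEK-Info headers) or 'plaintext' (what -nodes gives).
    Raises ValueError for anything that is not a private key block."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        return "pkcs8-encrypted"
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", pem, re.M):
        return "legacy-encrypted"
    if re.search(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----$", pem, re.M):
        return "plaintext"
    raise ValueError("not a PEM private key")


def legacy_cipher(pem):
    """Cipher named in the DEK-Info header of a legacy-encrypted key, or None."""
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", pem, re.M)
    return m.group(1) if m else None


def unprotected_keys(named_pems):
    """Given {filename: pem_text}, return the filenames whose key is plaintext."""
    return sorted(name for name, pem in named_pems.items()
                  if key_protection(pem) == "plaintext")


if __name__ == "__main__":
    sample = {"client1.key": KEY_NODES, "client2.key": KEY_LEGACY_ENCRYPTED,
              "client3.key": KEY_PKCS8_ENCRYPTED}
    print("unprotected:", unprotected_keys(sample))
```

Running unprotected_keys over a keys/ directory is a quick way to confirm that every client key handed out actually carries the passphrase the user thinks it has; a .p12 bundle from build-key-pkcs12 is a different container (binary, not PEM) and is normally protected by the export password entered when it is created.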
     
  52. i1135t

    i1135t Network Guru Member

    Yes, I have "Use Internal Caching DNS Forwarder" enabled. I will leave it as is, since I cache my DNS at home anyways, should my WAN DNS servers go down.

    About the password issue. I don't have a "build-key-pass.bat" file in my easy-rsa folder. Do I create this batch file? I do have a batch file called "build-key-pkcs12.bat". Reading from the README, it says:

    Code:
    Build key files in PEM format (for each client machine)
    1. vars
    2. build-key <machine-name>
       (use <machine name> for specific name within script)
    
    or
    
    Build key files in PKCS #12 format (for each client machine)
    1. vars
    2. build-key-pkcs12 <machine-name>
       (use <machine name> for specific name within script)
    So I assume the PKCS format is the password protected format?

    You're right, it's probably easier to password protect the client key rather than the server, which is easier to set up. Plus, it allows me to choose a different password per client, I hope?

    --EDIT--

    Cool, I will try removing the "-nodes" from the batch file and report back tomorrow. Thanks again!
     
  53. qq6r

    qq6r Addicted to LI Member

    The line isn't affected if I change the server router's LAN IP to 192.168.0.1.
     
  54. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are you sure you changed the router's LAN subnet? The VPN code pulls it directly out of NVRAM, using the LAN IP and netmask. Could you telnet/ssh into the router and provide the output of
    Code:
    nvram get lan_ipaddr;nvram get lan_netmask
    ?
     
  55. i1135t

    i1135t Network Guru Member

    Well, it looks like I got the password protected clients set up properly now and I finally figured out why my wireless was not reachable. I had my software firewall on and was blocking all 10.2.2.0 traffic. :) Anyways, I will fully test again tomorrow at work and repost to make sure all is well. Thanks!

    --EDIT--

    OK, looks like it's all set.. thanks a lot SgtPepper. You've been nothing but great at helping me to get this working, so I appreciate it! Now all I have to do is try to get the OpenVPN client working on my linux box, which I can probably figure out, and I should be good to go. Thanks again!!!
     
  56. qq6r

    qq6r Addicted to LI Member

    I still have a problem:
    Code:
    +---------------+                          +-------------+
    |openvpn server |                          |             |
    |   Router X    |<------- Internet ------->|  Router Y   |
    |eth0,192.168.0.1|                         | 172.18.32.1 |
    |tun0,10.8.0.1  |                          |             |
    +---------------+                          +-------------+
                                                      |                       
                                                      |                       
                                           +----------+--------+              
                                           |                   |              
                                           |                   |              
    			       +---------------+   +------------------------+
    			       |    windows    |   |   windows              |
      			       |     Host C    |   |   OpenVPN  D (Client)  |
    			       |eth0:172.18.32.8|  |   eth0: 172.18.32.26   |
    			       |               |   |   tun0: 10.8.0.6       |
    			       +---------------+   |                        |
    						   +------------------------+
    On D, I can ping router X's eth0 and tun0.
    On the OpenVPN server (router X), I can ping D's eth0 172.18.32.10 and D's tun0 10.8.0.10, but I can't ping C's eth0 172.18.32.8 (and also can't ping anything else on the same subnet as D, except D itself). How can the OpenVPN server ping the rest of the remote network?

    I have created a client-config-dir entry for the remote client, and added:
    iroute 172.18.32.0 255.255.255.0
    In the server config, I have:
    route 172.18.32.0 255.255.255.0

    the client's routing table:
    Code:
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    172.18.32.1       172.18.32.26     20
             10.8.0.0    255.255.255.0         10.8.0.5         10.8.0.6      1
             10.8.0.4  255.255.255.252         10.8.0.6         10.8.0.6     30
             10.8.0.6  255.255.255.255        127.0.0.1        127.0.0.1     30
       10.255.255.255  255.255.255.255         10.8.0.6         10.8.0.6     30
            127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
          172.18.32.0    255.255.255.0     172.18.32.26     172.18.32.26     20
         172.18.32.26  255.255.255.255        127.0.0.1        127.0.0.1     20
       172.18.255.255  255.255.255.255     172.18.32.26     172.18.32.26     20
          192.168.0.0    255.255.255.0         10.8.0.5         10.8.0.6      1
            224.0.0.0        240.0.0.0         10.8.0.6         10.8.0.6     30
            224.0.0.0        240.0.0.0     172.18.32.26     172.18.32.26     20
      255.255.255.255  255.255.255.255         10.8.0.6         10.8.0.6      1
      255.255.255.255  255.255.255.255     172.18.32.26     172.18.32.26      1
     
  57. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You either have to run an OpenVPN client on Router Y, or routing software on Computer D.

    It is up to the client computer to act as a gateway and route the traffic from one interface to another. In the case of running my firmware on Router Y, this would be handled for you. In your case, the packets are probably reaching Computer D and not getting routed anywhere. I'm not sure how to configure Windows to act as a gateway. Internet connection sharing? But, you may have to have multiple networking cards to do this.

    Btw, you could have done this part via the GUI (Advanced->Client-specific options)
     
  58. i1135t

    i1135t Network Guru Member

    Well, with the block I get at my workplace, sometimes it works and sometimes it doesn't. Not sure why? I'll investigate a little more. It probably has to do with my route statement somewhere.
     
  59. qq6r

    qq6r Addicted to LI Member

    If D's system is Linux, can it be done?
    I think there must be a way to make all traffic from C travel through D.
    I have no ideas other than making D the gateway of C and port forwarding.
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There's probably more to it, but you could try just running the following on router Y:
    Code:
    route add -net 192.168.0.0 netmask 255.255.255.0 gw 172.18.32.26
     
  61. qq6r

    qq6r Addicted to LI Member

    I installed Linux on D and appended a rule to iptables which makes D work like a gateway,
    and now I can ping C from X. Thanks for your help!
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just to help others who may want to do the same thing, could you post the exact changes you had to make?
     
  63. Mojonba

    Mojonba Network Guru Member

    What is the easiest way to configure a two-site Tomato VPN with TAP, with client-server and server-client access? I'm leaning towards TAP because I did a quick try with TUN and found it less end-user friendly, as the Windows firewall must be turned off and shares must be accessed by IP.

    Thanks.
     
  64. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've never set up a two-way site-to-site using TAP before, but you could try using the client-specific configuration as with TUN.
     
  65. qq6r

    qq6r Addicted to LI Member

    Code:
    +---------------+                          +-------------+
    |openvpn server |                          |             |
    |   Router X    |<------- Internet ------->|  Router Y   |
    |eth0,192.168.0.1|                         | 172.18.32.1 |
    |tun0,10.8.0.1  |                          |             |
    +---------------+                          +-------------+
                                                      |                       
                                                      |                       
                                           +----------+--------+              
                                           |                   |              
                                           |                   |              
    			       +---------------+   +------------------------+
    			       |    windows    |   |   linux              |
      			       |     Host C    |   |   OpenVPN  D (Client)  |
    			       |eth0:172.18.32.8|  |   eth0: 172.18.32.26   |
    			       |               |   |   tun0: 10.8.0.6       |
    			       +---------------+   |                        |
    						   +------------------------+
    In this case, X can ping D. If X wants to ping C, which does not have OpenVPN installed, the traffic must go through D. If X (10.8.0.1) tries to ping C's eth0 (172.18.32.8), when the packet arrives at D, D finds that the destination (172.18.32.8) and itself (172.18.32.26) are on the same subnet, so it sends it to C. But when C receives the packet and prepares to return a response packet, C checks the source address, 10.8.0.1; according to C's routing table, C probably sends it to its default gateway Y, and Y will drop it, because the source address 10.8.0.1 is only recognised by D. So I must make the packet sent by C return to D by changing the source address (10.8.0.1) to D's eth0 (172.18.32.26). I use iptables and append a rule to the POSTROUTING chain of the nat table:
    Code:
    target     prot opt source               destination         
    SNAT       all  --  10.0.0.0/8           0.0.0.0/0           to:172.18.32.26 
    After that I can access any machine which is on the same subnet as D. :D
     
  66. occamsrazor

    occamsrazor Network Guru Member

    Couple of feature suggestions, I've no idea how easy/hard they'd be to implement....

    1. On the VPN client pages could we have a status readout tab? Could merely show some or all of the log entries that get posted to the main router log - "Tomato daemon.notice openvpn" etc, or something similar to that on the Server Status tab.

    2. Would it be possible to have all OpenVPN log messages accessible via the Server status tab either visible directly or via a link? I know they get written to the main log but they can easily get lost there amongst other stuff. Would be nice to glance at the latest OpenVPN Server logs directly from the status page (e.g. last x lines). It could be separated for server1, server2, client1 etc... or even all lumped together in one "VPN Logs" page coming under the "VPN Tunneling" page i.e. 3 sub-pages "Server", "Client", "VPN Logs"

    3. Is there any way, or could it be implemented, to be able to have multiple client configs like you have in the Windows version of the OpenVPN GUI, selectable via a dropdown menu? I realise you can have two actual clients with the current mod, and also that you can try connecting to multiple servers in sequence as per this post (though only tried that via Windows GUI) - but I'd simply like to be able to easily change from one configuration to another for a single client tunnel. It could be by actually entering each config via the VPN Client Tab and then saving it under a dropdown-menu name... or I'd even be happy to just WinSCP the config+cert files to a specific folder, if they could be read as a dropdown menu by the Tomato VPN GUI.

    Open to your thoughts....
     
  67. occamsrazor

    occamsrazor Network Guru Member

    A VPN Client (in router) config question:

    The client config I need to reproduce is:

    @ client
    @ dev tun
    @ proto udp
    @ remote <vpnserverip> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    @ cipher bf-cbc
    @ comp-lzo
    verb 3
    mute 20
    @ ca <cafilename>
    @ key <keyfilename>
    @ cert <certfilename>

    I can see that the entries I've marked with a "@" (obviously not in actual config) are taken care of by the various options in the GUI.

    Is the "resolv-retry infinite" achieved by setting the "Connection retry" option to -1 ?

    What about the other config entries - are some of them taken care of automatically and silently, or should I add them to the custom config box?

    Many thanks...
     
  68. fyellin

    fyellin LI Guru Member

    Just FYI.

    I've added the line
    management router 7505
    to my server configuration. Now, from any computer on my LAN, I can run:
    Code:
    telnet <router IP> 7505
    help
    (returns list of commands)
    status
    (shows the status of all the connections)
    log all
    (shows all the OpenVPN log entries)
    quit
    
    More info on the management interface can be found here. Yes, it would be nice to have all this information on the VPN status page, but this is the next best thing.
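An added example, not from this thread or the Tomato mod, of parsing the status data the management interface's "status" command and the server config's status-version 2 file (the "status-version 2" / "status status" lines in the configs posted earlier) both emit. It is CSV with HEADER lines naming the columns, so the parser reads the column names instead of hard-coding positions; the exact column set varies between OpenVPN releases and the sample below is constructed for this example, with made-up addresses and byte counts. Two defender-side checks are included: common names with more than one live session (expected only when duplicate-cn is set, otherwise a sign of a copied client cert) and how long each virtual address has been idle.

```python
import csv
import io

# Constructed "status-version 2" dump in the shape the server "status" file
# and the management interface produce. All values are made up.
STATUS_V2 = """\
TITLE,OpenVPN 2.1 (constructed sample)
TIME,Tue Apr 14 18:30:00 2009,1239733800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
CLIENT_LIST,client1,10.1.1.2:2037,10.2.2.6,18432,40960,Tue Apr 14 18:16:12 2009,1239732972,UNDEF
CLIENT_LIST,client2,203.0.113.9:51022,10.2.2.10,512,2048,Tue Apr 14 18:29:01 2009,1239733741,UNDEF
CLIENT_LIST,client1,198.51.100.7:40001,10.2.2.14,128,256,Tue Apr 14 18:29:40 2009,1239733780,UNDEF
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.2.2.6,client1,10.1.1.2:2037,Tue Apr 14 18:29:55 2009,1239733795
ROUTING_TABLE,10.2.2.10,client2,203.0.113.9:51022,Tue Apr 14 18:25:00 2009,1239733500
ROUTING_TABLE,10.2.2.14,client1,198.51.100.7:40001,Tue Apr 14 18:29:58 2009,1239733798
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""


def parse_status_v2(text):
    """Return {'time': int, 'CLIENT_LIST': [dict], 'ROUTING_TABLE': [dict]}.
    Each record row is zipped with the most recent HEADER of the same kind."""
    headers = {}
    result = {"time": None, "CLIENT_LIST": [], "ROUTING_TABLE": []}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        kind = row[0]
        if kind == "TIME":
            result["time"] = int(row[2])
        elif kind == "HEADER":
            headers[row[1]] = row[2:]
        elif kind in ("CLIENT_LIST", "ROUTING_TABLE"):
            if kind not in headers:
                raise ValueError(f"{kind} row before its HEADER line")
            result[kind].append(dict(zip(headers[kind], row[1:])))
        elif kind == "END":
            break
    return result


def duplicate_common_names(text):
    """Common names with more than one live session at the same time."""
    seen = {}
    for c in parse_status_v2(text)["CLIENT_LIST"]:
        seen[c["Common Name"]] = seen.get(c["Common Name"], 0) + 1
    return sorted(cn for cn, n in seen.items() if n > 1)


def idle_seconds(text):
    """Seconds since each virtual address last sent traffic, measured against
    the TIME stamp of the same dump so the result does not depend on the clock."""
    status = parse_status_v2(text)
    return {r["Virtual Address"]: status["time"] - int(r["Last Ref (time_t)"])
            for r in status["ROUTING_TABLE"]}


def bytes_by_common_name(text):
    """Total (received, sent) per common name across all of its sessions."""
    totals = {}
    for c in parse_status_v2(text)["CLIENT_LIST"]:
        recv, sent = totals.get(c["Common Name"], (0, 0))
        totals[c["Common Name"]] = (recv + int(c["Bytes Received"]),
                                    sent + int(c["Bytes Sent"]))
    return totals


if __name__ == "__main__":
    print("duplicates:", duplicate_common_names(STATUS_V2))
    print("idle:", idle_seconds(STATUS_V2))
    print("bytes:", bytes_by_common_name(STATUS_V2))
```

The same parser works on the text returned over the telnet session fyellin describes (feed it everything between the command and the "END" line). One caveat on that setup: the management directive as posted accepts commands from any host that can reach the port, so on a LAN it is worth either binding it to 127.0.0.1 and reading it from the router itself, or using the optional third argument of the management directive, a password file, which makes the interface ask for that password before accepting commands.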
     
  69. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I appreciate the feedback, and I'll address the items one-by-one.
    For some reason, I had it in my head that the "status" directive (how I am collecting the status information for the server) was only relevant for servers, but I see now that it can be used on clients as well. I don't see any reason I couldn't add a status tab there as well. Also, I've just come to notice that I don't display the status for Static-key servers very nicely (still show the information, but not in the same user-friendly manner as with TLS). I had assumed that the files would be in the same format, but apparently that was a bad assumption.
    I don't think that the work necessary to properly parse the syslog is warranted given the very small use-case gain. The entries are already viewable in the GUI and they should be lumped together and easy to find. Plus, the only time you really need to see the logs is when debugging a new configuration - it would not add benefit long-term for the user to put them in the status tab. In the (hopefully) rare occurrence of setting up a new connection, clicking over to the logs isn't that big of a chore. The information I currently have on the status tab is useful on an ongoing basis.
    This is really three questions, so I'm going to split them up.
    As you mention, that's the real reason there are two tabs available (and I designed everything to be easily extensible to any number of tabs) for each. You can just stop one then start the other. I'd have to hear a pretty good argument to increase the total number of possible configs (by whatever means) as each adds a slew of NVRAM variables.
    That's an interesting concept, but it would be extremely difficult to capture in a GUI (if you can think of a simple way to present this, I'm all ears). How many of the options are specific to each connection or global to all of them? I think that if you reach this level of complexity in your configuration, it may be best to bypass the GUI altogether and write your configs manually.
    This would be doable, but it would gain you nothing over starting OpenVPN manually with your config. The status tab would not work, because it requires certain directives to be used in the config file and a custom config wouldn't be guaranteed to include them. And, obviously, the other tabs would no longer apply. I think this again falls into a category of use-cases where not using the GUI at all (other than entering scripts) is probably the most convenient way to go.

    Again, I appreciate the feedback, and welcome a response to any/all of my comments!
     
  70. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sure is.
    Code:
    nobind
    persist-key
    persist-tun
    verb 3
    are all silently added to the config.

    FYI: you can ssh/telnet to the router while the client is running and run
    Code:
    cat /etc/openvpn/client1/config.ovpn
    to see exactly what config is generated.
     
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I considered using the management interface for the status tab, but decided it was massive overkill when I just had to make a minor modification to OpenVPN to make it semi-interactive.

    I do agree, though, that it is a very useful tool. And, you can do more active things as well such as killing a client connection.
     
  72. occamsrazor

    occamsrazor Network Guru Member

    You make good points... As a user of course it's easy to say "wouldn't that be nice" without realising what would be required behind the scenes.

    Re: the status tab for Clients, like the one for the Servers - that would be great if it could be added with not too much work.

    Re: Providing the logs in the status tab, yes, I guess it would be a fairly lowly-used feature, it's not a big deal.

    Re: the multiple-configs via dropdown menu... Perhaps I should give an example scenario: You have 5 servers you may want to connect to (not Tomato routers), each can be accessible via UDP 1194, or TCP 443, and each can use normal encryption or AES encryption.
    I'd like to be able to create multiple configs so I could have a dropdown menu along the lines of:

    Server1/UDP
    Server1/TCP
    Server1/UDP/AES
    Server2/UDP
    Server2/TCP
    Server2/UDP/AES
    Server3/UDP
    etc

    ...and I could choose one manually via the GUI before hitting "Start now". Although the background work appears more complicated than I'd thought....
     
  73. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Seems very doable. Most of the work was put into place for the server status and just needs to be adapted to get it to work for the client as well. Just, for some odd reason, it didn't dawn on me before to do it for the clients, too (I suppose my main thought was just to see what clients were connected).
    That would essentially be the same as having a separate tab for each along with the associated NVRAM variables. All the backend infrastructure (mostly NVRAM) would have to be in place for all configurations, whether they're tabs or drop-downs...and I already feel greedy due to the large number of NVRAM variables the GUI uses.
     
  74. fyellin

    fyellin LI Guru Member

    I didn't mean to imply that you should have done it this way. Yes, it's massive overkill for the information that OpenVPN needs to provide. And I agree that simpler is better.

    I just wanted to point out to OccamsRazor that the information he wanted was easily available to the power user.

    3.0001 is running with no problems.
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, I understood you correctly. I just meant to throw in an endorsement of the management interface in agreement with you, with a side note that I looked into using it for an interactive management GUI interface. Kind of came out the other way around, though... :blush:
     
  76. occamsrazor

    occamsrazor Network Guru Member

    SgtPepper.. please have a look at this thread, as I think it might have something to do with OpenVPN Client:

    http://www.linksysinfo.org/forums/showthread.php?t=61640

    You'll see I managed to unbrick my router. I changed back to your (latest version) mod from Thor's mod, and re-entered the VPN Client info... and bricked it again at exactly the same point. Fortunately now unbricked a second time.

    Where it's going wrong is this:

    I enter the info for Client1 - which is basically this setup:

    http://www.linksysinfo.org/forums/showpost.php?p=344377&postcount=767

    done via the GUI. There's nothing in custom config. Connection retry is set to the default 30. Then save it. All fine.

    Then I go to enter all the same information in Client2, except for a different server address, and save it. It says it saves.

    Shortly after, when I go somewhere else and come back to Client2, I notice the "Connection retry" has changed itself to zero. The Encryption cipher may also have changed from the one I set it to, to "Default". When I enter 30 again and hit save I get the following browser pop-up warning, "Invalid IP Address", and it keeps doing that no matter what I enter.

    The Tomato GUI is still accessible at this stage, but if I reboot the router becomes semi-bricked requiring a TFTP-flashing.

    Weird huh?

    I can't see any OpenVPN log entries (which makes sense as neither server nor clients are set to automatic start). I do however see a whole bunch of these:

    Code:
    Jan  1 02:00:16 Tomato user.notice kernel: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0005001c: 0xc581 instead
    Jan  1 02:00:16 Tomato user.notice kernel: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00050020: 0xe62c instead
    Jan  1 02:00:16 Tomato user.notice kernel: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00050024: 0xcad5 instead
    Jan  1 02:00:16 Tomato user.notice kernel: Further such events for this erase block will not be printed
    Jan  1 02:00:16 Tomato user.warn kernel: Old JFFS2 bitmask found at 0x00052d4c
    Jan  1 02:00:16 Tomato user.warn kernel: You cannot use older JFFS2 filesystems with newer kernels
    Jan  1 02:00:16 Tomato user.warn kernel: Old JFFS2 bitmask found at 0x0005d33c
    Jan  1 02:00:16 Tomato user.warn kernel: You cannot use ol
    Jan  1 02:00:16 Tomato user.info kernel: der JFFS2 filesystems with newer kernels
    Jan  1 02:00:16 Tomato user.warn kernel: Old JFFS2 bitmask found at 0x0005d784
    Jan  1 02:00:16 Tomato user.warn kernel: You cannot use older JFFS2 filesystems with newer kernels
    Jan  1 02:00:16 Tomato user.notice kernel: JFFS2: Erase block at 0x00050000 is not formatted. It will be erased
    Jan  1 02:00:16 Tomato user.notice kernel: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060000: 0x7323 instead
    Jan  1 02:00:16 Tomato user.notice kernel: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060004: 0xfa45 instead
    Jan  1 02:00:16 Tomato user.notice kernel: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00060008: 0x7d4b instead
    
    I did do an erase NVRAM then restored to a known good router config. It seems weird that it bricked at exactly the same point in using the OpenVPN GUI each time, on the other hand I'm wondering if I've got some kind of flash hardware problem or suchlike.

    It's all rather strange...
     
  77. occamsrazor

    occamsrazor Network Guru Member

    Great! Look forward to it...

    I see, fair enough. I can see how that would take up a lot of resources... Could it not be possible to store all the configs as Windows-VPN-style text files on JFFS, and they are only loaded when they are needed? Or doesn't it work like that? Anyway, it seems I'm likely the only one who'd find use :) so you're probably better spending your time on other things...
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sounds to me like everything is centering around corrupted NVRAM. Probably happened when you put in all your certificates in Thor's build. There probably isn't enough room with his build, and the NVRAM system must not be smart enough to not screw things up when there isn't enough room.

    I would suggest you do a thorough NVRAM clear and NOT restore an nvram file. Then, try those steps again (not on Thor's mod, of course). If things work as expected, you're probably okay and you can reconfigure the rest of your router (by hand). If it still has a problem, it may have corrupted something that doesn't get cleared in a NVRAM thorough clear. Let's hope that's not the case - if it is, I'm not sure what will be needed to restore things.
     
  79. baldrickturnip

    baldrickturnip LI Guru Member

    Has anyone formed rules in the QoS to give VPN traffic Highest Priority?

    Can it be done on the router running the server, or is the VPN in front of the QoS control?

    I ask as I am doing a lot of remote desktop (VNC) work via VPN and it sometimes lags and hangs, and I was wondering what thoughts people have about QoS and VPN traffic.
     
  80. occamsrazor

    occamsrazor Network Guru Member

    I just created a rule giving high priority to Port 1194, the port I use for VPN. Or you could give priority based on the LAN IP address of the VPN client (give it a static address)
     
  81. martinqiu

    martinqiu Addicted to LI Member

    I used 1.23vpn3001 and have a TAP/TCP/Static key setup. It works well, except that it seems the code

    causes the VPN to be closed (TCP closed) if the VPN has already connected before. Why?

    Sorry for my poor English.
     
  82. fyellin

    fyellin LI Guru Member

    You want to use restart instead of start. This starts the VPN server only if it isn't already running currently.
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That command certainly shouldn't cause dropped connections. I just tested it and the only thing that happens when it is triggered is a "VPN Server 1 already running..." message being printed to the syslog.

    Can you expand more on what kind of problem you are seeing?
     
  84. martinqiu

    martinqiu Addicted to LI Member

    Normally, my router is "Listening for incoming TCP connection on [undef]:1863" and it does print the message "VPN Server 1 already running..." if there is no client-server connection. I just found in the syslog yesterday that it seems to have dropped the TCP-client to TCP-server connection every 30 minutes after the above message.

    Because the TCP-client computer is in the UK, I will ask my friend later what the situation was yesterday. I don't think he closed the connection actively every 30 minutes and then made the connection again; maybe it is something wrong with my VPN setup. I'll check again.

    Thank you for your reply.
     
  85. martinqiu

    martinqiu Addicted to LI Member

    Thank you. I'll try it.
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You have it backwards. start only starts it if it isn't already running. restart always stops it and restarts it.

    Why don't you try going without that cru command and see what happens. If the dropped connections still occur, you'll know it's something else. Several people have seen periodic connection restarts if no data is going across the tunnel. We have not been able to get to the bottom of why it is happening yet. However, it only seems to happen when the tunnel isn't actively being used, and it always immediately reconnects so other than extra entries in the syslog, it shouldn't be noticeable.

    Can you post the entries in the syslog that occur periodically?
     
  87. martinqiu

    martinqiu Addicted to LI Member

    Yes, it is the same as I thought, and I have tried going without that cru command for more than 6 hours till now; the router works very well! Thanks for your great Tomato mod. Considering the net delay between the UK and China, with so much Internet equipment in between, I guess maybe the cru command causes some other delay? There is "keepalive 15 60" on both sides (your VPN GUI and my client setup) now. Do you think I should make another test with "keepalive 15 120"? How do I change it in your VPN GUI?

    Thank you again.
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The cru command doesn't do anything unless the server is not running. I think your connection restarts were completely unrelated to the cru command. If you see them again, post the entries that show up in the syslog. If it is the same as what others have seen, it will only happen if you aren't sending data over the tunnel.
    If you want to change the keepalive timeouts, you can just add that line to the Custom Configuration section in the GUI.
     
  89. baldrickturnip

    baldrickturnip LI Guru Member

    1194 is the default port for the server to listen on - but does it then negotiate another port to use for the tunnel ? if so , how do you prioritise that ?
     
  90. djanny

    djanny Addicted to LI Member

    Hi.
    I try to connect to the VPN; it seems to have connected, but then I get this error:

    Fri Apr 24 13:21:10 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Fri Apr 24 13:21:10 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Fri Apr 24 13:21:10 2009 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Fri Apr 24 13:21:10 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Apr 24 13:21:10 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Apr 24 13:21:10 2009 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Fri Apr 24 13:21:10 2009 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
    Fri Apr 24 13:21:10 2009 Local Options hash (VER=V4): 'e1cabb67'
    Fri Apr 24 13:21:10 2009 Expected Remote Options hash (VER=V4): 'f78928cd'
    Fri Apr 24 13:21:10 2009 UDPv4 link local: [undef]
    Fri Apr 24 13:21:10 2009 UDPv4 link remote: 89.212.xxx.xx:1193
    Fri Apr 24 13:21:10 2009 TLS: Initial packet from 89.212.xxx.xx:1193, sid=f5abea64 492a2e0a
    Fri Apr 24 13:21:11 2009 VERIFY OK: depth=1, /C=si/ST=si/L=ljubljana/O=dl/OU=it/CN=dl/emailAddress=janbocko@gmail.com
    Fri Apr 24 13:21:11 2009 VERIFY OK: nsCertType=SERVER
    Fri Apr 24 13:21:11 2009 VERIFY OK: depth=0, /C=si/ST=si/O=dl/OU=it/CN=dl/emailAddress=janbocko@gmail.com
    Fri Apr 24 13:21:12 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Apr 24 13:21:12 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Apr 24 13:21:12 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Fri Apr 24 13:21:12 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Fri Apr 24 13:21:12 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Fri Apr 24 13:21:12 2009 [dl] Peer Connection Initiated with 89.212.xxx.xx:1193
    Fri Apr 24 13:21:13 2009 SENT CONTROL [dl]: 'PUSH_REQUEST' (status=1)
    Fri Apr 24 13:21:13 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.1,ping 15,ping-restart 60,ifconfig 192.168.1.142 255.255.255.0'
    Fri Apr 24 13:21:13 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Apr 24 13:21:13 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Fri Apr 24 13:21:13 2009 OPTIONS IMPORT: route options modified
    Fri Apr 24 13:21:13 2009 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
    Fri Apr 24 13:21:13 2009 There is a problem in your selection of --ifconfig endpoints [local=192.168.1.142, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
    Fri Apr 24 13:21:13 2009 Exiting


    My settings in client1.ovpn are:
    dev tun
    proto udp
    dev-node openvpn
    remote 89.212.xxx.xx 1193
    tls-client
    keepalive 15 120
    verb 3
    status openvpn-status.log
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key
    ns-cert-type server
    key-method 2
    auth SHA1
    cipher BF-CBC
    pull
    nobind

    What did I do wrong?

    Thanks for the help
     
  91. djanny

    djanny Addicted to LI Member

    OK, now I've come around this issue. But when I'm connected through the VPN I cannot access the internet through the router's external IP, and cannot ping or access any of my internal network. It's not an IP issue, since my external IP is 89.212.xxx.xxx and internal is 192.168.1.145. The only issue I can see is that I have a subnet mask of 255.255.255.252. And I still don't know why I had to incorporate two IPs in the ifconfig line (I don't really know what it means). On my router I can see that I'm present, but my computer doesn't get a default gateway IP. Below is my .ovpn file if it helps:

    dev tun
    ifconfig 192.168.1.145 192.168.1.146
    proto udp
    #dev-node MyTAP
    remote 89.212.xxx.xx 1193
    tls-client
    keepalive 15 120
    verb 3
    status openvpn-status.log
    ca ca.crt
    cert client-jan.crt
    key client-jan.key
    tls-auth ta.key
    ns-cert-type server
    key-method 2
    auth SHA1
    cipher BF-CBC
    pull
    nobind
    comp-lzo
    explicit-exit-notify 3
    replay-window 60 15

    Please help me with this issue.

    Thanks in advance
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You shouldn't need that ifconfig line in the config file. It's likely masking your problem, not fixing it. Your problem appears on the surface to be either
    • The server is configured to use TAP, but the client is configured to use TUN.
    • You are using an OpenVPN client version that is 2½ years old. Please upgrade to 2.1rc15.
    • Both of the above
    If you are unable to fix the problem based on that, please ssh/telnet to the router and provide the output of
    Code:
    cat /etc/openvpn/server1/config.ovpn
     
  93. fyellin

    fyellin LI Guru Member

    Look at the last five lines of your error message. You seem to still have a bad ifconfig message of some sort on the server that is being "pushed" to the client. The client doesn't know what to do with the TAP ifconfig since it's running TUN.

    The error messages are surprisingly good in this case.
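    Added example, not from the thread or from OpenVPN itself: a Python reimplementation of the two checks the client log above reports, run against the ifconfig the server pushed in the log and the address pair djanny later used. The PUSH_REPLY strings are reconstructed from the log lines; the netmask test is a simplification of OpenVPN's own.

```python
import ipaddress

# PUSH_REPLY lines reconstructed from the posts above: the first carries the
# TAP-style ifconfig the server pushed, the second the pair a tun client accepts.
PUSHED_TAP_STYLE = ("PUSH_REPLY,route-gateway 192.168.1.1,ping 15,ping-restart 60,"
                    "ifconfig 192.168.1.142 255.255.255.0")
PUSHED_TUN_STYLE = ("PUSH_REPLY,route-gateway 192.168.1.1,ping 15,ping-restart 60,"
                    "ifconfig 192.168.1.145 192.168.1.146")


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into {option: argument string}."""
    if not msg.startswith("PUSH_REPLY,"):
        raise ValueError("not a PUSH_REPLY message")
    opts = {}
    for item in msg.split(",")[1:]:
        name, _, args = item.strip().partition(" ")
        opts[name] = args
    return opts


def looks_like_netmask(addr):
    """True for dotted quads whose set bits are contiguous from the top
    (255.255.255.0, 255.255.255.252, ...): the test behind the log's WARNING."""
    n = int(ipaddress.IPv4Address(addr))
    inverted = ~n & 0xFFFFFFFF
    return n != 0 and inverted & (inverted + 1) == 0


def valid_tun_pair_win32(local, remote):
    """The /30 rule the log quotes: both endpoints must lie in one
    255.255.255.252 block and be its two usable hosts (.1/.2, .5/.6, ...)."""
    lo, hi = int(ipaddress.IPv4Address(local)), int(ipaddress.IPv4Address(remote))
    return (lo >> 2) == (hi >> 2) and {lo & 3, hi & 3} == {1, 2}


def check_pushed_ifconfig(push_reply, dev):
    """Return the complaints a client running --dev `dev` would raise about the
    pushed ifconfig; an empty list means the options would be accepted."""
    opts = parse_push_reply(push_reply)
    if "ifconfig" not in opts:
        return []
    local, second = opts["ifconfig"].split()
    problems = []
    if dev == "tun":
        # tun: the second argument is the peer's address, never a netmask
        if looks_like_netmask(second):
            problems.append(f"second ifconfig argument {second} looks like a netmask; "
                            "the server side is probably configured for tap")
        if not valid_tun_pair_win32(local, second):
            problems.append(f"{local} and {second} are not the two hosts of one "
                            "255.255.255.252 subnet (TAP-Win32 tun limitation)")
    elif dev == "tap":
        # tap: the second argument is the netmask of the bridged subnet
        if not looks_like_netmask(second):
            problems.append(f"second ifconfig argument {second} is not a netmask")
    else:
        raise ValueError("dev must be 'tun' or 'tap'")
    return problems
```

    The same pushed line passes for a tap client and fails twice for a tun client, which is the mismatch fyellin describes.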
     
  94. niet

    niet Addicted to LI Member

    I've been trying to get my tomato router to act as an OpenVPN client and route all traffic passing through it to the vpn for half a day now but I can't seem to get it to work.
    If anyone would have a spare minute to help me, I'd be most grateful.

    My network is set up like this.
    isp->ethernet->router1 (192.168.0.1)->ethernet->tomato router (wan ip 192.168.0.100, lan ip 192.168.1.250)
    I can reach the internet successfully through the tomato router and have configured the openvpn client on it to be able to connect to my vpn provider successfully (if I read the logs correctly, but at least I can connect to it and stay connected.)

    My current routing table looks like this:
    Destination   Gateway       Subnet Mask     Metric  Interface
    192.168.1.0   *             255.255.255.0   0       br0 (LAN)
    192.168.0.0   *             255.255.255.0   0       vlan1 (WAN)
    127.0.0.0     *             255.0.0.0       0       lo
    default       192.168.0.1   0.0.0.0         0       vlan1 (WAN)
    (And "Create NAT on tunnel" is enabled, perhaps that is of interest.)

    And I've been trying to add different commands to the "custom configuration" box, such as:
    "route-gateway 192.168.1.250
    redirect-gateway"
    Which to me would seem to be able to do the trick, but apparently not.
    If I understand correctly the "redirect-gateway" option is somewhat of a key to the problem, or doing some changes to the routing table and firewall, but I've been reading around and just can't figure out how to really use it.
    Best regards,
     
  95. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You're correct that redirect-gateway is the key. However, the route-gateway needs to have the IP address of the gateway on the server side of the tunnel.
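    Added example (not from the thread): a Python simulation of niet's routing table, showing why a route-gateway on the local LAN cannot work and which routes redirect-gateway installs so that everything except the VPN server's own packets goes through the tunnel. The VPN endpoint, tunnel network, server-side gateway and tun interface name are assumed values; the def1 variant is OpenVPN's own second form of redirect-gateway, which the post does not mention.

```python
import ipaddress

# niet's routing table from the post above as (network, gateway, interface);
# gateway None means directly connected.
ORIGINAL_TABLE = [
    ("192.168.1.0/24", None,          "br0"),
    ("192.168.0.0/24", None,          "vlan1"),
    ("127.0.0.0/8",    None,          "lo"),
    ("0.0.0.0/0",      "192.168.0.1", "vlan1"),
]

# Assumed values, not in the post: the provider's public VPN endpoint, the
# tunnel network OpenVPN configures, the server-side tunnel gateway that
# route-gateway must name, and the tunnel interface name.
VPN_SERVER = "203.0.113.10"
TUNNEL_NET = "10.8.0.0/24"
TUNNEL_GW = "10.8.0.1"
TUN_IF = "tun0"


def lookup(table, dst):
    """Longest-prefix match; returns (gateway, interface) or None."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in table:
        net = ipaddress.IPv4Network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def route_gateway_problem(table, route_gateway):
    """Explain why a route-gateway value cannot work, or None if it might.

    The value niet tried (the router's own LAN address) lies in a directly
    connected network, so packets sent to it would never enter the tunnel."""
    rg = ipaddress.IPv4Address(route_gateway)
    for net, gw, iface in table:
        if gw is None and rg in ipaddress.IPv4Network(net):
            return f"{route_gateway} is on local network {net} ({iface}), not the server side"
    return None


def apply_redirect_gateway(table, vpn_server, route_gateway, def1=True):
    """Return the table after OpenVPN's redirect-gateway has been applied.

    A host route keeps the encrypted packets to the VPN server on the old
    default gateway, the tunnel network becomes directly connected, and then
    either two /1 routes override the default (def1) or the default route is
    replaced outright."""
    problem = route_gateway_problem(table, route_gateway)
    if problem:
        raise ValueError(problem)
    old_gw, old_if = lookup(table, vpn_server)
    new = [r for r in table if def1 or r[0] != "0.0.0.0/0"]
    new.append((f"{vpn_server}/32", old_gw, old_if))
    new.append((TUNNEL_NET, None, TUN_IF))
    if def1:
        new.append(("0.0.0.0/1", route_gateway, TUN_IF))
        new.append(("128.0.0.0/1", route_gateway, TUN_IF))
    else:
        new.append(("0.0.0.0/0", route_gateway, TUN_IF))
    return new
```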
     
  96. niet

    niet Addicted to LI Member

    I've gotten it to work now, a huge amount of thanks to you SgtPepperKSU, both for the help and your work with the vpn build!
     
  97. x-demon

    x-demon Addicted to LI Member

    About OpenVPN...
    TS, can you add an auth-user-pass mechanism to your mod?
    You can see it on the alonweb.com VPN service - it uses a username/password and server certificate only. I can do it only if I enable jffs. It would be better if I could configure it from the client's web interface.
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can use the Custom Config section.
     
  99. x-demon

    x-demon Addicted to LI Member

    I need to specify a file for auth, for example
    auth-user-pass /jffs/up.txt

    up.txt for example:
    login
    pass

    Is it possible to do it without jffs?
     
  100. superchc

    superchc Addicted to LI Member

    Would you mind adding the snmp function to the firmware? I have tried to compile your code with the snmp binary file. It seems OK, but after one day lots of problems were found and I can't access the web interface anymore.

    Would you mind simply adding the binary file to your build? No GUI is needed. If you have a GUI, it will be perfect!

    You can get the binary here:
    http://bok.xs4all.nl/downloads/snmpd.zip

    I am using ND. Thank you in advance
     