
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can generate the file in your init script if you don't want to use JFFS or CIFS:
    Code:
    echo "login
    pass" > /tmp/auth.txt
    I'll consider adding simple user/password authorization to the GUI in the future. But, no promises or timeline.
     
  2. dvd-guy

    dvd-guy Guest

    For some reason, I can't connect through UDP, but TCP works fine?

    Also, once I connect, I can browse the internet on my client. I can reach the router, but I think I'm missing an option to redirect traffic?
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If TCP works and UDP doesn't, I think the only possible causes are: a) it's getting blocked somewhere along the way, or b) the connection isn't reliable somewhere along the way (TCP has built in protection/correction for this).

    To redirect internet-bound traffic over the tunnel, add
    Code:
    redirect-gateway def1
    to your client configuration.
     
  4. dvd-guy

    dvd-guy Guest

    I get this error when specifying redirect-gateway:
    NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, also add
    Code:
    route-gateway 192.168.1.1
    (replace with LAN ip of vpn server router).
     
  6. baldrickturnip

    baldrickturnip LI Guru Member

    I have a 54GL tom+openvpn running as server and "client to client" in the custom

    Can I configure the server so only 1 client is "client to client" and the others are not? I want another 54GL that is running an OpenVPN client and has a network on its LAN to be "client to client", but I do not want other machines that connect to the server to be "client to client".
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Directly? Yes. Just don't check the "push" checkbox next to the other clients. Clients are only instructed how to access other clients that have this checked.

    Does this seal off the other client LANs from a security standpoint? No. If somebody on a connected client knew the subnet of another connected client, he could manually add it to his routing table to send the traffic over the tunnel. But, if they don't do this, they won't have access to the other LANs.

    I just reread your post, and I have a clarification to make. If these other clients are also routers (or otherwise have a LAN behind them), then what I said applies. If they are individual machines, then once you check "client-to-client", all clients can access each other with their tunnel IPs (this goes for the actual routers that are connected, too - not the computers connected to them).

    I guess one way you could accomplish what you want is to run two servers. One that only the routers that you want to share connect to, and another that you won't choose "client-to-client" on. The shared LAN (if they know the addresses and manually add routes) and your server LAN will be able to access all the other clients, but they won't be able to access each other. Quite a bit more complicated, I know, but unfortunately "client-to-client" is just an all-on/all-off switch.
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1.23vpn3.2

    For those that don't follow the blog, TomatoVPN 1.23vpn3.2 is ready for downloading.

    The biggest changes are a status tab for clients, the server status tab displays static-key server statistics better, and there is a GUI option to allow the server to accept DNS requests.

    Side-note: It seems there were approximately a dozen downloads of 1.23vpn3.2 for a build (several hours before the release announcement) that had a minor bug that causes a minor Javascript error when settings are changed while the server is running (you should still be able to make/change the settings, though). If you're one of these people, you should re-download.
     
  9. baldrickturnip

    baldrickturnip LI Guru Member

    I have just put 3.2 on a 54GL.

    On the VPN basic page there is VPN subnet/netmask.

    Is that to assign an IP to the VPN server interface?

    Previously it took the IP of the bridge and you either assigned a pool for the clients or let a DHCP server assign.

    What happens now?


    :D - whoops

    The default install has the type set to TUN :)
    Changing the server to TAP has fixed my stupidity this time.

    Though I notice that when using the DHCP server option the assigned IP does not show up in the connected bubble on XP as the IP pool option would do.
     
  10. CypherBit

    CypherBit Network Guru Member

  11. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Can you upload your release to fs2you or rapidshare site?
    BTW, I'm running dual wan MOD on 8230 MOD(8M flash, 128M ram). And I really want to turn to your MOD^_^(your MOD works great on my WHR2-G54).
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep, I changed a couple of the defaults in this version (this and compression is now "adaptive").
    Interesting, it must be a timing thing on when it gets the address. That's all internal to OpenVPN, though, so I can't say for sure.
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just follow the instructions in that link to actually revoke the certificate (on a computer with OpenVPN installed), then place the .pem file on the router via JFFS or CIFS and add
    Code:
    crl-verify /path/to/pem-file
    in the VPN server Custom Config box.

    I've never done this, but I don't see any reason it wouldn't work.
     
  14. fyellin

    fyellin LI Guru Member

    How many users do you have?

    If you only have two or three users, it may be faster to just create a new CA and new certificates for the good users and the server, rather than revoke the certificates of the bad users.

    Of course, as SgtPepperKSU points out, certificate revocation is supposed to work. You'll probably want to create an extra certificate--for the sole purpose of revoking it--just to make sure it works the way you think it does.
     
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Is the new download location also blocked where you are? If you haven't tried it, I'm no longer placing the downloads on mediafire.

    But, in case you can't get to the new site, either, here's a mirror. However, I strongly suggest people use the main download link.
     
  16. CypherBit

    CypherBit Network Guru Member

    Works just as you said. I placed the pem-file in /tmp/etc/ through WinSCP and made the appropriate change, the logs show:

    Code:
    CRL CHECK FAILED CN=test/Email=test@test.com is REVOKED
    This was done more as a test, just in case I need to do it down the line, thank you.
     
  17. dvd-guy

    dvd-guy Guest

    How can I verify all my traffic is actually going through the VPN? I went to check my IP and it's still the host network, not my VPN's IP address.

    Okay, I changed to TAP from TUN, and now I get
    Warning: route gateway is not reachable on any active network adapters:
    Route addition via IPAPI failed

    but it still seems to connect? Any way to correct this error?
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That seems like a good way to do a basic check. Doing that, the IP address shown should be the WAN IP of the vpn server if you've configured it to use the VPN for all internet traffic.

    What steps have you taken to make the internet traffic use the tunnel? Could you provide the routing table from the client?
     
  19. dvd-guy

    dvd-guy Guest

    I keep getting this at the end of my client log status:
    Mon May 04 13:29:51 2009 Successful ARP Flush on interface [3] {D9DBAB51-1B67-455A-8DE9-F4AEB0695942}
    Mon May 04 13:29:51 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:29:51 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:29:51 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:29:51 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:29:52 2009 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
    Mon May 04 13:29:52 2009 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway

    I have this in my server config:
    route-gateway 192.168.1.1
    push "redirect-gateway"

    I noticed these errors too:
    Mon May 04 13:50:30 2009 RESOLVE: Cannot resolve host address: dhcp: [HOST_NOT_FOUND] The specified host is unknown.
    Mon May 04 13:50:30 2009 OpenVPN ROUTE: failed to parse/resolve default gateway: dhcp

    This might be conflicting with my route-gateway directive. Any way to disable that?
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The route-gateway needs to be pushed just like the redirect-gateway
    Code:
    push "route-gateway 192.168.1.1"
    That or it needs to be placed in the client config.
     
  21. dvd-guy

    dvd-guy Guest

    I tried changing that too. From the log, it seems when I enable TAP, the push "route-gateway 192.168.1.1" is automatic, so I don't need to set it again.

    So I disabled DHCP, and changed my custom config to just push "redirect-gateway def1". At the end of my client log, I get this:

    Mon May 04 13:57:16 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:16 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:17 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:17 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:18 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:18 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:19 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:19 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:21 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:21 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:22 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:22 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:23 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:23 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:24 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:24 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:25 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:25 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:26 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:26 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:27 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:27 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:28 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:28 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:29 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:29 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:30 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:30 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:31 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:31 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:32 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:32 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:33 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:33 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:34 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:34 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:36 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:36 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:37 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:37 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:38 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:38 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:39 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:39 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:41 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:41 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:42 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:42 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:43 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:43 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:44 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:44 2009 Route: Waiting for TUN/TAP interface to come up...
    Mon May 04 13:57:45 2009 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
    Mon May 04 13:57:45 2009 route ADD 67.212.20.206 MASK 255.255.255.255 192.168.1.1
    Mon May 04 13:57:45 2009 Route addition via IPAPI succeeded
    Mon May 04 13:57:45 2009 route ADD 0.0.0.0 MASK 128.0.0.0 192.168.1.1
    Mon May 04 13:57:45 2009 Route addition via IPAPI succeeded
    Mon May 04 13:57:45 2009 route ADD 128.0.0.0 MASK 128.0.0.0 192.168.1.1
    Mon May 04 13:57:45 2009 Route addition via IPAPI succeeded
    Mon May 04 13:57:45 2009 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    And you have a TAP device created/enabled on your windows client? Did you check the things mentioned in the link from the error message?

    The routes to send traffic over the tunnel are added correctly, so it seems your issue is some kind of setup issue on your Windows client.
     
  23. dvd-guy

    dvd-guy Guest

    I created the TAP adapter using OpenVPN GUI for Windows. It was part of the installation. I've also tried removing/reinstalling the driver. It seems to be a problem with the Windows client not picking up the IP address from the router.
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What leads you to that conclusion? Also, what version of OpenVPN client are you using (sorry if I've asked you this sometime in the past; I help a lot of people and can't always keep them straight)?
     
  25. dvd-guy

    dvd-guy Guest

    It's OpenVPN 2.0.9 from the Windows OpenVPN 1.0.3 stable package. Maybe I should upgrade...
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yeah, I would definitely try that before spending any more time debugging. 2.0.9 is quite old, and the server is 2.1rc15.
     
  27. CypherBit

    CypherBit Network Guru Member

    I'm using 2.1rc15 clients and the WAN IP the clients get is not that of the server. I've verified using whatismyip.org . Can someone point me in the right direction as to which steps need to be taken on the server and client side. Perhaps documentation that elaborates on:
    I'm using TAP.
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just add
    Code:
    redirect-gateway def1
    to your client config.
     
  29. CypherBit

    CypherBit Network Guru Member

    SgtPepperKSU, thank you so much, the WAN IP has changed now. I also added
    Code:
    push "dhcp-option DNS 192.168.1.1"
    DNS just didn't resolve without it (it also didn't work if I just entered my ISP's DNS servers).

    My reason for this is because I'm having problems sending e-mails using Outlook through my ISP's SMTP (haven't been successful with using gmail ones) servers while traveling abroad. Hopefully this will solve my problem?
     
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, it should fix that problem. Many ISPs limit the use of the SMTP server to computers on their network to limit spam. Now you can be "on their network" no matter where you are.
     
  31. CypherBit

    CypherBit Network Guru Member

    Great, hopefully I'll be able to test this soon.

    Another quick question. I'm thinking of buying another WRT-54GL and putting on this firmware, take it to my GF's house and configure her subnet through DHCP to 10.0.0.1/24 (mine is 192.168.1.1/24). I'd then configure the OpenVPN Client part of her router so she can access my OpenVPN server and plug the cheapest NAS I can find to her router and backup my most important data to her over the night.

    Will this kind of setup allow for browsing shares both on her network and mine...will it basically create "one network" where I'll be able to backup on a regular basis? If not I'd appreciate if you could point me in the right direction, browsing through this long thread is quite a challenge.
     
  32. dvd-guy

    dvd-guy Guest

    I got TUN working, somehow. Maybe it was the upgraded client. My server config looks like this for anyone interested:

    push "redirect-gateway def1"
    push "dhcp-option DNS 192.168.1.1"
    push "dhcp-option WINS 192.168.1.1"

    I think the last option helped with name resolution on Windows, since before it, I couldn't resolve anything properly.
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You will not be able to browse in network neighborhood, but you can type in the ip address manually (\\<address>\<sharename>) and access the Windows shares.

    Your situation is exactly why I developed this firmware: to link two LANs together for off-site back-up.
     
  34. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! I had a feeling that would help. And, I assume you had to enable the new DNS checkbox on the Advanced tab, right?
     
  35. gawd0wns

    gawd0wns LI Guru Member

    My 2 cents about the situation:

    You could always set up an ftp server on the NAS, every NAS I have seen has an ftp server of some sort. If you are feeling a little ambitious, you could install an http server with some sort of upload script (something I am trying to get working).

    You didn't mention if you have a NAS at home, or if you will be running shares off of your pc, but you can easily do the same on your end and stop worrying about netbios ;).

    I tend to stay away from netbios. In my experience, sometimes it works, and sometimes it doesn't... You can't prioritize your downloads, and a lot of other little things.

    Ftp servers and clients are highly configurable and free. You could bookmark the site on each end if you choose to use your web browser, as well as download, and browse without waiting a century for thumbnails to load! You can even upload with IE, not sure if firefox can.

    I'll just end my rant here :)
     
  36. i1135t

    i1135t Network Guru Member

    Don't you need a WINS server at the VPN server location for this option to be effective? Just wondering...
     
  37. dvd-guy

    dvd-guy Guest

    Any reason why I see this all over my logs?
    client1/192.168.1.140:2084 MULTI: bad source address from client [192.168.1.140], packet dropped
     
  38. gawd0wns

    gawd0wns LI Guru Member

    When you are connecting to a VPN server, the LAN subnets on both ends have to be different, they cannot be the same.

    Edit:

    Example: Your router is acting as a VPN server and has a LAN subnet 192.168.1.*, with the ip address of 192.168.1.1.

    Any client which connects to the VPN server has to have a different local subnet, like 192.168.199.*
     
  39. CypherBit

    CypherBit Network Guru Member

    That's fine, I'd just backup the data.

    I assume this is directed to my issue. I found an old WRT54GS laying around so all I'm missing is a NAS for location2. I don't have a NAS at location1, just shares.
    I have considered FTP, but it's highly insecure. I don't want to deal with FreeNAS or anything similar, I want the machine to be as cheap as possible, extremely quiet and consume small amounts of power. NSLU2 frequently comes up, but it doesn't feel like the way to go.
     
  40. dvd-guy

    dvd-guy Guest

    I still get this when my IP is 129.x.x.x
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If this is showing up doing a site-to-site, have you
    • set up the client-specific options section on the server router, or
    • selected the NAT checkbox on the client router?
    If this is showing up with individual clients
    • The OS on the client is screwing up and saying packets are from the client's LAN IP rather than from the client's tunnel IP
    • This can also be fixed by using the client-specific options section on the router
     
  42. dvd-guy

    dvd-guy Guest

    This is for an individual Windows client. What options can I play with on the router?
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Advanced->Manage Client-specific options.
    Enter the client's CommonName from the certificate you generated for it, for the subnet put in the IP address that's showing up in your logs, and for netmask put in 255.255.255.255 (or if it won't be the same address every time, put the real subnet/netmask for the client LAN).

    That will teach OpenVPN that that address is on the other end of the tunnel so it can route things correctly.

    And, that is for TLS (recommended). If you're using static-key, place
    Code:
    route <ipaddress> 255.255.255.255
    iroute <ipaddress> 255.255.255.255
    in the server Custom Configuration section.
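    The "MULTI: bad source address" message above has two different causes in this thread (overlapping LAN subnets, or a client sending from its LAN address instead of its tunnel address), and the fix differs. Here is an added Python script, not from the thread or from TomatoVPN, that parses server log lines of that form and classifies each client/address pair; the log lines, client names and the server LAN 192.168.1.0/24 are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of OpenVPN server log lines, modelled on the
# "MULTI: bad source address" message quoted in the thread. Client names
# and addresses are made up for this example.
SAMPLE_SERVER_LOG = """\
client1/192.168.1.140:2084 MULTI: bad source address from client [192.168.1.140], packet dropped
client1/192.168.1.140:2084 MULTI: bad source address from client [192.168.1.140], packet dropped
Mon May 04 14:03:40 2009 laptop/129.10.20.30:1194 MULTI: bad source address from client [10.0.0.5], packet dropped
Mon May 04 14:03:41 2009 laptop/129.10.20.30:1194 MULTI: Learn: 10.8.0.6 -> laptop/129.10.20.30:1194
"""

# <CommonName>/<peer address>:<port> MULTI: bad source address from client [<source>]
BAD_SOURCE_RE = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<peer>[\d.]+):(?P<port>\d+) "
    r"MULTI: bad source address from client \[(?P<src>[\d.]+)\]"
)


class Finding(NamedTuple):
    common_name: str   # client CommonName as it appears in the log
    source: str        # address OpenVPN refused to accept from that client
    cause: str
    fix: str


def static_key_fix(src: str, netmask: str = "255.255.255.255") -> str:
    """The route/iroute pair quoted in the thread for the static-key case."""
    return f"route {src} {netmask}\niroute {src} {netmask}"


def diagnose(log_text: str, server_lan: str = "192.168.1.0/24") -> List[Finding]:
    """Classify every distinct (client, source address) pair in the log.

    - source inside the server LAN: the two LANs overlap, so the reply can
      never be routed back over the tunnel; renumber one side.
    - source elsewhere: the client sends from its LAN address rather than its
      tunnel address; teach the server that address via the client-specific
      options (TLS) or the route/iroute pair (static key).
    """
    lan = ipaddress.ip_network(server_lan)
    findings: Dict[Tuple[str, str], Finding] = {}
    for line in log_text.splitlines():
        m = BAD_SOURCE_RE.search(line)
        if m is None:
            continue
        key = (m["cn"], m["src"])
        if key in findings:
            continue  # repeated drops for the same pair add nothing new
        src = ipaddress.ip_address(m["src"])
        if src in lan:
            cause = f"source {src} lies inside the server LAN {lan}: overlapping subnets"
            fix = "renumber the client LAN so it does not overlap (e.g. 192.168.199.0/24)"
        else:
            cause = f"source {src} is the client's LAN address, not its tunnel address"
            fix = (f"TLS: client-specific options CN={m['cn']} subnet={src} "
                   f"netmask=255.255.255.255\nstatic key: {static_key_fix(str(src))}")
        findings[key] = Finding(m["cn"], str(src), cause, fix)
    return list(findings.values())


if __name__ == "__main__":
    for f in diagnose(SAMPLE_SERVER_LOG):
        print(f"{f.common_name} [{f.source}]\n  cause: {f.cause}\n  fix: {f.fix}")
```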
     
  44. tstrike2000

    tstrike2000 Network Guru Member

    Just had a quick question. I haven't used openvpn in quite a while so I have to start from scratch again. If I put settings such as these in the client settings to stabilize the connection and provide compression, do these same settings need to be applied to the server end as well?

    persist-key
    persist-tun
    secret static.key
    comp-lzo
     
  45. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Code:
    persist-key
    persist-tun
    No, these don't have to match between client and server. The GUI automatically adds these to the client, but not the server.
    Code:
    secret static.key
    comp-lzo
    Yes, these need to match. They are configurable via the Web GUI.
     
  46. fyellin

    fyellin LI Guru Member

    Just for the sake of completeness, these almost need to match. If the client has included any comp-lzo specification in its configuration, even the wrong one, the server can include the custom configuration line:
    Code:
    push "comp-lzo XXX"
    where XXX is one of yes, no, or adaptive. The client will change its configuration appropriately.

    When SgtPepperKSU added adaptive compression to the VPN GUI, I enabled this feature and I also added a line to the custom configuration pushing this information out to the clients. No client configurations had to be modified.

    For this to work, the client does need to have some comp-lzo line in its configuration, even if it's "comp-lzo off". The client will initialize, but not use LZO compression until the server tells it otherwise.
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good points. However, "push" only works for TLS authorization, and tstrike2000 seems to be using Static Key authorization.
     
  48. tstrike2000

    tstrike2000 Network Guru Member

    Yes, I'm gonna try static key for now only because I'm a little over my head with a lot of the openvpn settings, so I'm going simple for now. The other reason is I have just one or two clients that would connect to the vpn so I just wanted to test it first. Thanks for the responses.
     
  49. tstrike2000

    tstrike2000 Network Guru Member

    One last quick question. The VPN works pretty good connecting from work to home. However, DNS isn't being resolved from my internal work DNS server when the vpn is connected. Is there a quick setting on the client that can tell it to use my internal DNS first and the vpn DNS second? I've tried a couple of different settings but still couldn't get it working like that.
     
  50. unggnu

    unggnu Addicted to LI Member

  51. sean_lc

    sean_lc Addicted to LI Member

    Fantastic!!

    Just a quick note to let you know that your VPN mod is excellent!!!! I was able to get my TAP VPN set up entirely in the GUI. I've set up 2 servers in tomato VPN, both on port 443. Server 1 is set up for UDP, and server 2 is completely identical (uses same keys, etc.), but on TCP. I use TLS with extra HMAC authentication.

    I currently have 2 client windows laptops - when I'm away from home, I connect to server 1 (connection named "home" on windows PC). Occasionally, UDP is blocked on the network I'm using, so I'll connect to server 2 which is using TCP (connection is named "backup" on my windows PC)

    This set-up works great!! I'm VERY impressed with the transfer speeds I get when using the VPN tunnel away from home. I'm using redirect-gateway option to send all traffic through the VPN for privacy reasons.

    Just FYI, I tested both servers from a remote site, and it seems that UDP delivers higher transfer speeds (30-40% in my test). This is why I decided to use both servers with #2 as a TCP server backup.

    Thanks again, and keep up the good work!!!
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That commit relies on at least this commit, and I still don't see any of the backend work that equates "Channel 0" to "Automatic". Though, that may be built into the wireless driver, I'm not sure.
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad you've found it so useful!

    Your observation about TCP vs UDP is normal. The TCP protocol contains congestion algorithms and packet loss correction that creates extra overhead. When you're tunneling traffic, the tunneled traffic will typically use TCP itself if it needs those services. If you use TCP for the tunneling, you end up with two layers trying to do the same extra services. Not only is that wasteful, it can cause problems. See here for why TCP over TCP should be avoided.

    But, your setup is fine (which is exactly why I included two server tabs), since you're using UDP unless otherwise not able.
     
  54. teddy_bear

    teddy_bear Network Guru Member

    That's correct - it's all in the wlconf code. It sets the wl driver to automatically rescan and reselect the channel every 10 mins if it's set to 0 in nvram. However, the original Tomato wlconf is precompiled, so I can't guarantee that it has the same functionality (in USB mod I'm using the newer version with source).

    Also, if you don't want to provide the country code selection, you only need to port changes that add channel "0".
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Thanks for confirming. It's worth trying.
     
  56. fyellin

    fyellin LI Guru Member

    Is channel 0 only for the Access Point, or can it be used in the router's other modes as well?

    On my laptop, I just give it the SSID and it finds the right channel. I'd love to be able to do the same on my wireless client router and my WDS router.
     
  57. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hard to say whether it's working or not. I ran
    Code:
    nvram set wl_channel="0"
    nvram commit
    reboot
    And when it came back up
    Code:
    wl channel
    showed channel 1. This could be because I was out of the valid range so it picked the first one, or it could be because channel 1 is the best one (it is here). Could someone with substantial interference on channel 1 give it a shot (with the regular Tomato ND or non-ND drivers)?
     
  58. tstrike2000

    tstrike2000 Network Guru Member

    Can't Ping openVPN network

    I'm trying to openvpn from my work LAN to home using TUN interface. My client looks like this:

    client
    proto udp
    dev tun
    remote <remote ip> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
    key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
    ns-cert-type server
    redirect-gateway def1
    cipher BF-CBC
    comp-lzo
    verb 3

    I can connect but cannot ping anything on the openvpn side which is 192.168.1.0. My server custom config includes:

    push "comp-lzo yes"
    push "route-gateway 192.168.1.1"
    push "redirect-gateway"
    push "dhcp-option DNS 192.168.1.1"

    Am I possibly missing a route somewhere which is why I can't ping anything on my home 192.168 network?
     
  59. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Please provide the routing table of your client ("route print" on windows) and the router (Advanced->Routing) when connected . Also, the client logs might be useful. Then we can see if it is a routing problem.
     
  60. tstrike2000

    tstrike2000 Network Guru Member

    Route Print from Windows:

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 19 7e a3 af bc ...... 11a/b/g Wireless LAN Mini PCI Express Adapter - Packet Scheduler Miniport
    0x3 ...00 16 d3 ba ee aa ...... Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
    0x10005 ...00 ff 07 3c ed d6 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.208.1.1 10.208.0.50 20
    10.1.1.4 255.255.255.252 10.1.1.6 10.1.1.6 30
    10.1.1.6 255.255.255.255 127.0.0.1 127.0.0.1 30
    10.208.0.0 255.255.254.0 10.208.0.50 10.208.0.50 20
    10.208.0.50 255.255.255.255 127.0.0.1 127.0.0.1 20
    10.255.255.255 255.255.255.255 10.1.1.6 10.1.1.6 30
    10.255.255.255 255.255.255.255 10.208.0.50 10.208.0.50 20
    63.245.209.58 255.255.255.255 10.208.1.12 10.208.0.50 1
    63.245.209.93 255.255.255.255 10.208.1.12 10.208.0.50 1
    64.53.140.13 255.255.255.255 10.208.1.1 10.208.0.50 1
    64.53.140.13 255.255.255.255 10.208.1.12 10.208.0.50 1
    66.235.138.18 255.255.255.255 10.208.1.12 10.208.0.50 1
    72.14.205.147 255.255.255.255 10.208.1.12 10.208.0.50 1
    72.14.205.155 255.255.255.255 10.208.1.12 10.208.0.50 1
    74.125.45.100 255.255.255.255 10.208.1.12 10.208.0.50 1
    74.125.159.101 255.255.255.255 10.208.1.12 10.208.0.50 1
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    169.254.0.0 255.255.0.0 10.208.0.50 10.208.0.50 30
    192.157.38.18 255.255.255.255 10.208.1.12 10.208.0.50 1
    192.168.1.1 255.255.255.255 10.208.1.12 10.208.0.50 1
    199.3.18.39 255.255.255.255 10.208.1.12 10.208.0.50 1
    206.166.93.138 255.255.255.255 10.208.1.12 10.208.0.50 1
    206.166.93.139 255.255.255.255 10.208.1.12 10.208.0.50 1
    209.18.36.80 255.255.255.255 10.208.1.12 10.208.0.50 1
    209.62.187.43 255.255.255.255 10.208.1.12 10.208.0.50 1
    212.58.226.143 255.255.255.255 10.208.1.12 10.208.0.50 1
    216.44.52.85 255.255.255.255 10.208.1.12 10.208.0.50 1
    216.73.87.52 255.255.255.255 10.208.1.12 10.208.0.50 1
    216.115.96.174 255.255.255.255 10.208.1.12 10.208.0.50 1
    216.139.210.128 255.255.255.255 10.208.1.12 10.208.0.50 1
    224.0.0.0 240.0.0.0 10.1.1.6 10.1.1.6 30
    224.0.0.0 240.0.0.0 10.208.0.50 10.208.0.50 20
    255.255.255.255 255.255.255.255 10.1.1.6 10.1.1.6 1
    255.255.255.255 255.255.255.255 10.1.1.6 2 1
    255.255.255.255 255.255.255.255 10.208.0.50 10.208.0.50 1
    Default Gateway: 10.208.1.1
    ===========================================================================
    Persistent Routes:
    None

    My client log is:

    Tue May 12 13:52:48 2009 OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008
    Tue May 12 13:52:48 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Tue May 12 13:52:48 2009 LZO compression initialized
    Tue May 12 13:52:48 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Tue May 12 13:52:48 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue May 12 13:52:48 2009 Local Options hash (VER=V4): '41690919'
    Tue May 12 13:52:48 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Tue May 12 13:52:48 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue May 12 13:52:48 2009 UDPv4 link local: [undef]
    Tue May 12 13:52:48 2009 UDPv4 link remote: <PUBLIC IP>:1194
    Tue May 12 13:52:48 2009 TLS: Initial packet from <PUBLIC IP>:1194, sid=47ab6244 a83b3ae0
    Tue May 12 13:52:49 2009 VERIFY OK: depth=1, /C=US/ST=IL/L=Chicago/O=myvpn.org/CN=myvpn/emailAddress=vpnadmin@myrealbox.com
    Tue May 12 13:52:49 2009 VERIFY OK: nsCertType=SERVER
    Tue May 12 13:52:49 2009 VERIFY OK: depth=0, /C=US/ST=IL/O=myvpn.org/CN=server/emailAddress=vpnadmin@myrealbox.com
    Tue May 12 13:52:49 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 12 13:52:49 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 12 13:52:49 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue May 12 13:52:49 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue May 12 13:52:49 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Tue May 12 13:52:49 2009 [server] Peer Connection Initiated with <PUBLIC IP>:1194
    Tue May 12 13:52:50 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Tue May 12 13:52:50 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,comp-lzo yes,route-gateway 192.168.1.1,redirect-gateway,dhcp-option DNS 192.168.1.1,route 10.1.1.1,topology net30,ping 15,ping-restart 60,ifconfig 10.1.1.6 10.1.1.5'
    Tue May 12 13:52:50 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Tue May 12 13:52:50 2009 OPTIONS IMPORT: LZO parms modified
    Tue May 12 13:52:50 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Tue May 12 13:52:50 2009 OPTIONS IMPORT: route options modified
    Tue May 12 13:52:50 2009 OPTIONS IMPORT: route-related options modified
    Tue May 12 13:52:50 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Tue May 12 13:52:51 2009 ROUTE default_gateway=10.208.1.1
    Tue May 12 13:52:51 2009 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{073CEDD6-94C1-4131-8806-021A448C88CF}.tap
    Tue May 12 13:52:51 2009 TAP-Win32 Driver Version 9.4
    Tue May 12 13:52:51 2009 TAP-Win32 MTU=1500
    Tue May 12 13:52:51 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.1.6/255.255.255.252 on interface {073CEDD6-94C1-4131-8806-021A448C88CF} [DHCP-serv: 10.1.1.5, lease-time: 31536000]
    Tue May 12 13:52:51 2009 Successful ARP Flush on interface [65541] {073CEDD6-94C1-4131-8806-021A448C88CF}
    Tue May 12 13:52:56 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:52:56 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:01 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:01 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:02 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:02 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:03 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:03 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:04 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:04 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:05 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:05 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:06 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue May 12 13:53:06 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:07 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue May 12 13:53:07 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:09 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
    Tue May 12 13:53:09 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:10 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:10 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:11 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:11 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:12 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:12 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:13 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:13 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:14 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:14 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:15 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:15 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:16 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:16 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:17 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:17 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:18 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:18 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:19 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:19 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:20 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:20 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:21 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:21 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:22 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:22 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:23 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:23 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:24 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:24 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:25 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:25 2009 Route: Waiting for TUN/TAP interface to come up...
    Tue May 12 13:53:27 2009 TEST ROUTES: 0/3 succeeded len=2 ret=0 a=0 u/d=up
    Tue May 12 13:53:27 2009 C:\WINDOWS\system32\route.exe ADD <PUBLIC IP> MASK 255.255.255.255 10.208.1.1
    Tue May 12 13:53:27 2009 Route addition via IPAPI succeeded [adaptive]
    Tue May 12 13:53:27 2009 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.1.1
    Tue May 12 13:53:27 2009 Warning: route gateway is not reachable on any active network adapters: 192.168.1.1
    Tue May 12 13:53:27 2009 Route addition via IPAPI failed [adaptive]
    Tue May 12 13:53:27 2009 Route addition fallback to route.exe
    Tue May 12 13:53:27 2009 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.1.1
    Tue May 12 13:53:27 2009 Warning: route gateway is not reachable on any active network adapters: 192.168.1.1
    Tue May 12 13:53:27 2009 Route addition via IPAPI failed [adaptive]
    Tue May 12 13:53:27 2009 Route addition fallback to route.exe
    Tue May 12 13:53:27 2009 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1
    Tue May 12 13:53:27 2009 Warning: route gateway is not reachable on any active network adapters: 192.168.1.1
    Tue May 12 13:53:27 2009 Route addition via IPAPI failed [adaptive]
    Tue May 12 13:53:27 2009 Route addition fallback to route.exe
    Tue May 12 13:53:27 2009 C:\WINDOWS\system32\route.exe ADD 10.1.1.1 MASK 255.255.255.255 192.168.1.1
    Tue May 12 13:53:27 2009 Warning: route gateway is not reachable on any active network adapters: 192.168.1.1
    Tue May 12 13:53:27 2009 Route addition via IPAPI failed [adaptive]
    Tue May 12 13:53:27 2009 Route addition fallback to route.exe
    SYSTEM ROUTING TABLE
    0.0.0.0 0.0.0.0 10.208.1.1 p=0 i=3 t=4 pr=3 a=17368 h=0 m=20/-1/-1/-1/-1
    10.1.1.4 255.255.255.252 10.1.1.6 p=0 i=65541 t=3 pr=2 a=17 h=0 m=30/-1/-1/-1/-1
    10.1.1.6 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=17 h=0 m=30/-1/-1/-1/-1
    10.208.0.0 255.255.254.0 10.208.0.50 p=0 i=3 t=3 pr=2 a=17371 h=0 m=20/-1/-1/-1/-1
    10.208.0.50 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=17371 h=0 m=20/-1/-1/-1/-1
    10.255.255.255 255.255.255.255 10.1.1.6 p=0 i=65541 t=3 pr=2 a=17 h=0 m=30/-1/-1/-1/-1
    10.255.255.255 255.255.255.255 10.208.0.50 p=0 i=3 t=3 pr=2 a=17371 h=0 m=20/-1/-1/-1/-1
    <PUBLIC IP> 255.255.255.255 10.208.1.1 p=0 i=3 t=4 pr=3 a=0 h=0 m=1/-1/-1/-1/-1
    <PUBLIC IP> 255.255.255.255 10.208.1.12 p=0 i=3 t=4 pr=4 a=294 h=0 m=1/-1/-1/-1/-1
    127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=17411 h=0 m=1/-1/-1/-1/-1
    169.254.0.0 255.255.0.0 10.208.0.50 p=0 i=3 t=3 pr=3 a=17325 h=0 m=30/-1/-1/-1/-1
    224.0.0.0 240.0.0.0 10.1.1.6 p=0 i=65541 t=3 pr=2 a=17 h=0 m=30/-1/-1/-1/-1
    224.0.0.0 240.0.0.0 10.208.0.50 p=0 i=3 t=3 pr=2 a=17371 h=0 m=20/-1/-1/-1/-1
    255.255.255.255 255.255.255.255 10.1.1.6 p=0 i=65541 t=3 pr=2 a=15475 h=0 m=1/-1/-1/-1/-1
    255.255.255.255 255.255.255.255 10.1.1.6 p=0 i=2 t=3 pr=2 a=17411 h=0 m=1/-1/-1/-1/-1
    255.255.255.255 255.255.255.255 10.208.0.50 p=0 i=3 t=3 pr=2 a=17411 h=0 m=1/-1/-1/-1/-1
    SYSTEM ADAPTER LIST
    TAP-Win32 Adapter V9 - Packet Scheduler Miniport
    Index = 65541
    GUID = {073CEDD6-94C1-4131-8806-021A448C88CF}
    IP = 10.1.1.6/255.255.255.252
    MAC = 00:ff:07:3c:ed:d6
    GATEWAY =
    DHCP SERV = 10.1.1.5
    DHCP LEASE OBTAINED = Tue May 12 13:53:10 2009
    DHCP LEASE EXPIRES = Wed May 12 13:53:10 2010
    DNS SERV = 192.168.1.1
    11a/b/g Wireless LAN Mini PCI Express Adapter - Packet Scheduler Miniport
    Index = 2
    GUID = {DDF0DA3C-0E18-4725-A3F0-2F6D49F9E013}
    IP = 0.0.0.0/0.0.0.0
    MAC = 00:19:7e:a3:af:bc
    GATEWAY =
    DHCP SERV = 255.255.255.255
    DHCP LEASE OBTAINED = Tue May 12 09:21:39 2009
    DHCP LEASE EXPIRES = Tue May 12 10:21:39 2009
    DNS SERV =
    Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
    Index = 3
    GUID = {89FC38B4-811E-4841-9291-B2AA8852303F}
    IP = 10.208.0.50/255.255.254.0
    MAC = 00:16:d3:ba:ee:aa
    GATEWAY = 10.208.1.1/0.0.0.0
    DHCP SERV = 10.208.2.168
    DHCP LEASE OBTAINED = Tue May 12 09:04:02 2009
    DHCP LEASE EXPIRES = Fri Jun 26 09:04:02 2009
    DNS SERV = 10.208.1.12
    Tue May 12 13:53:27 2009 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

    The routing table for the router is attached as a picture. 192.168.1.x is the Home network and 10.1.1.x is the openVPN tun IP range. 10.208.x is the work internal address range.

    * In the router routing table picture, I added a static route as a test, but it didn't make any difference.
     

  61. cuisinartoh

    cuisinartoh Addicted to LI Member

    This thread is already 86 pages long so I almost feel guilty asking yet another newbie question. :)

    I've been pulling my hair trying to get the vpn setup. I created keys, etc and copied them to their appropriate spots in the gui but the server will not start. The /var/log/messages log says:
    "May 12 12:06:43 unknown daemon.err openvpn[443]: Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations) (OpenSSL)"

    On your opening post you said:
    "All config, key, and cert files are generated in /etc/openvpn at run time, so you can take a look at them if you're curious/concerned. If you find something wrong with the generated files, let me know."

    There is no /etc/openvpn directory. I've cleared the NVRAM and re-flashed the firmware but no /etc/openvpn directory exists when I copy in the keys and press "start now" in the GUI. Any idea what I'm doing wrong? Do I have to create it manually?

    Linksys WRT54G v4 router

    Thank you!
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That folder should only exist if there is a VPN service currently running. If you want the files to stick around longer, you can ssh/telnet to the router and run
    Code:
    nvram set vpn_debug="99"
    This will make the files not be deleted when the service is stopped (or fails to start).

    Make sure you have all of the fields shown on the "Keys" tab filled in with the correct values (the GUI hides any of them that aren't needed).
     
  63. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Indeed. If anything, I would think that route would break things.

    This is likely one (or both) of two things:
    • Windows is sending traffic over the tunnel interface, but saying that it is coming from the ethernet interface IP. The router doesn't know how to return that traffic, so it tries to send it out on the internet (where it, of course, can't find its way to your client).
    • Windows is mistreating the 10.0.0.0/8 ip space, assuming that it isn't divvied into smaller subnets (notice the two 10.255.255.255 routes).

    To fix this you'll need to do one (or both) of the following:
    • Teach your VPN server about your client's subnet by configuring the "Client-Specific Options" section in the GUI
    • Change one of your 10.x.x.x subnets (the VPN subnet would probably be easier to change) to something else (like 172.16.x.x).

    These are both things I've seen when helping other people set up OpenVPN Windows clients, and I can't see any way to see them as anything but Windows bugs. But, they can be worked around.
     
  64. cuisinartoh

    cuisinartoh Addicted to LI Member

    Well, I rechecked the keys and this time in the "Certificate Authority" field I put the contents of ca.crt instead of ca.key and now the VPN service is running.

    Now it's time to see if I can make any of this work.

    Thank you for the rapid reply! :)
     
  65. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Ah, yes. The ca.key (root key) file is only used to sign other certificates. In fact, for the best security practices, it is recommended that that key is only present on a non-networked computer. That's not really feasible for a lot of people (and that's okay), but it goes to show that you should never need to use it to establish a connection. See the last part of the Hardening OpenVPN Security section of the OpenVPN howto.

    Anyway, glad you got it working.
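    The failure a few posts up ("Cannot load CA certificate file ... SSL_CTX_load_verify_locations") came from pasting ca.key where ca.crt belongs. The script below is an added example for this thread, not code from the Tomato firmware or from any poster: it classifies every PEM block in a pasted string by its BEGIN label, checks that the body actually decodes (a truncated or line-wrapped paste is the other common failure), and reports which field holds the wrong kind of object. The field names ca, cert, key, tls_auth and crl are labels chosen for the example, not Tomato's internal nvram names, and the sample pastes are constructed stand-ins, not real certificates or keys.

```python
"""Check what is pasted into the Tomato VPN server "Keys" fields.

Added example for this thread, not code from the Tomato firmware.
Field names (ca, cert, key, tls_auth, crl) are labels chosen here, not
Tomato's nvram names. Sample PEM blocks are constructed, not real keys.
"""
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Za-z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}
STATIC_KEY_LABEL = "OpenVPN Static key V1"   # tls-auth key, hex body

# What each GUI field must contain. Only the CA *certificate* belongs in
# the CA field; the CA private key should never be on the router at all.
EXPECTED = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": PRIVATE_KEY_LABELS,
    "tls_auth": {STATIC_KEY_LABEL},
    "crl": {"X509 CRL"},
}


def pem_blocks(text):
    """Return [(label, body_ok)] for every PEM block found in text."""
    out = []
    for label, body in PEM_RE.findall(text):
        raw = "".join(body.split())
        try:
            if label == STATIC_KEY_LABEL:
                bytes.fromhex(raw)                 # ta.key bodies are hex
            else:
                base64.b64decode(raw, validate=True)
            ok = True
        except (binascii.Error, ValueError):
            ok = False
        out.append((label, ok))
    return out


def check_fields(fields):
    """fields: dict field -> pasted text. Return a list of problem strings;
    an empty list means every filled-in field holds the right object."""
    problems = []
    for name, text in fields.items():
        if not text.strip():
            continue                  # the GUI hides fields it does not need
        blocks = pem_blocks(text)
        if not blocks:
            problems.append(f"{name}: no PEM block found")
            continue
        wanted = EXPECTED.get(name)
        for label, ok in blocks:
            if not ok:
                problems.append(f"{name}: {label} body does not decode "
                                "(truncated or corrupted paste)")
            if wanted is not None and label not in wanted:
                hint = ""
                if label in PRIVATE_KEY_LABELS and name in ("ca", "cert"):
                    hint = " (a .key pasted where the .crt belongs)"
                problems.append(f"{name}: expected {sorted(wanted)}, "
                                f"got {label}{hint}")
    return problems


def fake_pem(label, payload):
    """Constructed PEM framing around arbitrary bytes so the example runs
    offline. These are NOT real certificates or keys."""
    body = (payload.hex() if label == STATIC_KEY_LABEL
            else base64.b64encode(payload).decode())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


# Constructed sample pastes standing in for ca.crt, ca.key, server.crt, ...
CA_CRT = fake_pem("CERTIFICATE", b"constructed stand-in for ca.crt")
CA_KEY = fake_pem("RSA PRIVATE KEY", b"constructed stand-in for ca.key")
SERVER_CRT = fake_pem("CERTIFICATE", b"constructed stand-in for server.crt")
SERVER_KEY = fake_pem("RSA PRIVATE KEY", b"constructed stand-in for server.key")
TA_KEY = fake_pem(STATIC_KEY_LABEL, b"constructed stand-in for ta.key")

if __name__ == "__main__":
    wrong = {"ca": CA_KEY, "cert": SERVER_CRT, "key": SERVER_KEY, "tls_auth": TA_KEY}
    right = dict(wrong, ca=CA_CRT)
    print("ca.key in CA field:", check_fields(wrong))
    print("ca.crt in CA field:", check_fields(right) or "no problems")
```

    Run it before pressing "Start Now": a private key reported in the ca or cert field is exactly the mistake from this thread, and a body that does not decode usually means the paste lost a line or picked up stray characters.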
     
  66. tstrike2000

    tstrike2000 Network Guru Member

    First, in the client section of the gui, does everything have to match what I have for the client config in Windows? I'm confused as to what exactly needs to be put in the client section of the gui. Second, no static route should need to be added to the router's table, correct?
     
  67. fyellin

    fyellin LI Guru Member

    I was about to write almost the exact same thing!
    I particularly like the comment:
    Floppy disks can be used to move key files back and forth, as necessary. Such measures make it extremely difficult for an attacker to steal the root key, short of physical theft of the key signing machine.
    When was the last time you used a computer with a floppy disk?

    s/Floppy disk/Thumb drive/ ???
     
  68. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unless you want to use the router as an OpenVPN client, you don't need to put anything there. Since, (I think) you're just using it as an OpenVPN server, you only need to worry about the server settings.
    Correct. All the routing is handled by OpenVPN.
     
  69. tstrike2000

    tstrike2000 Network Guru Member

    Yes, I'm just using it as an openvpn server. I'm about to give up on this though as I still can't ping my home 192.168.1.x network. I'm using TUN interface and TLS auth. Per your suggestion, I changed the openvpn network to 172.16.1.x away from the 10.x.x.x. When it connected, I was able to ping 192.168.1.1 for about 15 seconds, but then it got lost. Not sure if it's the Windows client or what. As a last ditch effort, I saw you mentioned putting something in the client config to "teach" Windows the correct route but still can't figure it out. You mentioned in another post to put in the CommonName with IP address from the logs. You mentioned the client's CN and the client's subnet/and mask. I assume this would be something like this in the config:

    client1 192.168.1.0 255.255.255.0

    in order to "teach" the correct route in the client config.
     
  70. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    As long as you used "client1" as the CommonName when you generated the client's TLS certificates. If you used something else, that's what you'll need to put there. If you're not sure what the CommonName is, you can look in the Status tab when the client is connected.
     
  71. tstrike2000

    tstrike2000 Network Guru Member

    Yes, client2 in this case is the CN for the client cert with client2 in the CN in the subject line. However, when I put in client2 192.168.1.0 255.255.255.0 I get an immediate error

    Options error: Unrecognized option or missing parameter(s) in client2.ovpn:8: client2 (2.1_rc15)
     
  72. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Where are you entering this information? It needs to be in the Client-Specific Options section of the Server Web GUI.
     
  73. sean_lc

    sean_lc Addicted to LI Member

    One important note for Vista users - I found that the OpenVPN Windows GUI client fails to add the new routes UNLESS it's run as an administrator. I had to manually set Vista to always run OpenVPN as administrator, and all the routes get added properly.
     
  74. tatoosh

    tatoosh Addicted to LI Member

    How can I use a certificate revocation list (crl.pem)?
    Is this possible to do with "Custom Configuration" under VPN Tunneling - Server - Advanced?

    How do I put my crl.pem on the router?
    I use a WRT54G - no USB or external memory.
     
  75. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The post you quoted says how to use the revocation list. You can set up JFFS or CIFS in the Administration section. If you use CIFS, you don't need to copy the file to the router. If you use JFFS, you can use an SCP client (such as WinSCP).
     
  76. tstrike2000

    tstrike2000 Network Guru Member

    Oops on my part. I had it also in the client config in Windows for some reason. I put client2 172.16.1.0 255.255.255.0 in the client specific options in the Server GUI. The only thing in the server custom configuration now is push "comp-lzo yes". My client got the connection and IP address of 172.16.1.6, but it's the same result where I can ping 192.168.1.1 on the server network for a little while and then it just stops even though I'm still connected. It should be easy to setup, but for some reason for me it's not working. All I need is to get to a few workstations on the 192.168 side by ip address, but for whatever reason the 192.168 side stops responding after a short amount of time. The client config is very simple, no routing settings.
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You sure had a pretty long routing table for a "simple" config... But, I don't see how any of them should conflict with us.

    Have you confirmed that the OpenVPN client is running as Administrator as sean_lc noted?

    And it looks like I provided the wrong subnet for the client-specific options before. It needs to be your client LAN's subnet (10.208.0.0/255.255.254.0?), but I think I accidentally quoted the router's subnet. Could you recapture the routing table on the client and router when connected with these options in place?

    Also, when you lose connectivity to the 192.168.1.0/24 subnet, can you still ping the router's tunnel IP (10.1.1.4)?
     
  78. tstrike2000

    tstrike2000 Network Guru Member

    I've gone back and forth so many times I'm confused. I may have to scrap it for now as I appreciate your time and don't understand from here. The vpn server was changed to 172.16.1.0/24. The route print was probably pretty long before, but now the only thing in the server custom configuration is push "comp-lzo yes". The client specific options in the web GUI were changed from 172.16.1.0/24 to 10.208.0.0 255.255.254.0 to match the range of the client PC's network. My client config consists of this:

    client
    proto udp
    dev tun
    remote public IP 1000
    resolv-retry infinite
    nobind
    ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
    key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
    cipher BF-CBC
    comp-lzo

    My connection looked like this.

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : TAP-Win32 Adapter V9
    Physical Address. . . . . . . . . : 00-FF-9B-06-E7-AE
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 172.16.1.6
    Subnet Mask . . . . . . . . . . . : 255.255.255.252
    Default Gateway . . . . . . . . . :
    DHCP Server . . . . . . . . . . . : 172.16.1.5
    Lease Obtained. . . . . . . . . . : Thursday, May 14, 2009 11:04:38 AM
    Lease Expires . . . . . . . . . . : Friday, May 14, 2010 11:04:38 AM

    But I couldn't ping 172.16.1.5 or 192.168.1.x addresses.
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just to get things straight, there are three subnets involved:
    • Server LAN subnet
      • 192.168.1.0/255.255.255.0?
      • This is what is in the Basic->Network->LAN section of the Web GUI
    • VPN subnet
      • 172.16.1.0/255.255.255.0?
      • This is what is in the VPN->Server->Basic->VPN subnet/netmask fields
    • Client LAN subnet
      • 10.208.0.0/255.255.254.0?
      • This is what needs to be in the Client-Specific options

    But, really, if you provide a routing table from the client and router with the client connected, we can see if anything is messed up there.
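    The three-subnet picture above (server LAN, VPN subnet, client LAN) plus the earlier advice to keep the tunnel range out of the 10/8 space the client LAN already uses is easy to get wrong, as this thread shows twice (the server LAN and then the VPN subnet were pasted into the Client-Specific Options row). The script below is an added example for this thread, not code from the Tomato firmware or from any poster: it reports real overlaps between the three ranges, flags ranges that merely share a classful /8 (the two per-interface 10.255.255.255 routes on the Windows client came from that), and prints the plain OpenVPN 2.x directives a Client-Specific Options row (CN, subnet, netmask) corresponds to. That Tomato emits exactly a "route" in the server config plus an "iroute" in a per-client ccd file is an assumption made here; the directives themselves are standard OpenVPN.

```python
"""Pre-flight check for the three subnets of a routed (TUN) OpenVPN setup.

Added example for this thread; not Tomato firmware code. The mapping of a
"Client-Specific Options" row to a server-side "route" plus a ccd "iroute"
is an assumption made here (the directives are standard OpenVPN 2.x).
"""
import ipaddress
from itertools import combinations


def net(spec):
    """Accept '10.208.0.0/23' or '10.208.0.0/255.255.254.0'."""
    return ipaddress.ip_network(spec, strict=True)


def find_overlaps(subnets):
    """subnets: dict name -> spec. Return the name pairs whose ranges overlap."""
    nets = {name: net(spec) for name, spec in subnets.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


def shared_classful_block(subnets, prefixlen=8):
    """Name pairs that do not overlap but sit inside the same /8.

    Not an error for OpenVPN itself, but the thread's Windows client grew
    a 10.255.255.255 route per interface for exactly this layout, so it is
    worth avoiding (e.g. move the VPN subnet to 172.16/12).
    """
    nets = {name: net(spec) for name, spec in subnets.items()}
    hits = []
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            continue
        if (nets[a].supernet(new_prefix=prefixlen)
                == nets[b].supernet(new_prefix=prefixlen)):
            hits.append((a, b))
    return hits


def plan_client_row(cn, client_lan, server_lan, vpn):
    """Validate one Client-Specific Options row and return (directives, problems).

    The row must name the network *behind the client*; pasting the server
    LAN or the VPN subnet there (both happened in the thread) is reported.
    """
    c, s, v = net(client_lan), net(server_lan), net(vpn)
    problems = []
    if c.overlaps(s):
        problems.append(f"{cn}: {c} is (or overlaps) the server LAN {s}; "
                        "the row must name the network behind the client")
    if c.overlaps(v):
        problems.append(f"{cn}: {c} overlaps the VPN subnet {v}")
    directives = {
        # server config: kernel route on the router pointing into the tunnel
        "server": f"route {c.network_address} {c.netmask}",
        # ccd/<CN>: tells OpenVPN which connected client owns that route
        f"ccd/{cn}": f"iroute {c.network_address} {c.netmask}",
    }
    return directives, problems


if __name__ == "__main__":
    # Values from the thread: the final layout (tunnel moved out of 10/8) ...
    final = {"server_lan": "192.168.1.0/255.255.255.0",
             "vpn": "172.16.1.0/255.255.255.0",
             "client_lan": "10.208.0.0/255.255.254.0"}
    # ... and the original one, with tunnel and client LAN both inside 10/8.
    original = dict(final, vpn="10.1.1.0/255.255.255.0")
    for label, layout in (("original", original), ("final", final)):
        print(label, "overlaps:", find_overlaps(layout),
              "shared /8:", shared_classful_block(layout))
    d, p = plan_client_row("client2", final["client_lan"],
                           final["server_lan"], final["vpn"])
    for where, line in d.items():
        print(f"{where}: {line}")
    print("problems:", p or "none")
```

    The netmask form ("10.208.0.0/255.255.254.0") is accepted directly, so the values can be copied from the GUI fields as they are.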
     
  80. tstrike2000

    tstrike2000 Network Guru Member

    All those addresses are correct and setup as listed above. Route print and router routing table attached.
     

  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, things are definitely messed up there. First, I have to check if you're using version 2.1rc15 on the client (sorry if I've already asked that).

    Could you provide the client's OpenVPN log (when posting it, please wrap it with
    Code:
    ...
    tags)? It could give us an idea why the routes are not being added correctly.

    You might also try adding "topology subnet" to the server custom config.
     
  82. tstrike2000

    tstrike2000 Network Guru Member

    I added topology subnet to the server custom config but no difference. Here is the client log:

    Code:
    Thu May 14 14:03:49 2009 OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008
    Thu May 14 14:03:49 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu May 14 14:03:49 2009 LZO compression initialized
    Thu May 14 14:03:49 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Thu May 14 14:03:49 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Thu May 14 14:03:49 2009 Local Options hash (VER=V4): '41690919'
    Thu May 14 14:03:49 2009 Expected Remote Options hash (VER=V4): '530fdded'
    Thu May 14 14:03:49 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Thu May 14 14:03:49 2009 UDPv4 link local: [undef]
    Thu May 14 14:03:49 2009 UDPv4 link remote: 64.53.140.13:1000
    Thu May 14 14:03:49 2009 TLS: Initial packet from 64.53.140.13:1000, sid=6a5887d8 5d7c6ed6
    Thu May 14 14:03:50 2009 VERIFY OK: depth=1, /C=US/ST=IL/L=Chicago/O=openvpn/CN=alcockhome.com/emailAddress=vpnadmin@myrealbox.com
    Thu May 14 14:03:50 2009 VERIFY OK: nsCertType=SERVER
    Thu May 14 14:03:50 2009 VERIFY OK: depth=0, /C=US/ST=IL/O=openvpn/CN=alcockhome.com/emailAddress=vpnadmin@myrealbox.com
    Thu May 14 14:03:50 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu May 14 14:03:50 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu May 14 14:03:50 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu May 14 14:03:50 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu May 14 14:03:50 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Thu May 14 14:03:50 2009 [alcockhome.com] Peer Connection Initiated with 64.53.140.13:1000
    Thu May 14 14:03:52 2009 SENT CONTROL [alcockhome.com]: 'PUSH_REQUEST' (status=1)
    Thu May 14 14:03:52 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,comp-lzo yes,route 172.16.1.1,topology net30,ping 15,ping-restart 60,ifconfig 172.16.1.6 172.16.1.5'
    Thu May 14 14:03:52 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Thu May 14 14:03:52 2009 OPTIONS IMPORT: LZO parms modified
    Thu May 14 14:03:52 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Thu May 14 14:03:52 2009 OPTIONS IMPORT: route options modified
    Thu May 14 14:03:52 2009 ROUTE default_gateway=10.208.1.1
    Thu May 14 14:03:52 2009 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{073CEDD6-94C1-4131-8806-021A448C88CF}.tap
    Thu May 14 14:03:52 2009 TAP-Win32 Driver Version 9.4 
    Thu May 14 14:03:52 2009 TAP-Win32 MTU=1500
    Thu May 14 14:03:52 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.1.6/255.255.255.252 on interface {073CEDD6-94C1-4131-8806-021A448C88CF} [DHCP-serv: 172.16.1.5, lease-time: 31536000]
    Thu May 14 14:03:52 2009 Successful ARP Flush on interface [65541] {073CEDD6-94C1-4131-8806-021A448C88CF}
    Thu May 14 14:03:57 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Thu May 14 14:03:57 2009 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 172.16.1.5
    Thu May 14 14:03:57 2009 Route addition via IPAPI succeeded [adaptive]
    Thu May 14 14:03:57 2009 C:\WINDOWS\system32\route.exe ADD 172.16.1.1 MASK 255.255.255.255 172.16.1.5
    Thu May 14 14:03:57 2009 Route addition via IPAPI succeeded [adaptive]
    Thu May 14 14:03:57 2009 Initialization Sequence Completed
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm sorry. I'm out of ideas. The issue is definitely on your client. You can see from the log that the routes are being added "successfully", but your routing table doesn't show them. I suppose there could be another service running on your client that is changing the routing table, but I wouldn't know where to begin troubleshooting it. Whatever the problem is, it seems to be Windows specific, and I don't have a lot of experience with OpenVPN on Windows.
     
  84. tstrike2000

    tstrike2000 Network Guru Member

    I understand, I was very confused, too. It works sometimes and then stops. I am using the newest client. Thanks for taking a look though.
     
  85. Vezado

    Vezado Addicted to LI Member

    I'd love to see cert revoking implemented in the GUI, would that be possible?

    Also, I'm a bit confused as to how to revoke multiple certs, do we generate a separate crl.pem for each? (ie crl01.pem, crl02.pem)
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, I don't currently have any of the tools needed for generating or revoking certificates loaded onto the router. Perhaps someday, but I don't see it happening any time soon.

    You don't need a separate certificate revocation list (crl.pem) for each certificate you're revoking. When you revoke a second certificate, the crl.pem should be updated and you'll just replace the one on the router with that.
     
  87. Delta221

    Delta221 Addicted to LI Member

    Tstrike2000: Try setting Extra HMAC authorization (TLS-Auth) to 0 on the server, and 1 on the client.

    I compiled a HOWTO, maybe it will help you. I recommend you do a hard reset before starting, I had difficulties after saving many configurations over and over and over, a hard reset helped:

    http://www.linksysinfo.org/forums/showthread.php?t=61253
     
  88. Vezado

    Vezado Addicted to LI Member

    Thanks for the quick reply. Sorry if I'm a bit dim here, just want to be sure I understand this fully...

    Suppose i do the following:

    1) revoke-full.bat client1
    2) revoke-full.bat client2

    Then after step 1, crl.pem is already present. Does this mean revoke-full checks for the presence of crl.pem and if present reads it to check for certs already revoked? In looking at the batch file it looked like it simply overwrites the previous.
     
  89. fyellin

    fyellin LI Guru Member

    I'm pretty sure that revoke-full keeps a database of all the certs that have been revoked to date, and then generates a crl containing them all.

    If you're uncertain, there should also be a script list-crl.bat that will list the contents of your crl.
     
  90. Vezado

    Vezado Addicted to LI Member

    Ahh. ok... so deleting the current crl.pem will not un-revoke all revoked certs then. Thanks for clearing that up.
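    The point settled in the last few posts is that revocation state lives in the easy-rsa database (keys/index.txt), not in crl.pem: revoke-full marks the entry "R" and then regenerates the CRL from every "R" entry, so deleting crl.pem un-revokes nothing and the second revocation keeps the first. The script below is an added example for this thread, not part of easy-rsa, OpenSSL or Tomato: it parses an index.txt in OpenSSL's "ca" database format (tab-separated: status, expiry, revocation date with optional reason, serial, filename, subject), lists the serials the next "openssl ca -gencrl" will put in the CRL, and models the database side of a second revocation. The sample rows are constructed, not from any real CA.

```python
"""Read an easy-rsa / OpenSSL "ca" database (keys/index.txt) and show which
certificates the next CRL will contain.

Added example for this thread, not part of easy-rsa or Tomato. The
index.txt layout is OpenSSL's; the sample rows below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IndexEntry:
    status: str                 # V (valid), R (revoked), E (expired)
    expiry: str                 # YYMMDDHHMMSSZ
    revoked_at: Optional[str]   # YYMMDDHHMMSSZ, only for R entries
    reason: Optional[str]       # e.g. keyCompromise, only if one was given
    serial: str                 # hex, as printed by openssl
    subject: str                # /C=US/.../CN=client1/...

    @property
    def cn(self) -> str:
        m = re.search(r"/CN=([^/]+)", self.subject)
        return m.group(1) if m else ""


def parse_index(text: str) -> List[IndexEntry]:
    """Parse the tab-separated OpenSSL ca database."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revocation, serial, _filename, subject = line.split("\t")
        revoked_at, reason = None, None
        if revocation:
            revoked_at, _, reason = revocation.partition(",")
            reason = reason or None
        entries.append(IndexEntry(status, expiry, revoked_at, reason, serial, subject))
    return entries


def revoked_serials(entries: List[IndexEntry]) -> List[str]:
    """What `openssl ca -gencrl` (the last step of revoke-full) writes into
    crl.pem: every entry marked R, whether or not an old crl.pem exists."""
    return [e.serial for e in entries if e.status == "R"]


def revoke(entries: List[IndexEntry], cn: str, when: str,
           reason: Optional[str] = None) -> int:
    """Model the database side of `revoke-full <cn>`: flip the matching valid
    entry to R. Returns the number of entries changed (0: not found or
    already revoked). Earlier R entries are untouched, so they stay in the CRL."""
    changed = 0
    for e in entries:
        if e.status == "V" and e.cn == cn:
            e.status, e.revoked_at, e.reason = "R", when, reason
            changed += 1
    return changed


# Constructed index.txt: one server cert, two clients already revoked (one
# with a reason), one still valid. Not from any real CA.
SAMPLE_INDEX = "\n".join([
    "V\t190512120000Z\t\t01\tunknown\t/C=US/ST=IL/O=openvpn/CN=server/emailAddress=vpnadmin@example.com",
    "R\t190512120000Z\t090514140352Z\t02\tunknown\t/C=US/ST=IL/O=openvpn/CN=client1/emailAddress=vpnadmin@example.com",
    "R\t190512120000Z\t090514140510Z,keyCompromise\t03\tunknown\t/C=US/ST=IL/O=openvpn/CN=client2/emailAddress=vpnadmin@example.com",
    "V\t190512120000Z\t\t04\tunknown\t/C=US/ST=IL/O=openvpn/CN=client3/emailAddress=vpnadmin@example.com",
]) + "\n"

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print("in CRL now:", revoked_serials(db))
    revoke(db, "client3", "090515090000Z")
    print("in CRL after revoke-full client3:", revoked_serials(db))
    for e in db:
        print(e.status, e.serial, e.cn, e.reason or "")
```

    Point it at the real keys/index.txt to see what list-crl.bat should report after the next revocation; if a serial you expect is missing, the database (not crl.pem) is where the revocation did not land.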
     
  91. humba

    humba Network Guru Member

    I finally dared to make the upgrade from the trusted old "do it yourself" approach.. and ran into some trouble.

    For starters I configured a simple tun server.. it's up and running just fine. However, the server hands out its own IP addresses.. and I cannot have that. Also, by default the server is configured to a 10.8.something subnet (that's why I noted it hands out the wrong IPs). When doing things manually I can simply leave the server line in the config as server without specifying a subnet and subnet mask.. but if I try to leave those two fields empty in the GUI, I cannot save.

    Is it possible to use the GUI and bypass those options (so that the dhcp running on br0 is used.. or whatever dhcp server is connected to br0)?

    Also - custom configuration - is that the entire configuration or do you just add parameters that cannot be configured with GUI options there? Looking at the autogenerated config makes me think those are additional options, but the GUI description is ambiguous.
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are you sure you aren't thinking about TAP? The OpenVPN manual shows those parameters (subnet/netmask) as mandatory for "server" (TUN), but optional for "server-bridge" (TAP). Also, TUN can not work giving out LAN IP addresses, or at least it goes against all intended uses of it. TAP gives out LAN IP addresses. If you use TAP and choose the "dhcp" option, it is equivalent to leaving the parameters off of the "server-bridge" directive.
    The Custom Configuration field is tacked on to the end of the OpenVPN configuration file. Most (all?) options can be overridden by items in that section.
     
  93. humba

    humba Network Guru Member

    Aargh.. now that you say it, I'm finally seeing it.. I was so set on tap being the default that I never noted I was running in TUN mode :( Sorry for wasting your time.

    So.. suppose I write the same option into the config file that would be written by the code that autogenerated the config file, then my own line would be taken into account and not the one from the autogenerated file? Is that openvpn's default way of using the last entry if there are multiple of the same options or how do you determine which lines not to write to the configuration you create?

    And on a slightly different note.. I'm often running multiple vpns to different locations and separate networks via vlan.. so I need one server/client on one vlan and another server/client on another vlan. Have you ever thought about enabling a configuration like that via GUI (binding server / client to an existing vlan instead of binding everything to br0)?
     
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    My code does no checking of what's in the Custom Configuration section. It just tacks it on to the end of the file. If the entries are the same as what is defined in the auto-generated section, then the behavior is just dependent on what OpenVPN does with duplicate entries. I know that in at least some of the directives, the last one is used. Whether that is the general case, I don't know.
    No, hadn't crossed my mind. Unless VLAN configuration is added to the Tomato GUI, I don't see it being added. You can just use TUN and put firewall rules in place to limit access between the different interfaces. You may even be able to do that with TAP.
     
  95. i1135t

    i1135t Network Guru Member

    SgtPepper, would you know if there is a way to keep my UDP VPN connection from disconnecting after idling for 25 mins or so. I've tried adding the following fields in my server's custom config, but still no luck:
    Code:
    keepalive 10 120
    reneg-sec 300
    I also removed the "keepalive" line from my client configs, as well as the "auth-nocache" line so that when it renegotiates, it will have the password cached and do it automatically.

    It still disconnects/reconnects, which is annoying, but probably due to the inherent nature of the UDP protocol and my work's firewall. There is also another problem that occurs after it renegotiates correctly. After it does that, I can no longer access any of my home network devices; the route statements are there and valid, but no access. I have to disconnect manually and reconnect for it to work. It doesn't appear to be happening for my TCP VPN setup, but I will test it and post an update on that. This is for my Windows box, FYI. Any suggestions would help... Thanks!
     
  96. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unfortunately, I don't know why this occurs. But, it has occurred for several people. It's possible that there is something the VPN GUI backend isn't setting up quite right (firewall, etc), but I don't know what that would be. As far as I know I have the firewall wide open for the tunnel, and I don't know of anything else that would stop these keep-alive messages.
    A thought just occurred to me, though. I've assumed that the keep-alive pings were coming over the tunnel, but I suppose it's possible (though, not entirely logical) that they are sent outside of the tunnel. Maybe you could try enabling "Respond To ICMP Ping" in Advanced(not the VPN advanced tab)->Firewall. See if that helps.
    This one is a bit stranger. However, if it works on a connect, but not on a reconnect, the problem likely resides deep within OpenVPN and out of my familiarity. One data point you could try is rather than restarting the client, try restarting the server when the problem arises. If that doesn't help things, then at least you'd know it was a client-side issue.

    If this is highly recreatable, I would be tremendously grateful if you could try to get help from the OpenVPN folks (easiest would probably be the IRC channel, ##openvpn at irc.freenode.net). I can't seem to recreate it reliably, and I don't think anyone else has taken it to them. If it comes down to a setup problem in the VPN GUI backend, I'd definitely fix it. And, if it were an OpenVPN bug (in the firmware) that they can at least narrow down, I could even try to write a patch for it.
     
  97. i1135t

    i1135t Network Guru Member

    Ok, it looks like I didn't wait long enough after the reconnection, because for some odd reason, it keeps adding my VPN DNS server route to my other connection interface... It just took a minute or two for that statement to show up in my route statements. So, every time, I have to delete that in order to access my home router. I tried checking off "Respond to ICMP requests" in the firewall section, but no help, it still disconnects.

    First thing I will try to do is adding "interface=br0,tun21,tun22" to my dnsmasq section, uncheck "Respond to DNS" on both VPN servers and see if that fixes the rogue route statement being added to my Windows VPN connections.

    If so, then dunno how to fix that. I will then later test the TCP VPN to see if the idling problem exists there as well. Thanks!
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Adding the "interface=" line to your dnsmasq configuration (proper syntax is a separate interface=... line for each interface, btw) is all that the VPN GUI option does, so I don't think that will affect anything.

    So the only problem is Windows adding a route specific to the router IP on a different interface? You could try adding that route to your client config (or pushed from your server):
    Code:
    route 192.168.1.1
    (or whatever the right IP address is). This might keep Windows from making this mistake.
     
  99. i1135t

    i1135t Network Guru Member

    Actually, adding the following below and disabling the check boxes on both VPN servers for "Respond to DNS" appears to have fixed the rogue route statement problem.
    Code:
    interface=br0,tun21,tun22
    I don't know why it works.. but it does... DNS tunneling works on/off, but then it's always been that way, for me at least.

    Will update on idling issue for UDP and TCP VPNs...

    --EDIT--

    OK, at first it worked, but after it timed out and reconnected, the rogue statement came back. Will try what you suggested up top and repost.
     
  100. humba

    humba Network Guru Member

    TUN is a no go for me... I use openvpn to bridge between networks at different physical locations at the office - and it's not like I can go around asking for new subnets and routing in between.. so it's all TAP. And suppose you need to bridge multiple networks.. the easiest thing to do is have a different subnet on a different port on the router and the way to do that is vlans. Alternatively, when you actually control the switch that connects to the router you can be even more flexible.
    Anyways, that's why I'm using VLANs. Incidentally it wouldn't be too hard to add that to the GUI ;)

    On subnetting though - the thing that's kinda missing in Tomato and becomes apparent with OpenVPN and especially TUN networks is subnetting support... configure different subnets, configure firewall rules in between, configure dns for them.. and all that with a GUI. Having that would bring Tomato into a whole different league.
     