vpn client on tomato router (wireless ethernet bridge and repeater) behind at&t uverse

Discussion in 'Tomato Firmware' started by ghoffman, Mar 16, 2014.

  1. ghoffman

    ghoffman LI Guru Member

    ok, i am not a vpn guy but what i'm attempting to do is summarized in title, but it's more complicated:

    i'm trying to connect from location (B) to my company domain (C), but my company and at&t have an unresolved issue that blocks the IP address at location B. However, my company and time warner (available at my home, location A) connect fine.

    so: A <---internet--> C is fine
    but B <---internet--> C does not work.

    so: i'd like to do this:

    B <---internet vpn----> A <----internet----> C

    to make things more complicated: location B is at&t uverse, have to use their modem; i've connected to the at&t modem via a wireless ethernet bridge to a belkin f5d7301 running shibby k26usb-v116. (router D)
    i'd like the router D to broadcast another wireless SSID for the VPN to the outside.

    so: it looks more like this:

    D (belkin tomato) <---WET carrying VPN--> B (AT&T) <----internet VPN--> A (linksys e4200) <--internet--> C

    B: 192.168.1.X, gateway
    A: 192.168.1.X, gateway

    those two networks do not need to see each other.

    the vpn traffic reaching router A should be directed to the internet through A.

    i set up a vpn server on A, and a vpn client on D. they can connect, but that joins the two networks. i want the vpn connection on D to go to a virtual access point on the same router, but not to intermix packets from lan A and lan B. (networks A and B are complex and i would very much like to avoid having to reconfigure them using different subnet numbers)

    i'm thinking this will require vlans and tagging, but i have minuscule knowledge and less experience.
    is this possible?

    thank you in advance!
  2. eibgrad

    eibgrad Network Guru Member

    I have a question. If you could connect directly from B to C, would all the other issues involving the VPN, conflicting subnets, etc., go away? IOW, are most of the configuration issues on B due to the fact you can't reach C except by passing through A?

    The reason I ask is that some routers will allow you to port forward to an external ip (last I checked, my tomato router can, might require iptables rather than GUI in some routers). You can picture it as sort of a ricochet shot. And thanks to NAT, this has the effect of making it appear your public ip is coming from A. So it might be as simple as setting up port forwarding.

    Granted, it won’t be very fast if your home upload speed is limited, but neither would the VPN (in fact, the VPN would add overhead). And it should avoid the subnet conflict since you never establish a connection into A’s local subnet. And so now you just connect your VPN client directly to C (assuming you’re using one to C).

    Just a thought. Perhaps it won’t work, but I thought it was worth mentioning since it would appear to be so much simpler.
  3. ghoffman

    ghoffman LI Guru Member

    the problem is that C blocks all access from B. I don't have control over C domain (includes multiple web servers, email, ftp, etc). i'm not seeing how port forwarding would help.
    thank you though.
  4. eibgrad

    eibgrad Network Guru Member

    C is blocking B based on B’s public ip, correct? But if C sees a public ip belonging to A, it will accept it, correct?

    What I'm suggesting is if you bounced your traffic from B off A (via port forwarding by A) before going to C, C would accept it. Why? Because the public ip from B would appear to be that of A thanks to NAT'ing by A.

    That was a mouthful, I know, with all these letters.
  5. ghoffman

    ghoffman LI Guru Member

    ok, but how can i get B to send to A all traffic destined for C, and how can i get A to only forward things from B to C (i thought port forwarding would only work within a lan, not across the internet).....?
  6. eibgrad

    eibgrad Network Guru Member

    Remember, this is all contingent on router A allowing the forwarding to external ips. Not all routers will allow this. Or they only will if you use the CLI and iptables. So assuming for the moment your router does, it's no different than any other port forwarding.

    Let’s say you normally connect to C at public ip, port 9999. Your A router is located at public ip, and you select some arbitrary port, say 8888. On router A, you port forward any request for to Finally, you configure B to connect to C using (A).
    Last edited: Mar 17, 2014
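The relay described in this reply, written out as an added example (not eibgrad's or Tomato's own code): a shell function that generates the iptables rules router A would need in its firewall script, so they can be reviewed before being applied. Every address, port and interface name here is a constructed placeholder (documentation ranges stand in for C and B; `vlan2` is assumed as A's WAN interface). The `-s` match restricts the relay to B's public address, because a DNAT rule without it would turn A into an open relay to C for anyone who finds port 8888.

```shell
#!/bin/sh
# Added example, not from the thread: a relay ("ricochet") port forward on
# router A, emitted as iptables commands for Tomato's firewall script.
# All addresses, ports and the interface name are constructed placeholders.
A_WAN_IF="${A_WAN_IF:-vlan2}"                 # assumed WAN interface on router A
RELAY_PORT="${RELAY_PORT:-8888}"              # port B connects to on A
C_PUBLIC_IP="${C_PUBLIC_IP:-203.0.113.10}"    # documentation address standing in for C
C_PORT="${C_PORT:-9999}"                      # port C really listens on
B_PUBLIC_IP="${B_PUBLIC_IP:-198.51.100.25}"   # only this source may use the relay

relay_rules() {
  # DNAT: rewrite the destination of B's packets from A:RELAY_PORT to C:C_PORT
  printf 'iptables -t nat -I PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$A_WAN_IF" "$B_PUBLIC_IP" "$RELAY_PORT" "$C_PUBLIC_IP" "$C_PORT"
  # Filter table: the flow enters and leaves on the WAN, which Tomato does not allow by default
  printf 'iptables -I FORWARD -i %s -o %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
    "$A_WAN_IF" "$A_WAN_IF" "$B_PUBLIC_IP" "$C_PUBLIC_IP" "$C_PORT"
  # MASQUERADE: source becomes A's public IP, so C sees A and its replies come back through A
  printf 'iptables -t nat -I POSTROUTING -o %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
    "$A_WAN_IF" "$C_PUBLIC_IP" "$C_PORT"
}

# Number of rules the generator emits (useful as a sanity check before applying)
rule_count() { relay_rules | wc -l | tr -d ' '; }

# Review the output first; on the router, apply with:  relay_rules | sh
relay_rules
```

The three rules cover one TCP port only, which is exactly the limitation raised later in the thread: each application C exposes would need its own DNAT/FORWARD pair. If B's U-verse address changes, the `-s` match must be updated or the relay stops working.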
  7. ghoffman

    ghoffman LI Guru Member

    eibgrad: i don't think my router can forward to external ip's, and the list of applications is large, making port forwarding not a solution. thank you though.
  8. eibgrad

    eibgrad Network Guru Member

    I suppose that means you’re back to the VPN solution. Are you using PPTP or OpenVPN?
  9. ghoffman

    ghoffman LI Guru Member

    i am trying to avoid openvpn clients on computers. i'm trying to get the tomato routers to handle the vpn using the integrated openvpn server and client.
  10. eibgrad

    eibgrad Network Guru Member

    Good. Because OpenVPN makes things so much easier (if it’s a routed (tun) config). You won't have any subnet conflicts as long as you don't push the remote network to the client. It’s now just an alternate gateway to the internet and router C’s public ip.

    But here’s what I would do differently. Instead of configuring the tomato router as a WET, configure it in client mode. This will allow you total separation from the local network (192.168.1.x) behind your own WAN (virtualized over the wireless client), DHCP server, firewall, etc., while maintaining access to that local 192.168.1.x network over that same WAN. Now configure the OpenVPN client as either the default gateway (which is either a GUI option, or requires a redirect-gateway directive), or else add a static route for router C’s public ip so only that destination is routed over the VPN.

    If you eventually want to add a VAP (virtual AP) for some reason, you can always do that later (assuming it’s supported when the physical adapter is configured as a wireless client, I’m not sure it is).
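The two routing choices in this reply (tunnel as default gateway, or a static route so only C's public IP crosses the VPN), as an added example that is not eibgrad's or Tomato's own code. The function emits OpenVPN client directives for router D, which on Tomato are assumed to go into the OpenVPN client's custom configuration box; `route-nopull` is included so that any route the server on A might push for 192.168.1.x is ignored, which is what keeps LAN A and LAN B from being joined. The C addresses are constructed placeholders, and each one is validated before it becomes a route, since a mistyped host route silently sends the wrong destination through the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN client directives for router D
# that send either everything ("all") or only router C's public IPs ("split")
# over the tunnel. Addresses used below are constructed placeholders.

is_ipv4() {
  # Accept only a dotted quad with each octet in 0-255
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

vpn_client_directives() {
  # $1 = "split" (only C over the VPN) or "all" (tunnel becomes default gateway)
  # remaining args = C's public IPv4 addresses (split mode only)
  mode=$1; shift
  echo "dev tun"          # routed (tun) client, as the reply recommends
  echo "route-nopull"     # ignore routes pushed by A's server: no 192.168.1.x conflict
  case $mode in
    all)
      echo "redirect-gateway def1"        # all of D's traffic leaves via A
      ;;
    split)
      [ $# -gt 0 ] || { echo "split mode needs at least one IP" >&2; return 1; }
      for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
        echo "route $ip 255.255.255.255"   # host route for C via the tunnel gateway
      done
      ;;
    *) echo "mode must be split or all" >&2; return 1;;
  esac
}

# Example run with constructed C addresses; paste the output into D's client config
vpn_client_directives split 203.0.113.10 203.0.113.11
```

Split mode only helps when C's public addresses are known; with `all`, every destination from D goes out through A, which also covers C addresses that were never enumerated, at the cost of A's upload bandwidth for all of D's traffic.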
  11. ghoffman

    ghoffman LI Guru Member

    eibgrad - thank you for keeping up with this, but:
    1. i don't know all the public ip's of C
    2. i need to access a printer attached to D from within network B, so WET allows B and D to be on the same subnet.
    3. i also need to access a printer and disk on D from the outside, so a few port forwards on B take care of it. again, easy with WET, not so easy if D is a separate client network.

    i think the issue might be 'pushing' the subnet which caused some problems. i'll work on an alternative.