
VPN help

Discussion in 'Tomato Firmware' started by cohomology, Jan 27, 2011.

  1. cohomology

    cohomology Networkin' Nut Member

    I have tried for days and no go. Hope someone with more experience can help me out.

    Here is the scenario: I have two routers both flashed to tomato, one at home and one in the office. I setup vpn server at home and client in the office and I could access computers at home from office with no problem.

    But I want to do more with the settings:

    1. How can I access computers in the office from home? i.e., access computers on the client side from the server side?
    2. Is it possible to tell the client router that when a computer on the client side wants to access a predefined set of ip addresses, use the vpn and for everything else just use the usual route?

    I am thinking I might be able to do it with the routing table; however, the route command in tomato seems to be very different from its counterpart on a regular distro. I have been fighting with it and it is beating me really hard.

    Thank you in advance for the help!!
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    See here
    Use TUN+TLS (you don't say what you're currently using) and that will be the default behavior (with the "predefined set of ip address" being anything on the server subnet). If that's not what you want, we can probably still figure out how to do what you want (but if that's the case, please provide more info on your network topology).
  3. cohomology

    cohomology Networkin' Nut Member

    Wow, this works like a charm!!!:biggrin:

    Yeah, I am using TUN+TLS. What I want to do is that for some (not all) specific addresses (different from the server subnet), traffic initiated from the client subnet will be re-routed through the VPN. Is this possible?

    Thanks a lot!
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, since the server's subnet should be unique (there shouldn't be any devices with IPs in the server's subnet that aren't on the server's LAN), we can say that when it won't be routed over the tunnel, it can just be blocked (it doesn't need to go anywhere else).

    So, there are two options:
    1. Leave the routing as it is and add firewall rules to block addresses/ranges you don't want to allow VPN access to
    2. Uncheck "Push LAN to clients" on the server, and manually put push routes in your custom config

    So the question really comes down to whether a whitelist (not allow by default, provide certain cases where it will be allowed) or a blacklist (allow by default, provide certain cases where it will not be allowed) is what you want (either option above can be made to work as a blacklist or a whitelist, as well).
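The two options above, written out as an added example that is not part of the thread (not SgtPepperKSU's reply or Tomato's own code): a POSIX shell helper that prints the OpenVPN `push "route ..."` lines for option 2 and the iptables FORWARD rules for option 1, in both whitelist and blacklist form. It assumes Tomato's default OpenVPN server 1 interface name `tun21` and the LAN bridge `br0`, and the addresses in it are constructed samples. It only prints the lines, so you can review them before pasting them into the server's Custom Configuration box and the Firewall script.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) the pieces
# for selective VPN access on a Tomato OpenVPN server.
VPN_IF="${VPN_IF:-tun21}"   # assumption: Tomato server 1 TUN interface
LAN_IF="${LAN_IF:-br0}"     # assumption: Tomato LAN bridge

cidr_to_netmask() {
  # Prefix length (0-32) to dotted-quad netmask, e.g. 27 -> 255.255.255.224
  p=$1
  if [ "$p" -le 0 ]; then m=0; else m=$(( (4294967295 << (32 - p)) & 4294967295 )); fi
  echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

split_entry() {
  # Sets ip= and prefix= from "a.b.c.d" or "a.b.c.d/len" (bare host means /32)
  ip=${1%%/*}
  case "$1" in */*) prefix=${1##*/} ;; *) prefix=32 ;; esac
}

push_routes() {
  # Option 2: with "Push LAN to clients" unchecked, these lines go into the
  # server's Custom Configuration so clients only route the listed hosts/ranges.
  for entry in $1; do
    split_entry "$entry"
    printf 'push "route %s %s"\n' "$ip" "$(cidr_to_netmask "$prefix")"
  done
}

whitelist_rules() {
  # Option 1 as a whitelist: accept only the listed destinations coming from
  # the tunnel into the LAN, drop everything else from the tunnel.
  # The DROP is inserted first; each later -I lands above it, so accepts win.
  printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$VPN_IF" "$LAN_IF"
  for entry in $1; do
    printf 'iptables -I FORWARD -i %s -o %s -d %s -j ACCEPT\n' "$VPN_IF" "$LAN_IF" "$entry"
  done
}

blacklist_rules() {
  # Option 1 as a blacklist: keep normal routing, block just the listed
  # destinations for traffic arriving over the tunnel.
  for entry in $1; do
    printf 'iptables -I FORWARD -i %s -o %s -d %s -j DROP\n' "$VPN_IF" "$LAN_IF" "$entry"
  done
}

# Constructed sample: two hosts and one /27 on the home (server) LAN.
SAMPLE="192.168.1.10 192.168.1.20 192.168.1.32/27"
echo "# --- option 2: server Custom Configuration ---"
push_routes "$SAMPLE"
echo "# --- option 1 (whitelist): Firewall script ---"
whitelist_rules "$SAMPLE"
echo "# --- option 1 (blacklist): Firewall script ---"
blacklist_rules "192.168.1.50"
```

Pick one of the two option 1 forms, not both; the whitelist form drops everything from the tunnel that is not explicitly listed, so return traffic for connections the office initiates still flows because it leaves via br0 and is not matched by `-i tun21`.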
