
VPN Setup

Discussion in 'Tomato Firmware' started by aeonone, Sep 25, 2009.

  1. aeonone

    aeonone Network Guru Member

    Need help setting up the VPN feature included in the Tomato 1.23.8515 .5 RAF ND Thor MOD.

    I want to be able to connect while on the road back to my LAN to grab files, backup, or get secure web browsing.

    I've been following a guide I found on the net: http://blog.johnso.org/2009/08/how-to-setup-openvpn-in-tomato.html

    At the step where it says to paste in the Key, how do I get this key?

    Also, what is everyone using to connect to their VPN? I know there's a built in windows solution using the "Set up a Connection or Network" wizard. I've also found this OpenVPN GUI for windows too. What's the difference?

    Is the setup in the guide secure?

    Thanks :)
     
  2. aeonone

    aeonone Network Guru Member

    Update

    So I followed the OpenVPN documentation on how to setup the VPN using the CA certificate method.

    I tried to start up the server after populating all of the fields in the Key section and save my settings. It doesn't start up.

    VPN Server1 settings:
    TUN
    UDP
    Port 898
    Firewall Automatic
    TLS
    HMAC Disabled
    VPN subnet: 10.2.0.0 / 255.255.255.0


    Checked the general logs:

    Sep 27 11:50:26 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Sep 27 11:50:26 unknown user.info kernel: device tun21 entered promiscuous mode
    Sep 27 11:50:26 unknown daemon.notice openvpn[14347]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jul 28 2009
    Sep 27 11:50:26 unknown daemon.warn openvpn[14347]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sep 27 11:50:27 unknown daemon.notice openvpn[14347]: Diffie-Hellman initialized with 1024 bit key
    Sep 27 11:50:27 unknown daemon.err openvpn[14347]: Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations) (OpenSSL)
    Sep 27 11:50:27 unknown daemon.notice openvpn[14347]: Exiting
    Sep 27 11:50:27 unknown user.info init[1]: VPN_LOG_ERROR: 719: Starting VPN instance failed...


    Where am I supposed to upload the ca.crt?

    What does the firewall setting do?
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    To get the certificates, follow the HOWTO that is linked to on the "Keys" tab in the GUI.

    The firewall setting opens up the firewall to allow clients to connect and to allow them to contact the LAN.
     
  4. aeonone

    aeonone Network Guru Member

    I followed the OpenVPN documentation/tutorial and created the keys. I put them all in the Keys tab in the GUI. I can now start the server.

    I am trying to test this internally before opening it up. However, I am unable to connect. Should I be connecting to the router's internal IP? Or to what I set up in the VPN setup (10.2.0.0)?

    Do I also need to set up the client section (under VPN Tunnelling) to tell the server which clients to use?

    What client program are you using to connect? I downloaded this ShrewSoft VPN client for Windows. I can't connect; it says "bringing up the tunnel ..." then "negotiation timeout occurred, tunnel disabled". The authentication shouldn't take that long to occur, right?

    I still don't understand the firewall settings. Auto/external/custom. How do I tweak each? What does each one mean?

    Is there any official documentation for the Tomato version of the VPN? I'm sure it seems really intuitive, but I still have no clue what is going on.
     
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You should connect using the router's WAN IP address. If you are trying to connect from a computer already on the router's LAN, you should use the LAN IP address (but it may not totally work).

    No, the client section is for if you want the router to act as a client and connect to another VPN.

    ShrewSoft is a completely different type of VPN. You should use the client from the OpenVPN site (or another TomatoVPN router).

    Automatic means the router will set up the firewall to allow connections from the WAN and allow connected clients to contact the LAN. External only means it sets up the firewall to allow connections from the WAN, but doesn't do anything about allowing the clients to access the LAN. Custom means it doesn't do anything at all. You almost certainly want Automatic.

    This post gives a quick run down of most of the settings.
     
  6. aeonone

    aeonone Network Guru Member

    Thanks for your reply!

    I uninstalled the ShrewSoft VPN and am now using the OpenVPN client with GUI.

    When I try to connect, I get:
    Options error: On Windows, --ifconfig is required when --dev tun is used

    Not sure why windows is trying to call a linux command?
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you post what your client config looks like?
     
  8. aeonone

    aeonone Network Guru Member

    Client config looks like:
    ============
    dev tun
    proto udp
    remote x.hopto.org 898
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    ============

    I dug around and added "client" to the first line of the client config file.

    Now I get a different error in the client:

    OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 16 2009
    NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Cannot load certificate file client1.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
    Exiting

    I also get the note about script-security 2 in the server logs.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good. I suspected that was missing...

    I'd say you don't have a client1.crt file in the directory. You'll need the ca.crt, client1.crt, and client1.key files you refer to in your config.
    This can be safely ignored.
     
  10. aeonone

    aeonone Network Guru Member

    I think we're almost there :)

    You were right, I was missing those cert and key files in the config directory. I think when I reinstalled OpenVPN they got misplaced and I just assumed they were still there from my previous install. :frown: How embarrassing...

    Now the client just sits at "Connecting..." with the yellow tray icon.

    Log:
    Socket Buffers: R=[8192->8192] S=[8192->8192]
    UDPv4 link local: [undef]
    UDPv4 link remote: <MY IP>:9999

    Do I need to explicitly state the IP address in a config since I won't have DHCP from the server?
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    As long as you have a working internet connection with DNS name resolution (you can type in google.com and get to their site), you don't need to specify any IP addresses.

    Are you sure you're using the right address and port in the "remote" line in the client config (the WAN address of the router and the port specified in the server VPN page).
     
  12. aeonone

    aeonone Network Guru Member

    You're right. The port was all messed up.

    It still sits at "Connecting", icon yellow. I wish there was something telling me why it isn't connecting. :mad:
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Does anything show up in the server logs when you try to connect?
     
  14. aeonone

    aeonone Network Guru Member

    I checked the router logs:

    Sep 28 21:34:11 unknown daemon.err openvpn[16178]: TLS Error: cannot locate HMAC in incoming packet from <INTERNAL IP>:52882

    It lists this a few times, with different port numbers.

    Do I need to port forward?
     
  15. aeonone

    aeonone Network Guru Member

    I realized I had the bi-directional setting selected on the Extra HMAC auth.
    I changed it to disabled, rebooted the vpn server and tried to connect again.

    Client:
    Mon Sep 28 22:09:12 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Sep 28 22:09:12 2009 TLS Error: TLS handshake failed
    Mon Sep 28 22:09:12 2009 TCP/UDP: Closing socket
    Mon Sep 28 22:09:12 2009 SIGUSR1[soft,tls-error] received, process restarting
    Mon Sep 28 22:09:12 2009 Restart pause, 2 second(s)

    Server says something similar with the handshake failed.
     
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What do those router logs say?
     
  17. aeonone

    aeonone Network Guru Member

    Server logs:

    Sep 28 22:18:03 unknown daemon.err openvpn[16358]: <INTERNAL IP>:50056 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sep 28 22:18:03 unknown daemon.err openvpn[16358]: <INTERNAL IP>:50056 TLS Error: TLS handshake failed

    On every retry, the port changes.
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try changing the protocol and/or port (on both), try removing nobind from the client, or try adding float to the server. Something is blocking your connection (ISP?), so you just need to try different things to see what they won't block.
     
  19. aeonone

    aeonone Network Guru Member

    You were right, changing my protocol from UDP to TCP did the trick. I can now connect. Are there any security issues from changing to TCP?

    I'm on a different subnet now, do I need to setup the routing to access the original subnet?

    Thanks so much for your replies! :)
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There aren't any security issues with TCP. Performance may not be as good (probably not a big difference, though).

    Routing should already be taken care of. Can you not ping the computers on the server LAN?
     
  21. aeonone

    aeonone Network Guru Member

    TCP seems to be the only option. From offsite, it is a bit slow. Crawling sometimes when I try to access websites.

    I can't seem to ping other computers on the server side. I can ping the router, but not any of the computers.
     
  22. aeonone

    aeonone Network Guru Member

    UDP works. But not when I set the firewall to Automatic.

    I need to set to Custom, then under Port Forwarding, forward the port to the router's internal IP. Not sure how safe this is.

    After connecting, my connection stops working. Seems everything is being tunneled through the VPN connection.
     
  23. DragonCooler

    DragonCooler Addicted to LI Member

    Is there a way to use the router's default gateway when connecting remotely? Currently when I am connected I am using my non-home network gateway. I'm pretty sure this is needed for secure browsing.
     
  24. aeonone

    aeonone Network Guru Member

    There's a setting you can use in your client config file which will allow this. I've created partial and full configs using the same keys. Partial will only allow me to browse shares, full will allow me to view shares and use the router's gateway.

    I'm trying to look up what I used before, but try viewing documentation on client side in the meanwhile.
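    The mismatches that came up in this thread (a client config without the "client" line, a cert file missing from the config directory, extra HMAC auth enabled on only one side, and a wrong remote port or protocol) can all be caught before the first connection attempt by comparing the client config with the server's settings. The script below is an added example, not code from this thread, from Tomato or from OpenVPN; the server settings dict, the list of files "present" beside the config, and the sample client config are constructed here to mirror the posts above. It also reports whether a config is a split tunnel (LAN only) or a full tunnel that sends all traffic through the router's gateway, which is the difference between the partial and full configs described in the last post.

```python
"""Cross-check an OpenVPN client config against the server's VPN settings.

Added example (not from the thread, Tomato or OpenVPN). It flags the
failure modes seen above: missing 'client', referenced key/cert files that
are not in the config directory, tls-auth (extra HMAC) enabled on only one
side, and a remote port/proto that does not match the server page.
"""


def parse_config(text):
    """Parse OpenVPN config text into {directive: [args]}; later lines win."""
    directives = {}
    for raw in text.splitlines():
        # Strip '#' and ';' comments and surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def check_client_config(text, server, present_files):
    """Return a list of findings; an empty list means client and server agree.

    server: constructed dict {"proto": "udp"|"tcp", "port": int, "tls_auth": bool}
    present_files: names of the files that sit next to the client config
    """
    cfg = parse_config(text)
    findings = []

    # Windows OpenVPN refuses 'dev tun' without --ifconfig unless the client
    # pulls its address from the server; 'client' implies 'pull'.
    if "client" not in cfg and "pull" not in cfg:
        findings.append("missing 'client' directive "
                        "(Windows: --ifconfig is required when --dev tun is used)")

    # Every credential the config names must exist beside it, or OpenVPN
    # exits with 'Cannot load certificate file ...'.
    for directive in ("ca", "cert", "key"):
        if directive not in cfg:
            findings.append(f"no '{directive}' directive")
        elif cfg[directive][0] not in present_files:
            findings.append(f"{directive} file '{cfg[directive][0]}' "
                            "not found in config directory")

    # The remote port and protocol must match the server VPN page.
    remote = cfg.get("remote", [])
    port = remote[1] if len(remote) > 1 else None
    if port != str(server["port"]):
        findings.append(f"remote port {port} does not match server port {server['port']}")
    proto = cfg.get("proto", ["udp"])[0]
    if proto != server["proto"]:
        findings.append(f"client proto {proto} does not match server proto {server['proto']}")

    # Extra HMAC auth must be enabled on both sides or neither; otherwise the
    # server logs 'cannot locate HMAC in incoming packet' and the TLS
    # handshake never completes.
    if server["tls_auth"] and "tls-auth" not in cfg:
        findings.append("server has extra HMAC (tls-auth) enabled "
                        "but client has no 'tls-auth' line")
    if not server["tls_auth"] and "tls-auth" in cfg:
        findings.append("client uses 'tls-auth' but server has extra HMAC disabled")
    return findings


def tunnel_mode(text):
    """'full' if all client traffic goes through the VPN, else 'split' (LAN only)."""
    cfg = parse_config(text)
    return "full" if "redirect-gateway" in cfg else "split"


# Constructed sample: the client config as first posted in the thread.
CLIENT_CONFIG = """\
dev tun
proto udp
remote x.hopto.org 898
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
"""

# Constructed server settings: UDP, port 898, bi-directional extra HMAC on.
SERVER = {"proto": "udp", "port": 898, "tls_auth": True}

# Constructed corrected config: 'client' added, tls-auth key present.
FIXED_CONFIG = "client\n" + CLIENT_CONFIG + "tls-auth ta.key 1\n"


if __name__ == "__main__":
    for finding in check_client_config(CLIENT_CONFIG, SERVER, {"ca.crt", "client1.key"}):
        print("-", finding)
    print("fixed config findings:",
          check_client_config(FIXED_CONFIG, SERVER,
                              {"ca.crt", "client1.crt", "client1.key", "ta.key"}))
    print("tunnel mode:", tunnel_mode(FIXED_CONFIG + "redirect-gateway def1\n"))
```

Run against the thread's original config with client1.crt absent, the checker reports three findings (no "client" line, missing cert file, tls-auth only on the server); the corrected config reports none. Adding "redirect-gateway def1" to the client config is what turns the split tunnel into the full one that uses the router's gateway for web browsing.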
     
