Bi-directional VPN tunnel?

Discussion in 'Tomato Firmware' started by Sephiroth, Dec 19, 2013.

  1. Sephiroth

    Sephiroth Reformed Router Member

    Alright, I just purchased four Netgear WNR3500L v2 routers and flashed them with Shibby's 1.28 Tomato firmware. I am really liking the firmware as it seems much more mature and less buggy than the DD-WRT I have on my older WNR2000 v2. I may be making the switch to Tomato soon!

    Anyway, I see that I can run an OpenVPN server and client on each router. Since I need a two-way tunnel, should I just have each router run a client and server set to connect to each other? My only concern is that it may cause the VPN equivalent of an "Ethernet storm", where you have two patch cables run between the same two switches on a network. If this is not correct, how can I get a two-way tunnel going with Tomato? I already created my certificates and have the three branch offices connected to the main office. Branch offices can easily talk to the main office, but the main office cannot get to the branch offices. Also, one branch needs access to the other two branches. Is this even possible with this firmware?
  2. gfunkdave

    gfunkdave LI Guru Member

    Easily possible. Set your main office router as the server and the other three as clients. Each node should only be a server or client. I have no idea what would happen if you made each router a server and client - probably bad things.

    Ensure the "Manage Client Specific Options" and "Enable client<->client" checkboxes are checked on your server router.

    Ensure the "Create NAT on tunnel" checkbox is checked on each client router.

    There's a thread around here where someone links to a how-to that he made for this - ah, here it is:
    Last edited: Dec 19, 2013
  3. Sephiroth

    Sephiroth Reformed Router Member

    Thank you, I will check into this today. I have not enabled "Manage Client Specific Options" and maybe that is why I cannot see the client to client option.
  4. Sephiroth

    Sephiroth Reformed Router Member

    Just updating this thread. I have not been back to the client location and while the routers have connected and work, I cannot for the life of me get my laptop to work. It connects to the OpenVPN server, then nothing works at all. I cannot even ping the host router. As such, I have not been able to update the setting on the host router.
  5. gfunkdave

    gfunkdave LI Guru Member

    Post screen captures of the Basic and Advanced tabs for both the VPN server and one of the clients.
  6. Sephiroth

    Sephiroth Reformed Router Member

    I am using the network manager interface for KDE. I have uploaded everything that should matter. I have IPv6 disabled and yes, I disabled my firewall even though I have an exception to allow all traffic on tun0, which is created when I connect and does get the correct IP address from the OpenVPN server on the router. Thanks for the offer of help!


    By the way, I cannot bring up the server (host router) since I cannot pass data through the VPN tunnel from my laptop. I posted screenshots of that configuration. All I know is that the three remote routers have maintained a connection to the host router and that all clients on those remote networks can access the a share on a file-server on the host network. I believe the problem is in my laptop.

    Attached Files:

    Last edited: Dec 24, 2013
  7. gfunkdave

    gfunkdave LI Guru Member

    No, not screen shots of your PCs' network settings. I meant to post screen shots of the routers' OpenVPN settings pages - the Basic and Advanced tabs.

    You should set up SSH with key-based auth to provide a redundant way to access each router without relying on the VPN - very useful in VPN troubleshooting.

    Here is an example of how I have mine configured. For your purposes, you will want to ensure the Enable Client-Client is CHECKED. I unchecked mine for other reasons. As you noted, the checkbox doesn't appear until the "Manage client-specific options" box is checked.

    Ignore everything I have in the custom commands boxes - I store VPN keys on USB sticks or in JFFS.

    Note that each router's LAN will need to be on a unique subnet - as you can see, I use,, and Note that you will get IP connectivity via this method but not DNS lookup connectivity; you'll need to add some settings in each router's DNSMasq for that.

    Disable OpenVPN on each PC. Just set them up with stock DHCP settings.

    Good luck.

    Attached Files:

  8. Sephiroth

    Sephiroth Reformed Router Member

    I do not have OpenVPN on any PC. I like allowing the routers to do the work so I can just use the PC as normal and still have access to the other networks. Oh and all four locations are on different networks/subnets.

    I will be configuring the server per your instructions on Monday. I may enable SSH and I may not. I do have physical access, but just have not messed with it during my Christmas break.
  9. Sephiroth

    Sephiroth Reformed Router Member

    Alright, I am back. I had a look at the routers and enabled the settings we discussed, but still no go. Let me show you my setup.
    Code: - Office/OpenVPN Server - Owner's Home/Client A - One remote office/Client B - Other remote office/Client C
    I need, at a minimum, for B and C to be two-way, and I need A to be able to reach B, C, and the server networks, but would prefer to not allow anything back down that tunnel since it is her home. If I have to allow two-way on all three clients that is fine with me, but I need this up.

    Now, I already enabled client-to-client, but I cannot get from her home into either remote office, only the server LAN. Each location has a unique certificate and name.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice