Some guidance re tomato and VPN/OpenSSL

Discussion in 'Tomato Firmware' started by Funkoid, Aug 21, 2013.

  1. Funkoid

    Funkoid Networkin' Nut Member


    First off thanks for creating such a great resource. I've never used open source firmware but am loving the look of it.

    I've recently purchased a linksys E900 for use with tomato - I've chosen tomato over wrt as I've heard people have had issues with the E900 in the past. I'm yet to flash but have everything in place to do so.

    I'm pretty new to advanced networking but wanted to run my proposed setup past you and hopefully get some recommendations on how to accomplish it with tomato :)

    Essentially my home cable connection router will be replaced with the E900. I want the E900 to have a permanent VPN connection to an online VPN provider for private access. There will be multiple devices on the network, however I only want one or two to exclusively use the VPN and nothing else; if the VPN is down, the Internet connection is down for that device. I understand for that part I'm looking at setting up OpenSSL with tomato to achieve this (please correct me if I'm wrong!!).

    Now here's the bit I can't get my head around at the moment and am not sure of how to achieve, or even if it's possible. I would like to RDP to or access a website hosted on the VPN-only machine from a local address, but that machine will hopefully be using only the VPN connection. So my question really is: can I force all traffic down the VPN for this one machine but somehow have local access from another machine on the same local subnet to administer the VPN-only machine?
  2. ntest7

    ntest7 Network Guru Member

    Generally, a machine that uses a VPN for outside access will still have access to the local network, so that usually isn't a problem.

    If you just want one or two machines to use OpenVPN, the easiest solution is to run OpenVPN directly on those machines rather than on the router. You'll get better performance, and the config is simpler.

    If you really want to run OpenVPN on the router and just route specific machines through the vpn, you'll have to use iptables mangling to route the special machines differently from everyone else. Getting the syntax right for this isn't always obvious. There was a pretty long discussion here a couple weeks ago about using OpenVPN for specific ports; the solution for specific machines is generally the same. Good luck.
  3. Funkoid

    Funkoid Networkin' Nut Member

    Surely if I use OpenVPN on each of the protected machines I'll still suffer from the same problem of not being able to kill the Internet connection if the VPN goes offline, without using another bit of software or similar advanced routing in the Windows routing table?

    I figured that setting the machine's gateway to use the VPN via the router would in fact be a safer solution, as if the VPN drops surely nothing will be routed outside of the VPN; the connection just wouldn't be there?
  4. ntest7

    ntest7 Network Guru Member

    You can block their IP on the router. That will prevent them from accessing the internet when the VPN is down.

    If the router is providing the VPN, when the VPN goes down the router just routes all traffic normally unless you've made proper gyrations to prevent that.

    I would still pick running OpenVPN on the individual machines, but you can do whatever best suits your needs.
  5. chuck790

    chuck790 Networkin' Nut Member

    I have a similar need as the OP. I have a Linux box with a reduced kernel that does not have iptables in it (dedicated-purpose device) and do not want to run the VPN client on this device since I have no way to run iptables to set up a firewall. Since I do not have iptables on the target device, I would like to use OpenVPN on my router, which is an ASUS RT-N66U running v1.28.0500 MIPSR2Toastman-RT-N K26 USB VLAN-VPN-NOCAT.

    I would like some help/guidance with configuring the iptables to allow all my internal LAN/wireless traffic on my network to use my normal Internet and only one IP allowed access to the VPN and have the router provide same NAT/firewall protection. If the VPN disconnects, the route from the internal IP should be blocked until the VPN is back up. Any help would be much appreciated as iptables is not my area.

    I already have the VPN configured on the router, but it allows all traffic on the internal network through the tunnel by default. I have issued the 'route-nopull' option which keeps my network devices using my normal Internet, but need help from the professionals with setting the iptables to do as described in previous paragraph.
    Last edited: Aug 23, 2013
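    An added example (not from any poster in this thread) of the iptables mangling ntest7 describes in post 2, the "block their IP when the VPN is down" rule from post 4, and the single-host VPN routing chuck790 asks for in post 5, written as one Tomato script. The host address (192.168.1.50), interface names, mark and table numbers, and the script path /jffs/vpnhost.sh are all assumptions for illustration.

```shell
#!/bin/sh
# Route one LAN host through Tomato's OpenVPN client (tun11) and fail closed
# when the tunnel is down. Everything below is an assumption for illustration
# (not from the thread): host address, interface names, mark/table numbers.
VPN_HOST="${VPN_HOST:-192.168.1.50}"  # constructed: the VPN-only machine
LAN_IF="${LAN_IF:-br0}"               # Tomato LAN bridge
WAN_IF="${WAN_IF:-vlan2}"             # ppp0 on PPPoE; check 'nvram get wan_iface'
VPN_IF="${VPN_IF:-tun11}"             # Tomato's first OpenVPN client
MARK=1
TABLE=100
IPT="${IPT:-iptables}"                # set IPT=echo IP=echo to preview commands
IP="${IP:-ip}"

# Administration > Scripts > Firewall ("/jffs/vpnhost.sh firewall").
# The DROP rule is the kill switch: packets from VPN_HOST that the router
# would send out the WAN are discarded, so when tun11 disappears the host
# loses Internet instead of silently falling back to the normal route.
# Same-subnet traffic (RDP from another LAN PC) is bridged and never hits it.
vpn_firewall_rules() {
    $IPT -I FORWARD -s "$VPN_HOST" -o "$WAN_IF" -j DROP
    # Mark the host's packets so the policy rule below steers them.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -s "$VPN_HOST" \
        -j MARK --set-mark "$MARK"
    # NAT on the tunnel (Tomato's "Create NAT on tunnel" option does the same).
    $IPT -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Marked traffic consults table TABLE first; delete any stale copy of the
    # rule so reconnects do not pile up duplicates.
    $IP rule del fwmark "$MARK" table "$TABLE" 2>/dev/null
    $IP rule add fwmark "$MARK" table "$TABLE"
}

# OpenVPN route-up hook. In the client's custom config, alongside route-nopull:
#   script-security 2
#   route-up "/jffs/vpnhost.sh route-up"
# tun is point-to-point, so no gateway address is needed. The kernel removes
# this route by itself when tun11 goes away, which is why the FORWARD rule,
# not this table, is the safety net.
vpn_route_up() {
    $IP route replace default dev "$VPN_IF" table "$TABLE"
    $IP route flush cache
}

case "$1" in
    firewall) vpn_firewall_rules ;;
    route-up) vpn_route_up ;;
esac
```

One leak this does not close: if the VPN-only host uses the router (dnsmasq) as its resolver, its DNS lookups still leave over the WAN, so point that host's DNS at the VPN provider's resolver.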
  6. Malitiacurt

    Malitiacurt Networkin' Nut Member

    If your budget allows it, another solution that might be easier is to buy a router to load tomato+openvpn on it.
  7. Funkoid

    Funkoid Networkin' Nut Member

    That is the setup I'm intending on running.
  8. Funkoid

    Funkoid Networkin' Nut Member

    Just another thought: what about if I go down the wireless route, set up two SSIDs, forcing one to use the VPN and another not to? Presume that would be just as much config, if not more?
  9. chuck790

    chuck790 Networkin' Nut Member

    Well, I went the low-tech route to solve my problem as I need more time to learn iptables. I dusted off my old WL-520GU router and loaded the latest Toastman with VPN on it and put it behind my main router to serve just my target Linux box. I put a second NIC in the target box to connect to the main router. I now have firewalled VPN for the target with regular access to it from the rest of the internal network over the second NIC. She's not the fastest, but I don't have the VPN wide open. Wide open puts sysload 1+ on that 'lil WL520.

    If someone can come up with a way to do what I need as described in the earlier post, I would be willing to toss a few bux their way for compensation.