Toastman: OpenVPN with static key doesn't set routes

Discussion in 'Tomato Firmware' started by gfunkdave, Nov 23, 2012.

  1. gfunkdave

    gfunkdave LI Guru Member

    I just spent a few hours getting this to work, so I thought I'd share the experience and request the developers to streamline.

    Background: For several months I have used OpenVPN on three Tomato routers with Toastman firmware to create a seamless and always-on site-to-site VPN. I had one router set as the server, with the other two acting as clients to it. This setup uses TLS. It works great, except the latency from client to client is of course the sum of the latencies between each client and the server.

    Today, I decided to directly connect the two clients using OpenVPN and a static key. I disabled the "Enable Client-Client" setting in the existing server beforehand.

The Problem: Apparently, when using a static key, Tomato doesn't set up all the NAT and routing stuff that it does when using TLS authentication. The UI said that I'd have to set up routing, even though the "Enable NAT on tunnel" box was checked. Unchecking the box broke things further, so I left it checked.

    On the new VPN tunnel, the server LAN is, and the client LAN is

    In order to get it to work, I had to:

    On the server
    1. Set the "Local/Remote endpoint addresses" to (or another pair in a different subnet than anything else being used by client or server)
    2. Under VPN- Advanced, in the Advanced box, add the line:
    route-up "/sbin/route add -net netmask gw"
    3. Under Administration-Scripts-Firewall, add the following lines:
    iptables -I FORWARD -i br0 -o tun21 -j ACCEPT
    iptables -I FORWARD -i tun21 -o br0 -j ACCEPT
    iptables -I INPUT -i tun21 -j ACCEPT
    ip route add dev tun21
    *Note that tun21 is VPN server 1, and tun22 is VPN server 2.

    On the client
    1. On the main VPN client settings page, ensure the "Create NAT on tunnel" box is checked
    2. On VPN-Advanced, enter the following line in the Advanced Settings box
    3. On Administration-Scripts-Firewall, add the following:
    iptables -I FORWARD -i br0 -o tun12 -j ACCEPT
    iptables -I FORWARD -i tun12 -o br0 -j ACCEPT
    iptables -I INPUT -i tun12 -j ACCEPT
    *Note that tun11 is VPN client 1, and tun12 is VPN client 2.
    Can we have Tomato automatically set this up when the Create NAT on Tunnel box is checked, just as it does for a TLS connection?
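The firewall-script part of the procedure above, as an added example that is not from the thread or from the Tomato project: the same three iptables rules plus the route for the remote LAN, generated by a function so they can be reviewed without root, and guarded with `iptables -C` so re-running the firewall script does not stack duplicate rules. `tun21` and `192.168.2.0/24` are constructed placeholders; set `APPLY=1` to actually run the commands on the router.

```shell
#!/bin/sh
# Constructed example for the Administration > Scripts > Firewall box.
# The interface and subnet below are placeholders, not the thread's real values.
TUN_IF="${TUN_IF:-tun21}"                    # tun21 = VPN server 1 on Tomato
REMOTE_LAN="${REMOTE_LAN:-192.168.2.0/24}"   # LAN behind the other end of the tunnel

# Print the commands for one side of a static-key tunnel. Keeping them in a
# function lets the script be inspected (or tested) without touching iptables.
vpn_rules() {
    ifc="$1"
    remote="$2"
    # Forward traffic between the LAN bridge and the tunnel in both directions,
    # and accept traffic addressed to the router itself arriving from the tunnel.
    for rule in "FORWARD -i br0 -o $ifc -j ACCEPT" \
                "FORWARD -i $ifc -o br0 -j ACCEPT" \
                "INPUT -i $ifc -j ACCEPT"; do
        # -C only checks whether the rule exists; insert it only when it is missing.
        echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
    done
    # Static-key mode does not add the route to the remote LAN itself, so add it here.
    # 'replace' is idempotent where 'add' would fail on a second run.
    echo "ip route replace $remote dev $ifc"
}

# Apply for real only when explicitly requested, so the script is safe to source.
if [ "${APPLY:-0}" = "1" ]; then
    vpn_rules "$TUN_IF" "$REMOTE_LAN" | sh
fi
```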
  2. gfunkdave

    gfunkdave LI Guru Member

    Update: Upon further investigation, I realized that there are only a couple of extra config lines needed:

    On the server, in the VPN-Advanced box:
    route add
    On the client, in the VPN-Advanced box:
    route add
    Setting up an OpenVPN in TLS mode adds this automatically, but the static key mode requires the user to add it manually. Can the devs make it so static key mode works the same as TLS mode? It seems the "Create NAT on Tunnel" box doesn't do anything in static key mode, even though it's still present. Why is this?
  3. rs232

    rs232 Network Guru Member

    In my config I use:

    and it works. Since this is saved in NVRAM I would go for the shorter option.

  4. gfunkdave

    gfunkdave LI Guru Member

    Do you do this on the server or the client? If I only do it in one place, I can access the server LAN from the client LAN but not vice-versa.
  5. rs232

    rs232 Network Guru Member

    For site-to-site VPN you need to specify the routes on both sides unless you use the "push" on the server side.
    If you have a one-way communication problem, make sure the "create NAT on the tunnel" is disabled.
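The two-sided route setup rs232 describes, written out as an added example with constructed values (tunnel endpoints 10.9.0.1/10.9.0.2, 192.168.1.0/24 behind the server, 192.168.2.0/24 behind the client, `static.key` as the shared key file, `vpn-server.example.net` as the server's address); none of these are the thread's real values, and on Tomato only the `route` line needs to go into the VPN-Advanced custom configuration box, the rest is what the GUI generates.

```conf
# Server side (Tomato VPN Server, static key mode); constructed values
dev tun
proto udp
port 1194
# local endpoint, then remote endpoint
ifconfig 10.9.0.1 10.9.0.2
secret static.key
# Route the client's LAN into the tunnel; static-key mode adds nothing on its own
route 192.168.2.0 255.255.255.0
keepalive 10 60

# Client side (Tomato VPN Client, static key mode); constructed values
dev tun
proto udp
remote vpn-server.example.net 1194
# mirror of the server's endpoint pair
ifconfig 10.9.0.2 10.9.0.1
secret static.key
# Route the server's LAN into the tunnel; this is needed on the client as well,
# because "push" is only available in TLS server mode, not with a static key
route 192.168.1.0 255.255.255.0
keepalive 10 60
```

With the routes present on both sides, leave "Create NAT on tunnel" unchecked on both routers so replies from the far LAN are routed back rather than masqueraded and dropped.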
  6. gfunkdave

    gfunkdave LI Guru Member

    After adding the two route directives to the config.ovpn file, the "Create NAT on Tunnel" box doesn't seem to have any effect.
  7. gfunkdave

    gfunkdave LI Guru Member

    Bumping my old thread, a new issue has come up. Hopefully someone knows what's going on.

    I just got a router running Tomato for my mother in law. I'm trying to add it to my existing VPN setup by using a static key in OpenVpn and running a new server instance on my RT-N66 at home. The tunnel works fine, but my RT-N66 won't route packets from my MIL's house to other routers the RT-N66 is connected to (e.g., my parents' house). It's like I need to enable client to client on the RT-N66, but since I'm using a static key that option is invalid.

    I know I should probably just use TLS auth, and I'm happy to do so, but I wanted to see if this was possible using static key.

    My MIL's router correctly routes packets across the VPN that are destined for the other nodes on the VPN, and then my RT-N66 seems to drop them. I can traceroute and it goes across the VPN (to the private IP I've defined as the remote endpoint) and then vanishes. But if I ssh to the RT-N66, I can ping any other VPN node just fine.
