TomatoVpn and Windows

Discussion in 'Tomato Firmware' started by fluu, Dec 31, 2010.

  1. fluu

    fluu Networkin' Nut Member

    Maybe that's quite a silly question, so please excuse! :confused:

    I use Tomato 1.27VPN, and I would like to use this one as VPN Server.

    My VPN Client should be a normal XP Workstation on the Internet.

    I don't really want to install OpenVPN.
    I want to use the built-in VPN connection method that Windows provides.
    (look at the picture)

    Is there a way to do it?
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Nope, OpenVPN and the VPN protocol used in the Windows built-in client are not compatible.
  3. TT76

    TT76 Networkin' Nut Member

    Look at HOWTO on
  4. fluu

    fluu Networkin' Nut Member

    okay, thank you!

    But is there a way, maybe with another firmware (like dd-wrt) to make the vpn compatible with the windows vpn?
  5. TT76

    TT76 Networkin' Nut Member

    You can try Jean-Yves/Hydrix's MOD, which includes a PPTP server (, but it is said in the readme that the PPTP server cannot be configured via the web GUI.
    Another way is using the dualwan mod, which has a web GUI to configure the PPTP server (, but there is only a Chinese version of that mod, so maybe you have to use it via Google Translate.
  6. fluu

    fluu Networkin' Nut Member

    thank you so much! I found a dualwan EN version (1.23.0409).
    and it works great!

    but i have still a problem left.

    When I connect to the router from the internet from a normal WinXP client, without changing the standard settings, everything works fine.
    The whole traffic is tunneled over the VPN.
    And also the shares are working.

    For example:

    VPN IP Pool Addresses: [server:]
    Local Lan (where the VPN Server (linksys) is: [router IP]
    ...pool: (for example)

    When I remove the following hook (red in the picture):


    ...then the VPN is still working and traffic is now split.

    BUT ...and that's my problem, I couldn't connect to my shares any more.

    Standard-Gateway Box (red surrounded in the image) checked:
    everything is working, I could connect to share \\\Share1
    ping to is working
    ping to is working
    ping to is working

    Standard-Gateway Box (red surrounded in the image) UNchecked:
    I couldn't connect to share \\\Share1
    ping to is working
    ping to is not working
    ping to is not working

    what's wrong?
  7. rhester72

    rhester72 Network Guru Member

    When you uncheck the box, you have no route to anymore. You'll need to either define a static route to via gateway or put the following in Advanced/DHCP/Custom Configuration (untested!):


    The above assumes that ipconfig on the Windows machine has a default gateway of for the VPN connection (and that the Windows PPTP client honors DHCP option 121!).

  8. fluu

    fluu Networkin' Nut Member

    that was a good idea... but not working :(

    I also tried:

    but that was also not working.

    Here the screenshots from normal setting, without the dhcp option set:

    Here all the traffic goes over the vpn server:
    ...everything is working, shares and internet


    Here the internet traffic is normal, and goes not over the vpn server:
    ...but shares and so on are not working


    maybe I have to add some Routing here:


    ....but I have no idea what I have to insert!?
  9. rhester72

    rhester72 Network Guru Member

    Hrm - you may be right, there may be _two_ routes needed here - one on the client and one on the server.

    Can you paste a "route print" from the client with the default gateway box _un_checked and with option 121 _enabled_ in DNSmasq (with the gw) after connecting to the PPTP VPN? I just want to verify that Microsoft's client is indeed accepting/parsing option 121 and that the only remaining issue is a route back to the client from the server.

  10. fluu

    fluu Networkin' Nut Member

    i don't know... the connection between and seems not to be working.

    But I don't know how to create routes...

    here the route print and an ipconfig /ALL as requested:

  11. rhester72

    rhester72 Network Guru Member

    It looks like Option 121 is not being honored by Windows, but I'm also concerned about your netmask - why is it on both connections?

    Doing a manual route add on the XP box should help, but based on the rulechain, you don't have a route to the VPN tunnel either, so the route should look like:

    route add

    (Come to think of it - Option 121 _may_ be working, but the rule may have been ignored since you have no presence on See if you can get it working with the manual route above from the XP command prompt first.)

  12. fluu

    fluu Networkin' Nut Member

    Why do you think Option 121 is not being honored by windows?

    For the netmask I have an answer, I just let one client connect at the moment:


    Okay I will try to add this route on the XP Client.

    But there must be a way to configure that on the Server side.

    Because when I connect to the VPN I could connect to
    When I go to in the browser, when VPN is connected, then I reach the Tomato site.
    Just all the 200.200.... are not working.

    I will try and tell you tomorrow.
    good night
  13. fluu

    fluu Networkin' Nut Member

    I got an error message on the xp client:

    route: Invalid destination address

    I also tried:

    route add MASK

    ...but that also didn't work. I think the whole command should look like:

    route add MASK METRIC 3 IF 2

    --> but I don't know what number after METRIC and also I don't know the Interface. is it: 30007?
  14. rhester72

    rhester72 Network Guru Member

    You can safely exclude the metric. The interface # will potentially change each time the client is restarted/reconnects - I believe you can use the quoted interface name instead.

    BTW, the route command I posted works fine in Windows 7 - maybe there was some syntax change from XP?

  15. fluu

    fluu Networkin' Nut Member

    Which name is it?
    Is it: WAN (PP/SLIP) Interface ? ...i have two of them :\

    Think so too.

    Just an idea:
    When I change the Ip Range from the Router to
    do you think that could help?
    Because I could ping, maybe I could then ping 192.168.123 too!?
  16. rhester72

    rhester72 Network Guru Member

    Re: which interface - they should still have distinct names (maybe one has a number at the end?), use the one associated with the current PPTP connection.

    Re: changing the IP range...No - they are still separate subnets.

  17. fluu

    fluu Networkin' Nut Member

    that worked:

    route add mask

    --> now i can go to tomato site on AND

    BUT I still can't reach the computers behind... for example:
  18. rhester72

    rhester72 Network Guru Member

    The gateway should be, not

  19. fluu

    fluu Networkin' Nut Member

    Yes, I know, and I think it is, isn't it!?

    Look at post #12 -> these are my settings for VPN! is the VPN IP the XP client got from the VPN server.

    I read a similar route add somewhere on the internet and I wanted to give it a try, and the XP client accepted the command (to my surprise), and now I could go to the router also with AND

    But the main problem is still up. no connection to the clients (

    What could be wrong?

    Which settings could I have made wrong?

    Do you need more screenshots?

    Tell me what you need and I'll provide!

    Thank you for your support!
  20. fluu

    fluu Networkin' Nut Member

    Should I make some changes here?

  21. rhester72

    rhester72 Network Guru Member

    See above.

    You can ping with the "wrong" gateway because the destination is actually the same machine. The gateway _must_ be the PPTP server.

  22. fluu

    fluu Networkin' Nut Member

    You were completely right!

    route add mask IF 0x60003

    IS WORKING GREAT !!!! :thumbup: :thumbup:

    But how could I make this route permanent?

    When I close the VPN connection and reopen it, the interface changes to 0x70005, for example.

    and when i try: route add 200... mask ... IF WAN PPP

    (WAN PPP the name of the connection)

    --> that doesn't work. :confused:

    is there a way to push this route over the vpn server?
  23. rhester72

    rhester72 Network Guru Member

    DNSMasq _should_ be pushing the route over DHCP with the option statement, but based on the route table you printed post-connection, it doesn't look like that's happening. tcpdump should be able to verify that DNSMasq is indeed pushing the option (and I've never seen that -not- happen), but actually doing something with the result is the responsibility of the DHCP client (in this case, on Windows). If it's ignoring options, I don't really know how to troubleshoot that, as I'm not really a Windows networking expert. ;)
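
Added example, not part of the thread and not any poster's code: post 23 suggests confirming with tcpdump that dnsmasq really sends DHCP option 121. The Python below decodes that option (RFC 3442 encoding) from the raw options bytes of a captured reply; the sample bytes and every address in them are constructed, not taken from this thread.

```python
import ipaddress

OPT_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442

def find_option(options, code):
    """Walk the DHCP options TLV (the bytes after the magic cookie)."""
    i, found = 0, None
    while i < len(options):
        tag = options[i]
        if tag == 255:            # End option
            break
        if tag == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if tag == code:           # an option may be split across instances
            found = (found or b"") + value
        i += 2 + length
    return found

def decode_routes(payload):
    """Return [(destination CIDR, gateway)] from an option 121 payload."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError("prefix length > 32")
        n = (plen + 7) // 8       # only the significant octets are sent
        end = i + 1 + n + 4
        if end > len(payload):
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Address(payload[i + 1:i + 1 + n] + bytes(4 - n))
        gw = ipaddress.IPv4Address(payload[i + 1 + n:end])
        routes.append((f"{dest}/{plen}", str(gw)))
        i = end
    return routes

# Constructed sample: msg type ACK, netmask /24, option 121 carrying
# 192.168.50.0/24 via 10.8.0.1, then End.
SAMPLE_OPTIONS = bytes.fromhex("350105" "0104ffffff00" "790818c0a8320a080001" "ff")

if __name__ == "__main__":
    raw = find_option(SAMPLE_OPTIONS, OPT_CLASSLESS_STATIC_ROUTE)
    print(decode_routes(raw) if raw else "option 121 not present in reply")
```

If the option is present on the wire but the route never shows up in `route print`, the problem is on the client side, which is the distinction post 23 is drawing.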

  24. fluu

    fluu Networkin' Nut Member

    i made another screenshot of it:

    (maybe you could see anything that could be wrong!?)


    are you sure that this should look like this:


    ...couldn't it maybe look like this:

    dhcp-option=121,, :confused:


    dhcp-option=121, mask :confused:
    dhcp-option=121, mask :confused:

    another thing (maybe it's normal, I don't know):

    if I add route:

    route add mask IF 0x20007
    ...then I have access to for example...

    But DNS seems not to be working... when I try to reach the computer with his name it didn't work... it's just working with his IP address.

  25. fluu

    fluu Networkin' Nut Member

    I have great news!

    I have access to my network without adding something in dnsmasq or doing some manually routing.

    short summary:
    -linksys with dualwan mod (
    -One Computer-IP in this LAN:

    Now I could connect with a normal Win. XP Pc from anywhere on the internet.
    His IP in any LAN, which is connected to the internet is:
    [ mask GW:]

    \\\share ALL working now! :)

    These are my VPN-Server settings:


    and here is my "route print" from the XP Client:


    ###################################################### let's come to the open Bugs:

    - DNS is not working (it's not important to me, so keep that behind)
    - Connecting to another Linksys with dual wan mod isn't working
    --> I think I have to configure something in the GREEN surrounded field from the picture above!

    LAN Configuration of the "VPN Client Router":

    His IP:

    ...and he will get the IP from VPN-Server:

    And I also didn't know what to fill out here {RED surrounded field}:


    I tried:

    on the "Overview site" the field "server sub" has the name "network"

    so I tried these IPs:

    any ideas, what I could fill in??

    --> but i think i'll make a new thread because the topic didn't fit any more.
