TomatoVPN from scratch!

Discussion in 'Tomato Firmware' started by Delta221, Apr 5, 2009.

  1. Delta221

    Delta221 Addicted to LI Member

    TomatoVPN from scratch! (SEE PAGE 2 for a quick and dirty HOWTO)

    My setup: A fresh install of Tomato VPN v1.23vpn3.0000.
    Openvpn certificates are generated, and I can connect to my vpn server (tun interface) with a port forwarding rule.

    Now can someone tell me, step by step, which firewall rules I have to edit to be able to ping between my remote client and my router? I don't want anything fancy; I don't want to be able to communicate with other machines on the remote network. I just want to be able to ping my router. (These services are filtered by my ISP and I can't access them remotely.) I want to do other things later on, but for now I want to take it step by step.
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Do you specifically want to NOT be able to access the LAN machines? Or is it just not a requirement?
    By default, you should have access to the router already.

    So is your ISP blocking SSH no matter what port it is on? If you can connect SSH at all, that would probably be more in line with what you want. Plus, you could use regular Tomato instead of TomatoVPN.
  3. Delta221

    Delta221 Addicted to LI Member

    I'm on a school network, so all sorts of servers/filesharing is filtered. SSH doesn't work at all. I don't need to reach any other clients on the router's network, because no one else has access to the router in my room, so I don't want to add extra configurations which I will never use.

    I set the firewall option in the openvpn menu to automatic, though it doesn't work. What must I change? When I am away on a remote network, openvpn connects to my router, though I can't ping the router (vpn host), and vice versa. The router has everything on the default setting, except for the openvpn key files I generated.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The reason I ask is that it would take extra configuration to NOT allow access to the LAN...
    There is probably a mismatch in settings between server and client and/or a subnet conflict. I suggest using TUN and setting your LAN's subnet (and the VPN subnet) to something different from anywhere you're going to be connecting from (i.e., LAN:, VPN:
    Try changing those settings and making sure everything matches on your client config.
  5. Delta221

    Delta221 Addicted to LI Member

    I was always trying it with dev tun and udp. After playing around I switched it to tcp, and it worked when I switched the server to proto tcp, and set my client to proto tcp-client (would not work with "proto tcp" alone). Is something wrong with UDP connections in this build? When it connected with UDP in the past, the connection would also drop...

    One other thing I noticed is that I can never establish a connection when bi-directional HMAC authorization is selected (yes, I have a key generated for that). Are these known bugs?
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This has happened to a couple of people. It seems to be due to flaky connections between the endpoints - UDP by nature doesn't handle this gracefully (its also what makes it so efficient...when it works). I don't think this is an OpenVPN bug (or a TomatoVPN bug), just a side-effect of using UDP over a flaky connection. That, or something is blocking the UDP traffic along the way.
    Do you have bi-directional HMAC authorization enabled on the client, too? You will need
    tls-auth /path/to/static.key
    in your client config (note there is not a number after the file).
  7. Delta221

    Delta221 Addicted to LI Member

    I don't know what you mean by "flaky", but my connection is very stable. After all, my school has been able to effectively prevent filesharing and torrents, so everything runs with very low latency, and I have never seen internet access go down. I installed the openvpn server on the pc in my room, and took my laptop to a coffee shop and it was absolutely stable with TUN/UDP. The connection did not drop once in over an hour.

    I don't know why it did not work with my router, I used the exact same certificates and configuration (I did not use any options to see if it worked)... This is why I thought there was some firewall rule, or something that needed to be changed on the router which has been messing everything up, because I turned off the firewall on my pc when I was testing it remotely.

    I specified the location of the secret key file on my client, or else the connection would not initiate. Could it be an issue with cpu usage or memory? I am using a WRT54GL, and these things are only 200MHz... maybe cpu usage is going up high and it is choking?
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm not sure then. I use UDP on my WRT54GL just fine, so I don't know what could be going wrong for a limited number of users. If you're willing, you could try to get help from the OpenVPN IRC channel and see if they can help out. If you find something and report back here, it would help others who are experiencing this. I am not experiencing this problem, so I only have Google to help debug it - and apparently the answers I found are not complete (since it doesn't explain your issues). If you find it is an issue with firewall rules or otherwise with the firmware, I could correct it in future versions.
    But you said before that it would not connect... Note that the client config has to be complementary to the server for HMAC authentication to work. If the server config specifies 1, then the client must specify 0 (and vice versa). If the server config specifies bi-directional (no 1 or 0 specified), then the client must also specify bi-directional. As I stated before, please check that bi-directional is specified in the client config (no number after the path).
  9. Delta221

    Delta221 Addicted to LI Member

    After many frustrating hours, I managed to get this thing working :biggrin:

    It appears I can connect to my vpn server, but NOTHING works without this ONE line in the custom configuration box:


    Yes that ONE smelly line.... I also added this feature which I need:

    push redirect-gateway


    One suggestion: remove all the older ciphers and add in AES.

  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmmm, you shouldn't need that line. Could you, by chance, log in to the router via ssh/telnet and post the contents of /etc/openvpn/server1.ovpn while the server is running?
    Easier said than done. I make all of the supported ciphers an option, but which ones are supported is due to the version of OpenSSL included. I (and others) made a couple of attempts to upgrade OpenSSL, but have not been successful. I still hope to do that sometime, though.
  11. Delta221

    Delta221 Addicted to LI Member

    Definitely... I'll do it tonight (About 8 hours from now).

    Oh I see.. If you find an OpenSSL version that supports Elliptic Curve Cryptography (ECC) that would be amazing... It is supposed to be much faster and more secure than RSA, and will eventually replace it in my opinion. I think the U.S. military uses it now, though there are some patents on some of the ciphers. I saw it in OpenSSL 0.9.8g (I think), under the experimental ciphers... I got to compile it into Apache and it was fantastic.

    Thank you for your efforts!
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The last version I tried to compile into the firmware was 0.9.8i, and when I get around to trying again, I'll use the latest version. It looks like ECC will not be enabled by default until 0.9.9, but if I get it upgraded pre-0.9.9 sans ECC, I'll consider trying to enable it.
  13. Delta221

    Delta221 Addicted to LI Member

    :confused: I removed that option to see that it would not work, though it is now working... I don't know what to say, I was trying to get it up for hours last night..... grrr...

    Well here it is anyway:

    # cat /etc/openvpn/server1.ovpn
    # Automatically generated configuration
    proto udp
    port 45646
    dev tun21
    cipher BF-CBC
    comp-lzo yes
    keepalive 15 60
    verb 3
    push "route"
    tls-auth server1-static.key
    ca server1-ca.crt
    dh server1-dh.pem
    cert server1.crt
    key server1.key
    status-version 2
    status server1.status

    # Custom Configuration
    auth SHA1
    key-method 2
    push redirect-gateway bypass-dns
    replay-window 60 15
    group nobody
    user nobody
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmm, I thought it was odd you would need an ifconfig line. However, you should certainly not use the ifconfig line you have shown above. It is formed as a TAP ifconfig directive (ip/netmask). For TUN, ifconfig takes local/remote tunnel address as its parameters, so you're telling it "I am and I'm talking to". The proper ifconfig line is run as part of the "server" directive (it also pushes the correct ifconfig directive to the clients).

    Also, you don't need "tls-server", as that is also included in the "server" directive.
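    As an added example, not code from TomatoVPN, OpenVPN or any poster in this thread: a small Python check that applies the compatibility rules discussed above to a server/client config pair. It checks that proto pairs up (udp with udp, tcp-server with tcp-client), that dev type, cipher and comp-lzo match, that the tls-auth key direction is complementary (bi-directional with bi-directional, 1 with 0, 0 with 1), and that the server config does not carry an ifconfig or tls-server line beside the server directive that already covers them. The two sample configs, their addresses, host name and file names are constructed for the example and are not the configs posted in this thread.

```python
"""Consistency check for an OpenVPN server/client config pair (added example).
Covers the mismatches discussed in the thread: proto, dev type, cipher,
comp-lzo, tls-auth key direction, and ifconfig/tls-server lines that the
'server' directive makes redundant. Sample configs below are constructed."""
import re


def parse_ovpn(text):
    """Parse an .ovpn file into {directive: [args, ...]}; first occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or line.startswith(';'):
            continue
        parts = line.split()
        # strip the quotes around pushed options, e.g. push "redirect-gateway"
        conf.setdefault(parts[0], [a.strip('"') for a in parts[1:]])
    return conf


def tls_auth_direction(conf):
    """None if tls-auth is absent, 'bi' when no key-direction number follows the path, else '0'/'1'."""
    args = conf.get('tls-auth')
    if args is None:
        return None
    return args[1] if len(args) > 1 else 'bi'


def comp_lzo(conf):
    """True when LZO compression is on ('comp-lzo', 'comp-lzo yes', 'comp-lzo adaptive')."""
    args = conf.get('comp-lzo')
    return args is not None and (not args or args[0] != 'no')


def dev_type(conf):
    """'tun' for dev tun or tun21, 'tap' for tap or tap0; an explicit dev-type wins."""
    if 'dev-type' in conf:
        return conf['dev-type'][0]
    return re.sub(r'\d+$', '', (conf.get('dev') or [''])[0])


# Valid proto pairings; a bare 'tcp' is deliberately absent so it gets flagged.
PROTO_PEER = {'udp': 'udp', 'tcp-server': 'tcp-client'}
# tls-auth directions must be complementary: none<->none, bi<->bi, 1<->0, 0<->1.
DIR_PEER = {None: None, 'bi': 'bi', '0': '1', '1': '0'}


def check_pair(server_text, client_text):
    """Return a list of problems found in the pair; an empty list means it is consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []

    sp = (s.get('proto') or ['udp'])[0]
    cp = (c.get('proto') or ['udp'])[0]
    if sp not in PROTO_PEER:
        problems.append(f"server proto '{sp}' is ambiguous; use udp or tcp-server")
    elif cp != PROTO_PEER[sp]:
        problems.append(f"proto mismatch: server {sp} needs client {PROTO_PEER[sp]}, got {cp}")

    if dev_type(s) != dev_type(c):
        problems.append(f"dev mismatch: server {dev_type(s)!r} vs client {dev_type(c)!r}")

    # BF-CBC is the OpenVPN 2.x default when no cipher line is given.
    sc, cc = (s.get('cipher') or ['BF-CBC'])[0], (c.get('cipher') or ['BF-CBC'])[0]
    if sc != cc:
        problems.append(f"cipher mismatch: server {sc} vs client {cc}")
    if sc == 'BF-CBC':
        problems.append("cipher BF-CBC is the legacy default; use an AES cipher if the build's OpenSSL offers one")

    if comp_lzo(s) != comp_lzo(c):
        problems.append("comp-lzo is enabled on one side only")

    sd, cd = tls_auth_direction(s), tls_auth_direction(c)
    expected = DIR_PEER.get(sd, '?')
    if expected != cd:
        problems.append(f"tls-auth direction mismatch: server {sd or 'none'} needs client "
                        f"{expected or 'none'}, got {cd or 'none'}")

    if 'server' in s:
        if 'ifconfig' in s:
            problems.append("'ifconfig' alongside 'server': the server directive already assigns the tunnel "
                            "addresses (and in TUN mode ifconfig takes local/remote, not ip/netmask)")
        if 'tls-server' in s:
            problems.append("'tls-server' is redundant with 'server'")
    elif 'ifconfig' not in s:
        problems.append("server sets neither 'server' nor 'ifconfig'; no tunnel address will be assigned")
    return problems


# Constructed sample pair modelled on the thread's settings; addresses and names are made up.
SERVER = """
proto udp
port 45646
dev tun21
server 10.8.0.0 255.255.255.0
cipher AES-128-CBC
comp-lzo yes
keepalive 15 60
tls-auth server1-static.key
ca server1-ca.crt
dh server1-dh.pem
cert server1.crt
key server1.key
push "redirect-gateway bypass-dns"
user nobody
group nobody
"""

CLIENT = """
client
proto udp
remote vpn.example.invalid 45646
dev tun
cipher AES-128-CBC
comp-lzo
tls-auth static.key
ca ca.crt
cert client.crt
key client.key
"""

if __name__ == '__main__':
    print(check_pair(SERVER, CLIENT))  # consistent pair: []
    # client given a key direction while the server is bi-directional
    print(check_pair(SERVER, CLIENT.replace('tls-auth static.key', 'tls-auth static.key 1')))
```

    Run it as-is to see the consistent pair pass and the mis-set tls-auth direction get flagged; to check real files, read both into strings and call check_pair on them. The default for a missing cipher line follows OpenVPN 2.x behaviour, and a bare proto tcp on the server is reported rather than guessed at, since the thread shows it behaving differently from tcp-server/tcp-client.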
  15. Delta221

    Delta221 Addicted to LI Member

  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, I've seen that, but it requires OpenSSL to first be upgraded to a version that supports ECC.

    Thanks, though!
  17. Delta221

    Delta221 Addicted to LI Member

  18. gte024h

    gte024h LI Guru Member
