VPN Server on tomato, possible?

Discussion in 'Tomato Firmware' started by wycf, Oct 14, 2006.

  1. wycf

    wycf Network Guru Member

    Is it possible to set up OpenVPN on Tomato? I know that DDWRT is an option but I do like Tomato. :}

    Any advice? Thanks.
  2. Lunasea

    Lunasea Guest

    Right now the only feature that Tomato is missing, to me, is OpenVPN which still makes me use OpenWRT. Adding OpenVPN would make me trash OpenWRT in a second :)
  3. Rafatk

    Rafatk Network Guru Member

    Yeah I'm missing that too.
    Great fw!!!
    But I saw in /usr/sbin that the pptp and pppd packages are there.
    Isn't it the pptp server? If it is, is there any way to activate that?

    Thanks in advance.
  4. LAGMonkey

    LAGMonkey Network Guru Member

    The problem is that adding features would start to bloat the code of what is essentially a very good bandwidth shaping firmware.

    I personally don't need the VPN server or anything else but what is currently in Tomato.
  5. canis

    canis Network Guru Member

  6. johnny2002

    johnny2002 LI Guru Member

    I like Open VPN also. Anyone had a try?
  7. pablito

    pablito Network Guru Member

    You could try it but I would think that good VPN (proper encryption and compression) would be a lot to ask of a WRT. I run OpenVPN *through* a WRT and that works great. I use a route on the VPN config to reach the LANs and with a static route on the WRT back to the OpenVPN machine I get net-net without a problem.

    The far endpoint is a linux firewall and I make that end the server so I don't need any port forwarding on my end which is more secure. Works a treat.
  8. johnny2002

    johnny2002 LI Guru Member

    I found there are pppd and l2tpd under "/usr/sbin". Maybe there is a way to run up l2tpd.
  9. johnny2002

    johnny2002 LI Guru Member

    Problem starting up l2tpd

    I tried to start up l2tpd but got the following message:
    # /usr/sbin/l2tpd start
    Error: Option [global] is not known in this context
    FATAL: Option [global] is not known in this context

    Here is the /tmp/l2tpd.conf:
    port = 1701

    [lns default]
    ip range =
    local ip =
    require chap = yes
    refuse pap = yes
    require authentication = yes
    name = www.***.cn
    ppp debug = yes
    pppoptfile = /tmp/options.l2tpd
    length bit = yes
  10. johnny2002

    johnny2002 LI Guru Member

    content of /tmp/options.l2tp

    name JXVPN
    logfile /var/log/l2tpd.log
  11. johnny2002

    johnny2002 LI Guru Member

    Content of /tmp/chap-secrets

    # Secrets for authentication using CHAP
    # client server secret IP addresses
    test * "123456" *
    111 * "222" *
  12. wycf

    wycf Network Guru Member

    Any update on this? I don't like DDWRT so if Tomato can't handle VPN then I guess I have to move to OpenWRT.
  13. canis

    canis Network Guru Member

    More or less, no. Think about it: a 200 MHz processor cannot handle the necessary encryption code for a real running VPN based on PPTP; you should think about something unencrypted.
    But if your upstream wouldn't exceed 60 KB/s, it's ok.
  14. wycf

    wycf Network Guru Member

    Thank you for the reply, canis.
    I need to go to China in Dec. and I need some way to browse the internet freely. In China today, you are under control. Even the search results from Google are different from the rest of the world. So I think if I can establish a VPN tunnel to my home Tomato (in Canada) then I can use it as a gateway to browse the Internet. Is there any other way to make this work? I don't want to set up an OpenVPN server at home running 24x7 when I am away.

    Sorry this is a little off topic.
  15. Disman_ca

    Disman_ca Super Moderator Staff Member Member

  16. Rafatk

    Rafatk Network Guru Member

    Why not exceed 60 Kb/s? Would that cause some problem?
  17. dtswk

    dtswk Network Guru Member

    I run OpenVPN at home as well as Hamachi... Hamachi is waaaaaaaaaay easier and generally works fine.. OpenVPN is nicer in that it will work through HTTP proxies a little better...

    You can install either on your desktop machine at home and simply make a port forward in your router.. that way there's no load on your router, and then use something like VNC to control your desktop and use a browser...

    If you wanna get real neat you can use OpenVPN to force all traffic via it, therefore you can browse from your machine without remote control... details are on the OpenVPN site.

    One trick that might help is that you need to set up a static route on your router to forward the OpenVPN traffic back via your PC.

    Anyhoo, if you need a hand post back and I'll see if I can help.

  18. johnny2002

    johnny2002 LI Guru Member

    Bad idea. How can you turn on your PC 24x7?
  19. wycf

    wycf Network Guru Member

  20. dtswk

    dtswk Network Guru Member

    Err how about wake on LAN ...?

    Just full of answers aren't I :)

    pffft Bad Idea he he he
  21. johnny2002

    johnny2002 LI Guru Member

    I felt it isn't so far from running l2tpd under tomato.:biggrin:
  22. bokh

    bokh Network Guru Member

    More on Hamachi and Tomato

    Please share some knowledge here.
    I got Hamachi working on a FreeBSD-system that is behind the WRT54. OpenVPN works out-of-the-box, but not Hamachi.
    It worked before I used a WRT54, but now I can't login to / with Hamachi (error 6 0 4 ), even when I open ports TCP-12975 and both-32976 in Tomato. AFAIK it is something with different / random UDP-ports that are opened when login is successful.
  23. dtswk

    dtswk Network Guru Member

    Using Hamachi with NO changes to the firewall or specific port forwarding in my router ...

    I had to let the Firewall on my machine know and allow the traffic.

    I know Hamachi has the magic port option but I've never needed it... and I've helped hmm at least 6 other people set up and they haven't done anything other than install and allow the traffic when ZoneAlarm etc pops up.

    You're sure it's not something on your machine blocking it ...?
  24. q20

    q20 Network Guru Member

    A PPTP server in tomato would be killer. I'm currently using dd-wrt for my VPN server, but I'm actually a little sick of it (dd-wrt, that is). I dislike the QoS implementation, plus I find the WDS unstable. I'm now running tomato on my WDS router and I'm thrilled to bits with it. Seriously awesome firmware. Looks great and runs like a dream. The interface is incredibly snappy too.

    But the lack of a VPN server is preventing me installing it on my main router. I need PPTP. It's easy to set up on Windows clients and I frequently need to be able to access my home network from all over the place.

    Just my 2c worth. Couldn't hurt to have it added, surely?
  25. spyderco

    spyderco Network Guru Member

  26. nsumner

    nsumner LI Guru Member

    Okay, my 2 cents worth. Packages. Yes Packages. What I would like to see is an add-on to the web interface to allow you to install packages.

    Therefore we add 1 feature to the firmware and people can add what they want. While not adding bloat that other users don't want.
  27. sorian25

    sorian25 LI Guru Member

    Can't get SSH to work


    Post removed, I got it figured out. The instructions for SSH tunneling with putty were wrong on some things.
  28. sorian25

    sorian25 LI Guru Member


    Thanks to the posters in this thread. I was able to get SSH up and running and love the convenience. One question though. Is there an easier way to block incoming connections on 3389 and 5900 and still keep my computer in the DMZ? Right now I just have port forwarding set to forward requests to an unused IP.
  29. shadow2k6

    shadow2k6 LI Guru Member

    This SSH tunnel is awesome. I followed the instructions in the links provided above and I am now able to access the internet connection of my home network remotely and attach to the gui and filesystem on my router. However, I am unable to use RDP on 3389 to get to a local machine on my remote LAN. When I open my putty session (like I would for the remote internet sessions) and open Remote Desktop Connection, I get this error message: "The client could not connect. You are already connected to the console of this computer. A new console session cannot be established." I set this up in the tunnel section of putty using local port 3389 to go to then I opened up RDP and typed localhost. It prompted me to login and when I tried to login that is when I got the message that I put in quotes above. Any ideas?
  30. sorian25

    sorian25 LI Guru Member


    Same thing happened to me. Try this:
    In Putty under Tunnels add one with the source being and the destination as the <IP of computer you want to RDP into>:3389. The radio buttons should be on Local and Auto. When you want to connect to the computer connect the SSH and start remote desktop. Use as the ip you want to connect to.

  31. shadow2k6

    shadow2k6 LI Guru Member

    Thanks, that somewhat worked. I am now able to access from my local segment through the SSH tunnel, but unable to access from my work segment. It looks like is somehow intercepted and routed back to my local workstation (at work). The login also seems to want a domain name (maybe some type of group policy issue). I will continue to play with this. I feel like I'm now really close. Any other suggestions?
  32. sorian25

    sorian25 LI Guru Member

    I forgot to ask what operating system you are using for home and work.
  33. shadow2k6

    shadow2k6 LI Guru Member

    XP, Version 5.1.2600 Service Pack 2 Build 2600 on both. I believe you're going the direction of the XP firewall. I noticed that my work machine has the advanced tab of my LAN connection grayed out so I can't tell what is allowed and not allowed at the moment. My home machine has this tab available.

    Edit: Windows firewall is grayed out and appears to be set to OFF. The Exceptions tab has each of the programs and services controlled by Group Policy (File and Print Sharing, Remote Desktop, and uPnP Framework are also grayed out with a YES setting). The Advanced tab has nothing checked and they're all grayed out.
  34. sorian25

    sorian25 LI Guru Member

    Is listed in the Hosts file at work?
  35. shadow2k6

    shadow2k6 LI Guru Member

    Unfortunately no. Only 1 entry for to localhost. Did you test yours with your work network? My network has traditional firewalls, proxy server, and standard AD network with group policy security.
  36. wycf

    wycf Network Guru Member

  37. sorian25

    sorian25 LI Guru Member

    I don't have a network at work. I have only been able to test it from other peoples homes.
  38. shadow2k6

    shadow2k6 LI Guru Member

    wycf, this information was similar to a link that was posted earlier, but did not seem to help. I appreciate the help, though.

    Sorian25, I'm still struggling, but still doing a lot of surfing in hopes of finding a working configuration. I'm not giving up and will post again if I find something soon. However, the RDP solution from one home network to another will prove most beneficial regardless if a solution arises with my work network or not. It will be nice helping my family out remotely instead of the blind troubleshooting that I had to do in the past.
  39. sorian25

    sorian25 LI Guru Member

    Try this. Make a new tunnel in putty with the source being and the destination the way you have it (ie Then try using remote desktop and enter Let me know, I haven't given up either. :)
  40. dtswk

    dtswk Network Guru Member

    Seriously you should checkout Hamachi ... nearly zero config VPN solution.. combine with UltraVNC or RemoteDesktop and you got a great solution.. The user can also turn it off whenever they like.

  41. shadow2k6

    shadow2k6 LI Guru Member

    Sorian25, I tried that and it worked! However, I went back and reviewed the configuration and actually trimmed it back down to pretty much the original configuration that you suggested. Here was the change that fixed the problem. The port forward apparently *MUST* occur. I apologize because you had the correct solution all along. The command that I had that worked at home, but oddly did not work at work was [source: to destination (same port)]. Your solution of source: (or whatever port other than 3389) to destination was the winner and the only tunnel needed for RDP on XP SP2! Many thanks!!!

    dtswk, I can now sleep tonight knowing that this works. I will play with hamachi and compare it to the ssh tunnel another night soon.
  42. sorian25

    sorian25 LI Guru Member

    Glad I could help and glad you got it working.
  43. Asmodeo

    Asmodeo LI Guru Member

    Hi All,

    I'm trying to set up an ssh tunnel as suggested earlier in this thread (http://www.geek-pages.com/articles/...via_dd-wrt_and_your_windows_workstation.html),
    but it seems that I'm making some kind of mistake because it's not working.
    What's happening is that when I try to open the connection with putty I get a black screen without any request for user/pwd.
    I configured putty on port 443 because this is the only one that our company proxy allows.

    Any suggestion will be really welcome.

  44. shadow2k6

    shadow2k6 LI Guru Member

    Two suggestions: First of all, my connection takes for what seems like forever to come up (actually it is about 30 seconds, but it feels like forever). Second, make sure if you have a proxy server at work that you put in your proxy server name, port, and login credentials. This is in the connection, proxy section. Also, does your putty connection work on your home network?
  45. shadow2k6

    shadow2k6 LI Guru Member

    Question for Sorian or anyone else: I know this sounds crazy, but has anyone tried to create a tunnel for VPN through SSH? I realize that this is essentially a tunnel in a tunnel, but VPN is blocked through most firewalls and this would seem to be a possible method of tunneling the DNS requests that unfortunately do not travel through the SSH tunnel. I'm currently running a wrt54gl with Tomato and a wrtsl54gs with Thibor 16 which includes the PPTP VPN. The Hamachi solution does not seem to be what I'm looking for unless I'm missing something. It appears that Hamachi is really a good PC to PC solution. I'm looking for a PC to router solution (to Linksys).
  46. sorian25

    sorian25 LI Guru Member

    I have only done VNC and remote desktop over SSH, besides regular web browsing. I don't see any reason VPN couldn't also be routed over SSH.
  47. Asmodeo

    Asmodeo LI Guru Member

    Thank you shadow2k6, I have added the proxy server configuration to putty and it works now.
  48. paped

    paped LI Guru Member

    Just another option which may help people regarding VPNs is to use SSL Explorer which is GPL (or similar) and can be found on sourceforge http://sourceforge.net/projects/sslexplorer/ . This is a browser based SSL VPN but does support MS RDP/VNC and a number of other terminal server type apps via the SSL tunnel. I use this and it works very well, and all you need to do on the router is some port forwarding as the server application is PC based, not router based.

    Personally, regarding adding VPN to Tomato, I would agree with some of the other previous posts, in that Tomato needs to be kept lightweight and not become bloated, as at present it is easy to configure, feature rich and is excellent firmware. If you need features like VPN and must have them on your router, use the heavyweight and bloated firmwares such as DD-wrt etc rather than getting them added to Tomato and spoiling it..... The reason why many people including myself have moved to Tomato is because it is not bloated like DD-wrt, with 10s or 100s of options that most users would never use or need.
  49. digitalgeek

    digitalgeek Network Guru Member

    I have been using PC-anywhere, which gives me remote access and file transfer access. Unlike a VPN, I cannot use my router as a gateway, but I am able to do other things, like start and stop BT remotely, etc. which is fine for me.
  50. snajgel

    snajgel Network Guru Member

    Is it possible to access file shares through SSH? If it is, how?
    I'm using putty accessing rdp today.
  51. wycf

    wycf Network Guru Member

    But then you need to keep the PC with pcAnywhere running 24x7. Can you remotely turn on or wake up the PC when you need to access your pcAnywhere?
  52. elscorcho

    elscorcho LI Guru Member

    Not necessarily - he can set up Tomato to allow external web administration, send the Wake On LAN packet, and then access his PC once his computer is completely booted. I control my PC through this method, except I use a combination of Hamachi and VNC to control/share my PC.
  53. edlogic

    edlogic LI Guru Member

    DNS requests through SSH in Firefox

    If you are using Firefox then in the address bar put


    then scroll down to


    change it to true and your DNS is going through your SSH connection .
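The DNS point raised in this post and earlier in the thread comes down to what the browser puts in its SOCKS5 CONNECT request to the SSH dynamic forward. As an added illustration (not code from the thread or from Firefox/PuTTY), the following builds and parses RFC 1928 CONNECT requests: with remote DNS the hostname itself (ATYP 0x03) is sent and the SSH end resolves it; without it the browser resolves the name locally first and only an IP address (ATYP 0x01/0x04) goes down the tunnel, so the lookup leaks to the local resolver. Hostnames and IPs in the test are constructed samples.

```python
import ipaddress
import struct

# SOCKS5 (RFC 1928) field values used by the CONNECT request
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_connect(dest: str, port: int) -> bytes:
    """Build the CONNECT request a SOCKS5 client sends after authentication.

    A client that resolves names itself passes the IP it looked up (ATYP 0x01
    or 0x04), so the DNS query has already left via the local resolver.  A
    client configured for remote DNS passes the hostname unchanged (ATYP 0x03)
    and lets the SSH end resolve it inside the tunnel."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        # not an IP literal: send the name itself, resolution happens remotely
        name = dest.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5") from None
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(data: bytes):
    """Parse a CONNECT request; returns (dest, port, dns_resolved_remotely)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("not a CONNECT command")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        addr_len, dest = 4, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        addr_len, dest = 16, str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr_len, dest = 1 + n, data[5:5 + n].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    off = 4 + addr_len
    if len(data) != off + 2:
        raise ValueError("length mismatch in CONNECT request")
    (port,) = struct.unpack("!H", data[off:off + 2])
    # only a domain-name request keeps the lookup inside the SSH tunnel
    return dest, port, atyp == ATYP_DOMAIN
```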
  54. roadkill

    roadkill Super Moderator Staff Member Member

    I'm trying to implement OpenVPN in Tomato 1.07 as my codebase and I succeeded with libssl.so; having a bit of trouble with dependencies and size optimizing. If anyone wants the source PM me.
  55. scaredwitless

    scaredwitless Network Guru Member

    A bit off topic as it has not much to do with Tomato:

    But hey, wow, I was reading a news article just today talking about a software program designed for the very purpose that you're talking about.

    Forbes Article

    The software at the center of attention in that article is a free software called Psiphon: http://psiphon.civisec.org/

    It's basically an easy to set up proxy server software designed at the University of Toronto specifically so that people could set it up on their computers with uncensored web access to allow friends and family in countries with censored web to use their connection.

    Never used it, just read about it just a few hours ago. Might be worth looking into.