Thursday, March 19, 2009

Client-specific options

Of the new features in TomatoVPN 1.23vpn3.0000, the new client-specific options feature may be overshadowed by the more visible GUI overhaul and server status AJAX display. However, it is the feature I'm personally most excited about, so I thought I'd post to shed some light on it.

Using this option, you can have full bidirectional site-to-site TLS VPNs with no Custom Configuration or init scripts.

Selecting this option displays a table where you fill in the Common Name (from when you generated the TLS certificates), subnet (optional), and netmask (optional). If you fill in the subnet and netmask of the client, your server LAN will be able to communicate with your client LAN whenever it's connected (be sure not to choose the NAT option on the client router). Without this, you're stuck with just client->server communication.

If you also select the "Allow Client<->Client" option, another checkbox appears in the table that, when selected, allows other clients (or client LANs) to communicate with this client LAN. So, now you can have multiple sites all connected together with communication between any of them as desired.

An "allow only these clients" option is also present. With this selected, clients that aren't in the table are not allowed to connect. If you want to allow a client that doesn't have a LAN behind it (or you don't want to allow access to it), just put it in the table and leave the subnet/netmask blank.
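The three options above, as an added example that is not part of the original post or of the firmware: the hand-written OpenVPN configuration that yields the same behaviour, assuming TomatoVPN's client-specific options are built on OpenVPN's client-config-dir mechanism (the files the firmware itself generates are not shown on this page). The Common Names, LAN addresses and paths are constructed for illustration.

```conf
# Added example, not the firmware's own generated files. Assumes the GUI table
# maps onto OpenVPN's client-config-dir (ccd) mechanism. Addresses are constructed.

## server.conf on the server router (server LAN 192.168.1.0/24, tunnel 10.8.0.0/24)
server 10.8.0.0 255.255.255.0
client-config-dir /tmp/openvpn/ccd        # one file per table row, named after the CN
ccd-exclusive                             # "allow only these clients": no ccd file, no connection
client-to-client                          # "Allow Client<->Client"
route 192.168.2.0 255.255.255.0           # kernel route for siteA's LAN into the tunnel
route 192.168.3.0 255.255.255.0           # kernel route for siteB's LAN into the tunnel
push "route 192.168.1.0 255.255.255.0"    # every client learns the server LAN

## ccd/siteA  (file name equals the certificate Common Name "siteA"; row with subnet/netmask filled in)
iroute 192.168.2.0 255.255.255.0          # OpenVPN-internal route: this CN owns 192.168.2.0/24
push "route 192.168.3.0 255.255.255.0"    # the per-client client<->client checkbox: siteA learns siteB's LAN

## ccd/siteB
iroute 192.168.3.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"

## ccd/roadwarrior  (row with subnet/netmask left blank: may connect, but has no LAN behind it)
# intentionally empty; the file's presence alone satisfies ccd-exclusive
```

Both the `route` line in server.conf and the `iroute` line in the ccd file are needed for a client LAN: the first tells the kernel to send the subnet into the tunnel, the second tells OpenVPN which connected client owns it. The client routers themselves must not NAT their LAN into the tunnel, as the post notes, or return traffic to the client LAN never leaves the client router's own address.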

With these options, this release removes the biggest limitation that has been present since the first release: VPN communication being limited to connections initiated by the client.

Feedback on this new feature is, of course, welcome and appreciated.


  1. Help! I've got a remote VPN server, and am connecting to it using this software. Connection works fine according to the logs at both ends, but I'm obviously screwing up the routing somewhere.

    The purpose of the connection is to connect 2 remote networks, so all I want from the Linksys router is to make the remote network available to the local network, and route everything else via the existing default route.

    I've switched off NAT, but am unsure which routing options should be set... at both ends!

  2. @greengecko
    If that's all you want to do, you probably want to have the NAT checkbox selected, then you won't have to do any custom routing.

    For future reference, the forum is probably better suited for support issues. General questions and/or requests are probably more appropriate to handle via the blog.