Monday, May 4, 2009


Just thought I'd give a peek into my intentions for future features. As always, I'm open to comments/suggestions.
By the way, the comments section of this post would probably be the appropriate place for feature requests.
To-do items:
  • GUI for client-config-dir to allow full site-to-site
  • Get DNS over VPN working
  • Get client to accept dhcp-option items from server
    • At this point I'll also add a GUI option to push DNS from the server
  • GUI option to route Internet-bound traffic over the tunnel
    • This will probably include an option on the client and an option on the server to push it to clients
  • Upgrade OpenSSL
    • Might not be necessary now that fyellin ported AES back to the current OpenSSL version
  • Get OpenSSL to use encryption hardware where appropriate

Wish-list items (won't work on them until the to-do list is empty):
  • IPSec tunneling
  • PPTP tunneling

Not on the radar, but often requested:
  • SNMP
    • Perhaps it's that I don't fully see where this would be needed on the router, but I don't see myself taking time to learning about it and working out the kinks.
    • If someone can explain how it would greatly improve the VPN experience, I may reconsider
    • Of course, if someone adds a git branch with SNMP+GUI, it'd probably be easier to convince me to include it.


  1. IPSec tunneling

    The ultimate, or maybe impossible mission from my understanding......

  2. @Apple Rocks:
    From the little I've investigated it, it seemed possible. What leads you to understand differently?

  3. Is it possible to get more Dynamic DNS settings.
    currently you only have 2 slots, but i need like 4 or 5

  4. @blitzbob:
    With that kind of thing, I just follow whatever happens in the upstream Tomato. Other people have used external Dynamic DNS consolidation services (enter one in the router GUI, and that site updates the reset). I can't remember the name, but you may want to look into that.

  5. This comment has been removed by the author.

  6. Is it possible to add an option to enable/disable "route all traffic over VPN"?

  7. @Andy:
    It's definitely in my plans, and I'll add it to the roadmap. I didn't put it there before because it's not that major of a change (I just haven't had a chance to test it out myself yet).

  8. Definitely another vote for all-traffic as an option.

    Also, I managed to get my router into a bit of a state, it won't let me save the config. Keeps saying "Invalid IP Address" no matter what I change. Managed to remove the start-by-default via nvram but maybe a reset-vpn-to-default panic button would be a good addition?

    Awesome work in any case, thanks!

    Try changing some of the major options (TLS/Static, TUN/TAP, management-specific options) and see if any invalid fields show up. The bad one may be hidden with your current set of options.

  10. My company is using user certificates with password, but there is no input field in webgui to pass it to openvpn (I have to run openvpn client trough custom script with "--askpass" parameter atm).

    Also it would be nice to have policy routing. I need my home worktations traffic to go out my DSL or company vpn network depending on source ip address, When I type in terminal:

    # ip ru ls

    all I get is:

    RTNETLINK answers: Invalid argument
    Dump terminated

  11. Also in my case 4096 bytes for custom script is too few (mostly because of certificates being passes in it :-) ). My custom script has ~6kB and I could not edit it because "Init script is too long" error. Last time I made some changes to init script was on 1.19 roadkill mod, and then webgui did not checked its length.

  12. Implementing PPTP first, would help a broad user base. Few commercial VPN providers support IPsec, citing complexity issues.

    PPTP is very popular on phones. iPhones already have PPTP clients and recently Nokia Symbian S60 based devices also have a third party app for PPTP connectivity.

  13. great work !! I got it up and running in no time. I won't have to stick to DD-WRT and they can go on and break whatever GNU,etc license... it's his karma...

  14. I'd definitely appreciate a simple VLAN GUI.

  15. I also wouldn't "mind" IPv6 support added...we're bound to go down that route sooner rather then later.

  16. Hi! Any chance you could do "URL (keyword) content filtering" ? (or do people have an alternative to that?)

  17. PPTP would be a very great feature if it comes true. Currently a Chinese Version of Tomato (Tomato DualWAN) has it but is only limited to Non-ND ones. The official site of it mentions to deal with the bug with NDs after China's National day.
    I really appreciate what Keith has done. I am using 1.25 3.4.4^^

  18. I am having the same problem as no matter what i do, i get a series of messages that say "invalid ip adress". i've tried various settings and have not been able to save the settings i imput.
    I am currently running tomato v1.27.8742 on a wl520gu if it helps.

  19. I'm having the same problem as Smart. My problem is trying to save the OpenVPN server connection. I get an invalid IP address message that pops up about 4 times. I'm also running tomato 1.27.8742 on a wl520gu.

  20. This seems like a javascript issue. Do I need to be using a specific browser? I'm using Firefox 3.5.

    The code also looks likes it's trying to verify more fields than I'm editing. For instance I set the config for Server1 Basic, click save and the javascript is also validating the Server 2 setup. Is that expected?

  21. @BravoFoxtrot35:
    Yes, it's expected to to verify all of the fields whenever you save. In that way, you shouldn't have been able to save a bad value in the first place. So, I expect this is due to NVRAM corruption. This often happens with Tomato upgrades. Please wipe your NVRAM (thorough) and reconfigure.

  22. Hi, any news about the pptp pass thru? TIA

  23. Am sitting here crossing my fingers that IPSEC gets implemented... it would be HUGE for me, and a couple other people I know. Otherwise I'm buying an ISR or small ASA for home. :)

  24. This comment has been removed by the author.

  25. I found a way to fix the Invalid IP Address. Setup everything the way you want, then under Basic Settings set "Authorization Mode" to "Static Key" and put some random IP address in the IP box listed below. Save settings. Then set your Auth Mode back to TLS and it will allow you to save and be on your way.