Wednesday, August 12, 2009

1.25vpn3.4 release

You can download the binaries from here.

Source is available at the Git repository.
Be sure to read the COPYING file if you plan to use/distribute the sources.
Direct links:
Notable changes from 1.25vpn3.3
  • Upgraded to OpenVPN 2.1rc19
  • AES speed improvements (Thanks fyellin!)
  • More "Accept DNS configuration" options (strict/exclusive)
  • Add (dynamic) HOWTO links to GUI for key generation
  • TLS renegotiation time setting
  • WINS options pushed/accepted along with other DNS options
  • Option to not push server LAN route to clients
  • Option to leave comp-lzo directive out of confi altogether (now "Disable", "None" is equivalent to the old "Disable")
  • Non-VPN changes (also sent to Jon for inclusion in Tomato)
    • Multiple MAC addresses can share an IP for Static DHCP
    • EditDNS added to Dynamic DNS providers
  • Various code cleanups/improvements


  1. Keith,
    I was wondering if there is space left to squeeze a samba installation in your firmware. I am looking forward to setup a wins server on my router.

  2. @Tiago:
    I don't think I'll be adding samba, at least in the near future. Sorry. For now, it just pushes/receives the value set up in "Basic"->"Network".

  3. Keith, thanks for your great work!

    TomatoVPN is what we use at work. Over the past 2 months, it's worked flawlessly for our 6 roaming users. Looking forward to your future releases!

  4. Is it possible to add client revoke list to open vpn )for blocked certs ?

  5. Hey,

    I had the problem in the last release with compression always being on. Sorry I never got back to you with results from manually removing the comp-lzo line, I've been in the process of an international move.

    The new functionality of "disable" has fixed my problem. Thanks for adding it despite my lack of responsiveness!

  6. has anyone got this particulare firmware release with openvpn to work with ipcops zerina?

    can anyone share their experiences..


  7. How can i diable ssh access without a keyfile?
    In centos i use hosts.allow file to set these switch.

    can u please help me ?
    at the moment both logins are working: with root / password and with keyfile

  8. @tatoosh go to Aministration>Admin access and uncheck "Allow Password Login". right above the fieldwhere you pasted the keyfile.
    It's a feature from original Tomato not only in VPN mod.

  9. ok found it myself also in the tomato wiki.
    thanks savy for helping. no my router is secured ;)

  10. oh was logged in with friends google account ^^ answer made by tatoosh.

  11. hello Keith,

    at first thanks a lot for your great job building this patch. everything looks perfect, but there is one thing which i'm not sure how it works in fact - QoS over vpn tunnels. i have "unclassified" all of any connection going through vpn. only "normal" connections are classified. so, what is in real - are they really unclassified? or they're recognised in fact, but only gui or software can see them as unrecognised? did you made any test or checks regarding this issue?


  12. @dezynteria:
    Unfortunately, I haven't done any QoS testing. I don't use it, so I can't say for sure how/if it works.

  13. @Keith:
    thanks for immediate answer! i'll try to figure something and post if got any reasonable results :) brgds!

  14. Nice mod! Any progress on making clients on server net connect to clients on client net?

  15. @Boost:
    Should work just fine. Fill out the client-specific options on the server, and uncheck the NAT box on the client. This is how I have my setup and it works great.

  16. Love it, thanks...been waiting for something like this for a while. See you in the forums...

  17. The last 2 releases i've had trouble when trying to log into my router.
    the router functions just as it should.
    but i can not log into it. i get "The Connection was reset"
    after a PF, i'm still not able to get in local. but i have remote access turned on and i can get in using my external IP and port.
    as i said, this issue has shown up in the last 2 releases, but never any before.
    any ideas?

  18. @blitzbob:
    Have you tried a full NVRAM erase (thorough)? That seems to clear up weird problems like that.

  19. Is there a preferred method to erase the nvram?
    I only found nvcommit in the debug menu?
    Also i discovered something else that was odd.. i tried to telnet and ssh, and get access denied when trying to log into either way. but when i am able to log into via http. my log/pass works fine, yet gives accessed denied telnet/ssh.. any idea on that? thanks for the tech support.

  20. @blitzbob:
    Administration->Configuration->Restore Default Configuration->thorough
    The username for http(s) is admin (or root), but the username for ssh/telnet is root. Maybe that's the problem?

  21. Hey, is there any current way to block/blacklist certificates?

  22. Tomato 1.26 beta and OpenVPN 2.1_rc20 is out. Any thoughts to combine these two when Tomato 1.26 final version will be released ?
    Thank you !

  23. I cant get WLAN to run.
    It is set on enabled and the SSID was hidden.
    I changed and also want to set bacon intervall but this won't be saved.
    Whats wrong here??


  24. @Florin:
    Of course

    Did you clear NVRAM (thorough) after upgrading? If not, do that.

  25. First - You firmware is awesome, I've used it for quite a while, and the PPTP VPNs work flawlessly. Unfortunately, a call was made for standardization (people complained), and we 'upgraded' all of our VPNs to Gigabit boxes (RVS4000/WRVS4400) and our primary firewall to generic IPsec only Gigabit VPN concentrator.

    Have you had a chance to work IPsec VPN stuff into your firmware? Will you use OpenSWAN, or is there another implementation that you are looking at? I've also heard rumblings that the 2.4 kernel is insufficient for IPsec, is your kernel 2.6?

    Thanks again for your hard work!


  26. @Pincushion:
    The current TomatoVPN only supports OpenVPN, not PPTP.
    I have not earnestly started looking into either PPTP or IPSec. But, I thought I remembered there being patches to get OpenSwan working on 2.4 (which is what Tomato uses).

  27. I've tried to get opendchub to work on my wrt54gl. The problem seems to be the missing IPC support of the kernel. The error occurs while creating the semaphore for holding the total share amount. The exact message is: "semget(): Function not implemented". Is there anybody who has the same problem and fixed it anyhow?

  28. Hi!
    How can I patch from Tomato to TomatoVPN?
    It says "Expecting .bin or trx file.
    how can i update?

  29. I know it may seem too early but Tomato 1.26 is out! When can we expect the VPN mod? :)
    Thank you !

  30. Hello,

    Do you plan to prepare VPN version od Tomato 1.27

  31. Hello,
    There has been a quite important update to OpenVPN recently. This fixes CVE-2009-3555 and the SSL/TLS renegotiation vulnerability. The latest package is: 2.1_rc22

    Keep up the nice work!

  32. I would love a Tomato 1.27 and 2.1_rc22 update...

  33. Hello. I have reconfigured ports inside router in following manner:

    vlan0ports=2 3 4 5*
    vlan1ports=0 1 5

    Will I be able to use openVpnClient working through vlan1port 1 ?

  34. @Robert:
    Probably. My code doesn't care what ports you have assigned where, it just uses VLAN1 as the WAN. Though, I'm not quite sure what you mean by "working through vlan1port1", so I may be misunderstanding.

  35. If you are using VLAN1 as WLAN - then ok, it will work. Thanks.
    Another question - I've found tomatovpn-1.27vpn3.5.7z - is it beta or you simply haven't time to update this page?

  36. @Robert:
    I misspoke a little. I just use whatever is set in nvram for wan_iface as the WAN. But, for most configurations, that VLAN1.
    1.27vpn3.5 is still in testing. I haven't been able to find time to test it myself, so I'm "crowdsourcing" the testing a bit :)

  37. Looking forward to 1.27vpn3.5. Enjoy the holidays.

  38. Very excited about 1.27vpn3.5, I love this branch of the code. Just enough features but not too many. Thanks for all your hard work

  39. Any news on Tomato 1.27vpn3.5? Any way I can help?

  40. Hi.

    I have updated the image to use tomato 1.27 ; I merged my previous tomato firmware (PPTP/SNMP) so both VPN client/server can be used.

    Also added support for OpenVPN with username/password authentication.

    If anyone is interested ; email me...

  41. Hello,
    Jean-Yves, i'd be very interested about your firmware, but i can't find yout address.
    Could you upload the firmware to any website, or could you give me an address?
    Many thanks,

  42. @Zsoc@m in case you haven't found the files, Jean-Yves Avenard's version of Tomato is available at

  43. Hi,
    First of all:Thank you - this is a very good firmware!:)
    We using it to connect many networks to a site-to-site vpn network. I suggest some featues that we need:
    - restoring configuration to an another router (if you have many of them, you can keep a backup router with the same config, if the primary hardware fails)
    - export/import static dhcp clients
    - export/import wireless MAC addresses

    Thank you: