Source is available at the Git repository.
Be sure to read the COPYING file if you plan to use/distribute the sources.
Direct links:
Notable changes from 1.27vpn3.5
- Fixed service restart on WAN reconnect
- Took back out the new redirect gateway option (don't leave default gateway) as its benefit was questionable at best.
- Some code cleanups
The feature i really missed was the one that starts the openvpn service with the router. I have a WRT54GL connected on my home lan and i only use it as an access point+wds and of course a vpn server. Since there is no WAN, with the new option i must start it manually every time. Could you please have both options at least, starting the service with WAN and/or router? Keep up the good work !!!
@denexo:
I hadn't considered the no-WAN case. Will be addressed in the next release.
oops, remote sshd does not work. because no instance of "dropbear -p " is started. Instead two instances of "dropbear -p " are started. see console log hereafter:
----
# nvram get sshd_port
22
# nvram get sshd_rport
1022
# ps | grep drop
1259 root 1532 S dropbear -p 22
1264 root 1600 S dropbear -p 22
----
arghh.. should read "dropbear -p sshd_port" and "dropbear -p sshd_rport". somehow the ports got lost in translation :-"
@Ronny:
There isn't supposed to be a separate dropbear instance for remote access. The port is forwarded in the firewall rules.
Thanks Keith. Looking forward for your next release !
Great work! keep it up
Hi,
Thank you sincerely for your work.
I must confess that I look forward to the feature username/ password for the next release. (Do you know the release date? approximately)
Because the French government policy, I am obliged to subscribe VPN ... Tough times for the Internet.
Have a nice day!
I'm also curious about a user/pass release date, would make it easy to implement at work here.
Thanks again Keith for fast update!
Also waiting for the GUI user/pass release.
Hopefully we are not putting too much pressure here :)
Yeah, just installed this right now, and w/out the user-pass part, we may not be able to fully implement it here at work.
Any estimated release date would be appreciated.
@all:
No ETA on the user/pass addition. However, it shouldn't be nearly as long as the wait after 1.25vpn3.4.
In the meantime, changes in 1.27vpn3.5 made it so user/pass configs can be created. Just create a file that contains the user and pass in the init script, and add auth-user-pass to your VPN custom config. If it is user/pass-only (no certificates), just leave the certificates blank.
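A sketch of the init-script step described in the comment above, as an added example that is not part of that comment or of the TomatoVPN source: it writes the credentials file (username on the first line, password on the second) with owner-only permissions and checks it before `auth-user-pass` points at it. The path `/tmp/vpn_client1.auth` and the function names are assumptions.

```shell
#!/bin/sh
# Added example. AUTH_FILE and all function names are hypothetical.
AUTH_FILE="${AUTH_FILE:-/tmp/vpn_client1.auth}"

# write_auth_file USER PASS [FILE]
# Creates the two-line file OpenVPN reads for auth-user-pass, mode 0600.
write_auth_file() {
    user=$1; pass=$2; file=${3:-$AUTH_FILE}
    nl='
'
    [ -n "$user" ] && [ -n "$pass" ] || { echo "empty user or pass" >&2; return 1; }
    # A newline inside either value would shift the password onto a third line.
    case "$user$pass" in
        *"$nl"*) echo "newline in credential" >&2; return 1 ;;
    esac
    # Set umask in a subshell so the file is never group/world readable,
    # and remove any pre-existing file or symlink at that path first.
    ( umask 077; rm -f "$file"; printf '%s\n%s\n' "$user" "$pass" > "$file" ) || return 1
}

# check_auth_file [FILE]
# Prints ok / missing-or-not-regular / too-permissive / bad-format.
check_auth_file() {
    file=${1:-$AUTH_FILE}
    [ -f "$file" ] && [ ! -L "$file" ] || { echo "missing-or-not-regular"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$file" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "too-permissive"; return 1; }
    # Exactly two lines, both non-empty.
    fmt=$(awk '{ t++; if (length($0)) n++ } END { print (t == 2 && n == 2) ? "ok" : "bad" }' "$file")
    [ "$fmt" = "ok" ] || { echo "bad-format"; return 1; }
    echo "ok"
}

# custom_config_line [FILE]
# The line to paste into the VPN client's custom configuration box.
custom_config_line() {
    echo "auth-user-pass ${1:-$AUTH_FILE}"
}
```

Call `write_auth_file` from the init script, then start the client only if `check_auth_file` prints `ok`.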
@Keith, do you know if somebody has written a sort of "howto" with screenshots for that method?
I know you said no ETA, but could you at least give us a "few weeks" "couple of months" or "4+ months away" kind of estimate?
Thanks again for all your hard work on this project.
Is it possible to have a mini-howto for manually configure the VPN username / password in v3.6?
For now I copied login_password.txt and ca.crt in a /tmp directory; in the advanced/vpn GUI that I have set the VPN configuration, I start it, but it blocks all Internet traffic. I think missing iptables rules.
Thank you,
See you
I have been in love with Tomato for years now, but this fork with OpenVPN is fantastic. I am using it extensively and have yet to have any problem with it. Thank you for your efforts on this (donation coming...)
@all who've asked:
I'd say the next release will likely fall somewhere between a "few weeks" and a "couple of months" away. Note that there is not a deadline or schedule, so it's also possible that it will happen sooner or later than that.
@Keith, I totally understand that there's no set schedule, was just looking for a best estimate.
Thanks for the guestimate. Added your blog to my RSS reader.
Thanks again.
@Keith. First of all; great firmware :) really enjoying it!
...
But: I've run into a bit of trouble :s
Under basic settings I have checked the "client pool address - DHCP" option, but when I connect, my client gets no ip-address.
the server log contains this line I suspect is the cause of my troubles:
---
Feb 11 17:52:46 ? daemon.err openvpn[14670]: client1/87.58.39.133:54278 MULTI: no dynamic or static remote --ifconfig address is available for client1/87.58.39.133:54278
---
if I uncheck the "client pool address - DHCP" option. The openvpn server will supply me with an ip-address! but that's from the range specified under vpn -> server -> basic settings.
Any help appreciated! :)
Ubunut
@ubunut:
I replied to your comment yesterday, but it doesn't seem to have taken...
Unfortunately, the DHCP option ("route-gateway dhcp") is a pretty new feature to OpenVPN and seems a little flaky. If it doesn't work for you, you can either specify a range of IPs or try to get help on the OpenVPN IRC channel. I'm afraid I don't know where to look to debug this.
Also, the forum should be used for technical support (see top of page). It's just better suited for that type of discussion.
@Keith
Np, just a minor flaw. Thanks for your quick reply! :)
keep up the good work.
Ubunut
Anyone get this working with StrongVPN's PPTP?
I've been using vpn on tomato for a few weeks. I have to say it works really good and stable.
I just have a little trouble and want to remove "persist-tun" from default config file. Is there an easy way to achieve this?
@pnt:
Sorry for the delay. I thought I responded to you before...
I'm afraid there's no way to start the client/server from the GUI without "persist-tun". Is there some reason you want it removed? If there is a reasonable use case, I could make it an option in the GUI.
@Keith:
I use DNS server over VPN to resolv everything. Local DNS is just a backup. This is what I intended, because it's faster to use CDN near VPN server than near local ones.
In this situation, if VPN goes down and it tries to reconnect the VPN host, it will meet resolv problem. And if I don't use "persist-tun", openvpn will disconnect and DNS request can go through. It's already verified on linux and win32 openvpn client.
It's important to use domain host over IP addr to connect VPN, in multi-VPN-server environment.
If you add an option for not adding "persist-tun", it'll greatly help me.
And thanks for your continuous work on this project.
hi, i would like to know if there's the possibility to enable ipc in the kernel config in the next releases?
@denexo: you can work around the VPN service start by adding
'service vpnclient1 start'
(without quotes) to your init script. Works for me.
Keith:
Could you be so kind and explain me, how does the router test the WAN (if it is alive or not)?
Whether Router makes some ping to some hosts on the Internet, or to the ISP default gateway (which is DSL cable modem), or something like that?
I have done some tests, where OpenVPN connections were initiated from the inside LAN.
I noticed that VPN server resets connection coming from inside, when the IP address on the WAN is different from the ISP addressing pool (routing outside is unavailable), despite the WAN interface is connected and UP.
It means that the router do some tests on the WAN side, before VPN connections from inside LAN can be accepted and there is not just simple test if the WAN interface is Up or Down.
THX in advance.
PS: IMHO, the second option in GUI, which turn on the VPN server up during router starting phase not only when WAN is OK, is a good idea.
@Remigiusz:
Aside from attempting to get an IP address as needed, the router doesn't do any checking on the WAN connectivity.
Yes, if you have the "Start with WAN" option set, the server will restart when you get a new IP.
Do you have a valid use-case, besides testing, where restarting the server on WAN-up is a bad thing?
@Keith:
Of course it is good idea to restart the VPN, when new IP address on the WAN is set.
But when IP is fixed, this feature could be turned off.
My testing scenarios were simple:
ISP DSL Modem <--> (WAN)My Home Router (LAN) <--> (WAN)Test Router with VPN Server (LAN) <--> My PC with OpenVPN Client
Variant A:
1. I set the fixed IP address on the WAN interface of the Test Router (one of the LAN IP address of My Home Router). Of course I set default gateway pointing My Home Router.
2. Reloading the Test Router.
3. Starting Up the OpenVPN Client on My PC, pointing the WAN interface of Test Router.
4. Connection established OK.
5. Success.
Variant B:
1. I set the fixed IP address on the WAN interface of the Test Router (but the IP address is "phantom" - other then one of the LAN IP address of My Home Router). Of course I set default gateway pointing phantom IP.
2. Reloading the Test Router.
3. Starting Up the OpenVPN Client on My PC, pointing the WAN interface of Test Router.
4. Connection is reseted by VPN Server.
5. Test Unsuccessful.
Why in the second scenario does the VPN Server reset the incoming requests coming from My PC?
The IP address is fixed. So what the IP is from the phantom pool.
I have done another test.
I set up Fixed IP as in first scenario, but unplugged the WAN interface during router startup phase. When router was up, I ran the OpenVPN Client on My PC. Connection failed (VPN Server reseted incoming request).
Then I plugged WAN interface of the Test Router. Again I ran the OpenVPN client. Connection established.
Next, I set up Fixed IP as in second scenario, but unplugged the WAN interface during router startup phase. When router was up, I ran the OpenVPN Client on My PC. Connection failed (VPN Server reseted incoming request).
Then I plugged WAN interface of the Test Router. Again I ran the OpenVPN client. Connection was reseted by VPN Server.
After this test I supposed that router does some IP Internet Connectivity Tests to make decision to bring VPN Server UP, when everything is OK.
IMHO: As a @denexo have said, the option, which allows to turn on the VPN Server permanently, is a solution. Do not You think?
@Remigiusz:
Okay, I understand now. I thought you were talking about the server restarting, but you're talking about it not starting at all.
Since the last release, I've already changed it to (re)start the service either if the WAN is connected or if the WAN is disabled. I guess maybe it should just do it no matter what. I still don't see a use-case besides testing where you'll be connecting via LAN with a bad WAN, but the use-cases I do see shouldn't be hurt by an extra (re)start if the WAN is bad (since nobody will be connected anyway).
@Keith:
I probably found the problem.
When I wrote info about that the VPN Server did not proper Up, when there is no Internet connectivity to the ISP, I were
wrong.
It turned out that VPN Server ran OK in both cases (whatever Static IP was set up).
When there was no connectivity to the Internet (for test sake), I thought that VPN Server have some problems to start
properly. I thought that because it did reset all incoming connection (initiated from LAN, from My PC).
Connection result screen was:
========================================
Thu Mar 04 12:33:50 2010 OpenVPN 2.1_rc21 i686-pc-mingw32 [SSL] [LZO2] [PKCS11]
built on Nov 12 2009
--------- Some are ommited -------------
Thu Mar 04 12:33:52 2010 VERIFY OK: nsCertType=SERVER
Thu Mar 04 12:33:52 2010 VERIFY OK: depth=0, /C=PL/ST=ZP/O=OpenVPN/CN=server/ema
ilAddress=xxxxxxxxx@gmail.com
Thu Mar 04 12:33:52 2010 Connection reset, restarting [0]
Thu Mar 04 12:33:52 2010 TCP/UDP: Closing socket
Thu Mar 04 12:33:52 2010 SIGUSR1[soft,connection-reset] received, process restar
ting
Thu Mar 04 12:33:52 2010 Restart pause, 30 second(s)
========================================
But when I plugged the Router to the ISP, connection result screen was:
========================================
Thu Mar 04 12:51:02 2010 OpenVPN 2.1_rc21 i686-pc-mingw32 [SSL] [LZO2] [PKCS11]
built on Nov 12 2009
--------- Some are ommited -------------
Thu Mar 04 12:51:04 2010 VERIFY OK: nsCertType=SERVER
Thu Mar 04 12:51:04 2010 VERIFY OK: depth=0, /C=PL/ST=ZP/O=OpenVPN/CN=server/ema
ilAddress=xxxxxxxxx@gmail.com
Thu Mar 04 12:51:05 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with
128 bit key
Thu Mar 04 12:51:05 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1'
--------- Some are ommited -------------
Thu Mar 04 12:51:13 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Thu Mar 04 12:51:13 2010 Initialization Sequence Completed
========================================
When you compare both screen shots you can see that (on the first screen shot) "Connection reset, restarting [0]" occurred when the "Data Channel Encrypt: Cipher 'BF-CBC' initialized" phase began (visible on the second screen shot).
Conclusion:
Problem was not in Internet Connectivity, but in Router NTP Time synchronization.
When I plugged a WAN interface of the Router to the ISP DSL Modem for only 5 second, just for synchronize the Time with
Internet NTP Server, I was able to establish VPN connection to the VPN Server without any restarts of VPN Server Service.
Only Time synchronization have occurred.
After synchronization I unplugged the WAN interface of the Router from ISP DSL Modem, and I still had opportunity to establish
a new VPN connection to the VPN Server (initiated from My PC, from LAN side).
So, it means that without proper synchronization of the Router System Time, VPN connection cannot be established because the
cipher negotiation phase always will fail.
For testing sake:
Turn off the Time Synchronization, setting the "Auto Update Time" option to "Never". Save it, and Reboot the Router.
After that, none of the VPN session request will finish with success.
It bothers me because if I do not have any NTP Server to synchronize the TomatoVPN router (for example in some LAN solutions),
I will not be able to use VPN feature on this router.
It is possible to force the Router System Time synchronization from the fake "internal" source?
BR
@Remigiusz:
The time must be correct for VPN to work. There's no way to avoid that.
I'm not sure what you mean by a "fake" source, but you can point it to an NTP server on the LAN just fine. In fact, that is what I do.
Also, if you continue to have difficulty, please post on the forum. This is not a very good format for this type of discussion.
@Keith:
As a "fake" NTP source I mean any router internal process, which will be able to synchronize the Router Time internally (when no external NTP source is available, on the WAN as well as LAN side).
Thank You for your help.
I move this topic to the forum.
BR
@Remigiusz:
It has to get the time from somewhere. This isn't a matter of not having an ntp server to talk to. The time actually has to be correct for the encryption to work properly. Unless you have a time source physically connected to the router, it will need to connect to an NTP server (either WAN or LAN).
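One concrete place the clock enters a certificate-based VPN handshake is the validity window of each X.509 certificate: a device whose clock is earlier than `notBefore` treats the peer certificate as not yet valid. The following is an added example, not part of the thread or of TomatoVPN; it converts the date strings printed by `openssl x509 -noout -dates` to epoch seconds in plain awk and classifies a given clock value. The sample dates are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Sample certificate dates below are constructed, not from the thread.
NOT_BEFORE="notBefore=Mar  1 00:00:00 2010 GMT"
NOT_AFTER="notAfter=Feb 27 00:00:00 2020 GMT"

# openssl_date_to_epoch "notBefore=Mon DD HH:MM:SS YYYY GMT"
# Prints seconds since 1970-01-01 UTC; exits non-zero on unparseable input.
openssl_date_to_epoch() {
    printf '%s\n' "$1" | awk '
    {
        sub(/^not(Before|After)=/, "")
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
        m = mon[$1]
        if (!m || NF < 4) exit 1
        d = $2 + 0; y = $4 + 0
        split($3, t, ":")
        # Day count for a Gregorian date, with the year starting in March
        # so that the leap day falls at the end of the cycle.
        if (m <= 2) { y--; mp = m + 9 } else { mp = m - 3 }
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * mp + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        printf "%d\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# cert_time_status NOTBEFORE NOTAFTER [NOW_EPOCH]
# Prints not-yet-valid / valid / expired for the given clock value
# (defaults to the system clock), or invalid-input.
cert_time_status() {
    nb=$(openssl_date_to_epoch "$1") || { echo "invalid-input"; return 2; }
    na=$(openssl_date_to_epoch "$2") || { echo "invalid-input"; return 2; }
    now=${3:-$(date +%s)}
    if [ "$now" -lt "$nb" ]; then
        echo "not-yet-valid"
    elif [ "$now" -gt "$na" ]; then
        echo "expired"
    else
        echo "valid"
    fi
}

# A clock that has never been set sits a few minutes after the epoch:
#   cert_time_status "$NOT_BEFORE" "$NOT_AFTER" 300
```

Running `cert_time_status` with no third argument against the dates of the CA, server and client certificates shows whether the router's current clock falls inside all three windows.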
Getting this working was seamless. Thank you for this effort!
I eventually want to use the VPN ability, but right now I am just trying to get a simple setup working. Under Basic -- Network -- WAN, there is no option for Primary DNS and Secondary DNS. Is this listed somewhere else, or do I have to set it with a command line? Thanks (and sorry for asking a support question here...)
@gregconquest:
It's a bit of a misnomer, but place those under Static DNS in the LAN section.
would be nice if we can get the vpn service to restart automatically if it crashes.
also would be nice if we can get the firewall to autoconfigure based on vpn settings. e.g. if i set the vpn client to connect to a TAP network the firewall autoblocks incoming packets from that network.
Whenever I save my settings in the GUI, Server 1's port ends up blank and Server 2's subnet mask ends up blank as well. Server won't start due to the server 1's port being set to nothing.
@ysesq:
Those are current features.
@mattswell:
I'm guessing you didn't clear NVRAM after upgrading? Do so and reconfigure your settings.
Hello Keith,
Great job!
I have two questions:
- any plans in the future to add management interface option for OpenVPN?
- how/where can I find a list of all CLI supported options in your version of Tomato OpenVPN?
Thank You.
@Panai:
1. No real plans, no.
2. If you include the "Custom Configuration" section, it supports all OpenVPN options.
hi!
i have a few questions concerning this software and the vpn-settings!? where's the best place to ask?
thanks!
@letschi:
The forums. See the link up top.
Any plans to include speedmod as part of your distribution?
http://touristinparadise.blogspot.com/2008/04/linksys-wrt54gl-routers-improving.html
@Wendy:
I'm pretty sure the good parts of SpeedMod were incorporated into Tomato a while ago, so they made it into TomatoVPN as well.
You are correct that most of the changes were incorporated back awhile ago.
There is an additional one that was added later and hasn't been incorporated in the Tomato source that i've found has improved the speed of my router. The author replaced Jenkins' lookup2 hash with lookup3. This was done in SpeedMod 119.
Something possibly to consider.
again great job but where do i report bugs?
my server vpn router does not automatically update the time on boot/reboot; even though i have set it to do so. i have to do a manual reconnect on the wan to force the time to update. the time on the client vpn router however updates fine.
i don't schedule a reboot cause the firmware is solid, but sometimes there are power failures and what have you and the vpn doesn't reestablish after that.
both my wrt54gl routers running tomatovpn 1.27vpn3.6
Hello Keith,
So any router that works with the original Tomato firmware will pretty much work with TomatoVPN right?
I'm looking for a wireless-n router that will work with TomatoVPN. Will the netgear WNR3500L work? Found out that its supported by the original firmware.
@Howie:
Sounds like that'd be an issue with the base Tomato, not with the VPN additions. You can try and get help at the forums.
@Review:
Yes, TomatoVPN works on any router that the original Tomato does. However, the original Tomato does not support the WNR3500L. However, I do believe that teddy_bear (at the linksysinfo forums) has a mod that supports that router, and he also releases a version that includes my VPN changes as well.
Is it possible to configure VPN using Dyndns on Serversite?
@harry:
You can input DNS names for the VPN server when configuring the VPN client, and you can configure Tomato to update a dynamic DNS service. However, I have no idea what you mean by "configure VPN using Dyndns on Serversite". If I haven't answered your question, please be more specific.
@Keith
The VPN Server has an dynamic IP from the internetprovider, that's what i mean. So how can I configure the VPN-client by using the GUI to connect throught a DYNDNS to the Server.
I remember that in the GUI it's only possible to enter an IP-Adress, or should it work to enter there the DYNDNS-Name.
Thanks Harry
@harry:
As I mentioned, entering DNS names should work fine.
@ keith
Thanks for the hint, i'll test it.
@ Keith
Yess ! It works with Dyndns.
The Linksys with tomato is the most coolest thing in my house.
I can't save OpenVPN Port. If i go to save and then START VPN SERVER it won't start up and the port will be erased in the form.
How to solve the problem?
can i save the port with ssh ?
Here a picture from my error:
http://www.abload.de/img/16.05b2s7.png
@tatoosh:
Sounds like you have corrupted NVRAM. This often happens if you don't clear it after an upgrade. You need to clear the NVRAM and reconfigure your router from scratch.
I can't seem to manage a site-to-site configuration properly. I've got the client-side acting as a normal router (Read: Between the network and the internet), and I've got the server-side behind an IPCop Firewall/Router, with my VPN port forwarded. The VPN connects fine, and out-of-the-box, so to speak, I can ping machines on the server-side from the client-side, but not the other way around. I'm pretty sure it has to do with my routes on my server-side VPN and IPCop routers, but I'm not entirely sure what routes I need to create where.
@Nathan:
http://tomatovpn.keithmoyer.com/2009/03/client-specific-options.html
@Keith:
Oh pfft. Without a manual (Or an index of blog posts), I wasn't really sure what that option did. Before I saw your reply, I set up both server and client instances on each router passing traffic on two different subnets (10.8.0.0 and 10.8.1.0), and it's probably a bit silly, but it works. I think I'll rip that down and play with the client options. Thanks for the input!
Awesome work, Keith! One suggestion: make options such as 'Advertise DNS to clients' become greyed out instead of hidden when the parent option is unticked. Make the child options indented, too. I think that this will make the UI more clear.
Is it possible to add "IP/MAC Bandwidth Limiter" to your mod?
What is "Advertise DNS to clients"? Can I access clients in server side?
Do you know if this will work with the WRT54G-TM?
@Hans:
Is it possible for someone to add? Sure. Will I add it to my releases? No.
@Andy:
It tells the clients that they can use the VPN server as a DNS server as well. You can access clients from the server side if it is configured to do so.
@Josh:
TomatoVPN supports all routers that Tomato does, including the WRT54G-TM.
Hello,
Great work!
where can i find the beta versions (night builds)?
@StaRipper:
There aren't any.
how does one actually test a unit if the flashing of the firmware is fully complete and without fault? since appearance can be deceiving. just because you see all the bells and whistles does not mean things are ok internally.
@vientito:
There's no real way to verify the flash. The best you can do is erase NVRAM (thorough) from the GUI and start using it.
how do i emulate --client-config-dir per-client behaviour on tomato router since I could not specify files like what I could do on a PC?
@1240500:
No need to just emulate. See http://tomatovpn.keithmoyer.com/2009/03/client-specific-options.html
I see under client advance config an option to accept DNS configuration. There are four choices: none, relaxed, strict and exclusive. I vaguely understand the need for dispatching DNS resolution packets to remote and local network, but could not figure out exactly which one is for what. Yet I could not find documentation on it. I wonder if you could spell it out for me. Thanks for the link.
Also, i look all over but could not find in client setup that there is anything resembling the system definition of persist-key and all related persist functions for restarting purpose. are they being embedded inside some settings and assumed already? Or do I have to specify under custom config myself?
@1240500:
none = DNS servers sent by server are ignored
relaxed = DNS servers sent by server are prepended to the current list of DNS servers, of which any can be used
strict = DNS servers sent by the server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN-provided ones don't respond)
exclusive = only the VPN-provided DNS servers are used
persist-key and persist-tun are automatically added to the config
Keith:
Thanks again for your wonderful branch of tomato. I'm having ongoing issues with Charter, probably due to this bug:
https://bugs.busybox.net/show_bug.cgi?id=629
(which doesn't appear fixed in 1.14.4). However, I noticed that tomato 1.28 has fixes for udhcpc, and looking through the source, this is one of them.
Can you make a new release with 1.28? I really want my DHCP to work with my (non-compliant) Charter DHCP server, but I don't want to lose VPN to get it...
Darn. I was still on 1.25. Just upgraded.. Everything looks fabulous.. Hardly skipped a beat..
Thanks again for this excellent mod!
Just a real quick question, I have a Buffalo WHR-HP-G54 with Tomato (standard) 1.27 on it.
Works great, but I need some VPN. Enter yours. So I downloaded your firmware.
My question is which of the BIN files (they all seem to be labeled for Linksys models) is going to be the one I want to use?
@John Jennings:
Any of them will work. The only difference is a header that allows different default firmware to accept them. The actual firmware being loaded is the same.
Okay, thank you!!
Second question, lol. The "site-to-site" without any additional config.... seems to be a little bit more deceiving than that. Have you written (or do you know of) a good tutorial to show me how to setup the site-to-site functionality??
@John Jennings:
http://tomatovpn.keithmoyer.com/2009/03/client-specific-options.html
is it possible to get/have a pptp server?
I know it's not "more secure" but i'm not running the FBI here.. I just can't run openvpn on my mobile device, but i can run pptp.
I know other firmware has it, but i'd rather not switch unless i have to.
thanks!
The WAN-up scripts don't seem to work anymore. I always used a route add ("route add -net 192.168.2.0 netmask 255.255.255.0 dev tun21") on both sides to route traffic through the VPN tunnel; using the WAN-up scripts, but they don't seem to work anymore. Anyone have a clue why?
Hello and really thank you for your work Keith, TomatoVPN is great! Have a question: Its possible to configure automatically the pem pass phrase for the client part of TomatoVPN? Can be made with option "auth-user-pass /etc/openvpn.pass"?
Could you elaborate on how to revoke client certificates, using TomatoVPN as an OpenVPN server? Specifically, how can I save the certificate revocation list (crl.pem) on the router? Thanks for the great mod!
@Timo: You can set up JFFS and save it to /jffs, then add crl-verify /jffs/your-file.pem to the custom config.
Is it normal behavior for OpenVPN to restart itself every ~60 seconds when no clients are connected? I'm getting ridiculous log thrashing as a result, though the system is quite stable.
It sees no activity, closes the socket, closes the TAP/TUN interface, restarts the service, initializes encryption/compression, creates the interface again, then waits for one minute and does it all over again. The polling interval setting in the GUI doesn't seem to be relevant to this behavior.
Help?
Keith:
Any chance you'll get a chance to update to Tomato 1.28?
Hello there, I have two questions
1. Does Tomato Support WRT320N ?
I downloaded the latest firmware from
http://tomatousb.org/download
2. how does QoS work when OpenVpn connection is established. ?
The VPN will not properly register Avaya VOIP phones from the client if the Conntrack/netfilter tracking helpers are checked.
Similar problem of dropped packets were reported by others on the dslreports forum.
Fortunately, someone discovered what was causing the dropped packets!
Hi Keith,
At first, Thanks for the tremendous work!
I'm having some problems with my setup, it's probably related to some config in the router that I need to do, and would really appreciate some help. I tried to look for some documentation or use Google but with no luck.
- I have TomatoVPN with 'tun' server running. so any one connects to this server is assigned a 10.8... IP
- Behind my router there is a VoIP server, which has a 192.168.. IP
I have the same problem that Brian described ..softphones on external machines (running vpn to my server) are not able to register in the VoIP server. (Following an approach similar to Brian's, I unchecked the NAT helpers. but that didn't work for me)
SIP (VoIP) messages should arrive on port 5060 which is forwarded to my VoIP server. But the messages are not hitting my VoIP server.
Do you have an insights on what might be causing this or how it can be resolved?
Hello there, can someone tell me TomatoVPN will Linksys WRT320N ?
Hello all , will this project update?
Or this project already closed?
Hello,
is this project still running?
Yep
For those looking for support for other routers, updated tomato versions, usb support, etc -- the tomato-usb folk have taken the VPN changes that Keith originally wrote, and have an updated version with tomato 1.28 (and many other changes).
If you are looking for such a thing, it's found here:
http://tomatousb.org/
NOTE: This version uses the ND (new driver) and CAN brick certain routers. See:
http://www.linksysinfo.org/forums/showthread.php?t=59920&highlight=new+driver
(to see your version, run "nvram get wl0_corerev")
Thank you again, Keith, for your valuable contribution. I cannot express enough how helpful tomatovpn is in my daily life.
I think this project is dead. There are no answers to questions. :(
Not dead. I answer all questions I see. I missed the one about IPV6 is all...
But, I'll give the same answer I've given about other things: I won't add features that aren't directly VPN-related. However, if it shows up in the baseline that I use (currently that's vanilla Tomato).
Though, work is being done in another branch (that also includes my VPN changes) towards IPV6 support.
First of all, thank you for your work and your reply Keith.
"I answer all questions I see. I missed the one about IPV6 is all..."
Some of unanswered question:
Jason: September 8, 2010 10:49 AM
" Is it normal behavior for OpenVPN to restart itself every ~60 seconds when no clients are connected? I'm getting ridiculous log thrashing as a result, though the system is quite stable."
Lothsahn: September 16, 2010 12:19 PM
Any chance you'll get a chance to update to Tomato 1.28?
-
Also I have a related question: Is there any way to disable the endless OpenVPN log? :
//
...
Feb 10 11:39:13 unknown daemon.warn openvpn[2277]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: LZO compression initialized
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: TUN/TAP device tap21 opened
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: TUN/TAP TX queue length set to 100
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Socket Buffers: R=[32767->65534] S=[32767->65534]
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: UDPv4 link local (bound): [undef]:1194
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: UDPv4 link remote: [undef]
Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: Inactivity timeout (--ping-restart), restarting
Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: TCP/UDP: Closing socket
Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: Closing TUN/TAP interface
Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: Restart pause, 2 second(s)
...
//
I suggest going to the support forum for such questions (been answered many, many times).
Hello,
I have a question regarding VPN and several tunnels configured on it. My router it is Asus RT-N16.
On it has set up a VPN server on UDP TUN with enabled Allow Only These Clients and below I have listed the names of CommonName networks to which it wants to have a routing from server. All routing is working nicely with internal routing. I have access to clients from a server network and from clients networks to server network. However, the problem comes at a time when I want to add client a number four.
Configuration stores nicely in ccd folder - but the server no longer starts. When I try start it in the log I see
user.info kernel: device tun21 entered promiscuous mode
Simply if remove the fourth client everything works again.
I would be grateful for any tips. I want to have more an 3 VPN tunnels with full routing between all networks.
Best regards
tenskwatawa
Once again, go to the support forums (see block at top) for technical support.
Hi Keith!
Is ist possible to select between "Start with WAN" and "Start with Router" so in ver1.25 ?
I have troubles with my provider, they set the leasetime to 12h, so every time the VPN will be killed and starts again. I'm the SAME ip from my provider.
thanks Harry
binaries link is broken?
Yeah, the binaries page is down. Would anybody happen to have it already? I want it.
Hi, the Downloadpage is incorrect. has anybody an Idea where to get the firmware?
Greets C.