Sunday, January 31, 2010

1.27vpn3.6 release

You can download the binaries from here.

Source is available at the Git repository.
Be sure to read the COPYING file if you plan to use/distribute the sources.
Notable changes from 1.27vpn3.5
  • Fixed service restart on WAN reconnect
  • Took back out the new redirect gateway option (don't leave default gateway) as its benefit was questionable at best.
  • Some code cleanups
This is just a bug fix release, so there are no new features included. Look forward to user/pass authorization in the next release...

108 comments:

  1. The feature I really missed was the one that starts the OpenVPN service with the router. I have a WRT54GL connected on my home LAN and I only use it as an access point+WDS and of course a VPN server. Since there is no WAN, with the new option I must start it manually every time. Could you please have both options at least, starting the service with WAN and/or router? Keep up the good work!!!

  2. @denexo:
    I hadn't considered the no-WAN case. Will be addressed in the next release.

  3. Oops, remote sshd does not work, because no instance of "dropbear -p " is started. Instead, two instances of "dropbear -p " are started. See console log hereafter:
    ----
    # nvram get sshd_port
    22
    # nvram get sshd_rport
    1022
    # ps | grep drop
    1259 root 1532 S dropbear -p 22
    1264 root 1600 S dropbear -p 22
    ----

  4. arghh.. should read "dropbear -p sshd_port" and "dropbear -p sshd_rport". somehow the ports got lost in translation :-"

  5. @Ronny:
    There isn't supposed to be a separate dropbear instance for remote access. The port is forwarded in the firewall rules.

  6. Thanks Keith. Looking forward to your next release!

  7. Hi,

    Thank you sincerely for your work.

    I must confess that I look forward to the feature username/ password for the next release. (Do you know the release date? approximately)

    Because of the French government policy, I am obliged to subscribe to a VPN ... Tough times for the Internet.

    Have a nice day!

  8. I'm also curious about a user/pass release date, would make it easy to implement at work here.

  9. Thanks again Keith for fast update!
    Also waiting for the GUI user/pass release.
    Hopefully we are not putting too much pressure here :)

  10. This comment has been removed by a blog administrator.

  11. Yeah, just installed this right now, and w/out the user-pass part, we may not be able to fully implement it here at work.

    Any estimated release date would be appreciated.

  12. @all:
    No ETA on the user/pass addition. However, it shouldn't be nearly as long as the wait after 1.25vpn3.4.
    In the meantime, changes in 1.27vpn3.5 made it so user/pass configs can be created. Just create a file that contains the user and pass in the init script, and add auth-user-pass to your VPN custom config. If it is user/pass-only (no certificates), just leave the certificates blank.

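A worked version of the init-script approach Keith describes in comment 12, added here as an illustration and not TomatoVPN's own code. OpenVPN's `auth-user-pass <file>` reads the username from the first line of the file and the password from the second. The path /tmp/vpn1.auth, the VPN_USER/VPN_PASS variables and the service name vpnclient1 are assumptions. The file sits in tmpfs, so the init script recreates it on every boot; the umask and chmod keep it readable by root only. Bear in mind that the init script itself is stored in NVRAM in clear text, so an NVRAM backup carries the credentials too.

```shell
#!/bin/sh
# Added example, not TomatoVPN's own code. Creates the credential file that
# `auth-user-pass <file>` reads (line 1 = username, line 2 = password) from
# the router's init script. AUTH_FILE, VPN_USER/VPN_PASS and the service name
# are assumptions for illustration.

AUTH_FILE="/tmp/vpn1.auth"   # tmpfs: gone after reboot, so the init script recreates it

# write_auth_file FILE USER PASS
# Writes the two-line file readable by root only. Returns 1 on empty input or I/O error.
write_auth_file() {
    file="$1"; user="$2"; pass="$3"
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    umask 077                       # file is 0600 from the instant it is created
    rm -f "$file"
    printf '%s\n%s\n' "$user" "$pass" > "$file" || return 1
    chmod 600 "$file"
}

# auth_file_ok FILE
# Pre-start check: exactly two lines and mode 0600, otherwise refuse to start.
auth_file_ok() {
    file="$1"
    [ -f "$file" ] || return 1
    [ "$(wc -l < "$file" | tr -d ' ')" -eq 2 ] || return 1
    case "$(ls -ld "$file" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# In the init script the credentials come from variables set a few lines
# above this (stored in NVRAM in clear, so treat NVRAM backups as secrets).
# The client's Custom Configuration box then needs the line:
#   auth-user-pass /tmp/vpn1.auth
if [ -n "$VPN_USER" ] && [ -n "$VPN_PASS" ]; then
    if write_auth_file "$AUTH_FILE" "$VPN_USER" "$VPN_PASS" && auth_file_ok "$AUTH_FILE"; then
        service vpnclient1 start      # service name as used in comment 27 below
    fi
fi
```

If the VPN is user/pass-only, leave the certificate fields in the GUI blank as Keith says; the check in auth_file_ok is there so that a file left world-readable by a hand edit over SSH stops the client from starting rather than silently exposing the password to any local process.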
  13. @Keith, do you know if somebody has written a sort of "howto" with screenshots for that method?

    I know you said no ETA, but could you at least give us a "few weeks" "couple of months" or "4+ months away" kind of estimate?

    Thanks again for all your hard work on this project.

  14. Is it possible to have a mini-howto for manually configuring the VPN username/password in v3.6?

    For now I copied login_password.txt and ca.crt into a /tmp directory; in the Advanced/VPN GUI I set the VPN configuration and start it, but it blocks all Internet traffic. I think iptables rules are missing.


    Thank you,
    See you

  15. I have been in love with Tomato for years now, but this fork with OpenVPN is fantastic. I am using it extensively and have yet to have any problem with it. Thank you for your efforts on this (donation coming...)

  16. @all who've asked:
    I'd say the next release will likely fall somewhere between a "few weeks" and a "couple of months" away. Note that there is not a deadline or schedule, so it's also possible that it will happen sooner or later than that.

  17. @Keith, I totally understand that there's no set schedule, was just looking for a best estimate.

    Thanks for the guestimate. Added your blog to my RSS reader.

    Thanks again.

  18. @Keith. First of all; great firmware :) really enjoying it!
    ...
    But: I've run into a bit of trouble :s
    Under basic settings I have checked the "client pool address - DHCP" option, but when I connect, my client gets no IP address.

    The server log contains this line, which I suspect is the cause of my troubles:
    ---
    Feb 11 17:52:46 ? daemon.err openvpn[14670]: client1/87.58.39.133:54278 MULTI: no dynamic or static remote --ifconfig address is available for client1/87.58.39.133:54278
    ---

    If I uncheck the "client pool address - DHCP" option, the OpenVPN server will supply me with an IP address, but that's from the range specified under vpn -> server -> basic settings.

    Any help appreciated! :)
    Ubunut

  19. @ubunut:
    I replied to your comment yesterday, but it doesn't seem to have taken...
    Unfortunately, the DHCP option ("route-gateway dhcp") is a pretty new feature to OpenVPN and seems a little flaky. If it doesn't work for you, you can either specify a range of IPs or try to get help on the OpenVPN IRC channel. I'm afraid I don't know where to look to debug this.
    Also, the forum should be used for technical support (see top of page). It's just better suited for that type of discussion.

  20. @Keith

    Np, just a minor flaw. Thanks for your quick reply! :)
    keep up the good work.

    Ubunut

  21. This comment has been removed by the author.

  22. Anyone get this working with StrongVPN's PPTP?

  23. I've been using VPN on Tomato for a few weeks. I have to say it works really well and is stable.

    I just have a little trouble and want to remove "persist-tun" from the default config file. Is there an easy way to achieve this?

  24. @pnt:
    Sorry for the delay. I thought I responded to you before...
    I'm afraid there's no way to start the client/server from the GUI without "persist-tun". Is there some reason you want it removed? If there is a reasonable use case, I could make it an option in the GUI.

  25. @Keith:
    I use a DNS server over VPN to resolve everything. Local DNS is just a backup. This is what I intended, because it's faster to use a CDN near the VPN server than near local ones.

    In this situation, if the VPN goes down and it tries to reconnect to the VPN host, it will hit a resolve problem. And if I don't use "persist-tun", openvpn will disconnect and DNS requests can go through. It's already verified on linux and win32 openvpn client.

    It's important to use domain host over IP addr to connect VPN, in multi-VPN-server environment.

    If you add an option for not adding "persist-tun", it'll greatly help me.

    And thanks for your continuous work on this project.

  26. hi, i would like to know if there's the possibility to enable ipc in the kernel config in the next releases?

  27. @denexo: you can work around the VPN service start by adding

    'service vpnclient1 start'

    (without quotes) to your init script. Works for me.

  28. Keith:
    Could you be so kind as to explain to me how the router tests the WAN (whether it is alive or not)?

    Does the router ping some hosts on the Internet, or the ISP default gateway (which is the DSL cable modem), or something like that?

    I have done some tests where OpenVPN connections were initiated from the inside LAN.

    I noticed that the VPN server resets connections coming from inside when the IP address on the WAN is different from the ISP addressing pool (routing outside is unavailable), even though the WAN interface is connected and UP.

    It means that the router does some tests on the WAN side before VPN connections from the inside LAN can be accepted, and that there is not just a simple test of whether the WAN interface is up or down.

    THX in advance.

    PS: IMHO, a second option in the GUI, which turns the VPN server on during the router startup phase and not only when the WAN is OK, is a good idea.

  29. @Remigiusz:
    Aside from attempting to get an IP address as needed, the router doesn't do any checking on the WAN connectivity.
    Yes, if you have the "Start with WAN" option set, the server will restart when you get a new IP.
    Do you have a valid use-case, besides testing, where restarting the server on WAN-up is a bad thing?

  30. @Keith:

    Of course it is a good idea to restart the VPN when a new IP address is set on the WAN.

    But when the IP is fixed, this feature could be turned off.

    My testing scenarios were simple:

    ISP DSL Modem <--> (WAN)My Home Router (LAN) <--> (WAN)Test Router with VPN Server (LAN) <--> My PC with OpenVPN Client

    Variant A:

    1. I set a fixed IP address on the WAN interface of the Test Router (one of the LAN IP addresses of My Home Router). Of course I set the default gateway pointing at My Home Router.
    2. Reloaded the Test Router.
    3. Started the OpenVPN client on My PC, pointing at the WAN interface of the Test Router.
    4. Connection established OK.
    5. Success.

    Variant B:
    1. I set a fixed IP address on the WAN interface of the Test Router (but the IP address is a "phantom", other than one of the LAN IP addresses of My Home Router). Of course I set the default gateway pointing at the phantom IP.
    2. Reloaded the Test Router.
    3. Started the OpenVPN client on My PC, pointing at the WAN interface of the Test Router.
    4. Connection is reset by the VPN server.
    5. Test unsuccessful.

    Why in the second scenario does the VPN server reset the incoming requests coming from My PC?

    The IP address is fixed. So what if the IP is from the phantom pool?

    I have done another test.
    I set up a fixed IP as in the first scenario, but unplugged the WAN interface during the router startup phase. When the router was up, I ran the OpenVPN client on My PC. Connection failed (VPN server reset the incoming request).
    Then I plugged in the WAN interface of the Test Router. Again I ran the OpenVPN client. Connection established.
    Next, I set up a fixed IP as in the second scenario, but unplugged the WAN interface during the router startup phase. When the router was up, I ran the OpenVPN client on My PC. Connection failed (VPN server reset the incoming request).
    Then I plugged in the WAN interface of the Test Router. Again I ran the OpenVPN client. Connection was reset by the VPN server.

    After this test I supposed that the router does some Internet connectivity tests to decide whether to bring the VPN server up, when everything is OK.

    IMHO: As @denexo has said, an option which allows the VPN server to be turned on permanently is a solution. Don't you think?

  31. @Remigiusz:
    Okay, I understand now. I thought you were talking about the server restarting, but you're talking about it not starting at all.
    Since the last release, I've already changed it to (re)start the service either if the WAN is connected or if the WAN is disabled. I guess maybe it should just do it no matter what. I still don't see a use-case besides testing where you'll be connecting via LAN with a bad WAN, but the use-cases I do see shouldn't be hurt by an extra (re)start if the WAN is bad (since nobody will be connected anyway).

  32. @Keith:

    I probably found the problem.

    When I wrote that the VPN server did not come up properly when there was no Internet connectivity to the ISP, I was wrong.
    It turned out that the VPN server ran OK in both cases (whatever static IP was set up).
    When there was no connectivity to the Internet (for the test's sake), I thought that the VPN server had some problems starting properly. I thought that because it reset all incoming connections (initiated from the LAN, from My PC).

    Connection result screen was:
    ========================================
    Thu Mar 04 12:33:50 2010 OpenVPN 2.1_rc21 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 12 2009
    --------- Some are omitted -------------
    Thu Mar 04 12:33:52 2010 VERIFY OK: nsCertType=SERVER
    Thu Mar 04 12:33:52 2010 VERIFY OK: depth=0, /C=PL/ST=ZP/O=OpenVPN/CN=server/emailAddress=xxxxxxxxx@gmail.com
    Thu Mar 04 12:33:52 2010 Connection reset, restarting [0]
    Thu Mar 04 12:33:52 2010 TCP/UDP: Closing socket
    Thu Mar 04 12:33:52 2010 SIGUSR1[soft,connection-reset] received, process restarting
    Thu Mar 04 12:33:52 2010 Restart pause, 30 second(s)
    ========================================

    But when I plugged the router in to the ISP, the connection result screen was:

    ========================================
    Thu Mar 04 12:51:02 2010 OpenVPN 2.1_rc21 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 12 2009
    --------- Some are omitted -------------
    Thu Mar 04 12:51:04 2010 VERIFY OK: nsCertType=SERVER
    Thu Mar 04 12:51:04 2010 VERIFY OK: depth=0, /C=PL/ST=ZP/O=OpenVPN/CN=server/emailAddress=xxxxxxxxx@gmail.com
    Thu Mar 04 12:51:05 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Mar 04 12:51:05 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1'
    --------- Some are omitted -------------
    Thu Mar 04 12:51:13 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
    Thu Mar 04 12:51:13 2010 Initialization Sequence Completed
    ========================================

    When you compare both screenshots you can see that (on the first screenshot) "Connection reset, restarting [0]" occurred where the "Data Channel Encrypt: Cipher 'BF-CBC' initialized" phase began (visible on the second screenshot).

    Conclusion:
    The problem was not Internet connectivity, but router NTP time synchronization.

    When I plugged the WAN interface of the router into the ISP DSL modem for only 5 seconds, just to synchronize the time with an Internet NTP server, I was able to establish a VPN connection to the VPN server without any restarts of the VPN server service. Only time synchronization had occurred.
    After synchronization I unplugged the WAN interface of the router from the ISP DSL modem, and I was still able to establish a new VPN connection to the VPN server (initiated from My PC, from the LAN side).

    So, it means that without proper synchronization of the router system time, a VPN connection cannot be established because the cipher negotiation phase will always fail.

    For testing's sake:
    Turn off the time synchronization by setting the "Auto Update Time" option to "Never". Save it, and reboot the router.
    After that, none of the VPN session requests will finish successfully.

    It bothers me because if I do not have any NTP server to synchronize the TomatoVPN router (for example in some LAN solutions), I will not be able to use the VPN feature on this router.

    Is it possible to force the router system time synchronization from a fake "internal" source?

    BR

  33. @Remigiusz:
    The time must be correct for VPN to work. There's no way to avoid that.
    I'm not sure what you mean by a "fake" source, but you can point it to an NTP server on the LAN just fine. In fact, that is what I do.
    Also, if you continue to have difficulty, please post on the forum. This is not a very good format for this type of discussion.

  34. @Keith:


    As a "fake" NTP source I mean any router internal process, which will be able to synchronize the Router Time internally (when no external NTP source is available, on the WAN as well as LAN side).

    Thank You for your help.
    I move this topic to the forum.

    BR

  35. @Remigiusz:
    It has to get the time from somewhere. This isn't a matter of not having an ntp server to talk to. The time actually has to be correct for the encryption to work properly. Unless you have a time source physically connected to the router, it will need to connect to an NTP server (either WAN or LAN).

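The mechanism behind Keith's answers in comments 33 and 35, with a boot-time guard, added here as an example that is not part of TomatoVPN: during the TLS handshake OpenVPN checks the peer certificate's validity period (notBefore/notAfter) against the local clock, so a router whose clock is still far in the past rejects the client's certificate and resets the session. That is consistent with the client-side log in comment 32, where the server certificate verifies on the PC (whose clock is right) and the connection is then reset before the data channel comes up. The script below refuses to start the service until the clock is past a minimum you choose, which also covers the power-failure case in comment 50 where the time never updates and the VPN does not come back. MIN_EPOCH, the 120-second timeout and the service name vpnserver1 are assumptions; the threshold to use is the notBefore of your own CA or server certificate (`openssl x509 -noout -startdate -in ca.crt` prints it).

```shell
#!/bin/sh
# Added example, not TomatoVPN's own code. Gate the VPN service on a sane clock:
# with the clock far in the past, every X.509 validity check (notBefore/notAfter)
# fails and the server resets each handshake. MIN_EPOCH, the timeout and the
# service name are assumptions; use your own certificate's notBefore as MIN_EPOCH.

MIN_EPOCH=1262304000   # 2010-01-01 00:00:00 UTC, illustrative threshold

# clock_is_sane MIN: succeeds when the current epoch time is at or past MIN
clock_is_sane() {
    [ "$(date +%s)" -ge "$1" ]
}

# wait_for_sane_clock MIN TIMEOUT
# Polls once per second until the clock is sane; returns 1 after TIMEOUT seconds.
wait_for_sane_clock() {
    min="$1"; timeout="$2"; waited=0
    while ! clock_is_sane "$min"; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Intended for the init or WAN-up script; only runs when VPN_AUTOSTART is set
# so the functions can be sourced and tested on their own.
if [ -n "$VPN_AUTOSTART" ]; then
    if wait_for_sane_clock "$MIN_EPOCH" 120; then
        service vpnserver1 start
    else
        logger -t vpn "clock still before $MIN_EPOCH after 120s; OpenVPN not started"
    fi
fi
```

A LAN NTP server, as Keith suggests, is what makes the clock pass this gate on an isolated network; the guard only turns a silent stream of "Connection reset" failures into one syslog line that says why the service was not started.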
  36. Getting this working was seamless. Thank you for this effort!

  37. I eventually want to use the VPN ability, but right now I am just trying to get a simple setup working. Under Basic -- Network -- WAN, there is no option for Primary DNS and Secondary DNS. Is this listed somewhere else, or do I have to set it with a command line? Thanks (and sorry for asking a support question here...)

  38. @gregconquest:
    It's a bit of a misnomer, but place those under Static DNS in the LAN section.

  39. It would be nice if we could get the VPN service to restart automatically if it crashes.
    It would also be nice if we could get the firewall to autoconfigure based on VPN settings, e.g. if I set the VPN client to connect to a TAP network the firewall autoblocks incoming packets from that network.

  40. Whenever I save my settings in the GUI, Server 1's port ends up blank and Server 2's subnet mask ends up blank as well. The server won't start due to Server 1's port being set to nothing.

  41. @ysesq:
    Those are current features.

  42. @mattswell:
    I'm guessing you didn't clear NVRAM after upgrading? Do so and reconfigure your settings.

  43. Hello Keith,

    Great job!

    I have two questions:
    - any plans in the future to add management interface option for OpenVPN?
    - how/where can I find a list of all CLI supported options in your version of Tomato OpenVPN?

    Thank You.

  44. @Panai:
    1. No real plans, no.
    2. If you include the "Custom Configuration" section, it supports all OpenVPN options.

  45. hi!

    I have a few questions concerning this software and the VPN settings. Where's the best place to ask?

    thanks!

  46. @letschi:
    The forums. See the link up top.

  47. Any plans to include speedmod as part of your distribution?

    http://touristinparadise.blogspot.com/2008/04/linksys-wrt54gl-routers-improving.html

  48. @Wendy:
    I'm pretty sure the good parts of SpeedMod were incorporated into Tomato a while ago, so they made it into TomatoVPN as well.

  49. You are correct that most of the changes were incorporated back awhile ago.

    There is an additional one that was added later and hasn't been incorporated in the Tomato source that I've found has improved the speed of my router. The author replaced Jenkins' lookup2 hash with lookup3. This was done in SpeedMod 119.

    Something possibly to consider.

  50. Again, great job, but where do I report bugs?

    My server VPN router does not automatically update the time on boot/reboot, even though I have set it to do so. I have to do a manual reconnect on the WAN to force the time to update. The time on the client VPN router, however, updates fine.

    I don't schedule a reboot because the firmware is solid, but sometimes there are power failures and what have you, and the VPN doesn't re-establish after that.

    Both my WRT54GL routers are running TomatoVPN 1.27vpn3.6.

  51. Hello Keith,

    So any router that works with the original Tomato firmware will pretty much work with TomatoVPN, right?

    I'm looking for a wireless-N router that will work with TomatoVPN. Will the Netgear WNR3500L work? I found out that it's supported by the original firmware.

  52. @Howie:
    Sounds like that'd be an issue with the base Tomato, not with the VPN additions. You can try and get help at the forums.

    @Review:
    Yes, TomatoVPN works on any router that the original Tomato does. However, the original Tomato does not support the WNR3500L. However, I do believe that teddy_bear (at the linksysinfo forums) has a mod that supports that router, and he also releases a version that includes my VPN changes as well.

  53. Is it possible to configure VPN using Dyndns on Serversite?

  54. @harry:
    You can input DNS names for the VPN server when configuring the VPN client, and you can configure Tomato to update a dynamic DNS service. However, I have no idea what you mean by "configure VPN using Dyndns on Serversite". If I haven't answered your question, please be more specific.

  55. @Keith

    The VPN server has a dynamic IP from the Internet provider, that's what I mean. So how can I configure the VPN client using the GUI to connect through a DynDNS name to the server?
    I remember that in the GUI it's only possible to enter an IP address, or should it work to enter the DynDNS name there?

    Thanks Harry

  56. @harry:
    As I mentioned, entering DNS names should work fine.

  57. @ keith

    Thanks for the hint, i'll test it.

  58. @ Keith
    Yes! It works with DynDNS.

    The Linksys with Tomato is the coolest thing in my house.

  59. I can't save the OpenVPN port. If I save and then START VPN SERVER, it won't start up and the port will be erased in the form.

    How do I solve the problem?
    Can I save the port with SSH?

    Here a picture from my error:
    http://www.abload.de/img/16.05b2s7.png

  60. @tatoosh:
    Sounds like you have corrupted NVRAM. This often happens if you don't clear it after an upgrade. You need to clear the NVRAM and reconfigure your router from scratch.

  61. I can't seem to manage a site-to-site configuration properly. I've got the client-side acting as a normal router (Read: Between the network and the internet), and I've got the server-side behind an IPCop Firewall/Router, with my VPN port forwarded. The VPN connects fine, and out-of-the-box, so to speak, I can ping machines on the server-side from the client-side, but not the other way around. I'm pretty sure it has to do with my routes on my server-side VPN and IPCop routers, but I'm not entirely sure what routes I need to create where.

  62. @Nathan:
    http://tomatovpn.keithmoyer.com/2009/03/client-specific-options.html

  63. @Keith:
    Oh pfft. Without a manual (Or an index of blog posts), I wasn't really sure what that option did. Before I saw your reply, I set up both server and client instances on each router passing traffic on two different subnets (10.8.0.0 and 10.8.1.0), and it's probably a bit silly, but it works. I think I'll rip that down and play with the client options. Thanks for the input!

  64. Awesome work, Keith! One suggestion: make options such as 'Advertise DNS to clients' become greyed out instead of hidden when the parent option is unticked. Make the child options indented, too. I think that this will make the UI more clear.

  65. Is it possible to add "IP/MAC Bandwidth Limiter" to your mod?

  66. What is "Advertise DNS to clients"? Can I access clients in server side?

  67. Do you know if this will work with the WRT54G-TM?

  68. @Hans:
    Is it possible for someone to add? Sure. Will I add it to my releases? No.

    @Andy:
    It tells the clients that they can use the VPN server as a DNS server as well. You can access clients from the server side if it is configured to do so.

    @Josh:
    TomatoVPN supports all routers that Tomato does, including the WRT54G-TM.

  69. Hello,
    Great work!
    where can i find the beta versions (night builds)?

  70. @StaRipper:
    There aren't any.

  71. How does one actually test a unit to see if the flashing of the firmware is fully complete and without fault? Since appearances can be deceiving: just because you see all the bells and whistles does not mean things are OK internally.

  72. @vientito:
    There's no real way to verify the flash. The best you can do is erase NVRAM (thorough) from the GUI and start using it.

  73. How do I emulate --client-config-dir per-client behaviour on a Tomato router, since I could not specify files like I can on a PC?

  74. @1240500:
    No need to just emulate. See http://tomatovpn.keithmoyer.com/2009/03/client-specific-options.html

  75. I see under client advance config an option to accept DNS configuration. There are four choices: none, relaxed, strict and exclusive. I vaguely understand the need for dispatching DNS resolution packets to remote and local network, but could not figure out exactly which one is for what. Yet I could not find documentation on it. I wonder if you could spell it out for me. Thanks for the link.

    Also, I looked all over but could not find in the client setup anything resembling the system definition of persist-key and all related persist functions for restarting purposes. Are they embedded in some settings and assumed already? Or do I have to specify them under custom config myself?

  76. @1240500:
    none = DNS servers sent by server are ignored
    relaxed = DNS servers sent by server are prepended to the current list of DNS servers, of which any can be used
    strict = DNS servers sent by the server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN-provided ones don't respond)
    exclusive = only the VPN-provided DNS servers are used

    persist-key and persist-tun are automatically added to the config

  77. Keith:

    Thanks again for your wonderful branch of tomato. I'm having ongoing issues with Charter, probably due to this bug:
    https://bugs.busybox.net/show_bug.cgi?id=629

    (which doesn't appear fixed in 1.14.4). However, I noticed that tomato 1.28 has fixes for udhcpc, and looking through the source, this is one of them.

    Can you make a new release with 1.28? I really want my DHCP to work with my (non-compliant) Charter DHCP server, but I don't want to lose VPN to get it...

  78. Darn. I was still on 1.25. Just upgraded.. Everything looks fabulous.. Hardly skipped a beat..

    Thanks again for this excellent mod!

  79. Just a real quick question, I have a Buffalo WHR-HP-G54 with Tomato (standard) 1.27 on it.

    Works great, but I need some VPN. Enter yours. So I downloaded your firmware.

    My question is which of the BIN files (they all seem to be labeled for Linksys models) is going to be the one I want to use?

  80. @John Jennings:
    Any of them will work. The only difference is a header that allows different default firmware to accept them. The actual firmware being loaded is the same.

  81. Okay, thank you!!

    Second question, lol. The "site-to-site" without any additional config.... seems to be a little bit more deceiving than that. Have you written (or do you know of) a good tutorial to show me how to setup the site-to-site functionality??

  82. @John Jennings:
    http://tomatovpn.keithmoyer.com/2009/03/client-specific-options.html

  83. Is it possible to get/have a PPTP server?
    I know it's not "more secure" but I'm not running the FBI here.. I just can't run OpenVPN on my mobile device, but I can run PPTP.

    I know other firmware has it, but I'd rather not switch unless I have to.
    thanks!

  84. The WAN-up scripts don't seem to work anymore. I always used a route add ("route add -net 192.168.2.0 netmask 255.255.255.0 dev tun21") on both sides to route traffic through the VPN tunnel; using the WAN-up scripts, but they don't seem to work anymore. Anyone have a clue why?

  85. Hello and really thank you for your work Keith, TomatoVPN is great! I have a question: is it possible to configure the PEM pass phrase automatically for the client part of TomatoVPN? Can it be done with the option "auth-user-pass /etc/openvpn.pass"?

  86. Could you elaborate on how to revoke client certificates, using TomatoVPN as an OpenVPN server? Specifically, how can I save the certificate revocation list (crl.pem) on the router? Thanks for the great mod!

  87. @Timo: You can set up JFFS and save it to /jffs, then add crl-verify /jffs/your-file.pem to the custom config.

  88. This comment has been removed by the author.

  89. Is it normal behavior for OpenVPN to restart itself every ~60 seconds when no clients are connected? I'm getting ridiculous log thrashing as a result, though the system is quite stable.

    It sees no activity, closes the socket, closes the TAP/TUN interface, restarts the service, initializes encryption/compression, creates the interface again, then waits for one minute and does it all over again. The polling interval setting in the GUI doesn't seem to be relevant to this behavior.

    Help?

  90. Keith:

    Any chance you'll get a chance to update to Tomato 1.28?

  91. Hello there, I have two questions
    1. Does Tomato Support WRT320N ?
    I downloaded the latest firmware from
    http://tomatousb.org/download

    2. how does QoS work when OpenVpn connection is established. ?

  92. The VPN will not properly register Avaya VOIP phones from the client if the Conntrack/netfilter tracking helpers are checked.

    Similar problem of dropped packets were reported by others on the dslreports forum.

    Fortunately, someone discovered what was causing the dropped packets!

  93. Hi Keith,
    At first, Thanks for the tremendous work!
    I'm having some problems with my setup, it's probably related to some config in the router that I need to do, and would really appreciate some help. I tried to look for some documentation or use Google but with no luck.

    - I have TomatoVPN with a 'tun' server running, so anyone who connects to this server is assigned a 10.8... IP
    - Behind my router there is a VoIP server, which has a 192.168.. IP

    I have the same problem that Brian described: softphones on external machines (running VPN to my server) are not able to register with the VoIP server. (Following an approach similar to Brian's, I unchecked the NAT helpers, but that didn't work for me.)

    SIP (VoIP) messages should arrive on port 5060 which is forwarded to my VoIP server. But the messages are not hitting my VoIP server.

    Do you have an insights on what might be causing this or how it can be resolved?

  94. Hello there, can someone tell me whether TomatoVPN will work with the Linksys WRT320N?

  95. Hello all, will this project be updated?
    Or is this project already closed?

  96. Hello,

    is this project still running?

  97. For those looking for support for other routers, updated tomato versions, usb support, etc -- the tomato-usb folk have taken the VPN changes that Keith originally wrote, and have an updated version with tomato 1.28 (and many other changes).

    If you are looking for such a thing, it's found here:
    http://tomatousb.org/

    NOTE: This version uses the ND (new driver) and CAN brick certain routers. See:
    http://www.linksysinfo.org/forums/showthread.php?t=59920&highlight=new+driver

    (to see your version, run "nvram get wl0_corerev")

    Thank you again, Keith, for your valuable contribution. I cannot express enough how helpful tomatovpn is in my daily life.

    ReplyDelete
  98. What about IPv6 support in the next release?

    ReplyDelete
  99. I think this project is dead. There are no answers to questions. :(

    ReplyDelete
  100. Not dead. I answer all questions I see. I missed the one about IPV6 is all...

    But, I'll give the same answer I've given about other things: I won't add features that aren't directly VPN-related. However, if it shows up in the baseline that I use (currently that's vanilla Tomato).

    Though, work is being done in another branch (that also includes my VPN changes) towards IPV6 support.

    ReplyDelete
  101. First of all, thank you for your work and your reply Keith.

    "I answer all questions I see. I missed the one about IPV6 is all..."

    Some of the unanswered questions:

    Jason: September 8, 2010 10:49 AM

    "Is it normal behavior for OpenVPN to restart itself every ~60 seconds when no clients are connected? I'm getting ridiculous log thrashing as a result, though the system is quite stable."

    Lothsahn: September 16, 2010 12:19 PM

    Any chance you'll get a chance to update to Tomato 1.28?

    -

    Also I have a related question: Is there any way to disable the endless OpenVPN log?

    //
    ...
    Feb 10 11:39:13 unknown daemon.warn openvpn[2277]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: LZO compression initialized
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: TUN/TAP device tap21 opened
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: TUN/TAP TX queue length set to 100
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: UDPv4 link local (bound): [undef]:1194
    Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: UDPv4 link remote: [undef]
    Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: Inactivity timeout (--ping-restart), restarting
    Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: TCP/UDP: Closing socket
    Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: Closing TUN/TAP interface
    Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: SIGUSR1[soft,ping-restart] received, process restarting
    Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: Restart pause, 2 second(s)
    ...
    //

    ReplyDelete
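The cycle visible in the quoted log (link bound, inactivity timeout exactly one minute later, restart, bind again) can be spotted mechanically. The following is an added example, not code from the comment thread or from TomatoVPN: it parses syslog lines in the format shown above and reports, per openvpn PID, how many seconds the link stayed bound before each --ping-restart. The sample lines are constructed from the excerpt, with a made-up second cycle and a second PID that does get a client.

```python
import re
from datetime import datetime

# Constructed sample, trimmed from the syslog excerpt quoted in the comment above;
# the 11:40:15 onward lines and PID 9999 are invented for illustration.
SAMPLE_LOG = """\
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: UDPv4 link local (bound): [undef]:1194
Feb 10 11:39:13 unknown daemon.notice openvpn[2277]: UDPv4 link remote: [undef]
Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: Inactivity timeout (--ping-restart), restarting
Feb 10 11:40:13 unknown daemon.notice openvpn[2277]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 10 11:40:15 unknown daemon.notice openvpn[2277]: UDPv4 link local (bound): [undef]:1194
Feb 10 11:41:15 unknown daemon.notice openvpn[2277]: Inactivity timeout (--ping-restart), restarting
Feb 10 11:41:17 unknown daemon.notice openvpn[9999]: UDPv4 link local (bound): [undef]:1194
Feb 10 11:41:20 unknown daemon.notice openvpn[9999]: Peer Connection Initiated with 203.0.113.5:51000
"""

# syslog prefix: timestamp, host, facility.level, then "openvpn[PID]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse_line(line, year=2010):
    """Return (timestamp, pid, message) or None for non-openvpn lines.
    syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, int(m["pid"]), m["msg"]

def restart_cycles(text):
    """Per PID, list the seconds each bound link lived before a --ping-restart."""
    bound_at, cycles = {}, {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, msg = parsed
        if msg.startswith("UDPv4 link local (bound)"):
            bound_at[pid] = ts                      # start of a new cycle
        elif msg.startswith("Inactivity timeout (--ping-restart)") and pid in bound_at:
            cycles.setdefault(pid, []).append(int((ts - bound_at.pop(pid)).total_seconds()))
    return cycles

def idle_restart_loops(cycles, min_restarts=2, max_uptime=120):
    """PIDs that restarted at least min_restarts times, never staying up longer than max_uptime."""
    return {pid: ups for pid, ups in cycles.items()
            if len(ups) >= min_restarts and max(ups) <= max_uptime}
```

Run against a full syslog dump, PIDs with short, repeated cycles and no "Peer Connection Initiated" line are the ones restarting purely on inactivity.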
  102. I suggest going to the support forum for such questions (they have been answered many, many times).

    ReplyDelete
  103. Hello,
    I have a question regarding VPN and several tunnels configured on it. My router is an Asus RT-N16.
    On it I have set up a VPN server on UDP TUN with Allow Only These Clients enabled, and below that I have listed the CommonName names of the networks to which I want to have routing from the server. All routing is working nicely with internal routing. I have access to clients from the server network and from the client networks to the server network. However, the problem comes when I want to add client number four.
    The configuration is stored nicely in the ccd folder, but the server no longer starts. When I try to start it, in the log I see
    user.info kernel: device tun21 entered promiscuous mode

    If I simply remove the fourth client, everything works again.
    I would be grateful for any tips. I want to have more than 3 VPN tunnels with full routing between all networks.
    Best regards
    tenskwatawa

    ReplyDelete
  104. Once again, go to the support forums (see block at top) for technical support.

    ReplyDelete
  105. Hi Keith!

    Is it possible to select between "Start with WAN" and "Start with Router" as in ver1.25?
    I have troubles with my provider: they set the lease time to 12h, so every time the VPN gets killed and starts again. I get the SAME IP from my provider.

    thanks Harry

    ReplyDelete