Thursday, August 06, 2009

How to Set Up OpenVPN in Tomato

There are two ways to set up OpenVPN in Tomato; either way, you first need to install the OpenVPN-modded version of the Tomato firmware and then configure it from the Tomato admin screen. There are many ways to configure OpenVPN; in this tutorial we will set it up with a single static key. This setup is recommended if you only need one user to connect to your home network to access things locally, or just to hide your traffic when you surf on an unsecured network.
I will assume that you have a router that is Tomato/DD-WRT/OpenWrt enabled, with a variant of one of those firmwares already installed; that way it is very easy to flash to the Tomato OpenVPN-enabled firmware. Google is your best friend for finding that information.

First, download the firmware:
http://tomatovpn.keithmoyer.com/

You can download the binaries there; the latest update is the 1.25vpn3.3 release as of this article.

Then go to your Tomato router and flash it with the firmware from the Administration screen.


Notice that I am already using the OpenVPN-modded Tomato; I have attached that screen so users can see exactly what they are doing.

After you have loaded the firmware and rebooted the router, you will see the VPN Tunneling option in your menu. What you need now is to download OpenVPN and generate a static key; a good starting point is the documentation on OpenVPN's main page.

Click on the VPN Tunneling option in your router menu, and you will be presented with the following screen:


Then select the following:
Interface Type: TAP
Protocol: UDP
Port: 1195
Firewall: Custom
Authorization Mode: Static Key

Ignore the Advanced tab and go to Keys, and you will reach the following screen:


Paste the static key you generated with your copy of OpenVPN into the Keys box. Remember not to share this key with anyone: a static key is a shared secret, and anyone holding a copy of it can connect to your network as you.

Then go to your firewall and forward port 1195 to your router's IP address. In my case, I forward external UDP port 1195 to local port 1195 at my router's IP address, which is 192.168.1.1.

If you do not have a static IP from your ISP, it is easier to configure a DDNS host. You can join a free service at either dyndns.org or no-ip.com. Then you can connect from anywhere to your host, for example
xxx.dyndns.org

After that, configure the local OpenVPN client and save the settings to a configuration file; in our example we name it connect.ovpn.

# connect.ovpn (client side). The route-gateway/redirect-gateway lines make
# your client computer send all traffic through your router (remote gateway).
# Replace xxx.dyndns.org with your server's public address or DDNS host name
remote xxx.dyndns.org
port 1195
dev tap
proto udp
# static.key must sit in the same directory as this file
secret static.key
comp-lzo
# dev tap has no point-to-point peer to learn the gateway from, so
# redirect-gateway needs the router's LAN address given explicitly
route-gateway 192.168.1.1
redirect-gateway
# allow the server's address/port to change (e.g. after a DDNS update)
float

Then place your static key in a file in the same directory as connect.ovpn, and make sure the file is named "static.key".

You can now connect to your host by right-clicking connect.ovpn and selecting the Connect option.
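As an added check that is not part of the original post: the following Python script verifies that what you are about to paste into the Keys box (or save as static.key) really is an OpenVPN static key with enough key material, mirroring the "Insufficient key material or header text not found" error quoted in the comments. The sample key and the PEM counter-example are constructed placeholders, not real keys.

```python
import re

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
# Limits taken from the router log line quoted in the comments:
# "(0/128/256 bytes found/min/max)"
MIN_BYTES, MAX_BYTES = 128, 256


def check_static_key(text):
    """Return (ok, byte_count, reason) for the contents of a static.key file.

    Only hex between the BEGIN and END lines counts; '#' comment lines are ignored.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if HEADER not in lines or FOOTER not in lines:
        # An RSA/TLS key (BEGIN RSA PRIVATE KEY) lands here: wrong key type for Static Key mode
        return False, 0, "header text not found: not an OpenVPN static key"
    start, end = lines.index(HEADER), lines.index(FOOTER)
    if end < start:
        return False, 0, "END line appears before BEGIN line"
    body = "".join(ln for ln in lines[start + 1:end] if ln and not ln.startswith("#"))
    if not re.fullmatch(r"[0-9a-fA-F]*", body) or len(body) % 2:
        return False, 0, "key body is not valid hex"
    n = len(body) // 2
    if n < MIN_BYTES:
        return False, n, "insufficient key material (%d/%d/%d bytes found/min/max)" % (n, MIN_BYTES, MAX_BYTES)
    if n > MAX_BYTES:
        return False, n, "too much key material (%d bytes)" % n
    return True, n, "ok"


# Constructed sample in the layout 'openvpn --genkey --secret static.key' writes:
# 16 lines of 32 hex chars = 256 bytes. The repeating pattern is NOT a real key.
SAMPLE_KEY = "\n".join(
    ["#", "# 2048 bit OpenVPN static key", "#", HEADER]
    + ["0123456789abcdef" * 2] * 16
    + [FOOTER, ""]
)

# Constructed counter-example: the mistake described in the comments, pasting an
# RSA private key instead of the static key. The base64 body is a placeholder.
RSA_PEM = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEogIBAAKCAQEAplaceholderbody",
    "-----END RSA PRIVATE KEY-----", "",
])

if __name__ == "__main__":
    for name, data in (("static.key", SAMPLE_KEY), ("client.key", RSA_PEM)):
        print(name, check_static_key(data))
```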

41 comments:

johnnymacm said...

Great post; quick question. My router does not indicate that the OPENVPN service is running. I get this: "Server is not running or status could not be read." on the status page. Any ideas?
John

John So said...

Hey you could try to connect from within your network first, make sure that it's not the port forwarding that's having the problem. So you can nail down the problem one by one.

jau said...

such simple instructions, very easy read! question - do you know if such a config could be used to circumvent the great firewall of china? i know they block facebook and twitter most of the time.

thanks!

John So said...

Short answer, yes. However you need to setup your openvpn server outside of China. This is more of a openvpn question rather than with tomato. Openvpn opens a tunnel between yourself and your server, thus people cannot read when they are forwarding the traffic for you. Since you have a key, this setup can access all your facebook and twitter from China with no problem. Even Cnn, and most of your mongolia, Taiwan sites. I hope I haven't typed enough keywords for the Chinese to block me.

jau said...

your configs worked perfectly. all i had to do was force the TAP interface metric to something lower than my internet interface. dropped it to 10, and all traffic got thrown over the openvpn. even skyping through it!

Empa said...

Hi,
I've tried this HOW-TO and I'm really new to this.
What I can't get to work is the config file. I've tried to create one in a text editor and then I've put the file into my bin folder. Am I doing this wrong? Cause I can't right-click on the file and select connect.
Thanks in advance!

Anonymous said...

Hi,
have you tried tinc with tomato?

i think it is a nice part of software.

Greeting

dieter

zmzmzm said...

Are the firewall changes on the router or your PC? The router firewall does not control routing, it is a different tab.

Great overall instructions!

John So said...

Hey glad to know that people are getting this to work. Thanks for your comments.

John So said...

Dieter,
I haven't tried Tinc, I will take a look. Thanks

Anonymous said...

Works perfect inside my lan. I will have to test this when i'm on the road :)

thank you

Anonymous said...

I didn't manage to make a connection using the firewall:Custom Setting. I don't know what went wrong.

However i changed Firewall: Automatic
and didn't use a port forward of the port to the internal address of the router.

This did work on my computer. Great news .. great post :)

Anonymous said...

Dear Author of blog.johnso.org!
Rather helpful information

John So said...

Thanks for the feedback. I found that the openvpn client works depending on the network you connect from. I can connect from anywhere except my work network.

Anonymous said...

Can anyone recommend the well-priced Remote Desktop software for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central remote control (http://www.n-able.com)? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

packetrider said...

It looks like this tutorial is for connecting a computer to the tomato VPN server and accessing resources behind this router. Is there a tutorial on how to do a site-to-site VPN connection using two tomato VPN routers? I like to have a persistent 24/7 VPN connection between my home and office so I can use rsync to sync two file servers -- one at work and one at home.

Smart said...

no matter what i do, i get a series of messages that say "invalid ip address" when i try to save my settings. i've tried various settings and have not been able to save the settings i input.

I am currently running tomato v1.27.8742 on a wl520gu if it helps.

John So said...

Which part of the instruction are you stuck at?

Smart said...

John
I would get to the last step of the server setup on my tomato router. When I clicked save, that is when I received the ip address is invalid error. I played around with it all last night and to get it to save my settings, I had to fill in every blank for the setup of server 1 and server 2.

I seem to have a new problem now though. I have th settings saved, but when I click the start button, nothing happens.

Is this a bug, or is it simply user error?

mfreymond said...

Thanks for the help.

In order for me to get it to work on my system, I had to leave it at the default port, and set the firewall to automatic.

BATMANTAS said...

A few questions and I've read through the threads, and I'm still struggling to get this to work.

1) are the firewall/portforwarding changes done in tomato or on the pc client? I believe the answer is in tomato, and all that needs to be done on the pc is to create a firewall exception.

2) is the external server address the wan ip address of the modem, or the gateway address between the modem and the router? (Configuration is that my tomato router sits behind my cable modem.)

thanks.

BATMANTAS said...

I played around with this this evening and was able to get it to work.

- ip address is external
- port forwarding is done on tomato on the router
- firewall rules are on the PC

John So said...

Glad you got it to work

BATMANTAS said...

Just an update to my last post:

When:
- ip address is external
- port forwarding is done on tomato on the router
- firewall rules are on the PC

I can connect through local LAN, but cannot connect over WAN.

When I change the settings so that
- firewall setting in tomato are automatic
- remove the portforwarding rules in tomato

I am able to connect through VPN both through LAN and WAN.

tomcat said...

Great post! THANKS!!!!
I had to change the firewall settings on router to Automatic to be able to connect through WAN.
Thank you BATMANTAS for the idea.

Ihstiv said...

I have a naive question: Does setting up a local VPN like this make you anonymous to your own ISP? My hunch is no, but I'm having trouble finding confirmation.

Thanks!

John So said...

@Ihstiv you are correct, if you create a private VPN in your home network the IP address that you use to go out will be the same. Another way is to use your friend or family internet to install the VPN server. Connect to it and you will be seen as the same IP as your friend or family's IP.

István Dániel said...

It doesn't work with Windows 7 :( I tried it, it's green, but when I try there is the old IP address, not my router's.. :(

Polaris75 said...

If someone could help it would be GREATLY appreciated ... I've followed the guide as best I could (I'm using a FreeBSD server so it was a little different, but the server isn't the issue) but I'm having a problem and I've scoured google for about an hour now and can't seem to find a fix ...

I've got the authorization mode set to 'static key', and I put the 'client.key' I generated on the server while following into the Keys box, starting with the "-----BEGIN RSA PRIVATE KEY-----" line and ending with "-----END RSA PRIVATE KEY-----", but when I try to start the VPN it fails and I get the following in my /tmp/var/log/messages -

Jun 17 16:27:06 unknown daemon.err openvpn[1077]: Insufficient key material or header text not found found in file 'static.key' (0/128/256 bytes found/min/max)


It seems like the key isn't making it from nvram to the file when it tries to start up ... if I knew where it was creating the temp file I'd just write the key there myself, but I have no idea ... if anyone knows how I can fix this it would make me extremely happy ...

Thanks

tomcat said...

Polaris75,

Open up the static.key file with a regular text editor and copy:

-----BEGIN OpenVPN Static key V1-----
........................
............................
.....................
-----END OpenVPN Static key V1-----

(including ---BEGIN and ---END lines)
and paste it into "VPN Tunneling\Server -> Keys" on the router. The only problem I had was the firewall. I had to set it to "Auto".
And you will need your "static.key" file to be in "OpenVPN\config" folder.

Shak said...

I don't understand this step:

>Then you should go to your firewall and forward the port 1195 to your router's IP address. In my case, I forward external UDP port 1195 local port 1195 at my router's IP address which is 192.168.1.1

Do you mean port forwarding? And isn't the VPN server residing on the router anyway? What exactly is being forwarded?

Help please. I can connect to my router but can't ping anything.

John So said...

@Istvan if you have setup everything in the router and you try to connect in Vista and Windows 7, I found that you have to run it as administrator, otherwise you won't be able to connect. What does the log say when you connect?

@Shak
You are setting it up on the router, but you still have to forward the ports, some users have success with firewall setting in tomato set to automatic, and remove the port forwarding in the firewall router.

Thanks BATMANTAS

juan said...

what changes should I make to the config file for bridge mode?

Jack said...

I got stuck at generate OpenVPN keys. I wasn't sure what to install and how to generate a key

Timmy.Norris said...

Great step by step tutorial. It worked out really fine. Thanks.
US VPN

Kathleen Carleton said...

Great step by step instructions and if this can circumvent the firewall in China it must be a powerful piece of software. http://www.proxynetworks.com

Marshal Drake said...

Thanks for sharing this information. I'm still studying how Tomato works with OpenVPN.

chicago colocation