Rexter
OpenVPN PKI

I am using Tomato to allow several remote clients to connect and access local resources here at my office. I have spent about 40-60 hours now trying to figure out how to create the certificates. I think I can plug them into Tomato once they are created, but I can't find a good tutorial. It seems that there have been some major changes as of the OpenVPN software 2.3 that invalidate most of the instructions that are out there. All the instructions say open a command prompt, go to the easy-rsa directory, and enter commands to create the certificates. This easy-rsa directory does not exist. I found the easy-rsa files on GitHub, but the directory structure is not the same. I can't figure out how to utilize them with the tutorials. Could someone please point me to a tutorial that you know to be current and correct? Please don't point me to the various tutorials that come up on a Google search. I'm quite good with Google, and have done my due diligence there. I've just been unable to find the needle in the haystack, so to speak.

Thanks
--
I'm with the Central Government. I'm here to help you. Now bend over, really, I'm helping you, just, just stay still. You'll feel better in a moment.
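An added example, not from this thread and not the easy-rsa project's own code, of what the easy-rsa scripts do underneath: build a CA, sign one server certificate and one certificate per client, and check the result. It drives the openssl command line directly (assumed to be on PATH) so it does not depend on which easy-rsa layout was downloaded; the names Office-VPN-CA, server and client1/client2 and the scratch directory are made up. The security-relevant detail is the extendedKeyUsage split: the server certificate gets serverAuth and clients get clientAuth, which is what lets a client configured with `remote-cert-tls server` refuse a peer that presents a leaked client certificate as if it were the VPN server. The same split is why `verifies_as()` accepts the server cert only for the sslserver purpose and the client certs only for sslclient.

```python
import os
import subprocess
import tempfile

# Minimal openssl.cnf substitute so `openssl req` runs non-interactively even
# where no system config is installed. Constructed for this example.
REQ_CNF = """[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
"""

# Leaf-certificate extensions. The serverAuth / clientAuth split is what
# the OpenVPN client directive `remote-cert-tls server` checks, so a stolen
# client cert cannot be used to impersonate the server.
LEAF_EXT = {
    "server": "basicConstraints=CA:FALSE\n"
              "keyUsage=digitalSignature,keyEncipherment\n"
              "extendedKeyUsage=serverAuth\n",
    "client": "basicConstraints=CA:FALSE\n"
              "keyUsage=digitalSignature\n"
              "extendedKeyUsage=clientAuth\n",
}


def _openssl(pki_dir, *args):
    """Run one openssl command inside pki_dir; raise on failure."""
    subprocess.run(["openssl", *args], cwd=pki_dir, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def issue(pki_dir, name, kind):
    """Key + CSR for `name`, signed by ca.key with the `kind` extensions."""
    _openssl(pki_dir, "req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-config", "req.cnf", "-subj", f"/CN={name}",
             "-keyout", f"{name}.key", "-out", f"{name}.csr")
    _openssl(pki_dir, "x509", "-req", "-days", "825", "-in", f"{name}.csr",
             "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
             "-extfile", f"{kind}.ext", "-out", f"{name}.crt")


def build_pki(pki_dir, clients=("client1",)):
    """Create ca.crt/ca.key, server.crt/.key and one cert+key per client."""
    os.makedirs(pki_dir, exist_ok=True)
    with open(os.path.join(pki_dir, "req.cnf"), "w") as f:
        f.write(REQ_CNF)
    for kind, text in LEAF_EXT.items():
        with open(os.path.join(pki_dir, f"{kind}.ext"), "w") as f:
            f.write(text)
    # Self-signed CA (easy-rsa: build-ca). ca.key never goes on the router.
    _openssl(pki_dir, "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-days", "3650", "-config", "req.cnf", "-extensions", "v3_ca",
             "-subj", "/CN=Office-VPN-CA", "-keyout", "ca.key", "-out", "ca.crt")
    issue(pki_dir, "server", "server")       # easy-rsa: build-server-full
    for client in clients:
        issue(pki_dir, client, "client")     # easy-rsa: build-client-full
    return sorted(f for f in os.listdir(pki_dir) if f.endswith(".crt"))


def verifies_as(pki_dir, name, purpose):
    """True if name.crt chains to ca.crt AND is valid for `purpose`
    ('sslserver' or 'sslclient'), i.e. its extendedKeyUsage allows it."""
    r = subprocess.run(["openssl", "verify", "-purpose", purpose,
                        "-CAfile", "ca.crt", f"{name}.crt"],
                       cwd=pki_dir, capture_output=True, text=True)
    return r.returncode == 0


def demo(pki_dir=None):
    """Build a PKI in a scratch directory and report which certificate
    passes which purpose check."""
    pki_dir = pki_dir or tempfile.mkdtemp(prefix="ovpn-pki-")
    certs = build_pki(pki_dir, clients=("client1", "client2"))
    return {
        "certs": certs,
        "server_as_server": verifies_as(pki_dir, "server", "sslserver"),
        "server_as_client": verifies_as(pki_dir, "server", "sslclient"),
        "client1_as_client": verifies_as(pki_dir, "client1", "sslclient"),
        "client1_as_server": verifies_as(pki_dir, "client1", "sslserver"),
    }


if __name__ == "__main__":
    print(demo())
```

The router gets ca.crt, server.crt and server.key; each client gets ca.crt plus its own client cert and key, and its config should carry `remote-cert-tls server`. An OpenVPN 2.x server also needs Diffie-Hellman parameters (`openssl dhparam -out dh2048.pem 2048`, slow, so not run above), which Tomato's VPN server page has a field for.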


aguen

What version of Tomato VPN are you using?



Rexter

TomatoUSB 2.6

Please keep in mind that where I'm stuck is on the certificate creation within OpenVPN. I haven't even got to configuring the Tomato VPN server yet. I see a readme in the easy-rsa files I downloaded from GitHub. It provided some info I was missing, so I have some new things I'm about to try. A complete tutorial that did some hand holding would still be greatly appreciated though.


aguen
reply to Rexter

I can't find anything current for 2.6 other than some issue with using it on a wrt54x router. The tomatousb website is totally useless as well. I did find a tutorial on major geeks site but it is not for the most current version of openvpn but may still be useful.

»www.howtogeek.com/60774/connect-···-tomato/

Good Luck.

I have no compatible router to play with, so I can't help much beyond this.



Rexter
reply to Rexter

Ok, it looks like I've connected.

Fri Feb 08 17:39:49 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri Feb 08 17:39:49 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Feb 08 17:39:49 2013 UDPv4 link local: [undef]
Fri Feb 08 17:39:49 2013 UDPv4 link remote: XXX.XXX.33.1:1194
Fri Feb 08 17:40:05 2013 [changeme] Peer Connection Initiated with XXX.XXX.33.1:1194
Fri Feb 08 17:40:08 2013 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{ABA557F9-35AD-4CA7-A52F-2241E04FF9B4}.tap
Fri Feb 08 17:40:08 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.2.150/255.255.255.0 on interface {ABA557F9-35AD-4CA7-A52F-2241E04FF9B4} [DHCP-serv: 192.168.2.0, lease-time: 31536000]
Fri Feb 08 17:40:08 2013 Successful ARP Flush on interface [35] {ABA557F9-35AD-4CA7-A52F-2241E04FF9B4}
Fri Feb 08 17:40:13 2013 Initialization Sequence Completed
However, I cannot access any of the resources on the 192.168.2.x network. For example, I cannot ping the router at 192.168.2.1. I'm not sure traffic is being routed through the VPN. I can still access the Internet. In fact, I am making this post while I am supposedly connected.

aguen
reply to Rexter

So..... You have established a VPN connection between your local PC and the VPN server running on your router, correct? Are you just testing the setup or is this what you intended all along?



Rexter
reply to Rexter

I just ran a speed test while connected, and while monitoring the bandwidth on the Tomato router. I saw no increase in usage during the test, so I know traffic is not being routed through the VPN.



Rexter
reply to aguen

I am just testing right now. This computer, that I am working from, won't be one of the clients in the end. I figured that if I can get this one working I'll be able to set the other ones up pretty easily once I have it figured out.


HarryH3
reply to Rexter

said by Rexter:

I just ran a speed test while connected, and while monitoring the bandwidth on the Tomato router. I saw no increase in usage during the test, so I know traffic is not being routed through the VPN.

If you are using split tunneling, then this behavior is to be expected. The ONLY traffic that should traverse the VPN with split tunneling is traffic to/from the specific IP range of the VPN. All other traffic will go via your standard route.


Rexter

Ok, that would be nice, but no traffic is going to the VPN, at all. I cannot ping or access anything on the host network. VPN client shows connected, and ipconfig shows the network has the right IP address, and subnet, but no default gateway.



Rexter

Using this guide:
»todayguesswhat.blogspot.com/2011···ing.html

I was able to get it talking to the host resources. I am now able to access shares on the server. I do see that Internet traffic is not going across the VPN.

route print shows that my local gateway has a lower metric/higher priority than the gateway on the host network. For the sake of privacy and security, I'd like to send all Internet traffic over the VPN whenever connected. I don't see any such option.


aguen
reply to Rexter

Where is the "server" physically located?

Where is the VPN endpoint located?



Rexter

The server is a W2k3 domain controller at the office. The endpoint is the Tomato router at the office.



SoonerAl

said by Rexter:

The server is a W2k3 domain controller at the office. The endpoint is the Tomato router at the office.

Back in the past when I ran an OpenVPN server I included this statement in the server config file that forced all client traffic through the VPN tunnel.

»openvpn.net/index.php/open-sourc···redirect

If I remember correctly I made the change to the config file then either stopped and restarted the service or rebooted the server machine which in my case was running XP or Vista.

HarryH3
reply to Rexter

Keep in mind that if you route all traffic through the VPN that the download speed of the client is now limited to the upload speed at the other end of the tunnel.



Rexter

I do realize that. My office has a 40/5 Mbps connection. It's fine for most things.



Rexter
reply to SoonerAl

I have a network printer at home, so I do want local traffic to stay local. Won't I need an exception for my local subnet?



Rexter
reply to SoonerAl

I tried putting that in the config file, but it didn't make any difference. Internet traffic is not being sent over the VPN.


cptmikey


I've spent the last year building and administering portdefender.net so I've been through most of your problems. Let's have a look at how OpenVPN works ...

First when configured correctly openvpn will set a new default route for internet traffic. For you this would be something like 0.0.0.0 mask 128.0.0.0 x.x.x.x (your openvpn server ip). This routes all Internet traffic through your openvpn server. You need to add "push redirect-gateway def1" to your server config file. If you look at your client machine "route print" command you should see the new default route. Your local network traffic, PC to PC and PC to printer, etc does not go through the VPN and you will see routes for your local network. Once you have that working you have to setup routing on your server.

I use linux and iptables to bridge the vpn to the Internet. I don't know how you would do it on windows. Maybe using M$ "bridging" in the "network" setup section.

Finally you need DNS to find websites. Again I use linux and named so it's easy but on windows I don't know. Perhaps someone else can tell you how to setup a DNS server on windows.

If all of that is setup correctly you should be able to connect and ping the openvpn private network address and access any service you have setup at your office, web, samba, printing etc.

If you execute a "tracert x.x.x.x (the openvpn server address) it should show just one hop bypassing the usual internet gateways and router.

I hope this helps you.
Mike
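The route change described above, as an added example that is not part of the original post and not OpenVPN's own code: a small longest-prefix-match table in the spirit of `route print`, first in the split-tunnel state the thread reached (only the office /24 through the TAP adapter, no default gateway on it), then after `push "redirect-gateway def1"`. All addresses are constructed: home LAN 192.168.1.0/24 behind 192.168.1.1, office LAN 192.168.2.0/24 with router 192.168.2.1 as the pushed route-gateway, and 203.0.113.1 standing in for the router's public address. It also answers the local-printer question: def1 adds two /1 routes rather than replacing the /0 default, so the directly connected home /24 is more specific and still wins without any exception, while the /32 host route keeps the encrypted packets themselves going out via the ISP.

```python
import ipaddress


class RouteTable:
    """Tiny IPv4 routing table: longest matching prefix wins, metric only
    breaks ties between equally specific routes (same rule Windows uses)."""

    def __init__(self):
        self.routes = []  # (network, gateway or interface label, metric)

    def add(self, prefix, via, metric=0):
        self.routes.append((ipaddress.ip_network(prefix), via, metric))

    def lookup(self, dst):
        d = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if d in r[0]]
        if not matches:
            return None
        _net, via, _metric = max(matches,
                                 key=lambda r: (r[0].prefixlen, -r[2]))
        return via


# Constructed addresses for the example (not from the thread).
HOME_GW = "192.168.1.1"       # ISP router at home
OFFICE_GW = "192.168.2.1"     # Tomato router, pushed as route-gateway (TAP)
VPN_SERVER = "203.0.113.1"    # public address the client connects to


def split_tunnel_table():
    """Client table after 'Initialization Sequence Completed' with no
    redirect-gateway: Internet stays on the ISP, office /24 uses the tap."""
    t = RouteTable()
    t.add("0.0.0.0/0", HOME_GW, metric=25)             # ISP default route
    t.add("192.168.1.0/24", "on-link (home LAN)")      # printer lives here
    t.add("192.168.2.0/24", "on-link (tap)")           # office LAN via tunnel
    return t


def apply_redirect_gateway_def1(t):
    """Routes the OpenVPN client adds when the server pushes
    'redirect-gateway def1'."""
    # 1. Host route: packets *to* the VPN server must still leave via the
    #    ISP, otherwise the tunnel would try to route itself through itself.
    t.add(f"{VPN_SERVER}/32", HOME_GW)
    # 2. Two /1 routes cover all of IPv4 and beat the existing /0 default
    #    without deleting it; that is what 'def1' means.
    t.add("0.0.0.0/1", OFFICE_GW)
    t.add("128.0.0.0/1", OFFICE_GW)
    return t


def where_does_it_go(t, dsts=("8.8.8.8", "192.168.2.10",
                              "192.168.1.50", VPN_SERVER)):
    """Map a few destinations (Internet, office server, home printer,
    VPN server) to the next hop the table picks."""
    return {d: t.lookup(d) for d in dsts}


if __name__ == "__main__":
    table = split_tunnel_table()
    print("split tunnel:     ", where_does_it_go(table))
    print("redirect-gw def1: ", where_does_it_go(apply_redirect_gateway_def1(table)))
```

Routing is only half of it, as the post says: with the /1 routes in place the office router still has to forward and NAT the tunnel traffic, and the client needs a DNS server reachable over the tunnel (OpenVPN can push one with `push "dhcp-option DNS <address>"`), otherwise name lookups keep going to the home ISP or fail.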



Rexter

Boy, I didn't realise what a complicated mess OpenVPN is when I decided to do this project. I'm gonna skip this part for now. I have access to the host resources, and that was the most important part. Routing all Internet traffic through it was just a side benefit that I thought would happen automatically. In many circumstances not routing all traffic through the VPN is better anyway. I am going to want to figure that out for future reference though, but for now I have more pressing matters.

The issue I have now is that the users don't have administrator access to the machines that they will be using. If I have it run as a service, will the users be able to use the GUI to connect and disconnect?