Baraka 32 Posted ...

After writing the config guide for Tomato way back, I didn't have any problems afterwards. And judging from the comments here, I think most people using Tomato were able to get up and running in no time.

Fast forward to a couple of months ago. I upgraded my Asus RT-N16 router to its more powerful cousin, the RT-N66U. Right away I began to have problems. This was due to the tiny amount of NVRAM (32 KB) that holds the router's config. Including 64 KB would ensure that no one ever had any problems. Too bad Asus skimped. No matter what I tried, I kept on running out of NVRAM. My free space was always running at or near 0.

Fast forward a little bit more to last month until Heartbleed and Air's response. The new RSA key was bigger and TLS auth was implemented, which makes use of a static key. This config change basically killed my router. The NVRAM was overflowing and wreaking havoc on my connectivity. I must've tried 50 different configs, but they all failed.

Today, I finally solved this problem with the NVRAM running out. It's this simple:

First, buy the smallest USB flash memory key you can find and copy your ca.crt, user.crt, user.key and ta.key to a directory of your choice (I created "tomato" on mine). Then remove the key and plug it into your RT-N66U. Make sure you enable USB support and refresh that section to make sure it's detected and mounted. Make note of the directory path that's shown and copy/paste it so you have it ready.

Second, in your OpenVPN Client/Keys section DON'T COPY ANYTHING IN. LEAVE THE 4 FIELDS BLANK.

[see next post-->]

Baraka 32 Posted ...

Third, under OpenVPN Client/Advanced paste the following (after resolv-retry infinite, remote-cert-tls server, and verb 3):

    ca "/path_to_your_usb_key/tomato/ca.crt"
    cert "/path_to_your_usb_key/tomato/user.crt"
    key "/path_to_your_usb_key/tomato/user.key"
    tls-auth "/path_to_your_usb_key/tomato/ta.key" 1

The "tomato" in the path is the directory I created on my USB key, but you can sub in whatever you want. Just make sure whatever you put in there is exactly what you have on your USB key.

Once you're done that you'll be able to connect immediately without any problems. You'll always have plenty of NVRAM left over and you can even fill out another config in your second VPN client section, using the same method.

What I had to go through to come up with this updated guide was pure misery. Hopefully I've saved people a lot of time and frustration by posting this.

Air Admins: please update the Tomato config guide to reflect this. Otherwise, anyone you have coming to the service with an RT-N66U is going to be screwed.

*I'm using the latest version of Toastman's Tomato, Tomato Firmware v1.28.0505 MIPSR2Toastman-RT-N K26 USB VLAN-VPN

amires 10 Posted ...

Thanks for this. Did you know that if the CFE of your RT-N66U is v1.0.1.3 then you can flash a 64k nvram build on it? To check your CFE version, enter the following command in the shell:

    cat /dev/mtd0ro | grep bl_version

If the result is 1.0.1.3 then your router is compatible with 64k nvram builds.

Xiocus 9 Posted ...

Correct me if I'm wrong please. So, if that is the path I just should type under OpenVPN Client/Advanced this:

    resolv-retry infinite
    ns-cert-type server
    comp-lzo
    verb 3
    ca "/tmp/mnt/sda/tomato/ca.crt"
    cert "/tmp/mnt/sda/tomato/user.crt"
    key "/tmp/mnt/sda/tomato/user.key"
    tls-auth "/tmp/mnt/sda/tomato/ta.key" 1

(What is that 1 there? just curiosity)

It is not working for me... So, I'm really trying to figure out why. Thanks in advance.

Edit: I'm so sorry but, it is working just fine... I made a tiny mistake when I gave a name to the folder holding the keys and certs, I called it tomoto instead of tomato.

A million thanks Baraka!

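
A pre-flight check for the kind of mistake described in the post above (a folder name that does not match the path typed into the custom config), as an added example that is not part of the original thread. The function name `check_ovpn_paths` is hypothetical; it reads a saved copy of the custom config text and verifies each file named by the `ca`, `cert`, `key` and `tls-auth` lines, assuming the paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread): check the files referenced by the
# ca/cert/key/tls-auth lines of an OpenVPN custom config.
# Assumption: paths contain no spaces, as in the configs posted above.

# check_ovpn_paths CONFIG_FILE
# Prints "ok", "MISSING", "EMPTY" or "WARN" per referenced file.
# Returns 0 when every referenced file exists and is non-empty, else 1.
check_ovpn_paths() {
    conf=$1
    rc=0
    while read -r directive path _rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|tls-auth) ;;
            *) continue ;;          # ignore every other directive
        esac
        # Drop the surrounding double quotes, if present.
        path=${path#\"}
        path=${path%\"}
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
            rc=1
            continue
        fi
        if [ ! -s "$path" ]; then
            echo "EMPTY $directive $path"
            rc=1
            continue
        fi
        echo "ok $directive $path"
        # Secret material should not be readable by "other". A FAT
        # formatted USB stick typically shows every file as world-readable,
        # so this is a warning only and does not change the return code.
        case $directive in
            key|tls-auth)
                case $(ls -ld "$path") in
                    ???????r*) echo "WARN $directive $path is world-readable" ;;
                esac ;;
        esac
    done < "$conf"
    return "$rc"
}

# Stand-alone use: sh check.sh /path/to/custom.conf
if [ "$#" -gt 0 ]; then
    check_ovpn_paths "$1"
fi
```
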
Baraka 32 Posted ...

How do you know this for sure? And how is it possible to flash your NVRAM with a build that's far larger than the allotted memory? I researched this quite a bit and Toastman himself warned very strongly against using any of the large builds of his firmware on the N66U.

Baraka 32 Posted ...

See for yourself here: http://www.linksysinfo.org/index.php?threads/toastman-rt-n-tomato-firmware-on-asus-rt-n66u-dark-knight-dual-band-wireless-n900-gigabit-router.36959/

> Please use only the version that is designed for your router, whatever the model. You can't use the 60K version on routers that do not have 60K of NVRAM. That should be rather obvious.
>
> Now, please don't try to be smart and keep asking whether this only applies to model XXX router.
>
> If your router - ANY MAKE, ANY MODEL - does not have 60K of NVRAM then you can't use the 60K version of the software, OK? It's not negotiable.
>
> You can't stick the wheel of a huge truck on your Toyota either, can you? What's the problem here?

But then there's this- http://linksysinfo.org/index.php?threads/asus-rt-n66u-low-nvram.37500/

> RT-N66U 64K Update
>
> Asus recently published code which has the mod in it, although they have not yet released firmware with this feature enabled. JYAvenard has just been experimenting with this and has just added the code to Tomato - it appears to work fine. So shortly Shibby and my builds will have it also. I did post a build (1.28.0500.3) which I have since withdrawn, as the update has broken some other features.
>
> Please note that it isn't a cfe update, and it will only work while firmware using this code is being run. It will revert to only using 32K if any other firmware is used. If you want to experiment, please back up all your settings first using the nvram export --set method here: http://www.linksysinfo.org/index.ph...orial-and-discussion.28349/page-9#post-138676
>
> There is a possibility that this method could also be used for other routers, but it would require some additional changes. At the moment only the RT-N66U has it.

Really confused now. Anyone want to be a guinea pig and test this out?

amires 10 Posted ...

Actually RT-N66U does have 64kb of NVRAM however only 32kb is usable due to the boot loader. With a later version of the bootloader (v1.0.1.3) it is possible to utilize all 64kb of NVRAM.

http://www.linksysinfo.org/index.php?threads/determining-nvram-size-on-rt-n66u.69966/

Baraka 32 Posted ...

So have you gotten one of the 64KB builds to work on your router with no additional mods? I don't have the balls to try it after the hell I went through over the past couple of months.

amires 10 Posted ...

No, I don't have this router, however I am planning to get one soon and I was researching into this nvram issue for quite a while before buying it.

Baraka 32 Posted ...

How soon? Update this thread when you have the router and have flashed it with the 64KB NVRAM version of Toastman's Tomato. If it works then I'll do the same.

agunymous 2 Posted ...

Thanks, I had the same problem with my Asus RT-N16. Since I didn't have a USB-Stick, I just enabled JFFS (Administration-->JFFS). Now I have about 20MB available at /jffs on my router for adding two folders with my certs (one folder for each client).

My custom config looks like this:

CLIENT 1:

    resolv-retry infinite
    remote-cert-tls server
    comp-lzo
    verb 3
    ca "/jffs/c1-zaurak/ca.crt"
    cert "/jffs/c1-zaurak/user.crt"
    key "/jffs/c1-zaurak/user.key"
    tls-auth "/jffs/c1-zaurak/ta.key" 1

CLIENT 2:

    resolv-retry infinite
    remote-cert-tls server
    comp-lzo
    verb 3
    ca "/jffs/c2-phoenicis/ca.crt"
    cert "/jffs/c2-phoenicis/user.crt"
    key "/jffs/c2-phoenicis/user.key"
    tls-auth "/jffs/c2-phoenicis/ta.key" 1

Thanks again, I don't have any problems with my NVRAM anymore!

Best wishes,
agunymous

agunymous 2 Posted ...

By the way, if anyone is wondering how to copy a folder from your local computer to the folder /jffs on your router:

First enable SSH on your router (with Shibby, it's already enabled by default). Then just use the Terminal:

    scp -r c1-zaurak root@192.168.1.1:/jffs

"c1-zaurak" --> replace with name of your folder containing the certificates
"192.168.1.1" --> replace with IP of your router

When asked for a password, just enter your router password.

On Windows, you could also use WinSCP if you want a GUI. SFTP clients won't work though.

agunymous 2 Posted ...

> tls-auth "/tmp/mnt/sda/tomato/ta.key" 1 (What is that 1 there? just curiosity)

I just checked... you use a "0" on the server and "1" on the client. So "1" is just fine. :-)

Xiocus 9 Posted ...

Thanks agunymous. I'm more curious than a cat... But, that keeps me busy.

sandrovaldavid 1 Posted ...

Hmm. Anyone tried something like this on an RT-N16 router? Mine crashes using DDWRT and the new keys.

SlyFox 10 Posted ...

Baraka, I just bought this router, the N66U. I used to run Toastman on my RT-N16. I also upgraded. I flashed Toastman tomato-K26-NVRAM64K-1.28.0506.3MIPSR2Toastman-RT-N-VPN and it works perfect. So 64k nvram no problem. I don't use USB but I assume the USB version of 64k works just the same.

blacclizzard 0 Posted ...

Thanks, this helped me a lot. Couldn't find this info anywhere else on the web. Great work!