Baraka

AirVPN Tomato configuration step-by-step guide


Fantastic guide. I just bought this router and hope to set it up this weekend following your instructions. I do have one question if anyone knows: can the network be setup so that all the wireless clients connected are on the vpn but the wired computer isn't part of the vpn on the router?


Thanks for the guide, Baraka. 

 

I just installed and configured tomato-K26USB-1.28.7503.5MIPSR2Toastman-RT-VLAN-VPN on my Belkin Share Max N300.  Working great!


I'm contemplating configuring my Shibby Tomato router with OpenVPN/AirVPN, but I have a question.

 

Is there a way to select the IP addresses which I want to always use the VPN and those which should never use the VPN?  For example, we have a PS3 that I would like NOT to use the VPN since gaming requires fast ping times.  We also have a VoIP phone and I would like it to bypass the VPN as well (regardless of what I've read about it SHOULD be on a VPN).

 

Is there way via firewall rules to do this?  If so, any assistance?


After the major system upgrade that took place during Sunday, 13 April 2014, we need to set Extra HMAC authorization (tls-auth) to outgoing...

 


 

...And add the 2048 bit OpenVPN static key that we find at the end of the file we get from the OpenVPN Configuration Generator.

 


 

Edit:

 

I'm so sorry last night I left some details out, I was so tired and I just wanted to hit the sack but, I couldn't do it knowing that there will be users having issues to get the system up and running.

 

You also need to copy&paste the rest of the keys as pointed in the original post from AirVPN https://airvpn.org/topic/11319-major-system-upgrade-completed/?hl=tomato

 

 

  • in Tomato, DD-WRT, pfSense, Fritz!Box etc., the client certificate, the server certificate, the client key and the TLS key must be pasted again (after they have been generated and downloaded from the Configuration Generator as usual) in the appropriate fields of your configuration


After major system upgrade that took place during Sunday, 13 April 2014, we need to set Extra HMAC authorization (tls-auth) to outgoing...

 

 

 

...And add the 2048 bit OpenVPN static key that we find at the end of the file we get from the OpenVPN Configuration Generator.

Many thanks Xiocus. I was having difficulty connecting my Asus N66U with Asuswrt-Merlin firmware 374.40 since the system upgrade (see other thread in Troubleshooting), and your additional settings did it for me. All is now good in the world! (I wish!)

 

Gotta love Air for all their hard work!

 

Thanks again,

 

Laurelli



<my rant>Privacy is a right and expectation that the citizens of the world once enjoyed, but took for granted, and have lost. Today we are made to believe that we only need privacy if we are doing something wrong. I do not believe this lie. Today we are told by our governments that we can have no expectations of privacy, for our own "safety" and for "the greater good" of society. Personally, I don't need a big brother to protect me, and I will NEVER choose to surrender my rights and my liberties for so-called safety and security from a boogie man. I will continue to use services, such as AirVpn, in order to exercise my right and expectation of privacy. Would that the sheep would learn.</end rant>

 


The new changes have been complete hell for me. I've tried about 20 different configurations and my connection is dead every time I try going through the VPN. That means all packets are dying beyond the first hop, which is my router. And I wrote the damned guide!

 

Air did NOT think this through nearly well enough before going through with these major changes. If I'm being screwed right now with no connectivity there must be many, many more who are in the same boat.

 

Here is my latest connect log of failure:

 

Apr 14 02:38:07 asus user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Apr 14 02:38:07 asus daemon.info dnsmasq-dhcp[614]: DHCPINFORM(br0) 10.100.100.22 08:2e:5f:71:61:21
Apr 14 02:38:07 asus daemon.info dnsmasq-dhcp[614]: DHCPACK(br0) 10.100.100.22 08:2e:5f:71:61:21 Terrian
Apr 14 02:38:07 asus daemon.notice openvpn[1226]: OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2014
Apr 14 02:38:07 asus daemon.warn openvpn[1226]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 14 02:38:07 asus daemon.notice openvpn[1226]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Apr 14 02:38:07 asus daemon.notice openvpn[1226]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 02:38:07 asus daemon.notice openvpn[1226]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 02:38:08 asus daemon.notice openvpn[1226]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Apr 14 02:38:08 asus daemon.notice openvpn[1234]: UDPv4 link local: [undef]
Apr 14 02:38:08 asus daemon.notice openvpn[1234]: UDPv4 link remote: [AF_INET]184.75.221.4:80
Apr 14 02:38:08 asus daemon.notice openvpn[1234]: TLS: Initial packet from [AF_INET]184.75.221.4:80, sid=450b4cca c0c0d25e
Apr 14 02:38:08 asus daemon.notice openvpn[1234]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Apr 14 02:38:08 asus daemon.notice openvpn[1234]: VERIFY OK: nsCertType=SERVER
Apr 14 02:38:08 asus daemon.notice openvpn[1234]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: OpenVPN STATISTICS
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: Updated,Mon Apr 14 02:38:14 2014
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: TUN/TAP read bytes,0
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: TUN/TAP write bytes,0
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: TCP/UDP read bytes,5079
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: TCP/UDP write bytes,1989
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: Auth read bytes,0
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: pre-compress bytes,0
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: post-compress bytes,0
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: pre-decompress bytes,0
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: post-decompress bytes,0
Apr 14 02:38:14 asus daemon.notice openvpn[1234]: END
Apr 14 02:38:19 asus daemon.notice openvpn[1234]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 14 02:38:19 asus daemon.notice openvpn[1234]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 02:38:19 asus daemon.notice openvpn[1234]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 14 02:38:19 asus daemon.notice openvpn[1234]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 14 02:38:19 asus daemon.notice openvpn[1234]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Apr 14 02:38:19 asus daemon.notice openvpn[1234]: [server] Peer Connection Initiated with [AF_INET]184.75.221.4:80
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.6.0.1,comp-lzo no,route 10.6.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.6.0.10 10.6.0.9'
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: OPTIONS IMPORT: LZO parms modified
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: OPTIONS IMPORT: route options modified
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: TUN/TAP device tun11 opened
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: TUN/TAP TX queue length set to 100
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: /sbin/ifconfig tun11 10.6.0.10 pointopoint 10.6.0.9 mtu 1500
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: updown.sh tun11 1500 1558 10.6.0.10 10.6.0.9 init
Apr 14 02:38:22 asus daemon.info dnsmasq[614]: exiting on receipt of SIGTERM
Apr 14 02:38:22 asus user.debug init[1]: 182: pptp peerdns disabled
Apr 14 02:38:22 asus daemon.info dnsmasq[1281]: started, version 2.69pre-test4-140124 cachesize 1500
Apr 14 02:38:22 asus daemon.info dnsmasq[1281]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth no-DNSSEC
Apr 14 02:38:22 asus daemon.info dnsmasq[1281]: asynchronous logging enabled, queue limit is 5 messages
Apr 14 02:38:22 asus daemon.info dnsmasq-dhcp[1281]: DHCP, IP range 10.100.100.2 -- 10.100.100.62, lease time 1d
Apr 14 02:38:22 asus daemon.info dnsmasq[1281]: reading /etc/resolv.dnsmasq
Apr 14 02:38:22 asus daemon.info dnsmasq[1281]: using nameserver 10.6.0.1#53
Apr 14 02:38:22 asus daemon.info dnsmasq[1281]: read /etc/hosts - 2 addresses
Apr 14 02:38:22 asus daemon.info dnsmasq[1281]: read /etc/dnsmasq/hosts/hosts - 22 addresses
Apr 14 02:38:22 asus daemon.info dnsmasq-dhcp[1281]: read /etc/dnsmasq/dhcp/dhcp-hosts
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: /sbin/route add -net 184.75.221.4 netmask 255.255.255.255 gw *REDACTED*
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.6.0.9
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.6.0.9
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: /sbin/route add -net 10.6.0.1 netmask 255.255.255.255 gw 10.6.0.9
Apr 14 02:38:22 asus daemon.notice openvpn[1234]: Initialization Sequence Completed


No I haven't. Any admins out there who can look over my log and figure this out? I've tried EVERYTHING. About 20 different configs. Everything fails. This is a very serious problem.


 

After the major system upgrade that took place during Sunday, 13 April 2014, we need to set Extra HMAC authorization (tls-auth) to outgoing... And add the 2048 bit OpenVPN static key that we find at the end of the file we get from the OpenVPN Configuration Generator.

Worked like a charm. Thanks!


After spending another 6 hellish hours trying to solve this problem, I finally have. I don't know what the problem was, but after upgrading Tomato from tomato-K26USB-1.28.0503.6MIPSR2Toastman-RT-N-VLAN-VPN to tomato-K26-1.28.0504MIPSR2Toastman-RT-N-VPN I was able to connect. The only different settings I used were the two here (outgoing extra HMAC/tls-auth with the static key) and only 3 options in the custom config window (resolv-retry infinite, remote-cert-tls server and verb 3). I tried playing around with the compression setting because Air's admins have posted that compression has been disabled with the update. That said, the "adaptive" setting works just fine.

 

The only problem left is that my NVRAM is completely maxed out. That's a really big problem I've been having with the RT-N66U. Never any of that with the older and slower N16. If anyone can figure that out, please let me know right away.

 

So to recap if you're having really bad problems like I was:

 

-upgrade your Tomato firmware to the latest, unbloated, vanilla version which can do VPN

-follow the instructions here and enable "outgoing (1) extra HMAC/tls-auth", then cut and paste in the new static key

-also cut and paste in the new certificate authority, client certificate and client (RSA private) key

-you only need to type in 3 options in your custom config window under Advanced: resolv-retry infinite, remote-cert-tls server and verb 3

 

Other than that, the settings should be the same as before.

 

Air staff: I know this was the single worst bug discovered in the history of the internet. But this upgrade should've taken longer to complete (another couple of days would've made a huge difference) and there should've been some beta testing of the new system as far as other setups are concerned. Like Tomato. Or DD-WRT.
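To make logs like the one above (and the warnings quoted further down the thread) easier to read, here is an added example of my own, not code from the guide, AirVPN or the Tomato project: it re-splits a log that the forum has glued into one line, keeps only the openvpn records, and maps the messages this thread ran into (the TLS timeout when extra HMAC is off, the cipher/keysize mismatch warnings, "Initialization Sequence Completed") to the Tomato setting in the recap above that cleared each one. It also pulls the pushed DNS server out of PUSH_REPLY, which is what you put in the router's DNS field when "Accept DNS configuration" is left disabled. Both sample logs are constructed from messages quoted in the thread (PIDs and times are made up), and the fix text is my summary of the recap, not an OpenVPN message.

```python
"""Triage an OpenVPN client log as Tomato/Asuswrt write it to syslog and map the
symptoms seen in this thread to the GUI setting that cleared them.
Added example, not from the guide, AirVPN or Tomato; sample logs are constructed
from messages quoted in the thread (PIDs and times made up)."""
import re

# "Apr 14 02:38:08 asus daemon.notice openvpn[1234]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<facility>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Forum pastes glue the log into one line; split before each record header. Requiring
# "host facility proc[pid]:" after the time keeps "Updated,Mon Apr 14 ..." intact.
HEADER_AHEAD = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+ [\w.-]+\[\d+\]: )")

# (symptom, pattern, fix); {local}/{remote} come from the pattern's named groups.
RULES = (
    ("tls-timeout", re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "Handshake never completes because the server drops control packets without the "
     "right HMAC: set Extra HMAC authorization to Outgoing (1) and paste the static key."),
    ("cipher-mismatch", re.compile(r"WARNING: 'cipher' is used inconsistently, "
                                   r"local='cipher (?P<local>[\w-]+)', remote='cipher (?P<remote>[\w-]+)'"),
     "Set Encryption cipher to {remote}; the local default {local} does not match the server."),
    ("keysize-mismatch", re.compile(r"WARNING: 'keysize' is used inconsistently, "
                                    r"local='keysize (?P<local>\d+)', remote='keysize (?P<remote>\d+)'"),
     "Follows from the cipher mismatch ({local} vs {remote} bit); the cipher setting fixes both."),
    ("hmac-fail", re.compile(r"packet HMAC authentication failed"),
     "Data channel rejects packets: static key, its direction (1) or cipher is wrong; re-paste them."),
    ("connected", re.compile(r"Initialization Sequence Completed"),
     "Tunnel is up; if there is still no traffic, look at pushed routes and DNS, not the keys."),
)


def split_log(text):
    """One string per syslog record, even if the input arrived as a single glued line."""
    return [line.strip() for line in HEADER_AHEAD.split(text) if line.strip()]


def parse_log(text, proc="openvpn"):
    """Parsed records from `proc` only; dnsmasq, init and kernel lines are dropped."""
    records = []
    for line in split_log(text):
        m = SYSLOG_RE.match(line)
        if m and m["proc"] == proc:
            records.append(m.groupdict())
    return records


def triage(text):
    """Findings in log order: [{'symptom', 'evidence', 'fix'}, ...]."""
    findings = []
    for rec in parse_log(text):
        for symptom, pattern, fix in RULES:
            m = pattern.search(rec["msg"])
            if m:
                findings.append({"symptom": symptom, "evidence": rec["msg"],
                                 "fix": fix.format(**m.groupdict())})
    return findings


def pushed_options(text):
    """Options the server sent in PUSH_REPLY, e.g. 'dhcp-option DNS 10.6.0.1'."""
    for rec in parse_log(text):
        m = re.search(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'", rec["msg"])
        if m:
            return m.group(1).split(",")
    return []


def pushed_dns(text):
    """DNS servers pushed by the VPN (router DNS field when Accept DNS config is off)."""
    return [opt.split()[-1] for opt in pushed_options(text) if opt.startswith("dhcp-option DNS ")]


# Constructed: the "connected but no traffic" case, with the cipher warnings spliced in.
SAMPLE_LOG = "\n".join([
    "Apr 14 02:38:07 asus daemon.notice openvpn[1226]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file",
    "Apr 14 02:38:08 asus daemon.notice openvpn[1234]: UDPv4 link remote: [AF_INET]184.75.221.4:80",
    "Apr 14 02:38:19 asus daemon.notice openvpn[1234]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'",
    "Apr 14 02:38:19 asus daemon.notice openvpn[1234]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'",
    "Apr 14 02:38:22 asus daemon.notice openvpn[1234]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.6.0.1,comp-lzo no,route 10.6.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.6.0.10 10.6.0.9'",
    "Apr 14 02:38:22 asus daemon.info dnsmasq[1281]: using nameserver 10.6.0.1#53",
    "Apr 14 02:38:22 asus daemon.notice openvpn[1234]: Initialization Sequence Completed",
])
# Constructed: extra HMAC left off, pasted as one glued line the way the forum renders it.
SAMPLE_GLUED = (
    "Apr 14 03:10:01 asus daemon.notice openvpn[1300]: UDPv4 link remote: [AF_INET]184.75.221.4:443"
    "Apr 14 03:11:01 asus daemon.err openvpn[1300]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"
    "Apr 14 03:11:01 asus daemon.err openvpn[1300]: TLS Error: TLS handshake failed"
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f['symptom']}] {f['evidence']}\n    -> {f['fix']}")
    print("pushed DNS:", pushed_dns(text))
```

Run it with a saved copy of the router's log as the argument (Status > Logs in Tomato, or `logread` over ssh); with no argument it triages the constructed sample. Anything it does not recognise is simply not reported, so an empty result with no "connected" finding means the problem is earlier than the handshake, usually the server address, port or protocol.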


For those using Tomato by Shibby, he has just released the Tomato v117 security update, so it is time to upgrade your firmware and change some passwords just in case.

 

@Baraka: Glad to read that you fixed your issues with the upgrade.

 

Now, if you have some free time, you could update the guide to avoid confusion for new users. That would be highly appreciated, and thanks again for your guide!!


@Baraka

The only problem left is that my NVRAM is completely maxed out. That's a really big problem I've been having with the RT-N66U.

 

As you have a USB router, you may copy the ca.crt, user.crt and user.key to your USB drive instead of pasting them into the key section. This saves a lot of NVRAM.

Then add links to your keys in the "advanced - custom configuration" section as follows:

ca /path/to/your/ca.crt
cert /path/to/your/user.crt
key /path/to/your/user.key

 

I did not figure out how to link the static key (ta.key) so I pasted in the key section.

Do you have to upgrade Tomato first?

Not necessarily. I am still running Tomato 1.28 v111, and on v111 OpenSSL version 0.9.7m is the default, which is not affected by Heartbleed. VPN is running with the settings discussed by apilbeam and you, Baraka > thanks for your input!


I did not figure out how to link the static key (ta.key) so I pasted in the key section.

 

I did. Please see my new thread, Big problem solved with Asus RT-N66U on Tomato


I have set this up on an RT-AC66U running Merlin's latest firmware. Connection is fine but speed is limited. I have an 80/30 connection and I am only seeing 10/10. What could be the problem?


I'm surprised no one answered this one.

 

The problem is with the router's CPU. Depending on what Asus hardware you're running, you'll get between 6 and 10 Mbps with an encrypted VPN tunnel. No more. The only way to get past that limitation is to setup a late model box, i3 minimum (preferably an i5 or i7), and then run it as a Linux router. That's definitely worth it if you need the full speed of your connection.


Sorry for this post, I actually did overlook something.  I was working under SERVER instead of CLIENT settings.  The RT-AC66U has by default a VPN Server.


Works well on an RT-N66U running the latest Tomato by Shibby. The RT-N66U has an in-tunnel bandwidth limitation of around 10-11 Mbit, which is not so bad compared to my connection limits of 15/10.

 

Setup wasn't too complicated; the only unclear part, which maybe should be part of this tutorial, is how to forward ports to your internal network,

 

as described here:

https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables

 

 

Speed test is looking fine, but after a couple of days of using it completely, it seems to me that stability is not that great. It is quite annoying when it comes to streaming or just browsing the web (when you have to re-click links or reload pages). I'll test different Air servers to see if I can find a more stable one.


I think this guide is outdated.  

 

This does not work for me.  I am using Shibby v131 and cannot successfully surf pages when Shibby is using OPENVPN.  I have followed the guide and have even been contacting support for the past 2 weeks.  

 

Has anyone been successful with getting OPENVPN to run on Tomato Shibby v131?  


I think this guide is outdated.  

 

This does not work for me.  I am using Shibby v131 and cannot successfully surf pages when Shibby is using OPENVPN.  I have followed the guide and have even been contacting support for the past 2 weeks.  

 

Has anyone been successful with getting OPENVPN to run on Tomato Shibby v131?  

 

 

I have it successfully running on 1.28 (AIO). There are a few changes since then that relate to OpenVPN:

 

  • OpenVPN: Routing policy integration and GUI
  • GUI: OpenVPN – add „Ignore Redirect Gateway (route-nopull)”
  • OpenSSL: update to 1.0.2c
  • OpenVPN: update to 2.3.7

Especially the first one is interesting to me - could you post a screenshot of that? (perhaps PM it to me as to not pollute the thread further) if it looks like it might work I may just update my router to 1.31 and see if I can get it to work


I think this guide is outdated.  

 

This does not work for me.  I am using Shibby v131 and cannot successfully surf pages when Shibby is using OPENVPN.  I have followed the guide and have even been contacting support for the past 2 weeks.  

 

Has anyone been successful with getting OPENVPN to run on Tomato Shibby v131?  

I am using the latest shibby 131 on an Asus 56u and all is working wonderful. I followed this guide a year ago I am not sure if anything has changed. Have you double checked all settings are ticked just as they should be? Also check your dns page on your router I would recommend using 10.4.0.1 as primary and the Google 8.8.8.8 as secondary.


ok - I have just got this set up on an AC-66U with Tomato Firmware 1.28.0000 MIPSR2-131 K26AC USB AIO-64K

 

I started with this guide - https://airvpn.org/tomato/ - and I agree it needs updating

 

my settings for now

 

Basic Tab

 

interface type - TUN
Protocol - UDP
server address port - gb.vpn.airdns.org 443 (I wish to watch the rugby on ITV for now so I used a GB server)
firewall - Automatic
Authorisation mode - TLS
user/pass - not selected
extra HMAC authorisation - outgoing (1)
create NAT on tunnel - selected

Advanced Tab

Poll interval - 0
redirect internet traffic - not selected
ignore redirect gateway - not selected
accept DNS config - disabled
encryption cipher - AES-256-CBC
compression - Adaptive
TLS regen time - -1
connection retry - 30
Verify server cert - not selected

custom config:
resolv-retry infinite
remote-cert-tls server
comp-lzo
verb 3

Keys - you will get them from your generated .ovpn file when you open it in a text editor

this setup got it working - I have a UK address according to IPleak

the 2 main things that were missing from the tomatoVPN howto were

Extra HMAC authorisation, which then gave you a box in your keys tab to put the static key - the error in the logs was TLS timeout

Encryption cipher - AES-256-CBC - the error in the logs was

WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
 
as I play with this more I will post my findings
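A worked version of two notes in this thread, "the keys come from the generated .ovpn opened in a text editor" and "put the keys on USB instead of NVRAM and reference them from the custom configuration", added here as an example of my own rather than code from the guide, AirVPN or the Tomato project. It parses the .ovpn, checks that the <tls-auth> block is a 2048-bit static key with key-direction 1 (Tomato's "Outgoing (1)"), reads the cipher you must set in the GUI so you do not get the BF-CBC/AES-256-CBC warning above, writes the four files owner-readable only, and prints the custom-configuration lines that reference them. The .ovpn it ships with is constructed (dummy certificate bodies, deterministic hex for the static key) and /mnt/usb/airvpn is an assumed mount point. The `tls-auth <path> 1` line is the plain OpenVPN directive for loading the static key from a file, the piece the earlier NVRAM post could not place; if you use it, leave Extra HMAC authorization disabled in the GUI so Tomato does not also write its own static.key plus tls-auth line (the log above shows it doing exactly that), and read the generated client config on the router before trusting it.

```python
"""Pull the inline key material out of an AirVPN-style .ovpn, sanity-check it,
and produce the files plus the Tomato "custom configuration" lines that
reference them from USB instead of NVRAM.

Added example: not from the guide, AirVPN or the Tomato project. The .ovpn
below is constructed (dummy certificate bodies, a deterministic 2048-bit hex
static key); the USB mount point /mnt/usb/airvpn is an assumption.
"""
import re
from pathlib import Path

# Inline block tag -> file name written to USB and referenced from the custom config.
INLINE_TAGS = {"ca": "ca.crt", "cert": "user.crt", "key": "user.key", "tls-auth": "ta.key"}
# Directives Tomato has no GUI field for; the thread found exactly these were needed.
PASSTHROUGH = ("resolv-retry", "remote-cert-tls", "verb")

BLOCK_RE = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def parse_ovpn(text):
    """Split an .ovpn into {directive: value} and {tag: inline block body}."""
    blocks = {m["tag"]: m["body"].strip() + "\n" for m in BLOCK_RE.finditer(text)}
    directives = {}
    for raw in BLOCK_RE.sub("", text).splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    return directives, blocks


def static_key_bits(block):
    """Size of an 'OpenVPN Static key V1' block: 512 hex chars -> 2048 bits."""
    hexdigits = "".join(l.strip() for l in block.splitlines()
                        if not l.startswith(("-----", "#")))
    if not re.fullmatch(r"[0-9a-fA-F]+", hexdigits):
        raise ValueError("tls-auth block is not a hex static key")
    return len(hexdigits) * 4


def tomato_settings(directives, blocks):
    """GUI fields the thread had to change, derived from the .ovpn itself."""
    if "tls-auth" not in blocks:
        raise ValueError("no <tls-auth> block: regenerate the .ovpn")
    direction = directives.get("key-direction")
    if direction != "1":   # Tomato's "Outgoing (1)" is OpenVPN's key-direction 1
        raise ValueError(f"expected key-direction 1, got {direction!r}")
    return {
        "Extra HMAC authorization": "Outgoing (1)",
        "Static key size (bits)": static_key_bits(blocks["tls-auth"]),
        # OpenVPN 2.3 falls back to BF-CBC when no cipher is given; that is the
        # 'cipher is used inconsistently' mismatch seen in this thread.
        "Encryption cipher": directives.get("cipher", "BF-CBC"),
    }


def key_files(blocks):
    """{file name: contents} for the inline blocks, ready to write to USB."""
    return {INLINE_TAGS[tag]: blocks[tag] for tag in INLINE_TAGS if tag in blocks}


def custom_config_lines(directives, blocks, mount="/mnt/usb/airvpn"):
    """Lines for Advanced > Custom configuration; tls-auth carries the direction."""
    lines = [f"{d} {directives[d]}" for d in PASSTHROUGH if d in directives]
    for tag, fname in INLINE_TAGS.items():
        if tag in blocks:
            suffix = f" {directives['key-direction']}" if tag == "tls-auth" else ""
            lines.append(f"{tag} {mount}/{fname}{suffix}")
    return lines


def write_key_files(blocks, outdir):
    """Write the files owner-readable only; the private key must not be world-readable."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    for name, body in key_files(blocks).items():
        path = outdir / name
        path.write_text(body)
        path.chmod(0o600)


_HEX = "".join(f"{b:02x}" for b in range(256))   # 512 hex chars = 2048 bits (constructed)
SAMPLE_OVPN = "\n".join([
    "client", "dev tun", "proto udp", "remote gb.vpn.airdns.org 443",
    "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
    "remote-cert-tls server", "cipher AES-256-CBC", "comp-lzo no", "verb 3",
    "key-direction 1",
    "<ca>", "-----BEGIN CERTIFICATE-----", "MIIBdummyCA", "-----END CERTIFICATE-----", "</ca>",
    "<cert>", "-----BEGIN CERTIFICATE-----", "MIIBdummyClient", "-----END CERTIFICATE-----", "</cert>",
    "<key>", "-----BEGIN PRIVATE KEY-----", "MIIEdummyKey", "-----END PRIVATE KEY-----", "</key>",
    "<tls-auth>", "#", "# 2048 bit OpenVPN static key", "#",
    "-----BEGIN OpenVPN Static key V1-----",
    *[_HEX[i:i + 32] for i in range(0, 512, 32)],
    "-----END OpenVPN Static key V1-----", "</tls-auth>",
]) + "\n"

if __name__ == "__main__":
    import sys
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_OVPN
    directives, blocks = parse_ovpn(text)
    for field, value in tomato_settings(directives, blocks).items():
        print(f"{field}: {value}")
    print("\n".join(custom_config_lines(directives, blocks)))
    if len(sys.argv) > 2:
        write_key_files(blocks, sys.argv[2])
```

Run it as `python3 ovpn2tomato.py AirVPN.ovpn /mnt/usb/airvpn` on a box that has the USB drive mounted (or copy the resulting directory over afterwards); with no arguments it prints the settings and lines for the constructed sample. The USB path must be mounted before the OpenVPN client starts, otherwise the router boots with an unreadable key file, so put the mount under Tomato's USB auto-mount rather than a script that runs later.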


I also could not get things going according to the guide but baldrick's settings helped fix the issue.

 

 


Hi, I'm hoping to find assistance setting up my flashed router:

 

Getting "Client is not running or status could not be read." when starting the VPN Client on Asus A-66R with Tomato Firmware 1.28.0000 MIPSR2-120 K26AC USB AIO-64K.

 

Tried Baraka's steps as well as baldrick's to no avail.  The only thing different with my setup is the server address, for which I'm using the IP of a different AirVPN server.

 

Any suggestions/guidance?

