Search the Community
Showing results for tags 'tomato'.
Found 21 results
-
I have installed WireGuard on my Synology. Does anyone know if there is a way to connect? My configuration looks like this, but no connection is being established, and I am getting an error message.
-
Hello all,

This is a collection from different tutorials which I will refer to here, but usually changed since some things changed. Setting up VPN on Synology is a modified neolefort tutorial from here, and the reconnect script is from sundi, which you can find here, which probably modified this script, plus my iptables for blocking Synology on router level when VPN fails.

Other contributions:
foobar666 - you no longer need to enter variables manually
_sinnerman_ - fixed script for DSM 6.1

I'm doing this mostly because I usually forget things I managed to solve after a year or two, so this is a way to have a constant reminder how it was solved and also help others.

1. Get your certificates from AirVPN.

Go to the https://airvpn.org/generator/ page to generate the configuration file.
(1) SELECT the Advanced Mode (under "Config generator" title)
(2) SELECT LINUX OS
(3) Under the "Protocols" section select one with protocol UDP, port 443 and tls-auth in the right column (at the time of writing, it was in the middle of the list). You can choose any combination of protocol/port, but then also change iptables accordingly if you are using the failsafe script. Don't choose any combination which has tls-crypt in the right column.
(4) Under the "Advanced - OpenVPN only" section (right part of page), toggle the "Separate keys/certs from .ovpn file" button and change/leave OpenVPN version to 2.5 (This works in DSM 7.2.1. For older versions you will maybe have to select OpenVPN version 2.4).
(5) SELECT 1 SERVER (refer to section "by single servers") OR COUNTRY OR ANYTHING ELSE YOU WANT
In the original tutorial, neolefort said to choose 1 server, because in that case you will get an IP instead of an xxx.airvpn.org domain. Choosing 1 server is safe because it doesn't need working DNS when you want to connect to VPN. If you choose anything else, you need working DNS on your router when establishing the VPN connection.
(6) Click "GENERATE" at the bottom.
(7) The page will reload with links on top to your files; save them to your computer.

The following files will be generated:
-AirVPN_XXXXX_UDP-443.ovpn
-ca.crt
-user.crt
-user.key
-ta.key

2. Setup AirVPN on Synology.

- Login as admin or with a user from the Administrator group.
- Open Control panel.
- Go to "Network" and click on tab "Network Interface"
- Click on button "Create" - "Create VPN profile"
- Choose "OpenVPN (via importing .ovpn file)"
- Click "Advanced options" so it shows all options
- Profile name: anything you want, but please keep it short and if you can without spaces " ", for example "AirVPN".
- User name: LEAVE EMPTY (for DSM 7+ just put anything here)
- Password: LEAVE EMPTY (for DSM 7+ just put anything here)
- Import .ovpn file: click button and import your AirVPN_XXXXX_UDP-443.ovpn
- CA certificate: click button and import your ca.crt
- Client certificate: click button and import your user.crt
- Client key: click button and import your user.key
- Certificate revocation: LEAVE EMPTY
- TLS-auth key: click button and import your ta.key
- Click "Next"
- Select all options and click "Done"

Now you have a working OpenVPN link on your Synology. You just need to start it from "Control panel" - "Network" - "Network Interface".

If you want to make your connection faster, you can remove some ciphers. Look for this line in the .ovpn file:

data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC

And change it to this:

data-ciphers AES-128-GCM

Then save the file and create a new connection with it. After some testing I found out AES-128-GCM is the fastest of all the others mentioned in settings. You can also test other ciphers yourself and leave the one you find fastest.

EXTRAS!!!

3. Setting up external access to your Synology.

First what you will notice is, "I CAN'T ACCESS MY SYNOLOGY FROM OUTSIDE OF MY LAN!!!!!!! OMG OMG OMG!!!!"
I will not explain port forwards on your router here; if you don't know how to make one, learn!
(1) You can port forward through the AirVPN webpage and access your Syno via the VPN exit IP. This sometimes works, most of the time it doesn't since Syno has some ports you cannot change. Anyway, change your default HTTP / HTTPS port on Syno to your forwarded AirVPN port and you should be fine. But forget about Cloudstation and similar things.
(2) If you want to access Syno via your ISP IP (WAN), then the problem is, your Syno is receiving your connection, but it's replying through VPN. That's a security risk and those connections get dropped. But there is a solution!
- Access "Control panel" - "Network" - "General"
- Click "Advanced Settings" button
- Mark "Enable multiple gateways" and click "OK" and then "Apply"
You're done! It's working now (if you forwarded the right ports on your router).

4. Prevent leaks when VPN connection on Synology fails.

There will be a time when your VPN will fail, drop, disconnect, and your ISP IP will become visible to the world. This is one of the ways you can prevent it, on router level. For this you need Tomato, Merlin, DD-WRT or OpenWRT firmware on your router. I will tell you the steps for a Tomato router. If you are using different firmware, then you need to learn alone how to input this code into your router. Since Shibby version 129 for ARM routers, the syntax of iptables changed, and depending on which version of iptables you are using, apply that code.
- Login to your router (usually just by entering 192.168.1.1 into your browser; if your IP is different, find out which is your gateway IP).
- Click on "Administration"
- Click on "Scripts"
- Choose tab "Firewall"

For Shibby v129 for ARM and later (iptables 1.4.x) use this:

#Use this order of commands because it executes in reverse order.
#This command will execute last, it kills all UDP requests.
iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT
#This command will execute second and will block all TCP source ports except those needed for web access or services
iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport ! --sports 5000,5001,6690 -j REJECT
#This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP
iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT

For earlier Shibby versions and later for MIPS routers:

#Use this order of commands because it executes in reverse order.
#This command will execute last, it kills all UDP requests.
iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT
#This command will execute second and will block all TCP source ports except those needed for web access or services
iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport --sports ! 5000,5001,6690 -j REJECT
#This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP
iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT

Port TCP 5000 = HTTP for Synology web access (change to yours if it's not default)
Port TCP 5001 = HTTPS for Synology web access (change to yours if it's not default)
Port TCP 6690 = Cloud Station port
Port UDP 443 = AirVPN connection port which you defined in step 1 of this tutorial. If you are using a TCP port, then you need to change "-p udp" to "-p tcp" in that line.
If you need more ports, just add them separated by comma ",". If you want a port range, for example 123,124,125,126,127, you can add it like this: 123:127.
Change IP 192.168.1.100 to your Synology LAN IP.
Be careful NOT TO assign those ports to your Download Station on Synology.

This isn't perfect, you can still leak your IP through UDP 443, but since torrent uses mostly TCP, those chances are minimal. If you use a TCP port for VPN, then those chances increase. If you really want to be sure nothing leaks even on UDP 443 (or your custom port), you need to choose 1 (ONE) AirVPN server. You need to find that server's entry IP and change the last IPTABLES rule to something like this:

iptables -I FORWARD -p udp -s 192.168.1.100 -d 123.456.789.123 -m multiport --dports 443 -j ACCEPT

Where 123.456.789.123 is the AirVPN server entry IP. This will allow UDP 443 only for that server; the rest will be rejected by the router.

These are all my opinions, from my very limited knowledge, which may be right and may be wrong.

5. Auto reconnection when VPN is down.

Since when you made your VPN connection on your Synology you checked the "Reconnect" option, Syno will try to reconnect automatically when the connection fails. But in some cases, your network will be offline long enough and Syno will stop trying to reconnect, or will hang with the VPN connection established but not working. In those cases you can use this auto reconnect script.

This is the reconnect script. Just select all script text and copy it.

#!/bin/sh
#VPN Check script modified Sep 11, 2016
#Script checks if VPN is up, and if it is, it checks if it's working or not. It provides details like VPN is up since, data
#received/sent, VPN IP & WAN IP.
#If VPN is not up it will report it in the log file and start it
#Change LogFile path to your own location.
#Save this script to file of your choosing (for example "synovpn_reconnect"). Store it in one of your Synology shared folders and chmod it: "chmod +x /volume1/shared_folder_name/your_path/synovpn_reconnect"
#Edit "/etc/crontab" and add this line without quotes for starting script every 10 minutes: "*/10 * * * * root /volume1/shared_folder_name/your_path/synovpn_reconnect"
#After that restart cron with: "/usr/syno/sbin/synoservicectl --restart crond"

DATE=$(date +"%F")
TIME=$(date +"%T")
# conf_id and conf_name of the OpenVPN profile, read from DSM's own config
VPNID=$(grep "\[.*\]" /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "[" | cut -f 1 -d "]")
VPNNAME=$(grep conf_name /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "=")
LogFile="/volume1/filmovi/Backup/airvpn/check_airvpn_$DATE.log"
PUBIP=$(curl -s -m 5 icanhazip.com)
#PUBIP=$(curl -s -m 5 ipinfo.io/ip)
#PUBIP=$(curl -s -m 5 ifconfig.me)
# 1 if the public IP lookup returned anything that looks like an address
CHECKIP=$(echo $PUBIP | grep -c ".")

start_vpn() {
    echo "VPN is down. Attempting to (re)start now." >> $LogFile
    # /usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=$VPNNAME
    /usr/syno/bin/synovpnc kill_client
    /bin/kill `cat /var/run/ovpn_client.pid` 2>/dev/null
    sleep 35
    echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting
    echo conf_id=$VPNID > /usr/syno/etc/synovpnclient/vpnc_connecting
    echo conf_name=$VPNNAME >> /usr/syno/etc/synovpnclient/vpnc_connecting
    echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
    /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=$VPNNAME >> $LogFile
}

sleep 6
echo "======================================" >> $LogFile
echo "$DATE $TIME" >> $LogFile

# busybox ifconfig prints an all-zero HWaddr for a tun device; no such line means no tun0
if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"
then
    if [ "$CHECKIP" = 1 ]
    then
        IPADDR=$(/sbin/ifconfig tun0 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')
        RXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}')
        TXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}')
        UPTIME=$(cat /var/log/messages | grep "$IPADDR" | awk '{print $1}' | tail -1)
        UPTIME=$(date -d"$UPTIME" +"%Y/%m/%d %H:%M:%S")
        echo "VPN is up since: $UPTIME" >> $LogFile
        echo "Session Data RX: $RXDATA" >> $LogFile
        echo "Session Data TX: $TXDATA" >> $LogFile
        echo "VPN IP is: $IPADDR" >> $LogFile
        echo "WAN IP is: $PUBIP" >> $LogFile
    else
        start_vpn
    fi
else
    start_vpn
fi
exit 0

(1) Login to your Synology DSM web interface as admin.
- As admin go to "Control panel" - "Task Scheduler" (you need to enable advanced mode in the top right corner of control panel for this)
- Click the "Create" button near the top of the page, then select "Scheduled Task" and then "User-defined script"
(2) A new popup window will open.
- under "Task:" enter task name
- under "User:" select "root" if it's not already selected
- switch to "Schedule" tab and select how often you want this task to run; my settings are:
  - "Run on following days" - "Daily"
  - "First run time" - 00:00
  - "Frequency" - "Every 10 minutes"
  - "Last run time" - 23:50
- switch to "Task settings" tab
- paste the script you copied into the empty box under the "User-defined script" title
- press OK and you're done

I tested this on DSM 6.2.2 and it works without problems for now. Still, I'm keeping the old instructions in the next post, if someone wants to do it like that.

Tip: If you don't want a logfile, you can comment out those lines, or remove the ">> $LogFile" code from the whole script.

That's all. If you entered everything correctly, you should be fine and ready to go!
Comments are welcome. If you find mistakes, please correct me.
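An added example, not the post's own script: the reconnect check above calls the tunnel healthy when tun0 exists and curl gets any answer at all, which is also true when the answer travelled over the ISP path (for instance with "Enable multiple gateways" from step 3 switched on, or a tunnel that is up but dead). The POSIX sh below keeps the probes separate from the decision so the decision can be tested offline, and adds one more state, "leaking", for the case where the address seen from outside equals the uplink address. The ISP_IP variable, the file name vpn_check.sh and the choice of tun0 are assumptions made for the example; the restart command in the comment is the one from the post.

```shell
#!/bin/sh
# Added example, not part of the post above. Classifies the state of an
# OpenVPN tunnel from three facts: is the tun device there, did an outside
# service answer, and did it see the ISP address instead of the VPN exit.
# Assumptions: tun0 is the tunnel, ISP_IP holds the real uplink address.

# tun_present IFACE -> 0 when IFACE exists and carries an IPv4 address.
# Tries iproute2 first, then the busybox ifconfig output format.
tun_present() {
    ip -4 addr show "$1" 2>/dev/null | grep -q 'inet ' && return 0
    ifconfig "$1" 2>/dev/null | grep -q 'inet addr'
}

# public_ip -> prints the address an external service sees, nothing on failure.
public_ip() {
    curl -s -m 5 https://icanhazip.com 2>/dev/null | tr -d '[:space:]'
}

# classify TUN_UP PUBIP ISP_IP -> one of: down | unreachable | leaking | up
#   TUN_UP : 1 if the tun interface is present, else 0
#   PUBIP  : externally observed address, "" if the lookup failed
#   ISP_IP : the uplink address that must never be seen from outside ("" = unknown)
classify() {
    tun_up=$1; pubip=$2; isp_ip=$3
    if [ "$tun_up" != 1 ]; then
        echo down
    elif [ -z "$pubip" ]; then
        echo unreachable
    elif [ -n "$isp_ip" ] && [ "$pubip" = "$isp_ip" ]; then
        echo leaking
    else
        echo up
    fi
}

# needs_restart STATE -> true (0) for every state except "up"
needs_restart() {
    [ "$1" != up ]
}

# What cron would run every 10 minutes. "leaking" is handled like "down":
# the tunnel exists but traffic is already going out the wrong way.
main() {
    if tun_present tun0; then up=1; else up=0; fi
    state=$(classify "$up" "$(public_ip)" "${ISP_IP:-}")
    echo "$(date '+%F %T') vpn state: $state"
    if needs_restart "$state"; then
        # restart sequence from the post goes here, e.g.
        # /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name="$VPNNAME"
        :
    fi
}

# Run main only when executed as vpn_check.sh, not when sourced for testing.
case "${0##*/}" in vpn_check.sh) main ;; esac
```

Put the uplink address in ISP_IP from the router's WAN status (or from the Synology's own default gateway side) and the script will distinguish "VPN up" from "VPN up on paper, ISP address visible", which the curl-only check cannot.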
-
This is only a solution for people in their home country willing/wanting to bypass the VPN to access their Netflix account. Does not help for out-of-country Netflix access. I was surprised to not see this in the forum, as it's very simple and works. It is a very short script added to the Custom Configuration which pulls the current IP addresses for a domain name (Netflix.com, Hulu.com) and routes those addresses "around" the VPN.

allow-pull-fqdn
route www.netflix.com 255.255.255.255 net_gateway

So far I've been using this for a day, and had to restart things one time to get it to pick up new addresses. I would like to find a way to run this at regular intervals to add to the IP list (without duplicating addresses already in the list).
-
Step 1: First configure the Tomato VPN client (I am using Shibby's AIO build 134, but any of the recent VPN builds that have policy based routing included should work) so that all traffic is sent through the VPN and ensure that works. Once that is working, you can continue. Getting that working is outside the scope of this guide, and a good guide can be found here.

Step 2: On the 'Advanced' tab of the VPN client, check the Ignore Redirect Gateway (route-nopull) option and on the Routing Policy tab, check the Redirect Through VPN option, and add the devices you want to redirect through the VPN. In my case, I added Source IP 192.168.1.120, as this is the only client on my LAN I want to be routed through the VPN. Once that's done, ensure the VPN client is running and see if you have internet access through the tunnel for the specified client. I use ipleak.net to test. You will likely notice that while your IP address is that of the VPN, DNS is still being served by whichever DNS servers your router has configured. This is normal, and is solved in step 3.

Step 3: On the Advanced -> DHCP/DNS tab, in the advanced configuration:

# Create a tag for clients to use a specific DNS server
dhcp-option=tag:vpn,option:dns-server,10.30.0.1
# Tell these clients when they connect to use the VPN tag
dhcp-host=XX:XX:XX:XX:XX:XX,set:vpn,hostnameyouwanttouse,192.168.1.120

The XX:XX:XX:XX:XX:XX above is the MAC address of your device's network interface. You can find this easily on the Status -> Device List tab. This line is essentially assigning static DHCP for the client with the MAC address specified. This tells all clients tagged as 'vpn' to use 10.30.0.1 as their DNS server. Disconnect the client that you wish to route through the VPN and reconnect it so that it renews the DHCP lease. You may also need to flush the DNS on the client. On Windows this is done from a command prompt run as administrator and typing:

ipconfig /flushdns

Note: I am connecting to Air on port 2018 to make QoS rules easier, so that's why you see 10.30.0.1 for the DNS server. Use whichever Air DNS server is appropriate for your connection.

Step 4: Now, in Administration -> Scripts -> Firewall add the following:

iptables -t nat -I PREROUTING -i br0 -s 192.168.1.120 -p udp --dport 53 -j DNAT --to 10.30.0.1
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.120 -p tcp --dport 53 -j DNAT --to 10.30.0.1
iptables -I FORWARD ! -o tun11 -s 192.168.1.120 -j DROP

The first two lines prevent the specified client from specifying their own DNS servers, so if this is an issue for you, these rules will make sure the client always uses Air's DNS server. The third line prevents ANY traffic from that client using anything other than the VPN interface "tun11".

Note: tun11 is the interface Tomato creates for VPN Client 1. If you use VPN Client 2 use tun12 instead.

Routing an entire bridge:

To take this a step further I also created an entire bridge (br1) on a different subnet (172.16.0.1/24), and a virtual wireless network on that bridge that 100% uses the VPN tunnel. The rules for an entire subnet are a little different. Configuring additional bridges and virtual wireless access points in Tomato is outside the scope of this guide.

Again, in the VPN Client Policy Routing tab, add the "Source IP" and enter 172.16.0.0/24, then in Advanced -> DHCP/DNS:

dhcp-option=tag:br1,option:dns-server,10.30.0.1

This tells all clients that connect to br1 to use 10.30.0.1 as their DNS server. Tomato, by default, tags the clients with the bridge they are connected to, so that's all that is required to tell clients on that bridge to use a different DNS server.

Then in the Firewall:

iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 10.30.0.1
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 10.30.0.1
iptables -t nat -I POSTROUTING -s 172.16.0.1/255.255.255.0 -o tun11 -j MASQUERADE
iptables -I FORWARD -i br1 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br1 -j ACCEPT
iptables -I FORWARD ! -o tun11 -s 172.16.0.1/255.255.255.0 -j DROP

Again, the first two lines prevent clients from specifying their own DNS servers. The next three lines are required, as Tomato's VPN client doesn't automatically add them for bridges other than br0. Without these, no traffic will move between br1 and tun11 (and hence, you will not get a connection). The last line prevents all traffic on br1 if the VPN is down.

Port Forwarding:

This is straight from AirVPN's FAQ, copied here for completeness. To forward ports to clients, four firewall rules are required for each port you wish to forward. Here I am forwarding port 12345 (both UDP and TCP) to my one VPN'd client on my main LAN:

iptables -I FORWARD -i tun11 -p udp -d 192.168.1.120 --dport 12345 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.120 --dport 12345 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 12345 -j DNAT --to-destination 192.168.1.120
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 12345 -j DNAT --to-destination 192.168.1.120

Preventing leaks on the main LAN when not using policy routing:

If you are not interested in policy based routing, and just want to prevent leaks while routing all traffic through the VPN, make sure you check Redirect Internet traffic in the VPN Client Advanced tab and then add the following firewall rules:

iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 10.30.0.1
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 10.30.0.1
iptables -I FORWARD ! -o tun11 -s 192.168.1.1/255.255.255.0 -j DROP

The above is completely untested by me as I don't want to route my main LAN (other than a single client) over the VPN. It may cause connectivity issues with the router itself if the tunnel goes down. If someone does test, please come back here and report your results!

I hope this guide helps anyone wishing to use Tomato's VPN client to get connected and if you run into any trouble, I am happy to try and help solve the issue.

Troubleshooting: If something isn't working and you've entered everything correctly, I've found that rebooting the client you want routed through the VPN or restarting the VPN client can help. Also, rebooting the router will flush out anything left over between configuration steps and can sometimes solve problems. You can also rebuild the firewall rules in Tomato by going to the Tools->System Commands tab in the interface, and sending service firewall restart. If these don't help, double check that everything is configured appropriately.
-
Hi, I'm determined to buy a router to run OpenVPN with my AirVPN account. Specifically I will have only one device, or at the maximum one other, which should pass through the tunnel. The speed must not deviate much from the real 30mb. I wondered what characteristics the CPU must have; basically I will use the VPN for media streams.
-
Just a quick question, I have OpenVPN set up in my Shibby Tomato router to use AirVPN. No issues until I started to selectively route a few of the Source IPs through the tunnel (using the GUI OpenVPN Client tab Routing Policy) as I can't get Netflix to work. So now, my ISP's DNS is showing up in the DNS leak test. I've tried to insert static DNS in the basic network config to use another DNS server, but nothing worked. The DNS leak test still shows me that I am using my ISP's DNS server. Has anyone had this problem when selectively routing a few IPs through the tunnel using Tomato?
-
So I love AirVPN, I use the portable app that runs on my machine, and I get great speeds, usually 60 Mbps when connected. However I would love to run it on my router so that way I could possibly run another VPN on top of it for extra security, but it's more so for the peace of mind knowing that my router is 100% securing my data at all times. I have 2 different routers, and I was going to try to have my main dedicated router broadcasting my normal signal, and then my Asus Rt-n66u running a VPN at all times. After running through the setup guides and everything I was able to get a successful connection however the speeds were terrible, maxing out at around 7 Mbps. I need desperate help as my other router (r7000) has a similar problem with speeds only maxing out at about 10 Mbps. This isn't doable, and I love getting decent speeds but I can't work with something this slow. Has anyone else here had any similar issues with installation to a router? I was also looking at the Ubiquiti Edgerouter as a higher performing router, I just want to be sure I've expended all my resources before I buy another router that may be more powerful.
-
Hi, I recently bought an Asus RT-AC66 and installed Tomato Shibby on it. I currently have a WRT54G with Tomato Toastman and it is configured as per the instructions provided on here and it works well. However on the Asus, it works the first time and then it stops. On connection to the VPN, I get internet briefly. Then nothing. On my browser (Chrome), it says DNS_PROBE BAD_CONFIG. I have been trying all sorts for the last 2 days. I hope someone can help me with this. Thanks.
-
About Tomato Firmware

Tomato is a small, lean and simple replacement firmware for Linksys' WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other Broadcom-based routers. Official website: http://www.polarcloud.com/tomato.

Prerequisite

Make sure you triple-check that your version of Tomato supports OpenVPN or you'll be sorry. I strongly recommend Toastman's build of Tomato because of its widespread feature support and stability.

Steps

Under Basic->Network, configure your 3 static DNS servers. If you wish to use the AirVPN DNS set 10.4.0.1 as first DNS IP address. The Air DNS will enable you to access internal Air services, geo-routing services and bypass ICE/ICANN USA censorship (more information here). About the others, I recommend picking ones from the OpenNIC Project because many of the servers don't keep any logs, which is consistent with the Air service, plus they would allow your internet service to continue functioning in the event of a government-ordered root DNS server shutdown: https://servers.opennic.org/

Under Basic->Time, make sure that the correct time zone and server is configured.

Download the OpenVPN (.ovpn) file of your choosing under "Client Area -> Config Generator" after you log in to the AirVPN site. In the Configuration Generator make sure to tick "Advanced Mode" and "Separate certs/keys from .ovpn files". In order to determine the IP address of the server you wish to connect to, please resolve "servername.airservers.org". For example, for Acrux resolve "acrux.airservers.org". Find the server names by looking at the Status page.

For the actual configuration, please see the following two screenshots of the Basic and Advanced OpenVPN Client Configuration. Under Basic, sub in your own correct protocol, IP and port in place of what I have in my own config. In the Advanced Custom Configuration text box, the options are as follows:

resolv-retry infinite
remote-cert-tls server
comp-lzo
verb 3

Under Keys, you'll need to again text edit your user.key, user.crt, ca.crt and ta.key files, copy the matching keys and certificates and paste them into the text boxes in your router config.
- ta.key is the Static Key
- ca.crt is the Certificate Authority certificate (in some older builds, "Server certificate")
- user.crt is the Client Certificate
- user.key is the Client Key
About the certificate files (user.crt and ca.crt) content, just copy and paste from "-----BEGIN CERTIFICATE-----" (included) up to "-----END CERTIFICATE-----" (included).

Save all settings.

Under Status, click Start Now and count for 30 seconds. Go to https://airvpn.org and at the bottom of the screen it should show you are connected, or visit https://ipleak.net to check.

Tested with

Toastman's build of Tomato [v1.28.7500 MIPSR2Toastman-RT K26 VPN] on Asus RT-N16 router.
Tomato-ND-1.28.7633-Toastman-IPT-ND-SmallVPN on Buffalo WHR-G54S

Feedback

For any comment or feedback, you can find the discussion here. Thanks to Baraka for this article.
-
I've searched and tried everything and I can't get anything to work. Here's my setup. I have the Verizon Fios Actiontec router with an Asus RT-N16 as a secondary router with Tomato installed. The Asus is on a different subnet than the Actiontec and the Asus connects to AirVPN. I run everything through the second router which connects to AirVPN. I tried setting up forwarding the ports on AirVPN to have my Plex server visible through the VPN, but nothing. Most of the setups I see with Plex connect with the software client. Can someone point me in the right direction?
-
Dear community,

Hoping someone can help with this.... I am trying to set up a firewall script for my router running Tomato Firmware 1.28.0000 -121 K26ARM USB AIO-64K by SHIBBY on a Netgear R7000 Nighthawk on mostly default settings apart from the VPN Client. The script is to block all non-VPN traffic even if the connection fails and I have tried several suggestions made in the forums without success. Below is the script most people have success with (except me):

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

(from https://airvpn.org/topic/4287-how-to-block-all-traffic-with-dd-wrt-if-vpn-connection-fails/)

I think the problem lies in the assigned interface names. Below is my current routing table while VPN'd:

In short, can someone modify the script to suit my arrangement?? or let me know what direction I need to take to set this up.... Using the script above lets traffic through even if I stop the VPN client, and my attempts to modify it usually block all traffic.

Any help would be much appreciated,
EWS
-
I'm using a 4 port RT-N16 Toastman build VPN, VLAN version router, a Netgear 24 port switch, Linux machines, 2 streaming media players, PlayStations. I want to split the network up into 3 segments: 192.168.1.x, 192.168.2.x, 192.168.3.x. *Important* - I don't want any segment on the network to be able to speak to each other. Segments 1 and 2 - I want to tunnel through the VPN via network manager on the Linux machines using SSL port 443. These connections have 13 ports to connect through on the switch: 0/01, 0/02, 0/03.....0/013. On 1 segment - I want to go through the VPN to America via a Tomato router configuration using Client 1. I don't care what port I use. These connections will have 6 ports to connect through the switch: 0/14, 0/15, 0/16......0/19, 0/20. I've been at this for 2 good solid days manipulating scripts, manual configurations through the GUI on Tomato, etc. I like to figure things out myself, and I've learned a lot, but I think it's time I asked for some help. Anyone have an idea how to do this? Greatly appreciate your input!
-
I have not been able to connect to the AirVPN server since changing my keys/certs according to the Notice posted 12 April 2014. I created a .ovpn configuration as instructed and just replaced my keys/certs in the OpenVPN configuration for the Toastman Tomato firmware on my WRT54GL router. The instructions are a little dated. Here is what I have found:
There is no "Member Area" that points to "Access Without Our Client" anymore. I went to: Client Area --> Config Generator
Following instructions at: https://airvpn.org/tomato/
The first screen shot shows information added to EXTRA HMAC AUTHORIZATION (TLS-AUTH) that does not exist on my system so I have left it set to "DISABLED";
The second screen shot link is broken;
I have one file, a "AirVPN_[Country]_UDP-443.ovpn" file, which does not include USER.KEY, USER.CRT, or CA.CRT files;
So, in the one file, I took everything from the <ca> .... </ca> beginning with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----" and put it in the CERTIFICATE AUTHORITY box in the OpenVPN configuration (this is the top box; the box titled STATIC KEY does not exist);
I took the certificate beginning with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----" in the <cert>....</cert> area and pasted it into the CLIENT CERTIFICATE box;
Finally, the <key>....</key> that starts with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----" I put into the CLIENT KEY box in the OpenVPN area.
I did these steps originally and was able to connect; however, with the new information/configuration I am not able to connect; hopefully, I am missing something simple.
Note: I apologize if I seem confused; I have brain damage due to a medical condition and some days (like today) my ability to troubleshoot is limited...
-
I have a problem when connecting to another site from a Tomato router. The VPN client can't connect to another site for 30 to 300 seconds after stopping the client. If I reconnect to the same site, it connects immediately. The error message I get in the vpn log is: AUTH: Received control message: AUTH_FAILED I use ip addresses in the config file After waiting for up to 5 minutes, it will connect fine. I've followed the tomato set up instructions in the forums. I've searched internet and the forums but I can't find much about this problem. I hope somebody can help me with this. Thanks in advance.
-
Hi, Thanks for a great VPN service. I've been using the Windows client so far with no problems. However, I recently bought an Asus RT-N16 router for the purpose of bridging with the router upstairs, in order to get a wired Internet connection downstairs. This worked out well. I also wanted to use openVPN on the router downstairs using tomato (shibby), but I've run into a problem. In the howto article it says I have to change the DNS servers under basic/networking, but the problem is as the router is bridged to the router upstairs, the gateway and first DNS address is the LAN address to the router upstairs. I've tried setting up openVPN without changing the DNS settings, but it didn't seem to work very well (at all). Is it possible to use openVPN on a tomato router that is bridged to another router that it gets the internet access from?
-
I have successfully followed the AirVPN instructions on setting up the Asus RT-N66U's (Merlin firmware) openvpn client. My concern now is protecting privacy in the event the VPN drops & traffic continues through the ISP. I would like to route all client traffic through the VPN & in the event it drops, no access to the internet is available to the clients. Does anyone know of a solution for this ? A workable solution exists for the for DD-WRT routers & I'm guessing similar one can be done for the RT-N66U as it runs a variant of DD-WRT (AsusWRT). I'm not technical enough to implement it so would appreciate any help. https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=4287&Itemid=142#4287
-
Hi, I see that I am connected to the Leonis NL server, but the speed test page is not working. The Tomato router logs show "possible DNS-rebind attack detected: speedtest.air". The DNS leak test says:
IP: 85.17.20.219
Hostname: hosted-by.leaseweb.com
What might be the problem?
-
Hi, I have successfully set up Tomato VPN by following your setup guide here: https://airvpn.org/tomato/ I wonder if the DNS traffic is visible. There is another discussion regarding this here: https://www.airvpn.org/topic/1408-dnscrypt/ But I wonder if this applies to Tunnelblick only or also to the Tomato setup, since we enter DNS IPs in the Tomato setup. Kind regards
-
Hi. As the topic says - does anyone know how to configure the OpenVPN client in a Tomato (Shibby's) firmware router not to tunnel traffic on a specific port? Example: I want everything except the uTorrent port 4548 and Usenet port 119 to be tunneled through AirVPN. My LAN is based on a 192.168.1.x subnet (where my router has 192.168.1.3). Regards, Daniel
-
HOW TO FORWARD PORTS TO YOUR DEVICES WITH IPTABLES

You need to create a basic DNAT on your router. Remember that the router GUI forwards ports from the WAN to LAN. When connected to the VPN you must forward ports from TUN to LAN. Therefore, it is imperative that you do NOT forward ports in the GUI of the router.

Assuming that:
- destIP is the IP address of the destination device
- port is the port you wish to forward to that device
- tun1 is the tun interface of your router (please check! on some routers it can be tun0, on Tomato it can be tun11)
- you need to forward both TCP and UDP packets

you need to add the following rules. Please note that the following rules do NOT replace your already existing rules, you just have to add them.

iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

Note: if your router firmware iptables supports the multiport module you can use the --match option to make your rule set more compact. Please see here, thanks to Mikeyy: https://airvpn.org/topic/14991-asuswrt-merlin-multiple-ports/?do=findComment&comment=31221

Kind regards
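An added example serving both this post and the port-forwarding section of the Tomato policy-routing guide earlier on this page; it is not AirVPN's, Mikeyy's or that guide's code. It builds the four rules per port for a whole list of ports, optionally compacted with the multiport match the note mentions, and validates every port or range before printing anything, so a typo never leaves a half-applied set on the router. The rules are printed rather than executed, to be reviewed and then pasted into the firmware's firewall script. tun11, 192.168.1.120 and the port numbers in the usage line are illustrative values.

```shell
#!/bin/sh
# Added example, not part of the post above: TUN->LAN port forwarding rules for
# a list of ports, plain or with "-m multiport". Nothing is applied; output is
# meant to be reviewed and pasted into the router's firewall script.
#
# usage: forward_rules TUN_IF DEST_IP PORTS [multiport]
#   PORTS is comma separated; a range is written low:high (iptables syntax)

# valid_port_spec SPEC -> 0 if SPEC is a port or a low:high range within 1..65535
valid_port_spec() {
    spec=$1
    case "$spec" in
        '' | *[!0-9:]* | *:*:*) return 1 ;;
        *:*)
            lo=${spec%%:*}; hi=${spec#*:}
            valid_port_spec "$lo" && valid_port_spec "$hi" && [ "$lo" -lt "$hi" ]
            ;;
        *) [ "$spec" -ge 1 ] && [ "$spec" -le 65535 ] ;;
    esac
}

# emit_rules TUN DEST MATCH -> ACCEPT + DNAT for udp and tcp, same shape as the post
emit_rules() {
    tun=$1; dest=$2; match=$3
    for proto in udp tcp; do
        echo "iptables -I FORWARD -i $tun -p $proto -d $dest $match -j ACCEPT"
        echo "iptables -t nat -I PREROUTING -i $tun -p $proto $match -j DNAT --to-destination $dest"
    done
}

# forward_rules TUN DEST PORTS [multiport]
# Validates the whole list first. multiport accepts at most 15 ports and a
# range counts as two, so that limit is checked before the compact form is used.
forward_rules() {
    tun=$1; dest=$2; mode=${4:-plain}
    set -- $(printf '%s' "$3" | tr ',' ' ')     # split on commas, drop empties
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }
    n=0
    for p in "$@"; do
        valid_port_spec "$p" || { echo "bad port spec: $p" >&2; return 1; }
        case "$p" in *:*) n=$((n + 2)) ;; *) n=$((n + 1)) ;; esac
    done
    if [ "$mode" = multiport ]; then
        [ "$n" -le 15 ] || { echo "multiport allows at most 15 ports" >&2; return 1; }
        ports=$(printf '%s,' "$@"); ports=${ports%,}   # normalised list
        emit_rules "$tun" "$dest" "-m multiport --dports $ports"
    else
        for p in "$@"; do
            emit_rules "$tun" "$dest" "--dport $p"
        done
    fi
}

# Example run (illustrative values): one fixed port plus a range, compacted.
case "${0##*/}" in
    forward_rules.sh) forward_rules tun11 192.168.1.120 12345,6881:6889 multiport ;;
esac
```

Without the multiport argument the same list produces the post's four lines once per port, which is what to use on firmware whose iptables was built without the multiport match.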
-
DD-WRT How to block all traffic with DD-WRT if VPN connection fails
fribeiro123 posted a topic in How-To
Hello,

This post is for everyone that has OpenVPN configured in a DD-WRT router and wants to block all connections through the ISP if the VPN connection fails, avoiding leaking our real ISP IP. I set up the connection to AirVPN servers using the tutorial in https://airvpn.org/ddwrt and then inserted the following line into the firewall rules:

"iptables -I FORWARD -i br0 -o vlan2 -j DROP"

- br0 is the bridge with my LAN ports & wireless
- vlan2 is my WAN port connected to the ISP modem

So if there is any connection starting from my LAN or wifi to the WAN port, the firewall of the router blocks the connection. My firewall rules are like this:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

[STAFF EDIT] In case you apply Policy Based Routing, please see here as well: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=777788
Check the interface names and make sure to enter the correct names (in your firmware the tun interface might be tun1 or tun0, etc.).
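An added example, not fribeiro123's or AirVPN's code, covering this post and the R7000 question earlier on this page that suspects wrong interface names: the five rules only block anything if "br0", "vlan2" and "tun0" really are the LAN bridge, the ISP-facing port and the tunnel on the router in question, so this script reads the WAN and tun names from the routing table and prints the same rule set with those names filled in, refusing to print when it cannot tell them apart. The routing-table text embedded in the script is constructed for the example; the script name block_all.sh and the --sample flag are assumptions.

```shell
#!/bin/sh
# Added example, not part of the post above: derive the WAN and tun interface
# names from `ip route show` and print the post's block-all rules with them.
# SAMPLE_ROUTES below is constructed (documentation addresses), not captured.

# wan_iface ROUTE_TEXT -> interface of the first "default via ..." route that is
# not a tunnel. With OpenVPN's redirect-gateway the tunnel owns 0.0.0.0/1 and
# 128.0.0.0/1, so the "default" entry still names the ISP-facing port
# (vlan2, eth0, ppp0 ... depending on firmware and WAN type).
wan_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i <= NF; i++)
                if ($i == "dev" && $(i+1) !~ /^(tun|tap)/) { print $(i+1); exit }
        }'
}

# tun_iface ROUTE_TEXT -> the first tun/tap device that has any route at all
tun_iface() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "dev" && $(i+1) ~ /^(tun|tap)/) { print $(i+1); exit }
    }'
}

# block_all_rules LAN_BR WAN_IF TUN_IF -> the five rules with names substituted.
# Empty or identical names mean the routing table was not understood; refuse
# rather than print a rule set that would block nothing (or everything).
block_all_rules() {
    br=$1; wan=$2; tun=$3
    if [ -z "$br" ] || [ -z "$wan" ] || [ -z "$tun" ]; then
        echo "could not determine bridge/WAN/tun names" >&2; return 1
    fi
    if [ "$wan" = "$tun" ]; then
        echo "WAN and tun resolve to the same interface: $wan" >&2; return 1
    fi
    # -I inserts at the head of the chain, so the last line here is matched
    # first; harmless, since every rule matches a different interface pair.
    printf '%s\n' \
        "iptables -I FORWARD -i $br -o $tun -j ACCEPT" \
        "iptables -I FORWARD -i $tun -o $br -j ACCEPT" \
        "iptables -I FORWARD -i $br -o $wan -j DROP" \
        "iptables -I INPUT -i $tun -j REJECT" \
        "iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE"
}

# Constructed sample of `ip route show` on a Tomato router with VPN client 1 up
# and redirect-gateway in effect.
SAMPLE_ROUTES='0.0.0.0/1 via 10.30.0.1 dev tun11
default via 203.0.113.1 dev vlan2  metric 0
10.30.0.0/16 dev tun11  proto kernel  scope link  src 10.30.0.5
128.0.0.0/1 via 10.30.0.1 dev tun11
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
203.0.113.0/24 dev vlan2  proto kernel  scope link  src 203.0.113.7'

main() {
    routes=$(ip route show 2>/dev/null)
    [ -n "$routes" ] || { echo "empty routing table (no ip(1)?); try: $0 --sample" >&2; return 1; }
    block_all_rules br0 "$(wan_iface "$routes")" "$(tun_iface "$routes")"
}

case "${0##*/}" in
    block_all.sh)
        if [ "${1:-}" = --sample ]; then
            block_all_rules br0 "$(wan_iface "$SAMPLE_ROUTES")" "$(tun_iface "$SAMPLE_ROUTES")"
        else
            main
        fi ;;
esac
```

Run it once on the router with the tunnel up and compare the printed names with what the firmware's VPN client reports; if wan_iface prints nothing, the only default route points at the tunnel and the DROP line would never match, which is the symptom described in the R7000 post.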