OpenVPN

VPN

As of Tomato USB build 41, it is possible to set up Tomato USB as an OpenVPN appliance using only the web-based GUI. It is no longer necessary to issue shell commands, or to echo quoted certificates and config files from a shell script.
This tutorial shows how to set up an OpenVPN server on Tomato USB and clients on either desktop PCs or another router.

Getting Started - Flashing the Router

To flash a brand new router, first install the "mini" version of DD-WRT (current filename: dd-wrt.v24_mini_generic.bin), then install the "vpn" version of Tomato USB, which has OpenVPN support (current filename: tomato-1.27-NDUSB-9044MIPSR2-beta07-vpn3.6.trx). For other routers, use the appropriate bin files and installation procedure, as per the Tomato USB website.
For more detailed instructions, please see the Tomato USB Installation section.

Creating Certificates

You will need the OpenVPN software installed on your computer, as it is used to create all the needed certificates.

See steps below for "how to" download/install/use OpenVPN on your computer, or visit http://openvpn.net/index.php/documentation/howto.html for the general official guide.

Creating Certificates using Ubuntu

Install the OpenVPN package:
$ sudo apt-get install openvpn openssl

The easy-rsa scripts live under /usr/share/doc, so you must execute the following commands as root.

  1. Move to the OpenVPN easy-rsa script folder

$ cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/

  2. Before anything else, you may want to make a backup copy of the vars script

$ cp vars vars-org

  3. The following are the actual certificate building commands

$ source ./vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-key client1
$ ./build-key client2   # etc., one build-key per client
$ ./build-dh

At this point, you have created the certificates which you will need to distribute to the server and clients. You find them in the new directory keys. KEEP THEM IN A SAFE PLACE: the .key files are private keys, and anyone holding client1.key together with client1.crt can connect as that client.

Notes about the above commands:

  • Before you run the source ./vars command you may wish to edit some of the export lines. KEY_SIZE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL are probably the only export variables you should change. Please note: if you change KEY_SIZE it must be done before running source ./vars.
  • source ./vars - runs the vars script and exports its variables into your current shell session, so the later scripts can read them.
  • ./clean-all - makes sure no old keys are stored in the "keys" directory. All the .crt and .key files you create make up ONE set of mutually dependent keys: every certificate is signed by the one CA key, so they only work together.
  • ./build-ca - creates the ca.crt and ca.key files. ./build-ca will ask you to enter some parameters. Here is an example:
 Country Name (2 letter code) [US]:CH
 State or Province Name (full name) [CA]:CH
 Locality Name (eg, city) [SanFrancisco]:Home
 Organization Name (eg, company) [Fort-Funston]:Home
 Organizational Unit Name (eg, section) []:Tomato
 Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:Tomato USB Server
 Email Address [me@myhost.mydomain]:vpn@tomato.ch
  • ./build-key-server server - creates the server.crt and server.key files. Here is an example:
 Country Name (2 letter code) [US]:CH
 State or Province Name (full name) [CA]:CH
 Locality Name (eg, city) [SanFrancisco]:Home
 Organization Name (eg, company) [Fort-Funston]:AtHome
 Organizational Unit Name (eg, section) []:Tomato
 Common Name (eg, your name or your server's hostname) [server]:Tomato USB Server
 Email Address [me@myhost.mydomain]:vpn@tomato.ch

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:password
 An optional company name []:AJAX Inc.
  • ./build-key client1 - creates the client1.crt and client1.key files (the file names follow the argument you give, not the Common Name you enter)
 Country Name (2 letter code) [US]:CH
 State or Province Name (full name) [CA]:CH
 Locality Name (eg, city) [SanFrancisco]:Home
 Organization Name (eg, company) [Fort-Funston]:AtHome
 Organizational Unit Name (eg, section) []:AtHome
 Common Name (eg, your name or your server's hostname) [client1]:Client1
 Email Address [me@myhost.mydomain]:vpn@tomato.ch

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:password 
 An optional company name []:AJAX Inc.

So long as you don't change anything in the vars file, you can come back and run the ./build-key ClientX command at any time, in order to create keys for one more client to connect to your OpenVPN (Tomato USB Server) server.

  • ./build-dh - creates the dh1024.pem or dh2048.pem file, depending on the KEY_SIZE variable. Please note: if you change KEY_SIZE you must redo all steps above, beginning with source ./vars.

Setting up the Gateway

  • The server will reject certificates unless the server clock is set correctly, because certificate validity periods are checked against it. To fix this, enable NTP on the router.

In the Web Interface of Tomato USB Server, go to:
VPN Tunneling —> Server —> Basic

  • Check "Start with WAN"

VPN Tunneling —> Server —> Keys

Paste the certificate files created above into the boxes in the Tomato USB Server web interface as follows:

Box                          File
Certificate Authority        ca.crt
Server Certificate           server.crt
Server Key                   server.key
Diffie Hellman parameters    dh1024.pem (or dh2048.pem if you changed KEY_SIZE)

NOTE: Only paste the section of each text file starting with (and including):

-----BEGIN CERTIFICATE-----
and ending with (and including):
-----END CERTIFICATE-----
That is, include the two -BEGIN/END CERTIFICATE- lines. Do not paste the descriptive text that easy-rsa writes above that section. The marker text differs per file type: server.key uses BEGIN/END RSA PRIVATE KEY and the dh file uses BEGIN/END DH PARAMETERS; paste those complete blocks in the same way.

NOTE: The following commands make it easier to copy text from the files stored in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys to the web GUI of Tomato USB Server. Be aware that chmod 755 makes the private keys readable by every user on that machine; reading the files as root (for example with sudo cat) avoids that, and if you do use these commands, tighten the permissions again (chmod 600 *.key) once you have finished pasting.

  1. When you have issued ./build-dh, then do:

$ chmod 755 keys
$ cd keys
$ chmod 755 *.*
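The two notes above (paste only the marker-delimited block, and read files that are root-owned) can be handled with a small script instead of loosening permissions. The following POSIX sh example is added here and is not from the original page or the Tomato USB project; it assumes the easy-rsa 2.0 file layout described above and uses only sh and awk.

```shell
#!/bin/sh
# Added example, not from the original page. Prints only the PEM block of a
# file: the lines from the first "-----BEGIN ...-----" marker through the
# matching "-----END ...-----" marker, dropping the human-readable dump that
# easy-rsa writes above the certificate. The markers differ per file type
# (CERTIFICATE for *.crt, RSA PRIVATE KEY for *.key, DH PARAMETERS for
# dh*.pem), so matching on the prefix covers all of them. Run it as root
# (sudo sh pem_block.sh keys/server.key) instead of making the keys
# directory world-readable.
pem_block() {
    # $1: path to the PEM file. awk starts printing at the BEGIN line and
    # exits right after the END line, so any trailing text is ignored too.
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{if (p) exit}' "$1"
}

# Returns 0 when the extracted block is well-formed: it starts with a BEGIN
# marker, ends with an END marker, and both name the same type.
pem_block_ok() {
    block=$(pem_block "$1")
    first=$(printf '%s\n' "$block" | head -n 1)
    last=$(printf '%s\n' "$block" | tail -n 1)
    case "$first" in "-----BEGIN "*"-----") ;; *) return 1 ;; esac
    case "$last" in "-----END "*"-----") ;; *) return 1 ;; esac
    b=${first#-----BEGIN }; b=${b%-----}
    e=${last#-----END }; e=${e%-----}
    [ "$b" = "$e" ]
}

# Constructed sample in the shape of a build-key output file; the base64
# body is placeholder text, not a real certificate.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Issuer: C=CH, ST=CH, L=Home, O=Home, OU=Tomato, CN=Tomato USB Server
        Subject: C=CH, ST=CH, L=Home, O=AtHome, OU=AtHome, CN=Client1
-----BEGIN CERTIFICATE-----
MIIBplaceholderLine1
MIIBplaceholderLine2
-----END CERTIFICATE-----
EOF

# Print the block of the file given on the command line, or of the sample.
pem_block "${1:-$SAMPLE}"
```

Piping the output into a clipboard tool (for example xclip on Ubuntu) gives you exactly the text the GUI box expects.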

Client Config

This is a configuration file for a desktop OpenVPN client to connect to the server.

Ubuntu

Client Config File:

 ##########################################
 #   ______                      __       
 #  /_  __/___  ____ ___  ____ _/ /_____  
 #   / / / __ \/ __ `__ \/ __ `/ __/ __ \
 #  / / / /_/ / / / / / / /_/ / /_/ /_/ /
 # /_/  \____/_/ /_/ /_/\__,_/\__/\____/
 #                     admin@domain.com    
 ##########################################

 # The hostname/IP and port of the server. You can have multiple remote entries to load balance between the servers.
 remote server.dyndns.org 1194

 # Specify that we are a client and that we will be pulling certain config file directives from the server.
 client
 # Only accept a server certificate carrying the nsCertType=server extension (build-key-server sets it),
 # so a client certificate signed by the same CA cannot be used to impersonate the server.
 ns-cert-type server
 # Use a TUN device. On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
 dev tun21
 # Are we connecting to a TCP or UDP server?
 proto udp
 # Keep trying indefinitely to resolve the host name of the OpenVPN server.  Useful for machines which are not permanently connected to the internet such as laptops.
 resolv-retry infinite
 # Most clients don't need to bind to a specific local port number.
 nobind
 # The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade.
 persist-key
 persist-tun
 # Accept packets from the server even if its address changes (e.g. after a DHCP lease change).
 float
 # SSL/TLS parameters: the CA certificate, client certificate and client key created above.
 ca ca.crt
 cert client1.crt
 key client1.key
 # Enable compression on the VPN link.
 comp-lzo
 # Set log file verbosity (commented out, so the default is used).
 ;verb 3
 # Silence repeating messages
 mute 20

Windows

Download and install the stable version of OpenVPN GUI for Windows from http://openvpn.se/
Client Config File (the same directives as the Ubuntu file above):

 ##########################################
 #   ______                      __       
 #  /_  __/___  ____ ___  ____ _/ /_____  
 #   / / / __ \/ __ `__ \/ __ `/ __/ __ \
 #  / / / /_/ / / / / / / /_/ / /_/ /_/ /
 # /_/  \____/_/ /_/ /_/\__,_/\__/\____/
 #                     admin@domain.com    
 ##########################################

 # The hostname/IP and port of the server. You can have multiple remote entries to load balance between the servers.
 remote server.dyndns.org 1194

 # Specify that we are a client and that we will be pulling certain config file directives from the server.
 client
 # Only accept a server certificate carrying the nsCertType=server extension (build-key-server sets it),
 # so a client certificate signed by the same CA cannot be used to impersonate the server.
 ns-cert-type server
 # Use a TUN device. On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
 dev tun21
 # Are we connecting to a TCP or UDP server?
 proto udp
 # Keep trying indefinitely to resolve the host name of the OpenVPN server.  Useful for machines which are not permanently connected to the internet such as laptops.
 resolv-retry infinite
 # Most clients don't need to bind to a specific local port number.
 nobind
 # The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade.
 persist-key
 persist-tun
 # Accept packets from the server even if its address changes (e.g. after a DHCP lease change).
 float
 # SSL/TLS parameters: the CA certificate, client certificate and client key created above.
 ca ca.crt
 cert client1.crt
 key client1.key
 # Enable compression on the VPN link.
 comp-lzo
 # Set log file verbosity (commented out, so the default is used).
 ;verb 3
 # Silence repeating messages
 mute 20

Tomato USB

This is the configuration for an OpenVPN client running on another Tomato USB box.

In the Web Interface of the Tomato USB box that will act as the client, go to:
VPN Tunneling —> Client —> Basic

  • Check "Start with WAN"
  • Set "Server Address/Port" to match your server setup

VPN Tunneling —> Client —> Keys

Paste the certificate files created above into the boxes in the client box's web interface as follows:

Box                    File
Public Server Cert     ca.crt
Public Client Cert     client1.crt
Private Client Key     client1.key

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License