Setting Up a VPN Server on a Tomato Router, Part 1


Looking to set up a virtual private network (VPN)? You don't have to buy expensive equipment to set up a VPN to give users secure remote access or connect offices together. Small and midsize businesses especially can take advantage of lower-cost alternatives.

Building a VPN? Tomato Router is one way to bypass expensive equipment to give users secure remote access or connect offices.

Microsoft gives you VPN server and client functionality right in Windows; however, the feature-set is limited, and only Vista versions and later offer good security. One alternative we're going to discuss is installing aftermarket firmware on a wireless router loaded with the free OpenVPN server and client. We already covered this with the DD-WRT firmware. Now, we'll look at the Tomato firmware, using the TomatoVPN variant.

Get a Compatible Router

You can't use the Tomato firmware on just any wireless router. Make sure you have (or get) one that's compatible. Vendors with supported routers include Linksys, Buffalo, and Asus. To check your specific model and version, refer to the Tomato FAQ.

Once you've verified your router is compatible, download and install the firmware.

This tutorial is written using the 1.27vpn3.6 release of TomatoVPN, which uses the OpenVPN 2.1.1 server and client. Then on a PC, I'll use OpenVPN 2.1.4 for creating SSL certificates and for VPN client functionality on PCs.

Initial Login

Start by connecting to the TomatoVPN router and logging into the web-based control panel. Open your browser and enter the default IP address of 192.168.1.1. Then, log in with the default username and password, which are both "admin".

Before playing with the VPN features, be sure to configure the basics so you're secure: wireless settings (including WPA or WPA2 security) and the router's password for the control panel.

Change the Router's Subnet and IP

Since VPN connections link networks together, you must be careful with the subnet and IP addressing so there aren't any conflicts. The TomatoVPN default IP of 192.168.1.1 is one of the most common among all routers, and it will likely cause a problem. Use something that's not a common default, such as 192.168.50.1. If you have multiple offices, assign each a different IP/subnet, such as 192.168.51.1 and 192.168.52.1.

To change the TomatoVPN router's address, connect and bring up the web-based control panel by entering the IP address (192.168.1.1) into a web browser. Then click Basic > Network (see Figure 1). Change the Router IP Address to something like 192.168.50.1 and adjust the IP Address Range accordingly, for example 192.168.50.100 - 192.168.50.149. Then click Save.

Figure 1: The Tomato VPN Router

Now you must use the new IP to log in to the TomatoVPN control panel.

Signup and Configure a Dynamic DNS Service

If the Internet connection where you want to set up the VPN server uses a dynamic or changing IP address rather than a static one, you should use a dynamic DNS service. Otherwise, you'll have to manually keep track of the Internet connection's IP and update it on clients when it changes.

Sign up for a dynamic DNS service, such as from No-IP. Then, on the TomatoVPN router, click Basic > DDNS, and input the details for the service. Your router will automatically update your hostname to point to your current IP address. You'll input your hostname on the client VPN configuration rather than the IP address.

Create Server and Client Certificates

Since OpenVPN uses SSL encryption, you must create and install SSL certificates on the server and clients. Choose a secure PC on which to create and manage your PKI (public key infrastructure), and then download and install OpenVPN using the Windows Installer. Remember, you may need to come back to this PC to create additional client certificates in the future.

Once OpenVPN is installed, you can get started:

  1. Open a Command Prompt: Click Start, type cmd, and hit Enter.
  2. Move to the easy-rsa directory: cd C:\Program Files\OpenVPN\easy-rsa.
  3. Run the batch file to create the configuration files: init-config (see Figure 2)
  4. Keep this Command Prompt window open for later use.

Next, go to the following directory in Windows: C:\Program Files\OpenVPN\easy-rsa. Then right-click the vars.bat file and click Edit. You must change the default values of all the following settings:

Figure 2: Tomato VPN Router Configuration Files

If the file opens in Notepad, there probably will not be any line returns, and everything will be run together, which is fine. Be sure to edit only the setting values after the equals sign, leaving the word "set" and the setting name intact. For a better view of the file, you can download and use an editor like Vim.

Now go back to the Command Prompt window and initialize the PKI by entering the following commands one at a time:

vars
clean-all
build-ca

You'll be prompted (see Figure 3) for the parameters you just set in the vars.bat file; hit Enter to accept them. You can leave the Organizational Unit Name blank. However, you must enter a Common Name. This will be the name of the CA certificate that will be installed onto the server and all the clients. You might pick something like "ABC_Corp-VPN-CA".

Figure 3: Tomato VPN Router Parameters

Now you can create a certificate and private key for the server with this command:

build-key-server server

You'll be prompted for parameters again. Accept the defaults for the ones you set in vars.bat. For the Common Name, enter something like "ABC_Corp-VPN-Server". Be sure to enter a secure password you'll remember or store somewhere safe. When prompted to sign and commit the certificate, confirm the details and then enter "y".

Next, you can create the client certificates for the computers or routers that will be remotely connecting to your VPN server. You must create a separate certificate for each client. Enter "build-key" into the Command Prompt, followed by a space and a name for the certificate. For example, for three clients:

build-key client1
build-key client2
build-key client3

You might want to be more descriptive with the name, specifying the person or router that will be using it.

You'll be prompted for the parameters once again. Choose a unique Common Name for each, which you might want to be the same as the certificate name. You can optionally create a password.

Note: If you must generate additional client certificates in the future, return to the easy-rsa directory in a Command Prompt, type "vars", and then go ahead with the build-key command, such as build-key client2.

Now you must generate the Diffie-Hellman parameters by entering:

build-dh

Finally, you should see all your certificates in the following directory: C:\Program Files\OpenVPN\easy-rsa\keys

Keep in mind that the CA, server, and all client keys should be kept private and secure; the CA key in particular, since it is what signs every certificate the server trusts.

Stay tuned--in the next part, we'll configure the VPN server and clients.

Setting Up a VPN Server on a Tomato Router, Part 2

In the previous installment, we upgraded a wireless router with the TomatoVPN firmware and started preparing to use its VPN server. This provides an economical and secure way for remote users to access your network or connect multiple offices together. In this part, we'll configure the VPN server and clients, and then test it out.

Configuring the VPN server

Now you have everything you need to configure the VPN server on the TomatoVPN router. Connect to the router and bring up the web-based control panel. Then click VPN Tunneling > Server (see Figure 1). Here are the settings for our configuration:

Figure 1: Configuring the VPN server

For the Client Address Pool, uncheck it and make sure the IP address range is in the same subnet as the router. For example, if you changed the router to 192.168.50.1, put 192.168.50.50 to 192.168.50.55. That would support six simultaneous VPN clients. Simply increase the range if you are going to have more clients. Just make sure it doesn't overlap the range reserved for local users (192.168.50.100 to 192.168.50.149 in our example); if it would, change one of the ranges.

Click Save to keep the changes.
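The addressing rules from Part 1 and from the Client Address Pool step above (router subnet not a common default, VPN pool and LAN DHCP range inside the subnet and not overlapping, each remote office on its own subnet) are easy to get wrong when an office is added later. The following check is an added example, not part of the original article; the sample plan values are constructed to match the article's numbers, and the remote office names are hypothetical.

```python
import ipaddress

# Constructed sample plan using the article's addressing (not read from a router).
ROUTER_IP = "192.168.50.1/24"
LAN_DHCP = ("192.168.50.100", "192.168.50.149")
VPN_POOL = ("192.168.50.50", "192.168.50.55")
# Hypothetical remote offices that will connect as site-to-site VPN clients.
REMOTE_SITES = {"office2": "192.168.51.0/24", "office3": "192.168.52.0/24"}
# Subnets so common on consumer routers that a remote site will probably collide with them.
COMMON_DEFAULTS = {"192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"}


def _range(first, last):
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi


def pool_size(vpn_pool):
    """Number of simultaneous VPN clients the pool can serve (article: .50-.55 is six)."""
    lo, hi = _range(*vpn_pool)
    return int(hi) - int(lo) + 1


def check_addressing(router_ip, lan_dhcp, vpn_pool, remote_sites, common=COMMON_DEFAULTS):
    """Return a list of problems in the addressing plan; an empty list means it is consistent."""
    problems = []
    router = ipaddress.ip_interface(router_ip)
    lan = router.network
    if str(lan) in common:
        problems.append(f"server LAN {lan} is a common default; remote networks will likely collide")
    dhcp_lo, dhcp_hi = _range(*lan_dhcp)
    pool_lo, pool_hi = _range(*vpn_pool)
    for name, lo, hi in (("DHCP range", dhcp_lo, dhcp_hi), ("VPN pool", pool_lo, pool_hi)):
        if lo not in lan or hi not in lan:
            problems.append(f"{name} {lo}-{hi} is outside the router subnet {lan}")
        if lo <= router.ip <= hi:
            problems.append(f"{name} includes the router address {router.ip}")
    # VPN clients must not be handed addresses the LAN DHCP server also hands out.
    if pool_lo <= dhcp_hi and dhcp_lo <= pool_hi:
        problems.append("VPN pool overlaps LAN DHCP range")
    # Every site needs a distinct subnet, or traffic for the remote side cannot be routed.
    seen = {str(lan): "server LAN"}
    for site, cidr in remote_sites.items():
        net = ipaddress.ip_network(cidr)
        for other, other_name in seen.items():
            if net.overlaps(ipaddress.ip_network(other)):
                problems.append(f"{site} subnet {net} overlaps {other_name} {other}")
        if cidr in common:
            problems.append(f"{site} subnet {net} is a common default")
        seen[cidr] = site
    return problems
```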

Then, click the Advanced tab (see Figure 2). For Compression, select Disabled. If you want all Internet traffic of clients to flow through the VPN, such as to secure traffic on public networks, check Direct clients to redirect Internet traffic. To allow VPN clients to access each other's shared resources, check Manage Client-Specific Options and Allow Client<->Client. Otherwise, VPN clients can access the shared resources of only those computers directly connected to the local network of the TomatoVPN router hosting the server. When you're done, click Save to keep the changes.

Figure 2: Tomato Router Advanced tab

Now click the Keys tab (see Figure 3) and populate the fields by copying in the contents of the following files you just created in the easy-rsa\keys directory:

Figure 3: Tomato Router Keys Tab

Open each file in Notepad to view and copy the contents. Some files you can right-click, select Open With, and choose Notepad. Some you may have to Open and then choose Notepad as the program.

For the Server Certificate, don't include the first part of the file (the human-readable summary easy-rsa writes before the certificate). As with the others, start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

When you're done, click Save.

Starting the VPN Server

You should now be all ready to start the VPN server. On any of the server tabs, hit the Start Now button. If successful, the button should change to Stop Now and you should see General Statistics on the Status tab.

Configure Clients on Computers

Now you can configure client computers that you want to connect to the VPN server. Start by downloading and installing OpenVPN on each PC. Next, open Notepad and paste in the following:

remote XXX.XXX.XXX.XXX 1194
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server

Replace the remote address at the beginning with your WAN or Internet IP address. You could alternatively use a hostname, such as from a dynamic DNS service, if your Internet connection doesn't have a static IP. Also, make sure the filenames of the client certificate and key are correct.

Save the Notepad file with an .ovpn extension to the following location: C:\Program Files\OpenVPN\config.

Now copy the CA certificate (ca.crt) and client certificate and key (i.e., client1.crt & client1.key) from the PC you created the PKI on to that same location (C:\Program Files\OpenVPN\config) on the client computer.

With the client configured, you can now connect. Click Start > All Programs > OpenVPN > OpenVPN GUI. Then right-click the OpenVPN GUI icon in the system tray and click Connect.
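Before handing the .ovpn profile above to users, it is worth checking it mechanically: that the remote placeholder was really replaced, that the certificate and key filenames belong to the same client, and that the server-certificate check (ns-cert-type server, or the equivalent remote-cert-tls server) is present, since without it any certificate signed by your CA, including a lost client certificate, would be accepted as the server. This lint is an added example, not code from the article or from OpenVPN; the embedded profile is a constructed copy of the one shown above.

```python
import re

# Constructed copy of the article's client profile, with the remote placeholder still in place.
SAMPLE_OVPN = """\
remote XXX.XXX.XXX.XXX 1194
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
"""

REQUIRED = {"client", "remote", "dev", "ca", "cert", "key"}


def parse_ovpn(text):
    """Map each directive to a list of argument lists (a directive such as remote may repeat)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip both OpenVPN comment styles
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_ovpn(text):
    """Return the problems a defender would want fixed before deploying the profile."""
    d = parse_ovpn(text)
    problems = [f"missing directive: {name}" for name in sorted(REQUIRED - d.keys())]
    for args in d.get("remote", []):
        host = args[0] if args else ""
        if not host or re.fullmatch(r"X+(\.X+)*", host):
            problems.append("remote still has the XXX placeholder; set your WAN IP or DDNS hostname")
        if len(args) > 1 and not args[1].isdigit():
            problems.append(f"remote port is not numeric: {args[1]}")
    # Without a server-certificate check, any CA-signed certificate could impersonate the server.
    if "ns-cert-type" not in d and "remote-cert-tls" not in d:
        problems.append("no server-certificate check: add 'ns-cert-type server'")
    elif "ns-cert-type" in d and d["ns-cert-type"][0] != ["server"]:
        problems.append("ns-cert-type must be 'server' on a client profile")
    # cert and key were generated as a pair by build-key; mismatched names mean a copy error.
    cert = d.get("cert", [[""]])[0][0]
    key = d.get("key", [[""]])[0][0]
    if cert and key and cert.rsplit(".", 1)[0] != key.rsplit(".", 1)[0]:
        problems.append(f"cert {cert} and key {key} do not look like the same client")
    return problems
```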

Configure Clients on Additional TomatoVPN Routers

If you want to connect entire offices to the VPN server, you can set up additional TomatoVPN routers at other locations. You can use the VPN client on the router so all users on the remote network will have access.

Connect to the router and bring up the web-based control panel. Then click VPN Tunneling > Client. On the Basic tab (see Figure 4), you will probably want to enable Start with WAN so the VPN client automatically starts when the router boots up. Enter the WAN or Internet IP address of the TomatoVPN router that's hosting the VPN server for the Server Address. You could alternatively use a hostname, such as from a dynamic DNS service if your Internet connection doesn't have a static IP. You can probably leave the defaults for the other settings. Click Save to keep the changes.

Click the Advanced tab, and for Compression, select Disabled. Then click Save.

Next, click the Keys tab and populate the fields by copying in the contents of the following files you created in the easy-rsa\keys directory:

Figure 4: Tomato Router Basic Tab

For the Client Certificate, don't include the first part of the file (the human-readable summary easy-rsa writes before the certificate). As with the others, start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

When you're done, click Save. Then to connect, click Start Now. If successful, the button should change to Stop Now and you'll see the General Statistics on the Status tab.

Test It Out

Once connected, you should be able to access the network resources and shares on the local network of the TomatoVPN router hosting the server.

If you want to test your setup without going to another location, connect the TomatoVPN router hosting the VPN server from its WAN/Internet port to an Ethernet port on another router. To test a client connection on a PC, connect to the other router and configure the OpenVPN client with the WAN IP address of the TomatoVPN router. This simulates a connection from the Internet. Once you're done and want to use it via the Internet, disconnect the TomatoVPN router from the other router and hook it directly to the Internet modem.