4/17/10

Bridge two home networks using OpenVPN and Tomato

This post covers setting up a static key OpenVPN connection between a client and a server, with routing between the two LANs, using the Tomato VPN firmware.

Requirements
  • Two routers with Tomato (I am using two Asus 520GU routers running Tomato VPN)
    • Version used at the time of writing this: Tomato Firmware v1.27.8744 vpn3.6 ND USB VPN
  • OpenVPN on a computer so you can generate the static key
  • A bit of time :)


Assumptions

Router 1, we'll call Jane, is on subnet 192.168.3.0/24
Router 2, we'll call Susan, is on subnet 192.168.6.0/24

Jane will be playing the part of server.
Susan will be playing the part of the client.

Firewalls, open ports and other things, oh my. I am assuming that your cable/DSL modem passes all traffic straight to your router, so that if you forward a port on your Tomato router it actually gets forwarded.

I am also assuming you are using something like no-ip.com or dyndns.org to keep track of what the public IP address of the server is.


Step 1 Generate the key

Run the following on the computer with the OpenVPN binary:


openvpn --genkey --secret my_keyname.key

Save this file for later.

** Keep in mind that anyone who gets hold of this key can authenticate to your VPN, so store it carefully and paste it only into the two routers.


Step 2 Configure the Server (Jane)


Starting from the Tomato main page

VPN Tunneling > Server > Server 1


Basic Tab

Start with WAN: Check
Interface Type: TUN
Protocol: TCP
Port: 1194
Firewall: Automatic
Authorization Mode: Static Key
Local/Remote end point addresses: Box 1: 10.8.0.1 Box 2: 10.8.0.2


Advanced Tab

Add the following in the Custom Configuration text box:

script-security 2
route-up "/sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.0.2"

Notice that the -net option carries Susan's network (the client's LAN) and the gw option is Susan's end of the tunnel, 10.8.0.2.


Keys Tab

Paste the contents of my_keyname.key into the Static key text area.

Click Save and then Start Now.


Step 3 Configure the Client (Susan)

Starting from the Tomato main page of Susan 

VPN Tunneling > Client > Client 1


Basic Tab

Start with WAN: Check
Interface Type: TUN
Protocol: TCP
Server Address/Port: Box 1: XXX-no.ip.org Box 2: 1194
Firewall: Automatic
Authorization Mode: Static Key
Create NAT on tunnel: Unchecked
Local/Remote end point addresses: Box 1: 10.8.0.2 Box 2: 10.8.0.1

* Notice how the Local/Remote end point addresses are swapped here compared to the server.


Advanced Tab

In the Custom Configuration text box add the following:

route 192.168.3.0 255.255.255.0


Click Save and then Start Now.


DONE!

That is it! Systems on 192.168.3.0/24 should now be able to reach systems on 192.168.6.0/24 and vice versa.

If you are having problems, a good way to troubleshoot is to start only the server and check whether you can connect to its public IP address on port 1194 (using netcat or telnet). If you can't, your firewall or port forwarding is probably the problem.


Resources

http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html


Additional


I found it helpful to have the actual configs that Tomato creates for the client and the server, so that I could easily set up other systems to talk to this setup via OpenVPN. With the configs below one could set up the two end points with OpenVPN on any other system.


Client Config


daemon
dev tun11
proto tcp-client
remote xxxx.no-ip.org 1194
ifconfig 10.8.0.2 10.8.0.1
resolv-retry 30
nobind
persist-key
persist-tun
comp-lzo adaptive
verb 3
secret static.key
status-version 2
status status
# custom configuration
route 192.168.3.0 255.255.255.0


Server Config


daemon
ifconfig 10.8.0.1 10.8.0.2
proto tcp-server
port 1194
dev tun21
comp-lzo adaptive
keepalive 15 60
verb 3
secret static.key
status-version 2
status status
# Custom configuration
script-security 2
route-up "/sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.0.2"
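As an added example (not part of the original post or of Tomato), here is a small Python checker for the client/server pair from Steps 2 and 3 and the configs above. It parses both configs and verifies the things this setup depends on: mirrored end point addresses, tcp-server paired with tcp-client on the same port, and each side routing the other side's LAN via the peer's tunnel address; it also flags a repeated route-up line, since OpenVPN only keeps the last one. The two configs inside are constructed, cut down from the ones above.

```python
import ipaddress, re

# Constructed sample pair, cut down to the options the checks read (mirrors the Tomato configs above).
SERVER_CONF = """proto tcp-server
port 1194
ifconfig 10.8.0.1 10.8.0.2
route-up "/sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.0.2"
"""
CLIENT_CONF = """proto tcp-client
remote xxxx.no-ip.org 1194
ifconfig 10.8.0.2 10.8.0.1
route 192.168.3.0 255.255.255.0
"""

def parse(conf):
    """Return {option: [[args], ...]}; '#' comments dropped, quoted strings kept whole."""
    opts = {}
    for line in (raw.split("#", 1)[0].strip() for raw in conf.splitlines()):
        if line:
            parts = re.findall(r'"[^"]*"|\S+', line)
            opts.setdefault(parts[0], []).append([p.strip('"') for p in parts[1:]])
    return opts

def tunnel_routes(opts):
    """LAN -> gateway: 'route NET MASK' goes via the remote end point, route-up names its gw."""
    remote = opts["ifconfig"][0][1]
    routes = {ipaddress.ip_network(f"{n}/{m}"): remote for n, m in opts.get("route", [])}
    for (cmd,) in opts.get("route-up", []):
        hit = re.search(r"-net (\S+) netmask (\S+) gw (\S+)", cmd)
        if hit:
            routes[ipaddress.ip_network(f"{hit[1]}/{hit[2]}")] = hit[3]
    return routes

def check_pair(server_conf, client_conf, server_lan, client_lan):
    """Return the inconsistencies found; an empty list means the pair lines up."""
    s, c = parse(server_conf), parse(client_conf)
    s_if, c_if = s["ifconfig"][0], c["ifconfig"][0]
    checks = [
        (s_if != c_if[::-1], "ifconfig endpoints are not mirrored"),
        (s.get("proto") != [["tcp-server"]] or c.get("proto") != [["tcp-client"]],
         "proto must pair tcp-server with tcp-client"),
        (s["port"][0][0] != c["remote"][0][1], "client remote port differs from server port"),
        (tunnel_routes(s).get(ipaddress.ip_network(client_lan)) != s_if[1],
         "server does not route the client LAN via the client tunnel IP"),
        (tunnel_routes(c).get(ipaddress.ip_network(server_lan)) != c_if[1],
         "client does not route the server LAN via the server tunnel IP"),
        (len(s.get("route-up", [])) > 1 or len(c.get("route-up", [])) > 1,
         "only the last route-up takes effect; chain the commands in one"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run check_pair(SERVER_CONF, CLIENT_CONF, "192.168.3.0/24", "192.168.6.0/24") and an empty list means the pair is consistent; pass it the real configs Tomato writes to catch a mistyped end point or route before starting the tunnel.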

20 comments:

  1. Your tutorial is great, but you forgot to set the iptables entries necessary. This led to only being able to ping from the router on one subnet to the clients on the other subnet. For all clients to be able to connect, add this to the firewall startup script:

    Server side:
    ------------
    iptables -I FORWARD -i br0 -o tun21 -j ACCEPT
    iptables -I FORWARD -i tun21 -o br0 -j ACCEPT
    iptables -I INPUT -i tun21 -j ACCEPT


    Client side:
    ------------
    iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
    iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
    iptables -I INPUT -i tun11 -j ACCEPT


    Now you should be able to connect to all clients in your VPN.


    (http://www.dd-wrt.com/wiki/index.php/OpenVPN#GUI_Client_Mode_Custom_Parameters)

  2. Also, on the client side, in the firewall script, I had to add

    ip route add 192.168.3.0/24 dev tun11

  3. I have been looking left and right for a simple OpenVPN setup on Tomato routers. This one hits the spot.

  4. Thank you very much for your tutorial. It is very helpful. I have a question about adding routes in the custom configuration.

    I have two subnets I need to add, e.g. like below. But only the last one is being taken.

    script-security 2
    route-up "/sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.0.2"
    route-up "/sbin/route add -net 192.168.7.0 netmask 255.255.255.0 gw 10.8.0.2"

    Any work around? Thanks.

  5. maybe this will work: route-up "/sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.0.2; /sbin/route add -net 192.168.7.0 netmask 255.255.255.0 gw 10.8.0.2"

  6. This tutorial is great and I have followed everything in the tutorial and in the comments, but I can only see in one direction. The client can ping everything in the server's subnet but the server can't ping anything in the client's subnet. It's almost like it's not being routed down the tunnel. I can ping the end of the tunnel 10.8.0.2 but that is all I can ping client side.

  7. Quite an informative share. I also have to buy a good VPN and researched online. Found promising hidemyass vpn review and seems like a good option and it also allows simultaneous connections too. So planning to buy its subscription soon.

  8. Good information, but technically the title of the post would be more accurate if it said "connect" rather than "bridge". In order to bridge the client and server LANs, the configuration must use "dev tap" instead of "dev tun".
