Tag Archives: Tomato

Creating OpenVPN .ovpn Files for Android (Any?) Clients

In another post I cover setting up an OpenVPN server on a Tomato powered router and making client connections to that server.

In setting up a new phone, I see the OpenVPN for Android app will now import yourVPNclient.ovpn files (much easier than transferring and importing the separate key and cert components as covered in my prior post). It took a bit of Googling to find out how to create the .ovpn files, but now that I’ve found the file format, setting one up turns out to be a piece of cake. Here’s the template:


client
proto udp
remote your.openvpnserver.url.net
port 1194
dev tun
nobind

key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blob from ca.crt
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blob from client1.crt
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blob from client1.key
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# insert ta.key
-----END OpenVPN Static key V1-----
</tls-auth>

I edited the “remote” directive to point to my VPN (router’s) dynamic DNS address and then copied the specified parts of the files from the /etc/openvpn directory as created in my prior post to this template. Then I saved the consolidated file as myserver+clientname.ovpn.txt on my linux box.
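The same assembly can be scripted. The following POSIX shell script is an added example, not code from the original post or from the ServerFault thread; it assumes the easy-rsa 2 output files (ca.crt, clientname.crt, clientname.key, ta.key) sit in one directory and takes the server hostname, that directory and the client name as arguments. Only the PEM block between the BEGIN and END lines is copied, so the human-readable dump easy-rsa puts at the top of a .crt is left out, and the profile is written owner-readable only because it embeds the client’s private key.

```shell
#!/bin/sh
# Build an inline .ovpn from easy-rsa 2 output (constructed example, not the post's script).
# Usage: write_ovpn REMOTE_HOST KEYDIR CLIENTNAME OUTFILE

# Copy only the PEM body of a file: easy-rsa .crt files start with a text dump.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Emit the profile on stdout; fails if any of the four inputs is missing or empty.
make_ovpn() {
    remote="$1"; keydir="$2"; client="$3"
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        [ -s "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    printf 'client\nproto udp\nremote %s\nport 1194\ndev tun\nnobind\n\n' "$remote"
    # key-direction 1 on the client pairs with the server's direction 0 for ta.key
    printf 'key-direction 1\n\n'
    printf '<ca>\n';       pem_block "$keydir/ca.crt";      printf '</ca>\n\n'
    printf '<cert>\n';     pem_block "$keydir/$client.crt"; printf '</cert>\n\n'
    printf '<key>\n';      pem_block "$keydir/$client.key"; printf '</key>\n\n'
    printf '<tls-auth>\n'; pem_block "$keydir/ta.key";      printf '</tls-auth>\n'
}

# Write the profile with mode 0600: it contains the client's private key.
write_ovpn() {
    ( umask 077; make_ovpn "$1" "$2" "$3" > "$4" ) || { rm -f "$4"; return 1; }
}
```

Transfer the resulting file as in the post (renaming to .txt for Bluetooth if needed) and delete the copy on the desktop once the phone has imported it.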

Why with *.txt extension? Because otherwise the bluetooth file transfer from my desktop linux box to my phone would fail (unsupported file type). Text file transfer is supported, .ovpn is apparently not.

I then simply renamed the file on my Android phone to drop the .txt suffix and imported the resulting file in the OpenVPN for Android app (it turns out you can leave it, but the app will include that text in the connection name by default, so I now simply cut it there). I still needed to go through and set some options properly in the app to match my server config (LZO, persistent TUN, etc.), but the heavy lifting was already done.

Connected successfully on my first try! I see no reason why the same file set up would not work in NetworkManager on Linux or some other client, but I haven’t tried myself. Good luck!

Credit for the .ovpn template content goes to this ServerFault discussion thread.

OpenVPN on Tomato with Android and Linux Clients

I’ve been wanting to do this for a very long time. When away from home I sometimes need access to the systems (or data residing on those systems) back at home. I wanted to set up a secure means to access the machines behind my router’s firewall and one of the most versatile and secure ways to do that is with a Virtual Private Network (VPN). The problem was that this stuff is pretty complicated and even though the open source firmware we run on our router has had a VPN-enabled version available, I’ve been loathe to try implementing it.

Well, the garage control system project I was recently working on had a hardware failure such that I could not implement it in the original way intended (until I replace the CAI WebControl board central to it). The board failed in such a way that it would not accept PLC programming but would still respond through the default web interface – which unfortunately is not sufficiently secure to expose to the internet directly. However, we were going away for an extended period and I needed to be able to access it while away. A perfect application for VPN technology, I could keep the “vulnerable” system firewalled behind the router and poke a secure hole through it using the VPN to control it from afar when needed. Just the shove I needed to get going on the VPN!

Curiously enough, in googling, I was able to find various basic tutorials about setting up a Tomato VPN-enabled router (which is Linux based) as a VPN server with Windows clients and creating the certificates and keys on Windows but pretty much nothing simple about doing so with other platforms like mine – Android (again Linux based), Linux and Mac. The ones about setting up a VPN with Linux all seemed to want you doing everything down in the weeds of config files and installing VPN packages on your own server (not a router). Not what I wanted.

The good news for you and me is that I figured out how to get this done with minimal effort and it pretty much worked perfectly on the first try, so I’m writing it up here for future reference and to share with any others following this path. Looking back, it wasn’t that hard but the lack of clear guidance made it all confusing. All that said, here’s some clarity on how to get it done:

Creating Certificates and Keys

On Linux Mint LMDE (Debian Linux) workstation, using Synaptic or another package manager install:
openvpn
easy-rsa

This will install the easy-rsa scripts into
/usr/share/easy-rsa

Taking note of the instructions at http://openvpn.net/index.php/open-source/documentation/howto.html#pki, I did the following:

Copy the easy-rsa files to another location that will persist after package upgrades (note, this location already existed as a result of the openvpn installation and contained the single file update-resolv-conf, so maybe that claim is misleading?) and cd into that directory:
sudo cp -R /usr/share/easy-rsa/* /etc/openvpn/
cd /etc/openvpn

Edited the vars file using vi to set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. These were at the bottom of the file for me. From what I can tell, the two email entries are identical but for the quote symbols. I presume the quoted one is meant to be the “real life name”, but nothing I could easily find via google confirmed or contradicted this – so I just set them both to the same address.

export KEY_COUNTRY="US"
export KEY_PROVINCE="MA"
export KEY_CITY="MyCity"
export KEY_ORG="My ORG Name"
export KEY_EMAIL="vpn_contact@myDomain.com"
export KEY_EMAIL=vpn_contact@myDomain.com

I then completed the rest of the steps at the above link using root/sudo privileges, creating the certificate authority, server certificate and key and then the client certificates and keys. What I found online was not very informative on this point, but the Common Name (CN) must be entered each time you build these items and should be varied so as to be descriptive. So, for each command:

./build-ca
For this I specified my own name as the Common Name (I’m my own certificate authority) and it generated two files, ca.crt and ca.key (note, these are not named after the Common Name given, unlike the following).

./build-key-server ServerName
I gave my intended VPN server name as the ServerName which it then used as the Common Name and generated ServerName.crt, ServerName.csr, ServerName.key plus a 01.pem file and changed the index.txt and serial files in the keys directory.
NOTE: Here I also encountered something different from what is laid out at the above URL; for each key it asked me for:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
which I simply clicked Enter through (I presume to set as blank, as no password was later asked for).

./build-key ClientNameHere
I gave unique descriptive names for each client and it created similar files to the server ones above, named per the client names I gave, created sequentially numbered pem files and updated the index.txt and serial files.

./build-dh
Returned:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
(But it didn’t – it was less than 5 seconds on my main Linux 64 bit workstation)

In the Arch Linux wiki entry for EasyRSA it stated that there was a need to convert the server certificate to an encrypted .p12 format for use on Android. I found this to not be needed, using the OpenVPN for Android client from the Google Play Store.

In order to provide additional TLS security and to protect against potential denial of service attacks against my router/VPN server I also set up an HMAC signature:
openvpn --genkey --secret ta.key
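Before copying all of this material to the router and clients, it is worth confirming what easy-rsa actually produced. The checks below are an added example, not code from the post or from easy-rsa; they assume openssl is on the path and the easy-rsa 2 layout used above (keys/ca.crt, keys/ClientName.crt and .key, a DH file such as keys/dh1024.pem, and ta.key).

```shell
#!/bin/sh
# Sanity-check easy-rsa 2 output before distributing it (constructed example).

# CN a certificate was issued to, i.e. the name given to build-key / build-key-server.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the certificate was signed by our CA and is within its validity period.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the file is what "openvpn --genkey --secret ta.key" writes.
is_static_key() {
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" &&
        grep -q '^-----END OpenVPN Static key V1-----$' "$1"
}

# 0 if group and others have no access to a private key file (mode 600 or stricter).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Bit length of a DH parameter file. The post's run produced 1024 bits, which is below
# the 2048 now generally recommended; KEY_SIZE in vars controls it in easy-rsa 2.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Check one client's material; prints findings and returns non-zero on any failure.
check_client() {
    ca="$1"; cert="$2"; key="$3"; ta="$4"; rc=0
    cert_chains_to_ca "$ca" "$cert" && echo "ok: $cert signed by CA (CN=$(cert_cn "$cert"))" \
        || { echo "FAIL: $cert does not verify against $ca"; rc=1; }
    key_is_private "$key" && echo "ok: $key is owner-only" \
        || { echo "FAIL: $key is readable by others; chmod 600 it"; rc=1; }
    is_static_key "$ta" && echo "ok: $ta is an OpenVPN static key" \
        || { echo "FAIL: $ta is not a tls-auth key"; rc=1; }
    return $rc
}
```

A certificate that fails cert_chains_to_ca was signed by some other CA (or has expired) and will be rejected by the server regardless of how the client is configured, so it is cheaper to catch here than over a cellular link.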

Setting the server and clients up…

As I created all the certificates, keys, etc. on my main Debian workstation, I needed to transfer those files to the associated machines. First I used my browser and the Tomato-powered router (VPN server) web interface to set up the VPN server following the info here *except* for using TUN instead of TAP. Installing Tomato is covered in my other blog post. Here are screenshots of my settings (click on them to enlarge):
[Screenshots: Tomato-Version, Tomato-VPN-Basic, Tomato-VPN-Advanced, Tomato-VPN-Keys, Tomato-VPN-Status]

Connecting with a Linux machine. I then set up the test client on my Mint LMDE/Debian laptop following the leads at https://support.hidemyass.com/hc/en-us/articles/202721596-OpenVPN-Setup-with-Network-manager-on-Linux-Mint-Mate, which dragged along a bunch of other required packages including openvpn, easy-rsa, etc. I imported the certificates and keys when setting up the VPN connection using NetworkManager. Trying to connect via this initially failed. I thought this might be because I was on my home network at the time, so I proceeded to set up my phone as a client to see if I could use the cellular network to test outside access.

Connecting via Android. I installed OpenVPN for Android from the Google Play store onto my cell phone. Copied over the certs and keys to my phone using USB cable and set up the connection in the app. Took a bit of twiddling to figure out where everything went and which boxes to check, but it connected quickly once set up. Could access private resources behind the router firewall now! I went on to set up my Android tablet with the same app.

Connecting from an Outside Network. Brought my phone, Linux laptop and Android tablet for a drive to find an available Xfinity Wi-Fi connection. Tried each client to access the VPN once connected to some poor folks’ wireless access point (why folks stand for Comcast doing this, I don’t know), and they all connected quickly and could access my Garage Control System web interface on my home network… success!

Note that in none of these set-ups did I need to edit or create any configuration files manually on the clients or server, despite lots of other tutorials making great points of this! It appears each of the OpenVPN server and client implementations I used took care of this for me.

The only bit of weirdness is that I cannot figure how to directly disconnect from the VPN using NetworkManager under MATE desktop on my Linux laptop. I can disconnect the VPN by dropping the wireless connection overall. There should be a “Disconnect VPN” option within NetworkManager but I don’t see it on my laptop when I’m connected (it is there when I’m not!). But that’s a (minor) problem for another day.

I’ve found the disconnect option in the VPN menu under NetworkManager and that can be used to drop the VPN connection. The Android clients have a connection status entry in the notifications list which provides a disconnect option once clicked on. All good to go now!

Tomato Router Update Triggers SSL Error

After updating my Asus WL-520gU router to the latest version of the Tomato firmware (with OpenVPN support), I ran into a strange error. While trying to access the admin interface via https:, I got the following error in my Firefox browser:
Cannot communicate securely with peer: no common encryption algorithm(s)
(Error code: ssl_error_no_cypher_overlap)

I couldn’t access via http: either (which was expected, as that’s how I’d set up the router with the prior FW version to enforce security).

Googling for the error didn’t turn up anything really useful. I at first thought that the update had somehow gone bad, but I was able to get out to the internet through the router so that brought some hope. I was also able to ssh in to the router so all seemed to be OK in general. Only problem was I couldn’t access the router’s controls.

On an off chance, I decided to check out the Firefox settings for SSL security. Under the Advanced tab, I tried turning off and on the SSL and TLS checkboxes. Nothing changed. Then I decided to delete/remove the Certificate entries for my router and try again. That turned out to be the trick. For some reason Firefox didn’t like the security certificate any more – this time I got the familiar “This connection is untrusted” (or effectively similar) warning and was able to accept the security exception for my self-signed SSL certificate once more and all was fine.

Just in case someone else runs into the same problem… try the above.

Wireless Tomato

The other day the internet died. One moment all was good and the next, nothing. Gasp!

Poked around and all the lights on the router were out. Of course, this happens right as we’re flying out the door. So out comes the volt-ohm meter and find out the power brick failed. No problem, I’ve got a universal brick with changeable tips! I’ll just swap that out and we can get on our way… well, not exactly. Router still dead. Seems the connector is mating fine… funny. Ok, now really need to get out the door. Drop in a basic router from way back (no wireless) so the VOIP phone is back up and off we go.

Later, I use the V-O-M again to find my error. I had set one polarity on that universal brick, but that was not the one the router wanted. So I swap and plug it in — lights — yay! But it won’t stay up for more than a few seconds at a time now. Either the old brick killed it before, or I gave it the final shove with that reversed power.

OK, so now we’re short wireless. We’ve got a few mobile devices here and some of them have no ethernet jacks, so it’s off to NewEgg and I see there’s a very popular inexpensive router (Asus WL-520gU) on sale and with rebate. It seems to be a snap to convert it to a very full featured router/print server/NAS device, by use of an open source firmware package. Within just a couple of days I have the new toy. Google-ing ensues to find the best way to get the firmware updated.

The open source firmware package “Tomato” is already popular, but a person called “teddy_bear” created a custom version for this router to enable USB support for the print server and NAS capabilities. Before I install it, I try out the router with Asus’ own package. It seems pretty nice, but somewhat confusing in a Chinese-English language hybrid sort of way, and I can’t get the router to hold an internet connection to the WAN. If I reboot, it works for a few minutes and then goes away. Thinking Comcast may want a specific MAC address, I clone it from my original PC. Still no joy. Time to toss in a little Tomato.

There are some complicated processes on line for updating this router to Tomato by using the windows CD that comes with the router, and then loading another open source firmware, DD-WRT, and then using that to update the firmware to teddy_bear’s version of Tomato. Luckily, I found another post indicating success in downgrading the router’s own firmware from v 2.0.0.9 to 2.0.0.8 and then renaming the Tomato image file to v 2.0.0.9 and loading that, all using the Asus web page interface.

Well, my unit came with v 3.0.0.9. Wondering if the downgrade was solely to get the router to accept a “higher” revision number, I try renaming the Tomato image to fake a v 3.0.1.0 and load that. No dice. Firmware update fails. Meanwhile I’m having other issues with the linux laptop I’m using, so I think that is the cause. After futzing with it and then booting into WinXP to try again with the same result, I finally decide to just try the massive downgrade. I load version 2.0.0.8 on the machine and it works (albeit providing a very primitive interface)! I then load Tomato, renamed to fake a v 2.0.0.9, and it works straight away!

Tomato is definitely the secret sauce for this machine. Way, way easier to navigate through and the performance is now rock solid, keeping an internet connection (with the native MAC address, even) with no problem. All the devices but the linux laptop seem to love the wireless*, and the wired connections all work great.

I haven’t tried the print server function yet (I have a NSLU-2 unSLUng box that does that still) but the NAS function works fine and it even supplies an ftp service. And I was finally able to set up Mrs. V’s Mac to print wirelessly via the router to NSLU-2 as well.

One more set of tasks checked off. 😉

*This EEE PC netbook has had wireless issues all along, both under WinXP and linux. It seems to just not like certain routers. I can change drivers under linux, using either ath5k or ndiswrapper, and the solution will work for some and not for others. The opposite set up will work with those others. Go figure.