Tomato Router is one way to bypass expensive equipment to give users secure remote access or connect offices. Learn how to configure the VPN server and clients as well as how to best test it out.
In the previous installment, we upgraded a wireless router with the TomatoVPN firmware and started preparing to use its VPN server. This provides an economical and secure way for remote users to access your network or connect multiple offices together. In this part, we'll configure the VPN server and clients, and then test it out.
Configuring the VPN server
Now you have everything to configure the VPN server on the TomatoVPN router. Connect to the router and bring up the web-based control panel. Then click VPN Tunneling > Server(see Figure 1). Here are the settings for our configuration:
- Start with WAN: Checked
- Interface Type: TAP
- Protocol: UDP
- Port: 1194
- Firewall: Automatic
- Authorization Mode: TLS
- Extra HMAC authorization: Disabled
For the Client Address Pool, uncheck it and make sure the IP address range is in the same subnet as the router. For example, if you changed the router to 192.168.50.1, put 192.168.50.50 to 192.168.50.55. That would support six simultaneous VPN clients. Simply increase the range if you are going to have more clients. Just don't conflict with the range reserved for local users, for example 192.168.50.100 to 192.168.50.149, or change the range.
Click Save to keep the changes.
Then, click the Advanced tab (see Figure 2). For Compression, select Disabled. If you want all Internet traffic of clients to flow through the VPN, such as to secure traffic on public networks, check Direct clients to redirect Internet traffic. To allow VPN clients to access each other's shared resources, check Manage Client-Specific Options and Allow Client<->Client. Otherwise, VPN clients can access the shared resources of only those computers directly connected to the local network of the TomatoVPN router hosting the server. When you're done, click Save to keep the changes.
Now click the Keys tab (see Figure 3)and populate the fields by copying in the contents of the following files you just created in the easy-rsakeys directory:
- Certificate Authority - ca.crt
- Server Certificate - server.crt
- Server Key - server.key
- Diffie Hellman parameters - dh1024.pem
Open each file in Notepad to view and copy the contents. Some files you can right-click, select Open With, and choose Notepad. Some you may have to Open and then choose Notepad as the program.
For the Server Certificate, don't include first part of file. Similar to the others, start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
When you're done, click Save.
Starting the VPN Server
You should now be all ready to start the VPN server. On any of the server tabs, hit the Start Now button. If successful, the button should change to Stop Now and you should see General Statistics on the Status tab.
Configure Clients on Computers
Now you can configure client computers that you want to connect to the VPN server. Start by downloading and installing OpenVPN on each PC. Next, open Notepad and paste in the following:
remote XXX.XXX.XXX.XXX 1194
Replace the remote address at the beginning with your WAN or Internet IP address. You could alternatively use a hostname, such as from a dynamic DNS service, if your Internet connection doesn't have a static IP. Also, make sure the filenames of the client certificate and key are correct.
Save the Notepad file with an .ovpn extension to the following location: C:Program FilesOpenVPNconfig.
Now copy the CA certificate (ca.crt) and client certificate and key (i.e., client1.crt & client1.key) from the PC you created the PKI on to that same location (C:Program FilesOpenVPNconfig) on the client computer.
The client settings are set so you can connect. Click Start > All Programs > OpenVPN > OpenVPN GUI. Then right-click the OpenVPN GUI icon in the system tray and click Connect.
Configure Clients on Additional TomatoVPN Routers
If you want to connect entire offices to the VPN server, you can set up additional TomatoVPN routers at other locations. You can use the VPN client on the router so all users on the remote network will have access.
Connect to the router and bring up the web-based control panel. Then click VPN Tunneling > Client. On the Basic tab (see Figure 4), you will probably want to enable Start with WAN so the VPN client automatically starts when the router boots up. Enter the WAN or Internet IP address of the TomatoVPN router that's hosting the VPN server for the Server Address. You could alternatively use a hostname, such as from a dynamic DNS service if your Internet connection doesn't have a static IP. You can probably leave the defaults for the other settings. Click Save to keep the changes.
Click the Advanced , and for Compression, select Disabled. Then click Save.
Next, click the Keys tab and populate the fields by copying in the contents of the following files you created in the easy-rsakeys directory:
- Certificate Authority - ca.crt
- Client Certificate - i.e. client1.crt
- Client Key - i.e. client1.key
For the Client Certificate, don't include first part of file. Similar to the others, start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
When you're done, click Save. Then to connect, click Start Now. If successful, the button should change to Stop Now and you'll see the General Statistics on the Status tab.
Test It Out
Once connected, you should be able to access the network resources and shares on the local network of the TomatoVPN router hosting the server.
If you want to test your setup without going to another location, connect the TomatoVPN router hosting the VPN server from the WAN/Internet port to an Ethernet port on another router. To test a client connection on a PC, connect to the other router and configure the OpenVPN client with the WAN IP address of the TomatoVPN router. This simulates a connection from the Internet. Once you're done and want to use it via the Internet, discount the TomatoVPN router and hook it directly to the Internet modem.
Eric Geier is the founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.
Follow ServerWatch on Twitter