Showing posts with label TomatoUSB. Show all posts

March 03, 2012

Configuring PPTP VPN

This post is the last in the series of upgrades I completed on my router running the new TomatoUSB router firmware. Most of the material for this post comes from this tutorial.

Requirements:

  • A router running TomatoUSB
  • Install and configure Optware on the router
  • A way to address the router from outside the home network - for example by setting up dynamic DNS
  • A VPN client to connect to the router

Installation

Log on to your TomatoUSB router via SSH and run the following in the shell

ipkg install poptop

That is it. Wait for ipkg to do its thing and you are done installing.

Configuration

Edit the file /opt/etc/pptpd.conf

I installed what is called a Single-Net configuration: after logging in, the entire home network is reachable from the VPN client. This is a home network, and I wasn't going to implement any sort of zoning on it.

Ensure the following line is commented out:

logwtmp

Establish the list of available IP addresses. Here is what I have:

localip 192.168.1.1 #This is the local IP address of the router
remoteip 192.168.1.245-254 #These are the available remote IPs to be used when a remote VPN connection is made

Edit the file /opt/etc/ppp/options.pptpd

Here is what I have as the final configuration. I have removed the prompts & help text to keep it clean(er).

name pptpd
#chapms-strip-domain

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
nomppe-stateful
# }}}

# Network and Routing
ms-dns 192.168.1.1
#ms-dns 10.0.0.2
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp

# Logging
#debug
#dump

# Miscellaneous
lock
nobsdcomp

Authentication & Credentials

Create the file /opt/etc/ppp/chap-secrets with the VPN credentials. My file looks like the one below, of course with a real username and password.

# Username   Server   Password            AllowedIPs
myusername   *        myawesomepassword   *

As with any password file, ensure it is readable only by root by running the following as root.

chmod 600 /opt/etc/ppp/chap-secrets
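Since MS-CHAPv2 and the MPPE session keys rest entirely on the password in this file, it is worth checking the file once it is in place. The script below is an added example, not part of the original post or of the poptop package: it audits a chap-secrets file for the 600 permission set above, for lines that do not have the four expected fields, and for secrets shorter than a chosen minimum length. The 12-character threshold and the finding labels are my own choices; secrets quoted with double quotes because they contain spaces are not handled.

```shell
#!/bin/sh
# Audit a pppd chap-secrets file (added example, not from the original post).
# Prints one finding per line and returns the number of findings (0 = clean).
# MIN_SECRET_LEN is an assumed policy value, not anything pppd enforces.
MIN_SECRET_LEN="${MIN_SECRET_LEN:-12}"

audit_chap_secrets() {
    f="$1"
    findings=0
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 1
    fi

    # File mode: GNU/BusyBox stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "PERMS $f is mode $mode, expected 600"
        findings=$((findings + 1))
    fi

    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;      # skip blank lines and comments
        esac
        # Split on whitespace; -f stops '*' in the AllowedIPs column from globbing.
        set -f
        set -- $line
        set +f
        if [ $# -ne 4 ]; then
            echo "FORMAT line $lineno has $# fields, expected 4 (user server secret allowed-ips)"
            findings=$((findings + 1))
            continue
        fi
        user=$1
        secret=$3
        if [ ${#secret} -lt "$MIN_SECRET_LEN" ]; then
            echo "WEAK line $lineno: secret for $user is shorter than $MIN_SECRET_LEN characters"
            findings=$((findings + 1))
        fi
    done < "$f"
    return $findings
}

# Usage: sh audit-chap-secrets.sh /opt/etc/ppp/chap-secrets
if [ $# -gt 0 ]; then
    audit_chap_secrets "$1"
fi
```

The exit status doubles as the finding count, so the script can be dropped into a cron job or a post-edit hook and treated as pass/fail.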

Configure Firewall

Create the file /opt/etc/config/vpn.fire and put the following in it

#!/bin/sh
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT

Make the script executable by running the following

chmod +x /opt/etc/config/vpn.fire

Restart the firewall service

service firewall restart
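The vpn.fire script above appends its five rules unconditionally every time it runs. As an added example (my code, not from the original post or from Tomato), here is the same rule set written so that each rule is added only if it is not already present, using iptables -C to check first, and with an optional WAN_IF variable that limits the GRE and TCP/1723 accept rules to the WAN interface. The interface name is an assumption you must fill in for your router; leaving WAN_IF empty reproduces exactly the rules in the post. IPT defaults to iptables but can be pointed at a wrapper for a dry run.

```shell
#!/bin/sh
# Idempotent version of vpn.fire (added example, not the original post's script).
IPT="${IPT:-iptables}"     # binary or wrapper to invoke
WAN_IF="${WAN_IF:-}"       # assumption: e.g. vlan2 on many Tomato builds; empty = any interface

# Print one rule per line as "CHAIN args...", without the iptables -A prefix.
pptp_rules() {
    in_if=""
    if [ -n "$WAN_IF" ]; then
        in_if="-i $WAN_IF"
    fi
    cat <<EOF
INPUT $in_if -p gre -j ACCEPT
INPUT $in_if -p tcp --dport 1723 -j ACCEPT
INPUT -i ppp+ -j ACCEPT
FORWARD -i ppp+ -j ACCEPT
FORWARD -o ppp+ -j ACCEPT
EOF
}

# Append each rule only if iptables -C says it is not already there.
# Prints the number of rules actually added.
apply_pptp_rules() {
    applied=0
    while read -r chain args; do
        if [ -z "$chain" ]; then
            continue
        fi
        # $args is intentionally unquoted so it splits into separate arguments.
        if ! $IPT -C "$chain" $args 2>/dev/null; then
            $IPT -A "$chain" $args
            applied=$((applied + 1))
        fi
    done <<EOF
$(pptp_rules)
EOF
    echo "$applied"
}

# Tomato runs /opt/etc/config/*.fire on every firewall restart; calling
# apply_pptp_rules here keeps the chain free of duplicate entries.
if [ "${1:-}" = "apply" ]; then
    apply_pptp_rules
fi
```

Run it as sh vpn.fire apply, or drop the function body straight into the .fire file. On a restart the firewall is flushed anyway, but the -C guard also makes it safe to run by hand while debugging.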

Start VPN server

This is the last step. Create the file /opt/etc/config/vpn.wanup and add the following

#!/bin/sh
if [ ! -f /tmp/ppp/chap-secrets ]; then
    mkdir -p /tmp/ppp
    ln -s /opt/etc/ppp/chap-secrets /tmp/ppp
fi
/opt/etc/init.d/S20poptop restart

Make this script executable

chmod +x /opt/etc/config/vpn.wanup

That is it; this ensures the VPN is restarted whenever the WAN comes back up. The VPN is up and running.

Testing it may end up being a bit tricky. You cannot log into the network while you are on it. I used my phone, disabled WiFi, and configured it to log in via the mobile network to ensure that the VPN was indeed accessible and working. Presto, I could log into my home network from anywhere in the world.

Check out the original post about ways to configure a VPN client on an iOS or Android device.

January 19, 2012

Extending Tomato with Optware

I had waxed eloquent about the flexibility, freedom and capabilities offered by open source tools in general, and TomatoUSB in particular. Little did I know that this was just the tip of the iceberg of capabilities offered by the third-party firmware on my Netgear router.

The big extension to the core capabilities offered by the firmware is available via the installation of Optware. At its core, Optware is an advanced package manager, built for distribution of software packages across a number of platforms, including the TomatoUSB router firmware.

Optware comes with a variety of packages compiled and available in its repository. This repository extends the capabilities of the router firmware, from the stripped-down, small-footprint versions of the usual tools to the full-featured ones found on a Linux box.

Tomato has built-in support for Optware, but it took some work to prepare the setup for it. In particular, two things had to be done:

  • Format the connected storage as EXT3. My terabyte RAID had originally been formatted as NTFS. TomatoUSB does support NTFS, but it is slow and painful and fundamentally missing capabilities - not something that lends itself to Optware.
  • Figure out where /opt is going to be mounted.

There is no easy way to convert NTFS to EXT3, other than the slow and methodical approach: take the files off the NTFS file system, format the disk as EXT3, and copy the files back. There are several tutorials out there, like this one; the only tweak was that I ended up using the mkfs.ext3 script available on the router to format the disk.

As an aside, the cheap terabyte RAID survived and is thriving through all this, including the EXT3-formatted drive.

Mounting storage on /opt, where Optware will be installed, seemed tricky at first but ended up being pretty simple. The reason it seemed tricky was that I had created only one partition on the storage when I formatted it as EXT3. My worry was that I'd have to resize the partition and add a new one, which could then be mounted on /opt.

Turns out, you can mount the same device on multiple mount points. And given that I am already automounting the USB device, I figured all I had to do was to mount a sub-folder on /opt. Adding the following in the “Run after mounting” script-box, did the trick.

if [ -d /mnt/Teranarchy/optware ]; then
    mount -o bind /mnt/Teranarchy/optware /opt
fi

Once I had space available on /opt, installing Optware was simple: as simple as running the following in a shell after logging in via Telnet or SSH.

wget http://tomatousb.org/local--files/tut:optware-installation/optware-install.sh -O - | tr -d '\r' > /tmp/optware-install.sh
chmod +x /tmp/optware-install.sh
sh /tmp/optware-install.sh

That is it. Optware does a great job of obtaining and installing all the packages. And because Tomato already has the correct folders in the $PATH variable, all the tools and capabilities are available instantly from any shell.
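The install command fetches the script over plain HTTP and runs it as-is. As an added example (my code, not from the original post or the TomatoUSB project), the script below separates the download from the execution and checks the file's SHA-256 against a value you obtained through a channel you trust before running it. The expected hash is a placeholder; the page does not publish one, so you must supply it yourself. Note that the hash must be taken after the carriage returns are stripped, exactly as the file will be executed.

```shell
#!/bin/sh
# Fetch, verify, then run an installer (added example, not from the original post).
# EXPECTED_SHA256 is a PLACEHOLDER: replace it with the published value.
EXPECTED_SHA256="${EXPECTED_SHA256:-PLACEHOLDER_REPLACE_WITH_PUBLISHED_SHA256}"
INSTALLER_URL="http://tomatousb.org/local--files/tut:optware-installation/optware-install.sh"

# Print the SHA-256 hex digest of a file; GNU/BusyBox sha256sum first, BSD shasum as fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_file FILE EXPECTED -> 0 on match, 1 on mismatch (with a message on stderr).
verify_file() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# fetch_verify_run URL EXPECTED: download, normalise line endings, verify, run.
# The downloaded copy is deleted on mismatch so a later step cannot pick it up.
fetch_verify_run() {
    url="$1"
    expected="$2"
    raw="/tmp/$(basename "$url").raw"
    script="/tmp/$(basename "$url")"
    wget -O "$raw" "$url" || return 1
    tr -d '\r' < "$raw" > "$script"
    rm -f "$raw"
    if verify_file "$script" "$expected"; then
        chmod +x "$script"
        sh "$script"
    else
        rm -f "$script"
        return 1
    fi
}

# Usage: EXPECTED_SHA256=<published hash> sh install-optware.sh run
if [ "${1:-}" = "run" ]; then
    fetch_verify_run "$INSTALLER_URL" "$EXPECTED_SHA256"
fi
```

The same verify_file function works for the firmware images in the flashing post below, where a mismatched download is far more expensive than a mismatched shell script.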

Now that I have Optware, it is time to start doing something more interesting. Like installing a VPN on the router. Coming up next.

January 12, 2012

Dynamic DNS on my Tomato Router

Here is the problem statement: now that I had my router running a custom TomatoUSB build, I wanted to open it up to the Internet so that I could access my music and data from anywhere.

The first step, though, was to establish a way to address my router via the Internet. I get a dynamic IP address from my ISP, so I had to find a way to keep track of the latest address. The answer, of course, was to use a dynamic DNS (DDNS) solution, of which there are dozens available. But as it turned out, my case was more complicated than that.

I chose the FreeDNS service offered by afraid.org. Tomato firmware has native support for their dynamic DNS service built in. But more importantly the tagline on their website read “Why is it free? It's quite simple. We wanted a challenge... that's it.”.

To set my site up, I had delegated the nameserver function for my domain to my hosting provider. My initial idea was to delegate a subdomain to the FreeDNS service and then update the IP address directly from my router. Unfortunately my hosting provider did not allow delegation of subdomains to a different DNS provider. In other words, they did not allow NS records to be created for inconsequential customers like me; they only allowed A, TXT or CNAME records. CNAME records - that gave me a way out.

I created a sub-domain on one of the free domains provided by the FreeDNS service - in my case it was mooo.com. The name of the sub-domain did not really matter, any available one worked just fine. Then I set up my Tomato router to update the IP address of this sub-domain automatically.

Finally, I set-up a CNAME pointing a sub-domain from anarchius.org to the newly created sub-domain on mooo.com. Presto - sub-domain.anarchius.org now resolved to my WAN IP address. Here is how my DNS records look now:

There you are, Dynamic DNS on my Tomato router up and running, linked directly to my own domain. Bring on the possibilities.

December 04, 2011

TomatoUSB on Netgear 3500L

Upgrading a Netgear 3500L to the latest TomatoUSB build. This worked for me as of December 01, 2011, with no guarantee that it will work for you or at any other time.

Required ingredients:

  • The trailed DD-WRT build to perform the first upgrade. Filename: dd-wrt.v24-15704_NEWD-2_K2.6_mini-WNR3500L.chk
  • The correct TomatoUSB version - Build 54, Kernel 2.6, CPU MIPSR2 and feature-set Extras or Ext. This is what I used, but you might check the latest version here. Filename: tomato-K26USB-1.28.9054MIPSR2-beta-Ext.rar
  • WinRAR or 7-zip or a related utility to unzip the RAR file.
  • Some timer - either an app on your phone or a watch with a seconds hand.
  • A pushpin of some sort.
  • A printout of a document that looks something like this.
  • A laptop or desktop of some kind that has a working modern browser.

Procedure:

  • Ensure your firmware files are identified, available and ready to go. See above for the two files you need to keep available. Use WinRAR or 7-Zip to unzip the .rar file. You will get a .trx file along with a changelog. Rename the .trx extension to .bin.
  • Connect your computer to the router using an Ethernet cable, if you do not have extra cords, use the one which used to connect the router to the external WAN. In either case, ensure the External WAN is disconnected.
  • Set your computer to a static IP of 192.168.1.8 (Ensure you are doing this to the wired LAN connection)
  • Perform a 30-30-30 reset, using the pushpin to hold down the reset button on the back of the router. You might want to use the timer to ensure you are actually keeping it pressed for 30 seconds each time.
  • Wait for the router to boot back up. Using your browser, head over to http://192.168.1.1 and log in with the default credentials (login: admin, password: password).
  • Using the Upgrade option on the Netgear admin menu, use the .chk file you downloaded from the DD-WRT site. Note you are not using the bigger TomatoUSB firmware yet.
  • Wait, no seriously wait. Wait till the lights get back to normal. Wait. Wait to see that you can access the new admin interface.
  • Perform the 30-30-30 reset. Wait for the router to come back up.
  • Now head back over to http://192.168.1.1. You should be automatically logged in, but instead will be asked to set an admin account with password. You can set this to be whatever you want, your firmware is just about to be flashed.
  • Go to the Administration tab and then Firmware Upgrade sub-tab. Select the TomatoUSB file that you extracted from the RAR archive and renamed to a .bin file.
  • Again wait. For all the frenzy to subside. After you can see the router administration page again, wait some more.
  • Perform another 30-30-30 reset. Wait for the router to come back up.
  • Again head back over to http://192.168.1.1. Log in using the Tomato default credentials (no login name required, password: admin).
  • Set up basic wireless services, located under. Disconnect the Ethernet cord, reconnect the router to the WAN network, get up, sit on the couch and continue configuring your brand new router firmware.
  • And yes, put away the pushpin and the timer, and set your wired connection back to dynamic IP.

That was it, and if you have been following along, my Toshiba Thrive connects beautifully to the new router via SMB and I can now access all the media I have on my RAID, wirelessly over the home WiFi network. Cloud, anyone?

Freedom to hack: 1 - Closed systems:0.