I wrote recently about setting up guest wireless with the Tomato router firmware. I also needed to be able to use site-to-site OpenVPN between two routers running Tomato. I’m using a “Toastman” build that includes both VLAN and VPN functionality, but how can I use them at the same time?
This is the main article I followed for setting up a site-to-site VPN:
It seems that the last bit of his step 3, where you add 1194 to the port forwarding, is no longer required.
VPN Can’t Ping from LAN to LAN
Unfortunately after configuring the VPN, I could ping from the router to the other LAN, but I could not ping from one LAN to the other LAN. Not good!
The solution is to manually add a one-line forwarding instruction to each router. The exact instruction depends on which VLAN you wan to route to which VPN tunnel.
The tunnels are named as follows: tun11 = OpenVPN Client1, tun12 = Client2, tun21 = Server1, and tun22 = Server2. You can see which tunnel is active under Advanced > Routing. This screen shot is from my OpenVPN server:
On both the client and sever, my main LAN (that I want to share across the VPN) is on br0. The server is tun21 and the client is tun11. So on the OpenVPN server router, I ran this instruction from Tools > System:
iptables -A FORWARD -i br0 -o tun21 -j ACCEPT
and on the OpenVPN client router I ran this instruction:
iptables -A FORWARD -i br0 -o tun11 -j ACCEPT
Voila! Bi-directional ping happiness, from server’s LAN to client’s LAN and vice-versa.
To make the instructions “sticky,” save the corresponding instruction in Administration > Scripts > Firewall on each router, and reboot the router.
This functionality may eventually become “standard” or part of the GUI, but for now, a pair of simple instructions lets you use OpenVPN on a router running VLANs.