#cd /root
#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
#tar zxvf  lzo-2.03.tar.gz
#cd lzo-2.03
#./configure && make && make install

再安裝 openvpn 2.1.1 (lzo 必須要先安裝，不然下面的安裝會出錯)
#cd /root
#wget http://openvpn.net/release/openvpn-2.1.1.tar.gz
#tar zxvf openvpn-2.1.1.tar.gz
#cd openvpn-2.1.1
#./configure && make && make install

# cd /root

# cp -rv openvpn-2.1.1/easy-rsa ./

(如果是用 tar 方式安裝，則 easy-rsa 會在 openvpn-2.1.1 的資料夾裡。)

# cd  ~/easy-rsa

# vi vars

export KEY_COUNTRY="TW"

export KEY_PROVINCE="Taiwan"

export KEY_CITY="Taipei"

export KEY_ORG="TomatoVPN"

export KEY_EMAIL="y...@email.com"

# source ./vars

# ./clean-all

# ./build-ca
(以下為問答交談的畫面，請注意輸入，因為不能使用刪除鍵。)

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:Home

Common Name (eg, your name or your server’s hostname) [TomatoVPN CA]:

Name []:Home

Email Address [y...@email.com]:

—–[建立 vpn server 的相關 key 組]—————————————————————

# ./build-key-server vpnsrv

……

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:Home

Common Name (eg, your name or your server’s hostname) [vpnsrv]:

Name []:Home

Email Address [y...@email.com]:

…….. (以下兩個都按 Enter 跳過。)

A challenge password []:

An optional company name []:

……..
(以下兩個都回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

——[dh1024]————————————————————

# ./build-dh

—–[以下為  VPN SERVER 填寫到 tomatovpn 對應的欄位---------------------------------------------

Certificate Authority -> 開啟 ca.crt 並全選->複製 -> 貼上

Server Certificate -> 開啟 vpnsrv.crt 並全選->複製 -> 貼上

Server Key -> 開啟 vpnsrv.key 並全選->複製 -> 貼上

Diffie Hellman parameters ->開啟 dh1024.pem 並全選->複製 -> 貼上

================================================================

[Client-Part]

# cd /tmp

# cp -rv easy-key client

( If you want to copy second client key.) -> 非必要步驟

(# cp -rv easy-key client1) -> 非必要步驟

# cd client

# source ./vars

# ./build-key vpnclient1

Generating a 1024 bit RSA private key

………………………………………………………………………………………………………………………++++++

…………++++++

writing new private key to ‘vpnclient1.key’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server’s hostname) [vpnclient1]:

Name []:

Email Address [y...@email.com]:

Please enter the following ‘extra’ attributes

to be sent with your certificate request

(以下兩個可以按 Enter 跳過)

A challenge password []:

An optional company name []:

Using configuration from /tmp/client/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName :’TW’

stateOrProvinceName : ‘Taiwan’

localityName : ‘Taipei’

organizationName :PRINTABLE:’TomatoVPN’

commonName :PRINTABLE:’vpnclient1′

emailAddress :IA5STRING:’y...@email.com’

Certificate is to be certified until Jul 19 11:17:27 2019 GMT (3650 days)

(以下兩項也是都回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

—[到這裡為止，該做的 KEY 都做完了。]—————————————————

(接下來要 sign vpnclient1 的 key 了)

# cp keys/vpnclient1.csr ../easy-rsa/keys/

# cp keys/vpnclient1.key ../easy-rsa/keys/

# cd ../easy-rsa

# source ./vars

# ./sign-req vpnclient1

Using configuration from /tmp/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName :PRINTABLE:’TW’

stateOrProvinceName :PRINTABLE:’Taiwan’

localityName :PRINTABLE:’Taipei’

organizationName :PRINTABLE:’TomatoVPN’

commonName :PRINTABLE:’vpnclient1′

emailAddress :IA5STRING:’y...@email.com’

Certificate is to be certified until Jul 19 11:20:48 2019 GMT (3650 days)

(以下兩個回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

======================================================================

ca ca.crt
cert vpnclient1.crt
key vpnclient1.key

以上3個為 vpnclient 的 KEY。

======================================================================

http://code.google.com/p/twtomato/w/list

以下更新方法適用 已為 tomatovpn 或已是 tomato 的韌體適用:

tomatoVPN官網

使用機型: Buffalo WHR-G54S
更新用的檔案: tomatovpn-1.27vpn3.6.7z 裡的 tomato.trx 更名為 tomato.bin

下載網址:  點這裡下載
檔案名稱: tomatovpn-1.27vpn3.6.7z

————————————————————————————–

使用機型: Asus WL-520GU

更新用的檔案: tomatovpn-ND-1.27vpn3.6.7z 裡的 tomato-ND.trx

下載網址:  點這裡下載

檔案名稱: tomatovpn-ND-1.27vpn3.6.7z

更新步驟:

1.連到後台 192.168.x.x 的 ip

2. 找到左邊的 Administration -> Upgrade  -> Upgrade Firmware 的頁面

3. 點擊 「瀏覽」，依上頭的機型並選擇對應的檔案，然後點 Upgrade.

4. 依畫面指示，等候1分多鐘，幾乎快 2 分鐘了。反正不要中斷或按重整或中斷電源，這些都是不可以做的事情。

5. 待設定畫面恢復後，進入檢查設定並啟動未啟動的設定。

=====================================================

tomatoVPN 的 change log 看下面官方的 BLOG 吧。

http://tomatovpn.keithmoyer.com/2010/01/127vpn35.html

• Moved to Tomato 1.27 baseline
  • Tomato 1.26 changelog
  • Tomato 1.27 changelog
• Upgraded to OpenVPN 2.1.1
  • OpenVPN changelog
• Fixed "exclusive" option for accepting DNS
• Omit key/certs that aren’t filled in in the GUI
  • This should allow people to create user/pass only configs – likely to be added to the GUI in the future
• Fix some TAP connection issues
• Option to not leave existing default gateway in place while VPN is running
• Option is now to start VPN with WAN, not just with router
  • If wan goes down and back up, VPN service will be stopped and restarted
• "Poll Interval" option in GUI to periodically check if the VPN is running, and restart it if not.
• Various code cleanups/improvements and adaptations to the updated Tomato components

=====================================================

offical tomato change log as below:

http://www.polarcloud.com/tomato_127
Tomato 1.27
Submitted by jon on Sun, 2009-11-29 11:44

Version 1.27

* Fix DDNS "-1″ error when service used HTTPS.

Tomato 1.26
Submitted by jon on Thu, 2009-11-26 22:43

Version 1.26

* Allow a different port to be entered in Basic:Network:Static DNS (enter as "ip:port"). Be aware that dnsmasq must act as the DNS server (the default setting) when not using the normal port 53.
* Allow DHCP to serve the user-entered gateway (in Basic:Network) if the option in Advanced:DHCP is enabled.
* Do not start miniupnpd early to avoid warning messages.
* Update Australian DST (need to re-select), add Darwin, Brisbane TZ. Thanks to Peter O. for the info.
* Avoid double loading of tomato.css
* Fix possible null dereference in sendpage
* Collapsed all menus. For the old look, set nvram: "web_mx=status,bwm,tools"
* Obscured some key/password fields when not in focus.
* Accept more than two MAC addresses per IP address (ex: one IP for a laptop either wired or wireless [one at a time]). Note: Some computers may not like seeing the same IP unless it’s restarted.
* Added LED options back in Admin:Buttons/LED.
* Added ID for WLA2-G54L, TrueMobile 2300 thanks to Nick B. and David J.
* Added EditDNS thanks to Keith M.
* Added UTC+4:30 Kabul time zone.
* Fixed port set validation allowed more than what could be handled.
* Allow rstats to log if WAN port is used for LAN.
* Update dnsmasq to 2.51, miniupnpd 1.4, busybox 1.14.4, matrixssl 1.8.8.
=====================================================

1. 請到 openvpn.net 或 openvpn.se 下載，最新 2.1 的版本來安裝。
1.1 : http://openvpn.net/index.php/open-source/downloads.html ,
Direct Link: http://openvpn.net/release/openvpn-2.1_rc18-install.exe
2. 根據官方HowTo的說明安裝Server部分
a. 產生各種key，利用/usr/share/doc/openvpn/examples/easy-rsa/2.0/的script & bat.

b.init-conifg.bat / init-conifg
c. 修改vars
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taoyuan"
export KEY_CITY="PingChenCity"
export KEY_ORG="CompanyName"
export KEY_EMAIL="m...@email.box"
2. 執行參數設定
../vars
vars.bat
3. 清除已有 Key
./clean-all
clean-all.bat
4. 產生RootCA憑證
./build-ca
build-ca.bat
Common Name 填 OpenVPN-CA 其他都預設就好
5. 產生Server用憑證
./build-key-server server
build-key-server.bat server
Common Name 填 server ；其他是非題就選y
2. 偷懶法產生Client憑證
./build-key client1 ,  common name : client1
./build-key client2,  common name: client2
./build-key client3,  common name: client3
依此類推
3. 產生Diffie Hellman parameters
./build-dh
build-dh.bat
4. 把ca.crt、ca.key、server.crt、server.key、dh1024.pem放到 /etc/openvpn
5. 修改/usr/share/doc/openvpn/examples/sample-config-files/server.conf
後放在 /etc/server.conf
1. proto tcp
2. push "redirect-gateway"
3. user nobody
4. group nogroup
6. 把ca.crt、client1.crt、client1.key放到 第一台Client的設定檔目錄
(例如:Windows 就是在C:\Program Files\OpenVPN\config)
(Linux則在/etc/openvpn)
7. 在client1機器上一樣把client.conf(或client.ovpn@windows)的sample檔案拿來改
(其他client自行類推)
1. proto tcp
2. remote [VPN主機位置] 1194 (443,1863)
3. cert client1.crt
key client1.key
3. 加上NAT的設定
1. 啟動 ip forward
修改 /etc/network/options
ip_forward=yes
2. 設定iptable 的NAT 對應->參考資料
/sbin/iptables -t nat -A POSTROUTING -d ! 10.8.0.0/255.255.255.0 -j MASQUERADE
3. 儲存iptable設定
mkdir /var/lib/iptables/
/etc/init.d/iptables save active
4. 完成啦！
=====================================================================
VPN Server -
Certificate Authority – ca.crt of content from BEGIN to END.
Server Certificate – server.crt of content from BEGIN to END.
Server Key – server.key of content from BEGIN to END.
Diffie Hellman parameters – dh1024.pem of content from BEGIN to END.
Then click Save to Save above keys & Certificate of content.

=====================================================================
vpn.bat of content as below:
@echo off
rem —————————————————–
set ONET=10.0.0.0
set OMASK=255.0.0.0
set OGW=10.1.2.254

set VNET=192.168.1.0
set VMASK=255.255.255.0
set VGW=192.168.1.254
set VIP=192.168.1.100

route -f
route add %ONET% mask %OMASK% %OGW%
route add %VNET% mask %VMASK% %VIP%
route add 123.126.1.0 mask %VMASK% 10.1.2.3
route add 0.0.0.0 mask 0.0.0.0 %VGW%
route print
pause

rem ipconfig /flushdns
rem ipconfig /registerdns
:END

rem  10.1.2.3 <–> 123.126.1.2 <–> 192.168.1.100
rem —————————————————–
=====================================================================
Proxy Setting:
1. 在 .ovpn 或 .conf 裡加入，如下列:
ntlm auth: (for ISA 200X)

http-proxy proxy.Server 80 proxy.txt ntlm

proxy.Server : 你的公司內部的 porxy server 的ip 或 wins name。
80 : proxy port number
proxy.txt : 這個檔案必須跟 .ovpn/.conf 放在同一個資料夾，格式: 第一行:  cpalm\usr999000 ，第二行: 密碼
ntlm : auth 的方式有 none (免認證)，basic ( ID/PW) ， ntlm (isa server 綁定 domain 的認證方式)。

basic auth: (for Squid proxy server )

http-proxy proxy.Server 3128 proxy.txt basic
=====================================================================
===tomato VPN Web GUI setting===
=====================================================================
1.Goto [Administration] > [Scripts]  Copy below into text-box then save.

—Copy Begin—
到 Administration -> Scheduler -> Custom1 -> 在 command 填入下列幾行:
service vpnserver1 start
sleep 5
service vpnserver2 start
—Copy End—

2.Goto [VPN Tunneling] > [Server] > [Server 1]
Basic:
Start with Router : Checked (打勾)
Interface Type: TAP
Protocol: TCP
Port: 443
Firewall : Automatic
Authorization Mode: Static Key
Then click [Save] to save above settings.
Advanced:
Respond to DNS: Checked (打勾)
Encryption cipher : Use Default
Compression : Disabled
Custom Configuration: Leave Blank
Then click [Save] to save above settings.
Keys:
Static Key generate command as below and open key.txt then copy content to keys of textbox.
"C:\Program Files\OpenVPN\bin\openvpn.exe" –pause-exit –verb 3 –genkey –secret "C:\Program Files\OpenVPN\config\key.txt"
Then click [Save] to save above settings.
3. Click [Start Now] to active VPN server 1.