在更新之前，要先看一下 Change Log, 看完之後，再看 know issue:

Change Log:

Build 52 – 10/15/2010

Changes common for kernel 2.4 and kernel 2.6 based builds:

• 1.Fixed WAN Up script not being executed (在 build 51 是壞掉的).
• 2.Fixed obtaining DHCP lease from Corbina Beeline and possibly other ISPs (在 build 51 是壞掉的).
• 3.Fixed DHCP renewal processing to not replace the default gateway and DNS servers for PPTP/L2TP connections.
• 4.Fixed errors in routing for PPTP/L2TP connections.
• 5.Added "Use Default Gateway on Remote Network" option for PPTP/L2TP connection types (turned on by default). Turn it off to use gateway obtained via DHCP for internet routing, and only use PPTP/L2TP gateway for VPN subnet (custom routing may be required in case if VPN network contains multiple subnets).
• 6.Resolve sporadic PPPoE disconnect issues with some ISPs.
• 7.Allow to configure custom TTL values in the Web GUI.
• 8.Make sure PPTP/L2TP is gracefully disconnected after firmware upgrades and after restoring configuration to prevent connection problems after reboot.
• 9.Size optimization of some large applications.
• 10.Software updates: PPTP kernel driver 0.8.5, Busybox 1.17.3.
• Cosmetics.

Kernel 2.6-based builds only (beta23):

• 1.Fixed Mini build for Netgear routers with 4MB flash (WNR2000v2, WNR3500v2), removed RIPv1/v2 routing from Mini build due to Netgear size restrictions, added JFFS to Mini build to make use of some otherwise wasted flash space.
• 2.Fixed flashing all supported Netgear routers back to OEM firmware.
• 3.Media server: removed some rare and obsolete demuxers to reduce size, reduced Mini DLNA memory usage.
• 4.Minor backports from upstream 2.6 kernel.

Known issues with this build:
Please read the important notes in the announcement post to avoid or resolve potential issues when upgrading to this version.

Know Issue:

NOTES:

1. 1.When upgrading Netgear routers from previous build 51, you will get an error message "Error writing fake Netgear CRC". Don’t worry about it – just wait for a couple minutes for router to reboot, and the new firmware will be loaded anyway, regardless of this error.
2. 2.A few new options are now automatically added to the default Dnsmasq configuration file, so if you have the same options in the Dnsmasq Custom Configuration box, you need to remove them to avoid errors starting Dnsmasq. The new options are:
   • log-async
   • all-servers (<- you can still override it with "strict-order" option in Custom Configuration box)
   • cache-size (<- DNS Cache Size is now configurable via GUI)

下載:

tomatoUSB download

快速下載(Ausu RT-N16):

tomatoUSB Build 52 VPN 版本

1. 解開壓縮檔找到 tomato-K26USB-1.28.9052MIPSR2-beta23-vpn3.6.trx

改成 tomato-K26USB-1.28.9052MIPSR2-beta23-vpn3.6.bin

2.連到 http://192.168.1.1 ，找到 Administration -> Upgrade 開始進行 web gui 的 更新作業，上傳剛才改名的 .bin 檔。 (注意: 有個選項: After flashing, erase all data in NVRAM memory，請不要勾選，這個會清除你 NVRAM 的設定記憶喔。)

3.在 know issue 有提到 如果是 Netgear routers 才會有錯誤發生，請不要擔心，等候 AP 重新開完機之後即可。(ASUS RT-N16 不是 Netgear routers ，所以請不要擔心。)

4.看到 Image successfully flashed 要再等個 50 幾秒，請耐心等候，等到 秒數變成 Continue 的按鈕，然後按下去就對了。

5. 再到 About 檢查一下版本是否為 Tomato Firmware v1.28.9052 MIPSR2-beta23 K26 USB vpn3.6， 如果是，那就代表您更新完成了。

於是有了下列筆記產生。

安裝 Copssh 3.1.1

http://sourceforge.net/projects/sereds/files/Copssh/3.1.1/Copssh_3.1.1_Installer.zip/download

1.將 Copssh_3.1.1_Installer.zip 解壓縮後執行安裝

2.我的安裝路徑在 C:\Apps\ICW\ , 接下來 SvcCOPSSH 服務帳號的密碼(可自訂)，直接按下一步繼續然後完成安裝之前，會彈一個警告視窗說 Copssh 預設是不會有任意使用者可以登入，必須要啟動使用者。

接下來 (1. Active User) -> 選擇 Administrator -> /bin/false， 因為不用登入所以選 /bin/false，如果要用 winscp 傳檔案就改成 /bin/bash，所以這樣子就可以了。

接下是輸入 PassPhrase 。

終於完成了。

接下來 WINDOWS 7 的警告，可以忽略不用管它。

3.由於 Copssh 自動幫我們建立的 私鑰 及 公鑰，似乎是比較高等級的加密演算法(DES-EDE3-CBC)，故 myentunnel 會有使用上的問題，所以另外使用 puttygen.exe，重新建立 公鑰給 Copssh，私鑰給 myentunnel。

4.用 puttygen.exe 產生 公鑰及私鑰，將公鑰(綠色框框)複製到 C:\Apps\ICW\home\Administrator\.ssh\authorized_keys 並取代原先的內容，然後再選 Save Private Key(黃色框框) 把檔案存成 *-keyfile.ppk (* 字是指 myentunnel profile name) 給 myentunnel 使用。Key Phassphrase (紅色框框) 請務必要輸入，因為會用到及安全性因素。

5.NB(公司) 的 myentunnel 的設定: 在 tunnel -> Remote 輸入 192.168.111.200:5577:10.11.22.33:22 -> Save 即可。

6.Server 端: 會出現 (192.168.111.200:5577  <- 這個不會出現在 SERVER上 )  -> 0.0.0.0:5577 (Listen) 的部份，代表已成功將公司 PC 的 Copssh 的服務對應到家中的 Server 上。

7.與 Server端同網段的 PC 的 myentunnel 的設定: Settting -> Server: 192.168.111.200 , Port: 5577 ,Username : Administrator(使用者名稱大小寫請注意), Passphrase: 就看你高興囉，但是這個一定要設。 再來切換到 Tunnel -> Local -> 9911:10.11.22.44:3389 (這是你要遙控的 NB 的 IP) -> Save 即可。

PS. SSHD Server (公司端) 跟被遙控的 PC 不可以是同一台。為什麼不能？目前無解。但是，就是不能同一台，如果有人有答案，可以跟我分享嗎？

8.再來用遠端桌面連線輸入 127.0.0.1:9911 即可連線。

#cd /root
#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
#tar zxvf  lzo-2.03.tar.gz
#cd lzo-2.03
#./configure && make && make install

再安裝 openvpn 2.1.1 (lzo 必須要先安裝，不然下面的安裝會出錯)
#cd /root
#wget http://openvpn.net/release/openvpn-2.1.1.tar.gz
#tar zxvf openvpn-2.1.1.tar.gz
#cd openvpn-2.1.1
#./configure && make && make install

# cd /root

# cp -rv openvpn-2.1.1/easy-rsa ./

(如果是用 tar 方式安裝，則 easy-rsa 會在 openvpn-2.1.1 的資料夾裡。)

# cd  ~/easy-rsa

# vi vars

export KEY_COUNTRY="TW"

export KEY_PROVINCE="Taiwan"

export KEY_CITY="Taipei"

export KEY_ORG="TomatoVPN"

export KEY_EMAIL="y...@email.com"

# source ./vars

# ./clean-all

# ./build-ca
(以下為問答交談的畫面，請注意輸入，因為不能使用刪除鍵。)

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:Home

Common Name (eg, your name or your server’s hostname) [TomatoVPN CA]:

Name []:Home

Email Address [y...@email.com]:

—–[建立 vpn server 的相關 key 組]—————————————————————

# ./build-key-server vpnsrv

……

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:Home

Common Name (eg, your name or your server’s hostname) [vpnsrv]:

Name []:Home

Email Address [y...@email.com]:

…….. (以下兩個都按 Enter 跳過。)

A challenge password []:

An optional company name []:

……..
(以下兩個都回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

——[dh1024]————————————————————

# ./build-dh

—–[以下為  VPN SERVER 填寫到 tomatovpn 對應的欄位---------------------------------------------

Certificate Authority -> 開啟 ca.crt 並全選->複製 -> 貼上

Server Certificate -> 開啟 vpnsrv.crt 並全選->複製 -> 貼上

Server Key -> 開啟 vpnsrv.key 並全選->複製 -> 貼上

Diffie Hellman parameters ->開啟 dh1024.pem 並全選->複製 -> 貼上

================================================================

[Client-Part]

# cd /tmp

# cp -rv easy-key client

( If you want to copy second client key.) -> 非必要步驟

(# cp -rv easy-key client1) -> 非必要步驟

# cd client

# source ./vars

# ./build-key vpnclient1

Generating a 1024 bit RSA private key

………………………………………………………………………………………………………………………++++++

…………++++++

writing new private key to ‘vpnclient1.key’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [TW]:

State or Province Name (full name) [Taiwan]:

Locality Name (eg, city) [Taipei]:

Organization Name (eg, company) [TomatoVPN]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server’s hostname) [vpnclient1]:

Name []:

Email Address [y...@email.com]:

Please enter the following ‘extra’ attributes

to be sent with your certificate request

(以下兩個可以按 Enter 跳過)

A challenge password []:

An optional company name []:

Using configuration from /tmp/client/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName :’TW’

stateOrProvinceName : ‘Taiwan’

localityName : ‘Taipei’

organizationName :PRINTABLE:’TomatoVPN’

commonName :PRINTABLE:’vpnclient1′

emailAddress :IA5STRING:’y...@email.com’

Certificate is to be certified until Jul 19 11:17:27 2019 GMT (3650 days)

(以下兩項也是都回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

—[到這裡為止，該做的 KEY 都做完了。]—————————————————

(接下來要 sign vpnclient1 的 key 了)

# cp keys/vpnclient1.csr ../easy-rsa/keys/

# cp keys/vpnclient1.key ../easy-rsa/keys/

# cd ../easy-rsa

# source ./vars

# ./sign-req vpnclient1

Using configuration from /tmp/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName :PRINTABLE:’TW’

stateOrProvinceName :PRINTABLE:’Taiwan’

localityName :PRINTABLE:’Taipei’

organizationName :PRINTABLE:’TomatoVPN’

commonName :PRINTABLE:’vpnclient1′

emailAddress :IA5STRING:’y...@email.com’

Certificate is to be certified until Jul 19 11:20:48 2019 GMT (3650 days)

(以下兩個回答 y 即可)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

======================================================================

ca ca.crt
cert vpnclient1.crt
key vpnclient1.key

以上3個為 vpnclient 的 KEY。

======================================================================

http://code.google.com/p/twtomato/w/list

以下更新方法適用 已為 tomatovpn 或已是 tomato 的韌體適用:

tomatoVPN官網

使用機型: Buffalo WHR-G54S
更新用的檔案: tomatovpn-1.27vpn3.6.7z 裡的 tomato.trx 更名為 tomato.bin

下載網址:  點這裡下載
檔案名稱: tomatovpn-1.27vpn3.6.7z

————————————————————————————–

使用機型: Asus WL-520GU

更新用的檔案: tomatovpn-ND-1.27vpn3.6.7z 裡的 tomato-ND.trx

下載網址:  點這裡下載

檔案名稱: tomatovpn-ND-1.27vpn3.6.7z

更新步驟:

1.連到後台 192.168.x.x 的 ip

2. 找到左邊的 Administration -> Upgrade  -> Upgrade Firmware 的頁面

3. 點擊 「瀏覽」，依上頭的機型並選擇對應的檔案，然後點 Upgrade.

4. 依畫面指示，等候1分多鐘，幾乎快 2 分鐘了。反正不要中斷或按重整或中斷電源，這些都是不可以做的事情。

5. 待設定畫面恢復後，進入檢查設定並啟動未啟動的設定。

=====================================================

tomatoVPN 的 change log 看下面官方的 BLOG 吧。

http://tomatovpn.keithmoyer.com/2010/01/127vpn35.html

• Moved to Tomato 1.27 baseline
  • Tomato 1.26 changelog
  • Tomato 1.27 changelog
• Upgraded to OpenVPN 2.1.1
  • OpenVPN changelog
• Fixed "exclusive" option for accepting DNS
• Omit key/certs that aren’t filled in in the GUI
  • This should allow people to create user/pass only configs – likely to be added to the GUI in the future
• Fix some TAP connection issues
• Option to not leave existing default gateway in place while VPN is running
• Option is now to start VPN with WAN, not just with router
  • If wan goes down and back up, VPN service will be stopped and restarted
• "Poll Interval" option in GUI to periodically check if the VPN is running, and restart it if not.
• Various code cleanups/improvements and adaptations to the updated Tomato components

=====================================================

offical tomato change log as below:

http://www.polarcloud.com/tomato_127
Tomato 1.27
Submitted by jon on Sun, 2009-11-29 11:44

Version 1.27

* Fix DDNS "-1″ error when service used HTTPS.

Tomato 1.26
Submitted by jon on Thu, 2009-11-26 22:43

Version 1.26

* Allow a different port to be entered in Basic:Network:Static DNS (enter as "ip:port"). Be aware that dnsmasq must act as the DNS server (the default setting) when not using the normal port 53.
* Allow DHCP to serve the user-entered gateway (in Basic:Network) if the option in Advanced:DHCP is enabled.
* Do not start miniupnpd early to avoid warning messages.
* Update Australian DST (need to re-select), add Darwin, Brisbane TZ. Thanks to Peter O. for the info.
* Avoid double loading of tomato.css
* Fix possible null dereference in sendpage
* Collapsed all menus. For the old look, set nvram: "web_mx=status,bwm,tools"
* Obscured some key/password fields when not in focus.
* Accept more than two MAC addresses per IP address (ex: one IP for a laptop either wired or wireless [one at a time]). Note: Some computers may not like seeing the same IP unless it’s restarted.
* Added LED options back in Admin:Buttons/LED.
* Added ID for WLA2-G54L, TrueMobile 2300 thanks to Nick B. and David J.
* Added EditDNS thanks to Keith M.
* Added UTC+4:30 Kabul time zone.
* Fixed port set validation allowed more than what could be handled.
* Allow rstats to log if WAN port is used for LAN.
* Update dnsmasq to 2.51, miniupnpd 1.4, busybox 1.14.4, matrixssl 1.8.8.
=====================================================

此版更新後，原 sshd 的部份，會多出 remote port。

如果用 ap 做 gateway 的話，請勾選 remote port 並指定 port number。

如果不是用 ap 做 gateway 的話，請不要勾選 remote port。謝謝。

官網: http://tomatovpn.keithmoyer.com/2009/08/125vpn34-release.html

至於新增什麼功能，請看下面:

• Upgraded to OpenVPN 2.1rc19
• AES speed improvements (Thanks fyellin!)
• More "Accept DNS configuration" options (strict/exclusive)
• Add (dynamic) HOWTO links to GUI for key generation
• TLS renegotiation time setting
• WINS options pushed/accepted along with other DNS options
• Option to not push server LAN route to clients
• Option to leave comp-lzo directive out of confi altogether (now "Disable", "None" is equivalent to the old "Disable")
• Non-VPN changes (also sent to Jon for inclusion in Tomato)
  • Multiple MAC addresses can share an IP for Static DHCP
  • EditDNS added to Dynamic DNS providers
• Various code cleanups/improvements

1. 下載 puttygen.exe ，http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
[點我快速下載] ， 並啟動 puttygen.exe。

2.修改 Number of bits in a generated key 為 2048 → 並點 Generate。

3. 在產生 key 必須移動鼠標作為亂數的種子。

4. 等候 putty key generator 產生 public & private key.

5.藍色框框: 為 public key (公鑰)
tomato sshd server : Administration → Admin Access → Authorized Keys 的欄位貼上。
Linux server: /home/users/.ssh/authorized_keys
黃色框框: key comment (金鑰的註解，可註明用途及日期)
綠色框框: key passphrase (金鑰的保護密碼，不知道密碼的人，就會無法使用。)
紫色框框: Save Public key (儲存公開金鑰，可以不用儲存，只要有私鑰可以再度產生出來。)
紅色框框: Save Private key (儲存私人金鑰，此金鑰極為重要，不可亂丢)

6.Myentunnel: 請存成 keyfile.ppk , 如果有 profile ,ex: cpalm-keyfile.ppk , ( – ) 減號為檔名分隔符號。

7.(非必要步驟) 把產生的私鑰順便轉成 linux ssh 用的 私鑰格式。
Conversions → Export OpenSSH key → openssh.ppk 即可。

8. 在 Tomato sshd  的 authroized keys 欄位，貼入公鑰(public key) → Save → Start Now.

如欲轉載，請註明出處，謝謝。

1. 請到 openvpn.net 或 openvpn.se 下載，最新 2.1 的版本來安裝。
1.1 : http://openvpn.net/index.php/open-source/downloads.html ,
Direct Link: http://openvpn.net/release/openvpn-2.1_rc18-install.exe
2. 根據官方HowTo的說明安裝Server部分
a. 產生各種key，利用/usr/share/doc/openvpn/examples/easy-rsa/2.0/的script & bat.

b.init-conifg.bat / init-conifg
c. 修改vars
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taoyuan"
export KEY_CITY="PingChenCity"
export KEY_ORG="CompanyName"
export KEY_EMAIL="m...@email.box"
2. 執行參數設定
../vars
vars.bat
3. 清除已有 Key
./clean-all
clean-all.bat
4. 產生RootCA憑證
./build-ca
build-ca.bat
Common Name 填 OpenVPN-CA 其他都預設就好
5. 產生Server用憑證
./build-key-server server
build-key-server.bat server
Common Name 填 server ；其他是非題就選y
2. 偷懶法產生Client憑證
./build-key client1 ,  common name : client1
./build-key client2,  common name: client2
./build-key client3,  common name: client3
依此類推
3. 產生Diffie Hellman parameters
./build-dh
build-dh.bat
4. 把ca.crt、ca.key、server.crt、server.key、dh1024.pem放到 /etc/openvpn
5. 修改/usr/share/doc/openvpn/examples/sample-config-files/server.conf
後放在 /etc/server.conf
1. proto tcp
2. push "redirect-gateway"
3. user nobody
4. group nogroup
6. 把ca.crt、client1.crt、client1.key放到 第一台Client的設定檔目錄
(例如:Windows 就是在C:\Program Files\OpenVPN\config)
(Linux則在/etc/openvpn)
7. 在client1機器上一樣把client.conf(或client.ovpn@windows)的sample檔案拿來改
(其他client自行類推)
1. proto tcp
2. remote [VPN主機位置] 1194 (443,1863)
3. cert client1.crt
key client1.key
3. 加上NAT的設定
1. 啟動 ip forward
修改 /etc/network/options
ip_forward=yes
2. 設定iptable 的NAT 對應->參考資料
/sbin/iptables -t nat -A POSTROUTING -d ! 10.8.0.0/255.255.255.0 -j MASQUERADE
3. 儲存iptable設定
mkdir /var/lib/iptables/
/etc/init.d/iptables save active
4. 完成啦！
=====================================================================
VPN Server -
Certificate Authority – ca.crt of content from BEGIN to END.
Server Certificate – server.crt of content from BEGIN to END.
Server Key – server.key of content from BEGIN to END.
Diffie Hellman parameters – dh1024.pem of content from BEGIN to END.
Then click Save to Save above keys & Certificate of content.

=====================================================================
vpn.bat of content as below:
@echo off
rem —————————————————–
set ONET=10.0.0.0
set OMASK=255.0.0.0
set OGW=10.1.2.254

set VNET=192.168.1.0
set VMASK=255.255.255.0
set VGW=192.168.1.254
set VIP=192.168.1.100

route -f
route add %ONET% mask %OMASK% %OGW%
route add %VNET% mask %VMASK% %VIP%
route add 123.126.1.0 mask %VMASK% 10.1.2.3
route add 0.0.0.0 mask 0.0.0.0 %VGW%
route print
pause

rem ipconfig /flushdns
rem ipconfig /registerdns
:END

rem  10.1.2.3 <–> 123.126.1.2 <–> 192.168.1.100
rem —————————————————–
=====================================================================
Proxy Setting:
1. 在 .ovpn 或 .conf 裡加入，如下列:
ntlm auth: (for ISA 200X)

http-proxy proxy.Server 80 proxy.txt ntlm

proxy.Server : 你的公司內部的 porxy server 的ip 或 wins name。
80 : proxy port number
proxy.txt : 這個檔案必須跟 .ovpn/.conf 放在同一個資料夾，格式: 第一行:  cpalm\usr999000 ，第二行: 密碼
ntlm : auth 的方式有 none (免認證)，basic ( ID/PW) ， ntlm (isa server 綁定 domain 的認證方式)。

basic auth: (for Squid proxy server )

http-proxy proxy.Server 3128 proxy.txt basic
=====================================================================
===tomato VPN Web GUI setting===
=====================================================================
1.Goto [Administration] > [Scripts]  Copy below into text-box then save.

—Copy Begin—
到 Administration -> Scheduler -> Custom1 -> 在 command 填入下列幾行:
service vpnserver1 start
sleep 5
service vpnserver2 start
—Copy End—

2.Goto [VPN Tunneling] > [Server] > [Server 1]
Basic:
Start with Router : Checked (打勾)
Interface Type: TAP
Protocol: TCP
Port: 443
Firewall : Automatic
Authorization Mode: Static Key
Then click [Save] to save above settings.
Advanced:
Respond to DNS: Checked (打勾)
Encryption cipher : Use Default
Compression : Disabled
Custom Configuration: Leave Blank
Then click [Save] to save above settings.
Keys:
Static Key generate command as below and open key.txt then copy content to keys of textbox.
"C:\Program Files\OpenVPN\bin\openvpn.exe" –pause-exit –verb 3 –genkey –secret "C:\Program Files\OpenVPN\config\key.txt"
Then click [Save] to save above settings.
3. Click [Start Now] to active VPN server 1.