by ashes » Sat Feb 06, 2016 6:50 pm
@pratik Here's how to setup Tomato...
I'm a Sonic FFTN customer and I want the same level of privacy protection I had under my old Sonic ADSL service. I am VPNing my whole home network to Sonic's VPN server. If the VPN goes down, I want it to fail closed (not to simply route out on ATT's network).
I am running Tomato (Shibby) on an ASUS RT-AC68U v2; you will want a router, like this one, with a reasonably fast CPU to handle VPN without impacting bandwidth. It is not DMZ'd, since this VPN-only configuration does not double-NAT due to the VPN bypassing the Uverse gateway's NAT. I have another router DMZ'd providing a standard non-VPN NAT to a separate home network.
Step 1)
Log into ovpn.sonic.net; I mean "Login", not "Connect". Note the drop-menu next to the "Go" button.

You'll see this screen; otherwise you didn't change the drop-menu to Login in the previous step. Hit the last link, "Yourself (user-locked profile)". It will download a file called client.ovpn; open this in any text editor (e.g. Notepad, TextEdit, etc.). You will need to copy some keys from this file later on.

Step 2)
On your router running Tomato, go to VPN Tunneling->OpenVPN Client. Enter the following settings.
You could replace ovpn.sonic.net with its IP address: 209.148.113.36
Enter your sonic username/password

The Exclusive DNS setting ensures that only Sonic's DNS servers are used when VPNing.

Here's where you want to copy-paste those keys from the client.ovpn file. Look for the corresponding <tag> in the client.ovpn file and copy the whole alphanumeric string, including the BEGIN and END lines, excluding the <tag> </tag> lines.


You should at this point be able to hit the "Start Now" button and the VPN will start; you can check it on the status tab or in the logfile. If it doesn't establish, check your settings and the log file.

Step 3) (Optional)
In Administration->Scripts->Firewall, adding this will block all home network traffic if the VPN is down.
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

In Administration->Scheduler you can set the VPN to automatically restart on schedule or disconnect.
If you need to restart your VPN connection, then enable this. I was using this on the VPN beta server since it timed out OpenVPN connections after 24 hours, supposedly this doesn't happen on the production server (or the beta server anymore). I just switched to production today, so I haven't tested to be sure. Anyhow if you need it, it's here.

Also there we can have the VPN auto-reconnect if we lose the connection.
This sets it to try to establish the VPN every minute (at the 40 second mark, due to the "wait 40;"). I offset this by 40 seconds for compatibility with the scheduled force-restart setting above. If your VPN is already established, then this does not disturb the existing link. You can test this yourself by disconnecting your WAN port on your router to force a loss of connection, then watch it re-establish on reconnect.
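As an added example (not from ashes's post or Tomato itself), here is a scheduler script that does what the reconnect step describes: it waits 40 seconds, checks whether the OpenVPN client's tunnel interface is up, and only starts the client when it is not, so an established link is left undisturbed. It assumes Tomato's first OpenVPN client uses interface tun11 and is controlled with `service vpnclient1 start`, and that `iptables -S` is available to confirm the fail-closed FORWARD rule from Step 3; all three are assumptions.

```sh
#!/bin/sh
# vpnwatch.sh: run once a minute from Administration->Scheduler on Tomato (Shibby).
# Assumptions (not from the post): tunnel interface tun11, "service vpnclient1 start".

VPN_IF="${VPN_IF:-tun11}"
# wan_iface comes from nvram on the router; eth0 is only a fallback for running elsewhere.
WAN_IF="$(nvram get wan_iface 2>/dev/null || echo eth0)"

# Returns 0 when the interface exists and carries IFF_UP (the tunnel is established).
vpn_is_up() {
    iface="$1"
    if [ -r "/sys/class/net/$iface/flags" ]; then
        flags=$(printf '%d' "$(cat "/sys/class/net/$iface/flags")")
        [ $((flags & 1)) -eq 1 ]                      # IFF_UP is bit 0
    else
        ifconfig "$iface" 2>/dev/null | grep -q 'inet '   # BusyBox fallback
    fi
}

# Prints "leave" when the tunnel is up and "start" when it must be re-established,
# so the decision can be checked separately from the side effect.
reconnect_action() {
    if vpn_is_up "$1"; then echo leave; else echo start; fi
}

# Returns 0 if the fail-closed rule from Step 3 is present in FORWARD, 1 otherwise.
fail_closed_rule_present() {
    iptables -S FORWARD 2>/dev/null | grep -q -- "-i br0 -o $WAN_IF -j DROP"
}

main() {
    sleep 40    # offset from the top of the minute, matching the post's "wait 40;"
    if [ "$(reconnect_action "$VPN_IF")" = start ]; then
        logger -t vpnwatch "$VPN_IF is down, starting OpenVPN client 1"
        service vpnclient1 start
    fi
    fail_closed_rule_present || logger -t vpnwatch "warning: fail-closed FORWARD rule missing"
}

# Only run main when invoked as the script itself, so the functions can be sourced for testing.
case "$0" in *vpnwatch*) main ;; esac
```

Save it as vpnwatch.sh on the router and point the scheduler entry at it; the log lines show up in the Tomato syslog under the vpnwatch tag.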