Tutorial - Site to Site VPN Using Tomato Firmware and OpenVPN
Tuesday, August 10, 2010 at 9:58PM

This howto covers the steps I followed to get a site-to-site VPN up and running using TomatoVPN. I claim no responsibility if your hardware is damaged following any of the steps contained in this tutorial.
I spent the better portion of the weekend looking at different VPN solutions to connect my shop to my residence. My goal was to have a bi-directional connection so I could access resources at both locations from the other. My decision was to use a site-to-site VPN with 2 Linksys WRT54GL routers that I already had lying around. I have in the past used DD-WRT for normal router operation but found the Quality of Service to be lacking. This could be my own lack of knowledge, but who knows. I just know that I have never been able to get it working right. I decided to use TomatoVPN, which is a mod of Tomato. The reviews of the QoS were pretty good and the initial testing I performed looked promising.
Step 1 - Generate Your OpenVPN Certs and Keys
The TomatoVPN GUI gives you 3 choices when choosing your Authorization Mode.
- TLS
- Static
- Custom
As far as setup goes, TLS is not much more work and is a better solution all around. In order to use it you must generate several keys and certificates. To do this, first install the OpenVPN client on a computer (you can locate that here). I believe that you can only use the Windows or Linux clients; using a Mac is a little more complicated and is beyond the scope of this post. Once you have the client installed, follow this howto. Read the howto and don't just skip to the commands. Watch out for the Common Name of each device: it must be different for every certificate you generate.
Step 2 - Install TomatoVPN
Download the TomatoVPN firmware and follow these instructions. Once the router is flashed, confirm everything works before moving on. Set up a different subnet on each of the two networks, like 192.168.2.x and 192.168.3.x, or whatever strikes your fancy.
Step 3 - Setup OpenVPN Server
On the router that will be the server, use the following screenshots as an example. This router resides at my shop, which has a static IP. The server needs either a static IP address or a service like dyndns.org; you will need it for the client to connect to the server.
The only thing that you might need to change is the VPN subnet/netmask if you are already using 10.8.0.0. Just set it to a different subnet than you are currently using on either end.
Use a plain text editor to open the keys and certs that you created. Everything in each key/cert file from the line starting with -----BEGIN through the line starting with -----END has to be entered. The files that you create during the key generation process should be located in the easy-rsa/keys directory.
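Copying the PEM blocks by hand from easy-rsa's output is error-prone, because each .crt file carries a human-readable dump above the -----BEGIN line and only the block itself belongs in the Tomato text fields. The following added example (my code, not the post's or Tomato's) pulls out exactly those blocks and, for the certificates, checks that every device really has a distinct Common Name as Step 1 requires. It assumes easy-rsa's .crt files include the 'Subject:' line that 'openssl ca' prints; the sample files below are constructed placeholders, not real certificates.

```python
import re
import sys
from typing import Dict, List, Optional

# One PEM block: the -----BEGIN line through its matching -----END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# Assumption: easy-rsa's .crt files carry the text dump that 'openssl ca'
# prints above the PEM block, including a 'Subject:' line with the CN.
SUBJECT_CN = re.compile(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", re.MULTILINE)


def extract_pem_blocks(text: str) -> List[str]:
    """Return every PEM block in a file, trimmed to exactly the lines that
    belong in the Tomato VPN key/cert fields (no text dump, no blank lines)."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body_lines = [ln.strip() for ln in m.group("body").splitlines() if ln.strip()]
        blocks.append(
            f"-----BEGIN {label}-----\n" + "\n".join(body_lines) + f"\n-----END {label}-----"
        )
    return blocks


def common_name(cert_text: str) -> Optional[str]:
    """Common Name from the Subject line of an easy-rsa style .crt, or None."""
    m = SUBJECT_CN.search(cert_text)
    return m.group(1).strip() if m else None


def check_distinct_common_names(certs: Dict[str, str]) -> Dict[str, str]:
    """Map file name -> CN, raising ValueError if two certs share a Common Name
    (the OpenVPN howto requires a different CN for every device)."""
    seen: Dict[str, str] = {}  # CN -> file name
    for name, text in certs.items():
        cn = common_name(text)
        if cn is None:
            raise ValueError(f"{name}: no 'Subject:' line with a CN found")
        if cn in seen:
            raise ValueError(f"{name} and {seen[cn]} both use Common Name {cn!r}")
        seen[cn] = name
    return {name: cn for cn, name in seen.items()}


# Constructed sample files in the shape easy-rsa writes (not real certificates;
# the base64 bodies are placeholders).
SERVER_CRT = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=US, ST=CA, O=Shop, CN=shop-server/emailAddress=me@example.com
-----BEGIN CERTIFICATE-----
MIIBplaceholderServerCertLine1
MIIBplaceholderServerCertLine2
-----END CERTIFICATE-----
"""
CLIENT_CRT = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=US, ST=CA, O=Shop, CN=home-client/emailAddress=me@example.com
-----BEGIN CERTIFICATE-----
MIIBplaceholderClientCertLine1
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Usage: python pem_blocks.py easy-rsa/keys/server.crt easy-rsa/keys/client1.crt ...
    files = {p: open(p).read() for p in sys.argv[1:]}
    if not files:
        files = {"server.crt": SERVER_CRT, "client.crt": CLIENT_CRT}
    certs = {n: t for n, t in files.items() if n.endswith(".crt")}
    for name, cn in check_distinct_common_names(certs).items():
        print(f"{name}: CN={cn}")
    for name, text in files.items():
        print(f"\n# paste into Tomato for {name}:")
        print("\n".join(extract_pem_blocks(text)))
```

Run it against the files in easy-rsa/keys and paste each printed block into the matching field; the CN check fails loudly before you flash a pair of certificates that would collide.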
I am using 10.10.30.0/255.255.255.0 for my home network. By adding the entry to this field I am setting it up so that the VPN can be bidirectional. I don't just want to access my shop from home; I want to access my home from the shop.
Finally, go into port forwarding and forward port 1194 to the router's own address. If your router is 192.168.1.1, then that's the address to use.
Step 4 - Setup the Client Router
The client router, which in my case is at my home, does not have or need a static address.
The only piece of information that is variable here is the server address: replace xxx.xxx.xxx.xxx with the address of your other router, the one that is acting as the OpenVPN server. Make sure 'Create NAT on tunnel' is unchecked; the settings changes that were made on the server's advanced page will take care of it.
For the keys and certs you're going to do the same as you did for the server, except that you will use the client cert and key that you created and not the server ones.
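The server and client screens above map onto a handful of plain OpenVPN directives, and seeing them spelled out makes the bidirectional part (Step 3's home-network entry and Step 4's unchecked NAT box) easier to reason about. The following added example is my code, not the post's or Tomato's: it generates the equivalent server.conf, per-client ccd file and client.conf for a routed site-to-site tunnel and refuses overlapping subnets, the mistake Steps 2 and 3 warn about. The route/iroute pairing is standard OpenVPN; that the GUI fields produce exactly these directives is my assumption. Placeholder values: 192.168.2.0/24 for the shop LAN, 203.0.113.10 for the server's public address, 'home-client' as the client's Common Name, and dh1024.pem as the DH file name from easy-rsa.

```python
import ipaddress
from typing import Dict


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects a host address such as 192.168.2.5/24
    return ipaddress.ip_network(cidr, strict=True)


def _route(net: ipaddress.IPv4Network) -> str:
    """OpenVPN writes routes as 'network netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def validate_subnets(server_lan: str, client_lan: str, vpn_subnet: str) -> Dict[str, ipaddress.IPv4Network]:
    """The two LANs and the tunnel subnet must not overlap; otherwise the
    routes that make the tunnel bidirectional become ambiguous."""
    nets = {
        "server LAN": _net(server_lan),
        "client LAN": _net(client_lan),
        "VPN tunnel": _net(vpn_subnet),
    }
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}: pick a different subnet")
    return nets


def site_to_site_configs(server_lan: str, client_lan: str, vpn_subnet: str,
                         server_public: str, client_cn: str, port: int = 1194) -> Dict[str, str]:
    """Return {file name: contents} for a routed (no NAT) site-to-site setup."""
    nets = validate_subnets(server_lan, client_lan, vpn_subnet)
    server_route = _route(nets["server LAN"])
    client_route = _route(nets["client LAN"])
    server_conf = "\n".join([
        "# Server side (the router with the static/dyndns address); forward UDP port below to it",
        "dev tun",
        "proto udp",
        f"port {port}",
        f"server {_route(nets['VPN tunnel'])}",
        "ca ca.crt",
        "cert server.crt",
        "key server.key",
        "dh dh1024.pem",  # assumed file name from easy-rsa/keys
        "# Push a route so hosts behind the client can reach the server LAN",
        f'push "route {server_route}"',
        "# Kernel route for the client LAN into the tunnel ...",
        f"route {client_route}",
        "# ... and the per-client file (named after the client CN) tells OpenVPN which client owns it",
        "client-config-dir ccd",
        "keepalive 10 120",
        "persist-key",
        "persist-tun",
    ])
    # iroute lives in ccd/<Common Name of the client certificate>
    ccd_entry = f"iroute {client_route}\n"
    client_conf = "\n".join([
        "# Client side (the router without a fixed address); no NAT on the tunnel",
        "client",
        "dev tun",
        "proto udp",
        f"remote {server_public} {port}",
        "resolv-retry infinite",
        "nobind",
        "ca ca.crt",
        "cert client.crt",
        "key client.key",
        "# Only accept a peer whose cert was built with build-key-server",
        "remote-cert-tls server",
        "persist-key",
        "persist-tun",
    ])
    return {"server.conf": server_conf, f"ccd/{client_cn}": ccd_entry, "client.conf": client_conf}


if __name__ == "__main__":
    # Placeholder inputs: shop LAN, the post's home LAN, the post's default tunnel subnet,
    # a documentation-range address standing in for the shop's public IP, and the client CN.
    for name, body in site_to_site_configs("192.168.2.0/24", "10.10.30.0/24", "10.8.0.0/24",
                                           "203.0.113.10", "home-client").items():
        print(f"### {name}\n{body}\n")
```

The ccd file name must equal the client certificate's Common Name exactly, which is the second reason the CN of each device has to be unique; and because the server learns the home subnet through iroute rather than NAT, hosts on the shop side see real 10.10.30.x addresses, which is what the unchecked 'Create NAT on tunnel' box preserves.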
Step 5 - Enjoy
That is all there is to it.
Chris Webb