Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

HOWTO: DD-WRT Routers

Guides, HOWTOs etc on how to setup Cryptostorm on PCs, smartphones, tablets and routers.
DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

HOWTO: DD-WRT Routers

Postby DesuStrike » Mon Nov 04, 2013 6:14 am

Message from DesuStrike:
I hereby invite the community helpers and staff to keep these reference charts and howtos up to date together with me.

I only ask that two things be respected:
1. Don't change the overall layout and/or style of my lists/posts
2. Don't change/remove my personal choice of words like "United States of NSA" or "Mother Russia"

Thanks and keep on being the most awesome people on the internets!


{direct link: cryptostorm.org/dd-wrt}
last updated 07.01.2015

This guide is for the DD-WRT router firmware. You can check if your router supports it and download it over here. The GUI might look a tad different depending on your version. This guide assumes you use the most recent standard build as of 07.01.2015, version 25697.


Go to SERVICES --> VPN and adjust your settings to match those selected in the screenshot attached below; hit SAVE and then APPLY when you are done!
Replace the IP in the screenshot with the IP of the country node you want to use. Please see my IP chart for LINUX IPs.

(screenshot: openvpn.png, the SERVICES --> VPN page with the settings to copy)




Next, you need to go to ADMINISTRATION --> COMMANDS and enter the text below. Hit SAVE STARTUP when you are done!

Code:

# credentials file the OpenVPN client reads when it connects:
# line 1 = your hashed token, line 2 = the password value from the configs
echo "your hashed Token here" > /tmp/user.conf
echo 93b66e7059176bbfa418061c5cba87dd >> /tmp/user.conf
# root-only; /tmp is RAM-backed, so this script recreates the file on every boot
chmod 600 /tmp/user.conf


Now we'll add some leak protection and tell the router how to route traffic into the tunnel device.
Go to ADMINISTRATION --> COMMANDS and enter the following code. Hit SAVE FIREWALL when you are done!

Code:

# let DHCP replies from the ISP in, so WAN lease renewals keep working
iptables -I INPUT -p udp --dport 68 -j ACCEPT
# LAN (br0) <-> tunnel (tun0) is the only forwarding path
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# kill switch: never forward LAN traffic straight out of the WAN port (vlan2)
iptables -I FORWARD -i br0 -o vlan2 -j DROP
# nothing arriving from the VPN side may talk to the router itself
iptables -I INPUT -i tun0 -j REJECT
# NAT the LAN addresses behind the tunnel address
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


Depending on your router hardware, the tun device could be called tun1 and the WAN port may be mapped to eth0. In that case (or if you can't connect to CryptoStorm after following this guide), please use the following firewall rules instead.

Code:

# same rules as above, with tun1 as the tunnel and eth0 as the WAN port
iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
# kill switch for the eth0 WAN port
iptables -I FORWARD -i br0 -o eth0 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE


Finally, go to ADMINISTRATION --> MANAGEMENT and hit REBOOT ROUTER. Give your router some time to reboot and connect to the VPN.


...after a minute or two, you should surf the web protected by cryptostorm_darknet! :thumbup:

Attachment: cryptostorm.crt (1.79 KiB)
Last edited by DesuStrike on Mon Nov 04, 2013 4:18 pm, edited 2 times in total.
home is where the artillery hits
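The startup and firewall steps above, turned into a script, as an added example that is not part of the original guide: a small POSIX shell script (DD-WRT's busybox sh and awk are enough) that reads the WAN and tunnel interface names off the router instead of guessing between tun0/vlan2 and tun1/eth0, emits the same six rules, and checks afterwards that the kill-switch DROP rule is really present in the FORWARD chain. The interface names are those the guide uses; the `nvram get wan_ifname` lookup mentioned in a comment is an assumption about DD-WRT, not something the guide relies on.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the DD-WRT kill-switch
# rules from the router's real interface names instead of guessing tun0/vlan2
# versus tun1/eth0. POSIX sh + awk only, so it runs in DD-WRT's busybox.

# wan_iface ROUTES: interface of the default route, from `ip route` output.
# (DD-WRT also keeps it in NVRAM; `nvram get wan_ifname` is an assumed name.)
wan_iface() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# tun_iface LISTING: first tun* device in a `ls /sys/class/net` listing.
# Prints nothing while the tunnel is down; the caller then falls back to tun0,
# which iptables accepts even though the device does not exist yet.
tun_iface() {
    printf '%s\n' "$1" | awk '/^tun[0-9]+$/ { print; exit }'
}

# gen_rules LAN TUN WAN: emit the firewall rules from the guide.
# -I inserts at the top, so they end up in reverse order; none conflict.
gen_rules() {
    lan=$1; tun=$2; wan=$3
    cat <<EOF
# DHCP replies from the ISP must still get in after a WAN lease renewal
iptables -I INPUT -p udp --dport 68 -j ACCEPT
# LAN <-> tunnel is the only forwarding path
iptables -I FORWARD -i $lan -o $tun -j ACCEPT
iptables -I FORWARD -i $tun -o $lan -j ACCEPT
# kill switch: LAN traffic is never forwarded straight out of the WAN port
iptables -I FORWARD -i $lan -o $wan -j DROP
# nothing from the VPN side may reach the router itself
iptables -I INPUT -i $tun -j REJECT
# hide LAN addresses behind the tunnel address
iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE
EOF
}

# has_killswitch RULES LAN WAN: inspect `iptables -S FORWARD` output;
# returns 0 when the LAN->WAN DROP rule is there, 1 when the router would leak.
has_killswitch() {
    printf '%s\n' "$1" | grep -q -- "-A FORWARD -i $2 -o $3 -j DROP"
}

# On the router (constructed usage; interfaces come from the live system):
#   wan=$(wan_iface "$(ip route)"); tun=$(tun_iface "$(ls /sys/class/net)")
#   gen_rules br0 "${tun:-tun0}" "${wan:-vlan2}" | sh
#   has_killswitch "$(iptables -S FORWARD)" br0 "${wan:-vlan2}" || echo "LEAK: no DROP rule"
```

Run the check after every reboot and after every firmware update: if the DROP rule is missing, the router forwards LAN traffic out of the WAN port the moment the tunnel drops.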

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Mon Nov 04, 2013 4:12 pm

As always: Thanks for the cosmetic enhancements. I am pretty much out of practice concerning BB-Code and your changes make it way more readable.


cryptostorm_ops (ForumHelper) | Posts: 104 | Joined: Wed Jan 16, 2013 9:20 pm

unlimited network usage, & reconnect testing request

Postby cryptostorm_ops » Mon Nov 04, 2013 4:53 pm

Friendly note from your network admin team:

By design, connections to cryptostorm are meant to stay connected. Occasionally, local network hiccups can cause a "drop" in the secure network session (which is often referred to as "VPN leaks," although that's a fairly nebulous term to precisely define) - and, even less often, something will happen within the cryptostorm network to cause member sessions to drop.

The configuration parameters we've put in place for network clients specify an "infinite-retry" directive. In English, that means that automatic reconnection efforts should start as soon as the local network routing table itself is able to pass IP packet traffic successfully again. This does not require any extra commands, or actions, or changes to configuration by members of cryptostorm. It is set this way by default.

To stop your client software from attempting this auto-reconnect, you will have to shut down the package itself; there's no time at which, per our configuration settings, the local client will itself "give up" and stop trying to reconnect to cryptostorm. Conversely, the network server-side won't get mad at attempts to reconnect, and in fact encourages them.


The relevance of this to router setups is as follows:

Feel free to wire your router into cryptostorm, per the instructions above. Feel free to leave it connected to cryptostorm continuously, 24/7. There is no reason to disconnect your router from cryptostorm manually, in terms of your membership with cryptostorm. We have no "limits" or "bandwidth caps" or secret tracking we do of your "bandwidth usage" of our network. In fact, the entire design of our token-based auth framework exists to make such tracking not-possible for us to do in the first place: our auth procedures operate on up/down "flags" for network sessions - no other parameters pass out of OpenVPN; we have no "accounting system," no tracking framework, no RADIUS crap that wants to monitor "subscribers" - all of that has been stripped from our network model, intentionally, to increase member security.

If your router drops the connection, it should automatically re-initiate it - although we'd much prefer to see beta testers confirm this behaviour with formal testing, and will ensure that happens in due course. Don't ever worry you are using "too much" of cryptostorm - there is no such thing. The network exists for members to use, and use as they need. Period.

So long as your token auths as "current and valid," the network is yours to use. There are no constraints on this, and never will be. Enjoy.

    ~ cryptostorm_ops

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: unlimited network usage, & reconnect testing request

Postby DesuStrike » Mon Nov 04, 2013 5:28 pm

cryptostorm_ops wrote:If your router drops the connection, it should automatically re-initiate it - although we'd much prefer to see beta testers confirm this behaviour with formal testing, and will ensure that happens in due course.


Well, there is an optional firewall configuration for the extra paranoid folks that will guarantee (I assume no liability! :P ) to block any connections other than reconnect attempts as soon as the VPN drops.
Feel free to edit those into my guide if and where you feel fit.

Go to ADMINISTRATION --> COMMANDS and enter the following code. Hit SAVE FIREWALL when you are done!

Code:

# DHCP replies from the ISP stay allowed so the WAN lease can renew
iptables -I INPUT -p udp --dport 68 -j ACCEPT
# only LAN <-> tunnel is forwarded
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# LAN -> WAN is dropped, so nothing leaks while the VPN is down
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE



Ignore the following if you don't like awkward half-baked tech talk. :oops:

PS: The geek folks around here will notice the one line concerning IP lease/renegotiation. This is a clever trick for people with very short 24h disconnects or cable internet providers (that renegotiate every 20 minutes or so) that will keep your VPN connection intact despite those short interruptions forced on you by your ISP.
This is especially useful for gamers!

PPS: Normally this line should not be needed, BUT there is a nasty bug in DD-WRT that causes a complete drop of the connection at IP lease renewal for a lot of people.

marzametal | Posts: 520 | Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: DD-WRT Routers

Postby marzametal » Tue Nov 05, 2013 6:07 am

Would help if my modem was supported... oh well...

Might just say goodbye to the Internet forever and destroy my laptop and router with my ww2 bayonet...

Graze | Posts: 247 | Joined: Mon Dec 17, 2012 2:37 am

Re: HOWTO: DD-WRT Routers

Postby Graze » Tue Nov 05, 2013 9:03 am

marzametal wrote:Would help if my modem was supported... oh well...


It's possible to buy used routers that happily run the DD-WRT images for a pittance - usually quite a bit less than $10 - in most areas. That's a pretty good investment, particularly if folks then map cryptostorm into the router & thus have direct darknet connectivity, automatically, for any and all devices using that router. Very handy!

Graze
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

marzametal | Posts: 520 | Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: DD-WRT Routers

Postby marzametal » Tue Nov 05, 2013 9:41 am

Thanks for the info Graze... never thought of if that way...

marzametal | Posts: 520 | Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: DD-WRT Routers

Postby marzametal » Sun Nov 17, 2013 5:49 am

How are DD-WRT router users going to be affected down the track? From what I can understand, using DD-WRT removes the need to use the widget. Plans are in place to inject LeakBlock into the widget to produce a one-package system. So, wouldn't this mean that DD-WRT router users would have to revert back to a widget?

I have no clue how LeakBlock would be able to be injected into a router (probably cannot be), unless it is provided as a separate application entirely.

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Sun Nov 17, 2013 6:26 am

If you force a defined set of three DNS servers (in the General tab) you avoid DNS leaks, because the router simply cannot fall back to any of your ISP's DNS servers and (afaik) transparent DNS proxy tricks by your ISP won't work either.

For actual packet leak protection please use the iptables (firewall) configuration provided at the end of my guide. This will make sure that all outgoing traffic is routed through the VPN. Also, if the VPN connection drops it blocks ALL outgoing traffic other than what is needed to reestablish the VPN connection.

As far as I know this covers exactly the features LeakBlock has to offer. It's just not as comfortable as a simple widget, and especially in Windows it's a real pain in the ass to get results similar to those described above. AFAIK Windows isn't even capable of doing such things out of the box. So LeakBlock is not a magical piece of software that removes leaks but just a simple solution to make things easier for Windows users and for people without a DD-WRT router.

I could be wrong though. (Official statement pls! :P ) If LeakBlock has some awesome features like protocol obfuscation, etc. then DD-WRT users really will be left out in the cold.

marzametal | Posts: 520 | Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: DD-WRT Routers

Postby marzametal » Fri Nov 22, 2013 7:40 am

Ever since this DD-WRT thingy popped up, I was wondering if there was an alternative. The idea that DD-WRT sits on the router and does what it does is great. But I really can't be bothered going out and getting another router. I've already done it once when I ditched the wireless-enabled router for one that must be connected by an ethernet cable.

So I did a bit of surfing and came across a website...
Protect Your IP From Being Disclosed if Your VPN Connection Fails.

I thought I'd give it a shot, don't plan to get another router, and wanted to challenge myself a bit. I seem to have it working: all up/down streams slow to zero as soon as I log off the darknet. Also, the internet is not active until I run the batch file to re-enter the original Local Area Connection entry into the routing table.

In the DNS Leaks section, it asks to "find the DNS server addresses that my VPN provider uses or prefers". I used the DNS entries that I found in this thread: DNS entries in Post 2.

Code:

push "dhcp-option DNS 198.100.146.51"
# OpenNICproject.org
push "dhcp-option DNS 91.191.136.152"
# Telecomix is.gd/jj4IER
push "dhcp-option DNS 213.73.91.35"
# CCC http://is.gd/eC4apk

The second part of the DNS Leaks section asked to change the "preferred ISP DNS servers to generic ones within my router". I used some of the ones mentioned on the page, more specifically the OpenDNS ones instead of the Google ones. Are there safer options for this? I know this is where LeakBlock comes in, and even DD-WRT handles this section very well (I think).

I felt like I should pass this on. Let me know if it's worth applying for those who do not make use of DD-WRT or in general.

acid1c | Posts: 49 | Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: DD-WRT Routers

Postby acid1c » Fri Nov 22, 2013 10:01 am

I suggest sticking with OpenNIC, and try to stick with no-logging DNS and DNSCrypt ones.
http://wiki.opennicproject.org/Tier2
Bitmessage me with Questions, Help, or ChitChat :) - BM-2cV5BzWc9P7vufQREE8Be4U64GBgRJ3GnT
" Those who do not move, do not notice their chains." -Rosa Luxemburg


Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: HOWTO: DD-WRT Routers

Postby Lignus » Fri Nov 22, 2013 12:13 pm

Marza,
I have to ask. Just what router was the wireless one you replaced? Most routers are supported by OpenWrt/DD-WRT.

You can likely bring that wireless router back into service, and disabling wireless is trivial (just remove the kmod). With a proper iptables setup, LeakBlock is pointless because your router does not pass your traffic to the internet; it only knows how to pass it to the VPN.


EDIT: Of note. My OpenWrt config actively blocks everything that clients ask of it except for DHCP, WebUI, and SSH for exactly this reason. The DHCP server pushes DNS servers to the clients to use, not the router's IP. These two settings, along with blocking all access to the WAN by client machines, are one of the most effective methods of protecting yourself from leaks.

Since the router does not listen to DNS requests, it cannot relay them to the internet should the VPN be down. If you allow your clients to request DNS from your local router, there is a STRONG possibility of a DNS leak. My method eliminates this vector. If I were setting up a more permanent, black-box type system, I would make my final config setting to disable SSH and WebUI as well. This means that your router is effectively a black hole that happens to happily route whatever you want to the VPN and provide DHCP settings.
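The two settings Lignus describes, the DHCP server handing clients the resolvers directly and the router refusing to answer or relay DNS itself, as an added example that is not Lignus's actual OpenWrt config: a POSIX shell script that builds the dnsmasq DHCP option (dnsmasq is the DHCP/DNS daemon on both OpenWrt and DD-WRT) from a validated list of resolver addresses, and emits iptables rules so LAN clients can neither use the router as a resolver nor reach a resolver on the WAN directly, leaving the tunnel as the only path DNS can take. The resolver addresses are the three quoted earlier in this thread; the interface names br0/vlan2 are the guide's, and whether your router exposes an "additional dnsmasq options" field to paste the line into is an assumption to check.

```shell
#!/bin/sh
# Added example, not Lignus's real config: generate his DNS hardening for a
# dnsmasq-based router. POSIX sh + awk, so it runs on busybox firmware.

# valid_ipv4 ADDR: four dotted decimal octets in 0..255, nothing else.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# dhcp_dns_option IP...: dnsmasq line handing DHCP clients their resolvers
# (DHCP option 6) instead of the router's own address. Refuses malformed
# addresses so a typo cannot silently point every client at a wrong server.
dhcp_dns_option() {
    list=""
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad resolver address: $ip" >&2; return 1; }
        list="${list:+$list,}$ip"
    done
    [ -n "$list" ] || return 1
    echo "dhcp-option=6,$list"
}

# no_router_dns LAN WAN: the router keeps dnsmasq for DHCP only. Clients that
# still try the router (or any WAN resolver) on port 53 are refused, so the
# only way a DNS query can leave the LAN is through the tunnel.
no_router_dns() {
    lan=$1; wan=$2
    cat <<EOF
# clients may not use the router as a resolver
iptables -I INPUT -i $lan -p udp --dport 53 -j REJECT
iptables -I INPUT -i $lan -p tcp --dport 53 -j REJECT
# defence in depth next to the LAN->WAN kill switch: no DNS straight to the WAN
iptables -I FORWARD -i $lan -o $wan -p udp --dport 53 -j DROP
iptables -I FORWARD -i $lan -o $wan -p tcp --dport 53 -j DROP
EOF
}

# Constructed usage with the resolvers quoted in this thread:
#   dhcp_dns_option 198.100.146.51 91.191.136.152 213.73.91.35   # -> dnsmasq line
#   no_router_dns br0 vlan2 | sh                                   # -> firewall rules
```

After applying it, a client's `nslookup` against the router's LAN address must fail outright; if it still answers, the router is relaying DNS and will keep doing so the moment the tunnel is down.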

Mousy | Posts: 18 | Joined: Thu Oct 31, 2013 5:12 pm

Re: HOWTO: DD-WRT Routers

Postby Mousy » Sat Feb 01, 2014 3:23 pm

Hello,

I'm having trouble connecting to the VPN on my router, do the settings in the Additional Config section still reflect the settings needed now that we have moved on to the 1.3 configs?

And if not, can somebody point me at solution please?

Many thanks

Mousy
    Key ID: 0x75DA8C34764DD484
    Key Fingerprint: 5FD9 DF85 ED14 0D6E 5F20 6B20 75DA 8C34 764D D484
    Download My PGP Key.

Mahatma Gandhi wrote:First they ignore you, then they laugh at you, then they fight you and then you win.

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Sat Feb 01, 2014 4:20 pm

There will be a special DD-WRT config in the future. In the meantime I'd recommend the raw-configs.

I'll only mention values that changed from the picture provided:

Code:

Tunnel MTU settings: Empty
Tunnel UDP Fragment: Empty
Tunnel UDP-MSS-Fix: Enabled
Hand Window 37
replay-window 128 30
float


This should be it. Please report your results.

Mousy | Posts: 18 | Joined: Thu Oct 31, 2013 5:12 pm

Re: HOWTO: DD-WRT Routers

Postby Mousy » Sat Feb 01, 2014 4:30 pm

Sorry, it occurred to me that some more details of my setup might be useful!

I'm using a router from Buffalo that's built around the DD-WRT open firmware, and up until couple of days ago I was connected to the PrivateInternetAccess.com VPN server using the same router. That is, until I saw the light and switched to CryptoStorm!

As you can see in the following image of my VPN configuration page, I've used the IP address:

Code:

70.38.46.226

Because when I tried to use the hostname:

Code:

cluster-iceland.cryptostorm.net

I was still completely unable to connect.

(screenshot: DD-WRT.png, the VPN configuration page)


After filling in the details on the VPN Settings page, I followed these instructions, saving the following commands in the Commands --> Startup section of the router administration panel. Obviously I swapped in my NT!

Code:

echo "your hashed Token here" > /tmp/user.conf
echo 93b66e7059176bbfa418061c5cba87dd >> /tmp/user.conf
chmod 600 /tmp/user.conf


I then restarted the router but to no avail. :-( On the off chance that the firewall rules were necessary for my router, I plugged them in and restarted the router again, but that didn't work either.

The router has a specific OpenVPN status section, but the error messages were singularly unhelpful, as in this was all they said:

Code:

State
Server: : Local Address: Remote Address: Client: : Local Address: Remote Address:

Status

Log
Serverlog Clientlog


Neither use nor ornament, I think you'll agree!

So I think that's everything, is there anything else anybody can suggest that I might try to get me connected to the Darknet please?

Many thanks

Mousy

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Sat Feb 01, 2014 4:48 pm

Ahhh okay! Things are obvious now. Your router firmware is WAY out of date. I mean like WAAAAAAAAY out of date. It's from 2012!
This means the OpenVPN version of this firmware is way too old to support CryptoStorm's superior encryption. Now guess how good PIA's overall security is... ;)

If Buffalo doesn't offer an updated firmware for your device you will have to flash it yourself. You find the necessary links on top of the first post.

Cheers!

Mousy | Posts: 18 | Joined: Thu Oct 31, 2013 5:12 pm

Re: HOWTO: DD-WRT Routers

Postby Mousy » Sat Feb 01, 2014 4:57 pm

Yowzah, PIA's overall security is TERRIBLE!

Nearly 2 years out of date?! Anyway, I will just stick to VPN connections on individual machines until I can work out how on earth I am going to be able to flash a router myself.

I'm quadriplegic, you see, so I need to make sure any instructions are 100% foolproof because I will be contracting in a Designated Pair of Hands™ and they probably won't have a high degree of technical skill. So it will end up that I'm probably not going to be able to do it, unfortunately, as amenable Designated Pairs of Hands™ with enough technical know-how are very thin on the ground round here.

Which sucks because I really would like all of the devices in my network to be behind the CryptoStorm protection!

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Sat Feb 01, 2014 8:54 pm

Don't sweat it! It's actually pretty easy, as your router already uses DD-WRT. It's just a branded one. Everything can be done with the provided GUI, and thus your "Designated Pair of Hands" will not need any special knowledge. ;)

I will attempt a short guide:

1. Get to know what router model you have. Buffalo alone is not enough. There must be some kind of model number. (e.g. Buffalo WZR-HP-G300NH)

2. Go to the download page and search for the model.
(The search is kinda bad sometimes. Just type in "Buffalo" and then search for your model in the provided list.)

3. Download the firmware that has "openvpn" in the name. If there are only two firmwares provided and one has "update" in its name, choose the update one.

4. Now comes the easy part! In your router config GUI go to Administration and then Firmware Update.

5. Check the "do not reset" option, select the downloaded firmware update and then hit update!

6. Wait some time for the router to restart itself: DONE!


I searched the web to find out if it is ok to upgrade from a branded firmware to the vanilla DD-WRT, and all I was able to gather was that it works fine.
I still can't give you any guarantee of course, but everything is to the best of my knowledge!

Mousy | Posts: 18 | Joined: Thu Oct 31, 2013 5:12 pm

Re: HOWTO: DD-WRT Routers

Postby Mousy » Sun Feb 02, 2014 6:49 pm

Hi, thanks for whipping up that short guide!

I did as you suggested and did some research on my router, and it turns out these are its vital statistics:

Model Number: WZR-HP-AG300H
Firmware Number: DD-WRT v24SP2-MULTI (06/03/12) std - build 19154

I checked on the download page as you suggested and it pointed me at the following flashing instructions, and it seems to be that I can do everything I need to do from the administration panel. Is that how you read it as well?

I also looked at the download page and I think I can use the 2014 version of the firmware listed as well, do you concur?

Many thanks for all your help!

Mousy

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Mon Feb 03, 2014 12:10 am

Ahh! I see this model is a tad more complicated to flash than most models. Nonetheless it is pretty easy.

Concerning the HOWTO: Step two involves pressing the reset button for 30 seconds. This is something that your designated hands would have to do. But if you ask me, you could do the same via GUI by doing a factory reset.
Everything else is strictly GUI work. So yes!

For the firmware: Yes, you can use the most recent one! Use the Buffalo-to-DD-WRT image please.


Also: The flashing procedure must be done only once. From now on you can check back on dd-wrt.com and look for updates once in a while. Just download the update image and follow my guide from step 4 onwards.

People often underestimate how important current firmware upgrades for routers are. Those things are the gateway to the internet and your first line of defence! Always keep it up to date to avoid outdated libraries and exploits that can give full access to the router and the network behind it! It's not your fault, because Buffalo doesn't provide any updates, but a router firmware from June 2012 is a big problem in your OpSec!

marzametal | Posts: 520 | Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: DD-WRT Routers

Postby marzametal » Thu Feb 06, 2014 7:49 am

I have some questions. I am thinking of swapping from Windows widget to Windows DD-WRT (after I purchase a router that supports this).

Having the darknet login process in the router itself... does this mean that when Windows is loaded and the Internet connection is made, that I am on the darknet automatically? (eg: as opposed to Windows loading, and then executing the Windows widget). I have been trying to block all internet traffic until the darknet is accessed, with some luck but no chance in hell it's feasible for my sanity and day-to-day usage. Here's hoping that the DD-WRT stuff will provide protection from the beginning of my PC session.

Would I still be required to use batch files to clean up the routing table? (The reason I do this is to remove the physical routing table entry so the darknet is first in the list and removes internet access if the darknet breaks. The reason I use "-p" (persistent route) is to make it hard-coded in the routing table that there is a connection to use as a primary source. I have also set the TAP driver metric value to 1.)
It doesn't bother me to do this, I am just wondering if I would be required to continue with it when I take the Windows non-widget approach.
At the moment I have this for post-widget connect: (I have 3 sets of these, since I use the dynamic connection, 10.71, 10.74, 10.77)

Code:

:: remove the ISP default route so the tunnel routes are the only way out
route delete 0.0.0.0 192.168.1.1
timeout /T 3 /NOBREAK
:: 0.0.0.0/1 only covers the lower half of the address space; the matching
:: 128.0.0.0/1 route is needed so the upper half also goes through the tunnel
route -p add 0.0.0.0 mask 128.0.0.0 10.71.0.1
route -p add 128.0.0.0 mask 128.0.0.0 10.71.0.1
timeout /T 3 /NOBREAK
route print
cmd /k

Then I have this for post-widget disconnect (just a reversal):

Code:

:: drop both tunnel half-routes and restore the ISP default route
route delete 0.0.0.0 mask 128.0.0.0 10.71.0.1
route delete 128.0.0.0 mask 128.0.0.0 10.71.0.1
timeout /T 3 /NOBREAK
route -p add 0.0.0.0 mask 0.0.0.0 192.168.1.1
timeout /T 3 /NOBREAK
route print
cmd /k


This is the guide that should be followed DD-WRT thread, along with this for issues/testing etc... non-widget Windows config/testing?

I think that is it for now. Thanks for any feedback!

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Thu Feb 06, 2014 8:17 am

Ehhhh.... I think you misunderstand the complete concept behind router-established VPN connections.

First of all: "Windows DD-WRT" is a funny word combination but only shows your confusion. If anything, a DD-WRT router would need a Linux config. This is why I suggest using the RAW configuration for DD-WRT. Just follow my conversation with Mousy and you get the idea. ;)

Second: When you establish the VPN connection from the router, all the magic happens on the router. There is absolutely nothing you have to or even CAN do on your connected PC. This is the whole reason for doing router-based VPN connections: Instead of micromanaging every device you only configure one device and everything behind it benefits from it. Even devices that don't support VPN inherently, like your WIFI light bulb or HD-IP-TV-Toaster. ;)

So to sum everything up in short words:
  • Everything you tinkered with on your PC for whatever reason (LeakBlock, etc.) has to be removed. It has absolutely no effect on what is happening VPN-wise and it doesn't provide any security increase whatsoever. In the best case it does nothing. In the worst case it blocks everything and you wonder why nothing works. Your PC just can't see what the router is doing behind the curtains.
  • LeakBlock is done exclusively on the router as well. I provide a copy&paste solution for this.
  • When activated, your router connects to the VPN the second it has an internet connection. So no need to worry about attached devices using the VPN. It is not your devices that connect to the VPN but your router that connects to the VPN. So everything that is connected to the router is automatically connected to the VPN. It's like the most foolproof way to do VPN!
  • Everything, provided you follow the correct steps to install the VPN and LeakBlock on your router.

So to sum it up even further: Read the fucking manual! :P

This is why I made it. Everything that needs to be done is written there. If you follow everything exactly as described you are good to go in no time and are better protected than you could ever achieve on your Windows machine.

Cheers!

Pardon my cheeky answer but I think we both are cool with that, aren't we?

marzametal | Posts: 520 | Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: DD-WRT Routers

Postby marzametal » Thu Feb 06, 2014 8:45 am

Yeah, all good with the cheekiness, rather get cheeky typing than a picture of your (_|_)...

You were right, I had been confused big time. You say, set up DD-WRT with RAW configs (Linux). Then what is the purpose of "Windows-based connections that are NOT using the widget"? How do they connect? (puts on dunce hat...)

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Thu Feb 06, 2014 10:07 am


marzametal | Posts: 520 | Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: DD-WRT Routers

Postby marzametal » Thu Feb 06, 2014 11:05 am

So in other words, what you are trying to say is don't bother with DD-WRT unless you plan on running Linux...
Also, since it is not on the router, there will still be a period of time before the darknet can connect? (Windows loads, then user runs OpenVPN)... or will setting it to run at startup as a service cover that?

DesuStrike (ForumHelper, Topic Author) | Posts: 345 | Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Thu Feb 06, 2014 11:47 am

Dude I slowly start wondering if you are trolling me! :eh:

You obviously got a lot of things mixed up very badly. So please disregard EVERYTHING you think you know about DD-WRT. Clear your mind of it. Just pretend you never heard about it.

Ok, now carefully read the following:
The non-widget Windows connection thread has NOTHING to do with DD-WRT.
DD-WRT is a firmware that is installed on your router and replaces the original router firmware. Everything VPN-related will be configured and run from this firmware. So the VPN client is part of the DD-WRT firmware and thus runs ON the router. The moment your router connects to the internet it also connects to Cryptostorm, thus automatically securing EVERYTHING(!) that is connected to your router. It is absolutely irrelevant what kind of device it is and what kind of OS it is running. As long as it is connected to the router it will be using the VPN connection. PERIOD!

This is the most basic way I can put it. If you are still confused somebody else will have to try to explain it to you. :crazy:

Mousy | Posts: 18 | Joined: Thu Oct 31, 2013 5:12 pm

Re: HOWTO: DD-WRT Routers

Postby Mousy » Sat Mar 01, 2014 6:51 pm

DesuStrike wrote:There will be a special DD-WRT config in the future. In the meantime I'd recommend the raw-configs.

I'll only mention values that changed from the picture provided:

Code:

Tunnel MTU settings: Empty
Tunnel UDP Fragment: Empty
Tunnel UDP-MSS-Fix: Enabled
Hand Window 37
replay-window 128 30
float


This should be it. Please report your results.


Success!

My new ASUS RT-AC66U router turned up this morning, it was flashed with DD-WRT and I now have a working system! The only thing I had to do differently from your instructions was to change:

Tunnel MTU settings: Empty

to

Tunnel MTU settings: 1500

After that change, everything is now working perfectly :-)


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Sun Mar 16, 2014 9:47 pm

Hello! No luck getting this to work at all. :(

Followed all instructions provided and have double-checked everything. Using latest DD-WRT build (DD-WRT v24-sp2 (03/13/14) kongac - build 23720M) on new Netgear R7000 router. My OpenVPN log:

State
Server: : Local Address: Remote Address: Client: RECONNECTING: tls-error Local Address: Remote Address:

Status

Log
Serverlog Clientlog 19700101 00:13:28 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 00:13:31 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 00:13:33 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

And this last line then repeats forever. I am not sure what else to do as I have checked everything over several times. Any ideas or hints? I'd rather use this on DD-WRT for the obvious reasons, but can fall back on the Widget if necessary.

User avatar

Topic Author
DesuStrike
ForumHelper
Posts: 345
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Mon Mar 17, 2014 11:43 pm

Sorry but I cannot read anything useful from this other than that you get a TLS error for some reason. Try to increase the log level and see if you get more useful information. (change VERB 0 to VERB 9)
Also this guide uses the BrainSlayer builds. You are using the kongac build though. So any problems you may encounter very likely stem from the fact that you are using the "wrong" build and I encourage you to switch to BrainSlayer (if possible) and try again.

If increasing the log level does not give you more useful logs and you also can't switch to BrainSlayer I guess you are pretty much out of luck. Maybe somebody else has knowledge about this build in particular and knows a workaround but to be honest I doubt you will run into someone using kongac around here.

Sorry but that's all I can say for now.
home is where the artillery hits


grystch
Posts: 6
Joined: Sat Mar 08, 2014 3:37 am

Re: HOWTO: DD-WRT Routers

Postby grystch » Tue Mar 18, 2014 2:11 pm

Guest wrote:Hello! No luck getting this to work at all. :(

Followed all instructions provided and have double-checked everything. Using latest DD-WRT build (DD-WRT v24-sp2 (03/13/14) kongac - build 23720M) on new Netgear R7000 router. My OpenVPN log:

State
Server: : Local Address: Remote Address: Client: RECONNECTING: tls-error Local Address: Remote Address:

I had a similar problem when I was with a different provider. It's been a few months, as best I can remember I went through the config and compared it to the GUI settings. Any that matched I disabled, set to none, or left blank where it was possible. I then entered everything else in the Additional Config box. That fixed it. My conclusion was the GUI wasn't mapped correctly somewhere or just wasn't working some way. Might not be the problem here but if you're really stuck it can't hurt to try it.

When I was researching my problem I found some discussion mentioning the needed ciphers might not actually be in the build. To see that, I think you need to ssh in. You can also set everything up thru ssh if you have the know-how which is probably the best way. For me it turned out the ciphers weren't the problem. I spent a lot of time working on this problem, I don't know how to ssh, I don't know linux and I didn't have the time to spend to learn to do so much troubleshooting. The experience pushed me away from DD-WRT and to another solution.


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Sat Apr 19, 2014 1:08 pm

Don't know if these are the right/best settings- but they work on the latest Kong build... Please update this thread guys, what you've got posted DOESN'T WORK. Figuring this out was a nightmare, and I'm still not sure I've got it right. Is the 1.3 raw release the old or new cert? It's labelled in december....

Start OpenVPN Client
Enable
Server IP/Name
79.134.235.132
Port
443
Tunnel Device
TUN
Tunnel Protocol
UDP
Encryption Cipher
AES-256-CBC
Hash Algorithm
SHA-512
Advanced Options
enable

TLS Cipher
NONE
LZO Compression
NO
NAT
Enable
Firewall Protection
Enable
IP Address
<blank>
Subnet Mask
<blank>
Tunnel MTU setting
1500
Tunnel UDP Fragment
<blank>
Tunnel UDP MSS-Fix
Enable
nsCertType verification
yes- checked.

-------Additional Config:-------

auth-user-pass /tmp/user.conf
resolv-retry infinite
tls-client
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verb 3 (or 0- I prefer to see warnings and errors and such)
mute 1
key-method 2



put CA cert in CA cert box- starting with (and including) -----BEGIN CERTIFICATE----- ending with (and including) -----END CERTIFICATE-----


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Mon Apr 21, 2014 2:53 am

I forgot to mention in my post above- that I also input the startup/firewall commands listed in the top post.
I have also set the DNS settings on the modem, and the router, to non-logging opennic ones.

My router seems to be running stable with no errors, speed is excellent, latency is about what I'd expect. No IP/DNS leaks that I can tell. I've tried cycling the router and modem separately and immediately loading http://www.ipleak.com in several tabs- when it finally loads, I see the VPN address, and the DNSs that I've configured. If there's a better way to test, please let me know.


I'm getting occasional drops (reject) packets from the SPI firewall- it's unclear why things are being dropped though, the logs seem unspecific about which rule prompted the drop.
Example:
router kern.warn kernel: DROP IN=vlan2 OUT= MAC=******************** SRC=79.134.235.132 DST=192.168.254.1 LEN=141 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=443 DPT=57035 LEN=121

That's probably your MAC I just censored but I wasn't certain, and I'm unsure if there's anything else in there I shouldn't post- lol. This is mostly greek to me; trying to learn.


SPI firewall settings: Security>>Firewall

Block WAN Requests: (default settings here)

YES Block Anonymous WAN Requests (ping)
YES Filter Multicast
NO Filter WAN NAT Redirection (this one is turned OFF- can/should it be turned on?)
YES Filter IDENT (Port 113)
YES Block WAN SNMP access

Impede WAN DoS/Bruteforce: (these are ALL ON- not the default setting)

Limit SSH Access
Limit Telnet Access
Limit PPTP Server Access
Limit FTP Server Access


Please advise:

1. Is there anything wrong with my settings (previous post and this one) that could cause any issue, or could be set more appropriately?
2. Which of these settings (or the hardcoded iptables rules) are causing the drops/rejections; and why?
3. Do the raw linux 1.3 config contain the new or old Ca cert?

Thank you.


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Tue Apr 22, 2014 5:56 am

new errors:
N write UDPv4: Message too long (code=90)

A quick search reveals this likely has to do with the MTU setting.

I tried setting it to 1400 but then got this.

W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1502' remote='link-mtu 1602'
W WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1400' remote='tun-mtu 1500'

Tried setting link-mtu 1602, tun-mtu 1500 in additional config- but then nothing loads, logs say only one or the other may be set and it assumes tun-mtu of 1500. Gui will not allow to leave tun-mtu blank.

User avatar

hulltech
Posts: 28
Joined: Thu May 15, 2014 11:45 pm

Re: HOWTO: DD-WRT Routers

Postby hulltech » Mon Jul 07, 2014 3:35 am

Here is my config and it will not connect or do anything;
PPTP Server
PPTP Server  Disable

PPTP Client

PPTP Client
PPTP Client Options Disable

OpenVPN Server/Daemon

OpenVPN Server/Daemon
OpenVPN   Disable

OpenVPN Client

OpenVPN Client
Start OpenVPN Client enable
Server IP/Name exitnode_balancer.cryptostorm.org
Port 443
Tunnel Device TUN
Tunnel Protocol UDP
Encryption Cipher AES-256 CBC
Hash Algorithm SHA 512
Advanced Options enable
TLS Cipher none
LZO Compression yes
NAT enable
IP Address
Subnet Mask
Tunnel MTU setting 1500
Tunnel UDP Fragment 1400
Tunnel UDP MSS-Fix enable
nsCertType verification checked
TLS Auth Key

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA

resolv-retry infinite

down-pre

explicit-exit-notify 3

Tunnel MTU settings: 1500

Tunnel UDP Fragment: Empty

Tunnel UDP-MSS-Fix: Enabled

Hand Window 37

replay-window 128 30

float

verb 7

mute 3

auth-user-pass client.dat

tls-client

key-method 2

CA CERT


Here is the main page of the vpn.


Next, you need to go to ADMINISTRATION --> COMMANDS and enter the text below. Hit SAVE STARTUP when you are done!
echo "your hashed Token here" > /tmp/user.conf
echo 93b66e7059176bbfa418061c5cba87dd >> /tmp/user.conf
chmod 600 /tmp/user.conf


Go to ADMINISTRATION --> COMMANDS and enter the following code. Hit SAVE FIREWALL when you are done!

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


Then I added this;


Tunnel MTU settings: 1500

Tunnel UDP Fragment: 1400

Tunnel UDP-MSS-Fix: Enabled

Hand Window 37

replay-window 128 30

float


Is there anything I have done wrong?
Any help is greatly appreciated
Hulltech

User avatar

hulltech
Posts: 28
Joined: Thu May 15, 2014 11:45 pm

Re: HOWTO: DD-WRT Routers

Postby hulltech » Mon Jul 07, 2014 3:49 am

dd-wrt kong build 24345m.jpg
Here is a copy of what my DD-WRT vpn page looks like for Openvpn. It has the latest version of Openvpn built-in.

User avatar

hulltech
Posts: 28
Joined: Thu May 15, 2014 11:45 pm

Re: HOWTO: DD-WRT Routers

Postby hulltech » Sat Jul 12, 2014 8:05 pm

I could really use a little help here. I am able to connect through the Netgear R7000 nighthawk router
When I use Windows. I have a problem when I try to setup Openvpn in DD-WRT with the commands and trying to add all of the devices to use the vpn. I setup a DDNS to my router and it works great. When I fill out the information provided I get errors. I have contacted support and they ask where I got the ca key from and I explained that I downloaded it like the instructions said and opened it with notepad++ to copy it to the place where the ca key goes. What steps am I missing or doing wrong? I went to the Openvpn site and they said I had to create a variety.bat, server key, client 1,2,3 etc... keys and what information do I put in them. I have sent support screenshots of the errors so I am lost at this point. The regular Netgear firmware allows vpn pass through or Openvpn client on Windows so you can reach your computer on the road. I switched to DD-WRT because it allows you to put Openvpn client and server on the router.
Any help is greatly appreciated,

Thank You
Hulltech


angryhippy

Re: HOWTO: DD-WRT Routers

Postby angryhippy » Thu Oct 30, 2014 1:34 am

I could use some help getting my router set up. I'll start with the easy questions:

1) What is the minimum version of openVPN necessary on the client side?
2) What is the recommended dd-wrt build for atheros-based routers right now?

Thanks!

User avatar

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: HOWTO: DD-WRT Routers

Postby Tealc » Fri Oct 31, 2014 12:21 am

So first I have to say that this TOPIC is completely outdated, and IT CAN BRICK YOUR ROUTER (I was actually forced to do the TFTP method to recover). I've opened a new one here: viewtopic.php?f=32&t=6320

PS: Wrong post, thought of OpenWRT, sorry, this topic is still valid


highlighter
Posts: 3
Joined: Thu Nov 27, 2014 10:33 pm

Re: HOWTO: DD-WRT Routers

Postby highlighter » Fri Nov 28, 2014 12:13 am

Not getting any connection whatsoever to cryptostorm....
I'm using a Netgear r7000 flashed with DD-WRT v24-sp2 (11/20/14) std(BrainSlayer)...

I have read and followed all the directions in all the posts... the good and the bad... same results, no connection to cryptostorm.. Could someone please help me out with an up-to-date setting or something...

thanks
Bitmessage BM-2cWyjfNB1YnjTA6hWZrPmiDKZPzwdZgG6K


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Wed Jan 07, 2015 10:33 am

With these instructions my dd-wrt openvpn service shuts down with this error in the log:
err openvpn[931]: Options error: Unrecognized option or missing parameter(s) in /tmp/openvpncl/openvpn.conf:29: txqueueien (2.3.4)

Removing the 'txqueueien' setting from the advanced config allows dd-wrt to connect.

Seems to be working well, latency is a bit high but I'm getting 95% of native throughput.

I'm on the latest non-beta Kong build (25100M), netgear r7000. -it also requires the 2nd firewall settings you listed with tun1.

User avatar

Topic Author
DesuStrike
ForumHelper
Posts: 345
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: DD-WRT Routers

Postby DesuStrike » Wed Jan 07, 2015 2:21 pm

You are absolutely right! Thank you very much for pointing this out. The screenshot is fixed now.
I did this guide from memory as I don't run CryptoStorm on my router right now and felt I forgot something. This was it.
home is where the artillery hits


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Fri Feb 13, 2015 9:17 pm

Be aware, if changing nodes from the services>vpn tab while you have an active vpn connection, you must select disable openvpn client, then apply, then re-enable, change ip, then hit apply.

If you just put in a new IP and hit apply the routing table will not be flushed correctly and this will result in "leaks"- visible with traceroute between nodes. If I understand correctly- this is because the stale route points around the tunnel and directly to WAN. These "leaks" seem mostly harmless, as they only directly relate to CS node IPs- however they can expose your native IP to your computer behind the router (in an unlikely to be exploited way, hence the ""), and the stale routing table can somehow ruin connectivity. (I'm still not clear exactly why this is the case, but that was my experience)


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Fri Feb 13, 2015 9:59 pm

...and I spoke too soon. Still having (inconsistent) stale routing table entry issues- rebooting seems to be the only thing resetting it- and then I'm still not able to connect to fenrir. Just sticks on 'wait'. Also the GUI for routing table entries doesn't seem to work. errgg..


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Sun Feb 15, 2015 4:18 pm

follow up:

It was revealed there was an issue with the iceland node (fenrir) that was causing the connection issues- so that was not related to the stale routing table entries I was/am experiencing. The stale routing table entries will cause IP connections to those specific IPs to route around the VPN tunnel- so if you were connected to one node, then changed to a different node, and traceroute a packet to the first node- it will show the path bypasses the VPN tunnel. Additionally- if you were attempting tunception and trying to run a computer based VPN session through an existing router based session this would muck things up, the new session would bypass rather than tunneling through the existing tunnel. I have no idea why these stale table entries are happening, or how long that's been going on (maybe I just hadn't noticed them before- as they don't seem to cause other errant behavior).

Here's how to find and manually remove the stale entries without rebooting:
click the Administration tab, then click the Commands tab
In the Commands box type route (don't press enter after)
click the 'Run commands' button.
after a few seconds- this will show your current route table.
The only CS ip that should be listed in the routing table is the node you're currently connected to- any other CS ips are stale entries.

CS linux IPs:
viewtopic.php?f=37&t=8453

as of feb-15-15- the ips are:
#Germany - Cantus
46.165.222.248
#Canada - Maple
198.27.89.56
#Iceland - Fenrir
79.134.235.133
#United States of NSA - NSA-Central
167.88.9.27
#United States of NSA - Emerald
23.19.35.14
#France - Onyx
212.83.167.81
#London - Turing
130.180.201.117
#lisbon Tagus portugal
109.71.42.163
#Russia - Laika
91.214.70.206

If more than one of those is visible in the route table, you have stale routing table entries.
Table entries starting with 10, 127, 128, 192, 169 are local/internal and should be ignored (generally don't delete anything unless you know what it is).
Check your IP here: https://cryptostorm.is/ip.cgi (if you're connected to the VPN that IP should stay in the routing table).
*note- maple may exit differently than it connects (not sure if they've fixed this or not)
To remove the non-matching (stale) entry(s)- in the Command box, type:
route del -net <Stale CS IP> netmask 255.255.255.0

for example, to remove a stale entry for Cantus you'd enter
route del -net 46.165.222.248 netmask 255.255.255.0

again- don't press enter after typing in the commands or it won't work right. just click the Run Commands button.
This should keep you from having to reboot to clear the routing table.
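The stale-route check from the post above, as an added example that is not part of the original post: it reads `route -n` output, flags every entry whose destination is a cryptostorm node other than the one you are connected to, and prints the matching `route del` commands for review instead of running them. It assumes the Feb 2015 node list quoted above, busybox/net-tools `route -n` output, a constructed sample table, and takes the netmask from the table's Genmask column (my choice, not the post's fixed /24).

```shell
#!/bin/sh
# Added example (not from the original post): detect stale cryptostorm node
# routes in a DD-WRT routing table and print the matching `route del`
# commands for review, following the post's rule that only the node you are
# currently connected to should appear in the table.
# Assumptions: node IPs are the Feb 2015 list from the post; the table is in
# busybox/net-tools `route -n` format; the netmask is taken from the table's
# Genmask column (my choice, not the post's fixed /24).

# Node IPs as listed in the post (feb-15-15).
CS_NODE_IPS="46.165.222.248 198.27.89.56 79.134.235.133 167.88.9.27 \
23.19.35.14 212.83.167.81 130.180.201.117 109.71.42.163 91.214.70.206"

# Constructed sample `route -n` output: connected to Fenrir (79.134.235.133)
# over tun1, with a leftover host route to Cantus (46.165.222.248) that
# bypasses the tunnel via the WAN gateway (192.0.2.1 is a documentation
# address standing in for the real upstream gateway).
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.44.0.1       0.0.0.0         UG    0      0        0 tun1
10.44.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun1
46.165.222.248  192.0.2.1       255.255.255.255 UGH   0      0        0 vlan2
79.134.235.133  192.0.2.1       255.255.255.255 UGH   0      0        0 vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo'

# find_stale_routes CURRENT_NODE_IP   (reads `route -n` output on stdin)
# Prints "destination genmask iface" for every routing entry whose
# destination is a cryptostorm node other than CURRENT_NODE_IP. Local
# networks (10., 127., 192.168., ...) never match the node list, so the
# post's advice to leave them alone is honoured automatically.
find_stale_routes() {
    current="$1"
    # Skip the two header lines; fields are
    # Destination Gateway Genmask Flags Metric Ref Use Iface
    awk 'NR > 2 && NF >= 8 { print $1, $3, $8 }' | while read -r dest mask iface; do
        for node in $CS_NODE_IPS; do
            if [ "$dest" = "$node" ] && [ "$dest" != "$current" ]; then
                echo "$dest $mask $iface"
            fi
        done
    done
}

# stale_route_del_commands CURRENT_NODE_IP   (reads `route -n` output on stdin)
# Emits one `route del` line per stale entry. The commands are printed, not
# executed, so they can be checked before pasting into the Commands box.
stale_route_del_commands() {
    find_stale_routes "$1" | while read -r dest mask iface; do
        echo "route del -net $dest netmask $mask"
    done
}

# Demonstration on the constructed table. On the router you would pipe the
# live table instead:  route -n | stale_route_del_commands <current node IP>
echo "Stale node routes while connected to Fenrir (79.134.235.133):"
printf '%s\n' "$SAMPLE_ROUTE_TABLE" | stale_route_del_commands 79.134.235.133
```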


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Sat Oct 31, 2015 4:53 am

Hello - I am trying to connect an Asus RT-N66U router to CryptoStorm. I've followed the instructions listed in this thread (including updating the firmware), using telnet to post the suggested commands. After posting the commands and rebooting, the Asus webpage indicated that my IP address had been changed; however, when checking my IP address online, it is still unchanged. Do you have troubleshooting/how-to suggestions? Appreciate any advice you have.


anony

Re: HOWTO: DD-WRT Routers

Postby anony » Sun Nov 01, 2015 4:21 am

Hello - I am trying to connect an Asus RT-N66U router to CryptoStorm. I've followed the instructions listed in this thread (including updating the firmware), using telnet to post the suggested commands. After posting the commands and rebooting, the Asus webpage indicated that my IP address had been changed; however, when checking my IP address online, it is still unchanged. Do you have troubleshooting/how-to suggestions? Appreciate any advice you have.


If you've installed DD-WRT, then the admin webpage you visit @ 192.168.1.1 (assuming you didn't change the default IP) should be the DD-WRT admin, rather than Asus's page. Maybe that's what you meant? If you're seeing Asus anything- you may not be running DD-WRT yet. Some installs (most?) are two step, first updating to modified stock firmware (or an interim limited function dd-wrt) to allow for dd-wrt to be installed (this was a .chk file in my case), then installing the latest dd-wrt via the stock/dd-wrt update procedure (a .bin file). It may be that you've taken the first step, but missed the second. Telnet or ssh can be used for commands, but setup will be more secure if you disable them and just do config through the admin site.

iirc choosing the wrong tun on the firewall will just restrict all internet access, but this is another area you might experiment with: if you're sure you're running the latest dd-wrt, and it shows 'connected success' under the status>openvpn page- try changing all references of tun0 to tun1 or vice versa, on the firewall.

Also- the firewall listed in previous posts is very limited. The linux firewall threads on this site and github can be applied to dd-wrt via administration>commands tabs- paste and press update firewall.


anony

Re: HOWTO: DD-WRT Routers

Postby anony » Sun Nov 01, 2015 5:20 am

I notice the DNS info is out of date in this thread. This is a bit nitpicky and only required for absolute leak block, since with the default setup ovpn pulls DNS server settings upon establishing the VPN connection- but iirc the router will resolve with whatever DNS is configured or passed by the modem until the initial ovpn connection is made. If you haven't set DNS in the modem, most modems will pass the ISP's DNS on to the router through DHCP. To ensure use of DeepDNS at all times, the IPs should be set both in the modem and the router:

current(ish) DeepDNS servers are:

Code: Select all

79.134.235.131
79.134.235.132
103.254.153.244
109.71.42.228
198.100.159.249
198.204.245.3
212.129.46.32
212.129.46.86
31.24.34.50
46.165.222.246
76.164.234.11
91.214.70.199

Match the first three IP octets (ie xxx.xxx.xxx.###) of the node you're connecting to with the related DeepDNS server IP above and enter this DNS IP in the 'static dns 1/2/3' field on the 'setup>basic setup' tab. You can enter the same IP for all three, or a different one for each, but the first should be on the same node as you're connecting to for quickest response. -for example: the Cantus node is @ 46.165.222.248 - so the DeepDNS for that node is 46.165.222.246

There should be similar settings somewhere in the modem's interface- but they vary too much to give a better description of how to do it. You may have to bypass the router (plug the computer's ethernet directly into the modem) to access the interface. The access address is usually written on the modem somewhere. Just poke around the menus and find the DNS settings- they're in there somewhere. Disable automatic DNS, enable manual, and put in the proper IPs.
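The first-three-octets matching rule from the post above, as an added example that is not part of the original post: given a node IP it returns the DeepDNS resolver in the same /24, and reports no match rather than guessing when the list has none (which is the case for several nodes in the Feb 2015 node list earlier in this thread), so you know to pick one of the other listed resolvers by hand. It assumes the Nov 2015 DeepDNS list and the Feb 2015 node list quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's rule of
# matching the first three octets of the DeepDNS resolver to the node you
# connect to, and say so explicitly when no resolver shares the node's /24.
# Assumptions: resolver and node lists are the ones quoted in this thread
# (Nov 2015 DeepDNS list, Feb 2015 node list).

# DeepDNS resolvers as listed in the post.
DEEPDNS_SERVERS="79.134.235.131 79.134.235.132 103.254.153.244 109.71.42.228 \
198.100.159.249 198.204.245.3 212.129.46.32 212.129.46.86 31.24.34.50 \
46.165.222.246 76.164.234.11 91.214.70.199"

# Node IPs from the feb-15-15 list earlier in the thread.
CS_NODE_IPS="46.165.222.248 198.27.89.56 79.134.235.133 167.88.9.27 \
23.19.35.14 212.83.167.81 130.180.201.117 109.71.42.163 91.214.70.206"

# prefix24 IP -> prints the first three octets (xxx.xxx.xxx)
prefix24() {
    echo "$1" | cut -d. -f1-3
}

# deepdns_for_node NODE_IP -> prints the first resolver whose first three
# octets match NODE_IP and returns 0; prints nothing and returns 1 when
# none does, so callers can fall back to another listed resolver.
deepdns_for_node() {
    want="$(prefix24 "$1")"
    for dns in $DEEPDNS_SERVERS; do
        if [ "$(prefix24 "$dns")" = "$want" ]; then
            echo "$dns"
            return 0
        fi
    done
    return 1
}

# Demonstration: show the static DNS 1 choice for every listed node, and
# flag the nodes where the /24 rule gives no answer.
for node in $CS_NODE_IPS; do
    if dns="$(deepdns_for_node "$node")"; then
        echo "$node -> static DNS 1: $dns"
    else
        echo "$node -> no DeepDNS resolver in the same /24; pick one from the list by hand"
    fi
done
```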


Sammy
Posts: 3
Joined: Wed Nov 04, 2015 8:41 am

Re: HOWTO: DD-WRT Routers

Postby Sammy » Wed Nov 04, 2015 8:47 am

Hello, I tried the configuration above many times,
It didn't work, I use Firmware: DD-WRT v24-sp2 (03/25/13) std

https://torguard.net/knowledgebase.php? ... icle&id=47 this however does work for me, you guys don't have something like that?

That's just a few steps, and worked without issues.
Hopefully you guys have something that works for me.
thnx


anony

Re: HOWTO: DD-WRT Routers

Postby anony » Wed Nov 04, 2015 10:51 am

Sammy wrote:Hello, I tried the configuration above many times,
It didn't work, I use Firmware: DD-WRT v24-sp2 (03/25/13) std

https://torguard.net/knowledgebase.php? ... icle&id=47 this however does work for me, you guys don't have something like that?

That's just a few steps, and worked without issues.
Hopefully you guys have something that works for me.
thnx


First of all- holy crap, update your software. dd-wrt should be updated monthly at least; this has to be done manually, there is no auto-update. That alone may solve your issues- there are known severe flaws in your software, and CS may be rejecting it simply because of this.

On the torguard setup you linked to:
That shows a setup for an openvpn server.
Cryptostorm functions as an openvpn client.

Are you trying to run a server behind CS? CS doesn't have persistent port forwarding. There's a complicated way to do it, involving a 2nd server to establish connections, but that's way beyond my knowledge. If that's what you're trying to do, I'd suggest asking CS staff in IRC. It's not officially supported, but they're generally pretty cool and supportive of non-standard stuff if it's feasible.

If you're just trying to connect to CS and route traffic, update your software, and make sure you're entering settings into the client area.


Sammy
Posts: 3
Joined: Wed Nov 04, 2015 8:41 am

Re: HOWTO: DD-WRT Routers

Postby Sammy » Sat Dec 12, 2015 12:52 pm

Hello, thnx for the reply, the guide of the link I posted of torguard, it lets me route all the traffic.

I only want the router to encrypt all traffic.

About the software of the router, it's the newest version for my router, what can I do? They don't update their software for all routers, right?


anony

Re: HOWTO: DD-WRT Routers

Postby anony » Sun Dec 13, 2015 1:34 am

Using the client settings will route all outgoing, and related incoming traffic. Once the vpn is connected dd-wrt will automatically route everything through the encrypted tunnel. Unsolicited traffic is dropped.

"release" versions often have known exploits- betas are far more up to date and generally stable and trouble free. (haven't had a major problem with them in years, myself.)

find dd-wrt beta updates at:
ftp://ftp.dd-wrt.com/betas


Sammy
Posts: 3
Joined: Wed Nov 04, 2015 8:41 am

Re: HOWTO: DD-WRT Routers

Postby Sammy » Mon Dec 14, 2015 5:44 pm

Hello, I have updated router to
Firmware: DD-WRT v24-sp2 (12/22/14) std

Problem: I have internet, but traffic not encrypted, my real IP shows.

the openvpn status only says

Client:

Local Address:
Remote Address:

Status
VPN Client Stats

Log
Clientlog:

ca /tmp/openvpncl/ca.crt management 127.0.0.1 16 management-log-cache 100 verb 3 mute 3 syslog writepid /var/run/openvpncl.pid client resolv-retry infinite nobind persist-key persist-tun script-security 2 dev tun1 proto udp cipher aes-256-cbc auth sha512 remote 46.165.222.248 443 comp-lzo no tun-mtu 1500 fragment 1400 mssfix ns-cert-type server fast-io tun-ipv6 resolv-retry infinite nobind sndbuf size 1655368 rcvbuf size 1655368 down-pre allow-pull-fqdn explicit-exit-notify 3 Tunnel MTU settings: 1500 Tunnel UDP Fragment: Empty Tunnel UDP-MSS-Fix: Enabled Hand Window 37 replay-window 128 30 float auth-user-pass /tmp/user.conf tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA tls-client key-method-2 auth-retry nointeract

I followed the instructions to the letter :(
What can be done ?


anony

Re: HOWTO: DD-WRT Routers

Postby anony » Tue Dec 15, 2015 4:49 am

Showing only "client:" means ovpn isn't even getting to the stage where it attempts to connect to CS- this is usually caused by a missing file, improper file permissions, or a network or firewall misconfiguration.

I'd help you troubleshoot further, but your software is still way too out of date- there were at least three major 0days in 2015, and even if you get your config straight, CS may refuse connection from the known bad ovpn/ssl versions.

Fixes are generally not backported to older versions of dd-wrt- these firmwares are one time snapshots; newest is always best. If there's nothing more recent available in the betas, I'd search on your router model name and see if you can find a current version maintained elsewhere- kong or brainslayer are examples of privately maintained versions, there are probably others. If not, you might try searching for a different firmware such as open-wrt, or tomato. If you can't find anything current, you're either going to have to learn to compile a version yourself (difficult and time consuming to learn- instructions are out there though if you're ambitious) or just get a better supported router.


iguanoer
Posts: 1
Joined: Sun Jan 17, 2016 1:43 am

Re: HOWTO: DD-WRT Routers

Postby iguanoer » Sun Jan 17, 2016 1:59 am

Ok, I have managed to
- get into the debug-section of my officialFW.2.27-Buffalo-WZR-1750
- install the official dd-wrt from buffalo (us-version)
- upgrade dd-wrt to BETA from january 13. 2016
- get cryptonet running with the following 'additional config' (fyi):

Code: Select all

resolv-retry 16
nobind
# persist-tun
# persist-key
float
# txqueuelen 686
sndbuf size 1655368
rcvbuf size 1655368
down-pre
allow-pull-fqdn
explicit-exit-notify 3
hand-window 37
auth-user-pass /tmp/user.conf
replay-window 128 30
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-client
key-method 2
auth-retry nointeract


now two questions remain:

1. The firewall hack isn't working. No internet if I paste the tun0 or the tun1 snippet into the "Save Firewall" box. How can I find out what my router's tun-device name is? Maybe I'm too blind to see the obvious...

2. The second thing happened three times and I reset the router via the hardware button every time in between: after about 5 minutes to an hour my password does not work anymore. I cannot get back on the router. I tried two different PCs, so it's most def the router's problem.
Since this only happens randomly after a while on the net, I'm wondering if big brother auto-pwned my dd-wrt so fast already, or if it's simply a bug? Has anyone heard of this behavior from a dd-wrt beta?

thanks


anony

Re: HOWTO: DD-WRT Routers

Postby anony » Sun Jan 17, 2016 5:32 am

On #1- under Administration>Commands in the command box, type "ifconfig", without quotes, don't hit enter afterwards- push the run commands button. This will give you a full interface listing. I'll post my firewall settings below- it's a bit out of date, (CS is shitty about not updating their github and raw IP thread) and it's a strict, no leak setup based off the linux iptables config, (dd-wrt uses iptables also) maybe there's something in there that will help? I'm an intermediate linux user at best, and this could surely be improved, hopefully there's no glaring mistakes in there though. I'm having trouble remembering what the first line is for...modem dhcp? pppoe passthrough? it may not be needed in your setup- if it's not, I'd leave it out...

On #2
Never seen behaviour like that- I've noticed some browser plugins can conflict with dd-wrt, and it may require cookies to be enabled. -both of those could cause login failures; but likely you wouldn't be able to log in in the first place. If the interface is disappearing altogether then it may be that the http server for the admin panel is crashing- enable and check logs- or it could be firewall/routing related, but you said the firewall isn't working? What happens when you turn the firewall on?

My dd-wrt firewall:

Code: Select all

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

iptables -I INPUT -i br0 -p tcp --dport telnet -j DROP
iptables -I INPUT -i br0 -p tcp --dport ssh -j DROP

iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback device"
iptables -A OUTPUT -o lo -j ACCEPT -m comment --comment "Allow loopback device"

iptables -A INPUT -s 127.0.1.1 -j ACCEPT -m comment --comment "resolv"
iptables -A OUTPUT -d 127.0.1.1 -j ACCEPT -m comment --comment "resolv"

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -d 212.129.46.32 -p udp --dport 53 -j ACCEPT -m comment --comment "alors.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 212.129.46.32 -p udp --sport 53 -j ACCEPT -m comment --comment "alors.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 46.165.222.246 -p udp --dport 53 -j ACCEPT -m comment --comment "cantus.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 46.165.222.246 -p udp --sport 53 -j ACCEPT -m comment --comment "cantus.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 79.134.235.131 -p udp --dport 53 -j ACCEPT -m comment --comment "fenrir.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 79.134.235.131 -p udp --sport 53 -j ACCEPT -m comment --comment "fenrir.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 91.214.70.199 -p udp --dport 53 -j ACCEPT -m comment --comment "laika.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 91.214.70.199 -p udp --sport 53 -j ACCEPT -m comment --comment "laika.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 103.254.153.244 -p udp --dport 53 -j ACCEPT -m comment --comment "majulah.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 103.254.153.244 -p udp --sport 53 -j ACCEPT -m comment --comment "majulah.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 198.100.159.249 -p udp --dport 53 -j ACCEPT -m comment --comment "maple.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 198.100.159.249 -p udp --sport 53 -j ACCEPT -m comment --comment "maple.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 198.204.245.3 -p udp --dport 53 -j ACCEPT -m comment --comment "mishigami.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 198.204.245.3 -p udp --sport 53 -j ACCEPT -m comment --comment "mishigami.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 212.129.46.86 -p udp --dport 53 -j ACCEPT -m comment --comment "onyx.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 212.129.46.86 -p udp --sport 53 -j ACCEPT -m comment --comment "onyx.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 76.164.234.11 -p udp --dport 53 -j ACCEPT -m comment --comment "stakaya.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 76.164.234.11 -p udp --sport 53 -j ACCEPT -m comment --comment "stakaya.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 109.71.42.228 -p udp --dport 53 -j ACCEPT -m comment --comment "tagus.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 109.71.42.228 -p udp --sport 53 -j ACCEPT -m comment --comment "tagus.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 31.24.34.50 -p udp --dport 53 -j ACCEPT -m comment --comment "turing.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"
iptables -A INPUT -s 31.24.34.50 -p udp --sport 53 -j ACCEPT -m comment --comment "turing.deepdns.cryptostorm.net - cryptostorm-shared.deepdns.net"

iptables -A OUTPUT -d 212.83.161.53 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-alors1.cryptostorm.net - linux-paris.cryptostorm.net"
iptables -A INPUT -s 212.83.161.53 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-alors1.cryptostorm.net - linux-paris.cryptostorm.net"

iptables -A OUTPUT -d 46.165.222.248 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-cantus1.cryptostorm.net - linux-frankfurt.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 46.165.222.248 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-cantus1.cryptostorm.net - linux-frankfurt.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 79.134.235.133 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-fenrir1.cryptostorm.net - linux-iceland.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 79.134.235.133 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-fenrir1.cryptostorm.net - linux-iceland.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 91.214.70.206 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-laika1.cryptostorm.net - linux-stpetersburg.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 91.214.70.206 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-laika1.cryptostorm.net - linux-stpetersburg.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 103.254.153.243 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-majulah1.cryptostorm.net - linux-singapore.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 103.254.153.243 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-majulah1.cryptostorm.net - linux-singapore.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 198.27.89.56 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-maple1.cryptostorm.net - linux-montreal.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 198.27.89.56 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-maple1.cryptostorm.net - linux-montreal.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 198.204.245.2 -p udp --dport 443 -j ACCEPT -m comment --comment "mishigami.cryptostorm.net - linux-uscentral.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 198.204.245.2 -p udp --sport 443 -j ACCEPT -m comment --comment "mishigami.cryptostorm.net - linux-uscentral.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 212.83.167.81 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-onyx1.cryptostorm.net - linux-paris.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 212.83.167.81 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-onyx1.cryptostorm.net - linux-paris.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 76.164.234.12 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-stakaya1.cryptostorm.net - linux-uswest.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 76.164.234.12 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-stakaya1.cryptostorm.net - linux-uswest.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 109.71.42.163 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-lisbon.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 109.71.42.163 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-lisbon.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -d 130.180.201.117 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-turing1.cryptostorm.net - linux-london.cryptostorm.net - linux-balancer.cryptostorm.net"
iptables -A INPUT -s 130.180.201.117 -p udp --sport 443 -j ACCEPT -m comment --comment "linux-turing1.cryptostorm.net - linux-london.cryptostorm.net - linux-balancer.cryptostorm.net"

iptables -A OUTPUT -o tun+ -j ACCEPT -m comment --comment "accept all TUN connections"
iptables -A INPUT -i tun+ -j ACCEPT -m comment --comment "accept all TUN connections"

iptables -P INPUT DROP -m comment --comment "set default policies to drop all communication unless specifically allowed"
iptables -P OUTPUT DROP -m comment --comment "set default policies to drop all communication unless specifically allowed"
iptables -P FORWARD DROP -m comment --comment "set default policies to drop all communication unless specifically allowed"


 ! Message from: parityboy
Edited for better formatting


uz-uz-uz
Posts: 8
Joined: Sun Feb 15, 2015 4:23 pm

Re: HOWTO: DD-WRT Routers

Postby uz-uz-uz » Sat Feb 13, 2016 10:03 pm

anony, thanks and sorry, I didn't get a message, so I thought nobody answered. It turned out that the version I installed must have been buggy; now I have the next version from a few days later running on my router and everything is fine.

I tried both TUN and TAP with the January 13th beta but neither worked, so it would have been helpful to know which one SHOULD work in the first place and circle in on the problem from there.
Also I tried 3 different browsers, so mos def it wasn't on the browser side.

Anyhow, as I said, with the next release everything went smoothly and I can now connect to CS every time without hiccups.

thanks for your reply, I'll check on the extended leakblock ... some day ;)


spunky
Posts: 3
Joined: Sun Mar 06, 2016 10:11 am

Re: HOWTO: DD-WRT Routers

Postby spunky » Sun Mar 06, 2016 10:43 am

Using DD-WRT on Netgear WDR-3700 and having no luck setting up the vpn on the router.

I've tried to put together the config based on the various info in the thread. Here's my config:

Code: Select all

resolv-retry 16
nobind
float
sndbuf size 1655368
rcvbuf size 1655368
comp-lzo no
down-pre
allow-pull-fqdn
explicit-exit-notify 3
hand-window 37
auth-user-pass /tmp/user.conf
auth-user-pass
replay-window 128 30
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-client
key-method 2
auth-retry nointeract
auth-nocache
float


And my firewall:

Code: Select all

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o eth0 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

And my startup script:

Code: Select all

echo xxxxxxxx > /tmp/user.conf
echo 93b66e7059176bbfa418061c5cba87dd >> /tmp/user.conf
chmod 600 /tmp/user.conf

Also using the crt file above.
Basically I lose the connection as soon as this is enabled. Anything stand out, or any thoughts? Thanks.

 ! Message from: parityboy
Formatted the code for better readability


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Mon Mar 07, 2016 1:33 am

The second auth-user-pass may be making it try to use the form user/pass, which is presumably blank. I've never had any luck getting the form user/pass to work, (likely exceeds the allowed # of characters) best just to use the file created at startup, and leave the form on services>vpn blank. Try removing it.

The other thing that sticks out is auth-nocache. -caching may be needed on session renegotiation- not really sure as I've never used this. afaik auth-nocache only protects against local access, and the token system doesn't use the user/pass as an integral part of the encryption, it's only for granting access to CS- so this really isn't that important to protect. iow the most someone could steal is the ability to use CS, and to do that they'd need local access to your router, in which case you've got much bigger problems.


spunky
Posts: 3
Joined: Sun Mar 06, 2016 10:11 am

Re: HOWTO: DD-WRT Routers

Postby spunky » Wed Mar 09, 2016 1:52 pm

Thanks Guest. I removed the second auth-user-pass and the auth-nocache also.

I also took a look at my ifconfig just to double check the firewall settings. I *think* this line:

Code: Select all

iptables -I FORWARD -i br0 -o eth0 -j DROP

should be updated to:

Code: Select all

iptables -I FORWARD -i br0 -o eth1 -j DROP

But I'm not sure. I tried it and I still have no connection; after running ifconfig I could see that packets and data were increasing. I tried pinging yahoo.com and could not ping their site. I ended up pinging the IP address and it worked. So something is messed up with DNS after connecting. Anyone have any suggestions?


Code: Select all

ath0      Link encap:Ethernet  HWaddr C4:15:41:8F:2D:54
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:165 errors:0 dropped:0 overruns:0 frame:0
          TX packets:377 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21539 (21.0 KiB)  TX bytes:64876 (63.3 KiB)

ath1      Link encap:Ethernet  HWaddr C4:15:41:8F:2D:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4212 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5071 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:422301 (412.4 KiB)  TX bytes:4530570 (4.3 MiB)

br0       Link encap:Ethernet  HWaddr C4:15:41:8F:2D:54
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4382 errors:0 dropped:81 overruns:0 frame:0
          TX packets:4880 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:382592 (373.6 KiB)  TX bytes:4361144 (4.1 MiB)

br0:0     Link encap:Ethernet  HWaddr C4:15:41:8F:2D:54
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr C4:15:41:8F:2D:54
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:307 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:44925 (43.8 KiB)
          Interrupt:4

eth1      Link encap:Ethernet  HWaddr C4:15:41:8F:2D:56
          inet addr:xx.xxx.xxx.xxx  Bcast:xx.xxx.xxx.xxx  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4869 errors:0 dropped:4027 overruns:0 frame:0
          TX packets:857 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:553729 (540.7 KiB)  TX bytes:214622 (209.5 KiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1088 (1.0 KiB)  TX bytes:1088 (1.0 KiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:xx.xx.xx.xx  P-t-P:xx.xx.xx.xx  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:508 errors:0 dropped:0 overruns:0 frame:0
          TX packets:703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:73155 (71.4 KiB)  TX bytes:95951 (93.7 KiB)
         


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Thu Mar 10, 2016 3:09 am

DNS is set through the Setup > Basic Setup page, under Network Address Server Settings (DHCP) (which should be set to Server); look for Static DNS. Enter the DNS server that corresponds to the node you're connecting on. The first three octets of the address will match, the fourth usually being plus or minus a digit or two. For instance cantus is 46.165.222.248 while its DNS is 46.165.222.246. You can set the same for all three fields, or set a rollback with a different CS DNS address; there's a setting at Services > Services under DNSMasq to enable checking them in strict order. Raw IPs can be found on the GitHub, though they may be a bit outdated; they don't change much, so it's not a huge deal. When your DNS is working you can ping the HAF names to get updated info.

ping -c 1 cantus.deepdns.cryptostorm.net
responds:
PING cantus.deepdns.cryptostorm.net (46.165.222.246) 56(84) bytes of data.
so there's the current ip (which hasn't changed..)


This really only matters for the initial (pre-tunnel) connection. The 'allow-pull-fqdn' (err, something close to that) setting in the ovpn config will pull and apply current DNS settings after the VPN tunnel connects.

I'm currently having an issue with NoScript interfering with changes on the admin page... this is new and frustrating behaviour. Are you having the same issue? Anyway, once I figure it out I'll poke around a bit more.


spunky
Posts: 3
Joined: Sun Mar 06, 2016 10:11 am

Re: HOWTO: DD-WRT Routers

Postby spunky » Tue Mar 15, 2016 9:15 am

Hmm.. Still no luck.

I tried using 76.164.234.12 for OpenVPN client Server IP/Name and Static DNS. I'm not sure how you get a different IP for DNS.

I got the hostname for VPN client server name from here and pinged it
https://github.com/cryptostorm/cryptost ... t_udp.ovpn

Also DNS here shows the same
https://github.com/cryptostorm/cstorm_d ... uction.txt

Code: Select all

linux-uswest IN A 76.164.234.12


Any other ideas?


I was able to right click the no-script icon and allow for the router ip and that seems to fix issue.

Thanks


Guest

Re: HOWTO: DD-WRT Routers

Postby Guest » Tue Mar 15, 2016 7:58 pm

According to my old list, the DNS for stakaya (76.164.234.12) is 76.164.234.11.
I'm using that node/DNS now, can confirm it works.
No idea why the GitHub would have that wrong.

Here's my old list (which was pulled from the Linux raw IP thread here on the forum, iirc); DNS is OS agnostic.
DeepDNS:

Code: Select all

79.134.235.131
79.134.235.132
103.254.153.244
109.71.42.228
198.100.159.249
198.204.245.3
212.129.46.32
212.129.46.86
31.24.34.50
46.165.222.246
76.164.234.11
91.214.70.199

My Firefox issue is likely related to other tweaks I've made in about:config. Getting around it with a sandboxed default install.


theThingThatThings
Posts: 2
Joined: Sun May 15, 2016 6:11 pm

Re: HOWTO: DD-WRT Routers

Postby theThingThatThings » Sun May 15, 2016 9:48 pm

Hello, can someone help me separate traffic by interfaces? I want everything BUT wlan0.1 to go through CryptoStorm. wlan0.1 should go directly to WAN and NOT be protected.

Edit: Also, anything supposed to be protected should drop everything when OpenVPN isn't connected.

Edit 2: The second set of iptables rules worked for me.


uz-uz-uz
Posts: 8
Joined: Sun Feb 15, 2015 4:23 pm

Re: HOWTO: DD-WRT Routers

Postby uz-uz-uz » Mon Jul 25, 2016 12:22 am

Hello again,
my dd-wrt started losing its connection once more. It used to work, so I thought I might have changed a parameter by accident or put in the wrong firewall settings, but I cannot figure out what happens. The token is my recent one, so that's also fine.

Current situation over here:
The OpenVPN client connects successfully and then enters some kind of loop of connecting and disconnecting (see below). It does get a 'local address', but there appears no 'remote address'.
From the log, it seems there is something wrong with "the Linux route add command". Could it be that?

I have cleared the firewall settings for now, to see if that helps, but that changes nothing. The behaviour seems like before.

Code: Select all

State
Client: CONNECTED SUCCESS
Local Address: 10.88.74.126
Remote Address:

Status
VPN Client Stats
TUN/TAP read bytes   1582
TUN/TAP write bytes   0
TCP/UDP read bytes   4513
TCP/UDP write bytes   6004
Auth read bytes   0
pre-compress bytes   0
post-compress bytes   0
pre-decompress bytes   0
post-decompress bytes   0



Code: Select all

20160724 20:31:08 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20160724 20:31:08 I /sbin/ifconfig tun0 10.88.39.120 netmask 255.255.0.0 mtu 1500 broadcast 10.88.255.255
20160724 20:31:08 /sbin/route add -net 46.165.222.248 netmask 255.255.255.255 gw 192.168.177.1
20160724 20:31:08 W ERROR: Linux route add command failed: external program exited with error status: 1
20160724 20:31:08 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.88.0.1
20160724 20:31:08 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.88.0.1
20160724 20:31:08 I Initialization Sequence Completed
20160724 20:31:08 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:08 D MANAGEMENT: CMD 'log 500'
20160724 20:31:08 MANAGEMENT: Client disconnected
20160724 20:31:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:10 D MANAGEMENT: CMD 'state'
20160724 20:31:10 MANAGEMENT: Client disconnected
20160724 20:31:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:10 D MANAGEMENT: CMD 'state'
20160724 20:31:10 MANAGEMENT: Client disconnected
20160724 20:31:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:10 D MANAGEMENT: CMD 'state'
20160724 20:31:10 MANAGEMENT: Client disconnected
20160724 20:31:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:10 D MANAGEMENT: CMD 'status 2'
20160724 20:31:10 MANAGEMENT: Client disconnected
20160724 20:31:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:10 D MANAGEMENT: CMD 'log 500'
20160724 20:31:10 MANAGEMENT: Client disconnected
20160724 20:31:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:11 D MANAGEMENT: CMD 'state'
20160724 20:31:11 MANAGEMENT: Client disconnected
20160724 20:31:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:11 D MANAGEMENT: CMD 'state'
20160724 20:31:11 MANAGEMENT: Client disconnected
20160724 20:31:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:11 D MANAGEMENT: CMD 'state'
20160724 20:31:11 MANAGEMENT: Client disconnected
20160724 20:31:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:11 D MANAGEMENT: CMD 'status 2'
20160724 20:31:11 MANAGEMENT: Client disconnected
20160724 20:31:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:11 D MANAGEMENT: CMD 'log 500'
20160724 20:31:11 MANAGEMENT: Client disconnected
20160724 20:31:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:12 D MANAGEMENT: CMD 'state'
20160724 20:31:12 MANAGEMENT: Client disconnected
20160724 20:31:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:12 D MANAGEMENT: CMD 'state'
20160724 20:31:12 MANAGEMENT: Client disconnected
20160724 20:31:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:12 D MANAGEMENT: CMD 'state'
20160724 20:31:12 MANAGEMENT: Client disconnected
20160724 20:31:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:12 D MANAGEMENT: CMD 'status 2'
20160724 20:31:12 MANAGEMENT: Client disconnected
20160724 20:31:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:12 D MANAGEMENT: CMD 'log 500'
20160724 20:31:12 MANAGEMENT: Client disconnected
20160724 20:31:14 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:14 D MANAGEMENT: CMD 'state'
20160724 20:31:14 MANAGEMENT: Client disconnected
20160724 20:31:14 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:14 D MANAGEMENT: CMD 'state'
20160724 20:31:14 MANAGEMENT: Client disconnected
20160724 20:31:14 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:14 D MANAGEMENT: CMD 'state'
20160724 20:31:14 MANAGEMENT: Client disconnected
20160724 20:31:14 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:14 D MANAGEMENT: CMD 'status 2'
20160724 20:31:14 MANAGEMENT: Client disconnected
20160724 20:31:14 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:14 D MANAGEMENT: CMD 'log 500'
20160724 20:31:14 MANAGEMENT: Client disconnected
20160724 20:31:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:15 D MANAGEMENT: CMD 'state'
20160724 20:31:15 MANAGEMENT: Client disconnected
20160724 20:31:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:15 D MANAGEMENT: CMD 'state'
20160724 20:31:15 MANAGEMENT: Client disconnected
20160724 20:31:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:15 D MANAGEMENT: CMD 'state'
20160724 20:31:15 MANAGEMENT: Client disconnected
20160724 20:31:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:15 D MANAGEMENT: CMD 'status 2'
20160724 20:31:15 MANAGEMENT: Client disconnected
20160724 20:31:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20160724 20:31:15 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00


When I'm calling "route" via the command prompt, it only says "Kernel routing table" (= empty) when connected to the VPN. When I'm in NSAland it says:

Code: Select all

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.177.1   0.0.0.0         UG    0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
192.168.11.0    *               255.255.255.0   U     0      0        0 br0
192.168.177.0   *               255.255.255.0   U     0      0        0 vlan2


That's curious, since when I'm connected to the VPN the "official routing table" via Setup => Advanced Routing => Show Routing Table tells me that cryptostorm is active:

Destination LAN NET  Subnet Mask      Gateway        Flags  Metric  Interface
default              128.0.0.0        10.88.0.1      UG     0       tun0
default              0.0.0.0          192.168.177.1  UG     0       WAN
10.88.0.0            255.255.0.0      *              U      0       tun0
46.165.222.248       255.255.255.255  192.168.177.1  UGH    0       WAN
128.0.0.0            128.0.0.0        10.88.0.1      UG     0       tun0
169.254.0.0          255.255.0.0      *              U      0       LAN & WLAN
192.168.11.0         255.255.255.0    *              U      0       LAN & WLAN
192.168.177.0        255.255.255.0    *              U      0       WAN

Any ideas on how to approach this?
THANKS!

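The log above shows the usual redirect-gateway def1 sequence: a host route to the node (46.165.222.248) via the old default gateway, then the two /1 routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) via the tunnel gateway 10.88.0.1, and the first of the three failed. OpenVPN still logs "Initialization Sequence Completed", so the failure is easy to miss. Two quick checks for this situation, added here as an example that is not from the thread or from cryptostorm: `count_route_failures` counts the failed route-add lines in the OpenVPN log, and `check_def1_routes` reads `route -n` output (the -n suppresses the reverse DNS lookups that stall when resolution is broken) and succeeds only if both /1 routes leave via a tun interface and the node's host route does not; without that host route the tunnel's own packets would themselves match the /1 routes and be steered into the tunnel. The sample log and routing tables in the block are constructed from the lines posted above.

```shell
#!/bin/sh
# Added example, not from the thread: check an OpenVPN client log and the kernel routing
# table for the "route add failed" condition shown above. The sample log and tables below
# are constructed from the lines posted in the thread.

# count_route_failures: number of failed route-add lines in an OpenVPN log read on stdin.
count_route_failures() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      *"route add command failed"*) n=$((n+1)) ;;
    esac
  done
  echo "$n"
}

# check_def1_routes NODE_IP: read `route -n` (or `route`) output on stdin. Returns 0 only if
# both redirect-gateway def1 halves (0.0.0.0/1 and 128.0.0.0/1) leave via a tun interface
# AND NODE_IP has a host route via a non-tun interface. Otherwise traffic either leaves in
# the clear via the WAN (no /1 routes) or the tunnel's own packets loop into the tunnel.
check_def1_routes() {
  node="$1"; lo=0; hi=0; host=0
  while read -r dest gw mask flags rest; do
    if [ "$dest" = "default" ]; then dest="0.0.0.0"; fi   # `route` without -n prints "default"
    case "$dest" in [0-9]*) ;; *) continue ;; esac        # skip "Kernel IP routing table" and the header
    iface="${rest##* }"                                    # Iface is the last column
    case "$dest/$mask/$iface" in
      "0.0.0.0/128.0.0.0/tun"*)   lo=1 ;;
      "128.0.0.0/128.0.0.0/tun"*) hi=1 ;;
    esac
    if [ "$dest" = "$node" ] && [ "$mask" = "255.255.255.255" ]; then
      case "$iface" in tun*) ;; *) host=1 ;; esac
    fi
  done
  if [ "$lo" -eq 1 ] && [ "$hi" -eq 1 ] && [ "$host" -eq 1 ]; then return 0; fi
  return 1
}

# constructed from the OpenVPN log posted above
SAMPLE_LOG='20160724 20:31:08 /sbin/route add -net 46.165.222.248 netmask 255.255.255.255 gw 192.168.177.1
20160724 20:31:08 W ERROR: Linux route add command failed: external program exited with error status: 1
20160724 20:31:08 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.88.0.1
20160724 20:31:08 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.88.0.1
20160724 20:31:08 I Initialization Sequence Completed'

# constructed: what `route -n` should look like once all three routes are in place
GOOD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.88.0.1       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.177.1   0.0.0.0         UG    0      0        0 vlan2
10.88.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun0
46.165.222.248  192.168.177.1   255.255.255.255 UGH   0      0        0 vlan2
128.0.0.0       10.88.0.1       128.0.0.0       UG    0      0        0 tun0
192.168.177.0   0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

# the table the poster saw without the VPN: no tun routes at all, everything via vlan2
BAD_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.177.1   0.0.0.0         UG    0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
192.168.11.0    *               255.255.255.0   U     0      0        0 br0
192.168.177.0   *               255.255.255.0   U     0      0        0 vlan2'

# usage on the router: route -n | sh route_check.sh 46.165.222.248   (exit 0 = tunnel routes OK)
# with no argument the constructed samples are evaluated instead
if [ -n "${1:-}" ]; then
  check_def1_routes "$1"
else
  echo "route add failures in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_route_failures)"
  if printf '%s\n' "$GOOD_TABLE" | check_def1_routes 46.165.222.248; then
    echo "good table: all traffic is steered through tun0"
  fi
  if printf '%s\n' "$BAD_TABLE" | check_def1_routes 46.165.222.248; then :; else
    echo "bad table: no tun routes, traffic would leave via the WAN"
  fi
fi
```

A non-zero count from the log, or a failing route check while the GUI still reports "CONNECTED SUCCESS", is the moment to treat the router as unprotected and keep the default-drop firewall in place rather than clearing it to debug; with the policies at DROP, a missing tun route shows up as no connectivity instead of as clear-text traffic on the WAN.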

Tony

Re: HOWTO: DD-WRT Routers

Postby Tony » Mon Jul 25, 2016 10:37 pm

I set up my Asus RT-AC5300 AC5300 following the exact instructions above.

Two issues:
1. The VPN keeps dropping, and when I review the Status > VPN tab the top section is just empty. I go to Services > VPN, scroll to the bottom and click Apply Settings (I didn't change anything), and then the Status > VPN tab doesn't change. Back to Services > VPN and Apply Settings again, and then it usually says "connected success" and I have internet back.

2. The speeds are nowhere near 50 megabit/sec. I'm getting around 17-20.

Any ideas? What configuration information would you need to troubleshoot?

Thanks


cryptoclusterfuck

Re: HOWTO: DD-WRT Routers

Postby cryptoclusterfuck » Sat Jul 30, 2016 12:24 pm

I have been confused before. Many times have I struggled with a new VPN provider when trying to get it set up on my DD-WRT router.

But NEVER ever as confused and frustrated as I am right now. This whole website is nothing but conflicting information and guides that don't work, with URLs that go to places other than where they are supposed to.

No wonder the subscription was only 4 bucks for a month. They don't even give you the actual server IPs!

I.e. who the hell is the host of your own server status page? And why the hell isn't it cryptostorm? like wtf


uz-uz-uz
Posts: 8
Joined: Sun Feb 15, 2015 4:23 pm

Re: HOWTO: DD-WRT Routers

Postby uz-uz-uz » Sun Jul 31, 2016 7:42 pm

I was hoping for an answer, not a rant...
There are other ways to get into CS that work out of the box.
Just for the friggin' DD-WRT you need to be a bashkid to handle that. Not sure if you can blame CS. True however, a word on the current CS support status of DD-WRT or a current setup would be helpful.


Khariz
Posts: 162
Joined: Sun Jan 17, 2016 7:48 am

Re: HOWTO: DD-WRT Routers

Postby Khariz » Mon Aug 01, 2016 6:57 am

Have you read the second to last post in this thread? viewtopic.php?p=16194


uz-uz-uz
Posts: 8
Joined: Sun Feb 15, 2015 4:23 pm

Re: HOWTO: DD-WRT Routers

Postby uz-uz-uz » Tue Aug 02, 2016 12:31 am

Okay happy people.
Apparently the IP from the above screenshots doesn't work (anymore?).
I put 46.165.240.174 into the GUI and set the additional config to remote-random.
Now I still need to figure out my firewall-leak-fix...

PS: Khariz, thanks, but that didn't do anything.


uz-uz-uz
Posts: 8
Joined: Sun Feb 15, 2015 4:23 pm

Re: HOWTO: DD-WRT Routers

Postby uz-uz-uz » Tue Aug 02, 2016 2:17 am

works for me, as of today:
Image


uz-uz-uz
Posts: 8
Joined: Sun Feb 15, 2015 4:23 pm

Re: HOWTO: DD-WRT Routers

Postby uz-uz-uz » Sun Aug 14, 2016 9:06 pm

Had another hiccup after rebooting my router.
Did NOT change SHIT.
No connection.
Finally deleted the

Code: Select all

remote-random </connection> ... <connection>

stuff.
Now it works.
Also, the GUI of my early-2016 DD-WRT seems to allow full names (linux-frankfurt.cryptostorm.net) now, as opposed to sometime back in the days (if that wasn't some other misconfig).


dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: HOWTO: DD-WRT Routers

Postby dexter » Sat Dec 23, 2017 3:28 am

Hi, if someone can help me out: viewtopic.php?f=32&t=9502

