
HOWTO: OpenWRT Routers

Guides, HOWTOs etc on how to setup Cryptostorm on PCs, smartphones, tablets and routers.

Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

HOWTO: OpenWRT Routers

Postby Lignus » Thu Nov 07, 2013 7:50 am

{direct link: openwrt.cryptostorm.org}
note: this configuration will also block all IPv6 network traffic at the router level, to protect against out-of tunnel information transmission.


OK, not quite a "how-to" - more of a "mostly already preconfigured for you."

I did this setup on a Ubiquiti Nanostation Loco M2. It has a single WLAN and a single LAN. I am using the Ethernet port as the WAN and the WiFi as the LAN side. I have configured the setup using bridge interfaces, so all you need to do is add and remove physical interfaces to the virtual WAN or LAN bridge and you are configured exactly how you want.

You will need to do some reconfiguration after installation. The WiFi SSID is OpenWrt and the password is changeme. I also set the WiFi to 10 dBm to give it broad compatibility and not overload anyone's radio; this means you had better be close when you initially configure it.

The LAN subnet is 10.13.37.0/24. This is unlikely to be in use on the WAN side and I thought I may as well have a little fun adding a 1337 in there somewhere. The DHCP server will assign you 8.8.8.8 and 8.8.4.4 as your DNS servers, if anyone has a better idea for default DNS servers, let me know.

Speed is not ideal, but it is very usable. The 400MHz Atheros chipset in my device can push about 5MBps over the OpenVPN link to Cryptostorm:
[image: speed test result]
The upload is limited by my own 1MBps upload combined with the VPN overhead.

I ran some popular torrents and averaged about 350K/sec down and 30K/sec up simultaneously.

If you want more speed, you are going to have to go with a more powerful router.
[image: speed test result]
I tested with OpenWRT on an old AMD-powered laptop with a second USB NIC (exact config I am posting, just replaced WiFi with Ethernet) and my results were consistently 20% below my line speed. That is, I have a 10/1 and going through the VPN I get 8/0.8. Ran some popular torrents off the bay and managed a solid 975K/sec download rate. I would recommend throttling things, because it saturated the link and my ping times effectively tripled. Considering the OpenVPN process never peaked above 16% CPU (versus 50% on the Atheros router), if my connection were fast enough I could easily push 25MBps real throughput (31MBps inc. overhead), assuming a linear scale and capping out at 50% CPU.

Setting up a new router consists of the following steps:
  1. Load OpenWRT (see the specific guides for your router)
  2. Telnet into the router
    • passwd (set your root password)
    • reboot (lets the router initialize SSH)
  3. SSH into the router and change the IP settings so it can access the internet. The following example is based on your home router having an IP of 192.168.1.254.
    • ifconfig br-lan 192.168.1.253
  4. Your SSH session will freeze because the router has a new IP; close it and reopen it to 192.168.1.253 to continue
    • route add default gw 192.168.1.254
    • echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
    • opkg update
    • opkg install luci
    • opkg install openvpn-openssl
    • /etc/init.d/uhttpd start
    • /etc/init.d/uhttpd enable
  5. Your web UI is now set up and accessible at http://192.168.1.253
    • Once logged in (root / the password you set earlier), go to System-->Backup/Flash Firmware
    • Browse for the config backup attached to this post, and restore the backup from the flash
  6. Once booted again, your router will be broadcasting a wireless access point with the SSID 'OpenWrt' and a password of 'changeme'. Connect to the access point.
  7. Open your browser to http://10.13.37.1 and log in with root / the password you set earlier
  8. Go to System-->Startup
  9. Scroll down to the bottom of the page and, in the text box, replace 'your_lowercase_SHA512_hash_goes_here' with your token hash.
  10. You can leave the lines there after the router reboots, or delete them.
  11. Change your WiFi settings to whatever your preference is.
  12. Done! :)

Here is the startup script that sets firewall rules on every boot. It blocks all IPv6 traffic and makes the router nearly a black hole. With this configuration, there should be virtually no way into the router other than SSH and HTTP on the LAN side (the part you physically control).

Critiques of my iptables rules are very much welcome. I do not claim to be an expert and could have missed something.

Code:

# This will place your username and password in a file to be read by the OpenVPN client and auto-connect.
# You can remove or comment out these lines after the first reboot with the correct value.

echo your_lowercase_SHA512_hash_goes_here > /etc/config/openvpn.key
echo 93b66e7059176bbfa418061c5cba87dd >> /etc/config/openvpn.key
chmod 600 /etc/config/openvpn.key

# FLUSH (clear) any IPv6 rules
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -F

# DROP all IPv6 traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# ALLOW two-way traffic from LAN to VPN
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


# ***************************************************************************#
# DROP all traffic to the WAN that originates from the LAN clients #
#     This prevents LAN traffic from going out unencrypted!              #
# ***************************************************************************#
iptables -I FORWARD -i br-lan -o br-wan -j DROP
iptables -I FORWARD -i br-wan -o br-lan -j DROP

# ALLOW NAT to VPN
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# ALLOW HTTP, SSH, and DHCP access to router only over LAN interface
iptables -A INPUT -p tcp -i br-lan --dport 80 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p tcp -i br-lan --dport 22 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 68 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 67 -j ACCEPT

# ALLOW solicited traffic on WAN/VPN interface
iptables -A INPUT -i br-wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT



# DROP unsolicited traffic on ALL interfaces
iptables -A INPUT -i br-lan -j DROP
iptables -A INPUT -i br-wan -j DROP
iptables -A INPUT -i tun0 -j DROP

# REJECT all other access to router, prevents any services being pulled from router to possibly leak over WAN (DNS) - Probably a redundant rule
iptables -A INPUT -d 10.13.37.1 -j REJECT

# Connect to OpenVPN using openvpn.conf with the username and password stored in openvpn.key
openvpn --config /etc/config/openvpn.conf --auth-user-pass /etc/config/openvpn.key &

exit 0
Attachment: backup-OpenWrt-2013-11-07-Cleansed.tar.gz (7.68 KiB)
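As an added example (not part of Lignus's post), a small POSIX sh audit that checks a rule listing in `iptables -S` / `ip6tables -S` format for the three properties the startup script above depends on: IPv6 policies set to DROP, the LAN/WAN forwarding drops sitting above fw3's own zone jump (which is why the script uses `-I`), and WAN input limited to established connections. The listings inside it are constructed to mirror the script; `zone_lan_forward` is OpenWrt fw3's chain name, and the interface names and 10.13.37.1 are the post's.

```shell
#!/bin/sh
# Audit of the leak-prevention properties the startup script above relies on.
# Added example, not from the original post. It reads listings in the format
# that `iptables -S` / `ip6tables -S` print and checks that:
#   1. all three IPv6 filter policies are DROP;
#   2. LAN<->WAN forwarding is dropped, and the LAN->WAN drop sits above any
#      other rule that could forward LAN traffic off-tunnel (the reason the
#      script inserts with -I instead of appending with -A);
#   3. INPUT from the WAN interface accepts only conntrack-established traffic.
# Interface names (br-lan, br-wan, tun0) and 10.13.37.1 are taken from the post.

# Constructed listings mirroring the script's rules. On the router, run instead:
#   audit_router "$(ip6tables -S)" "$(iptables -S FORWARD)" "$(iptables -S INPUT)"
SAMPLE_V6='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP'

SAMPLE_FWD='-P FORWARD ACCEPT
-A FORWARD -i br-wan -o br-lan -j DROP
-A FORWARD -i br-lan -o br-wan -j DROP
-A FORWARD -i tun0 -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o tun0 -j ACCEPT
-A FORWARD -i br-lan -j zone_lan_forward'

# Same rules appended with -A: fw3's zone jump now sees LAN traffic first.
LEAKY_FWD='-P FORWARD ACCEPT
-A FORWARD -i br-lan -j zone_lan_forward
-A FORWARD -i br-lan -o tun0 -j ACCEPT
-A FORWARD -i br-lan -o br-wan -j DROP
-A FORWARD -i br-wan -o br-lan -j DROP'

SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -d 10.13.37.1/32 -i br-lan -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i br-wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br-lan -j DROP
-A INPUT -i br-wan -j DROP'

# check_v6_policies LISTING -> 0 iff INPUT, FORWARD and OUTPUT policies are DROP
check_v6_policies() {
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$1" | grep -q -e "^-P $chain DROP\$" || return 1
    done
    return 0
}

# check_lan_wan_isolation LISTING -> 0 iff both directional drops exist and no
# rule above the LAN->WAN drop matches LAN ingress without being bound to tun0
check_lan_wan_isolation() {
    printf '%s\n' "$1" | grep -q -e '^-A FORWARD -i br-wan -o br-lan -j DROP$' || return 1
    drop_at=$(printf '%s\n' "$1" | grep -n -e '^-A FORWARD -i br-lan -o br-wan -j DROP$' \
              | head -n 1 | cut -d: -f1)
    [ -n "$drop_at" ] || return 1
    if printf '%s\n' "$1" | head -n "$((drop_at - 1))" | grep -e '-i br-lan ' \
           | grep -v -e '-o tun0 ' | grep -q .; then
        return 1
    fi
    return 0
}

# check_wan_input_closed LISTING -> 0 iff WAN input ends in DROP and the only
# ACCEPT for WAN ingress is the conntrack rule (jumps into other chains are not
# followed; audit those chains separately)
check_wan_input_closed() {
    printf '%s\n' "$1" | grep -q -e '^-A INPUT -i br-wan -j DROP$' || return 1
    if printf '%s\n' "$1" | grep -e '^-A INPUT -i br-wan ' | grep -e '-j ACCEPT' \
           | grep -v -e 'ESTABLISHED' | grep -q .; then
        return 1
    fi
    return 0
}

# audit_router V6 FORWARD INPUT -> one PASS/FAIL line per check; returns the
# number of failed checks
audit_router() {
    failed=0
    if check_v6_policies "$1";       then echo "PASS ipv6 policies DROP"; else echo "FAIL ipv6 policies DROP"; failed=$((failed + 1)); fi
    if check_lan_wan_isolation "$2"; then echo "PASS lan/wan isolation";  else echo "FAIL lan/wan isolation";  failed=$((failed + 1)); fi
    if check_wan_input_closed "$3";  then echo "PASS wan input closed";   else echo "FAIL wan input closed";   failed=$((failed + 1)); fi
    return "$failed"
}

echo "== rules inserted with -I (as in the startup script)"
audit_router "$SAMPLE_V6" "$SAMPLE_FWD" "$SAMPLE_INPUT" || true
echo "== same rules appended with -A"
audit_router "$SAMPLE_V6" "$LEAKY_FWD" "$SAMPLE_INPUT" || true
```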


Guest

Re: HOWTO: OpenWRT Routers

Postby Guest » Fri Feb 07, 2014 4:41 pm

Is there any particular reason you're blocking IPv6 addresses?

Not critique per se, just genuinely curious.


DesuStrike
ForumHelper
Posts: 345
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: OpenWRT Routers

Postby DesuStrike » Fri Feb 07, 2014 8:02 pm

CryptoStorm is purely IPv4 (at the moment). If some IPv6 traffic were to happen, you would basically bypass the VPN and surf unencrypted, thus revealing your identity and contents.
home is where the artillery hits


hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: HOWTO: OpenWRT Routers

Postby hashtable » Sat Mar 26, 2016 5:40 pm

I found a great guide on hide.me's forum - linked here. It took me a while to get all the settings right - and I'd also recommend checking out some of the latest community releases if you have a router that supports those builds; everything will be optimized and compiled for the router, and the latest trunk images have a shitload more packages available. My settings basically look like this:

Code:

cat >> /etc/config/openvpn << EOF
config openvpn 'cstorm'
    option enabled '1'
    option client '1'
    option dev 'tun'
    option proto 'udp'
    option reneg_sec '0'
    option remote 'linux-balancer.cryptostorm.net 443'
    option comp_lzo 'adaptive'
    option nobind '1'
    option down_pre '1'
    option mssfix '1400'
    option persist_tun '1'
    option persist_key '1'
    option verb '3'
    option auth_user_pass '<path to key>'
    option ca '<path to crt>'
    option ns_cert_type 'server'
    option auth 'SHA512'
    option cipher 'AES-256-CBC'
    option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
    option tls_client '1'
    option key_method '2'
EOF


And I followed their instructions for the firewall, which looks something like this:

Code:

cat >> /etc/config/firewall << EOF
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# note: input 'ACCEPT' on the wan zone leaves the router's own services reachable
# from the WAN side; the OpenWrt default for this zone is 'REJECT'
config zone
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option input 'ACCEPT'
config zone
    option name 'cstorm'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'cstorm'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'cstorm'
    option src 'lan'
EOF


Something like that.. I turned off IPv6 where possible. I'm not using resolv-random so that I can sync the DNS properly (dnscrypt-proxy works great). Before I found that guide I could get cryptostorm to work like 25% of the time, but now I'm getting better at it. 'comp-lzo' makes it reeaaalllyyy slow; removing it or changing the option to 'adaptive' seems to fix that. Also it seems to like the 'persist-tun' and 'persist-key' options. You could also try to retry infinite? But it works pretty well, especially on a build that has a version of openvpn optimized for the router precompiled.

Oh, don't forget to add the key and crt files, and chmod 600 the key.


hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: HOWTO: OpenWRT Routers

Postby hashtable » Sun Aug 07, 2016 7:05 am

Is anybody down to take this shit to the next level!!!!!


Okay, so. I've been compiling openwrt firmware for the last month or so, getting my feet wet. The process isn't that complicated, but it takes a little getting used to. First, what's the difference between compiling your own build and just downloading a vanilla one from the repo (or the new LEDE fork that's making epic fixes daily)?

Performance. Performance. Holy shit. Yes.

E.g. I might want to include all the kernel modules for every cryptographic protocol used in openwrt's openvpn file (standard for linux). I can just add that file in the same place you'd place it if running on a normal debian/unix (whatever), and it works. Not like the shitty ** ...8**..... slow grind of a router; I mean this shit works as well as any other medium I've used it on.

The same can't be true if you downloaded the files, even the exact same ones, but you're not using an optimized custom firmware. Instead of bragging about it, how about this: is anyone interested in a cs-storm optimized, prebuilt openwrt firmware that you can literally just install like any other openwrt (if your router's compatible), with the proper firewall rules etc. inside?

I still need to perfect some things. And there are a few caveats... I don't know exactly what I'm doing, so I'm still experimenting with it. The default 'linux' 'kill ipv6' is not proper either (ipv6 is necessary to masquerade / scramble some of the information between LAN / WAN ... maybe? or at least in the default implementation). Also, this might be coincidence, but the cstorm router is double NAT behind another openwrt router. For some reason, using an experimental sqm cake protocol double 'triple-isolate', it creates firewall rules that.. I don't know. When I turned that off, it stopped working for a bit. (might be random).

Also, the cstorm router is behind another router, and they're not connected LAN-LAN but LAN-WAN. Your cstorm router can talk to the LAN router, but the LAN router will just give the cstorm router an IP from its address range, and the cstorm router has its own address range (just changed like.... 192.168.1.1 to 192.168.2.1; the second to last number basically, you can use anything). I also *rarely* route traffic with the cstorm router. I might plug in 1-2 computers, *maybe* turn on wifi for a sec if I'm in another room, but usually just have like one machine plugged in at a time (not using it as a default router for roommates n shit).

One other thing I'm experimenting with involves tunneling into the csrouter from the lan router and creating a port to proxy internet traffic from either a computer, or even just a single browser, into the csrouter. I'm not sure if everything is configured as well as it could be (dns website checkers just keep sending posts without any results), but to the best of my ability to monitor traffic from various computers and both routers, it appears to be working as it properly should. The custom crypto modules that won't come default in almost any router are really what make the difference between a 'meh' connection and 'this is pretty legit'.

(ps. dnscrypt-proxy + adblock, which forces DNS into the dns proxy tube (which caches), means you get dnscrypt-proxy + cstorm + noleaks)

With a better UI, and because a special dnscrypt version accepts using multiple hosts, you can (prob through scripts) sync which resolver you want to use with the openvpn being activated. Using a 'balanced' or 'dynamic' config would prevent you from having a 1-1 sync with dnscrypt, and the perf is much more noticeable for some regions rather than others.

I haven't tried voodoo since I compiled the new firmware. Lede is probably the way to go too (openwrt fork). You can configure individual clients / address ranges to have separate dhcp / dns rules, and with some creativity you can create networks where only like... a subset of computers (by MAC / IP-range) are on cryptostorm, and the rest of the space is just normal. Because I have two routers... and I know it's possible to create tunnels between them and to create any obscure iptable rule imaginable, I'm curious what kind of setups could be possible, just within the 'lan' (or maybe ssh into a vps?) or whatever. Even though all internet goes through 1 pipe, and some of this may seem redundant, I'm convinced that ISPs are by far, without comparison, the main perpetrator entity that is using weird techniques to monitor traffic, including (probably) trivial means to trick a router's behavior. This is my true ISP; basically that's how I think of CS.


hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: HOWTO: OpenWRT Routers

Postby hashtable » Sat Sep 24, 2016 6:34 pm

Fuck it, I've changed my attitude: VPN on local devices is probably the safest method, assuming they're capable. Many devices aren't, so putting it in the router allows devices to connect securely that otherwise wouldn't be able to. But the catch-22 is routers are weird: they have different firewall rules, they need to properly route the clients, and they're closer to the WAN (thus more vulnerable). I'm sure an epic vpn router is theoretically possible to build with openwrt... maybe even a node of the cs network; like how ISPs upload firmware onto modems, if cs could upload firmware onto routers, that'd be legit. Also time consuming. Just throwing ideas around... does anybody know how to config openwrt properly?


parityboy
Site Admin
Posts: 1220
Joined: Wed Feb 05, 2014 3:47 am

Re: HOWTO: OpenWRT Routers

Postby parityboy » Sun Sep 25, 2016 9:45 pm

@hashtable

What device is your OpenWRT firmware running on? Is it x86 compatible? If so, you could probably build a very nice router with hardware-assisted AES for not much money.


FoodMaven
Posts: 34
Joined: Thu Jun 01, 2017 2:22 am

Re: HOWTO: OpenWRT Routers

Postby FoodMaven » Fri Feb 09, 2018 6:40 am

The last reply to this post is quite old, from 2016. I have put CS's .ovpn and .crt in OpenWRT/LuCI's /etc/openvpn. I've hashed the token and put that string in Local Startup.

But then this post gets a little cloudy. So is CS now IPv6 capable?
Do I need to use

backup-OpenWrt-2013-11-07-Cleansed.tar.gz

or is it too out of date? Does anybody know?

(I'm feeling like an idiot by now) Is this also too out of date?

https://community.hide.me/tutorials/ope ... penwrt.38/ ????

Honestly, net-searching "cryptostorm ipv6" brings up nothing.

As Mulder once said: The Truth is out there.



FoodMaven
Posts: 34
Joined: Thu Jun 01, 2017 2:22 am

Re: HOWTO: OpenWRT Routers

Postby FoodMaven » Sat Feb 17, 2018 12:57 am

The OpenWRT page on setting up the OpenVPN shows:

touch /tmp/auth.conf
echo "YOUR_VPN_USER_NAME" > /tmp/auth.conf
echo "YOUR_VPN_PASSWORD" >> /tmp/auth.conf

I've read, but cannot find on this forum, words about how CS doesn't use a "user name", or maybe the username is the hashed token but there's no password? In any case, please direct me to that information.

I'm somewhat uncertain as to how long it will take to get a response, so I will return to this page in 7 days; but, Dear Sirs, if that isn't a reasonable length of time, please give me an approximate date count. Many Thanks.


parityboy
Site Admin
Posts: 1220
Joined: Wed Feb 05, 2014 3:47 am

Re: HOWTO: OpenWRT Routers

Postby parityboy » Sat Feb 17, 2018 5:14 pm

@FoodMaven

The username is the hashed token, as you correctly surmised. The password can be anything (since the operational model doesn't rely on it to grant access) but it must be something - whether it's a single character or a stream of random characters, it doesn't matter either way.


FoodMaven
Posts: 34
Joined: Thu Jun 01, 2017 2:22 am

Re: HOWTO: OpenWRT Routers

Postby FoodMaven » Mon Feb 19, 2018 9:56 pm

I think it worthy of note, that after searching the OpenVPN.net Forum for the keyword: cryptostorm, that there is only one entry. That that post's request goes un-responded to is irrelevant. Believe me when I say that I'm glad CS "flies under the radar". It's why I pay, monthly, for a token I have yet to get operational. CS may be the only honorable VPN provider out there.

Thanks, you nerds.



FoodMaven
Posts: 34
Joined: Thu Jun 01, 2017 2:22 am

Re: HOWTO: OpenWRT Routers

Postby FoodMaven » Tue Feb 20, 2018 10:56 pm

At the LEDE/LuCI forum, I read that changing the .ovpn was needed. To cstorm_linux-lisbon_udp.ovpn I added the following:

auth-user-pass /tmp/auth.conf
redirect-gateway def1
auth-nocache

The router's admin page, under the VPN tab, shows 4 entries:

Cryptostorm
sample_server
sample_client
provider

Status on CS and provider is checked enabled, but not started. Port 1194 and the protocol is UDP.

Clicking the radio button for CS "Start" returns no-auth in the system log.


parityboy
Site Admin
Posts: 1220
Joined: Wed Feb 05, 2014 3:47 am

Re: HOWTO: OpenWRT Routers

Postby parityboy » Thu Feb 22, 2018 3:17 am

@FoodMaven

OK, so I took the liberty of using VirtualBox to create two VMs, one each of OpenWRT and LEDE. Having read your post, I installed OpenVPN and (on LEDE) the luci-app-openvpn web module. That module is basically crap, so ignore it, seriously.

After a few searches I found the tutorial for getting the NordVPN service running on OpenWRT/LEDE. Here is what I did, using the Cryptofree service as the target. Obviously you can modify this for paid exit nodes.

Configuration Files
1. Download the configuration file from here.
2. Download the certificate file from here.
3. Load the configuration file into a text editor.
4. Remove explicit-exit-notify 3
5. Modify the line auth-user-pass so that it reads auth-user-pass auth.txt
6. Create the file auth.txt with your credentials. Cryptofree doesn't need valid tokens but you can put them in anyway just for convenience later when you transition to a paid exit node.

Code:

echo <hashed token> >auth.txt
echo rand0mstr1ng0fcharact3rs >>auth.txt

7. Copy these files to /etc/openvpn on the router.

Code:

scp cryptofree_linux-udp.ovpn ca.crt auth.txt root@192.168.1.1:/etc/openvpn


Router OpenVPN Configuration (SSH into your router for this)

Code:

uci set openvpn.csvpn=openvpn
uci set openvpn.csvpn.enabled='1'
uci set openvpn.csvpn.config='/etc/openvpn/cryptofree_linux-udp.ovpn'
uci commit openvpn


Router Tunnel Configuration (SSH into your router for this)

Code:

uci set network.csvpntun=interface
uci set network.csvpntun.proto='none'
uci set network.csvpntun.ifname='tun0'
uci commit network


Router Firewall Configuration (SSH into your router for this)

Code:

uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='csvpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall


Router DNS Configuration (SSH into your router for this)

Code:

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='8.8.8.8'
uci add_list network.wan.dns='8.8.4.4'
uci commit

(uses Google DNS as an example, but you'll probably want to change it)

Router Killswitch Configuration (SSH into your router for this)
1. Use the vim editor to add the following to /etc/firewall.user

Code:

# on firewall (re)load: block all forwarding while the tunnel device is absent
# ("ip a s tun0 up" fails only when the tun0 device does not exist)
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

2. Use vim to create the file /etc/hotplug.d/iface/99-killswitch with the following content.

Code:

#!/bin/sh
# Hotplug handler: lift the forwarding block when the tunnel comes up and
# restore it when the tunnel goes down. Note that "ip a s tun0 up" fails only
# when the tun0 device does not exist at all.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi

Now reboot your router and when it comes back up, OpenVPN should be up and running. You can verify this by checking your IP address here. You can also check Status->Routes->Active IPv4-Routes in the web interface.


FoodMaven
Posts: 34
Joined: Thu Jun 01, 2017 2:22 am

Re: HOWTO: OpenWRT Routers

Postby FoodMaven » Fri Feb 23, 2018 5:32 am

I am at a loss of words to properly express my gratitude. You are an :angel:

I'm working on it now. I'll say OK when all is OK.


FoodMaven
Posts: 34
Joined: Thu Jun 01, 2017 2:22 am

Re: HOWTO: OpenWRT Routers

Postby FoodMaven » Tue Mar 13, 2018 12:38 am

root@LEDE:/# uci set firewall.@forwarding[-1].src='lan'
root@LEDE:/# uci set firewall.@forwarding[-1].dest='vpnfirewall'
root@LEDE:/# uci commit firewall
root@LEDE:/# uci set network.wan.peerdns='0'
root@LEDE:/# uci del network.wan.dns
uci: Entry not found

Does "Entry not found" matter? Do I proceed without the entry?

A FEW MINUTES LATER.

As an experiment, I went ahead with the configging. Internet not available after rebooting.


parityboy
Site Admin
Posts: 1220
Joined: Wed Feb 05, 2014 3:47 am

Re: HOWTO: OpenWRT Routers

Postby parityboy » Tue Mar 13, 2018 3:32 am

@FoodMaven

If you go to Status->Routes->Active IPv4-Routes in the web console, what do you see?


FoodMaven
Posts: 34
Joined: Thu Jun 01, 2017 2:22 am

Re: HOWTO: OpenWRT Routers

Postby FoodMaven » Tue Mar 13, 2018 4:54 am

Active IPv4-Routes

Code:

Network   Target            IPv4-Gateway    Metric   Table
wan       0.0.0.0/0         192.168.1.254   0        main
wan       192.168.1.0/24                    0        main
wan       192.168.1.254                     0        main
lan       192.168.11.0/24                   0        main


FoodMaven
Posts: 34
Joined: Thu Jun 01, 2017 2:22 am

Re: HOWTO: OpenWRT Routers

Postby FoodMaven » Thu Mar 15, 2018 11:24 pm

Following the purpose built guide, created for me, I did the steps:

Router OpenVPN Configuration
Router Tunnel Configuration
Router Firewall Configuration
Router DNS Configuration
[create] Router Killswitch Configuration
[create] 99-killswitch file.

Additionally, I added connection to the NTP time servers via these commands:

https://www.loganmarchione.com/2015/08/ ... #Setup_NTP

uci set system.@system[0].hostname="c7main"
uci set system.@system[0].zonename="America/Los Angeles"
uci set system.@system[0].timezone="PST8PDT,M3.2.0,M11.1.0"
uci commit system

uci set system.ntp="timeserver"
uci set system.ntp.enabled="1"
uci delete system.ntp.server
uci add_list system.ntp.server="0.us.pool.ntp.org"
uci add_list system.ntp.server="1.us.pool.ntp.org"
uci add_list system.ntp.server="2.us.pool.ntp.org"
uci add_list system.ntp.server="3.us.pool.ntp.org"
uci commit system

I made one change in the steps provided:

uci set openvpn.csvpn.config='/etc/openvpn/cstorm_linux-lisbon_udp.ovpn'

as I have a paid token.

Upon rebooting both the modem (first), allowing it to come up after a few minutes, and then the router (OpenWRT, OpenVPN and Cryptostorm), I could not get back online. I could access the OpenWRT (LEDE actually) router admin page.

The syslog gave:

Thu Mar 15 10:59:30 2018 daemon.notice openvpn(csvpn)[1717]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Mar 15 10:59:30 2018 daemon.notice openvpn(csvpn)[1717]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Thu Mar 15 10:59:30 2018 daemon.err openvpn(csvpn)[1717]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Thu Mar 15 10:59:30 2018 daemon.notice openvpn(csvpn)[1717]: Exiting due to fatal error
Thu Mar 15 10:59:31 2018 daemon.err openvpn(cstorm_linux-lisbon_udp[1796]: Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass
Thu Mar 15 10:59:31 2018 daemon.warn openvpn(cstorm_linux-lisbon_udp[1796]: Use --help for more information.
Thu Mar 15 10:59:35 2018 daemon.notice openvpn(csvpn)[1797]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Mar 15 10:59:35 2018 daemon.notice openvpn(csvpn)[1797]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Thu Mar 15 10:59:35 2018 daemon.err openvpn(csvpn)[1797]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Thu Mar 15 10:59:35 2018 daemon.notice openvpn(csvpn)[1797]: Exiting due to fatal error
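As an added example (not from the thread, OpenWrt or cryptostorm), a POSIX sh pre-flight check for an .ovpn before it is copied to /etc/openvpn. It covers steps 4 and 5 of parityboy's walkthrough and the two errors in the syslog above: a bare `auth-user-pass` makes OpenVPN try to prompt on a tty it does not have under procd, and a config with no authentication method at all is rejected outright. The sample configs are constructed and the server name is a placeholder.

```shell
#!/bin/sh
# Pre-flight lint for an OpenVPN client config before it goes to /etc/openvpn
# on the router. Added example; not from the thread, OpenWrt or cryptostorm.
# It looks for the states behind the two syslog errors above:
#   - "auth-user-pass" with no file argument: under procd there is no tty, so
#     OpenVPN cannot prompt ("can't ask for 'Enter Auth Username:'")
#   - no auth-user-pass / cert / pkcs12 line at all
#     ("No client-side authentication method is specified")
# and it flags the explicit-exit-notify line the walkthrough removes.

# Constructed sample configs; the server name is a placeholder.
OVPN_BARE_AUTH='client
dev tun
proto udp
remote vpn.example.invalid 443
auth-user-pass
auth-nocache
explicit-exit-notify 3
ca ca.crt'

OVPN_NO_AUTH='client
dev tun
remote vpn.example.invalid 443   # trailing comments are stripped
ca ca.crt'

OVPN_FIXED='client
dev tun
proto udp
remote vpn.example.invalid 443
auth-user-pass auth.txt
auth-nocache
ca ca.crt'

# ovpn_body TEXT -> TEXT with comments, blank lines and edge whitespace removed
ovpn_body() {
    printf '%s\n' "$1" | sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' \
                             -e 's/[[:space:]]*$//' -e '/^$/d'
}

# check_ovpn TEXT -> prints ERROR/WARN findings, returns the number of ERRORs
check_ovpn() {
    body=$(ovpn_body "$1")
    errors=0

    # bare directive: OpenVPN falls back to interactive prompting
    if printf '%s\n' "$body" | grep -q '^auth-user-pass$'; then
        echo "ERROR: auth-user-pass has no file argument; OpenVPN will try to prompt on a tty"
        errors=$((errors + 1))
    fi

    # a bare auth-user-pass still counts as a method here; only its absence is
    # the "No client-side authentication method" case
    if ! printf '%s\n' "$body" | grep -q -E '^(auth-user-pass|cert|pkcs12)( |$)'; then
        echo "ERROR: no client authentication method (auth-user-pass FILE, cert or pkcs12)"
        errors=$((errors + 1))
    fi

    if printf '%s\n' "$body" | grep -q '^explicit-exit-notify'; then
        echo "WARN: explicit-exit-notify present; remove it as in the walkthrough"
    fi

    return "$errors"
}

echo "== bare auth-user-pass"; check_ovpn "$OVPN_BARE_AUTH" || echo "   -> rejected"
echo "== no auth method";      check_ovpn "$OVPN_NO_AUTH"   || echo "   -> rejected"
echo "== fixed";               check_ovpn "$OVPN_FIXED"     && echo "   -> ok"
```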

