HOW-TO: Tomato router setup

[timusan]

Hi everyone

After some fiddling around with my newly flashed Tomato router and with the nice help of the guru's from Cryptostorm, I thought it would be nice to share the information with anyone who would like to use Cryptostorm Darknet with their Tomato install.

Using roughly the same approach as with the DD-WRT router setup, here is a visual guide.
Note: This guide is written for the Tomato USB build version 1.28 (20 January 2014) flashed onto the Asus RT-N66U router, but should be applicable to most recent Tomato builds.

Also note: This is a un-tuned setup, just tweaked enough to get a decent connection with a Tomato flashed router. Any constructive comments and suggestions to make this a better setup are welcome.
This thread is intended to get the most out of Tomato/Cryptostorm combinations.

First, go to your routers web based admin panel and from the left menu choose "VPN Tunneling" > "OpenVPN Client"

1. Basic tab

--- "Start with WAN" - Tick the box to start your VPN connection when your WAN activates
--- "Interface Type" - Set this to TUN
--- "Protocol" - Set this to UDP
--- "Server Address/Port" - Set the server to the general balancer or to your favorite exitnode cluster, the port has to be set to 443
--- "Firewall" - Set this to automatic or punch in your own firewall rules
--- "Authorization Mode" - Set this to TLS
--- "Username/Password Authentication" - As unintuitive as it may sound, leave this one off. You would normally enter your hashed token in the username field, but the hash does not fit in the input and will get cut off. We have to load this via a seperate file later.
--- "Extra HMAC authorization (tls-auth)" - Leave this one off
--- "Create NAT on tunnel" - Set this on

2. Advanced tab

--- "Poll Interval" - Leave this at 0, meaning disabled
--- "Redirect Internet traffic" - Set this on
--- "Accept DNS configuration" - Set this to strict
--- "Encryption cipher" - Set this to AES-256-CBC
--- "Compression" - Set this to Adaptive
--- "TLS Renegotiation Time" - Leave this at -1, defaults to 20 minutes
--- "Connection retry" - Leave this at -a, default to infinite
--- "Verify server certificate (tls-remote)" - Leave this off
--- "Custom Configuration" - Here we have to renable some settings that where not possible through the interface, enter the following lines:

Code: Select all

ns-cert-type server
auth SHA512
auth-user-pass /jffs/password.txt
hand-window 17
replay-window 128 30


Take special note of "auth SHA512" and "auth-user-pass /jffs/password.txt". The first one sets the encryption scheme, which you cannot set through the interface.
The second one is where we tell OpenVPN to load the username/password combo from an external plain text file. In my setup, I enabled the JFFS file system so my password file would be saved between router reboots.
The OpenVPN password file needs the username to be on the first line and the password on the second. Since Cryptostorm only uses a "username" you only need to enter your hashed token on the first line and save the file.
Also make sure to make this file only readable for root.

Now, normally, when loading the password from an external file, you should also set the "auth-nocache" setting so the password is not stored in memory. Unfortunately this triggers a known bug in OpenVPN where the first time you will be able to connect, but after a TLS renegotiation happens, it will fail to load your token (the username) and drop the connection with the error: "ERROR: could not read Auth username from stdin".

3. Keys tab

The only thing you have to enter here is the CA certificate from Cryptostorm.

That is it, with these settings you should be able to get a working Cryptostorm enabled Tomato router.

Again, any comments or suggestions are welcome, just shoot!

Cheers
Tim

[geoale66]

Hi, how do I load my token (already converted to a username via the tool)?

[Fermi]

On IRC, you wrote:

02:52:22 --> | web_83944 (web_83944@cryptostorm.is) has joined #cryptostorm 02:53:02 web_83944 | Hi guys! I am still trying to setup my connection, and haven't had any luck with the tomato router guide in the forum. I have the hash file converted from my token, I am using it as username in the interface, I already downloaded the CA.crt key that I found as most recent. I am using uscentral.cryptostorm.nu port 443 as my exit node, under UDP pro
02:53:02 web_83944 | tocol. I wonder what I am missing. I don´t know if should use vpn keys (client certificate or client key). I would be grateful if you can help me, since my vpn client can´t be started.
02:53:40 web_83944 | thanks for your comments │
02:58:51 web_83944 | I think nobody is there available, I will try my post later

ca.crt is the pre-HB certificate, if you want to connect to uscentral.cryptostorm.nu, you'll need the post-HB one:

Code: Select all

-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
+vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
X03mQP3ssBs2YRNR5hR5cMdC
-----END CERTIFICATE-----

[dfkt]

I set up Cryptostorm on my Asus RT-N16 running Tomato-USB 1.28. My custom config is here: http://paste.debian.net/plain/143048 (I simply took a default config and commented everything out that would give errors.) I also tried it with the same config as in the original post above. Those configs really don't make much of a difference, speed-wise.

Unfortunately, the connection is really slow, despite the N16 being a fairly powerful router for a consumer device (http://wiki.openwrt.org/toh/asus/rt-n16). The attached screenshot shows my speed with Cryptostorm running on the router, in comparison to running the Cryptostorm widget on Windows, and with direct connection to the internet (the two lines with the red frames).

Is it possible to improve the speed of Cryptostorm running on my router, or am I stuck with running a client/widget on each machine in my LAN?

Or should I look at other router firmwares, maybe? Is it known if eg. DD-WRT or OpenWRT have better performance than Tomato-USB?

Thanks in advance for any help.

EDIT: here's a log from the router: http://paste.debian.net/plain/143049

[Fermi]

dfkt,

Can you trace CPU usage in Tomato?
You will probably see that your CPU is the bottleneck when using OpenVPN on the router.

Regards,

/Fermi

[dfkt]

Thanks for the reply, Fermi.

You're right. So there's nothing I can do, I suppose.

There's no way to run Cryptostorm over PPTP instead of OpenVPN, I guess - sacrificing stronger encryption for better performance?

[dfkt]

Ok, just read the tweet about PPTP 'security'... no more questions regarding that matter. ;^)

https://twitter.com/cryptostorm_is/stat ... 8482575360

[Fermi]

dfkt,

Indeed, there's nothing much you can do on the CPU part I'm afraid.

/Fermi

[Raka74]

Hi all,

I'm running Advanced Tomato 1.28.0000 -3.0-132 K26ARM USB AIO-64K on an RT-AC68U.

The config as described above works great but I want to go trough VPN only on certain hosts.

Can I check 'Ignore redirect gateway' on the advanced tab:

https://www.dropbox.com/s/st4csz9myrr6j ... 4.png?dl=0

And then on the Routing Policy tab add ip addresses?

https://www.dropbox.com/s/he1xq9ub04vjo ... 8.png?dl=0


Or is this not the correct way to do this

[Raka74]

A reply to myself with a new question.

The above seems to work fine, with ' Ignore redirect Gateway' (route-nopull) checked only the client I specified on the ' routing policy' (from source IP) tab is using VPN.

When I take a look on ipleak.net though I see that the machine using VPN is still using my ISP's DNS server (dnsleak?)

Is there any way to prevent this? like adding the DNS option to the ' custom configuration ' ?

In the meantime I have just setup manual DNS with Opennic servers...

[dccc]

Any solution on that matter? I'm about to use a Asus RT-N66U with AdvancedTomato firmware and would greatly appreciate the CS deepDNS feature.

[tom user]

Hi. Have you tried adding the DNS addresses manually?

Basic - Network - Wan settings.

Take your picks from the list below.

https://github.com/cryptostorm/cstorm_d ... 5bab4d198d

[parityboy]

@dccc

Have a look at this list. You can enter the IPs into your router or your PC, but ignore the listed port number - they also answer on port 53 for standard DNS requests.

[dccc]

Thanks for the heads up! Today I had the chance to flash the router to the latest (stable) AdvancedTomato firmware. No problems with DNS settings (set as 'strict'). No leaks, beautiful CS deepDNS. The problem now is the router itself: Asus RT-N66U with 600Mhz CPU is too slow to handle reasonable fast VPN speeds.

[parityboy]

@dccc

You could always look into one of the EdgeRouters from Ubiquiti Networks, EdgeRouter Lite maybe?

[user5]

Sorry to revive a dead post but is anyone able to get any of the balancers working with Tomato? I can get any standard one to work but none of the balancers. It will show status as working but it isn't connected.

[parityboy]

Sorry to revive a dead post but is anyone able to get any of the balancers working with Tomato? I can get any standard one to work but none of the balancers. It will show status as working but it isn't connected.

Tomato should be set to use linux-balancer.cryptostorm.net. What do the logs show?

[AnonAsPossible]

I know this is an old thread. Suppose it's better to keep all things Tomato in 1 thread.

Has anyone been able to run the new 'ECC' config on a Tomato router? I tried changing the obvious differences, but it wouldn't work.

If someone is able to get "ECC' running on their Tomato router, could you post the settings here?! Thanks