HOW-TO: Tomato router setup

[timusan]

Hi everyone

After some fiddling around with my newly flashed Tomato router and with the nice help of the guru's from Cryptostorm, I thought it would be nice to share the information with anyone who would like to use Cryptostorm Darknet with their Tomato install.

Using roughly the same approach as with the DD-WRT router setup, here is a visual guide.
Note: This guide is written for the Tomato USB build version 1.28 (20 January 2014) flashed onto the Asus RT-N66U router, but should be applicable to most recent Tomato builds.

Also note: This is a un-tuned setup, just tweaked enough to get a decent connection with a Tomato flashed router. Any constructive comments and suggestions to make this a better setup are welcome.
This thread is intended to get the most out of Tomato/Cryptostorm combinations.

First, go to your routers web based admin panel and from the left menu choose "VPN Tunneling" > "OpenVPN Client"

1. Basic tab

--- "Start with WAN" - Tick the box to start your VPN connection when your WAN activates
--- "Interface Type" - Set this to TUN
--- "Protocol" - Set this to UDP
--- "Server Address/Port" - Set the server to the general balancer or to your favorite exitnode cluster, the port has to be set to 443
--- "Firewall" - Set this to automatic or punch in your own firewall rules
--- "Authorization Mode" - Set this to TLS
--- "Username/Password Authentication" - As unintuitive as it may sound, leave this one off. You would normally enter your hashed token in the username field, but the hash does not fit in the input and will get cut off. We have to load this via a seperate file later.
--- "Extra HMAC authorization (tls-auth)" - Leave this one off
--- "Create NAT on tunnel" - Set this on

2. Advanced tab

--- "Poll Interval" - Leave this at 0, meaning disabled
--- "Redirect Internet traffic" - Set this on
--- "Accept DNS configuration" - Set this to strict
--- "Encryption cipher" - Set this to AES-256-CBC
--- "Compression" - Set this to Adaptive
--- "TLS Renegotiation Time" - Leave this at -1, defaults to 20 minutes
--- "Connection retry" - Leave this at -a, default to infinite
--- "Verify server certificate (tls-remote)" - Leave this off
--- "Custom Configuration" - Here we have to renable some settings that where not possible through the interface, enter the following lines:

Code: Select all

ns-cert-type server
auth SHA512
auth-user-pass /jffs/password.txt
hand-window 17
replay-window 128 30

Take special note of "auth SHA512" and "auth-user-pass /jffs/password.txt". The first one sets the encryption scheme, which you cannot set through the interface.
The second one is where we tell OpenVPN to load the username/password combo from an external plain text file. In my setup, I enabled the JFFS file system so my password file would be saved between router reboots.
The OpenVPN password file needs the username to be on the first line and the password on the second. Since Cryptostorm only uses a "username" you only need to enter your hashed token on the first line and save the file.
Also make sure to make this file only readable for root.

Now, normally, when loading the password from an external file, you should also set the "auth-nocache" setting so the password is not stored in memory. Unfortunately this triggers a known bug in OpenVPN where the first time you will be able to connect, but after a TLS renegotiation happens, it will fail to load your token (the username) and drop the connection with the error: "ERROR: could not read Auth username from stdin".

3. Keys tab

The only thing you have to enter here is the CA certificate from Cryptostorm.

That is it, with these settings you should be able to get a working Cryptostorm enabled Tomato router.

Again, any comments or suggestions are welcome, just shoot!

Cheers
Tim

[geoale66]

Hi, how do I load my token (already converted to a username via the tool)?

[Fermi]

On IRC, you wrote:

02:52:22 --> | web_83944 (web_83944@cryptostorm.is) has joined #cryptostorm 02:53:02 web_83944 | Hi guys! I am still trying to setup my connection, and haven't had any luck with the tomato router guide in the forum. I have the hash file converted from my token, I am using it as username in the interface, I already downloaded the CA.crt key that I found as most recent. I am using uscentral.cryptostorm.nu port 443 as my exit node, under UDP pro
02:53:02 web_83944 | tocol. I wonder what I am missing. I don´t know if should use vpn keys (client certificate or client key). I would be grateful if you can help me, since my vpn client can´t be started.
02:53:40 web_83944 | thanks for your comments │
02:58:51 web_83944 | I think nobody is there available, I will try my post later

ca.crt is the pre-HB certificate, if you want to connect to uscentral.cryptostorm.nu, you'll need the post-HB one:

Code: Select all

-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
+vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
X03mQP3ssBs2YRNR5hR5cMdC
-----END CERTIFICATE-----

[dfkt]

I set up Cryptostorm on my Asus RT-N16 running Tomato-USB 1.28. My custom config is here: http://paste.debian.net/plain/143048 (I simply took a default config and commented everything out that would give errors.) I also tried it with the same config as in the original post above. Those configs really don't make much of a difference, speed-wise.

Unfortunately, the connection is really slow, despite the N16 being a fairly powerful router for a consumer device (http://wiki.openwrt.org/toh/asus/rt-n16). The attached screenshot shows my speed with Cryptostorm running on the router, in comparison to running the Cryptostorm widget on Windows, and with direct connection to the internet (the two lines with the red frames).

Is it possible to improve the speed of Cryptostorm running on my router, or am I stuck with running a client/widget on each machine in my LAN?

Or should I look at other router firmwares, maybe? Is it known if eg. DD-WRT or OpenWRT have better performance than Tomato-USB?

Thanks in advance for any help.

EDIT: here's a log from the router: http://paste.debian.net/plain/143049

[Fermi]

dfkt,

Can you trace CPU usage in Tomato?
You will probably see that your CPU is the bottleneck when using OpenVPN on the router.

Regards,

/Fermi

[dfkt]

Thanks for the reply, Fermi.

You're right. So there's nothing I can do, I suppose.

There's no way to run Cryptostorm over PPTP instead of OpenVPN, I guess - sacrificing stronger encryption for better performance?

[dfkt]

Ok, just read the tweet about PPTP 'security'... no more questions regarding that matter. ;^)

https://twitter.com/cryptostorm_is/stat ... 8482575360

[Fermi]

dfkt,

Indeed, there's nothing much you can do on the CPU part I'm afraid.

/Fermi

[Raka74]

Hi all,

I'm running Advanced Tomato 1.28.0000 -3.0-132 K26ARM USB AIO-64K on an RT-AC68U.

The config as described above works great but I want to go trough VPN only on certain hosts.

Can I check 'Ignore redirect gateway' on the advanced tab:

https://www.dropbox.com/s/st4csz9myrr6j ... 4.png?dl=0

And then on the Routing Policy tab add ip addresses?

https://www.dropbox.com/s/he1xq9ub04vjo ... 8.png?dl=0


Or is this not the correct way to do this

[Raka74]

A reply to myself with a new question.

The above seems to work fine, with ' Ignore redirect Gateway' (route-nopull) checked only the client I specified on the ' routing policy' (from source IP) tab is using VPN.

When I take a look on ipleak.net though I see that the machine using VPN is still using my ISP's DNS server (dnsleak?)

Is there any way to prevent this? like adding the DNS option to the ' custom configuration ' ?

In the meantime I have just setup manual DNS with Opennic servers...

[dccc]

Any solution on that matter? I'm about to use a Asus RT-N66U with AdvancedTomato firmware and would greatly appreciate the CS deepDNS feature.

[tom user]

Hi. Have you tried adding the DNS addresses manually?

Basic - Network - Wan settings.

Take your picks from the list below.

https://github.com/cryptostorm/cstorm_d ... 5bab4d198d

[parityboy]

@dccc

Have a look at this list. You can enter the IPs into your router or your PC, but ignore the listed port number - they also answer on port 53 for standard DNS requests.

[dccc]

Thanks for the heads up! Today I had the chance to flash the router to the latest (stable) AdvancedTomato firmware. No problems with DNS settings (set as 'strict'). No leaks, beautiful CS deepDNS. The problem now is the router itself: Asus RT-N66U with 600Mhz CPU is too slow to handle reasonable fast VPN speeds.

[parityboy]

@dccc

You could always look into one of the EdgeRouters from Ubiquiti Networks, EdgeRouter Lite maybe?

[user5]

Sorry to revive a dead post but is anyone able to get any of the balancers working with Tomato? I can get any standard one to work but none of the balancers. It will show status as working but it isn't connected.

[parityboy]

Sorry to revive a dead post but is anyone able to get any of the balancers working with Tomato? I can get any standard one to work but none of the balancers. It will show status as working but it isn't connected.

Tomato should be set to use linux-balancer.cryptostorm.net. What do the logs show?

[AnonAsPossible]

I know this is an old thread. Suppose it's better to keep all things Tomato in 1 thread.

Has anyone been able to run the new 'ECC' config on a Tomato router? I tried changing the obvious differences, but it wouldn't work.

If someone is able to get "ECC' running on their Tomato router, could you post the settings here?! Thanks

[blurb]

Here's how I've managed to get it to work with the new ECC connection. I'm sure there'll be tweaks and improvements (shout out if you know of any, dear reader), but it works and is stable on my router. The rest of this thread is bollocks now, and as I have time off work I'll set things strait.

You'll need JFFS turned on, and your hashed token/'password' in a file there as uber long strings can be too much for the GUI. Shout for help if that scares you (settings in Administration - JFFS).

Make sure to press save before moving to another tab or you'll loose your input.

Basic tab is as follows -





Interface Type - TUN
Protocol - UDP
Server/Port - england.cstorm.is 5060 (or other node/address, but keep port)
Firewall - Automatic
Authorisation - TLS
leave username/password auth unchecked. We'll point to that shortly.
Extra HMAC.. - Disabled
Auth Digest - SHA512 ( )
Create NAT - Checked.

Advanced tab



Poll Interval - 0
Redirect Traffic- Checked
Accept DNS conf - Relaxed
Cipher Nego' - Enabled
Compression - Disabled
TLS Renego' - -1
Connect' Retry - -1
Verify Serv Cert- Unchecked

Now, in the Extended Configuration box add the following. The static key HAS to be here and not on the Keys page. Also, make sure you've put your token/pass in a file in JFFS and point at it here.

Code: Select all

resolv-retry 16
remote-cert-tls server
verb 4
mute 3
auth-nocache
compress
cipher AES-256-GCM
auth-user-pass /jffs/password
tls-version-max 1.2
dhcp-option DNS 10.31.33.7

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
4875d729589689955012a2ee77f180ec
b815c4a336c719c11241a058dafaae00
806bbc21d5f1abad085341a3fca4b4f9
3949151c2979b4ee4390e8d9443acb00
61d537f1e9157e45f542c3648f563305
05f3eaff97ef82ee063b9d88bb9d5aa0
060428455b51a2a4fd929d9af4b94adc
b0a4acaa14ff62a9b0f4f9f0b3f01e71
fc98a6c60e8584f4deb3de793a5a7bc2
7014c9369f9724bc810ef0d191b30204
78eead725b3ae6aaef2e1030a197e417
421f159ed54eb2629afcfb337cf9a002
5bf1d5c0d820fffb219d0b4214043d2d
f27ed367b522945a5dadc748e2ca379e
3971789dbdf609b3d9bfe866361b28e3
c90589baa925157ad833093a5a7bede5
-----END OpenVPN Static key V1-----
</tls-crypt>

Keys

Grab the cert from a config here.
https://github.com/cryptostorm/cryptost ... master/ecc



Paste it into the Certificate Authority box.


Press Start.

!	Message from: parityboy
	Cleaned up image links so that they are parsed correctly.

[blurb]

Ah, should have said if you've not updated in a while this might not work. It requires a certain level of OpenVPN/OpenSSL.

Details here in df's blog post -

https://cryptostorm.is/blog/new-features