
HOW-TO: Tomato router setup


Topic Author
timusan
Posts: 15
Joined: Mon Feb 10, 2014 9:27 am
Contact:

HOW-TO: Tomato router setup

Postby timusan » Tue Feb 11, 2014 2:17 pm

Hi everyone

After some fiddling around with my newly flashed Tomato router and with the nice help of the gurus from Cryptostorm, I thought it would be nice to share the information with anyone who would like to use Cryptostorm Darknet with their Tomato install.

Using roughly the same approach as with the DD-WRT router setup, here is a visual guide.
Note: This guide is written for the Tomato USB build version 1.28 (20 January 2014) flashed onto the Asus RT-N66U router, but should be applicable to most recent Tomato builds.

Also note: This is an un-tuned setup, just tweaked enough to get a decent connection with a Tomato flashed router. Any constructive comments and suggestions to make this a better setup are welcome.
This thread is intended to get the most out of Tomato/Cryptostorm combinations.

First, go to your router's web based admin panel and from the left menu choose "VPN Tunneling" > "OpenVPN Client"

1. Basic tab

basic.png


--- "Start with WAN" - Tick the box to start your VPN connection when your WAN activates
--- "Interface Type" - Set this to TUN
--- "Protocol" - Set this to UDP
--- "Server Address/Port" - Set the server to the general balancer or to your favorite exitnode cluster, the port has to be set to 443
--- "Firewall" - Set this to automatic or punch in your own firewall rules
--- "Authorization Mode" - Set this to TLS
--- "Username/Password Authentication" - As unintuitive as it may sound, leave this one off. You would normally enter your hashed token in the username field, but the hash does not fit in the input and will get cut off. We have to load this via a separate file later.
--- "Extra HMAC authorization (tls-auth)" - Leave this one off
--- "Create NAT on tunnel" - Set this on

2. Advanced tab

advanced.png


--- "Poll Interval" - Leave this at 0, meaning disabled
--- "Redirect Internet traffic" - Set this on
--- "Accept DNS configuration" - Set this to strict
--- "Encryption cipher" - Set this to AES-256-CBC
--- "Compression" - Set this to Adaptive
--- "TLS Renegotiation Time" - Leave this at -1, defaults to 20 minutes
--- "Connection retry" - Leave this at -a, defaults to infinite
--- "Verify server certificate (tls-remote)" - Leave this off
--- "Custom Configuration" - Here we have to re-enable some settings that were not possible through the interface, enter the following lines:


ns-cert-type server
auth SHA512
auth-user-pass /jffs/password.txt
hand-window 17
replay-window 128 30


Take special note of "auth SHA512" and "auth-user-pass /jffs/password.txt". The first one sets the encryption scheme, which you cannot set through the interface.
The second one is where we tell OpenVPN to load the username/password combo from an external plain text file. In my setup, I enabled the JFFS file system so my password file would be saved between router reboots.
The OpenVPN password file needs the username to be on the first line and the password on the second. Since Cryptostorm only uses a "username" you only need to enter your hashed token on the first line and save the file.
Also make sure to make this file only readable for root.

Now, normally, when loading the password from an external file, you should also set the "auth-nocache" setting so the password is not stored in memory. Unfortunately this triggers a known bug in OpenVPN where the first time you will be able to connect, but after a TLS renegotiation happens, it will fail to load your token (the username) and drop the connection with the error: "ERROR: could not read Auth username from stdin".

3. Keys tab

keys.png


The only thing you have to enter here is the CA certificate from Cryptostorm.

That is it, with these settings you should be able to get a working Cryptostorm enabled Tomato router.

Again, any comments or suggestions are welcome, just shoot!

Cheers
Tim
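As an added example that is not part of Tim's post: a small POSIX shell script that builds the credentials file which `auth-user-pass /jffs/password.txt` points at, laid out the way the post describes it (hashed token on the first line), with the root-only permissions the post calls for, and then verifies the result. The function names, the placeholder second line and the reading of the token from stdin are my choices, not anything the post or Tomato prescribes; run it on the router as root (Tomato's busybox sh) so the file ends up owned by root.

```shell
#!/bin/sh
# Added example, not from the forum post. Creates the OpenVPN credentials file
# for "auth-user-pass /jffs/password.txt" and locks it down to the owner (root
# when run on the router), then checks both the layout and the permissions.

# write_auth_file DIR
#   Reads the hashed token from the first line of stdin (typed interactively,
#   so it lands neither in the process list nor in shell history) and writes
#   DIR/password.txt:
#     line 1: username  -> the hashed token
#     line 2: password  -> placeholder; cryptostorm only uses the username
#   Prints the path on success, returns non-zero on failure.
write_auth_file() {
    dir="$1"
    file="$dir/password.txt"
    IFS= read -r token || return 1
    [ -n "$token" ] || return 1
    # umask 077 inside a subshell: the file is created 0600 from the start,
    # so there is no window in which another local user could read it.
    ( umask 077; printf '%s\n%s\n' "$token" "unused" > "$file" ) || return 1
    chmod 600 "$file" || return 1      # no-op for a new file; fixes a pre-existing one
    check_auth_file "$file" || return 1
    printf '%s\n' "$file"
}

# check_auth_file FILE
#   Returns 0 only if FILE is a regular file with mode 0600 (-rw-------),
#   a non-empty first line (the token) and exactly two lines.
check_auth_file() {
    file="$1"
    [ -f "$file" ] || return 1
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    [ -n "$(sed -n '1p' "$file")" ] || return 1
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" = "2" ] || return 1
    return 0
}

# Usage on the router (as root, with /jffs enabled so the file survives reboots):
#   sh make-auth-file.sh /jffs      # then paste the hashed token and press Enter
if [ "$#" -eq 1 ]; then
    write_auth_file "$1"
fi
```

The permission check deliberately looks at the mode string from `ls -ld` rather than a `stat` flag, because busybox and GNU `stat` take different options while the `ls` mode column is the same everywhere. Re-run `check_auth_file /jffs/password.txt` after any firmware upgrade or JFFS re-format to confirm the file is still 0600.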


geoale66
Posts: 1
Joined: Mon Dec 29, 2014 9:23 am

Re: HOW-TO: Tomato router setup

Postby geoale66 » Tue Dec 30, 2014 12:29 am

Hi, how do I load my token (already converted to a username via the tool)?


Fermi
Site Admin
Posts: 226
Joined: Tue Jun 17, 2014 11:42 am

Re: HOW-TO: Tomato router setup

Postby Fermi » Wed Dec 31, 2014 1:56 pm

On IRC, you wrote:

02:52:22 --> | web_83944 (web_83944@cryptostorm.is) has joined #cryptostorm
02:53:02 web_83944 | Hi guys! I am still trying to setup my connection, and haven't had any luck with the tomato router guide in the forum. I have the hash file converted from my token, I am using it as username in the interface, I already downloaded the CA.crt key that I found as most recent. I am using uscentral.cryptostorm.nu port 443 as my exit node, under UDP protocol. I wonder what I am missing. I don't know if should use vpn keys (client certificate or client key). I would be grateful if you can help me, since my vpn client can't be started.
02:53:40 web_83944 | thanks for your comments
02:58:51 web_83944 | I think nobody is there available, I will try my post later

ca.crt is the pre-HB certificate, if you want to connect to uscentral.cryptostorm.nu, you'll need the post-HB one:


-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


dfkt
Site Admin
Posts: 13
Joined: Thu Jan 29, 2015 2:29 pm

Re: HOW-TO: Tomato router setup

Postby dfkt » Fri Jan 30, 2015 6:00 pm

I set up Cryptostorm on my Asus RT-N16 running Tomato-USB 1.28. My custom config is here: http://paste.debian.net/plain/143048 (I simply took a default config and commented everything out that would give errors.) I also tried it with the same config as in the original post above. Those configs really don't make much of a difference, speed-wise.

Unfortunately, the connection is really slow, despite the N16 being a fairly powerful router for a consumer device (http://wiki.openwrt.org/toh/asus/rt-n16). The attached screenshot shows my speed with Cryptostorm running on the router, in comparison to running the Cryptostorm widget on Windows, and with direct connection to the internet (the two lines with the red frames).

Is it possible to improve the speed of Cryptostorm running on my router, or am I stuck with running a client/widget on each machine in my LAN?

Or should I look at other router firmwares, maybe? Is it known if eg. DD-WRT or OpenWRT have better performance than Tomato-USB?

Thanks in advance for any help.

EDIT: here's a log from the router: http://paste.debian.net/plain/143049
Attachment: 2015-01-30_134247.png


Fermi
Site Admin
Posts: 226
Joined: Tue Jun 17, 2014 11:42 am

Re: HOW-TO: Tomato router setup

Postby Fermi » Fri Jan 30, 2015 6:16 pm

dfkt,

Can you trace CPU usage in Tomato?
You will probably see that your CPU is the bottleneck when using OpenVPN on the router.

Regards,

/Fermi


dfkt
Site Admin
Posts: 13
Joined: Thu Jan 29, 2015 2:29 pm

Re: HOW-TO: Tomato router setup

Postby dfkt » Fri Jan 30, 2015 6:34 pm

Thanks for the reply, Fermi.

You're right. So there's nothing I can do, I suppose.

There's no way to run Cryptostorm over PPTP instead of OpenVPN, I guess - sacrificing stronger encryption for better performance?
Attachment: 2015-01-30_143030.png


dfkt
Site Admin
Posts: 13
Joined: Thu Jan 29, 2015 2:29 pm

Re: HOW-TO: Tomato router setup

Postby dfkt » Sat Jan 31, 2015 12:30 am

Ok, just read the tweet about PPTP 'security'... no more questions regarding that matter. ;^)

https://twitter.com/cryptostorm_is/stat ... 8482575360


Fermi
Site Admin
Posts: 226
Joined: Tue Jun 17, 2014 11:42 am

Re: HOW-TO: Tomato router setup

Postby Fermi » Sat Jan 31, 2015 3:26 pm

dfkt,

Indeed, there's nothing much you can do on the CPU part I'm afraid.

/Fermi


Raka74
Posts: 11
Joined: Sun Mar 29, 2015 10:24 pm

Re: HOW-TO: Tomato router setup

Postby Raka74 » Fri Dec 11, 2015 2:25 pm

Hi all,

I'm running Advanced Tomato 1.28.0000 -3.0-132 K26ARM USB AIO-64K on an RT-AC68U.

The config as described above works great but I want to go through VPN only on certain hosts.

Can I check 'Ignore redirect gateway' on the advanced tab:

https://www.dropbox.com/s/st4csz9myrr6j ... 4.png?dl=0

And then on the Routing Policy tab add ip addresses?

https://www.dropbox.com/s/he1xq9ub04vjo ... 8.png?dl=0


Or is this not the correct way to do this?


Raka74
Posts: 11
Joined: Sun Mar 29, 2015 10:24 pm

Re: HOW-TO: Tomato router setup

Postby Raka74 » Sat Dec 12, 2015 2:50 pm

A reply to myself with a new question.

The above seems to work fine, with 'Ignore redirect Gateway' (route-nopull) checked only the client I specified on the 'Routing Policy' (from source IP) tab is using VPN.

When I take a look on ipleak.net though I see that the machine using VPN is still using my ISP's DNS server (dnsleak?)

Is there any way to prevent this? Like adding the DNS option to the 'custom configuration'?

In the meantime I have just setup manual DNS with Opennic servers...


dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: HOW-TO: Tomato router setup

Postby dccc » Sat Apr 16, 2016 5:28 pm

Any solution on that matter? I'm about to use an Asus RT-N66U with AdvancedTomato firmware and would greatly appreciate the CS deepDNS feature.


tom user

Re: HOW-TO: Tomato router setup

Postby tom user » Mon Apr 18, 2016 12:55 am

Hi. Have you tried adding the DNS addresses manually?

Basic - Network - Wan settings.

Take your picks from the list below.

https://github.com/cryptostorm/cstorm_d ... 5bab4d198d


parityboy
Site Admin
Posts: 1234
Joined: Wed Feb 05, 2014 3:47 am

Re: HOW-TO: Tomato router setup

Postby parityboy » Mon Apr 18, 2016 11:19 pm

@dccc

Have a look at this list. You can enter the IPs into your router or your PC, but ignore the listed port number - they also answer on port 53 for standard DNS requests.


dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: HOW-TO: Tomato router setup

Postby dccc » Tue Apr 19, 2016 12:01 am

Thanks for the heads up! Today I had the chance to flash the router to the latest (stable) AdvancedTomato firmware. No problems with DNS settings (set as 'strict'). No leaks, beautiful CS deepDNS. The problem now is the router itself: Asus RT-N66U with 600Mhz CPU is too slow to handle reasonably fast VPN speeds.


parityboy
Site Admin
Posts: 1234
Joined: Wed Feb 05, 2014 3:47 am

Re: HOW-TO: Tomato router setup

Postby parityboy » Tue Apr 19, 2016 2:41 pm

@dccc

You could always look into one of the EdgeRouters from Ubiquiti Networks, EdgeRouter Lite maybe?


user5

Re: HOW-TO: Tomato router setup

Postby user5 » Sat Jan 21, 2017 10:40 pm

Sorry to revive a dead post but is anyone able to get any of the balancers working with Tomato? I can get any standard one to work but none of the balancers. It will show status as working but it isn't connected.


parityboy
Site Admin
Posts: 1234
Joined: Wed Feb 05, 2014 3:47 am

Re: HOW-TO: Tomato router setup

Postby parityboy » Sun Jan 22, 2017 7:56 am

user5 wrote:
    Sorry to revive a dead post but is anyone able to get any of the balancers working with Tomato? I can get any standard one to work but none of the balancers. It will show status as working but it isn't connected.


Tomato should be set to use linux-balancer.cryptostorm.net. What do the logs show?


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: HOW-TO: Tomato router setup

Postby AnonAsPossible » Sun Jul 15, 2018 2:19 am

I know this is an old thread. Suppose it's better to keep all things Tomato in 1 thread.

Has anyone been able to run the new 'ECC' config on a Tomato router? I tried changing the obvious differences, but it wouldn't work.

If someone is able to get 'ECC' running on their Tomato router, could you post the settings here? Thanks

