After some fiddling around with my newly flashed Tomato router and with the nice help of the guru's from Cryptostorm, I thought it would be nice to share the information with anyone who would like to use Cryptostorm Darknet with their Tomato install.
Using roughly the same approach as with the DD-WRT router setup, here is a visual guide.
Note: This guide is written for the Tomato USB build version 1.28 (20 January 2014) flashed onto the Asus RT-N66U router, but should be applicable to most recent Tomato builds.
Also note: This is a un-tuned setup, just tweaked enough to get a decent connection with a Tomato flashed router. Any constructive comments and suggestions to make this a better setup are welcome.
This thread is intended to get the most out of Tomato/Cryptostorm combinations.
First, go to your routers web based admin panel and from the left menu choose "VPN Tunneling" > "OpenVPN Client"
1. Basic tab
--- "Start with WAN" - Tick the box to start your VPN connection when your WAN activates
--- "Interface Type" - Set this to TUN
--- "Protocol" - Set this to UDP
--- "Server Address/Port" - Set the server to the general balancer or to your favorite exitnode cluster, the port has to be set to 443
--- "Firewall" - Set this to automatic or punch in your own firewall rules
--- "Authorization Mode" - Set this to TLS
--- "Username/Password Authentication" - As unintuitive as it may sound, leave this one off. You would normally enter your hashed token in the username field, but the hash does not fit in the input and will get cut off. We have to load this via a seperate file later.
--- "Extra HMAC authorization (tls-auth)" - Leave this one off
--- "Create NAT on tunnel" - Set this on
2. Advanced tab
--- "Poll Interval" - Leave this at 0, meaning disabled
--- "Redirect Internet traffic" - Set this on
--- "Accept DNS configuration" - Set this to strict
--- "Encryption cipher" - Set this to AES-256-CBC
--- "Compression" - Set this to Adaptive
--- "TLS Renegotiation Time" - Leave this at -1, defaults to 20 minutes
--- "Connection retry" - Leave this at -a, default to infinite
--- "Verify server certificate (tls-remote)" - Leave this off
--- "Custom Configuration" - Here we have to renable some settings that where not possible through the interface, enter the following lines:
Code: Select all
replay-window 128 30
Take special note of "auth SHA512" and "auth-user-pass /jffs/password.txt". The first one sets the encryption scheme, which you cannot set through the interface.
The second one is where we tell OpenVPN to load the username/password combo from an external plain text file. In my setup, I enabled the JFFS file system so my password file would be saved between router reboots.
The OpenVPN password file needs the username to be on the first line and the password on the second. Since Cryptostorm only uses a "username" you only need to enter your hashed token on the first line and save the file.
Also make sure to make this file only readable for root.
Now, normally, when loading the password from an external file, you should also set the "auth-nocache" setting so the password is not stored in memory. Unfortunately this triggers a known bug in OpenVPN where the first time you will be able to connect, but after a TLS renegotiation happens, it will fail to load your token (the username) and drop the connection with the error: "ERROR: could not read Auth username from stdin".
3. Keys tab
The only thing you have to enter here is the CA certificate from Cryptostorm.
That is it, with these settings you should be able to get a working Cryptostorm enabled Tomato router.
Again, any comments or suggestions are welcome, just shoot!