Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

HOWTO: OpenWRT Routers

Post a reply


In an effort to prevent automatic submissions, we require that you complete the following challenge.
Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek: :angel: :clap: :crazy: :eh: :lolno: :problem: :shh: :shifty: :sick: :silent: :think: :thumbdown: :thumbup: :wave: :wtf: :yawn:
BBCode is ON
[img] is ON
[flash] is OFF
[url] is ON
Smilies are ON
Topic review
   

If you wish to attach one or more files enter the details below.

Expand view Topic review: HOWTO: OpenWRT Routers

Re: HOWTO: OpenWRT Routers

by df » Thu Jan 03, 2019 7:35 pm

@FoodMaven
You need to change the "auth-user-password" line in /etc/openvpn/cstorm_linux-lisbon_udp.ovpn to point to a file containing your token (or it's hash) on the first line, and any random text on the second line.
Otherwise it'll try to prompt you for the user/pass, but since you're not running OpenVPN from an interactive terminal, it'll give you the error that you saw.

Re: HOWTO: OpenWRT Routers

by df » Thu Jan 03, 2019 7:18 pm

Notice the time/date stamp in the original post of this thread, it was started way back in 2013, so there's some outdated things here.
But at the very top of the page (and every other page here), there's the notice "Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ"
with links to https://cryptostorm.is/configs/ and https://github.com/cryptostorm/conf/
Those two are the only place you should download configs from since they're up to date.

The separate ca.crt file is indeed not needed anymore since it's embedded in all the client configs.
I'm not sure if uploading config.zip will work since not every OpenVPN web UI will recognize and automatically unzip zip files like that.
But if you can login via SSH, you can download the same zip file from there and unzip it from the terminal.

I don't know what OpenWRT firmware version you have, but the first thing you should do is check your OpenVPN version with the command `openvpn --version`
https://cryptostorm.is/configs/ has a list of the four config types and their supported OpenVPN/OpenSSL versions:
RSA - Works with OpenVPN 2.3.2 through 2.4.6, and OpenSSL 1.0.0 through 1.1.1a
ECC - Works with OpenVPN 2.4.0 through 2.4.6, and OpenSSL 1.0.1d through 1.1.1a
Ed25519/Ed448 - Requires at least OpenVPN 2.4.3 and at least OpenSSL 1.1.1

Re: HOWTO: OpenWRT Routers

by r4nz » Thu Jan 03, 2019 5:57 pm

Hi,

This thread has not been used for a while and I find the info conflicting. I hope someone still reads this.

I have downloaded and tried all of the new config files and also tried different methods provided in this thread.
Nothing seems to work.

The ca.crt file can not be downloaded. But I guess you don't need that since it's specified in the ovpn files?

I have an OpenWRT router which connects to the gateway on the wan port. br-lan has the ip I can connect to using ssh. eth0.2 has an ip that the gateway gave to it.

I want to connect a device on the lan port. I don't really need wireless. So changing the firmware is not an option. And if I understand it correctly, that method is outdated anyway.

Hopefully somebody can explain what I need to do to be able to connect.

Right now when I log in to the router using my browser, I click OpenVPN and see the different config files rsa, ecc etc. and auth.txt.
When I try to upload the config.zip file it hangs in "processing". And I would think that those servers need to be in there in order to connect to a server? Or is the cryptofree server on 1 server?

This has to work sometime because otherwise there is no use paying for the token service...

Re: HOWTO: OpenWRT Routers

by FoodMaven » Thu Mar 15, 2018 11:24 pm

Following the purpose built guide, created for me, I did the steps:

Router OpenVPN Configuration
Router Tunnel Configuration
Router Firewall Configuration
Router DNS Configuration
[create] Router Killswitch Configuration
[create] 99-killswitch file.

Additionally, I added connection to the NTP time servers via these commands:

https://www.loganmarchione.com/2015/08/ ... #Setup_NTP

uci set system.@system[0].hostname="c7main"
uci set system.@system[0].zonename="America/Los Angeles"
uci set system.@system[0].timezone="PST8PDT,M3.2.0,M11.1.0"
uci commit system

uci set system.ntp="timeserver"
uci set system.ntp.enabled="1"
uci delete system.ntp.server
uci add_list system.ntp.server="0.us.pool.ntp.org"
uci add_list system.ntp.server="1.us.pool.ntp.org"
uci add_list system.ntp.server="2.us.pool.ntp.org"
uci add_list system.ntp.server="3.us.pool.ntp.org"
uci commit system

I made one change in the steps provided:

uci set openvpn.csvpn.config='/etc/openvpn/cstorm_linux-lisbon_udp.ovpn'

as I have a paid token.

Upon rebooting both modem (first) and allowing it to come up after a few minutes and then the router (OpenWRT, OpenVPN and Cryptostorm), I could not get back online. I could access the OpenWRT (LEDE actually) Router Admin Page.

The syslog gave:

Thu Mar 15 10:59:30 2018 daemon.notice openvpn(csvpn)[1717]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Mar 15 10:59:30 2018 daemon.notice openvpn(csvpn)[1717]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Thu Mar 15 10:59:30 2018 daemon.err openvpn(csvpn)[1717]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Thu Mar 15 10:59:30 2018 daemon.notice openvpn(csvpn)[1717]: Exiting due to fatal error
Thu Mar 15 10:59:31 2018 daemon.err openvpn(cstorm_linux-lisbon_udp[1796]: Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass
Thu Mar 15 10:59:31 2018 daemon.warn openvpn(cstorm_linux-lisbon_udp[1796]: Use --help for more information.
Thu Mar 15 10:59:35 2018 daemon.notice openvpn(csvpn)[1797]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Mar 15 10:59:35 2018 daemon.notice openvpn(csvpn)[1797]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Thu Mar 15 10:59:35 2018 daemon.err openvpn(csvpn)[1797]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Thu Mar 15 10:59:35 2018 daemon.notice openvpn(csvpn)[1797]: Exiting due to fatal error

Re: HOWTO: OpenWRT Routers

by FoodMaven » Tue Mar 13, 2018 4:54 am

Active IPv4-Routes

Code: Select all

Network		Target		IPv4-Gateway	Metric		Table
wan	      0.0.0.0/0	        192.168.1.254	0		main
wan	      192.168.1.0/24		        0               main
wan	      192.168.1.254		        0               main
lan	      192.168.11.0/24		        0               main

Re: HOWTO: OpenWRT Routers

by parityboy » Tue Mar 13, 2018 3:32 am

@FoodMaven

If you go to Status->Routes->Active IPv4-Routes in the web console, what do you see?

Re: HOWTO: OpenWRT Routers

by FoodMaven » Tue Mar 13, 2018 12:38 am

root@LEDE:/# uci set firewall.@forwarding[-1].src='lan'
root@LEDE:/# uci set firewall.@forwarding[-1].dest='vpnfirewall'
root@LEDE:/# uci commit firewall
root@LEDE:/# uci set network.wan.peerdns='0'
root@LEDE:/# uci del network.wan.dns
uci: Entry not found

Does Entry not found matter? Do I proceed without the entry?

A FEW MINUTES LATER.

As an experiment, I went ahead with the configging. Internet not available after rebooting.

Re: HOWTO: OpenWRT Routers

by FoodMaven » Fri Feb 23, 2018 5:32 am

I am at a loss of words to properly express my gratitude. You are an :angel:

I'm working on it now. I'll say OK when all is OK.

Re: HOWTO: OpenWRT Routers

by parityboy » Thu Feb 22, 2018 3:17 am

@FoodMaven

OK, so I took the liberty of using VirtualBox to create two VMs, one each of OpenWRT and LEDE. Having read your post, I installed OpenVPN and (on LEDE) the luci-app-openvpn web module. That module is basically crap so ignore it, seriously.

After a few searches I found the tutorial for getting the NordVPN service running on OpenWRT/LEDE. Here is what I did, using the Cryptofree service as the target. Obviously you can modify this for paid exit nodes.

Configuration Files
1. Download the configuration file from here.
2. Download the certificate file from here.
3. Load the configuration file into a text editor.
4. Remove explicit-exit-notify 3
5. Modify the line auth-user-pass so that it reads auth-user-pass auth.txt
6. Create the file auth.txt with your credentials. Cryptofree doesn't need valid tokens but you can put them in anyway just for convenience later when you transition to a paid exit node.

Code: Select all

echo <hashed token> >auth.txt
echo rand0mstr1ng0fcharact3rs >>auth.txt
7. Copy these files to /etc/openvpn on the router.

Code: Select all

scp cryptofree_linux-udp.ovpn ca.crt auth.txt root@192.168.1.1:/etc/openvpn
Router OpenVPN Configuration (SSH into your router for this)

Code: Select all

uci set openvpn.csvpn=openvpn
uci set openvpn.csvpn.enabled='1'
uci set openvpn.csvpn.config='/etc/openvpn/cryptofree_linux-udp.ovpn'
uci commit openvpn
Router Tunnel Configuration (SSH into your router for this)

Code: Select all

uci set network.csvpntun=interface
uci set network.csvpntun.proto='none'
uci set network.csvpntun.ifname='tun0'
uci commit network
Router Firewall Configuration (SSH into your router for this)

Code: Select all

uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='csvpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall
Router DNS Configuration (SSH into your router for this)

Code: Select all

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='8.8.8.8'
uci add_list network.wan.dns='8.8.4.4'
uci commit
(uses Google DNS as an example, but you'll probably want to change it)

Router Killswitch Configuration (SSH into your router for this)
1. Use vim editor to add the following to /etc/firewall.user

Code: Select all

if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi
2. Use vim to create the file /etc/hotplug.d/iface/99-killswitch with the following content.

Code: Select all

#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
fi
Now reboot your router and when it comes back up, OpenVPN should be up and running. You can verify this by checking your IP address here. You can also check Status->Routes->Active IPv4-Routes in the web interface.

Re: HOWTO: OpenWRT Routers

by FoodMaven » Tue Feb 20, 2018 10:56 pm

At the LEDE/LuCI forum, I read that changing the .ovpn was needed. To cstorm_linux-lisbon_udp.ovpn I added the following:

auth-user-pass /tmp/auth.conf
redirect-gateway def1
auth-nocache

The router's admin page, under the VPN tab shows 4 entries

Cryptostorm
sample_server
sample_client
provider

status on CS and provider is checked enabled, but not started. Port 1194 and Protocol is UDP.

Clicking the radio buttor for CS "Start" returns no-auth in system log.

Re: HOWTO: OpenWRT Routers

by parityboy » Tue Feb 20, 2018 7:31 pm

@FoodMaven

What's your progress so far?

Re: HOWTO: OpenWRT Routers

by FoodMaven » Mon Feb 19, 2018 9:56 pm

I think it worthy of note, that after searching the OpenVPN.net Forum for the keyword: cryptostorm, that there is only one entry. That that post's request goes un-responded to is irrelevant. Believe me when I say that I'm glad CS "flies under the radar". It's why I pay, monthly, for a token I have yet to get operational. CS may be the only honorable VPN provider out there.

Thanks, you nerds.

Re: HOWTO: OpenWRT Routers

by parityboy » Sat Feb 17, 2018 5:14 pm

@FoodMaven

The username is the hashed token, as you correctly surmised. The password can be anything (since the operational model doesn't rely on it to grant access) but it must be something - whether it's a single character or a stream of random characters, it doesn't matter either way.

Re: HOWTO: OpenWRT Routers

by FoodMaven » Sat Feb 17, 2018 12:57 am

The OpenWRT page on setting up the OpenVPN shows:

touch /tmp/auth.conf
echo "YOUR_VPN_USER_NAME" > /tmp/auth.conf
echo "YOUR_VPN_PASSWORD" >> /tmp/auth.conf

I've read but cannot find at this Forum, words about you CS doesn't use a "user name" or maybe the username is the hashed token but no password? In any case, please direct me to that information.

I'm somewhat uncertain as to how long it will take to get a response, so I will return to this page in 7 days; but, Dear Sirs, if that isn't a reasonable length of time, please give me an approximate date count. Many Thanks.

Re: HOWTO: OpenWRT Routers

by parityboy » Sat Feb 10, 2018 6:02 am

FoodMaven

I can confirm that Cryptostorm does NOT support IPv6. :)

Re: HOWTO: OpenWRT Routers

by FoodMaven » Fri Feb 09, 2018 6:40 am

The last reply to this post is quite old at 2016. I have put CS's .ovpn and .crt in the OpenWRT/LuCI's /etc/openvpn. I've hashed the Token and put that string in Local Startup.

But then this post get a little cloudy. So is CS now IvP6 capable?
Do I need to use

backup-OpenWrt-2013-11-07-Cleansed.tar.gz

or is it too out of date? Does anybody know?

(I'm feeling like an idiot by now) Is this also too out of date?

https://community.hide.me/tutorials/ope ... penwrt.38/ ????

Honestly, netsearching: cryptostorm ivp6 brings up nothing.

As Mulder once said: The Truth is out there.

Re: HOWTO: OpenWRT Routers

by parityboy » Sun Sep 25, 2016 9:45 pm

@hashtable

What device is your OpenWRT firmware running on? Its it x86 compatible? If so, you could probably build a very nice router with hardware-assisted AES for not much money.

Re: HOWTO: OpenWRT Routers

by hashtable » Sat Sep 24, 2016 6:34 pm

fuck it - i've changed my attitude - vpn on local devices is probably safest method - assuming it's capable. many devices aren't - so putting it in the router allows devices to connect securly that otherwise wouldn't be able to. but the catch-22 is routers are weird, they have different firewall rules, they need to properly route the clients, and they're closer to WAN (thus more vulnerable). I'm sure an epic vpn router is theoretically possible to build with openwrt... maybe even a node of the cs network - like how isp's upload firmware onto modems, if cs could upload firmware onto routers, that'd be legit. Also time consuming. Just throwing ideas around... does anybody knows how to config openwrt proper?

Re: HOWTO: OpenWRT Routers

by hashtable » Sun Aug 07, 2016 7:05 am

Is anybody down to take this shit to the next level!!!!!


Okay . so. I've been compiling openwrt firmware for the last month or so, getting my feet wet. The process isn't that complicated, but it takes a little getting used to. First, what's the difference between compiling your own build or just downloading a vanilla from the repo (or the new LEDE fork that's making epic fixes daily)?

Performance. Perfmance. Holy shit. Yes.

Eg. i might want to include all the kernel modules for every crypographic protocol used in openwrt's openvpn file (standard for linux). I can just add that file in the same place you'd place it if running on a normal debian/unix (whatever) - and it works. Not like the shitty ** ...8**..... slow grind of a router, I mean this shit works as well as any other medium I've used it on.

Same can't be true if you downloaded the files, even the same exact ones, but you're not using an optimized custom firmware. Instead of bragging about it, how about this. Is anyone interested in a cs-storm optimized - prebuilt openwrt firmware that you can literally just install like any other openwrt (if your router's comptable) - with the proper firewall rules etc. inside?

I still need to perfect some things. And there are few caveats... I don't know exactly what I'm doing so I'm still experimenting with it. The default 'linux' 'kill ipv6' is not proper either (ipv6 is necessary to masquerade / scramble some of the information between LAN / WAN ... maybe? or at least default implementation). Also, this might be coincidence, but the cstorm router is double nat behind another openwrt router. For some reason, using an experimental sqm cake protocol double 'triple-isolate' - it creates firewall rules that.. I don't know. When I turned that off, it stopped working for a bit. (might be random).

Also, the cstorm is behind another router, and they're not connected LAN-LAN but LAN-WAN. Your cstorm router can talk to the LAN router - but the LAN router will just give the cstrom router an IP from it's address range, and the cstorm router has it's own address range (just changed like.... 192.168.1.1 to 192.168.2.1) - the second to last number basically, you use anything. I also *rarely* route traffic with the cstorm router. I might plug in 1-2 computes. *maybe* turn on wifi for a sec if I'm in another room, but usually just have like one machine plugged in at a time (not using is as a default router for roommates n shit.

One other thing I'm experimenting with involves tunneling into the csrouter from the lan router and creating a port to proxy internet traffic from either a computer / or even just a single browser into the csrouter. I'm not sure if everything is configured as best as it could, (dns website checkers just keep sending posts without any results) - but to the best of my ability to monitor traffic from various computers and both routers, it appears to be working as it properly should. The custom crypto modules that won't come default in almost any router are really what make the difference between a 'meh' connection to 'this is pretty legit'

(ps. dnscrypt-proxy + adblock which forces DNS into the dns proxy tube (which caches) means you get dnscrypt-proxy + cstorm + noleaks)

with a better ui, and because a special dnscrypt version accepts using multiple hosts, you can (prob through scripts) sync which resolver you want to use with the openvpn being activated. Using a 'balanced' or 'dynamic' config would prevent you from having a 1-1 sync with dnscrypt and the perf is much more noticable for some regions rather than others.

I haven't tried voodoo since I compiled the new firmware. Lede is probably the way to go too (openwrt fork). You can configure individual clients / address ranges to have separate dhcp / dns rules, and with some creativity you can create networks were only like... a subset of computers (by MAC / IP-range) are on cryptostorm, and the rest of the space is just normal. Because I have two routers... and I know it's possible to created tunnels between them and to create any obscure iptable rule imaginable, I'm curious what kind of setups could be possible - just within the 'lan' (or maybe ssh into a vps?) or whatever. Even though all internet goes through 1 pipe, and some of this may seem redundent, I'm convinced that ISP's are by far - without comparison, the main perpetrator entity that is using weird techniques to montitor traffic, including (probably) trivial means to trick a routers' behavior. This is my true ISP - basically that's how I think of CS

Re: HOWTO: OpenWRT Routers

by hashtable » Sat Mar 26, 2016 5:40 pm

I found a great guide on hide.me's forum - linked here. It took me a while get all the settings right - and I'd also recommend checking out some of the latest community releases if you have a router that supports those builds, everything will be optimized and compiled for the router - and the latest trunk images have a shitload more packages available. My settings basically look like this:

Code: Select all

cat >> /etc/config/openvpn << EOF
config openvpn 'cstorm'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option reneg_sec '0'
	option remote 'linux-balancer.cryptostorm.net 443'
	option comp_lzo 'adaptive'
	option nobind '1'
	option down_pre '1'
	option mssfix '1400'
	option persist_tun '1'
	option persist_key '1'
	option verb '3'
	option auth_user_pass '<path to key>'
	option ca '<path to crt>'
	option ns_cert_type 'server'
	option auth 'SHA512'
	option cipher 'AES-256-CBC'
	option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
	option reneg_sec '0'
	option tls_client '1'
	option key_method '2'
And I followed their instructions for the firewall which looks something like this:

Code: Select all

cat >> /etc/config/firewall << EOF
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option input 'ACCEPT'

config zone
    option name 'cstorm'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'cstorm'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'cstorm'
    option src 'lan'
EOF
Something like that.. I turned off ipv6 where possible - I'm not doing using resolv-random so that I can sync the DNS properly (dnscrypt-proxy works great). Before I found that guide - I could get cryptostorm to work like 25% of the time - but now I'm getting better at it. 'comp-lzo' makes it reeaaalllyyy slow - removing it or changing the option to 'adaptive' seems to fix that. Also it seems to like the 'persist-tun' and 'persist-key' options. You could also try to retry infinite? But it works pretty good - especially on a build that has a version of openvpn optimized for the router precompiled.

Oh don't forget to add the key and crt files, chmod 600 the key.

Re: HOWTO: OpenWRT Routers

by DesuStrike » Fri Feb 07, 2014 8:02 pm

CrypotStorm is purely IPv4 (at the moment). If some IPv6 traffic is to happen you would basically bypass the VPN and surf unencrypted thus revealing your identity and contents.

Re: HOWTO: OpenWRT Routers

by Guest » Fri Feb 07, 2014 4:41 pm

Is there any particular reason you're blocking IPv6 addresses?

Not critique per se, just genuinely curious.

HOWTO: OpenWRT Routers

by Lignus » Thu Nov 07, 2013 7:50 am

note: this configuration will also block all IPv6 network traffic at the router level, to protect against out-of tunnel information transmission.


OK, not quite a "how-to" - more of a "mostly already preconfigured for you."

I did this setup on a Ubiquity Nanostation Loco M2. It has a single WLAN and a single LAN. I am using the ethernet port as the WAN and the WiFi was the LAN side. I have configured the setup using bridge interfaces, so all you need to do is add and remove physical interfaces to the virtual WAN or LAN bridge and you are now configured exactly how you want.

You will need to do some reconfiguration after installation. The WiFi SSID is OpenWrt and the password is changeme. I also set the WiFi to 10dbm to give it broad compatibility and not overload anyone's radio, this means you had better be close when you initially configure it.

The LAN subnet is 10.13.37.0/24. This is unlikely to be in use on the WAN side and I thought I may as well have a little fun adding a 1337 in there somewhere. The DHCP server will assign you 8.8.8.8 and 8.8.4.4 as your DNS servers, if anyone has a better idea for default DNS servers, let me know.

Speed is not ideal, but it is very usable. The 400MHz Atheros chipset in my device can push about 5MBps over the OpenVPN link to Cryptostorm:
Image
The upload is limited by my own 1MBps upload combined with the VPN overhead.

I ran some popular torrents and averaged about 350K/sec down and 30K/sec up simultaneously.

If you want more speed, you are going to have to go with a more powerful router.
Image
I tested with OpenWRT on an old AMD powered laptop with a second USB NIC(Exact config I am posting, just replaced wifi with ethernet) and my results were consistently 20% below my line speed. That is, I have a 10/1 and going through the VPN I get 8/0.8. Ran some popular torrents off the bay and managed a solid 975K/sec download rate. I would recommend throttling things, because it saturated the link and my ping times effectively tripled. Considering the OpenVPN process never peaked above 16% CPU (versus 50% on the Atheros router), if my connection were fast enough I could easily push 25MBps real throughput(31MBps inc overhead), assuming a linear scale and capping out at 50% cpu.

Setting up a new router consists of the following steps:
  1. Load OpenWRT (See specific guides for your router)
  2. Telnet into the router
    • passwd -- set your root passwd
    • reboot - lets router initialize SSH
  3. SSH into router and change the IP settings so it can access the internet. The following example is based on your home router having an IP of 192.168.1.254.
    • ifconfig br-lan 192.168.1.253
  4. Your SSH session will freeze because the router has a new IP, close it and reopen it to 192.168.1.253 to continue
    • route add default gw 192.168.1.254
    • echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
    • opkg update
    • opkg install luci
    • opkg install openvpn-openssl
    • /etc/init.d/uhttpd start
    • /etc/init.d/uhttpd enable
  5. Your web-ui is now setup and accessible at http://192.168.1.253
    • Once logged in (root/password you set earlier), go to System-->Backup/Flash Firmware
    • Browse for the config backup attached to this post, and restore the backup from the flash
  6. Once booted again, your router will be broadcasting a Wireless Access point with the SSID 'OpenWrt' and a password of 'changeme'. Connect to the access point.
  7. Open your browser to http://10.13.37.1 and login with root/password you set earlier
  8. Go to System-->Startup
  9. Scroll down to the bottom of the page and in the text box and replace 'your_lowercase_SHA512_hash_goes_here' with your Token Hash.
  10. You can leave the lines there after the router reboots, or delete them.
  11. Change your WiFi settings to whatever your preference is.
  12. Done! :)
Here is the startup script that sets firewall rules every boot. It blocks all IPv6 traffic and makes the router nearly a black hole. With this configuration, there should be virtually no way into the router other than SSH and HTTP on the LAN side(The part you physically control).

Critiques of my iptables rules are very much welcome. I do not claim to be an expert and could have missed something.

Code: Select all

# This will place your username and password in a file to be read by the OpenVPN client and auto-connect.
# You can remove or comment out these lines after the first reboot with the correct value.

echo your_lowercase_SHA512_hash_goes_here > /etc/config/openvpn.key
echo 93b66e7059176bbfa418061c5cba87dd >> /etc/config/openvpn.key
chmod 600 /etc/config/openvpn.key

# FLUSH (clear) any IPv6 rules
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -F

# DROP all IPv6 traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# ALLOW two-way traffic from LAN to VPN
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


# ***************************************************************************#
# DROP all traffic to the WAN that originates from the LAN clients #
#     This prevents LAN traffic from going out unencrypted!              #
# ***************************************************************************#
iptables -I FORWARD -i br-lan -o br-wan -j DROP
iptables -I FORWARD -i br-wan -o br-lan -j DROP

# ALLOW NAT to VPN
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# ALLOW HTTP, SSH, and DHCP access to router only over LAN interface
iptables -A INPUT -p tcp -i br-lan --dport 80 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p tcp -i br-lan --dport 22 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 68 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 67 -j ACCEPT

# ALLOW solicited traffic on WAN/VPN interface
iptables -A INPUT -i br-wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT



# DROP unsolicited traffic on ALL interfaces
iptables -A INPUT -i br-lan -j DROP
iptables -A INPUT -i br-wan -j DROP
iptables -A INPUT -i tun0 -j DROP

# REJECT all other access to router, prevents any services being pulled from router to possibly leak over WAN (DNS) - Probably a redundant rule
iptables -A INPUT -d 10.13.37.1 -j REJECT

# Connect to OpenVPN using openvpn.conf with the username and password stored in openvpn.key
openvpn --config /etc/config/openvpn.conf --auth-user-pass /etc/config/openvpn.key &

exit 0
Attachments
backup-OpenWrt-2013-11-07-Cleansed.tar.gz
(7.68 KiB) Downloaded 871 times

Top