
Freshtomato Firmware, ECC.

Topic Author
blurb
Posts: 24
Joined: Fri Dec 29, 2017 4:42 pm

Freshtomato Firmware, ECC.

Post by blurb » Tue Oct 16, 2018 9:41 pm

Has anyone set up their Tomato router to work properly since the upgrade, to work with ECC? If so, could you please share the setup?

Kille72 'Freshtomato' 2018.4

Code:

# uname -a
Linux unknown 2.6.36.4brcmarm #2 SMP PREEMPT Mon Sep 10 22:01:30 CEST 2018 armv7l Tomato


# openssl version && openvpn --version

OpenSSL 1.0.2p 14 Aug 2018
OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 10 2018
library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir=/lib with_sysroot=no


I'd upload PrtSc's of my set up, but it's a faff - so am trying the direct and mindless question first. Truth be told, I'm completely pissed off with it. I fucking hate openvpn. It's too fucking complicated. Bring on wireguard, can't come soon enough.


Topic Author
blurb
Posts: 24
Joined: Fri Dec 29, 2017 4:42 pm

Re: Freshtomato Firmware, ECC.

Post by blurb » Wed Oct 17, 2018 12:30 am

Got to say, this upgrade has ruined my experience of Cryptostorm after an easy 4 years of it just ticking away almost without fault :/ I have tried so many combinations without any luck today. I just don't know what the fuck to do to make it work.

*deep breath*.

Here is my current broken config as it appears in the gui, another failed attempt to translate from this file:
https://github.com/cryptostorm/cryptost ... k_UDP.ovpn

Basic - [screenshot; image link broken]

Advanced - [screenshot; image link broken]

(for good measure) Keys. [screenshot; image link broken]

Here's the log on trying to start it.

Code:

Oct 16 21:24:02 unknown daemon.notice openvpn[8385]: Current Parameter Settings:
Oct 16 21:24:02 unknown daemon.notice openvpn[8385]:  config = 'config.ovpn'
Oct 16 21:24:02 unknown daemon.notice openvpn[8385]:  mode = 0
Oct 16 21:24:02 unknown daemon.notice openvpn[8385]: NOTE: --mute triggered...
Oct 16 21:24:02 unknown daemon.notice openvpn[8385]: 227 variation(s) on previous 3 message(s) suppressed by --mute
Oct 16 21:24:02 unknown daemon.notice openvpn[8385]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 10 2018
Oct 16 21:24:02 unknown daemon.notice openvpn[8385]: library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Oct 16 21:24:02 unknown daemon.warn openvpn[8389]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Outgoing Control Channel Authentication: Using 384 bit message hash 'SHA384' for HMAC authentication
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Incoming Control Channel Authentication: Using 384 bit message hash 'SHA384' for HMAC authentication
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA384,keysize 256,tls-auth,key-method 2,tls-client'
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA384,keysize 256,tls-auth,key-method 2,tls-server'
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.212.169.142:5060
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Socket Buffers: R=[120832->120832] S=[120832->120832]
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: UDP link local: (not bound)
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: UDP link remote: [AF_INET]185.212.169.142:5060
Oct 16 21:24:03 unknown user.notice vpnrouting[8390][tun12]: Clean-up
Oct 16 21:24:07 unknown daemon.err openvpn[8389]: event_wait : Interrupted system call (code=4)
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: OpenVPN STATISTICS
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: Updated,Tue Oct 16 21:24:07 2018
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: TUN/TAP read bytes,0
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: TUN/TAP write bytes,0
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: TCP/UDP read bytes,0
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: TCP/UDP write bytes,140
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: Auth read bytes,0
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: END
Oct 16 21:25:02 unknown daemon.err openvpn[8389]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 16 21:25:02 unknown daemon.err openvpn[8389]: TLS Error: TLS handshake failed
Oct 16 21:25:02 unknown daemon.notice openvpn[8389]: TCP/UDP: Closing socket
Oct 16 21:25:02 unknown daemon.notice openvpn[8389]: SIGUSR1[soft,tls-error] received, process restarting
Oct 16 21:25:02 unknown daemon.notice openvpn[8389]: Restart pause, 5 second(s)

I throw myself at your collective feet. Save me! How do I make that fucking handshake work? My network connectivity is fine, just way too bareback for my liking.


Topic Author
blurb
Posts: 24
Joined: Fri Dec 29, 2017 4:42 pm

Re: Freshtomato Firmware, ECC.

Post by blurb » Wed Oct 17, 2018 2:27 am

FAO @df

Getting closer. With the static key in the extended config, explicitly setting AES-256-GCM, and comp-lzo too (was getting a "write to TUN/TAP : Invalid argument (code=22)" error that a search revealed to be a bug which recommended that as a workaround), it's getting as far as pulling in the DNS...but still no cigar. No ping from laptop or router direct...still, feels like progress.

Here's the logs for me to pester you with. My hopelessness is lifting a little.

Code:

Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: OpenVPN STATISTICS
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: Updated,Tue Oct 16 23:12:27 2018
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: TUN/TAP read bytes,0
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: TUN/TAP write bytes,0
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: TCP/UDP read bytes,3211
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: TCP/UDP write bytes,1375
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: Auth read bytes,0
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: pre-compress bytes,0
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: post-compress bytes,0
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: pre-decompress bytes,0
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: SENT CONTROL [cryptostorm server]: 'PUSH_REQUEST' (status=1)
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,dhcp-option DNS 185.212.169.139,route-gateway 10.66.2.1,topology subnet,ping 20,ping-restart 60,ifconfig 10.66.2.10 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: NOTE: --mute triggered...
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: 8 variation(s) on previous 3 message(s) suppressed by --mute
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: TUN/TAP device tun12 opened
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: TUN/TAP TX queue length set to 100
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: /sbin/ifconfig tun12 10.66.2.10 netmask 255.255.255.0 mtu 1500 broadcast 10.66.2.255
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: updown.sh tun12 1500 1553 10.66.2.10 255.255.255.0 init
Oct 16 23:12:31 unknown daemon.info dnsmasq[13399]: exiting on receipt of SIGTERM
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: started, version 2.80test6 cachesize 4096
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper no-auth DNSSEC no-ID loop-detect inotify no-dumpfile
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: asynchronous logging enabled, queue limit is 5 messages
Oct 16 23:12:32 unknown daemon.info dnsmasq-dhcp[13619]: DHCP, IP range 192.168.1.2 -- 192.168.1.51, lease time 1d
Oct 16 23:12:32 unknown daemon.notice openvpn[13485]: /sbin/route add -net 185.212.169.142 netmask 255.255.255.255 gw 195.166.130.255
Oct 16 23:12:32 unknown daemon.notice openvpn[13485]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.66.2.1
Oct 16 23:12:32 unknown daemon.notice openvpn[13485]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.66.2.1
Oct 16 23:12:32 unknown daemon.notice openvpn[13485]: Initialization Sequence Completed
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: reading /etc/resolv.dnsmasq
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: using nameserver 10.31.33.7#53
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: using nameserver 185.212.169.139#53
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: using nameserver ***.***.***.***#53
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: using nameserver ***.***.***.***#53
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: read /etc/hosts - 2 addresses
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: read /etc/dnsmasq/hosts - 5 addresses
Oct 16 23:12:32 unknown daemon.info dnsmasq[13619]: read /etc/dnsmasq/dhcp-hosts - 0 addresses
Oct 16 23:12:32 unknown daemon.info dnsmasq-dhcp[13619]: read /etc/dnsmasq/hosts
Oct 16 23:12:32 unknown daemon.info dnsmasq-dhcp[13619]: read /etc/dnsmasq/dhcp-hosts

For good measure, here's the extended conf as it stands...(WORK IN PROGRESS, DO NOT COPY FELLOW TOMATO USERS)

Code:

resolv-retry 16
remote-cert-tls server
verb 4
mute 3
auth-nocache
comp-lzo
cipher AES-256-GCM
auth-user-pass /jffs/password.txt
tls-version-max 1.2
dhcp-option DNS 10.31.33.7

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
4875d729589689955012a2ee77f180ec
b815c4a336c719c11241a058dafaae00
806bbc21d5f1abad085341a3fca4b4f9
3949151c2979b4ee4390e8d9443acb00
61d537f1e9157e45f542c3648f563305
05f3eaff97ef82ee063b9d88bb9d5aa0
060428455b51a2a4fd929d9af4b94adc
b0a4acaa14ff62a9b0f4f9f0b3f01e71
fc98a6c60e8584f4deb3de793a5a7bc2
7014c9369f9724bc810ef0d191b30204
78eead725b3ae6aaef2e1030a197e417
421f159ed54eb2629afcfb337cf9a002
5bf1d5c0d820fffb219d0b4214043d2d
f27ed367b522945a5dadc748e2ca379e
3971789dbdf609b3d9bfe866361b28e3
c90589baa925157ad833093a5a7bede5
-----END OpenVPN Static key V1-----
</tls-crypt>

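The two logs in this thread show the same client before and after its control-channel settings were sorted out: the first attempt (tls-auth in the options string) times out waiting for the TLS handshake with zero bytes read back, the second reaches "Initialization Sequence Completed" and gets AES-256-GCM pushed by the server. The following is an added example, not code from the thread, from cryptostorm or from the FreshTomato project: a small Python triage script that parses FreshTomato-style syslog lines, compares the "Local" and "Expected Remote" option strings (ignoring the keydir and tls-client/tls-server swap that is normal between peers), records the PUSH_REPLY, and summarises why a session failed. The sample logs are constructed from the lines posted above (dnsmasq noise left in to show it is skipped); the `Report` class, the finding wording and the observation that a peer silently drops control packets that fail its tls-auth/tls-crypt check are this example's own.

```python
"""Triage of OpenVPN client logs like the ones pasted in this thread (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Syslog prefix FreshTomato puts in front of every line:
# "Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: <message>"
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+ openvpn\[\d+\]: (?P<msg>.*)$")
OPTS_RE = re.compile(r"^(?P<which>Local|Expected Remote) Options String \(VER=V4\): '(?P<opts>[^']*)'")
PUSH_RE = re.compile(r"^PUSH: Received control message: 'PUSH_REPLY,(?P<opts>[^']*)'")
STAT_RE = re.compile(r"^TCP/UDP read bytes,(?P<n>\d+)$")

# The only fields that should differ between the client's own options string and
# the one it expects from the server: key direction and the client/server role.
EXPECTED_ASYMMETRY = {"keydir", "tls-client", "tls-server"}


@dataclass
class Report:                                      # hypothetical container, this example's own
    local: dict = field(default_factory=dict)      # client's own options string
    expected: dict = field(default_factory=dict)   # what it expects the server to present
    pushed: dict = field(default_factory=dict)     # options received in PUSH_REPLY
    read_bytes: Optional[int] = None               # "TCP/UDP read bytes" from the statistics dump
    handshake_failed: bool = False
    completed: bool = False


def parse_options_string(s):
    """'V4,dev-type tun,cipher AES-256-CBC,tls-auth,...' -> {'dev-type': 'tun', 'cipher': ..., 'tls-auth': True}.
    A repeated key (several dhcp-option entries) keeps the last value; enough for triage."""
    out = {}
    for tok in s.split(","):
        tok = tok.strip()
        if not tok or tok == "V4":
            continue
        key, _, val = tok.partition(" ")
        out[key] = val or True
    return out


def parse_log(text):
    rep = Report()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # dnsmasq, vpnrouting and other daemons are skipped
        msg = m.group("msg")
        if (o := OPTS_RE.match(msg)):
            target = rep.local if o.group("which") == "Local" else rep.expected
            target.update(parse_options_string(o.group("opts")))
        elif (p := PUSH_RE.match(msg)):
            rep.pushed = parse_options_string(p.group("opts"))
        elif (s := STAT_RE.match(msg)):
            rep.read_bytes = int(s.group("n"))
        elif msg.startswith("TLS Error: TLS key negotiation failed"):
            rep.handshake_failed = True
        elif msg == "Initialization Sequence Completed":
            rep.completed = True
    return rep


def control_channel_wrapper(rep):
    """Control-channel protection the client itself advertises in its options string."""
    return next((w for w in ("tls-crypt", "tls-auth") if w in rep.local), None)


def option_mismatches(rep):
    """Keys whose local and expected-remote values differ, ignoring the normal role swap."""
    keys = (set(rep.local) | set(rep.expected)) - EXPECTED_ASYMMETRY
    return sorted(k for k in keys if rep.local.get(k) != rep.expected.get(k))


def triage(rep):
    findings = []
    if rep.handshake_failed and rep.read_bytes == 0:
        findings.append(
            "handshake timed out and 0 bytes came back: the server never replied. Control packets "
            "that fail the %s check are dropped silently, so confirm the wrapper type and key match "
            "the server's before suspecting the network." % (control_channel_wrapper(rep) or "tls-auth/tls-crypt"))
    if mm := option_mismatches(rep):
        findings.append("local vs expected-remote options differ on: " + ", ".join(mm))
    if rep.completed:
        findings.append("session established; pushed cipher %s, dhcp-option %s"
                        % (rep.pushed.get("cipher"), rep.pushed.get("dhcp-option")))
    return findings


# Constructed samples, trimmed from the logs posted in this thread.
FAILED_SAMPLE = """\
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA384,keysize 256,tls-auth,key-method 2,tls-client'
Oct 16 21:24:02 unknown daemon.notice openvpn[8389]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA384,keysize 256,tls-auth,key-method 2,tls-server'
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: TCP/UDP read bytes,0
Oct 16 21:24:07 unknown daemon.notice openvpn[8389]: TCP/UDP write bytes,140
Oct 16 21:25:02 unknown daemon.err openvpn[8389]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 16 21:25:02 unknown daemon.err openvpn[8389]: TLS Error: TLS handshake failed
"""
WORKING_SAMPLE = """\
Oct 16 23:12:27 unknown daemon.notice openvpn[13485]: TCP/UDP read bytes,3211
Oct 16 23:12:31 unknown daemon.notice openvpn[13485]: PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,dhcp-option DNS 185.212.169.139,route-gateway 10.66.2.1,topology subnet,ping 20,ping-restart 60,ifconfig 10.66.2.10 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 16 23:12:31 unknown daemon.info dnsmasq[13619]: exiting on receipt of SIGTERM
Oct 16 23:12:32 unknown daemon.notice openvpn[13485]: Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, sample in (("failed", FAILED_SAMPLE), ("working", WORKING_SAMPLE)):
        print(name, triage(parse_log(sample)))
```

Run it against a router log captured with `logread` or pasted from the GUI; the useful signal in the failed case is the combination of the 60-second TLS timeout with zero bytes received, which points at the peer discarding the control channel rather than at a routing or MTU problem, whereas a non-empty list from `option_mismatches` would instead indicate a cipher, auth or MTU setting that disagrees with the server.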

Topic Author
blurb
Posts: 24
Joined: Fri Dec 29, 2017 4:42 pm

Re: Freshtomato Firmware, ECC.

Post by blurb » Wed Oct 17, 2018 3:16 am

Victory is mine! Of course, with help from df.

Code:

$ whois $(curl ipinfo.io/ip)                                                         
 % Total  % Received % Xferd Average Speed  Time  Time   Time Current
                 Dload Upload  Total  Spent  Left Speed
100  16 100  16  0   0   27   0 --:--:-- --:--:-- --:--:--  27
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%    To receive output for a database update, use the "-B" flag.

% Information related to '185.212.169.0 - 185.212.169.255'

% Abuse contact for '185.212.169.0 - 185.212.169.255' is 'abuse@m247.ro'

inetnum:    185.212.169.0 - 185.212.169.255
netname:    M247-LTD-Copenhagen
descr:     M247 LTD Copenhagen Infrastructure
country:    DK
geoloc:     55.67 12.56
admin-c:    GBXS22-RIPE
tech-c:     GBXS22-RIPE
status:     LIR-PARTITIONED PA
mnt-by:     GLOBALAXS-MNT
remarks:    ---- LEGAL CONCERNS ----
remarks:    For any legal requests, please send an email to
remarks:    ro-legal@m24seven.com for a maximum 48hours response.
remarks:    ---- LEGAL CONCERNS----
created:    2017-07-12T14:48:56Z
last-modified: 2018-06-13T14:19:36Z
source:     RIPE

role:      GLOBALAXS COPENHAGEN NOC
address:    Industriparken 20A, 2750 Ballerup, Denmark
nic-hdl:    GBXS22-RIPE
mnt-by:     GLOBALAXS-MNT
created:    2017-06-07T04:59:05Z
last-modified: 2017-06-07T04:59:05Z
source:     RIPE # Filtered

% Information related to '185.212.169.0/24AS9009'

route:     185.212.169.0/24
origin:     AS9009
mnt-by:     GLOBALAXS-MNT
created:    2017-07-13T06:52:11Z
last-modified: 2017-07-13T06:52:11Z
source:     RIPE

% This query was served by the RIPE Database Query Service version 1.92.6 (WAGYU)

Whois has never been so pretty. :clap:

I'll dump the proper set up in the Tomato thread (minus the self pity, woe and swearing) when I can bring myself to face an ovpn config again. :crazy:
