Michael Altfield's gravatar

Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

This post will describe what hardware to buy & how to configure it so that you have 2 wireless networks in your house: One that seamlessly forces all of the traffic on that network through a VPN–and one that connects to the Internet normally . When finished, the internet activity for any device connected to the first network will be entirely encrypted so that the ISP cannot see which websites are visited*, what software you use, and what information you send & receive on the internet.

* Assuming your config doesn’t leak DNS; see improvements section

Update 2017-08-25: Added “kill switch” firewall rule that prevents LAN traffic from escaping to the ISP unless it passed through the VPN’s vtun0 interface first. Following this change, if the VPN connection is down, the internet will not be accessible (as desired) over the ‘home’ wifi network (without this, the router bypasses the VPN by sending the packets straight to the ISP–giving a false sense of privacy).

Why

In April 2017, Trump signed Bill S.J.Res.34, which repeals the Broadband Consumer Privacy Proposal from October 2016. This enormous step backwards permits anyone’s ISP to sell their Internet activity. The EFF put it best:

Electronic Frontier Foundation Logo

companies like Cox, Comcast, Time Warner, AT&T, and Verizon will have free rein to hijack your searches, sell your data, and hammer you with unwanted advertisements. Worst yet, consumers will now have to pay a privacy tax by relying on VPNs to safeguard their information.

source

This post will describe how to setup such a VPN in a seamless manner. Your router will automatically relay all your traffic to your VPN provider. The devices themselves don’t require any special configuration. All your ISP will see is a bunch of useless encrypted data on its way to your VPN provider.

Why not VPN all-the-things (cough Netflix)

Encrypt All The Things Meme

Not only will your ISP see traffic going to your VPN provider, the site you’re accessing will also see your traffic originating from your VPN provider. Because VPN providers are sometimes used by customers to bypass geolocks (and, indeed, you’ll be able to choose which country/region you’d like your traffic to “originate” from using this config), many services (ie: netflix) simply block any customers whose traffic originated from a known VPN network.

Another reason you may choose not to use a VPN is for applications that require low-latency. For example, video games.

For the above reasons, you’ll be able to connect to the wifi network “home-clear.” Traffic on this wireless network will be sent out of the router in “cleartext” to your ISP, skipping the encrypt-and-send-to-vpn step.

Hardware

This solution is achievable with lots of different hardware, but I’m just going to describe the hardware I used. If you found a way to achieve the same results with different hardware, please post your devices & configuration in the comments :)

Here’s a couple posts on doing Whole House VPN using CryptoStorm with ddwrt & tomato:

  1. ddwrt
  2. tomato

Router

Steve Gibson shows off the Edge Router X

The router we choose for this guide needs to be a general-purpose router with DHCP & DNS servers, but it also needs to support VLANs, firewalls, and be able to run an OpenVPN client. It should also be well-built with sufficient RAM & good reviews–unlike many cheap dlink/linksys consumer-grade routers.

Steve Gibson (Security Researcher, host of Security Now!) has often recommended the Ubiquiti EdgeRouter X (ER-X) for its VLAN support, thereby allowing segregating IoT devices from the rest of the network. It’s a cute, small, 5-port router running EdgeOS–which is a fork of Vyatta, which was based from Debian (squeeze).

You can get this router for $50 new.

Access Points

Ubiquiti Unifi AP AC Lite with POE

Probably the most popular small-business-grade APs available today are the Ubiquiti Access Points. I recommend the Ubiquiti UniFi AP AC Lite, as it supports both 2.4 & 5 Ghz.

You can get this AP for $80 new.

If you have a very large area to cover, you might need to get a few of these (but know that Ubiquiti APs have much better coverage than your typical consumer-grade APs)

Why brick-and-mortars + Cash are good

Oh, and expect delays when shipping these devices so the FBI can intercept the device & install spyware on it.

Edward Snowden portrat

“People go, ‘Oh, well, the CIA’s not gonna be breaking into my house, right?’ And that’s actually true.

What they do is they wait for when these devices are being shipped to you, when you order them on Amazon or whatever. They go to them at the airports. They get the box. They use a little hair dryer to soften the adhesive. They open up the box. Then they put the USB stick in. They seal the box back all nice and perfect, and then they ship it on to you. And now your router, your computer, your TV is hacked. This is a very routine thing that happens”

-Edward Snowden on Intercepted “Snowden vs. Trump” 2017-03-15

source

…I recommend buying these devices at a brick-and-mortar for cash.

Architecture

Let’s describe how these devices will be configured.

Physical Ports

The ER-X has 5 physical ports: eth0, eth1, eth2, eth3, & eth4.

In this config, eth0 will be WAN (the ethernet cable will connect to the ISP’s modem).

All other ports (eth1, eth2, eth3, & eth4) will be LAN ports making up switch0. Cables from these ports will either go directly to computers/devices on the network, to Access Points providing wifi to the network, or to a switch that goes to computers/devices/APs.

In this article, eth1 will be used by the AP. All other ports are unused.

VLAN

In addition to switch0 made up of physical ports, we’ll create a switch0.30 on a VLAN tag=30. We will configure the Access Points to tag packets from clients connected to the ‘home’ SSID with VLAN tag=30 so the ER-X router puts them in switch0.30 under a distinct subnet. Clients connected to the ‘home-clear’ SSID will have untagged packets; they will be using switch0.

SSIDs

We will have 2 SSIDs:

  1. ‘home’ All traffic on this wireless network will be forced out to the VPN
  2. ‘home-clear’ All traffic on this wireless network will be sent out normally in “cleartext”* to the ISP

* If you’re using end-to-end encryption (ie: https), the ISP will only be able to see where you’re sending your traffic. The payload of your packets will still be encrypted when sent to your ISP.

Subnets

We will have the following subnets:

  1. 192.168.1.0/24 LAN for ‘home’ wireless & hard-wired clients for traffic destined to the VPN
  2. 192.168.30.0/24 VLAN for ‘home-clear’ wireless for traffic destined to be sent straight to the ISP, not the VPN
  3. 10.56.0.0/16 VPN network. This may change at cryptostorm’s discretion

And, once finished, the routetable should look something like this

admin@ubnt:~$ ip r
0.0.0.0/16 dev vtun0  proto kernel  scope link 
default via 98.X.X.1 dev eth0  proto zebra 
10.56.0.0/16 dev vtun0  proto kernel  scope link  src 10.56.0.3 
98.X.X.0/24 dev eth0  proto kernel  scope link  src 98.X.X.X
192.168.1.0/24 dev switch0  proto kernel  scope link  src 192.168.1.1 
192.168.30.0/24 dev switch0.30  proto kernel  scope link  src 192.168.30.1 

DHCP

Our router will have two DHCP servers:

  1. 192.168.1.0/24 LAN
  2. 192.168.30.0/24 VLAN

Additionally, the router will be a DCHP client for getting IP addresses for two interfaces:

  1. eth0 ISP WAN
  2. vtun0 VPN

DNS

Our LAN & VLAN subnets will be configured to use OpenDNS nameservers:

  1. 208.67.222.222
  2. 208.67.220.220

This is less than ideal (DNS usually is), but generally not an issue as OpenDNS can only log DNS lookups originating from cryptostorm’s servers. See improvements section for more information.

Firewall

We will create a firewall rule for the LAN subnet to use a distinct route table that sends traffic out on vtun0.

We will also create a “eth0 out” firewall ruleset that will drop by default & only allow outbound traffic that’s either [a] established/related, [b] originating from the vpn’s vtun0 interface, or [c] originating from the vlan = the ‘home-clear’ wifi network.

Software

In my personal searches, I feel the most transparent & trustworthy vpn service today is cryptostorm. I am in no way affiliated with cryptostorm.

For testing before buying, cryptostorm provides cryptofree–a free version of their service that’s capped at “about 160kbps down, 130 kbps up.” This guide will use cryptofree’s configs so you can play before you buy. Later in this guide I’ll describe how to update your OpenVPN config to use purchased cyrptostorm tokens that are uncapped.

Cryptostorm offers VPN service only using OpenVPN, which is supported by the ER-X.

Configuration

This section will describe how to configure each network device

Router

The first thing we’re going to setup is your router. In this section, we’ll assume you’re using the Ubiquiti EdgeRouter X (ER-X).

Connect

After unboxing your router, plug in the power adapter, and connect a patch ethernet cable between your computer and the router’s eth0 port. Set your computer to use a static IP address on the 192.168.1.x subnet, such as 192.168.1.100 (gateway=192.168.1.1 & netmask=255.255.255.0).

Connect to the router’s web UI by typing ‘https://192.168.1.1’ in your web browser. Unfortunately you’ll have to accept an exception for the router’s self-signed https certificate. TOFU yall.

ER-X Login ScreenER-X Login Screen

Login with the default username of ‘ubnt’ & password of ‘ubnt’.

Update Firmware

At the time of writing, the latest firmware is v1.9.1.1, but my router did not come with the latest firmware. Before you begin to configure your new router, you should make sure you update to the latest firmware.

To determine your current firmware, check to top-left of the web UI. It should say “EdgeRouter X v1.9.1.1” or similar.

Visual guide to updating ER-X Firmware

To determine the latest available firmware version, check Ubiquiti’s downloads page for the EdgeRouter X. If necessary, download the latest firmware, then navigate to System -> Upload System Image to update the router’s firmware.

I also recommend downloading the Edge OS User Guide, which is an invaluable reference when working with your router; it is a great supplement to this article if you get stuck.

Wizard

After you’ve verified that you’re running the latest firmware, we can setup the router by connecting it to the WAN (Internet) on eth0, configuring eth[1-4] as a LAN switch, and setting up DHCP & DNS. The easiest way to set this up is to go to Wizard -> WAN+2LAN2 in the web UI.

The default options should be fine–except you’ll want to click “Create new admin user” at the bottom. Type ‘admin’ for the ‘User’, and enter a new username & password under the “User setup” section. Be sure to use a good, long passphrase.

Screenshot of wizard when form is filled-out

Click ‘Apply’. The WUI will warn you.
Click ‘Apply Changes’. It should say ‘The configuration has been applied successfully’
Click ‘Reboot’. It should say “Are you sure? Your network will be temporarily unavailable while your router reboot”
Click ‘Yes, I’m sure’

Screenshot of ER-X WUI asking for confirmation following wizard submitScreenshot showing ER_X WUI saying that the apply was successfulScreenshot of ER-X WUI prompting for confirmation when asking for reboot

Verify

While your router reboots, do the following:

  1. Change your computer’s network configuration from static back to dhcp
  2. Unplug the ethernet port from the router’s eth0 port. Replug it into eth4

Your computer should get an IP address.

Now, go to ‘https://192.168.1.1’ in your browser, and login with the ‘admin’ account created through the wizard above.

If you can login successfully, then plug-in the ethernet cable coming out of your modem into your ER-X’s eth0 port.

Wait a few minutes, and verify that [a] your router has an Internet IP address for eth0 and [b] your computer has Internet access before proceeding.

Screenshot of ER-X Dashboard showing eth0 has a WAN IP Address

Access Points

This section will describe how to setup your Ubiquiti Unifi Access Points (APs) to have 2 separate wireless network SSIDs. One of these will be on a separate vlan. We’ll later configure the router to send this vlan traffic directly to the ISP, rather than to the VPN.

For brevity, I will only describe how to configure only 1 AP, but most setups will have >1 AP, and it’s trivial to apply the knowledge for subsequent APs.

Power

Ubiquiti guide to setting up POE

After unboxing your Ubiquiti Unifi AP, attach one end of an ethernet cable into the Access Point and the other end into the POE adapter on the side labeled “POE”. Take another ethernet cable and attach one end into the side of POE adapter labeled “LAN” and attach the other end into the router’s port eth1.

Now, plug in the power cable for the POE adapter. The Unifi AP should power-on.

Controller Software Install

Unifi APs don’t have a built-in WUI. Instead, you need to run a Unifi Controller server, which can be run on Mac, Windows, or Linux. I installed the debian package on Ubuntu, but it may be easier to blow the dust off an old laptop in the closet, install windows on it, and use that as your Ubiquiti Controller. Make sure you download the latest version of the Controller software.

After your controller is installed, you can access it in the browser on port 8443. For example, I’m running the Controller locally on my linux laptop, so I type ‘https://127.0.0.1:8443’ into my browser. Again, you’ll have to accept adding an exception to your browser for the Controller’s self-signed certificate.

Controller Software Configuration

Before proceeding, with the AP’s config, go to Settings -> Site in the Controller WUI. Set a Username & Password for the “Device Authentication” section. Be sure to use a good, long passphrase.

Screenshot of the Unifi Controller WUI's settings page with the password field filled-in

Now, create your 2x SSIDs by going to Settings -> Wireless Networks in the Controller WUI.

Screenshot of the Unifi Controller WUI's settings page showing no wireless networks

Click “CREATE NEW WIRELESS NETWORK”

For “Name/SSID”, type ‘home’, and check ‘WPA Personal’. Type a good, long passhprase for your wireless network. This is the passphrase you’ll enter on all your devices when you connect to the wifi. Note that Ubiquiti supports “guest networks,” but this is outside the scope of this article.

Screenshot of the filled-out form to add the first wireless network

Click ‘Save’

Now create the second SSID:

Click “CREATE NEW WIRELESS NETWORK”

For “Name/SSID”, type ‘home-clear’, and check ‘WPA Personal’. Again, type a good, long passhprase for your wireless network.

Click ‘ADVANCED OPTIONS’

Check the box that says ‘Use VLAN’ and type ’30’ into the ‘VLAN ID’ field.

Screenshot of the filled-out form to add the second wireless network

Click ‘Save’

You should now see both wireless networks (‘home’ and ‘home-clear’) in your “Wireless Networks” section of your “Settings” in the Unifi Controller WUI.

Screenshot of Unifi Controller Settings showing both new Wireless Networks

Add AP

Browse to the “Devices” section of the Controller WUI. You should see your AP. Click the “Adopt” link on the right.

Screenshot of the Unifi Controller WUI showing the orpahaned AP with a button to Adopt

When the node is finished provisioning, you should be able to connect to your network over wifi. Finally, you can unteather yourself, brew a cup, and recline in a nice comfy chair to finish the config wirelessly.

Screenshot of the Unifi Controller WUI showing the AP being adoptedScreenshot of the Unifi Controller WUI showing the AP being provisioned

Upgrade APs

Before exiting the controller software, check to see if your AP has an “UPGRADE” available. If so, go ahead and update their firmware by clicking the button.

Screenshot of the Unifi Controller WUI showing the connected AP and its UPGRADE button

ER-X OpenVPN Client Configuration

Unfortunately the ER-X doesn’t have a GUI for configuring an OpenVPN client (note that this router also supports setting up an OpenVPN server, so that you can securely connect to your home network when you’re away–this is distinct from the OpenVPN config we’re implementing in this article).

To create a virtual tunnel interface that sends encrypted traffic to cryptostorm (or another vpn provider) on the Ubiquiti EdgeRouter-X, we must do so from the command-line. This guide assumes you’re running ubuntu linux, but any OS with an ssh client should work.

Add Cryptofree Config Files to ER-X

First, ssh into your ER-X router using the same username & password you use to login to the WUI

ssh admin@192.168.1.1

Now, create the vpn connection. Note that cryptofree is free, so the username & password don’t matter-ish. They do need to be set, but they can be set to anything.

cd /config

# create bogus passwords file
echo -e "bogusUser\nbogusPass" > /config/cryptofree_pass.txt

# download the cryptofree openvpn file
curl -O https://raw.githubusercontent.com/cryptostorm/cryptostorm_client_configuration_files/master/cryptofree/cryptofree_linux-tcp.ovpn

# add our password file to the config
sed -i '/auth-user-pass/d' cryptofree_linux-tcp.ovpn
echo "auth-user-pass /config/cryptofree_pass.txt" >> cryptofree_linux-tcp.ovpn

# Add route-nopull so we can setup our routes, not the server. This is
# necessary since cryptstorm wants all our traffic to them, but in-fact we want
# some traffic to rote to the ISP (our vlan on the 'home-clear' wifi network)
echo "route-nopull" >> cryptofree_linux-tcp.ovpn

# add openvpn to er-x config
configure
set interfaces openvpn vtun0 config-file /config/cryptofree_linux-tcp.ovpn
commit
save
exit

After the ‘commit’ step above, your router will create a vtun0 interface & connect to the VPN. ‘save’ makes it persistent across reboots.

Masquerade for vtun0

Back in the router’s WUI, click on the ‘Firewall/NAT’ -> ‘NAT’ tab.

Click ‘Add Source NAT Rule’
For ‘Description’, type ‘masquerade for VPN’
For ‘Outbound Interface’, select ‘vtun0’.
Check both ‘Use Masquerade’ and ‘All protocols’
Click ‘Save’

Screenshot of the ER-X WUI with the fields filled-in to add a masquerade rule for the VPN

You should now be connected to the VPN, even though no traffic is forced through it yet. Let’s set that up now.

Force traffic through VPN

Finally, let’s setup [a] our LAN to use a new firewall rule SOURCE_ROUTE, [b] the SOURCE_ROUTE firewall rule that uses a custom route table 1, and [c] a custom route table 1 that forces all traffic out to the ISP modem.

Unfortunately, I haven’t found a good way to do all these things through the GUI, so hop back to the terminal & type the following into the router’s CLI over ssh:

configure
set interfaces switch switch0 firewall in modify SOURCE_ROUTE
set firewall modify SOURCE_ROUTE rule 1 description "traffic from LAN goes through VPN"
set firewall modify SOURCE_ROUTE rule 1 modify table 1
set firewall modify SOURCE_ROUTE rule 1 source address 192.168.1.0/24
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
commit
save
exit

Congrats! All your traffic should be flowing through the VPN. Now let’s setup that second wifi network & fix DHCP.

Create Switch0.30

To create a new switch for the VLAN traffic coming from the ‘home-clear’ wifi network, go the the “Dashboard” tab of the ER-X WUI, and click “Add Interface” -> “Add VLAN”

For “VLAN ID”, type ’30’
For “Interface”, select ‘switch0’
For “Description”, type “home-clear”
For “Address”, select “Manually define IP address”, and type “192.168.30.1/24”
Click “Save”

Screenshot of the ER-X WUI with the fields filled-in to add a new VLAN

Your Dashboard should now show “switch0.30” in the list of Interfaces.

Screenshot of the ER-X dashboard showing the newly added vlan subnet0.30

Create DHCP Server for Switch0.30

Because we created a distinct subnet for our VLAN, we need to create a distinct DHCP server for the 192.168.30.0/24 network. To do so, Click the “Services” tab in the ER-X WUI.

Click “Add DHCP Server”

Screenshot of the ER-X WUI showing the fields filled-in to add a DHCP server

For “DHCP Name” type ‘VLAN’
For “Subnet” type ‘192.168.30.0/24’
For “Range Start” type ‘192.168.30.2’
For “Range Stop” type ‘192.168.30.254’
For “Router” type ‘192.168.30.1’
For “DNS 1” type ‘208.67.222.222’
For “DNS 2” type ‘208.67.220.220’
Click “Save”

Screenshot of the ER-X WUI showing the newly added dhcp server


Change DNS Servers for LAN

Let’s also update the DNS servers for our LAN to use OpenDNS, so that we’re not calling back to the ISP from our VPN (which actually may not work at all).

For the “LAN” DHCP Server, click “Actions” -> “View Details”

Screenshot of the ER-X WUI showing the filled-out fields to update the DNS for the LAN

Erase the contents of “DNS 1” and “DNS 2”
For “DNS 1” type ‘208.67.222.222’
For “DNS 2” type ‘208.67.220.220’

Create “VPN Kill Switch”

A VPN Kill Switch is a mechanism to prevent your Internet traffic from flowing directly to your ISP when it’s expected to be flowing through a VPN first. The “kill switch” will essentially shut off your Internet access if your vpn tunnel experiences connectivity issues, rather than send your packets straight to the ISP (bypassing your VPN).

To create the VPN Kill Switch go to “Firewall/NAT” -> “Firewall Policies” in the Controller WUI.

Click “Add Ruleset”
For “Name” type ‘WAN_OUT’
For “Description” type ‘Internal to WAN’
For “Default Action” choose ‘Drop’
Click “Save”

Screenshot of the ER-X WUI showing the filled-out fields to create a new firewall ruleset for the vpn kill switch

After saving, edit the empty ruleset by clicking “Actions” -> “Edit Ruleset” on the new “WAN_OUT” line.

Click “Add New Rule”
For “Description” type ‘Allow established/related’
For “Action” choose ‘Accept’
Click the “Advanced” tab
Check the “Established” checkbox
Check the “Related” checkbox
Click “Save”

Screenshot of ER-X WUI showing filled-in forms for adding the first rule to the killswith, basic tabScreenshot of ER-X WUI showing filled-in forms for adding the first rule to the killswith, advanced tab

Click “Add New Rule”
For “Description” type ‘Drop invalid state’
For “Action” choose ‘Drop’
Click the “Advanced” tab
Check the “Invalid” checkbox
Click “Save”

Screenshot of ER-X WUI showing filled-in forms for adding the second rule to the killswith, basic tabScreenshot of ER-X WUI showing filled-in forms for adding the second rule to the killswith, advanced tab

Click “Add New Rule”
For “Description” type ‘permit vlan to bypass vpn’
For “Action” choose ‘Accept’
Click the “Source” tab
For “Interface Network” choose “switch0.30”
Click “Save”

Screenshot of ER-X WUI showing filled-in forms for adding the third rule to the killswith, basic tabScreenshot of ER-X WUI showing filled-in forms for adding the third rule to the killswith, advanced tab

You should now see the following summary of the 3 rules created above

Screenshot of the ER-X WUI showing a summary of the rules added above

Click the “Interfaces” tab
For “Interface” choose ‘eth0’
For “Direction” choose ‘out’
Click “Save Ruleset”

Screenshot of the ER-X WUI showing a summary of the interfaces option for the above-described ruleset

Click the “x” to close the “Ruleset Configuration for WAN_OUT” window. That’s it! Your router’s vpn kill switch is setup.

Note that (because of the firewall rules created earlier) it is not necessary to create a rule in this ruleset specifically for the traffic with source = vtun0.

Testing

Congrats, you’ve finished setting up the Netflix-safe, Whole House VPN on your router! To verify that it works:

  1. Connect to the ‘home-clear’ wifi network & google “whats my ip geo” to find a website that will tell you the Internet IP Address that they see + where they think you are geographically located. Write down the results.
  2. Connect to the ‘home’ wifi network & visit the same site as above. Compare your results.

My favorite website for this is currently ifconfig.co–which can also be used with curl on the command line.

Screenshot of the website ifconfig.co while connected to 'home'. Shows our connection is originating from France and our hostname is 'linux-cryptofree1-a'

If the results differ on both networks, then you’re all set! Note that cryptofree currently routes out through France at the time of writing.

Change to Paid CryptoStorm

This section will describe how to update your config if you decide to purchase a token for uncapped connections to the CrytoStorm VPN service.

After you pay for your subscription to CS, they will display for you (and email you) your new token. According to CS, they keep no records of this token being offered. And to further obfuscate your identity (by decoupling [possibly anonymous] payment information from OpenVPN authentication credentials), your OpenVPN credentials consist of a strong, cryptographic hash of the token that CS gave you. This hashed token is your username. Your password can be anything (their guide recommends ‘password’, so that’s what we’ll use here).

In this example, the token that CS gave you after payment is ‘CHANGEME’. You should change this to the token they gave you. The part that says ‘password’ (as explained above) should be kept as ‘password’.

First, store your CS hashed token to a file on the router. Run the following on the CLI of the router via ssh:

echo -n 'CHANGEME' | sha512sum | awk '{print $1}' > /config/cryptostorm_pass.txt
echo 'password' >> /config/cryptostorm_pass.txt

Next, download & configure the cryptostorm openvpn config for linux udp. Note that this is different from the cryptofree config. Also note that if you poke around the git repo, you can choose which geo-regional exit nodes you want to use.

Run the following on the CLI of the router via ssh:

cd /config
curl -O https://raw.githubusercontent.com/cryptostorm/cryptostorm_client_configuration_files/master/linux/cstorm_linux-balancer_udp.ovpn
sed -i '/auth-user-pass/d' cstorm_linux-balancer_udp.ovpn
echo "auth-user-pass /config/cryptostorm_pass.txt" >> cstorm_linux-balancer_udp.ovpn
echo "route-nopull" >> cstorm_linux-balancer_udp.ovpn

configure
delete interfaces openvpn vtun0
set interfaces openvpn vtun0 config-file /config/cstorm_linux-balancer_udp.ovpn
commit
save
exit

Warnings, Limitations, & Pending Improvements

This section will describe what this solution does not provide and some ways it could be improved.

Not a suitable replacement for TAILS

Image of a button on a keyboard reading 'Security'

Unfortunately, there’s no ‘security’ button on your keyboard. Not only is nothing 100% secure, but this Whole House VPN solution is necessarily far from achieving an acceptable amount of privacy for many users.

If you are an investigative journalist, activist, or political dissident looking to safely browse the internet without being tracked by an oppressive regime, this solution is not for you. If you’re concerned that an adversary having access to your Internet activity could cause pain, suffering, or loss-of-life, then you should not trust this system to protect you. Instead, you should use TAILS.

If, however, you’re afraid that Verizon, AT&T, Comcast, Time Warner, or Cox will be selling your queries to WebMD about Rheumatoid Arthritis, and you have a legitimate fear that your future insurance prices will rise because of it, this solution may help you. But you probably should still use TAILS if you are especially concerned about it.

DNS Leaks

I haven’t yet put an sniffer between the router & the modem to see if DNS queries are escaping from the regular (non-vlan) network in cleartext. The goal is to have all packets, including DNS, be encrypted & sent to the VPN server, decrypted by the VPN server, and then passed to the DNS server. Even if we’re using ordinary DNS (instead of, say, dnscrypt), the DNS server should only know that a cryptostorm user did a lookup for a given domain name.

The fear is that the DNS query gets passed to the router, which sends it to the ISP’s DNS servers instead of through the VPN tunnel. This would tell the ISP which websites we’re going to and when. This metadata alone is significant, and could lead to death in an opressive regime.

Bandwidth & Latency Results

This setup does meet my requirements, and I’m going to keep it.

However, I was shocked how poor my bandwidth was using cryptostorm. I changed my openvpn config to use a cryptostorm server that was less than a few hundered miles from me. I also switched to using openvpn over udp, which helped.

Overall, I got great latency of ~20 ms.

But my bandwidth on my actual 100 Mbps up & down fiber line couldn’t break 15 Mbps. For a VPN service that caters to torrenters, this was a big let down. That said, I couldn’t detect a decrease in “usage performance” when just browsing the web. You’d notice it when downloading ISOs for your favourite linux disto, however.

Further Reading

If you’d like to learn more about the background of this article, I recommend the following additional resources:

  1. https://community.ubnt.com/t5/EdgeMAX/RFC-Howto-Guide-for-Whole-House-VPN-with-EdgeRouter-X/m-p/2041437

1 comment to Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

  • Jack

    I was looking to do exactly this last year when I purchased my rpi3 and was never able to get it to work properly. I may invest in some new hardware and give this a go.

    Odd as it may be, I was trying to get this setup so that I could manage the whole house with a single connection because of cryptostorm.

    Now that my one yeaar subscription to another service is up I will be trying this shortly

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>