TorGuard

All Activity


  1. Today
  2. Dear TorGuard OpenWrt Users, Hello - and I hope that you are well. This is how to get and set up a Let's Encrypt certificate using DuckDNS on OpenWrt. If you follow these instructions you should have no problems at all. I picked DuckDNS because it allows you five domains (read sub-domains) and supports Let's Encrypt on OpenWrt.

    First go to https://www.duckdns.org/ - log in in order to create an account. I use reddit to sign in - DuckDNS also offers Google, Twitter, GitHub, or Persona logins to create an account. You are allowed five sub-domains - create one - name it what you like - something like secureone. Your full sub-domain is now secureone.duckdns.org. Click on "install" on the top banner - go to "first step - choose a domain" and from the drop-down menu select the sub-domain you just created - secureone.duckdns.org - then under "Routers" select "OpenWrt" - you will then get these instructions: find them below the DuckDNS DDNS SCRIPT SECTION.

    Before You Begin: you should set the HOSTNAME under System to something like cryptorouter (or whatever you like) and under Network > DHCP and DNS > Local domain enter something like home.secureone.duckdns.org. When you are done this is the FQDN that your Let's Encrypt certificate will be named for - in this example it is as follows: cryptorouter.home.secureone.duckdns.org

    DuckDNS DDNS SCRIPT SECTION:

    First, I use a script to update the DuckDNS DDNS service. See here: https://www.bytebang.at/Blog/Find+public+IP+address+for+OpenWRT+via+Script#

    To implement this script, please follow these instructions below:

    opkg update ; opkg install knot-dig

    then:

    nano /usr/lib/ddns/getPublicIp.sh

    enter this script below in the new file:

    #!/bin/sh
    # sample script for detecting the public IP
    kdig +short myip.opendns.com @resolver1.opendns.com

    make it executable:

    chmod +x /usr/lib/ddns/getPublicIp.sh

    DuckDNS OpenWrt DDNS SETUP:

    opkg update
    opkg install ddns-scripts   ## Davidc502 SnapShots Come With This Pre-Installed

    edit the config at /etc/config/ddns

    nano /etc/config/ddns

    ## Replace The IPV4 Configuration With The Contents Below:

    config service 'duckdns'
        option enabled '1'
        option username 'secureone'
        option domain 'secureone.duckdns.org'
        option password 'f8be3d28-104e-45d2-a5a9-e95599b84ae2'   ## Use Your Own DuckDNS Password - This one is a fake
        option interface 'wan'
        option check_interval '5'
        option check_unit 'minutes'
        option force_interval '24'
        option force_unit 'hours'
        option ip_source 'script'
        option retry_interval '60'
        option retry_unit 'seconds'
        option ip_script '/usr/lib/ddns/./getPublicIp.sh'
        option update_url 'https://www.duckdns.org/update?domains=[USERNAME]&token=[PASSWORD]&ip=[IP]'
        option use_https '1'
        option cacert '/etc/ssl/certs/ca-bundle.crt'
        option lookup_host 'secureone.duckdns.org'

    Next here are the correct commands for SSL HTTPS DuckDNS below:

    opkg update
    opkg install curl   ## Davidc502 SnapShots Come With This Pre-Installed
    mkdir -p /etc/ssl/certs   ## Directory Exists Already On Davidc502 SnapShots

    Issue This Most Important Command Below:

    curl -k https://certs.secureserver.net/repository/sf_bundle-g2.crt > /etc/ssl/certs/ca-bundle.crt

    Now Start DDNS:

    sh
    . /usr/lib/ddns/dynamic_dns_functions.sh   # note the leading period
    start_daemon_for_all_ddns_sections "wan"
    exit   ## Very Important To Exit

    We can now test the script by running the command:

    /usr/lib/ddns/dynamic_dns_updater.sh duckdns

    Then check that DDNS under Services is up and running.

    Now that you have the DuckDNS service running on your OpenWrt router, let us install the Let's Encrypt certificate. First you must issue these commands:

    uci delete uhttpd.main.listen_http
    uci set uhttpd.main.redirect_https=1
    uci set uhttpd.main.rfc1918_filter='0'   ## This allows you to login with public sub-domain
    uci commit
    /etc/init.d/uhttpd restart

    Now install the necessary Let's Encrypt packages as follows:

    opkg update ; opkg install socat ncat luci-app-acme acme-dnsapi acme coreutils-stat   ## acme-dnsapi is the most important one

    Then issue the certificate with this command:

    ## Token is your DuckDNS Password & Please Note FQDN Placement
    DuckDNS_Token="f8be3d28-104e-45d2-a5a9-e95599b84ae2" /usr/lib/acme/acme.sh --issue -d cryptorouter.home.secureone.duckdns.org --dns dns_duckdns

    The issuance takes 120 seconds to complete after the acme challenge; when finished you can locate the certificate and key files in ./.acme.sh/your.domain/, and then in the uHTTPd settings point the certificate and key path to them respectively. This means that the two main files you need are found here:

    /root/.acme.sh/cryptorouter.home.secureone.duckdns.org/cryptorouter.home.secureone.duckdns.org.cer
    /root/.acme.sh/cryptorouter.home.secureone.duckdns.org/cryptorouter.home.secureone.duckdns.org.key

    Now edit the /etc/config/uhttpd file as demonstrated below:

    ## Notice that I set https ONLY earlier and now the login port is set to "10445"

    nano /etc/config/uhttpd

    config uhttpd 'main'
        list listen_https '0.0.0.0:10445'
        list listen_https '[::]:10445'
        option redirect_https '1'
        option home '/www'
        option max_requests '3'
        option max_connections '100'
        option cert '/root/.acme.sh/cryptorouter.home.secureone.duckdns.org/cryptorouter.home.secureone.duckdns.org.cer'
        option key '/root/.acme.sh/cryptorouter.home.secureone.duckdns.org/cryptorouter.home.secureone.duckdns.org.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'
        option rfc1918_filter '0'

    config cert 'defaults'
        option days '730'
        option bits '4096'
        option country 'US'
        option state 'Texas'
        option location 'Austin'
        option commonname 'OpenWrt'

    then issue this command:

    chmod 400 /root/.acme.sh/cryptorouter.home.secureone.duckdns.org/cryptorouter.home.secureone.duckdns.org.key

    At this point DO NOT!! - I REPEAT DO NOT!! - DO NOT RESTART "uhttpd" for any reason whatsoever. Instead clear your browser - close - clean cookies and all that good stuff. Then open your browser and login with https://cryptorouter.home.secureone.duckdns.org:10445 - as per this example. You should not be prompted by an "insecure warning" any longer - and the green padlock will appear in the address bar. Click on it and see the certificate details if you wish.

    NEXT CONFIGURE ACME FOR AUTOMATIC RENEWAL

    edit /etc/config/acme as below:

    nano /etc/config/acme

    config acme
        option state_dir '/root/.acme.sh/'
        option account_email '[email protected]'   ## Fake E-mail Too
        option debug '1'

    config cert 'example'
        option keylength '4096'
        option update_uhttpd '1'
        option enabled '1'
        option webroot '/www'
        list domains 'cryptorouter.home.secureone.duckdns.org'
        option use_staging '0'
        option dns 'acme.sh --insecure --issue --dns dns_duckdns -d cryptorouter.home.secureone.duckdns.org'
        list credentials 'export DuckDNS_Token="f8be3d28-104e-45d2-a5a9-e95599b84ae2"'

    Then issue these commands:

    /etc/init.d/acme start
    /etc/init.d/acme enable

    BONUS: In order to preserve your Let's Encrypt certificates, use WinSCP and go into the default directory. In this case open /root/.acme.sh/cryptorouter.home.secureone.duckdns.org/ on the right side of the window. You will see all the certificates and associated files. Save them to a folder on your desktop, USB or what have you in case you need to upgrade or install a new OpenWrt - for instance, Dave puts out new SnapShots every two weeks approximately. As you know, Let's Encrypt certificates are good for 90 days and you do not want to abuse this free service. You can reuse them via WinSCP - make sure to create and install them to the proper directory on the new install as follows - issue the command:

    mkdir -p /root/.acme.sh/cryptorouter.home.secureone.duckdns.org/

    Then WinSCP the saved Let's Encrypt files from your previous storage desktop directory or USB into this newly created router directory. That is after you set up DuckDNS, installed the necessary ACME packages and followed all the instructions above EXCEPT for creating a new certificate. Do not forget this command either:

    chmod 400 /root/.acme.sh/cryptorouter.home.secureone.duckdns.org/cryptorouter.home.secureone.duckdns.org.key

    Remember all of this was done using a "fictional" hostname, local domain, DuckDNS token and so on; however, it does illustrate how to get you going. I find DuckDNS very easy to implement and manage. I also use DuckDNS on pfSense and OPNsense.
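The DuckDNS update step in the post above, as an added example that is not part of the original post and not code from OpenWrt's ddns-scripts or from DuckDNS: a small POSIX sh updater that keeps the post's kdig lookup for public-IP detection, pushes to DuckDNS only when the address has actually changed, sends the request with certificate verification (no curl -k), and checks DuckDNS's literal OK/KO reply before recording the new address. The sub-domain label, the token placeholder, the state-file path and the CA bundle path are assumptions; put a real token in the DUCK_TOKEN environment variable rather than in the script.

```shell
#!/bin/sh
# Added example, not from the forum post, OpenWrt's ddns-scripts or DuckDNS.
# Updates a DuckDNS sub-domain only when the public IPv4 address changed,
# with TLS verification (no "curl -k") and a check of DuckDNS's OK/KO reply.
# Hypothetical values: DUCK_DOMAIN, DUCK_TOKEN, STATE_FILE, CA_BUNDLE.

DUCK_DOMAIN="${DUCK_DOMAIN:-secureone}"                         # label only, no ".duckdns.org"
DUCK_TOKEN="${DUCK_TOKEN:-00000000-0000-0000-0000-000000000000}" # placeholder, not a real token
STATE_FILE="${STATE_FILE:-/tmp/duckdns.last_ip}"                # last address successfully pushed
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"    # assumed path of the ca-bundle package

# Strict dotted-quad check: rejects empty output, stray text, leading/trailing
# or doubled dots and octets above 255, so a broken resolver cannot push
# garbage into the DNS record.
is_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Public IP via the OpenDNS resolver, the same lookup the post's script uses.
get_public_ip() {
    kdig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null | head -n 1
}

# One update request; DuckDNS answers with the literal body "OK" or "KO".
# --cacert pins verification to the bundle instead of disabling it with -k.
duckdns_push() {
    curl -sS --fail --max-time 20 --cacert "$CA_BUNDLE" \
        "https://www.duckdns.org/update?domains=${DUCK_DOMAIN}&token=${DUCK_TOKEN}&ip=$1"
}

# Prints "updated <ip>" or "unchanged <ip>" and returns 0. On any failure it
# returns non-zero and leaves the state file alone, so the next run retries.
duckdns_sync() {
    ip=$(get_public_ip)
    is_ipv4 "$ip" || { echo "duckdns: unusable public IP '$ip'" >&2; return 2; }
    last=$(cat "$STATE_FILE" 2>/dev/null || :)
    if [ "$ip" = "$last" ]; then
        echo "unchanged $ip"
        return 0
    fi
    reply=$(duckdns_push "$ip") || { echo "duckdns: request failed" >&2; return 3; }
    [ "$reply" = "OK" ] || { echo "duckdns: update rejected ($reply)" >&2; return 4; }
    printf '%s\n' "$ip" > "$STATE_FILE"
    echo "updated $ip"
}

# Run only when saved and executed as duckdns_sync.sh; sourcing the file
# (for example from a test) just defines the functions.
case "$0" in
    *duckdns_sync.sh) duckdns_sync ;;
esac
```

This is a stand-alone replacement for the ddns-scripts flow rather than a drop-in for the post's option ip_script (that slot only expects a script that prints the address). On the router, save it as /usr/bin/duckdns_sync.sh and call it from cron every few minutes with DUCK_TOKEN exported; the state file keeps it from hitting DuckDNS on every run, and a KO reply (wrong token or domain) is reported instead of being silently recorded as success.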
  3. chuck

    uTorrent + SOCKS5 + no activity = fail

    Here's the thing - downloading is just fine, I'm routinely getting 10-15 megabytes per second, sometimes even 20 (my connection is 600/100).
  4. VengeanceTFN

    uTorrent + SOCKS5 + no activity = fail

    Yep... but the servers are overwhelmed pretty severely, so I'm betting everyone is having a hard time downloading... here's a short curl log collected from a script looping through the pool randomly to collect some data... 1 KB and 250 bytes collected from 2 URLs... 14 connection attempts to get 1.25 KB of data... lol... I set a 4 second timeout and got a ton of no acks, sub-neg fails, no responses... etc... the servers are basically being DDoS'd by paying customers to the point where they have exhausted all their TCP ports... each connection has to wait in line... bandwidth and transfer rates might be kinda ok... but the connection will reset many times before a movie comes down... Glad I only scrape data... not movies... lol. Here's the logs... could not paste them in here for some reason... https://pastebin.com/f2bXs6SR They definitely need to up the number of servers... I have the list of SOCKS5 from last year, which still allows connections to some... but those IPs are under the same level of stress...
  5. RyDze

    uTorrent + SOCKS5 + no activity = fail

    I had similar issues and it was related to using "proxy.torguard.org", because using that uses a POOL of random IPs, and after a while, if your torrents become inactive or for whatever reason, the proxy IP changes... it causes the connection to "time out" because the tracker is expecting a connection from the initial IP but the proxy IP has changed, which causes connectivity issues as the tracker is expecting a connection from the first IP you had but your IP has changed, timing out the connection. Rebooting uTorrent is a fix but only temporary, until the timeout happens again, changing the proxy IP and causing a disconnection/timeout. The fix for this was to instead use a "specific" proxy IP address xxx.xxx.xxx.xxx instead of proxy.torguard.org, which fixes the timeout issue and uTorrent stays connected; using a specific IP address makes the connection much more stable!
  6. I am using the latest uTorrent on Win10, connecting via SOCKS5. Everything works fine. Downloads are fast. But then the queue in uTorrent becomes inactive (empty or 'all done'). When this happens, and I add new torrents, uTorrent fails to connect. The fix is simple - restart uTorrent. I wonder if it's a bug in uTorrent software or some incompatibility with TorGuard's SOCKS5 proxies.
  7. Anon101

    TorGuard CA

    There is now a second, longer <ca> included in the config file. What is this second certificate used for, and do I need to add it to my older configs?
  8. Yesterday
  9. Hi. Got a port forward service, and when I try to install it on my Synology 216play, it says bad or old certificate. There is no problem if I install the normal VPN service. I have tried to make changes in the OVPN file but no luck. Do I need another certificate to port forward?
  10. Support

    outlook 2016 can't connect with VPN

    I think the real issue is that some shared IPs are blacklisted by mail services and so will likely not work on most services they offer; occasionally you may reboot or restart the app and end up with a different IP that is blacklisted.
  11. 107787_1511348140

    outlook 2016 can't connect with VPN

    Ummm... yes, it's still happening. It turns out every time Microsoft do something I think it's sorted, it keeps coming back after a reboot. Currently at L3 Microsoft support, hasn't hit dev level yet; at least they are taking it seriously.
  12. Last week
  13. Parsley

    New server location suggestions

    Hi, Would be great if you could add more servers and options in Melbourne or Hobart, especially as it's getting very crowded in these areas! Appreciate all that you guys are doing!
  14. tumbleweedsxm

    request for new service

    Hello. I would like to request a new Residential IP (Canada), please, as well as some more Residential IPs for other parts of Europe. Thank you in advance for your consideration of my request.
  15. Earlier
  16. I'd also like an official response. A canary would be a logical move now.
  17. Steve Maschue

    Use of Torguard VPN with Banks

    Thank you! Yes, I have no problem with Chase either. Only Citi and BA, and I've canceled my BA account. I have encountered problems with other businesses though. I understand the banks believe they have good security reasons for blocking connections from VPNs and that more banks and other businesses may start doing the same thing. So it may be a trend. Businesses don't want to be blamed for bad security practices, but at the same time, they are forcing customers to use less-secure connections. So if a customer gets "hacked" in some way, it is the customer's fault for not using a secure link -- not the business's fault. My question is: "How does the bank know I'm connecting through a VPN?" If I connect through a VPN server in LA, how is that different from me being in LA and connecting through a wifi link there? Is there a "blacklist" of IP addresses for VPNs? Are all of Torguard's IP addresses on that list? Or is there some other characteristic of the VPN connection that banks or other businesses can detect to recognize it is coming from a VPN?
  18. I've tried the 3.95.1 client on two different Windows 10 (1809) machines. On both, TorGuard starts making a connection, but never completes it. I'm using Protocol UDP, Cipher BF-CBC, HMAC SHA256, and PFS/TLS Yes/v1.2, with the Atlanta and New York servers. P.S. - I wish there were a lot more advice on how to choose among the various options.
  19. rfajman

    Use of Torguard VPN with Banks

    I also have the problem of Citibank not allowing me to connect while I am using the Torguard VPN. I don't use Bank of America, but have no problems with other banks or credit cards, such as Chase, American Express, Synchrony, Elan, and Discover. I also do not have the problem with my local bank. It is possible to bypass the problem with a static route (route the site's IP address to your external IP address), but, of course, you lose the protection.
  20. LochyMacleod

    Application only VPN

    I WILL NEVER STOP BUMPING THIS THREAD
  21. Farrapo

    New server location suggestions

    +1 for Argentina.
  22. Greetings! New to the forum and happy to be here! I would like to know, when you go to select the configuration file during setup in the "Setup OpenVPN on ASUS Stock Firmware" guide, whether I can use my dedicated streaming IP which was assigned to me? Thank you.
  23. RyDze

    Use of Torguard VPN with Banks

    TorGuard works fine for accessing my online banking; I have never had issues. Logically it is best to access your online banking from a VPN IP in whichever country you reside in. So for example, if you lived in the USA it would be best to access your online banking via a USA VPN IP. Accessing your online banking from foreign countries via VPN may cause issues with your online banking due to them thinking the account security may be compromised.
  24. john1

    Use of Torguard VPN with Banks

    If you use a 50% off code and pay for a year at a time it is only $27.50. I'm curious about the snooping myself.
  25. Support

    outlook 2016 can't connect with VPN

    Thanks for letting us know
  26. Support

    IOS app update timeline

    Hello, There is an iOS update coming very soon - it's not too far off completion. Are you able to send a screenshot of what you see? Thanks, Regards
  27. Steve Maschue

    Use of Torguard VPN with Banks

    Thank you! I did not know about this option! I did find it on the TorGuard website for an additional $8/mo. That sounds expensive when added to the cost of the TorGuard Anonymous VPN service. The other VPN services provide anonymous VPN and say they work with banks at a price lower than TorGuard's combined price. Also, if I have a residential IP, would I still be protected? It appears the IP addresses are associated with Time Warner or Cox. Would those ISPs be able to snoop on my link? Would they be able to find out who I am? Or would it still be an anonymous connection?
  28. otto38dd

    IOS app update timeline

    Hi. Is there any update on this? Since the latest iOS upgrade, VPN tunnels display an error and crash when the screen locks. Thanks, otto38dd
  29. When I enable or disable TorGuard VPN, my NlaSvc (C:\Windows\System32\svhost.exe) is trying to communicate with msftncsi.com, remote port TCP 80 (HTTP), and DHCP client (C:\Windows\System32\svhost.exe) is trying to communicate with a remote site (10.32.0.6), local port UDP 27036. The VPN seems to work fine no matter whether I deny or allow them via ESET NOD32 or do nothing. But what should I do?