Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

This post will describe what hardware to buy & how to configure it so that you have 2 wireless networks in your house: One that seamlessly forces all of the traffic on that network through a VPN--and one that connects to the Internet normally . When finished, the internet activity for any device connected to the first network will be entirely encrypted so that the ISP cannot see which websites are visited*, what software you use, and what information you send & receive on the internet.

* Assuming your config doesn't leak DNS; see improvements section

Update 2017-08-25: Added "kill switch" firewall rule that prevents LAN traffic from escaping to the ISP unless it passed through the VPN's vtun0 interface first. Following this change, if the VPN connection is down, the internet will not be accessible (as desired) over the 'home' wifi network (without this, the router bypasses the VPN by sending the packets straight to the ISP--giving a false sense of privacy).

Update 2021-02-01: Fixed GitHub URL of cryptostorm's free OpenVPN configuration file
Update 2021-02-14: Fixed GitHub URL of cryptostorm's paid OpenVPN configuration file

Update: I wrote this guide in 2017. It's intended for an audience that has knowledge of *nix, Networking (DNS, firewalls, NATs), and OpenVPN.
I highly recommend Ubiquiti equipment for enterprise, home-office, or power users who want quality hardware running their WiFi networks. If you specifically want to setup a dual-SSID (one with whole-house-VPN) using Ubiquiti equipment, then keep reading.
However, if you just want a simpler-to-setup whole-house VPN where the VPN can be toggled with a hardware switch, then you might want to buy a whole-house VPN wireless router from GL.iNET instead.
You can buy a GL.iNet Slate Gigabit VPN Router for about $50 new.
Buy the GL.iNet Slate Gigabit VPN Router on Amazon

In April 2017, Trump signed Bill S.J.Res.34, which repeals the Broadband Consumer Privacy Proposal from October 2016. This enormous step backwards permits anyone's ISP to sell their Internet activity. The EFF put it best:

companies like Cox, Comcast, Time Warner, AT&T, and Verizon will have free rein to hijack your searches, sell your data, and hammer you with unwanted advertisem*nts. Worst yet, consumers will now have to pay a privacy tax by relying on VPNs to safeguard their information.
source

This post will describe how to setup such a VPN in a seamless manner. Your router will automatically relay all your traffic to your VPN provider. The devices themselves don't require any special configuration. All your ISP will see is a bunch of useless encrypted data on its way to your VPN provider.

Why not VPN all-the-things (cough Netflix)

Not only will your ISP see traffic going to your VPN provider, the site you're accessing will also see your traffic originating from your VPN provider. Because VPN providers are sometimes used by customers to bypass geolocks (and, indeed, you'll be able to choose which country/region you'd like your traffic to "originate" from using this config), many services (ie: netflix) simply block any customers whose traffic originated from a known VPN network.

Another reason you may choose not to use a VPN is for applications that require low-latency. For example, video games.

For the above reasons, you'll be able to connect to the wifi network "home-clear." Traffic on this wireless network will be sent out of the router in "cleartext" to your ISP, skipping the encrypt-and-send-to-vpn step.

This solution is achievable with lots of different hardware, but I'm just going to describe the hardware I used. If you found a way to achieve the same results with different hardware, please post your devices & configuration in the comments 🙂

Here's a couple posts on doing Whole House VPN using CryptoStorm with ddwrt & tomato:

Router

The router we choose for this guide needs to be a general-purpose router with DHCP & DNS servers, but it also needs to support VLANs, firewalls, and be able to run an OpenVPN client. It should also be well-built with sufficient RAM & good reviews--unlike many cheap dlink/linksys consumer-grade routers.

Steve Gibson (Security Researcher, host of Security Now!) has often recommended the Ubiquiti EdgeRouter X (ER-X) for its VLAN support, thereby allowing segregating IoT devices from the rest of the network. It's a cute, small, 5-port router running EdgeOS--which is a fork of Vyatta, which was based from Debian (squeeze).

You can buy an ER-X router for $50-$150 new.

Buy the Ubiquiti EdgeRouter X on Amazon

Access Points

Probably the most popular small-business-grade APs available today are the Ubiquiti Access Points. I recommend the Ubiquiti UniFi AP AC Lite, as it supports both 2.4 & 5 Ghz.

You can buy this Ubiquiti AP for $80-$100 new.

If you have a very large area to cover, you might need to get a few of these (but know that Ubiquiti APs have much better coverage than your typical consumer-grade APs)

Buy the Ubiquiti AP AC Lite on Amazon

Why brick-and-mortars + Cash are good

Oh, and expect delays when shipping these devices so the FBI can intercept the device & install spyware on it.

"People go, 'Oh, well, the CIA’s not gonna be breaking into my house, right?' And that’s actually true.
...
What they do is they wait for when these devices are being shipped to you, when you order them on Amazon or whatever. They go to them at the airports. They get the box. They use a little hair dryer to soften the adhesive. They open up the box. Then they put the USB stick in. They seal the box back all nice and perfect, and then they ship it on to you. And now your router, your computer, your TV is hacked. This is a very routine thing that happens"
-Edward Snowden on Intercepted "Snowden vs. Trump" 2017-03-15
source

...I recommend buying these devices at a brick-and-mortar for cash.

Let's describe how these devices will be configured.

Physical Ports

The ER-X has 5 physical ports: eth0, eth1, eth2, eth3, & eth4.

In this config, eth0 will be WAN (the ethernet cable will connect to the ISP's modem).

VLAN

In addition to switch0 made up of physical ports, we'll create a switch0.30 on a VLAN tag=30. We will configure the Access Points to tag packets from clients connected to the 'home-clear' SSID with VLAN tag=30 so the ER-X router puts them in switch0.30 under a distinct subnet. Clients connected to the 'home' SSID will have untagged packets; they will be using switch0.

SSIDs

We will have 2 SSIDs:

'home' All traffic on this wireless network will be forced out to the VPN
'home-clear' All traffic on this wireless network will be sent out normally in "cleartext"* to the ISP

* If you're using end-to-end encryption (ie: https), the ISP will only be able to see where you're sending your traffic. The payload of your packets will still be encrypted when sent to your ISP.

Subnets

We will have the following subnets:

192.168.1.0/24 LAN for 'home' wireless & hard-wired clients for traffic destined to the VPN
192.168.30.0/24 VLAN for 'home-clear' wireless for traffic destined to be sent straight to the ISP, not the VPN
10.56.0.0/16 VPN network. This may change at cryptostorm's discretion

And, once finished, the routetable should look something like this

admin@ubnt:~$ ip r0.0.0.0/16 dev vtun0 proto kernel scope link default via 98.X.X.1 dev eth0 proto zebra 10.56.0.0/16 dev vtun0 proto kernel scope link src 10.56.0.3 98.X.X.0/24 dev eth0 proto kernel scope link src 98.X.X.X192.168.1.0/24 dev switch0 proto kernel scope link src 192.168.1.1 192.168.30.0/24 dev switch0.30 proto kernel scope link src 192.168.30.1

DHCP

Our router will have two DHCP servers:

192.168.1.0/24 LAN
192.168.30.0/24 VLAN

Additionally, the router will be a DCHP client for getting IP addresses for two interfaces:

eth0 ISP WAN
vtun0 VPN

DNS

Our LAN & VLAN subnets will be configured to use OpenDNS nameservers:

208.67.222.222
208.67.220.220

This is less than ideal (DNS usually is), but generally not an issue as OpenDNS can only log DNS lookups originating from cryptostorm's servers. See improvements section for more information.

Firewall

We will create a firewall rule for the LAN subnet to use a distinct route table that sends traffic out on vtun0.

We will also create a "eth0 out" firewall ruleset that will drop by default & only allow outbound traffic that's either [a] established/related, [b] originating from the vpn's vtun0 interface, or originating from the vlan = the 'home-clear' wifi network.

In my personal searches, I feel the most transparent & trustworthy vpn service today is cryptostorm. I am in no way affiliated with cryptostorm.

For testing before buying, cryptostorm provides cryptofree--a free version of their service that's capped at "about 160kbps down, 130 kbps up." This guide will use cryptofree's configs so you can play before you buy. Later in this guide I'll describe how to update your OpenVPN config to use purchased cyrptostorm tokens that are uncapped.

Cryptostorm offers VPN service only using OpenVPN, which is supported by the ER-X.

This section will describe how to configure each network device

Router

The first thing we're going to setup is your router. In this section, we'll assume you're using the Ubiquiti EdgeRouter X (ER-X).

Connect

After unboxing your router, plug in the power adapter, and connect a patch ethernet cable between your computer and the router's eth0 port. Set your computer to use a static IP address on the 192.168.1.x subnet, such as 192.168.1.100 (gateway=192.168.1.1 & netmask=255.255.255.0).

Connect to the router's web UI by typing 'https://192.168.1.1' in your web browser. Unfortunately you'll have to accept an exception for the router's self-signed https certificate. TOFU yall.

Update Firmware

At the time of writing, the latest firmware is v1.9.1.1, but my router did not come with the latest firmware. Before you begin to configure your new router, you should make sure you update to the latest firmware.

To determine your current firmware, check to top-left of the web UI. It should say "EdgeRouter X v1.9.1.1" or similar.

To determine the latest available firmware version, check Ubiquiti's downloads page for the EdgeRouter X. If necessary, download the latest firmware, then navigate to System -> Upload System Image to update the router's firmware.

I also recommend downloading the Edge OS User Guide, which is an invaluable reference when working with your router; it is a great supplement to this article if you get stuck.

Wizard

After you've verified that you're running the latest firmware, we can setup the router by connecting it to the WAN (Internet) on eth0, configuring eth[1-4] as a LAN switch, and setting up DHCP & DNS. The easiest way to set this up is to go to Wizard -> WAN+2LAN2 in the web UI.

The default options should be fine--except you'll want to click "Create new admin user" at the bottom. Type 'admin' for the 'User', and enter a new username & password under the "User setup" section. Be sure to use a good, long passphrase.

Click 'Apply'. The WUI will warn you.
Click 'Apply Changes'. It should say 'The configuration has been applied successfully'
Click 'Reboot'. It should say "Are you sure? Your network will be temporarily unavailable while your router reboot"
Click 'Yes, I'm sure'

Verify

While your router reboots, do the following:

Change your computer's network configuration from static back to dhcp
Unplug the ethernet port from the router's eth0 port. Replug it into eth4

Your computer should get an IP address.

Now, go to 'https://192.168.1.1' in your browser, and login with the 'admin' account created through the wizard above.

If you can login successfully, then plug-in the ethernet cable coming out of your modem into your ER-X's eth0 port.

Wait a few minutes, and verify that [a] your router has an Internet IP address for eth0 and [b] your computer has Internet access before proceeding.

Access Points

This section will describe how to setup your Ubiquiti Unifi Access Points (APs) to have 2 separate wireless network SSIDs. One of these will be on a separate vlan. We'll later configure the router to send this vlan traffic directly to the ISP, rather than to the VPN.

For brevity, I will only describe how to configure only 1 AP, but most setups will have >1 AP, and it's trivial to apply the knowledge for subsequent APs.

Power

After unboxing your Ubiquiti Unifi AP, attach one end of an ethernet cable into the Access Point and the other end into the POE adapter on the side labeled "POE". Take another ethernet cable and attach one end into the side of POE adapter labeled "LAN" and attach the other end into the router's port eth1.

Now, plug in the power cable for the POE adapter. The Unifi AP should power-on.

Controller Software Install

Unifi APs don't have a built-in WUI. Instead, you need to run a Unifi Controller server, which can be run on Mac, Windows, or Linux. I installed the debian package on Ubuntu, but it may be easier to blow the dust off an old laptop in the closet, install windows on it, and use that as your Ubiquiti Controller. Make sure you download the latest version of the Controller software.

After your controller is installed, you can access it in the browser on port 8443. For example, I'm running the Controller locally on my linux laptop, so I type 'https://127.0.0.1:8443' into my browser. Again, you'll have to accept adding an exception to your browser for the Controller's self-signed certificate.

Controller Software Configuration

Before proceeding, with the AP's config, go to Settings -> Site in the Controller WUI. Set a Username & Password for the "Device Authentication" section. Be sure to use a good, long passphrase.

Now, create your 2x SSIDs by going to Settings -> Wireless Networks in the Controller WUI.

Add AP

Browse to the "Devices" section of the Controller WUI. You should see your AP. Click the "Adopt" link on the right.

When the node is finished provisioning, you should be able to connect to your network over wifi. Finally, you can unteather yourself, brew a cup, and recline in a nice comfy chair to finish the config wirelessly.

Upgrade APs

Before exiting the controller software, check to see if your AP has an "UPGRADE" available. If so, go ahead and update their firmware by clicking the button.

ER-X OpenVPN Client Configuration

Unfortunately the ER-X doesn't have a GUI for configuring an OpenVPN client (note that this router also supports setting up an OpenVPN server, so that you can securely connect to your home network when you're away--this is distinct from the OpenVPN config we're implementing in this article).

To create a virtual tunnel interface that sends encrypted traffic to cryptostorm (or another vpn provider) on the Ubiquiti EdgeRouter-X, we must do so from the command-line. This guide assumes you're running ubuntu linux, but any OS with an ssh client should work.

Add Cryptofree Config Files to ER-X

First, ssh into your ER-X router using the same username & password you use to login to the WUI

ssh admin@192.168.1.1

Now, create the vpn connection. Note that cryptofree is free, so the username & password don't matter-ish. They do need to be set, but they can be set to anything.

cd /config# create bogus passwords fileecho -e "bogusUser\nbogusPass" > /config/cryptofree_pass.txt# download the cryptofree openvpn filecurl -O https://raw.githubusercontent.com/cryptostorm/cryptostorm_client_configuration_files/master/cryptofree/cryptofree_rsa-udp.ovpn# add our password file to the configsed -i '/auth-user-pass/d' cryptofree_rsa-udp.ovpnecho "auth-user-pass /config/cryptofree_pass.txt" >> cryptofree_rsa-udp.ovpn# Add route-nopull so we can setup our routes, not the server. This is# necessary since cryptstorm wants all our traffic to them, but in-fact we want# some traffic to rote to the ISP (our vlan on the 'home-clear' wifi network)echo "route-nopull" >> cryptofree_rsa-udp.ovpn# add openvpn to er-x configconfigureset interfaces openvpn vtun0 config-file /config/cryptofree_rsa-udp.ovpncommitsaveexit

After the 'commit' step above, your router will create a vtun0 interface & connect to the VPN. 'save' makes it persistent across reboots.

Masquerade for vtun0

Back in the router's WUI, click on the 'Firewall/NAT' -> 'NAT' tab.

Click 'Add Source NAT Rule'
For 'Description', type 'masquerade for VPN'
For 'Outbound Interface', select 'vtun0'.
Check both 'Use Masquerade' and 'All protocols'
Click 'Save'

You should now be connected to the VPN, even though no traffic is forced through it yet. Let's set that up now.

Force traffic through VPN

Finally, let's setup [a] our LAN to use a new firewall rule SOURCE_ROUTE, [b] the SOURCE_ROUTE firewall rule that uses a custom route table 1, and a custom route table 1 that forces all traffic out to the ISP modem.

Unfortunately, I haven't found a good way to do all these things through the GUI, so hop back to the terminal & type the following into the router's CLI over ssh:

configureset interfaces switch switch0 firewall in modify SOURCE_ROUTEset firewall modify SOURCE_ROUTE rule 1 description "traffic from LAN goes through VPN"set firewall modify SOURCE_ROUTE rule 1 modify table 1set firewall modify SOURCE_ROUTE rule 1 source address 192.168.1.0/24set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0commitsaveexit

Congrats! All your traffic should be flowing through the VPN. Now let's setup that second wifi network & fix DHCP.

Create Switch0.30

To create a new switch for the VLAN traffic coming from the 'home-clear' wifi network, go the the "Dashboard" tab of the ER-X WUI, and click "Add Interface" -> "Add VLAN"

For "VLAN ID", type '30'
For "Interface", select 'switch0'
For "Description", type "home-clear"
For "Address", select "Manually define IP address", and type "192.168.30.1/24"
Click "Save"

Your Dashboard should now show "switch0.30" in the list of Interfaces.

Create DHCP Server for Switch0.30

Because we created a distinct subnet for our VLAN, we need to create a distinct DHCP server for the 192.168.30.0/24 network. To do so, Click the "Services" tab in the ER-X WUI.

Click "Add DHCP Server"

For "DHCP Name" type 'VLAN'
For "Subnet" type '192.168.30.0/24'
For "Range Start" type '192.168.30.2'
For "Range Stop" type '192.168.30.254'
For "Router" type '192.168.30.1'
For "DNS 1" type '208.67.222.222'
For "DNS 2" type '208.67.220.220'
Click "Save"

Change DNS Servers for LAN

Let's also update the DNS servers for our LAN to use OpenDNS, so that we're not calling back to the ISP from our VPN (which actually may not work at all).

For the "LAN" DHCP Server, click "Actions" -> "View Details"

Erase the contents of "DNS 1" and "DNS 2"
For "DNS 1" type '208.67.222.222'
For "DNS 2" type '208.67.220.220'

A VPN Kill Switch is a mechanism to prevent your Internet traffic from flowing directly to your ISP when it's expected to be flowing through a VPN first. The "kill switch" will essentially shut off your Internet access if your vpn tunnel experiences connectivity issues, rather than send your packets straight to the ISP (bypassing your VPN).

To create the VPN Kill Switch go to "Firewall/NAT" -> "Firewall Policies" in the Controller WUI.

Click "Add Ruleset"
For "Name" type 'WAN_OUT'
For "Description" type 'Internal to WAN'
For "Default Action" choose 'Drop'
Click "Save"

After saving, edit the empty ruleset by clicking "Actions" -> "Edit Ruleset" on the new "WAN_OUT" line.

Click "Add New Rule"
For "Description" type 'Allow established/related'
For "Action" choose 'Accept'
Click the "Advanced" tab
Check the "Established" checkbox
Check the "Related" checkbox
Click "Save"

Click "Add New Rule"
For "Description" type 'Drop invalid state'
For "Action" choose 'Drop'
Click the "Advanced" tab
Check the "Invalid" checkbox
Click "Save"

Click "Add New Rule"
For "Description" type 'permit vlan to bypass vpn'
For "Action" choose 'Accept'
Click the "Source" tab
For "Interface Network" choose "switch0.30"
Click "Save"

You should now see the following summary of the 3 rules created above

Click the "Interfaces" tab
For "Interface" choose 'eth0'
For "Direction" choose 'out'
Click "Save Ruleset"

Click the "x" to close the "Ruleset Configuration for WAN_OUT" window. That's it! Your router's vpn kill switch is setup.

Note that (because of the firewall rules created earlier) it is not necessary to create a rule in this ruleset specifically for the traffic with source = vtun0.

Congrats, you've finished setting up the Netflix-safe, Whole House VPN on your router! To verify that it works:

Connect to the 'home-clear' wifi network & google "whats my ip geo" to find a website that will tell you the Internet IP Address that they see + where they think you are geographically located. Write down the results.
Connect to the 'home' wifi network & visit the same site as above. Compare your results.

My favorite website for this is currently ifconfig.co--which can also be used with curl on the command line.

If the results differ on both networks, then you're all set! Note that cryptofree currently routes out through France at the time of writing.

This section will describe how to update your config if you decide to purchase a token for uncapped connections to the CryptoStorm VPN service.

After you pay for your subscription to CS, they will display for you (and email you) your new token. According to CS, they keep no records of this token being offered. And to further obfuscate your identity (by decoupling [possibly anonymous] payment information from OpenVPN authentication credentials), your OpenVPN credentials consist of a strong, cryptographic hash of the token that CS gave you. This hashed token is your username. Your password can be anything (their guide recommends 'password', so that's what we'll use here).

In this example, the token that CS gave you after payment is 'CHANGEME'. You should change this to the token they gave you. The part that says 'password' (as explained above) should be kept as 'password'.

First, store your CS hashed token to a file on the router. Run the following on the CLI of the router via ssh:

echo -n 'CHANGEME' | sha512sum | awk '{print $1}' > /config/cryptostorm_pass.txtecho 'password' >> /config/cryptostorm_pass.txt

Next, download & configure the cryptostorm openvpn config for linux udp. Note that this is different from the cryptofree config. Also note that if you poke around the git repo, you can choose which geo-regional exit nodes you want to use.

Run the following on the CLI of the router via ssh:

cd /configcurl -O https://raw.githubusercontent.com/cryptostorm/cryptostorm_client_configuration_files/master/rsa/Balancer_UDP.ovpnsed -i '/auth-user-pass/d' Balancer_UDP.ovpnecho "auth-user-pass /config/cryptostorm_pass.txt" >> Balancer_UDP.ovpnecho "route-nopull" >> Balancer_UDP.ovpnconfiguredelete interfaces openvpn vtun0set interfaces openvpn vtun0 config-file /config/Balancer_UDP.ovpncommitsaveexit

This section will describe what this solution does not provide and some ways it could be improved.

Not a suitable replacement for TAILS

Unfortunately, there's no 'security' button on your keyboard. Not only is nothing 100% secure, but this Whole House VPN solution is necessarily far from achieving an acceptable amount of privacy for many users.

If you are an investigative journalist, activist, or political dissident looking to safely browse the internet without being tracked by an oppressive regime, this solution is not for you. If you're concerned that an adversary having access to your Internet activity could cause pain, suffering, or loss-of-life, then you should not trust this system to protect you. Instead, you should use TAILS.

If, however, you're afraid that Verizon, AT&T, Comcast, Time Warner, or Cox will be selling your queries to WebMD about Rheumatoid Arthritis, and you have a legitimate fear that your future insurance prices will rise because of it, this solution may help you. But you probably should still use TAILS if you are especially concerned about it.

DNS Leaks

I haven't yet put an sniffer between the router & the modem to see if DNS queries are escaping from the regular (non-vlan) network in cleartext. The goal is to have all packets, including DNS, be encrypted & sent to the VPN server, decrypted by the VPN server, and then passed to the DNS server. Even if we're using ordinary DNS (instead of, say, dnscrypt), the DNS server should only know that a cryptostorm user did a lookup for a given domain name.

The fear is that the DNS query gets passed to the router, which sends it to the ISP's DNS servers instead of through the VPN tunnel. This would tell the ISP which websites we're going to and when. This metadata alone is significant, and could lead to death in an opressive regime.

Bandwidth & Latency Results

This setup does meet my requirements, and I'm going to keep it.

However, I was shocked how poor my bandwidth was using cryptostorm. I changed my openvpn config to use a cryptostorm server that was less than a few hundered miles from me. I also switched to using openvpn over udp, which helped.

Overall, I got great latency of ~20 ms.

But my bandwidth on my actual 100 Mbps up & down fiber line couldn't break 15 Mbps. For a VPN service that caters to torrenters, this was a big let down. That said, I couldn't detect a decrease in "usage performance" when just browsing the web. You'd notice it when downloading ISOs for your favourite linux disto, however.

If you'd like to learn more about the background of this article, I recommend the following additional resources:

: Ephemeral Firefox as a Site-Specific Browser (3/3)

: WordPress Multisite on the Darknet (Mercator .onion alias)

: Tor->VPN in TAILS to bypass tor-blocking

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!) - Michael Altfield's Tech Blog (2024)

Why not VPN all-the-things (cough Netflix)

Router

Access Points

Why brick-and-mortars + Cash are good

Physical Ports

VLAN

SSIDs

Subnets

DHCP

DNS

Firewall

Router

Connect

Update Firmware

Wizard

Verify

Access Points

Power

Controller Software Install

Controller Software Configuration

Add AP

Upgrade APs

ER-X OpenVPN Client Configuration

Add Cryptofree Config Files to ER-X

Masquerade for vtun0

Force traffic through VPN

Create Switch0.30

Create DHCP Server for Switch0.30

Change DNS Servers for LAN

Not a suitable replacement for TAILS

DNS Leaks

Bandwidth & Latency Results

Related Posts

References