cryptostorm's community forum

I have a similar problem on all pay nodes with my Aleph token.

All pay nodes tell me "Auth rejected". Sometimes I can connect for a couple of minutes until it drops with Auth rejected. CryptoStorm is (apart from the free node) unusable for me right now.

Because Twitter is banned with cryptofree I cannot create an account to tell the team. May somebody be so nice to direct the attention of the Twitter-CS-God to this thread? Thanks!

Let me salute the CS-Team as well! You've always done a terrific job in my book. And the few times where things went sideways it wasn't because of you being ignorant or negligent but because there is only so much a small team of human beings can do with the limited resources they have. I sometimes may use harsh words or get on your nerves but its always to spur you on and to highlight an issue I identified as being important even if it wasn't important in the end. I was more than once proven wrong by you guys and still you were always nice and supporting about it. I learned a lot from you guys not only about VPN security but also about being open minded and determined. It's a shallow saying but: KEEP IT UP! You and many community members on this forum are the only people I really trust on the internet. You are the best community in the world!

I know I went very silent and I only speak up when the situation requires it. This doesn't mean I lost 1% of my love for the team or the community. I'm still there just more as an observer than an active participant.

Also let me give a small salute to PJ as well. For a guy I never met in person I really care for him and I'm saddened about his condition. He is the one who got me hooked with CryptoStorm and I always liked to read his book-sized ramblings on the forums or in the blog. The genius is often just one step away from being a madman. At least this is how I picture PJ. Be it true or not.

I never watched Star Wars but this cracks me up: ___and even more___

Hello everyone,

it's good ol' uncle DesuStrike and I've got a little "present" for everyone who wants things to be a tad more secure than the CryptoStorm standard. (Which is the most secure out there already so this is for my fellow tinfoil heads. <3)

Basically I'll give you my personal config files (based on df's most recent release) which are slightly modified to work without DNS. This makes it possible to use as strict as possible iptable config files (which I will upload as well) and thus effectively preventing any kind of leaks may it be DNS or even worse.

In short: My setup makes sure that your computer only can talk to the local network and to the CryptoStorm exit nodes. EVERYTHING ELSE IS BLOCKED.


What you need:

- A debian based Linux (though others might work as well)

- OpenVPN (Duh! sudo apt-get install openvpn)

- Persistent iptables (sudo apt-get install iptables-persistent)

- A file named "password" with your hashed CryptoStorm token and a random password (I'll add a template)


Howto:

1. Place ONE (1!) of my config files with your desired exit node into /etc/openvpn/
(You need root permissions for that, so use "sudo cp" command.)

2. Place the password file with your credentials already added into /etc/openvpn/

3. Install persistent iptables and exchange the rules.v4 in /etc/iptables/ with my version.

4. Restart your system

5. Enjoy your private internets!

Tinfoil Bonus:
For even more snuggly tinfoil follow dfkt's awesome firefox about:config tweaks at: https://github.com/dfkt/firefox-tweaks/ ... er/user.js (not all of this is privacy related and some can break your browsing experience so use with care!)

PS: I had to rar everything because the forum doesn't like unknown or no file extensions.

It's situations like these when I'm sad that I'm not gay because I fucking love you Taelc! (wtf am I talking?! )

I knew the router was not up to the task but this looks like it could handle connections up to 50MBit/s (at least according to my own experiments with different hardware).

Stupid idea here: I don't want to steal this from somebody else who dearly needs a setup like this but I'd like to hit you up with a small thank you donation. (especially because df and pj still ignore my donation requests. ) I still owe you somehow anyway.

Contact me via private message if you are not shy to accept.

Hey df!
Thanks for fixing this real quick as always!

This analysis is so badass! Nice work!

The other kind of torrent "tracker"...

I'm sorry I kinda developed into a jack in the box of unpleasant surprises: popping out of nowhere rubbing salt into hidden wounds.

Anyways: Love you guys! Always will be. Wish I had more time to hang around here.
Please see the attached picture about a problem I found with IP Magnet. Thanks!

Cash in snail would be nice but I don't trust it to reach our friends at cs when send around half of the world.

Also I don't know how safe it is for our friends to regularly go to the same post box to collect money. If I was Uncle Sam I would lay low near the box and hit as soon as somebody opens the box.

I see no thread about the new forum design... or maybe I'm just blinded by the bright baby blue background. Please move this post into the right thread if there is one and I just missed it.

I really like the new design as it fits the main page. It is (like always) unusual regarding the colour choices but by now this has become a trademark (evil word) of CS and I love it.

Everything is pretty huge (avatars, text, etc.) but I think it's just unfamiliar and you can adapt to it.

I like that you now see the avatar of the last user posting in a thread. This really helps with orientation IMO.

All in all: Thanks for this pretty style upgrade!

Congrats from me as well! Better late than never, eh? ;P

Let me give some of that praise right back at you. Yes I know and I'll never forget. Others might consider this a little thing but for me it also was a "faith in humanity restored"-moment. Or maybe now I just know who I can trust and where I can find them.

Also don't worry too much about inactivity. I must admit to my own disappointment that I probably have the grand lead position in the department of work caused inactivity. You did your part well and faithfully. Get your live in balance again and when you feel ready just come back. I was welcomed back several times and you will as well. Maybe I just take your temporary leave as a call of duty for me.

Hope to see you again soon, friend!

df wrote:I'm probably wrong, but I think these lines will allow leaks:

Code: Select all

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"

Shouldn't this be mitigated by enforcing a set of DNS IPs on the client and telling it to disregard any DHCP pushed DNS?

df wrote:I just updated the list, replaced the old mishigami IP 167.88.9.27 with the new 198.204.245.2 one, and added the new singapore IP

Thanks for keeping this list recent. Work got hold of me again and I appreciate all the help the community helpers and/or admins can provide in keeping these howtos up2date. My only request: Please don't change the overall layout of things and especially don't change my personal choice of words like "United States of NSA" or "Mother Russia".

This is all. Thanks and keep on being the most awesome people on the internets!

I'll add this notice to all my howtos and reference charts.

Client isolation is a very important topic also for "Guest" WIFI access points, if you run one.
But it is indeed strange that OpenVPN allowed such a thing even with the feature disabled. O.o

Thanks to OkayKappa for being such an observant member of the community and reporting his finding!
+
Thanks to df for being quick with a fix!

I probably know whats wrong:
In the plaintext password file you need to put the token in the first line and some random characters in the second line. The token alone isn't enough!

For example:

Merkle-Damgard wrote:DesuStrike, can you please update the list to include St. Petersburg too?

Thanks

Thanks for reminding me to update.
Done!

New exit nodes become a somewhat double edged sword to me. I'm happy about every new node but since Turing it's also coupled with a sad and tragic story of individuals from the past. Nonetheless I welcome this new direction for naming exit nodes. While most of the cryptostorm community use this project for "normal" privacy needs or participating in sharing, there are probably many (too much...) that need a trustworthy VPN to not getting thrown in jail for doing what they feel is right and necessary. I like the idea that those community members can use exit nodes named after great individuals that either fought for their cause, were prosecuted for their ideals or simply were victims of the system they lived in. (I already said this about Turings node:) I can't think of a better way to salute and honor those great individuals. Even though I'm not religious I still catch myself imagining how they might smile from above knowing that their name now protects others who try to make a change or simply want to live free. And I also smirk at the pissed of faces of those who try in vain to catch those using these exit nodes.
They can't catch anyone because Turing and Laika are protecting them. :')

We had a great discussion about Sealand and it's history on IRC some time ago. Sealand has a history fit for a blockbuster movie but in the end the "King" of Sealand is loyal to the british crown and thus there is no advantage whatsoever to build an exit node on Sealand.

In the end I thing Cuba would be a way bigger troll to pull off but money is too valuable to waste it on troll actions.

The guest System pretty much makes polls useless. Faking is always possible with multiaccs but right now it's a piece of cake.

Oh boy what a great start for a service that basically provides me with a browser I enter all kinds of sensitive information to. And I mean this for both: The guys that got their database stolen and the guy that now runs the other service.

I kept away from this because I shudder from the simple fact that this is afaik a browser as a service and not "only" a web proxy. At least this is what their websites description suggests by saying they render the website on their system, etc. :S

EDIT: Also ammune seems to be pretty slow. (Just did a test on my "Icky-Stuff VM")

EDIT2: Also seems to fail at hiding real browser information and other fingerprinting relevant stuff. Will do some more testing asap.
EDIT3: It seems to hide at least some but afaik not all identifiying bits. Although it could be that it just accidentally uses some parameters I use myself.

Tealc wrote: its lead from the Soviet Union rather than the European Union

This part actually made me go and look how they call Belarus in German because I don't know this name: Weißrussland (White Russia)
I actually know this country by it's German name and afaik it's widely known to be "the last dictatorship on the European continent" after the almost recent fall of the Spanish Franco Dictatorship.

Looking at the current course of things in Europe this classification is pretty ironic of course but it's funny how well the country reflects it's German name. I wonder what Belarus/Weißrussland calls itself in its native tongue. Afaik they have their own language although Russian is the second official language.

[youtube][/youtube]

I'm torn between Russia and Poland.

marzametal wrote:Damn RAS, falls on its ass in the same way that FireGloves did... it cannot properly mask timezone and screen resolution...

AFAIK Secret Agent was able to do that but it was very lacking in all other regards RAS is covering very well. Also with Javascript active you always can read out the system time anyways thus creating pretty unique mismatches. You can test those on whoer.net for example.

All in all the virtual machine thingy probably is the best solution possible to this date. In my opinion we only need to find a way to run and display it directly inside the browser so you don't create an "application break point" that disrupts work flow.

I remember this from my windows days. I don't know why but creating virtual network adapters in windows sooner or later will result in this situation. (Tested on WinXP and Win7) Especially when you use different software that each create their own virtual adapter or software that regularly removes and creates new virtual adapters with every start or every update of the software. (Don't ask me why the latter is necessary...)

The problem basically is that either Windows or lots of these software sometimes fail to remove the v-adpaters correctly and then just create a new v-adapter next to the existing one. Use these apps long enough and those "ghost adapters" will pile up eventually. The normal user usually doesn't look into their network manager regularly so it often has time to reach gigantic numbers before noticed.

The worst of them all was HAMACHI, a (vpn) software that many gamers use to play LAN-Multiplayer/CoOp over the Internet. There are other competitors out there nowadays but I didn't use such software for years so I can't tell you their names. Hamachi was especially pestering because for some reason I couldn't even force remove the v-adapters created by it.

I also heard that some "remote assistance" software (e.g. TeamViewer) nowadays uses VPN to do file transfer or whatever.


I'd suggest to ask the persons affected if they use either of these software categories to rule out any third party software involved. Though I wouldn't be surprised if Windows itself is the culprit after all because even the Cisco VPN client once did this to me and I had no other VPN installed on the device at this time...

The forum now supports embedding of video links from (allegedly) every video site. Let's put that bold statement to a test (and keep the video spam all in one place) and post some videos that might be entertaining or interesting to other people. Please no 18+ content!


Obligatory 31C3 Video

[youtube][/youtube]


Really like this song and some random shots from Saxony.
2 Cookies for anyone who can tell me where that crazy english accent at the beginning comes from.

[youtube][/youtube]

Isn't there a windows "terminal" method to do a speed test like you can do with wget or curl on *nix systems? Those web based test produce the craziest results on lots of machines.

As tempting as this idea might be there are numerous reasons why they should not or even why it makes not sense at all (at least this moment).

I'd be the fist one to rent a server hosted inside grazes cookie jar, protected by pjs furry friends and that runs on manure provided by dfs magical unicorns but I don't see this happen anytime soon. Even though out of beta CryptoStorm VPN project is far from being "completed" (it's more like a never ending process anyway) and still high maintenance. There are also numerous projects in the making like Stormlink and Stormphone. I bet if you add up the hours of sleep deprivation of all the staffers combined you'd have to sleep until 2025 to catch up.

dccc wrote:I wish I could be more of help with this matter but due to lack of competence with coding and compiling, I have no other choice to ask you guys for updates, heh

Tell me about it! I always hang around github, looking at interesting projects browsing the code and wishing I could contribute but I can't. I kinda was a dumbass as a kid for favoring gaming above coding or other useful activities you can do with your computer. Now every time I sit down and try to learn some C or Java (ugh! I know! but android....) something big comes around the corner and takes my energy and attention away from it. I'm starting to feel like I missed the spot of opportunity when I was a kid and now I'm doomed to stay code illiterate my whole live.

Pattern_Juggled wrote:ps: sorry to be butting in on your locked thread, DS... rather rude thing to do. :-/

No problem pj, that's totally fine! This is a issue that needs to be discussed or better decided on so it can be included in the current forum upgrade process. (More and more things pop up around here and I like those new features a lot!)

In fact I waited for an official statement like this or an answer to my plea not making my guides obsolete. With your suggestion now I can edit and split my HOWTO Guides so they fit the new approach and hopefully they can become part of the official guides. I'll tackle this task the coming days.

The second I know for sure he is a bot and not human...

afaik dynamic switches you to a new random node with every reconnect from a lost connection. So if you've got an unstable mobile connection for example, you will regularly switch IPs.

smooth on the other hand gives you a random IP on first connection and then "locks you in" for the duration of the session even if you temporarily lose connectivity. To get a new IP you have to end the session and start a new one.

Just want to post what I already said in IRC:

This is both moving and impressive. I learned a lot about Turing I didn't know before. I think providing a tool to protect people from those who persecuted Alan Turing is a wonderful way to honor this great man. Better than any statue or memorial plaque.

Little brain training here: Compare Iran a couple of decades ago with Iran today. Now look at the current situation in UK/USA and their plans for the coming years. Realize something?

Bonus Quest: Read up on the US involvement in Iran, the Iranian Revolution and what caused it.

I find science fascinating in general but Astronomy and other "space science" often lets my jar drop. It's really exciting how often they find new objects or occurrences that call widely believed theories into questions. I find this process of regularly scrutinizing your view on this universe really healthy and we should adopt it to our everyday lives so we learn to regularly question the things around us.

marzametal wrote:Anyone heard of this? BitBox

I know someone who actually does this manually to avoid browser identification by Google and such. His host browser never touched a google domain in years. Though it needs plugins for shared clipboard between VM and Host to provide comfortable usage and even with this I find it not suitable for everyday use.

I guess you are talking about the load balancer option, right? I can only guess here because I don't use the widget and know this stuff only second hand.
But to my knowledge the configuration files for the nodes and load balancers are not dynamically updated like the drop down menu but either hardcoded into the binary or provided alongside the client package. So it's probably just deprecated...

Hmmm. This actually highlights a possible weak spot in the widget approach!
The widget is not only for convenience but afaik primary for ENABLING non tech people to use CryptoStorm in the first place. So the widget should do everything automatically. This of course includes (a future leakblock aside) updating the configuration files no matter in which form they are provided. I guess the required infrastructure for this isn't ready yet so the staff pushes updates manually and somebody simply forgot to do it.

To make this less dramatic: As long as the "dead" nodes do not allow connections to them this isn't a security/privacy hazard.

loop wrote:These addresses don't route correctly.
linux-paris.cryptostorm.net
linux-uswest.cryptostorm.nu

Confirmed.
I did a quick check and can reproduce these results.

marzametal wrote:89.26.243.108 ?

This must be the windows IP if I remember correctly though I wouldn't recommend using it at this moment. The nodelist is used by the windows widget and thus represents the teams selection of production ready windows exit nodes.

Well, I am the one who set Fermi up to run the spoofability test because marzametal and I got those crazy results showing several IPs belonging to Google. Even though Fermi could not exactly reproduce our findings his results are strange as well.

So I'm starting to think we have several problems here resulting in different effects.
I have absolutely no idea what could be causing my results but I can say with absolute confidence that I don't have any software or hardware in my network that forwards, redirects or regularly calls on IPs owned by Google. I take extra care to make sure of that. So wherever this redirection occurs it can't be coming from my private network. It would also be strange if marzmetal just happens to have the same configuration error like me causing such a unique behavior.

Pic says it all. Firefox 34 on Ubuntu.

CanvasBlocker (Also for Firefox for Android)

The technique of des canvas-fingerprinting (more informations: http://www.browserleaks.com/canvas ) to identify users can be prevented with this Add-On.

Therefore the <canvas>-API which is necessary for the fingerprinting gets blocked. The different blocking modes are:

• block everything: ignore all lists and block everything.
• allow only white list: sites in the white list can use the API.
• ask for permission: if a page is not listed on white or black list the user will be asked if the site should have access.
• block readout API: <canvas> can be used to display something but can not be read out.
• fake readout API: my favorite! Also the readout-API can be used but only return random values. So the fingerprinting also returns different values all the time.
• ask for readout API permission: as for "ask for permission" there will be a confirm promt if a <canvas> is read.
• block only black list: everything on the black list has no access.

The native PDF display of Firefox uses canvas. Therefore a document that has MIME-content type of "*/pdf" will have access. This can be deactivated seperately.

As presetting my domain (kkapsner.de) is whitelisted.

Please report issues and feature requests at https://github.com/kkapsner/CanvasBlocker/issues

I agree on the endless comments under guides being confusing and/or intimidating to new users. In fact your post here made me just realized how important clean one post threads are for guides. Our little discussion here already draws away attention from the relevant facts in the first post. Imagine the effect on those giant HOWTO Threads.

I'd be very happy/proud if my individual guides could be separated from the discussions, maybe edited to your liking and then be used as those new clean guides you intend to provide. I spent lots of time and energy to create and update them so it would be a shame if they'd be disposed of. I'll see if I can make them even simpler and in fact already cut out all the crap from the leakblock guide so it's a very clean guide now.

But if you plan for something totally different: Then be it. In the end the result is what is important: Clean and easy to understand guides that can be easily found.

100%[======================================>] 104.857.600 7,89MB/s in 13s

2015-01-07 14:09:26 (7,73 MB/s) - ‘/dev/null’ saved [104857600/104857600]

Connected to Cantus (Germany)

In fact it went up over 8 MB/s (64Mbit/s) at some point.

I wonder... Do you have any kind of QoS (Quality of Service) running on your PC or Router? Also could your ISP maybe do traffic shaping and be biased against encrypted traffic?

I think this is a good place to mention that the last couple of days both Fermi and I experience strange lags when resolving DNS queries with the standard pushed DNS servers. I'll try to find the culprit and will test if it gets better when I remove it.

Just another reason for in house DNS resolvers!


EDIT: Yes indeed. I changed the DNS servers to a set of uncensored DNS provided by German internet rights groups and everything is running smooth again.

Here is what I use until CryptoStorm has their own DNS up and running for production:

85.214.20.141 (FoeBud)
194.150.168.168 (dns.as250.net; Berlin/Frankfurt)
213.73.91.35 (dnscache.berlin.ccc.de)

Can you try this one and report the results?
Those flash/html5 speed tests are very unreliable and regularly provide completely false information.
With apple I wouldn't be surprised if there is some kind of traffic shaping based on ISP in place. So a speed test with cache fly should give us the most unbiased result.

cryptostorm_support wrote:

Guest wrote:I run dd-wrt as well.
I just bought a aleph token- would greatly apreciate any attention admin here could give to the dd-wrt setup thread, it's a bit of an outdated mess.

To be perfectly honest, more than a couple tutorials suffer from the same affliction and we're working to fix that. We've already updated a couple, but I'll make sure the dd-wrt gets added to the queue.

Scratch that from the list CS_S! I volunteer to update the DD-WRT guide. I made it originally anyways...

EDIT: DONE! Please click here
I hope you enjoy.
Please consider that depending on your router performance you will get slower internet speeds than usual running cryptostorm on a router. Your router should at least have a 1.4 GHz dualcore processor to get 50 Megabits per second pushed through.

DNS Spoofability Test: https://www.grc.com/dns/dns.htm

Will test it as soon as I added the Servers to my setup but maybe some people will run their own test.

EDIT:
I forgot to make screenshots but to make a long story short: The DNS servers are indeed very beta at the moment.
-> The performance is very volatile but mostly slow.
-> The GRC spoofing test result was "MODERATE". Query Transaction ID Distribution was EXCELLENT but Query Source Port Distribution was very biased with a clear cut off at a certain port number and also stuck bits.
-> DNS-Leaktest went totally insane for some reason showing 20 Google servers as being my DNS resolvers. This is obviously false but I wonder what caused that.

I also noticed that both DNS servers are located in the USA. Dunno if that could be problematic or not.

THANK YOU!

I was waiting for this like from the day I switched to cryptostorm. DNS censorship is a lengthly discussed issue in my country but even though we managed to prevent it being broadly deployed so far there already is a (recently leaked) government maintained secret blacklist for "youth protection" that some ISPs enforce. But the idea of DNS censorship is one of those political zombies that for some reason never die but always come back crawling at us no matter how often we squash them. It's just a matter of time until we lose this fight and then we can't get rid of it anymore.

So an uncensored DNS that provides the three fundamental basics of security deployed by a highly trusted source is very welcome!

One question though: Is it possible to add a third IP to your DNS pool?

(Maybe this is the wrong place for discussion...)
Most routers use ISP provided DNS servers by default if you don't specify your own selection. So I always add my own choice of DNS to my dd-wrt router to overwrite this default setting. The problem here: DD-WRT lets you specify three custom DNS. If you add only two and leave the third one blank the primary DNS of my ISP will be transparently used as the tertiary DNS by my router. Transparently because the third slot stays blank but if you do some extensive DNS leak testing the ISP DNS will pop up eventually. Only if I specify three custom DNS I was able to get rid of my ISP.

I don't know why this happens and maybe this is a DD-WRT specific bug. Also this observation was made over a year ago when I was really a noob and I might goofed up somewhere. I'd be happy if others also using DD-WRT and custom DNS could tell me their experiences with this. thx

Did a quick client check on SSL Labs with my Windows 7 VM and IE11.
I won't do any testing with this VM though. I don't trust this OS even half as far as I can throw Satya Nadella. Sry...

Pattern_Juggled wrote: Bunkers don't work. Period.

You really strike a chord with that statement. I could start giving talks for hours about this but I just want to boil it down in a few sentences without derailing this thread:

With all this unlimited funds government dragnet surveillance around and on the other side projects like cryptostorm that run mostly on blood, sweat and tears lots of people get the impression that we are in the middle of an internet guerrilla style warzone or something along those lines. Fact is: We are not. Projects like CryptoStorm operate completely within the legal scope of basic human rights and pursue to enable people to assume those rights today and in the future. The only actors breaking the law in all this are those government agencies.

This fact brings up a very important issue: Though I'm one of those who believe the main solution against surveillance is technology, I'm aware of the fact that we (at least currently) very much depend on a world where basic human rights are still mostly intact in enough places. Otherwise we would have a hard time deploying hardware and running free software on top of it to provide our technology solutions. So I urge everyone to try and see within their scope of possibilities that their government is not going postal on their rights or maybe one day the legal foundation for projects like this is gone.

@oldnewb: I hope you didn't took our reaction as critique against you. Our reaction is purely directed against those guys... ehrm... "security decisions"... As I said in my first sentence: I'm glad that you (and hopefully others as well) are looking around, inform themselves and if they got any questions they go ahead and ask instead of just believing what marketing says. I'm far from being an expert, especially compared to PJ, but two years ago I might have bought into that crap ramvpn is selling today. So feel free to continue asking questions and providing ideas how to make CryptoStorm better. It's the best way to learn about those things.

First I want to thank oldnewb about caring enough for CryptoStorm that he is looking for ways to improve it. Community input and fresh ideas are very important and always welcome. You also involuntarily provided a good example for how dangerous the marketing yap of many "VPN-Services" is.

Which leads me to my second statement:

Why on earth would someone want to randomize the used chipher and digest? Especially with those horrible options available! The only thing you'll archive with that is people accidentally using RC4-MD5 or other horrible combinations. Those guys are either not qualified to run a secure service or deliberately try to fool their customers in suggesting that "random" is always the best choice when it comes to encryption. :\

I'm not even remotely close to be an expert like you are but I also grew desperate on this topic when I tried to secure a server. There is just no cipher suite available at the moment that is both 100% acceptable from a security stance but also compatible with all popular browsers and OS. If you want to reach an acceptable solution you are simply forced to sacrifice either some compatibility or add some less secure ciphers. On private servers you can easily opt for security but when you want to serve a public audience you probably have no choice but to opt for compatibility. It's no shortcoming of the people running a server but the fault of those who decide what ciphers are implemented in their software. But that's makes it all the more frustrating because you are forced to make decisions you don't want to make.

Thanks for archiving those. The more copys we have of this the better!

I don't see a discussion thread so I reply here:

I wonder whats the difference between V1.3 and V1.4.

I use the V1.3 configs for all nodes and aside from the hostnames which I don't use it's identical to the V1.4 configs posted here.

Nice catch!

Because most of my guides/howtos somewhat depend on each other to properly work I decided to make a small reference chart. This chart contains both threads and single posts. I try my best to keep all guides up2date. I hope you enjoy and happy tunneling!

UP 2 DATE
Linux/RAW IP reference chart

LEAKBLOCK HOWTO (Android and Ubuntu)

HOWTO: DD-WRT Routers

HOWTO: Ubuntu Network Manager plug-in

Mini HOWTO: Automatically connect to CS after boot without Network Manager

PROBABLY OUTDATED
HOWTO: Mac/OSX connections with Viscosity

EDIT: Since this data is out of date and there's no plans to update it, I'm going to go ahead and lock this thread. The most up to date OpenVPN configs (Linux too) are always at https://github.com/cryptostorm/conf/

!	Message from: DesuStrike
	I hereby invite the community helpers and staff to keep these reference charts and howtos up2date together with me. Yet I ask for respecting two things: 1. Don't change the overall layout and/or style of my lists/posts 2. Don't change/remove my personal choice of words like "United States of NSA" or "Mother Russia" Thanks and keep on being the most awesome people on the internets!

last updated: 24.01.2015

This thread is a reference chart of the current Linux/RAW exit node IPs because they were removed from the node list. It is intended for community members who prefer to use IPs instead of hostnames for connecting to CryptoStorm. This can be useful for using a proper leakblock but might serve other purposes as well. I try to keep this list up to date but useful hints are very welcome if I happen to miss a change.

@parityboy

yes, 89.26.243.109 is the IP from Tagus. Brisa is just your legacy label.

compac wrote:Thanks for testing this concept. I'm looking forward to this since pj metioned the idea. Shame you can't make 12 months token tough

Isn't this the exact same post somebody else did in vpnDarks thread about token mixing?!

Oh wow! I have to take a closer look on that one! Sandboxing isn't the holy grail as many exploits used for sandbox breakouts proof but it certainly adds a somewhat useful extra layer of security if done right.

I second that!

Woah! Looks like I dropped a brick here.
I was talking about "shady copy cats" because I was simply guessing for the reason of this source dump. I do not follow the cryptostorm twitter account very closely because it's a bit too spammy for my RSS feed(*).

I want to emphasize that I as well do not call oldpiratebay.org or the people running it shady or bad in any way. Nor do I say they are good. In fact I know so little about them that I do not even have a private opinion about them.

But I agree: It was a mistake to automatically assume something bad about those you were simply watching. I'm actually very disappointed about myself that this was my first assumption because it's exactly what governments and agencies want people to assume when THEY are watching certain people. "Ah! If the NSA is watching XY he must probably done something bad." <-- Bullshit!
Bad excuse: I was reading up on very questionable piratebay replacements short before I posted, so maybe I got the negative preoccupation from there.


(*)I don't have a twitter account so I use a twitter parser that creates rss feeds. Unfortunately the only good parser went disfunctional and the new one can't filter out retweets and conversations. So active and responsive twitter feeds easily become too spammy. This is ironic because I actually like it when somebody is responsive but in this case my priorities are different.

While I do not mind dumping the source of those new "Pirate Bay"s as it could certainly be useful in future I still wonder why pick oldpiratebay.org. Is there anything special about it other than it's from the same guys that picked up the isohunt name after the original was shut down?

If it's about watching shady copy cats I'd suggest thepiratebay.cr
This domain provided a tpb proxy in the past but now they are pretending to be the real tpb staff, send out press releases announcing their revival and offer shady login masks that very well might be used for fishing login credentials of unwary users.

My guess is that the "stealth" config is "stealthy" because it chooses randomly from 4 exit nodes thus changing your visible IP around a bit. It's very far fetched to call such a thing "stealthy" but that never hindered anybody of those money grabbing wannabe VPNs from talking marketing bs all day long.

I can also confirm that 109 is the raw/linux instance. It's against the usual rule that lower numbers are win and higher numbers are raw/linux, but as long as it works... huh?

Can you please elaborate a bit further? Skpye should be working no problem, so we need to debug this together. Thanks

Updated as promised. Enjoy

I so gonna fix thix guide as soon as I got my mod powers back! It's only a hand full changes but I bet it frustrated many people who weren't able to run it because of them.

Dear CryptoStorm community,

today I filed my own resignation from my position as a forum helper and now I want to inform the community about it.
There are several personal issues I have to take care of which make it impassible for me to properly exercise this role.
Some of the shortcomings on this forum stem mostly from my lack of time and energy.

I know there hardly couldn't be a worse time to resign as the team is very busy right now but I'm at my limit. Maybe the extra work load finally showed me that I started lagging behind a long time ago.
Actually the workload isn't all that much but it's too much for me right now. A motivated person with some free time at hand could do this job easily.

I don't know if CryptoStorm plans to promote one or more community members to be the new forum helper(s). Nonetheless I suggested one or more people to them to be my successor.
We won't tell anybody who I suggested though. So don't ask. Neither I nor them will tell you. The fact that somebody was picked by CS also doesn't mean that I suggested them. So please don't try to make conclusions based on that.

I won't sign onto the forum after this post. Actually this account will be deleted. (Hint @ CS-Team!) So possible PMs won't be read by me.
My posts will stay as I wrote some HOWTOs and it would be bad if they are gone only because I'm gone.

I am very sorry that I have to take this step as I love CryptoStorm and I was very proud to be a small part of it.
I wish both the CryptoStorm Team and the community all the luck and success in the world. Together you can make this VPN even better than it already is. Always remember that by contributing to CS you not only help yourself but a lot of activists and other people that need protection around the world. CS is not a run off the mill "company" that strives for money and nothing else. To be honest I sometimes wonder if CS is even self sufficient or if some from the team pay for this project with their own money. Either way CS is run by people with high standard ideals in both HOW a VPN is properly run and WHY it is important to never betray a community member. These people have a dream they fight for and they do a damn good job while they are at it!

So support them! Help them so they can help you in return!
You can help in many ways: Money, Forum Helper, writing HOWTOs and stuff, helping other community members, reporting bugs and contacting support@cryptostorm.is if something is out of order.

Maybe I'll come back one day. Maybe not. But if I do you better made this VPN the damn most successful one the internet has ever seen!
Either way I will always be among you as I obviously will continue using CrypoStorm. There is no alternative! Always remember that!

Last melancholy cheers,
~DesuStrike

@parityboy: It only happens on cryptostorm. But for me that sounds like an DNS error. On the other hand: If you use the same DNS settings on every exit node it can't be DNS...

Update:
I got severals answers from support yesterday (Thanks for the short response time!) but I was too tired to boot up the pc, cram out the password and post here. Sorry
I'll just quote what support says:

cryptostorm_support wrote: Indeed, someone's triggering our alarms by doing penetration attempts via cantus:

Source: 46.165.222.246
DNS: raw-cantus.cryptostorm.net

So we're trying to find a way to turn off the alarm without opening up an attack surface. Ah, the joys of the internet.

I think there is nothing to add other than a big and several facepalms towards that sucker!

Since we don't have an off topic forum I guess using "open debate" is the most fitting subforum for this.
This is shameless advertising for a game I am in no way affiliated with. It's pure fanboi "talk". (actually I won't talk at all about the game. Just post pictures and links.)
It's kinda unusual to advertise a game here but because this is cryptostorm and they help activists around the world I guess the theme of this game absolutely fits the overall context of this VPN.
I also know that this game will provoke both positive and negative reactions as some poeple probably will have the opinion this is no topic to make a game about, let alone center the whole game dynamic around. I obviously don't share this opinion. I think those games help you understand the dynamic of such situations an by giving you the chance to play "the other side" you start understanding their motivations and thereby often see the true drama behind those occurrences. And yes... Maybe next time you are at a protest you keep more calm because you stopped blindly hating the other party. No matter what side you might be on.

And while we are at it: Also check out PAPERS, PLEASE! (trailer) for some really intense dark dystopian game that shows you the problems and moral dilemmas people in a dictatorship have to endure.
This game really gave me the shivers. It forces you to make quick decisions and after some time you start to understand why people behave in certain counrties and certain situations like they do. It's nothing to look down to. It's often just pure trial to survive or to have a somewhat decent live.

RIOT

First of all please check out the video.
This is their website.
Please help funding this project by preordering it! You can also add a tip if you want.

Quick Facts

• You can play as both rioters or police
• Based on real events like arab spring, greek austerity protests, etc
• Available on Linux, Windows, MAC, iOS, Android (one purchase all devices available!)
• Indiegogo campaign is over but you can still back them via humble bundle (link)

Some alpha/beta footage:

Does anybody else have problems with reaching cryptostorm.ch/is when connected to the German exit node?

I have this problem since today.

I gonna inform support but I guess asking other if they experience the same could be useful, too.

Graze wrote: I love wikis. I use them all the time, and I actually use a personal one[...]

Ok, now you HAVE to tell me how and where you do that!

Is it hosted on a internet facing server so you can reach it everywhere you go, or is it locally on your computer?
And do you use a special kind of wiki flavour?

I use wikis kinda regularly but I don't favour them over simple html tree structured approaches, blogs or just plain single purpose websites. Also a wiki is nice for reference but discussion is hell on those. I wrote/edited few wiki articles in my life and it was always hell when a discussion broke lose because wikis are not made for discussions. It made me lose interest in actually contributing to them pretty fast, so now I'm just leeching.

Anyways: A personal wiki sounds like one of the most useful things to do if you have to administrate something. I've got tons of bookmarks but hell... If one of those sites goes down and I didn't memorize the contents: F-Bomb Time

So I want this!