cryptostorm's community forum

Weird things are afoot with NordVPN's app and the traffic it generates - Reg readers have spotted it contacting strange domains in the same way compromised machines talk to botnets' command-and-control servers. Although NordVPN has told us this is expected behaviour by the app and is intended as a ...

@df Apart from the usual SNAT/MASQ stuff which is needed anyway, the only thing outstanding I have in pfSense is a port forward rule to support a private tracker and that only applies to a single VM guest on a host-only network of its own. Another thing I noticed is that I can't get pfSense to reso...

@df

I get 88.202.180.213, which is one of the England exit node IPs.

@df

Code: Select all

whoami.cryptostorm.is has address 88.202.180.213

Those are exit node IPs. : ) They are what shows up on https://cryptostorm.is/test, depending on the exit node being used.

@df

I just tried the CS DNS Leak Test page. The IPs it listed are actually the IPs of the exit nodes I'm connected to, rather than the DNS servers I'm using, hence it lists them in red as "not cryptostorm DNS". I've configured pfSense to use 82.163.72.123 and 128.127.104.108 as DNS servers.

@OP

See here.

@OP As far as I am aware, the Great Firewall will (at least try to) block OpenVPN at the protocol level. The newer CS configs employ TLS to encrypt the OpenVPN handshake which should defeat and kind of Deep Packet Inspection. However Cryptostorm IPs are public, so blocking them is not exactly diffi...

@marza

Unless NBN goes out of its way to block port 443 or the OpenVPN protocol, it should no different to how it is now in terms of setup and operation.

@df

Really? All of the security-related posts here on the form have all pointed to compression being disabled (at least according to PJ and the earlier configs).

@OP Try this: sudo -s wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - echo "deb http://build.openvpn.net/debian/openvpn/stable bionic main" > /etc/apt/sources.list.d/openvpn-aptrepo.list apt-get update && apt-get install openvpn exit Linux Mint is based on Ubuntu and the ...

@OP

Can you post some logs generated by OpenVPN?

MOQ888 wrote:kubuntu up and running, CS working well - HOORAY!

@df

As a router, VyOS is actually OK. As a security device, clearly not so much so I would never use it as an edge device (although some people put their firewalls behind their edge-located routers).

@df I blew the VyOS instance away (I'll likely get a mini PC from AliExpress or Banggood and stick pfSense on it) but here's the ca.crt I was using. -----BEGIN CERTIFICATE----- MIIFIDCCBAigAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwN...

@MOQ888

Hmmm...I have KDE Neon badgering me to update it to its new 18.04 LTS base, but I'm now wondering whether it's worth it. Having said that, my VPN is handled by a router so I wouldn't need Network Manager for VPN duty.

@MOQ888

Glad you got working.

Now we just need Network Manager to support the ECC instances.

@df

I agree.

On that note, what happened to the Spain node? I see the legacy one has been consolidated onto the Portugal node and the newer configs (including RSA) have no Spain node at all.

@df

Oh, btw I love the ASCII art @ http://10.31.33.7.

@df

Sounds like something might be broken in the kernel running on that machine, or maybe sysctl needs a tweak? No reason why UDP should have issues when TCP works fine and the Windows-optimised instances also work fine.

@df Found it. :D In pfSense on the Port Forwarding page, simply creating the rule isn't enough. There's a field near the bottom of the page which says "Filter rule association". The default selection for this is "None" (no doubt for security reasons). To make the rule active, one needs to select "P...

@df Yep, I have a NAT hole punched in my pfSense firewall for the VPN client address (10.66.216.32) which is in turn forwarded to the VM running my BitTorrent client (which is listening on 45886). Weird - it definitely worked before the upgrade (I checked it with telnet from an outside network). I'...

@df

I'm currently on 128.127.104.111, port number 45886. Try telneting to it and see if you get a response.

I've just realised that the port forwarding feature on the legacy RSA nodes - <os>-<location>.cryptostorm.net - doesn't seem to be functional. The setup page at http://10.31.33.7/fwd is there and appears to set the mapping (even complaining when you try to set the mapping twice) but telnet ing to th...

@OP

I'm going to have to dig into this. I'm running KDE Neon (now based on 18.04 LTS but mine is still running a 16.04 LTS base) and I suspect it has a newer Network Manager that accommodates this. Mine looks like this.

@OP Oct 22 21:40:28 e8100i7 NetworkManager[1163]: nm-openvpn-Message: openvpn[7095]: send SIGTERM Oct 22 21:40:28 e8100i7 nm-openvpn[7095]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Oct 22 21:40:28 e8100i7 nm-openvpn[7095]: TLS Error: TLS hand...

@OP

Can you collect and post some logs so we can see what Network Manager is doing? I suspect it's related to TLS handshaking, but I'd like to be sure.

@marza

I can't really help you on the Windows side of things, but would you ever consider delegating VPN duty to a router? That way you wouldn't have to deal with all the weirdness.

@blurb Yeah, Wireguard looks really nice. Needs more router support and therefore greater adoption, but it needs auditing before anything else. OpenVPN is complex and annoying, but on the other hand it was the first decent VPN that wasn't closed code (i.e. enterprise and therefore expensive and/or ...

@blurb,@df OK, I've tested all of the legacy EU nodes ( linux-<location>.cryptostorm.net ). The following nodes connect and successfully pass traffic: Denmark Dusseldorf Frankfurt Finland Latvia Netherlands Paris Poland Romania Rome Sweden Switzerland The following nodes are broken and refuse to pa...

@blurb Well if I remember rightly, you've got it running on a Tomato-based router (which is based on Linux). I've experienced this issue on both Linux Mint 18.3 and pfSense 2.3.4 (which is based on FreeBSD). Also yes, all of the nodes are physical machines running multiple instances of OpenVPN, eac...

@blurb This is what I'm getting in my pfSense log: Oct 17 14:18:27 openvpn 22625 Bad LZO decompression header byte: 0 Oct 17 14:18:47 openvpn 22625 Bad LZO decompression header byte: 0 Oct 17 14:19:07 openvpn 22625 Bad LZO decompression header byte: 0 Oct 17 14:19:07 openvpn 22625 [cryptostorm serv...

@OP Going by this map , I'd say US West coast, based on the links. Failing that, I would suggest the most eastern part of Europe (Poland, Romania); bear in mind that overland links are not shown. Check this link for a list of the node locations. UPDATE I've just realised that we now have a Hong Kon...

@blurb Many thanks for sharing this. :D Ironically, while the newer ECC cryptographic algorithms are much more efficient than the older RSA - requiring much less CPU power for the same level of cryptographic strength - there's a good chance that the older routers (which would actually benefit from ...

@cryptomon It could be then that either the parsing code for the HTML page or the database which actually stores the username/password credentials have not been updated to reflect the update to the HTML page. Having said that, it might be worth looking to see if the router actually stores the crede...

@blurb

Yeah, I confirmed it directly from the desktop with Network Manager. My OP concerned pfSense, but the effect (unfortunately) is the same.

@cryptomon

Could you try inspecting the HTML in something like Firefox's debugger? It may give you the ability to alter the HTML (i.e. remove the restriction on the input field) temporarily just so that you can input the hashed token.

Has anyone else noticed this? I have the NL node configured identically and it works fine, but the England node (5.101.149.7) refuses to pass any traffic.

@OP

I'd guess that the IP addresses of the new ecc/ed448/ed25519 instances are not yet in the check databases.

Hi, I am running Asuswrt-Merlin 384.7 and I am getting the following in my log: httpd: nvram_check fail: nvram vpn_client_username over length (128 > 64) ovpn-client1[8736]: ERROR: username from Auth authfile 'up' is empty ovpn-client1[8736]: Exiting due to fatal error Any ideas on what I need to d...

@blurb

That sounds good.

Is your connection cable, fiber or xDSL (including hybrid fiber)? Also, would you be kind enough to document your experience in the Speed Test thread?

@df OK, so I tried using NordVPN's certificate (extracted from one of their OpenVPN configuration files) and VyOS accepted it. For posterity, here it is. -----BEGIN CERTIFICATE----- MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290...

@df I checked using the method you described and yes, it's the RSA cert (1866 bytes long). As for the other certs and keys, seemingly the VyOS scripts expect them regardless of whether they are used or not. Either way, even before I created them, VyOS was whining that Cryptostorm's ca.crt was not v...

@thread

OK, quick update. I upgraded VyOS to 1.2.0, which runs OpenVPN 2.3.4 It will accept the CA cert for PIA, but NOT the one for Cryptostorm.

I have no idea why. df if you (or anyone else) can offer any ideas, it would be greatly appreciated.

OK, I've found two things: 1) PIA's ca.2048.crt file works perfectly well, while Cryptotsorm's ca.crt does not. 2) VyOS 1.1.8 actually uses OpenVPN 2.1.x, which doesn't connect even to PIA's network so it certainly won't connect to Cryptostorm's. The age of the OpenVPN build on VyOS 1.1.8 might be w...

@OP If you're talking specifically about the Cryptostorm VPN service, using the ECC instances will help, since (if I have this correct) they encrypt the handshake between client and server, so it cannot be identified as being OpenVPN. The non-ECC instances cannot do this and so they can be blocked ...

@blurb

Is the VPN connection on your router or your desktop? If it's on your router, that's pretty bloody impressive!

Background I'm currently running pfSense 2.3.4 as a virtualised router on VirtualBox, however it seems to have issues when the number of connections it needs to maintain (e.g. for torrenting) goes past a certain limit. It's nothing to do with the state table and seems to be more to do with the inte...

@parityboy https://cryptostorm.is/portfwd On that page the qBittorrent screenshot you use shows "Use UPnP /NAT-PMP forwarding from my router" as being selected. Not to nitpick but since Cryptostorm doesn't actually use UPnP (hence the manual port assignment page), it might be better to show that op...

I'm using it to test speeds, and since I torrent a fair bit I'm wondering why it's only getting really poor speeds at times, and if that would carry on with an actual token. Also I have tested with qBittorent and the speeds were the same. Torrents (well seeded ones) download as fast as the processo...

df wrote:Oh that's the problem. You're using port 64496. Ports 30000 and up are now reserved for our port forwarding feature.

What port forwarding feature?

@bentbanana223 Just out of interest, why are you torrenting over Cryptofree? Cryptofree is really a taster service and is useful for low bandwidth services such as IRC, instant messaging and email (depending on email content, obviously). It also serves as a backup if your token has just run out; to...

@OP

I've just done a speed test using Cryptofree to grab a test file on CacheFly's CDN. I'm getting around 40-45KB/s (320-360Kbit/s). This is on an 8Mb/1Mb ADSL connection.

Could it be that Cryptofree is choking, or maybe mis-configured?

pedro_cucaracha3 wrote:Does anyone know a good alternative? Or is there a better way to let them know besides leaving a 1-star rating in the app store?

You could try email the OpenVPN team directly. Also, have you tried using the un-hashed token to see if that works?

@OP

If I remember rightly, Cryptofree is limited to 1Mb/s download speed (can't remember what the upload is).

@Fermi

Cryptostorm has always disabled compression though, correct?

VORACLE = CRIME for VPNs VORACLE is not a new attack per-se, but a variation and mix of older cryptographic attacks such as CRIME , TIME , and BREACH . In those previous attacks, researchers discovered that they could recover data from TLS-encrypted connections if the data was compressed before it ...

@OP

Yep, I just tested this myself and it appears that the OpenVPN team don't have a build for Bionic Beaver. Additionally, I noticed that on their repository page, Bionic isn't listed.

@OP The package for OpenVPN isn't built for Mint 19 Tara but for the Ubuntu version Mint is built upon, namely 18.04 Bionic Beaver, so there will be an entry in either /etc/apt/sources.list or in one of the files in the /etc/apt/sources.list.d directory which reads "deb http://build.openvpn.net/deb...

@OP I don't use Google WiFi so I have no evidence, but if it fails to work it's likely because they are blocking either port 1194 (OpenVPN's default port) or port 443/UDP (commonly used by VPN providers to get past firewalls). In such an environment, you could use port 443/TCP to connect to Cryptos...

@OP

It's the right sub-forum.

I don't see any downsides at all. If you have the cash up front, it's definitely worth it.

@OP

1. You could use a service like WebQR to upload the QR code image to.

2. Yes, the countdown on the token activates on first use. If you don't use it, it will last for as long as Cryptostorm are providing VPN access.

@OP

Is openvpn already installed on your system? You can find out by doing this:

Code: Select all

which openvpn

If yes, then simply try to import a VPN configuration file from the NetworkManager menu. If not, install openvpn then try to import the configuration file.

@Boens If you enter the command I posted can you then ping anything on VLAN20 from your Linux machine? If yes, then the router already knows how to route traffic between the VLANs. If no, you'll have to configure your router accordingly. By "permanent change" I mean that the route to 192.168.20.0 v...

@Boens

Assuming that routing between VLANs is handled by your router, you could try something like

Code: Select all

route add 192.168.20.0 gateway 192.168.10.1

This will not survive a reboot, however. Making it a permanent change is left to you.

@OP 1. Modems can't run OpenWRT, so you have a router. If you have to plug your router into another box to get Internet access, it will still only be a router. If your router can also plug into your phone line, it will be a modem/router (or router/modem). 2. Those two files are block lists, not cro...

@maltfield

The non-ECC instances are already running on UDP/443 which helps to support clients which do not or cannot have the latest version of OpenVPN installed. Additionally, I do not know if OpenVPN can auto-negotiate between ECC and non-ECC ciphers.

Perhaps it can't?

@marzametal

Yeah it's all good here, keeping the home fires burning.

MARZA!!!

It's been a loooong time, my friend. How are you?

@OP

No, I'm not ignoring it. I'm not staff, so I have no information regarding Stripe. df or Fermi would be better people to ask.

@OP Just to be clear, you are at home and trying to stream from Hulu, Netflix etc from behind your pfSense instance (which is configured to use Cryptostorm), correct? Many of these streaming services make a point of hunting down the IP addresses of the more popular VPN services and adding them to a...

@OP

It looks like you are trying to connect to an ECC instance. Can you try connecting to a non-ECC instance and report back on success or failure?

Thanks.

@df

Neither is KMail, which is what I use.

@df To be honest, I'm not so sure regarding the routers. Routers supporting OpenVPN (e.g. ASUS) are pretty popular and (being routers) I'm not sure how many firmware updates they receive after launch or if those updates include updated OpenVPN instances (I doubt it). Most people are still on pretty...

@OP

it sounds like Android's VPNService isn't intercepting your connection. Which device and which version of Android?

@OP

OK, I'm going to test this on a couple platforms and report back.

Search found 1206 matches