Search found 203 matches

by Fermi
Thu Apr 16, 2020 7:47 am
Forum: member support & tech assistance
Topic: Cryptostorm network - news
Replies: 26
Views: 36120

Re: Cryptostorm network - news

Does anyone beside df have access to the cryptostorm keybase account? https://keybase.io/cryptostorm
Yes, I have ... .
by Fermi
Tue Oct 30, 2018 8:27 pm
Forum: member support & tech assistance
Topic: OpenVPN says I have incorrect credentials after a month even though I paid for another month
Replies: 2
Views: 6504

Re: OpenVPN says I have incorrect credentials after a month even though I paid for another month

With recurring monthly billing, you receive a new key (token) each month.
Be sure to check your spam folder, the email sometimes ends up there.
You can check the validity of your token @ cryptostorm.nu

/Fermi
by Fermi
Tue Aug 21, 2018 11:22 pm
Forum: crypto, VPN & security news
Topic: [BleepingComputer] VORACLE Attack Can Recover HTTP Data From VPN Connections
Replies: 5
Views: 17769

Re: [BleepingComputer] VORACLE Attack Can Recover HTTP Data From VPN Connections

We did study this attack and will take appropriate actions to disable pre-encryption compression.
Twitter and this forum will keep you up to date on the changes we are planning.

/Fermi
by Fermi
Sun Jul 15, 2018 6:31 pm
Forum: member support & tech assistance
Topic: Unable to connect to LAN (except router) while connected
Replies: 7
Views: 16567

Re: Unable to connect to LAN (except router) while connected

Normally that shouldn't be an issue. Something must be wrong with your routing table, it should look more or less like this, depending on your local situation:

Code:

ubuntu@ubuntu2:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.33.0.1       0.0.0.0         UG    0      0        0 tun0
10.33.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun0
89.163.214.183  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
The last line ensures that communication with your local lan (in my case 192.168.1.0/24) remains possible.

What's your outcome of: route -n

/Fermi
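As an added illustration of the point made in the post above (this is not code from the post or from Cryptostorm), the following script parses the `route -n` table printed there and applies the kernel's route selection rule (longest prefix wins, lowest metric breaks ties) to a few destinations. It shows why LAN hosts keep working with the 192.168.1.0/24 line present, why the VPN server's own address (the /32 host route) stays on eth0 so the tunnel traffic doesn't get routed into itself, and what happens when the LAN line is missing: the LAN host falls through to the 0.0.0.0 default and disappears into tun0, which is exactly the symptom reported in the topic. The destination addresses used below are made up for the demonstration.

```python
import ipaddress

# `route -n` output copied from the post above (the page's own table), used as sample input.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.33.0.1       0.0.0.0         UG    0      0        0 tun0
10.33.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun0
89.163.214.183  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
"""


def parse_route_n(text):
    """Turn `route -n` output into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # skip the title line and the column header
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = parts
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((network, gateway, int(metric), iface))
    return routes


def select_route(routes, destination):
    """Kernel route selection: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    _network, gateway, _metric, iface = max(
        candidates, key=lambda r: (r[0].prefixlen, -r[2])
    )
    return iface, gateway


def explain(text, destinations):
    """Map each destination to the (iface, gateway) pair the table would use."""
    routes = parse_route_n(text)
    return {dst: select_route(routes, dst) for dst in destinations}


def without_lan_route(text, lan_network="192.168.1.0"):
    """Drop the connected-LAN line to reproduce the broken table from the topic."""
    kept = [l for l in text.splitlines() if not l.startswith(lan_network + " ")]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Made-up destinations: a LAN host, a public resolver, the VPN server, a tunnel peer.
    targets = ["192.168.1.50", "8.8.8.8", "89.163.214.183", "10.33.0.7"]
    for label, table in (("healthy", ROUTE_N_OUTPUT),
                         ("LAN route missing", without_lan_route(ROUTE_N_OUTPUT))):
        print(f"--- {label} ---")
        for dst, choice in explain(table, targets).items():
            print(f"{dst:16} -> {choice}")
```

Run it as-is and compare the two tables: in the second one 192.168.1.50 is sent to tun0 via 10.33.0.1, i.e. into the VPN, which is why only the router (reachable through the host route's gateway) still answers.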
by Fermi
Tue Mar 20, 2018 11:40 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: You Broke Xfinity Anonymity
Replies: 2
Views: 14968

Re: You Broke Xfinity Anonymity

Please have a look @:
by Fermi
Wed Feb 21, 2018 8:24 pm
Forum: member support & tech assistance
Topic: [Help] Debian 9 OpenVPN Network Manager: Cryptostorm randomly disconnects!
Replies: 16
Views: 16003

Re: [Help] Debian 9 OpenVPN Network Manager: Cryptostorm randomly disconnects!

@NeedHelp6969

Try to raise log level to verb 7 and look for 'RECEIVED PING PACKET'
to find the cause of:
Sun Feb 18 11:25:13 2018 us=486000 [server] Inactivity timeout (--ping-restart), restarting
/Fermi
by Fermi
Tue Feb 13, 2018 1:26 am
Forum: member support & tech assistance
Topic: Another $50 router blown up.
Replies: 2
Views: 8610

Re: Another $50 router blown up.

No, we will not remove this post. Your request for help (twitter/email) reached us two days ago.
We are not able to answer all requests in a flash.

As for your current situation we don't know if you flashed with OpenWRT or LEDE, or if you flashed with the right version for your router. OpenWRT is fairly resilient when it comes to the structure of configuration files, but I can assume that configuration files from 2013 can be considered outdated.

I'm fairly sure you still can recover your router if you follow the OpenWRT unbrick guides that are out there.

Once done, I would suggest that you install a suitable release and that you configure the unit manually.

Regards,
/fermi
by Fermi
Mon Feb 12, 2018 12:01 pm
Forum: member support & tech assistance
Topic: QUIC woes
Replies: 2
Views: 8047

Re: QUIC woes

Hi,

I don't recall having seen a mail in our mailbox related to this.
QUIC (Quick UDP Internet Connections) isn't a protocol we use, so the right dissector would be OpenVPN instead.
So the output of wireshark isn't relevant as you are using the wrong dissector.

Every 20 minutes key renewal takes place, so this is perhaps what you are noticing.

/Fermi
by Fermi
Sun Dec 24, 2017 12:20 pm
Forum: member support & tech assistance
Topic: Connection issues
Replies: 3
Views: 7281

Re: Connection issues

Hi,

Please have a look @

https://cryptostorm.is/newCA

/fermi
by Fermi
Fri Dec 22, 2017 10:55 pm
Forum: member support & tech assistance
Topic: Can't connect...
Replies: 11
Views: 11041

Re: Can't connect...

privangle,

Have a look @ https://cryptostorm.is/newCA

/fermi
by Fermi
Sun Aug 13, 2017 3:17 pm
Forum: member support & tech assistance
Topic: Waiting for password with Tunnelblick
Replies: 2
Views: 7401

Re: Waiting for password with Tunnelblick

Hi,

Please have a look in cryptostorm.ch/userguide

/fermi
by Fermi
Sun Jun 18, 2017 6:27 pm
Forum: member support & tech assistance
Topic: Debian 8.8 Cinnamon: Cant import vpn config
Replies: 1
Views: 5150

Re: Debian 8.8 Cinnamon: Cant import vpn config

try:

Code:

apt-get install network-manager-openvpn network-manager-openvpn-gnome
followed by a reboot ...
After this you should be able to import conf files.

/fermi
by Fermi
Fri May 05, 2017 11:52 pm
Forum: member support & tech assistance
Topic: Can't play anything on redbull.tv
Replies: 20
Views: 15992

Re: Can't play anything on redbull.tv

The above reasoning isn't entirely correct. Redbull.tv will not work without trackers and other 'malicious stuff'. The only two deepDNS servers that have trackers enabled are: 46.165.222.246 and 46.165.240.171

Also DNS servers are assigned on the level of network connections/adapters. So one should check the DNS servers that are used by the tun adapter; or use ipleak.net (or similar) when connected to CS in order to verify that Tunnelblick isn't changing to pushed DNS servers (after removing the manual addresses stated above of course).

/fermi
by Fermi
Fri May 05, 2017 12:39 pm
Forum: member support & tech assistance
Topic: Token repeatedly has auth failures, too many logons.
Replies: 19
Views: 20011

Re: Token repeatedly has auth failures, too many logons.

@ Wobbly Coconuts

Are you using a 1M token on your mobile? In that case it could be that the timeout of 120s we have server side could indeed be a nuisance. It would surprise me that it disconnects more often now than it did in the past. In the past we had indeed some 'grace' sessions buffering this, which could indeed give another perception.

So if you can contact us, we'll arrange a token which you strictly use for your mobile, so you can test and give us some feedback.

Note that we do care about our customers, but I don't fully agree with your remarks on our service.
But let us first try to solve the mobile thing.

/fermi
by Fermi
Fri May 05, 2017 12:29 pm
Forum: member support & tech assistance
Topic: Token repeatedly has auth failures, too many logons.
Replies: 19
Views: 20011

Re: Token repeatedly has auth failures, too many logons.

@ Captain Blackberry
Thu May 04 22:49:53 2017 us=369602 [server] Inactivity timeout (--ping-restart), restarting
can happen, it means there is a connection problem between client and server. Situations like this cannot be excluded, since we are dealing with technology.
In that case the client will try to reestablish connection, while the server will not decrease the session count until a timeout window of 120s has passed. If a reconnect happens in that window and all allowed token sessions have been used up, an auth failed will be thrown.

So session count should repair itself, if not please ping us. We've tried numerous scenarios, but we were not able to reproduce the issue (pulling ethernet cables, switching from wired to wifi, ...).

What might be a solution on the firewalled machine is adding:
remap-usr1 SIGTERM
to the conf file.
OpenVPN will reconnect using a new connection instead of trying to reestablish connection using the old parameters.

Actually the only thing we've changed is a differentiation of sessions allowed related to token duration, all the other back end code remained the same. In the past all tokens were allowed 5 sessions, now it is more strict.

Note that we do care about our customers, and if you have ideas on how to reproduce this, they are welcome.

/fermi
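To make the mechanism in the post above concrete, here is an added simulation of the per-token session counter (written for this page, not Cryptostorm's back-end code): a dropped link keeps its slot for the 120 s server-side window, an orderly exit releases it at once, a key renewal re-authenticates without consuming a second slot, and the limit depends on token length. The per-token-length limits are the ones listed in the posts of 3 May 2017 (1M: 1, 3M: 2, 6M: 3, 1Y/2Y: 4); the timeline with a link drop at t=300 and reconnects at t=330 and t=430 is constructed. It reproduces the complaint in the thread: the same reconnect pattern that fails on a 1M token succeeds on a 3M token.

```python
# Simultaneous connections per token length as listed in the posts of 3 May 2017.
SESSION_LIMITS = {"1M": 1, "3M": 2, "6M": 3, "1Y": 4, "2Y": 4}
GRACE_SECONDS = 120  # server-side window before a dropped session's slot is released


class TokenSessions:
    """Per-token session counter with the 120 s release window described in the thread."""

    def __init__(self, token_length):
        self.limit = SESSION_LIMITS[token_length]
        self.active = set()   # sessions with a live tunnel
        self.dropped = {}     # session_id -> time the link was lost (slot still held)

    def _release_expired(self, now):
        for sid, lost_at in list(self.dropped.items()):
            if now - lost_at >= GRACE_SECONDS:
                del self.dropped[sid]

    def in_use(self, now):
        self._release_expired(now)
        return len(self.active) + len(self.dropped)

    def login(self, session_id, now):
        """Initial authentication: takes a slot, or fails when the token is full."""
        if self.in_use(now) >= self.limit:
            return "AUTH_FAILED"
        self.active.add(session_id)
        return "OK"

    def renegotiate(self, session_id, now):
        """Key renewal re-authenticates an existing session; it must not take a new slot."""
        self._release_expired(now)
        return "OK" if session_id in self.active else "AUTH_FAILED"

    def link_lost(self, session_id, now):
        """Client vanished (cable pulled, mobile handover): slot held for GRACE_SECONDS."""
        self.active.discard(session_id)
        self.dropped[session_id] = now

    def clean_exit(self, session_id, now):
        """Orderly disconnect: slot released immediately."""
        self.active.discard(session_id)
        self.dropped.pop(session_id, None)


def mobile_reconnect_timeline(token_length):
    """Replay a constructed 'on and off on my mobile' pattern; return the auth results."""
    token = TokenSessions(token_length)
    results = [("t=0 login", token.login("s1", 0))]
    token.link_lost("s1", 300)                                  # radio drops at t=300
    results.append(("t=330 reconnect", token.login("s2", 330)))  # inside the 120 s window
    results.append(("t=430 reconnect", token.login("s3", 430)))  # window has passed
    return results


if __name__ == "__main__":
    for length in ("1M", "3M"):
        print(length, mobile_reconnect_timeline(length))
```

The 1M run gives OK, AUTH_FAILED, OK: the second attempt lands inside the window while the dead session still counts, which is the "takes 2 mins to re-allow connections" experience; with two slots the same pattern never fails.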
by Fermi
Wed May 03, 2017 12:17 pm
Forum: member support & tech assistance
Topic: Token repeatedly has auth failures, too many logons.
Replies: 19
Views: 20011

Re: Token repeatedly has auth failures, too many logons.

So now my 3 month token gets me only one logon?
If this is the case you could be dealing with zombie sessions (3M tokens should allow two connections). In that case please communicate us your token or hash, and we will take care of it.

Note: our warrant canary didn't kick in ... .

/fermi
by Fermi
Wed May 03, 2017 12:13 pm
Forum: member support & tech assistance
Topic: Token repeatedly has auth failures, too many logons.
Replies: 19
Views: 20011

Re: Token repeatedly has auth failures, too many logons.

Collecting Pizzas wrote:On and off and on and off on my mobile. 2-5 minutes if I'm lucky then it kicks out, and takes 2 mins to re-allow connections.

This VPN is completely useless right now. It's worse than ever.


I'm going to spend 30 minutes of my life to get the latest config files copied to my phone.

Sigh.
The disconnects could be typical for your mobile connection quality. We've recently changed the number of concurrent sessions allowed, related to the token duration.
Please note that the simultaneous devices/token are:
1M (and less) tokens: 1 device/token
3M: 2 devices/token
6M tokens: 3 devices/token
1Y & 2Y tokens: 4 devices/token
If the session hasn't been properly closed there's a 120s server timeout indeed. This is inherent to the design. In the past all tokens were allowed 5 sessions which led to abuse.
Changing from UDP to TCP could perhaps avoid the 120s ... .

/fermi
by Fermi
Mon May 01, 2017 9:07 pm
Forum: member support & tech assistance
Topic: OpenVPN version
Replies: 5
Views: 6668

Re: OpenVPN version

in Wireshark ...
by Fermi
Mon May 01, 2017 8:30 pm
Forum: member support & tech assistance
Topic: OpenVPN version
Replies: 5
Views: 6668

Re: OpenVPN version

Wireshark will in most cases propose the QUIC dissector when analyzing OpenVPN traffic. You should force the protocol to OpenVPN.
The used libraries/versions are OK.

/fermi
by Fermi
Mon May 01, 2017 8:27 pm
Forum: member support & tech assistance
Topic: Can't play anything on redbull.tv
Replies: 20
Views: 15992

Re: Can't play anything on redbull.tv

Code:

Also forgot to say my token seem to work on only two servers: fr and nl

osx with tunnelblick
We have a central authentication back-end, so if your token 'works' on one server, it will work on others
(unless cryptostorm.nu indicates: 'That token has reached the maximum number of sessions.').

redbull.tv isn't a reference for testing CS connections. To verify if you are connected, consult logfiles or visit: cryptostorm.is/test.

The fact that redbull.tv works on some servers and not on others could be the result of geo-blocking.
Any errors/messages in the latter case?

/fermi
by Fermi
Mon Apr 17, 2017 9:49 pm
Forum: member support & tech assistance
Topic: Token repeatedly has auth failures, too many logons.
Replies: 19
Views: 20011

Re: Token repeatedly has auth failures, too many logons.

Due to the fact we don't log we had limited data to build upon and the rules were somewhat ... relaxed. We added 4 grace sessions. This is too much and not corresponding with the price model, so a change was imminent. As a consequence the scripts didn't detect the difference between an initial login and a key renewal, and we ran into the
'Inactivity timeout (--ping-restart), restarting'
issue

viewtopic.php?f=32&t=9141&p=16889&hilit ... out#p16701

when people were having 5 devices connected at the same time.
After a code change, and without having to implement something new next to the existing 'session counter', we were able to differentiate between an initial login and a key renewal.
This gave us the possibility to bind a different number of simultaneous connections to the different token lengths. So instead of unofficially allowing 5 connections/token we implemented other values:
simultaneous connections/token are:
1M (and less) tokens: 1 connection/token
3M & 6M tokens: 2 connections/token
1Y & 2Y tokens: 4 connections/token
We did test these scripts using different methods (sending SIGUSR1, SIGTERM signals; firewalling the client in plain action) and we always saw the session counter decreasing. In some cases immediately, in other cases after a signal caused by the 'keepalive 20 60' directive we use. But apparently in some cases it seems that the session counter isn't decreased like it should be.
We need to profoundly look into this if your session counter doesn't decrease within 120s after the connection has been interrupted on your side (for whatever reason).

So we will work on/analyse this issue.

/fermi
by Fermi
Mon Apr 17, 2017 9:24 pm
Forum: member support & tech assistance
Topic: Token repeatedly has auth failures, too many logons.
Replies: 19
Views: 20011

Re: Token repeatedly has auth failures, too many logons.

@Captain Blackberry

Sorry to hear that and not acceptable. We will try to solve this issue asap. In the mean time, can you PM me the token/hash on IRC please (@Fermi)?

I'll elaborate more in the next couple of hours.

/fermi
by Fermi
Sat Apr 15, 2017 5:53 pm
Forum: member support & tech assistance
Topic: [RESOLVED] OpenVPN android Issue
Replies: 4
Views: 6207

Re: OpenVPN android Issue

Perhaps you are connected with other devices using the same token and are hitting the session limit:
Please note that the simultaneous devices/token are:
1M (and less) tokens: 1 device/token
3M & 6M tokens: 2 devices/token
1Y & 2Y tokens: 4 devices/token

If you test your token @ cryptostorm.nu and you get: 'That token has
reached the maximum number of sessions.' and this doesn't correspond with
the actual connections, please mail us your token.
/fermi
by Fermi
Sat Apr 15, 2017 1:40 pm
Forum: member support & tech assistance
Topic: Ubuntu 16.04 DNS Leaks ...
Replies: 14
Views: 13406

Re: Ubuntu 16.04 DNS Leaks ...

This is odd, because of:

Code:

$IPT6 -P OUTPUT DROP -m comment --comment "set default policies to drop all communication unless specifically allowed"
It shouldn't allow DNS queries over the IPv6 stack.
Perhaps it's a good idea to disable IPv6 in your kernel.

/fermi
by Fermi
Thu Apr 13, 2017 7:02 pm
Forum: member support & tech assistance
Topic: Ubuntu 16.04 DNS Leaks ...
Replies: 14
Views: 13406

Re: Ubuntu 16.04 DNS Leaks ...

The reason why you get this is because the script doesn't allow DNS queries before you connect to Cryptostorm. If you are not using IP addresses to connect to Cryptostorm, the system will not be able to connect.

To avoid this, you change (or you use IP addresses to connect:

Code:

$IPT -A OUTPUT -d 192.168.1.0/24 -p udp --dport 53 -j REJECT -m comment --comment "prevent usage of local DNS server"
to

Code:

$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "allow DNS queries"
$IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "allow DNS queries"
After applying this, the lines with:

Code:

--comment "dnscrypt-cert.okturtles.com"
are obsolete and can be removed.

After this change you should be able to make your tables persistent.

/fermi
by Fermi
Thu Apr 13, 2017 4:13 pm
Forum: member support & tech assistance
Topic: Ubuntu 16.04 DNS Leaks ...
Replies: 14
Views: 13406

Re: Ubuntu 16.04 DNS Leaks ...

The latest and (perhaps 8-) ) greatest can be found here:

Code:

https://github.com/fermi-cryptostorm/fermi-cryptostorm-git
/fermi
by Fermi
Thu Apr 13, 2017 1:23 pm
Forum: member support & tech assistance
Topic: Ubuntu 16.04 DNS Leaks ...
Replies: 14
Views: 13406

Re: Ubuntu 16.04 DNS Leaks ...

There's no need to launch it @ reboot.
You can make these rules persistent. If you google for your linux version and iptables + persistent you'll get some hits on the how ... .

Of course if we add/remove nodes it is advised to re-run and save again.

I need to update the script to include protection against WebRTC and update rules, so nslookup can switch to tcp to handle:

Code:

The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers.
I'll post something in this thread when done ... .

/fermi
by Fermi
Wed Apr 12, 2017 11:31 pm
Forum: member support & tech assistance
Topic: Can't Authenticate On Any Node
Replies: 21
Views: 16286

Re: Can't Authenticate On Any Node

Hi,

we've changed our policy regarding the allowed simultaneous connections/token:
https://twitter.com/cryptostorm_is/stat ... 2279579648

It boils down to the following:

Code:

simultaneous connections/token (sc/t) count:
1M (and less) tokens: 1 sc/t
3M & 6M tokens: 2 sc/t
1Y & 2Y tokens: 4 sc/t
best regards,

/fermi
by Fermi
Wed Apr 05, 2017 9:24 pm
Forum: member support & tech assistance
Topic: OpenVPN not connecting on Fedora 25
Replies: 1
Views: 4521

Re: OpenVPN not connecting on Fedora 25

That log snippet doesn't indicate that authentication is successful, please post the complete scrubbed log.

/fermi
by Fermi
Wed Apr 05, 2017 9:21 pm
Forum: member support & tech assistance
Topic: Connection Issues Again
Replies: 6
Views: 7637

Re: Connection Issues Again

What OS are you using?
Are you connecting using the widget or OpenVPN app?

Best thing is to drop by in our irc channel: cryptostorm.is/irc, drop your question/issue and have some patience ...

/fermi
by Fermi
Mon Apr 03, 2017 9:49 pm
Forum: member support & tech assistance
Topic: Connection Issues Again
Replies: 6
Views: 7637

Re: Connection Issues Again

Please check token @ cryptostorm.nu
Most likely it will tell you:
That token has reached the maximum number of sessions.
In that case please mail your token to support@cryptostorm.is

/fermi
by Fermi
Mon Apr 03, 2017 9:47 pm
Forum: member support & tech assistance
Topic: Says my token is invalid?
Replies: 1
Views: 4303

Re: Says my token is invalid?

That token has reached the maximum number of sessions.
is the clue, please mail your token to support@cryptostorm.is

/fermi
by Fermi
Sun Mar 26, 2017 4:37 pm
Forum: member support & tech assistance
Topic: Constant disconnects
Replies: 2
Views: 4458

Re: Constant disconnects

Please check token @ cryptostorm.nu .
If max sessions reached is indicated, mail your token to support@cryptostorm.is
in order to have a session count reset.

/fermi
by Fermi
Sat Mar 25, 2017 10:08 pm
Forum: cryptofree: no-cost cryptostorm network access
Topic: troubles connecting
Replies: 6
Views: 15565

Re: troubles connecting

Code:

Sat Mar 25 15:08:00 2017 us=496104 UDPv4 link remote: [AF_INET]195.154.33.73:443
Sat Mar 25 15:08:17 2017 us=762532 TLS Error: TLS key negotiation failed to occur within 17 seconds (check your network connectivity)
Sat Mar 25 15:08:17 2017 us=762532 TLS Error: TLS handshake failed
That node is down at the moment, this explains the error you are getting.
There's a second Cryptofree node, so after an

Code:

ipconfig /flushdns
, there's a possibility the widget will connect to the working one.

We will look into this issue.

/fermi
by Fermi
Tue Mar 14, 2017 12:10 am
Forum: member support & tech assistance
Topic: Auth failing
Replies: 7
Views: 6825

Re: Auth failing

I had a look in the support@cryptostorm.is mailbox. There's no mail related to your issues in there ... .
Can you resend it? Or visit our IRC channel: cryptostorm.is/irc

Regards,

/Fermi
by Fermi
Tue Feb 28, 2017 5:48 pm
Forum: member support & tech assistance
Topic: Error: Authorization failed for that token
Replies: 11
Views: 11965

Re: Error: Authorization failed for that token

Only solution for that is sending token or hash to support@cryptostorm.is, so I can reset the sessions.

/fermi
by Fermi
Sun Feb 26, 2017 12:52 pm
Forum: independent cryptostorm token resellers, & tokens 101
Topic: Free Aleph
Replies: 3
Views: 18215

Re: Free Aleph

Actually the token has already been deleted before it was posted. The fact that the token is posted here is the result of ... (I won't waste my words on this one).

/fermi
by Fermi
Sun Feb 19, 2017 2:26 pm
Forum: member support & tech assistance
Topic: USSouth Windows vs Linux
Replies: 3
Views: 5559

Re: USSouth Windows vs Linux

Two DNS queries, with some time in between. You can clearly see the order in which the records are provided is different:

Code:

$ nslookup linux-frankfurt.cryptostorm.net

Non-authoritative answer:
Name:	linux-frankfurt.cryptostorm.net
Address: 46.165.240.174
Name:	linux-frankfurt.cryptostorm.net
Address: 46.165.222.248

$ nslookup linux-frankfurt.cryptostorm.net

Non-authoritative answer:
Name:	linux-frankfurt.cryptostorm.net
Address: 46.165.222.248
Name:	linux-frankfurt.cryptostorm.net
Address: 46.165.240.174
by Fermi
Sun Feb 19, 2017 1:48 pm
Forum: member support & tech assistance
Topic: USSouth Windows vs Linux
Replies: 3
Views: 5559

Re: USSouth Windows vs Linux

linux-ussouth.cryptostorm.net represents a cluster of two servers in two different DC's (same for Windows):

Code:

host linux-ussouth.cryptostorm.net:
linux-ussouth.cryptostorm.net has address 108.62.19.132
linux-ussouth.cryptostorm.net has address 70.32.38.68
When resolving the address it depends on the order the records are presented, the OS will most likely take the first one in the list, and taking into account DNS cache; explains your observation.

/fermi
by Fermi
Sun Feb 19, 2017 1:39 pm
Forum: member support & tech assistance
Topic: ISP detecting Piratebay on VPN
Replies: 5
Views: 6858

Re: ISP detecting Piratebay on VPN

What's the URL you are using?
Are you sure the message is coming from your ISP? Can you post a screenshot, removing all information which can lead to ISP or yourself?

Did you check on ipleak.net or cryptostorm.is if you are connected or subject of leaks?

/fermi
by Fermi
Tue Feb 14, 2017 6:46 pm
Forum: member support & tech assistance
Topic: Router: Zyxel p-2812HNU-F1 configuration
Replies: 4
Views: 4816

Re: Router: Zyxel p-2812HNU-F1 configuration

ZYX,

Cryptostorm is using the OpenVPN protocol, not IPsec. If your router doesn't have specific OpenVPN support, it will not work.

Best regards,

Fermi
by Fermi
Tue Feb 07, 2017 6:00 pm
Forum: member support & tech assistance
Topic: All connections down?
Replies: 26
Views: 15468

Re: All connections down?

Hi,

Sounds like a 'max sessions reached' problem ... . Please check token @ cryptostorm.nu for this message.
If positive, please mail token to support@ or fermi@ so we can reset it.

/fermi
by Fermi
Tue Feb 07, 2017 3:59 pm
Forum: member support & tech assistance
Topic: All connections down?
Replies: 26
Views: 15468

Re: All connections down?

Just ran a test towards all nodes. Good results ... .
Something wrong on your side?

/fermi
by Fermi
Fri Jan 20, 2017 12:38 pm
Forum: member support & tech assistance
Topic: Major reliability issues with CryptoStorm since October
Replies: 10
Views: 7809

Re: Major reliability issues with CryptoStorm since October

We're looking into the OpenVPN source code on how to differentiate between an authentication cycle issued by key renewal and initial login.
If we are able to do that we can solve this issue without having to add extra logging/data on our end.
We'll keep you posted.

/fermi
by Fermi
Fri Jan 20, 2017 12:38 pm
Forum: member support & tech assistance
Topic: Serious Drops and packet loss South node
Replies: 108
Views: 76329

Re: Serious Drops and packet loss South node

We're looking into the OpenVPN source code on how to differentiate between an authentication cycle issued by key renewal and initial login.
If we are able to do that we can solve this issue without having to add extra logging/data on our end.
We'll keep you posted.

/fermi
by Fermi
Tue Jan 17, 2017 6:21 pm
Forum: member support & tech assistance
Topic: Serious Drops and packet loss South node
Replies: 108
Views: 76329

Re: Serious Drops and packet loss South node

The issue can be triggered by the session limitation parameter. Officially Cryptostorm allows one connection / token. To technically deal with slow disconnects etc, the limit is put on three. This means that technically speaking there can be three concurrent connections, taking into account that there is no simultaneous renegotiation occurring.
After doing some extensive testing, we are confident that the majority of these 'Inactivity timeout' issues are related to the session limit. Simulation shows that when all sessions are occupied, renegotiation (happens every 1200 seconds), which includes authentication, doesn't result in an AUTH_FAILED message, but leads to the 'Inactivity timeout' issue.
There is no way OpenVPN differentiates between an initial authentication and an authentication as a result of a renegotiation. If the latter would have been the case then this issue would have an easy solution.
When you are prepared to log extra data like (non-conclusive and non-exhaustive) IP, node, timestamp ..., one can also tackle this issue. But Cryptostorm is very reluctant to add additional critical data to the process.
We're looking into this, but for now please monitor your tokens wrt. the sessions. When sessions are not properly handled, this can lead to zombie sessions. In that case please contact us.

regards,

/Fermi ;)
by Fermi
Thu Dec 29, 2016 8:15 pm
Forum: member support & tech assistance
Topic: Problem Adding Config Files to Tunnelblick
Replies: 2
Views: 3951

Re: Problem Adding Config Files to Tunnelblick

Is the .ovpn file human readable?

Please note when downloading profiles from github:
When saving these config files, DO NOT USE right-click -> "Save file as" in your browser.
That will cause the HTML page listing the file to be saved, which will cause errors in OpenVPN.

Instead, click on the file you want to use, then click on "Raw", then save it.
/fermi
by Fermi
Sun Dec 25, 2016 5:12 am
Forum: member support & tech assistance
Topic: Serious Drops and packet loss South node
Replies: 108
Views: 76329

Re: Serious Drops and packet loss South node

0x24d wrote:Earlier this week I decided to test to see whether the token re-authentication issue would happen with multiple tokens.

I have been connected to the Lithuania node with a secondary token I bought a month after I bought the token I was using originally. The connection has been fine, the longest I have been connected is 10 hours and that was due to turning my PC off and not due to the connection dropping.

My original token still disconnects after 20 minutes (to Lithuania), I am authenticating using the sha256 hashes of each token so the issue isn't to do with non-hashed vs hashed tokens.
If it disconnects systematically each 20 minutes, you most likely have reached your session limit. Check your token @ cryptostorm.nu while connected. If it states max sessions reached, please send the token referring to this topic to support@cryptostorm.is.

/fermi
by Fermi
Thu Dec 22, 2016 8:35 pm
Forum: member support & tech assistance
Topic: [pfSense] Transparent Darknet Access
Replies: 3
Views: 5400

Re: [pfSense] Transparent Darknet Access

This article, although referring to a competitor could guide you:
https://nguvu.org/pfsense/pfsense-2.3-setup/

/fermi
by Fermi
Fri Dec 02, 2016 6:23 pm
Forum: member support & tech assistance
Topic: Serious Drops and packet loss South node
Replies: 108
Views: 76329

Re: Serious Drops and packet loss South node

London connection still up after 14 hours ...

/fermi
by Fermi
Thu Dec 01, 2016 8:50 pm
Forum: member support & tech assistance
Topic: Serious Drops and packet loss South node
Replies: 108
Views: 76329

Re: Serious Drops and packet loss South node

seems disturbingly normal ;)

/fermi
by Fermi
Mon Nov 28, 2016 3:43 am
Forum: member support & tech assistance
Topic: Serious Drops and packet loss South node
Replies: 108
Views: 76329

Re: Serious Drops and packet loss South node

@Parityboy,

The "pings" are being sent. These do not behave like ICMP pings. No reply is expected. The client sends ping packets to the server, and the server sends ping packets to the client.
This should be according to the pushed directive ping 20. The client should receive a ping every 20 seconds and the client should send out a ping every 20 seconds.
This is visible when using verb 7 without mute and grepping: SENT PING and RECEIVED PING PACKET

On Windows client we see an inbound ping every 20 seconds, and an outbound ping every 60s. This isn't really according to the OpenVPN man pages?
On Linux client inbound ping (although the same directives are used as the Windows server) isn't every 20 seconds:
22:33:37 2016 us=293779 RECEIVED PING PACKET
22:34:37 2016 us=738332 RECEIVED PING PACKET
22:35:13 2016 us=458883 RECEIVED PING PACKET
22:35:37 2016 us=344539 RECEIVED PING PACKET
22:36:13 2016 us=389301 RECEIVED PING PACKET
same for the ping sent by the client:
21:21:24 2016 us=333098 SENT PING
21:22:19 2016 us=449388 SENT PING
21:22:57 2016 us=334075 SENT PING
21:23:19 2016 us=441406 SENT PING
21:23:57 2016 us=149393 SENT PING
Even if the timing isn't strict, the tunnel stays active as long as pings go back and forth.
If one or both sides have stopped pinging, this will result in a 'Inactivity timeout', followed by a restart after a couple of minutes. (I've seen this situation a couple of times.)

Weird we see different behavior between Linux and Windows, and we see a difference in what is mentioned in the man pages.

df and myself have connections with ussouth that have been stable for hours now (without changes server or client side).

Are you in the possibility to run this verb 7 test?

/fermi
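The verb 7 test proposed in the post above can be evaluated mechanically. The script below is an added example (not from the post or from Cryptostorm): it parses the SENT PING / RECEIVED PING PACKET lines in the truncated "hh:mm:ss year us=..." form shown above, computes the gap between consecutive pings per direction with microsecond precision, and reports any gap longer than the pushed ping-restart 60. The two sample logs are the page's own lines; the third (STALLED_LOG) is constructed to show a 90 s silence being flagged. Keep in mind that ping-restart is reset by any received packet, not only pings, so on a busy tunnel a flagged gap in a ping-only grep is a warning rather than proof of a restart; on an idle tunnel it is exactly the condition that produces 'Inactivity timeout (--ping-restart)'.

```python
import re

PING_RESTART = 60  # pushed by the server: ping 20, ping-restart 60

# verb 7 lines copied from the post above (hh:mm:ss year us=... form as printed there)
RECEIVED_LOG = """\
22:33:37 2016 us=293779 RECEIVED PING PACKET
22:34:37 2016 us=738332 RECEIVED PING PACKET
22:35:13 2016 us=458883 RECEIVED PING PACKET
22:35:37 2016 us=344539 RECEIVED PING PACKET
22:36:13 2016 us=389301 RECEIVED PING PACKET
"""
SENT_LOG = """\
21:21:24 2016 us=333098 SENT PING
21:22:19 2016 us=449388 SENT PING
21:22:57 2016 us=334075 SENT PING
21:23:19 2016 us=441406 SENT PING
21:23:57 2016 us=149393 SENT PING
"""
# Constructed lines (not from the page): the server goes quiet for 90 s.
STALLED_LOG = """\
10:00:00 2016 us=000000 RECEIVED PING PACKET
10:00:20 2016 us=000000 RECEIVED PING PACKET
10:01:50 2016 us=000000 RECEIVED PING PACKET
"""

LINE_RE = re.compile(
    r"(\d\d):(\d\d):(\d\d) \d{4} us=(\d+) (RECEIVED PING PACKET|SENT PING)"
)


def parse_ping_events(log):
    """Return {direction: [timestamp_in_microseconds, ...]} for both ping directions."""
    events = {"RECEIVED PING PACKET": [], "SENT PING": []}
    for m in LINE_RE.finditer(log):
        h, mi, s, us, kind = m.groups()
        t = (int(h) * 3600 + int(mi) * 60 + int(s)) * 1_000_000 + int(us)
        events[kind].append(t)
    return events


def gaps_us(timestamps):
    """Differences between consecutive timestamps, tolerating a midnight wrap."""
    out = []
    for a, b in zip(timestamps, timestamps[1:]):
        d = b - a
        if d < 0:
            d += 86_400 * 1_000_000
        out.append(d)
    return out


def find_silences(log, ping_restart=PING_RESTART):
    """(direction, gap index, seconds) for every gap longer than ping-restart."""
    hits = []
    for kind, ts in parse_ping_events(log).items():
        for i, d in enumerate(gaps_us(ts)):
            if d > ping_restart * 1_000_000:
                hits.append((kind, i, d / 1_000_000))
    return hits


if __name__ == "__main__":
    for name, log in (("received", RECEIVED_LOG), ("sent", SENT_LOG), ("stalled", STALLED_LOG)):
        ev = parse_ping_events(log)
        print(name, {k: [g / 1e6 for g in gaps_us(v)] for k, v in ev.items() if v})
        print("  over ping-restart:", find_silences(log))
```

On the page's own received-ping lines the first gap is 60.44 s, just over the threshold, which matches the remark that timing isn't strict; the 35, 24 and 36 s gaps are well inside it, and the sent side never exceeds 56 s.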
by Fermi
Sat Nov 26, 2016 1:21 pm
Forum: member support & tech assistance
Topic: Bad file descriptor?
Replies: 3
Views: 5292

Re: Bad file descriptor?

@BAM

Please uninstall and use the latest version (beta), to be found @:
https://b.unni.es/cryptostorm_setup.exe

/fermi
by Fermi
Fri Nov 25, 2016 9:11 pm
Forum: member support & tech assistance
Topic: Serious Drops and packet loss South node
Replies: 108
Views: 76329

Re: Serious Drops and packet loss South node

@parityboy,

These values shouldn't be repeated in the client config file I believe. These are pushed by the helper directive --keepalive.
PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,redirect-gateway bypass-dhcp,dhcp-option DNS 108.62.19.131,route-gateway 10.44.0.1,topology subnet,ping 20,ping-restart 60,ifconfig 10.44.78.120 255.255.0.0'
The TTL of our DNS records is 1337 seconds or 22.3 minutes. If there's an inactivity timeout and the DNS record didn't renew due to ex. key renewal, ping-restart will not work as there's no way to resolve the address anymore.
Increasing the TTL would make sure that the tunnel can be established again, but there will still be a moment where there's no connection right after the inactivity timeout.

So if we can find out what is causing the inactivity timeout this problem will be solved.

Wonder if there's a difference between UDP and TCP connections.

Personally I don't have issues with DE and CH connections.

/fermi
by Fermi
Fri Nov 25, 2016 2:30 pm
Forum: member support & tech assistance
Topic: Serious Drops and packet loss South node
Replies: 108
Views: 76329

Re: Serious Drops and packet loss South node

I've read this whole thread. It doesn't seem to be restricted to USSouth, is this assumption correct?

Code: Select all

Inactivity timeout (--ping-restart), restarting
...
RESOLVE: Cannot resolve host address: xxx.cryptostorm.net: Temporary failure in name resolution
seems to be the common denominator, correct?

ping 20, ping-restart 60 is pushed by the server.

I'm connected to USSouth and have the same issue. I'll connect to another node and see if this issue moves with it.

/fermi
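The failure mode discussed in the two posts above (ping/ping-restart pushed from the server's --keepalive, then a RESOLVE failure once the restart fires after the 1337 s DNS TTL has run out), as an added example that is not code from the thread or from cryptostorm: a Python script that reads a constructed OpenVPN client log modelled on the lines quoted above, extracts the pushed keepalive values from the PUSH_REPLY, pairs each inactivity restart with a RESOLVE failure that follows it, and checks whether the answer obtained at the last successful connect had outlived the TTL by the time of the restart. The log lines and timestamps are constructed, not a real capture.

```python
"""Triage an OpenVPN client log for the ping-restart -> DNS failure pattern."""
import re
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the thread; not a real capture.
SAMPLE_LOG = """\
Fri Nov 25 20:01:03 2016 PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,redirect-gateway bypass-dhcp,dhcp-option DNS 108.62.19.131,route-gateway 10.44.0.1,topology subnet,ping 20,ping-restart 60,ifconfig 10.44.78.120 255.255.0.0'
Fri Nov 25 20:01:04 2016 Initialization Sequence Completed
Fri Nov 25 20:31:10 2016 Inactivity timeout (--ping-restart), restarting
Fri Nov 25 20:31:10 2016 SIGUSR1[soft,ping-restart] received, process restarting
Fri Nov 25 20:31:12 2016 RESOLVE: Cannot resolve host address: xxx.cryptostorm.net: Temporary failure in name resolution
"""

DNS_TTL_SECONDS = 1337  # TTL of the node records, as stated in the post

# Timestamp as OpenVPN writes it, with the optional "us=123456" field that verb 7 logs carry.
TS_RE = re.compile(r"^(\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4}) (?:us=\d+ )?(.*)$")
PUSH_RE = re.compile(r"'PUSH_REPLY,(.*)'")
RESOLVE_PREFIX = "RESOLVE: Cannot resolve host address:"


def parse_line(line):
    """Return (datetime, message) for a timestamped log line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def parse_push_reply(msg):
    """Split the PUSH_REPLY option list into {option: [argument string, ...]}.
    Options such as redirect-gateway may be pushed more than once, hence the list."""
    m = PUSH_RE.search(msg)
    if not m:
        return {}
    pushed = {}
    for opt in m.group(1).split(","):
        name, _, args = opt.strip().partition(" ")
        pushed.setdefault(name, []).append(args)
    return pushed


def pushed_keepalive(pushed):
    """(ping, ping-restart) in seconds, as expanded server-side from --keepalive."""
    return int(pushed.get("ping", ["0"])[0]), int(pushed.get("ping-restart", ["0"])[0])


def restart_then_resolve_failure(log_text):
    """Pair every ping-restart with a RESOLVE failure that follows it before the next
    successful initialization. Returns [(restart_time, hostname), ...]."""
    findings, pending = [], None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, msg = parsed
        if "Inactivity timeout (--ping-restart)" in msg:
            pending = ts
        elif msg.startswith("Initialization Sequence Completed"):
            pending = None
        elif pending is not None and msg.startswith(RESOLVE_PREFIX):
            host = msg[len(RESOLVE_PREFIX):].split(":", 1)[0].strip()
            findings.append((pending, host))
            pending = None
    return findings


def record_expired_at_restart(log_text, ttl_seconds=DNS_TTL_SECONDS):
    """True when the DNS answer obtained for the last successful connect had aged past
    the TTL by the time the ping-restart fired: the client then has to resolve the
    node name again, with the tunnel (and any DNS that went through it) already gone."""
    connected = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, msg = parsed
        if msg.startswith("Initialization Sequence Completed"):
            connected = ts
        elif "Inactivity timeout (--ping-restart)" in msg and connected is not None:
            return (ts - connected).total_seconds() > ttl_seconds
    return False


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        parsed = parse_line(line)
        if parsed and "PUSH_REPLY" in parsed[1]:
            print("pushed keepalive:", pushed_keepalive(parse_push_reply(parsed[1])))
    print("restart followed by resolve failure:", restart_then_resolve_failure(SAMPLE_LOG))
    print("record past TTL at restart:", record_expired_at_restart(SAMPLE_LOG))
```

When the restart lands past the TTL, the client must resolve the node name again with the tunnel already down; how long it keeps trying is governed by the client's --resolv-retry setting, and a client whose only resolver was reachable through the tunnel will fail exactly as the quoted RESOLVE line shows.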
by Fermi
Tue Sep 06, 2016 11:15 am
Forum: member support & tech assistance
Topic: AUTH_FAILED On New Account
Replies: 1
Views: 4481

Re: AUTH_FAILED On New Account

Please check your token/hash @ cryptostorm.nu
Also, the token is case-sensitive. If issues remain, mail the token to support@cryptostorm.is, so we can do further diagnostics on it.

/fermi
by Fermi
Sat Aug 13, 2016 12:44 pm
Forum: member support & tech assistance
Topic: Getting exception while trying to connect with cryptostorm
Replies: 3
Views: 5955

Re: Getting exception while trying to connect with cryptostorm

Hi,

The clue is in:

Code: Select all

iptables -A INPUT -d 212.129.34.154 -j ACCEPT
(-d is --destination). It should be:

Code: Select all

iptables -A INPUT -s 212.129.34.154 -j ACCEPT
because if you consider INPUT, 212.129.34.154 is the source of the traffic.

You could also use:

Code: Select all

# Loopback and the local stub resolver
iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback device"
iptables -A OUTPUT -o lo -j ACCEPT -m comment --comment "Allow loopback device"
iptables -A INPUT -s 127.0.1.1 -j ACCEPT -m comment --comment "resolv"
iptables -A OUTPUT -d 127.0.1.1 -j ACCEPT -m comment --comment "resolv"

# Log and drop outgoing STUN binding requests (WebRTC address discovery)
iptables -A OUTPUT  -p udp -m udp -m string --hex-string "|0001|" --algo bm --from 27 --to 28 -m string --hex-string "|2112a442|" --algo bm --from 30 --to 34 -j LOG --log-prefix "STUN binding request : " --log-level 4
iptables -A OUTPUT  -p udp -m udp -m string --hex-string "|0001|" --algo bm --from 27 --to 28 -m string --hex-string "|2112a442|" --algo bm --from 30 --to 34 -j DROP

# Local LAN, and replies to connections this host initiated
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Only the VPN servers may be contacted directly
iptables -A OUTPUT -d 212.129.34.154 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-cryptofree.cryptostorm.net"
iptables -A OUTPUT -d 212.129.10.40 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-cryptofree.cryptostorm.net"

# Set default policies to drop all communication unless specifically allowed
# (-P sets a chain policy rather than adding a rule, so the comment lives here instead of in -m comment)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Log (rate limited) and drop everything else
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
iptables -A LOGGING -j DROP
Please change 192.168.1.0/24 to reflect your local LAN situation. These tables will also protect against WebRTC. As they make use of conntrack, ... it could be that you need to activate some additional kernel modules.

/fermi
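A check for the -d versus -s mix-up corrected above, plus the one gap a practitioner looks for in any default-DROP kill switch, as an added example (not code from the thread or from cryptostorm): a small Python linter that parses iptables command lines and flags an ACCEPT on INPUT keyed on a public destination address (on a client that rule names the host's own address at best and matches nothing behind NAT, since the VPN server is the packet's source there) or an ACCEPT on OUTPUT keyed on a public source, and warns when OUTPUT policy is DROP but nothing accepts traffic leaving through a tun interface, because the rules as quoted would then send the tunnel's own traffic into the LOGGING chain as well. The rule lists are constructed from the commands quoted above; the tun0 rule in the corrected set is a hypothetical addition.

```python
"""Lint iptables kill-switch rules for direction mix-ups and a missing tunnel allow."""
import ipaddress
import shlex

# Constructed from the commands quoted in the post: the user's original -d rule plus an
# abridged copy of the suggested set. Not a dump from a real host.
POSTED_RULES = [
    'iptables -A INPUT -d 212.129.34.154 -j ACCEPT',
    'iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback device"',
    'iptables -A OUTPUT -o lo -j ACCEPT -m comment --comment "Allow loopback device"',
    'iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"',
    'iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"',
    'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT',
    'iptables -A OUTPUT -d 212.129.34.154 -p udp --dport 443 -j ACCEPT -m comment --comment "linux-cryptofree.cryptostorm.net"',
    'iptables -P INPUT DROP',
    'iptables -P OUTPUT DROP',
    'iptables -P FORWARD DROP',
    'iptables -N LOGGING',
    'iptables -A OUTPUT -j LOGGING',
    'iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4',
    'iptables -A LOGGING -j DROP',
]

# Same set with the direction fixed and a hypothetical tunnel allow inserted before the policies.
FIXED_RULES = [r.replace("-A INPUT -d 212.129.34.154", "-A INPUT -s 212.129.34.154") for r in POSTED_RULES]
FIXED_RULES.insert(FIXED_RULES.index('iptables -P INPUT DROP'),
                   'iptables -A OUTPUT -o tun0 -j ACCEPT -m comment --comment "everything else goes through the tunnel"')


def parse_rule(cmd):
    """Pick the chain, addresses, interfaces, target and policy out of one iptables command.
    Other options (match extensions, comments, ports) are skipped token by token."""
    argv = shlex.split(cmd)
    rule = dict(chain=None, src=None, dst=None, in_if=None, out_if=None, target=None, policy=None)
    flags = {"-A": "chain", "-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
             "-i": "in_if", "--in-interface": "in_if", "-o": "out_if", "--out-interface": "out_if",
             "-j": "target", "--jump": "target"}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-P" and i + 2 < len(argv):
            rule["chain"], rule["policy"] = argv[i + 1], argv[i + 2]
            i += 3
        elif tok in flags and i + 1 < len(argv):
            rule[flags[tok]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return rule


def is_local(addr):
    """Private, link-local and loopback ranges are 'our side'; anything else is a remote peer."""
    net = ipaddress.ip_network(addr, strict=False)
    return net.is_private or net.is_loopback or net.is_link_local


def lint(rules):
    """Return a list of human-readable findings; an empty list means nothing to complain about."""
    parsed = [parse_rule(r) for r in rules]
    policy = {r["chain"]: r["policy"] for r in parsed if r["policy"]}
    findings = []
    for r in parsed:
        if r["target"] != "ACCEPT":
            continue
        # On INPUT the remote peer is the packet's source; on OUTPUT it is the destination.
        if r["chain"] == "INPUT" and r["dst"] and not is_local(r["dst"]):
            findings.append(f"INPUT accepts on -d {r['dst']}: the VPN server is the source, use -s {r['dst']}")
        if r["chain"] == "OUTPUT" and r["src"] and not is_local(r["src"]):
            findings.append(f"OUTPUT accepts on -s {r['src']}: the VPN server is the destination, use -d {r['src']}")
    tunnel_ok = any(r["chain"] == "OUTPUT" and r["target"] == "ACCEPT" and (r["out_if"] or "").startswith("tun")
                    for r in parsed)
    if policy.get("OUTPUT") == "DROP" and not tunnel_ok:
        findings.append("OUTPUT policy is DROP but nothing accepts -o tun+: traffic inside the tunnel is dropped too")
    return findings


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name, lint(rules) or ["ok"])
```

The direction heuristic is deliberately narrow: it only looks at ACCEPT rules keyed on a non-private address, so the loopback, LAN and conntrack lines pass untouched, and the quoted INPUT conntrack rule is what actually lets the server's UDP replies in once the client has sent its first packet.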
by Fermi
Sun Jul 31, 2016 8:03 pm
Forum: member support & tech assistance
Topic: That token has reached the maximum number of sessions.
Replies: 4
Views: 6653

Re: That token has reached the maximum number of sessions.

Hi,

"That token has reached the maximum number of sessions." is a message you will get if you used the maximum number of sessions allowed with one token. If you indicate you are only trying to use one session, we'll need to have a look at the token and correct this.
Can you email the token or hash to support@cryptostorm.is?

Best regards,

/fermi
by Fermi
Fri Jul 29, 2016 8:30 pm
Forum: member support & tech assistance
Topic: iPhone VPN logon not working
Replies: 3
Views: 11163

Re: iPhone VPN logon not working

Hi,

Please do the following:

1) Go to iOS settings
2) Scroll down to the settings panel for OpenVPN
3) Look for "Force AES-CBC ciphersuites" in advanced settings
4) Enable it. It's off by default.
Regards,

/fermi
by Fermi
Thu Jul 28, 2016 5:16 pm
Forum: member support & tech assistance
Topic: VPN noob
Replies: 8
Views: 10736

Re: VPN noob

Hi,

The exit node you've selected is down atm:
UDP OpenVPN is DOWN on 76.164.234.13 port 443

Please try other nodes and evaluate.

/fermi
by Fermi
Wed Jul 27, 2016 11:14 am
Forum: member support & tech assistance
Topic: No longer connecting using Cryptostorm 2.2 Widget
Replies: 19
Views: 21544

Re: No longer connecting using Cryptostorm 2.2 Widget

Hi JDR,

This is perhaps something we can fix ... .
Please send a mail to support@cryptostorm.is or visit our IRC channel: cryptostorm.is/irc or give a more detailed description of your problem here.

You shouldn't have to go back to PIA!

Regards,

/fermi
by Fermi
Wed Jul 27, 2016 11:10 am
Forum: member support & tech assistance
Topic: TLS timeout when connecting.
Replies: 1
Views: 5198

Re: TLS timeout when connecting.

Hi,

No, this actually means that the end node cannot be reached. Either the node is down or there is a firewall issue on your side, ... .
In this case: 195.154.33.73 isn't in our midst anymore.
So please update your nodes:

Code: Select all

https://github.com/cryptostorm/cryptostorm_client_configuration_files
Regards,

/fermi
by Fermi
Mon Jul 11, 2016 8:05 pm
Forum: member support & tech assistance
Topic: VPN noob
Replies: 8
Views: 10736

Re: VPN noob

Hi,

You can use the following command:

Code: Select all

nslookup windows-balancer.cryptostorm.net
This will look up all Windows nodes.

Code: Select all

nslookup linux-balancer.cryptostorm.net
for linux ... .

/fermi
by Fermi
Wed Jul 06, 2016 1:25 am
Forum: member support & tech assistance
Topic: DNS Leak test
Replies: 3
Views: 5476

Re: DNS Leak test

Hi

The IPs of the Cryptofree DNS servers are:
  • 195.154.61.33
  • 212.83.175.31
depending on the Cryptofree server you are connected to.

/fermi
by Fermi
Fri Apr 29, 2016 9:04 pm
Forum: member support & tech assistance
Topic: Error: the plugin doesn't support import capability, Ubuntu 16.04 LTS
Replies: 4
Views: 8161

Re: Error: the plugin doesn't support import capability, Ubuntu 16.04 LTS

Hi,

Next to:

Code: Select all

sudo apt-get install network-manager-openvpn-gnome
did you also :

Code: Select all

sudo apt-get install network-manager-openvpn
followed by:

Code: Select all

service network-manager restart
?

Later I saw this:
You can connect from the command line:

Code: Select all

sudo openvpn --config ~/openvpn/xxx.conf
depending on the path where you have stored the configuration of course.

/fermi
by Fermi
Tue Apr 26, 2016 6:09 pm
Forum: member support & tech assistance
Topic: What's happened to PJ ?
Replies: 28
Views: 30389

Re: What's happened to PJ ?

df wrote:
df here, just noticed this thread so thought I might as well comment on some of what was said:
(yea, yea, I know. I don't visit the forum often enough.)
Question is: what will be the future of Crypto VPN?
CS will continue regardless of whatever happens to PJ.

To continue in the same way:
Fermi here ...
I concur with df and will continue to support Cryptostorm by any means possible, as I did in the past.

df wrote:
I'll agree that less is said in the public areas when PJ isn't around, but that's only because we're busy focusing on the stuff going on behind the scenes. We would rather the network continue to run smoothly than worry about what tweets are trending, or whatever the hell you call it.

We indeed need to work on that, as this is an important aspect of the service. We'll do our best to improve. Just don't expect the same style / eloquence ... .

Cryptostorm is very different from the most other VPN providers out there, but I'm convinced Cryptostorm has a lot of potential.

Take care out there and contact us when you feel you have some issues/remarks ... .

Greetz,

/fermi
by Fermi
Sat Apr 16, 2016 2:00 pm
Forum: member support & tech assistance
Topic: ASUS Router Padavan Firmware
Replies: 6
Views: 6932

Re: ASUS Router Padavan Firmware

Of course it is advised to use the hash to keep the disconnect between the delivered token and member in place. But if you are lazy or have a situation where the hash isn't an option, one can choose to use the token.
The widget will indeed hash the token before connecting. If you use OpenVPN to connect, the hash will be done on the node.
Note that the hash or token will cross the wires encrypted, and that they aren't used to encrypt the data. They are only used for authentication!

Regards,

Fermi
by Fermi
Fri Apr 15, 2016 8:48 pm
Forum: member support & tech assistance
Topic: ASUS Router Padavan Firmware
Replies: 6
Views: 6932

Re: ASUS Router Padavan Firmware

Hi,

If the 'Login' field accepts the token (not the hash), you should be able to authenticate, as nodes accept both the plain token and the hash.
The standard password is: 93b66e7059176bbfa418061c5cba87dd (but can have any value)

Regards,

/fermi
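What "hash the token before connecting" from the two posts above looks like on a client that feeds OpenVPN a credentials file, as an added example (not the widget's code and not from the thread), also covering the case-sensitivity point from the AUTH_FAILED post: it assumes the hash is SHA-512 of the token string, which the posts do not name, so check the current cryptostorm documentation before relying on it; the token and the password used here are made-up values. The file layout reflects the posts' point that only the hash is sent as the username, that the password field is not checked, and that the delivered token itself never leaves the machine.

```python
"""Hash a token client-side and store it for OpenVPN's auth-user-pass file."""
import hashlib
import os
import stat
import tempfile

# Assumption, not stated in the posts: the token hash is SHA-512 of the token string.
HASH = hashlib.sha512
# The node does not check the password; the value quoted in the post is only a convention.
DEFAULT_PASSWORD = "93b66e7059176bbfa418061c5cba87dd"


def hashed_username(token):
    """Hex digest that goes on the wire as the username instead of the delivered token.
    The token is matched exactly (case-sensitive), so surrounding whitespace is rejected
    rather than silently trimmed: a mail client that mangled it should be noticed."""
    if not token or token != token.strip():
        raise ValueError("token is empty or has surrounding whitespace")
    return HASH(token.encode("utf-8")).hexdigest()


def auth_file_contents(token, password=DEFAULT_PASSWORD):
    """auth-user-pass layout: username on line 1, password on line 2."""
    if "\n" in password or "\r" in password:
        raise ValueError("password must be a single line")
    return f"{hashed_username(token)}\n{password}\n"


def write_auth_file(token, password=DEFAULT_PASSWORD, path=None):
    """Create the file 0600 from the first byte (os.open with the mode, not chmod afterwards)
    and return (path, mode) so the caller can verify what ended up on disk."""
    if path is None:
        fd, path = tempfile.mkstemp(prefix="cs-auth-")
        os.close(fd)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(auth_file_contents(token, password))
    # os.open's mode only applies when the file is created; a pre-existing file keeps its bits.
    os.chmod(path, 0o600)
    return path, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    path, mode = write_auth_file("example-token-value")  # constructed token, not a real one
    print(path, oct(mode))
    print("reference it from the .ovpn with: auth-user-pass", path)
```

Point the client at the file with auth-user-pass and the raw token stays on disk only in hashed form; the hash still authenticates on its own, so the 0600 mode is what keeps it from other local users.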
by Fermi
Fri Apr 01, 2016 6:12 pm
Forum: cryptofree: no-cost cryptostorm network access
Topic: .onion sites not loading
Replies: 2
Views: 26112

Re: .onion sites not loading

Hi,

.onion sites will not resolve within Cryptofree. This is reserved for paid connections.

Regards,

/fermi
by Fermi
Thu Mar 17, 2016 8:14 pm
Forum: member support & tech assistance
Topic: ISP throttling VPN or other issue?
Replies: 6
Views: 14240

Re: ISP throttling VPN or other issue?

marzametal,

Including the use of dnscrypt?

/fermi
by Fermi
Sat Feb 06, 2016 1:16 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: 宮本 Tokyo (Japan) exitnode cluster | anchor node = miyamoto 宮本
Replies: 37
Views: 77032

Re: 宮本 Tokyo (Japan) exitnode cluster | anchor node = miyamoto 宮本

I would propose to send an email to both df@cryptostorm.is and fermi@cryptostorm.is.
So I can update IRC topic and other channels.

Regards,

/fermi
by Fermi
Fri Feb 05, 2016 11:06 pm
Forum: member support & tech assistance
Topic: Can't really browse with CS connected
Replies: 5
Views: 9417

Re: Can't really browse with CS connected

Hi,

The

Code: Select all

Fri Feb 05 13:53:13 2016 us=305538 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: block-outside-dns (2.3.6)
entry is related to the implementation of the fix-leak-dns plugin from ValdikSS:
https://community.openvpn.net/openvpn/ticket/605

This new directive has been implemented in OpenVPN 2.3.9. This option is not available yet in the Widget OpenVPN version, hence the error.
I do believe this is not the cause of your problems.

The following:

Code: Select all

Fri Feb 05 13:53:18 2016 us=70307 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=6]
could cause the issue.

So I would recommend a reboot, check of the TAP drivers, and a test connection to the Frankfurt server.

I tested the Italian server and I see there's a DNS issue there. The London server works fine for me ... .

Regards,

/Fermi
by Fermi
Mon Jan 25, 2016 8:02 pm
Forum: member support & tech assistance
Topic: Site not sending emails
Replies: 1
Views: 6053

Re: Site not sending emails

Hi,

You've sent a mail to support@cryptostorm.is right?
The token has been sent out automatically and I've sent it to the two email addresses in your mail.

Perhaps the mails have been dropped in your spam folders or the cryptostorm.is domain is blocked by the mail servers you use ... .

If you want your token, please visit our IRC channel:
cryptostorm.is/irc

or provide another email address ... .

Thanks,

/fermi