cryptostorm's community forum

vinchat

Has anyone experienced delayed iMessages when using pf? iMessage uses TCP over 5223, 443, 80 . I've added this rule, but doesn't help:

Code: Select all

pass quick on $en proto tcp from any port 5223 to any port 5223

vinchat

Just tried Onyx (France):
/dev/null 100%[====================================>] 100.00M 13.1MB/s in 7.7s

(13.0 MB/s) - '/dev/null' saved [104857600/104857600]

Significantly better performance. So it really depends on the node you're connected to...

vinchat

parityboy wrote:@vlnchat

With regard to torrents, a cause of that might be a port forwarding issue. Using your ISP's connection, your router will probably forward your torrent client's ports using UPnP; port forwarding makes you more connectable, i.e. your client is able to accept unsolicited incoming connections, just like a web server.

OK, understood. The torrent downloading eventually turned out to have the same speed as a direct download, so that is OK.

parityboy wrote: CryptoStorm does not support port forwarding, so efficiency of a torrent swarm will suffer if many others in the swarm are as unconnectable as you are. For an additional data point, what's your CPU load while downloading over CS?

Load Avg.: 1.43
CPU usage: 1.17%

While downloading via the provided cachefly link.

vinchat

parityboy wrote:@vlnchat

4.65MB/s translates to 37.2Mb/s. Which node was that test conducted against?

IS node, 79.134.235.133.

vinchat

Downloading a popular torrent behind CS gives me ~100kb/s, while on my ISP I get 9-10MB/s download of the same torrent...

EDIT: now CS is providing me with 3MB/s, so kinda corresponds to 24Mb/s. Still not what I hoped to get behind CS VPN...

vinchat

DesuStrike wrote:Can you try this one and report the results?
Code: Select all
wget -O /dev/null http://cachefly.cachefly.net/100mb.test
Those flash/html5 speed tests are very unreliable and regularly provide completely false information.
With apple I wouldn't be surprised if there is some kind of traffic shaping based on ISP in place. So a speed test with cache fly should give us the most unbiased result.

Thanks for your quick reply. Downloading that file with wget gives me and average of 4.65MB/s. At that moment speedtest gave me 101Mb/s.

vinchat

Hi,

After seeing a few reports on CS VPN speeds like Tealc (viewtopic.php?f=51&t=6262) has reported in his signature, I started investigating a bit in why I do not get these speeds.

I'm using the 1_4 raw balancer for mac config. Connected to the Portugese, US and IS servers, it looks like I'm kind of capped at 25Mb/s. Only IS servers give me around 120Mb/s speed, but then when testing a real download via an http connection does not verify that. Testing this using an iPhone firmware download from Apple (http://appldnld.apple.com/ios8.1.2/031- ... store.ipsw) gives me ~2,5MB/s speeds (~15MB/s expected), while testing this download immediately after using my own ISP, I get a solid 22MB/s.

CS_vpn_Portugal and US after both 5 tries gives me all similar results like this, sometimes going to dl: 26Mb/s:

CS_vpn_IS:

CS_vpn_IS_2:

CS_vpn_IS_3:

CS_vpn_IS_4:

own ISP:

Is there something I'm doing wrong?

Thanks in advance for the feedback.

vinchat

Yes, disabling the skip on loopback was part of the problem. Some time ago I figured it out, it's inferieur to your solution, but works good enough. For the rest out of there...

Code: Select all

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"as
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

vpn=tun0
en = "{en0 en4}"

table <local> const { 192.168.1.0/24, 192.168.178.0/24, 145.94.0.0/16, 192.168.178.0/24 }
table <dns> const { 212.54.40.25, 212.54.44.54, 10.4.0.1 }

table <cs_vpn> const { 46.165.222.248, 198.27.89.56, 79.134.235.133, 167.88.9.27, 23.19.35.14, 212.83.167.81, 89.26.243.109 }

block all

set skip on lo

# Allow Airdrop and Airprint. Remove if not desired.
pass on p2p0
pass on p2p1
pass on p2p2
pass quick proto tcp to any port 631

pass on $vpn

#pass DHCP requests
pass on $en proto udp to <local> port 5353
pass quick on $en proto udp from <local> port 67:68

# Bonjour
pass on $en proto tcp to <local> port 5354
pass on $en proto tcp from <local> port 5354
pass on $en proto udp to <local> port 5353
pass on $en proto udp from <local> port 5353
pass on $en proto udp from <local> port 53
pass on $en proto udp to <local> port 53

# ssh
pass on $en proto tcp from <local> port 22
pass on $en proto tcp to <local> port 22

# DNS servers
pass on $en proto { udp tcp } to <dns> port 53

# CS VPN servers
pass on $en proto udp to <cs_vpn> port 443
pass on $en proto udp from <cs_vpn> port 443

vinchat

Alright, so the problem was that the last line should be ended with <CR> char (\n). That is now fixed and the following rules are now loaded without errors:

Code: Select all

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"as
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"



# These variables may not be correct on your system.
# Physical interfaces found at "Apple > About This Mac > System Report… > Network"
vpn      = "tun0"
loopback = "lo0"
cryptostorm = "46.165.222.248"
wifi = "en0"

# These are private network addresses. Choose the one that is suitable to network(s)
# you wish to be compatible with.
#table <private> const { 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 10.0.0.0/8 }

# Return on block instead of dropping packets.
#set block-policy return

# Ignore loopback interface.
#set skip on $loopback

# Scrub all packets.
#scrub in all

# Block everything by default.
block all

# Block all IPV6 packets. No support yet for IPV6.
#block quick inet6

# Block all ICMP packets. Can't hurt, right?
#block quick proto icmp



# Allow local network traffic.
#pass from <private> to <private>

# Allow Airdrop and Airprint. Remove if not desired.
pass on p2p0
pass on p2p1
pass on p2p2
pass quick proto tcp to any port 631

# Allow traffic on VPN interface.
pass on $vpn


# Allow DHCP packets. Not needed if manually configuring network.
pass out quick proto udp from any             port 68 to 255.255.255.255 port 67
pass in  quick proto udp from 255.255.255.255 port 67 to any             port 68

# Allow DNS servers. Replace Xs with OpenNIC DNSCrypt server IP address.
pass out proto udp to   213.73.91.35
pass in  proto udp from 213.73.91.35
pass out proto udp to   80.237.196.2
pass in  proto udp from 80.237.196.2

pass out proto udp to   $cryptostorm port 443
pass in  proto udp from $cryptostorm port 443

Changed position of a few rules and disabled a few because of the "Rules must be in order: options, normalization, queueing, translation, filtering" error. I'm connecting to the "raw-balancer-dynamic.cryptostorm.net" (46.165.222.248) server.

But now, viscosity is stuck here:

Code: Select all

06 16:56:54: Viscosity OpenVPN Engine Started
Dec 06 16:56:54: Running on Mac OS X 10.10.1
Dec 06 16:56:54: ---------
Dec 06 16:56:54: Checking reachability status of connection...
Dec 06 16:56:55: Connection is reachable. Starting connection attempt.
Dec 06 16:56:55: OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec  3 2014
Dec 06 16:56:55: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08

Anyone...?

vinchat

Hi,

I'm following your procedure. Have all the files set up like this:
/etc/pf.anchors/firewall.conf
/etc/pf.anchors/or.cryptostorm.balancer
/etc/pf.anchors/pf_cs.conf

In which firewall.conf contains:

Code: Select all

anchor "pf_cs.conf"
load anchor "pf_cs.conf" from "/etc/pf.anchors/pf_cs.conf"

anchor "org.cryptostorm"

The other files are the same as yours.
When I execute the

Code: Select all

sudo pfctl -e -v -f /etc/pf.anchors/firewall.conf

I get the following error:

Code: Select all

pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.anchors/firewall.conf:4: syntax error
pfctl: Syntax error in config file: pf rules not loaded

So it says something is wrong with 'anchor "org.cryptostorm" ' in the firewall config. Any clue what's going on?

Thanks in advance!

vinchat

@parityboy ok thanks. It's more that I would like to have one VPN to "rule 'em all" as in: provides anonymity for personal activities and that can bypass the DPI firewall at my office. Hopefully CS will provide SSL wrapping in the future..

vinchat

Thanks guys.

Is there any other way of masking/hiding CS's VPN connection over port 443?

vinchat

The *.ssl certificate can easily be modified to point to cryptostorm servers. The ovpn however, is telling me it's invalid when I change it like so (changing remote, removing random, and adding proto udp):

Code: Select all

# this is the cryptostorm.is client settings file, versioning...
# cstorm_mac_dynamic_1-4 - post-heartbleed

# it is intended to provide connection to a dynamically loadbalanced pool of cs machines worldwide
# DNS resolver redundancy provided by TLD-striped, randomised lookup queries
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also... FuckTheNSA - for reals


client
dev tun
resolv-retry 16
nobind
float
proto udp

# txqueuelen 686
# expanded packet queue plane, to improve throughput on high-capacity sessions
# NOTE: keep this item commented out if using Viscosity as a client; see viscosity.cryptostorm.ch

sndbuf size 1655368
rcvbuf size 1655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance

#remote-random
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks

<connection>
remote 127.0.0.1 443
</connection>

# <connection>
# remote raw-balancer-dynamic.cryptostorm.ch 443 udp
# </connection>
#
# <connection>
# remote raw-balancer-dynamic.cryptostorm.nu 443 udp
# </connection>
#
# <connection>
# remote raw-balancer-dynamic.cstorm.pw 443 udp
# </connection>

comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - https://cryptostorm.ch/viewtopic.php?f=38&t=5981

down-pre
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage

allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration

explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions

hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400
# congruent with server-side --fragment directive

auth-user-pass
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet

# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.

<ca>
-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
+vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
X03mQP3ssBs2YRNR5hR5cMdC
-----END CERTIFICATE-----
</ca>
# confirms via RSA-based public-key crypto that server instance is legitimately cryptostorm
# does NOT identify client, and is used solely as part of anti-Man In The Middle (MiTM) hardening

ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.

auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.ch

tls-client
key-method 2
# specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap

# log devnull.txt
# verb 0
# mute 1
# commented out for OSX sessions as they do not play nicely with our local nomenclature syntax yet

It does not contain the a certificate and a private key to construct the HTTPS tunnel I think... Can someone please confirm that this wel never work without cryptostorm servers to fully support SSL tunnelling?

vinchat

Of course.

ovpn config:

Code: Select all

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Saturday 6th of September 2014 01:50:00 PM
# OpenVPN Client Configuration
# AirVPN_NL-Nekkar_SSL-443
# --------------------------------------------------------

client
dev tun
proto tcp
remote 127.0.0.1 1413
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
route 37.48.81.49 255.255.255.255 net_gateway
<ca>
-----BEGIN CERTIFICATE-----
[cert left out]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[cert left out]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
[private key left out]
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[key left out]
-----END OpenVPN Static key V1-----
</tls-auth>

corresponding *.ssl config for stunnel:

Code: Select all

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Saturday 6th of September 2014 01:50:00 PM
# STunnel Client Configuration
# AirVPN_NL-Nekkar_SSL-443
# --------------------------------------------------------

foreground = yes
pid = /tmp/stunnel4.pid
options = NO_SSLv2
client = yes
debug = 6

[openvpn]
accept = 127.0.0.1:1413
connect = 37.48.81.49:443
TIMEOUTclose = 0

vinchat

Hi,

Currently I'm using AirVPN's SSL tunnel (using stunnel) option to tunnel all my traffic through an OpenVPN connection masked as an HTTPS connection through port 433. This because I need to bypass a DPI firewall that only supports HTTPS through port 433. All other ports are blocked and VPN protocols through 433 are getting blocked as well.

I'm using stunnel with an .ssl config file provided by AirVPN. I'd like to move to cryptostorm, but with the general setup, it does not work.

Using OSX, Viscosity, used this thread to set up and get the ovpn config.

Currently it gets blocked. Any instructions on getting cryptostorm to work wrapped in an SSL layer are welcome

Thanks in advance!

cryptostorm's community forum

Search found 15 matches

Re: HOWTO: OS X VPN Leak Block

Re: Strange speed difference when downloading

Re: Strange speed difference when downloading

Re: Strange speed difference when downloading

Re: Strange speed difference when downloading

Re: Strange speed difference when downloading

Strange speed difference when downloading

Re: HOWTO: OS X VPN Leak Block

Re: HOWTO: OS X VPN Leak Block

Re: HOWTO: OS X VPN Leak Block

Re: tunnelling cryptosorm session thru SSL tunnel

Re: tunnelling cryptosorm session thru SSL tunnel

Re: tunnelling cryptosorm session thru SSL tunnel

Re: tunnelling cryptosorm session thru SSL tunnel

tunnelling cryptosorm session thru SSL tunnel