pass quick on $en proto tcp from any port 5223 to any port 5223
OK, understood. The torrent downloading eventually turned out to have the same speed as a direct download, so that is OK.

parityboy wrote:
@vlnchat
With regard to torrents, a cause of that might be a port forwarding issue. Using your ISP's connection, your router will probably forward your torrent client's ports using UPnP; port forwarding makes you more connectable, i.e. your client is able to accept unsolicited incoming connections, just like a web server.

Load Avg.: 1.43

parityboy wrote:
CryptoStorm does not support port forwarding, so efficiency of a torrent swarm will suffer if many others in the swarm are as unconnectable as you are. For an additional data point, what's your CPU load while downloading over CS?

IS node, 79.134.235.133.

parityboy wrote:
@vlnchat
4.65MB/s translates to 37.2Mb/s. Which node was that test conducted against?

Thanks for your quick reply. Downloading that file with wget gives me an average of 4.65MB/s. At that moment speedtest gave me 101Mb/s.

DesuStrike wrote:
Can you try this one and report the results?
Those flash/html5 speed tests are very unreliable and regularly provide completely false information.

wget -O /dev/null http://cachefly.cachefly.net/100mb.test

With Apple I wouldn't be surprised if there is some kind of traffic shaping based on ISP in place. So a speed test with CacheFly should give us the most unbiased result.
#
# com.apple anchor point
#
# Options ('set ...') must come before normalization, translation and filter
# rules, otherwise pfctl rejects the file; the original had this after 'block all'.
set skip on lo0
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
vpn = "tun0"
en = "{en0 en4}"
table <local> const { 192.168.1.0/24, 192.168.178.0/24, 145.94.0.0/16 }
table <dns> const { 212.54.40.25, 212.54.44.54, 10.4.0.1 }
table <cs_vpn> const { 46.165.222.248, 198.27.89.56, 79.134.235.133, 167.88.9.27, 23.19.35.14, 212.83.167.81, 89.26.243.109 }
# Default deny: anything not explicitly passed below is dropped.
block all
# Allow Airdrop and Airprint. Remove if not desired.
pass on p2p0
pass on p2p1
pass on p2p2
pass quick proto tcp to any port 631
# Everything inside the tunnel is allowed.
pass on $vpn
# DHCP. The initial DISCOVER is sent from 0.0.0.0:68 to 255.255.255.255:67, so it
# cannot be matched with 'from <local>'; the OFFER/ACK come back from port 67.
pass quick on $en proto udp from any port 68 to any port 67
pass quick on $en proto udp from any port 67 to any port 68
# Bonjour (mDNS on udp/5353, DNS-SD on tcp/5354)
pass on $en proto tcp to <local> port 5354
pass on $en proto tcp from <local> port 5354
pass on $en proto udp to <local> port 5353
pass on $en proto udp from <local> port 5353
# DNS to/from LAN hosts
pass on $en proto udp from <local> port 53
pass on $en proto udp to <local> port 53
# ssh
pass on $en proto tcp from <local> port 22
pass on $en proto tcp to <local> port 22
# DNS servers
pass on $en proto { udp tcp } to <dns> port 53
# CS VPN servers (the only Internet destination allowed outside the tunnel)
pass on $en proto udp to <cs_vpn> port 443
pass on $en proto udp from <cs_vpn> port 443
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
# These variables may not be correct on your system.
# Physical interfaces found at "Apple > About This Mac > System Report… > Network"
vpn = "tun0"
loopback = "lo0"
cryptostorm = "46.165.222.248"
wifi = "en0"
# These are private network addresses. Choose the one that is suitable to network(s)
# you wish to be compatible with.
#table <private> const { 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 10.0.0.0/8 }
# Return on block instead of dropping packets.
# (If enabled, 'set' lines must be moved above the com.apple anchors: options precede rules.)
#set block-policy return
# Ignore loopback interface.
#set skip on $loopback
# Scrub all packets.
#scrub in all
# Block everything by default.
block all
# Block all IPV6 packets. No support yet for IPV6.
#block quick inet6
# Block all ICMP packets. Can't hurt, right?
#block quick proto icmp
# Allow local network traffic.
#pass from <private> to <private>
# Allow Airdrop and Airprint. Remove if not desired.
pass on p2p0
pass on p2p1
pass on p2p2
pass quick proto tcp to any port 631
# Allow traffic on VPN interface.
pass on $vpn
# Allow DHCP packets. Not needed if manually configuring network.
# DISCOVER/REQUEST go from 0.0.0.0:68 to 255.255.255.255:67; the OFFER/ACK come back
# from the server's own address on port 67, not from 255.255.255.255, so the inbound
# rule must not pin the source address.
pass out quick proto udp from any port 68 to 255.255.255.255 port 67
pass in quick proto udp from any port 67 to any port 68
# Allow the DNS resolvers in use (OpenNIC DNSCrypt servers here; replace with your own).
pass out proto udp to 213.73.91.35
pass in proto udp from 213.73.91.35
pass out proto udp to 80.237.196.2
pass in proto udp from 80.237.196.2
# The VPN server itself is the only other destination reachable outside the tunnel.
pass out proto udp to $cryptostorm port 443
pass in proto udp from $cryptostorm port 443
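The two rulesets above share a few mistakes that are easy to miss by eye: a `set` option placed after filter rules (pfctl rejects that ordering), DHCP rules pinned to addresses the DHCP exchange never uses, a duplicated table entry, and `pass` rules on the physical interface that are not constrained to any destination at all. The following Python linter is an added example written for this thread, not code from any poster or from cryptostorm. It runs those checks over a constructed, trimmed copy of the first ruleset (defects kept on purpose) and over a corrected version of it. The finding codes and the heuristic that treats `tun*`, `utun*` and `lo*` as tunnel/loopback interfaces are this example's own assumptions.

```python
"""Static sanity checks for a macOS pf ruleset used as a VPN kill switch.

Added example for this thread; not code from any poster or from cryptostorm.
Finding codes are this example's own names:
  OPTION_AFTER_FILTER  'set' after block/pass rules (pfctl rejects the order)
  NO_DEFAULT_DENY      no 'block all', so unmatched traffic is passed
  UNCONSTRAINED_PASS   pass off the tunnel with no table/address constraint
  DHCP_FROM_TABLE      DHCP rule pinned to a table; DISCOVER comes from 0.0.0.0:68
  DUP_TABLE_ENTRY      the same address listed twice in a table
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interfaces on which unconstrained passes are expected (assumption of this example).
TUNNEL_PREFIXES = ("tun", "utun", "lo")

# Constructed sample: trimmed copy of the first ruleset in the thread, defects left in.
SAMPLE_RULESET = """\
vpn = "tun0"
en = "{en0 en4}"
table <local> const { 192.168.1.0/24, 192.168.178.0/24, 192.168.178.0/24 }
table <cs_vpn> const { 46.165.222.248 }
block all
set skip on lo0
pass on $vpn
pass quick proto tcp to any port 631
pass quick on $en proto udp from <local> port 67:68
pass on $en proto udp to <cs_vpn> port 443
"""

# The same ruleset with every finding fixed.
HARDENED_RULESET = """\
set skip on lo0
vpn = "tun0"
en = "{en0 en4}"
table <cs_vpn> const { 46.165.222.248 }
block all
pass on $vpn
pass out quick on $en proto udp from any port 68 to 255.255.255.255 port 67
pass in quick on $en proto udp from any port 67 to any port 68
pass on $en proto udp to <cs_vpn> port 443
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the ruleset; 0 for whole-file findings
    code: str
    message: str


def _interfaces(stmt: str) -> list[str]:
    """Interfaces named by 'on X' or 'on {X Y}'; [] when the rule has no 'on'."""
    m = re.search(r"\bon\s+(\{[^}]*\}|\S+)", stmt)
    return m.group(1).strip("{}").split() if m else []


def lint(ruleset: str) -> list[Finding]:
    findings: list[Finding] = []
    macros: dict[str, str] = {}
    seen_filter = False
    default_deny = False

    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        stmt = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not stmt:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?\s*$', stmt)          # macro
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^table\s+<(\w+)>.*?\{([^}]*)\}", stmt)      # table
        if m:
            entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
            for dup in sorted({e for e in entries if entries.count(e) > 1}):
                findings.append(Finding(lineno, "DUP_TABLE_ENTRY",
                                        f"<{m.group(1)}> lists {dup} more than once"))
            continue
        if stmt.startswith("set "):
            if seen_filter:
                findings.append(Finding(lineno, "OPTION_AFTER_FILTER",
                                        "'set' must precede block/pass rules"))
            continue
        if not stmt.startswith(("block", "pass")):
            continue   # anchors, scrub, nat, rdr are out of scope here
        seen_filter = True
        stmt = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), stmt)
        if re.match(r"^block(\s+(drop|return))?(\s+quick)?\s+all$", stmt):
            default_deny = True
            continue
        if not stmt.startswith("pass"):
            continue
        ifaces = _interfaces(stmt)
        if ifaces and all(i.startswith(TUNNEL_PREFIXES) for i in ifaces):
            continue   # traffic inside the tunnel/loopback is what the kill switch allows
        if re.search(r"\bport\s+6[78]\b", stmt):                    # DHCP rule
            if re.search(r"\bfrom\s+<\w+>", stmt):
                findings.append(Finding(lineno, "DHCP_FROM_TABLE",
                                        "DISCOVER is sent from 0.0.0.0:68; 'from <table>' never matches it"))
            continue   # DHCP legitimately uses any/broadcast before the tunnel is up
        if not re.search(r"\b(to|from)\s+(<\w+>|\d{1,3}(?:\.\d{1,3}){3})", stmt):
            findings.append(Finding(lineno, "UNCONSTRAINED_PASS",
                                    "pass outside the tunnel with no table/address constraint"))

    if not default_deny:
        findings.append(Finding(0, "NO_DEFAULT_DENY", "no 'block all' rule; unmatched traffic is passed"))
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {name}: {len(lint(text))} finding(s)")
        for f in lint(text):
            print(f"  line {f.line:>2} {f.code:<20} {f.message}")
```

Run it as a script to see the four findings against the sample and none against the hardened version. It is a line-oriented heuristic, not a pf parser: it knows nothing about anchors or `quick` ordering, so treat its output as a review aid and still confirm with `sudo pfctl -nf <file>` on the Mac, which parses the file without loading it.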
Dec 06 16:56:54: Viscosity OpenVPN Engine Started
Dec 06 16:56:54: Running on Mac OS X 10.10.1
Dec 06 16:56:54: ---------
Dec 06 16:56:54: Checking reachability status of connection...
Dec 06 16:56:55: Connection is reachable. Starting connection attempt.
Dec 06 16:56:55: OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec 3 2014
Dec 06 16:56:55: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
anchor "pf_cs.conf"
load anchor "pf_cs.conf" from "/etc/pf.anchors/pf_cs.conf"
anchor "org.cryptostorm"
sudo pfctl -e -v -f /etc/pf.anchors/firewall.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.anchors/firewall.conf:4: syntax error
pfctl: Syntax error in config file: pf rules not loaded
# this is the cryptostorm.is client settings file, versioning...
# cstorm_mac_dynamic_1-4 - post-heartbleed
# it is intended to provide connection to a dynamically loadbalanced pool of cs machines worldwide
# DNS resolver redundancy provided by TLD-striped, randomised lookup queries
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also... FuckTheNSA - for reals
client
dev tun
resolv-retry 16
nobind
float
proto udp
# txqueuelen 686
# expanded packet queue plane, to improve throughput on high-capacity sessions
# NOTE: keep this item commented out if using Viscosity as a client; see viscosity.cryptostorm.ch
# sndbuf/rcvbuf take a single size argument; a stray word here makes OpenVPN reject the file
sndbuf 1655368
rcvbuf 1655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance
#remote-random
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks
<connection>
remote 127.0.0.1 443
</connection>
# <connection>
# remote raw-balancer-dynamic.cryptostorm.ch 443 udp
# </connection>
#
# <connection>
# remote raw-balancer-dynamic.cryptostorm.nu 443 udp
# </connection>
#
# <connection>
# remote raw-balancer-dynamic.cstorm.pw 443 udp
# </connection>
comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - https://cryptostorm.ch/viewtopic.php?f=38&t=5981
down-pre
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage
allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration
explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions
hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted
mssfix 1400
# congruent with server-side --fragment directive
auth-user-pass
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet
# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
# confirms via RSA-based public-key crypto that server instance is legitimately cryptostorm
# does NOT identify client, and is used solely as part of anti-Man In The Middle (MiTM) hardening
ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.
auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors
cipher AES-256-CBC
# data channel cipher: AES-256 in CBC mode (a block cipher mode, not a stream cipher)
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently
replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.ch
tls-client
key-method 2
# selects OpenVPN's TLS-based key exchange (method 2); this is the key negotiation method, not an entropy source
# log devnull.txt
# verb 0
# mute 1
# commented out for OSX sessions as they do not play nicely with our local nomenclature syntax yet
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Saturday 6th of September 2014 01:50:00 PM
# OpenVPN Client Configuration
# AirVPN_NL-Nekkar_SSL-443
# --------------------------------------------------------
client
dev tun
proto tcp
remote 127.0.0.1 1413
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
route 37.48.81.49 255.255.255.255 net_gateway
<ca>
-----BEGIN CERTIFICATE-----
[cert left out]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[cert left out]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
[private key left out]
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[key left out]
-----END OpenVPN Static key V1-----
</tls-auth>
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Saturday 6th of September 2014 01:50:00 PM
# STunnel Client Configuration
# AirVPN_NL-Nekkar_SSL-443
# --------------------------------------------------------
foreground = yes
pid = /tmp/stunnel4.pid
options = NO_SSLv2
client = yes
debug = 6
[openvpn]
accept = 127.0.0.1:1413
connect = 37.48.81.49:443
TIMEOUTclose = 0