Search found 37 matches

by cryptomon
Sat Nov 20, 2021 5:33 am
Forum: member support & tech assistance
Topic: tls-crypt-v2 with openvpn service
Replies: 3
Views: 1681

Re: tls-crypt-v2 with openvpn service

Thanks for the feedback
by cryptomon
Sat Nov 13, 2021 7:18 pm
Forum: member support & tech assistance
Topic: tls-crypt-v2 with openvpn service
Replies: 3
Views: 1681

Re: tls-crypt-v2 with openvpn service

Okay, the solution I've found after following the guidelines for the manual method was that when applying the command

openvpn --config whatever.ovpn --tls-crypt-v2 tcv2.key
which in my case was done as shown above using the override.conf service file, one must also delete the existing key from the given config file. I did this using the sed command

sed -i '/<tls-crypt>/,/<\/tls-crypt>/d' "<whatever>.conf"
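The sed one-liner above removes only the inline <tls-crypt> block, but the same "mutually exclusive" options error also fires for a leftover tls-auth block or a standalone tls-auth / tls-crypt directive. The following script is an added example, not part of this thread and not OpenVPN's or cryptostorm's code: it strips both inline blocks and standalone directives, then re-checks the config for anything that would still clash with --tls-crypt-v2 before the service is restarted. The config it operates on is a constructed sample with a placeholder host and placeholder key bodies; the optional tls-crypt-v2 directive it can append is the config-file equivalent of the command-line flag used in the override.conf above.

```python
import re

# Directives that OpenVPN rejects next to --tls-crypt-v2 in client mode
# (the "mutually exclusive" options error quoted in this thread).
CONFLICTING = ("tls-auth", "tls-crypt")

# Constructed sample config: placeholder host and placeholder key bodies,
# not real cryptostorm material.
SAMPLE_CONF = """\
client
dev tun
# remote host is a documentation placeholder
remote vpn.example.invalid 443 udp
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
verb 3
"""


def strip_inline_blocks(text, tags=CONFLICTING):
    """Remove <tls-auth>...</tls-auth> and <tls-crypt>...</tls-crypt> blocks.

    For <tls-crypt> this is what the sed range delete in the post does.
    """
    for tag in tags:
        pattern = rf"^<{tag}>\n.*?^</{tag}>\n?"
        text = re.sub(pattern, "", text, flags=re.S | re.M)
    return text


def _directive(line):
    """First word of a config line, or '' for blank and comment lines."""
    s = line.strip()
    if not s or s.startswith(("#", ";")):
        return ""
    return s.split(maxsplit=1)[0]


def strip_directives(text, names=CONFLICTING):
    """Drop standalone 'tls-auth <file> [direction]' / 'tls-crypt <file>' lines."""
    kept = [ln for ln in text.splitlines() if _directive(ln) not in names]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def find_conflicts(text):
    """List every directive or inline block that still clashes with tls-crypt-v2."""
    found = []
    for line in text.splitlines():
        word = _directive(line)
        if word in CONFLICTING or re.fullmatch(r"<(tls-auth|tls-crypt)>", word):
            found.append(word)
    return found


def migrate_to_v2(text, v2_keyfile=None):
    """Return a config safe to use with --tls-crypt-v2.

    If v2_keyfile is given, a 'tls-crypt-v2 <file>' line is appended so the
    config carries the key itself instead of the service override's command line.
    """
    cleaned = strip_directives(strip_inline_blocks(text))
    leftovers = find_conflicts(cleaned)
    if leftovers:
        raise ValueError(f"still conflicting with tls-crypt-v2: {leftovers}")
    if v2_keyfile:
        if not cleaned.endswith("\n"):
            cleaned += "\n"
        cleaned += f"tls-crypt-v2 {v2_keyfile}\n"
    return cleaned


if __name__ == "__main__":
    print(find_conflicts(SAMPLE_CONF))  # ['<tls-crypt>']
    print(migrate_to_v2(SAMPLE_CONF, "tcv2.key"))
```

Running find_conflicts on the real .conf before and after the edit is the quick check that the systemd unit will not hit the options error again on restart.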
by cryptomon
Tue Nov 09, 2021 11:09 am
Forum: member support & tech assistance
Topic: tls-crypt-v2 with openvpn service
Replies: 3
Views: 1681

tls-crypt-v2 with openvpn service

Summary:
Following the blog https://cryptostorm.is/blog/tlscryptv2 for tls-crypt-v2 setup using the command line in bash under "For everyone else". I use the steps given as:

wget -O tcv2.key https://cryptostorm.is/tlscryptv2
openvpn --config whatever.ovpn --tls-crypt-v2 tcv2.key
except for the fact that I need to modify the connection using a service file,
openvpn-client@.service
where my override.conf file is modified to be

[Service]
ExecStart=
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --tls-crypt-v2 tcv2.key
However, I get this error:
openvpn[]: Options error: --tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode

I'm applying something wrong here. Is the openvpn command above meant to replace the tls-crypt-v1 certificate or do I still need to modify the .conf file? Not sure why I get this error, if someone might have a suggestion?
by cryptomon
Fri Jan 22, 2021 9:26 am
Forum: member support & tech assistance
Topic: AUTH_FAILED
Replies: 4
Views: 13528

Re: AUTH_FAILED

parityboy wrote:
Mon Nov 09, 2020 3:51 pm
@OP

The token checker is here. It only checks if a token is still in date though, it doesn't check current sessions in use.
If the number of my connected computers is less than the maximum permitted with a token (e.g. 2/6), and an auth_failed error is due to too many sessions in use, how does one resolve this issue or diagnose that that is what the problem is?
by cryptomon
Sun Dec 20, 2020 8:15 am
Forum: member support & tech assistance
Topic: AUTH_FAILED
Replies: 4
Views: 13528

Re: AUTH_FAILED

I'm having this issue with 2 of 3 computers even though my token is valid for 6 computers.
by cryptomon
Wed Oct 14, 2020 12:17 pm
Forum: member support & tech assistance
Topic: Wireguard
Replies: 3
Views: 16209

Re: Wireguard

Any further updates on when the wireguard webpage will work to get wireguard configs working? It still seems to go no-where for me...
by cryptomon
Tue Apr 28, 2020 12:04 pm
Forum: member support & tech assistance
Topic: Wireguard
Replies: 3
Views: 16209

Wireguard

Cryptostorm says it supports wireguard. I have not been able to set it up. The wireguard webpage doesn't seem to work or return the required information. Am I missing something?
by cryptomon
Fri Mar 27, 2020 2:11 pm
Forum: member support & tech assistance
Topic: dnscrypt-proxy connection warnings
Replies: 0
Views: 19007

dnscrypt-proxy connection warnings

I am getting some warnings on these resolvers:
Mar 27 <time> <name> dnscrypt-proxy: [WARNING] [cs-usil] is incompatible with anonymization
Mar 27 <time> <name> dnscrypt-proxy: [WARNING] [cs-mo] Incorrect signature for provider name: [2.dnscrypt-cert.cryptostorm.is.]
Mar 27 <time> <name> dnscrypt-proxy: [WARNING] [cs-ca2] is incompatible with anonymization
I can still connect. Is this significant?
by cryptomon
Wed Mar 04, 2020 10:29 am
Forum: member support & tech assistance
Topic: dnscrypt-proxy sdns (dns stamps)
Replies: 0
Views: 17285

dnscrypt-proxy sdns (dns stamps)

Okay, so this week's job was to learn some iptables. Subsequently I also wanted to get the IP addresses for cryptostorm (CS) from dnscrypt dns stamps (https://github.com/DNSCrypt/dnscrypt-proxy/wiki/stamps) using bash, which I managed to do. Somewhat to my surprise they all seem to have the same relay IP address (167.114.84.132:443) and the same resolvers IP address (162.221.207.228) between locations.

Is this normal practice to have the same IP for all the different locations?

I can see though that the resolver I end up using is not the same from the command:
$ dnscrypt-proxy -resolve www.archlinx.org

Thanks for any feedback.
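What the poster did in bash can be done with a small stamp decoder. The following Python is an added example, not part of this thread and not dnscrypt-proxy's own code: it implements the sdns:// encoding from the DNS Stamps specification linked above for the plain, DNSCrypt, DoH, DoT and anonymized-relay protocol ids, with bounds checks so a truncated or oversized field is rejected rather than silently decoded as a short key or empty address, and it groups resolver names by the address their stamp points at, which is how a "same IP for every location" situation shows up. The sample stamps are constructed from the addresses and provider name quoted in this thread with a placeholder 32-byte key; they are not cryptostorm's published stamps.

```python
import base64
import struct

# Protocol identifiers from the DNS Stamps specification linked in the post.
PROTO_NAMES = {0x00: "plain", 0x01: "dnscrypt", 0x02: "doh", 0x03: "dot",
               0x81: "dnscrypt-relay"}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")


def _lp(data):
    """Length-prefixed field: one length byte followed by the bytes."""
    if len(data) > 255:
        raise ValueError("field too long for a one-byte length prefix")
    return bytes([len(data)]) + data


class _Reader:
    """Bounds-checked cursor so a truncated stamp fails loudly."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated stamp")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self):
        return self.take(1)[0]

    def lp(self):
        return self.take(self.byte())

    def vlp(self):
        """Set of LP items; the high bit of a length byte means 'more follow'."""
        items = []
        while True:
            n = self.byte()
            items.append(self.take(n & 0x7F))
            if not n & 0x80:
                break
        return [i for i in items if i]

    def remaining(self):
        return self.pos < len(self.buf)


def parse_stamp(stamp):
    """Decode an sdns:// stamp into a dict of its fields."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not an sdns:// stamp")
    r = _Reader(_b64url_decode(stamp[len("sdns://"):]))
    proto = r.byte()
    if proto not in PROTO_NAMES:
        raise ValueError(f"unsupported protocol id 0x{proto:02x}")
    info = {"proto": PROTO_NAMES[proto]}
    if proto == 0x81:                       # relay: no properties, address only
        info["addr"] = r.lp().decode()
        return info
    props = struct.unpack("<Q", r.take(8))[0]
    info["props"] = {"dnssec": bool(props & 1), "no_logs": bool(props & 2),
                     "no_filters": bool(props & 4)}
    info["addr"] = r.lp().decode()
    if proto == 0x01:
        pk = r.lp()
        if len(pk) != 32:
            raise ValueError("DNSCrypt provider key must be 32 bytes")
        info["public_key"] = pk.hex()
        info["provider_name"] = r.lp().decode()
    elif proto in (0x02, 0x03):
        info["hashes"] = [h.hex() for h in r.vlp()]
        info["hostname"] = r.lp().decode()
        if proto == 0x02:
            info["path"] = r.lp().decode()
        if r.remaining():                   # optional bootstrap IPs
            info["bootstrap_ips"] = [b.decode() for b in r.vlp()]
    return info


def build_dnscrypt_stamp(addr, public_key, provider_name, props=0):
    body = (bytes([0x01]) + struct.pack("<Q", props) + _lp(addr.encode())
            + _lp(public_key) + _lp(provider_name.encode()))
    return "sdns://" + _b64url_encode(body)


def build_relay_stamp(addr):
    return "sdns://" + _b64url_encode(bytes([0x81]) + _lp(addr.encode()))


def addr_to_names(named_stamps):
    """Group server names by the address their stamp points at."""
    groups = {}
    for name, stamp in named_stamps.items():
        groups.setdefault(parse_stamp(stamp)["addr"], []).append(name)
    return {addr: sorted(names) for addr, names in groups.items()}


# Constructed sample: addresses and provider name are the ones quoted in this
# thread; the 32-byte key is a placeholder, not a real provider key.
SAMPLE_PK = bytes(range(32))
SAMPLE_STAMPS = {
    "cs-fi": build_dnscrypt_stamp("162.221.207.228", SAMPLE_PK, "2.dnscrypt-cert.cryptostorm.is", 7),
    "cs-nl2": build_dnscrypt_stamp("162.221.207.228", SAMPLE_PK, "2.dnscrypt-cert.cryptostorm.is", 7),
    "anon-cs-sample": build_relay_stamp("167.114.84.132:443"),
}
```

Feeding the real stamps from the resolver list into addr_to_names answers the question in the post directly: every name that lands under the same key is served from the same address.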
by cryptomon
Tue Nov 05, 2019 9:14 am
Forum: member support & tech assistance
Topic: cs dnscrypt-proxy server TIMEOUT
Replies: 10
Views: 18876

Re: cs dnscrypt-proxy server TIMEOUT

Strangely at the same time I am having trouble resolving the Balancer vpn option. No issue if I change to Switzerland for example.
by cryptomon
Tue Nov 05, 2019 7:30 am
Forum: member support & tech assistance
Topic: cs dnscrypt-proxy server TIMEOUT
Replies: 10
Views: 18876

Re: cs dnscrypt-proxy server TIMEOUT

I seem to be having more success now.

So I have a full list of "cs- " type servers listed after "server_names", as before.
It seems that to actually make each of these DNS servers accessible only via an anon relay, I have to manually create the "route" list for each item under server_names. One is okay, but for a long list it becomes more tedious. Might have to automate that in some way myself with some criteria, say of differing country of anon relay to dns server country.
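Automating the route list the way cryptomon describes, as an added example that is not part of this thread and not dnscrypt-proxy's own code: given a map of resolver names and relay names to country codes (a constructed sample here, not cryptostorm's catalogue), it picks relays in a different country from each resolver and renders the [anonymized_dns] section of dnscrypt-proxy.toml, refusing to emit the file when a resolver has no relay that meets the criterion rather than silently leaving it routed directly.

```python
# Constructed sample catalogue mapping server names to ISO country codes, as one
# might derive from the description column of a resolver list. Not real data.
RESOLVERS = {"cs-fi": "FI", "cs-nl2": "NL", "cs-ca": "CA"}
RELAYS = {"anon-cs-nl": "NL", "anon-cs-ca": "CA", "anon-cs-fi": "FI"}


def pick_relays(server_country, relays, max_via=2):
    """Relays located in a different country from the resolver, in a stable order."""
    eligible = sorted(name for name, country in relays.items()
                      if country != server_country)
    return eligible[:max_via]


def build_routes(server_names, resolvers, relays, max_via=2):
    """One (server_name, via) pair per entry of server_names.

    Raises instead of leaving a resolver without relays: a server that has no
    route is queried directly, which is exactly what the route list is meant
    to prevent.
    """
    routes = []
    for name in server_names:
        if name not in resolvers:
            raise KeyError(f"unknown resolver {name!r}")
        via = pick_relays(resolvers[name], relays, max_via)
        if not via:
            raise ValueError(f"no relay outside {resolvers[name]} for {name}")
        routes.append((name, via))
    return routes


def render_anonymized_dns(routes, skip_incompatible=True):
    """Render the [anonymized_dns] section of dnscrypt-proxy.toml."""
    entries = []
    for name, via in routes:
        via_list = ", ".join(f"'{relay}'" for relay in via)
        entries.append(f"    {{ server_name='{name}', via=[{via_list}] }}")
    body = ",\n".join(entries)
    flag = "true" if skip_incompatible else "false"
    return (f"[anonymized_dns]\n\nroutes = [\n{body}\n]\n\n"
            f"skip_incompatible = {flag}\n")


if __name__ == "__main__":
    routes = build_routes(["cs-fi", "cs-nl2", "cs-ca"], RESOLVERS, RELAYS)
    print(render_anonymized_dns(routes))
```

The rendered text replaces the [anonymized_dns] section of the .toml; skip_incompatible = true keeps servers that cannot be relayed out of the rotation instead of contacting them directly. dnscrypt-proxy also accepts server_name='*' as a catch-all route, which is the simpler option when the country criterion is not needed.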
by cryptomon
Mon Nov 04, 2019 10:36 am
Forum: member support & tech assistance
Topic: cs dnscrypt-proxy server TIMEOUT
Replies: 10
Views: 18876

Re: cs dnscrypt-proxy server TIMEOUT

I guess one has to now manually provide a list of routes for each resolver used or listed in the "server_names" list?
by cryptomon
Mon Nov 04, 2019 8:52 am
Forum: member support & tech assistance
Topic: cs dnscrypt-proxy server TIMEOUT
Replies: 10
Views: 18876

cs dnscrypt-proxy server TIMEOUT

Been trying to work through an issue of dnscrypt-proxy not connecting to the cs resolver servers. I keep getting TIMEOUT on all servers.
Previously it was telling me "No useable certificate found", but this doesn't seem to be showing up now - only the TIMEOUT errors.

[...] dnscrypt-proxy[149367]: Source [/var/cache/dnscrypt-proxy/public-resolvers.md] loaded
[...] dnscrypt-proxy[149367]: Firefox workaround initialized
[...] dnscrypt-proxy[149367]: Now listening to 127.0.0.1:53 [UDP]
[...] dnscrypt-proxy[149367]: Now listening to 127.0.0.1:53 [TCP]
[...] dnscrypt-proxy[149367]: No useable certificate found
[...] dnscrypt-proxy[149367]: dnscrypt-proxy is waiting for at least one server to be reachable
[...] dnscrypt-proxy[149367]: [cs-fi] TIMEOUT
[...] dnscrypt-proxy[149367]: [cs-nl2] TIMEOUT
[...] dnscrypt-proxy[149367]: [cs-ca] TIMEOUT

Are there any known issues with these servers? Changing to some other servers that are not CS based seems to work okay. Maybe the anonymous relay servers offered now are a better/equivalent option?

UPDATE: I just found this article
https://cryptostorm.is/blog/anondns
and
https://github.com/DNSCrypt/dnscrypt-pr ... ymized-DNS
https://twitter.com/cryptostorm_is
which seems to imply these servers are no longer available with the anon servers preferred?

So if anonymous servers are the future how should one configure the .toml file? i.e.
Before I had the list of "cs- " type servers listed after "server_names". Now this should remain commented?
Are the cs- resolvers still accessible from an anon-cs relay?
by cryptomon
Sun Mar 10, 2019 8:09 pm
Forum: member support & tech assistance
Topic: NBN (National Broadband Network) in Australia
Replies: 2
Views: 12737

Re: NBN (National Broadband Network) in Australia

From what one reads the NBN is the internet and CS is a VPN. Are the guides of any help to connect the two? However, I get the impression that is not what you are asking?
by cryptomon
Tue Nov 13, 2018 12:07 pm
Forum: guides, HOWTOs & tutorials
Topic: ASUS router stock firmware OpenVPN working.
Replies: 7
Views: 32652

Re: ASUS router stock firmware OpenVPN working.

Wow, I got that to work now using the custom section at the base of the VPN config page to redirect to the /jffs file as you suggested. Thanks.
by cryptomon
Thu Oct 18, 2018 7:04 am
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

parityboy wrote:see if the router actually stores the credentials in a file somewhere, rather than a database.
It does store the credentials in a file called the "up" file. Whilst I can write to this file using "vi" and have it save a long hash, it's not persistent.
The directory itself (/tmp/etc/openvpn/client1) and the file seem temporary and are created/written if the GUI is turned off/on. So it seems the code will read the screen, check its 64 char length, if so write to file, if not revert to previous setting. So I think the code is the issue and is by design apparently judging from previous comments.
by cryptomon
Wed Oct 17, 2018 3:47 am
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

parityboy wrote: Could you try inspecting the HTML
Yes, but the right click "Inspect Element" already says "maxlength"=255, so I don't think that is the issue in the firmware code. I can paste the long string into the box but it won't stick.
by cryptomon
Tue Oct 16, 2018 4:41 am
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

ebpf-ftw wrote:Very late but it seems not to have been mentioned.
....
auth-user-pass /jffs/filename

start openvpn.
Tried this without success. Substituting a file for GUI inputs doesn't seem an option. However, there may be a subtle method to achieve this I'm so far unaware of.
by cryptomon
Tue Oct 16, 2018 4:34 am
Forum: guides, HOWTOs & tutorials
Topic: ASUS router stock firmware OpenVPN working.
Replies: 7
Views: 32652

Re: ASUS router stock firmware OpenVPN working.

cryptomon wrote:the suggestion of modifying the "Inspect Element"
ebpf-ftw wrote:Very late but it seems not to have been mentioned.
I've now looked at both these ideas but couldn't get either to work.
by cryptomon
Sun Oct 14, 2018 5:46 am
Forum: guides, HOWTOs & tutorials
Topic: ASUS router stock firmware OpenVPN working.
Replies: 7
Views: 32652

Re: ASUS router stock firmware OpenVPN working.

An interesting topic that I also queried here..
viewtopic.php?p=18499#p18499

Although I haven't yet tried the suggestion of modifying the "Inspect Element" by the original poster of this topic, this is a reply I got which also looks like an alternative approach...
ebpf-ftw wrote:Very late but it seems not to have been mentioned. I've not used merlin but have used close variants, so ymmv, but I suspect this'll work.

Enable jffs
https://github.com/RMerl/asuswrt-merlin/wiki/Jffs

log into your router with ssh (if unfamiliar there are many guides),and create a text file on the jffs partition - first line your hashed token, 2nd a password.


cd jffs/
vi filename
press i
type your things
press esc, then :wq then enter
exit


add the following line to your openvpn config, in the advanced tab on the ovpn page via your browser

auth-user-pass /jffs/filename

start openvpn.
by cryptomon
Sun Oct 14, 2018 5:16 am
Forum: member support & tech assistance
Topic: New configuration files - my setup issues
Replies: 3
Views: 12452

Re: New configuration files - my setup issues

That sounds about right because a day or two later I started getting the okay (green colour) from the web checks.

I notice also from my output that there are now about 2368 exit node IP addresses from CS plus the 28 resolvers. This is an impressive list.

As far as UFW goes I haven't found a better way than placing every exit node IP address into my firewall rules e.g.
ufw allow out log-all to 162.221.207.75 port 5060 proto udp comment "montreal.cstorm.is | "

and every resolver as well e.g.
ufw allow out log-all to 212.129.46.86 port 443 proto udp comment "DNS resolver cs-fr|CS France DNSCrypt server|Paris France|212.129.46.86:443"
by cryptomon
Fri Oct 12, 2018 4:35 am
Forum: member support & tech assistance
Topic: New configuration files - my setup issues
Replies: 3
Views: 12452

New configuration files - my setup issues

So I've updated to the new ECC configuration files using openvpn. A bit confused as to whether I should be using the default /ecc, /ed448 or /ed25519. Is this just personal preference based on the papers written about them?

My firewall settings are unchanged, but now the check page says I'm not connected to CS https://cryptostorm.is/test, whilst it displays an ip address of an exit node. Not sure what to look at here to fix this as I thought I had the firewall leaks etc solved. Suggestions welcome.

Using UFW is there some general recommended settings to set up a leak proof firewall? Thanks.
by cryptomon
Thu Jun 07, 2018 6:53 am
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

I was actually trying to use VMM as you suggested but got lost on what should be bridged or otherwise for the nic. Virsh cmd line is fine if it makes things more direct to configure. How and what were virtbr0 and virtbr0-nic created when I installed OPNsense?
Trying to set up similar to parityboy's diagram but have just been a bit ignorant (despite days of reading) on what the nic arrangement settings should be to LAN nic and host (Host with internal connection to VM).

To elaborate I have (Host Linux box)
2 x ethernet nics enp4s0, enp5s0;
tun0 via openVPN;
OPNsense VM installed;
Direct ethernet connection to internet;
LAN PCs inc. host.

|OPNsense VM|
|-----------|<-bridge?->|Physical NIC 0|<->Ethernet to ISP connect<->Internet
|-----------|<-bridge?->|Physical NIC 1|<->LAN<->Switch<>Network PCs
|-----------|<-source mode?->|<->LAN<->Host PC

Not sure how tun0 is meant to be incorporated here so all LAN goes via VPN. Perhaps this is just an internal configuration in OPNsense?

(I realise this might not be the place to ask these advanced user issues and don't expect help, but this stuff is so interesting in Linux and closely related to a nice setup I can but ask)
by cryptomon
Wed Jun 06, 2018 7:02 pm
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

Thanks for the contribution. I'll give it a go next opportunity.

Although now I've discovered OPNsense and similar arrangements, I think this might be a better direction to go. I tried to set one up as a virtual machine as suggested by Parityboy above but failed trying to use QEMU and KVM rather than Virtualbox. Couldn't find enough information that I understood to get it working unfortunately. Haven't given up yet though. Hoping I'll figure it out. Probably easier doing it on a separate box ultimately.
by cryptomon
Thu Mar 29, 2018 7:40 am
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

parityboy wrote:@cryptomon
When he moved the VPN connection to his Mac Mini,...
That's an interesting observation. So I need to find some Linux friendly hardware like the Mac Mini that I can install this BSD firewall software onto like pfsense or OPNsense. I'm sure the Mac works well for him, but I'm not a Mac person unfortunately.
by cryptomon
Thu Mar 29, 2018 7:34 am
Forum: member support & tech assistance
Topic: DNS configuration / usage
Replies: 6
Views: 19165

Re: DNS configuration / usage

parityboy wrote: EDIT:
I just saw this, so I have a better understanding of where it gets the DNS server IP addresses from (I think, lol).
Yeah, so I noticed that the list of resolvers from that web page you gave contains the same list as provided by CS dnscrypt-resolvers.csv. By entering this list into the dnscrypt-proxy.toml config file it limits the lookup addresses to one of those CS addresses, so as not to use one of the other available resolvers that might want to log the requests.

It seems a nicely written 'go' program. I've been able to script some things such as strip out these names (like the ones in the list I gave above) from the first column of the dnscrypt-resolvers.csv file and insert them into the dnscrypt-proxy.toml config file and place it into the required directory (/etc/dnscrypt-proxy), along with an IP blacklist file. Then I've automated the setup of the UFW firewall with the resolver and exit node IP addresses created from the host-names stripped from the CS config files. I then monitor my connection to check whether the vpn is still active and connected and firewall is up. When things go down on the occasion it is nice to see what my options are at a glance.
by cryptomon
Tue Mar 27, 2018 8:45 am
Forum: member support & tech assistance
Topic: DNS configuration / usage
Replies: 6
Views: 19165

Re: DNS configuration / usage

parityboy wrote: 5. Yes. The addresses in dnscrypt-resolvers.csv are publicly contactable outside of the VPN tunnel, so using one to resolve the domain name of an exit node is a sensible idea.
Not sure you mean one only ever, or one of the many to choose from in a random sense...

So having set up dnscrypt2 (https://github.com/jedisct1/dnscrypt-proxy), I have set my list of "server names =" inside dnscrypt-proxy.toml to be the list provided by (https://github.com/cryptostorm/cstorm_deepDNS) dnscrypt-resolvers.csv i.e.:
server_names = [
'cs-fr',
'cs-fr2',
'cs-cfi',
'cs-de',
'cs-pt',
'cs-uk',
'cs-ch',
'cs-cawest',
'cs-caeast',
'cs-rome',
'cs-dk',
'cs-ro',
'cs-lv',
'cs-nl',
'cs-es',
'cs-pl',
'cs-fi',
'cs-lt',
'cs-de3',
'cs-nl',
'cs-uswest',
'cs-uswest3',
'cs-uswest5',
'cs-useast',
'cs-useast2',
'cs-ussouth',
'cs-ussouth2',
'cs-usnorth'
]
and I've set
fallback_resolver = '109.71.42.228:53'

Is that an acceptable approach given I may be using only one exit node? i.e. it doesn't matter which resolver/s is/are used? (I've read elsewhere others saying you should use only one resolver from the exit node location, but the lists are not always 1-1 matching e.g. Denmark or Netherlands each have 2 server locations)

Thinking aloud here, if one was using the balancer exit node there are no specific resolvers for that so it seems that any should do, without leakage being an issue? After all if I understand this, the resolver merely finds the exit node's IP address after which your DNS requests then go through the tunnel, correct?
by cryptomon
Tue Mar 27, 2018 7:09 am
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

parityboy wrote: What's your connection speed?
I know what you are thinking....but unfortunately nothing special, 100Mb is possible if you pay for it, but I just use the slowest speed. In reality I only get about 5-50% of that speed on a good day. Provider congestion/over subscription has a lot to do with it.
The problem with this is that low power hardware does not support high-speed encryption. Most low powered hardware will top out really quickly, especially with AES256 encryption.
Okay, but I have openvpn with CS config installed on an ASUS RT AC68U, is not that already doing something like that?
by cryptomon
Mon Mar 26, 2018 9:05 am
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

parityboy wrote: Yes it can run on the same PC (which is what I do) which will have a lot more horsepower for encryption than a domestic router will.
Appreciate the input. (I seem to find new things all the time ever since going down the CS route. A great learning experience.) I had to read it a few times to digest the content. I think I need a diagram to help see how the connection arrangement works. The PC appears to connect to the VM via a LAN as does one of the physical LAN port adapters?

I suppose on the down side your PC needs to be running to give network access to other networked devices. Great if your box is on 24h a day, but also too if you want to try without finding new hardware.

Without knowing better I might be inclined to try the competition's OPNsense for this. In my case I should be able to connect directly to the WAN at the PC adaptor, as it is ethernet all the way to the exchange. No ADSL/copper so no modem needed etc.

It would still be nice to find some generic lower power hardware to install on for a long term 24h solution. That could then make a permanent retirement for any domestic hardware router and the associated firmware issues.
by cryptomon
Mon Mar 19, 2018 4:50 am
Forum: member support & tech assistance
Topic: New openVPN ECC config files
Replies: 5
Views: 20663

Re: New openVPN ECC config files

cryptomon wrote:I must have missed something, .... Is this still okay for Linux?
My apologies, it turns out I didn't read the entire comments in the .ovpn files, which did provide further insights....
Quote:
# Even though the hostname below says "windows", the configuration for
# these ECC instances are actually cross-platform. It was just easier
# to reuse the DNS used by the Windows instances since the ECC instances
# are on port 5060 of all of the Windows instance IPs.
by cryptomon
Sun Mar 18, 2018 2:09 pm
Forum: member support & tech assistance
Topic: New openVPN ECC config files
Replies: 5
Views: 20663

New openVPN ECC config files

I must have missed something, is there somewhere one can read up about the new ECC config files? (https://github.com/cryptostorm/cryptost ... tion_files)
I've worked out it stands for elliptic-curve cryptography and from the readme: "provide the best/strongest crypto available to OpenVPN at the moment." The readme says "Unlike the old ones, these new instances will be cross-platform." however, when I opened a udp version it says "remote windows-lisbon.cryptostorm.nu 5060 udp" Is this still okay for Linux?

A brief explanation would help please?
by cryptomon
Sun Mar 18, 2018 12:52 pm
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

So as a work around I have just downgraded back to the previous firmware version 380.69-2.

In the mean time I might give OPNsense a try once I've found suitable low power hardware for it. Open to suggestions here...
by cryptomon
Fri Mar 02, 2018 11:18 am
Forum: member support & tech assistance
Topic: DNS configuration / usage
Replies: 6
Views: 19165

Re: DNS configuration / usage

cryptomon wrote: I note that the new v2 setup is a bit different to v1 and manual modification of the resolv.conf file is not required. It is automatically updated with
nameserver 127.0.0.1
Sorry my mistake, this is not correct. I use dhcpcd service so to make the DNS (127.0.0.1) listed in resolv.conf file persistent I chose to add 127.0.0.1 as the first DNS server in my dhcpcd.conf file.
by cryptomon
Mon Feb 26, 2018 2:06 pm
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Re: Token Hashing - OpenVPN user input

parityboy wrote:@OP
As for alternative firmware, I have a physical ADSL router which is untouched, but "behind" it I run a virtualised instance of pfSense. I also have a couple instances running LEDE and OpenWRT but they are just for testing purposes, nothing serious. :)
This sounds like an interesting area to get working on. Just got to get my head around what hardware configuration is required. Can a virtualised instance of pfSense run on the same PC etc..? Is it an alternative to OpenWRT?
by cryptomon
Mon Feb 26, 2018 9:09 am
Forum: member support & tech assistance
Topic: DNS configuration / usage
Replies: 6
Views: 19165

Re: DNS configuration / usage

That does help, thank you. It seems as long as I look at this stuff I never seem to fully conquer it, but I think I'm getting there. I do find it all very intriguing despite the learning curve. I created bash scripts to automate the install and configuration and corresponding UFW settings, so life is easier. I also created a systemd service notification to tell me if a connection is down with where the issue might lie. Not seamless yet but it helps.

On item 7, I have now looked into DNSCrypt now that I better understand its benefit (inc caching) and it looks like something relatively straight forward to setup using dnscrypt-proxy v2
https://github.com/jedisct1/dnscrypt-proxy
also mentioned here: viewtopic.php?f=51&t=9515

I note that the new v2 setup is a bit different to v1 and manual modification of the resolv.conf file is not required. It is automatically updated with
nameserver 127.0.0.1

I modified the configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml
to only have Cryptostorm Names e.g. cs-pt from the resolver list under setting: server_names = [cs-pt,....etc.]
https://github.com/cryptostorm/cstorm_d ... olvers.csv
Couldn't work out how it scrapes this data in the background whether directly from the CS github site or otherwise, with the interest of knowing whether the latest resolver IP update had filtered through yet. Can anyone enlighten?
by cryptomon
Sat Feb 24, 2018 6:02 pm
Forum: general chat, suggestions, industry news
Topic: Token Hashing - OpenVPN user input
Replies: 24
Views: 73554

Token Hashing - OpenVPN user input

So I use an ASUS router and have the option to setup OpenVPN in it using Asuswrt-Merlin firmware.

Recently, ASUS updated their firmware (v384.3) to restrict the username and password to be 64 characters max each.

I notice that the hash is 128 char long. Is this always the case? If so, would it be a flying possibility for the hash to be input as two parts (as an optional choice) so that the first 64 char of the hash go into the username and the second 64 char go into the password. Could this be interpreted by the server authentication system? It would be one way around the firmware issue many people might have.

It has been suggested that I use the token without hashing it as a work around, but that might be a sad situation given the privacy benefit of hashing.

Any thoughts?

Alternatively, can anyone sing the praises for alternative firmware? I don't think OpenWRT is an option for me (a shame with its linux base) , but DD-WRT or Tomato Shibby are I think. Do Cryptostorm/other gurus have a favourite router and opensource firmware arrangement for setting up VPN?
by cryptomon
Fri Feb 23, 2018 11:46 am
Forum: member support & tech assistance
Topic: DNS configuration / usage
Replies: 6
Views: 19165

DNS configuration / usage

DNS settings - I have questions (sorry for the length and basic context).

I use Linux with openVPN that is configured with systemd and firewall UFW.

1. Does it matter whether one uses openDNS (e.g. 208.67.222.222, 208.67.220.220) or the VPN entry IP address? (I use the openDNS IPs because they seemed on occasion to be more reliable i.e. when VPN drops at least I still have DNS resolution)

2. Entry point IPs are listed here
https://github.com/cryptostorm/cstorm_d ... olvers.csv
which gives a "Resolver Address" for example as: Vilnius, Lithuania 93.115.30.154

Are these forever fixed for the life of the list?

3. However, when one from the command-line does say:
$ nslookup linux-lithuania.cryptostorm.net
Non-authoritative answer:
Name: linux-lithuania.cryptostorm.net
Address: 93.115.30.155

Should I always use the Resolver Address of 93.115.30.154?

4. Is there a way to get this Resolver Address of linux-lithuania.cryptostorm.net without the need to lookup the Resolver List. i.e. using some command line query like nslookup?

5. Should my firewall UFW in this example allow outbound access to both 93.115.30.154 and 93.115.30.155?

6. If I run nslookup on the IP addresses listed in

$ nslookup linux-balancer.cryptostorm.net

In my lithuania example this gives:

$ nslookup 93.115.30.155

155.30.115.93.in-addr.arpa name = hst-93-115-30-155.balticservers.eu.
Authoritative answers can be found from:

but in some cases one sees e.g.:
** server can't find 76.95.208.173.in-addr.arpa: NXDOMAIN

Does this mean the server is down? If so, how does balancer compensate? (e.g. Does it just move on to the next)

7. Should I be using DNScrypt? I assume it is a different setup to what I discussed above? (Haven't quite worked it out or found a good resource to explain its benefits or usage)