cryptostorm's community forum

I heard that AzireVPN also works well with Wireguard. They stared strong with no logging policy an additional security they called "blind operator mode," Anyone tested it yet? Their blind operator mode is pretty silly, even Jason (WireGuard author) says so himself - https://archive.is/ixN9A More in...

@gangelop I'm seeing something different when I use it with the Switzerland config (or anything else with multiple IPs). For me, that `route -n|grep UGH` command only returns the route for the VPN IP that I'm connected to, not the other IPs the host resolves to. It shouldn't be possible for there to...

@parityboy Just had someone else in IRC showing this same symptom, where dns leak test sites would show the vpn's exit IP instead of the DNS IP. But this person was also not able to resolve some obvious things like google/youtube/etc. from a host machine. They were running WireGuard directly on an O...

Those messages usually mean a packet was sent by the server out of sequence, which is fairly common on cellular networks. You can safely ignore them. By the way, if you start openvpn with `openvpn --config whatever.ovpn --daemon` it'll go into the background so you don't have to keep that terminal w...

@Moonlight My guess would be a DNS issue. Switzerland currently has 26 IPs, and Frankfurt has 28. Only way I could see the widget not displaying the select IP window is if somehow the host was resolving to only one IP. If you mean that option doesn't show up at all in the widget's options, then that...

If resolv.conf doesn't support lsattr/chattr, then it's most likely mounted onto a non-ext4 filesystem. On my Ubuntu system, /etc/resolv.conf is a symlink to /run/resolvconf/resolv.conf and /run is mounted as: tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=385288k,mode=755) You should stil...

Those iptables DNAT commands should be ran after connecting to the VPN, not before (since 10.31.33.8 isn't accessible until after you're connected). Be sure to read the note on https://cryptostorm.is/nix#dnsleak about how if you've got 127.0.0.x in your /etc/resolv.conf, then you'll need to change i...

Not really, they both perform the same task. It's just that it's Linux, so there's more than one way to do the same thing.

just do a `grep ^up whatever.ovpn` to check the up lines in the config. The update-resolv-conf script doesn't use iptables, it updates /etc/resolv.conf But killswitch does use iptables for DNS leak protection. You can check if those rules are still there with `iptables -L -n -t nat` But if they were...

It doesn't matter whether the script-security line is before or after up/down.
Only other thing I can think of is that there's more than one up/down line, that would also cause the killswitch not to run (like if your config is still using the old update-resolv-conf thing for DNS leak prevention).

That scenario #3 kill switch will remove the kill switch if OpenVPN exits "cleanly" (like it does via NM). You can test it by killing openvpn with `killall -9 openvpn` then trying to ping 8.8.8.8 It should also stay active if you keep the --up part but remove the --down part, but I haven't tested wi...

The page on http://10.31.33.7/fwd only accepts a single port per request, so your script would need to do it multiple times per port. Since you're using a script to connect to the VPN, you could add something like this that would run after being connected: #!/bin/bash declare -a ports=( 31340 31341 ...

Yea, comment out or remove those existing lines. The killswitch script does it's own DNS leak protection, so using the update-resolv-conf script isn't necessary.
And yes, you would have to remove the config from NM and set it up again for NM to see the changes.

@parityboy Maybe you're right, something in pfSense changed recently... the .i2p/.onion/.bit/etc. thing works by first resolving to something in 10.0.0.0/8 (10.99.0.0/16 for .onion, a single 10.98.0.1 for .i2p) and the VPN server sees the client trying to reach one of those ranges and forwards it to...

Do you have any custom iptables rules that are doing any SNAT or DNAT or MASQUERADE? Because I can't think of any other reason why an exit IP would show up in the whoami results or the dnsleaktest one, since none of the exit IPs are running any DNS servers. That's why `host whoami.cryptostorm.is 88....

@parityboy Weird... Not sure how that could happen. What do you get if you go to: https://aeopfieahofherurt.dnsl.cryptostorm.is/ ? That's the backend site that loads the images containing IPs, the "aeopfieahofherurt" bit can be any random letters. The IP in the image is what the custom DNS server se...

@parityboy You sure it's exit node IPs that's showing? Because it shouldn't do that... The custom DNS server behind it works the same way whoami.cryptostorm.is does, i.e. it only sees your DNS IP, no direct connection to the custom DNS server should happen. If you do `host whoami.cryptostorm.is` it ...

I haven't noticed that issue, but I don't use ipleak.net often. My go to is usually dnsleaktest.com. We also have our own at https://cryptostorm.is/dnsleaktest that might work better for some people. It's kinda BETA-ish, so it might fail to load completely, sometimes, but it seems fine so far in our...

See the very bottom of https://cryptostorm.is/multihop
it includes some info on how to do this.

DudeOfLondon: secp521r1 is default because it is more secure than Ed448 or Ed25519, but because it's an NIST curve we decided to also provide Ed25519/Ed448 options.
And there's no such thing as security overkill :-P

https://cryptostorm.is/wireguard just went live :-D Be sure to check out https://cryptostorm.is/blog/wireguard-support-added too for info on device limits and whatnot EDIT: Like it says on https://cryptostorm.is/wireguard and https://www.wireguard.com/ - WireGuard is not yet complete. You should not...

We're working on the interface for it now. Almost done.

Yea, if you save the default page it will save the HTML, which OpenVPN doesn't know how to read.
Need to click the "Raw" button, or download the master.zip, or download from https://cryptostorm.is/configs/ instead.

@marzametal The node list used by the widget is at https://cryptostorm.nu/nodelist4.txt and an easier to read version is at https://cryptostorm.nu/nodes.txt The whitelist that contains all the VPN IPs is at https://cryptostorm.is/whitelist.txt and the one with all the DNS IPs is at https://cryptosto...

The problem here is that the update-resolv-conf script needs to be added to the OpenVPN configs.
https://cryptostorm.is/nix#dnsleak has the instructions

@marzametal Only reason that would happen is if your system is using a different DNS than the one pushed by the VPN server. The only other IPs that'll work with block-outside-dns are 10.31.33.8 (same thing as the pushed IP), or 10.31.33.7 (the TS enabled IP). After connecting, try doing `nslookup wh...

@marzametal
What block-outside-dns thing?

No, of course not. Just update the file that contains your token (or it's hash), the file that's called by auth-user-pass in the openvpn config file.

I'm pretty sure this was a temporary issue. The .onion's aren't hosted on this web server, they're hosted on our Romanian server using a simple nginx reverse proxy that relays to the clearnet websites. Since that'll cause the Romanian server's IP to show up in things like https://cryptostorm.is/test...

Yea, just use CoinPayments for BTC. Bitpay's BTC thing is weird, doesn't use wallet addresses like normal, it uses some new payment protocol they're trying to push. That's why with BitPay, only the wallets listed at https://support.bitpay.com/hc/en-us/articles/115005701523-Which-wallets-work-for-a-B...

FYI, TS is disabled by default because a lot of people were complaining about it, mostly because they wanted to do something similar themselves.
If you want to use TS now, set your DNS to 10.31.33.7

Well I was going to delete this old thread, but since KungFuChe showed that it's still relevant, I'll keep it up :-)

There's just the one Cryptofree server in France. If you want more location options, buy a token :-P

https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-linux for DNSCrypt A killswitch will need to be written yourself, depending on your needs. We have one at https://cryptostorm.is/killswitch_user.txt that applies a killswitch to a specific user, it should make it relatively easy to write u...

The old theme wasn't supported in the latest phpBB, and I really didn't feel like going through changing colors in the current theme.

v3.42 is up now. Fixed a few bugs in v3.40 where the widget would crash on disconnect, and sometimes on exit. Switched from using slow as hell `netsh` commands for changing the system's DNS to much faster registry changes. Removed the TLS version GUI option since it'll now default to TLSv1.3, unless...

@Stan That's a bugfix for previous widget versions that would sometimes set DNS to 127.0.0.1 even when the widget's dnscrypt-proxy isn't running. You shouldn't need to run your own dnscrypt-proxy anyways, the widget includes it. If you want to use your own dnscrypt servers instead of ours, edit the ...

Just released v3.40, it's up on the main website now. It includes a new "Advanced" tab under Options that allows you to change a few defaults that might help in certain network setups (--route-method, --ip-win32, binding to a specific network adapter or IP, switching between TLSv1.2 and TLSv1.3). Al...

Sounds like you're probably using a browser addon like NoScript that's preventing the checkout page from working correctly.
Disable it, or add *.coinpayments.net to your whitelist, then try again.

Ah, that's right. In the ancient 2013 post @ https://cryptostorm.ch/viewtopic.php?f=38&t=5981 PJ describes in his round-about way something that sounds an awful lot like VORACLE, which was the reason we've (almost) always had compression disabled. IIRC, back then we had a mixture of "comp-lzo no" in...

I just talked to someone else who had this same issue, they also were using the app from Google's Play Store. The problem ended up being that Google Play Store has v0.7.5 of the app, which uses OpenSSL 1.1.0h, and the Ed25519/Ed448 configs require at least OpenSSL 1.1.1. F-Droid has version 0.7.6, w...

@Moonlight
Yes, all of the nodes are running a DNSCrypt server. With the widget, all you need to do is enable the DNSCrypt option, it'll start in the background and your DNS settings will be changed to point to that DNSCrypt instance.

We no longer offer any official support for Windows XP since Microsoft stopped supporting XP in April of 2014, and OpenVPN themselves stopped supporting it early last year. In 2017, Microsoft did release security patches for the vulnerability the WannaCry ransomware exploited, but that was a major v...

I just updated my Windows 10 Home VM to the latest, and updated Windows Defender to the latest (threat definition version: 1.283.2606.0), and I'm not seeing anything about the CS widget being detected, nor is any new firewall rules blocking it.... But then again, Microsoft doesn't use a single datab...

@parityboy
No, it's always been enabled, at least until Oct of last year

I'm sure you already have, but if not, you need to upgrade to the latest v3.36 widget. It fixes most DNS issues. The --block-outside-dns option is now pushed from the server if you connect from Windows (either via the widget or OpenVPN GUI). To tell your client to ignore that pushed setting, in the ...

I haven't heard of anything like this happening, but my suggestion would be to make sure you're using the latest OpenVPN for Android app from http://plaisthos.de/android/ics-openvpn-latest-stable.apk Other than that, check the logs and see if anything unusual is there (or post it here and we'll look...

FYI, even when you're using our DNS servers, it's still regular DNS, which is very easy to manipulate or block entirely.
To bypass anything like that, use our DNSCrypt servers instead. Most DNS blocking methods won't block that since it's TCP port 443, and it doesn't look anything like DNS.

I just posted an update in that other thread. Basically, those commands will only work if your distro branch/version is listed at https://build.openvpn.net/debian/openvpn/stable/dists/

@FoodMaven You need to change the "auth-user-password" line in /etc/openvpn/cstorm_linux-lisbon_udp.ovpn to point to a file containing your token (or it's hash) on the first line, and any random text on the second line. Otherwise it'll try to prompt you for the user/pass, but since you're not runnin...

I guess any of the styles at https://www.phpbb.com/customise/db/styl ... _styles-12 would work (just the ones that say "3.2.5"), but I'm not sure how to go about switching the styles on a per-user basis (via the UCP)

Notice the time/date stamp in the original post of this thread, it was started way back in 2013, so there's some outdated things here. But at the very top of the page (and every other page here), there's the notice "Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit ...

Keep in mind that both the Network Manager and Terminal instructions on https://cryptostorm.is/nix were intended for Ubuntu. They'll work on a few other Debian based distros, but not ones that aren't up to date or have their own version/branch names (such as Linux Mint). Here's a simple(ish) script ...

Yep, it was broken. Should be good now though. We were working on the main web server during New Year's since people were more likely to be out celebrating, and because there were some things that desperately needed upgrading. Now it's running the latest Apache/PHP, and this forum was upgraded to th...

The free client is the same as the paid client. See the instructions at https://cryptostorm.is/cryptofree (the last paragraph has the info you need)

yea. the configs normally have 4 "remote" lines, like in Balancer_UDP.ovpn it would have: remote balancer.cstorm.is 443 udp remote balancer.cstorm.net 443 udp remote balancer.cryptostorm.ch 443 udp remote balancer.cryptostorm.pw 443 udp delete all but one, and change the hostname to whoami.cryptosto...

So with 1.1.1.1 the only thing in your resolv.conf, you get cannot resolve errors with OpenVPN? heh, I've got an idea. change the remote lines in the OpenVPN config so that you're connecting to the hostname whoami.cryptostorm.is it'll fail, but it'll tell you what DNS is actually being used at the t...

"I uninstalled in the package manager", but did you install using that "VPN Manager" shortcut that runs /usr/bin/vpn-manager.sh? That thing was buggy as hell, I run it just ffs and selected PIA, it got stuck in a loop. Anyways, how are you running OpenVPN? Just a plain `openvpn --config Balancer_UDP...

I just tested with a clean Reborn OS install, it resolves it fine. Are you sure when you uninstalled that killswitch it really was uninstalled?
Could be some iptables rules leftover blocking the DNS, or maybe something else you did changed the cryptostorm OpenVPN config?

yea, that's cloudflare alright... and when you do `host sweden.cstorm.is` does it return 27 IPs?

try it without the 1.1.1.1

Both the `host` command and OpenVPN use the DNS settings that are in /etc/resolv.conf Can't think of any reason why `host` would work but openvpn wouldn't... But check that file anyways to see what's in it. If it's got 'nameserver 127.0.1.1' then you're probably using a local dnsmasq server, which i...

when you do `host sweden.cryptostorm.ch` does it resolve?

@privangle
Yea, similar to Tor relay chains.
And yes, VPNs can be attacked. Anything online can be attacked (and probably is being attacked), and a lot of offline stuff too.

Voodoo is something the CS-team invented, but it does use existing networking technologies, just in an unusual way :-)

Sun Nov 25 14:10:49 2018 us=888128 RESOLVE: Cannot resolve host address: sweden.cryptostorm.ch:5062 (System error) Sun Nov 25 14:10:54 2018 us=890652 RESOLVE: Cannot resolve host address: sweden.cryptostorm.ch:5062 (System error) Sun Nov 25 14:10:59 2018 us=893612 RESOLVE: Cannot resolve host addres...

@deadbeef I dunno if it's true on Buster, but I have seen some other distros do this weird thing where the openssl they install is one version, but the shared libraries used by programs like openvpn is another. If `openssl version` says 1.1.1, but `openvpn --version` says openssl 1.0.2o, then that c...

@deadbeef I don't think Debian or Ubuntu has OpenSSL 1.1.1 in their repos yet. Try installing OpenVPN and OpenSSL from source. As root, this should do it: cd /usr/src/ apt install -y build-essential zlib1g-dev liblz4-dev liblzo2-dev wget http://www.openssl.org/source/openssl-1.1.1.tar.gz;tar zxf ope...

@Moonlight Try Frankfurt again. Someone else was having issues too, turns out something between their PC and the frankfurt server was mucking around with IP headers just enough to make our port striping v2 thing to not work. So I added some extra rules to check for that. If it works for you too, the...

@Moonlight It might be that a previous widget version caused your DNS to be set to something invalid (like 127.0.0.1 even when the widget's not running). So when this version first starts, it remembers whatever DNS settings you have on launch so that it can restore that if the program crashes. If th...

@Brucie Try rebooting your system. There's a weird TAP adapter bug outside of the scope of our widget that causes the existing adapter to go into a strange read-only state. I wasn't able to reproduce it on win7, but I did get a win10 system do end up like that. For me, after rebooting it worked corr...

@Brucie Oh god damnit. You're right, I just tested on a Vista VM and it still did the TAP loop thing. Pretty sure I know what the problem is though. Apparently M$ thought it was a good idea to change the way simple IF statements work in batch files across different Windows versions. Either that or i...

@Moonlight Ah, there's the damn problem. The killswitch adds the VPN IPs all in one line using netsh advfirewall, but there's a character limit in the command prompt. The VPN IPs including the balancer IPs brings the total to > 600, so it hits that character limit and that cmd spits out an error. Se...

See the updated commands @ https://cryptostorm.is/nix
Turns out on some non-Ubuntu distros NM adds the file extension '.nmconnection' for the configs in /etc/NetworkManager/system-connections/
So the commands have been updated to check for that

@marzametal The blocking of outside DNS issue should be fixed now in the latest version that's up now. The dns proxy thing is clashing with dnscrypt-proxy because the widget is bundled with it's own dnscrypt-proxy. I renamed the one the widget comes with to cs-dnsc-p.exe so that when it checks the p...

That was our mistake. We were adding a new feature that lets people connect to our ECC instances on ports outside of 5060, but when adding the iptables rules they accidentally got added twice on the cryptofree server.
That error has been fixed, so cryptofree should work correctly for everyone now.

Search found 411 matches