
New configuration files - my setup issues


Topic Author
cryptomon
Posts: 30
Joined: Fri Feb 23, 2018 7:32 am

Post by cryptomon » Fri Oct 12, 2018 4:35 am

So I've updated to the new ECC configuration files using OpenVPN. A bit confused as to whether I should be using the default /ecc, /ed448 or /ed25519. Is this just personal preference based on the papers written about them?

My firewall settings are unchanged, but now the check page says I'm not connected to CS https://cryptostorm.is/test, whilst it displays an IP address of an exit node. Not sure what to look at here to fix this as I thought I had the firewall leaks etc. solved. Suggestions welcome.

Using UFW, are there some general recommended settings to set up a leak-proof firewall? Thanks.

parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: New configuration files - my setup issues

Post by parityboy » Sat Oct 13, 2018 7:03 am

@OP

I'd guess that the IP addresses of the new ecc/ed448/ed25519 instances are not yet in the check databases.



Re: New configuration files - my setup issues

Post by cryptomon » Sun Oct 14, 2018 5:16 am

That sounds about right because a day or two later I started getting the okay (green colour) from the web checks.

I notice also from my output that there are now about 2368 exit node IP addresses from CS plus the 28 resolvers. This is an impressive list.

As far as UFW goes I haven't found a better way than placing every exit node IP address into my firewall rules e.g.
ufw allow out log-all to 162.221.207.75 port 5060 proto udp comment "montreal.cstorm.is | "

and every resolver as well e.g.
ufw allow out log-all to 212.129.46.86 port 443 proto udp comment "DNS resolver cs-fr|CS France DNSCrypt server|Paris France|212.129.46.86:443"

df
Site Admin
Posts: 420
Joined: Thu Jan 01, 1970 5:00 am

Re: New configuration files - my setup issues

Post by df » Fri Oct 26, 2018 1:39 am

That was my bad. After the upgrade I completely forgot to update https://cryptostorm.is/whitelist, which is what cryptostorm.is/test and the thing on the main site use.
It was updated shortly after the upgrade though, so all the IPs are in there.
Not sure where you're getting 2368 IPs though, maybe you forgot to run it through | sort -u?
Anyways, that https://cryptostorm.is/whitelist list has all the IPs, which is currently @ 647 if you include the iptables load balancers mentioned at https://cryptostorm.is/blog/balancing-loads
You can't get assigned those balancer IPs since they're used for entry only, not exit, but I thought it'd be a good idea to include them anyways for people using that list to create a homemade killswitch, since you would need those IPs whitelisted as well in order to reach the exit IPs behind them.
Minus those, the # of IPs is 631.
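
Added example, not part of the thread and not cryptostorm's own code: one way to turn a whitelist-style IP list into the per-IP `ufw` rules discussed above, with the `sort -u` deduplication applied first. It assumes the list holds one IPv4 address per line; the sample addresses are constructed documentation-range values, and `TUN_IF`, `VPN_PORT` and `VPN_PROTO` are hypothetical settings to be taken from your own OpenVPN config. It only prints the commands for review.

```shell
#!/bin/sh
# Constructed sample input: documentation-range addresses, NOT cryptostorm IPs.
# Assumed format: one IPv4 address per line (the real list's format may differ).
sample_whitelist() {
cat <<'EOF'
192.0.2.10
198.51.100.7
192.0.2.10
203.0.113.44

198.51.100.7
not-an-ip
203.0.113.999
EOF
}

# Keep only well-formed IPv4 addresses, then deduplicate (the `sort -u` step).
clean_ips() {
    awk -F. 'NF == 4 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        for (i = 1; i <= 4; i++) if ($i > 255) next
        print
    }' | LC_ALL=C sort -u
}

# Number of distinct valid addresses on stdin; compare with the raw line count
# to spot a list that was never deduplicated.
count_unique() { clean_ips | wc -l | tr -d ' '; }

# Print the ufw commands for review; nothing is applied to the firewall here.
# TUN_IF, VPN_PORT and VPN_PROTO are assumptions, not values from the thread.
killswitch_rules() {
    tun_if=${TUN_IF:-tun0}; port=${VPN_PORT:-443}; proto=${VPN_PROTO:-udp}
    echo "ufw default deny outgoing"      # block everything not listed below
    echo "ufw allow out on $tun_if"       # traffic inside the tunnel
    clean_ips | while read -r ip; do      # one rule per whitelisted endpoint
        echo "ufw allow out to $ip port $port proto $proto comment 'cs whitelist'"
    done
}

echo "raw lines: $(sample_whitelist | wc -l | tr -d ' ')," \
     "unique valid IPs: $(sample_whitelist | count_unique)"
sample_whitelist | killswitch_rules
```

Because entry-only balancer addresses are in the list as well, allowing every listed address keeps the tunnel reachable whichever endpoint the client connects through.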
