
cryptostorm exitnode clusters: listing+requests+roadmap

Fermi
Site Admin
Posts: 202
Joined: Tue Jun 17, 2014 11:42 am

Re: poll: where to add new exitnode clusters?

Post by Fermi » Mon Sep 29, 2014 4:05 am

Hi privangle,

The files you have used still contain the pre-heartbleed certificate. brisa is of course a post-heartbleed node.
Please change the certificate in the conf file with the following one (just copy paste): newclientcerts.zip, and import the file again.

raw-brisa.cryptostorm.nu doesn't resolve indeed, but having .org and .net should be sufficient (just redundancy).

Wrt. logging, if you use network manager, it will log to syslog (/var/log). I normally use 'tail -f syslog | grep openvpn' if I need a log while connecting.
(/var/log$ tail -f syslog | grep openvpn)

regards,

/Fermi

privangle
Posts: 89
Joined: Thu Apr 25, 2013 5:57 am

Re: poll: where to add new exitnode clusters?

Post by privangle » Mon Sep 29, 2014 5:27 am

Hi Fermi,

You are great, thank you very much, your advice did it!
Fermi wrote: The files you have used still contain the pre-heartbleed certificate. brisa is of course a post-heartbleed node.
So would you suggest replacing the certificate in all conf files with the new one, or is there work to do on the old nodes before we can use the post-heartbleed certificate?

Fermi
Site Admin
Posts: 202
Joined: Tue Jun 17, 2014 11:42 am

Re: poll: where to add new exitnode clusters?

Post by Fermi » Mon Sep 29, 2014 11:00 am

Hi privangle,

https://cryptostorm.is/status shows which IP addresses [and a lot more crucial info :)] are pre and post. The choice of the node determines the choice of the certificate.
In my humble opinion there's no reason to still connect to a pre-heartbleed node.

The IP's in the nodelist (https://cryptostorm.nu/nodelist.txt) are of course all post-heartbleed.

Regards,

/Fermi

privangle
Posts: 89
Joined: Thu Apr 25, 2013 5:57 am

Re: poll: where to add new exitnode clusters?

Post by privangle » Mon Sep 29, 2014 12:50 pm

Hi Fermi,

thank you for the list.

I'm not sure I understand well
Fermi wrote: The choice of the node determines the choice of the certificate.
how it works for the connection addresses.

All nodes in all countries exist in raw and post heartbleed.

Does it mean that it is sufficient to change the certificate from old to new?

I ask because I don't see a relationship between the <connection> url and the node list.

Example Germany

cantus, raw (46.165.222.246) is pre heartbleed.
cantus, raw (46.165.222.248) is post heartbleed.

So the address

cluster-frankfurt.cryptostorm.net,org,nu

is maintained, only the certificate changes? (and so on...?)

(But the lookup of cluster-frankfurt.cryptostorm.net gives the pre heartbleed ip-number (46.165.222.246).
Which domain would point to the post heartbleed ip?)

Sorry, every answer you give generates new questions for me. :)

Regards
privangle

Fermi
Site Admin
Posts: 202
Joined: Tue Jun 17, 2014 11:42 am

Re: poll: where to add new exitnode clusters?

Post by Fermi » Mon Sep 29, 2014 2:16 pm

Hi privangle,

No worries ...
I'll try to give some answers:
"The choice of the node determines the choice of the certificate." means: if you connect to a pre HB node you need the pre HB certificate, if you connect to a post HB node you need the post HB certificate. You can't connect to a post HB node using a pre HB certificate and vice versa.

So if you use 'remote-random' in the conf file you have to choose the FQDN's taking into consideration not to mix pre or post, according to the certificate used in the conf file.
There's also a balancer address providing all IP's of the raw post HB:
host raw-balancer-dynamic.cryptostorm.net
raw-balancer-dynamic.cryptostorm.net has address 94.46.8.229
raw-balancer-dynamic.cryptostorm.net has address 23.19.35.14
raw-balancer-dynamic.cryptostorm.net has address 79.134.235.133
raw-balancer-dynamic.cryptostorm.net has address 46.165.222.248
raw-balancer-dynamic.cryptostorm.net has address 198.27.89.56
raw-balancer-dynamic.cryptostorm.net has address 212.83.167.81

cluster-frankfurt.cryptostorm.net,org,nu points to pre HB

raw-cantus-2.cryptostorm.net resolves to raw cantus post HB
raw-cantus-2.cryptostorm.ch resolves to 79.134.255.83 which isn't correct.
raw-cantus-2.cryptostorm.nu isn't resolvable.

Conclusion: if you want to connect to raw cantus post HB, use: raw-cantus-2.cryptostorm.net

Perhaps these unclarities mean that not all FQDN's are up to date, properly listed. I'll mention this in the IRC channel.

Regards,

/Fermi

parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: poll: where to add new exitnode clusters?

Post by parityboy » Mon Sep 29, 2014 5:37 pm

@Fermi

The post-Heartbleed cantus address is 46.165.222.248, so what exactly does the "balancer" do? What is it balancing between?

privangle
Posts: 89
Joined: Thu Apr 25, 2013 5:57 am

Re: poll: where to add new exitnode clusters?

Post by privangle » Mon Sep 29, 2014 6:23 pm

Hi parityboy,

I made a config file with the balancer, like this :

Code:

remote-random

<connection>
remote raw-balancer-dynamic.cryptostorm.net 443 udp
</connection>

<connection>
remote raw-balancer-dynamic.cryptostorm.ch 443 udp
</connection>

(...storm.nu and .pw do not resolve)
with the post heartbleed certificate.

Almost every time I connect with this config file, I am connected to another node, like random.

I'm not sure if the balancer was made for that, but it works.

Fermi
Site Admin
Posts: 202
Joined: Tue Jun 17, 2014 11:42 am

Re: poll: where to add new exitnode clusters?

Post by Fermi » Mon Sep 29, 2014 7:14 pm

Parityboy, privangle,

raw-balancer-dynamic.cryptostorm.net has multiple A records, meaning it's representing a pool of IP addresses, being the exit nodes.
Every time a DNS query is done, the DNS server will provide you with one of these addresses. So there's a real chance that your CS connection is 'balanced' between the different exit nodes.
If the relation FQDN and IP address is still active in your local DNS cache, it will be reused of course.

So what privangle is experiencing is correct behaviour.

Regards,

/Fermi
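
The rule discussed in the posts above (the certificate in a config must match the generation of every node its remotes can resolve to, including every A record behind a round-robin name) can be checked mechanically. The Python below is an added example, not part of the thread and not cryptostorm's own tooling; the function names are hypothetical, the IP classifications are the 2014 values quoted in the posts, and the DNS answers and config are constructed from the lookups the posters report so that it runs offline.

```python
import socket

# Node addresses as classified in this thread (2014 snapshot, not live data).
PRE_HB = {"46.165.222.246", "79.134.235.132"}
POST_HB = {"94.46.8.229", "23.19.35.14", "79.134.235.133",
           "46.165.222.248", "198.27.89.56", "212.83.167.81"}
# Constructed DNS answers mirroring the lookups reported in the posts.
THREAD_DNS = {
    "raw-balancer-dynamic.cryptostorm.net": sorted(POST_HB),
    "raw-cantus-2.cryptostorm.net": ["46.165.222.248"],
    "raw-cantus-2.cryptostorm.ch": ["79.134.255.83"],
    "cluster-frankfurt.cryptostorm.net": ["46.165.222.246"],
}
# Constructed config that deliberately mixes generations (hypothetical).
SAMPLE_CONF = """remote-random
remote raw-balancer-dynamic.cryptostorm.net 443 udp
remote raw-cantus-2.cryptostorm.net 443 udp
remote cluster-frankfurt.cryptostorm.net 443 udp
remote raw-cantus-2.cryptostorm.ch 443 udp
remote raw-cantus-2.cryptostorm.nu 443 udp
"""

def system_resolver(host):
    """Return every IPv4 address the system resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def remote_hosts(conf_text):
    """Yield the host of each 'remote' directive; commented lines never match."""
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "remote":
            yield fields[1]

def audit_config(conf_text, cert_generation, resolver=system_resolver):
    """List (host, ip, status) for remotes that do not match the certificate."""
    findings = []
    for host in remote_hosts(conf_text):
        ips = resolver(host)
        if not ips:
            findings.append((host, None, "unresolvable"))
        for ip in ips:
            status = "post" if ip in POST_HB else "pre" if ip in PRE_HB else "unknown"
            if status != cert_generation:
                findings.append((host, ip, status))
    return findings
```

Calling `audit_config(SAMPLE_CONF, "post", lambda h: THREAD_DNS.get(h, []))` flags the cluster-frankfurt name (pre), the .ch name (address on neither list) and the .nu name (unresolvable), while the balancer passes because all of its A records are post HB.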

privangle
Posts: 89
Joined: Thu Apr 25, 2013 5:57 am

Re: poll: where to add new exitnode clusters?

Post by privangle » Tue Sep 30, 2014 12:05 am

Hi,

let me resume the available raw FQDNs post heartbleed (HB), pointing to the post HB nodes given in these lists

https://cryptostorm.is/status or https://cryptostorm.nu/nodelist.txt :

Germany
remote raw-cantus-2.cryptostorm.net

France
raw-onyx-1.cryptostorm.net

Portugal
raw-brisa.cryptostorm.net
raw-brisa.cryptostorm.ch
raw-brisa.cstorm.pw

Canada
raw-maple.cryptostorm.net
raw-maple.cryptostorm.ch
raw-maple.cstorm.pw

UnSA
raw-emerald.cryptostorm.net
raw-emerald.cryptostorm.ch
raw-emerald.cstorm.pw

Only Iceland is missing.

For Iceland I tested the following domains with host (or nslookup) command:

raw-fenrir.cryptostorm.net,org,nu and raw.fenrir.cstorm.pw,
raw-fenrir-1.cryptostorm.net,org,nu and raw.fenrir-1.cstorm.pw
raw-fenrir-2.cryptostorm.net,org,nu and raw.fenrir-2.cstorm.pw

raw-fenrir.cryptostorm.ch and raw-fenrir-N.cryptostorm.ch (N any integer) resolve to 79.134.255.83
which is neither the pre HB ip (79.134.235.132) of the list nor the post HB ip (79.134.235.133) of the list.

The same goes for raw-fenrir.cstorm.pw and raw-fenrir-N.cstorm.pw (N any integer)

Since they work with the pre HB certificate, I guess that a (or some) post HB FQDN will be created soon.

Perhaps the résumé may be helpful to others.

Operandi
Posts: 85
Joined: Fri Nov 22, 2013 4:23 pm

Re: poll: where to add new exitnode clusters?

Post by Operandi » Tue Sep 30, 2014 1:29 am

privangle wrote: Only Iceland is missing.
"Iceland:fenrir:windows" (79.134.235.134) is still named android-fenrir-cryptostorm.net.
"Iceland:fenrir:raw" (79.134.235.133) is ios-fenrir-cryptostorm.net; probably for the same reason.

Why not just use plain IP addresses, though?

privangle
Posts: 89
Joined: Thu Apr 25, 2013 5:57 am

Re: poll: where to add new exitnode clusters?

Post by privangle » Tue Sep 30, 2014 2:26 am

operandi wrote: Why not just use plain IP addresses, though?
Right. I just tried it and it works. Perhaps it's ok to use the ip number directly, as long as there is no FQDN available.
Thank you.

parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: poll: where to add new exitnode clusters?

Post by parityboy » Tue Sep 30, 2014 5:15 am

@Fermi

Yes, you are correct and I actually knew that, but failed to read your post correctly. The balancer is more of a "connection balancer" than a "packet balancer" - I suppose CS hasn't gotten big enough to warrant one of those yet, assuming such a device wouldn't violate the security of an OpenVPN session.

privangle
Posts: 89
Joined: Thu Apr 25, 2013 5:57 am

Re: adding new exitnode clusters: discussion & suggestions

Post by privangle » Thu Oct 02, 2014 4:43 am

Hi,
  1. My impression is that, since I changed all the nodes and certificates to the post heartbleed ones, my PC connects a little bit faster to a node than before. Could that be the case (perhaps the old nodes with the old certificate are less supported?) or does my mind play a trick on me?
  2. Connected to the Portugal node, there is one website in my bookmarks that I can't access. As if the corresponding DNS server does not know the domain. I change the node and the webpage comes.
    Did you have similar experiences with one of the nodes?

marzametal
Posts: 432
Joined: Mon Aug 05, 2013 11:39 am

Re: adding new exitnode clusters: discussion & suggestions

Post by marzametal » Thu Oct 02, 2014 7:15 am

@ thread

In regards to 1 - I can confirm that I experience faster connections with Post Heartbleed nodes and certificates...

Fermi
Site Admin
Posts: 202
Joined: Tue Jun 17, 2014 11:42 am

Re: adding new exitnode clusters: discussion & suggestions

Post by Fermi » Thu Oct 02, 2014 11:03 am

@privangle, thread,

privangle wrote: Connected to the portugal node, there is one website in my bookmarks that I can't access. As if the corresponding dns-server does not know the domain. I change the node and the webpage comes. Did you make similar experiences with one of the nodes ?

Most probably a case of geo-blocking, some explanation on this:
http://www.pcauthority.com.au/Feature/3 ... -want.aspx

Regards,

/Fermi

timusan
Posts: 15
Joined: Mon Feb 10, 2014 9:27 am

Re: cryptostorm exitnode clusters: listing+requests+roadmap

Post by timusan » Tue Nov 04, 2014 11:05 am

I, for one, would highly fancy an Asia exit node.

I live in Japan and I (and my family) use Cryptostorm exclusively for all things Internet.

For (almost) the past year I have been using Iceland and later Seattle as my exit node, which still gives me acceptable speeds.
I understand that an exit node in Japan would not be favorable from a geographical point of view, however Singapore sounds extremely pleasant.

If anyone needs some latency statistics from this neck of the woods (to check raw speeds and hubs between Japan and Singapore, for ex.), just let me know.


someonesomewhere

Re: cryptostorm exitnode clusters: listing+requests+roadmap

Post by someonesomewhere » Sat Nov 29, 2014 5:42 am

Guest wrote: Australia. Those are so far out that it's hard to service them well via mainland. They could also provide for all the smaller islands around them and far southern Asia.
I would love to see an Australian or New Zealand exit node. Then users from that region can access some of the geographically blocked content securely.

marzametal
Posts: 432
Joined: Mon Aug 05, 2013 11:39 am

Re: cryptostorm exitnode clusters: listing+requests+roadmap

Post by marzametal » Sat Jan 03, 2015 10:59 am

Does anyone have the URL for exit node status? There used to be a page where one could view the status of exit nodes... It used to be (according to my bookmark) "https://cryptostorm.is/status", which now produces a 404...
