# CryptoStorm config file for OpenVPN Connect iOS 1.0.4 build 140 client dev tun resolv-retry 16 nobind float remote linux-uswest.cryptostorm.org 443 # remote linux-uswest.cryptostorm.net 443 redirect-gateway ipv6 # Note that iOS 7 requires that if redirect-gateway is used that it is used for both... # IPv4 and IPv6 as the above directive accomplishes. comp-lzo no # specifies refusal of link-layer compression defaults # we prefer compression be handled elsewhere in the OSI layers # see forum for ongoing discussion - https://cryptostorm.org/viewtopic.php?f=38&t=5981 down-pre # runs client-side "down" script prior to shutdown, to help minimise risk... # of session termination packet leakage allow-pull-fqdn # allows client to pull DNS names from server # we don't use but may in future leakblock integration explicit-exit-notify 3 # attempts to notify exit node when client session is terminated # strengthens MiTM protections for orphan sessions hand-window 37 # specified duration (in seconds) to wait for the session handshake to complete # a renegotiation taking longer than this has a problem, & should be aborted # mssfix 1400 # congruent with server-side --fragment directive auth-user-pass # passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet -----BEGIN CERTIFICATE----- MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3 MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm +vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5 cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/ inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn X03mQP3ssBs2YRNR5hR5cMdC -----END CERTIFICATE----- ns-cert-type server # requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening. auth SHA512 # data channel HMAC generation # heavy processor load from this parameter, but the benefit is big gains in packet-level... # integrity checks, & protection against packet injections / MiTM attack vectors cipher AES-256-CBC # data channel stream cipher methodology # we are actively testing CBC alternatives & will deploy once well-tested... # cipher libraries support our choice - AES-GCM is looking good currently replay-window 128 30 # settings which determine when to throw out UDP datagrams that are out of order... # either temporally or via sequence number tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA # implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman... # see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice # http://ecc.cryptostorm.org client-cert-not-required # Allows connection without client certificate key-direction 1 # iOS specific requirement tls-client key-method 2 # specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap log devnull.txt verb 5 mute 1 # sets logging verbosity client-side, by default, to zero # no logs kept locally of connections - this can be changed... # if you'd like to see more details of connection initiation & negotiation