HOWTO: Connect to CryptoStorm on TAILS OS??

Topic Author
DebianLive
Posts: 3
Joined: Fri Mar 13, 2015 2:38 am

HOWTO: Connect to CryptoStorm on TAILS OS??

Postby DebianLive » Fri Mar 13, 2015 3:04 am

Hello everyone,
I've been looking for a solution to this for a few hours and have found nothing that has been able to provide the answers. I'm using Tails OS, and can't get the OS to successfully connect to the VPN. Any suggestions please and thanks!

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: Connect to CryptoStorm on TAILS OS??

Postby marzametal » Fri Mar 13, 2015 9:22 am

I just downloaded Tails OS... going to give it a shot in a VM soon... knowing my luck I am going to burn my house down...

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: Connect to CryptoStorm on TAILS OS??

Postby marzametal » Fri Mar 13, 2015 2:09 pm

Hi DebianLive...

It turns out what you desire ain't gonna' happen mate...
Installed Tails OS onto USB, booted into it.
As soon as it smells an internet connection, it fires up Vidalia and Tor.

Did the usual stuff, sudo apt-get update, followed some posts from http://cryptostorm.org/viewtopic.php?f=37&t=3978 and from viewtopic.php?f=32&t=5996 , got it all set up.

Then I tried to connect, but couldn't. So I went back to Tails documentation and found VPN over TAILS cannot be done. VPN over TOR yes, but over TAILS at this point in time... no.

I might be mistaken, I am a mass n00b when it comes to *nix stuff, just passing on what I tried, saw and read.

Just a fyi, fuck I feel naked on TAILS. NOTHING TO PROTECT ME, but a fake Windows 8 GUI, lmao.

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: Connect to CryptoStorm on TAILS OS??

Postby marzametal » Fri Mar 13, 2015 3:09 pm

The mods are going to authorise a post I made earlier... sent it via TAILS.
Sorry, from what I can gather, connecting to CS on TAILS is not available at the moment. After setting it all up, I saw in their FAQ they don't support VPN over TAILS... over TOR yes, over TAILS no.

Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

cstorm on TAILS?

Postby Pattern_Juggled » Fri Mar 13, 2015 7:54 pm

marzametal wrote: The mods are going to authorise a post I made earlier... sent it via TAILS.
Sorry, from what I can gather, connecting to CS on TAILS is not available at the moment. After setting it all up, I saw in their FAQ they don't support VPN over TAILS... over TOR yes, over TAILS no.


Heya, apologies for coming in late here.

What version of openssl are those Tails images being distributed with?

openssl version


I can't see that doing openvpn from Tails would be somehow blocked - indeed, I cannot imagine how such a block would actually be implemented.

We know a few folks close to that project team - if there's indeed some sort of overt issue that's confirmed after a bit of further digging, please post here so we can look for a constructive path beyond any such (hypothetical) snags, ok?

Cheers,

~ pj
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: Connect to CryptoStorm on TAILS OS??

Postby marzametal » Sat Mar 14, 2015 8:11 am

Got to the end, but when I checked openssl version, it still said 1.0.1e, even though I was using 1.0.2...

TAILS OS didn't contain some packages that were required, had to search and provide on-the-fly...

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome

W: Ignoring Provides line with DepCompareOp for package php-psr-log-implementation
W: You may want to run apt-get update to correct these problems
<---- errors received when doing update and upgrade and openvpn

sudo service network-manager restart

sudo -s

apt-get install make <--- missing in TAILS OS
apt-get install gcc <--- missing in TAILS OS
W: <---- errors received when doing make

wget http://www.openssl.org/source/openssl-1.0.2.tar.gz
tar -xvzf openssl-1.0.2.tar.gz
cd openssl-1.0.2
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
make

had an error @ make...
no stdlib.h present
find / -name 'stdlib.h' returned no results, so...
apt-get install build-essential
W: <---- errors received when doing build-essential

tar -xvzf openssl-1.0.2.tar.gz
cd openssl-1.0.2
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
make

had an error @ make...
fatal error: bits/predefs.h: No such file or directory.. compilation terminated, so...
apt-get install gcc-multilib
W: <---- errors received when doing gcc-multilib

tar -xvzf openssl-1.0.2.tar.gz
cd openssl-1.0.2
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
make
sudo make install

/usr/local/openssl/bin/openssl version
WTF, still 1.0.1e!!!!


I think I just cranial raped myself...

Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

version reporting in openssl / Linux

Postby Pattern_Juggled » Sat Mar 14, 2015 12:54 pm

I don't even need to read the details of the above post to know what's happened, as it's one of those universally frustrating things that we have all been through - fortunately, it's much easier to get beyond than it might seem.

This is a divergence in the mechanism by which openssl reports its version status (which is not technically accurate, but if you know it's not accurate then you know enough to know I'm not getting into that because it's mostly just distracting to do so, most of the time) as compared to what's being called or compiled into production packages that rely on openssl for crypto functionality.

I basically just picked a random stackoverflow thread on the topic. Start there, and within a couple clicks, you'll have the exact info on how to confirm versioning is correct. We're a little blase about this as we've seen it on so many machines, so many times. It's just one of those "gotchas" that eventually one learns to work around.

Anyhow it'll take you longer to read this post than to just loop back & get the proper syntax for version validation.

Cheers,

pj

edited to add: 1.0.2 is almost ready to go into full release, afaik, and has been pretty stable for us in the places we've been using it in late-beta form (webservers here and there, because it's a lot less flaky about proper ECC support with proper curve init point-pairs and so on)... but those dependency hiccups might trace back to those late-beta blues, especially on Tails which tries to avoid unnecessary package/dependency bloat to improve security (which is excellent security practice, in fact). Mostly if you just keep iterating on the install, it'll eventually fill up its pockets with all the dep's it needs :-)


Topic Author
DebianLive
Posts: 3
Joined: Fri Mar 13, 2015 2:38 am

Re: HOWTO: Connect to CryptoStorm on TAILS OS??

Postby DebianLive » Fri Mar 20, 2015 11:42 am

Sorry for the super late post, I really appreciate you guys and/or gals investing your time to research the problem. If you would please report this to TAILS dev team, it would be greatly appreciated.

EDIT: How would I achieve VPN over TOR?


this is marzametal

Re: HOWTO: Connect to CryptoStorm on TAILS OS??

Postby this is marzametal » Mon May 11, 2015 8:57 am

...yeah, bit delayed... sorry.

To get the correct version displayed.... just create a symbolic link like so...

mv /usr/bin/openssl /root/
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

then bask in the glory of a correct output from "openssl version"


Tail Please

Re: HOWTO: Connect to CryptoStorm on TAILS OS??

Postby Tail Please » Thu Jul 09, 2015 12:39 am

Hi

Someone found a solution for this? Please help us.

Best regards.


Snygeios

Re: HOWTO: Connect to CryptoStorm on TAILS OS??

Postby Snygeios » Wed Jul 15, 2015 4:43 pm

Hello,

TailsOS is a Debian with a very specific custom configuration. TailsOS does not come with the VPN packages preinstalled meaning you can't configure the VPN connection out of the box but it is still doable in more than one way. The first method is using the standard TailsOS bootable USB key with persistent storage configured.
The second way is modifying the actual read-only distribution on the USB storage device.

Here is the general idea of how to configure VPN (cryptostorm specifically) on TailsOS. This is not a step-by-step howto and requires some knowledge of Linux, especially for the firewall configuration.
If needed, I could write a step-by-step how-to later on.

1) Configure persistent storage as described in the Tails documentation

2) Install required packages as described in the Tails doc -> advanced topics -> additional software (http://tails.boum.org/doc/advanced_topi ... ex.en.html) (Hint: apt-get update; apt-get install network-manager-pptp network-manager-pptp-gnome).
The packages needed are: network-manager-pptp, network-manager-pptp-gnome, network-manager-openvpn and openvpn.
Note down any package dependencies as well.

3) Add the package list (including the dependencies) to the /live/persistence/TailsData_unlocked/live-additional-software.conf file (one package per line)

4) In the Network Manager configuration dialog, the VPN tab should allow you to create a new VPN connection. Use the appropriate cryptostorm config file, populate the user name hash and save the configuration

5) In a terminal window look at the iptables messages for dropped packets (tail -f /var/log/syslog|grep -i drop) and from Network Manager start your new VPN connection which will fail due to the firewall rules.
As far as I remember, the first packets I had to allow were DNS and openvpn related on the loopback interface, followed by udp traffic (inbound and outbound) to port 443 of the cryptostorm nodes

6) Based on the dropped packets, configure iptables to allow packets to and from the servers used by your VPN configuration. An example of iptables rules can be found here: https://github.com/cryptostorm/cryptoha ... ctives.txt and here: https://github.com/cryptostorm/cryptoha ... tostorm.sh
Based on the existing TailsOS rules and the ones on github, you should be able to script something which will allow you to start the VPN connection
Once the firewall is configured, the VPN connection should start without any problems.

7) Add iptables rules to block all traffic to/from the outside world except for the traffic to/from the cryptostorm nodes.

8) Restart tor (vidalia) and check the network setup using tcpdump or some other packet inspection application.

The second method is a lot sexier and can automate the entire VPN connection process but it involves modifying the squashfs image:
1) copy the squashfs file from the USB device to a temporary location
2) Install squashfs-tools and extract the image
3) mount --bind the proc, sys and dev file systems on the <extraction_dir>/proc, sys and dev directories
4) chroot to the directory containing the extracted squashfs
5) Install the openvpn packages (network-manager-pptp, network-manager-pptp-gnome, network-manager-openvpn, openvpn)
6) Modify the Network Manager dispatcher scripts in /etc/NetworkManager/dispatcher.d/
The scripts are run in order by Network Manager after it brings up the network connection. As far as I remember the first one is the firewall, followed by tor and last is the persistent software package updater. You will have to modify the firewall script and ensure that your VPN connection starts before tor. I would refer to the sample scripts on the cryptostorm github
To start a pre-configured VPN configuration at the command line, use nmcli in the script but before that you need to modify the VPN configuration file as follows:
- in the [vpn] section, set password-flags=0
- add a new [vpn-secrets] section containing the entry password=<whatever>
Without these modifications, the root user won't be able to start the VPN connection.
7) Once happy with the modifications, unmount proc, sys, dev and recreate the squashfs image file.
8) Make a backup of the original squashfs file on the USB device and replace the original with your newly created one.
9) Reboot. If done correctly, once you pass the startup dialog, Network Manager will get an IP for your machine and will launch the scripts you have created/modified. Ideally you'll see the clearnet network coming up, followed by the VPN and by tor.
10) Use tcpdump to confirm that all connections are dropped except the connections to the VPN servers.
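
Added example, not part of Snygeios's post or of cryptostorm's scripts: steps 5 and 6 of the first method derive the allow rules from the dropped-packet messages in syslog, and this helper groups those messages by interface, protocol, peer address and destination port so each needed rule shows up as one line. The log prefix, hostname and addresses in the sample are constructed; the field names are those of the kernel netfilter LOG target.

```shell
#!/bin/sh
# Added example: summarise dropped-packet log lines (netfilter LOG format).

# Constructed sample input; prefix text, hostname and the addresses
# (documentation ranges) are assumptions, not captured from a Tails system.
sample_log() {
cat <<'EOF'
Jul 15 16:01:01 host kernel: Dropped outbound packet: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=UDP SPT=40000 DPT=53 LEN=40
Jul 15 16:01:02 host kernel: Dropped outbound packet: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=70 PROTO=UDP SPT=51000 DPT=443 LEN=50
Jul 15 16:01:03 host kernel: Dropped outbound packet: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=70 PROTO=UDP SPT=51000 DPT=443 LEN=50
Jul 15 16:01:04 host NetworkManager[812]: VPN connection attempt started
Jul 15 16:01:05 host kernel: Dropped outbound packet: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=70 PROTO=UDP SPT=51000 DPT=443 LEN=50
Jul 15 16:01:06 host kernel: Dropped inbound packet: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=3 CODE=3
EOF
}

# Reads syslog lines on stdin, prints "count direction=iface proto peer dport",
# most frequent first. Peer is DST for outbound drops and SRC for inbound ones.
summarise_drops() {
  awk '
    tolower($0) ~ /drop/ {
      in_if = out_if = src = dst = ""; proto = dpt = "-"
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^IN=/)    in_if  = substr($i, 4)
        else if ($i ~ /^OUT=/)   out_if = substr($i, 5)
        else if ($i ~ /^SRC=/)   src    = substr($i, 5)
        else if ($i ~ /^DST=/)   dst    = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto  = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt    = substr($i, 5)
      }
      if (in_if == "" && out_if == "") next   # not a netfilter LOG line
      if (out_if != "") key = "out=" out_if " " proto " " dst " " dpt
      else              key = "in="  in_if  " " proto " " src " " dpt
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Demo on the constructed sample; on a live system feed it the log instead:
#   grep -i drop /var/log/syslog | summarise_drops
sample_log | summarise_drops
```

Because the summary is printed only at end of input, run it on the saved log after the failed connection attempt rather than on a `tail -f` stream.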

