cryptostorm VPNleakage

Topic Author
Anonymous poster

cryptostorm VPNleakage

Postby Anonymous poster » Fri Nov 25, 2016 3:51 am

According to vpntesting.info cryptostorm has VPN leakage problems.


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Fri Nov 25, 2016 6:22 am

You mean DNS leaks? That's likely because people didn't set things up properly. If you either use the most current version of the CS client, or if you use OpenVPN with the disable-outside-DNS argument, there are absolutely no DNS leaks with CS. I've done extensive testing with both clients.


Topic Author
Anonymous poster

Re: cryptostorm VPNleakage

Postby Anonymous poster » Fri Nov 25, 2016 8:39 am

The leak test covered IPv4 and IPv6 leaks and cryptostorm failed at both categories, according to the leak test:
Image


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Fri Nov 25, 2016 10:04 pm

It only fails if you don't know how to configure it correctly. Those people are idiots.


sm1th
Posts: 15
Joined: Wed Sep 07, 2016 1:55 pm

Re: cryptostorm VPNleakage

Postby sm1th » Sat Nov 26, 2016 2:43 am

Khariz wrote: It only fails if you don't know how to configure it correctly. Those people are idiots.


Be kind. It's not simple unless you know it. Also, it's not true security if we blame the user for lack of knowledge.

We need to get this shit as easy as turning windows on...and I say this as a 12 year (with no gaps or giving in) linux user.

If we rely on what they know, we've failed. If you, Khariz, think you're so fucking clever....put it into words your Gran would understand :)


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Sat Nov 26, 2016 2:55 am

What are you talking about? I'm not teaching someone here, I'm saying that the SOURCE of that DNS leak test must be comprised of idiots if they couldn't figure out how to configure cryptostorm without having a DNS leak. I'm not speaking to the OP here. I'm addressing the acumen of vpntesting.info

For an entity that is making themselves out as some kind of "authority" on which sites have DNS leaks and which don't, they obviously don't know the basics of how to configure things for their tests.


Topic Author
Anonymous poster

Re: cryptostorm VPNleakage

Postby Anonymous poster » Sat Nov 26, 2016 2:56 am

The above image was for Windows 7 VPN clients. I forgot to embed the image for the Mac OS X VPN clients, so here it is:
Image

The test was sponsored by IVPN, which was the only VPN service that passed both the Windows 7 leakage test and the Mac OS X leakage test, so how unbiased the test was can be questioned. Though, I have heard that IVPN are quite good security-wise, so it wouldn't surprise me if the test is genuine.

Khariz wrote: It only fails if you don't know how to configure it correctly. Those people are idiots.

Maybe cryptostorm could be made foolproof even for rookie users?


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Sat Nov 26, 2016 5:48 am

It is for windows users. Download the client. Run it. Both DNS leaks and WebRTC are plugged up by the client. You would have to manually go mucking around with your TAP adapter's DNS settings after connecting with the CS client if you wanted to create a DNS leak.

For us power users and people insisting on using OpenVPN (paranoid "only open source" software type people) they should know how to add "block-outside-DNS" to a .ovpn file.

I wrote an entire guide to using CS via iOS without the need of any outside platform as an aid. There are no DNS or WebRTC issues on iOS by default though.

I mean, and I'm being completely serious here, it's harder to experience a DNS leak with CS than to NOT experience one. The only way they could have experienced one is if they downloaded a stock .ovpn file from the Github and ran it through OpenVPN without adding in the block-outside-DNS argument.

Now that I think about it, that's probably exactly what they did. They probably performed their tests using CryptoFree and default .ovpn files. No wonder they got such crappy results.

Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: cryptostorm VPNleakage

Postby Operandi » Sat Nov 26, 2016 8:43 pm

Not sure if this is relevant, but I think it's worth mentioning either way: some time ago I noticed that the England node can leak one's location in rare circumstances (happened to me when visiting UserBenchmark and Top Ten Reviews), which is odd, considering that all those leak-test websites do not report anything suspicious. I brought this up in the cs IRC channel, but everyone just kept shrugging. Decided to check out the England node once again after seeing this thread - still seems leaky.

I use Windows 7 (heavily firewalled), and OpenVPN with the official config files.


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Sat Nov 26, 2016 9:20 pm

If you aren't adding the command:

block-outside-DNS

To your .ovpn files, you need to do that. Otherwise OpenVPN isn't necessarily sending ALL DNS requests through the tunnel.

Also, in case anyone is wondering "why isn't that command just added in there by CryptoStorm?" Here is the answer: the command is not compatible with certain versions of Windows, nor other operating systems. I think the newest versions of the beta OpenVPN will ignore the command if it doesn't apply to the operating system, but most people aren't using that version.

If you use Windows 7, 8, or 10, you really need to add this command to your ovpn files.

Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: cryptostorm VPNleakage

Postby Operandi » Sun Nov 27, 2016 1:29 am

Khariz wrote: block-outside-DNS

That's the thing - this option is already present in the official Windows config files. "Blocking outside DNS" can be clearly seen in the console output.

And, again, only the England node seems to exhibit such an odd behavior.


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Sun Nov 27, 2016 1:35 am

I believe you, but it literally doesn't make any sense. If the client is blocking all DNS requests from being made anywhere but the tunnel's set DNS server, a failure would result in a failed lookup, not a leak. Even if the England node's DNS were malfunctioning, it wouldn't attempt to use DNS servers that weren't set as an alternate in your TAP adapter.

I suggest this: connect to the England node and then manually open the settings on your TAP adapter and see if you have a secondary DNS server set. Or open up a command prompt and do an ipconfig /all and see if your TAP adapter is reporting multiple DNS servers set. It should only have the internal 10.x.x.x server set.
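
The check suggested in the post above can be automated against saved `ipconfig /all` output. This is an added example, not part of the original thread and not cryptostorm's code; it assumes English-language output, that the tunnel adapter's Description contains "TAP", and that 10.0.0.0/8 is the tunnel's resolver range.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   DNS Servers . . . . . . . . . . . : 10.55.0.1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

KEY_LINE = re.compile(r"^\s+(.*?)[ .]+:(?:\s(.*))?$")  # "   Key . . . : value"
TUNNEL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed "internal 10.x.x.x" range

def parse_adapters(text):
    """Return {adapter name: {"description": str, "dns": [str, ...]}}."""
    adapters, current, in_dns = {}, None, False
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        if not line[0].isspace():  # unindented: adapter header, or a banner to ignore
            current, in_dns = None, False
            if line.rstrip().endswith(":"):
                current = adapters.setdefault(line.rstrip(" :"), {"description": "", "dns": []})
        elif current is not None:
            m = KEY_LINE.match(line)
            if m:
                key, value = m.group(1), (m.group(2) or "").strip()
                in_dns = key == "DNS Servers"
                if key == "Description":
                    current["description"] = value
                elif in_dns and value:
                    current["dns"].append(value)
            elif in_dns:  # value-only continuation line: one more resolver
                current["dns"].append(line.strip())
    return adapters

def tap_dns_outside_tunnel(text):
    """List (adapter, resolver) pairs where a TAP adapter has a resolver outside 10.0.0.0/8."""
    def outside(server):
        addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
        return addr.version != 4 or addr not in TUNNEL_NET
    return [(name, s) for name, info in parse_adapters(text).items()
            if "TAP" in info["description"].upper()
            for s in info["dns"] if outside(s)]
```

An empty list from `tap_dns_outside_tunnel` means the TAP adapter only lists resolvers inside the tunnel range; any entry is a secondary resolver of the kind the post says to look for.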


Topic Author
Anonymous poster

Re: cryptostorm VPNleakage

Postby Anonymous poster » Sun Nov 27, 2016 5:44 am

I just found some links on vpntesting.info that might be helpful to figuring out this issue:

Methodology and detailed results for Windows 7 leak test: https://vpntesting.info/Initial-Win7-Results.html
Methodology and detailed results for Mac OS X leak test: https://vpntesting.info/Initial-OSX-Results.html
Leak test guide written by the guy who performed the leak test: https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-leak-test


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Sun Nov 27, 2016 6:32 am

Ahh, okay. He was interrupting the links to test for leaks during disconnects and interruptions.

As CryptoStorm doesn't have any kind of "Network Lock" feature, that easily explains why he experienced DNS leaks. He was intentionally trying to create them and succeeded.

The 6 that passed his test all have competent firewall-rule-based network locks that cause your entire internet-facing network to 100% fail when the connection is not tunneling out of the TAP adapter.

I now believe that the test results are accurate, but CS has never made any claims to the contrary. You won't find CS saying "you won't leak your ISP's DNS if you disconnect from our network". Of course the CS client or OpenVPN leak DNS in the event of the crash. Neither have Network Lock features.


Topic Author
Anonymous poster

Re: cryptostorm VPNleakage

Postby Anonymous poster » Sun Nov 27, 2016 5:36 pm

Are you saying that cryptostorm doesn't have an Internet killswitch? Isn't that a basic feature that most VPNs have? If a user were to download something via BitTorrent and leave his/her computer on overnight, cryptostorm would happen to disconnect and pirate hunters/copyright nazis would happen to monitor one or several of the torrents the user is downloading, then the user is screwed.

Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: cryptostorm VPNleakage

Postby Operandi » Sun Nov 27, 2016 9:23 pm

@Khariz

It doesn't seem to be a DNS-related issue, as I don't even use any DNS servers located in my country. Most likely an IP-address leak of sorts. Oddly enough, it happens only when visiting a certain couple of sites via a certain exit node.

UPDATE: I finally decided to give the cs widget (3.0.0.56) a try, and... still the same thing with the England node. I have no bloody idea what's going on.


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Sun Nov 27, 2016 10:23 pm

Anonymous poster wrote: Are you saying that cryptostorm doesn't have an Internet killswitch? Isn't that a basic feature that most VPNs have? If a user were to download something via BitTorrent and leave his/her computer on overnight, cryptostorm would happen to disconnect and pirate hunters/copyright nazis would happen to monitor one or several of the torrents the user is downloading, then the user is screwed.


That's correct. With CS, if you get disconnected while downloading, you are "screwed", unless you are savvy enough to know how to build your own network lock via firewall rules (which most people are admittedly not). Hell, I'm pretty much too lazy to bother with that even though I know how. I like the software to do it for me.

PJ has expressed his opinion in the past that nobody has a truly functioning Network Lock and that everyone is lying to us, and that's why CS doesn't need one (but he is wrong, as a good handful of VPN providers now have truly good network lock functionality based both on windows firewall and WFP policy rules). I'll give him this though, there are just as many VPN providers with crappy network locks that don't work as advertised. But some, like AirVPN and IVPN as examples, truly function like they are supposed to, completely killing your network if you get disconnected.

So yeah, if disconnection-based leakage is a concern of yours, you definitely want to look elsewhere for now.


Topic Author
Guest

Re: cryptostorm VPNleakage

Postby Guest » Mon Nov 28, 2016 12:14 am

Why not just take a peek under AirVPN's hood if cryptostorm can't figure out how to make a functional Internet killswitch themselves? But yeah, looks like IVPN or maybe AirVPN is the best option at the moment. Too bad, in every other regard cryptostorm seems like a great VPN service.


Khariz
Posts: 163
Joined: Sun Jan 17, 2016 7:48 am

Re: cryptostorm VPNleakage

Postby Khariz » Mon Nov 28, 2016 3:44 am

Good point. The software is open source.

