

Topic Author
vpn_newbie
Posts: 8
Joined: Thu Aug 10, 2017 3:09 am

newbie clarification help

Postby vpn_newbie » Wed Aug 16, 2017 12:23 pm

Hello CS people,

questions questions questions...

1/
About my CS plan, I have it for 1 year, for 4 devices.
Does that mean that I can use 4 at the same time, but I can have them installed on 10 devices?
For instance, I set up my raspberry pi, my android, my machine, my laptop, my mother's computer, my father's android...
...but only 4 can use the CS vpn service?
And if so, how is that determined? first 4, and the rest are cut off, or last 4, as in if the 5th logs in, the 1st is bumped out?
Or does CS support just 4 devices and that is it?

2/
As I understood, the connection between my computer and CS is encrypted, from there on it is not. That way I can surf anonymously.
But what if I log into some accounts? (websites, gmail,...)
Do I need to restart cs service after that?

3/
How about a mail client that is always running? Does that go via CS too? Am I leaking info if I run a mail client?

4/
so, in this thread viewtopic.php?f=46&t=5256
there is a picture [image not reproduced] to set DNS.
Problem (?) on my gentoo gnu/linux machine:
before I entered those IPs from that picture, I could visit IP/DNS test websites (https://ipleak.net and https://www.dnsleaktest.com/), but there was an IP leak on both sites: I could see my IP along with CS's IP.
As I set the picture's IPs in my router, I can not access ipleak.net at all, and https://www.dnsleaktest.com/ gets CS's IP, but if I click test, it gets stuck on 'Test in progress...' forever.
Otherwise, I can surf the web just fine.

these sites I can visit (with DNS set as in the picture), and they show just CS's IP:
http://whatismyipaddress.com/
https://www.whatismyip.com/
http://ipaddress.com/
https://www.iplocation.net/find-ip-address

On my windows laptop I have no such problem, with or without DNS set on the router,
I can visit ipleak.net and https://www.dnsleaktest.com/ and they show just CS's IP.

I have no iptables running, or any rules for it,
which brings me to question number 5


5/
what is with those iptables? on linux, do I need them?
If I understand Lignus from that thread,
(/5a) those are the router's iptables(?),
(/5b) are Lignus's iptables rules good for a user(?):

Code:

# FLUSH (clear) any IPv6 rules
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -F

# DROP all IPv6 traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# ALLOW two-way traffic from LAN to VPN
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ***************************************************************************#
# DROP all traffic to the WAN that originates from the LAN clients          #
#     This prevents LAN traffic from going out unencrypted!                 #
# ***************************************************************************#
iptables -I FORWARD -i br-lan -o br-wan -j DROP
iptables -I FORWARD -i br-wan -o br-lan -j DROP

# ALLOW NAT to VPN
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# ALLOW HTTP, SSH, and DHCP access to router only over LAN interface
iptables -A INPUT -p tcp -i br-lan --dport 80 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p tcp -i br-lan --dport 22 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 68 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 67 -j ACCEPT

# ALLOW solicited traffic on WAN/VPN interface
iptables -A INPUT -i br-wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# DROP unsolicited traffic on ALL interfaces
iptables -A INPUT -i br-lan -j DROP
iptables -A INPUT -i br-wan -j DROP
iptables -A INPUT -i tun0 -j DROP

(/5c) and in which file should I put them on the router?
(/5d) do I need iptables rules?


Thank you all for reading this far, if you could help with some of the questions, please do.

Kind regards


parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Re: newbie clarification help

Postby parityboy » Fri Aug 18, 2017 7:51 pm

@OP

1. Yes, it's 4 simultaneous connections. Once 4 simultaneous connections are established, a 5th will fail to authenticate.

2. For clarification: the connection from your computer is tunnelled (and encrypted) so that your ISP can only see VPN traffic going between your router and the VPN exit node - they will have no idea what the ultimate destination of your traffic will be. Once your traffic exits the tunnel and leaves the exit node, its state will depend on the ultimate endpoint. Connection to a remote machine via non-SSL protocols will be plain and unsecured, whereas HTTPS, IMAPS and SSH will be encrypted.

3. Specifically with email (and perhaps other messaging protocols) somebody will know the source and destination email addresses, whether via a general packet sniffer (sniffing unsecured protocols) or via a mail relay. Obviously a mail protocol secured with SSL (IMAP4S, POP3S, SMTPS) will not reveal email addresses while travelling between machines, but whoever is operating the mail relays will see source and destination email addresses.

Therefore, using a VPN and then using your real name email address blows your anonymity away. VPN + pseudo email and/or burner email is the way to go.

4. So just to clarify, you're running the widget on your Windows machine, and OpenVPN on your Gentoo machine?


Topic Author
vpn_newbie
Posts: 8
Joined: Thu Aug 10, 2017 3:09 am

Re: newbie clarification help

Postby vpn_newbie » Fri Aug 18, 2017 11:50 pm

hey there ParityBoy, hello,

1/ understood, thank you

2/ yes, that clears up things, thank you very much

3/ now that 2nd is clear, this is also understandable, again, thank you

4/ windows laptop is running CS widget, connecting via wi-fi
to dd-wrt router (wrt54gl original, I did 30/30/30
and installed minimal and than vpn version of dd-wrt),
gentoo box is cable to dd-wrt, running openvpn,
tun as module, since there was no go with built in kernel.
I disabled ip6 and I run command openvpn --config oneOfYoursConfigFiles to get it up and running.


Parity, thank you so much on your time and input, any more is welcome

Kind regards, vpn_newbie


parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Re: newbie clarification help

Postby parityboy » Sat Aug 19, 2017 7:09 am

@OP

So just to be clear, your DD-WRT is NOT running an OpenVPN client? You have two simultaneous connections: one Windows, one Gentoo Linux? Is this correct?

Oh by the way - "than" is comparative, "then" is temporal. Like this. :)


Topic Author
vpn_newbie
Posts: 8
Joined: Thu Aug 10, 2017 3:09 am

Re: newbie clarification help

Postby vpn_newbie » Sat Aug 19, 2017 11:01 am

good morning parityboy, hello there,

here is my router, I guess openvpn is not running:
http://picpaste.com/dd-wrt-NTVx5tNt.png
(picture expires in one week)

I did not use windows laptop and gentoo box at the same time, yet,
I'll try today, first coffee and dogs...
But yes, I have two connections, one windows over wi-fi to router,
the other gentoo over cable to router.

and you are right, lapsus linguae, THEN is the word I meant to use,
I am sorry, I am not a native English speaker ;)

Thanks again Parity for your time and input


parityboy
Site Admin
Posts: 1104
Joined: Wed Feb 05, 2014 3:47 am

Re: newbie clarification help

Postby parityboy » Mon Aug 21, 2017 12:13 am

@OP

Thank you for the additional info. I don't use Gentoo (used to, years ago) but the basic rules should apply. I'll post an excerpt of my own firewall rules to help you along. On Ubuntu there's a package called iptables-persistent which uses scripts to load and save firewall rules, including at boot time.

The scripts are /etc/iptables/rules.v4 and /etc/iptables/rules.v6. rules.v6 is the shorter one so I'll post that first.

Code:

# Generated by ip6tables-save v1.4.21 on Tue Jul 28 22:11:07 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT


OK, so my rules.v4 looks like this:

Code:

# Generated by iptables-save v1.4.12 on Sat Nov  2 02:21:14 2013
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]

#  Accept traffic from localhost
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#  Accept traffic from LAN
-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

#  EXAMPLE: accept/permit traffic from/to the NL exit nodes
-A INPUT -i eth0 -s linux-netherlands.cryptostorm.net -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -d linux-netherlands.cryptostorm.net -p udp -m udp --dport 443 -j ACCEPT

#  All other traffic is accepted, but only through the VPN
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT


Obviously, edit it to suit the exit nodes you actually use as well as the address range of your LAN. :) By having DROP as the default policy, if the VPN drops for any reason, no traffic will leak - killswitch! One thing to be mindful of is the DNS - if you're using NetworkManager, the DNS will be updated automatically by the exit node when the VPN connection is established, and then reverted when it is shut down. If you're using OpenVPN manually or via some other means, I'm not sure what will happen.

As for the then/than thing, native English speakers are actually the worst offenders. :P

EDIT
Looked at the pic and no, the OpenVPN client isn't running. Domestic routers generally don't have the horsepower anyway, so apart from convenience, you're not missing anything.

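Both the router rules quoted in question 5b and the rules.v4 posted above rely on the same property: the only way out of the box is through tun0 (plus the one hole that carries the VPN session itself to the exit node), and everything else is dropped by default. The script below is an added example, not code from this thread or from cryptostorm, that parses rulesets in the two shapes seen here (iptables-save files with ":CHAIN POLICY" and "-A CHAIN ..." lines, and plain "iptables -A/-I/-P ..." command lines) and reports any egress chain whose default policy is not DROP and any ACCEPT rule that could send packets off-tunnel. The sample rulesets are constructed for the example; the exit-node name vpn-exit.example.invalid, the interface names and the LAN prefixes are placeholders you would replace with your own, and the audit deliberately treats a missing DROP policy as a finding even when explicit DROP rules exist.

```python
"""Audit an iptables ruleset for VPN killswitch properties (added example, not
from the thread). Reads iptables-save files (":CHAIN POLICY" / "-A CHAIN ...")
and plain "iptables -A/-I/-P CHAIN ..." command lines. The sample rulesets at
the bottom are constructed; vpn-exit.example.invalid is a placeholder name."""
import ipaddress
import shlex

OPTS = {"-t": "table", "-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-j": "target"}


def _parse_tokens(tokens):
    """Collect the options we audit from one rule/policy line; None for flushes."""
    r = {"table": "filter", "chain": None, "policy": None, "target": None,
         "in": None, "out": None, "src": None, "dst": None}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if t == "-F":                                   # flush: nothing to audit
            return None
        if t == "-P":                                   # -P CHAIN POLICY
            r["chain"], r["policy"] = nxt, tokens[i + 2]
            i += 3
        elif t in ("-A", "-I"):                         # -I may carry a rule number
            r["chain"] = nxt
            i += 3 if i + 2 < len(tokens) and tokens[i + 2].isdigit() else 2
        elif t in OPTS:
            r[OPTS[t]] = nxt
            i += 2
        else:                                           # -p, -m, --dport ... not audited
            i += 1
    return r


def parse_ruleset(text):
    """Return (policies, rules) for the IPv4 filter table. ip6tables lines are
    skipped: the thread's answer for IPv6 is simply to drop all of it."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":                              # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens = shlex.split(line)
        if tokens[0] == "ip6tables":
            continue
        r = _parse_tokens(tokens[1:] if tokens[0] == "iptables" else tokens)
        if r is None or r["table"] != "filter" or not r["chain"]:
            continue
        if r["policy"]:
            policies[r["chain"]] = r["policy"]
        else:
            rules.append(dict(r, raw=line))
    return policies, rules


def _is_local(addr, lan_nets):
    """True when addr is a loopback or LAN prefix (a hostname is never local)."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return net.is_loopback or any(net.subnet_of(lan) for lan in lan_nets)


def audit(text, vpn_ifaces=("tun0",), lan_ifaces=("br-lan",),
          lan_nets=("192.168.1.0/24", "10.13.37.0/24"), endpoints=()):
    """Return findings; an empty list means no egress path bypasses the tunnel."""
    lan = [ipaddress.ip_network(n) for n in lan_nets]
    policies, rules = parse_ruleset(text)
    findings = []
    # 1. Every egress chain in use must default to DROP, or a tunnel outage leaks.
    for chain in ("OUTPUT", "FORWARD"):
        in_use = chain in policies or any(r["chain"] == chain for r in rules)
        if in_use and policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'unset')}, not DROP")
    # 2. Every ACCEPT in an egress chain must stay on the tunnel, the LAN or loopback,
    #    or be the single hole that carries the VPN session to the exit node.
    for r in rules:
        if r["chain"] not in ("OUTPUT", "FORWARD") or r["target"] != "ACCEPT":
            continue
        contained = (r["out"] in vpn_ifaces or r["out"] in lan_ifaces or r["out"] == "lo"
                     or r["dst"] in endpoints
                     or (r["src"] and r["dst"]
                         and _is_local(r["src"], lan) and _is_local(r["dst"], lan)))
        if not contained:
            findings.append(f"{r['chain']} ACCEPT can leave outside the tunnel: {r['raw']}")
    return findings


# Constructed host ruleset in iptables-save form, modelled on the style used in the thread.
HOST_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -s vpn-exit.example.invalid -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -d vpn-exit.example.invalid -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
"""
# Same host with the two mistakes that quietly defeat the killswitch (constructed).
LEAKY_HOST_RULES_V4 = (HOST_RULES_V4.replace(":OUTPUT DROP", ":OUTPUT ACCEPT")
                       .replace("COMMIT", "-A OUTPUT -o eth0 -j ACCEPT\nCOMMIT"))
# Constructed router ruleset in command form, with DD-WRT-style bridge names as in the thread.
ROUTER_RULES = """\
ip6tables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br-lan -o br-wan -j DROP
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A OUTPUT -o br-wan -d vpn-exit.example.invalid -p udp --dport 443 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
"""
ENDPOINTS = ("vpn-exit.example.invalid",)

if __name__ == "__main__":
    for name, rules in (("host", HOST_RULES_V4), ("leaky host", LEAKY_HOST_RULES_V4),
                        ("router", ROUTER_RULES)):
        print(name + ":", audit(rules, endpoints=ENDPOINTS) or "OK")
```

Run it against your own `iptables-save` output (or the script you load on the router) by passing the file contents to `audit()` with your exit-node names in `endpoints`. Note that the audit only looks at the filter table's egress chains; it says nothing about DNS, which is the separate leak the thread discusses, and it does not evaluate negated matches (`! -s`), so check those by hand.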
