As there have been a number of instances in which cryptostorm members are facing local network firewalling of wide swaths of UDP traffic, we have been working on a TCP-based daemon framework to enable connections in this type of local networking environment. This is a generic version of our 1.2 revision configuration framework itself, stripped-down to its cryptographic essentials in order to provide the widest possible range of connect abilities without losing any of our essential security components. It should work for most OS flavours, and even for the widget with a bit of tweaking of the underlying widget config file settings.
note: this is a beta distribution, as it has not received extensive in-house staff testing - we are releasing it in order to receive further community input and assistance in the testing. If you use it, please post your results in this thread so that we are able to improve and track this connection framework.
We do not recommend that members use TCP-based sessions unless it is absolutely necessary, and we are not engaging in the same level of intensive performance-tuning of these TCP-session instances as we do our mainline, UDP-based frameworks. This is because TCP over TCP is always going to be severely performance constrained; this is inherent to the structural underpinnings of such a network topology. More details can be found in this reference thread.
Finally, we are working on additional firewall/DPI transcendence techniques. In the short term, this involves routing of UDP packets via protocol masquerading. Medium-term, we are working with the Dust protocol to implement a broad-range, highly robust, extremely well-designed protocol obfuscation framework that is proven effective in the wild against essentially every known firewalling / filtering / DPI-based tool on the market today.
Code: Select all
[root@bruno tcpvpn]# cat tcpvpn.conf
# cryptostorm_server version 1.2 config - TCP sessions
# beta version of deprecated TCP-over-TCP legacy support daemon
# discussion & details in http://serverconf.cryptostorm.org
# expanded packet queue plane, to improve throughput on high-capacity sessions
sndbuf size 655368
rcvbuf size 655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance
# we aren't yet supporting IPv6 as it's not supported fully by OpenVPN & OpenSSL
# several active dev projects are at work on this & we are following them regularly
# not essential, but smooths SIGHUPs of individual openvpn processes as in new conf loads
# retain tun instantiation client-side during reconnects, to smooth process
# experimental directive in OpenVPN 2.3.2 - testing for performance gains on openvpn
# optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior...
# to the write operation
# standard PKI/CA asymmetric key materials storage
# we manually generate & manage all key materials firsthand via cryptographic best practices
auth-user-pass-verify /etc/tcpvpn/auth.sh via-file
# custom-generated script hooks into our token auth system
# manually set temp directory, to ensure active swap over-writes temp data consistently
server 10.22.0.0 255.255.0.0
# internal, non-routed subnet topology for ephemeral network member assignment
# essentially, an internal DHCP framework for client-to-exitnode tunnelized packet transit
# allows client to change IP, as with DHCP re-lease, & retain secure session...
# if HMAC continues to validate
push "redirect-gateway def1"
push "redirect-gateway bypass-dhcp"
# directives to allow clients to re-lease local DHCP outside of secure session via...
# LAN route details & metrics
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration
# these below are our selected DNS services for within-network canonical resolution
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
# OpenNICproject.org, Canuck-optimised :-)
push "dhcp-option DNS 22.214.171.124"
# Telecomix is.gd/jj4IER
push "dhcp-option DNS 126.96.36.199"
# CCC http://is.gd/eC4apk
# we do not use certs to uniquely identify connected members...
# doing so is a serious security failure and needlessly endangers anonymity on-net
keepalive 20 60
# retains active sessions with connected members during temporary traffic lulls
# caps the number of simultaneous connections to a specific exitnode machine
# fragment 1400
# mssfix 1400
# tunes the UDP session by fragmenting below the MTU upper bound
# much undocumented/unexpected behaviours result from these parameters, beware!
# we routinely test & refine these parameters, in-house, for best performance
# they cannot be 'pushed' to clients, as are required a priori for control channel setup
# cycle symmetric keys via tls renegotiation every 20 minutes
# an essential fallback to TLS-based 'perfect forward secrecy' via Diffie Hellman keygen
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once cipher libraries offer our choice...
# AES-GCM is looking good currently
# specification of entropy sources (PRNG) used in generation of key materials
# implements 'perfect forward secrecy' via TLS 1.x, natively, thru ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# exit on TLS negotiation failure
# comp-lzo no
# push "comp-lzo no"
# we are working towards removal of this from the network...
# but it sneaks in via client-side prefs
# nogroup on some distros
# amount of overlap between old and new TLS control channel session keys allowed
# default is 3600, which is way too long to work with PFS & 1200 2nd key renegotiations
# rotating error & connection log parameters - cycle w/ each connection
# used to track packet-level errors within secure sessions
# does not retain any session-level detail - also wipes via regular session cycle