As there have been a number of instances in which cryptostorm members are facing local network firewalling of wide swaths of UDP traffic, we have been working on a TCP-based daemon framework to enable connections in this type of local networking environment. This is a generic version of our 1.2 revision configuration framework itself, stripped-down to its cryptographic essentials in order to provide the widest possible range of connect abilities without losing any of our essential security components. It should work for most OS flavours, and even for the widget with a bit of tweaking of the underlying widget config file settings.
note: this is a beta distribution, as it has not received extensive in-house staff testing - we are releasing it in order to receive further community input and assistance in the testing. If you use it, please post your results in this thread so that we are able to improve and track this connection framework.
We do not recommend that members use TCP-based sessions unless it is absolutely necessary, and we are not engaging in the same level of intensive performance-tuning of these TCP-session instances as we do our mainline, UDP-based frameworks. This is because TCP over TCP is always going to be severely performance constrained; this is inherent to the structural underpinnings of such a network topology. More details can be found in this reference thread.
Finally, we are working on additional firewall/DPI transcendence techniques. In the short term, this involves routing of UDP packets via protocol masquerading. Medium-term, we are working with the Dust protocol to implement a broad-range, highly robust, extremely well-designed protocol obfuscation framework that is proven effective in the wild against essentially every known firewalling / filtering / DPI-based tool on the market today.
```
[root@bruno tcpvpn]# cat tcpvpn.conf
# cryptostorm_server version 1.2 config - TCP sessions
# beta version of deprecated TCP-over-TCP legacy support daemon
# discussion & details in http://serverconf.cryptostorm.org

daemon
local 220.127.116.11
port 443
proto tcp
dev tun

txqueuelen 286
# expanded packet queue plane, to improve throughput on high-capacity sessions
sndbuf 655368
rcvbuf 655368
# socket buffer sizes in bytes (each directive takes a single numeric argument)
# increase pre-ring packet buffering cache, to improve high-throughput session performance

# tun-ipv6
# we aren't yet supporting IPv6 as it's not supported fully by OpenVPN & OpenSSL
# several active dev projects are at work on this & we are following them regularly

persist-key
push "persist-key"
# not essential, but smooths SIGHUPs of individual openvpn processes as in new conf loads
persist-tun
push "persist-tun"
# retain tun instantiation client-side during reconnects, to smooth process

fast-io
# experimental directive in OpenVPN 2.3.2 - testing for performance gains on openvpn
# optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior...
# to the write operation

ca /etc/tcpvpn/easy-rsa/keys/ca.crt
cert /etc/tcpvpn/easy-rsa/keys/server.crt
key /etc/tcpvpn/easy-rsa/keys/server.key
dh /etc/tcpvpn/easy-rsa/keys/dh2048.pem
# standard PKI/CA asymmetric key materials storage
# we manually generate & manage all key materials firsthand via cryptographic best practices

script-security 2
auth-user-pass-verify /etc/tcpvpn/auth.sh via-file
client-connect /etc/tcpvpn/session_up.sh
client-disconnect /etc/tcpvpn/session_down.sh
# custom-generated script hooks into our token auth system
tmp-dir /tmp
# manually set temp directory, to ensure active swap over-writes temp data consistently

topology subnet
server 10.22.0.0 255.255.0.0
# internal, non-routed subnet topology for ephemeral network member assignment
# essentially, an internal DHCP framework for client-to-exitnode tunnelized packet transit
float
# allows client to change IP, as with DHCP re-lease, & retain secure session...
# if HMAC continues to validate
push "redirect-gateway def1"
push "redirect-gateway bypass-dhcp"
# directives to allow clients to re-lease local DHCP outside of secure session via...
# LAN route details & metrics
allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration

# these below are our selected DNS services for within-network canonical resolution
push "dhcp-option DNS 18.104.22.168"
push "dhcp-option DNS 22.214.171.124"
# OpenNICproject.org, Canuck-optimised :-)
push "dhcp-option DNS 126.96.36.199"
# Telecomix is.gd/jj4IER
push "dhcp-option DNS 188.8.131.52"
# CCC http://is.gd/eC4apk

duplicate-cn
client-cert-not-required
# we do not use certs to uniquely identify connected members...
# doing so is a serious security failure and needlessly endangers anonymity on-net
keepalive 20 60
# retains active sessions with connected members during temporary traffic lulls
max-clients 300
# caps the number of simultaneous connections to a specific exitnode machine

# fragment 1400
# mssfix 1400
# tunes the UDP session by fragmenting below the MTU upper bound
# much undocumented/unexpected behaviours result from these parameters, beware!
# we routinely test & refine these parameters, in-house, for best performance
# they cannot be 'pushed' to clients, as are required a priori for control channel setup

reneg-sec 1200
# cycle symmetric keys via tls renegotiation every 20 minutes
# an essential fallback to TLS-based 'perfect forward secrecy' via Diffie Hellman keygen
auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors
cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once cipher libraries offer our choice...
# AES-GCM is looking good currently
tls-server
key-method 2
# specification of entropy sources (PRNG) used in generation of key materials
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x, natively, thru ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.org
tls-exit
# exit on TLS negotiation failure

# comp-lzo no
# push "comp-lzo no"
# we are working towards removal of this from the network...
# but it sneaks in via client-side prefs

user nobody
group nobody
# nogroup on some distros
tran-window 256
# amount of overlap between old and new TLS control channel session keys allowed
# default is 3600, which is way too long to work with PFS & 1200 2nd key renegotiations

verb 5
mute 2
status /var/log/tcpvpn-status.log
log /var/log/tcpvpn.log
# rotating error & connection log parameters - cycle w/ each connection
# used to track packet-level errors within secure sessions
# does not retain any session-level detail - also wipes via regular session cycle
```
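Added here as an editor's check, not part of cryptostorm's distribution: a small Python linter that parses an OpenVPN server config in the comment syntax used above and flags the points this config's comments rely on (fast-io being a UDP-only optimisation, the single-argument form of sndbuf/rcvbuf, tran-window staying shorter than reneg-sec, a DHE tls-cipher for forward secrecy, the user/group privilege drop, and password auth backing client-cert-not-required). SAMPLE_CONF is a constructed condensation of the file above, not the full file.

```python
import shlex

# Constructed sample, condensed from the TCP server config quoted above (not the full file).
SAMPLE_CONF = """\
proto tcp
fast-io
sndbuf 655368
rcvbuf 655368
client-cert-not-required
auth-user-pass-verify /etc/tcpvpn/auth.sh via-file
reneg-sec 1200
tran-window 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
user nobody
group nobody
"""

def parse_ovpn(text):
    """Return [(directive, [args])] with '#' comments and blank lines stripped."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment to end of line
        if line:
            parts = shlex.split(line)         # honours push "quoted payload"
            opts.append((parts[0], parts[1:]))
    return opts

def check_config(text):
    """Return findings for the TCP-mode and hardening points the config above relies on."""
    opts = parse_ovpn(text)
    have = {d for d, _ in opts}
    args = {d: a for d, a in opts}            # last occurrence wins, as in OpenVPN
    findings = []
    if args.get("proto", ["udp"])[0].startswith("tcp") and "fast-io" in have:
        findings.append("fast-io has no effect with proto tcp (UDP-only optimisation)")
    for buf in ("sndbuf", "rcvbuf"):          # each takes exactly one numeric size
        if buf in args and (len(args[buf]) != 1 or not args[buf][0].isdigit()):
            findings.append(f"{buf} takes exactly one numeric argument")
    if "client-cert-not-required" in have and "auth-user-pass-verify" not in have:
        findings.append("client-cert-not-required without auth-user-pass-verify: no client auth")
    if "DHE" not in args.get("tls-cipher", [""])[0]:
        findings.append("tls-cipher not pinned to an (EC)DHE suite: forward secrecy not enforced")
    if "reneg-sec" in args and "tran-window" in args and \
            int(args["tran-window"][0]) >= int(args["reneg-sec"][0]):
        findings.append("tran-window should be shorter than reneg-sec")
    if not {"user", "group"} <= have:
        findings.append("daemon keeps root privileges: set user/group")
    if "comp-lzo" in have and args["comp-lzo"][:1] != ["no"]:
        findings.append("compression enabled: prefer comp-lzo no")
    return findings
```

Run `check_config(open("tcpvpn.conf").read())` against the real file to get the same findings list; on SAMPLE_CONF the only finding is the fast-io note.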