
github repository for Mac confs

Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

Postby Pattern_Juggled » Mon Mar 28, 2016 8:35 pm

I've taken the liberty of opening a very minimalist directory in our existing config repository, on github, for mac-specific config files... which, hopefully, will smooth the process of maintaining these without requiring manual fiddling on the part of members.

Mac-specific conf's at github

If anyone is interested in helping to populate this directory with relevant configs, please ping me or anyone on cors team and we'll pull you into that repository with write privileges.

Also: is it wise to maintain parallel versions of these conf's for Tunnelblick and Viscosity, respectively... or are they close enough in details that doing so would be overkill?

Many thanks, in advance, for helping to improve our support of our friends in the land of Mac - something we've been less than perfect in doing over the years, though not for lack of desire to improve!

Cheers.
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

pj@ðëëþ.be | keybase pgp | mit pgp | ðørkßöt-on-console | git 'er github
bitmessage: BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

Tunnelblick/OSX conf repository

Postby Pattern_Juggled » Tue Mar 29, 2016 2:31 am

And, thanks to @Chevalier____, there's now a properly-updated, dedicated Tunnelblick/OSX repository full of lovingly-crafted (ok, that's prolly a bit much) config files:

Yes, lovingly crafted Tunnelblick/OSX conf's

Many thanks!

parityboy
Site Admin
Posts: 1066
Joined: Wed Feb 05, 2014 3:47 am

Re: github repository for Mac confs

Postby parityboy » Tue Mar 29, 2016 5:06 pm

@PJ

Gah, you beat me to it. :D Anyway, I've opened my own repo (see sig.) which will primarily serve as a non-redundant (in practical terms) mirror of CS configuration files and other data.

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Tue Mar 29, 2016 9:19 pm

Thanks! I tried Viscosity for a month or so - it had a nice interface but the connections began acting weird and then I read in the docs they were using 2 different protocols to simulate openvpn (which isn't supported 'natively' on OS X FYI - I found it in the dev forums trying to troubleshoot Viscosity). But Tunnelblick recently had a lot of development and I'd recommend it over Viscosity - in case anyone is on the fence.

I'm currently porting the configs to iOS - maybe it'd be nice to have that inside the mac section too? I dunno, I'll post my results here.

parityboy
Site Admin
Posts: 1066
Joined: Wed Feb 05, 2014 3:47 am

Re: github repository for Mac confs

Postby parityboy » Wed Mar 30, 2016 6:18 am

@hashtable

Good work. From what I've seen, the configs are pretty much the same across the 'NIX/'nux platforms, apart from rcvbuf, sndbuf and txqueuelen. Android and OS X don't like these options, so I can only suspect that iOS won't like them either. Additionally, the <remote></remote> tags can cause issues with certain OpenVPN and/or network manager implementations, e.g. Arne Schwabe's OpenVPN for Android.


dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: github repository for Mac confs

Postby dccc » Thu Mar 31, 2016 7:55 pm

Hey,

the configs in the Mac directory on GitHub are fully compatible with the OpenVPN iOS App.

Connect your iOS device with iTunes and start to copy the configs into the OpenVPN app (in iTunes, navigate to the "Apps" tab of your connected iOS device, scroll to the bottom and select the OpenVPN app to be able to upload the configs). Don't forget to transfer the ca.crt file too! :-)

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Thu Mar 31, 2016 9:10 pm

Actually there's one line you need to change:

Code:

client
dev tun
# randomly select a node from the list below, for redundancy against DNS blacklisting-based session blocking attacks.
# see https://openvpn.net/archive/openvpn-users/2004-12/msg00055.html
resolv-retry 16
remote-random
# switch the urls for different configs
remote linux-southkorea.cryptostorm.net 443 udp
remote linux-southkorea.cryptostorm.nu 443 udp
remote linux-southkorea.cryptostorm.org 443 udp
remote linux-southkorea.cstorm.pw 443 udp
explicit-exit-notify 3
mssfix 1400
nobind
comp-lzo
down-pre
reneg-sec 0
hand-window 17
verb 4
mute 3
auth-user-pass
ns-cert-type server
auth SHA512
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# add this line here
client-cert-not-required
# not sure if crt needs to be inlined
tls-client
key-method 2
ca ca.crt


My original files got symlinked and lost somewhere... but I went back to the iOS discussion thread to figure out why the config wasn't working, and the one line that needs to be added is client-cert-not-required. I dunno why - also multiple settings are ignored by the app, but it doesn't seem to make a difference.


dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: github repository for Mac confs

Postby dccc » Thu Mar 31, 2016 11:07 pm

Hi hashtable,

The OpenVPN iOS app will not accept the configs when you don't add the ca.crt to the upload process (during the described process in iTunes) --> This would look like this:
[screenshot]

I don't want to change the Cryptostorm config files fundamentally (eg removing mention of certificate in the configs) unless the CS staff is cool with that.

On the other hand, the configs optimized for Mac (on GitHub) do work, when you add the ca.crt as standalone file during the process of installation in iTunes or Tunnelblick on OS X (as described on GitHub in Mac folder)


prospav
Posts: 13
Joined: Sun Jan 06, 2013 7:19 pm

Re: github repository for Mac confs

Postby prospav » Fri Apr 01, 2016 11:07 am

I would like to have the forum's help in trying to solve the OS X and iOS issues. Having read many of the forum discussions here and elsewhere on CS, I thought it would be beneficial to get this together and sorted. I am no programmer but a simple end user, trying to make it easier for others like me.

As far as I can see there are 2 methods of uploading our config files for both systems.
For reference purposes, I will use the file: cstorm_linux-frankfurt_udp.ovpn, f5bb00a, Dec 2, 2015 (FCLF named for discussion)

Let's begin with OS X (using 10.11.4)
2 methods to upload, A) Viscosity and B) Tunnelblick

A) Viscosity accepts FCLF as is. The end user only needs to upload the complete file. (Viscosity does create 4 lines for nodes as it does not accept the remote-random instruction)

B) Tunnelblick. The end user will need to separate the original FCLF into two, such that the certificate is saved as another file. Then the end user uploads both files into the program. A few more settings need to be done, but otherwise it works well as per forum users.

(Per previous discussions, Viscosity does not accept: rcvbuf, sndbuf and txqueuelen commands.
Any others? I don't know if Tunnelblick accepts these or not, as in the repository for Mac currently the Frankfurt file is without, but the new Dynamic one has them in (cut copy paste typo???))

Now for iOS 9.3.1, using OpenVPN 1.0.5 build 177.
Again, 2 upload methods via iTunes, C) single file and D) 2 files

C) FCLF is modified prior to upload, with the line ca ca.crt removed and another line, client-cert-not-required, inserted between tls-cipher and tls-client. (Whether or not the insertion should be elsewhere, maybe someone can shed more light on it)
This creates a "Standard profile" in the app.

D) FCLF is modified as per Tunnelblick, i.e. 2 files with the certificate separate, and these are uploaded. This creates an "External certificate profile" in the app (in my case, with a second line stating no certificate selected)

For iOS, it was mentioned previously that not all the code in the config files is accepted by the app. Please let the forum know how to improve the configs. On the OpenVPN forums, most configs try to include all parts in one file, such that cert, key etc. are part of the ovpn file.

And for my last comment, most OS X/iOS users are not so computer literate or inclined; they want a product that just works. Whilst I appreciate having the latest config files on GitHub, most users are not able to correctly download and save the files required, often creating mistakes via the text editors or elsewhere (as seen by the numerous help topics). Forum topics that are closed off from discussion but contain the latest downloadable files should be available for the average end user, so that they only copy-paste or upload as required. As new config files are created, the older posts should be deleted or archived, so that new users don't find them and create problems for themselves. Files need to be versioned as well.

Thanks :silent:

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Fri Apr 01, 2016 11:48 am

dccc wrote:
I don't want to change the Cryptostorm config files fundamentally (eg removing mention of certificate in the configs) unless the CS staff is cool with that.

On the other hand, the configs optimized for Mac (on GitHub) do work, when you add the ca.crt as standalone file during the process of installation in iTunes or Tunnelblick on OS X (as described on GitHub in Mac folder)


It's only one line of code that I got from the iOS thread. If you read through the app's FAQ (under 'more help') it says make sure to import the ca, cert, and key. But we don't have a cert or key because we input that manually. It also inserts a 'key direction' method, and ipv6 support is mandatory (can't shut it off).

Overall it's a badass app that works great and doesn't disconnect when switching between wifi / cellular data. But it won't follow the guidelines of a linux machine - neither iOS nor OS X supports the openvpn protocol 'officially' (trust me) - so these apps have to use what's available to hack together the spec, and the only way to make your traffic encrypted is for apple to be able to poke holes. I'm not paranoid about apple and it shouldn't affect anything on the internet - but that's the reality.

prospav wrote:I would like to have the forums help in trying to solve the OSX and iOS issues. Having read many of the forum discussion here and elsewhere on CS, I thought it would be beneficial to get this together and sorted. I am no programmer but a simple end user, trying to make it easier for others like me.


I've imported these files in every way - differently every time - I have no idea what I'm doing. Dragging files didn't work for Tunnelblick - but clicking the file normally did. When I tried this last month, clicking the file wouldn't detect the ca.crt in the same folder, but it should just be a double click away from config with Tunnelblick. Viscosity could log me on to 3-4 at the same time - it was 'on' more than Tunnelblick - but I highly doubt that's true. I don't think there's anything malicious in the code - but all VPN got FUCKKED with OS X 10.11 - and raped by 10.11.4. The dev forums are full of weird shit about how VPNs stopped working. They literally have changed the entire protocol layer for how these apps can connect. Again - because openvpn isn't supported, developers will have to hack it. Looking at some new APIs - I'm optimistic that there are ways to do it - maybe even better than before - but it's a different API in the core system and older apps won't necessarily 'fail' if you're using a deprecated protocol. It will still encrypt traffic once it leaves your computer or home router - but one developer was pissed to find like unencrypted http shit going down the wire to help satisfy the protocol ad hoc (apple is terrible at documenting new features). That's why I'm trying to put openvpn on a raspi or openwrt router - or at least restrict my router's settings to be linux securish and then openvpn from my computer. I'm testing both.

I could do a huge write-up on methods, software, etc. to best use a Mac (you could take an older Mavericks and basically kill it for netsec and it works pretty good). pf firewalls - blocking ports - killing the social widget processes and iCloud. I dunno - I use two laptops for testing anyway, and a few raspis with a few routers and 3 firewall apps and 5 guides etc. etc. I just love Mac.

fyi more devs use Macs than linux. state of the world 2016

parityboy
Site Admin
Posts: 1066
Joined: Wed Feb 05, 2014 3:47 am

Re: github repository for Mac confs

Postby parityboy » Fri Apr 01, 2016 9:31 pm

@prospav

I'm currently running Tunnelblick 3.6.0a on OS X 10.10.5. It accepts sndbuf and rcvbuf but NOT txqueuelen. Additionally, it appears to accept the inline certificate - however if you add the line "ca ca.crt" I think it will go looking for it (I need to verify this).

@hashtable

What you say about OS X El Capitan is quite surprising. Has Apple completely forgotten about secure remote working? Either way, I'll be sticking with 10.10.x. :p


dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: github repository for Mac confs

Postby dccc » Sat Apr 02, 2016 2:06 pm

Newly updated mac configs should work with Tunnelblick/iOS/Viscosity "out of the box" now (steps: download, import and connect)

The ca.crt is not needed as an extra file anymore. Tunnelblick, iOS and Viscosity now recognize the cert inside the config.

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Sat Apr 02, 2016 9:11 pm

This is what I was able to gather from the dev forums.. not trying to be a bummer... :wtf:

AFAIK OS X does not have OpenVPN support built-in.  You would have to talk to the OpenVPN about how best to import your .ovpn file (and, indeed, whether you'd need to install their software to act on it).

I would like to set the protocol for this shared manager to SSL. Is this possible ?
No.  NEVPNManager is used to set up “Personal VPN”, which always uses built-in VPN transports (IPsec or IKEv2).  There’s no built-in transport for SSL-based VPNs, so if you want to set that up you have to either write your own transport (which involves NETunnelProvider, which involves special entitlements) or use some other approach (like a configuration profile).

The OpenSSL implementation of TLS is available, but the preinstalled OpenSSL library is deprecated in OS X v10.7 and later for binary compatibility reasons. If you require OpenSSL, provide your own copy of this library instead, and statically link it into your program.

It is not possible to create app rules for Apple system apps. The one exception to this rule is Safari. In the case of Safari, the VPN can only tunnel the network traffic for web sites in certain domains, not all web sites.

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Sat Apr 02, 2016 9:21 pm

But if you can't tunnel it.. block it :)

murusfirewall.com/docs13/

murusfirewall.com/downloads/

murusfirewall.com/forum/

Apple kept OpenBSD's pf firewall (pfctl); it's not even used and rarely mentioned.

amazing guide on everything here:

github.com/drduh/OS-X-Security-and-Privacy-Guide

(they're highlighted not clickable links)

parityboy
Site Admin
Posts: 1066
Joined: Wed Feb 05, 2014 3:47 am

Re: github repository for Mac confs

Postby parityboy » Sun Apr 03, 2016 9:38 am

@thread

I've taken the liberty of adding OS X config files to my own github repo (see sig.). I've created a separate set for Tunnelblick and Viscosity - most notably, Tunnelblick supports (or perhaps simply ignores) sndbuf and rcvbuf parameters so I've left them in. Viscosity chokes on both - as well as txqueuelen - so I've taken all three out for that configuration set.

Next up is to test against the official OpenVPN client on OS X, but I suspect its config will be similar to Tunnelblick's.
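Added example (not code from the cryptostorm repository or from anyone in this thread): a small Python script that does by hand what prospav, dccc and parityboy describe above, i.e. turns a Linux-style .ovpn plus a separate ca.crt into a single-file profile per client, dropping the options that client rejects and inlining the CA in a `<ca>` block so nothing has to be imported next to the .ovpn. The per-client option lists (Viscosity rejects sndbuf, rcvbuf and txqueuelen; Tunnelblick 3.6 only txqueuelen; iOS treated like Viscosity) are taken from what was reported in this thread and are an assumption, not vendor documentation. The hostnames in the sample come from the South Korea config posted earlier; the buffer values and the certificate text are constructed placeholders.

```python
import re
from typing import List, Tuple

# Options each client rejects, as reported in this thread (parityboy: Viscosity
# chokes on all three, Tunnelblick 3.6 only on txqueuelen; iOS is assumed to
# behave like Viscosity). Assumption, not vendor documentation.
UNSUPPORTED = {
    "tunnelblick": {"txqueuelen"},
    "viscosity": {"sndbuf", "rcvbuf", "txqueuelen"},
    "ios": {"sndbuf", "rcvbuf", "txqueuelen"},
}

_REMOTE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)(?:\s+(\S+))?\s*$")


def remotes(ovpn_text: str) -> List[Tuple[str, int, str]]:
    """(host, port, proto) for every `remote host port [proto]` line; proto defaults to udp."""
    found = []
    for line in ovpn_text.splitlines():
        m = _REMOTE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), (m.group(3) or "udp").lower()))
    return found


def port_config(ovpn_text: str, ca_pem: str, client: str) -> str:
    """Turn a Linux-style .ovpn plus the CA PEM into a single-file profile for
    `client`: drop the options that client rejects and replace `ca ca.crt` with
    an inline <ca> block, so nothing has to be imported next to the .ovpn."""
    drop = UNSUPPORTED[client]
    inlined = "<ca>" in ovpn_text          # already single-file, keep it that way
    out = []
    for line in ovpn_text.splitlines():
        words = line.split()
        opt = words[0] if words else ""
        if opt in drop:
            continue                        # client-specific: leave the option out
        if opt == "ca":                     # external CA file reference
            if not inlined:
                out += ["<ca>", ca_pem.strip(), "</ca>"]
                inlined = True
            continue
        out.append(line)
    if not inlined:                         # no CA anywhere: still need one to verify the server
        out += ["<ca>", ca_pem.strip(), "</ca>"]
    return "\n".join(out) + "\n"


# Constructed sample: the option set of the South Korea config posted above,
# plus the three buffer options from the Linux configs (values made up here).
SAMPLE_OVPN = """\
client
dev tun
remote-random
remote linux-southkorea.cryptostorm.net 443 udp
remote linux-southkorea.cryptostorm.nu 443 udp
sndbuf 393216
rcvbuf 393216
txqueuelen 1000
auth-user-pass
auth SHA512
cipher AES-256-CBC
tls-client
ca ca.crt
"""

# Constructed placeholder, not a real certificate.
SAMPLE_CA = """-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    for client in UNSUPPORTED:
        print(f"# ---- {client} ----")
        print(port_config(SAMPLE_OVPN, SAMPLE_CA, client))
```

Save each variant as its own .ovpn and import it; the CA travels inside the file, which is what the later "out of the box" configs rely on. Anything the script does not know about (e.g. `remote-random`, which one poster reports Viscosity expanding into one line per node) is passed through unchanged.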

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Tue May 03, 2016 10:11 pm

Hey, So I've gained a slightly more comprehensive understanding of the situation now.

1) Apple's court battle with the FBI has shifted the entire company's stance on encryption for the better.

2) VPNs broke during the beta phase of 10.11.4 - because they changed some underlying protocols for how to create the TLS connections / hypervisors etc. Basically, things broke during the transition; everything seems to work now (seems backwards compatible), but there might have been some last-minute code written to make it seem like it's working the same? I have no idea honestly.

3) On a positive note, after releasing 10.11.4, they finally released documentation on how to make secure VPN protocols, and Tunnelblick has shipped lots of betas since the release (easily found on github), so if you're using the latest version of OS X - definitely use the latest beta version of Tunnelblick (I can't comment on Viscosity)

4) You can also use dnscrypt in parallel with openvpn - someone wrote a nice gui for it - no programming skillz required

5) Vallum firewall is officially released - but the only way to set up a mac in such a way that it can only connect to the internet with vpn is if you change the pf settings. I have a program capable of creating pre-configured pf rules that can be shared with any mac - and it uses a simple drag n drop interface (if you're consuming it) - and before turning on, it shows every single file that's being added to the system, where it's located, what rules are being added, etc. - so it's not a black box, it's just meant for admins at a corporation with lots of macs to easily config a vpn secure firewall or some equivalent to hundreds of random macs.
Last edited by hashtable on Tue May 03, 2016 10:28 pm, edited 2 times in total.

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Tue May 03, 2016 10:18 pm

also, was anybody able to get iOS working without adding

client-cert-not-required

???


thisis4thepeople
Posts: 22
Joined: Sat Jun 13, 2015 9:08 am

Re: github repository for Mac confs

Postby thisis4thepeople » Sat May 07, 2016 11:03 am

Yes, they work fine on iOS.


Abc

Re: github repository for Mac confs

Postby Abc » Tue May 10, 2016 9:31 pm

If you don't mind, can you share those confs and prog?

hashtable wrote:5) Vallum firewall is officially released - but the only way set up mac in such a way that it can only connect to the internet with vpn is if you change the pf settings. I have program capable of creating pre-configured pf rules that can be shared with any mac - and it uses a simple drag n drop interface (if you're consuming it) - and before turning on, it shows every single file that's being added to the system, where it's located, what rules are being added, etc. - so it's not a black box, it's just meant for admins at a corporation with lots of macs to easily config a vpn secure firewall or some equivalent to hundreds of random macs.


dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: github repository for Mac confs

Postby dccc » Wed May 11, 2016 2:34 pm

Yes, all mac configs at GitHub are now fully compatible with Tunnelblick/Viscosity/OpenVPN iOS App!

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Mon May 16, 2016 5:14 am

Abc wrote:If you don't mind, can you share those confs and prog?

hashtable wrote:5) Vallum firewall is officially released - but the only way set up mac in such a way that it can only connect to the internet with vpn is if you change the pf settings. I have program capable of creating pre-configured pf rules that can be shared with any mac - and it uses a simple drag n drop interface (if you're consuming it) - and before turning on, it shows every single file that's being added to the system, where it's located, what rules are being added, etc. - so it's not a black box, it's just meant for admins at a corporation with lots of macs to easily config a vpn secure firewall or some equivalent to hundreds of random macs.



Sure, for now I'll copy/paste some of the files that would be implemented for pf. Ideally I'd like to read up on pf and implement a custom strategy which won't use some of the murus defaults. Vallum is just whatev. sometimes I block a lot of shit, sometimes I don't, it's easy to modify.

First, it will start a launchdaemon that runs this bash script:

Code:

#!/bin/sh
#
# Murus pf boot script for OS X 10.9 and 10.10
#
# Murus is a pf GUI for OS X
# www.murusfirewall.com
# by The Murus Team
# info@murus.it
#
# This file is public domain.
#
#
# V 1.0.1 (June 2015)
# no forwarding
#
#
# We need to trap on TERM signals, according to Apple's launchd docs:
#
trap 'exit 1' 15

#
# Use the "ipconfig waitall" command to wait for all the interfaces to come up:
#
ipconfig waitall
sleep 7
#
# System sysctl
#
sysctl -w net.inet6.ip6.fw.verbose=0
sysctl -w net.inet.ip.fw.verbose=0
sysctl -w net.inet.ip.fw.verbose_limit=0

#
# interface forwarding disabled
#
sysctl -w net.inet.ip.forwarding=0

#
# enable pf using tokens and load Murus rules
#
/sbin/pfctl -E
/sbin/pfctl -f /etc/murus/murus.conf

...


There are some additional dummynet and logging configs I didn't feel were relevant at the moment, but if it's possible to modify this file (I'm not sure, maybe?) I bet there are additional sysctl settings that would be optimal for CS (I've looked at CS server / client sysctl setups on github)

Here's the main conf - I'll try to comment out Murus-specific rules so that it could be implemented by using pfctl and creating your own pf.conf or modifying the system pf.conf located in the /etc directory.

Code:

set   block-policy drop
set   fingerprints '/etc/pf.os'
set   skip on lo0
scrub-anchor   "com.apple/*"

# 'loads anchors' (didn't include here) - loading Apple's anchor is optional

include   '/etc/murus/murus.tables'
include   '/etc/murus/murus.blacklist'

# murus.tables:
table <Everyone> {0.0.0.0/0 ::/0 } persist
table <192.168-net> {192.168.0.0/16 } persist
table <10-net> {10.0.0.0/8 } persist
table <172.16-net> {172.16.0.0/12 } persist
table <IPv6-net> {fe80::/10 } persist
table <169.254-net> {169.254.0.0/16 } persist
table <vpn> {0.0.0.0/0 } persist

# notice I disabled ipv6 in the vpn - later on it's implemented exclusively for the utun0 interface

# these settings can be turned on / off in preferences
pass  quick on awdl0  flags any no state
pass  quick on p2p0  flags any no state
pass  quick on utun0  flags any no state
pass  quick on utun1  flags any no state

block in quick  from <_blacklist> to any  label "BlackList_IN"
block out quick  from any to <_blacklist>  label "BlackList_OUT"

# this is also optional and everything below can be turned off by default (my router doesn't implement
# ipv6 so it's only local ipv6 being used. Apple is making ipv6 mandatory very soon fyi)

block in quick  from no-route to any
block in quick  from urpf-failed
block  inet from any to any  label "Block_V4"
block  inet6 from any to any  label "Block_V6"
anchor   'com.apple/*'
load   anchor 'com.apple' from '/etc/pf.anchors/com.apple'
pass   proto icmp
block in quick inet proto icmp all icmp-type echoreq
pass in quick  proto udp from any port {5353} to any port {5353} allow-opts
pass out quick  proto udp from any port {5353} to any port {5353} allow-opts
pass out quick  proto {tcp, udp} from any port {68} to any port {67}
pass in quick  proto {tcp, udp} from any port {67} to any port {68}
pass  quick inet6 proto udp from any to any port {546}
pass  inet6 proto ipv6-icmp  icmp6-type {128, 130, 131, 132,133, 134, 135, 136, 143} allow-opts
pass   proto igmp allow-opts
pass  quick  from any to {224.0.0.0/4 ff00::/8}  allow-opts

# the following is loaded via an anchor, but it's the most important set of rules and what I
# configured personally (most of what's above is default in the config)

block out  proto {tcp, udp} from any to any port {1:65535}
block out  proto {tcp, udp} from any to any port {53 67 68 123 389 636 5353 5354}
pass out on utun0  proto {tcp, udp} from any to <vpn> port {53 67 68 123 389 636 5353 5354}
block out  proto tcp from any to any port {80 443}
pass out on utun0  proto tcp from any to <vpn> port {80 443}
block out  proto tcp from any to any port {22}
pass out on utun0  proto tcp from any to <vpn> port {22}
block out  proto {tcp, udp} from any to any port {49152:65535}
pass out on utun0  proto {tcp, udp} from any to <vpn> port {49152:65535}
pass out  proto {tcp, udp} from any to any port {123}
block out  proto udp from any to any port {53}
pass out on utun0  proto udp from any to <vpn> port {53}
block out  proto tcp from any to any port {20 21}
pass out on utun0  proto tcp from any to <vpn> port {20 21}
block out  proto {tcp, udp} from any to any port {80 443 554 3689 5353 6001 6002}
pass out on utun0  proto {tcp, udp} from any to <vpn> port {80 443 554 3689 5353 6001 6002}



It's not perfect by any stretch of the imagination, should be optimized. I could add cryptostorm host ip's and create a default config where vpn could theoretically just remain as the default on your machine. However, because utun0 isn't loaded initially there's some weirdness that needs to be implemented and makes it less predictable, so I usually turn on the vpn-only pf firewall AFTER connecting to the vpn and utun0 is loaded. It might not stop all connections but it should def. kill the internet if the vpn goes down. which (at the moment) also prevents me from starting the vpn again.
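The "kills the internet if the VPN goes down, which also stops me starting it again" problem above is what this added example addresses. It is neither Murus's ruleset nor the poster's; it is a Python generator written for this page that reads the `remote` lines of an .ovpn and emits a pf ruleset in which the tunnel interface is open, the physical uplink carries only DHCP, optionally DNS, and OpenVPN's own traffic to the listed endpoints, and everything else is dropped in both directions. Because the endpoints stay reachable on the uplink, OpenVPN can reconnect while the kill switch is loaded. Assumptions: en0 is the uplink and utun0 the tunnel interface (both parameters), and the sample config is constructed from the hostnames posted earlier in the thread. Two caveats a practitioner should know: pfctl resolves the hostnames in the table when the ruleset is loaded, so load it while DNS works (or put pinned IPs in the table instead), and DNS on the uplink is the one cleartext leak this design accepts, since OpenVPN has to resolve its remote names before the tunnel exists; set `allow_dns=False` if you pin IPs.

```python
import re
from typing import List, Tuple

_REMOTE = re.compile(r"^\s*remote\s+(\S+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_remotes(ovpn_text: str) -> List[Tuple[str, int, str]]:
    """(host, port, proto) for every `remote` line; OpenVPN defaults proto to udp."""
    out = []
    for line in ovpn_text.splitlines():
        m = _REMOTE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), (m.group(3) or "udp").lower()))
    return out


def kill_switch_rules(remotes, uplink: str = "en0", tun: str = "utun0",
                      allow_dns: bool = True) -> str:
    """pf ruleset: the tunnel interface is open, the physical uplink only
    carries DHCP, (optionally) DNS, and OpenVPN's own traffic to the listed
    endpoints. Everything else is dropped, also while the tunnel is down, but
    the VPN can still be (re)started because its endpoints stay reachable."""
    hosts = sorted({h for h, _, _ in remotes})
    endpoints = sorted({(proto, port) for _, port, proto in remotes})
    rules = [
        "# VPN-only egress, generated from the .ovpn remote lines",
        "set block-policy drop",
        "set skip on lo0",
        # pfctl resolves these hostnames when the ruleset is loaded, so load it
        # while DNS works, or replace the names with pinned IPs
        "table <vpn_endpoints> { " + " ".join(hosts) + " }",
        "block all",                                  # default deny, both directions, v4 and v6
        f"pass quick on {tun} keep state",            # anything inside the tunnel is fine
        f"pass out quick on {uplink} proto udp from any port 68 to any port 67 keep state",  # DHCP
        f"pass in quick on {uplink} proto udp from any port 67 to any port 68 keep state",
    ]
    if allow_dns:
        # needed so OpenVPN can resolve the `remote` hostnames; this is the one
        # cleartext leak the design accepts, drop it if you pin IPs in the table
        rules.append(f"pass out quick on {uplink} proto {{ tcp udp }} to any port 53 keep state")
    for proto, port in endpoints:
        rules.append(f"pass out quick on {uplink} proto {proto} to <vpn_endpoints> port {port} keep state")
    return "\n".join(rules) + "\n"


# Constructed sample using the hostnames from the config posted earlier.
SAMPLE_OVPN = """\
client
dev tun
remote-random
remote linux-southkorea.cryptostorm.net 443 udp
remote linux-southkorea.cryptostorm.nu 443 udp
auth-user-pass
"""

if __name__ == "__main__":
    print(kill_switch_rules(parse_remotes(SAMPLE_OVPN)))
```

Write the output to a file, syntax-check it with `sudo pfctl -nf /path/to/rules.conf`, then load and enable with `sudo pfctl -ef /path/to/rules.conf`. If you keep hashtable's `pass quick on utun0 flags any no state` style instead of `keep state`, the ordering still matters: `block all` has no `quick`, so every later `pass quick` wins for the traffic it names and the block catches the rest.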


thisis4thepeople
Posts: 22
Joined: Sat Jun 13, 2015 9:08 am

Re: github repository for Mac confs

Postby thisis4thepeople » Mon Jun 06, 2016 2:22 pm

The dynamic config stopped working on my iPhone. It keeps connecting until it times out.


dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: github repository for Mac confs

Postby dccc » Mon Jun 06, 2016 3:50 pm

thisis4thepeople wrote:The dynamic config stopped working on my iPhone. It keeps connecting until it times out.


Yes, it's a config problem. i.e. Tunnelblick accepts 64 remote options only (limited to 64 'remote' options).
--> Too many nodes :angel:


dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: github repository for Mac confs

Postby dccc » Mon Jun 06, 2016 11:37 pm

Oh and since you're on iOS: OpenVPN App was updated recently and they've changed some default settings --> go into the OpenVPN App settings and turn on 'Force AES-CBC ciphersuites' Cryptostorm should work again after that.


thisis4thepeople
Posts: 22
Joined: Sat Jun 13, 2015 9:08 am

Re: github repository for Mac confs

Postby thisis4thepeople » Wed Jun 08, 2016 12:10 am

dccc wrote:Oh and since you're on iOS: OpenVPN App was updated recently and they've changed some default settings --> go into the OpenVPN App settings and turn on 'Force AES-CBC ciphersuites' Cryptostorm should work again after that.


Great, that worked on iOS, thanks a lot.

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Sun Jul 10, 2016 8:33 am

Hey, so I noticed in the linux repo lists a few commands to disable ipv6 - but why not the love for mac???

Code:

networksetup -setv6off Wi-Fi


It should work on 10.9 > (even works on macOS beta so hopefully future proof)

To see a list of avail ports you can do

Code:

networksetup -listallnetworkservices

# It'll say something like this:
An asterisk (*) denotes that a network service is disabled.
Ethernet
Wi-Fi
Bluetooth PAN


Use whatever interface you connect to the internet with as the last argument in the first command I wrote above (it could be Thunderbolt Ethernet or USB Ethernet or whatever).

Also this app seems to work pretty well with Tunnelblick

- dnscrypt

If you can find the secret path inside the pref pane app - you can just switch the list with the latest one
- dnscrypt-resolvers.csv

and also (please tell me if this is completely stupid) - but I noticed all the deepdns urls I've tried work with dnscrypt. So I just copy/paste an existing line, add it onto the list, then copy/paste the deepdns url associated with whatever I'm connected to, BEFORE CONNECTING, and it seems to work... just remember whether or not it's running, because Tunnelblick will not override the dnscrypt IP regardless of which server you choose.

hashtable
Posts: 40
Joined: Sat Mar 26, 2016 4:27 pm

Re: github repository for Mac confs

Postby hashtable » Sat Sep 24, 2016 6:49 pm

the above commands aren't necessary because openvpn automatically does this - but still useful info

