Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

android cryptostorm howto DEPRECATED | go to cryptostorm.org/android

Looking for a bit more than customer support, and want to learn more about what cryptostorm is , what we've been announcing lately, and how the cryptostorm network makes the magic? This is a great place to start, so make yourself at home!
User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

android cryptostorm howto DEPRECATED | go to cryptostorm.org/android

Postby Graze » Tue Oct 22, 2013 6:31 am

NOTE: GO HERE FIRST.

This thread is a bunch of us slowly getting to what became Tealc's wonderful summary.

STOP READING AND CLICK THAT LINK! ;)


Additionally, this thread offers some useful tools for enhanced security on your mobile device... :thumbup:



I've played with a few different settings and I just can't seem to get it working. any possible set up as of now to manage to get cryptostorm running on android?

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Fri Oct 25, 2013 3:29 am

I use a Nexus 4 with Android 4.3 and OpenVPN connect.

After renaming the config file type to *.ovpn I was able to import it. I entered my 'username and password' like I do in linux and was presented with the request for a certificate after hitting the connect button. Even though the ca.crt is inline I downloaded it from another thread and tried if it would accept it. Unfortunately it didn't.

Maybe the team has some idea.
home is where the artillery hits


Guest

Re: HOWTO: openvpn for android cryptostorm

Postby Guest » Fri Oct 25, 2013 5:52 pm

DesuStrike wrote:I use a Nexus 4 with Android 4.3 and OpenVPN connect.

After renaming the config file type to *.ovpn I was able to import it. I entered my 'username and password' like I do in linux and was presented with the request for a certificate after hitting the connect button. Even though the ca.crt is inline I downloaded it from another thread and tried if it would accept it. Unfortunately it didn't.

Maybe the team has some idea.



I've had better luck with openvpn for android as it keeps can.crts inline and can show it does.
I get across the problem as it states its authentication but then disconnects which I assume the problem is with the TLS cipher but I can't be certain.

User avatar

cryptostorm_team
ForumHelper
Posts: 159
Joined: Sat Mar 02, 2013 12:12 am

post-auth TLS handshake hiccups

Postby cryptostorm_team » Fri Oct 25, 2013 7:20 pm

Guest wrote:I've had better luck with openvpn for android as it keeps can.crts inline and can show it does.

I get across the problem as it states its authentication but then disconnects which I assume the problem is with the TLS cipher but I can't be certain.


To see the TLS error throw post-authentication is somewhat unusual, and suggests that there might be a hiccup that's not actually related to cipher suites even though the error message kind of makes it seem it is.

In general, if the session is going to throw a hard cipher fail it will do so before authentication as the TLS session itself instantiates before authentication in the OpenVPN security model; from within that bootstrapped TLS session, the auth parameters are then passed up to the server to confirm authentication. If the auth fails, the server will send a soft-reset down to the client (in theory - sometimes certain clients just read the auth fail as a hard reset, for mysterious reasons). There's exceptions to this general rule, but they tend to be relatively obscure questions of transient preexisting TLS sessions being invoked despite a re-key happening during the downtime between reconnect (we force a TLS-level session abort very quickly after the 1200-second rekey takes place, to minimise the risk of session hijacking via what are functionally orphaned prior sessions using expired ephemeral-exchanged symmetric keys).

We can diagnose that side of things pretty elegantly by simply checking to see if there's been any successful auths of the token being used - which we don't actually need your token for but rather only the hashed version of it (which is better than sending the token itself anywhere). If we can see that the hash has auth'd successfully via Mongo (our backend, distributed noSQL framework of choice) and that the auth has been passed back down to client-side, then we have narrowed the issue down to a very small window of possibly synch problems.

Also we can confirm that it's not a username-length problem causing this error to be thrown, which is one we've seen in alpha testing internally prior to some recompiles of edited source server-side. Depending on the build parameters of the OpenVPN client being deployed on Android that you've chosen, it's possible there's a hard-limit for username length (in bytes, anything less than 129) baked into the build. This would be a really easy fix, actually, as it's a simple source edit in the Android client app you're using (we know right where it is in the source) and the recompile is something we could do in-house with no problems as we've been working on our own opensource Android fork of the OpenVPN client for most of this year; ergo, we've got a compile platform already well-settled and all needed dependencies mapped and ready to go.

Thanks for helping to work on the Android side of things. If you're ok to pass up the hashed token, our lead developer who has been working specifically on the Android build this year can coordinate directly with you to debug what's going on. In fact, he's made successful test connects from an Android build in-house... although it's a somewhat modified kernel on a non-mainline Android build and thus might be slightly tweaked from the flavour (and version) of Android you're using.

Cheers,

    ~ cryptostorm_team
cryptostorm_team - a shared, team-wide forum account (not a person)
PLEASE DON'T SEND PRIVATE MESSAGES to this account, as we can't guarantee quick replies!
--> feel free to use any of our other contact channels, or post in the support forum
cryptostorm: structurally anonymous, token-based, unlimited ☂ bandwidth, opensource, darknet data security for everyone!
keybase.io validatorsonename.io validatorsPGP key @ MITnetwork statuscryptostorm github
support team bitmessage address: BM-2cTMH8K5JnjbfSALjZtSkRWCLfc3Tr8GBV
support team email: support@cryptostorm.is
live chat support: #cryptostorm


Guest

Re: HOWTO: openvpn for android cryptostorm

Postby Guest » Fri Oct 25, 2013 9:56 pm

with openvon for android not openvpn connect, the log in debug mode states peer connection initialised. push request status equals 1 then I get this. P:WRRAUTH: Received control message: AUTH_FAILED.

I'll do anything to help out. :)

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

HOWTO: CryptoStorm on Android (ICS or v4.0+)

Postby Graze » Sun Oct 27, 2013 11:50 pm

This is sort of technical, but really, it's just about following what I did, so if you can grit your teeth and avoid typos, this should work out ok.

I have used this in the past to torrent movies while at work over my work internet, and while they know I'm doing something non-standard, they don't know exactly what -- which is cool with me. ;)

It assumes you hardcode in an exitnode (in this case, our Montreal IP, as it's the only one we've released publicly from our alpha testing at this time) but will address that going forward with a "country select" option and some fast flux DNS wizardry, or so I hear.

Caveats:

  1. This was hacked together and may not be optimized or correct. Please add any comments below if you discover anything.
  2. This has been tested very lightly. No guarantees!
  3. This works on a rooted Samsung Galaxy running an AOKP Ice Cream Sandwich v4.2+ and probably works on some earlier OS's ... please tell me!
  4. This may have battery life implication. Arne (the guy who wrote the Open Source OVPN libs) notes this, and can only offer some suggestions on his pages (linked to further down.)

Instructions:

  1. First off, you're going to need to get this ca.crt file...
    ca2.crt
    (1.79 KiB) Downloaded 5780 times
    ... onto your phone somehow. Tether your phone and drop it into some directory (keep track of where you save it!) or mail it to yourself and save as an attachment. [EDIT: updated download to reflect post-heartbleed certs
    -cryptostorm_support
    ]

  2. Download this open-source client of OpenVPN. That Arne Schwabe guy did a great job with this app, and if it works out for you send him some $'s here. Source is here for the paranoid/wise.
  3. Once installed, run it, and you should see this:
    2013-10-27 13.43.36.png

  4. Now, click on the "+" to add a new account. Give it a name.
    2013-10-27 13.43.59.png

  5. Now you'll see the config menu with many options. Don't Panic! :) We'll work our way through them.
    2013-10-27 13.44.09.png

  6. Click on the first item "Basic"...
  7. Add the Server Address (IP) and Port as follows

    Code: Select all

    Server Address: 70.38.46.226
    Server Port: 443

    2013-10-27 13.46.38.png

  8. Ensure LZO Compression is checked (I think it was already so .. maybe ignore this line ;) )
  9. There is a Type dropdown right under the LZO Compression. Change it from Android Certificate to Username/Password:
    2013-10-27 13.46.45.png

  10. Now, right under that option is Client Certificate. This is where we go off and find that ca.crt file that we saved to our phone somewhere. Let's go get it!
    2013-10-27 13.47.32.png

  11. Ok, things are progressing well -- Now we hammer in our Username and Password. As a refresher, because of how we have decoupled people from payments, your Username is the SHA512 hash of your token, so... You'll want to take your token and (on your phone) put it in here and calculate the SHA512 hash.
    2013-10-27 15.02.22.png

  12. Take that SHA512 and use it as your Username (NOT password!!!)... Paste it in there. (**If you have problems pasting on your device for whatever reason, I ended up picking up a free app called EZ Copy&Paste, which allowed me to shove my SHA512 in there and I am suddenly wondering how I lived without it... Anyway....)

    2013-10-27 13.48.21.png

  13. Enter a password. Can be anything. Cannot be left blank (it complains about that later if you do...)
  14. Press the back button, and click on the Routing section
  15. Activate "Use default Route" for both IPv4 and IPv6
    15.png

  16. Press the back button, and click on the Advanced section
  17. Set "Connection retries" to unlimitedand select "Persistent tun" and "Enable Custom Options". This allows us to enter stuff as text, just like in the client.conf or client.ovpn file:
    17.png

  18. Under Custom Options, add the following (obviously, spelling counts!):

    Code: Select all

    ns-cert-type server
    cipher AES-256-CBC
    key-method 2
    fragment 1400
    tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    auth SHA512

    2013-10-27 15.18.27.png

  19. Return to the main menu where you can now see your newly created connection and go to the "Settings" tab on the top of your screen.
  20. Select both "Reconnect on reboot" and "Reconnect on network change"
    NEU.png

  21. Go to the main menu and click on your connection (mine was named "cryptostorm", so I clicked on that...)
  22. A bunch of logging text scrolls by. Bask in the matrix... :P
  23. You should see this at the end: "P:Initialization Sequence Completed" and hopefully no "AUTH_FAIL" in there...
  24. Test your connection:
    2013-10-27 14.07.15.png

I think that's it.

Any comments or improvements, please send them along!

Good luck!
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Mon Oct 28, 2013 12:49 am

@Graze: Check your mail. I sent a solution to your copy paste problem on android. ;)

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: openvpn for android cryptostorm

Postby Graze » Mon Oct 28, 2013 8:05 am

DesuStrike wrote:@Graze: Check your mail. I sent a solution to your copy paste problem on android. ;)

Many thanks - testing it out right now! :thumbup:

edited to add: our fix for this bug is successful in our test/sandbox environment; we're going to queue it for inclusion in the next production systems push, likely late in the day Monday (28 October).

Once that's done, and confirmed stable, I'll make sure a post comes up in this thread to confirm the bug is resolved - thanks again.
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: CryptoStorm on Android (ICS or v4.0+)

Postby Graze » Tue Oct 29, 2013 6:47 am

Also note that we do have a fork of this source in alpha, which will has a lot of this pre-selected so that we can hand it to people without this much fiddling. The good news is that even with the above, once you set it up it's done (oh ya, consider backing up your phone, just in case!)

Also, we made a slight server tweak that may make this work better for other clients as well. I'm too exhausted to try them, though, so if you had the other OpenVPN client almost working retry it and see if it's good now.

My next project will be iOS, possibly, though I have not tried a VPN over iOS in years, honestly, so I'm not looking forward to jumping over to that thread. I love the sexiness of Apple products, but that walls in the walled garden make getting non-standard things running a bit harder than they should be.

Anyway, thanks to DesuStrike for the help with the copy pasta issues, and everyone else for helping get this going!!

Graze
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Tue Oct 29, 2013 3:20 pm

Thanks for the guide. I'll try it out later even though I see nothing you did that a simple "import config" wouldn't have done, too. (apart from the username password thingie, of course.)

Concerning iOS: My first real smartphone was the iPhone 4 and I used it for years but I am now on android so I cannot do any testing with it. The only useable VPN Client is "openVPN connect" but I don't know how recent the openvpn binaries are in there.

The other one is a commercial product that doesn't do shit. Excuse my language but I almost paid money for it and was lucky some friend fell for their scam first.

All other VPN clients I found where service specific so you could not enter a custom server IP etc.

So if you find the time to do some testing I'd recommend you try openVPN connect first so you don't waste your time.
home is where the artillery hits

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: openvpn for android cryptostorm

Postby Graze » Tue Oct 29, 2013 6:51 pm

DesuStrike wrote:Thanks for the guide. I'll try it out later even though I see nothing you did that a simple "import config" wouldn't have done, too. (apart from the username password thingie, of course.)


(Typing on my phone - apologies for being terse)

I couldn't see an import in this app. In the other OpenVPN app, I get an error about the fragment option ???
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Tue Oct 29, 2013 7:45 pm

Ok, first of all: I managed to connect to the VPN via Arne Schwabe's "openVPN for Android". Whatever you guys changed server side it fixed the problems I ran into before.


@Graze:

OpenVPN for Android: Look at your the first screenshot you posted. Right there it tells you to press the folder icon to import a *.ovpn or *.conf file. That's what I did. It even recognizes the inline certificate.**

OpenVPN Connect: I didn't get any errors like you did. With this client you must import a *.ovpn file because it does not allow you to configure a connection by hand. The problem I had was that it did not recognize the inline certificate and adding a cert file didn't help either. So I guess the openvpn binary is out of date or something.


** If you run into any problems check if the following settings are switched on:
- "Pull Settings" in IP and DNS Menu
- "Use default Route" in Routing Menu (afaik very important to avoid leaks!)
- "Expect TLS server certificate" in Authentication/Encryption Menu
home is where the artillery hits


Guest

Re: HOWTO: openvpn for android cryptostorm

Postby Guest » Tue Oct 29, 2013 9:12 pm

works great!

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: openvpn for android cryptostorm

Postby Graze » Wed Oct 30, 2013 6:44 am

DesuStrike wrote:Ok, first of all: I managed to connect to the VPN via Arne Schwabe's "openVPN for Android". Whatever you guys changed server side it fixed the problems I ran into before.


@Graze:

OpenVPN for Android: Look at your the first screenshot you posted. Right there it tells you to press the folder icon to import a *.ovpn or *.conf file. That's what I did. It even recognizes the inline certificate.**
...


Um. So, um... That's pretty freakin' obvious. :P Ok, I owe you again. THANKS!!!

DesuStrike wrote:OpenVPN Connect: I didn't get any errors like you did. With this client you must import a *.ovpn file because it does not allow you to configure a connection by hand. The problem I had was that it did not recognize the inline certificate and adding a cert file didn't help either. So I guess the openvpn binary is out of date or something.
...


Ya, I got the impression that it was version related. Here's what I got:

2013-10-29 09.46.04.png


... as it says "...directive is not supported, nor is connecting to a server that uses..." which sort of implies that "fragment" is of a later version.
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)


Guest

Re: HOWTO: openvpn for android cryptostorm

Postby Guest » Wed Oct 30, 2013 8:07 am

make sure to download the latest openvpn for android by Arne, not currently on Google play. its a beta through Google+ but they are openly available on his site http://plai.de/android/ics-openvpn-0.5.47.apk

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Thu Nov 07, 2013 8:01 pm

Little Info: F-Droid has the newest version of Android for Android ready compiled to download.

I recommend everyone to install "F-Droid". This is an alternative App-Store for Android that only features opensource software. The maintainers of the main repo try to build everything themselves from source and also remove Anti-Features like google tracking in the process. Those builds are marked as "source". Anti-Features that could not be removed are clearly advertised on the app page so you don't end up running something you don't want to. Apps that were not build from source by the repo maintainers are marked as "bin". You have to trust the supplier of those bins in this case, wich are always the original authors of the app in question. (eg: Firefox for Android comes as a bin)
Last edited by DesuStrike on Sat Nov 09, 2013 4:11 am, edited 1 time in total.
home is where the artillery hits

User avatar

acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: openvpn for android cryptostorm

Postby acid1c » Thu Nov 07, 2013 11:29 pm

you mean openvpn for android desu? :p

great minds think alike. I'm glad to see it hit fdroid servers

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Sat Nov 09, 2013 4:14 am

acid1c wrote:you mean openvpn for android desu? :p

great minds think alike. I'm glad to see it hit fdroid servers


Haha. Yes I did indeed. Thanks for the notice, I just fixed it. :thumbup:
home is where the artillery hits


Guest

Re: HOWTO: openvpn for android cryptostorm

Postby Guest » Mon Jan 13, 2014 3:52 pm

Hi guys,
Thanks for this guide, it works a treat for me on 4.2.2 :clap:

But now I'm VPN'd I don't want Google to follow me, so I tried the latest Cyanogenmod 11 Nightly, and I'm afraid I can't get this to work.

I've checked all of the details with no luck, any ideas?

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Mon Jan 13, 2014 8:40 pm

Hmmm...

I'm on Cyanogenmod too but on a lower version. Reason is that with every Android version (speaking 4.2 -> 4.3 -> 4.4) Google is making an effort to make security relevant apps unsusable. I didn't test the latest CM 11 nightly but I tested an earlier one and openVPN worked fine. So I guess this time it's CM to blame and not Google?

Unfortunately I can't help you if you insist on using CM 11. I hope someone else can help you.


On the other hand: If you want a personal advice of me... Use either CM 10.2 or 10.1.3.

10.2 lets you use AFWall+ for an effective leakblock (See this thread for a guide!) and 10.1.3 lets you even use SetDNS (grab it somewhere else than the PlayStore... ;) ) for DNS-Leak security when using hostnames instead of IPs!


Ah: And also remember to use the 0.9d configs for Android as the newer ones are not yet ready for use on Android.


Cheers!
home is where the artillery hits

User avatar

Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Re: HOWTO: openvpn for android cryptostorm

Postby Pattern_Juggled » Tue Jan 14, 2014 5:01 am

DesuStrike wrote:Ah: And also remember to use the 0.9d configs for Android as the newer ones are not yet ready for use on Android.


We've got Android-specific server instances spun up and ready to be provisioned, so let's go ahead and fork client/server configurations specifically for Android - do you have any advice based on your work with the connections so far, as to parameters you know should be included or excluded from the Android-specific framework?

I know, for example, that iOS is unable to handle any --fragment directives or MTU customisation... so for those instances, we are removing all such things from config on client & server side.

Thanks!
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Tue Jan 14, 2014 5:36 pm

Pattern_Juggled wrote:do you have any advice based on your work with the connections so far, as to parameters you know should be included or excluded from the Android-specific framework?


Actually there is very little to chane for android.

I'd always go with the "ping n" command because I don't want my connection to drop because of battery saving mechanics of android but this might be a too personal opinion of mine and it doesn't help fight 100% of disconnects anyways. So it's a totally optional directive.

Other than that I only ran into problems when using more than one hostname based gateway with Arnes client. So your multi TLD approach will definitely not work with Android until Graze got some fork working that adds support for this!

I tend to recommend 0.9d for android user so they don't have to change the "remote*" directive but that's it.

If there is futher tweaking potential I don't know of it. I'm happy as long as my connection is stable, fast (as fuck) and doesn't make my token go haiwire. ;)


PS: A very strange fact which is 100% reproduceable is that Cantus is WAY faster than Bruno and Shadow with android. I can't see a reason why but I'm talking about 4 MBit/s vs 1,5 MByte/s here! (no typo!)
home is where the artillery hits

User avatar

Jarmer
Posts: 15
Joined: Sat Aug 17, 2013 9:10 pm

Re: HOWTO: openvpn for android cryptostorm

Postby Jarmer » Tue Mar 18, 2014 12:47 am

are there any plans for an android app by the cryptostorm team?

also, all these instructions are quite dated now aren't they? is there any post or place where we can get a pretty simple and easy to follow "here's how to connect on android " ...?

otherwise thanks so much for all the instructions.

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Tue Mar 18, 2014 4:03 pm

Well, I agree that this thread needs a major overhaul. Basically I'd just throw out everything but the first post (because the additional tools still work!), and just tell people to install "OpenVPN for Android by Arne Schwabe", download the newest RAW-Config from the appropriate thread and import that thing. Activate "seamless/persistent tun", disable "disable on screen off" and activate "reconnect on phone restart". DONE! (Yes this is kinda a quick guide for you. ;) )

Of course these steps should be presented in a nice pictured guide but I don't have the time on hands right now. Same goes for the team that is heels over top stuck with polishing out the new Windows widget.
Also there is a problem with the configs of Montreal and "United National Security Agency" (USA) that causes the connection to fail. You must remove "txqueuelen 686" from those configs because Android does not allow this feature.


All in all the forum situation is kinda messy right now:
  • We don't have configs for every commonly used device.
  • Our configs, though having the same version number, do not match up. (Lacking attributes or having them set differently.)
  • Not all configs are posted in the official "newest configs"-thread.
  • Depending on the VPN-software some attributes of the configs get discarded upon import. (Only a CrypotoStrom widget could fix this.)
  • Many guides are messy and/or outdated.

This leads to people often having to figure out stuff on their own or asking for special guidance on the forums.
I know this doesn't look all that great but CS popularity grew way faster than the team could have ever imagined and thus greatly depended on community folks like me to help them write up guides and stuff.
The problem with this is that community folks doesn't get paid for the work they do so they can only work in their free time. This results in guides not getting updated as regularly as it might be necessary in times of great changes to the configs.

On behalf of the CryptoStorm staff and community contributers I want to apologize for the current situation.
We all know about the current shortcomings and I promise you that behind the curtains people are working their ass off day and night for getting things straight again.

Then again the most important aspects of a VPN never got neglected even once in the past and never will be neglected in future!
This is namely the AVAILABILITY and SECURITY of the transport encryption and exit nodes.
A lot of time goes into maintaining these aspects 24/7 and it's one of the reasons why running CryptoStorm causes way more workload for the team than any other VPN-"Service" out there does.
There are lots of threads here on the forum that go into detail what makes CryptoStorm stand out from the others simply security wise.

I hope everybody also sees this side of the matter and understands though the forum might be a big mess right now using CryptoStorm is the right thing to do.
Also the people I know currently using CryptoStorm are very happy with their experience because of fast speeds, great connectivity and low ping times.

~DesuStrike
home is where the artillery hits

User avatar

Jarmer
Posts: 15
Joined: Sat Aug 17, 2013 9:10 pm

Re: HOWTO: openvpn for android cryptostorm

Postby Jarmer » Tue Mar 18, 2014 8:25 pm

Thanks for the details Desu. I completely agree that using CS is the right thing to do and I absolutely love the dedication, speed, and stability when I'm using it on my linux laptop. I use it all the time, and love the service, you guys are awesome! I also know that things can be super busy, so I'm not complaining at all, just maybe some constructive feedback :)

RE this android thing: I don't think we need a fancy picture guide at all, I just think there should be a dedicated sticky or knowledgebase article or something similar that would have a simple guide with updated resources and notes, etc... on how to connect, stay connected, and notes on common issues - and this would always be updated with the most recent details. There's a LOT of info related to android and mobile vpn stuff around here that's confusing. For instance, there's mention of using older conf's, there's specific android only clusters in operation, certain configs need editing, etc... This just leads me to not even try to connect because I'm not even sure where to begin.

I know you guys are super busy, and I sincerely appreciate all the hard work and support, and fast responses on here as well. I will just wait to connect on android for two things:

- the new cluster pricing is released so I can get a second token at a discount instead of buying two full price tokens
- there's a more clear and simple guide on how to connect on android

Again, thanks Desu!

User avatar

acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: openvpn for android cryptostorm

Postby acid1c » Wed Mar 19, 2014 1:28 am

As for android only clusters, Ive had no problems connecting on montreal, germany, and iceland. and while seperate tokens are great to have, and essential for privacy purposes, 1 token does indeed work on multiple devices, I do have a leakblock for android thread, but for some reason i dont have edit perms anymore. :(
Bitmessage me with Questions, Help, or ChitChat :) - BM-2cV5BzWc9P7vufQREE8Be4U64GBgRJ3GnT
" Those who do not move, do not notice their chains." -Rosa Luxemburg

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: openvpn for android cryptostorm

Postby DesuStrike » Wed Mar 19, 2014 5:54 pm

Sorry acid1c but I can't make you a thread moderator/maintainer (anymore?!).

This is something to add to the list of shortcomings I posted but I refrained from doing so because it sounds like I just want to get more moderation rights.

But to be honest I do lack the required moderation/admin powers to manage this forum sufficiently. Especially when PJ and staff are busy... *sigh*
home is where the artillery hits

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: openvpn for android cryptostorm

Postby Graze » Fri Mar 21, 2014 6:18 am

acid1c wrote:As for android only clusters, Ive had no problems connecting on montreal, germany, and iceland. and while seperate tokens are great to have, and essential for privacy purposes, 1 token does indeed work on multiple devices, I do have a leakblock for android thread, but for some reason i dont have edit perms anymore. :(


On the general forum issue stuff, we had issues with the PHP in the forum when we were playing with the skins a few weeks ago. Somehow we corrupted the thing - but just enough so that it was stumbling on, sort of. We have it stable now, but me and another dev did so by chaining our way through errors "oh, now the forum is complaining that it cannot find the blah.php file, so let's just copy that over from the standard theme directory", etc.) side effects seem to be:

1) Some of the more obscure functions are not working 100% correctly. For example, when we switched our BitMessage address over, I went to PJ's signature to change it there, and the admin function that allows you to edit signatures with a cool WYSIWYG editor totally corrupted it, and did not allow me to get it back until I logged into MySQL and changed it there. So ... I'm scared to change anything! :P
2) Some mostly benign issues remain, such as some of the moderation functions (these didn't throw as many errors so we may not have fixed them all) - so if you see any issues, send a note to support@cryptocloud.is and one of us will be lucky enough to have it sent to our attention, and we'll roll our eyes and roll up our sleeves. ;)

Thanks again for the support!
G
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

marzametal
Posts: 498
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: openvpn for android cryptostorm

Postby marzametal » Wed Mar 26, 2014 6:30 am

acid1c wrote:As for android only clusters, Ive had no problems connecting on montreal, germany, and iceland.


What address would I enter for the USA exit-node?
I just managed to root my Samsung Galaxy S2 with JellyBean 4.1.2... firing myself up to give this a shot!

EDIT:
I might be confusing this...

Code: Select all

Server Address: 70.38.46.226
Server Port: 443

with an exit-node cluster...

User avatar

marzametal
Posts: 498
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: openvpn for android cryptostorm

Postby marzametal » Wed Mar 26, 2014 7:57 am

Damn, got the "AUTH: Received control message: AUTH_FAILED"...

Maybe it doesn't go well with 4.1.2?
I followed the instructions to the letter, but am wondering at step "Now, right under that option is Client Certificate. This is where we go off and find that ca.crt file that we saved to our phone somewhere. Let's go get it!"... you asked to fetch the ca.crt file, which I did... do I need the other ones too? Your screenshot has all the files that the widget user folder has...

...last handful of entries...

Code: Select all

Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]70.38.46.226:443
MANAGEMENT: >STATE:1395804347,GET_CONFIG,,,
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
AUTH: Received control message: AUTH_FAILED
TCP_UDP: Closing socket


EDIT:
I remember reading somewhere that it's one token per device?

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: openvpn for android cryptostorm

Postby Graze » Wed Mar 26, 2014 9:19 pm

Hmmm. I have CyanogenMod 4.2.2 - And have not tried a VPN install for a long while (I have re-imaged my phone many times since the original posts in here) maybe it's time to give it another shot and see how it works out?

If you get AUTH_FAILED, the client has a cool feature to get a copy of the logs - you could email those to support@cryptostorm.is they might be able to figure out if it's a bad token or whatever.

EDIT TO ADD: Once we prove this install out - and the versions it works with - it makes sense for us to make the EASY version of this post into a static page on our website, instead of these wonderful discussions and debug sessions here.
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: openvpn for android cryptostorm

Postby Graze » Wed Mar 26, 2014 10:12 pm

Jarmer wrote:are there any plans for an android app by the cryptostorm team?

also, all these instructions are quite dated now aren't they? is there any post or place where we can get a pretty simple and easy to follow "here's how to connect on android " ...?

otherwise thanks so much for all the instructions.


One of our devs did a branch of the older OpenVPN app for another VPN company. So there's tech savvy in house to make a "just type in your token" version. However, we still are finishing up the Window's widget and the Apple people are being vocal about how they don't have a widget... So hopefully soon is the best we can say on this. :P
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: openvpn for android cryptostorm

Postby acid1c » Wed Mar 26, 2014 11:22 pm

These instructions are still relatively useful accept a few kinks have been worked out since. :)
I have a leakblock for android post in the leakblock subforum, with talks about using fdroid for means to download a firewall, the openvpn for android app, Firefox and others. I will gladly start an updated android post if need be, :)
Bitmessage me with Questions, Help, or ChitChat :) - BM-2cV5BzWc9P7vufQREE8Be4U64GBgRJ3GnT
" Those who do not move, do not notice their chains." -Rosa Luxemburg

User avatar

marzametal
Posts: 498
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: openvpn for android cryptostorm

Postby marzametal » Thu Mar 27, 2014 3:57 am

BLAH! Got it to work... stupid extra keystroke when I copied the token over... damn copy and paste! Phew!

In regards to:
"It assumes you hardcode in an exitnode (in this case, our Montreal IP, as it's the only one we've released publicly from our alpha testing at this time)"

What hardcoded server address would I use for the USA exitnode?

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: openvpn for android cryptostorm

Postby Graze » Fri Mar 28, 2014 4:13 am

acid1c wrote:These instructions are still relatively useful accept a few kinks have been worked out since. :)
I have a leakblock for android post in the leakblock subforum, with talks about using fdroid for means to download a firewall, the openvpn for android app, Firefox and others. I will gladly start an updated android post if need be, :)



Tealc already did, here: Feel free to add to that one, and I'll let this one stumble off into the distance. I linked to it in the first post here, and marked this thread deprecated.

Thanks again, all!!
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

Topic Author
Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Re: HOWTO: openvpn for android cryptostorm (deprecated)

Postby Graze » Fri Mar 28, 2014 4:15 am

I am going to lock and (eventually) retire this thread, because ...

Tealc started another one that is less confusing here.

Thanks to everyone who worked on this!
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)


Return to “cryptostorm in-depth: announcements, how it works, what it is”

Who is online

Users browsing this forum: No registered users and 4 guests

Login