HOWTO: cryptostorm on Android non-root | cryptostorm.org/android

[Guest]

I have no problems at all on Cyanogenmod (all versions up to the current nightlies)

[parityboy]

@thread

Just tested this on a Google Nexus 4 running 5.1.1 (LMY48T), works fine connected to Cantus, Onyx and Turing.

[Tealc]

This is really strange, I'm at 5.1.1 stock Sony android and it doesn't work.

Are we seeing once again the problem in non-root and rooted?

[Tealc]

So once again an update... it works everywhere once again, download new conf's files from github

[furryguest]

First time trying and I get an error on import :
no endtag <//button> for starttag </button> found
Nexus 6p on mm

[wpaschukat]

Mr Tealc Sir,

works like a charm. Mille Gracie.

[Tealc]

First time trying and I get an error on import :
no endtag <//button> for starttag </button> found
Nexus 6p on mm

Are you using "OpenVPN for Android 0.6.47" application from Arne Schwabe ?

[wpaschukat]

First time trying and I get an error on import :
no endtag <//button> for starttag </button> found
Nexus 6p on mm

You're making the same mistake that I made (downloading the conf files directly from within github).

Download the lot directly https://github.com/tealcavalon/OpenVPN_ ... master.zip and extract the necessary confs from there.

[Guest]

First time trying and I get an error on import :
no endtag <//button> for starttag </button> found
Nexus 6p on mm

You're making the same mistake that I made (downloading the conf files directly from within github).

Download the lot directly https://github.com/tealcavalon/OpenVPN_ ... master.zip and extract the necessary confs from there.

Aha. Thanks, this worked !!

[JTD121]

Ah, great. I recently upgraded my Nexus 5 to 5.1.1 (CM12.1), and haven't tested connection to CS yet. In a couple weeks I will probably be using CS connection heavily (at a con) so hopefully this will be a non-issue by then :p

[marzametal]

Thanks for the work put to the Android confs... much appreciated Sir!

[dfkt]

Made some fresh configs with the currently available nodes - https://github.com/dfkt/cryptostorm-and ... pn-configs

They include remote-random, which seems to work just fine with the current version of Arne Schwabe's client.

[marzametal]

Made some fresh configs with the currently available nodes - https://github.com/dfkt/cryptostorm-and ... pn-configs

They include remote-random, which seems to work just fine with the current version of Arne Schwabe's client.

Just when I was looking to update mobile configs, I notice this. Thanks!

[ipv6problem]

I have a problem with IPV6. Is there any way to block IPV6 connections on a non-rooted device? whatsmyipaddress.com sees my device IPV6 address and locates me precisely.

I know that cyrptostorm does not handle IPV6 addresses and that is not a problem on a PC, but on android this is an issue.

I just tried VyprVPN with whatsmyipaddress.com and it only showed my IPV4 address and the VPN assigned IP address.

How can I block IPV6 connections using OpenVPN/cyptostorm?

[ipv6problem]

How do I disable IPv6? OpenVPN leaks my IPv6, or at least the config files do. My phone is not rooted so I am relying on the VPN client to deal with this. Can OpenVPN do this?

[ipv6problem]

Sorry about the double post before. I missed the moderation message before the page refreshed.

I wanted to add that I solved the IPv6 problem by doing the following workaround. I do not know if this works in all cases, but I tested it with www.ipv6leak.com and it reported that IPv6 is not leaking.

In OpenVPN under "Routing" tab, untick "Bypass VPN for local networks"

Under IPv6, untick "Use default Route" and enter a bogus local route under "Custom Routes".

This sends all IPv6 routing requests nowhere...

[Winehouse]

Hi.

Where can I find the .conf files for Android? I don't see them on Github.

Thanks.

[marzametal]

Hi.

Where can I find the .conf files for Android? I don't see them on Github.

Thanks.

https://github.com/cryptostorm/cryptost ... tion_files
The conf files you are looking for are located in the LINUX directory...

[kakoulo]

Hi, For me it does not work anymore, I change smartphone

I installed open vpn, but when i want to import a config he says :

" No endtag <//head> for startag </head> found "

Do you have a solution ?

thanks

[marzametal]

Hi, For me it does not work anymore, I change smartphone

I installed open vpn, but when i want to import a config he says :

" No endtag <//head> for startag </head> found "

Do you have a solution ?

thanks

CS on my Samsung Galaxy S2, running LineageOS 14.1, build date 08/01 is working fine. But I use OpenVPN for Android by Arne Schwabe.

I just had a look at my .conf / .ovpn file, and I couldn't find any head tags in it.

[parityboy]

Hi, For me it does not work anymore, I change smartphone

I installed open vpn, but when i want to import a config he says :

" No endtag <//head> for startag </head> found "

Do you have a solution ?

thanks

Sounds like you downloaded the config from GitHub. Left click on the config file, then click "raw". Save that into a config file, and then import it.

[user name]

Android 7.1.1 on Pixel
OpenVPN for Android 0.6.65, have working vpn configs

Tried linux and android ovpn files (raw) from github and android tutorials, which are linked in the token email.

Issue: nothing is being imported fromt the ovpn file. No server list, no certs, nothing. Import log says: your config had a few options that are not mapped to UI configurations.

How do I get it going on android?

[parityboy]

Android 7.1.1 on Pixel
OpenVPN for Android 0.6.65, have working vpn configs

Tried linux and android ovpn files (raw) from github and android tutorials, which are linked in the token email.

Issue: nothing is being imported fromt the ovpn file. No server list, no certs, nothing. Import log says: your config had a few options that are not mapped to UI configurations.

How do I get it going on android?

Have you tried these very same config files on a previous version of Android? Did they work? Did you have to edit them in any way?

[user name]

Have you tried these very same config files on a previous version of Android? Did they work? Did you have to edit them in any way?

I don't have access to older Android versions. But I do have other VPN servers set up and running on my current 7.1.1 phone.

[user name]

It is very disappoining to see such slow support response here. Days between me sending a post and it appearing, forget about getting an answer. My 1 week test token is about to expire, still no working android config.

[parityboy]

@user name

Does the config file have multiple <remote></remote> tags? If so, could you try removing the tags?

For example:

Code: Select all

# this is the cryptostorm.is client settings file, versioning...
# cstorm_linux-rome_1-4.conf
# last update date: 12 January 2014

# it is intended to provide connection solely to our London-based exitnode cluster... yay bad food! ;-)
# DNS resolver redundancy provided by TLD-striped, randomised lookup queries
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also... FuckTheNSA - for reals. W00d!


client
dev tun
resolv-retry 16
nobind
persist-tun
persist-key
float


remote-random
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks


# Exit node mappings for Rome
remote linux-rome.cryptostorm.net 443 udp
remote linux-rome.cryptostorm.org 443 udp
remote linux-rome.cryptostorm.nu 443 udp
remote linux-rome.cstorm.pw 443 udp



comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - https://cryptostorm.org/viewtopic.php?f=38&t=5981

down-pre
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage

allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration

explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions

hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400
# congruent with server-side --fragment directive

auth-user-pass
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet

# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.

ca ca2.crt
# specification & location of server-verification PKI materials
# for details, see http://pki.cryptostorm.org

<ca>
-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
+vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
X03mQP3ssBs2YRNR5hR5cMdC
-----END CERTIFICATE-----
</ca>

ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.

auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.org

tls-client
key-method 2
# specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap

log devnull.txt
verb 0
mute 1
# sets logging verbosity client-side, by default, to zero
# no logs kept locally of connections - this can be changed...
# if you'd like to see more details of connection initiation & negotiation