Come on guys, get your shit together


Topic Author
Cryptohenk
Posts: 5
Joined: Sat Jan 27, 2018 6:24 pm

Come on guys, get your shit together

Postby Cryptohenk » Sat Jan 27, 2018 7:15 pm

I was looking to use a VPN service and you guys definitely seem the coolest: knowledgeable on the tech, open source, nice philosophy, no bullshit. So I researched a little more. (Spink stuff is funny)

But everything is just such a convoluted mess:

- Resellers list is only a subforum
- resellers.cryptostorm.org just redirects to subforum, and gives invalid https certificate error
- Resellers that don't exist are still sticky in the list
- subdomains for individual resellers don't work, give https certificate error
- are there any resellers left?
- You said in TorrentFreak answers that you don't have a corporate entity, but if not then how does the money flow? How are people in on the project getting paid? Are there contracts? Is it based purely on trust? How do you report it to taxes? Who do we pay to? Just a private person who then distributes it on?
- Other links on frontpage cryptostorm.org also don't work, like http://bootstrap.cryptostorm.org/ which is supposed to link to info about the company being a "decentralised organisation [with] roots in Iceland[,] branches worldwide, (most) financials via Québec proudly independent & private". It just links to the forum, also with https error.
- Frontpage talks about warranty canaries, but there's no link and I didn't find any using google either, where are they to be found? Or are they not there any more? And what does it mean if they're not?
- No clear guide how to install for each platform... you're just linking some guide posted 3 years ago by an anonymous guy with a request for feedback on it... if the guide is good, consider just offering it as a good guide, if it's not good, improve on it, or write something yourself (or if it's too much work to provide these, just tell people to google or link to some general openvpn guide that works for you)
- in header of forum there's a link to "big things happening" but it links to a thread from 2016, that doesn't make clear what the status of the project is at all "is in process of being integrated" (unless reading many pages with blabla first i guess)...
- There's this thread stuck everywhere on the forum for 'praise to the team', but it's from 2015, and still only has 11 replies, most of which are not even praise, just weird. Look, it was a nice idea, but it's not working, so remove it, this is creepy.
- Although Pattern_Juggled's rants on the more philosophical aspects of things are interesting, some of the more practical questions people have just need a short, concrete answer, at a place easy to find.

Come on, you guys have promise, having the tech know-how and the principles are most important for a VPN but this sucks. You guys badly need a mod/PR person/website maintainer if you want this operation to go anywhere. How many customers do you think you are missing this way? And the more customers use your servers the harder it is to identify them.


Topic Author
Cryptohenk
Posts: 5
Joined: Sat Jan 27, 2018 6:24 pm

Re: Come on guys, get your shit together

Postby Cryptohenk » Sat Jan 27, 2018 7:24 pm

And yeah I did read the rant about how a VPN provider should be gritty ( viewtopic.php?f=47&t=7007 ) and I agree. But this is not that, this just suggests a total lack of care in informing your users and potential users and makes you wonder how much you do care about the more fundamental aspects of keeping your users secure.


Topic Author
Cryptohenk
Posts: 5
Joined: Sat Jan 27, 2018 6:24 pm

Re: Come on guys, get your shit together

Postby Cryptohenk » Sat Jan 27, 2018 7:34 pm

and make a choice: you can have a badly maintained forum that you don't look at ever, just so other people can discuss you, but then don't do user support in it and don't link it from the frontpage as a resource for things that people need to know.


Topic Author
Cryptohenk
Posts: 5
Joined: Sat Jan 27, 2018 6:24 pm

Re: Come on guys, get your shit together

Postby Cryptohenk » Mon Feb 12, 2018 3:20 pm

Ok, seems this company is more or less dead, with only the servers still running? Weird though.

parityboy
Site Admin
Posts: 1244
Joined: Wed Feb 05, 2014 3:47 am

Re: Come on guys, get your shit together

Postby parityboy » Mon Feb 12, 2018 3:34 pm

@OP

CS is still very much alive. :D You make some good points regarding the forum, hopefully these will be addressed in fairly short order. :)

df
Site Admin
Posts: 371
Joined: Thu Jan 01, 1970 5:00 am

Re: Come on guys, get your shit together

Postby df » Mon Feb 19, 2018 9:16 am

Resellers list is only a subforum

Yea, that's so anyone can become a reseller if they want, and post about it there.

resellers.cryptostorm.org just redirects to subforum, and gives invalid https certificate error

That's a leftover mistake from our former staff member, PJ. He thought subdomains looked "neat", so used them for everything, even whenever a subdir would have been better. I warned him that when HTTPS was up, it was going to cause problems later if we didn't buy a wildcard SSL cert for *.cryptostorm.org, but he kept doing it anyways.
As a result, there's still old subdomains littered all over the forum.
I've tried to fix most of them by replacing them with correct subdir redirections, so resellers.cryptostorm.org would change to https://cryptostorm.org/resellers/ etc., but there's so many on the forum that I'm sure I've missed some.
I just updated the main cryptostorm.is page so that it links to the correct subdir instead of the subdomain that it was pointing to.

Resellers that don't exist are still sticky in the list

Removed the sticky bits for those threads.

subdomains for individual resellers don't work, give https certificate error

See above.

are there any resellers left?

AFAIK, the only one that's active is https://okaruto.space/

You said in TorrentFreak answers that you don't have a corporate entity, but if not then how does the money flow? How are people in on the project getting paid? Are there contracts? Is it based purely on trust? How do you report it to taxes? Who do we pay to? Just a private person who then distributes it on?

There are several entities that make up CS, registered in different regions. We mostly keep these as hidden as possible to make it more difficult for anyone looking to subpoena CS. Finances are also done in a distributed manner, with no one bank account or bitcoin wallet storing everything. This is so if an entity (NSA, CIA, FBI, Mafia, whoever) is looking to pressure us by confiscating our funds, we just drop that account and carry on with the rest (and possibly replace that compromised one with a different account).
As far as taxes go, we choose regions and entity types that only require a flat annual rate.

Other links on frontpage cryptostorm.org also don't work, like http://bootstrap.cryptostorm.org/ which is supposed to link to info about the company being a "decentralised organisation [with] roots in Iceland[,] branches worldwide, (most) financials via Québec proudly independent & private". It just links to the forum, also with https error.

See above regarding the subdomain SSL errors. cryptostorm.is (which is the one I'm assuming you meant) has been updated with the correct links.

Frontpage talks about warranty canaries, but there's no link and I didn't find any using google either, where are they to be found? Or are they not there any more? And what does it mean if they're not?

Oops. The warrant canary is at https://cryptostorm.is/canary.txt , but I forgot to link it on the main page.
Front page has been updated with a link to it.

No clear guide how to install for each platform... you're just linking some guide posted 3 years ago by an anonymous guy with a request for feedback on it... if the guide is good, consider just offering it as a good guide, if it's not good, improve on it, or write something yourself (or if it's too much work to provide these, just tell people to google or link to some general openvpn guide that works for you)

This is something on our to-do list. I'd like to be able to provide tutorials for all the popular platforms, without requiring a visit to the messy forums. I was thinking of doing something like a wiki page for that.

in header of forum there's a link to "big things happening" but it links to a thread from 2016, that doesn't make clear what the status of the project is at all "is in process of being integrated" (unless reading many pages with blabla first i guess)...

The forum doesn't get updated often, so that thread doesn't reflect current features being worked on.
As of now, the next feature that will be added shortly is OpenVPN instances using EC certs and very strong crypto. The crypto currently in use is plenty strong, but it's not the latest/greatest because a lot of our customers are connecting to CS on embedded devices that are often difficult to upgrade OpenVPN on. The latest OpenVPN 2.4.x is required to use these newer algorithms.
For that reason, I was thinking of keeping everything as it is for those customers, but also adding extra instances to all the IPs and have them use a random port range on that VPN IP that'll forward to the new instance. That way, people wanting to connect using bleeding-edge/experimental crypto can do so by connecting to a range of ports (12500-12600, for example).
That'll also allow us to add new obfuscation features without having to buy extra IPs for all the servers.
Obfuscation that I've been looking into adding would be things like https://github.com/kevinxucs/udpmask or scramblesuit.

There's this thread stuck everywhere on the forum for 'praise to the team', but it's from 2015, and still only has 11 replies, most of which are not even praise, just weird. Look, it was a nice idea, but it's not working, so remove it, this is creepy.

Yea, that is pretty creepy. Thread removed.

Although Pattern_Juggled's rants on the more philosophical aspects of things are interesting, some of the more practical questions people have just need a short, concrete answer, at a place easy to find.

Even though he's no longer with the project, his posts do sometimes bring in people interested in whatever topic he's ranting about. So we probably shouldn't outright delete his posts.
Once we finally get a wiki up with tutorials on connecting on different platforms, it should make things easier for people looking for simple questions.
Maybe throwing up a FAQ wouldn't be a bad idea too, so people don't have to wander around the forum looking for answers.

Come on, you guys have promise, having the tech know-how and the principles are most important for a VPN but this sucks. You guys badly need a mod/PR person/website maintainer if you want this operation to go anywhere. How many customers do you think you are missing this way? And the more customers use your servers the harder it is to identify them.

PR has always been at the bottom of our to-do list. I'm sure it has repelled some potential customers, but at the same time it's attracted some who were relieved that we weren't focusing all of our energy on marketing. Instead, most of our energy is focused on keeping the network running as smoothly and strongly as possible. Some people prefer that we're doing that instead of worrying about what our Alexa rank is.


Topic Author
Cryptohenk
Posts: 5
Joined: Sat Jan 27, 2018 6:24 pm

Re: Come on guys, get your shit together

Postby Cryptohenk » Fri Mar 16, 2018 9:20 pm

I didn't expect a reply any more and I think it's pretty cool that you're still kicking & are fixing a lot of stuff!

Still I want to emphasise that providing links to correct places, having up-to-date info & guides for (potential) customers is still far away from being slick PR stuff, it's just basic decency of providing ppl with the knowledge they need to make decisions :)

Also I can see you not wanting to spend too much time updating the website/forum, but then just remove sections with info that's supposed to be 'the latest', so it doesn't look outdated if you don't update for a year :P

Also I didn't mean to suggest to delete PJ's posts, like I said, they're pretty cool, but it's not an OR choice, so yeah, also a short practical FAQ would be good. Wiki also seems a good idea so users can take off some of the load.

df
Site Admin
Posts: 371
Joined: Thu Jan 01, 1970 5:00 am

Re: Come on guys, get your shit together

Postby df » Wed Jul 04, 2018 3:43 pm

The main page has been updated again with some new info, and (I think) most importantly, https://cryptostorm.is/#section6 has been updated to include dedicated tutorial pages for most systems.
This way, people who are just trying to connect to cryptostorm don't have to navigate through this messy forum.
Plus, the tutorial pages are just basic HTML pages without all the JS/etc. that the main site has, so less overhead for anyone. Also includes screenshots for most systems to help the newbies navigate through the techie stuff.

Probably the next thing I'll add to the main site is a FAQ, since we do get asked some of the same questions pretty often, and it unnecessarily adds to our workload when we have to respond, when we could instead point them to the FAQ (if the issue is covered there).


patrickjburt
Posts: 4
Joined: Fri Jul 13, 2018 3:40 pm

Re: Come on guys, get your shit together

Postby patrickjburt » Fri Jul 13, 2018 3:56 pm

I use PureVPN Fast VPN service to keep my ISP from selling my data. I have no idea if my VPN is selling my data. I don't know if my browsing history is valuable in another country, so I trust the VPN over my ISP.

Huge WiFi hack, half the world has censored internet and you ask if VPNs are useful..

Just read out a review on PureVPN Review. Very insightful and worth reading. Hope you will like it too.

df
Site Admin
Posts: 371
Joined: Thu Jan 01, 1970 5:00 am

Re: Come on guys, get your shit together

Postby df » Fri Jul 13, 2018 4:40 pm

@patrickjburt
That seems to be the way things are going, people trust a VPN provider more than their ISP.

Personally, I wouldn't choose PureVPN if I were to go with a non-cryptostorm VPN.
Any VPN that supports PPTP clearly doesn't care about security - https://en.wikipedia.org/wiki/Point-to- ... l#Security
Plus, their OpenVPN config appears to be pretty standard:


client
dev tun
proto udp
remote usphx-ovpn-udp.pointtoserver.com 53
persist-key
persist-tun
ca ca.crt
tls-auth Wdc.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
auth-user-pass
auth-retry interact
explicit-exit-notify 2
ifconfig-nowarn
auth-nocache


Because they're not specifying --auth, it will default to the weaker SHA1.
Without specifying --tls-cipher, it will default to whatever the default is for OpenSSL that matches "DEFAULT:!EXP:!LOW:!MEDIUM:!PSK:!SRP:!kRSA".
That means that on some client systems with older versions of OpenSSL, their VPN session's encryption might be downgraded quite a bit, and even if they were using a newer OpenSSL a remote downgrade attack would still be possible since PureVPN isn't specifying the tls-cipher accepted.
They're also using SHA1 as a signature algorithm for their included CA certificate.

Cryptostorm's older instances use a CA with SHA256 for the signature algorithm.
The older instances use --cipher AES-256-CBC too, but we also specify --auth SHA512 for added strength, and --tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA to prevent downgrade attacks.
On our newer ECC instances, we're using --cipher AES-256-GCM and --tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, as well as --tls-version-min 1.2 and --tls-version-max 1.2 to prevent attacks against other TLS versions.
The CA certificate used in the ECC instances also uses elliptic curve cryptography, which generally performs better than traditional RSA certificates, yet it provides more strength.
The signature algorithm for the CA is ecdsa-with-SHA512.
We're also using --tls-crypt to add an additional layer of encryption on top of everything, instead of the outdated --tls-auth that PureVPN is still using.
See the comments in https://github.com/cryptostorm/cryptost ... r_udp.ovpn for more info.

EDIT:
That review site you linked to, http://www.usavpn.com, is clearly sponsored content.
At least they're somewhat honest about it, near the bottom of the page:

Earnings disclosure: We are affiliated with some of the VPN services listed on this site. This helps us to cover the expenses of testing few VPN providers.


Since PureVPN doesn't really offer anything different than its competitors, my guess is that they are one of those "affiliates".

ANOTHER EDIT:
heh, I just noticed something else odd in their configs.
In their linux-files.zip from https://support.purevpn.com/openvpn-files , there's all of their TCP/UDP linux configs, but in the UDP folder there's also a "test-udp.ovpn" file.
There's no corresponding "test-tcp.ovpn" file in the TCP folder, so I'm guessing someone forgot to delete "test-udp.ovpn".
The host used in test-udp.ovpn is "vlus-au1-ovpn-udp.ivacy.net".
In another random file, PureVPN uses the host "vlap-ustx1-ovpn-udp.pointtoserver.com".

That means either ivacy.net is PureVPN (or at least partners with them), or that PureVPN simply stole the client configuration files (and hostname format) from ivacy.net to use on their own network :lol:

Also, usavpn.com has Ivacy in the #3 spot, which further suggests that ivacy.net is PureVPN.

At https://www.ivacy.com/kodi-addon/servic ... -1.3.2.zip inside service.ivacy.monitor/Ivacy/ta.key is the exact same file as PureVPN's Wdc.key from linux-files.zip.
The hostnames used for OpenVPN in service.ivacy.monitor-1.3.2.zip in service.ivacy.monitor/Ivacy/LOCATIONS.txt all point to the domain "pointtoserver.com", which is what PureVPN uses.
So PureVPN = Ivacy.
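
As an added illustration of the hardening points df makes in the post above (example code added here, not cryptostorm's or PureVPN's own), the following Python script lints an OpenVPN client config for the five gaps named there: no --auth (so the HMAC digest defaults to SHA1), no --tls-cipher, no --tls-version-min, a CBC data cipher instead of AES-256-GCM, and --tls-auth instead of --tls-crypt. It embeds an abridged copy of the PureVPN config quoted above and a constructed hardened config built from the directives df lists; the hostname vpn.example.invalid and the key file name in the hardened sample are placeholders, not real cryptostorm values.

```python
"""Lint an OpenVPN client config for the control/data channel weaknesses
discussed in the thread. Stand-alone example; no network access needed."""
from typing import Dict, List

# Constructed sample: abridged copy of the PureVPN-style config quoted above.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote usphx-ovpn-udp.pointtoserver.com 53
persist-key
persist-tun
ca ca.crt
tls-auth Wdc.key 1
cipher AES-256-CBC
comp-lzo
verb 1
auth-user-pass
"""

# Constructed sample: a hardened client config using the directives df names
# for the ECC instances. Hostname and key file name are placeholders.
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
persist-key
persist-tun
ca ca.crt
tls-crypt tls-crypt.key
cipher AES-256-GCM
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
tls-version-max 1.2
verb 1
auth-user-pass
"""


def parse_ovpn(text: str) -> Dict[str, List[str]]:
    """Map each directive name to its argument list.

    Comments (# or ;) and blank lines are skipped, and the bodies of inline
    <ca>...</ca>, <tls-crypt>...</tls-crypt> etc. blocks are ignored so that
    base64 lines are not mistaken for directives. A later duplicate overwrites
    an earlier one, which is enough for a presence/absence check.
    """
    directives: Dict[str, List[str]] = {}
    inside_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):          # end of an inline key/cert block
            inside_block = False
            continue
        if line.startswith("<"):           # start of an inline key/cert block
            inside_block = True
            continue
        if inside_block:
            continue
        name, *args = line.split()
        directives[name.lstrip("-")] = args   # accept "--auth" as well as "auth"
    return directives


def lint_ovpn(text: str) -> List[str]:
    """Return one finding per weakness, in a fixed order; [] means clean."""
    d = parse_ovpn(text)
    findings: List[str] = []
    if "auth" not in d:
        findings.append("no --auth: HMAC digest defaults to SHA1")
    if "tls-cipher" not in d:
        findings.append("no --tls-cipher: control channel accepts the OpenSSL "
                        "default list, so a downgrade is possible")
    if "tls-version-min" not in d:
        findings.append("no --tls-version-min: older TLS versions allowed")
    cipher = (d.get("cipher") or [""])[0].upper()
    if cipher.endswith("-CBC"):
        findings.append(f"--cipher {cipher}: CBC mode; prefer AES-256-GCM")
    if "tls-auth" in d and "tls-crypt" not in d:
        findings.append("--tls-auth only authenticates the control channel; "
                        "--tls-crypt also encrypts it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in lint_ovpn(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it as-is to compare the two embedded samples, or replace the string constants with the contents of any .ovpn file. The checker only looks at the client-side directives; df's point about the CA certificate's signature algorithm (SHA1 vs ecdsa-with-SHA512) needs the certificate itself and is not covered here.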

