Network timeouts periodically

Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Network timeouts periodically

Postby touche112 » Tue Oct 07, 2014 7:29 pm

Howdy guys

I just started with CryptoStorm yesterday, and I'm impressed so far. Except for one thing - I'm timing out periodically.

It's weird, I'll be getting pretty good speeds and latency with US servers (Chili is fastest for me), and then after about 20 minutes of use, I get absolutely no response from any protocol. Even pings and DNS requests don't go through. I simply have to disconnect and reconnect, and everything is fine again.

Any suggestions? I'm using the latest version of the proprietary widget on Windows 8.

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Network timeouts periodically

Postby Fermi » Tue Oct 07, 2014 8:13 pm

touche112,

Are you connected with multiple devices @ the same time, using the same token?
(you can only be connected using the same tokens once ...)
If so the 20 minutes begins to sound very familiar to me. If not, we have to continue looking. Any logs?
After 20 minutes there's a key renegotiation, if @ this moment the end-node address cannot be resolved anymore, you'll get the same issue.
If this is the case there's an issue with your DNS behaviour.

Regards,

/Fermi

parityboy
ForumHelper
Posts: 905
Joined: Wed Feb 05, 2014 3:47 am

Re: Network timeouts periodically

Postby parityboy » Tue Oct 07, 2014 10:13 pm

@Fermi

If the OP is able to disconnect and then reconnect, then his DNS is obviously fine (especially since the widget no doubt uses the FQDNs of the exit nodes as opposed to the IP addresses). That 20 minute hiccup does indeed sound familiar...


Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Re: Network timeouts periodically

Postby touche112 » Tue Oct 07, 2014 10:19 pm

I am only using one device with this access token.

DNS isn't the problem, because when it times out, I can't ping plain IPs either - the entire route is down. Next time it happens, I'll post results of a tracert.

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Network timeouts periodically

Postby Fermi » Tue Oct 07, 2014 10:39 pm

parityboy wrote:@Fermi

If the OP is able to disconnect and then reconnect, then his DNS is obviously fine (especially since the widget no doubt uses the FQDNs of the exit nodes as opposed to the IP addresses).


@parityboy,

I experienced this a couple of times connecting to a raw instance.
During re neg, the FQDN of the end-node cannot be resolved, and this is also indicated as such in the openvpn log file. Once in that stage, the connection is in a state like touche112 describes (also no plain ping to IPs possible).
Of course here we have the cause and effect discussion; does the connection drop to an undefined state due to the openvpn process not being able to resolve the FQDN during re neg, or ... .

Reconnecting solves the issue.

I haven't looked more profoundly into this issue as the frequency is rather marginal.

Regards,

/Fermi


Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Re: Network timeouts periodically

Postby touche112 » Wed Oct 08, 2014 12:39 am

Pardon my technical incompetence on the subject, but where are logs stored? I'm new to OpenVPN.

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Network timeouts periodically

Postby Fermi » Wed Oct 08, 2014 2:21 am

touche112 wrote:Pardon my technical incompetence on the subject, but where are logs stored? I'm new to OpenVPN.


touche112,

I don't use the widget because I use a Linux environment. I quickly installed the widget in a VM on W7. A quick scan doesn't show me evidence of a log being stored. But if you maximize the CS client, there's a black portion with a terminal look. In there you should see text scrolling by when the client is connecting.
If you experience the issue, you can select that text with your mouse, CTRL-C it, and paste it into this forum.

Hope this helps,

Regards,

/Fermi


Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Re: Network timeouts periodically

Postby touche112 » Wed Oct 08, 2014 3:04 am

Just checked - no logs found. No report of anything past when I initially connected in the widget.

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Network timeouts periodically

Postby Fermi » Wed Oct 08, 2014 3:15 am

touche112 wrote:Just checked - no logs found. No report of anything past when I initially connected in the widget.


Strange, wasn't able to check the widget on W8, but I included a screenshot of my maximized widget. The text appearing in the black part, is the actual logging.

/Fermi

Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Re: Network timeouts periodically

Postby touche112 » Wed Oct 08, 2014 4:02 am

My bad, yes, I have those logs. But past the log of the initial connection, there's nothing further that it reports.


Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Re: Network timeouts periodically

Postby touche112 » Wed Oct 08, 2014 4:30 am

Any reason why browsing speeds are fine, but torrent speeds are slow? I'm seeing 1-2MBps HTTP downloads, but only 100-200kBps torrent downloads.

marzametal
Posts: 487
Joined: Mon Aug 05, 2013 11:39 am

Re: Network timeouts periodically

Postby marzametal » Wed Oct 08, 2014 6:28 am

This VPN wasn't set up as a primary tool for torrenting... security has been placed higher than convenience.


Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Re: Network timeouts periodically

Postby touche112 » Wed Oct 08, 2014 7:46 am

Timeout occurred again using the Portugal exit node. Tried a tracert, couldn't get a single hop out. DNS resolution is down as well. Disconnect and reconnect fixed the problem.

I'm thinking this may be a client issue, so I'm going to try using the standard OpenVPN client, and report back.

marzametal
Posts: 487
Joined: Mon Aug 05, 2013 11:39 am

Re: Network timeouts periodically

Postby marzametal » Wed Oct 08, 2014 9:44 am

Another thread had a topic about Portugal, it's down for the time-being, and the CS staff are working on getting it rectified. You're better off hopping onto another node for the moment.

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Network timeouts periodically

Postby Fermi » Wed Oct 08, 2014 12:56 pm

touche112 wrote:My bad, yes, I have those logs. But past the log of the initial connection, there's nothing further that it reports.


Same here, so I did a little tweak, which redirects the logging to a log file. I clearly can see the re neg now:
Wed Oct 08 09:03:20 2014 Initialization Sequence Completed
Wed Oct 08 09:03:52 2014 FRAG TTL expired i=7
Wed Oct 08 09:03:52 2014 FRAG TTL expired i=9
Wed Oct 08 09:03:52 2014 FRAG TTL expired i=17
Wed Oct 08 09:21:49 2014 FRAG TTL expired i=3
Wed Oct 08 09:21:49 2014 FRAG TTL expired i=16
Wed Oct 08 09:22:14 2014 FRAG TTL expired i=2
Wed Oct 08 09:22:14 2014 FRAG TTL expired i=20
Wed Oct 08 09:23:14 2014 VERIFY OK: depth=1, C=CA, ST=QC, L=Montreal, O=Katana Holdings Limite / cryptostorm_darknet, OU=Tech Ops, CN=cryptostorm_is, [email protected]
Wed Oct 08 09:23:14 2014 VERIFY OK: nsCertType=SERVER
Wed Oct 08 09:23:14 2014 VERIFY OK: depth=0, C=CA, ST=QC, L=Montreal, O=Katana Holdings Limite / cryptostorm_darknet, OU=Tech Ops, CN=server, [email protected]
Wed Oct 08 09:23:14 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Oct 08 09:23:14 2014 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Oct 08 09:23:14 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Oct 08 09:23:14 2014 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Oct 08 09:23:14 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA


I have changed the following in the vpn.conf (C:\Program Files\Cryptostorm Client\user or C:\Program Files (x86)\Cryptostorm Client\user):
verb 7
mute 3
to
verb 3
log file
When connecting a file named 'file' will be created in the same directory containing the log file.
(make sure to revert it when done testing)

As the widget isn't able to 'redirect' the log to the GUI, it will sort of hang, but you can trace the connection in the log file of course.

Of course using the OpenVPN client is a valid alternative.

Regards,

/Fermi

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Network timeouts periodically

Postby Fermi » Wed Oct 08, 2014 2:17 pm

marzametal wrote:Another thread had a topic about Portugal, it's down for the time-being, and the CS staff are working on getting it rectified. You're better off hopping onto another node for the moment.


Brisa is alive again since 6/10/2014: https://twitter.com/cryptostorm_is/stat ... 1592078336

Brisa (our nice new Portugal-based node) had some teething pains, but it's all good now. Phew!
(i.e. multiple from-the-metal OS reinstalls)

/Fermi


Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Re: Network timeouts periodically

Postby touche112 » Wed Oct 08, 2014 8:31 pm

I can't get the OpenVPN client to connect. I have no clue why - it halts at "mute triggered" and then hangs. I gave up after an hour. The instructions are clear-cut, so I don't know why it won't work for me. But whatever.

Anyway, experienced the timeout again, after exactly 20 minutes, using chili. Nothing related to the incident reported in any logs. It's even configured to output in verbose mode.

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Network timeouts periodically

Postby Tealc » Wed Oct 08, 2014 10:02 pm

touche112 wrote:Any reason why browsing speeds are fine, but torrent speeds are slow? I'm seeing 1-2MBps HTTP downloads, but only 100-200kBps torrent downloads.


I may have a "solution" for you...

A long time ago I had the same problem, and after a lot of searching I found that, due to the architecture that CS uses, if someone is already torrenting in the same node as you and uses the same port you will not get a lot of speed since there will be a lot of conflict with the exit IP.
So just point your torrent program to a port high enough that nobody uses (and keep on trying, it took me a couple of hours) and don't use the random port in the config.

Just to show you that I can get easily 19.3 MB/s in the germany node right now with only 62 seeds :-D

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Network timeouts periodically

Postby Tealc » Wed Oct 08, 2014 10:07 pm

touche112 wrote:I can't get the OpenVPN client to connect. I have no clue why - it halts at "mute triggered" and then hangs. I gave up after an hour. The instructions are clear-cut, so I don't know why it won't work for me. But whatever.

Anyway, experienced the timeout again, after exactly 20 minutes, using chili. Nothing related to the incident reported in any logs. It's even configured to output in verbose mode.


Can you post here, as an attachment, the OpenVPN config that you have this problem with? Is this on chili?
Can you remove the Win TAP 32 and add a new one?

If you would like to try my OVPN for chili, it works great :-D they are a little bit different from the original and approved in CS
Attachments
usa_chili.ovpn
(2.22 KiB) Downloaded 176 times


Topic Author
touche112
Posts: 9
Joined: Tue Oct 07, 2014 6:47 pm

Re: Network timeouts periodically

Postby touche112 » Wed Oct 08, 2014 11:34 pm

Tealc wrote:
touche112 wrote:Any reason why browsing speeds are fine, but torrent speeds are slow? I'm seeing 1-2MBps HTTP downloads, but only 100-200kBps torrent downloads.


I may have a "solution" for you...

A long time ago I had the same problem, and after a lot of searching I found that, due to the architecture that CS uses, if someone is already torrenting in the same node as you and uses the same port you will not get a lot of speed since there will be a lot of conflict with the exit IP.
So just point your torrent program to a port high enough that nobody uses (and keep on trying, it took me a couple of hours) and don't use the random port in the config.

Just to show you that I can get easily 19.3 MB/s in the germany node right now with only 62 seeds :-D
torrent_speed_germany.jpg


Perfect solution. I changed to an unusually high port number, and now speeds are comparable to my HTTP speeds. Thanks for the assistance - I knew something was up. :D

I'm in class now, but when I get home I'll try out your config files for the standard client, and maybe fix this timeout issue. Thanks!

parityboy
ForumHelper
Posts: 905
Joined: Wed Feb 05, 2014 3:47 am

Re: Network timeouts periodically

Postby parityboy » Wed Oct 08, 2014 11:49 pm

@Tealc

That's an interesting solution. It means that whether a torrent client is initiating a connection and receiving replies, or is fielding incoming requests initiated from another peer, it uses the same port. This is in stark contrast to - for example - a Tor relay, which might receive requests on port 9001, but when it initiates connections to another relay, it receives replies from that relay on a completely different (and random) port.

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Network timeouts periodically

Postby Tealc » Thu Oct 09, 2014 1:03 am

parityboy wrote:@Tealc

That's an interesting solution. It means that whether a torrent client is initiating a connection and receiving replies, or is fielding incoming requests initiated from another peer, it uses the same port. This is in stark contrast to - for example - a Tor relay, which might receive requests on port 9001, but when it initiates connections to another relay, it receives replies from that relay on a completely different (and random) port.


I believed that this is due to the limited public IP address CS has, but I can't confirm this.
I do have to say that assigning one abnormal port is the way to go, but I do see where you go with this parityboy and I think that this issue was already addressed in a specific topic about torrent speeds and the differences from RAW and Windows connections, but unfortunately I can't find that topic :wtf:

df
Site Admin
Posts: 230
Joined: Thu Jan 01, 1970 5:00 am

Re: Network timeouts periodically

Postby df » Thu Oct 09, 2014 1:23 am

Back to the original problem with the 20 minute disconnects...

I talked with PJ (he'll probably post something more detailed in an hour or so), and he said he's seen this problem before with a few other clients. On the server-side we do:

reneg-sec 1200
# cycle symmetric keys via tls renegotiation every 20 minutes
# an essential fallback to TLS-based 'perfect forward secrecy' via Diffie Hellman keygen

Which is probably the cause of this sudden dead route. It's there in case someone (your ISP, government, or a hacker) tries to inject packets into your session in an attempt to do any kind of MiTM style hijacking, or if they're trying to block sites by doing what China does with spoofed TCP RST packets.

If an exitnode sees any odd behavior like this, the session is immediately dropped, which means you won't be able to connect to anything. It's there as a security measure to protect the user from attacks like this.

What I would suggest doing is installing Wireshark and let it sniff packets for 20 minutes while you wait for the VPN connection to timeout. Try not to do a lot of things online in that time to keep the logs from filling up. Once it's done, you can analyze the packets leading up to the VPN timeout/disconnect and see who's sending what to you (or just send the log to us so we can analyze it). If your ISP is trying to inject some odd packets into your session it can usually be stopped using a local firewall, once you know the type of injection going on.

It's either that or just a really slow connection.
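Added example, not part of the thread and not cryptostorm's code: a small Python check that reads an OpenVPN log written with Fermi's `verb 3` / `log file` change and measures each re-key against the `reneg-sec 1200` quoted by df. The sample log is constructed in the format of Fermi's excerpt; its two failure lines, the hostname in them, the 60-second tolerance and the list of failure messages are assumptions.

```python
import re
from datetime import datetime

RENEG_SEC = 1200  # server-side reneg-sec quoted in df's post
TOLERANCE = 60    # assumed slack (seconds) around the schedule
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
LINE = re.compile(r"^\w{3} (\w{3}) (\d\d) (\d\d):(\d\d):(\d\d) (\d{4}) (.*)$")
REKEYED = "Data Channel Encrypt: Cipher"
STARTED = (REKEYED, "Initialization Sequence Completed")
# Messages OpenVPN 2.x prints when resolving or re-keying fails (assumed set).
FAILURES = ("RESOLVE: Cannot resolve host address", "TLS key negotiation failed")

# Constructed sample; the hostname is a placeholder, not a real exit node.
SAMPLE_LOG = """\
Wed Oct 08 09:03:20 2014 Initialization Sequence Completed
Wed Oct 08 09:03:52 2014 FRAG TTL expired i=7
Wed Oct 08 09:23:14 2014 VERIFY OK: depth=0, CN=server
Wed Oct 08 09:23:14 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Oct 08 09:43:14 2014 RESOLVE: Cannot resolve host address: exitnode.example.invalid: No such host is known.
Wed Oct 08 09:44:14 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

def parse(text):
    """Yield (datetime, message) for each timestamped log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            mon, day, hh, mm, ss, year, msg = m.groups()
            yield datetime(int(year), MONTHS.index(mon) + 1, int(day),
                           int(hh), int(mm), int(ss)), msg

def rekey_events(text, reneg_sec=RENEG_SEC):
    """Return (kind, seconds since the previous key) per re-key or failure."""
    events, last_key = [], None
    for ts, msg in parse(text):
        if last_key is None:
            # Baseline: the initial handshake, or the first line of an excerpt.
            if msg.startswith(STARTED):
                last_key = ts
            continue
        age = int((ts - last_key).total_seconds())
        if msg.startswith(REKEYED):
            on_time = abs(age - reneg_sec) <= TOLERANCE
            events.append(("rekey-ok" if on_time else "rekey-off-schedule", age))
            last_key = ts
        elif any(f in msg for f in FAILURES):
            events.append(("rekey-failed", age))
    return events

if __name__ == "__main__":
    for kind, age in rekey_events(SAMPLE_LOG):
        print(f"{kind:20} {age:5d} s after the previous key")
```

A `rekey-failed` entry whose age is close to `reneg-sec` points at the renegotiation itself; a route that dies with no entry at all, as touche112 reports, points away from the log and toward the packet capture df suggests.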


jdurne
Posts: 7
Joined: Sat Feb 02, 2013 12:27 pm

Re: Network timeouts periodically

Postby jdurne » Sun Oct 12, 2014 2:13 pm

I have exactly the same problems and so far I have not been able to sort it.
Mine started when I changed my token to a new one, and before that it had been running flawlessly since the start of Cryptostorm. Sent in a ticket and got an answer from PJ that the tech folks are looking at it, so I hope for a fast resolution.

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Network timeouts periodically

Postby Fermi » Sun Oct 12, 2014 2:54 pm

jdurne wrote:I have exactly the same problems and so far I have not been able to sort it.
Mine started when I changed my token to a new one, and before that it had been running flawlessly since the start of Cryptostorm. Sent in a ticket and got an answer from PJ that the tech folks are looking at it, so I hope for a fast resolution.


jdurne, @thread,

Strange, I'm connected to two different end nodes, and these connections are stable.
One raw, the other one to a windows node (brisa), the latter renegotiating every 60 seconds instead of 1200 seconds.

Regards,

/Fermi


jdurne
Posts: 7
Joined: Sat Feb 02, 2013 12:27 pm

Re: Network timeouts periodically

Postby jdurne » Sun Oct 12, 2014 6:24 pm

yeah I know it's really strange. I tried several nodes and all of them are disconnecting after 10-20min and just restarting the windows widget solves the problem for another 10-20 min.

parityboy
ForumHelper
Posts: 905
Joined: Wed Feb 05, 2014 3:47 am

Re: Network timeouts periodically

Postby parityboy » Sun Oct 12, 2014 9:11 pm

@jdurne

I'm connected to brisa on both the Windows and raw instances, and both connections have been solid for over two hours. We've run into this issue before with the 20 minute fall-over - it was on Cantus for me - and if I remember rightly it was somehow related to the token, but I can't remember the exact details.


@Tealc
I believed that this is due to the limited public IP address CS has, but I can't confirm this.


Correct. It's called "port collision". Two clients effectively end up "sharing" a port at the clear side of the exit node; packets intended for one end up going to the other, and vice versa.


jdurne
Posts: 7
Joined: Sat Feb 02, 2013 12:27 pm

Re: Network timeouts periodically

Postby jdurne » Sun Oct 12, 2014 10:27 pm

parityboy wrote:@jdurne

I'm connected to brisa on both the Windows and raw instances, and both connections have been solid for over two hours. We've run into this issue before with the 20 minute fall-over - it was on Cantus for me - and if I remember rightly it was somehow related to the token, but I can't remember the exact details.


@Tealc
I believed that this is due to the limited public IP address CS has, but I can't confirm this.


Correct. It's called "port collision". Two clients effectively end up "sharing" a port at the clear side of the exit node; packets intended for one end up going to the other, and vice versa.

Ok thx for the info parityboy.
I first had the problem on Cantus and then on fenrir, onyx and emerald. After trying all of them I gave up and sent in a ticket on the problem.
Hope they can solve it soon. :)

