
cryptostorm connections from Linux | DEPRECATED

cryptostorm_team
ForumHelper
Posts: 159
Joined: Sat Mar 02, 2013 12:12 am

cryptostorm connections from Linux | DEPRECATED

Postby cryptostorm_team » Thu Oct 24, 2013 3:03 am

edit: this connection guide is pretty much out of date, and since it was put together Debian connections have become much easier - we're putting together a new, much less tangled, explanation and hope to post it shortly. In the meantime, please be sure to scroll this thread before you look at it & think "oh geez, this looks horrible" - it's really not. "Raw" Linux connections are (usually) very straightforward & our in-house development team mostly uses such connections everyday ("eating our own dog food"), so we're right on board. ALSO please note that you must hash your token before you feed it to the connection as 'username' (details below) - otherwise it'll throw an "auth failed" message. We have made a one-step hashing tool available here - cryptostorm.is/hash - or of course you can use terminal-based tools, or whatever else, for the SHA512 transform. Thanks! :-)

~ ~ ~ ~

If you're using a Linux-flavoured local client computer to connect to the cryptostorm network, we've got some good news for you: without any need for extra installers, "client applications," or anything else you'll be able to connect with very little drama.

The best way to do this is from the terminal window. Now, if you're not a terminal jockey and tend to stick to a more GUI-centric frontend, that's not a problem. This is not a complex terminal process involving complex commands or clever manipulation of resources. With really baseline terminal skills, you'll find this to be a very easy process - surprisingly so.

If you've never used the terminal window before, then it might be a bit much to learn this way... however if you've got an hour to spare and the patience to google a few questions (or ask a friend with some experience), it'll be no more work than that - and once you know how to do it, there's nothing more to learn.

We're talking about writing a little bash script to automate this process. That's likely to happen soon, so if all this talk about the terminal seems off-putting, no worries - this is just if you want to get on the network now! :-P

Finally, we're not going to use precise syntax in these steps below, as they can vary just enough between Linux distros that it might end up being a hassle. Rather, we're hoping folks with specific Linux installs can post up their specific syntax used, in follow-on posts, so we've got both the general outline and the specifics as well.

The general process goes as follows:

    1. The first, and (mysteriously) occasionally only challenging step is to make sure you have a current build of the OpenVPN engine available locally. Should be simple, but for some distros there are really tragically broken repository pointers out there. For example, folks in Debian-land might find this repository mapping very helpful:

    deb http://swupdate.openvpn.net precise Release

    We'll keep updating this post with the best direct links to current repositories for various distros; for now it's absolutely essential you have a current OpenVPN build on your machine. For example, OpenVPN 2.2.1 is hard-bound to a very out-of-date OpenSSL build (pre 1.0)... and that means a whole raft of essential cipher suite improvements are simply impossible to use.

    Yes, we really do need to use the most current OpenVPN build (2.3.2) - because it supports the suite of cipher algorithms that, in combination, provide the minimised attack surface & optimised hardening we've worked so hard to develop for cryptostorm's members. This can be a pain in the ass to get done on some distros, especially until we get some really smart folks coming through here to show us the elegant way! :-)

    There's always the option of compiling from source, in a pinch.


    1b. Note that you'll need a fairly current set of the openssl libraries on your machine, as well. Some repository/package managers will fetch this key dependency automagically; some will assume you've got it already. Some distros surely package it up with regular updates - although a few don't. This is, fortunately, rarely a complex issue. Rule of thumb: if you've got anything as current or better than 1.0.1(c), you're good to go :-) Note: checking your openssl version requires only this from the terminal: openssl version.


    2. Phew, ok with those two essential pieces settled on your local machine, you're ready for the easy steps. First, grab a current copy of our client configuration file from this thread; it'll be down towards the bottom, in the latest posts (we keep old versions there so folks can see what we've been adjusting over time, so don't just grab the first one you see as you read down the thread!). Save that to someplace convenient in your directory structure. In fact, you can rename it if you want to - it's ok, and a shorter name is a little easier to manage in some cases. Remember where you saved it, as you'll need to head back to it in the next step...


    3. Open a terminal window, and navigate over to where you just saved the config file. This is the easiest way, although you can specify the directory path of the config file from the step above, if you prefer to do that and are comfortable with that sort of mapping.


    4. Now, you're ready to start your network session! Type in the following command at your shell prompt:

    openvpn --config {enter config file name here}


    Of course, replace the entire {enter config file name here} block with your config file name. For example, let's say you saved the config file locally as "cryptostorm.conf" - a fine name, that :-P The syntax for invoking an openvpn session would then look exactly like this:

    openvpn --config cryptostorm.conf


    ...no muss, no fuss. It's a pretty elegant way to call forth a really quite powerful application.

    (note: it's usually a good idea to run this step as root, but the specifics of doing so depend on the distro and your own security setup locally - if you're in Ubuntu, for example, you'll add "sudo" to the beginning of that line; we're testing out ways to ensure this isn't necessary in later builds, but for now you won't go wrong if you invoke as root and, in our opinion, the security risk of doing so is very minimal)


    5. Just like that, the terminal window will ask you for your "username" - in our security model, remember, this is the SHA512 hashed version of your network access token. That will be exactly 128 bytes of alphanumeric text: no spaces, no dashes, no line breaks. Paste that honker of an entropy-brick into your terminal window, and hit "enter."


    6. It'll now ask for password, & you can enter our default (MD5 hashed) generic passy: 93b66e7059176bbfa418061c5cba87dd - hit enter again...


...at this point, nothing happens. There's no big spinning 3-d lock that sings a jaunty tune to announce you've successfully auth'd into the darknet. The terminal window will just... sit there. Behind the scenes, the entire encrypted tunnel & associated control-channel session is being bootstrapped into existence. Routing tables are being flushed, new routes & metrics added. New DNS servers - pushed from our network - are being mapped. Lots of 1s turning into 0s, and the reverse.

Give it 30 seconds or so. If nothing happens, that's an auspicious sign :-) point your browser at a website that echoes your source IP, to confirm you're routing through our network (or just traceroute from a different terminal window - the first few hops'll tell you what's up with your routing topology). There you go. That's it. There's nothing else to set, fiddle, adjust, change, or check on.

The secure connection will retain itself quite aggressively. If your local network drops, the secure session will spin up immediately when it can pass packets again. It won't "time out" by itself - you are welcome to stay connected to our network for days, weeks, months - seriously. All your packets, and protocols, and ports, and applications will route through it - no additional fiddling required.

(if you close that terminal window, you'll end your cryptostorm network connection - you can of course minimise that terminal window, open additional ones, and so on... and when you do want to end the secure session, just close the window & it's over)

Now, when our widget is ready to compile for our Linux members, it'll bring some nice features with it: remembering saved (hashed) token values between sessions, throwing a little desktop icon to confirm "connected" status, enabling exitnode selection dynamically... all good stuff, for sure.

But...

The command-line interface to OpenVPN is powerful. It does exactly what it is supposed to do: make a very strong, very durable, very reliable secure session into our darknet. It does that behind the scenes, with absolute minimal intervention required. That's good - as it should be.

We'll be adding to, editing, fine-tuning, and improving this HOWTO as we go. Readers who see errors, opportunities to clarify, additions... please post in reply! We'll be happy to bring your good suggestions up into the core text - and provide you with attribution for your help, if you approve. This is a community effort, as always - it's where the strength manifests most clearly.

    ~ cryptostorm_team
cryptostorm_team - a shared, team-wide forum account (not a person)
PLEASE DON'T SEND PRIVATE MESSAGES to this account, as we can't guarantee quick replies!
--> feel free to use any of our other contact channels, or post in the support forum
cryptostorm: structurally anonymous, token-based, unlimited ☂ bandwidth, opensource, darknet data security for everyone!
keybase.io validators | onename.io validators | PGP key @ MIT | network status | cryptostorm github
support team bitmessage address: BM-2cTMH8K5JnjbfSALjZtSkRWCLfc3Tr8GBV
support team email: [email protected]
live chat support: #cryptostorm

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby DesuStrike » Thu Oct 24, 2013 3:10 pm

Hey there folks!

I use Ubuntu 13.04 and had some problems with the repo you suggested in this thread because it seems to be unreachable.

I found two nice and easy *.deb files though. (Downloads at the end of this post) One for i386 and one for amd64. It is not the very latest development release of 2.3.2 but it should do the trick. I will test it this afternoon.

So if you are still on Ubuntu raring ringtail like me you can install it via terminal:
sudo dpkg -i {name of the *.deb file}

e.g. sudo dpkg -i openvpn_2.3.2-2pmjdebruijn1~raring_amd64.deb

Good luck!


DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby DesuStrike » Thu Oct 24, 2013 6:25 pm

Please disregard the two posts I made here. The linked packages give some weird error message. Seems like you have to upgrade to Ubuntu 13.10 to get the newest openvpn with all dependencies.

Pattern_Juggled
Posts: 1493
Joined: Sun Dec 16, 2012 6:34 am

updating current...

Postby Pattern_Juggled » Thu Oct 24, 2013 8:30 pm

DesuStrike wrote: Please disregard the two posts I made here. The linked packages give some weird error message. Seems like you have to upgrade to Ubuntu 13.10 to get the newest openvpn with all dependencies.


Yah, we'd seen those issues in working through this install with several beta network members.

But it's more complicated than that - and better news, actually!

Several of our in-house team members have a fully-current OpenVPN build on their Ubuntu test boxes... and none of them are running 13.10 yet. One is on 13.04, one is 12.04 - you see the mystery here, eh?

We've asked them to remember how they went about getting the current libraries, once a block of time opens up for them to think back on it (been a busy couple of weeks 'round here). It could be they self-compiled, but at this point it's lost in the fog of "dunno, just figured out how to get OpenVPN current & then started on the real work" recollection.

So: it's possible to do this even before 13.10 (which, personally, I'd recommend avoiding for now - fwiw). We know it, 'cause we've got folks testing with it in-house... we just don't remember, right now, how we did it!

(note that it's possible they did their updates to the libraries before the OpenVPN team managed to break their repositories - all their repositories - for this application package)

Finally, if we can't find good binaries/RPMs out there, we'll just self-compile a selection for the more common Linux flavours and make 'em available directly to customers. That seems crazy to need to do given how big a project OpenVPN is - but in a pinch, one does what one must.

Thanks for taking a look at this - it's pretty damned mysterious at this point. A basic step like updating OpenVPN libraries to current (heck, even close-to-current) should be less than 5 minutes' time, in total. So this huge tail-chasing expedition is aberrant...
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
[email protected]ðëëþ.be | keybase pgp | mit pgp | ðørkßöt-on-console | git 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby DesuStrike » Fri Oct 25, 2013 3:17 am

Thanks for the heads up. I hope all this isn't discouraging anyone to keep on trying.

btw: Please check your mail for information on some issue surrounding this guide and DNS...

ps: firefox for android seems to hate phpBB. please excuse any possible strange formatting.
home is where the artillery hits

cryptostorm_team
ForumHelper
Posts: 159
Joined: Sat Mar 02, 2013 12:12 am

Re: HOWTO: cryptostorm network connections from Linux

Postby cryptostorm_team » Fri Oct 25, 2013 7:40 pm

We did some poking around in the quasi-official Mint distros, and it does look like their compiles of OpenVPN are noncurrent. That's on top of the Debian-level weirdness with current packages, so the rabbit hole indeed does seem to go down a few levels...

Right now, we're picking at doing generic builds of the current source for Debian-flavoured machines & sticking them up on a makeshift repository. Seems a bit of an odd thing to do given how widespread use of OpenVPN is... but it also seems that a big chunk of Linux folks are using old, outdated, insecure builds of client-side OpenVPN because all the standard repositories lack more current package build support. Which is really, really scary.

At this point we have in-house builds that are quite happy on a couple of Debian-based distros we've used for testing (the key being ensuring availability of current openssl libraries - which, fortunately, are now supported in the main Debian repositories) - so unless something else shakes out of the community shortly, we're likely to release those for beta testers to try out in wider config variations.

Prior to that, however, we're going to test some scripting-fu if we can just hunt down some repository - somewhere - that retains an image of the generic 2.3.2 Debian builds. That would seem a simple process, but... yeah. Quite an adventure! :-)

Thanks again for helping test this out - it's extremely useful and is uncovering just the sort of unexpected snags that only a wider testing deployment can really nail down.

    ~ cryptostorm_team

Pattern_Juggled
Posts: 1493
Joined: Sun Dec 16, 2012 6:34 am

Re: HOWTO: cryptostorm network connections from Linux

Postby Pattern_Juggled » Fri Oct 25, 2013 7:49 pm

DesuStrike wrote: ps: firefox for android seems to hate phpBB. please excuse any possible strange formatting.


That's likely not actually Firefox's fault, and rather relates to us shoehorning in a phpBB style that's not technically actually directly version-aligned with our phpBB build. Which tends to result in odd manifestations of non-responsive CSS behaviour like you're seeing...

And, yes, we're going to get that settled so the style is congruent with our forum rev... but likely not until the wave of beta network testing settles into a more stable trajectory in the next week or three. Or, indeed, unless someone shows up in the meantime & wants to volunteer to help fiddle the styles on the install here to get things all happy and peaceful! :-P

We've done our best to proof the main cryptostorm.is site to be reliably "responsive," so if you see odd DOM-painting errors when you visit that site, then we're definitely blaming Firefox! ;-)

Cheers,

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby DesuStrike » Fri Oct 25, 2013 8:31 pm

The amount of coincidences is very strange indeed, while outdated software in the main distro repos unfortunately is not. This is the reason I strongly support the idea of a special repo maintained by the cryptostorm_team. I know it is somewhat of an extra load of work for the team but you can never trust anybody else's repo to always be as up to date as yours might need to be.

I also tend to favor easy to use solutions as long as they have no impact on security. Not because I am incapable of fiddling with the console to eventually get to a solution but because I have a family and a girlfriend that I want to protect. They need easy to use tools they can operate. I have a solution for my family (DD-WRT. Will test it as soon as I get to it.) but my girlfriend needs something that starts automatically or with a double-click after I configured it.

I guess other people have similar problems or just don't have the time or knowledge to work around problems like the current one concerning an up-to-date repo.

This is why I am happy that you are working on a Linux-Widget and an Android-Widget. But as far as I know those tools still need the original openvpn binaries to run. It would be very confusing for many people if the installation of the widget fails due to an outdated repo or if people need to switch from time to time.

Maintaining an own repo would avoid such problems to begin with. :)

PS: This is no critique about the current situation. This project is in beta and I can imagine the lack of sleep everyone on the team has to endure on a daily basis. I try to help along as much as my personal life allows me to (I volunteered for the German translation of the widget) but in the end you guys are doing the REAL work behind the scenes. So I hope my post didn't steal too much time from you. I just wanted to add my personal thoughts. ;)


@PJ: Haha... Oh well, either a lot of people tend to edit the board software like you do or it IS a problem caused by firefox mobile. These errors occur with almost every textbox I try to write in.

But no worries: The main page works great. ;)


Guest

Re: HOWTO: cryptostorm network connections from Linux

Postby Guest » Tue Oct 29, 2013 2:28 am

Any chance to get a guide for openSUSE 12.3? Just want to be sure I got it correct. I see that openvpn is there by default, but do I need to get a specific openvpn build different than what comes out of the box?

Pattern_Juggled
Posts: 1493
Joined: Sun Dec 16, 2012 6:34 am

OpenSUSE info

Postby Pattern_Juggled » Tue Oct 29, 2013 3:20 pm

Guest wrote: Any chance to get a guide for openSUSE 12.3? Just want to be sure I got it correct. I see that openvpn is there by default, but do I need to get a specific openvpn build different than what comes out of the box?


From the terminal, ask what version of the OpenVPN package is currently on the machine; the syntax for that should be:

openvpn --version


This will spit out a bunch of details, most of which are options relating to how the package was configured (with each config parameter being set to "yes" or "no," generally). The version number for the core application is right there in the first line; the rest is mostly just for curiosity's sake unless you're experimenting with custom compile options & so forth:

OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun  3 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_crypto=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no


If it looks like you're not current with 2.3.2 (which is required to support the suite of cipher algorithms that underpins the cryptostorm security model), then here's the OpenVPN manual page discussing Linux installs; basically, you can either compile your own package, or just grab a current build from the usual repositories:

Linux Notes (using RPM package)

If you are using a Linux distribution which supports RPM packages (SuSE, Fedora, Redhat, etc.), it's best to install using this mechanism. The easiest method is to find an existing binary RPM file for your distribution. You can also build your own binary RPM file:
    rpmbuild -tb openvpn-[version].tar.gz


Once you have the .rpm file, you can install it with the usual
    rpm -ivh openvpn-[details].rpm


or upgrade an existing installation with
    rpm -Uvh openvpn-[details].rpm


Installing OpenVPN from a binary RPM package has these dependencies:

    openssl
    lzo
    pam


Furthermore, if you are building your own binary RPM package, there are several additional dependencies:

    openssl-devel
    lzo-devel
    pam-devel


See the openvpn.spec file for additional notes on building an RPM package for Red Hat Linux 9 or building with reduced dependencies.


Linux Notes (without RPM)

If you are using Debian, Gentoo, or a non-RPM-based Linux distribution, use your distro-specific packaging mechanism such as apt-get on Debian or emerge on Gentoo.

It is also possible to install OpenVPN on Linux using the universal ./configure method. First expand the .tar.gz file:
    tar xfz openvpn-[version].tar.gz


Then cd to the top-level directory and type:
    ./configure
    make
    make install


Finally, here's a rather comprehensive list of pre-compiled rpm packages of OpenVPN 2.3.2x for various CPU architectures and the Linux distros that work with rpm-based installers (more or less the non-Debian distros). Most folks will either find the current build in standard repo or jump right to compiling their own package from source - but we're including this resource here, just in case it's useful for some folks to have it rather than need to hunt around looking :-)


Extra Checks:

If you're curious to confirm that your build of OpenVPN supports the required cipher suites, you can ask this from the terminal window:

openvpn --show-tls


...which will output something like this:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-PSK-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-PSK-WITH-3DES-EDE-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-DSS-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-SEED-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-PSK-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
TLS-ECDH-RSA-WITH-RC4-128-SHA
TLS-ECDH-ECDSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-PSK-WITH-RC4-128-SHA
TLS-DHE-RSA-WITH-DES-CBC-SHA
TLS-DHE-DSS-WITH-DES-CBC-SHA
TLS-RSA-WITH-DES-CBC-SHA
TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA
TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA
TLS-RSA-EXPORT-WITH-DES40-CBC-SHA
TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
TLS-RSA-EXPORT-WITH-RC4-40-MD5


Which, if you're a cipher geek, is interesting stuff!

Finally, you might want to make sure the underlying OpenSSL libraries on your machine are up-to-date. Again, in theory this should pretty much happen by itself during routine package updating procedures... but OpenSSL can get behind for several moderately common reasons. The syntax to ask, from the terminal, what version of OpenSSL you're running is...

openssl version


From there, you can ask about available cipher suites in OpenSSL with this command:

openssl ciphers


Which will output a big textbrick looking like this:

ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5


Cheers!


Guest

Re: HOWTO: cryptostorm network connections from Linux

Postby Guest » Tue Oct 29, 2013 7:14 pm

Wow! I didn't expect a write up so quickly. Thank you much friends :)


Guest

Re: HOWTO: cryptostorm network connections from Linux

Postby Guest » Mon Nov 18, 2013 5:43 am

I am working with Mint distro (Olivia). Currently OpenVPN 2.2.1 is installed. Like others said, OpenVPN 2.3.2 is required.

I downloaded the .tar.gz file of 2.3.2 from here http://openvpn.net/index.php/open-source/downloads.html

I extracted it and ran ./configure, I got several errors (ssl, lzo, and libpam, required but missing) and fixed those as per: http://selvakumar-arumugam.rhcloud.com/auto-login-openvpn-without-prompt-for-username-password-on-ubuntu/.

And after that it configured. I ran "make" OK, but when I tried to do "make install" I get several errors:

"/usr//bin/install: cannot remove '/usr/local/include/openvpn-plugin.h': permission denied.
make[3]: *** [install-includeHEADERS] Error 1
make[2] *** [install-am] Error 2
make[1] *** [instal-recursive] Error1
make: *** [install] Error 1

I tried "sudo make install, " which runs and does not give those errors, but if I type "openvpn --version" it tells me I still have v 2.2.1 installed.

Can anyone offer help?

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby DesuStrike » Mon Nov 18, 2013 6:22 am

hmm... I'm not very good at compiling source code and stuff but does "make install" not just create an install script that you still need to run to eventually install the compiled code? Sorry if this is stupid to the max but I kind of remember doing that once.

acid1c
Posts: 49
Joined: Sat Aug 31, 2013 5:42 am

Re: HOWTO: cryptostorm network connections from Linux

Postby acid1c » Mon Nov 18, 2013 8:55 pm

You could try installing from an openvpn deb. This tutorial should suffice I hope https://community.openvpn.net/openvpn/w ... twareRepos
Bitmessage me with Questions, Help, or ChitChat :) - BM-2cV5BzWc9P7vufQREE8Be4U64GBgRJ3GnT
" Those who do not move, do not notice their chains." -Rosa Luxemburg


rocket
Posts: 9
Joined: Wed Jul 03, 2013 4:41 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby rocket » Thu Nov 21, 2013 4:08 pm

acid1c wrote:You could try installing from an OpenVPN deb. This tutorial should suffice, I hope: https://community.openvpn.net/openvpn/w ... twareRepos


Yep, works for me :clap:

Incidentally, there's a note at the bottom of that page indicating that repos.openvpn.net is discontinued & has been replaced with swupdate.openvpn.net.

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby DesuStrike » Thu Nov 21, 2013 4:31 pm

rocket wrote:Incidentally, there's a note at the bottom of that page indicating that repos.openvpn.net is discontinued & has been replaced with swupdate.openvpn.net.


HA! Good find! I will immediately update the guide.
Thank you very much for helping with this! :thumbup:
home is where the artillery hits

cryptostorm_ops
ForumHelper
Posts: 104
Joined: Wed Jan 16, 2013 9:20 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby cryptostorm_ops » Sat Dec 21, 2013 1:41 pm

Here's the quote from the newly-revised page on OpenVPN installation for Linux:

Notes on old apt/yum repositories

The current incarnation of OpenVPN apt repositories is the third one. The first repositories were hosted on build.openvpn.net and the second ones on repos.openvpn.net, a now discontinued server. The apt lines for the latter still work, but new OpenVPN releases (2.3.3 and later) will only be added to current swupdate.openvpn.net repos. Unfortunately due to the complete restructuring of the apt repository structure it is not possible to cleanly migrate from the repos.openvpn.net-based configuration to the swupdate.openvpn.net configuration.

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: cryptostorm network connections from Linux

Postby DesuStrike » Sat Dec 21, 2013 10:59 pm

Sheesh! They are really jumping from repo to repo... Kinda annoying if you have to keep up with that.
As far as Ubuntu users are concerned, Canonical promises to provide "critical" updates until June 2014. So this sounds a bit more relaxed, but I wonder what that means in practice: Do they not provide every update? Are they taking lots of time until they push a new version?

I'm a pretty new Ubuntu user. If somebody has experience with how Canonical is handling those updates, I would very much appreciate it if you share your knowledge with us.

If they get lazy with updates I definitely would opt for adding the official OpenVPN repo.
home is where the artillery hits


b3ing
Posts: 2
Joined: Fri Feb 07, 2014 8:03 am

Re: HOWTO: cryptostorm network connections from Linux

Postby b3ing » Fri Feb 07, 2014 6:01 pm

First off, thanks for this tutorial! Though I'm running a Debian-based distro, I believe I avoided all this trouble by upgrading to the testing branch (Jessie) of Debian, which seems to have the needed OpenVPN version.

There are only two/three additions I'd like to make:

If you are tired of typing your username and password in all of the time, there is a very simple way to let your system remember them. First you have to add the name of any text file to the line auth-user-pass, so the line, for example, reads:


auth-user-pass login.conf

Then you have to create said text file in the same directory as your *.conf file. The first line of this file should be your username, the second your password. Since both are saved in plain text, you could maybe increase security by changing the owner of both files to root and changing the permissions accordingly.

If you want to start your VPN in the background, you just have to add --daemon to your openvpn command. This may seem problematic, because you can't see if it is really running. Well, I use the i3 window manager with the i3status bar, and have told my OpenVPN to start on startup and write a pid file:


sudo openvpn --daemon --writepid /var/run/crypto.pid --config crypto.conf


Then I just added the following to the .i3status.conf file:


run_watch VPN {
    pidfile = "/var/run/crypto.pid"
}


Now my title bar always shows me if I'm connected to the VPN, which loads automatically!


b3ing
Posts: 2
Joined: Fri Feb 07, 2014 8:03 am

Re: HOWTO: cryptostorm network connections from Linux

Postby b3ing » Sat Feb 08, 2014 9:43 pm

I've found the setup I posted just above not to be very clever: instead of creating the file login.conf, name it login.txt, and change the VPN *.conf file accordingly. Then copy both files into /etc/openvpn. The VPN should now automatically start when you boot. If not, change the file /etc/defaults/openvpn accordingly. The *.pid file can be found in /run/openvpn/. Hope this helps!
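The two posts above describe a credentials file for auth-user-pass, a daemonised openvpn with --writepid, and a pidfile check (the i3status run_watch). The following shell script is an added example, not code from the thread or from cryptostorm: it creates the two-line credentials file so that it is never world-readable (the point b3ing raises about plain-text storage), verifies that state, and checks whether the pid named in the pidfile is a live process, which is all run_watch does. The file names login.txt and crypto.pid and the paths follow the posts; the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for the auth-user-pass
# credentials file and the --writepid pidfile described in the posts above.

# write_auth_file FILE USERNAME PASSWORD
# Writes the two-line file OpenVPN reads for "auth-user-pass FILE":
# line 1 = username, line 2 = password. The umask is tightened *before*
# the file is created, so the plaintext is never briefly world-readable.
write_auth_file() {
    file=$1; user=$2; pass=$3
    old_umask=$(umask)
    umask 077
    printf '%s\n%s\n' "$user" "$pass" > "$file"
    umask "$old_umask"
    chmod 600 "$file"            # explicit, in case the file already existed
}

# auth_file_is_safe FILE
# Returns 0 only if FILE exists, holds exactly two lines and is readable by
# its owner alone (mode 600 or 400). Run this as a check after copying the
# file into /etc/openvpn and chown'ing it to root, as the post suggests.
auth_file_is_safe() {
    file=$1
    [ -f "$file" ] || return 1
    [ "$(wc -l < "$file")" -eq 2 ] || return 1
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# vpn_is_running PIDFILE
# Returns 0 when PIDFILE (written by "openvpn --daemon --writepid PIDFILE")
# names a process that is still alive; a stale or malformed pidfile is
# treated as "not running", which is the same signal i3status run_watch gives.
vpn_is_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric content
    esac
    kill -0 "$pid" 2>/dev/null     # signal 0: existence check only
}

# Example usage (paths as in the posts; requires root and a real config):
#   write_auth_file /etc/openvpn/login.txt "<hashed token>" "<password>"
#   auth_file_is_safe /etc/openvpn/login.txt || echo "fix permissions on login.txt"
#   sudo openvpn --daemon --writepid /var/run/crypto.pid --config crypto.conf
#   vpn_is_running /var/run/crypto.pid && echo "VPN up"
```

The permission check matters because OpenVPN itself will happily read a world-readable credentials file; nothing in the daemon warns you that any local user can read your token.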

