Netgate Discussion Forum

Cryptofree Configuration

    signalz
    last edited Aug 24, 2018, 5:14 PM

    I am trying to set up an OpenVPN client to connect to Cryptostorm's cryptofree service based on their config file, but I keep getting errors related to TLS. How do I translate their ovpn file to a working configuration in pfSense?

    Their config:

    client
    dev tun
    # "If hostname resolve fails for --remote, retry resolve for 16 seconds
    #  before failing."
    resolv-retry 16
    # "send server an exit notification if tunnel is restarted or OpenVPN
    # process is exited". This informs our server that the session has 
    # ended, which is necessary to decrease the session counter.
    explicit-exit-notify 3
    # "Require that peer certificate was signed with an explicit key usage
    # and extended key usage based on RFC3280 TLS rules. This is a useful
    # security option for clients, to ensure that the host they connect to
    # is a designated server. This is an important security precaution to
    # protect against a man-in-the-middle attack where an authorized client
    # attempts to connect to another client by impersonating the server.
    # The attack is easily prevented by having clients verify the server
    # certificate using any one of --remote-cert-tls, --verify-x509-name,
    # or --tls-verify."
    remote-cert-tls server
    # Even though the hostname below says "windows", the configuration for
    # these ECC instances are actually cross-platform. It was just easier
    # to reuse the DNS used by the Windows instances since the ECC instances 
    # are on port 5060 of all of the Windows instance IPs.
    remote windows-cryptofree.cryptostorm.nu 5060 udp
    # "LZ4 generally offers the best performance with least CPU usage"
    compress lz4
    # "Call --down cmd/script before, rather than after, TUN/TAP close."
    # No down cmd/script is used in this configuration, but most Debian
    # users will be adding the /etc/openvpn/update-resolv-conf up/down
    # script so OpenVPN can properly update the DNS.
    down-pre
    # Increase --verb for more verbosity, 0 to disable.
    verb 4
    # "Log at most 3 consecutive messages in the same category"
    # Helps prevent the logs or STDOUT from getting flooded with the same
    # messages.
    mute 3
    # Not doing "auth SHA512" for ECC instances, because:
    # "If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth 
    # algorithm is ignored for the data channel, and the authentication 
    # method of the AEAD cipher is used instead."
    # These instances use --cipher AES-256-GCM, so even if --auth is 
    # specified, it would be ignored.
    #
    # Uncomment the below line to enable --auth-nocache
    #auth-nocache
    # "If specified, this directive will cause OpenVPN to immediately 
    # forget username/password inputs after they are used".
    # We're not enabling it by default because, for users that are inputting
    # their token using standard input, it can be annoying because OpenVPN
    # will constantly ask them for their token on every TLS renegotiation.
    # For those providing a file to --auth-user-pass (to skip the user/pass 
    # prompt), --auth-nocache doesn't prompt the user since the user/pass
    # is loaded from a file.
    auth-user-pass
    # "256 bit key, 128 bit block". The best available at the moment.
    # GCM chosen instead of CBC because in our tests it shows better 
    # performance.
    cipher AES-256-GCM
    # TLS version 1.2 is the only version allowed, to prevent downgrade 
    # attacks.
    tls-version-min 1.2
    tls-version-max 1.2
    # Elliptic curve Diffie-Hellman + Elliptic Curve Digital Signature Algorithm
    # with AES-256-GCM-SHA384, used to encrypt the control channel.
    # The most secure available at the moment. Again, GCM chosen instead of
    # CBC because in our tests it outperformed CBC.
    tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
    tls-client
    # CA certificate, using the signature algorithm ecdsa-with-SHA512,
    # and prime256v1 to provide a 256 bit EC public key.
    # "a 256-bit elliptic curve public key should provide comparable 
    # security to a 3072-bit RSA public key".
    <ca>
    -----BEGIN CERTIFICATE-----
    MIIBszCCAVigAwIBAgIJALumkoBwGuApMAoGCCqGSM49BAMEMBkxFzAVBgNVBAMM
    DmNyeXB0b3N0b3JtIENBMB4XDTE4MDIyMjE5Mjc1NloXDTM4MDIyMjE5Mjc1Nlow
    GTEXMBUGA1UEAwwOY3J5cHRvc3Rvcm0gQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMB
    BwNCAATAkRZNfbXjbs6LE1zkFlmnvamGgFNuuTUMidN1qrB1Uho39qxuRzzWYKAC
    7flSU9vdIF9Wu0SoXxbx68ZStl/Uo4GIMIGFMB0GA1UdDgQWBBQ+CMOnCKZq7SzJ
    qpc1o2atGx9RUjBJBgNVHSMEQjBAgBQ+CMOnCKZq7SzJqpc1o2atGx9RUqEdpBsw
    GTEXMBUGA1UEAwwOY3J5cHRvc3Rvcm0gQ0GCCQC7ppKAcBrgKTAMBgNVHRMEBTAD
    AQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANJADBGAiEApPF2CAqMD4bHdOkG
    vg3HMUwmcAfWoEnMMT8lm6n8JeoCIQCv9GORxdibasrHSZnSjlbOtLOWhbOlmz46
    dVugiAfKSA==
    -----END CERTIFICATE-----
    </ca>
    # "Encrypt and authenticate all control channel packets with the key".
    # "Encrypting (and authenticating) control channel packets:
    #   provides more privacy by hiding the certificate used for the TLS connection,
    #   makes it harder to identify OpenVPN traffic as such,
    #   provides "poor-man's" post-quantum security"
    <tls-crypt>
    -----BEGIN OpenVPN Static key V1-----
    4875d729589689955012a2ee77f180ec
    b815c4a336c719c11241a058dafaae00
    806bbc21d5f1abad085341a3fca4b4f9
    3949151c2979b4ee4390e8d9443acb00
    61d537f1e9157e45f542c3648f563305
    05f3eaff97ef82ee063b9d88bb9d5aa0
    060428455b51a2a4fd929d9af4b94adc
    b0a4acaa14ff62a9b0f4f9f0b3f01e71
    fc98a6c60e8584f4deb3de793a5a7bc2
    7014c9369f9724bc810ef0d191b30204
    78eead725b3ae6aaef2e1030a197e417
    421f159ed54eb2629afcfb337cf9a002
    5bf1d5c0d820fffb219d0b4214043d2d
    f27ed367b522945a5dadc748e2ca379e
    3971789dbdf609b3d9bfe866361b28e3
    c90589baa925157ad833093a5a7bede5
    -----END OpenVPN Static key V1-----
    </tls-crypt>
    # uncomment the line below to enable TrackerSmacker,
    # our DNS-based intrusive ad/tracker blocking service
    #dhcp-option DNS 10.31.33.7

    My config:
    [Screenshot, Aug 24, 2018: VPN > OpenVPN > Clients > Edit]

    My errors:
    [Screenshot, Aug 24, 2018: Status > System Logs > OpenVPN]

      Derelict (LAYER 8, Netgate)
      last edited Aug 27, 2018, 12:27 AM

      First, it's port 5060, not 560.

      Second, I could not get that server to respond. It came right up using this:

      # Cryptostorm.is config optimized for Tunnelblick/Viscosity OSX and OpenVPN iOS
      client
      dev tun
      resolv-retry 16
      nobind
      float
      #txqueuelen 686
      remote-random
      remote linux-cryptofree.cryptostorm.net 443 udp
      remote linux-cryptofree.cryptostorm.org 443 udp
      remote linux-cryptofree.cryptokens.ca 443 udp
      remote linux-cryptofree.cstorm.pw 443 udp
      remote linux-cryptofree.cryptostorm.nu 443 udp
      comp-lzo
      down-pre
      allow-pull-fqdn
      explicit-exit-notify 3
      hand-window 37
      mssfix 1400
      auth-user-pass
      <ca>
      -----BEGIN CERTIFICATE-----
      MIIFIDCCBAigAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
      VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
      FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
      ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
      CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMCAXDTE3MTIxNjA3
      NTk0MloYDzIwNjcxMjE2MDc1OTQyWjCBujELMAkGA1UEBhMCQ0ExCzAJBgNVBAgT
      AlFDMREwDwYDVQQHEwhNb250cmVhbDE2MDQGA1UEChQtS2F0YW5hIEhvbGRpbmdz
      IExpbWl0ZSAvICBjcnlwdG9zdG9ybV9kYXJrbmV0MREwDwYDVQQLEwhUZWNoIE9w
      czEXMBUGA1UEAxQOY3J5cHRvc3Rvcm1faXMxJzAlBgkqhkiG9w0BCQEWGGNlcnRh
      ZG1pbkBjcnlwdG9zdG9ybS5pczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
      ggEBAMlo5Jghf+yb7j86QKDIA9gH9U+MOj1gFz7POcobF3UXx8CR6py4+kY0LEwE
      s66YuwF3Et1Haymkrxy72RjHqD58FRC1KGg6PzhDr6foXgOpuOweUvBTLS6WR5Ba
      TW+8oqSkFWIZUWxnk4N1npxonZRjYLjU4AJNB1uUKpp5uwtC+n9UYpNZ2H1SwZDc
      tpJNzG3Q+ySqkaJYRR44YbeYoTQpbK/G3o7H2Kz1BsNck5h2SVBo9f3JS4gjTcaP
      fGb6+Lqra/MPlXKY55MzKTLsZ5q1t3ZTjn0vDO7+D7xXoRCXyq9atcRJf9ldm80b
      xABw5dTiS00E6hm3CzpPOSelAXcCAwEAAaOCASMwggEfMAwGA1UdEwQFMAMBAf8w
      HQYDVR0OBBYEFDhY4fdfMy+L0fMdat75Kep6cFElMIHvBgNVHSMEgecwgeSAFDhY
      4fdfMy+L0fMdat75Kep6cFEloYHApIG9MIG6MQswCQYDVQQGEwJDQTELMAkGA1UE
      CBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQKFC1LYXRhbmEgSG9sZGlu
      Z3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQxETAPBgNVBAsTCFRlY2gg
      T3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUGCSqGSIb3DQEJARYYY2Vy
      dGFkbWluQGNyeXB0b3N0b3JtLmlzggkAp6SkZfFe+FswDQYJKoZIhvcNAQELBQAD
      ggEBABrPLmFpugICgUKyJ+6q5h8ZKfoV3S0RtTfrwtobNSFf7H4ZQvCXF2bOuhyc
      g00ffreEGZN2uwtiLh38ncB/BFhHfgkITfTe88m08pJ45PkrpeBfrFbZ+ckXVhV/
      aCnUKkIZgmCNKnn1RIbUt4mzTzggwtN3GamoTzSWqSwCEO9Ig1AJKi5Ms/5Awtdz
      nr95qaqI0ih0NGnfC/yIGYvt1Yay0hCil3jIUT9Ogdw6DW6RqUdJaPrwm58fTwIR
      U33KzBqGs8r3UEIMWXuIGc6eXOm2Br08iFgOsUPGqp1ulvD52pFH1o1vT21v3aXl
      D9Ier/83JLMnBGctT1Kzs9OP/U0=
      -----END CERTIFICATE-----
      </ca>
      ns-cert-type server
      auth SHA512
      cipher AES-256-CBC
      replay-window 128 30
      tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
      tls-client
      key-method 2
      # uncomment the line below to enable TrackerSmacker,
      # our DNS-based intrusive ad/tracker blocking service
      #dhcp-option DNS 10.31.33.7

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)
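As an added example (not code from the thread, from pfSense or from Cryptostorm): a small Python helper that parses an .ovpn profile like the two above into the values the pfSense OpenVPN client form asks for, pushes whatever has no dedicated field into Custom options, and diffs the result against what was typed into the form, which is the kind of check that would have caught the 560 versus 5060 port mismatch. The pfSense field labels are assumptions based on the client edit page, and the sample profile is constructed from the first post's directives with placeholder certificate and key bodies.

```python
import re
# Constructed sample: directives from the cryptofree .ovpn in the first post,
# with stand-in placeholders for the <ca> and <tls-crypt> bodies.
SAMPLE_OVPN = """\
remote-cert-tls server
remote windows-cryptofree.cryptostorm.nu 5060 udp
cipher AES-256-GCM
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
<ca>
PLACEHOLDER-CA-PEM
</ca>
<tls-crypt>
PLACEHOLDER-STATIC-KEY
</tls-crypt>
"""

def parse_ovpn(text):  # -> ({directive: [arg lists]}, {tag: inline block body})
    directives, blocks, tag, buf = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag and line != f"</{tag}>":            # inside <ca>, <tls-crypt>, ...
            buf.append(line)
        elif tag:                                  # closing tag reached
            blocks[tag], tag = "\n".join(buf), None
        elif m := re.fullmatch(r"<([\w-]+)>", line):
            tag, buf = m.group(1), []
        elif line and not line.startswith("#"):    # skip comments and blank lines
            key, *args = line.split()
            directives.setdefault(key, []).append(args)
    return directives, blocks

def pfsense_fields(text):  # -> values for the pfSense client form (field labels assumed)
    d, b = parse_ovpn(text)
    host, *rest = d["remote"][0]                   # first remote; OpenVPN's defaults
    port, proto = rest + ["1194", "udp"][len(rest):]
    fields = {"Server host": host, "Server port": int(port), "Protocol": proto.upper(),
              "Data Encryption Algorithms": d["cipher"][0][0] if "cipher" in d else None,
              "Auth digest algorithm": d["auth"][0][0] if "auth" in d else None,
              "Peer Certificate Authority": b.get("ca"), "TLS Key": b.get("tls-crypt") or b.get("tls-auth"),
              "TLS Key Usage Mode": ("TLS Encryption and Authentication" if "tls-crypt" in b
                                     else "TLS Authentication" if "tls-auth" in b else None)}
    # These have dedicated fields; everything else (extra remotes, tls-cipher, ...) passes through.
    handled = {"client", "dev", "cipher", "auth", "auth-user-pass"}
    fields["Custom options"] = "\n".join(" ".join([k, *a]) for k, v in d.items()
                                         if k not in handled for a in (v[1:] if k == "remote" else v))
    return fields

def check_against_form(fields, entered):  # form values that disagree with the profile
    return [f"{k}: form has {entered[k]!r}, profile has {fields.get(k)!r}"
            for k in entered if fields.get(k) != entered[k]]
```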
