Cryptostorm free low speed OpenVPN config file

a guest
Jul 12th, 2015
  1. # this is the cryptofree.me client settings file, versioning...
  2. # cryptofree_client_linux1_4.conf
  3. # last update date: 5 November 2014: remember, remember...
  4.  
  5. # it is intended to provide connection solely to the global cryptofree instance/node resource pool
  6. # DNS resolver redundancy provided by TLD-striped, randomised lookup queries
  7. # Chelsea Manning is indeed a badassed chick: #FreeChelsea!
  8. # also... FuckTheNSA - for reals
  9.  
  10.  
  11. client
  12. dev tun
  13. resolv-retry 16
  14. nobind
  15. float
  16.  
  17. txqueuelen 686
  18. # expanded packet queue plane, to improve throughput on high-capacity sessions
  19.  
  20. sndbuf size 1655368
  21. rcvbuf size 1655368
  22. # increase pre-ring packet buffering cache, to improve high-throughput session performance
  23.  
  24.  
  25. remote-random
  26. # randomizes selection of connection profile from list below, for redundancy against...
  27. # DNS blacklisting-based session blocking attacks
  28.  
  29.  
  30. <connection>
  31. remote linux-cryptofree.cryptostorm.net 443 udp
  32. </connection>
  33.  
  34. <connection>
  35. remote linux-cryptofree.cryptostorm.org 443 udp
  36. </connection>
  37.  
  38. <connection>
  39. remote linux-cryptofree.cryptokens.ca 443 udp
  40. </connection>
  41.  
  42. <connection>
  43. remote linux-cryptofree.cstorm.pw 443 udp
  44. </connection>
  45.  
  46. <connection>
  47. remote linux-cryptofree.cryptostorm.nu 443 udp
  48. </connection>
  49.  
  50.  
  51. comp-lzo no
  52. # specifies refusal of link-layer compression defaults
  53. # we prefer compression be handled elsewhere in the OSI layers
  54. # see forum for ongoing discussion - https://cryptostorm.org/viewtopic.php?f=38&t=5981
  55.  
  56. down-pre
  57. # runs client-side "down" script prior to shutdown, to help minimise risk...
  58. # of session termination packet leakage
  59.  
  60. allow-pull-fqdn
  61. # allows client to pull DNS names from server
  62. # we don't use but may in future leakblock integration
  63.  
  64. explicit-exit-notify 3
  65. # attempts to notify exit node when client session is terminated
  66. # strengthens MiTM protections for orphan sessions
  67.  
  68. hand-window 37
  69. # specified duration (in seconds) to wait for the session handshake to complete
  70. # a renegotiation taking longer than this has a problem, & should be aborted
  71.  
  72. mssfix 1400
  73. # congruent with server-side --fragment directive
  74.  
  75. # be sure to create /etc/openvpn/password.txt with two lines
  76. # of text, first is username, second is password, but with
  77. # cryptofree these can be any random strings
  78. auth-user-pass password.txt
  79.  
  80.  
  81. # auth-retry interact
  82. # 'interact' is an experimental parameter not yet in our production build.
  83.  
  84. ca ca.crt
  85. # specification & location of server-verification PKI materials
  86. # for details, see http://pki.cryptostorm.org
  87.  
  88. <ca>
  89. -----BEGIN CERTIFICATE-----
  90. MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
  91. VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
  92. FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
  93. ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
  94. CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
  95. MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
  96. QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
  97. aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
  98. FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
  99. aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
  100. AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
  101. mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
  102. vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
  103. Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
  104. +vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
  105. cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
  106. L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
  107. USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
  108. TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
  109. cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
  110. eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
  111. cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
  112. AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
  113. IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
  114. inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
  115. o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
  116. gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
  117. X03mQP3ssBs2YRNR5hR5cMdC
  118. -----END CERTIFICATE-----
  119. </ca>
  120.  
  121. ns-cert-type server
  122. # requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.
  123.  
  124. auth SHA512
  125. # data channel HMAC generation
  126. # heavy processor load from this parameter, but the benefit is big gains in packet-level...
  127. # integrity checks, & protection against packet injections / MiTM attack vectors
  128.  
  129. cipher AES-256-CBC
  130. # data channel stream cipher methodology
  131. # we are actively testing CBC alternatives & will deploy once well-tested...
  132. # cipher libraries support our choice - AES-GCM is looking good currently
  133.  
  134. replay-window 128 30
  135. # settings which determine when to throw out UDP datagrams that are out of order...
  136. # either temporally or via sequence number
  137.  
  138. tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  139. # implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
  140. # see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
  141. # http://ecc.cryptostorm.org
  142.  
  143. tls-client
  144. key-method 2
  145. # specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap
  146.  
  147. log devnull.txt
  148. verb 0
  149. mute 1
  150. # sets logging verbosity client-side, by default, to zero
  151. # no logs kept locally of connections - this can be changed...
  152. # if you'd like to see more details of connection initiation & negotiation