
Cryptostorm free low speed OpenVPN config file

a guest
Jul 3rd, 2015
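  # this is the cryptostorm.is client settings file, versioning...
# cstorm_mac_dynamic_1-4

# it is intended to provide connection solely to a dynamically loadbalanced pool of cs machines worldwide
# DNS resolver redundancy provided by TLD-striped, randomised lookup queries
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also... FuckTheNSA - for reals
#
# NOTE(review): this profile carries no tls-auth/tls-crypt key, no remote-cert-tls,
# no verify-x509-name and no tls-version-min. The server is trusted purely on the
# inline CA below plus the ns-cert-type check; read the per-directive notes before
# reusing it. Directive lines are the author's; only sndbuf/rcvbuf were corrected.


client
dev tun
resolv-retry 16
nobind
float
# NOTE(review): `float` lets the peer's source address/port change mid-session
# (NAT re-mappings). Per the manual a new address only takes over the session once
# its packets pass the normal authentication checks, so this is acceptable together
# with the `auth` HMAC and TLS settings further down.

# NOTE: Comment this out for Viscosity (https://cryptostorm.org/viewtopic.php?f=47&t=6132#p8631)!
# txqueuelen 686

# expanded packet queue plane, to improve throughput on high-capacity sessions

sndbuf 1655368
rcvbuf 1655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance
# FIX(review): the directive syntax is `sndbuf <bytes>` / `rcvbuf <bytes>`. The
# original lines read `sndbuf size 1655368` (the manpage placeholder copied
# literally), so the intended buffer size was never applied - or the option was
# rejected for having an extra parameter, depending on client version.


remote-random
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks
# NOTE(review): all five entries are the same service on UDP/443 under different
# TLDs; whichever name resolves, the peer must still present a certificate that
# chains to the inline CA below.


<connection>
remote linux-cryptofree.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-cryptofree.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-cryptofree.cryptokens.ca 443 udp
</connection>

<connection>
remote linux-cryptofree.cstorm.pw 443 udp
</connection>

<connection>
remote linux-cryptofree.cryptostorm.nu 443 udp
</connection>


comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - https://cryptostorm.org/viewtopic.php?f=38&t=5981
# NOTE(review): keep compression off - data-channel compression is what makes
# tunnelled traffic exposed to compression-oracle attacks (the VORACLE class).
# `comp-lzo` is the legacy spelling; newer clients use `compress` or omit it.

down-pre
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage

allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration

explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# NOTE(review): this is a courtesy exit message (UDP only) so the server can tear
# down the session state promptly instead of waiting for a timeout; the `3` is the
# number of resend attempts. It is not a MitM protection - the original comment
# overstated it.

hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400
# congruent with server-side --fragment directive

# don’t forget to create /etc/openvpn/password.txt with the word ‘nope’ on 1st & 2nd line
auth-user-pass password.txt
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet
# NOTE(review): the path is relative, so it resolves against the process working
# directory (or a `cd` directive / --cd), not automatically /etc/openvpn; start the
# client accordingly or use an absolute path. Keep the file mode 0600 - the client
# warns when a credentials file is group/other readable. The credentials are only
# sent after the server certificate has passed the CA and ns-cert-type checks.

# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.

#ca ca.crt
# specification & location of server-verification PKI materials
# for details, see http://pki.cryptostorm.org
# NOTE(review): decoding the inline block below shows a self-signed CA
# (issuer == subject, CN=cryptostorm_is, basicConstraints CA:TRUE, 2048-bit RSA,
# sha256WithRSA) with validity 2014-04-25 to 2017-12-22 UTC - check it with
# `openssl x509 -noout -text` and confirm it is still the CA in use before relying
# on this paste; an expired or rotated CA simply fails verification. With no
# `verify-x509-name`, any server-flagged certificate issued by this CA is accepted
# regardless of which remote name was dialled.

<ca>
-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
+vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
X03mQP3ssBs2YRNR5hR5cMdC
-----END CERTIFICATE-----

</ca>

ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.
# NOTE(review): this checks the legacy Netscape nsCertType extension; it is
# deprecated in OpenVPN 2.4 and removed in 2.5. The replacement is
# `remote-cert-tls server`, which checks keyUsage/extendedKeyUsage instead - but
# switching only works if the server certificate carries those extensions, so
# confirm with the operator before changing it. Without either check a client
# certificate from the same CA could impersonate the server.

auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently
# NOTE(review): CBC here is paired with the `auth SHA512` HMAC on the data
# channel. Clients from 2.4 on may negotiate an AEAD cipher (e.g. AES-256-GCM)
# with the server when both sides support cipher negotiation; this line is then
# only the fallback - verify the negotiated cipher in the client log.

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.org
# NOTE(review): pinning this single suite rules out TLS 1.2 AEAD/ECDHE suites, and
# with no `tls-version-min` the handshake may still settle on TLS 1.0 depending
# on client version and TLS library defaults. The forward-secrecy strength depends
# on the server's DH parameter size, which the client cannot see here. Consider
# `tls-version-min 1.2` once the server side is confirmed to support it.

tls-client
key-method 2
# NOTE(review): `key-method 2` selects the TLS-based key exchange (both peers send
# random key material over the TLS control channel). It has been the default since
# 2.0 and newer clients ignore or reject the directive; it is not an entropy-source
# setting as the original comment stated.

# log devnull.txt
# verb 5
# mute 1
# sets logging verbosity client-side, by default, to zero
# no logs kept locally of connections - this can be changed...
# if you'd like to see more details of connection initiation & negotiation
# NOTE(review): all three directives above are commented out, so they have no
# effect - the client runs at its default verbosity and logs to stdout/syslog
# according to how it is launched. Uncomment `log` with a path to redirect output;
# `verb 5` would increase detail, not reduce it.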