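# this is the cryptostorm.is client settings file, versioning...
# cstorm_mac_dynamic_1-4
# it is intended to provide connection solely to a dynamically loadbalanced pool of cs machines worldwide
# DNS resolver redundancy provided by TLD-striped, randomised lookup queries
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also... FuckTheNSA - for reals
# NOTE(review): several directives below (ns-cert-type, key-method, comp-lzo) are deprecated as of
# OpenVPN 2.4 and, as far as I recall, ns-cert-type and key-method were dropped in 2.5 - confirm
# against the OpenVPN version this profile is expected to run on
client
dev tun
resolv-retry 16
# seconds to keep retrying hostname resolution of the remotes listed below before giving up
nobind
float
# keep the session if the peer's source address/port changes (load-balanced pool); packets must
# still pass the data-channel HMAC configured by "auth" further down, so this is not an auth bypass
# NOTE: Comment this out for Viscosity (https://cryptostorm.org/viewtopic.php?f=47&t=6132#p8631)!
# txqueuelen 686
# expanded packet queue plane, to improve throughput on high-capacity sessions
sndbuf 1655368
rcvbuf 1655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance
# (previously written as "sndbuf size 1655368" / "rcvbuf size 1655368" - "size" is the manpage's
# placeholder for the argument, not an argument itself; each directive takes exactly one value)
remote-random
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks
<connection>
remote linux-cryptofree.cryptostorm.net 443 udp
</connection>
<connection>
remote linux-cryptofree.cryptostorm.org 443 udp
</connection>
<connection>
remote linux-cryptofree.cryptokens.ca 443 udp
</connection>
<connection>
remote linux-cryptofree.cstorm.pw 443 udp
</connection>
<connection>
remote linux-cryptofree.cryptostorm.nu 443 udp
</connection>
comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - https://cryptostorm.org/viewtopic.php?f=38&t=5981
# (compressing traffic before encryption is also a known information-leak vector, so "no" is the safer choice)
down-pre
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage
allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration
explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions
hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted
mssfix 1400
# congruent with server-side --fragment directive
# don’t forget to create /etc/openvpn/password.txt with the word ‘nope’ on 1st & 2nd line
auth-user-pass password.txt
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet
# NOTE(review): a relative path here is presumably resolved against OpenVPN's working directory
# (or --cd), while the comment above names /etc/openvpn - keep the two consistent; the file
# holds credentials in plaintext, so restrict it to the OpenVPN user (mode 0600)
# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.
#ca ca.crt
# specification & location of server-verification PKI materials
# for details, see http://pki.cryptostorm.org
# NOTE(review): the inline CA below appears to encode a validity window ending 22 Dec 2017
# (read from its notAfter field) - verify it still matches the CA the servers actually present
<ca>
-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
+vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
X03mQP3ssBs2YRNR5hR5cMdC
-----END CERTIFICATE-----
</ca>
ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.
# NOTE(review): deprecated in 2.4 in favour of "remote-cert-tls server", which checks keyUsage and
# the serverAuth extendedKeyUsage rather than nsCertType - only switch once the server
# certificates are confirmed to carry that EKU, otherwise every connection will fail verification
auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors
cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently
replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.org
# NOTE(review): no tls-auth / tls-crypt key is configured, so the control channel handshake itself
# is not HMAC-protected; if the server side provides a static key, adding it here is worthwhile
tls-client
key-method 2
# selects the data-channel key negotiation method; 2 (the default) derives the keys from the
# TLS session using the TLS PRF. It does not choose an entropy source.
# log devnull.txt
# verb 5
# mute 1
# sets logging verbosity client-side, by default, to zero
# no logs kept locally of connections - this can be changed...
# if you'd like to see more details of connection initiation & negotiation
# NOTE(review): if re-enabled, "log devnull.txt" writes to a regular file literally named
# devnull.txt rather than discarding output; use "log /dev/null" if the intent is no local log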