VPN exclusions for PC gaming


So, I'm toying with setting up VPN today on my new R1, and I want everything on my network except for a few things (video streaming from a couple of devices, and gaming -- primarily the last few CoDs and BF4 on my PC) to go over the VPN.

 

I'm pretty clear on how to exclude the video streaming, but I'm curious about the gaming: since neither of the listed games is Source-based, am I correct in assuming that I'd use the "advanced" feature to set the appropriate destination ports and protocols for each game, identical to those that need forwarding on a more typical router?

 

I.e., for CoD, I'd add the following as exceptions:

  • UDP: 3478
  • UDP: 4379-4380
  • TCP/UDP: 27000-27050, 3074

 

And, if I do this, do I need to disable the uPnP feature of the R1?

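For anyone wondering what a "destination port" exclusion actually does underneath, here is an added example (not Netduma's code, and not taken from the R1) of the standard Linux mechanism: packets matching the excluded ports get a firewall mark, and a policy-routing rule sends marked packets through a separate routing table whose default route is the physical uplink instead of the tunnel. It assumes a Linux router with tun0 as the VPN, eth0 as the WAN uplink, br-lan as the LAN bridge, and a hypothetical gateway address; the exclusion strings are the ones listed in the post above, and the commands are generated rather than executed so you can review them first.

```python
"""Port-based VPN bypass: from an exclusion list to fwmark routing rules.

Added illustration, not Netduma's code. Assumes a Linux router where the VPN
is tun0, the WAN uplink is eth0 (gateway WAN_GATEWAY, a hypothetical value),
the LAN bridge is br-lan, and the main routing table's default route already
points into the tunnel (the usual redirect-gateway setup).
"""
import re
from dataclasses import dataclass

# The exclusion list from the post, in the form it was written.
EXCLUSIONS = [
    "UDP: 3478",
    "UDP: 4379-4380",
    "TCP/UDP: 27000-27050, 3074",
]

# Constructed values for this example; substitute the real ones.
WAN_IF, LAN_IF, VPN_IF = "eth0", "br-lan", "tun0"
WAN_GATEWAY = "192.0.2.1"   # documentation address standing in for the ISP gateway
BYPASS_MARK = 0x1
BYPASS_TABLE = 100


@dataclass(frozen=True)
class PortRule:
    proto: str   # "tcp" or "udp"
    first: int   # first port of the range (inclusive)
    last: int    # last port of the range (inclusive)


def parse_exclusions(lines):
    """Parse 'PROTO[/PROTO]: port[-port][, port...]' lines into PortRules."""
    rules = []
    for line in lines:
        proto_part, sep, port_part = line.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in exclusion {line!r}")
        protos = [p.strip().lower() for p in proto_part.split("/")]
        for proto in protos:
            if proto not in ("tcp", "udp"):
                raise ValueError(f"unsupported protocol {proto!r} in {line!r}")
        for chunk in port_part.split(","):
            m = re.fullmatch(r"\s*(\d{1,5})(?:-(\d{1,5}))?\s*", chunk)
            if not m:
                raise ValueError(f"bad port spec {chunk!r} in {line!r}")
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            if not 1 <= first <= last <= 65535:
                raise ValueError(f"port range out of order or out of range: {chunk!r}")
            for proto in protos:
                rules.append(PortRule(proto, first, last))
    return rules


def is_excluded(rules, proto, port):
    """True if a packet with this protocol and port would be marked for bypass."""
    return any(r.proto == proto and r.first <= port <= r.last for r in rules)


def bypass_commands(rules):
    """Return the iptables/ip commands implementing the bypass (not executed)."""
    cmds = [
        # Marked packets consult a table whose default route is the physical uplink.
        f"ip rule add fwmark {BYPASS_MARK:#x} lookup {BYPASS_TABLE}",
        f"ip route add default via {WAN_GATEWAY} dev {WAN_IF} table {BYPASS_TABLE}",
        # Bypassed flows leave on eth0, so they need NAT there as well as on tun0.
        f"iptables -t nat -A POSTROUTING -o {WAN_IF} -j MASQUERADE",
        "iptables -t mangle -N VPN_BYPASS",
        f"iptables -t mangle -A PREROUTING -i {LAN_IF} -j VPN_BYPASS",
    ]
    for r in rules:
        ports = f"{r.first}:{r.last}" if r.first != r.last else str(r.first)
        # Destination port is the main match; matching the source port too
        # covers sessions where the game binds the same port locally.
        for direction in ("--dport", "--sport"):
            cmds.append(
                f"iptables -t mangle -A VPN_BYPASS -p {r.proto} {direction} {ports} "
                f"-j MARK --set-mark {BYPASS_MARK:#x}"
            )
    return cmds


if __name__ == "__main__":
    for cmd in bypass_commands(parse_exclusions(EXCLUSIONS)):
        print(cmd)
```

Two practical caveats: everything this matches leaves the router in the clear, so keep the port list limited to the game's own ports, and if the box runs strict reverse-path filtering (`rp_filter=1`) on eth0, replies to bypassed flows can be dropped until it is set to loose mode (`2`).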

Thanks, Crossy. 

 

As a first step, I'm just trying to get the VPN connected, but I'm repeatedly getting "Failed to connect" with no log output whatsoever (even if I comment out the log, verb, and mute statements from the config).

 

Could someone take a look?  It's Cryptostorm (cryptostorm.is), with any of their Linux configuration scripts (the one pasted here is the cstorm_linux_dynamic_1-4 config).  As instructed by cryptostorm, I've obtained a token, run it through the hashing, and am using it as my username, with a random string for the password (also as instructed).  I know it's weird; it's how cryptostorm authenticates users to maintain anonymity.

 

# this is the cryptostorm.is client settings file, versioning...
# cstorm_linux_dynamic_1-4.conf
# last update date: 12 January 2014

# it is intended to provide stochastic connection _and_ reconnection variability
# across both exitnode clusters _and_ nodes within clusters
# thus, maximum hardening against aggressive attack vectors
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also... FuckTheNSA - for reals. W00d!


client
dev tun
resolv-retry 16
nobind
persist-tun
persist-key
float

txqueuelen 686
# expanded packet queue plane, to improve throughput on high-capacity sessions

sndbuf 1655368
rcvbuf 1655368
# note: these directives take a single numeric argument ("size" in the man page is a placeholder,
# not part of the syntax); the original file had "sndbuf size 1655368", which OpenVPN does not accept
# increase pre-ring packet buffering cache, to improve high-throughput session performance

remote-random
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks

# iceland cluster
<connection>
remote linux-iceland.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-iceland.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-iceland.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-iceland.cstorm.pw 443 udp
</connection>


# Frankfurt cluster
<connection>
remote linux-frankfurt.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-frankfurt.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-frankfurt.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-frankfurt.cstorm.pw 443 udp
</connection>


# Montreal cluster
<connection>
remote linux-montreal.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-montreal.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-montreal.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-montreal.cstorm.pw 443 udp
</connection>


# Lisbon (Portugal) cluster
<connection>
remote linux-lisbon.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-lisbon.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-lisbon.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-lisbon.cstorm.pw 443 udp
</connection>


# Seattle / US west cluster
<connection>
remote linux-uswest.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-uswest.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-uswest.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-uswest.cstorm.pw 443 udp
</connection>


# US midwest cluster
<connection>
remote linux-uscentral.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-uscentral.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-uscentral.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-uscentral.cstorm.pw 443 udp
</connection>


# London (England) cluster
<connection>
remote linux-london.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-london.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-london.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-london.cstorm.pw 443 udp
</connection>


# Paris (France) cluster
<connection>
remote linux-paris.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-paris.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-paris.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-paris.cstorm.pw 443 udp
</connection>



comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - https://cryptostorm.org/viewtopic.php?f=38&t=5981

down-pre
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage

allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration

explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions

hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400
# congruent with server-side --fragment directive

auth-user-pass
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet

# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.

ca ca.crt
# specification & location of server-verification PKI materials
# for details, see http://pki.cryptostorm.org

<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>

ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.

auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.org

tls-client
key-method 2
# selects the version-2 TLS key negotiation method for the data channel keys
# (the only method in current OpenVPN releases); credentials travel inside the TLS control channel

log devnull.txt
verb 0
mute 1
# sets logging verbosity client-side, by default, to zero
# no logs kept locally of connections - this can be changed...
# if you'd like to see more details of connection initiation & negotiation
 


Leaving the above there, in case anyone else needs help:  I started tweaking the script, and I found that commenting out the "explicit-exit-notify 3" line allowed me to connect.  Netduma folks, think there might be a possibility of supporting the explicit-exit-notify statement in the future? (Or know why the current implementation of OpenVPN on the R1 doesn't play nicely with that statement as written?)


  • Administrators


Good find on that fix, Iain will have to chime in on that, I'll direct him to this when he's available :)


  • Administrators

Hi Mcl,

 

Sorry was away, in the next version of the router we automatically look for commands that are not available and remove them so the user doesn't have to be aware of it :)

 

The exclusion is more for PCs because they run multiple programs at once; all traffic on the console is related to the game, so the exception is not that useful for consoles. I'd recommend just switching off the console to make sure it bypasses the VPN mate :)

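The "look for commands that are not available and remove them" behaviour Iain mentions can be demonstrated in a few lines. The following is an added example, not Netduma's or OpenVPN's code: it takes the option names from `openvpn --help`-style output (the excerpt here is constructed in that shape and deliberately omits explicit-exit-notify, to mirror this thread), parses a config while treating inline `<tag>...</tag>` blocks as single units, and strips any directive the build does not list. The sample config is a constructed excerpt of the one posted above.

```python
"""Strip OpenVPN directives that a particular build does not support.

Added illustration of the behaviour described in the thread; not Netduma's
or OpenVPN's code. Assumes the supported set is derived from the device's
own `openvpn --help` output, whose option lines start with `--name`.
"""
import re

# Constructed excerpt in the shape of `openvpn --help`; explicit-exit-notify is
# intentionally absent so the pruner has something to remove.
HELP_EXCERPT = """\
General Options:
--config file   : Read configuration options from file.
--client        : Helper option to easily configure client mode.
--dev tunX|tapX|null : tun/tap device (X can be omitted for dynamic device.)
--remote host [port] : Remote host name or ip address.
--remote-random : If multiple --remote options specified, choose one randomly.
--nobind        : Do not bind to local address and port.
--persist-tun   : Keep tun/tap device open across SIGUSR1 or --ping-restart.
--auth-user-pass [up] : Authenticate with server using username/password.
--verb n        : Set output verbosity to n (default=1):
"""

# Constructed excerpt of the config posted in the thread.
SAMPLE_CONFIG = """\
client
dev tun
nobind
persist-tun
remote-random
# iceland cluster
<connection>
remote linux-iceland.cryptostorm.net 443 udp
</connection>

explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
auth-user-pass
verb 0
"""

# Block tags that only exist in inline form and so never appear in --help
# (assumption for this example; extend if your build lists more).
INLINE_ONLY_TAGS = {"connection"}

_OPTION_RE = re.compile(r"^--([A-Za-z0-9_-]+)")
_OPEN_TAG_RE = re.compile(r"^<([A-Za-z0-9_-]+)>$")


def supported_from_help(help_text):
    """Collect option names from `openvpn --help`-style output."""
    names = set()
    for line in help_text.splitlines():
        m = _OPTION_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names | INLINE_ONLY_TAGS


def prune_unsupported(config_text, supported):
    """Return (pruned_text, removed); removed lists (line_no, directive).

    Inline blocks such as <connection>...</connection> are kept or dropped as
    one unit named after their tag; their bodies are passed through verbatim.
    Blank and comment lines are kept. An unclosed block is an error rather
    than something to guess about.
    """
    kept, removed = [], []
    lines = config_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            kept.append(line)
            i += 1
            continue
        m = _OPEN_TAG_RE.match(stripped)
        if m:
            tag = m.group(1)
            end = i
            while end < len(lines) and lines[end].strip() != f"</{tag}>":
                end += 1
            if end == len(lines):
                raise ValueError(f"line {i + 1}: <{tag}> is never closed")
            if tag in supported:
                kept.extend(lines[i:end + 1])
            else:
                removed.append((i + 1, tag))
            i = end + 1
            continue
        # "--verb 0" and "verb 0" name the same option in a config file.
        name = stripped.split()[0].lstrip("-")
        if name in supported:
            kept.append(line)
        else:
            removed.append((i + 1, name))
        i += 1
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    text, gone = prune_unsupported(SAMPLE_CONFIG, supported_from_help(HELP_EXCERPT))
    for line_no, name in gone:
        print(f"removed line {line_no}: {name}")
    print(text)
```

Running it removes line 11 (`explicit-exit-notify 3`) and keeps everything else, including the `<connection>` block. The one design choice worth noting is that removal is reported rather than silent, so a user whose config lost a directive (here a shutdown-notification setting) can see exactly what changed.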


Thanks Iain!  The exclusions I was discussing were for PC. :)  I grew up before using thumbs to play consoles was a thing; as such, I stick to keyboard/mouse on my PC (though I do have a XIM3, I still prefer PC).


  • Administrators

Ahhh ok got it mate, yeah if we don't do DPI for your game let us know and we'll look into adding it. But in the meantime use the destination port for the game and (just to keep it simple use source port as well) :)


Will do!  I've got it working and have spent the last two days -- with what little playtime I could manage -- fine tuning the georestriction and rating the various servers I wind up on.  It's amazing... I no longer end up in lobbies with a bunch of people I used to, who routinely were so lagged that there was no way to kill them unless I got REALLY lucky.  I still run into one or two people, or servers, who seem to have decent ping but must have horrible jitter, because they're still one-shotting me after I empty half a magazine into them, but now they're the exception rather than the rule.

 

I love this router!
