
Geo-filter Ping going through VPN even with exception enabled



  • Administrators

Oh, I'm not suggesting replacing the names with the MACs.  I'd just like to see the MACs as well as the IPs in the Edit section of Device Manager, so it's easier to know which device is which when faced with a screenful of unnamed devices.

 

While we're at it, it'd also be nice if the screen didn't refresh and change hosts while I'm in the middle of editing the handle/quality on a host in the Host Filtering page.  It does it routinely, and screws up my host filtering.  Highlighting on the map the host you're currently pinging/editing would also be helpful, in case it does change, so you can go back to the one you were interrupted from working with, too. :)

 

Yeah, as an added bonus :)  Oh, I've never had that issue. Are you using IE by any chance? Chrome/Firefox is recommended and may fix that issue. Yeah, that's a nice little feature; highlighting would be cool!


Hm.  It seems in my Host Filtering geo-filter, whenever my VPN is enabled, the ping is going through my VPN rather than through the hybrid.  Prior to my problems today, this was working fine (i.e., geo-filter pings going out over the Internet, even when my VPN was enabled).  Now, however, they're all going through my VPN.  Did I break the hybrid somehow?

 

My VPN configuration hasn't changed, by the way.

 

EDIT: The weird thing, too, is that the geo-filtering still seems to work; it's just that the ping of the hosts is 300ms and up, which is clearly wrong because the same hosts ping at 20-40ms when I turn off the VPN.

 

It'd be a shame if this is "as intended", because it makes the hybrid VPN solution useless with geo-filtering, since we can't accurately rate hosts.



 

Nope, I'm using the latest Firefox on Win 8.1.

 

Speaking of highlighting, adding the handle of the host you're hovering over in the allow/deny slider at the bottom would be awesome.


  • Administrators


 

Just a thought: turn off auto ping and see if that refreshing issue goes away. Redoing the Allow and Deny is something we have been planning on doing; having this would definitely be a good addition.


I'll give it a shot.

 

 

After having to do a factory reset after every time I made a change to my VPN config file (I've done 5 factory resets today, including having to change the LAN subnet each time, rename all my devices, redo the congestion control, and lose all my host ratings from the geo-filter), I'm really, really wanting a way to disable the VPN outside of the VPN page itself.  Or have it not dependent on the network so I can turn it off when something's not working right.

 

Also, it'd be great if there were some easy way to skip the forced tour that occurs after a factory reset, since having gone through it five times now just today, it's really rather unnecessary.

 

It's also somewhat frustrating, because the only change I'm making to the VPN config file is commenting out one or more servers to change the list of servers I'm using.  Yet, whenever I hit Apply, I always get "Unable to communicate with the router", and if I ever reload the page, I just get "VPN" and the pulsating progress bar forever.  And since at that point I have no networking and can't turn the VPN off (it doesn't matter anyway, since once I start getting "Unable to communicate with router", unchecking the "enable" box and hitting Apply does nothing), I'm forced to do a factory reset just to get networking back.  My wife and daughter have been very forgiving of not having network all day because I've been fighting with this.

 

At this point, I'm either going to have to live with the fact that certain programs won't work right through the VPN (including the geofilter ping), or give up on trying to use VPN with the R1.  Which is also frustrating since I just paid for 3 months of service.


Yup, tried that.  Once I start getting "unable to communicate with router", unticking enable and clicking apply just generates the same error.  And a reboot just gives me the endless progress bar under VPN without access to any of the VPN settings.


  • Administrators


 

So disabling anti-virus etc. did nothing? Okay, just as an alternative test: if you make a free Hide My Ass account and then use the basic part of the VPN, do these issues still persist?


  • Administrators

I'll test that this evening and let you know.

 

Okay, great. I'm going to move the support part of this thread to somewhere more relevant, to keep your original suggestions as the main focus :)


 

It's all one config.  Here's what I'm using:

 

# this is the cryptostorm.is client settings file, versioning...
# cstorm_linux_dynamic_1-4.conf
# last update date: 12 January 2014

# it is intended to provide stochastic connection _and_ reconnection variability
# across both exitnode clusters _and_ nodes within clusters
# thus, maximum hardening against aggressive attack vectors
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also... FuckTheNSA - for reals. W00d!

client
dev tun
resolv-retry 16
nobind
persist-tun
persist-key
float

txqueuelen 686
# expanded packet queue plane, to improve throughput on high-capacity sessions

sndbuf 1655368
rcvbuf 1655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance
# (as posted, these two lines read "sndbuf size 1655368" / "rcvbuf size 1655368";
# "size" is the placeholder word from the OpenVPN manual, and OpenVPN rejects the
# extra argument as an options error. Corrected here to the one-argument form.)

remote-random
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks

# iceland cluster
<connection>
remote linux-iceland.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-iceland.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-iceland.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-iceland.cstorm.pw 443 udp
</connection>

# Frankfurt cluster
<connection>
remote linux-frankfurt.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-frankfurt.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-frankfurt.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-frankfurt.cstorm.pw 443 udp
</connection>

# Montreal cluster
<connection>
remote linux-montreal.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-montreal.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-montreal.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-montreal.cstorm.pw 443 udp
</connection>

# Lisbon (Portugal) cluster
<connection>
remote linux-lisbon.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-lisbon.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-lisbon.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-lisbon.cstorm.pw 443 udp
</connection>

# Seattle / US west cluster
<connection>
remote linux-uswest.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-uswest.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-uswest.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-uswest.cstorm.pw 443 udp
</connection>

# US midwest cluster
<connection>
remote linux-uscentral.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-uscentral.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-uscentral.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-uscentral.cstorm.pw 443 udp
</connection>

# London (England) cluster
<connection>
remote linux-london.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-london.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-london.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-london.cstorm.pw 443 udp
</connection>

# Paris (France) cluster
<connection>
remote linux-paris.cryptostorm.net 443 udp
</connection>

<connection>
remote linux-paris.cryptostorm.org 443 udp
</connection>

<connection>
remote linux-paris.cryptostorm.nu 443 udp
</connection>

<connection>
remote linux-paris.cstorm.pw 443 udp
</connection>

comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - https://cryptostorm.org/viewtopic.php?f=38&t=5981

down-pre
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage

allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration

#explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions

hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400
# congruent with server-side --fragment directive

auth-user-pass
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet

# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.

ca ca.crt
# specification & location of server-verification PKI materials
# for details, see http://pki.cryptostorm.org
# (the inline <ca> block that follows supersedes this file reference; OpenVPN uses
# whichever "ca" setting comes last, so no ca.crt file is needed on disk)

<ca>

-----BEGIN CERTIFICATE-----

MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD

VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK

FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx

ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG

CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3

MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR

QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM

aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx

FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt

aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB

AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu

mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v

vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS

Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm

+vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA

cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z

L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw

USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI

TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5

cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy

eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv

cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB

AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay

IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/

inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH

o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ

gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn

X03mQP3ssBs2YRNR5hR5cMdC

-----END CERTIFICATE-----

</ca>

ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.

auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.org

tls-client
key-method 2
# specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap

log devnull.txt
verb 0
mute 1
# sets logging verbosity client-side, by default, to zero
# no logs kept locally of connections - this can be changed...
# if you'd like to see more details of connection initiation & negotiation

 

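The profile above is the cryptostorm OpenVPN client config the poster edits by hand before every Apply. As posted it carries `sndbuf size 1655368` and `rcvbuf size 1655368`, where "size" is the placeholder word from the OpenVPN manual; OpenVPN refuses a profile with that extra argument as an options error. Whether that is what the router choked on, the thread does not establish. The checker below is an added example, not code from this thread, from Netduma or from cryptostorm: it tokenises a profile the way OpenVPN does (one directive per line, `#`/`;` comment lines, `<tag>...</tag>` inline blocks), checks argument counts for the directives this profile uses (the ARITY table is my own reading of the OpenVPN 2.3 manual and covers only those directives), lists the remotes inside `<connection>` blocks, and comments out whole blocks by substring, which is the edit the poster describes making. The embedded sample profile is constructed for the example, with a placeholder in place of the CA certificate.

```python
"""OpenVPN client-profile checker (added example; ARITY table and SAMPLE are mine)."""
import re
import shlex
from typing import Dict, List, Tuple

# (min, max) argument counts per the OpenVPN 2.3 manual, only for the directives
# the quoted profile uses; anything else is reported as unchecked, not as an error.
ARITY: Dict[str, Tuple[int, int]] = {
    "client": (0, 0), "dev": (1, 1), "resolv-retry": (1, 1), "nobind": (0, 0),
    "persist-tun": (0, 0), "persist-key": (0, 0), "float": (0, 0),
    "txqueuelen": (1, 1), "sndbuf": (1, 1), "rcvbuf": (1, 1),
    "remote-random": (0, 0), "remote": (1, 3), "comp-lzo": (0, 1),
    "down-pre": (0, 0), "allow-pull-fqdn": (0, 0), "explicit-exit-notify": (0, 1),
    "hand-window": (1, 1), "mssfix": (0, 1), "auth-user-pass": (0, 1),
    "auth-retry": (1, 1), "ca": (1, 1), "ns-cert-type": (1, 1), "auth": (1, 1),
    "cipher": (1, 1), "replay-window": (1, 2), "tls-cipher": (1, 1),
    "tls-client": (0, 0), "key-method": (1, 1), "log": (1, 1), "verb": (1, 1),
    "mute": (1, 1),
}
Directive = Tuple[int, List[str]]      # (line number, tokens)
Block = Tuple[int, str, List[str]]     # (line number of <tag>, tag, body lines)


def parse(text: str) -> Tuple[List[Directive], List[Block], List[str]]:
    """Split a profile into top-level directives and <tag>...</tag> blocks."""
    directives, blocks, errors = [], [], []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        lineno, s = i + 1, lines[i].strip()
        i += 1
        if not s or s[0] in "#;":            # comment or blank line
            continue
        m = re.fullmatch(r"<([a-z-]+)>", s)
        if m:                                 # inline block: gather until </tag>
            tag, body = m.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i])
                i += 1
            if i == len(lines):
                errors.append(f"error: line {lineno}: unterminated <{tag}> block")
                break
            i += 1                            # skip the closing tag
            blocks.append((lineno, tag, body))
            continue
        try:                                  # quoted arguments behave as in OpenVPN
            directives.append((lineno, shlex.split(s, comments=False)))
        except ValueError as exc:
            errors.append(f"error: line {lineno}: {exc}")
    return directives, blocks, errors


def _check(lineno: int, toks: List[str]) -> List[str]:
    name, nargs = toks[0], len(toks) - 1
    if name not in ARITY:
        return [f"warn: line {lineno}: '{name}' is not in the checked set"]
    lo, hi = ARITY[name]
    if not lo <= nargs <= hi:
        return [f"error: line {lineno}: '{name}' takes {lo}..{hi} argument(s), "
                f"got {nargs}: {' '.join(toks)}"]
    return []


def lint(text: str) -> List[str]:
    """'error:' findings mean OpenVPN would reject the profile; 'warn:' are advisory."""
    directives, blocks, findings = parse(text)
    for lineno, toks in directives:
        findings += _check(lineno, toks)
        if toks[0] == "ns-cert-type":
            findings.append(f"warn: line {lineno}: ns-cert-type is deprecated; newer "
                            "OpenVPN wants 'remote-cert-tls server'")
        if toks == ["auth-user-pass"]:
            findings.append(f"warn: line {lineno}: auth-user-pass without a file prompts "
                            "interactively; a headless host needs a credentials file")
    for lineno, tag, body in blocks:
        if tag == "connection":               # body is a mini-profile of its own
            inner, _, errs = parse("\n".join(body))
            findings += errs
            for off, toks in inner:
                findings += _check(lineno + off, toks)
        elif tag == "ca":
            pem = "\n".join(body).strip()
            if not (pem.startswith("-----BEGIN CERTIFICATE-----")
                    and pem.endswith("-----END CERTIFICATE-----")):
                findings.append(f"error: line {lineno}: <ca> body is not a PEM certificate")
        else:
            findings.append(f"warn: line {lineno}: unchecked inline block <{tag}>")
    return findings


def errors(text: str) -> List[str]:
    return [f for f in lint(text) if f.startswith("error:")]


def remotes(text: str) -> List[str]:
    """Hostnames of every active 'remote', top level or inside <connection>."""
    directives, blocks, _ = parse(text)
    hosts = [t[1] for _, t in directives if t[0] == "remote" and len(t) > 1]
    for _, tag, body in blocks:
        if tag == "connection":
            hosts += [t[1] for _, t in parse("\n".join(body))[0]
                      if t[0] == "remote" and len(t) > 1]
    return hosts


_CONN = re.compile(r"^<connection>\n.*?^</connection>$", re.S | re.M)


def comment_out_cluster(text: str, needle: str) -> str:
    """Comment out every <connection> block containing `needle` (e.g. a cluster name)."""
    def repl(m: "re.Match[str]") -> str:
        if needle not in m.group(0):
            return m.group(0)
        return "\n".join("# " + line for line in m.group(0).splitlines())
    return _CONN.sub(repl, text)


# Constructed sample modelled on the quoted profile; the certificate is a placeholder.
SAMPLE = """\
# constructed sample, not the real cryptostorm file
client
dev tun
resolv-retry 16
nobind
persist-tun
persist-key
float
txqueuelen 686
sndbuf size 1655368
rcvbuf size 1655368
remote-random
# iceland cluster
<connection>
remote linux-iceland.cryptostorm.net 443 udp
</connection>
# Frankfurt cluster
<connection>
remote linux-frankfurt.cryptostorm.net 443 udp
</connection>
comp-lzo no
down-pre
hand-window 37
mssfix 1400
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate
-----END CERTIFICATE-----
</ca>
ns-cert-type server
auth SHA512
cipher AES-256-CBC
replay-window 128 30
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-client
key-method 2
verb 0
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    print("remotes:", remotes(SAMPLE))
    print("after dropping Frankfurt:", remotes(comment_out_cluster(SAMPLE, "frankfurt")))
```

Run against the sample, `errors()` reports exactly the two `size` lines and nothing else; strip the stray word and the profile lints clean, and commenting a cluster out with `comment_out_cluster()` keeps it clean while the remote list shrinks. Running the poster's real file through `lint()` before each Apply is the cheap check that separates a profile OpenVPN cannot parse from a router-side fault.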


 

Hm.  I can't find any free account for hidemyass.  At best, there's 1 month for $9.99.  Do you have a link?


  • Administrators

They used to do a free version, but it seems like they've stopped that now! I spoke with Iain about this issue; we didn't expect people to use the Geo-filter ping when using exceptions, so it only outputs the ping from the VPN, not what it is through the exception.


In that case, I'd like to suggest that when a host is VPN-enabled on the router, and that host is also selected at the top of the host filtering page, the pings go out separately from the VPN. Particularly as you're aiming for a VPN hybrid that does the right thing automatically.


  • Administrators

That is a good suggestion. I believe when I spoke to Iain he said that it may not be possible due to the way it's been implemented. However, I will try to get clarification on this, as it would be good to do.
