Cryptostorm VPN Integration For Whonix?

Hello,

This post is a companion to a similar offer made on the Qubes mailing list a few minutes ago.

A recent study has revealed 14 of the top VPN providers are vulnerable to leaks via IPv6 as well as DNS.

Cryptostorm has been researching VPN service providers for a while and additional failure modes observed include VPN client binary blobs that install adware, key loggers, trojans, etc. The details down to the level of traffic captures from the offending services are found at this Cryptostorm project site:

http://cleanvpn.org

Cryptostorm’s offering is fundamentally different from every other provider out there. Specifically:

Zero Customer Knowledge VPN - buy a token, hash it, the hash is your username, your password can be anything. Bitcoin is just one of a number of purchase paths. Cryptostorm doesn't need to make dramatic vows about not logging its users - the system can't, as it never has your identity. The hash is impossible to reverse, this provides additional protection since it's impossible to derive the original token from it.

Adversary Resistant Networking - the Cryptostorm client, an open piece of Perl code, was modified to interdict the webrtc/STUN public IP address leak within days after this became public.

https://cryptostorm.org/viewtopic.php?t=8549

Recently, malware analysis experts Kaspersky reported that they faced a six month battle to eject espionage-ware from their network, identifying the effort as Duqu Bet, with Bet being the second letter in the Hebrew alphabet, a not so subtle slap at the Israeli government, whom they believe to be behind the campaign.

Cryptostorm has had direct experience with Duqu Bet and from that have developed NIC parameter and sysctl hardening that interdict some of the midpoint injection methods used. This is still in the process of being included in the client side configuration, but it is an example of the attention to detail Cryptostorm provides above and beyond the simple transport of packets.

Cryptostorm offers a free rate limited service which can be found at http://cryptofree.me - this service provides 256k symmetric capacity and mixes the free customers in with the paid customers of a busy node. It is felt that this serves several purposes, providing a no-cost means to evaluate the product, as well as supporting users in developing countries who need an alternative to Tor for whatever reason. You can examine the free service by using this config file:

We would like to hear from someone at Whonix regarding the following:

  1. We want to share the particulars of the NIC and sysctl hardening being used, and what specific threats this eliminates, with an eye on this being included in Whonix.

  2. We've been wrestling with bringing Whonix gateway up to a version of OpenVPN that works with Cryptostorm and this has been challenging for someone who has a good bit of unix background. We'd like to see Whonix ship with a more recent version of OpenVPN/OpenSSL, and some simple instructions for a wget of the config file for the free service. We realize Whonix is all volunteer, we can probably do most of the work, we just need to be connected to the right person within the Whonix team.

I am happy to answer questions from other Adversary Resistant Computing efforts such as Qubes, TAILS, etc - we’d love to see Cryptostorm Zero Customer Knowledge VPN service bundled with all of them, and we’re hoping given the recent negative attention on other providers that we can stampede a portion of the market into not simply vowing that they don’t log, but instead using methods similar to ours, which eliminates that possibility entirely.
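The "buy a token, hash it, the hash is your username" scheme described above, worked through as an added example. This is not Cryptostorm's code; the concrete choices (random 32-byte hex tokens, hex SHA-512 as the username, the password ignored, the server holding nothing but a set of valid hashes) are assumptions made for illustration. The block also shows the limit of the "impossible to reverse" property: a hash only hides a token that has enough entropy, so a short or guessable token is recovered from its hash by anyone who holds the server's hash list.

```python
import hashlib
import itertools
import secrets
import string

# Added example; not Cryptostorm's implementation. Assumptions:
#   - a token is a random hex string minted by the provider ahead of sale,
#   - the OpenVPN username is hex(SHA-512(token)), the password is ignored,
#   - the VPN server stores only the set of valid username hashes.
TOKEN_BYTES = 32  # 256 bits of entropy: exhaustive search is infeasible


def token_to_username(token):
    """Client side: derive the login name from the purchased token."""
    return hashlib.sha512(token.encode()).hexdigest()


def mint_token():
    """Provider side, ahead of sale: mint a token and the hash the VPN server
    will hold. Only the hash reaches the VPN server; the token goes to the buyer."""
    token = secrets.token_hex(TOKEN_BYTES)
    return token, token_to_username(token)


class TokenServer:
    """A VPN authentication backend that stores hashes only, never tokens."""

    def __init__(self):
        self.valid_hashes = set()

    def load(self, username_hash):
        self.valid_hashes.add(username_hash)

    def authenticate(self, username, password):
        # The password is not used. The username must be a known hash; the
        # server never sees the token, so it cannot record it either.
        return username in self.valid_hashes


def brute_force(username_hash, alphabet, length):
    """What a party holding the hash list can do when tokens are short:
    hash every candidate until one matches. Returns the token or None."""
    for cand in itertools.product(alphabet, repeat=length):
        token = "".join(cand)
        if token_to_username(token) == username_hash:
            return token
    return None


if __name__ == "__main__":
    token, h = mint_token()
    server = TokenServer()
    server.load(h)
    print("login accepted:", server.authenticate(token_to_username(token), "anything"))
    # A 4-digit token (constructed example) falls to at most 10**4 guesses.
    print("recovered short token:", brute_force(token_to_username("4217"), string.digits, 4))
```

Two things the code makes visible that the description alone does not. First, the hash buys unlinkability only if the purchase path does not record which token went to which buyer; if it does, the purchase record and the hash list together identify the login, hash or no hash. Second, the "cannot reverse" claim is an entropy claim: with 32 random bytes it holds, with a short token it does not, which is the rainbow-table point raised later in this thread.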

As a general feedback, your post looks too much like an advertisement for a commercial service.

[hr]

What about VPN-Firewall like approach?

Would it address these issues equally well?
Want to contribute to that project?

[hr]

Can you implement this feature? https://phabricator.whonix.org/T158

[hr]

1. We want to share the particulars of the NIC
Please elaborate.
and sysctl hardening being used, and what specific threats this eliminates, with an eye on this being included in Whonix.
Please post a commented /etc/sysctl.d/ snippet. Preferably on git. Preferably on github.
2. We've been wrestling with bringing Whonix gateway up to a version of OpenVPN that works with Cryptostorm and this has been challenging for someone who has a good bit of unix background.
Figured out how to do this on Debian wheezy, that is very similar to Whonix 10 already? Then you probably also figured out how to do it with Whonix? [Whonix 11 will be based on Debian jessie.]
We'd like to see Whonix ship with a more recent version of OpenVPN/OpenSSL,
What versions?
and some simple instructions for a wget of the config file for the free service.
Wget isn't the most secure choice. But who knows. Maybe we can host this in Whonix wiki or if this is something good we ship the config file for the user to copy.
we'd love to see Cryptostorm Zero Customer Knowledge VPN service bundled with all of them
(I am not considering this yet...)

What does this entail? Only a config file? Some perl program? Is it Free/Libre Software?

[hr]

Have you considered to contribute your patches upstream to Debian? Because then those would flow down to all the downstream distributions such as Whonix, Tails, Ubuntu, Mint and other Debian based distribution.

Lots of good stuff there, I will try to explain one by one.

The need for a “VPN firewall”, which I read as fail closed VPN, is something I have personally spent a lot of time exploring.

The first time I solved for this was after I did some reading on Whonix. I have need to do things that Tor can't touch, so I built something similar to the gateway, only it used NAT, terminated at cstorm, and there was no default route, just some /32s for various cstorm concentrators. I installed Tor on the gateway, made SOCKS5 service available to workstations, for some work the client VMs had a default route, for other stuff no route, do everything through Tor.

If I were asked to construct a fail closed solution for Whonix as it stands today, I would make sure OpenVPN 2.3.6 were included in the gateway, right now I think the OVA ships with 2.2.1, and it’s not compatible with current Cryptostorm config practice. I would ship a working install of Cryptofree, the 256kb symmetric free service, with clear instructions on how to activate it, and how to upgrade if needed. This will work for other VPN providers as they start to use the zero customer knowledge process Cryptostorm has.

I spent maybe six or eight hours one day, wrestling with getting Cryptofree running on the gateway, I had everything done except how to mod the iptables setup, wrote up the instructions, and then I managed to step on that file when cleaning house about a week ago.

re: getting it going on Whonix, I needed to make modifications to the gateway, there wasn’t a smooth path to getting it to load files from other locations, and cut/paste doesn’t work under VirtualBox because the needed extensions are not included. I finally ended up pulling what I needed to the workstation, using python -m SimpleHTTPServer to provide a way to move the files over.

I think wget would be fine in this instance - all we’re talking about is a single text file for OpenVPN, 151 lines total only 67 lines of actual config, easy to verify. The only other things needed are OpenVPN in the 2.3.x series and the OpenSSL to support it.

Some of the friction is that I’m new to Whonix, I’m sure I went the long way round getting it running.

Whonix is a Libre Software distro not a platform for advertising third party commercial services. For that reason alone I do not think it should be included in Whonix as a default. You can go cut a deal with Windows OEMs for that sort of arrangement, but don’t expect Privacy projects, with their goals and moral obligations to cater to your business.

If you depend on some newer version of OpenVPN, you will have to wait for it to come into Debian Stable, just like everyone else.

Whonix-Gateway has a VPN-Firewall feature already by the way:

I haven't understood why a VPN-Firewall Libre Software solution isn't a perfect solution to this problem. And you didn't answer my questions.

The required VBox guest additions are installed by default in recent Whonix versions. Clipboard copy and paste into Whonix VBox (and other virtualizers) VMs is fully functional. For VirtualBox, you just need to set it to bidirectional, which is documented here:
https://www.whonix.org/wiki/VirtualBox_Guest_Additions#Clipboard_Sharing

I am not sure, if there are any unsolvable issues with advertising commercial services from within privacy projects. As long as it’s fair… As long as it’s Libre Software… The definition of Libre Software explicitly allows money involvement. As long there are no artificial restrictions… I could imagine having some optional, non-intrusive wizard that eases setup of a commercial provider. Explains that it’s an advertisement, allows for alternative providers and whatnot. It’s a bit theoretical though. There probably won’t be any generous offers by commercial services anytime soon that make this worthwhile to even consider. (Consider for example the flashplugin-nonfree package from the nonfree Debian repository. Imagine Debian would only maintain the package, if paid some sum, I guess that would still be fair? Taking money from a commercial vendor for a service while not doing anything evil.)

I am not sure, if there are any unsolvable issues with advertising commercial services from within privacy projects. As long as it's fair... As long as it's Libre Software... The definition of Libre Software explicitly allows money involvement.

Sure. Let me qualify my earlier statement.

(Consider for example the flashplugin-nonfree package from the nonfree Debian repository. Imagine Debian would only maintain the package, if paid some sum, I guess that would still be fair? Taking money from a commercial vendor for a service while not doing anything evil.)

That's not the same as promoting non-free network services that could have detrimental effect on a user's privacy. For example The Tor Project allowing Mozilla Firefox's in-browser advertisements in Tor Browser to make some money would be "permitted" under the GPL but the tracking would be catastrophic for users.

Endorsing VPN providers, when we know what an utter failure this model is for providing real anonymity or even the “privacy” they all claim, is saying to users that we think VPNs are safe to use - They are not and cannot. The CS Papers published on the topic and the anecdotal evidence floating on the web show this entire industry are snake-oil peddlers. All it takes is access to their servers with or without their consent and people’s lives are ruined.

That's not the same as promoting non-free network services that could have detrimental effect on a user's privacy.
You mean non-Free or non-gratis? For me, non-Free is a deal breaker, non-gratis is not.

In comparison to the current flashplugin-nonfree package, they’re currently not promoting it? Not mentioning it in a default installation.

but the tracking would be catastrophic for users.
Yes.
Endorsing VPN providers, when we know what an utter failure this model is for providing real anonymity or even the "privacy" they all claim, is saying to users that we think VPNs are safe to use - They are not and cannot. The CS Papers published on the topic and the anecdotal evidence floating on the web show this entire industry are snake-oil peddlers. All it takes is access to their servers with or without their consent and people's lives are ruined.
Sure, it would have to be very fairly documented what we believe they can accomplish and what not. For example, for simple circumvention (not strong hiding) of censored Tor entries or websites blocking Tor, VPNs are still usable.

By the way, please feel free to add some VPN threat analysis if we don't already have it in documentation. Such as the paper you mention, we could quote some essential conclusions and link it. I am not sure where it fits best. All needs to be restructured anyhow. (https://phabricator.whonix.org/T125)
Maybe some page linked here:
Features, Advantages, Use Cases - Whonix
Or:
TorPlusVPN · Wiki · Legacy / Trac · GitLab
Or:
Whonix versus Proxies

By non-Free I mean non-Libre. Their client AND server components should be published under a Free license to qualify as Libre. Who Does That Server Really Serve? - GNU Project - Free Software Foundation

Sure, it would have to be very fairly documented what we believe they can accomplish and what not. For example, for simple circumvention (not strong hiding) of censored Tor entries or websites blocking Tor, VPNs are still usable.

Yes.

By the way, please feel free to add some VPN threat analysis if we don't already have it in documentation. Such as the paper you mention, we could quote some essential conclusions and link it. I am not sure where it fits best. All needs to be restructured anyhow.

Here's the paper:

Tell me if there are specific things in there you want quoted besides what I’m planning to add.

Cryptostorm publishes the source for their client and the server side configuration - they fully meet the Libre/auditable requirement. The github account is a Byzantine maze though, fair warning in advance.

Cryptostorm runs Cryptofree - 256kbit symmetric service, free of charge. This is good for people who want to try things before they spend any money, and for an activist in a developing country, where $5 to $7/month is a lot of money, this provides enough capacity that they can mix in with their better funded western counterparts.

If you visit the Cryptostorm forums you’ll find a small community of really sharp people who are doing bleeding edge work on identifying and mitigating network threats.

http://cryptostorm.org

So Cryptostorm is Libre to the core, it’s Gratis for those who truly need to do things and don’t have a budget, it has a sensible revenue model, which Tor & I2P lack, and it solves for anonymity at the purchase level, permitting zero customer knowledge use of the network by those who are paying.

There are some VPN providers that offer low speed Gratis service, there are some that permit purchase by bitcoin or other relatively anonymous methods, but I don’t think any of them offer the same level of anonymity that comes with a zero customer knowledge configuration, and this is the only VPN provider I know of that is performing and publishing research on new threats.

Cryptostorm is not right for every situation, but neither are Tor nor I2P. We have long been aware of the faults of providers who require root privilege for binary blobs, now it looks like the world is waking up to it as well. We’re expecting to see Cryptostorm clones spring up, as the reality of zero customer knowledge VPNs spreads. The others claim they don’t log, Cryptostorm simply can’t, and that is a very good thing.

I created a killswitch account on Phabricator, researching & documenting configs is something I can do.

@killswitch please continue to shill for your service while not acknowledging the systemic flaws in using VPNs for security.

So Cryptostorm is Libre to the core, it's Gratis for those who truly need to do things and don't have a budget, it has a sensible revenue model, which Tor & I2P lack, and it solves for anonymity at the purchase level, permitting zero customer knowledge use of the network by those who are paying.

I would hardly call a few configuration files "open to the core". There is nothing sensible about charging for a privacy/anonymity service. Not only does it make it out of reach for those who need it the most but the financial paper trail is dangerous for users. There is no such thing as "zero customer knowledge use": anyone sitting on your network can do traffic analysis and deanonymize the source of a certain stream of packets. Vanilla SSL does not protect against website fingerprinting - a simple attack that a large network adversary can pull off without even accessing your network. VPNs are a single point of failure that harm users with their false sense of security. They are only relevant to the conversation in a very narrow usecase and IMO ineffectively so.

There are some VPN providers that offer low speed Gratis service, there are some that permit purchase by bitcoin or other relatively anonymous methods, but I don't think any of them offer the same level of anonymity that comes with a zero customer knowledge configuration, and this is the only VPN provider I know of that is performing and publishing research on new threats.

You and Joe Blow VPN cannot provide the anonymity or privacy guarantees you claim. I just explained why. Unlike the poor bastards that are happy to pay you to MITM their internet traffic, no one here believes your false claims. Take them somewhere else.

killswitch, note, I am unsure if something useful is coming out of this discussion. (Besides HulaHoop going to edit documentation, which was triggered as a welcome byproduct of this discussion.) Not sure we speak the same language, have compatible motivation. You triggered both, my and HulaHoop's increased caution. Whonix is a privacy conscious Libre Software. There is no margin for messing up. Just mentioning, so you don't complain about futile effort later. Mainly, I am not convinced, why VPN-Firewall isn't the more suited solution to this issue.

Cryptostorm publishes the source for their client and the server side configuration
What about the server side code? Just OpenVPN + your config or do you also have a custom server program?

[quote="killswitch, post:11, topic:1195"]
[quote author=Patrick link=topic=1383.msg8829#msg8829 date=1436043407]
Can you implement this feature? https://phabricator.whonix.org/T158
[/quote]

I created a killswitch account on Phabricator, researching & documenting configs is something I can do.
[/quote]

But can you implement that ticket?

killswitch’s spamvertisement, inspired me to write a blog post.

I didn’t link to this thread because I don’t want to give his service publicity of any kind.

What about the server side code? Just OpenVPN + your config or do you also have a custom server program?

The server side code is out there, the developers expect that at some point the industry is going to have an epiphany, and a lot of them are going to have to switch to zero customer knowledge. That will be counted as a win, as validation, and confirmation that an industry that needed disruption has been changed. A flock of competitors appearing would be just fine.

How would an outsider, short of intruding, ever know what was running on the server side? I know that the logging stuff server side is disabled, the people who run those systems want to be able to just shrug if someone asks for logs. This is as much a protection for the operator as the subscriber; given the unknowable status of internal code, the subscriber has to lean on the zero customer knowledge attribute to ensure their safety.

Can you implement this feature? https://phabricator.whonix.org/T158

I created a killswitch account on Phabricator, researching & documenting configs is something I can do.

The two things I want to accomplish with Whonix are:

  1. OpenVPN behaves on gateway so those running with type 2 hypervisor solutions don’t have to depend on the host OS for fine grained control of routing. Working with any OpenVPN provider would be fine, there are several other use cases besides Cryptostorm.

  2. gateway/workstation behave under Qubes. I’ve done the install, thought it needed a lot of polish, and I see that the person leading that has stepped away.

I just read the details for T158. I had never considered the need for a post-Tor TCP OpenVPN for Tor exit ban evasion, but that is something that could be done with both Cryptofree and Cryptostorm. The Cryptostorm exits are occasionally subject to bans, there is someone who contacts site operators when this happens, and I am told they have a good track record for clearing up misunderstandings.

So yes, I would be interested in T158, but I have a learning curve to climb in terms of Whonix construction work before I can help.

@killswitch don't VPNs in general have no fail-closed mechanism, and also aren't they affected by identity correlation? A few years ago I asked Patrick about VPNs and elite proxies and chained elite proxies, this was in the old SourceForge forum. Anyway this is what he replied with:

"In summary, I believe all solutions, i.e. multi hop VPNs, elite proxy chains and so on are less safe than Tor. Some quick thoughts:
While VPNs prevent leaks by forcing the whole operating system through it, it fails open. (Unless Fail Closed Mechanism is used.) And they are affected by identity correlation. (see Whonix download | SourceForge.net to get an idea what I mean by identity correlation)"

Here's where Patrick and I talked about it: Whonix download | SourceForge.net

I don't believe Killswitch is qualified to be a spokesperson for CryptoStorm. I am a Cryptostorm customer myself and I chose them because they operate like no other VPN on the market. They are an intelligent bunch of folks and are careful in the language they use to describe their services and expectations.

They even admit that their system is not perfect and even detail theoretical attacks an adversary may use. One such example would be using rainbow tables of tokens and their hashes to potentially correlate a specific user, should they even get as far as identifying the hash.

There is no need for integration. Whonix’s primary focus is on Privacy and Anonymity. Some people’s lives literally depend on this! It would be foolish; both Patrick and HulaHoop are correct in saying that there is limited use and/or benefit to using a VPN.

I use it to hide the fact I am using Tor from my ISP. Using iptables it is possible to have a fail closed setup and I do wholeheartedly believe in the CryptoStorm network.

One thing I would like to say is that HulaHoop is using general assumptions and does not seem to have done any research on CryptoStorm specifically. They are not advertising multi hop magic or that this be the end all be all. They describe in detail how they work and let you decide if they are a good fit for your particular situation.

Lastly, to re-iterate Whonix should not IMO “integrate” with any commercial VPN service! There is plenty of documentation and resources available to implement a VPN yourself should you choose to.
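The fail-closed ("VPN-Firewall") gateway that several posts in this thread describe in words, i.e. killswitch's NAT gateway with no default route and only /32 routes to the VPN concentrators, and the iptables fail-closed setup mentioned in the post just above, written out as an added example. It is neither Whonix's VPN-Firewall code nor a Cryptostorm configuration; the interface names, the LAN range and the VPN endpoint 203.0.113.10:443/udp are placeholders chosen for this example. The design point is that the physical uplink may carry nothing except the tunnel's own packets, all other traffic (the gateway's and the workstation LAN's) must leave via tun0, and IPv6 is dropped outright so it cannot become the leak path the study cited at the top of the thread describes.

```sh
#!/bin/sh
# Added example (not Whonix's VPN-Firewall, not Cryptostorm's config): a
# fail-closed iptables ruleset for a VPN gateway VM. If the tunnel is down,
# nothing reaches the internet; there is no fallback to the bare uplink.
#
# All addresses, interface names and the endpoint below are placeholders.
VPN_HOST="203.0.113.10"    # concentrator as an IP, so no DNS is needed before tun0 exists
VPN_PORT="443"
VPN_PROTO="udp"
WAN_IF="eth0"              # physical uplink of the gateway VM
VPN_IF="tun0"              # OpenVPN interface
LAN_IF="eth1"              # internal network towards the workstation VM(s)
LAN_NET="10.152.152.0/24"

vpn_fail_closed_rules() {
    # Emits the rules as shell commands. Inspect the output, then pipe it
    # into "sh -e" as root to apply it.
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p $VPN_PROTO -d $VPN_HOST --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
EOF
}

# Checks the generated ruleset without touching the kernel: default policies
# must drop, the only ACCEPT leaving the uplink must be the tunnel endpoint,
# and no FORWARD rule may point at the uplink. Prints "ok" on success.
check_rules() {
    rules=$(vpn_fail_closed_rules)
    printf '%s\n' "$rules" | grep -q -- "-P OUTPUT DROP" || return 1
    printf '%s\n' "$rules" | grep -q -- "-P FORWARD DROP" || return 1
    if printf '%s\n' "$rules" | grep -- "-o $WAN_IF" \
        | grep -v -- "-d $VPN_HOST --dport $VPN_PORT" | grep -q ACCEPT; then
        return 1
    fi
    if printf '%s\n' "$rules" | grep -- "^iptables -A FORWARD" | grep -q -- "-o $WAN_IF"; then
        return 1
    fi
    echo ok
}

case "${1:-}" in
    apply) vpn_fail_closed_rules | sh -e ;;
    check) check_rules ;;
    *)     vpn_fail_closed_rules ;;
esac
```

Pair it with an OpenVPN client config whose `remote` line names the same IP, protocol and port as `VPN_HOST`/`VPN_PROTO`/`VPN_PORT` (so the handshake matches the single hole in the OUTPUT chain) and `redirect-gateway def1`, or, as killswitch did, no default route at all and only /32 routes to the concentrators. Run `sh vpnfw.sh check` after editing the variables; the checker is deliberately conservative and fails if any ACCEPT on the uplink is not the tunnel endpoint. What this does not do: it does not hide the fact that you are talking to the VPN endpoint, and it does nothing about the traffic-analysis and single-point-of-failure objections raised earlier in the thread; it only removes the fail-open and IPv6/DNS-bypass leak classes.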

[quote=“killswitch, post:10, topic:1195”]Cryptostorm publishes the source for their client and the server side configuration - they fully meet the Libre/auditable requirement. The github account is a Byzantine maze though, fair warning in advance.

Cryptostorm runs Cryptofree - 256kbit symmetric service, free of charge. This is good for people who want to try things before they spend any money, and for an activist in a developing country, where $5 to $7/month is a lot of money, this provides enough capacity that they can mix in with their better funded western counterparts.

If you visit the Cryptostorm forums you’ll find a small community of really sharp people who are doing bleeding edge work on identifying and mitigating network threats.

http://cryptostorm.org

So Cryptostorm is Libre to the core, it’s Gratis for those who truly need to do things and don’t have a budget, it has a sensible revenue model, which Tor & I2P lack, and it solves for anonymity at the purchase level, permitting zero customer knowledge use of the network by those who are paying.

There are some VPN providers that offer low speed Gratis service, there are some that permit purchase by bitcoin or other relatively anonymous methods, but I don’t think any of them offer the same level of anonymity that comes with a zero customer knowledge configuration, and this is the only VPN provider I know of that is performing and publishing research on new threats.

Cryptostorm is not right for every situation, but neither are Tor nor I2P. We have long been aware of the faults of providers who require root privilege for binary blobs, now it looks like the world is waking up to it as well. We’re expecting to see Cryptostorm clones spring up, as the reality of zero customer knowledge VPNs spreads. The others claim they don’t log, Cryptostorm simply can’t, and that is a very good thing.[/quote]

At the end you said Cryptostorm can't log our activity. How?