Add Sweden

ecc/CS-ECC-sweden_tcp.ovpn

@@ -0,0 +1,112 @@
+client
+dev tun
+# "If hostname resolve fails for --remote, retry resolve for 16 seconds
+#  before failing."
+resolv-retry 16
+# "Require that peer certificate was signed with an explicit key usage
+# and extended key usage based on RFC3280 TLS rules. This is a useful
+# security option for clients, to ensure that the host they connect to
+# is a designated server. This is an important security precaution to
+# protect against a man-in-the-middle attack where an authorized client
+# attempts to connect to another client by impersonating the server.
+# The attack is easily prevented by having clients verify the server
+# certificate using any one of --remote-cert-tls, --verify-x509-name,
+# or --tls-verify."
+remote-cert-tls server
+# Even though the hostname below says "windows", the configuration for
+# these ECC instances are actually cross-platform. It was just easier
+# to reuse the DNS used by the Windows instances since the ECC instances 
+# are on port 5060 of all of the Windows instance IPs.
+remote windows-sweden.cryptostorm.nu 5060 tcp
+# "LZ4 generally offers the best performance with least CPU usage"
+compress lz4
+# "Call --down cmd/script before, rather than after, TUN/TAP close."
+# No down cmd/script is used in this configuration, but most Debian
+# users will be adding the /etc/openvpn/update-resolv-conf up/down
+# script so OpenVPN can properly update the DNS.
+down-pre
+# Increase --verb for more verbosity, 0 to disable.
+verb 4
+# "Log at most 3 consecutive messages in the same category"
+# Helps prevent the logs or STDOUT from getting flooded with the same
+# messages.
+mute 3
+# Not doing "auth SHA512" for ECC instances, because:
+# "If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth 
+# algorithm is ignored for the data channel, and the authentication 
+# method of the AEAD cipher is used instead."
+# These instances use --cipher AES-256-GCM, so even if --auth is 
+# specified, it would be ignored.
+#
+# Uncomment the below line to enable --auth-nocache
+#auth-nocache
+# "If specified, this directive will cause OpenVPN to immediately 
+# forget username/password inputs after they are used".
+# We're not enabling it by default because, for users that are inputting
+# their token using standard input, it can be annoying because OpenVPN
+# will constantly ask them for their token on every TLS renegotiation.
+# For those providing a file to --auth-user-pass (to skip the user/pass 
+# prompt), --auth-nocache doesn't prompt the user since the user/pass
+# is loaded from a file.
+auth-user-pass
+# "256 bit key, 128 bit block". The best available at the moment.
+# GCM chosen instead of CBC because in our tests it shows better 
+# performance.
+cipher AES-256-GCM
+# TLS version 1.2 is the only version allowed, to prevent downgrade 
+# attacks.
+tls-version-min 1.2
+tls-version-max 1.2
+# Elliptic curve Diffie-Hellman + Elliptic Curve Digital Signature Algorithm
+# with AES-256-GCM-SHA384, used to encrypt the control channel.
+# The most secure available at the moment. Again, GCM chosen instead of
+# CBC because in our tests it outperformed CBC.
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
+tls-client
+# CA certificate, using the signature algorithm ecdsa-with-SHA512,
+# and prime256v1 to provide a 256 bit EC public key.
+# "a 256-bit elliptic curve public key should provide comparable 
+# security to a 3072-bit RSA public key".
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIBszCCAVigAwIBAgIJALumkoBwGuApMAoGCCqGSM49BAMEMBkxFzAVBgNVBAMM
+DmNyeXB0b3N0b3JtIENBMB4XDTE4MDIyMjE5Mjc1NloXDTM4MDIyMjE5Mjc1Nlow
+GTEXMBUGA1UEAwwOY3J5cHRvc3Rvcm0gQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAATAkRZNfbXjbs6LE1zkFlmnvamGgFNuuTUMidN1qrB1Uho39qxuRzzWYKAC
+7flSU9vdIF9Wu0SoXxbx68ZStl/Uo4GIMIGFMB0GA1UdDgQWBBQ+CMOnCKZq7SzJ
+qpc1o2atGx9RUjBJBgNVHSMEQjBAgBQ+CMOnCKZq7SzJqpc1o2atGx9RUqEdpBsw
+GTEXMBUGA1UEAwwOY3J5cHRvc3Rvcm0gQ0GCCQC7ppKAcBrgKTAMBgNVHRMEBTAD
+AQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANJADBGAiEApPF2CAqMD4bHdOkG
+vg3HMUwmcAfWoEnMMT8lm6n8JeoCIQCv9GORxdibasrHSZnSjlbOtLOWhbOlmz46
+dVugiAfKSA==
+-----END CERTIFICATE-----
+</ca>
+# "Encrypt and authenticate all control channel packets with the key".
+# "Encrypting (and authenticating) control channel packets:
+#   provides more privacy by hiding the certificate used for the TLS connection,
+#   makes it harder to identify OpenVPN traffic as such,
+#   provides "poor-man's" post-quantum security"
+<tls-crypt>
+-----BEGIN OpenVPN Static key V1-----
+4875d729589689955012a2ee77f180ec
+b815c4a336c719c11241a058dafaae00
+806bbc21d5f1abad085341a3fca4b4f9
+3949151c2979b4ee4390e8d9443acb00
+61d537f1e9157e45f542c3648f563305
+05f3eaff97ef82ee063b9d88bb9d5aa0
+060428455b51a2a4fd929d9af4b94adc
+b0a4acaa14ff62a9b0f4f9f0b3f01e71
+fc98a6c60e8584f4deb3de793a5a7bc2
+7014c9369f9724bc810ef0d191b30204
+78eead725b3ae6aaef2e1030a197e417
+421f159ed54eb2629afcfb337cf9a002
+5bf1d5c0d820fffb219d0b4214043d2d
+f27ed367b522945a5dadc748e2ca379e
+3971789dbdf609b3d9bfe866361b28e3
+c90589baa925157ad833093a5a7bede5
+-----END OpenVPN Static key V1-----
+</tls-crypt>
+# uncomment the line below to enable TrackerSmacker,
+# our DNS-based intrusive ad/tracker blocking service
+#dhcp-option DNS 10.31.33.7
+

ecc/CS-ECC-sweden_udp.ovpn

@@ -0,0 +1,116 @@
+client
+dev tun
+# "If hostname resolve fails for --remote, retry resolve for 16 seconds
+#  before failing."
+resolv-retry 16
+# "send server an exit notification if tunnel is restarted or OpenVPN
+# process is exited". This informs our server that the session has 
+# ended, which is necessary to decrease the session counter.
+explicit-exit-notify 3
+# "Require that peer certificate was signed with an explicit key usage
+# and extended key usage based on RFC3280 TLS rules. This is a useful
+# security option for clients, to ensure that the host they connect to
+# is a designated server. This is an important security precaution to
+# protect against a man-in-the-middle attack where an authorized client
+# attempts to connect to another client by impersonating the server.
+# The attack is easily prevented by having clients verify the server
+# certificate using any one of --remote-cert-tls, --verify-x509-name,
+# or --tls-verify."
+remote-cert-tls server
+# Even though the hostname below says "windows", the configuration for
+# these ECC instances are actually cross-platform. It was just easier
+# to reuse the DNS used by the Windows instances since the ECC instances 
+# are on port 5060 of all of the Windows instance IPs.
+remote windows-sweden.cryptostorm.nu 5060 udp
+# "LZ4 generally offers the best performance with least CPU usage"
+compress lz4
+# "Call --down cmd/script before, rather than after, TUN/TAP close."
+# No down cmd/script is used in this configuration, but most Debian
+# users will be adding the /etc/openvpn/update-resolv-conf up/down
+# script so OpenVPN can properly update the DNS.
+down-pre
+# Increase --verb for more verbosity, 0 to disable.
+verb 4
+# "Log at most 3 consecutive messages in the same category"
+# Helps prevent the logs or STDOUT from getting flooded with the same
+# messages.
+mute 3
+# Not doing "auth SHA512" for ECC instances, because:
+# "If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth 
+# algorithm is ignored for the data channel, and the authentication 
+# method of the AEAD cipher is used instead."
+# These instances use --cipher AES-256-GCM, so even if --auth is 
+# specified, it would be ignored.
+#
+# Uncomment the below line to enable --auth-nocache
+#auth-nocache
+# "If specified, this directive will cause OpenVPN to immediately 
+# forget username/password inputs after they are used".
+# We're not enabling it by default because, for users that are inputting
+# their token using standard input, it can be annoying because OpenVPN
+# will constantly ask them for their token on every TLS renegotiation.
+# For those providing a file to --auth-user-pass (to skip the user/pass 
+# prompt), --auth-nocache doesn't prompt the user since the user/pass
+# is loaded from a file.
+auth-user-pass
+# "256 bit key, 128 bit block". The best available at the moment.
+# GCM chosen instead of CBC because in our tests it shows better 
+# performance.
+cipher AES-256-GCM
+# TLS version 1.2 is the only version allowed, to prevent downgrade 
+# attacks.
+tls-version-min 1.2
+tls-version-max 1.2
+# Elliptic curve Diffie-Hellman + Elliptic Curve Digital Signature Algorithm
+# with AES-256-GCM-SHA384, used to encrypt the control channel.
+# The most secure available at the moment. Again, GCM chosen instead of
+# CBC because in our tests it outperformed CBC.
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
+tls-client
+# CA certificate, using the signature algorithm ecdsa-with-SHA512,
+# and prime256v1 to provide a 256 bit EC public key.
+# "a 256-bit elliptic curve public key should provide comparable 
+# security to a 3072-bit RSA public key".
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIBszCCAVigAwIBAgIJALumkoBwGuApMAoGCCqGSM49BAMEMBkxFzAVBgNVBAMM
+DmNyeXB0b3N0b3JtIENBMB4XDTE4MDIyMjE5Mjc1NloXDTM4MDIyMjE5Mjc1Nlow
+GTEXMBUGA1UEAwwOY3J5cHRvc3Rvcm0gQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAATAkRZNfbXjbs6LE1zkFlmnvamGgFNuuTUMidN1qrB1Uho39qxuRzzWYKAC
+7flSU9vdIF9Wu0SoXxbx68ZStl/Uo4GIMIGFMB0GA1UdDgQWBBQ+CMOnCKZq7SzJ
+qpc1o2atGx9RUjBJBgNVHSMEQjBAgBQ+CMOnCKZq7SzJqpc1o2atGx9RUqEdpBsw
+GTEXMBUGA1UEAwwOY3J5cHRvc3Rvcm0gQ0GCCQC7ppKAcBrgKTAMBgNVHRMEBTAD
+AQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANJADBGAiEApPF2CAqMD4bHdOkG
+vg3HMUwmcAfWoEnMMT8lm6n8JeoCIQCv9GORxdibasrHSZnSjlbOtLOWhbOlmz46
+dVugiAfKSA==
+-----END CERTIFICATE-----
+</ca>
+# "Encrypt and authenticate all control channel packets with the key".
+# "Encrypting (and authenticating) control channel packets:
+#   provides more privacy by hiding the certificate used for the TLS connection,
+#   makes it harder to identify OpenVPN traffic as such,
+#   provides "poor-man's" post-quantum security"
+<tls-crypt>
+-----BEGIN OpenVPN Static key V1-----
+4875d729589689955012a2ee77f180ec
+b815c4a336c719c11241a058dafaae00
+806bbc21d5f1abad085341a3fca4b4f9
+3949151c2979b4ee4390e8d9443acb00
+61d537f1e9157e45f542c3648f563305
+05f3eaff97ef82ee063b9d88bb9d5aa0
+060428455b51a2a4fd929d9af4b94adc
+b0a4acaa14ff62a9b0f4f9f0b3f01e71
+fc98a6c60e8584f4deb3de793a5a7bc2
+7014c9369f9724bc810ef0d191b30204
+78eead725b3ae6aaef2e1030a197e417
+421f159ed54eb2629afcfb337cf9a002
+5bf1d5c0d820fffb219d0b4214043d2d
+f27ed367b522945a5dadc748e2ca379e
+3971789dbdf609b3d9bfe866361b28e3
+c90589baa925157ad833093a5a7bede5
+-----END OpenVPN Static key V1-----
+</tls-crypt>
+# uncomment the line below to enable TrackerSmacker,
+# our DNS-based intrusive ad/tracker blocking service
+#dhcp-option DNS 10.31.33.7
+

linux/cstorm_linux-sweden_tcp.ovpn

@@ -0,0 +1,62 @@
+client
+dev tun
+#randomly select a node from the list below, for redundancy against DNS blacklisting-based session blocking attacks.
+#see https://openvpn.net/archive/openvpn-users/2004-12/msg00055.html
+resolv-retry 16
+remote-random
+remote linux-sweden.cryptostorm.net 443 tcp
+remote linux-sweden.cryptostorm.nu 443 tcp
+remote linux-sweden.cryptostorm.org 443 tcp
+remote linux-sweden.cstorm.pw 443 tcp
+nobind
+comp-lzo
+down-pre
+reneg-sec 0
+hand-window 17
+verb 4
+mute 3
+auth-user-pass
+ns-cert-type server
+auth SHA512
+cipher AES-256-CBC
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
+tls-client
+key-method 2
+ca ca.crt
+# specification & location of server-verification PKI materials
+# for details, see https://cryptostorm.org/pki
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIFIDCCBAigAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
+VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
+FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
+ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
+CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMCAXDTE3MTIxNjA3
+NTk0MloYDzIwNjcxMjE2MDc1OTQyWjCBujELMAkGA1UEBhMCQ0ExCzAJBgNVBAgT
+AlFDMREwDwYDVQQHEwhNb250cmVhbDE2MDQGA1UEChQtS2F0YW5hIEhvbGRpbmdz
+IExpbWl0ZSAvICBjcnlwdG9zdG9ybV9kYXJrbmV0MREwDwYDVQQLEwhUZWNoIE9w
+czEXMBUGA1UEAxQOY3J5cHRvc3Rvcm1faXMxJzAlBgkqhkiG9w0BCQEWGGNlcnRh
+ZG1pbkBjcnlwdG9zdG9ybS5pczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMlo5Jghf+yb7j86QKDIA9gH9U+MOj1gFz7POcobF3UXx8CR6py4+kY0LEwE
+s66YuwF3Et1Haymkrxy72RjHqD58FRC1KGg6PzhDr6foXgOpuOweUvBTLS6WR5Ba
+TW+8oqSkFWIZUWxnk4N1npxonZRjYLjU4AJNB1uUKpp5uwtC+n9UYpNZ2H1SwZDc
+tpJNzG3Q+ySqkaJYRR44YbeYoTQpbK/G3o7H2Kz1BsNck5h2SVBo9f3JS4gjTcaP
+fGb6+Lqra/MPlXKY55MzKTLsZ5q1t3ZTjn0vDO7+D7xXoRCXyq9atcRJf9ldm80b
+xABw5dTiS00E6hm3CzpPOSelAXcCAwEAAaOCASMwggEfMAwGA1UdEwQFMAMBAf8w
+HQYDVR0OBBYEFDhY4fdfMy+L0fMdat75Kep6cFElMIHvBgNVHSMEgecwgeSAFDhY
+4fdfMy+L0fMdat75Kep6cFEloYHApIG9MIG6MQswCQYDVQQGEwJDQTELMAkGA1UE
+CBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQKFC1LYXRhbmEgSG9sZGlu
+Z3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQxETAPBgNVBAsTCFRlY2gg
+T3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUGCSqGSIb3DQEJARYYY2Vy
+dGFkbWluQGNyeXB0b3N0b3JtLmlzggkAp6SkZfFe+FswDQYJKoZIhvcNAQELBQAD
+ggEBABrPLmFpugICgUKyJ+6q5h8ZKfoV3S0RtTfrwtobNSFf7H4ZQvCXF2bOuhyc
+g00ffreEGZN2uwtiLh38ncB/BFhHfgkITfTe88m08pJ45PkrpeBfrFbZ+ckXVhV/
+aCnUKkIZgmCNKnn1RIbUt4mzTzggwtN3GamoTzSWqSwCEO9Ig1AJKi5Ms/5Awtdz
+nr95qaqI0ih0NGnfC/yIGYvt1Yay0hCil3jIUT9Ogdw6DW6RqUdJaPrwm58fTwIR
+U33KzBqGs8r3UEIMWXuIGc6eXOm2Br08iFgOsUPGqp1ulvD52pFH1o1vT21v3aXl
+D9Ier/83JLMnBGctT1Kzs9OP/U0=
+-----END CERTIFICATE-----
+</ca>
+# uncomment the line below to enable TrackerSmacker,
+# our DNS-based intrusive ad/tracker blocking service
+#dhcp-option DNS 10.31.33.7

linux/cstorm_linux-sweden_udp.ovpn

@@ -0,0 +1,64 @@
+client
+dev tun
+#randomly select a node from the list below, for redundancy against DNS blacklisting-based session blocking attacks.
+#see https://openvpn.net/archive/openvpn-users/2004-12/msg00055.html
+resolv-retry 16
+remote-random
+remote linux-sweden.cryptostorm.net 443 udp
+remote linux-sweden.cryptostorm.nu 443 udp
+remote linux-sweden.cryptostorm.org 443 udp
+remote linux-sweden.cstorm.pw 443 udp
+explicit-exit-notify 3
+mssfix 1400
+nobind
+comp-lzo
+down-pre
+reneg-sec 0
+hand-window 17
+verb 4
+mute 3
+auth-user-pass
+ns-cert-type server
+auth SHA512
+cipher AES-256-CBC
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
+tls-client
+key-method 2
+ca ca.crt
+# specification & location of server-verification PKI materials
+# for details, see https://cryptostorm.org/pki
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIFIDCCBAigAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
+VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
+FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
+ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
+CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMCAXDTE3MTIxNjA3
+NTk0MloYDzIwNjcxMjE2MDc1OTQyWjCBujELMAkGA1UEBhMCQ0ExCzAJBgNVBAgT
+AlFDMREwDwYDVQQHEwhNb250cmVhbDE2MDQGA1UEChQtS2F0YW5hIEhvbGRpbmdz
+IExpbWl0ZSAvICBjcnlwdG9zdG9ybV9kYXJrbmV0MREwDwYDVQQLEwhUZWNoIE9w
+czEXMBUGA1UEAxQOY3J5cHRvc3Rvcm1faXMxJzAlBgkqhkiG9w0BCQEWGGNlcnRh
+ZG1pbkBjcnlwdG9zdG9ybS5pczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMlo5Jghf+yb7j86QKDIA9gH9U+MOj1gFz7POcobF3UXx8CR6py4+kY0LEwE
+s66YuwF3Et1Haymkrxy72RjHqD58FRC1KGg6PzhDr6foXgOpuOweUvBTLS6WR5Ba
+TW+8oqSkFWIZUWxnk4N1npxonZRjYLjU4AJNB1uUKpp5uwtC+n9UYpNZ2H1SwZDc
+tpJNzG3Q+ySqkaJYRR44YbeYoTQpbK/G3o7H2Kz1BsNck5h2SVBo9f3JS4gjTcaP
+fGb6+Lqra/MPlXKY55MzKTLsZ5q1t3ZTjn0vDO7+D7xXoRCXyq9atcRJf9ldm80b
+xABw5dTiS00E6hm3CzpPOSelAXcCAwEAAaOCASMwggEfMAwGA1UdEwQFMAMBAf8w
+HQYDVR0OBBYEFDhY4fdfMy+L0fMdat75Kep6cFElMIHvBgNVHSMEgecwgeSAFDhY
+4fdfMy+L0fMdat75Kep6cFEloYHApIG9MIG6MQswCQYDVQQGEwJDQTELMAkGA1UE
+CBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQKFC1LYXRhbmEgSG9sZGlu
+Z3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQxETAPBgNVBAsTCFRlY2gg
+T3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUGCSqGSIb3DQEJARYYY2Vy
+dGFkbWluQGNyeXB0b3N0b3JtLmlzggkAp6SkZfFe+FswDQYJKoZIhvcNAQELBQAD
+ggEBABrPLmFpugICgUKyJ+6q5h8ZKfoV3S0RtTfrwtobNSFf7H4ZQvCXF2bOuhyc
+g00ffreEGZN2uwtiLh38ncB/BFhHfgkITfTe88m08pJ45PkrpeBfrFbZ+ckXVhV/
+aCnUKkIZgmCNKnn1RIbUt4mzTzggwtN3GamoTzSWqSwCEO9Ig1AJKi5Ms/5Awtdz
+nr95qaqI0ih0NGnfC/yIGYvt1Yay0hCil3jIUT9Ogdw6DW6RqUdJaPrwm58fTwIR
+U33KzBqGs8r3UEIMWXuIGc6eXOm2Br08iFgOsUPGqp1ulvD52pFH1o1vT21v3aXl
+D9Ier/83JLMnBGctT1Kzs9OP/U0=
+-----END CERTIFICATE-----
+</ca>
+# uncomment the line below to enable TrackerSmacker,
+# our DNS-based intrusive ad/tracker blocking service
+#dhcp-option DNS 10.31.33.7