The VPN provider for the truly paranoid
PGP Key Details
- Cryptostorm key
- 81FB A951 ACBC FB44 9F15 C971 8B8C EE72 4220 E582
Frequently Asked Questions
Will cryptostorm make me 100% secure/anonymous?
No, a VPN is not an “all-in-one” solution for online security or privacy. Actually, there is no such thing as an “all-in-one” solution. A VPN is simply one of the many tools that can help you obtain a higher level of online security/anonymity. Other things that should be in your toolkit: Tor and/or I2P, compartmentalization, another VPN, good OPSEC, and some common sense.
Can’t I just run my own VPN inside a VPS?
Sure, but you would be missing out on two important things. First, with you being the only person connecting to that VPN, it wouldn’t be difficult to figure out that traffic leaving that VPS belongs to you. With our servers, there are many other clients connected generating their own traffic, so you basically get “lost in the mix” (which also means plausible deniability). Second, some of our staff members have over 20 years’ experience with VPNs and internet security/privacy. While it is a lot easier these days to spin up a VPS loaded with OpenVPN and similar software, it’s also easy to misconfigure that software in ways that might compromise your security or privacy. Also, a VPS is only as secure as the system actually hosting the VM. If you really want to DIY, we recommend not using a VPS at all and instead getting a dedicated server. oneprovider.com and kimsufi.com often have 1Gbps dedicated servers in Paris and Amsterdam for as low as $5-$10/month.
Do you log?
Every VPN provider has to log something, be it for their website or their actual VPN service, and we’re no exception. The difference between our log policies and our competitor’s is that we openly share exactly what’s being logged and why, all described at https://cryptostorm.is/privacy. In short, while we do have some logs for security reasons, we don’t keep any logs that can be used to identify a customer, such as when they connect, or where they connect from, or where they’re connecting to. See the aforementioned link for all the technical details.
Do I have to use your ‘widget’ program if I’m on Windows?
Nope. Our ‘widget’ is mostly just a GUI frontend for OpenVPN, so you could instead use OpenVPN GUI if you want; instructions are at https://cryptostorm.is/windows#ovpngui (just ignore/cancel the automatic widget download popup).
However, our ‘widget’ does also include some other things OpenVPN GUI doesn’t have, like DNSCrypt to protect the pre-connect DNS, a killswitch, and some built-in obfuscation options.
Where are your servers located? / How many servers do you have?
There’s a map on the main page, at https://cryptostorm.is/#smap, and a more detailed list at https://cryptostorm.is/uptime that includes the actual number of dedicated servers, since the map doesn’t show which ones are clusters.
How many IPs do you have?
The exact number is listed at https://cryptostorm.is/#section4 in the right column, bottom section.
Do you have a free trial?
We do have a free service described at https://cryptostorm.is/cryptofree.
Where is the cryptostorm HQ located?
We have no central HQ. Our business entities are in several regions, with others as backups in case one entity gets pressured by any government or law enforcement agency. To make things more difficult for those who would try to shut us down, we keep the locations of these entities private.
Would you hand over customer data or start logging if law enforcement asks?
No, we have no data to hand over. Our decentralized business structure and our privacy-friendly choices for the regions our entities were incorporated in prevent any courts from executing a subpoena that would have us hand over data or start logging data. If the laws in those regions changed, we would dissolve that entity and switch to one of the backups in another region. Our staff members don’t reside in any of those regions, so law enforcement can’t prosecute our staff members for non-compliance with such a court order.
Keep in mind though, it is possible for law enforcement to request data from one of our payment providers (PayPal or CCBill). Of course, the only data they would have is the information you give them (which they would need to already have so that they know what to look for). Our payment providers never know the access tokens, since there's no reason to share that with them. So if you require more anonymity than that, pay with cryptocurrencies, use a [disposable email service](https://cs.email), and practice decent OPSEC.
What if law enforcement bypasses you and goes directly to the data center and asks them to start logging?
We’ve tried to pick data centers that have a good track record for privacy, but it is still possible that they might start logging packets at the upstream level (the data center itself, the data center’s ISP, or that ISP’s ISP, etc.).
That means traffic coming into the server and traffic leaving the server could be logged by the upstream.
But since the servers have multiple users at any given time, law enforcement would first need to know your real IP before they could figure out which incoming traffic stream is yours.
The incoming traffic is encrypted, so the only information they would have is the metadata (the source IP, the time the traffic occurred, etc.).
For outgoing traffic, they would need to know something about the destination (a specific site or service that only you visit, etc.) in order to differentiate your outgoing traffic from everyone else’s.
Keep in mind that if you’re using plaintext protocols (HTTP instead of HTTPS, etc.), even while on the VPN, when that traffic leaves our servers for the internet it will be plaintext again.
So any route/hop between our data center and the destination IP would be able to see the contents of that plaintext traffic.
That’s why you should still be using strong end-to-end crypto, even while connected to the VPN.
Do you own or have physical access to your servers?
No, we lease our dedicated servers from data centers all over the world.
Physical attempts to compromise the server while it’s running would fail since grsecurity denies any USB access, and our customized kernel also disables support for any other unnecessary peripheral devices (CD drives, etc.).
The only way to run code on our servers would be to take it offline first, boot it with a live CD, backdoor something, then bring the server back online.
But we’ve accounted for that scenario, explained in the next section.
What if one of the servers gets confiscated by law enforcement (or whoever)?
We’ve always operated under the assumption that this is going to happen eventually. That’s why all of our servers were designed to be as disposable as possible.
There are no logs on the servers that can be used to identify a customer, and thanks to the Perfect Forward Secrecy provided by DH/ECDH ephemeral keys, if a private server key was obtained by physically confiscating a server, it couldn’t be used to decrypt VPN traffic. (The one caveat: key renegotiation happens every 20 minutes, so there is a small window in which traffic from up to 20 minutes ago could be decrypted if it had been logged. That is one reason we always say you should be using strong end-to-end crypto even while on the VPN.)
Each server also uses different randomly generated root passwords and SSH keys, so compromising one server won’t get you access to any other server.
We also practice secure PKI management: the CA private key is never stored on any online server, so a confiscated server yields nothing that could be used to sign a certificate for a fake server, which means man-in-the-middle attacks won’t be successful.
The most that could happen in that case is a denial of service.
If any of our servers reboot or shut down for unknown reasons, we assume that while offline someone backdoored something, so when it’s back up we always check the integrity of all files using Tripwire before bringing OpenVPN back up.
Do you allow BitTorrent/P2P/file-sharing?
Do you allow hacking?
No, and we use snort as an intrusion prevention system to prevent most basic types of hacking (SQL injection, brute force, automated vulnerability scanning, etc.). The reason for this IPS system is that most data centers don’t allow abuse, and if we did allow that kind of noisy hacking, our IPs would quickly be blacklisted everywhere, which means clients would be getting CAPTCHA prompts everywhere they went. That snort IPS setup seemed like the best option to prevent abuse complaints without requiring logging on our part, since it runs directly against the tunnel interface server-side. If you’re good enough to bypass our snort rules, you’re good enough to know that there are much better ways to hide your hacking activities.
Do you allow SPAM?
No. When we get complaints from one of our data centers about a VPN client of ours sending SPAM, we’ll temporarily block all SMTP on that server until the SPAM stops, since we have no way of knowing which customer of ours was doing that.
If it’s not e-mail based SPAM (forum SPAM, etc.), we’ll temporarily block whatever website the SPAM was being sent to, so long as it’s not a site a lot of clients would be using (Google, etc.).
Do you support [insert OS here]?
The only VPN protocols we use are OpenVPN and WireGuard, so we support whatever they do. At the moment, for OpenVPN, that includes: Linux, Windows XP/Vista/7 and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. Officially, we no longer support Windows XP, but it is still possible to connect with it. WireGuard’s supported operating systems are listed here.
What does “devices” mean on https://cryptostorm.is/#section5?
That is the number of devices allowed to connect with that token at the same time. The limit is on concurrent connections, so you could use a one week token on multiple devices, just not simultaneously. If you need to connect more devices, either buy a token that allows more devices, or connect to cryptostorm with your router so all your devices are protected.
Do you support IPv6?
Not at the moment. Our current policy is to block it to prevent leaks.
Why are some proxy detection sites (whoer.net, etc.) saying there’s an open proxy on [insert VPN IP here]?
That’s just a false positive. Those sites work by simply checking to see if some common proxy ports are open on an IP (8080, 3128, etc.).
All of our VPN IPs appear to have almost all ports open (1-29999).
Normally, more open ports means decreased security, because usually each port is tied to a separate service/daemon, which means a larger attack surface.
In our setup, all of those ports are being forwarded to one of two OpenVPN instances (one for UDP, one for TCP) per IP, so having those ports open isn’t decreasing the security.
More technical details are available at https://cryptostorm.is/blog/port-striping-v2.
I didn’t receive the email with my token in it, where is it?
Check your SPAM folder. Some email providers mistake our welcome email for SPAM. To prevent that from happening, figure out how to whitelist an email address with your provider and add ’email@example.com’, or better yet ‘*@cryptostorm.is’.
Why isn’t my token working?
Verify that you’re using the correct token at https://cryptostorm.nu/. If you’re hashing your token, make sure the hash is correct with https://cryptostorm.is/sha512. If there’s a 2-for-1/3-for-1 token sale going on or you bought one of the bundles, make sure you’re not copy/pasting all your tokens as one. The token delivery email/page will have one token per line, each with a format that looks like “FDx3E-P2mP1-OZ2fU-VsYnr”. Another common problem is that the font some people use for their email/webmail will make lower-case L and I and the number one look similar. So if your token has those characters in them and you’re manually entering your token into something, change the font to make it easier to read.
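A small helper for the troubleshooting steps above, added here as an example and not cryptostorm’s own code: it splits a pasted token blob into one token per line, checks the 5x5 format, flags the l/I/1 characters that fonts confuse, and computes each token’s SHA-512 hex digest. The hash is assumed to be SHA-512 over the token exactly as delivered (hyphens included); compare the result with https://cryptostorm.is/sha512 before relying on it.

```python
# Added example, not cryptostorm's code. Tidies up a pasted token blob the way the FAQ
# describes: one token per line, expected format, ambiguous glyphs, SHA-512 of each token.
# Assumption: the hash is SHA-512 over the token string as delivered, hyphens included.
import hashlib
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9]{5}(-[A-Za-z0-9]{5}){3}$")  # e.g. FDx3E-P2mP1-OZ2fU-VsYnr
AMBIGUOUS = set("lI1")  # lower-case L, upper-case i and the digit one look alike in many fonts


def split_tokens(blob: str) -> list:
    """Split a pasted sale/bundle email into individual tokens.
    Tokens are expected one per line; a line holding several tokens
    (the copy/paste-them-all-as-one mistake) is split on whitespace."""
    return [t for line in blob.splitlines() for t in line.split() if t]


def check_token(token: str) -> dict:
    """Report format validity, the ambiguous characters present, and the SHA-512 hex digest."""
    ambiguous = sorted({c for c in token if c in AMBIGUOUS})
    digest = hashlib.sha512(token.encode("ascii")).hexdigest() if token.isascii() else None
    return {
        "token": token,
        "valid_format": bool(TOKEN_RE.match(token)),
        "ambiguous_chars": ambiguous,  # if non-empty, re-check these by hand in a clearer font
        "sha512": digest,
    }


def check_blob(blob: str) -> list:
    """Check every token found in a pasted blob."""
    return [check_token(t) for t in split_tokens(blob)]


if __name__ == "__main__":
    # Constructed sample: the format example from the FAQ plus a made-up second token
    SAMPLE = "FDx3E-P2mP1-OZ2fU-VsYnr\nabcde-fghij-klmno-pqrst\n"
    for r in check_blob(SAMPLE):
        print(r["token"], r["valid_format"], r["ambiguous_chars"], r["sha512"][:16])
```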
It’s not working
Imagine taking your car to the shop and telling the mechanic “it’s not working”. They’ll ask for more specific information. Same goes for us. Any specific errors you’re getting or logs you have are necessary to help us figure out what the problem you’re having is.
Why am I getting this error: “Options error: Unrecognized option or missing parameter(s) in Denmark_UDP.ovpn:36: compress (2.3.18)”
The ECC configs at https://cryptostorm.is/configs/ecc/ require at least OpenVPN 2.4.0 and OpenSSL 1.0.1d.
It is possible to have an OpenVPN compiled against a different OpenSSL library than the OpenSSL you have installed system-wide, so check with `openvpn --version`.
Why am I getting this error: “Options error: Unrecognized option or missing parameter(s) in Denmark_UDP.ovpn:36: tls-crypt (2.3.18)”
See the previous question. Same applies to this error.
Why am I getting this error: “TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”
The Ed25519 and Ed448 configs require at least OpenVPN 2.4.3 and OpenSSL 1.1.1.
If your OpenVPN/OpenSSL is up to date, or you’re not using those two config types, then either our server is down or something on your side is blocking the connection. See https://cryptostorm.is/uptime to check if any of our servers are down. If it’s your side, double-check any firewall that you might have enabled locally or on your router. If your ISP is blocking VPNs, try the ECC configs, or switching to different ports, or using the TCP configs instead of UDP.
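The version checks from the three answers above, as an added example (not cryptostorm’s or OpenVPN’s own code): it parses the two-line `openvpn --version` banner and reports which config families the installed build can use. The thresholds are the ones stated above; reading OpenSSL from openvpn’s own output is deliberate, since the linked library can differ from the system-wide one.

```python
# Added example, not cryptostorm's or OpenVPN's code. Parses `openvpn --version` output
# and applies the FAQ's requirements: ECC needs OpenVPN >= 2.4.0 and OpenSSL >= 1.0.1d,
# Ed25519/Ed448 need OpenVPN >= 2.4.3 and OpenSSL >= 1.1.1.
import re
import subprocess

OPENVPN_RE = re.compile(r"\bOpenVPN (\d+)\.(\d+)\.(\d+)")
# The second banner line reads e.g. "library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10";
# the optional trailing letter matters (1.0.1 is older than 1.0.1d).
OPENSSL_RE = re.compile(r"\bOpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_versions(output: str):
    """Return ((major, minor, patch), (major, minor, patch, letter)) or raise ValueError."""
    ov = OPENVPN_RE.search(output)
    ssl = OPENSSL_RE.search(output)
    if not ov or not ssl:
        raise ValueError("could not find OpenVPN and OpenSSL versions in output")
    openvpn = tuple(int(x) for x in ov.groups())
    openssl = tuple(int(x) for x in ssl.groups()[:3]) + (ssl.group(4),)
    return openvpn, openssl


def supported_configs(output: str) -> dict:
    """Which config families the build described by `output` can load."""
    ovpn, ssl = parse_versions(output)
    return {
        "ecc": ovpn >= (2, 4, 0) and ssl >= (1, 0, 1, "d"),
        "ed25519_ed448": ovpn >= (2, 4, 3) and ssl >= (1, 1, 1, ""),
    }


def check_local_openvpn() -> dict:
    """Run the locally installed openvpn binary and check it (needs openvpn on PATH)."""
    out = subprocess.run(["openvpn", "--version"], capture_output=True, text=True).stdout
    return supported_configs(out)


if __name__ == "__main__":
    # Constructed sample modelled on the real banner, using the 2.3.18 build from the error above
    SAMPLE = ("OpenVPN 2.3.18 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] built on Jan 1 2017\n"
              "library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08\n")
    print(supported_configs(SAMPLE))  # 2.3.18 is too old for either family: both False
```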
Why am I getting this error: “Options error: Unrecognized option or missing or extra parameter(s) in Denmark_UDP.ovpn:7: <!DOCTYPE (2.4.6)”
This happens whenever you download the HTML page for one of our OpenVPN configs from GitHub, instead of downloading the actual config file. Make sure you click that “Raw” button to get to the page with the actual config, or just use the configs from our site.
Why am I getting this error: “AEAD Decrypt error: bad packet ID (may be a replay): [ #450481 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings”
This happens whenever either side of the VPN connection receives the same packet twice. That usually just means a packet was received out of order, or a packet was retransmitted because the first attempt didn’t go through, or the OS thinks it didn’t. It’s unlikely that it’s an actual replay attack, since that would only be useful at the initial connect, and even then the worst that could happen is a DoS. Encrypted traffic can’t be decrypted using such an attack. It would be a dumb attack anyway: if an attacker has the ability to monitor/inject traffic like that, a RST would be more efficient (the same thing China does).
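The check behind that warning, shown as an added example rather than OpenVPN’s own code: a sliding-window replay detector over packet IDs. A late packet inside the window is accepted once, a second copy of an ID (retransmit or injected replay) is rejected, and anything older than the window is rejected; rejected packets are dropped before any decryption result is used, which is why the message is diagnostic rather than a sign of compromise. The window size of 64 mirrors the default size argument of --replay-window; the time component of that option is not modelled.

```python
# Added example, not OpenVPN's code. Sliding-window replay protection over increasing
# packet IDs, the mechanism behind "bad packet ID (may be a replay)". Assumed window
# size 64 (OpenVPN's default --replay-window size); the time limit is not modelled.

class ReplayWindow:
    def __init__(self, window: int = 64):
        self.window = window
        self.highest = 0   # highest packet ID accepted so far (IDs start at 1)
        self.bitmap = 0    # bit i set => packet ID (highest - i) has already been seen

    def check(self, pid: int) -> str:
        """Return 'accept', 'replay' (ID already seen) or 'too-old' (outside the window)."""
        if pid <= 0:
            return "too-old"
        if pid > self.highest:
            # newer than anything seen: slide the window forward, forgetting bits that fall off
            shift = pid - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = pid
            return "accept"
        offset = self.highest - pid
        if offset >= self.window:
            return "too-old"          # older than the window: cannot tell a replay from a straggler
        if self.bitmap & (1 << offset):
            return "replay"           # duplicate: retransmit, reordering artefact or real replay
        self.bitmap |= 1 << offset    # late but first-time packet: accept it once
        return "accept"


def simulate(ids) -> list:
    """Run a packet ID sequence through a fresh window and return the verdicts."""
    w = ReplayWindow()
    return [w.check(i) for i in ids]


if __name__ == "__main__":
    # Constructed trace: 4 arrives late (fine), 4 arrives again (retransmit -> the warning),
    # 200 jumps ahead, then 3 turns up far outside the window.
    print(simulate([1, 2, 3, 5, 4, 4, 200, 3]))
```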