IPv6 support added

Table of contents

  1. Introduction
  2. Instructions
  3. Port forwarding
  4. New config generators
  5. Other updates

Introduction

We finally got around to adding IPv6 support. Originally, we didn't want to do IPv6 because when cryptostorm first started, the protocol had multiple vulnerabilities, and many implementations had their own vulnerabilities. These days, most IPv6 related vulnerabilities involve features that we're not using, so it should be safe enough to use now. Another reason we're adding support for it is that a lot of operating systems will prefer IPv6 over IPv4, which can cause leaks on an IPv4-only VPN if the client-side isn't blocking or disabling IPv6.

In our implementation, a single IPv6 address (per server) will act as the entry point, and another single address acts as the exit (the one the internet sees you as having). The IPv6 address space is very large, and most of our servers have an entire /64 subnet (2^64, or 18,446,744,073,709,551,616 addresses), more than enough to give every client its own address, but we decided against assigning individual IPs to each client because that could introduce correlation opportunities. Better to have them be shared as our IPv4 addresses are, which adds plausible deniability because other clients are also generating traffic from the same exit IP. Another benefit to having separate entry/exit IPs is that we can block all incoming traffic (excluding established connections and port forwarding) on the exit, so that services/sites that scan the IP to look for VPN related services won't be able to find anything.

Also, unlike our current IPv4 addresses, we don't plan on publicly disclosing these IPv6 exit IPs. It makes it too easy for VPN IP databases (ipinfo.io, etc.) to harvest our IPs when we do that. The top of the main cryptostorm.is page and the cryptostorm.is/test page will still tell you whether you're connected to the VPN, and obviously you can figure out the exit IP if you connect to the VPN, but at least now people trying to collect our exit IPs will have to put in more effort. Plus, with such a large address space available, we can frequently rotate out the exit IP, which should keep us out of those lists. 

We might eventually do separate entry/exit addresses for IPv4 too, but that will take time, because all of our current IPv4 addresses are already known (we've disclosed them), and ordering new IPv4 addresses for all the servers takes a while.

Instructions

OpenVPN users should be able to use the new IPv6 addresses immediately, as long as IPv6 isn't blocked by a firewall or disabled in the OS. If you're using our Windows client, update to the latest version (v3.61 as of this writing) to use IPv6. The IPv6 routes are only pushed to you from the server if you connect to the IPv6 VPN address. It's set up this way for people that don't want to use IPv6, so they can keep using their current configuration. Some operating systems will still prefer IPv6 over IPv4 regardless, though. If you're using OpenVPN (or OpenVPN GUI) directly, you can force IPv6 by simply adding a 6 to the end of the remote lines in your config. I.e.,

remote paris.cstorm.is 443 udp
remote paris.cstorm.net 443 udp
remote paris.cryptostorm.pw 443 udp

would become:

remote paris.cstorm.is 443 udp6
remote paris.cstorm.net 443 udp6
remote paris.cryptostorm.pw 443 udp6

And if you want to force IPv4, you would do the same except add a 4 at the end instead of a 6.
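The remote-line edit above, done programmatically. This is an added example, not cryptostorm's own tooling; the config fragment is constructed around the three remote lines quoted in the post (the other directives are just there to show they are left alone). A remote line with no explicit protocol column is not touched, since OpenVPN then falls back to the config's proto directive.

```python
"""Force the address family on the 'remote' lines of an OpenVPN config.

Added example, not cryptostorm's own code. SAMPLE_CONFIG is a constructed
fragment built around the three remote lines quoted in the post.
"""
import re

SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote paris.cstorm.is 443 udp
remote paris.cstorm.net 443 udp
remote paris.cryptostorm.pw 443 udp
remote-random
"""

# remote <host> <port> <proto>, where proto is udp/tcp/tcp-client with an
# optional 4 or 6 suffix. Lines without an explicit proto are left alone.
REMOTE_RE = re.compile(
    r"^(\s*remote\s+\S+\s+\d+\s+)(udp|tcp-client|tcp)([46]?)(\s*)$"
)


def force_address_family(config_text, family):
    """Rewrite every matching remote line so its proto ends in <family>.

    Any existing 4/6 suffix is replaced, so the function can be used to flip
    a config back and forth between IPv4-only and IPv6-only.
    """
    if family not in (4, 6):
        raise ValueError("family must be 4 or 6")
    out = []
    for line in config_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            prefix, proto, _old_suffix, trailing = m.groups()
            line = f"{prefix}{proto}{family}{trailing}"
        out.append(line)
    return "\n".join(out) + "\n"


def remote_protocols(config_text):
    """Return the proto column of every remote line, in file order."""
    return [m.group(2) + m.group(3)
            for m in map(REMOTE_RE.match, config_text.splitlines()) if m]


if __name__ == "__main__":
    print(force_address_family(SAMPLE_CONFIG, 6))
```

Running it prints the config with all three remote lines ending in udp6; calling force_address_family with 4 instead produces udp4 lines. Remember that a udp6-only config will fail to connect on a machine where IPv6 is disabled or firewalled, which is exactly the situation the paragraph above warns about.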

WireGuard users can generate new configs at cryptostorm.is/wireguard to use IPv6.
If you prefer to keep using the keys/configs you already have but still want to use IPv6, follow these steps:

  1. Go to cryptostorm.is/wireguard_man and type in your token. A new local IPv6 address should be shown for each of your WireGuard keys. Copy down the IPv6 address (it starts with fd00:10:10:) for whichever key you're going to be editing the config for.
  2. Add that fd00:10:10::x address to the Address = line in your WireGuard config.
  3. Add ::/1 (or ::/0 if using the built-in killswitch) to the AllowedIPs = line in your WireGuard config.

    Address and AllowedIPs accept multiple IPs separated by commas, so don't replace the IPv4 address that's already there, just add the IPv6 one to the end, using a comma to separate the two.

I.e., if your WireGuard config contains:

Address = 10.10.129.7/32
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1

You would change those lines to (assuming the page shows fd00:10:10::de40 tied to 10.10.129.7):

Address = 10.10.129.7/32, fd00:10:10::de40/128
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1

There are also new IPv6 DNS addresses at:

  • 2001:db8::7 (ad/tracker blocking)
  • 2001:db8::8 (no blocking).

We recommend adding these to the DNS line in your WireGuard config. If your config contains:

DNS = 10.31.33.7

You would change it to:

DNS = 10.31.33.7, 2001:db8::7

And if it contains:

DNS = 10.31.33.8

You would change it to:

DNS = 10.31.33.8, 2001:db8::8
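The Address, AllowedIPs and DNS edits from the steps above, applied to a config in one go and then checked. This is an added example, not cryptostorm's own code. The config is constructed: the 10.10.129.7 to fd00:10:10::de40 pairing is the one the post uses for illustration, and the key and endpoint values are placeholders. The last function goes one step beyond the post: it checks that the resulting AllowedIPs list actually covers the global unicast range (2000::/3), which is what keeps IPv6 traffic inside the tunnel on an OS that prefers IPv6 over IPv4.

```python
"""Add IPv6 to an existing cryptostorm WireGuard config, then check the result.

Added example, not cryptostorm's own tooling. SAMPLE_CONFIG is a constructed
config: the 10.10.129.7 / fd00:10:10::de40 pairing is the one the post uses,
the key values and the endpoint are placeholders.
"""
import ipaddress

SAMPLE_CONFIG = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.10.129.7/32
DNS = 10.31.33.7

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
PresharedKey = PLACEHOLDER_PRESHARED_KEY
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = PLACEHOLDER_HOST:PLACEHOLDER_PORT
"""

# Local addresses shown on /wireguard_man start with fd00:10:10: (per the post).
LOCAL_V6_PREFIX = ipaddress.IPv6Network("fd00:10:10::/48")
# IPv6 twins of the two resolvers named in the post.
V6_DNS = {"10.31.33.7": "2001:db8::7", "10.31.33.8": "2001:db8::8"}
# IANA global unicast block. If AllowedIPs does not cover it, IPv6 traffic
# bypasses the tunnel on any OS that prefers IPv6 over IPv4.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def _items(value):
    """Split a comma-separated WireGuard value into its entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def add_ipv6(config_text, local_v6, killswitch=False):
    """Return config_text with the IPv6 address, route and DNS appended.

    Existing IPv4 entries are kept and nothing is added twice, so running it
    on an already converted config is a no-op.
    """
    v6 = ipaddress.IPv6Address(local_v6)  # raises ValueError on a malformed address
    if v6 not in LOCAL_V6_PREFIX:
        raise ValueError(f"{v6} is not an fd00:10:10: address from /wireguard_man")
    route = "::/0" if killswitch else "::/1"  # ::/0 only with the built-in killswitch
    out = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")  # only the first '=' (keys end in '=')
        key = key.strip()
        if sep and key in ("Address", "AllowedIPs", "DNS"):
            items = _items(value)
            if key == "Address":
                wanted = [f"{v6}/128"]
            elif key == "AllowedIPs":
                wanted = [route]
            else:  # DNS: add the IPv6 twin of each cryptostorm resolver present
                wanted = [V6_DNS[i] for i in items if i in V6_DNS]
            items += [w for w in wanted if w not in items]
            line = f"{key} = {', '.join(items)}"
        out.append(line)
    return "\n".join(out) + "\n"


def allowed_ips(config_text):
    """Return every AllowedIPs entry (all peers) as an ip_network object."""
    nets = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            nets += [ipaddress.ip_network(i, strict=False) for i in _items(value)]
    return nets


def tunnels_global_ipv6(config_text):
    """True if some AllowedIPs entry covers the whole global unicast range."""
    return any(net.version == 6 and GLOBAL_UNICAST.subnet_of(net)
               for net in allowed_ips(config_text))


if __name__ == "__main__":
    converted = add_ipv6(SAMPLE_CONFIG, "fd00:10:10::de40")
    print(converted)
    print("IPv6 routed through the tunnel:", tunnels_global_ipv6(converted))
```

The prefix check rejects an address that did not come from /wireguard_man, and the coverage check is the one to keep: a config whose Address line gained an IPv6 address but whose AllowedIPs did not is the worst of both worlds, since the interface now has an IPv6 address to speak from while the routes still send IPv6 outside the tunnel.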

Port forwarding

These new IPv6 exit addresses support port forwarding too. For IPv4 port forwarding, you would use http://10.31.33.7/fwd to add/remove forwards. For IPv6, the URL is http://[2001:db8::7]/fwd

We couldn't figure out a way to do both IPv6 and IPv4 using the pre-existing http://10.31.33.7/fwd, at least not without changing a lot of things, and potentially breaking stuff for people who might not want to use IPv6. Creating a separate http://[2001:db8::7]/ seemed the best route.

For OpenVPN users, that http://[2001:db8::7]/ URL will only be accessible if you choose the IPv6 address when connecting. If you connect to an IPv4 address, IPv6 routes won't get pushed from the server to you.

The port forwarding page(s) have also been updated to better support mobile devices. Before, the page didn't render correctly on some phones/tablets.

New config generators

WireGuard
The WireGuard config generator on cryptostorm.is/wireguard has been updated too. In the old version, you would generate your private/public key and give us the public key (and your cryptostorm token), then the page would generate a preshared key and a local 10.10.x.x IP and add your public key to the network. In the new version, there's a Simple method that only needs your cryptostorm token, and we generate everything for you. As it says on that page, the only downside is it places your WireGuard tunnel's security into the hands of our website's security. But it makes everything much easier, especially for people on mobile devices. And if you don't want to sacrifice security for usability, there's an Advanced method that works just like the old page did.

The /wgconfzip and /wgconfqr pages now just redirect to /wireguard, since everything those pages did is now included in the new /wireguard page. /wgconfzip used client-side JavaScript to generate a configs.zip containing configs for all the nodes. /wgconfqr would generate a QR code to make it easier for mobile users to import a config. Now, both the Simple and Advanced methods on /wireguard include all of those features. The /wg_confgen.txt script is still there just in case anyone has it in a script, but it's been updated to include the IPv6 routes.

OpenVPN
The cryptostorm.is/configs/ page has been turned into a proper config generator. Before, it was just a basic directory listing containing all the configs, so if you wanted to do something like change the port or embed --auth-user-pass or a --client-connect script into all of your OpenVPN configs, you had to do it by hand (or use sed or some other scripting tool). Now, you can just plug whatever config directives you need into the config generator page. You can also set the port, enable --tls-crypt-v2, force IPv4 (or IPv6), or have it only include IPs in the configs (not recommended, but maybe for some reason you can't do DNS lookups to connect). People who prefer the old simple directory listing can still get it by going to cryptostorm.is/configs/ecc/ or cryptostorm.is/configs/rsa/.

Other updates

All the tutorial pages (except a few in /routers) have been updated too. WireGuard instructions have been moved from /wireguard to the pages for specific operating systems (/nix, /windows, /android, /ios, /macintosh). The text on all of those pages has been updated, and the old screenshots were replaced with new videos.

Some minor fixes were also applied to every page to fix issues mobile devices were having where the width of some pages went past the device's screen width.
