Frequently Asked Questions
-
1. Will cryptostorm make me 100% secure/anonymous?
No. A VPN is not an "all-in-one" solution for online security or privacy. Actually, there is no "all-in-one" solution. A VPN is simply one of the many tools that can help your online security/privacy. Other things that should be in your toolkit: Tor and/or I2P, compartmentalization, another VPN, good OPSEC, and some common sense.
-
2. Do you log?
Every VPN provider has to log something, be it for their website or their actual VPN service, and we're no exception. The difference between our log policies and our competitor's is that we openly share exactly what's being logged and why, all described at https://cryptostorm.is/privacy. In short, while we do have some logs for security reasons, we don't keep any logs that can be used to identify a customer, such as when they connect, or where they connect from, or where they're connecting to. See the aforementioned link for all the technical details.
-
3. Do I have to use your 'widget' program if I'm on Windows?
No. Our 'widget' is mostly just a GUI frontend for OpenVPN, so you could instead use OpenVPN GUI if you want, instructions are at https://cryptostorm.is/windows#ovpngui.
However, our 'widget' does also include some other things OpenVPN GUI doesn't have, like DNSCrypt to protect the pre-connect DNS, a killswitch, and some built-in obfuscation options. -
4. Can't I just run my own VPN inside a VPS?
Sure, but you would be missing out on two important things: First, with you being the only person connecting to that VPN, it wouldn't be difficult to figure out that traffic leaving that VPS belongs to you. With our servers, there are many other clients connected generating their own traffic, so you basically get "lost in the mix" (which also means plausible deniability). Second, some of our staff members have over 20 years experience with VPNs and internet security/privacy. While it is a lot easier these days to spin up a VPS loaded with OpenVPN and similar software, it's also easy to misconfigure that software in ways that might compromise your security or privacy. Also, a VPS is only as secure as the system actually hosting the VM. If you really want to DIY, we recommend not using a VPS at all and instead get a dedicated server. oneprovider.com and kimsufi.com often have 1Gbps dedicated servers in Paris and Amsterdam for as low as $5-$10/month.
-
5. Where are your servers located? / How many servers do you have?
There's a map on the main page, at https://cryptostorm.is/#smap, and a more detailed list at https://cryptostorm.is/uptime.
-
6. How many IPs do you have?
A rough estimate is listed at https://cryptostorm.is/#section4 in the right column, at the bottom.
-
7. Do you have a free trial?
No. During our first 10 years of service we did offer one, but we've decided to discontinue that service. Details are on https://cryptostorm.is/cryptofree
-
8. Where is the cryptostorm HQ located?
We have no central HQ. Our business entities are in several regions, with others as backups in case one entity gets pressured by any government or law enforcement agency. To make things more difficult for those who would try to shut us down, we keep the locations of these entities private.
-
9. Would you hand over customer data or start logging if law enforcement asks?
No, we have no data to hand over. Our decentralized business structure and our privacy-friendly choices for the regions our entities were incorporated in prevent any courts from executing a subpoena that would have us hand over data or start logging data. If the laws in those regions changed, we would dissolve that entity and switch to one of the backups in another region. Our staff members don't reside in any of those regions, so law enforcement can't prosecute our staff members for non-compliance of such a court order.
Keep in mind though, it is possible for law enforcement to request data from one of our payment providers (PayPal or CCBill).
Of course, the only data they would have is the information you give them (which they would need to already have so that they know what to look for).
Our payment providers never know the VPN access tokens, since there's no reason to share that with them.
So if you require more anonymity than that, pay with cryptocurrencies, use a disposable email service, and practice decent OPSEC. -
10. What if law enforcement bypasses you and goes directly to the data center and asks them to start logging?
It is possible that a data center we use might start logging packets (either at the data center itself, the data center's ISP, or that ISP's ISP, etc.).
That means traffic coming into the server and traffic leaving the server could be logged.
But since the servers have multiple users at any given time, law enforcement would first need to know your real IP before they could figure out which incoming traffic stream is yours.
The incoming traffic is encrypted, so the only information they would have is the metadata (the source IP, the time the traffic occured, etc.).
For outgoing traffic, they would need to know something about the destination (a specific site or service that only you visit, etc.) in order to differentiate your outgoing traffic from everyone else's.
Keep in mind that if you're using plaintext protocols (HTTP instead of HTTPS, etc.), even while on the VPN, when that traffic leaves our servers for the internet it will be plaintext again.
So any route/hop between our data center and the destination IP would be able to see the contents of that plaintext traffic.
That's why you should still be using strong end-to-end crypto, even while connected to the VPN. -
11. Do you own or have physical access to your servers?
No, we lease our dedicated servers from data centers all over the world.
Physical attempts to compromise the server while it's running would fail since linux-hardened denies any new USB devices that weren't connected at boot, and other unnecessary peripheral devices (CD/DVD drives, FireWire, Thunderbolt [and PCIe Hotplug], serial ports, etc.) are either disabled or blacklisted.
The only way to run code on our servers would be to take it offline first, boot it with a live CD/USB, backdoor something, then bring the server back online.
But we've accounted for that scenario, explained in the next section. -
12. What if one of the servers gets confiscated by law enforcement (or whoever)?
We've always operated under the assumption that this is going to happen eventually. That's why all of our servers were designed to be as disposable as possible.
There are no logs on the servers that can be used to identify a customer, and thanks to the Perfect Forward Secrecy provided by DH/ECDH/ephemeral keys, if a private server key was compromised, it couldn't be used to decrypt past traffic since that key isn't used to encrypt traffic. Instead, OpenVPN and WireGuard use the private key to secure the initial handshake, which is only responsible for exchanging the ephemeral session keys that actually encrypt the traffic, and those are rotated every 20 minutes. Because these ephemeral session keys are unique to each session and discarded after use, past traffic remains safe even if the server's private key is compromised.
But the only way to get those server private keys is through a cold boot attack, because the private keys needed for OpenVPN/WireGuard are securely removed from the hard drive after that service starts up, so those keys are only stored in RAM. Rebooting the server to boot it into a LiveCD/USB/PXE would wipe those private keys from RAM.
Each server also uses different randomly generated root passwords and SSH keys, so compromising one server won't get you access to any other server.
We also practice secure PKI management, which means the CA private key is never stored on any online server, which also means man-in-the-middle attacks won't be successful.
Even if someone did manage to somehow pull off a MiTM attack, the most they could do is a denial of service.
If any of our servers reboot or shut down for unknown reasons, we assume that while offline someone backdoored something, so when it's back up we always check the integrity of all files using AIDE before bringing OpenVPN/WireGuard back up. -
13. Do you allow BitTorrent/P2P/file-sharing?
Yes.
-
14. Do you allow hacking/scanning?
No, and we use snort as an intrusion prevention system to prevent most basic types of hacking (SQL injection, brute force, automated vulnerability scanning, etc.).
The reason for this IPS system is that most data centers don't allow abuse, and if we did allow that kind of noisy hacking, our IPs would quickly be blacklisted everywhere, which means clients would be getting CAPTCHA prompts everywhere they went.
That snort IPS setup seemed like the best option to prevent abuse complaints without requiring logging on our part, since it runs directly against the tunnel interface server-side. If you're good enough to bypass our snort rules, you're good enough to know that there are much better ways to hide your hacking activities. -
15. Do you allow SPAM?
No. When we get complaints from one of our data centers about a VPN client of ours sending SPAM, we'll temporarily block all SMTP on that server until the SPAM stops, since we have no way of knowing which customer of ours was doing that. If it's not e-mail based SPAM (forum SPAM, etc.), we'll temporarily block whatever website the SPAM was being sent to, so long as it's not a site a lot of clients would be using (Google, etc.).
-
16. Do you support [insert OS here]?
The only VPN protocols we use are OpenVPN and WireGuard, so we support whatever they do. At the moment, for OpenVPN, that includes: Linux, Windows XP/Vista/7 and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. Officially, we no longer support Windows XP, but it is still possible to connect with it. WireGuard's suppported operating systems are listed here.
-
17. OpenVPN/WireGuard is blocked in my country, can I still connect?
We do offer obfuscation with HTTPS, SSH, and obfs4. Our Russian customers say that obfs4 still works there, and HTTPS if you set the SNI to something commonly allowed in that region (vk.ru, yandex.ru, etc). As for China, it depends on where you are. The more rural areas tend to be more strict, blocking or throttling anything that looks encrypted. In more urban areas, it tends to be less strict. We are working on implementing newer obfuscation methods that should work better for Chinese users.
-
18. What are the device limits?
The device limit depends on your token's duration. For OpenVPN, the limit is how many concurrent sessions you can have open. For WireGuard, it's how many keys you're allowed to generate. OpenVPN and WireGuard's limits are independent of each other, so technically a one week token could connect two devices, if one device used OpenVPN and the other WireGuard. You could also connect several devices using the same WireGuard key, if each device connected to a different server.
Token Duration WireGuard keys OpenVPN sessions one week 1 1 one month 1 1 three months 2 2 six months 3 3 one year 4 4 two years 5 5 lifetime 6 6 -
19. Do you support IPv6?
We do now. All the nodes have a single IPv6 address that acts as an entry point, and another IPv6 address as an exit. There's still IPv4 addresses too though for people who don't want to or can't use IPv6.
-
20. Why are some proxy detection sites saying there's an open proxy on [insert VPN IP here]?
That's just a false positive. Those sites work by simply checking to see if some common proxy ports are open on an IP (8080, 3128, etc.).
All of our VPN IPs appear to have almost all ports open (1-29999).
Normally, more open ports means decreased security because usually each port is tied to a separate service/daemon, which means more potential attack surfaces.
In our setup, all of those ports are being forwarded to either OpenVPN or WireGuard, so having those ports open isn't decreasing the security.
More technical details are available at https://cryptostorm.is/blog/port-striping-v2 -
21. I didn't receive the email with my token in it, where is it?
Around February of 2024 we changed the delivery setup where now only people who have a recurring subscription (via PayPal or CCBill) get their tokens delivered by email. For everyone else the delivery happens in-browser only. If you do have a recurring subscription and you didn't receive your token delivery email, then check your SPAM folder. Some email providers mistake our token delivery email as SPAM. To prevent that from happening, figure out how to whitelist an email address with your email provider and add 'tokenbot@cryptostorm.is', or better yet '*@cryptostorm.is'
-
22. Why isn't my token working? / I'm getting an AUTH_FAILED error
Verify that you're using the correct token at https://cryptostorm.nu/. If you're hashing your token, make sure the hash is correct with https://cryptostorm.is/sha512. A common problem is that the font some people use for their email/webmail will make lower-case L and I and the number one look similar. So if your token has those characters in them and you're manually entering your token into something, change the font to make it easier to read.
-
23. I'm connected to the Switzerland server but IP location sites say I'm in the Netherlands (or any other server/location)
IP location lookup sites aren't 100% accurate. They use several methods to try to match IPs with their physical location.
Most will simply query the WHOIS server for whichever of the five Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC) is responsible for managing IP address allocations in that region. That will tell them the organization that controls that specific IP (usually a data center), then they can lookup that organization's location. The problem with that is not every organization or data center is required to disclose their physical location, and the organization listed isn't always the actual owner. It could be a subsidiary of a larger company, or a holdings company registered in a different location, or it could be a company that resells or delegates authority to another organization. It also doesn't help that IPs change ownership all the time, sometimes moving to new networks in completely different countries.
For those reasons, the GeoIP databases that the IP location sites use are never going to be 100% accurate.
If you're trying to verify that you're connected to the VPN, you shouldn't be using 3rd party IP location sites, you should use https://cryptostorm.is/test or https://cryptostorm.is/leaktest.
If you're trying to find out the location of an IP, we recommend iplocation.net because it uses 9 different GeoIP databases, which should give you a better idea of where an IP is probably located.
As for our Switzerland server, it is physically located in a data center in Zurich, but the company that owns the server (Private Layer Inc) is registered in Panama, which is why some IP location sites think the server is in Panama. A few list it as being in the Netherlands, possibly because Private Layer either used to be registered there or owned a data center there. -
24. It's not working
Imagine taking your car to the shop and telling the mechanic "it's not working". They'll ask for more specific information. Same goes for us. Any specific errors you're getting or logs you have are necessary to help us figure out what the problem you're having is. Also include the operating system (Windows, MacOS, Linux, etc.) and whether you're using WireGuard or OpenVPN.
-
25. Are there any speed/traffic limits?
No. We don't do any kind of throttling/QoS. All client traffic is treated the same. Our servers are 1 Gbps, except for Switzerland, Oregon, and Mexico, those three are 10 Gbps. All of our servers share their bandwidth with other servers in the same cabinet, so peak usage hours can affect speeds, but for most people the difference is negligible. If you're experiencing low speeds, try switching to TCP OpenVPN if you're using UDP OpenVPN (or vice-versa), or try switching to WireGuard, or try a different port. Some ISPs are known to throttle certain types of VPN traffic, so switching protocols or ports like that might bypass the throttle. If you're having issues with BitTorrent download speeds, make sure to use port forwarding as some swarms (especially private trackers) require it.