Linux

There are somewhere between 300 and 600 active Linux distributions, so we couldn't possibly give instructions for every single one. Luckily, most Linux distributions use only a handful of different package managers and desktop environments, and many distros are based on a smaller subset of other distros, so even if we don't have instructions for your specific distro, there's a good chance that the instructions for the distro that it's based on will work.

We now support IPv6, so you no longer need to disable it locally to prevent leaks.

If you need a killswitch, see cryptostorm.is/killswitch

Debian - OpenVPN

  1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
  2. Open up Terminal, run su, type in your root password, then run apt-get install network-manager-openvpn-gnome iptables
  3. Next, copy/paste these commands (still as root) in to Terminal:
    cd /etc/NetworkManager/dispatcher.d/
    cat > cs << 'EOF'
    #!/bin/bash
    case $2 in
    vpn-up)
    iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 10.31.33.7
    iptables -t nat -A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.31.33.7
    ip6tables -t nat -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 2001:db8::7
    ip6tables -t nat -A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 2001:db8::7
    ;;
    vpn-down)
    iptables -t nat -D OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 10.31.33.7
    iptables -t nat -D OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.31.33.7
    ip6tables -t nat -D OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 2001:db8::7
    ip6tables -t nat -D OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 2001:db8::7
    ;;
    esac
    EOF
    chmod +x cs
  4. Replace 10.31.33.7 with 10.31.33.8 (and 2001:db8::7 with 2001:db8::8) if you don't want to use the ad/tracker blocking DNS

  5. If you prefer to use nftables instead of iptables, you can skip installing iptables with apt-get and instead use this script:
    cd /etc/NetworkManager/dispatcher.d/
    cat > cs << 'EOF'
    #!/bin/bash
    case $2 in
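    vpn-up)
    # nftables ships no built-in "nat" table, so create dedicated tables
    # (cs_dns, a name chosen here) with a NAT chain hooked into output
    nft add table ip cs_dns
    nft add chain ip cs_dns output '{ type nat hook output priority -100; }'
    nft add rule ip cs_dns output udp dport 53 dnat to 10.31.33.7
    nft add rule ip cs_dns output tcp dport 53 dnat to 10.31.33.7
    nft add table ip6 cs_dns
    nft add chain ip6 cs_dns output '{ type nat hook output priority -100; }'
    nft add rule ip6 cs_dns output udp dport 53 dnat to 2001:db8::7
    nft add rule ip6 cs_dns output tcp dport 53 dnat to 2001:db8::7
    ;;
    vpn-down)
    # nft can only delete a single rule by its handle, so remove the
    # dedicated tables (and every rule in them) instead
    nft delete table ip cs_dns
    nft delete table ip6 cs_dns
    ;;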
    esac
    EOF
    chmod +x cs
  6. Go to our OpenVPN config generator and download a config
  7. Click the networking/sound/battery icons in the top right, then the gear icon to open Settings
  8. Click the Network tab to the left, then to the right of VPN click the + icon
  9. Choose Import from file, and select the config file you just downloaded
  10. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  11. Enter your cryptostorm token into the username field, and any text into the password field, then click the blue Add button in the top right
  12. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
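
To confirm that the dispatcher script from step 3 really installed the DNS redirect after you connect, the following added example (not part of the original instructions) audits the output of iptables -t nat -S OUTPUT or ip6tables -t nat -S OUTPUT. The function name check_dns_dnat and the sample rulesets are constructed for illustration; duplicates are flagged because vpn-down removes only one copy of each rule, which would leave DNS pointed at the VPN resolver after disconnecting.

```bash
#!/bin/bash
# Added example: audit the port-53 DNAT rules installed by the dispatcher script.
# Reads "iptables -t nat -S OUTPUT" (or ip6tables) output on stdin.
#   $1 = resolver the rules should point at (10.31.33.7, 10.31.33.8, ...)
# Returns 0 = exactly one udp and one tcp rule
#         1 = at least one rule is missing (DNS can bypass the VPN resolver)
#         2 = a rule is present more than once (vpn-down will leave one behind)
check_dns_dnat() {
    local resolver="$1" rules proto count re missing=0 dup=0
    # Escape dots so an IPv4 address is matched literally by grep -E
    re=$(printf '%s' "$resolver" | sed 's/\./\\./g')
    rules=$(cat)
    for proto in udp tcp; do
        # grep -c prints 0 but exits 1 when nothing matches, hence "|| true"
        count=$(printf '%s\n' "$rules" | grep -cE -- \
            "^-A OUTPUT .*-p $proto .*--dport 53 .*-j DNAT --to-destination ${re}\$" || true)
        case "$count" in
            0) echo "MISSING   $proto/53 -> $resolver"; missing=1 ;;
            1) echo "OK        $proto/53 -> $resolver" ;;
            *) echo "DUPLICATE $proto/53 -> $resolver ($count copies)"; dup=1 ;;
        esac
    done
    if [ "$missing" -eq 1 ]; then return 1; fi
    if [ "$dup" -eq 1 ]; then return 2; fi
    return 0
}

# Constructed sample: IPv4 ruleset as it looks after a clean vpn-up
SAMPLE_V4='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 10.31.33.7
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.31.33.7'

# Constructed sample: IPv6 ruleset where the tcp rule never got installed
SAMPLE_V6='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 2001:db8::7'

printf '%s\n' "$SAMPLE_V4" | check_dns_dnat 10.31.33.7
printf '%s\n' "$SAMPLE_V6" | check_dns_dnat 2001:db8::7 \
    || echo "IPv6 DNS is not fully redirected"

# On a live system (as root), while the VPN is connected:
#   iptables  -t nat -S OUTPUT | check_dns_dnat 10.31.33.7
#   ip6tables -t nat -S OUTPUT | check_dns_dnat 2001:db8::7
```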

Ubuntu - OpenVPN

  1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
  2. Go to our OpenVPN config generator and download a config.
  3. Click the networking/sound/battery icons in the top right, then the gear icon to open Settings.
  4. You should be in the Network tab, so click the + icon to the right of "VPN".
  5. Choose "Import from file...", then select the config file you just downloaded.
  6. On some WiFi networks, and virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  7. Enter your cryptostorm token into the username field, and any text into the password field, then click the "Add" button in the top right.
  8. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Fedora - OpenVPN

  1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
  2. Go to our OpenVPN config generator and download a config
  3. Click the networking/sound/battery icons in the top right, then the gear icon to open Settings
  4. Click the Network tab to the left, then to the right of VPN click the + icon
  5. Choose Import from file, and select the config file you just downloaded
  6. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  7. Enter your cryptostorm token into the username field, and any text into the password field, then click the blue Add button in the top right
  8. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Manjaro - OpenVPN

  1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
  2. Go to our OpenVPN config generator and download a config
  3. Click the networking/sound/battery icons in the top right, then the gear icon to open Settings
  4. Click the Network tab to the left, then to the right of VPN click the + icon
  5. Choose Import from file, and select the config file you just downloaded
  6. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  7. Enter your cryptostorm token into the username field, and any text into the password field, then click the blue Add button in the top right
  8. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Linux Mint - OpenVPN

  1. Go to our OpenVPN config generator and download a config.
  2. Click the networking icon in the bottom right, then click Network Settings
  3. Click the + icon near the bottom left, then choose Import from file...
  4. Select the config file you just downloaded
  5. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  6. Enter your cryptostorm token into the username field, and any text into the password field, then click the Add button in the bottom right
  7. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

EndeavourOS - OpenVPN

  1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
  2. Go to our OpenVPN config generator and download a config.
  3. EndeavourOS's NetworkManager openvpn plugin doesn't support --tls-crypt-v2, so don't enable that
  4. Next, click the network icon in the bottom right, then the settings icon to the right of "Networks".
  5. In the Wi-Fi & Networking window, click the + symbol then choose "Import VPN Connection..." and click the Create button.
  6. Navigate to your Downloads folder, and select the config file you just downloaded.
  7. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  8. Enter your cryptostorm token into the username field, and any text into the password field, then click the Apply button near the bottom right.
  9. From this Wi-Fi & Networking window right click the new VPN entry then click "Connect" to connect.
    You can also connect by clicking on that network icon in the bottom right, then clicking the "Connect" button, the one to the right of the VPN entry.
  10. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

openSUSE - OpenVPN

  1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
  2. Go to our OpenVPN config generator and download a config.
  3. openSUSE's NetworkManager doesn't support --tls-crypt-v2, so don't enable that
  4. Next, click the network icon in the bottom right, then the settings icon to the right of "Networks".
  5. In the Connections window, click the + symbol then choose "Import VPN Connection..." and click the Create button.
  6. Navigate to your Downloads folder, and select the config file you just downloaded.
  7. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  8. Enter your cryptostorm token into the username field, and any text into the password field, then click the Apply button near the bottom right.
  9. From this Connections window right click the new VPN entry then click "Connect" to connect.
    You can also connect by clicking on that network icon in the bottom right, then clicking the "Connect" button, the one to the right of the VPN entry.
  10. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Pop!_OS - OpenVPN

  1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
  2. Go to our OpenVPN config generator and download a config.
  3. Click the settings icon in the bottom right (if using the dock), otherwise click the networking icon in the top right and go to Settings.
  4. Click the + icon to the right of the text "VPN"
  5. Choose "Import from file...", and select the config file you just downloaded
  6. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  7. Enter your cryptostorm token into the username field, and any text into the password field, then click the Add button to the top right
  8. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Elementary OS - OpenVPN

  1. Go to our OpenVPN config generator and download a config
  2. Click the <...> icon in the top right, then go to Network Settings...
  3. Click the VPN tab to the left, then the + icon near the bottom
  4. Choose "Import a saved VPN configuration...", then click Create and select the config file you just downloaded
  5. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  6. Enter your cryptostorm token into the username field, and any text into the password field, then click the Save button in the bottom right
  7. Click the Connect button to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Zorin OS - OpenVPN

  1. Go to our OpenVPN config generator and download a config
  2. Click the networking/sound/battery icons in the bottom right, then the gear icon to open Settings
  3. Click the Network tab to the left, then to the right of VPN click the + icon
  4. Choose Import from file, and select the config file you just downloaded
  5. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  6. Enter your cryptostorm token into the username field, and any text into the password field, then click the blue Add button in the top right
  7. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Solus - OpenVPN

  1. Go to our OpenVPN config generator and download a config
  2. Right click the networking icon in the bottom right, then click "VPN Connections", then "Configure VPN..."
    (or "Add a VPN connection..." if this is the first VPN you've configured)
  3. Click the + icon, then "Import a saved VPN configuration..." at the bottom of the list, click the Create button then select the config file you just downloaded
  4. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  5. Enter your cryptostorm token into the username field, and any text into the password field, then click the Save button at the bottom right
  6. Right click the networking icon in the bottom right again, then click "VPN Connections", then click the VPN server you just imported.
  7. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

MX Linux - OpenVPN

  1. Go to our OpenVPN config generator and download a config.
  2. Click the networking icon to the left, then go to "VPN Connections" then "Add a VPN connection..."
    (or "Configure VPN..." if this isn't your first time setting up a VPN)
  3. Choose "Import a saved VPN configuration..." at the very bottom of that list, then select the config file you just downloaded.
  4. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  5. Enter your cryptostorm token into the username field, and any text into the password field, then click the Save button to the bottom right.
  6. Go back to the networking icon in the top right, click VPN Connections, then click the VPN server you just imported.
  7. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Gentoo - OpenVPN

  1. Go to our OpenVPN config generator and download a config
  2. Gentoo's NetworkManager doesn't support --tls-crypt-v2, so don't enable that.
  3. Click the networking icon in the bottom right, then the settings icon to open Settings.
  4. Click the + icon at the bottom center, choose Import VPN connection at the bottom of that list then click the Create button, then select the config file you just downloaded.
  5. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  6. Enter your cryptostorm token into the username field, and any text into the password field, then click the blue Add button in the top right
  7. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Parrot OS - OpenVPN

  1. Go to our OpenVPN config generator and download a config
  2. Click the networking icon in the top right, then go to "VPN Connections" then "Add a VPN connection..."
    (or "Configure VPN..." if this isn't your first time setting up a VPN)
  3. Choose "Import a saved VPN configuration..." at the very bottom of that list, then select the config file you just downloaded.
  4. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  5. Enter your cryptostorm token into the username field, and any text into the password field, then click the Save button to the bottom right.
  6. Go back to the networking icon in the top right, click VPN Connections, then click the VPN server you just imported.
  7. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
  8. Parrot OS includes software that could be used maliciously (for scanning, hacking, etc.).
    Port scanning, subnet scanning, hacking, etc. is NOT allowed on cryptostorm. See our terms of service page.

Nitrux - OpenVPN

  1. Go to our OpenVPN config generator and download a config.
  2. Nitrux's NetworkManager doesn't support --tls-crypt-v2, so don't enable that.
  3. Right-click the networking icon in the top right, then click Configure Network Connections.
  4. Click the + icon at the bottom left, choose Import VPN connection at the bottom of that list then click the Create button.
  5. Select the config file you just downloaded, then once it's imported, click on it under the VPN(openvpn) list to select it.
  6. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  7. Enter your cryptostorm token into the username field, and any text into the password field, then click the Apply button at the bottom right.
  8. Before you connect, first open up a terminal and run:
    sudo tee /etc/NetworkManager/dispatcher.d/cs > /dev/null << 'EOF'
    #!/bin/bash
    case $2 in
    vpn-up)
    cp /etc/resolv.conf /etc/resolv.conf.bak
    echo nameserver 10.31.33.7 > /etc/resolv.conf
    echo nameserver 2001:db8::7 >> /etc/resolv.conf
    ;;
    vpn-down)
    mv -f /etc/resolv.conf.bak /etc/resolv.conf
    ;;
    esac
    EOF
    sudo chmod +x /etc/NetworkManager/dispatcher.d/cs
  9. Replace 10.31.33.7 with 10.31.33.8 (and 2001:db8::7 with 2001:db8::8) if you don't want to use the ad/tracker blocking DNS
  10. Click the networking icon at the top right, then click the VPN node you just added, then the Connect button.
  11. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

Kali Linux - OpenVPN

  1. Go to our OpenVPN config generator and download a config.
  2. Click the networking icon in the top right, then go to "VPN Connections" then "Add a VPN connection..."
    (or "Configure VPN..." if this isn't your first time setting up a VPN)
  3. Choose "Import a saved VPN configuration..." at the very bottom of that list, then select the config file you just downloaded.
  4. On some WiFi networks, and certain virtual machines, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
  5. Enter your cryptostorm token into the username field, and any text into the password field, then click the Save button to the bottom right.
  6. Go back to the networking icon in the top right, click VPN Connections, then click the VPN server you just imported.
  7. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
  8. Kali Linux includes software that could be used maliciously (for scanning, hacking, etc.).
    Port scanning, subnet scanning, hacking, etc. is NOT allowed on cryptostorm. See our terms of service page.

Whonix - OpenVPN

  • See whonix.org/wiki/Tunnels/Introduction for more details on combining a VPN with Tor.

    VPN -> Tor

  • This would really only be useful for people behind restrictive firewalls that only allow VPN (or SSH, or HTTPS) connections.
    If you're trying to hide your Tor usage from your ISP, use bridges and pluggable transports.

    VPN -> Tor -> Internet (VPN on the Host OS)

    1. This one is probably the easiest to do. Simply connect to the VPN from the Host OS using the instructions for that OS.
    2. Once you're connected, start up the Gateway and Workstation Whonix VMs.
    3. The Gateway VM will connect to Tor via the Host OS's VPN connection.

    VPN -> Tor -> Internet (VPN on the Gateway VM)

    1. Start up the Gateway VM, and if this is the first time you've started the VM, when the Anon Connection Wizard pops up just leave it open.
      If this isn't the first time you've started the VM, click the blue icon to the top left, then go to System then start Anon Connection Wizard, then choose Disable Tor.
    2. Open the terminal and run: sudoedit /etc/whonix_firewall.d/50_user.conf (the default sudo pass is: changeme)
      In that empty file add:
      VPN_FIREWALL=1
      then save/close the file.
    3. Next, run sudoedit /lib/systemd/system/openvpn-client@.service and anywhere under the [Service] section add:
      User=tunnel
      Group=tunnel
      and change the line:
      CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
      to:
      AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
      (so just change the text CapabilityBoundingSet to AmbientCapabilities)
    4. Reload the firewall with the command: sudo whonix_firewall
    5. Next, create the openvpn config file using the command: sudoedit /etc/openvpn/client/Singapore_TCP.conf (for example)
    6. Whonix VMs by default have Host to Guest shared clipboard enabled, so on the Host OS download an OpenVPN config from cryptostorm.is/configs/
      and be sure to select the "IPs only" option since the Whonix Gateway VM has no DNS by default,
      and be sure to select the TCP option since Tor doesn't play well with UDP tunnels,
      and just to make things easier, use the inline <auth-user-pass> option described on the OpenVPN config generator page.
    7. Open the config you just downloaded in a text editor on the Host, select everything (ctrl+a on most OSes) and copy it (ctrl+c on most OSes)
    8. Switch back to the Whonix Gateway VM, paste (ctrl+v) into the empty file sudoedit should still have open, and anywhere in the file also add the two lines:
      persist-tun
      persist-key
      and change the line (near the top):
      dev tun
      to:
      dev tun0
      then remove any remote lines that have an IPv6 address (since Whonix has no IPv6 support), then save/close the file.
    9. Next, run the command: sudoedit /lib/systemd/system/tor@default.service.d/40_network-target.conf
      and change the line:
      After=network.target
      to:
      After=network.target openvpn-client@Singapore_TCP.service
      then save/close the file, then run the command: sudo systemctl daemon-reload
    10. And finally, run sudo systemctl start openvpn-client@Singapore_TCP to connect to the VPN
    11. Use the command: sudo systemctl enable openvpn-client@Singapore_TCP if you want openvpn to connect on boot
    12. Now you can connect to tor. If you left that Anon Connection Wizard open from the beginning, click Connect then Next, Next, Finish.
      If you didn't leave it open, click the blue icon to the top left, then go to System then Anon Connection Wizard then Connect.
    13. The Anon Connection Wizard will tell you when you're connected to Tor. If it appears to be stuck at 50%, try rebooting.
      You can't use cryptostorm.is/test to verify that you're on cryptostorm because it'll show your Tor IP, not the VPN IP.
      The only way to verify that your traffic is going through the VPN first is to use a packet sniffer like Wireshark on the Host OS or your router.

    VPN -> Tor -> Internet (VPN on the Workstation VM)

    1. This is unsupported.
      It probably is possible, but it would require removing/changing a lot of the default iptables rules and network settings, since the Workstation VM is configured to only connect to the internet through the Gateway VM. The Gateway sends everything through Tor, so if you misconfigure the Workstation while trying to get it to connect to a VPN first, it most likely will lead to leaks. If you really want to connect to a VPN before Tor, use one of the above methods.

    Tor -> VPN

  • This might be useful if a website you're going to blocks Tor exit IPs, but allows VPN IPs.

    Tor -> VPN -> Internet (VPN on the Host OS)

    1. This wouldn't work.
      Everything through the Gateway goes through Tor, and the Gateway is bound to your main network adapter, which if on a VPN, will do VPN -> Tor, not Tor -> VPN.

    Tor -> VPN -> Internet (VPN on the Gateway VM)

    According to whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN this is unsupported, unless using Qubes and a separate Gateway VM.

    Tor -> VPN -> Internet (VPN on the Workstation OS)

    1. Start the Gateway VM and connect to Tor with the Anon Connection Wizard like you normally would, then start up the Workstation VM.
    2. After both are fully connected to Tor, open the terminal on the Workstation VM and run the command: sudo apt update (the default sudo pass is changeme)
      and once that's done installing, run the command: sudoedit /etc/whonix_firewall.d/50_user.conf
      and in that empty file add:
      WORKSTATION_FIREWALL=1
      TUNNEL_FIREWALL_ENABLE=true
      then save/close the file.
    3. Next, run sudoedit /lib/systemd/system/openvpn-client@.service and anywhere under the [Service] section add:
      User=tunnel
      Group=tunnel
      and change the line:
      CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
      to:
      AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
      (so just change the text CapabilityBoundingSet to AmbientCapabilities)
      and if you want OpenVPN to start automatically next time you boot the Workstation VM, also change the lines (under [Unit] near the top):
      After=network-online.target
      Wants=network-online.target
      to:
      After=network-online.target tor.service
      Wants=network-online.target tor.service
    4. Reload the firewall with the command: sudo whonix_firewall
    5. Next, create the openvpn config file using the command: sudoedit /etc/openvpn/client/Singapore_TCP.conf (for example)
    6. Whonix VMs by default have Host to Guest shared clipboard enabled, so on the Host OS download an OpenVPN config from cryptostorm.is/configs/
      and be sure to select the IPs only option,
      and be sure to select the TCP option since Tor can't handle UDP tunnels,
      and just to make things easier, use the inline <auth-user-pass> option described on the OpenVPN config generator page.
    7. Open the config you just downloaded in a text editor on the Host, select everything (ctrl+a on most OSes) and copy it (ctrl+c on most OSes)
    8. Switch back to the Whonix Gateway VM, paste (ctrl+v) into the empty file sudoedit should still have open, and anywhere in the file also add the lines:
      persist-tun
      persist-key
      script-security 2
      up "/etc/openvpn/cs-dns script_type=up dev=tun0"
      down "/etc/openvpn/cs-dns script_type=down dev=tun0"
      
      and change the line (near the top):
      dev tun
      to:
      dev tun0
      then save/close that file.
    9. Next, run the command: sudoedit /etc/openvpn/cs-dns and paste these lines into the file:
      #!/bin/bash
      case "$script_type" in
       up)
        echo "nameserver 10.31.33.7" > /etc/resolv.conf
       ;;
       down)
        echo "nameserver 10.152.152.10" > /etc/resolv.conf
       ;;
      esac
    10. Replace 10.31.33.7 with 10.31.33.8 if you don't want to use the ad/tracker blocking DNS
    11. Run the command sudo chmod 755 /etc/openvpn/cs-dns
      then finally connect to the VPN with the command: sudo systemctl start openvpn-client@Singapore_TCP
      and if you want it to connect next time you start the Workstation VM, you can use the command sudo systemctl enable openvpn-client@Singapore_TCP
      (provided you also added tor.service to the After=/Wants= lines in openvpn-client@.service above).
    12. Before you can install anything, you need to tell apt not to use the Tor SOCKS proxy by running the command: sudo sed -e's/tor+//' -i /etc/apt/sources.list /etc/apt/sources.list.d/*
      then the command: sudo sh -c 'echo uwtwrapper_global=0 > /etc/uwt.d/50_uwt_user.conf'
    13. The default browser is Tor Browser, which is hardcoded to use the Tor SOCKS proxy that's on the Gateway, so you'll need to install a different browser to use the VPN IP on websites.
      For example, to install chromium the command would be: sudo apt install chromium
      Then you can start it by clicking on the blue icon in the top left then going to Internet -> Chromium, or by running the command chromium
    14. Use cryptostorm.is/test (not in Tor Browser, in Chromium, or whatever browser you install) to verify that the internet sees you as using the VPN IP and not a Tor IP.
    15. The other preinstalled internet software (HexChat, Thunderbird, etc.) is also set up to use the Gateway's Tor SOCKS proxy, but it's not hardcoded.
      HexChat's proxy settings are under Settings -> Preferences -> Network -> Network setup. Remove the IP from the Proxy Server section.
      As for Thunderbird, click the three horizontal lines near the top right, then go to Settings -> Network & Disk Space -> Connection -> Settings and select "No proxy".
      Even though you're configuring these programs to *not* use the Tor SOCKS proxy, they will still connect to Tor first because everything goes through the VPN, which you connected to through Tor.
      You can verify that the connection is doing Tor -> VPN by opening the tor-control-panel (lock icon on the top right in the Gateway VM -> Tor control panel) then going to Utilities -> Onion Circuits.
      You should see the VPN IP somewhere in there, and it'll tell you what Tor circuit is used to connect to that IP.
      Another way is to run Wireshark on the Host OS, against your main network adapter. If you connect to the VPN but Wireshark doesn't show any packets going to that IP, then it's correctly routing through Tor first.
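
The config edits from step 8 of both Whonix procedures above (VPN on the Gateway VM and VPN on the Workstation VM) can be scripted; the following is an added example, not part of the original instructions. The function name whonix_prepare_config, the sample config and its 192.0.2.10 / 2001:db8::10 addresses are constructed; inline <...> blocks are left untouched, and the function fails if removing the IPv6 remotes leaves no server to connect to.

```bash
#!/bin/bash
# Added example: apply the step 8 edits to an OpenVPN config.
#   $1 = gateway | workstation; config on stdin, edited config on stdout
# gateway:     dev tun -> dev tun0, drop IPv6 "remote" lines,
#              add persist-tun / persist-key
# workstation: dev tun -> dev tun0, add persist-tun / persist-key,
#              script-security 2 and the cs-dns up/down hooks
# Returns 0 on success, 1 if no "remote" line is left, 2 on a bad mode.
whonix_prepare_config() {
    case "$1" in
        gateway|workstation) ;;
        *) echo "usage: whonix_prepare_config gateway|workstation" >&2
           return 2 ;;
    esac
    awk -v mode="$1" '
        # Lines inside inline blocks (<ca>, <auth-user-pass>, ...) are data,
        # not directives, so pass them through unchanged
        /^<\/[A-Za-z0-9_-]+>/ { inblock = 0; print; next }
        /^<[A-Za-z0-9_-]+>/   { inblock = 1; print; next }
        inblock               { print; next }

        $1 == "dev" && $2 == "tun" { print "dev tun0"; next }
        # An address containing ":" is an IPv6 literal
        mode == "gateway" && $1 == "remote" && $2 ~ /:/ { next }
        $1 == "remote"      { remotes++ }
        $1 == "persist-tun" { have_tun = 1 }
        $1 == "persist-key" { have_key = 1 }
        { print }

        END {
            if (!have_tun) print "persist-tun"
            if (!have_key) print "persist-key"
            if (mode == "workstation") {
                print "script-security 2"
                print "up \"/etc/openvpn/cs-dns script_type=up dev=tun0\""
                print "down \"/etc/openvpn/cs-dns script_type=down dev=tun0\""
            }
            if (remotes == 0) {
                print "error: no usable remote line left" > "/dev/stderr"
                exit 1
            }
        }'
}

# Constructed sample config ("IPs only", TCP, inline credentials). The
# password is deliberately "dev tun" to show inline blocks are not edited.
SAMPLE_OVPN='client
dev tun
proto tcp
remote 192.0.2.10 443
remote 2001:db8::10 443
<auth-user-pass>
CONSTRUCTED_TOKEN
dev tun
</auth-user-pass>'

printf '%s\n' "$SAMPLE_OVPN" | whonix_prepare_config gateway
```

Because the output is written before the final check, send it to a temporary file and only move it into /etc/openvpn/client/ when the function returns 0.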

Kodachi - OpenVPN

  • Sometimes we get emails from people asking how to connect to cryptostorm using this distro.

    Kodachi hasn't been updated since early 2023, and it includes even older versions of important security/privacy related software:
    OpenSSH 8.2 is from 2020-2-14, OpenVPN 2.4.4 is from 2017-9-26 (but built on 2022-3-22, when 2.5.6 was the latest), OpenSSL 1.1.1 is from 2018-9-11, tor 0.4.4.5 is from 2021-09-15, Tor Browser 12.0.3 is from 2023-2-17 (but Help -> About Tor Browser incorrectly says it's "Up to date"), etc. etc.
    All of these programs have vulnerabilities that are addressed in newer versions.
    There's also a lot of extra software installed that most people probably won't need, and unnecessary duplicates of the same type of software.
    More software = more attack surfaces. Oh, and apt update/upgrade is broken by default, as is the gui package updater. So you won't be able to upgrade anything without fixing the apt setup.
    The "Kodachi Lite Browser" is just Firefox 110.0, which came out in 2023-2-14, and since apt is broken it won't automatically update.
    Using anything but the latest version of a browser will make your system less secure.
    So unless you plan on compiling things from source yourself, we don't recommend using Kodachi for anything.
    And if you are planning on compiling things yourself, you might as well use a minimal distro that you would have more control over.

    For these reasons, we're not going to write instructions for connecting to cryptostorm using Kodachi.
    The background widgets and the dashboard might look neat, but behind the curtains things aren't nearly as private or secure.

Qubes OS - OpenVPN

  • These instructions are for Qubes OS 4.2
    If you keep your online identities separate between each qube, you should keep in mind that the methods below would give your AppVMs the same VPN IP
    (unless you're creating separate ProxyVMs for each AppVM/identity).

    NetVM

    1. In this setup, you connect to the VPN from the NetVM, the qube that's providing all your other qubes with internet.
      All your AppVMs that use this NetVM would also use the VPN.
    2. Open a terminal in your NetVM (sys-net by default), then run: sudo dnf update openvpn ; sudo mkdir /rw/config/csvpn
    3. Copy/paste these commands into the terminal:
      sudo tee -a /rw/config/rc.local > /dev/null << 'EOF'
      CSVPN_DNS="/rw/config/csvpn/csdns"
      if [[ -f $CSVPN_DNS ]]; then
       cp -f $CSVPN_DNS /etc/NetworkManager/dispatcher.d/
      fi
      EOF
      sudo tee /rw/config/csvpn/csdns > /dev/null << 'EOF'
      #!/usr/bin/sh
      CSDNS="10.31.33.7"
      ORIGINAL_RULES="/rw/config/csvpn/original.rules"
      if ! [ -f "$ORIGINAL_RULES" ]; then
          nft list chain ip qubes dnat-dns > $ORIGINAL_RULES
      fi
      if [[ ( "$DEVICE_IFACE" == cs-* || "$DEVICE_IFACE" == tun* ) && ( "$2" == "up" || "$2" == "vpn-up" ) ]]; then
          nft flush chain ip qubes dnat-dns
          nft add rule ip qubes dnat-dns ip daddr 10.139.1.1 udp dport 53 dnat to $CSDNS
          nft add rule ip qubes dnat-dns ip daddr 10.139.1.1 tcp dport 53 dnat to $CSDNS
          nft add rule ip qubes dnat-dns ip daddr 10.139.1.2 udp dport 53 dnat to $CSDNS
          nft add rule ip qubes dnat-dns ip daddr 10.139.1.2 tcp dport 53 dnat to $CSDNS
          chmod -x /etc/NetworkManager/dispatcher.d/qubes-nmhook
      fi
      
      if [[ ( "$DEVICE_IFACE" == cs-* || "$DEVICE_IFACE" == tun* ) && ( "$2" == "down" || "$2" == "vpn-down" ) ]]; then
          nft flush chain ip qubes dnat-dns
          chmod +x /etc/NetworkManager/dispatcher.d/qubes-nmhook
          if [ -f $ORIGINAL_RULES ]; then
              nft -f $ORIGINAL_RULES
              rm -f $ORIGINAL_RULES
          fi
      fi
      EOF
      sudo chmod +x /rw/config/csvpn/csdns
      sudo /rw/config/rc.local
    4. Replace 10.31.33.7 with 10.31.33.8 if you don't want to use our ad/tracker blocking DNS.
    5. Start Firefox in whichever AppVM you use for web browsing, then go to our OpenVPN config generator to download a config.
    6. Open the Thunar File Manager for that AppVM, navigate to the Downloads folder, right click on the config you just downloaded, and select 'Move to other qube'.
      Select the sys-net qube from the Target: dropdown list.
    7. Switch back to the NetVM/sys-net terminal and copy that config to your homedir with: cp ~/QubesIncoming/*/*.ovpn ~/
      then import the config into NetworkManager using nm-connection-editor -i Singapore_UDP.ovpn
      (replace Singapore_UDP.ovpn with the filename of the config you just downloaded).
    8. On some WiFi networks, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
    9. Enter your cryptostorm token into the username field, and any text into the password field, then click the Save button at the bottom right.
    10. To connect, click the networking icon in the top right then go to VPN Connections, then click the VPN profile you just imported.
    11. That's it! Any qube using this NetVM for their networking should now be using the VPN.
      Use https://cryptostorm.is/test on any networking enabled qube to verify that your IP has changed.
      Keep in mind that this setup is not failsafe (it lacks a killswitch to prevent leaks if the VPN goes down). If you need that, use the ProxyVM setup below.

    ProxyVM

    1. In this setup, you create a ProxyVM that acts as the NetVM for whichever AppVM you want to use the VPN.
      This means you can choose which AppVMs use the VPN, and which connect directly to the internet.
      It also means it's easier to implement a killswitch, and your VPN credentials are separated from the NetVM and AppVM.
    2. Open the Qube Manager and click the New qube button. Name it sys-vpn-cs (or whatever) and pick a color for it.
      Leave the Type as the default "AppVM (persistent home, volatile root)", the Template as the fedora default, and Networking as "default (sys-firewall)".
      Select the "Launch settings after creation" box, and click the Advanced tab and check the "Provides network access to other qubes" box.
    3. Click OK to create the qube, then when the Settings window comes up, switch to the Services tab and add the network-manager, meminfo-writer, and qubes-firewall services.
      Click Apply/OK, then start up the new qube.
    4. Start a terminal under this new sys-vpn-cs qube using the start menu to the top left, or the qube icon in the top right.
    5. OpenVPN should already be installed, but you should still update it to the latest with the command: sudo dnf update openvpn
    6. Start Firefox in whichever AppVM you use for web browsing, then go to our OpenVPN config generator to download a config.
    7. Open the Thunar File Manager for that AppVM, navigate to the Downloads folder, right click on the config you just downloaded, and select 'Move to other qube'.
      Select the sys-vpn-cs qube from the Target: dropdown list.
    8. Switch back to the sys-vpn-cs terminal and copy that config to your homedir with: cp ~/QubesIncoming/*/*.ovpn ~/
      then import the config into NetworkManager using nm-connection-editor -i Singapore_UDP.ovpn
      (replace Singapore_UDP.ovpn with the filename of the config you just downloaded).
    9. On some WiFi networks, you might need to set the MTU to 1400 under Advanced, at least for the UDP configs.
    10. Enter your cryptostorm token into the username field, and any text into the password field, then click the Save button at the bottom right.
    11. To connect, click the networking icon in the top right (the one for this qube, not the main NetVM one), then VPN Connections, then click the VPN profile you just imported.
    12. That's it! Use the Qube Manager to set another qube's NetVM/networking to this new sys-vpn-cs ProxyVM, if you want that qube to use the VPN.
      On the qube(s) that you choose to do that with, use https://cryptostorm.is/test to verify that your IP has changed.
      And if you need a killswitch, running these commands on the ProxyVM will prevent any non-VPN traffic from leaving the AppVMs connected to this ProxyVM:
      sudo nft flush chain qubes custom-forward
      sudo nft flush chain ip6 qubes custom-forward
      sudo nft insert rule qubes custom-forward oifname eth0 counter drop
      sudo nft insert rule ip6 qubes custom-forward oifname eth0 counter drop
      sudo nft insert rule qubes custom-forward iifname eth0 counter drop
      sudo nft insert rule ip6 qubes custom-forward iifname eth0 counter drop
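
One way to confirm the killswitch rules above are still in place and still evaluated first, as an added example that is not cryptostorm's own code. It parses the text printed by `nft list chain`; the three listings embedded here are constructed samples, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: audit the ProxyVM killswitch chain.
# Feed it one listing per address family, e.g. on the ProxyVM:
#   sudo nft list chain ip  qubes custom-forward | killswitch_audit
#   sudo nft list chain ip6 qubes custom-forward | killswitch_audit

UPLINK="${UPLINK:-eth0}"   # uplink interface used in the commands above

# Returns 0 only if the custom-forward chain on stdin drops traffic both
# entering (iifname) and leaving (oifname) via $UPLINK, and no accept rule
# sits ahead of either drop. Prints one line per problem found.
killswitch_audit() {
    awk -v ifc="$UPLINK" '
        BEGIN { ifc = "\"" ifc "\"" }            # nft prints names quoted
        /chain custom-forward/ { inchain = 1; next }
        inchain && $1 == "}"   { inchain = 0 }
        !inchain               { next }
        { n++ }                                   # rule position in chain
        $NF == "accept" && !first_accept { first_accept = n }
        $1 == "iifname" && $2 == ifc && $NF == "drop" && !in_drop  { in_drop = n }
        $1 == "oifname" && $2 == ifc && $NF == "drop" && !out_drop { out_drop = n }
        END {
            if (!in_drop)  { print "missing: drop for iifname " ifc; bad = 1 }
            if (!out_drop) { print "missing: drop for oifname " ifc; bad = 1 }
            if (first_accept && in_drop && out_drop &&
                (first_accept < in_drop || first_accept < out_drop)) {
                print "accept rule at position " first_accept " precedes a drop"
                bad = 1
            }
            exit bad
        }
    '
}

# --- Constructed sample listings (not captured from a real system) ---
sample_good() { cat << 'EOF'
table ip qubes {
    chain custom-forward {
        iifname "eth0" counter packets 0 bytes 0 drop
        oifname "eth0" counter packets 3 bytes 180 drop
    }
}
EOF
}

sample_one_way() { cat << 'EOF'
table ip qubes {
    chain custom-forward {
        oifname "eth0" counter packets 3 bytes 180 drop
    }
}
EOF
}

sample_accept_first() { cat << 'EOF'
table ip qubes {
    chain custom-forward {
        oifname "eth0" ip daddr 192.0.2.10 accept
        iifname "eth0" counter packets 0 bytes 0 drop
        oifname "eth0" counter packets 0 bytes 0 drop
    }
}
EOF
}

for s in sample_good sample_one_way sample_accept_first; do
    if "$s" | killswitch_audit > /dev/null; then
        echo "$s: killswitch intact"
    else
        echo "$s: traffic can bypass the VPN"
    fi
done
```

A non-zero packet counter on either drop rule means something behind the ProxyVM tried to reach the uplink directly and was blocked.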

    Tails - OpenVPN

    See the Tails Wiki for the current state of VPN support in Tails. TLDR: Officially, VPNs aren't supported in Tails, yet. But it's doable.

    VPN -> Tor

    This would really only be useful for people behind restrictive firewalls that only allow VPN (or SSH, or HTTPS) connections.
    If you're trying to hide your Tor usage from your ISP, use bridges and pluggable transports.

    VPN -> Tor -> Internet (VPN on the Host)

    1. This one applies if you're running Tails in a VM. Basically, just connect to the VPN on the Host system like you normally would.
    2. Once you start up the Tails VM, it'll connect to Tor through the VPN on the Host.
    3. You can verify that you're connected to the VPN by going to Applications -> Internet -> Unsafe Browser and going to cryptostorm.is/test

    VPN -> Tor -> Internet (VPN on Tails)

    1. You still need to connect to Tor initially to install OpenVPN since it doesn't come preinstalled.
    2. When you first start Tails, a Welcome to Tails screen will appear. At the bottom left of this window is an Additional Settings section.
      Click the + sign that's under this, then double click Administration Password then choose a password.
      You can also choose to enable Persistent Storage on this Welcome screen.
      If you don't enable it, then every time you boot you'll have to reinstall OpenVPN and redownload the config(s).
      Click the Start Tails button near the top right when you're done setting a password.
    3. A Tor Connection window will pop up after that, and it'll ask if you want to "Connect to Tor automatically", or "Hide to my local network that I'm connecting to Tor".
      Choose the "Connect to Tor automatically" option then click the Connect to Tor button.
    4. When that's finished, click Applications -> System Tools -> Root Terminal, then type in the password you picked earlier.
    5. Run the command: apt update then run: apt install openvpn then leave the terminal open.
    6. After openvpn is finished installing, go to Applications -> Internet -> Tor Browser and navigate to our OpenVPN config generator page to download a config.
      Be sure to select the "IPs only" option, since DNS won't work when Tor is stopped later.
      To make things easier, use the inline <auth-user-pass> option described on the OpenVPN config generator page,
      and be sure to save the config to the default amnesia -> Tor Browser directory.
    7. Back at the Root Terminal, run the command: modprobe tun then, if you chose a UDP config (the default) run the command:
      iptables -I OUTPUT ! -o lo -m udp -p udp --dport 443 -m owner --uid-owner 0 -j ACCEPT
      or if you chose a TCP config, run the command:
      iptables -I OUTPUT ! -o lo -m tcp -p tcp --dport 443 -m owner --uid-owner 0 -j ACCEPT
      and if you changed the default port (443) on the OpenVPN config generator page, be sure to change it in the above command as well.
    8. Next, run the command: cd /home/amnesia/'Tor Browser'
      then stop Tor with: systemctl stop tor
      then connect to the VPN with: openvpn --config Singapore_UDP.ovpn
      (Replace Singapore_UDP.ovpn with the actual filename of the config you just downloaded).
      Once you see "Initialization Sequence Complete", the VPN is connected.
    9. Finally, start Tor back up again by running: systemctl start tor
      You should now be connected to Tor via the VPN.
      If you disconnect from the VPN you'll need to run the above iptables command again before you can reconnect to the VPN.
    10. Also, the Unsafe Browser (under Applications -> Internet) that bypasses Tor won't work because its DNS isn't configured.
      After you connect to the VPN, you can run the command echo nameserver 10.31.33.7 > /etc/resolv-over-clearnet.conf to get DNS working with that browser.
      Technically, doing this would act as a killswitch for the VPN since 10.31.33.7 is only accessible while on the VPN,
      so if the VPN disconnects the Unsafe Browser wouldn't be able to resolve anything, which would keep your real IP from accessing websites.
      And if you disconnect from the VPN, /etc/resolv-over-clearnet.conf will be emptied, so you would have to run that echo command again if you need to use the Unsafe Browser.

    Tor -> VPN -> Internet

    1. This is unsupported.
      It probably is possible, but it would require changing a lot of individual software settings, and a bunch of the default iptables rules.
      Something similar to the Whonix instructions for Tor -> VPN might work, but it would be more difficult in Tails.

    Debian - WireGuard

    using NetworkManager

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    4. Download the config(s) from that page, then open up a Terminal
    5. Switch to the Downloads directory with the command: cd Downloads
    6. Then run: su -c 'nmcli connection import type wireguard file cs-montreal.conf'
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    7. Once you run that command, you will instantly connect to the VPN.
    8. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    9. If you need to disconnect, use the command: su -c 'nmcli connection down cs-montreal'
      To reconnect, use the command: su -c 'nmcli connection up cs-montreal'
      or you can use the networking icon in the top right to disconnect/reconnect.
      If you need to remove a VPN profile, use su -c 'nmcli connection delete cs-montreal'
      (again, replacing cs-montreal with whatever node you connected to)

    not using NetworkManager

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    4. Download the config(s) from that page, then open up a Terminal
    5. Switch to the Downloads directory with the command: cd Downloads
      then run: su -c 'apt-get install wireguard openresolv'
    6. Move the configs to /etc/wireguard/ with: su -c 'mv cs-* /etc/wireguard/'
    7. To connect, run the command su -lc 'wg-quick up cs-montreal' (replacing cs-montreal with the config you just downloaded)
    8. Note the -l in this su command. Without it, wg-quick won't be able to find resolvconf.
    9. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    Ubuntu - WireGuard

    The latest Ubuntu

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    4. Download the config(s) from that page, then click the networking/sound/battery icons in the top right, then the gear icon to open Settings
    5. Click the Network tab to the left, then to the right of VPN click the + icon
    6. Choose Import from file, and select the config file you just downloaded
    7. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    Ubuntu 23.10 (Mantic Minotaur)

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then click the networking/sound/battery icons in the top right, then the gear icon to open Settings.
    4. Click the Network tab to the left, then to the right of VPN click the + icon.
    5. Choose Import from file, and select the config file you just downloaded.
    6. Before you toggle the switch on to connect, first open up a Terminal.
    7. Copy/paste into the Terminal the commands:
      sudo tee /etc/NetworkManager/dispatcher.d/cs > /dev/null << 'EOF'
      #!/bin/bash
      case $2 in
      up)
      cp /etc/resolv.conf /etc/resolv.conf.bak
      echo nameserver 10.31.33.7 > /etc/resolv.conf
      echo nameserver 2001:db8::7 >> /etc/resolv.conf
      ;;
      down)
      mv /etc/resolv.conf.bak /etc/resolv.conf
      ;;
      esac
      EOF
      sudo chmod +x /etc/NetworkManager/dispatcher.d/cs
    8. Replace 10.31.33.7 with 10.31.33.8 (and 2001:db8::7 with 2001:db8::8) if you don't want to use our ad/tracker blocking DNS.
    9. Now you can go back to the Settings window and toggle the switch on to connect.
    10. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    11. There's an obscure bug in this Ubuntu release.
      If you import a WireGuard config, the 10.10.x.x/fd00:10:10:x IPs get added to an /etc/netplan/90-NM*.yaml file.
      The bug is that if you delete that VPN profile, then generate and import a new config for the same node, NetworkManager will
      add the old 10.10.x.x/fd00:10:10:x IPs to the new config, alongside the new IPs, which breaks things.
      So if you're trying to import a new config for a node you've already used/deleted before, try deleting /etc/netplan/90-NM*.yaml first.

    Ubuntu 22.04.4 LTS (Jammy Jellyfish)

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then open up a Terminal.
    4. Switch to the Downloads directory with the command: cd Downloads
      Then run: sudo nmcli connection import type wireguard file cs-montreal.conf
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    5. Once you run that command, you will instantly connect to the VPN.
    6. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    7. If you need to disconnect, use the command: sudo nmcli connection down cs-montreal
      To reconnect, use the command: sudo nmcli connection up cs-montreal
      If you need to remove a VPN profile, use sudo nmcli connection delete cs-montreal
      (again, replacing cs-montreal with whatever node you connected to).

    Ubuntu 20.04.6 LTS (Focal Fossa)

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then open up a Terminal.
    4. Switch to the Downloads directory with the command: cd Downloads then copy/paste:
      sudo tee /etc/NetworkManager/dispatcher.d/cs > /dev/null << 'EOF'
      #!/bin/bash
      case $2 in
      up)
      cp /etc/resolv.conf /etc/resolv.conf.bak
      echo nameserver 10.31.33.7 > /etc/resolv.conf
      echo nameserver 2001:db8::7 >> /etc/resolv.conf
      ;;
      down)
      mv /etc/resolv.conf.bak /etc/resolv.conf
      ;;
      esac
      EOF
      sudo chmod +x /etc/NetworkManager/dispatcher.d/cs
    5. Replace 10.31.33.7 with 10.31.33.8 (and 2001:db8::7 with 2001:db8::8) if you don't want to use our ad/tracker blocking DNS.
    6. Then run: sudo nmcli connection import type wireguard file cs-montreal.conf
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    7. Once you run that command, you will instantly connect to the VPN.
    8. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    9. If you need to disconnect, use the command: sudo nmcli connection down cs-montreal
      To reconnect, use the command: sudo nmcli connection up cs-montreal
      If you need to remove a VPN profile, use sudo nmcli connection delete cs-montreal
      (again, replacing cs-montreal with whatever node you connected to).

    Fedora - WireGuard

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Download the config(s) from that page, then click the networking/sound/battery icons in the top right, then the gear icon to open Settings
    4. Click the Network tab to the left, then to the right of VPN click the + icon
    5. Choose Import from file, and select the config file you just downloaded
    6. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    Manjaro - WireGuard

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Download the config(s) from that page, then click the networking/sound/battery icons in the top right, then the gear icon to open Settings
    4. Click the Network tab to the left, then to the right of VPN click the + icon
    5. Choose Import from file, and select the config file you just downloaded
    6. Toggle the switch on to connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    Linux Mint - WireGuard

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then open up a Terminal
    4. Switch to the Downloads directory with the command: cd Downloads
      Then run: sudo nmcli connection import type wireguard file cs-montreal.conf
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    5. Once you run that command, you will instantly connect to the VPN.
    6. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    7. If you need to disconnect, use the command: sudo nmcli connection down cs-montreal
      To reconnect, use the command: sudo nmcli connection up cs-montreal
      or you can use the networking icon in the bottom right to disconnect/reconnect.
      If you need to remove a VPN profile, use sudo nmcli connection delete cs-montreal
      (again, replacing cs-montreal with whatever node you connected to)

    EndeavourOS - WireGuard

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    4. Download the config(s) from that page, and save them to the Downloads folder.
      If you downloaded all the configs, open up a terminal and do cd Downloads ; unzip configs.zip or use the GUI to unzip configs.zip
    5. Click the network icon on the bottom right, then the configure icon to the right of "Networks", near the top right of that window.
    6. Click the plus sign and choose "Import VPN connection...", then go to your Downloads folder and select the config file you just downloaded.
    7. Once you import the WireGuard config, it will automatically connect.
      You can also connect from this Wi-Fi & Networking window by right clicking the new VPN entry then clicking "Connect",
      or you can click on that network icon in the bottom right, then the "Connect" button, the one to the right of the VPN entry.
    8. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    openSUSE - WireGuard

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    4. Download the config(s) from that page, and save them to the Downloads folder.
      If you downloaded all the configs, open up a terminal and do cd Downloads ; unzip configs.zip or use the GUI to unzip configs.zip
    5. Click the network icon on the bottom right, then the configure icon to the right of "Networks", near the top right of that window.
    6. Click the plus sign and choose "Import VPN connection...", then go to your Downloads folder and select the config file you just downloaded.
    7. Once you import the WireGuard config, it will automatically connect.
      You can also connect from this Connections window by right clicking the new VPN entry then clicking "Connect",
      or you can click on that network icon in the bottom right, then the "Connect" button, the one to the right of the VPN entry.
    8. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    Pop!_OS - WireGuard

    Live CD

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. WireGuard is not installed by default, and NetworkManager doesn't have a wireguard plugin, so connecting via terminal is the only option.
    3. Open up a terminal from the bottom dock or the Applications menu in the top left, then run sudo apt install wireguard
    4. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page
    5. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    6. Download the config(s) from that page, and save them to the Downloads folder.
    7. Back in the terminal, switch to the Downloads directory with cd Downloads
      then move the configs to /etc/wireguard/ with sudo mv cs-* /etc/wireguard/
      or if you chose to download all the configs: sudo mv configs.zip /etc/wireguard/
      followed by: sudo unzip /etc/wireguard/configs.zip -d /etc/wireguard/
    8. Connect to the VPN with the command: sudo wg-quick up cs-la replacing cs-la with the name of the config you just downloaded, excluding the .conf part
    9. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    Installed

    1. Everything needed to connect is installed by default, and DNS doesn't leak, but NetworkManager only has partial WireGuard support, so the Terminal is still needed.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    4. Download the config(s) from that page, then open up a Terminal
    5. Switch to the Downloads directory with the command: cd Downloads
      Then run: sudo nmcli connection import type wireguard file cs-montreal.conf
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    6. Once you run that command, you will instantly connect to the VPN.
    7. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    8. If you need to disconnect, use the command: sudo nmcli connection down cs-montreal
      and to reconnect, use the command: sudo nmcli connection up cs-montreal
      or if you need to remove a VPN profile, use sudo nmcli connection delete cs-montreal
      (again, replacing cs-montreal with whatever node you connected to)

    Elementary OS - WireGuard

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then open up a Terminal
    4. Switch to the Downloads directory with the command: cd Downloads
      Then run: sudo nmcli connection import type wireguard file cs-montreal.conf
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    5. Once you run that command, you will instantly connect to the VPN.
    6. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    7. If you need to disconnect, use the command: sudo nmcli connection down cs-montreal
      and to reconnect, use the command: sudo nmcli connection up cs-montreal
      or if you need to remove a VPN profile, use sudo nmcli connection delete cs-montreal
      (again, replacing cs-montreal with whatever node you connected to)

    Zorin OS - WireGuard

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then open up a Terminal
    4. Switch to the Downloads directory with the command: cd Downloads
      Then run: sudo nmcli connection import type wireguard file cs-montreal.conf
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    5. Once you run that command, you will instantly connect to the VPN.
    6. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    7. If you need to disconnect, use the command: sudo nmcli connection down cs-montreal
      To reconnect, use the command: sudo nmcli connection up cs-montreal
      or you can use the networking icon in the bottom right. Clicking on cs-montreal (or whatever) will disconnect/reconnect it.
      If you need to remove a VPN profile, use sudo nmcli connection delete cs-montreal
      (again, replacing cs-montreal with whatever node you connected to)

    Solus - WireGuard

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then right click the networking icon in the bottom right, then click "VPN Connections"
      then click "Configure VPN..." (or "Add a VPN connection..." if this is the first VPN you've configured)
    4. Choose "Import a saved VPN configuration", and select the config file you just downloaded
    5. Click the Save button and it will automatically connect to the VPN.
    6. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    MX Linux - WireGuard

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then open up a Terminal
    4. Switch to the Downloads directory with the command: cd Downloads
      Then run: sudo nmcli connection import type wireguard file cs-montreal.conf
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    5. Once you run that command, you will instantly connect to the VPN.
    6. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    7. If you need to disconnect, do so from the networking icon to the left.

    Gentoo - WireGuard

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Download the config(s) from that page, then click the networking icon in the bottom right, then the settings icon to open Settings.
    3. Click the + icon at the bottom center, choose Import VPN connection at the bottom of that list and click the Create button, then select the config file you just downloaded.
    4. Once you import the config, it should immediately connect. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    Parrot OS - WireGuard

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    3. Download the config(s) from that page, then open up a Terminal.
    4. Switch to the Downloads directory with the command: cd Downloads
      Then run: sudo nmcli connection import type wireguard file cs-montreal.conf
      (replacing cs-montreal.conf with the actual filename of the config you just downloaded).
    5. Once you run that command, you will instantly connect to the VPN.
    6. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    7. If you need to disconnect or remove a VPN profile, use the networking icon in the top right.
    8. Parrot OS includes software that could be used maliciously (for scanning, hacking, etc.).
      Port scanning, subnet scanning, hacking, etc. is NOT allowed on cryptostorm. See our terms of service page.

    Nitrux - WireGuard

    1. If you plan on using the default Firefox browser, you should go into Settings -> Privacy & Security then near the bottom, set DNS over HTTPS to Off.
    2. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    3. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    4. Download a config from that page, but before you import it, open a terminal first and copy/paste into it:
      sudo tee /etc/NetworkManager/dispatcher.d/cs > /dev/null << 'EOF'
      #!/bin/bash
      case $2 in
      up)
      cp /etc/resolv.conf /etc/resolv.conf.bak
      echo nameserver 10.31.33.7 > /etc/resolv.conf
      echo nameserver 2001:db8::7 >> /etc/resolv.conf
      ;;
      down)
      mv -f /etc/resolv.conf.bak /etc/resolv.conf
      ;;
      esac
      EOF
      sudo chmod +x /etc/NetworkManager/dispatcher.d/cs
    5. Replace 10.31.33.7 with 10.31.33.8 (and 2001:db8::7 with 2001:db8::8) if you don't want to use the ad/tracker blocking DNS
    6. Right-click the networking icon in the top right, then click Configure Network Connections.
    7. Click the + icon at the bottom left, choose Import VPN connection at the bottom of that list then click the Create button.
    8. Select the config file you just downloaded. It will immediately connect once you import it.
    9. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.

    Kali Linux - WireGuard

    1. Copy your cryptostorm token from the delivery page/email, and paste it into the Simple box on our WireGuard config generator page.
    2. Download a config from that page, and be sure to select "Enable killswitch"
    3. Click the networking icon in the top right, then go to "VPN Connections" then "Add a VPN connection..."
    4. Choose "Import a saved VPN configuration..." at the very bottom of that list, then select the config file you just downloaded, then click the Save button.
    5. After that last step, it will automatically connect to the VPN.
    6. That's it! Check with https://cryptostorm.is/test to verify that your IP has changed.
    7. Kali Linux includes software that could be used maliciously (scanning, hacking, etc.).
      Port scanning, subnet scanning, hacking, etc. is NOT allowed on cryptostorm. See our terms of service page.

    Whonix - WireGuard

  • See whonix.org/wiki/Tunnels/Introduction for more details on combining a VPN with Tor.

    VPN -> Tor

  • This would really only be useful for people behind restrictive firewalls that only allow WireGuard's UDP traffic.
    If you're trying to hide your Tor usage from your ISP, use bridges and pluggable transports.

    VPN -> Tor -> Internet (VPN on the Host OS)

    1. Simply connect to the VPN with WireGuard from the Host OS using the instructions for that OS.
    2. Once you're connected, start up the Gateway and Workstation Whonix VMs.
      The Gateway VM will connect to Tor via the Host OS's VPN connection.
      This appears to be the only method that works.

    Tor -> VPN

  • This doesn't appear to be possible, since Tor can't handle UDP tunnels.
    It might be possible in the future though, if we add TCP tunneling on top of WireGuard (socat client-side + haproxy server-side, for example).

    Kodachi - WireGuard

  • See the OpenVPN Kodachi instructions.

    Qubes OS - WireGuard


  • These instructions are for Qubes OS 4.2
    If you keep your online identities separate between each qube, you should keep in mind that the methods below would give your AppVMs the same VPN IP
    (unless you're creating separate ProxyVMs for each AppVM/identity).

    NetVM

    1. In this setup, you connect to the VPN from the NetVM, the qube that's providing all your other qubes with internet.
      All your AppVMs that use this NetVM would also use the VPN.
    2. Open a terminal in your NetVM (sys-net by default), then run: sudo mkdir /rw/config/csvpn
    3. Copy/paste these commands into the terminal:
      sudo tee -a /rw/config/rc.local > /dev/null << 'EOF'
      CSVPN_DNS="/rw/config/csvpn/csdns"
      if [ -f "$CSVPN_DNS" ]; then
       cp -f $CSVPN_DNS /etc/NetworkManager/dispatcher.d/
      fi
      EOF
      sudo tee /rw/config/csvpn/csdns > /dev/null << 'EOF'
      #!/bin/bash
      CSDNS="10.31.33.7"
      ORIGINAL_RULES="/rw/config/csvpn/original.rules"
      if ! [ -f "$ORIGINAL_RULES" ]; then
          nft list chain ip qubes dnat-dns > $ORIGINAL_RULES
      fi
      if [[ ( "$DEVICE_IFACE" == cs-* || "$DEVICE_IFACE" == tun* ) && ( "$2" == "up" || "$2" == "vpn-up" ) ]]; then
          nft flush chain ip qubes dnat-dns
          nft add rule ip qubes dnat-dns ip daddr 10.139.1.1 udp dport 53 dnat to $CSDNS
          nft add rule ip qubes dnat-dns ip daddr 10.139.1.1 tcp dport 53 dnat to $CSDNS
          nft add rule ip qubes dnat-dns ip daddr 10.139.1.2 udp dport 53 dnat to $CSDNS
          nft add rule ip qubes dnat-dns ip daddr 10.139.1.2 tcp dport 53 dnat to $CSDNS
          chmod -x /etc/NetworkManager/dispatcher.d/qubes-nmhook
      fi
      
      if [[ ( "$DEVICE_IFACE" == cs-* || "$DEVICE_IFACE" == tun* ) && ( "$2" == "down" || "$2" == "vpn-down" ) ]]; then
          nft flush chain ip qubes dnat-dns
          chmod +x /etc/NetworkManager/dispatcher.d/qubes-nmhook
          if [ -f $ORIGINAL_RULES ]; then
              nft -f $ORIGINAL_RULES
              rm -f $ORIGINAL_RULES
          fi
      fi
      EOF
      sudo chmod +x /rw/config/csvpn/csdns
      sudo /rw/config/rc.local
    4. Replace 10.31.33.7 with 10.31.33.8 if you don't want to use our ad/tracker blocking DNS.
    5. Start Firefox in whichever AppVM you use for web browsing, then go to our WireGuard config generator to download a config.
    6. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    7. Open the Thunar File Manager for that AppVM, navigate to the Downloads folder, right click on the config you just downloaded, and select 'Move to other qube'.
      Select the sys-net qube from the Target: dropdown list.
    8. Switch back to the NetVM/sys-net terminal and copy that config to your homedir with: cp ~/QubesIncoming/*/*.conf ~/
      then import the config into NetworkManager using nmcli con import type wireguard file cs-singapore.conf
      (replace cs-singapore.conf with the filename of the config you just downloaded).
    9. As soon as you import the config, it should instantly connect to the VPN.
    10. That's it! Any qube using this NetVM for their networking should now be using the VPN.
      Use https://cryptostorm.is/test on any networking enabled qube to verify that your IP has changed.
      Keep in mind that this setup is not failsafe (it lacks a killswitch to prevent leaks if the VPN goes down). If you need that, use the ProxyVM setup below.
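
One way to confirm the DNS redirect that the csdns script installs, as an added example that is not part of the original instructions: it reads the text of `nft list chain ip qubes dnat-dns` and reports any port 53 rule that is absent or points somewhere other than the expected resolver. The function names, the sample chain and the 192.0.2.53 address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the sys-net DNS redirect.
# stdin: text of `nft list chain ip qubes dnat-dns`; $1: expected resolver.
# Prints problems and returns non-zero unless udp+tcp port 53 for both
# Qubes DNS addresses are DNATed to $1 and to nothing else.
dns_dnat_problems() {
    awk -v want="$1" '
        # Rule shape: ip daddr <addr> <proto> dport 53 dnat to <target>
        $1 == "ip" && $2 == "daddr" && $5 == "dport" && $6 == "53" {
            seen[$3 " " $4] = 1
            if ($(NF-2) != "dnat" || $NF != want) {
                print "not redirected to " want ": " $3 " " $4; bad = 1
            }
        }
        END {
            n = split("10.139.1.1 udp,10.139.1.1 tcp,10.139.1.2 udp,10.139.1.2 tcp", need, ",")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) { print "no rule for " need[i]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: half of the chain still points at a non-VPN resolver.
sample_mixed_chain() {
    cat << 'EOF'
table ip qubes {
    chain dnat-dns {
        ip daddr 10.139.1.1 udp dport 53 dnat to 10.31.33.7
        ip daddr 10.139.1.1 tcp dport 53 dnat to 10.31.33.7
        ip daddr 10.139.1.2 udp dport 53 dnat to 192.0.2.53
        ip daddr 10.139.1.2 tcp dport 53 dnat to 192.0.2.53
    }
}
EOF
}

# Offline demo; in sys-net use:
#   sudo nft list chain ip qubes dnat-dns | dns_dnat_problems 10.31.33.7
sample_mixed_chain | dns_dnat_problems 10.31.33.7 || echo "DNS redirect incomplete (see list above)"
```

Pass 10.31.33.8 instead if you switched to the resolver without ad/tracker blocking.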

    ProxyVM

    1. In this setup, you create a ProxyVM that acts as the NetVM for whichever AppVM you want to use the VPN.
      This means you can choose which AppVMs use the VPN, and which connect directly to the internet.
      It also means it's easier to implement a killswitch, and your VPN credentials are separated from the NetVM and AppVM.
    2. Open the Qube Manager and click the New qube button. Name it sys-vpn-cs (or whatever) and pick a color for it.
      Leave the Type as the default "AppVM (persistent home, volatile root)", the Template as the fedora default, and Networking as "default (sys-firewall)".
      Select the "Launch settings after creation" box, and click the Advanced tab and check the "Provides network access to other qubes" box.
    3. Click OK to create the qube, then when the Settings window comes up, switch to the Services tab and add the network-manager, meminfo-writer, and qubes-firewall services.
      Click Apply/OK, then start up the new qube.
    4. Start a terminal under this new sys-vpn-cs qube using the start menu to the top left, or the qube icon in the top right.
    5. Start Firefox in whichever AppVM you use for web browsing, then go to our WireGuard config generator to download a config.
    6. Be sure to enable the killswitch option. In our tests, traffic wouldn't flow without it.
    7. Open the Thunar File Manager for that AppVM, navigate to the Downloads folder, right click on the config you just downloaded, and select 'Move to other qube'.
      Select the sys-vpn-cs qube from the Target: dropdown list.
    8. Switch back to the sys-vpn-cs terminal and copy that config to your homedir with: cp ~/QubesIncoming/*/*.conf ~/
      then import the config into NetworkManager using nmcli con import type wireguard file cs-singapore.conf
      (replace cs-singapore.conf with the filename of the config you just downloaded).
    9. As soon as you import the config, it should instantly connect to the VPN.
    10. That's it! Use the Qube Manager to set another qube's NetVM/networking to this new sys-vpn-cs ProxyVM, if you want that qube to use the VPN.
      On the qube(s) that you choose to do that with, use https://cryptostorm.is/test to verify that your IP has changed.
      And if you need a killswitch, running these commands on the ProxyVM will prevent any non-VPN traffic from leaving the AppVMs connected to this ProxyVM:
      sudo nft flush chain qubes custom-forward
      sudo nft insert rule qubes custom-forward oifname eth0 counter drop
      sudo nft insert rule ip6 qubes custom-forward oifname eth0 counter drop
      sudo nft insert rule qubes custom-forward iifname eth0 counter drop
      sudo nft insert rule ip6 qubes custom-forward iifname eth0 counter drop
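
A check for the killswitch rules above, as an added example that is not part of the original instructions: it reads `nft list ruleset` text and reports which of the four eth0 drop rules (ip and ip6, inbound and outbound) are absent from the qubes custom-forward chains. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the ProxyVM killswitch.
# stdin: text of `nft list ruleset`; $1: uplink interface (default eth0).
# Prints every missing drop rule as "<family> <direction>"; returns 0 only
# when the qubes custom-forward chains drop both directions for ip and ip6.
missing_killswitch_rules() {
    awk -v ifc="${1:-eth0}" '
        $1 == "table" { fam = ($3 == "qubes") ? $2 : ""; next }
        $1 == "chain" { chain = $2; next }
        $1 == "}"     { chain = ""; next }
        fam != "" && chain == "custom-forward" {
            # Counters do not affect matching, and nft quotes interface names.
            sub(/ counter( packets [0-9]+ bytes [0-9]+)?/, "")
            gsub(/"/, "")
            # Only an unconditional per-interface drop counts as a killswitch rule.
            if (NF == 3 && $2 == ifc && $3 == "drop" &&
                ($1 == "iifname" || $1 == "oifname"))
                seen[fam " " $1] = 1
        }
        END {
            n = split("ip iifname,ip oifname,ip6 iifname,ip6 oifname", want, ",")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: the IPv4 rules are present, the ip6 ones were never added.
sample_ipv4_only() {
    cat << 'EOF'
table ip qubes {
    chain custom-forward {
        iifname "eth0" counter packets 0 bytes 0 drop
        oifname "eth0" counter packets 12 bytes 912 drop
    }
}
table ip6 qubes {
    chain custom-forward {
    }
}
EOF
}

# Offline demo; on the ProxyVM use:
#   sudo nft list ruleset | missing_killswitch_rules eth0
sample_ipv4_only | missing_killswitch_rules eth0 || echo "killswitch incomplete (see list above)"
```

Because IPv6 is routed through the VPN as well, a chain that only carries the IPv4 drops still lets IPv6 traffic leave via eth0 when the tunnel is down, which is the case the sample flags.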

    Tails - WireGuard

  • See the Tails Wiki for the current state of VPN support in Tails. TLDR: Officially, VPNs aren't supported in Tails, yet. But it's doable.

    VPN -> Tor

  • This would really only be useful for people behind restrictive firewalls that only allow WireGuard's UDP traffic.
    If you're trying to hide your Tor usage from your ISP, use bridges and pluggable transports.

    VPN -> Tor -> Internet (VPN on the Host)

    1. This setup applies if you're running Tails in a VM. Basically, just connect to the VPN on the Host system like you normally would.
    2. Once you start up the Tails VM, it'll connect to Tor through the VPN on the Host.
    3. You can verify that you're connected to the VPN by going to Applications -> Internet -> Unsafe Browser and going to cryptostorm.is/test

    VPN -> Tor -> Internet (VPN on Tails)

      It doesn't look like this is possible, at least not without creating your own custom Tails distro.
      The problem is the squashfs that contains the default iptables rules is mounted read-only, and it's applied any time the network settings change.
      That means wg-quick won't work out of the box, so you would have to manually run the wg/ip commands that wg-quick would do.

    Tor -> VPN

  • This doesn't appear to be possible, since Tor can't handle UDP tunnels.
    It might be possible in the future though, if we add TCP tunneling on top of WireGuard (socat client-side + haproxy server-side, for example).