Most Linux users will connect using either:

Terminal is the recommended method, because Network Manager hasn't yet implemented the latest OpenVPN features
That means you won't be able to use anything but the RSA configs if you're connecting with Network Manager.



Network Manager

  • Ubuntu's default Network Manager doesn't include OpenVPN support, so a plugin will need to be installed.
    First, open up the Terminal.

  • The first thing that needs to be done is update the apt sources with the command:
    sudo apt update
    Then, install OpenVPN:
    sudo apt install openvpn

  • Next, type in the following command:
    sudo apt-get install network-manager-openvpn
    Or if your desktop environment is GNOME, use the command:
    sudo apt-get install network-manager-openvpn-gnome

    Note: The Ubuntu Live CD/DVD by default has the "universe" repository disabled, and that's where the above two packages are.
    So if you're using the Live CD/DVD, you'll need to type these commands before the above two will work:
    sudo -s
    . /etc/lsb-release
    echo "deb http://archive.ubuntu.com/ubuntu $DISTRIB_CODENAME universe" >> /etc/apt/sources.list
    apt-get update

  • After that plugin is installed, you may need to restart Network Manager with the command:
    sudo service network-manager restart
    Check first if the plugin was installed successfully. Click on the Network Manager icon in the top right hand corner, then go to "Edit Connections"


    Then click "Add"


    Then click the drop down list. If the plugin installed correctly, you should see "OpenVPN" in the list, under "VPN"

  • The next step is to download the cryptostorm OpenVPN configs.
    For this example, my account is named "test", and I'll be putting the configs in /home/test/Documents/conf/
    Open up Terminal again and create the directory you'll be using:
    mkdir ~/Documents/conf
    cd ~/Documents/conf
    Then download and unzip the configs:
    wget https://cryptostorm.is/configs/rsa/configs.zip
    unzip configs.zip

    Note: only the RSA configs are supported in Network Manager, at least, until they add support for --tls-crypt and --compress (OpenVPN options used in the ECC configs)

  • The default Ubuntu includes a dnsmasq server that will overwrite /etc/resolv.conf, which will cause DNS leaks with OpenVPN.
    There is an update-resolv-conf script that should fix this leak, but it seems that there are different versions of this script out there, and some of them don't work.
    Instead of dealing with that or updating /etc/resolv.conf, we recommend using iptables to plug DNS leaks.
    After you connect to the VPN, run these two commands:
    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 10.31.33.8
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 10.31.33.8
    
    That will redirect all DNS queries to the VPN server's DNS.
    If you want to use our TrackerSmacker ad/tracker blocking service, replace 10.31.33.8 in the above two commands with 10.31.33.7

    Note: If your /etc/resolv.conf points to a localhost IP such as 127.0.0.1 or 127.0.0.53, the above rules will cause this error when you try to resolve something:
    ../../../../lib/isc/unix/socket.c:2135: internal_send: 127.0.0.1#53: Invalid argument
    and DNS will fail. To get past that, run echo 'nameserver 1.1.1.1' > /etc/resolv.conf
    It doesn't matter what IP you use, so long as it's not something in 127.0.0.x
    After you run the commands below, your DNS will go to whatever IP you specify in the above command.
    If you want to use our DNS instead of Cloudflare's 1.1.1.1, our DNS server IPs are listed at https://cryptostorm.is/dns.txt

    Whenever you decide to disconnect from the VPN, you need to remove the DNS leak protection with these commands before DNS will work again:
    iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 10.31.33.8
    iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 10.31.33.8
    

  • Next, import all of the configs into Network Manager using the command:
    for conf in *.ovpn;do nmcli connection import type openvpn file $conf;done

  • To save yourself from having to enter the username/password for every config, you can instead use these commands to add the user/pass to all the configs.
    First, become root, enter your password when prompted:
    sudo -s

    Next, add the user/pass to all the imported configs (replace CsTok-enGvX-F4b4a-j7CED with your cryptostorm token)
    The following commands should be ran while still in the configs directory.
    Note: It's recommended that you first hash your token using the token hasher at https://cryptostorm.is/#section6, under the teddy bear
    CSTOKEN=CsTok-enGvX-F4b4a-j7CED
    for conf in `ls *.ovpn|sed -e's/.ovpn//'`;do
    if [ -e "/etc/NetworkManager/system-connections/$conf.nmconnection" ];then
    conf="$conf.nmconnection"
    fi
    sed "/\[vpn\]/a username=$CSTOKEN" -i /etc/NetworkManager/system-connections/$conf
    sed -e"s/password-flags=.*/password-flags=0/" -i /etc/NetworkManager/system-connections/$conf
    sed "\$a\\\n[vpn-secrets]\npassword=whatever\n" -i /etc/NetworkManager/system-connections/$conf
    done


    And finally, one last restart of Network Manager:
    service network-manager restart

    You can now select a node to connect to from Network Manager:

  • You should see a notification once you're connected to the VPN:

  • You're done! Check with https://cryptostorm.is/test to verify that you're IP has changed.


Terminal (using OpenVPN's apt repos)

  • The OpenVPN in older Ubuntu apt repos is outdated, so first we'll need to add OpenVPN's repository.
    If you're on Debian 9 or Ubuntu 18.x (bionic), you can skip this step since they do include a later OpenVPN 2.4.x
    In Terminal, start a root shell with the command:
    sudo -s
    Enter your password when it asks. Next, add the OpenVPN repository:
    wget -O- https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
    Then add the OpenVPN repo to the local sources list:
    . /etc/lsb-release;echo "deb https://build.openvpn.net/debian/openvpn/stable $DISTRIB_CODENAME main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

  • After that, install the latest OpenVPN with:
    apt-get update && apt-get install openvpn
    When that's done, verify that you now have the latest OpenVPN with the command:
    openvpn --version|head -n1
    To see what the latest OpenVPN version is, visit: https://openvpn.net/index.php/open-source/downloads.html

  • Next, download and unzip the cryptostorm OpenVPN configs.
    The RSA ones are at https://cryptostorm.is/configs/rsa/configs.zip
    The ECC ones are at https://cryptostorm.is/configs/ecc/configs.zip
    The Ed25519 ones are at https://cryptostorm.is/configs/ecc/ed25519/configs.zip
    The Ed448 ones are at https://cryptostorm.is/configs/ecc/ed448/configs.zip
    See https://cryptostorm.is/config/ for details on the differences between these.

    OpenVPN 2.4.x is required for the ECC configs.
    OpenVPN 2.4.x AND OpenSSL 1.1.1 is required for the Ed25519 and Ed448 configs.

    So for ECC, the commands would be:
    wget https://cryptostorm.is/configs/ecc/configs.zip
    unzip configs.zip

  • So you don't have to enter your token every time you connect, store your token in a random file.
    (Replace CsTok-enGvX-F4b4a-j7CED with your token or your token's hash using the token hasher at https://cryptostorm.is/#section6, under the teddy bear
    And replace /home/test/cstoken with the location you want to save the token to. My username is "test", so I'm storing the file in /home/test/cstoken)
    echo CsTok-enGvX-F4b4a-j7CED > /home/test/cstoken;echo anythingcangohere >> /home/test/cstoken;chmod 600 /home/test/cstoken
    Then edit all the configs to use /home/test/cstoken:
    sed -e's_^auth-user-pass.*_auth-user-pass /home/test/cstoken_' -i *.ovpn

  • The default Ubuntu/Debian includes a dnsmasq server that will overwrite /etc/resolv.conf, which will cause DNS leaks with OpenVPN.
    There is an update-resolv-conf script that should fix this leak, but it seems that there are different versions of this script out there, and some of them don't work.
    Instead of dealing with that or updating /etc/resolv.conf, we recommend using iptables to plug DNS leaks.
    After you connect to the VPN, run these two commands:
    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 10.31.33.8
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 10.31.33.8
    
    That will redirect all DNS queries to the VPN server's DNS.
    If you want to use our TrackerSmacker ad/tracker blocking service, replace 10.31.33.8 in the above two commands with 10.31.33.7

    Note: If your /etc/resolv.conf points to a localhost IP such as 127.0.0.1 or 127.0.0.53, the above rules will cause this error when you try to resolve something:
    ../../../../lib/isc/unix/socket.c:2135: internal_send: 127.0.0.1#53: Invalid argument
    and DNS will fail. To get past that, run echo 'nameserver 1.1.1.1' > /etc/resolv.conf
    It doesn't matter what IP you use, so long as it's not something in 127.0.0.x
    After you run the commands below, your DNS will go to whatever IP you specify in the above command.
    If you want to use our DNS instead of Cloudflare's 1.1.1.1, our DNS server IPs are listed at https://cryptostorm.is/dns.txt

    Whenever you decide to disconnect from the VPN, you can remove the DNS leak protection with the commands:
    iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 10.31.33.8
    iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 10.31.33.8
    

  • Finally, connect with:
    sudo openvpn --config Paris_UDP.ovpn
    (Replace "Paris_UDP.ovpn" with whatever node you want to connect to)

  • Once you see "Initialization Sequence Completed", you're connected!
    Check with https://cryptostorm.is/test to verify that you're IP has changed.


Terminal (compiling from source)

  • If you're using a distro that isn't support yet by the OpenVPN repository, and the OpenVPN/OpenSSL included in your distro isn't recent enough, you may have to compile from source.
    On pretty much every Debian or Ubunbtu based distro, really anything that uses `apt` as a package manager, the commands to compile OpenVPN and OpenSSL from source would be the same.

    First, install the nececssary libraries and compilers (if not already installed):

    sudo apt install -y build-essential zlib1g-dev liblz4-dev liblzo2-dev net-tools

    Next, download and compile OpenSSL:

    sudo -s
    cd /usr/src/
    wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz --no-check-certificate
    if [[ `sha256sum openssl-1.1.1b.tar.gz|awk '{print $1}'` != "5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b" ]]; then
    echo "bad sha256 hash for openssl-1.1.1b.tar.gz"
    exit
    fi
    tar zxf openssl-1.1.1b.tar.gz
    rm -f openssl-1.1.1b.tar.gz
    cd openssl-1.1.1b
    ./config --prefix=/usr -fPIC no-gost shared zlib enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ossl111b/lib --prefix=/usr/local/ossl111b
    make depend
    make
    make install

    It will take a few minutes for the compile/install to finish.
    Next, download and compile OpenVPN:

    sudo -s
    cd /usr/src/
    wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.7.tar.gz --no-check-certificate
    if [[ `sha256sum openvpn-2.4.7.tar.gz|awk '{print $1}'` != "73dce542ed3d6f0553674f49025dfbdff18348eb8a25e6215135d686b165423c" ]]; then
    echo "bad sha256 hash for openvpn-2.4.7.tar.gz"
    exit
    fi
    tar zxf openvpn-2.4.7.tar.gz
    rm -f openvpn-2.4.7.tar.gz
    cd openvpn-2.4.7
    CFLAGS="-I/usr/local/ossl111b/include -Wl,-rpath=/usr/local/ossl111b/lib -L/usr/local/ossl111b/lib" ./configure --disable-plugin-auth-pam --prefix=/usr
    make
    make install


Those first commands will install the compilers, along with the libraries needed (zlib, lz4, lzo2).
The second set of commands will download OpenSSL, then verify it's sha256 hash, then compile it, then install it to /usr/local/ossl111b
The reason for installing it there and not system-wide is because some distros are very picky about the version of OpenSSL that's installed.
Putting it there takes care of any potential conflicts 1.1.1b might have with some pre-installed crypto software that doesn't yet support 1.1.1b

After that, the last set of commands will download OpenVPN 2.4.7, again checking it's sha256 hash, then compile it against the OpenSSL 1.1.1b at /usr/local/ossl111b
OpenVPN is installed system-wide, since replacing any possible previous OpenVPN installations shouldn't have any affect on other crypto software.
--no-check-certificate is used with wget because (at least for openssl.org) the default Ubuntu distro doesn't have their CA in the local CA store,
so checking the SSL certificate is disabled. It's not really needed anyways since we're checking the sha256 hash.

Once all that's finished, you can run the command `openvpn --version` to verify that you're using the latest OpenVPN compiled against the latest OpenSSL:

After that, the next steps are the same as they would be if you installed from the OpenVPN repos:

  • Download and unzip the cryptostorm OpenVPN configs.
    The RSA ones are at https://cryptostorm.is/configs/rsa/configs.zip
    The ECC ones are at https://cryptostorm.is/configs/ecc/configs.zip
    The Ed25519 ones are at https://cryptostorm.is/configs/ecc/ed25519/configs.zip
    The Ed448 ones are at https://cryptostorm.is/configs/ecc/ed448/configs.zip
    See https://cryptostorm.is/config/ for details on the differences between these.

    At least OpenSSL 1.1.1 is required for the Ed25519 and Ed448 configs, but since you now have 1.1.1b they should work.

    So for ECC, the commands would be:
    wget https://cryptostorm.is/configs/ecc/configs.zip
    unzip configs.zip

  • So you don't have to enter your token every time you connect, store your token in a random file.
    (Replace CsTok-enGvX-F4b4a-j7CED with your token or your token's hash using the token hasher at https://cryptostorm.is/#section6, under the teddy bear
    And replace /home/test/cstoken with the location you want to save the token to. My username is "test", so I'm storing the file in /home/test/cstoken)
    echo CsTok-enGvX-F4b4a-j7CED > /home/test/cstoken;echo anythingcangohere >> /home/test/cstoken;chmod 600 /home/test/cstoken
    Then edit all the configs to use /home/test/cstoken:
    sed -e's_^auth-user-pass.*_auth-user-pass /home/test/cstoken_' -i *.ovpn

  • The default Ubuntu/Debian includes a dnsmasq server that will overwrite /etc/resolv.conf, which will cause DNS leaks with OpenVPN.
    There is an update-resolv-conf script that should fix this leak, but it seems that there are different versions of this script out there, and some of them don't work.
    Instead of dealing with that or updating /etc/resolv.conf, we recommend using iptables to plug DNS leaks.
    After you connect to the VPN, run these two commands:
    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 10.31.33.8
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 10.31.33.8
    
    That will redirect all DNS queries to the VPN server's DNS.
    If you want to use our TrackerSmacker ad/tracker blocking service, replace 10.31.33.8 in the above two commands with 10.31.33.7

    Note: If your /etc/resolv.conf points to a localhost IP such as 127.0.0.1 or 127.0.0.53, the above rules will cause this error when you try to resolve something:
    ../../../../lib/isc/unix/socket.c:2135: internal_send: 127.0.0.1#53: Invalid argument
    and DNS will fail. To get past that, run echo 'nameserver 1.1.1.1' > /etc/resolv.conf
    It doesn't matter what IP you use, so long as it's not something in 127.0.0.x
    After you run the commands below, your DNS will go to whatever IP you specify in the above command.
    If you want to use our DNS instead of Cloudflare's 1.1.1.1, our DNS server IPs are listed at https://cryptostorm.is/dns.txt

    Whenever you decide to disconnect from the VPN, you can remove the DNS leak protection with the commands:
    iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 10.31.33.8
    iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 10.31.33.8
    

  • Finally, connect with:
    sudo openvpn --config Paris_UDP.ovpn
    (Replace "Paris_UDP.ovpn" with whatever node you want to connect to)

  • Once you see "Initialization Sequence Completed", you're connected!
    Check with https://cryptostorm.is/test to verify that you're IP has changed.