@marzametal
Each VPN instance uses a different 10.x.0.0/16 B-class, mostly because if I used the same B-class (or C-class) for multiple instances, two different clients might be assigned the same 10.x.x.x IP.
There's a check in place to prevent that from happening per-instance, but not per-server, so each instance gets its own B-class.
On the older servers that only have 4 VPN IPs, there are 6 instances:
win TCP, ECC TCP, linux TCP, win UDP, ECC UDP, linux UDP
On those servers, I generally stick to networks:
10.33.0.0/16 for linux UDP
10.34.0.0/16 for linux TCP
10.44.0.0/16 for win UDP
10.45.0.0/16 for win TCP
10.54.0.0/16 for ECC UDP
10.55.0.0/16 for ECC TCP
On the newer servers that have large(ish) IP pools assigned to them (currently: frankfurt, paris, england, romania, ussouth, and switzerland), I'll usually start at 10.60.0.0/16 and increment it by one per IP.
But some of those servers (frankfurt, paris, and romania) are using new IP pools plus the above ranges, because those three weren't new servers, they were just old ones I bought more IPs for.
Doing it that way on those three servers meant I could set up the new instances without disturbing the VPN sessions of people who were connected to the old instances.
For england, ussouth, and switzerland, they were new servers so I didn't have to bother with working around old instances. So for those 3, they only use 10.60.0.0/16 and onward (highest atm being 10.149.0.0/16).
Some time in the near future there might be more 10.x.0.0/16 networks used when other things get added (new instances for obfuscation protocols, wireguard [if they ever release a stable branch of that], etc.)
As for your firewall rules against 10.0.0.0/8, the only reason to do that would be to prevent your machine from accessing other things in your LAN (if your LAN is also in 10.0.0.0/8), since the networks listed in RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) can't reach the internet.
If you're using a local firewall on the same machine you'll be connecting to cryptostorm with, you should keep in mind that the CS 10.0.0.0/8 traffic is only going out on the tunnel interface/adapter. The interface/adapter for your internet connection (eth0 in Linux, "Ethernet" in Windows, etc.) will only see traffic from you to the public/internet CS VPN IP.
Knowing that, you could add an exception to the local firewall so that only the tunnel interface can reach 10.0.0.0/8 (Usually tun0 in Linux, or whatever the TAP network adapter name is in Windows).
That way you can still prevent your machine from accessing the rest of your LAN by blocking access to 10.0.0.0/8 on your other non-tunnel interfaces/adapters.
If your firewall is on the network's router, and you're connecting to cryptostorm using a machine behind that router, it won't be seeing your traffic to the CS 10.0.0.0/8 network since that'll already be encrypted by the time it reaches your router.
So for that setup, you should be using the public CS IPs for a killswitch. You could even set up a rule based on source IP, for when you only want to do a killswitch for one or specific machines on your network.
If you're doing both the killswitch and connecting to cryptostorm on your router, then the stuff I said in the paragraph before the last one would apply.
EDIT:
And yes, cryptostorm.nu is still @ 212.83.185.245, and the widget still uses that to check for nodelist updates.
And if using an external killswitch, with the new IP pools, you can't just use the balancer's DNS anymore since not all IPs are listed there.
You could do what the widget does and load all the hosts from https://cryptostorm.nu/nodelist3.txt (i.e., `awk -F: '{print $NF}' nodelist3.txt`), then resolve them, then add those IPs to your firewall.
FYI: If you add a hostname to an iptables rule, it'll add all the IPs that hostname resolves to.
If you don't wanna do that, https://cryptostorm.is/whitelist also has a list of all the possible exit IPs.
Regarding your question about the server names, I've gone ahead and updated https://cryptostorm.is/whitelist to also include the region in the comments, next to the server name:
csis@cryptostorm.is [~/www]# grep ^\# whitelist
#onyx / paris
#cf-i / cryptofree
#alors / paris
#tagus / lisbon
#jord / switzerland
#skana / canadawest
#goo / useast (New York City, NY)
#windy / usnorth (Chicago, IL)
#resurgens / ussouth (Atlanta, GA) - will be removed in August 2018, replaced with "resurg"
#rugby / england
#ham - canadaeast
#silver - uswest (Las Vegas, NV)
#riga - latvia
#rotte - netherlands
#warsaw - poland
#stadi - finland
#warlock - dusseldorf
#brabant - netherlands
#stakaya - uswest (Seattle, WA)
#dc - useast (Washington, D.C.)
#lax - uswest (Los Angeles, CA)
#blocko - denmark
#gambit - rome
#zuna - frankfurt
#voodoo - isle of man
#voodoo - romania
#voodoo - russia
#sallad - ussouth (Dallas, TX)
#balaur - romania
#resurg - ussouth (Atlanta, GA)
#zur - switzerland
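The external-killswitch recipe from the post (pull the hostnames out of nodelist3.txt, resolve them, allow only those endpoints and the tunnel, block 10/8 off-tunnel) as one script. This is an added example, not cryptostorm's own code: it assumes nodelist3.txt is colon-separated with the hostname in the last field (as the awk one-liner implies), the sample nodelist and its hostnames are constructed, the interface names eth0/tun0 and all function names are assumptions, and it prints the iptables rules instead of applying them.

```shell
#!/bin/sh
# Added example, not cryptostorm's code. Assumes nodelist3.txt lines are
# colon-separated with the VPN hostname last (as the post's awk implies).
WAN_IF="${WAN_IF:-eth0}"   # interface carrying the encrypted traffic to CS (assumed)
TUN_IF="${TUN_IF:-tun0}"   # the VPN tunnel adapter (assumed)

# Constructed sample of the assumed nodelist3.txt layout, written to a temp file.
make_sample_nodelist() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample, not the real nodelist' \
        'linux:udp:node-a.example.invalid' \
        'linux:tcp:node-b.example.invalid' \
        'win:udp:node-a.example.invalid' > "$f"
    echo "$f"
}

# Unique hostnames from a nodelist file: last ':' field, skipping comments and blanks.
nodelist_hosts() {
    awk -F: '!/^#/ && NF { print $NF }' "$1" | sort -u
}

# IPv4 addresses for one hostname. Resolving here, explicitly, instead of naming
# the host in the iptables rule keeps a record of which addresses actually went
# in (iptables expands a hostname once, at insert time, and you never see the list).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Emit OUTPUT rules for the host list in file $1: loopback and tunnel pass;
# on the WAN interface only the resolved CS endpoints; 10/8 is dropped on every
# non-tunnel interface (the LAN-isolation point from the post); all else dropped.
# Rules are printed, not applied: review them, then pipe into sh as root.
killswitch_rules() {
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -o $TUN_IF -j ACCEPT"
    for h in $(nodelist_hosts "$1"); do
        for ip in $(resolve_v4 "$h"); do
            echo "iptables -A OUTPUT -o $WAN_IF -d $ip -j ACCEPT  # $h"
        done
    done
    echo "iptables -A OUTPUT -d 10.0.0.0/8 ! -o $TUN_IF -j DROP"
    echo "iptables -A OUTPUT -j DROP"
}

# Usage: sh killswitch.sh /path/to/nodelist3.txt  (no argument: nothing is printed)
if [ "$#" -gt 0 ]; then
    killswitch_rules "$1"
fi
```

Re-run it whenever the nodelist changes, since the ACCEPT rules are only as current as the addresses resolved when they were generated.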