Network Lock


#1 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7022 posts

Posted 11 September 2014 - 12:10 AM

Network Lock


 
WARNING: this answer does NOT apply exactly to Eddie 2.8.8 or older versions.
 
Network Lock is a feature that prevents IPv4/IPv6 communications when your system is not connected to an AirVPN server. Its main purpose is preventing IPv4/IPv6 leaks under any circumstance, including, but not limited to, unexpected VPN disconnection: contrary to several so-called "kill switches" and VPN check monitoring processes, which don't do anything while the connection is on and become totally useless if they crash, Network Lock is based on strict firewall rules. Thus, the protection against leaks is active even when the connection is detected as "on" (regardless of whether it is really "on" or not), even if Eddie could not work anymore, and even if you misconfigured by accident a listening service, binding it to a physical network card.


You can activate it by clicking the "Network Lock" button in the "Overview" window.
A small icon in the top right corner tells you the status of Network Lock at any time. Warning: if, after you have activated Network Lock, you modify the firewall rules, the client will not detect that. It's your responsibility to act accordingly.
After any change, do not forget to click the "Save" button.
Our software adopts various approaches to perform a network lock according to the operating system, the software already available, etc.
 
In AirVPN Menu -> Preferences -> Advanced - Network Lock you can find the following additional options for Network Lock.
If Mode is set to None, the feature is not available and the commands are hidden in the main window.
If it is set to 'Auto', the software automatically detects the best mode.
Otherwise, choose a specific mode. Note that only the modes allowed for the current environment are listed.
By default the client option is set to "Automatic".
 
You can also decide whether to allow LAN and/or ping by ticking or un-ticking "Allow lan/private" and "Allow ping".
In Addresses allowed, you can specify a list of IP addresses that are enabled even if Network Lock is active. That's useful, for example, to allow leaks to known trusted IP addresses. Separate each address with a newline. Empty lines are allowed. Use # for comments.


In Preferences > Routes, if you specify that a route needs to be outside the tunnel, the same route bypasses Network Lock.
 
You can't enable Network Lock and at the same time have the option "Not specified routes go to Outside the VPN tunnel", because it would mean that Network Lock needs to be bypassed on every unknown range.
It's different from Addresses allowed, because those addresses are allowed during Network Lock, but traffic to/from them is routed in the tunnel during the VPN connection.


Mode 'Windows Firewall' in depth


Available on Windows Vista, 7, 8 and above.

Activation
  • Activate the Windows Service if not already active
  • A backup of the current rules is saved in a file called winfirewallrules.wfw. This includes rules and notification settings.
  • For each profile (domain, private, public) if the firewall was not active, it's activated. If the notification of the profile was enabled, it's disabled.
  • Delete all existing rules
  • Create AirVPN rules: allow icmp if ping is enabled, allow local subnet if private network is enabled, allow traffic over VPN, allow all IP addresses (under control of AirVPN) used by our authentication or VPN servers
  • Set BlockInbound & BlockOutbound as firewall policy for all profiles
Running
  • During execution, the allowed IP list is updated dynamically (for example if we add VPN servers).
Deactivation
  • AirVPN rules deleted
  • Firewall policy for all profiles is restored to its state before the activation
  • Import of the rules backup, which also resets notifications to their previous state
  • For each profile, deactivate the firewall only if it was activated by the client in the activation step
  • Stop the Windows Service if it was activated by the client in the activation step


Mode 'OS X PF' in depth


Prerequisites
  • /etc/pf.conf exists.
Activation
  • Detect whether it is already enabled. If not, activate it.
  • Load a custom PF config file. It's created under the data directory.

    # Block policy: return RST/ICMP unreachable so blocked applications notice quickly
    set block-policy return

    # Skip interfaces: lo0 and utun (only when connected)
    set skip on { lo0 utun0 }

    # Scrub
    scrub in all

    # Drop everything that doesn't match a rule
    block drop out inet from any to any

    # Only if 'Allow Private' is active:
    pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
    pass in quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
    pass out quick inet from 172.16.0.0/12 to 172.16.0.0/12 flags S/SA keep state
    pass in quick inet from 172.16.0.0/12 to 172.16.0.0/12 flags S/SA keep state
    pass out quick inet from 10.0.0.0/8 to 10.0.0.0/8 flags S/SA keep state
    pass in quick inet from 10.0.0.0/8 to 10.0.0.0/8 flags S/SA keep state

    # Only if 'Allow Ping' is active:
    pass quick proto icmp

    # AirVPN IP (Auth and VPN), a list of:
    pass out quick inet from any to <ip> flags S/SA keep state
Note: the tun interface name will be detected by Eddie and properly inserted in the rules. Here, "utun0" is just an example, picked only because it is a frequent case. Eddie 2.7 or higher only.
 
Running
  • During execution, the allowed IP list is updated dynamically by regeneration and reloading of the PF config file.
Deactivation
  • Reload the system default rules, assuming they are in /etc/pf.conf.
  • Deactivate PF, only if it was activated by the client in the activation step


Mode 'iptables' in depth


Prerequisites
  • iptables
  • iptables-save & iptables-restore
Activation
  • Backup of the current iptables rules in the iptables.dat backup file
  • Delete all existing rules, then apply the new rules:

    # Flush
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    # Flush V6
    ip6tables -F
    ip6tables -t nat -F
    ip6tables -t mangle -F

    # Local
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Local V6
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT

    # Make sure you can communicate with any DHCP server
    iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
    iptables -A INPUT -s 255.255.255.255 -j ACCEPT

    # Make sure that you can communicate within your own network if Private Network option is enabled
    iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
    iptables -A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
    iptables -A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
    iptables -A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT

    # Allow incoming pings if Ping option is enabled
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Allow established sessions to receive traffic:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow TUN
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT

    # Block All
    iptables -A OUTPUT -j DROP
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP

    # Block All V6
    ip6tables -A OUTPUT -j DROP
    ip6tables -A INPUT -j DROP
    ip6tables -A FORWARD -j DROP
Running
  • During execution, the allowed IP list is updated dynamically with insert or delete:

    iptables -I OUTPUT 1 -d <ip> -j ACCEPT
    iptables -D OUTPUT -d <ip> -j ACCEPT
Deactivation
  • Delete all rules
  • Restore backup rules
  • Delete backup file
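The iptables activation and running steps above, together with the "Addresses allowed" list format (one address per line, blank lines ignored, # comments), as an added example that is not Eddie's own code: a small POSIX shell generator that prints the ruleset for given tick-box settings and allowed-address text instead of applying it, so it can be reviewed before being run as root. The helper names (parse_allowed, allow_rule, gen_rules, is_ipv4, is_ipv6), the loose syntactic address checks and the sample list in the comments are assumptions made for this example; the rules themselves follow the post.

```shell
#!/bin/sh
# Added example, not Eddie's own code: emit the iptables/ip6tables commands for
# the Network Lock ruleset described in the post, parameterised by the two tick
# boxes and the "Addresses allowed" text. Commands are printed, not executed, so
# the result can be inspected first and then run as root ("gen_rules 1 0 '' | sh").

# Loose syntactic checks (assumed helpers): an entry matching neither family is
# rejected instead of being handed to iptables as an unexpected argument.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; }
is_ipv6() { printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'; }

# Parse "Addresses allowed": '#' starts a comment, blank lines are ignored,
# surrounding whitespace is stripped. One address per output line.
parse_allowed() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' || true
}

# Runtime insert (I) or delete (D) of one allowed destination, in the form the
# post shows for dynamic updates; the table is chosen by address family.
allow_rule() {
    case $1 in
        I) op="-I OUTPUT 1" ;;
        D) op="-D OUTPUT" ;;
        *) echo "allow_rule: action must be I or D" >&2; return 2 ;;
    esac
    if is_ipv4 "$2"; then echo "iptables $op -d $2 -j ACCEPT"
    elif is_ipv6 "$2"; then echo "ip6tables $op -d $2 -j ACCEPT"
    else echo "skipping malformed address: $2" >&2; return 1
    fi
}

# $1 = allow private networks (1/0), $2 = allow ping (1/0), $3 = allowed list text
gen_rules() {
    allow_private=$1; allow_ping=$2; allowed=$3
    cat <<'EOF'
# Flush v4 and v6
iptables -F
iptables -t nat -F
iptables -t mangle -F
ip6tables -F
ip6tables -t nat -F
ip6tables -t mangle -F
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# DHCP broadcast
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
EOF
    if [ "$allow_private" = 1 ]; then
        for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
            echo "iptables -A INPUT -s $net -d $net -j ACCEPT"
            echo "iptables -A OUTPUT -s $net -d $net -j ACCEPT"
        done
    fi
    if [ "$allow_ping" = 1 ]; then
        echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    fi
    # Allowed addresses are inserted at position 1, so they sit above the final DROP.
    parse_allowed "$allowed" | while IFS= read -r addr; do
        allow_rule I "$addr" || true
    done
    cat <<'EOF'
# Replies to our own connections, the tunnel, then drop everything else
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
ip6tables -A OUTPUT -j DROP
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j DROP
EOF
}
```

A malformed line in the allowed list is reported on stderr and skipped rather than becoming a stray iptables argument, and only OUTPUT gets a per-address rule: replies from an allowed address still depend on the ESTABLISHED,RELATED rule on INPUT, which is why an allowed host cannot initiate a new connection to the machine. allow_rule D mirrors the delete the client performs when a server leaves the list.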




