Jump to content
Not connected, Your IP: 3.144.100.252

Recommended Posts

 

Hi,

 

I'm fairly new to using Debian but I'm using it for almost all of my online activity atm. However, I'm uncomfortable using airvpn without it being filtered by a firewall, just in case the connection drops. Can anyone provide a good walk through for using airvpn with ufw? Or any other Debian firewall? If so, the instructions would have to be fairly clear as I'm still a relative noob with using the terminal etc.


Cheers

 

Share this post


Link to post

As I suspected; I couldn't get past the first line. When I typed "su" and then my password followed by "allow out on tun0 from any to any" it just said "incorrect command".

 

#Sorted this.

Share this post


Link to post

Okay, I'm getting mega frustrated with this, as I cannot get this to work!!

 

Here's my setup.

 

I'm using a PC with Debian and it is directly connected to the wifi hub via a eithernet cable.

 

The confusion:

 

1: Do I need to type this? I've no idea what this means and if I need to add this line of text? $ ufw allow out to 192.168.178.0/24?

 

2: I've tried this line (e.g. ufw allow out to 192.168.178.0/24?) and then the following ufw allow out to 46.19.137.144 port 443 proto udp and ufw allow out on tun0 and I cannot connect the VPN. What am I doing wrong here?

Share this post


Link to post

Hi CriticalRabbit,

 

This if basically a way to drop all WAN traffic going out except to an airvpn server or through the tun0 interface which is the vpn.

 

sudo -s                                                                                  # enable root account, just so you don't have to type sudo before everything

ufw enable                                                                            # Enable ufw if not already started

ufw reset                                                                               # Reset any exisitng rules

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ufw default deny outgoing                                                     # Block all outgoing connections
ufw default deny incoming                                                    # Block all incoming connections

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ufw allow out to 192.168.178.0/24                                        # Allow all outgoing connections to LAN where 192.168.178.0 is your LAN IP.
ufw allow in to 192.168.178.0/24                                          # Allow all incoming connections to LAN where 192.168.178.0 is your LAN IP.
Or
ufw allow out on eth0 to 192.168.178.0/24                           # If you want to be more specific only allow on a specific adapter. eth0 or wlan0

ufw allow in on eth0 to 192.168.178.0/24                             # but yours may be different use ifconfig to find yours.

                       

 

This basically allows any connections from within your home network, eg LAN sync with Dropbox.

Only use one set though as the first allows all adapters, this is the one I use, best for laptops.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ufw allow out to 84.39.117.56 port 443 proto udp                # Allow out to the Airvpn server for connection where 84.39.117.56 is the server address in your config.
ufw allow out to 84.39.116.179 port 443 proto udp              # Just repeat with as many server addresses as you want.


ufw allow out on tun0                                                            # Allow all outgoing traffic through the vpn again make sure this is the correct adapter name

                                                                                              # by connecting to the vpn and running ifconfig to find the interface names.

 

All incoming connections are currently blocked with this config so you need to allow them.

A good way to do this is to find the ports and make an application whitelist in /etc/ufw/applications.d  Plex, BTsync, bittorrent etc.

Examples can be found in that folder just make a copy and change the details

 

cd /etc/ufw/applications.d

cp cups Plex                                                                       # makes a copy of the cups file and renames it Plex

nano Plex                                                                           # edit the Plex file with the right ports and titles, description

Ctrl x  then y                                                                      # to save the file.

 

Then just.

ufw allow Plex                                                                    # allows incoming connections to the ports listed in the Plex config

 

ufw reload                                                                          # Reload ufw

 

exit                                                                                    # To end root permissions

 

Hope this works for you.

Any questions I'll try to look back.

Share this post


Link to post

 

Hi,

 

Thank you for your reply. I'll give it another try.

 

Quick question though: do I use 192.168.178.0/24? I'm not sure what this refers to. When I ran ifconfig it gave three things; 'inet addrr'. 'Bcast' and 'Mask'. All three of these were different to 192.168.178.0/24. Which do I use (i.e. 'inet addrr'. 'Bcast' and 'Mask')?

 

Cheers

Share this post


Link to post

Hi,

 

The first three sets of numbers in inet and Bcast should be the same these are the numbers you will need and the forth set ignore but for the firewall replace with 0.

 

I'll use mine as an example

 

eg

 

inet addrr:192.168.50.2  Bcast:192.168.50.255

 

inet is the PC's IP

 

so for the firewall I have 192.168.50.0/24

 

The /24 just refers to all addresses in that range. So all internal IP's in the range 192.168.50.1 to 192.168.50.255 are allowed in and out.

 

ufw allow out to 192.168.50.0/24

ufw allow in to 192.168.50.0/24

Share this post


Link to post

 

Hi,

So apparently I only need to use these rules to block all connections but my PC to airvpn:

ufw default deny outgoing
ufw default deny incoming
ufw allow out to 184.75.214.162 port 443 proto udp (cephei)
ufw allow out on tun0

 

However, I still cannot connect to the VPN; it just remains on 'authenticating'. I did note, however, that when I add the rule “ufw allow out on tun0” I get two entriues in gufw; I get “Anywhere ALLOW OUT Anywhere on tun0 (out) and I get “Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0 (out). Do you think this is my problem?

 

Share this post


Link to post

No the V6 is just when you do a ufw rule it makes it for ipv4 and ipv6 but that won't affect the connection

 

Just to confirm your using resolved addresses in network manager vpn settings. I'm thinking maybe its a DNS issue but this is probably not likely from a single server config file.

 

And it connects fine without the firewall on?

Share this post


Link to post

For Debian I'm using the graphical interface, although I can go back to just using the terminal. Do you think this could be an issue? I was intending on trouble shooting this actually but I've been away all weekend. And yeah, it connects fine without the firewall on.

Share this post


Link to post

To confirm by graphical interface do you mean the new AirVPN client or network manager?

 

The client may cause problems due to connecting to another IP before it connects the VPN. So you would need to add the ip address the client connects to into the firewall, network manager should be ok though.

Share this post


Link to post

Hi,

 

Yes I was referring to the Airvpn client. I switched back to using the terminal and I can get the firewall to block all connections except the vpn ip I reference in the firewall rules (see below). However, I now cannot get my browser to connect to the internet even though the script in the terminal shows a connection. Getting closer at least.

 

ufw default deny outgoing,
ufw default deny incoming
ufw allow out to 184.75.214.162 port 443 proto udp (cephei)
ufw allow out on tun0

 

I wonder if I need to include an additional rule for my browser?

Share this post


Link to post

 

Yeah I'm really stumped with this now. I've tried a few different rules but my browser will not connect to the internet even though the terminal shows a clear connection.

Share this post


Link to post

Sorry I've been busy the last few days but i haven't forgotten. I'm a bit confused myself. I'll spin up a debian image over the weekend and see if I can get it working with the client.

 

Can you tell me which version of debian your using and is it the default openvpn package in the repos.

 

Cheers

Share this post


Link to post

Hi,

 

I really appreciate that, thank you.

 

I'm using the newest version of Debian; 7.0 wheezy? As for Airvpn, I'm connecting via the terminal with openvpn. Although I'm happy to use the client if that works.

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...