Hi Air's,


thought I'd share my setup on my Linux box. It is very basic, but does the job for me.


Basic idea: Have the connection to Air set up at system startup, e.g. when entering runlevel 5. Keep the phase of "open" traffic as short as possible, with as few connections as possible.


Solution (steps to take, no code):

  1. Create a script /etc/rc.d/vpn that reflects a service startup.
  2. Make it dependent on network startup.
  3. In the start-section of that script:
  • remove default route of main network device
  • add route to google via default gateway on main network device
  • add route to desired Air-Gateway(s) (e.g.  europe.dns.airvpn.org) using default gateway
  • ping until Air-Gateway can be reached (means network is up)
  • start openvpn with desired configuration
  • Inspect route -n until tun0 is visible
  • delete route to google via default gateway on main network device
  • add default route to tun0
  • add exceptional routes for hosts which should go outside tunnel.

In the stop-section, simply:

  • killall openvpn
  • ifdown <main network device>

I have also added a section "retunnel" which first ifdowns the main network, then ifups it again and calls start.

Then, link that script into your desired runlevel (usually 5 for a desktop box).


The result of this is that the tunnel is set up right before the graphical login. So when the user logs in, all autostarted email and web programs already go through the tunnel, as do most of the ntp and other system relevant update tasks. Therefore, you're quite opaque to your ISP. If the tunnel cannot be set up, you have no working internet connection - a sign that something is wrong!


Hope that helps anyone,



#! /bin/sh
### BEGIN INIT INFO
# Provides:       vpn
# Required-Start: $network $syslog
# Should-Start:
# Required-Stop:
# Should-Stop:
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Short-Description: Start VPN Tunnel
# Description:    Start VPN Tunnel
### END INIT INFO

# SUSE-style rc helpers (rc_status, rc_reset, rc_exit and the ${attn}/${warn} colours)
. /etc/rc.status
rc_reset

# Site-specific values. The forum post did not preserve how these were set,
# so the assignments below are placeholders to adapt to your own box:
VPNHOST=europe.dns.airvpn.org      # Air gateway to connect to (example name from the post)
OVPNCONF=/root/bin/airvpn.ovpn     # placeholder: OpenVPN client config to start
PRETUNHOST=8.8.8.8                 # placeholder: the "google" host routed outside the
                                   # tunnel during startup (Google DNS assumed)
# Default gateway of the main interface, read from the routing table before
# the start action removes the default route.
GW=$(route -n | awk '$1 == "0.0.0.0" && $8 == "wlan0" { print $2; exit }')

# The case labels did not survive the forum formatting; they are reconstructed
# from the action bodies and the usage line.
case "$1" in
    start)
        echo -n "Setting up VPN"
        route del default dev wlan0
        route add -host $PRETUNHOST gw $GW
        route add -host $VPNHOST gw $GW
        # Ping until the Air gateway answers: that means the network is up.
        while ! ping -c 1 $VPNHOST >/dev/null 2>&1 ; do sleep 2; done
        # Start openvpn the way I want it.
        cd /root/bin
        openvpn --daemon --config "$OVPNCONF"
        # Wait for tunnel to appear
        while ! route -n | grep -q tun ; do sleep 1; done
        route del -host $PRETUNHOST dev wlan0
        route add default dev tun0
        # Add routes to hosts to visit outside tunnel, e.g.:
        route add -host airvpn.org gw $GW
        rc_status -v
        ;;
    stop)
        echo -n "Stopping VPN "
        killall -w -SIGTERM openvpn
        # Wait until the tun device is gone before taking the main interface down.
        while route -n | grep -q tun; do sleep 1; done
        ifdown wlan0
        rc_status -v
        ;;
    try-restart|condrestart)
        # Restart only if the service was active before (LSB try-restart;
        # Red Hat calls the same thing condrestart).
        if test "$1" = "condrestart"; then
            echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
            $0 restart
        else
            rc_reset    # Not running is not a failure.
        fi
        rc_status
        ;;
    restart|retunnel)
        # Tear down tunnel and main interface, bring the interface back up
        # without a tunnel, then run start again.
        echo -n "Restarting: Stop..."
        $0 stop
        sleep 5
        route -n
        echo -n "Restarting: Notunnel..."
        $0 notunnel
        sleep 5
        echo -n "Restarting: Start..."
        $0 start
        $0 status
        rc_status -v
        ;;
    force-reload|reload)
        $0 restart
        rc_status -v
        ;;
    status)
        echo "Checking VPN"
        # Succeeds (exit 0) only while a tun device is in the routing table.
        route -n | grep "tun"
        rc_status -v
        ;;
    notunnel)
        # Bring the main interface up without starting the tunnel.
        ifup wlan0
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|retunnel|notunnel|force-reload|reload}"
        exit 1
        ;;
esac
rc_exit


Are you asking or providing a solution?

Since in case you are providing a working setup, you should have posted it in the "General and Suggestions" sub forum.

Reading your suggestions, I can say that OpenVPN takes care of most of this, like pinging the tun0 gateways and checking routes. Are you sure that all these steps are really needed, to make sure they happen manually?

A shorter solution would be simply checking the OpenVPN log file, in case of an error with any of the steps you mention. Nevertheless, welcome to the community and hope you like the service.




I just read your topic again and it looks like you are trying to provide a tech solution for a headless OpenVPN init. While your general steps were fine, there are a few small caveats that users have to keep in mind.

For example, you suggested to add:

route add -host gw $GW

Your "deletion" rule is very explicit to your own OS and setup:

route del -host dev wlan0

You cannot assume that all users will know to replace wlan0 with their own adapter, on all major OS branches. So this makes your deletion rule work on very small Linux distros, generating an error on other distros where the adapter is not Wifi and/or not named wlan0, leading us to potential DNS leaks, since any local system presenting itself as (or, for this matter, even the real Google Anycast ISPs) will get all the DNS traffic from all interfaces, causing a DNS leak that services such as AirVPN try to prevent in the first place.

You should never hardcode your own system variables in such guides; just as a tip for your later posts, a better way would be getting it from local system utilities and using them as environment variables.

For example, a proper way to get the default adapter name on most Linux systems would be running the following command:

netstat -r | awk '/default/ { print $8 }'



Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
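As an added example (not code from the thread, and not AirVPN's), here is a small POSIX shell script that does what the reply above recommends: it reads the default interface and gateway from the routing table instead of hardcoding wlan0, and it adds a check for whether the default route actually goes through the tunnel. The functions read `route -n` output on stdin so they can be exercised on the constructed sample tables embedded below; the column positions assume the Linux net-tools `route -n` layout (Destination, Gateway, Genmask, Flags, Metric, Ref, Use, Iface). The tunnel check also goes beyond the first post's `route add default dev tun0`: it recognises OpenVPN's `redirect-gateway def1` style, where two /1 routes on tun0 override the default route without replacing it.

```shell
#!/bin/sh
# Added example (not from the thread): discover the main interface and gateway
# from the routing table, and check whether default-bound traffic leaves via
# a tun interface. All functions read `route -n` output on stdin.

# Interface carrying the default route (column 8 of `route -n`).
default_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

# Gateway of the default route (column 2), only when the G flag is set;
# prints nothing for a device route such as "default dev tun0".
default_gw() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Exit 0 when all default-bound traffic leaves via a tun* interface. Covers
# both a replaced default route (this thread's `route add default dev tun0`)
# and OpenVPN's redirect-gateway def1 style, which adds 0.0.0.0/128.0.0.0 and
# 128.0.0.0/128.0.0.0 on tun0 and leaves the original default in place.
tunnel_active() {
    awk '
        $1 == "0.0.0.0"   && $3 == "0.0.0.0"   { full = ($8 ~ /^tun/) }
        $1 == "0.0.0.0"   && $3 == "128.0.0.0" { lo   = ($8 ~ /^tun/) }
        $1 == "128.0.0.0" && $3 == "128.0.0.0" { hi   = ($8 ~ /^tun/) }
        END { exit !(full || (lo && hi)) }
    '
}

# report NAME TABLE -> one line "NAME: iface=... gw=... tunnel=up|down"
report() {
    if printf '%s\n' "$2" | tunnel_active; then state=up; else state=down; fi
    printf '%s: iface=%s gw=%s tunnel=%s\n' "$1" \
        "$(printf '%s\n' "$2" | default_iface)" \
        "$(printf '%s\n' "$2" | default_gw)" "$state"
}

# Constructed sample tables (what `route -n` prints in the three situations).
BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# After this thread's script: default replaced by a device route on tun0,
# host route to the VPN server (documentation address) kept on eth0.
AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
10.4.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0'

# After OpenVPN with redirect-gateway def1: original default still present.
DEF1='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
0.0.0.0         10.4.0.1        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.4.0.1        128.0.0.0       UG    0      0        0 tun0
10.4.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0'

report before "$BEFORE"   # before: iface=eth0 gw=192.168.1.1 tunnel=down
report after  "$AFTER"    # after: iface=tun0 gw= tunnel=up
report def1   "$DEF1"     # def1: iface=eth0 gw=192.168.1.1 tunnel=up
```

On a live system the same functions read the real table, e.g. `GW=$(route -n | default_gw)` before the default route is touched, and `route -n | tunnel_active || echo "tunnel down"` as the status check; the `def1` case matters because a status check that only greps for `tun` would also report "up" while the physical default route is still the one being used.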


Thank you for your suggestions. I intended to post under How To, but couldn't, so posted it here.


Yes, it was meant as an example of setting up the tunnel *without* user interaction, and very specific to my setup. It should serve as a point to start. Anyone doing something like this I expect to be sufficiently fluent in Linux to adapt the example to their own needs. I was in no way intending to write a complete, one-fits-all guide. And yes, at least for my configuration, all these steps were necessary to get it working properly and reliably.


To clarify: The point of posting was to share the idea of having the tunnel setup *before* the user starts "surfing". Why? Well, at least on my system, without this, the sequence of events was like this:

  1. Boot up. Network gets established.
  2. System reaches runlevel 5.
  3. User logs in. Email client and web browser are restored from the last session.
  4. Email client, web browser, package manager, ntp, and what not, are busily connecting using the main network connection!
  5. User starts VPN tunnel, if it is not forgotten.
  6. Browser still has some connections left via the un-tunneled gateway. (Checked with etherape).

This clearly identifies your main connection points: Email, homepage, maybe your default "I always check these pages" sites, ...and so on. That is already a lot an ISP can make use of, for whatever reasons. I was not happy with that, that's why I created this script. With the new setup, the only thing the ISP ever sees is that a VPN tunnel to an Air server gets set up, using Google DNS. Much less information!


As they so nicely say on the internet, YMMV!


I block all traffic to my ISP with some few ufw rules and then I use Eddie with network blocked.
