Win - Mac - BSD Block traffic when VPN disconnects

[Staff 9972]

This thread is huge and mind boggling.

I have AirVPN,

Utorrent Version 1.8.1 (28758)

Mac OS X Lion 10.7.5 (11G63)

Is there a tutorial for adding these rules so traffic will be blocked if VPN drops?

Sorry if its already here…

Thanks

Hello!

You can use pf which is included by default in Mac OS X 10.7.x. Thanks to jessez the guide is available here:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=36&Itemid=142#2532

Kind regards

[azarenko 0]

thanks a lot for this topic!

I have a problem with Skype. For example, I use this pf.conf

block all

all traffic stops to go with my computer, I see it through Little Snitch. But! If I open Skype, it begins to send packets of bytes 20-30 to different ip addresses. It would seem that we have banned all incoming and outgoing connections, all programs are "heard", but not Skype. He sends the first UPD packages, then TCP.

It is worth noting that the incoming traffic is not on Skype, just the outgoing.

I give the screenshots http://s17.postimage.org/uj74908jj/image.png, I should note, not to mislead you, "Connect : 2 blocked" - this is port 80 and 443, I blocked them via Little Snitch. But it took over port 40030 36 bytes. The second screenshot http://s8.postimage.org/65euovmyt/123.png shows how much data has gone through the UPD ports - 3.93 kilobyte.

[Staff 9972]

@azarenko

Hello!

Apparently the screenshots you posted seem to confirm, not to deny, that pf is successfully dropping Skype packets.

Kind regards

[azarenko 0]

admin, why do you think so? why only skype appears in the lists of Little Snitch? I also run other programs - TeamViewer, torrent, ICQ, opera

None of these programs does not appear in the list, only skype.

How else can I check whether the data leaks away from my computer?

thanks!

[Staff 9972]

admin, why do you think so? why only skype appears in the lists of Little Snitch? I also run other programs - TeamViewer, torrent, ICQ, opera

None of these programs does not appear in the list, only skype.

How else can I check whether the data leaks away from my computer?

thanks!

Hello!

Try and monitor the packet flow in your interface (while disconnected from the VPN and everything should be blocked) with Packet Peeper or similar tools:

http://packetpeeper.sourceforge.net

If you see that packets flow out from your network card to various destinations, re-check your pf setup, make sure it is active, and if everything is confirmed please report to pf developers and/or Apple customer support.

Kind regards

[azarenko 0]

If the connection drops, no packets will go out, so you will be able only to reconnect to the VPN and nothing else until you disable pf with <code>pfctl -d</code>. Also, those rules will prevent DNS leakage.

 

Hello!

After this command, I work only those DNS servers, which are set in the configuration Wi Fi and the file resolv.conf.

How can I cancel this command? Will only reinstall the system?

The thing is, before I used DNS server 127.0.0.1. And when I connect to VPN, he used the DNS server his ISP. Now any DNS server is not listed in file resolv.conf (configuration Wi Fi) not working

[jessez 3]

Hi azarenko,

This will help get your mac back on the internet at any time (just don't forget when you do pfctl -d , and these two others you are disabling the firewall and leaving yourself exposed to some level of threat, although if you are behind a router that risk is negligible):

Flush any existing rules at any time with: sudo pfctl -Fa

Or for worst case scenario:

To stop the firewall from loading at boot, paste:

sudo sysctl -w net.inet.ip.fw.enable=0

in the terminal, hit enter, reboot the mac, and you'll be clean with no ipfw firewalling when it restarts.

It won't restart until you pfctl - e

Br,

jz

[adriankoooo 0]

Can you please post me a working iptables config for fixed ip?

inet addr:192.x.x27 Bcast:192.x.x.31 Mask:255.255.255.240

[jessez 3]

Hi adriankoooo,

That shouldn't be a problem (I think), however some details would be useful. What operating system and version are you using, and could you clarify this please?: inet addr:192.x.x27 -- theres only two dots so some typo.

If you are using RHEL6 or clones there is a script here that could be modified to suit your environment. Let me know if you want to try that and if so if you need help with it.

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=7000&Itemid=142

Br,

jz

[azarenko 0]

jessez, but I do not want to disable pf.conf.

When I first read your messages and start to execute commands pfctl - e and pfctl-f / etc / pf.conf, DNS servers are functioning properly. And when I used the command pfctl - d, then the DNS servers stopped working.

[Weduku 0]

Hi,

I just switched to Comodo to setup Torrent blocking when VPN drops. I created a rule exactly like this one https://airvpn.org/media/kunena/attachments/62/comodo_rule1.jpg

Initially, it appears to be working (sometimes), allowing connections with VPN and blocking when disconnecting. But there's a problem. When I connect or disconnect the VPN, Comodo will show me a windows telling me that the torrent client wants to accept a connection and wants me to allow or deny it. Now, if I either allow or deny, that allow or denial will disregard the rule I already created, and it no longer works as intended. If I click Allow, it will allow all connections, even when disconnected from the VPN. I don't understand why Comodo asks me to allow or deny this, why can't it just use the rule I created instead of breaking it? Allowing or denying is just a simple yes or no, it doesn't take into account that I've blocked connections outside the specified IP area, and it appears to override my rule.

[Weduku 0]

I think I've found a solution that works. I had different problems with the posted rule for Comodo - it would ask me for accept/deny, but I also noticed that it would sometimes block downloads, but allow uploads. Don't ask me why, because I don't know.

I'm now using the posted rule for Comodo, but I've also created an equivalent rule for incoming connections, it

s the same, but for incoming. Then I made a rule which is basically "Allow all connections", and I put it at the bottom, under the two block rules. This rule appears to be stopping Comodo from asking me to allow/reject a connection? Anyway, it seems to be working now.

[zalbard 0]

Therefore, in order to block a program to send out packets when you're not connected to Air, just block (for any program you wish) any outgoing packet NOT coming from range 10.4.0.0->10.9.255.255, from any port to any port. Comodo supports both IP ranges (without need of CIDR notation) and the NOT operator.

Thank you for your help. What would be the appropriate range for IPv6?

[zalbard 0]

Therefore' date=' in order to block a program to send out packets when you're not connected to Air, just block (for any program you wish) any outgoing packet NOT coming from range 10.4.0.0->10.9.255.255, from any port to any port. Comodo supports both IP ranges (without need of CIDR notation) and the NOT operator.[/quote']

Strange, my previous post disappeared...

Anyway, thanks for your help!

What would be the appropriate IPv6 range in this case?

[B3NJAMIN 3]

Hello

Solution with Coodo is really straightforward.

Are you maye aware of any Linux (ubuntu) solution, which can be used as Comodo on Windows?

Default gufw can not be configured that way, I haven't been able to find a proper simple solution....

Thank you

<em>EDITED ON 21 Aug 12</em>

<em>EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of message</em>

Hello!

You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude.

Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection).

a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you have already chains.

Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.

<code>iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access

iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server

iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server

iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network

iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain

iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects

</code>

When you add the above rules, take care about pre-existing rules, if you have already some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server.

In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs.

<strong>Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN client scripts</strong>

In this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following line at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router):

<code>nameserver 10.4.0.1 # in order to use AirVPN DNS

nameserver 8.8.8.8 # in order to use Google DNS only if AirVPN DNS is unavailable</code>

Kind regards

Hi,

I have added this in my Linux system and it works fine

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT

iptables -A INPUT -s 255.255.255.255 -j ACCEPT

iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

iptables -A OUTPUT -o tun0 -j ACCEPT

iptables -A OUTPUT -d a.b.c.d -j ACCEPT

iptables -A OUTPUT -j DROP

I hope it can help u guys

btw, thx for this great service AirVPN, u rock!

[chewy74 2]

I saw a couple of Symantec (Nortons) users users and wanted to share my settings for preventing dns leaks in the event of vpn disconnect.

 

I use symantec endpoint v11

 

This rule is to ALLOW all traffic while connected to VPN

 

Go into the Network Threat Protection - > Configure Firewall Rules

 

Under General tab

Rule name-> [vpn connected*or whatever you want*]

Action - > Allow this traffic

Firewall settings Apply this rule to the following network adapter - > TAP-Windows Adapter V9

Apply this rule while the screen saver is - > Either on or off

Check the box to record packet traffic if you want it logged

 

Hosts tab

Remote host - > All hosts (or filter by IP or Mac id if you want)

 

Ports and Protocols tab

Protocol - > all IP protocols

Traffic direction - > Both

 

Applications tab

Click the browse button to navigate to your utorrent, or other torrent client's exe and select

 

Scheduling tab

I didn't configure this section since I want this rule active at all times

 

This rule is to BLOCK all traffic while DISCONNECTED from VPN

 

Go into the Network Threat Protection - > Configure Firewall Rules

 

Under General tab

Rule name-> [vpn disconnected*or whatever you want*]

Action - > BLOCK this traffic

Firewall settings Apply this rule to the following network adapter - > SELECT YOUR LAN OR WIRELESS ADAPTER (whichever you use regularly)

Apply this rule while the screen saver is - > Either on or off

Check the box to record packet traffic if you want it logged

 

Hosts tab

Remote host - > All hosts (or filter by IP or Mac id if you want)

 

Ports and Protocols tab

Protocol - > all IP protocols

Traffic direction - > Both

 

Applications tab

Click the browse button to navigate to your utorrent, or other torrent client's exe and select

 

Scheduling tab

I didn't configure this section since I want this rule active at all times

 

I've been using these 2 rules for and they seem to be working fine. If you use 3rd party torrenting apps like transdroid to control utorrent, you will need to add a separate allow rule with your internal IP RANGES your network uses and allow on all network adapters.

 

Hope this was useful

[zalbard 0]

When you connect to AirVPN, regardless of the server you're connected to, your TUN/TAP adapter is DHCP-assigned an IP address in the range specified by our Technical Specs page. https://airvpn.org/specs/

 

Therefore, in order to block a program to send out packets when you're not connected to Air, just block (for any program you wish) any outgoing packet NOT coming from range 10.4.0.0->10.9.255.255, from any port to any port.

Is it also possible to somehow limit IPv6 traffic in a similar way?

[resettler 0]

I saw a couple of Symantec (Nortons) users users and wanted to share my settings for preventing dns leaks in the event of vpn disconnect.

 

I use symantec endpoint v11

 

Does your method work to block programs/applications from sending out packets when I am not connected to AirVPN?

[chewy74 2]

Yes, it does. I just checked the packet log.

 

I saw a couple of Symantec (Nortons) users users and wanted to share my settings for preventing dns leaks in the event of vpn disconnect.

I use symantec endpoint v11

 

Does your method work to block programs/applications from sending out packets when I am not connected to AirVPN?

[resettler 0]

Yes, it does. I just checked the packet log.

 

Thanks for your reply.

 

Have you used Comodo (free edition) for the same purpose?

 

If yes, how would you rate Symantec Endpoint Protection against Comodo in terms of the effectiveness of blocking programs/applications from accessing the internet when the VPN is disconnected?

[resettler 0]

Hosts tab

Remote host - > All hosts (or filter by IP or Mac id if you want)

 

I have the following questions:

 

1. What is meant by "hosts"?

 

2. Which is more effective: filter by IP or filter by MAC?

[chewy74 2]

I've never used comodo, but endpoint stopped all torrent traffic when I disconnected vpn adapter. So it did it's job well for me.

 

 

 

Yes, it does. I just checked the packet log.

Thanks for your reply.

 

Have you used Comodo (free edition) for the same purpose?

 

If yes, how would you rate Symantec Endpoint Protection against Comodo in terms of the effectiveness of blocking programs/applications from accessing the internet when the VPN is disconnected?

1. Any device that tries to connect to your pc

 

2. That depends on what you're trying to accomplish with your allow/block rule. With ip you can set an ip range vs. Mac id let's you only block a single device

 

 

 

Hosts tab

Remote host - > All hosts (or filter by IP or Mac id if you want)

I have the following questions:

 

1. What is meant by "hosts"?

 

2. Which is more effective: filter by IP or filter by MAC?

[mstenzel 0]

Hi,

 

thank you very much for the very useful information (refer. to message #32):

 

I am facing a problem, though:

 

The line

 

iptables -A POSTROUTING -t nat -o tun+ -j MASQUERADE

 

gives the following error message:

 

iptables: No chain/target/match by that name.

 

The line 

 

iptables -A POSTROUTING -t nat -o tun+ -j MASQUERADE -v

 

gives additionally:

 

MASQUERADE all opt -- in * out tun+ 0.0.0.0/0 -> 0.0.0.0/0

 

 

I flushed all the previous rules before to rule out any bias.

 

 

How to proceed?

 

Thank you in advance, Martin Stenzel

 

 

P. S. System is a suse linux box with a wlan card.

[tonynca 0]

Does anyone know how to allow Windows sharing to be routed through the pf rules?

[trustissues 2]

 

Hello

Solution with Coodo is really straightforward.

Are you maye aware of any Linux (ubuntu) solution, which can be used as Comodo on Windows?

Default gufw can not be configured that way, I haven't been able to find a proper simple solution....

 

Thank you

 

EDITED ON 21 Aug 12

EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of message

 

Hello!

 

You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude.

 

Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection).

 

a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you have already chains.

 

Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.

 

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j  ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT 
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP  # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects

 

When you add the above rules, take care about pre-existing rules, if you have already some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server.

 

In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs.

 

 

Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN client scripts

 

In this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following line at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router):

nameserver 10.4.0.1 # in order to use AirVPN DNS
nameserver 8.8.8.8 # in order to use Google DNS only if AirVPN DNS is unavailable

 

Kind regards

 

I was able to get this working after a few google/manual page readings specific to my setup, and appreciate the write-up.

 

I did have a question though, is it possible to include multiple VPN addresses in the DROP all but VPN source line? I'd like to be able to reach several different AirVPN addresses without having to edit the rules and re-load iptables each time.

 

iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP

 

I tried adding several airVPN server addresses, but I belive the order of rules has an effect and it seems only the last one can be followed. In below example, only ip "i.j.k.l" is accessible outside of VPN. Is there a way to have 2-3 addresses per rule?

 

iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP

iptables -A OUTPUT -o eth+ ! -d e.f.g.h -j DROP

iptables -A OUTPUT -o eth+ ! -d i.j.k.l -j DROP