Staff 9973 Posted ...

Hello,

you can't specify multiple IP addresses with the not (!) operator ("! not allowed with multiple source or destination IP addresses").

So, you might simply DROP everything in OUTPUT (default policy):

iptables -P OUTPUT DROP

but ACCEPT all packets to the entry-IP addresses of the VPN servers you wish to connect to, to the IP range of your home network and to allow DHCP:

iptables -A OUTPUT -o eth+ -d a.b.c.d,e.f.g.h,...,w.x.y.z -j ACCEPT
# in this rule we use the "," operator to specify multiple IP addresses in just one line, but you can split the rule in multiple lines if you prefer so
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

Kind regards
trustissues 2 Posted ...

Thanks for the clarification. I am now able to connect to multiple AirVPNs and all other access is blocked, but it seems to have created a new issue somehow affecting DNS resolution. Even specifying "nameserver 10.4.0.1" as the first line in /etc/resolv.conf does not allow me to browse successfully (or ping google/yahoo). Here are the differences between working/non-working iptables configurations (after executing iptables-save, just the relevant pieces that seem to be causing a difference):

working completely:

*filter
:INPUT ACCEPT [3:522]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT ! -d a.b.c.d/32 -o wlan+ -j DROP

connects but no name resolution:

*filter
:INPUT ACCEPT [14:2408]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [13:745]
-A OUTPUT -d a.b.c.d/32 -o wlan+ -j ACCEPT

Do I also need to create a rule for incoming or outgoing connections to the correct nameserver?
Staff 9973 Posted ...

Hello,

yes, you need to allow packets from
10.4.0.0/16 to any
10.5.0.0/16 to any
...
10.9.0.0/16 to any

and packets from any to 10.4.0.0/16, 10.5.0.0/16 etc.

Kind regards
trustissues 2 Posted ...

Thanks for the guidance. Took me a while to figure out how to "translate" it to iptables syntax, and for the life of me I couldn't get any lookups to work with the AirVPN DNS servers, so I switched to OpenDNS (208.67.222.222 / 208.67.220.220) and haven't had any issues. I hope this isn't considered less secure. Also put those in my /etc/resolv.conf as the top lines, and I have DNS working for both pre-connection (to wlan+) and VPN-connected (through tun+).

I won't get into too many details this post, but the reason I want pre-connection DNS access is so that I can bypass the VPN for certain sites so that that activity isn't sticking out if anyone was watching the other ends, in order to keep up appearances I guess (like popular e-mail or banking, those required sites to be productive these days that are run by shill corporations willing to forfeit all your info and login behavior). I'm still learning so maybe not the best way to go about it; it's almost like you need a separate browser or system user to pipe connections through. It seems that they all enable many more connections than just the login page, and I'm not sure what information is passed on to each connection.

For the iptables though, if anyone else is interested, here is how it works using the methodology of allowing multiple VPN IP addresses for connecting through wlan+, then blocking everything else in OUTPUT. I saved it using "iptables-save > /etc/firewall.conf", and re-load it using a startup script "iptables-restore < /etc/firewall.conf".

(Also IP addresses have been removed in the example and are represented as "x.x.x.x")

# Drop all OUTPUT, only allow VPN traffic (for the most part)
# +Allow direct access to several VPN servers to wlan+
# +Allow direct access to personal login sites not wishing to tunnel through VPN
# +Allow OpenDNS access to wlan+, so that non-VPN sites specified can still be looked up and later accessed in the browser.
# (must also add these non-VPN sites to routing table, so that they can be bypassed outside of tun+)

## FILTER
*filter
:INPUT ACCEPT [3:291]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [6:344]
# Loopback / Lan (INPUT)
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
# DNS (INPUT) - replies from the two OpenDNS resolvers 208.67.222.222 and 208.67.220.220, udp/53 only
-A INPUT -s 208.67.222.222 -p udp -i wlan+ --sport 53 -j ACCEPT
-A INPUT -s 208.67.222.222 -p udp -i tun+ --sport 53 -j ACCEPT
-A INPUT -s 208.67.220.220 -p udp -i wlan+ --sport 53 -j ACCEPT
-A INPUT -s 208.67.220.220 -p udp -i tun+ --sport 53 -j ACCEPT
-A FORWARD -i wlan+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o wlan+ -j ACCEPT
# Loopback / Lan (OUTPUT)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -s 192.168.0.0/16 -j ACCEPT
# DNS (OUTPUT) - queries to the same two OpenDNS resolvers
-A OUTPUT -d 208.67.222.222 -p udp -o wlan+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.222 -p udp -o tun+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220 -p udp -o wlan+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220 -p udp -o tun+ --dport 53 -j ACCEPT
# AirVPN Access
-A OUTPUT -o wlan+ -d x.x.x.x/32,x.x.x.x/32,x.x.x.x/32 -j ACCEPT
# Routing outside of VPN (sample OUTPUT, not complete b/c many sites end up opening multiple connections.
# Still researching best methodology to bypass and also make sure that routing table puts these through wlan rather than tun connection)
-A OUTPUT -d x.x.x.x/32 -o wlan+ -j ACCEPT
COMMIT

## NAT
*nat
:PREROUTING ACCEPT [62:24525]
:INPUT ACCEPT [5:953]
:OUTPUT ACCEPT [24:1496]
:POSTROUTING ACCEPT [1:90]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT

And if anyone wanted to use AirVPN DNS, this would be the syntax for the config file, although again I could not get this working right, even with "nameserver 10.4.0.1" in resolv.conf:

-A INPUT -s 10.4.0.0/16 -p udp -i tun+ --sport 53 -j ACCEPT
-A OUTPUT -d 10.4.0.0/16 -p udp -o tun+ --dport 53 -j ACCEPT
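As an added example (my own, not AirVPN's and not the ruleset posted above), here is the same OUTPUT-DROP design as a small generator for iptables-restore: one ACCEPT per VPN entry address, since "!" cannot take a list, plus an IPv6 table that drops everything and INPUT/FORWARD DROP policies with a stateful exception, which are stricter than the ACCEPT policies in the thread's ruleset. The interface pattern and every address in it are assumptions or placeholders.

```shell
#!/bin/sh
# Added example, not AirVPN's or the poster's code: generate an iptables-restore
# ruleset for the OUTPUT-DROP kill switch from this thread, one ACCEPT per VPN
# entry address (since "!" cannot take a list).  All addresses are constructed
# placeholders from the RFC 5737 documentation ranges; replace them with yours.
set -eu

PHYS_IF="wlan+"                                 # physical uplink pattern (assumption)
VPN_ENTRY_IPS="203.0.113.10 203.0.113.11 198.51.100.7"
LAN_NET="192.168.0.0/16"                        # home network, as in the thread

# Accept only a dotted quad with four octets in 0..255, so a leftover
# placeholder such as a.b.c.d is caught here rather than half-way through a load.
validate_ipv4() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# IPv4 filter table in iptables-save format.  INPUT/FORWARD are DROP with a
# stateful exception, stricter than the ACCEPT policies in the thread's ruleset.
build_ruleset() {
    for ip in $VPN_ENTRY_IPS; do
        validate_ipv4 "$ip" || { echo "bad VPN entry address: $ip" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # INPUT: replies to our own traffic, loopback, the tunnel, the LAN, DHCP answers
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -i tun+ -j ACCEPT'
    echo "-A INPUT -s $LAN_NET -d $LAN_NET -j ACCEPT"
    echo '-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT'
    # OUTPUT: loopback, the tunnel, DHCP requests, the LAN, and the VPN servers
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -o tun+ -j ACCEPT'
    echo '-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT'
    echo "-A OUTPUT -s $LAN_NET -d $LAN_NET -j ACCEPT"
    for ip in $VPN_ENTRY_IPS; do                # reachable on the uplink only
        echo "-A OUTPUT -o $PHYS_IF -d $ip/32 -j ACCEPT"
    done
    echo 'COMMIT'
}

# IPv6 counterpart for ip6tables-restore: the tunnel here carries IPv4 only, so
# everything except loopback is dropped and nothing can leak around the VPN over v6.
build_ruleset6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

# Only touch the kernel when explicitly asked (needs root): ./killswitch.sh apply
case "${1:-}" in
    apply) build_ruleset | iptables-restore; build_ruleset6 | ip6tables-restore ;;
    show)  build_ruleset; build_ruleset6 ;;
esac
```

Run it with "show" first and read the output; "apply" loads both tables atomically, so a typo in the address list is rejected before anything reaches the kernel.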
dickles 0 Posted ...

Hey Guise. For several weeks, I have been working on an app/script that will kill my Bittorrent client upon disconnection from AirVPN. I thought I would share it with all of you because it seems to be working pretty well. Unlike complicated iptables (I tried but I just couldn't wrap my head around it), my script pings AirVPN's DNS server and does a secondary check for IP address changes if the ping is unresponsive. I converted the script to an executable Mac application via Platypus for aesthetics, but you can run it in a Terminal window if you don't mind having Terminal open. Unfortunately, this is only my 2nd post in the AirVPN forums so I can't attach my app to this post, so you will have to convert the script via Platypus yourself. Obviously, my script can be improved on and I welcome the feedback. I am a hobbyist and in no way am I a software developer. Also, I do not assume any risk for the script causing you leaks. That being said, the script has worked well for me and saved me from leaks using the 8 second delay between checks. You can adjust the frequency and other variables if you like.

#!/bin/bash

# Get public IP by digging OpenDNS
NEW_IP=$(dig +short myip.opendns.com @208.67.222.222 @208.67.220.220)

# Log used to check for IP changes
IPLOG=./ip.log
touch "$IPLOG"

# A log for logging IPs - mostly used for the GeekTool component
TORLOG=./tor.log
touch "$TORLOG"

# Remember the IP seen while connected, so later checks can compare against it
OLD_IP=$NEW_IP

# How many seconds between VPN connectivity checks
DELAY=8

# Name of your BitTorrent client
BITTORRENT_APP=uTorrent

# Log current IP
echo "$NEW_IP" > "$IPLOG"

while true; do
    # Ping AirVPN's DNS server to see if VPN is connected
    if ping -c 1 10.5.0.1 > /dev/null 2>&1; then
        # DNS server is pingable, IP and status are logged
        echo "$NEW_IP" | tee -a "$TORLOG"
        echo "AirVPN Connected" | tee -a "$TORLOG"
    else
        # If ping does not respond, look the public IP up again and check for a change
        echo "Verifying..." | tee -a "$TORLOG"
        NEW_IP=$(dig +short myip.opendns.com @208.67.222.222 @208.67.220.220)
        echo "$NEW_IP" > "$IPLOG"

        # If your IP has changed (an empty answer, e.g. no DNS at all, also counts)
        if [ "$NEW_IP" != "$OLD_IP" ]; then
            # Kill your BitTorrent client
            killall "$BITTORRENT_APP"

            # Log new IP and status
            echo "$NEW_IP" | tee -a "$TORLOG"
            echo "AirVPN Disconnected!" | tee -a "$TORLOG"

            # Play a sound
            afplay ./dingding.mp3

            # Exit the script / Quit Application
            killall TorWatch
            exit
        fi
    fi

    # Wait until the next check if VPN is connected
    sleep "$DELAY"
done
emoltz 0 Posted ...

Good day,

You all can talk over my head in a heartbeat, but I have to try and learn this. I am using XP Pro. I am looking into being very private, and after some reading I am thinking about "what if the VPN disconnects". I would love a simple way to set it up so that if I am disconnected, that very instant all traffic is stopped / open windows closed when the VPN disconnects on its own, so no one can see what I was doing or looking at etc., with my computer waiting for me to tell it to reconnect to the VPN or continue without the VPN. Is this possible?
NaDre 157 Posted ...

One way is described here: https://airvpn.org/topic/9787-the-pros-and-the-cons/?p=11501

If all you want is to block traffic when the VPN drops, you can have a one-line .bat file to remove the default gateway, as described in the second half of that post, which you run after starting the VPN and before you start the torrent client.
pitboost 0 Posted ...

<snip>
<snip>
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP
# if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
<snip>
Kind regards

I made these rules, but when I look at them with the iptables -L command, it shows d.a.c.b as the DNS name of the AirVPN entry address. Is this normal? Does the iptables -L command just look up the DNS name from the IP in the rules, or is the rule by DNS name now?

iptables -L output:

DROP all -- anywhere !dns.name-of-entry-ip.com
Dr5GF7mKcX 1 Posted ...

Complicated... I am trying to do something similar but I could use some help. I travel a lot, and have to use many open wifi networks as a result. What I would like to do (ideally in Little Snitch, but I could use IceFloor instead) is to:

1) Restrict access on any WiFi network except those I declare as 'safe' ONLY to:
a) The local network (to be able to navigate to html pages to input passwords and userids)
AirVPN addresses to connect to the VPNs in European countries, depending upon where I'm travelling, using the AirVPN Mac client)

From the above I cannot figure out how to do this, as all the references to the local network appear to be specific address ranges, and of course I cannot predict what local network address ranges any given wifi address will use.
gopro 0 Posted ...

hi! Today I installed OS Maverick. This is my pf.conf:

block drop out inet from 192.168.0.0/16 to any
block drop out inet from 10.2.0.0/16 to any
block drop out inet from 172.16.0.0/16 to any
# Vpn
pass out quick inet from 192.168.0.0/16 to { ip } flags S/SA keep state
pass out quick inet from 10.2.0.0/16 to { ip } flags S/SA keep state
pass out quick inet from 172.16.0.0/16 to { ip } flags S/SA keep state
# Local network
pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
# Allow all on lo0
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
# Everything tunneled
#pass out quick inet from 10.10.0.0/24 to any flags S/SA keep state

By the way, does it have errors? (I do not know what the last line is for.)

Then I executed the command

MacBook-Air-admin:~ admin$ sudo pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled

and

MacBook-Air-admin:~ admin$ sudo pfctl -f /etc/pf.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled

What is the problem here?

pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

And I still have a problem: after restarting, the firewall does not work, and we have to re-enter the two commands (sudo pfctl -e, sudo pfctl -f /etc/pf.conf). On OS X Mountain Lion it was the same, but on OS X Lion everything worked well: after a reboot it was not required to enter the commands.
Sipo 0 Posted ...

Any way to do this with Agnitum Outpost? Bought it years ago and wouldn't want to change to Comodo. It seems that even though it might be able to allow the AirVPN IP range, it's not possible to block others. And if you block all for an application, you cannot allow some IPs..
sasv 0 Posted ...

I've been able to deny all connections to external networks unless my OpenVPN connection is active using pf.conf. Into /etc/pf.conf, at the end, I add:

## Allow connection via Viscosity only
#
wifi=en1 # change this to en0 on MacBook Airs and other Macs without ethernet ports
vpn=tun0
vpn2=tap0
set skip on lo # allow local traffic (options such as "set skip" must come before the block/pass rules)
block all
pass on p2p0 # allow AirDrop
pass on p2p1 # allow AirDrop
pass on p2p2 # allow AirDrop
pass quick proto tcp to any port 631 # allow AirPrint
pass on $wifi proto udp # allow only UDP packets over unprotected Wi-Fi
pass on $vpn # allow everything else through the VPN (tun interface)
pass on $vpn2 # allow everything else through the VPN (tap interface)

Then I enable the packet filter service with sudo pfctl -e and load the new rules with sudo pfctl -f /etc/pf.conf. Works great, BUT, I can't connect to the internet via VPN. I have no connection to the internet at all. My OS: Mac OS X 10.9.4.

P.S. I think the problem is in the last two lines:

pass on $vpn # allow everything else through the VPN (tun interface)
pass on $vpn2 # allow everything else through the VPN (tap interface)

Who can help me with that? Because "pass on $wifi proto udp # allow only UDP packets over unprotected Wi-Fi" works great; the clock updates its time automatically.
Dr5GF7mKcX 1 Posted ...

This thread is huge and mind boggling. I have AirVPN, uTorrent Version 1.8.1 (28758), Mac OS X Lion 10.7.5 (11G63). Is there a tutorial for adding these rules so traffic will be blocked if VPN drops? Sorry if it's already here… Thanks

Hello! You can use pf which is included by default in Mac OS X 10.7.x. Thanks to jessez the guide is available here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=36&Itemid=142#2532

Ummm, I don't see how that answers the question. It seems to assume you're using a desktop machine, and not a laptop.

I am on Mac OS X 10.9. If I use IceFloor, because of my security setup (normal user is non-admin), my laptop will not sleep, and it is really dreary to have to shut down and restart every time I have to take my laptop somewhere else. Like many people using a laptop, I'm routinely on wifi networks, some of which require something be done in a web browser in order to gain Internet access, some of which only require a WPA/WPA2 key, some of which require both.

What's really needed is a simple, straightforward series of commands that will allow people with Macs to use a laptop on many different WiFi networks that blocks non-LAN traffic unless the firewall is up. If anyone can point me to a specific set of commands that will implement this, I'd really be grateful; I'm reasonably technical but reading through many pages of instructions, for mixed Mac and PC uses, isn't really helpful; this thread is, frankly, a bit out of control. IMO. It is great that many people are helping many other people but I suspect I am not alone in wanting to be able to do this very simply, without reading pages and pages of variations on scripts. If after more than an hour spent reading various forum posts I have somehow missed finding the answer and it was here all the time, I'd love a reference to a specific, single message where the answer lies - otherwise, candidly, AirVPN staff should create one.

Again, IMO.
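As an added example for the laptop case asked about above (my own script, not AirVPN's, Eddie's or any poster's): a pf ruleset that blocks everything except the LAN, DHCP, the VPN entry servers and the tunnel itself, where the LAN range is computed from the Wi-Fi interface's current lease at load time rather than hard-coded. The interface names (en0, tun0/utun*), the two server addresses and the use of macOS's ipconfig are assumptions.

```shell
#!/bin/sh
# Added example, not AirVPN's or Eddie's code: a pf ruleset for a Mac laptop that
# moves between Wi-Fi networks.  The LAN range is computed from the interface's
# current address and netmask when the rules are loaded, instead of hard-coding
# 192.168.0.0/16.  VPN server addresses are constructed placeholders (RFC 5737).
set -eu

WIFI_IF="en0"                       # en1 on Macs that also have an Ethernet port (assumption)
VPN_IFS="{ tun0 utun0 utun1 }"      # whichever interface your VPN client creates (assumption)
VPN_ENTRY_IPS="203.0.113.10 203.0.113.11"

# Turn a dotted-quad address and a contiguous netmask into CIDR form:
# cidr_of 10.7.3.9 255.255.240.0 -> 10.7.0.0/20
cidr_of() {
    oldifs=$IFS; IFS=.
    set -- $1 $2                    # a b c d ma mb mc md
    IFS=$oldifs
    a=$1; b=$2; c=$3; d=$4; ma=$5; mb=$6; mc=$7; md=$8
    prefix=0
    for m in "$ma" "$mb" "$mc" "$md"; do
        while [ "$m" -gt 0 ]; do
            prefix=$((prefix + (m & 1))); m=$((m >> 1))
        done
    done
    echo "$((a & ma)).$((b & mb)).$((c & mc)).$((d & md))/$prefix"
}

# Emit pf.conf for the given LAN network.  "$wifi" and "$vpn" are pf macros and
# are escaped in the heredoc; everything else is substituted by the shell.
build_pf_conf() {
    lan=$1
    cat <<EOF
wifi = "$WIFI_IF"
vpn  = "$VPN_IFS"
table <vpn_entry> { $VPN_ENTRY_IPS }
set skip on lo0                                  # options must precede rules
block all                                        # default deny, in and out
pass out on \$wifi proto udp from any to 255.255.255.255 port 67   # DHCP discover/request
pass in on \$wifi proto udp from any port 67 to any port 68         # DHCP offer/ack (no state yet)
pass on \$wifi from $lan to $lan                 # router and captive-portal login page
pass out on \$wifi proto { tcp udp } to <vpn_entry>                 # reach the VPN servers
pass on \$vpn                                    # everything else only inside the tunnel
EOF
}

# Load the rules (needs root).  ipconfig reads the interface's current DHCP lease
# on macOS; "pfctl -e" fails harmlessly when pf is already enabled.
apply_pf() {
    lan=$(cidr_of "$(ipconfig getifaddr "$WIFI_IF")" "$(ipconfig getoption "$WIFI_IF" subnet_mask)")
    tmp=$(mktemp)                                # private file, not a predictable /tmp name
    build_pf_conf "$lan" > "$tmp"
    pfctl -e 2>/dev/null || true
    pfctl -f "$tmp"
    rm -f "$tmp"
}

# Only touch pf when explicitly asked: ./vpnlock.sh apply   (or: show)
case "${1:-}" in
    apply) apply_pf ;;
    show)  build_pf_conf "$(cidr_of 192.168.1.37 255.255.255.0)" ;;
esac
```

Re-run "apply" after joining a new network, since the LAN range is fixed at load time; a captive portal whose login page lives outside the LAN still needs its own pass rule.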
Staff 9973 Posted ...

Hello!

Activate the option "Network Lock" in our Eddie client for Mavericks and Yosemite. See also https://airvpn.org/topic/12175-network-lock

Feel free to tell us how Network Lock and Eddie work (in another thread) when you put your computer to sleep and then you wake it up: these situations need to be investigated (there are a lot of variables, for example you might put the computer to sleep in one network, and then wake it up in another network).

Kind regards
Avatara 0 Posted ...

Hi, I am using Norton Antivirus, can I set this up on there? Can you direct me to the best process for this. Thanks
rmartinezv 1 Posted ...

Hello, I'm new with AirVPN. I have Win8 and downloaded the client. When I make the first connection I use the network lock option, and now I can't get the laptop connected to the Internet without using the AirVPN client. How can I fix this? Thanks.
jb007 0 Posted ...

Check your DNS addresses of the network adapter that you're using (WiFi or Ethernet) and if necessary change it to Google's DNS (8.8.8.8 and 8.8.4.4).
Monotremata 22 Posted ...

Sorry to necro this thread but.. I had a quick and easy PF setup based on the rules posted on the first few pages, but apparently at some point it got replaced so now it's back to default. I was wondering, is it sufficient enough to just copy what Eddie adds to the pf.conf when it's enabled to the regular pf.conf?? I finally noticed in the logs that when network lock was enabled, Eddie modifies PF, then sets it back to 'normal' again when it's turned off. While it was running I ran 'sudo pfctl -sr' which showed me the currently loaded ruleset. Then I opened up the temporary PF file that was located in ~/.airvpn and saw the actual pf.conf that the network lock is using. Can I just copy these into the regular /etc/pf.conf and get the same results if Eddie happens to crash or not load?

The one I had before was fairly simple, it just blocked everything out, allowed local traffic on the 192 range, and allowed the 192 range to connect to the specific Air servers I had set up from my ethernet interface. But after reading more through this thread, and seeing what Eddie actually does to block traffic, I wanna add all the exceptions for IPv6, DNS, etc. Basically just do exactly what Eddie does, so I know it's the securest it can be. If it ever happens to shut down, say while I'm asleep, I want to make sure something like qBitTorrent (which I have running pretty much 24/7) isn't going to be allowed to run free until I can wake up and restart Eddie.
LZ1 672 Posted ...

Hello! For that bit at least, you can go to qBittorrent's Tools/Preferences > Advanced > Bind to Tun0 interface. Then it won't do anything if Eddie goes down.
Monotremata 22 Posted ...

Well hell that works! That's really my only concern if it goes down. Might as well take care of that instead!

EDIT: Holy crap that works!! I set it to uTun1 (that's what mine uses), restarted qBT, it started seeding something right away, I disconnected from Aquila and watched my upstream dwindle to nothing in Little Snitch hah. I have the network lock deactivated right now and am here editing this post, and qBT can't do a damn thing haha. Thanks LZ1! I've seen this mentioned on here elsewhere but figured it was something I'd probably screw up, but that was easy!