galilao 2 Posted ... Hello, Once the firewall is activated, I cannot connect to AirVPN. Below is the Tunnelblick log. There is a Permission denied (code=13) message.

2012-06-29 14:47:20 *Tunnelblick: OS X 10.4.11; Tunnelblick 3.2.2 (build 2891.2917)
2012-06-29 14:47:20 *Tunnelblick: Attempting connection with US sirius udp; Set nameserver = 1; monitoring connection
2012-06-29 14:47:20 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start US\ sirius\ udp.ovpn 1338 1 0 0 0 49 -atDASNGWrdasngw
2012-06-29 14:47:20 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/misterq/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/misterq/Library/Application Support/Tunnelblick/Configurations/US sirius udp.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Smisterq-SLibrary-SApplication Support-STunnelblick-SConfigurations-SUS sirius udp.ovpn.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart
2012-06-29 14:47:21 *Tunnelblick: kextload: /Applications/Tunnelblick.app/Contents/Resources/tun-20090913.kext loaded successfully
2012-06-29 14:47:21 *Tunnelblick: openvpnstart message: Loading tun-20090913.kext
2012-06-29 14:47:21 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Jan 8 2012
2012-06-29 14:47:21 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2012-06-29 14:47:21 Need hold release from management interface, waiting...
2012-06-29 14:47:21 MANAGEMENT: Client connected from 127.0.0.1:1338
2012-06-29 14:47:21 *Tunnelblick: Established communication with OpenVPN
2012-06-29 14:47:21 MANAGEMENT: CMD 'pid'
2012-06-29 14:47:21 MANAGEMENT: CMD 'state on'
2012-06-29 14:47:21 MANAGEMENT: CMD 'state'
2012-06-29 14:47:21 MANAGEMENT: CMD 'hold release'
2012-06-29 14:47:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-06-29 14:47:21 WARNING: file 'user.key' is group or others accessible
2012-06-29 14:47:21 LZO compression initialized
2012-06-29 14:47:21 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
2012-06-29 14:47:21 Socket Buffers: R=[42080->65536] S=[9216->65536]
2012-06-29 14:47:21 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
2012-06-29 14:47:21 Local Options hash (VER=V4): '22188c5b'
2012-06-29 14:47:21 Expected Remote Options hash (VER=V4): 'a8f55717'
2012-06-29 14:47:21 UDPv4 link local: [undef]
2012-06-29 14:47:21 UDPv4 link remote: 108.59.8.147:443
2012-06-29 14:47:21 MANAGEMENT: >STATE:1341017241,WAIT,,,
2012-06-29 14:47:28 MANAGEMENT: >STATE:1341017248,AUTH,,,
2012-06-29 14:47:28 TLS: Initial packet from 108.59.8.147:443, sid=160213a7 110c9416
2012-06-29 14:47:29 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
2012-06-29 14:47:29 VERIFY OK: nsCertType=SERVER
2012-06-29 14:47:29 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
2012-06-29 14:47:32 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2012-06-29 14:47:32 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2012-06-29 14:47:32 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2012-06-29 14:47:32 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2012-06-29 14:47:32 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2012-06-29 14:47:32 [server] Peer Connection Initiated with 108.59.8.147:443
2012-06-29 14:47:33 MANAGEMENT: >STATE:1341017253,GET_CONFIG,,,
2012-06-29 14:47:35 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2012-06-29 14:47:35 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.4.3.14 10.4.3.13'
2012-06-29 14:47:35 OPTIONS IMPORT: timers and/or timeouts modified
2012-06-29 14:47:35 OPTIONS IMPORT: LZO parms modified
2012-06-29 14:47:35 OPTIONS IMPORT: --ifconfig/up options modified
2012-06-29 14:47:35 OPTIONS IMPORT: route options modified
2012-06-29 14:47:35 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2012-06-29 14:47:35 ROUTE default_gateway=172.17.192.1
2012-06-29 14:47:35 TUN/TAP device /dev/tun0 opened
2012-06-29 14:47:35 MANAGEMENT: >STATE:1341017255,ASSIGN_IP,,10.4.3.14,
2012-06-29 14:47:35 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-06-29 14:47:35 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2012-06-29 14:47:35 /sbin/ifconfig tun0 10.4.3.14 10.4.3.13 mtu 1500 netmask 255.255.255.255 up
2012-06-29 14:47:35 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1558 10.4.3.14 10.4.3.13 init
No such key
2012-06-29 14:47:37 *Tunnelblick client.up.tunnelblick.sh: Retrieved name server(s) [ 10.4.0.1 ] and WINS server(s) [ ] and using default domain name [ openvpn ]
2012-06-29 14:47:38 /sbin/route add -net 108.59.8.147 172.17.192.1 255.255.255.255
add net 108.59.8.147: gateway 172.17.192.1
2012-06-29 14:47:38 /sbin/route add -net 0.0.0.0 10.4.3.13 128.0.0.0
add net 0.0.0.0: gateway 10.4.3.13
2012-06-29 14:47:38 /sbin/route add -net 128.0.0.0 10.4.3.13 128.0.0.0
add net 128.0.0.0: gateway 10.4.3.13
2012-06-29 14:47:38 MANAGEMENT: >STATE:1341017258,ADD_ROUTES,,,
2012-06-29 14:47:38 /sbin/route add -net 10.4.0.1 10.4.3.13 255.255.255.255
add net 10.4.0.1: gateway 10.4.3.13
2012-06-29 14:47:38 Initialization Sequence Completed
2012-06-29 14:47:38 MANAGEMENT: >STATE:1341017258,CONNECTED,SUCCESS,10.4.3.14,108.59.8.147
Workaround Bonjour: Unknown error: 0
2012-06-29 14:47:38 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such key' warnings are normal and may be ignored
2012-06-29 14:47:38 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use
2012-06-29 14:47:38 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor system configuration with process-network-changes
2012-06-29 14:47:39 *Tunnelblick: Flushed the DNS cache
2012-06-29 14:48:08 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:11 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:13 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:23 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:26 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:28 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:38 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:38 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:41 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:43 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:50 event_wait : Interrupted system call (code=4)
2012-06-29 14:48:50 SIGTERM received, sending exit notification to peer
2012-06-29 14:48:50 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:51 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:52 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:53 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:53 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:53 write UDPv4: Permission denied (code=13)
2012-06-29 14:48:55 TCP/UDP: Closing socket
2012-06-29 14:48:55 /sbin/route delete -net 10.4.0.1 10.4.3.13 255.255.255.255
delete net 10.4.0.1: gateway 10.4.3.13
2012-06-29 14:48:55 /sbin/route delete -net 108.59.8.147 172.17.192.1 255.255.255.255
delete net 108.59.8.147: gateway 172.17.192.1
2012-06-29 14:48:55 /sbin/route delete -net 0.0.0.0 10.4.3.13 128.0.0.0
delete net 0.0.0.0: gateway 10.4.3.13
2012-06-29 14:48:55 /sbin/route delete -net 128.0.0.0 10.4.3.13 128.0.0.0
delete net 128.0.0.0: gateway 10.4.3.13
2012-06-29 14:48:55 Closing TUN/TAP interface
2012-06-29 14:48:55 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1558 10.4.3.14 10.4.3.13 init
2012-06-29 14:48:55 *Tunnelblick client.down.tunnelblick.sh: Cancelled monitoring of system configuration changes
2012-06-29 14:48:56 SIGTERM[soft,exit-with-notification] received, process exiting
2012-06-29 14:48:56 MANAGEMENT: >STATE:1341017336,EXITING,exit-with-notification,,
2012-06-29 14:48:56 *Tunnelblick client.down.tunnelblick.sh: Restored the DNS and WINS configurations
2012-06-29 14:48:59 *Tunnelblick: Flushed the DNS cache
jessez 3 Posted ... Hi galilao, Ok, that's a new one. It would be great if the log would say exactly what file the system is denying write access to. All I can suggest for now is to turn off the "Monitor Network Settings" in Tunnelblick. Monitoring network settings seems to be a bit flaky in Tunnelblick for some reason. What is interesting is that this part is usually the last item in the Tunnelblick log when you have successfully connected:

2012-06-29 14:47:38 Initialization Sequence Completed
2012-06-29 14:47:38 MANAGEMENT: >STATE:1341017258,CONNECTED,SUCCESS,10.4.3.14,108.59.8.147

and then it looks like it disconnected with this:

Workaround Bonjour: Unknown error: 0

Could you tell me if you have 1.) the same problem connecting with any server, and 2.) what method you used to get the rules in the firewall? I'm wondering if the permissions on one of the files I attached has had some effect on how this is working on your machine. Today I will be busy until later, so let me know how it goes at your end and I'll spend some time on it again tonight (Saturday here). Regards, jz
galilao 2 Posted ... Hello Jz, I copied your script and pasted it into the Terminal program that came with OS Panther that I am running on my iBook. I only tried the script with one server. Thanks Galilao
jessez 3 Posted ... Hi galilao, Ok, if you are running Panther, that is a bit of a different beast. From the research I've done it seems that Apple injects some rules into ipfw that should be removed. I found a good article on setting up ipfw so it starts up differently (the procedure will make ipfw better by starting it before there is any network connection) and doesn't load any default Apple rules. The instructions for doing that are in the beginning of the article. For others as well: there are some useful rules further down in the article for making other things work, such as FTP, etc... that could be useful for those needing an extended ruleset. http://silvester.org.uk/OSX/wrangling_ipfw.html Something I didn't know is that the attachments I provided just come up in text, so if the text is copied and pasted into TextEdit (or your fav text editor) and you save them to your home directory, then the permissions will be correct for your machine. Anyway galilao, try that and see if you have a working firewall that lets you connect. If you are still having issues I will try to help resolve them. Best, jz
jokeramj 0 Posted ... Anyone have any suggestions how to achieve this with Avira Internet Security please? I tried installing Comodo along with Avira but there is probably some conflict or something, because when I add a rule to Comodo I can't browse at all even when the VPN is connected. I also tried enabling the Windows firewall and followed these instructions: http://practicalrambler.blogspot.com/2011/01/windows-7-firewall-how-to-always-use.html It worked with uTorrent but Firefox still worked even when I disconnect the VPN, not sure why. I am using Win7 and connecting with OpenVPN GUI btw.
jessez 3 Posted ... Hi jokeramj, I'm not familiar with Avira or Comodo suites, but you should only ever run one antivirus and/or firewall program. They will make your PC do some really bizarre things running two at the same time. If the version of Comodo you have does antivirus and firewalling then I would recommend going with Comodo, as there is an article posted in this forum somewhere that has a link to a company that does testing of such software, and Comodo won out over everything else they tested. Here is the link to the original article: http://www.matousec.com/projects/proactive-security-challenge-64/ You should also disable the Windows firewall when using a third-party firewall program; they won't play nice together. Somewhere in this post (I think between pages 2 and 7 if I remember correctly) there are suggestions for the Comodo firewall. In general what you want to do is deny traffic to everywhere, in and out, and then set up rules to allow connections to the AirVPN servers. The end result should be that there will be no internet access by any program or your operating system, except when you are connected to AirVPN. Please don't hesitate to post again if you need any other assistance, Best Regards, jz
parker81 0 Posted ... I just imported the airvpn ruleset Jessez created to WaterRoof and it seems to be working well - can't connect at all unless airvpn is connected and running. It was pretty easy, just follow the instructions provided and you should be all set. Thanks for all the help.
jessez 3 Posted ... Hi parker81, Thank you for testing and reporting your findings. Best Regards, jz
jokeramj 0 Posted ... Thanks for replying jessez. I am aware it is not a good idea to try two similar products at the same time. Although I disabled Avira's firewall section when I was trying Comodo, the Avira suite was still running and I imagine there can again be conflicts. I have the Windows firewall disabled; I just turned it on to try this. I'd like to stick to an all-in-one solution rather than use a dedicated firewall and AV in any case. And I am not really sure how objective the matousec test results are. It seems unbelievable that Comodo is the only product that appears to have any protection out of those tested. Anyway I might try switching to Bitdefender. I found this post on their forum which seems to cover what I need: http://forum.bitdefender.com/lofiversion/index.php/t34417.html
jessez 3 Posted ... Hi jokeramj, No problem at all, glad to be able to help. I found the post I was looking for with the comparative results, although for slightly older versions of the software suites; it's on page 4 of this post (article?). Bitdefender rated at 97% I think, so not too bad. I personally have used Bitdefender products in the past and I still use their browser plugin. The article I referenced was also just talking about 64-bit versions of the various software (and also didn't include some manufacturers' suites), which possibly could be invalid for the 32-bit versions. That's impossible to say without doing side-by-side testing. It seems like you are trying out different things, so just one suggestion for you at this point:

Download the software you want to try out.
Disconnect from the internet and uninstall the other software(s).
Reboot and then install the new software (still no internet connection).
Reboot and put the PC back on the internet, update the new software, then set the firewall rules.

This method will result in a better experience for you and keep the O/S as clean of viruses, etc... as possible. Sorry if this is what you have been doing; I write these things so newcomers reading my posts will be able to follow along and take advantage of the documentation. Yell if you need any help, Best Regards, jz
galilao 2 Posted ... Hello, It turned out that I was running Terminal under 10.4.11 Tiger, not Panther. I got confused with my other Mac portable, sorry. I tried to connect to the Sirius server with the Monitor Network Settings turned off, but still cannot connect. What am I doing wrong?
jessez 3 Posted ... Hi galilao, Could you post the firewall rules you are using and also the log from OpenVPN please? That would help in tracking down the problem. To get the rules use Terminal and this command:

sudo ipfw show

Thanks very much, jz
galilao 2 Posted ... Hello, Here is the Tunnelblick log:

2012-07-13 16:56:28 *Tunnelblick: OS X 10.4.11; Tunnelblick 3.2.2 (build 2891.2917)
2012-07-13 16:56:29 *Tunnelblick: Attempting connection with US sirius udp; Set nameserver = 1; monitoring connection
2012-07-13 16:56:29 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start US\ sirius\ udp.ovpn 1337 1 0 0 0 49 -atDASNGWrdasngw
2012-07-13 16:56:29 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/misterq/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1337 --config /Users/misterq/Library/Application Support/Tunnelblick/Configurations/US sirius udp.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Smisterq-SLibrary-SApplication Support-STunnelblick-SConfigurations-SUS sirius udp.ovpn.1_0_0_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart
2012-07-13 16:56:30 *Tunnelblick: kextload: /Applications/Tunnelblick.app/Contents/Resources/tun-20090913.kext loaded successfully
2012-07-13 16:56:30 *Tunnelblick: openvpnstart message: Loading tun-20090913.kext
2012-07-13 16:56:30 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Jan 8 2012
2012-07-13 16:56:30 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2012-07-13 16:56:30 Need hold release from management interface, waiting...
2012-07-13 16:56:31 *Tunnelblick: Established communication with OpenVPN
2012-07-13 16:56:31 MANAGEMENT: Client connected from 127.0.0.1:1337
2012-07-13 16:56:31 MANAGEMENT: CMD 'pid'
2012-07-13 16:56:31 MANAGEMENT: CMD 'state on'
2012-07-13 16:56:31 MANAGEMENT: CMD 'state'
2012-07-13 16:56:31 MANAGEMENT: CMD 'hold release'
2012-07-13 16:56:31 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-07-13 16:56:31 WARNING: file 'user.key' is group or others accessible
2012-07-13 16:56:31 LZO compression initialized
2012-07-13 16:56:31 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
2012-07-13 16:56:31 Socket Buffers: R=[42080->65536] S=[9216->65536]
2012-07-13 16:56:31 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
2012-07-13 16:56:31 Local Options hash (VER=V4): '22188c5b'
2012-07-13 16:56:31 Expected Remote Options hash (VER=V4): 'a8f55717'
2012-07-13 16:56:31 UDPv4 link local: [undef]
2012-07-13 16:56:31 UDPv4 link remote: 108.59.8.147:443
2012-07-13 16:56:31 MANAGEMENT: >STATE:1342234591,WAIT,,,
2012-07-13 16:56:34 write UDPv4: Permission denied (code=13)
2012-07-13 16:56:34 write UDPv4: Permission denied (code=13)
2012-07-13 16:56:38 write UDPv4: Permission denied (code=13)
2012-07-13 16:56:46 write UDPv4: Permission denied (code=13)
2012-07-13 16:57:02 write UDPv4: Permission denied (code=13)
2012-07-13 16:57:14 event_wait : Interrupted system call (code=4)
2012-07-13 16:57:14 SIGTERM received, sending exit notification to peer
2012-07-13 16:57:19 TCP/UDP: Closing socket
2012-07-13 16:57:19 SIGTERM[soft,exit-with-notification] received, process exiting
2012-07-13 16:57:19 MANAGEMENT: >STATE:1342234639,EXITING,exit-with-notification,,
2012-07-13 16:57:22 *Tunnelblick: Flushed the DNS cache

and here are the IPFW rules:

02000 13925 1427960 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 373 42249 allow tcp from any to any out
02060 433 413427 allow tcp from any to any established
02065 0 0 allow tcp from any to any frag
12190 0 0 deny log tcp from any to any
20000 0 0 deny log icmp from any to me in icmptypes 8
20310 0 0 allow udp from any to any dst-port 53 in
20320 3 1002 allow udp from any to any dst-port 68 in
20321 0 0 allow udp from any 67 to me in
20322 0 0 allow udp from any 5353 to me in
20340 65 5070 allow udp from any to any dst-port 137 in
20350 0 0 allow udp from any to any dst-port 427 in
20360 14 2774 allow udp from any to any dst-port 631 in
20370 416 101116 allow udp from any to any dst-port 5353 in
30510 370 43725 allow udp from me to any out keep-state
30520 9 4329 allow udp from any to any in frag
35000 104 25732 deny log udp from any to any in
65535 12 384 allow ip from any to any

Hope this helps, galilao
jessez 3 Posted ... Hi galilao, Thanks for the logs, I see there is still that problem with permission denied. It looks like your Tunnelblick config files are in ~/Library/Application Support/Tunnelblick/Configurations, so could you go there and make sure you are the owner of the Sirius config file? If not do:

sudo chown -R <your username>:staff ~/Library/Application Support/Tunnelblick/Configurations/<whatever the tblk filename is>

Maybe also try Get Info and take the .tblk off the end to make it a folder again; make sure there are only the 4 files in there: ca.crt, config.ovpn, user.crt and user.key. When you use Get Info again to put the .tblk back on, make sure there's no spaces in the filename; you can use underscores or dashes to separate words. Start on that and see how it goes; I have to spend some time going through the rules, they're a bit of a mess. I'll probably get you to redo them, but I'll get back to you when I've sorted out the ones you posted. jz
jessez 3 Posted ... hi galilao, I'm working on a custom set of rules for you based on the ones you posted. I came across this IP address in one of your older posts: 172.17.192.1 Is it your router's IP address, or your computer's IP address? Also, are you using DHCP or is your computer's IP address static? Thanks, jz
galilao 2 Posted ... Hello, Do I understand correctly that if I am not the owner, wouldn't that prevent me from logging onto the AirVPN server even without your firewall rules? Thank you
galilao 2 Posted ... Hello, I was trying your firewall rules on my portable that is not with me right now. I think that 172.17.192.1 might be the IP address of another VPN service I was testing as a back-up to AirVPN, but concluded that AirVPN is better. When I tested your firewall rules with my portable, I was connected wirelessly to my college's network. I am using DHCP. Hope this helps, thank you.
galilao 2 Posted ... Hello, I am sending this to you from my iBook through my college's wireless network system. 172.17.192.1 is the college's router's address. The college's IP address is 172.17.211.215. I am using DHCP. Thank you for your help.
jessez 3 Posted ... hi galilao, Quote: "Hello, Do I understand correctly that if I am not the owner, wouldn't that prevent me from logging onto the AirVPN server even without your firewall rules? Thank you" Yes I believe that is correct. Also, if you cannot connect to AirVPN with the firewall disabled (off) then the problem is somewhere else. The reason I was looking at permissions is because of the error in the Tunnelblick log:

write UDPv4: Permission denied (code=13)

I'm not sure where or what Tunnelblick/OpenVPN is trying to write to there, so the logical place to start would be the config files. Have you done a permissions repair at all? Try this:

sudo diskutil repairPermissions /

It won't take that long to run, and may solve the permissions problem. Ok, I'll modify the firewall rules for you to try; please check the permissions on the Tunnelblick config file as I outlined in my previous post. Also I need to know if you need access to any other computer at your college, or do you only want internet access? jz
jessez 3 Posted ... hi galilao, ok, I've made a custom script for you for use at your college. Just copy/paste the lines below into TextEdit and call it airvpn.sh. Run the script. This is a very basic script which resets the firewall and flushes the old rules, then adds the new rule-set, also allowing local network access, but otherwise only to Sirius. Make sure when you do the copy/paste that there is no extra space at the end. The mouse cursor should be sitting after the last letter of the last word, and not on the line below.

sudo sysctl -w net.inet.ip.fw.enable=0
sudo sysctl -w net.inet.ip.forwarding=0
sudo ipfw flush
sudo ipfw delete set 31
sudo /sbin/ipfw disable firewall
sudo /sbin/ipfw enable firewall
sudo sysctl -w net.inet.ip.fw.enable=1
sudo ipfw add 01000 allow ip from any to any via lo*
sudo ipfw add 01200 deny ip from any to 127.0.0.0/8
sudo ipfw add 01400 check-state
sudo ipfw add 01600 allow ip from any 67 to any 68 in
sudo ipfw add 01800 allow ip from any 5353 to any in
sudo ipfw add 02000 allow ip from 172.17.0.0/16 to 108.59.8.147 keep-state
sudo ipfw add 04000 allow ip from 127.0.0.1 to any
sudo ipfw add 05000 allow ip from 10.0.0.0/8 to any
sudo ipfw add 05200 allow ip from any to 10.0.0.0/8
sudo ipfw add 65534 deny log ip from any to any
sudo ipfw add 65535 allow ip from any to any

I hope that does it, but let me know how it goes, Regards, jz
galilao 2 Posted ... Hello, I ran your rules on my desktop Mac by changing from 172.17.0.0/16 to be compatible with my home router's IP address 192.168.0.0/16 and I was able to connect to the Sirius server. By closing the Tunnelblick connection the Internet connection is also closed. Now I know that whenever I try to connect with my portable, from a coffee shop for example, I first have to determine the coffee shop's router's address and make the change in the IPFW rules as needed. I will be in touch with you again after I try to connect through my college's wireless network. Thank you very much!
jessez 3 Posted ... Hi galilao, You're welcome, I'm glad to be of help and that it's working for you now. Best regards, jz
galilao 2 Posted ... Hello, I was able to connect through my college's wireless network with this script. In the script you uploaded about 3 weeks ago, I changed the 192.168.0.0 values to 172.17.0.0, but was unable to connect through the college's network. What do I need to do? Thank you
jessez 3 Posted ... Hi galilao, If the new script will work at home and at college with just the one adjustment, you should make two copies of it to save on your desktop; call one home and the other college, and just double-click the one for where you are. Actually you could make that into 2 AppleScript programs quite easily as well, and keep the two versions in the dock. I'm not sure why the old ruleset I posted doesn't work, so just ditch it. Regards, jz
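As an added example (not jessez's script or anything posted in this thread), the same ipfw rule set as a POSIX shell function that takes the local network range and the AirVPN server address as arguments, so the home (192.168.0.0/16) and college (172.17.0.0/16) variants galilao describes become one file run with different arguments instead of two hand-edited copies. The function names, the CIDR sanity check and the print/apply modes are my own additions; ipfw only exists on older OS X releases, so the apply mode is only meaningful there.

```shell
#!/bin/sh
# Added example: parameterised version of the ipfw kill-switch rule set from
# the thread. Not the forum's own script; names and the input check are mine.

# Return 0 if $1 looks like an IPv4 CIDR such as 172.17.0.0/16, else 1.
valid_cidr() {
    cidr="$1"
    case "$cidr" in
        *[!0-9./]*|*/*/*|"") return 1 ;;   # stray characters, two slashes, empty
        */*) ;;
        *) return 1 ;;                     # no prefix length at all
    esac
    ip="${cidr%/*}"
    bits="${cidr#*/}"
    [ -n "$bits" ] && [ "$bits" -le 32 ] 2>/dev/null || return 1
    n=0
    oldifs="$IFS"; IFS=.
    for oct in $ip; do
        n=$((n + 1))
        [ -n "$oct" ] && [ "$oct" -le 255 ] || { IFS="$oldifs"; return 1; }
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# Print the ipfw commands (without sudo) for LAN_CIDR and VPN_IP.
# Rule numbers and order follow the thread's script: loopback first, DHCP and
# mDNS allowed, a stateful allow from the LAN to the VPN server, the 10/8
# tunnel side allowed, and everything else denied and logged.
gen_rules() {
    lan="$1"
    vpn="$2"
    cat <<EOF
sysctl -w net.inet.ip.fw.enable=0
sysctl -w net.inet.ip.forwarding=0
ipfw -f flush
ipfw delete set 31
/sbin/ipfw disable firewall
/sbin/ipfw enable firewall
sysctl -w net.inet.ip.fw.enable=1
ipfw add 01000 allow ip from any to any via lo*
ipfw add 01200 deny ip from any to 127.0.0.0/8
ipfw add 01400 check-state
ipfw add 01600 allow ip from any 67 to any 68 in
ipfw add 01800 allow ip from any 5353 to any in
ipfw add 02000 allow ip from $lan to $vpn keep-state
ipfw add 04000 allow ip from 127.0.0.1 to any
ipfw add 05000 allow ip from 10.0.0.0/8 to any
ipfw add 05200 allow ip from any to 10.0.0.0/8
ipfw add 65534 deny log ip from any to any
ipfw add 65535 allow ip from any to any
EOF
}
# "ipfw -f flush" skips the interactive "are you sure" prompt that a plain
# "ipfw flush" shows, so the script can run unattended.

# kill_switch LAN_CIDR VPN_IP [print|apply]
# Validates both arguments, then prints the commands (default) or runs each
# one through sudo. Globbing is switched off so the literal "lo*" reaches ipfw.
kill_switch() {
    lan="$1"; vpn="$2"; mode="${3:-print}"
    valid_cidr "$lan" || { echo "bad LAN range: $lan" >&2; return 1; }
    valid_cidr "$vpn/32" || { echo "bad server address: $vpn" >&2; return 1; }
    if [ "$mode" = apply ]; then
        gen_rules "$lan" "$vpn" | while IFS= read -r cmd; do
            set -f
            sudo $cmd
        done
    else
        gen_rules "$lan" "$vpn"
    fi
}

# Usage: sh airvpn_fw.sh 172.17.0.0/16 108.59.8.147 apply   (college)
#        sh airvpn_fw.sh 192.168.0.0/16 108.59.8.147 apply  (home)
if [ "$#" -ge 2 ]; then
    kill_switch "$@"
fi
```

Run it without the third argument first to review the generated rules before applying them.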
dmd 0 Posted ... Quote: "hi galilao, ok, I've made a custom script for you for use at your college. Just copy/paste the lines below into TextEdit and call it airvpn.sh. Run the script. This is a very basic script which resets the firewall and flushes the old rules, then adds the new rule-set, also allowing local network access, but otherwise only to Sirius. Make sure when you do the copy/paste that there is no extra space at the end. The mouse cursor should be sitting after the last letter of the last word, and not on the line below.

sudo sysctl -w net.inet.ip.fw.enable=0
sudo sysctl -w net.inet.ip.forwarding=0
sudo ipfw flush
sudo ipfw delete set 31
sudo /sbin/ipfw disable firewall
sudo /sbin/ipfw enable firewall
sudo sysctl -w net.inet.ip.fw.enable=1
sudo ipfw add 01000 allow ip from any to any via lo*
sudo ipfw add 01200 deny ip from any to 127.0.0.0/8
sudo ipfw add 01400 check-state
sudo ipfw add 01600 allow ip from any 67 to any 68 in
sudo ipfw add 01800 allow ip from any 5353 to any in
sudo ipfw add 02000 allow ip from 172.17.0.0/16 to 108.59.8.147 keep-state
sudo ipfw add 04000 allow ip from 127.0.0.1 to any
sudo ipfw add 05000 allow ip from 10.0.0.0/8 to any
sudo ipfw add 05200 allow ip from any to 10.0.0.0/8
sudo ipfw add 65534 deny log ip from any to any
sudo ipfw add 65535 allow ip from any to any

I hope that does it, but let me know how it goes, Regards, jz"

Am I correct in assuming that this will work with 10.6.8, since it uses ipfw and not pf? Also, will this work for all interfaces? How would I go about only using these rules for en0? My private IP space (all electronics in my network) is 10.0.0.0/16; would I even need "sudo ipfw add 02000 allow ip from 172.17.0.0/16 to 108.59.8.147 keep-state"? Would be madly appreciated if you could answer. //EDIT: basically, I want to deny every outgoing connection that is not going through tun0 (95.211.169.3 -- castor). Internal network access should be allowed though; the IP address space is 10.0.1.0-10.0.1.200. Could you please help me out?