Staff 9973 Posted ... @ergolon Hello! It was assumed that your client was running on a *BSD machine (OpenBSD, FreeBSD, Mac OS X...) with pf. If you connect through your DD-WRT router, then you must not set the firewall rules specified by jessez's tutorial on your *BSD device. In order to secure your connection you will have to use iptables on the DD-WRT. It's definitely correct that you forward ports in your home network. The warning pertains to forwarding ports on the router's physical network interface which communicates with the "outside", which would be dangerous. Kind regards

Guest ergolon Posted ... @admin: Nope, you were right; although I'm using a DD-WRT router (and I might as well try to set up AirVPN on my router some day), I connect to the AirVPN servers with my Mac (through Shimo [http://www.chungwasoft.com/shimo/] to be precise). So the port forwarding problem from post #4303 persists... any ideas? Thanks!

Mistergigahertz 0 Posted ... Hi! I've imported the ruleset into Waterproof, but if I turn off AirVPN, I can still connect to everything. I also tried adding the script in Terminal with the same result. What to do, what to do?

Staff 9973 Posted ... @Mistergigahertz Can you please make sure that ipfw is running and applying the correct rules? Kind regards
Necromacy1 0 Posted ... Hello! I'm new to VPN services and to using the Terminal, so I'm still experimenting, as I have been for the past 2 hours. I'm running Mountain Lion Mac OS X and have installed the VPN client Tunnelblick and created the necessary certificates to connect to the VPN servers. I can confirm that the majority of my traffic data is what showed on the AirVPN website. However, after reviewing the website http://www.dnsleaktest.com I've discovered that several local servers that belong to my ISP were detected, so I must not have a "complete" tunnel. I've restarted all applications and the computer, being sure to start the client first. I've searched and seen the very helpful information posted by jessez in regards to halting DNS leaks, and seemed to get part of the script working; however, when attempting to use the command ipfw -a list I got an error: "Operation not permitted". The list, I realize, was not tantamount to getting it to work, but I still seem to be having trouble. Can anyone help me in setting up my system so 100% of my network traffic is moving through the VPN server? Thank you!

galilao 2 Posted ... Hello: I only have Snow Leopard, but you can try going to Network in System Preferences and selecting the DNS tab. This will enable you to type in the addresses of the DNS servers you want, for example from the Swiss Privacy Foundation. Sometimes the modem provided by your ISP will lock the DNS server setting in the ROM, as Clearwire does. With the Clearwire modem, it was impossible for me to change the DNS servers. If this is your situation, it will be necessary to switch to a different ISP that allows its customers to program the modem to choose the DNS servers they want. Hope this helps.
Staff 9973 Posted ...
> Hello: I only have Snow Leopard, but you can try going to Network in System Preferences and selecting the DNS tab. This will enable you to type in the addresses of the DNS servers you want, for example from the Swiss Privacy Foundation. Sometimes the modem provided by your ISP will lock the DNS server setting in the ROM, as Clearwire does. With the Clearwire modem, it was impossible for me to change the DNS servers. If this is your situation, it will be necessary to switch to a different ISP that allows its customers to program the modem to choose the DNS servers they want. Hope this helps.

Hello! If the modem/router DNS are locked, you can bypass them anyway. Once you're inside the VPN you can use the VPN DNS or tunnel any DNS query you like over the VPN. Kind regards

galilao 2 Posted ... Hello: My recollection is that even with AirVPN connected the DNS leak test was still showing the Clearwire DNS servers. I had to change ISP to be able to select the DNS servers of my choice. Thank you
Staff 9973 Posted ...
> Hello: My recollection is that even with AirVPN connected the DNS leak test was still showing the Clearwire DNS servers. I had to change ISP to be able to select the DNS servers of my choice. Thank you

Hello! Of course, this may happen if your computer sends DNS queries to your locked router/modem. The locked router/modem will then send a query to your ISP DNS. In this case you need either to prevent leaks with our firewall guides or to force DNS resolution to the VPN DNS (10.4.0.1, https://airvpn.org/specs), so that the DNS query will be encrypted and encapsulated by your OpenVPN client, sent to our servers and finally processed by them. This gives the advantage of being able to access VPN internal services and bypass some ICE censorship which can't be bypassed with any other DNS. Kind regards

galilao 2 Posted ... Hello, How do I force the DNS resolution to 10.4.0.1? Do I understand correctly that using a firewall with a locked router/modem, the DNS query won't go out through the locked router/modem, but it also means that the DNS query doesn't go out at all and I get no response? Thank you
Staff 9973 Posted ...
> Hello, How do I force the DNS resolution to 10.4.0.1?

Hello! It depends on your OS; which one are you using?

> Do I understand correctly that using a firewall with a locked router/modem, the DNS query won't go out through the locked router/modem, but it also means that the DNS query doesn't go out at all and I get no response?

No DNS query will go out when you're disconnected from the VPN with the recommended firewall rules set on the computer which runs the client, regardless of a locked or unlocked router (this is the reason for which we recommend, in some configurations, adding the airvpn.org resolution to the hosts file; otherwise reconnection with the Windows Air client would not be possible. No modification is necessary if you use OpenVPN directly). When that computer is connected to the VPN, only encrypted (tunneled) DNS queries will go out. The tunneled DNS queries not only can't be read by your ISP, but can't even be recognized as such. Kind regards

galilao 2 Posted ... Hello, I am running Mac 10.5.8 and 10.6.8. Thank you

Staff 9973 Posted ...
> Hello, I am running Mac 10.5.8 and 10.6.8. Thank you

Hello! In order to change DNS:
- Choose Apple menu > System Preferences, and then click Network.
- Select the network connection service/card you want to use in the list, and then click Advanced.
- Click DNS and enter the IP address of the VPN DNS server (10.4.0.1) as first.
Repeat the process for every network card. Kind regards
RubeGoldberg 0 Posted ... Trouble getting this to work.

2012-11-27 20:56:03 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use
2012-11-27 20:56:03 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor system configuration with process-network-changes
2012-11-27 20:56:08 *Tunnelblick process-network-changes: A system configuration change was ignored because it was not relevant
2012-11-27 21:10:34 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:45 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:51 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:51 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:52 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:52 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:54 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:54 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:55 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:56 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:58 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:58 write UDPv4: Permission denied (code=13)
2012-11-27 21:10:59 write UDPv4: Permission denied (code=13)
2012-11-27 21:11:06 write UDPv4: Permission denied (code=13)
2012-11-27 21:11:06 write UDPv4: Permission denied (code=13)
2012-11-27 21:11:08 write UDPv4: Permission denied (code=13)
2012-11-27 21:11:19 write UDPv4: Permission denied (code=13)
2012-11-27 21:11:22 write UDPv4: Permission denied (code=13)
2012-11-27 21:11:22 write UDPv4: Permission denied (code=13)

I'm running OS X 10.6.8. Tried everything in this thread to no avail. Enabled/disabled the Mac firewall and then ran the script. Tried importing the rules into Waterproof. I do have a program called TCPBlock; tried disabling it. Tried the alternate script written for galilao. Checked the router address as well. Any suggestions?

Staff 9973 Posted ... Hello! If you are 100% sure that nothing in your system is blocking Tunnelblick / OpenVPN, then the first option to be considered is that your ISP is blocking outbound port 443 UDP. Please try to change connection ports. Try 443 TCP, 80 UDP and 80 TCP. Please feel free to let us know if the above solves your problem. Kind regards

RubeGoldberg 0 Posted ... 443 UDP works fine whenever I don't try these rules.
RubeGoldberg 0 Posted ... PS Here is what it looks like normally, without trying the suggested ipfw rules.

2012-12-02 16:05:37 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.2.8 (build 2891.3099)
2012-12-02 16:05:38 *Tunnelblick: Attempting connection with AirVPN IT Crucis - UDP 443; Set nameserver = 1; monitoring connection
2012-12-02 16:05:38 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start AirVPN\ IT\ Crucis\ -\ UDP\ 443.ovpn 1338 1 0 0 0 49 -atDASNGWrdasngw
2012-12-02 16:05:38 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/Ash/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/Ash/Library/Application Support/Tunnelblick/Configurations/AirVPN IT Crucis - UDP 443.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-SAsh-SLibrary-SApplication Support-STunnelblick-SConfigurations-SAirVPN IT Crucis -- UDP 443.ovpn.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart
2012-12-02 16:05:39 *Tunnelblick: openvpnstart message: Loading tun.kext
2012-12-02 16:05:39 *Tunnelblick: Established communication with OpenVPN
2012-12-02 16:05:39 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Aug 10 2012
2012-12-02 16:05:39 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2012-12-02 16:05:39 Need hold release from management interface, waiting...
2012-12-02 16:05:39 MANAGEMENT: Client connected from 127.0.0.1:1338
2012-12-02 16:05:39 MANAGEMENT: CMD 'pid'
2012-12-02 16:05:39 MANAGEMENT: CMD 'state on'
2012-12-02 16:05:39 MANAGEMENT: CMD 'state'
2012-12-02 16:05:39 MANAGEMENT: CMD 'hold release'
2012-12-02 16:05:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-12-02 16:05:39 WARNING: file 'user.key' is group or others accessible
2012-12-02 16:05:39 LZO compression initialized
2012-12-02 16:05:39 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
2012-12-02 16:05:39 Socket Buffers: R=[42080->65536] S=[9216->65536]
2012-12-02 16:05:39 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
2012-12-02 16:05:39 Local Options hash (VER=V4): '22188c5b'
2012-12-02 16:05:39 Expected Remote Options hash (VER=V4): 'a8f55717'
2012-12-02 16:05:39 UDPv4 link local: [undef]
2012-12-02 16:05:39 UDPv4 link remote: 95.110.200.16:443
2012-12-02 16:05:39 MANAGEMENT: >STATE:1354493139,WAIT,,,
2012-12-02 16:05:39 MANAGEMENT: >STATE:1354493139,AUTH,,,
2012-12-02 16:05:39 TLS: Initial packet from 95.110.200.16:443, sid=669bbb21 ac82949c
2012-12-02 16:05:50 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
2012-12-02 16:05:50 VERIFY OK: nsCertType=SERVER
2012-12-02 16:05:50 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
2012-12-02 16:06:22 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2012-12-02 16:06:22 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2012-12-02 16:06:22 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2012-12-02 16:06:22 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2012-12-02 16:06:22 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2012-12-02 16:06:22 [server] Peer Connection Initiated with 95.110.200.16:443
2012-12-02 16:06:23 MANAGEMENT: >STATE:1354493183,GET_CONFIG,,,
2012-12-02 16:06:24 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2012-12-02 16:06:25 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.2.222 10.4.2.221'
2012-12-02 16:06:25 OPTIONS IMPORT: timers and/or timeouts modified
2012-12-02 16:06:25 OPTIONS IMPORT: LZO parms modified
2012-12-02 16:06:25 OPTIONS IMPORT: --ifconfig/up options modified
2012-12-02 16:06:25 OPTIONS IMPORT: route options modified
2012-12-02 16:06:25 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2012-12-02 16:06:25 ROUTE default_gateway=192.168.1.254
2012-12-02 16:06:25 TUN/TAP device /dev/tun0 opened
2012-12-02 16:06:25 MANAGEMENT: >STATE:1354493185,ASSIGN_IP,,10.4.2.222,
2012-12-02 16:06:25 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-12-02 16:06:25 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2012-12-02 16:06:25 /sbin/ifconfig tun0 10.4.2.222 10.4.2.221 mtu 1500 netmask 255.255.255.255 up
2012-12-02 16:06:25 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1558 10.4.2.222 10.4.2.221 init
No such key
2012-12-02 16:06:27 *Tunnelblick client.up.tunnelblick.sh: Retrieved name server(s) [ 10.4.0.1 ] and WINS server(s) [ ] and using default domain name [ openvpn ]
2012-12-02 16:06:27 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such key' warnings are normal and may be ignored
2012-12-02 16:06:27 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use
2012-12-02 16:06:28 *Tunnelblick: Flushed the DNS cache
2012-12-02 16:06:28 /sbin/route add -net 95.110.200.16 192.168.1.254 255.255.255.255
add net 95.110.200.16: gateway 192.168.1.254
2012-12-02 16:06:28 /sbin/route add -net 0.0.0.0 10.4.2.221 128.0.0.0
add net 0.0.0.0: gateway 10.4.2.221
2012-12-02 16:06:28 /sbin/route add -net 128.0.0.0 10.4.2.221 128.0.0.0
add net 128.0.0.0: gateway 10.4.2.221
2012-12-02 16:06:28 MANAGEMENT: >STATE:1354493188,ADD_ROUTES,,,
2012-12-02 16:06:28 /sbin/route add -net 10.4.0.1 10.4.2.221 255.255.255.255
add net 10.4.0.1: gateway 10.4.2.221
2012-12-02 16:06:28 Initialization Sequence Completed
2012-12-02 16:06:28 MANAGEMENT: >STATE:1354493188,CONNECTED,SUCCESS,10.4.2.222,95.110.200.16
jessez 3 Posted ... Hi RubeGoldberg, Could you please post the ruleset you are using? I should be able to figure out what is going wrong. I have seen the same error you are having, "write UDPv4: Permission denied (code=13)", before, but just don't remember off the top of my head what the reason was. Anyway, I will figure it out again and post it so we all have it documented. Regards, jz

RubeGoldberg 0 Posted ... Thanks so much! I was actually using the rules you posted in an earlier message on this thread, page 8. Tried the script as well as the command line. Then I tried the rules you wrote for galilao on page 12. Also changed the file permissions, just in case. I have added push "redirect-gateway def1" to all of my config files; besides that I'm using the auto-generated files from AirVPN. I do have the OS X firewall turned on / set to application specific, as well as a program called TCPBlock. I have tried disabling them both.
RubeGoldberg 0 Posted ... The rules you posted on page 12:

sudo sysctl -w net.inet.ip.fw.enable=0
sudo sysctl -w net.inet.ip.forwarding=0
sudo ipfw flush
sudo ipfw delete set 31
sudo /sbin/ipfw disable firewall
sudo /sbin/ipfw enable firewall
sudo sysctl -w net.inet.ip.fw.enable=1
sudo ipfw add 01000 allow ip from any to any via lo*
sudo ipfw add 01200 deny ip from any to 127.0.0.0/8
sudo ipfw add 01400 check-state
sudo ipfw add 01600 allow ip from any 67 to any 68 in
sudo ipfw add 01800 allow ip from any 5353 to any in
sudo ipfw add 02000 allow ip from 172.17.0.0/16 to 108.59.8.147 keep-state
sudo ipfw add 04000 allow ip from 127.0.0.1 to any
sudo ipfw add 05000 allow ip from 10.0.0.0/8 to any
sudo ipfw add 05200 allow ip from any to 10.0.0.0/8
sudo ipfw add 65534 deny log ip from any to any
sudo ipfw add 65535 allow ip from any to any

This is what I got:

-atDASNGWrdasngw --up-restart
2012-12-03 20:39:55 *Tunnelblick: openvpnstart message: Loading tun.kext
2012-12-03 20:39:55 *Tunnelblick: Established communication with OpenVPN
2012-12-03 20:39:55 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Aug 10 2012
2012-12-03 20:39:55 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2012-12-03 20:39:55 Need hold release from management interface, waiting...
2012-12-03 20:39:55 MANAGEMENT: Client connected from 127.0.0.1:1337
2012-12-03 20:39:55 MANAGEMENT: CMD 'pid'
2012-12-03 20:39:55 MANAGEMENT: CMD 'state on'
2012-12-03 20:39:55 MANAGEMENT: CMD 'state'
2012-12-03 20:39:55 MANAGEMENT: CMD 'hold release'
2012-12-03 20:39:55 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-12-03 20:39:55 WARNING: file 'user.key' is group or others accessible
2012-12-03 20:39:55 LZO compression initialized
2012-12-03 20:39:55 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
2012-12-03 20:39:55 Socket Buffers: R=[42080->65536] S=[9216->65536]
2012-12-03 20:39:55 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
2012-12-03 20:39:55 Local Options hash (VER=V4): '22188c5b'
2012-12-03 20:39:55 Expected Remote Options hash (VER=V4): 'a8f55717'
2012-12-03 20:39:55 UDPv4 link local: [undef]
2012-12-03 20:39:55 UDPv4 link remote: 108.59.8.147:443
2012-12-03 20:39:55 MANAGEMENT: >STATE:1354595995,WAIT,,,
2012-12-03 20:39:55 write UDPv4: Permission denied (code=13)
2012-12-03 20:39:57 write UDPv4: Permission denied (code=13)
2012-12-03 20:40:01 write UDPv4: Permission denied (code=13)
2012-12-03 20:40:09 write UDPv4: Permission denied (code=13)
2012-12-03 20:40:25 write UDPv4: Permission denied (code=13)
2012-12-03 20:40:55 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2012-12-03 20:40:55 TLS Error: TLS handshake failed
2012-12-03 20:40:56 TCP/UDP: Closing socket
2012-12-03 20:40:56 SIGUSR1[soft,tls-error] received, process restarting
2012-12-03 20:40:56 MANAGEMENT: >STATE:1354596056,RECONNECTING,tls-error,,
2012-12-03 20:40:56 MANAGEMENT: CMD 'hold release'
2012-12-03 20:40:56 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-12-03 20:40:56 WARNING: file 'user.key' is group or others accessible
2012-12-03 20:40:56 LZO compression initialized
2012-12-03 20:40:56 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
2012-12-03 20:40:56 Socket Buffers: R=[42080->65536] S=[9216->65536]
2012-12-03 20:40:56 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
2012-12-03 20:40:56 Local Options hash (VER=V4): '22188c5b'
2012-12-03 20:40:56 Expected Remote Options hash (VER=V4): 'a8f55717'
2012-12-03 20:40:56 UDPv4 link local: [undef]
2012-12-03 20:40:56 UDPv4 link remote: 108.59.8.147:443
2012-12-03 20:40:56 MANAGEMENT: >STATE:1354596056,WAIT,,,
2012-12-03 20:40:56 write UDPv4: Permission denied (code=13)
2012-12-03 20:40:58 write UDPv4: Permission denied (code=13)
2012-12-03 20:41:02 write UDPv4: Permission denied (code=13)
2012-12-03 20:41:10 write UDPv4: Permission denied (code=13)
2012-12-03 20:41:26 write UDPv4: Permission denied (code=13)
2012-12-03 20:41:36 *Tunnelblick: Disconnecting; user cancelled
2012-12-03 20:41:36 event_wait : Interrupted system call (code=4)
2012-12-03 20:41:36 SIGTERM received, sending exit notification to peer
2012-12-03 20:41:41 TCP/UDP: Closing socket
2012-12-03 20:41:41 SIGTERM[soft,exit-with-notification] received, process exiting
2012-12-03 20:41:41 MANAGEMENT: >STATE:1354596101,EXITING,exit-with-notification,,
2012-12-03 20:41:42 *Tunnelblick: Flushed the DNS cache

Thanks for checking it out!
jessez 3 Posted ... Hi RubeGoldberg, No problem, but thanks for the thanks... OK, I've made a new ruleset; I hope this one works for you, but let me know if not and post the errors. I noticed from one of your previous posts that your router has IP address 192.168.1.254, so I made the ruleset to reflect that scenario. Again, let me know if that isn't correct, and if not, what the router address and/or DHCP range is from your router/DHCP server, and we'll get the ruleset fixed up. I added notes in with the ruleset so you know what each line is doing, and it should also help others in future who would like to know what the rules are doing. Obviously don't include those notes if you make the ruleset into a script. Regards, jz

PS: attaching a file isn't working for me, so here's the body:

sudo sysctl -w net.inet.ip.fw.enable=0
sudo sysctl -w net.inet.ip.forwarding=0
sudo ipfw flush
sudo ipfw delete set 31
sudo /sbin/ipfw disable firewall
sudo /sbin/ipfw enable firewall
sudo sysctl -w net.inet.ip.fw.enable=1
sudo ipfw add 01000 allow ip from any to any via lo*
sudo ipfw add 01300 allow ip from any to 127.0.0.0/8
sudo ipfw add 01200 allow ip from 192.168.1.0/24 to 192.168.1.254
sudo ipfw add 01400 check-state
sudo ipfw add 01600 allow ip from any 67 to any 68 in
sudo ipfw add 01800 allow ip from any 5353 to any in
sudo ipfw add 02000 allow ip from 192.168.1.0/24 to 108.59.8.147 keep-state
sudo ipfw add 05000 allow ip from 10.4.0.0/8 to any
sudo ipfw add 05100 allow ip from 10.5.0.0/8 to any
sudo ipfw add 05200 allow ip from 10.6.0.0/8 to any
sudo ipfw add 05300 allow ip from 10.7.0.0/8 to any
sudo ipfw add 05400 allow ip from 10.8.0.0/8 to any
sudo ipfw add 05500 allow ip from 10.9.0.0/8 to any
sudo ipfw add 65534 deny log ip from any to any
sudo ipfw add 65535 allow ip from any to any

line 1: turns off firewall; if the system is rebooted, the firewall is down.
line 2: turns off forwarding (NAT); if the system is rebooted, NAT is disabled.
line 3: flushes the existing ruleset.
line 4: deletes system ruleset #31, if it is able to. If not, it isn't a problem.
line 5: disables the firewall in the current session.
line 6: re-enables the firewall in the current session.
line 7: re-enables the firewall to start on reboot, etc.
line 8: adds a rule to allow any protocol via lo (loopback address).
line 9: allows all protocols via the loopback alias.
line 10: allows access to the local router.
line 11: checks firewall rule state for problems.
line 12: allows DHCP to and from the router or DHCP server (wherever DHCP is coming from).
line 13: allows mDNS, required for DNS lookups.
line 14: allows any protocol from the 192.168.x.x IP range to the AirVPN server USA (un-named because Google searches these forum posts). Add more lines like this one, with each server IP you want to connect to.
lines 15 - 16: allow traffic out to the AirVPN ranges that are used, for port 443 (see https://airvpn.org/specs/ for more on this).
lines 17 - 18: allow traffic out to the AirVPN ranges that are used, for port 80 (see https://airvpn.org/specs/ for more on this).
lines 19 - 20: allow traffic out to the AirVPN ranges that are used, for port 53 (see https://airvpn.org/specs/ for more on this).
line 21: denies all traffic that makes it this far through the ruleset.
line 22: ruleset #32, if deleting it earlier didn't work; rule 65534 nullifies anything that would normally make it this far, so nothing does.

Attachment: RubeGoldberg-ipfwruleset.txt
Staff 9973 Posted ...
> sudo ipfw add 05000 allow ip from 10.4.0.0/8 to any
> sudo ipfw add 05100 allow ip from 10.5.0.0/8 to any
> sudo ipfw add 05200 allow ip from 10.6.0.0/8 to any
> sudo ipfw add 05300 allow ip from 10.7.0.0/8 to any
> sudo ipfw add 05400 allow ip from 10.8.0.0/8 to any
> sudo ipfw add 05500 allow ip from 10.9.0.0/8 to any
> sudo ipfw add 65534 deny log ip from any to any
> sudo ipfw add 65535 allow ip from any to any

Hello! Just a glitch, the above must be 10.x.0.0/16, for example
sudo ipfw add 05100 allow ip from 10.5.0.0/16 to any
Kind regards

jessez 3 Posted ... Hi admins, Oops, my mistake, thanks very much for catching that! jz. No need to post this one in the forum... lol

kinginter 0 Posted ... This thread is huge and mind-boggling. I have AirVPN, uTorrent version 1.8.1 (28758), Mac OS X Lion 10.7.5 (11G63). Is there a tutorial for adding these rules so traffic will be blocked if the VPN drops? Sorry if it's already here… Thanks
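As an added example (this is neither jessez's ruleset nor an AirVPN script), the following POSIX shell script generates the same kill-switch ruleset from three parameters, with the 10.x.0.0/16 correction from the reply above built in, so the LAN range, the router address and the entry-server address cannot drift apart between lines the way they did between the page 12 rules and RubeGoldberg's 192.168.1.x network. The LAN 192.168.1.0/24, the router 192.168.1.254 and the server address 203.0.113.10 in the usage line are placeholders; the `check_ruleset` and `count_vpn_rules` helpers are assumptions of this example, not ipfw features.

```shell
#!/bin/sh
# Added example, not the thread's own script. Generates jessez's ipfw
# kill-switch ruleset from parameters and emits the VPN-internal ranges as
# /16 networks (the correction posted by Staff). The script only PRINTS the
# commands; review the output before piping it into "sudo sh" on the Mac.
#
# Parameters (placeholders in the usage line below, adjust to your network):
#   $1 LAN_NET    home network in CIDR notation
#   $2 ROUTER_IP  router / DHCP server address
#   $3 SERVER_IP  the AirVPN entry server from your .ovpn file

gen_ipfw_rules() {
    lan_net="$1"; router_ip="$2"; server_ip="$3"
    cat <<EOF
sysctl -w net.inet.ip.fw.enable=0
sysctl -w net.inet.ip.forwarding=0
ipfw flush
ipfw delete set 31
/sbin/ipfw disable firewall
/sbin/ipfw enable firewall
sysctl -w net.inet.ip.fw.enable=1
ipfw add 01000 allow ip from any to any via lo*
ipfw add 01300 allow ip from any to 127.0.0.0/8
ipfw add 01200 allow ip from $lan_net to $router_ip
ipfw add 01400 check-state
ipfw add 01600 allow ip from any 67 to any 68 in
ipfw add 01800 allow ip from any 5353 to any in
ipfw add 02000 allow ip from $lan_net to $server_ip keep-state
EOF
    # VPN-internal ranges 10.4.0.0/16 .. 10.9.0.0/16, rule numbers 05000,
    # 05100, ... exactly as in the thread, but with the /16 mask.
    n=5000
    for third in 4 5 6 7 8 9; do
        printf 'ipfw add %05d allow ip from 10.%d.0.0/16 to any\n' "$n" "$third"
        n=$((n + 100))
    done
    cat <<EOF
ipfw add 65534 deny log ip from any to any
ipfw add 65535 allow ip from any to any
EOF
}

# Sanity check to run on the generated text before applying it (reads stdin):
# fails if any 10.x rule still carries the over-broad /8 mask, or if the
# catch-all deny at 65534 is missing (without it rule 65535 allows everything).
check_ruleset() {
    rules="$(cat)"
    if printf '%s\n' "$rules" | grep -q 'from 10\.[0-9]*\.0\.0/8 '; then
        return 1
    fi
    if ! printf '%s\n' "$rules" | grep -q '^ipfw add 65534 deny'; then
        return 1
    fi
    return 0
}

# Counts the VPN-internal /16 allow rules in a generated ruleset (reads stdin).
count_vpn_rules() {
    grep -c 'from 10\.[4-9]\.0\.0/16 to any'
}

# Usage (placeholder addresses; prints the ruleset for review):
#   gen_ipfw_rules 192.168.1.0/24 192.168.1.254 203.0.113.10 | check_ruleset \
#       && gen_ipfw_rules 192.168.1.0/24 192.168.1.254 203.0.113.10
```

Because the script emits text rather than running ipfw directly, the output can be diffed against the hand-written ruleset above, and the check catches the /8 slip before the rules reach the kernel; once the LAN matches, the "write UDPv4: Permission denied" errors seen with the 172.17.0.0/16 rule on page 12 should not recur for a 192.168.1.x host.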