Jump to content
Not connected, Your IP: 3.21.12.41
Evenstar

Win - Mac - BSD Block traffic when VPN disconnects

Recommended Posts

Hello, Once the firewall is activated, I cannot connect to AirVPN. Below is the Tunnelblick log. There is a Permission denied (code=13) message.

2012-06-29 14:47:20 *Tunnelblick: OS X 10.4.11; Tunnelblick 3.2.2 (build 2891.2917)

2012-06-29 14:47:20 *Tunnelblick: Attempting connection with US sirius udp; Set nameserver = 1; monitoring connection

2012-06-29 14:47:20 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start US\ sirius\ udp.ovpn 1338 1 0 0 0 49 -atDASNGWrdasngw

2012-06-29 14:47:20 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/misterq/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/misterq/Library/Application Support/Tunnelblick/Configurations/US sirius udp.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Smisterq-SLibrary-SApplication Support-STunnelblick-SConfigurations-SUS sirius udp.ovpn.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart

2012-06-29 14:47:21 *Tunnelblick: kextload: /Applications/Tunnelblick.app/Contents/Resources/tun-20090913.kext loaded successfully

2012-06-29 14:47:21 *Tunnelblick: openvpnstart message: Loading tun-20090913.kext

2012-06-29 14:47:21 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Jan 8 2012

2012-06-29 14:47:21 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338

2012-06-29 14:47:21 Need hold release from management interface, waiting...

2012-06-29 14:47:21 MANAGEMENT: Client connected from 127.0.0.1:1338

2012-06-29 14:47:21 *Tunnelblick: Established communication with OpenVPN

2012-06-29 14:47:21 MANAGEMENT: CMD 'pid'

2012-06-29 14:47:21 MANAGEMENT: CMD 'state on'

2012-06-29 14:47:21 MANAGEMENT: CMD 'state'

2012-06-29 14:47:21 MANAGEMENT: CMD 'hold release'

2012-06-29 14:47:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2012-06-29 14:47:21 WARNING: file 'user.key' is group or others accessible

2012-06-29 14:47:21 LZO compression initialized

2012-06-29 14:47:21 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]

2012-06-29 14:47:21 Socket Buffers: R=[42080->65536] S=[9216->65536]

2012-06-29 14:47:21 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]

2012-06-29 14:47:21 Local Options hash (VER=V4): '22188c5b'

2012-06-29 14:47:21 Expected Remote Options hash (VER=V4): 'a8f55717'

2012-06-29 14:47:21 UDPv4 link local: [undef]

2012-06-29 14:47:21 UDPv4 link remote: 108.59.8.147:443

2012-06-29 14:47:21 MANAGEMENT: >STATE:1341017241,WAIT,,,

2012-06-29 14:47:28 MANAGEMENT: >STATE:1341017248,AUTH,,,

2012-06-29 14:47:28 TLS: Initial packet from 108.59.8.147:443, sid=160213a7 110c9416

2012-06-29 14:47:29 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

2012-06-29 14:47:29 VERIFY OK: nsCertType=SERVER

2012-06-29 14:47:29 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

2012-06-29 14:47:32 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

2012-06-29 14:47:32 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2012-06-29 14:47:32 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

2012-06-29 14:47:32 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2012-06-29 14:47:32 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

2012-06-29 14:47:32 [server] Peer Connection Initiated with 108.59.8.147:443

2012-06-29 14:47:33 MANAGEMENT: >STATE:1341017253,GET_CONFIG,,,

2012-06-29 14:47:35 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

2012-06-29 14:47:35 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.4.3.14 10.4.3.13'

2012-06-29 14:47:35 OPTIONS IMPORT: timers and/or timeouts modified

2012-06-29 14:47:35 OPTIONS IMPORT: LZO parms modified

2012-06-29 14:47:35 OPTIONS IMPORT: --ifconfig/up options modified

2012-06-29 14:47:35 OPTIONS IMPORT: route options modified

2012-06-29 14:47:35 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

2012-06-29 14:47:35 ROUTE default_gateway=172.17.192.1

2012-06-29 14:47:35 TUN/TAP device /dev/tun0 opened

2012-06-29 14:47:35 MANAGEMENT: >STATE:1341017255,ASSIGN_IP,,10.4.3.14,

2012-06-29 14:47:35 /sbin/ifconfig tun0 delete

ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

2012-06-29 14:47:35 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

2012-06-29 14:47:35 /sbin/ifconfig tun0 10.4.3.14 10.4.3.13 mtu 1500 netmask 255.255.255.255 up

2012-06-29 14:47:35 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1558 10.4.3.14 10.4.3.13 init

No such key

2012-06-29 14:47:37 *Tunnelblick client.up.tunnelblick.sh: Retrieved name server(s) [ 10.4.0.1 ] and WINS server(s) [ ] and using default domain name [ openvpn ]

2012-06-29 14:47:38 /sbin/route add -net 108.59.8.147 172.17.192.1 255.255.255.255

add net 108.59.8.147: gateway 172.17.192.1

2012-06-29 14:47:38 /sbin/route add -net 0.0.0.0 10.4.3.13 128.0.0.0

add net 0.0.0.0: gateway 10.4.3.13

2012-06-29 14:47:38 /sbin/route add -net 128.0.0.0 10.4.3.13 128.0.0.0

add net 128.0.0.0: gateway 10.4.3.13

2012-06-29 14:47:38 MANAGEMENT: >STATE:1341017258,ADD_ROUTES,,,

2012-06-29 14:47:38 /sbin/route add -net 10.4.0.1 10.4.3.13 255.255.255.255

add net 10.4.0.1: gateway 10.4.3.13

2012-06-29 14:47:38 Initialization Sequence Completed

2012-06-29 14:47:38 MANAGEMENT: >STATE:1341017258,CONNECTED,SUCCESS,10.4.3.14,108.59.8.147

Workaround Bonjour: Unknown error: 0

2012-06-29 14:47:38 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such key' warnings are normal and may be ignored

2012-06-29 14:47:38 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use

2012-06-29 14:47:38 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor system configuration with process-network-changes

2012-06-29 14:47:39 *Tunnelblick: Flushed the DNS cache

2012-06-29 14:48:08 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:11 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:13 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:23 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:26 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:28 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:38 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:38 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:41 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:43 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:50 event_wait : Interrupted system call (code=4)

2012-06-29 14:48:50 SIGTERM received, sending exit notification to peer

2012-06-29 14:48:50 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:51 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:52 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:53 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:53 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:53 write UDPv4: Permission denied (code=13)

2012-06-29 14:48:55 TCP/UDP: Closing socket

2012-06-29 14:48:55 /sbin/route delete -net 10.4.0.1 10.4.3.13 255.255.255.255

delete net 10.4.0.1: gateway 10.4.3.13

2012-06-29 14:48:55 /sbin/route delete -net 108.59.8.147 172.17.192.1 255.255.255.255

delete net 108.59.8.147: gateway 172.17.192.1

2012-06-29 14:48:55 /sbin/route delete -net 0.0.0.0 10.4.3.13 128.0.0.0

delete net 0.0.0.0: gateway 10.4.3.13

2012-06-29 14:48:55 /sbin/route delete -net 128.0.0.0 10.4.3.13 128.0.0.0

delete net 128.0.0.0: gateway 10.4.3.13

2012-06-29 14:48:55 Closing TUN/TAP interface

2012-06-29 14:48:55 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1558 10.4.3.14 10.4.3.13 init

2012-06-29 14:48:55 *Tunnelblick client.down.tunnelblick.sh: Cancelled monitoring of system configuration changes

2012-06-29 14:48:56 SIGTERM[soft,exit-with-notification] received, process exiting

2012-06-29 14:48:56 MANAGEMENT: >STATE:1341017336,EXITING,exit-with-notification,,

2012-06-29 14:48:56 *Tunnelblick client.down.tunnelblick.sh: Restored the DNS and WINS configurations

2012-06-29 14:48:59 *Tunnelblick: Flushed the DNS cache

Share this post


Link to post

Hi galilao,

Ok, that's a new one. It would be great if the log would say exactly what file the system is denying write access to.

All I can suggest for now is to turn off the "Monitor Network Settings" in Tunnelblick. Monitoring network settings seems to be a bit flakey in tunnelblick for some reason.

What is interesting is that this part is usually the last items in the tunnelblick log when you have a successfully connected:

2012-06-29 14:47:38 Initialization Sequence Completed

2012-06-29 14:47:38 MANAGEMENT: >STATE:1341017258,CONNECTED,SUCCESS,10.4.3.14,108.59.8.147

and then it looks like it disconnected with this:

Workaround Bonjour: Unknown error: 0

Could you tell me if you have 1.) the same problem connecting with any server, and 2.) what method you used to get the rules in the firewall?

I'm wondering if the permissions on one of the files I attached has had some effect on how this is working on your machine..

Today I will be busy until later, so let me know how it goes at your end and I'll spend some time on it again tonight (Saturday here)

Regards,

jz

Share this post


Link to post

Hello Jz,

I copied your script and pasted it into the Terminal program that came with OS Panther that I am running on my Ibook. I only tried the script with one server.

Thanks

Galilao

Share this post


Link to post

Hi galilao,

Ok, if you are running Panther, that is a bit of a different beast. From the research I've done it seems that Apple injects some rules to ipfw that should be removed. I found a good article on setting up ipfw so it starts up differently (the procedure will make ipfw better by starting it before there is any network connection) and doesn't load any default Apple rules. The instructions for doing that are in the beginning of the article.

For others as well: there are some useful rules further down in the article for making other things work, such as FTP, etc... that could be useful for those needing an extended ruleset.

http://silvester.org.uk/OSX/wrangling_ipfw.html

Something I didn't know is that the attachments I provided just come up in text, so if the text is copied and pasted into textedit (or your fav text editor) and you save them to your home directory, then the permissions will be correct for your machine.

Anyway galilao, try that and see if you have a working firewall that lets you connect. If you are still having issues I will try to help resolve them.

Best,

jz

Share this post


Link to post

Anyone have any suggestions how to achieve this with Avira Internet Security please?

I tried installing Comodo along with Avira but there is probably some conflict or something. Because when I add a rule to comodo I can't browse at all even when vpn is connected.

I also tried enabling windows firewall and followed these instructions:

http://practicalrambler.blogspot.com/2011/01/windows-7-firewall-how-to-always-use.html

It worked with utorrent but firefox still worked even when I disconnect the vpn not sure why.

I am using win7 and connecting with openvpn gui btw.

Share this post


Link to post

Hi jokeramj,

I'm not familiar with Avira or Comodo suites, but you should only ever run one antivirus and/or firewall program. They will make your PC do some really bizarre things running two at the same time. If the version of Comodo you have does antivirus and firewalling then I would recommend going with Comodo as there is an article posted in this forum somewhere that has a link to a company that does testing of such software, and Comodo won out over everything else they tested. Here is the link to the original article: http://www.matousec.com/projects/proactive-security-challenge-64/

You should also disable the Windows firewall when using a third-party firewall program; they won't play nice together.

Somewhere in this post ( I think between pages 2 and 7 if I remember correctly) there are suggestions for the Comodo firewall.

In general what you want to do is deny traffic to everywhere, in and out, and then set up rules to allow connections to the AirVPN servers. The end result should be that there will be no internet access by any program or your operating system, except when you are connected to AirVPN.

Please don't hesitate to post again if you need any other assistance,

Best Regards,

jz

Share this post


Link to post

I just imported the airvpn ruleset Jessez created to WaterRoof and it seems to be working well - can't connect at all unless airvpn is connected and running.

It was pretty easy, just follow the instructions provided and you should be all set.

Thanks for all the help.

Share this post


Link to post

Hi parker81,

Thank you for testing and reporting your findings.

Best Regards,

jz

Share this post


Link to post

Thanks for replying jessez. I am aware it is not good idea to try two similar products at the same time. Although I disabled Avira's firewall section when I was trying comodo but Avira suite was still running and I imagine there can again be conflicts. I have windows firewall disabled, I just turned it on to try this. I'd like to stick to all in one solution rather then use dedicated firewall and av in any case. And I am not really sure how objective are matousec test results. It seems unbelievable that comodo is the only product that appears to have any protection out of those tested.

Anyway I might try switching to Bitdefender. I found this post on their forum which seems to cover what I need:

http://forum.bitdefender.com/lofiversion/index.php/t34417.html

Share this post


Link to post

Hi jokeramj,

No problem at all, glad to be able to help.

I found the post I was looking for with the comparative results, although for a little bit older versions of the software suites; it's on page 4 of this post (article?).

The Bitdefender rated at 97% I think, so not too bad. I personally have used Bitdefender products in the past and I still use their browser plugin. The article I referenced was also just talking about 64bit versions of the various software (and also didn't include some manufacturers suites), which possibly could be invalid for the 32bit versions. That's impossible to say without doing side-by-side testing. It seems like you are trying out different things, so just one suggestion for you at this point:

Download the software you want to try out. Disconnect from the internet and uninstall the other software (s). Reboot and then install the new software (still no internet connection). Reboot and put PC back on the internet, update the new software, then set the firewall rules. This method will result in a better experience for you and keep the O/S as clean of virus', etc... as possible.

Sorry if this is what you have been doing, I write these things so newcomers reading my posts will be able to follow along and take advantage of the documentation.

Yell if you need any help,

Best Regards,

jz

Share this post


Link to post

Hello, It turned out that I was running Terminal under 10.4.11 Tiger not Panther. I got confused with my other Mac portable, sorry. I tried to connect to the Sirius server with the Monitor Network Settings turned off, but still cannot connect. What am I doing wrong?

Share this post


Link to post

Hi galilao,

Could you post the firewall rules you are using and also the log from OpenVPN please? That would help in tracking down the problem.

To get the rules use terminal and this command: sudo ipfw show

Thanks very much,

jz

Share this post


Link to post

Hello,

Here is the Tunnelblick log:

2012-07-13 16:56:28 *Tunnelblick: OS X 10.4.11; Tunnelblick 3.2.2 (build 2891.2917)

2012-07-13 16:56:29 *Tunnelblick: Attempting connection with US sirius udp; Set nameserver = 1; monitoring connection

2012-07-13 16:56:29 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start US\ sirius\ udp.ovpn 1337 1 0 0 0 49 -atDASNGWrdasngw

2012-07-13 16:56:29 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/misterq/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1337 --config /Users/misterq/Library/Application Support/Tunnelblick/Configurations/US sirius udp.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Smisterq-SLibrary-SApplication Support-STunnelblick-SConfigurations-SUS sirius udp.ovpn.1_0_0_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart

2012-07-13 16:56:30 *Tunnelblick: kextload: /Applications/Tunnelblick.app/Contents/Resources/tun-20090913.kext loaded successfully

2012-07-13 16:56:30 *Tunnelblick: openvpnstart message: Loading tun-20090913.kext

2012-07-13 16:56:30 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Jan 8 2012

2012-07-13 16:56:30 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337

2012-07-13 16:56:30 Need hold release from management interface, waiting...

2012-07-13 16:56:31 *Tunnelblick: Established communication with OpenVPN

2012-07-13 16:56:31 MANAGEMENT: Client connected from 127.0.0.1:1337

2012-07-13 16:56:31 MANAGEMENT: CMD 'pid'

2012-07-13 16:56:31 MANAGEMENT: CMD 'state on'

2012-07-13 16:56:31 MANAGEMENT: CMD 'state'

2012-07-13 16:56:31 MANAGEMENT: CMD 'hold release'

2012-07-13 16:56:31 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2012-07-13 16:56:31 WARNING: file 'user.key' is group or others accessible

2012-07-13 16:56:31 LZO compression initialized

2012-07-13 16:56:31 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]

2012-07-13 16:56:31 Socket Buffers: R=[42080->65536] S=[9216->65536]

2012-07-13 16:56:31 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]

2012-07-13 16:56:31 Local Options hash (VER=V4): '22188c5b'

2012-07-13 16:56:31 Expected Remote Options hash (VER=V4): 'a8f55717'

2012-07-13 16:56:31 UDPv4 link local: [undef]

2012-07-13 16:56:31 UDPv4 link remote: 108.59.8.147:443

2012-07-13 16:56:31 MANAGEMENT: >STATE:1342234591,WAIT,,,

2012-07-13 16:56:34 write UDPv4: Permission denied (code=13)

2012-07-13 16:56:34 write UDPv4: Permission denied (code=13)

2012-07-13 16:56:38 write UDPv4: Permission denied (code=13)

2012-07-13 16:56:46 write UDPv4: Permission denied (code=13)

2012-07-13 16:57:02 write UDPv4: Permission denied (code=13)

2012-07-13 16:57:14 event_wait : Interrupted system call (code=4)

2012-07-13 16:57:14 SIGTERM received, sending exit notification to peer

2012-07-13 16:57:19 TCP/UDP: Closing socket

2012-07-13 16:57:19 SIGTERM[soft,exit-with-notification] received, process exiting

2012-07-13 16:57:19 MANAGEMENT: >STATE:1342234639,EXITING,exit-with-notification,,

2012-07-13 16:57:22 *Tunnelblick: Flushed the DNS cache

and here are the IPFW rules:

02000 13925 1427960 allow ip from any to any via lo*

02010 0 0 deny ip from 127.0.0.0/8 to any in

02020 0 0 deny ip from any to 127.0.0.0/8 in

02030 0 0 deny ip from 224.0.0.0/3 to any in

02040 0 0 deny tcp from any to 224.0.0.0/3 in

02050 373 42249 allow tcp from any to any out

02060 433 413427 allow tcp from any to any established

02065 0 0 allow tcp from any to any frag

12190 0 0 deny log tcp from any to any

20000 0 0 deny log icmp from any to me in icmptypes 8

20310 0 0 allow udp from any to any dst-port 53 in

20320 3 1002 allow udp from any to any dst-port 68 in

20321 0 0 allow udp from any 67 to me in

20322 0 0 allow udp from any 5353 to me in

20340 65 5070 allow udp from any to any dst-port 137 in

20350 0 0 allow udp from any to any dst-port 427 in

20360 14 2774 allow udp from any to any dst-port 631 in

20370 416 101116 allow udp from any to any dst-port 5353 in

30510 370 43725 allow udp from me to any out keep-state

30520 9 4329 allow udp from any to any in frag

35000 104 25732 deny log udp from any to any in

65535 12 384 allow ip from any to any

Hope this helps,

galilao

Share this post


Link to post

Hi galilao,

Thanks for the logs, I see there is still that problem with permission denied. It looks like your tunnelblick config files are in ~/Library/Application Support/Tunnelblick/Configurations , so could you go there and make sure you are the owner of the sirius config file? If not do:

sudo chown -R <your username>:staff ~/Library/Application Support/Tunnelblick/Configurations/ <whatever the tblk filename is >

maybe also try getinfo and take the .tblk off the end to make it a folder again, make sure there is only the 4 files in there : ca.crt, config.ovpn, user.crt and user.key.

when you use getinfo again to put the .tblk back on, make sure theres no spaces in the filename, you can use underscores or dashes to separate words.

Start on that and see how it goes; I have to spend some time going through the rules, they're a bit of a mess. I'll probably get you to redo them, but I'll get back to you when I've sorted out the ones you posted.

jz

Share this post


Link to post

hi galilao,

I'm working on a custom set of rules for you based on the ones you posted.

I came across this IP address in one of your older posts: 172.17.192.1

Is it your routers IP address, or your computers IP address?

Also, are you using DHCP or is your computers IP address static ?

Thanks,

jz

Share this post


Link to post

Hello, Do I understand correctly that if I am not the owner, wouldn't that prevent me from logging onto the AirVPN server even without your firewall rules? Thank you

Share this post


Link to post

Hello, I was trying your firewall rules on my portable that is not with me right now. I think that 172.17.192.1 might be the IP address of another VPN service I was testing as a back-up to AirVPN, but concluded that AirVPN is better. When I tested your firewall rules with my portable, I was connected wirelessly to my college's network. I am using DHCP. Hope this helps, thank you.

Share this post


Link to post

Hello, I am sending this to you from my Ibook through my college's wireless network system. 172.17.192.1 is the college's router's address. The college's IP address is 172.17.211.215. I am using DHCP. Thank you for your help.

Share this post


Link to post

hi galilao,

Quote: "Hello, Do I understand correctly that if I am not the owner, wouldn't that prevent me from logging onto the AirVPN server even without your firewall rules? Thank you"

Yes I believe that is correct.

Also, If you cannot connect to AirVPN with the firewall disabled (off) then the problem is somewhere else.

The reason I was looking at permissions is because of the error in the tunnelblick log: write UDPv4: Permission denied (code=13)

I'm not sure where or what tunnelblick/openvpn is trying to write to there, so the logical place to start would be the config files.

Have you done a permmisions repair at all? Try this: sudo diskutil repairPermissions /

It won't take that long to run, and may solve the permissions problem.

Ok, I'll modify the firewall rules for you to try, please check the permissions on the tunnelblick config file as I outlined in my previous post, also I need to know if you need access to any oother computer at your college, or do you only want internet access?

jz

Share this post


Link to post

hi galilao,

ok, I've made a custom script for you for use at your college. Just copy/ paste the lines below into textedit and call it airvpn.sh. Run the script.

This is a very basic script which resets the firewall, and flushes the old rules, then adding the new rule-set, also allowing local network access, but otherwise only to Sirius. Make sure when you do the copy/paste that there is no extra space at the end. The mouse cursor should be sitting after the last letter of the last word, and not on the line below.

sudo sysctl -w net.inet.ip.fw.enable=0

sudo sysctl -w net.inet.ip.forwarding=0

sudo ipfw flush

sudo ipfw delete set 31

sudo /sbin/ipfw disable firewall

sudo /sbin/ipfw enable firewall

sudo sysctl -w net.inet.ip.fw.enable=1

sudo ipfw add 01000 allow ip from any to any via lo*

sudo ipfw add 01200 deny ip from any to 127.0.0.0/8

sudo ipfw add 01400 check-state

sudo ipfw add 01600 allow ip from any 67 to any 68 in

sudo ipfw add 01800 allow ip from any 5353 to any in

sudo ipfw add 02000 allow ip from 172.17.0.0/16 to 108.59.8.147 keep-state

sudo ipfw add 04000 allow ip from 127.0.0.1 to any

sudo ipfw add 05000 allow ip from 10.0.0.0/8 to any

sudo ipfw add 05200 allow ip from any to 10.0.0.0/8

sudo ipfw add 65534 deny log ip from any to any

sudo ipfw add 65535 allow ip from any to any

I hope that does it, but let me know how it goes,

Regards,

jz

Share this post


Link to post

Hello, I ran your rules on my desktop Mac by changing from 172.17.0.0/16 to be compatible with my home router's IP address 192.168.0.0/16 and I was able to connect to the Sirius server. By closing the Tunnelblick connection the Internet connection is also closed. Now I know that whenever I try to connect with my portable, from a coffee shop for example, I first have to determine the coffee shop's router's address and make the change in the IPFW rules as needed. I will be in touch with you again after I try to connect through my college's wireless network. Thank you very much!

Share this post


Link to post

Hi galilao,

You're welcome, I'm glad to be of help and that it's working for you now.

Best regards,

jz

Share this post


Link to post

Hello,

I was able to connect through my college's wireless network with this script. In the script you uploaded about 3 weeks ago, I changed the 192.168.0.0 values to 172.17.0.0, but was unable to connect through the college's network. What do I need to do?

Thank you

Share this post


Link to post

Hi galilao,

If the new script will work at home and at college with just the one adjustment, you should make two copies of it to save on your desktop; call one home and the other college, and just double-click the one for where you are. Actually you could make that into 2 applescript programs quite easily as well, and keep the two versions in the dock. I'm not sure why the old ruleset I posted doesn't work, so just ditch it.

Regards,

jz

Share this post


Link to post

hi galilao,

ok, I've made a custom script for you for use at your college. Just copy/ paste the lines below into textedit and call it airvpn.sh. Run the script.

This is a very basic script which resets the firewall, and flushes the old rules, then adding the new rule-set, also allowing local network access, but otherwise only to Sirius. Make sure when you do the copy/paste that there is no extra space at the end. The mouse cursor should be sitting after the last letter of the last word, and not on the line below.

sudo sysctl -w net.inet.ip.fw.enable=0

sudo sysctl -w net.inet.ip.forwarding=0

sudo ipfw flush

sudo ipfw delete set 31

sudo /sbin/ipfw disable firewall

sudo /sbin/ipfw enable firewall

sudo sysctl -w net.inet.ip.fw.enable=1

sudo ipfw add 01000 allow ip from any to any via lo*

sudo ipfw add 01200 deny ip from any to 127.0.0.0/8

sudo ipfw add 01400 check-state

sudo ipfw add 01600 allow ip from any 67 to any 68 in

sudo ipfw add 01800 allow ip from any 5353 to any in

sudo ipfw add 02000 allow ip from 172.17.0.0/16 to 108.59.8.147 keep-state

sudo ipfw add 04000 allow ip from 127.0.0.1 to any

sudo ipfw add 05000 allow ip from 10.0.0.0/8 to any

sudo ipfw add 05200 allow ip from any to 10.0.0.0/8

sudo ipfw add 65534 deny log ip from any to any

sudo ipfw add 65535 allow ip from any to any

I hope that does it, but let me know how it goes,

Regards,

jz

am i correct in assuming that this will work with 10.6.8, since it uses ipfw and not pf? also, will this work for all interfaces? how would i go about only using these rules for en0? my private ip space (all electronics in my network) is 10.0.0.0/16; would i even need "sudo ipfw add 02000 allow ip from <strong>172.17.0.0/16</strong> to 108.59.8.147 keep-state"?

would be madly appreciated if you could answer

//EDIT:

basically, i want to deny every outgoing connection that is not going through tun0 (95.211.169.3 -- castor). internal network access should be allowed though; the ip address space is 10.0.1.0-10.0.1.200. could you please help me out?

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...