Evenstar

Win - Mac - BSD Block traffic when VPN disconnects


Hello,

 

you can't specify multiple IP addresses with the not (!) operator

(! not allowed with multiple source or destination IP addresses)

So, you might simply DROP everything in OUTPUT (default policy):

 

iptables -P OUTPUT DROP

 

but ACCEPT all packets to the entry-IP addresses of the VPN servers you wish to connect to, to the IP range of your home network and to allow DHCP:

 

iptables -A OUTPUT -o eth+ -d a.b.c.d,e.f.g.h,...,w.x.y.z -j ACCEPT # in this rule we use the "," operator to specify multiple IP addresses in just one line, but you can split the rule in multiple lines if you prefer so

iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT

iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

 

Kind regards



 

Thanks for the clarification. I am now able to connect to multiple AirVPNs and all other access is blocked, but it seems to have created a new issue somehow affecting DNS resolution. Even specifying "nameserver 10.4.0.1" as the first line in /etc/resolv.conf does not allow me to browse successfully (or ping google/yahoo).

 

Here are the differences between the working/non-working iptables configurations (after executing iptables-save, just the relevant pieces that seem to be causing a difference):

 

working completely:

 

*filter

:INPUT ACCEPT [3:522]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A OUTPUT ! -d a.b.c.d/32 -o wlan+ -j DROP

 

connects but no name resolution:

 

*filter

:INPUT ACCEPT [14:2408]

:FORWARD ACCEPT [0:0]

:OUTPUT DROP [13:745]

-A OUTPUT -d a.b.c.d/32 -o wlan+ -j ACCEPT

 

Do I also need to create a rule for incoming or outgoing connections to the correct nameserver?


Hello,

 

yes, you need to allow packets from

10.4.0.0/16 to any

10.5.0.0/16 to any

...

10.9.0.0/16 to any

 

and packets from any to 10.4.0.0/16, 10.5.0.0/16 etc.

 

Kind regards

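Worked example, added here and not taken from any post in this thread: a small POSIX shell model of how the OUTPUT chain decides a packet's fate, run against the two configurations compared above (ACCEPT policy with a "! -d" DROP rule versus DROP policy with a single ACCEPT rule) and against the same DROP-policy ruleset with the VPN-side DNS ranges from the reply added. It understands only the syntax those rules use (":OUTPUT POLICY", "-A OUTPUT", "-o IFACE" with the trailing "+" wildcard, "-d CIDR", "! -d CIDR", "-j TARGET"); every other match option is ignored, so it is a teaching model of first-match-wins plus chain policy, not a replacement for iptables. The entry address 203.0.113.10 and the rulesets WORKING, NO_DNS and FIXED are constructed for the example; 10.4.0.0/16 and 10.5.0.0/16 are the DNS ranges named in the reply.

```shell
#!/bin/sh
# Toy first-match model of the iptables OUTPUT chain (added example, not iptables itself).
# Understood syntax: ":OUTPUT POLICY", "-A OUTPUT", "-o IFACE" (trailing "+" = prefix
# wildcard), "-d CIDR", "! -d CIDR", "-j TARGET". Other match options are ignored.

# ip2int A.B.C.D: print the address as one integer (needs 64-bit shell arithmetic)
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr IP CIDR: succeed when IP lies inside CIDR (a bare address means /32)
in_cidr() {
    net=${2%%/*}
    plen=${2#"$net"}; plen=${plen#/}
    [ -n "$plen" ] || plen=32
    div=1; i=$plen
    while [ "$i" -lt 32 ]; do div=$((div * 2)); i=$((i + 1)); done   # div = 2^(32-plen)
    [ $(( $(ip2int "$1") / div )) -eq $(( $(ip2int "$net") / div )) ]
}

# iface_match IFACE PATTERN: "wlan+" matches wlan0, wlan1, ...; "eth0" matches only eth0
iface_match() {
    case "$2" in
        *+) case "$1" in "${2%+}"*) return 0 ;; *) return 1 ;; esac ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# decide RULESET OUT_IFACE DST_IP: print ACCEPT or DROP for one outgoing packet.
# Rules are tried in order; the first full match wins; with no match the chain policy applies.
decide() {
    ruleset=$1; pkt_if=$2; pkt_dst=$3
    policy=ACCEPT; verdict=
    while read -r line; do
        case "$line" in
            ":OUTPUT "*) policy=${line#":OUTPUT "}; policy=${policy%% *}; continue ;;
            "-A OUTPUT "*) ;;
            *) continue ;;
        esac
        set -- $line; shift 2
        match=1; negate=0; target=
        while [ $# -gt 0 ]; do
            case "$1" in
                '!') negate=1; shift ;;
                -o)  iface_match "$pkt_if" "$2" || match=0; shift 2 ;;
                -d)  if in_cidr "$pkt_dst" "$2"; then hit=1; else hit=0; fi
                     [ "$negate" -eq 1 ] && hit=$((1 - hit))
                     [ "$hit" -eq 1 ] || match=0
                     negate=0; shift 2 ;;
                -j)  target=$2; shift 2 ;;
                *)   shift ;;
            esac
        done
        if [ "$match" -eq 1 ] && [ -n "$target" ]; then verdict=$target; break; fi
    done <<EOF
$ruleset
EOF
    echo "${verdict:-$policy}"
}

# Constructed rulesets mirroring the two configurations compared in the thread.
# 203.0.113.10 is a documentation-range stand-in for a VPN entry address.
WORKING=':OUTPUT ACCEPT [0:0]
-A OUTPUT ! -d 203.0.113.10/32 -o wlan+ -j DROP'

NO_DNS=':OUTPUT DROP [0:0]
-A OUTPUT -d 203.0.113.10/32 -o wlan+ -j ACCEPT'

# NO_DNS plus the allowances from the reply: the VPN-side DNS ranges (10.4 and 10.5 shown)
FIXED="$NO_DNS
-A OUTPUT -d 10.4.0.0/16 -j ACCEPT
-A OUTPUT -d 10.5.0.0/16 -j ACCEPT"

for probe in "WORKING wlan0 203.0.113.10" "WORKING tun0 10.4.0.1" \
             "NO_DNS tun0 10.4.0.1" "FIXED tun0 10.4.0.1"; do
    set -- $probe
    eval "rules=\$$1"
    printf '%-7s %-5s %-14s -> %s\n' "$1" "$2" "$3" "$(decide "$rules" "$2" "$3")"
done
```

The output shows why name resolution broke: under WORKING the DNS query to 10.4.0.1 leaving on tun0 matches no rule and falls through to the ACCEPT policy, under NO_DNS it falls through to the DROP policy, and only FIXED (a rule for the VPN-side DNS range) lets it out again.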


 

Thanks for the guidance. It took me a while to figure out how to "translate" to iptables syntax, and for the life of me I couldn't get any lookups to work with the AirVPN DNS servers, so I switched to OpenDNS (208.67.222.222 / 208.67.220.220) and haven't had any issues. I hope this isn't considered less secure.

 

Also put those in my /etc/resolv.conf as the top lines, and I have DNS working for both pre-connection (to wlan+) and VPN-connected (through tun+). I won't get into too many details this post, but the reason I want pre-connection DNS access is so that I can bypass the VPN for certain sites so that that activity isn't sticking out if anyone was watching the other ends, in order to keep up appearances I guess (like popular e-mail or banking, those required sites to be productive these days that are run by shill corporations willing to forfeit all your info and login behavior). I'm still learning so maybe not the best way to go about it; it's almost like you need a separate browser or system user to pipe connections through. It seems that they all enable many more connections than just the login page, and I'm not sure what information is passed on to each connection.

 

For the iptables though, if anyone else is interested, here is how it works using the methodology of allowing multiple VPN IP addresses for connecting through wlan+, then blocking everything else in OUTPUT. I saved using "iptables-save > /etc/firewall.conf", and re-load it using a startup script "iptables-restore < /etc/firewall.conf". (Also IP addresses have been removed in the example and are represented as "x.x.x.x".)

 

# Drop all OUTPUT, only allow VPN traffic (for the most part)
# +Allow direct access to several VPN servers to wlan+
# +Allow direct access to personal login sites not wishing to tunnel through VPN
# +Allow openDNS access to wlan+, so that non-VPN sites specified can still be looked up and later accessed in the browser.
# (must also add these non-VPN sites to routing table, so that they can be bypassed outside of tun+)
## FILTER
*filter
:INPUT ACCEPT [3:291]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [6:344]
# Loopback / Lan (INPUT)
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
# DNS (INPUT)
-A INPUT -s 208.67.222.222 -p udp -i wlan+ --sport 53 -j ACCEPT
-A INPUT -s 208.67.222.222 -p udp -i tun+ --sport 53 -j ACCEPT
-A INPUT -s 208.67.222.220 -p udp -i wlan+ --sport 53 -j ACCEPT
-A INPUT -s 208.67.222.220 -p udp -i tun+ --sport 53 -j ACCEPT
-A FORWARD -i wlan+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o wlan+ -j ACCEPT
# Loopback / Lan (OUTPUT)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -s 192.168.0.0/16 -j ACCEPT
# DNS (OUTPUT)
-A OUTPUT -d 208.67.222.222 -p udp -o wlan+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.222 -p udp -o tun+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.220 -p udp -o wlan+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.220 -p udp -o tun+ --dport 53 -j ACCEPT
# AirVpn Access
-A OUTPUT -o wlan+ -d x.x.x.x/32,x.x.x.x/32,x.x.x.x/32 -j ACCEPT
# Routing outside of VPN (sample OUTPUT, not complete b/c many sites end up opening multiple connections. Still researching best methodology to bypass and also make sure that routing table puts these through wlan rather than tun connection)
-A OUTPUT -d x.x.x.x/32 -o wlan+ -j ACCEPT
COMMIT
## NAT
*nat
:PREROUTING ACCEPT [62:24525]
:INPUT ACCEPT [5:953]
:OUTPUT ACCEPT [24:1496]
:POSTROUTING ACCEPT [1:90]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT

 

And if anyone wanted to use AirVPN DNS, this would be the syntax for the config file, although again I could not get this working right, even with "nameserver 10.4.0.1" in resolv.conf:

 

-A INPUT -s 10.4.0.0/16 -p udp -i tun+ --sport 53 -j ACCEPT

-A OUTPUT -d 10.4.0.0/16 -p udp -o tun+ --dport 53 -j ACCEPT

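A second added example, not the poster's code: a shell lint that reads a saved filter dump laid out like the one above and reports the three things this thread keeps running into. It checks that the OUTPUT policy is DROP (without it the ACCEPT whitelist restricts nothing), that the tunnel interface itself is allowed out, and it lists every port-53 ACCEPT that is not pinned to tun+, because such a rule lets queries leave on the physical interface where the local network can see the resolver and the names asked for, and it keeps working after the VPN drops. The SAMPLE ruleset is a condensed, constructed copy of the post's layout with 203.0.113.10 standing in for an entry address; NO_POLICY and CLEAN are constructed counter-examples.

```shell
#!/bin/sh
# Lint an iptables-save style *filter dump for a VPN whitelist (added example).
# Findings are written to stderr; the number of findings is printed on stdout.

lint_ruleset() {
    findings=0
    policy_drop=0
    tun_accept=0
    while read -r line; do
        case "$line" in
            ":OUTPUT DROP"*)
                policy_drop=1 ;;
            "-A OUTPUT -o tun+ -j ACCEPT")
                tun_accept=1 ;;
            "-A OUTPUT "*"--dport 53"*"-j ACCEPT"*)
                # A DNS ACCEPT that is not pinned to the tunnel leaves on the physical
                # interface, whether or not the VPN is up.
                case "$line" in
                    *"-o tun+"*) ;;
                    *)  case "$line" in
                            *" -d "*) dst=${line#*" -d "}; dst=${dst%% *} ;;
                            *)        dst=any ;;
                        esac
                        echo "leak: DNS to $dst permitted outside the tunnel: $line" >&2
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done <<EOF
$1
EOF
    if [ "$policy_drop" -ne 1 ]; then
        echo "policy: OUTPUT policy is not DROP, so the ACCEPT whitelist restricts nothing" >&2
        findings=$((findings + 1))
    fi
    if [ "$tun_accept" -ne 1 ]; then
        echo "tunnel: no '-A OUTPUT -o tun+ -j ACCEPT', traffic through the VPN itself is dropped" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample in the layout of the post above (203.0.113.10 = placeholder entry IP)
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -s 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 208.67.222.222 -p udp -o wlan+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.222.222 -p udp -o tun+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220 -p udp -o wlan+ --dport 53 -j ACCEPT
-A OUTPUT -d 208.67.220.220 -p udp -o tun+ --dport 53 -j ACCEPT
-A OUTPUT -o wlan+ -d 203.0.113.10/32 -j ACCEPT
COMMIT'

# Constructed counter-examples: a ruleset with an ACCEPT policy and no tunnel rule,
# and one that only resolves through the VPN-side DNS range.
NO_POLICY=':OUTPUT ACCEPT [0:0]
-A OUTPUT -o wlan+ -d 203.0.113.10/32 -j ACCEPT'

CLEAN=':OUTPUT DROP [0:0]
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d 10.4.0.0/16 -p udp -o tun+ --dport 53 -j ACCEPT'

echo "findings in SAMPLE: $(lint_ruleset "$SAMPLE")"
```

On the sample this reports the two OpenDNS rules on wlan+ and nothing else; that is the trade-off the post describes (pre-connection lookups for sites kept outside the tunnel) made visible, so it can be a deliberate choice rather than an accident.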

Hey Guise.
 
For several weeks, I have been working on an app/script that will kill my Bittorrent client upon disconnection from AirVPN. I thought I would share it with all of you because it seems to be working pretty well.
 

Unlike complicated iptables (I tried but I just couldn't wrap my head around it.), my script pings AirVPN's DNS server and does a secondary check for IP address changes if the ping is unresponsive.


I converted the script to an executable Mac application via Platypus for aesthetics, but you can run it in a Terminal window if you don't mind having Terminal open. Unfortunately, this is only my 2nd post in the AirVPN forums so I can't attach my app to this post, so you will have to convert the script via Platypus yourself.
 
Obviously, my script can be improved on and I welcome the feedback. I am a hobbyist and in no way am I a software developer. Also I do not assume any risk for the script causing you leaks. That being said, the script has worked well for me and saved me from leaks using the 8 second delay between checks. You can adjust the frequency and other variables if you like.
 
#!/bin/bash

# Get the public IP by digging OpenDNS (dig uses the last @server given)
get_public_ip() {
    dig +short myip.opendns.com @208.67.222.222 @208.67.220.220 2>/dev/null | head -n 1
}

# Log used to check for IP changes
IPLOG=./ip.log
touch "$IPLOG"

# A log for logging IPs - mostly used for the GeekTool component
TORLOG=./tor.log
touch "$TORLOG"

# How many seconds between VPN connectivity checks
DELAY=8

# Name of your BitTorrent client
BITTORRENT_APP=uTorrent

# Record the public IP seen at startup (VPN assumed connected now); this is the
# baseline that later checks compare against, so it must be taken before the loop
OLD_IP=$(get_public_ip)
echo "$OLD_IP" > "$IPLOG"

while true; do

    # Ping AirVPN's DNS server to see if VPN is connected
    if ping -c 1 10.5.0.1 > /dev/null 2>&1; then

        # DNS server is pingable, IP and status are logged
        echo "$OLD_IP" | tee -a "$TORLOG"
        echo "AirVPN Connected" | tee -a "$TORLOG"

    else

        # If ping does not respond, re-query the public IP and check for a change
        echo "Verifying..." | tee -a "$TORLOG"
        NEW_IP=$(get_public_ip)
        echo "$NEW_IP" > "$IPLOG"

        # If your IP has changed (an empty answer also counts as a change, so the
        # client is still killed when no lookup is possible at all)
        if [ "$NEW_IP" != "$OLD_IP" ]; then

            # Kill your BitTorrent client
            killall "$BITTORRENT_APP"

            # Log new IP and status
            echo "$NEW_IP" | tee -a "$TORLOG"
            echo "AirVPN Disconnected!" | tee -a "$TORLOG"

            # Play a sound
            afplay ./dingding.mp3

            # Exit the script / Quit Application (TorWatch is the Platypus app name)
            killall TorWatch
            exit
        fi
    fi

    # Wait until the next check if VPN is connected
    sleep "$DELAY"
done


Good day,

 

You all can talk over my head in a heartbeat, but I have to try and learn this. I am using XP Pro. I am looking into being very private, and after some reading I am thinking about "what if the VPN disconnects". I would love a simple way to set it up so that if I am disconnected, that very instant all traffic is stopped / open windows closed when the VPN disconnects on its own, so no one can see what I was doing or looking at etc., with my computer waiting for me to tell it to reconnect to the VPN or continue without the VPN. Is this possible?



 

One way is described here:

 

https://airvpn.org/topic/9787-the-pros-and-the-cons/?p=11501

 

If all you want is to block traffic when the VPN drops, you can have a one line .bat file to remove the default gateway, as described in the second half of that post, which you run after starting the VPN and before you start the torrent client.


 

<snip>

<snip>
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP  # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
<snip>

Kind regards

 

I made these rules, but when I look at them with the iptables -L command, it shows d.a.c.b as the DNS name of the AirVPN entry address. Is this normal? Does the iptables -L command just look up the DNS name from the IP in the rules, or is the rule by DNS name now?

 

iptables -L output:

 

DROP       all  --  anywhere            !dns.name-of-entry-ip.com


Complicated...

 

I am trying to do something similar but I could use some help.

 

I travel a lot, and have to use many open wifi networks as a result. What I would like to do (ideally in Little Snitch, but I could use IceFloor instead) is to:

 

1) Restrict access on any WiFi network except those I declare as 'safe' ONLY to:

a) The local network (to be able to navigate to html pages to input passwords and userids)

b) AirVPN addresses to connect to the VPNs in European countries (depending upon where I'm travelling, using the AirVPN Mac client)

 

From the above I cannot figure out how to do this, as all the references to the local network appear to be specific address ranges, and of course I cannot predict what local network address ranges any given wifi network will use.


hi!

 

Today I installed OS X Mavericks.

 

This is my pf.conf:

block drop out inet from 192.168.0.0/16 to any
block drop out inet from 10.2.0.0/16 to any
block drop out inet from 172.16.0.0/16 to any
# Vpn
pass out quick inet from 192.168.0.0/16 to { ip } flags S/SA keep state
pass out quick inet from 10.2.0.0/16 to { ip } flags S/SA keep state
pass out quick inet from 172.16.0.0/16 to { ip } flags S/SA keep state
# Local network
pass out quick inet from 192.168.0.0/16 to 192.168.0.0/16 flags S/SA keep state
# Allow all on lo0
pass out quick inet from 127.0.0.1 to any flags S/SA keep state
# Everything tunneled
#pass out quick inet from 10.10.0.0/24 to any flags S/SA keep state

By the way, does it have errors? (I do not know what the last line does.)

 

Then I executed the command

MacBook-Air-admin:~ admin$ sudo pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
 

and

MacBook-Air-admin:~ admin$ sudo pfctl -f /etc/pf.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
 

What is the problem? pfctl: Use of -f option, could result in flushing of rules present in the main ruleset added by the system at startup. See /etc/pf.conf for further details.

 

And I still have a problem: after restarting, the firewall does not work; I have to re-enter the two commands (sudo pfctl -e, sudo pfctl -f /etc/pf.conf).

On OS X Mountain Lion it was the same, but on OS X Lion everything worked well: after a reboot it was not required to enter the commands.


Any way to do this with Agnitum Outpost? Bought it years ago and wouldn't want to change to Comodo. It seems that even though it might be able to allow the AirVPN IP range, it's not possible to block others. And if you block all for an application, you cannot allow some IPs.


I've been able to deny all connections to external networks unless my OpenVPN connection is active using pf.conf.

Into /etc/pf.conf, at the end, I add:

#
# Allow connection via Viscosity only
#
wifi=en1 #change this to en0 on MacBook Airs and other Macs without ethernet ports
vpn=tun0
vpn2=tap0

block all

set skip on lo # allow local traffic

pass on p2p0 #allow AirDrop
pass on p2p1 #allow AirDrop
pass on p2p2 #allow AirDrop
pass quick proto tcp to any port 631 #allow AirPrint

pass on $wifi proto udp # allow only UDP packets over unprotected Wi-Fi
pass on $vpn # allow everything else through the VPN (tun interface)
pass on $vpn2 # allow everything else through the VPN (tap interface)

Then I enable the packet filter service with sudo pfctl -e and load the new rules with sudo pfctl -f /etc/pf.conf.

Works great, BUT I can't connect to the internet via VPN; I have no connection to the internet at all. My OS: Mac OS X 10.9.4

P.S. I think that the problem is in the last 2 lines:

pass on $vpn # allow everything else through the VPN (tun interface)
pass on $vpn2 # allow everything else through the VPN (tap interface)

Who can help me with that?

 

 

Because of "pass on $wifi proto udp # allow only UDP packets over unprotected Wi-Fi" it works great; the clock updates the time automatically.


 

This thread is huge and mind boggling.

 

I have AirVPN,

Utorrent Version 1.8.1 (28758)

Mac OS X Lion 10.7.5 (11G63)

 

Is there a tutorial for adding these rules so traffic will be blocked if VPN drops?

 

Sorry if it's already here…

 

Thanks

 

Hello!

 

You can use pf which is included by default in Mac OS X 10.7.x. Thanks to jessez the guide is available here:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=36&Itemid=142#2532

Ummm, I don't see how that answers the question. It seems to assume you're using a desktop machine, and not a laptop.

 

I am on Mac OS X 10.9. If I use icefloor, because of my security setup (normal user is non-admin), my laptop will not sleep, and it is really dreary to have to shut down and restart every time I have to take my laptop somewhere else.

 

Like many people using a laptop, I'm routinely on wifi networks, some of which require something be done in a web browser in order to gain Internet access, some of which only require a WPA/WPA2 key, some of which require both.

 

What's really needed is a simple, straightforward series of commands that will allow people with Macs to use a laptop on many different WiFi networks that blocks non-LAN traffic unless the firewall is up.

 

If anyone can point me to a specific set of commands that will implement this, I'd really be grateful; I'm reasonably technical but reading through many pages of instructions, for mixed Mac, and PC uses, isn't really helpful; this thread is, frankly, a bit out of control. IMO.

 

It is great that many people are helping many other people but I suspect I am not alone wanting to be able to do this very simply, without reading pages and pages of variations on scripts. If after more than an hour spent reading various forum posts I have somehow missed finding the answer and it was here all the time, I'd love a reference to a specific, single, message where the answer lies - otherwise, candidly, AirVPN staff should create one. Again, IMO.


I am on Mac OS X 10.9. If I use icefloor, because of my security setup (normal user is non-admin), my laptop will not sleep, and it is really dreary to have to shut down and restart every time I have to take my laptop somewhere else.

 

[...]

What's really needed is a simple, straightforward series of commands that will allow people with Macs to use a laptop on many different WiFi networks that blocks non-LAN traffic unless the firewall is up.

 

If anyone can point me to a specific set of commands that will implement this, I'd really be grateful; I'm reasonably technical but reading through many pages of instructions, for mixed Mac, and PC uses, isn't really helpful; this thread is, frankly, a bit out of control. IMO.

 

It is great that many people are helping many other people but I suspect I am not alone wanting to be able to do this very simply, without reading pages and pages of variations on scripts. If after more than an hour spent reading various forum posts I have somehow missed finding the answer and it was here all the time, I'd love a reference to a specific, single, message where the answer lies - otherwise, candidly, AirVPN staff should create one. Again, IMO.

 

 

Hello!

 

Activate the option "Network Lock" in our Eddie client for Mavericks and Yosemite. See also https://airvpn.org/topic/12175-network-lock

 

Feel free to tell us how Network Lock and Eddie work (in another thread) when you put your computer to sleep and then you wake it up: these situations need to be investigated (there are a lot of variables, for example you might put the computer to sleep in one network, and then wake it up in another network).

 

Kind regards


Hi,

I am using Norton Antivirus; can I set this up on there?

Can you direct me to the best process for this.

Thanks


Hello, I'm new with AirVPN. I have Win8 and downloaded the client. When I make the first connection I use the lock network option, and now I can't get the laptop connected to the Internet without using the AirVPN client.

 

How can I fix this?

 

Thanks.



 

Check your DNS addresses of the network adapter that you're using (WiFi or Ethernet) and if necessary change it to Google's DNS (8.8.8.8 and 8.8.4.4).


Sorry to necro this thread but... I had a quick and easy PF setup based on the rules posted on the first few pages, but apparently at some point it got replaced, so now it's back to default. I was wondering, is it sufficient to just copy what Eddie adds to the pf.conf when it's enabled to the regular pf.conf?

 

I finally noticed in the logs that when network lock was enabled, Eddie modifies PF, then sets it back to 'normal' again when it's turned off. While it was running I ran 'sudo pfctl -sr' which showed me the currently loaded ruleset. Then I opened up the temporary PF file that was located in ~/.airvpn and saw the actual pf.conf that the network lock is using. Can I just copy these into the regular /etc/pf.conf and get the same results if Eddie happens to crash or not load? The one I had before was fairly simple: it just blocked everything out, allowed local traffic on the 192 range, and allowed the 192 range to connect to the specific Air servers I had set up from my ethernet interface. But after reading more through this thread, and seeing what Eddie actually does to block traffic, I want to add all the exceptions for IPv6, DNS, etc. Basically just do exactly what Eddie does, so I know it's the securest it can be. If it ever happens to shut down, say while I'm asleep, I want to make sure something like qBitTorrent (which I have running pretty much 24/7) isn't going to be allowed to run free until I can wake up and restart Eddie.


so I know it's the securest it can be. If it ever happens to shut down, say while I'm asleep, I want to make sure something like qBitTorrent (which I have running pretty much 24/7) isn't going to be allowed to run free until I can wake up and restart Eddie.

Hello!

 

For that bit at least, you can go to qBittorrent's Tools/Preferences > Advanced > Bind to Tun0 interface. Then it won't do anything if Eddie goes down.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.


Well hell, that works! That's really my only concern if it goes down. Might as well take care of that instead!

 

EDIT: Holy crap that works!! I set it to uTun1 (that's what mine uses), restarted qBT, it started seeding something right away, I disconnected from Aquila and watched my upstream dwindle to nothing in Little Snitch hah. I have the network lock deactivated right now and am here editing this post, and qBT can't do a damn thing haha. Thanks LZ1! I've seen this mentioned on here elsewhere but figured it was something I'd probably screw up, but that was easy!

