sundi 8 Posted ... Hi, I have configured my synology NAS to connect to AirVPN. I have setup a script which checks for the VPN tunnel presence every 5 minutes. If VPN tunnel is not present the script will terminate the current stale session and recreate a new VPN connection. My router is configured to allow outgoing traffic from my NAS on VPN port 443 (UDP) only. Which means without VPN connection no port 443 will be opened and no outgoing/incoming traffic from/to my NAS. This setup was working fine till now. Recently I have started facing a weird issue. If for some reason the VPN is disconnected the script tries to reconnect but it fails to add route, though later it says "Initialization Sequence Completed" in the log file. After several tries it connects properly. I do not know the reason for multiple failures in connection. I am attaching my log file for more clarity. Also, once it connects properly it shows the following routing table. Kernel IP routing tableDestination Gateway Genmask Flags Metric Ref Use Iface0.0.0.0 10.4.0.1 128.0.0.0 UG 0 0 0 tun00.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth010.1.2.3 192.168.0.1 255.255.255.255 UGH 0 0 0 eth010.4.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0128.0.0.0 10.4.0.1 128.0.0.0 UG 0 0 0 tun0172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0195.154.194.18 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0 I want to know if this is the correct routing table or am I leaking some thing. I just want my NAS to send/receive all traffic through VPN only. An explanation of this routing table will also be very helpful as it has multiple gateways so I am not clear on this. I would really appreciate if you all can help me. VPN_Log.txt Quote Share this post Link to post
sundi 8 Posted ... I request anybody who can help me on this to help me as I am little bit worried to use VPN because of the possible leakage issue. Quote Share this post Link to post
go558a83nk 362 Posted ... have you opened a ticket with support since it seems nobody can help you here? Quote Share this post Link to post
zhang888 1066 Posted ... This is a correct configuration and routing table, but note that if the VPN will be disconnected you will have a "leak",unless you don't apply iptables rules that prevent traffic on eth0 when the VPN is off. See this thread for details:https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/ Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... have you opened a ticket with support since it seems nobody can help you here? Hi go558a83nk, Thanks for your reply. I actually opened a ticket with support, but was informed that Synology is not supported and I should check in forums. Hence I posted here. Quote Share this post Link to post
sundi 8 Posted ... This is a correct configuration and routing table, but note that if the VPN will be disconnected you will have a "leak",unless you don't apply iptables rules that prevent traffic on eth0 when the VPN is off. See this thread for details:https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/ Hi zhang888, Thanks a lot for your reply. It is a relief to know that this configuration and routing table is correct. I do need to understand it clearly though because of multiple gateway entries in the routing table.Regarding the leak, as I mentioned in my original post I have configured my router Netgear R7000 (on xvortex) to allow connections from my Synology to outside world only on UDP port 443 (AirVPN Port). If there is not VPN connection, that port wont be open and hence no outgoing/incoming connections from/to Synology.I would really appreciate if you can let me know if this router firewall/iptables config is correct or do you see any issue in the router configuration? I have already used tracker torrents on Synology which shows my AirVPN IP address only. So, I assume no real IP is leaked to the outside world. But again I could be completely incorrect.Is there some other way on how to check leaks on Synology? Quote Share this post Link to post
zhang888 1066 Posted ... A more complete solution would be setting the firewall on your router to allow connections on 443/udp only to the Air serveryou are connecting to, using your Synology. Otherwise all traffic to 443/udp will be potentially allowed. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... A more complete solution would be setting the firewall on your router to allow connections on 443/udp only to the Air serveryou are connecting to, using your Synology. Otherwise all traffic to 443/udp will be potentially allowed. Hi zhang888, I completely agree & understand your point but how to implement it on the router when I connect to random AirVPN servers?Do you suggest if I should create multiple entries in the router for all the AirVPN servers? Also, I have attached my client config file, if you can take a look and suggest me if any changes are required in it.Client_Config.txt Quote Share this post Link to post
zhang888 1066 Posted ... Your client config is fine.I made a list for you with all the current entry IPs of Air servers. The list was generated using the following steps, in case you wish to doit by yourself in a later stage: dig a earth.all.vpn.airdns.org > dig.txtawk -F "\t" '{print $4}' dig.txt > air.txt What you have to do next is adding them on your router's iptables, you canuse something like this: for IP in $(cat air.txt); do iptables -A INPUT -s $IP/32 -d 0/0 -j ACCEPT; donefor IP in $(cat air.txt); do iptables -A OUTPUT -s $IP/32 -d 0/0 -j ACCEPT; done This should read all the list from the file air.txt and add them to your iptables rules. 2 sundi and go558a83nk reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... Your client config is fine.I made a list for you with all the current entry IPs of Air servers. The list was generated using the following steps, in case you wish to doit by yourself in a later stage: dig a earth.all.vpn.airdns.org > dig.txtawk -F "\t" '{print $4}' dig.txt > air.txt What you have to do next is adding them on your router's iptables, you canuse something like this: for IP in $(cat air.txt); do iptables -A INPUT -s $IP/32 -d 0/0 -j ACCEPT; donefor IP in $(cat air.txt); do iptables -A OUTPUT -s $IP/32 -d 0/0 -j ACCEPT; done This should read all the list from the file air.txt and add them to your iptables rules. Hi zang888, Thanks a ton for this. I am really grateful to you.I will add these IP addresses in the router's IP tables access list. I have few more questions and would be thankful to you if you can share your thoughts on them:Why my VPN connection fails some time and gives "SIOCADDRT: Network is unreachable" as mentioned in my original post in the attached VPN_Log.txt file. Though after multiple retries it connects successfully? Why it fails and then connects after multiple retires with the same configuration. How can this be fixed? During unsuccessful connection it does show as connected on the AirVPN site as well as Synology but routing table entries on Synology are not complete (few entries are missing because of above mentioned errors) during this connection. What will be the result during this incorrect connection? Will it leak my IP address to the outside world? What can possibly go wrong if I try to download something (using torrents, etc.) during this incorrect connection (when it shows connection is there and port is opened on the router but routing table is not complete on Synology)? Waiting for your valuable advice.Soon I will prepare a complete document on my setup so that other Synology users can also benefit from it. Quote Share this post Link to post
zhang888 1066 Posted ... I am not sure how the OpenVPN client on Synology behaves, and what is the Kernel/TCP network stack used there,but in the majority of Linux distributions, which Synology is based on (probably Vanilla kernel with own patches),the SIOCADDRT errors usually happen when the OS cannot find the routes for a command issued by the user.In other words, if you have some routing conflict, your router has not assigned Synology the proper IP, or faultyiptables rules, you might get SIOCADDRT errors.This error has nothing to do with the VPN connection, since it usually means that your gateway is not ready.You might want to check the connectivity between your router and your Synology first. I cannot really reproduce it since I don't own such device, and they don't offer virtual images of it, so the suggestionsprovided are only based on generic Linux issues. Hopefully they will apply to your case as well. Since Synology is a closed source device and the OpenVPN support on it is not well documented, you should betterset the rules for it on your Linux router (Netgear) which has more predictable behavior.This is why, when you apply the above mentioned "Network Lock" rules on your router, controlling traffic originating fromyour Synology, you should not be worried about any potential leaks. Assuming you configured everything on the router,any leak that could happen due to poor documentation and support from Synology's side would be prevented by the router. 1 sundi reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... Hi zhang888, Thanks a lot for your input.I agree that router's firewall should prevent all the issues which Synology can cause because of it's closed system and unclear documentation. Synology has been assigned a static IP address (with DHCP reservation in the router) and this error can randomly occur any time if VPN connection drops or I try to reconnect for any reason. This error can occur sometime twice/thrice or sometimes not even once during reconnection (completely random with no pattern). During that time (when VPN connection drops and this error is thrown) Synology is completely and normally accessible from LAN without any issues. I have never seen any IP assignment / network related issue in Synology and router. Could it be possible that it has something to do with DNS servers as I am using opennic DNS servers in my Synology? My router only allows filter table either based on Black list or White list. I dont think it will be possible to add all AirVPN servers in the white list as enabling white list means only allow devices and ports in the white list. Creating a white list will be too difficult as I have so many devices in my network and adding entries for them with each allowed ports is not possible. On the other hand black list means block access to the devices and ports in the black list.I have attached a screenshot of my router to show current config of black list table. Here 192.168.0.100 is my Synology and black list table blocks everything on any destination from source (Synology) except TCP port 22 & UDP port 443. I know it means allow UDP port 443 on ANY destination (not only restricted to AirVPN servers). But given all the options I have, do you think it is fine?TCP port 22 is for SSH access to Synology from outside. Quote Share this post Link to post
zhang888 1066 Posted ... What I don't understand is why you don't use an open firmware on your router (OpenWRT/DD-WRT)and make this process much more easy. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... What I don't understand is why you don't use an open firmware on your router (OpenWRT/DD-WRT)and make this process much more easy.Hi zhang888, The current router firmware is a Asus-Merlin fork by xvortex and it is stable and working wonderfully (performance wise as well as features wise).I have been using it from last 2 years and it never gave me any chance of any complaints. Do you think changing the router's firmware to openWRT/DD-wrt is absolutely required in order to fix this issue?If there is no fix or workaround to fix this issue then I will try the other firmware.Please suggest. Quote Share this post Link to post
zhang888 1066 Posted ... As far as I know the Merlin firmware should provide a raw access to the iptables management.This is why you should have an easy way to configure the steps I mentioned above, without the GUI. Please update on how this is going on, the easiest way to achieve the setup you are possibly looking forwardwould be using SSH, and adding the above mentioned addresses in your iptables whitelist. 1 sundi reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... As far as I know the Merlin firmware should provide a raw access to the iptables management.This is why you should have an easy way to configure the steps I mentioned above, without the GUI. Please update on how this is going on, the easiest way to achieve the setup you are possibly looking forwardwould be using SSH, and adding the above mentioned addresses in your iptables whitelist.Hi zhang888, I do have ssh access to the router. Actually I did add two entries for the first IP address in the air.txt file, then executed iptables-save and then nvram commit on the router. Though iptables --list was showing those two entries, but it was not showing those two entries anywhere in the GUI so I was not sure if they will survive the reboot of the router or not. Also was not sure what to do with current black list for UDP port 443. Also the entry:for IP in $(cat air.txt); do iptables -A OUTPUT -s $IP/32 -d 0/0 -j ACCEPT; doneDoesn’t this mean allow any outgoing connections from AirVPN server to any destination? shouldn’t it befor IP in $(cat air.txt); do iptables -A OUTPUT -s <Synology IP>/32 -d $IP/32 -j ACCEPT; doneAren’t we allowing outgoing connection only from Synology to AirVPN servers. Quote Share this post Link to post
zhang888 1066 Posted ... Running the command:iptables -L -n should be your best way to know. I don't know anything about surviving reboots on Merlin, but as a generic Linux forkit should be easy to understand how to add these commands to your /etc/rc.local,or doing some workarounds like: iptables-save > /etc/iptables.conf And adding a line like: pre-up iptables-restore < /etc/iptables.conf in your/etc/network/interfaces might be the best option. But again, I never had Merlin, so your mileage may vary. 1 sundi reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... Hi zhang888, Thanks for your valuable suggestions. I will implement them Also the entry:for IP in $(cat air.txt); do iptables -A OUTPUT -s $IP/32 -d 0/0 -j ACCEPT; doneDoesn’t this mean allow any outgoing connections from AirVPN server to any destination? shouldn’t it befor IP in $(cat air.txt); do iptables -A OUTPUT -s <Synology IP>/32 -d $IP/32 -j ACCEPT; doneAren’t we allowing outgoing connection only from Synology to AirVPN servers? Quote Share this post Link to post
zhang888 1066 Posted ... You should allow both incoming and outgoing connections to the Air VPN servers Unless you wish to send/receive traffic in only one direction, which will result in a very unusual experience 1 sundi reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... You should allow both incoming and outgoing connections to the Air VPN servers Unless you wish to send/receive traffic in only one direction, which will result in a very unusual experience hi zhang888, Sorry for asking this again and please forgive me for my ignorance. For example commands for a single AirVPN server like:iptables -A INPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPTMeans allow incoming from source (AirVPN server) to any destination. It allows incoming connections from AirVPN server. This one looks fine to me.iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPTMeans allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router? shouldn’t it beiptables -A OUTPUT -s <Synology IP>/32 -d 150.129.41.193/32 -j ACCEPT Also, I don’t understand how these two entries will stop outgoing connection to any destination from my Synology except for AirVPN servers as these entries are only allowing and not rejecting anything from Synology. Quote Share this post Link to post
zhang888 1066 Posted ... These entries are only about allowing certain traffic thru your firewall.The assumption is that you have a general "cleanup" rule at the end, which willblock all traffic that does not match the above rules.In iptables, the rules are parsed in hierarchical level, from top to bottom, so you haveto first append (-A) the rules you want to allow, then to prepent, or Insert (-I) the rulesyou want to add that are not matching anything above. So you should basically have something like:iptables -I INPUT -s IP -j DROPiptables -I OUTPUT -s IP -j DROP in the bottom of your router rules, where "IP" is the address of your Synology device. Since the above (-A) rules will match some packets, like the outgoing Air servers,they will be allowed, while other packets, like leaks, will not match any of the aboveand then be dropped by the final -I rules. 1 sundi reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... These entries are only about allowing certain traffic thru your firewall.The assumption is that you have a general "cleanup" rule at the end, which willblock all traffic that does not match the above rules.In iptables, the rules are parsed in hierarchical level, from top to bottom, so you haveto first append (-A) the rules you want to allow, then to prepent, or Insert (-I) the rulesyou want to add that are not matching anything above. So you should basically have something like:iptables -I INPUT -s IP -j DROPiptables -I OUTPUT -s IP -j DROP in the bottom of your router rules, where "IP" is the address of your Synology device. Since the above (-A) rules will match some packets, like the outgoing Air servers,they will be allowed, while other packets, like leaks, will not match any of the aboveand then be dropped by the final -I rules. Hi zang888, Thanks a lot for clarifying my doubts. I will apply these rules and will see how it goes.Thanks a lot. Really appreciate your help. Also, I assume you have gone through my query:iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPTMeans allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router? Quote Share this post Link to post
zhang888 1066 Posted ... Also, I assume you have gone through my query:iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPTMeans allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router? This was an obvious typo from my side, ofcourse it should be -d and not -s.I copied the first line to the second to make an example and overlooked this completely.Good that you were actually reading the rules and making corrections! 1 sundi reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
sundi 8 Posted ... Also, I assume you have gone through my query:iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPTMeans allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router? This was an obvious typo from my side, ofcourse it should be -d and not -s.I copied the first line to the second to make an example and overlooked this completely.Good that you were actually reading the rules and making corrections! Hi zhang888, Thanks a lot for helping me out.I am really very grateful to you for this. Soon, I will prepare a document for the setup like me so that others can benefit. 1 SolidSnake007 reacted to this Quote Share this post Link to post