swmpgs Posted ...

Hello, I have a question that maybe someone more knowledgeable can answer.

I have a computer at home that runs the airvpn client, and a remote computer. I want to be able to connect from either computer to the other one with ssh. Without the airvpn client, everything works (obviously).

If I run airvpn without network lock, I can ssh from home to remote (it goes via the AirVPN server) but not from remote to home. I tried to start airvpn with the parameter "routes.custom=my.remote.ip.addr,255.255.255.255,out", but it didn't help: the required route was not added to the routing table. However, that problem was easily solved. I added the route separately with

    route add -host my.remote.ip.address gw 192.168.1.1

and all was well: ssh works from home to remote and from remote to home, bypassing AirVPN as I want it to do.

Now, I enable network lock. This time I need to add the "allowed IP" parameter to be able to ssh from home to remote:

    ./airvpn -cli -connect -netlock -login=**** password=**** netlock.allowed_ips=my.remote.ip.addr

But ssh from remote to home is blocked by the firewall. I can't find any airvpn parameter that can be used to create custom firewall rules. So I ended up adding the required rule myself.
Before:

    # iptables -L -v --line-numbers
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target  prot opt in    out  source           destination
    1      177 16717 ACCEPT  all  --  lo    any  anywhere         anywhere
    2        0     0 ACCEPT  all  --  any   any  255.255.255.255  anywhere
    3       93  8963 ACCEPT  all  --  any   any  192.168.0.0/16   192.168.0.0/16
    4       26  4651 ACCEPT  all  --  any   any  10.0.0.0/8       10.0.0.0/8
    5        0     0 ACCEPT  all  --  any   any  172.16.0.0/12    172.16.0.0/12
    6        0     0 ACCEPT  icmp --  any   any  anywhere         anywhere         icmp echo-request
    7     1890  460K ACCEPT  all  --  any   any  anywhere         anywhere         state RELATED,ESTABLISHED
    8        0     0 ACCEPT  all  --  tun+  any  anywhere         anywhere
    9        6   502 DROP    all  --  any   any  anywhere         anywhere

Add the rule:

    iptables -t filter -I INPUT 9 -i eth0 -p tcp -s my.remote.ip.addr --dport 22 -j ACCEPT

After:

    # iptables -L -v --line-numbers
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target  prot opt in    out  source             destination
    1      182 17197 ACCEPT  all  --  lo    any  anywhere           anywhere
    2        0     0 ACCEPT  all  --  any   any  255.255.255.255    anywhere
    3      107 10296 ACCEPT  all  --  any   any  192.168.0.0/16     192.168.0.0/16
    4       41  6945 ACCEPT  all  --  any   any  10.0.0.0/8         10.0.0.0/8
    5        0     0 ACCEPT  all  --  any   any  172.16.0.0/12      172.16.0.0/12
    6        0     0 ACCEPT  icmp --  any   any  anywhere           anywhere         icmp echo-request
    7     1981  480K ACCEPT  all  --  any   any  anywhere           anywhere         state RELATED,ESTABLISHED
    8        0     0 ACCEPT  all  --  tun+  any  anywhere           anywhere
    9        0     0 ACCEPT  tcp  --  eth0  any  my.remote.ip.addr  anywhere         tcp dpt:22
    10       6   502 DROP    all  --  any   any  anywhere           anywhere

Now everything works again, but the question remains: what is the best way to achieve that? In the worst-case scenario, I can just start airvpn in the background, wait a minute or so and then run iptables with my additional rule. But that looks ugly. Can anyone think of a better way? Maybe some "event.session..." or "event.vpn..." parameter will do the trick?

Thanks for any help.
Staff Posted ...

Hello!

Please insert your script (with all necessary iptables commands) as the event at "VPN Pre" or "VPN Up". Similarly, set another script (if required) at "VPN Down" or at "App End". Don't execute the script at "App Start", because Network Lock is activated after that event.

Kind regards
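An added example (not AirVPN's own code, and not from either post) of one script that can serve both the "VPN Up" and "VPN Down" events the staff reply recommends. It assumes the event runner invokes it with an `up` or `down` argument, that the remote host and LAN interface are the placeholders REMOTE_IP and LAN_IF, and that the network-lock INPUT chain ends in a catch-all DROP as in the listing above; it inserts the SSH ACCEPT just before that DROP, never duplicates it, and removes it again on the down event.

```shell
#!/bin/sh
# Hypothetical AirVPN event script (added example): "VPN Up" calls it with
# the argument "up", "VPN Down" with "down". Placeholders below are assumed.
REMOTE_IP="${REMOTE_IP:-203.0.113.10}"   # placeholder for my.remote.ip.addr
LAN_IF="${LAN_IF:-eth0}"                 # physical interface, not the tun

# Only SSH, only from that one host, only on the LAN interface. Kept as a
# word-split string so the same spec feeds -C, -I, -A and -D unchanged.
RULE="-i $LAN_IF -p tcp -s $REMOTE_IP --dport 22 -j ACCEPT"

# Read `iptables -L INPUT -n --line-numbers` (with or without -v) on stdin
# and print the rule number of the last DROP rule, or 0 if there is none.
# Only numbered rule lines count, so a "policy DROP" header is ignored.
last_drop_num() {
    awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i == "DROP") n = $1 }
         END { print n + 0 }'
}

# iptables -C exits 0 when an identical rule already exists in the chain.
rule_present() { iptables -C INPUT $RULE 2>/dev/null; }

vpn_up() {
    rule_present && return 0                 # idempotent: never add twice
    pos=$(iptables -L INPUT -n --line-numbers | last_drop_num)
    if [ "$pos" -gt 0 ]; then
        iptables -I INPUT "$pos" $RULE       # sits just above the final DROP
    else
        iptables -A INPUT $RULE              # no catch-all DROP yet: append
    fi
}

vpn_down() {
    while rule_present; do iptables -D INPUT $RULE; done   # remove every copy
}

# Constructed sample listing, modelled on the post's "Before" output, for
# checking last_drop_num without touching a live firewall.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target  prot opt source      destination
1    ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0
7    ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
8    ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0
9    DROP    all  --  0.0.0.0/0   0.0.0.0/0'

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
    *)    : ;;      # no argument: only define the functions
esac
```

Run as root from the event hook; with no argument it changes nothing, which makes it safe to source for testing.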