JJNF_83585

Blocking all non-VPN traffic (Windows)


If you try to connect through the AirVPN client with that rule, you will get a "The remote name could not be resolved: 'airvpn.org'" error. One of the solutions I found was to disable the global rule (easy way: Edit -> Action: Allow. Destination address: uncheck Exclude) and connect to AirVPN before activating it again. Alternatively, if you do not want to go through the hassle of enabling and disabling the rule every time you disconnect from and reconnect to AirVPN, you can connect through OpenVPN instead of the AirVPN client (https://airvpn.org/windows/, scroll down to "Access without AirVPN client").

For connecting to AirVPN with the AirVPN client, I've tried excluding airvpn.org's IP address in the rule, but I was still getting the same error. Is there a way to log into the client without having to disable the global rule? Also, is there a difference between blocking IP and blocking TCP&UDP/ICMP?

Hello!

The AirVPN client for Windows needs to resolve the airvpn.org name in order to download the certificates and key via an encrypted connection and then launch OpenVPN, so the quickest workaround is adding the following line to your hosts file:

46.105.19.36 airvpn.org

In this way airvpn.org will be resolved without the need for a DNS query outside the tunnel, which is correctly blocked by your rules when you are not connected to an Air server. You will still have to authorize packets from and to 46.105.19.36 in the firewall.

Of course if we change the IP address of our frontend you will have to update your hosts file.

Kind regards

I don't get the part where I have to add the line "46.105.19.36 airvpn.org" to my hosts file.

How do I do that, and where exactly should I add this line?

Because after I set the rules I get the same "The remote name could not be resolved" message.

I'm a bit of a noob in this area.


Hello!

The hosts file is located in

%systemroot%\system32\drivers\etc\

where %systemroot% is usually C:\Windows, so the path would be

C:\Windows\system32\drivers\etc\

The information about airvpn.org resolution is outdated, please add the following lines:

85.17.207.151 airvpn.org

212.117.180.25 airvpn.org

In order to do so, run a text editor (for example Notepad) with administrator privileges, load the hosts file, modify it and save it. The file name is "hosts", with no extension, so make sure that in the text editor's file dialog you choose to display "All files"; otherwise you will not be able to see "hosts".

The updated and re-organized guide is linked in the announcements section of the forum:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

Kind regards


I'm still getting the error message.

I did the following using Comodo:

Action: Allow
Protocol: IP
Direction: In/Out
Source Address: Any
Destination Address: IPv4 Single Address - 46.105.19.36

Action: Block
Protocol: IP
Direction: In/Out
Source Address: Network Zone - (your WiFi/Ethernet zone)
Destination Address: Exclude - IPv4 Single Address - entry address of the server (in this case it is Sirius)

...then I inserted the lines 85.17.207.151 airvpn.org and 212.117.180.25 airvpn.org in the hosts file.

So, once opened, the hosts file looks like this:

[attached screenshot of the hosts file]

Did I insert the lines incorrectly?


Did I insert the lines incorrectly?

Hello!

Yes, there's a pound symbol '#' at the beginning of the relevant lines. That symbol, put at the beginning of a line in hosts, tells the system that the line is a comment. The line will therefore not be evaluated. Please remove the # at the beginning of the lines for airvpn.org resolution.

Kind regards
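As an added example (not code from the thread or from AirVPN), the following PowerShell function reads a hosts file and reports whether a name is mapped on an active line or only on a line disabled by a leading '#', which is the mistake in the screenshot above. It assumes the standard Windows hosts path; the sample content at the bottom is constructed for illustration.

```powershell
# Added example (not from the thread or AirVPN): report how a hosts file treats a name.
# A line that starts with '#' is a comment and is ignored by the resolver, which is
# exactly why the commented-out airvpn.org lines above did not work.
function Test-HostsEntry {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"   # standard Windows path
    )
    $active    = @()   # IPs on lines the resolver will actually use
    $commented = @()   # IPs on lines disabled by a leading '#'
    foreach ($raw in (Get-Content -LiteralPath $HostsPath)) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        $isComment = $line.StartsWith('#')
        # Drop the leading '#', cut any trailing inline comment, then split on whitespace.
        $body   = ($line.TrimStart('#') -split '#', 2)[0].Trim()
        $tokens = $body -split '\s+'
        if ($tokens.Count -lt 2) { continue }   # not an "<ip> <name> ..." line
        $ip    = $tokens[0]
        $names = $tokens[1..($tokens.Count - 1)]
        if ($names -contains $HostName) {       # -contains is case-insensitive, like DNS names
            if ($isComment) { $commented += $ip } else { $active += $ip }
        }
    }
    [pscustomobject]@{
        HostName        = $HostName
        ActiveIPs       = $active
        CommentedOutIPs = $commented
        Resolves        = ($active.Count -gt 0)
    }
}

# Constructed sample reproducing the screenshot's mistake: both frontend lines
# from the thread pasted with a '#' in front of them.
$sample = @"
# 85.17.207.151 airvpn.org
# 212.117.180.25 airvpn.org
"@
$tmp = [System.IO.Path]::GetTempFileName()
Set-Content -LiteralPath $tmp -Value $sample
Test-HostsEntry -HostName 'airvpn.org' -HostsPath $tmp
Remove-Item -LiteralPath $tmp

# The same check against this machine's real hosts file.
Test-HostsEntry -HostName 'airvpn.org'
```

Reading the real hosts file does not need elevation, only editing it does; the function only reads.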


Now when I disconnect from the VPN it blocks my normal connection, but when I try to connect again to AirVPN it simply says "Unable to connect to the remote server".


Now when I disconnect from the VPN it blocks my normal connection, but when I try to connect again to AirVPN it simply says "Unable to connect to the remote server".

Hello!

You need to modify your Comodo rules with the correct IP addresses (to allow the Air client to communicate not only with the VPN server(s) you picked, but also with the frontends). Allow any communication from/to 85.17.207.151 and 212.117.180.25.

Kind regards


I have secured my virtual machine as follows, without Comodo, using only the Windows 7 firewall itself:

- turn on the firewall for the home network, blocking traffic in and out

- turn off the firewall for the public network

- set a rule in the home network to let OpenVPN pass through

That's all. Without an OpenVPN connection no software is allowed to pass. Is this now properly secured? I think yes, or is there any other suggestion?
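Added example, not the poster's own setup and not AirVPN's Network Lock: the policy described above (block everything, let only OpenVPN through) written for the built-in Windows Firewall with the NetSecurity cmdlets, which need Windows 8 / Server 2012 or later (Windows 7 only has netsh advfirewall). The OpenVPN path, the server port/protocol and the tunnel adapter alias are placeholders; the server and frontend addresses are the ones quoted in this thread.

```powershell
#Requires -RunAsAdministrator
# Added example: a Windows Firewall "kill switch". Nothing may leave the physical
# adapter except openvpn.exe talking to the VPN server (plus the AirVPN frontends
# the client needs), while traffic through the tunnel adapter is allowed.
param(
    [string]  $OpenVpnExe  = 'C:\Program Files\OpenVPN\bin\openvpn.exe',  # placeholder path
    [string]  $VpnServer   = '95.211.169.3',   # Castor's entry IP as quoted in the thread
    [int]     $VpnPort     = 443,              # placeholder: use the port from your .ovpn
    [string]  $Protocol    = 'UDP',            # placeholder: use the proto from your .ovpn
    [string]  $TunnelAlias = 'Ethernet 2',     # placeholder: alias of your TAP adapter
    [string[]]$Frontends   = @('85.17.207.151', '212.117.180.25')
)
$group = 'VPN kill switch'

# Remove only the rules this script created earlier, so re-running is idempotent.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Default-deny both directions on every profile. Windows' own enabled allow rules
# (e.g. Core Networking - DHCP) still apply; anything without an allow rule is dropped.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# Only openvpn.exe may reach the VPN server, and only on the configured port/protocol.
New-NetFirewallRule -Group $group -DisplayName 'Allow openvpn.exe to VPN server' `
    -Direction Outbound -Action Allow -Program $OpenVpnExe `
    -RemoteAddress $VpnServer -Protocol $Protocol -RemotePort $VpnPort | Out-Null

# The client fetches certificates/keys from the frontends before starting OpenVPN
# (staff reply above). Restricted here to HTTPS; widen if the client needs more.
New-NetFirewallRule -Group $group -DisplayName 'Allow AirVPN frontends (HTTPS)' `
    -Direction Outbound -Action Allow -RemoteAddress $Frontends `
    -Protocol TCP -RemotePort 443 | Out-Null

# Everything else is permitted only when it leaves through the tunnel adapter.
# Replies come back via stateful filtering, so no inbound allow rule is needed.
New-NetFirewallRule -Group $group -DisplayName 'Allow outbound via tunnel adapter' `
    -Direction Outbound -Action Allow -InterfaceAlias $TunnelAlias | Out-Null

# Show what was installed.
Get-NetFirewallRule -Group $group | Format-Table DisplayName, Direction, Action -AutoSize
```

Because DNS outside the tunnel is blocked, the .ovpn file must name the server by IP address rather than hostname (the same problem the hosts-file discussion above works around); adapter aliases can be listed with Get-NetAdapter.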


Hello,

I thought I would upload my screenshots of how I set up the Comodo Firewall following the "Windows & Comodo - Prevent leaks" guide found here:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

to the admin:

I would really appreciate it if the admin would go through this setup (see attachments) and let us know if this is OK.

I have no clue what the "Home#1" thing is and what it stands for. Any info is VERY welcome!

Also please note that the first 6 blocked Global Rules I did not set up myself; they were some defaults by Comodo and showed up after I check-marked some options in Comodo. I also have no clue what this is all about - ADMIN, can you help out again?

I really would like to see the info given by the ADMIN regarding the setup of the hosts file and where to find it added to "Windows & Comodo - Prevent leaks" under section 12):

"The hosts file is located in %systemroot%\system32\drivers\etc\

where %systemroot% is usually C:\Windows, so the path would be

C:\Windows\system32\drivers\etc\

In order to do so run a text editor (for example notepad) with administrator privileges and load the hosts file, modify and save it. The file name is "hosts", no extensions, therefore make sure that in the text editor file requester you choose to display "All files" otherwise you will not be able to see "hosts"."

Thanks for any comments.

This will help a lot for people like me, who are no computer experts!

I would also like to add that some AntiVirus programs protect the hosts file from any changes, like Avira AntiVir; a screenshot is attached.

My computer is connected to a router. Under the section "DNS" I can add a "Preferred DNS Server" and an "Alternate DNS Server". What should I put in? The same IP addresses as the ones I added to the hosts file?

Any feedback is welcome.


Well, I don't actually have problems with the setup.

I just wanted to share my setup, but I still have some questions.

But I have noticed that not all my attachments have been uploaded.

Is it not possible to upload more than one jpg file, or is the upload limited in MB?


Well, I don't actually have problems with the setup.

Hello!

Excellent!

I just wanted to share my setup, but I still have some questions.

But I have noticed that not all my attachments have been uploaded.

Is it not possible to upload more than one jpg file, or is the upload limited in MB?

You can upload 1 image per message, only jpg, jpeg, gif or png, maximum size 1 MB, maximum 1366x800 pixels. Alternatively you can upload one zip archive with as many files as you wish in any format and size, provided that the zipped archive is not larger than 1 MB.

Kind regards


 

But the Global Rules Method

airvpn.org/index.php?option=com_kunena&a...=3405&Itemid=142

*already* allows communication directly to Castor outside of the tunnel in "Rule 10":

Allow TCP or UDP In/Out From IP 95.211.169.3 To MAC Any Where Source Port Is Any And Destination Port Is Any

Allow TCP or UDP In/Out From MAC Any To IP 95.211.169.3 Where Source Port Is Any And Destination Port Is Any

Yes, but under normal circumstances, the ONLY application that communicates directly with the VPN server itself is openvpn.exe. No other application should be attempting to "talk" to Castor directly, regardless of the protocol.

You can confirm this by looking at your firewall's active connections. You should only see ONE direct connection taking place between your real network adapter (192.168.x.x) and the IP address of the VPN server (Castor). All other active connections (web browser, torrent client, etc.) should show ONLY the internal IP address assigned by the VPN (10.x.x.x) as their source IP address. Nothing else should be communicating on 192.168.x.x to the outside world besides openvpn.exe; no exceptions.

What prevents applications from trying to directly communicate with AirVPN servers if there is a rule that allows this to happen?
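The "look at your firewall's active connections" check from the post above, as an added PowerShell example (not code from the thread or from AirVPN): it lists sockets whose local end is the physical adapter's address and flags every owning process other than openvpn.exe. The LAN prefix and the process name are assumptions to adjust.

```powershell
# Added example (not from the thread or AirVPN): list sockets bound to the physical
# adapter's address and flag any owned by a process other than openvpn.exe, i.e.
# traffic that is not going through the tunnel.
# Assumptions: $LanPrefix is your real adapter's subnet (192.168.x.x in the post
# above); $VpnProcess is the process name without ".exe".
function Find-TunnelBypass {
    param(
        [string]$LanPrefix  = '192.168.',
        [string]$VpnProcess = 'openvpn'
    )
    # Established TCP connections whose local end is the physical adapter.
    $tcp = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -like "$LanPrefix*" } |
        ForEach-Object {
            [pscustomobject]@{
                Proto  = 'TCP'
                Local  = "$($_.LocalAddress):$($_.LocalPort)"
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid    = $_.OwningProcess
            }
        })
    # UDP has no connection state, so only the local binding is visible; a socket
    # bound to 0.0.0.0 (any address) does not match the prefix and is not listed.
    $udp = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -like "$LanPrefix*" } |
        ForEach-Object {
            [pscustomobject]@{
                Proto  = 'UDP'
                Local  = "$($_.LocalAddress):$($_.LocalPort)"
                Remote = '-'
                Pid    = $_.OwningProcess
            }
        })
    foreach ($sock in ($tcp + $udp)) {
        $proc = Get-Process -Id $sock.Pid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        [pscustomobject]@{
            Proto   = $sock.Proto
            Local   = $sock.Local
            Remote  = $sock.Remote
            Pid     = $sock.Pid
            Process = $name
            Bypass  = ($name -ne $VpnProcess)   # True = not openvpn on the LAN address
        }
    }
}

# Rows with Bypass = True are the ones to investigate: a process other than
# openvpn.exe holding a socket on the physical adapter's address.
Find-TunnelBypass | Sort-Object Bypass -Descending | Format-Table -AutoSize
```

Run it while the tunnel is up; the only expected row is openvpn.exe's own socket to the VPN server, everything else should be bound to the tunnel address (10.x.x.x) and therefore not appear.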


You all - all of the authors behind these posts - realize that they need to block ALL Internet traffic that doesn't pass through AirVPN.

But why is it so difficult?

Solutions that - that don't work! - aren't solutions. They're problems.

WHY IN THE WORLD can't a user - consider this - a user fires up a computer, turns on the WiFi, connects, types in the hotel's password, starts AirVPN.

And that should be it. Everything should go through AirVPN.

I've been reading these EIGHT PAGES. All - most - of the authors say 'type in these numbers' or 'THIS rule before THAT rule'. And there is fussing, disagreeing, misunderstandings. THIS IS TERRIBLE ENGINEERING. It should be simple, understandable, obvious. It should be simple, reliable, robust. It should be simple. AT MOST, one should 'click (in) a box'.

I get the impression - sorry, folks - that the writers are barely-patient technologists, sincere nit-pickers, staff struggling to answer politely (or being patient, but not usefully so). Angry hackers. People - such as myself - who are intelligent enough, but just don't understand/can't follow the high-end tech involved.

I know, I know - there are a lot of good people here. I don't mean to be personally critical.

But, PROFESSIONALLY - a solution that isn't robust, reliable, easy to implement - is not a 'solution'. It's a problem.

I see lots of problems here.

I don't see solutions that I can - I see 'solutions' that I can't trust, and/or can't implement.

COME ON, FOLKS! You're supposed to be smarter than I am - and I'm sure that you are! - but I see you 'talking the talk', and not 'walking the walk'.

1) AirVPN should be set up to BLOCK ALL TRAFFIC save through the VPN. Shouldn't even be a question.

2) All this chit-chat about Comodo - AirVPN shouldn't need anything other than ***AirVPN*** to do ***AirVPN's job***.

3) If Comodo is necessary - and I'm not techie enough to argue point #1/2 - then there should be some kind of an .EXE (XP, Vista, 7, 8) that sets up Comodo properly.

Shouldn't be so many issues regarding 'designing the wheel'. BTW, I'm not seeing 'wheels' here - I'm seeing triangles and rectangles and shapes that aren't obviously round.

Thanks for reading this.

Would appreciate reading the solution to this problem.

If it wasn't important, I'd not be researching this, nor writing about it.

Thanks.


2) All this chit-chat about Comodo - AirVPN shouldn't need anything other than ***AirVPN*** to do ***AirVPN's job***.

Hello,

first of all, if you just want the click-and-go solution, just use the Windows Firewall and click the "Network Lock" button on our Windows client Eddie, which is also free and open source. See here: https://airvpn.org/topic/12175-network-lock

Eddie implements Network Lock for OS X and Linux as well, of course.

These guides come from the community and we are very happy about them because they provide alternative, community-driven solutions, instead of the centralized solutions proposed by ourselves (which are available anyway).

We kindly ask you to get documentation before you write in our public forums. You will contribute to forum cleanness and readability and will avoid writing foolishness like the quoted sentence.

Kind regards


Thanks for reading this.

Would appreciate reading the solution to this problem.

If it wasn't important, I'd not be researching this, nor writing about it.

Thanks.

As mentioned by the staff, there's already a solution -> the Eddie client.

This thread is primarily for folks that use firewall software other than the Windows firewall, Comodo etc.


"We kindly ask you to get documentation before you write in our public forums. You will contribute to forum cleanness and readability and will avoid to write foolishness like the quoted sentence.  Kind regards"

 

==========

Eddie Client: Good, good. Then, the Eddie Client is felt to be sufficient, eh? The Eddie Client, and the Windows Firewall? Good, good.

'Course, I didn't mean to offend, not Staff, not Advanced Members, nor anyone else. Wanted help - had a problem, wanted help. From you folks. Appreciate, greatly, your taking the time to offer it.

But, regarding the abovementioned perception that I hadn't read 'documentation' - and the need for 'forum cleanness and readability', and the need to 'avoid writing foolishness' ... Tell you what. Let my posting stay for a couple of days - just to see if others have similar or different thoughts - and I'll check this webpage tomorrow, Monday, Tuesday.

AND THEN - with, I'd hope, no hard feelings - please feel free to DELETE my post(s).

Worth mentioning - not EVERYONE is as smart as you folks are. I'm not a techie, and I don't claim to know much about this. AirVPN's website is mighty intense. And so is this forum's webpage.

I do appreciate - now, and in the future - any help.

Kind Regards.


In response to previous emails, Staff informed me that my use of WXP was - if I/N security & privacy & such was important - pointless. I was strongly advised to move up to a more advanced system. FAILING THAT, I was to try Comodo.

Well, I've tried Comodo, and ... it's too much for me. Easy to install, sure. But these/those rules ... the numbers ... can't handle it.

So, back to Windows Firewall.

Received a copy of Vista Basic today. I'll install it, test it.

You see, 'Eddie' - mighty impressive software, Eddie! - Eddie's 'Network Lock' doesn't work in/with/under WXP. So, I'm replacing, with honors, my ten-year-old WXP system.

HERE'S MY CONCERN (I'd typed it previously): As soon as I access a WiFi connection, enter it, am permitted through it - I suspect that there are a lot of bits and pieces of software on my computer that automatically contact this or that site. Say, one's antivirus software - automatically connects to Mother Company for an update. Say, (many) downloaded freeware, the writers of which just want to know their software is being used. You know.

Now, I'm pleased to use Eddie - mighty impressive software, network! - but I'm not yet running it. AND THERE IS INTERNET TRAFFIC passing through prior to my activation/running of AirVPN. And I don't want that.

I've dialed in "No Exceptions" in the Windows Firewall.

I note - yes, I've looked at some of AirVPN's webpages, documentation - I see in the discussion of "Tor first or AirVPN first" that if Tor is activated first, then after the Eddie Client brings one into/onto the Internet, THERE IS SOME TRAFFIC THAT GOES AROUND EDDIE, because some software was STARTED before the Eddie Client was started.

Well, that makes sense; 'course it does.

But ... one need not invoke Tor for this sort of thing to happen ... I figure (and, perhaps I'm wrong, I'm not a techie) ... I figure that this sort of thing can happen, has happened, does happen and will happen.

Don't want that. Can't understand/handle all of these Comodo Rules, numbers. Do remember that I'm not as smart as you guys/gals are.

Look forward to reading your thoughts, because ...

... because this is important. Zero local start-up/running footprint, that's important.

WHAT I WANT IS to hook up to a WiFi ... and then, immediately after that, not be seen ... totally firewalled, running (sometimes) totally through AirVPN.

If this sort of thing isn't appropriate for this sort of forum - please, please DELETE it.

Kind Regards.


Now, I'm pleased to use Eddie - mighty impressive software, network! - but I'm not yet running it. AND THERE IS INTERNET TRAFFIC passing through prior to my activation/running of AirVPN. And I don't want that.

Hello!

In this case you can block all traffic to the Internet. When Network Lock is activated, only tunneled traffic is allowed. When Network Lock is inactive, no traffic is allowed at all.

Kind regards
