unammeka: I've seen the sticky threads and guides, but unfortunately, from what I can tell, the ones relevant to my question are all severely outdated and they have not worked when I tried them. I'm looking for a solution to only allow connections to and from AirVPN's servers, including DNS. My OS is Fedora 25 and I would like to avoid the AirVPN client. I'm assuming this would be done through iptables, where everything is blocked except for all the AirVPN server IPs and the AirVPN DNS server? Would this work? If so, what would these iptables rules look like, and where would I get the list of all those IPs? Also, how would I make these rules permanent even through reboots? Thanks a lot.
go558a83nk: Avoid the AirVPN client, Eddie, why? It would do what you want with a click of a button, using the same iptables you'll use anyway.
nick75: Hi, here you are: this is an iptables file, use it with "sudo iptables-restore < file.rules"

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# allow local traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# allow access to vpn server
-A INPUT -i <interface> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o <interface> -d <VPN_IP_address>/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# allow VPN traffic
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT

You'll have to add all the different <VPN_IP_address> entries to make it work. Also, you won't be able to use DNS to connect to a server, therefore use only IPs.
unammeka:
> Also, you won't be able to use DNS to connect to a server, therefore use only IPs.
Huh? It needs to use the AirVPN DNS server.
nick75:
> Also, you won't be able to use DNS to connect to a server, therefore use only IPs.
> Huh? It needs to use the AirVPN DNS server.
You'll be able to use the AirVPN DNS server once you're connected, but with these rules your local DNS server won't be reachable. Consequently you need the VPN IP addresses.
unammeka: Ok, that's good! So I'm assuming VPN_IP_address is the placeholder where I would just put all the AirVPN server IPs plus the AirVPN DNS server? Or do I need to put the desired DNS server separately somewhere? Would that work, and would it prevent any IP leaks outside of an AirVPN tunnel?
nick75: You only need to put the AirVPN server IP addresses, one address per line. Here's an example of a working iptables file (no need to add the DNS):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# allow local traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# allow access to vpn servers (Canis, NL and Auva, USA)
-A INPUT -i <interface> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o <interface> -d 213.152.161.218/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o <interface> -d 23.88.114.42/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# allow VPN traffic
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT

Also, <interface> is the LAN-facing interface, generally something like eth0 or enp3s0 (figures may vary).

NOTE: if you haven't already disabled IPv6, here is how.
unammeka: Thanks a lot, that's very helpful. Just checked, the interface is indeed called enp** on Fedora. Is there a site where the current AirVPN server IPs are listed? I don't need the IPs for every country, just the countries I am going to connect to. About DNS, I've heard that on Linux the DNS server is chosen by what's in the resolv.conf file? That one has a 192.168.. IP in it that I can't seem to get rid of; after every reboot it will be back. If I use your iptables rules, how will it know to use AirVPN's DNS and never fall back to my ISP's? Also, why don't I need to add the AirVPN DNS IP to the allowed IPs? Is DNS handled differently?
unammeka: Update: I may actually have found a much simpler way to accomplish this (only allow AirVPN connections, through iptables). If I turn on the Eddie client with Network Lock and then look at my current iptables rules (sudo iptables -S), wouldn't that already be the perfect configuration that I could use just like that, but without the client? If yes, how do I make these iptables rules permanent and have them load at boot time?
nick75:
> Thanks a lot, that's very helpful. Just checked, the interface is indeed called enp** on Fedora. Is there a site where the current AirVPN server IPs are listed? I don't need the IPs for every country, just the countries I am going to connect to.
Here's how to get a list: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/ (use dig for Linux).
> About DNS, I've heard that on Linux the DNS server is chosen by what's in the resolv.conf file? That one has a 192.168.. IP in it that I can't seem to get rid of; after every reboot it will be back. If I use your iptables rules, how will it know to use AirVPN's DNS and never fall back to my ISP's? Also, why don't I need to add the AirVPN DNS IP to the allowed IPs? Is DNS handled differently?
This behaviour is normal. OpenVPN will modify resolv.conf automatically.
> Also, how would I make these rules permanent even through reboots?
WARNING: Before proceeding, make sure the rules I gave you work, i.e. no connection when not connected to a VPN server and vice versa. Then in a terminal window, type these commands in (with sudo):

systemctl stop firewalld
systemctl mask firewalld
dnf install iptables-services
systemctl enable iptables
gedit /etc/sysconfig/iptables

Empty the file, copy/paste the rules I gave you, save and exit.

systemctl restart iptables
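As an added example (not nick75's or AirVPN's code), a small POSIX shell script that generates the rules file above from a list of entry IPs, ready to be written to /etc/sysconfig/iptables in the step described. The interface name and IP list are the caller's; the two IPs in the usage line are the ones quoted earlier in the thread, and hostnames are refused because DNS on the LAN interface is blocked once the rules are loaded.

```shell
#!/bin/sh
# Added example, not from the thread: build nick75's kill-switch rules file from a
# list of AirVPN entry IPs so it can be pasted into /etc/sysconfig/iptables.
# Assumed inputs: the LAN-facing interface name and the entry IPs; hostnames are
# refused because DNS on that interface is dropped once the rules are loaded.

# is_ipv4 ADDR -> true if ADDR is a dotted quad with each octet in 0-255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
}

# gen_rules IFACE IP... -> prints an iptables-restore compatible *filter table
gen_rules() {
    iface=$1; shift
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
    printf '# allow local traffic\n-A INPUT -i lo -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT\n'
    printf '# allow access to vpn servers\n'
    printf -- '-A INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$iface"
    for ip in "$@"; do
        # one rule per entry IP; /32 so only that exact server is reachable outside the tunnel
        printf -- '-A OUTPUT -o %s -d %s/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$iface" "$ip"
    done
    printf '# allow VPN traffic\n-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A OUTPUT -o tun0 -j ACCEPT\nCOMMIT\n'
}

# count_server_rules IFACE IP... -> how many per-server OUTPUT rules were generated
count_server_rules() {
    gen_rules "$@" | grep -c -- '^-A OUTPUT -o .* -d .*/32 '
}

# Usage (IPs are the two quoted in the thread): write the file, then dry-run it as root
#   gen_rules enp7s0 213.152.161.218 23.88.114.42 > /tmp/airvpn.rules
#   sudo iptables-restore --test /tmp/airvpn.rules
```

The dry run only parses the file; loading it for real is the `systemctl restart iptables` step, after which nothing but the listed entry IPs should be reachable outside tun0.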
nick75:
> Update: I may actually have found a much simpler way to accomplish this (only allow AirVPN connections, through iptables). If I turn on the Eddie client with Network Lock and then look at my current iptables rules (sudo iptables -S), wouldn't that already be the perfect configuration that I could use just like that, but without the client? If yes, how do I make these iptables rules permanent and have them load at boot time?
Simpler, I don't know, but it'd also work.
unammeka: I just tried both your iptables rules and the iptables rules created by AirVPN's client, and unfortunately neither worked. No connection was possible at all, neither directly to the internet nor to an AirVPN server (using the standard VPN interface from the Network Manager). I added all the AirVPN servers to your list in the same manner, with enp7s0 as the interface. This is what the iptables rules created by the Eddie client looked like (taken with Network Lock enabled), which didn't work either. I've removed the full list of all the AirVPN IPs in this post, marked as (full list of all AirVPN IPs).

# Generated by iptables-save v1.6.0 on Mon Apr 3
*nat
:PREROUTING ACCEPT [6:716]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [694:55661]
:POSTROUTING ACCEPT [560:42187]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_FedoraWorkstation - [0:0]
:POST_FedoraWorkstation_allow - [0:0]
:POST_FedoraWorkstation_deny - [0:0]
:POST_FedoraWorkstation_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
-A POSTROUTING_ZONES -o wlp8s0 -g POST_FedoraWorkstation
-A PREROUTING_ZONES -i wlp8s0 -g PRE_FedoraWorkstation
COMMIT
# Completed on Mon Apr 3
# Generated by iptables-save v1.6.0 on Mon Apr 3
*raw
:PREROUTING ACCEPT [58896:68066921]
:OUTPUT ACCEPT [39141:7064194]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i wlp8s0 -g PRE_FedoraWorkstation
-A PREROUTING_ZONES -i tun0 -g PRE_FedoraWorkstation
-A PREROUTING_ZONES -g PRE_FedoraWorkstation
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
-A PRE_FedoraWorkstation_allow -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT
# Completed on Mon Apr 3
# Generated by iptables-save v1.6.0 on Mon Apr 3
*security
:INPUT ACCEPT [58962:68070237]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39065:7052968]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Apr 3
# Generated by iptables-save v1.6.0 on Mon Apr 3
*mangle
:PREROUTING ACCEPT [58896:68066921]
:INPUT ACCEPT [58895:68066345]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39141:7064194]
:POSTROUTING ACCEPT [39015:7052478]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
-A PREROUTING_ZONES -i wlp8s0 -g PRE_FedoraWorkstation
COMMIT
# Completed on Mon Apr 3
# Generated by iptables-save v1.6.0 on Mon Apr 3
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_FedoraWorkstation - [0:0]
:FWDI_FedoraWorkstation_allow - [0:0]
:FWDI_FedoraWorkstation_deny - [0:0]
:FWDI_FedoraWorkstation_log - [0:0]
:FWDO_FedoraWorkstation - [0:0]
:FWDO_FedoraWorkstation_allow - [0:0]
:FWDO_FedoraWorkstation_deny - [0:0]
:FWDO_FedoraWorkstation_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_FedoraWorkstation - [0:0]
:IN_FedoraWorkstation_allow - [0:0]
:IN_FedoraWorkstation_deny - [0:0]
:IN_FedoraWorkstation_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -d 209.58.167.171/32 -j ACCEPT
(full list of all AirVPN IPs)
-A OUTPUT -d 52.48.66.85/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -j DROP
-A FORWARD_IN_ZONES -i wlp8s0 -g FWDI_FedoraWorkstation
-A FORWARD_OUT_ZONES -o wlp8s0 -g FWDO_FedoraWorkstation
-A INPUT_ZONES -i wlp8s0 -g IN_FedoraWorkstation
COMMIT
# Completed on Mon Apr 3

Why do these rules seem to work without any issues when connecting with the Eddie client, but there's no connection at all when trying to create a VPN connection through the Network Manager?
nick75: Verify in the .ovpn file that what comes after "remote" is an IP address, not a name.
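The check nick75 suggests, as an added example that is not from the thread: a POSIX shell function that lists every "remote" in a .ovpn file that is a hostname rather than an IP, run here against a constructed sample profile (the sample hostname and file contents are assumptions, not the poster's actual file).

```shell
#!/bin/sh
# Added example, not from the thread: find "remote" lines in an OpenVPN profile that
# name a host instead of an IP. With the kill-switch rules loaded, DNS on the LAN
# interface is dropped, so a profile like that can never reach its server.

# is_ipv4 ADDR -> true if ADDR is a dotted quad with each octet in 0-255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
}

# bad_remotes FILE -> prints each remote host that is not an IPv4 address;
# returns 0 only when every remote is an IP
bad_remotes() {
    found=0
    # redirection (not a pipe) keeps the loop in this shell so $found survives it
    while read -r kw host _rest; do
        [ "$kw" = "remote" ] || continue
        if ! is_ipv4 "$host"; then
            printf '%s\n' "$host"
            found=1
        fi
    done < "$1"
    [ "$found" -eq 0 ]
}

# Constructed sample profile (not a real AirVPN config): one hostname remote in the
# same form as the poster's files, and one IP remote using an address quoted earlier.
sample_ovpn() {
    cat <<'EOF'
client
dev tun
proto udp
remote nl.vpn.airdns.org 443
remote 213.152.161.218 443
resolv-retry infinite
EOF
}

# Usage: sample_ovpn > /tmp/test.ovpn; bad_remotes /tmp/test.ovpn
# Any host printed must be replaced by its entry IP (see the dig topic linked above).
```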
unammeka: You're right, in my .ovpn files there is an entry with "remote (location).vpn.airdns.org 443". But how do I find out the IP for that specific location?
nick75: read previous posts
unammeka: Oops, I hadn't seen that part before, thanks. With the new .ovpn files it actually works now - thank you very much! Just another quick question, since I've experienced DNS leaks before when using the standard Network Manager (although that was without specific iptables rules): since the 192.168... IP automatically gets added to resolv.conf on every reboot (below AirVPN's 10.4.0.1), wouldn't that cause the OS to fall back on the 192.168 DNS resolver if AirVPN's DNS server isn't accessible for whatever reason? If so, would it be a good idea to run a script at boot time to remove the 192.168 IP from this file, if my goal is to prevent DNS leaks?
nick75: Not possible with the rules you have, but test with https://ipleak.net
InactiveUser:
> [..] would it be a good idea to run a script at boot time to remove the 192.168 IP from this file, if my goal is to prevent DNS leaks?
Don't use scripts, NetworkManager will override your manual changes sooner or later. There is a more reliable way to get rid of your default DNS: go into GNOME's network settings, edit your Wi-Fi connection, disable "automatic" DNS and configure Air's server instead. Screenshot attached.
nick75:
> [..] would it be a good idea to run a script at boot time to remove the 192.168 IP from this file, if my goal is to prevent DNS leaks?
> Don't use scripts, NetworkManager will override your manual changes sooner or later. There is a more reliable way to get rid of your default DNS: go into GNOME's network settings, edit your Wi-Fi connection, disable "automatic" DNS and configure Air's server instead. Screenshot attached.
There's no need for that since the firewall rules don't allow it, but you're right about network-manager overwriting any changes.