Jump to content
Not connected, Your IP: 18.188.130.151
unammeka

only allow AirVPN connections on Fedora 25

Recommended Posts

I've seen the sticky threads and guides, but unfortunately, from what I can tell, the ones relevant to my question are all severely outdated and they have not worked when I tried.

 

I'm looking for a solution to only allow connections to and from AirVPN's servers, including DNS. My OS is Fedora 25 and I would like to avoid the AirVPN client.

 

I'm assuming this would be done through IPTables, where everything is blocked except for all the AirVPN server IPs and the AirVPN DNS server? Would this work? If so, what would these IPTables look like and where would I get the list for all those IPs? Also, how would I make these rules permanent even through reboots?

 

Thanks a lot.

Share this post


Link to post

Avoid the AirVPN client, Eddie, why?  It would do what you want with a click of a button using the same iptables you'll use anyway.

Share this post


Link to post

Hi,

 

Here you are:

 

this is an iptables file, use it with "sudo iptables-restore < file.rules"

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# allow local traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# allow access to vpn server
-A INPUT -i <interface> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o <interface> -d <VPN_IP_address>/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# allow VPN traffic
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT


You'll have to add all the different <VPN_IP_address> to make it work.

Also, you won't be able to use DNS to connect to a server therefore use only IPs.

Share this post


Link to post

Also, you won't be able to use DNS to connect to a server therefore use only IPs.

 

Huh? It needs to use the AirVPN DNS server.

Share this post


Link to post

 

Also, you won't be able to use DNS to connect to a server therefore use only IPs.

 

Huh? It needs to use the AirVPN DNS server.

You'll be able to use AirVPN DNS server once you're connected but with these rules your local DNS server won't be reachable.

Consequently you need the VPN IP addresses.

Share this post


Link to post

Ok, that's good! So I'm assuming the VPN_IP_address is the placeholder where I would just put all the AirVPN server IPs plus the AirVPN DNS server? Or do I need to put the desired DNS server separately somewhere? Would that work and would it prevent any IP leaks outside of an AirVPN VPN tunnel?

Share this post


Link to post

You only need to put AirVPN server IP addresses and it's one address per line,

Here's an example of a working iptables file (no need to add the dns):

 

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# allow local traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# allow access to vpn servers (Canis, NL and Auva, USA)
-A INPUT -i <interface> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o <interface> -d 213.152.161.218/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o <interface> -d 23.88.114.42/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# allow VPN traffic
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT

Also <interface> is the LAN-facing interface, generally something like eth0 or enp3s0 (figures may vary)

 

NOTE: if you haven't already disabled IPv6, here is how.

Share this post


Link to post

Thanks a lot, that's very helpful. Just checked, the interface is indeed called enp** on Fedora. Is there a site where the current AirVPN server IPs are listed? I don't need the IPs from every country, just the countries I am going to connect to.

 

About the DNS, I've heard that on Linux, the DNS is chosen by what's in the resolv.conf file? That one has a 192.168.. IP in it that I can't seem to get rid of. After every reboot, it will be back. If I use your IPTables, how will it know to use AirVPN's DNS and to never fall back to my ISP one? Also, why don't I need to add the AirVPN DNS IP to the allowed IPs? Is DNS handled differently?

Share this post


Link to post

Update: I may actually have found a much simpler way to accomplish this (only allow AirVPN connections, through IPTables).

 

If I turn on the Eddie client with network lock, and then look at my current IPTables (sudo iptables -S), wouldn't that already be the perfect configuration that I could use just like that, but without the client? If yes, how do I just make these IPTable rules permanent and have them load at boot time?

Share this post


Link to post

Thanks a lot, that's very helpful. Just checked, the interface is indeed called enp** on Fedora. Is there a site where the current AirVPN server IPs are listed? I don't need the IPs from every country, just the countries I am going to connect to.

 

Here's how to get a list: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/ (use dig for Linux).

 

About the DNS, I've heard that on Linux, the DNS is chosen by what's in the resolv.conf file? That one has a 192.168.. IP in it that I can't seem to get rid of. After every reboot, it will be back. If I use your IPTables, how will it know to use AirVPN's DNS and to never fall back to my ISP one? Also, why don't I need to add the AirVPN DNS IP to the allowed IPs? Is DNS handled differently?

 

This behaviour is normal. OpenVPN will modify resolv.conf automatically.

 

 

Also, how would I make these rules permanent even through reboots?

 

WARNING: Before proceeding, make sure the rules I gave you work i.e. no connection when not connected to a VPN server and vice versa.

Then in a terminal window, type these commands in (with sudo):

 

systemctl stop firewalld
systemctl mask firewalld
dnf install iptables-services
systemctl enable iptables
gedit /etc/sysconfig/iptables

Empty the file, copy/paste the rules I gave you, save and exit.

 

systemctl restart iptables

Share this post


Link to post

Update: I may actually have found a much simpler way to accomplish this (only allow AirVPN connections, through IPTables).

 

If I turn on the Eddie client with network lock, and then look at my current IPTables (sudo iptables -S), wouldn't that already be the perfect configuration that I could use just like that, but without the client? If yes, how do I just make these IPTable rules permanent and have them load at boot time?

Simpler, I don't know but it'd also work.

Share this post


Link to post

I just tried both your IPtables and the IPTables created by AirVPN's client, and they both didn't work unfortunately. No connection was possible at all, neither directly to the internet, nor to an AirVPN server (using the standard VPN interface from the Network Manager). I added all the AirVPN servers to your list in the same manner and with enp7s0 as the interface.

 

This is what AirVPN's IPTables created by the Eddie client looked like (taken with Network lock enabled), which didn't work either. I've removed the full list of all the AirVPN IPs in this post, marked as (full list of all AirVPN IPs).

 

# Generated by iptables-save v1.6.0 on Mon Apr  3 
*nat
:PREROUTING ACCEPT [6:716]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [694:55661]
:POSTROUTING ACCEPT [560:42187]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_FedoraWorkstation - [0:0]
:POST_FedoraWorkstation_allow - [0:0]
:POST_FedoraWorkstation_deny - [0:0]
:POST_FedoraWorkstation_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
-A POSTROUTING_ZONES -o wlp8s0 -g POST_FedoraWorkstation
-A PREROUTING_ZONES -i wlp8s0 -g PRE_FedoraWorkstation
COMMIT
# Completed on Mon Apr  3
# Generated by iptables-save v1.6.0 on Mon Apr  3
*raw
:PREROUTING ACCEPT [58896:68066921]
:OUTPUT ACCEPT [39141:7064194]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i wlp8s0 -g PRE_FedoraWorkstation
-A PREROUTING_ZONES -i tun0 -g PRE_FedoraWorkstation
-A PREROUTING_ZONES -g PRE_FedoraWorkstation
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
-A PRE_FedoraWorkstation_allow -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT
# Completed on Mon Apr  3 
# Generated by iptables-save v1.6.0 on Mon Apr  3
*security
:INPUT ACCEPT [58962:68070237]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39065:7052968]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Apr  3 
# Generated by iptables-save v1.6.0 on Mon Apr  3 
*mangle
:PREROUTING ACCEPT [58896:68066921]
:INPUT ACCEPT [58895:68066345]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39141:7064194]
:POSTROUTING ACCEPT [39015:7052478]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
-A PREROUTING_ZONES -i wlp8s0 -g PRE_FedoraWorkstation
COMMIT
# Completed on Mon Apr  3 
# Generated by iptables-save v1.6.0 on Mon Apr  3 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_FedoraWorkstation - [0:0]
:FWDI_FedoraWorkstation_allow - [0:0]
:FWDI_FedoraWorkstation_deny - [0:0]
:FWDI_FedoraWorkstation_log - [0:0]
:FWDO_FedoraWorkstation - [0:0]
:FWDO_FedoraWorkstation_allow - [0:0]
:FWDO_FedoraWorkstation_deny - [0:0]
:FWDO_FedoraWorkstation_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_FedoraWorkstation - [0:0]
:IN_FedoraWorkstation_allow - [0:0]
:IN_FedoraWorkstation_deny - [0:0]
:IN_FedoraWorkstation_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 255.255.255.255/32 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -d 209.58.167.171/32 -j ACCEPT
(full list of all AirVPN IPs)
-A OUTPUT -d 52.48.66.85/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -j DROP
-A FORWARD_IN_ZONES -i wlp8s0 -g FWDI_FedoraWorkstation
-A FORWARD_OUT_ZONES -o wlp8s0 -g FWDO_FedoraWorkstation
-A INPUT_ZONES -i wlp8s0 -g IN_FedoraWorkstation
COMMIT
# Completed on Mon Apr  3 

 

Why do these rules seem to work without any issues when connecting with the Eddie client, but there's no connection at all when trying to create a VPN connection through the Network Manager?

Share this post


Link to post

You're right, in my .ovpn files, there is an entry with "remote (location).vpn.airdns.org 443". But how do I find out the IP for that specific location?

Share this post


Link to post

Oops, I haven't seen that part before, thanks. With the new .ovpn files, it actually works now - thank you very much!

 

Just another quick question, since I've experienced DNS leaks before when using the standard Network Manager (although that was without specific IPTables rules): Since the 192.168... IP automatically gets added to resolv.conf on every reboot (below AirVPN's 10.4.0.1), wouldn't that cause the OS to fall back on the 192.168 DNS resolver, if AirVPN's DNS server isn't accessible for whatever reason? If so, would it be a good idea to run a script on boot time to remove the 192.168 IP from this file, if my goal is to prevent DNS leaks?

Share this post


Link to post

[..] would it be a good idea to run a script on boot time to remove the 192.168 IP from this file, if my goal is to prevent DNS leaks?

 

Don't use scripts, NetworkManager will override your manual changes sooner or later. There is a more reliable way to get rid of your default DNS: Go into GNOME's network settings. Edit your Wi-Fi connection. Disable "automatic" DNS and configure Air's server instead. Screenshot attached.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

 

[..] would it be a good idea to run a script on boot time to remove the 192.168 IP from this file, if my goal is to prevent DNS leaks?

 

Don't use scripts, NetworkManager will override your manual changes sooner or later. There is a more reliable way to get rid of your default DNS: Go into GNOME's network settings. Edit your Wi-Fi connection. Disable "automatic" DNS and configure Air's server instead. Screenshot attached.

 

There's not need for that since the firewall rules don't allow it but you're right about network-manager overwriting any changes.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...