Jump to content
Not connected, Your IP: 100.24.113.182
nwlyoc

Interactive Wrapper for Hummingbird (with boot script and default network lock)

Recommended Posts

Hello,
last year I had written a wrapper for Eddie's CLI version (in bash) to be able to use it more easily and extensively in the linux command line like the GUI, but with less resources. I have used it since then every day without problems, but now I have finally gotten to overhaul it and adjust it to Hummingbird because it is just so much faster! I also tried to make it more easy to configure (by having a separate configuration file) and added some new functionality like support (and automatic recognition) of iptables and nftables to lock down the system even without being connected to AirVPN and automatic connection at boot with a systemd unit.
Again, feel free to use this as you wish, I hope someone can benefit from this. I'm happy about any improvements and corrections and will update this if I find the time.

Features

  • graphical interface in the command line to connect to AirVPN with Hummingbird (no Eddie involved)
  • runs in background, the interface can be closed/opened anytime without affecting the running connection
  • possibility to connect to any server with just one ovpn configuration file
  • easily connect to a random server, to a recommended server, to the recommended server of a specific country or to a specific server
  • sortable list of all servers including info like used bandwidth, load and number of users
  • possibility to connect to other VPNs with openconnect
  • lock down system by default (permanently if you want), so even without AirVPN/Hummingbird running there won't be any unwanted network traffic
  • automatically establish connection at boot (which can later be controlled via the interface)
  • logging of Hummingbird's output (number of days to keep logs for can be adjusted)
  • system notifications to let you know what happens in the background

Some general notes
  • The default network lock determines, like Hummingbird itself, if iptables, iptables-legacy or nftables is available on your system and will use the first one found in that list. You can overwrite that by specifying which one to use in the configuration file. Once activated, the lock will stay in place until manually deactivated, so no internet connection will be possible unless connected to AirVPN or other whitelisted VPNs. You can make the lock permanent (or rather activate at boot) by enabling that option in the configuration file. AirVPN's network lock overwrites the default network lock, so there will be no interference.
  • IMPORTANT: If you have any frontend firewall for iptables/nftables running, you might to disable that or read up on how it might interfere with rule changes you make directly via iptables/nft. The same thing applies if you use just Hummingbird itself. If you enable the default permanent network lock, it will write the lock rules at boot, most likely overwriting rules by firewalld or the like, but other enabled firewalls might interfere later. Also important: If you have SELinux and you want to use nftables for Hummingbird starting at boot, you have to create a SELinux exception for nft bcause otherwise it will be denied and Hummingbird starts without setting up its own lock, thus leaving you unprotected (AirVPN staff is aware of this issue). You can do that with audit2allow. Follow for example this guide to troubleshoot the problem and fix it with the solution given by sealert.
  • Check your /etc/resolv.conf file while not running Hummingbird (because Hummingbird's network lock replaces that file temporarily) to make sure your router is not set as a nameserver (so no 192.168... address). Some routers will push themselves on that list by DHCP whenever you connect to their network. Since communication with the router is allowed in the lock rules, DNS requests will be handled by the router and sent to whatever DNS server is configured there even when network traffic should be blocked. There are ways to prevent that file from being changed by DHCP, best configure network manager for that if you use it.
  • To connect to other VPNs, their IPs must be whitelisted and DNS requests for their domains must be allowed in the default network lock rules (netfilter_ipbatles.rulesipv4/ipv6 and/or netfilter_nftables.rules). Only edit those files with the default network lock deactivated. The rules for airvpn.org can be copied and adjusted.
  • You can set custom options for Hummingbird in the interface or the configuration file. All the possible options can be found in the Hummingbird manual or with sudo hummingbird --help
  • Apart from dialog I tried to only use basic system tools. The scripts will check if everything needed is present, if not they will exit. At least bash 4 is needed. The scripts rely mostly on dialog, awk and curl (and iptables/nft as described and openconnect if needed), so it should work on most systems. I wrote and tested this on Fedora 32 with Hummingbird 1.0.3.
  • It should be possible to use any ovpn config file generated by the AirVPN's config generator. Even with the file for one specific server it should be possible to connect to any other server because the server override function is used here. I haven't tested that extensively though and just use the config file for earth.
  • AirVPN's API seems to be a little unreliable sometimes as in not correctly reporting the connection status. Sometimes the API reports me not being connected although I am connected to an AirVPN server. This is no big deal, it just means that the connection status sometimes may be shown falsely as disconnected. If you have the default network lock activated, no traffic would be possible if you were actually disconnected.
  • And, lastly, VERY IMPORTANT: I am still no programmer and do this only on this on the side, so even though I tried my best to make these scripts secure and error free, there might very well be some bad practice, never-ever-do-this mistakes or other hiccups in there. It works very well for me (and has for quite a while by now), but better check it yourself.

 

UPDATE
As of 2020/08/29 this project including updates, changelog and further instructions is publicly available on GitLab. There it can be more easily examined, downloaded and updated. Thus I have removed the scripts, installation instructions and the archive with all the files from this post. Check out the GitLab project for the newest version.

 

VPNControl1.png

VPNControl2.png

VPNControl3.png

VPNControl4.png

VPNControl5.png

 

 

 

 

Share this post


Link to post

Hi, and first of all thanks for sharing your work!

If I may comment a couple of thoughts:
 

3 hours ago, nwlyoc said:

AirVPN's API seems to be a little unreliable sometimes as in not correctly reporting the connection status. Sometimes the API reports me not being connected although I am connected to an AirVPN server.

This very same thing happened to me. hummingbirds logs showed some errors while this behavior. There's a hummingbirds beta version (that uses a newer openvpn version) that might have addressed this, but it's in beta stage yet.

For "Country list" and "Server list"  If you omit the numbering before the entries the first word that you use for each line will become the key of the line and you will be able to find things by writing (at least the first character of) the name of the server, or the name of the country or whatever word you put in first place, for faster moving through the menus.

For a later version you might want to offer some menus to chose the protocol and port to use too.

Nice job anyway!! thanks.

Share this post


Link to post

Thank you for your feedback! I added your suggestions.

On 6/14/2020 at 10:45 AM, eburom said:

For "Country list" and "Server list"  If you omit the numbering before the entries the first word that you use for each line will become the key of the line and you will be able to find things by writing (at least the first character of) the name of the server, or the name of the country or whatever word you put in first place, for faster moving through the menus.

I removed the numbers, you can now navigate by typing the server name.
 
On 6/14/2020 at 10:45 AM, eburom said:

For a later version you might want to offer some menus to chose the protocol and port to use too.

There is a menu now to set custom options. They will be used for connections made until you exit the script. There is also an option to make them permanent. Apart from that it's now possible to set custom options directly in the configuration file.

other UPDATES:
  • added permanent default network lock
    • Activating the default network lock in the interface will only have effect until reboot.
    • There is a new option in the configuration file to make the default network lock permanent: Lock rules will be written by the systemd unit at boot.
    • While working that out I noticed that when starting Hummingbird with the systemd unit and using nftables for the network lock, Hummingbird failed to set up its network lock. This was because of a SELinux denial for nft. So if you want to use that combination, you have to create an exception (more info in the original post).
  • fixed bug which led to deleting older log files while cycling through failing connection attempts

UPDATE 2:
  • fixed the country selection

Share this post


Link to post

Many thanks for the effort to get this script written.

2 3 4 5* issues I've encountered so far.

1) Cutting and pasting from the install instructions above doesn't work for some bizarre reason. It looks like some extra characters are being copied:

pi@pidown:~/.vpncontrol/config $ od -bc
sudo systemctl daemon-reload
0000000 163 165 144 157 357 273 277 040 163 171 163 164 145 155 143 164
          s   u   d   o 357 273 277       s   y   s   t   e   m   c   t
0000020 154 040 144 141 145 155 157 156 357 273 277 055 162 145 154 157
          l       d   a   e   m   o   n 357 273 277   -   r   e   l   o
Although I appreciate that this probably isn't your issue.

2) On my system, the VPNcontrol.sh initially complains about dialog not being installed. Possibly need to add this to the install instructions.

3) In the VPNcontrol.sh script, you set the variable VPNCONTROL_CONFIG to be "$HOME/...". If you run the script with sudo then that defaults to /root while you want it to be your user directory.

4) In airvpn.service you are making the assumption that bash lives at /usr/bin/bash. On my system (Ubuntu) it's in /bin/bash.

5) When I try to start the script as a service I get the error message:
Hummingbird - AirVPN OpenVPN 3 Client 1.1.0 - 23 June 2020

Thu Jun 25 10:47:50.082 2020 System and service manager in use is systemd
ERROR: --network-lock option must be on, iptables, nftables, pf or off

* No-one expects the Spanish Inquisition

Share this post


Link to post

Thanks for the feedback!
 

13 hours ago, dL4l7dY6 said:
2 3 4 5* issues I've encountered so far.
I'm surprised and afraid that there were so many!
 
13 hours ago, dL4l7dY6 said:

1) Cutting and pasting from the install instructions above doesn't work for some bizarre reason. It looks like some extra characters are being copied:

That's indeed bad. Probably wouldn't happen if I inserted it as a code block, but I used a spoiler block because only those are collapsable and without that the post would have been very long to scroll past. And it seems you can only download the attached file when you're logged into this forum. I'll put everything on Gitlab or something when I have the time.
 
13 hours ago, dL4l7dY6 said:

2) On my system, the VPNcontrol.sh initially complains about dialog not being installed. Possibly need to add this to the install instructions.

I put this under the 'basic system tools', but it really isn't one. I'll add it to the instructions.
 
13 hours ago, dL4l7dY6 said:

3) In the VPNcontrol.sh script, you set the variable VPNCONTROL_CONFIG to be "$HOME/...". If you run the script with sudo then that defaults to /root while you want it to be your user directory.

I forgot to mention that this script was meant to be run as a regular user, didn't think of the possible need to run it as root. But good point, I'll point that out. Otherwise it should run fine as root except the notifications maybe (and all the sudo stuff wouldn't be needed anymore, but that shouldn't be a problem).
 
13 hours ago, dL4l7dY6 said:

4) In airvpn.service you are making the assumption that bash lives at /usr/bin/bash. On my system (Ubuntu) it's in /bin/bash.

I wasn't aware that might differ. I looked it up and it seems '/bin/bash' should be the best way to specify it (also better than '/usr/bin/env bash' it seems). Changed it.
 
13 hours ago, dL4l7dY6 said:

5) When I try to start the script as a service I get the error message: 


Hummingbird - AirVPN OpenVPN 3 Client 1.1.0 - 23 June 2020

Thu Jun 25 10:47:50.082 2020 System and service manager in use is systemd
ERROR: --network-lock option must be on, iptables, nftables, pf or off

 

Damn that was a bad typo. It only happens when custom options are set and only with the airvpn_boot.sh-script. On line 116 '$HUM_OPTIONS' needs to be before '--network-lock'. I changed it above and in the .tar-file.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...