ANSWERED Eddie strict firewall requirements

[salacronix 1]

Could somebody document what eddie needs open and to where? For example, if I needed to open firewall ports to a specific destination like port 443 to nl.vpn.airdns.org, what other EXACT destinations and ports does it need in order to function?
What specific server does it connect to for authentication and could I put that i a host file so I would not need external DNS?

Thanks in advance.
 

[OpenSourcerer 1435]

17 hours ago, salacronix said:

what other EXACT destinations and ports does it need in order to function?

It must be able to connect to at least one bootstrap server. This is done directly via IP AFAIK, no DNS needed. Ask Staff here or via ticket for more info, I'm hesitant to post those addresses publically.
Then you obviously need to open 1+ outbound ports to the AirVPN server. The port list is in Eddie Preferences > Ports, open them all or stick to one or two like 443 and 2018. UDP is sufficient, TCP can remain closed unless you've got massive connection problems.
ICMP to all servers for determining the latency in Eddie, plus obviously outbound connections to one, more or all servers, depending on how tight you want your setup to be.
 

17 hours ago, salacronix said:

What specific server does it connect to for authentication and could I put that i a host file so I would not need external DNS?

See above regarding the bootstrap server. You don't need to use DNS, so you don't need a hosts entry.

[Flx 76]

7 hours ago, OpenSourcerer said:

It must be able to connect to at least one bootstrap server. This is done directly via IP AFAIK, no DNS needed. Ask Staff here or via ticket for more info, I'm hesitant to post those addresses publically.

They are already documented....and posted in the How-to

13) If you use the Air client, add rules to allow communications with IP addresses 5.196.64.52 and  95.211.138.143 (two of our frontend servers), In and Out
 

[OpenSourcerer 1435]

I wasn't sure this info is still valid, but if you know it for a fact, yeah, there you are, Mr. salacronix. Thanks, Flx.

[salacronix 1]

So just for anybody else that is trying to get something like this to work, if you are trying to set up strict firewall rules to only allow traffic to AirVPN, it is kinda tricky.
First AirVPN doesn't have a DNS attached to their bootstrap server addresses, so you will have to ask for those. Second, a server list like nl.vpn.airdns.org doesn't return a list of servers, but just one. So there is no easy way to add the list of netherlands servers to your outbound firewall rules. After I added the bootstrap servers to the outbound firewall rules, eddie got a little further along, and the server it was trying to connect to was in the logs. I added that server IP address to my outbound firewall rules, and then bingo, it worked. However when it decides to connect to another server, it will stop working and I will have to add it again.  The other option is to generate OVPN configs for ALL of the servers I want to use and then get the IP addresses out of those config files. Ugh.
Do I have this right?

 

[OpenSourcerer 1435]

8 hours ago, salacronix said:

Second, a server list like nl.vpn.airdns.org doesn't return a list of servers, but just one. So there is no easy way to add the list of netherlands servers to your outbound firewall rules

nl.all.vpn.airdns.org

 

[salacronix 1]

1 hour ago, OpenSourcerer said:

nl.all.vpn.airdns.org

 

This is getting a bit ridiculous. I put in an alias on my firewall for "nl.all.vpn.airdns.org" and it works. I can ping all of the servers returned from that query. But then something really stupid happens. Eddie apparently has an entirely different set of IP's for all of those servers than the ones returned from the query. Any idea how to get eddie to just use what is currently returned by "nl.all.vpn.airdns.org"?
 

[OpenSourcerer 1435]

Could be the entry IP and tls-auth/tls-crypt setting of Eddie, 3 being the default in Eddie, 1 being by default returned if DNS-queried. 1 is tls-auth, 2 is its alternative and 3 is tls-crypt with 4 being it's alternative. To fetch all primary IPv4 tls-crypt addresses of the Netherlands:

nl3.all.vpn.airdns.org

Refer to this FAQ for more info:
https://airvpn.org/faq/servers_ip/

[salacronix 1]

1 hour ago, OpenSourcerer said:

Could be the entry IP and tls-auth/tls-crypt setting of Eddie, 3 being the default in Eddie, 1 being by default returned if DNS-queried. 1 is tls-auth, 2 is its alternative and 3 is tls-crypt with 4 being it's alternative. To fetch all primary IPv4 tls-crypt addresses of the Netherlands:

nl3.all.vpn.airdns.org 

Refer to this FAQ for more info:
https://airvpn.org/faq/servers_ip/

B-B-B-B-B-Bingo!!!!!! That was it. Thank you for the assist my good man!!!!!!!