tmick

Question about Eddie and UFW on a Debian Testing machine


Is there an IP Range I should be adding to my Firewall? If I run

dmesg
I have a lot of this:
[ 9489.598148] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=356592 PROTO=ICMPv6 TYPE=134 CODE=0 
[ 9492.373944] IPv4: martian source 192.168.0.91 from 82.94.183.165, on dev enp1s0
[ 9492.373953] ll header: 00000000: 30 9c 23 47 64 c5 48 4e fc f0 69 b8 08 00
[ 9492.600804] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=356592 PROTO=ICMPv6 TYPE=134 CODE=0 
[ 9495.603941] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=356592 PROTO=ICMPv6 TYPE=134 CODE=0 
Is there an IP Range or port I should add to my firewall to get this to quit? I've read posts on here mentioning Port 53.
And I would like the VPN to be on when I reboot my machine, without having to log in all the time. Is that possible?
Thanks

Daaa Baby Smurf do do do😁

Go_Camping___.jpg


Your firewall rejects ICMPv6 packets with type 134, which seem to be Router Advertisement probes, see IPv6 > Router solicitation. Find out which of your devices on the network has the v6 address fe80::4a4e:fcff:fef0:69b8, interface MAC should be 48:4e:fc:f0:69:b8, that's where they're coming from.

That link talks about two cases: There is no answer, where after a few attempts no more attempts are done (it's assumed no routers are available), or there is one and the requesting machine continues with requesting a unicast prefix from the router which responded. Since your firewall is rejecting the packets, which ultimately means replying that a connection was refused, I'm not sure what happens, but it looks like the requesting machine assumes a communication error or something and simply retries probing for a router indefinitely.

Try changing the policy from REJECT to DROP if you don't use v6 in your network. If you do, try allowing it instead.
 

1 hour ago, tmick said:

And I would like the VPN to be on when I reboot my machine, without having to log in all the time. Is that possible?


That feature is there in Eddie and the Suite, so yes. :)

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

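The triage step the reply above describes (read the TYPE= field, work out which box the link-local address belongs to) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from AirVPN: it parses the netfilter log lines quoted in the question (embedded below as a constructed sample), splits the raw MAC= field into destination MAC, source MAC and EtherType, names the ICMPv6 Neighbor Discovery type per RFC 4861, checks whether the destination is the all-nodes group ff02::1, and recovers the MAC embedded in a modified-EUI-64 interface identifier so it can be compared with the frame's source MAC. Only the standard library is used; the field layout of the MAC= token (6+6+2 bytes) is the kernel's LOG format.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Constructed sample: the kernel lines quoted in the question above, copied verbatim.
SAMPLE_DMESG = """\
[ 9489.598148] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=356592 PROTO=ICMPv6 TYPE=134 CODE=0
[ 9492.373944] IPv4: martian source 192.168.0.91 from 82.94.183.165, on dev enp1s0
[ 9492.600804] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=356592 PROTO=ICMPv6 TYPE=134 CODE=0
"""

# ICMPv6 Neighbor Discovery message types (RFC 4861).
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}

ALL_NODES = ipaddress.IPv6Address("ff02::1")

# netfilter LOG line: "[ts] PREFIX (chain): KEY=VAL KEY=VAL ..."
FW_LINE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<prefix>FW6 \w+)\s+\((?P<chain>\w+)\):\s*(?P<kv>.*)$")


def split_mac_field(mac: str) -> tuple[str, str, str]:
    """The MAC= field is the raw Ethernet header: dst MAC, src MAC, EtherType."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"unexpected MAC field length: {mac}")
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def mac_from_eui64(addr: ipaddress.IPv6Address) -> str | None:
    """Recover the MAC embedded in a modified EUI-64 interface identifier, if any."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # random/privacy IID, not derived from a MAC
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in octets)


def parse_fw6_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue  # not a firewall log line (e.g. the "martian source" message)
        kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
        dst_mac, src_mac, ethertype = split_mac_field(kv["MAC"])
        src = ipaddress.IPv6Address(kv["SRC"])
        dst = ipaddress.IPv6Address(kv["DST"])
        icmp_type = int(kv["TYPE"]) if kv.get("PROTO") == "ICMPv6" and "TYPE" in kv else None
        events.append({
            "verdict": m["prefix"].split()[1],
            "chain": m["chain"],
            "iface": kv.get("IN"),
            "src": src.compressed,
            "dst": dst.compressed,
            "src_mac": src_mac,
            "dst_mac": dst_mac,
            "ethertype": ethertype,
            "icmpv6_type": icmp_type,
            "type_name": ND_TYPES.get(icmp_type, "other"),
            "dst_is_all_nodes": dst == ALL_NODES,
            "eui64_mac": mac_from_eui64(src),
        })
    return events


def summarize(text: str) -> list[tuple[str, str, int]]:
    """Count rejected packets per (source MAC, message type) so the noisy sender stands out."""
    counts = Counter((e["src_mac"], e["type_name"]) for e in parse_fw6_log(text))
    return [(mac, name, n) for (mac, name), n in counts.most_common()]


if __name__ == "__main__":
    for mac, name, n in summarize(SAMPLE_DMESG):
        print(f"{n} x {name} from {mac}")
```

On the sample, both rejected packets are Router Advertisements from a single source MAC, sent to ff02::1, and the EUI-64 check confirms the link-local address was derived from that same MAC, so one device (a router or something advertising as one) is the origin. Pipe real output in with `dmesg | python3 fw6_triage.py` after replacing the sample string with `sys.stdin.read()` if you want to run it against a live machine.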

The main reason I'm asking is I'm getting disconnected frequently and my logs in Eddie are showing that I'm getting disconnected frequently also: 

. 2022.04.16 19:26:23 - OpenVPN > Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2022.04.16 19:26:23 - OpenVPN > TUN/TAP device tun0 opened
. 2022.04.16 19:26:23 - OpenVPN > net_iface_mtu_set: mtu 1500 for tun0
. 2022.04.16 19:26:23 - OpenVPN > net_iface_up: set tun0 up
. 2022.04.16 19:26:23 - OpenVPN > net_addr_v4_add: 10.26.130.48/24 dev tun0
. 2022.04.16 19:26:23 - OpenVPN > net_iface_mtu_set: mtu 1500 for tun0
. 2022.04.16 19:26:23 - OpenVPN > net_iface_up: set tun0 up
. 2022.04.16 19:26:23 - OpenVPN > net_addr_v6_add: fde6:7a:7d20:1682::102e/64 dev tun0
. 2022.04.16 19:26:27 - OpenVPN > Initialization Sequence Completed
. 2022.04.16 19:26:27 - DNS of the system updated to VPN DNS (Rename method: /etc/resolv.conf generated)
. 2022.04.16 19:26:27 - Routes, add 0.0.0.0/1 for interface "tun0".
. 2022.04.16 19:26:27 - Routes, add 128.0.0.0/1 for interface "tun0".
. 2022.04.16 19:26:27 - Routes, add ::/1 for interface "tun0".
. 2022.04.16 19:26:27 - Routes, add 8000::/1 for interface "tun0".
. 2022.04.16 19:26:27 - Routes, add 193.37.254.3/32 for interface "tun0".
. 2022.04.16 19:26:27 - Routes, add 2a0d:5600:2:4:557:907e:7abb:8b73/128 for interface "tun0".
. 2022.04.16 19:26:27 - Flushing DNS
I 2022.04.16 19:26:28 - Checking route IPv4
I 2022.04.16 19:26:28 - Checking route IPv6
I 2022.04.16 19:26:29 - Checking DNS
! 2022.04.16 19:26:29 - Connected.
. 2022.04.16 19:27:30 - OpenVPN > [Bootes] Inactivity timeout (--ping-restart), restarting
. 2022.04.16 19:27:30 - OpenVPN > SIGUSR1[soft,ping-restart] received, process restarting
. 2022.04.16 19:27:30 - OpenVPN > Restart pause, 5 second(s)
! 2022.04.16 19:27:30 - Disconnecting
. 2022.04.16 19:27:30 - Sending soft termination signal
. 2022.04.16 19:27:30 - OpenVPN > Closing TUN/TAP interface
. 2022.04.16 19:27:30 - OpenVPN > net_addr_v4_del: 10.26.130.48 dev tun0
. 2022.04.16 19:27:30 - OpenVPN > net_addr_v6_del: fde6:7a:7d20:1682::102e/64 dev tun0
. 2022.04.16 19:27:30 - OpenVPN > SIGINT[hard,init_instance] received, process exiting
. 2022.04.16 19:27:30 - Routes, delete 0.0.0.0/1 for interface "tun0", not exists.
. 2022.04.16 19:27:30 - Routes, delete 128.0.0.0/1 for interface "tun0", not exists.
. 2022.04.16 19:27:30 - Routes, delete ::/1 for interface "tun0", not exists.
. 2022.04.16 19:27:30 - Routes, delete 8000::/1 for interface "tun0", not exists.
. 2022.04.16 19:27:30 - Routes, delete 193.37.254.5/32 for interface "enp1s0".
. 2022.04.16 19:27:31 - Routes, delete 193.37.254.3/32 for interface "tun0", not exists.
. 2022.04.16 19:27:31 - Routes, delete 2a0d:5600:2:4:557:907e:7abb:8b73/128 for interface "tun0", not exists.
. 2022.04.16 19:27:31 - Routes, delete 193.37.254.5/32 for interface "enp1s0", not exists.
. 2022.04.16 19:27:31 - DNS of the system restored to original settings (Rename method)
. 2022.04.16 19:27:31 - Connection terminated.
I 2022.04.16 19:27:34 - Checking authorization ...
! 2022.04.16 19:27:34 - Connecting to Bootes (United States of America, Phoenix, Arizona)
. 2022.04.16 19:27:34 - Routes, add 193.37.254.5/32 for interface "enp1s0".
. 2022.04.16 19:27:35 - Routes, add 193.37.254.5/32 for interface "enp1s0", already exists.
. 2022.04.16 19:27:35 - OpenVPN > OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 20 2022
. 2022.04.16 19:27:35 - OpenVPN > library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
. 2022.04.16 19:27:35 - OpenVPN > Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
. 2022.04.16 19:27:35 - OpenVPN > Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
. 2022.04.16 19:27:35 - OpenVPN > Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
. 2022.04.16 19:27:35 - OpenVPN > Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
. 2022.04.16 19:27:35 - OpenVPN > TCP/UDP: Preserving recently used remote address: [AF_INET]193.37.254.5:443
. 2022.04.16 19:27:35 - OpenVPN > Socket Buffers: R=[212992->212992] S=[212992->212992]
. 2022.04.16 19:27:35 - OpenVPN > UDP link local: (not bound)
. 2022.04.16 19:27:35 - OpenVPN > UDP link remote: [AF_INET]193.37.254.5:443
. 2022.04.16 19:27:35 - OpenVPN > TLS: Initial packet from [AF_INET]193.37.254.5:443, sid=b5fe52ec 97f91187
. 2022.04.16 19:27:35 - OpenVPN > VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
. 2022.04.16 19:27:35 - OpenVPN > VERIFY KU OK
. 2022.04.16 19:27:35 - OpenVPN > Validating certificate extended key usage
. 2022.04.16 19:27:35 - OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
. 2022.04.16 19:27:35 - OpenVPN > VERIFY EKU OK
. 2022.04.16 19:27:35 - OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Bootes, emailAddress=info@airvpn.org
. 2022.04.16 19:27:35 - OpenVPN > Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
. 2022.04.16 19:27:35 - OpenVPN > [Bootes] Peer Connection Initiated with [AF_INET]193.37.254.5:443
. 2022.04.16 19:27:36 - OpenVPN > SENT CONTROL [Bootes]: 'PUSH_REQUEST' (status=1)
. 2022.04.16 19:27:36 - OpenVPN > PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.26.130.1,dhcp-option DNS6 fde6:7a:7d20:1682::1,tun-ipv6,route-gateway 10.26.130.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:1682::102e/64 fde6:7a:7d20:1682::1,ifconfig 10.26.130.48 255.255.255.0,peer-id 2,cipher AES-256-GCM'
. 2022.04.16 19:27:36 - OpenVPN > Pushed option removed by filter: 'redirect-gateway ipv6 def1 bypass-dhcp'
. 2022.04.16 19:27:36 - OpenVPN > Pushed option removed by filter: 'dhcp-option DNS 10.26.130.1'
. 2022.04.16 19:27:36 - OpenVPN > Pushed option removed by filter: 'dhcp-option DNS6 fde6:7a:7d20:1682::1'
. 2022.04.16 19:27:36 - OpenVPN > OPTIONS IMPORT: timers and/or timeouts modified
. 2022.04.16 19:27:36 - OpenVPN > OPTIONS IMPORT: compression parms modified
. 2022.04.16 19:27:36 - OpenVPN > OPTIONS IMPORT: --ifconfig/up options modified
. 2022.04.16 19:27:36 - OpenVPN > OPTIONS IMPORT: route-related options modified
. 2022.04.16 19:27:36 - OpenVPN > OPTIONS IMPORT: peer-id set
. 2022.04.16 19:27:36 - OpenVPN > OPTIONS IMPORT: adjusting link_mtu to 1625
. 2022.04.16 19:27:36 - OpenVPN > OPTIONS IMPORT: data channel crypto options modified
. 2022.04.16 19:27:36 - OpenVPN > Data Channel: using negotiated cipher 'AES-256-GCM'
. 2022.04.16 19:27:36 - OpenVPN > Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2022.04.16 19:27:36 - OpenVPN > Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2022.04.16 19:27:36 - OpenVPN > TUN/TAP device tun0 opened
. 2022.04.16 19:27:36 - OpenVPN > net_iface_mtu_set: mtu 1500 for tun0
. 2022.04.16 19:27:37 - OpenVPN > net_iface_up: set tun0 up
. 2022.04.16 19:27:37 - OpenVPN > net_addr_v4_add: 10.26.130.48/24 dev tun0
. 2022.04.16 19:27:37 - OpenVPN > net_iface_mtu_set: mtu 1500 for tun0
. 2022.04.16 19:27:37 - OpenVPN > net_iface_up: set tun0 up
. 2022.04.16 19:27:37 - OpenVPN > net_addr_v6_add: fde6:7a:7d20:1682::102e/64 dev tun0
. 2022.04.16 19:27:41 - OpenVPN > Initialization Sequence Completed
. 2022.04.16 19:27:41 - DNS of the system updated to VPN DNS (Rename method: /etc/resolv.conf generated)
. 2022.04.16 19:27:41 - Routes, add 0.0.0.0/1 for interface "tun0".
. 2022.04.16 19:27:41 - Routes, add 128.0.0.0/1 for interface "tun0".
. 2022.04.16 19:27:42 - Routes, add ::/1 for interface "tun0".
. 2022.04.16 19:27:42 - Routes, add 8000::/1 for interface "tun0".
. 2022.04.16 19:27:42 - Routes, add 193.37.254.3/32 for interface "tun0".
. 2022.04.16 19:27:42 - Routes, add 2a0d:5600:2:4:557:907e:7abb:8b73/128 for interface "tun0".
. 2022.04.16 19:27:42 - Flushing DNS
I 2022.04.16 19:27:42 - Checking route IPv4
I 2022.04.16 19:27:43 - Checking route IPv6
I 2022.04.16 19:27:43 - Checking DNS
! 2022.04.16 19:27:44 - Connected.
It was working fine yesterday :(

Daaa Baby Smurf do do do😁

Go_Camping___.jpg


. 2022.04.16 19:27:30 - Routes, delete 0.0.0.0/1 for interface "tun0", not exists.
. 2022.04.16 19:27:30 - Routes, delete 128.0.0.0/1 for interface "tun0", not exists.
. 2022.04.16 19:27:30 - Routes, delete ::/1 for interface "tun0", not exists.
. 2022.04.16 19:27:30 - Routes, delete 8000::/1 for interface "tun0", not exists.
. 2022.04.16 19:27:30 - Routes, delete 193.37.254.5/32 for interface "enp1s0".
. 2022.04.16 19:27:31 - Routes, delete 193.37.254.3/32 for interface "tun0", not exists.
. 2022.04.16 19:27:31 - Routes, delete 2a0d:5600:2:4:557:907e:7abb:8b73/128 for interface "tun0", not exists.
. 2022.04.16 19:27:31 - Routes, delete 193.37.254.5/32 for interface "enp1s0", not exists.

This part is quite interesting. It seems as if either the routes are immediately deleted after OpenVPN connects, or the routes cannot be set at all. An inactivity timeout occurs exactly one minute and one second after connection, and that timeout is 60 seconds, further hinting at the previous assumption.

Does this happen with vanilla OpenVPN as well?

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


This may be wayyyyy off base for you but what about this suggestion:

[I am using nft but you can do similarly with UFW.  NFT is better with Debian but they both work.]

I use this as my simple NFT firewall:

flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # loopback is always allowed
        iifname "lo" accept
        # only replies to connections this host opened get in
        ct state established,related accept
    }

    chain forward {
        # this host does not route for anyone
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # LAN-to-LAN only; nothing leaves for the internet until Eddie swaps in its own ruleset
        ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 accept
    }
}


So here is the deal.  The above firewall locks the computer from getting "outside" and gaining any workspace on the internet when you bring Debian up.  However, when you mount Eddie it will copy the NFT firewall and save it for later.  Then Eddie creates its own firewall allowing ONLY the AirVpn tunnel as a way to the internet using TUN.  This is all automatic via Eddie.  When you exit Eddie the client will write back your firewall keeping the computer "closed" to the internet without Eddie logged in.  Would that work for you?  It's flawless on this end and it's automatic once you write the simple little firewall.  Hell, just copy and paste.  It's VERY simple in structure BUT it does what it was designed to do for me.


So I am currently using the WireGuard config file and it seems to be working now.
@open sourcer I was using the generated vpn file for OpenVPN and was importing it.
@iwih2gk I gave up on UFW/GUFW and went to nftables; once I get rid of a syntax error I think I'll stick with that.


Daaa Baby Smurf do do do😁

Go_Camping___.jpg

On 5/24/2022 at 3:06 AM, tmick said:

@open sourcer I was using the generated vpn file for OpenVPN and was importing it.


Sorry, why would you use a generated config with Eddie?

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

22 minutes ago, tmick said:

Because Eddie gave the same results basically, and was getting frequent disconnects. 


Wait, so all that log output before, was this with the custom config in place?

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

1 minute ago, OpenSourcerer said:

Wait, so all that log output before, was this with the custom config in place?
No, I should have been clearer I guess. The original post was from Eddie. I then went to the config generator and tried the OpenVPN config and got the same issue.

Daaa Baby Smurf do do do😁

Go_Camping___.jpg

