1earthlove 0 Posted ... To worric - Should your instructions to stop traffic when vpn drops work if you are airvpn-over-tor? To the AirAdmin - I'm NEW :sick: to forums & don't know the "stringy-stuff" etiquette. If its more appropriate to start a new topic - I don't care if you move this - just please explain it to me- I'm waiting for help on my current issue - and this other topic had a reply that may be related to what My Topic/Subject is asking for Help with- I'm overwhelmed by iptables in ubuntu - and yet it seems like a miracle that I'm NOW doing airvpn-over-tor successfully - I Need seriously-critical help with blocking All traffic if vpn dis-connects... Quote Share this post Link to post
Guest rbj Posted ... Worric - Your setup is now working great for me. Thanks for the help on that one rule. Quote Share this post Link to post
magnumpi 4 Posted ... Worric thanks! I got the printer working! So now I have the connection on VPN and when I disconnect the VPN my internet stops working - thanks to the rules in GUFW/UFW on my Ubuntu machine. What is weird is when I close my laptop (not sure it goes into actual standby mode or what) and come back several hours later to "wake it up", the Wifi connection remains active but the VPN disconnects. At that point if I then browse the internet - my IP shows my "true" IP?! The Firewall remains enabled so i don't understand how this is possible. I toggled the VPN back on and then it all works as expected. Not sure if I need to toggle the firewall too... will try next time this happens. Any ideas what is wrong? Quote Share this post Link to post
itsasunnyray 0 Posted ... Hello everyone and thanks worric for the info. I have done all of worric's set up exept the 192.168.1.0/24 home network because it didn't work without using VPN. When I right clicked on my connection information window it said under IPV4 192.168.0.105 for IP address and 192.168.0.255 for broadcast address so I set it up with 192.168.0.0/24 instead and it works without using VPN. Now I'm not quite sure I understand what I'm doing, isn't allowing a"normal" LAN connection defeating the purpose of going through selected port only? I ask this because I downloaded a P2P file through transmission and when done I let it in seeding mode for others until I saw in the terminal that my VPN connection had terminated, and it was still seeding!? So is this what you call a leak or I didn't set this up properly? Also there must be a way to have a warning when the connection stops and there should have an automatic re-connection process when it goes off shouldn't it? I use Linux Mint 13 with gufw Quote Share this post Link to post
magnumpi 4 Posted ... Worric thanks! I got the printer working! So now I have the connection on VPN and when I disconnect the VPN my internet stops working - thanks to the rules in GUFW/UFW on my Ubuntu machine. What is weird is when I close my laptop (not sure it goes into actual standby mode or what) and come back several hours later to "wake it up", the Wifi connection remains active but the VPN disconnects. At that point if I then browse the internet - my IP shows my "true" IP?! The Firewall remains enabled so i don't understand how this is possible. I toggled the VPN back on and then it all works as expected. Not sure if I need to toggle the firewall too... will try next time this happens. Any ideas what is wrong? Just to clarify: it seems that if my laptop goes into suspend mode, it stops the VPN and the GUFW/UFW. When I later wake the machine up I am back to square one. Anyone know how to stop this from happening? Quote Share this post Link to post
Staff 9972 Posted ... Worric thanks! I got the printer working! So now I have the connection on VPN and when I disconnect the VPN my internet stops working - thanks to the rules in GUFW/UFW on my Ubuntu machine.What is weird is when I close my laptop (not sure it goes into actual standby mode or what) and come back several hours later to "wake it up", the Wifi connection remains active but the VPN disconnects. At that point if I then browse the internet - my IP shows my "true" IP?! The Firewall remains enabled so i don't understand how this is possible. I toggled the VPN back on and then it all works as expected. Not sure if I need to toggle the firewall too... will try next time this happens. Any ideas what is wrong?Just to clarify: it seems that if my laptop goes into suspend mode, it stops the VPN and the GUFW/UFW. When I later wake the machine up I am back to square one.Anyone know how to stop this from happening?Hello!When your laptop wakes up, Ubuntu should execute the script /etc/pm/sleep.d (this admin is assuming that you're running Ubuntu...).So you might add a restart command for gufw/ufw there, if it is killed when the laptop goes to sleep. Kind regards Quote Share this post Link to post
magnumpi 4 Posted ... Sorry - yes I am using Ubuntu 12.04 but I am not a particularly expert Linux user so apologies if I need further explanation. Are you saying I should manually run that command on wake? Is there a way to automate this so I won't forget? Quote Share this post Link to post
Guest rbj Posted ... Can someone show me how to write one of Worric's iptable rules? It's this one: "sudo allow in on tun0 from any to any port xxxxx" - enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through. I figured out all the rest through research and trial and error. I know to use "sudo ufw" but after that I'm totally stuck I tried every way I could think of and still can't get it right. And I know this is important. Thanks. Quote Share this post Link to post
itsasunnyray 0 Posted ... I did just that "sudo allow in on tun0 from any to any port (and your port number)" with no problem, the difference is that I never use sudo but rather su and the password so I stay "in" all the time. Maybe you wrote capital "O" instead of the number "0". I used a port in the 50 thousands, try different ones above 2048. I put my chosen forwarded port in Transmission first, I don't know if it made a difference but it worked. Quote Share this post Link to post
vs.gruescu 0 Posted ... Gufw rules works perfect for me!!! And i'm not an expert on linux.(Ubuntu 12.04) Thanks worric! Quote Share this post Link to post
candtalan 0 Posted ... With Ubuntu 12.04 and gufw, and airvpn (with openvpn), udp, 443 I am hoplessly failing to set up gufw, (or understand), to arrange that if the vpn drops out then the browser (firefox) ceases. Examples and previous comments - various - seem to be using firestarter which seems to be no longer current, or seem to assume knowledge of gufw which I do not yet have :-(I have used a tutorial and gufw to simply deny all in and out, but allow only the browser, seems to work. But I am mostly inexperienced about ports, and I am very unclear about how gufw should handle openvpn (and airvpn?) (??)Some novice level details will be much appreciated...tia Quote Share this post Link to post
candtalan 0 Posted ... Can anyone please help with how to use gufw for this? I need to use gui (not script and ufw) to get to understand what goes on....For example I can use airvpn cassiopia (31.193.12.98) but what do I do in gufw (attached screenshot) to create a useful first rule - hoping for something like worric did with scripts etc?tia Quote Share this post Link to post
Mukahami25 0 Posted ... Hi, I used the guide to set up Firestarter, and it looks like it is geting the job done, when the vpn drops I no longer have any connection to the internet. There is a small issu that is worring me thou: When I am looking at the traffic in the Firestarter gui, the wlan0 activity is constantly higher than the tun0. This might be a noob question, but does that mean that some of my traffic is not going throu the VPN?? Quote Share this post Link to post
Staff 9972 Posted ... Hello, the traffic on the physical interface is equal to the sum of the traffic on the tun interface plus the overhead plus the internal network traffic plus some more (for example ping to VPN server) - so it is always higher than the tun0 traffic. If it's reasonably higher, it's perfectly normal. Browse to our web site and check the central bottom box for additional security (it must be green), or browse to http://ipleak.net Kind regards Quote Share this post Link to post
Vucnu 1 Posted ... Hi, Since I'm using fedora, can you help me to set up some rules usin firewallD, the default firewall in fedora? 1 LBDude reacted to this Quote Share this post Link to post
neverfox 2 Posted ... Many thanks to worric for his gufw instructions. I got it all set up as described. I have to say, having never used gufw before, that it is simple, but it's not very friendly to mistakes. There seems to be no way to easily reorder rules if you mess up. You have to create the rule again, with the correct position number then delete the old one.While worric's solution works, it appears to cater to someone who wants to only access the internet via VPN and not otherwise (unless the firewall is disabled). I have a slightly different need. I want to only have this kind of protection when I'm running certain programs, e.g. P2P, and otherwise allow normal internet traffic to "leak" if the VPN goes down. Of course, I could just put these rules into a separate firewall profile and switch to it before I run my P2P software, but that's a manual step that is both annoying and dangerous (because you could forget). What would be ideal is a firewall profile that could run all the time, allowing normal internet traffic (with or without the VPN active) and only VPN traffic for specific programs. For programs that allow binding to a specific interface, interface rules would be enough, but some don't have this feature. I think ufw has the ability to filter based on certain apps but I'll need to learn more about how to set that up. So, in theory, what I'm after is possible. If anyone already has some experience with that, I would appreciate some advice. Likewise, if I come up with something on my own, I'll post my solution. Quote Share this post Link to post
InactiveUser 188 Posted ... I have a slightly different need. I want to only have this kind of protection when I'm running certain programs, e.g. P2P, and otherwise allow normal internet traffic to "leak" if the VPN goes down. You cannot do application-level rules with ufw.Iptables has an "--uid-owner" option, which isn't application-level either, but you could use it like this: - create a user account "p2puser"- launch your p2p apps with this new user account - deny traffic coming from user id "p2puser" on eth0/wlan0- allow all other traffic on eth0/wlan0 (eth0 / wlan0 as examples for your non-VPN network interfaces). I have not tried this myself, I loathe iptables. Good luck, I hope someone else has a better idea than this 1 Staff reacted to this Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
Zack 0 Posted ... HelloTrying out the gufw method on a friends PC running Ubuntu 12.04, but no matter if we use the network manager or terminal to run openvpn, the connection drops and resets every 10 seconds or so.If we dont use a firewall, it does not happen.Anything we missed here? Edit:We found out of the dropouts, the system clock and date was way off, maybe because we had tinkered with the firewall so much that it could not get the correct date from internet.Fixed the data and it got stable,removed all GUI firewalls, followed this guide https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-2?do=findComment&comment=2010 to set the iptables manually and the dns lines at the end to prevent dns leaks, now everything works and sites like http://dnsleaktest.com and http://ipleak.net show no leaks and the PC cant access internett without being on VPN. Edit one more time:Sorry for all the edits here but this is important as after a reboot the dns was back to the normal and the leaks was back.We tried to set static IP, but it did not help on the dns and editing /etc/resolv.conf just swaped back.Searched for an answer, tried to edit the head file, but that only added the static to the top of the line and the rest from dhcp anyway.Ended up with "sudo apt-get remove resolvconf" in combination with static IP, the resolv.conf did not update anymore and it stays like this after a reboot. Seems like in 12.04 LTS at least, resolvconf does not update from the opendns push settings, so we was better with removing all the auto systems and just do things manually, since this PC just is for vpn use anyway. Quote Share this post Link to post
Staff 9972 Posted ... Seems like in 12.04 LTS at least, resolvconf does not update from the opendns push settings, so we was better with removing all the auto systems and just do things manually, since this PC just is for vpn use anyway. Hello! Just in case you'll need in the future to accept the DNS push from our servers on a Linux system with resolvconf (or openresolv), please see our guide: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/ Kind regards Quote Share this post Link to post
Dannermax 0 Posted ... Regarding Worrics post: My GUFW looks like this: And in worric's post, he had a button to DENY all outgoing traffic, and i only have 1 button, and that is for, what seems to be, Deny all incoming traffic. Do i need that "missing" button in order, to set it up just like worric? I hope someone can explain this to me, because i just cant figure it out.. I have GUFW version 9.10.2 which is the latest version for my system: Openmediavault Debian squeeze... Worrics picture: I really hope an expert, will help me out here..! Thanks in advance. Quote Share this post Link to post
randombit 4 Posted ... Some of the newer features of UFW haven't arrived with the version you areusing. And although the GUI version of UFW is nice the command-line versionis much more advanced.In the following quick tutorial I will try to giveyou some guidance to get a simple setup (hopefully) working. This is onlyfor general guidance. Adjust addresses, port numbers and protocols asneeded. E.g. If your router is on a different IP-address then adjust therule to fit to your needs. Also if you want to connect to a differentVPN-server use the IP-address of the server you wish to use. The IP numbersused here are only as an example.Keep in mind that rule ordering isimportant and the first match wins! The rule which is entered first will endup higher in the list. At the end I will explain more about this (see point8).1. Open an terminal window and enter the following commands and adjust them to your needs. Use su to log in as root if you haven't or place sudo before every command. the $ represents the prompt in the terminal.2. Enable UFW. $ ufw enable This will enable the firewall and now you can add rules.3. Set the default behavior to deny all incoming and out going traffic. $ ufw default deny out $ ufw default deny in Now all in- and outgoing traffic will be blocked.4. Add a rule to allow traffic to your router (only if this is needed). $ ufw allow out to 192.168.178.0/24 This will allow traffic to the router/internal network which in this case is located on 192.168.178.0/24. If your computer has multiple network interfaces you can add the interface which you want to use. E.g. $ ufw allow out on eth0 to 192.168.178.0/24 This will allow only connections to the internal network/router on eth0. If eth0 is not connected and you use for example the wlan0 connection UFW will block the traffic and you will not be able to connect to the router/internal network, because only traffic from eth0 is allowed to connect to 192.168.178.0/24.5. Add a rule to allow traffic to 46.19.137.114 on port 443 with UDP traffic. This is the AirVPN_CH-Virginis_UDP-443 server. $ ufw allow out to 46.19.137.144 port 443 proto udp This will allow UDP traffic on port 443 to the Virginis server (=46.19.137.144). This is needed to connect to the VPN-server. You can add more than one VPN-server by repeating the above rule and adjust the IP-address to the server which you want to add. It is also possible to specify different port numbers. Just change the port number to the port number which is needed to connect to the VPN server. If the proto udp part is omitted then tcp and udp traffic is allowed and if it's changed to proto tcp then only tcp traffic is allowed.6. Add a rule to allow in- and outgoing traffic over tun0. This is the traffic from and to the VPN-server. $ ufw allow out on tun0 Now it's possible for an application like the browser to connect to different sites on the web. All the traffic will go through the vpn server.7. In the case that you use a bit-torrent client, you will also need to allow incoming traffic from the port which is specified by you in the bittorrent client (this is the port which is needed to allow peers/seeders to connect to the bit-torrent client (NAT). $ ufw allow in on tun0 from any to any port 54321 This will enable incoming traffic which is coming from different IP-addresses (the peers/seeders which want to connect to your client) to connect through the VPN-server connection (which is tun0 here). In this case port number 54321 is used, adjust it the correct port number!8. If you now enter. $ ufw status verbose You will get a numbered list which something like: Status: active Logging: off Default: deny (incoming), deny (outgoing) New profiles: skip To Action From -- ------ ---- 54321 on tun0 ALLOW IN Anywhere 192.168.178.0/24 ALLOW OUT Anywhere 46.19.137.114 443 ALLOW OUT Anywhere Anywhere ALLOW OUT Anywhere on tun0 This shows you which rules are applied and what the status of the firewall is. When you enter: $ ufw status numbered You will get a numbered list. It will look something like this: Status: active To Action From -- ------ ---- [ 1] 192.168.178.0/24 ALLOW OUT Anywhere (out) [ 2] 46.19.137.114 443 ALLOW OUT Anywhere (out) [ 3] Anywhere ALLOW OUT Anywhere on tun0 (out) [ 4] 54321 on tun0 ALLOW IN Anywhere This is a numbered list. It is important to know that the order of the rules is important. If you allow something with rule number 1 which allows for example all incoming and outgoing traffic, all the other rules which are specified after that will have no effect! And as a final notice I will also point to the possibility to delete and insert rules. If you enter: $ ufw delete 1 # and confirm of course Rule number 1 will be deleted and all the other rules which followed rule 1 will shift up in this example the list will look something like this (after $ ufw status numbered): Status: active To Action From -- ------ ---- [ 1] 46.19.137.114 443 ALLOW OUT Anywhere (out) [ 2] Anywhere ALLOW OUT Anywhere on tun0 (out) [ 3] 54321 on tun0 ALLOW IN Anywhere And if you want to add a rule on a specific spot it is possible by using the insert command. E.g. we want to add a second VPN-server so we can choose a different one in the case one is down (could happen you know :-)) or if we want options. The command would look like this; $ ufw insert 2 allow out to 119.81.1.122 port 443 proto tcp # this will add the SG-Sagittarii server Now on spot number 2 there is a new rule inserted. The other rules will shift down. We can generate a new list: $ ufw status numbered And the list will look like: Status: active To Action From -- ------ ---- [ 1] 46.19.137.114 443 ALLOW OUT Anywhere (out) [ 2] 119.81.1.122 443/tcp ALLOW OUT Anywhere (out) [ 3] Anywhere ALLOW OUT Anywhere on tun0 (out) [ 4] 54321 on tun0 ALLOW IN AnywhereThis concludes the tutorial. Use it to you benefit and I hope some thingsget a little bit clearer. Make the appropriate changes for you setup andexpand on it. And again the GUI version is nice, but the command-lineversion is beter, it only takes a little bit of time to get used to it. 4 1 mr.Rhee, InactiveUser, dx486 and 2 others reacted to this Quote Share this post Link to post
mr.Rhee 16 Posted ... Awesome how-to randombit. I'll go through & apply that tomorrow... Quote Share this post Link to post
mr.Rhee 16 Posted ... I installed ufw & gufw & had a bit of a go tonight. I had to modify the procedure some, as Manjaro (Arch) uses systemd. Even so, I have all sorts of errors going on. My problem I know. It looks like perhaps ufw won't tolerate IPv6 being disabled, by the look of this anyway: # ufw status WARN: / is world writable! WARN: / is group writable! Traceback (most recent call last): File "/usr/bin/ufw", line 95, in <module> ui = ufw.frontend.UFWFrontend(pr.dryrun) File "/usr/lib/python2.7/site-packages/ufw/frontend.py", line 153, in __init__ self.backend = UFWBackendIptables(dryrun) File "/usr/lib/python2.7/site-packages/ufw/backend_iptables.py", line 45, in __init__ ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files) File "/usr/lib/python2.7/site-packages/ufw/backend.py", line 88, in __init__ nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables) File "/usr/lib/python2.7/site-packages/ufw/util.py", line 734, in get_netfilter_capabilities raise OSError(errno.ENOENT, out) OSError: [Errno 2] ip6tables v1.4.20: can't initialize ip6tables table `filter': Address family not supported by protocol Perhaps ip6tables or your kernel needs to be upgraded. I'm running kernel: x86_64 Linux 3.12.5-1-MANJARO edit: I'm now running IPTables so the above is now unimportant to me. 1 RandEroge reacted to this Quote Share this post Link to post
michaeljordan 1 Posted ... Personally I'm using gufw for linux, and it works very well. However, it's important to remember that gufw is just a graphical frontend for ufw, and ufw, in turn, is just a friendlier system for manipulating IPTABLES (which is again a system for manipulating netfilter directly in the running kernel). Gufw is perhaps over simplified, which is why I find it not really that great for anything else than providing an overview of your rules and turning the firewall on an off.With regards to firestarter, I have tried it once, but I didn't really have any good experience with it, since, as you guys have already posted, it seems rather poorly coded and does some odd things when manipulating IPTABLES. What I found invaluable about ufw is its ability to specify rules based on interface and its simplictity even though its quite powerful. This was my main motivation for using it over other solutions like Firestarter, and Shorewall was too complicated for my taste. My rule approach goes like this:Allow connections OUT to AirVPN servers I use the most (for connecting/reconnecting to the AirVPN service, entry IP's, marked RED on the screenshot)Allow connections OUT FROM the tun0 interface TO anywhere (when I'm connected, this is the interface used to communicate to the Internet, marked GREEN on the screenshot)Allow connections (UDP/TCP) IN TO the tun0 interface to a specific port (to enable AirVPN's port forwarding feature, marked BLUE on the screeshot)Allow connections IN FROM the 192.168.1.0/24 network TO the eth0 interface (enable home networking. Notice how it's on a different interface, YELLOW)Allow connections OUT FROM the eth0 interface TO the 192.168.1.0/24 network (enable home networking, also on the eth0 interface, YELLOW) Block ALL other traffic (by choosing DENY/DENY in gufw) When the VPN drops (and the tun0 interface is disabled), the only connections allowed OUT from the computer are to the AirVPN server IP's (to reconnect) and the local 192.168.1.0/24 network (to still function in the LAN). And the only connections allowed TO the computer are from the local network as well. No leaks. Now, the gufw GUI doesn't allow for specifying the interface (remember, it's over simplified), so to do that, it's necessary to use ufw directly. Gufw can, however, display the rules when created by ufw.For example: "sudo allow out on tun0 from any to any" - is quite straightforward, and of course creates the rule that allows for communication TO the Internet when connected to AirVPN. "sudo allow in on tun0 from any to any port xxxxx" - enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through. Tips:- the order of the rules is very important - mimic mine on the screenshot attached- to add rules in a specific order from the command line, use "insert x": "sudo insert 3 allow in on tun0 from any to any port xxxxx" - inserts the rule at the 3rd position and moves rules below it downward, includin the previous rule nr 3.- when adding rules via the commandline, press F5 in gufw to force a refresh and view the newly added rule- the UFW manual is well worth reading, although you may not need any more information than offered in this post - with this approach, you're blocking multicasting addresses possibly forwarded by your router. Just a thing to have in mind in case you need it; it is of couse easily remedied by creating a new rule allowing the address(es). Let me know how this works for ya Isn't there a way to export those settings so we can just import them? 1 RandEroge reacted to this Quote Share this post Link to post