Jump to content
Not connected, Your IP: 44.210.149.205

Recommended Posts

Ok, what I did...

I modified the last version of your script like this:
 

#!/bin/bash

PORT=$1
if [ "$PORT" = "" ]; then PORT=3128; fi

# helper function
token () {
N=$1
shift
eval echo \$${N}
}

echo
echo === scanning routing table to set VPN gateway variables ...

# determine VPN gateway IPv4 address and interface name
ip -4 route show
ROUTE4=`ip -4 route show 0.0.0.0/1`
#echo ROUTE4=$ROUTE4
GATEWAY_IF=`token 3 $ROUTE4`
echo GATEWAY_IF=$GATEWAY_IF

# determine VPN local IPv4 address
ip -4 addr show dev $GATEWAY_IF
ADDR4=`ip -4 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL4=`token 2 $ADDR4`
GATEWAY_LOCAL4=${GATEWAY_LOCAL4%%/*}
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4
ip -6 addr show dev $GATEWAY_IF
# determine VPN local IPv6 address
ADDR6=`ip -6 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL6=`token 2 $ADDR6`
GATEWAY_LOCAL6=${GATEWAY_LOCAL6%%/*}
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6

NAME=squid_vpn_${PORT}

mkdir -p ~/Documents/VPNscripts/squid_service/tmp > /dev/null

cat <<EOF >~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf
tcp_outgoing_address $GATEWAY_LOCAL4
tcp_outgoing_address $GATEWAY_LOCAL6
udp_outgoing_address $GATEWAY_LOCAL4
udp_outgoing_address $GATEWAY_LOCAL6
# quad9 DNS
dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
#dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:${PORT}
pid_filename $HOME/Documents/VPNscripts/squid_service/tmp/${NAME}.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
cache deny all
access_log none
cache_store_log none
cache_log /dev/null
netdb_filename none
via off
forwarded_for delete
EOF

echo
echo === contents of squid configuration file ...

cat ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf

echo
echo === starting squid ...

pushd ~/Documents/VPNscripts/squid_service/tmp > /dev/null
SQUID_BIN=/usr/sbin/squid
echo SQUID_RUN=$SQUID_BIN
$SQUID_BIN -f ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf -N -k kill
$SQUID_BIN -f ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf -N -n SQUID${PORT}
popd > /dev/null

echo
echo === ... squid has stopped
Adding options to avoid logging, not even in background.

I call this script at the end of vpn_gateway_route, so once the VPN is up the proxy starts. I remmed out the first instruction to kill squid because (see here) I put that at the end of vpn_gateway_show (hardcoded, as variables are not available, in any case I have no intention of changing the port, no big deal).

In Eddie I have three Events configured.

Session Start - launches vpn_gateway_hide
VPN Up - launches vpn_gateway_ route (which ends by calling the proxy script above, activating squid proxy)
Session End - launches vpn_gateway_show (which ends by killing the squid process)

In process monitor I see squid starting once the VPN is up and closing once the VPN is down. Together with the proxy extension on Firefox this is now pretty much seamless.

I couldn't have done anything without your help, nothing at all... so I remain immensely grateful. Thanks!

One thing that I'm pretty sure about is that this configuration leaks DNS requests somehow.

If I don't set any DNS at all in Eddie (DNS Switch mode disabled) I see my home router DNS there.
If I set DNS in Eddie (Automatic switch mode, while adding quad9 DNS addresses), I see in IPleak a mix of DNS addresses from my country and from the VPN's exit point country. Not my home router DNS (which I set to Cloudflare to avoid confusion in the analysis).

Thought it was worth mentioning.

But again: thank you!

Share this post


Link to post
On 4/12/2023 at 5:35 AM, tranquivox69 said:
...

One thing that I'm pretty sure about is that this configuration leaks DNS requests somehow.

If I don't set any DNS at all in Eddie (DNS Switch mode disabled) I see my home router DNS there.
If I set DNS in Eddie (Automatic switch mode, while adding quad9 DNS addresses), I see in IPleak a mix of DNS addresses from my country and from the VPN's exit point country. Not my home router DNS (which I set to Cloudflare to avoid confusion in the analysis).

Thought it was worth mentioning.

But again: thank you!

EDIT: I know now that this leak is coming from Firefox. Not SQUID. If you set "DNS over HTTPS" to "https://dns.google/dns-query" while everything else points somewhere else, then the "leak" is to Google. So Firefox is doing DNS look ups without relying on SQUID.

Yeah. I think the binding to the specified UDP outgoing address, which is used for DNS, is not fully respected by the DNS module in squid. At some point it makes a DNS look up request in the usual way which will use the default DNS server.

I didn't want to put you off. I don't see this as a big issue. Particularly if you set the default DNS for your system to Cloudflare, Google or Quad9. That is actually why I suggested it.

If I feel energetic sometime I will chase it down. But then I would have to compile squid myself. I doubt I would ever convince the development team to incorporate some fix I offered.

I will look at the scripts to see if I can make the scanning for addresses more bullet-proof. I don't like that these work with Eddie but not openvpn or wq-quick. I would like to believe they will work with any VPN client/wrapper.
 

Share this post


Link to post
1 hour ago, NaDre said:

I didn't want to put you off. I don't see this as a big issue. Particularly if you set the default DNS for your system to Cloudflare, Google or Quad9. That is actually why I suggested it.


Oh, don't worry! It's in my nature to try to understand things, so I investigate and report. That doesn't have to lead to any action. Considering the huge amount of time you've dedicated to help me... I feel the least I can do is test stuff thoroughly. I have to say I'm quite proud of the current solution I have, which wouldn't have been possible without your huge help and coding.

Looking at the code, the thing that stopped me from getting the gateways in an automated way was solved through %%/*
Is that a regular expression or something similar?

Next step, I'll try by myself, is seeing whether I can do something similar when using Wireguard protocol from Eddie. But that's not "urgent" (nothing was but still...).

Edit: also thanks for Quad9, which I wasn't familiar with. Seems ideal for VPN use.

Share this post


Link to post
1 hour ago, tranquivox69 said:
...
Looking at the code, the thing that stopped me from getting the gateways in an automated way was solved through %%/*
Is that a regular expression or something similar?
...

Yes. String manipulation. Drops "/" and anything following it from the end of the string. squid did not like having the subnet mask.

It is a bash-ism. A bash extension from what a POSIX compliant shell needs to provide. Do "man bash". For background scripts I usually try to use "/bin/sh" rather than "/bin/bash". Bash is huge. All kinds of bells and whistles. But I could not remember how to do that string trick in "/bin/sh".

I will probably look at how to use "/bin/sh" in that script too.
 

Share this post


Link to post
44 minutes ago, NaDre said:
...

It is a bash-ism.
...

Oops. I lied. %% is not a bash-ism. But "pushd" used in that script is. So I will change that in order to use "/bin/sh".
 

Share this post


Link to post
22 hours ago, tranquivox69 said:

I remmed out the first instruction to kill squid because I put that at the end of vpn_gateway_show

A partial mistake. The instruction needs to stay there, because, if Eddie has  to switch server, things get messed up for the proxy. It stays there but, at the same time, I leave it at the end of vpn_gateway_show, so as not to leave a useless process if I close the VPN. I modified that post and linked to this one for explanation.

Share this post


Link to post
16 hours ago, NaDre said:

Drops "/" and anything following it from the end of the string. squid did not like having the subnet mask.

Yeah, I got that squid did not want that there... I simply did not know how to manipulate the string 😕

Edit: also... a day has passed, finally a good night of sleep and... god, these few days, your huge help, brought me back to the days when the internet was an incredible and wonderful place. It can still be and you showed me that. Thanks for that too.

Share this post


Link to post
3 hours ago, tranquivox69 said:
... brought me back to the days when the internet was an incredible and wonderful place. ...

Hacking can be a good hobby. Just don't try doing it for a living. It won't be as much fun.
 

Share this post


Link to post
On 4/12/2023 at 5:42 PM, tranquivox69 said:

Next step, I'll try by myself, is seeing whether I can do something similar when using Wireguard protocol from Eddie. But that's not "urgent" (nothing was but still...).

Ended up not even trying Wireguard, as with the current OpenVPN based setup my gigabit bandwidth gets saturated anyway.
I'm astonished at the speed improvement brought by Linux when compared to Windows. Even more so considering I'm using a far less powerful processor.

Share this post


Link to post
On 4/13/2023 at 3:43 PM, NaDre said:

Hacking can be a good hobby. Just don't try doing it for a living. It won't be as much fun.
 
Hi NaDre. I've discovered that I need to open my torrent client port on Linux Mint firewall to be connectable. Is this expected behavior? I was led to believe that that was a Windows only thing.

If I disable the events-based scripts, the port is seen as open for IPv4 but not for IPv6. If I have the scripts active (and the port open in the firewall), both IPv4 and IPv6 report the port as open and client as connectable.

This is how Eddie is configured for networking:

image.png.b7d678db98c3fd360fcda643929331ca.png

And this is the port forwarding configuration, here on AirVPN website:

image.png.af3d525c7399f1b1848717985e6bfe0c.png
 

Share this post


Link to post
2 hours ago, tranquivox69 said:
Hi NaDre. I've discovered that I need to open my torrent client port on Linux Mint firewall to be connectable. Is this expected behavior? I was led to believe that that was a Windows only thing.

If I disable the events-based scripts, the port is seen as open for IPv4 but not for IPv6. If I have the scripts active (and the port open in the firewall), both IPv4 and IPv6 report the port as open and client as connectable.

...

If you have UFW ("Uncomplicated Firewall") installed, then I think you will need to do something. It seems to set up an elaborate set of netfilter/nftables rules that block things by default.

It seems that many distros install UFW by default now. Same when you set up a VPS. I just remove it. I am familiar with Netfilter/iptables/nftables. I just do what I feel I need for myself. But then I am probably a dinosaur.

I am not sure what you mean by "event-based scripts". If you mean that you did not set up the source-address routing, then I am not surprised things did not work. All of my experience says this is needed.
 

Share this post


Link to post
18 minutes ago, NaDre said:

If you have UFW ("Uncomplicated Firewall") installed, then I think you will need to do something. It seems to set up an elaborate set of netfilter/nftables rules that block things by default.

It seems that many distros install UFW by default now. Same when you set up a VPS. I just remove it. I am familiar with Netfilter/iptables/nftables. I just do what I feel I need for myself. But then I am probably a dinosaur.

On Mint I found GUFW installed by default and I use that https://costales.github.io/projects/gufw/. And unless I misunderstand things, yeah, it's a GUI for UFW.
 
20 minutes ago, NaDre said:

I am not sure what you mean by "event-based scripts". If you mean that you did not set up the source-address routing, then I am not surprised things did not work. All of my experience says this is needed.


No, no, I am using the source-address routing scripts. I wrote event-based because they are set up like this:

image.png.e54908763edfd6b2f7316cf8bd0e30e1.png

Share this post


Link to post
58 minutes ago, tranquivox69 said:
...
No, no, I am using the source-address routing scripts. I wrote event-based because they are set up like this:
...
3 hours ago, tranquivox69 said:
...
If I disable the events-based scripts, the port is seen as open for IPv4 but not for IPv6. If I have the scripts active (and the port open in the firewall), both IPv4 and IPv6 report the port as open and client as connectable.
...

So you meant that when you try just using the VPN as the default gateway, then IPv6 seems not to be forwarded? You could temporarily disable UFW and try again. Just to see if UFW is still doing something strange.
 

Share this post


Link to post
4 hours ago, NaDre said:

So you meant that when you try just using the VPN as the default gateway, then IPv6 seems not to be forwarded? You could temporarily disable UFW and try again. Just to see if UFW is still doing something strange

What happens is:

Using the scripts
If I don't open the relevant port in the firewall, the torrent client is not connectable. The port appears closed to the outside, checked with AirVPN tool here on the website.
If I open the relevant port in the firewall, the torrent client is connectable and the port is open on both IPv4 and IPv6.

Not using the scripts
If I don't open the relevant port in the firewall, the torrent client is connectable and the port appears open for IPv4 but closed for IPv6

I guess the question is: do I risk anything by opening the port on UFW? To note: on Windows I had always needed to open the port on the Windows Firewall, when using similar scripts for routing.

Share this post


Link to post
9 minutes ago, tranquivox69 said:
...

I guess the question is: do I risk anything by opening the port on UFW? To note: on Windows I had always needed to open the port on the Windows Firewall, when using similar scripts for routing.

In Windows you could restrict access to the port to qBittorrent itself. In Linux the port will accessible by any program that listens on that port. So perhaps a little more risky. But you do want to be connectable. I think the risk is pretty tiny. There are ways to see everything that is listening - "sudo ss -lutp" on the  command line for example. Get rid of anything you don't really need.
 

Share this post


Link to post
On 6/23/2023 at 9:51 PM, NaDre said:

In Windows you could restrict access to the port to qBittorrent itself. In Linux the port will accessible by any program that listens on that port. So perhaps a little more risky. But you do want to be connectable. I think the risk is pretty tiny. There are ways to see everything that is listening - "sudo ss -lutp" on the  command line for example. Get rid of anything you don't really need.
 

I'm not sure if I get what you mean correctly but listening on qBittorrent's port I see only qBittorrent, using the command you suggested. Which I suppose it's how it's supposed to be.

Share this post


Link to post

Need help, new to airvpn, I was with mullvad before and split tunneling on windows was easy, Now with airvpn, I need to exclude steam completely from the VPN, also need to exclude TruckersMP (its a multiplayer mod for a game, when it detects I use a VPN, they kick me out because they think I try to ban evade) the problem is, there's no ways to know their IP addresses because they want to avoid DDOS so the exact IP of the game servers are kept a secret, we only know they are located in europe for most of them.

Share this post


Link to post
On 4/12/2023 at 4:32 PM, NaDre said:

EDIT: I know now that this leak is coming from Firefox. Not SQUID. If you set "DNS over HTTPS" to "https://dns.google/dns-query" while everything else points somewhere else, then the "leak" is to Google. So Firefox is doing DNS look ups without relying on SQUID.

Yeah. I think the binding to the specified UDP outgoing address, which is used for DNS, is not fully respected by the DNS module in squid. At some point it makes a DNS look up request in the usual way which will use the default DNS server.

I didn't want to put you off. I don't see this as a big issue. Particularly if you set the default DNS for your system to Cloudflare, Google or Quad9. That is actually why I suggested it.

If I feel energetic sometime I will chase it down. But then I would have to compile squid myself. I doubt I would ever convince the development team to incorporate some fix I offered.

I will look at the scripts to see if I can make the scanning for addresses more bullet-proof. I don't like that these work with Eddie but not openvpn or wq-quick. I would like to believe they will work with any VPN client/wrapper.
 

Hi Nadre. Spent some time investigating these DNS leaks. As far as I can tell, setting network.trr.mode to 3 in Firefox seems to solve the issue. I set up Quad9 as DNS through network.trr.uri and I only see Quad9 addresses in DNS calls, none from my actual country.

Share this post


Link to post
On 7/5/2023 at 6:32 PM, JohnDoe1941 said:

Need help, new to airvpn, I was with mullvad before and split tunneling on windows was easy, Now with airvpn, I need to exclude steam completely from the VPN, also need to exclude TruckersMP (its a multiplayer mod for a game, when it detects I use a VPN, they kick me out because they think I try to ban evade) the problem is, there's no ways to know their IP addresses because they want to avoid DDOS so the exact IP of the game servers are kept a secret, we only know they are located in europe for most of them.

https://github.com/TunnlTo 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...