Ok, what I did...

I modified the last version of your script like this:
 

#!/bin/bash

# squid listen port: first argument, defaults to 3128
PORT=$1
if [ "$PORT" = "" ]; then PORT=3128; fi

# helper function: print word number N of the remaining arguments
token () {
N=$1
shift
eval echo \$${N}
}

echo
echo === scanning routing table to set VPN gateway variables ...

# determine VPN gateway interface name from the 0.0.0.0/1 route added by the VPN
# (the third word of that route line is taken as the tunnel interface name)
ip -4 route show
ROUTE4=`ip -4 route show 0.0.0.0/1`
#echo ROUTE4=$ROUTE4
GATEWAY_IF=`token 3 $ROUTE4`
echo GATEWAY_IF=$GATEWAY_IF

# determine VPN local IPv4 address (the "scope global" address on that interface)
ip -4 addr show dev $GATEWAY_IF
ADDR4=`ip -4 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL4=`token 2 $ADDR4`
# drop the "/prefix" part: squid wants a bare address
GATEWAY_LOCAL4=${GATEWAY_LOCAL4%%/*}
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4

# determine VPN local IPv6 address the same way
ip -6 addr show dev $GATEWAY_IF
ADDR6=`ip -6 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL6=`token 2 $ADDR6`
GATEWAY_LOCAL6=${GATEWAY_LOCAL6%%/*}
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6

NAME=squid_vpn_${PORT}

mkdir -p ~/Documents/VPNscripts/squid_service/tmp > /dev/null

# write a minimal squid configuration: outgoing traffic (and squid's own DNS)
# bound to the VPN addresses, listening on localhost only, no cache, no logs
cat <<EOF >~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf
tcp_outgoing_address $GATEWAY_LOCAL4
tcp_outgoing_address $GATEWAY_LOCAL6
udp_outgoing_address $GATEWAY_LOCAL4
udp_outgoing_address $GATEWAY_LOCAL6
# quad9 DNS
dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
#dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:${PORT}
pid_filename $HOME/Documents/VPNscripts/squid_service/tmp/${NAME}.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
cache deny all
access_log none
cache_store_log none
cache_log /dev/null
netdb_filename none
via off
forwarded_for delete
EOF

echo
echo === contents of squid configuration file ...

cat ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf

echo
echo === starting squid ...

pushd ~/Documents/VPNscripts/squid_service/tmp > /dev/null
SQUID_BIN=/usr/sbin/squid
echo SQUID_RUN=$SQUID_BIN
# kill any instance left over from a previous run (same config and pid file)
$SQUID_BIN -f ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf -N -k kill
# run squid in the foreground (-N); this line blocks until squid exits
$SQUID_BIN -f ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf -N -n SQUID${PORT}
popd > /dev/null

echo
echo === ... squid has stopped

Adding options to avoid logging, not even in the background.

I call this script at the end of vpn_gateway_route, so once the VPN is up the proxy starts. I remmed out the first instruction to kill squid because (see here) I put that at the end of vpn_gateway_show (hardcoded, as variables are not available, in any case I have no intention of changing the port, no big deal).

In Eddie I have three Events configured.

Session Start - launches vpn_gateway_hide
VPN Up - launches vpn_gateway_route (which ends by calling the proxy script above, activating the squid proxy)
Session End - launches vpn_gateway_show (which ends by killing the squid process)

In process monitor I see squid starting once the VPN is up and closing once the VPN is down. Together with the proxy extension on Firefox this is now pretty much seamless.

I couldn't have done anything without your help, nothing at all... so I remain immensely grateful. Thanks!

One thing that I'm pretty sure about is that this configuration leaks DNS requests somehow.

If I don't set any DNS at all in Eddie (DNS Switch mode disabled) I see my home router DNS there.
If I set DNS in Eddie (Automatic switch mode, while adding quad9 DNS addresses), I see in IPleak a mix of DNS addresses from my country and from the VPN's exit point country. Not my home router DNS (which I set to Cloudflare to avoid confusion in the analysis).

Thought it was worth mentioning.

But again: thank you!

On 4/12/2023 at 5:35 AM, tranquivox69 said:
...

One thing that I'm pretty sure about is that this configuration leaks DNS requests somehow.

If I don't set any DNS at all in Eddie (DNS Switch mode disabled) I see my home router DNS there.
If I set DNS in Eddie (Automatic switch mode, while adding quad9 DNS addresses), I see in IPleak a mix of DNS addresses from my country and from the VPN's exit point country. Not my home router DNS (which I set to Cloudflare to avoid confusion in the analysis).

Thought it was worth mentioning.

But again: thank you!

EDIT: I know now that this leak is coming from Firefox. Not SQUID. If you set "DNS over HTTPS" to "https://dns.google/dns-query" while everything else points somewhere else, then the "leak" is to Google. So Firefox is doing DNS lookups without relying on SQUID.

Yeah. I think the binding to the specified UDP outgoing address, which is used for DNS, is not fully respected by the DNS module in squid. At some point it makes a DNS lookup request in the usual way which will use the default DNS server.

I didn't want to put you off. I don't see this as a big issue. Particularly if you set the default DNS for your system to Cloudflare, Google or Quad9. That is actually why I suggested it.

If I feel energetic sometime I will chase it down. But then I would have to compile squid myself. I doubt I would ever convince the development team to incorporate some fix I offered.

I will look at the scripts to see if I can make the scanning for addresses more bullet-proof. I don't like that these work with Eddie but not openvpn or wg-quick. I would like to believe they will work with any VPN client/wrapper.
 

1 hour ago, NaDre said:

I didn't want to put you off. I don't see this as a big issue. Particularly if you set the default DNS for your system to Cloudflare, Google or Quad9. That is actually why I suggested it.


Oh, don't worry! It's in my nature to try to understand things, so I investigate and report. That doesn't have to lead to any action. Considering the huge amount of time you've dedicated to help me... I feel the least I can do is test stuff thoroughly. I have to say I'm quite proud of the current solution I have, which wouldn't have been possible without your huge help and coding.

Looking at the code, the thing that stopped me from getting the gateways in an automated way was solved through %%/*
Is that a regular expression or something similar?

Next step, I'll try by myself, is seeing whether I can do something similar when using Wireguard protocol from Eddie. But that's not "urgent" (nothing was but still...).

Edit: also thanks for Quad9, which I wasn't familiar with. Seems ideal for VPN use.

1 hour ago, tranquivox69 said:
...
Looking at the code, the thing that stopped me from getting the gateways in an automated way was solved through %%/*
Is that a regular expression or something similar?
...

Yes. String manipulation. Drops "/" and anything following it from the end of the string. squid did not like having the subnet mask.

It is a bash-ism. A bash extension from what a POSIX compliant shell needs to provide. Do "man bash". For background scripts I usually try to use "/bin/sh" rather than "/bin/bash". Bash is huge. All kinds of bells and whistles. But I could not remember how to do that string trick in "/bin/sh".

I will probably look at how to use "/bin/sh" in that script too.
 

44 minutes ago, NaDre said:
...

It is a bash-ism.
...

Oops. I lied. %% is not a bash-ism. But "pushd" used in that script is. So I will change that in order to use "/bin/sh".
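The same extraction written for plain /bin/sh, as an added example that is not the thread's own script: ${var%%/*} for the prefix strip asked about above, positional parameters instead of eval for picking a word out of a line, and a subshell in place of the pushd/popd bash-ism. The ip output it parses is a constructed sample with made-up addresses.

```shell
#!/bin/sh
# Added example, not code from this thread: the same address extraction
# written with POSIX sh features only, so it runs under /bin/sh (dash too).

# Drop "/" and everything after it: "10.4.0.5/24" -> "10.4.0.5".
# ${var%%pattern} is POSIX parameter expansion (a glob pattern, not a regex).
strip_mask() {
    printf '%s\n' "${1%%/*}"
}

# Print word N of a line without eval: "set --" reloads the positional
# parameters from the line, then we shift N-1 of them away and print $1.
token() {
    n=$1
    set -- $2
    shift $((n - 1))
    printf '%s\n' "$1"
}

# From the text of "ip -4 addr show dev <if>" (or -6), return the address
# of the first "scope global" line, without the prefix length.
global_addr() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            *" scope global"*) strip_mask "$(token 2 "$line")"; break ;;
        esac
    done
}

# pushd/popd are bash-only; a subshell does the same job in plain sh:
# the directory change dies with the subshell, so no popd is needed.
run_in() {
    ( cd "$1" && shift && "$@" )
}

# Constructed sample output of "ip addr show dev tun0" (addresses made up).
SAMPLE4='8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.4.0.5/24 scope global tun0
       valid_lft forever preferred_lft forever'
SAMPLE6='8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet6 fd7d:76ee:e68f:a993::1005/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:5678:9abc:def0/64 scope link stable-privacy
       valid_lft forever preferred_lft forever'

# Demo: in the real script these would come from "ip -4 addr show dev $GATEWAY_IF".
printf 'GATEWAY_LOCAL4=%s\n' "$(global_addr "$SAMPLE4")"   # 10.4.0.5
printf 'GATEWAY_LOCAL6=%s\n' "$(global_addr "$SAMPLE6")"   # fd7d:76ee:e68f:a993::1005
```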
 

22 hours ago, tranquivox69 said:

I remmed out the first instruction to kill squid because I put that at the end of vpn_gateway_show

A partial mistake. The instruction needs to stay there, because, if Eddie has to switch server, things get messed up for the proxy. It stays there but, at the same time, I leave it at the end of vpn_gateway_show, so as not to leave a useless process if I close the VPN. I modified that post and linked to this one for explanation.

16 hours ago, NaDre said:

Drops "/" and anything following it from the end of the string. squid did not like having the subnet mask.

Yeah, I got that squid did not want that there... I simply did not know how to manipulate the string 😕

Edit: also... a day has passed, finally a good night of sleep and... god, these few days, your huge help, brought me back to the days when the internet was an incredible and wonderful place. It can still be and you showed me that. Thanks for that too.

3 hours ago, tranquivox69 said:
... brought me back to the days when the internet was an incredible and wonderful place. ...

Hacking can be a good hobby. Just don't try doing it for a living. It won't be as much fun.
 

On 4/12/2023 at 5:42 PM, tranquivox69 said:

Next step, I'll try by myself, is seeing whether I can do something similar when using Wireguard protocol from Eddie. But that's not "urgent" (nothing was but still...).

Ended up not even trying Wireguard, as with the current OpenVPN based setup my gigabit bandwidth gets saturated anyway.
I'm astonished at the speed improvement brought by Linux when compared to Windows. Even more so considering I'm using a far less powerful processor.

On 4/13/2023 at 3:43 PM, NaDre said:

Hacking can be a good hobby. Just don't try doing it for a living. It won't be as much fun.
 
Hi NaDre. I've discovered that I need to open my torrent client port on Linux Mint firewall to be connectable. Is this expected behavior? I was led to believe that that was a Windows only thing.

If I disable the events-based scripts, the port is seen as open for IPv4 but not for IPv6. If I have the scripts active (and the port open in the firewall), both IPv4 and IPv6 report the port as open and client as connectable.

This is how Eddie is configured for networking:

[screenshot: Eddie networking configuration]

And this is the port forwarding configuration, here on AirVPN website:

[screenshot: AirVPN port forwarding configuration]
 

2 hours ago, tranquivox69 said:
Hi NaDre. I've discovered that I need to open my torrent client port on Linux Mint firewall to be connectable. Is this expected behavior? I was led to believe that that was a Windows only thing.

If I disable the events-based scripts, the port is seen as open for IPv4 but not for IPv6. If I have the scripts active (and the port open in the firewall), both IPv4 and IPv6 report the port as open and client as connectable.

...

If you have UFW ("Uncomplicated Firewall") installed, then I think you will need to do something. It seems to set up an elaborate set of netfilter/nftables rules that block things by default.

It seems that many distros install UFW by default now. Same when you set up a VPS. I just remove it. I am familiar with Netfilter/iptables/nftables. I just do what I feel I need for myself. But then I am probably a dinosaur.

I am not sure what you mean by "event-based scripts". If you mean that you did not set up the source-address routing, then I am not surprised things did not work. All of my experience says this is needed.
 

18 minutes ago, NaDre said:

If you have UFW ("Uncomplicated Firewall") installed, then I think you will need to do something. It seems to set up an elaborate set of netfilter/nftables rules that block things by default.

It seems that many distros install UFW by default now. Same when you set up a VPS. I just remove it. I am familiar with Netfilter/iptables/nftables. I just do what I feel I need for myself. But then I am probably a dinosaur.

On Mint I found GUFW installed by default and I use that https://costales.github.io/projects/gufw/. And unless I misunderstand things, yeah, it's a GUI for UFW.
 
20 minutes ago, NaDre said:

I am not sure what you mean by "event-based scripts". If you mean that you did not set up the source-address routing, then I am not surprised things did not work. All of my experience says this is needed.


No, no, I am using the source-address routing scripts. I wrote event-based because they are set up like this:

[screenshot: Eddie event configuration]

58 minutes ago, tranquivox69 said:
...
No, no, I am using the source-address routing scripts. I wrote event-based because they are set up like this:
...
3 hours ago, tranquivox69 said:
...
If I disable the events-based scripts, the port is seen as open for IPv4 but not for IPv6. If I have the scripts active (and the port open in the firewall), both IPv4 and IPv6 report the port as open and client as connectable.
...

So you meant that when you try just using the VPN as the default gateway, then IPv6 seems not to be forwarded? You could temporarily disable UFW and try again. Just to see if UFW is still doing something strange.
 

4 hours ago, NaDre said:

So you meant that when you try just using the VPN as the default gateway, then IPv6 seems not to be forwarded? You could temporarily disable UFW and try again. Just to see if UFW is still doing something strange

What happens is:

Using the scripts
If I don't open the relevant port in the firewall, the torrent client is not connectable. The port appears closed to the outside, checked with AirVPN tool here on the website.
If I open the relevant port in the firewall, the torrent client is connectable and the port is open on both IPv4 and IPv6.

Not using the scripts
If I don't open the relevant port in the firewall, the torrent client is connectable and the port appears open for IPv4 but closed for IPv6.

I guess the question is: do I risk anything by opening the port on UFW? To note: on Windows I had always needed to open the port on the Windows Firewall, when using similar scripts for routing.

9 minutes ago, tranquivox69 said:
...

I guess the question is: do I risk anything by opening the port on UFW? To note: on Windows I had always needed to open the port on the Windows Firewall, when using similar scripts for routing.

In Windows you could restrict access to the port to qBittorrent itself. In Linux the port will be accessible by any program that listens on that port. So perhaps a little more risky. But you do want to be connectable. I think the risk is pretty tiny. There are ways to see everything that is listening - "sudo ss -lutp" on the command line for example. Get rid of anything you don't really need.
 

On 6/23/2023 at 9:51 PM, NaDre said:

In Windows you could restrict access to the port to qBittorrent itself. In Linux the port will be accessible by any program that listens on that port. So perhaps a little more risky. But you do want to be connectable. I think the risk is pretty tiny. There are ways to see everything that is listening - "sudo ss -lutp" on the command line for example. Get rid of anything you don't really need.
 

I'm not sure if I get what you mean correctly, but listening on qBittorrent's port I see only qBittorrent, using the command you suggested. Which I suppose is how it's supposed to be.


Need help, new to AirVPN. I was with Mullvad before and split tunneling on Windows was easy. Now with AirVPN, I need to exclude Steam completely from the VPN, and also TruckersMP (it's a multiplayer mod for a game; when it detects I use a VPN, they kick me out because they think I'm trying to ban evade). The problem is there's no way to know their IP addresses, because they want to avoid DDoS, so the exact IPs of the game servers are kept secret; we only know most of them are located in Europe.

On 4/12/2023 at 4:32 PM, NaDre said:

EDIT: I know now that this leak is coming from Firefox. Not SQUID. If you set "DNS over HTTPS" to "https://dns.google/dns-query" while everything else points somewhere else, then the "leak" is to Google. So Firefox is doing DNS lookups without relying on SQUID.

Yeah. I think the binding to the specified UDP outgoing address, which is used for DNS, is not fully respected by the DNS module in squid. At some point it makes a DNS lookup request in the usual way which will use the default DNS server.

I didn't want to put you off. I don't see this as a big issue. Particularly if you set the default DNS for your system to Cloudflare, Google or Quad9. That is actually why I suggested it.

If I feel energetic sometime I will chase it down. But then I would have to compile squid myself. I doubt I would ever convince the development team to incorporate some fix I offered.

I will look at the scripts to see if I can make the scanning for addresses more bullet-proof. I don't like that these work with Eddie but not openvpn or wg-quick. I would like to believe they will work with any VPN client/wrapper.
 

Hi NaDre. Spent some time investigating these DNS leaks. As far as I can tell, setting network.trr.mode to 3 in Firefox seems to solve the issue. I set up Quad9 as DNS through network.trr.uri and I only see Quad9 addresses in DNS calls, none from my actual country.

On 7/5/2023 at 6:32 PM, JohnDoe1941 said:

Need help, new to AirVPN. I was with Mullvad before and split tunneling on Windows was easy. Now with AirVPN, I need to exclude Steam completely from the VPN, and also TruckersMP (it's a multiplayer mod for a game; when it detects I use a VPN, they kick me out because they think I'm trying to ban evade). The problem is there's no way to know their IP addresses, because they want to avoid DDoS, so the exact IPs of the game servers are kept secret; we only know most of them are located in Europe.

https://github.com/TunnlTo 
