
iptables on router setup question for airvpn


Hello, I'm a new airvpn user. I run Tomato USB on my router and have iptables set up on the router to limit the WAN IP addresses one of my LAN clients can talk with. The idea is if my VPN client drops, no more data will go OUT from this particular client through my public IP. The router should still forward all WAN traffic IN to this client but the client won't respond with any data.


I had this working well with my previous VPN provider and I think the iptables rules below are what's needed for airvpn. But I've had 2 disconnections in about 2 days since I joined airvpn and am wondering if there's another airvpn IP I need to include in my list below to have a stable connection. If I drop again, I'll be sure to copy the log and post in the forums for help. But maybe there's something with my iptables that needs tweaking; tia.


# iptables on router with tomato usb firmware
# for LAN client [lan client mac address] only allow outgoing traffic to WAN airvpn.org and vpn server
iptables -I FORWARD 1 -m mac --mac-source [lan client mac address] -d [airvpn.org ip address] -j ACCEPT
iptables -I FORWARD 2 -m mac --mac-source [lan client mac address] -d [airvpn server ip address] -j ACCEPT
iptables -I FORWARD 3 -m mac --mac-source [lan client mac address] -j DROP




Just as a preliminary check, there's a very important difference between our service and (as far as we know) all the others: the entry-IP and the exit-IP of our servers are not the same. This is very important for security reasons and fixes the notorious vulnerability to some types of correlation attacks which affect most VPN services with shared IP addresses. Therefore, to begin with, check that the Air server IP you specify in the FORWARD chain is the entry-IP, not the exit-IP.


You can determine the entry-IP of each server by looking at the line "remote" of the configuration file (generated by the Config Generator) or ask us directly (not in the forum, entry-IP addresses normally are not published here).


Kind regards
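
One way to apply the check described in the reply above, as an added example that is not part of the original thread: a POSIX shell helper that reads the "remote" lines of a generated OpenVPN config and prints FORWARD rules in the form used in the first post, so the allowed destination is the entry-IP. The function names, MAC address and IP addresses are constructed for illustration; the airvpn.org rule from the first post is not generated here.

```shell
#!/bin/sh
# Added example. MAC and IPs are constructed (RFC 5737 documentation ranges).

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 literal.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules MAC CONFIG: print (not run) the FORWARD rules that let MAC reach
# only the entry-IPs on the config's "remote" lines, then drop the rest.
gen_rules() {
    mac=$1; conf=$2; pos=1; cr=$(printf '\r')
    while read -r directive host _rest; do
        [ "$directive" = "remote" ] || continue
        host=${host%"$cr"}               # tolerate CRLF config files
        if is_ipv4 "$host"; then
            echo "iptables -I FORWARD $pos -m mac --mac-source $mac -d $host -j ACCEPT"
            pos=$((pos + 1))
        else
            # iptables resolves a hostname once, at insert time, so a name
            # here would not pin the rule to the entry-IP; report and skip it.
            echo "skipped non-literal remote: $host" >&2
        fi
    done < "$conf"
    # With no usable remote, refuse to emit a lone DROP that looks complete.
    [ "$pos" -gt 1 ] || return 1
    echo "iptables -I FORWARD $pos -m mac --mac-source $mac -j DROP"
}

# Constructed sample config: two literal remotes, one hostname, one CRLF line.
sample_config() {
    printf 'client\ndev tun\nproto udp\n'
    printf 'remote 192.0.2.10 443\n'
    printf 'remote vpn.example.invalid 443\n'
    printf 'remote 198.51.100.7\r\n'
}

tmp=$(mktemp)
sample_config > "$tmp"
gen_rules 00:11:22:33:44:55 "$tmp"
rm -f "$tmp"
```

The rules are only printed, so they can be compared against the entry-IP in the config before being pasted into the router's firewall script.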
