
Leaderboard


Popular Content

Showing content with the highest reputation on 06/01/19 in all areas

  1. 2 points
    Android does not include integrated support for OpenVPN servers. That's why you need an app which uses the VpnService API introduced in Android 4.0. Regarding port forwarding: Go to Client Area > Forwarded Ports and simply click on the +Add button. It will forward a random port for you, let's say, it's 9000. Then configure your P2P client to use the port it forwarded for you, in this case 9000.
  2. 1 point
    Staff

    2019 1st and 2nd quarter report

    Hello! Transparency report.

    NGOs, persons or entities in general whose public activities are compatible with our mission and that we decided to help, according to the limits set by our resources and the commitments to our customers, during the first half of 2019, in alphabetical order:

    - AccessNow, for the steadfast activity aimed to defend and extend the digital rights of users at risk around the world.
    - Caitlin Johnstone, for her commitment to totally independent journalism, for publishing non-copyrighted articles and for her fight against censorship in the pursuit of truth.
    - Chelsea Manning (through her legal defense fund), for having put freedom of expression and the right to access and make information public pertaining to war crimes on a level higher than her personal safety and freedom with exceptional courage and moral integrity.
    - Electronic Frontier Foundation, for outstanding support of civil liberties and fundamental rights in the digital and non-digital world through correct and precise information, pro bono legal activities and support inside and outside courts, and development of valuable open source software tools.
    - Mastodon, for the ongoing development of an open source software project which has the potential to significantly enhance freedom of expression and privacy in a "social network" environment.
    - Tor nodes and Tor Project, for their effective and invaluable ability to enhance privacy and bypass censorship in the digital world, through open source software, in ways easily available to any Internet-connected citizen in the world.
    - WikiLeaks, for having revolutionized the world of journalism with unprecedented courage, through a nonprofit organization, in spite of the enormous risks derived by such a disruptive activity.

    Please consult our mission web page for details and additional information, as well as other entities supported by AirVPN in periods earlier than 2019: https://airvpn.org/mission

    NOTE

    During the first half of 2019, Amnesty International, for its long standing activities in protection of the right to a due and fair process, freedom of expression and other human rights, had been taken into serious consideration and donations had been planned. However, new events have caused concern and disappointment to AirVPN founders. AirVPN founders deem that Amnesty International decision to not consider Chelsea Manning and Julian Assange as prisoners of conscience is unfair and factually wrong. AirVPN founders also deem that Amnesty International decision to not pursue any active work in defense of Manning and Assange requires a serious re-consideration about the compatibility of Amnesty International activities with AirVPN mission. https://www.wsws.org/en/articles/2019/05/23/assa-m23.html

    In the course of 2019, in case Amnesty is not going to change the aforementioned decisions, donation funds for Amnesty will be re-allocated to support different NGOs or entities.

    EDIT: position of Amnesty International changed on late February 2020: https://www.amnesty.org/en/get-involved/take-action/julian-assange-usa-justice/ when Amnesty asked: thus recognizing that Assange is a political prisoner, as he is charged for his publishing activities.

    Kind regards and datalove
    AirVPN
  3. 1 point
    Hello! Today we're starting AirVPN ninth birthday celebrations! From a two servers service located in a single country providing a handful of Mbit/s, the baby has grown up to a wide infrastructure in 22 countries in three continents, providing now 230,000+ Mbit/s to tens of thousands of people around the world. Software related development has also been powered up. Eddie Android edition is now a fully mature application which features an exclusive best effort method to prevent traffic leaks and a complete integration with AirVPN. In 2019 AirVPN has also started operating in South America, on top of Asia, Europe and North America, and the infrastructure has grown significantly, counting now on more than 260 bare metal servers, whose traffic is mainly powered by tier1 and tier2 transit providers. AirVPN has also become recently an EFF "Super Major Donor" member. Furthermore, and we're very glad to announce it here publicly for the first time, development for OpenBSD and FreeBSD has started. We are also integrating OpenVPN 3 on new software which will couple Eddie on UNIX-like systems, including Linux, during the second half of 2019. GDPR compliance was already a de facto standard for AirVPN way before the Regulation entered into force, mainly because we don't collect personal data, period. By the way the compliance is now fully formalized (check details in our Privacy Notice and Terms https://airvpn.org/privacy ). AirVPN provides probably the strongest protection to your data, not only personal data but all data, you can find on any service. If you are an AirVPN customer or user, you are probably aware that our service is radically different than any other VPN service you might have met anywhere. 
No whistles and bells, no marketing fluff, no fake locations, no advertising on mainstream media, a transparent privacy policy, no trackers on the web site or in mobile applications, no bullshit of any kind in our infrastructure to sell your personal data to any personal data merchant, and above all a clear mission which is the very reason which AirVPN operates for. https://airvpn.org/mission Many of you know that when you buy AirVPN service, you not only support yourself and improve your ability to exercise your fundamental rights, but you also support AirVPN mission. However, while AirVPN in itself has flourished, AirVPN mission aims and values related to fundamental rights have experienced, in 2018 and 2019, a grim time. Australia "encryption-busting" monstrous law is fully in force; the European Union has definitively approved the bad Copyright Directive, mandating automated filters, which will unavoidably limit freedom of expression on big boards, and making the first step to undermine the liability exemptions of mere conduits and web publishers alike; new threats to citizens' privacy are becoming real through plans of wide face recognition deployment, indiscriminate DNA databases proposals, more pervasive and efficient profiling (possibly even through AI), and strict cooperation between Internet tech giants and intelligence agencies; the persecution of journalists, publishers and whistleblowers all around the world has reached unprecedented levels, revealing a widespread plan to suppress freedom of the press and freedom of expression even in so called "Western democracies". 
One of the greatest journalists and publishers of all times, Julian Assange, nominated seven times for the Nobel Peace prize and winner of many journalistic prizes and awards, has been and is prosecuted and persecuted for having merely published the truth about war crimes, corruption, torture and more, with a 100% accuracy, and for having protected his sources as any good investigative journalist does. He has been detained arbitrarily and illegally, as widely ascertained and recognized by the UN. He has been victim of an abominable smear campaign based on ignominious lies and defamation, a campaign aimed to turn the public opinion against him and distract from WikiLeaks publications content exposing war criminals in governments key positions, warmongers, torture maniacs, systematic illegal surveillance, endemic privacy violations and plots to limit and reduce fundamental rights. He is currently detained in solitary confinement 23 hours a day, with no access to books, maximum two visits per month, forbidden in practice to coordinate a defense with his lawyers, in a tiny cell of a maximum security UK prison which has been designed for dangerous murderers and terrorists, while UK will decide whether to extradite him to the USA to face a potential 175 years imprisonment. Whistleblowers like Chelsea Manning, who should be regarded as a hero, as Noam Chomsky, John Pilger, Daniel Ellsberg and other titans of our times pointed out, have been tortured and are still persecuted by the very same criminals whose crimes were exposed. Privacy activists and software developers, like Ola Bini in Ecuador, are imprisoned without charges, simply for having showed friendship to Assange or WikiLeaks, or for having developed software aimed to protect privacy through encryption. And the list can go on and on and on. 
But make no mistake: the dark times we are living in, the environment of fear and intimidation that various governments are building against the exercise of those fundamental rights which our mission forces us to protect to the best of our abilities, the mounting attacks against "encryption for everyone" and the awareness that enemies of human rights nestle inside government agencies, have not undermined our determination. Quite the opposite: they have convinced us that our service is even more necessary now and we are resolute to do even more. Our mission has been and will be empowered by the ongoing support to projects and NGOs which aim to the protection of privacy, personal data and freedom of expression, now more than ever. We have confirmed our support to Tor and we will progressively add support to champions of freedom of expression and privacy in any way our capacities and abilities will allow us. If you're curious to know something about a series of fortunate events which gave birth to AirVPN, have a look here: https://airvpn.org/aboutus To worthily celebrate AirVPN ninth birthday, we're glad to inform you that starting from now we will offer a 20% discount on all long term plans. Hurry up, this special offer will end on June the 11th, 23:59:59 UTC! Check the new prices here. Kind regards and datalove AirVPN Staff
  4. 1 point
    If they were Facebook or Google IPs, I'd be concerned. Everyone knows Cloudflare, we know LeaseWeb, some know DigitalOcean and I know netcup. They're all web hosters, so whatever "spying" you refer to, you always refer to something AirVPN Staff set up, if at all. No third-parties involved. But generally, it's good to know people do have a closer look on what their computer is doing. Just don't condemn everything unknown as malicious straight away.
  5. 1 point
    Staff

    is eddie client (curl.exe) spying?

    Hello! The list you made includes IP addresses of bootstrap servers used to download servers and client information to build a configuration file for OpenVPN according to your preferences. Eddie is free and open source software, therefore you can verify from the source code that Eddie sends only your username and password to the bootstrap servers, as well as the data required to negotiate the encrypted connection over HTTP. As usual, you are not forced to run Eddie to connect to our service. You can run OpenVPN or any OpenVPN frontend. Our Configuration Generator can generate all the profiles you need to connect. Kind regards
  6. 1 point
    ^ Thanks for that. I tried-out the ipleak.net test on my Mac—no VPN involved—and it said my DNS was 162.158.76.230, which is in an adjacent state to mine in the USA. I was surprised, because I have my router set to use the Cloudflare DNS 1.1.1.1, but when I investigated 162.158.76.230, it said it was a Cloudflare IP address. Is that normal, or should it have shown 1.1.1.1? Or does Cloudflare 1.1.1.1 hand-off DNS duties to a more nearby location? I still wish someone could tell me how to edit my AirVPN config to use my chosen DNS within the tunnel. Should my syntax be based on what AirVPN used for its own DNS, for example: remote 1.1.1.1 443 ...or should I use the aforementioned syntax?: dhcp-option DNS 1.1.1.1 Surely some of the over 800 viewers of this thread must know this right off the top of your head. A little help here, please, experts!
  7. 1 point
    Not sure on how to implement, but to check if they are being used visit https://ipleak.net/ or https://leaktest.online/dns/
  8. 1 point
    ^ Yes, I had tried Eddie first thing, but I'm sorry, I tore my hair out for several days over its instability I experienced — it kept spontaneously kicking me off my VPN connection — so I settled on OpenVPN for Android, and it's been rock solid day in and day out. Do you know how to manually edit my AirVPN config file to specify my preferred DNS addresses?
  9. 1 point
    If you are looking on how to configure AirVPN on pfSense, please follow this great post

    The following are just a few changes I made that worked for me and that might help someone with the same problems I had. Mostly, avoiding a DNS leak. Note that I am not an expert so anyone is welcome to comment if you think I'm doing something wrong. What follows is just a patch of multiple ideas on the net that led me to a working solution.

    1. Create the VPN Certificates you need

    Go to AirVPN and download a config file (.ovpn) https://airvpn.org/generator/

    Now go to pfSense and create a CA for AirVPN
      Descriptive name: [AirVPN CA]
      Method: [import an existing Certificate Authority]
      Certificate data: [Open .ovpn file and insert data found between <ca> and </ca>]
      Save

    Now open the Certificates tab and create a new certificate
      Method: [import an existing certificate]
      Descriptive name: [AirVPN Client]
      Certificate data: [Open .ovpn file and insert data found between <cert> and </cert>]
      Private key data: [Open .ovpn file and insert data found between <key> and </key>]

    2. Create an OpenVPN connection

    https://rtr.noh.lan/vpn_openvpn_server.php

    Follow the document mentioned above and make the following modifications to it. Go to the Clients tab and make sure that:

    - You use an IP as the Server host to make sure you can re-connect if the line goes down. If the DNS you use is the one from AirVPN, the VPN connection has to be up before you can access it...
    - Add the following options:

      server-poll-timeout 10;
      explicit-exit-notify 5;
      auth-nocache
      mlock;
      fast-io;
      key-direction 1;
      prng SHA512 64;
      tls-version-min 1.2;
      key-method 2;
      tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
      tls-timeout 2;
      remote-cert-tls server;
      remote 185.206.225.58 443 # no.vpn.airdns.org
      remote 82.102.27.194 443 # no.vpn.airdns.org
      remote 91.207.102.162 443 # ro.vpn.airdns.org
      remote 86.105.9.66 443 # ro.vpn.airdns.org

    The "remote" entries allow your VPN to connect to another server if the VPN connection drops.

    3. The resolver settings I have

    General Settings
      Enable: [X]
      Listen Port: [Blank]
      Network Interfaces: [LAN] + any other local network you may have
      Outgoing Network Interfaces: [Your VPN Interface]
      System Domain Local Zone Type: [Transparent]
      DNSSEC: [X]
      DNS Query Forwarding: [ ]
      DHCP Registration: [ ]
      Static DHCP: [X]
      OpenVPN Clients: [ ]
      Custom options:

      forward-zone:
        name: "."
        forward-addr: 10.4.0.1

    Note that the Custom settings forward to an AirVPN internal DNS. Depending on the type of connection you use, the IP will change so check or it will fail.

    Advanced Settings
      Hide Identity: [X]
      Hide Version: [X]
      Prefetch Support: [X]
      Prefetch DNS Key Support: [X]
      Harden DNSSEC Data: [X]
      Serve Expired: [ ]

    The rest I have left as default. Now go to DNSLeakTest and test! I hope this helped someone.
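
Added example (not part of the post above and not AirVPN or pfSense code): a small checker that pulls the `<ca>`, `<cert>` and `<key>` blocks the post pastes into pfSense out of a generated .ovpn profile, and flags `remote` entries that are hostnames, since the post recommends IP addresses so the client can reconnect without working DNS. The sample profile, its placeholder PEM bodies and the host names in it are constructed.

```python
"""Split an .ovpn profile into the pieces pfSense asks for and sanity-check it."""
import ipaddress
import re

# Constructed sample profile: placeholder PEM bodies, documentation-range hosts.
SAMPLE_OVPN = """\
client
dev tun
remote 203.0.113.10 443   # entry IP, fine
remote example.vpn.invalid 443
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-KEY
-----END PRIVATE KEY-----
</key>
"""

INLINE_BLOCK = re.compile(r"^<(ca|cert|key)>\s*\n(.*?)\n</\1>\s*$", re.S | re.M)


def inline_blocks(profile):
    """Map tag name -> text found between <tag> and </tag>."""
    return {m.group(1): m.group(2).strip() for m in INLINE_BLOCK.finditer(profile)}


def looks_like_pem(block):
    """True if the block has BEGIN/END armour lines around at least one body line."""
    lines = block.splitlines()
    return (len(lines) >= 3
            and lines[0].startswith("-----BEGIN ")
            and lines[-1].startswith("-----END "))


def remotes(profile):
    """Return (host, port, is_ip) per 'remote' line; text after '#' is ignored."""
    found = []
    for line in profile.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "remote":
            try:
                ipaddress.ip_address(fields[1])
                is_ip = True
            except ValueError:
                is_ip = False
            port = int(fields[2]) if len(fields) > 2 else None
            found.append((fields[1], port, is_ip))
    return found


def check_profile(profile):
    """Return (blocks, problems); problems is a list of human-readable findings."""
    blocks = inline_blocks(profile)
    problems = [f"missing or malformed <{tag}> block"
                for tag in ("ca", "cert", "key")
                if not looks_like_pem(blocks.get(tag, ""))]
    problems += [f"remote {host} is a hostname: it needs DNS before the tunnel is up"
                 for host, _, is_ip in remotes(profile) if not is_ip]
    return blocks, problems


if __name__ == "__main__":
    blocks, problems = check_profile(SAMPLE_OVPN)
    for tag, body in blocks.items():
        # Report sizes only; never echo private key material to a terminal or log.
        print(f"<{tag}>: {len(body.splitlines())} lines")
    for p in problems:
        print("WARNING:", p)
```
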
  10. 1 point
    Could you elaborate on this in detail ? I feel I'm not fully getting your statement... So if I use 1.1.1.1 as DNS they will see that and then in turn could inquire with AirVPN who that user was at that point in time... ? (1) since AirVPN does not store data, there should be no concern, right ? (2) and since there will most likely be multiple users using 1.1.1.1 it would be impossible to identify, right... ? trying to completely understand whether using DNS of 1.1.1.1 is defeating the purpose of using a VPN at all... Thanks for the info. You seem to understand things properly.
  11. 1 point
    kbps

    Does custom DNS Server expose real IP ?

    I am using eddie and have added DNS servers to the DNS tab in settings. Is this routing DNS requests inside the VPN tunnel?
  12. 1 point
    nick75

    Eddie Android edition 2.0 beta released

    Not what I asked
  13. 1 point
    avcpl

    Eddie 2.17beta released

    I was having a similar issue. You might want to try this: This from support fixed the problem for me: Can you please try to rename the following file while Eddie is NOT running: C:\Users\(your user name)\AppData\Local\AirVPN\default.xml This is the configuration file. At the next run Eddie will create a new configuration file with all default settings (you will need to re-enter your credentials). Should the problem be solved by this procedure, then the old configuration file could be corrupt in some way that causes the issue. Note that the AppData file is hidden, you need to select the view tab and select to show hidden files. I also deleted the history file (I think it was called) and restarted my computer. Works like a charm now; using the new beta version of Eddie.
  14. 1 point
    harold.lewis

    Eddie 2.17beta released

    Eddie 2.17.2 Portable on Manjaro Plasma Desktop everything seems ok from my side
  15. 1 point
    What LZ1 said. : )
  16. 1 point
    Tried restarting DS? I don't use DSM 6.1, so I wouldn't know if something changed. But sometimes same thing happens to me on 6.0, VPN is up, but you can't reach anything. Not sure if it's DSM problem or AirVPN problem, but DS reboot usually fix it.
  17. 1 point
  18. 1 point
    Wow, good idea! Will add it. Not sure why you added other part? If VPN is off, current script will start it (when cronjob runs). If VPN is ON, but it's in error state (not letting traffic trough) it will kill VPN and start it again. EDIT: Added your contribution to tutorial. Changed some parts of tutorial. You no longer need to copy script to /usr/ folder. It's better if it stays in shared folder of your choice since there it will survive system upgrades.
  19. 1 point
    The short answer is this: I updated the steps for a reason. Conversely, nothing in this entire guide is "required" except steps 2/3/4. AirVPN will be fully functional on pfSense with those three steps alone. Still, without further steps, many users, if not most still could not get clients to use the VPN. I was helping so many, I made the guide with the basic steps to further use the VPN on clients. The old guide was simply a guide on how to get started, and also avoid some DNS leaking. I actually consciously made it simple because there are so many different use cases that it is impossible for me to support/help users troubleshoot them. The old guide had zero, and I mean zero outbound firewall protection aside from DNS. The default allow outbound rule was migrated for use on whichever "LAN" was used in the old guide. This guide has some introductory examples on how to create local and outbound firewall rules. The old guide blocked all local traffic, this guide has examples on how to permit common local services. Since that time my knowledge of this area has grown, and I am now sharing the basic knowledge of a "Deny all, only allow what you need" security policy. While this setup could be considered harder and will require more user interaction, it is the correct way to use the firewall. tl;dr = With the old guide your outgoing traffic is slightly more secure than a consumer router, but not much. If you keep the rules, you keep that level of security. At the end of the day, it's a personal preference. My opinion is that everyone who used the old guide should take the time to migrate, but to each their own.
  20. 1 point
    Staff

    RSI, SRF - CH

    Website: http://www.rsi.ch/ Website: http://www.srf.ch/ Swiss public television channels (RSI, SRF). Status: OK Native: CH servers. Routing: All other servers.
  21. 1 point
    I don't do this but it would be pretty easy to set up.

    1.) Get VirtualBox https://www.virtualbox.org/wiki/Downloads
    2.) Install Windows XP SP 3 (easily available) into a virtualbox instance, it's easy to do and follow the on screen prompts you just need the install disk (if you have an image and don't want to burn a cd, use http://wincdemu.sysprogs.org/ and mount the disk) with a couple gb of ram and some disk space allocated (fixed disk is faster)
    3.) Install the AirVPN client in the VM
    4.) Configure a shared folder with VirtualBox to move files back and forth or use ftp if you're paranoid about it getting infected and spreading via the share.
    5.) Install qBittorrent http://www.qbittorrent.org/download.php in the VM which has built in search and is the best client I've ever used.
  22. 1 point
    How can I set up the vpn in my settings instead of using an app? I want to use p2p app on android device, but don't know much about port forwarding and this is my first time using a vpn.
  23. 1 point
    I tested it myself and OpenVPN for Android is more comprehensive than this. You can do more things with it. They don't only recommend it because of it's open source status (although they write it).. AirVPN is trying to deliver a great service and their recommendations support this aim.
  24. 1 point
    vasya-pupklin

    How much does it cost?

    How much this service cost or how much will it cost? in short I simple can't believe you guys provide VPN service for free...
  25. 0 points
    Since yesterday I can't connect with Eddie (2.16.3 AND 2.17.2) to any AirVPN server. I tried Tunnelblick, but the same problem. Eddie can't connect. With my tablet and OpenVPN it works perfectly.

    Log:

    I 2019.06.01 11:14:10 - Session starting.
    I 2019.06.01 11:14:10 - Checking authorization ...
    ! 2019.06.01 11:14:10 - Connecting to Capricornus (Belgium, Brussels)
    . 2019.06.01 11:14:10 - OpenVPN > OpenVPN 2.4.6 x86_64-apple-darwin17.6.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jul 29 2018
    . 2019.06.01 11:14:10 - OpenVPN > library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
    . 2019.06.01 11:14:10 - Connection to OpenVPN Management Interface
    . 2019.06.01 11:14:10 - OpenVPN > MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:3100
    . 2019.06.01 11:14:10 - OpenVPN > Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    . 2019.06.01 11:14:10 - OpenVPN > Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    . 2019.06.01 11:14:10 - OpenVPN > Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    . 2019.06.01 11:14:10 - OpenVPN > Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    . 2019.06.01 11:14:10 - OpenVPN > TCP/UDP: Preserving recently used remote address: [AF_INET]194.187.251.93:443
    . 2019.06.01 11:14:10 - OpenVPN > Socket Buffers: R=[786896->262144] S=[9216->262144]
    . 2019.06.01 11:14:10 - OpenVPN > UDP link local: (not bound)
    . 2019.06.01 11:14:10 - OpenVPN > UDP link remote: [AF_INET]194.187.251.93:443
    . 2019.06.01 11:14:10 - OpenVPN > MANAGEMENT: Client connected from [AF_INET]127.0.0.1:3100
    . 2019.06.01 11:14:43 - OpenVPN > [UNDEF] Inactivity timeout (--ping-exit), exiting
    . 2019.06.01 11:14:43 - OpenVPN > SIGTERM received, sending exit notification to peer
    . 2019.06.01 11:14:47 - OpenVPN > SIGTERM[soft,exit-with-notification] received, process exiting
    ! 2019.06.01 11:14:47 - Disconnecting
    . 2019.06.01 11:14:47 - Connection terminated.
    I 2019.06.01 11:14:49 - Cancel requested.
    ! 2019.06.01 11:14:49 - Session terminated.
  26. 0 points
    Use Unbound with Cloudflare DoT (DNS over TLS 1.3), even your ESNI is encrypted. Configure Firefox and done, it works like a charm and is available for pfSense. If you have pfSense 2.4 then it's an easy config, follow this tutorial: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
  27. 0 points
    zhang888

    Firefox disabled all add-ons WOW

    That is very bad advice and an unnecessary security threat. The signatures are there for a reason, and that is to ensure the browser won't install malicious junk addons from various spyware sites, or addons that impersonate others with fake search engine results and other manipulations, that were quite common in the past. The solution is to install Firefox 66.0.4, or if you are on other unofficial branches install the hotfix from: https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
  28. 0 points
    pedro1

    DDNS- blank textbox & port forwarding

    If I have a server connected to a VPN and having an HTTP server on port 9876, and connect my Android, will all incoming connections start to go to the Android device? What if I have an always on connection for my server? Why is the DDNS textbox in https://airvpn.org/ports/ , "Your forwarded ports" , blank?
  29. 0 points
    Hey there, my buddies in Scandinavia have informed me something called Article 13 has passed, which basically gives the EU rights to raid any VPN they want. Should I be worried? Can someone please inform me what is going on with this law?
  30. 0 points
    Staff

    New 1 Gbit/s server available (CA)

    Hello! We're very glad to inform you that a new 1 Gbit/s server located in Montreal (Canada) is available: Lacerta. The AirVPN client will show automatically this new server, while if you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other "second generation" Air server, Lacerta supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/Lacerta Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team
  31. 0 points
    Staff

    Eddie 2.17beta released

    @rohko Yes, the important change to tun0 by the OpenVPN script is the DNS global scope and this is sufficient to have your system use only the VPN DNS. Eddie 2.17beta should not be used in your (and any similar) environment until the detected bugs are not resolved because you can't even patch the issue with the OpenVPN scripts, we're sorry. After all this is a beta version so it's not upsetting that bugs can come out. Please go back to Eddie 2.16.3 and keep using OpenVPN scripts which work impeccably. Eddie developers have been already informed, of course. Kind regards
  32. 0 points
    Take a look at 3rd point in my tutorial. After you do that, you need to forward ports on your router, but if that worked before, I guess you already forwarded your ports. Then you only need to connect to your REAL IP (IP given by your ISP), not AirVPN IP address and it will work.
  33. 0 points
    Hi Mikeyy, sorry for the delay. Before your answer I did figure out a restart myself. And that got things going. But my forum message was still not approved, so I couldn't alter it. So in the end I managed to download stuff via DS Get via VPN. But all of my webservices were not reachable anymore. I read about that beforehand, but thought a bit too optimistically. After reading up on it, I got scared whether I would be able to have a VPN and run my webservices at the same time. I would need passthrough of:
    - torrents
    - IMAP
    - SMTP
    - POP3
    - webinterface of Synology
    To be honest I am afraid that I am not capable enough to make all those things work.
  34. 0 points
    kbps

    What browser are you using and why?

    Thanks for that @S.O.A. It pretty much matches my usage. Tend to use Tor Browser by default. I second that.
  35. 0 points
    Thanks for that @S.O.A. It pretty much matches my usage. Tend to use Tor Browser by default.
  36. 0 points
    LZ1

    What browser are you using and why?

    Hello! It's just sad that Mozilla receives money from Google, I think.
  37. 0 points
    Staff

    Teleboy TV - CH

    Website: Teleboy TV Switzerland streaming television, Live and On Demand. Status: OK Native: CH servers. Routing: All other servers.
  38. 0 points
    I managed to get connected to AirVPN on Android using OpenVPN and TLS/SSL Tunnel. It took a few attempts, and I had to convert the crt file to a der file. Once it was converted, I saved it to my dropbox file and then downloaded it into Tunnel's Certificates Database. After that, I manually added the tunnel parameters into the app, setting the root certificate is set to custom cert store, and then ran the tunnel. After that, I started up OpenVPN and connected using config that connects to the tunnel. Sadly, it wasn't working with this closed source program, but it worked with OpenVPN for Android and even the Root-required version of OpenVPN. It's strange, but regardless at least now I'm able to connect to here with SSL. Not sure where this should be, but it's the best open thread I could find, and it applied to Android.
  39. 0 points
    Staff

    Prevent leaks with Linux & iptables

    EDITED ON 21 Aug 12
    EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of message
    EDITED ON 02 Jun 15: please refer to https://airvpn.org/faq/software_lock for a more advanced set of rules

    WARNING: this guide assumes that you have no IPv6 connectivity. If you have, you should block outgoing IPv6 packets while connected to the VPN with "ip6tables". Please see https://airvpn.org/faq/software_lock

    Hello! You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude.

    Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection). a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you have already chains.

    Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
    iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
    iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
    iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
    iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
    iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
    iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects

    When you add the above rules, take care about pre-existing rules, if you have already some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server.

    In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs.

    Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN directives with update-resolv-conf script

    In this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following line at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router):

    nameserver 10.4.0.1 # in order to use AirVPN DNS
    nameserver 31.220.5.106 # in order to use OpenNIC DNS only if AirVPN DNS is unavailable

    Kind regards

    Original thread post: https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-2?do=findComment&comment=2010
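
Added example (not part of the Staff post and not AirVPN code): a first-match walk of the OUTPUT rules from the guide above, so the ruleset's behaviour with the tunnel down can be checked without root. It shows the intended drop, the reconnect exception, and two gaps the post itself warns about: DNS sent to a router inside 192.168.0.0/16 is accepted by the LAN rule, and an interface not named eth* (for example wlan0) is untouched by the DROP rule. Assumptions: 203.0.113.10 stands in for a.b.c.d, and the chain policy is the iptables default ACCEPT.

```python
"""Simulate the guide's OUTPUT chain: first matching rule decides the verdict."""
import ipaddress

ENTRY_IP = "203.0.113.10"  # constructed stand-in for the post's a.b.c.d
LAN = "192.168.0.0/16"

# OUTPUT rules in the order the post appends them:
# (out_iface pattern, source net, destination net, negate destination, target)
OUTPUT_RULES = [
    ("lo",   None, None,              False, "ACCEPT"),
    (None,   None, "255.255.255.255", False, "ACCEPT"),
    (None,   LAN,  LAN,               False, "ACCEPT"),
    ("eth+", None, ENTRY_IP,          True,  "DROP"),
]
DEFAULT_POLICY = "ACCEPT"  # assumption: the post never changes the chain policy


def iface_matches(pattern, iface):
    """iptables semantics: a trailing '+' matches any interface with that prefix."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def in_net(addr, net):
    """True if the rule has no constraint or addr falls inside net."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def verdict(out_iface, src, dst):
    """Return the target of the first matching rule, else the default policy."""
    for pattern, rule_src, rule_dst, negate, target in OUTPUT_RULES:
        dst_ok = in_net(dst, rule_dst)
        if negate:
            dst_ok = not dst_ok
        if iface_matches(pattern, out_iface) and in_net(src, rule_src) and dst_ok:
            return target
    return DEFAULT_POLICY


# Constructed packets: (description, out interface, source, destination)
CASES = [
    ("tunnel down, web request leaves eth0", "eth0", "192.168.1.20", "198.51.100.7"),
    ("reconnect to the entry IP over eth0", "eth0", "192.168.1.20", ENTRY_IP),
    ("DNS query to the router over eth0", "eth0", "192.168.1.20", "192.168.1.1"),
    ("tunnel up, traffic leaves tun0", "tun0", "10.4.0.5", "198.51.100.7"),
    ("tunnel down on WiFi, rules left as eth+", "wlan0", "192.168.1.20", "198.51.100.7"),
]


def run_cases():
    """Evaluate every constructed packet and return (description, verdict) pairs."""
    return [(desc, verdict(iface, src, dst)) for desc, iface, src, dst in CASES]


if __name__ == "__main__":
    for desc, result in run_cases():
        print(f"{result:6}  {desc}")
```

The router case is ACCEPT because the packet never leaves the LAN from the host's point of view; the router then resolves it outside the tunnel, which is why the post tells you to put a non-router nameserver first in /etc/resolv.conf.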