Popular Content
Showing content with the highest reputation on 11/23/20 in all areas
NetworkLock on macOS 11
stupid are cocksure reacted to Staff for a post in a topic
Hello! More about macOS Big Sur, Eddie and Hummingbird.

Eddie and Hummingbird enforce Network Lock through pf rules. The mentioned problem is that kernel extensions are deprecated, and the new NetworkExtensions API includes exceptions to filtering rules which allow 56 Apple apps and services to bypass any filtering rule enforced via the API (which is quite atrocious and says a lot about Apple's respect toward its customers, but that's how it is). However, pf is the system firewall, which is autonomous from the NetworkExtensions API and its exceptions. Therefore Eddie and Hummingbird Network Lock are working fine, just as usual.

Note that the NetworkExtensions exceptions were active even in Catalina. However, nobody noticed them, because third-party firewalls bypassed them by relying on kernel extensions (kexts). Now that kexts don't work well anymore, the problem has exploded, but as usual you are safe with AirVPN Network Lock, both in Eddie and Hummingbird.

Kind regards
@Flx The first message was approved by some moderator in the wrong thread, not a big deal. Then we moved the message to its own thread, this one. Then user "wireguard" posted more messages, which were all approved by some moderator.

@Brainbleach Of course. We were replying to "wireguard", who surreptitiously invites people to punish AirVPN because AirVPN uses and actively develops OpenVPN: "Needless to say, investing in AirVPN means investing in OpenVPN, and that's not acceptable to me at this point." He/she also kept claiming that "it's time to retire OpenVPN" (sic), that OpenVPN is a "truly disgusting hack" (sic) and so on, showing his/her embarrassing ignorance and lack of good faith. Nothing to do with your messages. Funny how bogus account writers are so eager to become, from time to time, AirVPN software lead developers, general managers for AirVPN strategies, marketing directors and more. 😀

We wanted to prove beyond any reasonable doubt that his/her claims are unreasonable and based on wrong assumptions and terrible omissions, showing how Wireguard cannot replace OpenVPN for a significant percentage of our customers and how our OpenVPN development has been beneficial for many users around the world. That said, we claimed years ago that Wireguard needed to be developed and tested further, so at the time our claim was totally reasonable. We also claimed years ago that the problem was not with CHACHA20, which to the best of current knowledge is a very robust and secure cipher. Now the problems are different, because Wireguard is asked to offer something it was not designed for, i.e. providing some kind of anonymity layer. Such problems include lack of DNS push, lack of dynamic IP address assignment (with subsequent problems with the static correspondence between client key and private address, a very tough legal problem for us but above all for our customers), and the need to keep the client's real IP address stored in a file.

We have resolved them one by one with external software and internal workarounds. Once the problems are resolved in a robust way, which means thoroughly testing the adopted workarounds, we can offer Wireguard, not earlier.

Kind regards
Wireguard
Chris Wyatt reacted to OpenSourcerer for a post in a topic
I can confirm it is coming. Even though wg has matured a bit, it still has technical and privacy caveats that Staff will make very clear when the first experimental servers hit the scene. However, I cannot say when. Stay tuned for more info on the Announcements forum.
Haha, coincidentally I did the same thing and got into it maybe more than I should have, time-investment-wise... Thank you for sharing though! dmenu is a cool idea; the server list part was quite a mess to get together for me.

I'm no programmer, just learning this while doing, so this is probably far from elegant and "good practice". I'm also planning to improve it, but here is what I got so far, and it works. It's a script that can be run to interface with the client in the background; it doesn't have to stay open, and Eddie will be run invisibly. You can also get a server list (although not interactive yet), show some info about the current session and put a permanent default iptables network lock in place, applied through firewalld (because I'm on Fedora). The server list and user info (and also this website) are also available with the lock turned on. The script requires only curl, awk and Eddie itself (and firewalld for the lock, but that can be adjusted to iptables directly); I tried to stay with system tools.

```bash
#!/bin/bash

API_KEY="<your key>"
FORMAT="text"
URL="https://airvpn.org/api/"
COLS=$( tput cols )
ROWS=$( tput lines )
HEADING1_1="This is a wrapping script for"
HEADING1_2="Eddie, the AirVPN client."
HEADING2_1="This script can be exited"
HEADING2_2="and re-entered without"
HEADING2_3="affecting a running connection."

# change default prompt for select command
PS3="Choose one of the options by selecting the corresponding number: "

# provide options as array
OPTIONS[0]="Connect to Recommended Server"
OPTIONS[1]="Connect to Specific Server"
OPTIONS[2]="Show List of Servers"
OPTIONS[3]="Refresh User Info"
OPTIONS[4]="Disconnect"
OPTIONS[5]="Toggle Default Network Lock"
OPTIONS[6]="Quit"

function get_list {
    SERVICE_NAME="status"
    ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\" }"
    # pipe server status list to awk, filter out unnecessary stuff,
    # combine lines that relate to the same server (and country, continent, and planet) into single lines which are saved as arrays,
    # loop through arrays to format info,
    # sort each array and print as section,
    # align columns with column,
    # pipe to less for better readability
    timeout --signal=SIGINT 10 curl -d "$ARGS" -X POST "$URL" | \
    awk -F '[.]' \
    'BEGIN{OFS=";"; print "Server List"} \
    !/^routing/ && !/ip_/ && !/country_code/ {c=$1 OFS $2; \
    if ($1 ~ /servers/ && c in servers) servers[c]=servers[c] OFS $3; \
    else if ($1 ~ /servers/) servers[c]=$3; \
    else if ($1 ~ /countries/ && c in countries) countries[c]=countries[c] OFS $3; \
    else if ($1 ~ /countries/) countries[c]=$3; \
    else if ($1 ~ /continents/ && c in continents) continents[c]=continents[c] OFS $3; \
    else if ($1 ~ /continents/) continents[c]=$3; \
    else if ($1 ~ /planets/ && c in planets) planets[c]=planets[c] OFS $3; \
    else if ($1 ~ /planets/) planets[c]=$3; \
    for (k in servers) gsub(/;bw_max=/, "/", servers[k]); \
    for (k in servers) gsub(/;.*=/, ":", servers[k]); \
    for (k in servers) gsub(/^.*=/, "", servers[k]); \
    for (k in countries) gsub(/;bw_max=/, "/", countries[k]); \
    for (k in countries) gsub(/;.*=/, ":", countries[k]); \
    for (k in countries) gsub(/^.*=/, "", countries[k]); \
    for (k in continents) gsub(/;bw_max=/, "/", continents[k]); \
    for (k in continents) gsub(/;.*=/, ":", continents[k]); \
    for (k in continents) gsub(/^.*=/, "", continents[k]); \
    for (k in planets) gsub(/;bw_max=/, "/", planets[k]); \
    for (k in planets) gsub(/;.*=/, ":", planets[k]); \
    for (k in planets) gsub(/^.*=/, "", planets[k])} \
    END{ \
    print "\n:\nServers\n:\nName:Country:Location:Continent:Bandwidth:Users:Current Load:Health"; \
    n=asorti(servers, servers_sorted, "@val_num_asc"); \
    for (i=1; i<=n; i++) print servers[servers_sorted[i]]; \
    print "\n:\nCountries\n:\nCountry:Best Server:Bandwidth:Users:Servers:Current Load:Health"; \
    n=asorti(countries, countries_sorted, "@val_num_asc"); \
    for (i=1; i<=n; i++) print countries[countries_sorted[i]]; \
    print "\n:\nContinents\n:\nContinent:Best Server:Bandwidth:Users:Servers:Current Load:Health"; \
    n=asorti(continents, continents_sorted, "@val_num_asc"); \
    for (i=1; i<=n; i++) print continents[continents_sorted[i]]; \
    print "\n:\nAll\n:\nPlanet:Best Server:Bandwidth:Users:Servers:Current Load:Health"; \
    n=asorti(planets, planets_sorted, "@val_num_asc"); \
    for (i=1; i<=n; i++) print planets[planets_sorted[i]]}' | column -t -s ':' | less
}

function get_userinfo {
    tput cup 25 0
    SERVICE_NAME="userinfo"
    ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\", \"key\":\"$API_KEY\" }"
    # filter specific lines, save values (after "=") to variables after protecting whitespace
    read U_LOGIN U_EXP U_CONNECTED U_SERVER_NAME U_SERVER_COUNTRY U_SERVER_LOCATION U_SERVER_BW <<< $( \
        timeout --signal=SIGINT 10 curl -d "$ARGS" -X POST "$URL" | \
        awk -F '[=]' \
        'BEGIN{ORS=";"} \
        /^user.login|^user.expiration_days|^user.connected|^connection.server_name|^connection.server_country=|^connection.server_location|^connection.server_bw/ \
        {print $2}' | \
        sed 's/\ /\\\ /g' | sed 's/;/\ /g' \
    )
    if [ "$U_CONNECTED" = "1" ]
    then
        U_CONNECTED="connected"
        U_SERVER_FULL="$U_SERVER_NAME ($U_SERVER_LOCATION, $U_SERVER_COUNTRY)"
    else
        U_CONNECTED="not connected"
        U_SERVER_FULL="--"
        U_SERVER_BW="--"
    fi
}

function disconnect_server {
    # check for running instance of eddie
    pgrep -f 'mono.*eddie-ui' &> /dev/null
    if [ $? = 0 ]
    then
        U_CONNECTED="disconnecting..."
        print_heading
        # kill process and wait for confirmation from process output
        sudo pkill -f 'mono.*eddie-ui'
        if [ -p "/tmp/.eddie_fifo" ]
        then
            timeout --signal=SIGINT 60 grep -q -m 1 "Shutdown complete" "/tmp/.eddie_fifo"
        else
            # in case connection was started without this script
            sleep 5
        fi
        if [ $? = 0 ]
        then
            # give some time to completely close process, without sleep it's too early for new connection
            sleep 3
            pgrep -f 'mono.*eddie-ui' &> /dev/null
            if [ $? = 1 ]
            then
                KILLED="true"
            else
                KILLED="false"
            fi
        else
            KILLED="false"
        fi
    else
        KILLED="true"
    fi
}

function activate_lock {
    echo "Activating iptable rules:"
    # allow loopback
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    # allow lan (out) and broadcasting/dhcp
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT
    # allow tun device to communicate (so any VPN connection should be possible, also without Air)
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
    # optional masquerade rule (NAT/ports)
    #sudo firewall-cmd --direct --permanent --add-rule ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE
    # allow ipv4 only to airvpn.org for status update
    # allow DNS query to resolve hostname (hex string reads "06 airvpn 03 org" - the numbers are the label lengths in bytes),
    # restrict packet length to length of this specific request packet (might change?) to avoid hijacking
    # of query (very unlikely I guess, but who cares if we're already being paranoid for the fun of it),
    # whitelist destination IP for TCP handshake
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p tcp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT
    # allow SYN request to whitelisted IP to initiate handshake, remove IP from whitelist
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p tcp --syn --dport 53 -m recent --remove -j ACCEPT
    # allow outgoing connection to Air's IP
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT
    # allow communication
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # drop outgoing ipv4 (if not specifically allowed by other rules)
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 999 -j DROP
    # block incoming ipv4
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 999 -j DROP
    # drop all ipv6
    sudo firewall-cmd --direct --permanent --add-rule ipv6 filter OUTPUT 0 -j DROP
    sudo firewall-cmd --direct --permanent --add-rule ipv6 filter INPUT 0 -j DROP
    # reload and restart firewalld to activate permanent rule changes
    sudo firewall-cmd --reload
    sudo systemctl restart firewalld
    # check for success (not really though, needs improvement)
    LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l )
    if [ "$LOCK_RULES" -gt 15 ]
    then
        LOCK_ACTIVE="active"
    else
        LOCK_ACTIVE="inactive"
    fi
    print_heading
}

function deactivate_lock {
    echo "Deactivating iptable rules:"
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
    #sudo firewall-cmd --direct --permanent --remove-rule ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 1 -p tcp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 1 -p tcp --syn --dport 53 -m recent --remove -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 999 -j DROP
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 999 -j DROP
    sudo firewall-cmd --direct --permanent --remove-rule ipv6 filter OUTPUT 0 -j DROP
    sudo firewall-cmd --direct --permanent --remove-rule ipv6 filter INPUT 0 -j DROP
    sudo firewall-cmd --reload
    sudo systemctl restart firewalld
    LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l )
    if [ "$LOCK_RULES" -gt 15 ]
    then
        LOCK_ACTIVE="active"
    else
        LOCK_ACTIVE="inactive"
    fi
    print_heading
}

function print_heading {
    tput cup 0 0
    printf %"$COLS"s | tr " " "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING1_1}) / 2 ))"s | tr " " " "; echo -n "$HEADING1_1"; printf %"$(( $COLS - 2 - ${#HEADING1_1} - ($COLS - 2 - ${#HEADING1_1}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING1_2}) / 2 ))"s | tr " " " "; echo -n "$HEADING1_2"; printf %"$(( $COLS - 2 - ${#HEADING1_2} - ($COLS - 2 - ${#HEADING1_2}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING2_1}) / 2 ))"s | tr " " " "; echo -n "$HEADING2_1"; printf %"$(( $COLS - 2 - ${#HEADING2_1} - ($COLS - 2 - ${#HEADING2_1}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING2_2}) / 2 ))"s | tr " " " "; echo -n "$HEADING2_2"; printf %"$(( $COLS - 2 - ${#HEADING2_2} - ($COLS - 2 - ${#HEADING2_2}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING2_3}) / 2 ))"s | tr " " " "; echo -n "$HEADING2_3"; printf %"$(( $COLS - 2 - ${#HEADING2_3} - ($COLS - 2 - ${#HEADING2_3}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    echo -n "# User: $U_LOGIN"; printf %"$(( $COLS - 9 - ${#U_LOGIN} ))"s | tr " " " "; echo "#"
    echo -n "# Days Until Expiration: $U_EXP"; printf %"$(( $COLS - 26 - ${#U_EXP} ))"s | tr " " " "; echo "#"
    echo -n "# Default Network Lock: $LOCK_ACTIVE"; printf %"$(( $COLS - 25 - ${#LOCK_ACTIVE} ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    echo -n "# Status: $U_CONNECTED"; printf %"$(( $COLS - 11 - ${#U_CONNECTED} ))"s | tr " " " "; echo "#"
    echo -n "# Server: $U_SERVER_FULL"; printf %"$(( $COLS - 11 - ${#U_SERVER_FULL} ))"s | tr " " " "; echo "#"
    echo -n "# Server Bandwidth: $U_SERVER_BW"; printf %"$(( $COLS - 21 - ${#U_SERVER_BW} ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    printf %"$COLS"s | tr " " "#"
}

# move to secondary screen
tput smcup
tput cup 0 0

# gain sudo privileges for commands that need it (better than running everything with sudo)
sudo -v -p "The AirVPN client and network traffic changes require root privileges to run. Please enter your password:"
# keep sudo permission until script exits (or until computer goes to sleep - not ideal)
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

get_userinfo
LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l )
if [ "$LOCK_RULES" -gt 15 ]
then
    LOCK_ACTIVE="active"
else
    LOCK_ACTIVE="inactive"
fi
print_heading

while true; do
    # clear screen below heading
    tput cup 18 0
    tput ed
    tput cup 19 0
    select OPTION in "${OPTIONS[@]}"
    do
        case $OPTION in
            "${OPTIONS[0]}")
                disconnect_server
                if [ "$KILLED" = "true" ]
                then
                    U_CONNECTED="connecting..."
                    U_SERVER_FULL="--"
                    U_SERVER_BW="--"
                    print_heading
                    # create pipe to process status of client
                    if [ ! -p "/tmp/.eddie_fifo" ]
                    then
                        mkfifo "/tmp/.eddie_fifo"
                    fi
                    # run eddie in background and detached from current window, pipe output to named pipe
                    (sudo eddie-ui --cli --netlock --connect --profile="$HOME/.airvpn/default.xml" &> "/tmp/.eddie_fifo" &)
                    timeout --signal=SIGINT 60 grep -q -m 1 "Initialization Sequence Completed" "/tmp/.eddie_fifo"
                    if [ $? = 0 ]
                    then
                        get_userinfo
                        print_heading
                    else
                        U_CONNECTED="error during connection attempt"
                        U_SERVER_FULL="--"
                        U_SERVER_BW="--"
                        print_heading
                    fi
                else
                    U_CONNECTED="error during disconnection"
                    U_SERVER_FULL="--"
                    U_SERVER_BW="--"
                    print_heading
                fi
                break
                ;;
            "${OPTIONS[1]}")
                read -p 'Please type the exact server name (type "back" to go back): ' SERVER
                if [ "$SERVER" = "back" ]
                then
                    break
                else
                    disconnect_server
                    if [ "$KILLED" = "true" ]
                    then
                        U_CONNECTED="connecting..."
                        U_SERVER_FULL="--"
                        U_SERVER_BW="--"
                        print_heading
                        if [ ! -p "/tmp/.eddie_fifo" ]
                        then
                            mkfifo "/tmp/.eddie_fifo"
                        fi
                        (sudo eddie-ui --cli --netlock --connect --server="$SERVER" --profile="$HOME/.airvpn/default.xml" &> "/tmp/.eddie_fifo" &)
                        timeout --signal=SIGINT 60 grep -q -m 1 "Initialization Sequence Completed" "/tmp/.eddie_fifo"
                        if [ $? = 0 ]
                        then
                            get_userinfo
                            print_heading
                        else
                            U_CONNECTED="error during connection attempt"
                            U_SERVER_FULL="--"
                            U_SERVER_BW="--"
                            print_heading
                        fi
                    else
                        U_CONNECTED="error during disconnection"
                        U_SERVER_FULL="--"
                        U_SERVER_BW="--"
                        print_heading
                    fi
                    break
                fi
                ;;
            "${OPTIONS[2]}")
                # return to primary screen since server list gets piped to less which
                # seems to interfere with tput, then move to secondary screen again
                tput rmcup
                get_list
                tput smcup
                print_heading
                break
                ;;
            "${OPTIONS[3]}")
                get_userinfo
                print_heading
                break
                ;;
            "${OPTIONS[4]}")
                disconnect_server
                if [ "$KILLED" = "false" ]
                then
                    U_CONNECTED="error during disconnection"
                    U_SERVER_FULL="--"
                    U_SERVER_BW="--"
                    print_heading
                else
                    get_userinfo
                    print_heading
                fi
                # the fifo only exists if a connection was started from this script
                rm -f "/tmp/.eddie_fifo"
                break
                ;;
            "${OPTIONS[5]}")
                pgrep -f 'mono.*eddie-ui' &> /dev/null
                if [ $? = 0 ]
                then
                    echo "You need to be disconnected to change network traffic rules."
                    sleep 2
                    break
                fi
                if [ "$LOCK_ACTIVE" = "inactive" ]
                then
                    read -p "Are you sure you want to activate the default network lock and block all connections while not connected to (any) VPN? [y/n]: " ANSWER
                    if [ "$ANSWER" = "y" ]
                    then
                        activate_lock
                    else
                        break
                    fi
                else
                    read -p "Are you sure you want to deactivate the default network lock and allow all connections, even when not connected to a VPN? [y/n]: " ANSWER
                    if [ "$ANSWER" = "y" ]
                    then
                        deactivate_lock
                    else
                        break
                    fi
                fi
                break
                ;;
            "${OPTIONS[6]}")
                break 2
                ;;
        esac
    done
done

# return to primary (original) screen
tput rmcup
```

I will hopefully update this in the future!
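Two points in the script above invite a tighter check: the DNS match pattern is hand-encoded, and the lock is declared "active" whenever more than 15 direct rules exist. The helpers below are an added example, not part of the forum post or of Eddie: `dns_qname_hex` derives the iptables `--hex-string` pattern from a hostname (adding the terminating 00 root label so that only a query for exactly that name matches), and `missing_lock_rules`/`lock_state` verify that each expected lock rule is present. The rule line format ("family table chain priority args") is assumed to be what `firewall-cmd --direct --permanent --get-all-rules` prints, and the sample rule listings are constructed.

```shell
#!/bin/sh
# Added example (not from the forum post): helpers the Eddie wrapper could use.

# dns_qname_hex NAME: iptables "-m string --hex-string" pattern for a DNS QNAME.
# Each label is prefixed by its length in bytes (06 "airvpn", 03 "org") and the
# name is closed with the 00 root label, so "airvpn.org.example" does not match.
dns_qname_hex() {
    qname_in=$1
    qname_out='|'
    qname_oldifs=$IFS
    IFS='.'
    set -- $qname_in
    IFS=$qname_oldifs
    for qname_label in "$@"; do
        qname_len=${#qname_label}
        # DNS labels are 1..63 bytes; reject empty labels such as in "a..b"
        [ "$qname_len" -ge 1 ] && [ "$qname_len" -le 63 ] || return 1
        qname_hex=$(printf '%s' "$qname_label" | od -An -tx1 | tr -d ' \n')
        qname_out="$qname_out$(printf '%02x' "$qname_len") $qname_hex "
    done
    printf '%s00|\n' "$qname_out"
}

# Rules the lock must contain, in the (assumed) --get-all-rules line format.
# Checking for these instead of "more than 15 lines" catches a partial reload
# and is not fooled by unrelated direct rules.
LOCK_RULES='ipv4 filter OUTPUT 0 -o lo -j ACCEPT
ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
ipv4 filter OUTPUT 999 -j DROP
ipv4 filter INPUT 999 -j DROP
ipv6 filter OUTPUT 0 -j DROP
ipv6 filter INPUT 0 -j DROP'

# missing_lock_rules CURRENT: report each expected rule absent from CURRENT
# (the text of --get-all-rules) on stderr; the return value is the number missing.
missing_lock_rules() {
    lock_current=$1
    lock_missing=0
    while IFS= read -r lock_rule; do
        if ! printf '%s\n' "$lock_current" | grep -qxF -- "$lock_rule"; then
            printf 'missing: %s\n' "$lock_rule" >&2
            lock_missing=$((lock_missing + 1))
        fi
    done <<EOF
$LOCK_RULES
EOF
    return "$lock_missing"
}

# lock_state CURRENT: "active" only when every expected rule is present.
lock_state() {
    if missing_lock_rules "$1" 2>/dev/null; then echo active; else echo inactive; fi
}

# Constructed samples standing in for live firewall-cmd output:
# a complete lock (plus one extra rule) and one where the two DROP catch-alls are gone.
SAMPLE_FULL="ipv4 filter INPUT 0 -i lo -j ACCEPT
$LOCK_RULES"
SAMPLE_PARTIAL='ipv4 filter OUTPUT 0 -o lo -j ACCEPT
ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
ipv6 filter OUTPUT 0 -j DROP
ipv6 filter INPUT 0 -j DROP'
```

In the script, `LOCK_ACTIVE=$(lock_state "$(sudo firewall-cmd --direct --permanent --get-all-rules)")` would replace the line-count test, with the full rule list of the script added to LOCK_RULES.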