Jump to content
Not connected, Your IP: 3.229.142.91

Clodo

Staff
  • Content Count

    449
  • Joined

    ...
  • Last visited

    ...
  • Days Won

    34

Reputation Activity

  1. Thanks
    Clodo got a reaction from Stalinium in ipleak uses Google Maps   ...
    For the moment, we made the map visible with user confirmation, so there isn't anymore any request outside ipleak.net domain

    Thanks for the feedback
  2. Thanks
    Clodo got a reaction from Flx in Eddie Desktop 2.21 beta released   ...
    After the testing, our Config Generator will be able to create WireGuard .conf file, usable without Eddie (wg / wg-quick or any official WireGuard app).
  3. Like
    Clodo reacted to cambell in Eddie Desktop 2.21 beta released   ...
    thanks Clodo, working great.
  4. Like
    Clodo got a reaction from bluesjunior in Eddie Desktop 2.21 beta released   ...
    I confirm an issue with Windows build with Network Lock activated, will be fixed as soon as possible, thanks
  5. Thanks
    Clodo got a reaction from Flx in Eddie Desktop 2.21 beta released   ...
    After the testing, our Config Generator will be able to create WireGuard .conf file, usable without Eddie (wg / wg-quick or any official WireGuard app).
  6. Like
    Clodo got a reaction from puff-m-d in Eddie Desktop 2.21 beta released   ...
    Thanks. Probably Eddie UI start BEFORE the service, and try to relaunch. I'm investigating this issue, i hope a fix in the next release in few days. Thanks again.
  7. Like
    Clodo reacted to puff-m-d in Eddie Desktop 2.21 beta released   ...
    Hello @Clodo,
     
    Confirmed, "Don't ask elevation every run" is checked. Yes. No, an UAC prompt does not appear.

    The strange thing is that I only get an UAC prompt from Windows on boot if I have Eddie set to "Start with System". Any manual start of Eddie never produces an UAC prompt...

    I hope that this helps...
  8. Thanks
    Clodo got a reaction from Flx in Eddie Desktop 2.21 beta released   ...
    After the testing, our Config Generator will be able to create WireGuard .conf file, usable without Eddie (wg / wg-quick or any official WireGuard app).
  9. Like
    Clodo got a reaction from Monotremata in Eddie Desktop 2.21 beta released   ...
    You need to keep "Use Hummingbir d" for now, making HB the default may occur in future release.
  10. Like
    Clodo reacted to boblinthewild in Eddie Desktop 2.21 beta released   ...
    2.21 beta working perfectly on Windows 11 22000.100.
  11. Thanks
    Clodo got a reaction from blackpaws in [ERROR] '/usr/sbin/nscd' not owned by root   ...
    I'm investigating this issue, it will be fixed in the next release.
  12. Like
    Clodo reacted to Xfeatures in A manage ports bug   ...
    Hi AirVPN,

    I've noticed that when visiting the Client Area > Forwarded ports section there is a HTML value that does not need to be there as it is displaying on the submit button:

    This can be fixed if you remove the value field from the HTML, I cant see why its there, please correct me if i am wrong:



    Hope this helps
     
  13. Like
    Clodo got a reaction from harold.lewis in Eddie Desktop 2.19beta released   ...
    On Arch launch sudo pacman -S stunnel
  14. Thanks
    Clodo got a reaction from kid_kyrie in Eddie Desktop 2.19beta released   ...
    Hi, we compile Eddie with Raspberry OS 64 beta (based on Debian). I don't have currently an Ubuntu rPI for testing.
    Anyway in the latest release we fix a bug related to elevation in CLI mode under Linux, please recheck.

    Please note also that aarch64 edition of Eddie include OpenVPN 2.4.8 (armv7 and other platform include the latest 2.5.0). This because OpenVPN build process is not still updated to support aarch64, it's a pending issue.
  15. Like
    Clodo reacted to OpenSourcerer in ipleak.net DNS zone is broken   ...
    IPLeak resolves with my ISP's DNS servers now.
  16. Thanks
    Clodo got a reaction from cambell in Eddie Desktop 2.19beta released   ...
    All of your: please retry the latest beta version, contain the fix. Thanks.
  17. Like
    Clodo reacted to cambell in Eddie Desktop 2.19beta released   ...
    Clodo, thanks. 2.19.6. is working great, stay safe🤗
    Just 1 thing. Should in settings networking layer inside tunnel ipv4 if issue is deteced be ticked. It isn't by default!
    ipv6 is. Thanks
  18. Thanks
    Clodo got a reaction from kid_kyrie in Eddie Desktop 2.19beta released   ...
    Hi, we compile Eddie with Raspberry OS 64 beta (based on Debian). I don't have currently an Ubuntu rPI for testing.
    Anyway in the latest release we fix a bug related to elevation in CLI mode under Linux, please recheck.

    Please note also that aarch64 edition of Eddie include OpenVPN 2.4.8 (armv7 and other platform include the latest 2.5.0). This because OpenVPN build process is not still updated to support aarch64, it's a pending issue.
  19. Thanks
    Clodo got a reaction from cambell in Eddie Desktop 2.19beta released   ...
    All of your: please retry the latest beta version, contain the fix. Thanks.
  20. Confused
    Clodo got a reaction from Staff in ipleak.net DNS zone is broken   ...
    This occurs because we use PowerDNS software.

    https://doc.powerdns.com/authoritative/appendices/FAQ.html

    IpLeak has this configuration since almost TEN years ago, it's very very difficult for us to think the issue is not yet resolved.
    Anyway, this is still under investigation, but currently we can't fix, we can't replace PowerDNS.
  21. Like
    Clodo got a reaction from cambell in How to use wintun driver in Windows   ...
    The problem with OpenVPN2.5 rc2 (or rc1, or beta5) with Eddie is caused by recent changes in OpenVPN that produce a compatibility issue.
    Please be patient, both errors above ("Object reference not set to an instance of an object." and "ERROR:  Wintun requires SYSTEM privilege") will be fixed in the next Eddie release, please wait.
    We plan to release version 2.19.5 in a few days, and another one (or maybe the same) in bundle with OpenVPN 2.5 STABLE when a stable version is released.
  22. Like
    Clodo got a reaction from cambell in How to use wintun driver in Windows   ...
    The problem with OpenVPN2.5 rc2 (or rc1, or beta5) with Eddie is caused by recent changes in OpenVPN that produce a compatibility issue.
    Please be patient, both errors above ("Object reference not set to an instance of an object." and "ERROR:  Wintun requires SYSTEM privilege") will be fixed in the next Eddie release, please wait.
    We plan to release version 2.19.5 in a few days, and another one (or maybe the same) in bundle with OpenVPN 2.5 STABLE when a stable version is released.
  23. Like
    Clodo reacted to nwlyoc in Interactive Wrapper for Eddie's CLI version   ...
    Hello,
    after I posted some suggestions for Eddie's CLI version in this thread and received some helpful information there, I set out to write my own little interface in bash for it to implement the suggestions. Being no programmer it turned out to be quite a project for me, and I would like to share it here in case anybody else prefers to run Eddie in the terminal rather than as a full GUI application. This script still uses Eddie itself, it's just a wrapper to make it as easy to use in the command line as it is as a desktop application. Screenshots are attached.
     
    Some features and advantages:
    uses less resources (top shows usually 0.3% CPU usage compared to 4-5% for the desktop version) can be exited without disconnecting interactive, sortable server list option to connect to another VPN with openconnect (since I need to do that from time to time, but it should be easy to add other connection methods as well) option to lock down the system's network traffic by default, so even without Eddie running with its own network lock there will be no leaks What to watch out for:
    The default network lock works with direct rules in firewalld because I'm using Fedora. It should be easy to change it to use iptables directly on other distributions since firewalld's direct rules are just a way to directly manipulate iptables. Once activated, the lock will stay in place until manually deactivated (also surviving reboots), so no internet connection will be possible unless connected to AirVPN or other whitelisted VPNs. AirVPN's network lock overwrites the default network lock, so there will be no interference. Check your /etc/resolv.conf file while not running Eddie (because Eddie's network lock replaces that file temporarily) to make sure your router is not set as a nameserver (so no 192.168... address). Some routers will push themselves on that list by DHCP whenever you connect to their network. Since communication with the router is allowed in the lock rules, DNS requests will be handled by the router and sent to whatever DNS server is configured there even when network traffic should be blocked. There are ways to prevent that file from being changed by DHCP, best configure network manager for that if you use it. To connect to other VPNs, their IPs must be whitelisted and DNS requests for their domains must be allowed in the default network lock rules. The rules for airvpn.org can be copied and adjusted. I haven't yet included an option to pass command line arguments to Eddie. So if you need to set more advanced options like black-/whitelists, use of certain protocols etc., you need to set them manually in the connect_server function. All the possible options can be found in 'man eddie-ui'. You need to insert your own API key in line 5. It can be found in your account under Client Area -> API. Without this, connections will still work, but user info and connection status in the main window will not be properly updated. I tried to only use basic system tools. The script relies mostly on dialog, awk and curl (and firewalld as described and openconnect if needed), so it should work on most systems, but I'm not sure. And, lastly, VERY IMPORTANT: As I said, I'm no programmer and new to this, so even though I tried my best to make this script secure and error free, there might very well be some bad practice, never-ever-do-this mistakes or other hiccups in there. It works well for me, but better check it yourself. Feel free to use this as you wish, I hope someone can benefit from this. I'm happy about any improvements and corrections and will update this if I find the time.

    UPDATE: A new version which uses Hummingbird and has been improved in many aspects (including automatic connection at boot) can be found here.
     
    #!/bin/bash # an interactive shell script to control the command line version of the AirVPN Eddie client and openconnect more comfortably PROFILE_PATH="$HOME/.airvpn/default.xml" API_KEY="<your api key>" DIALOG_OK=0 DIALOG_CANCEL=1 DIALOG_EXTRA=3 DIALOG_ESC=255 HEIGHT=0 WIDTH=0 BACKTITLE="VPN Control" FORMAT="text" URL="https://airvpn.org/api/" PID=$$ function check_sudo { # check if user has sudo privileges sudo -vn &> /dev/null # gain sudo privileges for commands that need it (better than running everything with sudo) if [ $? = "1" ] then unset EXIT_STATUS_SUDO PASS_PROMPT="Establishing VPN connections and changing network traffic rules requires root privileges. Please enter your password:" until [ "$EXIT_STATUS_SUDO" = "0" ] do dialog \ --backtitle "$BACKTITLE" \ --title "Password Needed" \ --output-fd 1 \ --insecure \ --passwordbox "$PASS_PROMPT" 11 35 | xargs printf '%s\n' | sudo -Svp '' &> /dev/null EXIT_STATUS_PIPE=( "${PIPESTATUS[@]}" ) EXIT_STATUS_DIALOG="${EXIT_STATUS_PIPE[0]}" EXIT_STATUS_SUDO="${EXIT_STATUS_PIPE[2]}" EXIT_SUDO_TEST="${EXIT_STATUS_PIPE[2]}" PASS_PROMPT="The password you entered is incorrect. Please try again:" case $EXIT_STATUS_DIALOG in $DIALOG_CANCEL|$DIALOG_ESC) return 1 ;; esac done # keep sudo permission until script exits or permissions are revoked (e.g. when computer goes to sleep) while [ "$EXIT_SUDO_TEST" = "0" ]; do sudo -vn; EXIT_SUDO_TEST=$?; sleep 60; kill -0 "$PID" || exit; done &> /dev/null & fi return 0 } function get_list { SERVICE_NAME="status" ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\" }" timeout --signal=SIGINT 10 curl -s -d "$ARGS" -X POST "$URL" > "/tmp/.eddie_server_list.txt" } function sort_list { # pipe server status list to awk, filter out unnecessary stuff, # combine lines that relate to same server into single lines which are saved as array, # loop through array to format info, # print array and sort according to options, # add numbers to list for menu LIST=$(awk -F '[.]' \ 'BEGIN{OFS=";"} \ /^servers/ && !/ip_/ && !/country_code/ {c=$2; \ if (c in servers) servers[c]=servers[c] OFS $3; \ else servers[c]=$3; \ for (k in servers) gsub(/;bw=/, " :", servers[k]); \ for (k in servers) gsub(/;bw_max=/, "/", servers[k]); \ for (k in servers) gsub(/;currentload=/, " :", servers[k]); \ for (k in servers) gsub(/;health=/, "%:", servers[k]); \ for (k in servers) gsub(/;.*=/, ":", servers[k]); \ for (k in servers) gsub(/^.*=/, "", servers[k])} \ END{ \ for (c in servers) print servers[c]}' "/tmp/.eddie_server_list.txt" | sort -t ":" $1 | awk -F '[;]' 'BEGIN{OFS=":"} {print v++";"$1}') } function get_userinfo { SERVICE_NAME="userinfo" ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\", \"key\":\"$API_KEY\" }" # filter specific lines, save values to variables after protecting whitespace read U_LOGIN U_EXP U_CONNECTED U_DEVICE U_SERVER_NAME U_SERVER_COUNTRY U_SERVER_LOCATION U_TIME <<< $( \ timeout --signal=SIGINT 10 curl -s -d "$ARGS" -X POST "$URL" | \ awk -F '[=]' \ 'BEGIN{ORS=";"} \ /^user.login|^user.expiration_days|^user.connected|^sessions.*device_name|^connection.server_name|^connection.server_country=|^connection.server_location|^connection.connected_since_date/ \ {print $2}' | \ sed 's/\ /\\\ /g' | sed 's/;/\ /g' \ ) if [ "$U_CONNECTED" = "1" ] then U_CONNECTED="connected" U_SERVER_FULL="$U_SERVER_NAME ($U_SERVER_LOCATION, $U_SERVER_COUNTRY)" U_TIME=$(date -d "$U_TIME UTC" +"%m/%d/%Y %H:%M:%S") else U_CONNECTED="not connected" U_SERVER_FULL="--" U_TIME="--" fi } function connect_server { if [ "$KILLED" = "true" ] then # create pipes to process status of client if [ ! -p "/tmp/.eddie_fifo1" ] then mkfifo "/tmp/.eddie_fifo1" fi if [ ! -p "/tmp/.eddie_fifo2" ] then mkfifo "/tmp/.eddie_fifo2" fi # run eddie in background and detached from current window, pipe output to named pipe (sudo eddie-ui --cli --netlock --connect --server="$1" --profile="$PROFILE_PATH" | tee "/tmp/.eddie_fifo2" &> "/tmp/.eddie_fifo1" &) cat "/tmp/.eddie_fifo2" | dialog --backtitle "$BACKTITLE" --title "Connecting to AirVPN..." --progressbox 20 80 & timeout --signal=SIGINT 60 grep -q -m 1 "Initialization Sequence Completed" "/tmp/.eddie_fifo1" INIT_EXIT=$? pkill -f cat.*eddie_fifo2 if [ $INIT_EXIT = "0" ] then get_userinfo else U_CONNECTED="error during connection attempt" U_SERVER_FULL="--" U_TIME="--" fi else U_CONNECTED="error during disconnection" U_SERVER_FULL="--" U_TIME="--" fi } function disconnect_server { # check for running instance of eddie pgrep -f mono.*eddie-ui &> /dev/null if [ $? = 0 ] then # kill process and wait for confirmation from process output if [ -p "/tmp/.eddie_fifo1" -a -p "/tmp/.eddie_fifo2" ] then sudo pkill -2 -f mono.*eddie-ui & cat "/tmp/.eddie_fifo1" | dialog --backtitle "$BACKTITLE" --title "Disconnecting AirVPN..." --progressbox 20 80 & timeout --signal=SIGINT 10 grep -q -m 1 "Shutdown complete" "/tmp/.eddie_fifo2" else # in case connection was started without this script sudo pkill -2 -f mono.*eddie-ui sleep 5 fi # give some time to completely close process, without sleep it's too early for new connection sleep 3 pgrep -f mono.*eddie-ui &> /dev/null if [ $? = 1 ] then KILLED1="true" else KILLED1="false" fi else KILLED1="true" fi # check for running instance of openconnect pgrep -f "openconnect.*--" &> /dev/null if [ $? = 0 ] then sudo pkill -2 -f "openconnect.*--" sleep 1 pgrep -f "openconnect.*--" &> /dev/null if [ $? = 1 ] then KILLED2="true" # somehow openconnect doesn't receive SIGINT and shuts down improperly, # so vpnc can't restore resolv.conf by itself sudo cp "/var/run/vpnc/resolv.conf-backup" "/etc/resolv.conf" else KILLED2="false" fi else KILLED2="true" fi if [ "$KILLED1" = "true" -a "$KILLED2" = "true" ] then KILLED="true" else KILLED="false" fi } function define_lock { if [ "$1" = "activate" ] then GAUGE_TITLE="Activating Network Lock" RULE_ACTION="add-rule" elif [ "$1" = "deactivate" ] then GAUGE_TITLE="Deactivating Network Lock" RULE_ACTION="remove-rule" else return 1 fi GAUGE_BODY="$1" IPRULES=(\ #allow loopback "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 0 -i lo -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -o lo -j ACCEPT" \ #allow lan (out) and broadcasting/dhcp "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT" \ # allow tun device to communicate (so any VPN connection should be possible, also without Air, but respective DNS requests must be allowed) "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter FORWARD 0 -o tun+ -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter FORWARD 0 -i tun+ -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT" \ # optional masquerade rule (NAT/ports) "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE" \ # allow ipv4 only to airvpn.org for status update # allow DNS query to resolve hostname (hex string reads "06 airvpn 03 org" - numbers are counting bits), # restrict packet length to length of this specific request package (might change?) to avoid hijacking # of query (very unlikely I guess, but who cares if we're already being paranoid for the fun of it), # whitelist destination IP for TCP handshake "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p udp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p tcp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT" \ # add rules for other domains you wish to allow DNS requests to here (packet length can be determined with e.g. wireshark) and adjust array index # # allow SYN request to whitelisted IP to initiate handshake, remove IP from whitelist "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p tcp --syn --dport 53 -m recent --remove -j ACCEPT" \ # allow outgoing connection to Air's IP "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT" \ # add rules for other IPs you wish to allow connections to here # # allow communication "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \ # drop outgoing ipv4 (if not specifically allowed by other rules) "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 999 -j DROP" \ # block incoming ipv4 "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 999 -j DROP" \ # drop all ipv6 "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv6 filter OUTPUT 0 -j DROP" \ "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv6 filter INPUT 0 -j DROP" \ # reload and restart firewalld to activate permanent rule changes "sudo firewall-cmd --reload" \ "sudo systemctl restart firewalld"\ ) toggle_lock } function toggle_lock { PERCENTAGE_STEP=$(awk -v rules="${#IPRULES[@]}" 'BEGIN {print 100/rules}') PERCENTAGE=0 COUNTER=0 # initial window dialog --backtitle "$BACKTITLE" \ --title "$GAUGE_TITLE" \ --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \ "Allow Loopback IN" "${RESULT[0]}" \ "Allow Loopback OUT" "${RESULT[1]}" \ "Allow LAN OUT" "${RESULT[2]}" \ "Allow DHCP IN" "${RESULT[3]}" \ "Allow DHCP OUT" "${RESULT[4]}" \ "Allow tun out FORWARD" "${RESULT[5]}" \ "Allow tun in FORWARD" "${RESULT[6]}" \ "Allow tun out OUT" "${RESULT[7]}" \ "tun masquerade" "${RESULT[8]}" \ "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \ "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \ "Allow connection initiation" "${RESULT[11]}" \ "Allow traffic to airvpn.org" "${RESULT[12]}" \ "Allow established connections" "${RESULT[13]}" \ "Block IPv4 OUT" "${RESULT[14]}" \ "Block IPv4 IN" "${RESULT[15]}" \ "Block IPv6 OUT" "${RESULT[16]}" \ "Block IPv6 IN" "${RESULT[17]}" \ "activate changes" "${RESULT[18]}" \ "restart firewalld" "${RESULT[19]}" for i in "${IPRULES[@]}" do RESULT["$COUNTER"]=$(eval $i) (( COUNTER++ )) PERCENTAGE=$(awk -v per="$PERCENTAGE" -v per_step="$PERCENTAGE_STEP" 'BEGIN {print per+per_step}') # progress window dialog --backtitle "$BACKTITLE" \ --title "$GAUGE_TITLE" \ --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \ "Allow Loopback IN" "${RESULT[0]}" \ "Allow Loopback OUT" "${RESULT[1]}" \ "Allow LAN OUT" "${RESULT[2]}" \ "Allow DHCP IN" "${RESULT[3]}" \ "Allow DHCP OUT" "${RESULT[4]}" \ "Allow tun out FORWARD" "${RESULT[5]}" \ "Allow tun in FORWARD" "${RESULT[6]}" \ "Allow tun out OUT" "${RESULT[7]}" \ "tun masquerade" "${RESULT[8]}" \ "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \ "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \ "Allow connection initiation" "${RESULT[11]}" \ "Allow traffic to airvpn.org" "${RESULT[12]}" \ "Allow established connections" "${RESULT[13]}" \ "Block IPv4 OUT" "${RESULT[14]}" \ "Block IPv4 IN" "${RESULT[15]}" \ "Block IPv6 OUT" "${RESULT[16]}" \ "Block IPv6 IN" "${RESULT[17]}" \ "activate changes" "${RESULT[18]}" \ "restart firewalld" "${RESULT[19]}" done # final window to show results dialog --backtitle "$BACKTITLE" \ --title "$GAUGE_TITLE" \ --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \ "Allow Loopback IN" "${RESULT[0]}" \ "Allow Loopback OUT" "${RESULT[1]}" \ "Allow LAN OUT" "${RESULT[2]}" \ "Allow DHCP IN" "${RESULT[3]}" \ "Allow DHCP OUT" "${RESULT[4]}" \ "Allow tun out FORWARD" "${RESULT[5]}" \ "Allow tun in FORWARD" "${RESULT[6]}" \ "Allow tun out OUT" "${RESULT[7]}" \ "tun masquerade" "${RESULT[8]}" \ "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \ "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \ "Allow connection initiation" "${RESULT[11]}" \ "Allow traffic to airvpn.org" "${RESULT[12]}" \ "Allow established connections" "${RESULT[13]}" \ "Block IPv4 OUT" "${RESULT[14]}" \ "Block IPv4 IN" "${RESULT[15]}" \ "Block IPv6 OUT" "${RESULT[16]}" \ "Block IPv6 IN" "${RESULT[17]}" \ "activate changes" "${RESULT[18]}" \ "restart firewalld" "${RESULT[19]}" sleep 2 unset RESULT check_lock } function check_lock { # check for success (not really though, needs improvement) LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l ) if [ "$LOCK_RULES" -gt 16 ] then LOCK_ACTIVE="active" else LOCK_ACTIVE="inactive" fi } function yesno { dialog \ --backtitle "$BACKTITLE" \ --title "$1" \ --clear \ --yesno "$2" \ $HEIGHT $WIDTH EXIT_STATUS=$? } check_sudo if [ $? = "1" ] then clear exit fi get_userinfo # if currently connected by openconnect, set status to unknown (connection could have been established outside of this script) pgrep openconnect &> /dev/null if [ $? = 0 ] then U_CONNECTED="connected (openconnect)" U_SERVER_FULL="unknown" U_TIME="unknown" fi check_lock while true; do exec 3>&1 selection=$(dialog \ --cr-wrap \ --backtitle "$BACKTITLE" \ --title "Main Menu" \ --clear \ --cancel-label "Quit" \ --menu "This is a control script for VPN connections, primarily for Eddie, the AirVPN client.\nThis script can be exited and re-entered without affecting a running connection.\n\nUser: $U_LOGIN\nDays Until Expiration: $U_EXP\n\nDefault Network Lock: $LOCK_ACTIVE\n\nStatus: $U_CONNECTED\nServer: $U_SERVER_FULL\nConnected Since: $U_TIME\n\nPlease select one of the following options:" $HEIGHT $WIDTH 6 \ "0" "Connect to Recommended Server" \ "1" "Connect to Specific Server" \ "2" "Connect via openconnect" \ "3" "Disconnect" \ "4" "Refresh User Info" \ "5" "Toggle Default Network Lock" \ 2>&1 1>&3) EXIT_STATUS=$? exec 3>&- case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) yesno "Quit" "Exit Script?" case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) ;; $DIALOG_OK) break ;; esac ;; esac case $selection in 0 ) check_sudo if [ $? = "0" ] then disconnect_server connect_server "" fi ;; 1 ) while true; do exec 3>&1 SERVER_SORT=$(dialog \ --backtitle "$BACKTITLE" \ --title "Sort Server List" \ --no-collapse \ --ok-label "sort ascending" \ --extra-button \ --extra-label "sort descending" \ --menu "Please choose how you want to sort the server list." \ 14 0 7 \ "1" "Name" \ "2" "Country" \ "3" "Location" \ "4" "Continent" \ "5" "Bandwidth" \ "6" "Users" \ "7" "Load" \ 2>&1 1>&3) EXIT_STATUS=$? exec 3>&- case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) break ;; $DIALOG_EXTRA) SERVER_SORT_OPTION="r" ;; $DIALOG_OK) SERVER_SORT_OPTION="" ;; esac if [ "$SERVER_SORT" = "5" -o "$SERVER_SORT" = "6" -o "$SERVER_SORT" = "7" ] then SERVER_NUM_OPTION="n" else SERVER_NUM_OPTION="" fi if [ ! -f "/tmp/.eddie_server_list.txt" ] then get_list fi while true do sort_list "-k$SERVER_SORT,$SERVER_SORT$SERVER_SORT_OPTION$SERVER_NUM_OPTION" IFS=$';\n' exec 3>&1 SERVER_NMBR=$(dialog \ --backtitle "$BACKTITLE" \ --title "Server List" \ --colors \ --no-collapse \ --extra-button \ --extra-label "Refresh List" \ --column-separator ":" \ --menu "Choose a server from the list to connect to it. (Press ESC to go back.)\n\n\Zb # Name Country Location Continent Bandwidth Users Load Health\ZB" \ 40 102 31 $LIST 2>&1 1>&3) EXIT_STATUS=$? exec 3>&- IFS=$' \t\n' case $EXIT_STATUS in $DIALOG_CANCEL) break 2 ;; $DIALOG_ESC) break ;; $DIALOG_EXTRA) get_list ;; $DIALOG_OK) check_sudo if [ $? = "0" ] then SELECTED_SERVER=$(printf -- '%s\n' "${LIST[@]}" | grep "^$SERVER_NMBR;" | cut -d ";" -f 2 | cut -d ":" -f 1) disconnect_server connect_server "$SELECTED_SERVER" break 2 fi ;; esac done done ;; 2 ) exec 3>&1 # adjust field lengths if necessary CONNECT_INFO=$(dialog \ --backtitle "$BACKTITLE" \ --title "VPN via openconnect" \ --insecure \ --mixedform "Please provide your login credentials to connect to a VPN via openconnect:\n(Leave unneeded fields blank and type options as in command line, separated by space.)" $HEIGHT $WIDTH 6 \ "Server:" 1 1 "" 1 21 25 0 0 \ "Group:" 2 1 "" 2 21 25 0 0 \ "User:" 3 1 "" 3 21 25 0 0 \ "Password:" 4 1 "" 4 21 25 0 1 \ "Additional Options:" 5 1 "" 5 21 25 0 0 \ 2>&1 1>&3) EXIT_STATUS=$? exec 3>&- case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) ;; $DIALOG_OK) check_sudo if [ $? = "0" ] then disconnect_server if [ "$KILLED" = "true" ] then if [ ! -p "/tmp/.eddie_fifo1" ] then mkfifo "/tmp/.eddie_fifo1" fi ALT_SERVER=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 1) ALT_GROUP=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 2) ALT_USER=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 3) ALT_PASS=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 4) ALT_OPTS=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 5) echo "$ALT_PASS" | (sudo openconnect $ALT_OPTS --authgroup=$ALT_GROUP --user=$ALT_USER --passwd-on-stdin $ALT_SERVER &> "/tmp/.eddie_fifo1" &) timeout --signal=SIGINT 3 cat "/tmp/.eddie_fifo1" | dialog --backtitle "$BACKTITLE" --title "Connecting via openconnect..." --timeout 5 --programbox 20 80 U_CONNECTED="connected" U_SERVER_FULL="$ALT_SERVER" U_TIME=$(date +"%m/%d/%Y %H:%M:%S") else U_CONNECTED="error during disconnection" U_SERVER_FULL="--" U_TIME="--" fi fi ;; esac ;; 3 ) check_sudo if [ $? = "0" ] then disconnect_server if [ "$KILLED" = "true" ] then get_userinfo else U_CONNECTED="error during disconnection" U_SERVER_FULL="--" U_TIME="--" fi if [ -p "/tmp/.eddie_fifo1" ] then rm "/tmp/.eddie_fifo1" fi if [ -p "/tmp/.eddie_fifo2" ] then rm "/tmp/.eddie_fifo2" fi fi ;; 4 ) get_userinfo ;; 5 ) pgrep -f mono.*eddie-ui &> /dev/null if [ $? = 0 ] then dialog --backtitle "$BACKTITLE" --title "Toggle Network Lock" --timeout 3 --msgbox "You need to be disconnected to change network traffic rules." 10 35 else if [ "$LOCK_ACTIVE" = "inactive" ] then yesno "Toggle Network Lock" "Are you sure you want to activate the default network lock and block all connections while not connected to (any) VPN?" case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) ;; $DIALOG_OK) check_sudo if [ $? = "0" ] then define_lock "activate" fi ;; esac else yesno "Toggle Network Lock" "Are you sure you want to deactivate the default network lock and allow all connections, even when not connected to a VPN?" case $EXIT_STATUS in $DIALOG_CANCEL|$DIALOG_ESC) ;; $DIALOG_OK) check_sudo if [ $? = "0" ] then define_lock "deactivate" fi ;; esac fi fi ;; esac done clear





  24. Like
    Clodo reacted to nwlyoc in Interactive Wrapper for Hummingbird (with boot script and default network lock)   ...
    Hello,
    last year I had written a wrapper for Eddie's CLI version (in bash) to be able to use it more easily and extensively in the linux command line like the GUI, but with less resources. I have used it since then every day without problems, but now I have finally gotten to overhaul it and adjust it to Hummingbird because it is just so much faster! I also tried to make it more easy to configure (by having a separate configuration file) and added some new functionality like support (and automatic recognition) of iptables and nftables to lock down the system even without being connected to AirVPN and automatic connection at boot with a systemd unit.
    Again, feel free to use this as you wish, I hope someone can benefit from this. I'm happy about any improvements and corrections and will update this if I find the time.

    Features
    graphical interface in the command line to connect to AirVPN with Hummingbird (no Eddie involved) runs in background, the interface can be closed/opened anytime without affecting the running connection possibility to connect to any server with just one ovpn configuration file easily connect to a random server, to a recommended server, to the recommended server of a specific country or to a specific server sortable list of all servers including info like used bandwidth, load and number of users possibility to connect to other VPNs with openconnect lock down system by default (permanently if you want), so even without AirVPN/Hummingbird running there won't be any unwanted network traffic automatically establish connection at boot (which can later be controlled via the interface) logging of Hummingbird's output (number of days to keep logs for can be adjusted) system notifications to let you know what happens in the background
    Some general notes The default network lock determines, like Hummingbird itself, if iptables, iptables-legacy or nftables is available on your system and will use the first one found in that list. You can overwrite that by specifying which one to use in the configuration file. Once activated, the lock will stay in place until manually deactivated, so no internet connection will be possible unless connected to AirVPN or other whitelisted VPNs. You can make the lock permanent (or rather activate at boot) by enabling that option in the configuration file. AirVPN's network lock overwrites the default network lock, so there will be no interference. IMPORTANT: If you have any frontend firewall for iptables/nftables running, you might to disable that or read up on how it might interfere with rule changes you make directly via iptables/nft. The same thing applies if you use just Hummingbird itself. If you enable the default permanent network lock, it will write the lock rules at boot, most likely overwriting rules by firewalld or the like, but other enabled firewalls might interfere later. Also important: If you have SELinux and you want to use nftables for Hummingbird starting at boot, you have to create a SELinux exception for nft bcause otherwise it will be denied and Hummingbird starts without setting up its own lock, thus leaving you unprotected (AirVPN staff is aware of this issue). You can do that with audit2allow. Follow for example this guide to troubleshoot the problem and fix it with the solution given by sealert. Check your /etc/resolv.conf file while not running Hummingbird (because Hummingbird's network lock replaces that file temporarily) to make sure your router is not set as a nameserver (so no 192.168... address). Some routers will push themselves on that list by DHCP whenever you connect to their network. Since communication with the router is allowed in the lock rules, DNS requests will be handled by the router and sent to whatever DNS server is configured there even when network traffic should be blocked. There are ways to prevent that file from being changed by DHCP, best configure network manager for that if you use it. To connect to other VPNs, their IPs must be whitelisted and DNS requests for their domains must be allowed in the default network lock rules (netfilter_ipbatles.rulesipv4/ipv6 and/or netfilter_nftables.rules). Only edit those files with the default network lock deactivated. The rules for airvpn.org can be copied and adjusted. You can set custom options for Hummingbird in the interface or the configuration file. All the possible options can be found in the Hummingbird manual or with sudo hummingbird --help Apart from dialog I tried to only use basic system tools. The scripts will check if everything needed is present, if not they will exit. At least bash 4 is needed. The scripts rely mostly on dialog, awk and curl (and iptables/nft as described and openconnect if needed), so it should work on most systems. I wrote and tested this on Fedora 32 with Hummingbird 1.0.3. It should be possible to use any ovpn config file generated by the AirVPN's config generator. Even with the file for one specific server it should be possible to connect to any other server because the server override function is used here. I haven't tested that extensively though and just use the config file for earth. AirVPN's API seems to be a little unreliable sometimes as in not correctly reporting the connection status. Sometimes the API reports me not being connected although I am connected to an AirVPN server. This is no big deal, it just means that the connection status sometimes may be shown falsely as disconnected. If you have the default network lock activated, no traffic would be possible if you were actually disconnected. And, lastly, VERY IMPORTANT: I am still no programmer and do this only on this on the side, so even though I tried my best to make these scripts secure and error free, there might very well be some bad practice, never-ever-do-this mistakes or other hiccups in there. It works very well for me (and has for quite a while by now), but better check it yourself.  
    UPDATE
    As of 2020/08/29 this project including updates, changelog and further instructions is publicly available on GitLab. There it can be more easily examined, downloaded and updated. Thus I have removed the scripts, installation instructions and the archive with all the files from this post. Check out the GitLab project for the newest version.
     





     
     
     
     
  25. Like
    Clodo got a reaction from User of AirVPN in Wireguard response from Mullvad   ...
    It is not mandatory to wait for next Debian version: we are already testing up to date WireGuard version.
    When we'll make WireGuard available to customers, it will be on all servers.
     


    Exactly, it's unavoidable.
     


    With OpenVPN that's currently correct.

    However, with WireGuard we need to keep it, because it's written in .conf file generated via Config Generator and stored by users. See below for users' option to change or invalidate it.

     

    Some of our competitors do this. 
    Some accept only their official client software because of the issue. That's neither good nor acceptable for us, as we don't want to lock user into our software.
    Therefore the change you mention might be an Eddie's additional feature but we will try to make Wireguard main branch as secure as Eddie's, whenever possible.
     
     


    Yes, we still use ifconfig-pool-persist in OpenVPN.  It's very different than Wireguard's addresses binary mapping, especially under a legal point of view.

    When a client is connected, OpenVPN daemon necessarily needs to link clients' public and VPN IP addresses. As soon as the client disconnects the link is lost.
    One of WireGuard controversies is that client's real IP address remains visible with 'wg show' even after client's disconnection. The issue is resolved by removing and re-adding the peer after a disconnection (disconnection in WireGuard is basically a handshake timeout).

     


    Some current testing implementation features are:
    Unique WireGuard IPv4 and IPv6 subnets across servers which don't conflict with OpenVPN subnets Assigning a non-conflicting, pseudo-random, local IP address  for each customer's device (for AllowedIPs), similar to remotely forwarded port assignments Users can renew a local IP address for a device anytime. WireGuard .conf manually used in official client would become invalid. Eddie will automatically update. The same happens when a user regenerates OpenVPN client certificate and key pair: the action invalidates any previously stored OpenVPN profile.
    We will offer an API to automate the above, letting users write a script that performs HTTPS calls to change local IP address, download updated .conf, and then wg-quick. 

    An API to obtain a .conf file (Config Generator without UI) is already in production for OpenVPN and it will be of course available for WireGuard too.

    When a device's WireGuard local IP address changes, up to a 10 seconds wait is required. It's the time required to propagate device key onto all VPN servers, in order to update the AllowedIPs peer node.

    No other solution allowing us to let our customers use the official WireGuard client with a simple .conf file and, at the same time, preserve their privacy currently exists.

    Please keep the above information as a proposal: we are currently studying pros and cons and something may change before WireGuard public beta support in our VPN servers is available.
     
×
×
  • Create New...