Posts posted by Staff


  1. Hello!

    As you already noted, the DNS push appears correct. Also, the routing table is correct.

    The odd thing is that you have problems with all the servers except Pegasi, but all the servers have the very same configuration and same OpenVPN server version, scripts etc.

    Can you please check the following:

    http://code.google.com/p/tunnelblick/wiki/cConnectedBut#If_OpenVPN_is_connected_to_the_server_but_you_can%27t_access

    In particular, check your Mac DNS settings in "System Preferences".

    Kind regards


  2. Thanks for the reply. Unfortunately, I can't get much help from LnS support because they're MIA. The firewall seems like it's not supported anymore, which is a shame. But it's the best, and really the only, rule-based firewall out there that doesn't have a HIPS or antivirus scanner, etc., so I'm keeping it.

    Hello!

    HIPS and Antivirus are optional in Comodo. Our guide refers to Comodo Firewall; Antivirus and HIPS are not required. However, Windows users may greatly benefit from the additional protection provided by Defense+ against very many threats.

    In order to disable permanently Comodo HIPS, set Defense+ to "Disabled".

    In order to disable permanently Comodo Antivirus, just install Comodo Firewall (i.e. do not install the package Firewall+Antivirus), or set "Antivirus" to "Disabled".

    I've gone through the Comodo thread as best I can and created some rules that will help. From top to bottom:

    1. VPN Allow - Allow TCP/UDP in/out from my nic MAC and routed IP to any MAC on TCP/UDP port 443

    For other readers who like the same approach: change the destination port, or add rules, in case you connect to ports 53 or 80. EDIT: please note that this approach is deprecated by us.

    5. VPN DHCP - Allow all in/out from any IP port 67 to any MAC to IP equal to 255.255.255.255 any port.

    You might need to add port 68 too.

    6. VPN Block - Block TCP/UDP in/out from any MAC IP Range not in 10.4.0.0 - 10.9.255.255 to any MAC different than my adapter MAC, and IP any port. The rule is activated when utorrent.exe is active

    That about sums up the ruleset. I'm not looking at it to block DNS leaks, just to block connections from utorrent.exe should the VPN drop.

    If it's a global rule, the above rule also prevents DNS leaks (and any other leak, except those toward port 443 from your physical interface) by blocking everything outside the tunnel, including svchost.exe DNS queries leaks. Therefore, after you're connected to the VPN you can activate it even though utorrent is not running.

    Please be aware that this rule must be inactive in order to allow DNS resolution when you don't want to be connected to the VPN etc.

    EDIT: finally please be aware that this approach will not prevent leaks toward port 443 (or 80 or 53).

    Kind regards


  3. My VPN keeps dropping out, can't supply logs, can you please investigate.

    Hello!

    After your message it appears that your connection is stable. Can you confirm that the problem is solved? If the problem occurs again, it's likely that it's a momentary problem due to some factor such as routing, Internet congestion, peering, so you might try a connection to a TCP port on different servers in order to mitigate it.

    Kind regards


  4. @ergolon

    Hello!

    It was assumed that your client was running in a *BSD machine (OpenBSD, FreeBSD, Mac OSX...) with pf. If you connect through your DD-WRT router, then you must not set the firewall rules specified by the tutorial by jessez on your *BSD device. In order to secure your connection you will have to use iptables on the DD-WRT.

    It's definitely correct that you forward ports in your home network. The warning pertains to forwarding ports in the router physical network interface which communicates with the "outside", which would be dangerous.

    Kind regards


  5. Hello!

    It appears that there's absolutely nothing wrong in your configuration, so it's still likely that it's a firmware problem. In the specialized forums, we have seen tons of E2500 users reporting your very same, exact problem ("connection reset" without explanation), but no solution. So this is not a true support answer, sorry, but we'll keep investigating and keep you updated. Also, feel free to keep the thread "up".

    Kind regards


  6. I find it odd that I always get the same exit IP address when connecting to Castor (haven't checked the other servers). I expected different addresses.

    What am I missing here?

    Thanks.

    Hello!

    It's correct, each server has one, shared exit-IP address.

    Kind regards


  7. Thanks..

    I want to clarify...

    If I'm calling from Skype prepaid calls to a regular phone over VPN, the IP cannot be traced but the conversation can be discovered?

    Hello!

    That's correct. Skype retains any and each encryption key, so Skype can decrypt your communications whenever it wishes or whenever it is asked to do so by a proper authority.

    Second, what about a different VoIP program? Are there any recommended and secure ones?

    This will require a little investigation by you. You might like to start from here:

    http://en.wikipedia.org/wiki/Voip#Securing_VoIP

    Kind regards


  8. Hi there,

    referring to https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=36&Itemid=142#2532, how do I enable port forwarding to my machine in pf.conf?

    Probably this has already been answered, but I just couldn't find it via search...

    Thanks for your help!

    ergolon

    Hello!

    You don't need any "allow" rule on pf (as long as there are no blocking rules for ports on your tun interface): all the traffic is tunneled to/from a single port so all the packets will be properly forwarded to the correct application without need of pf policy. Just make sure that you have remotely forwarded the port(s) you wish on our system.

    https://airvpn.org/faq

    Kind regards


  9. I think that's not hilarious, because I should be able to try the service before buying, or don't??? Ok I'll choose another vpn provider

    Hello!

    In order to test the service you must apply for a free trial AND activate your account with your free trial coupon code. We don't provide free trials with a registration on a website. However, we do provide permanent free access to activists in human rights hostile countries who can't afford to pay.

    Kind regards


  10. After creating a new account, I started the client and logged in, but a message says that my account is not active. I have read the other topics, but for me the problem is not solved. Anyway, I'm running Windows 7 with Comodo Firewall, I don't know if this could be a firewall problem, I allowed the client to connect.

    Hello!

    It is not a mistake, your account is correctly not active and not authorized to access VPN servers. Please subscribe to a plan in order to activate your account.

    Kind regards


  11. I still can't seem to get the attachments to work but I see that my first response never made it. Here it is again.

    ---

    I tried the suggestion to change the direction to "out" as seen in my "try2" screen cap.

    It still has the same problem.

    Just to see what it would do, I set the rule for IE to "ask" instead of "block". "ask.jpg" enclosed popped up. I've included it not knowing if it helps at all.

    Hello!

    It was understood that you were talking about a different application pertaining to VoIP.

    Realizing that I should probably create another thread for this, what is this actually doing? Let's imagine that I'm using a torrent client that has the same rule mentioned earlier with the setting blocking both "in/out". Why would my imaginary client be showing normal uploading and downloading operations if I have only set to exclude an IP range in the source address tab? Shouldn't comodo be stopping either the in or the out?

    No, it must stop only packets "out" NOT coming from 10.4.0.0->10.9.255.255. Your service (torrent client etc.) must be able to receive packets from any IP address. If you reject/drop packets in, you prevent your service from receiving ANY packet, because the range 10.4.0.0->10.9.255.255 is the range of the virtual private network.

    I'm fully aware that these are probably some of the most novice questions but I appreciate the help. It would also be great if anyone had any suggestions as to where to start reading / getting information on how to understand computer networking and infrastructure better. I don't even know what an IPv4 address is or how it differs from IPv6. The wikipedia page kind of helps, but trying to put everything together and figure out why it matters is slow going. I can appreciate the idea behind services like AIRVPN and Comodo but my understanding is very shallow.

    Thanks in advance.

    Don't worry, you don't need to be a network expert to use AirVPN. Anyway, reading the Comodo manual can really help.

    Please follow this tutorial in order to prevent leaks with Comodo without setting up rules for each application:

    https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

    Kind regards


  12. Hello!

    The file attachments are uploaded when you click "Submit", after you have completed your post. You can be sure you have attached a file when you have picked it from the requester which should appear when you click on the attach option. Your attachment was successful and we could see it (did you read the answer?).

    When the forum is in "moderated" mode, all the messages must be approved to show up.

    Kind regards


  13. Hello everyone,

    Need your help.

    A few questions:

    Can someone trace my IP if I'm using WhatsApp over VPN?

    Can someone trace my IP when Skype/Viber phone calls to computer users

    and from Skype to regular phone? Is it possible to trace the IP?

    appreciate it

    Hello!

    No, it's not possible, as long as you are connected to the VPN and you started your application after the connection to a VPN server.

    Anyway, remember that if Skype knows who you are, changing IP does not matter: your calls and chats will be anyway logged and linked to your account.

    Kind regards


  14. I have submitted this message several times and for whatever reason it doesn't show up in "my topics" or the forum. Apologies if I'm the only one not seeing it.

    ---

    Hello!

    Don't worry, it's not a problem with you or your browser. Currently the forum messages need to be approved by a moderator to show up. We took this decision to fight spam.

    Kind regards


  15. I have been enjoying AIRVPN for a while now.

    Today I tried to make a call using google phone while connected to AIRVPN.

    The call box says "download the voice plugin".

    I have it downloaded and running already.

    This is most likely a comodo problem but I learned about comodo and how to set it up here.

    As one of the admins kindly instructed, I made a network connection rule to block TCP and UDP, In/Out and exclude IPv4 Address Range Start 10.4.0.0 End 10.9.255.255. I have this set up on several applications so that connections will be cut off or prevented when not connected to AIRVPN.

    When I turn off comodo, the phone service works fine. What have I done wrong?

    Hello!

    Please change "Direction" in the rule to "Out" only.

    "In/Out" will block any incoming packet for the application not coming from 10.4.0.0->10.9.255.255, effectively blocking any chance for the application to receive any packet.

    Kind regards
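
The effect of the rule's direction described in the reply above, modeled as an added example (not part of the original posts and not Comodo's own logic): a block rule that matches any source address outside 10.4.0.0-10.9.255.255, evaluated over constructed packets. The `Packet` type, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# VPN address range quoted in the posts.
VPN_START = ipaddress.IPv4Address("10.4.0.0")
VPN_END = ipaddress.IPv4Address("10.9.255.255")


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected application
    src: str
    dst: str


def in_vpn_range(addr):
    """True if addr lies inside 10.4.0.0 - 10.9.255.255 (inclusive)."""
    return VPN_START <= ipaddress.IPv4Address(addr) <= VPN_END


def blocked(packet, rule_direction):
    """Apply the block rule; rule_direction is 'out' or 'in/out'.

    The rule matches packets whose SOURCE is outside the VPN range
    (the range is set as an exclusion on the source address).
    """
    applies = packet.direction == "out" or rule_direction == "in/out"
    return applies and not in_vpn_range(packet.src)


def evaluate(rule_direction, packets):
    """Return {packet name: blocked?} for one rule direction."""
    return {name: blocked(p, rule_direction) for name, p in packets.items()}


# Constructed sample traffic (documentation and private addresses only).
SAMPLE = {
    # Sent through the tunnel: source is the VPN-assigned address.
    "out_via_tunnel": Packet("out", "10.5.0.22", "203.0.113.7"),
    # VPN dropped: the application now sends from the LAN address.
    "out_leak_after_drop": Packet("out", "192.168.1.50", "203.0.113.7"),
    # Reply arriving through the tunnel: source is the remote peer.
    "in_via_tunnel": Packet("in", "203.0.113.7", "10.5.0.22"),
}

if __name__ == "__main__":
    for direction in ("out", "in/out"):
        print(direction, evaluate(direction, SAMPLE))
```

With "out" the leak is stopped and replies still arrive; with "in/out" the reply is dropped as well, because a remote peer's address is never inside the VPN range.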


  16. Hello!

    We're glad to inform you that a new servers monitor has been implemented.

    The new monitor provides completely redesigned graphics, additional efficiency and plenty of new information. The new layout will let you be informed more quickly and pleasantly about the status of the Air infrastructure.

    The monitor will also allow us to inform you with more effectiveness about the status of the VPN servers. Each server can have a short message informing you of potential problems or any other relevant information.

    New aggregated data have also been added on the right column. In the "Geographical distribution" table you can see the total of connected clients, used and available bandwidth divided into planets, continents and countries.

    The "Top 10" tables on the right column show the highest detected data in the specified field pertaining only to currently online clients. Nick names are not displayed, however from your "Settings" menu you can allow the display if you wish so. The tables are useful to check stability and verify the performance of the network.

    The monitor is accessible at the usual link https://airvpn.org/status

    As usual your feedback will be appreciated.

    Kind regards


  17. I wonder if someone might be able to help me. I opened a support ticket but I was sent to this thread. That, and it's a little boring talking to myself. I know I'm not using comodo firewall, but someone has to have an opinion or advice about any of this. I'm trying to figure this whole 'block when no vpn, dns leak, dhcp issue' thing out and I could use some help. I want to continue using air but I need to get these issues straightened out.

    Here's what I got:

    A UDP rule that allows port 68 from the source (for DHCP)

    Hello!

    Sorry, we're not familiar with your firewall. Anyway, since it's a commercial product, surely their customer support will be able to translate the Comodo rules for you in 1 minute.

    You should change that rule allowing connections to destination IP 255.255.255.255. To understand why your rule will not necessarily work all the times in the DHCP "negotiation":

    http://support.microsoft.com/kb/169289

    A TCP/UDP rule that allows connection from my nic MAC to a destination port 443

    a TCP/UDP block rule for everything outside 10.4.0.0 - 10.9.255.255 as the source where my nic MAC is the destination when app X is running.

    Apparently this is the wrong approach. Allowing indiscriminate communications to port 443 will not prevent all the leaks, for example from your browser to https websites, if your browser is not in the blocked application list. About the block rule, you will have to insert any and each application that you want to secure against leaks, however remember NOT to insert openvpn.exe and airvpn.exe amongst those.

    Furthermore, it is unclear how you can prevent DNS leaks with this approach. If you put svchost.exe in the secured application list rule, you won't have connectivity at all at the boot or when disconnected from the VPN (not even a successful DHCP handshake), so you would be forced to switch on and off continuously the rule for svchost.exe in order to prevent DNS leaks.

    All in all, probably you can speed up your work and obtain better results just translating Comodo global rules into LooknStop rules.

    Kind regards


  18. Hello!

    It's a nice idea and we have evaluated it. However we consider OpenVPN over TOR much more secure. A multihop VPN with all servers belonging to the same entity might add just a very thin additional security layer. Of course we could create separate entities/companies which handle various servers, however it's difficult to see a real advantage in comparison to Air over TOR.

    Kind regards


  19. DD-WRT also lets you select which devices on your WAN will use the tunnel and which not.

    Kind regards

    Ahhhhhhhh this is perfect, I did not know this. I thought it would be for the entire router. That makes this whole thing a lot easier.

    Hello!

    Yes, DD-WRT supports Policy Based Routing with multiple routing tables. If you're curious, start from here to get an idea:

    http://www.dd-wrt.com/wiki/index.php/Policy_Based_Routing

    and then have a look here:

    http://www.dd-wrt.com/wiki/index.php/OpenVPN

    So you might say, for example, that 192.168.1.101 uses the tunnel, while 192.168.1.102 does not.

    Kind regards


  20. 1/13/2007 - 1:30 AM The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    Hello!

    During the login phase, airvpn.exe establishes an SSL/TLS connection with airvpn.org. It seems that your system does not trust the airvpn.org certificate.

    Kind regards
