Everything posted by Staff
-
[SOLVED]Can connect with DD-WRT but will not route
Staff replied to hhall310's topic in General & Suggestions
Hello! We have received this e-mail from one of our customers and we gladly re-publish it here, because we think it may be helpful for anybody running a DD-WRT router behind other routers. The example configuration is with Vega, you can easily change that according to your favorite server and port.

======================================

Hi Guys,

I just thought I'd let you know I figured it all out. The DD-WRT I have is the latest generic openvpn (DD-WRT v24-sp2 (08/07/10) vpn) installed on an old WRT54G v2.0. My ISP's router is a DLink BCM96358 which is pretty locked down. I reset to defaults, turned on syslog, set the VPN settings as per your help page, and used the following startup script (containing what you generated for me) -

    date 032601152012
    sleep 30
    echo "client
    dev tun
    proto tcp
    remote 69.163.36.66 443
    resolv-retry infinite
    nobind
    ca /tmp/openvpncl/ca.crt
    cert /tmp/openvpncl/client.crt
    key /tmp/openvpncl/client.key
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3" > /tmp/openvpncl/myopenvpn.conf
    ( sleep 20 ; killall openvpn ; /usr/sbin/openvpn --config /tmp/openvpncl/myopenvpn.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon ) &

The date is necessary because otherwise the system date is in 1970 and the certs don't work. The other key is the sleep statements. Nothing works if the init processes too fast.

I also had to add a line to the firewall rule too for the wireless to work -

    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

This gives me a VPN behind my DD-WRT and non-VPN behind the ISP router.

Cheers.
-
@allanmills Hello! The error issued by ifconfig is normal, you have no tap interface, our setup uses the tun interface. About the core of your issue, it is likely that since your interface changed from eth0 to wlan0, your script/config may still be using the old interface. There are several articles that can point you in the right direction: https://duckduckgo.com/?q=ping%3A+sendmsg%3A+operation+not+permitted Please do not hesitate to contact us for any further information and support. Kind regards
-
[SOLVED]Can connect with DD-WRT but will not route
Staff replied to hhall310's topic in General & Suggestions
Hello! Can we put [SOLVED] in the thread subject, for future reference? Kind regards
-
Hello! We pick datacenters with PoP directly connected to tier1 and tier2 providers, including, in Europe, the "big 4". We're afraid that if your ISP peering is not good, or your ISP is anyway connected to tier3 providers or worse, there's unfortunately nothing that can be done to improve speed. See also the FAQ for further explanations. Just in case your ISP caps certain ports, make sure you have tested also port 53 TCP, port 80 TCP and port 53 UDP. Kind regards
-
Hello! We once again confirm that CBS is perfectly accessible from Vega and Sirius. Therefore, it remains to be seen what your system is leaking. Please note that to watch CBS with Firefox in Windows, you can't have all plug-ins disabled, because you need Flash. You might monitor your connections with tools like Wireshark to determine if there's a leak of some sort. You can also install Comodo Firewall and block all the outgoing packets not coming from 10.4.0.0->10.4.255.255 IP range to see whether this fixes the issue. See also https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142#1715 Once you are sure that there's no leak from the tunnel, examine carefully the Firefox behaviour. Try different browsers and make sure that the referrer browser string does not contain anything other than English/USA related (you can use the add-on RefControl to do that on Firefox), just in case CBS checks that. Feel free to keep us posted. Kind regards
-
Hello! Thank you for your subscription. Your choice is just fine and your decision to stay away from PPTP is wise. For further considerations about TCP and UDP ports, please see the FAQ: https://airvpn.org/faq For extremely critical data exchange you might like to know how to use AirVPN over TOR: https://airvpn.org/tor Please do not hesitate to contact us for any further information or support. Kind regards
-
Hello! CBS is perfectly accessible both from Vega and Sirius. Perhaps you have a leak from some program that discloses that you are not in the USA to the CBS tests. The usual suspects are the browser and its plugins. If you use Windows, avoid Internet Explorer at all costs. Kind regards
-
[SOLVED]Can connect with DD-WRT but will not route
Staff replied to hhall310's topic in General & Suggestions
Hello! Please connect to your DD-WRT router via Telnet or SSH (http://www.dd-wrt.com/wiki/index.php/SSH) and type the command

    netstat -nr

or

    route -n

Then just copy the output and paste it here. Kind regards
-
Hello! We are aware that blocking outbound port 25 may be annoying, but leaving it open would cause a quick blacklisting of our servers on most spam detectors with severe consequences for us and all our customers. On the other hand, using an SMTP server which accepts TLS/SSL connections (for example on port 465) is a good practice and it's also extremely simple, so it's not really an issue. An e-mail provider that does not offer such connections should not be taken seriously. Please do not hesitate to contact us for any further information. Kind regards
-
[SOLVED]Can connect with DD-WRT but will not route
Staff replied to hhall310's topic in General & Suggestions
Hello! Are you able to ping the 10.x.0.1 IP address (for example, if you connect to port 443 UDP, are you able to ping 10.4.0.1)? Could you please publish the routing table after the connection (delete your real IP address for privacy reasons)? Kind regards -
Hello! This is a bug of the AEC payment processor (a commercial product) that we use to handle account expirations. We have given you back your 6 missing days. We apologize for the inconvenience. Please do not hesitate to contact us for any further information or support. Kind regards
-
Connect virtualbox to the host PC's VPN adapter
Staff replied to saebo's topic in General & Suggestions
Hello! You have various options, for example connecting the guest OS to the TAP-Win32 adapter via bridging and disabling access to all the other network cards. In this way, if the VPN connection is not established (or drops), the guest OS can't communicate with the Internet. VirtualBox, currently one of the best virtualization packages available, will let you do that with a few clicks. Please refer to the manuals of your virtualization software for additional details, and do not hesitate to contact us for any further information. Kind regards -
Hello! Your message has a reply to the e-mail address you specified to receive the answer. Please re-send it if you did not get the reply. [EDIT: please make sure that your e-mail address properly receives e-mails] Kind regards
-
Browser and Google-play and google maps not workin
Staff replied to ricklee's topic in General & Suggestions
Hello! Can you please see this thread, from here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=2&id=970&limit=6&limitstart=12&Itemid=142#1748 ? Try to apply the suggested fix. We're looking forward to hearing from you. Kind regards -
Hello! Thank you for your nice words. We're glad to know that you have managed to have a working and secure setup. If there was a conflict, the message should not have been "syntax error", but something different. Anyway, "block out any"? The rule is "block out all". Kind regards
-
Hello! About the glitch of the red token on UDP ports, we are still investigating. This does not prevent anyway the correct forwarding of UDP packets. The remaining is not a glitch (please see our previous message). Also, it appears from our tests that everything is working properly. Can you please check that listening services are configured to listen to the matching ports and on the correct network interface? Kind regards
-
Hello! This is correct. If you leave the remote port field blank and click Add, the system will pick randomly an available port and remap it to the same local port (if the local port field has been left blank) or to the specified local port. Kind regards
-
Hello!

[EDIT] We're looking into the issue, please stand-by. In the meantime you can try to:
- forward a new port explicitly specifying as "local port" the same number of the forwarded port;
- forward a new port without specifying any local port

[EDIT 2] About the red token, we are now aware that there's the chance that you get a red token (for an UDP port only) even if that port is closed on your router. Techies will work on it too asap.

Kind regards
-
Hello! We're sorry, currently we don't provide step-by-step support for Symantec products. Symantec products are commercial products which offer full customer support, so you might try to have support from their team.

You could:
- replicate the rules suggested for any firewall in the forum (Comodo, PF...) on your Norton Firewall
- switch to Comodo: independent peer-reviews performed with high-standard leak tests show that Comodo Firewall in terms of security is highly superior to Norton Firewall (we underline "firewall"); in severe leak tests Norton Firewall 2012 protection rates as "NONE" (!!!) while Comodo rates as "excellent", see for example http://www.matousec.com/projects/proactive-security-challenge/results.php
- Comodo is not open source but it's freely redistributable, see https://personalfirewall.comodo.com

The only software firewalls for old Windows OS that are not useless (or dangerous) toys are (% shows the percentage of passed leak tests, the higher the better):
- Comodo Internet Security 5.3.176757.1236 (FREE): 100%
- Online Solutions Security Suite 1.5.14905.0: 99%
- Privatefirewall 7.0.25.4 (FREE): 98%
- Outpost Security Suite Free 7.0.4.3418.520.1245.401 (FREE): 97%
- Outpost Security Suite Pro 7.5.1.3791.596.1681: 97%
- BitDefender Internet Security 2011 14.0.30.357: 97%
- Kaspersky Internet Security 2012 12.0.0.374: 93%
- Malware Defender 2.7.3.0002 (FREE): 91%

Norton Internet Security 2012 has 20% (protection "none").

For the most updated "Proactive Security Challenge", see http://www.matousec.com/projects/proactive-security-challenge-64/results.php. This new challenge shows that apart from Comodo (94%), a secure firewall for 64-bit Windows versions does not exist.

Kind regards
-
Hello! No, this is not what you want, the firewall will not block anything without that rule. Replace it with:

    block out from 192.168.0.0/16 to any

PF will block any outgoing packet from 192.168.*.*, except those which match the subsequent "pass out" rules.

If there are no more syntax errors, test the configuration. Activate pf. Now you should lose your Internet connectivity, except toward Lyra. Connect to Air server Lyra entry-IP (62.212.85.65), any port. The connection should succeed thanks to the relevant pass out rule. Now you should have full connectivity. Launch a bittorrent client, share some redistributable content. Let it work for some minutes. Then, disconnect from the VPN. If everything is ok, you should immediately see a total drop of outgoing packets from any application, including the bittorrent client.

Anyway, you should investigate further, because "block out all" is a perfectly legal directive on any pf version.

Kind regards
-
Hello! Locate line 23 to be sure to identify which line is giving syntax error. Also, make sure that after the copy & paste you have not inserted characters which may cause problems to the pf parser, for example CR+LF. Also, each line must be terminated with a CR, including the last line. Refer finally to your pf man page to check whether the syntax of your pf version is slightly different. Kind regards
-
Hello! It looks like geolocalization of those services needs improvements! We have verified that CBS, Hulu, Pandora and Netflix are accessible from Sirius and Vega. Please do not hesitate to contact us for any further information and support. Kind regards
-
Hello! About point one: yes, a simple but not very flexible way would be to run the service before you connect to an Air server. When you connect to the VPN, the service will continue exchanging packets outside the tunnel, but only for already established connections. Thus, if this is a TCP based service the above may be a good solution, otherwise it's probably not. The alternative would be to modify your routing table. By default our VPN servers push routes so that all your traffic will be routed through the encrypted tunnel. After the connection you might modify routes so that traffic for certain IP addresses is routed outside, through your "normal" gateway, bypassing tun interface. Compare your routing tables before and after the connection, and proceed with caution, a mistake may compromise the anonymity layer. About point two: 40 Mbit/s is an awesome result, better (as far as we know) than the average bandwidth offered by most VPN providers in the world. To beat that, you need at least a 100 Mbit/s server exclusively dedicated to you (please note that your 40 Mbit/s imply 80 Mbit/s on the Air server - bw used by the server for a client is the double of the bw used by that client). Actually, we can provide 100 Mbit/s and 1 Gbit/s servers (please note that a dedicated server will not offer the usual AirVPN anonymity layer) but probably you would not beat that speed anyway. Any additional bandwidth allocation guaranteed by us probably would have no effect, because you already enjoy from Air servers an available bandwidth (700-800 Mbit/s) greater than the maximum speed you can reach. Kind regards
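An added example (not part of the original posts) for the advice to compare routing tables before and after the connection: it reads `route -n` output and reports whether all traffic is covered by routes through the tun interface, and which host routes leave outside it. The column layout of `route -n`, the two /1 routes that OpenVPN's `redirect-gateway def1` installs, the interface names `vlan1` and `tun0`, and the placeholder entry IP 203.0.113.10 are assumptions; both sample tables are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts. Sample tables are constructed.

# check_routes TUN_IF : reads `route -n` text on stdin and prints
#   "tunnel" if all destinations are covered by routes through TUN_IF,
#   "direct" otherwise, plus any host routes that leave outside the tunnel.
check_routes() {
    awk -v tun="$1" '
        $1 !~ /^[0-9]/ { next }                  # skip the two header lines
        { dest = $1; mask = $3; ifc = $8 }
        dest == "0.0.0.0"   && mask == "0.0.0.0"   && ifc == tun { dflt = 1 }
        dest == "0.0.0.0"   && mask == "128.0.0.0" && ifc == tun { low = 1 }
        dest == "128.0.0.0" && mask == "128.0.0.0" && ifc == tun { high = 1 }
        mask == "255.255.255.255" && ifc != tun { bypass = bypass " " dest }
        END {
            printf "%s", ((dflt || (low && high)) ? "tunnel" : "direct")
            if (bypass != "") printf " bypass:%s", bypass
            printf "\n"
        }'
}

# Constructed sample: VPN up, two /1 routes override the default gateway.
# 203.0.113.10 stands in for the VPN server entry IP (placeholder).
SAMPLE_CONNECTED='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 vlan1
10.4.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
0.0.0.0         10.4.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.4.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan1'

# Constructed sample: tunnel is up but no pushed routes were installed,
# the "can connect but will not route" situation.
SAMPLE_NOT_ROUTED='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.4.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan1'

printf '%s\n' "$SAMPLE_CONNECTED"  | check_routes tun0
printf '%s\n' "$SAMPLE_NOT_ROUTED" | check_routes tun0
```

On a live system, pipe the real table in with `route -n | check_routes tun0`; the only expected bypass entry is the VPN server's own entry IP, and any other host route listed there is traffic that leaves outside the tunnel.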
-
How to connect to a vpn-ed computer via ssh ?
Staff replied to ky7ax's topic in Troubleshooting and Problems
Hello! The green token shows that your service is reachable when behind the VPN. Let's try to make a step at a time, then. Change the SSH daemon listening port. Set it to a TCP port you have remotely forwarded without local remap. Then connect your server to an AirVPN server. Check that ssh has a bind to the correct network interface: it must listen on the tun interface used by OpenVPN. Finally, make sure to start ssh. If the ssh service was already running, restart it, this is very important. After all that, try to connect to your server with ssh :, from a device NOT connected to the same Air server. We're looking forward to hearing from you. Kind regards -
Hello! What is that 443 in line pass out quick from 192.168.0.0/16 to 62.212.85.65 443? Please delete it. Kind regards