sheivoko

Some of the newer features of UFW haven't arrived with the version you are
using. And although the GUI version of UFW is nice the command-line version
is much more advanced.

In the following quick tutorial I will try to give
you some guidance to get a simple setup (hopefully) working. This is only
for general guidance. Adjust addresses, port numbers and protocols as
needed. E.g. If your router is on a different IP-address then adjust the
rule to fit to your needs. Also if you want to connect to a different
VPN-server use the IP-address of the server you wish to use. The IP numbers
used here are only as an example.

Keep in mind that rule ordering is
important and the first match wins! The rule which is entered first will end
up higher in the list. At the end I will explain more about this (see point
8).

1.  Open an terminal window and enter the following commands and adjust them
    to your needs.
    Use su to log in as root if you haven't or place sudo before every command.
    the $ represents the prompt in the terminal.

2.  Enable UFW.

    $ ufw enable
    
    This will enable the firewall and now you can add rules.

3.  Set the default behavior to deny all incoming and out going traffic.

    $ ufw default deny out
    $ ufw default deny in
    
    Now all in- and outgoing traffic will be blocked.

4.  Add a rule to allow traffic to your router (only if this is needed).

    $ ufw allow out to 192.168.178.0/24
    
    This will allow traffic to the router/internal network which in this
    case is located on 192.168.178.0/24. If your computer has multiple
    network interfaces you can add the interface which you want to use. E.g.
    
    $ ufw allow out on eth0 to 192.168.178.0/24

    This will allow only connections to the internal network/router on eth0.
    If eth0 is not connected and you use for example the wlan0 connection
    UFW will block the traffic and you will not be able to connect to the
    router/internal network, because only traffic from eth0 is allowed to
    connect to 192.168.178.0/24.

5.  Add a rule to allow traffic to 46.19.137.114 on port 443 with UDP
    traffic. This is the AirVPN_CH-Virginis_UDP-443 server.

    $ ufw allow out to 46.19.137.144 port 443 proto udp
    
    This will allow UDP traffic on port 443 to the Virginis server
    (=46.19.137.144). This is needed to connect to the VPN-server. You can
    add more than one VPN-server by repeating the above rule and adjust the
    IP-address to the server which you want to add. It is also possible to
    specify different port numbers. Just change the port number to the port
    number which is needed to connect to the VPN server. If the proto udp
    part is omitted then tcp and udp traffic is allowed and if it's changed
    to proto tcp then only tcp traffic is allowed.

6.  Add a rule to allow in- and outgoing traffic over tun0. This is the
    traffic from and to the VPN-server.

    $ ufw allow out on tun0
    
    Now it's possible for an application like the browser to connect to
    different sites on the web. All the traffic will go through the vpn
    server.

7.  In the case that you use a bit-torrent client, you will also need to
    allow incoming traffic from the port which is specified by you in the
    bittorrent client (this is the port which is needed to allow peers/seeders
    to connect to the bit-torrent client (NAT).

    $ ufw allow in on tun0 from any to any port 54321
    
    This will enable incoming traffic which is coming from different
    IP-addresses (the peers/seeders which want to connect to your client) to
    connect through the VPN-server connection (which is tun0 here). In this case
    port number 54321 is used, adjust it the correct port number!

8.  If you now enter.

    $ ufw status verbose
    
    You will get a numbered list which something like:
    
        Status: active
        Logging: off
        Default: deny (incoming), deny (outgoing)
        New profiles: skip

        To                         Action      From
        --                         ------      ----
        54321 on tun0              ALLOW IN    Anywhere

        192.168.178.0/24           ALLOW OUT   Anywhere
        46.19.137.114 443          ALLOW OUT   Anywhere
        Anywhere                   ALLOW OUT   Anywhere on tun0
        
    This shows you which rules are applied and what the status of the
    firewall is. When you enter:
    
    $ ufw status numbered
    
    You will get a numbered list. It will look something like this:
    
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 192.168.178.0/24           ALLOW OUT   Anywhere (out)
        [ 2] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 4] 54321 on tun0              ALLOW IN    Anywhere
        
    This is a numbered list. It is important to know that the order of the
    rules is important. If you allow something with rule number 1 which
    allows for example all incoming and outgoing traffic, all the other
    rules which are specified after that will have no effect!

    And as a final notice I will also point to the possibility to delete and
    insert rules. If you enter:
 
    $ ufw delete 1 # and confirm of course
    
    Rule number 1 will be deleted and all the other rules which followed
    rule 1 will shift up in this example the list will look something like
    this (after $ ufw status numbered):
    
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 2] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 3] 54321 on tun0              ALLOW IN    Anywhere
        
    And if you want to add a rule on a specific spot it is possible by using
    the insert command. E.g. we want to add a second VPN-server so we can
    choose a different one in the case one is down (could happen you know
    :-)) or if we want options. The command would look like this;
    
    $ ufw insert 2 allow out to 119.81.1.122 port 443 proto tcp   
    
    # this will add the SG-Sagittarii server
    
    Now on spot number 2 there is a new rule inserted. The other rules will
    shift down. We can generate a new list:
    
    $ ufw status numbered
    
    And the list will look like:
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 2] 119.81.1.122 443/tcp       ALLOW OUT   Anywhere (out)
        [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 4] 54321 on tun0              ALLOW IN    Anywhere

This concludes the tutorial. Use it to you benefit and I hope some things
get a little bit clearer. Make the appropriate changes for you setup and
expand on it. And again the GUI version is nice, but the command-line
version is beter, it only takes a little bit of time to get used to it.
 

X-Forwarded-For is related to HTTP headers and is used by non-anonymous HTTP proxies, this is how it is usually used:

 

1. you access a site going through such a proxy

2. the proxy accesses the site for you, adds X-Forwarded-For (containing your IP address) to HTTP header

3. site reads HTTP header and now knows your IP/location

 

I would say you can safely add a fake X-Forwarded-For, regardless of your use of (Air)VPN.

It will only defeat a small portion of georestriction methods, but if it helps in your specific case, go ahead.

DEPRECATED. USE V2:
https://airvpn.org/topic/14233-how-to-openvpn-on-fritzbox-routers/
 
--
 
In the following I will describe the steps necessary to connect to and route all traffic through AirVPN using modified firmwares for Fritz!Box routers by AVM. AVM is a manufacturer of quite popular (and expensive) routers in German-speaking countries. Unfortunately it has it's restrictions - especially on older models there is absolutely no VPN software preinstalled. So how do we solve this problem?
The solution is called Freetz. Basically it's just a firmware modification kit with which you apply mods and packages to the original firmware. One of those packages is openvpn and this guide shows how to configure it to use with AirVPN.

Be aware that VoIP won't work properly with AirVPN since you'd need to forward more than 32 ports to make it work without issues.

1. Read the FAQ.
2. Read Freetz for beginners.
3. Read this how-to for an overview of what expects you.
All right? Let's go!

-- BUILDING THE FILESYSTEM --

1. Startup linux on VirtualBox. Checkout the recent freetz-trunk using
svn checkout http://svn.freetz.org/trunk freetz-develThis is really important, because recent trunks contain OpenVPN v2.3 which fixes serious routing problems on the Fritz!Box. cd to freetz-devel after completion.
2. Build your minimal firmware and flash it.
3. If everything went fine make yourself familiar with the web interface. Then proceed.

I) In Packages/Packages select OpenVPN with version (2.3.3), SSL library (OpenSSL), Enable Management Console, Optimize for size.
II) In Packages/Unstable select Iptables 1.4.11.1 (binary only, unstable) and Iptables-CGI 1.1.
The general Iptables kernel modules and Iptables shared libraries are automatically selected. For full fun consider selecting everything in Select kernel modules (IPv4), Select shared libraries (IPv4) and Select shared libraries (both IPv4 and IPv6).
III) Now build your firmware and flash it.

If everything worked fine proceed to the AirVPN config.

-- OPENVPN CONFIGURATION --

Go to the config generator to generate your configuration files. Choose Router or other, then your preferred server. Check Advanced, your preferred connection mode and then Separate keys/certs from .ovpn file (not necessary, but this one will make it easier to setup the keys/certificates).
Open every generated file with an editor like Notepad++. The config is only necessary to grab information you need, you are not going to upload it.
Look into the .ovpn file and set up everything like this:



Now you have to add the certificates. You can find the menu items I mention in the sidebar.
Copy the whole content from
1) user.crt into the box at Box Cert.
2) ca.crt into the box at CA Cert.
3) user.key into the box at Private Key.
4) ta.key into the box at Static Key.

Now start OpenVPN over the web interface. Your internet connection will drop but you will be able to connect to the Fritz!Box.
 
-- 301: INTERNET MOVED PERMANENTLY --
 
Don't worry. iptables will help you to get the internet connection back.
You just need to create one simple rule to nat all traffic to tun0. Now the Iptables-CGI comes into play.
1. Click on Iptables in the sidebar, check Automatic at "start type" and then press the start button.
2. Go to Editor in the sidebar. Check Add and pick from the drop-down menus:
Chain: POSTROUTING
Input-Interface: tun0
NAT: Normal
Click on Submit.
Go back to Iptables and press the restart button. Now check at Rules whether iptables-save has saved your rule. It should have been done so. This might look different for you:
# Generated by iptables-save v1.4.11.1 on Tue Apr 15 23:43:28 2014 *nat :PREROUTING ACCEPT [75:4106] :POSTROUTING ACCEPT [27:4097] -t nat -o tun0 -j MASQUERADE :OUTPUT ACCEPT [10:3229] COMMIT # Completed on Tue Apr 15 23:43:28 2014 # Generated by iptables-save v1.4.11.1 on Tue Apr 15 23:43:28 2014 *filter :INPUT ACCEPT [461:31565] :FORWARD ACCEPT [45:2332] :OUTPUT ACCEPT [457:137328] COMMIT # Completed on Tue Apr 15 23:43:28 2014 You're done. The internet connection of ​all the devices in your network is routed through the tunnel.
 
Tested on AVM Fritz!Box Fon WLAN 7141 with firmware 41.04.77, Freetz version: freetz-devel-11941

Hello!
 
No, it's closed source (but your are not forced to use it: you can run OpenVPN directly or any OpenVPN wrapper/GUI you wish in order to connect to the Air VPN servers). The next client release, "Eddie", will be free and open source (very probably under GPLv3).
 
Kind regards

I agree with virtualization being an additional layer of security.
I disagree with TBB being "highly exploitable". The leaked presentation clearly shows that digging up native FF vulns is a pain in the ass, even for the NSA.
So, they won't waste such vulns for wide-spread attacks against Joe Blow users. ¹ ³
 
Also, VirtualBox is not a security product and it's maintained by Oracle, a commercial vendor with an awful track record wrt to code quality and security management. ²
 
---
 
¹ Case in point: The FF vuln recently used by FBI for their "Torsploit" was no 0day, it was long patched - which either means they didn't have a better vuln for a more effective exploit - or they didn't want to waste it for this particular attack. 
² https://www.whonix.org/wiki/Advanced_Security_Guide#About_VirtualBox
³ "The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network. (..) you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice." from: https://blog.torproject.org/blog/yes-we-know-about-guardian-article

You cannot do application-level rules with ufw.Iptables has an "--uid-owner" option, which isn't application-level either, but you could use it like this: - create a user account "p2puser"- launch your p2p apps with this new user account - deny traffic coming from user id "p2puser" on eth0/wlan0- allow all other traffic on eth0/wlan0 (eth0 / wlan0 as examples for your non-VPN network interfaces). I have not tried this myself, I loathe iptables. Good luck, I hope someone else has a better idea than this