Reputation Activity

  1. Like
    sheivoko reacted to randombit in Prevent Leaks with Linux & Firestarter (also Stop traffic when VPN Drops)   ...
    Some of the newer features of UFW haven't arrived with the version you are
    using. And although the GUI version of UFW is nice the command-line version
    is much more advanced.

    In the following quick tutorial I will try to give
    you some guidance to get a simple setup (hopefully) working. This is only
    for general guidance. Adjust addresses, port numbers and protocols as
    needed. E.g. If your router is on a different IP-address then adjust the
    rule to fit to your needs. Also if you want to connect to a different
    VPN-server use the IP-address of the server you wish to use. The IP numbers
    used here are only as an example.

    Keep in mind that rule ordering is
    important and the first match wins! The rule which is entered first will end
    up higher in the list. At the end I will explain more about this (see point

    1.  Open a terminal window and enter the following commands and adjust them
        to your needs.
        Use su to log in as root if you haven't or place sudo before every command.
        The $ represents the prompt in the terminal.

    2.  Enable UFW.

        $ ufw enable
        This will enable the firewall and now you can add rules.

    3.  Set the default behavior to deny all incoming and outgoing traffic.

        $ ufw default deny out
        $ ufw default deny in
        Now all in- and outgoing traffic will be blocked.

    4.  Add a rule to allow traffic to your router (only if this is needed).

        $ ufw allow out to
        This will allow traffic to the router/internal network which in this
        case is located on If your computer has multiple
        network interfaces you can add the interface which you want to use. E.g.
        $ ufw allow out on eth0 to

        This will allow only connections to the internal network/router on eth0.
        If eth0 is not connected and you use for example the wlan0 connection
        UFW will block the traffic and you will not be able to connect to the
        router/internal network, because only traffic from eth0 is allowed to
        connect to

    5.  Add a rule to allow traffic to on port 443 with UDP
        traffic. This is the AirVPN_CH-Virginis_UDP-443 server.

        $ ufw allow out to port 443 proto udp
        This will allow UDP traffic on port 443 to the Virginis server
        (= This is needed to connect to the VPN-server. You can
        add more than one VPN-server by repeating the above rule and adjust the
        IP-address to the server which you want to add. It is also possible to
        specify different port numbers. Just change the port number to the port
        number which is needed to connect to the VPN server. If the proto udp
        part is omitted then tcp and udp traffic is allowed and if it's changed
        to proto tcp then only tcp traffic is allowed.

    6.  Add a rule to allow in- and outgoing traffic over tun0. This is the
        traffic from and to the VPN-server.

        $ ufw allow out on tun0
        Now it's possible for an application like the browser to connect to
        different sites on the web. All the traffic will go through the vpn

    7.  In the case that you use a bit-torrent client, you will also need to
        allow incoming traffic from the port which is specified by you in the
        bittorrent client (this is the port which is needed to allow peers/seeders
        to connect to the bit-torrent client (NAT)).

        $ ufw allow in on tun0 from any to any port 54321
        This will enable incoming traffic which is coming from different
        IP-addresses (the peers/seeders which want to connect to your client) to
        connect through the VPN-server connection (which is tun0 here). In this case
        port number 54321 is used, adjust it to the correct port number!

    8.  If you now enter:

        $ ufw status verbose
        You will get a numbered list which looks something like this:
            Status: active
            Logging: off
            Default: deny (incoming), deny (outgoing)
            New profiles: skip

            To                         Action      From
            --                         ------      ----
            54321 on tun0              ALLOW IN    Anywhere

             ALLOW OUT   Anywhere
   443          ALLOW OUT   Anywhere
            Anywhere                   ALLOW OUT   Anywhere on tun0
        This shows you which rules are applied and what the status of the
        firewall is. When you enter:
        $ ufw status numbered
        You will get a numbered list. It will look something like this:
            Status: active

                 To                         Action      From
                 --                         ------      ----
            [ 1]           ALLOW OUT   Anywhere (out)
            [ 2] 443          ALLOW OUT   Anywhere (out)
            [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
            [ 4] 54321 on tun0              ALLOW IN    Anywhere
        This is a numbered list. It is important to know that the order of the
        rules is important. If you allow something with rule number 1 which
        allows for example all incoming and outgoing traffic, all the other
        rules which are specified after that will have no effect!

        And as a final notice I will also point to the possibility to delete and
        insert rules. If you enter:
        $ ufw delete 1 # and confirm of course
        Rule number 1 will be deleted and all the other rules which followed
        rule 1 will shift up. In this example the list will look something like
        this (after $ ufw status numbered):
            Status: active

                 To                         Action      From
                 --                         ------      ----
            [ 1] 443          ALLOW OUT   Anywhere (out)
            [ 2] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
            [ 3] 54321 on tun0              ALLOW IN    Anywhere
        And if you want to add a rule on a specific spot it is possible by using
        the insert command. E.g. we want to add a second VPN-server so we can
        choose a different one in the case one is down (could happen you know
        :-)) or if we want options. The command would look like this:
        $ ufw insert 2 allow out to port 443 proto tcp
        # this will add the SG-Sagittarii server
        Now on spot number 2 there is a new rule inserted. The other rules will
        shift down. We can generate a new list:
        $ ufw status numbered
        And the list will look like:
            Status: active

                 To                         Action      From
                 --                         ------      ----
            [ 1] 443          ALLOW OUT   Anywhere (out)
            [ 2] 443/tcp       ALLOW OUT   Anywhere (out)
            [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
            [ 4] 54321 on tun0              ALLOW IN    Anywhere

    This concludes the tutorial. Use it to your benefit and I hope some things
    get a little bit clearer. Make the appropriate changes for your setup and
    expand on it. And again the GUI version is nice, but the command-line
    version is better, it only takes a little bit of time to get used to it.
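    A parameterised shell version of the rule set from the tutorial above, added here as an example and not part of randombit's post. Every address, interface and port is an assumed placeholder (the VPN server address is a documentation-range value); the VPN rule is additionally bound to the LAN interface, and DRY_RUN=1 prints the ufw commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the kill-switch rule
# set from the tutorial in the right order: defaults first, then the narrow
# allow rules. All values below are assumptions; override them via environment.
ROUTER_NET="${ROUTER_NET:-192.168.1.0/24}"   # LAN/router subnet (empty = skip rule)
LAN_IF="${LAN_IF:-eth0}"                      # physical interface carrying the VPN
VPN_IF="${VPN_IF:-tun0}"                      # tunnel interface created by OpenVPN
VPN_SERVERS="${VPN_SERVERS:-203.0.113.10}"    # space-separated server IPs (placeholder)
VPN_PORT="${VPN_PORT:-443}"
VPN_PROTO="${VPN_PROTO:-udp}"
P2P_PORT="${P2P_PORT:-}"                      # optional inbound port on the tunnel
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print commands instead of running

ufw_cmd() {
  if [ "$DRY_RUN" = "1" ]; then printf 'ufw %s\n' "$*"; else ufw "$@"; fi
}

apply_killswitch() {
  # Start from a known state so that rule numbering is predictable.
  ufw_cmd --force reset
  # Default-deny both directions: anything not matched below is dropped,
  # which is what stops traffic when the tunnel goes down.
  ufw_cmd default deny outgoing
  ufw_cmd default deny incoming
  # Router/LAN access only on the physical interface (tutorial step 4).
  if [ -n "$ROUTER_NET" ]; then
    ufw_cmd allow out on "$LAN_IF" to "$ROUTER_NET"
  fi
  # The VPN endpoints themselves, bound to the LAN interface (step 5).
  for srv in $VPN_SERVERS; do
    ufw_cmd allow out on "$LAN_IF" to "$srv" port "$VPN_PORT" proto "$VPN_PROTO"
  done
  # Everything else must leave through the tunnel (step 6).
  ufw_cmd allow out on "$VPN_IF"
  # Inbound peer connections only arrive via the tunnel (step 7).
  if [ -n "$P2P_PORT" ]; then
    ufw_cmd allow in on "$VPN_IF" to any port "$P2P_PORT"
  fi
  ufw_cmd --force enable
}

# Usage: sh killswitch.sh apply   (or DRY_RUN=1 sh killswitch.sh apply)
if [ "${1:-}" = "apply" ]; then
  apply_killswitch
  ufw_cmd status numbered
fi
```

    Run it with DRY_RUN=1 first and compare the printed order against the "first match wins" rule in the tutorial before applying it as root.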
  2. Like
    sheivoko got a reaction from ZPKZ in Is it safe to change X-Forwarded-For?   ...
    X-Forwarded-For is related to HTTP headers and is used by non-anonymous HTTP proxies, this is how it is usually used:


    1. you access a site going through such a proxy

    2. the proxy accesses the site for you, adds X-Forwarded-For (containing your IP address) to the HTTP headers

    3. site reads HTTP header and now knows your IP/location


    I would say you can safely add a fake X-Forwarded-For, regardless of your use of (Air)VPN.

    It will only defeat a small portion of georestriction methods, but if it helps in your specific case, go ahead.

  3. Like
    sheivoko reacted to giganerd in [Deprecated] Using AirVPN with Fritz!Box routers [new link inside]   ...
    In the following I will describe the steps necessary to connect to and route all traffic through AirVPN using modified firmwares for Fritz!Box routers by AVM. AVM is a manufacturer of quite popular (and expensive) routers in German-speaking countries. Unfortunately it has its restrictions - especially on older models there is absolutely no VPN software preinstalled. So how do we solve this problem?
    The solution is called Freetz. Basically it's just a firmware modification kit with which you apply mods and packages to the original firmware. One of those packages is openvpn and this guide shows how to configure it to use with AirVPN.

    Be aware that VoIP won't work properly with AirVPN since you'd need to forward more than 32 ports to make it work without issues.

    1. Read the FAQ.
    2. Read Freetz for beginners.
    3. Read this how-to for an overview of what awaits you.
    All right? Let's go!


    1. Startup linux on VirtualBox. Checkout the recent freetz-trunk using
    svn checkout http://svn.freetz.org/trunk freetz-devel
    This is really important, because recent trunks contain OpenVPN v2.3 which fixes serious routing problems on the Fritz!Box. cd to freetz-devel after completion.
    2. Build your minimal firmware and flash it.
    3. If everything went fine make yourself familiar with the web interface. Then proceed.

    I) In Packages/Packages select OpenVPN with version (2.3.3), SSL library (OpenSSL), Enable Management Console, Optimize for size.
    II) In Packages/Unstable select Iptables (binary only, unstable) and Iptables-CGI 1.1.
    The general Iptables kernel modules and Iptables shared libraries are automatically selected. For full fun consider selecting everything in Select kernel modules (IPv4), Select shared libraries (IPv4) and Select shared libraries (both IPv4 and IPv6).
    III) Now build your firmware and flash it.

    If everything worked fine proceed to the AirVPN config.


    Go to the config generator to generate your configuration files. Choose Router or other, then your preferred server. Check Advanced, your preferred connection mode and then Separate keys/certs from .ovpn file (not necessary, but this one will make it easier to setup the keys/certificates).
    Open every generated file with an editor like Notepad++. The config is only necessary to grab information you need, you are not going to upload it.
    Look into the .ovpn file and set up everything like this:

    Now you have to add the certificates. You can find the menu items I mention in the sidebar.
    Copy the whole content from
    1) user.crt into the box at Box Cert.
    2) ca.crt into the box at CA Cert.
    3) user.key into the box at Private Key.
    4) ta.key into the box at Static Key.

    Now start OpenVPN over the web interface. Your internet connection will drop but you will be able to connect to the Fritz!Box.
    Don't worry. iptables will help you to get the internet connection back.
    You just need to create one simple rule to nat all traffic to tun0. Now the Iptables-CGI comes into play.
    1. Click on Iptables in the sidebar, check Automatic at "start type" and then press the start button.
    2. Go to Editor in the sidebar. Check Add and pick from the drop-down menus:
    Input-Interface: tun0
    NAT: Normal
    Click on Submit.
    Go back to Iptables and press the restart button. Now check at Rules whether iptables-save has saved your rule. It should have been done so. This might look different for you:
    # Generated by iptables-save v1.4.11.1 on Tue Apr 15 23:43:28 2014
    *nat
    :PREROUTING ACCEPT [75:4106]
    :POSTROUTING ACCEPT [27:4097]
    -t nat -o tun0 -j MASQUERADE
    :OUTPUT ACCEPT [10:3229]
    COMMIT
    # Completed on Tue Apr 15 23:43:28 2014
    # Generated by iptables-save v1.4.11.1 on Tue Apr 15 23:43:28 2014
    *filter
    :INPUT ACCEPT [461:31565]
    :FORWARD ACCEPT [45:2332]
    :OUTPUT ACCEPT [457:137328]
    COMMIT
    # Completed on Tue Apr 15 23:43:28 2014
    You're done. The internet connection of all the devices in your network is routed through the tunnel.
    Tested on AVM Fritz!Box Fon WLAN 7141 with firmware 41.04.77, Freetz version: freetz-devel-11941
  4. Like
    sheivoko reacted to Staff in AirVPN Client Source Code   ...
    No, it's closed source (but you are not forced to use it: you can run OpenVPN directly or any OpenVPN wrapper/GUI you wish in order to connect to the Air VPN servers). The next client release, "Eddie", will be free and open source (very probably under GPLv3).
    Kind regards
  5. Like
    sheivoko got a reaction from Staff in How the NSA attacks Tor   ...
    I agree with virtualization being an additional layer of security.
    I disagree with TBB being "highly exploitable". The leaked presentation clearly shows that digging up native FF vulns is a pain in the ass, even for the NSA.
    So, they won't waste such vulns for wide-spread attacks against Joe Blow users. ¹ ³
    Also, VirtualBox is not a security product and it's maintained by Oracle, a commercial vendor with an awful track record wrt code quality and security management. ²
    ¹ Case in point: The FF vuln recently used by FBI for their "Torsploit" was no 0day, it was long patched - which either means they didn't have a better vuln for a more effective exploit - or they didn't want to waste it for this particular attack. 
    ² https://www.whonix.org/wiki/Advanced_Security_Guide#About_VirtualBox
    ³ "The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network. (..) you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice." from: https://blog.torproject.org/blog/yes-we-know-about-guardian-article
  6. Like
    sheivoko got a reaction from Staff in Prevent Leaks with Linux & Firestarter (also Stop traffic when VPN Drops)   ...
    You cannot do application-level rules with ufw. Iptables has an "--uid-owner" option, which isn't application-level either, but you could use it like this:
    - create a user account "p2puser"
    - launch your p2p apps with this new user account
    - deny traffic coming from user id "p2puser" on eth0/wlan0
    - allow all other traffic on eth0/wlan0
    (eth0 / wlan0 as examples for your non-VPN network interfaces). I have not tried this myself, I loathe iptables. Good luck, I hope someone else has a better idea than this
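    The "--uid-owner" approach from the post above, written out as iptables rules as an added example that is not sheivoko's code. It goes slightly beyond the post by allow-listing the tunnel instead of denying eth0/wlan0 one by one, so any other interface is covered too; the user name p2puser, the tunnel interface tun0 and the chain name are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post. Confines everything the
# p2p user sends to the loopback and tunnel interfaces; any other exit is
# logged (for detection) and refused. All values are assumptions.
P2P_USER="${P2P_USER:-p2puser}"
VPN_IF="${VPN_IF:-tun0}"
CHAIN="${CHAIN:-P2P_NOLEAK}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the iptables commands instead of running them

ipt() {
  if [ "$DRY_RUN" = "1" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

apply_owner_rules() {
  # Dedicated chain: packets only reach it when generated by $P2P_USER (see
  # the OUTPUT hook below), so the chain merely decides where that user may send.
  ipt -N "$CHAIN" 2>/dev/null || true       # tolerate an already existing chain
  ipt -F "$CHAIN"
  ipt -A "$CHAIN" -o lo -j RETURN            # local sockets are fine
  ipt -A "$CHAIN" -o "$VPN_IF" -j RETURN     # the tunnel is the only allowed exit
  # Anything else (eth0, wlan0, ...) would bypass the VPN: log it, then refuse it.
  ipt -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "p2p-leak: "
  ipt -A "$CHAIN" -j REJECT --reject-with icmp-admin-prohibited
  # Hook the chain at the top of OUTPUT so earlier ACCEPT rules cannot shadow it.
  # The owner match only exists for locally generated packets (OUTPUT/POSTROUTING).
  ipt -D OUTPUT -m owner --uid-owner "$P2P_USER" -j "$CHAIN" 2>/dev/null || true
  ipt -I OUTPUT 1 -m owner --uid-owner "$P2P_USER" -j "$CHAIN"
}

# Usage (as root): sh p2p-noleak.sh apply; then start the client as that user,
# e.g. sudo -u p2puser <client>. Leaks show up in the kernel log as "p2p-leak:".
if [ "${1:-}" = "apply" ]; then apply_owner_rules; fi
```

    The OpenVPN process itself runs as a different user, so its encrypted packets on eth0/wlan0 are not matched and the tunnel keeps working.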