sheivoko

X-Forwarded-For is related to HTTP headers and is used by non-anonymous HTTP proxies, this is how it is usually used:

 

1. you access a site going through such a proxy

2. the proxy accesses the site for you, adds X-Forwarded-For (containing your IP address) to HTTP header

3. site reads HTTP header and now knows your IP/location

 

I would say you can safely add a fake X-Forwarded-For, regardless of your use of (Air)VPN.

It will only defeat a small portion of georestriction methods, but if it helps in your specific case, go ahead.

DEPRECATED. USE V2:
https://airvpn.org/topic/14233-how-to-openvpn-on-fritzbox-routers/
 
--
 
In the following I will describe the steps necessary to connect to and route all traffic through AirVPN using modified firmwares for Fritz!Box routers by AVM. AVM is a manufacturer of quite popular (and expensive) routers in German-speaking countries. Unfortunately it has it's restrictions - especially on older models there is absolutely no VPN software preinstalled. So how do we solve this problem?
The solution is called Freetz. Basically it's just a firmware modification kit with which you apply mods and packages to the original firmware. One of those packages is openvpn and this guide shows how to configure it to use with AirVPN.

Be aware that VoIP won't work properly with AirVPN since you'd need to forward more than 32 ports to make it work without issues.

1. Read the FAQ.
2. Read Freetz for beginners.
3. Read this how-to for an overview of what expects you.
All right? Let's go!

-- BUILDING THE FILESYSTEM --

1. Startup linux on VirtualBox. Checkout the recent freetz-trunk using
svn checkout http://svn.freetz.org/trunk freetz-develThis is really important, because recent trunks contain OpenVPN v2.3 which fixes serious routing problems on the Fritz!Box. cd to freetz-devel after completion.
2. Build your minimal firmware and flash it.
3. If everything went fine make yourself familiar with the web interface. Then proceed.

I) In Packages/Packages select OpenVPN with version (2.3.3), SSL library (OpenSSL), Enable Management Console, Optimize for size.
II) In Packages/Unstable select Iptables 1.4.11.1 (binary only, unstable) and Iptables-CGI 1.1.
The general Iptables kernel modules and Iptables shared libraries are automatically selected. For full fun consider selecting everything in Select kernel modules (IPv4), Select shared libraries (IPv4) and Select shared libraries (both IPv4 and IPv6).
III) Now build your firmware and flash it.

If everything worked fine proceed to the AirVPN config.

-- OPENVPN CONFIGURATION --

Go to the config generator to generate your configuration files. Choose Router or other, then your preferred server. Check Advanced, your preferred connection mode and then Separate keys/certs from .ovpn file (not necessary, but this one will make it easier to setup the keys/certificates).
Open every generated file with an editor like Notepad++. The config is only necessary to grab information you need, you are not going to upload it.
Look into the .ovpn file and set up everything like this:



Now you have to add the certificates. You can find the menu items I mention in the sidebar.
Copy the whole content from
1) user.crt into the box at Box Cert.
2) ca.crt into the box at CA Cert.
3) user.key into the box at Private Key.
4) ta.key into the box at Static Key.

Now start OpenVPN over the web interface. Your internet connection will drop but you will be able to connect to the Fritz!Box.
 
-- 301: INTERNET MOVED PERMANENTLY --
 
Don't worry. iptables will help you to get the internet connection back.
You just need to create one simple rule to nat all traffic to tun0. Now the Iptables-CGI comes into play.
1. Click on Iptables in the sidebar, check Automatic at "start type" and then press the start button.
2. Go to Editor in the sidebar. Check Add and pick from the drop-down menus:
Chain: POSTROUTING
Input-Interface: tun0
NAT: Normal
Click on Submit.
Go back to Iptables and press the restart button. Now check at Rules whether iptables-save has saved your rule. It should have been done so. This might look different for you:
# Generated by iptables-save v1.4.11.1 on Tue Apr 15 23:43:28 2014 *nat :PREROUTING ACCEPT [75:4106] :POSTROUTING ACCEPT [27:4097] -t nat -o tun0 -j MASQUERADE :OUTPUT ACCEPT [10:3229] COMMIT # Completed on Tue Apr 15 23:43:28 2014 # Generated by iptables-save v1.4.11.1 on Tue Apr 15 23:43:28 2014 *filter :INPUT ACCEPT [461:31565] :FORWARD ACCEPT [45:2332] :OUTPUT ACCEPT [457:137328] COMMIT # Completed on Tue Apr 15 23:43:28 2014 You're done. The internet connection of ​all the devices in your network is routed through the tunnel.
 
Tested on AVM Fritz!Box Fon WLAN 7141 with firmware 41.04.77, Freetz version: freetz-devel-11941

Hello!
 
No, it's closed source (but your are not forced to use it: you can run OpenVPN directly or any OpenVPN wrapper/GUI you wish in order to connect to the Air VPN servers). The next client release, "Eddie", will be free and open source (very probably under GPLv3).
 
Kind regards

I agree with virtualization being an additional layer of security.
I disagree with TBB being "highly exploitable". The leaked presentation clearly shows that digging up native FF vulns is a pain in the ass, even for the NSA.
So, they won't waste such vulns for wide-spread attacks against Joe Blow users. ¹ ³
 
Also, VirtualBox is not a security product and it's maintained by Oracle, a commercial vendor with an awful track record wrt to code quality and security management. ²
 
---
 
¹ Case in point: The FF vuln recently used by FBI for their "Torsploit" was no 0day, it was long patched - which either means they didn't have a better vuln for a more effective exploit - or they didn't want to waste it for this particular attack. 
² https://www.whonix.org/wiki/Advanced_Security_Guide#About_VirtualBox
³ "The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network. (..) you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice." from: https://blog.torproject.org/blog/yes-we-know-about-guardian-article

You cannot do application-level rules with ufw.Iptables has an "--uid-owner" option, which isn't application-level either, but you could use it like this: - create a user account "p2puser"- launch your p2p apps with this new user account - deny traffic coming from user id "p2puser" on eth0/wlan0- allow all other traffic on eth0/wlan0 (eth0 / wlan0 as examples for your non-VPN network interfaces). I have not tried this myself, I loathe iptables. Good luck, I hope someone else has a better idea than this