sheivoko


Reputation Activity

  1. Like
    sheivoko got a reaction from friendman in *** Tor -> VPN Issues ***   ...
    xer:

    Part 1 of your question: Yes, leave Tor alone. For all recent versions of TBB, the port number is 9150 (and open by default). All you have to do is to make an application, like for example your OpenVPN client, use it.

    Part 2 of your question:

    1) You --> TBB = browsing via Tor

    2) Your application --> TBB's Socks port = your application connects to the world through Tor

    If that application is your OpenVPN client, pointed at Socks port 9150:

    3) You --> VPN (while the VPN is connected through Tor, see 2)!) --> Internet

    Now, your question was, why does TBB not show the VPN IP address?

    Well, because internally, TBB's Firefox uses Socks port 9150 to connect to the Tor process. It's the same procedure as in 2)! So, whatever you do with your VPN configuration - in Tor Browser, you will always see a Tor IP.

    Please ask again if it is still unclear!
  2. Like
    sheivoko reacted to zhang888 in Is the fact that I'm using a vpn (specifically AirVPN) viewable to my ISP? I want it to be hidden!   ...
    OpenVPN by itself has a signature and behavior that is possible to detect using Deep Packet Inspection.
    You can obfuscate the fact that you are using a VPN by using SSL/SSH connection methods.
    But that will not stop a really determined adversary from knowing you are doing it for VPN reasons.

    In case you are routing the majority of your traffic to a specific number of the same IP addresses, the usage of some kind of tunneling is very noticeable.
    If you live in a place where it is really illegal to use a VPN, in terms of physical safety, I suggest you do the research first, before using any kind of VPN.

    Test it in a public place which is not directly linked to you and see that SSL/SSH methods are working correctly.
  3. Like
    sheivoko reacted to Staff in We support OONI   ...
    Hello!

    We're very glad to announce that we support the TorProject Open Observatory of Network Interference:
    https://ooni.torproject.org

    Our support includes, since July 2015 up to June 2016, monetary funding to aid project financial sustainability. See also https://airvpn.org/mission

    Furthermore, we are sponsoring an important OONI event, the Adina15 hackathon, which will be held in Rome on October the 1st and 2nd, 2015.
    https://ooni.torproject.org/event/adina15

    We'll be gladly providing all the awards and prizes to participants and winners of the Adina15 event.

    Members of the AirVPN team will attend the event.

    EDIT 27-SEP-15 - Only today it has been announced that the Adina15 hackathon event has been postponed to an unknown date. https://lists.torproject.org/pipermail/ooni-dev/2015-September/000340.html
    This decision is obviously outside our control (we sponsor the event, we have no role in its organization) and we regret it very much.

    Kind regards and datalove
    AirVPN Staff
  4. Like
    sheivoko got a reaction from Menissalt in From Windows 7 to Linux Problem   ...
    Two steps:
    - Tell the AirVPN client to automatically connect when launched
    - Add the AirVPN client to Mint's "Startup Applications".

    Here's a screenshot detailing all the steps:

    I tried this with Mint 17.1 MATE, but the Cinnamon edition features the same "Startup Applications" tool, afaik.

    Caveat: You still have to enter your sudo/user password every time AirVPN starts.
    If that bothers you, you can edit the "sudoers" file to let you run AirVPN as root without having to enter any password.
    If you're totally new to sudo and its sudoers file, I'd recommend reading Ubuntu's documentation first:
    https://help.ubuntu.com/community/Sudoers
    The paragraph "Shutting Down From The Console Without A Password" describes a similar use case to what we're doing here.
    The only way to edit sudoers is on the command line using:

        sudo visudo

    Add the following line to the very end of that file (replace the word "user" with your own user name):

        user ALL=(ALL) NOPASSWD: /usr/bin/airvpn

    Exit visudo with ctrl-x.

    Go back into Mint's "Startup Applications", edit the AirVPN entry.
    Change its command from

        /usr/bin/airvpn

    to

        sudo /usr/bin/airvpn

    and reboot.
  5. Like
    sheivoko reacted to snapz in Germany: The secret service’s 300-million-euro surveillance plan   ...
    EDRi-gram news. - FYI

    Fiberglass surveillance, scanning of Internet traffic in real time, cracking encryption, hacking computers: Germany's foreign intelligence agency "Bundesnachrichtendienst" (BND) is massively expanding its internet surveillance capabilities.
    https://edri.org/

    Original article published by Andre Meister on Netzpolitik.org:
    https://netzpolitik.org/2015/strategic-initiative-technology-how-bnd-wants-to-ramp-up-its-tech-capabilities-for-300-million-euros/
  6. Like
    sheivoko got a reaction from rei.andrea in [How-To] [OBSOLETE] AirVPN through stunnel on Android   ...
    ATTENTION: This tutorial is out of date, incomplete and deprecated.
    A new and improved version of this tutorial can be found here: https://airvpn.org/topic/24349-how-to-airvpn-via-sslstunnel-on-android-678/

    This thread is only kept online for historical reference.


    Goal and obstacles

    We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. On Android, a few obstacles have to be worked around:

    a. there is no AirVPN Eddie client for Android.
    Solution: We will use OpenVPN and stunnel directly.
    b. there is no stunnel app in any Android appstore.
    Solution: we will download the stunnel Android binary (provided by the stunnel project itself) and run it from the commandline.
    c. Android does not allow us to execute any programs from the sdcard.
    Solution: we will move stunnel to a special location (owned by the Terminal app), which will allow the Terminal app to execute stunnel.
    d. stunnel wants to write to /tmp/, but there's no /tmp/ on Android.
    Solution: we will modify the .ssl config file to change the pidfile location to a writable directory.


    Software Requirements

    - Android 4.0 or newer (device does not have to be rooted)
    - stunnel compiled for Android (FOSS), via project website
    - OpenVPN for Android (FOSS), via F-Droid or Play Store
    - Jack Palevich's Terminal Emulator for Android (FOSS), via F-Droid or Play Store
    - a separate computer to download/edit the necessary config files and binaries (entirely optional, but easier than doing everything on the Android device itself)


    Setup instructions

    1. Generate config files with AirVPN's config generator:
    - choose Linux
    - pick one single server of your choice. I will use Nunki for this tutorial!
    - for Connection Mode, choose SSL Tunnel, port 443 (visible after enabling Advanced Mode)
    - enable Resolved hosts in .ovpn file
    - leave all the other settings at their default values
    - download and unzip the generated zip file
    - this should result in an AirVPN folder, containing three files

    2. Open the ssl config file (AirVPN_GB-Manchester_Nunki_SSL-443.ssl) in a text editor.

    Find the line:

        pid = /tmp/stunnel4.pid

    Change it to:

        pid = /data/data/jackpal.androidterm/app_HOME/stunnel4.pid

    Save and close the file.

    3. In a text editor, create a new file with the following contents:

        #!/system/bin/sh
        cd /data/data/jackpal.androidterm/app_HOME
        ./stunnel AirVPN_GB-Manchester_Nunki_SSL-443.ssl

    Save it to a file named nunki (no file extension).
    Put the file into the AirVPN folder, next to our other config files.

    4. Download and unzip stunnel for Android from the stunnel website (stunnel-X.XX-android.zip)

    Put the stunnel file (only the file, not the folder) into the AirVPN folder.

    5. Make sure your AirVPN folder now contains the following files:

        AirVPN_GB-Manchester_Nunki_SSL-443.ovpn
        AirVPN_GB-Manchester_Nunki_SSL-443.ssl
        nunki
        stunnel
        stunnel.crt

    6. Copy the whole AirVPN folder to your Android's SD card.

    The path should be:

        /sdcard/AirVPN/

    7. Install OpenVPN for Android via F-Droid or Play Store and import the .ovpn config file located at

        /sdcard/AirVPN/AirVPN_GB-Manchester_Nunki_SSL-443.ovpn

    Don't try to connect just yet.

    8. Install Terminal Emulator for Android, via F-Droid or Play Store

    9. Open Terminal Emulator and successively run the following commands:

        cd

    The simple cd command should take you to the app's home directory (/data/data/jackpal.androidterm/app_HOME).
    This is where we need to put our config files and the stunnel binary. Let's move them over by running:

        mv /sdcard/AirVPN/* .

    It's important to type every character correctly (commandline is case sensitive); the "*" is a wildcard expanding to all files in the AirVPN folder, and the "." is a placeholder for the current directory /data/data/jackpal.androidterm/app_HOME. Typing commands on Android is a big pain, so I try to keep them as short as possible!

    Finally, we need to modify permissions for the binary and the script, allowing us to execute them:

        chmod 555 stunnel nunki

    We should be ready to go!


    Usage instructions

    I. Open Terminal Emulator and run the following two commands:

        cd
        ./nunki

    A log message should appear: Configuration successful
    Great! Keep the Terminal app running, but use the Home button to get out.

    II. Open OpenVPN for Android and connect to the profile AirVPN_GB_Manchester_Nunki_SSL-443
    Unless something went wrong, you should get Initialization Sequence Completed - great!
    I recommend performing the usual leak tests and perhaps diving into OpenVPN's profile settings before relying on your configuration to work as you expect it to.

    III. To disconnect:
    - Disconnect VPN in OpenVPN
    - open Terminal Emulator, press VOLUME_DOWN + C to kill stunnel
    - press the X button to close the terminal session

    IV. If stunnel isn't shut down properly, you may see an error if you try to run stunnel again:

        [!] Error binding service [openvpn] to 127.0.0.1:1413
        [!] bind: Address already in use (98)
        [ ] Closing service [openvpn]
        [ ] Service [openvpn] closed

    This means stunnel is still running in the background. You can kill it by running:

        killall stunnel


    Footnotes

    I successfully followed my own tutorial using:
    - CyanogenMod 12.1 nightly (≈ Android 5.1)
    - stunnel 5.23
    - OpenVPN for Android 0.6.35 (F-Droid)
    - Terminal Emulator 1.0.70 (F-Droid)
    Testers welcome, especially if you're using different Android and software versions.

    Credits:
    Kevin Boone for the clever binary execution workaround.
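    A hardened variant of the three-line nunki wrapper from step 3, added here as an example and not part of sheivoko's tutorial: before launching stunnel it reads the pid line the tutorial edits in step 2, verifies that its directory is writable (obstacle d), and checks whether the pidfile points at a still-running stunnel, so the "Address already in use" case from section IV is reported before the bind fails and a pidfile left over from a reboot is cleaned up. It assumes the tutorial's paths and file names; the function and variable names are my own.

```sh
#!/system/bin/sh
# Added example, not part of the original tutorial: a replacement for the
# "nunki" script that checks for a running or stale stunnel before starting.
# Paths and file names are the ones the tutorial uses; override via env if needed.

STUNNEL_HOME="${STUNNEL_HOME:-/data/data/jackpal.androidterm/app_HOME}"
SSL_CONF="${SSL_CONF:-AirVPN_GB-Manchester_Nunki_SSL-443.ssl}"

# conf_pid_path CONF: print the path from the "pid = ..." line of an stunnel
# config (the line step 2 edits). Returns 1 if the config has no pid line.
conf_pid_path() {
    conf="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            pid*=*)
                # drop everything up to "=", then let word splitting trim spaces
                set -- ${line#*=}
                echo "$1"
                return 0
                ;;
        esac
    done < "$conf"
    return 1
}

# pid_dir_writable CONF: succeed only if the pidfile's directory is writable,
# i.e. step 2 was applied (there is no /tmp on Android, see obstacle d).
pid_dir_writable() {
    path=$(conf_pid_path "$1") || return 1
    [ -w "${path%/*}" ]
}

# pidfile_state PIDFILE: print "none", "stale" or "running".
# "running" means the PID in the file still answers to kill -0; the Terminal
# app and stunnel share one uid, so a permission error cannot mask a live process.
pidfile_state() {
    pidfile="$1"
    if [ ! -f "$pidfile" ]; then
        echo none
        return 0
    fi
    read -r pid < "$pidfile" || pid=""
    case "$pid" in
        ''|*[!0-9]*) echo stale; return 0 ;;   # empty or garbage contents
    esac
    if kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# start_stunnel: the tutorial's "cd ...; ./stunnel CONF", guarded by the checks above.
start_stunnel() {
    cd "$STUNNEL_HOME" || return 1
    pid_dir_writable "$SSL_CONF" || {
        echo "pid path in $SSL_CONF is not writable; apply step 2 of the tutorial" >&2
        return 1
    }
    pidfile=$(conf_pid_path "$SSL_CONF")
    case "$(pidfile_state "$pidfile")" in
        running)
            # this is the situation behind "bind: Address already in use" in section IV
            echo "stunnel is still running (pid $(cat "$pidfile")); run: killall stunnel" >&2
            return 2
            ;;
        stale)
            echo "removing stale pidfile $pidfile" >&2
            rm -f "$pidfile"
            ;;
    esac
    ./stunnel "$SSL_CONF"
}

# Only launch when the stunnel binary is actually in place (i.e. on the device).
if [ -x "$STUNNEL_HOME/stunnel" ]; then
    start_stunnel
fi
```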
  8. Like
    sheivoko got a reaction from Zaroad in Unable to access VPN from public wifi.   ...
    Tutorial now available!
  9. Like
    sheivoko got a reaction from Zaroad in Unable to access VPN from public wifi.   ...
    I think there are two scenarios here:

    1. the AP blocks on a protocol basis (anything other than HTTP/TLS/DNS on 80/443/53)
    2. the AP blocks AirVPN entry IPs. This is certainly possible, but somewhat unlikely IMHO

    Unless #2 is the case, you should be able to use OpenVPN over SSL. Are you able to do so on platforms other than Android?
    I have successfully tinkered with stunnel on Android: it's a bit fiddly to set up but definitely doable. I'll provide a tutorial soon (later this day or tomorrow). edit: see below
  10. Like
    sheivoko reacted to zhang888 in More CIS Servers pretty please   ...
    For Russia - RETN.net, Anders.ru is a good choice, they are not censored by RosKomNadzor (the Russian version of the GFW). Other providers with a dedicated 1gbps port are hard to find.
    Ukraine - there is already a server
    Belarus - every provider includes around 20-30Gb of traffic - the rest will be billed as extra 1$/GB. Buyers need to provide ID number and copy.
    Azerbaijan - same as Belarus + operating a VPN service can get you into real trouble with the local law. No one will risk that.
    Kazakhstan - pretty much a monopoly operated by KAZTELECOM. VPNs and censorship bypass services are not allowed.
    Kyrgyzstan - only 2 ISPs, payment is in a local currency, constant country-wide power outages. No foreign customers are welcome.
    Armenia, Tajikistan, Uzbekistan and Turkmenistan - You won't find any offers there even on exoticvps.com
    Georgia - same as Kyrgyzstan, local presence required.
    Those providers don't even want foreigners on their network.

    The only exception in this list is Moldova, with a good selection of ISPs and relatively cheap bandwidth.
    But that will overlap with 2 already existing Romanian servers that are barely used and I think would be redundant, if not useless.
  11. Like
    sheivoko reacted to Staff in Accessing Transmission Web Interface through AirVPN   ...
    Hello!

    That's very true, thanks for the clarification.

    Kind regards

    Disclaimer: DynDns is a registered trademark by Dynamic Network Services, Inc. AirVPN does not use anywhere in its service, web site, forums and support tickets the term "DynDns" to indicate or describe AirVPN DDNS.
  12. Like
    sheivoko reacted to zhang888 in Server in Belgium (or Routing)   ...
    Such companies are not qualified, those are "Netflix VPNs" and not privacy oriented VPNs.
    This is the list of the real VPN providers with dedicated hardware in most cases:
    https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/

    Btw, the provider you linked uses the VPS I mentioned above as the Belgian node.
    Using a ~10Euro shared 100Mbit port and calling it a VPN node is an amateur approach, or a fraud against the customers if it's done deliberately. Those nodes are only good for geo-routing.
  13. Like
    sheivoko got a reaction from spinmaster in Using AirVPN with Tor   ...
    This graphic for "Using AirVPN with Tor" describes the following situation:
    - you run a Tor client - let's say via Tor Browser. Tor will be listening on local port 9150
    - you want to use AirVPN through Tor (meaning your traffic first goes through Tor, then exits through AirVPN). To achieve that, you configure AirVPN to use Tor via port 9150.
    Now the question is, what happens if some application connects to the internet? What "path" does the connection take?
    That's the question the "arrows" try to answer.

    "Does App use Tor directly" simply means: Has the app been configured to proxy through local port 9150?

    Example A: Chromium browser. Does this app use Tor directly? No, that browser is not configured to use any proxies.
    So, we have to follow the "No" arrow: Any of Chromium's connections will use the AirVPN connection, which in turn is tunneled through Tor. That's why that path is annotated "ENCRYPTED by VPN & Tor".

    Example B: Tor Browser. Does this app use Tor directly? Yes, it does, because it's configured to use SOCKS5 proxy 127.0.0.1:9150. Local connections won't get tunneled through the VPN, which is why the arrow is annotated "(only) ENCRYPTED by Tor".

    All this really means is: If you tunnel AirVPN through Tor Browser's Tor client, but then use that Tor Browser to browse the web, your request will still only go through Tor, but not through the VPN.

    This would be my example A: If you tunnel AirVPN through Tor, most applications would make their connections through AirVPN, without knowing anything about AirVPN being tunneled through Tor first - thus, they would be using Tor indirectly.

    Not at all. You can hook up Tor and AirVPN in both directions; either tunneling AirVPN through Tor or tunneling Tor through AirVPN.
    There's just that little "gotcha" that you can't tunnel AirVPN through Tor Browser and then expect your browsing in Tor Browser to also go through AirVPN.

    This does not apply at all if you connect to AirVPN directly and then use Tor Browser on top (tunneling Tor through AirVPN).
    Slightly off-topic but I'd claim that it usually makes more sense to tunnel Tor through AirVPN instead of the other way 'round, but that's entirely up to you.
  15. Like
    sheivoko reacted to Staff in Tor and vpn   ...
    @sheivoko

    Adding a "Con" to VPN over Tor: all the system traffic will flow indefinitely on the same Tor circuit (for an important reason Tor does not change circuit for the same TCP stream - incidentally it is this feature that makes OpenVPN over Tor a viable option).

    Kind regards
  16. Like
    sheivoko got a reaction from rei.andrea in [How-To] [OBSOLETE] AirVPN through stunnel on Android   ...
    ATTENTION: This tutorial is out of date, incomplete and deprecated. 
    A new and improved version of this tutorial can be found here: https://airvpn.org/topic/24349-how-to-airvpn-via-sslstunnel-on-android-678/
     
     
    This thread is only kept online for historical reference.
     
     
     
     
     


    Goal and obstacles

    We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. On Android, a few obstacles have to be worked around:

    a. there is no AirVPN Eddie client for Android.
    Solution: We will use OpenVPN and stunnel directly.
    b. there is no stunnel app in any Android appstore.
    Solution: we will download the stunnel Android binary (provided by the stunnel project itself) and run it from the commandline.
    c. Android does not allow us to execute any programs from the sdcard.
    Solution: we will move stunnel to a special location (owned by the Terminal app), which will allow the Terminal app to execute stunnel.
    d. stunnel wants to write to /tmp/, but there's no /tmp/ on Android.
    Solution: we will modify the .ssl config file to change the pidfile location to a writable directory.





    Software RequirementsAndroid 4.0 or newer (device does not have to be rooted) stunnel compiled for Android (FOSS), via project website OpenVPN for Android (FOSS), via F-Droid or Play Store Jack Palevich's Terminal Emulator for Android (FOSS), via F-Droid or Play Store a separate computer to download/edit the necessary config files and binaries (entirely optional, but easier than doing everything on the Android device itself)



    Setup instructions

    1. Generate config files with AirVPN's config generatorchoose Linux pick one single server of your choice. I will use Nunki for this tutorial! for Connection Mode, choose SSL Tunnel, port 443 (visible after enabling Advanced Mode) enable Resolved hosts in .ovpn file leave all the other settings at their default values download and unzip the generated zip file this should result in an AirVPN folder, containing three files 2. Open the ssl config file (AirVPN_GB-Manchester_Nunki_SSL-443.ssl) in a text editor.

    Find the line:
    pid = /tmp/stunnel4.pidChange it to:
    pid = /data/data/jackpal.androidterm/app_HOME/stunnel4.pidSave and close the file.
     
    3. In a text editor, create a new file with the following contents:
    #!/system/bin/shcd /data/data/jackpal.androidterm/app_HOME./stunnel AirVPN_GB-Manchester_Nunki_SSL-443.sslSave it to a file named nunki (no file extension).
    Put the file into the AirVPN folder, next to our other config files.


    4. Download and unzip stunnel for Android from the stunnel website (stunnel-X.XX-android.zip)

    Put the stunnel file (only the file, not the folder) into the AirVPN folder.


    5. Make sure your AirVPN folder now contains the following files:
    AirVPN_GB-Manchester_Nunki_SSL-443.ovpnAirVPN_GB-Manchester_Nunki_SSL-443.sslnunkistunnelstunnel.crt6. Copy the whole AirVPN folder to your Android's SD card.

    The path should be:

        /sdcard/AirVPN/

    7. Install OpenVPN for Android via F-Droid or Play Store and import the .ovpn config file located at

        /sdcard/AirVPN/AirVPN_GB-Manchester_Nunki_SSL-443.ovpn

    Don't try to connect just yet.


    8. Install Terminal Emulator for Android, via F-Droid or Play Store


    9. Open Terminal Emulator and successively run the following commands:

        cd

    The simple cd command should take you to the app's home directory (/data/data/jackpal.androidterm/app_HOME).
    This is where we need to put our config files and the stunnel binary. Let's move them over by running:

        mv /sdcard/AirVPN/* .

    It's important to type every character correctly (the command line is case sensitive); the "*" is a wildcard expanding to all files in the AirVPN folder, and the "." is a placeholder for the current directory /data/data/jackpal.androidterm/app_HOME. Typing commands on Android is a big pain, so I try to keep them as short as possible!

    Finally, we need to modify permissions for the binary and the script, allowing us to execute them:

        chmod 555 stunnel nunki

    We should be ready to go!





    Usage instructions

    I. Open Terminal Emulator and run the following two commands:

        cd
        ./nunki

    A log message should appear: Configuration successful
    Great! Keep the Terminal app running, but use the Home button to get out.

    II. Open OpenVPN for Android and connect to the profile AirVPN_GB_Manchester_Nunki_SSL-443
    Unless something went wrong, you should get Initialization Sequence Completed - great!
    I recommend performing the usual leak tests and perhaps diving into OpenVPN's profile settings before relying on your configuration to work as you expect it to.


    III. To disconnect:

    - Disconnect VPN in OpenVPN
    - open Terminal Emulator, press VOLUME_DOWN + C to kill stunnel
    - press the X button to close the terminal session

    IV. If stunnel isn't shut down properly, you may see an error if you try to run stunnel again:

        [!] Error binding service [openvpn] to 127.0.0.1:1413
        [!] bind: Address already in use (98)
        [ ] Closing service [openvpn]
        [ ] Service [openvpn] closed

    This means stunnel is still running in the background. You can kill it by running:

        killall stunnel




    Footnotes

    I successfully followed my own tutorial using:

    - CyanogenMod 12.1 nightly (≈ Android 5.1)
    - stunnel 5.23
    - OpenVPN for Android 0.6.35 (F-Droid)
    - Terminal Emulator 1.0.70 (F-Droid)

    Testers welcome, especially if you're using different Android and software versions.

    Credits:
    Kevin Boone for the clever binary execution workaround.
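    As an added example (not part of the post above, and not the project's own tooling), the following POSIX shell script performs steps 2, 3 and 5 of the tutorial on the unzipped AirVPN folder on the desktop side, before the folder is copied to /sdcard/AirVPN/. It assumes the folder path and the launcher name ("nunki" in the post) are passed as arguments; prepare_airvpn_folder is this example's own name.

```shell
#!/bin/sh
# Added example, not part of the original post: performs steps 2, 3 and 5 of the
# tutorial on the unzipped AirVPN folder (desktop side, before copying to /sdcard).
# Assumed arguments: $1 = path to the AirVPN folder, $2 = launcher name ("nunki" in the post).
set -eu

# Terminal Emulator's home directory on the device, as used in the post.
TERM_HOME=/data/data/jackpal.androidterm/app_HOME

# prepare_airvpn_folder DIR LAUNCHER
# Rewrites the pid line of the .ssl config, writes the launcher script next to it and
# checks that the five files listed in step 5 are present. Returns 1 on any problem.
prepare_airvpn_folder() {
    dir=$1
    launcher=$2
    ssl=$(ls "$dir"/*.ssl 2>/dev/null | head -n 1)    # the single SSL-443 config file
    if [ -z "$ssl" ]; then
        echo "no .ssl config found in $dir" >&2
        return 1
    fi
    sslname=${ssl##*/}

    # Step 2: there is no /tmp on Android, so point the pidfile at the writable app home.
    sed -i.bak "s#^pid = /tmp/stunnel4.pid#pid = $TERM_HOME/stunnel4.pid#" "$ssl"
    rm -f "$ssl.bak"

    # Step 3: launcher script; it must cd into the app home because stunnel is started
    # with a relative path from there (see step 9 of the post).
    printf '#!/system/bin/sh\ncd %s\n./stunnel %s\n' "$TERM_HOME" "$sslname" > "$dir/$launcher"

    # Step 5: every file the tutorial expects in the folder must exist now.
    for f in "${sslname%.ssl}.ovpn" "$sslname" "$launcher" stunnel stunnel.crt; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing file: $f (did you add the stunnel binary and stunnel.crt?)" >&2
            return 1
        fi
    done
    echo "folder $dir is ready to copy to /sdcard/AirVPN/"
}

# Stand-alone use: ./prepare.sh ./AirVPN nunki
if [ $# -eq 2 ]; then
    prepare_airvpn_folder "$1" "$2"
fi
```

    The chmod from step 9 still has to be run on the device, since file modes do not survive the copy to the SD card.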
  17. Like
    sheivoko got a reaction from ZPKZ in Accessing Transmission Web Interface through AirVPN   ...
    The 10.x.x.x address you see in the client area is in fact your VPN-internal IP, assigned to you by the VPN server - much like your home router assigns you your internal LAN IP address.
    Before we get into AirVPN port forwarding, let's consider this example to better understand how port forwarding works in general:
     
    - your router has an internal IP 192.168.1.1 (internal means it's only reachable from within your LAN)
    - your router has an external IP 234.123.111.222 (assigned by your ISP. external means it's reachable from the internet)
    - your PC has an internal IP 192.168.1.43
    - there's an application running on your PC, it's listening on port 27364, on all available IPs (192.168.1.43)

    If you want to access this application from the internet:

    - your router will have to accept incoming connections on port 27364 on its external IP
    - your router will have to forward those connections to internal IP 192.168.1.43, port 27364
    - your PC will have to accept incoming connections on port 27364 on its internal IP

    If these conditions are met, you can access 234.123.111.222:27364 from anywhere in the world and be forwarded to your PC at port 27364.
     
    Now let's try to do that through AirVPN:
    - the AirVPN server has an external IP 123.234.123.123 (reachable from the internet)
    - your PC has an internal IP 192.168.1.43 (only reachable from within your LAN)
    - your PC has an internal VPN IP 10.x.x.x (only reachable from within the VPN, or more specifically, by you and by the AirVPN server)
    - there's an application running on your PC, it's listening on port 27364, on all available IPs (both 192.168.1.43 and 10.x.x.x)

    If you want to access this application from the internet:

    1. AirVPN's server will have to accept incoming connections on port 27364 on its external IP
    2. AirVPN's server will have to forward those connections to your internal VPN IP 10.x.x.x, port 27364
    3. your PC will have to accept incoming connections on that IP/port

    Step 3 is taken care of by configuring your PC's firewall accordingly, whereas both step 1 and step 2 are taken care of by using AirVPN's forwarding in the client area.
     
    It's very important to keep in mind: Do not ever open/forward any ports on your router if you're forwarding through AirVPN. It's not at all necessary and might potentially leak your IP through correlation attacks.
     
     
     
    Unless you also forward the same ports in your router, there shouldn't be any IP leakage concerns when forwarding ports through AirVPN.
    That said, opening a port to the internet - with or without a VPN - is only as safe as the application that's listening on that port.
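    As an added example (not part of the post above), a check for the third condition: the application must actually be bound on the VPN-internal address, not only on the LAN address. The function parses `ss -ltn` output and classifies how the port is bound; the ss lines, the VPN IP 10.4.0.6 and the name listen_scope are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: classify how a port is bound,
# from the output of `ss -ltn`, to confirm the app will accept forwarded
# connections on the VPN-internal IP. Sample data below is constructed.
set -eu

# listen_scope PORT VPN_IP   (reads `ss -ltn` output on stdin)
# Prints one of:
#   all      bound to the wildcard address, so the VPN IP is covered
#   vpn      bound specifically to the VPN IP
#   lan-only bound only to other addresses (forwarded traffic would be refused)
#   closed   nothing listens on that port
listen_scope() {
    awk -v port="$1" -v vpnip="$2" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            p = parts[n]                                   # port follows the last colon
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p != port) next
            # [::] is the IPv6 wildcard; with the usual dual-stack default it
            # also accepts IPv4, so it is treated as "all" here.
            if (host == "0.0.0.0" || host == "*" || host == "[::]") all = 1
            else if (host == vpnip) vpn = 1
            else other = 1
        }
        END {
            if (all) print "all"
            else if (vpn) print "vpn"
            else if (other) print "lan-only"
            else print "closed"
        }'
}

# Constructed sample: the app from the post (port 27364) is bound only to the
# LAN address 192.168.1.43, which is exactly the misconfiguration to catch.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    192.168.1.43:27364   0.0.0.0:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      4096   [::1]:631            [::]:*'

# Real use: ss -ltn | listen_scope 27364 10.4.0.6
printf '%s\n' "$SAMPLE_SS" | listen_scope 27364 10.4.0.6   # prints: lan-only
```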
  18. Like
    sheivoko got a reaction from rei.andrea in [How-To] [OBSOLETE] AirVPN through stunnel on Android   ...
    ATTENTION: This tutorial is out of date, incomplete and deprecated. 
    A new and improved version of this tutorial can be found here: https://airvpn.org/topic/24349-how-to-airvpn-via-sslstunnel-on-android-678/
     
     
    This thread is only kept online for historical reference.
     
     
     
     
     


    Goal and obstacles

    We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. On Android, a few obstacles have to be worked around:

    a. there is no AirVPN Eddie client for Android.
    Solution: We will use OpenVPN and stunnel directly.
    b. there is no stunnel app in any Android appstore.
    Solution: we will download the stunnel Android binary (provided by the stunnel project itself) and run it from the commandline.
    c. Android does not allow us to execute any programs from the sdcard.
    Solution: we will move stunnel to a special location (owned by the Terminal app), which will allow the Terminal app to execute stunnel.
    d. stunnel wants to write to /tmp/, but there's no /tmp/ on Android.
    Solution: we will modify the .ssl config file to change the pidfile location to a writable directory.





  19. Like
    sheivoko got a reaction from zhang888 in A Question Of Privacy (Threefold)   ...
    Answering your questions in reverse order:
     
     
    It's a bit of both. Let's say you want to access your home server from the internet: You configure your server to listen for incoming connections on some port. But, by default, most routers will not accept incoming connections on any port. Opening a port refers to adding an exception to the router's firewall, allowing incoming connections on a specific port. But, the router will also need to forward connections to the actual recipient - your home server. Then, it's possible to contact YOUR_ROUTER'S_EXTERNAL_IP:open_port, and your router will forward the incoming connection to YOUR_HOMESERVER'S_INTERNAL_IP:open_port.
     
    If we take that example and apply it to AirVPN forwarding: By forwarding a port in AirVPN's web interface, you open that port in AirVPN's firewall (on the AirVPN exit server) and also forward it to your VPN-internal IP.
     
     
     
    People forward ports to be reachable from the outside - some want their P2P application to perform better, others might want to access their NAS from the internet. In any case, doing so over a VPN will improve your privacy - it is preferable to run a P2P application on a VPN port rather than directly on your home connection. If you have a good reason to be reachable from the outside, I don't see why you should stop port forwarding altogether.

    However, there are security implications: The internet gets port-scanned around the clock. Whether you accept incoming connections on your home connection (router) or on your VPN connection does not make a difference - in both cases, the port will be exposed to the internet and thus discovered pretty much immediately. As a consequence, you want to make sure that you don't use weak authentication (bruteforceable passwords) on any ports exposed to the internet. For example, if you expose a local SSH server to the internet, you probably want to disable password authentication in favor of public key authentication.
     
    Another worry would be "remote code execution" vulnerabilities. This basically means that a piece of software exposed to the internet may react unexpectedly to malformed (malicious) input, potentially causing information leakage or even full system compromise. For this reason, it's usually considered good practice to physically separate "sensitive" machines from machines that are reachable from the internet.
    For example, a bank would (so I hope) not run their webserver on the same machine that controls the security cameras or the vault's locks, knowing that their webserver might get compromised. In the same vein, you probably want to avoid exposing to the internet some outdated, vulnerable WordPress installation on a machine that also holds your private photos.
     
     
     
    Your particular example doesn't warrant any true concern. Using VPNs means using a shared connection, which helps to prevent personal attribution or correlation. In all actuality, it is much more complicated, depending on how malicious your VPN provider is, who your adversary is and what parts of the internet they have access to.
    In a similar vein, using a VPN for privacy reasons doesn't magically eradicate tracking - for example, Facebook doesn't care whether you use a VPN, they will happily track you regardless, so you still have to prevent that by practicing good browsing hygiene.
  20. Like
    sheivoko reacted to zhang888 in A Question Of Privacy (Threefold)   ...
    Sheivoko's answers are almost like a Wiki page. And I thought I was the one with the full details
     
    I would like to take this question to a deeper, theoretical level in order to help you to understand your threat model better.
     
    Your question is lacking a very important moment - who is the adversary you are afraid of correlating your email and torrent activity?
    If that's your ISP, you are probably fine. If that's your government, you are probably not. But the good news here is that the government agencies that have access to such correlation data never care about copyrights and DMCA. I can't explain it (you will have to read about it) but the best example I can come up with is that no one will bring a SWAT team on you for stealing a bubble gum in your local store.
     
    Correlation is mostly done today in conjunction with products. It's not that the companies want to track you just for the sake of tracking, they just want to keep their business models and reports, and to sell you their junk according to your personal profile.
     
     
    Your only actual threat here would be:
    Using the same email provider AND the same ISP at the same time.
    Let's take AT&T as an example. If you both torrent and access webmail from the same AirVPN IP, there is a good chance they can correlate it back to you and send you those DMCA notices. But probably nothing more serious than this.
     
    Regards.
  23. Like
    sheivoko reacted to rainmakerraw in Which small linux OS for AirVPN?   ...
    It's more about the desktop environment than the actual distro, really. For something fast and light in a VM I'd use Sparky Linux. It's based on Debian Testing so you have fairly up to date packages, it's light and lean, and fast. Sparky with the MATE desktop environment uses about 150MB of RAM on boot in a VM. When you say you need a small distro because you'll run several, bear in mind that virtualisation software will be pretty smart about RAM handling these days. If you load four versions of the same OS at once, the VM software will only load one set of the shared components into RAM, and then allow all four machines to access it.
  24. Like
    sheivoko got a reaction from go558a83nk in Unusual Probing on Forwarded Port   ...
    With a fast internet connection and tools like Masscan, it only takes anywhere from a few minutes to a few hours to scan the entire internet for open ports.

    This means that you can expect every port that's open to the internet to see some unexpected traffic rather sooner than later. That, in itself, is nothing to worry about unless you're running vulnerable services or weak authentication.
    You might have picked a port especially interesting to some scanners, which may explain why you haven't seen such activity on your other ports (yet).

    The connection attempt you saw is not related to APNIC, they are just the registry for that block of IPs.
    Here's the actual whois info for your IP:

    netname: UNICOM-BJ
    descr: China Unicom Beijing province network

    Some trivia: Besides the private bulletin board on port 443 (~ 20.000 registered users), the Linux server at IP 221.220.155.170 runs a number of other services: SSH, FTP, VNC, Telnet, and a Synology web interface. Looks like someone's personal server to me, or perhaps a server shared by a number of people. The FTP server greets you with a somewhat amusing message:
    220 PLS DISCONNECT IF U HAVE NO IDEA WHERE U R AT!
     
  25. Like
    sheivoko got a reaction from rickjames in FirewallD killswitch   ...
    Somewhat comparable to ufw, firewalld is just an interface to iptables. It allows for convenient higher-level rule constructs ("rich rules" and zones) but also allows direct iptables manipulation (so called "direct rules"). The actual rule syntax for direct rules is virtually identical to iptables.

    There are two ways to manage firewalld - graphically (firewall-config) or on the commandline (firewall-cmd).
    I compiled some notes and screenshots on firewalld usage in this post. Written last year, so some parts of my post concerning Air's config generator are no longer accurate or useful. Anything concerning firewalld and Fedora is still valid.
    More importantly though, read the man page for firewall-cmd and also understand the difference between the runtime and permanent ruleset.
     
     
    This is how I would "translate" your UFW rules:
    (All systemctl and firewall-cmd commands need root privileges! drop to a root shell or use sudo)
     
    1. First, make sure that the firewalld service is enabled and started:
     
        systemctl enable firewalld
        systemctl start firewalld

    2. Now configure your permanent rules:
     
        firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv6 filter INPUT 0 -j DROP
        firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 60002 -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 60002 -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 999 -j DROP
        firewall-cmd --direct --permanent --add-rule ipv6 filter OUTPUT 0 -j DROP
        firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -d 178.162.198.40 -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 999 -j DROP

    3. Runtime rules (omitting the --permanent switch) take effect immediately (but don't survive reboots etc.). Permanent rules, however, only take effect after restarting or reloading firewalld:
     
        firewall-cmd --reload

    4. To review your current runtime ruleset:

        firewall-cmd --direct --get-all-rules

    And your permanent ruleset:

        firewall-cmd --direct --permanent --get-all-rules
     
    5. One final task: Thoroughly test your ruleset to make sure it actually accomplishes what you had in mind.
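    As an added example (not part of the post above), the same twelve direct rules as a parameterized shell script: the VPN server address, VPN port and forwarded port from the post are the defaults, the generated commands can be reviewed in a dry run before anything is applied, and the apply path ends with the runtime/permanent listing from step 4. The names killswitch_rules, apply_killswitch and the --dry-run/--apply flags are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: generate and (optionally) apply the
# firewalld direct-rule killswitch from the post, parameterized by VPN server IP,
# VPN port and forwarded port. Defaults are the values that appear in the post.
set -eu

# killswitch_rules VPN_SERVER_IP VPN_PORT FWD_PORT
# Prints one `firewall-cmd --direct --permanent` command per line, in the post's
# order. Direct-rule priorities are evaluated lowest first: the lo/tun+ ACCEPTs (0),
# the forwarded port and the VPN handshake (1) come before the catch-all DROP (999).
killswitch_rules() {
    server=$1 vport=$2 fport=$3
    case $server in
        ''|*[!0-9.]*) echo "invalid IPv4 address: $server" >&2; return 1 ;;
    esac
    for p in "$vport" "$fport"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
    done
    fc='firewall-cmd --direct --permanent --add-rule'
    cat <<EOF
$fc ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
$fc ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
$fc ipv6 filter INPUT 0 -j DROP
$fc ipv4 filter INPUT 0 -i lo -j ACCEPT
$fc ipv4 filter INPUT 1 -i tun+ -p tcp --dport $fport -j ACCEPT
$fc ipv4 filter INPUT 1 -i tun+ -p udp --dport $fport -j ACCEPT
$fc ipv4 filter INPUT 999 -j DROP
$fc ipv6 filter OUTPUT 0 -j DROP
$fc ipv4 filter OUTPUT 0 -o lo -j ACCEPT
$fc ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
$fc ipv4 filter OUTPUT 1 -p udp -m udp --dport $vport -d $server -j ACCEPT
$fc ipv4 filter OUTPUT 999 -j DROP
EOF
}

# apply_killswitch VPN_SERVER_IP VPN_PORT FWD_PORT   (needs root)
# Applies the permanent rules, reloads so they become runtime rules (step 3 of the
# post), then prints both rulesets so they can be compared (step 4).
apply_killswitch() {
    killswitch_rules "$@" | sh -e
    firewall-cmd --reload
    echo "# runtime rules:";   firewall-cmd --direct --get-all-rules
    echo "# permanent rules:"; firewall-cmd --direct --permanent --get-all-rules
}

# Defaults taken from the post: VPN server 178.162.198.40 on UDP 443, forwarded port 60002.
case ${1:-} in
    --dry-run) killswitch_rules 178.162.198.40 443 60002 ;;
    --apply)   apply_killswitch 178.162.198.40 443 60002 ;;
esac
```

    Run it with --dry-run first and diff the output against the post's list before using --apply; step 5 (testing with the VPN disconnected) still applies afterwards.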