I have a weird situation and I know I "might" compromise some security in doing so. I have a Synology NAS running AirVPN. I also have a web server on it with a domain name as set up by my ISP using my ISP-supplied static IP, which is accessible from the internet. I'm running rTorrent and that is going through the AirVPN interface. The issue comes when I try to access the web server myself. My PC has Eddie on it. With Eddie disconnected I can access the web server; however, when I activate Eddie I can no longer access the web server. I don't think this would actually relate to "Blocked Websites", which is why I haven't posted the query there. Suggestions to resolve this would be appreciated (as I am considering also setting up a mail server). Thanks
-
It's a security feature. When the DNS IP address matches the VPN gateway IP address, the notorious attack based on DNS hijacking and route injection, which most commercial VPNs are vulnerable to, becomes impossible. https://www.researchgate.net/publication/274800185_A_Glance_through_the_VPN_Looking_Glass_IPv6_Leakage_and_DNS_Hijacking_in_Commercial_VPN_clients Note that the paper cites AirVPN, but that's a paramount error, as the researchers did not fix the paper, not even after we repeatedly warned them about their mistake. We are not aware of any negative consequence; please feel free to elaborate. You are anyway free to query 10.4.0.1 in case you don't like the security feature for any reason. Address 10.4.0.1 is reachable by DNS queries from any VPN subnet. Kind regards
-
Hey, I have had this for a while now. Sometimes when I try to resolve airvpn.org it fails. After some tries or minutes it works fine. I use a Pi-hole as DNS server running a local unbound (127.0.0.1) and, as said, I only get issues with this domain here.. real strange. Luckily today I was able to grab some logs; maybe someone can read them and tell me if the dnssec-query requests tell something useful?

Jan 4 19:19:07 dnsmasq[31678]: query[PTR] 44.1.168.192.in-addr.arpa from 192.168.1.15
Jan 4 19:19:07 dnsmasq[31678]: /etc/pihole/local.list 192.168.1.44 is pi-hole
Jan 4 19:19:07 dnsmasq[31678]: query[A] airvpn.org.localdomain from 192.168.1.15
Jan 4 19:19:07 dnsmasq[31678]: cached airvpn.org.localdomain is NXDOMAIN
Jan 4 19:19:07 dnsmasq[31678]: query[AAAA] airvpn.org.localdomain from 192.168.1.15
Jan 4 19:19:07 dnsmasq[31678]: cached airvpn.org.localdomain is NXDOMAIN
Jan 4 19:19:07 dnsmasq[31678]: query[A] airvpn.org from 192.168.1.15
Jan 4 19:19:07 dnsmasq[31678]: forwarded airvpn.org to 127.0.0.1
Jan 4 19:19:09 dnsmasq[31678]: query[AAAA] airvpn.org from 192.168.1.15
Jan 4 19:19:09 dnsmasq[31678]: forwarded airvpn.org to 127.0.0.1
Jan 4 19:19:16 dnsmasq[31678]: dnssec-query[DS] airvpn.org to 127.0.0.1
Jan 4 19:19:16 dnsmasq[31678]: dnssec-query[DS] airvpn.org to 127.0.0.1
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DS keytag 55882, algo 8, digest 1
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DS keytag 57919, algo 8, digest 1
Jan 4 19:19:16 dnsmasq[31678]: dnssec-query[DNSKEY] airvpn.org to 127.0.0.1
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DS keytag 55882, algo 8, digest 1
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DS keytag 57919, algo 8, digest 1
Jan 4 19:19:16 dnsmasq[31678]: dnssec-query[DNSKEY] airvpn.org to 127.0.0.1
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DNSKEY keytag 57919, algo 8
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DNSKEY keytag 55882, algo 8
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DNSKEY keytag 59298, algo 8
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DNSKEY keytag 38193, algo 8
Jan 4 19:19:16 dnsmasq[31678]: validation result is SECURE
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is 5.196.64.52
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DNSKEY keytag 57919, algo 8
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DNSKEY keytag 55882, algo 8
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DNSKEY keytag 59298, algo 8
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is DNSKEY keytag 38193, algo 8
Jan 4 19:19:16 dnsmasq[31678]: validation result is SECURE
Jan 4 19:19:16 dnsmasq[31678]: reply airvpn.org is 2001:41d0:a:6034::

Please note that I was running nslookup airvpn.org here and at the end it was working. The same command 2 minutes earlier failed. So until 19:19:07 I had a DNS timeout when querying airvpn.org and at 19:19:16 it started to work just fine. Any help is much appreciated.
-
Hi there! Seemingly there are no AAAA resource records returned when querying any DNS server for AirVPN's server IPs:

$ dig any in errai.airvpn.org.

; <<>> DiG 9.11.5-P4-3-Debian <<>> any in errai.airvpn.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63963
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;errai.airvpn.org.		IN	ANY

;; ANSWER SECTION:
errai.airvpn.org.	3198	IN	A	185.189.112.10
errai.airvpn.org.	3198	IN	RRSIG	A 8 3 3600 20190512182416 20190427182416 5220 airvpn.org. Bs2dfKKNAWs6TvfjDLIl7WvXiLETD3NmesZrLX8bnYBtGEyrTrum4W6T btSU54u6oAQeArwNH+umxqarXGCKXgTtzy+HPQ9M3g76NqPPCie5rx5B ZCTj1D80D30PrCvICwwQRnaP1sElsQJdyrecrT3rWGB9S+RQSEBbTvzf sac=

;; Query time: 52 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Mai 03 19:06:51 CEST 2019
;; MSG SIZE  rcvd: 231

I tried my ISP's DNS resolver, Google's and Cloudflare's Public DNS (which returned a NOTIMP for ANY requests, but didn't return any AAAAs otherwise) on servers with IPv6 support, like Errai shown above. Is this intended? Did I miss a thread on this in the past? Or am I doing something wrong?
-
DNS is unencrypted. If you use a DNS other than AirDNS, the query is unencrypted after the AirVPN server and visible to the outside. If you use AirDNS, it stays in the tunnel which is encrypted, therefore, the DNS query is as well. So yes, Vegas stays in Vegas kind of a thing.
-
Okay, some may disagree with this solution, but I have had a MAJOR struggle to stop DNS leaks to my WAN and this (I believe!) fixed my issue. Please, if you believe I am missing something, or providing incorrect information, feel free to correct! I've tested this extensively with packet dumps on my WAN connection; pfSense "seemingly randomly" sends DNS queries to the default gateway, regardless of any settings. Sometimes, multiple test queries from pfSense and clients in the LAN would not trigger a single packet to be sent out over the default gateway, and then suddenly, for whatever reason, I see queries over the WAN for a DNS query test I was doing. Just one, after which it was quiet again for a few queries. Moreover, it leaks your internal domain as well by appending the local domain suffix to a domain I am testing. Example:

12:40:48.313250 IP (tos 0x0, ttl 64, id 15226, offset 0, flags [none], proto UDP (17), length 67) 192.168.1.1.17078 > 84.200.69.80.53: [udp sum ok] 51473+ [1au] A? google.com. ar: . OPT UDPsize=4096 OK (39)
12:40:48.341439 IP (tos 0x0, ttl 64, id 24297, offset 0, flags [none], proto UDP (17), length 67) 192.168.1.1.60070 > 84.200.69.80.53: [udp sum ok] 41295+ [1au] AAAA? google.com. ar: . OPT UDPsize=4096 OK (39)
12:40:48.368481 IP (tos 0x0, ttl 64, id 17792, offset 0, flags [none], proto UDP (17), length 67) 192.168.1.1.7038 > 84.200.70.40.53: [udp sum ok] 38162+ [1au] CNAME? google.com. ar: . OPT UDPsize=4096 OK (39)
12:40:48.404360 IP (tos 0x0, ttl 64, id 37382, offset 0, flags [none], proto UDP (17), length 81) 192.168.1.1.13371 > 84.200.69.80.53: [udp sum ok] 3273+ CNAME? google.com.internal.mydomain.com. (53)

Also, sometimes pfSense (DNS Resolver, actually) queries root servers directly over the default gateway. I haven't figured out why or when. Again, this seems to happen randomly.
I've read everything I could find, I've set gateways for DNS servers to VPN gateways and I've tested VPN gateway addresses as DNS servers (the private range IPs, 10.4.0.1 for example). I tried creating port forwards for DNS to "catch" the DNS queries and forward them to the VPN gateway. Things would look okay for a few minutes and I thought I had fixed it, but then suddenly, for no apparent reason, I see packets flying out over the default gateway or I see root server queries out of the blue. I got so tired of this ... . Enough, the solution:

Disable DNS forwarding in DNS Resolver.
Remove ALL DNS servers under General Setup.
In DNS Resolver, enable DNSCrypt.
In DNS Resolver, under Advanced, tick the following options (these actually don't help hiding your DNS queries, they are simply "advised" to enable):
- Hide Identity
- Hide Version
- Prefetch Support
- Prefetch DNS Key Support
- Harden DNSSEC Data
In DNS Resolver, make it listen on LAN and localhost only (unless you know you require another interface as well).
In DNS Resolver, make WAN (no VPN, but only your direct internet connection) the ONLY outgoing interface for queries (trust me on this one).
Then, in the custom config box, place the following text:

server:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853

Save and apply. Double check you have removed ALL DNS servers from General Settings and you have disabled DNS Query Forwarding in DNS Resolver. In the above custom config box, you basically told DNS Resolver to forward ALL queries ("." is a wildcard) to 1.1.1.1 or 1.0.0.1 at port 853 and enable SSL/TLS on that link. Any public DNS server that supports DNS over TLS will do. Adjust the IP and port in forward-addr: to reflect your DNS server of choice. At this point I can hear you scream behind your PC: but this will send all my DNS queries out over the default gateway! Yes, you are correct.
Except, nothing will be recognizable, and not even with packet sniffers or DPI will they be able to see which domains you are trying to resolve. No spying eyes are possible on your queries since they are encrypted over TLS. The IP addresses above are Cloudflare servers. They guarantee anonymity and apply no DNS blacklisting or filtering. Another incredible plus with this setup is that this is EXTREMELY FAST! Most of my queries resolve within 10ms, this is insanely fast. Querying Google public DNS directly typically takes 40ms from my location. Running DNS over VPN sometimes takes 400ms or even more. I can NOTICEABLY see a difference in response in my web browser. Please enjoy! And again, comments and corrections are more than welcome! Funny result from ipleak.net: DNS Address - 0 servers, 100 errors. It doesn't even see which DNS servers I am using. Thanks!
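A way to check a WAN-side capture for the two leaks the post describes (plaintext port-53 queries escaping the VPN, and the internal search domain appended to query names), as an added Python example that is not the poster's code. It takes the `tcpdump -v` lines quoted above plus constructed DoT and HTTPS packets; the internal domain and the set of trusted DNS-over-TLS resolvers are parameters.

```python
"""Audit a tcpdump capture of the pfSense WAN interface for the two leaks
described in the post: plaintext DNS queries sent past the VPN, and the
internal search domain appended to query names. Added example, not the
poster's code; the `tcpdump -v` lines below are the post's own four plus
constructed DoT and HTTPS packets for contrast."""
import re
from dataclasses import dataclass

# Packet header as printed by tcpdump -v:
# "<hh:mm:ss.usec> IP (... proto UDP (17), length N) <src>.<sport> > <dst>.<dport>: <decode>"
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?proto (?P<proto>UDP|TCP) \(\d+\), length \d+\) "
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+): (?P<decode>.*)$"
)
# DNS question inside the decode: "... 51473+ [1au] A? google.com. ..."
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>[A-Za-z0-9._-]+)\.")

SAMPLE_CAPTURE = [
    # the four packets quoted in the post (plaintext queries leaving via the WAN)
    "12:40:48.313250 IP (tos 0x0, ttl 64, id 15226, offset 0, flags [none], proto UDP (17), length 67) 192.168.1.1.17078 > 84.200.69.80.53: [udp sum ok] 51473+ [1au] A? google.com. ar: . OPT UDPsize=4096 OK (39)",
    "12:40:48.341439 IP (tos 0x0, ttl 64, id 24297, offset 0, flags [none], proto UDP (17), length 67) 192.168.1.1.60070 > 84.200.69.80.53: [udp sum ok] 41295+ [1au] AAAA? google.com. ar: . OPT UDPsize=4096 OK (39)",
    "12:40:48.368481 IP (tos 0x0, ttl 64, id 17792, offset 0, flags [none], proto UDP (17), length 67) 192.168.1.1.7038 > 84.200.70.40.53: [udp sum ok] 38162+ [1au] CNAME? google.com. ar: . OPT UDPsize=4096 OK (39)",
    "12:40:48.404360 IP (tos 0x0, ttl 64, id 37382, offset 0, flags [none], proto UDP (17), length 81) 192.168.1.1.13371 > 84.200.69.80.53: [udp sum ok] 3273+ CNAME? google.com.internal.mydomain.com. (53)",
    # constructed: DoT handshake to a trusted resolver (the expected path after the fix)
    "12:40:49.100000 IP (tos 0x0, ttl 64, id 40001, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.1.41000 > 1.1.1.1.853: Flags [S], seq 10, win 65535, length 0",
    # constructed: ordinary HTTPS traffic, not DNS at all
    "12:40:49.200000 IP (tos 0x0, ttl 64, id 40002, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.1.41001 > 198.51.100.7.443: Flags [S], seq 11, win 65535, length 0",
    # constructed: DoT to a resolver that is not in the trusted set
    "12:40:49.300000 IP (tos 0x0, ttl 64, id 40003, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.1.41002 > 203.0.113.9.853: Flags [S], seq 12, win 65535, length 0",
]


@dataclass
class Finding:
    ts: str
    severity: str
    reason: str
    dst: str
    qname: str = ""


def parse_packet(line):
    """Return the packet fields, with the DNS question if one is decoded, or None."""
    m = PKT_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    q = QUERY_RE.search(pkt["decode"])
    pkt["qtype"] = q.group("qtype") if q else None
    pkt["qname"] = q.group("qname").lower() if q else None
    return pkt


def audit_capture(lines, internal_domain, trusted_dot_resolvers):
    """Every query to port 53 seen on the WAN side is a plaintext leak; one whose
    name ends in the internal search suffix also discloses the internal domain.
    TCP/853 to a trusted resolver is the expected DNS-over-TLS path."""
    findings = []
    suffix = "." + internal_domain.lower().strip(".")
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        if pkt["dport"] == 853:
            if pkt["dst"] not in trusted_dot_resolvers:
                findings.append(Finding(pkt["ts"], "medium", "DoT session to an unexpected resolver", pkt["dst"]))
        elif pkt["dport"] == 53:
            qname = pkt["qname"] or "<undecoded>"
            if pkt["qname"] and pkt["qname"].endswith(suffix):
                reason = "internal search domain leaked in plaintext query"
            else:
                reason = "plaintext DNS query left via the WAN gateway"
            findings.append(Finding(pkt["ts"], "high", reason, pkt["dst"], qname))
    return findings


def summarize(findings):
    """Counts per severity, handy for a quick pass/fail in a cron job."""
    out = {}
    for f in findings:
        out[f.severity] = out.get(f.severity, 0) + 1
    return out


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE, "internal.mydomain.com", {"1.1.1.1", "1.0.0.1"}):
        print(f"{f.ts} {f.severity:6} {f.dst:15} {f.qname:35} {f.reason}")
```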
-
Thanks for the help! So to be clear, will my ISP be able to see what sites I visit if I just use AirVPN? It sounds like they can't if encryption is active between me and the OpenVPN/AirVPN server? I only really care about that part in regards to DoH, because in my country the ISP keeps logs of every site people visit for an entire year.

In Firefox go to about:config and:
1. Search for "network.trr.bootstrapaddress" and change the value to 1.1.1.1
2. Search for "network.trr.mode" and change the value to 3 (this will force DoH, and a value of 2 will use regular DNS as a fallback)
3. Search for "network.trr.uri" and set the value to https://mozilla.cloudflare-dns.com/dns-query

Then you can go to https://1.1.1.1/help to see if it's working :)
-
Suddenly I'm unable to resolve any hosts at all once connected to AirVPN. I've tried using both the Eddie GUI and the stable 2.16 command line client as well as the 2.17 experimental build. At first, I couldn't get past the "Checking DNS" step. On the Support staff's advice I disabled both Check DNS and IPv6. Now I can get past the "Checking DNS" point and connect, but I cannot resolve any hosts at all. Here is the log using Eddie 2.16 command line:

arl@popcorn eddie-cli]$
. 2019.04.04 14:25:47 - Eddie version: 2.16.3 / linux_x64, System: Linux, Name: Arch Linux \r (\l), Version: Linux popcorn 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux, Mono/.Net: 4.6.2 (Stable 4.6.2.16/ac9e222); Framework: v4.0.30319
. 2019.04.04 14:25:48 - Reading options from /home/carl/Downloads/eddie-cli/default.xml
I 2019.04.04 14:25:48 - Press 'X' to Cancel, 'N' to connect/reconnect to the best available server.
. 2019.04.04 14:25:48 - Command line arguments (6): servers.whitelist="Capricornus,Brussels,Belgium" login="**" password="**" ipv6.mode="Disable" dns.check="False" connect="True"
. 2019.04.04 14:25:48 - Profile path: /home/carl/Downloads/eddie-cli/default.xml
. 2019.04.04 14:25:49 - OpenVPN Driver - Found, /dev/net/tun
. 2019.04.04 14:25:49 - OpenVPN - Version: 2.4.6 - OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10 (/home/carl/Downloads/eddie-cli/openvpn)
. 2019.04.04 14:25:49 - SSH - Version: OpenSSH_7.9p1, OpenSSL 1.1.1b 26 Feb 2019 (/usr/bin/ssh)
. 2019.04.04 14:25:49 - SSL - Version: stunnel 5.40 (/home/carl/Downloads/eddie-cli/stunnel)
. 2019.04.04 14:25:49 - curl - Version: 7.64.0 (/usr/bin/curl)
. 2019.04.04 14:25:49 - Certification Authorities: /home/carl/Downloads/eddie-cli/res//cacert.pem
W 2019.04.04 14:25:49 - Recovery. Unexpected crash?
. 2019.04.04 14:25:49 - Routes, removed a route previously added, 194.187.251.91 for gateway 10.12.174.1
. 2019.04.04 14:25:49 - Routes, removed a route previously added, 2001:ac8:27:a:d655:22aa:7624:7223 for gateway fde6:7a:7d20:8ae::1
. 2019.04.04 14:25:49 - DNS of the system restored to original settings (Rename method)
. 2019.04.04 14:25:49 - Updating systems & servers data ...
I 2019.04.04 14:25:49 - Checking login ...
! 2019.04.04 14:25:50 - Logged in.
. 2019.04.04 14:25:50 - Systems & servers data update completed
I 2019.04.04 14:25:50 - Session starting.
I 2019.04.04 14:25:56 - Checking authorization ...
! 2019.04.04 14:25:56 - Connecting to Capricornus (Belgium, Brussels)
. 2019.04.04 14:25:57 - OpenVPN > OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 27 2018
. 2019.04.04 14:25:57 - OpenVPN > library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
. 2019.04.04 14:25:57 - Connection to OpenVPN Management Interface
. 2019.04.04 14:25:57 - OpenVPN > MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:3100
. 2019.04.04 14:25:57 - OpenVPN > Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
. 2019.04.04 14:25:57 - OpenVPN > Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
. 2019.04.04 14:25:57 - OpenVPN > Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
. 2019.04.04 14:25:57 - OpenVPN > Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
. 2019.04.04 14:25:57 - OpenVPN > TCP/UDP: Preserving recently used remote address: [AF_INET]194.187.251.93:443
. 2019.04.04 14:25:57 - OpenVPN > Socket Buffers: R=[212992->212992] S=[212992->212992]
. 2019.04.04 14:25:57 - OpenVPN > UDP link local: (not bound)
. 2019.04.04 14:25:57 - OpenVPN > UDP link remote: [AF_INET]194.187.251.93:443
. 2019.04.04 14:25:57 - OpenVPN > TLS: Initial packet from [AF_INET]194.187.251.93:443, sid=d04f6298 ee783d1f
. 2019.04.04 14:25:57 - OpenVPN > MANAGEMENT: Client connected from [AF_INET]127.0.0.1:3100
. 2019.04.04 14:25:57 - OpenVPN > VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
. 2019.04.04 14:25:57 - OpenVPN > VERIFY KU OK
. 2019.04.04 14:25:57 - OpenVPN > Validating certificate extended key usage
. 2019.04.04 14:25:57 - OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
. 2019.04.04 14:25:57 - OpenVPN > VERIFY EKU OK
. 2019.04.04 14:25:57 - OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Capricornus, emailAddress=info@airvpn.org
. 2019.04.04 14:25:57 - OpenVPN > Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
. 2019.04.04 14:25:57 - OpenVPN > [Capricornus] Peer Connection Initiated with [AF_INET]194.187.251.93:443
. 2019.04.04 14:25:58 - OpenVPN > SENT CONTROL [Capricornus]: 'PUSH_REQUEST' (status=1)
. 2019.04.04 14:25:58 - OpenVPN > PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.12.174.1,dhcp-option DNS6 fde6:7a:7d20:8ae::1,tun-ipv6,route-gateway 10.12.174.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:8ae::1074/64 fde6:7a:7d20:8ae::1,ifconfig 10.12.174.118 255.255.255.0,peer-id 4,cipher AES-256-GCM'
. 2019.04.04 14:25:58 - OpenVPN > Pushed option removed by filter: 'redirect-gateway ipv6 def1 bypass-dhcp'
. 2019.04.04 14:25:58 - OpenVPN > OPTIONS IMPORT: timers and/or timeouts modified
. 2019.04.04 14:25:58 - OpenVPN > OPTIONS IMPORT: compression parms modified
. 2019.04.04 14:25:58 - OpenVPN > OPTIONS IMPORT: --ifconfig/up options modified
. 2019.04.04 14:25:58 - OpenVPN > OPTIONS IMPORT: route-related options modified
. 2019.04.04 14:25:58 - OpenVPN > OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
. 2019.04.04 14:25:58 - OpenVPN > OPTIONS IMPORT: peer-id set
. 2019.04.04 14:25:58 - OpenVPN > OPTIONS IMPORT: adjusting link_mtu to 1625
. 2019.04.04 14:25:58 - OpenVPN > OPTIONS IMPORT: data channel crypto options modified
. 2019.04.04 14:25:58 - OpenVPN > Data Channel: using negotiated cipher 'AES-256-GCM'
. 2019.04.04 14:25:58 - OpenVPN > Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2019.04.04 14:25:58 - OpenVPN > Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2019.04.04 14:25:58 - OpenVPN > ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=enp4s0 HWADDR=38:60:77:9f:10:f4
. 2019.04.04 14:25:58 - OpenVPN > GDG6: remote_host_ipv6=n/a
. 2019.04.04 14:25:58 - OpenVPN > ROUTE6: default_gateway=UNDEF
. 2019.04.04 14:25:58 - OpenVPN > TUN/TAP device tun0 opened
. 2019.04.04 14:25:58 - OpenVPN > TUN/TAP TX queue length set to 100
. 2019.04.04 14:25:58 - OpenVPN > do_ifconfig, tt->did_ifconfig_ipv6_setup=1
. 2019.04.04 14:25:58 - OpenVPN > /sbin/ip link set dev tun0 up mtu 1500
. 2019.04.04 14:25:58 - OpenVPN > /sbin/ip addr add dev tun0 10.12.174.118/24 broadcast 10.12.174.255
. 2019.04.04 14:25:58 - OpenVPN > /sbin/ip -6 addr add fde6:7a:7d20:8ae::1074/64 dev tun0
. 2019.04.04 14:26:03 - OpenVPN > /sbin/ip route add 194.187.251.93/32 via 192.168.2.1
E 2019.04.04 14:26:03 - OpenVPN > ERROR: Linux route add command failed: external program exited with error status: 2
. 2019.04.04 14:26:03 - OpenVPN > /sbin/ip route add 0.0.0.0/1 via 10.12.174.1
. 2019.04.04 14:26:03 - OpenVPN > RTNETLINK answers: File exists
. 2019.04.04 14:26:03 - OpenVPN > /sbin/ip route add 128.0.0.0/1 via 10.12.174.1
. 2019.04.04 14:26:03 - OpenVPN > add_route_ipv6(::/3 -> fde6:7a:7d20:8ae::1 metric -1) dev tun0
. 2019.04.04 14:26:03 - OpenVPN > /sbin/ip -6 route add ::/3 dev tun0
. 2019.04.04 14:26:03 - OpenVPN > add_route_ipv6(2000::/4 -> fde6:7a:7d20:8ae::1 metric -1) dev tun0
. 2019.04.04 14:26:03 - OpenVPN > /sbin/ip -6 route add 2000::/4 dev tun0
. 2019.04.04 14:26:03 - OpenVPN > add_route_ipv6(3000::/4 -> fde6:7a:7d20:8ae::1 metric -1) dev tun0
. 2019.04.04 14:26:03 - OpenVPN > /sbin/ip -6 route add 3000::/4 dev tun0
. 2019.04.04 14:26:03 - OpenVPN > add_route_ipv6(fc00::/7 -> fde6:7a:7d20:8ae::1 metric -1) dev tun0
. 2019.04.04 14:26:03 - OpenVPN > /sbin/ip -6 route add fc00::/7 dev tun0
. 2019.04.04 14:26:03 - /etc/resolv.conf moved to /etc/resolv.conf.eddie as backup
. 2019.04.04 14:26:03 - DNS of the system updated to VPN DNS (Rename method: /etc/resolv.conf generated)
. 2019.04.04 14:26:03 - Routes, added a new route, 194.187.251.91 for gateway 10.12.174.1
. 2019.04.04 14:26:03 - Routes, added a new route, 2001:ac8:27:a:d655:22aa:7624:7223 for gateway fde6:7a:7d20:8ae::1
. 2019.04.04 14:26:03 - Flushing DNS
I 2019.04.04 14:26:03 - Checking route IPv4
I 2019.04.04 14:26:04 - Checking route IPv6
! 2019.04.04 14:26:05 - Connected.
. 2019.04.04 14:26:05 - OpenVPN > Initialization Sequence Completed

And here is the log for 2.17. Note that 2.17 doesn't get very far at all. It never moves beyond the "Collecting Information" step:

eddie-cli_2.17.2_linux_x64_portable]$
. 2019.04.04 14:22:56 - Eddie version: 2.17.2 / linux_x64, System: Linux, Name: Arch Linux \r (\l), Version: Linux popcorn 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux, Mono/.Net: 4.6.2 (Stable 4.6.2.16/ac9e222); Framework: v4.0.30319
. 2019.04.04 14:22:56 - Reading options from /home/carl/Downloads/eddie-cli_2.17.2_linux_x64_portable/default.xml
I 2019.04.04 14:22:56 - Press 'X' to Cancel, 'N' to connect/reconnect to the best available server.
. 2019.04.04 14:22:56 - Command line arguments (4): servers.whitelist="Capricornus,Brussels,Belgium" login="**" password="**" connect="True"
. 2019.04.04 14:22:56 - Profile path: /home/carl/Downloads/eddie-cli_2.17.2_linux_x64_portable/default.xml
. 2019.04.04 14:22:58 - OpenVPN Driver - Found, /dev/net/tun
. 2019.04.04 14:22:58 - OpenVPN - Version: 2.4.6 - OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10 (/home/carl/Downloads/eddie-cli_2.17.2_linux_x64_portable/openvpn)
. 2019.04.04 14:22:58 - SSH - Version: OpenSSH_7.9p1, OpenSSL 1.1.1b 26 Feb 2019 (/usr/bin/ssh)
. 2019.04.04 14:22:58 - SSL - Version: stunnel 5.40 (/home/carl/Downloads/eddie-cli_2.17.2_linux_x64_portable/stunnel)
. 2019.04.04 14:22:58 - curl - Version: 7.64.0 (/usr/bin/curl)
. 2019.04.04 14:22:58 - Certification Authorities: /home/carl/Downloads/eddie-cli_2.17.2_linux_x64_portable/res//cacert.pem
I 2019.04.04 14:22:58 - Checking login ...
! 2019.04.04 14:22:58 - Logged in.
I 2019.04.04 14:22:58 - Ready
. 2019.04.04 14:22:59 - Collect information about AirVPN completed

This is what happens when I try to run openvpn with my generated AirVPN config. It never gets past the Initialization step:

Thu Apr 4 14:09:21 2019 OpenVPN 2.4.7 [git:makepkg/2b8aec62d5db2c17+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Thu Apr 4 14:09:21 2019 library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.10
Thu Apr 4 14:09:21 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 4 14:09:21 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 4 14:09:23 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]91.207.57.114:443
Thu Apr 4 14:09:23 2019 Socket Buffers: R=[131072->425984] S=[16384->425984]
Thu Apr 4 14:09:23 2019 Attempting to establish TCP connection with [AF_INET]91.207.57.114:443 [nonblock]
Thu Apr 4 14:09:24 2019 TCP connection established with [AF_INET]91.207.57.114:443
Thu Apr 4 14:09:24 2019 TCP_CLIENT link local: (not bound)
Thu Apr 4 14:09:24 2019 TCP_CLIENT link remote: [AF_INET]91.207.57.114:443
Thu Apr 4 14:09:24 2019 TLS: Initial packet from [AF_INET]91.207.57.114:443, sid=695f5069 3af31c9d
Thu Apr 4 14:09:24 2019 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Thu Apr 4 14:09:24 2019 VERIFY KU OK
Thu Apr 4 14:09:24 2019 Validating certificate extended key usage
Thu Apr 4 14:09:24 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Apr 4 14:09:24 2019 VERIFY EKU OK
Thu Apr 4 14:09:24 2019 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Castor, emailAddress=info@airvpn.org
Thu Apr 4 14:09:25 2019 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Apr 4 14:09:25 2019 [Castor] Peer Connection Initiated with [AF_INET]91.207.57.114:443
Thu Apr 4 14:09:26 2019 SENT CONTROL [Castor]: 'PUSH_REQUEST' (status=1)
Thu Apr 4 14:09:26 2019 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.12.237.1,route-gateway 10.12.237.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.12.237.186 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: compression parms modified
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: route options modified
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: route-related options modified
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: peer-id set
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Thu Apr 4 14:09:26 2019 OPTIONS IMPORT: data channel crypto options modified
Thu Apr 4 14:09:26 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Apr 4 14:09:26 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 4 14:09:26 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 4 14:09:26 2019 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=enp4s0 HWADDR=38:60:77:9f:10:f4
Thu Apr 4 14:09:26 2019 TUN/TAP device tun0 opened
Thu Apr 4 14:09:26 2019 TUN/TAP TX queue length set to 100
Thu Apr 4 14:09:26 2019 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Apr 4 14:09:26 2019 /usr/bin/ip addr add dev tun0 10.12.237.186/24 broadcast 10.12.237.255
Thu Apr 4 14:09:26 2019 /usr/bin/ip route add 91.207.57.114/32 via 192.168.2.1
Thu Apr 4 14:09:26 2019 /usr/bin/ip route add 0.0.0.0/1 via 10.12.237.1
Thu Apr 4 14:09:26 2019 /usr/bin/ip route add 128.0.0.0/1 via 10.12.237.1
Thu Apr 4 14:09:26 2019 Initialization Sequence Completed

resolv.conf looks correct:

cat /etc/resolv.conf
# Generated by Eddie v2.16.3 | https://eddie.website
nameserver 10.12.174.1
nameserver fde6:7a:7d20:8ae::1

When connected to the VPN, I can't resolve anything. It eventually times out, but here I just killed it:

$ resolvectl query google.com
^C
$

When not connected, resolution works fine:

$ resolvectl query google.com
google.com: 64.233.177.113 -- link: enp4s0
            64.233.177.102 -- link: enp4s0
            64.233.177.100 -- link: enp4s0
            64.233.177.139 -- link: enp4s0
            64.233.177.138 -- link: enp4s0
            64.233.177.101 -- link: enp4s0

I've tried the advice for enabling DNS push here but the result is the same: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

Anyone have any ideas? This has been happening for a few days and I have not made any changes to the system. My Windows machine works just fine with AirVPN.
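An added example (this author's code, not Eddie's or OpenVPN's) that parses the PUSH_REPLY and route lines from the 2.16 log above and cross-checks them against the generated resolv.conf: do the nameservers written match the ones pushed, is the pushed IPv4 DNS inside the tunnel subnet, which route commands failed, and which pushed options the client filtered. The log lines and resolv.conf are quoted from the post.

```python
"""Cross-check what an OpenVPN server pushed (DNS, gateway, tunnel subnet)
against what the client installed, using the Eddie 2.16 log and the
resolv.conf quoted in the post above. Added example: the log lines are the
post's, the parsing and checks are this author's, not Eddie's or OpenVPN's."""
import ipaddress
import re

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<reply>PUSH_REPLY,[^']*)'")

# Quoted from the post (Capricornus session); only the lines the checks need.
EDDIE_LOG = [
    ". 2019.04.04 14:25:58 - OpenVPN > PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.12.174.1,dhcp-option DNS6 fde6:7a:7d20:8ae::1,tun-ipv6,route-gateway 10.12.174.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:8ae::1074/64 fde6:7a:7d20:8ae::1,ifconfig 10.12.174.118 255.255.255.0,peer-id 4,cipher AES-256-GCM'",
    ". 2019.04.04 14:25:58 - OpenVPN > Pushed option removed by filter: 'redirect-gateway ipv6 def1 bypass-dhcp'",
    ". 2019.04.04 14:25:58 - OpenVPN > ROUTE6: default_gateway=UNDEF",
    ". 2019.04.04 14:26:03 - OpenVPN > /sbin/ip route add 194.187.251.93/32 via 192.168.2.1",
    "E 2019.04.04 14:26:03 - OpenVPN > ERROR: Linux route add command failed: external program exited with error status: 2",
    ". 2019.04.04 14:26:03 - OpenVPN > /sbin/ip route add 0.0.0.0/1 via 10.12.174.1",
    ". 2019.04.04 14:26:03 - OpenVPN > RTNETLINK answers: File exists",
]
RESOLV_CONF = (
    "# Generated by Eddie v2.16.3 | https://eddie.website\n"
    "nameserver 10.12.174.1\n"
    "nameserver fde6:7a:7d20:8ae::1\n"
)


def parse_push_reply(line):
    """'PUSH_REPLY,comp-lzo no,dhcp-option DNS 10.12.174.1,...' ->
    {'comp-lzo': ['no'], 'dhcp-option': ['DNS 10.12.174.1', ...], ...}.
    Repeated keys (dhcp-option) keep every value, in push order."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    opts = {}
    for item in m.group("reply").split(",")[1:]:      # skip the PUSH_REPLY tag
        key, _, value = item.strip().partition(" ")
        opts.setdefault(key, []).append(value)
    return opts


def pushed_nameservers(opts):
    """Addresses from dhcp-option DNS / DNS6, in push order."""
    return [v.split(" ", 1)[1] for v in opts.get("dhcp-option", [])
            if v.split(" ", 1)[0] in ("DNS", "DNS6")]


def tunnel_network(opts):
    """ifconfig '<addr> <netmask>' -> the IPv4 network of the tunnel."""
    addr, mask = opts["ifconfig"][0].split()
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def resolv_conf_nameservers(text):
    return [ln.split()[1] for ln in text.splitlines() if ln.startswith("nameserver")]


def diagnose(log_lines, resolv_conf):
    """Return human-readable findings; an empty list means DNS and routes
    were installed the way the server asked for them."""
    opts = next((o for o in map(parse_push_reply, log_lines) if o), None)
    if opts is None:
        return ["no PUSH_REPLY in log: nothing was pushed, check the control channel"]
    findings = []
    pushed, written = pushed_nameservers(opts), resolv_conf_nameservers(resolv_conf)
    if set(pushed) != set(written):
        findings.append(f"resolv.conf has {written} but the server pushed {pushed}")
    net = tunnel_network(opts)
    for ns in pushed:
        ip = ipaddress.ip_address(ns)
        if ip.version == 4 and ip not in net:
            findings.append(f"pushed DNS {ns} is outside tunnel subnet {net}; it needs its own route")
    has_v6_dns = any(ipaddress.ip_address(ns).version == 6 for ns in pushed)
    for ln in log_lines:
        tail = ln.split("OpenVPN > ", 1)[-1].strip()
        if "route add command failed" in tail or tail.startswith("RTNETLINK answers"):
            findings.append("route installation error: " + tail)
        elif tail.startswith("Pushed option removed by filter"):
            findings.append("client dropped a pushed option: " + tail.split(": ", 1)[1])
        elif tail == "ROUTE6: default_gateway=UNDEF" and has_v6_dns:
            findings.append("IPv6 nameserver pushed but the host has no IPv6 default gateway")
    return findings


if __name__ == "__main__":
    for line in diagnose(EDDIE_LOG, RESOLV_CONF):
        print("-", line)
```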
-
/********
 * ULTIMATE HARDENED FIREFOX USER.JS
 * Combines changes outlined in ghacks.net and GitHub's hardened FF profiles as at October 2015. The GHacks version was used as the base profile, with additional Github privacy/settings inserted (marked with 'GITHUB' label).
 * Successfully tested with Linux FF 41.0.2 (Youtube etc).
 * All credits to the primary authors and many contributors from Github, GHacks Forums and Wilders Security Forums who did the hard yards.
 * Minor changes have been made by this author to further increase privacy and convenience e.g. no OCSP checks due to third parties involved, changes to cookie policies/behaviours, disabling of spdy, using all privacy options to clear data/cookies etc upon FF shutdown, enabling full native HTML5 support by default (and several others).
 * This entire text block should be saved to a new file named user.js
 ********/
/*********
 * The two original user.js profiles used to create this 'ultimate' privacy/security profile can be found here:
 * url: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
 * url: https://github.com/pyllyukko/user.js
 * This is NOT a "comprehensive" list of ALL things privacy/security-related, otherwise it would be enormous.
 * It is actually a long list of settings that generally differ from their defaults, and is aimed at improving security, privacy, a "quieter" FF, fingerprinting, and tracking - while allowing (most) functionality. There will be trade-offs and conflicts between these.
 * IMPORTANT STEPS:
 * Note: user.js - this OVER-WRITES any corresponding about:config entries on Firefox start if accidentally stored in the default folder! see: http://kb.mozillazine.org/User.js_file
 * To avoid this problem, carefully follow the steps below:
 * 1. Create a new FF profile and directory to store this new version of user.js for testing purposes.
 *    To create a new profile in GNU/Linux, the FF profile manager can be accessed via the terminal (Alt-F2): firefox -P
 *    Create a new profile, give it a suitable name, and then shut down FF.
 *    To access the FF profile manager in other O/S and create new profiles, see simple Mozilla notes online.
 * 3. This entire text file should be saved as user.js and moved to the new profile directory you just created.
 *    In GNU/Linux, run in terminal: ls .mozilla/firefox
 *    You will see that FF profiles are stored (hidden) under your home directory: ./mozilla/firefox
 *    In Windoze, you need to drop the user.js file to %appdata%\Mozilla\Firefox\Profiles\XXXXXXXX.your_new_profile_name.
 *    Do NOT touch the 'XXXXXX.default' profile directory or dump your new user.js in the default folder! You will lose all your current 'default' settings, bookmarks and other data!
 * 4. Restart Firefox and select your new profile at start-up. Voila! You now have a 'secure' profile available alongside your 'default' profile.
 * NOTE: BEFORE deciding to use this new user.js, you SHOULD actually read what the prefs do (information is provided, and links) and if necessary, change, remove or comment out with two forward slashes (//) any preferences you're not happy with or not sure about.
 * COMMON PROBLEMS: some prefs will break a number of popular sites (it's inevitable). In particular, these two settings below may need to be reset to defaults to stop breakage:
 *   security.OCSP.require
 *   dom.indexedDB.enabled
 * ADDITIONAL FF CHANGES: Add-ons are also essential for safer browsing e.g. HTTPS Everywhere, No-Script & Canvas Blocker (stops HTML5 canvas/image data extraction). Also strongly consider installing UBlock Origin, Privacy Badger, Self-destructing Cookies and Random Agent Spoofer as complementary add-ons.
 * In preferences, set your default homepage to a search provider that doesn't track by default e.g. https://search.disconnect.me
 * Consider also turning off hardware acceleration as it is understood to be a possible attack vector (?), along with cached web content settings (set to zero MB).
 * Other general FF settings for better security - set all plug-ins to 'never activate' and do not install additional themes/services/languages. They are all likely to be trackable identifiers, and plug-ins are further notorious for leaking lots of data about your system and protocols.
 *********/

// STARTUP
// 0100: STARTUP
// 0101: disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser check
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_override_url", "");
user_pref("browser.feeds.showFirstRunUI", false);
user_pref("browser.shell.checkDefaultBrowser", false);

// GEO
// 0200: GEO
// 0201: disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "http://127.0.0.1");
user_pref("browser.search.geoip.url", "");
// 0202: disable GeoIP-based search results - https://trac.torproject.org/projects/tor/ticket/16254
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.region", "US");

// QUIET Fox Part 1
// 0300: QUIET FOX [PART 1] - no (auto) phoning home for anything - you can still do manual updates
// NOTE: It is still important to do updates for security reasons. If you don't auto update then make sure you do manually in a timely fashion
// NOTE: There are many legitimate reasons for turning off AUTO updating, including hijacked monetized extensions,
// time constraints, legacy issues, and trepidation of breakage (easier to wait for others to report bugs)
// 0301: disable browser auto update
user_pref("app.update.enabled", false);
// 0302: disable browser auto installing update when you do a manual check
user_pref("app.update.auto", false);
// 0303: disable search update
user_pref("browser.search.update", false);
// 0304: disable add-ons auto checking for new versions
user_pref("extensions.update.enabled", false);
// 0305: disable add-ons auto update
user_pref("extensions.update.autoUpdateDefault", false);
// 0306: disable add-on metadata updating - sends daily pings to mozilla about extensions and recent startups - privacy issue
user_pref("extensions.getAddons.cache.enabled", false);
// 0307: disable auto updating of personas (themes)
user_pref("lightweightThemes.update.enabled", false);
// 0308: disable update plugin notifications - if you're using flash, java, silverlight - turn on their own auto-update mechanisms
// also see 1804 below - Mozilla only checks a few plugins anyway - Silverlight, Flash, Java?, Quicktime? WMP?
user_pref("plugins.update.notifyUser", false);
// GITHUB 1: CIS Version 1.2.0 October 21st, 2011 2.1.3 Enable Information Bar for Outdated Plugins
user_pref("plugins.hide_infobar_for_outdated_plugin", false);
// 0309: disable sending plugin crash reports - keep FF quiet
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
// 0310: disable sending the URL of the website where a plugin crashed - privacy issue
user_pref("dom.ipc.plugins.reportCrashURL", false);
// 0320: disable extension discovery - featured extensions for displaying in Get Add-ons panel
user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");
// 0330: disable telemetry
// big fat list here: https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
// the pref (.unified) affects the behaviour of the pref (.enabled)
// IF unified=false then .enabled controls the telemetry module : IF unified=true then .enabled ONLY controls whether to record extended data
// so make sure to have both set as false
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);
// 0331: remove url of server telemetry pings are sent to
user_pref("toolkit.telemetry.server", "");
// 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
user_pref("toolkit.telemetry.archive.enabled", false);
// 0333: disable health report
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.healthreport.documentServerURI", "");
user_pref("datareporting.healthreport.service.enabled", false);
// 0334: FF41+ see https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
// https://bugzilla.mozilla.org/show_bug.cgi?id=1195552
// This is the master-kill-switch for upload/reporting for Health Reports and Telemetry
user_pref("datareporting.policy.dataSubmissionEnabled", false);
// 0340: disable experiments
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", ""); user_pref("experiments.supported", false); user_pref("experiments.activeExperiment", false); // 0341: disable mozilla permission to silently opt you into tests user_pref("network.allow-experiments", false); // 0350: disable crash reports user_pref("breakpad.reportURL", ""); // 0360: disable new tab tile ads & preload & marketing junk user_pref("browser.newtab.preload", false); user_pref("browser.newtabpage.directory.ping", ""); user_pref("browser.newtabpage.directory.source", ""); user_pref("browser.newtabpage.enabled", false); user_pref("browser.newtabpage.enhanced", false); user_pref("browser.newtabpage.introShown", true); // GITHUB2: Control newtab behaviour // https://wiki.mozilla.org/Privacy/Reviews/New_Tab user_pref("browser.newtabpage.enabled", false); // https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off user_pref("browser.newtab.url", "about:blank"); // 0370: https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1"); // 0371: disable heartbeat - mozilla user rating telemetry user_pref("browser.selfsupport.url", ""); // 0372: disable hello - a WebRTC mozilla voice & video call that doesn't require an account - WebRTC (IP leak) user_pref("loop.enabled", false); // 0373: disable pocket, remove urls for good measure - a third party "save for later" service - privacy concerns user_pref("browser.pocket.enabled", false); user_pref("reader.parse-on-load.enabled", false); user_pref("browser.pocket.api", ""); user_pref("browser.pocket.site", ""); // 0374: disable "social" integration - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_API user_pref("social.whitelist", ""); user_pref("social.toast-notifications.enabled", false); user_pref("social.shareDirectory", ""); user_pref("social.remote-install.enabled", false); user_pref("social.directories", ""); 
user_pref("social.share.activationPanelEnabled", false); // QUIET Fox Part 2 // 0400: QUIET FOX [PART 2] - NOTE: This section has security & tracking protection implications vs privacy concerns // These settings are geared up to make FF "quiet" & private, if you want safebrowsing & tracking protection then don't use this section (or parts of it) /// 0401: DON'T disable extension blocklist as it is now includes updates for "revoked certificates", this is not a privacy issue // see https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ // NOTE: requires extensions.blocklist.url to be set at default user_pref("extensions.blocklist.enabled", true); // 0402: disable block reported web forgeries - when true this compares visited URLs against a blacklist or submits // URLs to a third party to determine whether a site is legitimate = privacy concerns. This setting is under Options>Security user_pref("browser.safebrowsing.enabled", false); // 0410: disable block reported attack sites - This setting is under Options>Security // safebrowsing uses locally stored data, but if the item is not found, then google is contacted - privacy concerns user_pref("browser.safebrowsing.malware.enabled", false); // 0411: disable safebrowsing urls & download user_pref("browser.safebrowsing.downloads.enabled", false); user_pref("browser.safebrowsing.downloads.remote.enabled", false); user_pref("browser.safebrowsing.appRepURL", ""); user_pref("browser.safebrowsing.gethashURL", ""); user_pref("browser.safebrowsing.malware.reportURL", ""); user_pref("browser.safebrowsing.reportErrorURL", ""); user_pref("browser.safebrowsing.reportGenericURL", ""); user_pref("browser.safebrowsing.reportMalwareErrorURL", ""); user_pref("browser.safebrowsing.reportMalwareURL", ""); user_pref("browser.safebrowsing.reportPhishURL", ""); user_pref("browser.safebrowsing.reportURL", ""); user_pref("browser.safebrowsing.updateURL", ""); // 0420: disable tracking protection - // 
https://support.mozilla.org/en-US/kb/tracking-protection-firefox // I believe there are no privacy concerns here, but you are better off using an extension such as uBlock Origin // which is not decided by a third party (disconnect) and which is far more effective (when used correctly) user_pref("privacy.trackingprotection.enabled", false); user_pref("browser.polaris.enabled", false); // deprecated? user_pref("browser.trackingprotection.gethashURL", ""); user_pref("browser.trackingprotection.getupdateURL", ""); user_pref("privacy.trackingprotection.pbmode.enabled", false); // GITHUB 3: CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6 Enable IDN Show Punycode // http://kb.mozillazine.org/Network.IDN_show_punycode user_pref("network.IDN_show_punycode", true); // GITHUB 4: Disallow NTLMv1 // https://bugzilla.mozilla.org/show_bug.cgi?id=828183 user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false); // it is still allowed through HTTPS. uncomment the following to disable it completely. //user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false); // https://blog.mozilla.org/security/2012/11/01/preloading-hsts/ // https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List user_pref("network.stricttransportsecurity.preloadlist", true); // BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on] // 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on] // 0601: disable link prefetching user_pref("network.prefetch-next", false); // 0602: disable dns prefetching user_pref("network.dns.disablePrefetch", true); user_pref("network.dns.disablePrefetchFromHTTPS", true); // 0603: disable seer/necko user_pref("network.predictor.enabled", false); // 0604: disable search suggestions user_pref("browser.search.suggest.enabled", false); // 0605: disable link-mouseover opening connection to linked server user_pref("network.http.speculative-parallel-limit", 0); // 0606: disable pings (but enforce same host in case) user_pref("browser.send_pings", 
false); user_pref("browser.send_pings.require_same_host", true); // LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY etc // 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc // Not ALL of these are strictly needed, some are for the truely paranoid, but included for a more comprehensive list (see comments on each one) // 0801: disable location bar using search, give error message instead - don't leak typos to a search engine - PRIVACY user_pref("keyword.enabled", false); // 0802: disable location bar domain guessing - intercepts DNS "hostname not found errors" and resends a request eg by adding www or .com. // Inconsistent use (eg FQDNs), does not work via Proxy Servers (different error), can send extra unexpected DNS requests, // is a flawed use of DNS (TLDs: why treat .com as the 411 for DNS errors?), privacy issues (why connect to sites you didn't intend to), // can leak sensitive data? (eg query strings: eg Princeton attack), and is a security risk (eg common typos & malicious sites set up to exploit this) - PRIVACY/SECURITY user_pref("browser.fixup.alternate.enabled", false); // 0803: disable location bar dropdown - PRIVACY issue (i.e computer forensics/shoulder surfers) user_pref("browser.urlbar.maxRichResults", 0); // 0804: display all parts of the url - why rely on just a visual clue - helps SECURITY user_pref("browser.urlbar.trimURLs", false); // 0805: disable URLbar autofill - http://kb.mozillazine.org/Inline_autocomplete - PRIVACY issue (i.e computer forensics/shoulder surfers) user_pref("browser.urlbar.autoFill", false); user_pref("browser.urlbar.autoFill.typed", false); // 0806: disable autocomplete - PRIVACY issue (i.e computer forensics/shoulder surfers) user_pref("browser.urlbar.autocomplete.enabled", false); // 0807: disable history manipulation - https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history - SECURITY // false=disable, have set to true otherwise it breaks some sites (youtube) 
ability to correctly show the url in location bar and for the forward/back tab history to work user_pref("browser.history.allowPopState", true); user_pref("browser.history.allowPushState", true); user_pref("browser.history.allowReplaceState", true); // GITHUB 5: Don't remember browsing history user_pref("places.history.enabled", false); // GITHUB 6: CIS Version 1.2.0 October 21st, 2011 2.5.4 Delete History and Form Data // http://kb.mozillazine.org/Browser.history_expire_days user_pref("browser.history_expire_days", 0); // http://kb.mozillazine.org/Browser.history_expire_sites user_pref("browser.history_expire_sites", 0); // http://kb.mozillazine.org/Browser.history_expire_visits user_pref("browser.history_expire_visits", 0); // 0808: disable history suggestions - PRIVACY issue (i.e computer forensics/shoulder surfers) user_pref("browser.urlbar.suggest.history", false); // 0809: limit history PER TAB (back/forward) - history leaks via enumeration - PRIVACY // default=50!! minimum=1=currentpage, 2 is good for some sites/pages to work, 4 may be more practical user_pref("browser.sessionhistory.max_entries", 4); // 0810: disable css querying page history - css history leak - PRIVACY user_pref("layout.css.visited_links_enabled", false); // 0811: disable displaying Javascript in history URLs - SECURITY user_pref("browser.urlbar.filter.javascript", true); // 0812: disable saving information entered in web forms AND the search bar - PRIVACY issue (i.e computer forensics/shoulder surfers) // for convenience & functionality, this is best left at default true - you can clear formdata on exiting firefox. But, lets go full secure-tard. user_pref("browser.formfill. enable", false); // 0813: disable saving form data on secure websites (default=true) - PRIVACY issue (i.e computer forensics/shoulder surfers) // for convenience & functionality, this is best left at default true - you can clear formdata on exiting firefox. But, lets go full secure-tard. 
user_pref("browser.formfill.saveHttpsForms", false); // 0814: disable auto-filling username & password form fields (can leak in cross-site forms AND be spoofed) - http://kb.mozillazine.org/Signon.autofillForms // password will still be set after the user name is manually entered - SECURITY user_pref("signon.autofillForms", false); // GITHUB 7: CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage user_pref("security.ask_for_password", 0); // GITHUB 8: CIS Version 1.2.0 October 21st, 2011 2.5.2 Disallow Credential Storage user_pref("signon.rememberSignons", false); // CACHE // 1000: CACHE // 1001: disable disk cache user_pref("browser.cache.disk.enable", false); // 1002: disable disk caching of SSL pages - http://kb.mozillazine.org/Browser.cache.disk_cache_ssl user_pref("browser.cache.disk_cache_ssl", false); // 1003: disable memory cache as well IF you're REALLY paranoid (yep!), you'll take a performance/traffic hit user_pref("browser.cache.memory.enable", false); // 1004: disable offline cache user_pref("browser.cache.offline.enable", false); // 1005: disable storing extra session data 0=all 1=http-only 2=none user_pref("browser.sessionstore.privacy_level", 2); user_pref("browser.sessionstore.privacy_level_deferred", 2); // GITHUB9: Remove sessionstore data // http://kb.mozillazine.org/Browser.sessionstore.postdata // NOTE: relates to CIS 2.5.7 user_pref("browser.sessionstore.postdata", 0); // http://kb.mozillazine.org/Browser.sessionstore.enabled user_pref("browser.sessionstore.enabled", false); // SSL / OCSP / CIPHERS // 1200: SSL / OCSP / CERTS / ENCRYPTION (CIPHERS) // GITHUB 10: Warn of missing SSL // https://developer.mozilla.org/en/Preferences/Mozilla_preferences_for_uber-geeks // see also CVE-2009-3555 user_pref("security.ssl.warn_missing_rfc5746", 1); // GITHUB 11: TLS 1.[012] // http://kb.mozillazine.org/Security.tls.version.max // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. 
(This is the current default for the maximum supported version.) // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol. user_pref("security.tls.version.min", 1); user_pref("security.tls.version.max", 3); // CIS Version 1.2.0 October 21st, 2011 2.2.3 Enable Warning of Using Weak Encryption user_pref("security.warn_entering_weak", true); // 1201: block rc4 fallback and disable whitelist // https://developer.mozilla.org/en-US/Firefox/Releases/38#Security // https://bugzil.la/1138882 // https://rc4.io/ user_pref("security.tls.unrestricted_rc4_fallback", false); user_pref("security.tls.insecure_fallback_hosts.use_static_list", false); // 1203: https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ user_pref("security.ssl.enable_ocsp_stapling", false); // 1204: https://wiki.mozilla.org/Security:Renegotiation - eventually this will be set to true by default, // leave commented out for now, as when set to true it can break too many sites eg some microsoft.com ones // user_pref("security.ssl.require_safe_negotiation", true); // 1205: display warning (red padlock) for "broken security" - https://wiki.mozilla.org/Security:Renegotiation user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); // 1206: require certificate revocation check through OCSP protocol. 
- this leaks information about the sites you visit to the CA // It's a trade-off between security (checking) and privacy (leaking info to the CA) - your choice (default is false) // WARNING: If set to true, this may cause some site breakage - some users have mentioned issues with youtube, microsoft etc user_pref("security.OCSP.require", false); // 1207: query OCSP responder servers to confirm current validity of certificates (default=1) // 0=disable, 1=validate only certificates that specify an OCSP service URL, 2=enable and use values in security.OCSP.URL and security.OCSP.signing user_pref("security.OCSP.enabled", 0); // 1208: enforce strict pinning - https://trac.torproject.org/projects/tor/ticket/16206 (default is 1) // PKP (public key pinning) 0-disabled 1=allow user MITM (such as your antivirus), 2=strict // WARNING: If you rely on an AV (antivirus) to protect your web browsing by inspecting ALL your web traffic, then leave at default =1 user_pref("security.cert_pinning.enforcement_level", 2); // https://support.mozilla.org/en-US/kb/certificate-pinning-reports // // we could also disable security.ssl.errorReporting.enabled, but I think it's // good to leave the option to report potentially malicious sites if the user // chooses to do so. 
// // you can test this at https://pinningtest.appspot.com/ user_pref("security.ssl.errorReporting.automatic", false); /****************************************************************************** * CIPHERS * * * * you can debug the SSL handshake with tshark: tshark -t ad -n -i wlan0 -T text -V -R ssl.handshake ******************************************************************************/ // GITHUB12: disable null ciphers user_pref("security.ssl3.rsa_null_sha", false); user_pref("security.ssl3.rsa_null_md5", false); user_pref("security.ssl3.ecdhe_rsa_null_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false); user_pref("security.ssl3.ecdh_rsa_null_sha", false); user_pref("security.ssl3.ecdh_ecdsa_null_sha", false); /* GITHUB13: SEED * https://en.wikipedia.org/wiki/SEED */ user_pref("security.ssl3.rsa_seed_sha", false); // GITHUB 14: 40 bits... user_pref("security.ssl3.rsa_rc4_40_md5", false); user_pref("security.ssl3.rsa_rc2_40_md5", false); // GITHUB 15: 56 bits user_pref("security.ssl3.rsa_1024_rc4_56_sha", false); // GITHUB 16: 128 bits user_pref("security.ssl3.rsa_camellia_128_sha", false); user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false); user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false); user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false); user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // GITHUB 17: RC4 (CVE-2013-2566) user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false); user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); user_pref("security.ssl3.rsa_rc4_128_md5", false); user_pref("security.ssl3.rsa_rc4_128_sha", false); user_pref("security.tls.unrestricted_rc4_fallback", false); /* * GITHUB 18: 3DES -> false because effective key size < 128 * * 
https://en.wikipedia.org/wiki/3des#Security * http://en.citizendium.org/wiki/Meet-in-the-middle_attack * * * See also: * * http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html */ user_pref("security.ssl3.dhe_dss_des_ede3_sha", false); user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false); user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false); user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false); user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false); user_pref("security.ssl3.rsa_des_ede3_sha", false); user_pref("security.ssl3.rsa_fips_des_ede3_sha", false); // GITHUB 19: Ciphers with ECDH (without /e$/) user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false); user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false); // GITHUB 20: 256 bits without PFS user_pref("security.ssl3.rsa_camellia_256_sha", false); // GITHUB 21: Ciphers with ECDHE and > 128bits user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // GITHUB 22: GCM, yes please! user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // GITHUB 23: Susceptible to the logjam attack - https://weakdh.org/ user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false); user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // GITHUB 24: Ciphers with DSA (max 1024 bits) user_pref("security.ssl3.dhe_dss_aes_128_sha", false); user_pref("security.ssl3.dhe_dss_aes_256_sha", false); user_pref("security.ssl3.dhe_dss_camellia_128_sha", false); user_pref("security.ssl3.dhe_dss_camellia_256_sha", false); // GITHUB 25: Fallbacks due compatibility reasons user_pref("security.ssl3.rsa_aes_256_sha", true); user_pref("security.ssl3.rsa_aes_128_sha", true); // FONTS // 1400: FONTS // 1401: disable websites downloading their own fonts - change this to 0 in FF41+. 
Note: 0=block, 1=allow // This is the preference under Options>Content>Font & Colors>Advanced>Allow pages to choose their own fonts // If you disallow fonts, this blocks font enumeration (by JS) which is a high entropy fingerprinting vector // disabling fonts uglifies the web a little, and until FF41 will also block icon fonts user_pref("browser.display.use_document_fonts", 0); // 1402: but for FF41+ allow icon fonts (gylphs) through user_pref("gfx.downloadable_fonts.enabled", true); // 1403: https://wiki.mozilla.org/SVGOpenTypeFonts - iSEC Partners Report recommends to disable this user_pref("gfx.font_rendering.opentype_svg.enabled", false); // HEADERS // 1600: HEADERS // 1601: disable Referer from an SSL Website user_pref("network.http.sendSecureXSiteReferrer", false); // 1602: DNT HTTP header - essentially useless // http://kb.mozillazine.org/Privacy.donottrackheader.value - this pref is required since FF21+ user_pref("privacy.donottrackheader.enabled", true); user_pref("privacy.donottrackheader.value", 1); // 1603: REFERER - http://kb.mozillazine.org/Network.http.sendRefererHeader // It is better to leave these at default (2, false) and use an extension to block all and then whitelist ( eg RefControl ) // otherwise too much of the internet breaks. Even TOR does nothing about this. 
user_pref("network.http.sendRefererHeader",2); user_pref("network.http.referer.spoofSource", true); // PLUGINS // 1800: PLUGINS // 1801: set default plugin state (i.e new plugins on discovery) to never activate - 0=disabled, 1=ask to activate, 2=active - you can override individual plugins user_pref("plugin.default.state", 0); user_pref("plugin.defaultXpi.state", 0); // 1802: enable click to play and set to 0 minutes user_pref("plugins.click_to_play", true); user_pref("plugin.sessionPermissionNow.intervalinminutes", 0); // make sure a plugin is in a certain state: 0=deactivated 1=ask 2=enabled - flash example below // you can just set all these plugin.state's via add-ons>plugins NOTE: you can still over-ride individual sites eg Youtube/ via site permissions user_pref("plugin.state.flash", 0); // 1803: remove plugin finder service - http://kb.mozillazine.org/Pfs.datasource.url // plugins are a dying breed, do we really want mozilla to find us missing plugins? user_pref("pfs.datasource.url", ""); // 1804: disable plugin enumeration // WARNING: disabling plugin.enumerate.names breaks the plugin check at https://www.mozilla.org/en-US/plugincheck/ // If you want to use this, then the default setting is an asterix. 
Otherwise most plugins have their own auto-update checks & downloads user_pref("plugins.enumerable_names", ""); // deprecated soon?: https://bugzilla.mozilla.org/show_bug.cgi?id=1169945 user_pref("security.xpconnect.plugin.unrestricted", false); // 1805: disable scanning for plugins - http://kb.mozillazine.org/Plugin_scanning // plid.all = whether to scan the directories specified in the Windows registry for PLIDs - includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash user_pref("plugin.scan.plid.all", false); // 1806: Acrobat, Quicktime, WMP are handled separately - integer refers to min version number allowed user_pref("plugin.scan.Acrobat", 99999); user_pref("plugin.scan.Quicktime", 99999); user_pref("plugin.scan.WindowsMediaPlayer", 99999); // 1807: disable auto-play of HTML5 media - have put this under plugins, not media. Note: this disables webm's auto playing user_pref("media.autoplay.enabled", false); // 1808: disable OpenH264 user_pref("media.gmp-provider.enabled", false); // MEDIA / CAMERA / MIKE // 2000: MEDIA / CAMERA / MIKE // 2001: disable webRTC user_pref("media.peerconnection.enabled", false); user_pref("media.peerconnection.use_document_iceservers", false); user_pref("media.peerconnection.video.enabled", false); user_pref("media.peerconnection.identity.timeout", 1); // 2002: disable WebRTC - firefox making automatic connections#w_media-capabilities user_pref("media.gmp-gmpopenh264.enabled", false); user_pref("media.gmp-manager.url", ""); // 2003: disable EME bits - https://trac.torproject.org/projects/tor/ticket/16285 user_pref("browser.eme.ui.enabled", false); user_pref("media.gmp-eme-adobe.enabled", false); user_pref("media.eme.enabled", false); user_pref("media.eme.apiVisible", false); // 2004: getUserMedia - https://wiki.mozilla.org/Media/getUserMedia user_pref("media.navigator.enabled", false); // 2010: disable webGL, force bare minimum feature set if used & disable webGL extensions user_pref("webgl.disabled", true); 
user_pref("pdfjs.enableWebGL", false); user_pref("webgl.min_capability_mode", true); user_pref("webgl.disable-extensions", true); // 2020: disable video statistics fingerprinting vector - javascript performace fingerprinting user_pref("media.video_stats.enabled", false); // 2021: disable speech recognition user_pref("media.webspeech.recognition.enable", false); // 2022: disable screensharing user_pref("media.getusermedia.screensharing.enabled", false); user_pref("media.getusermedia.screensharing.allowed_domains", ""); // 2023: disable camera stuff user_pref("camera.control.autofocus_moving_callback.enabled", false); user_pref("camera.control.face_detection.enabled", false); // UI meddling // 2200: UI meddling // see http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features // 2201: disable website control over rightclick context menu user_pref("dom.event.contextmenu.enabled", false); // GITHUB 26: Disable DOM web notifications user_pref("dom.webnotifications.enabled", false); // 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows user_pref("dom.disable_window_open_feature.location", true); user_pref("dom.disable_window_open_feature.menubar", true); user_pref("dom.disable_window_open_feature.resizable", true); user_pref("dom.disable_window_open_feature.scrollbars", true); user_pref("dom.disable_window_open_feature.status", true); user_pref("dom.disable_window_open_feature.toolbar", true); // 2203: POPUP windows - prevent or allow javascript UI meddling user_pref("dom.disable_window_flip", true); // window z-order user_pref("dom.disable_window_move_resize", true); user_pref("dom.disable_window_open_feature.close", true); user_pref("dom.disable_window_open_feature.minimizable", true); user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar user_pref("dom.disable_window_open_feature.titlebar", true); user_pref("dom.disable_window_status_change", true); 
user_pref("dom.allow_scripts_to_close_windows", false); // DOM - JAVASCRIPT // 2400: DOM - JAVASCRIPT // GITHUB 27: Disable javascript options // https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_in_Debian.29 user_pref("javascript.options.methodjit.chrome", false); user_pref("javascript.options.methodjit.content", false); // http://asmjs.org/ // https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/ // https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/ // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712 user_pref("javascript.options.asmjs", false); // 2401: disable dom storage user_pref("dom.storage.enabled", false); // 2402: disable website access to clipboard events (will break some sites functionaility such as pasting into Facebook) // this applies to onCut, onCopy, onPaste events - i.e is you have to interact with the website for it to look at the clipboard user_pref("dom.event.clipboardevents.enabled", false); // 2403: disable scripts changing images eg google maps - will break a lot of web apps // user_pref("dom.disable_image_src_set", true); // 2404: disable JS storing data permanently - NOTE disabling this could break extensions (started in FFv35) - this bug has now been fixed but... 
// Note: this is the setting under about:permissions>All Sites>Maintain Offline Storage - you can override individual domains under site permissions
// WARNING: I'll set as false (disabled), this WILL break some [old] add-ons and may break some sites' functionality
user_pref("dom.indexedDB.enabled", false);
// 2405: https://wiki.mozilla.org/WebAPI/Security/WebTelephony
user_pref("dom.telephony.enabled", false);
// 2406: disable gamepad API - fingerprinting - USB device ID enumeration
user_pref("dom.gamepad.enabled", false);
// 2407: disable battery API - fingerprinting vector
user_pref("dom.battery.enabled", false);
// 2408: disable network API - fingerprinting vector
user_pref("dom.network.enabled", false);
// 2409: disable giving away network info - https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
user_pref("dom.netinfo.enabled", false);
// 2410: disable User Timing API - https://trac.torproject.org/projects/tor/ticket/16336
user_pref("dom.enable_user_timing", false);
// 2411: disable resource/navigation timing
user_pref("dom.enable_resource_timing", false);
// 2412: https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI - javascript performance fingerprinting
user_pref("dom.enable_performance", false);
// 2413: disable virtual reality devices
user_pref("dom.vr.enabled", false);
// 2414: disable shaking the screen
user_pref("dom.vibrator.enabled", false);
// 2415: max popups from a single non-click event - default is 20!
user_pref("dom.popup_maximum", 3);
// 2416: disable idle observation
user_pref("dom.idle-observers-api.enabled", false);
// 2417: disable SharedWorkers for now - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 8)
// https://bugs.torproject.org/15562 - SharedWorker violates first party isolation
user_pref("dom.workers.sharedWorkers.enabled", false);
// 2418: disable full-screen API. This is the setting under about:permissions>All Sites>Fullscreen
// set to false=block, set to true=ask. NOTE: you can still override individual domains under site permissions
user_pref("full-screen-api.enabled", false);

// MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY
// 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY
// 2601: disable sending additional analytics to web servers - https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
user_pref("beacon.enabled", false);
// 2602: CIS 2.3.2 disable downloading on desktop
user_pref("browser.download.folderList", 2);
// 2603: always ask the user where to download - enforces user interaction for security reasons
user_pref("browser.download.useDownloadDir", false);
// 2604: https://bugzil.la/238789#c19
user_pref("browser.helperApps.deleteTempFileOnExit", true);
// 2605: don't integrate activity into windows recent documents
user_pref("browser.download.manager.addToRecentDocs", false);
// GITHUB 28: CIS Version 1.2.0 October 21st, 2011 2.5.5 Delete Download History
// Zero (0) is an indication that no download history is retained for the current profile.
user_pref("browser.download.manager.retention", 0);
// 2606: disable hiding mime types in prefs applications tab that are not associated with a plugin
user_pref("browser.download.hide_plugins_without_extensions", false);
// 2607: disable page thumbnails - privacy
user_pref("browser.pagethumbnails.capturing_disabled", true);
// 2608: disable JAR from opening Unsafe File Types
user_pref("network.jar.open-unsafe-types", false);
// 2609: disable insecure active content on https pages - mixed content
user_pref("security.mixed_content.block_active_content", true);
// 2610: disable insecure passive content (such as images) on https pages - mixed content
// current default is false, am inclined to leave it this way as too many sites break visually
user_pref("security.mixed_content.block_display_content", true);
// GITHUB 29: Content security policy
// https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
user_pref("security.csp.enable", true);
// https://bugzilla.mozilla.org/show_bug.cgi?id=855326
user_pref("security.csp.experimentalEnabled", true);
// 2611: disable WebIDE to prevent remote debugging and addon downloads
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);
// GITHUB 30: Strict File Origin Policy
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8 Set File URI Origin Policy
// http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
user_pref("security.fileuri.strict_origin_policy", true);
// GITHUB 31: Subresource integrity
// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
// https://wiki.mozilla.org/Security/Subresource_Integrity
user_pref("security.sri.enable", true);
// 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("browser.casting.enabled", false);
user_pref("gfx.layerscope.enabled", false);
// 2613: disable device sensor API - fingerprinting vector
user_pref("device.sensors.enabled", false);
// 2614: disable SPDY as it can contain identifiers - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 10)
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);
// 2615: disable http/2 for now as well - need more info
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);
// 2617: disable pdf.js as an option to preview PDFs within FF (see mime-types under Options>Applications) - exploit risk
// enabling this will change your option - most likely to Ask, or Open with some external pdf reader
// NOTE: this does NOT necessarily prevent pdf.js being used via other means, it only removes the option
// I think this should probably be left at default (false) - but we'll change it anyway, even though 1. It won't stop JS bypassing it. 2. Depending on external pdf viewers there is just as much risk or more (acrobat)
// 3. mozilla are very quick to patch these sorts of exploits, they treat them as severe/critical 4. convenience
user_pref("pdfjs.disabled", true);
// 2618: when using SOCKS have the proxy server do the DNS lookup - dns leak issue
// http://kb.mozillazine.org/Network.proxy.socks_remote_dns
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
// eg in TOR, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request
user_pref("network.proxy.socks_remote_dns", true);
// http://kb.mozillazine.org/Network.proxy.type
// the default in Firefox for Linux is to use system proxy settings.
// We change it to direct connection
//user_pref("network.proxy.type", 0);
// 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS), default is 20
// WARNING: a low setting of 5 or under will probably break some sites [eg gmail logins]. This can be better handled by an addon [eg NoRedirect]
// user_pref("network.http.redirection-limit", 20);

// PERSONAL SETTINGS (with privacy implications)
// 2800: PERSONAL SETTINGS [that have PRIVACY implications]
// These can all be set via options. You don't have to use this section.
// This is included for those who wish to add this type of control into their user.js
// 2801: COOKIES
// disable cookies on all sites (you can still use exceptions under site permissions or use an extension - eg Cookie Controller, Self-destructing Cookies)
// 0=allow all, 1=allow same host, 2=disallow all, 3=allow 3rd party if it has already set a cookie
user_pref("network.cookie.cookieBehavior", 1);
// The cookie expires at the end of the session (when the browser closes).
// http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
user_pref("network.cookie.lifetimePolicy", 2);
// 2802: enable FF to clear stuff on close (Options>Privacy>Clear history when firefox closes)
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
// 2803: what to clear (Options>Privacy>Clear history when firefox closes>Settings)
// these are the settings of the author of this user.js, choose your own
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.passwords", true);
user_pref("privacy.clearOnShutdown.sessions", true); // active logins
user_pref("privacy.clearOnShutdown.siteSettings", true);
// 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", true);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", true);
user_pref("privacy.cpd.sessions", true);
user_pref("privacy.cpd.siteSettings", true);
// GITHUB 32: Always use private browsing
// https://support.mozilla.org/en-US/kb/Private-Browsing
// https://wiki.mozilla.org/PrivateBrowsing
user_pref("browser.privatebrowsing.autostart", true);

// Personal Handy Settings
// 3000: PERSONAL HANDY SETTINGS
// these are just damn handy to know, have lying around, and be able to easily migrate to a new profile
// users can put their own non-security/privacy/fingerprinting/tracking stuff here
// 3001: disable annoying warnings
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);
// 3001a: disable warning when a domain requests full screen
// https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Using_full_screen_mode
// user_pref("full-screen-api.approval-required", false); // deprecated after FF42?
// user_pref("full-screen-api.warning.timeout", 0); // FF43+
// 3002: disable closing browser with last tab
user_pref("browser.tabs.closeWindowWithLastTab", false);
// 3003: disable new search panel UI
user_pref("browser.search.showOneOffButtons", false);
// 3004: disable backspace
user_pref("browser.backspace_action", 2);
// 3005: disable autocopy default (use extensions autocopy 2 & copy plain text 2)
user_pref("clipboard.autocopy", false);
// 3006: turn on full native HTML5 player support
user_pref("media.fragmented-mp4.enabled", true);
user_pref("media.fragmented-mp4.exposed", true);
user_pref("media.fragmented-mp4.ffmpeg.enabled", true);
user_pref("media.fragmented-mp4.gmp.enabled", true);
user_pref("media.fragmented-mp4.use-blank-decoder", false);
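As an added check, not part of the posted user.js: once a user.js like the one above is in place, Firefox writes the values actually in force to prefs.js in the same profile directory, and comparing the two files shows which prefs were ignored (a mistyped name, a pref dropped in a newer release) or changed back (by an add-on). The script below does that comparison. The profile paths are assumptions, and the two sample files it writes are constructed so that it runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the posted user.js: audit a Firefox profile for the
# hardening prefs you meant to set. Firefox re-reads user.js at every start and
# writes the values in force to prefs.js, so comparing the two files shows which
# prefs did not take (a mistyped name, a pref that no longer exists in the
# installed release, a value reset by an add-on). The files written by
# make_samples are constructed sample data; real use, with Firefox closed, is
#   audit_prefs ~/.mozilla/firefox/<profile>/user.js ~/.mozilla/firefox/<profile>/prefs.js

# pref_value FILE NAME: print the value set for NAME in FILE, or nothing.
# Accepts "user_pref(" and "user_pref (" and, like Firefox, lets the last
# occurrence win.
pref_value() {
  name=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  sed -n "s/^[[:space:]]*user_pref[[:space:]]*([[:space:]]*\"$name\"[[:space:]]*,[[:space:]]*\(.*\));.*/\1/p" "$1" \
    | sed 's/[[:space:]]*$//' | tail -n 1
}

# pref_names FILE: every pref name set in FILE, one per line, deduplicated.
pref_names() {
  sed -n 's/^[[:space:]]*user_pref[[:space:]]*([[:space:]]*"\([^"]*\)".*/\1/p' "$1" | sort -u
}

# audit_prefs WANTED ACTUAL: for each pref in WANTED (your user.js) compare the
# value in ACTUAL (the profile's prefs.js). Prints one line per problem and
# returns the number of problems. A pref reported MISSING whose wanted value is
# the Firefox built-in default may simply not be stored in prefs.js; confirm
# such cases in about:config before treating them as failures.
audit_prefs() {
  problems=0
  for name in $(pref_names "$1"); do
    wanted=$(pref_value "$1" "$name")
    actual=$(pref_value "$2" "$name")
    if [ -z "$actual" ]; then
      printf 'MISSING %s (wanted %s)\n' "$name" "$wanted"
      problems=$((problems + 1))
    elif [ "$wanted" != "$actual" ]; then
      printf 'DIFF %s wanted=%s actual=%s\n' "$name" "$wanted" "$actual"
      problems=$((problems + 1))
    fi
  done
  return $problems
}

# make_samples: write a constructed user.js/prefs.js pair into a temp directory
# and print the directory. prefs.js has one pref flipped back to true (as an
# add-on might do) and one pref absent.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/user.js" <<'EOF'
// constructed sample of a hardening user.js
user_pref("beacon.enabled", false);
user_pref("dom.battery.enabled", false);
user_pref("network.proxy.socks_remote_dns", true);
user_pref ("media.fragmented-mp4.enabled", true);
EOF
  cat > "$dir/prefs.js" <<'EOF'
// constructed sample of what Firefox wrote back
user_pref("beacon.enabled", false);
user_pref("dom.battery.enabled", true);
user_pref("media.fragmented-mp4.enabled", true);
EOF
  printf '%s\n' "$dir"
}
```

On the constructed pair, audit_prefs reports a DIFF for dom.battery.enabled and a MISSING for network.proxy.socks_remote_dns and returns 2; against a real profile, a nonzero return is the signal to look at the listed prefs in about:config.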
-
ANSWERED Unable to access a domain with Airvpn
giganerd replied to alphastep's topic in Blocked websites warning
There is no browser level. The route checker does a normal HTTP query like a browser would do and all servers get a 200 back. Can you try with another machine? -
Hello! A possible explanation is related to the DNS settings of the device behind the pfSense box. Keep in mind that in order to access Netflix USA the device must query Air VPN DNS. Any device will not necessarily query the DNS set in pfSense, obviously. On top of that, some devices such as the Roku 3 have hard coded DNS (an old version of Roku queries Google DNS for example). In such cases you need to pre-route (re-direct) any DNS query from any device to AirVPN DNS through the tun interface (you can't reach VPN DNS from outside the tunnel). Kind regards

Hi Staff, Is there a tutorial on how we can redirect DNS to AirVPN's through the tun interface? Or maybe if you can elaborate with more info. I like the sound of that. I'd like to give it a try. Please, let us know.
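The redirect the staff reply describes, every LAN client's DNS forced to the VPN resolver through the tun interface, as an added example that is not part of the thread or of pfSense itself: pf(4) rules generated and then checked by two small shell functions. Interface names, the LAN subnet and the resolver address 192.0.2.53 are placeholders to replace with your own. On pfSense the same three rules are created in the GUI (a Port Forward on LAN for TCP/UDP 53 to the VPN DNS, an outbound NAT entry on the OpenVPN interface, and a block rule for port 53 on WAN); the check function can be run on the box against the output of pfctl -sn and pfctl -sr.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: the pf(4) rules that make
# every LAN client's DNS leave through the tunnel, whatever resolver the client
# is configured with, plus a check that the loaded ruleset really has them.
#
# Assumed names (change to match the box): LAN interface em1 with 192.168.1.0/24,
# WAN interface em0, OpenVPN client interface ovpnc1. The resolver address is
# the one reachable only inside the tunnel; 192.0.2.53 below is a placeholder.
#
# Three rules are needed:
#  1. rdr on the LAN interface: rewrite any port-53 packet (a Roku's hard-coded
#     resolver included) to the VPN resolver; the routing table then sends it
#     out ovpnc1, because the tunnel pushes a route to that address.
#  2. nat on the tunnel interface: source-NAT the redirected packets so replies
#     come back through the tunnel (pfSense calls this manual outbound NAT).
#  3. block on WAN: if the tunnel is down, the redirected packets would follow
#     the default route to the ISP; dropping port 53 on WAN makes that a hard
#     failure instead of a silent leak.

# dns_redirect_rules LAN_IF LAN_NET VPN_IF VPN_DNS WAN_IF: print the rules.
# In pf.conf, 1 and 2 belong in the translation section and 3 among the filter
# rules (pf insists on that order); then reload with pfctl -f /etc/pf.conf.
dns_redirect_rules() {
  cat <<EOF
# 1. redirect every LAN DNS query to the VPN resolver
rdr pass on $1 inet proto { tcp udp } from $2 to any port 53 -> $4 port 53
# 2. NAT the redirected traffic out of the tunnel interface
nat on $3 inet from $2 to any -> ($3)
# 3. DNS must never leave on the WAN side, tunnel up or down
block out quick on $5 inet proto { tcp udp } from any to any port 53
EOF
}

# verify_dns_lock DUMP LAN_IF VPN_IF VPN_DNS WAN_IF: check a saved ruleset
# (e.g. "{ pfctl -sn; pfctl -sr; } > dump") for the three rules. Prints each
# missing rule and returns how many are missing. The patterns accept both the
# pf.conf spelling and pfctl's normalised output ("port = 53", one line per
# protocol).
verify_dns_lock() {
  missing=0
  grep -Eq "^rdr( pass)? on $2 .*port *=? *53 -> $4 port 53" "$1" \
    || { echo "missing: rdr of LAN port 53 to $4 on $2"; missing=$((missing + 1)); }
  grep -Eq "^nat on $3 .* -> " "$1" \
    || { echo "missing: outbound NAT on $3"; missing=$((missing + 1)); }
  grep -Eq "^block( drop)? out quick on $5 .*port *=? *53" "$1" \
    || { echo "missing: port-53 block on $5 (DNS leaks to the ISP when the tunnel is down)"; missing=$((missing + 1)); }
  return $missing
}

# Usage:
#   dns_redirect_rules em1 192.168.1.0/24 ovpnc1 192.0.2.53 em0
#   { pfctl -sn; pfctl -sr; } > /tmp/rules && verify_dns_lock /tmp/rules em1 ovpnc1 192.0.2.53 em0
```

The third rule is the one most often left out: a redirect alone works while the tunnel is up, and the moment it drops the redirected queries (and the client's original ones) go to the ISP instead of failing.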
-
Hello, after I posted some suggestions for Eddie's CLI version in this thread and received some helpful information there, I set out to write my own little interface in bash for it to implement the suggestions. Being no programmer, it turned out to be quite a project for me, and I would like to share it here in case anybody else prefers to run Eddie in the terminal rather than as a full GUI application. This script still uses Eddie itself, it's just a wrapper to make it as easy to use in the command line as it is as a desktop application. Screenshots are attached.

Some features and advantages:
- uses fewer resources (top usually shows 0.3% CPU usage compared to 4-5% for the desktop version)
- can be exited without disconnecting
- interactive, sortable server list
- option to connect to another VPN with openconnect (since I need to do that from time to time, but it should be easy to add other connection methods as well)
- option to lock down the system's network traffic by default, so even without Eddie running with its own network lock there will be no leaks

What to watch out for:
- The default network lock works with direct rules in firewalld because I'm using Fedora. It should be easy to change it to use iptables directly on other distributions, since firewalld's direct rules are just a way to directly manipulate iptables. Once activated, the lock will stay in place until manually deactivated (also surviving reboots), so no internet connection will be possible unless connected to AirVPN or other whitelisted VPNs. AirVPN's network lock overwrites the default network lock, so there will be no interference.
- Check your /etc/resolv.conf file while not running Eddie (because Eddie's network lock replaces that file temporarily) to make sure your router is not set as a nameserver (so no 192.168... address). Some routers will push themselves onto that list by DHCP whenever you connect to their network. Since communication with the router is allowed in the lock rules, DNS requests will be handled by the router and sent to whatever DNS server is configured there even when network traffic should be blocked. There are ways to prevent that file from being changed by DHCP; best configure NetworkManager for that if you use it.
- To connect to other VPNs, their IPs must be whitelisted and DNS requests for their domains must be allowed in the default network lock rules. The rules for airvpn.org can be copied and adjusted.
- I haven't yet included an option to pass command line arguments to Eddie. So if you need to set more advanced options like black-/whitelists, use of certain protocols etc., you need to set them manually in the connect_server function. All the possible options can be found in 'man eddie-ui'.
- You need to insert your own API key in line 5. It can be found in your account under Client Area -> API. Without this, connections will still work, but user info and connection status in the main window will not be properly updated.
- I tried to only use basic system tools. The script relies mostly on dialog, awk and curl (and firewalld as described, and openconnect if needed), so it should work on most systems, but I'm not sure.
- And, lastly, VERY IMPORTANT: As I said, I'm no programmer and new to this, so even though I tried my best to make this script secure and error free, there might very well be some bad practice, never-ever-do-this mistakes or other hiccups in there. It works well for me, but better check it yourself.

Feel free to use this as you wish, I hope someone can benefit from this. I'm happy about any improvements and corrections and will update this if I find the time.
#!/bin/bash
# an interactive shell script to control the command line version of the AirVPN Eddie client and openconnect more comfortably

PROFILE_PATH="$HOME/.airvpn/default.xml"
API_KEY="<your api key>"
DIALOG_OK=0
DIALOG_CANCEL=1
DIALOG_EXTRA=3
DIALOG_ESC=255
HEIGHT=0
WIDTH=0
BACKTITLE="VPN Control"
FORMAT="text"
URL="https://airvpn.org/api/"
PID=$$

function check_sudo {
  # check if user has sudo privileges
  sudo -vn &> /dev/null
  # gain sudo privileges for commands that need it (better than running everything with sudo)
  if [ $? = "1" ]
  then
    unset EXIT_STATUS_SUDO
    PASS_PROMPT="Establishing VPN connections and changing network traffic rules requires root privileges. Please enter your password:"
    until [ "$EXIT_STATUS_SUDO" = "0" ]
    do
      # note: xargs re-parses quotes and backslashes, so a password containing them will not reach sudo intact
      dialog \
        --backtitle "$BACKTITLE" \
        --title "Password Needed" \
        --output-fd 1 \
        --insecure \
        --passwordbox "$PASS_PROMPT" 11 35 | xargs printf '%s\n' | sudo -Svp '' &> /dev/null
      EXIT_STATUS_PIPE=( "${PIPESTATUS[@]}" )
      EXIT_STATUS_DIALOG="${EXIT_STATUS_PIPE[0]}"
      EXIT_STATUS_SUDO="${EXIT_STATUS_PIPE[2]}"
      EXIT_SUDO_TEST="${EXIT_STATUS_PIPE[2]}"
      PASS_PROMPT="The password you entered is incorrect. Please try again:"
      case $EXIT_STATUS_DIALOG in
        $DIALOG_CANCEL|$DIALOG_ESC)
          return 1
          ;;
      esac
    done
    # keep sudo permission until script exits or permissions are revoked (e.g. when computer goes to sleep)
    while [ "$EXIT_SUDO_TEST" = "0" ]; do sudo -vn; EXIT_SUDO_TEST=$?; sleep 60; kill -0 "$PID" || exit; done &> /dev/null &
  fi
  return 0
}

function get_list {
  SERVICE_NAME="status"
  ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\" }"
  timeout --signal=SIGINT 10 curl -s -d "$ARGS" -X POST "$URL" > "/tmp/.eddie_server_list.txt"
}

function sort_list {
  # pipe server status list to awk, filter out unnecessary stuff,
  # combine lines that relate to same server into single lines which are saved as array,
  # loop through array to format info,
  # print array and sort according to options,
  # add numbers to list for menu
  LIST=$(awk -F '[.]' \
    'BEGIN{OFS=";"} \
    /^servers/ && !/ip_/ && !/country_code/ {c=$2; \
      if (c in servers) servers[c]=servers[c] OFS $3; \
      else servers[c]=$3; \
      for (k in servers) gsub(/;bw=/, " :", servers[k]); \
      for (k in servers) gsub(/;bw_max=/, "/", servers[k]); \
      for (k in servers) gsub(/;currentload=/, " :", servers[k]); \
      for (k in servers) gsub(/;health=/, "%:", servers[k]); \
      for (k in servers) gsub(/;.*=/, ":", servers[k]); \
      for (k in servers) gsub(/^.*=/, "", servers[k])} \
    END{ \
      for (c in servers) print servers[c]}' "/tmp/.eddie_server_list.txt" | sort -t ":" $1 | awk -F '[;]' 'BEGIN{OFS=":"} {print v++";"$1}')
}

function get_userinfo {
  SERVICE_NAME="userinfo"
  ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\", \"key\":\"$API_KEY\" }"
  # filter specific lines, save values to variables after protecting whitespace
  read U_LOGIN U_EXP U_CONNECTED U_DEVICE U_SERVER_NAME U_SERVER_COUNTRY U_SERVER_LOCATION U_TIME <<< $( \
    timeout --signal=SIGINT 10 curl -s -d "$ARGS" -X POST "$URL" | \
    awk -F '[=]' \
      'BEGIN{ORS=";"} \
      /^user.login|^user.expiration_days|^user.connected|^sessions.*device_name|^connection.server_name|^connection.server_country=|^connection.server_location|^connection.connected_since_date/ \
      {print $2}' | \
    sed 's/\ /\\\ /g' | sed 's/;/\ /g' \
  )
  if [ "$U_CONNECTED" = "1" ]
  then
    U_CONNECTED="connected"
    U_SERVER_FULL="$U_SERVER_NAME ($U_SERVER_LOCATION, $U_SERVER_COUNTRY)"
    U_TIME=$(date -d "$U_TIME UTC" +"%m/%d/%Y %H:%M:%S")
  else
    U_CONNECTED="not connected"
    U_SERVER_FULL="--"
    U_TIME="--"
  fi
}

function connect_server {
  if [ "$KILLED" = "true" ]
  then
    # create pipes to process status of client
    # note: fixed names in the shared /tmp are predictable; on a multi-user system prefer a private directory such as "$XDG_RUNTIME_DIR"
    if [ ! -p "/tmp/.eddie_fifo1" ]
    then
      mkfifo "/tmp/.eddie_fifo1"
    fi
    if [ ! -p "/tmp/.eddie_fifo2" ]
    then
      mkfifo "/tmp/.eddie_fifo2"
    fi
    # run eddie in background and detached from current window, pipe output to named pipe
    (sudo eddie-ui --cli --netlock --connect --server="$1" --profile="$PROFILE_PATH" | tee "/tmp/.eddie_fifo2" &> "/tmp/.eddie_fifo1" &)
    cat "/tmp/.eddie_fifo2" | dialog --backtitle "$BACKTITLE" --title "Connecting to AirVPN..." --progressbox 20 80 &
    timeout --signal=SIGINT 60 grep -q -m 1 "Initialization Sequence Completed" "/tmp/.eddie_fifo1"
    INIT_EXIT=$?
    pkill -f cat.*eddie_fifo2
    if [ $INIT_EXIT = "0" ]
    then
      get_userinfo
    else
      U_CONNECTED="error during connection attempt"
      U_SERVER_FULL="--"
      U_TIME="--"
    fi
  else
    U_CONNECTED="error during disconnection"
    U_SERVER_FULL="--"
    U_TIME="--"
  fi
}

function disconnect_server {
  # check for running instance of eddie
  pgrep -f mono.*eddie-ui &> /dev/null
  if [ $? = 0 ]
  then
    # kill process and wait for confirmation from process output
    if [ -p "/tmp/.eddie_fifo1" -a -p "/tmp/.eddie_fifo2" ]
    then
      sudo pkill -2 -f mono.*eddie-ui &
      cat "/tmp/.eddie_fifo1" | dialog --backtitle "$BACKTITLE" --title "Disconnecting AirVPN..." --progressbox 20 80 &
      timeout --signal=SIGINT 10 grep -q -m 1 "Shutdown complete" "/tmp/.eddie_fifo2"
    else
      # in case connection was started without this script
      sudo pkill -2 -f mono.*eddie-ui
      sleep 5
    fi
    # give some time to completely close process, without sleep it's too early for new connection
    sleep 3
    pgrep -f mono.*eddie-ui &> /dev/null
    if [ $? = 1 ]
    then
      KILLED1="true"
    else
      KILLED1="false"
    fi
  else
    KILLED1="true"
  fi
  # check for running instance of openconnect
  pgrep -f "openconnect.*--" &> /dev/null
  if [ $? = 0 ]
  then
    sudo pkill -2 -f "openconnect.*--"
    sleep 1
    pgrep -f "openconnect.*--" &> /dev/null
    if [ $? = 1 ]
    then
      KILLED2="true"
      # somehow openconnect doesn't receive SIGINT and shuts down improperly,
      # so vpnc can't restore resolv.conf by itself
      sudo cp "/var/run/vpnc/resolv.conf-backup" "/etc/resolv.conf"
    else
      KILLED2="false"
    fi
  else
    KILLED2="true"
  fi
  if [ "$KILLED1" = "true" -a "$KILLED2" = "true" ]
  then
    KILLED="true"
  else
    KILLED="false"
  fi
}

function define_lock {
  if [ "$1" = "activate" ]
  then
    GAUGE_TITLE="Activating Network Lock"
    RULE_ACTION="add-rule"
  elif [ "$1" = "deactivate" ]
  then
    GAUGE_TITLE="Deactivating Network Lock"
    RULE_ACTION="remove-rule"
  else
    return 1
  fi
  GAUGE_BODY="$1"
  IPRULES=(
    # allow loopback
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 0 -i lo -j ACCEPT"
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -o lo -j ACCEPT"
    # allow lan (out) and broadcasting/dhcp
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT"
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT"
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT"
    # allow tun device to communicate (so any VPN connection should be possible, also without Air, but respective DNS requests must be allowed)
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter FORWARD 0 -o tun+ -j ACCEPT"
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter FORWARD 0 -i tun+ -j ACCEPT"
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT"
    # optional masquerade rule (NAT/ports)
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE"
    # allow ipv4 only to airvpn.org for status update
    # allow DNS query to resolve hostname (hex string reads "06 airvpn 03 org" - each number is the length of the following label in bytes),
    # restrict packet length to length of this specific request package (might change?) to avoid hijacking
    # of query (very unlikely I guess, but who cares if we're already being paranoid for the fun of it),
    # whitelist destination IP for TCP handshake
    # (--rdest is required for that: without it "-m recent" records the packet's source address, which in OUTPUT is this host, not the resolver)
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p udp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --rdest --set -j ACCEPT"
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p tcp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --rdest --set -j ACCEPT"
    # add rules for other domains you wish to allow DNS requests to here (packet length can be determined with e.g. wireshark) and adjust array index
    #
    # allow SYN request to whitelisted IP to initiate handshake, remove IP from whitelist
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -p tcp --syn --dport 53 -m recent --rdest --remove -j ACCEPT"
    # allow outgoing connection to Air's IP
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT"
    # add rules for other IPs you wish to allow connections to here
    #
    # allow communication
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # drop outgoing ipv4 (if not specifically allowed by other rules)
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter OUTPUT 999 -j DROP"
    # block incoming ipv4
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv4 filter INPUT 999 -j DROP"
    # drop all ipv6
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv6 filter OUTPUT 0 -j DROP"
    "sudo firewall-cmd --direct --permanent --$RULE_ACTION ipv6 filter INPUT 0 -j DROP"
    # reload and restart firewalld to activate permanent rule changes
    "sudo firewall-cmd --reload"
    "sudo systemctl restart firewalld"
  )
  toggle_lock
}

function show_gauge {
  # draw the progress window with the result of every rule applied so far
  dialog --backtitle "$BACKTITLE" \
    --title "$GAUGE_TITLE" \
    --mixedgauge "Applying iptable rules to $GAUGE_BODY the default network lock..." 35 80 "$(awk -v per="$PERCENTAGE" 'BEGIN {printf "%.0f", per}')" \
    "Allow Loopback IN" "${RESULT[0]}" \
    "Allow Loopback OUT" "${RESULT[1]}" \
    "Allow LAN OUT" "${RESULT[2]}" \
    "Allow DHCP IN" "${RESULT[3]}" \
    "Allow DHCP OUT" "${RESULT[4]}" \
    "Allow tun out FORWARD" "${RESULT[5]}" \
    "Allow tun in FORWARD" "${RESULT[6]}" \
    "Allow tun out OUT" "${RESULT[7]}" \
    "tun masquerade" "${RESULT[8]}" \
    "Allow DNS via UDP to airvpn.org" "${RESULT[9]}" \
    "Allow DNS via TCP to airvpn.org" "${RESULT[10]}" \
    "Allow connection initiation" "${RESULT[11]}" \
    "Allow traffic to airvpn.org" "${RESULT[12]}" \
    "Allow established connections" "${RESULT[13]}" \
    "Block IPv4 OUT" "${RESULT[14]}" \
    "Block IPv4 IN" "${RESULT[15]}" \
    "Block IPv6 OUT" "${RESULT[16]}" \
    "Block IPv6 IN" "${RESULT[17]}" \
    "activate changes" "${RESULT[18]}" \
    "restart firewalld" "${RESULT[19]}"
}

function toggle_lock {
  PERCENTAGE_STEP=$(awk -v rules="${#IPRULES[@]}" 'BEGIN {print 100/rules}')
  PERCENTAGE=0
  COUNTER=0
  # initial window
  show_gauge
  for i in "${IPRULES[@]}"
  do
    RESULT["$COUNTER"]=$(eval $i)
    (( COUNTER++ ))
    PERCENTAGE=$(awk -v per="$PERCENTAGE" -v per_step="$PERCENTAGE_STEP" 'BEGIN {print per+per_step}')
    # progress window
    show_gauge
  done
  # final window to show results
  show_gauge
  sleep 2
  unset RESULT
  check_lock
}

function check_lock {
  # check for success (not really though, needs improvement)
  LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l )
  if [ "$LOCK_RULES" -gt 16 ]
  then
    LOCK_ACTIVE="active"
  else
    LOCK_ACTIVE="inactive"
  fi
}

function yesno {
  dialog \
    --backtitle "$BACKTITLE" \
    --title "$1" \
    --clear \
    --yesno "$2" \
    $HEIGHT $WIDTH
  EXIT_STATUS=$?
}

check_sudo
if [ $? = "1" ]
then
  clear
  exit
fi
get_userinfo
# if currently connected by openconnect, set status to unknown (connection could have been established outside of this script)
pgrep openconnect &> /dev/null
if [ $? = 0 ]
then
  U_CONNECTED="connected (openconnect)"
  U_SERVER_FULL="unknown"
  U_TIME="unknown"
fi
check_lock

while true; do
  exec 3>&1
  selection=$(dialog \
    --cr-wrap \
    --backtitle "$BACKTITLE" \
    --title "Main Menu" \
    --clear \
    --cancel-label "Quit" \
    --menu "This is a control script for VPN connections, primarily for Eddie, the AirVPN client.\nThis script can be exited and re-entered without affecting a running connection.\n\nUser: $U_LOGIN\nDays Until Expiration: $U_EXP\n\nDefault Network Lock: $LOCK_ACTIVE\n\nStatus: $U_CONNECTED\nServer: $U_SERVER_FULL\nConnected Since: $U_TIME\n\nPlease select one of the following options:" $HEIGHT $WIDTH 6 \
    "0" "Connect to Recommended Server" \
    "1" "Connect to Specific Server" \
    "2" "Connect via openconnect" \
    "3" "Disconnect" \
    "4" "Refresh User Info" \
    "5" "Toggle Default Network Lock" \
    2>&1 1>&3)
  EXIT_STATUS=$?
  exec 3>&-
  case $EXIT_STATUS in
    $DIALOG_CANCEL|$DIALOG_ESC)
      yesno "Quit" "Exit Script?"
      case $EXIT_STATUS in
        $DIALOG_CANCEL|$DIALOG_ESC) ;;
        $DIALOG_OK) break ;;
      esac
      ;;
  esac
  case $selection in
    0 )
      check_sudo
      if [ $? = "0" ]
      then
        disconnect_server
        connect_server ""
      fi
      ;;
    1 )
      while true; do
        exec 3>&1
        SERVER_SORT=$(dialog \
          --backtitle "$BACKTITLE" \
          --title "Sort Server List" \
          --no-collapse \
          --ok-label "sort ascending" \
          --extra-button \
          --extra-label "sort descending" \
          --menu "Please choose how you want to sort the server list." \
          14 0 7 \
          "1" "Name" \
          "2" "Country" \
          "3" "Location" \
          "4" "Continent" \
          "5" "Bandwidth" \
          "6" "Users" \
          "7" "Load" \
          2>&1 1>&3)
        EXIT_STATUS=$?
        exec 3>&-
        case $EXIT_STATUS in
          $DIALOG_CANCEL|$DIALOG_ESC) break ;;
          $DIALOG_EXTRA) SERVER_SORT_OPTION="r" ;;
          $DIALOG_OK) SERVER_SORT_OPTION="" ;;
        esac
        if [ "$SERVER_SORT" = "5" -o "$SERVER_SORT" = "6" -o "$SERVER_SORT" = "7" ]
        then
          SERVER_NUM_OPTION="n"
        else
          SERVER_NUM_OPTION=""
        fi
        if [ ! -f "/tmp/.eddie_server_list.txt" ]
        then
          get_list
        fi
        while true
        do
          sort_list "-k$SERVER_SORT,$SERVER_SORT$SERVER_SORT_OPTION$SERVER_NUM_OPTION"
          IFS=$';\n'
          exec 3>&1
          SERVER_NMBR=$(dialog \
            --backtitle "$BACKTITLE" \
            --title "Server List" \
            --colors \
            --no-collapse \
            --extra-button \
            --extra-label "Refresh List" \
            --column-separator ":" \
            --menu "Choose a server from the list to connect to it. (Press ESC to go back.)\n\n\Zb # Name Country Location Continent Bandwidth Users Load Health\ZB" \
            40 102 31 $LIST 2>&1 1>&3)
          EXIT_STATUS=$?
          exec 3>&-
          IFS=$' \t\n'
          case $EXIT_STATUS in
            $DIALOG_CANCEL) break 2 ;;
            $DIALOG_ESC) break ;;
            $DIALOG_EXTRA) get_list ;;
            $DIALOG_OK)
              check_sudo
              if [ $? = "0" ]
              then
                SELECTED_SERVER=$(printf -- '%s\n' "${LIST[@]}" | grep "^$SERVER_NMBR;" | cut -d ";" -f 2 | cut -d ":" -f 1)
                disconnect_server
                connect_server "$SELECTED_SERVER"
                break 2
              fi
              ;;
          esac
        done
      done
      ;;
    2 )
      exec 3>&1
      # adjust field lengths if necessary
      CONNECT_INFO=$(dialog \
        --backtitle "$BACKTITLE" \
        --title "VPN via openconnect" \
        --insecure \
        --mixedform "Please provide your login credentials to connect to a VPN via openconnect:\n(Leave unneeded fields blank and type options as in command line, separated by space.)" $HEIGHT $WIDTH 6 \
        "Server:" 1 1 "" 1 21 25 0 0 \
        "Group:" 2 1 "" 2 21 25 0 0 \
        "User:" 3 1 "" 3 21 25 0 0 \
        "Password:" 4 1 "" 4 21 25 0 1 \
        "Additional Options:" 5 1 "" 5 21 25 0 0 \
        2>&1 1>&3)
      EXIT_STATUS=$?
      exec 3>&-
      case $EXIT_STATUS in
        $DIALOG_CANCEL|$DIALOG_ESC) ;;
        $DIALOG_OK)
          check_sudo
          if [ $? = "0" ]
          then
            disconnect_server
            if [ "$KILLED" = "true" ]
            then
              if [ ! -p "/tmp/.eddie_fifo1" ]
              then
                mkfifo "/tmp/.eddie_fifo1"
              fi
              ALT_SERVER=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 1)
              ALT_GROUP=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 2)
              ALT_USER=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 3)
              ALT_PASS=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 4)
              ALT_OPTS=$(echo -n "$CONNECT_INFO" | cut -d$'\n' -f 5)
              echo "$ALT_PASS" | (sudo openconnect $ALT_OPTS --authgroup=$ALT_GROUP --user=$ALT_USER --passwd-on-stdin $ALT_SERVER &> "/tmp/.eddie_fifo1" &)
              timeout --signal=SIGINT 3 cat "/tmp/.eddie_fifo1" | dialog --backtitle "$BACKTITLE" --title "Connecting via openconnect..." --timeout 5 --programbox 20 80
              U_CONNECTED="connected"
              U_SERVER_FULL="$ALT_SERVER"
              U_TIME=$(date +"%m/%d/%Y %H:%M:%S")
            else
              U_CONNECTED="error during disconnection"
              U_SERVER_FULL="--"
              U_TIME="--"
            fi
          fi
          ;;
      esac
      ;;
    3 )
      check_sudo
      if [ $? = "0" ]
      then
        disconnect_server
        if [ "$KILLED" = "true" ]
        then
          get_userinfo
        else
          U_CONNECTED="error during disconnection"
          U_SERVER_FULL="--"
          U_TIME="--"
        fi
        if [ -p "/tmp/.eddie_fifo1" ]
        then
          rm "/tmp/.eddie_fifo1"
        fi
        if [ -p "/tmp/.eddie_fifo2" ]
        then
          rm "/tmp/.eddie_fifo2"
        fi
      fi
      ;;
    4 )
      get_userinfo
      ;;
    5 )
      pgrep -f mono.*eddie-ui &> /dev/null
      if [ $? = 0 ]
      then
        dialog --backtitle "$BACKTITLE" --title "Toggle Network Lock" --timeout 3 --msgbox "You need to be disconnected to change network traffic rules." 10 35
      else
        if [ "$LOCK_ACTIVE" = "inactive" ]
        then
          yesno "Toggle Network Lock" "Are you sure you want to activate the default network lock and block all connections while not connected to (any) VPN?"
          case $EXIT_STATUS in
            $DIALOG_CANCEL|$DIALOG_ESC) ;;
            $DIALOG_OK)
              check_sudo
              if [ $? = "0" ]
              then
                define_lock "activate"
              fi
              ;;
          esac
        else
          yesno "Toggle Network Lock" "Are you sure you want to deactivate the default network lock and allow all connections, even when not connected to a VPN?"
          case $EXIT_STATUS in
            $DIALOG_CANCEL|$DIALOG_ESC) ;;
            $DIALOG_OK)
              check_sudo
              if [ $? = "0" ]
              then
                define_lock "deactivate"
              fi
              ;;
          esac
        fi
      fi
      ;;
  esac
done
clear
-
This does not generate a config file. You do this here. You just replace the remote directive in the generated file with what the app generated for you. But yes, you cannot select individual servers. This must be done manually. Fortunately, you can simply do something like this, even if you need to query a DNS server beforehand, but it's the easiest solution:

remote antares.airvpn.org 443
remote menkab.airvpn.org 443
remote yourserver.airvpn.org 443
remote-random

Another one is to simply replace yourserver.airvpn.org with the IP you get when you do an nslookup, host or dig on it, like:

$ nslookup ogma.airvpn.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: ogma.airvpn.org
Address: 185.189.112.18

Then you simply add a remote 185.189.112.18 instead of ogma.airvpn.org. And this with every server which "likes" you.
-
Suggestions for improvement of the Eddie CLI version
nwlyoc replied to nwlyoc's topic in Eddie - AirVPN Client
Haha, coincidentally I did the same thing and got into it maybe more than I should have, time-investment-wise... Thank you for sharing though! dmenu is a cool idea; the server list part was quite a mess to get together for me. I'm no programmer, just learning this while doing, so this is probably far from elegant and "good practice" (I'm also planning to improve it), but here is what I got so far, and it works: It's a script that can be run to interface with the client in the background; it doesn't have to be open and Eddie will be run invisibly. You can also get a server list (although not interactive yet), show some info about the current session and put a permanent default iptables network lock in place, applied through firewalld (because I'm on Fedora). The server list and user info (and also this website) are also available with the lock turned on. The script requires only curl, awk and Eddie itself (and firewalld for the lock, but that can be adjusted to iptables directly); I tried to stay with system tools.

#!/bin/bash

API_KEY="<your key>"
FORMAT="text"
URL="https://airvpn.org/api/"
COLS=$( tput cols )
ROWS=$( tput lines )
HEADING1_1="This is a wrapping script for"
HEADING1_2="Eddie, the AirVPN client."
HEADING2_1="This script can be exited"
HEADING2_2="and re-entered without"
HEADING2_3="affecting a running connection."

# change default prompt for select command
PS3="Choose one of the options by selecting the corresponding number: "

# provide options as array
OPTIONS[0]="Connect to Recommended Server"
OPTIONS[1]="Connect to Specific Server"
OPTIONS[2]="Show List of Servers"
OPTIONS[3]="Refresh User Info"
OPTIONS[4]="Disconnect"
OPTIONS[5]="Toggle Default Network Lock"
OPTIONS[6]="Quit"

function get_list {
    SERVICE_NAME="status"
    ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\" }"
    # pipe server status list to awk, filter out unnecessary stuff,
    # combine lines that relate to same server (and country, continent, and planet) into single lines which are saved as array,
    # loop through arrays to format info,
    # sort each array and print as section,
    # align columns with column,
    # pipe to less for better readability
    timeout --signal=SIGINT 10 curl -d "$ARGS" -X POST "$URL" | \
    awk -F '[.]' \
    'BEGIN{OFS=";"; print "Server List"} \
    !/^routing/ && !/ip_/ && !/country_code/ {c=$1 OFS $2; \
    if ($1 ~ /servers/ && c in servers) servers[c]=servers[c] OFS $3; \
    else if ($1 ~ /servers/) servers[c]=$3; \
    else if ($1 ~ /countries/ && c in countries) countries[c]=countries[c] OFS $3; \
    else if ($1 ~ /countries/) countries[c]=$3; \
    else if ($1 ~ /continents/ && c in continents) continents[c]=continents[c] OFS $3; \
    else if ($1 ~ /continents/) continents[c]=$3; \
    else if ($1 ~ /planets/ && c in planets) planets[c]=planets[c] OFS $3; \
    else if ($1 ~ /planets/) planets[c]=$3; \
    for (k in servers) gsub(/;bw_max=/, "/", servers[k]); \
    for (k in servers) gsub(/;.*=/, ":", servers[k]); \
    for (k in servers) gsub(/^.*=/, "", servers[k]); \
    for (k in countries) gsub(/;bw_max=/, "/", countries[k]); \
    for (k in countries) gsub(/;.*=/, ":", countries[k]); \
    for (k in countries) gsub(/^.*=/, "", countries[k]); \
    for (k in continents) gsub(/;bw_max=/, "/", continents[k]); \
    for (k in continents) gsub(/;.*=/, ":", continents[k]); \
    for (k in continents) gsub(/^.*=/, "", continents[k]); \
    for (k in planets) gsub(/;bw_max=/, "/", planets[k]); \
    for (k in planets) gsub(/;.*=/, ":", planets[k]); \
    for (k in planets) gsub(/^.*=/, "", planets[k])} \
    END{ \
    print "\n:\nServers\n:\nName:Country:Location:Continent:Bandwidth:Users:Current Load:Health"; \
    n=asorti(servers, servers_sorted, "@val_num_asc"); \
    for (i=1; i<=n; i++) print servers[servers_sorted[i]]; \
    print "\n:\nCountries\n:\nCountry:Best Server:Bandwidth:Users:Servers:Current Load:Health"; \
    n=asorti(countries, countries_sorted, "@val_num_asc"); \
    for (i=1; i<=n; i++) print countries[countries_sorted[i]]; \
    print "\n:\nContinents\n:\nContinent:Best Server:Bandwidth:Users:Servers:Current Load:Health"; \
    n=asorti(continents, continents_sorted, "@val_num_asc"); \
    for (i=1; i<=n; i++) print continents[continents_sorted[i]]; \
    print "\n:\nAll\n:\nPlanet:Best Server:Bandwidth:Users:Servers:Current Load:Health"; \
    n=asorti(planets, planets_sorted, "@val_num_asc"); \
    for (i=1; i<=n; i++) print planets[planets_sorted[i]]}' | column -t -s ':' | less
}

function get_userinfo {
    tput cup 25 0
    SERVICE_NAME="userinfo"
    ARGS="{ \"format\":\"$FORMAT\", \"service\":\"$SERVICE_NAME\", \"key\":\"$API_KEY\" }"
    # filter specific lines, save values (after "=") to variables after protecting whitespace
    read U_LOGIN U_EXP U_CONNECTED U_SERVER_NAME U_SERVER_COUNTRY U_SERVER_LOCATION U_SERVER_BW <<< $( \
    timeout --signal=SIGINT 10 curl -d "$ARGS" -X POST "$URL" | \
    awk -F '[=]' \
    'BEGIN{ORS=";"} \
    /^user.login|^user.expiration_days|^user.connected|^connection.server_name|^connection.server_country=|^connection.server_location|^connection.server_bw/ \
    {print $2}' | \
    sed 's/\ /\\\ /g' | sed 's/;/\ /g' \
    )
    if [ "$U_CONNECTED" = "1" ]
    then
        U_CONNECTED="connected"
        U_SERVER_FULL="$U_SERVER_NAME ($U_SERVER_LOCATION, $U_SERVER_COUNTRY)"
    else
        U_CONNECTED="not connected"
        U_SERVER_FULL="--"
        U_SERVER_BW="--"
    fi
}

function disconnect_server {
    # check for running instance of eddie
    pgrep -f 'mono.*eddie-ui' &> /dev/null
    if [ $? = 0 ]
    then
        U_CONNECTED="disconnecting..."
        print_heading
        # kill process and wait for confirmation from process output
        sudo pkill -f 'mono.*eddie-ui'
        if [ -p "/tmp/.eddie_fifo" ]
        then
            timeout --signal=SIGINT 60 grep -q -m 1 "Shutdown complete" "/tmp/.eddie_fifo"
        else
            # in case connection was started without this script
            sleep 5
        fi
        if [ $? = 0 ]
        then
            # give some time to completely close process, without sleep it's too early for new connection
            sleep 3
            pgrep -f 'mono.*eddie-ui' &> /dev/null
            if [ $? = 1 ]
            then
                KILLED="true"
            else
                KILLED="false"
            fi
        else
            KILLED="false"
        fi
    else
        KILLED="true"
    fi
}

function activate_lock {
    echo "Activating iptable rules:"
    # allow loopback
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    # allow lan (out) and broadcasting/dhcp
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT
    # allow tun device to communicate (so any VPN connection should be possible, also without Air)
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
    # optional masquerade rule (NAT/ports)
    #sudo firewall-cmd --direct --permanent --add-rule ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE
    # allow ipv4 only to airvpn.org for status update
    # allow DNS query to resolve hostname (hex string reads "06 airvpn 03 org" - the numbers are the label lengths in bytes),
    # restrict packet length to length of this specific request package (might change?) to avoid hijacking
    # of query (very unlikely I guess, but who cares if we're already being paranoid for the fun of it),
    # whitelist destination IP for TCP handshake
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p tcp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT
    # allow SYN request to whitelisted IP to initiate handshake, remove IP from whitelist
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p tcp --syn --dport 53 -m recent --remove -j ACCEPT
    # allow outgoing connection to Air's IP
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT
    # allow communication
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # drop outgoing ipv4 (if not specifically allowed by other rules)
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 999 -j DROP
    # block incoming ipv4
    sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 999 -j DROP
    # drop all ipv6
    sudo firewall-cmd --direct --permanent --add-rule ipv6 filter OUTPUT 0 -j DROP
    sudo firewall-cmd --direct --permanent --add-rule ipv6 filter INPUT 0 -j DROP
    # reload and restart firewalld to activate permanent rule changes
    sudo firewall-cmd --reload
    sudo systemctl restart firewalld
    # check for success (not really though, needs improvement)
    LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l )
    if [ "$LOCK_RULES" -gt 15 ]
    then
        LOCK_ACTIVE="active"
    else
        LOCK_ACTIVE="inactive"
    fi
    print_heading
}

function deactivate_lock {
    echo "Deactivating iptable rules:"
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
    #sudo firewall-cmd --direct --permanent --remove-rule ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 1 -p tcp --dport 53 -m string --hex-string '|06 61697276706e 03 6f7267|' --algo bm -m length --length 0:126 -m recent --set -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 1 -p tcp --syn --dport 53 -m recent --remove -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 999 -j DROP
    sudo firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 999 -j DROP
    sudo firewall-cmd --direct --permanent --remove-rule ipv6 filter OUTPUT 0 -j DROP
    sudo firewall-cmd --direct --permanent --remove-rule ipv6 filter INPUT 0 -j DROP
    sudo firewall-cmd --reload
    sudo systemctl restart firewalld
    LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l )
    if [ "$LOCK_RULES" -gt 15 ]
    then
        LOCK_ACTIVE="active"
    else
        LOCK_ACTIVE="inactive"
    fi
    print_heading
}

function print_heading {
    tput cup 0 0
    printf %"$COLS"s | tr " " "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING1_1}) / 2 ))"s | tr " " " "; echo -n "$HEADING1_1"; printf %"$(( $COLS - 2 - ${#HEADING1_1} - ($COLS - 2 - ${#HEADING1_1}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING1_2}) / 2 ))"s | tr " " " "; echo -n "$HEADING1_2"; printf %"$(( $COLS - 2 - ${#HEADING1_2} - ($COLS - 2 - ${#HEADING1_2}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING2_1}) / 2 ))"s | tr " " " "; echo -n "$HEADING2_1"; printf %"$(( $COLS - 2 - ${#HEADING2_1} - ($COLS - 2 - ${#HEADING2_1}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING2_2}) / 2 ))"s | tr " " " "; echo -n "$HEADING2_2"; printf %"$(( $COLS - 2 - ${#HEADING2_2} - ($COLS - 2 - ${#HEADING2_2}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( ($COLS - 2 - ${#HEADING2_3}) / 2 ))"s | tr " " " "; echo -n "$HEADING2_3"; printf %"$(( $COLS - 2 - ${#HEADING2_3} - ($COLS - 2 - ${#HEADING2_3}) / 2 ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    echo -n "# User: $U_LOGIN"; printf %"$(( $COLS - 9 - ${#U_LOGIN} ))"s | tr " " " "; echo "#"
    echo -n "# Days Until Expiration: $U_EXP"; printf %"$(( $COLS - 26 - ${#U_EXP} ))"s | tr " " " "; echo "#"
    echo -n "# Default Network Lock: $LOCK_ACTIVE"; printf %"$(( $COLS - 25 - ${#LOCK_ACTIVE} ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    echo -n "# Status: $U_CONNECTED"; printf %"$(( $COLS - 11 - ${#U_CONNECTED} ))"s | tr " " " "; echo "#"
    echo -n "# Server: $U_SERVER_FULL"; printf %"$(( $COLS - 11 - ${#U_SERVER_FULL} ))"s | tr " " " "; echo "#"
    echo -n "# Server Bandwidth: $U_SERVER_BW"; printf %"$(( $COLS - 21 - ${#U_SERVER_BW} ))"s | tr " " " "; echo "#"
    echo -n "#"; printf %"$(( $COLS - 2 ))"s | tr " " " "; echo "#"
    printf %"$COLS"s | tr " " "#"
}

# move to secondary screen
tput smcup
tput cup 0 0

# gain sudo privileges for commands that need it (better than running everything with sudo)
sudo -v -p "The AirVPN client and network traffic changes requires root privileges to run. Please enter your password:"
# keep sudo permission until script exits (or until computer goes to sleep - not ideal)
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

get_userinfo
LOCK_RULES=$( sudo firewall-cmd --direct --permanent --get-all-rules | wc -l )
if [ "$LOCK_RULES" -gt 15 ]
then
    LOCK_ACTIVE="active"
else
    LOCK_ACTIVE="inactive"
fi
print_heading

while true; do
    # clear screen below heading
    tput cup 18 0
    tput ed
    tput cup 19 0
    select OPTION in "${OPTIONS[@]}"
    do
        case $OPTION in
            "${OPTIONS[0]}")
                disconnect_server
                if [ "$KILLED" = "true" ]
                then
                    U_CONNECTED="connecting..."
                    U_SERVER_FULL="--"
                    U_SERVER_BW="--"
                    print_heading
                    # create pipe to process status of client
                    if [ ! -p "/tmp/.eddie_fifo" ]
                    then
                        mkfifo "/tmp/.eddie_fifo"
                    fi
                    # run eddie in background and detached from current window, pipe output to named pipe
                    (sudo eddie-ui --cli --netlock --connect --profile="$HOME/.airvpn/default.xml" &> "/tmp/.eddie_fifo" &)
                    timeout --signal=SIGINT 60 grep -q -m 1 "Initialization Sequence Completed" "/tmp/.eddie_fifo"
                    if [ $? = 0 ]
                    then
                        get_userinfo
                        print_heading
                    else
                        U_CONNECTED="error during connection attempt"
                        U_SERVER_FULL="--"
                        U_SERVER_BW="--"
                        print_heading
                    fi
                else
                    U_CONNECTED="error during disconnection"
                    U_SERVER_FULL="--"
                    U_SERVER_BW="--"
                    print_heading
                fi
                break
                ;;
            "${OPTIONS[1]}")
                read -p 'Please type the exact server name (type "back" to go back): ' SERVER
                if [ "$SERVER" = "back" ]
                then
                    break
                else
                    disconnect_server
                    if [ "$KILLED" = "true" ]
                    then
                        U_CONNECTED="connecting..."
                        U_SERVER_FULL="--"
                        U_SERVER_BW="--"
                        print_heading
                        if [ ! -p "/tmp/.eddie_fifo" ]
                        then
                            mkfifo "/tmp/.eddie_fifo"
                        fi
                        (sudo eddie-ui --cli --netlock --connect --server="$SERVER" --profile="$HOME/.airvpn/default.xml" &> "/tmp/.eddie_fifo" &)
                        timeout --signal=SIGINT 60 grep -q -m 1 "Initialization Sequence Completed" "/tmp/.eddie_fifo"
                        if [ $? = 0 ]
                        then
                            get_userinfo
                            print_heading
                        else
                            U_CONNECTED="error during connection attempt"
                            U_SERVER_FULL="--"
                            U_SERVER_BW="--"
                            print_heading
                        fi
                    else
                        U_CONNECTED="error during disconnection"
                        U_SERVER_FULL="--"
                        U_SERVER_BW="--"
                        print_heading
                    fi
                    break
                fi
                ;;
            "${OPTIONS[2]}")
                # return to primary screen since server list gets piped to less which
                # seems to interfere with tput, then move to secondary screen again
                tput rmcup
                get_list
                tput smcup
                print_heading
                break
                ;;
            "${OPTIONS[3]}")
                get_userinfo
                print_heading
                break
                ;;
            "${OPTIONS[4]}")
                disconnect_server
                if [ "$KILLED" = "false" ]
                then
                    U_CONNECTED="error during disconnection"
                    U_SERVER_FULL="--"
                    U_SERVER_BW="--"
                    print_heading
                else
                    get_userinfo
                    print_heading
                fi
                rm -f "/tmp/.eddie_fifo"
                break
                ;;
            "${OPTIONS[5]}")
                pgrep -f 'mono.*eddie-ui' &> /dev/null
                if [ $? = 0 ]
                then
                    echo "You need to be disconnected to change network traffic rules."
                    sleep 2
                    break
                fi
                if [ "$LOCK_ACTIVE" = "inactive" ]
                then
                    read -p "Are you sure you want to activate the default network lock and block all connections while not connected to (any) VPN? [y/n]: " ANSWER
                    if [ "$ANSWER" = "y" ]
                    then
                        activate_lock
                    else
                        break
                    fi
                else
                    read -p "Are you sure you want to deactivate the default network lock and allow all connections, even when not connected to a VPN? [y/n]: " ANSWER
                    if [ "$ANSWER" = "y" ]
                    then
                        deactivate_lock
                    else
                        break
                    fi
                fi
                break
                ;;
            "${OPTIONS[6]}")
                break 2
                ;;
        esac
    done
done

# return to primary (original) screen
tput rmcup

I will hopefully update this in the future!
-
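Two helpers for the network-lock part of the script above, added here as an example and not part of nwlyoc's script: dns_wire_hex builds the --hex-string pattern for a hostname instead of typing it by hand, and netlock_rules_ok replaces the "more than 15 rules" success test (which the script itself flags as needing improvement) with a check that the specific fail-closed rules are present. The rule dump fed to the check is constructed for this example; the line format of firewall-cmd --direct --get-all-rules ("ipv4 filter OUTPUT 999 -j DROP", i.e. family, table, chain, priority, arguments) and firewalld's ordering of direct rules by ascending priority number are taken from firewalld's documented behaviour.

```shell
#!/bin/sh
# Added example (not part of nwlyoc's script). Two helpers for the network lock:
#  - dns_wire_hex: hostname -> DNS wire-format hex pattern for "-m string --hex-string"
#  - netlock_rules_ok: check a "firewall-cmd --direct --get-all-rules" dump (stdin)
#    for the rules that make the lock fail closed.
# sample_rule_dump is a constructed rule listing in that command's output format.

# Print the wire-format pattern for $1: each label as "<length byte> <hex bytes>",
# followed by 00 (the empty root label), which anchors the match at the end of
# the name. Fails on a label longer than the 63-byte DNS limit.
dns_wire_hex() {
    name=$1
    out=""
    old_ifs=$IFS
    IFS='.'
    for label in $name; do
        [ "${#label}" -le 63 ] || { IFS=$old_ifs; return 1; }
        hex=$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')
        out="$out$(printf '%02x' "${#label}") $hex "
    done
    IFS=$old_ifs
    printf '%s00\n' "$out"
}

# Exit 0 only if the dump on stdin has: a catch-all "-j DROP" in ipv4 OUTPUT and
# ipv4 INPUT, a DROP in ipv6 OUTPUT and ipv6 INPUT, and an "-o tun+ -j ACCEPT"
# in ipv4 OUTPUT whose priority number is lower (= evaluated earlier) than the
# OUTPUT DROP. Counting lines, as the script does, cannot tell these apart.
netlock_rules_ok() {
    awk '
    $1 == "ipv4" && $2 == "filter" && $3 == "OUTPUT" {
        if (NF == 6 && $5 == "-j" && $6 == "DROP") { v4out_drop = 1; drop_prio = $4 + 0 }
        if ($5 == "-o" && $6 == "tun+" && $7 == "-j" && $8 == "ACCEPT") { tun_seen = 1; tun_prio = $4 + 0 }
    }
    $1 == "ipv4" && $2 == "filter" && $3 == "INPUT"  && NF == 6 && $5 == "-j" && $6 == "DROP" { v4in_drop = 1 }
    $1 == "ipv6" && $2 == "filter" && $3 == "OUTPUT" && $5 == "-j" && $6 == "DROP" { v6out_drop = 1 }
    $1 == "ipv6" && $2 == "filter" && $3 == "INPUT"  && $5 == "-j" && $6 == "DROP" { v6in_drop = 1 }
    END {
        ok = v4out_drop && v4in_drop && v6out_drop && v6in_drop && tun_seen && tun_prio < drop_prio
        exit(ok ? 0 : 1)
    }'
}

# Constructed sample in the output format of firewall-cmd --direct --get-all-rules.
sample_rule_dump() {
    cat <<'EOF'
ipv4 filter INPUT 0 -i lo -j ACCEPT
ipv4 filter OUTPUT 0 -o lo -j ACCEPT
ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
ipv4 filter OUTPUT 1 -d 5.196.64.52 -j ACCEPT
ipv4 filter INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ipv4 filter OUTPUT 999 -j DROP
ipv4 filter INPUT 999 -j DROP
ipv6 filter OUTPUT 0 -j DROP
ipv6 filter INPUT 0 -j DROP
EOF
}

echo "pattern for airvpn.org: $(dns_wire_hex airvpn.org)"
if sample_rule_dump | netlock_rules_ok; then echo "lock: active"; else echo "lock: inactive"; fi
```

In the script, LOCK_ACTIVE could be set from `sudo firewall-cmd --direct --get-all-rules | netlock_rules_ok` instead of the line count. Note that the pattern dns_wire_hex returns ends in 00 while the script's rule stops after "6f7267": the string match is a substring search over the packet, so without the terminating byte the rule also matches names in which airvpn.org appears as inner labels, and with it only names that end there.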
ANSWERED AirVPN servers and blacklists
randomairnoob replied to Frunobulax's topic in Troubleshooting and Problems
I find this topic kind of hilarious because you seem to think the problem you are describing is limited to AirVPN; I'm here to give you a fact check. Let's consider PIA: a few years ago they had serious issues with Cloudflare, which powers around 10% of the web, such that even doing a Google query, or going to a Cloudflare page with high security, would trigger a reCAPTCHA. You can use NordVPN, but as the staff suggests, their application collects analytics, and you can read their subreddit to understand just how terrible they are. What you are describing is a fundamental truth of shared services that isn't limited to the digital world; if you're on a bus, it only takes one bad actor to ruin the days of all the other passengers. If this is so unacceptable, I might advise you to forget about VPNs, because let me be very, very clear: you must accept the problem you describe, you must accept it can happen on any provider at any time, and you must accept the provider can't do anything to solve this. If I wanted, I could blocklist AirVPN's IPs within 60 seconds such that no customer can connect to my website. I can buy a list of VPNs/proxies/Tor nodes and block them all because I dislike that. As a matter of fact, this thread concludes you're not best suited for having protection of your traffic. Please do disconnect from AirVPN and use your ISP IP and DNS; they'll not only thank you for such data, but you may find it works better. :)
-
How To Set Up pfSense 2.3 for AirVPN
Voodoo1965 replied to pfSense_fan's topic in General & Suggestions
Hi, I followed this guide through (nice guide, btw). I have rechecked and afaik all settings are correct, but I can't access any DNS servers; the OpenVPN log says "can't resolve host address". Prior to this setup I had been connecting through the pfSense router using the AirVPN "Eddie" client and was connecting without issue. The only real difference to the guideline setup is that this pfSense router (192.168.3.1) is behind a NAT ISP router (192.168.1.1), so I was replacing the 192.168.1.1 entries in the guide with 192.168.3.1. I'm not too experienced with this stuff but have included the DNS resolver log:

Apr 26 21:00:30 unbound 91287:3 info: send_udp over interface: 127.0.0.1
Apr 26 21:00:30 unbound 91287:3 info: receive_udp on interface: 127.0.0.1
Apr 26 21:00:30 unbound 91287:2 info: send_udp over interface: 192.168.3.1
Apr 26 21:00:30 unbound 91287:2 info: receive_udp on interface: 192.168.3.1
Apr 26 21:00:30 unbound 91287:2 debug: cache memory msg=77683 rrset=66072 infra=3130 val=66280
Apr 26 21:00:30 unbound 91287:2 info: 0RDd mod1 rep 2.pool.ntp.org.home. A IN
Apr 26 21:00:30 unbound 91287:2 info: 128.000000 256.000000 1
Apr 26 21:00:30 unbound 91287:2 info: 32.000000 64.000000 1
Apr 26 21:00:30 unbound 91287:2 info: 16.000000 32.000000 1
Apr 26 21:00:30 unbound 91287:2 info: 8.000000 16.000000 3
Apr 26 21:00:30 unbound 91287:2 info: 2.000000 4.000000 1
Apr 26 21:00:30 unbound 91287:2 info: 0.000000 0.000001 659
Apr 26 21:00:30 unbound 91287:2 info: lower(secs) upper(secs) recursions
Apr 26 21:00:30 unbound 91287:2 info: [25%]=2.52656e-07 median[50%]=5.05311e-07 [75%]=7.57967e-07
Apr 26 21:00:30 unbound 91287:2 info: histogram of recursion processing times
Apr 26 21:00:30 unbound 91287:2 info: average recursion processing time 0.391632 sec
Apr 26 21:00:30 unbound 91287:2 info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 666 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 26 21:00:30 unbound 91287:2 debug: query took 0.000000 sec
Apr 26 21:00:30 unbound 91287:2 info: send_udp over interface: 127.0.0.1
Apr 26 21:00:30 unbound 91287:2 debug: mesh_run: validator module exit state is module_finished
Apr 26 21:00:30 unbound 91287:2 debug: cannot validate non-answer, rcode SERVFAIL
Apr 26 21:00:30 unbound 91287:2 debug: validator: nextmodule returned
Apr 26 21:00:30 unbound 91287:2 info: validator operate: query db.au.clamav.net.home. A IN
Apr 26 21:00:30 unbound 91287:2 debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Apr 26 21:00:30 unbound 91287:2 debug: mesh_run: iterator module exit state is module_finished
Apr 26 21:00:30 unbound 91287:2 debug: return error response SERVFAIL
Apr 26 21:00:30 unbound 91287:2 debug: store error response in message cache
Apr 26 21:00:30 unbound 91287:2 debug: configured forward servers failed -- returning SERVFAIL
Apr 26 21:00:30 unbound 91287:2 debug: No more query targets, attempting last resort
Apr 26 21:00:30 unbound 91287:2 debug: rtt=120000
Apr 26 21:00:30 unbound 91287:2 debug: servselect ip4 10.4.0.1 port 53 (len 16)
Apr 26 21:00:30 unbound 91287:2 debug: attempt to get extra 3 targets
Apr 26 21:00:30 unbound 91287:2 debug: ip4 10.4.0.1 port 53 (len 16)
Apr 26 21:00:30 unbound 91287:2 info: DelegationPoint<.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
Apr 26 21:00:30 unbound 91287:2 debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Apr 26 21:00:30 unbound 91287:2 info: processQueryTargets: db.au.clamav.net.home. A IN
Apr 26 21:00:30 unbound 91287:2 debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 26 21:00:30 unbound 91287:2 debug: forwarding request
Apr 26 21:00:30 unbound 91287:2 debug: request has dependency depth of 0
Apr 26 21:00:30 unbound 91287:2 info: resolving db.au.clamav.net.home. A IN
Apr 26 21:00:30 unbound 91287:2 debug: iter_handle processing q with state INIT REQUEST STATE
Apr 26 21:00:30 unbound 91287:2 debug: process_request: new external request event
Apr 26 21:00:30 unbound 91287:2 debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
Apr 26 21:00:30 unbound 91287:2 debug: mesh_run: validator module exit state is module_wait_module
Apr 26 21:00:30 unbound 91287:2 debug: validator: pass to next module
Apr 26 21:00:30 unbound 91287:2 info: validator operate: query db.au.clamav.net.home. A IN
Apr 26 21:00:30 unbound 91287:2 debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
Apr 26 21:00:30 unbound 91287:2 debug: mesh_run: start
Apr 26 21:00:30 unbound 91287:2 debug: udp request from ip4 127.0.0.1 port 37143 (len 16)
Apr 26 21:00:30 unbound 91287:2 info: receive_udp on interface: 127.0.0.1
Apr 26 21:00:29 unbound 91287:0 info: send_udp over interface: 192.168.3.1
Apr 26 21:00:29 unbound 91287:0 info: receive_udp on interface: 192.168.3.1
Apr 26 21:00:29 unbound 91287:3 info: send_udp over interface: 127.0.0.1
Apr 26 21:00:29 unbound 91287:3 info: receive_udp on interface: 127.0.0.1
Apr 26 21:00:28 unbound 91287:2 debug: cache memory msg=77508 rrset=66072 infra=3130 val=66280
Apr 26 21:00:28 unbound 91287:2 info: 0RDd mod1 rep 2.pool.ntp.org.home. A IN
Apr 26 21:00:28 unbound 91287:2 info: 128.000000 256.000000 1
Apr 26 21:00:28 unbound 91287:2 info: 32.000000 64.000000 1
Apr 26 21:00:28 unbound 91287:2 info: 16.000000 32.000000 1
Apr 26 21:00:28 unbound 91287:2 info: 8.000000 16.000000 3
Apr 26 21:00:28 unbound 91287:2 info: 2.000000 4.000000 1
Apr 26 21:00:28 unbound 91287:2 info: 0.000000 0.000001 658
Apr 26 21:00:28 unbound 91287:2 info: lower(secs) upper(secs) recursions
Apr 26 21:00:28 unbound 91287:2 info: [25%]=2.5266e-07 median[50%]=5.05319e-07 [75%]=7.57979e-07
Apr 26 21:00:28 unbound 91287:2 info: histogram of recursion processing times
Apr 26 21:00:28 unbound 91287:2 info: average recursion processing time 0.392221 sec
Apr 26 21:00:28 unbound 91287:2 info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 665 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 26 21:00:28 unbound 91287:2 debug: query took 0.000000 sec
Apr 26 21:00:28 unbound 91287:2 info: send_udp over interface: 127.0.0.1
Apr 26 21:00:28 unbound 91287:2 debug: mesh_run: validator module exit state is module_finished
Apr 26 21:00:28 unbound 91287:2 debug: cannot validate non-answer, rcode SERVFAIL
Apr 26 21:00:28 unbound 91287:2 debug: validator: nextmodule returned
Apr 26 21:00:28 unbound 91287:2 info: validator operate: query 2.pool.ntp.org. AAAA IN
Apr 26 21:00:28 unbound 91287:2 debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Apr 26 21:00:28 unbound 91287:2 debug: mesh_run: iterator module exit state is module_finished
Apr 26 21:00:28 unbound 91287:2 debug: return error response SERVFAIL
Apr 26 21:00:28 unbound 91287:2 debug: store error response in message cache
Apr 26 21:00:28 unbound 91287:2 debug: configured forward servers failed -- returning SERVFAIL
Apr 26 21:00:28 unbound 91287:2 debug: No more query targets, attempting last resort
Apr 26 21:00:28 unbound 91287:2 debug: rtt=120000
Apr 26 21:00:28 unbound 91287:2 debug: servselect ip4 10.4.0.1 port 53 (len 16)
Apr 26 21:00:28 unbound 91287:2 debug: attempt to get extra 3 targets
Apr 26 21:00:28 unbound 91287:2 debug: ip4 10.4.0.1 port 53 (len 16)
Apr 26 21:00:28 unbound 91287:2 info: DelegationPoint<.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
Apr 26 21:00:28 unbound 91287:2 debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Apr 26 21:00:28 unbound 91287:2 info: processQueryTargets: 2.pool.ntp.org. AAAA IN
Apr 26 21:00:28 unbound 91287:2 debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 26 21:00:28 unbound 91287:2 debug: forwarding request
Apr 26 21:00:28 unbound 91287:2 debug: request has dependency depth of 0
Apr 26 21:00:28 unbound 91287:2 info: resolving 2.pool.ntp.org. AAAA IN
Apr 26 21:00:28 unbound 91287:2 debug: iter_handle processing q with state INIT REQUEST STATE
Apr 26 21:00:28 unbound 91287:2 debug: process_request: new external request event
Apr 26 21:00:28 unbound 91287:2 debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
Apr 26 21:00:28 unbound 91287:2 debug: mesh_run: validator module exit state is module_wait_module
Apr 26 21:00:28 unbound 91287:2 debug: validator: pass to next module
Apr 26 21:00:28 unbound 91287:2 info: validator operate: query 2.pool.ntp.org. AAAA IN
Apr 26 21:00:28 unbound 91287:2 debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
Apr 26 21:00:28 unbound 91287:2 debug: mesh_run: start
Apr 26 21:00:28 unbound 91287:2 debug: udp request from ip4 127.0.0.1 port 60673 (len 16)
Apr 26 21:00:28 unbound 91287:2 debug: answer from the cache failed
Apr 26 21:00:28 unbound 91287:2 info: receive_udp on interface: 127.0.0.1
Apr 26 21:00:28 unbound 91287:0 info: send_udp over interface: 127.0.0.1
Apr 26 21:00:28 unbound 91287:0 info: receive_udp on interface: 127.0.0.1
Apr 26 21:00:28 unbound 91287:3 info: send_udp over interface: 192.168.3.1
Apr 26 21:00:28 unbound 91287:3 info: receive_udp on interface: 192.168.3.1
Apr 26 21:00:27 unbound 91287:2 info: send_udp over interface: 192.168.3.1
Apr 26 21:00:27 unbound 91287:2 info: receive_udp on interface: 192.168.3.1
Apr 26 21:00:27 unbound 91287:2 debug: cache memory msg=77508 rrset=66072 infra=3130 val=66280
Apr 26 21:00:27 unbound 91287:2 info: 0RDd mod1 rep 2.pool.ntp.org.home. A IN
Apr 26 21:00:27 unbound 91287:2 info: 128.000000 256.000000 1
Apr 26 21:00:27 unbound 91287:2 info: 32.000000 64.000000 1
Apr 26 21:00:27 unbound 91287:2 info: 16.000000 32.000000 1
Apr 26 21:00:27 unbound 91287:2 info: 8.000000 16.000000 3
Apr 26 21:00:27 unbound 91287:2 info: 2.000000 4.000000 1
Apr 26 21:00:27 unbound 91287:2 info: 0.000000 0.000001 657
Apr 26 21:00:27 unbound 91287:2 info: lower(secs) upper(secs) recursions
Apr 26 21:00:27 unbound 91287:2 info: [25%]=2.52664e-07 median[50%]=5.05327e-07 [75%]=7.57991e-07
Apr 26 21:00:27 unbound 91287:2 info: histogram of recursion processing times
Apr 26 21:00:27 unbound 91287:2 info: average recursion processing time 0.392812 sec
Apr 26 21:00:27 unbound 91287:2 info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 664 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 26 21:00:27 unbound 91287:2 debug: query took 0.000000 sec
Apr 26 21:00:27 unbound 91287:2 info: send_udp over interface: 127.0.0.1
Apr 26 21:00:27 unbound 91287:2 debug: mesh_run: validator module exit state is module_finished
Apr 26 21:00:27 unbound 91287:2 debug: cannot validate non-answer, rcode SERVFAIL
Apr 26 21:00:27 unbound 91287:2 debug: validator: nextmodule returned
Apr 26 21:00:27 unbound 91287:2 info: validator operate: query nl.vpn.airdns.org. A IN
Apr 26 21:00:27 unbound 91287:2 debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Apr 26 21:00:27 unbound 91287:2 debug: mesh_run: iterator module exit state is module_finished
Apr 26 21:00:27 unbound 91287:2 debug: return error response SERVFAIL
Apr 26 21:00:27 unbound 91287:2 debug: store error response in message cache
Apr 26 21:00:27 unbound 91287:2 debug: configured forward servers failed -- returning SERVFAIL
Apr 26 21:00:27 unbound 91287:2 debug: No more query targets, attempting last resort
Apr 26 21:00:27 unbound 91287:2 debug: rtt=120000
Apr 26 21:00:27 unbound 91287:2 debug: servselect ip4 10.4.0.1 port 53 (len 16)
Apr 26 21:00:27 unbound 91287:2 debug: attempt to get extra 3 targets
Apr 26 21:00:27 unbound 91287:2 debug: ip4 10.4.0.1 port 53 (len 16)
Apr 26 21:00:27 unbound 91287:2 info: DelegationPoint<.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
Apr 26 21:00:27 unbound 91287:2 debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Apr 26 21:00:27 unbound 91287:2 info: processQueryTargets: nl.vpn.airdns.org. A IN
Apr 26 21:00:27 unbound 91287:2 debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 26 21:00:27 unbound 91287:2 debug: forwarding request
Apr 26 21:00:27 unbound 91287:2 debug: request has dependency depth of 0
Apr 26 21:00:27 unbound 91287:2 info: resolving nl.vpn.airdns.org. A IN
Apr 26 21:00:27 unbound 91287:2 debug: iter_handle processing q with state INIT REQUEST STATE
Apr 26 21:00:27 unbound 91287:2 debug: process_request: new external request event
Apr 26 21:00:27 unbound 91287:2 debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
Apr 26 21:00:27 unbound 91287:2 debug: mesh_run: validator module exit state is module_wait_module
Apr 26 21:00:27 unbound 91287:2 debug: validator: pass to next module
Apr 26 21:00:27 unbound 91287:2 info: validator operate: query nl.vpn.airdns.org. A IN
Apr 26 21:00:27 unbound 91287:2 debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
Apr 26 21:00:27 unbound 91287:2 debug: mesh_run: start
Apr 26 21:00:27 unbound 91287:2 debug: udp request from ip4 127.0.0.1 port 1665 (len 16)
Apr 26 21:00:27 unbound 91287:2 debug: answer from the cache failed
Apr 26 21:00:27 unbound 91287:2 info: receive_udp on interface: 127.0.0.1
Apr 26 21:00:27 unbound 91287:3 info: send_udp over interface: 192.168.3.1
Apr 26 21:00:27 unbound 91287:3 info: receive_udp on interface: 192.168.3.1
Apr 26 21:00:26 unbound 91287:0 info: send_udp over interface: 192.168.3.1
Apr 26 21:00:26 unbound 91287:0 info: receive_udp on interface: 192.168.3.1
Apr 26 21:00:26 unbound 91287:2 debug: cache memory msg=77508 rrset=66072 infra=3130 val=66280
Apr 26 21:00:26 unbound 91287:2 info: 0RDd mod1 rep 2.pool.ntp.org.home. A IN
Apr 26 21:00:26 unbound 91287:2 info: 128.000000 256.000000 1
Apr 26 21:00:26 unbound 91287:2 info: 32.000000 64.000000 1
Apr 26 21:00:26 unbound 91287:2 info: 16.000000 32.000000 1
Apr 26 21:00:26 unbound 91287:2 info: 8.000000 16.000000 3
Apr 26 21:00:26 unbound 91287:2 info: 2.000000 4.000000 1
Apr 26 21:00:26 unbound 91287:2 info: 0.000000 0.000001 656
Apr 26 21:00:26 unbound 91287:2 info: lower(secs) upper(secs) recursions
Apr 26 21:00:26 unbound 91287:2 info: [25%]=2.52668e-07 median[50%]=5.05335e-07 [75%]=7.58003e-07
Apr 26 21:00:26 unbound 91287:2 info: histogram of recursion processing times
Apr 26 21:00:26 unbound 91287:2 info: average recursion processing time 0.393404 sec
Apr 26 21:00:26 unbound 91287:2 info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 663 recursion replies sent, 0 replies dropped, 0 states jostled out
Apr 26 21:00:26 unbound 91287:2 debug: query took 0.000000 sec
Apr 26 21:00:26 unbound 91287:2 info: send_udp over interface: 127.0.0.1
Apr 26 21:00:26 unbound 91287:2 debug: mesh_run: validator module exit state is module_finished
Apr 26 21:00:26 unbound 91287:2 debug: cannot validate non-answer, rcode SERVFAIL
Apr 26 21:00:26 unbound 91287:2 debug: validator: nextmodule returned
Apr 26 21:00:26 unbound 91287:2 info: validator operate: query 2.pool.ntp.org. A IN
Apr 26 21:00:26 unbound 91287:2 debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Apr 26 21:00:26 unbound 91287:2 debug: mesh_run: iterator module exit state is module_finished
Apr 26 21:00:26 unbound 91287:2 debug: return error response SERVFAIL
Apr 26 21:00:26 unbound 91287:2 debug: store error response in message cache
Apr 26 21:00:26 unbound 91287:2 debug: configured forward servers failed -- returning SERVFAIL
Apr 26 21:00:26 unbound 91287:2 debug: No more query targets, attempting last resort
Apr 26 21:00:26 unbound 91287:2 debug: rtt=120000
Apr 26 21:00:26 unbound 91287:2 debug: servselect ip4 10.4.0.1 port 53 (len 16)
Apr 26 21:00:26 unbound 91287:2 debug: attempt to get extra 3 targets
Apr 26 21:00:26 unbound 91287:2 debug: ip4 10.4.0.1 port 53 (len 16)
Apr 26 21:00:26 unbound 91287:2 info: DelegationPoint<.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
Apr 26 21:00:26 unbound 91287:2 debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Apr 26 21:00:26 unbound 91287:2 info: processQueryTargets: 2.pool.ntp.org. A IN
Apr 26 21:00:26 unbound 91287:2 debug: iter_handle processing q with state QUERY TARGETS STATE
Apr 26 21:00:26 unbound 91287:2 debug: forwarding request
Apr 26 21:00:26 unbound 91287:2 debug: request has dependency depth of 0
Apr 26 21:00:26 unbound 91287:2 info: resolving 2.pool.ntp.org. A IN
Apr 26 21:00:26 unbound 91287:2 debug: iter_handle processing q with state INIT REQUEST STATE
Apr 26 21:00:26 unbound 91287:2 debug: process_request: new external request event
Apr 26 21:00:26 unbound 91287:2 debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
Apr 26 21:00:26 unbound 91287:2 debug: mesh_run: validator module exit state is module_wait_module
Apr 26 21:00:26 unbound 91287:2 debug: validator: pass to next module
Apr 26 21:00:26 unbound 91287:2 info: validator operate: query 2.pool.ntp.org. A IN
-
Ed. actually see my latest reply to this topic for some python code to modify all your ovpn files at once

----------

Hi all - inspired by some other threads I've been involved in, here is part 1 of my Ubuntu setup - please don't hesitate to correct or comment:

The OS
======
I use Ubuntu 16.04.5 LTS. I don't use 18.04 LTS as I have found it difficult to get it set up just right. In particular I find preventing DNS leakage almost impossible.

Software & Updates
==================
Change the update server to the main server, because you'll want to use apt while connected to your VPN and you don't want it connecting back to your country of origin's mirror.

GRUB
====
I modify /etc/default/grub thus:

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"

i.e. I disable ipv6 in GRUB as it's been my experience I cannot stop leaks and other unwanted peer communication while ipv6 is enabled. (don't forget to run update-grub after)

UFW
===
This is my minimal ufw init script:

ufw reset
ufw enable
ufw default deny incoming
ufw allow in 67/udp # for DHCP
ufw allow in 53/udp # DNS
ufw deny out 22,23/tcp # deny telnet and ssh
ufw reload
ufw status verbose

FIREFOX -P
==========
In Terminal run firefox -P, create a new profile "maxprivacy" and deselect the option for the default profile. Find the section on WebRTC and further securing firefox at https://privacytools.io (i.e. go through all the instructions to modify the settings such as geo.enabled and webgl.disabled etc.)

OPENVPN 2.4
===========
Ubuntu 16.04.5 doesn't come with OpenVPN 2.4 so you have to install it using the instructions here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

AIRVPN CONFIG GENERATOR (https://airvpn.org/generator/)
=======================================================
Check "Advanced Mode"
Click Linux
Check "Separate keys/certs from .ovpn file"
Check "Resolved hosts in .ovpn file" <-- VERY IMPORTANT - STOPS YOUR ISP KNOWING YOU'RE CONNECTING TO AN AIRVPN SERVER
Scroll down to where the "Entry IP" 3 and 4 are (i.e. we only want to use the servers with TLS encryption enabled)
Select protocols UDP 443, 2018, 41185 for Entry 3 and Entry 4
Scroll down to where the individual servers are listed and click "Invert Selection" - now all the individual servers will be downloaded with resolved hostnames
Scroll to bottom of page and select both checkboxes then click Generate
On the generated settings page scroll all the way down till you see the ZIP file and download it.

In Terminal:
------------
mkdir ~/mytemp && mkdir ~/mytemp/ovpntemp
cd ~/mytemp/ovpntemp
unzip ~/Downloads/AirVPN.zip
rm ~/Downloads/AirVPN.zip
chmod 600 *key # this makes sure only your user account can access your key files
mkdir ~/.airvpn
mv *key ~/.airvpn
mv *crt ~/.airvpn # moving keys and certs to upper level directory - you only need one copy
mkdir ~/.airvpn/UDP-443-TLS-PRI && mkdir ~/.airvpn/UDP-443-TLS-ALT
mv Air*443*Entry3* ~/.airvpn/UDP-443-TLS-PRI
mv Air*443*Entry4* ~/.airvpn/UDP-443-TLS-ALT

Repeat for ports 2018 and 41185 (i.e. make directories UDP-2018-TLS-PRI etc. and move the ovpn files).

MODIFY OVPN FILES
=================
This part is a little laborious unless you're handy with python or something to write a script to modify all your ovpn files. Basically before you connect to a particular server change the following lines in the ovpn file:

ca "../ca.crt" # remember our key and crt files are one level above
cert "../user.crt"
key "../user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-crypt "../tls-crypt.key"
auth sha512
# the following part locks down the DNS when connected
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

CONNECT TO VPN SERVER IN TERMINAL
=================================
sudo openvpn <the ovpn file you just modified - be in the same directory as it>

In the output you should see something like this:

...
Mon Nov 12 18:53:38 2018 /etc/openvpn/update-resolv-conf tun0 1500 1553 x1.x2.x3.x4 255.255.255.0 init
dhcp-option DNS y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 /sbin/ip route add z1.z2.z3.z4/32 via m1.m2.m3.m4
Mon Nov 12 18:53:44 2018 /sbin/ip route add 0.0.0.0/1 via y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 /sbin/ip route add 128.0.0.0/1 via y1.y2.y3.y4
Mon Nov 12 18:53:44 2018 Initialization Sequence Completed
...

but CHECK THE DNS resolver using dig:

dig www.ubuntu.com
...
;; Query time: 422 msec
;; SERVER: y1.y2.y3.y4#53(y1.y2.y3.y4) <-- if you see 127.0.0.1 here something is wrong!
;; WHEN: Mon Nov 12 20:02:37 AEDT 2018
;; MSG SIZE rcvd: 59

CHECK YOU HAVE NO DNS LEAKAGE and WebRTC is DISABLED
====================================================
Run firefox and select the maxprivacy profile
https://ipleak.net/
https://dnsleaktest.com/ (run extended tests)

Also in a separate terminal window you can run:

sudo tcpdump -v -n 'port 53' -i tun0

which will show you all DNS resolution - you should only see server y1.y2.y3.y4 being used

-----------
This is a work in progress - I'm yet to add sections for setting up rtorrent and running Tor browser
-----------
DISCLAIMER: I have no formal training in Linux; everything I know I've learnt from books or online. If I am in error anywhere don't hesitate to let me know - I welcome constructive feedback
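The post above mentions a Python script that rewrites all the .ovpn files at once, but that script is not on this page. What follows is an added example, not the poster's code: it sets each directive the post lists exactly once in every .ovpn file under a directory tree (replacing the first existing occurrence, dropping duplicates, appending what is missing) and leaves every other line untouched. The sample file is constructed for the example; the exact lines the AirVPN generator emits are not shown on the page, and the "../" paths assume the directory layout the post describes.

```python
"""Apply the .ovpn directive changes from the post to a whole directory tree.

Added example (not the post author's script). Assumes the layout in the
post: keys and certs one level above the per-port directories, so the
paths below start with "../".
"""
from pathlib import Path
import sys

# Directive name -> full line the post says each .ovpn should contain.
DIRECTIVES = {
    "ca": 'ca "../ca.crt"',
    "cert": 'cert "../user.crt"',
    "key": 'key "../user.key"',
    "remote-cert-tls": "remote-cert-tls server",
    "cipher": "cipher AES-256-CBC",
    "comp-lzo": "comp-lzo no",
    "proto": "proto udp",
    "tls-crypt": 'tls-crypt "../tls-crypt.key"',
    "auth": "auth sha512",
    "script-security": "script-security 2",
    "up": "up /etc/openvpn/update-resolv-conf",
    "down": "down /etc/openvpn/update-resolv-conf",
}


def rewrite_ovpn(text: str) -> str:
    """Return the config with each listed directive present exactly once.

    The first existing occurrence of a listed directive is replaced in
    place, later duplicates are dropped, and directives that were absent
    are appended. Comments, blank lines and all other directives (remote,
    dev, verb, ...) are kept as they are.
    """
    seen = set()
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        word = None
        if stripped and not stripped.startswith("#"):
            word = stripped.split(maxsplit=1)[0]
        if word in DIRECTIVES:
            if word not in seen:
                out.append(DIRECTIVES[word])
                seen.add(word)
            continue  # duplicate of a directive already emitted: drop it
        out.append(line)
    for word, full_line in DIRECTIVES.items():
        if word not in seen:
            out.append(full_line)
    return "\n".join(out) + "\n"


def parse_directives(text: str) -> dict:
    """Map directive name -> argument string (last occurrence wins); for checking results."""
    result = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(maxsplit=1)
        result[parts[0]] = parts[1] if len(parts) > 1 else ""
    return result


def rewrite_tree(root: Path) -> int:
    """Rewrite every *.ovpn below root in place; returns how many files changed."""
    changed = 0
    for path in sorted(root.rglob("*.ovpn")):
        original = path.read_text()
        updated = rewrite_ovpn(original)
        if updated != original:
            path.write_text(updated)
            changed += 1
    return changed


# Constructed sample resembling a generator file with keys/certs separated.
# The address is from the documentation range, not a real server.
SAMPLE = """\
client
dev tun
remote 203.0.113.10 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
ca "ca.crt"
cert "user.crt"
key "user.key"
tls-crypt "tls-crypt.key"
cipher AES-256-CBC
comp-lzo no
proto udp
auth SHA512
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(rewrite_tree(Path(sys.argv[1]).expanduser()), "file(s) rewritten")
    else:
        print(rewrite_ovpn(SAMPLE))
```

Run it as `python3 rewrite_ovpn.py ~/.airvpn` (the file name is whatever you save it as); `rglob` descends into the UDP-443-TLS-PRI and similar subdirectories. Running it twice is safe because the second pass finds every directive already set once and changes nothing.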
-
Hello, I am an AirVPN user and I like it very much. I have a question about the infrastructure of the AirVPN servers though. I have read in this forum that the VPN servers do not keep a database or any kind of user data, and instead send a message to a back-end server when a new VPN connection request comes in. The back-end server has a centralized database on it, with a table of active_sessions among others, and the back-end server sends a reply back to the VPN server after checking some information (number of sessions among others). This reply from the back-end server to the VPN server basically has an ALLOW or DENY message; it is used to let the VPN server know if the VPN connection request should be allowed or denied. My question is this: does the OpenVPN daemon software have the possibility to make use of external software (programs/scripts) during a connection request? So that when a connection request comes in, the OpenVPN service forwards this request to an external script/program so that this external script/program can send a message to a back-end server? If it does not have this possibility, how are you sending a request to a back-end server? Or are you listening on the 80, 445 etc. ports on the VPN servers by using a different daemon (not OpenVPN) software, and only after the query message forwarding the reply from the back-end to the OpenVPN daemon? I hope you will be able to explain, because I am not sure that OpenVPN has this option by default. Thank you for your answer!
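The hook the question asks about does exist in OpenVPN: with `script-security 2` or higher, `auth-user-pass-verify <program> via-file` runs an external program for every authentication attempt, handing it a temporary file with the username on line 1 and the password on line 2, and the program's exit status decides the outcome (0 allows, anything else denies); `client-connect` runs a further program once the client is authenticated. The block below is an added example of the shape of such a hook and is not AirVPN's code, nor a description of their actual back end. The back-end URL, the JSON reply format and the session limit are hypothetical, and a constructed in-memory stand-in for the back end lets the decision logic run offline; the `untrusted_ip` environment variable is one OpenVPN really sets for this script.

```python
"""Shape of an OpenVPN auth-user-pass-verify hook that defers to a back end.

Added example, not AirVPN's code. Wired in with (real OpenVPN directives):
    script-security 2
    auth-user-pass-verify /etc/openvpn/verify.py via-file
With via-file, argv[1] is a temporary file: username on line 1, password
on line 2. Exit 0 lets the client in; any other exit status denies it.
"""
import hmac
import json
import os
import sys
import urllib.request

BACKEND_URL = "https://backend.example.invalid/auth"  # hypothetical
MAX_SESSIONS = 5  # hypothetical per-account limit, enforced by the back end


def parse_credentials(text: str) -> tuple:
    """Split the via-file contents into (username, password)."""
    lines = text.split("\n")
    if len(lines) < 2:
        raise ValueError("credential file must hold a username line and a password line")
    return lines[0], lines[1]


def read_credentials(path: str) -> tuple:
    with open(path, encoding="utf-8") as fh:
        return parse_credentials(fh.read())


def query_backend(username: str, password: str, client_ip: str, post=None) -> dict:
    """POST the attempt to the back end and return its parsed JSON reply.

    `post` is injectable so the decision logic can be exercised offline;
    the JSON shape is the example's own, not a documented protocol.
    """
    payload = json.dumps({"user": username, "password": password, "ip": client_ip}).encode()
    if post is None:
        req = urllib.request.Request(
            BACKEND_URL, data=payload, headers={"Content-Type": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    return post(payload)


def decide(reply: dict) -> int:
    """Map the back-end reply to OpenVPN's exit code: 0 allow, 1 deny.

    Fails closed: only an explicit ALLOW verdict admits the client.
    """
    return 0 if reply.get("verdict") == "ALLOW" else 1


def fake_backend_factory(accounts: dict, active_sessions: dict):
    """Constructed stand-in for the back end (offline runs and tests only).

    Mirrors the two checks the question mentions: credentials and the
    number of sessions already active for the account.
    """
    def post(payload: bytes) -> dict:
        req = json.loads(payload)
        user = req["user"]
        if not hmac.compare_digest(accounts.get(user, ""), req["password"]):
            return {"verdict": "DENY", "reason": "bad credentials"}
        if active_sessions.get(user, 0) >= MAX_SESSIONS:
            return {"verdict": "DENY", "reason": "session limit"}
        return {"verdict": "ALLOW"}
    return post


def main(argv) -> int:
    username, password = read_credentials(argv[1])
    client_ip = os.environ.get("untrusted_ip", "")  # set by OpenVPN for this hook
    try:
        reply = query_backend(username, password, client_ip)
    except Exception:
        return 1  # back end unreachable or malformed reply: deny
    return decide(reply)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The point to carry over to any real deployment is the fail-closed mapping in `decide` and `main`: a timeout, a connection error or an unexpected reply never turns into an allow, and the VPN node itself holds no account data, only the back end's answer for this one attempt.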
-
If you are looking for how to configure AirVPN on pfSense, please follow this great post. The following are just a few changes I made that worked for me and that might help someone with the same problems I had, mostly avoiding a DNS leak. Note that I am not an expert, so anyone is welcome to comment if you think I'm doing something wrong. What follows is just a patch of multiple ideas on the net that led me to a working solution.

1. Create the VPN certificates you need

Go to AirVPN and download a config file (.ovpn): https://airvpn.org/generator/

Now go to pfSense and create a CA for AirVPN:
Descriptive name: [AirVPN CA]
Method: [import an existing Certificate Authority]
Certificate data: [Open .ovpn file and insert data found between <ca> and </ca>]
Save

Now open the Certificates tab and create a new certificate:
Method: [import an existing certificate]
Descriptive name: [AirVPN Client]
Certificate data: [Open .ovpn file and insert data found between <cert> and </cert>]
Private key data: [Open .ovpn file and insert data found between <key> and </key>]

2. Create an OpenVPN connection

https://rtr.noh.lan/vpn_openvpn_server.php

Follow the document mentioned above and make the following modifications to it. Go to the Clients tab and make sure that:
- You use an IP as the Server host to make sure you can re-connect if the line goes down. If the DNS you use is the one from AirVPN, the VPN connection has to be up before you can access it...
- Add the following options:

server-poll-timeout 10;
explicit-exit-notify 5;
auth-nocache;
mlock;
fast-io;
key-direction 1;
prng SHA512 64;
tls-version-min 1.2;
key-method 2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
tls-timeout 2;
remote-cert-tls server;
remote 185.206.225.58 443 # no.vpn.airdns.org
remote 82.102.27.194 443 # no.vpn.airdns.org
remote 91.207.102.162 443 # ro.vpn.airdns.org
remote 86.105.9.66 443 # ro.vpn.airdns.org

The "remote" entries allow your VPN to connect to another server if the VPN connection drops.

3. The resolver settings I have

General Settings
Enable: [X]
Listen Port: [Blank]
Network Interfaces: [LAN] + any other local network you may have
Outgoing Network Interfaces: [Your VPN Interface]
System Domain Local Zone Type: [Transparent]
DNSSEC: [X]
DNS Query Forwarding: [ ]
DHCP Registration: [ ]
Static DHCP: [X]
OpenVPN Clients: [ ]
Custom options:
forward-zone:
  name: "."
  forward-addr: 10.4.0.1

Note that the custom options forward to an AirVPN internal DNS. Depending on the type of connection you use, the IP will change, so check or it will fail.

Advanced Settings
Hide Identity: [X]
Hide Version: [X]
Prefetch Support: [X]
Prefetch DNS Key Support: [X]
Harden DNSSEC Data: [X]
Serve Expired: [ ]

The rest I have left as default. Now go to DNSLeakTest and test! I hope this helped someone.
-
Hello, Very new to VPN, and first time setting up Open VPN on my mac. I have entered several locations, and in all get the following message: The username and password were not accepted by the remote VPN server. Can someone assist? OS configs: OS X El Captain Version 10.11.6 Logs: *Tunnelblick: OS X 10.11.6; Tunnelblick 3.6.8 (build 4625); prior version 3.6.3 (build 4560) 2016-10-23 07:03:13 *Tunnelblick: Attempting connection with australia_melbourne-udp8000-256; Set nameserver = 769; monitoring connection 2016-10-23 07:03:13 *Tunnelblick: openvpnstart start australia_melbourne-udp8000-256.tblk 1337 769 0 3 0 1065264 -ptADGNWradsgnw 2.3.12 2016-10-23 07:03:13 *Tunnelblick: openvpnstart log: OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line): /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn --daemon --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Saustralia_melbourne--udp8000--256.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065264.1337.openvpn.log --cd /Library/Application Support/Tunnelblick/Shared/australia_melbourne-udp8000-256.tblk/Contents/Resources --verb 3 --config /Library/Application Support/Tunnelblick/Shared/australia_melbourne-udp8000-256.tblk/Contents/Resources/config.ovpn --verb 3 --cd /Library/Application Support/Tunnelblick/Shared/australia_melbourne-udp8000-256.tblk/Contents/Resources --management 127.0.0.1 1337 --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw 2016-10-23 07:03:13 OpenVPN 2.3.12 x86_64-apple-darwin [sSL (OpenSSL)] [LZO] [PKCS11] [MH] [iPv6] built on Oct 9 2016 2016-10-23 07:03:13 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09 2016-10-23 07:03:13 
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337 2016-10-23 07:03:13 Need hold release from management interface, waiting... 2016-10-23 07:03:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337 2016-10-23 07:03:13 *Tunnelblick: openvpnstart starting OpenVPN 2016-10-23 07:03:13 *Tunnelblick: Established communication with OpenVPN 2016-10-23 07:03:13 *Tunnelblick: Obtained VPN username and password from the Keychain 2016-10-23 07:03:13 MANAGEMENT: CMD 'pid' 2016-10-23 07:03:13 MANAGEMENT: CMD 'state on' 2016-10-23 07:03:13 MANAGEMENT: CMD 'state' 2016-10-23 07:03:13 MANAGEMENT: CMD 'bytecount 1' 2016-10-23 07:03:13 MANAGEMENT: CMD 'hold release' 2016-10-23 07:03:13 MANAGEMENT: CMD 'username "Auth" "username@vpn.ac"' 2016-10-23 07:03:13 MANAGEMENT: CMD 'password [...]' 2016-10-23 07:03:13 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2016-10-23 07:03:13 Control Channel Authentication: tls-auth using INLINE static key file 2016-10-23 07:03:13 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 07:03:13 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 07:03:13 Socket Buffers: R=[196724->196724] S=[9216->9216] 2016-10-23 07:03:13 MANAGEMENT: >STATE:1477224193,RESOLVE,,, 2016-10-23 07:03:13 UDPv4 link local: [undef] 2016-10-23 07:03:13 UDPv4 link remote: [AF_INET]168.1.66.76:8000 2016-10-23 07:03:13 MANAGEMENT: >STATE:1477224193,WAIT,,, 2016-10-23 07:03:14 MANAGEMENT: >STATE:1477224194,AUTH,,, 2016-10-23 07:03:14 TLS: Initial packet from [AF_INET]168.1.66.76:8000, sid=882685a8 a5766a17 2016-10-23 07:03:14 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2016-10-23 07:03:16 VERIFY OK: depth=1, C=RO, ST=BUC, O=VPN.AC, OU=VPN.AC CA, CN=VPN.AC, emailAddress=info@vpn.ac 2016-10-23 07:03:16 Validating certificate key usage 
2016-10-23 07:03:16 ++ Certificate has key usage 00a0, expects 00a0 2016-10-23 07:03:16 VERIFY KU OK 2016-10-23 07:03:16 Validating certificate extended key usage 2016-10-23 07:03:16 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2016-10-23 07:03:16 VERIFY EKU OK 2016-10-23 07:03:16 VERIFY OK: depth=0, CN=au1-4096 2016-10-23 07:03:19 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 2016-10-23 07:03:19 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 07:03:19 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 2016-10-23 07:03:19 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 07:03:19 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA 2016-10-23 07:03:19 [au1-4096] Peer Connection Initiated with [AF_INET]168.1.66.76:8000 2016-10-23 07:03:20 MANAGEMENT: >STATE:1477224200,GET_CONFIG,,, 2016-10-23 07:03:21 SENT CONTROL [au1-4096]: 'PUSH_REQUEST' (status=1) 2016-10-23 07:03:22 AUTH: Received control message: AUTH_FAILED 2016-10-23 07:03:22 SIGTERM received, sending exit notification to peer 2016-10-23 07:03:24 SIGTERM[soft,exit-with-notification] received, process exiting 2016-10-23 07:03:24 MANAGEMENT: >STATE:1477224204,EXITING,exit-with-notification,, 2016-10-23 07:03:29 *Tunnelblick: Disconnecting; user cancelled authorization or there was an error obtaining authorization 2016-10-23 07:03:29 *Tunnelblick: No 'pre-disconnect.sh' script to execute 2016-10-23 07:03:29 *Tunnelblick: Disconnecting using 'kill' 2016-10-23 07:03:30 *Tunnelblick: No 'post-disconnect.sh' script to execute 2016-10-23 07:03:30 *Tunnelblick: Expected disconnection occurred. 
*Tunnelblick: OS X 10.11.6; Tunnelblick 3.6.8 (build 4625); prior version 3.6.3 (build 4560) 2016-10-23 06:49:35 *Tunnelblick: Attempting connection with germany_frankfurt-udp8000-256; Set nameserver = 769; monitoring connection 2016-10-23 06:49:35 *Tunnelblick: openvpnstart start germany_frankfurt-udp8000-256.tblk 1340 769 0 3 0 1065264 -ptADGNWradsgnw 2.3.12 2016-10-23 06:49:35 OpenVPN 2.3.12 x86_64-apple-darwin [sSL (OpenSSL)] [LZO] [PKCS11] [MH] [iPv6] built on Oct 9 2016 2016-10-23 06:49:35 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09 2016-10-23 06:49:35 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1340 2016-10-23 06:49:35 Need hold release from management interface, waiting... 2016-10-23 06:49:35 *Tunnelblick: openvpnstart starting OpenVPN 2016-10-23 06:49:36 *Tunnelblick: openvpnstart log: OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line): /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn --daemon --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sgermany_frankfurt--udp8000--256.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065264.1340.openvpn.log --cd /Library/Application Support/Tunnelblick/Shared/germany_frankfurt-udp8000-256.tblk/Contents/Resources --verb 3 --config /Library/Application Support/Tunnelblick/Shared/germany_frankfurt-udp8000-256.tblk/Contents/Resources/config.ovpn --verb 3 --cd /Library/Application Support/Tunnelblick/Shared/germany_frankfurt-udp8000-256.tblk/Contents/Resources --management 127.0.0.1 1340 --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw 2016-10-23 06:49:36 *Tunnelblick: Established communication with OpenVPN 2016-10-23 06:49:36 
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1340 2016-10-23 06:49:36 MANAGEMENT: CMD 'pid' 2016-10-23 06:49:36 MANAGEMENT: CMD 'state on' 2016-10-23 06:49:36 MANAGEMENT: CMD 'state' 2016-10-23 06:49:36 MANAGEMENT: CMD 'bytecount 1' 2016-10-23 06:49:36 MANAGEMENT: CMD 'hold release' 2016-10-23 06:49:53 MANAGEMENT: CMD 'username "Auth" "username@vpn.ac"' 2016-10-23 06:49:53 MANAGEMENT: CMD 'password [...]' 2016-10-23 06:49:53 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2016-10-23 06:49:53 Control Channel Authentication: tls-auth using INLINE static key file 2016-10-23 06:49:53 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 06:49:53 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 06:49:53 Socket Buffers: R=[196724->196724] S=[9216->9216] 2016-10-23 06:49:53 MANAGEMENT: >STATE:1477223393,RESOLVE,,, 2016-10-23 06:49:53 UDPv4 link local: [undef] 2016-10-23 06:49:53 UDPv4 link remote: [AF_INET]46.165.230.39:8000 2016-10-23 06:49:53 MANAGEMENT: >STATE:1477223393,WAIT,,, 2016-10-23 06:49:53 MANAGEMENT: >STATE:1477223393,AUTH,,, 2016-10-23 06:49:53 TLS: Initial packet from [AF_INET]46.165.230.39:8000, sid=b2ae7a7f d210839c 2016-10-23 06:49:53 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2016-10-23 06:49:54 VERIFY OK: depth=1, C=RO, ST=BUC, O=VPN.AC, OU=VPN.AC CA, CN=VPN.AC, emailAddress=info@vpn.ac 2016-10-23 06:49:54 Validating certificate key usage 2016-10-23 06:49:54 ++ Certificate has key usage 00a0, expects 00a0 2016-10-23 06:49:54 VERIFY KU OK 2016-10-23 06:49:54 Validating certificate extended key usage 2016-10-23 06:49:54 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2016-10-23 06:49:54 VERIFY EKU OK 2016-10-23 06:49:54 VERIFY OK: depth=0, CN=de1-4096 2016-10-23 
06:49:56 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 2016-10-23 06:49:56 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 06:49:56 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 2016-10-23 06:49:56 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 06:49:56 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA 2016-10-23 06:49:56 [de1-4096] Peer Connection Initiated with [AF_INET]46.165.230.39:8000 2016-10-23 06:49:57 MANAGEMENT: >STATE:1477223397,GET_CONFIG,,, 2016-10-23 06:49:58 SENT CONTROL [de1-4096]: 'PUSH_REQUEST' (status=1) 2016-10-23 06:49:58 AUTH: Received control message: AUTH_FAILED 2016-10-23 06:49:58 SIGTERM received, sending exit notification to peer 2016-10-23 06:50:01 SIGTERM[soft,exit-with-notification] received, process exiting 2016-10-23 06:50:01 MANAGEMENT: >STATE:1477223401,EXITING,exit-with-notification,, 2016-10-23 06:50:10 *Tunnelblick: Disconnecting; user cancelled authorization or there was an error obtaining authorization 2016-10-23 06:50:10 *Tunnelblick: No 'pre-disconnect.sh' script to execute 2016-10-23 06:50:10 *Tunnelblick: Disconnecting using 'kill' 2016-10-23 06:50:11 *Tunnelblick: No 'post-disconnect.sh' script to execute 2016-10-23 06:50:11 *Tunnelblick: Expected disconnection occurred. *Tunnelblick: OS X 10.11.6; Tunnelblick 3.6.8 (build 4625); prior version 3.6.3 (build 4560) 2016-10-23 06:47:37 *Tunnelblick: Attempting connection with hong-kong_chai-wan-udp8000-256; Set nameserver = 769; monitoring connection 2016-10-23 06:47:37 *Tunnelblick: openvpnstart start hong-kong_chai-wan-udp8000-256.tblk 1337 769 0 3 0 1065264 -ptADGNWradsgnw 2.3.12 2016-10-23 06:47:37 *Tunnelblick: openvpnstart log: OpenVPN started successfully. 
Command used to start OpenVPN (one argument per displayed line): /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn --daemon --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Shong--kong_chai--wan--udp8000--256.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065264.1337.openvpn.log --cd /Library/Application Support/Tunnelblick/Shared/hong-kong_chai-wan-udp8000-256.tblk/Contents/Resources --verb 3 --config /Library/Application Support/Tunnelblick/Shared/hong-kong_chai-wan-udp8000-256.tblk/Contents/Resources/config.ovpn --verb 3 --cd /Library/Application Support/Tunnelblick/Shared/hong-kong_chai-wan-udp8000-256.tblk/Contents/Resources --management 127.0.0.1 1337 --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw 2016-10-23 06:47:37 *Tunnelblick: Established communication with OpenVPN 2016-10-23 06:47:37 *Tunnelblick: Obtained VPN username and password from the Keychain 2016-10-23 06:47:37 OpenVPN 2.3.12 x86_64-apple-darwin [sSL (OpenSSL)] [LZO] [PKCS11] [MH] [iPv6] built on Oct 9 2016 2016-10-23 06:47:37 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09 2016-10-23 06:47:37 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337 2016-10-23 06:47:37 Need hold release from management interface, waiting... 
2016-10-23 06:47:37 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337 2016-10-23 06:47:37 MANAGEMENT: CMD 'pid' 2016-10-23 06:47:37 MANAGEMENT: CMD 'state on' 2016-10-23 06:47:37 MANAGEMENT: CMD 'state' 2016-10-23 06:47:37 MANAGEMENT: CMD 'bytecount 1' 2016-10-23 06:47:37 MANAGEMENT: CMD 'hold release' 2016-10-23 06:47:37 MANAGEMENT: CMD 'username "Auth" "vieiraleov"' 2016-10-23 06:47:37 MANAGEMENT: CMD 'password [...]' 2016-10-23 06:47:37 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2016-10-23 06:47:37 Control Channel Authentication: tls-auth using INLINE static key file 2016-10-23 06:47:37 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 06:47:37 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication 2016-10-23 06:47:37 Socket Buffers: R=[196724->196724] S=[9216->9216] 2016-10-23 06:47:37 MANAGEMENT: >STATE:1477223257,RESOLVE,,, 2016-10-23 06:47:37 UDPv4 link local: [undef] 2016-10-23 06:47:37 UDPv4 link remote: [AF_INET]103.10.197.106:8000 2016-10-23 06:47:37 MANAGEMENT: >STATE:1477223257,WAIT,,, 2016-10-23 06:47:37 *Tunnelblick: openvpnstart starting OpenVPN 2016-10-23 06:48:24 *Tunnelblick: Disconnecting; notification window disconnect button pressed 2016-10-23 06:48:24 *Tunnelblick: No 'pre-disconnect.sh' script to execute 2016-10-23 06:48:24 *Tunnelblick: Disconnecting using 'kill' 2016-10-23 06:48:24 event_wait : Interrupted system call (code=4) 2016-10-23 06:48:24 SIGTERM received, sending exit notification to peer 2016-10-23 06:48:26 SIGTERM[soft,exit-with-notification] received, process exiting 2016-10-23 06:48:26 MANAGEMENT: >STATE:1477223306,EXITING,exit-with-notification,, 2016-10-23 06:48:27 *Tunnelblick: No 'post-disconnect.sh' script to execute 2016-10-23 06:48:27 *Tunnelblick: Expected disconnection occurred. 
*Tunnelblick: OS X 10.11.6; Tunnelblick 3.6.8 (build 4625); prior version 3.6.3 (build 4560) 2016-10-23 06:52:02 *Tunnelblick: Attempting connection with netherland_amsterdam-3-udp8000-256; Set nameserver = 769; monitoring connection 2016-10-23 06:52:02 *Tunnelblick: openvpnstart start netherland_amsterdam-3-udp8000-256.tblk 1337 769 0 3 0 1065264 -ptADGNWradsgnw 2.3.12 2016-10-23 06:52:02 *Tunnelblick: openvpnstart starting OpenVPN 2016-10-23 06:52:03 *Tunnelblick: openvpnstart log: OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line): /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn --daemon --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Snetherland_amsterdam--3--udp8000--256.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065264.1337.openvpn.log --cd /Library/Application Support/Tunnelblick/Shared/netherland_amsterdam-3-udp8000-256.tblk/Contents/Resources --verb 3 --config /Library/Application Support/Tunnelblick/Shared/netherland_amsterdam-3-udp8000-256.tblk/Contents/Resources/config.ovpn --verb 3 --cd /Library/Application Support/Tunnelblick/Shared/netherland_amsterdam-3-udp8000-256.tblk/Contents/Resources --management 127.0.0.1 1337 --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw 2016-10-23 06:52:03 *Tunnelblick: Established communication with OpenVPN 2016-10-23 06:52:03 OpenVPN 2.3.12 x86_64-apple-darwin [sSL (OpenSSL)] [LZO] [PKCS11] [MH] [iPv6] built on Oct 9 2016 2016-10-23 06:52:03 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09 2016-10-23 06:52:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337 2016-10-23 06:52:03 Need hold release from management interface, 
Thank you in advance.
-
Is there a way to (programmatically) find a server's IP if its name is known? For example, I can use the API and query the "status" service and get a nice list of servers and which is the recommended one, but the array doesn't contain the IP. I'd like to be able to programmatically find the best server (using the status service), then get its IP (somehow), alter my config file and connect to that server (much like the AirVPN client software does). I can't find anywhere on airvpn.org to obtain the IP addresses other than manually going through the config file generator... Thanks!
-
ANSWERED [Opinion] Best solution against DNS leak on pfSense
securvark replied to securvark's topic in General & Suggestions
I'll try and answer your questions, but I'm not an authority by any measure. Keep that in mind.

First things first. In my very personal opinion, there are different opinions of what a DNS leak actually is. Here's mine. Imagine the piping system in your house that's distributing water. When you open a tap, do we call that a leak? Of course not. When, halfway down the pipe, water drips from a bad connection, do we call that a leak? Yes, we do. With DNS (again, my personal opinion on this), when you make a request to a DNS server, that server ALWAYS has your IP, your query and the result it sends back. Whether they keep logs or not, at the time of the request, it has all that. Is that a leak? Your query ends up where it needs to be, where you intended it to be ... a destination you chose to trust ... of course that's not a leak! They are the tap that's open. But when you send your request unencrypted to that server that you trust, and your ISP or anyone else who can see the packets you send across the internet can see the origin (your IP), your domain name query, the destination you're sending it to, and the result it sends back ... do we have a leak? Yes, we definitely do!

So what do we do about it? We fix the pipe! We make sure there are no drips, besides the final destination that you choose to trust. Whatever DNS provider you choose, you need to make sure your pipe doesn't leak to prying eyes that you do not trust. So how do we fix the pipe? We use encryption. In my example above, this uses TLS. It goes out over your ISP connection, but they only see where it's from and where it goes. There is no way for anyone but the source and destination to see what domain you're querying and what answer is coming back. So someone may argue that you're leaking your source and destination IPs. While true, you're doing that with AirVPN server connections too. What does that tell anyone, except that you just talked to a DNS server or a VPN server in some datacenter? It tells them nothing else whatsoever.

So, Q1: capture traffic on the router on the interface with the public IP on it. Any other capture is useless. Set it to destination port 53 and see what happens. If it stays quiet for an hour or more, after you and your household buddies/family have been browsing around, used YouTube, Facebook, Snapchat, you're good. Next, set it to destination port 853 (you had it wrong, it's not 883, unless that was a typo?) and see what happens. If you see packets with indistinguishable and unreadable garbage, that's good too (IMO!! The ISP sees queries but doesn't know what they are). You could send those queries over VPN. Extra layer of obscurity and maybe security, your choice.

Q2: the leak here (if that's what you want to call it) is that 1.1.1.1 and 1.0.0.1 are "special" addresses. They use a little trick and they are routed to a cluster of DNS servers closest to you to provide the best and fastest experience. So if you are in the UK, that is no coincidence. Read up on Cloudflare's policy and what info they gather, and make your choice. They gather anonymized data and geolocation among some other things, but no source IP addresses or other identifiable data. Your choice to trust that or not.

Your observation is difficult. I want my internet to go down when the VPN is down, but this is a choice. The ONLY traffic that goes out is DNS over TLS to Cloudflare and the encrypted UDP tunnel to AirVPN. Not entirely true: I watch Netflix, so I have a bypass for AWS and Netflix servers.

The problem with AirVPN DNS is that you need to "fix" that DNS server IP address to a gateway address that may vary, depending on your OpenVPN configuration. Using a fixed DNS server at your VPN gateway address only works when you connect your OpenVPN client directly to a server or IP address. But when you use a country FQDN like de.vpn.airdns.org, you may end up on a gen2 server that hands out a different subnet and gateway address to your client, and your DNS won't work anymore. See my post here for more info on how that actually works. I totally love AirVPN for their setup with country FQDNs and their load balancing, I really do, but they killed that feature when they chose to push different subnets to clients from Gen2 servers, and I had to resort to the fix in that link.

Hope that helps, man; feel free to criticise and challenge my thoughts!
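The Q1 procedure above (capture on the WAN interface, filter on destination port 53, then on 853) is easy to automate once the capture is saved as text. The following Python is an added example, not the replier's code or anything from pfSense or AirVPN: it reads tcpdump -n output, treats any packet to destination port 53 leaving the WAN side as a plaintext DNS leak, and lists the DNS-over-TLS (port 853) peers it saw. The interface name, the addresses and the capture lines in SAMPLE_CAPTURE are constructed for the example; the check is by destination port only, exactly as the post describes, so it does not inspect payloads.

```python
"""Classify a tcpdump capture from the router's WAN interface into plaintext
DNS (port 53), DNS over TLS (port 853) and everything else.
Added example, not the replier's code or pfSense's.

On the router the capture would be taken with something like
    tcpdump -n -l -i <wan_if> 'port 53 or port 853'
(<wan_if> is whatever interface carries the public IP; assumed here)."""
import re
from collections import Counter

PLAINTEXT_DNS = 53
DNS_OVER_TLS = 853

# tcpdump -n prints "IP src.sport > dst.dport: ..." (or "IP6 ..." for v6).
# Greedy \S+ followed by a backtracked "\.(\d+)" peels the port off the end
# of the address, which also works for IPv6 addresses containing ':'.
LINE_RE = re.compile(
    r"^\S+\s+IP6?\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):"
)

# Constructed capture lines (not from the original post).  203.0.113.5 stands
# in for the router's public address.
SAMPLE_CAPTURE = """\
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:19:07.101 IP 203.0.113.5.51234 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0
19:19:07.102 IP 203.0.113.5.51234 > 1.1.1.1.853: Flags [P.], seq 1:518, ack 1, win 512, length 517
19:19:08.300 IP 203.0.113.5.40321 > 198.51.100.53.53: 4123+ A? airvpn.org. (28)
19:19:09.000 IP 203.0.113.5.55555 > 198.51.100.7.1194: UDP, length 120
19:19:10.000 IP6 2001:db8::10.43210 > 2606:4700:4700::1111.53: 7+ A? example.org. (29)
"""


def classify_line(line):
    """Return {src, dst, dport, kind} for a packet line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    if dport == PLAINTEXT_DNS:
        kind = "plaintext-dns"
    elif dport == DNS_OVER_TLS:
        kind = "dns-over-tls"
    else:
        kind = "other"
    return {"src": m.group("src"), "dst": m.group("dst"), "dport": dport, "kind": kind}


def classify_capture(lines):
    """Summarise a capture: every port-53 packet on the WAN side is a leak."""
    counts, leaks, dot_peers = Counter(), [], set()
    for line in lines:
        ev = classify_line(line)
        if ev is None:
            continue
        counts[ev["kind"]] += 1
        if ev["kind"] == "plaintext-dns":
            leaks.append(ev)
        elif ev["kind"] == "dns-over-tls":
            dot_peers.add(ev["dst"])
    return {"counts": dict(counts), "leaks": leaks, "dot_peers": sorted(dot_peers)}


def has_plaintext_dns(lines):
    """The post's pass/fail criterion: quiet on port 53 means no leak."""
    return bool(classify_capture(lines)["leaks"])


if __name__ == "__main__":
    report = classify_capture(SAMPLE_CAPTURE.splitlines())
    print("counts:", report["counts"])
    print("DoT peers:", report["dot_peers"])
    for leak in report["leaks"]:
        print(f"LEAK: {leak['src']} -> {leak['dst']}:{leak['dport']}")
```

Run it over a real capture (tcpdump ... > wan.txt, then classify_capture(open("wan.txt"))) taken after an hour of normal browsing; an empty leaks list is the "stays quiet" outcome the post asks for, and a non-empty one names the resolver that is being reached in the clear.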
