Showing results for tags 'Linux'.



Found 223 results

  1. Download your configuration file from the page Config Generator. If you don't already have the OpenVPN package installed in your system, you can tick Advanced Mode and tick Bundle executable (only for x86/amd64 based systems).

     Have a look here to take care of DNS push (OpenVPN will not do that for you by default): https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

     Open a terminal console, reach the directory where you stored the files generated by the Configuration Generator and launch

         sudo openvpn foo.ovpn

     if you already have installed the OpenVPN package, or

         sudo ./openvpn foo.ovpn

     if you have downloaded our bundled executable. foo.ovpn is any of the *.ovpn files generated by the Config Generator.

     In the example we report "sudo" to run OpenVPN with root privileges. In some systems you might not have "sudo" available, or your account might not be included in the "sudo-ers". In these cases, you just need to run a terminal as root, or become root with the "su" command.
  2. UPDATE

     Due to multiple, critical problems in network-manager-openvpn which after years have not been solved we recommend to NOT use it. Please understand that we will not provide support to network-manager-openvpn. In GNU/Linux we recommend that you run our free and open source software "Eddie", or our free and open source software "Hummingbird", or OpenVPN directly.

     21/04/2014: network-manager-openvpn runs OpenVPN so that OpenVPN does not check the server certificate. Therefore we DO NOT RECOMMEND usage of network-manager for security reasons. This issue is already fixed in newest version not yet available in Debian 7 Wheezy.

     • Download your configuration file from the page Config Generator
     • Select "Advanced Mode"
     • Tick "Separate certs/keys from .ovpn files"
     • Save the downloaded zip-file somewhere, say in ~/.airvpn.
     • Unzip it. Five files should be extracted. Try to make sure nobody but you can read the file user.key, because that one is secret.
     • Erase the zip-file. Or at least, make sure only you can read it (since it contains the secret user.key file inside).
     • Install the package named network-manager-openvpn-gnome, which is a plugin to NetworkManager handling OpenVPN connections. The install will automatically include all needed packages, like openvpn etc. Perhaps you'll have to log out and log in again, or even restart the computer or something.
     • To check that openvpn plugin was properly installed in NetworkManager, click on the nm-applet (the NetworkManager icon) => VPN Connections => Configure VPN. In the little window that comes up, click the Add button. Is there an OpenVPN option in the menu? Good. But don't click on it. Just close the windows. This was just a check.
     • Click on the nm-applet (the NetworkManager icon) => VPN Connections => Configure VPN
     • In the little window that comes up, click the Import button.
     • In the file chooser that comes up, find the previously downloaded file air.ovpn (perhaps you stored it in the ~/.airvpn directory?)
     • A new little window comes up. It is pre-filled with the necessary airvpn-configuration stuff.
     • Click the NetworkManager applet. Under VPN-connections, you should now be able to select the VPN-connection named air. After a little while, the applet icon should be decorated with a little padlock.

     For any comment or feedback, you can find the discussion here. Thanks to HugeHedon for this article.
  3. I just downloaded a new configuration from the config generator. I created one for Asia and one for USA. I used the generator to make the generator create separate files for the keys, certs. The ovpn is set to use port 443. This has worked before. Now it seems to time out.

         Tue Apr 15 18:23:52 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
         Tue Apr 15 18:23:52 2014 TLS Error: TLS handshake failed
         Tue Apr 15 18:23:52 2014 SIGUSR1[soft,tls-error] received, process restarting

     Here is everything:

         openvpn Asia443.ovpn
         Tue Apr 15 18:20:48 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
         Tue Apr 15 18:20:48 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
         Tue Apr 15 18:20:48 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
         Tue Apr 15 18:20:48 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
         Tue Apr 15 18:20:48 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
         Tue Apr 15 18:20:48 2014 UDPv4 link local: [undef]
         Tue Apr 15 18:20:48 2014 UDPv4 link remote: [AF_INET]119.81.1.123:443
         Tue Apr 15 18:21:48 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
         Tue Apr 15 18:21:48 2014 TLS Error: TLS handshake failed
         Tue Apr 15 18:21:48 2014 SIGUSR1[soft,tls-error] received, process restarting
         Tue Apr 15 18:21:48 2014 Restart pause, 2 second(s)
         Tue Apr 15 18:21:50 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
         Tue Apr 15 18:21:50 2014 UDPv4 link local: [undef]
         Tue Apr 15 18:21:50 2014 UDPv4 link remote: [AF_INET]119.81.1.123:443
  4. Hello! When connecting on Linux via the command 'sudo openvpn AirVPN_America_UDP-443.ovpn' I get the error in the subject line. It appears that I'm connected without problems but just wanted to check. I'm running the latest versions of Arch Linux, openvpn, openssl, and have separated keys/certs from ovpn files. The files are all in my home directory with permissions -rw-r--r--

     Thank you for your help
  5. I've read the instructions on adding a VPN via the GUI NetworkManager in Linux. I cannot get these options to save. I'm attaching a screen shot as this explains it much better than I can. All fields are populated, yet I cannot apply/save these settings. VPN via the command line does work, but I cannot create this connection via NetworkManager. Please help, it's driving me crazy!!
  6. Hi all, first post here, site looks like a fantastic resource. I have installed the European and Asian server files and several individual server files on to my openSUSE Gnome 13.10.02 box as per the Gnome Network Manager tutorial. Everything went fine until I checked for DNS leaks using GRC's https://www.grc.com/dns/dns.htm I was still querying my ISP's DNS. I manually set each VPN to use OpenNIC's non logging DNS http://www.opennicproject.org/, I have successfully done this with Mint and Ubuntu using Gnome Network Manager. However I seem to be having an issue with openSUSE, I can only connect reliably to the Swedish server and occasionally to the Netherlands, none of the others, i.e. Europe/Asia/Romania/Luxembourg/Singapore, even though they are all configured identically. I have obviously broken something by manually setting the DNS. I also don't know and cannot find the openSUSE command to open the openvpn logs which isn't helping. Any help much appreciated.
  7. OK, I posted a support query on shutting down OpenVPN. As it turned out OpenVPN is set to automatically restart if the connection is dropped. Shutting down via Ctrl C is (as a Linux user at least) apparently the way to do it if you have started OpenVPN in a Terminal.

     My shutting down using Ctrl C was causing the /usr/share/openvpn/update-resolv-conf script to become confused as it was out of sync with itself & threw an error whenever I tried to start OpenVPN after it had been closed via Ctrl C. (Which is why this thread & the support ticket started.)

     The start.VPN.sh script was born:

     It requires that you make the following two files:

         /etc/resolv.conf_VPN
         /etc/resolv.conf_VPN.bak

     These two identical files carry the following:

         # For use when OpenVPN is running:
         domain home
         nameserver 10.4.0.1 # AirVPN DNS
         nameserver 8.8.8.8 # Backup DNS (Google DNS)

     Following is what the script does, in order:

     * The script calls IPTables at its beginning, & shows the user that it is running via output to the Terminal. (See link to how-to at the bottom of the page.)
     * It then checks that /etc/resolv.conf & /etc/resolv.conf_VPN exist.
     * Then it checks to see if they are the same size (which is to protect from the resolv.conf_VPN having not been swapped back to having the AirVPN DNS on the last OpenVPN shutdown).
     * If the files are the same size, then the script copies the /etc/resolv.conf_VPN.bak file to /etc/resolv.conf_VPN .
     * Now the contents of the /etc/resolv.conf & the /etc/resolv.conf_VPN files are swapped. Meaning /etc/resolv.conf now has the AirVPN DNS followed by the Google DNS in it.
     * Now is the time to call OpenVPN & your chosen server, my current call follows:

           openvpn --config /etc/openvpn/AirVPN_NL-Dorsum_UDP-443.ovpn

       AirVPN using its own DNS should now be running.
     * When OpenVPN is closed via Ctrl C or via the Disconnect Now button, or however else you can close it, the first thing that happens (providing that you have IPTables set up correctly) is all internet connections are terminated. This is all in the hands of the IPTables that was started at the beginning of the script (IPTables must be set up by you beforehand).
     * Then /etc/resolv.conf & the /etc/resolv.conf_VPN files swap their contents again. Meaning that the /etc/resolv.conf now has the DNS or your router's IP address that it had in it before this script was started.

     That is it for what the script does.

     The start.VPN.sh script:

         #!/bin/bash
         ## Starts IPTables & shows that it is running.
         ## Then:
         ## Function to swap 2 files holding DNS addresses, /etc/resolv.conf
         ## & /etc/resolv.conf_VPN.
         ## To protect from the possibility of the resolv.conf with non-VPN
         ## DNS address overwriting your resolv.conf_VPN & causing you to use
         ## the wrong DNS, this script now checks whether resolv.conf &
         ## resolv.conf_VPN are the same, & if they are, then resolv.conf_VPN
         ## is replaced by its backup, ie, /etc/resolv.conf_VPN.bak.
         ##
         ## After the above is done, then OpenVPN with AirVPN server is
         ## called. When OpenVPN closes, the resolv.conf files are swapped
         ## back again, so the original, non VPN file (DNS) is restored to
         ## /etc/resolv.conf .
         ## You need to create the /etc/resolv.conf_VPN & the
         ## /etc/resolv.conf_VPN.bak files with the AirVPN DNS & a backup
         ## DNS that is NOT your ISP's DNS.
         ##
         ## I use the following 4 lines of text for those two previously
         ## mentioned files:
         ##
         ## # AirVPN DNS followed by Google's DNS:
         ## domain home
         ## nameserver 10.4.0.1
         ## nameserver 8.8.8.8
         ##
         ###########################################

         # Turn on iptables - which protects my IP by allowing only VPN DNS
         # if I lose VPN all internet connections are immediately stopped.
         systemctl start iptables.service
         systemctl status iptables.service
         iptables -nvL --line-numbers

         # Check entered arguments
         if [ -z "$1" ] || [ -z "$2" ]
         then
             echo "Using inbuilt defaults"
             file1="/etc/resolv.conf"
             file2="/etc/resolv.conf_VPN"
         else
             file1=$1
             file2=$2
         fi

         # Check if the files exist
         if [ ! -f "$file1" ] || [ ! -f "$file2" ]
         then
             echo "File(s) doesnt exist"
             exit 1
         fi

         # Check whether the files are the same (cmp -s exits 0 when identical)
         if cmp -s "$file1" "$file2"
         then
             echo "Files $file1 $file2 same"
             echo "Replacing $file2 with $file2.bak"
             if [ ! -f "$file2.bak" ]
             then
                 echo "File $file2.bak doesnt exist"
                 echo "Exiting.."
                 exit 1
             else
                 cp "$file2.bak" "$file2"
             fi
         fi

         # The swap function (works on the global file1/file2 variables)
         swap() {
             cp "$file2" file.bak
             mv "$file1" "$file2"
             mv file.bak "$file1"
         }

         # Swap the files
         swap "$file1" "$file2"
         echo "Files $file1 and $file2 swapped"

         # Do openVPN stuff
         openvpn --config /etc/openvpn/AirVPN_NL-Dorsum_UDP-443.ovpn

         # Again swap the files, ie, go back to the original state
         swap "$file2" "$file1"
         echo "Files $file2 and $file1 swapped"

         # Turn off iptables - this allows usage of NON-VPN internet & DNS
         # this is here for certain circumstances when it may be useful.
         # Just uncomment the following two lines if needed. Doing so
         # renders the identity protection that may be offered by your
         # IPTables setup useless.
         #systemctl stop iptables.service
         #echo "Turned off iptables - normal internet is now accessible BEWARE!"

         # Done
         exit 0

     Calling the script via a ~/.bashrc alias:

     By adding the following alias (see below) to your ~/.bashrc you can call the start.VPN.sh script by just entering vpn at the Terminal prompt. (You need to change the path to the start.VPN.sh script to suit where you have it stored on your system.)

         alias vpn="sudo su -c ~/.config/openvpn/start.VPN.sh"

     After having entered any alias (or making any other edits) in your ~/.bashrc you need to reinitialize the Terminal to activate any changes to your ~/.bashrc. You can do this by closing & restarting your Terminal, or you can enter the following in the Terminal:

         source .bashrc

     I actually have an alias for the above command in my ~/.bashrc too, as follows:

         alias src="source .bashrc"

     Using the above alias src in the Terminal runs the source .bashrc command.

     I've not yet tried running the start.VPN.sh script from inside of the /etc/openvpn/AirVPN .ovpn file. I'll post my results when I have some.

     Associated Links:

     I haven't yet tried calling the script from inside of the /etc/openvpn/AirVPN .ovpn file. I'll post & hopefully edit the page when I've tried that.

     This is the how-to that I used to get IPTables set up: https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/?hl=%2Biptables+%2Bleaks+%2Blinux

     Here is the solution to my silly error when setting up IPTables: https://airvpn.org/topic/10598-linux-set-up-firewall-as-per-how-to-from-staff-member/

     This is the link to the update-resolv-conf page: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/
  8. I'm not sure if anyone else would find this useful, but I threw together a simple script the other day for speeding up the process of configuring and managing my VPN connections on my desktop (Linux Mint). Note that this is far from comprehensive--I made it with my use cases in mind.

     https://github.com/mindcruzer/airvpn-cli

     ex.

         ~$ airvpn setup pavonis --connect

     Would prompt you for your username and password, generate the configuration, save it and set the appropriate permissions, then start the openvpn daemon. There are a few other useful commands as well.
  9. I'd like to share the configuration which I use with VPN in order to discuss it and for others to use. The idea is to launch apps which should use VPN inside a separate network namespace. Other apps will run inside the default network namespace and use the default direct connection without VPN.

     Linux network namespaces enable you to configure a container with a separate set of network interfaces with a separate routing table, separate firewall rules and a separate resolv.conf. Only processes which are inside the namespace will be able to access and use all that.

     You should compile network namespace support in your kernel and support for the "veth" network device. veth is a pair of virtual devices. They operate this way: data that comes into one comes out from the other and vice versa. We use them to link namespaces together because your eth0 can only exist in one namespace.

     I am running:

     OS: Gentoo
     init system: systemd
     network management tool: netctl (from Arch Linux, available in Gentoo)

     You would have to adapt your configuration if you're using anything else. It should be easy.

     GENERAL OVERVIEW.

     Default namespace contains these interfaces: lo lan0 veth1 br0
     Additional namespace contains: lo veth0 tun0

     lan0 is my physical net interface (you could think of that as eth0). Kernel links veth0 to veth1. br0 bridges lan0 and veth1 together. tun0 is the VPN tunnel through veth0. I called my additional namespace "vpn". This way processes from both namespaces can communicate with my LAN.

     Processes from the default namespace communicate this way: (br0) -> lan0.

     Processes from "vpn" namespace communicate this way.
     In case of a LAN connection: veth0 -> veth1 -> (br0) -> lan0
     In general case: tun0 -> veth0 -> veth1 -> (br0) -> lan0

     STEP 1. Startup script.

     Create a startup script which takes care of creating the veth0/veth1 pair for you. It also creates the vpn namespace. In my case it is a systemd unit which runs before netctl:

         [Unit]
         Description=Custom network namespace
         Before=netctl@bridge.service network.target
         Wants=network.target

         [Service]
         Type=oneshot
         RemainAfterExit=1
         ExecStart=/bin/ip netns add vpn
         ExecStart=/bin/ip link add type veth
         ExecStart=/bin/ip link set veth0 address 16:7c:e1:06:53:dd
         ExecStart=/bin/ip link set veth1 address f6:7c:e1:06:53:dd
         ExecStart=/bin/ip link set veth0 netns vpn
         ExecStart=/bin/ip link set veth1 up
         ExecStop=/bin/ip netns delete vpn

         [Install]
         WantedBy=multi-user.target

     You can see that I am assigning MAC addresses here manually. The point is how br0 gets its MAC address. I want lan0's MAC higher than veth1's MAC in order for br0 to use lan0's MAC and for MAC-based DHCP server not to misbehave on my router. If br0 gets veth1's MAC, the machine will get a different IP address in comparison to what it gets without a bridge.

     STEP 2. resolv.conf

     After you run the script or reboot, you have to set up resolv.conf for the namespace. Look for it in /etc/netns/vpn/resolv.conf. For airvpn it should contain the "nameserver 10.4.0.1" line. For a shell running in the "vpn" namespace, /etc/netns/vpn/resolv.conf will be automatically bound to /etc/resolv.conf.

     STEP 3. Bridge interface.

     Set up the bridge interface. In my case it is a netctl profile in /etc/netctl/bridge:

         Description="bridge connection"
         Interface=br0
         Connection=bridge
         BindsToInterfaces=(lan0 veth1)
         IP=dhcp
         TimeoutDHCP=15

     STEP 4. Running openvpn in the namespace.

     Reboot and check that br0 is up. Create a helper script /usr/local/bin/ns_enter:

         #!/bin/bash
         # Bring up the interfaces inside the namespace
         ifconfig lo up
         ifconfig veth0 up
         # Reset routing and addressing, then set the LAN address and gateway
         ip route flush table main
         ip add flush dev veth0
         ip add add 192.168.1.100/24 dev veth0
         ip route add default via 192.168.1.1 metric 10
         # Allow only the VPN server, the LAN and the tunnel; drop everything else
         iptables -F OUTPUT
         iptables -A OUTPUT -d 95.211.138.7 -j ACCEPT
         iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
         iptables -A OUTPUT -o tun0 -j ACCEPT
         iptables -P OUTPUT DROP

     Note that you have to specify the IP address and gateway for your LAN. Now you enter the namespace this way:

         sudo ip netns exec vpn /usr/local/bin/ns_enter
         sudo ip netns exec vpn su - <your_username>

     95.211.138.7 is the VPN server. These rules allow all local traffic (192.168.1.0/24) and all traffic through VPN. Note that you cannot put a hostname instead of 95.211.138.7 in your .ovpn file because openvpn wouldn't be able to resolve it.

     Check that the shell has access to exactly 2 interfaces: lo, veth0 (run ifconfig for that). Now launch openvpn:

         sudo openvpn --config /etc/openvpn/airvpn.ovpn --daemon

     You should see the 3rd interface (tun0) appear soon. Ready to roll. You can launch apps in background from the shell.

     The only serious problem I've encountered is that you can't run apps which need dbus connections this way. I haven't figured out how to fix that yet. Setting the environment variable didn't help. Does anyone know why?
  10. I started using AirVPN just recently. I downloaded a .tar archive for OpenVPN from the website and there are 2 problems with it: 1. All files inside have rwxrwxrwx permissions (.ovpn, ca.crt, user.crt, user.key). Since I downloaded a tar, not zip, it should be possible to prevent that. 2. The instructions on the website do not tell you to change permissions, they only tell you to unpack the archive and launch "sudo openvpn <filename.ovpn>". Many users might overlook the problem.
  11. Hello. Just tried this simple rule:

          -A INPUT -p tcp --syn -j DROP

      ...and found out, it prevents me from establishing an AirVPN session. So, my question is in the subject line - and I'm not good enough at networking to figure that out myself. Would appreciate specific suggestions.
  12. Hello, is it possible to use the iptables tutorial but allow two or more vpn servers? I think that this is the important line. Everything else than this destination is getting blocked by iptables. Can I just add another line of that with a different destination? I would assume that everything gets blocked then.

          iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP

      Thanks
  13. Hi,

      On Windows 8, home computer, all is OK, airvpn good speed... but... On laptop Linux (Arch), sometimes some websites display slowly (google), but most websites do not display. (It's the same line, internet box, ISP.) I tried with various protocols and various ports (udp 443, tcp 443 ...53) but nothing...

      My config file:

          client
          dev tun
          proto udp
          remote earth.vpn.airdns.org 53
          resolv-retry infinite
          nobind
          ns-cert-type server
          cipher AES-256-CBC
          comp-lzo
          verb 3
          explicit-exit-notify 5
          ca "etc/openvpn/ca.crt"
          cert "etc/openvpn/user.crt"
          key "etc/openvpn/user.key"

      I launched openvpn:

          # openvpn /etc/openvpn/airvpn_UDP_53.ovpn
          Tue Sep 24 09:59:14 2013 OpenVPN 2.3.2 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 9 2013
          Tue Sep 24 09:59:14 2013 Socket Buffers: R=[212982->131062] S=[212982->131062]
          Tue Sep 24 09:59:14 2013 UDPv4 link local: [undef]
          Tue Sep 24 09:59:14 2013 UDPv4 link remote: [AF_INET]181.74.203.161:53
          Tue Sep 24 09:59:14 2013 TLS: Initial packet from [AF_INET]181.74.203.161:53, sid=bd1c2aa8 deb44c102
          Tue Sep 24 09:59:15 2013 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
          Tue Sep 24 09:59:15 2013 VERIFY OK: nsCertType=SERVER
          Tue Sep 24 09:59:15 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@vpninfo.org
          Tue Sep 24 09:59:17 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Tue Sep 24 09:59:17 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Tue Sep 24 09:59:17 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Tue Sep 24 09:59:17 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Tue Sep 24 09:59:17 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
          Tue Sep 24 09:59:17 2013 [server] Peer Connection Initiated with [AF_INET]181.74.203.161:53
          Tue Sep 24 09:59:19 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
          Tue Sep 24 09:59:19 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.7.0.1,comp-lzo no,route 10.7.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.7.1.97 10.7.1.96
          Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: timers and/or timeouts modified
          Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: LZO parms modified
          Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: --ifconfig/up options modified
          Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: route options modified
          Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
          Tue Sep 24 09:59:19 2013 ROUTE_GATEWAY 192.168.0.254/255.255.255.0 IFACE=enp3s0f2 HWADDR=b2:35:42:c1:a3:47
          Tue Sep 24 09:59:19 2013 TUN/TAP device tun0 opened
          Tue Sep 24 09:59:19 2013 TUN/TAP TX queue length set to 100
          Tue Sep 24 09:59:19 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
          Tue Sep 24 09:59:19 2013 /usr/bin/ip link set dev tun0 up mtu 1500
          Tue Sep 24 09:59:19 2013 /usr/bin/ip addr add dev tun0 local 10.7.1.97 peer 10.7.1.96
          Tue Sep 24 09:59:19 2013 /usr/bin/ip route add 181.74.203.161/32 via 192.168.0.254
          Tue Sep 24 09:59:19 2013 /usr/bin/ip route add 0.0.0.0/1 via 10.7.1.96
          Tue Sep 24 09:59:19 2013 /usr/bin/ip route add 128.0.0.0/1 via 10.7.1.96
          Tue Sep 24 09:59:19 2013 /usr/bin/ip route add 10.7.0.1/32 via 10.7.1.96
          Tue Sep 24 09:59:19 2013 Initialization Sequence Completed

      Can you help me please?
  14. Hi all,

      I have just finished configuring the SSL tunnel for AirVPN under Linux (Ubuntu). I think the guide at https://airvpn.org/ssl/ needs to be updated. If you use

          apt-get install stunnel

      Ubuntu will install stunnel4, but the softlink which is used in stunnel "AirVPN <..> - SSL <..>.ssl" points at version stunnel3. So first, go to /usr/bin/ and change the softlink to point at stunnel4 instead of 3:

          sudo -ln -s /usr/bin/stunnel4 /usr/bin/stunnel

      [EDIT from Staff: the correct command is "sudo ln ..."]

      Second point is, stunnel needs to know where the ssl certificate is located, if you don't point it to the right directory, the connection will end with the error:

          End of section stunnel: SSL server needs a certificate

      So to get rid of this, you have to go to /etc/stunnel and create a file stunnel.conf (also check the README there for more infos) and in it insert 2 lines:

          cert=/path/to/pem
          key=/path/to/key

      Last but not least you have to generate a stunnel private key:

          openssl req -new -x509 -days 365 -nodes

      Just remember to put it in the folder, which is listed in the stunnel.conf file. Now you should be able to run the connection through a tunnel.

      Because I'm not a Linux wiz, I have used help from the following guides:

      Google
      http://serverfault.com/questions/424619/stunnel-not-reading-configuration-file
      http://www.onsight.com/faq/stunnel/stunnel-faq-a.html
      https://www.stunnel.org/pipermail/stunnel-users/2011-September/003261.html
  15. help !! i've set up pfsense to work with airvpn. my ip address shows as the desired location and it makes me think everything is set up correctly. but . . . when i do a dns test it shows my true ip address from the internet company. also, when i log on to this web site it indicates "not connected" and shows the same ip address. i have tried various combinations for the dns settings of general setup. for the dns server i have 10.0.5.1 and 10.0.4.1. i've tried various combinations of the "allow dns server list" box and the "do not use the dns forwarder" box. what am i missing? what settings do i need to mask my ip address with no dns leaks??? this noob appreciates any assistance.
  16. I have just purchased this for port forwarding as I have 2 different computers that I want to use for webhosting and cannot port forward to 2 separate computers. I have installed network-manager-openvpn-gnome on the computer with Ubuntu. I do not have a GUI so the instructions to follow here https://airvpn.org/linux/ do not work. I have created openvpn in my home directory and uploaded the 4 files made in airvpn to here. I restarted openvpn and get the following: NO VPN is running. What do I need to do next? I have not set up the port forwarding as yet. Thanks for any help.
  17. NOTE: if you run Eddie or Hummingbird you don't need this guide, but you might need to get rid of update-systemd-resolved which, in one of its various working modes, can interfere fatally with DNS handling.

      This post describes how to accept OpenVPN servers DNS push on Linux, OpenBSD, FreeBSD and some other POSIX-compliant OS when:

      • resolvconf package OR openresolv package is installed
      • OpenVPN is run directly (i.e. NOT through any OpenVPN GUI/wrapper such as network-manager)
      • OpenVPN version is 2.1 or higher

      Warning: the specified "update-resolv-conf" script path refers to many Linux distributions and OpenVPN package installation, but NOT to all of them. Please check the correct path of the mentioned file before proceeding (for example: it could be /usr/share/openvpn instead of /etc/openvpn). If the script is not on your system, you'll need to create it. See the typical script here: https://wiki.archlinux.org/index.php/OpenVPN#DNS

      Important: in the same above linked page, note that if you have a system based on systemd you might need some important modifications:

      Add to your OpenVPN configuration file(s), either in field "Custom Directives" of the Configuration Generator or by editing the configuration directly, the following lines:

          script-security 2
          up /etc/openvpn/update-resolv-conf
          down /etc/openvpn/update-resolv-conf

      In this way update-resolv-conf will record the DNS push and through resolvconf or openresolv will modify the nameserver accordingly. When OpenVPN quits, update-resolv-conf restores the previous nameserver line(s).

      Kind regards
  18. Hey guys, I followed the instructions and when attempting to connect I get to Initialization Sequence Completed and then.. Nothing. It just hangs it seems like. Anyone have any suggestions? I did an alt+C to cancel at the end to restore internet access.

          Mon Jun 17 12:04:40 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 27 2013
          Mon Jun 17 12:04:40 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
          Mon Jun 17 12:04:40 2013 WARNING: file 'user.key' is group or others accessible
          Mon Jun 17 12:04:40 2013 LZO compression initialized
          Mon Jun 17 12:04:40 2013 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
          Mon Jun 17 12:04:40 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
          Mon Jun 17 12:04:40 2013 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
          Mon Jun 17 12:04:40 2013 Local Options hash (VER=V4): '22188c5b'
          Mon Jun 17 12:04:40 2013 Expected Remote Options hash (VER=V4): 'a8f55717'
          Mon Jun 17 12:04:40 2013 UDPv4 link local: [undef]
          Mon Jun 17 12:04:40 2013 UDPv4 link remote: [AF_INET]149.255.33.154:443
          Mon Jun 17 12:04:40 2013 TLS: Initial packet from [AF_INET]149.255.33.154:443, sid=73901bca b6551ec2
          Mon Jun 17 12:04:40 2013 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
          Mon Jun 17 12:04:40 2013 VERIFY OK: nsCertType=SERVER
          Mon Jun 17 12:04:40 2013 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
          Mon Jun 17 12:04:41 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Mon Jun 17 12:04:41 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Mon Jun 17 12:04:41 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
          Mon Jun 17 12:04:41 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
          Mon Jun 17 12:04:41 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
          Mon Jun 17 12:04:41 2013 [server] Peer Connection Initiated with [AF_INET]149.255.33.154:443
          Mon Jun 17 12:04:43 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
          Mon Jun 17 12:04:43 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.39.62 10.4.39.61'
          Mon Jun 17 12:04:43 2013 OPTIONS IMPORT: timers and/or timeouts modified
          Mon Jun 17 12:04:43 2013 OPTIONS IMPORT: LZO parms modified
          Mon Jun 17 12:04:43 2013 OPTIONS IMPORT: --ifconfig/up options modified
          Mon Jun 17 12:04:43 2013 OPTIONS IMPORT: route options modified
          Mon Jun 17 12:04:43 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
          Mon Jun 17 12:04:43 2013 ROUTE default_gateway=192.168.3.30
          Mon Jun 17 12:04:43 2013 TUN/TAP device tun0 opened
          Mon Jun 17 12:04:43 2013 TUN/TAP TX queue length set to 100
          Mon Jun 17 12:04:43 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
          Mon Jun 17 12:04:43 2013 /sbin/ifconfig tun0 10.4.39.62 pointopoint 10.4.39.61 mtu 1500
          Mon Jun 17 12:04:43 2013 /sbin/route add -net 149.255.33.154 netmask 255.255.255.255 gw 192.168.3.30
          Mon Jun 17 12:04:43 2013 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.39.61
          Mon Jun 17 12:04:43 2013 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.39.61
          Mon Jun 17 12:04:43 2013 /sbin/route add -net 10.4.0.1 netmask 255.255.255.255 gw 10.4.39.61
          Mon Jun 17 12:04:43 2013 Initialization Sequence Completed
          ^CMon Jun 17 12:05:10 2013 event_wait : Interrupted system call (code=4)
  19. This guide shows how to set rules to prevent leaks in case of unexpected VPN disconnection and provides you with clear scripts ready to be used with basic modifications on Red Hat Enterprise Linux and RHEL rebuilds such as Oracle Linux, Scientific Linux, X/OS, CentOS etc.

      THANKS TO JESSEZ - ORIGINAL POST BY JESSEZ (minor editing & clean-up by Air staff)

      This method requires the ipset package:

      sudo yum install ipset

      RHEL 6 and rebuilds (Oracle Linux, Scientific Linux and CentOS) do not have a kmod-ipset that I could find. The ip_set module has to be loaded manually as neither netfilter, iptables nor conntrack call the module themselves. As far as I know some Linux distros do have a kmod for ip_set so that would make usage of sysconfig/ipset.conf not necessary and also could cause a boot-time error (fatal or not). The ip_set module has to be loaded and a script run to load the ip_set script (creates and contains the AirVPN server IP addresses) so that there is a table to be read by the time iptables_restore runs (otherwise iptables_restore throws the error that no ipset "airvpn" exists).

      So there are 3 files. The first and the second file can be found attached to this message. The last one is a system file that needs a modification.

      1 /etc/sysconfig/ipset.conf

      This script tests whether the ip_set module is already loaded. If not it loads it into the kernel (modprobe).

      ipset.conf.txt

      2 /etc/sysconfig/ipset-airvpn.sh

      This file creates and fills the ip_set table of AirVPN server addresses. I haven't listed the servers, so that no-one can just open the file and get the server IPs. Add the ones you want where the a.b.c.d 's are. Add or subtract lines as necessary. I think I added enough buffers so that all the servers should be able to go into the table (which lives in RAM while the system is up and is lost at shutdown/re-start).

      After running the script use:

      sudo ipset -L airvpn

      to make sure all the servers you added to the script are there (it's easiest just to count the lines if you know how many servers you added in the first place). If not, change the part:

      hashsize 65536

      to the next larger:

      hashsize 131072

      (doing this obviously eats up RAM, so don't change it unless you need to) and note that the hashsize can start at 1024 and can only be a power of 2 (1024, 2048, 4096, ..., 131072...). If you're only using one or two servers and you need to save RAM, just change it down, re-run the script and issue the command

      sudo ipset -L airvpn

      again to check that all the desired servers are listed. Keep doubling the hashsize until they are. If anyone is wondering about the -exist option, it's there so that in case of accidental duplication of an IP address the script won't fail.

      iptables-airvpn_2013-01-19.txt

      3 /etc/init.d/iptables

      This is the system file, so be careful; add 2 new lines that become line 55 and line 56:

      # Load /etc/sysconfig/ipset-airvpn.sh to make the airvpn table
      sh /etc/sysconfig/ipset-airvpn.sh

      Ok, that should be it, iptables and the "airvpn" ipset table should now survive a reboot with no errors. Test by rebooting, and trying Internet access of any and/or several kind(s) before starting a VPN connection when the desktop is up. If it's working you will have no Internet before starting a VPN connection, and you will be able to connect to any of the servers you added to ipset-airvpn.sh without OpenVPN throwing an error (probably: write UDPv4 []: Operation not permitted (code=1)).

      Note: rename the attached files according to the names given above. Put the files in the appropriate folders as listed above.

      Regards, jz
  20. Hi, Just wanted to share a solution which (for me) continued from this post, which explained in great detail how to set up your OpenVPN with Linux.

      After having followed the steps exactly, I was unable to click on the "Save" button to save my VPN configuration/import because the "Save" button was just grey. No matter what I tried, the button just stayed grey. Having researched this topic on Google, I found many posts where other Linux users had the same problem and in some instances reported this as a bug. Like here for example.

      Well, as it turns out the answer is so simple, that I could kick myself for having not thought of such a simple solution earlier. The answer is right here on AirVPN. Normally when saving a configuration, you probably just save it from AirVPN onto your laptop or computer, right? Well, there is one single thing that you need to do prior to clicking the Generate button. Place a "tick" in the "Advanced Mode" box. Then pick "Linux and others", and most importantly under Advanced pick "Separe keys/certs from .ovpn file". You then get separate files: ca.crt, user.crt, user.key, and the .ovpn file.

      Then click the "Import" button in your Network > VPN config section and import the .ovpn file. It automatically populates all the other fields with your other certificates and keys. And your "Save" button is now clickable.
  21. EDITED ON 21 Aug 12
      EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of message
      EDITED ON 02 Jun 15: please refer to https://airvpn.org/faq/software_lock for a more advanced set of rules

      WARNING: this guide assumes that you have no IPv6 connectivity. If you have, you should block outgoing IPv6 packets while connected to the VPN with "ip6tables". Please see https://airvpn.org/faq/software_lock

      Hello! You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude.

      Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection). a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply by looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you already have chains.

      Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.

      iptables -A INPUT -i lo -j ACCEPT
      iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
      iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
      iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
      iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
      iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
      iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
      iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
      iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
      iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects

      When you add the above rules, take care about pre-existing rules, if you already have some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server.

      In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs.

      Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN directives with update-resolv-conf script

      In this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following lines at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router):

      nameserver 10.4.0.1 # in order to use AirVPN DNS
      nameserver 31.220.5.106 # in order to use OpenNIC DNS only if AirVPN DNS is unavailable

      Kind regards

      Original thread post: https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-2?do=findComment&comment=2010
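The post above hard-codes one entry address a.b.c.d, read from the "remote" line of air.ovpn. The script below is an added example, not the poster's or AirVPN's code: it reads every `remote` line and prints the same rules, generalized to several entry addresses by using one ACCEPT per address followed by a catch-all DROP instead of the single negated DROP. The function names and the sample config (with RFC 5737 documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: print (not apply) kill-switch rules derived from an .ovpn file.

# Read an OpenVPN config on stdin; print each distinct IPv4 "remote" address.
# Host names are skipped with a warning: once the final DROP is in place and
# the VPN is down, DNS lookups are blocked, so only literal addresses are usable.
ovpn_remotes() {
    awk '$1 == "remote" {
        if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { if (!seen[$2]++) print $2 }
        else print "skipping non-IPv4 remote: " $2 > "/dev/stderr"
    }'
}

# usage: killswitch_rules [lan_cidr] [physical_if] < air.ovpn
# Defaults are the assumptions stated in the post (192.168.0.0/16, eth+).
killswitch_rules() (
    lan=${1:-192.168.0.0/16}
    nic=${2:-eth+}
    remotes=$(ovpn_remotes)
    if [ -z "$remotes" ]; then
        echo "no IPv4 remote found; a DROP rule now would lock out the VPN too" >&2
        exit 1
    fi
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
iptables -A INPUT -s $lan -d $lan -j ACCEPT
iptables -A OUTPUT -s $lan -d $lan -j ACCEPT
iptables -A FORWARD -i $nic -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o $nic -j ACCEPT
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
EOF
    # A negated DROP per address would make each rule drop the other entry
    # addresses, so accept each one and drop everything else on the NIC last.
    for ip in $remotes; do
        echo "iptables -A OUTPUT -o $nic -d $ip -j ACCEPT"
    done
    echo "iptables -A OUTPUT -o $nic -j DROP"
)

# Constructed sample config: a commented-out remote, a duplicate and a host name.
sample_ovpn() {
    cat <<'EOF'
client
dev tun
# remote 203.0.113.99 443
remote 192.0.2.10 443
remote 198.51.100.7 443
remote vpn.example.net 443
remote 192.0.2.10 53
EOF
}

sample_ovpn | killswitch_rules
```

Read the printed commands before applying them, for example with `killswitch_rules < air.ovpn | sudo sh`, and then repeat the disconnect test the post describes.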
  22. Personally I'm using gufw for linux, and it works very well. However, it's important to remember that gufw is just a graphical frontend for ufw, and ufw, in turn, is just a friendlier system for manipulating IPTABLES (which is again a system for manipulating netfilter directly in the running kernel). Gufw is perhaps over simplified, which is why I find it not really that great for anything else than providing an overview of your rules and turning the firewall on and off.

      With regards to firestarter, I have tried it once, but I didn't really have any good experience with it, since, as you guys have already posted, it seems rather poorly coded and does some odd things when manipulating IPTABLES.

      What I found invaluable about ufw is its ability to specify rules based on interface and its simplicity even though it's quite powerful. This was my main motivation for using it over other solutions like Firestarter, and Shorewall was too complicated for my taste.

      My rule approach goes like this:

      - Allow connections OUT to AirVPN servers I use the most (for connecting/reconnecting to the AirVPN service, entry IP's, marked RED on the screenshot)
      - Allow connections OUT FROM the tun0 interface TO anywhere (when I'm connected, this is the interface used to communicate to the Internet, marked GREEN on the screenshot)
      - Allow connections (UDP/TCP) IN TO the tun0 interface to a specific port (to enable AirVPN's port forwarding feature, marked BLUE on the screenshot)
      - Allow connections IN FROM the 192.168.1.0/24 network TO the eth0 interface (enable home networking. Notice how it's on a different interface, YELLOW)
      - Allow connections OUT FROM the eth0 interface TO the 192.168.1.0/24 network (enable home networking, also on the eth0 interface, YELLOW)
      - Block ALL other traffic (by choosing DENY/DENY in gufw)

      When the VPN drops (and the tun0 interface is disabled), the only connections allowed OUT from the computer are to the AirVPN server IP's (to reconnect) and the local 192.168.1.0/24 network (to still function in the LAN). And the only connections allowed TO the computer are from the local network as well. No leaks.

      Now, the gufw GUI doesn't allow for specifying the interface (remember, it's over simplified), so to do that, it's necessary to use ufw directly. Gufw can, however, display the rules when created by ufw. For example:

      "sudo ufw allow out on tun0 from any to any" - is quite straightforward, and of course creates the rule that allows for communication TO the Internet when connected to AirVPN.

      "sudo ufw allow in on tun0 from any to any port xxxxx" - enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through.

      Tips:
      - the order of the rules is very important - mimic mine on the screenshot attached
      - to add rules in a specific order from the command line, use "insert x": "sudo ufw insert 3 allow in on tun0 from any to any port xxxxx" - inserts the rule at the 3rd position and moves rules below it downward, including the previous rule nr 3.
      - when adding rules via the commandline, press F5 in gufw to force a refresh and view the newly added rule
      - the UFW manual is well worth reading, although you may not need any more information than offered in this post
      - with this approach, you're blocking multicasting addresses possibly forwarded by your router. Just a thing to have in mind in case you need it; it is of course easily remedied by creating a new rule allowing the address(es).

      Let me know how this works for ya
  23. WARNING: this guide assumes that you have no IPv6 connectivity. If you have, you should block outgoing IPv6 packets while connected to the VPN with "ip6tables". Please see https://airvpn.org/faq/software_lock

      Here is a guide to prevent leaks and completely stop traffic when the VPN drops in Linux. If the openvpn connection drops you will not be able to access the internet while the firewall is activated. Just click the "stop firewall" button and reconnect with Openvpn, then re-enable the firewall. If you wish to connect to the internet without openvpn just press the "stop firewall" button within firestarter. This way you are protected if the VPN drops. Tested on Debian, Ubuntu, Mint, and OpenSUSE.

      This is assuming you have already setup OpenVPN on Linux after following the guide here-----> https://airvpn.org/linux/

      1). Install Firestarter firewall for Linux by opening the terminal and typing ---->

      sudo apt-get install firestarter

      2). Allow traffic on the OpenVPN interface by updating /etc/firestarter/user-pre. There are multiple ways to do this depending on your Linux Distro. Here are 2 examples.

      A). Open the terminal with root privileges and type----->

      gksu gedit /etc/firestarter/user-pre

      Add the following text to /etc/firestarter/user-pre and save---------->

      $IPT -A INPUT -i tun+ -j ACCEPT
      $IPT -A OUTPUT -o tun+ -j ACCEPT

      B). The second way is simply to go to the folder /etc/firestarter/ and click on the file USER-PRE and open in terminal with root privileges. Then add the code and save----->

      $IPT -A INPUT -i tun+ -j ACCEPT
      $IPT -A OUTPUT -o tun+ -j ACCEPT

      3). Restart Firestarter by opening the terminal and typing ------------>

      sudo /etc/init.d/firestarter restart

      4). Follow the images below to finish. You may have to restart the machine afterwards.
      [Screenshots: 01firewallwizard.png, 02firewallwizard.png, 03wizard.png, 04selectthepolicytab.png, 05nothingdotooninboundp.png, 06selectoutboundtraffic.png, 07policyoutboundsetrest.png]