Search the Community

Hi all, first post here, site looks like a fantastic resource. I have installed the Europeian and Asian server files and several individual server files on to my openUSE Gnome 13.10.02 box as per the Gnome Network Manager tutorial. Everything went fine until I checked for DNS leaks using GRC'S https://www.grc.com/dns/dns.htm I was still querying my ISP's DNS. I manually set each VPN to use OpenNIC's non logging DNS http://www.opennicproject.org/, I have sucssesfully done this with Mint and Ubuntu using Gnome Network Manager. However I seem to be having an issue with OpenSUSE, I can only connect reliably to the Swedish server and occasionally to the Netherlands, non of the others ie Europe/Asia/Romania/Luxumberg/Singapore even though they are all configured identically. I have obviously broken something by manually setting the DNS. I also don't know and cannot find the openSUSE command to open the openvpn logs which isn't helping. Any help much appreciated.

OK, I posted a support query on shutting down OpenVPN. As it turned out OpenVPN is set to automatically restart if the connection is dropped. Shutting down via Ctrl C is (as a Linux user at least) apparently the way to do it if you have started OpenVPN in a Terminal. My shutting down using Ctrl C was causing the /usr/share/openvpn/update-resolv-conf script to become confused as it was out of sync with itself & threw an error whenever I tried to start OpenVPN after it had been closed via Ctrl C. (Which is why this thread & the support ticket started.) The start.VPN.sh script was born: It requires that you make the following two files; /etc/resolv.conf_VPN /etc/resolv.conf_VPN.bak These two identical files carry the following: # For use when OpenVPN is running: domain home nameserver 10.4.0.1 # AirVPN DNS nameserver 8.8.8.8 # Backup DNS (Google DNS) Following is what the script does, in order: * The script calls IPTables at its beginning, & shows the user that it is running via output to the Terminal. (See link to how-to at the bottom of the page.) * It then checks that /etc/resolv.conf & /etc/resolv.conf_VPN exist. * Then it checks to see if they are the same size, (which is to protect from the resolv.conf_VPN having not been swapped back to having the AirVPN DNS on the last OpenVPN shutdown. * If the files are the same size, then the script copies the /etc/resolv.conf_VPN.bak file to /etc/resolv.conf_VPN . * Now the contents of the /etc/resolv.conf & the /etc/resolv.conf_VPN files are swapped. Meaning /etc/resolv.conf now has the AirVPN DNS followed by the Google DNS in it. * Now is the time to call OpenVPN & your chosen server, my current call follows: openvpn --config /etc/openvpn/AirVPN_NL-Dorsum_UDP-443.ovpnAirVPN using its own DNS should now be running. * When OpenVPN is closed via Ctlr C or via the Disconnect Now button, or however else you can close it. The first thing that happens (providing that you have IPTables setup correctly) is all internet connections are terminated. This is all in the hands of the IPTables that was started at the beginning of the script (IPTables must be setup by you before hand). * Then /etc/resolv.conf & the /etc/resolv.conf_VPN files swap their contents again. Meaning that the /etc/resolv.conf now has the DNS or your routers IP address, that it had in it before this script was started. That is it for what the script does. The start.VPN.sh script: #!/bin/bash ## Starts IPTables & shows that it is running. ## Then: ## Function to swap 2 files holding DNS addresses, /etc/resolv.conf ## & /etc/resolv.conf_VPN. ## To protect from the possibility of the resolv.conf with non-VPN ## DNS address overwriting your resolv.conf_VPN & causing you to use ## the wrong DNS, this script now checks whether resolv.conf & ## resolv.conf_VPN are the same, & if they are, then resolv.conf_VPN ## is replaced by its backup, ie, /etc/resolv.conf_VPN.bak. ## ## After the above is done, then OpenVPN with AirVPN server is ## called. When OpenVPN closes, the resolv.conf files are swapped ## back again, so the original, non VPN file (DNS) is restored to ## /etc/resolv.conf . ## You need to create the /etc/resolv.conf_VPN & the ## /etc/resolv.conf.VPN.bak files with the AirVPN DNS & a backup ## DNS that is NOT your ISP's DNS. ## ## I use the following 4 lines of text for those two previously ## mentioned files: ## ## # AirVPN DNS followed by Google's DNS: ## domain home ## nameserver 10.4.0.1 ## nameserver 8.8.8.8 ## ########################################### # Turn on iptables - which protects my IP by allowing only VPN DNS # if I lose VPN all internet connections are imediately stopped. systemctl start iptables.service systemctl status iptables.service iptables -nvL --line-numbers #Check entered arguments if [ ! $1 ] || [ ! $2 ] then echo "Using inbuilt defaults" file1="/etc/resolv.conf" file2="/etc/resolv.conf_VPN" else file1=$1 file2=$2 fi #Check if the files exist if [ ! -f $file1 ] || [ ! -f $file2 ] then echo "File(s) doesnt exist" exit 1 fi #Check whether the files are same if [[ ! `cmp $file1 $file2` ]] then echo "Files $file1 $file2 same" echo "Replacing $file2 with $file2.bak" if [ ! -f "$file2.bak" ] then echo "File $file2.bak doesnt exist" echo "Exiting.." exit 1 else cp "$file2.bak" "$file2" fi fi #The swap function swap() { cp $file2 file.bak mv $file1 $file2 mv file.bak $file1 } #Swap the files swap $file1 $file2 echo "Files $file1 and $file2 swapped" #Do openVPN stuff openvpn --config /etc/openvpn/AirVPN_NL-Dorsum_UDP-443.ovpn #Again swap the files, ie, go back to the original state swap $file2 $file1 echo "Files $file2 and $file1 swapped" # Turn off iptables - this allows usage of NON-VPN internet & DNS # this is here for certain circumstances when it may be useful. # Just uncomment the following two lines if needed. Doing so # renders the identity protection that may be offered by your # IPTables setup useless. #systemctl stop iptables.service #echo "Turned off iptables - normal internet is now accessible BEWARE!" #Done exit 0 Calling the script via a ~/.bashrc alias: By adding the (see below) following alias to your ~/.bashrc you can call the start.VPN.sh script by just entering vpn at the Terminal prompt. (You need to change the path to the start.VPN.sh script to suit where you have it stored on your system. alias vpn="sudo su -c ~/.config/openvpn/start.VPN.sh" After having entered any alias (or making any other edits) in your ~/.bashrc you need to reinitialize the Terminal to activate any changes to your ~/.bashrc. You can do this by closing & restarting your Teminal, or you can enter the following in the Terminal: source .bashrc I actually have an alias for the above command in my ~/.bashrc too, as follows: alias src="/external_image/?url=source+.bashrc" Using the above alias src in the Terminal, runs the source .bashrc command. I've not yet tried running the start.VPN.sh script from inside of the /etc/openvpn/AirVPN .ovpn file. I'll post my results when I have some. Associated Links: I haven't yet tried calling the script from inside of the /etc/openvnp/AirVPN .ovnp file. I'll post & hopefully edit the page when I've tried that. This is the how-to that I used to get IPTables setup: https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/?hl=%2Biptables+%2Bleaks+%2Blinux Here is the solution to my silly error when setting up IPTables: https://airvpn.org/topic/10598-linux-set-up-firewall-as-per-how-to-from-staff-member/ This is the link to the update-resolv-conf page: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

I'm not sure if anyone else would find this useful, but I threw together a simple script the other day for speeding up the process of configuring and managing my VPN connections on my desktop (Linux Mint). Note that this is far from comprehensive--I made it with my use cases in mind. https://github.com/mindcruzer/airvpn-cli ex. ~$ airvpn setup pavonis --connect Would prompt you for your username and password, generate the configuration, save it and set the appropriate permissions, then start the openvpn daemon. There are a few other useful commands as well.

I started using AirVPN just recently. I downloaded a .tar archive for OpenVPN from the website and there are 2 problems with it: 1. All files inside have rwxrwxrwx permissions (.ovpn, ca.crt, user.crt, user.key). Since I downloaded a tar, not zip, it should be possible to prevent that. 2. The instructions on the website do not tell you to change permissions, they only tell to unpack the archive and launch "sudo openvpn <filename.ovpn>". Many users might overlook the problem.

​Hello. ​Just tried this simple rule: ​-A INPUT -p tcp --syn -j DROP ​...​and found out, it prevents me from establishing an Airvpn session. ​ So, my question is in the subject line - and I'm not good enough at networking to figure that out myself. ​Would appreciate specific suggestions. ​

Hello, is it possible to use the iptables tutorial but allow two or more vpn servers? I think that this is the important line. Everything else than this destination is getting blocked by iptables. Can I just add another line of that with a different destination? I would assume that everything gets blocked then. iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP Thanks

Hi all, I have just finished configuring the SSL tunnel for AirVPN under Linux (Ubuntu). I think the guide at https://airvpn.org/ssl/ needs to be updated. If you use apt-get install stunnel Ubuntu will install stunnel4, but the softlink which is used in stunnel "AirVPN <..> - SSL <..>.ssl" points at version stunnel3. So first, go to /usr/bin/ and change the softlink to point at stunnel4 instead of 3: sudo -ln -s /usr/bin/stunnel4 /usr/bin/stunnel [EDIT from Staff: the correct command is "sudo ln ..."] Second point is, stunnel needs to know where the ssl certificate is located, if you don't point it to the right directory, the connection will end with the error: End of section stunnel: SSL server needs a certificate So to get rid of this, you have to go to /etc/stunnel and create a file stunnel.conf (also check the README there for more infos) and in it insert 2 lines: cert=/path/to/pemkey=/path/to/keyLast but not least you have to generate a stunnel private key: openssl req -new -x509 -days 365 -nodes Just remember to put it in the folder, which is listed in the stunnel.conf file. Now you should be able to run the connection through a tunnel Because I'm not a Linux wiz, I have used help from the following guides: Google http://serverfault.com/questions/424619/stunnel-not-reading-configuration-file http://www.onsight.com/faq/stunnel/stunnel-faq-a.html https://www.stunnel.org/pipermail/stunnel-users/2011-September/003261.html

Hi, On windows 8, home computer, all is OK, airvpn good speed... but... On laptop linux (arch), sometime some websites display slowly (google), but most websites does not display. (Its the same line, internet box, ISP) I try with various protocols and various ports (udp 443, tcp 443 ...53) but nothing... My config file : client dev tun proto udp remote earth.vpn.airdns.org 53 resolv-retry infinite nobind ns-cert-type server cipher AES-256-CBC comp-lzo verb 3 explicit-exit-notify 5 ca "etc/openvpn/ca.crt" cert "etc/openvpn/user.crt" key "etc/openvpn/user.key" I lauched openvpn : # openvpn /etc/openvpn/airvpn_UDP_53.ovpn Tue Sep 24 09:59:14 2013 OpenVPN 2.3.2 x86_64-unknown-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [iPv6] built on Jun 9 2013 Tue Sep 24 09:59:14 2013 Socket Buffers: R=[212982->131062] S=[212982->131062] Tue Sep 24 09:59:14 2013 UDPv4 link local: [undef] Tue Sep 24 09:59:14 2013 UDPv4 link remote: [AF_INET]181.74.203.161:53 Tue Sep 24 09:59:14 2013 TLS: Initial packet from [AF_INET]181.74.203.161:53, sid=bd1c2aa8 deb44c102 Tue Sep 24 09:59:15 2013 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org Tue Sep 24 09:59:15 2013 VERIFY OK: nsCertType=SERVER Tue Sep 24 09:59:15 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@vpninfo.org Tue Sep 24 09:59:17 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Tue Sep 24 09:59:17 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Tue Sep 24 09:59:17 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Tue Sep 24 09:59:17 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Tue Sep 24 09:59:17 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA Tue Sep 24 09:59:17 2013 [server] Peer Connection Initiated with [AF_INET]181.74.203.161:53 Tue Sep 24 09:59:19 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Tue Sep 24 09:59:19 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.7.0.1,comp-lzo no,route 10.7.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.7.1.97 10.7.1.96 Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: timers and/or timeouts modified Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: LZO parms modified Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: --ifconfig/up options modified Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: route options modified Tue Sep 24 09:59:19 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Tue Sep 24 09:59:19 2013 ROUTE_GATEWAY 192.168.0.254/255.255.255.0 IFACE=enp3s0f2 HWADDR=b2:35:42:c1:a3:47 Tue Sep 24 09:59:19 2013 TUN/TAP device tun0 opened Tue Sep 24 09:59:19 2013 TUN/TAP TX queue length set to 100 Tue Sep 24 09:59:19 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Tue Sep 24 09:59:19 2013 /usr/bin/ip link set dev tun0 up mtu 1500 Tue Sep 24 09:59:19 2013 /usr/bin/ip addr add dev tun0 local 10.7.1.97 peer 10.7.1.96 Tue Sep 24 09:59:19 2013 /usr/bin/ip route add 181.74.203.161/32 via 192.168.0.254 Tue Sep 24 09:59:19 2013 /usr/bin/ip route add 0.0.0.0/1 via 10.7.1.96 Tue Sep 24 09:59:19 2013 /usr/bin/ip route add 128.0.0.0/1 via 10.7.1.96 Tue Sep 24 09:59:19 2013 /usr/bin/ip route add 10.7.0.1/32 via 10.7.1.96 Tue Sep 24 09:59:19 2013 Initialization Sequence Completed Can you help me please ?

help !! i've set up pfsense to work with airvpn. my ip address shows as the desired location and it makes me think everything is set up correctly. but . . . when i do a dns test it shows my true ip address from the internet company. also, when i log on to this web site it indicates "not connected" and shows the same ip address. i have tried various combinations for the dns settings of general setup. for the dns server i have 10.0.5.1 and 10.0.4.1. i've tried various combinations of the "allow dns server list" box and the "do not use the dns forwarder" box. what am i missing? what settings do i need to mask my ip address with no dns leaks??? this noob appreciates any assistance.

I have just purchased this for port forwarding as i have 2 different computer that I want to use for webhosting and cannot port forward to 2 separate computers. I have installed network-manager-openvpn-gnome on the computer with Ubuntu. I do not have a GUI so the instructions to follow here https://airvpn.org/linux/ do not work. I have created openvpn in my home directory and uploaded the 4 files made in airvpn to here. i restarted openvpn and get the following NO VPN is running. What do I need to do next. I have not set up the port forwarding as yet. Thanks for any help.

NOTE: if you run Eddie or Hummingbird you don't need this guide, but you might need to get rid of update-systemd-resolved which, in one of its various working modes, can interfere fatally with DNS handling. This post describes how to accept OpenVPN servers DNS push on Linux, OpenBSD, FreeBSD and some other POSIX-compliant OS when: resolvconf package OR openresolv package is installed OpenVPN is run directly (i.e. NOT through any OpenVPN GUI/wrapper such as network-manager) OpenVPN version is 2.1 or higher Warning: the specified "update-resolv-conf" script path refers to many Linux distributions and OpenVPN package installation, but NOT to all of them. Please check the correct path of the mentioned file before proceeding (for example: it could be /usr/share/openvpn instead of /etc/openvpn). If the script is not on your system, you'll need to create it. See the typical script here: https://wiki.archlinux.org/index.php/OpenVPN#DNS Important: in the same above linked page, note that if you have a system based on systemd you might need some important modifications: Add to your OpenVPN configuration file(s), either in field "Custom Directives" of the Configuration Generator or by editing the configuration directly, the following lines: script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf In this way update-resolv-conf will record the DNS push and through resolvconf or openresolv will modify the nameserver accordingly. When OpenVPN quits, update-resolv-conf restores the previous nameserver line(s). Kind regards

Hey guys, I followed the instructions and when attempting to connect I get to Initalization Sequence Completed and then.. Nothing. It just hangs it seems like. Anyone have any suggestions? I did an alt+C to cancel at the end to restore internet access. Mon Jun 17 12:04:40 2013 OpenVPN 2.2.1 x86_64-linux-gnu [sSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [iPv6 payload 20110424-2 (2.2RC2)] built on Feb 27 2013Mon Jun 17 12:04:40 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executablesMon Jun 17 12:04:40 2013 WARNING: file 'user.key' is group or others accessibleMon Jun 17 12:04:40 2013 LZO compression initializedMon Jun 17 12:04:40 2013 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]Mon Jun 17 12:04:40 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]Mon Jun 17 12:04:40 2013 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]Mon Jun 17 12:04:40 2013 Local Options hash (VER=V4): '22188c5b'Mon Jun 17 12:04:40 2013 Expected Remote Options hash (VER=V4): 'a8f55717'Mon Jun 17 12:04:40 2013 UDPv4 link local: [undef]Mon Jun 17 12:04:40 2013 UDPv4 link remote: [AF_INET]149.255.33.154:443Mon Jun 17 12:04:40 2013 TLS: Initial packet from [AF_INET]149.255.33.154:443, sid=73901bca b6551ec2Mon Jun 17 12:04:40 2013 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.orgMon Jun 17 12:04:40 2013 VERIFY OK: nsCertType=SERVERMon Jun 17 12:04:40 2013 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.orgMon Jun 17 12:04:41 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit keyMon Jun 17 12:04:41 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationMon Jun 17 12:04:41 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit keyMon Jun 17 12:04:41 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationMon Jun 17 12:04:41 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSAMon Jun 17 12:04:41 2013 [server] Peer Connection Initiated with [AF_INET]149.255.33.154:443Mon Jun 17 12:04:43 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)Mon Jun 17 12:04:43 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.39.62 10.4.39.61'Mon Jun 17 12:04:43 2013 OPTIONS IMPORT: timers and/or timeouts modifiedMon Jun 17 12:04:43 2013 OPTIONS IMPORT: LZO parms modifiedMon Jun 17 12:04:43 2013 OPTIONS IMPORT: --ifconfig/up options modifiedMon Jun 17 12:04:43 2013 OPTIONS IMPORT: route options modifiedMon Jun 17 12:04:43 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modifiedMon Jun 17 12:04:43 2013 ROUTE default_gateway=192.168.3.30Mon Jun 17 12:04:43 2013 TUN/TAP device tun0 openedMon Jun 17 12:04:43 2013 TUN/TAP TX queue length set to 100Mon Jun 17 12:04:43 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0Mon Jun 17 12:04:43 2013 /sbin/ifconfig tun0 10.4.39.62 pointopoint 10.4.39.61 mtu 1500Mon Jun 17 12:04:43 2013 /sbin/route add -net 149.255.33.154 netmask 255.255.255.255 gw 192.168.3.30Mon Jun 17 12:04:43 2013 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.39.61Mon Jun 17 12:04:43 2013 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.39.61Mon Jun 17 12:04:43 2013 /sbin/route add -net 10.4.0.1 netmask 255.255.255.255 gw 10.4.39.61Mon Jun 17 12:04:43 2013 Initialization Sequence Completed^CMon Jun 17 12:05:10 2013 event_wait : Interrupted system call (code=4)

Hi, Just wanted to share a solution which (for me) continued from this post , which explained in great detail how to set up your OpenVPN with linux. After having followed the steps exactly, I was unable to click on the "Save" button to save my VPN configuration/import because the "save" button was just grey. No matter what I tried, the button just stayed grey. Having researched this topic on Google, I found many posts where other Linux users had the same problem and in some instances reported this as a bug. Like here for example. Well, as it turns out the answer is so simple, that I could kick myself for having not thought of such a simple solution earlier. The answer is right here on AirVPN. Normally when saving a configuration, you probably just save it from AirVPN onto your laptop or computer, right? Well, there is one single thing that you need to do prior to clicking the Generate button. Place a "tick" in the "Advanced Mode box. Then pick "Linux and others", and most importantly under Advanced pick "Separe keys/certs from .ovpn file". You then get seperate files: ca.crt, user.crt, user.key, and the .ovpn file. Then click the "Import" button button in your Network > VPN config section and import the .ovpn file. It automatically populates all the other fields with your other certificates and keys. And your "Save" button is now clickable.

This guide shows how to set rules to prevent leaks in case of unexpected VPN disconnection and provides you with clear scripts ready to be used with basic modifications on Red Hat Enterprise Linux and RHEL rebuilds such as Oracle Linux, Scientific Linux, X/OS, CentOS etc. THANKS TO JESSEZ - ORIGINAL POST BY JESSEZ (minor editing & clean-up by Air staff) This method requires the ipset package: sudo yum install ipsetRHEL 6 and rebuilds (Oracle Linux, Scientific Linux and CentOS) do not have a kmod-ipset that I could find. The ip_set module has to be loaded manually as neither netfilter, iptables nor conntrack call the module themselves. As far as I know some Linux distros do have a kmod for ip_set so that would make usage of sysconfig/ipset.conf not necessary and also could cause a boot-time error (fatal nor not). The ip_set module has to be loaded and a script run to load the ip_set script (creates and contains the AirVPN server IP addresses) so that there is a table to be read by the time iptables_restore runs (otherwise iptables_restore throws the error that no ipset "airvpn" exists). So there are 3 files. The first and the second file can be found attached to this message. The last one is a system file that needs a modification. 1 /etc/sysconfig/ipset.conf This script tests whether the ip_set module is already loaded. If not it loads it into the kernel (modprobe). ipset.conf.txt 2 /etc/sysconfig/ipset-airvpn.sh This file creates and fills the ip_set table of AirVPN server addresses. I haven't listed the servers, so that no-one can just open the file and get the server IPs. Add the ones you want where the a.b.c.d 's are. Add or subtract lines as necessary. I think I added enough buffers so that all the servers should be able to go into the table (which lives in RAM while the system is up and is lost at shutdown/re-start). After running the script use: sudo ipset -L airvpn -to make sure all the servers you added to the script are there (It's easiest just to count the lines if you know how many servers you added in the first place), if not, change the part: hashsize 65536 to the next larger: hashsize 131072 (doing this obviously eats up RAM, so don't change it unless you need to) and note that the hashsize can start at 1024 and can only be a power of 2 (1024, 2048, 4096, ..., 131072...) If you're only using one or two servers and you need to save RAM, just change it down, re-run the script and issue the command sudo ipset -L airvpn again to check that all the desired servers are listed. Keep doubling the hashsize until they are. If anyone is wondering about the -exist option, it's there so that in case of accidental duplication of an IP address the script won't fail. iptables-airvpn_2013-01-19.txt 3 /etc/init.d/iptables This is the system file, so be careful; add 2 new lines that become line 55 and line 56: # Load /etc/sysconfig/ipset-airvpn.sh to make the airvpn table sh /etc/sysconfig/ipset-airvpn.sh Ok, that should be it, iptables and the "airvpn" ipset table should now survive a reboot with no errors. Test by rebooting, and trying Internet access of any and /or several kind(s) before starting a VPN connection when the desktop is up. If it's working you will have no Internet before starting a VPN connection, and you will be able to connect to any of the servers you added to ipset-airvpn.sh without OpenVPN throwing an error (probably: write UDPv4 []: Operation not permitted (code=1)). Note: rename the attached files according to the names given above. Put the files in the appropriate folders as listed above. Regards, jz

EDITED ON 21 Aug 12 EDITED ON 24 Nov 12: added important note for some Linux users, see bottom of message EDITED ON 02 Jun 15: please refer to https://airvpn.org/faq/software_lock for a more advanced set of rules WARNING: this guide assumes that you have no IPv6 connectivity. If you have, you should block outgoing IPv6 packets while connected to the VPN with "ip6tables". Please see https://airvpn.org/faq/software_lock Hello! You can use iptables, a very powerful packet filtering and NAT program (probably one of the most powerful, if not the most powerful of all). iptables is already included in all official Ubuntu distros and most Linux distros, anyway if you don't have it just install it with aptitude. Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection). a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you have already chains. Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo. iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects When you add the above rules, take care about pre-existing rules, if you have already some tables, and always perform a test to verify that the subsequent behavior is what you expect: when you disconnect from the VPN, all outgoing traffic should be blocked, except for a reconnection to an Air server. In order to block specific programs only, some more sophisticated usage of iptables is needed, and you will also need to know which ports those programs use. See "man iptables" for all the features and how to make the above rules persistent or not according to your needs. Warning: the following applies ONLY for Linux users who don't have resolvconf installed and don't use up & down OpenVPN directives with update-resolv-conf script In this case, your system has no way to process the DNS push from our servers. Therefore your system will just tunnel the DNS queries with destination the DNS IP address specified in the "nameserver" lines of the /etc/resolv.conf file. But if your first nameserver is your router IP, the queries will be sent to your router which in turn will send them out unencrypted. Solution is straightforward: edit the /etc/resolv.conf file and add the following line at the top (just an example, of course you can use any of your favorite DNS, as long as it is NOT your router): nameserver 10.4.0.1 # in order to use AirVPN DNS nameserver 31.220.5.106 # in order to use OpenNIC DNS only if AirVPN DNS is unavailable Kind regards Original thread post: https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-2?do=findComment&comment=2010