Jump to content
Not connected, Your IP: 54.234.191.202

Search the Community

Showing results for tags 'OpenVPN'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • AirVPN
    • News and Announcement
    • How-To
    • Databases
  • Community
    • General & Suggestions
    • Troubleshooting and Problems
    • Blocked websites warning
    • Eddie - AirVPN Client
    • DNS Lists
    • Reviews
    • Other VPN competitors or features
    • Nonprofit
    • Off-Topic
  • Other Projects
    • IP Leak
    • XMPP
    • Mirrors

Product Groups

  • AirVPN Access
  • Coupons
  • Misc

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Twitter


Mastodon


AIM


MSN


ICQ


Yahoo


XMPP / Jabber


Skype


Location


Interests

Found 193 results

  1. I have used Eddie for a few years now, but since using Windows 10 I have had endless connection problems. I have uninstalled etc but the issue still arises everytime I use the VPN. I have included 2 screenshots, one of the message that just freezes, and the only way around the problem that I have used, which is terminating OpenVPN in the task manager. I can just restart the laptop without using the task manager, and then it connects as it should. Any help to stop this annoying thing happening would be appreciated.
  2. Currently AirVPN servers ONLY provide you with IPv6 connectivity (IPv6 traffic via VPN) if OpenVPN correctly pushes a certain value to the server. This is what the relevant config lines look like: push-peer-info setenv UV_IPV6 yes 'UV_IPV6 yes' is a variable that is set to 'yes', basically: yes, gimme IPv6 push-peer-info sends the server information about the client. This includes: OS version and OpenVPN client release, your router's MAC address and of course the UV_IPV6 variable that tells the server to give you an IPv6 address. This last part is problematic and has already led to problems for AirVPN users: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/556 I've run into this issue myself when I tried to get AirVPN running on Linux using the NetworkManager interface (present in virtually every distro out there). It's confusing because it seems to work but in reality it doesn't. You do get a connection, except without IPv6 forwarding. It's no surprise people encounter this: Why would one really need to install your client if the preinstalled GUI manager has worked fine before? Nobody knows the intricacies. Not even those who reported the issue to the correct place above! *drum-roll* and the problem is: NetworkManager. Really. NetworkManager is crippled in that it DOES NOT support many of the OpenVPN features. The combination of push-peer-info + setenv is one of them. The variable is not set upon connection -> VPN connects to the server -> The server does not see UV_IPV6=yes -> The server only setups IPv4 for the client. Yes, THIS IS A SECURITY ISSUE. According to Google, 32% of users have IPv6. Here come you, an AirVPN user with IPv4 and IPv6 on Linux, using NetworkManager. It seems to connect. You quickly check a website to see your IP and see that you indeed got a new IP (IPv4) after connecting to the VPN. Maybe the website doesn't show IPv6 at all, or the user doesn't pay attention to the fact this long and cryptic IPv6 didn't change or maybe the user did not yet have IPv6 and it was enabled later by the ISP... And there the user goes to surf online with half his ass naked: IPv4 is properly routed through AirVPN but IPv6 is still going through his real ISP. This must be changed. IPv6 must be the default. Do not leave a chance to expose users. When this change is applied, both config lines will be rendered obsolete and as a bonus, the clients will no longer unnecessarily send their internal MAC addresses to the server, which can be used too: - https://threatpost.com/fbi-mum-on-how-exactly-it-hacked-tor/117127/ | https://www.theregister.com/2018/02/24/tor_fbi_hacking_appeal/ - https://web.archive.org/web/20180923231303/https://blog.owenson.me/analysis-of-the-fbi-tor-malware/ Finally if you feel there's someone who really wishes to not use IPv6 via Air: reverse the config. Make it an explicit UV_IPV6=no to opt-out. Security must be the default. Thanks for reading. I really hope this change to be introduced soon. PS: Can someone login at the Freedesktop bug tracker above to tell these people that it's fixable? I don't have an account PPS: You can see what push-peer-info sends if you set verbosity to 4: "verb 4" in the config Tags: IPv6 not working AirVPN Linux config openvpn
  3. This guide will explain how to setup OpenVPN in a way such that only select programs will be able to use the VPN connection while all other life continues as usual. Please read this notice before applying the guide Advantages: fail-free "kill switch" functionality (actually better than 98% of VPNs out there) continue using another VPN as primary or don't reroute any other traffic at all nobody, not even peers on LAN, will be able to connect to your torrent client (the only way: through the VPN connection) - eliminating unintended leaks Disadvantage: the apps will still use your default DNS for hostname lookups (secure your DNS separately!) See two more drawings at the end. The guide is applicable to all VPN providers who don't restrict their users to use the OpenVPN client. The method however is universally applicable. It was made with examples from Windows, but with Linux/BSD you will only need little tweaking to do. Specifically, net_gateway placeholder may not available and that's all there is to it. Android clients are probably too limited for this task and lack options we need. - Since there'll be a lot of text, sections titled in (parantheses) are entirely optional to read. The other guide by NaDre is old (2013), hard to read and pursues a slightly different approach. A Staff member actually posted a good first comment there, that's what we're gonna do. (Preface) The BitTorrent as a network is entirely public. Through the decentralized technology called DHT, everyone in the world can find out what torrents you are presumably participating in (this does not apply to private trackers who disable DHT). Clearly this creates an unhealthy atmosphere for privacy of users, e.g. one could find out the OS distribution one is using for a more targetted attack etc. Sometimes the ISPs are outright hostile to peer-to-peer technologies due to the traffic and bandwidth these are consuming. Instead of upgrading dated infrastructure, they cripple their users instead. There are many reasons to use a VPN, that was but a limited selection. ("Split-tunneling") This has become somewhat a marketing term nowadays, but actually explains the nature of the traffic flow well. In this guide only the programs set to use the VPN connection will use it, nothing else. All your traffic goes past the VPN while torrent client traffic (or any other selected program) uses only the VPN connection. ("Kill switch") We'll literally nail it using software settings of your program (the torrent client). This is a marketing-loaded name. In short: if the VPN connection is not available, no traffic ought to be sent bypassing it. In most cases where you have a VPN redirect all your system traffic - you should not rely on it as a feature. The OpenVPN software on Windows is not 100% proof, based on empirical evidence (reconnects and startup/shutdown phases) and some other VPN providers do no better (based on comments and stories). The only bulletproof solution: the VPN tunnel is set up on an intermediary device your PC is connected to - your end device (the PC) has no chance whatsoever to bypass the tunnel in that case. If the VPN provider uses a firewall under the hood, that's good too but with this guide you will not need a firewall nor rely on the VPN software. ("Dual-hop") With the knowledge and methods from this guide you will be able to daisy-chain multiple VPN servers. In essence, your traffic passes PC->VPN1->VPN2->Destination. This was not intended for this guide nor with AirVPN, it's finicky and I wouldn't recommend it myself without a real need and skills to automate the setup and configuration. How it will work Many users (aka mostly idiots on Reddit) are running in circles like qBittorrent is the only client (or probably the only application in the universe, unconfirmed) that can be set to use a certain VPN. Here's the technicality: this is called 'binding' - you can 'bind to IP' which will force the app to use a specific IP address and nothing else. If it cannot use the IP (when VPN is disconnected) then it will not be able to do any networking at all. The OS will deny any communication with the internet: boom! Here's your praised 'kill switch' and 'split-tunneling', 2-in-1. This is the next best bulletproof solution (the only better alternative is to use an intermediary VPN device, as any software could choose a different interface now to communicate with the internet). In a broader sense, you want to 'bind to a network interface' - your client will use any available IPs from the VPN interface - making it ready for IPv4 and IPv6. Oh and you don't need to change the IP once the VPN connection changes to another server. The OS handles the rest. Examples of programs that can bind to user-defined addresses include: (Windows) ping, tracert (IPv6-only, WTF?), curl and wget, and many others, including your favorite torrent client You will find guides online how to do that in your client or just look in settings. (Linux-specific differences of the guide) If you are a Linux/*nix user, there're some minor changes to the quick guide below: * Create custom VPN interface: Create with ip tuntap command. The below line will create 5 interfaces "tun-air1" etc. for YOUR user. Specifying your user allows OpenVPN to drop root rights after connection and run under your user (security). AirVPN allows up to 5 connections. If you have no use for this, create only one. user="$(whoami)"; for i in {1..5}; do sudo ip tuntap add dev "tun-airvpn$i" mode tun user "$user" group "$user"; done Check their existance with ip -d a -- the interfaces will not be shown under /dev/tun* ALTERNATIVE: openvpn --mktap/--mktun. See manual with man openvpn * Select custom VPN interface: This config part differs from Windows, very confusing. Steps: 1. Replace "dev-node" in config with "dev" 2. Add "dev-type tun" or "tap". Example of config: # if you have these defined multiple times, last entries override previous entries dev tun-airvpn1 # previously dev-node dev-type tun # previously "dev tun" on Windows There're no more differences. In-depth explanation: If you try to use dev-node like for Windows, you will see: OpenVPN log: ERROR: Cannot open TUN/TAP dev /dev/tun-airvpn1: No such file or directory (errno=2) Example strace of error: openat(AT_FDCWD, "/dev/tun-airvpn1", O_RDWR) = -1 ENOENT (No such file or directory) OpenVPN cannot find the TUN/TAP with the name? No, on Linux/*nix/*BSD dev-node has a totally different meaning. Dev-node specifies where the control interface with the kernel is located. On Linux it's usually /dev/node/tun, for the "mknode" command. If OpenVPN can't detect it for some reason, then you'd need to use dev-node. Finally you can start OpenVPN from terminal: sudo openvpn --config 'path/to/config.ovpn' --user mysystemusername --group mysystemusergroup Windows Quick Guide Go to the folder where you installed OpenVPN and its exe files: 'C:\Program Files\OpenVPN\' Open CMD inside the 'bin' folder: Hold Shift + Right Click the 'bin' folder -> 'Open Command Window here' We will use tapctl.exe to create a new VPN network interface solely for use with AirVPN (to look around: run "tapctl.exe" or "tapctl.exe help") C:\Program Files\OpenVPN\bin>tapctl create --name AirVPN-TAP {FDA13378-69B9-9000-8FFE-C52DEADBEEF0} C:\Program Files\OpenVPN\bin> A TAP interface is created by default. I have not played enough with Wireguard's TUN to recommend it. You can check it out, it will be under adapters in your Windows network settings Important: Configure your app/torrent client to use this 'AirVPN-TAP' interface. This is what ensures your traffic never leaks. It may appear under a different name, in such case find out which one it is in the output of 'ipconfig /all' (enter this into CMD) If your client does not allow to bind to a general interface but a specific IP (poor decision) then connect to the VPN first to find out the local IP within the VPN network. In this case with AirVPN you may only use one single server or you'll have to constantly change the IP in settings. Generate AirVPN configs where you connect to the server via IPv4! This is important Add these to the .ovpn config files (either under 'Advanced' on the config generator page or manually to each config file) # NOPULL START route-nopull # IF YOU DO NOT USE ANOTHER VPN THAT TAKES OVER ALL YOUR TRAFFIC, USE "net_gateway" (just copy-paste all of this) # net_gateway WILL BE AUTOMATICALLY DETERMINED AND WILL WORK IF YOU CONNECT THROUGH OTHER NETWORKS LIKE A PUBLIC WIFI # personally, due to a second VPN, I had to specify my router IP explicitly instead of net_gateway: 192.168.69.1 # "default"/"vpn_gateway"/"remote_host"/"net_gateway" are allowed placeholders for IPv4 route remote_host 255.255.255.255 net_gateway route 10.0.0.0 255.0.0.0 vpn_gateway route 0.0.0.0 0.0.0.0 default 666 route-ipv6 ::/0 default 666 dev-node AirVPN-TAP # END OF NOPULL Test if the configuration works. Full tests, don't leave it up to chance. In-depth explanation of the OpenVPN config route-nopull rejects any networking routes pushed to you by the server, we will write our own route remote_host 255.255.255.255 <router IP> we tell our system that, to reach remote_host (the AirVPN server IP), it must send traffic to <router IP>. The subnet mask 255.255.255.255 says that this only applies to this single IP set <router IP> to be net_gateway (only for Windows users, check availability on other platforms) <router IP> may be any of the OpenVPN placeholders too, for example "net_gateway" should work universally (you avoid hard-coding the router IP and if it ever changes: wondering years later why the config no longer works) <router IP> is "192.168.1.1" in my case, for my home router that connects me to the internet. route 10.0.0.0 255.0.0.0 vpn_gateway we tell our system that all 10.x.x.x traffic will be sent to the AirVPN server the internal VPN network with AirVPN is always on the 10.0.0.0 - 10.255.255.255 network range. The subnet mask reflects that. However this may interfere with other VPNs if you ever need to be connected to both at once. I will not go into detail on this. What you need to do is to be more specific with 10.x.x.x routes in this config, i.e. instead of /8 subnet, only route the specific /24 subnet of the current VPN server (AirVPN uses a /24 subnet for your connections on each VPN server -> 10.a.b.0 255.255.255.0) vpn_gateway is one of OpenVPN placeholders route 0.0.0.0 0.0.0.0 default 666 allow routing of ANY traffic via the VPN we set the metric to 666, metric defined as path cost (historically) so setting it to a high value will make sure no normal connection runs through it, unless specifically bound to the VPN IP. route-ipv6 ::/0 default 666 same for IPv6. How many can claim they have working VPN IPv6 setup? Welcome in the future. IPv6 is over 20 years old at this point anyhow. dev-node AirVPN-TAP (Windows-only) tell OpenVPN to ONLY use this network interface to create the VPN tunnel on. Nothing should interfere with our setup now That's all, folks! Note: Somehow on Windows my AirVPN connection receives a wrong internal IP that doesn't enable networking at first. In my case I need to wait 1-3 minutes until OpenVPN reconnects itself based on ping timeout: after the reconnect I receive another IP and everything starts to work. I do not know whether it's an OpenVPN or a Windows bug. One last note: using multiple VPNs Actually this will work, that's how I roll. As long as both VPNs don't clash by using the same 10.0.0.0/8 subnet. If this happens, you will need to change Line 5 to point to a more specific (aka smaller) subnet tailored to your AirVPN server. Specifying a 10.x.x.0/24 subnet for routing will surely do (subnet mask: 255.255.255.0). Just be aware that you cannot practically use the same IP range in both networks at the same time (well, you'd need to bind the application you are using to either interface, which you cannot do with a browser or the printing service in case of internal resources). (The story of broken net_gateway) For this placeholder, OpenVPN attempts to determine your 'default gateway', i.e. the router all your internet traffic passes through. It normally works, but may not be supported on other platforms (Linux, sigh). However it has one unintended side-effect: if you already have a VPN that reroutes all your traffic, net_gateway will make all AirVPN traffic go through the first VPN: Your traffic -> VPN1 -> Internet Torrent traffic -> VPN1 -> AirVPN -> Internet That's the unintended dual-hop. Surely you can extend that scheme to 3,4,n-hops if you fiddle enough with routing, subnet masks and correct order. I'm not responsible for headaches We avoid that behavior with Line 4 from our config - the remote_host line forces the AirVPN traffic to go straight to the internet (through your LAN router). One more thing: net_gateway is not available for IPv6 routes in OpenVPN. That's why it currently only works with a IPv4 connection to the VPN server. (Crash course: Subnet masks) You've seen the weird number 255.0.0.0 above. You should refer to other pages for a proper explanation, but basically this is a very simple way for computers to determine the range of IP addresses that are part of a network (a subnet). What's simple for computers is very hard to grasp for us humans. 255 means there are NO changes allowed to the first set of IP numbers. I.e. the 10 in 10.0.0.0 always stays a 10. 0 means all numbers can be used. I.e. the zeroes in 10.0.0.0 can be (0-255), lowest address is 10.0.0.1 and the last address is 10.255.255.254 (technically, 10.0.0.0 is the first and the last 10.255.255.255 is reserved for 'broadcast') Any number in between denotes ... a range in between. 2^(32-prefix)=number. Number is the amount of available addresses and prefix is called the subnet prefix. Both are meant to describe the same thing. For 10.0.0.0/26 or 10.0.0.0 with subnet mask of 255.255.255.192 you get addresses in range 10.0.0.0-10.0.0.64 -- 2^(32-26) = 64. Similarly you can convert the subnet mask into the prefix number and work from there; or eyeball it: 256-192 = 64. (Two ways to accomplish routing) If you have two equal routes, e.g. 0.0.0.0 goes through VPN with metric 666 0.0.0.0 goes through LAN router with metric 10 then obviously the default route for a packet will travel through (2) - because it's a cheaper path. Unless an application specifies to talk only on the VPN interface. However a different rule applies whenever a more specific route exists 0.0.0.0/0 goes through VPN2 with metric 666 0.0.0.0/0 goes through LAN router with metric 10 0.0.0.0/1 goes through VPN1 with metric 30 128.0.0.0/1 goes through VPN1 with metric 30 Here the routes (3) and (4) cover the entire addressing space, just like 0.0.0.0/0. However because they are more specific, they'll be preferred for all traffic because these routes are more selective. This is how OpenVPN does override system routing with VPN routing by default. This is also what the other guide attempted as well, by pushing four {0,64,128,192}.0.0.0/2 routes. Since that was more specific, it would in return override the 0,128 routes and so on. We can calculate how many multi-hops we would be able to do with this method: IPv4 has 32 bits, we will not touch the last 8 bits of the subnets. That leaves us then with 24 bits or 24 maximum amount of hops. Theoretically. The routing table would be outright f---- to look at. This method is a bit more 'secure' in a way because you don't need to rely on overriding a certain metric value, you just slap a more specific route on top and it's automatically made default. Also you don't need to override the default gateway (router) and all that junk. However with my preferred method (first) you can quite easily do DIY dual-hop routing: 0.0.0.0/0 goes through VPN2 with metric 666 0.0.0.0/0 goes through LAN router with metric 10 0.0.0.0/1 goes through VPN1 with metric 30 128.0.0.0/1 goes through VPN1 with metric 30 <VPN2-IP>/32 goes through VPN1 with metric (any) Such a setup will make sure that all traffic destined for the internet (hits 3 and 4) will go through VPN1. If a program specifies the VPN2 network interface, then VPN2 will be reached via VPN1 first (you->VPN1->VPN2). This is quite 'quizzacious' to set up/control. Not part of this guide. As a part of this guide we told the system to route VPN2 via router on LAN. Yet you could indeed chain multiple VPNs this way and force the VPN1 to not only catch all traffic but also be chained via multiple VPNs itself so you would not need to manually set programs. I've seen scripts online for that purpose. Although be aware of MTU issues due to encapsulation. Troubleshooting tips TEST. SERIOUSLY, TEST YOUR SETUP BEFORE ENGAGING YOUR DATA CANNONS! A couple hours now are infinitely many times more worth than a 'leaked' mistake and headaches later on. https://ipleak.net/ - tests your client's default connection route. It would not tell you if your client is alternatively available on LAN for example. If you followed this guide and set up your client correctly, it will not be available on LAN etc. See the images below: 'without interface binding' (most newbie users) and 'with interface binding' (this guide) Wireshark to inspect how the traffic is actually flowing. Follow online tutorials, you only need to select the right network interfaces and filter traffic by port/IP (tcp/udp and your local or VPN IP) curl to send network requests. Like ifconfig.co / ifconfig.io will respond with the IP address it sees you as: curl --interface <your computer IP> http://ifconfig.co curl --interface 192.168.1.42 http://ifconfig.co # for IPv4 or IPv6, default route curl -4 http://ifconfig.co curl -6 http://ifconfig.co > route -4 print and > route -6 print on Windows. To compare the outputs, you can use Notepad++ with the compare plugin (you need two documents open, one in left and another in right pane before comparing). PS: AirVPN configuration generator does not support #comment lines. Please fix. Sorry Linux users, maybe another time I will write something tailored to you. But I believe you are smart cookies and will adapt the OS-specific steps to fulfill this guide's goal.
  4. Hi, I have four pfSense routers (installed on Netgate hardware) that I use in different circumstances. Two of these four routers are configured to use AirVPN. Today, I updated my older router using AirVPN to the latest version of pfSense, which is pfSense Plus 21.02.2-RELEASE. This update includes the latest version of the OpenVPN client. Upon completing the pfSense update, it was necessary for me to fix some of the deprecated settings. To do so, I went through the latest AirVPN guide provided for pfSense (https://nguvu.org/pfsense/pfsense-baseline-setup/) and followed the OpenVPN settings section exactly (using the recommended UDP settings rather than the TCP I prefer). Now, when I boot up either of my AirVPN routers running pfSense from being powered off or, if I do a reboot from the user interface, AirVPN will not connect. Upon startup (and logging into pfSense), the pfSense Dashboard displays that the OpenVPN client interface statistics widget has a green arrow icon pointing up, but I am unable to send/receive any information to/from the Internet. The Interface Statistics widget within the pfSense dashboard shows a lot of of activity within the AirVPN_LAN interface, but very little (if any) activity within the AirVPN_WAN interface (only 0 - 30 packets in/out even after long periods of time). In order to get the OpenVPN service working, I have to restart it manually three to four times using the pfSense Dashboard controls. While doing so, the unbound DNS Resolver service crashes with each startup, forcing me to also start that manually each time. In case it is helpful, I have looked through the OpenVPN logs and noticed a recurring error "ioctl(TUNSIFMODE): Device busy (errno=16)". After repeatedly restarting these services, the OpenVPN WAN interface will finally begin to work, connecting me to AirVPN successfully. This is true for both my older and newer pfSense routers using AirVPN services. To anticipate possible questions that may arise: I use my AirVPN routers frequently but not consistently, making it necessary to turn them on and off. I prefer TCP because: TCP is said by some to be more stable than UDP (less dropped packets). TCP is said by others to be more secure than UDP. Regardless of whether either of the statements immediately above are true, for my needs, the slight drop in speed is not noticeable. My third and fourth pfSense routers, that connect via OpenVPN using VPN services from other providers, do not have this issue when powered off then on again. Thank you in advance for your guidance in fixing this problem.
  5. Hi Everyone Installed pfsense 2.5.0 community, no major dramas updating from 2.4.5.. However i'm getting the following error when starting up openvpn. Feb 17 16:24:49 192.168.10.1 openvpn[53019]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/client4/config.ovpn:41: key-method (2.5.0) I'm trying to find out what this parameter may be and if it's specfic to Airvpn, any ideas please?
  6. Hello everyone, so today I stumbled across this weird issue: Running Debian 10.7 with qBittorrent 4.1.5 and OpenVPN 2.4.7, both from Debian Repos. My QBittorrent is configured to bind to the tun0 interface (using OpenVPN).As soon as QBittorrent establishes any connection the whole tun0 interface (not just qBittorrent traffic) is limited to around 10Mbit/s in Download and stays that way even after exiting qBittorrent.After restarting the OpenVPN connection I have full speed on tun0 again until I start qBittorrent again and it establishes any connection. Took me a while to figure this out and I have no idea what's causing this. How to reproduce: Do a Webbrowser Speedtest over tun0 while qBittorrent isn't running -> full speed. Start qBittorrent an wait for it to establish any connection. Do a Webbrowser Speedtest over tun0 again -> Limited to around 10Mbit/s. Any idea what's the problem here? How could qBittorrent throttle the complete interface just by running in the background? Thanks!
  7. Hello everyone, I need a recommendation for a decent/not-expensive router with OpenVpn to be used with AirVPN. I took a look at something like GL.iNet GL-MT300N... ...BUT they seem to be chinese tools with vulnerabilities and backdoors, so that is for me like bodyjumping from a plane with a very good helmet but a very bad parachute. I suppose that people here in the forum should have good answers and experience in this topic. So, could you please recommend some portable/small Routers for Airvpn with no vulnerabilities and with a decent level of security? Thanks in advance!!
  8. I am getting two errors when attempting to connect Truenas via Airnas, see the screenshots below. Why would I be receiving an error about the certificate not being verified by the CA when I used the downloaded certificate provided? How do I sign the root such that it can use KeyUsage extension.
  9. Since installing iOS 14 on iPhone, I have been having issues with my AirVPN connection via OpenVPN. On multiple instances it will show there is a connection after coming out of sleep, to include showing the VPN icon, but there is no internet access. This happens both on cellular and WiFi connections. I have tired downloading new profiles from AirVPN, rekey, switching to TCP from UDP, deleting and reinstalling OpenVPN, but still happens. If I cycle the connection off/on in OpenVPN manually, then all works normally. The issue only happens on a background reconnect. Has anyone else encountered this issue or have any suggestions? Also checked OpenVPN forums but no info there either.
  10. Hi, I would like to use OpenVPN in Ubuntu to connect to AirVPN and it's easily set up with the generated config files. I can connect without problems. However, I have two incoming ports set up but can't confirm that they are open in my BitTorrent client (Transmission). When I check it says "closed". When I use Eddie on Linux the ports are "open" when I check. Is there something I need to add and/or enter in the OpenVPN connections I've set up to get incoming ports to check out as open? Maybe I am missing something obvious?
  11. I'm trying to setup a kill switch so that if OpenVPN goes down all other connections are automatically locked. I adapted this config as it follows: ### EDITED group openvpn ################ client dev tun remote XXXXXX 443 resolv-retry infinite nobind persist-key persist-tun auth-nocache verb 3 explicit-exit-notify 5 rcvbuf 262144 sndbuf 262144 push-peer-info setenv UV_IPV6 yes ca "/opt/openvpn/keys/ca.crt" cert "/opt/openvpn/keys/user.crt" key "/opt/openvpn/keys/user.key" remote-cert-tls server cipher AES-256-CBC comp-lzo no proto udp tls-auth "/opt/openvpn/keys/ta.key" 1 and this is my ipfw config #!/bin/bash ipfw -q -f flush cmd="ipfw -q add" vpn="tun2" $cmd 00001 allow all from any to any via lo0 $cmd 00010 allow all from any to any via tun0 $cmd 00101 allow all from me to 192.168.0.0/16 $cmd 00102 allow all from 192.168.0.0/16 to me ############################### # it should allow openvpn to establish the connection $cmd 00103 allow all from any to any gid openvpn ############################### $cmd 00104 allow all from any to any established $cmd 00110 allow tcp from any to any dst-port 53 out setup keep-state $cmd 00111 allow udp from any to any dst-port 53 out keep-state $cmd 00201 deny all from any to any when i try to start openvpn it won't work e.g. Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/user.key' is group or others accessible Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/ta.key' is group or others accessible Mon Jul 20 22:13:17 2020 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 12 2020 Mon Jul 20 22:13:17 2020 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10 Mon Jul 20 22:13:17 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Jul 20 22:13:17 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Jul 20 22:13:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.34:443 Mon Jul 20 22:13:17 2020 Socket Buffers: R=[42080->262144] S=[9216->262144] Mon Jul 20 22:13:17 2020 UDP link local: (not bound) Mon Jul 20 22:13:17 2020 UDP link remote: [AF_INET]184.75.221.34:443 Mon Jul 20 22:13:17 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay Mon Jul 20 22:13:17 2020 write UDP: Permission denied (code=13) Mon Jul 20 22:13:19 2020 write UDP: Permission denied (code=13) Mon Jul 20 22:13:23 2020 write UDP: Permission denied (code=13) it looks like that in freebsd openvpn wants to start as root/wheel no matter what ad it will downgrade to a custom group only once the first connection has been successfully established. Is there a way around that? Else, is there another way to allow only openvpn to connect to the internet? I'm not married to this solution, i just want to setup a killswitch and avoid iptables.
  12. Hi I am trying to connect to AirVPN from an OPNSense Firewall. I have tried many different configs and the status of my openvpn tunnel is always "connecting". The log file shows no errors, there is just a entry state all and client disconnected. Is there any working guide for the current OPNSense version. I do not have any problems to connect to AirVPN from any Windows Client in my network. I looked at my firewall log and did a tcpdump, but i can not see any incoming traffic. I do not have a private ip address, because i use a 5G router. could this be the problem? why is it working on other clients (Android, Windows Workstation)? thank you for your help
  13. Hi, since configuring AIrVPN on my pfSense machine, I've been struggling to get Sky On Demand working. SKY Q box tells me "download failed". Before AirVPN config, all was good. AirVPN is connecting nicely and allowing me to browse. I followed nguvu's guide here to get 3 connections to AIrVPN so that I could have some resilience in case one of the OpenVPN servers failed. All my devices seem to be connecting to the internet. Only the SKY Q is lamenting failures with downloads of movies. DNSLEAK TEST is giving 185.103.96.147 which is the AIrVPN exit node. When I do the extended test, I get 3 DNS servers, one for each of the OpenVPN connections I have up and running AirVPN's DNS Leak ipleak.net is also giving 3 DNS servers (the same as DNSLEAK TEST) and identifying me with one of the other AIrVPN servers in the Netherlands. So here doesn't appear to be a leak and the AirVPN routing seems to be correct too as its correctly exiting me in the UK by showing the UK AIrVPN exit node. So the question begs as to why and how Sky Q box is refusing to download the movies ("failed downloading"). Of course the Sky Q box has no log facilities ... so I have no hope of consulting that ... :-( Does anyone have a similar setup to mine with AIrVPN and is using Sky Q in the UK. I guess my next option is to let it through Clearnet (i.e. not through the VPN connection ....). Any thoughts? Thanks
  14. With the latest revelation from google about Quantum Computing, I would like to know how safe arewith with Airvpn? What is the best encryption method and how do we implement it .
  15. Hi there, I use Eddie software to connect airvpn in my windows 10 station (unattended windows version with a lot of service / app disable). The first time I tried to connect it worked great. But after a restart of the computer I was not able to connect at all, Eddie software try to join a server and immediately disconnect. But if I install OpenVPN Gui, it works again, I can connect with Eddie without problem. But as soon as I restart the computer, it cannot connect anymore. Do you have an idea from where my problem could be coming? Thanks in advance
  16. NOTICE to the Moderator: PLEASE MOVE TO THE RIGHT FORUM Hello, I want to make a thread about split tunneling through a spezific user. I figured out how it works and want to share it. I use Debian 8/9 but it should work with other distros too. Openvpn Split tunnel though user Debian 8 & 9 based Install openvpn from apt or install it via source apt-get update -y && apt-get upgrade -y && apt-get install openvpn htop nload dstat sudo apt-utils iptables curl resolvconf -y nano /etc/systemd/system/openvpn@openvpn.service Config: [Unit] Description=OpenVPN connection to %i Documentation=man:openvpn(8) Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO After=network.target [Service] RuntimeDirectory=openvpn PrivateTmp=true KillMode=mixed Type=forking ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid PIDFile=/run/openvpn/%i.pid ExecReload=/bin/kill -HUP $MAINPID WorkingDirectory=/etc/openvpn Restart=on-failure RestartSec=3 ProtectSystem=yes LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw [Install] WantedBy=multi-user.target Enable Service systemctl enable openvpn@openvpn.service Download Airvpn/Openvpn config and paste it in there: nano /etc/openvpn/openvpn.conf Add this to the config: nobind script-security 2 route-noexec up /etc/openvpn/iptables.sh down /etc/openvpn/update-resolv-conf Change DNS nano /etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS AIRVPN DNS1' foreign_option_2='dhcp-option DNS AIRVPN DNS2' foreign_option_3='dhcp-option DNS 1.1.1.1' Add user and group adduser --disabled-login vpn usermod -aG vpn XXX usermod -aG XXX vpn Iptables Flush & Rules iptables -F iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP apt-get install iptables-persistent -y nano /etc/openvpn/iptables.sh Change INTERFACE, VPNUSER, LOCALIP and NETIF Script: #! /bin/bash export INTERFACE="tun0" export VPNUSER="vpn" export LOCALIP="192.168.1.130" export NETIF="eth0" # flushes all the iptables rules, if you have other rules to use then add them into the script iptables -F -t nat iptables -F -t mangle iptables -F -t filter # mark packets from $VPNUSER iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT -j CONNMARK --save-mark # allow responses iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT # block everything incoming on $INTERFACE to prevent accidental exposing of ports iptables -A INPUT -i $INTERFACE -j REJECT # let $VPNUSER access lo and $INTERFACE iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT # all packets on $INTERFACE needs to be masqueraded iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE # reject connections from predator IP going over $NETIF iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT # Start routing script /etc/openvpn/routing.sh exit 0 chmod +x /etc/openvpn/iptables.sh nano /etc/openvpn/routing.sh Change ifconfig to ip if your OS dont support ifconfig anymore or install it. apt install net-tools Change VPNIG and VPNUSER if needed Script: #! /bin/bash VPNIF="tun0" VPNUSER="vpn" GATEWAYIP=`ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1` if [[ `ip rule list | grep -c 0x1` == 0 ]]; then ip rule add from all fwmark 0x1 lookup $VPNUSER fi ip route replace default via $GATEWAYIP table $VPNUSER ip route append default via 127.0.0.1 dev lo table $VPNUSER ip route flush cache # run update-resolv-conf script to set VPN DNS /etc/openvpn/update-resolv-conf exit 0 chmod +x /etc/openvpn/routing.sh nano /etc/iproute2/rt_tables Add 200 vpn Edit vpn filter nano /etc/sysctl.d/9999-vpn.conf Add: Replace XXXXXX with your eth/wireless interface net.ipv4.conf.all.rp_filter = 2 net.ipv4.conf.default.rp_filter = 2 net.ipv4.conf.XXXXXX.rp_filter = 2 net.ipv6.conf.all.rp_filter = 2 net.ipv6.conf.default.rp_filter = 2 net.ipv6.conf.XXXXXX.rp_filter = 2 Apply Rules and show status sysctl --system service openvpn status Test it IP: sudo -u vpn -i -- curl ipinfo.io DNS: sudo -u vpn -i -- cat /etc/resolv.conf Enjoy
  17. Hi I have installed dd-wrt on Netgear R6400, i followed the official guide for configuring AirVPN on it, and the problem is that im getting maximum speeds of 10-17mbps instead of around 70mbps. Are my settings fine ? what could i try ? Thanks
  18. Hey there! I have a question regarding the creation of an openvpn config through this site's config generator in the client area. I can create one but what I want is a way to have the same or similar settings as my Eddie AirVPN application on windows PCs. Specifically the section in preferences (inside Eddie) Tor/Proxy. Mine is set to default Tor settings with 9150 as port, empty login info and when tested it's successful. Now why I need this openvpn config is for use on a tablet/phone. Can anyone provide information to help me create a new ovpn file with the same Tor safeguards as are available in the Eddie GUI on PC. Thank you for any help you can provide me. -T
  19. When using newly generated .ovpn files in Tunnelblick I keep seeing this... Warning: This VPN may not connect in the future. The OpenVPN configuration file for 'AirVPN_Europe_UDP-443' contains these OpenVPN options: • 'comp-lzo' was deprecated in OpenVPN 2.4 and has been or will be removed in a later version You should update the configuration so it can be used with modern versions of OpenVPN. Tunnelblick will use OpenVPN 2.4.7 - OpenSSL v1.0.2r to connect this configuration. However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.
  20. To connect I usually just download an .ovpn file and type in terminal "sudo openvpn <.ovpn file>" and the connection works. Or I go to gnome connection manager and "import saved configuration", import the .ovpn file and use that to connect graphically. However, I have noticed other vpn providers - they only provide these .ovpn files for Android. For ubuntu linux set ups they recommend manually importing the certificates and changing the settings in the advanced settings manually. Is there a difference in these methods? is one method more secure ? is it okay to just import a whole saved configuration from an .ovpn file for ubuntu linux, rather than manually entering the certificate etc ?
  21. heyhey, i'm having trouble setting up a ipv6 vpn connection with the (manjaro/arch) linux "network-manager". when i want to set up a ipv4 connection, i go to the "client area" on airvpn.org, start the "config generator", check "advanced" an then set: OS: LinuxOpenVPN version >= 2.4Need IPv6?: "IPv4 only"Protocol: UDP | Port: 443 | Entry IP: 1In the advanced section i check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file"Server: xxxi then generate the config and download all the files into a new/empty folder. afterwards i start the network-manager connection editors gui ($ nm-connection-editor), click the "+" button, select "import a saved vpn configuration", click "create", navigate to the folder with the config and key files, select the "xxx.ovpn" file and then just click "save", since the nm-connection-editor automatically sets up the right key files etc. in this case everything works as expected. HOWEVER if i try to do the same with a IPv6 config file ("Need IPv6?" set to "IPv4 & IPv6 (connect with IPv6)" - all other settings the same) i get an error when trying to "import a saved vpn configuration" with the nm-connection-editor. when i open the "xxx.ovpn" file with a text editor and change the line "proto udp6" (this is the line before "tls-auth 'ta.key' 1") to "proto udp", i can import without the error message however the connection is not working afterwards. do you have any ideas what i could do different? should i set up the connection manually? thanks in advance!
  22. I'm personally not a huge fan of it. Don't get me wrong it did need abit of an update but imo it looks to android like now and I seem to have tap more to get to where I want such as see the statistics.
  23. Hello, I've trying to connect to AirVPN on my Raspberry Pi running Raspbian Stretch (which is pretty much Debian Stretch). I've generated a .ovpn file here and have simply typed the command: sudo openvpn --config AirVPN_Sweden.ovpn However, when I do this, it sits there for ages on the following. I don't know if this means it's done or not (XXX to remove an address I think is sensitive): Sun Jun 24 10:47:43 2018 /sbin/ip addr add dev tun1 10.10.136.46/24 broadcast 10.10.136.255 Sun Jun 24 10:47:49 2018 /sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.0.1 Sun Jun 24 10:47:49 2018 /sbin/ip route add 0.0.0.0/1 via 10.10.136.1 Sun Jun 24 10:47:49 2018 /sbin/ip route add 128.0.0.0/1 via 10.10.136.1 Sun Jun 24 10:47:49 2018 Initialization Sequence Completed If Ctrl+Z then bg to get control of my shell back, I then can't ping anything external at all using either a URL or an IP address. The top of my .ovpn file is as follows: client dev tun remote se.vpn.airdns.org 443 resolv-retry infinite nobind persist-key persist-tun auth-nocache route-delay 5 verb 3 explicit-exit-notify 5 remote-cert-tls server cipher AES-256-CBC comp-lzo no proto udp key-direction 1 <ca> -----BEGIN CERTIFICATE----- ..... What am I doing wrong? (Please note: I've flushed iptables and 127.0.0.1 resolves to localhost in the hosts file.)
  24. Hi, I am using open vpn on a dd-wrt router. The non vpn connection is 100mbit and I get 70 to 80mbit without issue. With AirVPN I am getting 15mbit down and 5mbit up. Is this normal? I am sure a while ago I was getting 10mbit down. Thanks.
  25. Hello forum! I've used OpenVPN on Asus RT-N18U running DD-WRT over a year now. I made files up.sh to start and dn.sh to stop OpenVPN to get rid of GUI and later on to run them via ssh from lan. OpenVPN version got updated to 2.4 and I made the necessary changes to conf file and scripts. It ran without issues couple of months. However, last Thursday my VPN connection went down while I was just browsing the interwebs. OpenVPN log was filled with messages: Recursive routing detected, drop tun packet to [AF_INET]62.102.148.132:443. There's no difference if I set up OpenVPN via GUI or use only my scripts. I've tried both UDP and TCP protocols but the issue persists. Outcome is always the same. Since then I've contacted AirVPN support as I cannot fix this by myself. I don't have the skills for that and I've tried my everything. As you may notice I feel desperate. EDIT: Here was a zip-file including kernel and ip routing tables, scripts, openvpn.conf file and OpenVPN log. I've censored my IP-address and tun1 IP from the files. All I found out is that the router for some reason removes line 62.102.148.132 via 84.xx.xx.xx dev vlan2 from routing table. You can see the difference between before-error_ip-route.txt. and after-error_ip-route.txt. DD-WRT seems to think that the fastest route outside is only via tun1 as VPN endpoint IP is in the same location as tun1 IP-address. Just a guess, might be totally wrong. Then it removes the previously mentioned routing rule and creates a loop. If I use allow-recursive-routing option in OpenVPN configuration, after a while log begins to spam "UDP messages too big" or something like that. I hadn't done any changes to DD-WRT settings, configuration files or script files. Recursive routing just popped up from no where. Router is being used as a gateway and WiFi AP only. All I've done is I moved to a new apartment which has different IP-address provided by the same ISP. That might not affect anything, just FYI. I really hope someone could help me with this. Thanks. Update: Turns out my ISP assings new IP-address every 20 minutes and almost every service on DD-WRT restarts which makes everything kind of frustrating to config...
×
×
  • Create New...