Search the Community

Hello all, This is collection from different tutorials which I will refer here, but usually changed since some things changed. Setting up VPN on Synology is modified neolefort tutorial from here and reconnect script if from sundi which you can find here, which probably modified this script, plus my iptables for blocking Synology on router level when VPN fails. Other contributions: foobar666 - you no longer need to enter variables manually _sinnerman_ - fixed script for DS 6.1 I'm doing this mostly because I usually forget things I managed to solve after year or two, so this is way to have constant reminder how it was solved and also help others. 1. Get your certificates from AirVPN. Go to the https://airvpn.org/generator/ page to generate the configuration file. (1) SELECT the Advanced Mode (under "Config generator" title ) (2) SELECT LINUX OS (3) Under "Protocols" section select one with protocol UDP, port 443 and tls-auth in the right column (at the time of writing, it was in middle of the list). You can choose any combination of protocol/port, but then also change iptables accordingly if you are using failsafe script. Don't choose any combination which has tls-crypt in the right column. (4) Under "Advanced - OpenVPN only" section (right part of page), toggle "Separate keys/certs from .ovpn file" button and change/leave OpenVPN version to 2.5 (This works in DSM 7.2.1. For older versions you will maybe have to select OpenVPN version 2.4). (5) SELECT 1 SERVER (refer to section "by single servers") OR COUNTRY OR ANYTHING ELSE YOU WANT In original tutorial, neolefort said to choose 1 server, because in that case you will get IP instead of xxx.airvpn.org domain. Choosing 1 server is safe because it doesn't need working DNS when you want to connect to VPN. If you choose anything else, you need working DNS on your router when establishing VPN connection. (6) Click "GENERATE" at the bottom. (7) Page will reload with links on top to your files, save them to you computer. Following files will be generated: -AirVPN_XXXXX_UDP-443.ovpn -ca.crt -user.crt -user.key -ta.key 2. Setup AirVPN on Synology. - Login as admin or with user from Administrator group. - Open Control panel. - Go "Network" and click on tab "Network Interface" - Click on button "Create" - "Create VPN profile" - Choose "OpenVPN (via importing .ovpn file)" - Click "Advanced options" so it shows all options - Profile name: anything you want, but please keep is short and if you can without spaces " ", for example "AirVPN". - User name: LEAVE EMPTY (for DSM 7+ just put anything here) - Password: LEAVE EMPTY (for DSM 7+ just put anything here) - Import .ovpn file: click button and import your AirVPN_XXXXX_UDP-443.ovpn - CA certificate: click button and import your ca.crt - Client certificate: click button and import your user.crt - Client key: click button and import your user.key - Certificate revocation: LEAVE EMPTY - TLS-auth key: click button and import your ta.key - Click "Next" - Select all options and click "Done" Now you have working OpenVPN link on your Synology. You just need to start it from "Control panel" - "Network" - "Network Interface". If you want to make your connection faster, you can remove some ciphers. Look for this line in .ovpn file: data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC And change it to this: data-ciphers AES-128-GCM Then save file and create new connection with it. After some testing I found out AES-128-GCM is fastest from all other mentioned in settings. You can also test other ciphers your self and leave one you find fastest. EXTRAS!!! 3. Setting up external access to your Synology. First what you will notice is, "I CAN'T ACCESS MY SYNOLOGY FROM OUTSIDE OF MY LAN!!!!!!! OMG OMG OMG!!!!" I will not explain port fowards on your router here, if you don't know how to make one, learn! (1) You can port forward trough AirVPN webpage and access your Syno via VPN exit IP. This sometimes works, most of times it doesn't since Syno has some ports you cannot change. Anyway, change your default HTTP / HTTPS port on Syno to your forwarded AirVPN port and you should be fine. But forget about Cloudstation and similliar things. (2) If you want to access Syno via you ISP IP (WAN), then problem is, your Syno is receiving your connection, but it's replying trough VPN. That's a security risk and those connections get droped. But there is solution! - Access "Control panel" - "Network" - "General" - Click "Advanced Settings" button - Mark "Enable multiple gateways" and click "OK" and then "Apply" You're done! It's working now (if you forwarded good ports on your router). 4. Prevent leaks when VPN connection on Synology fails. There will be time, when you VPN will fail, drop, disconnect, and your ISP IP will become visible to world. This is one of ways you can prevent it, on router level. For this you need Tomato, Merlin, DD-WRT or OpenWRT firmware on your router. I will tell you steps for Tomato router. If you are using different firmware, then you need to learn alone how to input this code into your router. Since Shibby version 129 for ARM routers, syntax of iptables changed and depending on which version of iptables you are using, apply that code. - Login to your router (usually just by entering 192.168.1.1 into your browser, if your IP is different, find out which is your gateway IP). - Click on "Administration" - Click on "Scripts" - Choose tab "Firewall" For Shibby v129 for ARM and later (iptables 1.4.x) us this: #Use this order of commands because it executes in reverse order. #This command will execute last, it kills all UDP requests. iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT #This command will execute second and will block all TCP source ports except those needed for web access or services iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport ! --sports 5000,5001,6690 -j REJECT #This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT For earlier Shibby versions and later for MIPS routers: #Use this order of commands because it executes in reverse order. #This command will execute last, it kills all UDP requests. iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT #This command will execute second and will block all TCP source ports except those needed for web access or services iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport --sports ! 5000,5001,6690 -j REJECT #This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT Port TCP 5000 = HTTP for for Synology web access (change to your if it's not default) Port TCP 5001 = HTTPS for for Synology web access (change to your it's not default) Port TCP 6690 = Cloud Station port Port UDP 443 = AirVPN connection port which you defined in step 1 of this tutorial. If you are using TCP port, then you need to change "-p udp" to "-p tcp" in that line. If you need more ports, just add them separated by comma ",". If you want port range, for example 123,124,125,126,127, you can add it like this 123:127. Change IP 192.168.1.100 to your Synology LAN IP. Be careful NOT TO assign those ports to your Download Station on Synology. This isn't perfect, you can still leak your IP through UDP 443, but since torrent uses mostly TCP, those chances are minimal. If you use TCP port for VPN, then those chances increase. If you really want to be sure nothing leaks even on UDP 443 (or your custom port), you need to choose 1 (ONE) AirVPN server. You need to find that server entry IP and change last IPTABLES rule to something like this: iptables -I FORWARD -p udp -s 192.168.1.100 -d 123.456.789.123 -m multiport --dports 443 -j ACCEPT Where 123.456.789.123 is AirVPN server entry IP. This will allow UDP 443 only for that server, rest will be rejected by router. These are all my opinions, from my very limited knowledge, which may be right and may be wrong. 5. Auto reconnection when VPN is down. Since when you made your VPN connection on your Synology, you checked "Reconnect" option, Syno will try to reconnect automaticly when connection fails. But in some cases, your network will be offline long enough and Syno will stop trying to reconnect, or will hang with VPN connection established, but not working. In those cases you can use this auto reconnect script. This is reconnect script. Just select all script text and copy it. #VPN Check script modified Sep 11, 2016 #Script checks if VPN is up, and if it is, it checks if it's working or not. It provides details like VPN is up since, data #received/sent, VPN IP & WAN IP. #If VPN is not up it will report it in the log file and start it #Change LogFile path to your own location. #Save this script to file of your choosing (for example "synovpn_reconnect"). Store it in one of your Synology shared folders and chmod it: "chmod +x /volume1/shared_folder_name/your_path/synovpn_reconnect" #Edit "/etc/crontab" and add this line without quotes for starting script every 10 minutes: "*/10 * * * * root /volume1/shared_folder_name/your_path/synovpn_reconnect" #After that restart cron with: "/usr/syno/sbin/synoservicectl --restart crond" #!/bin/sh DATE=$(date +"%F") TIME=$(date +"%T") VPNID=$(grep "\[.*\]" /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "[" | cut -f 1 -d "]") VPNNAME=$(grep conf_name /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "=") LogFile="/volume1/filmovi/Backup/airvpn/check_airvpn_$DATE.log" PUBIP=$(curl -s -m 5 icanhazip.com) #PUBIP=$(curl -s -m 5 ipinfo.io/ip) #PUBIP=$(curl -s -m 5 ifconfig.me) CHECKIP=$(echo $PUBIP | grep -c ".") start_vpn() { echo "VPN is down. Attempting to (re)start now." >> $LogFile # /usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=$VPNNAME /usr/syno/bin/synovpnc kill_client /bin/kill `cat /var/run/ovpn_client.pid` 2>/dev/null sleep 35 echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting echo conf_id=$VPNID > /usr/syno/etc/synovpnclient/vpnc_connecting echo conf_name=$VPNNAME >> /usr/syno/etc/synovpnclient/vpnc_connecting echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=$VPNNAME >> $LogFile } sleep 6 echo "======================================" >> $LogFile echo "$DATE $TIME" >> $LogFile if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00" then if [ "$CHECKIP" == 1 ] then IPADDR=$(/sbin/ifconfig tun0 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}') RXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}') TXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}') UPTIME=$(cat /var/log/messages | grep "$IPADDR" | awk '{print $1}' | tail -1) UPTIME=$(date -d"$UPTIME" +"%Y/%m/%d %H:%M:%S") echo "VPN is up since: $UPTIME" >> $LogFile echo "Session Data RX: $RXDATA" >> $LogFile echo "Session Data TX: $TXDATA" >> $LogFile echo "VPN IP is: $IPADDR" >> $LogFile echo "WAN IP is: $PUBIP" >> $LogFile else start_vpn fi else start_vpn fi exit 0 (1) Login to you Synology DSM web interface as admin. - As admin go to "Control panel" - "Task Scheduler" (you need to enable advanced mode in top right corner of control panel for this) - Click "Create" button near top of page, then select "Scheduled Task" and then "User-defined script" (2) New popup window will open. - under "Task:" enter task name - under "User:" select "root" if it's not already selected - switch to "Schedule" tab and select how often you want this task to run, my settings are: - "Run of following days" - "Daily" - "First run time" - 00:00 - "Frequency" - "Every 10 minutes" - "Last run time" - 23:50 - switch to "Task settings" tab - paste script you copied into empty box under "User-defined script" title - press OK and you're done I tested this on DSM 6.2.2 and it works without problems for now. Still, I'm keeping old instructions in next post, if someone wants to do it like that. Tip: If you don't want logfile, you can comment out those lines, or remove ">> $LogFile" code from whole script. That's all. If you entered everything correctly, you should be fine and ready to go! Comments are welcome. If you find mistakes, please correct me.

Hi, I noticed tonight that my ISP is leaking in the webRTC section on ipleak.net, is this a known issue that's being worked on?

Is this a misconfiguration issue? I observed via tcpdump on eth+, Noscript's ABE feature causing 10.x.x.x to contact the Air server ip on port 80 -- outside the tunnel. Then the Air external server replied outside tunnel -- port 80 -- to 10.x.x.x. This should not happen. Correct? This occurred during the usual back and forth to informaction.com and the OCSP response for Noscript's certificate. Additionally I have my firewall configured so that my local interface *only* connects to the modem/router and Air server ips. It's the AirVPN recommended firewall settings for linux. Anyone else experienced this?

When VPN connected from San Francisco area via Comcast ISP to Germany IPLeak.net in Chrome browser shows the following: IP 213.152.162.84 WebRTC 213.152.162.84 DNS Addr Det. US 162.242.211.137 Germany 78.46.223.24 I was surprised to see a US DNS address. With NSLookup 162.242.211.137 showed as a non-existent domain trying to resolve with OpenDNS in my home NAT router. But I can ping that IP address. In the Chrome browser I am using the WebRTC Leak Prevent addon. I think WebRTC is ok since it only shows my IP address in Germany.

As soon as i used last version of Eddie, ​I got a heavy unwanted traffics come into my fresh windows VM. By tracing the mentioned traffic back, I found they are connected to the notorious and discredited big data seller companies. ​ ​Such as: ​Hosting Services Inc​Amanah Tech Inc​Leaseweb​Softlayer Technologies IncZAO Russian Telecommunicatoions Group​Deepak Mehta FIE​YesUp E-Commerce Solutions Incand tons of other third party companies. My question is why by using your VPN client I'll revived this much traffic on ICMP protocol, but by using OpenVPN in exact same server I won't get any? Are you selling/renting/trading our information? Will we a part of big botnet by using your client VPN version? ​ ​I (we) need a clear official answer. Privacy is matter.

Hello, for reasons that i cannot identify my Network Lock is not working. When i disengage the VPN or the connection drops all of my applications are able to get through unfettered. I have attached my log to see if it can provide any help to you. I will also be submitting a support ticket. My Network and Sharing settings are the standard automatic for my wireless adapter and my Firewall was reset once when i could not connect without the VPN, so i am curious as to how i can fix this. Log.txt

I'm running ubuntu server 15.10 and I set up a kill switch with airvpn using ufw. I'm concerned that I may have leaks that i'm unaware of, and i don't know how to check to see if I have them or how to avoid them without using a GUI. So how do i check to see if i have a leak without a GUI, and if I do indeed have a leak, how would I fix it? To be clear, I do not want to install a GUI on my ubuntu server just to check this. Thank you!

Hello, I'm using "OpenVPN Settings" on Android, because of an unfixed bug of Android which completely prevents me from using OpenVPN for Android. So I am sorry that I cannot use the recommended app. I created an "Android" config file in the client area, but my first problem is that "/sbin/ip" was not found: iproute was at "/system/bin/ip" instead. I figured out that adding `iproute /system/bin/ip` to my ovpn config file fixed this. Now the openvpn successfully connects either from terminal using `openvpn <filename.ovpn` or using OpenVPN Settings app. But, my browser is still going straight to the web from my mobile network. My IP address is still my normal IP address when I look it up, though OpenVPN logs appear normal and successfully connected. I have tried adding 'redirect-gateway' to the config file but it doesn't work. I would love some support making this connection successful and secure as I would like to use my phone through VPN only for some tasks. I have attached my logs. Thanks!

So I just downloaded AirVPN yesterday and started exploring it today. I am very new to this vpn thing. I figured out port forwarding for qbittorrent, but I haven't tried to torrent yet. Anyway I used dnslinktest.com When I turn on the Network lock there are leaks, when I turn it off there are no leaks. Isn't the purpose of the network lock to prevent leaks?

I m connected to Talitha and all DNS is going trough the VPN. I took a look at my windows firewall (which i enabled due to "network lock") and it shows a lot of these: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path 2015-06-29 11:33:34 DROP UDP 192.168.2.94 54.172.47.69 58683 3478 0 - - - - - - - SEND 2015-06-29 11:33:35 DROP UDP 192.168.2.94 54.172.47.69 58683 3478 0 - - - - - - - SEND 2015-06-29 11:33:37 DROP UDP 192.168.2.94 54.172.47.69 58683 3478 0 - - - - - - - SEND 54.172.47.69 --> is an amazon IP After allowing this IP, my IP get leaked by webrtc. (tested on https://ipleak.net/) Can anyone explain this behaviour?

Hi, I guess my real IP is leaked. I am in the Netherlands and I want to use a German VPN. When I check my IP all seems fine. But all the ads and google+1 is in Dutch!? (See attached image.) ipleaks.net and dnsleaktest.com don't show that leak. I use OpenVPN and update-resolv-conf and I also added following line to the ovpn (for which I used the generator): script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf I deleted all cookies, cache, and flashcookies. How does google for example know my real location?

Hi, I want to set up comodo to prevent dns & ip leaks. I have found this tutorial on a vpn review website. But it's dated. How can I set up comodo just as in this tutorial for the new version of comodo? https://www.bestvpn.com/blog/10218/build-your-own-vpn-kill-switch-in-windows-comodo/ Thank you.

Hey I got a problem. When i connect to a vpn server, it says connected. but im still using my ISP IP instead of the IP of the VPN Server... How do i fix this? These are my machine details: Operating System Version: Microsoft Windows Server 2012 Datacenter Hardware information: HP ProLiant ML110 G6 Processors: Intel® Xeon® CPU X3430 @2.40GHz Installed Memory (RAM): 24GB Installed Roles: AD DSDHCPDNSFile and Storage ServicesHyper-VIIS 8.0IPAMNAPRemote AccessWDSLog: http://pastebin.com/43UnP5Ci SOLVED: This message is the answer!: Awesome StaffAdvanced Member Staff5013 postsPosted Yesterday, 11:40 PM Hello! The tun/tap interface (the virtual network card used by OpenVPN) does not come up. Please try to run our client Eddie, which includes some additional code which tries to force the interface up. If the client attempt does not work, please follow all the steps described here: https://airvpn.org/t...2012/#entry8321 Kind regards

Hi guys, I set up Comodo Firewall in the way you descriped it on this tutorial https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142 I did everything correctly (I think so) but I'm still leaking DNS. When I access AirVPN homepage via VPNClient it says at the bottom "not connected" Any ideas how to fix this?? I can see my own IP address

Hi there, I have some questions regarding security/anonymity issues for only one pc. Not all people have 2 PCs in their home where they could split up like one for all non-VPN tasks and the other one strictly for VPN tasks. Some of them have their VPN always on, also for real-life identity tasks (let's call these non-VPN tasks) like banking, shopping, ... Just because they don't want their traffic to be sniffed by ISP or others, so this is just to protect their data usage, not their identities because they give it to the bank, amazon etc, when logging in to their website and doing bank transfers, buy books... So what about the security then if they need the VPN for "real VPN tasks" (let's call these VPN tasks), whatever that might be depends of course. Remember we have only one PC. So would it be a solution to work with a dedicated country or just some dedicated (VPN-)servers of a country for all non-VPN tasks and to take servers from other countries for VPN tasks. On top of that the VPN servers for VPN-tasks will be used with another browser-profile to avoid exact fingerprinting. Also there is always a complete setup comodo-firewall running which only let's traffic through the VPN to the outside. The DNS of the network interface will always be static and pointing to the VPN-DNS. So in fact there is no traffic possible without being connected to the VPN. Which security issues can come up like that? I think most people with one PC will do it that way that they use no VPN for non-VPN tasks and VPN only for VPN tasks. This is of course quite different but the same questions come up. Of course care is taken to not mix identities, eg to not login to your bank account if you are not in the non-VPN servers using the non-VPN browser profile.

I connect to AirVPN using the network-manager applet on Fedora 20 x64. I have a couple of ports forwarded, which are manually allowed in Fedora's firewall and entered into qBittorrent (latest v3.1.9-2). I have just noticed that while the connection never leaks DNS when used normally, as soon as qBittorrent is running my DNS leaks almost every time I test. Here is what happens once qBittorrent is open: Once qBittorrent is closed, the leaks stop. Does anyone have any ideas? As far as I knew DNS leaks were basically a Windows problem. Currently qBittorrent is set to use the tun0 interface only, and my network-manager settings are as follows: Ethernet: Connect automatically, IPv4 only, connect to AirVPN as soon as interface is up. AirVPN: Port 443 over UDP, no special settings after importing config files from Air's generator. The whole machine connects through an IPFire (Linux hardware firewall/router distro) box. Can anyone help shed some light on this please? Thanks in advance.

How do you configure the firewall (I'm wondering about both Comodo (Windows) and GUFW (Linux)) when using Air VPN over TOR? Or, are the firewall settings to prevent leaks the same as if I were just using Air VPN? Assuming I was fine with my ISP seeing that I'm using TOR, is there any reason to choose TOR over VPN instead of VPN over TOR? I read the TOR page on this site, but I just want to be sure there aren't cases in which I shouldn't choose VPN over TOR. I've heard some people talk about wanting to hide from their ISP the fact that they are using TOR. Why is this? Do some ISPs not tolerate their customers using TOR?

I'll cut right to the chase. AirVpn Doesn't seem to be showing accurate data transfer rates / totals when I use it while playing the MMORPG video game Final Fantasy XIV. Comodo shows it being connected to the tunnel properly, and I also have setup Comodo to immediatly shut down all net traffic in case of disconnection from Airvpn, thus, I can only assume FFXIV is indeed being tunneled properly. The reason I can say for certain that the rates are off, is because they show 0kb-2kb per second, despite the fact my in-game monitor shows sometimes ( usually) over 1.5mbps. So... uhh... What Gives? Is this indicative of a leak? Or is there more at play here than I can see?