Jump to content
Not connected, Your IP: 44.222.64.76

Search the Community

Showing results for tags 'openvpn'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • AirVPN
    • News and Announcement
    • How-To
    • Databases
  • Community
    • General & Suggestions
    • Troubleshooting and Problems
    • Blocked websites warning
    • Eddie - AirVPN Client
    • DNS Lists
    • Reviews
    • Other VPN competitors or features
    • Nonprofit
    • Off-Topic
  • Other Projects
    • IP Leak
    • XMPP

Product Groups

  • AirVPN Access
  • Coupons
  • Misc

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Twitter


Mastodon


AIM


MSN


ICQ


Yahoo


XMPP / Jabber


Skype


Location


Interests

Found 198 results

  1. Hi all, I've followed the instructions at https://airvpn.org/topic/11431-using-airvpn-with-linux-from-terminal/ in order to set up my account. This works fine and leak-free, when my local networks gives me an IPv4 address -- but if I get an IPv6 address, that address is leaked to remote sites according to https://ipleak.net/ . How do I prevent that? Thanks, Chris
  2. NOTICE to the Moderator: PLEASE MOVE TO THE RIGHT FORUM Hello, I want to make a thread about split tunneling through a spezific user. I figured out how it works and want to share it. I use Debian 8/9 but it should work with other distros too. Openvpn Split tunnel though user Debian 8 & 9 based Install openvpn from apt or install it via source apt-get update -y && apt-get upgrade -y && apt-get install openvpn htop nload dstat sudo apt-utils iptables curl resolvconf -y nano /etc/systemd/system/openvpn@openvpn.service Config: [Unit] Description=OpenVPN connection to %i Documentation=man:openvpn(8) Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO After=network.target [Service] RuntimeDirectory=openvpn PrivateTmp=true KillMode=mixed Type=forking ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid PIDFile=/run/openvpn/%i.pid ExecReload=/bin/kill -HUP $MAINPID WorkingDirectory=/etc/openvpn Restart=on-failure RestartSec=3 ProtectSystem=yes LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw [Install] WantedBy=multi-user.target Enable Service systemctl enable openvpn@openvpn.service Download Airvpn/Openvpn config and paste it in there: nano /etc/openvpn/openvpn.conf Add this to the config: nobind script-security 2 route-noexec up /etc/openvpn/iptables.sh down /etc/openvpn/update-resolv-conf Change DNS nano /etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS AIRVPN DNS1' foreign_option_2='dhcp-option DNS AIRVPN DNS2' foreign_option_3='dhcp-option DNS 1.1.1.1' Add user and group adduser --disabled-login vpn usermod -aG vpn XXX usermod -aG XXX vpn Iptables Flush & Rules iptables -F iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP apt-get install iptables-persistent -y nano /etc/openvpn/iptables.sh Change INTERFACE, VPNUSER, LOCALIP and NETIF Script: #! /bin/bash export INTERFACE="tun0" export VPNUSER="vpn" export LOCALIP="192.168.1.130" export NETIF="eth0" # flushes all the iptables rules, if you have other rules to use then add them into the script iptables -F -t nat iptables -F -t mangle iptables -F -t filter # mark packets from $VPNUSER iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT -j CONNMARK --save-mark # allow responses iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT # block everything incoming on $INTERFACE to prevent accidental exposing of ports iptables -A INPUT -i $INTERFACE -j REJECT # let $VPNUSER access lo and $INTERFACE iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT # all packets on $INTERFACE needs to be masqueraded iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE # reject connections from predator IP going over $NETIF iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT # Start routing script /etc/openvpn/routing.sh exit 0 chmod +x /etc/openvpn/iptables.sh nano /etc/openvpn/routing.sh Change ifconfig to ip if your OS dont support ifconfig anymore or install it. apt install net-tools Change VPNIG and VPNUSER if needed Script: #! /bin/bash VPNIF="tun0" VPNUSER="vpn" GATEWAYIP=`ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1` if [[ `ip rule list | grep -c 0x1` == 0 ]]; then ip rule add from all fwmark 0x1 lookup $VPNUSER fi ip route replace default via $GATEWAYIP table $VPNUSER ip route append default via 127.0.0.1 dev lo table $VPNUSER ip route flush cache # run update-resolv-conf script to set VPN DNS /etc/openvpn/update-resolv-conf exit 0 chmod +x /etc/openvpn/routing.sh nano /etc/iproute2/rt_tables Add 200 vpn Edit vpn filter nano /etc/sysctl.d/9999-vpn.conf Add: Replace XXXXXX with your eth/wireless interface net.ipv4.conf.all.rp_filter = 2 net.ipv4.conf.default.rp_filter = 2 net.ipv4.conf.XXXXXX.rp_filter = 2 net.ipv6.conf.all.rp_filter = 2 net.ipv6.conf.default.rp_filter = 2 net.ipv6.conf.XXXXXX.rp_filter = 2 Apply Rules and show status sysctl --system service openvpn status Test it IP: sudo -u vpn -i -- curl ipinfo.io DNS: sudo -u vpn -i -- cat /etc/resolv.conf Enjoy
  3. Initially you should have router with OpenWRT firmware with OpenVPN client enabled. The main page of the firmware is http://openwrt.org Router, flashed with OpenWRT firmware image, initially accept connection only by telnet, so you should connect to it by telnet to the IP 192.168.1.1 and change root password with command "passwd". After this command it accepts connection via ssh. By default openvpn isn't included in the firmware image, so you should install it by use of opkg: # opkg update # opkg install openvpn-openssl You can also install luci-component of openvpn configuration, but it is optional: # opkg install install luci-app-openvpn You can also build firmware image with openvpn. Good manual of general OpenVPN client configuration you can find on the page https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client We will follow it with modifications, specific for AirVPN. After openvpn installation you can make it autostarting when router starts: # /etc/init.d/openvpn enable Download configuration files needed for OpenVPN connection via tool on the link https://airvpn.org/generator Choose "Linux", and further options. Notice, that there is amount of different options like country, protocol, and port number. In the result you get one or more OpenVPN configuration files with extension "ovpn", possibly in archive. File name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn" "America" means America, "UDP" means UDP protocol, and "443" means port number. We will use this file for example, other files are treated similarly. Comment with "#" the option "explicit-exit-notify 5" in the file, because OpenVPN client in OpenWRT doesn't recognize it. In result the line should start with "#": "# explicit-exit-notify 5". Copy the file "AirVPN_America_UDP-443.ovpn" with pscp or WinSCP programs in Windows, scp command in Linux to /etc/openvpn/ folder of router filesystem. In case of copy problems you should force using exactly scp protocol (it also can use sftp). The file itself contains contents of file "ca.crt" between tags "<ca>" and "</ca>", "user.crt" between tags "<cert>" and "</cert>", "user.key" between tags "<key>" and "</key", and contents of file "ta.key" between tags "<tls-auth>" and "</tls-auth>". You can create separate files "ca.crt", "user.crt", "user.key", and "ta.key" with corresponding content excluding tags, in the same folder, and replace tags with content in original file with following strings: ca ca.crt cert user.crt key user.key tls-auth ta.key 1 Notice, that contents of all files for different OpenVPN configuration files are identical. In other words, the significand difference of OpenVPN configuration files is string, containing server address and port, beginning with the word "remote". Configuration of OpenVPN using the file "AirVPN_America_UDP-443.ovpn" could be implemented by two ways. 1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by extension. 2) Specify file name in /etc/config/openvpn You can use uci: # uci set openvpn.airvpn=openvpn # uci set openvpn.airvpn.enabled='1' # uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_America_UDP-443.ovpn' # uci commit openvpn The file /etc/config/openvpn should contain following appended strings: config openvpn 'airvpn' option enabled '1' option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn' You can also change extension of the file "ovpn" to "conf", and speficify it in the file /etc/config/openvpn, in this case OpenVPN will start with this configuration file just once. You can also manually specify parameters specific for OpenVPN-connection in the file /etc/config/openvpn. In this case you don't need the file "AirVPN_America_UDP-443.ovpn", because all necessary parameters from it are specified explicitly. However, it is tiresomely. Create new network interface: # uci set network.airvpntun=interface # uci set network.airvpntun.proto='none' # uci set network.airvpntun.ifname='tun0' # uci commit network The file /etc/config/network should contain following appended strings: config interface 'airvpntun' option proto 'none' option ifname 'tun0' Create new firewall zone and add forwarding rule from LAN to VPN: # uci add firewall zone # uci set firewall.@zone[-1].name='vpnfirewall' # uci set firewall.@zone[-1].input='REJECT' # uci set firewall.@zone[-1].output='ACCEPT' # uci set firewall.@zone[-1].forward='REJECT' # uci set firewall.@zone[-1].masq='1' # uci set firewall.@zone[-1].mtu_fix='1' # uci add_list firewall.@zone[-1].network='airvpntun' # uci add firewall forwarding # uci set firewall.@forwarding[-1].src='/external_image/?url=lan' # uci set firewall.@forwarding[-1].dest='vpnfirewall' # uci commit firewall To prevent traffic leakage outside the VPN-tunnel you should remove forwarding rule from lan to wan. In default configuration there is single forwarding rule, so the command is: # uci del firewall.@forwarding[0] You can also set "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is: # uci set firewall.@zone[1].masq=0 After configuration you should commit changes: # uci commit firewall The file /etc/config/firewall should contain following appended strings: config zone option name 'vpnfirewall' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' list network 'airvpntun' config forwarding option src 'lan' option dest 'vpnfirewall' Now we should configure DNS servers. The simplest approach is to use public DNS for WAN interface of router. You can add OpenDNS: # uci set network.wan.peerdns='0' # uci del network.wan.dns # uci add_list network.wan.dns='208.67.222.222' # uci add_list network.wan.dns='208.67.220.220' # uci commit The file /etc/config/network should contain section 'wan' with following strings (three bottom strings has been appended): config interface 'wan' option ifname 'eth0.2' option force_link '1' option proto 'dhcp' option peerdns '0' list dns '208.67.222.222' list dns '208.67.220.220' You can also add GoogleDNS: # uci set network.wan.peerdns='0' # uci del network.wan.dns # uci add_list network.wan.dns='8.8.8.8' # uci add_list network.wan.dns='8.8.4.4' # uci commit The appended strings should be similar to previous one. To prevent traffic leakage in case VPN-tunnel drops you should edit the file /etc/firewall.user with following content: # This file is interpreted as shell script. # Put your custom iptables rules here, they will # be executed with each firewall (re-)start. # Internal uci firewall chains are flushed and recreated on reload, so # put custom rules into the root chains e.g. INPUT or FORWARD or into the # special user chains, e.g. input_wan_rule or postrouting_lan_rule. if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT fi if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then iptables -I forwarding_lan_rule ! -o tun+ -j REJECT fi You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content: #!/bin/sh if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then iptables -D forwarding_rule -j REJECT fi if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT fi In some cases openvpn hangs with log message like (couldn't resolve host ...). In this case tunnel stays up, but connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as: /etc/openvpn/reconnect.sh & The content of script reconnect.sh is like: #!/bin/sh n=10 while sleep 50; do t=$(ping -c $n 8.8.8.8 | grep -o -E '\d+ packets r' | grep -o -E '\d+') if [ "$t" -eq 0 ]; then /etc/init.d/openvpn restart fi done Update of luci-app-openvpn - git-19.256.41054-c048f23-1 tried to find file with name 'openvpn-airvpn.conf' (see section in /etc/openvpn/config). So you should rename your file 'AirVPN_America_UDP-443.ovpn' to 'openvpn-airvpn.conf', and comment or remove corresponding string: config openvpn 'airvpn' option enabled '1' # option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'
  4. Hi I have installed dd-wrt on Netgear R6400, i followed the official guide for configuring AirVPN on it, and the problem is that im getting maximum speeds of 10-17mbps instead of around 70mbps. Are my settings fine ? what could i try ? Thanks
  5. Hey there! I have a question regarding the creation of an openvpn config through this site's config generator in the client area. I can create one but what I want is a way to have the same or similar settings as my Eddie AirVPN application on windows PCs. Specifically the section in preferences (inside Eddie) Tor/Proxy. Mine is set to default Tor settings with 9150 as port, empty login info and when tested it's successful. Now why I need this openvpn config is for use on a tablet/phone. Can anyone provide information to help me create a new ovpn file with the same Tor safeguards as are available in the Eddie GUI on PC. Thank you for any help you can provide me. -T
  6. When using newly generated .ovpn files in Tunnelblick I keep seeing this... Warning: This VPN may not connect in the future. The OpenVPN configuration file for 'AirVPN_Europe_UDP-443' contains these OpenVPN options: • 'comp-lzo' was deprecated in OpenVPN 2.4 and has been or will be removed in a later version You should update the configuration so it can be used with modern versions of OpenVPN. Tunnelblick will use OpenVPN 2.4.7 - OpenSSL v1.0.2r to connect this configuration. However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.
  7. To connect I usually just download an .ovpn file and type in terminal "sudo openvpn <.ovpn file>" and the connection works. Or I go to gnome connection manager and "import saved configuration", import the .ovpn file and use that to connect graphically. However, I have noticed other vpn providers - they only provide these .ovpn files for Android. For ubuntu linux set ups they recommend manually importing the certificates and changing the settings in the advanced settings manually. Is there a difference in these methods? is one method more secure ? is it okay to just import a whole saved configuration from an .ovpn file for ubuntu linux, rather than manually entering the certificate etc ?
  8. This is only a solution for people in their home country willing/wanting to bypass the VPN to access their Netflix account. Does not help for out-of-country Netflix access. I was surprised to not see this in the forum, as it's very simple and works. It is a very short script added to the Custom Configuration which pulls the current IP addresses for a domain name (Netflix.com, Hulu.com) and routes those addresses "around" the VPN. allow-pull-fqdn route www.netflix.com 255.255.255.255 net_gateway So far I've been using this for a day, and had to restart things one time to get it to pick up new addresses. I would like to find a way to run this at regular intervals to add to the IP list (without duplicating addresses already in the list).
  9. heyhey, i'm having trouble setting up a ipv6 vpn connection with the (manjaro/arch) linux "network-manager". when i want to set up a ipv4 connection, i go to the "client area" on airvpn.org, start the "config generator", check "advanced" an then set: OS: LinuxOpenVPN version >= 2.4Need IPv6?: "IPv4 only"Protocol: UDP | Port: 443 | Entry IP: 1In the advanced section i check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file"Server: xxxi then generate the config and download all the files into a new/empty folder. afterwards i start the network-manager connection editors gui ($ nm-connection-editor), click the "+" button, select "import a saved vpn configuration", click "create", navigate to the folder with the config and key files, select the "xxx.ovpn" file and then just click "save", since the nm-connection-editor automatically sets up the right key files etc. in this case everything works as expected. HOWEVER if i try to do the same with a IPv6 config file ("Need IPv6?" set to "IPv4 & IPv6 (connect with IPv6)" - all other settings the same) i get an error when trying to "import a saved vpn configuration" with the nm-connection-editor. when i open the "xxx.ovpn" file with a text editor and change the line "proto udp6" (this is the line before "tls-auth 'ta.key' 1") to "proto udp", i can import without the error message however the connection is not working afterwards. do you have any ideas what i could do different? should i set up the connection manually? thanks in advance!
  10. I always get this error no matter what: Sat Dec 2 19:17:00 2017 daemon.err openvpn(LA_VPN)[4922]: Options error: specify only one of --tls-server, --tls-client, or --secret Sat Dec 2 19:17:00 2017 daemon.warn openvpn(LA_VPN)[4922]: Use --help for more information. Screenshots are attached, OpenVPN version is 2.4.4-2, is there anything I can do to fix this through LuCI?
  11. I'm personally not a huge fan of it. Don't get me wrong it did need abit of an update but imo it looks to android like now and I seem to have tap more to get to where I want such as see the statistics.
  12. Guest

    Ipleak showing 3 DNS adresses

    When using VPN on Linux with openvpn I get 3 DNS adresses on ipleak.net. 1. AirVpn-Server Exit Ipv4, 2. AirVpn-Server Exit Ipv6 and 3. the residential address of my ISP. Note: This is not my own home IP, but rather the one by my ISP. Should I be worried? Ipv6 is disabled.
  13. Hi, I am using open vpn on a dd-wrt router. The non vpn connection is 100mbit and I get 70 to 80mbit without issue. With AirVPN I am getting 15mbit down and 5mbit up. Is this normal? I am sure a while ago I was getting 10mbit down. Thanks.
  14. Hello, I've trying to connect to AirVPN on my Raspberry Pi running Raspbian Stretch (which is pretty much Debian Stretch). I've generated a .ovpn file here and have simply typed the command: sudo openvpn --config AirVPN_Sweden.ovpn However, when I do this, it sits there for ages on the following. I don't know if this means it's done or not (XXX to remove an address I think is sensitive): Sun Jun 24 10:47:43 2018 /sbin/ip addr add dev tun1 10.10.136.46/24 broadcast 10.10.136.255 Sun Jun 24 10:47:49 2018 /sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.0.1 Sun Jun 24 10:47:49 2018 /sbin/ip route add 0.0.0.0/1 via 10.10.136.1 Sun Jun 24 10:47:49 2018 /sbin/ip route add 128.0.0.0/1 via 10.10.136.1 Sun Jun 24 10:47:49 2018 Initialization Sequence Completed If Ctrl+Z then bg to get control of my shell back, I then can't ping anything external at all using either a URL or an IP address. The top of my .ovpn file is as follows: client dev tun remote se.vpn.airdns.org 443 resolv-retry infinite nobind persist-key persist-tun auth-nocache route-delay 5 verb 3 explicit-exit-notify 5 remote-cert-tls server cipher AES-256-CBC comp-lzo no proto udp key-direction 1 <ca> -----BEGIN CERTIFICATE----- ..... What am I doing wrong? (Please note: I've flushed iptables and 127.0.0.1 resolves to localhost in the hosts file.)
  15. Hi all, i have some issues with my openvpn for android client. i followed the instructions in the how-to section to setup openvpn for android. everything worked fine but: first issue: i get reconnects every few minutes and second issue: when i check for dnsleaks on ipleak.net everything looks smooth. no leak. i see airvpn exitip and airvpndns. but when i visit airvpn.org i see on top of the site my real ipv6 address. someone can tell me how to solve this errors? regards
  16. Hello forum! I've used OpenVPN on Asus RT-N18U running DD-WRT over a year now. I made files up.sh to start and dn.sh to stop OpenVPN to get rid of GUI and later on to run them via ssh from lan. OpenVPN version got updated to 2.4 and I made the necessary changes to conf file and scripts. It ran without issues couple of months. However, last Thursday my VPN connection went down while I was just browsing the interwebs. OpenVPN log was filled with messages: Recursive routing detected, drop tun packet to [AF_INET]62.102.148.132:443. There's no difference if I set up OpenVPN via GUI or use only my scripts. I've tried both UDP and TCP protocols but the issue persists. Outcome is always the same. Since then I've contacted AirVPN support as I cannot fix this by myself. I don't have the skills for that and I've tried my everything. As you may notice I feel desperate. EDIT: Here was a zip-file including kernel and ip routing tables, scripts, openvpn.conf file and OpenVPN log. I've censored my IP-address and tun1 IP from the files. All I found out is that the router for some reason removes line 62.102.148.132 via 84.xx.xx.xx dev vlan2 from routing table. You can see the difference between before-error_ip-route.txt. and after-error_ip-route.txt. DD-WRT seems to think that the fastest route outside is only via tun1 as VPN endpoint IP is in the same location as tun1 IP-address. Just a guess, might be totally wrong. Then it removes the previously mentioned routing rule and creates a loop. If I use allow-recursive-routing option in OpenVPN configuration, after a while log begins to spam "UDP messages too big" or something like that. I hadn't done any changes to DD-WRT settings, configuration files or script files. Recursive routing just popped up from no where. Router is being used as a gateway and WiFi AP only. All I've done is I moved to a new apartment which has different IP-address provided by the same ISP. That might not affect anything, just FYI. I really hope someone could help me with this. Thanks. Update: Turns out my ISP assings new IP-address every 20 minutes and almost every service on DD-WRT restarts which makes everything kind of frustrating to config...
  17. Hi, I would like to use AirVPN on my Android device but am concerned about leaking. I have seen some posts on here about using AfWall+ and was wondering if this is the best way to go. Android now also natively has a kind of Network Lock feature. But then there is also the boot leak (discussed here, along with providing a userinit script for droidwall to disable network connectivity during boot and also a script to prevent Google portal capture during wifi connection: https://blog.torproject.org/mission-impossible-hardening-android-security-and-privacy). My thinking is to use OpenVPN on the latest Lineage OS and would appreciate any assistance on the matter. Thank you.
  18. Apparently it is as easy as adding the following to the client/server OPVN files: http://my.host.net.nz/2014/04/12/adding-perfect-forward-secrecy-to-openvpn/ Create a common private key, eg openvpn --genkey --secret /path/to/store/pfs.key Securely distribute this key to each OpenVPN client, then add the following to the server tls-servertls-auth /path/to/store/pfs.key 0 and this to each client tls-clienttls-auth /path/to/store/pfs.key 1 Without this, using OpenVPN standalone will lack some essential security features.
  19. Eddie IS without a doubt leaking lastpass connections to the web through the vpn. Eddie is still using the 2.4.3 client; though seeing eddie is a big program it could be some other function of Eddie. Using OpenVPN 2.4.5 solves this leakage. So, OpenVPN 2.4.5 it is. Here is a screenshot of the leak inside Wireshark. https://ibb.co/jgdQqH https://image.ibb.co/gzbBVH/Leaks_using_Eddie.png
  20. Initially you should have router with Padavan's firmware with OpenVPN client enabled. The main page of the firmware is https://bitbucket.org/padavan/rt-n56u There is also script Prometheus, which was developed to simplify compilation process and to expand the list of supported devices http://prometheus.freize.net Login to your router via web-interface. By default it has LAN-address 192.168.1.1 Go to VPN Client item of main menu with corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg). Toggle the switch "Enable VPN Client", after that fill forms as shown on Scr1.png You can use servers, specified in OpenVPN configuration files with extension "ovpn". Download configuration files needed for OpenVPN connection via tool on the link https://airvpn.com/generator Choose "Linux", and further options. Notice, that there is amount of different options like country, protocol, and port number. In the result you get one or more OpenVPN configuration files with extension "ovpn", possibly in archive. File name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn" "America" means America, "UDP" means UDP protocol, and "443" means port number. We will use this file for example, other files are treated similarly. The string, containing server address, begins with the word "remote". In the example it is "remote america.vpn.airdns.org 443". The last numerical value is port number. On the screen the example of UDP-protocol is shown. To use TCP-protocol change fields "Port" to corresponding value of port number and "Transport" to TCP. Protocol is also specified in the string beginning from "proto". You can leave OpenVPN Extended Configuration, you can also comment the line "ns-cert-type server" with leading "#". Go down and fill forms as shown on Scr2.png, and press "Apply" button. In the example there is option not to obtain DNS from VPN-server. It is assumed, that WAN of router was configured to use OpenDNS (208.67.222.222, 208.67.220.220) or GoogleDNS (8.8.8.8, 8.8.4.4). Also there is option to specify DNS for LAN clients (Advanced Settings -> LAN -> tab DHCP server, http://192.168.232.1/Advanced_DHCP_Content.asp, http://my.router/Advanced_DHCP_Content.asp). However you can set this option to obtain DNS from VPN-server ("Add to existing list" or "Replace all existing"). Pay special attention to the item Restrict Access from VPN Server Site. The item controls access to router from Internet via tunnel. The safest option as shown on Scr2.png is Yes, block all connections (site is foreign). If you choose No (Site-to-Site), using NAT translation, TOTAL ACCESS TO ROUTER INCLUDING MANAGEMENT - HTTP, HTTPS, AND SSH WILL BE GRANTED FROM INTERNET VIA TUNNEL. Go to the tab "OpenVPN Certificates & Keys" with corresponding link http://192.168.1.1/vpncli.asp#ssl (http://my.router/vpncli.asp#ssl), and copy content between tags "<ca>" and "</ca>" to the field "ca.crt", content between tags "<cert>" and "</cert>" to the field "client.crt", content between tags "<key>" and "</key>" to the field "client.key", content between tags "<tls-auth>" and "</tls-auth>" to the field "ta.key", and press "Apply" button, as shown on Scr3.png Tags are always excluded from contents. Now your router should successfully connect to VPN-server. You can check it by the white word "Connected" in the green rectange to the right of VPN-server address on VPN Client item of main menu with corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), as shown on Scr1.png You can also visit site, displaying your IP-address, e.g. https://ipleak.net After positive result you should make your changes permanent. You can do it by three ways: run in console command "mtd_storage.sh save"; on the page Advanced Settings -> Administration -> Settings with corresponding link http://192.168.1.1/Advanced_SettingBackup_Content.asp (http://my.router/Advanced_SettingBackup_Content.asp) press button "Commit" to the right of item "Commit Internal Storage to Flash Memory Now"; reboot router by pressing Reboot button to the right of "Logout" button. To sum up, files, corresponding to filled fields, are stored in the directory /etc/storage/openvpn/client, resulting OpenVPN configuration file is stored in the directory /etc/openvpn/client. To prevent traffic leakage in case VPN-tunnel drops you should edit the contents of item "Run the Script After Connected/Disconnected to VPN Server" on VPN Client item of main menu with corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), which is shown on Scr2.png, to add lines to functions func_ipup and func_ipdown, the result content should be as in the file /etc/storage/vpnc_server_script.sh By the word, it is the same file where form content is saved. Also you should block traffic until tunnel is up. To do it edit the form "Run After Firewall Rules Restarted" on the page Advanced Settings -> Customization -> Scripts with corresponding link http://192.168.1.1/Advanced_Scripts_Content.asp (http://my.router/Advanced_Scripts_Content.asp), the result content should be as in the file /etc/storage/post_iptables_script.sh Addional lines serve to remove SNAT target. Finally you should make your changes permanent by the same way, as was discussed before. vpnc_server_script.sh: #!/bin/sh ### Custom user script ### Called after internal VPN client connected/disconnected to remote VPN server ### $1 - action (up/down) ### $IFNAME - tunnel interface name (e.g. ppp5 or tun0) ### $IPLOCAL - tunnel local IP address ### $IPREMOTE - tunnel remote IP address ### $DNS1 - peer DNS1 ### $DNS2 - peer DNS2 # private LAN subnet behind a remote server (example) peer_lan="192.168.9.0" peer_msk="255.255.255.0" ### example: add static route to private LAN subnet behind a remote server func_ipup() { # route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME # unblock traffic if blocking rule exists if iptables -C FORWARD -j REJECT; then iptables -D FORWARD -j REJECT fi return 0 } func_ipdown() { # route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME # block traffic leakage in case of tunnel drops if (! iptables -C FORWARD -j REJECT); then iptables -I FORWARD -j REJECT fi return 0 } logger -t vpnc-script "$IFNAME $1" case "$1" in up) func_ipup ;; down) func_ipdown ;; esac post_iptables_script.sh: #!/bin/sh ### Custom user script ### Called after internal iptables reconfig (firewall update) # prevent traffic leakage while tunnel is not up if [ -z "$(ip a s tun0 | grep 'state UP')" ] && (! iptables -C FORWARD -j REJECT); then iptables -I FORWARD -j REJECT fi ipch=$(iptables -t nat -S | grep SNAT | grep -v br0) if [ ! -z "$ipch" ]; then eval 'iptables -t nat -D'${ipch:2} fi
  21. I apologize in advance for such a (I hope) simple problem. I'm trying to start Airvpn on Lunix using config file and the terminal per the instructions in the "how to." It runs, then the last line on the terminal is "Initialization sequence completed." It hangs there with internet dead, and never does anything else. If I ctl. C, it continues and terminates whatever it was doing. I've tried this on several systems with the same result. My question is, is there something else I have to do? OpenVPN is installed, is there anything else that has to be there? I'm doing this because there seems to be no other way to start Airvpn on KaOS. Below is the terminal printout. I know this shows that I only gave it less then a minute, but prior attempts on several systems showed that it would never do anything. Thanks, Pete [pete@pete-pc Downloads]$ sudo openvpn vpn.ovpn Thu Mar 15 16:08:32 2018 OpenVPN 2.4.5 x86_64-pc-linux-gnu [sSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 1 2018 Thu Mar 15 16:08:32 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.10 Thu Mar 15 16:08:32 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Mar 15 16:08:32 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Mar 15 16:08:32 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.234:443 Thu Mar 15 16:08:32 2018 Socket Buffers: R=[212992->212992] S=[212992->212992] Thu Mar 15 16:08:32 2018 UDP link local: (not bound) Thu Mar 15 16:08:32 2018 UDP link remote: [AF_INET]104.254.90.234:443 Thu Mar 15 16:08:32 2018 TLS: Initial packet from [AF_INET]104.254.90.234:443, sid=aa8cd42a 332651f4 Thu Mar 15 16:08:32 2018 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org Thu Mar 15 16:08:32 2018 VERIFY KU OK Thu Mar 15 16:08:32 2018 Validating certificate extended key usage Thu Mar 15 16:08:32 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Thu Mar 15 16:08:32 2018 VERIFY EKU OK Thu Mar 15 16:08:32 2018 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org Thu Mar 15 16:08:33 2018 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA Thu Mar 15 16:08:33 2018 [server] Peer Connection Initiated with [AF_INET]104.254.90.234:443 Thu Mar 15 16:08:34 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Thu Mar 15 16:08:34 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.13.251 255.255.0.0' Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: timers and/or timeouts modified Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: compression parms modified Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: --ifconfig/up options modified Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: route options modified Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: route-related options modified Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Thu Mar 15 16:08:34 2018 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key Thu Mar 15 16:08:34 2018 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Mar 15 16:08:34 2018 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key Thu Mar 15 16:08:34 2018 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Mar 15 16:08:34 2018 ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=enp10s0 HWADDR=08:62:66:c7:b0:29 Thu Mar 15 16:08:34 2018 TUN/TAP device tun0 opened Thu Mar 15 16:08:34 2018 TUN/TAP TX queue length set to 100 Thu Mar 15 16:08:34 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Thu Mar 15 16:08:34 2018 /usr/bin/ip link set dev tun0 up mtu 1500 Thu Mar 15 16:08:34 2018 /usr/bin/ip addr add dev tun0 10.4.13.251/16 broadcast 10.4.255.255 Thu Mar 15 16:08:40 2018 /usr/bin/ip route add 104.254.90.234/32 via 192.168.1.254 Thu Mar 15 16:08:40 2018 /usr/bin/ip route add 0.0.0.0/1 via 10.4.0.1 Thu Mar 15 16:08:40 2018 /usr/bin/ip route add 128.0.0.0/1 via 10.4.0.1 Thu Mar 15 16:08:40 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Thu Mar 15 16:08:40 2018 Initialization Sequence Completed ^CThu Mar 15 16:09:18 2018 event_wait : Interrupted system call (code=4) Thu Mar 15 16:09:18 2018 SIGTERM received, sending exit notification to peer Thu Mar 15 16:09:23 2018 /usr/bin/ip route del 104.254.90.234/32 Thu Mar 15 16:09:23 2018 /usr/bin/ip route del 0.0.0.0/1 Thu Mar 15 16:09:23 2018 /usr/bin/ip route del 128.0.0.0/1 Thu Mar 15 16:09:23 2018 Closing TUN/TAP interface Thu Mar 15 16:09:23 2018 /usr/bin/ip addr del dev tun0 10.4.13.251/16 Thu Mar 15 16:09:23 2018 SIGTERM[soft,exit-with-notification] received, process exiting
  22. It's a new feature in OpenVPN 2.4, for more privacy and can also help with censorship circumvention in some cases. https://github.com/OpenVPN/openvpn/blob/master/Changes.rst Can AirVPN implement this?
  23. Hello. I’m trying to figure out how to import and use SSL or SSH on iOS and Android using the OpenVPN client. I’m not sure what I’m doing wrong but I can’t even get a connection to any server. any ideas on how to get this working?
  24. Hello, I recently installed Antergos Linux (Arch Linux) on my main Computer and my Laptop. So I downloaded the Config files and tried to run them with the default openvpn. I cannot establish a connection. The resulting error is: Thu Feb 1 12:47:55 2018 OpenVPN 2.4.4 x86_64-unknown-linux-gnu [sSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017 Thu Feb 1 12:47:55 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.10 Thu Feb 1 12:47:55 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 1 12:47:55 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 1 12:47:55 2018 RESOLVE: Cannot resolve host address: switzerland.vpn.airdns.org:443 (Name or service not known) Thu Feb 1 12:47:55 2018 RESOLVE: Cannot resolve host address: switzerland.vpn.airdns.org:443 (Name or service not known) Thu Feb 1 12:47:55 2018 Could not determine IPv4/IPv6 protocol Thu Feb 1 12:47:55 2018 SIGUSR1[soft,init_instance] received, process restarting Thu Feb 1 12:47:55 2018 Restart pause, 5 second(s) I tried it on my Android device where I also have the config files from before a month. The old ones are working, the new ones don't. Maybe someone has the same problem or a solution? The Problem occurs also when I download another protocol-config or change the Server/State. Thanks
  25. I installed OpenVPN and downloaded the connection info for a variety of locations and installed them per the instructions. I am using a Samsung Chromebook Pro. When I run OpenVPN and choose a location it appears to connect correctly and I see a "success" message with an IP address. However, when I check to see what my IP address is, it is not the one that OpenVPN is showing me, instead it is for the local ISP here where I am traveling (in this case Prague). I can't access a number of website for sports streaming apps because they claim I am outside of the territorial restrictions, which technically I guess I am, but that's the point of using the VPN. I never had an problems on my old Windows laptop. Is this just some weird Chromebook issue? It seems strange that OpenVPN is showing me success and an IP connection but my traffic doesn't seem to be using it.
×
×
  • Create New...