Jump to content
Not connected, Your IP: 3.235.137.159

Search the Community

Showing results for tags 'OPENVPN'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • AirVPN
    • News and Announcement
    • How-To
    • Frequently asked questions
    • Databases
  • Community
    • General & Suggestions
    • Troubleshooting and Problems
    • Blocked websites warning
    • Eddie - AirVPN Client
    • Reviews
    • Other VPN competitors or features
    • Nonprofit
    • Off-Topic
  • Other Projects
    • IP Leak
    • XMPP
    • Mirrors

Product Groups

  • AirVPN Access
  • Coupons
  • Misc

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Twitter


Mastodon


AIM


MSN


ICQ


Yahoo


XMPP / Jabber


Skype


Location


Interests

Found 184 results

  1. Hi, I would like to use OpenVPN in Ubuntu to connect to AirVPN and it's easily set up with the generated config files. I can connect without problems. However, I have two incoming ports set up but can't confirm that they are open in my BitTorrent client (Transmission). When I check it says "closed". When I use Eddie on Linux the ports are "open" when I check. Is there something I need to add and/or enter in the OpenVPN connections I've set up to get incoming ports to check out as open? Maybe I am missing something obvious?
  2. Hi I am trying to connect to AirVPN from an OPNSense Firewall. I have tried many different configs and the status of my openvpn tunnel is always "connecting". The log file shows no errors, there is just a entry state all and client disconnected. Is there any working guide for the current OPNSense version. I do not have any problems to connect to AirVPN from any Windows Client in my network. I looked at my firewall log and did a tcpdump, but i can not see any incoming traffic. I do not have a private ip address, because i use a 5G router. could this be the problem? why is it working on other clients (Android, Windows Workstation)? thank you for your help
  3. I'm trying to setup a kill switch so that if OpenVPN goes down all other connections are automatically locked. I adapted this config as it follows: ### EDITED group openvpn ################ client dev tun remote XXXXXX 443 resolv-retry infinite nobind persist-key persist-tun auth-nocache verb 3 explicit-exit-notify 5 rcvbuf 262144 sndbuf 262144 push-peer-info setenv UV_IPV6 yes ca "/opt/openvpn/keys/ca.crt" cert "/opt/openvpn/keys/user.crt" key "/opt/openvpn/keys/user.key" remote-cert-tls server cipher AES-256-CBC comp-lzo no proto udp tls-auth "/opt/openvpn/keys/ta.key" 1 and this is my ipfw config #!/bin/bash ipfw -q -f flush cmd="ipfw -q add" vpn="tun2" $cmd 00001 allow all from any to any via lo0 $cmd 00010 allow all from any to any via tun0 $cmd 00101 allow all from me to 192.168.0.0/16 $cmd 00102 allow all from 192.168.0.0/16 to me ############################### # it should allow openvpn to establish the connection $cmd 00103 allow all from any to any gid openvpn ############################### $cmd 00104 allow all from any to any established $cmd 00110 allow tcp from any to any dst-port 53 out setup keep-state $cmd 00111 allow udp from any to any dst-port 53 out keep-state $cmd 00201 deny all from any to any when i try to start openvpn it won't work e.g. Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/user.key' is group or others accessible Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/ta.key' is group or others accessible Mon Jul 20 22:13:17 2020 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 12 2020 Mon Jul 20 22:13:17 2020 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10 Mon Jul 20 22:13:17 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Jul 20 22:13:17 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Jul 20 22:13:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.34:443 Mon Jul 20 22:13:17 2020 Socket Buffers: R=[42080->262144] S=[9216->262144] Mon Jul 20 22:13:17 2020 UDP link local: (not bound) Mon Jul 20 22:13:17 2020 UDP link remote: [AF_INET]184.75.221.34:443 Mon Jul 20 22:13:17 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay Mon Jul 20 22:13:17 2020 write UDP: Permission denied (code=13) Mon Jul 20 22:13:19 2020 write UDP: Permission denied (code=13) Mon Jul 20 22:13:23 2020 write UDP: Permission denied (code=13) it looks like that in freebsd openvpn wants to start as root/wheel no matter what ad it will downgrade to a custom group only once the first connection has been successfully established. Is there a way around that? Else, is there another way to allow only openvpn to connect to the internet? I'm not married to this solution, i just want to setup a killswitch and avoid iptables.
  4. Hello all, This is collection from different tutorials which I will refer here, but usually changed since some things changed. Setting up VPN on Synology is modified neolefort tutorial from here and reconnect script if from sundi which you can find here, which probably modified this script, plus my iptables for blocking Synology on router level when VPN fails. Other contributions: foobar666 - you no longer need to enter variables manually _sinnerman_ - fixed script for DS 6.1 I'm doing this mostly because I usually forget things I managed to solve after year or two, so this is way to have constant reminder how it was solved and also help others. 1. Get your certificates from AirVPN. Go to the https://airvpn.org/generator/ page to generate the configuration file. (1) SELECT the Advanced Mode (near top right of the page) (2) SELECT LINUX OS (3) Under "Protocols" section select one with protocol UDP and port 443 (at the time of writing, it was first in list). You can choose any combination of protocol/port, but then also change iptables accordingly if you are using failsafe script. (4) Under "Advanced - OpenVPN only" section (right part of page), select "Separate keys/certs from .ovpn file" and change OpenVPN version to "<2.4" (5) SELECT 1 SERVER (refer to section "by single servers") OR COUNTRY OR ANYTHING ELSE YOU WANT In original tutorial, neolefort said to choose 1 server, because in that case you will get IP instead of xxx.airvpn.org domain. Choosing 1 server is safe because it doesn't need working DNS when you want to connect to VPN. If you choose anything else, you need working DNS on your router when establishing VPN connection. (6) Click "GENERATE" at the bottom. (7) Click on the ZIP button in order to download the AIRVPN configuration files and unzip them anywhere on your computer The ZIP archive should contain the following files: -AirVPN_XXXXX_UDP-443.ovpn -ca.crt -user.crt -user.key -ta.key 2. Setup AirVPN on Synology. In new DSM 6 it's much more easier since Synology developers allowed everything in GUI now. - Login as admin or with user from Administrator group. - Open Control panel. - Go "Network" and click on tab "Network Interface" - Click on button "Create" - "Create VPN profile" - Choose "OpenVPN (via importing .ovpn file) - Click "Advanced options" so it shows all options - Profile name: anything you want, but please keep is short and if you can without spaces " ", for example "AirVPN". - User name: LEAVE EMPTY - Password: LEAVE EMPTY - Import .ovpn file: click button and import your AirVPN_XXXXX_UDP-443.ovpn - CA certificate: click button and import your ca.crt - Client certificate: click button and import your user.crt - Client key: click button and import your user.key - Certificate revocation: LEAVE EMPTY - TLS-auth key: click button and import your ta.key - Click "Next" - Select all options, EXCEPT "Enable compression on the VPN link" (well, you can select that also if you really want, but don't ) Now you have working OpenVPN link on your Synology DS6+. You just need to start it from "Control panel" - "Network" - "Network Interface". EXTRAS!!! 3. Setting up external access to your Synology. First what you will notice is, "I CAN'T ACCESS MY SYNOLOGY FROM OUTSIDE OF MY LAN!!!!!!! OMG OMG OMG!!!!" I will not explain port fowards on your router here, if you don't know how to make one, learn! (1) You can port forward trough AirVPN webpage and access your Syno via VPN exit IP. This sometimes works, most of times it doesn't since Syno has some ports you cannot change. Anyway, change your default HTTP / HTTPS port on Syno to your forwarded AirVPN port and you should be fine. But forget about Cloudstation and similliar things. (2) If you want to access Syno via you ISP IP (WAN), then problem is, your Syno is receiving your connection, but it's replying trough VPN. That's a security risk and those connections get droped. But there is solution! - Access "Control panel" - "Network" - "General" - Click "Advanced Settings" button - Mark "Enable multiple gateways" and click "OK" and then "Apply" You're done! It's working now (if you forwarded good ports on your router). 4. Prevent leaks when VPN connection on Synology fails. There will be time, when you VPN will fail, drop, disconnect, and your ISP IP will become visible to world. This is one of ways you can prevent it, on router level. For this you need Tomato, Merlin, DD-WRT or OpenWRT firmware on your router. I will tell you steps for Tomato router. If you are using different firmware, then you need to learn alone how to input this code into your router. Since Shibby version 129 for ARM routers, syntax of iptables changed and depending on which version of iptables you are using, apply that code. - Login to your router (usually just by entering 192.168.1.1 into your browser, if your IP is different, find out which is your gateway IP). - Click on "Administration" - Click on "Scripts" - Choose tab "Firewall" For Shibby v129 for ARM and later (iptables 1.4.x) us this: #Use this order of commands because it executes in reverse order. #This command will execute last, it kills all UDP requests. iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT #This command will execute second and will block all TCP source ports except those needed for web access or services iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport ! --sports 5000,5001,6690 -j REJECT #This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT For earlier Shibby versions and later for MIPS routers: #Use this order of commands because it executes in reverse order. #This command will execute last, it kills all UDP requests. iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT #This command will execute second and will block all TCP source ports except those needed for web access or services iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport --sports ! 5000,5001,6690 -j REJECT #This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT Port TCP 5000 = HTTP for for Synology web access (change to your if it's not default) Port TCP 5001 = HTTPS for for Synology web access (change to your it's not default) Port TCP 6690 = Cloud Station port Port UDP 443 = AirVPN connection port which you defined in step 1 of this tutorial. If you are using TCP port, then you need to change "-p udp" to "-p tcp" in that line. If you need more ports, just add them separated by comma ",". If you want port range, for example 123,124,125,126,127, you can add it like this 123:127. Change IP 192.168.1.100 to your Synology LAN IP. Be careful NOT TO assign those ports to your Download Station on Synology. This isn't perfect, you can still leak your IP through UDP 443, but since torrent uses mostly TCP, those chances are minimal. If you use TCP port for VPN, then those chances increase. If you really want to be sure nothing leaks even on UDP 443 (or your custom port), you need to choose 1 (ONE) AirVPN server. You need to find that server entry IP and change last IPTABLES rule to something like this: iptables -I FORWARD -p udp -s 192.168.1.100 -d 123.456.789.123 -m multiport --dports 443 -j ACCEPT Where 123.456.789.123 is AirVPN server entry IP. This will allow UDP 443 only for that server, rest will be rejected by router. These are all my opinions, from my very limited knowledge, which may be right and may be wrong. 5. Auto reconnection when VPN is down. Since when you made your VPN connection on your Synology, you checked "Reconnect" option, Syno will try to reconnect automaticly when connection fails. But in some cases, your network will be offline long enough and Syno will stop trying to reconnect, or will hang with VPN connection established, but not working. In those cases you can use this auto reconnect script. This is reconnect script. Just select all script text and copy it. #VPN Check script modified Sep 11, 2016 #Script checks if VPN is up, and if it is, it checks if it's working or not. It provides details like VPN is up since, data #received/sent, VPN IP & WAN IP. #If VPN is not up it will report it in the log file and start it #Change LogFile path to your own location. #Save this script to file of your choosing (for example "synovpn_reconnect"). Store it in one of your Synology shared folders and chmod it: "chmod +x /volume1/shared_folder_name/your_path/synovpn_reconnect" #Edit "/etc/crontab" and add this line without quotes for starting script every 10 minutes: "*/10 * * * * root /volume1/shared_folder_name/your_path/synovpn_reconnect" #After that restart cron with: "/usr/syno/sbin/synoservicectl --restart crond" #!/bin/sh DATE=$(date +"%F") TIME=$(date +"%T") VPNID=$(grep "\[.*\]" /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "[" | cut -f 1 -d "]") VPNNAME=$(grep conf_name /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "=") LogFile="/volume1/filmovi/Backup/airvpn/check_airvpn_$DATE.log" PUBIP=$(curl -s -m 5 icanhazip.com) #PUBIP=$(curl -s -m 5 ipinfo.io/ip) #PUBIP=$(curl -s -m 5 ifconfig.me) CHECKIP=$(echo $PUBIP | grep -c ".") start_vpn() { echo "VPN is down. Attempting to (re)start now." >> $LogFile # /usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=$VPNNAME /usr/syno/bin/synovpnc kill_client /bin/kill `cat /var/run/ovpn_client.pid` 2>/dev/null sleep 35 echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting echo conf_id=$VPNID > /usr/syno/etc/synovpnclient/vpnc_connecting echo conf_name=$VPNNAME >> /usr/syno/etc/synovpnclient/vpnc_connecting echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=$VPNNAME >> $LogFile } sleep 6 echo "======================================" >> $LogFile echo "$DATE $TIME" >> $LogFile if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00" then if [ "$CHECKIP" == 1 ] then IPADDR=$(/sbin/ifconfig tun0 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}') RXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}') TXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}') UPTIME=$(cat /var/log/messages | grep "$IPADDR" | awk '{print $1}' | tail -1) UPTIME=$(date -d"$UPTIME" +"%Y/%m/%d %H:%M:%S") echo "VPN is up since: $UPTIME" >> $LogFile echo "Session Data RX: $RXDATA" >> $LogFile echo "Session Data TX: $TXDATA" >> $LogFile echo "VPN IP is: $IPADDR" >> $LogFile echo "WAN IP is: $PUBIP" >> $LogFile else start_vpn fi else start_vpn fi exit 0 (1) Login to you Synology DSM web interface as admin. - As admin go to "Control panel" - "Task Scheduler" (you need to enable advanced mode in top right corner of control panel for this) - Click "Create" button near top of page, then select "Scheduled Task" and then "User-defined script" (2) New popup window will open. - under "Task:" enter task name - under "User:" select "root" if it's not already selected - switch to "Schedule" tab and select how often you want this task to run, my settings are: - "Run of following days" - "Daily" - "First run time" - 00:00 - "Frequency" - "Every 10 minutes" - "Last run time" - 23:50 - switch to "Task settings" tab - paste script you copied into empty box under "User-defined script" title - press OK and you're done I tested this on DSM 6.2.2 and it works without problems for now. Still, I'm keeping old instructions in next post, if someone wants to do it like that. Tip: If you don't want logfile, you can comment out those lines, or remove ">> $LogFile" code from whole script. That's all. If you entered everything correctly, you should be fine and ready to go! Comments are welcome. If you find mistakes, please correct me.
  5. Hey. I'm running OpenVPN 2.3.2 on Ubuntu server 14.04 in a VirtualBox 5.0.14 instance on a Win-64 box to connect to AirVPN using the config file generated from the AirVPN site. The VirtualBox instance is bridged to my host NIC using a PCnet-FAST III driver in Ubuntu. Set to auto-start with the AirVPN config file as the default in /etc/openvpn so I control it with service stop / start. The tunnel will work for somewhere between 1 and 6 hours and then it will remain established but no traffic will move through it. I've tried adding keepalive 10 60 to the config but no change. I've anecdotally seen that it could be related to interruption in the internet connection. How can I either a. get the openvpn service to withstand internet connectivity interruptions or b. cron a script to test and if fail restart the openvpn service. FYI I'm reasonably strong technically but my Linux skill is newbie.
  6. Hi, I have written an alternative client for AirVPN that I would like to share with you. Just as Eddie, it supports other providers, too, as long as OpenVPN config files are provided. For AirVPN and Mullvad it offers a convenient update function that just requires you to enter your credentials in order to download the latest server configurations. Furthermore, it allows you to choose among the plethora of protocols offered by AirVPN (including OpenVPN over SSL/SSH) except the experimental ones (I might add support for those in the future, once they become available for all servers). Qomui (Qt OpenVPN management UI) as I have named it, is written in Python and PyQt and should run on any GNU/Linux distribution. It allows you to easily create double-hop connections. In other words, you can route your requests via two OpenVPN servers. This feature works provider-independent. For example, you could choose a Mullvad server for the first hop, and AirVPN for the second (I have successfully tested this with AirVPN, Mullvad and ProtonVPN). Thereby, it avoids a major downside of similar offers by some providers, namely the fact that if one provider controls all "hops" he or she could potentially still see, log or inspect all your traffic. In the latter case, you would gain little in terms of privacy. With the ability to "mix" providers, Qomui does not suffer from the same problem and hence offers some tangible benefits. Obviously, you would still have to sacrifice some speed/bandwith, though. Depending on your DE (looking at you, Gnome!), Qomui will also display a systray icon that shows the country of the server you are currently connected to. Additional features include protection against DNS leaks and a firewall that optionally blocks all outgoing network connections except for the OpenVPN server you have chosen. Since it is never recommended to run graphical applications as root, which is a major flaw of most OpenVPN clients, all commands that require root privileges are handled by a background service that can be controlled via systemd. The following screenshot gives you an idea of what Qomui looks like (on Arch/Arc Dark Theme). If you are interested, you can download Qomui from github: https://github.com/corrad1nho/qomui Of course, I'd be happy for any kind of feedback. If you find bugs or Qomui does not run properly or not at all on your machine, please let me know. I'm happy to help! At last, a big thank you to AirVPN and its amazing community. The fact that you rely more on explaining technical details than empty promises, has helped me to learn a lot. It is also one of the main reason why I chose AirVPN. Commendably, Eddie is also released as open-source software. Only Mullvad does that, too, to my knowledge. Why doesn't every provider do that? You are selling a service, not software! Why would I trust in proprietary software? Funnily, I have never really used Eddie, though, since I was accustomed to manually adding config files to NetworkManager as my first provider did not offer a GNU/Linux client. My interest in features such as OpenVPN over SSL made me look into more convenient solutions, though. Ultimately I decided to write my own program as I wanted to learn some Python and this provided a perfect practical challenge. I have actually used Qomui daily on multiple machines during the past few months and constantly tried to improve it. So I'd thought it'd be about to time to share it (it's an alpha release, though). Have a nice weekend! Corrado
  7. Goal We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. We will use the Termux Terminal Emulator to install and run stunnel and OpenVPN for Android to manage the OpenVPN connection. Requirements Android 6.0 or newer (5.0 and derivatives thereof such as FireOS should work too)the Android device does not have to be rootedGoogle PlayStore or the free & open source F-Droid market (recommended)OpenVPN for Android (FOSS) – or Air's official Eddie Android Edition Please stay tuned for future Eddie releases as they may include native SSL tunnel support (which would make this cumbersome guide unnecessary)Termux Terminal Emulator (FOSS)stunnel (FOSS), via Termux repositorya separate computer to download/edit the config files (entirely optional, but recommended) Setup instructions Part 1: generate AirVPN config files 1/7: open AirVPN's config generator. When asked for your operating system, pick Linux: 2/7: Choose servers: Pick a single server. Do not select more than one. Do not select a whole region. 3/7: Protocols: First, enable Advanced Mode: Now select the SSL mode, port 443: 4/7: Accept Terms of Service and generate the config files: 5/7: Download the generated zip archive: 6/7: unzip AirVPN.zip and open the *.ssl file in a text editor. find this line: pid = /tmp/stunnel4.pid replace it with: pid = /data/data/com.termux/files/home/stunnel4.pid 7/7: Now transfer the AirVPN folder to your phone's sdcard / main storage directory. For ease of use, don't put it into any subdirectories. Instead, put it into your "root" storage directory, meaning on the same level as your other default Android folders such as Documents, Download and Movies. Part 2: Install and prepare Android software 1/3: Install OpenVPN for Android, via F-Droid or Play Store. Don't configure anything just yet. 2/3: Install Termux Terminal Emulator, via F-Droid or PlayStore open Termux and run: termux-setup-storageAllow Termux to access files on your device. (Android 8.0 Oreo users, please read the note at the end of this tutorial).The pkg command is used to install und update software packages. Make sure your base packages are all up to date: pkg upgradenow install stunnel: pkg install stunnel 3/3: Still in Termux, jump to the AirVPN folder you copied to your phone: cd storage/shared/AirVPNThe command lsshould list 3 files: AirVPN*.ovpn (the OpenVPN config file)AirVPN*.ssl (the stunnel config file)stunnel.crt (stunnel certificate)Now start stunnel: stunnel AirVPN*.ssl press the Home button to get out of Termux.Start OpenVPN and import the AirVPN*.ovpn config fileEdit your new OpenVPN connection (tap the "pencil button")in the ALLOWED APPS tab, tick the box next to Termuxreturn to OpenVPN's connection listyour VPN connection is now configured. A tap on its name will establish the connection.verify that a connection has been established by looking for the log entry Initialization Sequence Completedbrowse to ipleak.net (or any similar site) to verify that your traffic is indeed routed through the VPN tunnelHere's a short video, demonstrating the steps above: https://vimeo.com/246306477 Part 3: Usage instructions Now that everything is configured, future usage will be much easier: open Termuxnavigate to your AirVPN folder: cd storage/shared/AirVPNnow run stunnel: stunnel AirVPN*.sslPress the Home button and open the OpenVPN appConnect to your VPN profile Addendum: Tips as an alternative to OpenVPN for Android, you can also use Air's official Eddie Android edition. Don't forget to dive into Eddie's settings to exclude ("blacklist") Termux from the VPN tunnel.don't forget to periodically run pkg upgradeto keep all of Termux' packages, including stunnel, up-to-date.To prevent leaks, it's recommended to let OpenVPN set the default route for both IPv4 and IPv6; as well disabling the LAN bypass: you may want to take a look at Termux:Widget (via F-Droid or Play Store. It's an extension to Termux. If you put your stunnel commands into shell scripts, stored in ~/.shortcuts/ , you can launch them via Home screen widgets.enable Termux' extended keyboard by sliding out the left-side menu and long-pressing the KEYBOARD button. This will enable a row of additional keys, such as CTRL, ALT and TAB which are very useful in a terminal environment -- especially the TAB key, allowing you to autocomplete command and path names. Here's a short video on Vimeo demonstrating the extended keyboard.you may generate config files for as many servers as you like, put them into your AirVPN folder on your phone and add the *.ovpn profiles to OpenVPN.you may want to consider AFWall+ for additional firewalling (root required)it is recommended to move the *.ssl and stunnel.crt files out of Android's shared storage and into Termux' private data directory, while also deleting the no longer needed *.ovpn file: cd ~ mkdir st cd storage/shared/AirVPN cp *.ssl stunnel.crt ~/st rm *.ssl stunnel.crt *.ovpn Moving those files obviously changes the paths of your Termux commands. Instead of running: cd storage/shared/AirVPN stunnel AirVPN*.ssl You'd now need to run: cd ~/st stunnel AirVPN*.ssl Addendum: Caveats Following this tutorial will add the Termux app to OpenVPN's exclusion list, allowing it connect to the VPN server. But this also means that anything else you may do via Termux will also bypass the VPN tunnel. If you need a VPN-tunneled terminal app, I recommend using Termux only to run stunnel; using another terminal emulator app for your other tasks. Addendum: Testing and bugs This tutorial has been tested on: Stock Android 6.0Stock Android 7.0Stock Android 8.0LineageOS 14.1 (~ Android 7.1.x)Fire OS 5.6.0.0 (~ Android 5.x), testing done by user steve74it Important Notice for Android 8.0+ (Oreo) users: The command termux-setup-storage does not work (yet). Instead, follow this workaround to access storage: https://github.com/termux/termux-app/issues/157#issuecomment-246659496 The workaround will no longer be necessary once this bug is resolved: https://github.com/termux/termux-packages/issues/1578 EDIT LOG Thu Dec 7 20:24 UTC 2017: initial releaseThu Dec 7 20:40 UTC 2017: formatting correctionsThu Dec 7 20:58 UTC 2017: spellingFri Dec 8 18:47 UTC 2017: add recommended route settings. credit and thanks to Darkspace-HarbingerFri Jan 5 17:30 UTC 2018: add note that this guide is functional on FireOS 5.6 (Android 5.x). testing done by user steve74it, thank you!Mon Jan 22 18:34 UTC 2018: add mikevvl's security tip to move files out of shared storage. thank you!Sun Jul 15 12:16 UTC 2018: recommend against alternative VPN apps (thanks steve74it)Tue Jul 17 12:20 UTC 2018: mention Eddie compatibility (thanks steve74it) Any corrections, further testing, as well as general suggestions for improvement would be much appreciated.
  8. Hi, since configuring AIrVPN on my pfSense machine, I've been struggling to get Sky On Demand working. SKY Q box tells me "download failed". Before AirVPN config, all was good. AirVPN is connecting nicely and allowing me to browse. I followed nguvu's guide here to get 3 connections to AIrVPN so that I could have some resilience in case one of the OpenVPN servers failed. All my devices seem to be connecting to the internet. Only the SKY Q is lamenting failures with downloads of movies. DNSLEAK TEST is giving 185.103.96.147 which is the AIrVPN exit node. When I do the extended test, I get 3 DNS servers, one for each of the OpenVPN connections I have up and running AirVPN's DNS Leak ipleak.net is also giving 3 DNS servers (the same as DNSLEAK TEST) and identifying me with one of the other AIrVPN servers in the Netherlands. So here doesn't appear to be a leak and the AirVPN routing seems to be correct too as its correctly exiting me in the UK by showing the UK AIrVPN exit node. So the question begs as to why and how Sky Q box is refusing to download the movies ("failed downloading"). Of course the Sky Q box has no log facilities ... so I have no hope of consulting that ... :-( Does anyone have a similar setup to mine with AIrVPN and is using Sky Q in the UK. I guess my next option is to let it through Clearnet (i.e. not through the VPN connection ....). Any thoughts? Thanks
  9. With the latest revelation from google about Quantum Computing, I would like to know how safe arewith with Airvpn? What is the best encryption method and how do we implement it .
  10. Hi there, I use Eddie software to connect airvpn in my windows 10 station (unattended windows version with a lot of service / app disable). The first time I tried to connect it worked great. But after a restart of the computer I was not able to connect at all, Eddie software try to join a server and immediately disconnect. But if I install OpenVPN Gui, it works again, I can connect with Eddie without problem. But as soon as I restart the computer, it cannot connect anymore. Do you have an idea from where my problem could be coming? Thanks in advance
  11. Hi all, I've followed the instructions at https://airvpn.org/topic/11431-using-airvpn-with-linux-from-terminal/ in order to set up my account. This works fine and leak-free, when my local networks gives me an IPv4 address -- but if I get an IPv6 address, that address is leaked to remote sites according to https://ipleak.net/ . How do I prevent that? Thanks, Chris
  12. NOTICE to the Moderator: PLEASE MOVE TO THE RIGHT FORUM Hello, I want to make a thread about split tunneling through a spezific user. I figured out how it works and want to share it. I use Debian 8/9 but it should work with other distros too. Openvpn Split tunnel though user Debian 8 & 9 based Install openvpn from apt or install it via source apt-get update -y && apt-get upgrade -y && apt-get install openvpn htop nload dstat sudo apt-utils iptables curl resolvconf -y nano /etc/systemd/system/openvpn@openvpn.service Config: [Unit] Description=OpenVPN connection to %i Documentation=man:openvpn(8) Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO After=network.target [Service] RuntimeDirectory=openvpn PrivateTmp=true KillMode=mixed Type=forking ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid PIDFile=/run/openvpn/%i.pid ExecReload=/bin/kill -HUP $MAINPID WorkingDirectory=/etc/openvpn Restart=on-failure RestartSec=3 ProtectSystem=yes LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw [Install] WantedBy=multi-user.target Enable Service systemctl enable openvpn@openvpn.service Download Airvpn/Openvpn config and paste it in there: nano /etc/openvpn/openvpn.conf Add this to the config: nobind script-security 2 route-noexec up /etc/openvpn/iptables.sh down /etc/openvpn/update-resolv-conf Change DNS nano /etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS AIRVPN DNS1' foreign_option_2='dhcp-option DNS AIRVPN DNS2' foreign_option_3='dhcp-option DNS 1.1.1.1' Add user and group adduser --disabled-login vpn usermod -aG vpn XXX usermod -aG XXX vpn Iptables Flush & Rules iptables -F iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP apt-get install iptables-persistent -y nano /etc/openvpn/iptables.sh Change INTERFACE, VPNUSER, LOCALIP and NETIF Script: #! /bin/bash export INTERFACE="tun0" export VPNUSER="vpn" export LOCALIP="192.168.1.130" export NETIF="eth0" # flushes all the iptables rules, if you have other rules to use then add them into the script iptables -F -t nat iptables -F -t mangle iptables -F -t filter # mark packets from $VPNUSER iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT -j CONNMARK --save-mark # allow responses iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT # block everything incoming on $INTERFACE to prevent accidental exposing of ports iptables -A INPUT -i $INTERFACE -j REJECT # let $VPNUSER access lo and $INTERFACE iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT # all packets on $INTERFACE needs to be masqueraded iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE # reject connections from predator IP going over $NETIF iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT # Start routing script /etc/openvpn/routing.sh exit 0 chmod +x /etc/openvpn/iptables.sh nano /etc/openvpn/routing.sh Change ifconfig to ip if your OS dont support ifconfig anymore or install it. apt install net-tools Change VPNIG and VPNUSER if needed Script: #! /bin/bash VPNIF="tun0" VPNUSER="vpn" GATEWAYIP=`ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1` if [[ `ip rule list | grep -c 0x1` == 0 ]]; then ip rule add from all fwmark 0x1 lookup $VPNUSER fi ip route replace default via $GATEWAYIP table $VPNUSER ip route append default via 127.0.0.1 dev lo table $VPNUSER ip route flush cache # run update-resolv-conf script to set VPN DNS /etc/openvpn/update-resolv-conf exit 0 chmod +x /etc/openvpn/routing.sh nano /etc/iproute2/rt_tables Add 200 vpn Edit vpn filter nano /etc/sysctl.d/9999-vpn.conf Add: Replace XXXXXX with your eth/wireless interface net.ipv4.conf.all.rp_filter = 2 net.ipv4.conf.default.rp_filter = 2 net.ipv4.conf.XXXXXX.rp_filter = 2 net.ipv6.conf.all.rp_filter = 2 net.ipv6.conf.default.rp_filter = 2 net.ipv6.conf.XXXXXX.rp_filter = 2 Apply Rules and show status sysctl --system service openvpn status Test it IP: sudo -u vpn -i -- curl ipinfo.io DNS: sudo -u vpn -i -- cat /etc/resolv.conf Enjoy
  13. Initially you should have router with OpenWRT firmware with OpenVPN client enabled. The main page of the firmware is http://openwrt.org Router, flashed with OpenWRT firmware image, initially accept connection only by telnet, so you should connect to it by telnet to the IP 192.168.1.1 and change root password with command "passwd". After this command it accepts connection via ssh. By default openvpn isn't included in the firmware image, so you should install it by use of opkg: # opkg update # opkg install openvpn-openssl You can also install luci-component of openvpn configuration, but it is optional: # opkg install install luci-app-openvpn You can also build firmware image with openvpn. Good manual of general OpenVPN client configuration you can find on the page https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client We will follow it with modifications, specific for AirVPN. After openvpn installation you can make it autostarting when router starts: # /etc/init.d/openvpn enable Download configuration files needed for OpenVPN connection via tool on the link https://airvpn.org/generator Choose "Linux", and further options. Notice, that there is amount of different options like country, protocol, and port number. In the result you get one or more OpenVPN configuration files with extension "ovpn", possibly in archive. File name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn" "America" means America, "UDP" means UDP protocol, and "443" means port number. We will use this file for example, other files are treated similarly. Comment with "#" the option "explicit-exit-notify 5" in the file, because OpenVPN client in OpenWRT doesn't recognize it. In result the line should start with "#": "# explicit-exit-notify 5". Copy the file "AirVPN_America_UDP-443.ovpn" with pscp or WinSCP programs in Windows, scp command in Linux to /etc/openvpn/ folder of router filesystem. In case of copy problems you should force using exactly scp protocol (it also can use sftp). The file itself contains contents of file "ca.crt" between tags "<ca>" and "</ca>", "user.crt" between tags "<cert>" and "</cert>", "user.key" between tags "<key>" and "</key", and contents of file "ta.key" between tags "<tls-auth>" and "</tls-auth>". You can create separate files "ca.crt", "user.crt", "user.key", and "ta.key" with corresponding content excluding tags, in the same folder, and replace tags with content in original file with following strings: ca ca.crt cert user.crt key user.key tls-auth ta.key 1 Notice, that contents of all files for different OpenVPN configuration files are identical. In other words, the significand difference of OpenVPN configuration files is string, containing server address and port, beginning with the word "remote". Configuration of OpenVPN using the file "AirVPN_America_UDP-443.ovpn" could be implemented by two ways. 1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by extension. 2) Specify file name in /etc/config/openvpn You can use uci: # uci set openvpn.airvpn=openvpn # uci set openvpn.airvpn.enabled='1' # uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_America_UDP-443.ovpn' # uci commit openvpn The file /etc/config/openvpn should contain following appended strings: config openvpn 'airvpn' option enabled '1' option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn' You can also change extension of the file "ovpn" to "conf", and speficify it in the file /etc/config/openvpn, in this case OpenVPN will start with this configuration file just once. You can also manually specify parameters specific for OpenVPN-connection in the file /etc/config/openvpn. In this case you don't need the file "AirVPN_America_UDP-443.ovpn", because all necessary parameters from it are specified explicitly. However, it is tiresomely. Create new network interface: # uci set network.airvpntun=interface # uci set network.airvpntun.proto='none' # uci set network.airvpntun.ifname='tun0' # uci commit network The file /etc/config/network should contain following appended strings: config interface 'airvpntun' option proto 'none' option ifname 'tun0' Create new firewall zone and add forwarding rule from LAN to VPN: # uci add firewall zone # uci set firewall.@zone[-1].name='vpnfirewall' # uci set firewall.@zone[-1].input='REJECT' # uci set firewall.@zone[-1].output='ACCEPT' # uci set firewall.@zone[-1].forward='REJECT' # uci set firewall.@zone[-1].masq='1' # uci set firewall.@zone[-1].mtu_fix='1' # uci add_list firewall.@zone[-1].network='airvpntun' # uci add firewall forwarding # uci set firewall.@forwarding[-1].src='/external_image/?url=lan' # uci set firewall.@forwarding[-1].dest='vpnfirewall' # uci commit firewall To prevent traffic leakage outside the VPN-tunnel you should remove forwarding rule from lan to wan. In default configuration there is single forwarding rule, so the command is: # uci del firewall.@forwarding[0] You can also set "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is: # uci set firewall.@zone[1].masq=0 After configuration you should commit changes: # uci commit firewall The file /etc/config/firewall should contain following appended strings: config zone option name 'vpnfirewall' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' list network 'airvpntun' config forwarding option src 'lan' option dest 'vpnfirewall' Now we should configure DNS servers. The simplest approach is to use public DNS for WAN interface of router. You can add OpenDNS: # uci set network.wan.peerdns='0' # uci del network.wan.dns # uci add_list network.wan.dns='208.67.222.222' # uci add_list network.wan.dns='208.67.220.220' # uci commit The file /etc/config/network should contain section 'wan' with following strings (three bottom strings has been appended): config interface 'wan' option ifname 'eth0.2' option force_link '1' option proto 'dhcp' option peerdns '0' list dns '208.67.222.222' list dns '208.67.220.220' You can also add GoogleDNS: # uci set network.wan.peerdns='0' # uci del network.wan.dns # uci add_list network.wan.dns='8.8.8.8' # uci add_list network.wan.dns='8.8.4.4' # uci commit The appended strings should be similar to previous one. To prevent traffic leakage in case VPN-tunnel drops you should edit the file /etc/firewall.user with following content: # This file is interpreted as shell script. # Put your custom iptables rules here, they will # be executed with each firewall (re-)start. # Internal uci firewall chains are flushed and recreated on reload, so # put custom rules into the root chains e.g. INPUT or FORWARD or into the # special user chains, e.g. input_wan_rule or postrouting_lan_rule. if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT fi if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then iptables -I forwarding_lan_rule ! -o tun+ -j REJECT fi You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content: #!/bin/sh if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then iptables -D forwarding_rule -j REJECT fi if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT fi In some cases openvpn hangs with log message like (couldn't resolve host ...). In this case tunnel stays up, but connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as: /etc/openvpn/reconnect.sh & The content of script reconnect.sh is like: #!/bin/sh n=10 while sleep 50; do t=$(ping -c $n 8.8.8.8 | grep -o -E '\d+ packets r' | grep -o -E '\d+') if [ "$t" -eq 0 ]; then /etc/init.d/openvpn restart fi done Update of luci-app-openvpn - git-19.256.41054-c048f23-1 tried to find file with name 'openvpn-airvpn.conf' (see section in /etc/openvpn/config). So you should rename your file 'AirVPN_America_UDP-443.ovpn' to 'openvpn-airvpn.conf', and comment or remove corresponding string: config openvpn 'airvpn' option enabled '1' # option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'
  14. Hi I have installed dd-wrt on Netgear R6400, i followed the official guide for configuring AirVPN on it, and the problem is that im getting maximum speeds of 10-17mbps instead of around 70mbps. Are my settings fine ? what could i try ? Thanks
  15. Hey there! I have a question regarding the creation of an openvpn config through this site's config generator in the client area. I can create one but what I want is a way to have the same or similar settings as my Eddie AirVPN application on windows PCs. Specifically the section in preferences (inside Eddie) Tor/Proxy. Mine is set to default Tor settings with 9150 as port, empty login info and when tested it's successful. Now why I need this openvpn config is for use on a tablet/phone. Can anyone provide information to help me create a new ovpn file with the same Tor safeguards as are available in the Eddie GUI on PC. Thank you for any help you can provide me. -T
  16. When using newly generated .ovpn files in Tunnelblick I keep seeing this... Warning: This VPN may not connect in the future. The OpenVPN configuration file for 'AirVPN_Europe_UDP-443' contains these OpenVPN options: • 'comp-lzo' was deprecated in OpenVPN 2.4 and has been or will be removed in a later version You should update the configuration so it can be used with modern versions of OpenVPN. Tunnelblick will use OpenVPN 2.4.7 - OpenSSL v1.0.2r to connect this configuration. However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.
  17. To connect I usually just download an .ovpn file and type in terminal "sudo openvpn <.ovpn file>" and the connection works. Or I go to gnome connection manager and "import saved configuration", import the .ovpn file and use that to connect graphically. However, I have noticed other vpn providers - they only provide these .ovpn files for Android. For ubuntu linux set ups they recommend manually importing the certificates and changing the settings in the advanced settings manually. Is there a difference in these methods? is one method more secure ? is it okay to just import a whole saved configuration from an .ovpn file for ubuntu linux, rather than manually entering the certificate etc ?
  18. This is only a solution for people in their home country willing/wanting to bypass the VPN to access their Netflix account. Does not help for out-of-country Netflix access. I was surprised to not see this in the forum, as it's very simple and works. It is a very short script added to the Custom Configuration which pulls the current IP addresses for a domain name (Netflix.com, Hulu.com) and routes those addresses "around" the VPN. allow-pull-fqdn route www.netflix.com 255.255.255.255 net_gateway So far I've been using this for a day, and had to restart things one time to get it to pick up new addresses. I would like to find a way to run this at regular intervals to add to the IP list (without duplicating addresses already in the list).
  19. heyhey, i'm having trouble setting up a ipv6 vpn connection with the (manjaro/arch) linux "network-manager". when i want to set up a ipv4 connection, i go to the "client area" on airvpn.org, start the "config generator", check "advanced" an then set: OS: LinuxOpenVPN version >= 2.4Need IPv6?: "IPv4 only"Protocol: UDP | Port: 443 | Entry IP: 1In the advanced section i check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file"Server: xxxi then generate the config and download all the files into a new/empty folder. afterwards i start the network-manager connection editors gui ($ nm-connection-editor), click the "+" button, select "import a saved vpn configuration", click "create", navigate to the folder with the config and key files, select the "xxx.ovpn" file and then just click "save", since the nm-connection-editor automatically sets up the right key files etc. in this case everything works as expected. HOWEVER if i try to do the same with a IPv6 config file ("Need IPv6?" set to "IPv4 & IPv6 (connect with IPv6)" - all other settings the same) i get an error when trying to "import a saved vpn configuration" with the nm-connection-editor. when i open the "xxx.ovpn" file with a text editor and change the line "proto udp6" (this is the line before "tls-auth 'ta.key' 1") to "proto udp", i can import without the error message however the connection is not working afterwards. do you have any ideas what i could do different? should i set up the connection manually? thanks in advance!
  20. I always get this error no matter what: Sat Dec 2 19:17:00 2017 daemon.err openvpn(LA_VPN)[4922]: Options error: specify only one of --tls-server, --tls-client, or --secret Sat Dec 2 19:17:00 2017 daemon.warn openvpn(LA_VPN)[4922]: Use --help for more information. Screenshots are attached, OpenVPN version is 2.4.4-2, is there anything I can do to fix this through LuCI?
  21. I'm personally not a huge fan of it. Don't get me wrong it did need abit of an update but imo it looks to android like now and I seem to have tap more to get to where I want such as see the statistics.
  22. When using VPN on Linux with openvpn I get 3 DNS adresses on ipleak.net. 1. AirVpn-Server Exit Ipv4, 2. AirVpn-Server Exit Ipv6 and 3. the residential address of my ISP. Note: This is not my own home IP, but rather the one by my ISP. Should I be worried? Ipv6 is disabled.
  23. Hi, I am using open vpn on a dd-wrt router. The non vpn connection is 100mbit and I get 70 to 80mbit without issue. With AirVPN I am getting 15mbit down and 5mbit up. Is this normal? I am sure a while ago I was getting 10mbit down. Thanks.
  24. Hello, I've trying to connect to AirVPN on my Raspberry Pi running Raspbian Stretch (which is pretty much Debian Stretch). I've generated a .ovpn file here and have simply typed the command: sudo openvpn --config AirVPN_Sweden.ovpn However, when I do this, it sits there for ages on the following. I don't know if this means it's done or not (XXX to remove an address I think is sensitive): Sun Jun 24 10:47:43 2018 /sbin/ip addr add dev tun1 10.10.136.46/24 broadcast 10.10.136.255 Sun Jun 24 10:47:49 2018 /sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.0.1 Sun Jun 24 10:47:49 2018 /sbin/ip route add 0.0.0.0/1 via 10.10.136.1 Sun Jun 24 10:47:49 2018 /sbin/ip route add 128.0.0.0/1 via 10.10.136.1 Sun Jun 24 10:47:49 2018 Initialization Sequence Completed If Ctrl+Z then bg to get control of my shell back, I then can't ping anything external at all using either a URL or an IP address. The top of my .ovpn file is as follows: client dev tun remote se.vpn.airdns.org 443 resolv-retry infinite nobind persist-key persist-tun auth-nocache route-delay 5 verb 3 explicit-exit-notify 5 remote-cert-tls server cipher AES-256-CBC comp-lzo no proto udp key-direction 1 <ca> -----BEGIN CERTIFICATE----- ..... What am I doing wrong? (Please note: I've flushed iptables and 127.0.0.1 resolves to localhost in the hosts file.)
  25. Hi all, i have some issues with my openvpn for android client. i followed the instructions in the how-to section to setup openvpn for android. everything worked fine but: first issue: i get reconnects every few minutes and second issue: when i check for dnsleaks on ipleak.net everything looks smooth. no leak. i see airvpn exitip and airvpndns. but when i visit airvpn.org i see on top of the site my real ipv6 address. someone can tell me how to solve this errors? regards
×
×
  • Create New...