Showing results for tags 'OpenVPN'.



Found 180 results

  1. Hi there, I use Eddie software to connect to AirVPN on my Windows 10 station (unattended Windows version with a lot of services / apps disabled). The first time I tried to connect it worked great. But after a restart of the computer I was not able to connect at all: Eddie tries to join a server and immediately disconnects. But if I install OpenVPN GUI, it works again, and I can connect with Eddie without problem. But as soon as I restart the computer, it cannot connect anymore. Do you have an idea where my problem could be coming from? Thanks in advance
  2. Hi, I have written an alternative client for AirVPN that I would like to share with you. Just as Eddie, it supports other providers, too, as long as OpenVPN config files are provided. For AirVPN and Mullvad it offers a convenient update function that just requires you to enter your credentials in order to download the latest server configurations. Furthermore, it allows you to choose among the plethora of protocols offered by AirVPN (including OpenVPN over SSL/SSH) except the experimental ones (I might add support for those in the future, once they become available for all servers).

     Qomui (Qt OpenVPN management UI), as I have named it, is written in Python and PyQt and should run on any GNU/Linux distribution. It allows you to easily create double-hop connections. In other words, you can route your requests via two OpenVPN servers. This feature works provider-independent. For example, you could choose a Mullvad server for the first hop, and AirVPN for the second (I have successfully tested this with AirVPN, Mullvad and ProtonVPN). Thereby, it avoids a major downside of similar offers by some providers, namely the fact that if one provider controls all "hops" he or she could potentially still see, log or inspect all your traffic. In the latter case, you would gain little in terms of privacy. With the ability to "mix" providers, Qomui does not suffer from the same problem and hence offers some tangible benefits. Obviously, you would still have to sacrifice some speed/bandwidth, though.

     Depending on your DE (looking at you, Gnome!), Qomui will also display a systray icon that shows the country of the server you are currently connected to. Additional features include protection against DNS leaks and a firewall that optionally blocks all outgoing network connections except for the OpenVPN server you have chosen.
     Since it is never recommended to run graphical applications as root, which is a major flaw of most OpenVPN clients, all commands that require root privileges are handled by a background service that can be controlled via systemd. The following screenshot gives you an idea of what Qomui looks like (on Arch/Arc Dark Theme).

     If you are interested, you can download Qomui from github: https://github.com/corrad1nho/qomui

     Of course, I'd be happy for any kind of feedback. If you find bugs or Qomui does not run properly or not at all on your machine, please let me know. I'm happy to help!

     At last, a big thank you to AirVPN and its amazing community. The fact that you rely more on explaining technical details than empty promises has helped me to learn a lot. It is also one of the main reasons why I chose AirVPN. Commendably, Eddie is also released as open-source software. Only Mullvad does that, too, to my knowledge. Why doesn't every provider do that? You are selling a service, not software! Why would I trust in proprietary software? Funnily, I have never really used Eddie, though, since I was accustomed to manually adding config files to NetworkManager as my first provider did not offer a GNU/Linux client. My interest in features such as OpenVPN over SSL made me look into more convenient solutions, though. Ultimately I decided to write my own program as I wanted to learn some Python and this provided a perfect practical challenge. I have actually used Qomui daily on multiple machines during the past few months and constantly tried to improve it. So I thought it'd be about time to share it (it's an alpha release, though).

     Have a nice weekend! Corrado
  3. Hi all, I've followed the instructions at https://airvpn.org/topic/11431-using-airvpn-with-linux-from-terminal/ in order to set up my account. This works fine and leak-free when my local network gives me an IPv4 address -- but if I get an IPv6 address, that address is leaked to remote sites according to https://ipleak.net/ . How do I prevent that? Thanks, Chris
  4. Hello all,

     This is a collection from different tutorials which I will refer here, but usually changed since some things changed. Setting up VPN on Synology is modified neolefort tutorial from here and reconnect script is from sundi which you can find here, which probably modified this script, plus my iptables for blocking Synology on router level when VPN fails.

     Other contributions:
     - foobar666 - you no longer need to enter variables manually
     - _sinnerman_ - fixed script for DS 6.1

     I'm doing this mostly because I usually forget things I managed to solve after year or two, so this is way to have constant reminder how it was solved and also help others.

     1. Get your certificates from AirVPN.

     Go to the https://airvpn.org/generator/ page to generate the configuration file.

     (1) SELECT LINUX OS

     (2) SELECT 1 SERVER (refer to section "by single servers") OR COUNTRY OR ANYTHING ELSE YOU WANT
     In original tutorial, neolefort said to choose 1 server, because in that case you will get IP instead of xxx.airvpn.org domain. Choosing 1 server is safe because it doesn't need working DNS when you want to connect to VPN. If you choose anything else, you need working DNS on your router when establishing VPN connection.

     (3) SELECT the Advanced Mode (refer to section "connection modes")
     - select Direct,
     - protocol UDP,
     - port 443
     - Separate keys/certs from .ovpn file
     You can choose any combination of protocol/port, but then also change iptables accordingly if you are using failsafe script.

     (4) ACCEPT THE RULES OF AIRVPN
     Tick the two checkboxes:
     - I have read and I accept the Terms of Service
     - I HEREBY EXPLICITLY ACCEPT POINTS 8, 10, 11
     Then click on the GENERATE button.

     (5) Click on the ZIP button in order to download the AIRVPN configuration files and unzip them anywhere on your computer.
     The ZIP archive should contain the following files:
     - AirVPN_XXXXX_UDP-443.ovpn
     - ca.crt
     - user.crt
     - user.key
     - ta.key

     2. Setup AirVPN on Synology.
     In new DSM 6 it's much easier since Synology developers allowed everything in GUI now.
     - Login as admin or with user from Administrator group.
     - Open Control panel.
     - Go "Network" and click on tab "Network Interface"
     - Click on button "Create" - "Create VPN profile"
     - Choose "OpenVPN (via importing .ovpn file)"
     - Click "Advanced options" so it shows all options
     - Profile name: anything you want, but please keep it short and if you can without spaces " ", for example "AirVPN".
     - User name: Enter your username (anything you want, or you can enter AirVPN username)
     - Password: Enter your password (anything you want, or you can enter AirVPN password)
     - Import .ovpn file: click button and import your AirVPN_XXXXX_UDP-443.ovpn
     - CA certificate: click button and import your ca.crt
     - Client certificate: click button and import your user.crt
     - Client key: click button and import your user.key
     - Certificate revocation: LEAVE EMPTY
     - TLS-auth key: click button and import your ta.key
     - Click "Next"
     - Select all options, EXCEPT "Enable compression on the VPN link" (well, you can select that also if you really want, but don't)

     Now you have working OpenVPN link on your Synology DS6+. You just need to start it from "Control panel" - "Network" - "Network Interface".

     EXTRAS!!!

     3. Setting up external access to your Synology.

     First what you will notice is, "I CAN'T ACCESS MY SYNOLOGY FROM OUTSIDE OF MY LAN!!!!!!! OMG OMG OMG!!!!" I will not explain port forwards on your router here, if you don't know how to make one, learn!

     (1) You can port forward through AirVPN webpage and access your Syno via VPN exit IP. This sometimes works, most of times it doesn't since Syno has some ports you cannot change. Anyway, change your default HTTP / HTTPS port on Syno to your forwarded AirVPN port and you should be fine. But forget about Cloudstation and similar things.
     (2) If you want to access Syno via your ISP IP (WAN), then problem is, your Syno is receiving your connection, but it's replying through VPN. That's a security risk and those connections get dropped. But there is solution!
     - Access "Control panel" - "Network" - "General"
     - Click "Advanced Settings" button
     - Mark "Enable multiple gateways" and click "OK" and then "Apply"
     You're done! It's working now (if you forwarded good ports on your router).

     4. Prevent leaks when VPN connection on Synology fails.

     There will be time when your VPN will fail, drop, disconnect, and your ISP IP will become visible to world. This is one of ways you can prevent it, on router level. For this you need Tomato, Merlin, DD-WRT or OpenWRT firmware on your router. I will tell you steps for Tomato router. If you are using different firmware, then you need to learn alone how to input this code into your router. Since Shibby version 129 for ARM routers, syntax of iptables changed and depending on which version of iptables you are using, apply that code.
     - Login to your router (usually just by entering 192.168.1.1 into your browser, if your IP is different, find out which is your gateway IP).
     - Click on "Administration"
     - Click on "Scripts"
     - Choose tab "Firewall"

     For Shibby v129 for ARM and later (iptables 1.4.x) use this:

         #Use this order of commands because it executes in reverse order.
         #This command will execute last, it kills all UDP requests.
         iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT
         #This command will execute second and will block all TCP source ports except those needed for web access or services
         iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport ! --sports 5000,5001,6690 -j REJECT
         #This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP
         iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT

     For earlier Shibby versions and later for MIPS routers:

         #Use this order of commands because it executes in reverse order.
         #This command will execute last, it kills all UDP requests.
         iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT
         #This command will execute second and will block all TCP source ports except those needed for web access or services
         iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport --sports ! 5000,5001,6690 -j REJECT
         #This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP
         iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT

     Port TCP 5000 = HTTP for Synology web access (change to yours if it's not default)
     Port TCP 5001 = HTTPS for Synology web access (change to yours if it's not default)
     Port TCP 6690 = Cloud Station port
     Port UDP 443 = AirVPN connection port which you defined in step 1 of this tutorial. If you are using TCP port, then you need to change "-p udp" to "-p tcp" in that line.

     If you need more ports, just add them separated by comma ",". If you want port range, for example 123,124,125,126,127, you can add it like this 123:127. Change IP 192.168.1.100 to your Synology LAN IP. Be careful NOT TO assign those ports to your Download Station on Synology.

     This isn't perfect, you can still leak your IP through UDP 443, but since torrent uses mostly TCP, those chances are minimal. If you use TCP port for VPN, then those chances increase. If you really want to be sure nothing leaks even on UDP 443 (or your custom port), you need to choose 1 (ONE) AirVPN server.
     You need to find that server entry IP and change last IPTABLES rule to something like this:

         iptables -I FORWARD -p udp -s 192.168.1.100 -d 123.456.789.123 -m multiport --dports 443 -j ACCEPT

     Where 123.456.789.123 is AirVPN server entry IP. This will allow UDP 443 only for that server, rest will be rejected by router. These are all my opinions, from my very limited knowledge, which may be right and may be wrong.

     5. Auto reconnection when VPN is down.

     Since when you made your VPN connection on your Synology, you checked "Reconnect" option, Syno will try to reconnect automatically when connection fails. But in some cases, your network will be offline long enough and Syno will stop trying to reconnect, or will hang with VPN connection established, but not working. In those cases you can use this auto reconnect script.

     This is reconnect script. Save it in file named whatever you want. I'm using file name "synovpn_reconnect". All instructions how to use it are inside script in comments, but I will repeat them in this post also.

         #!/bin/sh
         #VPN Check script modified Sep 11, 2016
         #Script checks if VPN is up, and if it is, it checks if it's working or not. It provides details like VPN is up since, data
         #received/sent, VPN IP & WAN IP.
         #If VPN is not up it will report it in the log file and start it
         #Change LogFile path to your own location.
         #Save this script to file of your choosing (for example "synovpn_reconnect"). Store it in one of your Synology shared folders and chmod it: "chmod +x /volume1/shared_folder_name/your_path/synovpn_reconnect"
         #Edit "/etc/crontab" and add this line without quotes for starting script every 10 minutes: "*/10 * * * * root /volume1/shared_folder_name/your_path/synovpn_reconnect"
         #After that restart cron with: "/usr/syno/sbin/synoservicectl --restart crond"

         DATE=$(date +"%F")
         TIME=$(date +"%T")
         VPNID=$(grep "\[.*\]" /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "[" | cut -f 1 -d "]")
         VPNNAME=$(grep conf_name /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "=")
         LogFile="/volume1/video/Backup/airvpn/check_airvpn_$DATE.log"
         PUBIP=$(curl -s -m 5 icanhazip.com)
         #PUBIP=$(curl -s -m 5 ipinfo.io/ip)
         #PUBIP=$(curl -s -m 5 ifconfig.me)
         CHECKIP=$(echo $PUBIP | grep -c ".")

         start_vpn() {
             echo "VPN is down. Attempting to (re)start now." >> $LogFile
             /usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=$VPNNAME
             echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting
             echo conf_id=$VPNID > /usr/syno/etc/synovpnclient/vpnc_connecting
             echo conf_name=$VPNNAME >> /usr/syno/etc/synovpnclient/vpnc_connecting
             echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
             /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=$VPNNAME >> $LogFile
         }

         sleep 6
         echo "======================================" >> $LogFile
         echo "$DATE $TIME" >> $LogFile
         if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"
         then
             if [ "$CHECKIP" = 1 ]
             then
                 IPADDR=$(/sbin/ifconfig tun0 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')
                 RXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}')
                 TXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}')
                 UPTIME=$(cat /var/log/messages | grep "$IPADDR" | awk '{print $1}' | tail -1)
                 UPTIME=$(date -d"$UPTIME" +"%Y/%m/%d %H:%M:%S")
                 echo "VPN is up since: $UPTIME" >> $LogFile
                 echo "Session Data RX: $RXDATA" >> $LogFile
                 echo "Session Data TX: $TXDATA" >> $LogFile
                 echo "VPN IP is: $IPADDR" >> $LogFile
                 echo "WAN IP is: $PUBIP" >> $LogFile
             else
                 start_vpn
             fi
         else
             start_vpn
         fi
         exit 0

     (1) Enable SSH on your Synology if you didn't already.
     - As admin go to "Control panel" - "Terminal & SNMP" (you need to enable advanced mode in top right corner of control panel for this)
     - Check "Enable SSH service"
     - Click "Apply"

     (2) Save script above in file "synovpn_reconnect". Make sure to save it in UNIX UTF8, not windows. You can do that on windows with Notepad++, just open file with Notepad++, click "Encoding" - "Convert to UTF-8 without BOM" and then save file.

     (3) Edit script variables so it works for your system. You only need to edit this part:

         LogFile="/volume1/video/Backup/airvpn/check_airvpn_$DATE.log"

     Thanks to foobar666, you no longer need to enter VPNID or VPNNAME, it will detect them automatically. Now you only need to change your LogFile variable to match your wishes. After you finish editing script, save it.

     (4) Move or copy "synovpn_reconnect" to your Synology shared drive. Doesn't matter which, just be sure to know full path to it. If you only have 1 volume/drive, with multiple shared folders, your path should look similar to this:

         /volume1/shared_folder_name/your_path/

     So for example, if you keep your files in default CloudStation folder, your path should look something like this:

         /volume1/home/your_username/CloudStation/

     You can also do all this with VI, check original tutorial for that.

     (5) Now use Putty if you are on windows, or your terminal on linux, to access your Synology via SSH. I will not tutor you how to do that, learn. admin@192.168.1.100 or username@192.168.1.100 + password, or whatever your Syno LAN IP is.

     (6) Now type this into Putty/terminal:

         sudo chmod +x /volume1/shared_folder_name/your_path/synovpn_reconnect

     You need to chmod it to be executable. You will notice I use "sudo". It's because my admin username isn't default "admin".
     If you are using default "admin" user, then you probably don't need sudo.

     (7) Setup cron so it automatically starts your script every X minutes / hours / days. To setup it enter this:

         vi /etc/crontab

     And then press "i" to enter editing mode. Go to last line, and start new line with this:

         */10 * * * * root /volume1/shared_folder_name/your_path/synovpn_reconnect

     Note that those ARE NOT spaces, those are TABS. This will start your script every 10 minutes. Change to whatever you want. Then press ESC key, and then type:

         :wq

     To exit VI and save file. After that type:

         /usr/syno/sbin/synoservicectl --restart crond

     To restart cron (or restart your Synology).

     Tip: If you don't want logfile, you can comment out those lines, or remove ">> $LogFile" code from whole script.

     That's all. If you entered everything correctly, you should be fine and ready to go! Comments are welcome. If you find mistakes, please correct me.
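Added example (not part of the post above and not its author's script): a POSIX shell check that reads `iptables -S FORWARD` output from the router and reports whether the kill switch from step 4 has both catch-all blocks for the NAS and whether the VPN ACCEPT rule is pinned to a single server entry IP. The function name `audit_forward`, the sample rule listings and the address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of `iptables -S FORWARD` output (not captured from a router).
# Rules added with -I sit in the chain in reverse order of the commands that added them.
SAMPLE_UNPINNED='-P FORWARD ACCEPT
-A FORWARD -s 192.168.1.100/32 -p udp -m multiport --dports 443 -j ACCEPT
-A FORWARD -s 192.168.1.100/32 -p tcp -m multiport ! --sports 5000,5001,6690 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.1.100/32 -p udp -j REJECT --reject-with icmp-port-unreachable'

SAMPLE_PINNED='-P FORWARD ACCEPT
-A FORWARD -s 192.168.1.100/32 -d 203.0.113.10/32 -p udp -m multiport --dports 443 -j ACCEPT
-A FORWARD -s 192.168.1.100/32 -p tcp -m multiport ! --sports 5000,5001,6690 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.1.100/32 -p udp -j REJECT --reject-with icmp-port-unreachable'

SAMPLE_NO_BLOCK='-P FORWARD ACCEPT
-A FORWARD -s 192.168.1.100/32 -p udp -m multiport --dports 443 -j ACCEPT'

# audit_forward NAS_IP   (rule listing on stdin)
# Exit status: 0 = blocks present and every ACCEPT pinned to a destination,
#              1 = blocks present but an ACCEPT allows any destination,
#              2 = a catch-all UDP or TCP block for the NAS is missing.
audit_forward() {
    awk -v nas="$1" '
    $1 != "-A" { next }                 # skip chain policy lines
    {
        src = dst = proto = target = ""; ports = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--dports" || $i == "--sports" || $i == "--dport" || $i == "--sport") ports = 1
        }
        sub(/\/32$/, "", src)
        if (src != nas) next            # only rules that match the NAS as source
        if (target == "ACCEPT") {
            if (dst == "") { print "WARN unpinned ACCEPT: " $0; unpinned = 1 }
            else print "OK   pinned ACCEPT to " dst
        } else if (target == "REJECT" || target == "DROP") {
            if (proto == "udp" && !ports && dst == "") udp_block = 1
            if (proto == "tcp") tcp_block = 1
        }
    }
    END {
        if (!udp_block) print "FAIL no catch-all UDP block for " nas
        if (!tcp_block) print "FAIL no TCP block for " nas
        if (!udp_block || !tcp_block) exit 2
        exit (unpinned ? 1 : 0)
    }'
}

# Demo on the constructed samples; on a router: iptables -S FORWARD | audit_forward 192.168.1.100
for sample in "$SAMPLE_UNPINNED" "$SAMPLE_PINNED" "$SAMPLE_NO_BLOCK"; do
    printf '%s\n' "$sample" | audit_forward 192.168.1.100 || echo "  -> exit status $?"
done
```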
  5. NOTICE to the Moderator: PLEASE MOVE TO THE RIGHT FORUM

     Hello, I want to make a thread about split tunneling through a specific user. I figured out how it works and want to share it. I use Debian 8/9 but it should work with other distros too.

     OpenVPN split tunnel through user, Debian 8 & 9 based

     Install openvpn from apt or install it via source:

         apt-get update -y && apt-get upgrade -y && apt-get install openvpn htop nload dstat sudo apt-utils iptables curl resolvconf -y
         nano /etc/systemd/system/openvpn@openvpn.service

     Config:

         [Unit]
         Description=OpenVPN connection to %i
         Documentation=man:openvpn(8)
         Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
         Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
         After=network.target

         [Service]
         RuntimeDirectory=openvpn
         PrivateTmp=true
         KillMode=mixed
         Type=forking
         ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
         PIDFile=/run/openvpn/%i.pid
         ExecReload=/bin/kill -HUP $MAINPID
         WorkingDirectory=/etc/openvpn
         Restart=on-failure
         RestartSec=3
         ProtectSystem=yes
         LimitNPROC=10
         DeviceAllow=/dev/null rw
         DeviceAllow=/dev/net/tun rw

         [Install]
         WantedBy=multi-user.target

     Enable service:

         systemctl enable openvpn@openvpn.service

     Download AirVPN/OpenVPN config and paste it in there:

         nano /etc/openvpn/openvpn.conf

     Add this to the config:

         nobind
         script-security 2
         route-noexec
         up /etc/openvpn/iptables.sh
         down /etc/openvpn/update-resolv-conf

     Change DNS:

         nano /etc/openvpn/update-resolv-conf

         foreign_option_1='dhcp-option DNS AIRVPN DNS1'
         foreign_option_2='dhcp-option DNS AIRVPN DNS2'
         foreign_option_3='dhcp-option DNS 1.1.1.1'

     Add user and group:

         adduser --disabled-login vpn
         usermod -aG vpn XXX
         usermod -aG XXX vpn

     Iptables flush & rules:

         iptables -F
         iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
         apt-get install iptables-persistent -y
         nano /etc/openvpn/iptables.sh

     Change INTERFACE, VPNUSER, LOCALIP and NETIF.

     Script:

         #! /bin/bash

         export INTERFACE="tun0"
         export VPNUSER="vpn"
         export LOCALIP="192.168.1.130"
         export NETIF="eth0"

         # flushes all the iptables rules, if you have other rules to use then add them into the script
         iptables -F -t nat
         iptables -F -t mangle
         iptables -F -t filter

         # mark packets from $VPNUSER
         iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
         iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
         iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
         iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
         iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
         iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

         # allow responses
         iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

         # block everything incoming on $INTERFACE to prevent accidental exposing of ports
         iptables -A INPUT -i $INTERFACE -j REJECT

         # let $VPNUSER access lo and $INTERFACE
         iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
         iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

         # all packets on $INTERFACE needs to be masqueraded
         iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE

         # reject connections from predator IP going over $NETIF
         iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT

         # Start routing script
         /etc/openvpn/routing.sh

         exit 0

     Then:

         chmod +x /etc/openvpn/iptables.sh
         nano /etc/openvpn/routing.sh

     Change ifconfig to ip if your OS doesn't support ifconfig anymore, or install it:

         apt install net-tools

     Change VPNIF and VPNUSER if needed.

     Script:

         #! /bin/bash

         VPNIF="tun0"
         VPNUSER="vpn"
         GATEWAYIP=`ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1`

         if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
             ip rule add from all fwmark 0x1 lookup $VPNUSER
         fi

         ip route replace default via $GATEWAYIP table $VPNUSER
         ip route append default via 127.0.0.1 dev lo table $VPNUSER
         ip route flush cache

         # run update-resolv-conf script to set VPN DNS
         /etc/openvpn/update-resolv-conf

         exit 0

     Then:

         chmod +x /etc/openvpn/routing.sh
         nano /etc/iproute2/rt_tables

     Add:

         200 vpn

     Edit vpn filter:

         nano /etc/sysctl.d/9999-vpn.conf

     Add (replace XXXXXX with your eth/wireless interface):

         net.ipv4.conf.all.rp_filter = 2
         net.ipv4.conf.default.rp_filter = 2
         net.ipv4.conf.XXXXXX.rp_filter = 2
         net.ipv6.conf.all.rp_filter = 2
         net.ipv6.conf.default.rp_filter = 2
         net.ipv6.conf.XXXXXX.rp_filter = 2

     Apply rules and show status:

         sysctl --system
         service openvpn status

     Test it:

         IP:  sudo -u vpn -i -- curl ipinfo.io
         DNS: sudo -u vpn -i -- cat /etc/resolv.conf

     Enjoy
  6. Initially you should have router with OpenWRT firmware with OpenVPN client enabled. The main page of the firmware is http://openwrt.org

     Router, flashed with OpenWRT firmware image, initially accepts connection only by telnet, so you should connect to it by telnet to the IP 192.168.1.1 and change root password with command "passwd". After this command it accepts connection via ssh.

     By default openvpn isn't included in the firmware image, so you should install it by use of opkg:

         # opkg update
         # opkg install openvpn-openssl

     You can also install luci-component of openvpn configuration, but it is optional:

         # opkg install luci-app-openvpn

     You can also build firmware image with openvpn. Good manual of general OpenVPN client configuration you can find on the page https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client
     We will follow it with modifications, specific for AirVPN.

     After openvpn installation you can make it autostarting when router starts:

         # /etc/init.d/openvpn enable

     Download configuration files needed for OpenVPN connection via tool on the link https://airvpn.org/generator
     Choose "Linux", and further options. Notice that there is amount of different options like country, protocol, and port number. In the result you get one or more OpenVPN configuration files with extension "ovpn", possibly in archive. File name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn": "America" means America, "UDP" means UDP protocol, and "443" means port number. We will use this file for example, other files are treated similarly.

     Comment with "#" the option "explicit-exit-notify 5" in the file, because OpenVPN client in OpenWRT doesn't recognize it. In result the line should start with "#": "# explicit-exit-notify 5".
     Copy the file "AirVPN_America_UDP-443.ovpn" with pscp or WinSCP programs in Windows, scp command in Linux to /etc/openvpn/ folder of router filesystem. In case of copy problems you should force using exactly scp protocol (it also can use sftp).

     The file itself contains contents of file "ca.crt" between tags "<ca>" and "</ca>", "user.crt" between tags "<cert>" and "</cert>", "user.key" between tags "<key>" and "</key>", and contents of file "ta.key" between tags "<tls-auth>" and "</tls-auth>". You can create separate files "ca.crt", "user.crt", "user.key", and "ta.key" with corresponding content excluding tags, in the same folder, and replace tags with content in original file with following strings:

         ca ca.crt
         cert user.crt
         key user.key
         tls-auth ta.key 1

     Notice that contents of all files for different OpenVPN configuration files are identical. In other words, the significant difference of OpenVPN configuration files is string, containing server address and port, beginning with the word "remote".

     Configuration of OpenVPN using the file "AirVPN_America_UDP-443.ovpn" could be implemented by two ways.

     1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by extension.

     2) Specify file name in /etc/config/openvpn. You can use uci:

         # uci set openvpn.airvpn=openvpn
         # uci set openvpn.airvpn.enabled='1'
         # uci set openvpn.airvpn.config='/etc/openvpn/AirVPN_America_UDP-443.ovpn'
         # uci commit openvpn

     The file /etc/config/openvpn should contain following appended strings:

         config openvpn 'airvpn'
             option enabled '1'
             option config '/etc/openvpn/AirVPN_America_UDP-443.ovpn'

     You can also change extension of the file "ovpn" to "conf", and specify it in the file /etc/config/openvpn, in this case OpenVPN will start with this configuration file just once.

     You can also manually specify parameters specific for OpenVPN-connection in the file /etc/config/openvpn.
     In this case you don't need the file "AirVPN_America_UDP-443.ovpn", because all necessary parameters from it are specified explicitly. However, it is tiresome.

     Create new network interface:

         # uci set network.airvpntun=interface
         # uci set network.airvpntun.proto='none'
         # uci set network.airvpntun.ifname='tun0'
         # uci commit network

     The file /etc/config/network should contain following appended strings:

         config interface 'airvpntun'
             option proto 'none'
             option ifname 'tun0'

     Create new firewall zone and add forwarding rule from LAN to VPN:

         # uci add firewall zone
         # uci set firewall.@zone[-1].name='vpnfirewall'
         # uci set firewall.@zone[-1].input='REJECT'
         # uci set firewall.@zone[-1].output='ACCEPT'
         # uci set firewall.@zone[-1].forward='REJECT'
         # uci set firewall.@zone[-1].masq='1'
         # uci set firewall.@zone[-1].mtu_fix='1'
         # uci add_list firewall.@zone[-1].network='airvpntun'
         # uci add firewall forwarding
         # uci set firewall.@forwarding[-1].src='lan'
         # uci set firewall.@forwarding[-1].dest='vpnfirewall'
         # uci commit firewall

     To prevent traffic leakage outside the VPN-tunnel you should remove forwarding rule from lan to wan. In default configuration there is single forwarding rule, so the command is:

         # uci del firewall.@forwarding[0]

     You can also set "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is:

         # uci set firewall.@zone[1].masq=0

     After configuration you should commit changes:

         # uci commit firewall

     The file /etc/config/firewall should contain following appended strings:

         config zone
             option name 'vpnfirewall'
             option input 'REJECT'
             option output 'ACCEPT'
             option forward 'REJECT'
             option masq '1'
             option mtu_fix '1'
             list network 'airvpntun'

         config forwarding
             option src 'lan'
             option dest 'vpnfirewall'

     Now we should configure DNS servers. The simplest approach is to use public DNS for WAN interface of router.
     You can add OpenDNS:

         # uci set network.wan.peerdns='0'
         # uci del network.wan.dns
         # uci add_list network.wan.dns='208.67.222.222'
         # uci add_list network.wan.dns='208.67.220.220'
         # uci commit

     The file /etc/config/network should contain section 'wan' with following strings (three bottom strings has been appended):

         config interface 'wan'
             option ifname 'eth0.2'
             option force_link '1'
             option proto 'dhcp'
             option peerdns '0'
             list dns '208.67.222.222'
             list dns '208.67.220.220'

     You can also add GoogleDNS:

         # uci set network.wan.peerdns='0'
         # uci del network.wan.dns
         # uci add_list network.wan.dns='8.8.8.8'
         # uci add_list network.wan.dns='8.8.4.4'
         # uci commit

     The appended strings should be similar to previous one.

     To prevent traffic leakage in case VPN-tunnel drops you should edit the file /etc/firewall.user with following content:

         # This file is interpreted as shell script.
         # Put your custom iptables rules here, they will
         # be executed with each firewall (re-)start.

         # Internal uci firewall chains are flushed and recreated on reload, so
         # put custom rules into the root chains e.g. INPUT or FORWARD or into the
         # special user chains, e.g. input_wan_rule or postrouting_lan_rule.

         if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
             iptables -I forwarding_rule -j REJECT
         fi

         if (! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT); then
             iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
         fi

     You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:

         #!/bin/sh

         if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
             iptables -D forwarding_rule -j REJECT
         fi

         if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
             iptables -I forwarding_rule -j REJECT
         fi

     In some cases openvpn hangs with log message like (couldn't resolve host ...). In this case tunnel stays up, but connection is lost.
     It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:

         /etc/openvpn/reconnect.sh &

     The content of script reconnect.sh is like:

         #!/bin/sh

         n=10
         while sleep 50; do
             t=$(ping -c $n 8.8.8.8 | grep -o -E '\d+ packets r' | grep -o -E '\d+')
             if [ "$t" -eq 0 ]; then
                 /etc/init.d/openvpn restart
             fi
         done
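Added example, not from the post above: a POSIX shell function that performs the manual edits the guide describes on a generated .ovpn file, moving the inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks into ca.crt, user.crt, user.key and ta.key, commenting out `explicit-exit-notify`, and writing the result as a .conf file with owner-only permissions. The function names and the sample file contents are constructed; the function fails if an inline block is never closed.

```shell
#!/bin/sh
# make_sample_ovpn PATH: writes a constructed stand-in for a generated .ovpn file.
make_sample_ovpn() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 443
explicit-exit-notify 5
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-TA-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# split_ovpn SRC.ovpn OUTDIR
# Runs in a subshell so the restrictive umask does not leak into the caller.
split_ovpn() (
    src=$1; out=$2
    umask 077                       # key material and config readable by owner only
    mkdir -p "$out" || exit 1
    awk -v out="$out" '
    BEGIN {
        file["ca"] = "ca.crt";    file["cert"] = "user.crt"
        file["key"] = "user.key"; file["tls-auth"] = "ta.key"
    }
    cur != "" {                     # inside an inline block: copy until its closing tag
        line = $0; sub(/[ \t\r]+$/, "", line)
        if (line == "</" cur ">") { close(path); cur = ""; next }
        print line > path
        next
    }
    /^<[a-z-]+>[ \t\r]*$/ {
        tag = $0; gsub(/[<> \t\r]/, "", tag)
        if (tag in file) {
            cur = tag; path = out "/" file[tag]
            printf "" > path        # create or truncate the target file
            suffix = (tag == "tls-auth") ? " 1" : ""
            print tag " " file[tag] suffix
            next
        }
    }
    /^[ \t]*explicit-exit-notify/ { print "# " $0; next }
    { print }
    END {
        if (cur != "") {
            print "unterminated <" cur "> block in input" > "/dev/stderr"
            exit 1
        }
    }
    ' "$src" > "$out/$(basename "$src" .ovpn).conf"
)

# Demo on the constructed sample
demo=$(mktemp -d)
make_sample_ovpn "$demo/AirVPN_America_UDP-443.ovpn"
split_ovpn "$demo/AirVPN_America_UDP-443.ovpn" "$demo/out" &&
    cat "$demo/out/AirVPN_America_UDP-443.conf"
rm -rf "$demo"
```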
  7. Hi, I have installed dd-wrt on a Netgear R6400. I followed the official guide for configuring AirVPN on it, and the problem is that I'm getting maximum speeds of 10-17mbps instead of around 70mbps. Are my settings fine? What could I try? Thanks
  8. Hey there! I have a question regarding the creation of an openvpn config through this site's config generator in the client area. I can create one but what I want is a way to have the same or similar settings as my Eddie AirVPN application on windows PCs. Specifically the section in preferences (inside Eddie) Tor/Proxy. Mine is set to default Tor settings with 9150 as port, empty login info and when tested it's successful. Now why I need this openvpn config is for use on a tablet/phone. Can anyone provide information to help me create a new ovpn file with the same Tor safeguards as are available in the Eddie GUI on PC. Thank you for any help you can provide me. -T
  9. When using newly generated .ovpn files in Tunnelblick I keep seeing this... Warning: This VPN may not connect in the future. The OpenVPN configuration file for 'AirVPN_Europe_UDP-443' contains these OpenVPN options: • 'comp-lzo' was deprecated in OpenVPN 2.4 and has been or will be removed in a later version You should update the configuration so it can be used with modern versions of OpenVPN. Tunnelblick will use OpenVPN 2.4.7 - OpenSSL v1.0.2r to connect this configuration. However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.
  10. To connect I usually just download an .ovpn file and type in terminal "sudo openvpn <.ovpn file>" and the connection works. Or I go to gnome connection manager and "import saved configuration", import the .ovpn file and use that to connect graphically. However, I have noticed other vpn providers only provide these .ovpn files for Android. For ubuntu linux setups they recommend manually importing the certificates and changing the settings in the advanced settings manually. Is there a difference in these methods? Is one method more secure? Is it okay to just import a whole saved configuration from an .ovpn file for ubuntu linux, rather than manually entering the certificate etc.?
  11. Goal

We want to use AirVPN's SSL tunneling mode on Android. SSL tunneling can be very useful, especially to defeat firewalls that block OpenVPN or SSH on a protocol level. We will use the Termux Terminal Emulator to install and run stunnel and OpenVPN for Android to manage the OpenVPN connection.

Requirements

  • Android 6.0 or newer (5.0 and derivatives thereof such as FireOS should work too)
  • the Android device does not have to be rooted
  • Google PlayStore or the free & open source F-Droid market (recommended)
  • OpenVPN for Android (FOSS) – or Air's official Eddie Android Edition. Please stay tuned for future Eddie releases as they may include native SSL tunnel support (which would make this cumbersome guide unnecessary)
  • Termux Terminal Emulator (FOSS)
  • stunnel (FOSS), via Termux repository
  • a separate computer to download/edit the config files (entirely optional, but recommended)

Setup instructions

Part 1: generate AirVPN config files

1/7: open AirVPN's config generator. When asked for your operating system, pick Linux:

2/7: Choose servers: Pick a single server. Do not select more than one. Do not select a whole region.

3/7: Protocols: First, enable Advanced Mode: Now select the SSL mode, port 443:

4/7: Accept Terms of Service and generate the config files:

5/7: Download the generated zip archive:

6/7: unzip AirVPN.zip and open the *.ssl file in a text editor. Find this line:

    pid = /tmp/stunnel4.pid

replace it with:

    pid = /data/data/com.termux/files/home/stunnel4.pid

7/7: Now transfer the AirVPN folder to your phone's sdcard / main storage directory. For ease of use, don't put it into any subdirectories. Instead, put it into your "root" storage directory, meaning on the same level as your other default Android folders such as Documents, Download and Movies.

Part 2: Install and prepare Android software

1/3: Install OpenVPN for Android, via F-Droid or Play Store. Don't configure anything just yet.

2/3: Install Termux Terminal Emulator, via F-Droid or PlayStore

  • open Termux and run: termux-setup-storage
  • Allow Termux to access files on your device. (Android 8.0 Oreo users, please read the note at the end of this tutorial).
  • The pkg command is used to install and update software packages. Make sure your base packages are all up to date: pkg upgrade
  • now install stunnel: pkg install stunnel

3/3: Still in Termux, jump to the AirVPN folder you copied to your phone: cd storage/shared/AirVPN

  • The command ls should list 3 files:
      • AirVPN*.ovpn (the OpenVPN config file)
      • AirVPN*.ssl (the stunnel config file)
      • stunnel.crt (stunnel certificate)
  • Now start stunnel: stunnel AirVPN*.ssl
  • press the Home button to get out of Termux.
  • Start OpenVPN and import the AirVPN*.ovpn config file
  • Edit your new OpenVPN connection (tap the "pencil button")
  • in the ALLOWED APPS tab, tick the box next to Termux
  • return to OpenVPN's connection list
  • your VPN connection is now configured. A tap on its name will establish the connection.
  • verify that a connection has been established by looking for the log entry Initialization Sequence Completed
  • browse to ipleak.net (or any similar site) to verify that your traffic is indeed routed through the VPN tunnel

Here's a short video, demonstrating the steps above: https://vimeo.com/246306477

Part 3: Usage instructions

Now that everything is configured, future usage will be much easier:

  • open Termux
  • navigate to your AirVPN folder: cd storage/shared/AirVPN
  • now run stunnel: stunnel AirVPN*.ssl
  • Press the Home button and open the OpenVPN app
  • Connect to your VPN profile

Addendum: Tips

  • as an alternative to OpenVPN for Android, you can also use Air's official Eddie Android edition. Don't forget to dive into Eddie's settings to exclude ("blacklist") Termux from the VPN tunnel.
  • don't forget to periodically run pkg upgrade to keep all of Termux' packages, including stunnel, up-to-date.
  • To prevent leaks, it's recommended to let OpenVPN set the default route for both IPv4 and IPv6, as well as disabling the LAN bypass:
  • you may want to take a look at Termux:Widget (via F-Droid or Play Store). It's an extension to Termux. If you put your stunnel commands into shell scripts, stored in ~/.shortcuts/ , you can launch them via Home screen widgets.
  • enable Termux' extended keyboard by sliding out the left-side menu and long-pressing the KEYBOARD button. This will enable a row of additional keys, such as CTRL, ALT and TAB which are very useful in a terminal environment -- especially the TAB key, allowing you to autocomplete command and path names. Here's a short video on Vimeo demonstrating the extended keyboard.
  • you may generate config files for as many servers as you like, put them into your AirVPN folder on your phone and add the *.ovpn profiles to OpenVPN.
  • you may want to consider AFWall+ for additional firewalling (root required)
  • it is recommended to move the *.ssl and stunnel.crt files out of Android's shared storage and into Termux' private data directory, while also deleting the no longer needed *.ovpn file:

    cd ~
    mkdir st
    cd storage/shared/AirVPN
    cp *.ssl stunnel.crt ~/st
    rm *.ssl stunnel.crt *.ovpn

Moving those files obviously changes the paths of your Termux commands. Instead of running:

    cd storage/shared/AirVPN
    stunnel AirVPN*.ssl

You'd now need to run:

    cd ~/st
    stunnel AirVPN*.ssl

Addendum: Caveats

Following this tutorial will add the Termux app to OpenVPN's exclusion list, allowing it to connect to the VPN server. But this also means that anything else you may do via Termux will also bypass the VPN tunnel. If you need a VPN-tunneled terminal app, I recommend using Termux only to run stunnel; using another terminal emulator app for your other tasks.

Addendum: Testing and bugs

This tutorial has been tested on:

  • Stock Android 6.0
  • Stock Android 7.0
  • Stock Android 8.0
  • LineageOS 14.1 (~ Android 7.1.x)
  • Fire OS 5.6.0.0 (~ Android 5.x), testing done by user steve74it

Important Notice for Android 8.0+ (Oreo) users: The command termux-setup-storage does not work (yet). Instead, follow this workaround to access storage: https://github.com/termux/termux-app/issues/157#issuecomment-246659496 The workaround will no longer be necessary once this bug is resolved: https://github.com/termux/termux-packages/issues/1578

EDIT LOG

  • Thu Dec 7 20:24 UTC 2017: initial release
  • Thu Dec 7 20:40 UTC 2017: formatting corrections
  • Thu Dec 7 20:58 UTC 2017: spelling
  • Fri Dec 8 18:47 UTC 2017: add recommended route settings. credit and thanks to Darkspace-Harbinger
  • Fri Jan 5 17:30 UTC 2018: add note that this guide is functional on FireOS 5.6 (Android 5.x). testing done by user steve74it, thank you!
  • Mon Jan 22 18:34 UTC 2018: add mikevvl's security tip to move files out of shared storage. thank you!
  • Sun Jul 15 12:16 UTC 2018: recommend against alternative VPN apps (thanks steve74it)
  • Tue Jul 17 12:20 UTC 2018: mention Eddie compatibility (thanks steve74it)

Any corrections, further testing, as well as general suggestions for improvement would be much appreciated.
  12. This is only a solution for people in their home country willing/wanting to bypass the VPN to access their Netflix account. Does not help for out-of-country Netflix access. I was surprised to not see this in the forum, as it's very simple and works. It is a very short script added to the Custom Configuration which pulls the current IP addresses for a domain name (Netflix.com, Hulu.com) and routes those addresses "around" the VPN.

    allow-pull-fqdn
    route www.netflix.com 255.255.255.255 net_gateway

So far I've been using this for a day, and had to restart things one time to get it to pick up new addresses. I would like to find a way to run this at regular intervals to add to the IP list (without duplicating addresses already in the list).
  13. heyhey, i'm having trouble setting up an ipv6 vpn connection with the (manjaro/arch) linux "network-manager". when i want to set up an ipv4 connection, i go to the "client area" on airvpn.org, start the "config generator", check "advanced" and then set:

  • OS: Linux
  • OpenVPN version >= 2.4
  • Need IPv6?: "IPv4 only"
  • Protocol: UDP | Port: 443 | Entry IP: 1
  • In the advanced section i check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file"
  • Server: xxx

i then generate the config and download all the files into a new/empty folder. afterwards i start the network-manager connection editor's gui ($ nm-connection-editor), click the "+" button, select "import a saved vpn configuration", click "create", navigate to the folder with the config and key files, select the "xxx.ovpn" file and then just click "save", since the nm-connection-editor automatically sets up the right key files etc. in this case everything works as expected.

HOWEVER if i try to do the same with an IPv6 config file ("Need IPv6?" set to "IPv4 & IPv6 (connect with IPv6)" - all other settings the same) i get an error when trying to "import a saved vpn configuration" with the nm-connection-editor. when i open the "xxx.ovpn" file with a text editor and change the line "proto udp6" (this is the line before "tls-auth 'ta.key' 1") to "proto udp", i can import without the error message, however the connection is not working afterwards. do you have any ideas what i could do differently? should i set up the connection manually? thanks in advance!
  14. I always get this error no matter what:

    Sat Dec 2 19:17:00 2017 daemon.err openvpn(LA_VPN)[4922]: Options error: specify only one of --tls-server, --tls-client, or --secret
    Sat Dec 2 19:17:00 2017 daemon.warn openvpn(LA_VPN)[4922]: Use --help for more information.

Screenshots are attached, OpenVPN version is 2.4.4-2, is there anything I can do to fix this through LuCI?
  15. I'm personally not a huge fan of it. Don't get me wrong, it did need a bit of an update, but imo it looks too Android-like now and I seem to have to tap more to get to where I want, such as to see the statistics.
  16. When using VPN on Linux with openvpn I get 3 DNS addresses on ipleak.net: 1. AirVPN server exit IPv4, 2. AirVPN server exit IPv6 and 3. the residential address of my ISP. Note: This is not my own home IP, but rather the one of my ISP. Should I be worried? IPv6 is disabled.
  17. Hi, I am using open vpn on a dd-wrt router. The non vpn connection is 100mbit and I get 70 to 80mbit without issue. With AirVPN I am getting 15mbit down and 5mbit up. Is this normal? I am sure a while ago I was getting 10mbit down. Thanks.
  18. Hello, I've been trying to connect to AirVPN on my Raspberry Pi running Raspbian Stretch (which is pretty much Debian Stretch). I've generated a .ovpn file here and have simply typed the command:

    sudo openvpn --config AirVPN_Sweden.ovpn

However, when I do this, it sits there for ages on the following. I don't know if this means it's done or not (XXX to remove an address I think is sensitive):

    Sun Jun 24 10:47:43 2018 /sbin/ip addr add dev tun1 10.10.136.46/24 broadcast 10.10.136.255
    Sun Jun 24 10:47:49 2018 /sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.0.1
    Sun Jun 24 10:47:49 2018 /sbin/ip route add 0.0.0.0/1 via 10.10.136.1
    Sun Jun 24 10:47:49 2018 /sbin/ip route add 128.0.0.0/1 via 10.10.136.1
    Sun Jun 24 10:47:49 2018 Initialization Sequence Completed

If I Ctrl+Z then bg to get control of my shell back, I then can't ping anything external at all using either a URL or an IP address. The top of my .ovpn file is as follows:

    client
    dev tun
    remote se.vpn.airdns.org 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    auth-nocache
    route-delay 5
    verb 3
    explicit-exit-notify 5
    remote-cert-tls server
    cipher AES-256-CBC
    comp-lzo no
    proto udp
    key-direction 1
    <ca>
    -----BEGIN CERTIFICATE-----
    .....

What am I doing wrong? (Please note: I've flushed iptables and 127.0.0.1 resolves to localhost in the hosts file.)
  19. Hi all, i have some issues with my openvpn for android client. i followed the instructions in the how-to section to set up openvpn for android. everything worked fine but: first issue: i get reconnects every few minutes, and second issue: when i check for dns leaks on ipleak.net everything looks smooth. no leak. i see the airvpn exit ip and airvpn dns. but when i visit airvpn.org i see my real ipv6 address at the top of the site. can someone tell me how to solve these errors? regards
  20. Hello forum! I've used OpenVPN on an Asus RT-N18U running DD-WRT for over a year now. I made the files up.sh to start and dn.sh to stop OpenVPN to get rid of the GUI and later on to run them via ssh from lan. The OpenVPN version got updated to 2.4 and I made the necessary changes to the conf file and scripts. It ran without issues for a couple of months. However, last Thursday my VPN connection went down while I was just browsing the interwebs. The OpenVPN log was filled with messages: Recursive routing detected, drop tun packet to [AF_INET]62.102.148.132:443. There's no difference if I set up OpenVPN via GUI or use only my scripts. I've tried both UDP and TCP protocols but the issue persists. The outcome is always the same. Since then I've contacted AirVPN support as I cannot fix this by myself. I don't have the skills for that and I've tried my everything. As you may notice I feel desperate.

EDIT: Here was a zip-file including kernel and ip routing tables, scripts, openvpn.conf file and OpenVPN log. I've censored my IP-address and tun1 IP from the files. All I found out is that the router for some reason removes the line 62.102.148.132 via 84.xx.xx.xx dev vlan2 from the routing table. You can see the difference between before-error_ip-route.txt and after-error_ip-route.txt. DD-WRT seems to think that the fastest route outside is only via tun1 as the VPN endpoint IP is in the same location as the tun1 IP-address. Just a guess, might be totally wrong. Then it removes the previously mentioned routing rule and creates a loop. If I use the allow-recursive-routing option in the OpenVPN configuration, after a while the log begins to spam "UDP messages too big" or something like that. I hadn't done any changes to DD-WRT settings, configuration files or script files. Recursive routing just popped up from nowhere. The router is being used as a gateway and WiFi AP only. All I've done is I moved to a new apartment which has a different IP-address provided by the same ISP. That might not affect anything, just FYI.

I really hope someone could help me with this. Thanks.

Update: Turns out my ISP assigns a new IP-address every 20 minutes and almost every service on DD-WRT restarts, which makes everything kind of frustrating to config...
  21. Hi, I would like to use AirVPN on my Android device but am concerned about leaking. I have seen some posts on here about using AfWall+ and was wondering if this is the best way to go. Android now also natively has a kind of Network Lock feature. But then there is also the boot leak (discussed here, along with providing a userinit script for droidwall to disable network connectivity during boot and also a script to prevent Google portal capture during wifi connection: https://blog.torproject.org/mission-impossible-hardening-android-security-and-privacy). My thinking is to use OpenVPN on the latest Lineage OS and would appreciate any assistance on the matter. Thank you.
  22. Apparently it is as easy as adding the following to the client/server OVPN files: http://my.host.net.nz/2014/04/12/adding-perfect-forward-secrecy-to-openvpn/

Create a common private key, e.g.

    openvpn --genkey --secret /path/to/store/pfs.key

Securely distribute this key to each OpenVPN client, then add the following to the server

    tls-server
    tls-auth /path/to/store/pfs.key 0

and this to each client

    tls-client
    tls-auth /path/to/store/pfs.key 1

Without this, using OpenVPN standalone will lack some essential security features.
  23. Eddie IS without a doubt leaking lastpass connections to the web through the vpn. Eddie is still using the 2.4.3 client; though seeing eddie is a big program it could be some other function of Eddie. Using OpenVPN 2.4.5 solves this leakage. So, OpenVPN 2.4.5 it is. Here is a screenshot of the leak inside Wireshark. https://ibb.co/jgdQqH https://image.ibb.co/gzbBVH/Leaks_using_Eddie.png
  24. Initially you should have a router with Padavan's firmware with the OpenVPN client enabled. The main page of the firmware is https://bitbucket.org/padavan/rt-n56u There is also the script Prometheus, which was developed to simplify the compilation process and to expand the list of supported devices: http://prometheus.freize.net

Log in to your router via the web interface. By default it has the LAN address 192.168.1.1 Go to the VPN Client item of the main menu with the corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg). Toggle the switch "Enable VPN Client", then fill in the forms as shown on Scr1.png

You can use servers specified in OpenVPN configuration files with the extension "ovpn". Download the configuration files needed for the OpenVPN connection via the tool at the link https://airvpn.com/generator Choose "Linux", and further options. Notice that there are a number of different options like country, protocol, and port number. As a result you get one or more OpenVPN configuration files with the extension "ovpn", possibly in an archive. The file name in the archive defines country or region, number, protocol and port. For example, consider the file "AirVPN_America_UDP-443.ovpn": "America" means America, "UDP" means UDP protocol, and "443" means port number. We will use this file as an example, other files are treated similarly.

The line containing the server address begins with the word "remote". In the example it is "remote america.vpn.airdns.org 443". The last numerical value is the port number. On the screen the example of the UDP protocol is shown. To use the TCP protocol, change the field "Port" to the corresponding port number and "Transport" to TCP. The protocol is also specified in the line beginning with "proto". You can leave OpenVPN Extended Configuration as it is; you can also comment out the line "ns-cert-type server" with a leading "#".

Go down and fill in the forms as shown on Scr2.png, and press the "Apply" button. In the example there is the option not to obtain DNS from the VPN server. It is assumed that the WAN of the router was configured to use OpenDNS (208.67.222.222, 208.67.220.220) or GoogleDNS (8.8.8.8, 8.8.4.4). There is also an option to specify DNS for LAN clients (Advanced Settings -> LAN -> tab DHCP server, http://192.168.232.1/Advanced_DHCP_Content.asp, http://my.router/Advanced_DHCP_Content.asp). However, you can set this option to obtain DNS from the VPN server ("Add to existing list" or "Replace all existing").

Pay special attention to the item Restrict Access from VPN Server Site. The item controls access to the router from the Internet via the tunnel. The safest option, as shown on Scr2.png, is Yes, block all connections (site is foreign). If you choose No (Site-to-Site), using NAT translation, TOTAL ACCESS TO ROUTER INCLUDING MANAGEMENT - HTTP, HTTPS, AND SSH WILL BE GRANTED FROM INTERNET VIA TUNNEL.

Go to the tab "OpenVPN Certificates & Keys" with the corresponding link http://192.168.1.1/vpncli.asp#ssl (http://my.router/vpncli.asp#ssl), and copy the content between the tags "<ca>" and "</ca>" to the field "ca.crt", the content between the tags "<cert>" and "</cert>" to the field "client.crt", the content between the tags "<key>" and "</key>" to the field "client.key", the content between the tags "<tls-auth>" and "</tls-auth>" to the field "ta.key", and press the "Apply" button, as shown on Scr3.png Tags are always excluded from the contents.

Now your router should successfully connect to the VPN server. You can check it by the white word "Connected" in the green rectangle to the right of the VPN server address on the VPN Client item of the main menu with the corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), as shown on Scr1.png You can also visit a site displaying your IP address, e.g. https://ipleak.net After a positive result you should make your changes permanent.
You can do it in three ways:

  • run the console command "mtd_storage.sh save";
  • on the page Advanced Settings -> Administration -> Settings with the corresponding link http://192.168.1.1/Advanced_SettingBackup_Content.asp (http://my.router/Advanced_SettingBackup_Content.asp) press the button "Commit" to the right of the item "Commit Internal Storage to Flash Memory Now";
  • reboot the router by pressing the Reboot button to the right of the "Logout" button.

To sum up, the files corresponding to the filled fields are stored in the directory /etc/storage/openvpn/client, and the resulting OpenVPN configuration file is stored in the directory /etc/openvpn/client.

To prevent traffic leakage in case the VPN tunnel drops, you should edit the contents of the item "Run the Script After Connected/Disconnected to VPN Server" on the VPN Client item of the main menu with the corresponding link http://192.168.1.1/vpncli.asp#cfg (http://my.router/vpncli.asp#cfg), which is shown on Scr2.png, to add lines to the functions func_ipup and func_ipdown; the resulting content should be as in the file /etc/storage/vpnc_server_script.sh By the way, it is the same file where the form content is saved.

You should also block traffic until the tunnel is up. To do it, edit the form "Run After Firewall Rules Restarted" on the page Advanced Settings -> Customization -> Scripts with the corresponding link http://192.168.1.1/Advanced_Scripts_Content.asp (http://my.router/Advanced_Scripts_Content.asp); the resulting content should be as in the file /etc/storage/post_iptables_script.sh Additional lines serve to remove the SNAT target. Finally you should make your changes permanent in the same way as was discussed before.

vpnc_server_script.sh:

    #!/bin/sh

    ### Custom user script
    ### Called after internal VPN client connected/disconnected to remote VPN server
    ### $1        - action (up/down)
    ### $IFNAME   - tunnel interface name (e.g. ppp5 or tun0)
    ### $IPLOCAL  - tunnel local IP address
    ### $IPREMOTE - tunnel remote IP address
    ### $DNS1     - peer DNS1
    ### $DNS2     - peer DNS2

    # private LAN subnet behind a remote server (example)
    peer_lan="192.168.9.0"
    peer_msk="255.255.255.0"

    ### example: add static route to private LAN subnet behind a remote server

    func_ipup()
    {
    #  route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
       # unblock traffic if blocking rule exists
       if iptables -C FORWARD -j REJECT; then
          iptables -D FORWARD -j REJECT
       fi
       return 0
    }

    func_ipdown()
    {
    #  route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
       # block traffic leakage in case of tunnel drops
       if (! iptables -C FORWARD -j REJECT); then
          iptables -I FORWARD -j REJECT
       fi
       return 0
    }

    logger -t vpnc-script "$IFNAME $1"

    case "$1" in
    up)
      func_ipup
      ;;
    down)
      func_ipdown
      ;;
    esac

post_iptables_script.sh:

    #!/bin/sh

    ### Custom user script
    ### Called after internal iptables reconfig (firewall update)

    # prevent traffic leakage while tunnel is not up
    if [ -z "$(ip a s tun0 | grep 'state UP')" ] && (! iptables -C FORWARD -j REJECT); then
       iptables -I FORWARD -j REJECT
    fi

    ipch=$(iptables -t nat -S | grep SNAT | grep -v br0)
    if [ ! -z "$ipch" ]; then
       eval 'iptables -t nat -D'${ipch:2}
    fi
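The copy step in the post above (the content between the tags, tags excluded, into ca.crt, client.crt, client.key and ta.key) can be scripted on the computer where the .ovpn file was downloaded. This is an added example, not part of the original post or of the firmware; the function names and the sample profile with placeholder key material are constructed for illustration, and only the tag names, target file names and the "remote"/"proto" lines come from the post.

```shell
#!/bin/sh
# Added example: split the inline blocks of an .ovpn profile into the four
# files named in the post. All function names are hypothetical.

# Print the lines strictly between <TAG> and </TAG> (tags excluded).
ovpn_block() {  # usage: ovpn_block FILE TAG
    awk -v start="<$2>" -v stop="</$2>" '
        {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)   # ignore indentation and CRLF
        }
        line == stop  { inside = 0 }
        inside        { print line }
        line == start { inside = 1 }
    ' "$1"
}

# Print "host port proto" from the first "remote" line and the "proto" line,
# i.e. the values typed into the router's Port and Transport fields.
ovpn_endpoint() {  # usage: ovpn_endpoint FILE
    awk '
        { sub(/\r$/, "") }
        $1 == "remote" && host == "" { host = $2; port = $3 }
        $1 == "proto"                { proto = $2 }
        END { if (host == "") exit 1; print host, port, proto }
    ' "$1"
}

# Write ca.crt, client.crt, client.key and ta.key into OUTDIR.
# umask 077 keeps the private key and the tls-auth key unreadable for other
# users; a missing block is an error instead of an empty file.
ovpn_split() {  # usage: ovpn_split FILE OUTDIR
    profile=$1 outdir=$2
    ( umask 077
      mkdir -p "$outdir" || exit 1
      for pair in ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key; do
          tag=${pair%%:*} out=${pair#*:}
          ovpn_block "$profile" "$tag" > "$outdir/$out"
          [ -s "$outdir/$out" ] || { echo "missing <$tag> block" >&2; exit 1; }
      done )
}

# Constructed sample profile: placeholders only, no real key material.
make_sample_profile() {  # usage: make_sample_profile PATH
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote america.vpn.airdns.org 443
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-CLIENT-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-TA-KEY-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Demo on the constructed profile.
tmp=$(mktemp -d)
make_sample_profile "$tmp/sample.ovpn"
ovpn_split "$tmp/sample.ovpn" "$tmp/out" && ovpn_endpoint "$tmp/sample.ovpn"
ls -l "$tmp/out"
rm -rf "$tmp"
```

Delete the extracted client.key and ta.key from the computer once they have been pasted into the router form and saved.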
  25. I apologize in advance for such a (I hope) simple problem. I'm trying to start Airvpn on Linux using a config file and the terminal per the instructions in the "how to." It runs, then the last line on the terminal is "Initialization sequence completed." It hangs there with internet dead, and never does anything else. If I Ctrl-C, it continues and terminates whatever it was doing. I've tried this on several systems with the same result. My question is, is there something else I have to do? OpenVPN is installed, is there anything else that has to be there? I'm doing this because there seems to be no other way to start Airvpn on KaOS. Below is the terminal printout. I know this shows that I only gave it less than a minute, but prior attempts on several systems showed that it would never do anything. Thanks, Pete

    [pete@pete-pc Downloads]$ sudo openvpn vpn.ovpn
    Thu Mar 15 16:08:32 2018 OpenVPN 2.4.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 1 2018
    Thu Mar 15 16:08:32 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.10
    Thu Mar 15 16:08:32 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Mar 15 16:08:32 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Mar 15 16:08:32 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.234:443
    Thu Mar 15 16:08:32 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
    Thu Mar 15 16:08:32 2018 UDP link local: (not bound)
    Thu Mar 15 16:08:32 2018 UDP link remote: [AF_INET]104.254.90.234:443
    Thu Mar 15 16:08:32 2018 TLS: Initial packet from [AF_INET]104.254.90.234:443, sid=aa8cd42a 332651f4
    Thu Mar 15 16:08:32 2018 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
    Thu Mar 15 16:08:32 2018 VERIFY KU OK
    Thu Mar 15 16:08:32 2018 Validating certificate extended key usage
    Thu Mar 15 16:08:32 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Thu Mar 15 16:08:32 2018 VERIFY EKU OK
    Thu Mar 15 16:08:32 2018 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
    Thu Mar 15 16:08:33 2018 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Thu Mar 15 16:08:33 2018 [server] Peer Connection Initiated with [AF_INET]104.254.90.234:443
    Thu Mar 15 16:08:34 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Thu Mar 15 16:08:34 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.13.251 255.255.0.0'
    Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: compression parms modified
    Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: route options modified
    Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: route-related options modified
    Thu Mar 15 16:08:34 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Mar 15 16:08:34 2018 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Mar 15 16:08:34 2018 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Mar 15 16:08:34 2018 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Mar 15 16:08:34 2018 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Mar 15 16:08:34 2018 ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=enp10s0 HWADDR=08:62:66:c7:b0:29
    Thu Mar 15 16:08:34 2018 TUN/TAP device tun0 opened
    Thu Mar 15 16:08:34 2018 TUN/TAP TX queue length set to 100
    Thu Mar 15 16:08:34 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Thu Mar 15 16:08:34 2018 /usr/bin/ip link set dev tun0 up mtu 1500
    Thu Mar 15 16:08:34 2018 /usr/bin/ip addr add dev tun0 10.4.13.251/16 broadcast 10.4.255.255
    Thu Mar 15 16:08:40 2018 /usr/bin/ip route add 104.254.90.234/32 via 192.168.1.254
    Thu Mar 15 16:08:40 2018 /usr/bin/ip route add 0.0.0.0/1 via 10.4.0.1
    Thu Mar 15 16:08:40 2018 /usr/bin/ip route add 128.0.0.0/1 via 10.4.0.1
    Thu Mar 15 16:08:40 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Mar 15 16:08:40 2018 Initialization Sequence Completed
    ^CThu Mar 15 16:09:18 2018 event_wait : Interrupted system call (code=4)
    Thu Mar 15 16:09:18 2018 SIGTERM received, sending exit notification to peer
    Thu Mar 15 16:09:23 2018 /usr/bin/ip route del 104.254.90.234/32
    Thu Mar 15 16:09:23 2018 /usr/bin/ip route del 0.0.0.0/1
    Thu Mar 15 16:09:23 2018 /usr/bin/ip route del 128.0.0.0/1
    Thu Mar 15 16:09:23 2018 Closing TUN/TAP interface
    Thu Mar 15 16:09:23 2018 /usr/bin/ip addr del dev tun0 10.4.13.251/16
    Thu Mar 15 16:09:23 2018 SIGTERM[soft,exit-with-notification] received, process exiting