Showing results for tags 'dnsleak'.
Found 10 results
-
How to prevent VPN leakage with OPNsense

In this topic I want to share with you what I've learned regarding the prevention of VPN leakage using OPNsense. This guide assumes you're familiar with OPNsense and you already have a working configuration.

What this howto is about

This howto results in the following:
1. DNS requests are forced to go to the Unbound service on OPNsense and will be TLS encrypted to prevent your ISP logging your DNS traffic.
2. Traffic destined for your AirVPN tunnel is tagged, and any leakage on your normal WAN blocks that traffic.
3. Traffic destined to your WAN interface is kept local.

About my configuration

I run OPNsense as a firewall and NAT router. I have multiple VLANs for specific purposes (LAN, DMZ, IOT, Management, GUEST and dedicated VPN segments). I run multiple OpenVPN instances to several countries; some are set up load balanced or failover with gateway groups. Some of my VMs or containers reside in a VPN network and this is in my opinion the best way to ensure traffic is enforced through VPN. This is one of the reasons I make heavy use of FLOATing rules to minimize the amount of rules needed (which cost CPU time). Most LAN hosts are normally routed through WAN, but specific ones I route through VPN by grouping them in aliases.

What is VPN leakage?

All AirVPN configurations are of a full tunnel type. This means that all traffic is supposed to be routed through that tunnel to the other side. But sometimes this is not the case for all types of traffic. For instance, most VPN clients support local traffic alongside the tunnel, or you have a custom VPN setup on your router to direct some, but not all, traffic to your VPN tunnel. VPN or firewall misconfigurations can lead to traffic leaking outside of the tunnel. Some examples are:
1. The tunnel is down on your router, your endpoint is unaware and all traffic is suddenly unencrypted.
2. You have a running VPN tunnel but allow local DNS and all your DNS resolves are being sent in clear text outside the tunnel.

Endpoint and application configuration (out of scope of this topic) can also leak information; be aware of the following:
3. Dual stack machines and IPv6 can leak information about your location. (Use IPv4 and NAT exclusively.)
4. Browser misconfigurations can also leak information of your whereabouts. (WebRTC, locale settings.)

Preventing DNS leakage with Port NAT and Unbound

Unbound configuration

Where I live ISPs are obligated to log traffic. To prevent this I have set up Unbound to use DNS-over-TLS (DoT) to make sure my resolves are encrypted. I don't route my DNS through VPN as I need it to work when my VPNs are down. These are the changes I made to the configuration of Unbound.
1. In Unbound DNS | General | Advanced Mode, the "outgoing network interfaces" is set to WAN_PPOE.
2. In Unbound | DNS over TLS I have configured several DoT forwarders. An example for dns.adguard.com:

I do have configured Quad9 and Cloudflare, but only for fallback as I don't trust them for privacy reasons.

Also, consider the following: when you have configured your own local zone, i.e. myhouse.com, set the "Local Zone Type" to "static" in the general settings of Unbound. I think the default is "transparent", which results in forwarding unknown hosts to outside DNS servers, and you should not want that to happen.

PortNAT configuration

I have several hosts with Docker containers which have hardcoded DNS configurations to Google, Cloudflare etc. I make sure they resolve to my Unbound through port NAT:
1. Create a network group alias "networkgroup_local". In here, you put all your local network segments like __lan_network and all __opt*_networks.
2. Create a port NAT rule like this:

This results in all traffic from several local network segments, destined to any host NOT local (see destination/invert) to port 53, being rerouted to my LAN interface. I have "Firewall Rule Association" turned off as I like to have full control over my own firewall rules.
3. Create a floating rule like this:

This port NAT and rule combination results in the following:
1. All traffic with a destination other than local segments to port 53 will be port-NATted to my LAN interface where Unbound is servicing DNS.
2. One floating rule allows traffic to port 53 to flow from their respective VLANs to my LAN interface on port 53.

I also block DoH as, again, several Docker containers are hard-coded to external DNS-over-HTTPS servers. To prevent this from happening I subscribe to a blocklist and block traffic. This is just me being paranoid and outside the scope of this topic ;-) You can make use of external lists by creating an alias which you can use in firewall rules like this:

The list I use is: https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt

Use this alias to create an interface or floating rule that blocks traffic destined to the alias on port 443.

Preventing traffic leakage with tagging

OPNsense has a feature where you can tag traffic and pass or block traffic based on these tags. With this we can block traffic on the WAN interface that should've been routed through the VPN tunnel.

Tagging of Outbound NAT traffic

Outbound NAT rules for your tunnel traffic MUST be above any NAT rules for normal WAN! Find your AirVPN outbound NAT rule and make the following adjustment:

This example will NAT any traffic to my WAN_AIRVPN1 interface coming from my VPN VLAN destined to any host not local, and tags it with "NO_VPN_LEAK".

Next, change the matching outbound firewall rule:

This rule, added to my VPN VLAN, routes all traffic through VPN (with the gateway setting) and tags it with "NO_VPN_LEAK".

Block tagged traffic on the WAN interface

Next, we block outbound traffic tagged with "NO_VPN_LEAK" on the WAN interface. Create a FLOATING rule. Make sure this is high up the list:

This rule is active on the normal WAN interface and screens outbound traffic matching "NO_VPN_LEAK" tags and blocks it.

Prevent WAN callback leakage

WAN callback leakage can assist ISPs or three-letter agencies in detecting which outbound VPN IP address you're using when you access your own services you may have active on your WAN interface. I have several web services running on OPNsense behind HAProxy. Traffic from hosts behind VPN should route locally. For this I have created an outbound NAT like this (make sure this is the TOP NAT rule):

Add a FLOATing firewall rule to match this traffic:

Also, make sure this rule is somewhere at the top of your FLOATing rule list. I like to make use of floating rules as I can match traffic from several interfaces with one rule, but it can also be an interface rule if you have only one LAN interface.
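The port-53 redirect described in the post above can be verified from a client on one of the local segments. The script below is an added example and not part of the original post or of OPNsense: it builds a raw DNS query for a name that only the local Unbound can answer (the assumed host override test.myhouse.com resolving to 192.168.10.10; both are made up for the example) and sends it straight to a public resolver (8.8.8.8). If the private address comes back, the query was redirected to Unbound; an NXDOMAIN means the public resolver really received it and the redirect is not in effect. The query builder and answer parser are written by hand on purpose, because going through the system resolver would test the client's own resolver settings rather than the router's rule.

```python
"""Added example: probe whether a router redirects outbound port-53 traffic
to its local resolver (the OPNsense port NAT rule described above).

Assumptions (not from the original post): a host override that only the
local Unbound can answer, test.myhouse.com -> 192.168.10.10, and a public
resolver address (8.8.8.8) to aim the raw query at.
"""
import secrets
import socket
import struct

PROBE_NAME = "test.myhouse.com"      # hypothetical local-only host override
PROBE_IP = "192.168.10.10"           # hypothetical answer known only to Unbound
PUBLIC_RESOLVER = "8.8.8.8"


def build_query(name, txid, qtype=1):
    """Minimal DNS query: 12-byte header with RD set, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg, expected_txid):
    """Return (rcode, [A-record IPv4 strings]) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):                             # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, answers


def classify(rcode, answers, expected_ip=PROBE_IP):
    """Interpret a reply to a query that was addressed to the public resolver."""
    if expected_ip in answers:
        return "redirected"        # only the local Unbound could have answered this
    if rcode == 3:
        return "not-redirected"    # NXDOMAIN: the public resolver really saw the query
    return "inconclusive"


def probe(resolver=PUBLIC_RESOLVER, name=PROBE_NAME, timeout=3.0):
    """Send the raw query to the public resolver, bypassing the system resolver."""
    txid = secrets.randbelow(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "blocked-or-timeout"  # outbound 53 is dropped rather than redirected
    finally:
        sock.close()
    return classify(*parse_response(data, txid))


def build_response(query, ip, rcode=0):
    """Constructed reply for offline testing: echoes the question, adds one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    answer = b""
    if ip is not None:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    return header + query[12:] + answer


if __name__ == "__main__":
    print(probe())
```

Run it from a host in one of the segments covered by the networkgroup_local alias; "redirected" confirms the rule, "not-redirected" means the query left via WAN unmodified, and a timeout means port 53 to the outside is blocked rather than redirected. The check says nothing about DoT or DoH clients, which never use port 53.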
-
Hi, I am taking the test here https://www.dnsleaktest.com Both 'standard test' and 'extended test' list my AirVPN server along with 1-4 DNS servers of my ISP provider (I can provide a screenshot if needed). 'Reset to Default Settings' and reboot was performed before the final test and post here. There is no other VPN installed/used right now. Some info:

* Eddie UI Logs:

. 2022.03.09 21:15:39 - Eddie version: 2.21.5beta / linux_x64, System: Linux, Name: Arch Linux, Version: Linux myhostname 5.16.13-arch1-1 #1 SMP PREEMPT Tue, 08 Mar 2022 20:07:36 +0000 x86_64 GNU/Linux, Mono/.Net: 6.12.0 (makepkg/c621c35ffa0 Thu Jun 17 02:48:02 PM -03 2021); Framework: v4.0.30319
. 2022.03.09 21:15:39 - Command line arguments (2): path.resources="/usr/share/eddie-ui" path.exec="/usr/bin/eddie-ui"
. 2022.03.09 21:15:39 - Raise system privileges
. 2022.03.09 21:15:46 - Reading options from /home/myuser/.config/eddie/default.profile
. 2022.03.09 21:15:47 - OpenVPN - Version: 2.5.5 - OpenSSL 1.1.1m 14 Dec 2021, LZO 2.10 (/usr/bin/openvpn)
. 2022.03.09 21:15:47 - SSH - Version: OpenSSH_8.9p1, OpenSSL 1.1.1m 14 Dec 2021 (/usr/bin/ssh)
I 2022.03.09 21:15:47 - SSL - Not available
. 2022.03.09 21:15:47 - curl - Version: 7.82.0 (/usr/bin/curl)
. 2022.03.09 21:15:47 - Recovery. Unexpected crash?
. 2022.03.09 21:15:47 - IPv6 restored on network adapter (eno2)
. 2022.03.09 21:15:47 - IPv6 restored on network adapter (ipv6leakintrf0)
. 2022.03.09 21:15:47 - IPv6 restored on network adapter (wlo1)
! 2022.03.09 21:15:47 - Deactivation of Network Lock
I 2022.03.09 21:15:50 - Ready
. 2022.03.09 21:15:51 - Collect information about AirVPN completed
I 2022.03.09 21:15:58 - Session starting.
I 2022.03.09 21:15:58 - Checking authorization ...
W 2022.03.09 21:15:59 - The server supports IPv6, but IPv6 is disabled at OS level. You need to re-enable it manually (reboot is required) or disable this warning by setting Preferences > Networking > Layer IPv6: Block.
W 2022.03.09 21:15:59 - 'Preferences > Networking > Layer IPv6' automatically switched to 'Block'.
. 2022.03.09 21:15:59 - IPv6 disabled on network adapter (eno2)
. 2022.03.09 21:15:59 - IPv6 disabled on network adapter (wlo1)
! 2022.03.09 21:15:59 - Connecting to Lacaille (Singapore, Singapore)
. 2022.03.09 21:15:59 - Routes, add 209.58.173.159/32 for interface "eno2".
. 2022.03.09 21:15:59 - Routes, add 209.58.173.159/32 for interface "eno2", already exists.
. 2022.03.09 21:15:59 - OpenVPN > OpenVPN 2.5.5 [git:makepkg/869f194c23ae93c4+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
. 2022.03.09 21:15:59 - OpenVPN > library versions: OpenSSL 1.1.1m 14 Dec 2021, LZO 2.10
. 2022.03.09 21:15:59 - OpenVPN > Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
. 2022.03.09 21:15:59 - OpenVPN > Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
. 2022.03.09 21:15:59 - OpenVPN > Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
. 2022.03.09 21:15:59 - OpenVPN > Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
. 2022.03.09 21:15:59 - OpenVPN > TCP/UDP: Preserving recently used remote address: [AF_INET]209.58.173.159:443
. 2022.03.09 21:15:59 - OpenVPN > Socket Buffers: R=[212992->212992] S=[212992->212992]
. 2022.03.09 21:15:59 - OpenVPN > UDP link local: (not bound)
. 2022.03.09 21:15:59 - OpenVPN > UDP link remote: [AF_INET]209.58.173.159:443
. 2022.03.09 21:15:59 - OpenVPN > TLS: Initial packet from [AF_INET]209.58.173.159:443, sid=0ef8b0c3 c6186b17
. 2022.03.09 21:15:59 - OpenVPN > VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
. 2022.03.09 21:15:59 - OpenVPN > VERIFY KU OK
. 2022.03.09 21:15:59 - OpenVPN > Validating certificate extended key usage
. 2022.03.09 21:15:59 - OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
. 2022.03.09 21:15:59 - OpenVPN > VERIFY EKU OK
. 2022.03.09 21:15:59 - OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Lacaille, emailAddress=info@airvpn.org
. 2022.03.09 21:16:00 - OpenVPN > Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
. 2022.03.09 21:16:00 - OpenVPN > [Lacaille] Peer Connection Initiated with [AF_INET]209.58.173.159:443
. 2022.03.09 21:16:00 - OpenVPN > SENT CONTROL [Lacaille]: 'PUSH_REQUEST' (status=1)
. 2022.03.09 21:16:00 - OpenVPN > PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.28.34.1,dhcp-option DNS6 fde6:7a:7d20:1822::1,tun-ipv6,route-gateway 10.28.34.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:1822::1034/64 fde6:7a:7d20:1822::1,ifconfig 10.28.34.54 255.255.255.0,peer-id 1,cipher AES-256-GCM'
. 2022.03.09 21:16:00 - OpenVPN > Pushed option removed by filter: 'redirect-gateway ipv6 def1 bypass-dhcp'
. 2022.03.09 21:16:00 - OpenVPN > Pushed option removed by filter: 'dhcp-option DNS 10.28.34.1'
. 2022.03.09 21:16:00 - OpenVPN > Pushed option removed by filter: 'dhcp-option DNS6 fde6:7a:7d20:1822::1'
. 2022.03.09 21:16:00 - OpenVPN > Pushed option removed by filter: 'tun-ipv6'
. 2022.03.09 21:16:00 - OpenVPN > Pushed option removed by filter: 'ifconfig-ipv6 fde6:7a:7d20:1822::1034/64 fde6:7a:7d20:1822::1'
. 2022.03.09 21:16:00 - OpenVPN > OPTIONS IMPORT: timers and/or timeouts modified
. 2022.03.09 21:16:00 - OpenVPN > OPTIONS IMPORT: compression parms modified
. 2022.03.09 21:16:00 - OpenVPN > OPTIONS IMPORT: --ifconfig/up options modified
. 2022.03.09 21:16:00 - OpenVPN > OPTIONS IMPORT: route-related options modified
. 2022.03.09 21:16:00 - OpenVPN > OPTIONS IMPORT: peer-id set
. 2022.03.09 21:16:00 - OpenVPN > OPTIONS IMPORT: adjusting link_mtu to 1625
. 2022.03.09 21:16:00 - OpenVPN > OPTIONS IMPORT: data channel crypto options modified
. 2022.03.09 21:16:00 - OpenVPN > Data Channel: using negotiated cipher 'AES-256-GCM'
. 2022.03.09 21:16:00 - OpenVPN > Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2022.03.09 21:16:00 - OpenVPN > Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2022.03.09 21:16:00 - OpenVPN > TUN/TAP device tun0 opened
. 2022.03.09 21:16:00 - OpenVPN > net_iface_mtu_set: mtu 1500 for tun0
. 2022.03.09 21:16:00 - OpenVPN > net_iface_up: set tun0 up
. 2022.03.09 21:16:00 - OpenVPN > net_addr_v4_add: 10.28.34.54/24 dev tun0
. 2022.03.09 21:16:05 - OpenVPN > Initialization Sequence Completed
. 2022.03.09 21:16:06 - DNS of the system updated to VPN DNS (Rename method: /etc/resolv.conf generated)
. 2022.03.09 21:16:06 - Routes, add 0.0.0.0/1 for interface "tun0".
. 2022.03.09 21:16:06 - Routes, add 128.0.0.0/1 for interface "tun0".
. 2022.03.09 21:16:06 - Routes, add 209.58.173.138/32 for interface "tun0".
. 2022.03.09 21:16:06 - Routes, skipped for 2001:df1:800:a00e:4::a44e : IPv6 blocked.
. 2022.03.09 21:16:06 - Flushing DNS
. 2022.03.09 21:16:06 - Flush DNS - nscd
I 2022.03.09 21:16:06 - Checking route IPv4
I 2022.03.09 21:16:07 - Checking DNS
! 2022.03.09 21:16:09 - Connected

* Eddie's System Report:

Eddie System/Environment Report - 3/9/2022 - 7:31 PM UTC

Eddie version: 2.21.5beta
Eddie OS build: linux_x64
Eddie architecture: x64
OS type: Linux
OS name: Arch Linux
OS version: Linux myhostname 5.16.13-arch1-1 #1 SMP PREEMPT Tue, 08 Mar 2022 20:07:36 +0000 x86_64 GNU/Linux
OS architecture: x64
Mono /.Net Framework: 6.12.0 (makepkg/c621c35ffa0 Thu Jun 17 02:48:02 PM -03 2021); Framework: v4.0.30319
OpenVPN: 2.5.5 - OpenSSL 1.1.1m 14 Dec 2021, LZO 2.10 (/usr/bin/openvpn)
Hummingbird: 3.3.2 - Hummingbird - AirVPN OpenVPN 3 Client 1.1.2 - 4 June 2021 (/usr/local/bin/hummingbird)
WireGuard: 1.0.0
SSH: OpenSSH_8.9p1, OpenSSL 1.1.1m 14 Dec 2021 (/usr/bin/ssh)
SSL: Not available
curl: 7.82.0 (/usr/bin/curl)
Profile path: /home/myuser/.config/eddie/default.profile
Data path: /home/myuser/.config/eddie
Application path: /usr/lib/eddie-ui
Executable path: /usr/lib/eddie-ui/eddie-ui.exe
Command line arguments: (2 args) path.resources="/usr/share/eddie-ui" path.exec="/usr/bin/eddie-ui"

Network Lock Active: No
Connected to VPN: Yes, Lacaille
OS support IPv4: Yes
OS support IPv6: No
Detected DNS: 10.28.34.1
Test DNS IPv4: Ok
Test DNS IPv6: Failed
Test Ping IPv4: 365 ms
Test Ping IPv6: Failed
Test HTTP IPv4: Ok
Test HTTP IPv6: Error: curl: (7) Couldn't connect to server
Test HTTPS: Ok

----------------------------
Important options not at defaults:

login: (omissis)
password: (omissis)
remember: True
servers.allowlist: a61744e4ad91aec37c94aeffc2d7344e79400c541b06df8f1d7773b130529191
areas.allowlist: ca,jp,nl,sg,es,br,ie
proxy.mode: none
network.ipv6.mode: block

----------------------------
Logs:

. 2022.03.09 21:30:11 - Eddie version: 2.21.5beta / linux_x64, System: Linux, Name: Arch Linux, Version: Linux myhostname 5.16.13-arch1-1 #1 SMP PREEMPT Tue, 08 Mar 2022 20:07:36 +0000 x86_64 GNU/Linux, Mono/.Net: 6.12.0 (makepkg/c621c35ffa0 Thu Jun 17 02:48:02 PM -03 2021); Framework: v4.0.30319
. 2022.03.09 21:30:11 - Command line arguments (2): path.resources="/usr/share/eddie-ui" path.exec="/usr/bin/eddie-ui"
. 2022.03.09 21:30:11 - Raise system privileges
. 2022.03.09 21:30:14 - Reading options from /home/myuser/.config/eddie/default.profile
. 2022.03.09 21:30:15 - OpenVPN - Version: 2.5.5 - OpenSSL 1.1.1m 14 Dec 2021, LZO 2.10 (/usr/bin/openvpn)
. 2022.03.09 21:30:15 - SSH - Version: OpenSSH_8.9p1, OpenSSL 1.1.1m 14 Dec 2021 (/usr/bin/ssh)
I 2022.03.09 21:30:15 - SSL - Not available
. 2022.03.09 21:30:15 - curl - Version: 7.82.0 (/usr/bin/curl)
. 2022.03.09 21:30:15 - DNS of the system restored to original settings (Rename method)
. 2022.03.09 21:30:15 - Recovery. Unexpected crash?
. 2022.03.09 21:30:15 - IPv6 restored on network adapter (eno2)
. 2022.03.09 21:30:15 - IPv6 restored on network adapter (wlo1)
I 2022.03.09 21:30:18 - Ready
. 2022.03.09 21:30:22 - Collect information about AirVPN completed
! 2022.03.09 21:30:35 - Activation of Network Lock - Linux nftables
. 2022.03.09 21:30:35 - Network lock not enabled on IPv6 layer. IPv6 seems disabled at system level.
I 2022.03.09 21:30:37 - Session starting.
F 2022.03.09 21:30:37 - OpenVPN is already running (/usr/bin/openvpn

* Resolv.conf:

$ cat /etc/resolv.conf
# Generated by Eddie v2.21.5beta - https://eddie.website - Wednesday, March 9, 2022 7:31:11 PM UTC
nameserver 10.28.34.1

$ cat /etc/resolv.conf.eddie
# Generated by NetworkManager
search home
nameserver 192.168.1.1

* NetworkManager:

$ tree /etc/NetworkManager/
/etc/NetworkManager/
├── conf.d
├── dispatcher.d
│   ├── no-wait.d
│   ├── pre-down.d
│   └── pre-up.d
├── dnsmasq.d
├── dnsmasq-shared.d
├── NetworkManager.conf
└── system-connections [error opening dir]

$ cat /etc/NetworkManager/NetworkManager.conf
# Configuration file for NetworkManager.
# See "man 5 NetworkManager.conf" for details.

* Openvpn:

$ sudo tree /etc/openvpn/
/etc/openvpn/
├── client
└── server
2 directories, 0 files

* Networking:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.1.2/24 brd 192.168.1.255 scope global dynamic eno2
       valid_lft 84892sec preferred_lft 84892sec
3: wlo1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff permaddr 24:41:8c:ab:a6:ad
    altname wlp0s20f3
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:04 brd ff:ff:ff:ff:ff:ff
6: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:05 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.2/24 brd 10.0.2.255 scope global virbr1
       valid_lft forever preferred_lft forever
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.28.34.54/24 scope global tun0
       valid_lft forever preferred_lft forever

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eno2
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eno2
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 virbr1
10.28.34.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno2
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno2
192.168.1.1     0.0.0.0         255.255.255.255 UH    100    0        0 eno2
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
209.58.173.138  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
209.58.173.159  192.168.1.1     255.255.255.255 UGH   0      0        0 eno2

$ route -6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
[::]/0                         [::]                       !n   -1  1     0 lo
[::]/0                         [::]                       !n   -1  1     0 lo

What else I have tried:
- Deleted /etc/resolv.conf.eddie
- Enabling network-lock (doesn't matter I assume, just mentioning)
- Settings->DNS->DNS Switch Mode: Disabled -> Disconnect -> Connect -> leads to infinite looping between the server pool, can't connect; I assume it fails at "checking DNS"

stdout log after setting DNS Switch Mode to Disabled:

[...]
I 2022.03.09 21:50:25 - Checking authorization ...
. 2022.03.09 21:50:26 - IPv6 disabled on network adapter (eno2)
. 2022.03.09 21:50:26 - IPv6 disabled on network adapter (wlo1)
! 2022.03.09 21:50:26 - Connecting to Azmidiske (Sweden, Uppsala)
. 2022.03.09 21:50:26 - Routes, add 62.102.148.208/32 for interface "eno2".
. 2022.03.09 21:50:26 - Routes, add 62.102.148.208/32 for interface "eno2", already exists.
. 2022.03.09 21:50:26 - OpenVPN > OpenVPN 2.5.5 [git:makepkg/869f194c23ae93c4+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
. 2022.03.09 21:50:26 - OpenVPN > library versions: OpenSSL 1.1.1m 14 Dec 2021, LZO 2.10
. 2022.03.09 21:50:26 - OpenVPN > Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
. 2022.03.09 21:50:26 - OpenVPN > Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
. 2022.03.09 21:50:26 - OpenVPN > Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
. 2022.03.09 21:50:26 - OpenVPN > Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
. 2022.03.09 21:50:26 - OpenVPN > TCP/UDP: Preserving recently used remote address: [AF_INET]62.102.148.208:443
. 2022.03.09 21:50:26 - OpenVPN > Socket Buffers: R=[212992->212992] S=[212992->212992]
. 2022.03.09 21:50:26 - OpenVPN > UDP link local: (not bound)
. 2022.03.09 21:50:26 - OpenVPN > UDP link remote: [AF_INET]62.102.148.208:443
. 2022.03.09 21:50:26 - OpenVPN > TLS: Initial packet from [AF_INET]62.102.148.208:443, sid=dab05c11 6caf74dc
. 2022.03.09 21:50:26 - OpenVPN > VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
. 2022.03.09 21:50:26 - OpenVPN > VERIFY KU OK
. 2022.03.09 21:50:26 - OpenVPN > Validating certificate extended key usage
. 2022.03.09 21:50:26 - OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
. 2022.03.09 21:50:26 - OpenVPN > VERIFY EKU OK
. 2022.03.09 21:50:26 - OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Azmidiske, emailAddress=info@airvpn.org
. 2022.03.09 21:50:26 - OpenVPN > Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
. 2022.03.09 21:50:26 - OpenVPN > [Azmidiske] Peer Connection Initiated with [AF_INET]62.102.148.208:443
. 2022.03.09 21:50:27 - OpenVPN > PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.11.34.1,dhcp-option DNS6 fde6:7a:7d20:722::1,tun-ipv6,route-gateway 10.11.34.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:722::1024/64 fde6:7a:7d20:722::1,ifconfig 10.11.34.38 255.255.255.0,peer-id 1,cipher AES-256-GCM'
. 2022.03.09 21:50:27 - OpenVPN > Pushed option removed by filter: 'redirect-gateway ipv6 def1 bypass-dhcp'
. 2022.03.09 21:50:27 - OpenVPN > Pushed option removed by filter: 'dhcp-option DNS 10.11.34.1'
. 2022.03.09 21:50:27 - OpenVPN > Pushed option removed by filter: 'dhcp-option DNS6 fde6:7a:7d20:722::1'
. 2022.03.09 21:50:27 - OpenVPN > Pushed option removed by filter: 'tun-ipv6'
. 2022.03.09 21:50:27 - OpenVPN > Pushed option removed by filter: 'ifconfig-ipv6 fde6:7a:7d20:722::1024/64 fde6:7a:7d20:722::1'
. 2022.03.09 21:50:27 - OpenVPN > OPTIONS IMPORT: timers and/or timeouts modified
. 2022.03.09 21:50:27 - OpenVPN > OPTIONS IMPORT: compression parms modified
. 2022.03.09 21:50:27 - OpenVPN > OPTIONS IMPORT: --ifconfig/up options modified
. 2022.03.09 21:50:27 - OpenVPN > OPTIONS IMPORT: route-related options modified
. 2022.03.09 21:50:27 - OpenVPN > OPTIONS IMPORT: peer-id set
. 2022.03.09 21:50:27 - OpenVPN > OPTIONS IMPORT: adjusting link_mtu to 1625
. 2022.03.09 21:50:27 - OpenVPN > OPTIONS IMPORT: data channel crypto options modified
. 2022.03.09 21:50:27 - OpenVPN > Data Channel: using negotiated cipher 'AES-256-GCM'
. 2022.03.09 21:50:27 - OpenVPN > Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2022.03.09 21:50:27 - OpenVPN > Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
. 2022.03.09 21:50:27 - OpenVPN > TUN/TAP device tun0 opened
. 2022.03.09 21:50:27 - OpenVPN > net_iface_mtu_set: mtu 1500 for tun0
. 2022.03.09 21:50:27 - OpenVPN > net_iface_up: set tun0 up
. 2022.03.09 21:50:27 - OpenVPN > net_addr_v4_add: 10.11.34.38/24 dev tun0
. 2022.03.09 21:50:31 - OpenVPN > Initialization Sequence Completed
. 2022.03.09 21:50:31 - Routes, add 0.0.0.0/1 for interface "tun0".
. 2022.03.09 21:50:31 - Routes, add 128.0.0.0/1 for interface "tun0".
. 2022.03.09 21:50:31 - Routes, add 62.102.148.154/32 for interface "tun0".
. 2022.03.09 21:50:31 - Routes, skipped for 2a00:1520:27:1:dc5a:b7fa:4950:47c4 : IPv6 blocked.
. 2022.03.09 21:50:31 - Flushing DNS
. 2022.03.09 21:50:31 - Flush DNS - nscd
I 2022.03.09 21:50:31 - Checking route IPv4
I 2022.03.09 21:50:32 - Checking DNS
. 2022.03.09 21:50:39 - Checking DNS (4° try)
. 2022.03.09 21:50:44 - Checking DNS (5° try)
E 2022.03.09 21:50:44 - Checking DNS failed, last reason: Checking DNS failed:
! 2022.03.09 21:50:44 - Disconnecting
. 2022.03.09 21:50:44 - Sending soft termination signal
. 2022.03.09 21:50:44 - OpenVPN > event_wait : Interrupted system call (code=4)
. 2022.03.09 21:50:44 - OpenVPN > SIGTERM received, sending exit notification to peer
. 2022.03.09 21:50:49 - OpenVPN > Closing TUN/TAP interface
. 2022.03.09 21:50:49 - OpenVPN > net_addr_v4_del: 10.11.34.38 dev tun0
. 2022.03.09 21:50:49 - OpenVPN > SIGTERM[soft,exit-with-notification] received, process exiting
. 2022.03.09 21:50:49 - Routes, delete 0.0.0.0/1 for interface "tun0", not exists.
. 2022.03.09 21:50:49 - Routes, delete 128.0.0.0/1 for interface "tun0", not exists.
. 2022.03.09 21:50:49 - Routes, delete 62.102.148.208/32 for interface "eno2".
. 2022.03.09 21:50:49 - Routes, delete 62.102.148.154/32 for interface "tun0", not exists.
. 2022.03.09 21:50:49 - Routes, skipped for 2a00:1520:27:1:dc5a:b7fa:4950:47c4 : IPv6 blocked.
. 2022.03.09 21:50:49 - Routes, delete 62.102.148.208/32 for interface "eno2", not exists.
. 2022.03.09 21:50:49 - IPv6 restored on network adapter (eno2)
. 2022.03.09 21:50:49 - IPv6 restored on network adapter (wlo1)
. 2022.03.09 21:50:49 - Connection terminated.
[...]

Any thoughts on how to troubleshoot further? Thanks
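The output in the post above already contains what is needed to answer one half of the question: whether the nameserver in /etc/resolv.conf can only be reached through tun0. The script below is an added example, not Eddie's code: it performs the kernel's longest-prefix route lookup over a `route -n` table and reports the egress interface for each configured nameserver. The route table and both resolv.conf bodies are copied from the post; the net-tools `route` command in the `__main__` section is assumed to be installed. What the script cannot see is the other half: a DNS leak test site records which resolvers reach its authoritative servers, so a browser or service carrying its own resolver settings (or a DoH endpoint) bypasses resolv.conf entirely and never appears here.

```python
"""Added example: decide, from the kernel routing table and resolv.conf,
which interface each configured nameserver would be reached through.
The sample route table and resolv.conf contents are copied from the post
above; nothing here is Eddie's own code.
"""
import ipaddress

# `route -n` as posted above. The 0.0.0.0/1 + 128.0.0.0/1 pair is how
# OpenVPN's redirect-gateway def1 overrides the default route without
# deleting the ISP default route, which stays on eno2.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eno2
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eno2
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 virbr1
10.28.34.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno2
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno2
192.168.1.1     0.0.0.0         255.255.255.255 UH    100    0        0 eno2
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
209.58.173.138  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
209.58.173.159  192.168.1.1     255.255.255.255 UGH   0      0        0 eno2
"""

# The two resolv.conf files shown in the post: the one Eddie generated and
# the NetworkManager original that Eddie renamed aside.
RESOLV_EDDIE = "# Generated by Eddie v2.21.5beta\nnameserver 10.28.34.1\n"
RESOLV_ORIGINAL = "# Generated by NetworkManager\nsearch home\nnameserver 192.168.1.1\n"


def parse_route_n(text):
    """Parse `route -n` lines into (network, gateway, iface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def parse_resolv(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]


def egress(ip, routes):
    """Longest-prefix match, lower metric breaking ties, as the kernel does for IPv4."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for net, gw, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gw)
    return (best[1], best[2]) if best else (None, None)


def audit(resolv_text, route_text, tunnel_iface="tun0"):
    """Map each nameserver to its egress interface and whether that is the tunnel."""
    routes = parse_route_n(route_text)
    report = {}
    for ns in parse_resolv(resolv_text):
        iface, gw = egress(ns, routes)
        report[ns] = {"iface": iface, "via": gw, "in_tunnel": iface == tunnel_iface}
    return report


def leaking_nameservers(resolv_text, route_text, tunnel_iface="tun0"):
    """Nameservers that would be queried outside the tunnel."""
    return [ns for ns, r in audit(resolv_text, route_text, tunnel_iface).items()
            if not r["in_tunnel"]]


if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["route", "-n"], capture_output=True, text=True, check=True).stdout
    with open("/etc/resolv.conf") as f:
        for ns, r in audit(f.read(), live).items():
            print(ns, r)
```

With the posted table, 10.28.34.1 matches 10.28.34.0/24 on tun0, while 192.168.1.1 (the nameserver in the original NetworkManager file) matches the /32 host route on eno2 and would be a leak if anything still used it; a public resolver such as 8.8.8.8 falls into 0.0.0.0/1 and goes through the tunnel.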
-
Hi - the instructions for setting up AirVPN on Chromebook are very helpful, and worked for me. https://airvpn.org/chromeos/ But I cannot figure out if the "block-outside-dns" (or similar) command is enabled as part of this software and settings. When I used dnsleaktest.com I don't see any leaks, and it seems like the "tunnel" is secure. So: can someone tell me if the AirVPN Chromebook setup has the same "network lock" functionality as Eddie does when I use it on a Mac? Is there a code to use or setting to *check* to make sure this is *always* enabled (block outside DNS etc.)? Thank you!
-
Hi all, I'm running the new AirVPN suite (which is awesome) on a Raspberry Pi (Debian) and connecting a SOCKS 5 proxy (Dante) to tun0. So far so good in terms of having a VPN available for my network devices that I want to direct traffic to. Where I reach the edge of my understanding is handling DNS in such a setup. I can see that the suite overwrites resolv.conf on the Pi with the (varying) VPN DNS server. What I'd really like is to point my local DNS server to the Pi and have all my outgoing DNS traffic to the VPN DNS. I'm guessing I need something listening on the Pi's DNS ports that forwards appropriately, but I don't know if I need a full server like Bind, a proxy, a forwarder, or how to pick up the correct DNS from the VPN. Possibly I'm literally just missing a good search term for finding the right tool & configuration. Suggestions would be appreciated!
-
Hi all, I have some issues with my OpenVPN for Android client. I followed the instructions in the how-to section to set up OpenVPN for Android. Everything worked fine, but: first issue: I get reconnects every few minutes, and second issue: when I check for DNS leaks on ipleak.net everything looks smooth, no leak. I see the AirVPN exit IP and AirVPN DNS. But when I visit airvpn.org I see on top of the site my real IPv6 address. Can someone tell me how to solve these errors? Regards
-
Hello users and staff of AirVPN. I have been using AirVPN for months now and the entire time I have had a DNS leak. I currently use dnscrypt, but that did not affect my own OpenVPN connections or AirVPN connections when I was using Windows 7. I have disabled dnscrypt and switched to normal Google DNS servers, then connected to AirVPN or my own servers; still I have DNS leaks. I have disabled IPv6; still I have DNS leaks. I have disabled multi-homed DNS in Windows 10; still I have DNS leaks. I have even used the option "setenv opt block-outside-dns" in my own OpenVPN configs.... STILL I HAVE DNS LEAKS. How can I fix DNS leaks in Windows 10?
-
Just a quick question. I have OpenVPN set up in my Shibby Tomato router to use AirVPN. No issues until I started to selectively route a few of the source IPs through the tunnel (using the GUI OpenVPN Client tab Routing Policy), as I can't get Netflix to work. So now my ISP's DNS is showing up in the DNS leak test. I've tried to insert a static DNS in the basic network config to use another DNS server, but nothing worked. The DNS leak test still shows me that I am using my ISP's DNS server. Does anyone have this problem when selectively routing a few IPs through the tunnel using Tomato?
-
Good morning, first of all: great service. Just signed up for a whole year after a 3 day trial. My config: using Win10, OpenDNS servers in my router settings, and the latest OpenVPN and TCP settings on all your servers. One thing I noticed is: I tried several of your servers and for some (including Gacrux) I see a DNS leak on https://ipleak.net. It's not bothering me a lot, but it makes me scratch my head. - Are you using different configs on all your servers? - Is it me who's doing something wrong? Thanks in advance and keep up the good work!
-
I recently bought an Asus router RT-AC68U to flash Tomato firmware, as AirVPN offers a config generation for this. I had a few issues with that and noticed that Asus supports OpenVPN from scratch. I've tried it and it works flawlessly; no Tomato is needed.

Difficulty: Very low
Time: 2 minutes
Prerequisite:
- Asus router (in my case it's a RT-AC68U, but it should work for all Asus routers that have OpenVPN support)

Steps:
1. Browse to https://airvpn.org/generator/ and select 'Router or others' and choose a server you like. Tick 'Direct, protocol UDP, port 443' and click on 'Generate'. Save this OpenVPN config file anywhere on your computer.
2. Open the Asus router web interface and click on 'VPN'. Click on 'Add profile', choose OpenVPN. Enter a description, leave username and password EMPTY. Click on 'Browse' and select the downloaded OpenVPN config file. Click on upload. Click on OK. That's it, now you can click on connect.
3. Visit https://ipleak.net and check if it works. By default I have no DNS leak. But in case you have one, you can set up the AirVPN DNS this way:
3b. Click on the WAN tab. Turn DNS server off and enter either Google's DNS 8.8.8.8 or AirVPN's DNS 10.4.0.1 or both, as in the screenshot.

That's it. Every client which is connected to the router is now secured by VPN.
-
This tutorial is about blocking ALL traffic outside of the VPN connection which would reveal your real IP address, and it also works as a DNS leak fix. This works ONLY for Viscosity users and ONLY if you have ANY firewall (in my case I'm using GData Internet Security 2015).

Why only for Viscosity? Because Viscosity makes it very easy for us by creating network adapters, and I had trouble applying the Comodo guide to the GData firewall.

In short: we simply block ALL traffic on our other network adapters and just allow Viscosity (and the network adapters of Viscosity).

Step by step:
1. Create a new rule set called AirVPN or whatever else.
2. We need to create only a few custom rules in our rule set.
3. We need to allow the openvpn.exe inside of the Viscosity folder. I recommend using the assistant of GData.
3a) We need to allow in/out connections to our home network by allowing connections from 192.168.0.0 to 192.168.255.255.
3b) We need to allow in/out connections to AirVPN in general; because GData has no kind of collection, we must create a rule for every IP. We allow in/out connections to 95.211.138.143 and to 212.117.180.25.
3c) Next we allow connections to the AirVPN server(s); in this case I'm allowing connections to the AirVPN Switzerland server. //Edit: This doesn't seem to be necessary at all.
3d) At the end we block ALL other traffic.
4. As previously told, Viscosity creates network adapters. So we just need to apply this rule set to our local network adapter only.

As soon as Viscosity has lost the connection, we are no longer able to connect to the internet because our local network has been blocked. But we can reconnect with Viscosity to our AirVPN servers. So we made sure that all traffic is going through our VPN tunnel. This works with all firewalls that support these steps and it's very easy to set up. Feedback is appreciated.