Showing results for tags 'linux'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • AirVPN
    • News and Announcement
    • How-To
    • Databases
  • Community
    • General & Suggestions
    • Troubleshooting and Problems
    • Blocked websites warning
    • Eddie - AirVPN Client
    • DNS Lists
    • Reviews
    • Other VPN competitors or features
    • Nonprofit
    • Off-Topic
  • Other Projects
    • IP Leak
    • XMPP

Product Groups

  • AirVPN Access
  • Coupons
  • Misc

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start



Website URL







XMPP / Jabber




Found 222 results

  1. A couple of days ago, my two Media Centres dropped off the face of the earth... I was unable to connect to them locally, I had to connect directly... When I did this, I discovered that I had no network connection at all... Was just these two machines... Everything else that wasn't using AirVPN was fine.. I stopped and disabled the service and, surprise, network connectivity was resumed. When I restart it, it takes 5+ minutes to do latency tests... Any ideas why this would be?
  2. This guide will explain how to set up OpenVPN in a way such that only select programs will be able to use the VPN connection while all other life continues as usual. Please read this notice before applying the guide.

     Advantages:
       • fail-free "kill switch" functionality (actually better than 98% of VPNs out there)
       • continue using another VPN as primary or don't reroute any other traffic at all
       • nobody, not even peers on LAN, will be able to connect to your torrent client (the only way: through the VPN connection) - eliminating unintended leaks

     Disadvantage:
       • the apps will still use your default DNS for hostname lookups (secure your DNS separately!)

     See two more drawings at the end.

     The guide is applicable to all VPN providers who don't restrict their users to use the OpenVPN client. The method however is universally applicable. It was made with examples from Windows, but with Linux/BSD you will only need little tweaking to do. Specifically, the net_gateway placeholder may not be available and that's all there is to it. Android clients are probably too limited for this task and lack options we need. - Since there'll be a lot of text, sections titled in (parentheses) are entirely optional to read.

     The other guide by NaDre is old (2013), hard to read and pursues a slightly different approach. A Staff member actually posted a good first comment there, that's what we're gonna do.

     (Preface)
     The BitTorrent as a network is entirely public. Through the decentralized technology called DHT, everyone in the world can find out what torrents you are presumably participating in (this does not apply to private trackers who disable DHT). Clearly this creates an unhealthy atmosphere for privacy of users, e.g. one could find out the OS distribution one is using for a more targeted attack etc. Sometimes the ISPs are outright hostile to peer-to-peer technologies due to the traffic and bandwidth these are consuming. Instead of upgrading dated infrastructure, they cripple their users instead. There are many reasons to use a VPN, that was but a limited selection.

     ("Split-tunneling")
     This has become somewhat a marketing term nowadays, but actually explains the nature of the traffic flow well. In this guide only the programs set to use the VPN connection will use it, nothing else. All your traffic goes past the VPN while torrent client traffic (or any other selected program) uses only the VPN connection.

     ("Kill switch")
     We'll literally nail it using software settings of your program (the torrent client). This is a marketing-loaded name. In short: if the VPN connection is not available, no traffic ought to be sent bypassing it. In most cases where you have a VPN redirect all your system traffic - you should not rely on it as a feature. The OpenVPN software on Windows is not 100% proof, based on empirical evidence (reconnects and startup/shutdown phases) and some other VPN providers do no better (based on comments and stories). The only bulletproof solution: the VPN tunnel is set up on an intermediary device your PC is connected to - your end device (the PC) has no chance whatsoever to bypass the tunnel in that case. If the VPN provider uses a firewall under the hood, that's good too but with this guide you will not need a firewall nor rely on the VPN software.

     ("Dual-hop")
     With the knowledge and methods from this guide you will be able to daisy-chain multiple VPN servers. In essence, your traffic passes PC->VPN1->VPN2->Destination. This was not intended for this guide nor with AirVPN, it's finicky and I wouldn't recommend it myself without a real need and skills to automate the setup and configuration.

     How it will work
     Many users (aka mostly idiots on Reddit) are running in circles like qBittorrent is the only client (or probably the only application in the universe, unconfirmed) that can be set to use a certain VPN. Here's the technicality: this is called 'binding' - you can 'bind to IP' which will force the app to use a specific IP address and nothing else. If it cannot use the IP (when VPN is disconnected) then it will not be able to do any networking at all. The OS will deny any communication with the internet: boom! Here's your praised 'kill switch' and 'split-tunneling', 2-in-1. This is the next best bulletproof solution (the only better alternative is to use an intermediary VPN device, as any software could choose a different interface now to communicate with the internet). In a broader sense, you want to 'bind to a network interface' - your client will use any available IPs from the VPN interface - making it ready for IPv4 and IPv6. Oh and you don't need to change the IP once the VPN connection changes to another server. The OS handles the rest.

     Examples of programs that can bind to user-defined addresses include: (Windows) ping, tracert (IPv6-only, WTF?), curl and wget, and many others, including your favorite torrent client. You will find guides online how to do that in your client or just look in settings.

     (Linux-specific differences of the guide)
     If you are a Linux/*nix user, there're some minor changes to the quick guide below:

     * Create custom VPN interface: Create with the ip tuntap command. The below line will create 5 interfaces "tun-air1" etc. for YOUR user. Specifying your user allows OpenVPN to drop root rights after connection and run under your user (security). AirVPN allows up to 5 connections. If you have no use for this, create only one. Note: User-owned tunnel interfaces allow to be used by your non-root $user account, but there're issues with running OpenVPN without elevated permissions as $user.

       ```
       user="$(whoami)"; for i in {1..5}; do sudo ip tuntap add dev "tun-airvpn$i" mode tun user "$user" group "$user"; done
       ```

       Check their existence with ip -d a -- the interfaces will not be shown under /dev/tun*. ALTERNATIVE: openvpn --mktap/--mktun. See manual with man openvpn.

     * Select custom VPN interface: This config part differs from Windows, very confusing. Steps:
       1. Replace "dev-node" in config with "dev"
       2. Add "dev-type tun" or "tap".

       Example of config:

       ```
       # if you have these defined multiple times, last entries override previous entries
       dev tun-airvpn1   # previously dev-node
       dev-type tun      # previously "dev tun" on Windows
       ```

     There're no more differences.

     In-depth explanation: If you try to use dev-node like for Windows, you will see:

       OpenVPN log: ERROR: Cannot open TUN/TAP dev /dev/tun-airvpn1: No such file or directory (errno=2)
       Example strace of error: openat(AT_FDCWD, "/dev/tun-airvpn1", O_RDWR) = -1 ENOENT (No such file or directory)

     OpenVPN cannot find the TUN/TAP with the name? No, on Linux/*nix/*BSD dev-node has a totally different meaning. Dev-node specifies where the control interface with the kernel is located. On Linux it's usually /dev/node/tun, for the "mknode" command. If OpenVPN can't detect it for some reason, then you'd need to use dev-node.

     Finally you can start OpenVPN from terminal:

       ```
       sudo openvpn --config 'path/to/config.ovpn' --user mysystemusername --group mysystemusergroup
       ```

     PS: There're issues when running OpenVPN under your current $user. I think the problem was that it couldn't remove added routes after a disconnect. Instead run OpenVPN as root (isn't good advice but it's what works).

     Windows Quick Guide
     Go to the folder where you installed OpenVPN and its exe files: 'C:\Program Files\OpenVPN\'. Open CMD inside the 'bin' folder: Hold Shift + Right Click the 'bin' folder -> 'Open Command Window here'. We will use tapctl.exe to create a new VPN network interface solely for use with AirVPN (to look around: run "tapctl.exe" or "tapctl.exe help"):

       ```
       C:\Program Files\OpenVPN\bin>tapctl create --name AirVPN-TAP
       {FDA13378-69B9-9000-8FFE-C52DEADBEEF0}
       C:\Program Files\OpenVPN\bin>
       ```

     A TAP interface is created by default. I have not played enough with Wireguard's TUN to recommend it. You can check it out, it will be under adapters in your Windows network settings.

     Important: Configure your app/torrent client to use this 'AirVPN-TAP' interface. This is what ensures your traffic never leaks. It may appear under a different name, in such case find out which one it is in the output of 'ipconfig /all' (enter this into CMD). If your client does not allow to bind to a general interface but a specific IP (poor decision) then connect to the VPN first to find out the local IP within the VPN network. In this case with AirVPN you may only use one single server or you'll have to constantly change the IP in settings.

     Generate AirVPN configs where you connect to the server via IPv4! This is important.

     Add these to the .ovpn config files (either under 'Advanced' on the config generator page or manually to each config file):

       ```
       # NOPULL START
       route-nopull
       # IF YOU DO NOT USE ANOTHER VPN THAT TAKES OVER ALL YOUR TRAFFIC, USE "net_gateway" (just copy-paste all of this)
       # net_gateway WILL BE AUTOMATICALLY DETERMINED AND WILL WORK IF YOU CONNECT THROUGH OTHER NETWORKS LIKE A PUBLIC WIFI
       # personally, due to a second VPN, I had to specify my router IP explicitly instead of net_gateway:
       # "default"/"vpn_gateway"/"remote_host"/"net_gateway" are allowed placeholders for IPv4
       route remote_host net_gateway
       route vpn_gateway
       route default 666
       route-ipv6 ::/0 default 666
       dev-node AirVPN-TAP
       # END OF NOPULL
       ```

     Test if the configuration works. Full tests, don't leave it up to chance.

     In-depth explanation of the OpenVPN config

     route-nopull
       • rejects any networking routes pushed to you by the server, we will write our own

     route remote_host <router IP>
       • we tell our system that, to reach remote_host (the AirVPN server IP), it must send traffic to <router IP>. The subnet mask says that this only applies to this single IP
       • set <router IP> to be net_gateway (only for Windows users, check availability on other platforms)
       • <router IP> may be any of the OpenVPN placeholders too, for example "net_gateway" should work universally (you avoid hard-coding the router IP and if it ever changes: wondering years later why the config no longer works)
       • <router IP> is "" in my case, for my home router that connects me to the internet.

     route vpn_gateway
       • we tell our system that all 10.x.x.x traffic will be sent to the AirVPN server
       • the internal VPN network with AirVPN is always on the - network range. The subnet mask reflects that. However this may interfere with other VPNs if you ever need to be connected to both at once. I will not go into detail on this. What you need to do is to be more specific with 10.x.x.x routes in this config, i.e. instead of /8 subnet, only route the specific /24 subnet of the current VPN server (AirVPN uses a /24 subnet for your connections on each VPN server -> 10.a.b.0
       • vpn_gateway is one of OpenVPN placeholders

     route default 666
       • allow routing of ANY traffic via the VPN
       • we set the metric to 666, metric defined as path cost (historically) so setting it to a high value will make sure no normal connection runs through it, unless specifically bound to the VPN IP.

     route-ipv6 ::/0 default 666
       • same for IPv6. How many can claim they have a working VPN IPv6 setup? Welcome in the future. IPv6 is over 20 years old at this point anyhow.

     dev-node AirVPN-TAP (Windows-only)
       • tell OpenVPN to ONLY use this network interface to create the VPN tunnel on.

     Nothing should interfere with our setup now. That's all, folks!

     Note: Somehow on Windows my AirVPN connection receives a wrong internal IP that doesn't enable networking at first. In my case I need to wait 1-3 minutes until OpenVPN reconnects itself based on ping timeout: after the reconnect I receive another IP and everything starts to work. I do not know whether it's an OpenVPN or a Windows bug.

     One last note: using multiple VPNs
     Actually this will work, that's how I roll. As long as both VPNs don't clash by using the same subnet. If this happens, you will need to change Line 5 to point to a more specific (aka smaller) subnet tailored to your AirVPN server. Specifying a 10.x.x.0/24 subnet for routing will surely do (subnet mask: Just be aware that you cannot practically use the same IP range in both networks at the same time (well, you'd need to bind the application you are using to either interface, which you cannot do with a browser or the printing service in case of internal resources).

     (The story of broken net_gateway)
     For this placeholder, OpenVPN attempts to determine your 'default gateway', i.e. the router all your internet traffic passes through. It normally works, but may not be supported on other platforms (Linux, sigh). However it has one unintended side-effect: if you already have a VPN that reroutes all your traffic, net_gateway will make all AirVPN traffic go through the first VPN:

       Your traffic -> VPN1 -> Internet
       Torrent traffic -> VPN1 -> AirVPN -> Internet

     That's the unintended dual-hop. Surely you can extend that scheme to 3,4,n-hops if you fiddle enough with routing, subnet masks and correct order. I'm not responsible for headaches. We avoid that behavior with Line 4 from our config - the remote_host line forces the AirVPN traffic to go straight to the internet (through your LAN router). One more thing: net_gateway is not available for IPv6 routes in OpenVPN. That's why it currently only works with an IPv4 connection to the VPN server.

     (Crash course: Subnet masks)
     You've seen the weird number above. You should refer to other pages for a proper explanation, but basically this is a very simple way for computers to determine the range of IP addresses that are part of a network (a subnet). What's simple for computers is very hard to grasp for us humans.
       • 255 means there are NO changes allowed to the first set of IP numbers. I.e. the 10 in always stays a 10.
       • 0 means all numbers can be used. I.e. the zeroes in can be (0-255), lowest address is and the last address is (technically, is the first and the last is reserved for 'broadcast')
       • Any number in between denotes ... a range in between.

     2^(32-prefix)=number. Number is the amount of available addresses and prefix is called the subnet prefix. Both are meant to describe the same thing. For or with subnet mask of you get addresses in range -- 2^(32-26) = 64. Similarly you can convert the subnet mask into the prefix number and work from there; or eyeball it: 256-192 = 64.

     (Two ways to accomplish routing)
     If you have two equal routes, e.g.

       (1) goes through VPN with metric 666
       (2) goes through LAN router with metric 10

     then obviously the default route for a packet will travel through (2) - because it's a cheaper path. Unless an application specifies to talk only on the VPN interface. However a different rule applies whenever a more specific route exists:

       (1) goes through VPN2 with metric 666
       (2) goes through LAN router with metric 10
       (3) goes through VPN1 with metric 30
       (4) goes through VPN1 with metric 30

     Here the routes (3) and (4) cover the entire addressing space, just like However because they are more specific, they'll be preferred for all traffic because these routes are more selective. This is how OpenVPN does override system routing with VPN routing by default. This is also what the other guide attempted as well, by pushing four {0,64,128,192}.0.0.0/2 routes. Since that was more specific, it would in return override the 0,128 routes and so on. We can calculate how many multi-hops we would be able to do with this method: IPv4 has 32 bits, we will not touch the last 8 bits of the subnets. That leaves us then with 24 bits or 24 maximum amount of hops. Theoretically. The routing table would be outright f---- to look at.

     This method is a bit more 'secure' in a way because you don't need to rely on overriding a certain metric value, you just slap a more specific route on top and it's automatically made default. Also you don't need to override the default gateway (router) and all that junk. However with my preferred method (first) you can quite easily do DIY dual-hop routing:

       (1) goes through VPN2 with metric 666
       (2) goes through LAN router with metric 10
       (3) goes through VPN1 with metric 30
       (4) goes through VPN1 with metric 30
       (5) <VPN2-IP>/32 goes through VPN1 with metric (any)

     Such a setup will make sure that all traffic destined for the internet (hits 3 and 4) will go through VPN1. If a program specifies the VPN2 network interface, then VPN2 will be reached via VPN1 first (you->VPN1->VPN2). This is quite 'quizzacious' to set up/control. Not part of this guide. As a part of this guide we told the system to route VPN2 via router on LAN. Yet you could indeed chain multiple VPNs this way and force the VPN1 to not only catch all traffic but also be chained via multiple VPNs itself so you would not need to manually set programs. I've seen scripts online for that purpose. Although be aware of MTU issues due to encapsulation.

     Troubleshooting tips
     TEST. SERIOUSLY, TEST YOUR SETUP BEFORE ENGAGING YOUR DATA CANNONS! A couple of hours now are worth infinitely more than a 'leaked' mistake and headaches later on.
       • https://ipleak.net/ - tests your client's default connection route. It would not tell you if your client is alternatively available on LAN for example. If you followed this guide and set up your client correctly, it will not be available on LAN etc. See the images below: 'without interface binding' (most newbie users) and 'with interface binding' (this guide)
       • Wireshark to inspect how the traffic is actually flowing. Follow online tutorials, you only need to select the right network interfaces and filter traffic by port/IP (tcp/udp and your local or VPN IP)
       • curl to send network requests. Like ifconfig.co / ifconfig.io will respond with the IP address it sees you as:

         ```
         curl --interface <your computer IP> http://ifconfig.co
         curl --interface http://ifconfig.co
         # for IPv4 or IPv6, default route
         curl -4 http://ifconfig.co
         curl -6 http://ifconfig.co
         ```

       • > route -4 print and > route -6 print on Windows. To compare the outputs, you can use Notepad++ with the compare plugin (you need two documents open, one in left and another in right pane before comparing).

     PS: AirVPN configuration generator does not support #comment lines. Please fix.

     Sorry Linux users, maybe another time I will write something tailored to you. But I believe you are smart cookies and will adapt the OS-specific steps to fulfill this guide's goal.
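The route-selection rules the guide spells out in (Two ways to accomplish routing), modelled as an added example that is not part of the post above: longest prefix wins first, and the metric only breaks ties between equal prefixes, which is why the metric-666 default route loses to the LAN router while the two /1 routes override it. The route destinations, the "VPN1"/"VPN2" labels and the 203.0.113.10 VPN2 server address are constructed for illustration; the metrics (666, 10, 30) are the guide's own.

```python
"""Added example (not from the original post): a tiny route-selection model
showing why the guide's metric-666 default route loses to the LAN router
while the "more specific" 0.0.0.0/1 + 128.0.0.0/1 routes override it.
Route destinations and the 203.0.113.10 "VPN2 server" address are
constructed for illustration; the metrics (666/10/30) are the post's own."""
import ipaddress
from typing import List, Optional


class Route:
    def __init__(self, prefix: str, via: str, metric: int) -> None:
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.via = via          # next hop / interface, e.g. "VPN1", "LAN router"
        self.metric = metric    # path cost; lower wins among equal prefixes

    def __repr__(self) -> str:
        return f"{self.net} via {self.via} metric {self.metric}"


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match first; the metric only breaks ties between equal
    prefixes. This is the rule Linux and Windows both apply, and it is why a
    /1 route with metric 30 beats a /0 route with metric 10."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table
                  if r.net.version == addr.version and addr in r.net]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.net.prefixlen, r.metric))


def next_hop(table: List[Route], dst: str) -> str:
    r = select_route(table, dst)
    return r.via if r else "unreachable"


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.192' -> 26 (the guide's subnet-mask crash course)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def addresses_in_prefix(prefix_len: int) -> int:
    """2^(32-prefix) from the guide: a /26 holds 64 addresses."""
    return 2 ** (32 - prefix_len)


# Scenario 1 (the guide's first method): two equal default routes, so only
# the metric decides and ordinary traffic takes the LAN router.
def metric_only_table() -> List[Route]:
    return [
        Route("0.0.0.0/0", "VPN2", 666),       # AirVPN: "route ... default 666"
        Route("0.0.0.0/0", "LAN router", 10),  # the system's normal default route
    ]


# Scenario 2 (the "other guide" / OpenVPN redirect-gateway trick): two /1
# routes cover the whole address space and win regardless of metric.
def specific_override_table() -> List[Route]:
    return metric_only_table() + [
        Route("0.0.0.0/1", "VPN1", 30),
        Route("128.0.0.0/1", "VPN1", 30),
    ]


# Scenario 3: the guide's "route remote_host <router IP>" line as a /32
# exception, so the packets that carry the VPN2 tunnel itself go straight to
# the LAN router instead of being swallowed by the /1 routes (the unintended
# dual-hop the guide describes).
VPN2_SERVER = "203.0.113.10"  # constructed placeholder for the VPN2 endpoint


def with_remote_host_exception() -> List[Route]:
    return specific_override_table() + [Route(f"{VPN2_SERVER}/32", "LAN router", 0)]


if __name__ == "__main__":
    probe = "93.184.216.34"  # any public destination
    for name, tbl in [("metric only", metric_only_table()),
                      ("/1 override", specific_override_table()),
                      ("/1 override + /32 remote_host", with_remote_host_exception())]:
        print(f"{name:30s} {probe} -> {next_hop(tbl, probe):10s} "
              f"{VPN2_SERVER} -> {next_hop(tbl, VPN2_SERVER)}")
    print("255.255.255.192 -> /%d, %d addresses"
          % (mask_to_prefix("255.255.255.192"), addresses_in_prefix(26)))
```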
  3. EDIT: Figured it out. I was under the assumption that systemd-resolved took over all DNS processing and made /etc/resolv.conf obsolete, but apparently that's still where AirVPN pushes the DNS settings too and somehow systemd-resolved overwrites it. Disabling systemd-resolved seems to have fixed this problem for now.

     Running AirVPNsuite on my server (Operating System: Debian GNU/Linux 11 (bullseye); Kernel: Linux 5.10.0-20-amd64), DNS breaks randomly 5-60mins after establishing connection. DNS settings, as far as I can tell, aren't being changed. I can still ping the server-pushed DNS server as well, but it just doesn't resolve. Relevant logs below:

     Logs immediately after establishing connection:

     ```
     root@labserver:~# resolvectl
     Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       resolv.conf mode: foreign
       Current DNS Server:
       DNS Servers:

     Link 2 (enp0s25)
       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers:

     Link 3 (docker0)
       Current Scopes: none
       Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers:

     Link 4 (tun0)
       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers:

     root@labserver:~# goldcrest --bluetit-status
     2023-03-02 22:47:43 Reading run control directives from file /root/.config/goldcrest.rc
     Goldcrest 1.2.1 - 9 December 2022
     2023-03-02 22:47:43 Bluetit - AirVPN OpenVPN 3 Service 1.2.1 - 9 December 2022
     2023-03-02 22:47:43 OpenVPN core 3.8.2 AirVPN linux x86_64 64-bit
     2023-03-02 22:47:43 Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
     2023-03-02 22:47:43 OpenSSL 1.1.1n 15 Mar 2022
     2023-03-02 22:47:43 Bluetit is connected to VPN
     2023-03-02 22:47:43 Persistent Network Lock and Filter is enabled. (using nftables)
     2023-03-02 22:47:43 ----------------------
     2023-03-02 22:47:43 Connected to AirVPN server Yildun (Miami, United States of America)
     2023-03-02 22:47:43 Users 50 - Load 8% - Bandwidth 80.08 Mbit/s - Max 1 Gbit/s
     2023-03-02 22:47:43 Server IP Address - Port 443 - Protocol UDPv4 - Cipher AES-256-GCM
     2023-03-02 22:47:43 Network topology: subnet - Server ping 10 s - Ping restart 60 s
     2023-03-02 22:47:43 Pushed DNS: (IPv4)
     2023-03-02 22:47:43 Connection time: 00:02:25
     2023-03-02 22:47:43 Transferred data: In 34.09 KB, Out 9.15 KB
     2023-03-02 22:47:43 Current rate: In 0 bit/s, Out 0 bit/s
     2023-03-02 22:47:43 Maximum rate: In 14.78 Kbit/s, Out 1.09 Kbit/s
     root@labserver:~# ping google.com
     PING google.com ( 56(84) bytes of data.
     64 bytes from mia07s61-in-f14.1e100.net ( icmp_seq=1 ttl=120 time=72.3 ms
     64 bytes from mia07s61-in-f14.1e100.net ( icmp_seq=2 ttl=120 time=72.3 ms
     64 bytes from mia07s61-in-f14.1e100.net ( icmp_seq=3 ttl=120 time=72.5 ms
     ```

     Logs ~1 hour later when DNS has failed:

     ```
     root@labserver:~# resolvectl
     Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       resolv.conf mode: foreign
       Current DNS Server:
       DNS Servers:

     Link 2 (enp0s25)
       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers:

     Link 3 (docker0)
       Current Scopes: none
       Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers:

     Link 4 (tun0)
       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
       Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers:

     root@labserver:~# goldcrest --bluetit-status
     2023-03-02 23:56:38 Reading run control directives from file /root/.config/goldcrest.rc
     Goldcrest 1.2.1 - 9 December 2022
     2023-03-02 23:56:38 Bluetit - AirVPN OpenVPN 3 Service 1.2.1 - 9 December 2022
     2023-03-02 23:56:38 OpenVPN core 3.8.2 AirVPN linux x86_64 64-bit
     2023-03-02 23:56:38 Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
     2023-03-02 23:56:38 OpenSSL 1.1.1n 15 Mar 2022
     2023-03-02 23:56:38 Bluetit is connected to VPN
     2023-03-02 23:56:38 Persistent Network Lock and Filter is enabled. (using nftables)
     2023-03-02 23:56:39 ----------------------
     2023-03-02 23:56:39 Connected to AirVPN server Yildun (Miami, United States of America)
     2023-03-02 23:56:39 Users 50 - Load 4% - Bandwidth 48.70 Mbit/s - Max 1 Gbit/s
     2023-03-02 23:56:39 Server IP Address - Port 443 - Protocol UDPv4 - Cipher AES-256-GCM
     2023-03-02 23:56:39 Network topology: subnet - Server ping 10 s - Ping restart 60 s
     2023-03-02 23:56:39 Pushed DNS: (IPv4)
     2023-03-02 23:56:39 Connection time: 01:11:19
     2023-03-02 23:56:39 Transferred data: In 627.65 KB, Out 107.48 KB
     2023-03-02 23:56:39 Current rate: In 20 bit/s, Out 0 bit/s
     2023-03-02 23:56:39 Maximum rate: In 65.65 Kbit/s, Out 3.59 Kbit/s
     root@labserver:~# ping google.com
     ping: google.com: Temporary failure in name resolution
     root@labserver:~# ping
     PING ( 56(84) bytes of data.
     64 bytes from icmp_seq=1 ttl=120 time=72.3 ms
     64 bytes from icmp_seq=2 ttl=120 time=72.3 ms
     64 bytes from icmp_seq=3 ttl=120 time=72.3 ms
     root@labserver:~# dig google.com

     ; <<>> DiG 9.16.33-Debian <<>> google.com
     ;; global options: +cmd
     ;; connection timed out; no servers could be reached
     ```
  4. Hello all, I'm new to AirVPN and I'm currently loving it! Although, I have a question. I have 2 devices connected to AirVPN, one through the eddie-ui app and the other through the eddie-cli app (one Windows / one Linux). In the client area -> Sessions, it shows that both devices are connected, but when I inspect the sessions page, both devices have the same device name. I went to the devices tab in the Client Area and created a new device but I'm unsure of how to assign it to the second device. How can I go about this? Thank you. EDIT: I think it's called the AirVPN key. I was able to select it through the Eddie client app on Android but I'm unsure of how to do the same through the windows/linux version of Eddie-ui as well as the linux version of Eddie-cli.
  5. Hi guys, I've tried a few distros with WireGuard but for some reason they all connect, but I lose internet connectivity right after. I always use the config generator with IPv4 only and Europe. I then import the file into the Network Manager in KDE, connect without any problems and from then on my Internet is down. I am currently running Manjaro on a Raspberry Pi. Does anybody have any similar issues? Running the VPN over my Router directly works fine, which is confusing me. Although, this won't help me with my project. Thanks in advance for any answers!
  6. Hi there, Long time hassle-free AirVPN user with a first troubleshooting request after switching from Eddie-UI to the Bluetit stack (love your work!)

     Looks as though the two processes are fighting for `/etc/resolv.conf` and causing issues with DNS. NetworkManager will rewrite the file on a Wi-Fi network change, causing loss of connectivity as local DNS is disallowed by the network lock. Can be worked around by stopping the Bluetit service, toggling Wi-Fi, then re-enabling; but this is tedious to repeat if the network is at marginal signal strength.

     Is there a way to configure NetworkManager not to mess with DNS? I think that would largely resolve the issue. But, in an ideal world I would be able to have NetworkManager still manage the DNS if Bluetit is not active so that I can still operate normally on local networks without routing through AirVPN if I choose to. Seems unlikely to be simple, but worth asking.

     Given that I am getting two warnings about DNS, I wonder if `systemd-resolved` could also be interfering and if there are other configuration steps I can take to ensure compatibility with it:

     ```
     bluetit: WARNING: NetworkManager is running on this system and may interfere with DNS management and cause DNS leaks
     bluetit: WARNING: systemd-resolved is running on this system and may interfere with DNS management and cause DNS leaks
     ```

     I also wonder whether use of Goldcrest could avoid some of these problems. Personally I have not understood the need for the utility and have been interacting with Bluetit directly via systemctl and `/etc/airvpn/bluetit.rc`. As far as I can tell, Goldcrest just moves configuration stuff out of the `.rc` file into CLI args?
  7. Using AirVPN with OpenWRT

     This guide is for users who want to set up an OpenWRT (Chaos Calmer) router and have it already up and running without modification. This guide will work with a router that has more than one network interface and at least 8 MB flash (because of the dependencies). Please backup your router first!!!

     1. Set up the wan interface as a dhcp client, that way you can use your router at most of the isp boxes.
     2. Set up a wireless network with the name and password of your choice, a dhcp server. (Please note that you should use WPA2-PSK).
     3. Connect to your new wireless network.
     4. Unbridge the LAN interface(s). Go to "Physical Settings" of the LAN interface(s) and uncheck the "creates a bridge over specified interface(s)". Check the interface button of your new wireless network.
     5. Connect to your router via SSH.
     6. Install dependencies for the openvpn setup. First update the packages, then install openvpn and nano:

        ```
        opkg update
        opkg install openvpn-openssl
        opkg install nano
        ```

     7. Backup the openvpn files:

        ```
        mv /etc/config/openvpn /etc/config/openvpn_old
        ```

     8. Create a new interface called airvpn:

        ```
        cat >> /etc/config/network << EOF
        config interface 'airvpn'
                option proto 'none'
                option ifname 'tun0'
        EOF
        ```

     9. Use the "Config Generator" of Airvpn to create the openvpn files. Please select the "Advanced Mode" and check "Separate keys/certs from .ovpn file" and "Resolved hosts in .ovpn file". Save the files on your machine.
     10. On the router move into the openvpn folder:

         ```
         cd /etc/openvpn
         ```

     11. Use nano to create all the required files on your router. Copy and paste the following files "AirVPN_**************.ovpn, ta.key, ca.crt, user.crt, user.key". Rename the "AirVPN_**************.ovpn" into airvpn.conf for usability.

         ```
         nano airvpn.conf
         nano ta.key
         nano ca.crt
         nano user.crt
         nano user.key
         ```

         The airvpn.conf should look like this:

         ```
         client
         dev tun
         proto udp
         remote xxx.XXX.xxx.XXX XXX
         resolv-retry infinite
         nobind
         persist-key
         persist-tun
         remote-cert-tls server
         cipher AES-256-CBC
         comp-lzo no
         route-delay 5
         verb 3
         ca ca.crt
         cert user.crt
         key user.key
         tls-auth ta.key 1
         ```

     12. Create a firewall zone for the vpn:

         ```
         cat >> /etc/config/firewall << EOF
         config zone
                 option name 'air_firewall'
                 option input 'REJECT'
                 option output 'ACCEPT'
                 option forward 'REJECT'
                 option masq '1'
                 option mtu_fix '1'
                 option network 'airvpn'

         config forwarding
                 option dest 'air_firewall'
                 option src 'lan'
         EOF
         ```

     13. Reboot router.
     14. Test openvpn configuration:

         ```
         openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.conf
         ```

         At the end it should show "Initialization Sequence Completed". Stop openvpn with "Ctrl-C".

     15. Use the Airvpn DNS (here Port 443 - Protocol UDP) and reboot. Please change if you use a different port (https://airvpn.org/specs/):

         ```
         uci add_list dhcp.lan.dhcp_option="6,"
         uci commit dhcp
         reboot
         ```

     16. Secure against IP Leak, backup old firewall and create new firewall rules:

         ```
         mv /etc/config/firewall /etc/config/firewall.backup
         cat >> /etc/config/firewall << EOF
         config defaults
                 option syn_flood '1'
                 option input 'ACCEPT'
                 option output 'ACCEPT'
                 option forward 'REJECT'

         config zone
                 option name 'lan'
                 option network 'lan'
                 option input 'ACCEPT'
                 option output 'ACCEPT'
                 option forward 'REJECT'

         config zone
                 option name 'wan'
                 option output 'ACCEPT'
                 option forward 'REJECT'
                 option network 'wan'
                 option input 'ACCEPT'

         config zone
                 option name 'airvpn'
                 option input 'REJECT'
                 option output 'ACCEPT'
                 option forward 'REJECT'
                 option masq '1'
                 option mtu_fix '1'
                 option network 'airvpn'

         config rule
                 option name 'Allow-DHCP-Renew'
                 option src 'wan'
                 option proto 'udp'
                 option dest_port '68'
                 option target 'ACCEPT'
                 option family 'ipv4'

         config rule
                 option name 'Allow-Ping'
                 option src 'wan'
                 option proto 'icmp'
                 option icmp_type 'echo-request'
                 option family 'ipv4'
                 option target 'ACCEPT'

         config rule
                 option name 'Allow-DHCPv6'
                 option src 'wan'
                 option proto 'udp'
                 option src_ip 'fe80::/10'
                 option src_port '547'
                 option dest_ip 'fe80::/10'
                 option dest_port '546'
                 option family 'ipv6'
                 option target 'ACCEPT'

         config rule
                 option name 'Allow-ICMPv6-Input'
                 option src 'wan'
                 option proto 'icmp'
                 list icmp_type 'echo-request'
                 list icmp_type 'echo-reply'
                 list icmp_type 'destination-unreachable'
                 list icmp_type 'packet-too-big'
                 list icmp_type 'time-exceeded'
                 list icmp_type 'bad-header'
                 list icmp_type 'unknown-header-type'
                 list icmp_type 'router-solicitation'
                 list icmp_type 'neighbour-solicitation'
                 list icmp_type 'router-advertisement'
                 list icmp_type 'neighbour-advertisement'
                 option limit '1000/sec'
                 option family 'ipv6'
                 option target 'ACCEPT'

         config rule
                 option name 'Allow-ICMPv6-Forward'
                 option src 'wan'
                 option dest '*'
                 option proto 'icmp'
                 list icmp_type 'echo-request'
                 list icmp_type 'echo-reply'
                 list icmp_type 'destination-unreachable'
                 list icmp_type 'packet-too-big'
                 list icmp_type 'time-exceeded'
                 list icmp_type 'bad-header'
                 list icmp_type 'unknown-header-type'
                 option limit '1000/sec'
                 option family 'ipv6'
                 option target 'ACCEPT'

         config include
                 option path '/etc/firewall.user'

         config forwarding
                 option dest 'airvpn'
                 option src 'lan'
         EOF
         ```

     TEST WITH ipleak.net... It worked that way with my router, I would be happy if someone else could verify my setup.
  8. Hi, I have written an alternative client for AirVPN that I would like to share with you. Just as Eddie, it supports other providers, too, as long as OpenVPN config files are provided. For AirVPN and Mullvad it offers a convenient update function that just requires you to enter your credentials in order to download the latest server configurations. Furthermore, it allows you to choose among the plethora of protocols offered by AirVPN (including OpenVPN over SSL/SSH) except the experimental ones (I might add support for those in the future, once they become available for all servers).

Qomui (Qt OpenVPN management UI), as I have named it, is written in Python and PyQt and should run on any GNU/Linux distribution. It allows you to easily create double-hop connections. In other words, you can route your requests via two OpenVPN servers. This feature works provider-independently. For example, you could choose a Mullvad server for the first hop, and AirVPN for the second (I have successfully tested this with AirVPN, Mullvad and ProtonVPN). Thereby, it avoids a major downside of similar offers by some providers, namely the fact that if one provider controls all "hops" he or she could potentially still see, log or inspect all your traffic. In the latter case, you would gain little in terms of privacy. With the ability to "mix" providers, Qomui does not suffer from the same problem and hence offers some tangible benefits. Obviously, you would still have to sacrifice some speed/bandwidth, though.

Depending on your DE (looking at you, Gnome!), Qomui will also display a systray icon that shows the country of the server you are currently connected to. Additional features include protection against DNS leaks and a firewall that optionally blocks all outgoing network connections except for the OpenVPN server you have chosen. Since it is never recommended to run graphical applications as root, which is a major flaw of most OpenVPN clients, all commands that require root privileges are handled by a background service that can be controlled via systemd.

The following screenshot gives you an idea of what Qomui looks like (on Arch/Arc Dark Theme). If you are interested, you can download Qomui from GitHub: https://github.com/corrad1nho/qomui

Of course, I'd be happy for any kind of feedback. If you find bugs or Qomui does not run properly or not at all on your machine, please let me know. I'm happy to help!

Lastly, a big thank you to AirVPN and its amazing community. The fact that you rely more on explaining technical details than empty promises has helped me to learn a lot. It is also one of the main reasons why I chose AirVPN. Commendably, Eddie is also released as open-source software. Only Mullvad does that, too, to my knowledge. Why doesn't every provider do that? You are selling a service, not software! Why would I trust in proprietary software?

Funnily, I have never really used Eddie, though, since I was accustomed to manually adding config files to NetworkManager as my first provider did not offer a GNU/Linux client. My interest in features such as OpenVPN over SSL made me look into more convenient solutions, though. Ultimately I decided to write my own program as I wanted to learn some Python and this provided a perfect practical challenge. I have actually used Qomui daily on multiple machines during the past few months and constantly tried to improve it. So I thought it'd be about time to share it (it's an alpha release, though).

Have a nice weekend!
Corrado
  9. https://fruho.com is an open-source, zero-configuration VPN manager. It supports automatic setup and allows easy switching between VPN providers. AirVPN is supported, and this could be a great alternative for anyone who chooses to use this instead of Eddie, for example in case your distribution is not officially supported by it. The developers always add new providers so it might soon become a very promising project.

Which VPN services are supported? Currently we support "one click" import from the following providers:
- VpnBook (free)
- SecurityKISS (free or premium)
- Mullvad (free trial or premium)
- HideIpVPN (free trial or premium)
- VyprVPN (free trial or premium)
- AirVPN (premium only)
- CactusVPN (free trial or premium)
- ibVPN (free trial or premium)
  10. Lately, I've been unable to get Eddie to connect to any server on my Linux operating system. It's always stuck while doing latency tests and I get the following error message:

E 2021.12.27 13:47:45 - Exception: nft issue: exit:1; out:; err:Error: syntax error, unexpected rule, expecting string
E 2021.12.27 13:47:45 - del rule ip filter OUTPUT ip daddr counter accept
E 2021.12.27 13:47:45 - ^^^^

If you need info on my OS...

Any help would be much appreciated. Thanks.

Eddie_20211227_134819.txt
  11. Recently qBittorrent has begun locking up within 60 seconds of startup when running Eddie. Even if no torrents are active, it locks up. I am running Fedora 34 and have tried a bunch of kernels and rollbacks to no avail. I have downgraded openvpn and qbittorrent (both were updated recently). I even built qbittorrent from source to test. No luck. I have tried upgrading Eddie UI to the 2.21 beta and downgrading to 2.16 and 2.18. (Still no positive result.) I have tried using just the root user with no torrents, I have tried Fedora 35 beta with the same result. Frankly, I'm stumped. Are there other RPMs I could try downgrading or changing? Anyone else seeing something like this?
  12. It seems I can't post in How To so I'll post here. In this tutorial I will explain how to exclude individual programs while connected via the Eddie client and have the network lock active. I wanted to run Steam without VPN so my latency was low for some competitive gaming, while my whole system was still connected and locked.

For this to work we need firejail. Firejail can sandbox individual programs on its own with a lot of parameters. Install firejail first.

We want a clean firewall state, so disable network lock and flush the firewall. To check it's clean run:

sudo iptables -nvL

If not clean run:

sudo iptables --flush

Now we want to save this state to a file.

sudo iptables-save -f /etc/firejail/iptables-save

You can now network lock again.

Make a bash script:

#!/bin/bash
firejail --noprofile \
  --net=your_main_ethernet_interface \
  --ip=ip_address_in_your_routers_subnet \
  --defaultgw=router_ip \
  --dns=dns_server_of_your_choice \
  --dns=dns_server_of_your_choice \
  --netfilter=/etc/firejail/iptables-save \
  program_you_want_to_run

Save in /usr/bin/ and make it executable:

chmod +x program

You can now run the bash script and your program will be excluded from the VPN and network lock. Check with firejail --top to see if it is "jailed".

You could also replace program_you_want_to_run with $1 and name the script novpn or so. This would make it a lot more versatile, as you can now pass an argument with the script like so:

novpn firefox
novpn thunderbird
novpn steam-runtime

If you want to avoid a bash script and you want to directly run your program with firejail, follow along. This means if you run (in my case) steam-runtime directly, it will be firejailed. If you do this you can delete the above bash script you made.

cp /usr/share/doc/firejail/profile.template ~/.config/firejail/

Rename it to your_program.template. your_program should match the executable name you want to run. In my case steam-runtime. Edit the file and comment out every include you see, so everything is commented out. And paste the text below as you see fit. Somewhere around the "net" stuff would be my choice.

net your_main_ethernet_interface
ip ip_address_in_your_routers_subnet
defaultgw router_ip
dns dns_server_of_your_choice
dns dns_server_of_your_choice
netfilter /etc/firejail/iptables-save

Make a symbolic link:

sudo ln -s /usr/bin/firejail /usr/local/bin/your_program

And that's it. Every time you run your_program it will be firejailed and outside of the VPN. Check with firejail --top.
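An added example in POSIX shell, not part of the tutorial above: the step "check it's clean" matters because whatever iptables-save captures becomes the netfilter ruleset of every jail, so a leftover network-lock rule would be baked in. This helper checks a dump for non-ACCEPT policies and leftover rules before writing the snapshot; the function names and the two sample dumps are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Verifies that an
# iptables-save dump is "clean" (built-in chains only, every policy ACCEPT,
# no -A rules) before it is stored as the firejail --netfilter snapshot.
# Function and sample names are constructed for this example.

# Reads iptables-save output on stdin. Exits 0 when clean; otherwise prints
# each offending line and exits 1.
iptables_dump_is_clean() {
    awk '
        /^#/ || /^\*/ || /^COMMIT$/ || /^$/ { next }   # comments, table headers, COMMIT
        /^:/ {                                          # chain line, e.g. ":INPUT ACCEPT [0:0]"
            if ($2 == "-")           { bad++; print "user-defined chain: " $0 }
            else if ($2 != "ACCEPT") { bad++; print "non-ACCEPT policy:  " $0 }
            next
        }
        /^-A / { bad++; print "leftover rule:      " $0; next }
        { bad++; print "unexpected line:    " $0 }
        END { exit (bad > 0) }
    '
}

# Feed a dump held in a shell variable to the checker, discarding the report.
dump_text_is_clean() {
    printf '%s\n' "$1" | iptables_dump_is_clean >/dev/null
}

# Snapshot the live ruleset only if it is clean. Must run as root.
# $1 = destination file (the tutorial uses /etc/firejail/iptables-save).
save_clean_snapshot() {
    dest="$1"
    dump=$(iptables-save) || return 1
    if ! printf '%s\n' "$dump" | iptables_dump_is_clean; then
        echo "refusing to save: firewall is not clean (disable network lock, then iptables --flush)" >&2
        return 1
    fi
    printf '%s\n' "$dump" > "$dest"
}

# Constructed sample: what iptables-save prints after a flush with default policies.
CLEAN_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: a network-lock style ruleset that must NOT be snapshotted,
# because the jail would inherit it and lose all connectivity outside tun0.
LOCKED_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT'

# Stand-alone usage: sh this.sh --save /etc/firejail/iptables-save
case "${1:-}" in
    --save) save_clean_snapshot "$2" ;;
esac
```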
  13. Hello. I have a minor, yet quite annoying problem here. After switching OS (Windows -> Linux), I have noticed pings in the server overview being quite a bit higher. Has anyone had the same problem? Maybe any suggestions?

I use: Arch Linux x86_64, Eddie 2.19.7. I'm using NetworkManager.

I tried comparing the results from Eddie with results from pinging using the terminal. For the first four results, I picked the first server on the list from each country (sorted by lowest latency). For the last two I picked one near 100ms and a server near 150ms to hopefully see a pattern in the results. The IPs I pinged are the ones you find if you right-click a server, click more, and then take the IP from "remote". These are my results:

Anser (Netherlands) - Eddie: 19ms, Terminal: 12.5ms
Arion (UK) - Eddie: 24ms, Terminal: 16.8ms
Cervantes (Germany) - Eddie: 25ms, Terminal: 16.4ms
Algorab (Sweden) - Eddie: 26ms, Terminal: 15.1ms
Dimidium (NY USA) - Eddie: 104ms, Terminal: 93ms
Ran (Texas USA) - Eddie: 150ms, Terminal: 121ms
  14. I use AirVPN with Eddie on Linux (Ubuntu 21.04). I have certain applications (and even websites if possible) I would like to exclude from the VPN. I have to open and close the AirVPN connection numerous times a day since I need to open a VPN connection to my work where I download updated data. I also have an IRC client running which does not like the changes and cuts me off every time I turn the VPN on and off. Other applications like Signal Desktop or Slack seem to handle these changes. Best would of course be if I could add my work VPN (OpenVPN) to Eddie or in addition to Eddie, but that means two VPNs open at the same time and I do not even know if that is possible. I also have problems with Pandora, which won't play when I set up my AirVPN connection to overseas locations (I live and work in the US). On Android it's easy to exclude apps, but on Linux I have no idea if it's possible and how I would go about setting it up.
  15. Currently AirVPN servers ONLY provide you with IPv6 connectivity (IPv6 traffic via VPN) if OpenVPN correctly pushes a certain value to the server. This is what the relevant config lines look like:

push-peer-info
setenv UV_IPV6 yes

'UV_IPV6 yes' is a variable that is set to 'yes', basically: yes, gimme IPv6. push-peer-info sends the server information about the client. This includes: OS version and OpenVPN client release, your router's MAC address and of course the UV_IPV6 variable that tells the server to give you an IPv6 address. This last part is problematic and has already led to problems for AirVPN users: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/556

I've run into this issue myself when I tried to get AirVPN running on Linux using the NetworkManager interface (present in virtually every distro out there). It's confusing because it seems to work but in reality it doesn't. You do get a connection, except without IPv6 forwarding. It's no surprise people encounter this: why would one really need to install your client if the preinstalled GUI manager has worked fine before? Nobody knows the intricacies. Not even those who reported the issue to the correct place above!

*drum-roll* and the problem is: NetworkManager. Really. NetworkManager is crippled in that it DOES NOT support many of the OpenVPN features. The combination of push-peer-info + setenv is one of them. The variable is not set upon connection -> VPN connects to the server -> the server does not see UV_IPV6=yes -> the server only sets up IPv4 for the client.

Yes, THIS IS A SECURITY ISSUE. According to Google, 32% of users have IPv6. Here you come, an AirVPN user with IPv4 and IPv6 on Linux, using NetworkManager. It seems to connect. You quickly check a website to see your IP and see that you indeed got a new IP (IPv4) after connecting to the VPN. Maybe the website doesn't show IPv6 at all, or the user doesn't pay attention to the fact that this long and cryptic IPv6 didn't change, or maybe the user did not yet have IPv6 and it was enabled later by the ISP... And there the user goes to surf online with half his ass naked: IPv4 is properly routed through AirVPN but IPv6 is still going through his real ISP.

This must be changed. IPv6 must be the default. Do not leave a chance to expose users. When this change is applied, both config lines will be rendered obsolete and as a bonus, the clients will no longer unnecessarily send their internal MAC addresses to the server, which can be used too:
- https://threatpost.com/fbi-mum-on-how-exactly-it-hacked-tor/117127/ | https://www.theregister.com/2018/02/24/tor_fbi_hacking_appeal/
- https://web.archive.org/web/20180923231303/https://blog.owenson.me/analysis-of-the-fbi-tor-malware/

Finally, if you feel there's someone who really wishes to not use IPv6 via Air: reverse the config. Make it an explicit UV_IPV6=no to opt out. Security must be the default.

Thanks for reading. I really hope this change is introduced soon.

PS: Can someone log in at the Freedesktop bug tracker above to tell these people that it's fixable? I don't have an account.
PPS: You can see what push-peer-info sends if you set verbosity to 4: "verb 4" in the config.

Tags: IPv6 not working AirVPN Linux config openvpn
  16. Personally I'm using gufw for Linux, and it works very well. However, it's important to remember that gufw is just a graphical frontend for ufw, and ufw, in turn, is just a friendlier system for manipulating iptables (which is again a system for manipulating netfilter directly in the running kernel). Gufw is perhaps oversimplified, which is why I find it not really that great for anything else than providing an overview of your rules and turning the firewall on and off. With regards to Firestarter, I have tried it once, but I didn't really have any good experience with it, since, as you guys have already posted, it seems rather poorly coded and does some odd things when manipulating iptables. What I found invaluable about ufw is its ability to specify rules based on interface and its simplicity even though it's quite powerful. This was my main motivation for using it over other solutions like Firestarter, and Shorewall was too complicated for my taste.

My rule approach goes like this:

- Allow connections OUT to the AirVPN servers I use the most (for connecting/reconnecting to the AirVPN service, entry IPs, marked RED on the screenshot)
- Allow connections OUT FROM the tun0 interface TO anywhere (when I'm connected, this is the interface used to communicate with the Internet, marked GREEN on the screenshot)
- Allow connections (UDP/TCP) IN TO the tun0 interface on a specific port (to enable AirVPN's port forwarding feature, marked BLUE on the screenshot)
- Allow connections IN FROM the network TO the eth0 interface (enable home networking. Notice how it's on a different interface, YELLOW)
- Allow connections OUT FROM the eth0 interface TO the network (enable home networking, also on the eth0 interface, YELLOW)
- Block ALL other traffic (by choosing DENY/DENY in gufw)

When the VPN drops (and the tun0 interface is disabled), the only connections allowed OUT from the computer are to the AirVPN server IPs (to reconnect) and the local network (to still function in the LAN). And the only connections allowed TO the computer are from the local network as well. No leaks.

Now, the gufw GUI doesn't allow for specifying the interface (remember, it's oversimplified), so to do that, it's necessary to use ufw directly. Gufw can, however, display the rules when created by ufw. For example:

"sudo ufw allow out on tun0 from any to any" is quite straightforward, and of course creates the rule that allows for communication TO the Internet when connected to AirVPN.

"sudo ufw allow in on tun0 from any to any port xxxxx" enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through.

Tips:
- the order of the rules is very important - mimic mine on the screenshot attached
- to add rules in a specific order from the command line, use "insert x": "sudo ufw insert 3 allow in on tun0 from any to any port xxxxx" inserts the rule at the 3rd position and moves the rules below it downward, including the previous rule nr 3.
- when adding rules via the command line, press F5 in gufw to force a refresh and view the newly added rule
- the ufw manual is well worth reading, although you may not need any more information than offered in this post
- with this approach, you're blocking multicast addresses possibly forwarded by your router. Just a thing to have in mind in case you need it; it is of course easily remedied by creating a new rule allowing the address(es).

Let me know how this works for ya
  17. I'm trying to accept incoming connections to port 12345 on my VPN connection tun0. Right now split tunneling is working correctly, sending all data from user vpn through tun0. I've configured the port in the Client Area but am not able to successfully accept connections. This is my OpenVPN up.sh file that runs after a successful connection is made.

#! /bin/bash
export INTERFACE="tun0"
export NETIF="eno1"
export VPNUSER="vpn"
export LOCALIP=""
export LOCALSUB=""

# flushes all the iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# setting default actions
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

iptables -I INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT ! -s $LOCALIP -o $NETIF -j REJECT --reject-with icmp-port-unreachable

# block outgoing mail
iptables -A OUTPUT -p tcp --dport 25 -j REJECT

#SSH
iptables -A INPUT -s $LOCALSUB -i $NETIF -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT

# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# allow responses on VPN connection
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# all packets on $INTERFACE need to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE

# allow forwarded ports on VPN connection (this part doesn't seem to work)
iptables -A INPUT -i $INTERFACE -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 12345 -j ACCEPT
iptables -A INPUT -i $INTERFACE -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 12345 -j ACCEPT

# allow IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start routing script
/etc/openvpn/routing.sh

exit 0

This is the output of iptables -S.

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s -i eno1 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 12345 -j ACCEPT
-A INPUT -i tun0 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 12345 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -s -o eno1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
  18. Hi all, I'm new to Linux and I'm trying to install Eddie for desktop on a machine with arm64 architecture and Armbian Linux. So, after many troubles with the dependencies, I managed to install the Eddie experimental version 2.20.0 (providing the commands in the terminal). I can see the Eddie icon among the installed software, but when I click on it, it does not start. I tried to run eddie-ui in the terminal, but it gives this:

umbe@arm-64:~$ eddie-ui
Gtk-Message: 16:19:37.648: Failed to load module "gail"

** (mono:45754): WARNING **: 16:19:37.713: (../atk-adaptor/bridge.c:1018):atk_bridge_adaptor_init: runtime check failed: (root)
  at System.Drawing.GDIPlus.CheckStatus (System.Drawing.Status status) [0x0009b] in <728fbd68fe594062895e1f819791e76a>:0
  at System.Drawing.Bitmap..ctor (System.Int32 width, System.Int32 height, System.Drawing.Imaging.PixelFormat format) [0x00017] in <728fbd68fe594062895e1f819791e76a>:0
  at System.Drawing.Bitmap..ctor (System.Drawing.Image original, System.Int32 width, System.Int32 height) [0x00000] in <728fbd68fe594062895e1f819791e76a>:0
  at System.Drawing.Bitmap..ctor (System.Drawing.Image original, System.Drawing.Size newSize) [0x00010] in <728fbd68fe594062895e1f819791e76a>:0
  at (wrapper remoting-invoke-with-check) System.Drawing.Bitmap..ctor(System.Drawing.Image,System.Drawing.Size)
  at System.Windows.Forms.XplatUIX11.DefineCursor (System.Drawing.Bitmap bitmap, System.Drawing.Bitmap mask, System.Drawing.Color cursor_pixel, System.Drawing.Color mask_pixel, System.Int32 xHotSpot, System.Int32 yHotSpot) [0x0004e] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.XplatUI.DefineCursor (System.Drawing.Bitmap bitmap, System.Drawing.Bitmap mask, System.Drawing.Color cursor_pixel, System.Drawing.Color mask_pixel, System.Int32 xHotSpot, System.Int32 yHotSpot) [0x00000] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.Cursor.CreateCursor (System.IO.Stream stream) [0x00058] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.Cursor..ctor (System.Type type, System.String resource) [0x00021] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.Cursors.get_SizeNWSE () [0x0001a] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.SizeGrip..ctor (System.Windows.Forms.Control CapturedControl) [0x00006] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at (wrapper remoting-invoke-with-check) System.Windows.Forms.SizeGrip..ctor(System.Windows.Forms.Control)
  at System.Windows.Forms.ScrollableControl.CreateScrollbars () [0x000c2] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.ScrollableControl..ctor () [0x000b0] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.ContainerControl..ctor () [0x0000e] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.Form..ctor () [0x00012] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at Eddie.Forms.Form..ctor () [0x00000] in <46cc029634384b5c94f6b3babb3eff47>:0
  at Eddie.Forms.Forms.WindowSplash..ctor () [0x00000] in <46cc029634384b5c94f6b3babb3eff47>:0
  at (wrapper remoting-invoke-with-check) Eddie.Forms.Forms.WindowSplash..ctor()
  at Eddie.Forms.UiClient.Init (System.String environmentCommandLine) [0x0001e] in <46cc029634384b5c94f6b3babb3eff47>:0
  at Eddie.Forms.Linux.Program.Main () [0x00089] in <fa7df81f0a8b4782926a44fe63f1975f>:0

[ERROR] FATAL UNHANDLED EXCEPTION: System.ArgumentException: A null reference or invalid value was found [GDI+ status: InvalidParameter]
  at System.Drawing.GDIPlus.CheckStatus (System.Drawing.Status status) [0x0009b] in <728fbd68fe594062895e1f819791e76a>:0
  at System.Drawing.Bitmap..ctor (System.Int32 width, System.Int32 height, System.Drawing.Imaging.PixelFormat format) [0x00017] in <728fbd68fe594062895e1f819791e76a>:0
  at System.Drawing.Bitmap..ctor (System.Drawing.Image original, System.Int32 width, System.Int32 height) [0x00000] in <728fbd68fe594062895e1f819791e76a>:0
  at System.Drawing.Bitmap..ctor (System.Drawing.Image original, System.Drawing.Size newSize) [0x00010] in <728fbd68fe594062895e1f819791e76a>:0
  at (wrapper remoting-invoke-with-check) System.Drawing.Bitmap..ctor(System.Drawing.Image,System.Drawing.Size)
  at System.Windows.Forms.XplatUIX11.DefineCursor (System.Drawing.Bitmap bitmap, System.Drawing.Bitmap mask, System.Drawing.Color cursor_pixel, System.Drawing.Color mask_pixel, System.Int32 xHotSpot, System.Int32 yHotSpot) [0x0004e] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.XplatUI.DefineCursor (System.Drawing.Bitmap bitmap, System.Drawing.Bitmap mask, System.Drawing.Color cursor_pixel, System.Drawing.Color mask_pixel, System.Int32 xHotSpot, System.Int32 yHotSpot) [0x00000] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.Cursor.CreateCursor (System.IO.Stream stream) [0x00058] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.Cursor..ctor (System.Type type, System.String resource) [0x00021] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.Cursors.get_SizeNWSE () [0x0001a] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.SizeGrip..ctor (System.Windows.Forms.Control CapturedControl) [0x00006] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at (wrapper remoting-invoke-with-check) System.Windows.Forms.SizeGrip..ctor(System.Windows.Forms.Control)
  at System.Windows.Forms.ScrollableControl.CreateScrollbars () [0x000c2] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.ScrollableControl..ctor () [0x000b0] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.ContainerControl..ctor () [0x0000e] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.Form..ctor () [0x00012] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.MessageBox+MessageBoxForm..ctor (System.Windows.Forms.IWin32Window owner, System.String text, System.String caption, System.Windows.Forms.MessageBoxButtons buttons, System.Windows.Forms.MessageBoxIcon icon, System.Boolean displayHelpButton) [0x0000c] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at System.Windows.Forms.MessageBox+MessageBoxForm..ctor (System.Windows.Forms.IWin32Window owner, System.String text, System.String caption, System.Windows.Forms.MessageBoxButtons buttons, System.Windows.Forms.MessageBoxIcon icon) [0x00000] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at (wrapper remoting-invoke-with-check) System.Windows.Forms.MessageBox+MessageBoxForm..ctor(System.Windows.Forms.IWin32Window,string,string,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon)
  at System.Windows.Forms.MessageBox.Show (System.String text, System.String caption, System.Windows.Forms.MessageBoxButtons buttons, System.Windows.Forms.MessageBoxIcon icon) [0x00000] in <a3daa9b84fd241a497578a25f68bc3c7>:0
  at Eddie.Forms.Linux.Program.Main () [0x000a1] in <fa7df81f0a8b4782926a44fe63f1975f>:0

Unluckily, I have no idea what it means... Can anyone help me, please?
  19. Hello all, I am looking to create a Docker container or some type of script to rotate my IP addresses. My goal is to rotate my IP address every time that it is unable to connect to a given IP (TTL like 30 seconds). However, if I am unable to do this I would like to simply rotate my IP address every couple of minutes. Does anyone know how I might do this efficiently? I would preferably run it from a local machine or Docker container routing my applications through it.
  20. Hi, I'm unable to use Eddie, so I connect to AirVPN using the terminal. However, this means that my system uses my ISP's DNS servers and not AirVPN's DNS servers. The guide on how to accept push requests mentions that I need to add the following to my OpenVPN configuration file:

Now please know that I am a dummy. I have tried putting this script into different OpenVPN files but have had no luck. Could someone tell me exactly in which file this goes and exactly where in the specified file? I've also looked at the config generator but cannot find the "custom directives" field. Thanks for any help.
  21. Hi, folks, I observe a strange behavior when trying to bypass DNS-based site blocking in Russia. The name flibusta.is gets unexpectedly resolved to the ban site lawfilter.ertelecom.ru. I use openvpn under Debian Linux.

OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 31 2020

Configuration files are downloaded from the airvpn.org generator. By default, /etc/resolv.conf contains the following:

nameserver

When I connect to the VPN, the settings do not change. My browser (Firefox 84) is configured to use DNS over HTTPS, but I can also change /etc/resolv.conf to use the Cloudflare DNS:

nameserver

Now, I run tcpdump to capture all DNS exchange and try to open flibusta.is in the browser. Here's what I get:

19:32:41.326041 Out ethertype IPv4 (0x0800), length 73: > 38651+ A? flibusta.is. (29)
19:32:41.326052 Out ethertype IPv4 (0x0800), length 73: > 2303+ AAAA? flibusta.is. (29)
19:32:41.345679 Out ethertype IPv4 (0x0800), length 84: > 25045+ A? lawfilter.ertelecom.ru. (40)
19:32:41.345690 Out ethertype IPv4 (0x0800), length 84: > 13267+ AAAA? lawfilter.ertelecom.ru. (40)
19:32:41.471163 In ethertype IPv4 (0x0800), length 100: > 25045 1/0/0 A (56)
19:32:41.619187 In ethertype IPv4 (0x0800), length 149: > 2303 0/1/0 (105)
19:32:41.619205 In ethertype IPv4 (0x0800), length 128: > 13267 0/1/0 (84)
19:32:41.619214 In ethertype IPv4 (0x0800), length 89: > 38651 1/0/0 A (45)

is the address of the VPN interface. The request seems to go through the VPN to Cloudflare, but for some reason it resolves to lawfilter.ertelecom.ru. This response gets inserted between the request and the correct response (the last line). But this doesn't happen every time. Sometimes, after re-establishing the VPN connection, tcpdump captures the correct response:

19:53:46.028205 Out ethertype IPv4 (0x0800), length 73: > 10615+ A? flibusta.is. (29)
19:53:46.028224 Out ethertype IPv4 (0x0800), length 73: > 4978+ AAAA? flibusta.is. (29)
19:53:46.121195 In ethertype IPv4 (0x0800), length 89: > 10615 1/0/0 A (45)

So, basically, there are two things I can't understand. First, why the browser seems to ignore the DoH settings, sending requests via plain UDP. But it is not related to the VPN, so let's not bother ourselves with this one. The second question is how the DNS request sent via the VPN gets a spoofed response from the provider's blocker? Am I simply doing something wrong?
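The check a practitioner would run on a capture like the one above, as an added Python example that is not part of the post: an on-path injector that sees the plaintext query races the real resolver, so the tell-tale sign is two answers for one transaction ID with different rdata, the forged one arriving first. The capture embedded below is constructed in the layout of the post's tcpdump output; RFC 5737 documentation addresses and a 10.4.0.2 tunnel address stand in for the addresses the post omits, and the duplicate reply for ID 38651 models the race the poster describes rather than copying the post's lines.

```python
"""Flag DNS answers that look injected, from a tcpdump capture.

Added example, not part of the post. The capture below is constructed in the
layout of `tcpdump -n -i any` output; RFC 5737 documentation addresses and a
10.4.0.2 tunnel address are stand-ins. It contains the race an on-path
injector produces: a forged reply for transaction ID 38651 lands 19 ms after
the query, the genuine reply through the tunnel lands about 290 ms later, and
a stub resolver keeps whichever reply arrives first.
"""
import re
from collections import defaultdict

# One tcpdump line per DNS packet (Linux cooked capture, hence the In/Out word).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:In|Out) .*?: "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)\+? (?P<body>.*?) \(\d+\)$"
)
QUERY_RE = re.compile(r"^(?:A|AAAA)\? (?P<name>\S+)$")      # "38651+ A? flibusta.is."
RESP_RE = re.compile(r"^\d+/\d+/\d+(?: (?P<rrs>.*))?$")      # "38651 1/0/0 A 198.51.100.10"
RDATA_RE = re.compile(r"\b(?:A|AAAA) (\S+?),?(?:\s|$)")

# Constructed sample capture (not the post's data).
SAMPLE_CAPTURE = """\
19:32:41.326041 Out ethertype IPv4 (0x0800), length 73: 10.4.0.2.48213 > 1.1.1.1.53: 38651+ A? flibusta.is. (29)
19:32:41.326052 Out ethertype IPv4 (0x0800), length 73: 10.4.0.2.48213 > 1.1.1.1.53: 2303+ AAAA? flibusta.is. (29)
19:32:41.345101 In ethertype IPv4 (0x0800), length 89: 1.1.1.1.53 > 10.4.0.2.48213: 38651 1/0/0 A 203.0.113.7 (45)
19:32:41.619187 In ethertype IPv4 (0x0800), length 149: 1.1.1.1.53 > 10.4.0.2.48213: 2303 0/1/0 (105)
19:32:41.619214 In ethertype IPv4 (0x0800), length 89: 1.1.1.1.53 > 10.4.0.2.48213: 38651 1/0/0 A 198.51.100.10 (45)
""".splitlines()


def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(lines):
    """Split a capture into id -> query and id -> [responses].
    IDs reused later in a long capture would collide; split such captures by time first."""
    queries, responses = {}, defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        txid, body = int(m["id"]), m["body"]
        q = QUERY_RE.match(body)
        if q:
            queries[txid] = {"t": _secs(m["ts"]), "name": q["name"], "resolver": m["dst"]}
            continue
        r = RESP_RE.match(body)
        if r:
            responses[txid].append({"t": _secs(m["ts"]), "src": m["src"],
                                    "rdata": tuple(RDATA_RE.findall(r["rrs"] or ""))})
    return queries, responses


def find_injection(lines):
    """Return findings: unsolicited replies, replies from a source other than the
    queried resolver, and conflicting answers for one transaction (the injection signature)."""
    findings = []
    queries, responses = parse(lines)
    for txid, rs in responses.items():
        q = queries.get(txid)
        if q is None:
            findings.append({"kind": "unsolicited", "id": txid, "from": rs[0]["src"]})
            continue
        for r in rs:
            r["rtt_ms"] = round((r["t"] - q["t"]) * 1000, 1)
            if r["src"] != q["resolver"]:
                findings.append({"kind": "wrong_source", "id": txid, "name": q["name"], "from": r["src"]})
        if len(rs) > 1 and len({r["rdata"] for r in rs}) > 1:
            rs.sort(key=lambda r: r["t"])   # first-arriving answer is the one the stub kept
            findings.append({"kind": "conflicting_answers", "id": txid, "name": q["name"],
                             "answers": [(r["rdata"], r["rtt_ms"]) for r in rs]})
    return findings


if __name__ == "__main__":
    for finding in find_injection(SAMPLE_CAPTURE):
        print(finding)
```

Feed it the output of `tcpdump -n -i any -l udp port 53` over a longer session; an answer that keeps arriving tens of milliseconds after the query while the genuine one takes hundreds is the injector sitting between you and the resolver, not the resolver lying.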
  22. Is there a systemd service or something similar available that I can use to get the VPN service to start on boot? I'm running Arch Linux.
  23. Hey all! I ran into an issue the other day when setting up AirVPN where I found a lot of the AirVPN IPs appear to be blocked by my ISP. In my quest to resolve this issue, I ended up creating a script that uses fping and dig to get all the IPs for a region, check that they work, and add those to your AirVPN configuration. I figured this script might be helpful to some, so I'd share it here.

You can download it here: https://gist.github.com/zikeji/144247cb20793a5a7c65653e5f7c572b

A simple one-liner to download it and set the executable bit:

wget https://gist.githubusercontent.com/zikeji/144247cb20793a5a7c65653e5f7c572b/raw/a414cc4f6828904992f18e0a0bdecf6cf5e4f85c/airvpn_remotes.sh -q -O airvpn_remotes.sh && chmod +x airvpn_remotes.sh

Warning: Remember, for your safety ALWAYS review a downloaded script before executing it!

The command's help output:

airvpn_remotes.sh

Description:
  Use dig and fping to generate multiple remotes for an AirVPN config, replacing existing remote(s), and ignoring IPs that aren't responding. Remotes are placed in order of lowest ping to highest.

Usage:
  airvpn_remotes.sh [--port=<int>] [--query=<fqdn>] [--ipv4] [--ipv6] [--remote-random] [--in-place] [input-file]
  airvpn_remotes.sh -h | --help

Options:
  -h, --help                 Show this screen.
  -p <int>, --port=<int>     Override the port supplied on each remote line [default: 443].
  -q <fqdn>, --query=<fqdn>  Supply the DNS record you wish to query to use the IPs from [default: ca.all.vpn.airdns.org].
  -s <ns>, --server=<ns>     The name server you wish to query the records against [default: ns1.airvpn.org].
  -c <int>, --count=<int>    Change the amount of pings run by fping for more accurate ping sorting [default: 4].
  -4, --ipv4                 Only query IPv4.
  -6, --ipv6                 Only query IPv6.
  -r, --remote-random        Add remote-random to the AirVPN config (this will cause OpenVPN to randomize the server order when connecting).
  -i<ext>, --in-place=<ext>  Edit the file in place (makes backup if extension supplied), ignored if no input file is supplied.

The first non-option argument is the name of the input file; if no input file is specified, then the standard input is read. All other non-option arguments after the first are ignored.

You'll need to ensure dig and fping are installed on your distribution before you can use it. Additionally, if your system doesn't support IPv6 it'll only return IPv4 by default (because naturally pinging the IPv6 addresses will fail). And finally, I've only tested the script on Ubuntu 20.04, but hopefully you don't run into trouble.

By default the script checks the DNS record AirVPN maintains for all of CA's servers. You can find out more about the records option here: https://airvpn.org/faq/servers_ip/

The help file should be pretty clear as to how to use the script, but I'll provide an example. I want to update my AirVPN.ovpn file with new remotes that'll be executed randomly and only include IPv4 remotes, and I want them from the Netherlands. Additionally, instead of connecting in order I want it to connect to a random server defined in the config. Since I use port 1194 instead of port 443, I also want each remote to use port 1194 instead of the default. I also want it to back up my original config before overwriting it. I would run:

./airvpn_remotes.sh -r4 -qnl.all.vpn.airdns.org -p1194 -iold AirVPN.ovpn

Which would remove any lines from my AirVPN conf that are a remote or a remote-random and add the new remotes, sorted by lowest ping first (which is irrelevant because we're also adding remote-random). Hopefully this script might be useful for someone else as well!
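The rewriting step the script describes (replace the remote lines, drop unreachable hosts, order by latency), as an added Python example; this is not the gist's code and it does not reproduce its dig/fping probing, which is replaced by a constructed measurement list. The profile text, addresses and latencies are constructed. The one detail worth seeing is the filter: stripping lines with a prefix match on "remote" would also delete `remote-cert-tls server`, the directive that makes the client insist on a certificate with the server role, so only the exact `remote` and `remote-random` directives are replaced.

```python
"""Rewrite the remote lines of an OpenVPN profile from reachability measurements.

Added example, not the gist's code. It covers only the post's last step: the
dig + fping probing is replaced by a constructed measurement list (MEASURED),
and rewrite_remotes() does the line surgery on a constructed profile. Only
exact `remote` and `remote-random` directives are touched, so directives that
merely start with "remote", such as `remote-cert-tls server`, survive.
"""
import ipaddress

# Constructed: (address, rtt in ms, or None when no reply came back).
MEASURED = [
    ("198.51.100.10", 41.2),
    ("203.0.113.5", None),      # blocked upstream, fping got nothing
    ("198.51.100.22", 18.7),
    ("2001:db8::10", 19.3),
]

# Constructed profile in the layout the generator uses (inline <ca> block).
SAMPLE_OVPN = """\
client
dev tun
remote 203.0.113.1 443
remote-random
proto udp
remote-cert-tls server
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""


def usable(measured, want_v4=True, want_v6=True):
    """Drop unreachable or unwanted-family addresses, sort the rest by RTT."""
    out = []
    for ip, rtt in measured:
        if rtt is None:
            continue
        addr = ipaddress.ip_address(ip)  # raises ValueError on junk from a DNS answer
        if (addr.version == 4 and want_v4) or (addr.version == 6 and want_v6):
            out.append((ip, rtt))
    return sorted(out, key=lambda pair: pair[1])


def rewrite_remotes(profile, hosts, port=443, remote_random=False):
    """Replace every top-level `remote`/`remote-random` directive; keep all else verbatim."""
    kept, insert_at, inline = [], None, False
    for line in profile.splitlines():
        stripped = line.strip()
        # Inside <ca> ... </ca> style inline blocks nothing is a directive.
        if stripped.startswith("</"):
            inline = False
        elif stripped.startswith("<"):
            inline = True
        token = stripped.split()[0] if stripped else ""
        if not inline and token in ("remote", "remote-random"):
            if insert_at is None:
                insert_at = len(kept)   # new remotes go where the first old one was
            continue
        kept.append(line)
    block = [f"remote {ip} {port}" for ip, _ in hosts]
    if remote_random:
        block.append("remote-random")
    if insert_at is None:
        insert_at = len(kept)           # profile had no remote at all: append
    kept[insert_at:insert_at] = block
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(rewrite_remotes(SAMPLE_OVPN, usable(MEASURED, want_v6=False), port=1194, remote_random=True))
```

Whatever tool you use for this step, diff the result against the original before connecting: the directives that keep a VPN profile honest (remote-cert-tls, the inline CA, tls-auth/tls-crypt keys) must come out of the rewrite untouched.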
  24. Hello, last year I had written a wrapper for Eddie's CLI version (in bash) to be able to use it more easily and extensively in the Linux command line like the GUI, but with fewer resources. I have used it since then every day without problems, but now I have finally gotten to overhaul it and adjust it to Hummingbird because it is just so much faster! I also tried to make it easier to configure (by having a separate configuration file) and added some new functionality like support (and automatic recognition) of iptables and nftables to lock down the system even without being connected to AirVPN, and automatic connection at boot with a systemd unit. Again, feel free to use this as you wish, I hope someone can benefit from this. I'm happy about any improvements and corrections and will update this if I find the time.

Features
• graphical interface in the command line to connect to AirVPN with Hummingbird (no Eddie involved)
• runs in background, the interface can be closed/opened anytime without affecting the running connection
• possibility to connect to any server with just one ovpn configuration file
• easily connect to a random server, to a recommended server, to the recommended server of a specific country or to a specific server
• sortable list of all servers including info like used bandwidth, load and number of users
• possibility to connect to other VPNs with openconnect
• lock down system by default (permanently if you want), so even without AirVPN/Hummingbird running there won't be any unwanted network traffic
• automatically establish connection at boot (which can later be controlled via the interface)
• logging of Hummingbird's output (number of days to keep logs for can be adjusted)
• system notifications to let you know what happens in the background

Some general notes

The default network lock determines, like Hummingbird itself, if iptables, iptables-legacy or nftables is available on your system and will use the first one found in that list. You can override that by specifying which one to use in the configuration file. Once activated, the lock will stay in place until manually deactivated, so no internet connection will be possible unless connected to AirVPN or other whitelisted VPNs. You can make the lock permanent (or rather activate it at boot) by enabling that option in the configuration file. AirVPN's network lock overwrites the default network lock, so there will be no interference.

IMPORTANT: If you have any frontend firewall for iptables/nftables running, you might need to disable that or read up on how it might interfere with rule changes you make directly via iptables/nft. The same thing applies if you use just Hummingbird itself. If you enable the default permanent network lock, it will write the lock rules at boot, most likely overwriting rules by firewalld or the like, but other enabled firewalls might interfere later.

Also important: If you have SELinux and you want to use nftables for Hummingbird starting at boot, you have to create a SELinux exception for nft because otherwise it will be denied and Hummingbird starts without setting up its own lock, thus leaving you unprotected (AirVPN staff is aware of this issue). You can do that with audit2allow. Follow for example this guide to troubleshoot the problem and fix it with the solution given by sealert.

Check your /etc/resolv.conf file while not running Hummingbird (because Hummingbird's network lock replaces that file temporarily) to make sure your router is not set as a nameserver (so no 192.168... address). Some routers will push themselves onto that list by DHCP whenever you connect to their network. Since communication with the router is allowed in the lock rules, DNS requests will be handled by the router and sent to whatever DNS server is configured there even when network traffic should be blocked. There are ways to prevent that file from being changed by DHCP; best configure NetworkManager for that if you use it.

To connect to other VPNs, their IPs must be whitelisted and DNS requests for their domains must be allowed in the default network lock rules (netfilter_iptables.rulesipv4/ipv6 and/or netfilter_nftables.rules). Only edit those files with the default network lock deactivated. The rules for airvpn.org can be copied and adjusted.

You can set custom options for Hummingbird in the interface or the configuration file. All the possible options can be found in the Hummingbird manual or with sudo hummingbird --help

Apart from dialog I tried to only use basic system tools. The scripts will check if everything needed is present; if not, they will exit. At least bash 4 is needed. The scripts rely mostly on dialog, awk and curl (and iptables/nft as described, and openconnect if needed), so it should work on most systems.

I wrote and tested this on Fedora 32 with Hummingbird 1.0.3. It should be possible to use any ovpn config file generated by AirVPN's config generator. Even with the file for one specific server it should be possible to connect to any other server because the server override function is used here. I haven't tested that extensively though and just use the config file for earth.

AirVPN's API seems to be a little unreliable sometimes, as in not correctly reporting the connection status. Sometimes the API reports me not being connected although I am connected to an AirVPN server. This is no big deal, it just means that the connection status sometimes may be shown falsely as disconnected. If you have the default network lock activated, no traffic would be possible if you were actually disconnected.

And, lastly, VERY IMPORTANT: I am still no programmer and do this only on the side, so even though I tried my best to make these scripts secure and error free, there might very well be some bad practice, never-ever-do-this mistakes or other hiccups in there. It works very well for me (and has for quite a while by now), but better check it yourself.

UPDATE: As of 2020/08/29 this project, including updates, changelog and further instructions, is publicly available on GitLab. There it can be more easily examined, downloaded and updated. Thus I have removed the scripts, installation instructions and the archive with all the files from this post. Check out the GitLab project for the newest version.
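The two points in the notes above that decide whether a "lock" actually locks, as an added Python example that is not the wrapper's rule files (which are not shown in the post): first, a default-deny output chain that only lets traffic reach whitelisted VPN endpoints or leave through the tunnel interface; second, because the LAN (and so the router) stays reachable, DNS towards the LAN has to be dropped by a rule that sits before the LAN accept, or the DHCP-pushed 192.168.x.x nameserver the post warns about carries every lookup out in the clear. The function emits an nft script for `nft -f -` and the audit helper implements the resolv.conf check the post recommends. Endpoint addresses, ports, the LAN prefix, interface name and the sample resolv.conf are assumptions for illustration.

```python
"""Build a default-deny nftables lock and audit resolv.conf for the LAN DNS hole.

Added example, not the wrapper's own rule files. lock_ruleset() returns an nft
script; audit_resolv_conf() lists nameservers that live on the LAN or a
link-local address, i.e. the router. All addresses and names are assumptions.
"""
import ipaddress

# Constructed resolv.conf as DHCP/NetworkManager commonly leaves it.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 1.1.1.1
"""


def audit_resolv_conf(text):
    """Nameservers on a private or link-local address. Run it while the VPN client is
    down, as the post says, because the client rewrites the file while connected."""
    leaking = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                addr = ipaddress.ip_address(parts[1])
            except ValueError:
                continue  # not a literal address; the resolver ignores such lines anyway
            if addr.is_private or addr.is_link_local:
                leaking.append(parts[1])
    return leaking


def lock_ruleset(vpn_endpoints, vpn_ports, lan_cidr, resolver, tun_if="tun0", table="vpnlock"):
    """Return an nft script (feed it to `nft -f -`). Inputs are parsed with the
    ipaddress module so that a bad value from an API answer cannot become a
    syntax error or, worse, a rule that accepts more than intended."""
    endpoints = ", ".join(str(ipaddress.IPv4Address(e)) for e in vpn_endpoints)
    ports = ", ".join(str(int(p)) for p in vpn_ports)
    lan = ipaddress.IPv4Network(lan_cidr)
    resolver = ipaddress.IPv4Address(resolver)
    if resolver in lan:
        raise ValueError(f"resolver {resolver} is on the LAN; that is the hole the lock must close")
    return f"""\
table inet {table}
flush table inet {table}
table inet {table} {{
    chain input {{
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr {lan} accept
    }}
    chain output {{
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # resolving the VPN server names before the tunnel exists: one resolver only
        ip daddr {resolver} udp dport 53 accept
        ip daddr {resolver} tcp dport 53 accept
        # DNS towards the LAN is dropped BEFORE the LAN accept below
        ip daddr {lan} udp dport 53 drop
        ip daddr {lan} tcp dport 53 drop
        ip daddr {lan} accept
        # whitelisted VPN endpoints
        ip daddr {{ {endpoints} }} udp dport {{ {ports} }} accept
        # everything else must leave through the tunnel; no IPv6 accept exists, so v6 stays dropped
        oifname "{tun_if}" accept
    }}
}}
"""


if __name__ == "__main__":
    print(lock_ruleset(["198.51.100.10", "198.51.100.22"], [443, 1194], "192.168.1.0/24", "1.1.1.1"))
    print("router used as nameserver:", audit_resolv_conf(SAMPLE_RESOLV_CONF))
```

The plaintext lookup to the single named resolver is the one deliberate hole, needed to turn the server names in the profile into addresses before the tunnel is up; if you only ever connect by literal IP (the remotes rewritten as in the earlier post), pass no resolver rule at all. After loading, `nft list ruleset` should show the two `dport 53 drop` lines above the LAN accept, and a `dig @192.168.1.1 example.com` from the locked host should time out rather than answer.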