Block IP and DNS leaks - WaterRoof - *Rules not working

[lambrinoul 0]

 

 

I am concerned about leaking IPs when torrenting, among other things, and I decided to use WaterRoof on my osx 10.6.

 

I flushed previous rules and imported the airvpn-ipfw-ruleset from jesees post.

Looking around WaterRoof I realised that this deals with ipv4. 

 

a)IPV6

When I pressed on the ipv4/ipv6 button that reveals the ipv6 rules, no rules are present. I tried to import again in this tab but rules are not imported here. So it seems rules are working for ipv4 only.

 

b)Dynamic rules

All the above has to do with static rules. Looking around I discovered there is window to add dynamic rules. Should I import the rules there too?

 

c)Connections inspector

I opened the connections inspector window and there are 7 rules that apparently are "root processes". Should I block any of these? What are these and how can i tell if they are factory made or "planted" there by someone?

 

d)Application Icon /monitor

I cannot seem to find any way to monitor if the waterproof application (and the rules) are running, like a menu bar icon. Is there something I am missing?

 

e)little snitch

Is WaterRoof compatible with little snitch?

 

f)ITunnelblick

In the advanced settings of the configuration there is the option "Route all traffic through the VPN". I had the impression that that was happening anyway. What is its role? (is there any good place with information regarding the proper configuration of Tunnelblick - for not very technical people?)

 

Any help greatly appreciated.

 

p.s. I am not so much into technical stuff so a "kill switch" (for killing the connection during a possible (probable?) disconnection from AirVPN) would be very helpful for people like me.

 

Many thanks.

 

 

p.s.2  After using these rules i cannot connect neither to the internet to airvpn.

 

add 01000 allow log udp from 192.168.0.0/16 to 94.75.228.29 dst-port 53 keep-state

add 01002 allow log udp from 192.168.0.0/16 to 62.141.58.13 dst-port 53 keep-state

add 01004 allow log udp from 192.168.0.0/16 to 87.118.100.175 dst-port 53 keep-state

add 01006 allow log udp from 192.168.0.0/16 to 87.118.104.203 dst-port 53 keep-state

add 01008 allow log udp from 192.168.0.0/16 to 87.118.109.2 dst-port 53 keep-state

add 02000 allow ip from 192.168.0.0/16 to 46.165.208.65 keep-state

add 02004 allow ip from 192.168.0.0/16 to 95.211.169.3 keep-state

add 02008 allow ip from 192.168.0.0/16 to 178.248.29.132 keep-state

add 02012 allow ip from 192.168.0.0/16 to 108.59.8.147 keep-state

add 02016 allow ip from 192.168.0.0/16 to 69.163.36.66 keep-state

add 02020 allow ip from 192.168.0.0/16 to 89.149.226.185 keep-state

add 02024 allow ip from 192.168.0.0/16 to 146.185.25.170 keep-state

add 02028 allow ip from 192.168.0.0/16 to 62.212.85.65 keep-state

add 02032 allow ip from 192.168.0.0/16 to 85.17.123.26 keep-state

add 02036 allow ip from 192.168.0.0/16 to 95.211.98.154 keep-state

add 04000 allow ip from 127.0.0.1 to any

add 05000 allow log ip from 10.0.0.0/8 to any

add 05002 allow log ip from any to 10.0.0.0/8

add 65534 deny log ip from any to any

 

p.s.3 I flushed the waterroof rules and my connection was re-established. Are the above rules correct?

 

 

[lambrinoul 0]

After manually going through the rules and removing the "log" as suggested in another post, I removed the following rule:

 

add 65534 deny log ip from any to any

 

now the connection is reestablished but apparently there is no rule for blocking / denying connections.

 

I appreciate your help.

[lambrinoul 0]

edit: Also with the above configuration I can connect to the internet even though I am not connected to airvpn.

[lambrinoul 0]

It's a shame I still haven't received any reply on that. I have looked the other threads, I have tried the rules suggested and they are not working. Is there some other suggestion regarding setting up a firewall (ipfw) for dns leaking?

[Staff 9751]

Hello,

 

the rules are correct, provided that your home network is in 192.168.0.0/16 (please check). Another rule should be added to allow DHCP, if you need it (probably so), you need to allow anything in UDP to IP 255.255.255.255 (to know why, please see how DHCP discovery works).

 

Kind regards

[lambrinoul 0]

Thank you. I will try this.

[lambrinoul 0]

My home network is not 192.168.0.0/16   My ip is 192.168.1.4  I changed all the lines to include that but Waterroof changes it automatically to 192.168.0.0 upon import, which is strange.

 

I also tried to create the rules manually. I entered "me" in the popup menu for ip address but when the rule was added it said 192.168.0.0. I do not know how this is possible as my network settings --> tcp/ip show 192.168.1.4  as my ipv4 address.

 

thank you

[lambrinoul 0]

Ok. I will try to elaborate a little. I  am new to this and hope I am not causing you too much frustration with all these questions

 

I am putting all my questions here as they are IP firewall related.

 

 

a) These rules (from Jesee) permit connections to the relevant airvpn servers, right? But are they working with all configurations or are they only for America, or only for Europe, etc? What if I am interested in connecting with an other airvpn server in another continent? How do I find the IP address?

 

sudo ipfw add 02000 allow log ip from 192.168.0.0/16 to xxx keep-state    # allow connect to: Tauri

sudo ipfw add 02004 allow log ip from 192.168.0.0/16 to xxx keep-state     # Castor

sudo ipfw add 02008 allow log ip from 192.168.0.0/16 to xxx keep-state   # Draconis

sudo ipfw add 02012 allow log ip from 192.168.0.0/16 to xxx keep-state     # Sirius

sudo ipfw add 02016 allow log ip from 192.168.0.0/16 to xxx keep-state     # Vega

sudo ipfw add 02020 allow log ip from 192.168.0.0/16 to xxx keep-state   # Omnicron

sudo ipfw add 02024 allow log ip from 192.168.0.0/16 to xxx keep-state   # Delphini

sudo ipfw add 02028 allow log ip from 192.168.0.0/16 to xxx keep-state     # Lyra

sudo ipfw add 02032 allow log ip from 192.168.0.0/16 to xxx keep-state     # Leonis

sudo ipfw add 02036 allow log ip from 192.168.0.0/16 to xxx keep-state    # Orionis

 

 

If theoretically I want to connect only on one selected server, would the following work?

 

add 02000 allow log ip from 192.168.1.4/16 to xx.xxx.xx.xxx keep-state  # Server of my preference

add 03000 allow log UDP to 255.255.255.255  # as you suggested earlier in this thread

add 04000 allow log ip from 127.0.0.1 to any

add 05000 allow log ip from 10.0.0.0/8 to any

add 05002 allow log ip from any to 10.0.0.0/8

add 65534 deny log ip from any to any

 

c) Is blocking/ allowing IP enough? What about TCP and other protocols? 

 

d) I have asked this earlier, apparently watteroof does not let me change the "from" IP.  Neither when I change the text file and import it or when trying to create manually the rules inside waterproof. It does not accept my IP ("me" tab) which is 192.168.1.4 and it displays 192.168.0.0 instead. What am I doing wrong?

 

e) In the occasions I would be connecting to TOR *first* which hops around different IP addresses before connecting to AirVPN these rules would block connections to TOR, right? So how could one go around creating rules for TOR? 

 

 

Many thanks for your patience and support. Highly appreciated.

[Staff 9751]

Hello!

 

a) You can find the entry-IP address of a server by generating, with the Configuration Generator, the configuration for that server and looking (with any text editor) at the line "remote" of the .ovpn file. Or just ask us.

 

The rules are ok both for UDP and TCP. Anyway, you might like to eliminate all that logging, it may be useless and also slow down the system.

 

b ) Probably not. The rule:

"allow log UDP to 255.255.255.255" should be "allow udp from any to 255.255.255.255". Even "allow ip from any to 255.255.255.255" is ok.

 

The rule "allow log ip from 127.0.0.1 to any" is risky. It's safer something like "allow ip from 127.0.0.0/8 to 127.0.0.0/8"

 

Additionally, you need to communicate with your internal network devices (at least with your router) so you should also add:

"allow ip from 192.168.0.0/16 to 192.168.0.0/16" or maybe (it depends on your subnet) even a more restrictive "allow ip from 192.168.1.0/24 to 192.168.1.0/24" could be fine. However this rule will allow DNS queries to your router and that could lead to a sort of DNS leak if your router re-transmits the query to your ISP. In this case, block outbound port 53 in the subnet:

"deny ip from 192.168.0.0/16 to 192.168.0.0/16 53 out"

 

c) ip is Internet Protocol and includes TCP, UDP, ICMP etc.

 

d) 192.168.0.0/16 "covers" the range starting from 192.168.0.0 and ending to 192.168.255.255, so you're just fine.

 

e) Impossible to say in advance, you can't determine the entry node in the TOR network by default. One of the strong points of TOR is establishing different circuits. You're ok with the already mentioned rules, because if you connect OpenVPN over TOR, you want that the final destinations (of your physical network card packets, not of the packets in the tun adapter of course) are the entry-IP addresses of Air servers.

 

Kind regards

[amnesty 18]

 What if I am interested in connecting with an other airvpn server in another continent? How do I find the IP address?

 

You could also query the FDQN (Fully Qualified Domain Name) for the server's IP Address with ping or nslookup. But this would query DNS so there is a slim chance it might be wrong if they changed a servers IP and it hasn't propgated accross the Internet (theoretically, could take up to 48 hours).

 

ping servername.airvpn.org

 

C:\Users\max>ping virginis.airvpn.org

 

Pinging virginis.airvpn.org [46.19.137.114] with 32 bytes of data:

 

nslookup servername.airvpn.org

 

>nslookup lyra.airvpn.org

Server:  UnKnown

Address:  10.30.0.1

 

Non-authoritative answer:

Name:    lyra.airvpn.org

Address:  62.212.85.65

 

 

 

sudo ipfw add 02000 allow log ip from 192.168.0.0/16 to xxx keep-state    # allow connect to: Tauri

sudo ipfw add 02004 allow log ip from 192.168.0.0/16 to xxx keep-state     # Castor

sudo ipfw add 02008 allow log ip from 192.168.0.0/16 to xxx keep-state   # Draconis

sudo ipfw add 02012 allow log ip from 192.168.0.0/16 to xxx keep-state     # Sirius

sudo ipfw add 02016 allow log ip from 192.168.0.0/16 to xxx keep-state     # Vega

sudo ipfw add 02020 allow log ip from 192.168.0.0/16 to xxx keep-state   # Omnicron

sudo ipfw add 02024 allow log ip from 192.168.0.0/16 to xxx keep-state   # Delphini

sudo ipfw add 02028 allow log ip from 192.168.0.0/16 to xxx keep-state     # Lyra

sudo ipfw add 02032 allow log ip from 192.168.0.0/16 to xxx keep-state     # Leonis

sudo ipfw add 02036 allow log ip from 192.168.0.0/16 to xxx keep-state    # Orionis

 

Some of these might not be available now. check out the Status page. I didn't see:

 

Draconis

Vega

Omnicron

Delphini

 

You could confirm by using one of those commands:

 

>ping delphini.airvpn.org

Ping request could not find host delphini.airvpn.org. Please check the name and try again.

 

Could not find doesn't necessarily mean it does not exist, more like my Name Server cannot find an entry for it. However, if a Name Server cannot find an entry, we pretty much wouldn't be able to connect anyway.

 

 

e) In the occasions I would be connecting to TOR *first* which hops around different IP addresses before connecting to AirVPN these rules would block connections to TOR, right? So how could one go around creating rules for TOR? 

 

For what it's worth, the Tor community prefers the network not be used for torrenting (mentioned in your original post). It's mostly volunteers donating their bandwidth (among other things). Not that people care.

 

 

Many thanks for your patience and support. Highly appreciated.

 

I like that you're trying to learn this stuff.