AirVPN on Synology



#21 sundi (Advanced Member, 30 posts)

Posted 05 June 2016 - 11:07 PM

Quoting zhang888's earlier reply:

    You should allow both incoming and outgoing connections to the Air VPN servers :)

    Unless you wish to send/receive traffic in only one direction, which will result in a very unusual experience :)

 

hi zhang888,

 

Sorry for asking this again and please forgive me for my ignorance.

 

For example commands for a single AirVPN server like:

iptables -A INPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPT

Means allow incoming from source (AirVPN server) to any destination. It allows incoming connections from AirVPN server. This one looks fine to me.

iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPT

Means allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router?

 

Shouldn't it be:

iptables -A OUTPUT -s <Synology IP>/32 -d 150.129.41.193/32 -j ACCEPT

 

Also, I don’t understand how these two entries will stop outgoing connection to any destination from my Synology except for AirVPN servers as these entries are only allowing and not rejecting anything from Synology.



#22 zhang888 (Donald Trump of IT/Security, Moderators, 2219 posts)

Posted 06 June 2016 - 12:46 AM

These entries are only about allowing certain traffic through your firewall. The assumption is that you have a general "cleanup" rule at the end, which will block all traffic that does not match the above rules.

In iptables, the rules are parsed hierarchically, from top to bottom, so you have to first append (-A) the rules you want to allow, then prepend, or insert (-I), the rules you want to add that are not matching anything above.

So you should basically have something like:

iptables -I INPUT -s IP -j DROP

iptables -I OUTPUT -s IP -j DROP

at the bottom of your router rules, where "IP" is the address of your Synology device.

Since the above (-A) rules will match some packets, like the outgoing Air servers, they will be allowed, while other packets, like leaks, will not match any of the above and will then be dropped by the final -I rules.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#23 sundi (Advanced Member, 30 posts)

Posted 06 June 2016 - 01:46 AM

(quoting zhang888's reply in #22 above)

 

Hi zhang888,

 

Thanks a lot for clarifying my doubts. I will apply these rules and will see how it goes.

Thanks a lot. Really appreciate your help.

 

Also, I assume you have gone through my query:

iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPT

Means allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router?



#24 zhang888 (Donald Trump of IT/Security, Moderators, 2219 posts)

Posted 06 June 2016 - 01:53 AM

(quoting sundi's question in #23 above)

 

This was an obvious typo from my side; of course it should be -d and not -s.

I copied the first line to the second to make an example and overlooked this completely.

Good that you were actually reading the rules and making corrections! :asd:




#25 sundi (Advanced Member, 30 posts)

Posted 06 June 2016 - 04:04 AM

(quoting zhang888's reply in #24 above)

 

Hi zhang888,

 

Thanks a lot for helping me out.

I am really very grateful to you for this.

 

Soon I will prepare a document for a setup like mine so that others can benefit.



#26 SolidSnake007 (Newbie, 1 post)

Posted 10 June 2016 - 04:19 PM

Hello Guys,

Interesting thread. I may be a bit off topic here but it's certainly related. I too am testing AirVPN on my Synology and I can get it to connect fine, but upon testing internet connectivity I get some strange behaviour. Using a terminal session to my Synology I issue some traceroute commands to some domains on the internet. For instance, I don't seem to be able to resolve any domain names, so it looks like a DNS issue. On the other hand, pings to Google's public DNS servers (8.8.8.8) or any other IP address work fine, so internet connectivity is there, no doubt. Like many others my concern is that it uses the VPN connection and gateways to access the internet. When you see the traceroute below, however, you see that latency is very high and it really takes a long time to perform this trace. I find it very strange.

 

traceroute 90.216.180.87
traceroute to 90.216.180.87 (90.216.180.87), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  19.494 ms  21.157 ms  21.170 ms
 2  46.19.137.113 (46.19.137.113)  21.324 ms  21.298 ms  21.297 ms
 3  31.7.63.1 (31.7.63.1)  20.993 ms  21.009 ms  20.997 ms
 4  190.211.252.57 (190.211.252.57)  21.039 ms  21.128 ms  21.172 ms
 5  80.255.14.121 (80.255.14.121)  21.092 ms  21.123 ms  21.121 ms
 6  81.95.15.213 (81.95.15.213)  26.945 ms  26.728 ms  25.988 ms
 7  213.46.179.5 (213.46.179.5)  28.585 ms  26.110 ms  26.133 ms
 8  84.116.134.9 (84.116.134.9)  27.013 ms 84.116.134.5 (84.116.134.5)  60.475 ms  60.494 ms
 9  84.116.140.190 (84.116.140.190)  26.827 ms  27.018 ms  27.046 ms
10  213.46.179.102 (213.46.179.102)  44.268 ms  44.285 ms  44.340 ms
11  * * *
12  * * *
13  * * *
14  90.216.180.87 (90.216.180.87)  52.565 ms  51.988 ms  57.223 ms
15  90.216.180.87 (90.216.180.87)  57.006 ms  61.442 ms  61.592 ms
 

This is a trace to a friend's IP address (changed it for privacy so don't bother :P).  It eventually gets there but it takes like centuries.  Could it be just a server issue so I should go and try a different VPN gateway?  It looks like my internet bandwidth is throttled to the sub-zero point.

Anyway, with other VPN services I did manage to have a stable connection and have some bandwidth but this just feels like something is horribly wrong.

 

Thanks for your feedback!

 

SolidSnake007



#27 zhang888 (Donald Trump of IT/Security, Moderators, 2219 posts)

Posted 10 June 2016 - 04:36 PM

What is exactly wrong with 25-60ms?

Your traceroute may take longer to display since your DNS doesn't work.

Use the traceroute -n flag.




#28 sundi (Advanced Member, 30 posts)

Posted 10 June 2016 - 05:03 PM

Hi SolidSnake007,

 

Your latency is fine (actually very good as per my results). I am getting 180-211ms in my results. But I am still happy with the download speed I am getting.

I think it varies a lot when you connect to an AirVPN server closest to your location vs a server located far from your location.

 

Here is my output:

traceroute -n 84.116.140.190
traceroute to 84.116.140.190 (84.116.140.190), 30 hops max, 60 byte packets
 1  10.4.0.1  180.189 ms  180.175 ms  180.183 ms
 2  178.162.198.124  180.197 ms  180.220 ms 178.162.198.125  180.227 ms
 3  178.162.223.144  180.232 ms 178.162.223.164  180.733 ms 178.162.223.136  183.897 ms
 4  46.165.255.122  183.934 ms 46.165.255.168  183.947 ms 46.165.255.98  183.953 ms
 5  46.165.255.115  191.488 ms 46.165.255.107  194.973 ms 46.165.255.109  193.205 ms
 6  213.46.177.89  194.098 ms  211.758 ms  211.490 ms
 7  * * *
 8  * * *
 9  84.116.140.190  187.591 ms  187.343 ms  188.990 ms
 

If you want to discuss how I have done my setup and want some configuration help, please let me know. I will try to help you.



#29 Mikeyy (Member, 24 posts)

Posted 03 August 2016 - 07:35 PM

Quoting sundi's earlier post:

    I have set up a script which checks for the VPN tunnel presence every 5 minutes. If the VPN tunnel is not present the script will terminate the current stale session and recreate a new VPN connection.

 

Can you please share this reconnect script?

 

Concerning your problem with blocking the Synology's internet access, today I found a solution for myself, and since it's exactly the same problem as yours I'm sharing it with you.

You need to be able to use iptables on your router (dd-wrt, Merlin or Tomato). Since I read you are using Merlin, check this: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

Use "firewall-start": create a file named "firewall-start", make sure it's created for Unix, not Windows, put the iptables commands inside, copy it to the jffs partition and mark it as executable. It will start automatically when the router restarts.

 

#Use this order of commands because it executes in reverse order.
#This command will execute last, it kills all UDP requests.
iptables -I FORWARD -p udp -s 192.168.1.111 -j REJECT
#This command will execute second and will ACCEPT connection to your VPN on destination port 443 UDP
iptables -I FORWARD -p udp -s 192.168.1.111 -m multiport --dports 443 -j ACCEPT
#This command will execute first and will block all TCP source ports except those needed for web access
iptables -I FORWARD -p tcp -s 192.168.1.111 -m multiport ! --sports 5000,5001,6690 -j REJECT

 

Change 192.168.1.111 to your Synology LAN IP.

Change the other ports, adding or removing them as you need.

Be careful to not assign some of those ports to download station BT ports, they must be different if you want to block them.
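A consolidated version of the kill switch discussed in #22 and in Mikeyy's firewall-start script above, as an added example that is not code from the thread. It assumes a Linux router (dd-wrt/Merlin/Tomato class) with iptables and the conntrack match, a NAS at 192.168.1.111 and an AirVPN entry IP of 150.129.41.193 on UDP 443; all three are placeholders to replace. Two points the thread's rules gloss over: traffic the NAS sends to the internet crosses the router's FORWARD chain (INPUT and OUTPUT only see packets addressed to or generated by the router itself), and -I inserts at the head of a chain, so a DROP inserted after the ACCEPT rules would be evaluated first and shadow them. The cleanup rule is therefore appended last with -A. By default the script only prints the commands; IPT=iptables applies them.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables kill switch for a NAS
# behind a Linux router. Rules are emitted in the order they must be applied.
# Assumptions (placeholders): NAS at 192.168.1.111, one AirVPN entry IP,
# OpenVPN over UDP 443. Set IPT=iptables to apply instead of printing.
NAS_IP="${NAS_IP:-192.168.1.111}"
VPN_SERVERS="${VPN_SERVERS:-150.129.41.193}"   # space-separated entry IPs
VPN_PROTO="${VPN_PROTO:-udp}"                  # tcp if the profile uses TCP
VPN_PORT="${VPN_PORT:-443}"
IPT="${IPT:-echo iptables}"                    # dry run by default

# Print the FORWARD-chain rules, one per line, in evaluation order.
killswitch_rules() {
    # Replies from the NAS on connections the outside opened (e.g. DSM via a
    # port forward). NEW packets never match this, so no new path is opened.
    printf '%s\n' "-A FORWARD -s $NAS_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The only fresh outbound connections allowed: the tunnel itself.
    for s in $VPN_SERVERS; do
        printf '%s\n' "-A FORWARD -s $NAS_IP -d $s -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT"
    done
    # Cleanup rule: everything else from the NAS (DNS included) is dropped.
    # Appended with -A so it stays LAST; -I would put it first and shadow the
    # ACCEPT rules above it.
    printf '%s\n' "-A FORWARD -s $NAS_IP -j DROP"
}

# Apply (or print) the rules. Word splitting of $IPT and $rule is intended.
apply_killswitch() {
    killswitch_rules | while IFS= read -r rule; do
        $IPT $rule
    done
}

apply_killswitch
```

The ESTABLISHED,RELATED rule lets the NAS answer connections that arrived through a port forward (what the `! --sports 5000,5001,6690` rule does in #29) without opening any new outbound path, and there is deliberately no DNS exception: the OpenVPN profile must use the server's IP address, as zhang888's rules do, because a name lookup before the tunnel is up is exactly the leak being blocked. Check the result with `iptables -L FORWARD -n -v --line-numbers` and confirm the DROP counter climbs when you stop the tunnel.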



#30 sundi (Advanced Member, 30 posts)

Posted 03 August 2016 - 11:11 PM

Thanks for the firewall list. I will try to implement it soon.

 

I am using the following script:

 

(script hidden in a collapsed spoiler block; not captured on this page)

 

Please change the conf_id and AirVPN_Name to yours.

You also need to put the script in the scheduler to run every 5 minutes.

Let me know how it works for you. I also have two more scripts to manage the logs generated by this script.



#31 Mikeyy (Member, 24 posts)

Posted 05 August 2016 - 01:17 PM

(quoting sundi's post #30 above)

I modified your script a bit, since it didn't reconnect if tun0 was up, but not working. This happens when VPN is active on Synology, but your router restarts. Then Synology is still reporting that VPN is up, but connection is broken and you can't connect to anything. Anyway, you can find script below with additional comments and variables:
#!/bin/sh
#VPN Check script modified Aug 5, 2016
#Script checks if VPN is up, and if it is, it checks if it's working or not. It provides details like VPN is up since, data
#received/sent, VPN IP & WAN IP.
#If VPN is not up it will report it in the log file and start it
#Change VPNID and VPNNAME to yours. SSH into Synology and run "cat /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf" to see your values.
#Save this script to file of your choosing (for example "synovpn_reconnect"). Store it in "/usr" folder of your Synology and chmod it: "chmod +x /usr/synovpn_reconnect"
#Edit "/etc/crontab" and add this line without quotes for starting script every 5 minutes: "*/5 *   *   *   *   root    /usr/synovpn_reconnect"
#After that restart cron with: "/usr/syno/sbin/synoservicectl --restart crond"
#(the "#!/bin/sh" line must be the very first line of the file, or cron cannot execute the script directly)

DATE=$(date +"%F")
TIME=$(date +"%T")
VPNID="oXXXXXXXXXX"
VPNNAME="AirVPN"
LogFile="/volume1/home/user1/airvpn/check_airvpn_$DATE.log"
#Tunnel address; empty when tun0 does not exist (ifconfig errors are silenced)
IPADDR=$(/sbin/ifconfig tun0 2>/dev/null | grep 'inet addr' | cut -d: -f2 | awk '{print $1}')
#Public IP as seen from the internet; -m 5 caps the wait so the script cannot hang on a dead tunnel
PUBIP=$(curl -s -m 5 icanhazip.com)
CHECKIP=$(echo "$PUBIP" | grep -c ".")
#PUBIP=$(curl -s -m 5 ipinfo.io/ip)
#PUBIP=$(curl -s -m 5 ifconfig.me)
RXDATA=$(/sbin/ifconfig tun0 2>/dev/null | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}')
TXDATA=$(/sbin/ifconfig tun0 2>/dev/null | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}')
#Only search the system log when we have an address; an empty pattern would match every line
UPTIME=""
if [ -n "$IPADDR" ]; then
	UPTIME=$(grep "$IPADDR" /var/log/synolog/synosys.log | awk '{print $2" "$3}' | tail -1)
fi

start_vpn()
{
	echo "VPN is down. Attempting to (re)start now." >> "$LogFile"
	/usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=$VPNNAME
	echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting
	echo conf_id=$VPNID > /usr/syno/etc/synovpnclient/vpnc_connecting
	echo conf_name=$VPNNAME >> /usr/syno/etc/synovpnclient/vpnc_connecting
	echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting
	/usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=$VPNNAME >> "$LogFile"
}

sleep 6
echo "======================================" >> "$LogFile"
echo "$DATE $TIME" >> "$LogFile"
#tun0 present (its all-zero HWaddr line is what ifconfig shows for a tun interface)?
if /sbin/ifconfig tun0 2>/dev/null | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"
then
	#tun0 is up, but is traffic actually getting out? Exactly one line of reply means yes.
	if [ "$CHECKIP" = 1 ]
	then
		echo "VPN is up since: $UPTIME" >> "$LogFile"
		echo "Session Data RX: $RXDATA" >> "$LogFile"
		echo "Session Data TX: $TXDATA" >> "$LogFile"
		echo "VPN IP is: $IPADDR" >> "$LogFile"
		echo "WAN IP is: $PUBIP" >> "$LogFile"
	else
		start_vpn
	fi
else
	start_vpn
fi
exit 0


#32 sundi (Advanced Member, 30 posts)

Posted 06 August 2016 - 04:33 AM

Thanks for modifying the script. It will be helpful.

 

Regarding a stale VPN session, or the VPN showing as connected after the router got restarted: the script actually takes care of that.

The following section in the script checks if the VPN can fetch its public IP from the internet; if not, it will restart the VPN.

 

(script excerpt hidden in a collapsed spoiler block; not captured on this page)

 

Please see if it works for you, as it works for me.



#33 Mikeyy (Member, 24 posts)

Posted 06 August 2016 - 06:37 AM

Nope, it doesn't work, that's why I changed it. Curl waits forever for reply and script hangs.

I added "-m 5" to curl which means it will wait for max 5 seconds to get reply. Rest are mostly cosmetic changes.



#34 sundi (Advanced Member, 30 posts)

Posted 06 August 2016 - 10:01 AM

(quoting Mikeyy's reply #33 above)

That's strange, because it works for me. Curl gives me the correct WAN IP and if it does not then script disconnects and reconnects the VPN making sure there is no stale session and VPN is able to get to the internet.

I will also test your script and will get back to you :)
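The "tunnel is up but is it actually working" decision that #31 to #34 argue about, as an added example that is not code from the thread. It separates the decision from the restart side effects so it can be exercised offline, and it probes the public IP through the tunnel by binding curl to tun0 (curl's --interface option), so a reply proves the tunnel path rather than whatever default route happens to exist; -m caps the wait, which is the hang Mikeyy hit. The tun0 name, the icanhazip.com endpoint, the use of ip(8) to read the link state and the PROBE_CMD hook for tests are all assumptions; the synovpnc restart call from the script above would go where the comment says.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the Synology VPN client
# needs a restart. Assumptions: tunnel interface tun0, curl with --interface
# and -m, ip(8) available; PROBE_CMD lets tests replace the network probe.

# Probe the public IP through the tunnel: --interface tun0 binds the source
# address to tun0, so a reply proves the tunnel path works; -m caps the wait.
probe_pubip() {
    ${PROBE_CMD:-curl -s -m 5 --interface tun0 https://icanhazip.com} 2>/dev/null
}

# 0 if the string is a plausible IPv4/IPv6 address, 1 for junk (HTML error
# page from a captive portal, empty output from a timed-out curl).
looks_like_ip() {
    case "$1" in
        *[!0-9a-fA-F:.]*|"") return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = "up" or "down" (tun0 link state), $2 = probe output.
# Prints the reason and returns 0 when a restart is needed, 1 when healthy.
needs_restart() {
    state="$1"; pubip="$2"
    if [ "$state" != up ]; then
        echo "tun0 missing"
        return 0
    fi
    if ! looks_like_ip "$pubip"; then
        # The case from #31: interface exists (router rebooted under it) but
        # nothing comes back through it, i.e. a stale session.
        echo "tun0 up but no reply through the tunnel (stale session)"
        return 0
    fi
    echo "ok: $pubip"
    return 1
}

# Link state of tun0 via ip(8); "down" also covers "does not exist".
tun_state() {
    if ip link show tun0 2>/dev/null | grep -q 'UP'; then echo up; else echo down; fi
}

# Real run, guarded so the file can be sourced for tests without side effects.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    if reason=$(needs_restart "$(tun_state)" "$(probe_pubip)"); then
        echo "$reason: restarting"
        # /usr/syno/bin/synovpnc kill_client ... && reconnect ... as in #31
    else
        echo "$reason"
    fi
fi
```

Run it as RUN_CHECK=1 sh synovpn_check from the same cron entry the thread uses; the exit status of needs_restart is what the 5-minute job should act on, and the printed reason is what belongs in the log.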






