
Prevent Leaks with Linux & Firestarter (also Stop traffic when VPN Drops)

Linux Firestarter gufw ufw

82 replies to this topic

#1 Corsair28 (Advanced Member, 35 posts)

Posted 18 November 2012 - 03:49 AM

WARNING: this guide assumes that you have no IPv6 connectivity. If you have, you should block outgoing IPv6 packets while connected to the VPN with "ip6tables". Please see https://airvpn.org/faq/software_lock

 

Here is a guide to prevent leaks and completely stop traffic when the VPN drops in Linux. If the OpenVPN connection drops you will not be able to access the internet while the firewall is activated. Just click the "stop firewall" button and reconnect with OpenVPN, then re-enable the firewall. If you wish to connect to the internet without OpenVPN just press the "stop firewall" button within Firestarter. This way you are protected if the VPN drops. Tested on Debian, Ubuntu, Mint, and OpenSUSE.

This is assuming you have already set up OpenVPN on Linux after following the guide here-----> https://airvpn.org/linux/

1). Install Firestarter firewall for Linux by opening the terminal and typing ----> sudo apt-get install firestarter

2). Allow traffic on the OpenVPN interface by updating /etc/firestarter/user-pre. There are multiple ways to do this depending on your Linux Distro. Here are 2 examples.
A). Open the terminal with root privileges and type-----> gksu gedit /etc/firestarter/user-pre
Add the following text to /etc/firestarter/user-pre and save---------->
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

B). The second way is simply to go to the folder /etc/firestarter/ and click on the file USER-PRE and open in terminal with root privileges. Then add the code and save----->
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

3). Restart Firestarter by opening the terminal and typing ------------> sudo /etc/init.d/firestarter restart

4). Follow the images below to finish. You may have to restart the machine afterwards.

[Screenshots (Photobucket images, no longer retrievable): 01firewallwizard.png, 02firewallwizard.png, 03wizard.png, 04selectthepolicytab.png, 05nothingdotooninboundp.png, 06selectoutboundtraffic.png, 07policyoutboundsetrest.png]
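What the guide above builds through the Firestarter wizard and the two user-pre lines is an iptables policy of "drop everything except the tunnel". The script below is an added example, not Corsair28's configuration and not part of Firestarter: it writes that same policy directly with iptables and ip6tables, and additionally leaves the path to the VPN server itself open so OpenVPN can reconnect without the firewall being stopped (the thread's main complaint later on). Interface names, the server address 203.0.113.10 and port 443 are assumptions (constructed placeholders); take the real values from the "remote" line of your .ovpn file and from "ip addr".

```shell
#!/bin/sh
# Added example (not from the thread or from Firestarter): the "all traffic stops when
# the tunnel goes away" policy as a plain iptables rule set.
# Interface names, server address and port are assumptions: check your .ovpn file
# ("remote <host> <port>") and "ip addr" before applying.
IPT="${IPT:-iptables}"
IPT6="${IPT6:-ip6tables}"
VPN_IF="${VPN_IF:-tun+}"                    # OpenVPN tunnel interface(s), as in user-pre
WAN_IF="${WAN_IF:-eth0}"                    # physical uplink
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"    # constructed placeholder (TEST-NET-3), not a real server
VPN_PORT="${VPN_PORT:-443}"                 # staff above: AirVPN listens on 53, 80, 443 TCP and UDP
LAN="${LAN:-192.168.1.0/24}"                # local subnet that stays reachable outside the tunnel

# Print the IPv4 rule set, one command per line. Default policy is DROP, so when the
# tunnel drops only the reconnect path to the VPN server and the LAN are still open.
gen_rules() {
  cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $WAN_IF -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT
$IPT -A OUTPUT -o $WAN_IF -d $VPN_SERVER -p tcp --dport $VPN_PORT -j ACCEPT
$IPT -A OUTPUT -o $WAN_IF -d $LAN -j ACCEPT
$IPT -A INPUT -i $WAN_IF -s $LAN -j ACCEPT
$IPT -A INPUT -i $VPN_IF -j ACCEPT
$IPT -A OUTPUT -o $VPN_IF -j ACCEPT
EOF
}

# IPv6: the warning at the top of the thread applies. With no IPv6 routed through the
# tunnel, the safe policy is to drop all of it except loopback.
gen_rules6() {
  cat <<EOF
$IPT6 -F
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT DROP
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
EOF
}

# Sanity check on the generated set: count OUTPUT rules that leave through the physical
# interface to anything other than the VPN server or the LAN. Anything but 0 is a leak path.
leak_paths() {
  gen_rules | grep -- "-A OUTPUT -o $WAN_IF" | grep -v -- "-d $VPN_SERVER" \
    | grep -vc -- "-d $LAN" || true
}

# DRY_RUN=1 prints the commands; otherwise they are executed (needs root).
apply_rules() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    gen_rules
    gen_rules6
  else
    gen_rules | sh -e
    gen_rules6 | sh -e
  fi
}

# Usage: sh killswitch.sh apply   (DRY_RUN=1 sh killswitch.sh apply to review first)
if [ "${1:-}" = "apply" ]; then
  [ "$(leak_paths)" = "0" ] || { echo "refusing: leak path in rule set" >&2; exit 1; }
  apply_rules
fi
```

Two caveats a practitioner should keep in mind: with OUTPUT defaulting to DROP, OpenVPN can only reconnect if it does not need to resolve the server name first, so either put the server's IP address in the .ovpn "remote" line or add a rule for your resolver; and the rules are not persistent across reboots unless saved with your distribution's iptables-persistent mechanism or re-run from a boot script.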



#2 Corsair28 (Advanced Member, 35 posts)

Posted 18 November 2012 - 01:10 PM

Here are the pics to the rest of the guide.

[Seven screenshots, not preserved in this copy of the thread]

#3 Guest_rbj_* (Guest)

Posted 18 November 2012 - 01:18 PM

Can someone please explain how I can view the photobucket images in #4 so I can finish this? Thanks in advance.

#4 Corsair28 (Advanced Member, 35 posts)

Posted 18 November 2012 - 02:45 PM

I fixed it and replied but I think it takes a while for replies to threads to be reviewed and updated. I've tried this on several Linux distros so far and all work flawlessly. Once you set everything up, the firewall stops all traffic when the vpn is dropped. You have to stop the firewall though in order to reconnect to the vpn or use the internet on your network. Like I said, the firewall stops ALL traffic, but this is actually a good thing. I keep the firestarter firewall window open so I know I am using vpn only and monitor my connections like I do with Comodo on a Windows machine. Once I am finished with the vpn, I shut off the firewall as well so I can use the internet if I have to, but in my case I am always on the vpn so no need. Try it out, it fulfills all of my objectives and yours I believe as well. And again, sorry the pictures did not show up; I am trying out the new BETA for photobucket.

#5 Guest_rbj_* (Guest)

Posted 18 November 2012 - 03:26 PM

It's exactly what I'm looking for, I just didn't know how to do. Thanks

#6 psychocydd (Member, 13 posts)

Posted 18 November 2012 - 03:39 PM

could this be done just to restrict 1 port from traffic going out and leave the rest to be able to use the internet if the vpn drops out?

#7 Corsair28 (Advanced Member, 35 posts)

Posted 18 November 2012 - 11:20 PM

I am not sure how to do that with the Firestarter firewall. Firestarter simplifies iptables. I tried doing something similar with iptables, but could not get it to work. I would say that is your best way to do what you are asking, but you would definitely have to do quite a bit of reading on iptables. You can try to do that with Firestarter too, I would have to look into doing that kind of setup with it, although I am very satisfied with this setup here now. Here is the website for Firestarter. They have a tutorial on there.-------> http://www.fs-security.com/

BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.

#8 Staff (Advanced Member, Staff, 7457 posts)

Posted 19 November 2012 - 09:26 AM

BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.



Hello!

Our OpenVPN servers don't listen to port 1194, they listen to ports 53, 80 and 443 (TCP and UDP).

Kind regards

#9 Corsair28 (Advanced Member, 35 posts)

Posted 19 November 2012 - 02:17 PM

BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.



Hello!

Our OpenVPN servers don't listen to port 1194, they listen to ports 53, 80 and 443 (TCP and UDP).

Kind regards




Hello

When you go to the window to add the OpenVPN service, OpenVPN is not listed so you have to type in the default port which is 1194. The firewall is only routing traffic through the OpenVPN service, not the port you put in. Since all of the connection settings were already imported in the files we downloaded from AirVPN, we do not have to specify them again. I want to make sure this works for everybody, so I went further and tested the setup again. I went back into the policies and modified them from this:

Posted Image

To this:

Posted Image

Then I disconnected from Air again and all traffic stopped just like before. It does not seem to matter what port is in there as long as it knows the service is OpenVPN. The settings are already imported from the downloaded files. In any case, I like to be sure so I took additional steps. I added the AirVPN server as well for inbound and outbound policies, similar to the Windows and Comodo setup, and made them look like this for inbound:

Posted Image

and this for outbound:

Posted Image

Afterwards everything looked like this:

Posted Image

I went ahead and tested again, and when I disconnected from AirVPN, I had no internet service and everything was blocked. The firewall has to be shut off in order to have any access at this point to any internet. The original configuration and the modified one here both work equally the same. I tested the original on 4 Linux distros just to be sure, and all of them worked the same way, but if anyone has more input I would really appreciate it just to be sure I am not missing anything. I did the DNS leak test from here--------> http://www.dnsleaktest.com/ which resulted in 3 Google servers from Germany. Then I did another test from here--------> http://ip-check.info/?lang=en This was just to make sure everything was working and check the IP. This might be going into overkill at this point, but I am very satisfied with everything so far. Primarily, I am looking for input from everyone to see if I may have missed something on the 4 computers I tested this setup on. Thank you as well for your input and this service; I really like it a lot and plan on using it permanently.

#10 Anonymous Writer (Advanced Member, 43 posts)

Posted 20 November 2012 - 03:58 AM

BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.



Hello!

Our OpenVPN servers don't listen to port 1194, they listen to ports 53, 80 and 443 (TCP and UDP).

Kind regards




Hello

When you go to the window to add the OpenVPN service, OpenVPN is not listed so you have to type in the default port which is 1194. The firewall is only routing traffic through the OpenVPN service, not the port you put in. Since all of the connection settings were already imported in the files we downloaded from AirVPN, we do not have to specify them again. I want to make sure this works for everybody, so I went further and tested the setup again. I went back into the policies and modified them from this:

Posted Image

To this:

Posted Image

Then I disconnected from Air again and all traffic stopped just like before. It does not seem to matter what port is in there as long as it knows the service is OpenVPN. The settings are already imported from the downloaded files. In any case, I like to be sure so I took additional steps. I added the AirVPN server as well for inbound and outbound policies, similar to the Windows and Comodo setup, and made them look like this for inbound:

Posted Image

and this for outbound:

Posted Image

Afterwards everything looked like this:

Posted Image

I went ahead and tested again, and when I disconnected from AirVPN, I had no internet service and everything was blocked. The firewall has to be shut off in order to have any access at this point to any internet. The original configuration and the modified one here both work equally the same. I tested the original on 4 Linux distros just to be sure, and all of them worked the same way, but if anyone has more input I would really appreciate it just to be sure I am not missing anything. I did the DNS leak test from here--------> http://www.dnsleaktest.com/ which resulted in 3 Google servers from Germany. Then I did another test from here--------> http://ip-check.info/?lang=en This was just to make sure everything was working and check the IP. This might be going into overkill at this point, but I am very satisfied with everything so far. Primarily, I am looking for input from everyone to see if I may have missed something on the 4 computers I tested this setup on. Thank you as well for your input and this service; I really like it a lot and plan on using it permanently.



Bravo! In my privacy book, I make a very similar presentation, except that I use Gufw. Basically, both Gufw and Firestarter simplify iptables for the masses and secure all connections--VPNs and proxies--from "leaks." The admin can vouch for my comments, since he has a copy of my book, which he bought some time ago, though I am not sure if he has finished reading it.

Nevertheless, there are things about Firestarter I dislike: too many bugs, too many disconnections, too much freezing, et al. There is a new version planned, which hopefully will improve things. In addition, there are some disadvantages to the Firestarter OpenVPN configuration, as opposed to the Gufw.

In addition, what do you think of the following from the Firestarter page?

Virtual Private Networking

Firestarter 1.0 does not support VPN configurations without some tweaking. VPN capability in Firestarter is currently planned for version 1.1.



And

OpenVPN

OpenVPN is an easy to use cross-platform VPN solution that is also Open Source. If OpenVPN is to be used on the computer that Firestarter is running on, traffic must be allowed to and from the OpenVPN virtual interface with the following lines:

# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

OpenVPN requires no configuration changes if it is used on the local network.



#11 Anonymous Writer (Advanced Member, 43 posts)

Posted 20 November 2012 - 04:00 AM

I went ahead and tested again, and when I disconnected from AirVPN, I had no internet service and everything was blocked. The firewall has to be shut off in order to have any access at this point to any internet.



This is what I was referring to in my previous post. Firestarter has too many problems. After disconnecting, the whole app goes off. Best to avoid Firestarter until version 1.1 (if even then).

#12 Corsair28 (Advanced Member, 35 posts)

Posted 20 November 2012 - 02:02 PM

I went ahead and tested again, and when I disconnected from AirVPN, I had no internet service and everything was blocked. The firewall has to be shut off in order to have any access at this point to any internet.



This is what I was referring to in my previous post. Firestarter has too many problems. After disconnecting, the whole app goes off. Best to avoid Firestarter until version 1.1 (if even then).




Hello,

Can you be a bit more specific about the Firestarter problems? Today is day 11 since I have been using this setup and I am not seeing Firestarter shut off on any Linux distro that I tested this on. After the VPN drops, all traffic is blocked and that was the objective. This is exactly what I needed and so far I am not experiencing any issues at all. Maybe you can try it yourself using the guide and let me know what you experience? What Linux distro are you using? I have no problem copying your setup to find any issues. In fact, today on my primary machine I installed, and am now using, an experimental version of Linux from here--------> http://forums.linuxmint.com/viewtopic.php?f=61&t=113571
After the installation, I installed the firewall according to the guide and had no problems. Let me know what distro you are using and I will try it on there as well.

#13 Anonymous Writer (Advanced Member, 43 posts)

Posted 20 November 2012 - 03:42 PM

What happened to Corsair's last post--it was deleted? Why?

Anyway, the configuration does not work. I have tried it as he laid it out but to no avail.

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.

#14 Corsair28 (Advanced Member, 35 posts)

Posted 20 November 2012 - 09:53 PM

What happened to Corsair's last post--it was deleted? Why?

Anyway, the configuration does not work. I have tried it as he laid it out but to no avail.

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.



Hello,

Please let me know what Linux Distribution you are using. I would like to configure it this way as well. As I said before I have tried 4, well 5 now if you count the new one I told you about earlier. In some cases you have to restart the computer, but I stated that in the guide as well. Looking forward to hearing from you again about your distro so I can test the configuration.

#15 Anonymous Writer (Advanced Member, 43 posts)

Posted 21 November 2012 - 01:12 AM

What happened to Corsair's last post--it was deleted? Why?

Anyway, the configuration does not work. I have tried it as he laid it out but to no avail.

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.



Hello,

Please let me know what Linux Distribution you are using. I would like to configure it this way as well. As I said before I have tried 4, well 5 now if you count the new one I told you about earlier. In some cases you have to restart the computer, but I stated that in the guide as well. Looking forward to hearing from you again about your distro so I can test the configuration.



I appreciate your concern. In truth, I have been testing Firestarter for this purpose for a long time now (long before you posted on this topic), with a variety of distributions, including Ubuntu and Linux Mint; but more importantly, it is not very important.

As I already stated, I already use a similar configuration (in my humble opinion, "better") with Gufw, which I think is more flexible and more secure. There are some things I like about Firestarter but the cons outweigh the pros. Even if you took the time to examine this more closely, it would not be of any importance to me, since I do not use Firestarter and I prefer my configuration with Gufw. But to each his own.

Thank you.

#16 Guest_rbj_* (Guest)

Posted 21 November 2012 - 12:22 PM


My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.





As I already stated, I already use a similar configuration (in my humble opinion, "better") with Gufw, which I think is more flexible and more secure. There are some things I like about Firestarter but the cons outweigh the pros. Even if you took the time to examine this more closely, it would not be of any importance to me, since I do not use Firestarter and I prefer my configuration with Gufw. But to each his own.

Thank you.



Hello Anonymous Writer. Would it be possible to get the setup instructions for Gufw (to do the same as Firestarter)? I've been trying to get Gufw to prevent leaks and stop traffic, but I don't know enough to figure it out. Basically I copied the Firestarter instructions and applied them to Gufw. That didn't work. Any directions, tutorials, websites would be greatly appreciated.

#17 Corsair28 (Advanced Member, 35 posts)

Posted 21 November 2012 - 06:54 PM

What happened to Corsair's last post--it was deleted? Why?

Anyway, the configuration does not work. I have tried it as he laid it out but to no avail.

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.



Hello,

Please let me know what Linux Distribution you are using. I would like to configure it this way as well. As I said before I have tried 4, well 5 now if you count the new one I told you about earlier. In some cases you have to restart the computer, but I stated that in the guide as well. Looking forward to hearing from you again about your distro so I can test the configuration.



I appreciate your concern. In truth, I have been testing Firestarter for this purpose for a long time now (long before you posted on this topic), with a variety of distributions, including Ubuntu and Linux Mint; but more importantly, it is not very important.

As I already stated, I already use a similar configuration (in my humble opinion, "better") with Gufw, which I think is more flexible and more secure. There are some things I like about Firestarter but the cons outweigh the pros. Even if you took the time to examine this more closely, it would not be of any importance to me, since I do not use Firestarter and I prefer my configuration with Gufw. But to each his own.

Thank you.



Hello,

I never saw your post with gufw and I cannot find it. I tried that as well, but could not get it to work the way I have firestarter working. In the past I tried iptables, gufw, webmin, and now firestarter. I have a working iptables configuration on ArchLinux, but I have to input commands to stop and start the firewall after disconnect. Firestarter is working well with the original configuration I posted and this is day 12. I will continue to use it, but as I said I have never seen a gufw configuration in this forum, only iptables.

#18 Guest_rbj_* (Guest)

Posted 27 November 2012 - 08:13 PM

Worric's gufw

I've studied the screenshot and have read all day but I'm really stumped on how to write the first rule in the yellow box. All the others I figured out but I can't seem to figure out what I'm doing wrong on this one

I'm writing it like: sudo ufw allow in from 192.168.1.0/24 to eth0, I get 'bad destination address.' Yet if I reverse the rule it is accepted. I truly would appreciate help on this.

Frustrated AirVPN user :)

#19 Guest_rbj_* (Guest)

Posted 28 November 2012 - 05:30 PM

What am I doing wrong writing this rule? "sudo ufw allow in from 192.168.1.0/24 to eth0" I keep getting bad destination address. I got all the others but I've researched and can't find any help on this.

Thanks to anyone willing to help a confused AirVPN'er.
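Since the ufw question in the two posts above is never answered in the thread, here is the ufw/Gufw counterpart of the Firestarter setup as an added example (not from any poster and not from the ufw project). In ufw's syntax an interface is named after "on", while "from" and "to" take addresses, so "to eth0" is parsed as a destination address and rejected; the LAN rule is "ufw allow in on eth0 from 192.168.1.0/24". The interface names, the server address 203.0.113.10 and port 443 are constructed placeholders; the "ufw status verbose" text used by the check is likewise constructed sample output.

```shell
#!/bin/sh
# Added example, not from the thread: the ufw (Gufw) version of the VPN kill switch.
# Interface, server and port are assumptions (constructed values); take yours from the .ovpn file.
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # constructed placeholder (TEST-NET-3)
VPN_PORT="${VPN_PORT:-443}"
LAN="${LAN:-192.168.1.0/24}"

# The rule rbj was trying to write: the interface goes after "on", the subnet after "from".
lan_in_rule() {
  printf 'ufw allow in on %s from %s\n' "$1" "$2"
}

# Full rule set: deny in both directions by default, then open exactly three things:
# the tunnel itself, the VPN server endpoint on the uplink, and the LAN.
# With IPV6=yes in /etc/default/ufw the default policies apply to IPv6 as well.
ufw_rules() {
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow out on $VPN_IF
ufw allow in on $VPN_IF
ufw allow out on $WAN_IF to $VPN_SERVER port $VPN_PORT proto udp
ufw allow out on $WAN_IF to $VPN_SERVER port $VPN_PORT proto tcp
ufw allow out on $WAN_IF to $LAN
$(lan_in_rule "$WAN_IF" "$LAN")
ufw enable
EOF
}

# Check a "ufw status verbose" dump (read from stdin) for the deny/deny default policy,
# the one line that tells you the kill switch is actually in force.
policy_is_deny_deny() {
  grep -q '^Default: deny (incoming), deny (outgoing)'
}

# Constructed sample of "ufw status verbose" output after the rules above were applied.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip'

# Usage: sh ufw-killswitch.sh apply   (or just "sh ufw-killswitch.sh" to print the commands)
if [ "${1:-}" = "apply" ]; then
  ufw_rules | sh -e
  ufw status verbose | policy_is_deny_deny || echo "default policy is not deny/deny" >&2
else
  ufw_rules
fi
```

As with the iptables version, OpenVPN must be able to reach the server without resolving a hostname first (an IP address in the "remote" line, or an extra rule for your resolver), and every AirVPN server and port you intend to use needs its own "allow out on eth0" line.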

#20 magnumpi (Member, 24 posts)

Posted 01 December 2012 - 06:28 PM

Thanks for this! Another dumb question that may help RBJ....

The "192.168.1.0/24" address is for a subnet? Do we all use this address specifically or do we use our local router IP? Sorry, network newb here too. Not sure if the subnet/mask is referencing something on AirVPN or my local router?

(As an aside I noticed the screenshot and router settings for the DD-WRT settings AVPN provides differ in the 3rd slot, one showing zero the other showing 255 - 255.255.255.0 vs. 255.255.0.0 - not sure if that means anything; of course I don't even know what a subnet mask is ;-))




