Jump to content
Not connected, Your IP: 54.225.35.224
Corsair28

Prevent Leaks with Linux & Firestarter (also Stop traffic when VPN Drops)

Recommended Posts

WARNING: this guide assumes that you have no IPv6 connectivity. If you have, you should block outgoing IPv6 packets while connected to the VPN with "ip6tables". Please see https://airvpn.org/faq/software_lock

 

Here is a guide to prevent leaks and completely stop traffic when the VPN drops in Linux. If the openvpn connection drops you will not be able to access the internet while the firewall is activated. Just click the "stop firewall" button and reconnect with Openvpn, then re-enable to firewall. If you wish to connect to the internet without openvpn just press the "stop firewall" button within firestarter. This way you are protected in the VPN drops. Tested on Debian, Ubuntu, Mint, and OpenSUSE.

This is assuming you have already setup OpenVPN on Linux after following the guide here-----> https://airvpn.org/linux/

1). Install Firestarter firewall for Linux by opening the terminal and typiing ----> sudo apt-get install firestarter

2). Allow traffic on the OpenVPN interface by updating /etc/firestarter/user-pre. There are multiple ways to do this depending on your Linux Distro. Here are 2 examples.
A). Open the terminal with root privileges and type-----> gksu gedit /etc/firestarter/user-pre
Add the following text to /etc/firestarter/user-pre and save----------> $IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

. The second way is simply to go to the folder /etc/firestarter/ and click on the file USER-PRE and open in terminal with root privileges. Then add the code and save-----> $IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

3). Restart Firestarter by opening the terminal and typing ------------> sudo /etc/init.d/firestarter restart

4). Follow the images below to finish. You may have to restart the machine afterwards.

<a href="/external_link/?url=%3Ca+href%3D"http://beta.photobucket.com/" rel="external nofollow">http://beta.photobucket.com/" target="_blank"><img src="/external_image/?url=%3Ca+href%3D"/external_link/?url=http%3A%2F%2Fi1285.photobucket.com%2Falbums%2Fa582%2Fcorsair28%2F01firewallwizard.png" rel="external nofollow">http://i1285.photobucket.com/albums/a582/corsair28/01firewallwizard.png" border="0" alt="Photobucket"/></a>
<a href="/external_link/?url=%3Ca+href%3D"http://beta.photobucket.com/" rel="external nofollow">http://beta.photobucket.com/" target="_blank"><img src="/external_image/?url=%3Ca+href%3D"/external_link/?url=http%3A%2F%2Fi1285.photobucket.com%2Falbums%2Fa582%2Fcorsair28%2F02firewallwizard.png" rel="external nofollow">http://i1285.photobucket.com/albums/a582/corsair28/02firewallwizard.png" border="0" alt="Photobucket"/></a>
<a href="/external_link/?url=%3Ca+href%3D"http://beta.photobucket.com/" rel="external nofollow">http://beta.photobucket.com/" target="_blank"><img src="/external_image/?url=%3Ca+href%3D"/external_link/?url=http%3A%2F%2Fi1285.photobucket.com%2Falbums%2Fa582%2Fcorsair28%2F03wizard.png" rel="external nofollow">http://i1285.photobucket.com/albums/a582/corsair28/03wizard.png" border="0" alt="Photobucket"/></a>
<a href="/external_link/?url=%3Ca+href%3D"http://beta.photobucket.com/" rel="external nofollow">http://beta.photobucket.com/" target="_blank"><img src="/external_image/?url=%3Ca+href%3D"/external_link/?url=http%3A%2F%2Fi1285.photobucket.com%2Falbums%2Fa582%2Fcorsair28%2F04selectthepolicytab.png" rel="external nofollow">http://i1285.photobucket.com/albums/a582/corsair28/04selectthepolicytab.png" border="0" alt="Photobucket"/></a>
<a href="/external_link/?url=%3Ca+href%3D"http://beta.photobucket.com/" rel="external nofollow">http://beta.photobucket.com/" target="_blank"><img src="/external_image/?url=%3Ca+href%3D"/external_link/?url=http%3A%2F%2Fi1285.photobucket.com%2Falbums%2Fa582%2Fcorsair28%2F05nothingdotooninboundp.png" rel="external nofollow">http://i1285.photobucket.com/albums/a582/corsair28/05nothingdotooninboundp.png" border="0" alt="Photobucket"/></a>
<a href="/external_link/?url=%3Ca+href%3D"http://beta.photobucket.com/" rel="external nofollow">http://beta.photobucket.com/" target="_blank"><img src="/external_image/?url=%3Ca+href%3D"/external_link/?url=http%3A%2F%2Fi1285.photobucket.com%2Falbums%2Fa582%2Fcorsair28%2F06selectoutboundtraffic.png" rel="external nofollow">http://i1285.photobucket.com/albums/a582/corsair28/06selectoutboundtraffic.png" border="0" alt="Photobucket"/></a>
<a href="/external_link/?url=%3Ca+href%3D"http://beta.photobucket.com/" rel="external nofollow">http://beta.photobucket.com/" target="_blank"><img src="/external_image/?url=%3Ca+href%3D"/external_link/?url=http%3A%2F%2Fi1285.photobucket.com%2Falbums%2Fa582%2Fcorsair28%2F07policyoutboundsetrest.png" rel="external nofollow">http://i1285.photobucket.com/albums/a582/corsair28/07policyoutboundsetrest.png" border="0" alt="Photobucket"/></a>

Share this post


Link to post
Guest rbj

Can someone please explain how I can view the photobucket images in #4 so I can finish this? Thanks in advance.

Share this post


Link to post

I fixed it and replied but I think it takes a while for replies to threads to be reviewed and updated. I've tried this on several Linux distros so far and all work flawlessly. Once you set everything up, the firewall stops all traffic when the vpn is dropped. You have to stop the firewall though in order to reconnect to the vpn or use the internet on your network. Like I said, the firewall stops ALL traffic, but this is actually a good thing. I keep the firestarter firewall window open so I know I am using vpn only and monitor my connections like I do with Comodo on a Windows machine. Once I am finished with the vpn, I shut off the firewall as well so I can use the internet if I have to, but in my case I am always on the vpn so no need. Try it out, it fulfills all of my objectives and yours I believe as well. and again sorry the pictures did not show up I am trying out the new BETA for photobucket.

Share this post


Link to post
Guest rbj

It's exactly what I'm looking for, I just didn't know how to do. Thanks

Share this post


Link to post

could this be done just to restrict 1 port from traffic going out and leave the rest to be able to use the internet if the vpn drops out?

Share this post


Link to post

I am not sure how to do that with the Firestarter firewall. Firestarter simplifies iptables. I tried doing something similar with iptables, but could not get it to work. I would say that is your best way to do what you are asking, but you would definitely have to do quite a bit of reading on iptables. You can try to do that with Firestarter too, I would have to look into doing that kind of setup with it, although I am very satisfied with this setup here now. Here is the website for Firestarter. They have a tutorial on there.-------> http://www.fs-security.com/

BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.

Share this post


Link to post

BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.

Hello!

Our OpenVPN servers don't listen to port 1194, they listen to ports 53, 80 and 443 (TCP and UDP).

Kind regards

Share this post


Link to post

BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.

Hello!

Our OpenVPN servers don't listen to port 1194, they listen to ports 53, 80 and 443 (TCP and UDP).

Kind regards

Hello

When you go to the Window to add the Openvpn service, Openvpn is not listed so you have to type in the default port which is 1194. The firewall is only routing traffic through the Openvpn service, not the port you put in. Since all of the connection settings were already imported in the files we downloaded from AirVPN, we do not have to specify them again. I want to make sure this works for everybody, so I went further and tested the setup again. I went back into the policies and modified them from this:

Posted Image

To this:

Posted Image

Then I disconnected from Air again and all traffic stopped just like before. It does not seem to matter what port is in there as long as it knows the service is Openvpn. The settings are already imported from the downloaded files. In any case, I like to be sure so I took additional steps. I added the AirVPN server as well for inbound and outbound policies, similar to the Windows and comodo setup and made them look like this for inbound:

Posted Image

and this for outbound:

Posted Image

Afterwards everything looked like this:

Posted Image

I went ahead and tested again, and when I disconnected from AirVPN, I had no internet service and everything was blocked. The firewall has to be shut off in order to have any access at this point to any internet. The original configuration and the modified one here both work equally the same. I tested the original on 4 Linux distros just to be sure, and all of them worked the same way, but if anyone has more input I would really appreciate it just to be sure I am not missing anything. I did the dnsleak test from here--------> http://www.dnsleaktest.com/ which resulted in 3 google servers from germany. Then I did another test from here--------> http://ip-check.info/?lang=en This was just to make sure everything was working and check the ip. This might be going into overkill at this point, but I am very satisfied with everything so far. Primarily, I am looking for input from everyone to see if I may have missed something on the 4 computers I tested this setup on and thank you as well for your input and this service I really like it a lot and plan on using it permanently.

Share this post


Link to post

BTW, the last picture on the manual I posted above, the port should be 1194 and not 1149.

Hello!

Our OpenVPN servers don't listen to port 1194, they listen to ports 53, 80 and 443 (TCP and UDP).

Kind regards

Hello

When you go to the Window to add the Openvpn service, Openvpn is not listed so you have to type in the default port which is 1194. The firewall is only routing traffic through the Openvpn service, not the port you put in. Since all of the connection settings were already imported in the files we downloaded from AirVPN, we do not have to specify them again. I want to make sure this works for everybody, so I went further and tested the setup again. I went back into the policies and modified them from this:

Posted Image

To this:

Posted Image

Then I disconnected from Air again and all traffic stopped just like before. It does not seem to matter what port is in there as long as it knows the service is Openvpn. The settings are already imported from the downloaded files. In any case, I like to be sure so I took additional steps. I added the AirVPN server as well for inbound and outbound policies, similar to the Windows and comodo setup and made them look like this for inbound:

Posted Image

and this for outbound:

Posted Image

Afterwards everything looked like this:

Posted Image

I went ahead and tested again, and when I disconnected from AirVPN, I had no internet service and everything was blocked. The firewall has to be shut off in order to have any access at this point to any internet. The original configuration and the modified one here both work equally the same. I tested the original on 4 Linux distros just to be sure, and all of them worked the same way, but if anyone has more input I would really appreciate it just to be sure I am not missing anything. I did the dnsleak test from here--------> http://www.dnsleaktest.com/ which resulted in 3 google servers from germany. Then I did another test from here--------> http://ip-check.info/?lang=en This was just to make sure everything was working and check the ip. This might be going into overkill at this point, but I am very satisfied with everything so far. Primarily, I am looking for input from everyone to see if I may have missed something on the 4 computers I tested this setup on and thank you as well for your input and this service I really like it a lot and plan on using it permanently.

Bravo! In my privacy book, I make a very similar presentation, except that I use Gufw. Basically, both Gufw and Firestarter simplify iptables for the masses and secures all connections--VPNs and proxies--from "leaks." The admin can vouch for my comments, since he has a copy of my book, which he bought some time ago, though I am not sure if he has finished reading it.

Nevertheless, there are things about Firestarte I dislike: too many bugs, too many disconnections, too much freezing, et al. There is a new version planned, which hopefully will improve things. In addition, there are some disadvantages to the Firestarter OpenVPN configuration, as opposed to the Gufw.

In addition, what do you think of the following from the Firestarter page?

Virtual Private Networking

Firestarter 1.0 does not support VPN configurations without some tweaking. VPN capability in Firestarter is currently planned for version 1.1.

And

OpenVPN

OpenVPN is an easy to use cross-platform VPN solution that is also Open Source. If OpenVPN is to be used on the computer that Firestarter is running on, traffic must be allowed to and from the OpenVPN virtual interface with the following lines:

# Allow traffic on the OpenVPN inteface

$IPT -A INPUT -i tun+ -j ACCEPT

$IPT -A OUTPUT -o tun+ -j ACCEPT

OpenVPN requires no configuration changes if it is used on the local network.

Share this post


Link to post

I went ahead and tested again, and when I disconnected from AirVPN, I had no internet service and everything was blocked. The firewall has to be shut off in order to have any access at this point to any internet.

This is what I was referring to in my previous post. Firestarter has too many problems. After disconnecting, the whole app goes off. Best to avoid Firestarter until version 1.1. (if even then).

Share this post


Link to post

I went ahead and tested again, and when I disconnected from AirVPN, I had no internet service and everything was blocked. The firewall has to be shut off in order to have any access at this point to any internet.

This is what I was referring to in my previous post. Firestarter has too many problems. After disconnecting, the whole app goes off. Best to avoid Firestarter until version 1.1. (if even then).

Hello,

Can you be a bit more specific about the Firestarter problems? Today is day 11 since I have been using this setup and I am not seeing Firestarter shut off on any Linux distro that I tested this on. After the VPN drops, all traffic is blocked and that was the objective. This is exactly what I needed and so far I am not experiencing any issues at all. Maybe you can try it yourself using the guide and let me know what you experience? What Linux Distro are you using? I have no problem copying your setup to find any issues. In fact today on my primary machine, I installed and I am using an experimental version of Linux from here--------> http://forums.linuxmint.com/viewtopic.php?f=61&t=113571

After the installation, I installed the firewall according to the guide and no problems. Let me know what distro you are using and I will try it on there as well.

Share this post


Link to post

What happened to Corsair's last post--it was deleted? Why?

Anyway, the configuration does not work. I have tried it as he laid it out but to no avail.

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.

Share this post


Link to post

What happened to Corsair's last post--it was deleted? Why?

Anyway, the configuration does not work. I have tried it as he laid it out but to no avail.

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.

Hello,

Please let me know what Linux Distribution you are using. I would like to configure it this way as well. As I said before I have tried 4, well 5 now if you count the new one I told you about earlier. In some cases you have to restart the computer, but I stated that in the guide as well. Looking forward to hearing from you again about your distro so I can test the configuration.

Share this post


Link to post

What happened to Corsair's last post--it was deleted? Why?

Anyway, the configuration does not work. I have tried it as he laid it out but to no avail.

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.

Hello,

Please let me know what Linux Distribution you are using. I would like to configure it this way as well. As I said before I have tried 4, well 5 now if you count the new one I told you about earlier. In some cases you have to restart the computer, but I stated that in the guide as well. Looking forward to hearing from you again about your distro so I can test the configuration.

I appreciate your concern. In truth, I have been testing Firestarter for this purpose for a long time now (long before you posted on this topic), with a variety of distributions, including Ubuntu and Linux Mint; but more importantly, it is not very important.

As I already stated, I already use a similar configuration (in my humble opinion, "better") with Gufw, which I think is more flexible and more secure. There are some things I like about Firestarter but the cons outweigh the pros. Even if you took the time to exam this closer, it would not be of any importance to me, since I do not use Firestarter and I prefer my configuration with Gufw. But to each his own.

Thank you.

Share this post


Link to post
Guest rbj

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.

 

As I already stated, I already use a similar configuration (in my humble opinion, "better") with Gufw, which I think is more flexible and more secure. There are some things I like about Firestarter but the cons outweigh the pros. Even if you took the time to exam this closer, it would not be of any importance to me, since I do not use Firestarter and I prefer my configuration with Gufw. But to each his own.

Thank you.

Hello Anonymous Writer. Would it be possible to get the set up instructions for Gufw (to do the same as Firestarter)? I've been trying to get Gufw to prevent leaks and stop traffic, but I don't know enough to figure it out. Basically I copied the Firestarter instructions and applied them to Gufw. That didn't work. Any directions, tutorials, websites would be greatly appreciated.

Share this post


Link to post

What happened to Corsair's last post--it was deleted? Why?

Anyway, the configuration does not work. I have tried it as he laid it out but to no avail.

My opinion about Firestarter has not changed. When you tinker with its rules, there is always some issue. There are better apps available for the Linux community.

Hello,

Please let me know what Linux Distribution you are using. I would like to configure it this way as well. As I said before I have tried 4, well 5 now if you count the new one I told you about earlier. In some cases you have to restart the computer, but I stated that in the guide as well. Looking forward to hearing from you again about your distro so I can test the configuration.

I appreciate your concern. In truth, I have been testing Firestarter for this purpose for a long time now (long before you posted on this topic), with a variety of distributions, including Ubuntu and Linux Mint; but more importantly, it is not very important.

As I already stated, I already use a similar configuration (in my humble opinion, "better") with Gufw, which I think is more flexible and more secure. There are some things I like about Firestarter but the cons outweigh the pros. Even if you took the time to exam this closer, it would not be of any importance to me, since I do not use Firestarter and I prefer my configuration with Gufw. But to each his own.

Thank you.

Hello,

I never saw your post with gufw and I cannot find it. I tried that as well, but could not get it to work the way I have firestarter working. In the past I tried iptables, gufw, webmin, and now firestarter. I have a working iptables configuration on ArchLinux, but I have to input commands to stop and start the firewall after disconnect. Firestarter is working well with the original configuration I posted and this is day 12. I will continue to use it, but as I said I have never seen a gufw configuration in this forum, only iptables.

Share this post


Link to post
Guest rbj

Worric's gufw

I've studied the screenshot and have read all day but I'm really stumped on how to write the first rule in the yellow box. All the others I figured out but I can't seem to figure out what I'm doing wrong on this one

I'm writing it like: sudo ufw allow in from 192.168.1.0/24 to eth0, I get 'bad destination address.' Yet if I reverse the rule it is accepted. I truly would appreciated help on this.

Frustrated AirVPN user

Share this post


Link to post
Guest rbj

What am I doing wrong writing this rule? "sudo ufw allow in from 192.168.1.0/24 to eth0" I keep getting bad destination address. I got all the others but I've researched and can't find any help on this.

Thanks to anyone willing to help a confused AirVPN'er.

Share this post


Link to post

Thanks for this! Another dumb question that may help RBJ....

The "192.168.1.0/24" address is for a subnet? Do we all use this address specifically or do we use our local router IP? Sorry, network newb here too. Not sure if the subnet/mask is referencing something on AirVPN or my local router?

(As an aside I noticed the screenshot and router settings for the DDWRT settings AVPN provides differ in the 3rd slot, one showing zero the other showing 255 - 255.255.255.0 vs. 255.255.0.0 - not sure if that means anything; of course I dont even know what a subnet mask is ;-))

Share this post


Link to post

Also, if I have a laptop with wifi, no bluetooth or hard ethernet cable. So do I just replace all these rules with the Wireless interface wlan0 instead of eth0 and tun0? Or does the home network somehow use another interface (does interface=communication device)?

Share this post


Link to post

Oh is tun0 the VPN and the other interface your internet connection? If we aren't doing any port forwarding, is that rule optional?

Share this post


Link to post

OK, I got everything to work except my network printer. Any ideas here? I assumed adding the local network stuff would allow that to work, but evidently not. Is that some other interface?

Share this post


Link to post

Ello

Soz, I've been quite busy these days, but I'll try to elaborate.

@rbj: The syntax is "sudo ufw allow in on eth0 from 192.168.1.0/24 to any"

@magnumpi: the 192.168.1.0/24 is indeed a subnet. It refers to the network containing the 255 addresses located between 192.168.1.1-192.168.1.255.

IF you have a different assignment of local addresses (say, 10.0.0.xxx) you should use those addresses instead (that is, 10.0.0.0/24)

if you want LAN traffic to work on your wireless adapter, then yes, you should use wlan0 instead of eth0 in the rules allowing your LAN addresses in and out.

The tun0 interface is 'the VPN interface' where internet traffic will go through. If you don't need or use the port forwarding feature of AirVPN, don't add the inbound rule on tun0 interface. But ofc keep the other rule.

Also, the subnet mask of 255.255.0.0 IS different from 255.255.255.0 in that it's a different size of network. If you don't have any specific reason for choosing 255.255.0.0, you should prolly change it back to 255.255.255.0 for a more standard setup and less confusion.

Your network printer should work as well, given that it's on the same LAN that your computer is on; all traffic to and from the LAN is allowed.

Share this post


Link to post

Worric,

I was too busy to thank you before for posting your setup. It works great and I have 2 setups which work well for me. The GUFW approach is definitely a lot easier than the firestarter approach so I would recommend it to anyone who is not familiar setting up a firewall on their system.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...