

Staff

Member Since 04 Jun 2010
Online Last Active Today, 04:02 PM

Posts I've Made

In Topic: 2 connections to same server prevention?

19 January 2019 - 08:31 PM

Hello!

 

Probably the most direct solution is selecting specific server sets on each machine or different FQDNs on each device.

 

An automated solution from us is unlikely. Say that you connect to server A with some cert/key pair. Another machine of yours connects to the same server A with a different pair. If we banned the new machine from connecting (either at server level or (even worse) at client level by intrusions on your settings) we would be adding an intrusive feature which is unwanted by many users. Probably unacceptable, especially when you consider how easy it is to avoid this problem with your own mind.

 

Kind regards


In Topic: Server push `route 10.4.0.1`

19 January 2019 - 05:53 PM

Hello!

 

YES, the script rewrite for BSD looks like a perfectly suitable solution.

 

Kind regards


In Topic: 2 connections to same server prevention?

19 January 2019 - 05:42 PM

You can have multiple connections to the same server if you use different ports (at the server) or if you use different keys https://airvpn.org/devices/ .

 

 

Hello!

 

Additional updated information: with the latest implementation of the load balancing system, connecting to different ports does not necessarily imply connection to different OpenVPN daemons (it's the load balancing system that decides which CPU core and therefore which OpenVPN daemon you will be "assigned" to) so this method might not work anymore. Therefore, setting different keys for different devices is now the only "guaranteed working" solution.

 

 

However, multiple connections to the same server means port forwarding won't work unless Air comes up with the ability for us to direct which key/device the port forward goes to.

 

Correct, this limitation stays in any case.

 

Kind regards


In Topic: Server push `route 10.4.0.1`

18 January 2019 - 05:44 PM

Hello!

 

OpenVPN for Unix-like systems can't process the DNS push, so you need to process it by yourself. Since OpenVPN allows execution of your own scripts, some Linux-related ideas (they need resolvconf or openresolv, or systemd, which luckily has never spread into *BSD systems) are here:

https://wiki.archlinux.org/index.php/OpenVPN#Update_resolv-conf_script

 

In general: a script launched by OpenVPN event "up" (launched by OpenVPN directive "up") finds the DNS push from the server, stores the current DNS settings, and changes the system DNS according to the push. A script at VPN event "down" (triggered by directive "down") must restore the previous DNS settings of the system.

 

Kind regards
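
The up/down handling described in the post above, as an added example that is not part of the original post and is not AirVPN's or OpenVPN's own script. It assumes `/etc/resolv.conf` is a plain file not managed by resolvconf or systemd; the `RESOLV_CONF` and `BACKUP` paths and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not AirVPN's or OpenVPN's own script.
# RESOLV_CONF and BACKUP are hypothetical paths; override them from the environment.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/var/run/openvpn-resolv.conf.bak}"

# Print every pushed DNS address, one per line. OpenVPN exports pushed
# "dhcp-option" lines as foreign_option_1, foreign_option_2, ...
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#"dhcp-option DNS "}
                # The value is server-controlled: accept only characters that
                # can occur in an IP literal before it reaches resolv.conf.
                case "$addr" in
                    ""|*[!0-9A-Fa-f.:]*) ;;
                    *) printf '%s\n' "$addr" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
}

# "up": save the current settings once, then switch to the pushed servers.
dns_up() {
    servers=$(pushed_dns)
    [ -n "$servers" ] || return 0      # nothing pushed: leave the system alone
    [ -e "$BACKUP" ] || cp -p "$RESOLV_CONF" "$BACKUP" || return 1
    tmp="$RESOLV_CONF.tmp.$$"
    printf '%s\n' "$servers" | sed 's/^/nameserver /' > "$tmp" &&
        mv "$tmp" "$RESOLV_CONF"
}

# "down": restore the saved settings, if any.
dns_down() {
    [ -e "$BACKUP" ] || return 0
    cp -p "$BACKUP" "$RESOLV_CONF" && rm -f "$BACKUP"
}

# OpenVPN sets script_type to the event that launched the script.
case "${script_type:-}" in
    up)   dns_up ;;
    down) dns_down ;;
esac
```

The same file can be named in both the `up` and `down` directives of the client configuration; OpenVPN only runs user scripts when `script-security 2` is set.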


In Topic: Server push `route 10.4.0.1`

16 January 2019 - 10:22 AM

Other notes:

As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal.

 

Hello!

 

But that's exactly what happens in our service. Check the DNS pushed by the OpenVPN server and make sure that your client takes care of the DNS push (of course our software "Eddie" takes care of it).

 

Having DNS and VPN gateway addresses match will make attacks based on DNS hijack through route-injection doomed to fail (this is a vulnerability which affects as far as we know almost all of our competitors).

 

Kind regards

