Tutorials and FAQs / Re: HOWTO - Routing Traffic over Private VPN
« on: September 22, 2017, 10:14:36 am »
As promised (most of it is the same as in the initial post from M4DM4NZ / but DNS leak and SMB/CIFS username
leak prevention is extra)
https://ipleak.net/
https://www.dnsleaktest.com/
http://witch.valdikss.org.ru/
https://browserleaks.com/ip
####################################################################
Firewall -> Aliases -> view [ add a new alias ]
[ Type ] Network
[ Name ] N_LOCALNETS
[ Description ] All local Networks
[ Aliases ]
192.168.x.x/XX (your local networks)
[SAVE]
[ add a new alias ]
[ Type ] Network
[ Name ] N_VPNUSER
[ Description ] All Hosts/Networks that should use VPN
[ Aliases ]
192.168.x.x/32 (your hosts or networks that should use VPN)
[SAVE]
[ add a new alias ]
[ Type ] Hosts
[ Name ] H_ALLOWED_DNS
[ Description ] allowed DNS Server
[ Aliases ]
10.4.0.1
10.5.0.1
10.30.0.1
10.50.0.1
[SAVE]
[ add a new alias ]
[ Type ] Ports
[ Name ] P_MS_CIFS_SMB
[ Description ] block some MS ports
[ Aliases ]
137
138
139
445
[SAVE]
####################################################################
Firewall -> NAT -> Outbound
[X] Manual outbound NAT rule generation
## change the rest later
####################################################################
System -> Trust -> Authorities [ Add or import CA ]
[ Descriptive name ] AIRVPN CA
[ Method ] import an existing
[ Certificate data ]
-----BEGIN CERTIFICATE-----
<ca> section from .ovpn config
-----END CERTIFICATE-----
[SAVE]
####################################################################
System -> Trust -> Certificates [ add or import certificate ]
[ Method ] import an existing
[ Descriptive name ] AIRVPN Client Auth
[ Certificate data ]
-----BEGIN CERTIFICATE-----
<cert> section from .ovpn config
-----END CERTIFICATE-----
[ Private key data ]
-----BEGIN RSA PRIVATE KEY-----
<key> section from .ovpn config
-----END RSA PRIVATE KEY-----
[SAVE]
####################################################################
VPN -> OpenVPN -> Clients:
[ Server Mode ] Peer to Peer (SSL/TLS)
[ Protocol ] UDP (or TCP)
[ Device mode ] tun
[ Interface ] WAN
[ Server host ] nl.vpn.airdns.org (or whatever region you like)
[ Server port ] 443 ( alternative 53/80/1194 )
[ Server host name resolution ] [X]
[ Description ] AIRVPN1
[ TLS Authentication ] [X] enable authentication
[ ] automatically generate
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
[ Peer Certificate Authority ] AIRVPN CA
[ Client Certificate ] AIRVPN Client Auth
[ Encryption algorithm ] AES-256-CBC (256 bit key, 128 bit block)
[ Auth Digest algorithm ] SHA1 (160bit)
[ Hardware Crypto ] No Hardware (AESNI is automatic)
[ Compression ] Disabled
[ Disable IPv6 ] [X]
[ Advanced ]
mssfix 1379; ## try to hide OpenVPN
fast-io; ## only for UDP
explicit-exit-notify 4; ## only UDP
server-poll-timeout 10;
key-direction 1;
key-method 2;
keysize 256;
prng SHA512 64;
remote-cert-tls server;
tls-version-min 1.2;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
reneg-sec 3600;
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
[SAVE]
####################################################################
VPN -> OpenVPN -> Clients: [ AIRVPN1 -> clone ]
[ Server host ] use a different server
[ Server port ] use a different Port ( IMPORTANT for different IP Pool https://airvpn.org/specs/ )
[ Description ] AIRVPN2
[SAVE]
####################################################################
Interfaces -> Assignments
New interface: ovpnc1 [ + ] (could be different if you have an openvpn server / use the last two)
New interface: ovpnc2 [ + ]
[ OPTx ]
[ Enable ] [x]
[ Description ] AIRVPN1
[ Block bogon networks ] [x]
[SAVE]
[ OPTx ]
[ Enable ] [x]
[ Description ] AIRVPN2
[ Block bogon networks ] [x]
[SAVE]
####################################################################
System -> Gateways -> All
[ AIRVPN1_VPNV6 ]
[ Disabled ] [x]
[ AIRVPN2_VPNV6 ]
[ Disabled ] [x]
[ AIRVPN1_VPNV4 ]
[ Disable Gateway Monitoring ] [ ] uncheck
[ AIRVPN2_VPNV4 ]
[ Disable Gateway Monitoring ] [ ] uncheck
####################################################################
System -> Gateways -> Group [ Add group ]
[ Group Name ] GRP_AIRVPN
[ Gateway Priority ]
[ AIRVPN1_VPNV4 ] [ Tier 1 ]
[ AIRVPN2_VPNV4 ] [ Tier 1 ]
[ Trigger Level ] Packet Loss or High Latency
[ Description ] GRP_AIRVPN Loadbalance
[SAVE]
[ Add group ]
[ Group Name ] GRP_AIRVPN_1_2
[ Gateway Priority ]
[ AIRVPN1_VPNV4 ] [ Tier 1 ]
[ AIRVPN2_VPNV4 ] [ Tier 2 ]
[ Trigger Level ] Packet Loss or High Latency
[ Description ] GRP_AIRVPN Failover 1 -> 2
[SAVE]
[ Add group ]
[ Group Name ] GRP_AIRVPN_2_1
[ Gateway Priority ]
[ AIRVPN1_VPNV4 ] [ Tier 2 ]
[ AIRVPN2_VPNV4 ] [ Tier 1 ]
[ Trigger Level ] Packet Loss or High Latency
[ Description ] GRP_AIRVPN Failover 2 -> 1
[SAVE]
####################################################################
Firewall -> Settings -> Advanced
[ Skip rules ] [x] Skip rules when gateway is down (IMPORTANT)
[ Sticky connections] [x] Use sticky connections (for loadbalance group)
####################################################################
Firewall -> NAT -> Outbound
[+]
[ Interface ] AIRVPN1
[ TCP/IP Version ] IPv4
[ Protocol ] any
[ Source address ] N_LOCALNETS
[ Destination invert ] [X]
[ Destination address ] N_LOCALNETS
[ Translation/target ] Interface address
[SAVE]
[ AIRVPN1 ] [CLONE]
[ Interface ] AIRVPN2
[SAVE]
####################################################################
Firewall -> Rules -> LAN (or whatever interface you want to force traffic to VPN /
repeat for other internal interfaces or group them and use the rules on the group interface )
[+]
[ Action ] block
[ Interface ] LAN (or LANGROUP)
[ TCP/IP Version ] IPv4
[ Protocol ] TCP/UDP
[ Source ] N_VPNUSER
[ Destination invert ] [X]
[ Destination ] N_LOCALNETS
[ Destination portrange] P_MS_CIFS_SMB
[ Description ] Block MS CIFS/SMB
[ Gateway ] GRP_AIRVPN (load balance)
[SAVE]
[+]
[ Action ] pass
[ Interface ] LAN (or LANGROUP)
[ TCP/IP Version ] IPv4
[ Protocol ] TCP/UDP
[ Source ] N_VPNUSER
[ Destination ] H_ALLOWED_DNS
[ Destination portrange] DNS DNS
[ Description ] Allow traffic to allowed DNS Server
[ Gateway ] GRP_AIRVPN (load balance)
[SAVE]
[+]
[ Action ] pass
[ Interface ] LAN (or LANGROUP)
[ TCP/IP Version ] IPv4
[ Protocol ] any
[ Source ] N_VPNUSER
[ Destination invert ] [X]
[ Destination ] N_LOCALNETS
[ Description ] force traffic over VPN
[ Gateway ] GRP_AIRVPN (load balance)
[SAVE]
####################################################################
Firewall -> NAT -> Port Forward
[ Interface ] LAN (or LANGROUP)
[ TCP/IP Version ] IPv4
[ Protocol ] TCP/UDP
[ Source ] N_VPNUSER
[ Destination invert ] [X]
[ Destination ] H_ALLOWED_DNS
[ Destination portrange] DNS DNS
[ Redirect Target ] single Host or Network
10.5.0.1 (or any other from the allowed DNS)
[ Redirect Target Port ] DNS
[ Description ] redirect all DNS to allowed DNS
[SAVE]
check results of https://ipleak.net/
https://www.dnsleaktest.com/
http://witch.valdikss.org.ru/
https://browserleaks.com/ip
EDIT: changed remove VPN default Gateway in advanced section
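Added example (not part of the post above) showing why the four "route ... 192.0.0.0 net_gateway" lines in the OpenVPN Advanced field keep the WAN as the system default route: they are /2 prefixes covering all of IPv4, so they beat the two /1 routes a server pushes with redirect-gateway def1 under longest-prefix match, while the LAN rules with Gateway GRP_AIRVPN still policy-route N_VPNUSER traffic into the tunnel. The pushed /1 routes are an assumption about what the VPN server sends, and "wan"/"vpn" are constructed gateway labels.

```python
import ipaddress

# The four routes from the HOWTO's OpenVPN "Advanced" field (network, netmask).
# 192.0.0.0 is a /2 mask, so together they cover every IPv4 address.
PINNED_WAN_ROUTES = [
    ("0.0.0.0", "192.0.0.0"),
    ("64.0.0.0", "192.0.0.0"),
    ("128.0.0.0", "192.0.0.0"),
    ("192.0.0.0", "192.0.0.0"),
]

# Assumed: what a server pushes with "redirect-gateway def1", i.e. two /1 routes
# that are meant to override the existing default route without replacing it.
PUSHED_VPN_ROUTES = [("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")]


def covers_all_ipv4(routes) -> bool:
    """True if the given (network, netmask) pairs collapse to 0.0.0.0/0."""
    nets = [ipaddress.ip_network(f"{n}/{m}") for n, m in routes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


def build_table(pin_wan: bool):
    """Routing table as (network, gateway): WAN default, optional pins, pushed VPN routes."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "wan")]
    if pin_wan:
        table += [(ipaddress.ip_network(f"{n}/{m}"), "wan") for n, m in PINNED_WAN_ROUTES]
    table += [(ipaddress.ip_network(f"{n}/{m}"), "vpn") for n, m in PUSHED_VPN_ROUTES]
    return table


def lookup(table, dst: str) -> str:
    """Longest-prefix match, as the kernel's forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for net, gw in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.10"):  # constructed sample destinations
        print(dst, "pinned ->", lookup(build_table(True), dst),
              "| unpinned ->", lookup(build_table(False), dst))
```

Without the pins, every non-local destination would leave via the tunnel for all hosts, not just N_VPNUSER; with them, only the policy-routed LAN rules decide who uses the VPN.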