
LEAKBLOCK HOWTO (Android and Ubuntu)

A core mission of cryptostorm is ensuring consistent, reliable network security with minimal fuss & drama. From DNS-based services like our DeepDNS in-browser native .onion/.i2p site access, through groundbreaking research on IPv6 leakblocking, to firewall-based structures that enable "fail-closed" security, this is where we discuss & develop cryptostorm-style leakblock tech.

Topic Author
Desu to the Strike

LEAKBLOCK HOWTO (Android and Ubuntu)

Post by Desu to the Strike » Fri Jul 18, 2014 2:05 pm

Message from: DesuStrike
I hereby invite the community helpers and staff to keep these reference charts and howtos up2date together with me.

Yet I ask for respecting two things:
1. Don't change the overall layout and/or style of my lists/posts
2. Don't change/remove my personal choice of words like "United States of NSA" or "Mother Russia"


Thanks and keep on being the most awesome people on the internets!
last updated: 28 December 2014


[ANDROID]

1. Get AFWALL+ from F-Droid or (if you must...) Play-Store.

2. In AFWALL+ set things up like this:
[screenshot: AFWALL+ setup]
3. In AFWALL+ settings set things like that:
[screenshot: AFWALL+ settings (1 of 3)]
[screenshot: AFWALL+ settings (2 of 3)]
[screenshot: AFWALL+ settings (3 of 3)]
4. ENABLE the Firewall!

5. In Arne Schwabe's OpenVPN for Android go to the settings tab and activate PERSISTENT TUN

6. DONE: You have the best possible leakblock on Android. It's not perfect but pretty solid and should keep you safe for 99,9% of the time.

7. Also read those posts:
-> viewtopic.php?p=9376#p9376
-> viewtopic.php?p=9416#p9416
-> The second guest post here: viewtopic.php?f=32&t=6245


[UBUNTU]


1. Create a text file named "iptables-vpn" in your home directory and paste this stuff: READ THE INFO IN THE DNS SECTION!

Code:

#!/bin/sh
#### removes all entries so we get a clean list
# (-F flushes the rules; the -P lines below then set the default policies)

iptables -F
ip6tables -F


#### by default all connections are blocked

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP


#### only the tunnel adapter is allowed

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT


#### local network stuff

# localhost and dnsmasq for ubuntu
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

iptables -A INPUT -s 127.0.1.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.1.1 -j ACCEPT

# Router
## Add your router's IP if you need to access it.
##iptables -A INPUT -s x.x.x.x -j ACCEPT
##iptables -A OUTPUT -d x.x.x.x -j ACCEPT

# other stuff
## basically add everything else on your local network you want to access or be accessed from.
##iptables -A INPUT -s x.x.x.x -j ACCEPT
##iptables -A OUTPUT -d x.x.x.x -j ACCEPT

#### DNS
## As long as we are connecting directly via IPs we don't need to whitelist those.
## There is an ongoing controversy about this procedure among the CryptoStorm community.
## If you are among those using hostnames you MUST uncomment the following lines.
##
##iptables -A INPUT -s 198.100.146.51 -j ACCEPT
##iptables -A OUTPUT -d 198.100.146.51 -j ACCEPT
##
##iptables -A INPUT -s 91.191.136.152 -j ACCEPT
##iptables -A OUTPUT -d 91.191.136.152 -j ACCEPT
##
##iptables -A INPUT -s 213.73.91.35 -j ACCEPT
##iptables -A OUTPUT -d 213.73.91.35 -j ACCEPT

#### VPN exit nodes (the tunnel handshake itself has to leave via the physical interface)

# Germany - Cantus
iptables -A INPUT -s 46.165.222.248 -j ACCEPT
iptables -A OUTPUT -d 46.165.222.248 -j ACCEPT

# Canada - Maple
iptables -A INPUT -s 198.27.89.56 -j ACCEPT
iptables -A OUTPUT -d 198.27.89.56 -j ACCEPT

# Iceland - Fenrir
iptables -A INPUT -s 79.134.235.133 -j ACCEPT
iptables -A OUTPUT -d 79.134.235.133 -j ACCEPT

# United States of NSA - NSA-Central
iptables -A INPUT -s 167.88.9.27 -j ACCEPT
iptables -A OUTPUT -d 167.88.9.27 -j ACCEPT

# United States of NSA - Emerald
iptables -A INPUT -s 23.19.35.14 -j ACCEPT
iptables -A OUTPUT -d 23.19.35.14 -j ACCEPT

# France - Onyx
iptables -A INPUT -s 212.83.167.81 -j ACCEPT
iptables -A OUTPUT -d 212.83.167.81 -j ACCEPT

# Portugal - Tagus/Lisbon
iptables -A INPUT -s 89.26.243.109 -j ACCEPT
iptables -A OUTPUT -d 89.26.243.109 -j ACCEPT

2. Put that file into your home folder, right-click on it and check "allow executing file as program"

3. In terminal run

Code:

sudo ./iptables-vpn
4. Check if the rules were added with

Code:

sudo iptables -S
5. Now run

Code:

sudo apt-get install iptables-persistent
6. Agree to import your existing rules.

7. DONE!

8. Also read the second guest post here: viewtopic.php?f=32&t=6245
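As an added example (not part of the guide and not cryptostorm's own tooling), here is the same leakblock written as a generator that emits the iptables-restore format, which is what iptables-persistent loads from /etc/iptables/rules.v4. It assumes the VPN runs over UDP port 443 and that the uplink is eth0; neither is stated in the guide, so adjust VPN_PROTO, VPN_PORT and WAN_IF to your config. It also goes a bit beyond the guide's rules: loopback is matched on the lo interface (which covers both 127.0.0.1 and Ubuntu's 127.0.1.1 dnsmasq stub), and each exit node is reachable only on the VPN port through the uplink instead of for any protocol.

```shell
#!/bin/sh
# Added example, not the guide's own script: build the leakblock as an
# iptables-restore file from a list of exit nodes instead of hand-written
# pairs of rules.
# Assumptions not stated in the guide: the VPN runs over UDP/443 and the
# physical uplink is eth0; override VPN_PROTO, VPN_PORT and WAN_IF as needed.

VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-443}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"

# Exit nodes as listed in the guide: "<name> <ip>" per line.
EXIT_NODES='cantus 46.165.222.248
maple 198.27.89.56
fenrir 79.134.235.133
nsa-central 167.88.9.27
emerald 23.19.35.14
onyx 212.83.167.81
tagus 89.26.243.109'

# Resolvers from the guide's DNS section. Only needed when the OpenVPN config
# names the server by hostname; set the list to empty when you connect by IP.
DNS_SERVERS='dns-1 198.100.146.51
dns-2 91.191.136.152
dns-3 213.73.91.35'

# Emit one ACCEPT on the uplink for every "<name> <ip>" line of $1 towards
# port $3 over protocol $2. Restricting the rule to the port means the node
# address can only be reached for the tunnel itself, not for arbitrary traffic.
allow_on_uplink() {
    printf '%s\n' "$1" | while read -r name ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "# $name"
        printf '%s\n' "-A OUTPUT -o $WAN_IF -d $ip -p $2 --dport $3 -j ACCEPT"
    done
}

# IPv4 rules: fail-closed policies, loopback, the tunnel, replies to the
# handshake, and the per-node / per-resolver exceptions.
gen_rules_v4() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' "-A INPUT -i $TUN_IF -j ACCEPT" "-A OUTPUT -o $TUN_IF -j ACCEPT"
    # replies to the VPN handshake come back on the uplink as ESTABLISHED
    printf '%s\n' "-A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    allow_on_uplink "$EXIT_NODES" "$VPN_PROTO" "$VPN_PORT"
    allow_on_uplink "$DNS_SERVERS" udp 53
    allow_on_uplink "$DNS_SERVERS" tcp 53
    printf '%s\n' 'COMMIT'
}

# IPv6 is dropped entirely, exactly as the guide's ip6tables -P DROP lines do.
gen_rules_v6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' 'COMMIT'
}

# Number of uplink ACCEPT rules towards destination port $1 (sanity check).
count_port_rules() { gen_rules_v4 | grep -c -- "--dport $1 "; }

# Usage: sh leakblock-gen.sh > rules.v4 && sudo iptables-restore < rules.v4
gen_rules_v4
```

Inspect the generated file before loading it; once iptables-persistent is installed, copying it to /etc/iptables/rules.v4 (and the output of gen_rules_v6 to rules.v6) keeps the leakblock across reboots. Whether the port restriction fits depends on which port and protocol your OpenVPN config actually uses; if you get a connect timeout after loading the rules, that variable is the first thing to check.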


marzametal
Posts: 432
Joined: Mon Aug 05, 2013 11:39 am

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by marzametal » Sat Jul 19, 2014 6:24 am

Wow, I will have to test this out... well part of it, the DNS Proxy is disabled in your screenshot!


vpnDarknet
Posts: 104
Joined: Thu Feb 27, 2014 2:42 pm

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by vpnDarknet » Sat Jul 19, 2014 6:58 am

Thanks for sharing this man :clap:

IP tables have always been a dark art to me, do I need to sacrifice a black cockerel at any point to ensure it works ;)
Buy your tokens via vpnDark.net and cryptostorm cannot and does not know anything about users - no link between a token & purchase details
Unofficial Wiki cryptostorm access guide
Ways to talk to me


vpnDarknet
Posts: 104
Joined: Thu Feb 27, 2014 2:42 pm

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by vpnDarknet » Sat Jul 19, 2014 3:59 pm

Desu, not sure if I'm following this correctly, but the file name leakblock-vpn is then referred to in your guide as iptables-vpn?

I'm running with leakblock-vpn set throughout, the tables are updated... but I can't seem to access the internet.

Only tested with Brunon though 46.165.222.248, which is included on the IP Table, and the DNS's I have set, that you provided earlier seem to be allowed too?

Any help appreciated


parityboy
Site Admin
Posts: 1254
Joined: Wed Feb 05, 2014 3:47 am

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by parityboy » Sat Jul 19, 2014 4:25 pm

@vpnDarknet

Those iptables rules are pretty similar to what I'm running. Can you connect to the VPN at all? If so, can you run "route" in a terminal and post the output here?


Topic Author
Desu to the Strike

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by Desu to the Strike » Sat Jul 19, 2014 10:34 pm

I indeed made two mistakes!

Could a moderator please edit my original post and correct it like this?

1. The file in the first step of Ubuntu guide has to be called "iptables-vpn"

2. In the iptables-vpn file you should add the following:

Code:

####local network stuff
#localhost and dnsmasq for ubuntu
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

iptables -A INPUT -s 127.0.1.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.1.1 -j ACCEPT

#Router (replace YOUR_ROUTER_IP with your router's address, e.g. the eth0 gateway shown by `route`)
iptables -A INPUT -s YOUR_ROUTER_IP -j ACCEPT
iptables -A OUTPUT -d YOUR_ROUTER_IP -j ACCEPT

#Printer and other stuff (one pair of rules per local host, replace CUSTOM_IP)
iptables -A INPUT -s CUSTOM_IP -j ACCEPT
iptables -A OUTPUT -d CUSTOM_IP -j ACCEPT


vpnDarknet
Posts: 104
Joined: Thu Feb 27, 2014 2:42 pm

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by vpnDarknet » Sun Jul 20, 2014 2:44 am

Thanks for your help with this guys

IP Table running, vpn UP

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.33.0.1       128.0.0.0       UG    0      0        0 tun0
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.33.0.0       *               255.255.0.0     U     0      0        0 tun0
128.0.0.0       10.33.0.1       128.0.0.0       UG    0      0        0 tun0
174.142.78.196  192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0


PING 174.142.78.196 (174.142.78.196) 56(84) bytes of data.
64 bytes from 174.142.78.196: icmp_seq=1 ttl=44 time=255 ms
64 bytes from 174.142.78.196: icmp_seq=2 ttl=44 time=259 ms
64 bytes from 174.142.78.196: icmp_seq=3 ttl=44 time=255 ms

ping: unknown host https://cryptostorm.ch/

No traffic through Firefox... is it related to DNS?
FF screen content:

Server not found

Firefox can't find the server at cryptostorm.ch.

Check the address for typing errors such as ww.example.com instead of www.example.com
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
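Added example (not code from any of the posters): a small diagnostic that reads the routing table vpnDarknet posted and a resolv.conf and reports, per nameserver, which path the lookup takes and therefore which firewall rule it depends on. The routing table is copied from the post; the resolv.conf lines are constructed (Ubuntu's 127.0.1.1 dnsmasq stub, one of the DNS addresses from the guide, and the router address from the table). The table itself shows the tunnel is up: both /1 halves of the default route point at tun0, which is how OpenVPN's redirect-gateway def1 overrides the default without deleting it, and the exit node 174.142.78.196 keeps a host route via eth0 so the tunnel can reach it. A resolver that works without the firewall and fails with it is therefore one the rules do not cover: 127.0.1.1 needs the loopback rules, and a router-hosted resolver leaves via eth0 and stays blocked unless whitelisted.

```shell
#!/bin/sh
# Added example, not from the thread: classify each nameserver in resolv.conf
# by the path the routing table gives it, so a "Server not found" that appears
# after enabling the leakblock can be traced to a missing rule.
# On a real host feed it the output of `route` and the contents of
# /etc/resolv.conf; the sample data below is constructed from the post.

# Constructed sample: the routing table from the post, as `route` prints it.
ROUTE_TABLE='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.33.0.1 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
10.33.0.0 * 255.255.0.0 U 0 0 0 tun0
128.0.0.0 10.33.0.1 128.0.0.0 UG 0 0 0 tun0
174.142.78.196 192.168.1.254 255.255.255.255 UGH 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 1 0 0 eth0'

# Constructed resolv.conf: the dnsmasq stub, a resolver from the guide's DNS
# list (reached through the tunnel) and the home router.
RESOLV_CONF='nameserver 127.0.1.1
nameserver 91.191.136.152
nameserver 192.168.1.254'

# Interface that wins the longest-prefix match for IP $1 in route table $2.
route_iface() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        function toint(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        # prefix length of a contiguous netmask (no bitwise ops needed, stays portable)
        function plen(m,  n, i, l) { n = toint(m); l = 0
            for (i = 31; i >= 0; i--) { if (n >= 2 ^ i) { n -= 2 ^ i; l++ } else break }
            return l }
        BEGIN { target = toint(ip); best = -1; iface = "none" }
        $3 !~ /^[0-9.]+$/ { next }           # skip the two header lines
        { dst = ($1 == "default") ? "0.0.0.0" : $1
          l = plen($3); shift = 2 ^ (32 - l)
          if (int(target / shift) == int(toint(dst) / shift) && l > best) { best = l; iface = $NF } }
        END { print iface }'
}

# Interface carrying both /1 halves of the redirect-gateway trick, i.e. the one
# that really owns the default path; "none" when the halves are missing or split.
redirect_iface() {
    printf '%s\n' "$1" | awk '
        $3 == "128.0.0.0" && ($1 == "default" || $1 == "0.0.0.0") { low = $NF }
        $3 == "128.0.0.0" && $1 == "128.0.0.0" { high = $NF }
        END { if (low != "" && low == high) print low; else print "none" }'
}

# loopback: needs the 127.x (or -i lo) ACCEPT rules; dnsmasq then still needs
#           its own upstream to be reachable.
# tunnel:   covered by the tun0 ACCEPT rules, works as soon as the VPN is up.
# direct:   leaves via the physical interface; blocked unless whitelisted.
classify_resolver() {
    case "$1" in
        127.*) echo loopback ;;
        *) case "$(route_iface "$1" "$2")" in
               tun*) echo tunnel ;;
               none) echo unroutable ;;
               *)    echo direct ;;
           esac ;;
    esac
}

# One line per nameserver in resolv.conf $1: "<ip> <class>".
check_resolvers() {
    printf '%s\n' "$1" | while read -r key value; do
        [ "$key" = nameserver ] || continue
        printf '%s %s\n' "$value" "$(classify_resolver "$value" "$2")"
    done
}

printf 'default path owned by: %s\n' "$(redirect_iface "$ROUTE_TABLE")"
check_resolvers "$RESOLV_CONF" "$ROUTE_TABLE"
```

Run it on the affected machine with `route` and `cat /etc/resolv.conf` substituted for the two constants; a "direct" line is the resolver that the leakblock is (correctly) stopping, and a "loopback" line tells you the 127.0.1.1 dnsmasq rules from the corrected guide are required.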


vpnDarknet
Posts: 104
Joined: Thu Feb 27, 2014 2:42 pm

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by vpnDarknet » Mon Jul 21, 2014 1:48 pm

Desu, you're a star, thanks dude :D
All working like a charm!


b3lt3r5
Posts: 24
Joined: Sun Dec 23, 2012 2:55 pm

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by b3lt3r5 » Mon Jul 21, 2014 6:17 pm

Desu to the Strike wrote: The very first thing you do is putting on some Orchestral Dubstep because following this guide makes you fucking awesome and thus you need some epic background music to emphasize your newly achieved awesomeness: http://www.youtube.com/watch?v=7sSarLmx-8s
This part here is FUCKING quality bro!
Damn near pissed myself reading that. :clap: :lol:


Topic Author
Desu to the Strike

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by Desu to the Strike » Mon Jul 21, 2014 6:49 pm

@vpnDarknet: Don't mention it! CryptoStorm is a collaborative project that greatly benefits from community input and other contributions. It's the time, energy and money the CS_team and the community together invest into it that makes it so great. You resell tokens. Others think of new CS-Projects, post news and provide support. I write guides. And the CS_team do their black magic voodoo arts. I feel pride in being part of this and all of you should as well! :clap:

@b3lt3r5: :D (I actually wrote my guide while listening to this. ;) )

@marzametal: Nope, the DNS Proxy setting is exactly how it has to be in my picture. Otherwise you risk Android falling back to your ISP provided DNS-Servers and thus leaking.


@CS_Support: Please remember fixing my first post as described in my second one!


marzametal
Posts: 432
Joined: Mon Aug 05, 2013 11:39 am

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by marzametal » Tue Jul 22, 2014 5:46 am

@Desu... can ya' make a HOW TO tutorial with a Hardstyle background? lmao... cheers for the info in relation to DNS Proxy, had no idea that fallback could occur if it is set to enabled auto.


DesuStrike
ForumHelper
Posts: 287
Joined: Thu Oct 24, 2013 2:37 pm

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by DesuStrike » Sat Dec 06, 2014 6:11 am

I'm so gonna fix this guide as soon as I get my mod powers back! It's only a handful of changes but I bet it frustrated many people who weren't able to run it because of them.
home is where the artillery hits


DesuStrike
ForumHelper
Posts: 287
Joined: Thu Oct 24, 2013 2:37 pm

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by DesuStrike » Wed Dec 10, 2014 1:51 am

Updated as promised. Enjoy


marzametal
Posts: 432
Joined: Mon Aug 05, 2013 11:39 am

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Post by marzametal » Sat May 02, 2015 3:55 pm

Any chance to get the Ubuntu IPTables section updated to reflect the new IPs and new exit nodes?
I am willing to try it on my VM, but I ain't a ubernix person... lol

If using Linux via VM, how would the rules be modified?
