TorGuard

All Activity


  1. Past hour
  2. How do I remove port 8081 from the VPN software? I require that port to be open on my local internet connection for remote access. With the VPN off the remote access works fine, but with the VPN enabled I lose all access to port 8081 via the local internet connection, and thus lose all access to my machine. This used to work fine with the Viscosity VPN but it does not work at all with TG Desktop v3.96.0. Any help to fix this would be greatly appreciated. cheers
  3. dani1

    Problem with payment - Ticket (#326531)

    Hi, No, the problem hasn't been solved yet. I was advised to wait, as the payments would probably clear after a couple of days, but they didn't, they were made effective and now, my banks and I are trying to recover the charges by lodging a claim to Visa. But it is a slow process and I am still waiting. Bit disappointed because my bank said it would have been easier to cancel them while they were still showing as pending.
  4. Today
  5. Dear Community,

    This tutorial guide details a dead simple GUARANTEED process to get the WIREGUARD Client up and running on the pfSense Firewall. Some of you may remember my work with GETDNS and STUBBY. This installation is for commercial WireGuard Clients ONLY ! - where creation of keys and how to exchange them is not needed. The keys are generated and managed by your WireGuard VPN service provider - in my case - TorGuard.

    1 - This is what I did and it worked out great. First go to https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ as pfSense is based on FreeBSD 11 - the current WireGuard release is version - July 2019 wireguard 0.0.20190702 . To get started install bash ( as it is needed by WireGuard-GO ):

        # pkg install bash

    Scroll down the page on the FreeBSD package website ( find wireguard and wireguard-go ). Then issue these commands:

        # pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-go-0.0.20190517.txz
        # pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-0.0.20190702.txz

    As I said, this will install the latest versions of these packages. We are now ready to get this going and up and running. Just follow these steps below:

    2 - To begin you need to get your WIREGUARD configuration files from the TORGUARD website. To do so login to your TORGUARD account, then go to Tools ( along the top of the Login Page ) and from the drop down menu click on Enable WIREGUARD Access. You will then be in your TorGuard Account Area. You will see this message along the top: "Below is a list of WireGuard VPN Servers, Please click enable in front of the servers you like to connect to, and use the returned keys shown to connect." Currently, TORGUARD offers WIREGUARD Servers in USA - New York ( quite actually situated in Clifton, New Jersey ), Asia - Singapore and Europe - UK. Click on your preferred Server - Enable WIREGUARD. This will result in a green box below the now grayed out box - which now states Disable WIREGUARD - naturally leave your server enabled as you want to connect to the now enabled server. Next, Download the Config file as the box allows you to do now that you have enabled your WIREGUARD Server. You will also see in the adjoining box the following ( columns Location / VPN Server / Keys / Manage ):

        Location: USA - New York 1
        VPN Server: 159.xx.xxx.xx:xxx
        Keys:
          Server Public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
          Your Private Key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
          Your Address: 10.xx.x.xxx/24

    3 - Now I used this guide as the template for my manual installation of WIREGUARD on OPNsense, see here: https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/ I will make this simple for you step by step. You may sing and / or hum along as we proceed.

    A - First - configure the WireGuard Client. TorGuard, AzireVPN, VPN.ac, Mullvad, IVPN, are commercial VPN providers which offer LIVE ! WireGuard Services now. I use TorGuard; here is a sample file. Keys are dummies - only used for illustrative purposes in this tutorial - use your real WireGuard configuration file here. Create the file by command line - # nano /usr/local/etc/wireguard/wg0.conf - and enter the configuration file below ( copy and paste ) - substitute your real one. Save and Close. Done with this file.

        # TorGuard WireGuard Config
        [Interface]
        PrivateKey = foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
        ListenPort = 51820
        DNS = 104.223.91.210
        Address = 10.xx.x.xxx/24

        [Peer]
        PublicKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
        AllowedIPs = 0.0.0.0/0
        Endpoint = 159.xx.xx.xxx:xxx
        PersistentKeepalive = 25

    B - Secondly, run this command via SSH ( wireguard-go is in the package and this action creates the wireguard interface ):

        # wg-quick up wg0

    You may also run # wireguard-go wg0 to create wg0 - however, I prefer to use the first method mentioned here.

    4 - Configure the WireGuard Service with rc.d - for automatic startup/shutdown of the tunnel. In order to achieve this there's already an rc.d script /usr/local/etc/rc.d/wireguard which came with the wireguard package. You need to issue this command:

        # mv /usr/local/etc/rc.d/wireguard /usr/local/etc/rc.d/wireguard.sh

    then enter the file - # nano /usr/local/etc/rc.d/wireguard.sh - then go to the bottom of the file - lines 46 and 47 - change:

        : ${wireguard_enable="NO"}

    to:

        : ${wireguard_enable="YES"}

    and then add wg0 on line 47:

        : ${wireguard_interfaces=""}

    to:

        : ${wireguard_interfaces="wg0"}

    ( wgZero ) - Save and Close - Make it executable, I run two commands - it works for me:

        # chmod a+x /usr/local/etc/rc.d/wireguard.sh
        # chmod 744 /usr/local/etc/rc.d/wireguard.sh

    Done with this file.

    5 - Now head to the pfSense WEBGUI in order to configure the Wireguard Interface ( created earlier ) and FireWall Rule.

    First, go to Interfaces > Assignments - you will see the wg0 interface - click the (+) add button / symbol. Once the wg0 interface is listed as OPT ( 1 - 2 depending on your setup ) - Click underneath it - enter a check in " Enable interface " - and enter a description - I call mine " WIRE " - DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.

    Second - Firewall Rule - go to Firewall > NAT > Outbound. Once on this Landing Page put a Dot in the radio button Hybrid outbound NAT rule generation - Click on Save - Do Not - Repeat Do Not Click Save and Apply At This Time - Instead Click on the Add Square with Up Arrow ( underneath Mappings ). On the page which opens change Interface from WAN in the drop down menu to your Wireguard ( wg0 ) Interface which you created and labeled previously - in this example " WIRE ". Next - Change Source Address to " LAN NET ". You must manually enter your LAN NET. For example if your LAN Address is 192.168.11.10 - then enter 192.168.11.0/24. Finally, set ( leave ) Translation/target to Interface address. Enter a Description - e.g. " Made For Wire " - now Click " Save " at the bottom of the page. You will be taken back to the Firewall:Nat:Outbound Landing Page - Click on " Apply Changes " in the right upper hand corner - Done with Firewall Rule for LAN. Repeat this Firewall Rule Operation for all of your other LAN Interface Subnets if you choose to do so.

    6 - Your WireGuard Client is now installed and ready - you must enter this command in order to start it up:

        # /usr/local/etc/rc.d/wireguard.sh restart

    Lastly, issue the command # wg show which prints out your WireGuard Connection statistics and configuration. Sample output for wg show below:

        interface: wg0
          public key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
          private key: (hidden)
          listening port: 51820

        peer: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
          endpoint: 159.x.xxx.xxx:xxx
          allowed ips: 0.0.0.0/0
          latest handshake: 1 minute, 46 seconds ago
          transfer: 3.35 MiB received, 859.23 KiB sent
          persistent keepalive: every 25 seconds

    7 - The Catch 22: Good and Bad News. When you reboot your pfSense FireWall, the WireGuard interface will be removed. Further you will be asked and required to " Assign Interfaces " again. You will see this message: Network interface mismatch - Running interface assignment option - In order to get your WireGuard VPN up and running again simply follow these steps after reassigning your vlans ( if you have any ), WAN, and LAN interfaces. All your network configurations will have been preserved including your firewall rules, addresses and so on.

    A - Remember your WireGuard interface ( wg0 ) was removed on reboot. So, simply repeat this step to add it again: In the pfSense WEBGUI go to Interfaces > Assignments - you will see the wg0 interface - click the (+) add button / symbol. Once the wg0 interface is listed as OPT ( 1 - 2 depending on your setup ) - Click underneath it - enter a check in " Enable interface " - and enter a description - I call mine " WIRE " - DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.

    B - In order to get WireGuard up and running again - simply issue this command once again:

        # /usr/local/etc/rc.d/wireguard.sh restart

    You do not have to recreate any of your Firewall Rules as they are all still there. Your WireGuard VPN connection is now reestablished.

    Last Notes and Thoughts: I realize that this implementation is not perfect albeit it works. I run OpenVPN on pfSense as well. You must disable the OpenVPN client before and when running WireGuard. I will write up a tutorial to switch between OpenVPN and WireGuard on pfSense. Currently, I am running WireGuard on a pfSense 2.5.0 Development SnapShot VmWare Machine. pfSense 2.5.0 is based on FreeBSD 12 - so you must modify the URLs thusly and get the packages from: https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ If anyone can provide me with a solution that will allow the WireGuard interface ( wg0 ) the ability to survive a reboot; I will be most appreciative and edit this tutorial to include that solution.

    Peace and Grace Be Unto All God's Creation
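    The post above brings the tunnel up by hand and checks it with a one-off "wg show". As an added example (not part of the forum post, and not TorGuard's or pfSense's own tooling), the script below wraps the two checks an operator would actually want to automate on a pfSense/FreeBSD box: a pre-flight validation of wg0.conf before "wg-quick up wg0" (0600 permissions on the file holding the private key, both keys decoding to exactly 32 bytes, an Endpoint in host:port form), and a handshake-freshness check built on "wg show wg0 latest-handshakes" that a cron job can run to notice a tunnel that died silently, for instance after the reboot problem described in step 7. It assumes POSIX sh with base64(1), awk(1) and sed(1). The keys are the post's own dummy keys; the sample endpoint 192.0.2.10, the 10.0.0.2/24 address and the handshake timestamp are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the forum post: pre-flight checks for a WireGuard
# client config on pfSense/FreeBSD plus a handshake-staleness check for cron.
# Assumes POSIX sh, base64(1), awk(1), sed(1) and the wg0.conf layout shown in
# the post. Keys are the post's dummies; endpoint and timestamps are constructed.

# A WireGuard key is exactly 32 bytes, base64-encoded.
wg_key_ok() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" = "32" ]
}

# Validate a wg0.conf before "wg-quick up wg0": the file holds a private key, so
# it must be mode 0600; both keys must decode to 32 bytes; the peer needs an
# Endpoint in host:port form. Prints the first problem found and returns 1.
wg_conf_check() {
    f=$1
    perm=$(ls -l "$f" | cut -c1-10)
    [ "$perm" = "-rw-------" ] || { echo "$f: mode should be 0600, is $perm"; return 1; }
    priv=$(sed -n 's/^PrivateKey *= *//p' "$f")
    pub=$(sed -n 's/^PublicKey *= *//p' "$f")
    wg_key_ok "$priv" || { echo "$f: PrivateKey is not a 32-byte key"; return 1; }
    wg_key_ok "$pub"  || { echo "$f: peer PublicKey is not a 32-byte key"; return 1; }
    grep -q '^Endpoint *= *[^ ]*:[0-9][0-9]*$' "$f" || { echo "$f: Endpoint must be host:port"; return 1; }
}

# "wg show wg0 latest-handshakes" prints "<peer-public-key><TAB><unix-time>" per
# peer, 0 meaning no handshake yet. Returns non-zero if any peer's last handshake
# is older than $2 seconds relative to the timestamp in $3. Live use:
#   wg_handshake_fresh "$(wg show wg0 latest-handshakes)" 180 "$(date +%s)"
wg_handshake_fresh() {
    printf '%s\n' "$1" | awk -v max="$2" -v now="$3" '
        $2 == 0        { bad = 1; print "peer " $1 ": no handshake yet"; next }
        now - $2 > max { bad = 1; print "peer " $1 ": last handshake " (now - $2) "s ago" }
        END { exit bad }'
}

# Constructed sample config (dummy keys from the post, documentation endpoint).
write_sample_conf() {
    cat > "$1" <<'EOF'
# TorGuard WireGuard Config (sample, dummy keys)
[Interface]
PrivateKey = foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
ListenPort = 51820
Address = 10.0.0.2/24

[Peer]
PublicKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 25
EOF
    chmod 600 "$1"
}
# Constructed "latest-handshakes" line: the post's peer key, handshake at t=1563000000.
SAMPLE_HANDSHAKES=$(printf '%s\t%s' '62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=' 1563000000)

# Offline demo: validate the sample file, then judge the handshake 100 s and
# 400 s after it was recorded against a 180 s limit (keepalive is 25 s).
demo() {
    d=$(mktemp -d)
    write_sample_conf "$d/wg0.conf"
    wg_conf_check "$d/wg0.conf" && echo "wg0.conf: OK"
    wg_handshake_fresh "$SAMPLE_HANDSHAKES" 180 1563000100 && echo "handshake: fresh"
    wg_handshake_fresh "$SAMPLE_HANDSHAKES" 180 1563000400 || echo "handshake: STALE, restart the tunnel"
    rm -rf "$d"
}
demo
```

    With PersistentKeepalive = 25 a healthy peer re-handshakes at least every couple of minutes, so a 180 s limit flags a dead tunnel without false alarms on an idle link; on failure the cron job can run the same /usr/local/etc/rc.d/wireguard.sh restart the post uses.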
  6. GaMbi

    Selecting Fastest Server

    4 years later
  7. Support

    IP set up changing to port 80.

    Dave, we have a fix coming today for the duplicate IP issue. It will be pushed within the next 2 hours. Regards
  8. Got instructions to setup my router to use VPN but being totally computer-ignorant can not make the connection. Is there a simple way to get my router to use Torguard?
  9. Yesterday
  10. bigdave05

    IP set up changing to port 80.

    Is anyone having issue where they have multiple IP's with same set up but different ports. I have three IP's with same set up using ports 433, 80 and 1912. It was all fine until new software and now all keep changing to port 80 and start up, which isn't great as all have same IP now. Torguard don't seem interested as they have said all three can't connect at same time, not really the point tho.
  11. Support

    Melbourne Server

    Hello, We decided to look for a new DC/provider in this area - we will keep users updated when there is an eta on when that will happen. Regards
  12. Support

    Could not block outside DNS-Servers

    Did you try a simple reboot after the update? That normally clears it up. Regards
  13. Last week
  14. Treebear

    Melbourne Server

    I am also a Tassie user. Same Issue, Melbourne server disappeared! It was working yesterday 19th July. Was looking at the server status list https://torguard.net/network/ and it doesn't appear there either. Doesn't look good :(
  15. Well that worked! o.0 Been using this vpn for months and I have been using email and a password that was given to me! So weird, I must be going crazy!
  16. The username and password used to login to the website and the VPN are different. Please try going to > https://torguard.net/managecredentials.php That link should lead you to the page where you can set it up.
  17. This issue is really annoying. I'm copying my username and password into the website and I log in fine, but when I copy it to the client it says it's wrong. 😡
  18. I agree as well, such an issue is really important. As much as I enjoy using torguard, I'm sure privacy takes a higher priority.
  19. Parsley

    Melbourne Server

    Indeed it is! How long have you been using torguard from down here? Have been using the Sydney server, but it isn't as fast as Melbourne. Just hoping that they add more servers soon!
  20. Flyingturkey

    Could not block outside DNS-Servers

    Recently updated torguard a month ago. I hadn't updated in a while and I have been receiving "Could not block outside DNS-Servers, please check your firewall settings". Nothing has been changed in my firewall forever. Running win-7. Not sure what is causing this.
  21. mrneilypops

    DDWRT router disconnects

    I have submitted a ticket now and your excellent support staff are assisting. I will update this thread if I find anything 'of use/amazing'
  22. Hello, Did you manage to get this set up? If not please submit a ticket here https://torguard.net/submitticket.php and we will be happy to login and set it up for you. Regards
  23. Support

    DDWRT router disconnects

    Hello, Maintenance was finished some time ago - did you submit a support ticket by chance? Regards
  24. mrneilypops

    DDWRT router disconnects

    Hi, Is it possible that my daily reconnects to my streaming IP are due to your ongoing maintenance work? This has been happening over the last 2 weeks approximately I have to reboot the router every morning to reconnect. Once connected the router stays up all day... This did not happen very often in the past. I have 'keep alive' enabled in my DDWRT router. P.S. I have updated my DDWRT config/certificate as per your recent instructions.
  25. Dan_C

    Disappointed

    About Netflix, you need to buy a streaming IP or residential IP for the US, then it works. I have one and have been using it for the last 1 year with no problem. As I understand it you only get the Amazon Prime library in the country you live in no matter where you are; when I tried it all I got was the UK.
  26. Tama

    Disappointed

    I have been using this just for 5 days and from what I have experienced this isn't what I was expecting. In Netflix it doesn't work in the US, in Spain and in any country I tried except Japan. Also Amazon Prime Video didn't work in any country. And I request 2 things: a solution with Netflix and Amazon Prime or the money I expended on this service.
  27. pfsense original post here: https://forum.netgate.com/topic/144992/pfsense-dns-over-tls-updated-now-dead-simple ( also read johnpoz replies )

    pfSense DNS OVER TLS UPDATED NOW ! DEAD SIMPLE

    Dear Community,

    NOW ! is the time for all of US ( A ) to GET INVOLVED and act with SOUL POWER ! - lyrics to sing along: https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video: https://www.youtube.com/watch?v=SmrZRcfYWvA

    I noticed on https://www.freshports.org/dns/getdns/ that ever since getdns 1.5.2_1 - stubby is included in the package by default. PLEASE TAKE SPECIAL NOTE UNDER Commit History: "- Update to 1.5.2 - Build with STUBBY by default due to popular demand". This got me to thinking about how to install DNS Privacy DNS OVER TLS on pfSense ( Special Thanks and Kudos to Ryan Steinmetz aka zi - the port maintainer and developer of getdns on FreeBSD ).

    This is an updated guide / tutorial which explains how to set up DNS-Over-TLS support for pfSense - Please disregard and do not use any guides and / or tutorials which pre-date this one which covers installation and configuration of DNS Privacy on the pfSense FireWall. I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here: https://getdnsapi.net/ https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates:

    "Unbound As A DNS TLS Client Features: Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder)."

    These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt I always set up DNS OVER TLS first before configuring OpenVPN on pfSense - this DNS solution works flawlessly with OpenVPN. So here we go. So let's get started - just follow these steps below in order to install and configure getdns and stubby on your pfSense FireWall. I did the following and it worked out great.

    1 - There are four dependency packages required before actually installing the getdns package. Two are available in the pfSense package repositories and two from the FreeBSD repository. Lastly the getdns package itself is also in the FreeBSD repository. So to begin enter these commands below in order:

        A # pkg install libuv
        B # pkg install libyaml

    Go to https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ as pfSense is based on FreeBSD 11 -

        C # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libev-4.24,1.txz
        D # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn-1.35.txz

    Lastly, install getdns along with stubby:

        E # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/getdns-1.5.2_1.txz

    GetDNS and Stubby are now installed on the pfSense FireWall. In order to configure UNBOUND along with stubby ( and getdns ) follow the steps below.

    1 - Now Ryan Steinmetz aka zi - the port maintainer and developer of this port was kind enough to include a start up script ( stubby.in ) for this package. See the stubby.in here in the raw: https://svnweb.freebsd.org/ports/head/dns/getdns/files/stubby.in?view=markup. All I had to do was ask him and he did for any and all who elect to use this great piece of FreeBSD software.

    2 - Now to put all of this together. The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs the Unbound root.key - run this command before getting started:

        # su -m unbound -c /usr/local/sbin/unbound-anchor

    Then -

    A - Issue this command:

        # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh

    Make it executable - I run two commands - it works for me:

        # chmod 744 /usr/local/etc/rc.d/stubby.sh
        # chmod a+x /usr/local/etc/rc.d/stubby.sh

    B - Yes you must enable the Stubby Daemon in the file - open the file by: nano /usr/local/etc/rc.d/stubby.sh - go to line 27:

        : ${stubby_enable="NO"}

    change the setting to:

        : ${stubby_enable="YES"}

    - that is all you have to do to this file. It comes pre-configured. Save and exit.

    3 - You can and should also check the real time status of the DNS Privacy Servers as they are experimental and are not always stable - you can monitor DNS TLS Servers Real Time Status here below: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that "Also, it is good to set up some servers that listen on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses." Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml

    VERY IMPORTANT UPDATE: After checking, rechecking and then triple checking on this website mentioned above: https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line is that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and the importance of TLSv1.3: https://kinsta.com/blog/tls-1-3/ I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is:

        nano /usr/local/etc/stubby/stubby.yml

        resolution_type: GETDNS_RESOLUTION_STUB
        round_robin_upstreams: 1
        tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
        tls_query_padding_blocksize: 128
        edns_client_subnet_private: 1
        idle_timeout: 60000
        listen_addresses:
          - [email protected]
        dns_transport_list:
          - GETDNS_TRANSPORT_TLS
        tls_connection_retries: 5
        tls_backoff_time: 900
        timeout: 2000
        upstream_recursive_servers:
        # IPV4 Servers
        ### DNS Privacy Test Servers ###
        # The DNS Warden DNS TLS Primary Server
        # alternate tls_auth_name: adblock-dot.dnswarden.com and dot1.dnswarden.com
          - address_data: 116.203.70.156
            tls_auth_name: "uncensored-dot.dnswarden.com"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0=
        # The DNS Warden DNS TLS Secondary Server
        # alternate tls_auth_name: adblock-dot.dnswarden.com and dot2.dnswarden.com
          - address_data: 116.203.35.255
            tls_auth_name: "uncensored-dot.dnswarden.com"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0=
        ### Test servers ###
        # The BlahDNS German DNS TLS Server
          - address_data: 159.69.198.101
            tls_auth_name: "dot-de.blahdns.com"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: RzMGlPVE8DlsiA9DQRuW9CoVkwFBjS8j+we5PZ3eE0c=
        # The BlahDNS Japan DNS TLS Server
          - address_data: 108.61.201.119
            tls_auth_name: "dot-jp.blahdns.com"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: 427fIEGdHRXL9C6i+PzEk+CstsrmNGXJaAnu9ECu+Hk=
        ## The Surfnet/Sinodun DNS TLS Server
          - address_data: 145.100.185.18
            tls_port: 853
            tls_auth_name: "dnsovertls3.sinodun.com"
            tls_pubkey_pinset:
              - digest: "sha256"
                value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
        # The securedns.eu DNS TLS Server
        # alternate tls_auth_name: ads-dot.securedns.eu
          - address_data: 146.185.167.43
            tls_auth_name: "dot.securedns.eu"
            tls_port: 853
            tls_pubkey_pinset:
              - digest: "sha256"
                value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
        # The dns.seby.io - Vultr DNS TLS Server
          - address_data: 139.99.222.72
            tls_auth_name: "dot.seby.io"
            tls_port: 853
            tls_pubkey_pinset:
              - digest: "sha256"
                value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw=
        # The Primary appliedprivacy.net DNS TLS Server
          - address_data: 37.252.185.232
            tls_auth_name: "dot1.appliedprivacy.net"
            tls_port: 443
            tls_pubkey_pinset:
              - digest: "sha256"
                value: TvTo5uauOH66/Vnxl2QHwBhN9xdU0Zp1Jeqi+byC1p4=
        # The Secure DNS Project by PumpleX DNS TLS Server
          - address_data: 51.38.83.141
            tls_auth_name: "dns.oszx.co"
            tls_port: 853
            tls_pubkey_pinset:
              - digest: "sha256"
                value: yevnTQfRqEOU1W8rUBABZRgToMgAwRn0eH7zJeBcq0s=
        # The ibksturm DNS TLS Server
          - address_data: 178.82.102.190
            tls_auth_name: "ibksturm.synology.me"
            tls_port: 853
            tls_pubkey_pinset:
              - digest: "sha256"
                value: TjpalBJr0Ir27Dr59lXky4PXN0yTAoW92ddF8lBxYBQ=

    Save and Exit.

    All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under the " Logging " column.

    Use either or both of these two methods to verify QNAME Minimisation:

    A - Run command: drill txt qnamemintest.internet.nl

    and / or

    B - Run command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for a more complete readout including DNSSEC results ). AD = Authenticated Data ( for DNSSEC only; indicates that the data was authenticated ).

    The results in any of these scenarios will show either: "HOORAY - QNAME minimisation is enabled on your resolver :)!" or "NO - QNAME minimisation is NOT enabled on your resolver :(." Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4 You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration.

    Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually. These settings are entered under Unbound " Custom Options":

        qname-minimisation: yes
        qname-minimisation-strict: yes
        harden-below-nxdomain: yes

    4 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.

    UNBOUND GENERAL SETTINGS - Network Interfaces = Select ALL ! Under Custom options enter the following:

        server:
          do-not-query-localhost: no
        forward-zone:
          name: "."    # Allow all DNS queries
          forward-addr: [email protected]
        ## END OF ENTRY

    Outgoing Network Interfaces = Select ALL ! Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings.

    Next - Under System > Settings > General Settings set the first DNS Server to 127.0.0.1 with no gateway selected / Make sure that DNS server option A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not - I repeat - Is Not Checked ! and DNS server option B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall - Is Not - I repeat - Is Not Checked ! I now only run 127.0.0.1 ( Localhost ) configured as the only DNS SERVER on my WAN interface. If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried. I only want to use Stubby yml Name Servers for DNS TLS, so this was the determinative factor in my reasoning and decision. - Save and Apply Settings.

    C'est Fini C'est Si Bon C'est Magnifique. Reboot your router just to be sure.

    Lastly, you can check your DNS at GRC DNS Nameserver Spoofability Test - DNSLeak.com - or any such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.

    VERY IMPORTANT TIP: Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares:

    "DoT servers - The following servers are experimental DNS-over-TLS servers. Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!"

    For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time. There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the yellow section entitled What is DNS OVER TLS, click on it and it will open up. When you do it will state some general information, but what you want to pay attention to is this section: How to get SPKI

        gnutls-cli --print-cert -p 853 185.49.141.37

    - where you must pkg install gnutls - OR

        echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

    Remember to change the port to 443 or the port for IPV6 if different than the standard 853 where applicable.

    https://www.dnsleaktest.com/
    https://www.perfect-privacy.com/dns-leaktest
    https://cryptoip.info/dns-leak-test
    https://www.grc.com/dns/dns.htm
    https://www.vpninsights.com/dns-leak-test
    and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test
    https://bash.ws/dnsleak/test/

    Now all you need to do is run a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers, both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider, will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security. Special thanks to all who helped me with this project. Thank you all and God Bless Always In Peace, ubernupe
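    The post's "VERY IMPORTANT TIP" is that the SPKI pins in tls_pubkey_pinset go stale on certificate renewal and must be re-verified by hand. As an added example (not part of the forum post, and not getdns/Stubby tooling), the script below turns the one-liner the post quotes from blahdns.com into a re-check of every upstream in a stubby.yml: it parses each address_data / tls_auth_name / tls_port / value group, fetches the certificate the server presents, computes base64(sha256(DER SubjectPublicKeyInfo)) and reports OK or MISMATCH per server. It assumes POSIX sh, openssl(1) and awk(1), and the stubby.yml layout shown in the post. So that it runs offline, the demo generates a self-signed certificate locally and uses constructed entries (192.0.2.53 / dot.example.test and 198.51.100.53 / dot2.example.test); the fetch step is a parameter, so the same check_stubby_pins runs against real servers when given cert_from_server.

```shell
#!/bin/sh
# Added example, not part of the forum post: re-verify the SPKI pins of every
# upstream in a stubby.yml using the openssl pipeline the post quotes.
# Assumes POSIX sh, openssl(1), awk(1) and the post's stubby.yml layout. The
# certificate, addresses and host names in the demo are constructed locally.

# SPKI pin = base64( sha256( DER-encoded SubjectPublicKeyInfo ) ). Reads a PEM
# certificate on stdin and prints the pin in "tls_pubkey_pinset" form.
spki_pin() {
    openssl x509 -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# Fetch a live DoT server's leaf certificate as PEM: $1 = address, $2 = port,
# $3 = tls_auth_name (sent as SNI so the server presents the matching cert).
cert_from_server() {
    echo | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null | openssl x509
}

# Print one "address port auth_name pin" line per upstream in a stubby.yml.
# Comment lines are skipped; tls_port defaults to 853 when not given.
parse_stubby_upstreams() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*-[ \t]*address_data:/ { addr = $NF; port = 853; name = ""; next }
        /tls_auth_name:/ { name = $NF; gsub(/"/, "", name); next }
        /tls_port:/      { port = $NF; next }
        /value:/ && addr != "" { pin = $NF; gsub(/"/, "", pin); print addr, port, name, pin; addr = "" }
    ' "$1"
}

# Compare each configured pin with the pin of the certificate the server
# presents. $2 names the command that returns a PEM certificate for
# "address port auth_name" (cert_from_server for real use). Returns 1 if any
# server's pin no longer matches, so the check can be scheduled from cron.
check_stubby_pins() {
    report=$(parse_stubby_upstreams "$1" | while read -r addr port name pin; do
        actual=$("$2" "$addr" "$port" "$name" | spki_pin)
        if [ "$actual" = "$pin" ]; then
            echo "OK       $name ($addr:$port)"
        else
            echo "MISMATCH $name ($addr:$port): configured $pin, server presents $actual"
        fi
    done)
    printf '%s\n' "$report"
    case $report in *MISMATCH*) return 1 ;; esac
    return 0
}

# --- constructed fixtures for the offline demo ---------------------------
make_test_cert() {   # self-signed certificate and key written into directory $1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dot.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}
write_sample_stubby() {   # $1 = file, $2 = pin for entry 1, $3 = pin for entry 2
    cat > "$1" <<EOF
resolution_type: GETDNS_RESOLUTION_STUB
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
upstream_recursive_servers:
  # constructed entry (documentation address), explicit port
  - address_data: 192.0.2.53
    tls_auth_name: "dot.example.test"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: $2
  # constructed entry without tls_port, so 853 is assumed
  - address_data: 198.51.100.53
    tls_auth_name: "dot2.example.test"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: $3
EOF
}

demo() {
    d=$(mktemp -d)
    make_test_cert "$d"
    pin=$(spki_pin < "$d/cert.pem")
    echo "pin of local test certificate: $pin"
    local_cert() { cat "$d/cert.pem"; }      # stands in for cert_from_server
    # entry 1 carries the current pin, entry 2 a stale one: expect OK then MISMATCH
    write_sample_stubby "$d/stubby.yml" "$pin" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    check_stubby_pins "$d/stubby.yml" local_cert || echo "at least one pin needs updating"
    rm -rf "$d"
}
demo
```

    For a real run replace local_cert with cert_from_server; a MISMATCH then means either the operator renewed the certificate (update the pin from the server's own published value, not from the pin you just computed, so that a man-in-the-middle cannot feed you its key) or the connection is being intercepted, and Stubby with GETDNS_AUTHENTICATION_REQUIRED will already be refusing that upstream.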
  28. Taurean

    TorGuard Client v3.96.0

    This was first requested by someone else more than 3 years ago, though.
  29. Support

    TorGuard Client v3.96.0

    This will come but we have many (essential) features on the go that we want to get out very soon. The fix is included yes as it was in the previous release. Regards