Your Freedom User Guide
Page 46 of 52
2.9.3.2 Know your networking environment
If you are behind a firewall and need to be able to reach servers that have Internet IP
addresses but are not reachable from the Internet, you need to add route exclusion
lines to your config file (see chapters 2.5.2 and 2.5.3 on page 33).
99% of all users won’t have to configure excludes. All non-Internet IP addresses are
automatically excluded anyway (this covers 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16). Networks that are already routed on your PC are excluded as well.
For all others, add an openvpn_exclude line per IP or network as described in the
config file chapter, e.g.
openvpn_exclude 1.2.3.4
openvpn_exclude 2.3.0.0 255.255.0.0
Note that Your Freedom is clever enough to automatically exclude all IP addresses
that it needs to be able to reach in order to maintain the connection to the Your
Freedom server.
2.9.3.3 Tick the OpenVPN box
Go to the Ports panel and tick the OpenVPN checkbox. Leave the port number as it
is, unless there are reasons why you need to use a different port.
2.9.3.4 Start the Your Freedom connection
The connection set-up should look as usual, but approximately 10 seconds after the
door opens, it should open a bit more. ☺ The message log should tell you as well
when it happens. Have a look at your PC’s routing table (in Windows, run “cmd”, then
type “route print”; Unix users type “netstat -rn” or “route -n”); you should see a whole
bunch of routes there, all going to some 169.254.xxx.yyy address. These routes cover
the whole Internet address space minus the excludes mentioned above. We cannot
replace your PC’s default route because that would very likely cut you off from your
local network and make the Your Freedom server unreachable.
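The route layout described above, as an added example (not code from the Your Freedom client): it parses openvpn_exclude lines, adds the automatically excluded private ranges, and computes prefixes that cover the address space minus the excludes. Treating "the whole Internet address space" as 0.0.0.0/0, and all function names, are assumptions; the client's real route generation is not shown in this guide.

```python
import ipaddress

# Ranges the guide lists as excluded automatically.
AUTO_EXCLUDES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample: the two example lines from the guide.
SAMPLE_CONFIG = """\
openvpn_exclude 1.2.3.4
openvpn_exclude 2.3.0.0 255.255.0.0
"""

def parse_excludes(config_text):
    """Return the networks named by openvpn_exclude lines ('IP' or 'net mask')."""
    nets = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "openvpn_exclude":
            continue
        mask = fields[2] if len(fields) > 2 else "255.255.255.255"
        # strict=True rejects a network address with host bits set (ValueError).
        nets.append(ipaddress.ip_network(f"{fields[1]}/{mask}", strict=True))
    return nets

def tunnel_routes(excludes):
    """Prefixes covering 0.0.0.0/0 minus every exclude (assumed route model)."""
    routes = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in excludes:
        remaining = []
        for route in routes:
            if ex.supernet_of(route):       # route lies wholly inside the exclude
                continue
            if route.supernet_of(ex):       # exclude punches a hole in this route
                remaining.extend(route.address_exclude(ex))
            else:                           # no overlap, keep unchanged
                remaining.append(route)
        routes = remaining
    return sorted(routes)

def is_tunnelled(address, routes):
    """True if the address would be sent into the tunnel by these routes."""
    ip = ipaddress.ip_address(address)
    return any(ip in route for route in routes)

if __name__ == "__main__":
    excludes = [ipaddress.ip_network(n) for n in AUTO_EXCLUDES]
    excludes += parse_excludes(SAMPLE_CONFIG)
    for route in tunnel_routes(excludes):
        print(route.network_address, route.netmask)
```

Comparing this output with “route print” or “netstat -rn” is a quick way to confirm that an address you expected to stay on the local path is not being sent into the tunnel.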
2.9.3.5 Relay for others?
Yes, you can and you may. But unless your PC masquerades the other PCs, they
need to run their own OpenVPN session. When you start the connection, the Your
Freedom client creates some config files in your home directory (please see chapter
2.5.2 on page 33 for location details) all starting with “client” or “server”; copy them to
their PCs into some directory, edit “client.ovpn” and replace 127.0.0.1 with your PC’s
internal IP address, then right-click on the “client.ovpn” file and choose the second
option (Start OpenVPN with this config file). Of course they need to install OpenVPN
first!
2.9.3.6 What about the Windows firewall?
Feel free to use it, but don’t complain if it breaks things. ☺ Seriously, there is no
reason why you would need it, because only outbound connections work on the tunnel
interface. However, if you suspect your applications of secretly opening connections,
then yes, use it! If something doesn’t work, try without.