PIA Iptables Manager *NEW*

PIA Iptables Manager
Current Version: 0.4

Hey everyone!

I recently updated to v0.4.  I'm also working on an android version which will hopefully be available soon.  This latest update is way more lightweight than before and doesn't require any set-up.

Features
  • Kill-Switch protection.
  • DNS leak protection.
  • No coding required.  Simply download the file and follow the instructions.
  • Configures iptables for the currently connected VPN server.  (Should work with other VPN providers as well.)
  • Clean interface simplifies management.
  • Easy Iptables control.
  • Simple status check. (Updated)
  • Single file rather than dealing with multiple scripts.

Verified Operating Systems

  • Ubuntu 12.04
  • Raspbian Wheezy
  • Linux Mint 14
  • Xubuntu 12.04
  • (Theoretically any OS using Bash)

Download | Changelog

PIA Iptables Manager v0.4 | Source

  • Pia-iptm is now standalone.  No other files are generated or used.
  • Rework:  adjusts iptables for currently connected VPN server instead of all PIA servers (should work with other VPN providers).
  • Status function improved to detect actual current iptables configuration.

PIA Iptables Manager v0.3 | Source

  • Removed initial-setup menu option.  Initial set-up now runs automatically when the script is first run.
  • Required scripts are now generated to /.pia/ instead of /pia/ so the folder is hidden to avoid clutter.
  • Reworked Status function into 2 parts; f_Status which returns a value and f_PrintStatus which prints the status based on results from f_Status.
  • Reworked Quit function to automatically deactivate the service before closing the program if it's not already inactive.
  • Updated thread with source code for different versions, list of verified operating systems, and updated screenshots.

PIA Iptables Manager v0.2 | Source

  • Changed name from 'PIA Kill-Switch Manager' to 'PIA Iptables Manager'
  • Added 'Status' function to check/display the status of the Iptables
  • Required scripts are now generated in /pia/ rather than ~/vpn/
  • Renamed some Menu options

PIA Kill-Switch Manager v0.1 | Source

  • Initial release


Installation
  1. Download the latest version of pia-iptm and place it anywhere you want.
  2. Open a terminal and navigate to the directory containing the file.  You can use the 'cd' command to change directory and 'ls' to list the current directory.
  3. Once you are in the correct location you can launch it with 'sudo sh pia-iptm'.
  4. No initial set-up is required.  The script is standalone, so nothing else needs to be generated or installed; just run the script and everything should function properly.

Instructions

  1. Connect to VPN server of choice.
  2. Open terminal and navigate to directory holding pia-iptm file.
  3. Launch pia-iptm. 'sudo sh pia-iptm'
  4. Select option 1 to activate the service.
  5. Once finished with VPN, close the VPN connection.
  6. Select option 2 to deactivate the service and reset iptables, or option 6, which will deactivate the service and close the script.
  7. Select option 5 to close the script and return to terminal.

Donate

I spent quite a bit of time on this and I plan on keeping it updated.  I'll leave a bitcoin address here in case anyone enjoys it enough to consider donating.  Donate: 1MMgC7fD91bGsc8AnFNAd2DfV9n1gBfMfn

Comments/Suggestions

Please leave comments/suggestions in the forum below.  You can also PM me or email me directly at [email protected].  I appreciate any feedback you can give.  I want to try to keep this bug-free and as user friendly as possible, and that begins with your feedback!

Comments

  • Does this work?  When I run it and then disconnect the VPN I can still ping Google?
  • Any support available?
  • Hi @mattfox27,

    I came across your post on Reddit and thought I'd share it here in our forum as well. Thank you!


    Post:

    So thanks to u/elfer90 I think I have figured out a working iptables killswitch script for PIA VPN. This actually should work for most VPNs because it calls out, finds your WAN IP, and then plugs that into the script. I set this up to trigger when OpenVPN starts, so that it auto-plugs into iptables; then I run a script when OpenVPN stops to remove it from iptables.

    vpnon.sh

    #!/bin/bash
    # Look up the public (VPN exit) address.  head -n 1 keeps only the first match,
    # since a page containing several addresses would otherwise give a multi-line $IP.
    IP=$(wget https://duckduckgo.com/?q=whats+my+ip -q -O - | grep -Eo '\<[[:digit:]]{1,3}(\.[[:digit:]]{1,3}){3}\>' | head -n 1)
    # Stop here if the lookup failed: an empty $IP would turn the last rule into
    # "! -d -j DROP", which iptables rejects, and the machine would stay unprotected.
    if [ -z "$IP" ]; then
        echo "vpnon.sh: could not determine public IP, leaving iptables untouched" >&2
        exit 1
    fi
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    ####
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT # allow loopback access
    iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT # make sure you can communicate with any DHCP server
    iptables -A INPUT -s 255.255.255.255 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT # make sure that you can communicate within your own network
    iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT # make sure that eth0 and tun0 can communicate
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE # NAT packets leaving via tun0 so ports need no special handling; check this rule with care if you already have NAT rules
    iptables -A OUTPUT -o eth0 ! -d "$IP" -j DROP # if the destination of an outgoing packet on eth0 is NOT $IP, drop it, so that nothing leaks if the VPN disconnects
    exit 0
    

    Then vpnoff.sh, run when OpenVPN stops:

    iptables -F
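Both the Instructions in the original post and meno's vpnon.sh above rest on the same two rules: anything leaving the physical interface must be addressed to the VPN server, and DNS must not slip out beside it. The script below is an added example written for this page; it is not pia-iptm and not meno's script. It builds the rule set as a reviewable list before anything is applied, and refuses to build it at all when the server address is missing or malformed, which is exactly the situation that produces the "Bad argument `DROP'" error reported further down this thread. Assumptions, all adjustable: the tunnel is tun0, the uplink is eth0, the LAN is 192.168.0.0/16, and the server address comes from the command line, from the trusted_ip variable OpenVPN exports to its --up scripts, or (as a fallback that needs root) from the peer of the openvpn process's UDP socket as shown by ss.

```bash
#!/bin/bash
# Added example (not pia-iptm or vpnon.sh): a minimal VPN kill switch with DNS
# leak protection, built as a reviewable rule list plus an applier.
# Assumptions: tunnel tun0, uplink eth0, LAN 192.168.0.0/16; the VPN server
# address is passed in or taken from OpenVPN's $trusted_ip (set for --up scripts).

# Succeed only for a dotted-quad IPv4 literal whose four octets are all 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Find the server we are currently connected to: prefer OpenVPN's $trusted_ip,
# otherwise read the peer address of the openvpn process's UDP socket (root).
vpn_server_ip() {
    if [ -n "${trusted_ip:-}" ]; then
        printf '%s\n' "$trusted_ip"
        return
    fi
    ss -unp 2>/dev/null | awk '/"openvpn"/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9.]+:[0-9]+$/) peer = $i
        sub(/:[0-9]+$/, "", peer); print peer; exit }'
}

# Print, without executing, the iptables commands for the kill switch.
#   $1 VPN server IP   $2 tunnel interface   $3 uplink interface   $4 LAN CIDR
# Order matters: DNS on the uplink is rejected before LAN traffic is allowed,
# so a resolv.conf still pointing at the home router cannot leak queries.
build_rules() {
    vpn_ip=$1; tun=$2; wan=$3; lan=$4
    # An empty address would turn "! -d $IP -j DROP" into "! -d -j DROP", which
    # iptables rejects with "Bad argument `DROP'", leaving the host unprotected.
    if ! is_ipv4 "$vpn_ip"; then
        echo "build_rules: bad VPN server address '$vpn_ip'" >&2
        return 1
    fi
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $wan -p udp --dport 67 -d 255.255.255.255 -j ACCEPT
iptables -A OUTPUT -o $wan -d $vpn_ip -j ACCEPT
iptables -A OUTPUT -o $wan -p udp --dport 53 -j REJECT
iptables -A OUTPUT -o $wan -p tcp --dport 53 -j REJECT
iptables -A INPUT -i $wan -s $lan -j ACCEPT
iptables -A OUTPUT -o $wan -d $lan -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
EOF
}

# Apply the rule list (root required); sh -e stops at the first iptables error.
apply_rules() {
    rules=$(build_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}

# Undo the kill switch: open policies and flush every table.
reset_rules() {
    for chain in INPUT FORWARD OUTPUT; do iptables -P "$chain" ACCEPT; done
    iptables -F; iptables -X; iptables -t nat -F; iptables -t mangle -F
}

# Usage: sudo ./killswitch.sh show|apply [server-ip]   or   sudo ./killswitch.sh reset
case "${1:-}" in
    show)  build_rules "${2:-$(vpn_server_ip)}" tun0 eth0 192.168.0.0/16 ;;
    apply) apply_rules "${2:-$(vpn_server_ip)}" tun0 eth0 192.168.0.0/16 ;;
    reset) reset_rules ;;
esac
```

Run `sudo ./killswitch.sh show` while connected to read the rules, `apply` to load them and `reset` after disconnecting, mirroring options 1 and 2 of pia-iptm. The OUTPUT policy is DROP rather than a trailing DROP rule, so a failed or partial load cannot leave the host open, and because port 53 on eth0 is rejected before the LAN rule is reached only the resolver reachable through tun0 works once the switch is on.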
  • Yes this one seems to work pretty good, the IPtables manager didn't seem to work at all...
  • Thanks for sharing this, It s seems to be working just how I need it to. Thanks again.
  • edited July 2014
    I had to edit the regex on line 2 of meno's script to get it to work. Mine now reads:

    IP=$(wget https://duckduckgo.com/?q=whats+my+ip -q -O - | grep  -Eo '([0-9]{1,3}[\.]){3}[0-9]{1,3}')
  • Does this allow client to client traffic, or is that not allowed on PIA servers?
  • I can't get it to work.  I activate it, connect to the VPN, then disconnect the VPN to test the killswitch, but the internet still works.
  • Hi, just thought I'd leave a few thoughts.
    IP=$(curl ifconfig.me)
    might be the easier option to fix depingus' issue.
    And maybe
    #!/bin/bash
    # NetworkManager dispatcher script: $1 is the interface name, $2 the action.

    IF=$1
    STATUS=$2

    if [ "$IF" == "tun0" ]
    then
        case "$STATUS" in
            vpn-up)
                logger -s "NM Script up triggered"
                ;;
            vpn-down)
                logger -s "NM Script down triggered"
                pkill deluge-gtk
                ;;
            pre-up)
                logger -s "NM Script pre-up triggered"
                ;;
            post-down)
                logger -s "NM Script post-down triggered"
                ;;
            *)
                ;;
        esac
    fi

    dropped into /etc/NetworkManager/dispatcher.d/ might be simpler still.  I'm not using most of these options and could probably delete them, but it might be useful to have them in place.
    dbus-monitor --system "type='signal',interface='$interface',member='$member'" | sed -n -e '/   uint32 / {;h;n;x}; s/^   uint32 //p'
    outputs live state changes from dbus (anything but 5, then kill kill kill!)
    But I went with the dispatcher script here...
    Hope there are some ideas here which help.

  • I started a kind of fork of the 0.3 version because I liked the idea of whitelisting the current PIA server IPs in case of disconnecting and reconnecting to a different server, but I wanted something that could be more easily automated, e.g. using cron and startup scripts.

    I have more or less the same level of functionality as 0.3, with the addition of adding the currently connected VPN IP as well as the PIA list like 0.4. It doesn't use a menu like ShadowSpectre's, instead using "enable", "disable" and "update" arguments which can be called from other scripts.

    I ran into the problem, however, that not all the PIA VPN IPs are retrieved from a simple dig of the VPN gateway URL, and often when my system connected to PIA the IP would be different. This could be solved by the addition of whitelisting the currently connected VPN, but in the event of the VPN disconnecting and trying to reconnect it can result in not being able to re-establish the connection if the IP isn't in the whitelist. It kind of defeats the purpose of a killswitch-like system if it has to disable itself whenever the VPN disconnects so it can reconnect.

    Anyway, I thought I'd paste the script here in case ShadowSpectre or anyone else finds the code useful in any way: http://pastie.org/9968683
  • Iptables manager 4.0 does not seem to have any effect and I'm not sure why.

    I also tried your script VPNON.SH meno but when I run it I get the following error:

    Bad argument `DROP'
    Try `iptables -h' or 'iptables --help' for more information.

    Any help with this greatly appreciated.  I have only been using Linux for 1 month so am still a beginner.

    Thank you.

  • I've used this iptables script in the past with success, but atm I'm getting leaks, and when I do a DNS leak test my real ISP shows.  How do I stop DNS leaks in Linux?  I'm running Fedora so I can't use the Linux beta.
  • @BR3AKCOR3 I would bet that your IP= line isn't actually getting the IP correctly.
    If you replace line 24 with the line DePingus added above you should be fine.

    For everyone else, I've googled around for DNS/IP leak sites and none of them have been able to bypass my VPN IP.  What distro are you using to get these leaks and what sites are you using to check?
  • link for v0.4 doesn't work anymore. I copied a cached version to here: https://pastebin.com/YGn98UAs