VPN Killswitch
I want to set up a killswitch for my Debian-based Linux machine.
I want it to start up automatically and only allow traffic through my tunnel interface.
I tried UFW but cannot get it to work properly.
Also, I need to be able to forward ports. I can already do that part; I just need to be able to do it through the firewall or rules.
Comments
I would recommend a simpler way and not complicating things:
iptables -I FORWARD ! -o tun+ -j DROP
Yes, you are correct - I use that firewall command on a (DD-WRT) router.
Perhaps you can comment further on my "solution" - is it failsafe or should I modify it?
I find this flowchart to be very useful: http://stuffphilwrites.com/2014/09/iptables-processing-flowchart/
Essentially, in the case of your router, packets will come in on the left and take the path to the FORWARD chain as they go elsewhere, to the wider internet. It's a very clear path, and that's why it's so simple.
But in the case of the OP, the machine that runs the VPN also generates the traffic that should go through the VPN. In that chart, it would arrive on the right, as it is internally generated. It doesn't come from another computer on the network. That one doesn't go through the FORWARD chain at all, so your rule wouldn't apply. Now, this situation is a bit more tricky, because you have to allow the openvpn daemon to access the regular internet, but nothing else. And they all come in at the same spot. There are multiple approaches to this:
* You can block everything except the server IP you connect to -> you have to hardcode the IP because you can't do DNS nor fetch an updated list due to the block
* You can use network namespaces -> requires changing the init unit/script to either move the real interface to a namespace, or namespace everything
* You can remove the default gateway and manually add the route (that's how it's done in the app, because Windows) -> again requires hardcoding the IP, but also disrupts the network settings, and you may need to have network access without the VPN to, say, update its IP.
* And of course, you can have the VPN run as a different user, and use that information to make an exception just for the VPN.
* (And technically, openvpn also has an fwmark option, but then you have to change both your openvpn *and* iptables, and apply this to every profile you use instead of once and forget.)
Does that answer your question?
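The last two approaches above (a dedicated user for the VPN daemon, and a default-deny policy that lets only tun+ traffic out) as a concrete Debian ruleset. This is an added example, not code from the thread; the `openvpn` user, the `192.168.0.0/16` LAN and the forwarded TCP port `51413` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a host-based VPN killswitch for a
# Debian machine in iptables-restore format, using the "run OpenVPN as a
# separate user and exempt only that user" approach from the answer above.
# Constructed assumptions (adjust to your setup):
#   VPN_USER  - account OpenVPN's sockets belong to (daemon started as that user)
#   LAN_NET   - local subnet that stays reachable while the tunnel is down
#   FWD_PORTS - TCP ports the VPN provider forwards to this host
# Nothing is applied here; the ruleset is printed for review and can be saved
# as /etc/iptables/rules.v4 so iptables-persistent restores it at boot.
VPN_USER="${VPN_USER:-openvpn}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
FWD_PORTS="${FWD_PORTS:-51413}"

killswitch_rules() {
    cat <<EOF
*filter
# Default-deny on every chain: when the tunnel drops, nothing below matches
# plain traffic on the physical interface, so it is dropped instead of leaking.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $LAN_NET -d $LAN_NET -j ACCEPT
# Port forwards are only accepted through the tunnel, never on eth0.
-A INPUT -i tun+ -p tcp -m multiport --dports $FWD_PORTS -j ACCEPT
# Traffic routed for other machines is confined to the tunnel as well
# (any DNAT for them lives in the nat table, not covered here).
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -p tcp -m multiport --dports $FWD_PORTS -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s $LAN_NET -d $LAN_NET -j ACCEPT
# DHCP renewals go to the broadcast address outside the tunnel.
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
# Only the OpenVPN user may reach the real internet (to resolve and contact
# the server), so no server IP has to be hardcoded.
-A OUTPUT -m owner --uid-owner $VPN_USER -j ACCEPT
COMMIT
EOF
}

# Sanity check: every chain the ruleset declares must default to DROP.
default_deny_ok() {
    killswitch_rules | awk 'BEGIN { bad = 0 } /^:/ && $2 != "DROP" { bad = 1 } END { exit bad }'
}

killswitch_rules
```

ip6tables needs an equivalent ruleset (or IPv6 disabled on the host), otherwise traffic can still leave over v6 while the tunnel is down. If LAN_NET contains your router's resolver, DNS to it also bypasses the tunnel, so point the resolver at the VPN's DNS servers.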
YES! Thank you very much for your time - very informative and I hope it helps others too.
Vipper
# INPUT: what this host accepts
iptables -A INPUT -s 255.255.255.255/32 -j ACCEPT                 # broadcast as *source*; DHCP replies are sent *to* 255.255.255.255, so this rarely matches
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT   # LAN-to-LAN traffic
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT              # inbound DNS queries (only needed if this host serves DNS)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT         # echo request (ping)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies to connections this host opened
iptables -A INPUT -i tun+ -j ACCEPT                               # anything arriving through the tunnel (port forwards)
iptables -A INPUT -j DROP                                         # everything else
# FORWARD: traffic routed through this host for other machines
iptables -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -j DROP
# OUTPUT: what this host may send outside the tunnel
iptables -A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT           # OpenVPN to the server (UDP 1198), to any destination
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 255.255.255.255/32 -j ACCEPT                # DHCP broadcast
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT             # DNS to any resolver, also outside the tunnel
iptables -A OUTPUT -o tun+ -j ACCEPT
# no final DROP here: OUTPUT only acts as a killswitch if the chain's default policy is DROP
What do you mean by broadcasts/multicasts? My local DNS is done by the default gateway; would something like ipconfig /all give me multicast/broadcast addresses?
it's almost but not quite exactly the same as running the OS on bare metal.
Ubuntu 16.0.4 in VirtualBox on a Win10 host
Emulating: Intel Pro/1000 MT desktop NIC
Mode: Bridged
Promiscuous: Deny
the better choice for network interface is virtio-net (the paravirtualized one); try that first. if that doesn't do it, the next thing is to allow promiscuous mode. no mode change - you're good there already.
you can count on everything about the network interface and programs using it to break when the host goes to sleep if there's no signalling or no cooperation on behalf of the VM. from the VM's point of view: you pulled the plug out (unless you have a way to signal the VM to go to sleep before the host does).
why are we still discovering the implementation and configuration of your collection of stuff?
...you're not wrong
EDIT: Gonna call it, it's been 3 days and it's rock solid. Thanks for being great.