UFW (uncomplicated firewall) Openvpn killswitch Issues
Trying to use UFW for my OpenVPN killswitch instead of iptables because I am new to Linux and iptables is too esoteric and complicated-looking for me to dive into now. I am currently able to get my OpenVPN connection to PIA's VPN server running on startup.
Now I want my UFW settings to act as a killswitch preventing any traffic entering or leaving my computer, except through my VPN. Obviously, I have to allow my real IP address to connect to the VPN before the rest of the firewall kicks in. The IP address (LAN IP) of my router is 192.168.0.1.
I use this command to check my ip address in terminal and make sure the VPN is connected:
curl http://ipinfo.io/ip
I downloaded the default openvpn configuration files that connect over UDP port 1198 from here:
https://helpdesk.privateinternetaccess.com/hc/en-us/articles/218984968-What-is-the-difference-between-the-OpenVPN-config-files-on-your-website-
Here are the UFW commands I used:
sudo apt install ufw (installs UFW)
sudo ufw reset (resets all default settings)
sudo ufw default deny outgoing (block all traffic coming out, then give exceptions)
sudo ufw default deny incoming (block all traffic coming in, then give exceptions)
sudo ufw allow out 1198/udp (connect to PIA server with their default openvpn file)
sudo ufw allow to 192.168.0.1/24 (allow outgoing traffic to within lan)
sudo ufw allow in from 192.168.0.1/24 (allow incoming traffic from within lan)
sudo ufw allow out on tun0 (allow traffic out through tun0 (VPN))
sudo ufw allow in on tun0 (allow traffic in through tun0 (VPN))
sudo ufw enable (enables ufw, then I need to reboot computer)
Now after I reboot my computer and try to use the "curl http://ipinfo.io/ip" command, terminal spits back:
curl: (6) Could not resolve host: ipinfo.io
I presume my UFW firewall settings are shutting off any incoming or outgoing connections because I didn't establish a VPN connection at startup?
Would anyone please explain to me what I am doing wrong? What do I need to change in my UFW settings?
Thanks
Comments
Unfortunately when I added your suggested allow in UFW rule with the others I showed above, I still was not able to run the ip address checking command in terminal and got the same error as before:
Wish someone else who's got some experience with UFW could tell me what I am doing wrong.
2. I know my VPN allow in and out rules are too lax. First I wanted to test that I could connect to my VPN with my UFW killswitch rules turned on, and that UFW would drop my internet connection in case my VPN connection died or my VPN were shut off. Then my plan was to tighten up my firewall rules to only allow certain protocols (e.g. HTTP/HTTPS/SSH etc.) over the ports I specify.
Thanks for your suggestion, piaabo!
When names normally resolve into IP addresses while I am not using a VPN, who is doing that for me in the first place? Does my router itself do that for me? Or does my ISP? How does one normally decide which DNS service to use? I've read there are alternative DNS services such as Google DNS and OpenDNS to choose from. PIA uses its own DNS server whenever my VPN is turned on, doesn't it?
Anyways, what sort of UFW firewall rule will I need to allow DNS resolution? Does it need to be both outbound and inbound?
I did check my WLAN settings on my router and noticed that it does have "Connect to DNS server automatically" set to "Yes".
Do I need to add an extra outgoing or incoming rule for UFW to allow DNS? If so, what should my rule look like?
Thanks!
So going back to my original post, I provided everyone with the exact list of UFW commands I ran in my attempt to create my own openvpn killswitch from scratch. But I can't even check what my ip address is after startup right now once UFW is enabled...
Can you or anyone else tell me what other UFW commands I should add or modify to my existing ones so that my device will drop its internet connection to the outside world (i.e. outside of my local network) if the VPN connection drops?
I've been stuck on this for a while and wanted to know what I was doing wrong.
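As an added example (not code from the thread, from PIA, or from the UFW project), the rule list from the original post rewritten as a script that lets the physical interface reach only the LAN and the VPN server, with everything else forced through tun0, plus a check for the DNS question raised in the comments: a resolver outside the LAN is unreachable before the tunnel is up, which is one cause of "Could not resolve host". Assumed, not stated in the thread: the NIC is eth0, the PIA server name is resolved first and passed in as VPN_SERVER, and the router at 192.168.0.1 is the only resolver used before the tunnel exists.

```shell
#!/bin/sh
# Added example, not code from the thread: a parameterised UFW kill-switch
# builder plus a diagnostic for the "Could not resolve host" failure.
# Assumed (not in the thread): the physical NIC is eth0; VPN_SERVER is the PIA
# server IP, resolved before ufw is enabled; 192.168.0.1 is the LAN resolver.
LAN_NET="192.168.0.0/24"   # the thread writes 192.168.0.1/24; this is the same /24
TUN_IF="tun0"; NIC="eth0"; VPN_PORT="1198"; VPN_PROTO="udp"
# Emit the ufw commands. Outside the tunnel only the LAN and the VPN endpoint
# are reachable; everything else must go through tun0 or is dropped.
killswitch_rules() {
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow out on $NIC to $LAN_NET
ufw allow in on $NIC from $LAN_NET
ufw allow out on $NIC to $1 port $VPN_PORT proto $VPN_PROTO
ufw allow out on $TUN_IF from any to any
ufw allow in on $TUN_IF from any to any
ufw --force enable
EOF
}
# List nameservers in a resolv.conf-style file that the LAN-only rules would
# block before the tunnel is up (anything outside LAN_NET); returns 1 if any.
# A 127.x stub (e.g. systemd-resolved) is only flagged: check its upstream.
blocked_resolvers() {
  lan_prefix=$(printf '%s' "$LAN_NET" | cut -d. -f1-3)   # /24 assumption
  rc=0
  for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
    case "$ns" in
      "$lan_prefix".*) ;;                                  # LAN resolver: allowed
      127.*) echo "$ns (local stub: check its upstream)" >&2 ;;
      *) echo "$ns"; rc=1 ;;
    esac
  done
  return $rc
}
# Demo: DRY_RUN=1 (default) only prints the rules; DRY_RUN=0 applies them (root).
VPN_SERVER="${VPN_SERVER:-<PIA_SERVER_IP>}"   # placeholder: resolve the PIA host first
if [ "${DRY_RUN:-1}" = 1 ]; then
  killswitch_rules "$VPN_SERVER"
else
  case "$VPN_SERVER" in '<'*) echo "set VPN_SERVER to the PIA server IP" >&2; exit 1 ;; esac
  killswitch_rules "$VPN_SERVER" | sh -e
fi
if [ -r /etc/resolv.conf ]; then
  blocked_resolvers /etc/resolv.conf >/dev/null 2>&1 && echo "resolvers OK" || echo "a resolver is outside the LAN: DNS will fail before the tunnel is up"
fi
```

Run it once in dry-run mode to review the rules, then with DRY_RUN=0 and VPN_SERVER set to apply them; if the resolver check reports a blocked nameserver, point the system at the router (or add a matching allow rule for that resolver on the NIC) before relying on name lookups outside the tunnel.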