OpenVPN kill switch

one_good_eye

I have been attempting to figure out how to setup a VPN kill switch but there is not a lot of info on how to do this with Linux in general. I do know that Wire Guard has it built in but from what it looks like there is not one built into OpenVPN. I have attempted to add firewall rules using UFW but for some reason OpenVPN is just randomly selecting ports to make the connection.

I would like to have some advice on how to properly setup an OpenVPN kill switch that can be reconnected when the VPN is disconnected. Also I should not have to change my firewall rules to get the connection back up and running.

[deleted]

Can't help you with the convenient solution you are looking for, i only have knowledge of a solution, where you have to run a script to activate the killswitch, when you have connected to your vpn. After you close the vpn connection, you will have to run a script to set ufw back to normal mode.

https://thetinhat.com/tutorials/misc/linux-vpn-drop-protection-firewall.html

one_good_eye

[deleted] Justin Thanks for both of your suggestions, I was figuring that this was going to be a hard question due to the limited amount on the web that I have come across. I did run across something that is getting closer but I would need to do more digging to get it to work with my current VPN provider. https://github.com/MorningCoffeeZombie/vswitch

Also my VPN that I use VPNarea does have a script for Linux but it only works on the main stream distros and their derivatives. https://vpnarea.com/front/home/softwarelinux

Justin

I've seen docker containers with OpenVPN built in to use applications in a secure VPN environment. This way if the VPN drops the applications internet is cut off.

jordanmn

one_good_eye surely you can use openvpn with it? That is what I am doing just fine with Nord VPN with open vpn.

Justin

jordanmn OpenVPN doesn't provide killswitch functionality to disallow any internet traffic if VPN isn't up. This is a privacy measure to ensure you don't miss the VPN getting disconnected and then find sensitive traffic is just flowing over the internet.

nodq

Justin Isn't that kinda untrue? There are lots of VPN providers that have Killswitch scripts that you can add to the .ovpn configs and it just works as intended.

Justin

nodq If you can find one for VPNarea.com please do let us know.

nodq

Justin try these from https://cryptostorm.is/killswitch I am pretty sure they work with little editing to your needs and your provider

Harvey

They don't make changes to .ovpn to enable a kill switch PIA from memory uses iptables to set firewall rules, forcing traffic over the VPN. Which is what I do without using their client and using ufw instead.

For example for PIA they provide a openvpn config that contains IP addresses instead of server domain names:
https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip (Note the IP in the name).

Get the IP of the server you want from within it's .ovpn file.

Install ufw:
sudo eopkg it ufw

Default rules with ufw is deny all incoming allow all outgoing so change that:
sudo ufw default deny outgoing

Allow connection to VPN server (replace with relevant IP / port for your VPN).
sudo ufw allow out to 104.200.151.24 port 1198 proto udp

Force all other traffic out over the VPN:
sudo ufw allow out on tun0

Enable the firewall:
sudo ufw enable

With those rules all traffic is forced over the VPN except for the connection needed to create the VPN. If the connection to the VPN is dropped so is everything else as it has no way out. I have no idea why a VPN provider would have random ports.

Justin

Harvey Top guide! Might use this myself in the future.

Boggle247

Harvey Is there a way to also incorporate an exception to this, for local LAN traffic?

[deleted]

[unknown]
One way to make it easier to switch, would be to install Tilda (drop down terminal activated with F12), then make some aliases in .bashrc that will make it fast & easy, to activate the killswitch script and the normal mode script:

Killswitch script (in this example named Firewall_killswitch.sh):

#!/bin/bash
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw enable
echo ""
echo ">>> Killswitch Activated <<<"
echo ""

Normal mode script (in this example named Firewall_normal.sh):

#!/bin/bash
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
sudo rm /etc/ufw/after.rules.20* /etc/ufw/after6.rules.20* /etc/ufw/user.rules.20* /etc/ufw/user6.rules.20* /etc/ufw/before.rules.20* /etc/ufw/before6.rules.20*
echo ""
echo ">>> Normal Mode Activated <<<"
echo ""

(The reason for removing some .rules files in the last script is that, when going back to normal mode the killswitch mode will accumulate some leftover .rules files, if they are not deleted there will just be more and more files left in /etc/ufw/ )

Then edit .bashrc to add the scripts (this is just an example):

alias fk="bash /path/to/your/script/Firewall_killswitch.sh"
alias fn="bash /path/to/your/script/Firewall_normal.sh"

(After editing .bashrc you need to run source ~/.bashrc in the terminal, or reboot for it to take effect)

All you need to do from now on, is to press F12 and type fk (= firewall killswitch) after connecting to the VPN, and fn (= firewall normal mode) when you have disconnected from the VPN..

A simpler solution could be to make script with a menu, for switcing between the two modes:

#!/bin/bash
# Script Menu
while true
do
PS3='Enter your choice: '
options=("Firewall Killswitch" "Firewall Normal" "Quit")
select opt in "${options[@]}"
do 
    case $opt in
        "Firewall Killswitch")
	    echo ""
	    echo ">>> Firewall Killswitch <<<"
	    sudo ufw reset
	    sudo ufw default deny incoming
	    sudo ufw default deny outgoing
	    sudo ufw allow out on tun0 from any to any
	    sudo ufw enable
	    echo ""
	    echo ">>> Killswitch Activated <<<"
	    echo ""
	    break
	    ;;

        "Firewall Normal")
	    echo ""
	    echo ">>> Firewall Normal <<<"
	    sudo ufw reset
	    sudo ufw default deny incoming
	    sudo ufw default allow outgoing
	    sudo ufw enable
	    sudo rm /etc/ufw/after.rules.20* /etc/ufw/after6.rules.20* /etc/ufw/user.rules.20* /etc/ufw/user6.rules.20* /etc/ufw/before.rules.20* /etc/ufw/before6.rules.20*
	    echo ""
	    echo ">>> Normal Mode Activated <<<"
	    echo ""
	    break
	    ;;

	"Quit")
            exit
            ;;

        *) echo "invalid option $REPLY";;
    esac    
done
done

Harvey

Boggle247

Adjust to your network addressing:
sudo ufw allow in to 192.168.0.0/24
sudo ufw allow out to 192.168.0.0/24

That'll trust 192.168.0.1 - 192.168.0.255

Boggle247

Harvey Gotcha. Thanks!