Skip to content

Commit

Permalink
fixed shared VPN/Tor server leak bug (#12)
Browse files Browse the repository at this point in the history
use ip(6)tables --wait
made ip(6)tables commands configurable
RELATED,ESTABLISHED -> ESTABLISHED for better security (fixes #9)
ported from sysvinit to (systemd) netfilter-persistent
also source configuration folder /rw/config/vpn-firewall.d/*.conf
Debian packaging
licensing
refactoring
comments
  • Loading branch information
Patrick Schleizer committed May 11, 2016
1 parent 23f1a30 commit f5a0d06
Show file tree
Hide file tree
Showing 16 changed files with 473 additions and 483 deletions.
115 changes: 8 additions & 107 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,16 +5,18 @@ It's much safer when it fails closed, i.e. when the VPN connection breaks down,

# What does it do

* Forbid outgoing traffic after the VPN software broke down for some reason.
* Forbid outgoing traffic after the VPN / tunnel software broke down for some reason.
* Tight firewall rules, using iptables policy drop.
* Only tested with OpenVPN. Should work with other VPN clients such as PPTP in theory, you should test if it does what it claims anyway.
* Only tested on Debian Wheezy. Should work in many Linux distribution in theory, you should test if it does what it claims.
* Defeat [shared VPN/Tor server leak bug](https://github.com/adrelanos/vpn-firewall/issues/12)
* Only tested with OpenVPN. Should work with other VPN and tunnel clients such as PPTP in theory, you should test if it does what it claims anyway.
* Only tested on Debian Jessie. Should work in many Linux distribution supporting netfilter-persistent in theory, you should test if it does what it claims.
* Open Source / Free Software

# What does it NOT do

* Care about DNS leaks. Consult your VPN software's/provider's documentation and
configure /etc/resolv.conf to use the DNS server of your VPN server.
* Block WebRTC leaks.
* Defend against
[IP leaks](https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea).
If a locally installed application uses trickery to obtain the the users real
Expand All @@ -23,10 +25,7 @@ IP and sends it somewhere though the VPN.
manipulate the firewall rules.
* Prevent any other kind trickery to circumvent using the VPN.
* Prevent leaks caused by bugs in the VPN software.
* Be compatible with Whonix-Gateway. (VPN-Firewall is incompatible with Whonix-Gateway's firewall!)
* Run the VPN software as unprivileged user. For OpenVPN see
[OpenVPN wiki UnprivilegedUser](https://community.openvpn.net/openvpn/wiki/
UnprivilegedUser).
* Be compatible with Whonix-Gateway/Workstation. (VPN-Firewall is incompatible with Whonix-Gateway/Workstation's firewall! Use Whonix documentation and use their built-in features.)
* Manage IPv6 traffic. IPv6 traffic is blocked.
* Install (Open)VPN.
* Configure (Open)VPN.
Expand All @@ -35,108 +34,10 @@ UnprivilegedUser).
* Untested to work in Qubes ProxyVMs. (They have a different way to up networking and firewall.)

# How to Use
1) First learn how to get your VPN software connected without using VPN-Firewall.

Use the IP to connect to your VPN server, not the hostname!
See:

2) Remove old versions of VPN-Firewall.

sudo update-rc.d vpnfirewall remove
sudo rm /usr/local/bin/vpnfirewall
sudo rm /usr/bin/vpnfirewall
sudo rm /etc/init.d/vpnfirewall

3) Get the firewall script and install it.

cd ~

git clone https://github.com/adrelanos/VPN-Firewall.git

cd VPN-Firewall

sudo cp ./usr/bin/vpnfirewall /usr/bin/

4) Edit the /usr/bin/vpnfirewall settings with your favorite editor.

Note, that you must use the IP of your VPN server, not the hostname.

5) Load /usr/bin/vpnfirewall before the network and before OpenVPN goes up.

* If you are NOT permanently using (Open)VPN, i.e. if you only occasionally, manually connect to the VPN.

Just run the following command before starting OpenVPN.

sudo /usr/bin/vpnfirewall

Should reply:

OK: Loading VPN firewall...
OK: The firewall should not show any messages,
OK: besides output beginning with prefix OK:...
OK: VPN firewall loaded.

* If you are permanently using (Open)VPN, i.e. always want to use the VPN.

Install the init script.

sudo cp ./etc/init.d/vpnfirewall /etc/init.d/

sudo update-rc.d vpnfirewall defaults

Test the init script.

sudo service vpnfirewall restart

sudo service vpnfirewall status

echo $?

Should reply:

0

Reboot.

Check VPN Firewall status again.

sudo service vpnfirewall status

Should reply:

0

6) How to unload VPN Firewall?

If you want to disable VPN Firewall, see:
https://gist.github.com/adrelanos/10565852

# How to Test

1) Install.

2) Test if it works. Check whatismyipaddress.com if you your external IP is from the VPN.

3) Kill the VPN client.

Example OpenVPN:

sudo killall openvpn

4) Check if you can still connect to whatismyipaddress.com.

If yes, bad, something is wrong.

If no, good, you won't connect to any remote servers besides the VPN IP once the VPN client broke down.

# How to Debug

Developers only.

Enable debugging. Uncomment "set -x" in all scripts.

Check iptables logs.

tail -f /var/log/syslog
https://www.whonix.org/wiki/VPN-Firewall#How_to_use_VPN-Firewall

# Alternatives

Expand Down
81 changes: 81 additions & 0 deletions changelog.upstream
Original file line number Diff line number Diff line change
@@ -1,3 +1,84 @@
commit 23f1a3046cd81ebcc714fe5c9e69e0ffa090f09c
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Tue Jan 26 19:46:36 2016 +0100

updated readme

Conflicts:
README.md

commit 12a9a7baacb3cf6be456ae0c769ce382462db6c1
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Jan 20 19:31:29 2016 +0100

etc/vpn-firewall.d/30_default -> etc/vpn-firewall.d/30_default.conf

commit 5d0c2a1bac3e90d4fb3bbedfe34e6adf4d4b6def
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Jan 20 19:30:59 2016 +0100

source only configuration files ending with .conf

commit 619cbc3d97da1ef8b89d8d1b7fced3087585a27f
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:59:32 2015 +0000

comment

commit c4f9fc1eb7efcf1dcb9c8b2592247a17398a398e
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:48:47 2015 +0000

added man page

commit 644d69af42dd9fd114e29d53d04495cb23dcf1f2
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:46:03 2015 +0000

update

commit 4a6921ca34d1c3f5cf151cd4f391e882386e14cf
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:45:22 2015 +0000

renamed: etc/vpn_firewall.d/30_default -> etc/vpn-firewall.d/30_default

commit f51763f36baba7ce935bc84fffe263f0b75e84bc
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:44:13 2015 +0000

renamed: usr/bin/vpnfirewall -> usr/bin/vpn-firewall

commit 044e193c9c7cc03fbab854963e95e49a5c6349aa
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:42:30 2015 +0000

init script: provide itself to fix lintian warning

commit 98b3b7ed88622f9411dbb47f425eab251c5750ef
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:41:00 2015 +0000

fixed lintian warning in machine readable copyright file

commit f36bedc0caad0ab7c89046ac70e37cc630c6a1ee
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:39:14 2015 +0000

fixed debian/changelog

commit c27d7bdfbff37ccb32fd048b0a6e84c22317ea4f
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:35:00 2015 +0000

updated debian/rules

commit 215f5223fe3609052772fccfbe77c08eeccb38f4
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:34:25 2015 +0000

added upstream changelog

commit bdab55e8d273d62d3f63569fc0487916f26c3432
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon Feb 9 13:34:04 2015 +0000
Expand Down
6 changes: 6 additions & 0 deletions debian/changelog
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
vpn-firewall (3:0.3-1) unstable; urgency=medium

* New upstream version.

-- Patrick Schleizer <adrelanos@riseup.net> Wed, 11 May 2016 17:39:42 +0200

vpn-firewall (3:0.2-1) unstable; urgency=low

* New upstream version.
Expand Down
4 changes: 2 additions & 2 deletions debian/control
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ Build-Depends: debhelper (>= 8), faketime, git
Homepage: https://github.com/adrelanos/VPN-Firewall
Vcs-Browser: https://github.com/adrelanos/VPN-Firewall
Vcs-Git: https://github.com/adrelanos/VPN-Firewall.git
Standards-Version: 3.9.4
Standards-Version: 3.9.6

Package: vpn-firewall
Architecture: all
Depends: ${misc:Depends}
Depends: netfilter-persistent, ${misc:Depends}
Description: Ensures no traffic is send, once OpenVPN breaks down for some reason
If you simply add a VPN using common instructions, it generally fails open.
That means, if the VPN breaks down, because the connection is interrupted,
Expand Down
1 change: 0 additions & 1 deletion debian/rules
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
dh $@

override_dh_install:
dh_installinit --onlyscripts
$(CURDIR)/make-helper.bsh manpages
dh_installman $(CURDIR)/debian/tmp-man/*

Expand Down
2 changes: 2 additions & 0 deletions debian/source/lintian-overrides
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
## https://phabricator.whonix.org/T277
debian-watch-may-check-gpg-signature
78 changes: 78 additions & 0 deletions debian/vpn-firewall.postinst
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
#!/bin/bash

## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

if [ -f /usr/lib/pre.bsh ]; then
source /usr/lib/pre.bsh
fi

set -e

true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ${1+"$@"}
#####################################################################
"

case "$1" in
configure)
true "INFO: Configuring $DPKG_MAINTSCRIPT_PACKAGE..."

user_account_list="tunnel"

for user_account in $user_account_list ; do
ret="0"
id "$user_account" || { ret="$?" ; true; };

if [ "$ret" = "0" ]; then
echo "INFO: Not creating user '$user_account', because it already exists."
else
echo "INFO: Creating user '$user_account'..."
if command -v qubesdb-read >/dev/null 2>&1 ; then
## Qubes-Whonix
## Qubes does by upstream default not use linux user account passwords.
password=""
else
## Non-Qubes-Whonix
## setting password of user $user_account to changeme
##
## How this password was created:
## sudo apt-get install whois
## mkpasswd
## changeme
## Resulted in: aTayYxVyw5kDo
password="aTayYxVyw5kDo"
fi
useradd --create-home --password "$password" --user-group --shell /bin/bash "$user_account"
fi
done

true "INFO: End configuring $DPKG_MAINTSCRIPT_PACKAGE."

;;

*)
;;
esac

if [ -d /run/systemd/system ] ; then
systemd-tmpfiles --create /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf >/dev/null || true
systemctl --system daemon-reload >/dev/null || true
fi

true "INFO: debhelper beginning here."

#DEBHELPER#

true "INFO: Done with debhelper."

true "
#####################################################################
## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ${1+"$@"}
#####################################################################
"

## Explicitly "exit 0", so eventually trapped errors can be ignored.
exit 0
Loading

0 comments on commit f5a0d06

Please sign in to comment.