
"IP-leak" before first vpn connection #18

Open
jonascj opened this issue Sep 4, 2017 · 5 comments

Comments

@jonascj

jonascj commented Sep 4, 2017

Am I right that neither the main script (called by openvpn up/down) nor the extras (used manually) prevents outgoing connections (other than to the vpn server) before the first/initial openvpn connection?

I.e. if openvpn was supposed to autoconnect on boot/login, but never does so (vpn server down, systemd unit failing, etc.) then one would unknowingly be using a non-vpn connection, making one's real ip-address visible on outgoing traffic.

I suppose it is a few simple iptables calls needed to only allow connection to the vpn server on your normal interface (eth0, wlp0s1, etc.). Maybe this could be included in extras/basic_firewall.sh?

@wknapik
Owner

wknapik commented Sep 6, 2017

Yes, neither vpnfailsafe, nor any of the extras will prevent IP leaks before the initial VPN connection is established.

I'm working on some other extras at the moment, but will look into this.

@jonascj
Author

jonascj commented Sep 6, 2017

At least I got the overall workings of the scripts right :-P Also, I'm glad you find it a useful thing to give an example of.
I personally see two options for implementing it:

  1. The user manually enters the servers to be exempt from the firewall drop-all-rule.
  2. Parse all /etc/openvpn/*.conf files, do a dns lookup of their remote some.server.com entries, exempt the resulting IP addresses from the drop-all rule.
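Option 2 above, written out as an added example (not vpnfailsafe's own code, and not from either commenter): it parses the remote lines of OpenVPN configs, resolves the hosts, and prints the iptables whitelist. It assumes iptables and getent are available and uses 1194/udp when a config names no port or proto.

```shell
#!/bin/sh
# Added example (not part of vpnfailsafe): build an OUTPUT whitelist from the
# "remote" lines of OpenVPN configs so that, before the tunnel comes up, only
# the VPN servers themselves are reachable on the physical interface.
# Assumptions: iptables, getent, default port/proto of 1194/udp when a config
# names none. Rules are printed, not applied, so they can be reviewed first.

# Print "host port proto" for every "remote" line in the given config files.
parse_remotes() {
    awk '
        $1 == "port"   { dport = $2 }          # file-wide defaults, if any
        $1 == "proto"  { dproto = $2 }
        $1 == "remote" { n++; host[n] = $2; port[n] = $3; proto[n] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                p = port[i]  != "" ? port[i]  : (dport  != "" ? dport  : 1194)
                q = proto[i] != "" ? proto[i] : (dproto != "" ? dproto : "udp")
                sub(/[0-9].*|-.*/, "", q)      # udp4, tcp-client -> udp, tcp
                print host[i], p, q
            }
        }' "$@"
}

# Resolve a hostname to its IPv4 addresses; literal addresses pass through.
# Resolving here, at rule-generation time, avoids opening DNS at boot.
resolve_host() {
    case $1 in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u ;;
        *)         echo "$1" ;;
    esac
}

# Emit the iptables commands for interface $1 from config files $2..$n.
emit_rules() {
    iface=$1; shift
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -o tun+ -j ACCEPT"      # anything via the tunnel
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    parse_remotes "$@" | while read -r host port proto; do
        for ip in $(resolve_host "$host"); do
            echo "iptables -A OUTPUT -o $iface -d $ip -p $proto --dport $port -j ACCEPT"
        done
    done
}

if [ "$#" -gt 0 ]; then
    emit_rules "$@"      # usage: sh vpn-whitelist.sh eth0 /etc/openvpn/*.conf
fi
```

Re-run it whenever a config or the server's DNS records change, since the addresses are fixed at generation time rather than looked up at boot.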

@wknapik
Owner

wknapik commented Sep 7, 2017

Yeah, it's not my use case, but it's certainly someone's.

We have to get the whitelist of VPN servers somehow, so like you said, it would either have to be a list of hosts, or we'd have to parse the chosen VPN configs (or both, which I think would be the most flexible option).

In some cases it might even be easier than that and no scripts would be necessary at all. I see NetworkManager has a feature where you can say "automatically connect to the VPN when using this connection" - I don't know how safe it is, but it might be what you're looking for. I'll have to do more research.

Like I said though, there's something else in the works, so this will have to wait a bit.

@jonascj
Author

jonascj commented Sep 7, 2017

Sure, you work on what you want to, I just wanted to ask the question and 'raise the issue' while I remembered.

NetworkManager might have an autoconnect feature, Connman does, which is what I am using for the project that led me to your package / script.

And that is precisely my use case for this request / idea, to protect against silent failure of any VPN auto connect feature.

@willbelr

willbelr commented Jul 8, 2019

This is easily solved with ufw:

ufw default deny incoming                          # drop everything by default, both directions
ufw default deny outgoing
ufw allow SSH                                      # keep remote administration reachable
ufw allow from 192.168.0.0/24                      # allow the local LAN in
ufw allow in on tun0                               # anything is fine once it goes through the tunnel
ufw allow out on tun0
ufw allow in on eth0 from any port 1198            # replies from the VPN server's port on the physical interface
ufw allow out on eth0 to any port 1198             # the only permitted non-tunnel egress: the VPN server port
ufw enable
systemctl enable ufw                               # make the rules persist across reboots

3 participants