"IP-leak" before first vpn connection #18
Issue description:

Am I right that neither the main script (called by openvpn up/down) nor the extras (used manually) prevents outgoing connections (other than to the VPN server) before the first/initial openvpn connection?
I.e. if openvpn was supposed to autoconnect on boot/login, but never does so (VPN server down, systemd unit failing, etc.), then one would unknowingly be using a non-VPN connection, making one's real IP address visible on outgoing traffic.
I suppose it is a few simple iptables calls needed to only allow connections to the VPN server on your normal interface (eth0, wlp0s1, etc.). Maybe this could be included in extras/basic_firewall.sh?

Comments

Yes, neither vpnfailsafe nor any of the extras will prevent IP leaks before the initial VPN connection is established. I'm working on some other extras at the moment, but will look into this.

At least I got the overall workings of the scripts right :-P Also, I'm glad you find it a useful thing to give an example of.

Yeah, it's not my use case, but it's certainly someone's. We have to get the whitelist of VPN servers somehow, so like you said, it would either have to be a list of hosts, or we'd have to parse the chosen VPN configs (or both, which I think would be the most flexible option). In some cases it might even be easier than that and no scripts would be necessary at all. I see NetworkManager has a feature where you can say "automatically connect to the VPN when using this connection" - I don't know how safe it is, but it might be what you're looking for. I'll have to do more research. Like I said though, there's something else in the works, so this will have to wait a bit.

Sure, you work on what you want to, I just wanted to ask the question and 'raise the issue' while I remembered. NetworkManager might have an autoconnect feature; Connman does, which is what I am using for the project that led me to your package / script. And that is precisely my use case for this request / idea: to protect against silent failure of any VPN auto-connect feature.

This is easily solved with ufw:
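The pre-connection kill switch this thread asks for (only the VPN endpoints reachable on the physical interface until the tunnel is up), written here as an added example. It is not vpnfailsafe's code, nor the ufw rules the last comment alludes to; it takes the whitelist either as explicit addresses or parsed from the `remote` lines of OpenVPN configs, as the discussion suggests both. Interface names, ports, addresses and the script name are placeholders, and it assumes iptables with the conntrack match.

```shell
#!/bin/sh
# Pre-connection "kill switch" for the situation raised in this issue: until the
# tunnel is up, the physical uplink may only talk to the VPN endpoints (plus
# loopback, DHCP and an optional known resolver); everything else is dropped.
# Added example, not part of vpnfailsafe. Interface names, ports and addresses
# below are placeholders; it assumes iptables with the conntrack match.
set -eu

IFACE="${IFACE:-eth0}"          # physical interface (placeholder default)
TUN_IF="${TUN_IF:-tun+}"        # OpenVPN tunnel interface pattern
VPN_PROTO="${VPN_PROTO:-udp}"   # protocol/port the VPN server listens on
VPN_PORT="${VPN_PORT:-1194}"
DNS_SERVER="${DNS_SERVER:-}"    # optional resolver to allow for OpenVPN's lookups

# Whitelist source 1: parse 'remote <host> [port] [proto]' lines from OpenVPN
# config files (or stdin when no file is given). Duplicates are collapsed.
vpn_hosts_from_configs() {
    awk '$1 == "remote" { print $2 }' "$@" | sort -u
}

# Emit the iptables commands for the whitelist without running them, so they
# can be reviewed or tested. $1 = uplink interface, remaining args = VPN
# server addresses. iptables resolves hostnames at insertion time, so pass
# IPs (or set DNS_SERVER and apply the rules after name resolution works).
build_rules() {
    iface="$1"; shift
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
EOF
    if [ -n "$DNS_SERVER" ]; then
        echo "iptables -A OUTPUT -o $iface -d $DNS_SERVER -p udp --dport 53 -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface -d $DNS_SERVER -p tcp --dport 53 -j ACCEPT"
    fi
    for host in "$@"; do
        echo "iptables -A OUTPUT -o $iface -d $host -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT"
    done
    # DHCP keeps the link itself alive; the final DROP closes the uplink.
    echo "iptables -A OUTPUT -o $iface -p udp --dport 67 -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -j DROP"
}

# Execute the generated rules (needs root).
apply_rules() {
    build_rules "$@" | sh -e
}

# Usage (hypothetical script name):
#   ./prevpn-killswitch.sh --dry-run /etc/openvpn/client/*.conf
#   ./prevpn-killswitch.sh --apply   /etc/openvpn/client/*.conf
if [ "${1:-}" = "--dry-run" ] || [ "${1:-}" = "--apply" ]; then
    mode="$1"; shift
    hosts=$(vpn_hosts_from_configs "$@")
    # word-splitting the host list is intended here
    if [ "$mode" = "--apply" ]; then apply_rules "$IFACE" $hosts
    else build_rules "$IFACE" $hosts; fi
fi
```

Run it with `--dry-run` first and read the generated rules; the order matters, since the `-P OUTPUT DROP` policy fails closed the moment it is set and the per-host ACCEPT lines are the only way out on the uplink. The rules are IPv4 only: on a dual-stack link, ip6tables needs the same treatment or the leak simply moves to IPv6. Once OpenVPN is up, its own packets to the server match the whitelisted `-d` rule and everything else rides `tun+`, so the rules can stay in place permanently and double as a fallback for vpnfailsafe's own down handling.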