#1 2017-02-01 16:19:35

dimez
Member
Registered: 2015-07-24
Posts: 8

OpenVPN Killswitch

Does anyone have a good set of (bash) scripts for an OpenVPN killswitch? I use GNOME and the GNOME networking icon to connect to my VPN via OpenVPN. I just need a good set of scripts so that when my VPN connection drops, my network/internet in general drops, until another "down" script is run and I reconnect to the VPN; then I would use the "up" script after connecting back to the internet and VPN, to enable the killswitch again. I used to have a good one that required a little bit of a hassle of configuration, but worked a charm. But I have not been able to find that or another decent one that I could get working via my searches on search engines and in the bbs archives. I am a novice in Linux in general, and do not know any programming or scripting myself. THANKS!!

#2 2017-02-02 18:04:13

SubS0
Member
Registered: 2015-02-10
Posts: 37

Re: OpenVPN Killswitch

This subject was discussed here two weeks ago, but I'm not sure I understand exactly what you need.
Xyne proposed a Python script to start a daemon. Dunno if it fits your needs, but it can be a starting point?
https://bbs.archlinux.org/viewtopic.php?id=221927

A simple search would let you find several bash scripts to tweak…

Personally, I simply adjust my iptables rules to avoid packets leaking out of the tun interface in case of VPN disconnection.
It's easy to find how to do it, maybe easier if you're not into scripting?

#3 2017-02-04 00:30:32

dimez
Member
Registered: 2015-07-24
Posts: 8

Re: OpenVPN Killswitch

I'm not too familiar with iptables, but what I used to have was a pair of scripts for starting and stopping the 'internet kill switch' once my VPN was activated and once it dropped. I am not looking to kill a specific program; I would much rather stop all internet until the second script is run, all internet apps are closed, the VPN connection is re-established, and the first protection script is run. The pair of scripts I had before used something with iptables commands in a script.

I tried searching "vpn killswitch" on the search here on the forums, but it only came back with unrelated topics. I tried site:bbs.archlinux.org "vpn killswitch" on Google, and only found the page with the daemon you linked. Maybe I am just not using the correct search terms.

Last edited by dimez (2017-02-04 00:38:07)

#4 2017-02-04 01:59:36

rexx
Member
Registered: 2017-02-04
Posts: 10

Re: OpenVPN Killswitch

Maybe I'm misunderstanding what your goal is but multiple scripts might overly complicate things. Have you considered UFW?

$ sudo ufw enable
$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing
$ sudo ufw allow out on <wlan0> to <vpn server IP> proto <tcp/udp> port <443/80/53> comment 'some awesome vpn server'
$ sudo ufw allow out on tun0

<wlan0> is your wireless interface; it might appear as wlp1s0.
<vpn server IP> will need to be present in your .ovpn config (e.g. 12.345.67.89); OpenVPN will not be able to resolve domains.
<tcp/udp> is the protocol of your choosing.
<443/80/53> is the port of your choosing.

This configuration will only allow packets out if tun0 is present. Should your VPN connection be interrupted or stopped, you won't be able to access the web.

Last edited by rexx (2017-02-04 03:12:59)
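
The UFW approach in the post above, worked through as an added example (this is not rexx's code or anything posted in the thread): a POSIX shell script that reads the `remote` directives from an OpenVPN client config, refuses hostnames because, with `default deny outgoing` in place, OpenVPN has no DNS to resolve them, and prints the ufw commands for the killswitch. The function names, the interface name wlan0 and the sample config in the usage note are assumptions made for illustration; the DHCP rule is a practitioner's addition that the post's rule set does not include.

```shell
#!/bin/sh
# Added example, not from the thread: generate UFW killswitch rules from an
# OpenVPN client config. Function names, defaults and the interface name
# (wlan0) are assumptions made for illustration.
set -eu

# Print one "host port proto" line per `remote` directive in an .ovpn file.
# A global `port`/`proto` directive supplies the defaults when a `remote`
# line omits them; otherwise OpenVPN's own defaults (1194, udp) apply.
# Variants such as udp4, tcp6 or tcp-client are reduced to udp/tcp, which
# is what ufw's `proto` keyword accepts.
ovpn_remotes() {
    awk '
        { sub(/\r$/, "") }                     # tolerate CRLF configs
        $1 == "proto"  { dproto = $2 }
        $1 == "port"   { dport = $2 }
        $1 == "remote" { n++; h[n] = $2; p[n] = $3; pr[n] = $4 }
        END {
            if (dport == "") dport = "1194"
            if (dproto == "") dproto = "udp"
            for (i = 1; i <= n; i++) {
                port = (p[i] != "" ? p[i] : dport)
                proto = (pr[i] != "" ? pr[i] : dproto)
                sub(/-.*/, "", proto); sub(/[46]$/, "", proto)
                print h[i], port, proto
            }
        }' "$1"
}

# Succeed only for a dotted-quad IPv4 literal with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { ok = 1 }
        END { exit !ok }'
}

# Print the ufw commands for a killswitch on physical interface $2 using the
# endpoints from config $1. Fails if any endpoint is a hostname: once the
# default-deny-outgoing policy is active there is no DNS, so OpenVPN could
# never resolve it and the tunnel would never come up.
killswitch_rules() {
    ks_cfg=$1
    ks_phys=$2
    ks_remotes=$(ovpn_remotes "$ks_cfg") || return 1
    [ -n "$ks_remotes" ] || { echo "error: no remote directive in $ks_cfg" >&2; return 1; }
    for ks_host in $(printf '%s\n' "$ks_remotes" | awk '{ print $1 }'); do
        is_ipv4 "$ks_host" || {
            echo "error: remote '$ks_host' is not an IPv4 literal; put the server address in the config" >&2
            return 1
        }
    done
    # Policy first, so enabling never leaves a window with the stock
    # allow-outgoing policy live.
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    # DHCP requests and renewals leave as new UDP traffic from port 68 to
    # port 67; ufw's stock before.rules only whitelist the inbound side of
    # the DHCP exchange, so without this rule the lease would lapse.
    echo "ufw allow out on $ks_phys proto udp from any port 68 to any port 67"
    # Only the VPN endpoint(s) may be reached directly over the physical link.
    printf '%s\n' "$ks_remotes" | awk -v phys="$ks_phys" \
        '{ print "ufw allow out on " phys " proto " $3 " to " $1 " port " $2 }'
    # Everything else must ride the tunnel; if tun0 is gone, nothing leaves.
    echo "ufw allow out on tun0"
    echo "ufw --force enable"
}

# Usage: sh killswitch.sh client.ovpn wlp1s0                (review the commands)
#        sh killswitch.sh client.ovpn wlp1s0 | sudo sh -e   (apply them)
if [ $# -gt 0 ]; then
    killswitch_rules "$1" "${2:-wlan0}"
fi
```

For a constructed config containing `proto udp`, `remote 203.0.113.10 443 tcp` and `remote 203.0.113.11`, the script emits one rule for 203.0.113.10 over TCP port 443 and one for 203.0.113.11 over UDP port 1194, then the tun0 rule; a config with `remote vpn.example.net` is rejected before any rule is printed. Two checks worth making beyond the thread's rule set: ufw only filters IPv6 when IPV6=yes in /etc/default/ufw, otherwise v6 traffic on the wireless interface is untouched by any of this, and the rule names tun0 literally, so if another tunnel already holds that name OpenVPN gets tun1 and nothing leaves.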

#5 2017-02-04 04:27:29

dimez
Member
Registered: 2015-07-24
Posts: 8

Re: OpenVPN Killswitch

That looks like an awesome solution rexx, thanks, I'll try it tomorrow. Hadn't heard of UFW before, but it looks like a good fit for me.

#6 2017-02-04 15:28:51

TheChickenMan
Member
From: United States
Registered: 2015-07-25
Posts: 354

Re: OpenVPN Killswitch

You're running OpenVPN while connected to, say, a public WiFi hotspot.
Something happens causing the VPN connection to be interrupted.
By default, it will fail silently while network traffic begins to use the standard WiFi connection unencrypted.

I think that this is a really bad default condition especially if you're relying on that VPN to keep your communications private while using your computer in an untrusted location. I would much rather see the network connection stop allowing any communication in the event of VPN failure. I wonder if this is something which is a matter for the upstream OpenVPN guys?


If quantum mechanics hasn't profoundly shocked you, you haven't understood it yet.
Niels Bohr

#7 2017-02-04 17:48:07

rexx
Member
Registered: 2017-02-04
Posts: 10

Re: OpenVPN Killswitch

TheChickenMan wrote:

By default, it will fail silently while network traffic begins to use the standard WiFi connection unencrypted.

$ ufw default deny outgoing
$ ufw allow out on tun0

Not if the machine is firewalled properly. The virtual interface tun0 (created by OpenVPN) must be present for the machine to access the internet.
