Hello, I’ve just registered
For a couple of days I've tried solving this myself, to no avail. I've researched it a lot, but I lack some knowledge.
I want to use an old laptop that connects to the internet through ethernet as a WiFi hotspot that lets devices connected to it access the internet only through a VPN.
But I wanted to use UFW to establish a killswitch, so if something goes wrong (like a router restart), the devices won't connect without the VPN through the laptop's ethernet.
With UFW disabled, everything works correctly: the phone connects to the hotspot and its traffic goes through the VPN, but obviously there's no killswitch.
My interfaces are:
enp6s0 for ethernet.
wlp2s0 for the hotspot, with 10.42.0.1/24 network.
tun0 for OpenVPN connection.
What I did so far:
I’ve disabled IPv6 and turned off IPv6 rule creation in UFW:
/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
sudo sysctl -p
/etc/default/ufw
IPV6=no
Enabled IPv4 forwarding:
/etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p
Enabled forwarding in UFW:
/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
Added a NAT rule for UFW, before the *filter section:
/etc/ufw/before.rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.42.0.0/16 -o tun0 -j MASQUERADE
COMMIT
My VPN provider gives a domain name instead of a static IP for the connection config, so I've created an OpenVPN profile that enables UDP ports 1194 and 53:
[OpenVPN]
title=OpenVPN
description=Virtual private network or secure tunnel daemon.
ports=1194,53/udp
Added UFW rules:
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow in OpenVPN
sudo ufw allow out OpenVPN
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any
Resulting rules:
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), allow (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
53,1194/udp (OpenVPN)      ALLOW IN    Anywhere
Anywhere on tun0           ALLOW IN    Anywhere
53,1194/udp (OpenVPN)      ALLOW OUT   Anywhere
Anywhere                   ALLOW OUT   Anywhere on tun0
So here's the problem: with these UFW rules, the laptop properly connects to the VPN and blocks ethernet traffic if I turn the VPN down.
But a phone connecting to its hotspot hangs on "Obtaining IP address".
Then if I add rules to enable the hotspot network:
sudo ufw allow out to 10.42.0.0/16
sudo ufw allow in to 10.42.0.0/16
The phone connects to the hotspot and the traffic goes through the VPN. But the killswitch is not working: if I turn the VPN down, the phone connects through the unprotected ethernet.
I’ve tried adding various rules restricting 10.42.0.0/16 access to ethernet, but then they also block devices from connecting to the hotspot.
How can I keep the killswitch working, while enabling devices to connect to the hotspot, allowing them only a VPN connection?
But a phone connecting to its hotspot, hangs on “Obtaining IP address”.
If your devices connect to the WiFi they have to use DHCP to obtain an IP address - but your UFW rules do not allow DHCP.
If your devices connect to the WiFi they have to use DHCP to obtain an IP address - but your UFW rules do not allow DHCP.
Yes, when I add these rules:
sudo ufw allow in on wlp2s0 from 10.42.0.0/24
sudo ufw allow out on wlp2s0 to 10.42.0.0/24
Then devices properly connect to the hotspot.
The problem is that once they connect, they still CAN connect to the unprotected ethernet when the VPN is down, and I'm not able to block it yet.
I’ve denied routing by default:
sudo ufw default deny routed
Even if I add a rule like this one, denying hotspot devices access to ethernet, they can still connect to it:
sudo ufw deny out on enp6s0 from 10.42.0.0/24
So I realized that NetworkManager is probably automatically adding this rule to iptables:
sudo iptables -t nat -L POSTROUTING -n -v --line-numbers
Chain POSTROUTING (policy ACCEPT 23 packets, 1572 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE all  --  *      *       10.42.0.0/24        !10.42.0.0/24
I'm not sure if that's what's causing the killswitch not to work, but I don't know how to set NetworkManager not to add it.
Edit:
Yeah, that's it. If I connect everything and then manually remove this iptables route added by NetworkManager, the killswitch works for devices connected to the hotspot.
But when I restart NetworkManager, it adds this route again...
So the question is, how do I prevent NetworkManager from doing it? Or maybe even set it so that it adds the route to tun0?
Last edited by JohannDaart (2024-10-12 18:36:37)
You probably configured a connection as "Shared to other computers". Then NM adds iptables rules.
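An added example, not from this thread, that audits for exactly the rule the poster found: it parses the output of `iptables -t nat -L POSTROUTING -n -v --line-numbers` and flags any MASQUERADE rule that NATs the 10.42.0.0/24 hotspot out of anything other than tun0 (an out interface of `*` is what lets the phone's traffic leave via enp6s0 once the tunnel is down). The interface and subnet names are the ones from the thread; the sample output is constructed.

```python
import ipaddress

# Interface and subnet names come from the thread; the command output below is
# constructed to mirror what `sudo iptables -t nat -L POSTROUTING -n -v --line-numbers`
# showed (rule 1, added by NetworkManager for the shared connection), plus the
# MASQUERADE rule the poster put in /etc/ufw/before.rules (rule 2).
HOTSPOT_NET = "10.42.0.0/24"
VPN_IF = "tun0"

SAMPLE_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 23 packets, 1572 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE all  --  *      *       10.42.0.0/24        !10.42.0.0/24
2        0     0 MASQUERADE all  --  *      tun0    10.42.0.0/16         0.0.0.0/0
"""

def parse_postrouting(text):
    """Parse `iptables -t nat -L POSTROUTING -n -v --line-numbers` output into dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # chain header, column header, or blank line
        rules.append({
            "num": int(parts[0]), "target": parts[3],
            "in": parts[6], "out": parts[7], "src": parts[8], "dst": parts[9],
        })
    return rules

def _src_covers_hotspot(src, hotspot):
    """True if the rule's source match includes hotspot clients (negated matches never do)."""
    if src.startswith("!"):
        return False
    return ipaddress.ip_network(src).overlaps(ipaddress.ip_network(hotspot))

def leaky_masquerade(rules, hotspot=HOTSPOT_NET, vpn_if=VPN_IF):
    """Return MASQUERADE rules that NAT hotspot traffic out of something other
    than the VPN tunnel. An out interface of '*' means 'any', so with tun0 down
    the kernel NATs the phone's packets out of the ethernet uplink: no killswitch."""
    return [r for r in rules
            if r["target"] == "MASQUERADE"
            and r["out"] != vpn_if
            and _src_covers_hotspot(r["src"], hotspot)]

if __name__ == "__main__":
    for r in leaky_masquerade(parse_postrouting(SAMPLE_POSTROUTING)):
        print(f"rule {r['num']}: MASQUERADE {r['src']} out {r['out']} bypasses {VPN_IF}")
```

Run it against the live output (e.g. `sudo iptables -t nat -L POSTROUTING -n -v --line-numbers | python3 audit.py` with `sys.stdin.read()` in place of the sample) after each NetworkManager restart to confirm the rule has not come back.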