
#1 2024-10-10 14:07:52

JohannDaart
Member
Registered: 2024-10-10
Posts: 2

Laptop as VPN hotspot. Trouble with UFW settings for a killswitch.

Hello, I’ve just registered :)

For a couple of days I’ve tried solving this myself, to no avail. I’ve researched it a lot, but I lack some knowledge.

I want to use an old laptop, which connects to the internet through ethernet, as a WiFi hotspot that lets devices connected to it access the internet only through the VPN.
But I wanted to use UFW to establish a killswitch, so that if something goes wrong (like a router restart), the devices won’t connect without the VPN through the laptop’s ethernet.
With UFW disabled, everything works correctly: the phone connects to the hotspot and its traffic goes through the VPN, but obviously there’s no killswitch.

My interfaces are:

  • enp6s0 for ethernet.

  • wlp2s0 for the hotspot, with 10.42.0.1/24 network.

  • tun0 for OpenVPN connection.

What I did so far:

I’ve disabled IPv6 and turned off IPv6 rule creation in UFW:

/etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

sudo sysctl -p

/etc/default/ufw

IPV6=no

Enabled IPv4 forwarding:

/etc/sysctl.conf

net.ipv4.ip_forward=1

sudo sysctl -p

Enabled forwarding in UFW:

/etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

Added a NAT rule for UFW, before the *filter section:

/etc/ufw/before.rules

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.42.0.0/16 -o tun0 -j MASQUERADE
COMMIT

My VPN provider gives a domain name instead of a static IP for the connection config, so I’ve created an
OpenVPN profile that enables UDP ports 1194 and 53:

[OpenVPN]
title=OpenVPN
description=Virtual private network or secure tunnel daemon.
ports=1194,53/udp

Added UFW rules:

sudo ufw default deny incoming
sudo ufw default deny outgoing

sudo ufw allow in OpenVPN
sudo ufw allow out OpenVPN

sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any

Resulting rules:

Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
53,1194/udp (OpenVPN)      ALLOW IN    Anywhere
Anywhere on tun0           ALLOW IN    Anywhere

53,1194/udp (OpenVPN)      ALLOW OUT   Anywhere
Anywhere                   ALLOW OUT   Anywhere on tun0

So here’s the problem: with these UFW rules, the laptop properly connects to the VPN and blocks ethernet traffic if I turn the VPN down.
But a phone connecting to its hotspot hangs on “Obtaining IP address”.

Then if I add rules to enable the hotspot network:

sudo ufw allow out to 10.42.0.0/16
sudo ufw allow in to 10.42.0.0/16

The phone connects to the hotspot and the traffic goes through the VPN. But the killswitch is not working: if I turn the VPN down, the phone connects through the unprotected ethernet.

I’ve tried adding various rules restricting 10.42.0.0/16 access to ethernet, but then they also block devices from connecting to the hotspot.

How can I keep the killswitch working, while enabling devices to connect to the hotspot, allowing them only a VPN connection?


#2 2024-10-11 11:29:09

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: Laptop as VPN hotspot. Trouble with UFW settings for a killswitch.

JohannDaart wrote:

But a phone connecting to its hotspot, hangs on “Obtaining IP address”.

If your devices connect to the WiFi they have to use DHCP to obtain an IP address - but your UFW rules do not allow DHCP.


#3 2024-10-12 17:25:28

JohannDaart
Member
Registered: 2024-10-10
Posts: 2

Re: Laptop as VPN hotspot. Trouble with UFW settings for a killswitch.

-thc wrote:

If your devices connect to the WiFi they have to use DHCP to obtain an IP address - but your UFW rules do not allow DHCP.

Yes, when I add these rules:

sudo ufw allow in on wlp2s0 from 10.42.0.0/24
sudo ufw allow out on wlp2s0 to 10.42.0.0/24

Then devices properly connect to the hotspot.
The problem is that once they connect, they still CAN connect to the unprotected ethernet when the VPN is down, and I’m not able to block it yet.

I’ve denied routing by default:

sudo ufw default deny routed

Even if I add a rule like this one, denying hotspot devices access to ethernet, they can still connect to it:

sudo ufw deny out on enp6s0 from 10.42.0.0/24

So I realized that NetworkManager is probably automatically adding this rule to iptables:

sudo iptables -t nat -L POSTROUTING -n -v --line-numbers
Chain POSTROUTING (policy ACCEPT 23 packets, 1572 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      *       10.42.0.0/24        !10.42.0.0/24

I’m not sure if that’s what’s causing the killswitch not to work, but I don’t know how to set NetworkManager not to add it.

Edit:
Yeah, that's it. If I connect everything and then manually remove this iptables route added by NetworkManager, the killswitch works for devices connected to the hotspot.
But when I restart NetworkManager, it adds this route again...

So the question is, how do I prevent NetworkManager from doing it? Or maybe even set it so it adds the route to tun0?

Last edited by JohannDaart (2024-10-12 18:36:37)
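An added example, not JohannDaart's or -thc's own configuration: a small read-only audit script for the two problems this thread runs into, the missing DHCP allowance from post #2 and the NetworkManager MASQUERADE rule from post #3. It scans an `iptables-save -t nat` dump for MASQUERADE rules that are not pinned to the VPN interface, because any such rule (NetworkManager's "shared" rule has no `-o` at all) lets hotspot clients be NATed out of the ethernet interface as soon as tun0 is gone, which is exactly the kill-switch failure described above. The sample dumps are constructed; the interface names (tun0, wlp2s0, enp6s0), the 10.42.0.0/24 hotspot subnet and the OpenVPN app profile are taken from the thread, while the `ufw route` rule and the explicit DHCP port rules are this example's own additions (DHCPDISCOVER arrives from 0.0.0.0, so a rule scoped to the hotspot subnet does not match it).

```shell
#!/bin/sh
# Added example for this thread (not the poster's configuration).
# Audits an "iptables-save -t nat" dump for MASQUERADE rules that are not
# restricted to the VPN tunnel. The rule NetworkManager installs for a
# "Shared to other computers" connection has no "-o" match, so packets from
# hotspot clients get masqueraded out of whatever interface holds the default
# route (enp6s0) once tun0 is down, bypassing the UFW kill switch.

VPN_IF="${VPN_IF:-tun0}"      # assumed tunnel interface, as in the thread

# leaky_masq_rules DUMP_FILE
#   Prints every MASQUERADE rule whose outgoing interface is not "-o $VPN_IF".
#   Returns 0 when the NAT table is clean, 1 when at least one rule leaks.
leaky_masq_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"-j MASQUERADE"*)
                case "$line" in
                    *"! -o $VPN_IF "*) printf 'LEAK: %s\n' "$line"; found=1 ;; # negated match: everything but the tunnel
                    *"-o $VPN_IF "*)   : ;;                                    # pinned to the tunnel: fine
                    *)                 printf 'LEAK: %s\n' "$line"; found=1 ;; # no interface, or the wrong one
                esac
                ;;
        esac
    done < "$1"
    return "$found"
}

# count_leaky_masq DUMP_FILE -> number of offending rules, on stdout
count_leaky_masq() {
    leaky_masq_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample: the nat table after NetworkManager shared wlp2s0 (rule 1),
# a stray ethernet masquerade (rule 2) and the poster's before.rules entry (rule 3).
write_nm_shared_dump() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 -o enp6s0 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 -o tun0 -j MASQUERADE
COMMIT
EOF
}

# Constructed sample: the hardened state, NAT only ever leaves via the tunnel.
write_hardened_dump() {
    cat > "$1" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.42.0.0/24 -o tun0 -j MASQUERADE
COMMIT
EOF
}

# The UFW rule set that goes with the hardened NAT table. It is emitted, not
# applied, so the script stays read-only. Forwarding is denied by default and
# re-allowed only from the hotspot into the tunnel; DHCP (udp/67 in, udp/68 out)
# is opened explicitly because DHCPDISCOVER comes from 0.0.0.0, not from the subnet.
print_killswitch_rules() {
    cat <<'EOF'
ufw default deny incoming
ufw default deny outgoing
ufw default deny routed
ufw allow in on wlp2s0 to any port 67 proto udp
ufw allow out on wlp2s0 to any port 68 proto udp
ufw allow in on wlp2s0 from 10.42.0.0/24
ufw allow out on wlp2s0 to 10.42.0.0/24
ufw allow out on enp6s0 to any app OpenVPN
ufw allow out on tun0
ufw route allow in on wlp2s0 out on tun0
EOF
}

# Stand-alone demo on the constructed dumps. On the laptop itself you would run:
#   iptables-save -t nat > /tmp/nat.dump && leaky_masq_rules /tmp/nat.dump
demo() {
    d=$(mktemp)
    write_nm_shared_dump "$d"
    echo "NetworkManager-shared state:"
    leaky_masq_rules "$d" || echo "-> kill switch is bypassable ($(count_leaky_masq "$d") leaking rule(s))"
    write_hardened_dump "$d"
    echo "hardened state:"
    leaky_masq_rules "$d" && echo "-> all NAT pinned to $VPN_IF"
    rm -f "$d"
}
demo
```

Because post #3 shows NetworkManager re-adding its rule on every restart, the audit is worth running after each NetworkManager restart (or from a dispatcher hook), not just once; a non-zero exit from `leaky_masq_rules` is the signal that the kill switch can be bypassed.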


#4 2024-10-13 06:06:40

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: Laptop as VPN hotspot. Trouble with UFW settings for a killswitch.

You probably configured a connection as "Shared to other computers". Then NM adds iptables rules.

