Thought I’d present this attempt to automate VPN connection at start-up. This method avoids the need for an actual “kill-switch,” because if the connection is broken, there’s no other connection available for “leaks.” It has passed my (very limited) testing so far. I’m very much looking for critique, correction and improvement. [Call it an “assay” submitted for marking (pun intended).] Should it survive, it can be available in 1 piece, in 1 place, for every newbie to use. (See bottom for credits.)
I’ve seen a few really long, involved “kill-switches” built with iptables. Your feedback may enlighten us (me) re the validity of the apparently huge labour needed for this approach. My hope is that the simplicity here actually is effective.
There are several apps/applets out there that work as kill-switches, and I found a 2-app combo that does everything anyone would ask for. It’s brilliant. But I’m no longer a very trusting person, and without getting inside them, you don’t really know what they’re doing. No disrespect to other travellers, but look at it this way: this might be a little more complicated to set up than installing an app, but this way gives you total control. And you’re doubt-free.
This post consists of some simple firewall rules and a little 1-command startup app.
(I use NordVPN, which does not use IPv6; at the bottom are commands to disable IPv6 and stop those leaks.)
Some considerations:
- Changing VPN servers requires a bit of adjustment: you need to change both the IP address in the ufw rule and the UUID in the startup app.
- Torrenting: when the connection breaks while downloading a torrent, qBittorrent continues to run, but the download speed gradually drops to 0. I need to explain this (am I now visible?) and find a fix.
For Ubuntu et al., ufw is fine. Other distros....I don’t know.
Set up the firewall rules:
Code:
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any
sudo ufw allow out from any to <ip address of vpn>
sudo ufw enable
sudo ufw status
Next, follow these steps.
This command will show you your connections:
Code:
nmcli con show
and will return something like:
Code:
NAME UUID TYPE DEVICE
Wired connection 1 f49e5cee-9a89-35ac-8a87-3e487c2f86f9 802-3-ethernet eno1
xx.nordvpn.com.tcp 8d7331ad-ff3c-4e19-a7a9-cc1b129dbe54 vpn eno1
tun0 e40b6153-802c-40ed-9f64-a02beee4be66 tun tun0
Now type this command:
Code:
nmcli con up uuid <your vpn uuid here>
as in:
Code:
nmcli con up uuid 8d7331ad-ff3c-4e19-a7a9-cc1b129dbe54
This should connect you to the VPN server.
Next, add that last command to your “Startup Applications” as a “custom command.” Maybe call it “StartVPN”....
Reboot; the VPN should connect automatically. Then turn off the VPN and see if anything can connect. It shouldn’t. Confirm that nothing is still communicating after you kill the connection.
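The ufw rules and the nmcli start-up command above, combined into one parameterised script (an added example, not code from the original post): changing servers then means editing VPN_IP and VPN_UUID rather than individual rules. The IP, UUID and interface values are constructed placeholders; the optional VPN_PROTO/VPN_PORT narrowing of the server rule is an assumption beyond the post, which allows any port.

```shell
#!/bin/sh
# Added example, not from the original post: the ufw rules and the nmcli
# start-up command as one parameterised script, so changing servers means
# editing VPN_IP and VPN_UUID instead of individual rules.
# Placeholder values below are constructed; replace them with your own.
VPN_IP="${VPN_IP:-203.0.113.10}"    # VPN server address (TEST-NET-3 placeholder)
VPN_UUID="${VPN_UUID:-00000000-0000-0000-0000-000000000000}"  # from nmcli con show
VPN_IF="${VPN_IF:-tun0}"            # tunnel interface the VPN creates
VPN_PROTO="${VPN_PROTO:-any}"       # tcp/udp narrows the server rule; any = as in the post
VPN_PORT="${VPN_PORT:-}"            # e.g. 443; empty = any port, as in the post

# Return 0 when $1 is a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Return 0 when $1 has the 8-4-4-4-12 hex shape nmcli prints for a UUID.
valid_uuid() {
    echo "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the ufw commands for server IP $1 and tunnel interface $2, one per
# line.  Everything is denied by default; only the tunnel and the server's
# address are allowed, so a dropped tunnel leaves no path for traffic.
ufw_rules() {
    ip=$1; ifc=$2; proto=${3:-any}; port=$4
    valid_ipv4 "$ip" || { echo "bad VPN IP: $ip" >&2; return 1; }
    server="from any to $ip"
    if [ "$proto" != "any" ]; then server="proto $proto $server"; fi
    if [ -n "$port" ]; then server="$server port $port"; fi
    printf '%s\n' "ufw default deny outgoing" "ufw default deny incoming" \
        "ufw allow out on $ifc from any to any" \
        "ufw allow in on $ifc from any to any" \
        "ufw allow out $server" "ufw enable"
}

# Apply the rules as root, then bring the VPN profile up by UUID.  DNS is
# blocked by these rules too, so a profile that names the server by hostname
# will not resolve; the profile should carry the same address as VPN_IP.
apply_lockdown() {
    valid_uuid "$VPN_UUID" || { echo "bad UUID: $VPN_UUID" >&2; return 1; }
    ufw_rules "$VPN_IP" "$VPN_IF" "$VPN_PROTO" "$VPN_PORT" |
        while read -r cmd; do sudo $cmd || exit 1; done || return 1
    nmcli con up uuid "$VPN_UUID"
}
# Nothing runs on load; set VPN_APPLY=1 to apply (e.g. from Startup Applications).
if [ "${VPN_APPLY:-0}" = "1" ]; then apply_lockdown; fi
```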
How to disable IPv6 on Linux?
First, run ifconfig to get a list showing any IPv6 connections. If you find any, add them to the commands below after the command about tun0, substituting that connection name (eno1, etc.) for tun0.
Here's how to disable the protocol on a Red Hat-based system:
1. Open a terminal window.
2. Change to the root user.
3. Issue the commands:
Code:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv6.conf.tun0.disable_ipv6=1
To re-enable IPv6, issue the following commands:
Code:
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0
sysctl -w net.ipv6.conf.tun0.disable_ipv6=0
Here's how to disable the protocol on a Debian-based machine.
1. Open a terminal window.
2. Issue the command:
Code:
sudo nano /etc/sysctl.conf
3. Add the following at the bottom of the file:
Code:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
4. Save and close the file.
5. Reboot the machine.
To re-enable IPv6, remove the above lines from /etc/sysctl.conf and reboot the machine.
(Note: in the lines added for Red Hat there are no spaces beside the “=” signs, but for Debian systems there are spaces around the “=”. I don’t know if this is accurate; these were both cut & pasted. I have only tested for Debian and the spaces are accurate.)
Then make sure all network connections have IPv6 set to ignore.
(The “xmodulo” link below has another method to disable IPv6.)
Here's how to check:
https://ipleak.net
https://www.dnsleaktest.com
https://panopticlick.eff.org
https://browserprint.info/test
This info comes, bit by bit, from these sites:
https://support.nordvpn.com/?_ga=2.255307656.1602981805.1546285358-211648334.1546285358
https://www.reddit.com/r/VPN/comments/2vxrey/is_there_a_way_to_set_up_ubuntu_so_that_it_will/comog21/
https://www.smarthomebeginner.com/auto-connect-to-openvpn-linux-mint/
https://nordvpn.com/tutorials/linux/openvpn/
https://technofaq.org/posts/2017/08/...x-and-windows/
http://ask.xmodulo.com/disable-ipv6-linux.html