LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1  01-05-2019, 06:22 PM  Captain Brillo (Member; Distribution: Manjaro Cinnamon)
A way to auto-connect to your VPN at startup without an App


Thought I’d present this attempt to automate VPN connection at start-up. This method avoids the need for an actual “kill-switch,” because if the connection is broken, there’s no other connection available for “leaks.” It has passed my (very limited) testing so far. I’m very much looking for critique, correction and improvement. [Call it an “assay” submitted for marking (pun intended)]. Should it survive, it can be available in 1 piece, in 1 place, for every newbie to use. (See bottom for credits.)


I’ve seen a few really long, involved “kill-switches” built with ip tables. Your feedback may enlighten us (me) re the validity of the apparently huge labour needed for this approach. My hope is that this simplicity here actually is effective.

There are several apps/applets out there that work as kill-switches, and I found a 2-app combo that does everything anyone would ask for. It’s brilliant. But I’m no longer a very trusting person, and without getting inside them, you don’t really know what they’re doing. No disrespect to other travellers, but look at it this way: this might be a little more complicated to set up than installing an app, but this way gives you total control. And you’re doubt-free.

This post consists of some simple firewall rules and a little 1-command startup app.
(I use nordVPN, which does not use IPv6; at the bottom are commands to disable IPv6 and stop those leaks.)

Some considerations :

- changing VPN servers - requires a bit of adjustment - need to change both the ip address in the ufw rule and the uuid in the startup app

- torrenting - when the connection breaks when downloading a torrent file, qbittorrent continues to run, but download speed gradually drops to 0 - need to explain this (- am I now visible? -) and find a fix.

For Ubuntu et al., ufw is fine. Other distros....I don’t know.

Set up the firewall rules:

Code:
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any
sudo ufw allow out from any to <ip address of vpn>
sudo ufw enable
sudo ufw status

Next, follow these steps.

This command will show you your connections:

Code:
nmcli con

and will return something like:

Code:
NAME                UUID                                  TYPE            DEVICE
Wired connection 1  f49e5cee-9a89-35ac-8a87-3e487c2f86f9  802-3-ethernet  eno1
xx.nordvpn.com.tcp  8d7331ad-ff3c-4e19-a7a9-cc1b129dbe54  vpn             eno1
tun0                e40b6153-802c-40ed-9f64-a02beee4be66  tun             tun0

Now type this command:

Code:
$ nmcli con up uuid <your vpn uuid here>

as in

Code:
$ nmcli con up uuid 8d7331ad-ff3c-4e19-a7a9-cc1b129dbe54

This should connect you to the VPN server.

Next, add that last command to your “Startup Applications” as a “custom command.” Maybe call it “StartVPN”....

Reboot; the VPN should connect automatically; turn off the VPN and see if anything can connect. It shouldn’t.

-confirm that nothing is still communicating after you kill the connection.

How to disable IPv6 on Linux?

First, run ifconfig to get a list showing any IPv6 connections; if you find any, add them to the commands below after the command about tun0, substituting that connection name (eno1, etc.) for tun0.

Here's how to disable the protocol on a Red Hat-based system:

1. Open a terminal window.
2. Change to the root user.
3. Issue the commands:

Code:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv6.conf.tun0.disable_ipv6=1

To re-enable IPv6, issue the following commands:

Code:
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0
sysctl -w net.ipv6.conf.tun0.disable_ipv6=0

Here's how to disable the protocol on a Debian-based machine.
1. Open a terminal window.
2. Issue the command:

Code:
sudo nano /etc/sysctl.conf

3. Add the following at the bottom of the file:

Code:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1

4. Save and close the file.

5. Reboot the machine.

To re-enable IPv6, remove the above lines from /etc/sysctl.conf and reboot the machine.

(Note: in the lines added for Red Hat there are no spaces beside the “=” signs, but for Debian systems, there are spaces around the “=”. I don’t know if this is accurate; these were both cut & pasted. I have only tested for Debian and the spaces are accurate.)

Then make sure all network connections have IPv6 set to ignore.
(the “xmodulo” link below has another method to disable IPv6.)


Here's how to check:
https://ipleak.net
https://www.dnsleaktest.com
https://panopticlick.eff.org
https://browserprint.info/test



This info comes, bit by bit, from these sites:

https://support.nordvpn.com/?_ga=2.255307656.1602981805.1546285358-211648334.1546285358

https://www.reddit.com/r/VPN/comments/2vxrey/is_there_a_way_to_set_up_ubuntu_so_that_it_will/comog21/

https://www.smarthomebeginner.com/auto-connect-to-openvpn-linux-mint/


https://nordvpn.com/tutorials/linux/openvpn/

https://technofaq.org/posts/2017/08/...x-and-windows/

http://ask.xmodulo.com/disable-ipv6-linux.html

Last edited by Captain Brillo; 01-05-2019 at 07:11 PM. Reason: Forgot part.
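The firewall rule set and the nmcli connection lookup from the post above, combined into one POSIX shell script as an added example. This is not Captain Brillo's script, nor anything from NordVPN or the ufw project. It assumes ufw, nmcli and sudo are installed, uses tun0 as the tunnel device unless another one is given, and looks the VPN connection up by its NetworkManager NAME at run time, so a server change only needs the name changed rather than a UUID pasted into a start-up entry. The file name vpnkill.sh in the usage note, the sample nmcli listing and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the original poster's script): a kill-switch rule builder
# plus a VPN start-up helper that looks the connection up by NetworkManager NAME.
# Assumptions not taken from the thread: ufw and nmcli are installed, the tunnel
# device is tun0 unless given, and sudo is available for the ufw commands.
set -u

# Print the UUID of the NetworkManager connection named $1 whose TYPE is "vpn".
# $2 is terse nmcli output, one "NAME:UUID:TYPE" record per line, as produced by
#   nmcli -t -f NAME,UUID,TYPE con show
# Returns 1 when no such connection exists, so callers fail loudly instead of
# silently bringing up nothing.
vpn_uuid_for_name() {
    printf '%s\n' "$2" | awk -F: -v n="$1" \
        '$1 == n && $3 == "vpn" { print $2; found = 1 } END { exit (found ? 0 : 1) }'
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# The outbound exception to the VPN server is the one hole in the kill switch,
# so the address that goes into it is checked rather than trusted.
is_ipv4() {
    printf '%s' "$1" | awk -F. '
        NR == 1 && NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
        }
        END { exit (ok ? 0 : 1) }'
}

# Print the ufw rule set as shell commands, one per line: deny everything by
# default, allow traffic on the tunnel device, and allow the single cleartext
# exception needed to reach the VPN server itself. $1 = VPN server IPv4,
# $2 = tunnel device (default tun0).
killswitch_rules() {
    vpn_ip=$1
    tun=${2:-tun0}
    is_ipv4 "$vpn_ip" || { echo "not an IPv4 address: $vpn_ip" >&2; return 1; }
    cat <<EOF
ufw default deny outgoing
ufw default deny incoming
ufw allow out on $tun from any to any
ufw allow in on $tun from any to any
ufw allow out from any to $vpn_ip
EOF
}

# Run the rules through sudo, or with DRY_RUN=1 just echo them prefixed by "+ "
# so the rule set can be reviewed before it touches the firewall. The loop
# reads from a here-document rather than a pipe so "return" works inside it.
apply_killswitch() {
    rules=$(killswitch_rules "$@") || return 1
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "+ $cmd"
        else
            sudo $cmd || return 1
        fi
    done <<EOF
$rules
EOF
}

# Bring up the VPN connection named $1. The UUID is resolved at run time, so
# switching servers means adding a new NetworkManager connection and changing
# the name passed here, not editing a UUID into a start-up entry.
start_vpn() {
    listing=$(nmcli -t -f NAME,UUID,TYPE con show) || return 1
    uuid=$(vpn_uuid_for_name "$1" "$listing") \
        || { echo "no VPN connection named '$1'" >&2; return 1; }
    nmcli con up uuid "$uuid"
}

# Command-line entry point; with no arguments the script only defines the
# functions above, so it can be sourced or tested without touching anything.
case "${1:-}" in
    rules) shift; apply_killswitch "$@" ;;
    up)    shift; start_vpn "${1:?connection name required}" ;;
    "")    ;;
    *)     echo "usage: $0 rules <vpn-ip> [tun-dev] | up <connection-name>" >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 sh vpnkill.sh rules <vpn-ip>` to see the rules, then the same without DRY_RUN to apply them; `ufw enable` is still run by hand as in the post, since it prompts interactively. In Startup Applications, `sh vpnkill.sh up xx.nordvpn.com.tcp` replaces the hard-coded `nmcli con up uuid ...` command, and a failed lookup exits non-zero instead of leaving the machine silently without the tunnel.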
 
#2  01-05-2019, 07:33 PM  ferrari (LQ Guru; Distribution: openSUSE Leap)
You could also use NetworkManager's dispatcher script capability...
https://wiki.archlinux.org/index.php...is_established

More info
Code:
man NetworkManager
 
#3  01-05-2019, 08:06 PM  Captain Brillo (Original Poster)
Thanks, I saved that. It's still beyond my scripting/programming skills, which is why I've suggested this is for newbies.
Notice any glaring boo-boos?
 
#4  03-14-2019, 05:33 AM  markophillips (LQ Newbie)
Very helpful thread.
 
  

