LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
10-17-2019, 05:30 AM   #1
jakr997
LQ Newbie
Registered: Oct 2019
Posts: 1
Is this OpenVPN killswitch safe to use?


Many VPN apps have a killswitch in them. I did not want to run a closed-source VPN app just to get a killswitch. I use OpenVPN, so I looked around and found some similar killswitches which work with UFW and support OpenVPN connections. Unfortunately none of them worked for me. So I made my own...


Code:
#!/bin/bash
# killswitch.sh
# help from:
# https://airvpn.org/topic/16697-force-all-traffic-through-vpn-on-linux-killswitch/#entry37162

# Start from a deny-by-default policy in both directions
sudo ufw disable
sudo ufw default deny incoming
sudo ufw default deny outgoing
# Let everything out through the VPN tunnel interface
sudo ufw allow out on tun0 from any to any

# Grab the local 192.168.x.x address (as printed by ip, i.e. with its /prefix)
the_ip=$(ip addr show | grep 'inet 192.168' | awk '{print $2;}')
sudo ufw allow in to "$the_ip"
sudo ufw allow out to "$the_ip"

# Allow outbound port 443 on every interface, not only tun0
sudo ufw allow out 443
sudo ufw enable

For unkillswitch.sh I have:

Code:
#!/bin/bash
# unkillswitch.sh
# Turn the firewall off again, removing the killswitch
sudo ufw disable

After I connect to the VPN, I run killswitch.sh. When I don't need the killswitch, I run unkillswitch.sh and disconnect the VPN. It works for me and does not allow browsing when the VPN connection drops. But I'm not good at networking and such, so I'm not 100% sure if this is secure.

Is it safe to use? Should I be worried about any attacks?
10-18-2019, 12:25 AM   #2
Firerat
Senior Member
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683
Attacks?
Well, leaks...
https://browserleaks.com/

this is bad
Code:
ufw allow out 443
that will allow you to connect to https without going through the VPN

I guess you have that so you can connect to the VPN, I assume tcp

assuming eth0 is 'real' network device
Code:
ufw allow out on eth0 to ${VPN_IP} port 443 proto tcp
If you are using an FQDN to get to the VPN you are going to have to open up a DNS port; you may want to run your own caching DNS and have that only use external (non-VPN) DNS for lookups of the VPN FQDN.

this doesn't make much sense
Code:
the_ip=$(ip addr show | grep 'inet 192.168' | awk '{print $2;}')
sudo ufw allow in to $the_ip
sudo ufw allow out to $the_ip
you would end up with something like 192.168.1.10/24 in and out

Code:
the_ip=$(ip -brief -f inet addr show eth0 | grep -Eo "[0-9]{1,3}(\.[0-9]{1,3}){3}" )
that would get you 192.168.1.10
Code:
ufw allow from ${the_ip%.*}.0/24 to ${the_ip} port 22,1080 proto tcp
opens up SSH and SOCKS,
so, from anywhere on your LAN, you can SSH in or use the SOCKS proxy to connect to the internet via the VPN.
Other typical proxy ports: 3128, 8080, 8118

you should also throw in
Code:
ufw status verbose
to give you a nice overview

you may want to allow out to your LAN

Code:
ufw allow out on eth0 from ${the_ip} to 192.168.1.20 port 3632 proto tcp
to speed up compiles
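A killswitch script that puts the corrections from the reply above together (an added example, not code from either poster): it strips the /prefix that the OP's grep/awk left on the address, opens outbound traffic only on tun0 plus the VPN server's IP and port on the real interface, and allows SSH in from the LAN. It assumes eth0 is the real NIC, tun0 the VPN device, a /24 LAN, and that the VPN server is given by IP address (203.0.113.5 below is a constructed placeholder), not by FQDN.

```shell
#!/bin/sh
# Added example (not the OP's or Firerat's script). Assumptions: eth0 is the
# real NIC, tun0 the VPN device, the LAN is a /24, and the VPN server is given
# as an IP address (an FQDN would also need a DNS rule, as the reply notes).
set -eu

# "192.168.1.10/24" -> "192.168.1.10". The OP's grep/awk kept the /24, so his
# "allow in to $the_ip" rule opened the firewall to the whole LAN.
strip_cidr() { printf '%s\n' "${1%%/*}"; }

# "192.168.1.10" (with or without /24) -> "192.168.1.0/24"
lan_net() { ip=$(strip_cidr "$1"); printf '%s.0/24\n' "${ip%.*}"; }

# Print the ufw commands, one per line, without running them.
# $1 = real interface, $2 = local address (CIDR ok), $3 = VPN server IP, $4 = port
killswitch_rules() {
  dev=$1; me=$(strip_cidr "$2"); vpn_ip=$3; vpn_port=${4:-443}; lan=$(lan_net "$me")
  cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow out on tun0 from any to any
ufw allow out on $dev to $vpn_ip port $vpn_port proto tcp
ufw allow in on $dev from $lan to $me port 22 proto tcp
ufw allow out on $dev from $me to $lan
EOF
}

# Read the address off the interface and apply the rules (DRY_RUN=1 only prints).
apply_killswitch() {
  dev=$1; vpn_ip=$2
  me=$(ip -brief -f inet addr show "$dev" | awk '{print $3}')
  if [ "${DRY_RUN:-0}" = 1 ]; then
    killswitch_rules "$dev" "$me" "$vpn_ip"
    return
  fi
  sudo ufw disable
  killswitch_rules "$dev" "$me" "$vpn_ip" | while read -r cmd; do sudo $cmd; done
  sudo ufw enable
  sudo ufw status verbose
}

# usage: ./killswitch.sh eth0 203.0.113.5   (203.0.113.5 is a constructed placeholder)
if [ $# -ge 2 ]; then
  apply_killswitch "$1" "$2"
fi
```

Run it with DRY_RUN=1 first to see the exact rules it would load before letting it touch ufw.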