LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-17-2019, 06:30 AM   #1
jakr997
LQ Newbie
 
Registered: Oct 2019
Posts: 1

Rep: Reputation: Disabled
Is this OpenVPN killswitch safe to use?


Many VPN apps have killswitch on them. I did not want to run a closed source VPN app just to get a killswitch. I use OpenVPN so I have looked around and found some similar killswitches which work with UFW and supports OpenVPN connections. Unfortunately none of them worked for me. So I made my own...


Code:
#!/bin/bash
# killswitch.sh
# help from:
# https://airvpn.org/topic/16697-force-all-traffic-through-vpn-on-linux-killswitch/#entry37162

sudo ufw disable
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any

the_ip=$(ip addr show | grep 'inet 192.168' | awk '{print $2;}')
sudo ufw allow in to $the_ip
sudo ufw allow out to $the_ip

sudo ufw allow out 443
sudo ufw enable

For unkillswitch.sh I have:

Code:
#!/bin/bash
# unkillswitch.sh
sudo ufw disable
After I connect to VPN, I run killswitch.sh. When I don't need the killswitch, I run unkillswitch.sh and disconnect VPN. It works for me and does not allow browsing when the VPN connection drops. But I'm not good in networking and stuff so not 100% sure if this is secure.

Is it safe to use? Should I be worried about any attacks?
 
Old 10-18-2019, 01:25 AM   #2
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,627

Rep: Reputation: 749Reputation: 749Reputation: 749Reputation: 749Reputation: 749Reputation: 749Reputation: 749
attacks?
well, leaks ..
https://browserleaks.com/

this is bad
Code:
ufw allow out 443
that will allow you to connect to https without going through the VPN

I guess you have that so you can connect to the VPN, I assume tcp

assuming eth0 is 'real' network device
Code:
ufw allow out on eth0 to ${VPN_IP} port 443 proto tcp
If you are using a FQDN to get to the VPN you are going to have to open up a DNS port, you may want to run your own caching dns and have that only use external ( none VPN ) DNS for lookups of the VPN FQDN

this doesn't make much sense
Code:
the_ip=$(ip addr show | grep 'inet 192.168' | awk '{print $2;}')
sudo ufw allow in to $the_ip
sudo ufw allow out to $the_ip
you would end up with something like 192.168.1.10/24 in and out

Code:
the_ip=$(ip -brief -f inet addr show eth0 | grep -Eo "[0-9]{1,3}(\.[0-9]{1,3}){3}" )
that would get you 192.168.1.10
Code:
ufw allow from ${the_ip%.*}.0/24 to ${the_ip} port 22,1080 proto tcp
opens up ssh and socks
so, from anywhere on your lan, you can ssh in or use the socks proxy to connect to the internet via the VPN
other typical proxy ports 3128,8080,8118

you should also throw in
Code:
ufw status verbose
to give you a nice overview

you may want to allow out to your lan

Code:
ufw allow out on eth0 from ${the_ip} to 192.168.1.20 port 3632 proto tcp
to speed up compiles
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: GNOME Settings Daemon 3.11.3 Adds Bluetooth Killswitch Support LXer Syndicated Linux News 0 01-03-2014 07:50 PM
Exception: Failed to initialize killswitch manager (GUI). stf92 Slackware 7 01-13-2013 04:46 PM
[SOLVED] "Wireless is disabled" even with killswitch off greatquizzard Linux - Wireless Networking 14 10-17-2010 06:32 AM
[SOLVED] IPW2200; Killswitch; WICD. jamescondron Linux - Hardware 1 11-26-2009 01:31 PM
OpenSUSE 11.0 / KDE 4.1.1 / wifi killswitch problem manishsingh4u Linux - Wireless Networking 0 09-11-2008 09:04 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:39 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration