Skip to content

Leak Protection (Fail Safe Mechanism) for (Open)VPN

Notifications You must be signed in to change notification settings

Jack28/VPN-Firewall

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 

Repository files navigation

Simple VPN Firewall

	by Felix bauer
	very much based on adrelanos vpn-firewall https://github.com/adrelanos/VPN-Firewall

	/home/felix/bin/vpnfirewall [-in {ACCEPT|DROP}] (IP|DNS)
		-in 		defines iptables INPUT policy
		IP|DNS		OUTPUT is allowed to those hosts only

	alternatively allowed outgoing connections can be added with
	/home/felix/bin/vpnfirewall ALLOW (IP|DNS)

comes with absolutely NO WARRANTY

Changes

Stand alone bash script.

New arguments [-in {ACCEPT|DROP}] [IP|DNS] -in {ACCEPT|DROP} to set INPUT policy [IP|DNS] to specify allowed tunnel gateway ALLOW (IP|DNS)

*thanks to adrelanos

Why

If you simply add a VPN using common instructions, it generally fails open. That means, if the VPN breaks down, because the connection is interrupted, traffic will be send without the VPN.

It's much safer when it fails closed, i.e. when the VPN connection breaks down, the whole internet connection must be down as long as the VPN connection isn't restored.

What does it do

  • Forbid outgoing traffic after the VPN software broke down for some reason.
  • Tight firewall rules, using iptables policy drop.
  • Only tested with OpenVPN. Should work with other VPN clients such as PPTP in theory, you should test if it does what it claims anyway.
  • Only tested on Debian Wheezy and Whonix. Should work on any other Linux distribution in theory, you should test if it does what it claims.
  • Open Source / Free Software

What does it NOT do

  • Care about DNS leaks. Consult your VPN software's/provider's documentation and configure /etc/resolv.conf to use the DNS server of your VPN server.
  • Defend against IP leaks. If a locally installed application uses trickery to obtain the the users real IP and sends it somewhere though the VPN.
  • Defend against adversaries, which are in position to run code locally, i.e. manipulate the firewall rules.
  • Prevent any other kind trickery to circumvent using the VPN.
  • Prevent leaks caused by bugs in the VPN software.
  • Run the VPN software as unprivileged user. For OpenVPN see [OpenVPN wiki UnprivilegedUser](https://community.openvpn.net/openvpn/wiki/ UnprivilegedUser).
  • Manage IPv6 traffic. IPv6 traffic is blocked.
  • Install (Open)VPN.
  • Configure (Open)VPN.
  • Autostart (Open)VPN.
  • Anything else not mentioned above in "What does it do".

How to Use

  1. First learn how to get your VPN software connected without using VPN-Firewall.

Use the IP to connect to your VPN server, not the hostname!

  1. Remove old versions of VPN-Firewall.

    sudo update-rc.d vpnfirewall remove sudo rm /usr/local/bin/vpnfirewall sudo rm /usr/bin/vpnfirewall sudo rm /etc/init.d/vpnfirewall

  2. Get the firewall script and install it.

    cd ~

    git clone https://github.com/adrelanos/VPN-Firewall.git

    cd VPN-Firewall

    sudo cp ./usr/bin/vpnfirewall /usr/bin/

  3. Edit the /usr/bin/vpnfirewall settings with your favorite editor.

Note, that you must use the IP of your VPN server, not the hostname.

  1. Load /usr/bin/vpnfirewall before the network and before OpenVPN goes up.
  • If you are NOT permanently using (Open)VPN, i.e. if you only occasionally, manually connect to the VPN.

Just run the following command before starting OpenVPN.

sudo /usr/bin/vpnfirewall

Should reply:

OK: Loading VPN firewall...
OK: The firewall should not show any messages,
OK: besides output beginning with prefix OK:...
OK: VPN firewall loaded.
  • If you are permanently using (Open)VPN, i.e. always want to use the VPN.

Install the init script.

sudo cp ./etc/init.d/vpnfirewall /etc/init.d/

sudo update-rc.d vpnfirewall defaults

Test the init script.

sudo service vpnfirewall restart

sudo service vpnfirewall status

echo $?

Should reply:

0

Reboot.

Check VPN Firewall status again.

sudo service vpnfirewall status

Should reply:

0

How to Test

  1. Install.

  2. Test if it works. Check whatismyipaddress.com if you your external IP is from the VPN.

  3. Kill the VPN client.

Example OpenVPN:

sudo killall openvpn
  1. Check if you can still connect to whatismyipaddress.com.

If yes, bad, something is wrong.

If no, good, you won't connect to any remote servers besides the VPN IP once the VPN client broke down.

How to Debug

Developers only.

Enable debugging. Uncomment "set -x" in all scripts.

Check iptables logs.

tail -f /var/log/syslog

Alternatives

  • One could play with the linux equivalent of the route command.
  • Hardening your VPN Setup with iptables
  • VPNCheck - No source code. Nice looking user interface.
  • VPNetMon - No source code. Windows only. Checks every, let's say 500 ms, if the VPN IP is still valid, if not, kill a list of applications. This is not very secure, it's a game if that time period is sufficient to stop a leak and if killing the applications is fast enough. Nice looking user interface.
  • OPENVPN Watchdog - No source code. Windows only. Nice looking user interface.
  • VPN Lifeguard supports PPTP and IPSec, not OpenVPN. Windows only. Nice looking user interface.
  • ForceBindIP - Bind any Windows application to a specific interface. No source code. Windows only.
  • Some individual VPN services distribute closed source applications with vendor lock in. Nice looking user interfaces.
  • One could tighten the firewall rules even more, by creating a dedicated user account for (Open)VPN, allow only the (Open)VPN process to connect to the VPN server. (VPN-Firewall lets all processes connect to the VPN IP, not only (Open)VPN. However, the setup would become more difficult, it may require modifying the OpenVPN init script.)
  • Much safer would be, if one would build something similar to Whonix. Very briefly, while Whonix uses Tor and consists of a Gateway and a Workstation, since the Workstation doesn't know it's own external IP, the Workstation can never leak it and never connect in the clear. One could create similarly a VPNBOX.

Forks, Patches, Testers, Comments, etc.

Welcome.

Author

BTC

1JgzCCSox56Sh4NnQJqRiwoxKi8oVSZBEd

License

GPLv3+

About

Leak Protection (Fail Safe Mechanism) for (Open)VPN

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Shell 100.0%