"kill switch" support #66
Comments
Reddit thread has some fresher ideas. UFW can be used. And in the context of WireGuard: WG has the PostUp/PreDown actions which facilitate "kill switch" implementation: https://www.reddit.com/r/WireGuard/comments/bpmssc/configuring_wireguard_with_a_kill_switch/
This is not as easy as it looks. People have very different setups and setting up a kill switch for everybody is impossible (there are just too many ways to do this). For example, we cannot use UFW as that would force people to install UFW to manage the firewall and that would just be abusive towards people running distributions that come by default with alternatives to UFW. These scripts do not aim to provide a substitute for the PIA Desktop applications, which have been designed with kill switch and split tunnel. The idea is to provide a baseline that people can use and adapt to their own requirements. For battle-tested security, please use the Desktop applications. Because each system is different, this repo will become confusing and over-complicated very fast if we start adding:
That is why we encourage people to fork this repo and accommodate the scripts to their requirements. If their versions are well written, we can add those versions to the 3rd Party section in the README. My current opinion is that we should close both this ticket and also #62, as supporting this for everybody is just not possible. I will think over the next weeks if there is any way to adapt this to the code in this repo without making the code complicated and hard to understand.
As complexity goes, the code is more than OK. It's shell, and you can always run it with "-x". The problem is the quirky interfacing between PIA backend and local VPN daemons. It's hard to know what is done why: is it required by backend? is it required by the VPN daemon? or is it required for something else entirely? I.e. don't mix up "code hard to understand" with "subject matter hard to understand". There are lots more shell experts than VPN/PIA experts.
P.S. Re Desktop app. I haven't tried it recently, but in the past it was obscenely "user friendly", i.e. exclusively GUI, and not even copy-paste supported everywhere. (For most automation, I don't mind GUI running. But some do.) If PIA desktop software supported a few basic command line commands (start, stop, status & query of forwarded ports) that would have been a great & easy option too. (I.e. configure it once in the GUI, then start/stop it from the scripts.) In the past I've asked PIA support about some basic command line support for the desktop client, but received flat out rejection.
@g00nix I have tried standard "desktop" client & found that (despite flat out rejection ~2 years ago) it now supports the command line interface (to manage the UI). So at least me and my use-cases appear to be covered. (I stopped using headless systems for VPN after a few screw-ups with my "killswitch".) If no-one else is interested, then the ticket could be closed. Otherwise, I would suggest to document (or at least mention) that desktop client now supports management via command line (piactl connect, piactl get portforward). Thanks!
Awesome ideas! Thank you! I will add this to the roadmap for 2021!
Please add support for a "kill switch".
Previously, the typical implementation of the "kill switch" was to configure iptables to only let through the traffic routed over the IP address of the VPN gateway. If the VPN connection broke, iptables prevented the traffic from going over the normal network interface.
(If I've missed it - or it is provided otherwise - please close the ticket (with explanation).)
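As an added example (not code from this repo), this is how the iptables approach described in the issue can be hooked into WireGuard's PostUp/PreDown actions mentioned in the comment above: only loopback, traffic inside the tunnel and the UDP handshake to the VPN endpoint may leave the box, so a dropped tunnel cannot leak over the physical interface. The chain name, interface names and endpoint address are assumptions.

```shell
#!/bin/sh
# Added example, not part of the pia-foss scripts. Builds (and optionally applies)
# an iptables OUTPUT rule set acting as a WireGuard "kill switch".
# Chain name, interface names and addresses are constructed assumptions.
# LAN/DHCP exceptions are deliberately not included; add them per setup.

KS_CHAIN=PIA_KILLSWITCH   # assumed chain name, keeps these rules apart from the user's

# Print the iptables commands for one direction of the switch.
# $1 = up|down, $2 = tunnel iface, $3 = endpoint IP, $4 = endpoint UDP port, $5 = physical iface
killswitch_rules() {
  wg_if=$2; ep_ip=$3; ep_port=$4; phys_if=$5
  case "$1" in
    up)
      cat <<EOF
iptables -N $KS_CHAIN
iptables -A $KS_CHAIN -o lo -j ACCEPT
iptables -A $KS_CHAIN -o $wg_if -j ACCEPT
iptables -A $KS_CHAIN -o $phys_if -p udp -d $ep_ip --dport $ep_port -j ACCEPT
iptables -A $KS_CHAIN -j REJECT --reject-with icmp-admin-prohibited
iptables -I OUTPUT 1 -j $KS_CHAIN
EOF
      ;;
    down)
      # Reverse order on teardown: unhook from OUTPUT, then flush and delete the chain.
      cat <<EOF
iptables -D OUTPUT -j $KS_CHAIN
iptables -F $KS_CHAIN
iptables -X $KS_CHAIN
EOF
      ;;
    *)
      echo "usage: killswitch_rules up|down WG_IF ENDPOINT_IP ENDPOINT_PORT PHYS_IF" >&2
      return 2
      ;;
  esac
}

# Apply the generated rules (needs root). Reference it from the WireGuard config, e.g.:
#   PostUp  = /etc/wireguard/killswitch.sh up wg0 203.0.113.10 1337 eth0
#   PreDown = /etc/wireguard/killswitch.sh down wg0 203.0.113.10 1337 eth0
killswitch_apply() {
  killswitch_rules "$@" | sh -e
}
```

Because the REJECT rule sits last in the chain, every new rule must be inserted above it; check the result with `iptables -S PIA_KILLSWITCH` before relying on it.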