
How to prevent IP leak on Linux when OpenVPN fails to connect to the server while I am surfing on the net?

I read about kill switches, but after some internet searches I found out that it is not implemented in OpenVPN.

g0rbe

1 Answer


Unfortunately, the previous (since deleted) answer is incorrect and will allow deanonymization because it allows any connection over port 1194, not just traffic originating from OpenVPN. You should use a simpler firewall which does nothing more than block all non-OpenVPN client output to the outside.

If you do not have an openvpn group, create it. The -r makes it a system group.

groupadd -r openvpn

Once it exists, add this line to your OpenVPN configuration file to run with this group.

group openvpn

Now you can set the firewall to block output for all processes other than the OpenVPN client. You do not need to specifically whitelist any ports, just the correct group and the TUN device.

# Flush the tables. This may cut the system's internet.
iptables -F

# The default policy, if no other rules match, is to refuse traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Let the VPN client communicate with the outside world.
iptables -A OUTPUT -j ACCEPT -m owner --gid-owner openvpn

# The loopback device is harmless, and TUN is required for the VPN.
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -o tun+

# With INPUT set to DROP, loopback must also be accepted on the input side,
# or new connections to local services (e.g. a local resolver) are dropped.
iptables -A INPUT -j ACCEPT -i lo

# We should permit replies to traffic we've sent out, including related
# packets such as ICMP errors belonging to an existing connection.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

If everything worked, you should now have access to the internet only through your VPN. You may need to make some tweaks depending on your particular setup (for example, if you need access to other devices on your local network), but this should be a general solution. In order to make these changes persistent, follow your distribution's instructions on saving firewall settings.

Please understand that VPNs are not designed for privacy or anonymity. Even when using a proper firewall, there are countless ways to circumvent its supposed protections, even if the VPN claims not to keep logs. If you need actual anonymity, you should instead use something like Tor.

forest
  • your answer to this closed question is the only OpenVPN killswitch guide on the internet that doesn't involve hardcoding IPs or Ports (no other results for "openvpn" "killswitch" "groupadd"). But in my linux newbness I can't reproduce it. If I paste your stuff I'm left unable to resolve access to any internet or vpn. Neither from the GUI nor by running e.g. `sudo openvpn 'Austria.ovpn'` - which is a config file to which I prepended `group openvpn`. Must I reboot? Because if I reboot the iptables reset, but I don't want to try to make them permanent if they might brick my internet :) – Spectraljump Dec 09 '18 at 13:20
  • @Spectraljump If this is not a remote server, then you don't have to worry about bricking your internet. If you do something wrong and you block connections, just revert the changes. It's only a real problem if it's a remote server and you end up blocking SSH. – forest Dec 09 '18 at 13:25
  • After I `iptables-save` (using `sudo apt-get install iptables-persistent`) and I restart, it's the same as before I restart: I can connect to my LAN & have no access to internet. But I can't establish any openvpn connection: `cannot resolve host address my.vpn.domain:Port` & `could not determine IPV4/IPv6 protocol`. I give up for now, I have no clue what further rabbit holes to go through to debug this overcomplicated stuff that should just be built in <_<. Oh, and `sudo iptables -P OUTPUT REJECT` throws `iptables: Bad policy name` - I tried DROP instead & also tried not adding that rule. – Spectraljump Dec 09 '18 at 14:22
  • @Spectraljump Are you sure that OpenVPN is running in the `openvpn` group? If it is, then it should not be getting blocked by the firewall. If it is not, then that would explain the issue. – forest Dec 10 '18 at 08:15
  • @Spectraljump: the GID is set to `openvpn` *after* the VPN tunnel is established, hence your openvpn client cannot resolve the hostname of your openvpn server. You will need to either specify the IP address (instead of the hostname) of your openvpn server, or make sure that DNS resolution is allowed by the firewall. – ema Jul 09 '19 at 21:42
  • Unfortunately, these instructions did not work for me either, and I tried a number of additional things (like adding DNS ip access etc..) which still did not help. – ste_kwr Dec 20 '20 at 18:49
  • Do you also need `iptables -P FORWARD DROP`? – robertspierre Feb 06 '21 at 13:36
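As an added example (not from the answer above or from OpenVPN itself), the following Python audit parses the text `iptables -S OUTPUT` prints and reports any ACCEPT rule that is not tied to the `openvpn` group, `lo`, or a `tun` interface, which is exactly the egress path the answer warns about in the port-based variant. Both sample chains are constructed; `iptables -S` may print the numeric GID rather than the name, so that value is passed in `vpn_group_ids` when auditing a real dump.

```python
import shlex

# Constructed: the answer's rules as `iptables -S OUTPUT` would print them.
GOOD_CHAIN = """\
-P OUTPUT DROP
-A OUTPUT -m owner --gid-owner openvpn -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
"""

# Constructed: the port-based pattern the answer warns against.  Any process
# may send on UDP 1194, and the default policy lets everything else out too.
LEAKY_CHAIN = """\
-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
"""


def _value(tok, flag):
    """Value following FLAG, or None when FLAG is absent or negated with '!'."""
    if flag not in tok:
        return None
    i = tok.index(flag)
    if i > 0 and tok[i - 1] == "!":
        return None
    return tok[i + 1]


def audit_output_chain(chain_text, vpn_group_ids=("openvpn",)):
    """Return the list of problems found; empty means no non-VPN egress path.

    `iptables -S` may print the numeric GID rather than the name, so pass
    both, e.g. ("openvpn", "1001"), when auditing a real dump."""
    problems = []
    for line in chain_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "OUTPUT"] and tok[2:] != ["DROP"]:
            problems.append(f"OUTPUT policy is {' '.join(tok[2:])}, expected DROP")
        if tok[:2] != ["-A", "OUTPUT"] or _value(tok, "-j") != "ACCEPT":
            continue  # only ACCEPT rules in OUTPUT can let traffic leave
        out_dev = _value(tok, "-o")
        tied_to_vpn = _value(tok, "--gid-owner") in vpn_group_ids or (
            out_dev is not None and (out_dev == "lo" or out_dev.startswith("tun"))
        )
        if not tied_to_vpn:
            problems.append(f"ACCEPT rule with an unrestricted egress path: {line}")
    return problems
```

Run it against `iptables -S OUTPUT` output after applying the rules; an empty result means every ACCEPT rule in OUTPUT is bound to the VPN group, loopback, or the tunnel device.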