"IP-leak" before first vpn connection

[jonascj]

Am I right neither the main script (called by openvpn up/down) nor the extras (used manually) prevents outgoing connections (other than to the vpn server( before the first/initial openvpn connection?

I.e. if openvpn was suppose to autoconnect on boot/login, but never does so (vpn server down, systemd unit failing, etc.) then one would unknowingly be using a non-vpn connection, making ones real ip-address visible on outgoing traffic.

I suppose it is a few simple iptables calls needed to only allow connection to the vpn server on your normal interface (eth0, wlp0s1, etc.). Maybe this could be included in extras/basic_firewall.sh?

[wknapik]

Yes, neither vpnfailsafe, not any of the extras will prevent IP leaks before the initial VPN connection is established.

I'm working on some other extras at the moment, but will look into this.

[jonascj]

At least I got the overall workings of the scripts right :-P Also, I'm glad you find it a useful thing to give an example of.
I personally see two options for implementing it:

1. The user manually enters the servers to be exempt from the firewall drop-all-rule.
2. Parse all /etc/openvpn/*.conf files, do a dns lookup of their remote some.server.com entries, exempt the resulting IP addresses from the drop-all rule.

[wknapik]

Yeah, it's not my use case, but it's certainly someone's.

We have to get the whitelist of VPN servers somehow, so like you said, it would either have to be a list of hosts, or we'd have to parse the chosen VPN configs (or both, which I think would be the most flexible option).

In some cases it might even be easier than that and no scripts would be necessary at all. I see NetworkManager has a feature where you can say "automatically connect to the VPN when using this connection" - I don't know how safe it is, but it might be what you're looking for. I'll have to do more research.

Like I said though, there's something else in the works, so this will have to wait a bit.

[jonascj]

Sure, you work om what you want to, I just wanted to ask the question and 'raise the issue' while I remembered.

NetworkManager might have an autoconnect feature, Connman does which is what I am using for the project that lead me to your package / script.

And that is precisely my usecase for this request / idea, to protect against silent failure of any VPN auto connect feature.

[willbelr]

This is easily solved with ufw:

ufw default deny incoming
ufw default deny outgoing
ufw allow SSH
ufw allow from 192.168.0.0/24
ufw allow in on tun0
ufw allow out on tun0
ufw allow in on eth0 from any port 1198
ufw allow out on eth0 to any port 1198
ufw enable
systemctl enable ufw