If you simply add a VPN using common instructions, it generally fails open. That means that if the VPN breaks down, for example because the connection is interrupted, traffic will be sent without the VPN.
It's much safer when it fails closed, i.e. when the VPN connection breaks down, the whole internet connection must be down as long as the VPN connection isn't restored.
- Forbid outgoing traffic after the VPN software broke down for some reason.
- Tight firewall rules, using iptables policy drop.
- Only tested with OpenVPN. Should work with other VPN clients such as PPTP in theory, but you should test whether it does what it claims anyway.
- Only tested on Debian Wheezy and Whonix. Should work on any other Linux distribution in theory, but you should test whether it does what it claims.
- Open Source / Free Software
- Care about DNS leaks. Consult your VPN software's/provider's documentation and configure /etc/resolv.conf to use the DNS server of your VPN server.
- Defend against IP leaks, i.e. if a locally installed application uses trickery to obtain the user's real IP and sends it somewhere through the VPN.
- Defend against adversaries who are in a position to run code locally, i.e. manipulate the firewall rules.
- Prevent any other kind of trickery to circumvent using the VPN.
- Prevent leaks caused by bugs in the VPN software.
- Run the VPN software as unprivileged user. For OpenVPN see [OpenVPN wiki UnprivilegedUser](https://community.openvpn.net/openvpn/wiki/UnprivilegedUser).
- Manage IPv6 traffic. IPv6 traffic is blocked.
- Install (Open)VPN.
- Configure (Open)VPN.
- Autostart (Open)VPN.
- Anything else not mentioned above in "What does it do".
- First learn how to get your VPN software connected without using VPN-Firewall.
Use the IP to connect to your VPN server, not the hostname!
- Remove old versions of VPN-Firewall.
sudo update-rc.d vpnfirewall remove
sudo rm /usr/local/bin/vpnfirewall
sudo rm /usr/bin/vpnfirewall
sudo rm /etc/init.d/vpnfirewall
- Get the firewall script and install it.
cd ~
git clone https://github.com/adrelanos/VPN-Firewall.git
cd VPN-Firewall
sudo cp ./usr/bin/vpnfirewall /usr/bin/
- Edit the /usr/bin/vpnfirewall settings with your favorite editor.
Note that you must use the IP of your VPN server, not the hostname.
- Load /usr/bin/vpnfirewall before the network and before OpenVPN goes up.
- If you are NOT permanently using (Open)VPN, i.e. if you only occasionally, manually connect to the VPN.
Just run the following command before starting OpenVPN.
sudo /usr/bin/vpnfirewall
Should reply:
OK: Loading VPN firewall...
OK: The firewall should not show any messages,
OK: besides output beginning with prefix OK:...
OK: VPN firewall loaded.
- If you are permanently using (Open)VPN, i.e. always want to use the VPN.
Install the init script.
sudo cp ./etc/init.d/vpnfirewall /etc/init.d/
sudo update-rc.d vpnfirewall defaults
Test the init script.
sudo service vpnfirewall restart
sudo service vpnfirewall status
echo $?
Should reply:
0
Reboot.
Check VPN Firewall status again.
sudo service vpnfirewall status
Should reply:
0
- How to unload VPN Firewall?
If you want to disable VPN Firewall, see: https://gist.github.com/adrelanos/10565852
- Install.
- Test if it works. Check whatismyipaddress.com to see whether your external IP is from the VPN.
- Kill the VPN client.
Example OpenVPN:
sudo killall openvpn
- Check if you can still connect to whatismyipaddress.com.
If yes, bad, something is wrong.
If no, good, you won't connect to any remote servers besides the VPN IP once the VPN client broke down.
Developers only.
Enable debugging. Uncomment "set -x" in all scripts.
Check iptables logs.
tail -f /var/log/syslog
- One could play with the Linux equivalent of the route command.
- Hardening your VPN Setup with iptables
- VPNCheck - No source code. Nice looking user interface.
- VPNetMon - No source code. Windows only. Checks every, let's say 500 ms, if the VPN IP is still valid; if not, it kills a list of applications. This is not very secure: it is a gamble whether that time period is sufficient to stop a leak and whether killing the applications is fast enough. Nice looking user interface.
- OPENVPN Watchdog - No source code. Windows only. Nice looking user interface.
- VPN Lifeguard supports PPTP and IPSec, not OpenVPN. Windows only. Nice looking user interface.
- ForceBindIP - Bind any Windows application to a specific interface. No source code. Windows only.
- Some individual VPN services distribute closed source applications with vendor lock in. Nice looking user interfaces.
- One could tighten the firewall rules even more, by creating a dedicated user account for (Open)VPN, allow only the (Open)VPN process to connect to the VPN server. (VPN-Firewall lets all processes connect to the VPN IP, not only (Open)VPN. However, the setup would become more difficult, it may require modifying the OpenVPN init script.)
- It would be much safer to build something similar to Whonix. Very briefly: Whonix uses Tor and consists of a Gateway and a Workstation. Since the Workstation doesn't know its own external IP, the Workstation can never leak it and never connect in the clear. One could similarly create a VPNBOX.
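The fail-closed policy described at the top of this page, together with the per-user tightening suggested in the list above, sketched as an added example (this is not the VPN-Firewall script itself). The function names, the `tun0` default, the optional VPN account argument and the sample address 198.51.100.7 are assumptions of the example; the owner match only helps if the VPN client's socket is really created under that account.

```shell
#!/bin/sh
# Added example: print a fail-closed rule set in iptables-restore format.
# Nothing is applied; review the output before loading it as root.

# Accept only a dotted-quad IPv4 address. A hostname would need DNS, which the
# DROP policy blocks while the tunnel is down.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# vpn_ruleset SERVER_IP [TUN_IF] [VPN_USER]
# TUN_IF and VPN_USER are names assumed by this example.
vpn_ruleset() {
    server=$1; tun=${2:-tun0}; vpn_user=${3:-}
    if ! is_ipv4 "$server"; then
        echo "error: '$server' is not an IPv4 address" >&2
        return 1
    fi
    owner=""
    # Optional tightening: only the VPN account may reach the server.
    if [ -n "$vpn_user" ]; then owner="-m owner --uid-owner $vpn_user "; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $server ${owner}-j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
COMMIT
EOF
}

# IPv6 gets no exceptions at all: every chain drops (load with ip6tables-restore).
ipv6_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' 'COMMIT'
}
```

Because every chain defaults to DROP and the only non-loopback exits are the server address and the tunnel interface, a dead tunnel leaves no route out rather than a fallback to the clear connection.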
Welcome.
- Patrick Schleizer
- e-mail: adrelanos@riseup.net
- gpg: 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
- twitter: https://twitter.com/Whonix
- Donate
GPLv3+