How to prevent IP leak on Linux when OpenVPN fails to connect to the server while I am surfing on the net?
I read about kill switches, but after some internet searches I found out that this is not implemented in OpenVPN.
You should use a simple firewall which does nothing more than block all non-OpenVPN client output to the outside. Don't simply whitelist port 1194 or you will allow trivial deanonymization. Instead, allow egress from only your privileged OpenVPN process.
If you do not have an openvpn group, create it. The -r makes it a system group.
groupadd -r openvpn
Once it exists, add this line to your OpenVPN configuration file to run with this group.
group openvpn
Now you can set the firewall to block output for all processes other than the OpenVPN client. You do not need to specifically whitelist any ports, just the correct group and the TUN device.
# Flush the filter table. This may cut the system's internet until the rules below are in place.
iptables -F
# The default policy, if no other rules match, is to refuse traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Let the VPN client (any process running with the openvpn group) communicate with the outside world.
iptables -A OUTPUT -j ACCEPT -m owner --gid-owner openvpn
# The loopback device is harmless, and TUN is required for traffic through the VPN.
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -o tun+
# Loopback must also be accepted on INPUT, otherwise new connections to local services (127.0.0.1) are dropped.
iptables -A INPUT -j ACCEPT -i lo
# We should permit replies to traffic we've sent out, and related packets such as ICMP errors.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
If everything worked, you should now have access to the internet only through your VPN. In order to make these changes persistent, follow your distribution's instructions on saving firewall settings. Note that this is a trivial example firewall. It may be too restrictive as it will, for example, prevent you from using DHCP on your local network. Adjust the firewall as needed.
Please understand that VPNs are not designed for privacy or anonymity. Even when using a proper firewall, there are countless ways to circumvent its supposed protections, even if the VPN claims not to keep logs. If you need actual anonymity, you should instead use something like Tor.
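The answer above warns that whitelisting port 1194 defeats the kill switch, because any process can send to that port, whereas an owner match limits egress to the OpenVPN group. The following auditor, an added example that is not part of the original answer, parses an iptables-save dump of the filter table and reports every way non-VPN traffic could leave: a chain whose policy is not DROP, or an OUTPUT ACCEPT rule that is not restricted to lo, a tun interface, or the VPN group. Both rulesets below are constructed samples; the weak one carries the "--dport 1194" rule, the other is the answer's ruleset as iptables-save would print it. The group name openvpn is kept as a name here for readability; iptables-save normally prints the numeric gid, so on a real dump pass the number from "getent group openvpn" as vpn_gid.

```python
"""Audit an iptables-save dump for OpenVPN kill-switch properties (added example)."""
import shlex

# Constructed sample: the "just open port 1194" variant the answer warns against.
WEAK_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p udp --dport 1194 -j ACCEPT
COMMIT
"""

# Constructed sample: the owner-match ruleset from the answer, in iptables-save form.
# (Assumption: gid shown by name; iptables-save normally prints the number.)
OWNER_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --gid-owner openvpn -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
"""


def parse_filter(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies maps chain name -> policy; rules is a list of token lists, one per -A line.
    Other tables (nat, mangle) are ignored: only filter decides what leaves the host.
    """
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules


def _opt(tokens, flag):
    """Value following a flag in a rule, or None if absent or negated ("! -o lo")."""
    if flag not in tokens:
        return None
    i = tokens.index(flag)
    if i > 0 and tokens[i - 1] == "!":
        return None  # a negated match does not restrict the rule to that value
    return tokens[i + 1]


def audit_kill_switch(dump, vpn_gid="openvpn"):
    """Return findings (strings) describing ways non-VPN traffic could leave. Empty means OK."""
    policies, rules = parse_filter(dump)
    findings = []
    # Every chain must fall through to DROP; an ACCEPT policy leaks by default.
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, not DROP")
    # Only ACCEPT rules in OUTPUT matter for egress; order is irrelevant under a DROP policy.
    for rule in rules:
        if _opt(rule, "-A") != "OUTPUT" or _opt(rule, "-j") != "ACCEPT":
            continue
        out_if = _opt(rule, "-o") or ""
        if out_if == "lo" or out_if.startswith("tun"):
            continue  # loopback, or traffic already inside the tunnel
        if _opt(rule, "--gid-owner") == str(vpn_gid):
            continue  # the OpenVPN process itself talking to the server
        findings.append("OUTPUT ACCEPT not limited to lo/tun+/VPN gid: " + " ".join(rule))
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULESET), ("owner", OWNER_RULESET)):
        print(name, audit_kill_switch(dump) or "OK")
```

Run it against "iptables-save" output on the real host after applying the rules; a non-empty result means there is a path that does not require the VPN, which is exactly the leak the question asks about.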