10

How to prevent IP leak on Linux when OpenVPN fails to connect to the server while I am surfing on the net?

I read about kill switch, but after some internet searches I found out that is not implemented in OpenVPN.

g0rbe
  • 133
  • 1
  • 1
  • 8

1 Answers1

30

You should use a simple firewall which does nothing more than block all non-OpenVPN client output to the outside. Don't simply whitelist port 1194 or you will allow trivial deanonymization. Instead, allow egress from only your privileged OpenVPN process.

If you do not have an openvpn group, create it. The -r makes it a system group.

groupadd -r openvpn

Once it exists, add this line to your OpenVPN configuration file to run with this group.

group openvpn

Now you can set the firewall to block output for all processes other than the OpenVPN client. You do not need to specifically whitelist any ports, just the correct group and the TUN device.

# Flush the tables. This may cut the system's internet.
iptables -F

# The default policy, if no other rules match, is to refuse traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Let the VPN client communicate with the outside world.
iptables -A OUTPUT -j ACCEPT -m owner --gid-owner openvpn

# The loopback device is harmless, and TUN is required for the VPN.
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -o tun+
    
# We should permit replies to traffic we've sent out.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED

If everything worked, you should now have access to the internet only through your VPN. In order to make these changes persistent, follow your distribution's instructions on saving firewall settings. Note that this is a trivial example firewall. It may be too restrictive as it will, for example, prevent you from using DHCP on your local network. Adjust the firewall as needed.

Please understand that VPNs are not designed for privacy or anonymity. Even when using a proper firewall, there are countless ways to circumvent its supposed protections, even if the VPN claims not to keep logs. If you need actual anonymity, you should instead use something like Tor.

forest
  • 65,613
  • 20
  • 208
  • 262
  • 2
    your answer to this closed question is the only OpenVPN killswitch guide on the internet that doesn't involve hardcoding IPs or Ports (no other results for "openvpn" "killswitch" "groupadd"). But in my linux newbness I can't reproduce it. If I paste your stuff I'm left unable to resolve access to any internet or vpn. Neither from the GUI nor by running e.g. `sudo openvpn 'Austria.ovpn'` - which is a config file to which I prepended `group openvpn`. Must I reboot? Because if I reboot the iptables reset, but I don't want to try to make them permanent if they might brick my internet :) – Spectraljump Dec 09 '18 at 13:20
  • @Spectraljump If this is not a remote server, then you don't have to worry about bricking your internet. If you do something wrong and you block connections, just revert the changes. It's only a real problem if it's a remote server and you end up blocking SSH. – forest Dec 09 '18 at 13:25
  • After I `iptables-save` (using `sudo apt-get install iptables-persistent`) and I restart, it's the same as before I restart: I can connect to my LAN & have no access to internet. But I can't establish any openvpn connection: `cannot resolve host address my.vpn.domain:Port` & `could not determine IPV4/IPv6 protocol`. I give up for now, I have no clue what further rabbit holes to go through to debug this overcomplicated stuff that should just be built in <_<. Oh, and `sudo iptables -P OUTPUT REJECT ` throws `iptables: Bad policy name` - I tried DROP instead & also tried not adding that rule. – Spectraljump Dec 09 '18 at 14:22
  • @Spectraljump Are you sure that OpenVPN is running in the `openvpn` group? If it is, then it should not be getting blocked by the firewall. If it is not, then that would explain the issue. – forest Dec 10 '18 at 08:15
  • 2
    @Spectraljump: the GID is set to `openvpn` *after* the VPN tunnel is established, hence your openvpn client cannot resolve the hostname of your openvpn server. You will need to either specify the IP address (instead of the hostname) of your openvpn server, or make sure that DNS resolution is allowed by the firewall. – ema Jul 09 '19 at 21:42
  • Unfortunately, these instructions did not work for me either, and I tried a number of additional things (like adding DNS ip access etc..) which still did not help. – ste_kwr Dec 20 '20 at 18:49
  • Do you also need `iptables -P FORWARD DROP`? – robertspierre Feb 06 '21 at 13:36