
Co-ordinated openVPN connection & Internet kill switch by single click



User808
30th April 2017, 07:30 PM
Hi.

This guide complements 2 previous guides, which are:

1) Universal Guide for VPN Connection, via OpenVPN, using Terminal:
http://www.forums.fedoraforum.org/showthread.php?t=312688

2) Guide for VPN Internet Kill Switch + IPv6 Leak Protection via Firewalld:
http://www.forums.fedoraforum.org/showthread.php?t=312722

Please review the above 2 guides before continuing with this guide.

Before going further, I would like to thank "HaydnH", a member of this forum, who brought my attention to the "--up" option of openvpn, which is the cornerstone of this guide.

In this guide we will treat an annoying issue: from the above 2 guides we can establish a connection to the VPN via openVPN from a terminal, THEN we have to open a SECOND terminal to establish the Internet kill switch, & for each of these 2 steps we need to enter the sudo password. This is not brilliant. Even if we use tmux (terminal multiplexer) we will still need to enter the sudo password 2 times, & we will not save time because we will need to use the Ctrl+B combination 2 times, once to divide the terminal screen into 2 halves & a 2nd time to move ourselves from one half to the other, plus the time to run each of the 2 steps (openVPN then kill switch).

In this guide we will learn how to make the process easy by achieving the connection to the VPN & establishing the kill switch from the terminal in a single blow.

The cornerstone is the "--up" option of openvpn. This option allows the user to run a script just after the tun/tap device is established. This is exactly what we need, because if our kill switch is established before the tun/tap device, then we will never be able to connect to the Internet, neither through the VPN nor normally.

1) we need to add the "--up" option to the VPN configuration files:

We need to enter the openvpn directory by:


cd /etc/openvpn

We have to add these 2 lines (one below the other) at the end of the configuration files:


script-security 2
up /home/username/.local/bin/iks.sh

N.B: "/home/username/.local/bin" is the supposed path where the kill switch script is located. If you use another location to store the kill switch script, then you have to use its path instead of this path.

N.B: iks.sh is the name of the kill switch script. You can select another name as you like.

We can use the sed command to append these 2 lines at the end of all VPN configuration files using one of the following 3 approaches:

a- apply the 2 commands below one after the other:


sudo sed -i -e "\$ascript-security 2" *.ovpn


sudo sed -i -e "\$aup /home/username/.local/bin/iks.sh" *.ovpn

b- or apply the 2 commands below one after the other:


sudo sed -i -e '$ a script-security 2' *.ovpn


sudo sed -i -e '$ a up /home/username/.local/bin/iks.sh' *.ovpn

c- or we can append the 2 lines below the last line of the original files in one blow (recommended) by:


sudo sed -i -e '$a\
script-security 2\
up /home/username/.local/bin/iks.sh' *.ovpn

N.B:
- the above command MUST be written in 3 lines, otherwise it will not do the job.
- you should type the exact path of the script that you associated with the --up option.

2) we need to modify the Internet kill switch script that we explained in "Guide for VPN Internet Kill Switch + IPv6 Leak Protection via Firewalld"
http://www.forums.fedoraforum.org/showthread.php?t=312722

to change it from a multi-rules script into a multi-choice script via the "read" command. It will be as follows:


#! /bin/bash
# Interactive firewalld kill switch, meant to be started by openvpn's --up hook.
# openvpn runs the hook as root, so the sudo calls below do not prompt again.
# Rules are runtime-only (no --permanent): a firewalld reload or reboot clears them.
# Note: the "OUTPUT 1 --dport 443 ACCEPT" rule lets ANY outbound TCP/443 leave
# outside the tunnel, not only traffic to the VPN server; it exists so openvpn
# itself can keep reaching a server that listens on TCP 443.
echo
echo "=========================================================================="
echo "Script for VPN Internet Kill Switch + IPv6 Leak Protection using Firewalld"
echo "=========================================================================="
echo
echo "Enter one of following choices (on / off, or ON / OFF):"
echo -e "\e[44mon\e[0m: to establish unidirectional kill switch"
echo -e "\e[44moff\e[0m: to remove already established unidirectional kill switch"
echo -e "\e[44mON\e[0m: to establish bidirectional kill switch"
echo -e "\e[44mOFF\e[0m: to remove already established bidirectional kill switch"
read -r var
echo
case $var in
on ) echo "Toggle ON Unidirectional VPN Internet Kill Switch + IPv6 Leak Protection"
echo
echo "Warning: connection to VPN should be established before running this script. Otherwise any Internet connection will be impossible!"
echo "This script only allows VPN output! It does not provide DNS leak protection!"
echo
echo "Establishing firewalld rules is starting!"
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP
sudo -k
echo "Establishing firewalld rules is completed!"
echo
echo -e "\e[32mVPN Internet Kill Switch is enabled! Only VPN output is allowed now!"
echo -e "\e[32mEnjoy surfing Internet safely!\e[0m"
;;
off ) echo "Toggle OFF Unidirectional VPN Internet Kill Switch + IPv6 Leak Protection"
echo
echo "Removing firewalld rules is starting!"
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP
sudo -k
echo "Removing firewalld rules is completed!"
echo
echo "VPN Internet Kill Switch is disabled!"
;;
ON ) echo "Toggle ON Bidirectional VPN Internet Kill Switch + IPv6 Leak Protection"
echo
echo "Warning: connection to VPN should be established before running this script. Otherwise any Internet connection will be impossible!"
echo "This script only allows VPN output! It does not provide DNS leak protection!"
echo
echo "Establishing firewalld rules is starting!"
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP
sudo -k
echo "Establishing firewalld rules is completed!"
echo
echo -e "\e[32mVPN Internet Kill Switch is enabled! Both VPN output & input are allowed now!"
echo -e "\e[32mEnjoy surfing Internet safely!\e[0m"
;;
OFF ) echo "Toggle OFF Bidirectional VPN Internet Kill Switch + IPv6 Leak Protection"
echo
echo "Removing firewalld rules is starting!"
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP
sudo -k
echo "Removing firewalld rules is completed!"
echo
echo "VPN Internet Kill Switch is disabled!"
;;
* ) echo -e "\e[31mInvalid input! Please re-run this script with valid choice! If you use --up option of openvpn, you should kill process by Ctrl+C then re-run openvpn\e[0m"
;;
esac
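
An added example, not part of the original post: the sed one-liners above append the two lines unconditionally, so running them a second time leaves duplicate "up" lines, and nothing checks who may write the hook script. openvpn executes the --up script as root, so a script kept in the user's own ~/.local/bin (writable by that user) lets anything running as that user become root; a root-owned directory such as /usr/local/sbin is an assumed, safer location. The bash below is my code, not the guide's: it appends the hook once per file, makes sure the file ends with a newline first (">>" does not add one, sed's "$a" does), and refuses hook scripts that root should not run. The /opt/iks.sh path in the comments is only an assumption for illustration.

```shell
#!/bin/bash
# Added example for this guide (not the original post's commands): append the
# --up hook to every .ovpn file in a directory exactly once, after checking
# that the hook script is safe for root to execute. Paths are passed in as
# arguments; /opt/iks.sh below is an assumed location.

# iks_check_script SCRIPT: 0 if root may safely execute it, 1 otherwise.
# openvpn runs the --up script as root, so a hook that the unprivileged user
# (or anyone) can modify turns any compromise of that user into root.
iks_check_script() {
    local script="$1"
    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
    [ -x "$script" ] || { echo "not executable: $script" >&2; return 1; }
    if [ "$(stat -c '%U' "$script")" != root ]; then      # GNU stat, as on Fedora
        echo "not owned by root: $script" >&2; return 1
    fi
    if [ -n "$(find "$script" -perm /022)" ]; then         # group- or world-writable
        echo "writable by group/others: $script" >&2; return 1
    fi
    return 0
}

# iks_append_up DIR SCRIPT: add "script-security 2" and "up SCRIPT" to each
# DIR/*.ovpn that has no up hook yet; prints the number of files changed.
# Running it again changes nothing, unlike a plain sed '$a ...' run twice.
iks_append_up() {
    local dir="$1" script="$2" f changed=0
    for f in "$dir"/*.ovpn; do
        [ -e "$f" ] || continue
        grep -qE '^up[[:space:]]' "$f" && continue         # already hooked; leave it
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$f"         # ensure trailing newline
        grep -qE '^script-security[[:space:]]' "$f" || echo "script-security 2" >> "$f"
        echo "up $script" >> "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Usage (as root, paths assumed):
#   iks_check_script /opt/iks.sh && iks_append_up /etc/openvpn /opt/iks.sh
```

The check deliberately fails for a script under /home/username, which is exactly the case the guide uses; move the script to a root-owned location, chown it to root and chmod it 0755 before pointing "up" at it.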

User808
30th April 2017, 07:30 PM
Now all that is needed to establish the VPN connection & Internet kill switch in one blow is to open a terminal and just type:

vpn.sh variable

where "vpn.sh" is the supposed name of the script used to connect to the VPN, while "variable" is a VPN configuration file name or a rule referring to such a file (please refer to this guide (http://www.forums.fedoraforum.org/showthread.php?t=312688) for more details). By doing this, in the middle of the process - just after establishing the tun/tap device - the Internet kill switch script will run & will ask the user to enter one of 4 choices (& will show these choices & a description of their actions). The user then needs to select the suitable choice, & the process will be completed. If the kill switch is established, a message about this will appear in green. If the user enters an invalid choice, a red message will appear in the terminal warning the user about this & asking her/him to re-run the script. In the last case the VPN connection is established but without the kill switch, & the user needs to kill the process with Ctrl+C, then re-run the vpn.sh script & enter a valid choice for the iks.sh script when it appears in the middle of the process.

When you would like to end your VPN session, all you need to do (after closing your browser) is to kill the process with Ctrl+C, then run iks.sh from the same terminal, selecting either "off" or "OFF" according to what your initial choice was; "on" or "ON" respectively.

Enjoy & say bye bye to the Linux VPN company application!
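
An added example, not the original poster's script: the same firewalld kill switch written as a non-interactive --up/--down hook. openvpn already exports to the hook everything the interactive script asks for: script_type is "up" or "down", dev is the tunnel device, trusted_ip and trusted_port are the server endpoint it actually connected to, and proto_1 is the --proto value. So no "read" prompt is needed, and a "down" line in the .ovpn file removes the rules when openvpn exits cleanly (the Ctrl+C from the post), replacing the manual "off" run of iks.sh. It also pins the escape rule to that server address instead of allowing every outbound TCP/443, and drops the FORWARD rules, which only affect routed traffic. The install path /usr/local/sbin/iks-updown.sh is an assumption; set FWCMD="echo firewall-cmd" to see the commands without applying them.

```shell
#!/bin/bash
# iks-updown.sh: non-interactive firewalld kill switch driven by openvpn's
# --up and --down hooks. Added example for this guide, not the post's script.
# Assumed .ovpn lines (the path is an assumption):
#     script-security 2
#     up   /usr/local/sbin/iks-updown.sh
#     down /usr/local/sbin/iks-updown.sh
# openvpn exports script_type (up/down), dev, trusted_ip, trusted_port and
# proto_1 to the hook and runs it as root (assumes no --user/--group).

FWCMD="${FWCMD:-firewall-cmd}"   # FWCMD="echo firewall-cmd" gives a dry run

# iks_proto PROTO: map openvpn's --proto value (udp, udp4, tcp-client, ...)
# to the iptables protocol name.
iks_proto() {
    case "$1" in
        tcp*) echo tcp ;;
        udp*) echo udp ;;
        *)    echo "unsupported proto: $1" >&2; return 1 ;;
    esac
}

# iks_rules DEV IP PORT PROTO: print one firewalld direct rule per line.
# The escape rule is pinned to the server openvpn connected to (-d IP
# --dport PORT); a bare "--dport 443 ACCEPT" would let any HTTPS traffic
# leave outside the tunnel. Inbound replies are accepted by firewalld's own
# RELATED,ESTABLISHED rule, which runs before INPUT_direct.
iks_rules() {
    local dev="$1" ip="$2" port="$3" proto="$4"
    printf '%s\n' \
        "ipv6 filter INPUT 0 -j DROP" \
        "ipv6 filter OUTPUT 0 -j DROP" \
        "ipv4 filter INPUT 0 -i lo -j ACCEPT" \
        "ipv4 filter INPUT 999 -j DROP" \
        "ipv4 filter OUTPUT 0 -o lo -j ACCEPT" \
        "ipv4 filter OUTPUT 0 -o $dev -j ACCEPT" \
        "ipv4 filter OUTPUT 1 -p $proto -d $ip --dport $port -j ACCEPT" \
        "ipv4 filter OUTPUT 999 -j DROP"
}

# iks_apply add|remove DEV IP PORT PROTO: push every rule through firewall-cmd.
# Runtime-only (no --permanent): a firewalld reload or reboot clears them.
iks_apply() {
    local action="$1" rule
    shift
    iks_rules "$@" | while IFS= read -r rule; do
        # word-splitting $rule into separate arguments is intended
        $FWCMD --direct "--${action}-rule" $rule
    done
}

# Entry point when invoked by openvpn; does nothing when sourced by hand.
if [ -n "${script_type:-}" ]; then
    proto=$(iks_proto "${proto_1:-udp}") || exit 1
    case "$script_type" in
        up)   iks_apply add    "$dev" "$trusted_ip" "$trusted_port" "$proto" ;;
        down) iks_apply remove "$dev" "$trusted_ip" "$trusted_port" "$proto" ;;
    esac
fi
```

If openvpn dies without running the down hook (crash, SIGKILL), the rules stay in place, which is the fail-closed behaviour a kill switch should have; `sudo firewall-cmd --reload` restores the permanent configuration and clears them. This assumes openvpn keeps root for its whole lifetime, as in the guide; with --user/--group the down hook runs unprivileged and cannot change firewalld.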