How can I do Internet Kill Switch for VPN on Fedora

[User808]

Hi every one !

I get it !! I get it finally !!

Finally I get how we can do internet kill switch from firewalld !!

Follow this guide that I clarified & modified it & made it easy & more global than original one:

Warning !! Warning !! This guide only valid on DEFAULT zone that created by developer of firewalld & NOT APPLIED on user created zone. If you apply it on user created zone, you will loss ability to connect to internet totally from any zone & can not restore your internet connection unless by undo (remove) all rules of this guid from user created zone that you added them to it !!

Internet Kill Switch by Firewalld:

1. establish your VPN connection 1st (VERY IMPORTANT STEP)

2. Now, using terminal, configure your runtime rules as following, one by one:

sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT

sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP

sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP

(Command line in blue is optional. It allow incoming flow through VPN [NOT RECOMMENDED: LESS SECURE]. However, it is useful if you like to use torrent during your VPN session.)

(The items marked by RED COLOUR must be exactly the same that used in your VPN configuration files. I used totally different parameters & it works !!!)

4. To disable internet kill switch, YOU MUST REBOOT YOUR PC. Reloading firewalld will not disable Internet kill switch !!!

(If internet kill switch remain enabled, you can not neither brows internet using non-VPN connection nor establish new VPN connection.)

--------------------------------------------
Original source here:
https://airvpn.org/topic/15061-firewalld-killswitch/

Do not follow the original source. No need to add any IP address. Just apply my guide.

Do not use "--permanent" because I do not know how to undo the changes & if also you do not know, then you will never be able to disable internet kill switch &, thus, you will never be able to connect to internet again ! If some one know how to revert these changes (if we use '--permanent' ) then please kindly explain how.


Please notice that this guide give you not only VPN Internet Kill Switch, but also IPv6 leak protection !!

Please your examination & conformation about correctness of my guide.

Bset

[User808]

By the way, is there a way to execute all these 10 (or 11) sudo commands as a single sudo command ?

It is annoying to enter each of these commands one by one.

Please your help.

[antikythera]

maybe place them all into a script file and just execute that? just a thought

[User808]

maybe place them all into a script file and just execute that? just a thought

I know how to create scripts that ALREADY WRITTEN BY OTHER by copy / past it to text file. I just post a guide for this in the forum:

http://www.forums.fedoraforum.org/sh...37#post1774437

But I do not know HOW TO WRITE a scripts. This mean: can you write above commands as a scripts please ?

[DBelton]

Why go through all of this?

Just put firewalld into panic mode, it then locks down all traffic going through the interface.

Code:

firewall-cmd --panic-on

Or you can use the firewall applet.. Just right click on the firewall applet icon, and check the box to block all network traffic.

[User808]

Why go through all of this?

Just put firewalld into panic mode, it then locks down all traffic going through the interface.

Code:

firewall-cmd --panic-on

Or you can use the firewall applet.. Just right click on the firewall applet icon, and check the box to block all network traffic.

No !! This is totally wrong !! We mean by VPN Internet Kill Switch blocking all flows (in & out) out side VPN tunal BUT allow flow through VPN tunal. This mean allow internet flow ONLY THROUGH VPN.

Panic mode you suggest does not do this. It, instead, block all internet flow both through & out VPN. This = to shut down router or unplug cable. So, no internet at all.

[User808]

Hi all.

As the title show, it claim that there is scripts could be used to make VPN Internet kill switch + protect from DNS leak protection, & to be working with any VPN server you choice regardless it's IP.

Let me 1st say that I'm already reach for 100% VPN Internet kill Switch by using firewalld rules which also protect from IPv6 leak. Look comment 31 on the following link by me:

http://www.forums.fedoraforum.org/sh...=311476&page=3

Regarding DNS leak, you can change your DNS from "automatic" to custom secure DNS like level 3 for example. So, in fact my method is = to this suggested scripts if not superior.

However, it need our attention because Internet kill switch is very important & this suggested scripts (if realy work) it is good alternative.

This is the scripts:

up.sh:

#!/bin/bash

# Check that OpenVPN is actually running.
running=$(ps -e | grep openvpn)
if [ $? -eq 1 ]; then
echo "No active VPN session found."
exit 1
fi

# Determine the server IP address after DNS resolution.
vpn_server_ip_address=$(ip route show | tail -1 | cut -d ' ' -f 1)

# Configure and apply the iptables policy.
iptables -F
iptables -A INPUT -i lo -j ACCEPT # Loopback.
iptables -A OUTPUT -o lo -j ACCEPT # Loopback.
iptables -A INPUT -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT # Private local addresses.
iptables -A OUTPUT -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT # Private local addresses.
iptables -A INPUT -i tun+ -j ACCEPT # Incoming tunnel traffic.
iptables -A OUTPUT -o tun+ -j ACCEPT # Outgoing tunnel traffic.
iptables -A INPUT -p udp --sport 1194 -s $vpn_server_ip_address -j ACCEPT # Incoming VPN server traffic.
iptables -A OUTPUT -p udp --dport 1194 -d $vpn_server_ip_address -j ACCEPT # Outgoing VPN server traffic.
iptables -A INPUT -j DROP # Block all other incoming packets.
iptables -A OUTPUT -j DROP # Block all other outgoing packets.
echo "Now only allowing traffic through the VPN server at $vpn_server_ip_address."

# Exit successfully.
exit 0

down.sh:

#!/bin/bash

# Remove the iptables policy.
iptables -F
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT

# Exit successfully.
exit 0

Let we see what written by developer about it:

I'd seen some other scripts specific to VPN providers on this subreddit that required downloading lists of resolved VPN server URL IPs or hardcoding your server's IP (assuming you had a static IP for it), so I wanted to make a script that can quickly block all IP traffic to addresses outside the tunnel by determining the tunnel server's IP at runtime.

This script instead automatically determines the IP address of the remote VPN server through a call to ip route show. All you have to do is run up.sh after connecting to a VPN and down.sh when you disconnect or if your connection has been lost.

I did not examine it because I feel that I'm not fit to evaluate efficiently certain aspects of it. For that I decided to post it here in this forum to be evaluated by other expert members of this forum.

Let me to give my notes:

1) I think that you should change udp to tcp if you use tcp protocol. And you should change 1194 if you use other port. This depend on youe configuration files.

2) I do not know whether this scripts protect from IPv6 leak or not & this is the chief aspect that I see my self unable to decide about.

3) please read discusion in source site about efficacy of this scripts. Some users say that there are defects, while other said it work 100% ! Again I feel that expert members in this forum should decide about this.

-------------------------------
Source site:
https://www.reddit.com/r/VPN/comment...ce&sh=a0c0914c

To know how to use & run already written scripts please refer to the guide that I prepare on following link:
http://www.forums.fedoraforum.org/sh...d.php?t=312026

Warning: DO NOT COPY/PAST THIS SCRIPTS FROM THIS FORUM. INSTEAD, COPY/PAST IT FROM SOURCE SITE. I do not know how to post scripts & commands inside code box.

Please your kind attention about this very important topic.

[antikythera]

threads merged, please do not open duplicate threads on the same topic. this person's script can be discussed here as well even though you have marked the thread [SOLVED], people will still read it.

[srakitnican]

I haven't looked into rules, so I don't understand what it does, but... this script is not compatible as is with firewalld that Fedora uses. You can't use iptables directly if you are using firewalld. If you filter rules through firewall-cmd it might work then, or if you disable it.

[User808]

I haven't looked into rules, so I don't understand what it does, but... this script is not compatible as is with firewalld that Fedora uses. You can't use iptables directly if you are using firewalld. If you filter rules through firewall-cmd it might work then, or if you disable it.

It is O.K if script not work on Fedora because my guide (rule) - or in fact not my rules but an airvpn.org forum member rules that I just simplified them - working 1000000%

Now can you help us:

1) do you know a way by which we can execute these rules by single sudo command instead of enter them one by one which is annoying ?

2) do you know how to change these rules into a script ?

[DBelton]

You could set up a new zone in firewalld, put the rules into the new zone (make them permanent), then when you connect to VPN, switch zones to the new zone you created.

[User808]

You could set up a new zone in firewalld, put the rules into the new zone (make them permanent), then when you connect to VPN, switch zones to the new zone you created.

Can you explain more please.

1) which is easier: create new zone from terminal or from GUI ?

2) which service(s) should I added to new zone ? Is there a need to add any services to the new zone ? If yes, please enumerate these services.

3) how can I enter command line parameter from within GUI ? Can you refer me to site explain by examples this ?

4) what about openvpn service ? Currently I already addded it to default zone (public). Originally - by default - openvpn not added to any zone. This mean that it will be added automatically to the default zone.

So, what I should do:
- mentain openvpn service in public zone ? In this case when I change default zone to new one you suggested openvpn will remain in public zone then does I will have 2 active zones: public + new suggested zone????
- restore openvpn to be not associated with any zone. In this case openvpn service will added automatically to new suggested zone when I activate this new suggested zone.
- add openvpn service to new suggested zone. But here openvpn service will be sticky to new suggested zone when I switch default zone to public zone. Does this will interfere with normal internet connection ?

[beaker_]

You do realize openvpn can and will execute scripts on connect and disconnect?

[User808]

You do realize openvpn can and will execute scripts on connect and disconnect?

I did not understand your comment ? Please explain ? I'm just beginner ? Why you almost talk to me as expert ? Also, I'm not native English tongue, so I will not understand you if you talk with me in unclear way even if your words existing in dictionary. Please appreciate.

Can you kindly answer the following answer, please:

"What happen if I mentain openvpn service added in "public" & "KillSwitch" ?? In this case does when I shift default zone to "public" openvpn will be in "public" zone only & when I shift default zone to "KillSwitch" openvpn will be in KillSwitch only ? I mean does it will be only one active zone or adding openvpn to 2 zone will result in activation of both 2 zones ?"

[User808]

Help me ! Help me please !

I try to creat new zone with above rules.

1st I restore openvpn to original state (not associated with any zone) by GUI after change to PERMANENT then restart laptop

then I create KillSwitch zone (after restart laptop)

then I reload firewall

then add to KillSwitch zone following services: dhcpv6-client, mdns, & ssh (but not openvpn)

then reload firewall

then I added (to KillSwitch zone) all rules except line highlighted in GREEN

finaly reload firewall

Then power off laptop then waited 3 minuts then power it on.

But I shocked when I found myself unable to connect to internet at all whether on public zone or on KillSwitch zone. On KillSwitch not possible to connected it is O.K no problem because it should activated AFTER establishing VPN connection. But why I can not connected to normal internet at public ?????!!!!!! I can not use internet at all & I can not connect to VPN at all !!!!!!!!!!!!!!!

This is why I asked repeatidly before any step because the risk of such diseasters !!

There is some thing I think cause this: when I added rules to new zones, there was no VPN connection!! I forget to connect to VPN 1st. I think this is the cause. I'm in state as if rules that I added, in fact added to PUBLIC (DEFAULT ZONE).

Please your kind help ! How can I restore my firewalld to original state ?? Is there command line option for that can undo all changes ??

Otherwise, I will be inforced to format my laptop with clean installation !! Very painfull !!