[SOLVED] How can I do Internet Kill Switch for VPN on Fedora - Page 3
FedoraForum.org - Fedora Support Forums and Community
  1. #31

    Re: How can I do Internet Kill Switch for VPN on Fedora

    Hi everyone!

    I get it!! I finally get it!!

    Finally I understand how we can do an internet kill switch with firewalld!!

    Follow this guide, which I clarified and modified, made easy and more general than the original one:

    Warning!! Warning!! This guide is only valid on the DEFAULT zone created by the developers of firewalld and is NOT APPLICABLE to a user-created zone. If you apply it on a user-created zone, you will totally lose the ability to connect to the internet from any zone and cannot restore your internet connection except by undoing (removing) all the rules of this guide that you added to the user-created zone!!

    Internet Kill Switch by Firewalld:

    1. Establish your VPN connection first (VERY IMPORTANT STEP)

    2. Now, using the terminal, configure your runtime rules as follows, one by one:

    sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT

    sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 443 -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP

    sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP

    (The command line in blue is optional. It allows incoming flow through the VPN [NOT RECOMMENDED: LESS SECURE]. However, it is useful if you like to use torrents during your VPN session.)

    (The items marked in RED COLOUR must be exactly the same as those used in your VPN configuration files. I used totally different parameters and it works!!!)

    4. To disable the internet kill switch, YOU MUST REBOOT YOUR PC. Reloading firewalld will not disable the internet kill switch!!!

    (If the internet kill switch remains enabled, you can neither browse the internet using a non-VPN connection nor establish a new VPN connection.)

    --------------------------------------------
    Original source here:
    https://airvpn.org/topic/15061-firewalld-killswitch/

    Do not follow the original source. There is no need to add any IP address. Just apply my guide.

    Do not use "--permanent" because I do not know how to undo the changes, and if you also do not know, then you will never be able to disable the internet kill switch and, thus, you will never be able to connect to the internet again! If someone knows how to revert these changes (if we use '--permanent'), then please kindly explain how.


    Please note that this guide gives you not only a VPN internet kill switch, but also IPv6 leak protection!!

    Please examine and confirm the correctness of my guide.

    Best
    Last edited by User808; 4th November 2016 at 10:33 PM.

  2. #32

    By the way, is there a way to execute all these 10 (or 11) sudo commands as a single sudo command?

    It is annoying to enter each of these commands one by one.

    Please help.

  3. #33

    Maybe place them all into a script file and just execute that? Just a thought.

  4. #34

    Quote Originally Posted by antikythera
    maybe place them all into a script file and just execute that? just a thought
    I know how to create scripts that were ALREADY WRITTEN BY OTHERS by copying/pasting them into a text file. I just posted a guide for this in the forum:

    http://www.forums.fedoraforum.org/sh...37#post1774437

    But I do not know HOW TO WRITE scripts. This means: can you write the above commands as a script, please?
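    A script that applies the eleven runtime direct rules from post #31 as one command and removes them again with `--direct --remove-rule` (the undo that post asks about; `--permanent --direct --remove-rule` is the matching undo for permanent rules). This is added example code, not from this thread or from airvpn.org; the file name, the `FIREWALL_CMD`, `VPN_PROTO` and `VPN_PORT` variables and the `ip link` check are my assumptions, and the protocol and port must match your .ovpn file.

```shell
#!/bin/sh
# vpn-killswitch.sh (assumed name): apply or remove the runtime firewalld
# direct rules from post #31 in one go instead of typing them one by one.
# FIREWALL_CMD, VPN_PROTO and VPN_PORT are assumed knobs; the last two must
# match the proto/port in your .ovpn. FIREWALL_CMD=echo gives a dry run.
set -eu
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-443}"

# One rule per line: exactly the arguments that follow --add-rule or
# --remove-rule in "firewall-cmd --direct", in the order of post #31.
killswitch_rules() {
    cat <<EOF
ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
ipv6 filter INPUT 0 -j DROP
ipv4 filter INPUT 0 -i lo -j ACCEPT
ipv4 filter INPUT 1 -i tun+ -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
ipv4 filter INPUT 999 -j DROP
ipv6 filter OUTPUT 0 -j DROP
ipv4 filter OUTPUT 0 -o lo -j ACCEPT
ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
ipv4 filter OUTPUT 1 -p $VPN_PROTO -m $VPN_PROTO --dport $VPN_PORT -j ACCEPT
ipv4 filter OUTPUT 999 -j DROP
EOF
}

# apply_rules add|remove: the same list undoes itself with --remove-rule,
# so the kill switch can be switched off without a reboot.
apply_rules() {
    killswitch_rules | while read -r rule; do
        $FIREWALL_CMD --direct "--$1-rule" $rule   # $rule is word-split on purpose
    done
}

# Step 1 of post #31 as a check: with no tunnel up, "OUTPUT 999 -j DROP" would cut every connection.
killswitch_up() {
    if ! ip link show 2>/dev/null | grep -q ': tun[0-9]*:'; then
        echo "no tun interface is up; connect the VPN first" >&2
        return 1
    fi
    apply_rules add
}

# OpenVPN exports script_type=up|down to its --up/--down hooks, so the same
# file works there; from a terminal the action is the first argument.
case "${script_type:-${1:-}}" in
    up)     killswitch_up ;;
    down)   apply_rules remove ;;
    status) $FIREWALL_CMD --direct --get-all-rules ;;
    "")     ;;   # no action given: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 up|down|status" >&2; exit 1 ;;
esac
```

    Direct rules are not tied to any firewalld zone, so they take effect in every zone, and `status` (`--direct --get-all-rules`) shows exactly what is loaded. Because OpenVPN sets `script_type` for its hooks, the same file can be installed as `up`/`down` in the .ovpn (with `script-security 2`) so the rules follow the tunnel automatically.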

  5. #35

    Why go through all of this?

    Just put firewalld into panic mode; it then locks down all traffic going through the interface.

    Code:
    firewall-cmd --panic-on
    Or you can use the firewall applet. Just right-click on the firewall applet icon and check the box to block all network traffic.

  6. #36

    Quote Originally Posted by DBelton
    Why go through all of this?

    Just put firewalld into panic mode, it then locks down all traffic going through the interface.

    Code:
    firewall-cmd --panic-on
    Or you can use the firewall applet.. Just right click on the firewall applet icon, and check the box to block all network traffic.
    No!! This is totally wrong!! By VPN Internet Kill Switch we mean blocking all flows (in & out) outside the VPN tunnel BUT allowing flow through the VPN tunnel. This means allowing internet flow ONLY THROUGH THE VPN.

    The panic mode you suggest does not do this. It instead blocks all internet flow, both through and outside the VPN. This = shutting down the router or unplugging the cable. So, no internet at all.

  7. #37

    Generic kill switch script for OpenVPN Linux clients to prevent IP and DNS leaks??!!

    Hi all.

    As the title shows, it claims that there is a script that could be used to make a VPN internet kill switch + DNS leak protection, and that works with any VPN server you choose regardless of its IP.

    Let me first say that I have already reached a 100% VPN internet kill switch by using firewalld rules, which also protect from IPv6 leaks. See comment 31 by me at the following link:

    http://www.forums.fedoraforum.org/sh...=311476&page=3

    Regarding DNS leaks, you can change your DNS from "automatic" to a custom secure DNS like Level 3, for example. So, in fact my method is = to this suggested script, if not superior.

    However, it needs our attention because an internet kill switch is very important, and this suggested script (if it really works) is a good alternative.

    This is the script:

    up.sh:

    Code:
    #!/bin/bash

    # Check that OpenVPN is actually running. pgrep -x matches the process name
    # exactly, so the check cannot match its own grep.
    if ! pgrep -x openvpn >/dev/null; then
        echo "No active VPN session found."
        exit 1
    fi

    # Determine the server IP address after DNS resolution: the script assumes the
    # last line of "ip route show" is the host route OpenVPN added for the server.
    vpn_server_ip_address=$(ip route show | tail -1 | cut -d ' ' -f 1)

    # Configure and apply the iptables policy.
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT # Loopback.
    iptables -A OUTPUT -o lo -j ACCEPT # Loopback.
    iptables -A INPUT -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT # Private local addresses.
    iptables -A OUTPUT -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT # Private local addresses.
    iptables -A INPUT -i tun+ -j ACCEPT # Incoming tunnel traffic.
    iptables -A OUTPUT -o tun+ -j ACCEPT # Outgoing tunnel traffic.
    iptables -A INPUT -p udp --sport 1194 -s "$vpn_server_ip_address" -j ACCEPT # Incoming VPN server traffic.
    iptables -A OUTPUT -p udp --dport 1194 -d "$vpn_server_ip_address" -j ACCEPT # Outgoing VPN server traffic.
    iptables -A INPUT -j DROP # Block all other incoming packets.
    iptables -A OUTPUT -j DROP # Block all other outgoing packets.
    echo "Now only allowing traffic through the VPN server at $vpn_server_ip_address."

    # Exit successfully.
    exit 0

    down.sh:

    Code:
    #!/bin/bash

    # Remove the iptables policy: flush the chains and accept everything again.
    iptables -F
    iptables -A INPUT -j ACCEPT
    iptables -A OUTPUT -j ACCEPT

    # Exit successfully.
    exit 0

    Let us see what was written by the developer about it:

    I'd seen some other scripts specific to VPN providers on this subreddit that required downloading lists of resolved VPN server URL IPs or hardcoding your server's IP (assuming you had a static IP for it), so I wanted to make a script that can quickly block all IP traffic to addresses outside the tunnel by determining the tunnel server's IP at runtime.

    This script instead automatically determines the IP address of the remote VPN server through a call to ip route show. All you have to do is run up.sh after connecting to a VPN and down.sh when you disconnect or if your connection has been lost.

    I did not examine it because I feel that I'm not fit to efficiently evaluate certain aspects of it. For that reason I decided to post it here in this forum to be evaluated by other expert members of this forum.

    Let me give my notes:

    1) I think that you should change udp to tcp if you use the TCP protocol. And you should change 1194 if you use another port. This depends on your configuration files.

    2) I do not know whether this script protects from IPv6 leaks or not, and this is the chief aspect that I see myself unable to decide about.

    3) Please read the discussion on the source site about the efficacy of this script. Some users say that there are defects, while others said it works 100%! Again, I feel that expert members of this forum should decide about this.

    -------------------------------
    Source site:
    https://www.reddit.com/r/VPN/comment...ce&sh=a0c0914c

    To know how to use and run already written scripts, please refer to the guide that I prepared at the following link:
    http://www.forums.fedoraforum.org/sh...d.php?t=312026

    Warning: DO NOT COPY/PASTE THIS SCRIPT FROM THIS FORUM. INSTEAD, COPY/PASTE IT FROM THE SOURCE SITE. I do not know how to post scripts and commands inside a code box.

    Please give your kind attention to this very important topic.
    Last edited by User808; 2nd November 2016 at 07:10 PM.

  8. #38

    Threads merged. Please do not open duplicate threads on the same topic. This person's script can be discussed here as well; even though you have marked the thread [SOLVED], people will still read it.

  9. #39

    I haven't looked into the rules, so I don't understand what it does, but... this script is not compatible as is with firewalld, which Fedora uses. You can't use iptables directly if you are using firewalld. If you filter the rules through firewall-cmd it might work then, or if you disable it.

  10. #40

    Quote Originally Posted by srakitnican
    I haven't looked into rules, so I don't understand what it does, but... this script is not compatible as is with firewalld that Fedora uses. You can't use iptables directly if you are using firewalld. If you filter rules through firewall-cmd it might work then, or if you disable it.
    It is O.K. if the script does not work on Fedora, because my guide (rules) - or in fact not my rules but an airvpn.org forum member's rules that I just simplified - is working 1000000%

    Now can you help us:

    1) Do you know a way by which we can execute these rules with a single sudo command instead of entering them one by one, which is annoying?

    2) Do you know how to change these rules into a script?

  11. #41

    You could set up a new zone in firewalld, put the rules into the new zone (make them permanent), then when you connect to VPN, switch zones to the new zone you created.

  12. #42

    Quote Originally Posted by DBelton
    You could set up a new zone in firewalld, put the rules into the new zone (make them permanent), then when you connect to VPN, switch zones to the new zone you created.
    Can you explain more, please?

    1) Which is easier: creating the new zone from the terminal or from the GUI?

    2) Which service(s) should I add to the new zone? Is there a need to add any services to the new zone? If yes, please enumerate these services.

    3) How can I enter command-line parameters from within the GUI? Can you refer me to a site that explains this with examples?

    4) What about the openvpn service? Currently I have already added it to the default zone (public). Originally - by default - openvpn is not added to any zone. This means that it will be added automatically to the default zone.

    So, what should I do:
    - maintain the openvpn service in the public zone? In this case, when I change the default zone to the new one you suggested, openvpn will remain in the public zone; will I then have 2 active zones: public + the new suggested zone????
    - restore openvpn so it is not associated with any zone. In this case the openvpn service will be added automatically to the new suggested zone when I activate it.
    - add the openvpn service to the new suggested zone. But here the openvpn service will stick to the new suggested zone when I switch the default zone back to the public zone. Will this interfere with the normal internet connection?
    Last edited by User808; 4th November 2016 at 11:24 AM.

  13. #43

    You do realize openvpn can and will execute scripts on connect and disconnect?

  14. #44

    Quote Originally Posted by beaker_
    You do realize openvpn can and will execute scripts on connect and disconnect?
    I did not understand your comment. Please explain. I'm just a beginner. Why do you talk to me almost as if I were an expert? Also, I'm not a native English speaker, so I will not understand you if you talk to me in an unclear way, even if your words exist in the dictionary. Please appreciate this.

    Can you kindly answer the following question, please:

    "What happens if I keep the openvpn service added in both "public" and "KillSwitch"?? In this case, when I shift the default zone to "public", will openvpn be in the "public" zone only, and when I shift the default zone to "KillSwitch", will openvpn be in KillSwitch only? I mean, will there be only one active zone, or will adding openvpn to 2 zones result in the activation of both zones?"

  15. #45

    Help me! Help me please!

    I tried to create a new zone with the above rules.

    1st I restored openvpn to its original state (not associated with any zone) via the GUI after changing to PERMANENT, then restarted the laptop

    then I created the KillSwitch zone (after restarting the laptop)

    then I reloaded the firewall

    then added to the KillSwitch zone the following services: dhcpv6-client, mdns, & ssh (but not openvpn)

    then reloaded the firewall

    then I added (to the KillSwitch zone) all rules except the line highlighted in GREEN

    finally reloaded the firewall

    Then I powered off the laptop, waited 3 minutes, then powered it on.

    But I was shocked when I found myself unable to connect to the internet at all, whether on the public zone or on the KillSwitch zone. On KillSwitch it is O.K. that it is not possible to connect, no problem, because it should be activated AFTER establishing the VPN connection. But why can I not connect to the normal internet on public?????!!!!!! I cannot use the internet at all & I cannot connect to the VPN at all!!!!!!!!!!!!!!!

    This is why I asked repeatedly before any step, because of the risk of such disasters!!

    There is something I think caused this: when I added the rules to the new zone, there was no VPN connection!! I forgot to connect to the VPN 1st. I think this is the cause. I'm in a state as if the rules that I added were in fact added to PUBLIC (DEFAULT ZONE).

    Please, your kind help! How can I restore my firewalld to its original state?? Is there a command-line option that can undo all changes??

    Otherwise, I will be forced to format my laptop with a clean installation!! Very painful!!
