Fedora Linux Support Community & Resources Center

#1
15th September 2016, 05:53 PM
User808
Registered User
Join Date: Aug 2016
Location: Iraq
Posts: 728
How can I do Internet Kill Switch for VPN on Fedora

Hi.

I'm very satisfied with Fedora 24. The only remaining major issue that I need to solve is how to make an Internet Kill Switch for VPN on Fedora?

Most VPN servers & companies have no specific application package to be installed on Linux & the only way is using manual setup for such a VPN, either by using the terminal or network-manager, after downloading configuration files from the company site & setting them up manually. The biggest problem in this case is that there is no internet kill switch.

I investigated the options in OpenVPN in network-manager of Fedora & it has very advanced options but unfortunately has no Internet Kill Switch.

Please, is there a workaround for this issue?

Best

Last edited by User808; 31st October 2016 at 09:34 PM.
#2
15th September 2016, 08:04 PM
Madtiger
Registered User
Join Date: May 2016
Location: Fayetteville, Arkansas, USA
Posts: 261
Re: How can I do Internet Kill Switch for VPN on Fedora

I use OpenVPN also and would be very interested in the answer to this question. Most VPN providers offer a kill switch for Windows but not Linux. So if there is a way to set one up I would love to do it.

Thanks
#3
15th September 2016, 09:03 PM
User808
Registered User
Join Date: Aug 2016
Location: Iraq
Posts: 728
Re: How can I do Internet Kill Switch for VPN on Fedora

Ideal solution is that dev. team of OpenVPN add such option. Meanwhile we should search for workaround.
#4
15th September 2016, 09:34 PM
Madtiger
Registered User
Join Date: May 2016
Location: Fayetteville, Arkansas, USA
Posts: 261
Re: How can I do Internet Kill Switch for VPN on Fedora

Quote:
Originally Posted by User808
Ideal solution is that dev. team of OpenVPN add such option. Meanwhile we should search for workaround.

Well, as it stands right now, if my VPN goes down, my internet goes down also. I don't know how long it takes to kill my internet but it seems that every time I wake up and my VPN has failed, my entire internet is down and I have to restart it with network manager. Does yours do the same thing?

David
#5
16th September 2016, 06:51 AM
User808
Registered User
Join Date: Aug 2016
Location: Iraq
Posts: 728
Re: How can I do Internet Kill Switch for VPN on Fedora

No! You are not protected at all. Please look at this link from the OpenVPN forum:

https://forums.openvpn.net/viewtopic.php?t=19193

There are instances where a drop in the VPN is not associated with an internet drop & this is a risk. It seems that you suffer from global internet dropping (may be caused by VPN use or due to another reason).
It seems that at present there is a way to achieve an internet kill switch from the built-in firewall. Look at this video:

https://www.youtube.com/watch?v=x9fb2UAWkBE

But this is on UFW. On the Fedora firewall it is certainly possible but will be more painful! The Fedora firewall is more complicated. I need time to learn it. It is not easy even from the GUI!

Even with UFW on Debian or Ubuntu, this method is painful. You need to configure your firewall each time you like to use VPN, then reconfigure it to normal every time you end your work with VPN to restore normal connection!

But since there is no other solution yet, it will be very helpful if an expert member in this forum explains step by step (using dictated text in forum) how to achieve an internet kill switch for VPN using the Fedora firewall.
#6
16th September 2016, 07:14 AM
Madtiger
Registered User
Join Date: May 2016
Location: Fayetteville, Arkansas, USA
Posts: 261
Re: How can I do Internet Kill Switch for VPN on Fedora

Well, I found a site that seems like it might be the answer. I have not tried it yet because I don't understand some of it. Here is the site. It tells how to use iptables to make a kill switch with a special script written by somebody else. I'm not saying this will work, but it might work if you want to give it a try. Let me know what you decide or how it works out for you.

David
#7
16th September 2016, 11:30 AM
User808
Registered User
Join Date: Aug 2016
Location: Iraq
Posts: 728
Re: How can I do Internet Kill Switch for VPN on Fedora

The solution that you gave in your last reply involves use of a script & seems to be more complicated.

It seems that the firewall approach is much easier. I got the following link that involves an approach that we can modify + make more simple. Please look at this & read it carefully:

https://www.reddit.com/r/VPN/comment...t_will/comog21

For simplification & discussion I will rewrite it, concentrating on some points by CAPS:

-----------------------------

Now we are going to block all traffic on the computer.

Step 1) sudo ufw default deny outgoing

Do this for incoming also

Step 2) sudo ufw default deny incoming

Okay. Now we want to make it so there is an exception for VPN. If you are using OpenVPN and TUN as network adapter (you most probably are) then we call the network interface as tun0.

Allow outgoing traffic on tun0

Step 3) sudo ufw allow out on tun0 from any to any

Now security wise you don't need to allow incoming traffic to use the Internet. But if you may want to require it (for example seeding torrents this is necessary). So add it if you want.

Step 4 "optional") sudo ufw allow in on tun0 from any to any

Okay. So now ALL TRAFFIC IS ALLOWED ON VPN AND NO TRAFFIC IS ALLOWED WITHOUT VPN. But it's really annoying to TURN FIREWALL ON AND OFF EACH TIME WE WANT TO CONNECT TO A VPN so we'll add an exception for establishing the initial connection to the VPN server.

--------------------------------------

From the above selection it seems that only the 1st 3 (or 1st 4) steps are necessary on Fedora because the FIREWALL IS ENABLED BY DEFAULT ON FEDORA. Also most Fedora users prefer keeping the firewall turned on because they are more concerned about security. For me, I selected Fedora over openSUSE when Debian did not satisfy the hardware of my laptop, because Fedora is by default more secure than openSUSE (though Fedora is less stable). Moreover, on openSUSE I can turn on my dedicated VGA while till now it is off on Fedora, but I stick with Fedora for being more secure by default than openSUSE. I think most other Fedora users are of the same mind. For that reason there is no need for turning the firewall on/off every time we use VPN, so no need to be concerned about the steps that I did not include in my cut above.

All we need are:

1) perform the command corresponding to "sudo ufw default deny outgoing"

2) perform the command corresponding to "sudo ufw default deny incoming"

3) perform the command corresponding to "sudo ufw allow out on tun0 from any to any"

4) now (after all steps above) we should connect to VPN either from terminal or from network manager

5) after finishing your VPN session, you will close VPN, then:

6) you now (after closing VPN) need to reverse step 1 & step 2 to the original state that was before (which should be allow outgoing / allow incoming - or allow outgoing / deny incoming according to your preference)

7) when you like to reconnect to VPN (enjoy another VPN session) then ALL you need are JUST STEP 1 & 2, then go to reconnect to VPN from terminal or network manager.

Regarding point 7 just mentioned above, I supposed that step 3 "sudo ufw allow out on tun0 from any to any" will remain active & valid whatever we change in the default setting in step 1 & step 2, ISN'T IT? Please answer this: will step 3 "sudo ufw allow out on tun0 from any to any" remain valid & thus we need not repeat step 3, or will it be broken & we should repeat it every time before connecting to VPN?

Now we need the Fedora commands that correspond to the following Debian/Ubuntu commands:

sudo ufw default deny outgoing

sudo ufw default deny incoming

sudo ufw allow out on tun0 from any to any

sudo ufw allow in on tun0 from any to any

Also, it will be very nice if expert members make screenshots about how to achieve all of the above from the GUI of the firewall.

If all of the above is correct & achieved then I think that the moderators of the forum should fix this thread to be used as a reference since there is the following statement from the link below:

https://www.reddit.com/r/VPN/comment...ak_prevention/

"For killswitch again shouldn't use a client. If your client crashes your killswitch is dead. Instead you have a much more reliable method. Set up a firewall level system wide killswitch. By using iptables (or my preference UFW which is an easy to use front end to iptables) then you are interacting with netfilter (the firewall built into the Linux kernel). As such you can not have a superior failsafe than this as it then becomes a failsafe built directly into the Linux kernel (the foundation of your entire operating system)."

Please, moderators & expert members, give this thread more attention.
#8
16th September 2016, 10:38 PM
Madtiger
Registered User
Join Date: May 2016
Location: Fayetteville, Arkansas, USA
Posts: 261
Re: How can I do Internet Kill Switch for VPN on Fedora

User808,

I think you're right, we would not have to repeat step 3 at all. You did a great write-up on this and if we could figure out how to use our firewall instead of UFW we would have it made. I hope somebody with a great deal of knowledge about our firewall chimes in here and lends us a hand. Without some expert advice I fear we are dead in the water. I have tried to understand our firewall but I just cannot. My friend got his firewall all messed up by my messing with it and I ended up removing his firewall and just using IPTABLES instead. That was our only choice. So I can say for sure we need help with the firewall issue before I am willing to give this a try. If somebody does help us, your write-up is good enough to be a guide for everybody once we take out all the UFW and replace it with our firewall commands.

PS: I keep my VPN on at all times so I wouldn't have to turn mine on and off at all...just on one time and that would be that.

Good Job

David
#9
17th September 2016, 06:26 AM
User808
Registered User
Join Date: Aug 2016
Location: Iraq
Posts: 728
Re: How can I do Internet Kill Switch for VPN on Fedora

I also did not understand almost all of the Fedora firewall! It is very difficult! They removed UFW because it needs to reload every time you change its settings - as a web site says. If you read about the Fedora firewall you will see that you have "runtime" & "permanent". The "runtime" mode allows you to apply changes without need to reload the firewall & THUS WITHOUT INTERRUPTION FOR PRESENT ONGOING CONNECTIONS & BY THIS AVOIDS INTERRUPTION OF THE SERVER. So, it seems that the Fedora firewall is much more mature than UFW, being oriented toward servers. However, for that reason it is much harder.

All that I got is the equivalent of the 1st 2 steps:

1) sudo firewall-cmd --panic-on

this = to "sudo ufw default deny outgoing" & "sudo ufw default deny incoming" together, so it is = to step 1 + step 2

2) sudo firewall-cmd --panic-off

this is to undo the above change & restore your firewall to original state. So, it is = to step 6 in my arrangement.

But about steps 3 & 4 I do not know.

I'm very surprised that only you are with me in this important thread!! We are a Linux community who, being Linuxers, should almost always be seeking privacy & security & thus asking about VPN. Is internet kill switch not important?!! VPN without this option is useless!!

Please help!!
#10
17th September 2016, 02:57 PM
beaker_
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,718
Re: How can I do Internet Kill Switch for VPN on Fedora

Code:
... Is internet kill switch not important?!! VPN without this option is useless!!

Depends on your meaning? You expect all traffic to be routed through your vpn automatically? That sounds like a vpn configuration problem: it should be pushing routes to you and not the other way around.

firewalld and ufw are just fronts for iptables.

Simplified and wrt iptables, I think you're all dancing around:
-- set policies (input, output, forward) to drop
-- allow input and output on loopback interface (Assuming nothing nasty here)
-- allow all established and related incoming on public nic
-- allow outgoing on public nic to dport of vpn. dest static, then rattle off ip-address as well.
-- drop all other outgoing on public nic
-- drop all other incoming on public nic
-- allow all incoming on vpn device
-- allow all outgoing on vpn device

Either iptables does this full time or your vpn connection triggers the changes, up & down scripts in openvpn are ex., and set routes at connection and when disconnected.
#11
17th September 2016, 05:46 PM
flyingdutchman
Registered User
Join Date: Jan 2015
Location: Al Ain, UAE
Posts: 724
Re: How can I do Internet Kill Switch for VPN on Fedora

Uhmmm...

/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP

Que?
__________________
--
Have fun!
http://www.aeronetworks.ca
#12
17th September 2016, 08:13 PM
User808
Registered User
Join Date: Aug 2016
Location: Iraq
Posts: 728
Re: How can I do Internet Kill Switch for VPN on Fedora

Hi

1st of all I would like to change my statement about firewalld of Fedora. It is not so difficult as I thought. It was just a matter of using the correct document to study its options. I discovered the following excellent tutorial:

https://www.digitalocean.com/communi...ld-on-centos-7

I read it quickly & I need to read it more & more in a deep manner. In spite of the quick reading I understood many things that I did not understand from the official Fedora documents!

I even started to understand the GUI of firewalld, of which previously I did not understand anything.

Before reading this tutorial I did not know what tun0 is: interface? service? ..... After reading the tutorial I know now that tun0 is an interface like my wifi connection.

--------------------

Regarding beaker_ reply:

I did not study iptables & only studied ufw because the 2nd is simple & satisfies me on Debian. I ignored iptables because I'm not interested in using Linux for servers. I need Linux for a personal use workstation instead of Windows.

I know that ufw is a frontend for iptables .......

I found this link on the internet:
https://docs.fedoraproject.org/en-US..._Policies.html

From above link I found:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

These 3 commands above correspond to the 1st line in your approach [-- set policies (input, output, forward) to drop]

But I do not & cannot find the commands corresponding to the remaining lines in your approach. Why do you not give them to us as command lines with explanation??

On the other side: I understand from your approach the following PRINCIPLE: "To achieve an Internet kill switch for VPN from within the Linux firewall we need to put all interfaces & all things in zone=drop BUT we need to put the VPN interface (which is tun0) in zone=trust", isn't it? So, if this is the case, can we achieve an Internet kill switch in the following much easier way using the GUI?:

1) we should 1st install the configuration files of the VPN into openvpn on network manager.

2) before connecting to VPN we have to open the GUI of the firewall & change the default zone of the firewall to drop

3) we have to configure the VPN from network manager to be in zone=trust (its GUI has such an option: please look at the screenshot, all we need is to set it to trusted). This step should be done not in this sequence but in fact during setup of the VPN when we load the configuration files of the VPN.

This step should set tun0 at zone=trusted, isn't it?

4) now connect to VPN by network manager.

5) when you finish your VPN session, disconnect from VPN from within network manager, then - last step:

6) open the GUI of the firewall then restore the default setting to its original state = public (or what you like)

Are these steps enough? If not, can you explain why not?
Attached thumbnail: openvpn.png
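
An added example, not part of any post in this thread: beaker_'s rule list from post #10 written out as the commands post #12 asks for, both as plain iptables and through firewalld's direct interface. The NIC name wlp2s0, the server address 203.0.113.10 and UDP port 1194 are assumed placeholders, and the script only prints commands unless it is called with `apply`.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed values: PUB_IF, VPN_IP, VPN_PORT,
# VPN_PROTO (203.0.113.10 is a documentation-range placeholder).
PUB_IF="${PUB_IF:-wlp2s0}"        # public NIC (assumed name)
VPN_IF="${VPN_IF:-tun0}"          # OpenVPN tunnel device, as in the thread
VPN_IP="${VPN_IP:-203.0.113.10}"  # VPN server, by IP because DNS is dropped too
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# beaker_'s list, one rule per line: "<chain> <match and target>".
# The last three lines stand in for "set policies to drop" on a backend that
# cannot set a chain policy. DHCP renewals on the public NIC are dropped as well.
killswitch_rules() {
  cat <<EOF
INPUT -i lo -j ACCEPT
OUTPUT -o lo -j ACCEPT
INPUT -i $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
OUTPUT -o $PUB_IF -p $VPN_PROTO -d $VPN_IP --dport $VPN_PORT -j ACCEPT
INPUT -i $VPN_IF -j ACCEPT
OUTPUT -o $VPN_IF -j ACCEPT
INPUT -j DROP
OUTPUT -j DROP
FORWARD -j DROP
EOF
}

# Print the commands for one backend without running them.
#   iptables  - plain iptables; assumes firewalld is not managing the ruleset
#   firewalld - direct interface; zones alone filter incoming traffic only,
#               so explicit OUTPUT rules are what stops a leak
# IPv4 only: repeat with ip6tables / family "ipv6", or IPv6 bypasses the switch.
render() {
  backend="$1"; prio=0
  case "$backend" in
    iptables)  printf 'iptables -P %s DROP\n' INPUT OUTPUT FORWARD ;;
    firewalld) ;;
    *) echo "unknown backend: $backend" >&2; return 1 ;;
  esac
  killswitch_rules | while read -r chain args; do
    if [ "$backend" = iptables ]; then
      printf '%s\n' "iptables -A $chain $args"
    else
      # priority keeps the rules in list order inside each *_direct chain
      printf '%s\n' "firewall-cmd --direct --add-rule ipv4 filter $chain $prio $args"
      prio=$((prio + 1))
    fi
  done
}

# Usage: killswitch.sh iptables|firewalld        (dry run, prints commands)
#        killswitch.sh apply iptables|firewalld  (runs them, needs root)
if [ "${1:-}" = apply ]; then
  render "${2:-iptables}" | sh -e
elif [ -n "${1:-}" ]; then
  render "$1"
fi
```

The firewalld commands are runtime-only, so `firewall-cmd --reload` removes them again after the VPN session.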
#13
17th September 2016, 08:29 PM
Madtiger
Registered User
Join Date: May 2016
Location: Fayetteville, Arkansas, USA
Posts: 261
Re: How can I do Internet Kill Switch for VPN on Fedora

User808,

First of all, I use Fedora 23 with the KDE Spin. I don't know what you're using. How did you get to the page you just took a screenshot of? I don't have that page that I can find anywhere. Please tell me the steps you took to open that exact page so I can see if I have that page too.

Thank You

David
#14
17th September 2016, 08:41 PM
User808
Registered User
Join Date: Aug 2016
Location: Iraq
Posts: 728
Re: How can I do Internet Kill Switch for VPN on Fedora

Dear Madtiger.

I'm on Fedora 24 cinnamon x64 bit OS. This picture is the VPN setting from network manager. You can reach it as follows:

Enter into network settings or network connections. Then click on edit on your VPN & it will appear to you.

By the way, I have not established any VPN on my system & got this picture when I clicked on + in the window of network settings (or you will get it when you click on add in the window of network connections). In both cases you have many options: select VPN then select openvpn & it will appear to you.

It is also present in other types of connections like wifi:

Put the mouse pointer over the wifi icon, then click on network settings. You will see your active wifi connection & there is a settings icon for it. Press this settings icon & you will see a similar option.

Best

Last edited by User808; 17th September 2016 at 08:59 PM.
#15
17th September 2016, 08:58 PM
Madtiger
Registered User
Join Date: May 2016
Location: Fayetteville, Arkansas, USA
Posts: 261
Re: How can I do Internet Kill Switch for VPN on Fedora

User808,

Well your firewall gui and mine are completely different. HERE IS A PIC OF MINE.
So I don't know if we just have different firewalls or what is going on but mine is much more complicated. This is the firewall that came with the KDE Spin of Fedora 23. So now it seems we are on different pages with our firewall stuff.

David