
How do I create a VPN kill switch for PrivateInternetAccess and WireGuard in ufw or iptables?


I am using the manual-connections script collection from PrivateInternetAccess on my headless Ubuntu server. I start the setup script in a service unit and need to make sure that I don't access anything outside my local network whenever WireGuard crashes.

/etc/systemd/system/pia.service

[Unit]
Description=PrivateInternetAccess (Wireguard, Switzerland)
# network-online.target is passive: After= alone does not pull it in, so Wants= is needed too
Wants=network-online.target
After=network-online.target

[Service]
User=ubuntu
Group=ubuntu
ExecStart=/usr/bin/sudo PIA_USER=REDACTED PIA_PASS=REDACTED PIA_DNS=true PIA_PF=true DISABLE_IPV6=yes VPN_PROTOCOL=wireguard PREFERRED_REGION=swiss ./run_setup.sh
WorkingDirectory=/home/ubuntu/src/manual-connections

[Install]
WantedBy=multi-user.target

journalctl logs:

PIA_USER=REDACTED

PIA_PASS input received.

Checking login credentials...OK!

PIA_TOKEN=REDACTED

This token will expire in 24 hours, on Wed Nov 24 12:23:26 2021.

PIA_PF=true

The variable DISABLE_IPV6=yes, does not start with 'n' for 'no'.
Defaulting to yes.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

IPv6 has been disabled, you can enable it again with:
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0

AUTOCONNECT was not declared.

Region input is : swiss

Getting the server list...OK!

The selected region is Switzerland.

The script found the best servers from the region you selected.
When connecting to an IP (no matter which protocol), please verify
the SSL/TLS certificate actually contains the hostname so that you
are sure you are connecting to a secure server, validated by the
PIA authority. Please find below the list of best IPs and matching
hostnames for each protocol:
Meta Services 212.102.37.176    -     zurich402
WireGuard     212.102.37.187    -     zurich402
OpenVPN TCP   212.102.37.187    -     zurich402
OpenVPN UDP   212.102.37.187    -     zurich402

Using existing token REDACTED.

VPN_PROTOCOL=wireguard

PIA_DNS=true

Getting the server list...OK!

Using existing token REDACTED.

The ./get_region.sh script got started with
VPN_PROTOCOL=wireguard, so we will automatically connect to WireGuard,
by running this command:
$ PIA_TOKEN=REDACTED \
WG_SERVER_IP=212.102.37.205 WG_HOSTNAME=zurich402 \
PIA_PF=true ./connect_to_wireguard_with_token.sh

Trying to connect to the PIA WireGuard API on 212.102.37.205...

Trying to disable a PIA WG connection in case it exists...
wg-quick: `pia' is not a WireGuard interface

Trying to set up DNS to 10.0.0.243. In case you do not have resolvconf,
this operation will fail and you will not get a VPN. If you have issues,
start this script without PIA_DNS.

Trying to write /etc/wireguard/pia.conf...OK!

Trying to create the wireguard interface...
[#] ip link add pia type wireguard
[#] wg setconf pia /dev/fd/63
[#] ip -4 address add 10.28.251.36 dev pia
[#] ip link set mtu 1420 up dev pia
[#] resolvconf -a tun.pia -m 0 -x
[#] wg set pia fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev pia table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

The WireGuard interface got created.

At this point, internet should work via VPN.

To disconnect the VPN, run:

--> wg-quick down pia <--

This script got started with PIA_PF=true.

Starting port forwarding in 5...4...3...2...1...

Starting procedure to enable port forwarding by running the following command:
$ PIA_TOKEN=REDACTED \
  PF_GATEWAY=212.102.37.205 \
  PF_HOSTNAME=zurich402 \
  ./port_forwarding.sh

Getting new signature... OK!

Signature REDACTED
Payload   REDACTED

--> The port is 22419 and it will expire on 2022-01-25T00:25:25.06880542Z. <--

Trying to bind the port... OK!
Forwarded port  22419
Refreshed on    Tue Nov 23 12:23:43 UTC 2021
Expires on      Tue Jan 25 00:25:25 UTC 2022

This script will need to remain active to use port forwarding, and will refresh every 15 minutes.

I would like to have a UFW ruleset for the gateway described in the logs (while still being able to access any of my other machines in the local network). I can't figure out how. I found some guides that only apply to OpenVPN, not to the newer WireGuard.

Hardware: Raspberry Pi 3 Model B Plus Rev 1.3
OS: Ubuntu 21.10 (GNU/Linux 5.13.0-1010-raspi aarch64)

ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
4: pia: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
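An added example, not part of the original question and not code from PIA's manual-connections scripts: a POSIX sh script that prints and applies a ufw kill switch for the pia interface from the log above. It assumes the LAN is 192.168.1.0/24 and the uplink is eth0 (change both to match your network), reads the tunnel endpoint from /etc/wireguard/pia.conf (the file the setup script writes, so connect once before running apply), and assumes the manual-connections scripts reach PIA's token and server-list APIs over HTTPS on tcp/443 and the WireGuard key-exchange API on the same port as the tunnel endpoint, 1337 at the time of writing; verify both in get_region.sh and connect_to_wireguard_with_token.sh before relying on them.

```shell
#!/bin/sh
# Added example, not code from the question or from PIA's manual-connections
# scripts: a ufw kill switch for the wg-quick interface "pia" shown in the log.
# Assumed, adjust to your setup: LAN 192.168.1.0/24, uplink eth0, endpoint read
# from /etc/wireguard/pia.conf, PIA bootstrap APIs on tcp/443 and tcp/1337.
set -eu

WG_IF="${WG_IF:-pia}"
WAN_IF="${WAN_IF:-eth0}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"            # assumption, not from the post
WG_CONF="${WG_CONF:-/etc/wireguard/${WG_IF}.conf}"
API_PORT="${API_PORT:-1337}"                      # assumption: verify in the scripts

# Print "host:port" from the Endpoint line of a wg-quick config read on stdin
# (IPv4 only; PIA hands out IPv4 and the post disables IPv6 anyway).
wg_endpoint() {
  awk -F'=' 'tolower($1) ~ /^[ \t]*endpoint[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print the ufw commands for the kill switch: egress only through the tunnel,
# to the LAN, or as encrypted UDP to the endpoint itself (those packets leave
# on the uplink). Optional second argument: the forwarded port that
# port_forwarding.sh reports (22419 in the log), opened for inbound on the tunnel.
killswitch_rules() {
  host="${1%:*}"; port="${1##*:}"
  cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow in on ${WAN_IF} from ${LAN_CIDR}
ufw allow out on ${WAN_IF} to ${LAN_CIDR}
ufw allow out on ${WAN_IF} to ${host} port ${port} proto udp
ufw allow out on ${WG_IF}
EOF
  if [ -n "${2:-}" ]; then
    echo "ufw allow in on ${WG_IF} to any port $2"
  fi
}

# Temporary allows so run_setup.sh can reach PIA over the uplink before the
# tunnel exists (token and server list over HTTPS, key exchange on API_PORT).
# While these are present any HTTPS client on the box bypasses the switch, so
# delete them (ufw delete allow ...) once `wg show pia latest-handshakes` is non-zero.
bootstrap_rules() {
  echo "ufw allow out on ${WAN_IF} to any port 443 proto tcp"
  echo "ufw allow out on ${WAN_IF} to any port ${API_PORT} proto tcp"
}

# Run every emitted command with sudo, then enable ufw non-interactively.
apply() {
  ep="$(sudo cat "$WG_CONF" | wg_endpoint)"
  [ -n "$ep" ] || { echo "no Endpoint in $WG_CONF; connect once first" >&2; exit 1; }
  { bootstrap_rules; killswitch_rules "$ep" "${1:-}"; } |
    while IFS= read -r cmd; do sudo sh -c "$cmd"; done
  sudo ufw --force enable
}

case "${1:-}" in
  apply) apply "${2:-}" ;;
  show)  ep="$(sudo cat "$WG_CONF" | wg_endpoint)"; bootstrap_rules; killswitch_rules "$ep" "${2:-}" ;;
esac
```

Run `sh killswitch.sh show 22419` to see what would be applied and `sh killswitch.sh apply 22419` to apply it. Two caveats a practitioner should check. First, the endpoint IP is chosen per run (the log connected to 212.102.37.205 although the server list advertised 212.102.37.187 for WireGuard), so the endpoint allow rule goes stale whenever the setup picks a different server: either re-run apply after each connect, or drop the per-IP rule and use the mark-based rule from wg-quick(8) instead. Because wg-quick marks the tunnel's own encrypted packets (the `wg set pia fwmark 51820` line in the log), `iptables -I OUTPUT ! -o pia -m mark ! --mark 51820 -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT` rejects everything that is neither inside the tunnel, nor a tunnel packet, nor LAN-bound, without knowing the endpoint at all. Second, before the tunnel is up the setup script also needs name resolution; if your resolver is on the LAN the LAN rule covers it, otherwise add a bootstrap allow for port 53 too.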