Score:1

VPN "Kill Switch" Without Hard-Coded IPs


I'm using a popular VPN provider, and I downloaded their OpenVPN configs. In total there are probably >100 different server IPs specified in these configs. Is there a way to configure Ubuntu 22.04 LTS Desktop to have a VPN "kill switch" (blocking all traffic that doesn't go through the VPN) without manually hard-coding all these IPs into some firewall configuration, e.g. using iptables or UFW (Uncomplicated Firewall)? So far all the tutorials I've seen require hard-coding the IP of the server you want to connect to, which makes it annoying if you ever want to add or change OpenVPN configs.

Mainly what I'm looking for is:

  1. No hard-coded IPs (outside the OpenVPN config files themselves)
  2. The firewall is persistent, and I can re-connect or switch VPNs with the firewall still up
  3. No traffic is leaked if the VPN is not running yet, e.g. after a system restart
  4. No traffic is leaked when switching between VPNs, e.g. using the Network Manager GUI
  5. No traffic is leaked if the VPN is unable to connect, e.g. if the server specified in the OpenVPN config is down

The answer provided here looks promising, by assigning OpenVPN to run under a system group. However the comments under the answer say it doesn't work if you try to disconnect and re-connect while the firewall is up. I've also seen approaches that only allow a specific network interface (tun0), but those seem to also prevent re-connection.

I've seen some attempts to fix this by allowing traffic over port 1194, but this would allow applications besides OpenVPN to leak traffic over the same port. Would it instead be possible to only allow traffic for OpenVPN using an application-specific firewall, using methods like these?

Alternatively, this answer suggests a completely different approach: using network namespaces instead of a firewall, which looks promising as well. But is there a way to make all applications run in that namespace by default (aside from OpenVPN)? Or the opposite, blocking all internet in the default namespace but putting OpenVPN in a separate namespace?

Basically, I need the "kill switch" to be a one-time setup, even if I switch VPN providers in the future. I want to be managing OpenVPN config files, not managing firewall rules or network namespace rules.

candida2038: This is the Ubuntu StackExchange, so obviously the OS is Ubuntu, and version 22.04.

candida2038: You're right, that is important. I updated the question and highlighted the OS version so it stands out; let me know if there are any other changes I should make.
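The group-based approach the question refers to, written out as one complete ruleset so that the only place a server address appears is the `.ovpn` file. This is an added example, not code from the question or from any answer it links to. It assumes a system group named `vpn` exists (`groupadd -r vpn`), that OpenVPN is launched with that group as its primary group (e.g. `sg vpn -c 'openvpn --config client.ovpn'`), and that the `iptables-persistent` package is installed so `/etc/iptables/rules.v4` and `rules.v6` are reloaded at boot. Everything not generated by the `vpn` group and not already routed into a `tun` interface is dropped, which covers the "before the VPN is up", "server is down" and "switching configs" cases by construction, since no rule ever names a server.

```shell
#!/bin/sh
# Added example: gid-based OpenVPN kill switch as an iptables-restore ruleset.
# Assumptions (not from the question): group "vpn" exists, OpenVPN runs with
# primary group "vpn" (sg vpn -c '...'), iptables-persistent is installed.

# Print the IPv4 ruleset for the given group name.
kill_switch_rules() {
    grp="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened (VPN handshake, tunnel payload)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP lease renewals on the physical link, so the NIC keeps its address
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
# anything already routed into a tunnel interface is inside the VPN
-A OUTPUT -o tun+ -j ACCEPT
# OpenVPN's own socket, identified by the process's group, not by server IP
-A OUTPUT -m owner --gid-owner ${grp} -j ACCEPT
COMMIT
EOF
}

# IPv6: most provider .ovpn files connect over IPv4, so allow only loopback
# to avoid a v6 side channel. Mirror the v4 rules if your remotes are v6.
kill_switch_rules_v6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Load the rules (needs root) and save them where netfilter-persistent
# (from iptables-persistent) reloads them at boot.
apply_kill_switch() {
    grp="${1:-vpn}"
    kill_switch_rules "$grp" | iptables-restore
    kill_switch_rules_v6 | ip6tables-restore
    kill_switch_rules "$grp" > /etc/iptables/rules.v4
    kill_switch_rules_v6 > /etc/iptables/rules.v6
}

# Usage: sudo sh kill-switch.sh apply [group]
# Without "apply" the script only defines the functions (safe to source).
if [ "${1:-}" = "apply" ]; then
    apply_kill_switch "${2:-vpn}"
fi
```

Two things to check before relying on this. First, the `owner` match looks at the credentials the socket was created with, so if the `.ovpn` file contains `user nobody` / `group nogroup`, a socket OpenVPN re-creates after a restart or reconnect no longer belongs to `vpn` and is dropped; either remove those directives or add a second `--gid-owner` rule for the dropped group. Second, on Ubuntu 22.04 the `remote` hostname is resolved through systemd-resolved's stub at 127.0.0.53, and the outbound query is then sent by systemd-resolved rather than by the `vpn` group, so with this ruleset alone hostname remotes fail to resolve; you have to decide explicitly how that lookup is allowed out (for example a rule for the `systemd-resolve` user on port 53, accepting that plain DNS then leaves on the NIC), or use IP-literal remotes, which brings back the problem the question is trying to avoid.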