Solved - Disabling data transfer if VPN fails

[FallGuy]

Hello, I'm using Deluge 1.3.6 on Ubuntu 12.04 with an Asus RTN16 router to handle the PPTP connection. This setup works well for me. The only concern I have is if the vpn connection fails, I'm now exposed and Deluge is still running and downloading. Is there a setup that would stop all communication to my computer if it fails? Are there any apps you can recommend? Does something like a static route help this?

 

 

Thanks for the help,

Ben

[FallGuy]

Turns out my solution is wrong. Got too excited this morning. So still looking for a solution.

[TorGuard Admin]

Hi Duke, The TorGuard team is current working on a simple cross platform leak block utility that should be ready for download in the coming weeks.

 

Right now, the best solution for you would be to run your deluge torrents through a secure proxy. You can still run the PPTP VPN overtop for an added layer of encryption and security. If your interested in a proxy, please contact our support team and we'll arrange a discount for you.

[FallGuy]

That's great! Ill keep an eye out for when it's ready. I'd like to try out.

[Guest]

I run a linux server that has a firewall doing pretty much what you want I think. My linux box is a dedicated virtual machine though that only does torrents.

This is my OUTPUT iptables firewall;

Chain OUTPUT (policy DROP 3993 packets, 435K bytes)
pkts bytes target     prot opt in     out     source               destination         
 587 96855 ACCEPT     all  --  any    lo      anywhere             anywhere            
36856  201M ACCEPT     all  --  any    eth0    anywhere             192.168.0.0/16      
   0     0 REJECT     all  --  any    tun+    anywhere             192.168.0.0/16       reject-with icmp-port-unreachable
731K  220M ACCEPT     all  --  any    tun+    anywhere             anywhere            
722K  267M ACCEPT     udp  --  any    eth0    anywhere             anywhere             udp dpt:https

The key rules are the last 2 lines and having the default policy of DROP.

The last rule allows all traffic out to port 443 (which TorGuard openvpn uses).

The 2nd last rule allow all traffic out only if it goes over a tun device (which openvpn creates when it is connected).

And anything not matching either of those 2 rules, like say traffic to be sent to the internet without going via the VPN will hit the default policy of the OUTPUT table which is to drop the packet.

The first 3 rules are just some internal housekeeping for my home network and the loopback device.

 

I've only set this up today (brand new user myself), but if you like I can post the iptables commands I used to create the firewall. It has worked so far in my testing.

[FallGuy]

The commands would be very helpful because I'm very new to the Linux command line and I woke up this morning to find the vpn disconnected. I've tried using GUFW to setup up some rules in the past and it didnt workout too well.

 

I have changed my setup a bit. I'm using the network manager in Ubuntu to establish the openvpn connection because I've found the speeds a little better then PPTP in my router.

 

Thanks.

[Guest]

Well these rules only work if the host is running the vpn, so that works well.

I will apologize as I run Fedora, so I'm not 100% certain howto set these rules to be permanent, but this is what I've done;

iptables -F OUTPUT # Empty the OUTPUT chain of any current rules

iptables -P OUTPUT DROP # Default action if no other rules match

iptables -A OUTPUT -o lo -j ACCEPT # Allow loopback traffic

iptables -A OUTPUT -o tun+ -j ACCEPT # Allow all traffic out over the vpn

iptables -A OUTPUT -o eth0 -p udp -m udp --dport 443 -j ACCEPT # Allow traffic out on port 443 which the VPN uses

And then on Fedora;

/usr/libexec/iptables/iptables.init save

systemctl enable iptables.service

So that it loads the firewall on each boot.

For Ubuntu I'd look at https://help.ubuntu.com/community/IptablesHowTo

 

If you are using a TCP based tunnel rather than UDP, just change all the 'udp' to 'tcp' in the last rule

 

And remember, once the VPN goes down, the box won't be able to talk to anything on the internet properly until the VPN is restored.

[FallGuy]

Thanks. I'll be trying this out in the next few days. Work is extremely busy for today and tomorrow. I'll let you know the results.

[FallGuy]

I've found a different solution with the help of ubuntu forums and support from Torguard staff.

 

1- Create a file called vpnscript (or anything else) in /etc/NetworkManager/dispatcher.d/

 

2-copy/paste the following into that script

 

#!/bin/sh

# use tail - /var/log/syslog in terminal to check if it is executed the four lines help you spot easily

 

logger -s XXXXXXXXXX

logger -s $1

logger -s $2

logger -s XXXXXXXXXX

 

 

if [ $2 = "vpn-down" ]

then

# Shut down eth0 when vpn fails (change eth0 to your nic)

ifconfig eth0 down

# this will turn off your wireless networking completely

# ip link set wlan0 down

fi

 

3- in a terminal run chmod 755 vpnscript

 

That's it. If the VPN fails the network connection gets disabled including on your internal network. So if you have any shared files or drives this will get disabled also. If this happens re-enable the network connection in Network Manager.

 

Marc, I tried a copy/paste of the commands you provided into a terminal and it was blocking all traffic. I will retry this weekend when I have more time.

 

Thanks for all the help.

 

[Guest]

Duke, sorry it didn't work out for you...

 

some small revisions then...

iptables -F OUTPUT # Empty the OUTPUT chain of any current rules

iptables -A OUTPUT -o lo -j ACCEPT # Allow loopback traffic

iptables -A OUTPUT -o tun+ -j ACCEPT # Allow all traffic out over the vpn

iptables -A OUTPUT -o eth0 -p udp -m udp --dport 443 -j ACCEPT # Allow traffic out on port 443 which the VPN uses

iptables -A OUTPUT -o eth0 -d 192.168.0.0/24 -j ACCEPT # Allow local network traffic

iptables -P OUTPUT DROP # Default action if no other rules match

 

In the 2nd last rule, change 192.168.0.0/24 to match whatever you use on your home network

My apologies there, I didn't try to cover local network traffic.

I also moved the DROP rule to be the last thing done so your session doesn't drop if you do this remotely.

[FallGuy]

Perfect! it works. For anyone interested, I've added the two lines below to /etc/network/interfaces to get it to work every time I boot up.

 

pre-up iptables-restore < /etc/iptables.rules

post-down iptables-save > /etc/iptables.rules

 

Thanks again. This is much better then the solution I've posted.

 

 

[Guest]

Mark C, can you post your current rules in their entirety. Your solution looks like what I need.

[Guest]

Duke, sorry it didn't work out for you...

 

some small revisions then...

iptables -F OUTPUT # Empty the OUTPUT chain of any current rules

iptables -A OUTPUT -o lo -j ACCEPT # Allow loopback traffic

iptables -A OUTPUT -o tun+ -j ACCEPT # Allow all traffic out over the vpn

iptables -A OUTPUT -o eth0 -p udp -m udp --dport 443 -j ACCEPT # Allow traffic out on port 443 which the VPN uses

iptables -A OUTPUT -o eth0 -d 192.168.0.0/24 -j ACCEPT # Allow local network traffic

iptables -P OUTPUT DROP # Default action if no other rules match

 

In the 2nd last rule, change 192.168.0.0/24 to match whatever you use on your home network

My apologies there, I didn't try to cover local network traffic.

I also moved the DROP rule to be the last thing done so your session doesn't drop if you do this remotely.

 

Thank you for this! I never thought about using my firewall to limit traffic to the VPN. I adjusted my ipTables script to include what you have shared and now I have my VM connected securely. Verified that if the VPN goes down it cuts off internet to whole VM. I did have to make an adjustment but afterwards it has worked beautifully and now I know that my traffic is hidden from prying eyes!