VPN Killswitch OpenVPN

Yummiesttag (Dabbler, joined Mar 7, 2018, 35 messages)
I've installed OpenVPN, it works great. It will run in tandem with transmission to download the glorious Linux ISOs. I cannot get a killswitch working, I've tried various configs from online to no avail. Any help would be greatly appreciated.

Volts (Patron, joined May 3, 2021, 210 messages)
What does killswitch mean?
What has been tried and what is the current configuration?
What are the current symptoms?

What are the contents of /etc/rc.conf, the output of ipfw list, and the output of netstat -rn?

Yummiesttag
> What does killswitch mean?
> What has been tried and what is the current configuration?
> What are the current symptoms?
>
> What are the contents of /etc/rc.conf, the output of ipfw list, and the output of netstat -rn?
When home I’ll get the output and contents.
Killswitch meaning: if OpenVPN disconnects from the VPN provider, it blocks all network traffic until it reconnects.

Yummiesttag
> What does killswitch mean?
> What has been tried and what is the current configuration?
> What are the current symptoms?
>
> What are the contents of /etc/rc.conf, the output of ipfw list, and the output of netstat -rn?

[three screenshot attachments, not reproduced here]

Volts
> When home I’ll get the output and contents.
> Killswitch meaning if openvpn disconnects from the VPN provider it blocks all network traffic until it reconnects

That's a "Windows" way to think about it. A more "ipfw" way to think about it is "allow the torrent user to send data through the VPN; don't allow the torrent user to send otherwise". The result is similar, but there's no "switch" - the rule is always present.

What's in /usr/local/etc/openvpn/ipfw.rules, as referenced by /etc/rc.conf?

That's a slightly unusual place to put that file - /usr/local/etc would be more typical.
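
To make the framing above concrete, here is an added example of such an always-present ruleset (my own, not code from this thread or from the project linked later in it). It assumes the tunnel interface is tun0, the LAN is 192.168.1.0/24, the daemon runs as uid transmission, and that /etc/rc.conf points firewall_script at the file; everything else on the host is left alone, so the OpenVPN daemon itself can still reach the provider over the physical interface.

```sh
#!/bin/sh
# Added example, not code from this thread or from the freenasdocs repository it
# links. Implements "allow the torrent uid through the VPN, deny it otherwise" as
# an always-present ipfw ruleset. Assumed values (override via the environment):
#   IPFW         path to the ipfw binary
#   VPN_IF       the OpenVPN tunnel interface
#   LAN          the local subnet the client may still reach without the VPN
#   TORRENT_UID  the uid the torrent daemon runs as

IPFW="${IPFW:-/sbin/ipfw}"
VPN_IF="${VPN_IF:-tun0}"
LAN="${LAN:-192.168.1.0/24}"
TORRENT_UID="${TORRENT_UID:-transmission}"

# Issue one ipfw command. $IPFW is deliberately unquoted so that a dry run can
# substitute a multi-word command such as "echo ipfw".
fw() {
    $IPFW -q "$@"
}

apply_rules() {
    fw -f flush

    # Loopback is always allowed.
    fw add 10 allow ip from any to any via lo0

    # Anything inside the tunnel is allowed in both directions. While the VPN is
    # down this rule matches nothing, because no traffic is on tun0.
    fw add 20 allow ip from any to any via "$VPN_IF"

    # The torrent uid may still talk to the LAN (web UI, local clients) ...
    fw add 100 allow ip from me to "$LAN" uid "$TORRENT_UID"
    fw add 101 allow ip from "$LAN" to me uid "$TORRENT_UID"

    # ... but everything else from that uid that did not match rule 20 is dropped.
    # This is the whole "kill switch": nothing toggles it, the rule never goes away.
    fw add 110 deny log ip from any to any uid "$TORRENT_UID"

    # Every other process on the host (including the openvpn daemon reaching the
    # provider on the physical NIC) is unaffected. ipfw's default final rule
    # (65535) is deny unless the kernel was built or tuned otherwise, so an
    # explicit allow is needed here.
    fw add 65000 allow ip from any to any
}

# Apply for real only as root on a host that actually has ipfw; anywhere else,
# print the commands so the ruleset can be reviewed before it is installed.
if [ "$(id -u)" = 0 ] && [ -x "$IPFW" ]; then
    apply_rules
else
    IPFW="echo ipfw"
    apply_rules
fi
```

With firewall_enable="YES" and firewall_script pointing at this file in rc.conf, the rules load at boot; run on a workstation without ipfw, the script only prints the commands. To confirm the confinement without waiting for a real VPN drop, stop OpenVPN and try a download as the torrent uid, for example `su -m transmission -c 'fetch -o /dev/null http://example.com'`; it should fail, and `ipfw -a list` should show the packet counter on rule 110 increasing.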

Yummiesttag
> That's a "Windows" way to think about it. A more "ipfw" way to think about it is "allow the torrent user to send data through the VPN; don't allow the torrent user to send otherwise". The result is similar, but there's no "switch" - the rule is always present.
>
> What's in /usr/local/etc/openvpn/ipfw.rules, as referenced by /etc/rc.conf?
>
> That's a slightly unusual place to put that file - /usr/local/etc would be more typical.

Gotcha, the Windows application has the "switch", but I see how it should be explained for a Linux-type application.

Code:
#!/bin/bash
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface $cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface $cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Deluge $cmd 00101 allow all from me to 192.168.1.0/24 uid transmission $cmd 00102 allow all from 192.168.1.0/24 to me uid transmission

 # deny any Deluge connection outside LAN that does not use VPN $cmd 00103 deny all from any to any uid transmission


Code:
#!/bin/sh
##
# OpenVPN Kill Switch Configuration.
#
# From:
# https://github.com/danjacques/freenasdocs
##

. /etc/network.subr

RULE_NO=1000
fwcmd="/sbin/ipfw"
add_fw() {
  ${fwcmd} add ${RULE_NO} $*
  RULE_NO=$((${RULE_NO}+1))
}

# Flush all current rules before we start.
${fwcmd} -f flush

# Enable loopback.
add_fw allow ip from any to any via lo0

# Enable VPN traffic.
add_fw allow ip from any to any via tun*

# Internal Routing
#
# Change these addresses accordingly for your internal network and netmask.
add_fw allow log ip from any to 192.168.1.0/24 keep-state

# Allow DNS traffic.
#
# OpenVPN configs may use host names, and we'll need to look these up.
# Default route.
add_fw allow log udp from any to any dst-port 53 keep-state

# Allow traffic on OpenVPN UDP port.
#
# If you're using TCP VPN and/or a different port, update accordingly. Consult
# your OpenVPN config for details.
add_fw allow log udp from any to any dst-port 1198 keep-state

# Cleanup rules.
RULE_NO=4000
add_fw allow ip from 127.0.0.1 to any

# VPN Network Access.
RULE_NO=5000
add_fw allow ip from 10.0.0.0/7 to any
add_fw allow ip from any to 10.0.0.0/7

# Block everything else.
RULE_NO=65534
add_fw deny log ip from any to any

Volts
> linux type application

If you'd rather use Linux-type stuff, look at SCALE.

What files are those snippets from?

The first one has almost everything commented out; all it does is flush the ruleset. The second doesn't appear to be active.