
Been searching for the answer, but have found nothing.

Like most smart Internet users, I use a VPN. You can correct me if I'm wrong, but when I set up a VPN (using the OpenVPN protocol, at least) the network routing looks like this:

app 1 -----
           |
app 2 -----+ ----- tun0 -----> outside world
           |
app 3------+

Then, if the VPN is shut down:

app 1 -----
           |
app 2 -----+ -----------> outside world [No protection :(]
           |
app 3------+

Other sources have the setup to allow traffic from tun0 to the VPN's IP address. However, in a lot of cases the IP address isn't known or it's chosen at random (i.e. at the user's whim).

The issue I've come across in spending hours on this problem is that I was able to get this to work (allowing only tun0 to anywhere), but only if tun0 was already active, and only during that connection session. Once I ended the connection the rules would not allow any traffic through, and wouldn't even connect to the VPN.

Strangely, Android makes this very easy. All I need to do is install AFWall+, my favorite VPN, allow connections to the net to my VPN, and then allow only VPN connections from apps I want. All others will be blocked, and if the VPN goes down, no traffic will be allowed through. Why is this so hard to do on a PC?

tl;dr Is there a ufw rule to allow all/some traffic to tun0, then allow traffic from tun0 to anywhere?

1 Answer


I'll treat this as an XY problem: Your goal (X) is to have some applications use a VPN, and stop having internet connection when the VPN goes down. You think you need (Y) to do this with firewall rules and a kill switch, but there's a much easier solution: network namespaces.

So set up OpenVPN to create the tun interface in a new network namespace (see e.g. this question). Then start all your applications that should access the internet only through the VPN inside this namespace (using ip netns exec, see link above). If the VPN should go down, the apps don't have any internet access any more. If it goes up again, they have access again.

As a bonus, any applications running in your main namespace will still be able to access the internet directly, without the VPN (and therefore with a faster connection).

Trying to do this with firewall rules is more involved, because of course you can only set up the firewall rules after all IP addresses related to the VPN are known. A firewall works on an IP basis, so there's no way around that.

I have no idea what AFWall+ actually does (did you try to find out?). Maybe it's using namespaces internally ...

dirkt
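One way to build the namespace setup the answer describes, as an added example that is not part of the original answer or of the question it links to. OpenVPN runs in the main namespace, so it can reach the VPN server at whatever address the provider uses; the tun device it opens is then moved into a namespace that contains nothing else, so programs started there can only talk through the tunnel, and when OpenVPN exits the device disappears with it and they have no route at all. The namespace name vpn, the config path /etc/openvpn/client/provider.conf and the resolver 10.8.0.1 are assumptions, as is the script name used in the usage note. Privileged commands are printed rather than executed unless DRY_RUN=0, so the plan can be reviewed before it is run as root.

```shell
#!/bin/sh
# Network-namespace kill switch for OpenVPN (added example, not the answer's own code).
# Design: OpenVPN itself runs in the main namespace, so it can reach the VPN server
# at whatever address the provider uses. The tun device it opens is moved into a
# namespace that contains nothing else. Programs started in that namespace can only
# send traffic through the tunnel; when OpenVPN exits, the tun device is destroyed
# with it and the namespace is left with no route at all. No firewall rule is needed.
#
# Assumed names (not from the original post): namespace "vpn", the config path
# below, and a DNS server at 10.8.0.1 that is reachable through the tunnel.
set -eu

NS="${NS:-vpn}"
OVPN_CONF="${OVPN_CONF:-/etc/openvpn/client/provider.conf}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"
SELF=$(readlink -f "$0" 2>/dev/null || printf '%s' "$0")

# DRY_RUN=1 (the default) prints each privileged command instead of executing it,
# so the plan can be reviewed (and tested) without root. Use DRY_RUN=0 for real.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the namespace. It starts with only a loopback device and no routes.
# "ip netns exec" bind-mounts /etc/netns/$NS/resolv.conf over /etc/resolv.conf, so
# name lookups inside the namespace go to the VPN resolver, not the host's.
ns_create() {
    run ip netns add "$NS"
    run ip -n "$NS" link set lo up
    run mkdir -p "/etc/netns/$NS"
    run sh -c "printf 'nameserver %s\n' '$VPN_DNS' > /etc/netns/$NS/resolv.conf"
}

# Step 2: the --up hook. OpenVPN exports dev, ifconfig_local and tun_mtu to it.
# With --ifconfig-noexec and --route-noexec, OpenVPN leaves the device unconfigured
# in the main namespace; we move it and configure it inside $NS instead. tun is a
# point-to-point device, so a default route via the device alone is enough.
vpn_up() {
    d="${dev:?exported by openvpn}"
    addr="${ifconfig_local:?exported by openvpn}"
    run ip link set dev "$d" netns "$NS"
    run ip -n "$NS" link set dev "$d" mtu "${tun_mtu:-1500}" up
    run ip -n "$NS" addr add "$addr/32" dev "$d"
    run ip -n "$NS" route add default dev "$d"
}

# Step 3: start OpenVPN in the main namespace with this script as its --up hook.
# --setenv passes our variables through to the hook. Leave "persist-tun" out of the
# config so that a reconnect recreates the device and runs the hook again.
vpn_start() {
    run openvpn --config "$OVPN_CONF" \
        --ifconfig-noexec --route-noexec --script-security 2 \
        --setenv NS "$NS" --setenv DRY_RUN "$DRY_RUN" \
        --up "$SELF up"
}

# Step 4: run a program inside the namespace, dropping back to the invoking user so
# its files are not owned by root. Whatever it does goes through the tunnel or nowhere.
ns_run() {
    run ip netns exec "$NS" sudo -u "${SUDO_USER:-${USER:-root}}" -- "$@"
}

case "${1:-}" in
    create) ns_create ;;
    start)  vpn_start ;;
    up)     vpn_up ;;
    run)    shift; ns_run "$@" ;;
    *)      echo "usage: $0 create | start | up | run PROGRAM [ARGS...]" >&2 ;;
esac
```

Saved as, say, vpn-ns.sh: run `sudo env DRY_RUN=0 ./vpn-ns.sh create` once, `sudo env DRY_RUN=0 ./vpn-ns.sh start` to bring the tunnel up, and `sudo env DRY_RUN=0 ./vpn-ns.sh run firefox` for each program that must only ever use the VPN. The kill-switch property comes from the kernel, not from any rule: a non-persistent tun device is removed when OpenVPN closes it, so after a VPN failure the namespace holds nothing but lo and has no default route. Programs in the main namespace are unaffected and keep their direct connection, as the answer notes. The VPN server's address never has to be known in advance, which is exactly what made the firewall approach awkward.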