Firewall Rules for when VPN Quits.

Hey folks! First of all my desktop is running Ubuntu 18.10 Vanilla Gnome-Session and running stock ‘UFW’ firewall.

I occasionally use a VPN service when doing P2P and torrenting. A few days ago I left my deluge client up and seeding overnight, with the VPN connection active. In the morning I noticed the VPN had quit, but the connection remained up, and I was torrenting in the open fully exposed. Subsequently, I rec’d the dreaded ISP letter.

I had followed this tutorial to set up my firewall, with the expectation that if the VPN went down, so would my entire internet connection, thereby protecting me from being exposed. Unfortunately it didn’t work.
Now, I’m not a sysadmin or network guru - so hopefully some expertise here could help with firewall rules that would prevent this from happening again. Suggestions gratefully accepted. Thank you!

1 Like

You wrote that you use your VPN sometimes. What connection are you using without the VPN? Because if you only allow the VPN tun device you should not have any other network connection.

Can I have the output of the following (redact private information; you can change IP addresses):

sudo ufw status
sudo ip link show
sudo netstat -tulpn

1 Like

Hi, thanks for your reply.

When I’m not using my VPN, all my devices are behind my ISP-provided consumer router/switch on a home LAN. Generally only the workstation desktop connects to the VPN service, using the openvpn client in Ubuntu.

I have removed all the rules from the previous tutorial from ‘ufw’, so would the information requested have any use? I mean, I don’t even activate the firewall software unless I’m on the DHT networks …

If you happen to see it not working again you can come back. With your disabled ufw every connection in the outgoing direction is allowed.

What I’m looking for is a set of rules for ufw to kill my internet connection on that desktop when the VPN fails. Thanks. I assumed that a guru would be able to tell me what was wrong with the foregoing tutorial. Those rules didn’t work at all. Nothing got in or out regardless of whether tun0 was connected or not.

On Sat, 2019-01-26 at 03:00 +0100, idnovic wrote:
> If you happen to see it not working again you can come back. With your disabled ufw every connection in the outgoing direction is allowed.

The guide you posted looks right. There must be something wrong with the tun rule part.

Following the guide you should expect no connection at all without the VPN. The VPN connection works as long as you set the IP address up right. I do not know the IP of your VPN provider. You do not need the openvpn client. Any software able to use your tun device should be able to talk to the IP you set up in the ufw rules. But the tun device is used for the VPN connection in your case.

You wrote that nothing got in or out. That means it did exactly what you wanted. I am not sure how you connected when nothing got out. Were you able to connect to the VPN provider with the ufw rules of the guide you posted enabled?

1 Like
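The rule set idnovic describes (nothing leaves the box except through the tunnel, plus the single hole needed to reach the VPN server's IP on the physical NIC), written out as an added example. This is not code from the thread, from the linked guide or from any poster; every address, port and interface name in it is a constructed placeholder that has to be replaced with your own values, and the LAN rule is an assumption about a home network like the one described above.

```shell
#!/bin/sh
# Added example (not from this thread or any of its posters): a ufw
# "kill switch" that only lets traffic leave through the VPN tunnel.
#
# Every value below is a constructed placeholder, not taken from the thread:
#   VPN_SERVER / VPN_PORT / VPN_PROTO  the VPN endpoint, as an IP address
#   PHYS_IF                            the physical NIC the VPN rides on
#   TUN_IF                             the tunnel device OpenVPN creates
#   LAN_NET                            the home LAN, kept reachable
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
PHYS_IF="${PHYS_IF:-enp3s0}"
TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ufw commands that make up the kill switch, one per line.
# Order matters: the two "default deny" lines close everything first, then
# the allow rules punch the only holes we want. Replies to connections we
# opened ourselves are still let back in by ufw's connection tracking, so
# no "allow in on tun0" rule is needed just to download.
killswitch_rules() {
    cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow out on $PHYS_IF to $VPN_SERVER port $VPN_PORT proto $VPN_PROTO
ufw allow out on $TUN_IF from any to any
ufw allow out on $PHYS_IF to $LAN_NET
ufw allow in on $PHYS_IF from $LAN_NET
ufw --force enable
EOF
}

# Apply the rules (needs root). Without APPLY=1 the commands are only
# printed, so the set can be reviewed before it touches the firewall.
apply_killswitch() {
    if [ "${APPLY:-0}" != "1" ]; then
        killswitch_rules
        return 0
    fi
    killswitch_rules | while IFS= read -r cmd; do
        sudo sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Returns 0 when the tunnel device exists, 1 otherwise. Uses "ip link show",
# the same command idnovic asked for earlier in the thread.
vpn_is_up() {
    ip link show "$TUN_IF" >/dev/null 2>&1
}
```

Two consequences of the "default deny outgoing" line are worth checking before arming this. First, the VPN server must be given to OpenVPN as an IP address, not a hostname: with the switch armed there is no path for a DNS lookup before the tunnel exists, which is the "did the IP address set up right" point made above. Second, the LAN rule keeps the router reachable, so if the desktop's resolver is the router, DNS queries would still go out through the ISP while the tunnel is down; drop or narrow that rule if you want DNS to fail closed as well. To confirm the switch actually kills traffic, stop the VPN and check that `vpn_is_up` returns 1 and that a download in the torrent client stalls rather than continuing.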

Actually perhaps I’m making this more complicated than it needs to be. Since Deluge has a proxy configuration of its own, I’m going to enable that using SOCKS5/Auth. That should suffice, correct? I mean if the app depends on the SOCKS proxy in order to work, that should be “good enough” - What do you think?

On Sat, 2019-01-26 at 03:30 +0100, idnovic wrote:
> The guide you posted looks right. There must be something wrong with the tun rule part.
>
> Following the guide you should expect no connection at all without the VPN. The VPN connection works as long as you set the IP address up right. I do not know the IP of your VPN provider. You do not need the openvpn client. Any software able to use your tun device should be able to talk to the IP you set up in the ufw rules. But the tun device is used for the VPN connection in your case.
>
> You wrote that nothing got in or out. That means it did exactly what you wanted. I am not sure how you connected when nothing got out. Were you able to connect to the VPN provider with the ufw rules of the guide you posted enabled?

Yes. As long as the torrent client stops the connection and does not connect over another. Just try it out. Start a session and kill the proxy. Not sure how you would do that. Where is the SOCKS proxy?

1 Like

It’s in another country at the moment. I noticed in the Deluge options that it’s possible to bind to an address too. So I believe the Deluge solution may be the way to proceed.

Hey, I know this is an old thread but maybe someone will benefit from this information. IMO, don’t screw around with UFW / iptables directly - it’s a recipe for disaster (mistake can either prevent a connection or leak your IP). Use this script: https://github.com/wknapik/vpnfailsafe.

2 Likes

No worries - thanks for the script. I will definitely check it out!