[opensuse] Blocking all traffic if vpn connection fails
Using openvpn service, what is the best way to block all traffic other than VPN? I've been looking at iptables, routes and eth0 vs tun0 devices, but I'm so far away from the network stack, I'm either breaking the internet completely or still some traffic goes directly, either right away or after vpn connection failure. For some reason I had more luck setting up DD-WRT than a full linux box. My goal is, provide openvpn with a '--up' script that will set the machine to have either VPN or nothing. Even if changes can be reverted only by reboot, that's fine with me.
-- Regards, Stas
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 12/14/2014 01:30 PM, Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
I've been looking at iptables, routes and eth0 vs tun0 devices, but I'm so far away from network stack, I'm either breaking the internet completely or still some traffic goes directly, either right away or after vpn connection failure. For some reason I had more luck setting up DD-WRT than full linux box.
My goal is, provide openvpn with '--up' script that will set the machine to have either VPN or nothing. Even if changes can be reverted only by reboot, that's fine with me.
The general practice is to configure the firewall to allow only what you want, in this case OpenVPN. So just allow the UDP port it uses. When the tunnel shuts down, there should be nothing listening to that port.
On Sunday 14 December 2014 13:35:21 James Knott wrote:
On 12/14/2014 01:30 PM, Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
I've been looking at iptables, routes and eth0 vs tun0 devices, but I'm so far away from network stack, I'm either breaking the internet completely or still some traffic goes directly, either right away or after vpn connection failure. For some reason I had more luck setting up DD-WRT than full linux box.
My goal is, provide openvpn with '--up' script that will set the machine to have either VPN or nothing. Even if changes can be reverted only by reboot, that's fine with me.
The general practice is to configure the firewall to allow only what you want, in this case OpenVPN. So just allow the UDP port it uses. When the tunnel shuts down, there should be nothing listening to that port.
Well, the problem is, the service I'm using works faster with TCP and uses port 443. Otherwise that idea would work perfectly.
-- Regards, Stas
On 12/14/2014 01:39 PM, Stanislav Baiduzhyi wrote:
The general practice is to configure the firewall to allow only what you want, in this case OpenVPN. So just allow the UDP port it uses. When the tunnel shuts down, there should be nothing listening to that port.
Well, the problem is, the service I'm using works faster with TCP and uses port 443. Otherwise that idea would work perfectly.
Well, the same applies. You allow only the ports you want to come in. Also, as asked by someone else, is this a client or server? If client, it's not an issue.
On Sunday 14 December 2014 13:43:03 James Knott wrote:
On 12/14/2014 01:39 PM, Stanislav Baiduzhyi wrote:
The general practice is to configure the firewall to allow only what you
want, in this case OpenVPN. So just allow the UDP port it uses. When the tunnel shuts down, there should be nothing listening to that port.
Well, the problem is, the service I'm using works faster with TCP and uses port 443. Otherwise that idea would work perfectly.
Well, the same applies. You allow only the ports you want to come in. Also, as asked by someone else, is this a client or server? If client, it's not an issue.
Yes, but TCP on port 443 is HTTPS, which means that browser traffic will be allowed through this firewall rule, right? With DD-WRT I was using some firewall rule that blocked all traffic from br0 to WAN, then allowed traffic from tun0 to WAN and from br0 to tun0. That allowed the router itself to see NTP and DNS, but all the clients had to go through openvpn or have no connection at all. And I cannot figure out if it's possible to create similar rules for a normal client machine, where I have only one eth0 device and it can be reached directly... Is it possible to force tun0 as the default network device, then allow only tun0 to contact eth0 and drop all other connections?
-- Regards, Stas
On 12/14/2014 01:39 PM, Stanislav Baiduzhyi wrote:
Well, the problem is, the service I'm using works faster with TCP and uses port 443. Otherwise that idea would work perfectly.
BTW, it's generally not a good idea to run a VPN over TCP, unless necessary. This is because TCP uses flow control and with TCP running on top of TCP, you may confuse the flow control which will cause a slow down. UDP has behaviour similar to bare Ethernet so this problem doesn't arise.
On Sunday 14 December 2014 13:44:52 James Knott wrote:
On 12/14/2014 01:39 PM, Stanislav Baiduzhyi wrote:
Well, the problem is, the service I'm using works faster with TCP and uses port 443. Otherwise that idea would work perfectly.
BTW, it's generally not a good idea to run a VPN over TCP, unless necessary. This is because TCP uses flow control and with TCP running on top of TCP, you may confuse the flow control which will cause a slow down. UDP has behaviour similar to bare Ethernet so this problem doesn't arise.
Surprisingly, everyone says that UDP should work better for openvpn, I've also heard about packet size mismatch which may bring another breakdown of packets, and so on. But speedtest constantly shows much much better result on TCP than on UDP...
-- Regards, Stas
On 12/14/2014 01:50 PM, Stanislav Baiduzhyi wrote:
But speedtest constantly shows much much better result on TCP than on UDP...
That might indicate a problem elsewhere.
On Sunday 14 December 2014 14:17:32 James Knott wrote:
On 12/14/2014 01:50 PM, Stanislav Baiduzhyi wrote:
But speedtest constantly shows much much better result on TCP than on UDP...
That might indicate a problem elsewhere.
Ok, my up script breaks the openvpn connection as well. I'm trying to do it with yast firewall, but I cannot figure out how to do it properly... Here's what I'm doing:
1. assigning eth0 to external zone.
2. in "Allowed Services", checking "Protect Firewall..." checkbox.
3. in "Advanced" adding UDP 443.
4. now I want to allow UDP 53 only to opendns server, then in openvpn up script replace my resolv.conf to google DNS, to resolve address of openvpn server and then switch to DNS that is accessible through VPN only.
But I cannot find a way to do that with yast firewall...
-- Regards, Stas
On 14/12/14 at 15:30, Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
I've been looking at iptables, routes and eth0 vs tun0 devices, but I'm so far away from network stack, I'm either breaking the internet completely or still some traffic goes directly, either right away or after vpn connection failure. For some reason I had more luck setting up DD-WRT than full linux box.
My goal is, provide openvpn with '--up' script that will set the machine to have either VPN or nothing. Even if changes can be reverted only by reboot, that's fine with me.
Is this a VPN client or a vpn server? Are you sure you want to block all outgoing traffic when there is no VPN connection or you want the VPN to be the default gateway?
On Sunday 14 December 2014 15:35:28 Cristian Rodríguez wrote:
On 14/12/14 at 15:30, Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
I've been looking at iptables, routes and eth0 vs tun0 devices, but I'm so far away from network stack, I'm either breaking the internet completely or still some traffic goes directly, either right away or after vpn connection failure. For some reason I had more luck setting up DD-WRT than full linux box.
My goal is, provide openvpn with '--up' script that will set the machine to have either VPN or nothing. Even if changes can be reverted only by reboot, that's fine with me.
Is this a VPN client or a vpn server ?
Client.
Are you sure you want to block all outgoing traffic when there is no VPN connection or you want the VPN to be the default gateway ?
I'm absolutely sure I want to block all other traffic.
-- Regards, Stas
On Sun, 14 Dec 2014 19:40:21 +0100 Stanislav Baiduzhyi wrote:
On Sunday 14 December 2014 15:35:28 Cristian Rodríguez wrote:
On 14/12/14 at 15:30, Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
I've been looking at iptables, routes and eth0 vs tun0 devices, but I'm so far away from network stack, I'm either breaking the internet completely or still some traffic goes directly, either right away or after vpn connection failure. For some reason I had more luck setting up DD-WRT than full linux box.
My goal is, provide openvpn with '--up' script that will set the machine to have either VPN or nothing. Even if changes can be reverted only by reboot, that's fine with me.
Is this a VPN client or a vpn server ?
Client.
Are you sure you want to block all outgoing traffic when there is no VPN connection or you want the VPN to be the default gateway ?
I'm absolutely sure I want to block all other traffic.
You will need to allow traffic to/from your VPN peer and to/from your VPN device; everything else can be blocked. You can limit VPN peer traffic to OpenVPN ports to be fully paranoid.
On Sunday 14 December 2014 21:57:38 Andrei Borzenkov wrote:
You will need to allow traffic to/from your VPN peer and to/from your VPN device; everything else can be blocked. You can limit VPN peer traffic to OpenVPN ports to be fully paranoid.
I tried to do that, here's what I came up with:
    /usr/sbin/iptables -A OUTPUT -o eth0 -j REJECT
    /usr/sbin/iptables -A OUTPUT -o eth0 -p udp --dport 443
    /usr/sbin/iptables -A INPUT -i eth0 -p udp --sport 443
But as soon as that script is executed the openvpn connection drops. Which is kind of obvious, but I cannot find a proper solution in google... Any hints? :)
-- Regards, Stas
On Sun, 2014-12-14 at 22:11 +0100, Stanislav Baiduzhyi wrote:
On Sunday 14 December 2014 21:57:38 Andrei Borzenkov wrote:
You will need to allow traffic to/from your VPN peer and to/from your VPN device; everything else can be blocked. You can limit VPN peer traffic to OpenVPN ports to be fully paranoid.
I tried to do that, here's what I came up with:
    /usr/sbin/iptables -A OUTPUT -o eth0 -j REJECT
    /usr/sbin/iptables -A OUTPUT -o eth0 -p udp --dport 443
    /usr/sbin/iptables -A INPUT -i eth0 -p udp --sport 443
But as soon as that script is executed the openvpn connection drops. Which is kind of obvious, but I cannot find proper solution in google... Any hints? :)
Normally openvpn works on port 1194, either on UDP or TCP. If you need to punch through a firewall, or through a proxy, you must use http-encapsulation, and thus need TCP port 443, not udp. Furthermore, if you explicitly allow outgoing https-traffic towards the vpn-server, you can use stateful incoming traffic.
Hans
On Sun, 14 Dec 2014 22:11:43 +0100 Stanislav Baiduzhyi wrote:
On Sunday 14 December 2014 21:57:38 Andrei Borzenkov wrote:
You will need to allow traffic to/from your VPN peer and to/from your VPN device; everything else can be blocked. You can limit VPN peer traffic to OpenVPN ports to be fully paranoid.
I tried to do that, here's what I came up with:
/usr/sbin/iptables -A OUTPUT -o eth0 -j REJECT
This rule blocks everything. The first rule that applies to a packet wins. So you need to put exceptions first and rule that blocks everything as last.
    /usr/sbin/iptables -A OUTPUT -o eth0 -p udp --dport 443
    /usr/sbin/iptables -A INPUT -i eth0 -p udp --sport 443
But as soon as that script is executed the openvpn connection drops. Which is kind of obvious, but I cannot find proper solution in google... Any hints? :)
Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
Change default route, then redirect/reject everything that doesn't take the default route.
-- Per Jessen, Zürich (8.8°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Sun, 14 Dec 2014 19:52:12 +0100 Per Jessen wrote:
Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
Change default route, then redirect/reject everything that doesn't take the default route.
Including VPN traffic itself ... :)
Andrei Borzenkov wrote:
On Sun, 14 Dec 2014 19:52:12 +0100 Per Jessen wrote:
Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
Change default route, then redirect/reject everything that doesn't take the default route.
Including VPN traffic itself ... :)
Hehe, yup, let port 1194 traffic go :-)
-- Per Jessen, Zürich (9.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Sun, 2014-12-14 at 20:07 +0100, Per Jessen wrote:
Andrei Borzenkov wrote:
On Sun, 14 Dec 2014 19:52:12 +0100 Per Jessen wrote:
Stanislav Baiduzhyi wrote:
Using openvpn service, what is the best way to block all traffic other than VPN?
Change default route, then redirect/reject everything that doesn't take the default route.
Including VPN traffic itself ... :)
Hehe, yup, let port 1194 traffic go :-)
Unless you use http-encapsulation of your openvpn-tunnel, in which case you just need to allow 443. The gateway redirection can be pushed from the vpn-server to the vpn-client. However, there is a catch-22: in case your client uses dhcp for obtaining its IP-address and other parameters, you will be in for a surprise. If the lease-renewal occurs while the tunnel is up AND you blocked 67/68 you will be out of an address and all traffic will drop. If you do allow renewal, you will notice that the gateway definition from the vpn will be overwritten by dhcp.
Hans
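The following is an added example, not a script posted in this thread: an OpenVPN `--up` script that puts together the advice given above. It follows Andrei's point that the exceptions must come before the blanket REJECT (iptables stops at the first matching rule), allows only the VPN peer on the uplink plus everything on the tunnel device, and keeps DHCP 67/68 open so that a lease renewal does not cut the machine off, which is the catch Hans describes. The ruleset is generated as text in iptables-restore format so it can be inspected and checked without touching the kernel, and only loaded when OpenVPN actually invokes the script. Assumptions: the variable names WAN_IF and BOOT_DNS are my own, the addresses 203.0.113.10 and 198.51.100.53 are constructed documentation addresses, and the OpenVPN environment variables used (script_type, dev, trusted_ip, trusted_port, proto_1) are the ones the OpenVPN manual documents for --up scripts.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN --up script for a VPN-only
# "kill switch" on a client with one uplink (eth0) and one tunnel (tun0).
# gen_rules writes an iptables-restore ruleset to stdout; apply_rules loads it.
#
# Arguments: uplink, tunnel device, VPN peer IP, peer port, peer protocol
# (tcp|udp) and an optional bootstrap resolver reachable before the tunnel
# is up (the "allow UDP 53 only to one DNS server" step from the thread).
gen_rules() {
    wan_if=${1:-eth0}
    vpn_if=${2:-tun0}
    peer=${3:?VPN peer IP required}
    port=${4:-443}
    proto=${5:-tcp}
    dns=${6:-}

    dns_rules=""
    if [ -n "$dns" ]; then
        dns_rules="-A OUTPUT -o $wan_if -p udp -d $dns --dport 53 -j ACCEPT
-A OUTPUT -o $wan_if -p tcp -d $dns --dport 53 -j ACCEPT"
    fi

    # iptables-restore replaces the whole filter table, so re-running this on
    # a reconnect does not pile up duplicate rules. Policies are DROP; every
    # ACCEPT is an exception and must precede the final REJECT, because the
    # first matching rule wins.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $wan_if -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $wan_if -p udp --sport 67 --dport 68 -j ACCEPT
$dns_rules
-A OUTPUT -o $wan_if -p $proto -d $peer --dport $port -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A OUTPUT -o $wan_if -j REJECT
COMMIT
EOF
}

# Guard against the ordering mistake from the thread: reads a ruleset on
# stdin and succeeds only if the last OUTPUT rule is the blanket REJECT,
# i.e. no exception was appended after the block-everything rule.
verify_order() {
    awk '/^-A OUTPUT/ { last = $0 }
         END { if (last ~ /-j REJECT$/) exit 0; exit 1 }'
}

# Generate, check, then load with iptables-restore (needs root).
apply_rules() {
    rules=$(gen_rules "$@") || return 1
    printf '%s\n' "$rules" | verify_order || {
        echo "refusing to load ruleset: REJECT is not the last OUTPUT rule" >&2
        return 1
    }
    printf '%s\n' "$rules" | iptables-restore
}

# OpenVPN runs this as --up (requires "script-security 2" in the client
# config) with script_type=up and dev, trusted_ip, trusted_port, proto_1
# exported. WAN_IF and BOOT_DNS are assumed names set by the administrator.
if [ "${script_type:-}" = "up" ]; then
    apply_rules "${WAN_IF:-eth0}" "$dev" "$trusted_ip" "$trusted_port" \
                "${proto_1:-tcp}" "${BOOT_DNS:-}"
fi
```

To preview the ruleset without loading it, run `gen_rules eth0 tun0 <peer-ip> 443 tcp` from a shell that has sourced the file. Using trusted_ip rather than the server's hostname means the peer exception does not depend on DNS once the tunnel is up; the bootstrap resolver is only needed to resolve the server name before connecting. What the firewall cannot fix is the other half of Hans's catch-22: a DHCP renewal may rewrite the default route, so the route table should be checked after a renewal as well.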