El Rincón del Tío Nuke

Mozilla, free software, privacy and more

VPN Kill switch for Linux – Protect from VPN drops and DNS leaks

This post is a follow-up to the one posted at TheTinHat.com.

What we want to ensure is that:

  • We connect to our VPN and all traffic (including DNS) goes through it.
  • If the VPN connection drops, nothing leaks and the VPN reconnects automatically.
  • We can safely go back to not using the VPN.

We will use two scripts, vpn-firewall.sh and vpn-off.sh. Place them under your /home/user/bin folder (or anywhere else) and make them executable with chmod +x vpn-*

vpn-firewall.sh

vpn-off.sh

Usage:

  • Make sure you have the ufw package installed.
  • Before opening any app, run vpn-firewall.sh to connect to the VPN and set up the firewall. The script then keeps monitoring the connection and reconnects the VPN if it drops, so nothing leaks in the meantime. Stop monitoring with Ctrl+C (Ctrl+Z only suspends the script; it would resume with fg).
  • If you want to stop using the VPN, stop monitoring with Ctrl+C and run vpn-off.sh. IMPORTANT: close all apps first, or list them under KILL_APPS in vpn-off.sh, so that nothing is still talking to the network when the tunnel goes away and the firewall is opened again.
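Since the two scripts themselves are not reproduced on this page, here is an added example of the same design in a single POSIX shell script (written for this edit; it is not the blog's vpn-firewall.sh or vpn-off.sh). It locks ufw down so that only the loopback, the tunnel interface, the local network and the VPN endpoint are reachable, explicitly denies DNS outside the tunnel, monitors the connection and reconnects it with nmcli, and provides a down subcommand that mirrors vpn-off.sh. The interface names (tun0, eth0), the NetworkManager connection name MyVPN, the endpoint 203.0.113.10 on UDP 1194, the LAN 192.168.1.0/24 and the KILL_APPS list are all assumptions for illustration and can be overridden through the environment.

```shell
#!/bin/sh
# Added example kill switch, not the blog's own scripts. Every value below is
# an assumption for illustration; override it in the environment:
#   VPN_IF      tun interface the VPN creates
#   VPN_CONN    NetworkManager connection name (see: nmcli connection show);
#               it must be visible to root, since ufw and nmcli run as root here
#   VPN_SERVER  VPN endpoint as an IP address: once DNS is blocked outside the
#               tunnel, a hostname could not be resolved before the tunnel is up
#   WAN_IF      physical interface, LAN_NET the local network still reachable
#   KILL_APPS   processes to terminate before the firewall is opened again
set -eu

VPN_IF="${VPN_IF:-tun0}"
VPN_CONN="${VPN_CONN:-MyVPN}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
KILL_APPS="${KILL_APPS:-firefox transmission-gtk}"
CHECK_INTERVAL="${CHECK_INTERVAL:-5}"

# Print the ufw commands for the locked-down state, one per line, without
# running them. Order matters: ufw evaluates rules top to bottom, so the DNS
# deny must precede the LAN allow, otherwise a resolver on the LAN (typically
# the router) would still answer queries outside the tunnel. Inbound on the
# tunnel is deliberately not opened; replies are covered by ufw's
# established/related handling.
killswitch_rules() {
    cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default deny outgoing
ufw allow in on lo
ufw allow out on lo
ufw allow out on $VPN_IF
ufw deny out on $WAN_IF to any port 53
ufw allow out on $WAN_IF to $VPN_SERVER port $VPN_PORT proto $VPN_PROTO
ufw allow in on $WAN_IF from $LAN_NET
ufw allow out on $WAN_IF to $LAN_NET
ufw --force enable
EOF
}

# Commands that return ufw to an ordinary permissive state (vpn-off.sh role).
permissive_rules() {
    cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw --force enable
EOF
}

# Execute one command per input line; a failing ufw call aborts (set -e).
run_lines() {
    while IFS= read -r cmd; do
        $cmd
    done
}

# Up means: the tun interface has an IPv4 address and NetworkManager reports
# the profile as active. Checking both catches a half-torn-down tunnel.
vpn_is_up() {
    ip -4 addr show dev "$VPN_IF" 2>/dev/null | grep -q 'inet ' &&
        nmcli -t -f NAME connection show --active | grep -qx "$VPN_CONN"
}

# Reconnect loop. The firewall rules are already in place, so while the VPN
# is down nothing can leave through $WAN_IF except the VPN handshake itself.
monitor() {
    while :; do
        if ! vpn_is_up; then
            echo "$(date '+%F %T') $VPN_CONN is down, reconnecting" >&2
            nmcli connection up id "$VPN_CONN" || true
        fi
        sleep "$CHECK_INTERVAL"
    done
}

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo: ufw and nmcli need root" >&2; return 1; }
}

vpn_up() {
    need_root
    killswitch_rules | run_lines
    monitor   # Ctrl+C ends monitoring; the firewall rules stay in place
}

vpn_down() {
    need_root
    for app in $KILL_APPS; do pkill -x "$app" || true; done
    nmcli connection down id "$VPN_CONN" || true   # still locked down here
    permissive_rules | run_lines                    # only now open the firewall
}

case "${1:-}" in
    up)    vpn_up ;;
    down)  vpn_down ;;
    rules) killswitch_rules ;;
    *)     echo "usage: $0 up|down|rules" >&2 ;;
esac
```

`sudo ./vpn-killswitch.sh rules` prints the commands it would issue, `up` applies them and starts monitoring, and `down` is the equivalent of vpn-off.sh, to be run after closing your apps. Two things to check before trusting it: `ufw --force reset` discards any rules you already had, and the endpoint must be given as an IP address because, once the rules are active, nothing outside the tunnel can resolve names (which is exactly why the LAN resolver never gets a chance to answer). `sudo ufw status numbered` shows the resulting rule order.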

If you want vpn-firewall.sh to run every time you log in, create a file vpn-firewall.desktop under ~/.config/autostart/ with the following content:

[Desktop Entry]
Name=VPN Firewall autostart
Type=Application
NoDisplay=true
Exec=/home/user/bin/vpn-firewall.sh

Two caveats: the Exec key is not passed through a shell, so ~ is not expanded and the path must be absolute; and autostart entries run as your user, while this script needs root to change the firewall rules, so it will fail unless you grant your user a passwordless sudo rule for the script or run it as a root systemd service instead.

4 comments for “VPN Kill switch for Linux – Protect from VPN drops and DNS leaks”

  1. hd9gd87
    4 September 2017 at 19:47

    That’s great, thanks for that!
    Is it possible to use openvpn in the terminal to connect instead of NetworkManager? I do not use NM because it can leak DNS; using openvpn in the terminal prevents that from happening.

  2. Claus
    12 September 2017 at 14:16

    Does the script allow LAN traffic while active, and if not, can it be modified to do that? (I would like to locally access my box using xRDP.)

  3. 12 September 2017 at 14:26

    Yes, it allows local traffic; check the code under

    # Allow local network connections

  4. 12 September 2017 at 14:28

    hd9gd87, yes, feel free to modify the nmcli lines with the corresponding openvpn ones.

    This script ensures there are no DNS leaks: DNS requests are blocked unless they go through the tunnel.
