How to block internet connection when VPN fails?


Re: How to block internet connection when VPN fails?

Postby M51 » 2014-05-02 13:35

OK, from your logs, what you have is an issue resolving the hostname of your VPN provider.

Once the script has placed the iptables rules in effect, you cannot resolve any hostnames. This is by design, because allowing resolution would automatically allow DNS leaks if your VPN drops.

You could place entries in your /etc/hosts file for any names you need. Note these will not be dynamic; if the IP changes, communication will break.

I'm not sure whether placing a rule in iptables allowing outbound communication to your VPN provider's hostname will work. iptables resolves the names to IP addresses at the time the rules are loaded, so if the machine is up a long time and the IP changes, the rule will be wrong. Additionally, since we are blocking DNS traffic, I'm unsure whether the machine will ever be able to resolve the name when it starts processing the rules... you could always try it and see.

Alternatively, you could add lines at the start of the script to resolve the names and rely on the DNS cache holding them for some time (this is probably why your current setup works for a while: the values are cached, and it stops working when the cache is cleared or times out).

Even fancier, you could resolve them and write them into the /etc/hosts file, which would still have an issue if the machine is up a long time and the provider's IP changes, but would work otherwise. Just be careful not to clobber your hosts file or add new entries on each boot without removing the old ones. An easy way would be to add a dummy entry to the hosts file and have the script use sed to replace the IP with the one the script gets.
M51
 
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2014-05-03 15:09

Right, that makes sense.

But what would you do to solve this problem if you were me? I must admit, this is a little bit over my head.

From what you wrote, I would prefer the last option, where I load the IP addresses into the hosts file. But I would like some solution that would just work all the time. But I see a lot of my VPN provider's IP addresses when I do:

iptables -L -n

So to check if you are right, could I then do this in my hosts file?:

123.123.123.123   vpnhostname.com
321.321.321.321   vpnhostname.com

And so on and so on..?

If the dummy method is the best bet, could you give me an example of how it would look, or perhaps point me in the right direction with some links?

Here is an experimental thought.. What if I asked my VPN provider if I could connect directly to an IP? Wouldn't this solve the problem? In my OpenVPN cfg from my provider I'm able to choose between a couple of different hostnames; perhaps I could input an IP address there and connect directly?

This was always in my cfg file, don't know if it's relevant:

#Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
Danielorum
 
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-05-03 16:52

You should be able to connect directly to an IP. That's what I do.

If you want to add an entry into the hosts 'dynamically', do this in your script before you start setting iptables rules:

# Resolve the VPN hostname and write it into /etc/hosts. Run this BEFORE
# the iptables rules are loaded: once DNS is blocked the lookup fails and
# the script stops.
HOST=vpnhostname.com

# Drop any earlier line for this host so entries do not pile up on each boot.
sed -i "/[[:space:]]$HOST\$/d" /etc/hosts

# "host" prints one "has address" line per A record; keep the first only,
# otherwise $IP would hold several addresses.
IP=$(host "$HOST" | grep "$HOST has address" | head -n 1 | cut -d' ' -f4)
if [ -z "$IP" ]
then
    echo "Unable to resolve $HOST" >&2
    exit 1
fi
echo "$IP $HOST" >> /etc/hosts
M51
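The "dummy entry" variant that M51 described earlier (a placeholder line in the hosts file whose address the script swaps on every boot), written out as an added example. This is not M51's script and not part of the original thread. It assumes the hosts file already contains a placeholder such as `0.0.0.0 vpnhostname.com # vpn-pin`, that the `host` tool (bind9-host/dnsutils, the same tool the thread uses) is installed, and that file path and hostname are passed as arguments. It uses awk instead of sed for the replacement so that the hostname needs no regex escaping, and it queries DNS with `host` rather than `getent`, because `getent` consults /etc/hosts first and would hand back the 0.0.0.0 placeholder itself.

```shell
#!/bin/sh
# Added example (not M51's script): pin the VPN server's address in a hosts
# file by replacing a placeholder line in place, so the file never
# accumulates stale entries. Run it BEFORE the iptables rules are loaded.
# Assumed placeholder line in the hosts file:
#   0.0.0.0 vpnhostname.com # vpn-pin

# Accept a single dotted-quad only, so a failed or multi-line lookup can
# never be written into the hosts file.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Query DNS directly with "host" (assumed installed) and take the first A
# record. getent would consult /etc/hosts first and return the placeholder.
resolve_ipv4() {
    host "$1" 2>/dev/null | awk '/ has address / { print $4; exit }'
}

# pin_host FILE NAME IP: replace the address on the line whose second field
# is exactly NAME. awk matches on fields, so no regex escaping of the
# hostname is needed, and comment lines are left alone.
pin_host() {
    file=$1; name=$2; ip=$3
    if ! is_ipv4 "$ip" || [ "$ip" = 0.0.0.0 ]; then
        echo "pin_host: refusing to write '$ip' for $name" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v h="$name" -v ip="$ip" '
        $1 !~ /^#/ && $2 == h { $1 = ip; n++ }
        { print }
        END { if (!n) exit 1 }
    ' "$file" > "$tmp" || {
        rm -f "$tmp"
        echo "pin_host: no placeholder line for $name in $file" >&2
        return 1
    }
    mv "$tmp" "$file"
}

# Whole flow: resolve, validate, pin. Returns non-zero so a firewall script
# that calls this can refuse to load rules against an unresolved name.
pin_vpn_host() {
    ip=$(resolve_ipv4 "$2")
    if [ -z "$ip" ]; then
        echo "Unable to resolve $2 (are the firewall rules already loaded?)" >&2
        return 1
    fi
    pin_host "$1" "$2" "$ip"
}

# Usage: sh pin-vpn-host.sh /etc/hosts vpnhostname.com
if [ "$#" -eq 2 ]; then
    pin_vpn_host "$1" "$2"
fi
```

Because the line is matched on the hostname field rather than on the address, the same call handles both the initial 0.0.0.0 placeholder and an address pinned on an earlier boot, and a missing placeholder or a lookup that did not return a plain IPv4 address makes the script fail loudly instead of writing junk into the hosts file.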

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2014-05-03 20:50

I wasn't able to use the script.. It kept telling me that it couldn't resolve the hostname... I even tried with different hostnames....

BUT!.. and here comes the fun part:

I tried to input an IP address and a hostname into /etc/hosts

and that worked!! Tried to restart a couple of times, and the connection is stable and the iptables rules are loaded with the persistent package.. so I guess this solution works for me!! I'm so happy now.. thanks again..!!!
Danielorum

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-05-03 22:12

The script probably didn't work because the iptables rules were already in effect. It will only work if the iptables rules are empty when the resolution occurs.

Glad to hear you got it working.
M51

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-10 01:56

Hi, I'm having the same issue: trying to restrict all the connections from my PC to the VPN I use.

Trying to follow your posts, I created my ruleset and saved it to a file, made it executable, but when I try to run it with sudo in the terminal it reports

' not found.4.21: host/network `XX.XX.XX.XX

where XX.XX.XX.XX is my VPN remote host IP address.

What am I doing wrong? Please help me... I need to lock all connections to VPN only, allowing local area connections, and I'm trying to figure out how to make it permanent on my system.
Running Linux Mint 17 with the Cinnamon GUI.

PLEASE HELP

thanks
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2014-06-12 02:23

Not claiming to be able to help with your specific problem, but you would probably have a much higher chance of receiving support if you posted your iptables rules.
Danielorum

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 15:22

Hi
Do you mean the terminal command: iptables -L -n -v ?

I tried it; here is the output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

What am I doing wrong?

When I try to execute

sudo /(my script.sh location)

My script is located locally on my PC at

/home/aaaaa/virtconfigs/script

I created a separate folder where I put *.ovpn files (w/o keys and certs, just ovpns to be parsed by the script), so the ovpns are stored at

/home/aaaaa/virtconfigs/allOvpn

Here is how my script looks:

#!/bin/sh
# Default-deny inbound; allow loopback, established flows and the LAN.
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
# LAN-to-LAN traffic and DHCP are allowed out.
/sbin/iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
# Collect every "remote" host from the .ovpn files and allow outbound traffic to it.
/bin/grep -h '^remote ' /home/aaaaa/virtconfigs/allOvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
# Reject everything else leaving eth1.
/sbin/iptables -A OUTPUT -o eth1 -j REJECT

My router is at 192.168.1.11

I can't execute the script in the terminal; I get an error report of

' not found.4.21: host/network `XX.XX.XX.XX

where XX.XX.XX.XX is my VPN server address

please help
oweqq99

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-06-13 17:09

I'm guessing the formatting of your ovpn files is the cause. If the lines end with carriage returns + newlines (i.e. Windows line endings), it'll mess things up.
M51

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 17:27

Thank you for your reply.

How can I check if the .ovpn is formatted the right way?
Let me know please; thanks in advance. I've been following your topic for about 6 months on different systems and it all was OK, but now it's a total failure))
oweqq99

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 17:29

BTW, please have a look at the script lines I use. Is this all correct in case I have 192.168.1.11 as the router in my local net?

thanks
oweqq99

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-06-13 17:51

Your router's IP should be fine.

Try stripping out any carriage returns by modifying this line:

/bin/grep -h '^remote ' /home/aaaaa/virtconfigs/allOvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT

to be:

/bin/grep -h '^remote ' /home/aaaaa/virtconfigs/allOvpn/*.ovpn | /usr/bin/tr -d '\r' | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
M51

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 18:06

You are a PRO; it did the trick. I'm not familiar with how to do it via the command line, and when I got your message about Windows-style carriage returns, I created a test 1test.ovpn with one line inside
remote XX.XX.XX.XXX
where XX.XX.XX.XXX is the IP of my VPN server, and it worked out immediately!!!
With your line it works out of the box with my ovpn file.

If I have several VPN servers I use, should I add an *.ovpn file for every connection setup to the folder where the script parses for remote IPs? Will it parse all files and get all IPs for the remotes I might need to connect to? Would I be able to switch VPNs and get it working after the connection is established?

I have every connection setup in a subfolder and am not sure if the script can parse subfolders... I guess you understand... I'm sorry, I'm not a Linux pro) Sometimes it's even hard to explain what is wrong; it's complicated for beginners sometimes)
oweqq99

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-06-13 18:31

The script works only if all your ovpn files are in a single directory. It will not recurse into subdirectories.

You could try this:

/bin/grep -h '^remote ' $(find /home/aaaaa/virtconfigs/allOvpn/ -name '*.ovpn') | /usr/bin/tr -d '\r' | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT

given that all ovpn files are under subdirectories of /home/aaaaa/virtconfigs/allOvpn/

It probably will blow up if any ovpn files have spaces in the names.
M51
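The three problems raised in the last few posts (Windows CRLF line endings in the .ovpn files, .ovpn files spread across subdirectories, and file names with spaces) all sit in the one line that harvests `remote` directives. The added example below is not oweqq99's or M51's script; it collects the endpoints with `find -exec` instead of a glob, strips carriage returns before parsing, copes with the `remote host port proto` form, and then prints a complete kill-switch rule set to stdout so it can be reviewed before being applied. The interface names eth0 (physical NIC) and tun0 (OpenVPN) and the LAN 192.168.1.0/24 are assumptions and can be overridden as arguments.

```shell
#!/bin/sh
# Added example (not the thread's script): collect VPN endpoints from a
# tree of .ovpn files and print an iptables kill-switch rule set to stdout
# for review; apply with "... | sudo sh" once it looks right.
# Assumed defaults: eth0 = physical NIC, tun0 = OpenVPN interface,
# 192.168.1.0/24 = LAN.

# collect_remotes DIR: print the host/IP of every "remote" directive found
# in .ovpn files under DIR, one per line, de-duplicated. Handles CRLF line
# endings (the failure in the thread), the "remote host port proto" form,
# subdirectories and file names containing spaces (find -exec, not a glob).
collect_remotes() {
    find "$1" -type f -name '*.ovpn' -exec grep -h '^remote[[:space:]]' {} + \
      | tr -d '\r' \
      | awk '{ print $2 }' \
      | sort -u
}

# emit_rules [WAN] [TUN] [LAN]: endpoints are read from stdin. Hostnames
# work here only because iptables resolves them while the rules load; pin
# them in /etc/hosts or use IPs if the rules are reloaded after DNS is blocked.
emit_rules() {
    wan=${1:-eth0}; tun=${2:-tun0}; lan=${3:-192.168.1.0/24}
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    # Default-deny outbound too: an OUTPUT policy of ACCEPT with a single
    # REJECT on one interface leaves every other interface wide open.
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # LAN and DHCP on the physical interface only.
    echo "iptables -A INPUT -i $wan -s $lan -j ACCEPT"
    echo "iptables -A OUTPUT -o $wan -d $lan -j ACCEPT"
    echo "iptables -A OUTPUT -o $wan -p udp --sport 68 --dport 67 -j ACCEPT"
    # The only traffic allowed to leave the physical interface for the
    # internet is the tunnel itself.
    while read -r ep; do
        [ -n "$ep" ] || continue
        echo "iptables -A OUTPUT -o $wan -d $ep -j ACCEPT"
    done
    # Everything else goes through the tunnel. Deliberately no DNS rule on
    # the physical interface: if the tunnel drops, name resolution drops
    # with it, so nothing leaks.
    echo "iptables -A OUTPUT -o $tun -j ACCEPT"
    echo "iptables -A OUTPUT -o $wan -j REJECT"
}

# Usage: sh vpn-killswitch.sh /home/aaaaa/virtconfigs/allOvpn [eth0 tun0 192.168.1.0/24]
#        ... | sudo sh   (once the printed rules look right)
if [ "$#" -ge 1 ]; then
    collect_remotes "$1" | emit_rules "$2" "$3" "$4"
fi
```

Printing the rules rather than executing them makes the "is this correct for my network?" question answerable by reading the output, and a default-deny OUTPUT policy is what stops plain internet access when the tunnel is down; a single REJECT on one interface does not.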

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 18:36

I can run the script now, but it allows me to access the web w/o the VPN connected.
Is this OK? May I get to you via PM to provide my script and all the details for analysis? I appreciate your help. Maybe I need to provide my iptables output...
oweqq99
