How to block internet connection when VPN fails?


Postby Danielorum » 2015-01-14 23:58

And I don't know if it matters, but I am using a different VPN provider than the one used in the original script. I use this command in a startup script to activate the VPN tunnel:

Code:
# give the network a moment to come up, then start the tunnel in the background
sleep 10s
openvpn /storage/.config/vpn-config/my.vpn.provider.ovpn &

Don't know if it is relevant or not.

Danielorum
 
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

Postby M51 » 2015-01-16 21:05

The errors you show are failures to resolve DNS host names.

Does the VPN connect successfully? Try this: ping something like www.google.com. Note the IP address. Connect to the VPN and try pinging the IP address directly. If it works, then for some reason your VPN provider's DNS settings aren't being used or aren't working.
M51
 
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2015-01-17 13:35

Well finally something different happened!

When I try to ping Google's hostname it tells me bad address, but when I ping Google's IP address it works! I have tried this with Google's DNS address inserted into XBMC's network settings, and I tried with my VPN provider's DNS address as well, with the same result.

So doesn't it seem like the iptables rules are creating this issue?

Because I did some digging around the web, and found this simple set of rules, which doesn't create any problems. Can't I just use these instead? And what are the main differences between these sets of rules?

Code:
#!/bin/sh
# Delete all existing rules in the filter table (other tables are untouched)
iptables -F

# Allow loopback; local resolvers and services need it
iptables -A OUTPUT -o lo -j ACCEPT

# Allow traffic to the local network
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
# NOTE: a source match in OUTPUT matches every packet this host sends as long as
# its own address is in 192.168.1.0/24, so this rule lets everything through and
# defeats the DROP below. That is why the set "doesn't create any problems".
# iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT

# Allow OpenVPN (UDP 1194 to any host; narrow this to the VPN server's address
# if it is known)
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT

# Deny everything else leaving on eth0; traffic through the tunnel interface is
# not affected
iptables -A OUTPUT -o eth0 -j DROP
Danielorum
 
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

Postby dbuse » 2015-11-27 04:21

Hi

Is this still open please?

I'm new to the forum and, er, I'm an Ubuntu user. I know that as a 'foreigner' 'I don't belong' to the Debian Forum, but this script is, I hope, the only firewall I've found that does what I want ...

I was hoping somebody could help me with the script in Ubuntu? When I run it, the terminal just momentarily opens and closes and nothing happens. I am new to iptables (can this be done using gufw???)

My ovpn scripts (and their certs) are in /etc/openvpn

My script is as the original:
Code:
#!/bin/sh
# Incoming: drop everything except loopback, replies to connections this host
# opened, and anything from the local network on the wired interface
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# Outgoing on eth0: only replies to local-network connections
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Let the DHCP client renew its lease (client port 68 to server port 67; the
# original's --sport 67 only matches a DHCP server, not a client)
/sbin/iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
# Allow outgoing traffic to every server named on a "remote" line of the .ovpn
# files. Hostnames are resolved here, while DNS still works, so keep this
# before the final REJECT.
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
# Everything else leaving on eth0 is refused; traffic through tun0 is unaffected
/sbin/iptables -A OUTPUT -o eth0 -j REJECT


Fingers crossed and thanks - either way ...
dbuse
 
Posts: 1
Joined: 2015-11-27 04:09

Re: How to block internet connection when VPN fails?

Postby jameshouston135 » 2016-02-02 13:11

Although I have used selective VPN routing, and I use the following logic in my script...

Code:

# Optionally FORCE the use of the VPN tunnel, so if the VPN tunnel drops,
# the device will not use the unencrypted default WAN.
# FORCE and IP_RANGE are set earlier in the script (not shown here); br0 is
# the LAN bridge and eth0 the WAN port of the router this runs on.
if [ "$FORCE" = "FORCE" ]; then
    logger -t "($(basename "$0"))" "$$ VPN selective routing for $IP_RANGE: WAN access blocked"
    echo "$IP_RANGE WAN access blocked"
    # Prevent duplicate blocking rule entries (the -D fails harmlessly if no rule exists yet)
    iptables -D FORWARD -i br0 -s "$IP_RANGE" -o eth0 -j DROP 2>/dev/null
    iptables -I FORWARD -i br0 -s "$IP_RANGE" -o eth0 -j DROP
fi
# Allow removing of the WAN blocking if it was previously set
if [ "$FORCE" = "NOFORCE" ]; then
    logger -t "($(basename "$0"))" "$$ VPN selective routing for $IP_RANGE: WAN access allowed"
    echo "$IP_RANGE WAN access allowed"
    iptables -D FORWARD -i br0 -s "$IP_RANGE" -o eth0 -j DROP 2>/dev/null
fi

So not sure if specifying eth0 will work in your case?
jameshouston135
 
Posts: 2
Joined: 2016-02-02 13:00

Re: How to block internet connection when VPN fails?

Postby laurenaria10 » 2016-03-02 11:34

I struggled with the script as firewall and startup; both times it did not work, and I still have working internet after I disconnect the VPN/PPTP.
laurenaria10
 
Posts: 1
Joined: 2016-03-02 11:21

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2020-10-01 18:21

Hi everyone,
Same issue with Linux Mint 20; it uses ufw as far as I know.
I have a local folder with .ovpn files; the IP addresses of the VPN servers are to be parsed from them.
Need to restrict all traffic to the VPN server addresses only, restricting traffic to the VPN only.
I need that no app may connect to the internet if the VPN is disabled/dropped etc.
The local network must be accessible even without the VPN connected ...
Please advise.
Got a solution for iptables but need help with UFW.
Please
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49
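The grep | cut | xargs line in dbuse's script above and the ufw version oweqq99 asks for come down to the same procedure: read every `remote` line from the .ovpn files, turn each endpoint into one narrow allow rule, and only then add the rule that blocks everything else on the uplink. The script below is an added example written for this thread; it is not any poster's script and not part of the original posts. It assumes a LAN of 192.168.1.0/24, eth0 as the uplink and tun0 as the tunnel interface (all three can be overridden through the environment), a directory of .ovpn files given on the command line, and root privileges when rules are applied for real; DRY_RUN=1 prints the commands instead of running them. The sample addresses in the comments are constructed documentation values.

```shell
#!/bin/sh
# Added example for this thread (not any poster's script): build a VPN
# "kill switch" allow-list from the `remote` lines of the .ovpn files in a
# directory, then apply it with either iptables (as in the scripts above) or
# ufw (Linux Mint / Ubuntu). Assumed defaults: LAN 192.168.1.0/24, uplink
# eth0, tunnel tun0. DRY_RUN=1 prints the commands instead of running them.

LAN="${LAN:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Print one "host port proto" line per distinct endpoint named on a `remote`
# line in $1/*.ovpn. Comments (# and ;) are stripped; a missing port or proto
# falls back to OpenVPN's defaults (1194, udp); udp4/tcp6/tcp-client variants
# are reduced to the plain protocol name that iptables and ufw understand.
ovpn_remotes() {
    cat "$1"/*.ovpn 2>/dev/null |
        sed 's/[#;].*$//' |
        awk '$1 == "remote" && NF >= 2 {
                port  = (NF >= 3) ? $3 : 1194
                proto = (NF >= 4) ? $4 : "udp"
                sub(/-client$/, "", proto)
                sub(/[46]$/, "", proto)
                print $2, port, proto
            }' |
        LC_ALL=C sort -u
}

# Expand a hostname to its IPv4 addresses (an IPv4 literal passes through).
# This is the step that needs working DNS, so it must run before the final
# REJECT/deny rule lands, exactly as the grep|xargs line above does.
to_ipv4() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u ;;
        *)         echo "$1" ;;
    esac
}

# apply_rules BACKEND DIR   (BACKEND is "iptables" or "ufw")
apply_rules() {
    backend="$1"; dir="$2"
    case "$backend" in
        iptables)
            run iptables -F OUTPUT
            run iptables -A OUTPUT -o lo -j ACCEPT
            run iptables -A OUTPUT -o "$TUN_IF" -j ACCEPT
            run iptables -A OUTPUT -o "$WAN_IF" -d "$LAN" -j ACCEPT ;;
        ufw)
            run ufw default deny outgoing
            run ufw allow out on "$TUN_IF" from any to any
            run ufw allow out on "$WAN_IF" to "$LAN" ;;
        *)  echo "unknown backend: $backend" >&2; return 1 ;;
    esac
    # One narrow hole per VPN endpoint: only that address, port and protocol.
    ovpn_remotes "$dir" | while read -r host port proto; do
        for ip in $(to_ipv4 "$host"); do
            if [ "$backend" = "iptables" ]; then
                run iptables -A OUTPUT -o "$WAN_IF" -d "$ip" -p "$proto" --dport "$port" -j ACCEPT
            else
                run ufw allow out on "$WAN_IF" to "$ip" port "$port" proto "$proto"
            fi
        done
    done
    # Everything else that would leave on the uplink is refused.
    if [ "$backend" = "iptables" ]; then
        run iptables -A OUTPUT -o "$WAN_IF" -j REJECT
    else
        run ufw --force enable
    fi
}

# Usage: sh killswitch.sh iptables /etc/openvpn   (or: sh killswitch.sh ufw /etc/openvpn)
if [ "$#" -ge 2 ]; then
    apply_rules "$1" "$2"
fi
```

Hostnames on `remote` lines are resolved while the rules are being built, so DNS must still work at that moment; an .ovpn that lists IP literals removes that dependency entirely. The iptables backend flushes and rebuilds only the OUTPUT chain, so INPUT rules such as dbuse's can stay in place. With ufw, `default deny outgoing` is what closes the uplink; loopback is already allowed by ufw's built-in rules and the incoming policy is left untouched.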

Re: How to block internet connection when VPN fails?

Postby sgosnell » 2020-10-01 21:40

You just revived a thread that has been dead for 4.5 years. A new thread might be a better plan.
Take my advice, I'm not using it.
sgosnell
 
Posts: 910
Joined: 2011-03-14 01:49

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2020-10-02 16:30

sgosnell wrote: You just revived a thread that has been dead for 4.5 years. A new thread might be a better plan.


I do believe it will get the attention of the respected community, as the problem still persists.
It was perfectly solved once and will be done again with some effort )
Thanks
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby sickpig » 2020-10-02 19:50

oweqq99 wrote: Same issue with Linux Mint 20, it uses ufw as far as I know

oweqq99 wrote: I do believe it will get the attention of the respected community as the problem still persists

I do not suppose the Linux Mint community would care much for necrobumped threads on this forum. I wouldn't hold my breath.
sickpig
 
Posts: 589
Joined: 2019-01-23 10:34
