mblue 4 Posted ... It seems that one can use ufw to act as a vpn kill swtich by simply only allowing traffic through the IP ranges of AirVPN. Is there a listing of the IP ranges to use for the various countries? Note that this post gives some general setup steps. Quote Share this post Link to post
InactiveUser 188 Posted ... Use the "Config Generator", check all the servers you want to use (you can check a whole region / country).You have to enable "Advanced Mode" and "Resolved hosts in .ovpn file".This will give you an .ovpn file containing the entry IPs in the form ofremote 1.2.3.4remote 1.2.3.5remote 1.2.3.6... You can then manually create UFW commands for these IPs, or write a Bash one-liner to automate the process, similar to what I did here for Fedora's firewall:https://airvpn.org/topic/13064-block-all-non-vpn-traffic-in-fedora-21-firewalld/?p=22926That post also contains screenshots for the "Config Generator". You should also keep an eye on Air's News and Announcements section. Whenever Air withdraws a server, you should remove its entry IP from your firewall configuration. 2 encrypted and rickjames reacted to this Quote Hide InactiveUser's signature Hide all signatures all of my content is released under CC-BY-SA 2.0 Share this post Link to post
rainmakerraw 94 Posted ... Have you read the how-to on Air's forum (rather than the PIA one you linked to)? It started as a Firestarter thread (the premise is the same, anyway tbh) but later somoene posted the adaptation for GUFW. Quote Share this post Link to post
mblue 4 Posted ... @sheivoko - Thank you. I adapted your script to work parsing the entries for ufw. I will update this post with complete instructions.@rainmaker - I have a solution now, thanks. 1 mblue reacted to this Quote Share this post Link to post
rickjames 106 Posted ... Allowing a range of vpn ip's access in your firewall isn't ideal. It would work as a kill switch sure, but from a security standpoint its adding additional attack vectors. At least use conntrack and specify that the allowed outbound traffic to the vpn ip's are only allowed on the eth0 or what ever physical interface the system is using. +a drop invalid rule. But I suppose if the system was previously using a non restrictive firewall setup this would only be a step up lol. Quote Share this post Link to post