Jump to content
Not connected, Your IP: 3.145.58.158
AirVPN
mblue

ANSWERED Need IP ranges to use ufw to act as a kill switch

By mblue, ... in General & Suggestions

Recommended Posts

mblue    4

mblue
Posted ...

It seems that one can use ufw to act as a vpn kill swtich by simply only allowing traffic through the IP ranges of AirVPN.  Is there a listing of the IP ranges to use for the various countries?

 

Note that this post gives some general setup steps.

Share this post

Link to post

InactiveUser    188

InactiveUser
Posted ...

Use the "Config Generator", check all the servers you want to use (you can check a whole region / country).

You have to enable "Advanced Mode" and "Resolved hosts in .ovpn file".

This will give you an .ovpn file containing the entry IPs in the form of

remote 1.2.3.4

remote 1.2.3.5

remote 1.2.3.6

...

 

You can then manually create UFW commands for these IPs, or write a Bash one-liner to automate the process, similar to what I did here for Fedora's firewall:

https://airvpn.org/topic/13064-block-all-non-vpn-traffic-in-fedora-21-firewalld/?p=22926

That post also contains screenshots for the "Config Generator".

 

You should also keep an eye on Air's News and Announcements section. Whenever Air withdraws a server, you should remove its entry IP from your firewall configuration.

rickjames and encrypted reacted to this

all of my content is released under CC-BY-SA 2.0

Share this post

Link to post

mblue    4

mblue
Posted ...

@sheivoko - Thank you.  I adapted your script to work parsing the entries for ufw.  I will update this post with complete instructions.

@rainmaker - I have a solution now, thanks.

mblue reacted to this

Share this post

Link to post

rickjames    106

rickjames
Posted ...

Allowing a range of vpn ip's access in your firewall isn't ideal. It would work as a kill switch sure, but from a security standpoint its adding additional attack vectors.

 

At least use conntrack and specify that the allowed outbound traffic to the vpn ip's are only allowed on the eth0 or what ever physical interface the system is using. +a drop invalid rule.

 

But I suppose if the system was previously using a non restrictive firewall setup this would only be a step up lol.

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Go To Topic Listing
×
×
  • Create New...