Jump to content
Not connected, Your IP: 3.87.11.93
mblue

ANSWERED Need IP ranges to use ufw to act as a kill switch

Recommended Posts

It seems that one can use ufw to act as a vpn kill swtich by simply only allowing traffic through the IP ranges of AirVPN.  Is there a listing of the IP ranges to use for the various countries?

 

Note that this post gives some general setup steps.

Share this post


Link to post

Use the "Config Generator", check all the servers you want to use (you can check a whole region / country).

You have to enable "Advanced Mode" and "Resolved hosts in .ovpn file".

This will give you an .ovpn file containing the entry IPs in the form of

remote 1.2.3.4

remote 1.2.3.5

remote 1.2.3.6

...

 

You can then manually create UFW commands for these IPs, or write a Bash one-liner to automate the process, similar to what I did here for Fedora's firewall:

https://airvpn.org/topic/13064-block-all-non-vpn-traffic-in-fedora-21-firewalld/?p=22926

That post also contains screenshots for the "Config Generator".

 

You should also keep an eye on Air's News and Announcements section. Whenever Air withdraws a server, you should remove its entry IP from your firewall configuration.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

@sheivoko - Thank you.  I adapted your script to work parsing the entries for ufw.  I will update this post with complete instructions.

@rainmaker - I have a solution now, thanks.

Share this post


Link to post

Allowing a range of vpn ip's access in your firewall isn't ideal. It would work as a kill switch sure, but from a security standpoint its adding additional attack vectors.

 

At least use conntrack and specify that the allowed outbound traffic to the vpn ip's are only allowed on the eth0 or what ever physical interface the system is using. +a drop invalid rule.

 

But I suppose if the system was previously using a non restrictive firewall setup this would only be a step up lol.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...