txtseam 0 Posted ... I have been trying to days to find or create a working firewall setup that only allows traffic through the vpn on a linux machine. I have been trying with iptables and ufw and every resource I find online doesn't work and is poorly explained. As soon as I try the firewall rules the VPN won't connect and if it is connected before then the connection drops. I have been through dozens and dozens of forum, blog and online posts but absolutely nothing is working. Does anyone have a working example of an iptables or UFW setup that only allows traffic through AirVPN? I'm almost at the point of wanting to pay someone to write one because I'm beginning to believe that no one actually knows how to do it. Quote Share this post Link to post
OpenSourcerer 1366 Posted ... Please see these official How-Tos:Prevent leaks with Linux & iptablesPrevent leaks with Ubuntu Linux & gufw/ufw (thanks to worric)Prevent Leaks with Linux & Firestarter (also Stop traffic when VPN Drops) <- it's got the ufw tag And, of course, Eddie's Network Lock feature. 1 snaggle reacted to this Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
snaggle 25 Posted ... HiFast and dirty using UFW.Just enter the following into a terminal - sudo ufw disablesudo ufw default deny incomingsudo ufw default deny outgoingsudo ufw allow out on tun0 from any to anysudo ufw enable You'll need to disable the firewall before connection - sudo ufw disablethen re-enable once you have connected - sudo ufw enable. This is assuming you have UFW installed. Quote Share this post Link to post
Woozle 0 Posted ... Hello, My guess is that you can't connect to the VPN because you've blocked port 53 (DNS requests), which is at the same time a very good idea in order to prevent DNS leaks... In the FAQ here there is a description of how you can determine an entry server's IP address, e.g. for a Dutch server you type in the terminal :nslookup nl.all.vpn.airdns.org Next you'll have to open the hosts file with a text editor with admin rights. If you use mousepad, it would be :sudo mousepad /etc/hostsEnter a new line containing : the IP address <tab> nl.vpn.airdns.org In GUFW you choose :deny all incomingdeny all outgoingThen you add a rule that allows outgoing traffic to the port that you chose when downloading the openvpn configuration files. Establish the VPN connection, which should work now. Once the tunnel is established, you can add any outgoing rule inside the tunnel that you need, e.g.port 80 TCP outgoing on tun0...You will also at least need port 53 outgoing on tun0 to make DNS requests ! Quote Share this post Link to post
txtseam 0 Posted ... HiFast and dirty using UFW.Just enter the following into a terminal - sudo ufw disablesudo ufw default deny incomingsudo ufw default deny outgoingsudo ufw allow out on tun0 from any to anysudo ufw enable You'll need to disable the firewall before connection - sudo ufw disablethen re-enable once you have connected - sudo ufw enable. This is assuming you have UFW installed. This doesn't work. The VPN can't even connect with these rules. I can get the VPN to at least connect if I add a rule allowing port 443. (My AirVPN config is using port 443.) sudo ufw disablesudo ufw default deny incomingsudo ufw default deny outgoingsudo ufw allow out on tun0 from any to anysudo ufw allow in 443sudo ufw allow out 443sudo ufw enable In my tests previous to this I've always been able to get OpenvPN to connect but I still have no internet access. Even with this setup I'm not actually online and it does nothing. Quote Share this post Link to post
rickjames 106 Posted ... That's how I do it but I don't use UFW. Its all done via iptables. The simplest thing to do is just use the airvpn client for linux, then enable the network lock.https://airvpn.org/enter/ choose linux. If you must use UFW only then you'll also need to make allow 80, 443, 53 rules for the tun0.The eth0 also needs allow rules for what ever ip/port your connecting to the vpn on. Here's a post from a while back.https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/ 1 J0hnny5 reacted to this Quote Share this post Link to post
shmonkey 0 Posted ... I believe I've restricted all internet traffic to the VPN connection with the following (please let me know if anything is wrong here): ufw default deny outgoing ufw default deny incoming ufw allow out to 192.168.1.0/24 ufw allow in from 192.168.1.0/24 ufw allow out to {VPN server IP address} port 443 proto udp #ufw allow in from {VPN server IP address} port 443 proto udp # seemingly unnecessary for connection? ufw allow out on tun0 ufw allow out on docker0 # For Docker-contained website However, I now want to allow incoming (and outgoing) traffic on port 443 for a TLS-secured website I'm hosting, also only through the VPN connection. I've set up the AirVPN port forwarding to port 443 which seems to be working when the firewall is disabled. (I'm using example.com:{AirVPN-forwarded port} to access.) I don't seem to be able to work out the correct ufw command to allow: to/from VPN serverprotocol tcpport 443on tun0 I've tried a few variants but I have the wrong syntax/number of arguments. Does anyone know what the command should be? Edit: I've now found that these commands work: ufw allow in on tun0 from {VPN server IP address} port 443 proto tcp ufw allow out on tun0 to {VPN server IP address} port 443 proto tcp and: ufw allow in on tun0 from any port 443 proto tcp ufw allow out on tun0 to any port 443 proto tcp However, that doesn't seem to allow for access to the website from the Internet. I know access is possible as when the firewall is disabled the site is available. Quote Share this post Link to post
Not connected, Your IP: 3.144.9.164
Online: 23434 users - 254115 Mbit/s total BW