zammtech Posted ... I've been struggling trying to set up my Raspbian RPi3 to make sure that the only connection that is allowed is one through a VPN. I've tried iptables and gufw, but none of the tutorials I've found seem to work for me. Here is what I'm looking to do: run my VPN (Eddie doesn't work on Raspbian), run my Deluge client; if the VPN connection is active, the RPi can connect to the outside world, and if the RPi loses its VPN connection, then the RPi is disconnected from the world. Does anyone have a tutorial where they've been successful with this?
nick75 Posted ... Hi! Basically, all you need to do is allow traffic on the tun interface and restrict traffic on the ethernet one. Here is an excerpt of my iptables rules from my VPS:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# allow local traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# allow access to VPN servers
-A INPUT -i <interface> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o <interface> -d 46.19.137.114/32 -p udp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o <interface> -d 213.152.161.116/32 -p udp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o <interface> -d 213.152.162.113/32 -p udp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# allow incoming p2p traffic
-A INPUT -i tun0 -p tcp --dport <port> -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i tun0 -p udp --dport <port> -m conntrack --ctstate NEW -j ACCEPT

# allow VPN traffic
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

# allow SSH traffic
-A INPUT -i <interface> -s 192.168.0.0/16 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o <interface> -d 192.168.0.0/16 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

COMMIT

You'll need to replace <interface> and <port> with the ones your system uses. Also, the tun interface may have another name. With this, access to the VPN servers is really restricted, so if it's too inconvenient, just use this:

-A OUTPUT -o <interface> -p udp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Hope it helps!
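The following is an added example, not code from either poster. It models the ruleset above in Python so the kill-switch behaviour can be checked on any machine before the rules are loaded on the Pi: first matching rule wins, and anything unmatched falls through to the chain's DROP policy. The physical interface name (eth0), the p2p port (6881) and the remote addresses in the probe packets are assumptions; the VPN server addresses and the 192.168.0.0/16 SSH range are taken from the post. Note that the model is a check of the rule logic only, not a substitute for testing the live rules with iptables on the device.

```python
"""Model of the VPN kill-switch ruleset from the post, to check what leaks and what passes."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Set

# Assumed values (not from the post): physical interface and the p2p listen port.
WAN = "eth0"
P2P_PORT = 6881
# From the post: the three VPN endpoints and the LAN range allowed to SSH in.
VPN_SERVERS = ["46.19.137.114", "213.152.161.116", "213.152.162.113"]
LAN = ip_network("192.168.0.0/16")


@dataclass
class Packet:
    chain: str                   # "INPUT" or "OUTPUT"
    iface: str                   # interface the packet arrives on / leaves through
    proto: str                   # "tcp" or "udp"
    addr: str                    # remote address: source for INPUT, destination for OUTPUT
    port: int                    # destination port (local port for INPUT, remote for OUTPUT)
    state: str                   # conntrack state: NEW, ESTABLISHED or RELATED
    sport: Optional[int] = None  # source port, only needed for rules that use --sport


@dataclass
class Rule:
    chain: str
    iface: Optional[str] = None          # -i / -o
    proto: Optional[str] = None          # -p
    net: Optional[IPv4Network] = None    # -s (INPUT) or -d (OUTPUT)
    dport: Optional[int] = None          # --dport
    sport: Optional[int] = None          # --sport
    states: Optional[Set[str]] = None    # -m conntrack --ctstate
    target: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        """A rule matches only if every match it specifies agrees with the packet."""
        if self.chain != p.chain:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.net is not None and ip_address(p.addr) not in self.net:
            return False
        if self.dport is not None and self.dport != p.port:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


# Same order as the post; order matters because the first match decides.
RULES = [
    Rule("INPUT", iface="lo"),
    Rule("OUTPUT", iface="lo"),
    Rule("INPUT", iface=WAN, states={"ESTABLISHED", "RELATED"}),
    *[Rule("OUTPUT", iface=WAN, proto="udp", net=ip_network(s + "/32"), dport=443,
           states={"NEW", "ESTABLISHED"}) for s in VPN_SERVERS],
    Rule("INPUT", iface="tun0", proto="tcp", dport=P2P_PORT, states={"NEW"}),
    Rule("INPUT", iface="tun0", proto="udp", dport=P2P_PORT, states={"NEW"}),
    Rule("INPUT", iface="tun0", states={"ESTABLISHED", "RELATED"}),
    Rule("OUTPUT", iface="tun0"),
    Rule("INPUT", iface=WAN, net=LAN, proto="tcp", dport=22, states={"NEW"}),
    Rule("OUTPUT", iface=WAN, net=LAN, proto="tcp", sport=22, states={"ESTABLISHED", "RELATED"}),
]


def verdict(p: Packet, rules=RULES) -> str:
    """First matching rule wins; otherwise the chain policy (DROP in the post) applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return "DROP"


def kill_switch_checks() -> dict:
    """Probe packets (constructed addresses) covering the cases the poster cares about."""
    return {
        "vpn_handshake_on_wan": verdict(Packet("OUTPUT", WAN, "udp", VPN_SERVERS[0], 443, "NEW")),
        "direct_https_on_wan": verdict(Packet("OUTPUT", WAN, "tcp", "93.184.216.34", 443, "NEW")),
        "dns_on_wan": verdict(Packet("OUTPUT", WAN, "udp", "8.8.8.8", 53, "NEW")),
        "https_through_tunnel": verdict(Packet("OUTPUT", "tun0", "tcp", "93.184.216.34", 443, "NEW")),
        "p2p_inbound_on_tunnel": verdict(Packet("INPUT", "tun0", "tcp", "203.0.113.9", P2P_PORT, "NEW")),
        "ssh_from_lan": verdict(Packet("INPUT", WAN, "tcp", "192.168.1.20", 22, "NEW")),
        "ssh_reply_to_lan": verdict(Packet("OUTPUT", WAN, "tcp", "192.168.1.20", 50000, "ESTABLISHED", sport=22)),
        "ssh_from_internet": verdict(Packet("INPUT", WAN, "tcp", "203.0.113.9", 22, "NEW")),
    }


if __name__ == "__main__":
    for name, result in kill_switch_checks().items():
        print(f"{name:24s} {result}")
```

Two things the model makes visible: when tun0 is down, every outbound packet on the physical interface except the UDP/443 handshake to the listed servers is dropped, which is the kill switch the question asks for; and outbound DNS on the physical interface is dropped too, so the VPN client must be configured with the server IPs (as in the post) rather than hostnames, or the tunnel can never come up.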