theradgrad (Posted ..., edited):
Hello, I'm having a bit of trouble trying to get a functioning kill switch using pf on OpenBSD 7.6. I basically want it so that, when the VPN connection drops, whether that be OpenVPN or WireGuard (currently using OpenVPN), all Internet traffic is blocked (but local network traffic is still permitted, so I can SSH into my computer locally, for example). I do not want any Internet traffic leaking out of the VPN tunnel, ever. I've tried reading through this suggested how-to guide from jessez, but given it's from 2012 I wasn't sure if it was still applicable (especially to OpenBSD, since this appears to be from OS X, if that matters), or if any rule changes would need to be made. Also, would I need to manually add every AirVPN server IP to a pf.conf rule? I'd like to be able to use any AirVPN server in the world, but this sounds like a lot of rules, and if IP addresses change I would have to manually update my pf.conf file regularly. In short, if somebody could list out a full /etc/pf.conf ruleset that not only acts as a kill switch for Internet traffic but also will work with every AirVPN server exclusively, that would be awesome!
OpenSourcerer (Posted ...):
It would be interesting to have something like this, since the BSDs are underrepresented operating systems. Guides tend to be written by users, and the BSDs don't really have those. I think it will come down to you investing time into experiments yourself. If I may be so frank, no normal user would choose to install a BSD, so I'm guessing you've got the knowledge for this but maybe not the time.
theradgrad (Posted ...):
I like your response, OpenSourcerer. I'm indeed not your average user, haha! Speaking as objectively as I can, I have a fair bit of both knowledge and time, but am a little fearful of breaking things (more crucial here, as I don't have easy physical KVM access to the machine to undo a bad config) or of implementing rules that appear to work but have some kind of serious flaw I don't end up discovering until it takes the form of an unexpected problem later on. With regard to the IP addresses, for example, my fear was that I get a big list of AirVPN server IPs (somehow...) and create a bunch of rules whitelisting them... but then a server's IP changes, therefore the IP I had specified in my pf.conf becomes somebody else's IP, and it potentially leads to an undesired leak. I had figured that using domain names instead would pretty much resolve this issue entirely, but from what I could tell, pf doesn't support something like that (I'd love to be proven wrong, though!). The other issue I in particular face is that I have a hard time fully grasping information sometimes. I've scoured both the pf(4) and pf.conf(5) manpages and various blogs (1 2; 3 4; 5; 6), and overall have spent about six days straight, multiple hours on end, trying to get this working. It seems like the solution is something very simple, just some magic words in my pf.conf, but my brain cannot comprehend the meanings behind the rule examples I've seen (which is just as important to me as a working solution). I will keep trial-and-error'ing with my config file and see how that turns out. Hopefully there's an easier way to determine all of those server IPs (please do share if so), but in the meantime I can connect to a handful of servers and specify what AirVPN's awesome ipleak.net reports. We're getting Linux marketshare numbers up, now time for the BSDs to follow suit! (And I say this in general because I love all of those OSes and want them to flourish.)
OpenSourcerer (Posted ...):
Quoting theradgrad, 9 hours ago: "I will keep trial-and-error'ing with my config file and see how that turns out. Hopefully there's an easier way to determine all of those server IPs (please do share if so), but in the meantime I can connect to a handful of servers and specify what AirVPN's awesome ipleak.net reports."
I think programmatically building the pf.conf is necessary here. You can use the API to fetch the server list and their IP addresses, filter the returned JSON with jq, and fill in the blanks in the script that way. It will require learning the jq syntax in addition to the pf syntax, but if that works, whenever the infrastructure changes you'll just have to execute that script and the pf.conf will be updated. And, by the way, IPLeak features an API, too.
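The generated-ruleset approach from the reply above, worked through as an added example (not code from AirVPN, OpenSourcerer or theradgrad). It does with Python's json module what the reply suggests doing with jq, so it runs without extra tools, and it adds a small model of pf's "last matching rule wins" evaluation so the effect of each rule on sample packets can be read off directly. Everything specific is an assumption or placeholder: the JSON shape is constructed and is not the real API's schema (the fetch itself is not implemented because the endpoint and field names are not given in the thread); egress interface em0, tunnel tun0, LAN 192.168.1.0/24, OpenVPN over UDP 443 and the table file path must be adjusted to the machine. Server IPs go into a pf table loaded from a file, so an infrastructure change only requires regenerating that file and replacing the table, not rewriting the rules.

```python
"""Generate an OpenBSD pf kill switch from a JSON server list and show what
the resulting rules decide for sample packets.

Added example for the thread; not AirVPN's or the posters' code. The JSON
shape is constructed (NOT the real API schema); em0, tun0, the LAN, UDP 443
and the table file path are placeholders to adjust.
"""
import ipaddress
import json

# Constructed sample input using documentation address ranges.
SAMPLE_SERVER_JSON = """
{"servers": [
  {"name": "Alpha",  "ips": ["203.0.113.10", "203.0.113.11"]},
  {"name": "Beta",   "ips": ["198.51.100.5"]},
  {"name": "Broken", "ips": ["not-an-ip", "203.0.113.10"]}
]}
"""
EXT_IF, VPN_IF = "em0", "tun0"                 # placeholders
LAN = ipaddress.ip_network("192.168.1.0/24")   # placeholder
VPN_PROTO, VPN_PORT = "udp", 443               # match your VPN profile
TABLE_FILE = "/etc/pf/vpn_servers"             # placeholder

def extract_server_ips(doc):
    """Valid, de-duplicated IPv4 addresses only: a malformed entry is skipped
    instead of being written into a table file that pfctl would refuse to load."""
    seen = set()
    for srv in doc.get("servers", []):
        for raw in srv.get("ips", []):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue
            if ip.version == 4:
                seen.add(ip)
    return sorted(seen)

def load_sample_ips():
    return [str(ip) for ip in extract_server_ips(json.loads(SAMPLE_SERVER_JSON))]

def build_rules():
    """Rules as data: (action, direction, iface, proto, src, dst, dport, comment).
    src/dst are None (any), an ip_network, or a pf table name."""
    return [
        ("block", None, None, None, None, None, None, "default deny, IPv6 included"),
        ("pass", None, EXT_IF, None, LAN, LAN, None, "LAN stays reachable, e.g. SSH from a local box"),
        ("pass", "out", EXT_IF, VPN_PROTO, None, "vpn_servers", VPN_PORT,
         "only the VPN handshake may leave the physical interface"),
        ("pass", "out", VPN_IF, None, None, None, None, "everything else rides the tunnel"),
    ]

def _addr(spec):
    return "any" if spec is None else f"<{spec}>" if isinstance(spec, str) else str(spec)

def render_rule(rule):
    action, direction, iface, proto, src, dst, dport, comment = rule
    parts = [action]
    if direction: parts.append(direction)
    if iface: parts.append(f"on {iface}")
    if proto: parts.append(f"proto {proto}")
    if src is not None or dst is not None:
        parts.append(f"from {_addr(src)} to {_addr(dst)}")
        if dport: parts.append(f"port {dport}")
    elif action == "block":
        parts.append("all")
    return " ".join(parts) + f"  # {comment}"

def render_pf_conf():
    """The table is loaded from a file, so after regenerating it the running table
    is refreshed with: pfctl -t vpn_servers -T replace -f /etc/pf/vpn_servers"""
    head = [f'table <vpn_servers> persist file "{TABLE_FILE}"', "set skip on lo"]
    return "\n".join(head + [render_rule(r) for r in build_rules()]) + "\n"

def render_table_file(ips):
    return "".join(f"{ip}\n" for ip in ips)

def _matches(spec, ip, tables):
    if spec is None: return True
    if isinstance(spec, str): return ip in tables[spec]
    return ip in spec

def evaluate(pkt, rules, tables):
    """pf semantics without 'quick': the LAST matching rule decides."""
    verdict = "pass"                        # pf's default when nothing matches
    for action, direction, iface, proto, src, dst, dport, _ in rules:
        if direction and direction != pkt["dir"]: continue
        if iface and iface != pkt["if"]: continue
        if proto and proto != pkt["proto"]: continue
        if dport and dport != pkt["dport"]: continue
        if not (_matches(src, pkt["src"], tables) and _matches(dst, pkt["dst"], tables)): continue
        verdict = action
    return verdict

def demo():
    """Verdicts for constructed packets. With the tunnel down, an application's
    packet tries to leave em0 directly ("leak_on_egress") and is blocked."""
    tables = {"vpn_servers": set(extract_server_ips(json.loads(SAMPLE_SERVER_JSON)))}
    def pkt(d, i, pr, s, t, dp):
        return {"dir": d, "if": i, "proto": pr, "src": ipaddress.ip_address(s),
                "dst": ipaddress.ip_address(t), "dport": dp}
    cases = {
        "vpn_handshake": pkt("out", EXT_IF, "udp", "192.168.1.20", "203.0.113.10", 443),
        "leak_on_egress": pkt("out", EXT_IF, "tcp", "192.168.1.20", "192.0.2.1", 443),
        "lan_ssh_in": pkt("in", EXT_IF, "tcp", "192.168.1.5", "192.168.1.20", 22),
        "via_tunnel": pkt("out", VPN_IF, "tcp", "10.8.0.2", "192.0.2.1", 443),
    }
    return {name: evaluate(p, build_rules(), tables) for name, p in cases.items()}

if __name__ == "__main__":
    print(render_pf_conf())
    print(render_table_file(load_sample_ips()))
    print(demo())
```

Caveats a practitioner would check before loading this on a box without console access: syntax-check with `pfctl -nf` first; if the egress address comes from DHCP, the default deny also stops renewals (destination 255.255.255.255 is not in the LAN), so a UDP 67/68 rule on em0 is needed; DNS must resolve through the tunnel, otherwise the resolver's traffic is simply dropped rather than leaked; and because the table holds raw addresses, the regeneration step has to be re-run whenever the server list changes, which is exactly the concern about stale IPs raised earlier in the thread. The evaluator is only a model of the four rules written here (no `quick`, no state tracking), not a pf reimplementation.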
OpenSourcerer (Posted ...):
Don't be alarmed, I split the post outlining your solution into its own thread. You may edit this a bit to give it more of a guiding character. And so, one more guide gets born.
theradgrad (Posted ..., edited):
Quoting OpenSourcerer, 11/8/2024 at 7:58 PM: "Don't be alarmed, I split the post outlining your solution into its own thread. You may edit this a bit to give it more of a guiding character. And so, one more guide gets born."
Sounds good! Happy to help out. I just reformatted a fair bit of it now to hopefully fit better with the site. My apologies that it took me a few days to do. I was having sloooow bandwidth troubles, but eventually found out that using UDP instead of TCP (as suggested by AirVPN anyway) resolved it. Cheers!
OpenSourcerer (Posted ...):
Quoting theradgrad, 11/12/2024 at 2:51 PM: "My apologies that it took me a few days to do."
Silly to apologize for not doing a thing you're not obligated to do. Take your time.