Showing results for tags 'ipfw'.
Found 3 results
-
I'm trying to set up a kill switch so that if OpenVPN goes down all other connections are automatically locked. I adapted this config as follows:

### EDITED
group openvpn
################
client
dev tun
remote XXXXXX 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
ca "/opt/openvpn/keys/ca.crt"
cert "/opt/openvpn/keys/user.crt"
key "/opt/openvpn/keys/user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-auth "/opt/openvpn/keys/ta.key" 1

and this is my ipfw config:

#!/bin/bash
ipfw -q -f flush
cmd="ipfw -q add"
vpn="tun2"
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via tun0
$cmd 00101 allow all from me to 192.168.0.0/16
$cmd 00102 allow all from 192.168.0.0/16 to me
###############################
# it should allow openvpn to establish the connection
$cmd 00103 allow all from any to any gid openvpn
###############################
$cmd 00104 allow all from any to any established
$cmd 00110 allow tcp from any to any dst-port 53 out setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 out keep-state
$cmd 00201 deny all from any to any

When I try to start OpenVPN it won't work, e.g.:

Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/user.key' is group or others accessible
Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/ta.key' is group or others accessible
Mon Jul 20 22:13:17 2020 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 12 2020
Mon Jul 20 22:13:17 2020 library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
Mon Jul 20 22:13:17 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 20 22:13:17 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 20 22:13:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.34:443
Mon Jul 20 22:13:17 2020 Socket Buffers: R=[42080->262144] S=[9216->262144]
Mon Jul 20 22:13:17 2020 UDP link local: (not bound)
Mon Jul 20 22:13:17 2020 UDP link remote: [AF_INET]184.75.221.34:443
Mon Jul 20 22:13:17 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Jul 20 22:13:17 2020 write UDP: Permission denied (code=13)
Mon Jul 20 22:13:19 2020 write UDP: Permission denied (code=13)
Mon Jul 20 22:13:23 2020 write UDP: Permission denied (code=13)

It looks like in FreeBSD OpenVPN wants to start as root/wheel no matter what, and it will downgrade to a custom group only once the first connection has been successfully established. Is there a way around that? Else, is there another way to allow only OpenVPN to connect to the internet? I'm not married to this solution, I just want to set up a kill switch and avoid iptables.
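The following is an added example, not part of any post on this page and not an answer the forum gave. It is a small first-match model of the ipfw rule set above, written to let you check a kill-switch ruleset on paper before loading it: each posted rule becomes a matcher, evaluation stops at the first match exactly as ipfw does, and a few constructed packets are run through it. Two things the model makes visible: the UDP handshake sent while OpenVPN still runs as root carries root's credentials, so the `gid openvpn` rule does not match and the packet falls through to rule 00201 (an outbound packet refused by a deny rule surfaces to the sending socket as "Permission denied", which is what the log shows); and rule 00111 allows UDP/53 out on any interface, so resolver traffic is not forced through the tunnel. The local addresses, the `em0` interface name, the `VPN_SERVER` placeholder (the post masks the real address as `XXXXXX`) and the extra rule 00105 are assumptions of the example; the extra rule illustrates scoping the pre-downgrade handshake to the configured endpoint instead of to a gid.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Assumed/constructed values for the model (not from the post).
LOCAL_ADDRS = {"127.0.0.1", "192.168.1.10"}   # what ipfw's "me" would match on this host
LAN = ip_network("192.168.0.0/16")
VPN_SERVER = "203.0.113.10"                   # placeholder for "remote XXXXXX 443"


@dataclass
class Packet:
    proto: str                  # "tcp" or "udp"
    direction: str              # "out" or "in"
    iface: str                  # interface the packet crosses: "lo0", "tun0", "em0", ...
    src: str
    dst: str
    dport: int
    gid: Optional[str]          # group of the local process owning the socket (None if none)
    established: bool = False   # TCP segment with ACK or RST set


Rule = Tuple[int, str, Callable[[Packet], bool]]   # (rule number, action, matcher)


def is_me(addr: str) -> bool:
    return addr in LOCAL_ADDRS


def in_lan(addr: str) -> bool:
    return ip_address(addr) in LAN


# The posted rule set, one matcher per rule, in ipfw order.
POSTED_RULES: List[Rule] = [
    (1,   "allow", lambda p: p.iface == "lo0"),
    (10,  "allow", lambda p: p.iface == "tun0"),
    (101, "allow", lambda p: is_me(p.src) and in_lan(p.dst)),
    (102, "allow", lambda p: in_lan(p.src) and is_me(p.dst)),
    (103, "allow", lambda p: p.gid == "openvpn"),          # only after OpenVPN drops to that gid
    (104, "allow", lambda p: p.proto == "tcp" and p.established),
    (110, "allow", lambda p: p.proto == "tcp" and p.dport == 53 and p.direction == "out"),
    (111, "allow", lambda p: p.proto == "udp" and p.dport == 53 and p.direction == "out"),
    (201, "deny",  lambda p: True),
]

# Hypothetical extra rule (an assumption of this example, not from the post):
# "allow udp from me to VPN_SERVER 443 out" lets the pre-downgrade handshake
# reach the configured endpoint only, whatever credentials the socket carries.
ENDPOINT_RULE: Rule = (
    105, "allow",
    lambda p: p.proto == "udp" and p.direction == "out"
    and is_me(p.src) and p.dst == VPN_SERVER and p.dport == 443,
)


def evaluate(packet: Packet, rules: List[Rule]) -> Tuple[int, str]:
    """First matching rule wins, as in ipfw; returns (rule number, action)."""
    for number, action, matches in sorted(rules, key=lambda r: r[0]):
        if matches(packet):
            return number, action
    # ipfw's implicit default rule 65535; assumed to deny here (it is a kernel build option).
    return 65535, "deny"


def handshake(gid: Optional[str]) -> Packet:
    """OpenVPN's first UDP datagram to the server, leaving on the physical interface."""
    return Packet("udp", "out", "em0", "192.168.1.10", VPN_SERVER, 443, gid)


def scenarios() -> dict:
    """Constructed packets run through the posted rules (and once with the extra rule)."""
    other_app = Packet("udp", "out", "em0", "192.168.1.10", "198.51.100.7", 443, "users")
    in_tunnel = Packet("tcp", "out", "tun0", "10.8.0.2", "198.51.100.7", 443, "users")
    dns_leak = Packet("udp", "out", "em0", "192.168.1.10", "198.51.100.53", 53, "users")
    return {
        "handshake_as_root": evaluate(handshake("wheel"), POSTED_RULES),
        "handshake_after_downgrade": evaluate(handshake("openvpn"), POSTED_RULES),
        "handshake_with_endpoint_rule": evaluate(handshake("wheel"), POSTED_RULES + [ENDPOINT_RULE]),
        "other_app_to_internet": evaluate(other_app, POSTED_RULES),
        "app_inside_tunnel": evaluate(in_tunnel, POSTED_RULES),
        "dns_outside_tunnel": evaluate(dns_leak, POSTED_RULES),
    }


if __name__ == "__main__":
    for name, (number, action) in scenarios().items():
        print(f"{name:30s} -> rule {number:05d} {action}")
```

Running it shows the root-owned handshake hitting rule 00201 while the same datagram is allowed by 00103 once the gid is `openvpn`, the other application's traffic on `em0` being denied (the kill switch itself works), and DNS on `em0` being allowed by 00111. Whether that last result is acceptable depends on where the resolver is meant to go; a kill switch that should also keep DNS inside the tunnel would need those two rules restricted to `via tun0` or to the LAN resolver.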
-
I recently posted a how-to on running Transmission in a jail within FreeNAS so the jail is the only thing running through the VPN and ipfw prevents Transmission from connecting to anything other than the VPN. Thought it might help others trying to do the same: http://forums.freenas.org/index.php?threads/how-to-use-openvpn-ipfw-in-a-jail-so-it-only-connects-to-the-vpn.18669/ Cheers
-
Please see the following guide (courtesy of jessez, thank you very much jessez!): https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-3?do=findComment&comment=2756