Jump to content
Not connected, Your IP: 44.221.43.88
Corsair28

Prevent Leaks with Linux & Firestarter (also Stop traffic when VPN Drops)

Recommended Posts

To worric - Should your instructions to stop traffic when vpn drops work if you are airvpn-over-tor?

To the AirAdmin - I'm NEW :sick: to forums & don't know the "stringy-stuff" etiquette. If its more appropriate to start a new topic - I don't care if you move this - just please explain it to me-

I'm waiting for help on my current issue - and this other topic had a reply that may be related to what My Topic/Subject is asking for Help with-

I'm overwhelmed by iptables in ubuntu - and yet it seems like a miracle that I'm NOW doing airvpn-over-tor successfully - I Need seriously-critical help with blocking All traffic if vpn dis-connects...

Share this post


Link to post
Guest rbj

Worric -

Your setup is now working great for me. Thanks for the help on that one rule.

Share this post


Link to post

Worric thanks! I got the printer working!

So now I have the connection on VPN and when I disconnect the VPN my internet stops working - thanks to the rules in GUFW/UFW on my Ubuntu machine.

What is weird is when I close my laptop (not sure it goes into actual standby mode or what) and come back several hours later to "wake it up", the Wifi connection remains active but the VPN disconnects. At that point if I then browse the internet - my IP shows my "true" IP?! The Firewall remains enabled so i don't understand how this is possible. I toggled the VPN back on and then it all works as expected. Not sure if I need to toggle the firewall too... will try next time this happens. Any ideas what is wrong?

Share this post


Link to post

Hello everyone and thanks worric for the info. I have done all of worric's set up exept the 192.168.1.0/24 home network because it didn't work without using VPN. When I right clicked on my connection information window it said under IPV4 192.168.0.105 for IP address and 192.168.0.255 for broadcast address so I set it up with 192.168.0.0/24 instead and it works without using VPN. Now I'm not quite sure I understand what I'm doing, isn't allowing a"normal" LAN connection defeating the purpose of going through selected port only? I ask this because I downloaded a P2P file through transmission and when done I let it in seeding mode for others until I saw in the terminal that my VPN connection had terminated, and it was still seeding!? So is this what you call a leak or I didn't set this up properly? Also there must be a way to have a warning when the connection stops and there should have an automatic re-connection process when it goes off shouldn't it? I use Linux Mint 13 with gufw

Share this post


Link to post

Worric thanks! I got the printer working!

So now I have the connection on VPN and when I disconnect the VPN my internet stops working - thanks to the rules in GUFW/UFW on my Ubuntu machine.

What is weird is when I close my laptop (not sure it goes into actual standby mode or what) and come back several hours later to "wake it up", the Wifi connection remains active but the VPN disconnects. At that point if I then browse the internet - my IP shows my "true" IP?! The Firewall remains enabled so i don't understand how this is possible. I toggled the VPN back on and then it all works as expected. Not sure if I need to toggle the firewall too... will try next time this happens. Any ideas what is wrong?

Just to clarify: it seems that if my laptop goes into suspend mode, it stops the VPN and the GUFW/UFW. When I later wake the machine up I am back to square one.

Anyone know how to stop this from happening?

Share this post


Link to post

Worric thanks! I got the printer working!

So now I have the connection on VPN and when I disconnect the VPN my internet stops working - thanks to the rules in GUFW/UFW on my Ubuntu machine.

What is weird is when I close my laptop (not sure it goes into actual standby mode or what) and come back several hours later to "wake it up", the Wifi connection remains active but the VPN disconnects. At that point if I then browse the internet - my IP shows my "true" IP?! The Firewall remains enabled so i don't understand how this is possible. I toggled the VPN back on and then it all works as expected. Not sure if I need to toggle the firewall too... will try next time this happens. Any ideas what is wrong?

Just to clarify: it seems that if my laptop goes into suspend mode, it stops the VPN and the GUFW/UFW. When I later wake the machine up I am back to square one.

Anyone know how to stop this from happening?

Hello!

When your laptop wakes up, Ubuntu should execute the script /etc/pm/sleep.d (this admin is assuming that you're running Ubuntu...).

So you might add a restart command for gufw/ufw there, if it is killed when the laptop goes to sleep.

Kind regards

Share this post


Link to post

Sorry - yes I am using Ubuntu 12.04 but I am not a particularly expert Linux user so apologies if I need further explanation. Are you saying I should manually run that command on wake? Is there a way to automate this so I won't forget?

Share this post


Link to post
Guest rbj

Can someone show me how to write one of Worric's iptable rules? It's this one: "sudo allow in on tun0 from any to any port xxxxx" - enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through. I figured out all the rest through research and trial and error.

I know to use "sudo ufw" but after that I'm totally stuck I tried every way I could think of and still can't get it right. And I know this is important.

Thanks.

Share this post


Link to post

I did just that "sudo allow in on tun0 from any to any port (and your port number)" with no problem, the difference is that I never use sudo but rather su and the password so I stay "in" all the time. Maybe you wrote capital "O" instead of the number "0". I used a port in the 50 thousands, try different ones above 2048. I put my chosen forwarded port in Transmission first, I don't know if it made a difference but it worked.

Share this post


Link to post

With Ubuntu 12.04 and gufw, and airvpn (with openvpn), udp, 443

 

I am hoplessly failing to set up gufw, (or understand), to arrange that if the vpn drops out then the browser (firefox) ceases.

 

Examples and previous comments  - various - seem to be using firestarter which seems to be no longer current, or seem to assume knowledge of gufw which I do not yet have :-(

I have used a tutorial and gufw to simply deny all in and out, but allow only the browser, seems to work. But I am mostly inexperienced about ports, and I am very unclear about how gufw should handle openvpn (and airvpn?) (??)

Some novice level details will be much appreciated...

tia

Share this post


Link to post

Can anyone please help with how to use gufw for this? I need to use gui (not script and ufw) to get to understand what goes on....

For example I can use airvpn cassiopia (31.193.12.98) but what do I do in gufw (attached screenshot) to create a useful first rule - hoping for something like worric  did with scripts etc?

tia

Share this post


Link to post

Hi, I used the guide to set up Firestarter, and it looks like it is geting the job done, when the vpn drops I no longer have any connection to the internet. There is a small issu that is worring me thou: When I am looking at the traffic in the Firestarter gui, the wlan0 activity is constantly higher than the tun0. This might be a noob question, but does that mean that some of my traffic is not going throu the VPN??

Share this post


Link to post

Hello,

 

the traffic on the physical interface is equal to the sum of the traffic on the tun interface plus the overhead plus the internal network traffic plus some more (for example ping to VPN server) - so it is always higher than the tun0 traffic. If it's reasonably higher, it's perfectly normal. Browse to our web site and check the central bottom box for additional security (it must be green), or browse to http://ipleak.net

 

Kind regards

Share this post


Link to post

Hi,

 

Since I'm using fedora,

 

can you help me to set up some rules usin firewallD, the default firewall in fedora?

Share this post


Link to post

Many thanks to worric for his gufw instructions. I got it all set up as described. I have to say, having never used gufw before, that it is simple, but it's not very friendly to mistakes. There seems to be no way to easily reorder rules if you mess up. You have to create the rule again, with the correct position number then delete the old one.

While worric's solution works, it appears to cater to someone who wants to only access the internet via VPN and not otherwise (unless the firewall is disabled). I have a slightly different need. I want to only have this kind of protection when I'm running certain programs, e.g. P2P, and otherwise allow normal internet traffic to "leak" if the VPN goes down. Of course, I could just put these rules into a separate firewall profile and switch to it before I run my P2P software, but that's a manual step that is both annoying and dangerous (because you could forget). What would be ideal is a firewall profile that could run all the time, allowing normal internet traffic (with or without the VPN active) and only VPN traffic for specific programs. For programs that allow binding to a specific interface, interface rules would be enough, but some don't have this feature. I think ufw has the ability to filter based on certain apps but I'll need to learn more about how to set that up. So, in theory, what I'm after is possible. If anyone already has some experience with that, I would appreciate some advice. Likewise, if I come up with something on my own, I'll post my solution.

Share this post


Link to post

 

I have a slightly different need. I want to only have this kind of protection when I'm running certain programs, e.g. P2P, and otherwise allow normal internet traffic to "leak" if the VPN goes down.

 

 
You cannot do application-level rules with ufw.
Iptables has an "--uid-owner" option, which isn't application-level either, but you could use it like this:
 
- create a user account "p2puser"
- launch your p2p apps with this new user account
 
- deny traffic coming from user id "p2puser" on eth0/wlan0
- allow all other traffic on eth0/wlan0
 
(eth0 / wlan0 as examples for your non-VPN network interfaces).
 
I have not tried this myself, I loathe iptables. Good luck, I hope someone else has a better idea than this

all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Hello

Trying out the gufw method on a friends PC running Ubuntu 12.04, but no matter if we use the network manager or terminal to run openvpn, the connection drops and resets every 10 seconds or so.

If we dont use a firewall, it does not happen.

Anything we missed here?

 

 

Edit:

We found out of the dropouts, the system clock and date was way off, maybe because we had tinkered with the firewall so much that it could not get the correct date from internet.

Fixed the data and it got stable,removed all GUI firewalls, followed this guide https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-2?do=findComment&comment=2010  to set the iptables manually and the dns lines at the end to prevent dns leaks, now everything works and sites like http://dnsleaktest.com and http://ipleak.net show no leaks and the PC cant access internett without being on VPN.

 

Edit one more time:

Sorry for all the edits here but this is important as after a reboot the dns was back to the normal and the leaks was back.

We tried to set static IP, but it did not help on the dns and editing  /etc/resolv.conf just swaped back.

Searched for an answer, tried to edit the head file, but that only added the static to the top of the line and the rest from dhcp anyway.

Ended up with "sudo apt-get remove resolvconf" in combination with static IP, the resolv.conf did not update anymore and it stays like this after a reboot.

 

Seems like in 12.04 LTS at least, resolvconf does not update from the opendns push settings, so we was better with removing all the auto systems and just do things manually, since this PC just is for vpn use anyway. 

Share this post


Link to post

Seems like in 12.04 LTS at least, resolvconf does not update from the opendns push settings, so we was better with removing all the auto systems and just do things manually, since this PC just is for vpn use anyway. 

 

Hello!

 

Just in case you'll need in the future to accept the DNS push from our servers on a Linux system with resolvconf (or openresolv), please see our guide:

 

https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

 

Kind regards

Share this post


Link to post

Regarding Worrics post:

 

My GUFW looks like this:

g6cl.jpg
 
 
And in worric's post, he had a button to DENY all outgoing traffic, and i only have 1 button, and that is for, what seems to be, Deny all incoming traffic. Do i need that "missing" button in order, to set it up just like worric? I hope someone can explain this to me, because i just cant figure it out.. I have 
GUFW version 9.10.2 which is the latest version for my system: Openmediavault Debian squeeze...
 
Worrics picture:
1gfc.jpg
 
 
I really hope an expert, will help me out here..!
 
Thanks in advance. 

Share this post


Link to post

Some of the newer features of UFW haven't arrived with the version you are
using. And although the GUI version of UFW is nice the command-line version
is much more advanced.

In the following quick tutorial I will try to give
you some guidance to get a simple setup (hopefully) working. This is only
for general guidance. Adjust addresses, port numbers and protocols as
needed. E.g. If your router is on a different IP-address then adjust the
rule to fit to your needs. Also if you want to connect to a different
VPN-server use the IP-address of the server you wish to use. The IP numbers
used here are only as an example.

Keep in mind that rule ordering is
important and the first match wins! The rule which is entered first will end
up higher in the list. At the end I will explain more about this (see point
8).

1.  Open an terminal window and enter the following commands and adjust them
    to your needs.
    Use su to log in as root if you haven't or place sudo before every command.
    the $ represents the prompt in the terminal.

2.  Enable UFW.

    $ ufw enable
    
    This will enable the firewall and now you can add rules.

3.  Set the default behavior to deny all incoming and out going traffic.

    $ ufw default deny out
    $ ufw default deny in
    
    Now all in- and outgoing traffic will be blocked.

4.  Add a rule to allow traffic to your router (only if this is needed).

    $ ufw allow out to 192.168.178.0/24
    
    This will allow traffic to the router/internal network which in this
    case is located on 192.168.178.0/24. If your computer has multiple
    network interfaces you can add the interface which you want to use. E.g.
    
    $ ufw allow out on eth0 to 192.168.178.0/24

    This will allow only connections to the internal network/router on eth0.
    If eth0 is not connected and you use for example the wlan0 connection
    UFW will block the traffic and you will not be able to connect to the
    router/internal network, because only traffic from eth0 is allowed to
    connect to 192.168.178.0/24.

5.  Add a rule to allow traffic to 46.19.137.114 on port 443 with UDP
    traffic. This is the AirVPN_CH-Virginis_UDP-443 server.

    $ ufw allow out to 46.19.137.144 port 443 proto udp
    
    This will allow UDP traffic on port 443 to the Virginis server
    (=46.19.137.144). This is needed to connect to the VPN-server. You can
    add more than one VPN-server by repeating the above rule and adjust the
    IP-address to the server which you want to add. It is also possible to
    specify different port numbers. Just change the port number to the port
    number which is needed to connect to the VPN server. If the proto udp
    part is omitted then tcp and udp traffic is allowed and if it's changed
    to proto tcp then only tcp traffic is allowed.

6.  Add a rule to allow in- and outgoing traffic over tun0. This is the
    traffic from and to the VPN-server.

    $ ufw allow out on tun0
    
    Now it's possible for an application like the browser to connect to
    different sites on the web. All the traffic will go through the vpn
    server.

7.  In the case that you use a bit-torrent client, you will also need to
    allow incoming traffic from the port which is specified by you in the
    bittorrent client (this is the port which is needed to allow peers/seeders
    to connect to the bit-torrent client (NAT).

    $ ufw allow in on tun0 from any to any port 54321
    
    This will enable incoming traffic which is coming from different
    IP-addresses (the peers/seeders which want to connect to your client) to
    connect through the VPN-server connection (which is tun0 here). In this case
    port number 54321 is used, adjust it the correct port number!

8.  If you now enter.

    $ ufw status verbose
    
    You will get a numbered list which something like:
    
        Status: active
        Logging: off
        Default: deny (incoming), deny (outgoing)
        New profiles: skip

        To                         Action      From
        --                         ------      ----
        54321 on tun0              ALLOW IN    Anywhere

        192.168.178.0/24           ALLOW OUT   Anywhere
        46.19.137.114 443          ALLOW OUT   Anywhere
        Anywhere                   ALLOW OUT   Anywhere on tun0
        
    This shows you which rules are applied and what the status of the
    firewall is. When you enter:
    
    $ ufw status numbered
    
    You will get a numbered list. It will look something like this:
    
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 192.168.178.0/24           ALLOW OUT   Anywhere (out)
        [ 2] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 4] 54321 on tun0              ALLOW IN    Anywhere
        
    This is a numbered list. It is important to know that the order of the
    rules is important. If you allow something with rule number 1 which
    allows for example all incoming and outgoing traffic, all the other
    rules which are specified after that will have no effect!

    And as a final notice I will also point to the possibility to delete and
    insert rules. If you enter:
 
    $ ufw delete 1 # and confirm of course
    
    Rule number 1 will be deleted and all the other rules which followed
    rule 1 will shift up in this example the list will look something like
    this (after $ ufw status numbered):
    
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 2] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 3] 54321 on tun0              ALLOW IN    Anywhere
        
    And if you want to add a rule on a specific spot it is possible by using
    the insert command. E.g. we want to add a second VPN-server so we can
    choose a different one in the case one is down (could happen you know
    :-)) or if we want options. The command would look like this;
    
    $ ufw insert 2 allow out to 119.81.1.122 port 443 proto tcp   
    
    # this will add the SG-Sagittarii server
    
    Now on spot number 2 there is a new rule inserted. The other rules will
    shift down. We can generate a new list:
    
    $ ufw status numbered
    
    And the list will look like:
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 2] 119.81.1.122 443/tcp       ALLOW OUT   Anywhere (out)
        [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 4] 54321 on tun0              ALLOW IN    Anywhere

This concludes the tutorial. Use it to you benefit and I hope some things
get a little bit clearer. Make the appropriate changes for you setup and
expand on it. And again the GUI version is nice, but the command-line
version is beter, it only takes a little bit of time to get used to it.

 

Share this post


Link to post

I installed ufw & gufw & had a bit of a go tonight. I had to modify the procedure some, as Manjaro (Arch) uses systemd. Even so, I have all sorts of errors going on. My problem I know.

 

It looks like perhaps ufw won't tolerate IPv6 being disabled, by the look of this anyway:

 

 

# ufw status

WARN: / is world writable!

WARN: / is group writable!

Traceback (most recent call last):

  File "/usr/bin/ufw", line 95, in <module>

    ui = ufw.frontend.UFWFrontend(pr.dryrun)

  File "/usr/lib/python2.7/site-packages/ufw/frontend.py", line 153, in __init__

    self.backend = UFWBackendIptables(dryrun)

  File "/usr/lib/python2.7/site-packages/ufw/backend_iptables.py", line 45, in __init__

    ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files)

  File "/usr/lib/python2.7/site-packages/ufw/backend.py", line 88, in __init__

    nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)

  File "/usr/lib/python2.7/site-packages/ufw/util.py", line 734, in get_netfilter_capabilities

    raise OSError(errno.ENOENT, out)

OSError: [Errno 2] ip6tables v1.4.20: can't initialize ip6tables table `filter': Address family not supported by protocol

Perhaps ip6tables or your kernel needs to be upgraded.

 

I'm running kernel: x86_64 Linux 3.12.5-1-MANJARO

 

 

edit:  I'm now running IPTables so the above is now unimportant to me.

Share this post


Link to post

Personally I'm using gufw for linux, and it works very well.

 

However, it's important to remember that gufw is just a graphical frontend for ufw, and ufw, in turn, is just a friendlier system for manipulating IPTABLES (which is again a system for manipulating netfilter directly in the running kernel).

 

Gufw is perhaps over simplified, which is why I find it not really that great for anything else than providing an overview of your rules and turning the firewall on an off.

With regards to firestarter, I have tried it once, but I didn't really have any good experience with it, since, as you guys have already posted, it seems rather poorly coded and does some odd things when manipulating IPTABLES.

 

What I found invaluable about ufw is its ability to specify rules based on interface and its simplictity even though its quite powerful. This was my main motivation for using it over other solutions like Firestarter, and Shorewall was too complicated for my taste.

 

My rule approach goes like this:

Allow connections OUT to AirVPN servers I use the most (for connecting/reconnecting to the AirVPN service, entry IP's, marked RED on the screenshot)

Allow connections OUT FROM the tun0 interface TO anywhere (when I'm connected, this is the interface used to communicate to the Internet, marked GREEN on the screenshot)

Allow connections (UDP/TCP) IN TO the tun0 interface to a specific port (to enable AirVPN's port forwarding feature, marked BLUE on the screeshot)

Allow connections IN FROM the 192.168.1.0/24 network TO the eth0 interface (enable home networking. Notice how it's on a different interface, YELLOW)

Allow connections OUT FROM the eth0 interface TO the 192.168.1.0/24 network (enable home networking, also on the eth0 interface, YELLOW)

 

Block ALL other traffic (by choosing DENY/DENY in gufw)

 

When the VPN drops (and the tun0 interface is disabled), the only connections allowed OUT from the computer are to the AirVPN server IP's (to reconnect) and the local 192.168.1.0/24 network (to still function in the LAN). And the only connections allowed TO the computer are from the local network as well. No leaks.

 

Now, the gufw GUI doesn't allow for specifying the interface (remember, it's over simplified), so to do that, it's necessary to use ufw directly. Gufw can, however, display the rules when created by ufw.

For example:

 

"sudo allow out on tun0 from any to any" - is quite straightforward, and of course creates the rule that allows for communication TO the Internet when connected to AirVPN.

 

"sudo allow in on tun0 from any to any port xxxxx" - enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through.

 

Tips:

- the order of the rules is very important - mimic mine on the screenshot attached

- to add rules in a specific order from the command line, use "insert x": "sudo insert 3 allow in on tun0 from any to any port xxxxx" - inserts the rule at the 3rd position and moves rules below it downward, includin the previous rule nr 3.

- when adding rules via the commandline, press F5 in gufw to force a refresh and view the newly added rule

- the UFW manual is well worth reading, although you may not need any more information than offered in this post

- with this approach, you're blocking multicasting addresses possibly forwarded by your router. Just a thing to have in mind in case you need it; it is of couse easily remedied by creating a new rule allowing the address(es).

 

Let me know how this works for ya

 

 

Isn't there a way to export those settings so we can just import them?

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...