
Prevent Leaks with Linux & Firestarter (also Stop traffic when VPN Drops)

Linux Firestarter gufw ufw

82 replies to this topic

#41 neverfox

    Member

  • Members
  • 14 posts

Posted 14 September 2013 - 10:56 PM

Many thanks to worric for his gufw instructions. I got it all set up as described. I have to say, having never used gufw before, that it is simple, but it's not very friendly to mistakes. There seems to be no way to easily reorder rules if you mess up. You have to create the rule again, with the correct position number then delete the old one.

While worric's solution works, it appears to cater to someone who wants to only access the internet via VPN and not otherwise (unless the firewall is disabled). I have a slightly different need. I want to only have this kind of protection when I'm running certain programs, e.g. P2P, and otherwise allow normal internet traffic to "leak" if the VPN goes down. Of course, I could just put these rules into a separate firewall profile and switch to it before I run my P2P software, but that's a manual step that is both annoying and dangerous (because you could forget). What would be ideal is a firewall profile that could run all the time, allowing normal internet traffic (with or without the VPN active) and only VPN traffic for specific programs. For programs that allow binding to a specific interface, interface rules would be enough, but some don't have this feature. I think ufw has the ability to filter based on certain apps but I'll need to learn more about how to set that up. So, in theory, what I'm after is possible. If anyone already has some experience with that, I would appreciate some advice. Likewise, if I come up with something on my own, I'll post my solution.



#42 sheivoko

    Advanced Member

  • Members
  • 214 posts

Posted 18 September 2013 - 08:02 PM

 

> I have a slightly different need. I want to only have this kind of protection when I'm running certain programs, e.g. P2P, and otherwise allow normal internet traffic to "leak" if the VPN goes down.

You cannot do application-level rules with ufw.
Iptables has an "--uid-owner" option, which isn't application-level either, but you could use it like this:
 
- create a user account "p2puser"
- launch your p2p apps with this new user account
 
- deny traffic coming from user id "p2puser" on eth0/wlan0
- allow all other traffic on eth0/wlan0
 
(eth0 / wlan0 as examples for your non-VPN network interfaces).
 
I have not tried this myself, I loathe iptables. Good luck, I hope someone else has a better idea than this :)

all of my content is released under CC-BY-SA 2.0


#43 Zack

    Newbie

  • Members
  • 3 posts

Posted 04 October 2013 - 11:45 PM

Hello

Trying out the gufw method on a friend's PC running Ubuntu 12.04, but no matter if we use the network manager or the terminal to run openvpn, the connection drops and resets every 10 seconds or so.

If we don't use a firewall, it does not happen.

Anything we missed here?

 

 

Edit:

We found the cause of the dropouts: the system clock and date were way off, maybe because we had tinkered with the firewall so much that it could not get the correct date from the internet.

Fixed the date and it got stable, removed all GUI firewalls, followed this guide https://airvpn.org/topic/1713-win-mac-bsd-block-traffic-when-vpn-disconnects/page-2#entry2010 to set the iptables manually and the dns lines at the end to prevent dns leaks; now everything works and sites like http://dnsleaktest.com and http://ipleak.net show no leaks and the PC can't access the internet without being on VPN.

 

Edit one more time:

Sorry for all the edits here but this is important, as after a reboot the dns was back to normal and the leaks were back.

We tried to set a static IP, but it did not help on the dns and editing /etc/resolv.conf just swapped back.

Searched for an answer, tried to edit the head file, but that only added the static entry at the top and the rest came from dhcp anyway.

Ended up with "sudo apt-get remove resolvconf" in combination with a static IP; the resolv.conf does not update anymore and it stays like this after a reboot.

Seems like in 12.04 LTS at least, resolvconf does not update from the opendns push settings, so we were better off removing all the auto systems and just doing things manually, since this PC is just for vpn use anyway.



#44 Staff

    Advanced Member

  • Staff
  • 7797 posts

Posted 31 October 2013 - 01:48 PM

> Seems like in 12.04 LTS at least, resolvconf does not update from the opendns push settings, so we were better off removing all the auto systems and just doing things manually, since this PC is just for vpn use anyway.

 

Hello!

 

Just in case you need, in the future, to accept the DNS push from our servers on a Linux system with resolvconf (or openresolv), please see our guide:

 

https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

 

Kind regards



#45 Dannermax

    Newbie

  • Members
  • 1 posts

Posted 02 November 2013 - 01:03 AM

Regarding Worric's post:

My GUFW looks like this:

[image: g6cl.jpg]

And in worric's post, he had a button to DENY all outgoing traffic, and I only have 1 button, and that is for, what seems to be, Deny all incoming traffic. Do I need that "missing" button in order to set it up just like worric? I hope someone can explain this to me, because I just can't figure it out.. I have
GUFW version 9.10.2 which is the latest version for my system: Openmediavault Debian squeeze...

Worric's picture:
[image: 1gfc.jpg]

I really hope an expert will help me out here..! :)

Thanks in advance.


#46 randombit

    Newbie

  • Members
  • 2 posts

Posted 12 December 2013 - 05:26 PM

Some of the newer features of UFW haven't arrived with the version you are
using. And although the GUI version of UFW is nice the command-line version
is much more advanced.

In the following quick tutorial I will try to give
you some guidance to get a simple setup (hopefully) working. This is only
for general guidance. Adjust addresses, port numbers and protocols as
needed. E.g. If your router is on a different IP-address then adjust the
rule to fit to your needs. Also if you want to connect to a different
VPN-server use the IP-address of the server you wish to use. The IP numbers
used here are only as an example.

Keep in mind that rule ordering is
important and the first match wins! The rule which is entered first will end
up higher in the list. At the end I will explain more about this (see point
8).

1.  Open a terminal window and enter the following commands and adjust them
    to your needs.
    Use su to log in as root if you haven't or place sudo before every command.
    The $ represents the prompt in the terminal.

2.  Enable UFW.

    $ ufw enable
    
    This will enable the firewall and now you can add rules.

3.  Set the default behavior to deny all incoming and outgoing traffic.

    $ ufw default deny out
    $ ufw default deny in
    
    Now all in- and outgoing traffic will be blocked.

4.  Add a rule to allow traffic to your router (only if this is needed).

    $ ufw allow out to 192.168.178.0/24
    
    This will allow traffic to the router/internal network which in this
    case is located on 192.168.178.0/24. If your computer has multiple
    network interfaces you can add the interface which you want to use. E.g.
    
    $ ufw allow out on eth0 to 192.168.178.0/24

    This will allow only connections to the internal network/router on eth0.
    If eth0 is not connected and you use for example the wlan0 connection
    UFW will block the traffic and you will not be able to connect to the
    router/internal network, because only traffic from eth0 is allowed to
    connect to 192.168.178.0/24.

5.  Add a rule to allow traffic to 46.19.137.114 on port 443 with UDP
    traffic. This is the AirVPN_CH-Virginis_UDP-443 server.

    $ ufw allow out to 46.19.137.114 port 443 proto udp
    
    This will allow UDP traffic on port 443 to the Virginis server
    (=46.19.137.114). This is needed to connect to the VPN-server. You can
    add more than one VPN-server by repeating the above rule and adjust the
    IP-address to the server which you want to add. It is also possible to
    specify different port numbers. Just change the port number to the port
    number which is needed to connect to the VPN server. If the proto udp
    part is omitted then tcp and udp traffic is allowed and if it's changed
    to proto tcp then only tcp traffic is allowed.

6.  Add a rule to allow in- and outgoing traffic over tun0. This is the
    traffic from and to the VPN-server.

    $ ufw allow out on tun0
    
    Now it's possible for an application like the browser to connect to
    different sites on the web. All the traffic will go through the vpn
    server.

7.  In the case that you use a bit-torrent client, you will also need to
    allow incoming traffic from the port which is specified by you in the
    bittorrent client (this is the port which is needed to allow peers/seeders
    to connect to the bit-torrent client through NAT).

    $ ufw allow in on tun0 from any to any port 54321
    
    This will enable incoming traffic which is coming from different
    IP-addresses (the peers/seeders which want to connect to your client) to
    connect through the VPN-server connection (which is tun0 here). In this case
    port number 54321 is used, adjust it to the correct port number!

8.  If you now enter:

    $ ufw status verbose
    
    You will get a list which looks something like this:
    
        Status: active
        Logging: off
        Default: deny (incoming), deny (outgoing)
        New profiles: skip

        To                         Action      From
        --                         ------      ----
        54321 on tun0              ALLOW IN    Anywhere

        192.168.178.0/24           ALLOW OUT   Anywhere
        46.19.137.114 443          ALLOW OUT   Anywhere
        Anywhere                   ALLOW OUT   Anywhere on tun0
        
    This shows you which rules are applied and what the status of the
    firewall is. When you enter:
    
    $ ufw status numbered
    
    You will get a numbered list. It will look something like this:
    
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 192.168.178.0/24           ALLOW OUT   Anywhere (out)
        [ 2] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 4] 54321 on tun0              ALLOW IN    Anywhere
        
    This is a numbered list. It is important to know that the order of the
    rules is important. If you allow something with rule number 1 which
    allows for example all incoming and outgoing traffic, all the other
    rules which are specified after that will have no effect!

    And as a final notice I will also point to the possibility to delete and
    insert rules. If you enter:
 
    $ ufw delete 1 # and confirm of course
    
    Rule number 1 will be deleted and all the other rules which followed
    rule 1 will shift up. In this example the list will look something like
    this (after $ ufw status numbered):
    
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 2] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 3] 54321 on tun0              ALLOW IN    Anywhere
        
    And if you want to add a rule on a specific spot it is possible by using
    the insert command. E.g. we want to add a second VPN-server so we can
    choose a different one in the case one is down (could happen you know
    :-)) or if we want options. The command would look like this:
    
    $ ufw insert 2 allow out to 119.81.1.122 port 443 proto tcp
    
    # this will add the SG-Sagittarii server
    
    Now on spot number 2 there is a new rule inserted. The other rules will
    shift down. We can generate a new list:
    
    $ ufw status numbered
    
    And the list will look like:

        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 2] 119.81.1.122 443/tcp       ALLOW OUT   Anywhere (out)
        [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 4] 54321 on tun0              ALLOW IN    Anywhere

This concludes the tutorial. Use it to your benefit and I hope some things
get a little bit clearer. Make the appropriate changes for your setup and
expand on it. And again the GUI version is nice, but the command-line
version is better, it only takes a little bit of time to get used to it.

 



#47 mr.Rhee

    Advanced Member

  • Members
  • 44 posts

Posted 19 December 2013 - 09:15 AM

Awesome how-to randombit. :D

 

I'll go through & apply that tomorrow...



#48 mr.Rhee

    Advanced Member

  • Members
  • 44 posts

Posted 19 December 2013 - 10:31 AM

I installed ufw & gufw & had a bit of a go tonight. I had to modify the procedure some, as Manjaro (Arch) uses systemd. Even so, I have all sorts of errors going on. My problem I know.

 

It looks like perhaps ufw won't tolerate IPv6 being disabled, by the look of this anyway:

 

 

    # ufw status
    WARN: / is world writable!
    WARN: / is group writable!
    Traceback (most recent call last):
      File "/usr/bin/ufw", line 95, in <module>
        ui = ufw.frontend.UFWFrontend(pr.dryrun)
      File "/usr/lib/python2.7/site-packages/ufw/frontend.py", line 153, in __init__
        self.backend = UFWBackendIptables(dryrun)
      File "/usr/lib/python2.7/site-packages/ufw/backend_iptables.py", line 45, in __init__
        ufw.backend.UFWBackend.__init__(self, "iptables", dryrun, files)
      File "/usr/lib/python2.7/site-packages/ufw/backend.py", line 88, in __init__
        nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
      File "/usr/lib/python2.7/site-packages/ufw/util.py", line 734, in get_netfilter_capabilities
        raise OSError(errno.ENOENT, out)
    OSError: [Errno 2] ip6tables v1.4.20: can't initialize ip6tables table `filter': Address family not supported by protocol
    Perhaps ip6tables or your kernel needs to be upgraded.

 

I'm running kernel: x86_64 Linux 3.12.5-1-MANJARO

 

 

edit:  I'm now running IPTables so the above is now unimportant to me.



#49 michaeljordan

    Newbie

  • Members
  • 3 posts

Posted 23 December 2013 - 11:22 PM

> Personally I'm using gufw for linux, and it works very well.
>
> However, it's important to remember that gufw is just a graphical frontend for ufw, and ufw, in turn, is just a friendlier system for manipulating IPTABLES (which is again a system for manipulating netfilter directly in the running kernel).
>
> Gufw is perhaps over simplified, which is why I find it not really that great for anything else than providing an overview of your rules and turning the firewall on and off.
> With regards to firestarter, I have tried it once, but I didn't really have any good experience with it, since, as you guys have already posted, it seems rather poorly coded and does some odd things when manipulating IPTABLES.
>
> What I found invaluable about ufw is its ability to specify rules based on interface and its simplicity even though it's quite powerful. This was my main motivation for using it over other solutions like Firestarter, and Shorewall was too complicated for my taste.
>
> My rule approach goes like this:
> Allow connections OUT to AirVPN servers I use the most (for connecting/reconnecting to the AirVPN service, entry IPs, marked RED on the screenshot)
> Allow connections OUT FROM the tun0 interface TO anywhere (when I'm connected, this is the interface used to communicate to the Internet, marked GREEN on the screenshot)
> Allow connections (UDP/TCP) IN TO the tun0 interface to a specific port (to enable AirVPN's port forwarding feature, marked BLUE on the screenshot)
> Allow connections IN FROM the 192.168.1.0/24 network TO the eth0 interface (enable home networking. Notice how it's on a different interface, YELLOW)
> Allow connections OUT FROM the eth0 interface TO the 192.168.1.0/24 network (enable home networking, also on the eth0 interface, YELLOW)
>
> Block ALL other traffic (by choosing DENY/DENY in gufw)
>
> When the VPN drops (and the tun0 interface is disabled), the only connections allowed OUT from the computer are to the AirVPN server IPs (to reconnect) and the local 192.168.1.0/24 network (to still function in the LAN). And the only connections allowed TO the computer are from the local network as well. No leaks.
>
> Now, the gufw GUI doesn't allow for specifying the interface (remember, it's over simplified), so to do that, it's necessary to use ufw directly. Gufw can, however, display the rules when created by ufw.
> For example:
>
> "sudo ufw allow out on tun0 from any to any" - is quite straightforward, and of course creates the rule that allows for communication TO the Internet when connected to AirVPN.
>
> "sudo ufw allow in on tun0 from any to any port xxxxx" - enables the port forwarding feature by allowing packets to the specified port on the tun0 interface to pass through.
>
> Tips:
> - the order of the rules is very important - mimic mine on the screenshot attached
> - to add rules in a specific order from the command line, use "insert x": "sudo ufw insert 3 allow in on tun0 from any to any port xxxxx" - inserts the rule at the 3rd position and moves rules below it downward, including the previous rule nr 3.
> - when adding rules via the command line, press F5 in gufw to force a refresh and view the newly added rule
> - the UFW manual is well worth reading, although you may not need any more information than offered in this post :)
> - with this approach, you're blocking multicast addresses possibly forwarded by your router. Just a thing to have in mind in case you need it; it is of course easily remedied by creating a new rule allowing the address(es).
>
> Let me know how this works for ya :)

Isn't there a way to export those settings so we can just import them?



#50 michaeljordan

    Newbie

  • Members
  • 3 posts

Posted 28 December 2013 - 12:12 PM

no way?



#51 JamesDean

    Advanced Member

  • Members
  • 75 posts

Posted 03 January 2014 - 08:18 PM

> Some of the newer features of UFW haven't arrived with the version you are
> using. And although the GUI version of UFW is nice the command-line version
> is much more advanced.
>
> In the following quick tutorial...

This was a GREAT tutorial! Worked perfectly, thanks!



#52 JamesDean

    Advanced Member

  • Members
  • 75 posts

Posted 03 January 2014 - 08:22 PM

  :)

> Isn't there a way to export those settings so we can just import them?

Just open up a text editor and paste all his commands in after you type sudo, then change for your setup eth0, wlan0, network and mask, IPs of the servers you want (from the ovpn file set up to resolve in advanced settings) etc... Copy into terminal one by one. Took me a few minutes.



#53 acacia

    Member

  • Members
  • 14 posts

Posted 07 May 2014 - 07:40 PM

> .... I have a slightly different need. I want to only have this kind of protection when I'm running certain programs, e.g. P2P, and otherwise allow normal internet traffic to "leak" if the VPN goes down. Of course, I could just put these rules into a separate firewall profile and switch to it before I run my P2P software, but that's a manual step that is both annoying and dangerous (because you could forget). What would be ideal is a firewall profile that could run all the time, allowing normal internet traffic (with or without the VPN active) and only VPN traffic for specific programs. For programs that allow binding to a specific interface, interface rules would be enough, but some don't have this feature. I think ufw has the ability to filter based on certain apps but I'll need to learn more about how to set that up. So, in theory, what I'm after is possible. If anyone already has some experience with that, I would appreciate some advice. Likewise, if I come up with something on my own, I'll post my solution.

The solution I found is to simply ALLOW outgoing traffic through the gufw button when I do not care about leaking, and to DENY outgoing traffic when I want NO leaking.



#54 acacia

    Member

  • Members
  • 14 posts

Posted 07 May 2014 - 07:49 PM

Thank you worric!

 

it works with debian wheezy and gufw+ufw

 

At first I had problems reconnecting because I had no idea what the server's IP was. However:

  1. I was confusing my public airvpn IP with the airvpn server's IP, it's NOT the same.
  2. Server IP can be found in its specific server.ovpn file generated to connect. If the file is opened with a text editor (gedit or pluma, for example) one can find "remote xx.xx.xx.xx" where the xx are the server's IP.
  3. The IP is only available in server.ovpn files and NOT in continent.ovpn or country.ovpn files.

So when leaking is not a real problem, or I want to connect to a continent.ovpn or country.ovpn server: I ALLOW outgoing traffic through gufw,

and when I want to avoid leaking or am using a server.ovpn I DENY outgoing through gufw.

I am guessing/experiencing this is the way to do it right.

 

Thank you again.



#55 sheivoko

    Advanced Member

  • Members
  • 214 posts

Posted 08 May 2014 - 02:42 AM

> The IP is only available in server.ovpn files and NOT in continent.ovpn or country.ovpn files.

In fact, you can get IPs in the continent/country .ovpn files!
In the config generator at https://airvpn.org/generator/ , choose your continent/country, check "Advanced Mode" and enable "Resolved hosts in .ovpn file".
You can now take all the IPs from the .ovpn file and add them all to your firewall configuration. After that, it should no longer be necessary for you to disable ufw for using the continent/country .ovpn files.

Please try it that way; if it doesn't work (or if I haven't fully understood your use case), ask again.

all of my content is released under CC-BY-SA 2.0


#56 acacia

    Member

  • Members
  • 14 posts

Posted 09 May 2014 - 09:23 PM

 

> > The IP is only available in server.ovpn files and NOT in continent.ovpn or country.ovpn files.
>
> In fact, you can get IPs in the continent/country .ovpn files!
> In the config generator at https://airvpn.org/generator/ , choose your continent/country, check "Advanced Mode" and enable "Resolved hosts in .ovpn file".
> You can now take all the IPs from the .ovpn file and add them all to your firewall configuration. After that, it should no longer be necessary for you to disable ufw for using the continent/country .ovpn files.
>
> Please try it that way; if it doesn't work (or if I haven't fully understood your use case), ask again.

Thank you sheivoko, works perfectly.



#57 CriticalRabbit

    Advanced Member

  • Members
  • 66 posts

Posted 12 August 2014 - 10:51 AM

Okay, I'm getting mega frustrated with this, as I cannot get this to work!!

 

Here's my setup.

 

I'm using a PC with Debian and it is directly connected to the wifi hub via an ethernet cable.

 

The confusion:

 

1: Do I need to type this? I've no idea what this means and if I need to add this line of text: $ ufw allow out to 192.168.178.0/24?

2: I've tried this line (e.g. ufw allow out to 192.168.178.0/24) and then the following: ufw allow out to 46.19.137.144 port 443 proto udp and ufw allow out on tun0, and I cannot connect the VPN. What am I doing wrong here?



#58 sheivoko

    Advanced Member

  • Members
  • 214 posts

Posted 13 August 2014 - 11:55 AM

ufw allow out to 192.168.178.0/24

the rule allows you to connect to LAN addresses 192.168.178.1 to 192.168.178.254. Make sure that this is the correct address range for your LAN (check "ifconfig" if you're not sure).
Such a rule should not be necessary for VPN connectivity. If you need access to other LAN machines (e.g. the router's web interface), you may add the rule.

ufw allow out to 46.19.137.144 port 443 proto udp

This rule's syntax is correct, it would let you use the VPN server at 46.19.137.144, 443/UDP.
The problem is, there's no such server! I've checked "AirVPN_All-servers_UDP-443.ovpn", there's no such entry IP. AirVPN exit IPs are different from AirVPN entry IPs!

As an example, if you want to use the "Cephei" server and have downloaded its configuration file "AirVPN_CA-Cephei_UDP-443.ovpn", it will contain the line:
remote 184.75.214.162 443
This is the entry IP for Cephei, the one you need to allow access to in your firewall.

ufw default deny outgoing
ufw default deny incoming
ufw allow out to 184.75.214.162 port 443 proto udp
ufw allow out on tun0

This rule set should allow you to use VPN server Cephei on 443/UDP.

If this did not resolve your problem, please be more verbose than "cannot connect". Go step by step to see where the problem lies:

Ping the correct entry server IP with firewall disabled ("ufw disable"). If you get a response, enable the firewall ("ufw enable") and ping again:
- If you don't get a response, fix the firewall rules.
- If you get a response, proceed. Connect with openvpn, if it doesn't connect, look at openvpn's log entries. It might be a good idea to use openvpn on the command line (instead of connecting with GUI network managers) to see the connection log.

all of my content is released under CC-BY-SA 2.0
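The tutorial in #46 and the entry-IP point in #58 combined, as an added example that is not code from the thread or from AirVPN: a small POSIX sh script that reads the "remote <ip> <port>" lines of an .ovpn file (the "Resolved hosts in .ovpn file" output) and prints randombit's ufw kill-switch rule set with those entry addresses filled in, so nothing is copied by hand. The function names and the sample config are constructed for this example; the script only prints the ufw commands, it does not run them.

```shell
#!/bin/sh
# Added example: build the ufw kill-switch rule set from an .ovpn file.
# Rules are printed for review; run them as root once checked.

# Print "ip port proto" for every numeric remote in an .ovpn file.
# Hostname remotes are skipped (firewall rules need IPs), which is why the
# generator's "Resolved hosts in .ovpn file" option matters. proto comes
# from the file's "proto" line (default udp); a remote without a port gets
# OpenVPN's default port 1194.
ovpn_remotes() {
    ovpn="$1"
    proto=$(awk '$1 == "proto" { print tolower($2); exit }' "$ovpn")
    case "$proto" in
        tcp*) proto=tcp ;;
        *)    proto=udp ;;
    esac
    awk -v p="$proto" '
        $1 == "remote" && $2 ~ /^[0-9.]+$/ {
            print $2, ($3 == "" ? 1194 : $3), p
        }' "$ovpn"
}

# Emit the rule set in the order randombit gives (first match wins in ufw):
# deny both directions by default, optionally allow the LAN, allow each
# entry server on its port/proto, allow everything out over tun0, and
# optionally allow one inbound forwarded port on tun0.
# Arguments: ovpn-file [lan-cidr] [forwarded-port]
gen_ufw_rules() {
    ovpn="$1"; lan="$2"; fwd_port="$3"
    printf 'ufw default deny outgoing\n'
    printf 'ufw default deny incoming\n'
    [ -n "$lan" ] && printf 'ufw allow out to %s\n' "$lan"
    ovpn_remotes "$ovpn" | while read -r ip port proto; do
        printf 'ufw allow out to %s port %s proto %s\n' "$ip" "$port" "$proto"
    done
    printf 'ufw allow out on tun0\n'
    [ -n "$fwd_port" ] && printf 'ufw allow in on tun0 from any to any port %s\n' "$fwd_port"
    return 0
}

# Constructed sample config (not a real AirVPN file): the Cephei entry IP
# from sheivoko's post, a made-up hostname remote that must be skipped,
# and the Virginis address from the tutorial.
SAMPLE_OVPN=$(mktemp)
trap 'rm -f "$SAMPLE_OVPN"' EXIT
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto udp
remote 184.75.214.162 443
remote vpn-entry.example.invalid 443
remote 46.19.137.114 443
resolv-retry infinite
EOF

# Usage: LAN 192.168.178.0/24 as in the tutorial, forwarded port 54321.
gen_ufw_rules "$SAMPLE_OVPN" 192.168.178.0/24 54321
```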


#59 CriticalRabbit

    Advanced Member

  • Members
  • 66 posts

Posted 13 August 2014 - 07:06 PM

Hi,

 

Thank you for replying.

 

I did as you suggested and added the four rules (see below) but I still cannot connect to the VPN; it just remains on 'authenticating'. I did note, however, that when I add the rule "ufw allow out on tun0" I get two entries in gufw; I get "Anywhere ALLOW OUT Anywhere on tun0 (out)" and I get "Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0 (out)". Do you think this is my problem?

 

e.g.

ufw default deny outgoing
ufw default deny incoming
ufw allow out to 184.75.214.162 port 443 proto udp
ufw allow out on tun0



#60 Believer_01

    Newbie

  • Members
  • 8 posts

Posted 13 August 2014 - 11:03 PM

Hello guys,

I will try the setup for ufw but I have one question:

In the posts some IPs of the most-used servers are mentioned; how can I know the IP of the servers I use, to add a rule for them?
Thanks.






