In Network Manager I set my Wifi to "Automatically connect to VPN". When you click to connect, you'll see the Wifi applet blinking for about 10 seconds before you connect to the VPN server. In this short time frame, you're able to access the actual network you're on without the VPN. I tested this by setting whatismyip.com as my homepage, opening the browser in that brief moment, and seeing my actual IP address. Practically speaking, this can be a concern if you try switching VPN exit nodes in the middle of a browsing session using the "Automatically connect" in an attempt to not expose the session - the sites you have open might be visible to your ISP for that brief glimpse. Just thought I'd like to point out the minor issue. Debian handled "Automatically connect" the same way as Ubuntu.
It's entirely possible that automated update checking and other features that "call home" would also deanonymize you unless your system is prevented from making any direct connections.
One solution is not switching VPN routes while browsing. Another is installing <https://github.com/adrelanos/VPN-Firewall>. Configure it to allow traffic to all of the VPN server IPs that you'll be using. To do that, you edit /usr/bin/vpnfirewall:
```
###########################
## configuration
###########################

## IP address of the VPN server.
## Get the IP using: nslookup vpn-example-server.org
## Example: seattle.vpn.riseup.net
## Some providers provide multiple VPN servers.
## You can enter multiple IP addresses, separated by spaces
VPN_SERVERS="198.252.153.26"

## For OpenVPN.
VPN_INTERFACE=tun0

## Destinations you do not want routed through the VPN.
LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"
```
If you're using WiFi, "VPN_INTERFACE" should probably be "wlan0". Then start VPN-Firewall as explained. Now no traffic can get out, except to VPN servers. Not even DNS lookups.
This is similar to what we do to static. We static through the VPN, but provide no statics outside of the VPN. Therefore it's impossible for any traffic to traverse outside of the VPN static route.
Like Mirimir, I prefer to use a firewall structure to protect me (from myself) even if I make a mistake. Once I bring up the machine and start iptables locking down to tun0, it becomes the only way in and out. I would like to think I wouldn't make such a stupid mistake, but hey, I've seen "ME" do it before. Being lazy, I simply use an auto-revolving TOR circuit at the end of the chain. No need to drop the browser; it all happens every 10 minutes in the background.
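Added example, not written by any poster in this thread and not the VPN-Firewall project's own code: a sketch of the fail-closed rule set that the VPN-Firewall configuration and the "lock down to tun0" approach above both describe. The function name `gen_killswitch_rules` is hypothetical; the variable names and sample values are the ones quoted in the thread.

```shell
#!/bin/sh
# Illustration only: prints rules, changes nothing on the system.
VPN_SERVERS="198.252.153.26"
VPN_INTERFACE="tun0"
LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"

# Print a default-deny filter table in iptables-restore format.
gen_killswitch_rules() {
    # DNS is blocked once the rules load, so hostnames cannot be
    # resolved later: accept only numeric IPv4 server entries.
    [ -n "$VPN_SERVERS" ] || { echo "VPN_SERVERS is empty" >&2; return 1; }
    for ip in $VPN_SERVERS; do
        case "$ip" in
            *[!0-9.]*) echo "not an IPv4 address: $ip" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "*filter"
    # Anything not explicitly accepted below is dropped, including
    # traffic sent while the VPN is still connecting or has dropped.
    printf '%s\n' ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" ":OUTPUT DROP [0:0]"
    # Loopback, and replies to connections this host initiated.
    printf '%s\n' "-A INPUT -i lo -j ACCEPT" "-A OUTPUT -o lo -j ACCEPT"
    printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The encrypted tunnel may leave on the physical interface,
    # but only towards the listed VPN servers.
    for ip in $VPN_SERVERS; do
        printf '%s\n' "-A OUTPUT -d $ip -j ACCEPT"
    done
    # All other outbound traffic must use the tunnel device.
    printf '%s\n' "-A OUTPUT -o $VPN_INTERFACE -j ACCEPT"
    # Destinations that are deliberately not routed through the VPN.
    for net in $LOCAL_NET; do
        printf '%s\n' "-A OUTPUT -d $net -j ACCEPT"
    done
    printf '%s\n' "COMMIT"
}

# Review the output, then load it as root with: iptables-restore
# IPv6 needs its own default-deny table (ip6tables-restore).
gen_killswitch_rules
```

Because the OUTPUT policy is DROP and the only non-tunnel exception is the server list, the roughly 10-second window described in the first post sends nothing except the VPN handshake itself.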