I've read a few guides regarding this and all of them mentioned that if you disconnect from your VPN server and want to re-connect, you'll need to temporarily disable UFW or else you won't be able to use the internet at all, including to connect to the VPN server. Is this true? Also, is it possible to write app-specific rules instead of applying a system-wide rule? Thank you for the answers.
Just use Adrelanos' VPN-Firewall: https://github.com/adrelanos/VPN-Firewall You specify the IPs of the VPN servers that you're using, so you can reconnect to them if the VPN fails. If you like, you can use the iptables-persistent package to make the rulesets persistent. Once you become a little familiar with the format, editing /etc/iptables/rules.v4 and /etc/iptables/rules.v6 is not too hard. The rulesets that VPN-Firewall gives you are a solid starting point.
Ufw allows you to set up per-app rules, but it's actually the same as the usual port-based rules; they are internally transferred to port-based rules by /etc/ufw/application.d/ If you want to fully control each app like Windows, I think the only way will be to directly edit iptables with --pid-owner, but its problem is that it's PID based, so to achieve Windows-like control you have to dynamically generate rules, which Droidwall does on Android. I don't know if there's any app which does this on Linux.
The UFW part is how I have total control over my system. Even though several of my vpn providers have excellent clients I still use UFW as my personal stop gap for any unseen client issues. I use UFW along with the clients. To me it's worth the five seconds of my time while bringing up my linux host each session. Since you are asking about UFW it must mean you are on linux as well. The vpn tunnel will leave your machine on what your system calls tun0. So, simply connect via your client or openvpn network manager. Once the connection is made, use the terminal to set ufw to a tun0 ONLY rule. In other words NOTHING leaves or comes in unless it's going through tun0. What Mirimir suggested would work too. I use wayyyyy too many servers to be bothered with entering the IP of each into my firewall as he describes. I am somewhat unique in how many servers I connect to. If you are interested I can post the ufw ruleset I use. It's basically one rule that allows ONLY tun0 and ONLY on IPV4. I can enable and disable ufw in less than 5 seconds. One added bonus is that this approach isolates my "hobby" machine from all other devices on my network. INTRA-net has some dangers as well.
@mirimir Thanks. I'll look into it. @142395 That's unfortunate to know. @Palancar I'm not really in a Linux environment. I've just tested a few distros in VMs, and while I'm at it, why not start playing around with this as well? I was wondering if it is possible to keep the firewall enabled while the user locks up system connections if s/he uses a VPN. What if the user forgot? Pardon my silly newbieness, but isn't tun0 the MAC/physical address of the network device? I'll be glad to get enlightenment about the rules so I can get the image of how I'm supposed to configure it. Thanks.
Welp, I managed to pull this off to some extent. I put these commands in the terminal:

    sudo ufw disable

Then...

    sudo ufw default deny incoming
    sudo ufw default deny outgoing

Then...

    sudo ufw allow out on tun0 from any to any

And lastly...

    sudo ufw enable

It surprisingly worked, as I thought I needed to replace "tun0" with the VPN's interface name, which I don't even know what this was talking about. From a simple test I couldn't access the web without first establishing a connection to the VPN server. And after disconnecting from the VPN I couldn't connect to the VPN server as long as the firewall was enabled. Now I'm waiting for Palancar's rule to compare with what I've got. BTW, I took a look at Adrelanos' VPN Firewall. Considering I'm completely clueless about Linux I don't know what I'm supposed to do with this. I previously thought it was an app package.
In Linux, tun0 is the name of the first virtual tunnel interface (with the rest being tun1 etc). Yes, it isn't really that hard. VPN-Firewall basically does that, and also allows traffic to your VPN server(s) and LAN(s). It's just a shell script that adds the iptables rules.
It sounds like you basically have it down. Remember that I use this along with a really great linux vpn client. I know you said you are just getting started with linux so I won't overwhelm you. For quite some time I didn't use any vpn providers' clients because I wanted to learn to configure the connection myself so I understood what was going on. That too was not that tough and after using those semi-manual configs for awhile I then started using the clients. Still, as mentioned above I will NEVER use someone else's client and not cover a broken connection on my own. Paranoid maybe, but a full out leak could "sink my battleship" if you know what I mean. Not so much here. Try this simple command in terminal: sudo ufw status verbose and you should see the following: active, logging off (my preference), outgoing and incoming blocked, and tun0 (I specifically make sure ipv6 is off and only allow tun0 on IPV4). There is more than one way to skin a cat! I used to do that with the windows firewall especially, and my guides described how to do it. I actually help beta test the linux client network locks so I purposely need to be able to drop ufw often. A good linux vpn client will actually do everything we are discussing here. I have not seen a leak in the one I use and it's acid tested personally semi-weekly. Even so I still run my personal rig as if someday it might betray me. That means ufw as discussed above.
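The tun0-only ruleset from the posts above, plus the per-server allowance mirimir describes for reconnecting without dropping ufw, and a check of the `ufw status verbose` output Palancar says to look for. This is an added example, not any poster's code; it assumes tun0 is the VPN interface, and the physical interface name, VPN endpoint and sample status text are constructed values.

```shell
#!/bin/sh
# Added example, not any poster's code. Builds the tun0-only UFW ruleset from
# the thread and checks `ufw status verbose` output for it. Assumes tun0 is the
# VPN interface; the physical interface and endpoint values are passed in.

# Print the ufw commands for a kill switch. Extra args are VPN endpoints as
# "ip port proto"; allowing each one out on the physical interface is what
# lets you reconnect after a drop without disabling ufw.
ufw_killswitch_rules() {
    phys_if=$1; shift
    printf '%s\n' \
        'ufw default deny incoming' \
        'ufw default deny outgoing' \
        'ufw allow out on tun0 from any to any'
    for ep in "$@"; do
        ip=${ep%% *}; rest=${ep#* }; port=${rest%% *}; proto=${rest#* }
        printf 'ufw allow out on %s to %s port %s proto %s\n' \
            "$phys_if" "$ip" "$port" "$proto"
    done
}

# Return 0 if a `ufw status verbose` dump shows the expected state: active,
# both defaults deny, an ALLOW OUT bound to tun0, and no unbound ALLOW OUT
# (which would let traffic leave on any interface when the tunnel is down).
ufw_killswitch_ok() {
    st=$1
    case $st in *'Status: active'*) ;; *) return 1 ;; esac
    case $st in *'deny (incoming), deny (outgoing)'*) ;; *) return 1 ;; esac
    printf '%s\n' "$st" | grep -Eq 'on tun0 +ALLOW OUT' || return 1
    printf '%s\n' "$st" | grep -Eq '^Anywhere( \(v6\))? +ALLOW OUT' && return 1
    return 0
}

# Constructed sample of `ufw status verbose` after the OP's four commands.
SAMPLE_STATUS='Status: active
Logging: off
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tun0           ALLOW OUT   Anywhere'

ufw_killswitch_rules eth0 '203.0.113.10 1194 udp'   # eth0 and endpoint are constructed
if ufw_killswitch_ok "$SAMPLE_STATUS"; then echo 'kill switch looks right'; fi
```

The endpoint rule only helps if the VPN config connects by IP rather than hostname, since with outgoing denied by default a DNS lookup on the physical interface would be blocked too.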
Thanks for the help folks. Yes, I saw in the status that both incoming and outgoing traffic is blocked whilst outgoing traffic through tun0 is allowed. It's just my personal taste but I block all inbound connections as I don't need to allow them. So judging from what others have said, it looks like I've done it right.