Native OpenVPN kill switch under Linux

Discussion in 'all things UNIX' started by Stefan Froberg, Feb 5, 2017.

  1. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Here's an interesting reading:
    http://blogs.igalia.com/dpino/2016/04/10/network-namespaces/

    With network namespaces you can completely isolate any program from normal network stack, routing table etc... That is, no matter how much you mess with it, your original network settings stay intact while your network "chrooted" application sees only what you want to see.

    This Linux feature can be exploited to build very rudimentary, native OpenVPN killswitch :)
    Here's what you need:
    - Linux (obviously)
    - OpenVPN client
    - Some VPN target server to test this with
    - My "fancy" openvpn-netns.sh script that basically just automates all the stuff mentioned in the above link (download from here: https://www.orwell1984.today/openvpn-netns.sh).
    - down.sh script that handles the cleanup of the routing table in case OpenVPN dies (download from here: https://www.orwell1984.today/down.sh and put it into /etc/openvpn directory).

    Usage:
    1) From terminal, start the openvpn inside network namespace:
    Example:
    ./openvpn-netns.sh vpn eth0 v-eth1

    Then open another terminal and do all the following stuff there:

    2) Try to ping google dns
    ip netns exec vpn ping -c3 8.8.8.8

    3) Check the routing table (you should see tun0 or something like that)
    ip netns exec vpn ip route show

    4) If it works start firefox/midori/etc in the shiny new network namespace named "vpn"
    ip netns exec vpn firefox

    5) Go to any number of "what is my ip" sites to confirm that OpenVPN works

    6) Now, kill the openvpn-netns.sh that you previously started in the first terminal with Ctrl + C

    7) Again in your second terminal, try to surf with your browser. (you should not be able). Also, giving command "ip netns exec vpn ip route show" again should now give you totally empty routing table. So now, your vpn namespace has no routing table, no network connection, and any browser/application/etc that used that particular vpn network namespace is now completely isolated because OpenVPN was killed/terminated.
    And all this while your normal network stack is completely intact :)

    The reason we can't simple delete the above mentioned vpn namespace and have to resort to cleaning router table inside the namespace is that the namespace will be completely removed only after the last application that uses it (in this example, the browser) exists.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    What's the advantage of this, vs just using iptables rules?
     
  3. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    If just using network namespaces they are functionally pretty equivalent, except of course that with network namespaces you have totally separate network stack.

    But if you add other namespaces that linux offers like pid namespace (openvpn would see only it's own process pid) and/or mount namespace (equivalent like chroot filesystem isolation?) then what you have is an light weight OS-level virtual machine for that application. I believe those Linux containers and applications that use them (Docker?) use namespaces as building blocks.


    Something like what Tor and Tor browser is going to do with it's coming sandbox Tor
     
  4. The Count

    The Count Registered Member

    Joined:
    Jun 13, 2016
    Posts:
    176
    Location:
    France
    Possible release date?
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @Stefan Froberg - OK, thanks :) I think that I'll stick with VMs, though.
     
  6. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    According to this post from december, there are no official binaries released yet(?)
    https://lists.torproject.org/pipermail/tor-dev/2016-December/011753.html

    But if you are in really hurry and ready for pain (Captain Freedom from running man movie :)) you can try to compile
    the alpha version of it and see if it works

    https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux

    EDIT: sandbox Tor is still in alpha state so use it only for testing purposes and helping developers to find bugs
     
    Last edited: Feb 7, 2017
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Here's also some interesting info about Linux namespaces, Linux containers (basically OS-level virtual machines that use namespaces and some other stuff like seccomp and capabilities) and also some little comparison how OS-level virtual machine compares against full virtual machines.

    https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-10pdf/

    One advantage that OS-level VM's have is performance and reduced bloat (you don't need virtualized hardware and don't need to install full OS into VM). For machines with low resources (like Raspberry Pi) OS-level VM is only possible choice.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.