using multiple vpns with vpn-firewall

Discussion in 'privacy problems' started by darren2015, Jan 14, 2015.

  1. darren2015

    darren2015 Registered Member

    Joined:
    Jan 14, 2015
    Posts:
    4
    I'm currently running a setup with a VPN with OpenVPN in my host OS (Mint) with adrelanos' vpn-firewall to kill the internet traffic if the VPN drops and to make sure I don't connect directly from my ISP on bootup.

    But I'm also running a guest OS (Xubuntu) with VirtualBox and with a second VPN. This works fine. But I would like to harden the setup by using adrelanos' vpn-firewall inside the guest also. But if I try to install the vpnfirewall and edit the script, adding the VPN server IP, it doesn't work. The vpnfirewall in the guest blocks the VPN inside the guest.

    The setup I'm going for is ISP -> VPN -> VPN -> Internet

    Would really appreciate any help regarding this matter. Am I going at it all wrong?

    FYI I'm a beginner with Linux, currently learning :)
     
  2. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    If you just set the VPN connection to "Automatically Connect" in Network Manager, then your connection will only be allowed to go through the VPN and will drop when the VPN is interrupted. There are a few seconds upon initializing the VPN connection where it'll leak, but that shouldn't be a huge issue as long as you keep it in mind.

    In practice, a VPN dropping randomly is very rare, at least with the providers I've had, maybe once a year.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    That should work. For /usr/bin/vpnfirewall in the guest, you should specify the IP address of the VPN server that the guest is connecting to. But maybe that's obvious. Also, in vpnfirewall, you must use the VPN server IP address, not its hostname. In a root terminal, use "host" to get the IP address from the hostname.
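
The point above about giving the firewall the VPN server's IP rather than its hostname can be checked mechanically. This is an added example, not part of the thread and not part of vpnfirewall: a shell function that reads the `remote` lines of an OpenVPN client config and compares them with the IPs the firewall allows. The function names, the sample config and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from vpnfirewall.
# check_remotes CONFIG ALLOWED_IP...  prints one line per `remote` directive:
#   OK <ip>         IPv4 literal that the firewall allowlist contains
#   BLOCKED <ip>    IPv4 literal missing from the allowlist
#   HOSTNAME <name> anything else; it needs DNS before the tunnel is up,
#                   which a default-deny firewall drops
# Returns 0 only when every remote is OK.
check_remotes() {
    config=$1; shift
    allowed=" $* "
    bad=0 found=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r keyword host _rest || [ -n "$keyword" ]; do
        [ "$keyword" = "remote" ] || continue   # skips comments too
        found=1
        case $host in
            ""|*[!0-9.]*) echo "HOSTNAME $host"; bad=1 ;;
            *)  case $allowed in
                    *" $host "*) echo "OK $host" ;;
                    *) echo "BLOCKED $host"; bad=1 ;;
                esac ;;
        esac
    done < "$config"
    [ "$found" -eq 1 ] || { echo "NO_REMOTE"; bad=1; }
    return "$bad"
}

# Constructed sample config; addresses are from documentation ranges.
sample_config() {
    cat <<'EOF'
client
dev tun0
# remote 192.0.2.99 1194 udp
remote 198.51.100.7 1194 udp
remote 203.0.113.20 443 tcp
remote vpn.example.net 1194 udp
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
# Allowlist holds only the first server, as if one IP had been configured.
check_remotes "$tmp" 198.51.100.7 || echo "config and allowlist disagree"
rm -f "$tmp"
```

Any `BLOCKED` or `HOSTNAME` line marks a server the client may try to reach that the firewall will drop, which looks the same from the guest as the VPN failing to connect.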
     
  4. darren2015

    darren2015 Registered Member

    Joined:
    Jan 14, 2015
    Posts:
    4
    Thanks for the input, guys.

    krustytheclown2: as you are saying, there would be a leak, approx. 5-10 seconds, before the network manager in the guest connects to the VPN using automatically connect. That's an issue in my opinion, though I haven't experienced any drops in a while with any of the VPN providers. The vpnfirewall is also there for other reasons, like blocking all IPv6 and as a safety layer on making sure all the traffic is going through the VPN tunnel.

    mirimir: I have specified the /usr/bin/vpnfirewall in the guest to connect to the guest VPN IP. I had some training setting this up in the host first, which works perfectly.

    The guest network adapter is connected to the host with 'NAT'.

    The VPN interface in the /usr/bin/vpnfirewall in the guest is specified as "tun0".

    What software would you recommend to install on the guest to see what's blocking the VPN from connecting with the vpnfirewall running (in the guest)?
     
  5. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Unless you have a browser tab open, just a few bytes of data are going to be received/sent in those few seconds.

    How would

    sudo ufw deny all && sudo ufw allow openvpn

    work here? Mirimir, chime in.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Here's how I'd diagnose. First make sure that the host VPN is connecting, and that you can browse stuff. Then configure vpnfirewall in the host, fire up, and make sure that you can still browse stuff. Then make sure that the VPN in the guest is connecting, and that you can browse stuff. Then configure vpnfirewall in the guest, fire up, and make sure that you can still browse stuff. That should tell you what's messed up.

    You can install ntop in both host and guest, and see where the expected traffic shows up and doesn't. You could also install Wireshark in both host and guest, and use that. If you summarize conversations, you can see traffic in real time.
     
  7. darren2015

    darren2015 Registered Member

    Joined:
    Jan 14, 2015
    Posts:
    4
    That's how I do it. The host is running with a VPN through OpenVPN with vpnfirewall enabled and the guest is running its own VPN through OpenVPN. Everything works right until I install vpnfirewall in the guest. I'll give Wireshark a try ;) Could the problem be that I have to set static IPs to the network in the host and the guest?

    I have looked for GUIs for iptables. Like Firestarter, but it's not supported anymore. Gufw is not enough.

    Things were so much easier with Comodo in Windows.

    Maybe setting up pfSense as a VPN client connected to the host and to the Workstation VM. Wouldn't that be better?
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    That tells me that vpnfirewall in the guest isn't configured properly.
    I don't think so. In vpnfirewall, you specify the network adapter (typically eth0) and the IP(s) of the VPN server(s).
    That's why I like vpnfirewall :) Once you have it working, you can install iptables-persistent, and then edit /etc/iptables.v4 and /etc/iptables.v6 as desired.
    :)
    Yes, I like that better. See https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-6 :)
     
  9. darren2015

    darren2015 Registered Member

    Joined:
    Jan 14, 2015
    Posts:
    4
    Thanks for answering and the help. I've read the privacy guides by you on iVPN; that's where I first got familiar with adrelanos' vpnfirewall, Whonix and more.

    The problem occurs after enabling the vpnfirewall in the guest, yes. But /usr/bin/vpnfirewall in the guest is edited the same way as in the host, with the VPN interface set to 'tun0'. The only difference is of course that in the host I specify the VPN IP for the host and in the guest I specify the VPN IP of the guest. If I set the VPN interface in vpnfirewall to 'eth0' then the vpnfirewall operates on the ethernet connection, not the OpenVPN (tun0).

    I'll figure it out somehow. Sometimes it's a real rookie mistake that you have overlooked all from the start, I'm sure it's gonna crack me up :D
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I didn't mean to set "VPN_INTERFACE=eth0". And saying "you specify the network adapter (typically eth0)" was misleading. I meant that the iptables rules apply to eth0 by default, except for the ones that specify $VPN_INTERFACE:
    Code:
    iptables -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
    iptables -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
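
To make the scoping described in the last post concrete, here is an added sketch (not part of the thread and not the vpnfirewall script) of a default-deny rule set in which only the tunnel rules name an interface. It prints `iptables-restore` input and changes nothing itself; the function names and the server address are constructed, and rules a real setup may need (for example a local-network exception) are left out.

```shell
#!/bin/sh
# Added sketch of the default-deny pattern discussed above; NOT the
# vpnfirewall script. Prints iptables-restore input, changes nothing itself.
# Usage: emit_killswitch_rules VPN_INTERFACE VPN_SERVER_IP...
emit_killswitch_rules() {
    vpn_if=$1; shift
    echo '*filter'
    # Default-deny on every interface (eth0, wlan0, ...): nothing leaves
    # unless a later rule accepts it.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections this machine opened (the OpenVPN handshake).
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # No -o here: the VPN server is reachable on whatever physical
    # interface is up, but nothing else is.
    for ip in "$@"; do
        echo "-A OUTPUT -d $ip -j ACCEPT"
    done
    # Only these two rules name the tunnel, matching the thread's excerpt.
    echo "-A INPUT -i $vpn_if -j ACCEPT"
    echo "-A OUTPUT -o $vpn_if -j ACCEPT"
    echo 'COMMIT'
}

# IPv6 is dropped except on loopback, so nothing bypasses the IPv4 tunnel.
emit_v6_drop_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

# Constructed server address from the documentation range 198.51.100.0/24.
emit_killswitch_rules tun0 198.51.100.7
```

After reviewing the output, it can be loaded as root with `iptables-restore` and `ip6tables-restore`.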
     