VPN, Firewalls, and Connection Blocking in Linux

Discussion in 'privacy technology' started by rawrware, Mar 17, 2013.

Thread Status:
Not open for further replies.
  1. rawrware

    rawrware Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    9
    Location:
    US
    Hi everyone, back again.

    Lubuntu setup, trying to force all traffic through the VPN and set it to disconnect the internet if the VPN disconnects.

    Mullvad's own software (an edit of OpenVPN, it seems) for whatever reason gives me no options, but is supposed to be able to do this. It does in Windows, but eh, I really don't want to resort to a version of XP or something and invite those troubles.

    Tried OpenVPN and setting GUFW to block the net in the event of VPN failure, and iptables. Not a single guide I've found works. Either it completely doesn't work or it completely shuts the connection at all times. Also tried shorewall, but didn't get far since it didn't seem any less complex than directly using iptables.

    It is trickier since the IP does change, but it does give me a dynamic name, so that shouldn't be that bad. Even just using the IP I was using at the time fails completely.
     
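The "cut the internet if the VPN drops" behaviour asked for above is usually done with a DROP-by-default iptables ruleset that lets only the VPN handshake leave through the physical NIC and everything else leave through the tunnel device. The script below is an added example for this thread, not code from the original posts or from Mullvad. It assumes a physical NIC named eth0, a tunnel device named tun0, IPv4 only, and that you want a private LAN (default 192.168.0.0/16) to stay reachable; the server address, port and protocol are whatever your .ovpn file's "remote" line says. Because a hostname can no longer be resolved once the rules are in (plain DNS over eth0 is blocked), the wrapper resolves the name before applying them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables "kill switch" for an OpenVPN client.
# With OUTPUT policy DROP, the only packets allowed out of the physical NIC are the
# VPN handshake itself, DHCP renewals and (optionally) LAN traffic. All other traffic
# may only leave through the tunnel device, so when the VPN drops and tun0 goes away
# the machine simply loses internet access instead of leaking through eth0.
# Assumptions: eth0 / tun0 / IPv4 only (disable or firewall IPv6 separately).

vpn_killswitch_rules() {
    # $1 server IPv4, $2 port, $3 udp|tcp, $4 physical NIC, $5 tunnel device, $6 LAN CIDR
    srv="$1"; port="$2"; proto="$3"; nic="$4"; tun="$5"; lan="${6:-192.168.0.0/16}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to connections we opened ourselves
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP client on the physical NIC, so the lease can still be renewed
-A OUTPUT -o $nic -p udp --sport 68 --dport 67 -j ACCEPT
# keep the LAN reachable over the physical NIC (delete this line to cut it off too)
-A OUTPUT -o $nic -d $lan -j ACCEPT
# the ONLY internet-bound traffic allowed on the physical NIC: the VPN handshake
-A OUTPUT -o $nic -p $proto -d $srv --dport $port -j ACCEPT
# everything else must go through the tunnel; this rule is harmless while tun is absent
-A OUTPUT -o $tun -j ACCEPT
COMMIT
EOF
}

resolve_ipv4() {
    # First IPv4 address of a hostname via the libc resolver; an IP literal passes through.
    getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

apply_vpn_killswitch() {
    # usage (as root): apply_vpn_killswitch <server host or IP> <port> <udp|tcp> [nic] [tun] [lan]
    # Resolve BEFORE loading the rules. Afterwards a hostname in the .ovpn "remote" line
    # cannot be looked up, so either put the resolved IP there or flush the rules
    # (iptables -P OUTPUT ACCEPT; iptables -F) before reconnecting.
    ip="$(resolve_ipv4 "$1")" || return 1
    [ -n "$ip" ] || { echo "cannot resolve $1" >&2; return 1; }
    vpn_killswitch_rules "$ip" "$2" "$3" "${4:-eth0}" "${5:-tun0}" "${6:-192.168.0.0/16}" \
        | iptables-restore
}

# Demo: print the ruleset for a made-up server (203.0.113.5 is a documentation address).
# To actually load it you would run, as root:  apply_vpn_killswitch vpn.example.net 1194 udp
vpn_killswitch_rules 203.0.113.5 1194 udp eth0 tun0
```

Check it the same way the OP did: with the rules loaded and OpenVPN stopped, `ping 8.8.8.8` should fail; start OpenVPN, wait for "Initialization Sequence Completed", and the ping should work; kill OpenVPN and it should fail again. GUFW/ufw writes its own iptables chains, so load this ruleset instead of ufw rather than on top of it.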
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
  3. rawrware

    rawrware Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    9
    Location:
    US
    Looks good, but it lost me with this part here.


    Code:
    Your /etc/resolv.conf should look like:
    
       domain localdomain
       search localdomain
       nameserver 10.X.Y.Z
       nameserver 10.X.Y'.Z'
    
    Those are the VPN service's private nameservers. If you're
    not getting them automatically as the VPN connects, you may
    need to edit /etc/resolv.conf manually. You can get them
    from the OpenVPN connection log. After doing that, make the
    file read-only:
    I swapped my DNS to Google using nano, though it seems to have changed back, so joyous. I'm not sure if Mullvad still maintains their own DNS; good VPN, but their information is lacking badly. So if I connect the VPN, just look in the log and copy-paste?

    Sorry, just trying to actually understand rather than just do, since just doing hasn't worked previously.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    In the OpenVPN connection log, there will be a line that begins with "PUSH: Received control message" and that includes "dhcp-option DNS 10.X.Y.Z".

    That's the DNS server to use in resolv.conf.

    This is a VirtualBox VM, right?

    Simply editing resolv.conf often doesn't work out well, because it gets reverted whenever the DHCP lease gets renewed. Making it read-only will work, but it's inelegant. And, unless you're connecting to a Mullvad numeric IP address, you'll need to change it back before reconnecting.

    These days, I either use pfSense VMs or Network Manager for my VPN connections. If you were connecting to Mullvad using Network Manager, I'd say to add Mullvad's DNS server there.

    A complicating factor is that Network Manager does whatever's needed to give you a working Internet connection. It changes routing tables, DNS servers, and anything else that it can. But ufw rules stop it, and making resolv.conf read-only stops it.
     
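The two steps mirimir describes (read the pushed "dhcp-option DNS" address out of the OpenVPN log, then write it into resolv.conf and make the file read-only) can be scripted so the nameserver never has to be copied by hand. The script below is an added example, not code from the thread or from Mullvad. It assumes OpenVPN is writing a log file (the --log option or the .status/.log file the client creates), uses "localdomain" as the search domain as in the quoted post, and the sample log it reads is constructed here for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build /etc/resolv.conf from the DNS server(s)
# that OpenVPN received in its PUSH_REPLY, then pin the file with the immutable bit so
# dhclient / NetworkManager cannot revert it on the next lease renewal.

write_sample_log() {
    # Constructed log excerpt in OpenVPN's format, used only for the demo below.
    cat > "$1" <<'EOF'
Sun Mar 17 20:11:05 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Mar 17 20:11:05 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,dhcp-option DNS 10.8.0.2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sun Mar 17 20:11:05 2013 OPTIONS IMPORT: --ifconfig/up options modified
EOF
}

pushed_dns_servers() {
    # $1 = OpenVPN log. Prints each "dhcp-option DNS <ip>" from the LAST PUSH_REPLY,
    # one address per line (a reconnect may push different servers than the first one).
    grep 'PUSH: Received control message' "$1" | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^dhcp-option DNS \([0-9][0-9.]*\).*/\1/p'
}

resolv_conf_from_log() {
    # $1 = OpenVPN log, $2 = search domain. Emits the resolv.conf contents on stdout.
    # Refuses to produce a file with no nameserver line: glibc would then silently
    # fall back to a resolver on 127.0.0.1 instead of failing loudly.
    servers="$(pushed_dns_servers "$1")"
    if [ -z "$servers" ]; then
        echo "no 'dhcp-option DNS' in $1; is the VPN connected and logging?" >&2
        return 1
    fi
    printf 'domain %s\nsearch %s\n' "$2" "$2"
    printf '%s\n' "$servers" | sed 's/^/nameserver /'
}

install_resolv_conf() {
    # Root only. Usage: install_resolv_conf /path/to/openvpn.log [searchdomain]
    # Undo with "chattr -i /etc/resolv.conf" before reconnecting if your .ovpn "remote"
    # line is a hostname: the VPN's internal resolvers are unreachable until the tunnel is up.
    tmp="$(mktemp)" || return 1
    if ! resolv_conf_from_log "$1" "${2:-localdomain}" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    chattr -i /etc/resolv.conf 2>/dev/null || true
    # With Ubuntu's resolvconf package /etc/resolv.conf is a symlink into /run; replace
    # it with a real file so the immutable bit applies to the file itself.
    if [ -L /etc/resolv.conf ]; then rm -f /etc/resolv.conf; fi
    cp "$tmp" /etc/resolv.conf && chmod 644 /etc/resolv.conf && chattr +i /etc/resolv.conf
    rm -f "$tmp"
}

# Demo on the constructed log (no root needed; install_resolv_conf is the part you run as root).
demo_log="$(mktemp)"
write_sample_log "$demo_log"
resolv_conf_from_log "$demo_log" localdomain
rm -f "$demo_log"
```

After running install_resolv_conf, `lsattr /etc/resolv.conf` should show the i flag and `cat /etc/resolv.conf` should list only the 10.x addresses from the log; if a public resolver such as 8.8.8.8 is still there, DNS queries are going around the tunnel.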
  5. rawrware

    rawrware Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    9
    Location:
    US
    Yes, it's in a VM. Strangely, Network Manager is what I went for second to change DNS, but the option is grayed out. .status is missing the .log after it and can't seem to be opened by conventional means. pfSense is tempting, but yet another thing to learn, as IIRC it's BSD-based and rather unfamiliar. Networking is very much my weakest point, sadly.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Have no fear, pfSense has an incredible web GUI!

    And playing with pfSense VMs is a great way to learn networking :)
     
  7. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    +1, pfSense is beautiful... once you get to know it a bit, lols
     
  8. rawrware

    rawrware Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    9
    Location:
    US
    Partway into pfSense I realized it can't run any of the software I needed. Neat OS, though.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    What do you want to run?

    It's not a general purpose OS. It's a router/firewall OS.

    You run your apps on a separate VM, that uses pfSense as its gateway router.
     
  10. rawrware

    rawrware Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    9
    Location:
    US
    Ya, I'm familiar with its purpose, didn't realize it couldn't be expanded, but this is a case of blocked traffic types making it very hard to do things like download mods, patches, and even a lot of official software, like say my copy of Windows 7 if I need the repair disc; it's offered as a torrent. And a few Linux versions out there only offer it through that as well, or at least don't take forever to get that way.

    It's why I was trying to create a VM and leak-proof it, because say for instance Windows dies during an update and I can't find my repair disc or it's scratched, I'm stuck reinstalling. Things like that. And yes, that exact situation did happen before, and I was lucky enough to have a friend with one handy. I like to stay prepared and in the know now.
     
  11. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    I haven't put these shorewall rules in yet, mirimir, it looks so complicated.

    @rawrware
    But about Mullvad: I have a VirtualBox VM with Xubuntu, I ticked the relevant box in the Mullvad dialog, and "block the internet on connection failure" works as advertised.

    There is also this file for Linux; it has the options in a GUI.
     
  12. rawrware

    rawrware Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    9
    Location:
    US
    Yes, the .deb file installs, gives an icon, will sit down in the tray, but cannot be clicked and does not connect. It was the first thing I ever tried, since it's basically an OpenVPN mod and they offer the source, so it seemed safe.

    Maybe it's my distro, but it's a *buntu based on 12.04 LTS, so it should work well with a .deb. I'll try the Xu flavor though, maybe it will work.
     
  13. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    I presume you go into the menu /Internet/Mullvad, then you get a password dialog, and then you get the little icon?
    You can mail mullvad , they reply usually within a day and are helpful.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Complicated?

    It'd be complicated if you had to write the rules!

    But all you're doing is installing shorewall, editing its control script, creating five files in its working folder, and starting it.

    Just try it, you'll like it ;)
     
  15. rawrware

    rawrware Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    9
    Location:
    US
    In case someone running into the same issue unearths this later: it was the distro being used. Xubuntu solved the problem so far; I guess it just didn't like LXDE.

    Still plan to work on understanding linux firewalls.
     
  16. dontfail

    dontfail Registered Member

    Joined:
    Mar 19, 2013
    Posts:
    1
    @mirimir 1. You're awesome, and thanks for all the info all over these forums.

    As you can tell this is my first post, but I have been lurking all over the forum (particularly your posts). Went through everything you and happyyarou666 did to set up the VPN>Tor>VPN, and I've got to say that it wasn't easy the first time around. Especially setting up Mullvad to accept TCP connections. All in all it's a great system. I also set it up on my laptop and it's running well.

    Now its time to pick your brain on how we can improve it :p

    1. How / which firewall should I use to limit my host machine from accessing the internet. (Host is Linux)
    2. Keeping pfSense/Tor VMs in some sort of hibernate for quick access after closing the laptop screen.
    3. pfSense OpenVPN won't accept a URL for the remote server name, it has to be an IP, which means I have to manually change it every so often.

    Thanks to everyone who contributes to this great forum and keep it up. :)

    PS: Would it be possible to use something other than pfSense? Like OpenWrt?
     
    Last edited: Mar 22, 2013
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Hey, thank you :) As a long-time privacy geek, I like to share and learn.

    That is very cool! Congratulations :)

    By all means :)

    I'm not sure which setup you're using. Is there a VPN running on your host machine? And what are you using it for?

    It would help if you could briefly describe your setup.

    If there is a VPN running on the host, just use these shorewall rules: https://www.wilderssecurity.com/showthread.php?p=2201706#post2201706

    If there's no VPN running on the host, and you aren't using it for anything except running VMs, you could configure the pfSense VM client for your first/outer VPN to bridge to the host NIC instead of NATing. Once you verify that it works, you can create shorewall rules that block everything from using the host eth0. It should be fairly obvious how to tweak the shorewall setup that I've provided.

    I don't use laptops much for this stuff. Maybe the simplest approach would be configuring the laptop to do nothing when you close the lid.

    Which VPN is this on: inner (second) or outer (first)?

    That's telling you that your DNS server setup for that pfSense VM, and perhaps whatever it's connecting through, isn't set up properly. With no DNS server available, it can't resolve URLs to IPs.

    Thank you :)

    I picked pfSense because I liked its OpenVPN client and easy-to-understand routing and firewall GUI.

    I'm sure that one could also use OpenWRT and other Linux-based router/firewall distros.
     