iptables rules for preventing VPN IP leak

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

iptables rules for preventing VPN IP leak

Post by ayu »

I'm trying to write some iptables rules to prevent my IP from being leaked when my VPN goes down.
Basically I don't want any packets to leave the computer in case the VPN tunnel disconnects.

I'm pretty rusty on iptables and such; I haven't needed it for a year or so now, but this is what I have so far.

# -A appends in the listed order; with -I each rule goes to the top of the chain,
# so the DROP issued last became rule 1 and blocked everything, VPN included
iptables -A OUTPUT -o lo -j ACCEPT                    # local traffic
iptables -A OUTPUT -o tun0 -j ACCEPT                  # anything routed into the tunnel
iptables -A OUTPUT -d 46.246.44.130 -p udp -j ACCEPT  # the OpenVPN transport to the server
iptables -A OUTPUT -j DROP                            # everything else stays on the box
46.246.44.130 - This is the IP of the VPN server (the VPN domain has many IPs connected to it, so I found this one via Wireshark for now)
46.246.44.0/24 - This is the VPN network (CIDR). OpenVPN adds a bunch of new routes, so I wasn't sure:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         46.246.44.1     0.0.0.0         UG        0 0          0 tun0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth2
46.246.44.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0
46.246.44.130   10.0.2.2        255.255.255.255 UGH       0 0          0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 tun0
46.246.44.174 - This is the IP I was assigned in the VPN network; "ifconfig -a" looks like this:


eth2      Link encap:Ethernet  HWaddr 08:00:27:24:a3:5d  
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe24:a35d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:607109 errors:0 dropped:0 overruns:0 frame:0
          TX packets:269609 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:434745672 (434.7 MB)  TX bytes:45285337 (45.2 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2366 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:211324 (211.3 KB)  TX bytes:211324 (211.3 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:46.246.44.174  P-t-P:46.246.44.174  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:114 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45497 errors:0 dropped:43485 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:14176 (14.1 KB)  TX bytes:66794248 (66.7 MB)

So far I haven't gotten it to work.
Does anyone know how to do it properly? :)
"The best place to hide a tree, is in a forest"
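A complete kill switch for the setup described in the post above, added here as an example. It is not ayu's or bad_brain's code and not the thread's final answer. The defaults are the interface names and addresses visible in the post (eth2, tun0, 46.246.44.130, 10.0.2.0/24); the port 1194/udp is the OpenVPN default and an assumption, as are the LAN and DHCP exceptions and the LOG rule. Note that "iptables -I" without a rule number inserts at position 1, so three -I commands issued in a row leave the last one at the top of the chain; the script below emits every rule with -A so the printed order is the evaluation order.

```shell
#!/bin/sh
# Added example, not code from the thread: an OpenVPN kill switch for iptables.
# Every value below is a parameter. The defaults are the thread's interface
# names and addresses except VPN_PORT, which is the OpenVPN default and an
# assumption here (check the "remote" line of the .ovpn file).
WAN_IF="${WAN_IF:-eth2}"                  # physical uplink
TUN_IF="${TUN_IF:-tun0}"                  # tunnel device OpenVPN creates
VPN_SERVER="${VPN_SERVER:-46.246.44.130}" # VPN endpoint as an IP, not a hostname
VPN_PORT="${VPN_PORT:-1194}"              # assumed OpenVPN port
LAN_NET="${LAN_NET:-10.0.2.0/24}"         # local subnet kept reachable outside the tunnel

# Emit the rule set in chain order. Everything uses -A (append), so the order
# printed is the order evaluated. "iptables -I" without a rule number inserts
# at position 1; three -I calls that end with a DROP leave the DROP as rule 1,
# and nothing ever reaches the ACCEPT rules beneath it.
killswitch_rules() {
    cat <<EOF
iptables -P OUTPUT DROP                                   # fail closed even if the rules vanish
iptables -F OUTPUT                                        # start from a clean chain
iptables -A OUTPUT -o lo -j ACCEPT                        # local services keep working
iptables -A OUTPUT -o $TUN_IF -j ACCEPT                   # anything routed into the tunnel
iptables -A OUTPUT -o $WAN_IF -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT  # the tunnel transport itself
iptables -A OUTPUT -o $WAN_IF -d $LAN_NET -j ACCEPT       # LAN stays reachable (remove if unwanted)
iptables -A OUTPUT -o $WAN_IF -p udp --sport 68 --dport 67 -j ACCEPT  # DHCP renewals on the uplink
iptables -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "vpn-killswitch: "  # see what gets blocked
iptables -A OUTPUT -j DROP                                # everything else stays on the box
ip6tables -P OUTPUT DROP                                  # the tunnel in the thread carries no IPv6,
ip6tables -F OUTPUT                                       # so close that path as well
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -j DROP
EOF
}

# Apply the rules on this host (needs root and the iptables binaries).
apply_killswitch() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply needs root" >&2
        return 1
    fi
    killswitch_rules | sh -e
}

case "${1:-show}" in
    show)  killswitch_rules ;;
    apply) apply_killswitch ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Two things to keep in mind when using it. The endpoint has to be an IP in the .ovpn "remote" line: a DNS lookup on eth2 is dropped before the tunnel exists, which is the fail-closed behaviour you want, but it means a hostname cannot be resolved (if the provider uses TCP, change -p udp to -p tcp). And the rules are static: unlike a route, an iptables rule can name an interface that does not exist yet, so they can be loaded at boot and when tun0 disappears the "-o tun0" rule simply matches nothing.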

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: iptables rules for preventing VPN IP leak

Post by bad_brain »

Hmmm... why not use static routes instead? As you have seen, OpenVPN adds routes once it's started; without OpenVPN those are removed from the kernel routing table again. By hardcoding them into /etc/network/interfaces you could make them permanent, which would prevent any traffic without the VPN (simply because the routes wouldn't work anymore)...


Re: iptables rules for preventing VPN IP leak

Post by ayu »

bad_brain wrote:
Hmmm... why not use static routes instead? As you have seen, OpenVPN adds routes once it's started; without OpenVPN those are removed from the kernel routing table again. By hardcoding them into /etc/network/interfaces you could make them permanent, which would prevent any traffic without the VPN (simply because the routes wouldn't work anymore)...

Hmm, interesting idea actually.
I'll give it a shot and report back soon.


Re: iptables rules for preventing VPN IP leak

Post by ayu »

I tried adding the routes via /etc/network/interfaces, but they kept getting overwritten and removed:

post-up route add -net 0.0.0.0 netmask 0.0.0.0 gw 46.246.36.1 dev tun0
post-up route add -net 46.246.36.0 netmask 255.255.255.0 gw 0.0.0.0 dev tun0
post-up route add -net 169.254.0.0 netmask 255.255.0.0 gw 0.0.0.0 dev tun0
post-up route add -net 10.0.2.0 netmask 255.255.255.0 gw 0.0.0.0 dev eth2
post-up route add -net 46.246.36.2 netmask 255.255.255.255 gw 10.0.2.2 dev eth2


Re: iptables rules for preventing VPN IP leak

Post by bad_brain »

Do you mean removed after a reboot, or removed when starting the VPN client? The latter would be normal behavior, because OpenVPN flushes the routes and adds its own... What is important is: are the routes you set manually restored again after you close the VPN connection?


Re: iptables rules for preventing VPN IP leak

Post by ayu »

bad_brain wrote:
Do you mean removed after a reboot, or removed when starting the VPN client? The latter would be normal behavior, because OpenVPN flushes the routes and adds its own... What is important is: are the routes you set manually restored again after you close the VPN connection?

This is what I do:

1: I add the routes to /etc/network/interfaces
2: Reboot the machine
3: Routes are gone from the table (I didn't even start OpenVPN)


Re: iptables rules for preventing VPN IP leak

Post by bad_brain »

Oh, try this one: create a file named static-routes under /etc/network/if-up.d containing

#!/bin/sh
/sbin/route add -net 172.23.41.0 netmask 255.255.255.0 gw 192.168.129.194
/sbin/route add -net 172.23.42.0 netmask 255.255.255.0 gw 192.168.129.194

Make sure the file can be executed as a script.
Quick copy&paste of course, so you will have to adjust it accordingly... ^^


Re: iptables rules for preventing VPN IP leak

Post by ayu »

The routes for eth2 seem to be added, but the tun0 ones are not, because that interface doesn't exist, and it won't let me add them unless the VPN connection is up.
Wouldn't the iptables solution work though?
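Whether a rule set actually fails closed is easier to see from the chain as the kernel holds it ("iptables -S OUTPUT") than from the commands that built it. Added here as an example, not from the thread: a small sh/awk auditor that reads such a dump and reports rules that fail open, that accept egress on the uplink with no destination restriction, or that sit below an unconditional DROP. The three sample dumps are constructed for this example; the first is what three consecutive -I commands (ACCEPT, ACCEPT, DROP) leave in the chain, the second a fail-closed set, the third a typical DNS leak. The leak heuristic and the DHCP exception are choices made for this example, not iptables semantics.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OUTPUT chain dump for VPN leaks.
# audit_output_chain reads the text of "iptables -S OUTPUT" on stdin.

# Constructed sample: the chain three "-I" calls leave behind. Each -I inserted
# at position 1, so the DROP issued last is rule 1 and shadows both ACCEPTs.
SAMPLE_BROKEN='-P OUTPUT ACCEPT
-A OUTPUT -j DROP
-A OUTPUT -s 46.246.44.174/32 -d 46.246.44.0/24 -j ACCEPT
-A OUTPUT -d 46.246.44.130/32 -p udp -j ACCEPT'

# Constructed sample: a fail-closed chain (policy DROP, tunnel and transport only).
SAMPLE_GOOD='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 46.246.44.130/32 -o eth2 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j DROP'

# Constructed sample: fails open and lets DNS out of the uplink unconditionally.
SAMPLE_DNS_LEAK='-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp --dport 53 -j ACCEPT'

# Print one finding per line; exit 1 if anything is wrong, 0 if the chain is clean.
audit_output_chain() {
    awk '
    /^-P OUTPUT/ { policy = $3; next }
    /^-A OUTPUT/ {
        n++
        if ($0 ~ /-j DROP$/ || $0 ~ /-j REJECT/) {
            # "-A OUTPUT -j DROP" has exactly four fields: no match criteria at all
            if (NF == 4 && !blanket_drop) blanket_drop = n
            next
        }
        if ($0 !~ /-j ACCEPT$/) next
        if (blanket_drop) {
            print "shadowed: rule " n " is below the unconditional DROP at rule " blanket_drop
            bad++
        }
        # Tunnel and loopback are fine, a -d pins the packet to one host or net,
        # and DHCP (dport 67) is the one exception allowed on the uplink.
        if ($0 ~ /-o tun0/ || $0 ~ /-o lo/ || $0 ~ /-d / || $0 ~ /--dport 67 /) next
        print "leak: rule " n " accepts egress with no tunnel or destination restriction"
        bad++
    }
    END {
        if (policy != "DROP" && !blanket_drop) {
            print "fail-open: policy " policy " and no terminating DROP"
            bad++
        }
        if (blanket_drop == 1) {
            print "blocked: the unconditional DROP is rule 1 (built with -I instead of -A?)"
            bad++
        }
        exit (bad > 0)
    }'
}

audit_broken()   { printf "%s\n" "$SAMPLE_BROKEN"   | audit_output_chain; }
audit_good()     { printf "%s\n" "$SAMPLE_GOOD"     | audit_output_chain; }
audit_dns_leak() { printf "%s\n" "$SAMPLE_DNS_LEAK" | audit_output_chain; }

if [ "${1:-}" = "--live" ]; then
    iptables -S OUTPUT | audit_output_chain      # audit the running chain (needs root)
else
    echo "== broken (three -I calls):"; audit_broken   || echo "-> rejected"
    echo "== dns leak:";                audit_dns_leak || echo "-> rejected"
    echo "== fail-closed:";             audit_good     && echo "-> clean"
fi
```

Run it with --live as root to check the box you are on. The "blocked" finding is the signature of building the chain with -I: the dump shows "-A OUTPUT -j DROP" as the first rule even though it was typed last, and every ACCEPT under it is dead.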


Re: iptables rules for preventing VPN IP leak

Post by bad_brain »

Yeah, iptables should of course work, I just thought doing it through route would be an easier solution... Oh well, it was at least worth a try... :)
I'll see if I can fiddle some iptables rules together during the weekend; I just came back from a nice long bike ride and I am pretty toasted...


Re: iptables rules for preventing VPN IP leak

Post by ayu »

bad_brain wrote:
Yeah, iptables should of course work, I just thought doing it through route would be an easier solution... Oh well, it was at least worth a try... :)
I'll see if I can fiddle some iptables rules together during the weekend; I just came back from a nice long bike ride and I am pretty toasted...

Haha, ok, nice :D
Yeah, I will give it a go again tonight and see if I can get things working :D


Re: iptables rules for preventing VPN IP leak

Post by bad_brain »

OK, here's another attempt at manipulating the kernel routing table; I did a test and it worked for me.

1.2.3.4 == VPN entry point
192.0.0.1 == router/gateway

First flush the default route for 0.0.0.0:

route delete 0.0.0.0 192.0.0.1

Then add the VPN as default route AND as first hop (that's what did the trick for me):

route add -p 1.2.3.4 mask 255.255.255.255 192.0.0.1 metric 1

You would have to repeat the first step after a reboot though, but that should be no problem with a little script.
