Ubuntu – How to block traffic over wifi before the VPN connects

networkingSecurityvpnwireless

I'd like to use a VPN when on public wifi for security. In order to establish my OpenVPN tunnel I need a working network connection. When I connect to a public wifi access point there is a window of time after connecting but before my VPN client is launched, connects and updates the route table, during which traffic from my system travels unencrypted over public wifi.

How can I cause wifi to pass no traffic except traffic destined for my OpenVPN server during that window of time?

Extra credit : Is there a way to whitelist wifi networks as trusted (like my home or work wifi) such that all traffic is allowed as I won't be using a VPN?

Best Answer

I would try the following with iptables, in this order:

# Allow dhcp
sudo iptables -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# Allow outbound VPN traffic
sudo iptables -A OUTPUT -p udp --dport 1194 -d 0.0.0.0/0   -j ACCEPT" 

# DROP all outbound WIFI
sudo iptables -A OUTPUT -i wlan0 -j DROP

In office and home network you will have to run:

# Accept all outbound traffic
sudo iptables -D OUTPUT -i wlan0 -j DROP

There might be an iptables extension which will filter using WIFI SSID or some other router identifier, but I am not familiar with any

NOTE: you might need to update the ovpn remote port and/or WIFI network interface name

Related Solutions

Ubuntu – How to create a vpn over another vpn

From my testing NetworkManager (using nmcli) only supports one VPN connection at a time. You will need to write a script that manually invokes openvpn and place it in /etc/NetworkManager/dispatcher.d/. The script will need to query networkmanager to see if your other VPN connection has been made.

I wrote a script that automatically starts my VPN connection under certain conditions, maybe you can use it as a starting place.

Also, keep a close watch on your routing table. If you start a VPN while connected to another one, it could redirect traffic from the first VPN, disrupting both VPN connections.

Ubuntu – Problem with DNS with OpenVPN on Ubuntu 20.04

It seems, that the main problem is with systemd-resolve as described here: https://github.com/systemd/systemd/issues/6076
Really great article is here, which I took as a starting point: https://www.gabriel.urdhr.fr/2020/03/17/systemd-revolved-dns-configuration-for-vpn/

A small workaround that worked for me is to run this after every connection to VPN. Basically setting DNS manually

sudo resolvectl dns tun0 10.0.9.2 # Replace with IP of your DNS server
# All internal services are like git.int.mycompany.com or ldap.int.mycompany.com
# You can try to set up "~mycompany.com", worked for me as well
sudo resolvectl domain tun0 "~int.mycompany.com"

How to automate it

With NetworkManager:
If you use Network Manager (pictures of Manager available here), you can automate this with scripts in /etc/NetworkManager/dispatcher.d/

Create custom script, name it 02-ifupdown set chmod +x to it and paste

#!/bin/sh

EXPECTED_VPN_NAME="MyCompany VPN" # Put your VPN name here
VPN_CONN_NAME=`nmcli --get name,type con show --active | grep vpn | sed 's/\:.*//'`

if [ "$2" = "vpn-up" ] && [ "$EXPECTED_VPN_NAME" = "$VPN_CONN_NAME" ]; then
        resolvectl dns tun0 10.0.9.2 # Replace with IP of your DNS server
        resolvectl domain tun0 "~int.mycompany.com"
fi

With CLI:
Create your custom script, set chmod +x to it and paste into config:

script-security 2
up /path/to/my/script

Best Answer

Related Solutions

Ubuntu – How to create a vpn over another vpn

Ubuntu – Problem with DNS with OpenVPN on Ubuntu 20.04

How to automate it

Related Question