How can I stop vpn leaks with iptables?

English Network/Internet
1

I started using an online vpn service and installed network manager (https://software.opensuse.org/package/NetworkManager) and openvpn (https://software.opensuse.org/package/NetworkManager-openvpn).

I knew nothing about iptables (trying to educate myself now) but I’ve heard that there can be data leaks if the connection is interrupted and you should set up iptables that will force all traffic to go through the vpn connection. In my searches, most of what I find is related to *ubuntu and debian. I’m not sure how those suggestions would work in opensuse and I’d rather not break my network connection without knowing how to fix it.

I’ve seen suggestions to:

  1. set up an iptable
  2. set up firewall rules
  3. set up openvpn rules

but I haven’t found anything in my searches that makes me feel comfortable that it would work.

So…anyone using an online vpn service and successfully forcing all traffic through your vpn?

2

I have a family member who was doing this on windows, moved over to
openSUSE 42.2, and wanted to continue it. The program he was using has
started porting to Linux, but it basically did not seem to work.

As I understand it, his goal was to:

  1. Make sure all traffic goes through the VPN.
  2. If the VPN stops, all traffic must immediately stop flowing instantly.
  3. He was willing to deal with possible outages caused by forgetting to
    turn on the VPN, as well as possibly reconfiguring the VPN IP address if
    ever it changed.

To that end, we spent a half hour or so and came up with the following script:


#!/bin/bash
if  $1 = 'off' ]]; then
sudo iptables -D OUTPUT -o tun0 -j ACCEPT
sudo iptables -D OUTPUT -o wlan0 -p tcp -m tcp -d 1.2.3.4 -j ACCEPT
sudo iptables -D OUTPUT -j DROP
else
sudo iptables -I OUTPUT -o tun0 -j ACCEPT
sudo iptables -I OUTPUT -o wlan0 -p tcp -m tcp -d 1.2.3.4 -j ACCEPT
sudo iptables -A OUTPUT -j DROP
fi

If called with ‘off’ as the first parameter it deletes the rules,
effectively allowing the system to make connections without forcing the
VPN to be working. Also note that you need to enter a valid VPN IP
address instead of ‘1.2.3.4’ or else the VPN is also prevented from making
its first connection. Finally, note that this is a TCP-based service,
where many VPNs may (should?) be UDP-based.

Another caveat: this uses iptables directly to make changes; a reboot
undoes the changes, as will several other types of system-level changes
such as using a device other than ‘wlan0’ (such as ‘eth0’ or ‘br0’), or
disabling the firewall entirely.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

3

IMO the rules suggested by ab should work,
But, if you’re more interested in writing something more elegant that defines re-usable objects, then there are a number of scripts that can be returned with a Google search, eg
https://www.ivpn.net/knowledgebase/191/How-do-I-prevent-VPN-leaks-using-iptables.html

Besides setting up your iptables, you may want to…

  • Test for DNS leakage
    Invoke “nslookup” to display the IP address of your current DNS server. If it’s still what was configured in your regular, non-VPN network connection or anything other than your VPN Provider’s DNS, then you have further configuration to do.
  • Remove any tunnel brokers, if they exist. Or, disable IPv6 if you have no use.
    On a Windows system, this would automatically mean disabling teredo, but even on Linux a tunnel broker may have been assigned by your ISP if it doesn’t support IPv6 natively.
  • Install a “Kill Switch.”
    There are various tutorials posted on the Internet. A “Kill Switch” is a script that kicks in whenever the tunnel is detected to be disconnected, and would then automatically kill running applications. This is so that you won’t be continuing to use your network applications oblivious to the fact you’re connected to the Internet directly and not through a VPN.

HTH,
TSU