5

I'd like to use a VPN when on public wifi for security. In order to establish my OpenVPN tunnel I need a working network connection. When I connect to a public wifi access point there is a window of time after connecting but before my VPN client is launched, connects and updates the route table, during which traffic from my system travels unencrypted over public wifi.

How can I cause wifi to pass no traffic except traffic destined for my OpenVPN server during that window of time?

Extra credit: Is there a way to whitelist wifi networks as trusted (like my home or work wifi) such that all traffic is allowed as I won't be using a VPN?

gene_wood
  • 473
  • 1
  • 8
  • 19
  • Interesting question. However, I don't think it's feasible (even with iptables) as there's plenty of services, apps... etc running on various protocols/ports... etc. And they'll fire up right away when you establish an internet connection. Well, that's my opinion but I might be wrong. Something to think of. – AzkerM May 04 '17 at 19:31
  • You can white-list your trusted network based on mac address of router with `iptables`. `sudo iptables -A INPUT -m mac --mac-source -j ACCEPT` and drop anything from different mac address on input with command `sudo iptables -A INPUT -m mac ! --mac-source -j DROP`. But this command will `DROP` input from public wifi. One more thing. Like you say, you must allow some traffic when you wish to connect on public wifi. If not, you cannot connect to `VPN`. If we cat traffic based on mac you will not get ip address from `DHCP` from public wifi router – 2707974 May 04 '17 at 21:39
  • This is an excellent question, I'm sorry to see that there is no satisfactory answer in more than 3 years. I can only guess that a solution could be to have routing table that allows only DNS and VPN server until the new routing from the vpn is defined. – rhermans Aug 11 '20 at 07:10
  • This is similar to [this](https://askubuntu.com/questions/1012099/disable-internet-access-only-if-its-accessed-via-a-vpn-on-ubuntu-17). – KGIII Aug 15 '20 at 21:13

2 Answers

2

I would try the following with iptables, in this order:

# Allow dhcp
sudo iptables -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# Allow outbound VPN traffic
sudo iptables -A OUTPUT -p udp --dport 1194 -d 0.0.0.0/0 -j ACCEPT

# DROP all outbound WIFI (OUTPUT matches the outgoing interface with -o, not -i)
sudo iptables -A OUTPUT -o wlan0 -j DROP

On office and home networks you will have to run:

# Accept all outbound traffic
sudo iptables -D OUTPUT -o wlan0 -j DROP

There might be an iptables extension which will filter using WIFI SSID or some other router identifier, but I am not familiar with any.

NOTE: you might need to update the ovpn remote port and/or WIFI network interface name

ofirule
  • 533
  • 1
  • 6
  • 19
  • Can you explain how this answers the OP question of allowing a VPN connection, but disallowing any other connection for untrusted networks while allowing all traffic for trusted networks? How does this work in practical terms? – rhermans Aug 12 '20 at 07:15
  • With these `iptables` rules every outbound packet will go through all the rules in the given order. So if it's dhcp it will be accepted if not it will go to the next rule, if it's a VPN it will be accepted if not it will go to the next rule, if it goes through the WIFI interface it will be dropped if not it will go to the DEFAULT policy which is to accept – ofirule Aug 12 '20 at 08:13
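As an added example (not part of ofirule's answer or its comments), the same idea with the rules kept in their own chain so they can be installed and removed cleanly, the VPN rule pinned to the server address, and an SSID whitelist for the trusted-network case from the question. The interface name `wlan0`, the server address `192.0.2.10`, the SSID list and the use of `iwgetid` are assumptions and placeholders to adjust:

```shell
#!/bin/sh
# Added example (not the answer's own commands): a "VPN-only" egress policy for
# a wifi interface, kept in its own iptables chain, plus an SSID whitelist for
# networks where no VPN is wanted. Assumptions: iptables and iwgetid
# (wireless-tools) are installed; WIFI_IF, VPN_SERVER (a TEST-NET-1
# placeholder), VPN_PORT and TRUSTED_SSIDS are placeholders; applying needs root.

WIFI_IF="${WIFI_IF:-wlan0}"
VPN_SERVER="${VPN_SERVER:-192.0.2.10}"
VPN_PORT="${VPN_PORT:-1194}"
TRUSTED_SSIDS="${TRUSTED_SSIDS:-HomeNet OfficeNet}"   # space-separated, constructed sample

# is_trusted_ssid SSID -> exit status 0 when SSID is an exact entry in TRUSTED_SSIDS
# (SSIDs containing spaces are not supported by this simple list).
is_trusted_ssid() {
    for s in $TRUSTED_SSIDS; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# build_rules IFACE VPN_IP VPN_PORT -> prints the iptables commands, one per
# line, without running them, so the policy can be reviewed before it is applied.
# Only loopback, the DHCP client exchange and UDP to the VPN endpoint may leave
# IFACE; everything else on IFACE is dropped. Packets sent into the tunnel
# device are not matched by the "-o IFACE" rules and reach the server through
# the single allowed UDP flow. DNS is deliberately not allowed, so the OpenVPN
# "remote" must be an IP address rather than a hostname.
build_rules() {
    iface=$1; vpn_ip=$2; vpn_port=$3
    cat <<EOF
iptables -N VPN_ONLY 2>/dev/null || iptables -F VPN_ONLY
iptables -A VPN_ONLY -o lo -j ACCEPT
iptables -A VPN_ONLY -o $iface -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A VPN_ONLY -o $iface -p udp -d $vpn_ip --dport $vpn_port -j ACCEPT
iptables -A VPN_ONLY -o $iface -j DROP
iptables -C OUTPUT -j VPN_ONLY 2>/dev/null || iptables -I OUTPUT 1 -j VPN_ONLY
EOF
}

# teardown_rules -> prints the commands that remove the policy again
teardown_rules() {
    cat <<EOF
iptables -D OUTPUT -j VPN_ONLY 2>/dev/null
iptables -F VPN_ONLY 2>/dev/null
iptables -X VPN_ONLY 2>/dev/null
EOF
}

# apply_policy -> lock or unlock depending on the SSID the wifi device is on;
# an unknown or empty SSID is treated as untrusted (fail closed).
apply_policy() {
    ssid=$(iwgetid "$WIFI_IF" -r 2>/dev/null || true)
    if is_trusted_ssid "$ssid"; then
        echo "trusted SSID '$ssid': removing VPN-only policy"
        teardown_rules | sh
    else
        echo "untrusted or unknown SSID '$ssid': applying VPN-only policy"
        build_rules "$WIFI_IF" "$VPN_SERVER" "$VPN_PORT" | sh
    fi
}

case "${1:-}" in
    apply)  apply_policy ;;
    show)   build_rules "$WIFI_IF" "$VPN_SERVER" "$VPN_PORT" ;;
    unlock) teardown_rules | sh ;;
esac
```

Run it with `show` to review the rule set, `apply` (as root) to lock or unlock based on the current SSID, and `unlock` to remove the chain. Since the DHCP rule is the only thing allowed before the tunnel is up, the trusted-SSID check happens after the lease is obtained, which is exactly the window the question is about: nothing but DHCP and the VPN handshake can leave the wifi interface during it.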
0

Maybe I have a solution for you.

Create a script in /etc/NetworkManager/dispatcher.d/vpn-up

#! /bin/bash
# NetworkManager passes the device as $1 and the event as $2; only act on "up"
[ "$2" = "up" ] || exit 0

REQUIRED_CONNECTION_NAME="<name-of-connection>"
VPN_CONNECTION_NAME="<name-of-vpn-connection>"

# List the names of the active connections ("nmcli con status" was the older
# syntax for this query and no longer exists in current nmcli). grep -Fx
# matches the whole line, so a name that is a prefix of another does not match.
active=$(nmcli -t -f NAME con show --active)
activ_con=$(printf '%s\n' "$active" | grep -Fx "${REQUIRED_CONNECTION_NAME}")
activ_vpn=$(printf '%s\n' "$active" | grep -Fx "${VPN_CONNECTION_NAME}")
if [ -n "${activ_con}" ] && [ -z "${activ_vpn}" ]; then
    nmcli con up id "${VPN_CONNECTION_NAME}"
fi

Which means: if it is not connected to REQUIRED_CONNECTION_NAME (aka home wifi), the dispatcher will connect to the VPN.

This will work only if you use NM for the VPN connection. If you do not use NM for the VPN connection, replace `nmcli con up id "${VPN_CONNECTION_NAME}"` in the script with the command you run to connect the VPN.

2707974
  • 10,363
  • 6
  • 31
  • 44
  • Can you explain how is this stopping all traffic, except the VPN connection until the later is operational ? – rhermans Aug 11 '20 at 07:14
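As an added example (not part of 2707974's answer), a dispatcher script that answers the comment above by making the decision explicit: it maps the device and action NetworkManager passes to every dispatcher script to a fail-closed choice, and only lifts an egress lock when a trusted connection comes up. The VPN connection name, the wifi device name, the connection list and the lock helper path `/usr/local/sbin/vpn-lock.sh` are assumptions and placeholders (the helper is hypothetical; any script that installs and removes an iptables egress policy will do):

```shell
#!/bin/sh
# Added example, not the answer's own script: a NetworkManager dispatcher script
# (install as /etc/NetworkManager/dispatcher.d/50-vpn-lock, owned by root, mode
# 0755) that maps the events NetworkManager passes in as "$1" (device) and "$2"
# (action) to a fail-closed decision. Assumptions: the VPN is a NetworkManager
# connection named VPN_CONNECTION; LOCK_SCRIPT is a hypothetical helper that
# installs ("lock") or removes ("unlock") an iptables egress policy;
# TRUSTED_CONNECTIONS is a constructed sample of NM connection names.

WIFI_IF="${WIFI_IF:-wlan0}"
VPN_CONNECTION="${VPN_CONNECTION:-<name-of-vpn-connection>}"
LOCK_SCRIPT="${LOCK_SCRIPT:-/usr/local/sbin/vpn-lock.sh}"   # hypothetical path
TRUSTED_CONNECTIONS="${TRUSTED_CONNECTIONS:-HomeNet OfficeNet}"

# is_trusted_connection NAME -> exit status 0 when NAME is listed in TRUSTED_CONNECTIONS
is_trusted_connection() {
    for c in $TRUSTED_CONNECTIONS; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# connection_for DEVICE -> prints the NM connection name currently active on DEVICE
# (nmcli -t escapes ':' inside names as '\:', so such names would not match here)
connection_for() {
    nmcli -t -f NAME,DEVICE con show --active 2>/dev/null \
        | awk -F: -v dev="$1" '$2 == dev { print $1; exit }'
}

# decide ACTION CONNECTION -> prints the action to take: lock-and-vpn, unlock,
# keep-locked or none. Fail closed: the egress lock is lifted only when a trusted
# connection comes up, and a dropped tunnel leaves the lock in place.
decide() {
    action=$1; conn=$2
    case "$action" in
        up)       if is_trusted_connection "$conn"; then echo unlock; else echo lock-and-vpn; fi ;;
        down)     echo keep-locked ;;   # the next "up" decides again
        vpn-down) if is_trusted_connection "$conn"; then echo none; else echo keep-locked; fi ;;
        *)        echo none ;;
    esac
}

# dispatch DEVICE ACTION -> entry point called by NetworkManager
dispatch() {
    dev=$1; action=$2
    case "$action" in
        up|down)  [ "$dev" = "$WIFI_IF" ] || return 0 ;;   # only the wifi device matters
        vpn-down) ;;                                      # DEVICE is the tunnel interface here
        *)        return 0 ;;
    esac
    conn=$(connection_for "$WIFI_IF")
    case "$(decide "$action" "$conn")" in
        lock-and-vpn) "$LOCK_SCRIPT" lock && nmcli con up id "$VPN_CONNECTION" ;;
        unlock)       "$LOCK_SCRIPT" unlock ;;
        keep-locked)  logger -t vpn-lock "$action on '$conn': egress lock stays in place" ;;
    esac
}

if [ "$#" -ge 2 ]; then
    dispatch "$1" "$2"
fi
```

NetworkManager fires the `up` event only after the interface already has its address, so the lock itself should be in place before wifi comes up (installed at boot, or from a script under `dispatcher.d/pre-up.d/` on NetworkManager 1.0 and later); this script then only decides whether to lift it or to start the VPN behind it, and it never lifts it because a tunnel went down.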