ufw

VPN kill switch implementation

Bug #2065519 reported by Matej Kovacic
Affects: ufw
Status: New
Importance: Wishlist
Assigned to: Unassigned
Milestone: (not set)

Bug Description

First of all, BIG thanks for your work on this project. This is not a bug, but more a feature proposal. But I think it could be very useful from the security point of view.

So, Android has a really nice feature, called "Block connections without VPN". Unfortunately Ubuntu does not have a setting like this. Therefore it would be nice if UFW had this option; however, I suggest two features:

- block all connections without VPN
- block all connections without VPN, but ONLY when VPN is active.

The first one would prevent any data leakage, while the other would prevent data leakage when the VPN is established (for instance DNS leak, TunnelVision attack, etc.).

Now, basically the manual script to do that would be:

    MyVPN="xx.xx.xx.xx"

    sudo ufw default deny incoming
    sudo ufw default deny outgoing

    # DNS, also from local interfaces:
    sudo ufw allow out on any from any to any port 53
    # DHCP, also from local interfaces:
    sudo ufw allow out on any from any to any port 67
    sudo ufw allow out on any from any to any port 68

    # If you are using default OpenVPN installation on 1194/UDP:
    sudo ufw allow out to $MyVPN port 1194 proto udp

    # If you are using OpenVPN on 443/TCP:
    sudo ufw allow out to $MyVPN port 443 proto tcp

    # If you are using default Wireguard installation on 51194/UDP:
    sudo ufw allow out to $MyVPN port 51194 proto udp

    # Assuming OpenVPN uses tun0 interface:
    sudo ufw allow out on tun0 from any to any

    # Assuming Wireguard uses wg0 interface:
    sudo ufw allow out on wg0 from any to any

    # If we want to allow connections from VPN network to our computer (again, OpenVPN - tun0, Wireguard - wg0)
    sudo ufw allow in on tun0 from any to any
    sudo ufw allow in on wg0 from any to any

    # Enable UFW
    sudo ufw enable

Now the "VPN kill switch" is on.

If you want to turn it **off**:

    sudo ufw default allow outgoing

If you want to turn it back **on**:

    sudo ufw default deny outgoing

After that, you can use these commands in OpenVPN or Wireguard "post up" / "post down" commands. So when your VPN connection is established, the switch is turned on automatically. But this is too much manual configuration, so that is why I am asking for this feature.

However, there is one problem. When I turn the switch on, the NetworkManager's WiFi icon shows I am not connected to the internet. Why? Because the `wlp3s0` network interface (my WiFi) is trying to connect to `connectivity-check.ubuntu.com`, and it is blocked by the "VPN kill switch". Please note that if I ping `connectivity-check.ubuntu.com` from the terminal, the connection is established, but that is because the terminal uses the `tun0`/`wg0` interface.

Now, the problem is that UFW cannot allow (or block) connections to domains (FQDNs), only to IP addresses. And `connectivity-check.ubuntu.com` has a pool of constantly changing IP addresses.

So probably the script should have the option to redirect all traffic from `wlp3s0` to `tun0/wg0` or something, however, UFW should still allow protocols like DHCP on `wlp3s0` (and other local interfaces), and I am not sure if it is enough to allow 67 and 68 ports (and maybe 53 for DNS if there are captive portals used)...

So, as you can see, this is not just some simple task, however it would be just great to have some additional options in ufw, like `ufw block-non-vpn always`, `block-non-vpn vpnonly` and `ufw block-non-vpn none`.

What do you think?
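The rule set above and the "only when VPN is active" toggle, as an added shell example (not part of ufw or the reporter's script) that can serve as an OpenVPN `--up`/`--down` or WireGuard `PostUp`/`PostDown` hook. The endpoint 203.0.113.10 and the wg0/51820 values are assumptions; the ufw commands are only printed unless `UFW_CMD=ufw` is set.

```shell
#!/bin/sh
# Added example (not ufw's own code): build the "VPN kill switch" rule set
# from a few parameters and expose on/off toggles, so one script can act as
# an OpenVPN --up/--down or WireGuard PostUp/PostDown hook.
# Assumptions: endpoint 203.0.113.10 (constructed), WireGuard on wg0/51820.
# By default the ufw commands are only printed; set UFW_CMD=ufw to apply.
UFW_CMD="${UFW_CMD:-echo ufw}"

# killswitch_rules ENDPOINT_IP PORT PROTO IFACE
# Deny everything by default, keep DHCP/DNS on the physical link, allow
# only the tunnel endpoint, then allow all traffic inside the tunnel.
killswitch_rules() {
    ep=$1; port=$2; proto=$3; iface=$4
    $UFW_CMD default deny incoming
    $UFW_CMD default deny outgoing
    # Bootstrap traffic that must work before the tunnel exists.
    $UFW_CMD allow out to any port 67,68 proto udp   # DHCP
    $UFW_CMD allow out to any port 53                # DNS; note: also leaves on the physical link
    # Only the VPN endpoint may be reached outside the tunnel.
    $UFW_CMD allow out to "$ep" port "$port" proto "$proto"
    # Inside the tunnel anything goes, in both directions.
    $UFW_CMD allow out on "$iface" from any to any
    $UFW_CMD allow in on "$iface" from any to any
}

# Variant 2 from the report: block non-VPN traffic only while the VPN is up.
killswitch_on()  { $UFW_CMD default deny outgoing; }
killswitch_off() { $UFW_CMD default allow outgoing; }

# Hook entry point: "init" installs the rules once, "up"/"down" toggle.
killswitch_hook() {
    case "$1" in
        init) killswitch_rules "$2" "$3" "$4" "$5" ;;
        up)   killswitch_on ;;
        down) killswitch_off ;;
        *)    echo "usage: $0 init IP PORT PROTO IFACE | up | down" >&2; return 2 ;;
    esac
}

# Example invocation (printed, not applied, unless UFW_CMD=ufw):
#   sh killswitch.sh init 203.0.113.10 51820 udp wg0
if [ $# -gt 0 ]; then killswitch_hook "$@"; fi
```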

Changed in ufw:
importance: Undecided → Wishlist