VPN kill switch implementation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | New | Wishlist | Unassigned |
Bug Description
First of all, BIG thanks for your work on this project. This is not a bug, but more a feature proposal. But I think it could be very useful from the security point of view.
So, Android has a really nice feature called "Block connections without VPN". Unfortunately Ubuntu does not have a setting like this. Therefore it would be nice if UFW had this option; I suggest two features:
- block all connections without VPN
- block all connections without VPN, but ONLY when VPN is active.
The first one would prevent any data leakage, while the other would prevent data leakage when VPN is established (for instance DNS leak, Tunnel vision attack, etc.).
Now, basically the manual script to do that would be:
```shell
# Set this to the IP address of your VPN server (placeholder, fill in your own):
MyVPN="<vpn-server-ip>"
sudo ufw default deny incoming
sudo ufw default deny outgoing
# DNS, also from local interfaces:
sudo ufw allow out on any from any to any port 53
# DHCP, also from local interfaces:
sudo ufw allow out on any from any to any port 67
sudo ufw allow out on any from any to any port 68
# If you are using the default OpenVPN installation on 1194/UDP:
sudo ufw allow out to "$MyVPN" port 1194 proto udp
# If you are using OpenVPN on 443/TCP:
sudo ufw allow out to "$MyVPN" port 443 proto tcp
# If you are using the default Wireguard installation on 51194/UDP:
sudo ufw allow out to "$MyVPN" port 51194 proto udp
# Assuming OpenVPN uses the tun0 interface:
sudo ufw allow out on tun0 from any to any
# Assuming Wireguard uses the wg0 interface:
sudo ufw allow out on wg0 from any to any
# If we want to allow connections from the VPN network to our computer (again, OpenVPN - tun0, Wireguard - wg0):
sudo ufw allow in on tun0 from any to any
sudo ufw allow in on wg0 from any to any
# Enable UFW
sudo ufw enable
```
Now the "VPN kill switch" is on.
If you want to turn it **off**:
```shell
sudo ufw default allow outgoing
```
If you want to turn it back **on**:
```shell
sudo ufw default deny outgoing
```
After that, you can use these commands as OpenVPN or Wireguard "post up" / "post down" commands, so that when your VPN connection is established, the switch is turned on automatically. But this is too much manual configuration, and that is why I am asking for this feature.
However, there is one problem. When I turn the switch on, NetworkManager's WiFi icon shows that I am not connected to the internet. Why? Because the `wlp3s0` network interface (my WiFi) is trying to connect to `connectivity-
Now, the problem is that UFW cannot allow (or block) connections to domains (FQDNs), only to IP addresses. And `connectivity-
So probably the script should have the option to redirect all traffic from `wlp3s0` to `tun0/wg0` or something; however, UFW should still allow protocols like DHCP on `wlp3s0` (and other local interfaces), and I am not sure if it is enough to allow ports 67 and 68 (and maybe 53 for DNS if captive portals are used)...
So, as you can see, this is not just some simple task; however, it would be just great to have some additional options in ufw, like `ufw block-non-vpn always`, `block-non-vpn vpnonly` and `ufw block-non-vpn none`.
What do you think?
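The following is an added example, not part of the bug report and not code from the ufw project. It turns the manual rule list above into a small POSIX shell helper: one function generates the kill-switch rules for a given VPN server, port, protocol and tunnel interface; one function returns the command for a "post up" / "post down" hook (the "vpnonly" mode from the proposal); and one function reads the text of `ufw status verbose` to tell whether the switch is actually on, which is the check you want in a hook or a monitoring script before trusting the tunnel. The server address `203.0.113.10` and the status output are constructed sample values. One design choice differs from the report's script on purpose: DNS is only allowed out on the tunnel interface, so resolver queries cannot leave on the WiFi interface and leak, while DHCP stays allowed on every interface because it has to work before the tunnel exists. Nothing here runs ufw unless `APPLY=1` is set in the environment.

```shell
#!/bin/sh
# Added example (not from the bug report or from ufw). Generates and checks a
# ufw-based VPN kill switch. Assumed interface: a tunnel device such as tun0 or
# wg0, and a VPN server reachable by IP address.

# Print the ufw commands for the "always" kill switch.
# Arguments: server_ip port proto tun_iface
killswitch_rules() {
    srv="$1"; port="$2"; proto="$3"; tun="$4"
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow out on any to any port 67 proto udp
ufw allow out on any to any port 68 proto udp
ufw allow out to $srv port $port proto $proto
ufw allow out on $tun to any port 53
ufw allow out on $tun from any to any
ufw allow in on $tun from any to any
EOF
}

# Run (APPLY=1) or just print (default) the generated rules.
apply_rules() {
    killswitch_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            sudo $cmd
        else
            echo "$cmd"
        fi
    done
}

# Command for a VPN "post up" / "post down" hook in the "vpnonly" mode:
# the tunnel coming up closes the switch, the tunnel going down opens it.
hook_command() {
    case "$1" in
        up)   echo "ufw default deny outgoing" ;;
        down) echo "ufw default allow outgoing" ;;
        *)    echo "usage: hook_command up|down" >&2; return 2 ;;
    esac
}

# Decide from the text of "ufw status verbose" whether the switch is on.
# Prints "on" and returns 0 only when ufw is active AND the outgoing default
# is deny; anything else prints "off" and returns 1.
killswitch_state() {
    status="$1"
    if printf '%s\n' "$status" | grep -q '^Status: active' &&
       printf '%s\n' "$status" | grep -q 'deny (outgoing)'; then
        echo on
        return 0
    fi
    echo off
    return 1
}

# Constructed sample outputs of "ufw status verbose" for the two states.
SAMPLE_STATUS_ON='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip'

SAMPLE_STATUS_OFF='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'
```

Typical use: `apply_rules 203.0.113.10 1194 udp tun0` prints the rule set for review, and `APPLY=1 apply_rules ...` installs it; a WireGuard `PostUp` line can call `hook_command up` and `PostDown` can call `hook_command down`; and `killswitch_state "$(sudo ufw status verbose)"` is the check to run before assuming the tunnel is the only way out. Note that, like the report's script, this allows DHCP on every interface, so a captive portal still cannot be reached until the switch is opened.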
Changed in ufw: importance: Undecided → Wishlist